review.tizen.org Git - profile/mobile/platform/kernel/linux-3.10-sc7730.git/commit

author	Thomas Gleixner <tglx@linutronix.de>
	Tue, 31 Jan 2017 14:24:03 +0000 (15:24 +0100)
committer	Seung-Woo Kim <sw0312.kim@samsung.com>
	Thu, 12 Oct 2017 07:50:55 +0000 (16:50 +0900)
commit	a73c5170c20c7376bd30d23389e78e4569623d32
tree	53e7217018af4da30a0e5080996a704f7a0a19aa	tree \| snapshot
parent	da466768ba74e51d1618105b13ac4e53371a6a52	commit \| diff

timerfd: Protect the might cancel mechanism proper

commit 1e38da300e1e395a15048b0af1e5305bd91402f6 upstream.

The handling of the might_cancel queueing is not properly protected, so
parallel operations on the file descriptor can race with each other and
lead to list corruptions or use after free.

Protect the context for these operations with a seperate lock.

The wait queue lock cannot be reused for this because that would create a
lock inversion scenario vs. the cancel lock. Replacing might_cancel with an
atomic (atomic_t or atomic bit) does not help either because it still can
race vs. the actual list operation.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: "linux-fsdevel@vger.kernel.org"
Cc: syzkaller <syzkaller@googlegroups.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1701311521430.3457@nanos
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
[sw0312.kim: cherry-pick from linux-3.16.y to fix CVE-2017-10661]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: Id75cf1554ac7f3f2fbd847b961387cdf690eea57