git.karo-electronics.de Git - karo-tx-linux.git/commit

author	Vasiliy Kulikov <segoon@openwall.com>
	Wed, 3 Aug 2011 00:52:32 +0000 (10:52 +1000)
committer	Stephen Rothwell <sfr@canb.auug.org.au>
	Tue, 23 Aug 2011 05:10:05 +0000 (15:10 +1000)
commit	4877e2e23ced9e54750d3639ce23447256fcb349
tree	820bd7a2467f582f49aab3db906a61b3a4e427f8	tree \| snapshot
parent	47d653f6d3bfd296bfb91376deafda324460e355	commit \| diff

On thread exit shm_exit_ns() is called, it uses shm_ids(ns).rw_mutex. It
is initialized in shm_init(), but it is not called yet at the moment of
kernel threads exit. Some kernel threads are created in
do_pre_smp_initcalls(), and shm_init() is called in do_initcalls().

Static initialization of shm_ids(init_ipc_ns).rw_mutex fixes the race.

It fixes a kernel oops:

Unable to handle kernel NULL pointer dereference at virtual address 00000000
...
[<c0320090>] (__down_write_nested+0x88/0xe0) from [<c015da08>] (exit_shm+0x28/0x48)
[<c015da08>] (exit_shm+0x28/0x48) from [<c002e550>] (do_exit+0x59c/0x750)
[<c002e550>] (do_exit+0x59c/0x750) from [<c003eaac>] (____call_usermodehelper+0x13c/0x154)
[<c003eaac>] (____call_usermodehelper+0x13c/0x154) from [<c000f630>] (kernel_thread_exit+0x0/0x8)
Code: 1afffffa e597c00c e58d0000 e587d00c (e58cd000)

Reported-by: Manuel Lauss <manuel.lauss@googlemail.com>
Reported-by: Richard Weinberger <richard@nod.at>
Reported-by: Marc Zyngier <maz@misterjones.org>
Tested-by: Manuel Lauss <manuel.lauss@googlemail.com>
Tested-by: Richard Weinberger <richard@nod.at>
Tested-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

ipc/msgutil.c		diff \| blob \| history
ipc/shm.c		diff \| blob \| history
ipc/util.c		diff \| blob \| history
ipc/util.h		diff \| blob \| history