[LTP] [ipc/sem.c] 6394de3b86: BUG:kernel_NULL_pointer_dereference, address
Manfred Spraul
manfred@colorfullife.com
Wed Oct 23 20:28:52 CEST 2019
Hello,
On 10/21/19 10:35 AM, kernel test robot wrote:
> FYI, we noticed the following commit (built with gcc-7):
>
> commit: 6394de3b868537a90dd9128607192b0e97109f6b ("[PATCH 4/5] ipc/sem.c: Document and update memory barriers")
> url: https://github.com/0day-ci/linux/commits/Manfred-Spraul/wake_q-Cleanup-Documentation-update/20191014-055627
Yes, known issue:
> @@ -2148,9 +2176,11 @@ static long do_semtimedop(int semid, struct
> sembuf __user *tsops,
> }
>
> do {
> - WRITE_ONCE(queue.status, -EINTR);
> + /* memory ordering ensured by the lock in sem_lock() */
> + queue.status = EINTR;
> queue.sleeper = current;
>
> + /* memory ordering is ensured by the lock in sem_lock() */
> __set_current_state(TASK_INTERRUPTIBLE);
> sem_unlock(sma, locknum);
> rcu_read_unlock();
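Review bot: the replacement store `queue.status = EINTR;` drops the minus sign that the removed `WRITE_ONCE(queue.status, -EINTR);` had, so the field is now initialised to the positive errno value instead of the negative one the old line stored; it should read `queue.status = -EINTR;`. The new comment only justifies replacing WRITE_ONCE with a plain store under sem_lock(), not a change of value, so the sign change looks accidental. Minor: the two added comments ("memory ordering ensured by the lock in sem_lock()") say the same thing two lines apart; one of them is enough.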
It must be "-EINTR", not "EINTR".
If there is a timeout or a spurious wakeup, then do_semtimedop()
returns to user space without unlinking everything properly.
I was able to reproduce the issue: V1 of the series ends up with the
shown error.
V3, as now merged, doesn't fail.
--
Manfred
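To make the sign bug in the quoted hunk concrete, here is an added user-space model; it is not code from the patch, from Manfred's message, or from the kernel. It assumes (this is not shown on the page) that the sleeper publishes -EINTR in queue.status before sleeping, that a waker which completes the operation unlinks the entry and overwrites status with the result, and that after waking the sleeper treats "status still equals -EINTR" as a timeout or spurious wakeup it must clean up itself. The struct and function names are invented for the model. The four rounds show why storing the positive EINTR is harmless when a waker completes the operation and only breaks on a timeout or spurious wakeup, which is the behaviour described above.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added example, not kernel code: a user-space model of the sleeper/waker
 * handshake.  Assumed protocol: the sleeper stores a sentinel in status
 * before sleeping; a waker that completes the operation unlinks the entry
 * and overwrites status with the result; after waking, "status still equals
 * the sentinel" means nobody completed it (timeout or spurious wakeup), so
 * the sleeper must unlink the entry itself.
 */

#define STATUS_SENTINEL (-EINTR)   /* what the removed WRITE_ONCE line stored */

struct sem_queue_model {
    int status;    /* result slot shared between sleeper and waker */
    bool linked;   /* entry still on the semaphore's wait list */
};

struct round_result {
    int ret;           /* value the sleeper hands back towards user space */
    bool left_linked;  /* true if the entry was abandoned on the list */
};

/* Waker side: remove the entry from the list, then publish the result. */
static void waker_complete(struct sem_queue_model *q, int result)
{
    q->linked = false;
    q->status = result;
}

/* Sleeper side, after the sleep returns. */
static int sleeper_finish(struct sem_queue_model *q)
{
    if (q->status != STATUS_SENTINEL)
        return q->status;   /* a waker already unlinked us and set the result */

    /* Nobody completed the op: timeout or spurious wakeup, unlink ourselves. */
    q->linked = false;
    return STATUS_SENTINEL;
}

/*
 * One sleep/wake round.  initial_status is what the sleeper stores before
 * sleeping (-EINTR as in the removed line, or EINTR as in the buggy hunk);
 * woken says whether a waker completed the operation before the sleeper ran.
 */
static struct round_result run_round(int initial_status, bool woken)
{
    struct sem_queue_model q = { .status = initial_status, .linked = true };
    struct round_result r;

    if (woken)
        waker_complete(&q, 0);

    r.ret = sleeper_finish(&q);
    r.left_linked = q.linked;
    return r;
}

int main(void)
{
    struct {
        const char *label;
        int initial;
        bool woken;
    } cases[] = {
        { "-EINTR, woken by waker",   -EINTR, true  },
        { "-EINTR, timeout/spurious", -EINTR, false },
        { " EINTR, woken by waker",    EINTR, true  },
        { " EINTR, timeout/spurious",  EINTR, false },
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct round_result r = run_round(cases[i].initial, cases[i].woken);
        printf("%-26s ret=%3d  entry left linked: %s\n",
               cases[i].label, r.ret, r.left_linked ? "YES (bug)" : "no");
    }
    return 0;
}
```

With the positive EINTR stored, the "timeout/spurious" round returns a positive value, which is not a valid negative-errno result, and leaves the entry linked after the sleeper's frame is gone; the "woken by waker" round is indistinguishable from the correct one, which is why the defect only shows up under a timeout or spurious wakeup.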