ipc/sem.c: fully initialize sem_array before making it visible

(cherry pick from commit e8577d1f0329d4842e8302e289fb2c22156abef4) ipc_addid() makes a new ipc identifier visible to everyone. New objects start as locked, so that the caller can complete the initialization after the call. Within struct sem_array, at least sma->sem_base and sma->sem_nsems are accessed without any locks, therefore this approach doesn't work. Thus: Move the ipc_addid() to the end of the initialization. Signed-off-by: Manfred Spraul <[email protected]> Reported-by: Rik van Riel <[email protected]> Acked-by: Rik van Riel <[email protected]> Acked-by: Davidlohr Bueso <[email protected]> Acked-by: Rafael Aquini <[email protected]> Signed-off-by: Andrew Morton <[email protected]> Signed-off-by: Linus Torvalds <[email protected]> Signed-off-by: Mark Salyzyn <[email protected]> Bug: 24551430 Change-Id: I36a8cc2281dfd68e9a399695f1d7e7b038e105d0
yuweiyuan8 · Sep 6, 2016 · a4d11ef · a4d11ef
1 parent c072a3f
commit a4d11ef
Showing 1 changed file with 8 additions and 7 deletions.
diff --git a/ipc/sem.c b/ipc/sem.c
@@ -436,13 +436,6 @@ static int newary(struct ipc_namespace *ns, struct ipc_params *params)
 		return retval;
 	}
 
-	id = ipc_addid(&sem_ids(ns), &sma->sem_perm, ns->sc_semmni);
-	if (id < 0) {
-		ipc_rcu_putref(sma, sem_rcu_free);
-		return id;
-	}
-	ns->used_sems += nsems;
-
 	sma->sem_base = (struct sem *) &sma[1];
 
 	for (i = 0; i < nsems; i++) {
@@ -457,6 +450,14 @@ static int newary(struct ipc_namespace *ns, struct ipc_params *params)
 	INIT_LIST_HEAD(&sma->list_id);
 	sma->sem_nsems = nsems;
 	sma->sem_ctime = get_seconds();
+
+	id = ipc_addid(&sem_ids(ns), &sma->sem_perm, ns->sc_semmni);
+	if (id < 0) {
+		ipc_rcu_putref(sma, sem_rcu_free);
+		return id;
+	}
+	ns->used_sems += nsems;
+
 	sem_unlock(sma, -1);
 	rcu_read_unlock();