Jeongjun Park b968ba8bfd ipc: fix to protect IPCS lookups using RCU ... commit d66adabe91 upstream. syzbot reported that it discovered a use-after-free vulnerability, [0] [0]: https://lore.kernel.org/all/67af13f8.050a0220.21dd3.0038.GAE@google.com/ idr_for_each() is protected by rwsem, but this is not enough. If it is not protected by RCU read-critical region, when idr_for_each() calls radix_tree_node_free() through call_rcu() to free the radix_tree_node structure, the node will be freed immediately, and when reading the next node in radix_tree_for_each_slot(), the already freed memory may be read. Therefore, we need to add code to make sure that idr_for_each() is protected within the RCU read-critical region when we call it in shm_destroy_orphaned(). Link: https://lkml.kernel.org/r/20250424143322.18830-1-aha310510@gmail.com Fixes: b34a6b1da3 ("ipc: introduce shm_rmid_forced sysctl") Signed-off-by: Jeongjun Park <aha310510@gmail.com> Reported-by: syzbot+a2b84e569d06ca3a949c@syzkaller.appspotmail.com Cc: Jeongjun Park <aha310510@gmail.com> Cc: Liam Howlett <liam.howlett@oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com> Cc: Matthew Wilcox (Oracle) <willy@infradead.org> Cc: Vasiliy Kulikov <segoon@openwall.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>		2025-06-27 11:04:14 +01:00
..
compat.c
ipc_sysctl.c
Makefile
mq_sysctl.c
mqueue.c	ipc/mqueue: use get_tree_nodev() in mqueue_get_tree()	2022-06-09 10:21:17 +02:00
msg.c	memcg: enable accounting of ipc resources	2022-11-10 18:14:25 +01:00
msgutil.c
namespace.c
sem.c	ipc/sem: Fix dangling sem_array access in semtimedop race	2022-12-08 11:24:00 +01:00
shm.c	ipc: fix to protect IPCS lookups using RCU	2025-06-27 11:04:14 +01:00
syscall.c
util.c	ipc: replace costly bailout check in sysvipc_find_ipc()	2024-09-04 13:17:44 +02:00
util.h