Jeongjun Park 78297d53d3 ipc: fix to protect IPCS lookups using RCU ... commit d66adabe91 upstream. syzbot reported that it discovered a use-after-free vulnerability, [0] [0]: https://lore.kernel.org/all/67af13f8.050a0220.21dd3.0038.GAE@google.com/ idr_for_each() is protected by rwsem, but this is not enough. If it is not protected by RCU read-critical region, when idr_for_each() calls radix_tree_node_free() through call_rcu() to free the radix_tree_node structure, the node will be freed immediately, and when reading the next node in radix_tree_for_each_slot(), the already freed memory may be read. Therefore, we need to add code to make sure that idr_for_each() is protected within the RCU read-critical region when we call it in shm_destroy_orphaned(). Link: https://lkml.kernel.org/r/20250424143322.18830-1-aha310510@gmail.com Fixes: b34a6b1da3 ("ipc: introduce shm_rmid_forced sysctl") Signed-off-by: Jeongjun Park <aha310510@gmail.com> Reported-by: syzbot+a2b84e569d06ca3a949c@syzkaller.appspotmail.com Cc: Jeongjun Park <aha310510@gmail.com> Cc: Liam Howlett <liam.howlett@oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com> Cc: Matthew Wilcox (Oracle) <willy@infradead.org> Cc: Vasiliy Kulikov <segoon@openwall.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>		2025-06-27 11:07:30 +01:00
..
compat.c
ipc_sysctl.c	sysctl: treewide: drop unused argument ctl_table_root::set_ownership(table)	2024-08-11 12:35:51 +02:00
Makefile
mq_sysctl.c	sysctl: treewide: drop unused argument ctl_table_root::set_ownership(table)	2024-08-11 12:35:51 +02:00
mqueue.c
msg.c
msgutil.c
namespace.c	ipc: fix memleak if msg_init_ns failed in create_ipc_ns	2024-12-14 19:54:06 +01:00
sem.c
shm.c	ipc: fix to protect IPCS lookups using RCU	2025-06-27 11:07:30 +01:00
syscall.c
util.c
util.h