CVE Request -- Linux kernel: ipc: ipc_rcu_putref refcount races

[Petr Matousek <pmatouse () redhat com>]

A flaw was found in the way ipc_rcu_putref() function handled reference
counter decrementing. Without external synchronization reference counter
might not be adjusted properly, as presented with the freeque() vs
do_msgsnd() race, leading to memory leaks.

An unprivileged local user could use this flaw to cause OOM conditions,
potentially crashing the system.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1024854
https://wiki.openvz.org/Download/kernel/rhel6-testing/042stab084.3

Upstream patch:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6062a8
(making the refcounter atomic hunks)

Acknowledgements:

Red Hat would like to thank Vladimir Davydov (Parallels) for reporting
this issue.

Thanks,
-- 
Petr Matousek / Red Hat Security Response Team