ipc/shm: handle removed segments gracefully in shm_mmap()

remap_file_pages(2) emulation can reach file which represents removed IPC ID as long as a memory segment is mapped. It breaks expectations of IPC subsystem. Test case (rewritten to be more human readable, originally autogenerated by syzkaller[1]): #define _GNU_SOURCE #include <stdlib.h> #include <sys/ipc.h> #include <sys/mman.h> #include <sys/shm.h> #define PAGE_SIZE 4096 int main() { int id; void *p; id = shmget(IPC_PRIVATE, 3 * PAGE_SIZE, 0); p = shmat(id, NULL, 0); shmctl(id, IPC_RMID, NULL); remap_file_pages(p, 3 * PAGE_SIZE, 0, 7, 0); return 0; } The patch changes shm_mmap() and code around shm_lock() to propagate locking error back to caller of shm_mmap(). [1] http://github.com/google/syzkaller Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com> Reported-by: Dmitry Vyukov <dvyukov@google.com> Cc: Davidlohr Bueso <dave@stgolabs.net> Cc: Manfred Spraul <manfred@colorfullife.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
author: Kirill A. Shutemov <kirill.shutemov@linux.intel.com> 2016-02-17 16:11:35 -0500
committer: Linus Torvalds <torvalds@linux-foundation.org> 2016-02-18 19:23:24 -0500
commit: 1ac0b6dec656f3f78d1c3dd216fad84cb4d0a01e (patch)
tree: 18e90253e636c98a801e30f022c650696f4b8926
parent: 64f00850011b834746bab94119d1d5eb7eabb19a (diff)
1 files changed, 43 insertions, 10 deletions
diff --git a/ipc/shm.c b/ipc/shm.c
index ed3027d0f277..331fc1b0b3c7 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -156,11 +156,12 @@ static inline struct shmid_kernel *shm_lock(struct ipc_namespace *ns, int id)
        struct kern_ipc_perm *ipcp = ipc_lock(&shm_ids(ns), id);
        /*
-         * We raced in the idr lookup or with shm_destroy().  Either way, the
+         * Callers of shm_lock() must validate the status of the returned ipc
-         * ID is busted.
+         * object pointer (as returned by ipc_lock()), and error out as
+         * appropriate.
         */
-        WARN_ON(IS_ERR(ipcp));
+        if (IS_ERR(ipcp))
+                return (void *)ipcp;
        return container_of(ipcp, struct shmid_kernel, shm_perm);
 }
@@ -186,18 +187,33 @@ static inline void shm_rmid(struct ipc_namespace *ns, struct shmid_kernel *s)
 }
-/* This is called by fork, once for every shm attach. */
+static int __shm_open(struct vm_area_struct *vma)
-static void shm_open(struct vm_area_struct *vma)
 {
        struct file *file = vma->vm_file;
        struct shm_file_data *sfd = shm_file_data(file);
        struct shmid_kernel *shp;
        shp = shm_lock(sfd->ns, sfd->id);
+        if (IS_ERR(shp))
+                return PTR_ERR(shp);
        shp->shm_atim = get_seconds();
        shp->shm_lprid = task_tgid_vnr(current);
        shp->shm_nattch++;
        shm_unlock(shp);
+        return 0;
+}
+/* This is called by fork, once for every shm attach. */
+static void shm_open(struct vm_area_struct *vma)
+{
+        int err = __shm_open(vma);
+        /*
+         * We raced in the idr lookup or with shm_destroy().
+         * Either way, the ID is busted.
+         */
+        WARN_ON_ONCE(err);
 }
 /*
@@ -260,6 +276,14 @@ static void shm_close(struct vm_area_struct *vma)
        down_write(&shm_ids(ns).rwsem);
        /* remove from the list of attaches of the shm segment */
        shp = shm_lock(ns, sfd->id);
+        /*
+         * We raced in the idr lookup or with shm_destroy().
+         * Either way, the ID is busted.
+         */
+        if (WARN_ON_ONCE(IS_ERR(shp)))
+                goto done; /* no-op */
        shp->shm_lprid = task_tgid_vnr(current);
        shp->shm_dtim = get_seconds();
        shp->shm_nattch--;
@@ -267,6 +291,7 @@ static void shm_close(struct vm_area_struct *vma)
                shm_destroy(ns, shp);
        else
                shm_unlock(shp);
+done:
        up_write(&shm_ids(ns).rwsem);
 }
@@ -388,17 +413,25 @@ static int shm_mmap(struct file *file, struct vm_area_struct *vma)
        struct shm_file_data *sfd = shm_file_data(file);
        int ret;
+        /*
+         * In case of remap_file_pages() emulation, the file can represent
+         * removed IPC ID: propogate shm_lock() error to caller.
+         */
+        ret =__shm_open(vma);
+        if (ret)
+                return ret;
        ret = sfd->file->f_op->mmap(sfd->file, vma);
-        if (ret != 0)
+        if (ret) {
+                shm_close(vma);
                return ret;
+        }
        sfd->vm_ops = vma->vm_ops;
 #ifdef CONFIG_MMU
        WARN_ON(!sfd->vm_ops->fault);
 #endif
        vma->vm_ops = &shm_vm_ops;
-        shm_open(vma);
+        return 0;
-        return ret;
 }
 static int shm_release(struct inode *ino, struct file *file)
author	Kirill A. Shutemov <kirill.shutemov@linux.intel.com>	2016-02-17 16:11:35 -0500
committer	Linus Torvalds <torvalds@linux-foundation.org>	2016-02-18 19:23:24 -0500
commit	1ac0b6dec656f3f78d1c3dd216fad84cb4d0a01e (patch)
tree	18e90253e636c98a801e30f022c650696f4b8926
parent	64f00850011b834746bab94119d1d5eb7eabb19a (diff)

diff --git a/ipc/shm.c b/ipc/shm.c index ed3027d0f277..331fc1b0b3c7 100644 --- a/ipc/shm.c +++ b/ipc/shm.c
@@ -156,11 +156,12 @@ static inline struct shmid_kernel shm_lock(struct ipc_namespace ns, int id)
156	struct kern_ipc_perm *ipcp = ipc_lock(&shm_ids(ns), id);	156	struct kern_ipc_perm *ipcp = ipc_lock(&shm_ids(ns), id);
157		157
158	/*	158	/*
159	* We raced in the idr lookup or with shm_destroy(). Either way, the	159	* Callers of shm_lock() must validate the status of the returned ipc
160	* ID is busted.	160	* object pointer (as returned by ipc_lock()), and error out as
		161	* appropriate.
161	*/	162	*/
162	WARN_ON(IS_ERR(ipcp));	163	if (IS_ERR(ipcp))
163		164	return (void *)ipcp;
164	return container_of(ipcp, struct shmid_kernel, shm_perm);	165	return container_of(ipcp, struct shmid_kernel, shm_perm);
165	}	166	}
166		167
@@ -186,18 +187,33 @@ static inline void shm_rmid(struct ipc_namespace ns, struct shmid_kernel s)
186	}	187	}
187		188
188		189
189	/* This is called by fork, once for every shm attach. */	190	static int __shm_open(struct vm_area_struct *vma)
190	static void shm_open(struct vm_area_struct *vma)
191	{	191	{
192	struct file *file = vma->vm_file;	192	struct file *file = vma->vm_file;
193	struct shm_file_data *sfd = shm_file_data(file);	193	struct shm_file_data *sfd = shm_file_data(file);
194	struct shmid_kernel *shp;	194	struct shmid_kernel *shp;
195		195
196	shp = shm_lock(sfd->ns, sfd->id);	196	shp = shm_lock(sfd->ns, sfd->id);
		197
		198	if (IS_ERR(shp))
		199	return PTR_ERR(shp);
		200
197	shp->shm_atim = get_seconds();	201	shp->shm_atim = get_seconds();
198	shp->shm_lprid = task_tgid_vnr(current);	202	shp->shm_lprid = task_tgid_vnr(current);
199	shp->shm_nattch++;	203	shp->shm_nattch++;
200	shm_unlock(shp);	204	shm_unlock(shp);
		205	return 0;
		206	}
		207
		208	/* This is called by fork, once for every shm attach. */
		209	static void shm_open(struct vm_area_struct *vma)
		210	{
		211	int err = __shm_open(vma);
		212	/*
		213	* We raced in the idr lookup or with shm_destroy().
		214	* Either way, the ID is busted.
		215	*/
		216	WARN_ON_ONCE(err);
201	}	217	}
202		218
203	/*	219	/*
@@ -260,6 +276,14 @@ static void shm_close(struct vm_area_struct *vma)
260	down_write(&shm_ids(ns).rwsem);	276	down_write(&shm_ids(ns).rwsem);
261	/* remove from the list of attaches of the shm segment */	277	/* remove from the list of attaches of the shm segment */
262	shp = shm_lock(ns, sfd->id);	278	shp = shm_lock(ns, sfd->id);
		279
		280	/*
		281	* We raced in the idr lookup or with shm_destroy().
		282	* Either way, the ID is busted.
		283	*/
		284	if (WARN_ON_ONCE(IS_ERR(shp)))
		285	goto done; /* no-op */
		286
263	shp->shm_lprid = task_tgid_vnr(current);	287	shp->shm_lprid = task_tgid_vnr(current);
264	shp->shm_dtim = get_seconds();	288	shp->shm_dtim = get_seconds();
265	shp->shm_nattch--;	289	shp->shm_nattch--;
@@ -267,6 +291,7 @@ static void shm_close(struct vm_area_struct *vma)
267	shm_destroy(ns, shp);	291	shm_destroy(ns, shp);
268	else	292	else
269	shm_unlock(shp);	293	shm_unlock(shp);
		294	done:
270	up_write(&shm_ids(ns).rwsem);	295	up_write(&shm_ids(ns).rwsem);
271	}	296	}
272		297
@@ -388,17 +413,25 @@ static int shm_mmap(struct file file, struct vm_area_struct vma)
388	struct shm_file_data *sfd = shm_file_data(file);	413	struct shm_file_data *sfd = shm_file_data(file);
389	int ret;	414	int ret;
390		415
		416	/*
		417	* In case of remap_file_pages() emulation, the file can represent
		418	* removed IPC ID: propogate shm_lock() error to caller.
		419	*/
		420	ret =__shm_open(vma);
		421	if (ret)
		422	return ret;
		423
391	ret = sfd->file->f_op->mmap(sfd->file, vma);	424	ret = sfd->file->f_op->mmap(sfd->file, vma);
392	if (ret != 0)	425	if (ret) {
		426	shm_close(vma);
393	return ret;	427	return ret;
		428	}
394	sfd->vm_ops = vma->vm_ops;	429	sfd->vm_ops = vma->vm_ops;
395	#ifdef CONFIG_MMU	430	#ifdef CONFIG_MMU
396	WARN_ON(!sfd->vm_ops->fault);	431	WARN_ON(!sfd->vm_ops->fault);
397	#endif	432	#endif
398	vma->vm_ops = &shm_vm_ops;	433	vma->vm_ops = &shm_vm_ops;
399	shm_open(vma);	434	return 0;
400
401	return ret;
402	}	435	}
403		436
404	static int shm_release(struct inode ino, struct file file)	437	static int shm_release(struct inode ino, struct file file)