diff options
| author | Al Viro <viro@ZenIV.linux.org.uk> | 2013-05-02 19:30:49 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2013-05-02 22:51:31 -0400 |
| commit | ce857229e0c3adc211944a13a5579ef84fd7b4af (patch) | |
| tree | f12310c2c6492dd7ef4b25dd0c6052f7a114b9cf | |
| parent | 20a2078ce7705a6e0722ef5184336eb8657a58d8 (diff) | |
ipc: fix GETALL/IPC_RM race for sysv semaphores
We can step on WARN_ON_ONCE() in sem_getref() if a semaphore is removed
just as we are about to call sem_getref() from semctl_main(); results
are not pretty.
We should fail with -EIDRM, same as if IPC_RM happened while we'd been
doing allocation there. This also expands sem_getref() at its only
callsite (and fixed there), while sem_getref_and_unlock() is simply
killed off - it has no callers at all.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Acked-by: Davidlohr Bueso <davidlohr.bueso@hp.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
| -rw-r--r-- | ipc/sem.c | 29 |
1 files changed, 8 insertions, 21 deletions
| @@ -328,28 +328,12 @@ static inline void sem_lock_and_putref(struct sem_array *sma) | |||
| 328 | ipc_rcu_putref(sma); | 328 | ipc_rcu_putref(sma); |
| 329 | } | 329 | } |
| 330 | 330 | ||
| 331 | static inline void sem_getref_and_unlock(struct sem_array *sma) | ||
| 332 | { | ||
| 333 | WARN_ON_ONCE(!ipc_rcu_getref(sma)); | ||
| 334 | sem_unlock(sma, -1); | ||
| 335 | } | ||
| 336 | |||
| 337 | static inline void sem_putref(struct sem_array *sma) | 331 | static inline void sem_putref(struct sem_array *sma) |
| 338 | { | 332 | { |
| 339 | sem_lock_and_putref(sma); | 333 | sem_lock_and_putref(sma); |
| 340 | sem_unlock(sma, -1); | 334 | sem_unlock(sma, -1); |
| 341 | } | 335 | } |
| 342 | 336 | ||
| 343 | /* | ||
| 344 | * Call inside the rcu read section. | ||
| 345 | */ | ||
| 346 | static inline void sem_getref(struct sem_array *sma) | ||
| 347 | { | ||
| 348 | sem_lock(sma, NULL, -1); | ||
| 349 | WARN_ON_ONCE(!ipc_rcu_getref(sma)); | ||
| 350 | sem_unlock(sma, -1); | ||
| 351 | } | ||
| 352 | |||
| 353 | static inline void sem_rmid(struct ipc_namespace *ns, struct sem_array *s) | 337 | static inline void sem_rmid(struct ipc_namespace *ns, struct sem_array *s) |
| 354 | { | 338 | { |
| 355 | ipc_rmid(&sem_ids(ns), &s->sem_perm); | 339 | ipc_rmid(&sem_ids(ns), &s->sem_perm); |
| @@ -1116,9 +1100,14 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum, | |||
| 1116 | ushort __user *array = p; | 1100 | ushort __user *array = p; |
| 1117 | int i; | 1101 | int i; |
| 1118 | 1102 | ||
| 1103 | sem_lock(sma, NULL, -1); | ||
| 1119 | if(nsems > SEMMSL_FAST) { | 1104 | if(nsems > SEMMSL_FAST) { |
| 1120 | sem_getref(sma); | 1105 | if (!ipc_rcu_getref(sma)) { |
| 1121 | 1106 | sem_unlock(sma, -1); | |
| 1107 | err = -EIDRM; | ||
| 1108 | goto out_free; | ||
| 1109 | } | ||
| 1110 | sem_unlock(sma, -1); | ||
| 1122 | sem_io = ipc_alloc(sizeof(ushort)*nsems); | 1111 | sem_io = ipc_alloc(sizeof(ushort)*nsems); |
| 1123 | if(sem_io == NULL) { | 1112 | if(sem_io == NULL) { |
| 1124 | sem_putref(sma); | 1113 | sem_putref(sma); |
| @@ -1131,9 +1120,7 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum, | |||
| 1131 | err = -EIDRM; | 1120 | err = -EIDRM; |
| 1132 | goto out_free; | 1121 | goto out_free; |
| 1133 | } | 1122 | } |
| 1134 | } else | 1123 | } |
| 1135 | sem_lock(sma, NULL, -1); | ||
| 1136 | |||
| 1137 | for (i = 0; i < sma->sem_nsems; i++) | 1124 | for (i = 0; i < sma->sem_nsems; i++) |
| 1138 | sem_io[i] = sma->sem_base[i].semval; | 1125 | sem_io[i] = sma->sem_base[i].semval; |
| 1139 | sem_unlock(sma, -1); | 1126 | sem_unlock(sma, -1); |