ipc/mqueue: strengthen checks on mqueue creation

We already check the mq attr struct if it's passed in, but now that the
admin can set system wide defaults separate from maximums, it's actually
possible to set the defaults to something that would overflow.  So, if
there is no attr struct passed in to the open call, check the default
values.

While we are at it, simplify mq_attr_ok() by making it return 0 or an
error condition, so that way if we add more tests to it later, we have the
option of what error should be returned instead of the calling location
having to pick a possibly inaccurate error code.

[akpm@linux-foundation.org: s/ENOMEM/EOVERFLOW/]
Signed-off-by: Doug Ledford <dledford@redhat.com>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Cc: Manfred Spraul <manfred@colorfullife.com>
Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

1 files changed, 18 insertions, 9 deletions

diff --git a/ipc/mqueue.c b/ipc/mqueue.c
index 076399ce363a..af1692556c52 100644
--- a/ipc/mqueue.c
+++ b/ipc/mqueue.c
@@ -680,26 +680,26 @@ static int mq_attr_ok(struct ipc_namespace *ipc_ns, struct mq_attr *attr)
         unsigned long total_size;
 
         if (attr->mq_maxmsg <= 0 || attr->mq_msgsize <= 0)
-                return 0;
+                return -EINVAL;
         if (capable(CAP_SYS_RESOURCE)) {
                 if (attr->mq_maxmsg > HARD_MSGMAX ||
                     attr->mq_msgsize > HARD_MSGSIZEMAX)
-                        return 0;
+                        return -EINVAL;
         } else {
                 if (attr->mq_maxmsg > ipc_ns->mq_msg_max ||
                                 attr->mq_msgsize > ipc_ns->mq_msgsize_max)
-                        return 0;
+                        return -EINVAL;
         }
         /* check for overflow */
         if (attr->mq_msgsize > ULONG_MAX/attr->mq_maxmsg)
-                return 0;
+                return -EOVERFLOW;
         mq_treesize = attr->mq_maxmsg * sizeof(struct msg_msg) +
                 min_t(unsigned int, attr->mq_maxmsg, MQ_PRIO_MAX) *
                 sizeof(struct posix_msg_tree_node);
         total_size = attr->mq_maxmsg * attr->mq_msgsize;
         if (total_size + mq_treesize < total_size)
-                return 0;
-        return 1;
+                return -EOVERFLOW;
+        return 0;
 }
 
 /*
@@ -714,12 +714,21 @@ static struct file *do_create(struct ipc_namespace *ipc_ns, struct dentry *dir,
         int ret;
 
         if (attr) {
-                if (!mq_attr_ok(ipc_ns, attr)) {
-                        ret = -EINVAL;
+                ret = mq_attr_ok(ipc_ns, attr);
+                if (ret)
                         goto out;
-                }
                 /* store for use during create */
                 dentry->d_fsdata = attr;
+        } else {
+                struct mq_attr def_attr;
+
+                def_attr.mq_maxmsg = min(ipc_ns->mq_msg_max,
+                                         ipc_ns->mq_msg_default);
+                def_attr.mq_msgsize = min(ipc_ns->mq_msgsize_max,
+                                          ipc_ns->mq_msgsize_default);
+                ret = mq_attr_ok(ipc_ns, &def_attr);
+                if (ret)
+                        goto out;
         }
 
         mode &= ~current_umask();