ipc,msg: prevent race with rmid in msgsnd,msgrcv

This fixes a race in both msgrcv() and msgsnd() between finding the msg and actually dealing with the queue, as another thread can delete shmid underneath us if we are preempted before acquiring the kern_ipc_perm.lock. Manfred illustrates this nicely: Assume a preemptible kernel that is preempted just after msq = msq_obtain_object_check(ns, msqid) in do_msgrcv(). The only lock that is held is rcu_read_lock(). Now the other thread processes IPC_RMID. When the first task is resumed, then it will happily wait for messages on a deleted queue. Fix this by checking for if the queue has been deleted after taking the lock. Signed-off-by: Davidlohr Bueso <davidlohr@hp.com> Reported-by: Manfred Spraul <manfred@colorfullife.com> Cc: Rik van Riel <riel@redhat.com> Cc: Mike Galbraith <efault@gmx.de> Cc: <stable@vger.kernel.org> [3.11] Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
author: Davidlohr Bueso <davidlohr@hp.com> 2013-09-30 16:45:26 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2013-09-30 17:31:03 -0400
commit: 4271b05a227dc6175b66c3d9941aeab09048aeb2 (patch)
tree: 0c535ee0400940f5ad905128c9ecb405c9d65980 /ipc
parent: 0e8c665699e953fa58dc1b0b0d09e5dce7343cc7 (diff)
1 files changed, 13 insertions, 0 deletions
diff --git a/ipc/msg.c b/ipc/msg.c
index 9e4310c546ae..558aa91186b6 100644
--- a/ipc/msg.c
+++ b/ipc/msg.c
@@ -695,6 +695,12 @@ long do_msgsnd(int msqid, long mtype, void __user *mtext,
                if (ipcperms(ns, &msq->q_perm, S_IWUGO))
                        goto out_unlock0;
+                /* raced with RMID? */
+                if (msq->q_perm.deleted) {
+                        err = -EIDRM;
+                        goto out_unlock0;
+                }
                err = security_msg_queue_msgsnd(msq, msg, msgflg);
                if (err)
                        goto out_unlock0;
@@ -901,6 +907,13 @@ long do_msgrcv(int msqid, void __user *buf, size_t bufsz, long msgtyp, int msgfl
                        goto out_unlock1;
                ipc_lock_object(&msq->q_perm);
+                /* raced with RMID? */
+                if (msq->q_perm.deleted) {
+                        msg = ERR_PTR(-EIDRM);
+                        goto out_unlock0;
+                }
                msg = find_msg(msq, &msgtyp, mode);
                if (!IS_ERR(msg)) {
                        /*
author	Davidlohr Bueso <davidlohr@hp.com>	2013-09-30 16:45:26 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2013-09-30 17:31:03 -0400
commit	4271b05a227dc6175b66c3d9941aeab09048aeb2 (patch)
tree	0c535ee0400940f5ad905128c9ecb405c9d65980 /ipc
parent	0e8c665699e953fa58dc1b0b0d09e5dce7343cc7 (diff)

diff --git a/ipc/msg.c b/ipc/msg.c index 9e4310c546ae..558aa91186b6 100644 --- a/ipc/msg.c +++ b/ipc/msg.c
@@ -695,6 +695,12 @@ long do_msgsnd(int msqid, long mtype, void __user *mtext,
695	if (ipcperms(ns, &msq->q_perm, S_IWUGO))	695	if (ipcperms(ns, &msq->q_perm, S_IWUGO))
696	goto out_unlock0;	696	goto out_unlock0;
697		697
		698	/* raced with RMID? */
		699	if (msq->q_perm.deleted) {
		700	err = -EIDRM;
		701	goto out_unlock0;
		702	}
		703
698	err = security_msg_queue_msgsnd(msq, msg, msgflg);	704	err = security_msg_queue_msgsnd(msq, msg, msgflg);
699	if (err)	705	if (err)
700	goto out_unlock0;	706	goto out_unlock0;
@@ -901,6 +907,13 @@ long do_msgrcv(int msqid, void __user *buf, size_t bufsz, long msgtyp, int msgfl
901	goto out_unlock1;	907	goto out_unlock1;
902		908
903	ipc_lock_object(&msq->q_perm);	909	ipc_lock_object(&msq->q_perm);
		910
		911	/* raced with RMID? */
		912	if (msq->q_perm.deleted) {
		913	msg = ERR_PTR(-EIDRM);
		914	goto out_unlock0;
		915	}
		916
904	msg = find_msg(msq, &msgtyp, mode);	917	msg = find_msg(msq, &msgtyp, mode);
905	if (!IS_ERR(msg)) {	918	if (!IS_ERR(msg)) {
906	/*	919	/*