-rw-r--r-- | ipc/mqueue.c | 77 |
1 files changed, 50 insertions, 27 deletions
diff --git a/ipc/mqueue.c b/ipc/mqueue.c index 3853116a2ef8..547d9c8631f5 100644 --- a/ipc/mqueue.c +++ b/ipc/mqueue.c | |||
@@ -184,7 +184,7 @@ static int mqueue_fill_super(struct super_block *sb, void *data, int silent) | |||
184 | { | 184 | { |
185 | struct inode *inode; | 185 | struct inode *inode; |
186 | struct ipc_namespace *ns = data; | 186 | struct ipc_namespace *ns = data; |
187 | int error = 0; | 187 | int error; |
188 | 188 | ||
189 | sb->s_blocksize = PAGE_CACHE_SIZE; | 189 | sb->s_blocksize = PAGE_CACHE_SIZE; |
190 | sb->s_blocksize_bits = PAGE_CACHE_SHIFT; | 190 | sb->s_blocksize_bits = PAGE_CACHE_SHIFT; |
@@ -202,7 +202,9 @@ static int mqueue_fill_super(struct super_block *sb, void *data, int silent) | |||
202 | if (!sb->s_root) { | 202 | if (!sb->s_root) { |
203 | iput(inode); | 203 | iput(inode); |
204 | error = -ENOMEM; | 204 | error = -ENOMEM; |
205 | goto out; | ||
205 | } | 206 | } |
207 | error = 0; | ||
206 | 208 | ||
207 | out: | 209 | out: |
208 | return error; | 210 | return error; |
@@ -621,9 +623,10 @@ static struct file *do_create(struct ipc_namespace *ipc_ns, struct dentry *dir, | |||
621 | int ret; | 623 | int ret; |
622 | 624 | ||
623 | if (attr) { | 625 | if (attr) { |
624 | ret = -EINVAL; | 626 | if (!mq_attr_ok(ipc_ns, attr)) { |
625 | if (!mq_attr_ok(ipc_ns, attr)) | 627 | ret = -EINVAL; |
626 | goto out; | 628 | goto out; |
629 | } | ||
627 | /* store for use during create */ | 630 | /* store for use during create */ |
628 | dentry->d_fsdata = attr; | 631 | dentry->d_fsdata = attr; |
629 | } | 632 | } |
@@ -714,9 +717,10 @@ SYSCALL_DEFINE4(mq_open, const char __user *, u_name, int, oflag, mode_t, mode, | |||
714 | if (oflag & O_CREAT) { | 717 | if (oflag & O_CREAT) { |
715 | if (dentry->d_inode) { /* entry already exists */ | 718 | if (dentry->d_inode) { /* entry already exists */ |
716 | audit_inode(name, dentry); | 719 | audit_inode(name, dentry); |
717 | error = -EEXIST; | 720 | if (oflag & O_EXCL) { |
718 | if (oflag & O_EXCL) | 721 | error = -EEXIST; |
719 | goto out; | 722 | goto out; |
723 | } | ||
720 | filp = do_open(ipc_ns, dentry, oflag); | 724 | filp = do_open(ipc_ns, dentry, oflag); |
721 | } else { | 725 | } else { |
722 | filp = do_create(ipc_ns, ipc_ns->mq_mnt->mnt_root, | 726 | filp = do_create(ipc_ns, ipc_ns->mq_mnt->mnt_root, |
@@ -724,9 +728,10 @@ SYSCALL_DEFINE4(mq_open, const char __user *, u_name, int, oflag, mode_t, mode, | |||
724 | u_attr ? &attr : NULL); | 728 | u_attr ? &attr : NULL); |
725 | } | 729 | } |
726 | } else { | 730 | } else { |
727 | error = -ENOENT; | 731 | if (!dentry->d_inode) { |
728 | if (!dentry->d_inode) | 732 | error = -ENOENT; |
729 | goto out; | 733 | goto out; |
734 | } | ||
730 | audit_inode(name, dentry); | 735 | audit_inode(name, dentry); |
731 | filp = do_open(ipc_ns, dentry, oflag); | 736 | filp = do_open(ipc_ns, dentry, oflag); |
732 | } | 737 | } |
@@ -873,19 +878,24 @@ SYSCALL_DEFINE5(mq_timedsend, mqd_t, mqdes, const char __user *, u_msg_ptr, | |||
873 | audit_mq_sendrecv(mqdes, msg_len, msg_prio, p); | 878 | audit_mq_sendrecv(mqdes, msg_len, msg_prio, p); |
874 | timeout = prepare_timeout(p); | 879 | timeout = prepare_timeout(p); |
875 | 880 | ||
876 | ret = -EBADF; | ||
877 | filp = fget(mqdes); | 881 | filp = fget(mqdes); |
878 | if (unlikely(!filp)) | 882 | if (unlikely(!filp)) { |
883 | ret = -EBADF; | ||
879 | goto out; | 884 | goto out; |
885 | } | ||
880 | 886 | ||
881 | inode = filp->f_path.dentry->d_inode; | 887 | inode = filp->f_path.dentry->d_inode; |
882 | if (unlikely(filp->f_op != &mqueue_file_operations)) | 888 | if (unlikely(filp->f_op != &mqueue_file_operations)) { |
889 | ret = -EBADF; | ||
883 | goto out_fput; | 890 | goto out_fput; |
891 | } | ||
884 | info = MQUEUE_I(inode); | 892 | info = MQUEUE_I(inode); |
885 | audit_inode(NULL, filp->f_path.dentry); | 893 | audit_inode(NULL, filp->f_path.dentry); |
886 | 894 | ||
887 | if (unlikely(!(filp->f_mode & FMODE_WRITE))) | 895 | if (unlikely(!(filp->f_mode & FMODE_WRITE))) { |
896 | ret = -EBADF; | ||
888 | goto out_fput; | 897 | goto out_fput; |
898 | } | ||
889 | 899 | ||
890 | if (unlikely(msg_len > info->attr.mq_msgsize)) { | 900 | if (unlikely(msg_len > info->attr.mq_msgsize)) { |
891 | ret = -EMSGSIZE; | 901 | ret = -EMSGSIZE; |
@@ -962,19 +972,24 @@ SYSCALL_DEFINE5(mq_timedreceive, mqd_t, mqdes, char __user *, u_msg_ptr, | |||
962 | audit_mq_sendrecv(mqdes, msg_len, 0, p); | 972 | audit_mq_sendrecv(mqdes, msg_len, 0, p); |
963 | timeout = prepare_timeout(p); | 973 | timeout = prepare_timeout(p); |
964 | 974 | ||
965 | ret = -EBADF; | ||
966 | filp = fget(mqdes); | 975 | filp = fget(mqdes); |
967 | if (unlikely(!filp)) | 976 | if (unlikely(!filp)) { |
977 | ret = -EBADF; | ||
968 | goto out; | 978 | goto out; |
979 | } | ||
969 | 980 | ||
970 | inode = filp->f_path.dentry->d_inode; | 981 | inode = filp->f_path.dentry->d_inode; |
971 | if (unlikely(filp->f_op != &mqueue_file_operations)) | 982 | if (unlikely(filp->f_op != &mqueue_file_operations)) { |
983 | ret = -EBADF; | ||
972 | goto out_fput; | 984 | goto out_fput; |
985 | } | ||
973 | info = MQUEUE_I(inode); | 986 | info = MQUEUE_I(inode); |
974 | audit_inode(NULL, filp->f_path.dentry); | 987 | audit_inode(NULL, filp->f_path.dentry); |
975 | 988 | ||
976 | if (unlikely(!(filp->f_mode & FMODE_READ))) | 989 | if (unlikely(!(filp->f_mode & FMODE_READ))) { |
990 | ret = -EBADF; | ||
977 | goto out_fput; | 991 | goto out_fput; |
992 | } | ||
978 | 993 | ||
979 | /* checks if buffer is big enough */ | 994 | /* checks if buffer is big enough */ |
980 | if (unlikely(msg_len < info->attr.mq_msgsize)) { | 995 | if (unlikely(msg_len < info->attr.mq_msgsize)) { |
@@ -1064,13 +1079,14 @@ SYSCALL_DEFINE2(mq_notify, mqd_t, mqdes, | |||
1064 | 1079 | ||
1065 | /* create the notify skb */ | 1080 | /* create the notify skb */ |
1066 | nc = alloc_skb(NOTIFY_COOKIE_LEN, GFP_KERNEL); | 1081 | nc = alloc_skb(NOTIFY_COOKIE_LEN, GFP_KERNEL); |
1067 | ret = -ENOMEM; | 1082 | if (!nc) { |
1068 | if (!nc) | 1083 | ret = -ENOMEM; |
1069 | goto out; | 1084 | goto out; |
1070 | ret = -EFAULT; | 1085 | } |
1071 | if (copy_from_user(nc->data, | 1086 | if (copy_from_user(nc->data, |
1072 | notification.sigev_value.sival_ptr, | 1087 | notification.sigev_value.sival_ptr, |
1073 | NOTIFY_COOKIE_LEN)) { | 1088 | NOTIFY_COOKIE_LEN)) { |
1089 | ret = -EFAULT; | ||
1074 | goto out; | 1090 | goto out; |
1075 | } | 1091 | } |
1076 | 1092 | ||
@@ -1079,9 +1095,10 @@ SYSCALL_DEFINE2(mq_notify, mqd_t, mqdes, | |||
1079 | /* and attach it to the socket */ | 1095 | /* and attach it to the socket */ |
1080 | retry: | 1096 | retry: |
1081 | filp = fget(notification.sigev_signo); | 1097 | filp = fget(notification.sigev_signo); |
1082 | ret = -EBADF; | 1098 | if (!filp) { |
1083 | if (!filp) | 1099 | ret = -EBADF; |
1084 | goto out; | 1100 | goto out; |
1101 | } | ||
1085 | sock = netlink_getsockbyfilp(filp); | 1102 | sock = netlink_getsockbyfilp(filp); |
1086 | fput(filp); | 1103 | fput(filp); |
1087 | if (IS_ERR(sock)) { | 1104 | if (IS_ERR(sock)) { |
@@ -1093,7 +1110,7 @@ retry: | |||
1093 | timeo = MAX_SCHEDULE_TIMEOUT; | 1110 | timeo = MAX_SCHEDULE_TIMEOUT; |
1094 | ret = netlink_attachskb(sock, nc, &timeo, NULL); | 1111 | ret = netlink_attachskb(sock, nc, &timeo, NULL); |
1095 | if (ret == 1) | 1112 | if (ret == 1) |
1096 | goto retry; | 1113 | goto retry; |
1097 | if (ret) { | 1114 | if (ret) { |
1098 | sock = NULL; | 1115 | sock = NULL; |
1099 | nc = NULL; | 1116 | nc = NULL; |
@@ -1102,14 +1119,17 @@ retry: | |||
1102 | } | 1119 | } |
1103 | } | 1120 | } |
1104 | 1121 | ||
1105 | ret = -EBADF; | ||
1106 | filp = fget(mqdes); | 1122 | filp = fget(mqdes); |
1107 | if (!filp) | 1123 | if (!filp) { |
1124 | ret = -EBADF; | ||
1108 | goto out; | 1125 | goto out; |
1126 | } | ||
1109 | 1127 | ||
1110 | inode = filp->f_path.dentry->d_inode; | 1128 | inode = filp->f_path.dentry->d_inode; |
1111 | if (unlikely(filp->f_op != &mqueue_file_operations)) | 1129 | if (unlikely(filp->f_op != &mqueue_file_operations)) { |
1130 | ret = -EBADF; | ||
1112 | goto out_fput; | 1131 | goto out_fput; |
1132 | } | ||
1113 | info = MQUEUE_I(inode); | 1133 | info = MQUEUE_I(inode); |
1114 | 1134 | ||
1115 | ret = 0; | 1135 | ret = 0; |
@@ -1172,14 +1192,17 @@ SYSCALL_DEFINE3(mq_getsetattr, mqd_t, mqdes, | |||
1172 | return -EINVAL; | 1192 | return -EINVAL; |
1173 | } | 1193 | } |
1174 | 1194 | ||
1175 | ret = -EBADF; | ||
1176 | filp = fget(mqdes); | 1195 | filp = fget(mqdes); |
1177 | if (!filp) | 1196 | if (!filp) { |
1197 | ret = -EBADF; | ||
1178 | goto out; | 1198 | goto out; |
1199 | } | ||
1179 | 1200 | ||
1180 | inode = filp->f_path.dentry->d_inode; | 1201 | inode = filp->f_path.dentry->d_inode; |
1181 | if (unlikely(filp->f_op != &mqueue_file_operations)) | 1202 | if (unlikely(filp->f_op != &mqueue_file_operations)) { |
1203 | ret = -EBADF; | ||
1182 | goto out_fput; | 1204 | goto out_fput; |
1205 | } | ||
1183 | info = MQUEUE_I(inode); | 1206 | info = MQUEUE_I(inode); |
1184 | 1207 | ||
1185 | spin_lock(&info->lock); | 1208 | spin_lock(&info->lock); |
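Review bot: In the two mq_notify hunks around `retry:`, the `if (ret == 1) goto retry;` path leaves `sock` pointing at the socket from the previous pass, and the `if (!filp) { ret = -EBADF; goto out; }` branch right after `retry:` can then reach `out` with that stale pointer. The `out:` cleanup lies outside the visible hunks, but if it releases `sock` whenever it is non-NULL, and netlink_attachskb() has already dropped its reference before returning 1 (as I believe it does), the socket reference would be dropped twice. Clearing the pointer before looping closes that window: `if (ret == 1) { sock = NULL; goto retry; }`. The `if (ret)` branch just below already sets `sock = NULL` and `nc = NULL`, presumably for the same reason, so the retry branch should match it.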