diff options
Diffstat (limited to 'ipc/namespace.c')
| -rw-r--r-- | ipc/namespace.c | 39 |
1 files changed, 35 insertions, 4 deletions
diff --git a/ipc/namespace.c b/ipc/namespace.c index 9171d948751e..4a5e752a9276 100644 --- a/ipc/namespace.c +++ b/ipc/namespace.c | |||
| @@ -9,17 +9,26 @@ | |||
| 9 | #include <linux/rcupdate.h> | 9 | #include <linux/rcupdate.h> |
| 10 | #include <linux/nsproxy.h> | 10 | #include <linux/nsproxy.h> |
| 11 | #include <linux/slab.h> | 11 | #include <linux/slab.h> |
| 12 | #include <linux/fs.h> | ||
| 13 | #include <linux/mount.h> | ||
| 12 | 14 | ||
| 13 | #include "util.h" | 15 | #include "util.h" |
| 14 | 16 | ||
| 15 | static struct ipc_namespace *clone_ipc_ns(struct ipc_namespace *old_ns) | 17 | static struct ipc_namespace *clone_ipc_ns(struct ipc_namespace *old_ns) |
| 16 | { | 18 | { |
| 17 | struct ipc_namespace *ns; | 19 | struct ipc_namespace *ns; |
| 20 | int err; | ||
| 18 | 21 | ||
| 19 | ns = kmalloc(sizeof(struct ipc_namespace), GFP_KERNEL); | 22 | ns = kmalloc(sizeof(struct ipc_namespace), GFP_KERNEL); |
| 20 | if (ns == NULL) | 23 | if (ns == NULL) |
| 21 | return ERR_PTR(-ENOMEM); | 24 | return ERR_PTR(-ENOMEM); |
| 22 | 25 | ||
| 26 | atomic_set(&ns->count, 1); | ||
| 27 | err = mq_init_ns(ns); | ||
| 28 | if (err) { | ||
| 29 | kfree(ns); | ||
| 30 | return ERR_PTR(err); | ||
| 31 | } | ||
| 23 | atomic_inc(&nr_ipc_ns); | 32 | atomic_inc(&nr_ipc_ns); |
| 24 | 33 | ||
| 25 | sem_init_ns(ns); | 34 | sem_init_ns(ns); |
| @@ -34,7 +43,6 @@ static struct ipc_namespace *clone_ipc_ns(struct ipc_namespace *old_ns) | |||
| 34 | ipcns_notify(IPCNS_CREATED); | 43 | ipcns_notify(IPCNS_CREATED); |
| 35 | register_ipcns_notifier(ns); | 44 | register_ipcns_notifier(ns); |
| 36 | 45 | ||
| 37 | kref_init(&ns->kref); | ||
| 38 | return ns; | 46 | return ns; |
| 39 | } | 47 | } |
| 40 | 48 | ||
| @@ -84,11 +92,34 @@ void free_ipcs(struct ipc_namespace *ns, struct ipc_ids *ids, | |||
| 84 | up_write(&ids->rw_mutex); | 92 | up_write(&ids->rw_mutex); |
| 85 | } | 93 | } |
| 86 | 94 | ||
| 87 | void free_ipc_ns(struct kref *kref) | 95 | /* |
| 96 | * put_ipc_ns - drop a reference to an ipc namespace. | ||
| 97 | * @ns: the namespace to put | ||
| 98 | * | ||
| 99 | * If this is the last task in the namespace exiting, and | ||
| 100 | * it is dropping the refcount to 0, then it can race with | ||
| 101 | * a task in another ipc namespace but in a mounts namespace | ||
| 102 | * which has this ipcns's mqueuefs mounted, doing some action | ||
| 103 | * with one of the mqueuefs files. That can raise the refcount. | ||
| 104 | * So dropping the refcount, and raising the refcount when | ||
| 105 | * accessing it through the VFS, are protected with mq_lock. | ||
| 106 | * | ||
| 107 | * (Clearly, a task raising the refcount on its own ipc_ns | ||
| 108 | * needn't take mq_lock since it can't race with the last task | ||
| 109 | * in the ipcns exiting). | ||
| 110 | */ | ||
| 111 | void put_ipc_ns(struct ipc_namespace *ns) | ||
| 88 | { | 112 | { |
| 89 | struct ipc_namespace *ns; | 113 | if (atomic_dec_and_lock(&ns->count, &mq_lock)) { |
| 114 | mq_clear_sbinfo(ns); | ||
| 115 | spin_unlock(&mq_lock); | ||
| 116 | mq_put_mnt(ns); | ||
| 117 | free_ipc_ns(ns); | ||
| 118 | } | ||
| 119 | } | ||
| 90 | 120 | ||
| 91 | ns = container_of(kref, struct ipc_namespace, kref); | 121 | void free_ipc_ns(struct ipc_namespace *ns) |
| 122 | { | ||
| 92 | /* | 123 | /* |
| 93 | * Unregistering the hotplug notifier at the beginning guarantees | 124 | * Unregistering the hotplug notifier at the beginning guarantees |
| 94 | * that the ipc namespace won't be freed while we are inside the | 125 | * that the ipc namespace won't be freed while we are inside the |