Home Explore Help
Sign In
GfA
/
linux_kernel
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

ipc: fix ipc data structures inconsistency

As described in the title, this patch fixes <ipc>id_ds inconsistency when
<ipc>ctl_stat executes concurrently with some ds-changing function, e.g.
shmat, msgsnd or whatever.

For instance, if shmctl(IPC_STAT) is running concurrently
with shmat, following data structure can be returned:
{... shm_lpid = 0, shm_nattch = 1, ...}

Link: http://lkml.kernel.org/r/20171202153456.6514-1-philippe.mikoyan@skat.systems
Signed-off-by: Philippe Mikoyan <philippe.mikoyan@skat.systems>
Reviewed-by: Davidlohr Bueso <dbueso@suse.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Philippe Mikoyan 7 years ago
parent
bac7a1fff7
commit
87ad4b0d85
4 changed files with 43 additions and 12 deletions
Unified View Show Diff Stats
  1. 14 6
      ipc/msg.c
  2. 10 0
      ipc/sem.c
  3. 15 5
      ipc/shm.c
  4. 4 1
      ipc/util.c

+ 14 - 6
ipc/msg.c
View File 

@@ -476,9 +476,9 @@ static int msgctl_info(struct ipc_namespace *ns, int msqid,
 
 static int msgctl_stat(struct ipc_namespace *ns, int msqid,
 
 static int msgctl_stat(struct ipc_namespace *ns, int msqid,
 
 			 int cmd, struct msqid64_ds *p)
 
 			 int cmd, struct msqid64_ds *p)
 
 {
 
 {
 
-	int err;
 
 	struct msg_queue *msq;
 
 	struct msg_queue *msq;
 
-	int success_return;
 
+	int id = 0;
 
+	int err;
 
 
 
 	memset(p, 0, sizeof(*p));
 
 	memset(p, 0, sizeof(*p));
 
 
 
@@ -489,14 +489,13 @@ static int msgctl_stat(struct ipc_namespace *ns, int msqid,
 
 			err = PTR_ERR(msq);
 
 			err = PTR_ERR(msq);
 
 			goto out_unlock;
 
 			goto out_unlock;
 
 		}
 
 		}
 
-		success_return = msq->q_perm.id;
 
+		id = msq->q_perm.id;
 
 	} else {
 
 	} else {
 
 		msq = msq_obtain_object_check(ns, msqid);
 
 		msq = msq_obtain_object_check(ns, msqid);
 
 		if (IS_ERR(msq)) {
 
 		if (IS_ERR(msq)) {
 
 			err = PTR_ERR(msq);
 
 			err = PTR_ERR(msq);
 
 			goto out_unlock;
 
 			goto out_unlock;
 
 		}
 
 		}
 
-		success_return = 0;
 
 	}
 
 	}
 
 
 
 	err = -EACCES;
 
 	err = -EACCES;
 
@@ -507,6 +506,14 @@ static int msgctl_stat(struct ipc_namespace *ns, int msqid,
 
 	if (err)
 
 	if (err)
 
 		goto out_unlock;
 
 		goto out_unlock;
 
 
 
+	ipc_lock_object(&msq->q_perm);
 
+
 
+	if (!ipc_valid_object(&msq->q_perm)) {
 
+		ipc_unlock_object(&msq->q_perm);
 
+		err = -EIDRM;
 
+		goto out_unlock;
 
+	}
 
+
 
 	kernel_to_ipc64_perm(&msq->q_perm, &p->msg_perm);
 
 	kernel_to_ipc64_perm(&msq->q_perm, &p->msg_perm);
 
 	p->msg_stime  = msq->q_stime;
 
 	p->msg_stime  = msq->q_stime;
 
 	p->msg_rtime  = msq->q_rtime;
 
 	p->msg_rtime  = msq->q_rtime;
 
@@ -516,9 +523,10 @@ static int msgctl_stat(struct ipc_namespace *ns, int msqid,
 
 	p->msg_qbytes = msq->q_qbytes;
 
 	p->msg_qbytes = msq->q_qbytes;
 
 	p->msg_lspid  = msq->q_lspid;
 
 	p->msg_lspid  = msq->q_lspid;
 
 	p->msg_lrpid  = msq->q_lrpid;
 
 	p->msg_lrpid  = msq->q_lrpid;
 
-	rcu_read_unlock();
 
 
 
-	return success_return;
 
+	ipc_unlock_object(&msq->q_perm);
 
+	rcu_read_unlock();
 
+	return id;
 
 
 
 out_unlock:
 
 out_unlock:
 
 	rcu_read_unlock();
 
 	rcu_read_unlock();

+ 10 - 0
ipc/sem.c
View File 

@@ -1213,10 +1213,20 @@ static int semctl_stat(struct ipc_namespace *ns, int semid,
 
 	if (err)
 
 	if (err)
 
 		goto out_unlock;
 
 		goto out_unlock;
 
 
 
+	ipc_lock_object(&sma->sem_perm);
 
+
 
+	if (!ipc_valid_object(&sma->sem_perm)) {
 
+		ipc_unlock_object(&sma->sem_perm);
 
+		err = -EIDRM;
 
+		goto out_unlock;
 
+	}
 
+
 
 	kernel_to_ipc64_perm(&sma->sem_perm, &semid64->sem_perm);
 
 	kernel_to_ipc64_perm(&sma->sem_perm, &semid64->sem_perm);
 
 	semid64->sem_otime = get_semotime(sma);
 
 	semid64->sem_otime = get_semotime(sma);
 
 	semid64->sem_ctime = sma->sem_ctime;
 
 	semid64->sem_ctime = sma->sem_ctime;
 
 	semid64->sem_nsems = sma->sem_nsems;
 
 	semid64->sem_nsems = sma->sem_nsems;
 
+
 
+	ipc_unlock_object(&sma->sem_perm);
 
 	rcu_read_unlock();
 
 	rcu_read_unlock();
 
 	return id;
 
 	return id;

+ 15 - 5
ipc/shm.c
View File 

@@ -909,9 +909,11 @@ static int shmctl_stat(struct ipc_namespace *ns, int shmid,
 
 			int cmd, struct shmid64_ds *tbuf)
 
 			int cmd, struct shmid64_ds *tbuf)
 
 {
 
 {
 
 	struct shmid_kernel *shp;
 
 	struct shmid_kernel *shp;
 
-	int result;
 
+	int id = 0;
 
 	int err;
 
 	int err;
 
 
 
+	memset(tbuf, 0, sizeof(*tbuf));
 
+
 
 	rcu_read_lock();
 
 	rcu_read_lock();
 
 	if (cmd == SHM_STAT) {
 
 	if (cmd == SHM_STAT) {
 
 		shp = shm_obtain_object(ns, shmid);
 
 		shp = shm_obtain_object(ns, shmid);
 
@@ -919,14 +921,13 @@ static int shmctl_stat(struct ipc_namespace *ns, int shmid,
 
 			err = PTR_ERR(shp);
 
 			err = PTR_ERR(shp);
 
 			goto out_unlock;
 
 			goto out_unlock;
 
 		}
 
 		}
 
-		result = shp->shm_perm.id;
 
+		id = shp->shm_perm.id;
 
 	} else {
 
 	} else {
 
 		shp = shm_obtain_object_check(ns, shmid);
 
 		shp = shm_obtain_object_check(ns, shmid);
 
 		if (IS_ERR(shp)) {
 
 		if (IS_ERR(shp)) {
 
 			err = PTR_ERR(shp);
 
 			err = PTR_ERR(shp);
 
 			goto out_unlock;
 
 			goto out_unlock;
 
 		}
 
 		}
 
-		result = 0;
 
 	}
 
 	}
 
 
 
 	err = -EACCES;
 
 	err = -EACCES;
 
@@ -937,7 +938,14 @@ static int shmctl_stat(struct ipc_namespace *ns, int shmid,
 
 	if (err)
 
 	if (err)
 
 		goto out_unlock;
 
 		goto out_unlock;
 
 
 
-	memset(tbuf, 0, sizeof(*tbuf));
 
+	ipc_lock_object(&shp->shm_perm);
 
+
 
+	if (!ipc_valid_object(&shp->shm_perm)) {
 
+		ipc_unlock_object(&shp->shm_perm);
 
+		err = -EIDRM;
 
+		goto out_unlock;
 
+	}
 
+
 
 	kernel_to_ipc64_perm(&shp->shm_perm, &tbuf->shm_perm);
 
 	kernel_to_ipc64_perm(&shp->shm_perm, &tbuf->shm_perm);
 
 	tbuf->shm_segsz	= shp->shm_segsz;
 
 	tbuf->shm_segsz	= shp->shm_segsz;
 
 	tbuf->shm_atime	= shp->shm_atim;
 
 	tbuf->shm_atime	= shp->shm_atim;
 
@@ -946,8 +954,10 @@ static int shmctl_stat(struct ipc_namespace *ns, int shmid,
 
 	tbuf->shm_cpid	= shp->shm_cprid;
 
 	tbuf->shm_cpid	= shp->shm_cprid;
 
 	tbuf->shm_lpid	= shp->shm_lprid;
 
 	tbuf->shm_lpid	= shp->shm_lprid;
 
 	tbuf->shm_nattch = shp->shm_nattch;
 
 	tbuf->shm_nattch = shp->shm_nattch;
 
+
 
+	ipc_unlock_object(&shp->shm_perm);
 
 	rcu_read_unlock();
 
 	rcu_read_unlock();
 
-	return result;
 
+	return id;
 
 
 
 out_unlock:
 
 out_unlock:
 
 	rcu_read_unlock();
 
 	rcu_read_unlock();

+ 4 - 1
ipc/util.c
View File 

@@ -23,9 +23,12 @@
 
  *	    tree.
 
  *	    tree.
 
  *	    - perform initial checks (capabilities, auditing and permission,
 
  *	    - perform initial checks (capabilities, auditing and permission,
 
  *	      etc).
 
  *	      etc).
 
- *	    - perform read-only operations, such as STAT, INFO commands.
 
+ *	    - perform read-only operations, such as INFO command, that
 
+ *	      do not demand atomicity
 
  *	      acquire the ipc lock (kern_ipc_perm.lock) through
 
  *	      acquire the ipc lock (kern_ipc_perm.lock) through
 
  *	      ipc_lock_object()
 
  *	      ipc_lock_object()
 
+ *		- perform read-only operations that demand atomicity,
 
+ *		  such as STAT command.
 
  *		- perform data updates, such as SET, RMID commands and
 
  *		- perform data updates, such as SET, RMID commands and
 
  *		  mechanism-specific operations (semop/semtimedop,
 
  *		  mechanism-specific operations (semop/semtimedop,
 
  *		  msgsnd/msgrcv, shmat/shmdt).
 
  *		  msgsnd/msgrcv, shmat/shmdt).