ipc: fix GETALL/IPC_RM race for sysv semaphores
We can step on WARN_ON_ONCE() in sem_getref() if a semaphore is removed just as we are about to call sem_getref() from semctl_main(); results are not pretty. We should fail with -EIDRM, same as if IPC_RM happened while we'd been doing allocation there. This also expands sem_getref() at its only callsite (and fixed there), while sem_getref_and_unlock() is simply killed off - it has no callers at all. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Acked-by: Davidlohr Bueso <davidlohr.bueso@hp.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
parent
20a2078ce7
commit
ce857229e0
1 changed files with 8 additions and 21 deletions
29
ipc/sem.c
29
ipc/sem.c
|
@ -328,28 +328,12 @@ static inline void sem_lock_and_putref(struct sem_array *sma)
|
||||||
ipc_rcu_putref(sma);
|
ipc_rcu_putref(sma);
|
||||||
}
|
}
|
||||||
|
|
||||||
static inline void sem_getref_and_unlock(struct sem_array *sma)
|
|
||||||
{
|
|
||||||
WARN_ON_ONCE(!ipc_rcu_getref(sma));
|
|
||||||
sem_unlock(sma, -1);
|
|
||||||
}
|
|
||||||
|
|
||||||
static inline void sem_putref(struct sem_array *sma)
|
static inline void sem_putref(struct sem_array *sma)
|
||||||
{
|
{
|
||||||
sem_lock_and_putref(sma);
|
sem_lock_and_putref(sma);
|
||||||
sem_unlock(sma, -1);
|
sem_unlock(sma, -1);
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
|
||||||
* Call inside the rcu read section.
|
|
||||||
*/
|
|
||||||
static inline void sem_getref(struct sem_array *sma)
|
|
||||||
{
|
|
||||||
sem_lock(sma, NULL, -1);
|
|
||||||
WARN_ON_ONCE(!ipc_rcu_getref(sma));
|
|
||||||
sem_unlock(sma, -1);
|
|
||||||
}
|
|
||||||
|
|
||||||
static inline void sem_rmid(struct ipc_namespace *ns, struct sem_array *s)
|
static inline void sem_rmid(struct ipc_namespace *ns, struct sem_array *s)
|
||||||
{
|
{
|
||||||
ipc_rmid(&sem_ids(ns), &s->sem_perm);
|
ipc_rmid(&sem_ids(ns), &s->sem_perm);
|
||||||
|
@ -1116,9 +1100,14 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum,
|
||||||
ushort __user *array = p;
|
ushort __user *array = p;
|
||||||
int i;
|
int i;
|
||||||
|
|
||||||
|
sem_lock(sma, NULL, -1);
|
||||||
if(nsems > SEMMSL_FAST) {
|
if(nsems > SEMMSL_FAST) {
|
||||||
sem_getref(sma);
|
if (!ipc_rcu_getref(sma)) {
|
||||||
|
sem_unlock(sma, -1);
|
||||||
|
err = -EIDRM;
|
||||||
|
goto out_free;
|
||||||
|
}
|
||||||
|
sem_unlock(sma, -1);
|
||||||
sem_io = ipc_alloc(sizeof(ushort)*nsems);
|
sem_io = ipc_alloc(sizeof(ushort)*nsems);
|
||||||
if(sem_io == NULL) {
|
if(sem_io == NULL) {
|
||||||
sem_putref(sma);
|
sem_putref(sma);
|
||||||
|
@ -1131,9 +1120,7 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum,
|
||||||
err = -EIDRM;
|
err = -EIDRM;
|
||||||
goto out_free;
|
goto out_free;
|
||||||
}
|
}
|
||||||
} else
|
}
|
||||||
sem_lock(sma, NULL, -1);
|
|
||||||
|
|
||||||
for (i = 0; i < sma->sem_nsems; i++)
|
for (i = 0; i < sma->sem_nsems; i++)
|
||||||
sem_io[i] = sma->sem_base[i].semval;
|
sem_io[i] = sma->sem_base[i].semval;
|
||||||
sem_unlock(sma, -1);
|
sem_unlock(sma, -1);
|
||||||
|
|
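Review bot: In the GETALL path of semctl_main(), the new `sem_lock(sma, NULL, -1);` runs before the `nsems > SEMMSL_FAST` test, but when that test is false the code falls straight through to the loop reading `sma->sem_nsems` and `sma->sem_base[i].semval` with no removal check. Only the large-array branch can return -EIDRM. Whether sem_lock() itself rejects an array already marked removed by IPC_RMID is not visible in these hunks; if it does not, the small-array path can still read from a semaphore set that is being torn down. Consider testing `if (sma->sem_perm.deleted)` right after the new lock and failing with the same unlock, `err = -EIDRM;`, `goto out_free;` sequence the new branch uses, so both sizes behave alike. The deleted sem_getref() also carried the comment "Call inside the rcu read section."; a one-line comment above the inlined `ipc_rcu_getref(sma)` would keep that requirement visible (semctl_main() begins and ends outside the hunks shown).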