提交 ce857229 编写于 作者: A Al Viro 提交者: Linus Torvalds

ipc: fix GETALL/IPC_RM race for sysv semaphores

We can step on WARN_ON_ONCE() in sem_getref() if a semaphore is removed
just as we are about to call sem_getref() from semctl_main(); results
are not pretty.

We should fail with -EIDRM, same as if IPC_RM happened while we'd been
doing allocation there.  This also expands sem_getref() at its only
callsite (and fixed there), while sem_getref_and_unlock() is simply
killed off - it has no callers at all.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Acked-by: Davidlohr Bueso <davidlohr.bueso@hp.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
上级 20a2078c
...@@ -328,28 +328,12 @@ static inline void sem_lock_and_putref(struct sem_array *sma) ...@@ -328,28 +328,12 @@ static inline void sem_lock_and_putref(struct sem_array *sma)
ipc_rcu_putref(sma); ipc_rcu_putref(sma);
} }
static inline void sem_getref_and_unlock(struct sem_array *sma)
{
WARN_ON_ONCE(!ipc_rcu_getref(sma));
sem_unlock(sma, -1);
}
static inline void sem_putref(struct sem_array *sma) static inline void sem_putref(struct sem_array *sma)
{ {
sem_lock_and_putref(sma); sem_lock_and_putref(sma);
sem_unlock(sma, -1); sem_unlock(sma, -1);
} }
/*
* Call inside the rcu read section.
*/
static inline void sem_getref(struct sem_array *sma)
{
sem_lock(sma, NULL, -1);
WARN_ON_ONCE(!ipc_rcu_getref(sma));
sem_unlock(sma, -1);
}
static inline void sem_rmid(struct ipc_namespace *ns, struct sem_array *s) static inline void sem_rmid(struct ipc_namespace *ns, struct sem_array *s)
{ {
ipc_rmid(&sem_ids(ns), &s->sem_perm); ipc_rmid(&sem_ids(ns), &s->sem_perm);
...@@ -1116,9 +1100,14 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum, ...@@ -1116,9 +1100,14 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum,
ushort __user *array = p; ushort __user *array = p;
int i; int i;
sem_lock(sma, NULL, -1);
if(nsems > SEMMSL_FAST) { if(nsems > SEMMSL_FAST) {
sem_getref(sma); if (!ipc_rcu_getref(sma)) {
sem_unlock(sma, -1);
err = -EIDRM;
goto out_free;
}
sem_unlock(sma, -1);
sem_io = ipc_alloc(sizeof(ushort)*nsems); sem_io = ipc_alloc(sizeof(ushort)*nsems);
if(sem_io == NULL) { if(sem_io == NULL) {
sem_putref(sma); sem_putref(sma);
...@@ -1131,9 +1120,7 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum, ...@@ -1131,9 +1120,7 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum,
err = -EIDRM; err = -EIDRM;
goto out_free; goto out_free;
} }
} else }
sem_lock(sma, NULL, -1);
for (i = 0; i < sma->sem_nsems; i++) for (i = 0; i < sma->sem_nsems; i++)
sem_io[i] = sma->sem_base[i].semval; sem_io[i] = sma->sem_base[i].semval;
sem_unlock(sma, -1); sem_unlock(sma, -1);
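Review bot: The requirement stated by the deleted comment above sem_getref() ("Call inside the rcu read section") is no longer written anywhere now that the sequence is inlined into the GETALL path of semctl_main(), and the new `-EIDRM` branch carries no comment saying why `ipc_rcu_getref()` can fail. A short comment above the new `if (!ipc_rcu_getref(sma)) {` would keep both facts next to the code, for example `/* Inside the RCU read section; getref fails when a concurrent IPC_RM has already removed the array. */`. The new branch also jumps to `out_free` before `ipc_alloc()` has assigned `sem_io`, and that label is outside the visible hunks, so it is worth confirming that it does not free a buffer this path never allocated. semctl_main() starts and ends outside the hunks shown.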