ipc: introduce ipc_valid_object() helper to sort out IPC_RMID races
authorRafael Aquini <aquini@redhat.com>
Tue, 28 Jan 2014 01:07:01 +0000 (17:07 -0800)
committerLinus Torvalds <torvalds@linux-foundation.org>
Tue, 28 Jan 2014 05:02:39 +0000 (21:02 -0800)
After the locking semantics for the SysV IPC API got improved, a couple
of IPC_RMID race windows were opened because we ended up dropping the
'kern_ipc_perm.deleted' check performed way down in ipc_lock().  The
spotted races got sorted out by re-introducing the old test within the
racy critical sections.

This patch introduces ipc_valid_object() to consolidate the way we cope
with IPC_RMID races by using the same abstraction across the API
implementation.

Signed-off-by: Rafael Aquini <aquini@redhat.com>
Acked-by: Rik van Riel <riel@redhat.com>
Acked-by: Greg Thelen <gthelen@google.com>
Reviewed-by: Davidlohr Bueso <davidlohr@hp.com>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
ipc/msg.c
ipc/sem.c
ipc/shm.c
ipc/util.h

index 558aa91186b6ced1a27b1e05b65c5ee129e0a175..8983ea57d970464c7051b83534fdad7e462e7e4b 100644 (file)
--- a/ipc/msg.c
+++ b/ipc/msg.c
@@ -696,7 +696,7 @@ long do_msgsnd(int msqid, long mtype, void __user *mtext,
                        goto out_unlock0;
 
                /* raced with RMID? */
-               if (msq->q_perm.deleted) {
+               if (!ipc_valid_object(&msq->q_perm)) {
                        err = -EIDRM;
                        goto out_unlock0;
                }
@@ -731,7 +731,8 @@ long do_msgsnd(int msqid, long mtype, void __user *mtext,
                ipc_lock_object(&msq->q_perm);
 
                ipc_rcu_putref(msq, ipc_rcu_free);
-               if (msq->q_perm.deleted) {
+               /* raced with RMID? */
+               if (!ipc_valid_object(&msq->q_perm)) {
                        err = -EIDRM;
                        goto out_unlock0;
                }
@@ -909,7 +910,7 @@ long do_msgrcv(int msqid, void __user *buf, size_t bufsz, long msgtyp, int msgfl
                ipc_lock_object(&msq->q_perm);
 
                /* raced with RMID? */
-               if (msq->q_perm.deleted) {
+               if (!ipc_valid_object(&msq->q_perm)) {
                        msg = ERR_PTR(-EIDRM);
                        goto out_unlock0;
                }
index cc9ac35b793c3b067c80a6e09243bfc7c779c2db..4d88194a5ffe74dbf02deaba02aca46c6098a140 100644 (file)
--- a/ipc/sem.c
+++ b/ipc/sem.c
@@ -1284,7 +1284,7 @@ static int semctl_setval(struct ipc_namespace *ns, int semid, int semnum,
 
        sem_lock(sma, NULL, -1);
 
-       if (sma->sem_perm.deleted) {
+       if (!ipc_valid_object(&sma->sem_perm)) {
                sem_unlock(sma, -1);
                rcu_read_unlock();
                return -EIDRM;
@@ -1344,7 +1344,7 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum,
                int i;
 
                sem_lock(sma, NULL, -1);
-               if (sma->sem_perm.deleted) {
+               if (!ipc_valid_object(&sma->sem_perm)) {
                        err = -EIDRM;
                        goto out_unlock;
                }
@@ -1363,7 +1363,7 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum,
 
                        rcu_read_lock();
                        sem_lock_and_putref(sma);
-                       if (sma->sem_perm.deleted) {
+                       if (!ipc_valid_object(&sma->sem_perm)) {
                                err = -EIDRM;
                                goto out_unlock;
                        }
@@ -1411,7 +1411,7 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum,
                }
                rcu_read_lock();
                sem_lock_and_putref(sma);
-               if (sma->sem_perm.deleted) {
+               if (!ipc_valid_object(&sma->sem_perm)) {
                        err = -EIDRM;
                        goto out_unlock;
                }
@@ -1437,7 +1437,7 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum,
                goto out_rcu_wakeup;
 
        sem_lock(sma, NULL, -1);
-       if (sma->sem_perm.deleted) {
+       if (!ipc_valid_object(&sma->sem_perm)) {
                err = -EIDRM;
                goto out_unlock;
        }
@@ -1701,7 +1701,7 @@ static struct sem_undo *find_alloc_undo(struct ipc_namespace *ns, int semid)
        /* step 3: Acquire the lock on semaphore array */
        rcu_read_lock();
        sem_lock_and_putref(sma);
-       if (sma->sem_perm.deleted) {
+       if (!ipc_valid_object(&sma->sem_perm)) {
                sem_unlock(sma, -1);
                rcu_read_unlock();
                kfree(new);
@@ -1848,7 +1848,15 @@ SYSCALL_DEFINE4(semtimedop, int, semid, struct sembuf __user *, tsops,
 
        error = -EIDRM;
        locknum = sem_lock(sma, sops, nsops);
-       if (sma->sem_perm.deleted)
+       /*
+        * We eventually might perform the following check in a lockless
+        * fashion, considering ipc_valid_object() locking constraints.
+        * If nsops == 1 and there is no contention for sem_perm.lock, then
+        * only a per-semaphore lock is held and it's OK to proceed with the
+        * check below. More details on the fine grained locking scheme
+        * entangled here and why it's RMID race safe on comments at sem_lock()
+        */
+       if (!ipc_valid_object(&sma->sem_perm))
                goto out_unlock_free;
        /*
         * semid identifiers are not unique - find_alloc_undo may have
@@ -2070,7 +2078,7 @@ void exit_sem(struct task_struct *tsk)
 
                sem_lock(sma, NULL, -1);
                /* exit_sem raced with IPC_RMID, nothing to do */
-               if (sma->sem_perm.deleted) {
+               if (!ipc_valid_object(&sma->sem_perm)) {
                        sem_unlock(sma, -1);
                        rcu_read_unlock();
                        continue;
index 7a51443a51d6421bd2a02a66ec18db98f6796dd3..1bc68f115842d562a336644df154d9b3b62adc71 100644 (file)
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -975,6 +975,13 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf)
                        goto out_unlock1;
 
                ipc_lock_object(&shp->shm_perm);
+
+               /* check if shm_destroy() is tearing down shp */
+               if (!ipc_valid_object(&shp->shm_perm)) {
+                       err = -EIDRM;
+                       goto out_unlock0;
+               }
+
                if (!ns_capable(ns->user_ns, CAP_IPC_LOCK)) {
                        kuid_t euid = current_euid();
                        if (!uid_eq(euid, shp->shm_perm.uid) &&
@@ -989,13 +996,6 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf)
                }
 
                shm_file = shp->shm_file;
-
-               /* check if shm_destroy() is tearing down shp */
-               if (shm_file == NULL) {
-                       err = -EIDRM;
-                       goto out_unlock0;
-               }
-
                if (is_file_hugepages(shm_file))
                        goto out_unlock0;
 
@@ -1116,7 +1116,7 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
        ipc_lock_object(&shp->shm_perm);
 
        /* check if shm_destroy() is tearing down shp */
-       if (shp->shm_file == NULL) {
+       if (!ipc_valid_object(&shp->shm_perm)) {
                ipc_unlock_object(&shp->shm_perm);
                err = -EIDRM;
                goto out_unlock;
index 59d78aa949874aff138845ce13fb55c764205f9d..d05b7085a8871810e8696ce9929b6b56b0a57658 100644 (file)
@@ -185,6 +185,19 @@ static inline void ipc_unlock(struct kern_ipc_perm *perm)
        rcu_read_unlock();
 }
 
+/*
+ * ipc_valid_object() - helper to sort out IPC_RMID races for codepaths
+ * where the respective ipc_ids.rwsem is not being held down.
+ * Checks whether the ipc object is still around or if it's gone already, as
+ * ipc_rmid() may have already freed the ID while the ipc lock was spinning.
+ * Needs to be called with kern_ipc_perm.lock held -- exception made for one
+ * checkpoint case at sys_semtimedop() as noted in code commentary.
+ */
+static inline bool ipc_valid_object(struct kern_ipc_perm *perm)
+{
+       return perm->deleted == 0;
+}
+
 struct kern_ipc_perm *ipc_obtain_object_check(struct ipc_ids *ids, int id);
 int ipcget(struct ipc_namespace *ns, struct ipc_ids *ids,
                        struct ipc_ops *ops, struct ipc_params *params);