static void msg_rcu_free(struct rcu_head *head)
{
- struct ipc_rcu *p = container_of(head, struct ipc_rcu, rcu);
- struct msg_queue *msq = ipc_rcu_to_struct(p);
+ struct kern_ipc_perm *p = container_of(head, struct kern_ipc_perm, rcu);
+ struct msg_queue *msq = container_of(p, struct msg_queue, q_perm);
security_msg_queue_free(msq);
- ipc_rcu_free(head);
+ kvfree(msq);
}
/**
static int newque(struct ipc_namespace *ns, struct ipc_params *params)
{
struct msg_queue *msq;
- int id, retval;
+ int retval;
key_t key = params->key;
int msgflg = params->flg;
- msq = ipc_rcu_alloc(sizeof(*msq));
- if (!msq)
+ msq = kvmalloc(sizeof(*msq), GFP_KERNEL);
+ if (unlikely(!msq))
return -ENOMEM;
msq->q_perm.mode = msgflg & S_IRWXUGO;
msq->q_perm.security = NULL;
retval = security_msg_queue_alloc(msq);
if (retval) {
- ipc_rcu_putref(msq, ipc_rcu_free);
+ kvfree(msq);
return retval;
}
INIT_LIST_HEAD(&msq->q_senders);
/* ipc_addid() locks msq upon success. */
- id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
- if (id < 0) {
- ipc_rcu_putref(msq, msg_rcu_free);
- return id;
+ retval = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
+ if (retval < 0) {
+ call_rcu(&msq->q_perm.rcu, msg_rcu_free);
+ return retval;
}
ipc_unlock_object(&msq->q_perm);
free_msg(msg);
}
atomic_sub(msq->q_cbytes, &ns->msg_bytes);
- ipc_rcu_putref(msq, msg_rcu_free);
+ ipc_rcu_putref(&msq->q_perm, msg_rcu_free);
}
/*
* NOTE: no locks must be held, the rwsem is taken inside this function.
*/
static int msgctl_down(struct ipc_namespace *ns, int msqid, int cmd,
- struct msqid_ds __user *buf, int version)
+ struct msqid64_ds *msqid64)
{
struct kern_ipc_perm *ipcp;
- struct msqid64_ds uninitialized_var(msqid64);
struct msg_queue *msq;
int err;
- if (cmd == IPC_SET) {
- if (copy_msqid_from_user(&msqid64, buf, version))
- return -EFAULT;
- }
-
down_write(&msg_ids(ns).rwsem);
rcu_read_lock();
ipcp = ipcctl_pre_down_nolock(ns, &msg_ids(ns), msqid, cmd,
- &msqid64.msg_perm, msqid64.msg_qbytes);
+ &msqid64->msg_perm, msqid64->msg_qbytes);
if (IS_ERR(ipcp)) {
err = PTR_ERR(ipcp);
goto out_unlock1;
{
DEFINE_WAKE_Q(wake_q);
- if (msqid64.msg_qbytes > ns->msg_ctlmnb &&
+ if (msqid64->msg_qbytes > ns->msg_ctlmnb &&
!capable(CAP_SYS_RESOURCE)) {
err = -EPERM;
goto out_unlock1;
}
ipc_lock_object(&msq->q_perm);
- err = ipc_update_perm(&msqid64.msg_perm, ipcp);
+ err = ipc_update_perm(&msqid64->msg_perm, ipcp);
if (err)
goto out_unlock0;
- msq->q_qbytes = msqid64.msg_qbytes;
+ msq->q_qbytes = msqid64->msg_qbytes;
msq->q_ctime = get_seconds();
/*
return err;
}
-static int msgctl_nolock(struct ipc_namespace *ns, int msqid,
- int cmd, int version, void __user *buf)
+static int msgctl_info(struct ipc_namespace *ns, int msqid,
+ int cmd, struct msginfo *msginfo)
{
int err;
- struct msg_queue *msq;
-
- switch (cmd) {
- case IPC_INFO:
- case MSG_INFO:
- {
- struct msginfo msginfo;
- int max_id;
-
- if (!buf)
- return -EFAULT;
+ int max_id;
- /*
- * We must not return kernel stack data.
- * due to padding, it's not enough
- * to set all member fields.
- */
- err = security_msg_queue_msgctl(NULL, cmd);
- if (err)
- return err;
-
- memset(&msginfo, 0, sizeof(msginfo));
- msginfo.msgmni = ns->msg_ctlmni;
- msginfo.msgmax = ns->msg_ctlmax;
- msginfo.msgmnb = ns->msg_ctlmnb;
- msginfo.msgssz = MSGSSZ;
- msginfo.msgseg = MSGSEG;
- down_read(&msg_ids(ns).rwsem);
- if (cmd == MSG_INFO) {
- msginfo.msgpool = msg_ids(ns).in_use;
- msginfo.msgmap = atomic_read(&ns->msg_hdrs);
- msginfo.msgtql = atomic_read(&ns->msg_bytes);
- } else {
- msginfo.msgmap = MSGMAP;
- msginfo.msgpool = MSGPOOL;
- msginfo.msgtql = MSGTQL;
- }
- max_id = ipc_get_maxid(&msg_ids(ns));
- up_read(&msg_ids(ns).rwsem);
- if (copy_to_user(buf, &msginfo, sizeof(struct msginfo)))
- return -EFAULT;
- return (max_id < 0) ? 0 : max_id;
+ /*
+ * We must not return kernel stack data.
+ * due to padding, it's not enough
+ * to set all member fields.
+ */
+ err = security_msg_queue_msgctl(NULL, cmd);
+ if (err)
+ return err;
+
+ memset(msginfo, 0, sizeof(*msginfo));
+ msginfo->msgmni = ns->msg_ctlmni;
+ msginfo->msgmax = ns->msg_ctlmax;
+ msginfo->msgmnb = ns->msg_ctlmnb;
+ msginfo->msgssz = MSGSSZ;
+ msginfo->msgseg = MSGSEG;
+ down_read(&msg_ids(ns).rwsem);
+ if (cmd == MSG_INFO) {
+ msginfo->msgpool = msg_ids(ns).in_use;
+ msginfo->msgmap = atomic_read(&ns->msg_hdrs);
+ msginfo->msgtql = atomic_read(&ns->msg_bytes);
+ } else {
+ msginfo->msgmap = MSGMAP;
+ msginfo->msgpool = MSGPOOL;
+ msginfo->msgtql = MSGTQL;
}
+ max_id = ipc_get_maxid(&msg_ids(ns));
+ up_read(&msg_ids(ns).rwsem);
+ return (max_id < 0) ? 0 : max_id;
+}
- case MSG_STAT:
- case IPC_STAT:
- {
- struct msqid64_ds tbuf;
- int success_return;
-
- if (!buf)
- return -EFAULT;
-
- memset(&tbuf, 0, sizeof(tbuf));
+static int msgctl_stat(struct ipc_namespace *ns, int msqid,
+ int cmd, struct msqid64_ds *p)
+{
+ int err;
+ struct msg_queue *msq;
+ int success_return;
- rcu_read_lock();
- if (cmd == MSG_STAT) {
- msq = msq_obtain_object(ns, msqid);
- if (IS_ERR(msq)) {
- err = PTR_ERR(msq);
- goto out_unlock;
- }
- success_return = msq->q_perm.id;
- } else {
- msq = msq_obtain_object_check(ns, msqid);
- if (IS_ERR(msq)) {
- err = PTR_ERR(msq);
- goto out_unlock;
- }
- success_return = 0;
- }
+ memset(p, 0, sizeof(*p));
- err = -EACCES;
- if (ipcperms(ns, &msq->q_perm, S_IRUGO))
+ rcu_read_lock();
+ if (cmd == MSG_STAT) {
+ msq = msq_obtain_object(ns, msqid);
+ if (IS_ERR(msq)) {
+ err = PTR_ERR(msq);
goto out_unlock;
-
- err = security_msg_queue_msgctl(msq, cmd);
- if (err)
+ }
+ success_return = msq->q_perm.id;
+ } else {
+ msq = msq_obtain_object_check(ns, msqid);
+ if (IS_ERR(msq)) {
+ err = PTR_ERR(msq);
goto out_unlock;
+ }
+ success_return = 0;
+ }
- kernel_to_ipc64_perm(&msq->q_perm, &tbuf.msg_perm);
- tbuf.msg_stime = msq->q_stime;
- tbuf.msg_rtime = msq->q_rtime;
- tbuf.msg_ctime = msq->q_ctime;
- tbuf.msg_cbytes = msq->q_cbytes;
- tbuf.msg_qnum = msq->q_qnum;
- tbuf.msg_qbytes = msq->q_qbytes;
- tbuf.msg_lspid = msq->q_lspid;
- tbuf.msg_lrpid = msq->q_lrpid;
- rcu_read_unlock();
+ err = -EACCES;
+ if (ipcperms(ns, &msq->q_perm, S_IRUGO))
+ goto out_unlock;
- if (copy_msqid_to_user(buf, &tbuf, version))
- return -EFAULT;
- return success_return;
- }
+ err = security_msg_queue_msgctl(msq, cmd);
+ if (err)
+ goto out_unlock;
+
+ kernel_to_ipc64_perm(&msq->q_perm, &p->msg_perm);
+ p->msg_stime = msq->q_stime;
+ p->msg_rtime = msq->q_rtime;
+ p->msg_ctime = msq->q_ctime;
+ p->msg_cbytes = msq->q_cbytes;
+ p->msg_qnum = msq->q_qnum;
+ p->msg_qbytes = msq->q_qbytes;
+ p->msg_lspid = msq->q_lspid;
+ p->msg_lrpid = msq->q_lrpid;
+ rcu_read_unlock();
- default:
- return -EINVAL;
- }
+ return success_return;
- return err;
out_unlock:
rcu_read_unlock();
return err;
{
int version;
struct ipc_namespace *ns;
+ struct msqid64_ds msqid64;
+ int err;
if (msqid < 0 || cmd < 0)
return -EINVAL;
switch (cmd) {
case IPC_INFO:
- case MSG_INFO:
+ case MSG_INFO: {
+ struct msginfo msginfo;
+ err = msgctl_info(ns, msqid, cmd, &msginfo);
+ if (err < 0)
+ return err;
+ if (copy_to_user(buf, &msginfo, sizeof(struct msginfo)))
+ err = -EFAULT;
+ return err;
+ }
case MSG_STAT: /* msqid is an index rather than a msg queue id */
case IPC_STAT:
- return msgctl_nolock(ns, msqid, cmd, version, buf);
+ err = msgctl_stat(ns, msqid, cmd, &msqid64);
+ if (err < 0)
+ return err;
+ if (copy_msqid_to_user(buf, &msqid64, version))
+ err = -EFAULT;
+ return err;
case IPC_SET:
+ if (copy_msqid_from_user(&msqid64, buf, version))
+ return -EFAULT;
+ /* fallthru */
case IPC_RMID:
- return msgctl_down(ns, msqid, cmd, buf, version);
+ return msgctl_down(ns, msqid, cmd, &msqid64);
default:
return -EINVAL;
}
}
+#ifdef CONFIG_COMPAT
+
+struct compat_msqid_ds {
+ struct compat_ipc_perm msg_perm;
+ compat_uptr_t msg_first;
+ compat_uptr_t msg_last;
+ compat_time_t msg_stime;
+ compat_time_t msg_rtime;
+ compat_time_t msg_ctime;
+ compat_ulong_t msg_lcbytes;
+ compat_ulong_t msg_lqbytes;
+ unsigned short msg_cbytes;
+ unsigned short msg_qnum;
+ unsigned short msg_qbytes;
+ compat_ipc_pid_t msg_lspid;
+ compat_ipc_pid_t msg_lrpid;
+};
+
+static int copy_compat_msqid_from_user(struct msqid64_ds *out, void __user *buf,
+ int version)
+{
+ memset(out, 0, sizeof(*out));
+ if (version == IPC_64) {
+ struct compat_msqid64_ds *p = buf;
+ struct compat_ipc64_perm v;
+ if (copy_from_user(&v, &p->msg_perm, sizeof(v)))
+ return -EFAULT;
+ out->msg_perm.uid = v.uid;
+ out->msg_perm.gid = v.gid;
+ out->msg_perm.mode = v.mode;
+ if (get_user(out->msg_qbytes, &p->msg_qbytes))
+ return -EFAULT;
+ } else {
+ struct compat_msqid_ds *p = buf;
+ struct compat_ipc_perm v;
+ if (copy_from_user(&v, &p->msg_perm, sizeof(v)))
+ return -EFAULT;
+ out->msg_perm.uid = v.uid;
+ out->msg_perm.gid = v.gid;
+ out->msg_perm.mode = v.mode;
+ if (get_user(out->msg_qbytes, &p->msg_qbytes))
+ return -EFAULT;
+ }
+ return 0;
+}
+
+static int copy_compat_msqid_to_user(void __user *buf, struct msqid64_ds *in,
+ int version)
+{
+ if (version == IPC_64) {
+ struct compat_msqid64_ds v;
+ memset(&v, 0, sizeof(v));
+ v.msg_perm.key = in->msg_perm.key;
+ v.msg_perm.uid = in->msg_perm.uid;
+ v.msg_perm.gid = in->msg_perm.gid;
+ v.msg_perm.cuid = in->msg_perm.cuid;
+ v.msg_perm.cgid = in->msg_perm.cgid;
+ v.msg_perm.mode = in->msg_perm.mode;
+ v.msg_perm.seq = in->msg_perm.seq;
+ v.msg_stime = in->msg_stime;
+ v.msg_rtime = in->msg_rtime;
+ v.msg_ctime = in->msg_ctime;
+ v.msg_cbytes = in->msg_cbytes;
+ v.msg_qnum = in->msg_qnum;
+ v.msg_qbytes = in->msg_qbytes;
+ v.msg_lspid = in->msg_lspid;
+ v.msg_lrpid = in->msg_lrpid;
+ return copy_to_user(buf, &v, sizeof(v));
+ } else {
+ struct compat_msqid_ds v;
+ memset(&v, 0, sizeof(v));
+ v.msg_perm.key = in->msg_perm.key;
+ SET_UID(v.msg_perm.uid, in->msg_perm.uid);
+ SET_GID(v.msg_perm.gid, in->msg_perm.gid);
+ SET_UID(v.msg_perm.cuid, in->msg_perm.cuid);
+ SET_GID(v.msg_perm.cgid, in->msg_perm.cgid);
+ v.msg_perm.mode = in->msg_perm.mode;
+ v.msg_perm.seq = in->msg_perm.seq;
+ v.msg_stime = in->msg_stime;
+ v.msg_rtime = in->msg_rtime;
+ v.msg_ctime = in->msg_ctime;
+ v.msg_cbytes = in->msg_cbytes;
+ v.msg_qnum = in->msg_qnum;
+ v.msg_qbytes = in->msg_qbytes;
+ v.msg_lspid = in->msg_lspid;
+ v.msg_lrpid = in->msg_lrpid;
+ return copy_to_user(buf, &v, sizeof(v));
+ }
+}
+
+COMPAT_SYSCALL_DEFINE3(msgctl, int, msqid, int, cmd, void __user *, uptr)
+{
+ struct ipc_namespace *ns;
+ int err;
+ struct msqid64_ds msqid64;
+ int version = compat_ipc_parse_version(&cmd);
+
+ ns = current->nsproxy->ipc_ns;
+
+ if (msqid < 0 || cmd < 0)
+ return -EINVAL;
+
+ switch (cmd & (~IPC_64)) {
+ case IPC_INFO:
+ case MSG_INFO: {
+ struct msginfo msginfo;
+ err = msgctl_info(ns, msqid, cmd, &msginfo);
+ if (err < 0)
+ return err;
+ if (copy_to_user(uptr, &msginfo, sizeof(struct msginfo)))
+ err = -EFAULT;
+ return err;
+ }
+ case IPC_STAT:
+ case MSG_STAT:
+ err = msgctl_stat(ns, msqid, cmd, &msqid64);
+ if (err < 0)
+ return err;
+ if (copy_compat_msqid_to_user(uptr, &msqid64, version))
+ err = -EFAULT;
+ return err;
+ case IPC_SET:
+ if (copy_compat_msqid_from_user(&msqid64, uptr, version))
+ return -EFAULT;
+ /* fallthru */
+ case IPC_RMID:
+ return msgctl_down(ns, msqid, cmd, &msqid64);
+ default:
+ return -EINVAL;
+ }
+}
+#endif
+
static int testmsg(struct msg_msg *msg, long type, int mode)
{
switch (mode) {
/* enqueue the sender and prepare to block */
ss_add(msq, &s, msgsz);
- if (!ipc_rcu_getref(msq)) {
+ if (!ipc_rcu_getref(&msq->q_perm)) {
err = -EIDRM;
goto out_unlock0;
}
rcu_read_lock();
ipc_lock_object(&msq->q_perm);
- ipc_rcu_putref(msq, msg_rcu_free);
+ ipc_rcu_putref(&msq->q_perm, msg_rcu_free);
/* raced with RMID? */
if (!ipc_valid_object(&msq->q_perm)) {
err = -EIDRM;
projects / GitHub / moto-9609 / android_kernel_motorola_exynos9610.git / blobdiff