From ce857229e0c3adc211944a13a5579ef84fd7b4af Mon Sep 17 00:00:00 2001
From: Al Viro
Date: Fri, 3 May 2013 00:30:49 +0100
Subject: [PATCH] ipc: fix GETALL/IPC_RM race for sysv semaphores

We can step on WARN_ON_ONCE() in sem_getref() if a semaphore is removed just as we are about to call sem_getref() from semctl_main(); results are not pretty. We should fail with -EIDRM, same as if IPC_RM happened while we'd been doing allocation there. This also expands sem_getref() at its only callsite (and fixed there), while sem_getref_and_unlock() is simply killed off - it has no callers at all.

Signed-off-by: Al Viro
Acked-by: Davidlohr Bueso
Signed-off-by: Linus Torvalds
---
 ipc/sem.c | 29 ++++++++--------------------
 1 file changed, 8 insertions(+), 21 deletions(-)

diff --git a/ipc/sem.c b/ipc/sem.c
index e78ee3186d1f..4734e9c2a98a 100644
--- a/ipc/sem.c
+++ b/ipc/sem.c
@@ -328,28 +328,12 @@ static inline void sem_lock_and_putref(struct sem_array *sma)
 	ipc_rcu_putref(sma);
 }
 
-static inline void sem_getref_and_unlock(struct sem_array *sma)
-{
-	WARN_ON_ONCE(!ipc_rcu_getref(sma));
-	sem_unlock(sma, -1);
-}
-
 static inline void sem_putref(struct sem_array *sma)
 {
 	sem_lock_and_putref(sma);
 	sem_unlock(sma, -1);
 }
 
-/*
- * Call inside the rcu read section.
- */
-static inline void sem_getref(struct sem_array *sma)
-{
-	sem_lock(sma, NULL, -1);
-	WARN_ON_ONCE(!ipc_rcu_getref(sma));
-	sem_unlock(sma, -1);
-}
-
 static inline void sem_rmid(struct ipc_namespace *ns, struct sem_array *s)
 {
 	ipc_rmid(&sem_ids(ns), &s->sem_perm);
@@ -1116,9 +1100,14 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum,
 		ushort __user *array = p;
 		int i;
 
+		sem_lock(sma, NULL, -1);
 		if(nsems > SEMMSL_FAST) {
-			sem_getref(sma);
-
+			if (!ipc_rcu_getref(sma)) {
+				sem_unlock(sma, -1);
+				err = -EIDRM;
+				goto out_free;
+			}
+			sem_unlock(sma, -1);
 			sem_io = ipc_alloc(sizeof(ushort)*nsems);
 			if(sem_io == NULL) {
 				sem_putref(sma);
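Review bot: The new `sem_lock(sma, NULL, -1);` at the top of the GETALL block is not followed by a check that the array is still live, so on the fast path (`nsems <= SEMMSL_FAST`) the code goes on to read `sma->sem_base` under the lock without ever noticing an IPC_RMID that completed between the earlier lookup and this lock; only the slow path learns of it, indirectly, through `ipc_rcu_getref()` failing. Whether the lookup (outside the hunk) already excludes that window is not visible here, but if it does not, a liveness check right after the lock would give both paths the -EIDRM the commit message asks for: `if (sma->sem_perm.deleted) { sem_unlock(sma, -1); err = -EIDRM; goto out_free; }`. The removed `/* Call inside the rcu read section. */` comment was the only statement of that precondition, and with `ipc_rcu_getref()` now called inline it is lost; a one-line comment on the new lock line such as `/* called under rcu_read_lock(); a failed getref means IPC_RMID won the race */` would preserve it. semctl_main begins and continues outside the hunk.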
@@ -1131,9 +1120,7 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum,
 				err = -EIDRM;
 				goto out_free;
 			}
-		} else
-			sem_lock(sma, NULL, -1);
-
+		}
 		for (i = 0; i < sma->sem_nsems; i++)
 			sem_io[i] = sma->sem_base[i].semval;
 		sem_unlock(sma, -1);
-- 
2.20.1
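Review bot: With the `else` branch removed, the invariant at the `for` loop — that `sem_lock` is held on both paths when `sma->sem_base` is read — is no longer stated anywhere near the loop: on the fast path it was taken before the `if`, and on the reallocating path it is presumably re-acquired by the call that precedes the `err = -EIDRM;` context lines at the top of this hunk, both outside what is shown. A comment before the loop would make this explicit, e.g. `/* sem_lock is held here on both the fast and the reallocating path */`. The rest of semctl_main lies outside the hunk.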