2005-04-16 22:20:36 +00:00
|
|
|
/*
|
|
|
|
|
* linux/ipc/shm.c
|
|
|
|
|
* Copyright (C) 1992, 1993 Krishna Balasubramanian
|
|
|
|
|
* Many improvements/fixes by Bruno Haible.
|
|
|
|
|
* Replaced `struct shm_desc' by `struct vm_area_struct', July 1994.
|
|
|
|
|
* Fixed the shm swap deallocation (shm_unuse()), August 1998 Andrea Arcangeli.
|
|
|
|
|
*
|
|
|
|
|
* /proc/sysvipc/shm support (c) 1999 Dragos Acostachioaie <dragos@iname.com>
|
|
|
|
|
* BIGMEM support, Andrea Arcangeli <andrea@suse.de>
|
|
|
|
|
* SMP thread shm, Jean-Luc Boyard <jean-luc.boyard@siemens.fr>
|
|
|
|
|
* HIGHMEM support, Ingo Molnar <mingo@redhat.com>
|
|
|
|
|
* Make shmmax, shmall, shmmni sysctl'able, Christoph Rohland <cr@sap.com>
|
|
|
|
|
* Shared /dev/zero support, Kanoj Sarcar <kanoj@sgi.com>
|
|
|
|
|
* Move the mm functionality over to mm/shmem.c, Christoph Rohland <cr@sap.com>
|
|
|
|
|
*
|
2006-04-02 21:07:33 +00:00
|
|
|
* support for audit of ipc object properties and permission changes
|
|
|
|
|
* Dustin Kirkland <dustin.kirkland@us.ibm.com>
|
2006-10-02 09:18:22 +00:00
|
|
|
*
|
|
|
|
|
* namespaces support
|
|
|
|
|
* OpenVZ, SWsoft Inc.
|
|
|
|
|
* Pavel Emelianov <xemul@openvz.org>
|
2013-09-11 21:26:23 +00:00
|
|
|
*
|
|
|
|
|
* Better ipc lock (kern_ipc_perm.lock) handling
|
|
|
|
|
* Davidlohr Bueso <davidlohr.bueso@hp.com>, June 2013.
|
2005-04-16 22:20:36 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <linux/slab.h>
|
|
|
|
|
#include <linux/mm.h>
|
|
|
|
|
#include <linux/hugetlb.h>
|
|
|
|
|
#include <linux/shm.h>
|
|
|
|
|
#include <linux/init.h>
|
|
|
|
|
#include <linux/file.h>
|
|
|
|
|
#include <linux/mman.h>
|
|
|
|
|
#include <linux/shmem_fs.h>
|
|
|
|
|
#include <linux/security.h>
|
|
|
|
|
#include <linux/syscalls.h>
|
|
|
|
|
#include <linux/audit.h>
|
2006-01-11 20:17:46 +00:00
|
|
|
#include <linux/capability.h>
|
2005-05-01 15:59:12 +00:00
|
|
|
#include <linux/ptrace.h>
|
2005-09-06 22:17:10 +00:00
|
|
|
#include <linux/seq_file.h>
|
2007-10-19 06:40:54 +00:00
|
|
|
#include <linux/rwsem.h>
|
2006-10-02 09:18:22 +00:00
|
|
|
#include <linux/nsproxy.h>
|
2007-02-20 21:57:53 +00:00
|
|
|
#include <linux/mount.h>
|
2008-02-08 12:18:22 +00:00
|
|
|
#include <linux/ipc_namespace.h>
|
2005-05-01 15:59:12 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
#include <asm/uaccess.h>
|
|
|
|
|
|
|
|
|
|
#include "util.h"
|
|
|
|
|
|
2007-02-20 21:57:53 +00:00
|
|
|
struct shm_file_data {
|
|
|
|
|
int id;
|
|
|
|
|
struct ipc_namespace *ns;
|
|
|
|
|
struct file *file;
|
|
|
|
|
const struct vm_operations_struct *vm_ops;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
#define shm_file_data(file) (*((struct shm_file_data **)&(file)->private_data))
|
|
|
|
|
|
2007-02-12 08:55:35 +00:00
|
|
|
static const struct file_operations shm_file_operations;
|
2009-09-27 18:29:37 +00:00
|
|
|
static const struct vm_operations_struct shm_vm_ops;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2008-02-08 12:18:57 +00:00
|
|
|
#define shm_ids(ns) ((ns)->ids[IPC_SHM_IDS])
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2006-10-02 09:18:22 +00:00
|
|
|
#define shm_unlock(shp) \
|
|
|
|
|
ipc_unlock(&(shp)->shm_perm)
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2007-10-19 06:40:49 +00:00
|
|
|
static int newseg(struct ipc_namespace *, struct ipc_params *);
|
2007-02-20 21:57:53 +00:00
|
|
|
static void shm_open(struct vm_area_struct *vma);
|
|
|
|
|
static void shm_close(struct vm_area_struct *vma);
|
2006-10-02 09:18:22 +00:00
|
|
|
static void shm_destroy (struct ipc_namespace *ns, struct shmid_kernel *shp);
|
2005-04-16 22:20:36 +00:00
|
|
|
#ifdef CONFIG_PROC_FS
|
2005-09-06 22:17:10 +00:00
|
|
|
static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
|
2005-04-16 22:20:36 +00:00
|
|
|
#endif
|
|
|
|
|
|
2008-02-08 12:18:57 +00:00
|
|
|
void shm_init_ns(struct ipc_namespace *ns)
|
2006-10-02 09:18:22 +00:00
|
|
|
{
|
|
|
|
|
ns->shm_ctlmax = SHMMAX;
|
|
|
|
|
ns->shm_ctlall = SHMALL;
|
|
|
|
|
ns->shm_ctlmni = SHMMNI;
|
2011-07-26 23:08:48 +00:00
|
|
|
ns->shm_rmid_forced = 0;
|
2006-10-02 09:18:22 +00:00
|
|
|
ns->shm_tot = 0;
|
2009-01-06 22:42:49 +00:00
|
|
|
ipc_init_ids(&shm_ids(ns));
|
2006-10-02 09:18:22 +00:00
|
|
|
}
|
|
|
|
|
|
2007-10-19 06:40:53 +00:00
|
|
|
/*
|
2013-09-11 21:26:24 +00:00
|
|
|
* Called with shm_ids.rwsem (writer) and the shp structure locked.
|
|
|
|
|
* Only shm_ids.rwsem remains locked on exit.
|
2007-10-19 06:40:53 +00:00
|
|
|
*/
|
2008-02-08 12:18:57 +00:00
|
|
|
static void do_shm_rmid(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp)
|
2006-10-02 09:18:22 +00:00
|
|
|
{
|
2008-02-08 12:18:57 +00:00
|
|
|
struct shmid_kernel *shp;
|
|
|
|
|
shp = container_of(ipcp, struct shmid_kernel, shm_perm);
|
|
|
|
|
|
2006-10-02 09:18:22 +00:00
|
|
|
if (shp->shm_nattch){
|
|
|
|
|
shp->shm_perm.mode |= SHM_DEST;
|
|
|
|
|
/* Do not find it any more */
|
|
|
|
|
shp->shm_perm.key = IPC_PRIVATE;
|
|
|
|
|
shm_unlock(shp);
|
|
|
|
|
} else
|
|
|
|
|
shm_destroy(ns, shp);
|
|
|
|
|
}
|
|
|
|
|
|
2008-02-08 12:18:22 +00:00
|
|
|
#ifdef CONFIG_IPC_NS
|
2006-10-02 09:18:22 +00:00
|
|
|
void shm_exit_ns(struct ipc_namespace *ns)
|
|
|
|
|
{
|
2008-02-08 12:18:57 +00:00
|
|
|
free_ipcs(ns, &shm_ids(ns), do_shm_rmid);
|
2009-12-16 00:47:27 +00:00
|
|
|
idr_destroy(&ns->ids[IPC_SHM_IDS].ipcs_idr);
|
2006-10-02 09:18:22 +00:00
|
|
|
}
|
2008-02-08 12:18:22 +00:00
|
|
|
#endif
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2011-08-05 05:35:59 +00:00
|
|
|
static int __init ipc_ns_init(void)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2008-02-08 12:18:57 +00:00
|
|
|
shm_init_ns(&init_ipc_ns);
|
2011-08-05 05:35:59 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pure_initcall(ipc_ns_init);
|
|
|
|
|
|
|
|
|
|
void __init shm_init (void)
|
|
|
|
|
{
|
2005-09-06 22:17:10 +00:00
|
|
|
ipc_init_proc_interface("sysvipc/shm",
|
2010-10-27 22:34:16 +00:00
|
|
|
#if BITS_PER_LONG <= 32
|
|
|
|
|
" key shmid perms size cpid lpid nattch uid gid cuid cgid atime dtime ctime rss swap\n",
|
|
|
|
|
#else
|
|
|
|
|
" key shmid perms size cpid lpid nattch uid gid cuid cgid atime dtime ctime rss swap\n",
|
|
|
|
|
#endif
|
2006-10-02 09:18:22 +00:00
|
|
|
IPC_SHM_IDS, sysvipc_shm_proc_show);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
ipc,shm: introduce lockless functions to obtain the ipc object
commit 8b8d52ac382b17a19906b930cd69e2edb0aca8ba upstream.
This is the third and final patchset that deals with reducing the amount
of contention we impose on the ipc lock (kern_ipc_perm.lock). These
changes mostly deal with shared memory, previous work has already been
done for semaphores and message queues:
http://lkml.org/lkml/2013/3/20/546 (sems)
http://lkml.org/lkml/2013/5/15/584 (mqueues)
With these patches applied, a custom shm microbenchmark stressing shmctl
doing IPC_STAT with 4 threads a million times, reduces the execution
time by 50%. A similar run, this time with IPC_SET, reduces the
execution time from 3 mins and 35 secs to 27 seconds.
Patches 1-8: replaces blindly taking the ipc lock for a smarter
combination of rcu and ipc_obtain_object, only acquiring the spinlock
when updating.
Patch 9: renames the ids rw_mutex to rwsem, which is what it already was.
Patch 10: is a trivial mqueue leftover cleanup
Patch 11: adds a brief lock scheme description, requested by Andrew.
This patch:
Add shm_obtain_object() and shm_obtain_object_check(), which will allow us
to get the ipc object without acquiring the lock. Just as with other
forms of ipc, these functions are basically wrappers around
ipc_obtain_object*().
Signed-off-by: Davidlohr Bueso <davidlohr.bueso@hp.com>
Tested-by: Sedat Dilek <sedat.dilek@gmail.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mike Galbraith <efault@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-09-11 21:26:15 +00:00
|
|
|
static inline struct shmid_kernel *shm_obtain_object(struct ipc_namespace *ns, int id)
|
|
|
|
|
{
|
|
|
|
|
struct kern_ipc_perm *ipcp = ipc_obtain_object(&shm_ids(ns), id);
|
|
|
|
|
|
|
|
|
|
if (IS_ERR(ipcp))
|
|
|
|
|
return ERR_CAST(ipcp);
|
|
|
|
|
|
|
|
|
|
return container_of(ipcp, struct shmid_kernel, shm_perm);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline struct shmid_kernel *shm_obtain_object_check(struct ipc_namespace *ns, int id)
|
|
|
|
|
{
|
|
|
|
|
struct kern_ipc_perm *ipcp = ipc_obtain_object_check(&shm_ids(ns), id);
|
|
|
|
|
|
|
|
|
|
if (IS_ERR(ipcp))
|
|
|
|
|
return ERR_CAST(ipcp);
|
|
|
|
|
|
|
|
|
|
return container_of(ipcp, struct shmid_kernel, shm_perm);
|
|
|
|
|
}
|
|
|
|
|
|
2007-10-19 06:40:54 +00:00
|
|
|
/*
|
2013-09-11 21:26:24 +00:00
|
|
|
* shm_lock_(check_) routines are called in the paths where the rwsem
|
2008-07-25 08:48:03 +00:00
|
|
|
* is not necessarily held.
|
2007-10-19 06:40:54 +00:00
|
|
|
*/
|
2007-10-19 06:40:51 +00:00
|
|
|
static inline struct shmid_kernel *shm_lock(struct ipc_namespace *ns, int id)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2007-10-19 06:40:51 +00:00
|
|
|
struct kern_ipc_perm *ipcp = ipc_lock(&shm_ids(ns), id);
|
|
|
|
|
|
2015-06-30 21:58:36 +00:00
|
|
|
/*
|
ipc/shm: handle removed segments gracefully in shm_mmap()
commit 1ac0b6dec656f3f78d1c3dd216fad84cb4d0a01e upstream.
remap_file_pages(2) emulation can reach file which represents removed
IPC ID as long as a memory segment is mapped. It breaks expectations of
IPC subsystem.
Test case (rewritten to be more human readable, originally autogenerated
by syzkaller[1]):
#define _GNU_SOURCE
#include <stdlib.h>
#include <sys/ipc.h>
#include <sys/mman.h>
#include <sys/shm.h>
#define PAGE_SIZE 4096
int main()
{
int id;
void *p;
id = shmget(IPC_PRIVATE, 3 * PAGE_SIZE, 0);
p = shmat(id, NULL, 0);
shmctl(id, IPC_RMID, NULL);
remap_file_pages(p, 3 * PAGE_SIZE, 0, 7, 0);
return 0;
}
The patch changes shm_mmap() and code around shm_lock() to propagate
locking error back to caller of shm_mmap().
[1] http://github.com/google/syzkaller
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
2016-02-17 21:11:35 +00:00
|
|
|
* Callers of shm_lock() must validate the status of the returned ipc
|
|
|
|
|
* object pointer (as returned by ipc_lock()), and error out as
|
|
|
|
|
* appropriate.
|
2015-06-30 21:58:36 +00:00
|
|
|
*/
|
ipc/shm: handle removed segments gracefully in shm_mmap()
commit 1ac0b6dec656f3f78d1c3dd216fad84cb4d0a01e upstream.
remap_file_pages(2) emulation can reach file which represents removed
IPC ID as long as a memory segment is mapped. It breaks expectations of
IPC subsystem.
Test case (rewritten to be more human readable, originally autogenerated
by syzkaller[1]):
#define _GNU_SOURCE
#include <stdlib.h>
#include <sys/ipc.h>
#include <sys/mman.h>
#include <sys/shm.h>
#define PAGE_SIZE 4096
int main()
{
int id;
void *p;
id = shmget(IPC_PRIVATE, 3 * PAGE_SIZE, 0);
p = shmat(id, NULL, 0);
shmctl(id, IPC_RMID, NULL);
remap_file_pages(p, 3 * PAGE_SIZE, 0, 7, 0);
return 0;
}
The patch changes shm_mmap() and code around shm_lock() to propagate
locking error back to caller of shm_mmap().
[1] http://github.com/google/syzkaller
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
2016-02-17 21:11:35 +00:00
|
|
|
if (IS_ERR(ipcp))
|
|
|
|
|
return (void *)ipcp;
|
2007-10-19 06:40:51 +00:00
|
|
|
return container_of(ipcp, struct shmid_kernel, shm_perm);
|
2007-10-19 06:40:51 +00:00
|
|
|
}
|
|
|
|
|
|
2011-07-28 23:56:40 +00:00
|
|
|
static inline void shm_lock_by_ptr(struct shmid_kernel *ipcp)
|
|
|
|
|
{
|
|
|
|
|
rcu_read_lock();
|
2013-07-08 23:01:11 +00:00
|
|
|
ipc_lock_object(&ipcp->shm_perm);
|
2011-07-28 23:56:40 +00:00
|
|
|
}
|
|
|
|
|
|
ipc: fix race with LSMs
commit 53dad6d3a8e5ac1af8bacc6ac2134ae1a8b085f1 upstream.
Currently, IPC mechanisms do security and auditing related checks under
RCU. However, since security modules can free the security structure,
for example, through selinux_[sem,msg_queue,shm]_free_security(), we can
race if the structure is freed before other tasks are done with it,
creating a use-after-free condition. Manfred illustrates this nicely,
for instance with shared mem and selinux:
-> do_shmat calls rcu_read_lock()
-> do_shmat calls shm_object_check().
Checks that the object is still valid - but doesn't acquire any locks.
Then it returns.
-> do_shmat calls security_shm_shmat (e.g. selinux_shm_shmat)
-> selinux_shm_shmat calls ipc_has_perm()
-> ipc_has_perm accesses ipc_perms->security
shm_close()
-> shm_close acquires rw_mutex & shm_lock
-> shm_close calls shm_destroy
-> shm_destroy calls security_shm_free (e.g. selinux_shm_free_security)
-> selinux_shm_free_security calls ipc_free_security(&shp->shm_perm)
-> ipc_free_security calls kfree(ipc_perms->security)
This patch delays the freeing of the security structures after all RCU
readers are done. Furthermore it aligns the security life cycle with
that of the rest of IPC - freeing them based on the reference counter.
For situations where we need not free security, the current behavior is
kept. Linus states:
"... the old behavior was suspect for another reason too: having the
security blob go away from under a user sounds like it could cause
various other problems anyway, so I think the old code was at least
_prone_ to bugs even if it didn't have catastrophic behavior."
I have tested this patch with IPC testcases from LTP on both my
quad-core laptop and on a 64 core NUMA server. In both cases selinux is
enabled, and tests pass for both voluntary and forced preemption models.
While the mentioned races are theoretical (at least no one as reported
them), I wanted to make sure that this new logic doesn't break anything
we weren't aware of.
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Davidlohr Bueso <davidlohr@hp.com>
Acked-by: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mike Galbraith <efault@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-09-24 00:04:45 +00:00
|
|
|
static void shm_rcu_free(struct rcu_head *head)
|
|
|
|
|
{
|
|
|
|
|
struct ipc_rcu *p = container_of(head, struct ipc_rcu, rcu);
|
|
|
|
|
struct shmid_kernel *shp = ipc_rcu_to_struct(p);
|
|
|
|
|
|
|
|
|
|
security_shm_free(shp);
|
|
|
|
|
ipc_rcu_free(head);
|
|
|
|
|
}
|
|
|
|
|
|
2007-10-19 06:40:48 +00:00
|
|
|
static inline void shm_rmid(struct ipc_namespace *ns, struct shmid_kernel *s)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2007-10-19 06:40:48 +00:00
|
|
|
ipc_rmid(&shm_ids(ns), &s->shm_perm);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
ipc/shm: handle removed segments gracefully in shm_mmap()
commit 1ac0b6dec656f3f78d1c3dd216fad84cb4d0a01e upstream.
remap_file_pages(2) emulation can reach file which represents removed
IPC ID as long as a memory segment is mapped. It breaks expectations of
IPC subsystem.
Test case (rewritten to be more human readable, originally autogenerated
by syzkaller[1]):
#define _GNU_SOURCE
#include <stdlib.h>
#include <sys/ipc.h>
#include <sys/mman.h>
#include <sys/shm.h>
#define PAGE_SIZE 4096
int main()
{
int id;
void *p;
id = shmget(IPC_PRIVATE, 3 * PAGE_SIZE, 0);
p = shmat(id, NULL, 0);
shmctl(id, IPC_RMID, NULL);
remap_file_pages(p, 3 * PAGE_SIZE, 0, 7, 0);
return 0;
}
The patch changes shm_mmap() and code around shm_lock() to propagate
locking error back to caller of shm_mmap().
[1] http://github.com/google/syzkaller
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
2016-02-17 21:11:35 +00:00
|
|
|
static int __shm_open(struct vm_area_struct *vma)
|
2006-10-02 09:18:22 +00:00
|
|
|
{
|
2007-02-20 21:57:53 +00:00
|
|
|
struct file *file = vma->vm_file;
|
|
|
|
|
struct shm_file_data *sfd = shm_file_data(file);
|
2005-04-16 22:20:36 +00:00
|
|
|
struct shmid_kernel *shp;
|
|
|
|
|
|
2007-02-20 21:57:53 +00:00
|
|
|
shp = shm_lock(sfd->ns, sfd->id);
|
ipc/shm: handle removed segments gracefully in shm_mmap()
commit 1ac0b6dec656f3f78d1c3dd216fad84cb4d0a01e upstream.
remap_file_pages(2) emulation can reach file which represents removed
IPC ID as long as a memory segment is mapped. It breaks expectations of
IPC subsystem.
Test case (rewritten to be more human readable, originally autogenerated
by syzkaller[1]):
#define _GNU_SOURCE
#include <stdlib.h>
#include <sys/ipc.h>
#include <sys/mman.h>
#include <sys/shm.h>
#define PAGE_SIZE 4096
int main()
{
int id;
void *p;
id = shmget(IPC_PRIVATE, 3 * PAGE_SIZE, 0);
p = shmat(id, NULL, 0);
shmctl(id, IPC_RMID, NULL);
remap_file_pages(p, 3 * PAGE_SIZE, 0, 7, 0);
return 0;
}
The patch changes shm_mmap() and code around shm_lock() to propagate
locking error back to caller of shm_mmap().
[1] http://github.com/google/syzkaller
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
2016-02-17 21:11:35 +00:00
|
|
|
|
|
|
|
|
if (IS_ERR(shp))
|
|
|
|
|
return PTR_ERR(shp);
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
shp->shm_atim = get_seconds();
|
2007-10-19 06:40:14 +00:00
|
|
|
shp->shm_lprid = task_tgid_vnr(current);
|
2005-04-16 22:20:36 +00:00
|
|
|
shp->shm_nattch++;
|
|
|
|
|
shm_unlock(shp);
|
ipc/shm: handle removed segments gracefully in shm_mmap()
commit 1ac0b6dec656f3f78d1c3dd216fad84cb4d0a01e upstream.
remap_file_pages(2) emulation can reach file which represents removed
IPC ID as long as a memory segment is mapped. It breaks expectations of
IPC subsystem.
Test case (rewritten to be more human readable, originally autogenerated
by syzkaller[1]):
#define _GNU_SOURCE
#include <stdlib.h>
#include <sys/ipc.h>
#include <sys/mman.h>
#include <sys/shm.h>
#define PAGE_SIZE 4096
int main()
{
int id;
void *p;
id = shmget(IPC_PRIVATE, 3 * PAGE_SIZE, 0);
p = shmat(id, NULL, 0);
shmctl(id, IPC_RMID, NULL);
remap_file_pages(p, 3 * PAGE_SIZE, 0, 7, 0);
return 0;
}
The patch changes shm_mmap() and code around shm_lock() to propagate
locking error back to caller of shm_mmap().
[1] http://github.com/google/syzkaller
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
2016-02-17 21:11:35 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* This is called by fork, once for every shm attach. */
|
|
|
|
|
static void shm_open(struct vm_area_struct *vma)
|
|
|
|
|
{
|
|
|
|
|
int err = __shm_open(vma);
|
|
|
|
|
/*
|
|
|
|
|
* We raced in the idr lookup or with shm_destroy().
|
|
|
|
|
* Either way, the ID is busted.
|
|
|
|
|
*/
|
|
|
|
|
WARN_ON_ONCE(err);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* shm_destroy - free the struct shmid_kernel
|
|
|
|
|
*
|
2007-10-19 06:40:53 +00:00
|
|
|
* @ns: namespace
|
2005-04-16 22:20:36 +00:00
|
|
|
* @shp: struct to free
|
|
|
|
|
*
|
2013-09-11 21:26:24 +00:00
|
|
|
* It has to be called with shp and shm_ids.rwsem (writer) locked,
|
2005-04-16 22:20:36 +00:00
|
|
|
* but returns with shp unlocked and freed.
|
|
|
|
|
*/
|
2006-10-02 09:18:22 +00:00
|
|
|
static void shm_destroy(struct ipc_namespace *ns, struct shmid_kernel *shp)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2013-11-21 22:32:00 +00:00
|
|
|
struct file *shm_file;
|
|
|
|
|
|
|
|
|
|
shm_file = shp->shm_file;
|
|
|
|
|
shp->shm_file = NULL;
|
2006-10-02 09:18:22 +00:00
|
|
|
ns->shm_tot -= (shp->shm_segsz + PAGE_SIZE - 1) >> PAGE_SHIFT;
|
2007-10-19 06:40:48 +00:00
|
|
|
shm_rmid(ns, shp);
|
2005-04-16 22:20:36 +00:00
|
|
|
shm_unlock(shp);
|
2013-11-21 22:32:00 +00:00
|
|
|
if (!is_file_hugepages(shm_file))
|
|
|
|
|
shmem_lock(shm_file, 0, shp->mlock_user);
|
2009-08-24 15:30:28 +00:00
|
|
|
else if (shp->mlock_user)
|
2013-11-21 22:32:00 +00:00
|
|
|
user_shm_unlock(file_inode(shm_file)->i_size, shp->mlock_user);
|
|
|
|
|
fput(shm_file);
|
ipc: fix race with LSMs
commit 53dad6d3a8e5ac1af8bacc6ac2134ae1a8b085f1 upstream.
Currently, IPC mechanisms do security and auditing related checks under
RCU. However, since security modules can free the security structure,
for example, through selinux_[sem,msg_queue,shm]_free_security(), we can
race if the structure is freed before other tasks are done with it,
creating a use-after-free condition. Manfred illustrates this nicely,
for instance with shared mem and selinux:
-> do_shmat calls rcu_read_lock()
-> do_shmat calls shm_object_check().
Checks that the object is still valid - but doesn't acquire any locks.
Then it returns.
-> do_shmat calls security_shm_shmat (e.g. selinux_shm_shmat)
-> selinux_shm_shmat calls ipc_has_perm()
-> ipc_has_perm accesses ipc_perms->security
shm_close()
-> shm_close acquires rw_mutex & shm_lock
-> shm_close calls shm_destroy
-> shm_destroy calls security_shm_free (e.g. selinux_shm_free_security)
-> selinux_shm_free_security calls ipc_free_security(&shp->shm_perm)
-> ipc_free_security calls kfree(ipc_perms->security)
This patch delays the freeing of the security structures after all RCU
readers are done. Furthermore it aligns the security life cycle with
that of the rest of IPC - freeing them based on the reference counter.
For situations where we need not free security, the current behavior is
kept. Linus states:
"... the old behavior was suspect for another reason too: having the
security blob go away from under a user sounds like it could cause
various other problems anyway, so I think the old code was at least
_prone_ to bugs even if it didn't have catastrophic behavior."
I have tested this patch with IPC testcases from LTP on both my
quad-core laptop and on a 64 core NUMA server. In both cases selinux is
enabled, and tests pass for both voluntary and forced preemption models.
While the mentioned races are theoretical (at least no one as reported
them), I wanted to make sure that this new logic doesn't break anything
we weren't aware of.
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Davidlohr Bueso <davidlohr@hp.com>
Acked-by: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mike Galbraith <efault@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-09-24 00:04:45 +00:00
|
|
|
ipc_rcu_putref(shp, shm_rcu_free);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
2011-07-26 23:08:48 +00:00
|
|
|
/*
|
|
|
|
|
* shm_may_destroy - identifies whether shm segment should be destroyed now
|
|
|
|
|
*
|
|
|
|
|
* Returns true if and only if there are no active users of the segment and
|
|
|
|
|
* one of the following is true:
|
|
|
|
|
*
|
|
|
|
|
* 1) shmctl(id, IPC_RMID, NULL) was called for this shp
|
|
|
|
|
*
|
|
|
|
|
* 2) sysctl kernel.shm_rmid_forced is set to 1.
|
|
|
|
|
*/
|
|
|
|
|
static bool shm_may_destroy(struct ipc_namespace *ns, struct shmid_kernel *shp)
|
|
|
|
|
{
|
|
|
|
|
return (shp->shm_nattch == 0) &&
|
|
|
|
|
(ns->shm_rmid_forced ||
|
|
|
|
|
(shp->shm_perm.mode & SHM_DEST));
|
|
|
|
|
}
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
/*
|
2007-02-20 21:57:53 +00:00
|
|
|
* remove the attach descriptor vma.
|
2005-04-16 22:20:36 +00:00
|
|
|
* free memory for segment if it is marked destroyed.
|
|
|
|
|
* The descriptor has already been removed from the current->mm->mmap list
|
|
|
|
|
* and will later be kfree()d.
|
|
|
|
|
*/
|
2007-02-20 21:57:53 +00:00
|
|
|
static void shm_close(struct vm_area_struct *vma)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2007-02-20 21:57:53 +00:00
|
|
|
struct file * file = vma->vm_file;
|
|
|
|
|
struct shm_file_data *sfd = shm_file_data(file);
|
2005-04-16 22:20:36 +00:00
|
|
|
struct shmid_kernel *shp;
|
2007-02-20 21:57:53 +00:00
|
|
|
struct ipc_namespace *ns = sfd->ns;
|
2006-10-02 09:18:22 +00:00
|
|
|
|
2013-09-11 21:26:24 +00:00
|
|
|
down_write(&shm_ids(ns).rwsem);
|
2005-04-16 22:20:36 +00:00
|
|
|
/* remove from the list of attaches of the shm segment */
|
2008-07-25 08:48:03 +00:00
|
|
|
shp = shm_lock(ns, sfd->id);
|
ipc/shm: handle removed segments gracefully in shm_mmap()
commit 1ac0b6dec656f3f78d1c3dd216fad84cb4d0a01e upstream.
remap_file_pages(2) emulation can reach file which represents removed
IPC ID as long as a memory segment is mapped. It breaks expectations of
IPC subsystem.
Test case (rewritten to be more human readable, originally autogenerated
by syzkaller[1]):
#define _GNU_SOURCE
#include <stdlib.h>
#include <sys/ipc.h>
#include <sys/mman.h>
#include <sys/shm.h>
#define PAGE_SIZE 4096
int main()
{
int id;
void *p;
id = shmget(IPC_PRIVATE, 3 * PAGE_SIZE, 0);
p = shmat(id, NULL, 0);
shmctl(id, IPC_RMID, NULL);
remap_file_pages(p, 3 * PAGE_SIZE, 0, 7, 0);
return 0;
}
The patch changes shm_mmap() and code around shm_lock() to propagate
locking error back to caller of shm_mmap().
[1] http://github.com/google/syzkaller
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
2016-02-17 21:11:35 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* We raced in the idr lookup or with shm_destroy().
|
|
|
|
|
* Either way, the ID is busted.
|
|
|
|
|
*/
|
|
|
|
|
if (WARN_ON_ONCE(IS_ERR(shp)))
|
|
|
|
|
goto done; /* no-op */
|
|
|
|
|
|
2007-10-19 06:40:14 +00:00
|
|
|
shp->shm_lprid = task_tgid_vnr(current);
|
2005-04-16 22:20:36 +00:00
|
|
|
shp->shm_dtim = get_seconds();
|
|
|
|
|
shp->shm_nattch--;
|
2011-07-26 23:08:48 +00:00
|
|
|
if (shm_may_destroy(ns, shp))
|
|
|
|
|
shm_destroy(ns, shp);
|
|
|
|
|
else
|
|
|
|
|
shm_unlock(shp);
|
ipc/shm: handle removed segments gracefully in shm_mmap()
commit 1ac0b6dec656f3f78d1c3dd216fad84cb4d0a01e upstream.
remap_file_pages(2) emulation can reach file which represents removed
IPC ID as long as a memory segment is mapped. It breaks expectations of
IPC subsystem.
Test case (rewritten to be more human readable, originally autogenerated
by syzkaller[1]):
#define _GNU_SOURCE
#include <stdlib.h>
#include <sys/ipc.h>
#include <sys/mman.h>
#include <sys/shm.h>
#define PAGE_SIZE 4096
int main()
{
int id;
void *p;
id = shmget(IPC_PRIVATE, 3 * PAGE_SIZE, 0);
p = shmat(id, NULL, 0);
shmctl(id, IPC_RMID, NULL);
remap_file_pages(p, 3 * PAGE_SIZE, 0, 7, 0);
return 0;
}
The patch changes shm_mmap() and code around shm_lock() to propagate
locking error back to caller of shm_mmap().
[1] http://github.com/google/syzkaller
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
2016-02-17 21:11:35 +00:00
|
|
|
done:
|
2013-09-11 21:26:24 +00:00
|
|
|
up_write(&shm_ids(ns).rwsem);
|
2011-07-26 23:08:48 +00:00
|
|
|
}
|
|
|
|
|
|
2013-09-11 21:26:24 +00:00
|
|
|
/* Called with ns->shm_ids(ns).rwsem locked */
|
2011-07-26 23:08:48 +00:00
|
|
|
static int shm_try_destroy_current(int id, void *p, void *data)
|
|
|
|
|
{
|
|
|
|
|
struct ipc_namespace *ns = data;
|
2011-07-28 23:56:40 +00:00
|
|
|
struct kern_ipc_perm *ipcp = p;
|
|
|
|
|
struct shmid_kernel *shp = container_of(ipcp, struct shmid_kernel, shm_perm);
|
2011-07-26 23:08:48 +00:00
|
|
|
|
2011-07-28 23:56:40 +00:00
|
|
|
if (shp->shm_creator != current)
|
2011-07-28 23:55:31 +00:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Mark it as orphaned to destroy the segment when
|
|
|
|
|
* kernel.shm_rmid_forced is changed.
|
|
|
|
|
* It is noop if the following shm_may_destroy() returns true.
|
|
|
|
|
*/
|
|
|
|
|
shp->shm_creator = NULL;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Don't even try to destroy it. If shm_rmid_forced=0 and IPC_RMID
|
|
|
|
|
* is not set, it shouldn't be deleted here.
|
|
|
|
|
*/
|
2011-07-28 23:56:40 +00:00
|
|
|
if (!ns->shm_rmid_forced)
|
2011-07-26 23:08:48 +00:00
|
|
|
return 0;
|
|
|
|
|
|
2011-07-28 23:56:40 +00:00
|
|
|
if (shm_may_destroy(ns, shp)) {
|
|
|
|
|
shm_lock_by_ptr(shp);
|
2011-07-26 23:08:48 +00:00
|
|
|
shm_destroy(ns, shp);
|
2011-07-28 23:56:40 +00:00
|
|
|
}
|
2011-07-26 23:08:48 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2013-09-11 21:26:24 +00:00
|
|
|
/* Called with ns->shm_ids(ns).rwsem locked */
|
2011-07-26 23:08:48 +00:00
|
|
|
static int shm_try_destroy_orphaned(int id, void *p, void *data)
|
|
|
|
|
{
|
|
|
|
|
struct ipc_namespace *ns = data;
|
2011-07-28 23:56:40 +00:00
|
|
|
struct kern_ipc_perm *ipcp = p;
|
|
|
|
|
struct shmid_kernel *shp = container_of(ipcp, struct shmid_kernel, shm_perm);
|
2011-07-26 23:08:48 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* We want to destroy segments without users and with already
|
|
|
|
|
* exit'ed originating process.
|
2011-07-28 23:56:40 +00:00
|
|
|
*
|
2013-09-11 21:26:24 +00:00
|
|
|
* As shp->* are changed under rwsem, it's safe to skip shp locking.
|
2011-07-26 23:08:48 +00:00
|
|
|
*/
|
2011-07-28 23:56:40 +00:00
|
|
|
if (shp->shm_creator != NULL)
|
2011-07-26 23:08:48 +00:00
|
|
|
return 0;
|
|
|
|
|
|
2011-07-28 23:56:40 +00:00
|
|
|
if (shm_may_destroy(ns, shp)) {
|
|
|
|
|
shm_lock_by_ptr(shp);
|
2006-10-02 09:18:22 +00:00
|
|
|
shm_destroy(ns, shp);
|
2011-07-28 23:56:40 +00:00
|
|
|
}
|
2011-07-26 23:08:48 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void shm_destroy_orphaned(struct ipc_namespace *ns)
|
|
|
|
|
{
|
2013-09-11 21:26:24 +00:00
|
|
|
down_write(&shm_ids(ns).rwsem);
|
2011-08-03 18:26:55 +00:00
|
|
|
if (shm_ids(ns).in_use)
|
2011-07-28 23:56:40 +00:00
|
|
|
idr_for_each(&shm_ids(ns).ipcs_idr, &shm_try_destroy_orphaned, ns);
|
2013-09-11 21:26:24 +00:00
|
|
|
up_write(&shm_ids(ns).rwsem);
|
2011-07-26 23:08:48 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
void exit_shm(struct task_struct *task)
|
|
|
|
|
{
|
2011-07-28 23:56:40 +00:00
|
|
|
struct ipc_namespace *ns = task->nsproxy->ipc_ns;
|
2011-07-26 23:08:48 +00:00
|
|
|
|
2011-08-03 18:28:26 +00:00
|
|
|
if (shm_ids(ns).in_use == 0)
|
|
|
|
|
return;
|
|
|
|
|
|
2011-07-26 23:08:48 +00:00
|
|
|
/* Destroy all already created segments, but not mapped yet */
|
2013-09-11 21:26:24 +00:00
|
|
|
down_write(&shm_ids(ns).rwsem);
|
2011-08-03 18:26:55 +00:00
|
|
|
if (shm_ids(ns).in_use)
|
2011-07-28 23:56:40 +00:00
|
|
|
idr_for_each(&shm_ids(ns).ipcs_idr, &shm_try_destroy_current, ns);
|
2013-09-11 21:26:24 +00:00
|
|
|
up_write(&shm_ids(ns).rwsem);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
2007-07-19 08:47:03 +00:00
|
|
|
static int shm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
|
2007-02-20 21:57:53 +00:00
|
|
|
{
|
|
|
|
|
struct file *file = vma->vm_file;
|
|
|
|
|
struct shm_file_data *sfd = shm_file_data(file);
|
|
|
|
|
|
2007-07-19 08:47:03 +00:00
|
|
|
return sfd->vm_ops->fault(vma, vmf);
|
2007-02-20 21:57:53 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#ifdef CONFIG_NUMA
|
2007-10-17 06:26:42 +00:00
|
|
|
static int shm_set_policy(struct vm_area_struct *vma, struct mempolicy *new)
|
2007-02-20 21:57:53 +00:00
|
|
|
{
|
|
|
|
|
struct file *file = vma->vm_file;
|
|
|
|
|
struct shm_file_data *sfd = shm_file_data(file);
|
|
|
|
|
int err = 0;
|
|
|
|
|
if (sfd->vm_ops->set_policy)
|
|
|
|
|
err = sfd->vm_ops->set_policy(vma, new);
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
2007-10-17 06:26:42 +00:00
|
|
|
static struct mempolicy *shm_get_policy(struct vm_area_struct *vma,
|
|
|
|
|
unsigned long addr)
|
2007-02-20 21:57:53 +00:00
|
|
|
{
|
|
|
|
|
struct file *file = vma->vm_file;
|
|
|
|
|
struct shm_file_data *sfd = shm_file_data(file);
|
|
|
|
|
struct mempolicy *pol = NULL;
|
|
|
|
|
|
|
|
|
|
if (sfd->vm_ops->get_policy)
|
|
|
|
|
pol = sfd->vm_ops->get_policy(vma, addr);
|
mempolicy: rework mempolicy Reference Counting [yet again]
After further discussion with Christoph Lameter, it has become clear that my
earlier attempts to clean up the mempolicy reference counting were a bit of
overkill in some areas, resulting in superflous ref/unref in what are usually
fast paths. In other areas, further inspection reveals that I botched the
unref for interleave policies.
A separate patch, suitable for upstream/stable trees, fixes up the known
errors in the previous attempt to fix reference counting.
This patch reworks the memory policy referencing counting and, one hopes,
simplifies the code. Maybe I'll get it right this time.
See the update to the numa_memory_policy.txt document for a discussion of
memory policy reference counting that motivates this patch.
Summary:
Lookup of mempolicy, based on (vma, address) need only add a reference for
shared policy, and we need only unref the policy when finished for shared
policies. So, this patch backs out all of the unneeded extra reference
counting added by my previous attempt. It then unrefs only shared policies
when we're finished with them, using the mpol_cond_put() [conditional put]
helper function introduced by this patch.
Note that shmem_swapin() calls read_swap_cache_async() with a dummy vma
containing just the policy. read_swap_cache_async() can call alloc_page_vma()
multiple times, so we can't let alloc_page_vma() unref the shared policy in
this case. To avoid this, we make a copy of any non-null shared policy and
remove the MPOL_F_SHARED flag from the copy. This copy occurs before reading
a page [or multiple pages] from swap, so the overhead should not be an issue
here.
I introduced a new static inline function "mpol_cond_copy()" to copy the
shared policy to an on-stack policy and remove the flags that would require a
conditional free. The current implementation of mpol_cond_copy() assumes that
the struct mempolicy contains no pointers to dynamically allocated structures
that must be duplicated or reference counted during copy.
Signed-off-by: Lee Schermerhorn <lee.schermerhorn@hp.com>
Cc: Christoph Lameter <clameter@sgi.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Mel Gorman <mel@csn.ul.ie>
Cc: Andi Kleen <ak@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-04-28 09:13:16 +00:00
|
|
|
else if (vma->vm_policy)
|
2007-02-20 21:57:53 +00:00
|
|
|
pol = vma->vm_policy;
|
mempolicy: rework mempolicy Reference Counting [yet again]
After further discussion with Christoph Lameter, it has become clear that my
earlier attempts to clean up the mempolicy reference counting were a bit of
overkill in some areas, resulting in superflous ref/unref in what are usually
fast paths. In other areas, further inspection reveals that I botched the
unref for interleave policies.
A separate patch, suitable for upstream/stable trees, fixes up the known
errors in the previous attempt to fix reference counting.
This patch reworks the memory policy referencing counting and, one hopes,
simplifies the code. Maybe I'll get it right this time.
See the update to the numa_memory_policy.txt document for a discussion of
memory policy reference counting that motivates this patch.
Summary:
Lookup of mempolicy, based on (vma, address) need only add a reference for
shared policy, and we need only unref the policy when finished for shared
policies. So, this patch backs out all of the unneeded extra reference
counting added by my previous attempt. It then unrefs only shared policies
when we're finished with them, using the mpol_cond_put() [conditional put]
helper function introduced by this patch.
Note that shmem_swapin() calls read_swap_cache_async() with a dummy vma
containing just the policy. read_swap_cache_async() can call alloc_page_vma()
multiple times, so we can't let alloc_page_vma() unref the shared policy in
this case. To avoid this, we make a copy of any non-null shared policy and
remove the MPOL_F_SHARED flag from the copy. This copy occurs before reading
a page [or multiple pages] from swap, so the overhead should not be an issue
here.
I introduced a new static inline function "mpol_cond_copy()" to copy the
shared policy to an on-stack policy and remove the flags that would require a
conditional free. The current implementation of mpol_cond_copy() assumes that
the struct mempolicy contains no pointers to dynamically allocated structures
that must be duplicated or reference counted during copy.
Signed-off-by: Lee Schermerhorn <lee.schermerhorn@hp.com>
Cc: Christoph Lameter <clameter@sgi.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Mel Gorman <mel@csn.ul.ie>
Cc: Andi Kleen <ak@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-04-28 09:13:16 +00:00
|
|
|
|
2007-02-20 21:57:53 +00:00
|
|
|
return pol;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
static int shm_mmap(struct file * file, struct vm_area_struct * vma)
|
|
|
|
|
{
|
2007-02-20 21:57:53 +00:00
|
|
|
struct shm_file_data *sfd = shm_file_data(file);
|
2006-01-06 08:11:42 +00:00
|
|
|
int ret;
|
|
|
|
|
|
ipc/shm: handle removed segments gracefully in shm_mmap()
commit 1ac0b6dec656f3f78d1c3dd216fad84cb4d0a01e upstream.
remap_file_pages(2) emulation can reach file which represents removed
IPC ID as long as a memory segment is mapped. It breaks expectations of
IPC subsystem.
Test case (rewritten to be more human readable, originally autogenerated
by syzkaller[1]):
#define _GNU_SOURCE
#include <stdlib.h>
#include <sys/ipc.h>
#include <sys/mman.h>
#include <sys/shm.h>
#define PAGE_SIZE 4096
int main()
{
int id;
void *p;
id = shmget(IPC_PRIVATE, 3 * PAGE_SIZE, 0);
p = shmat(id, NULL, 0);
shmctl(id, IPC_RMID, NULL);
remap_file_pages(p, 3 * PAGE_SIZE, 0, 7, 0);
return 0;
}
The patch changes shm_mmap() and code around shm_lock() to propagate
locking error back to caller of shm_mmap().
[1] http://github.com/google/syzkaller
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
2016-02-17 21:11:35 +00:00
|
|
|
/*
|
|
|
|
|
* In case of remap_file_pages() emulation, the file can represent
|
|
|
|
|
* removed IPC ID: propogate shm_lock() error to caller.
|
|
|
|
|
*/
|
|
|
|
|
ret =__shm_open(vma);
|
|
|
|
|
if (ret)
|
|
|
|
|
return ret;
|
|
|
|
|
|
2007-02-20 21:57:53 +00:00
|
|
|
ret = sfd->file->f_op->mmap(sfd->file, vma);
|
ipc/shm: handle removed segments gracefully in shm_mmap()
commit 1ac0b6dec656f3f78d1c3dd216fad84cb4d0a01e upstream.
remap_file_pages(2) emulation can reach file which represents removed
IPC ID as long as a memory segment is mapped. It breaks expectations of
IPC subsystem.
Test case (rewritten to be more human readable, originally autogenerated
by syzkaller[1]):
#define _GNU_SOURCE
#include <stdlib.h>
#include <sys/ipc.h>
#include <sys/mman.h>
#include <sys/shm.h>
#define PAGE_SIZE 4096
int main()
{
int id;
void *p;
id = shmget(IPC_PRIVATE, 3 * PAGE_SIZE, 0);
p = shmat(id, NULL, 0);
shmctl(id, IPC_RMID, NULL);
remap_file_pages(p, 3 * PAGE_SIZE, 0, 7, 0);
return 0;
}
The patch changes shm_mmap() and code around shm_lock() to propagate
locking error back to caller of shm_mmap().
[1] http://github.com/google/syzkaller
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
2016-02-17 21:11:35 +00:00
|
|
|
if (ret) {
|
|
|
|
|
shm_close(vma);
|
2007-02-20 21:57:53 +00:00
|
|
|
return ret;
|
ipc/shm: handle removed segments gracefully in shm_mmap()
commit 1ac0b6dec656f3f78d1c3dd216fad84cb4d0a01e upstream.
remap_file_pages(2) emulation can reach file which represents removed
IPC ID as long as a memory segment is mapped. It breaks expectations of
IPC subsystem.
Test case (rewritten to be more human readable, originally autogenerated
by syzkaller[1]):
#define _GNU_SOURCE
#include <stdlib.h>
#include <sys/ipc.h>
#include <sys/mman.h>
#include <sys/shm.h>
#define PAGE_SIZE 4096
int main()
{
int id;
void *p;
id = shmget(IPC_PRIVATE, 3 * PAGE_SIZE, 0);
p = shmat(id, NULL, 0);
shmctl(id, IPC_RMID, NULL);
remap_file_pages(p, 3 * PAGE_SIZE, 0, 7, 0);
return 0;
}
The patch changes shm_mmap() and code around shm_lock() to propagate
locking error back to caller of shm_mmap().
[1] http://github.com/google/syzkaller
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
2016-02-17 21:11:35 +00:00
|
|
|
}
|
2007-02-20 21:57:53 +00:00
|
|
|
sfd->vm_ops = vma->vm_ops;
|
2007-07-31 07:37:24 +00:00
|
|
|
#ifdef CONFIG_MMU
|
2015-09-09 22:39:20 +00:00
|
|
|
WARN_ON(!sfd->vm_ops->fault);
|
2007-07-31 07:37:24 +00:00
|
|
|
#endif
|
2007-02-20 21:57:53 +00:00
|
|
|
vma->vm_ops = &shm_vm_ops;
|
ipc/shm: handle removed segments gracefully in shm_mmap()
commit 1ac0b6dec656f3f78d1c3dd216fad84cb4d0a01e upstream.
remap_file_pages(2) emulation can reach file which represents removed
IPC ID as long as a memory segment is mapped. It breaks expectations of
IPC subsystem.
Test case (rewritten to be more human readable, originally autogenerated
by syzkaller[1]):
#define _GNU_SOURCE
#include <stdlib.h>
#include <sys/ipc.h>
#include <sys/mman.h>
#include <sys/shm.h>
#define PAGE_SIZE 4096
int main()
{
int id;
void *p;
id = shmget(IPC_PRIVATE, 3 * PAGE_SIZE, 0);
p = shmat(id, NULL, 0);
shmctl(id, IPC_RMID, NULL);
remap_file_pages(p, 3 * PAGE_SIZE, 0, 7, 0);
return 0;
}
The patch changes shm_mmap() and code around shm_lock() to propagate
locking error back to caller of shm_mmap().
[1] http://github.com/google/syzkaller
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
2016-02-17 21:11:35 +00:00
|
|
|
return 0;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
2006-10-02 09:18:22 +00:00
|
|
|
static int shm_release(struct inode *ino, struct file *file)
|
|
|
|
|
{
|
2007-02-20 21:57:53 +00:00
|
|
|
struct shm_file_data *sfd = shm_file_data(file);
|
2006-10-02 09:18:22 +00:00
|
|
|
|
2007-02-20 21:57:53 +00:00
|
|
|
put_ipc_ns(sfd->ns);
|
|
|
|
|
shm_file_data(file) = NULL;
|
|
|
|
|
kfree(sfd);
|
2006-10-02 09:18:22 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2011-07-17 00:44:56 +00:00
|
|
|
static int shm_fsync(struct file *file, loff_t start, loff_t end, int datasync)
|
2007-03-01 23:46:08 +00:00
|
|
|
{
|
|
|
|
|
struct shm_file_data *sfd = shm_file_data(file);
|
|
|
|
|
|
2010-05-26 15:53:25 +00:00
|
|
|
if (!sfd->file->f_op->fsync)
|
|
|
|
|
return -EINVAL;
|
2011-07-17 00:44:56 +00:00
|
|
|
return sfd->file->f_op->fsync(sfd->file, start, end, datasync);
|
2007-03-01 23:46:08 +00:00
|
|
|
}
|
|
|
|
|
|
2012-06-07 21:21:13 +00:00
|
|
|
static long shm_fallocate(struct file *file, int mode, loff_t offset,
|
|
|
|
|
loff_t len)
|
|
|
|
|
{
|
|
|
|
|
struct shm_file_data *sfd = shm_file_data(file);
|
|
|
|
|
|
|
|
|
|
if (!sfd->file->f_op->fallocate)
|
|
|
|
|
return -EOPNOTSUPP;
|
|
|
|
|
return sfd->file->f_op->fallocate(file, mode, offset, len);
|
|
|
|
|
}
|
|
|
|
|
|
2007-02-20 21:57:53 +00:00
|
|
|
static unsigned long shm_get_unmapped_area(struct file *file,
|
|
|
|
|
unsigned long addr, unsigned long len, unsigned long pgoff,
|
|
|
|
|
unsigned long flags)
|
|
|
|
|
{
|
|
|
|
|
struct shm_file_data *sfd = shm_file_data(file);
|
2009-11-30 13:38:43 +00:00
|
|
|
return sfd->file->f_op->get_unmapped_area(sfd->file, addr, len,
|
|
|
|
|
pgoff, flags);
|
2007-02-20 21:57:53 +00:00
|
|
|
}
|
|
|
|
|
|
2007-02-12 08:55:35 +00:00
|
|
|
static const struct file_operations shm_file_operations = {
|
2006-10-02 09:18:22 +00:00
|
|
|
.mmap = shm_mmap,
|
2007-03-01 23:46:08 +00:00
|
|
|
.fsync = shm_fsync,
|
2006-10-02 09:18:22 +00:00
|
|
|
.release = shm_release,
|
2010-01-16 01:01:32 +00:00
|
|
|
#ifndef CONFIG_MMU
|
|
|
|
|
.get_unmapped_area = shm_get_unmapped_area,
|
|
|
|
|
#endif
|
llseek: automatically add .llseek fop
All file_operations should get a .llseek operation so we can make
nonseekable_open the default for future file operations without a
.llseek pointer.
The three cases that we can automatically detect are no_llseek, seq_lseek
and default_llseek. For cases where we can we can automatically prove that
the file offset is always ignored, we use noop_llseek, which maintains
the current behavior of not returning an error from a seek.
New drivers should normally not use noop_llseek but instead use no_llseek
and call nonseekable_open at open time. Existing drivers can be converted
to do the same when the maintainer knows for certain that no user code
relies on calling seek on the device file.
The generated code is often incorrectly indented and right now contains
comments that clarify for each added line why a specific variant was
chosen. In the version that gets submitted upstream, the comments will
be gone and I will manually fix the indentation, because there does not
seem to be a way to do that using coccinelle.
Some amount of new code is currently sitting in linux-next that should get
the same modifications, which I will do at the end of the merge window.
Many thanks to Julia Lawall for helping me learn to write a semantic
patch that does all this.
===== begin semantic patch =====
// This adds an llseek= method to all file operations,
// as a preparation for making no_llseek the default.
//
// The rules are
// - use no_llseek explicitly if we do nonseekable_open
// - use seq_lseek for sequential files
// - use default_llseek if we know we access f_pos
// - use noop_llseek if we know we don't access f_pos,
// but we still want to allow users to call lseek
//
@ open1 exists @
identifier nested_open;
@@
nested_open(...)
{
<+...
nonseekable_open(...)
...+>
}
@ open exists@
identifier open_f;
identifier i, f;
identifier open1.nested_open;
@@
int open_f(struct inode *i, struct file *f)
{
<+...
(
nonseekable_open(...)
|
nested_open(...)
)
...+>
}
@ read disable optional_qualifier exists @
identifier read_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
expression E;
identifier func;
@@
ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
{
<+...
(
*off = E
|
*off += E
|
func(..., off, ...)
|
E = *off
)
...+>
}
@ read_no_fpos disable optional_qualifier exists @
identifier read_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
@@
ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
{
... when != off
}
@ write @
identifier write_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
expression E;
identifier func;
@@
ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
{
<+...
(
*off = E
|
*off += E
|
func(..., off, ...)
|
E = *off
)
...+>
}
@ write_no_fpos @
identifier write_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
@@
ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
{
... when != off
}
@ fops0 @
identifier fops;
@@
struct file_operations fops = {
...
};
@ has_llseek depends on fops0 @
identifier fops0.fops;
identifier llseek_f;
@@
struct file_operations fops = {
...
.llseek = llseek_f,
...
};
@ has_read depends on fops0 @
identifier fops0.fops;
identifier read_f;
@@
struct file_operations fops = {
...
.read = read_f,
...
};
@ has_write depends on fops0 @
identifier fops0.fops;
identifier write_f;
@@
struct file_operations fops = {
...
.write = write_f,
...
};
@ has_open depends on fops0 @
identifier fops0.fops;
identifier open_f;
@@
struct file_operations fops = {
...
.open = open_f,
...
};
// use no_llseek if we call nonseekable_open
////////////////////////////////////////////
@ nonseekable1 depends on !has_llseek && has_open @
identifier fops0.fops;
identifier nso ~= "nonseekable_open";
@@
struct file_operations fops = {
... .open = nso, ...
+.llseek = no_llseek, /* nonseekable */
};
@ nonseekable2 depends on !has_llseek @
identifier fops0.fops;
identifier open.open_f;
@@
struct file_operations fops = {
... .open = open_f, ...
+.llseek = no_llseek, /* open uses nonseekable */
};
// use seq_lseek for sequential files
/////////////////////////////////////
@ seq depends on !has_llseek @
identifier fops0.fops;
identifier sr ~= "seq_read";
@@
struct file_operations fops = {
... .read = sr, ...
+.llseek = seq_lseek, /* we have seq_read */
};
// use default_llseek if there is a readdir
///////////////////////////////////////////
@ fops1 depends on !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier readdir_e;
@@
// any other fop is used that changes pos
struct file_operations fops = {
... .readdir = readdir_e, ...
+.llseek = default_llseek, /* readdir is present */
};
// use default_llseek if at least one of read/write touches f_pos
/////////////////////////////////////////////////////////////////
@ fops2 depends on !fops1 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read.read_f;
@@
// read fops use offset
struct file_operations fops = {
... .read = read_f, ...
+.llseek = default_llseek, /* read accesses f_pos */
};
@ fops3 depends on !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier write.write_f;
@@
// write fops use offset
struct file_operations fops = {
... .write = write_f, ...
+ .llseek = default_llseek, /* write accesses f_pos */
};
// Use noop_llseek if neither read nor write accesses f_pos
///////////////////////////////////////////////////////////
@ fops4 depends on !fops1 && !fops2 && !fops3 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read_no_fpos.read_f;
identifier write_no_fpos.write_f;
@@
// write fops use offset
struct file_operations fops = {
...
.write = write_f,
.read = read_f,
...
+.llseek = noop_llseek, /* read and write both use no f_pos */
};
@ depends on has_write && !has_read && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier write_no_fpos.write_f;
@@
struct file_operations fops = {
... .write = write_f, ...
+.llseek = noop_llseek, /* write uses no f_pos */
};
@ depends on has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read_no_fpos.read_f;
@@
struct file_operations fops = {
... .read = read_f, ...
+.llseek = noop_llseek, /* read uses no f_pos */
};
@ depends on !has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
@@
struct file_operations fops = {
...
+.llseek = noop_llseek, /* no read or write fn */
};
===== End semantic patch =====
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Cc: Julia Lawall <julia@diku.dk>
Cc: Christoph Hellwig <hch@infradead.org>
2010-08-15 16:52:59 +00:00
|
|
|
.llseek = noop_llseek,
|
2012-06-07 21:21:13 +00:00
|
|
|
.fallocate = shm_fallocate,
|
2009-11-30 13:38:43 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static const struct file_operations shm_file_operations_huge = {
|
|
|
|
|
.mmap = shm_mmap,
|
|
|
|
|
.fsync = shm_fsync,
|
|
|
|
|
.release = shm_release,
|
2007-02-20 21:57:53 +00:00
|
|
|
.get_unmapped_area = shm_get_unmapped_area,
|
llseek: automatically add .llseek fop
All file_operations should get a .llseek operation so we can make
nonseekable_open the default for future file operations without a
.llseek pointer.
The three cases that we can automatically detect are no_llseek, seq_lseek
and default_llseek. For cases where we can we can automatically prove that
the file offset is always ignored, we use noop_llseek, which maintains
the current behavior of not returning an error from a seek.
New drivers should normally not use noop_llseek but instead use no_llseek
and call nonseekable_open at open time. Existing drivers can be converted
to do the same when the maintainer knows for certain that no user code
relies on calling seek on the device file.
The generated code is often incorrectly indented and right now contains
comments that clarify for each added line why a specific variant was
chosen. In the version that gets submitted upstream, the comments will
be gone and I will manually fix the indentation, because there does not
seem to be a way to do that using coccinelle.
Some amount of new code is currently sitting in linux-next that should get
the same modifications, which I will do at the end of the merge window.
Many thanks to Julia Lawall for helping me learn to write a semantic
patch that does all this.
===== begin semantic patch =====
// This adds an llseek= method to all file operations,
// as a preparation for making no_llseek the default.
//
// The rules are
// - use no_llseek explicitly if we do nonseekable_open
// - use seq_lseek for sequential files
// - use default_llseek if we know we access f_pos
// - use noop_llseek if we know we don't access f_pos,
// but we still want to allow users to call lseek
//
@ open1 exists @
identifier nested_open;
@@
nested_open(...)
{
<+...
nonseekable_open(...)
...+>
}
@ open exists@
identifier open_f;
identifier i, f;
identifier open1.nested_open;
@@
int open_f(struct inode *i, struct file *f)
{
<+...
(
nonseekable_open(...)
|
nested_open(...)
)
...+>
}
@ read disable optional_qualifier exists @
identifier read_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
expression E;
identifier func;
@@
ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
{
<+...
(
*off = E
|
*off += E
|
func(..., off, ...)
|
E = *off
)
...+>
}
@ read_no_fpos disable optional_qualifier exists @
identifier read_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
@@
ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
{
... when != off
}
@ write @
identifier write_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
expression E;
identifier func;
@@
ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
{
<+...
(
*off = E
|
*off += E
|
func(..., off, ...)
|
E = *off
)
...+>
}
@ write_no_fpos @
identifier write_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
@@
ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
{
... when != off
}
@ fops0 @
identifier fops;
@@
struct file_operations fops = {
...
};
@ has_llseek depends on fops0 @
identifier fops0.fops;
identifier llseek_f;
@@
struct file_operations fops = {
...
.llseek = llseek_f,
...
};
@ has_read depends on fops0 @
identifier fops0.fops;
identifier read_f;
@@
struct file_operations fops = {
...
.read = read_f,
...
};
@ has_write depends on fops0 @
identifier fops0.fops;
identifier write_f;
@@
struct file_operations fops = {
...
.write = write_f,
...
};
@ has_open depends on fops0 @
identifier fops0.fops;
identifier open_f;
@@
struct file_operations fops = {
...
.open = open_f,
...
};
// use no_llseek if we call nonseekable_open
////////////////////////////////////////////
@ nonseekable1 depends on !has_llseek && has_open @
identifier fops0.fops;
identifier nso ~= "nonseekable_open";
@@
struct file_operations fops = {
... .open = nso, ...
+.llseek = no_llseek, /* nonseekable */
};
@ nonseekable2 depends on !has_llseek @
identifier fops0.fops;
identifier open.open_f;
@@
struct file_operations fops = {
... .open = open_f, ...
+.llseek = no_llseek, /* open uses nonseekable */
};
// use seq_lseek for sequential files
/////////////////////////////////////
@ seq depends on !has_llseek @
identifier fops0.fops;
identifier sr ~= "seq_read";
@@
struct file_operations fops = {
... .read = sr, ...
+.llseek = seq_lseek, /* we have seq_read */
};
// use default_llseek if there is a readdir
///////////////////////////////////////////
@ fops1 depends on !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier readdir_e;
@@
// any other fop is used that changes pos
struct file_operations fops = {
... .readdir = readdir_e, ...
+.llseek = default_llseek, /* readdir is present */
};
// use default_llseek if at least one of read/write touches f_pos
/////////////////////////////////////////////////////////////////
@ fops2 depends on !fops1 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read.read_f;
@@
// read fops use offset
struct file_operations fops = {
... .read = read_f, ...
+.llseek = default_llseek, /* read accesses f_pos */
};
@ fops3 depends on !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier write.write_f;
@@
// write fops use offset
struct file_operations fops = {
... .write = write_f, ...
+ .llseek = default_llseek, /* write accesses f_pos */
};
// Use noop_llseek if neither read nor write accesses f_pos
///////////////////////////////////////////////////////////
@ fops4 depends on !fops1 && !fops2 && !fops3 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read_no_fpos.read_f;
identifier write_no_fpos.write_f;
@@
// write fops use offset
struct file_operations fops = {
...
.write = write_f,
.read = read_f,
...
+.llseek = noop_llseek, /* read and write both use no f_pos */
};
@ depends on has_write && !has_read && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier write_no_fpos.write_f;
@@
struct file_operations fops = {
... .write = write_f, ...
+.llseek = noop_llseek, /* write uses no f_pos */
};
@ depends on has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read_no_fpos.read_f;
@@
struct file_operations fops = {
... .read = read_f, ...
+.llseek = noop_llseek, /* read uses no f_pos */
};
@ depends on !has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
@@
struct file_operations fops = {
...
+.llseek = noop_llseek, /* no read or write fn */
};
===== End semantic patch =====
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Cc: Julia Lawall <julia@diku.dk>
Cc: Christoph Hellwig <hch@infradead.org>
2010-08-15 16:52:59 +00:00
|
|
|
.llseek = noop_llseek,
|
2012-06-07 21:21:13 +00:00
|
|
|
.fallocate = shm_fallocate,
|
2005-04-16 22:20:36 +00:00
|
|
|
};
|
|
|
|
|
|
2009-11-30 13:38:43 +00:00
|
|
|
int is_file_shm_hugepages(struct file *file)
|
|
|
|
|
{
|
|
|
|
|
return file->f_op == &shm_file_operations_huge;
|
|
|
|
|
}
|
|
|
|
|
|
2009-09-27 18:29:37 +00:00
|
|
|
static const struct vm_operations_struct shm_vm_ops = {
|
2005-04-16 22:20:36 +00:00
|
|
|
.open = shm_open, /* callback for a new vm-area open */
|
|
|
|
|
.close = shm_close, /* callback for when the vm-area is released */
|
2007-07-19 08:46:59 +00:00
|
|
|
.fault = shm_fault,
|
2007-02-20 21:57:53 +00:00
|
|
|
#if defined(CONFIG_NUMA)
|
|
|
|
|
.set_policy = shm_set_policy,
|
|
|
|
|
.get_policy = shm_get_policy,
|
2005-04-16 22:20:36 +00:00
|
|
|
#endif
|
|
|
|
|
};
|
|
|
|
|
|
2007-10-19 06:40:53 +00:00
|
|
|
/**
|
|
|
|
|
* newseg - Create a new shared memory segment
|
|
|
|
|
* @ns: namespace
|
|
|
|
|
* @params: ptr to the structure that contains key, size and shmflg
|
|
|
|
|
*
|
2013-09-11 21:26:24 +00:00
|
|
|
* Called with shm_ids.rwsem held as a writer.
|
2007-10-19 06:40:53 +00:00
|
|
|
*/
|
|
|
|
|
|
2007-10-19 06:40:49 +00:00
|
|
|
static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2007-10-19 06:40:49 +00:00
|
|
|
key_t key = params->key;
|
|
|
|
|
int shmflg = params->flg;
|
|
|
|
|
size_t size = params->u.size;
|
2005-04-16 22:20:36 +00:00
|
|
|
int error;
|
|
|
|
|
struct shmid_kernel *shp;
|
2013-05-01 02:15:54 +00:00
|
|
|
size_t numpages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT;
|
2005-04-16 22:20:36 +00:00
|
|
|
struct file * file;
|
|
|
|
|
char name[13];
|
|
|
|
|
int id;
|
2011-05-26 10:16:19 +00:00
|
|
|
vm_flags_t acctflag = 0;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2006-10-02 09:18:22 +00:00
|
|
|
if (size < SHMMIN || size > ns->shm_ctlmax)
|
2005-04-16 22:20:36 +00:00
|
|
|
return -EINVAL;
|
|
|
|
|
|
2007-01-23 18:20:04 +00:00
|
|
|
if (ns->shm_tot + numpages > ns->shm_ctlall)
|
2005-04-16 22:20:36 +00:00
|
|
|
return -ENOSPC;
|
|
|
|
|
|
|
|
|
|
shp = ipc_rcu_alloc(sizeof(*shp));
|
|
|
|
|
if (!shp)
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
|
|
shp->shm_perm.key = key;
|
2006-01-08 09:02:21 +00:00
|
|
|
shp->shm_perm.mode = (shmflg & S_IRWXUGO);
|
2005-04-16 22:20:36 +00:00
|
|
|
shp->mlock_user = NULL;
|
|
|
|
|
|
|
|
|
|
shp->shm_perm.security = NULL;
|
|
|
|
|
error = security_shm_alloc(shp);
|
|
|
|
|
if (error) {
|
ipc: fix race with LSMs
commit 53dad6d3a8e5ac1af8bacc6ac2134ae1a8b085f1 upstream.
Currently, IPC mechanisms do security and auditing related checks under
RCU. However, since security modules can free the security structure,
for example, through selinux_[sem,msg_queue,shm]_free_security(), we can
race if the structure is freed before other tasks are done with it,
creating a use-after-free condition. Manfred illustrates this nicely,
for instance with shared mem and selinux:
-> do_shmat calls rcu_read_lock()
-> do_shmat calls shm_object_check().
Checks that the object is still valid - but doesn't acquire any locks.
Then it returns.
-> do_shmat calls security_shm_shmat (e.g. selinux_shm_shmat)
-> selinux_shm_shmat calls ipc_has_perm()
-> ipc_has_perm accesses ipc_perms->security
shm_close()
-> shm_close acquires rw_mutex & shm_lock
-> shm_close calls shm_destroy
-> shm_destroy calls security_shm_free (e.g. selinux_shm_free_security)
-> selinux_shm_free_security calls ipc_free_security(&shp->shm_perm)
-> ipc_free_security calls kfree(ipc_perms->security)
This patch delays the freeing of the security structures after all RCU
readers are done. Furthermore it aligns the security life cycle with
that of the rest of IPC - freeing them based on the reference counter.
For situations where we need not free security, the current behavior is
kept. Linus states:
"... the old behavior was suspect for another reason too: having the
security blob go away from under a user sounds like it could cause
various other problems anyway, so I think the old code was at least
_prone_ to bugs even if it didn't have catastrophic behavior."
I have tested this patch with IPC testcases from LTP on both my
quad-core laptop and on a 64 core NUMA server. In both cases selinux is
enabled, and tests pass for both voluntary and forced preemption models.
While the mentioned races are theoretical (at least no one as reported
them), I wanted to make sure that this new logic doesn't break anything
we weren't aware of.
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Davidlohr Bueso <davidlohr@hp.com>
Acked-by: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mike Galbraith <efault@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-09-24 00:04:45 +00:00
|
|
|
ipc_rcu_putref(shp, ipc_rcu_free);
|
2005-04-16 22:20:36 +00:00
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
2007-06-16 17:16:16 +00:00
|
|
|
sprintf (name, "SYSV%08x", key);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (shmflg & SHM_HUGETLB) {
|
2013-05-07 23:18:13 +00:00
|
|
|
struct hstate *hs = hstate_sizelog((shmflg >> SHM_HUGE_SHIFT)
|
|
|
|
|
& SHM_HUGE_MASK);
|
2013-05-09 07:08:15 +00:00
|
|
|
size_t hugesize;
|
|
|
|
|
|
|
|
|
|
if (!hs) {
|
|
|
|
|
error = -EINVAL;
|
|
|
|
|
goto no_file;
|
|
|
|
|
}
|
|
|
|
|
hugesize = ALIGN(size, huge_page_size(hs));
|
2013-05-07 23:18:13 +00:00
|
|
|
|
2009-02-10 14:02:27 +00:00
|
|
|
/* hugetlb_file_setup applies strict accounting */
|
|
|
|
|
if (shmflg & SHM_NORESERVE)
|
|
|
|
|
acctflag = VM_NORESERVE;
|
2013-05-07 23:18:13 +00:00
|
|
|
file = hugetlb_file_setup(name, hugesize, acctflag,
|
2012-12-12 00:01:34 +00:00
|
|
|
&shp->mlock_user, HUGETLB_SHMFS_INODE,
|
|
|
|
|
(shmflg >> SHM_HUGE_SHIFT) & SHM_HUGE_MASK);
|
2005-04-16 22:20:36 +00:00
|
|
|
} else {
|
2005-11-07 08:59:27 +00:00
|
|
|
/*
|
|
|
|
|
* Do not allow no accounting for OVERCOMMIT_NEVER, even
|
|
|
|
|
* if it's asked for.
|
|
|
|
|
*/
|
|
|
|
|
if ((shmflg & SHM_NORESERVE) &&
|
|
|
|
|
sysctl_overcommit_memory != OVERCOMMIT_NEVER)
|
2009-01-31 23:08:56 +00:00
|
|
|
acctflag = VM_NORESERVE;
|
2005-11-07 08:59:27 +00:00
|
|
|
file = shmem_file_setup(name, size, acctflag);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
error = PTR_ERR(file);
|
|
|
|
|
if (IS_ERR(file))
|
|
|
|
|
goto no_file;
|
|
|
|
|
|
2007-10-19 06:40:14 +00:00
|
|
|
shp->shm_cprid = task_tgid_vnr(current);
|
2005-04-16 22:20:36 +00:00
|
|
|
shp->shm_lprid = 0;
|
|
|
|
|
shp->shm_atim = shp->shm_dtim = 0;
|
|
|
|
|
shp->shm_ctim = get_seconds();
|
|
|
|
|
shp->shm_segsz = size;
|
|
|
|
|
shp->shm_nattch = 0;
|
|
|
|
|
shp->shm_file = file;
|
2011-07-28 23:55:31 +00:00
|
|
|
shp->shm_creator = current;
|
ipc: move rcu lock out of ipc_addid
commit dbfcd91f06f0e2d5564b2fd184e9c2a43675f9ab upstream.
This patchset continues the work that began in the sysv ipc semaphore
scaling series, see
https://lkml.org/lkml/2013/3/20/546
Just like semaphores used to be, sysv shared memory and msg queues also
abuse the ipc lock, unnecessarily holding it for operations such as
permission and security checks.
This patchset mostly deals with mqueues, and while shared mem can be
done in a very similar way, I want to get these patches out in the open
first. It also does some pending cleanups, mostly focused on the two
level locking we have in ipc code, taking care of ipc_addid() and
ipcctl_pre_down_nolock() - yes there are still functions that need to be
updated as well.
This patch:
Make all callers explicitly take and release the RCU read lock.
This addresses the two level locking seen in newary(), newseg() and
newqueue(). For the last two, explicitly unlock the ipc object and the
rcu lock, instead of calling the custom shm_unlock and msg_unlock
functions. The next patch will deal with the open coded locking for
->perm.lock
Signed-off-by: Davidlohr Bueso <davidlohr.bueso@hp.com>
Cc: Andi Kleen <andi@firstfloor.org>
Cc: Rik van Riel <riel@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mike Galbraith <efault@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-07-08 23:01:09 +00:00
|
|
|
|
2015-09-30 16:48:40 +00:00
|
|
|
id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
|
|
|
|
|
if (id < 0) {
|
|
|
|
|
error = id;
|
|
|
|
|
goto no_id;
|
|
|
|
|
}
|
|
|
|
|
|
2007-06-16 17:15:59 +00:00
|
|
|
/*
|
|
|
|
|
* shmid gets reported as "inode#" in /proc/pid/maps.
|
|
|
|
|
* proc-ps tools use this. Changing this will break them.
|
|
|
|
|
*/
|
2013-01-23 22:07:38 +00:00
|
|
|
file_inode(file)->i_ino = shp->shm_perm.id;
|
2005-10-30 01:16:45 +00:00
|
|
|
|
2006-10-02 09:18:22 +00:00
|
|
|
ns->shm_tot += numpages;
|
2007-10-19 06:40:48 +00:00
|
|
|
error = shp->shm_perm.id;
|
ipc: move rcu lock out of ipc_addid
commit dbfcd91f06f0e2d5564b2fd184e9c2a43675f9ab upstream.
This patchset continues the work that began in the sysv ipc semaphore
scaling series, see
https://lkml.org/lkml/2013/3/20/546
Just like semaphores used to be, sysv shared memory and msg queues also
abuse the ipc lock, unnecessarily holding it for operations such as
permission and security checks.
This patchset mostly deals with mqueues, and while shared mem can be
done in a very similar way, I want to get these patches out in the open
first. It also does some pending cleanups, mostly focused on the two
level locking we have in ipc code, taking care of ipc_addid() and
ipcctl_pre_down_nolock() - yes there are still functions that need to be
updated as well.
This patch:
Make all callers explicitly take and release the RCU read lock.
This addresses the two level locking seen in newary(), newseg() and
newqueue(). For the last two, explicitly unlock the ipc object and the
rcu lock, instead of calling the custom shm_unlock and msg_unlock
functions. The next patch will deal with the open coded locking for
->perm.lock
Signed-off-by: Davidlohr Bueso <davidlohr.bueso@hp.com>
Cc: Andi Kleen <andi@firstfloor.org>
Cc: Rik van Riel <riel@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mike Galbraith <efault@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-07-08 23:01:09 +00:00
|
|
|
|
2013-07-08 23:01:11 +00:00
|
|
|
ipc_unlock_object(&shp->shm_perm);
|
ipc: move rcu lock out of ipc_addid
commit dbfcd91f06f0e2d5564b2fd184e9c2a43675f9ab upstream.
This patchset continues the work that began in the sysv ipc semaphore
scaling series, see
https://lkml.org/lkml/2013/3/20/546
Just like semaphores used to be, sysv shared memory and msg queues also
abuse the ipc lock, unnecessarily holding it for operations such as
permission and security checks.
This patchset mostly deals with mqueues, and while shared mem can be
done in a very similar way, I want to get these patches out in the open
first. It also does some pending cleanups, mostly focused on the two
level locking we have in ipc code, taking care of ipc_addid() and
ipcctl_pre_down_nolock() - yes there are still functions that need to be
updated as well.
This patch:
Make all callers explicitly take and release the RCU read lock.
This addresses the two level locking seen in newary(), newseg() and
newqueue(). For the last two, explicitly unlock the ipc object and the
rcu lock, instead of calling the custom shm_unlock and msg_unlock
functions. The next patch will deal with the open coded locking for
->perm.lock
Signed-off-by: Davidlohr Bueso <davidlohr.bueso@hp.com>
Cc: Andi Kleen <andi@firstfloor.org>
Cc: Rik van Riel <riel@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mike Galbraith <efault@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-07-08 23:01:09 +00:00
|
|
|
rcu_read_unlock();
|
2007-10-19 06:40:48 +00:00
|
|
|
return error;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
no_id:
|
2009-09-12 11:21:27 +00:00
|
|
|
if (is_file_hugepages(file) && shp->mlock_user)
|
2009-08-24 15:30:28 +00:00
|
|
|
user_shm_unlock(size, shp->mlock_user);
|
2005-04-16 22:20:36 +00:00
|
|
|
fput(file);
|
|
|
|
|
no_file:
|
ipc: fix race with LSMs
commit 53dad6d3a8e5ac1af8bacc6ac2134ae1a8b085f1 upstream.
Currently, IPC mechanisms do security and auditing related checks under
RCU. However, since security modules can free the security structure,
for example, through selinux_[sem,msg_queue,shm]_free_security(), we can
race if the structure is freed before other tasks are done with it,
creating a use-after-free condition. Manfred illustrates this nicely,
for instance with shared mem and selinux:
-> do_shmat calls rcu_read_lock()
-> do_shmat calls shm_object_check().
Checks that the object is still valid - but doesn't acquire any locks.
Then it returns.
-> do_shmat calls security_shm_shmat (e.g. selinux_shm_shmat)
-> selinux_shm_shmat calls ipc_has_perm()
-> ipc_has_perm accesses ipc_perms->security
shm_close()
-> shm_close acquires rw_mutex & shm_lock
-> shm_close calls shm_destroy
-> shm_destroy calls security_shm_free (e.g. selinux_shm_free_security)
-> selinux_shm_free_security calls ipc_free_security(&shp->shm_perm)
-> ipc_free_security calls kfree(ipc_perms->security)
This patch delays the freeing of the security structures after all RCU
readers are done. Furthermore it aligns the security life cycle with
that of the rest of IPC - freeing them based on the reference counter.
For situations where we need not free security, the current behavior is
kept. Linus states:
"... the old behavior was suspect for another reason too: having the
security blob go away from under a user sounds like it could cause
various other problems anyway, so I think the old code was at least
_prone_ to bugs even if it didn't have catastrophic behavior."
I have tested this patch with IPC testcases from LTP on both my
quad-core laptop and on a 64 core NUMA server. In both cases selinux is
enabled, and tests pass for both voluntary and forced preemption models.
While the mentioned races are theoretical (at least no one as reported
them), I wanted to make sure that this new logic doesn't break anything
we weren't aware of.
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Davidlohr Bueso <davidlohr@hp.com>
Acked-by: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mike Galbraith <efault@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-09-24 00:04:45 +00:00
|
|
|
ipc_rcu_putref(shp, shm_rcu_free);
|
2005-04-16 22:20:36 +00:00
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
2007-10-19 06:40:53 +00:00
|
|
|
/*
|
2013-09-11 21:26:24 +00:00
|
|
|
* Called with shm_ids.rwsem and ipcp locked.
|
2007-10-19 06:40:53 +00:00
|
|
|
*/
|
2007-10-19 06:40:51 +00:00
|
|
|
static inline int shm_security(struct kern_ipc_perm *ipcp, int shmflg)
|
2007-10-19 06:40:49 +00:00
|
|
|
{
|
2007-10-19 06:40:51 +00:00
|
|
|
struct shmid_kernel *shp;
|
|
|
|
|
|
|
|
|
|
shp = container_of(ipcp, struct shmid_kernel, shm_perm);
|
|
|
|
|
return security_shm_associate(shp, shmflg);
|
2007-10-19 06:40:49 +00:00
|
|
|
}
|
|
|
|
|
|
2007-10-19 06:40:53 +00:00
|
|
|
/*
|
2013-09-11 21:26:24 +00:00
|
|
|
* Called with shm_ids.rwsem and ipcp locked.
|
2007-10-19 06:40:53 +00:00
|
|
|
*/
|
2007-10-19 06:40:51 +00:00
|
|
|
static inline int shm_more_checks(struct kern_ipc_perm *ipcp,
|
|
|
|
|
struct ipc_params *params)
|
2007-10-19 06:40:49 +00:00
|
|
|
{
|
2007-10-19 06:40:51 +00:00
|
|
|
struct shmid_kernel *shp;
|
|
|
|
|
|
|
|
|
|
shp = container_of(ipcp, struct shmid_kernel, shm_perm);
|
|
|
|
|
if (shp->shm_segsz < params->u.size)
|
2007-10-19 06:40:49 +00:00
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2009-01-14 13:14:27 +00:00
|
|
|
SYSCALL_DEFINE3(shmget, key_t, key, size_t, size, int, shmflg)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2006-10-02 09:18:22 +00:00
|
|
|
struct ipc_namespace *ns;
|
2007-10-19 06:40:49 +00:00
|
|
|
struct ipc_ops shm_ops;
|
|
|
|
|
struct ipc_params shm_params;
|
2006-10-02 09:18:22 +00:00
|
|
|
|
|
|
|
|
ns = current->nsproxy->ipc_ns;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2007-10-19 06:40:49 +00:00
|
|
|
shm_ops.getnew = newseg;
|
|
|
|
|
shm_ops.associate = shm_security;
|
|
|
|
|
shm_ops.more_checks = shm_more_checks;
|
2007-10-19 06:40:48 +00:00
|
|
|
|
2007-10-19 06:40:49 +00:00
|
|
|
shm_params.key = key;
|
|
|
|
|
shm_params.flg = shmflg;
|
|
|
|
|
shm_params.u.size = size;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2007-10-19 06:40:49 +00:00
|
|
|
return ipcget(ns, &shm_ids(ns), &shm_ops, &shm_params);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline unsigned long copy_shmid_to_user(void __user *buf, struct shmid64_ds *in, int version)
|
|
|
|
|
{
|
|
|
|
|
switch(version) {
|
|
|
|
|
case IPC_64:
|
|
|
|
|
return copy_to_user(buf, in, sizeof(*in));
|
|
|
|
|
case IPC_OLD:
|
|
|
|
|
{
|
|
|
|
|
struct shmid_ds out;
|
|
|
|
|
|
2010-10-30 14:22:49 +00:00
|
|
|
memset(&out, 0, sizeof(out));
|
2005-04-16 22:20:36 +00:00
|
|
|
ipc64_perm_to_ipc_perm(&in->shm_perm, &out.shm_perm);
|
|
|
|
|
out.shm_segsz = in->shm_segsz;
|
|
|
|
|
out.shm_atime = in->shm_atime;
|
|
|
|
|
out.shm_dtime = in->shm_dtime;
|
|
|
|
|
out.shm_ctime = in->shm_ctime;
|
|
|
|
|
out.shm_cpid = in->shm_cpid;
|
|
|
|
|
out.shm_lpid = in->shm_lpid;
|
|
|
|
|
out.shm_nattch = in->shm_nattch;
|
|
|
|
|
|
|
|
|
|
return copy_to_user(buf, &out, sizeof(out));
|
|
|
|
|
}
|
|
|
|
|
default:
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2008-04-29 08:00:50 +00:00
|
|
|
static inline unsigned long
|
|
|
|
|
copy_shmid_from_user(struct shmid64_ds *out, void __user *buf, int version)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
|
switch(version) {
|
|
|
|
|
case IPC_64:
|
2008-04-29 08:00:50 +00:00
|
|
|
if (copy_from_user(out, buf, sizeof(*out)))
|
2005-04-16 22:20:36 +00:00
|
|
|
return -EFAULT;
|
|
|
|
|
return 0;
|
|
|
|
|
case IPC_OLD:
|
|
|
|
|
{
|
|
|
|
|
struct shmid_ds tbuf_old;
|
|
|
|
|
|
|
|
|
|
if (copy_from_user(&tbuf_old, buf, sizeof(tbuf_old)))
|
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
2008-04-29 08:00:50 +00:00
|
|
|
out->shm_perm.uid = tbuf_old.shm_perm.uid;
|
|
|
|
|
out->shm_perm.gid = tbuf_old.shm_perm.gid;
|
|
|
|
|
out->shm_perm.mode = tbuf_old.shm_perm.mode;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
default:
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline unsigned long copy_shminfo_to_user(void __user *buf, struct shminfo64 *in, int version)
|
|
|
|
|
{
|
|
|
|
|
switch(version) {
|
|
|
|
|
case IPC_64:
|
|
|
|
|
return copy_to_user(buf, in, sizeof(*in));
|
|
|
|
|
case IPC_OLD:
|
|
|
|
|
{
|
|
|
|
|
struct shminfo out;
|
|
|
|
|
|
|
|
|
|
if(in->shmmax > INT_MAX)
|
|
|
|
|
out.shmmax = INT_MAX;
|
|
|
|
|
else
|
|
|
|
|
out.shmmax = (int)in->shmmax;
|
|
|
|
|
|
|
|
|
|
out.shmmin = in->shmmin;
|
|
|
|
|
out.shmmni = in->shmmni;
|
|
|
|
|
out.shmseg = in->shmseg;
|
|
|
|
|
out.shmall = in->shmall;
|
|
|
|
|
|
|
|
|
|
return copy_to_user(buf, &out, sizeof(out));
|
|
|
|
|
}
|
|
|
|
|
default:
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2010-10-27 22:34:16 +00:00
|
|
|
/*
|
|
|
|
|
* Calculate and add used RSS and swap pages of a shm.
|
2013-09-11 21:26:24 +00:00
|
|
|
* Called with shm_ids.rwsem held as a reader
|
2010-10-27 22:34:16 +00:00
|
|
|
*/
|
|
|
|
|
static void shm_add_rss_swap(struct shmid_kernel *shp,
|
|
|
|
|
unsigned long *rss_add, unsigned long *swp_add)
|
|
|
|
|
{
|
|
|
|
|
struct inode *inode;
|
|
|
|
|
|
2013-01-23 22:07:38 +00:00
|
|
|
inode = file_inode(shp->shm_file);
|
2010-10-27 22:34:16 +00:00
|
|
|
|
|
|
|
|
if (is_file_hugepages(shp->shm_file)) {
|
|
|
|
|
struct address_space *mapping = inode->i_mapping;
|
|
|
|
|
struct hstate *h = hstate_file(shp->shm_file);
|
|
|
|
|
*rss_add += pages_per_huge_page(h) * mapping->nrpages;
|
|
|
|
|
} else {
|
|
|
|
|
#ifdef CONFIG_SHMEM
|
|
|
|
|
struct shmem_inode_info *info = SHMEM_I(inode);
|
|
|
|
|
spin_lock(&info->lock);
|
|
|
|
|
*rss_add += inode->i_mapping->nrpages;
|
|
|
|
|
*swp_add += info->swapped;
|
|
|
|
|
spin_unlock(&info->lock);
|
|
|
|
|
#else
|
|
|
|
|
*rss_add += inode->i_mapping->nrpages;
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2007-10-19 06:40:53 +00:00
|
|
|
/*
|
2013-09-11 21:26:24 +00:00
|
|
|
* Called with shm_ids.rwsem held as a reader
|
2007-10-19 06:40:53 +00:00
|
|
|
*/
|
2006-10-02 09:18:22 +00:00
|
|
|
static void shm_get_stat(struct ipc_namespace *ns, unsigned long *rss,
|
|
|
|
|
unsigned long *swp)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2007-10-19 06:40:48 +00:00
|
|
|
int next_id;
|
|
|
|
|
int total, in_use;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
*rss = 0;
|
|
|
|
|
*swp = 0;
|
|
|
|
|
|
2007-10-19 06:40:48 +00:00
|
|
|
in_use = shm_ids(ns).in_use;
|
|
|
|
|
|
|
|
|
|
for (total = 0, next_id = 0; total < in_use; next_id++) {
|
2009-04-02 23:58:26 +00:00
|
|
|
struct kern_ipc_perm *ipc;
|
2005-04-16 22:20:36 +00:00
|
|
|
struct shmid_kernel *shp;
|
|
|
|
|
|
2009-04-02 23:58:26 +00:00
|
|
|
ipc = idr_find(&shm_ids(ns).ipcs_idr, next_id);
|
|
|
|
|
if (ipc == NULL)
|
2005-04-16 22:20:36 +00:00
|
|
|
continue;
|
2009-04-02 23:58:26 +00:00
|
|
|
shp = container_of(ipc, struct shmid_kernel, shm_perm);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2010-10-27 22:34:16 +00:00
|
|
|
shm_add_rss_swap(shp, rss, swp);
|
2007-10-19 06:40:48 +00:00
|
|
|
|
|
|
|
|
total++;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2008-04-29 08:00:47 +00:00
|
|
|
/*
|
2013-09-11 21:26:24 +00:00
|
|
|
* This function handles some shmctl commands which require the rwsem
|
2008-04-29 08:00:47 +00:00
|
|
|
* to be held in write mode.
|
2013-09-11 21:26:24 +00:00
|
|
|
* NOTE: no locks must be held, the rwsem is taken inside this function.
|
2008-04-29 08:00:47 +00:00
|
|
|
*/
|
|
|
|
|
static int shmctl_down(struct ipc_namespace *ns, int shmid, int cmd,
|
|
|
|
|
struct shmid_ds __user *buf, int version)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2008-04-29 08:00:47 +00:00
|
|
|
struct kern_ipc_perm *ipcp;
|
2008-04-29 08:00:50 +00:00
|
|
|
struct shmid64_ds shmid64;
|
2008-04-29 08:00:47 +00:00
|
|
|
struct shmid_kernel *shp;
|
|
|
|
|
int err;
|
|
|
|
|
|
|
|
|
|
if (cmd == IPC_SET) {
|
2008-04-29 08:00:50 +00:00
|
|
|
if (copy_shmid_from_user(&shmid64, buf, version))
|
2008-04-29 08:00:47 +00:00
|
|
|
return -EFAULT;
|
|
|
|
|
}
|
|
|
|
|
|
2013-09-11 21:26:24 +00:00
|
|
|
down_write(&shm_ids(ns).rwsem);
|
2013-07-08 23:01:12 +00:00
|
|
|
rcu_read_lock();
|
|
|
|
|
|
2013-09-11 21:26:16 +00:00
|
|
|
ipcp = ipcctl_pre_down_nolock(ns, &shm_ids(ns), shmid, cmd,
|
|
|
|
|
&shmid64.shm_perm, 0);
|
2013-07-08 23:01:12 +00:00
|
|
|
if (IS_ERR(ipcp)) {
|
|
|
|
|
err = PTR_ERR(ipcp);
|
|
|
|
|
goto out_unlock1;
|
|
|
|
|
}
|
2008-04-29 08:00:47 +00:00
|
|
|
|
2008-04-29 08:00:54 +00:00
|
|
|
shp = container_of(ipcp, struct shmid_kernel, shm_perm);
|
2008-04-29 08:00:47 +00:00
|
|
|
|
|
|
|
|
err = security_shm_shmctl(shp, cmd);
|
|
|
|
|
if (err)
|
2013-09-11 21:26:16 +00:00
|
|
|
goto out_unlock1;
|
2013-07-08 23:01:12 +00:00
|
|
|
|
2008-04-29 08:00:47 +00:00
|
|
|
switch (cmd) {
|
|
|
|
|
case IPC_RMID:
|
2013-09-11 21:26:16 +00:00
|
|
|
ipc_lock_object(&shp->shm_perm);
|
2013-07-08 23:01:12 +00:00
|
|
|
/* do_shm_rmid unlocks the ipc object and rcu */
|
2008-04-29 08:00:47 +00:00
|
|
|
do_shm_rmid(ns, ipcp);
|
|
|
|
|
goto out_up;
|
|
|
|
|
case IPC_SET:
|
2013-09-11 21:26:16 +00:00
|
|
|
ipc_lock_object(&shp->shm_perm);
|
2012-02-08 00:54:11 +00:00
|
|
|
err = ipc_update_perm(&shmid64.shm_perm, ipcp);
|
|
|
|
|
if (err)
|
2013-07-08 23:01:12 +00:00
|
|
|
goto out_unlock0;
|
2008-04-29 08:00:47 +00:00
|
|
|
shp->shm_ctim = get_seconds();
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
err = -EINVAL;
|
2013-09-11 21:26:16 +00:00
|
|
|
goto out_unlock1;
|
2008-04-29 08:00:47 +00:00
|
|
|
}
|
2013-07-08 23:01:12 +00:00
|
|
|
|
|
|
|
|
out_unlock0:
|
|
|
|
|
ipc_unlock_object(&shp->shm_perm);
|
|
|
|
|
out_unlock1:
|
|
|
|
|
rcu_read_unlock();
|
2008-04-29 08:00:47 +00:00
|
|
|
out_up:
|
2013-09-11 21:26:24 +00:00
|
|
|
up_write(&shm_ids(ns).rwsem);
|
2008-04-29 08:00:47 +00:00
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
2013-09-11 21:26:18 +00:00
|
|
|
static int shmctl_nolock(struct ipc_namespace *ns, int shmid,
|
|
|
|
|
int cmd, int version, void __user *buf)
|
2008-04-29 08:00:47 +00:00
|
|
|
{
|
2013-09-11 21:26:18 +00:00
|
|
|
int err;
|
2005-04-16 22:20:36 +00:00
|
|
|
struct shmid_kernel *shp;
|
|
|
|
|
|
2013-09-11 21:26:18 +00:00
|
|
|
/* preliminary security checks for *_INFO */
|
|
|
|
|
if (cmd == IPC_INFO || cmd == SHM_INFO) {
|
|
|
|
|
err = security_shm_shmctl(NULL, cmd);
|
|
|
|
|
if (err)
|
|
|
|
|
return err;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
2013-09-11 21:26:18 +00:00
|
|
|
switch (cmd) {
|
2005-04-16 22:20:36 +00:00
|
|
|
case IPC_INFO:
|
|
|
|
|
{
|
|
|
|
|
struct shminfo64 shminfo;
|
|
|
|
|
|
2009-01-06 22:42:49 +00:00
|
|
|
memset(&shminfo, 0, sizeof(shminfo));
|
2006-10-02 09:18:22 +00:00
|
|
|
shminfo.shmmni = shminfo.shmseg = ns->shm_ctlmni;
|
|
|
|
|
shminfo.shmmax = ns->shm_ctlmax;
|
|
|
|
|
shminfo.shmall = ns->shm_ctlall;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
shminfo.shmmin = SHMMIN;
|
|
|
|
|
if(copy_shminfo_to_user (buf, &shminfo, version))
|
|
|
|
|
return -EFAULT;
|
2007-10-19 06:40:53 +00:00
|
|
|
|
2013-09-11 21:26:24 +00:00
|
|
|
down_read(&shm_ids(ns).rwsem);
|
2007-10-19 06:40:48 +00:00
|
|
|
err = ipc_get_maxid(&shm_ids(ns));
|
2013-09-11 21:26:24 +00:00
|
|
|
up_read(&shm_ids(ns).rwsem);
|
2007-10-19 06:40:53 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
if(err<0)
|
|
|
|
|
err = 0;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
case SHM_INFO:
|
|
|
|
|
{
|
|
|
|
|
struct shm_info shm_info;
|
|
|
|
|
|
2009-01-06 22:42:49 +00:00
|
|
|
memset(&shm_info, 0, sizeof(shm_info));
|
2013-09-11 21:26:24 +00:00
|
|
|
down_read(&shm_ids(ns).rwsem);
|
2006-10-02 09:18:22 +00:00
|
|
|
shm_info.used_ids = shm_ids(ns).in_use;
|
|
|
|
|
shm_get_stat (ns, &shm_info.shm_rss, &shm_info.shm_swp);
|
|
|
|
|
shm_info.shm_tot = ns->shm_tot;
|
2005-04-16 22:20:36 +00:00
|
|
|
shm_info.swap_attempts = 0;
|
|
|
|
|
shm_info.swap_successes = 0;
|
2007-10-19 06:40:48 +00:00
|
|
|
err = ipc_get_maxid(&shm_ids(ns));
|
2013-09-11 21:26:24 +00:00
|
|
|
up_read(&shm_ids(ns).rwsem);
|
2009-01-06 22:42:49 +00:00
|
|
|
if (copy_to_user(buf, &shm_info, sizeof(shm_info))) {
|
2005-04-16 22:20:36 +00:00
|
|
|
err = -EFAULT;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
err = err < 0 ? 0 : err;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
case SHM_STAT:
|
|
|
|
|
case IPC_STAT:
|
|
|
|
|
{
|
|
|
|
|
struct shmid64_ds tbuf;
|
|
|
|
|
int result;
|
2007-10-19 06:40:51 +00:00
|
|
|
|
2013-09-11 21:26:20 +00:00
|
|
|
rcu_read_lock();
|
2007-10-19 06:40:51 +00:00
|
|
|
if (cmd == SHM_STAT) {
|
2013-09-11 21:26:20 +00:00
|
|
|
shp = shm_obtain_object(ns, shmid);
|
2007-10-19 06:40:51 +00:00
|
|
|
if (IS_ERR(shp)) {
|
|
|
|
|
err = PTR_ERR(shp);
|
2013-09-11 21:26:20 +00:00
|
|
|
goto out_unlock;
|
2007-10-19 06:40:51 +00:00
|
|
|
}
|
2007-10-19 06:40:48 +00:00
|
|
|
result = shp->shm_perm.id;
|
2005-04-16 22:20:36 +00:00
|
|
|
} else {
|
2013-09-11 21:26:20 +00:00
|
|
|
shp = shm_obtain_object_check(ns, shmid);
|
2007-10-19 06:40:51 +00:00
|
|
|
if (IS_ERR(shp)) {
|
|
|
|
|
err = PTR_ERR(shp);
|
2013-09-11 21:26:20 +00:00
|
|
|
goto out_unlock;
|
2007-10-19 06:40:51 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
result = 0;
|
|
|
|
|
}
|
2013-09-11 21:26:20 +00:00
|
|
|
|
2009-01-06 22:42:49 +00:00
|
|
|
err = -EACCES;
|
2011-03-23 23:43:24 +00:00
|
|
|
if (ipcperms(ns, &shp->shm_perm, S_IRUGO))
|
2005-04-16 22:20:36 +00:00
|
|
|
goto out_unlock;
|
2013-09-11 21:26:20 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
err = security_shm_shmctl(shp, cmd);
|
|
|
|
|
if (err)
|
|
|
|
|
goto out_unlock;
|
2013-09-11 21:26:20 +00:00
|
|
|
|
2007-10-19 06:40:51 +00:00
|
|
|
memset(&tbuf, 0, sizeof(tbuf));
|
2005-04-16 22:20:36 +00:00
|
|
|
kernel_to_ipc64_perm(&shp->shm_perm, &tbuf.shm_perm);
|
|
|
|
|
tbuf.shm_segsz = shp->shm_segsz;
|
|
|
|
|
tbuf.shm_atime = shp->shm_atim;
|
|
|
|
|
tbuf.shm_dtime = shp->shm_dtim;
|
|
|
|
|
tbuf.shm_ctime = shp->shm_ctim;
|
|
|
|
|
tbuf.shm_cpid = shp->shm_cprid;
|
|
|
|
|
tbuf.shm_lpid = shp->shm_lprid;
|
2007-02-20 21:57:53 +00:00
|
|
|
tbuf.shm_nattch = shp->shm_nattch;
|
2013-09-11 21:26:20 +00:00
|
|
|
rcu_read_unlock();
|
|
|
|
|
|
|
|
|
|
if (copy_shmid_to_user(buf, &tbuf, version))
|
2005-04-16 22:20:36 +00:00
|
|
|
err = -EFAULT;
|
|
|
|
|
else
|
|
|
|
|
err = result;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
2013-09-11 21:26:18 +00:00
|
|
|
default:
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
out_unlock:
|
2013-09-11 21:26:20 +00:00
|
|
|
rcu_read_unlock();
|
2013-09-11 21:26:18 +00:00
|
|
|
out:
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf)
|
|
|
|
|
{
|
|
|
|
|
struct shmid_kernel *shp;
|
|
|
|
|
int err, version;
|
|
|
|
|
struct ipc_namespace *ns;
|
|
|
|
|
|
2013-09-11 21:26:21 +00:00
|
|
|
if (cmd < 0 || shmid < 0)
|
|
|
|
|
return -EINVAL;
|
2013-09-11 21:26:18 +00:00
|
|
|
|
|
|
|
|
version = ipc_parse_version(&cmd);
|
|
|
|
|
ns = current->nsproxy->ipc_ns;
|
|
|
|
|
|
|
|
|
|
switch (cmd) {
|
|
|
|
|
case IPC_INFO:
|
|
|
|
|
case SHM_INFO:
|
|
|
|
|
case SHM_STAT:
|
|
|
|
|
case IPC_STAT:
|
|
|
|
|
return shmctl_nolock(ns, shmid, cmd, version, buf);
|
2013-09-11 21:26:21 +00:00
|
|
|
case IPC_RMID:
|
|
|
|
|
case IPC_SET:
|
|
|
|
|
return shmctl_down(ns, shmid, cmd, buf, version);
|
2005-04-16 22:20:36 +00:00
|
|
|
case SHM_LOCK:
|
|
|
|
|
case SHM_UNLOCK:
|
|
|
|
|
{
|
SHM_UNLOCK: fix long unpreemptible section
scan_mapping_unevictable_pages() is used to make SysV SHM_LOCKed pages
evictable again once the shared memory is unlocked. It does this with
pagevec_lookup()s across the whole object (which might occupy most of
memory), and takes 300ms to unlock 7GB here. A cond_resched() every
PAGEVEC_SIZE pages would be good.
However, KOSAKI-san points out that this is called under shmem.c's
info->lock, and it's also under shm.c's shm_lock(), both spinlocks.
There is no strong reason for that: we need to take these pages off the
unevictable list soonish, but those locks are not required for it.
So move the call to scan_mapping_unevictable_pages() from shmem.c's
unlock handling up to shm.c's unlock handling. Remove the recently
added barrier, not needed now we have spin_unlock() before the scan.
Use get_file(), with subsequent fput(), to make sure we have a reference
to mapping throughout scan_mapping_unevictable_pages(): that's something
that was previously guaranteed by the shm_lock().
Remove shmctl's lru_add_drain_all(): we don't fault in pages at SHM_LOCK
time, and we lazily discover them to be Unevictable later, so it serves
no purpose for SHM_LOCK; and serves no purpose for SHM_UNLOCK, since
pages still on pagevec are not marked Unevictable.
The original code avoided redundant rescans by checking VM_LOCKED flag
at its level: now avoid them by checking shp's SHM_LOCKED.
The original code called scan_mapping_unevictable_pages() on a locked
area at shm_destroy() time: perhaps we once had accounting cross-checks
which required that, but not now, so skip the overhead and just let
inode eviction deal with them.
Put check_move_unevictable_page() and scan_mapping_unevictable_pages()
under CONFIG_SHMEM (with stub for the TINY case when ramfs is used),
more as comment than to save space; comment them used for SHM_UNLOCK.
Signed-off-by: Hugh Dickins <hughd@google.com>
Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Minchan Kim <minchan.kim@gmail.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Shaohua Li <shaohua.li@intel.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michel Lespinasse <walken@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-01-20 22:34:19 +00:00
|
|
|
struct file *shm_file;
|
2008-10-19 03:26:43 +00:00
|
|
|
|
2013-09-11 21:26:21 +00:00
|
|
|
rcu_read_lock();
|
|
|
|
|
shp = shm_obtain_object_check(ns, shmid);
|
2007-10-19 06:40:51 +00:00
|
|
|
if (IS_ERR(shp)) {
|
|
|
|
|
err = PTR_ERR(shp);
|
2013-09-11 21:26:21 +00:00
|
|
|
goto out_unlock1;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
2008-12-10 08:40:06 +00:00
|
|
|
audit_ipc_obj(&(shp->shm_perm));
|
2013-09-11 21:26:21 +00:00
|
|
|
err = security_shm_shmctl(shp, cmd);
|
|
|
|
|
if (err)
|
|
|
|
|
goto out_unlock1;
|
2006-04-02 21:07:33 +00:00
|
|
|
|
2013-09-11 21:26:21 +00:00
|
|
|
ipc_lock_object(&shp->shm_perm);
|
2011-03-23 23:43:24 +00:00
|
|
|
if (!ns_capable(ns->user_ns, CAP_IPC_LOCK)) {
|
2012-02-08 00:54:11 +00:00
|
|
|
kuid_t euid = current_euid();
|
|
|
|
|
if (!uid_eq(euid, shp->shm_perm.uid) &&
|
ipc,shm: correct error return value in shmctl (SHM_UNLOCK)
commit 3a72660b07d86d60457ca32080b1ce8c2b628ee2 upstream.
Commit 2caacaa82a51 ("ipc,shm: shorten critical region for shmctl")
restructured the ipc shm to shorten critical region, but introduced a
path where the return value could be -EPERM, even if the operation
actually was performed.
Before the commit, the err return value was reset by the return value
from security_shm_shmctl() after the if (!ns_capable(...)) statement.
Now, we still exit the if statement with err set to -EPERM, and in the
case of SHM_UNLOCK, it is not reset at all, and used as the return value
from shmctl.
To fix this, we only set err when errors occur, leaving the fallthrough
case alone.
Signed-off-by: Jesper Nilsson <jesper.nilsson@axis.com>
Cc: Davidlohr Bueso <davidlohr@hp.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Michel Lespinasse <walken@google.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-11-21 22:32:08 +00:00
|
|
|
!uid_eq(euid, shp->shm_perm.cuid)) {
|
|
|
|
|
err = -EPERM;
|
2013-09-11 21:26:21 +00:00
|
|
|
goto out_unlock0;
|
ipc,shm: correct error return value in shmctl (SHM_UNLOCK)
commit 3a72660b07d86d60457ca32080b1ce8c2b628ee2 upstream.
Commit 2caacaa82a51 ("ipc,shm: shorten critical region for shmctl")
restructured the ipc shm to shorten critical region, but introduced a
path where the return value could be -EPERM, even if the operation
actually was performed.
Before the commit, the err return value was reset by the return value
from security_shm_shmctl() after the if (!ns_capable(...)) statement.
Now, we still exit the if statement with err set to -EPERM, and in the
case of SHM_UNLOCK, it is not reset at all, and used as the return value
from shmctl.
To fix this, we only set err when errors occur, leaving the fallthrough
case alone.
Signed-off-by: Jesper Nilsson <jesper.nilsson@axis.com>
Cc: Davidlohr Bueso <davidlohr@hp.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Michel Lespinasse <walken@google.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-11-21 22:32:08 +00:00
|
|
|
}
|
|
|
|
|
if (cmd == SHM_LOCK && !rlimit(RLIMIT_MEMLOCK)) {
|
|
|
|
|
err = -EPERM;
|
2013-09-11 21:26:21 +00:00
|
|
|
goto out_unlock0;
|
ipc,shm: correct error return value in shmctl (SHM_UNLOCK)
commit 3a72660b07d86d60457ca32080b1ce8c2b628ee2 upstream.
Commit 2caacaa82a51 ("ipc,shm: shorten critical region for shmctl")
restructured the ipc shm to shorten critical region, but introduced a
path where the return value could be -EPERM, even if the operation
actually was performed.
Before the commit, the err return value was reset by the return value
from security_shm_shmctl() after the if (!ns_capable(...)) statement.
Now, we still exit the if statement with err set to -EPERM, and in the
case of SHM_UNLOCK, it is not reset at all, and used as the return value
from shmctl.
To fix this, we only set err when errors occur, leaving the fallthrough
case alone.
Signed-off-by: Jesper Nilsson <jesper.nilsson@axis.com>
Cc: Davidlohr Bueso <davidlohr@hp.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Michel Lespinasse <walken@google.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-11-21 22:32:08 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
SHM_UNLOCK: fix long unpreemptible section
scan_mapping_unevictable_pages() is used to make SysV SHM_LOCKed pages
evictable again once the shared memory is unlocked. It does this with
pagevec_lookup()s across the whole object (which might occupy most of
memory), and takes 300ms to unlock 7GB here. A cond_resched() every
PAGEVEC_SIZE pages would be good.
However, KOSAKI-san points out that this is called under shmem.c's
info->lock, and it's also under shm.c's shm_lock(), both spinlocks.
There is no strong reason for that: we need to take these pages off the
unevictable list soonish, but those locks are not required for it.
So move the call to scan_mapping_unevictable_pages() from shmem.c's
unlock handling up to shm.c's unlock handling. Remove the recently
added barrier, not needed now we have spin_unlock() before the scan.
Use get_file(), with subsequent fput(), to make sure we have a reference
to mapping throughout scan_mapping_unevictable_pages(): that's something
that was previously guaranteed by the shm_lock().
Remove shmctl's lru_add_drain_all(): we don't fault in pages at SHM_LOCK
time, and we lazily discover them to be Unevictable later, so it serves
no purpose for SHM_LOCK; and serves no purpose for SHM_UNLOCK, since
pages still on pagevec are not marked Unevictable.
The original code avoided redundant rescans by checking VM_LOCKED flag
at its level: now avoid them by checking shp's SHM_LOCKED.
The original code called scan_mapping_unevictable_pages() on a locked
area at shm_destroy() time: perhaps we once had accounting cross-checks
which required that, but not now, so skip the overhead and just let
inode eviction deal with them.
Put check_move_unevictable_page() and scan_mapping_unevictable_pages()
under CONFIG_SHMEM (with stub for the TINY case when ramfs is used),
more as comment than to save space; comment them used for SHM_UNLOCK.
Signed-off-by: Hugh Dickins <hughd@google.com>
Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Minchan Kim <minchan.kim@gmail.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Shaohua Li <shaohua.li@intel.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michel Lespinasse <walken@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-01-20 22:34:19 +00:00
|
|
|
shm_file = shp->shm_file;
|
2013-11-21 22:32:00 +00:00
|
|
|
|
|
|
|
|
/* check if shm_destroy() is tearing down shp */
|
|
|
|
|
if (shm_file == NULL) {
|
|
|
|
|
err = -EIDRM;
|
|
|
|
|
goto out_unlock0;
|
|
|
|
|
}
|
|
|
|
|
|
SHM_UNLOCK: fix long unpreemptible section
scan_mapping_unevictable_pages() is used to make SysV SHM_LOCKed pages
evictable again once the shared memory is unlocked. It does this with
pagevec_lookup()s across the whole object (which might occupy most of
memory), and takes 300ms to unlock 7GB here. A cond_resched() every
PAGEVEC_SIZE pages would be good.
However, KOSAKI-san points out that this is called under shmem.c's
info->lock, and it's also under shm.c's shm_lock(), both spinlocks.
There is no strong reason for that: we need to take these pages off the
unevictable list soonish, but those locks are not required for it.
So move the call to scan_mapping_unevictable_pages() from shmem.c's
unlock handling up to shm.c's unlock handling. Remove the recently
added barrier, not needed now we have spin_unlock() before the scan.
Use get_file(), with subsequent fput(), to make sure we have a reference
to mapping throughout scan_mapping_unevictable_pages(): that's something
that was previously guaranteed by the shm_lock().
Remove shmctl's lru_add_drain_all(): we don't fault in pages at SHM_LOCK
time, and we lazily discover them to be Unevictable later, so it serves
no purpose for SHM_LOCK; and serves no purpose for SHM_UNLOCK, since
pages still on pagevec are not marked Unevictable.
The original code avoided redundant rescans by checking VM_LOCKED flag
at its level: now avoid them by checking shp's SHM_LOCKED.
The original code called scan_mapping_unevictable_pages() on a locked
area at shm_destroy() time: perhaps we once had accounting cross-checks
which required that, but not now, so skip the overhead and just let
inode eviction deal with them.
Put check_move_unevictable_page() and scan_mapping_unevictable_pages()
under CONFIG_SHMEM (with stub for the TINY case when ramfs is used),
more as comment than to save space; comment them used for SHM_UNLOCK.
Signed-off-by: Hugh Dickins <hughd@google.com>
Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Minchan Kim <minchan.kim@gmail.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Shaohua Li <shaohua.li@intel.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michel Lespinasse <walken@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-01-20 22:34:19 +00:00
|
|
|
if (is_file_hugepages(shm_file))
|
2013-09-11 21:26:21 +00:00
|
|
|
goto out_unlock0;
|
SHM_UNLOCK: fix long unpreemptible section
scan_mapping_unevictable_pages() is used to make SysV SHM_LOCKed pages
evictable again once the shared memory is unlocked. It does this with
pagevec_lookup()s across the whole object (which might occupy most of
memory), and takes 300ms to unlock 7GB here. A cond_resched() every
PAGEVEC_SIZE pages would be good.
However, KOSAKI-san points out that this is called under shmem.c's
info->lock, and it's also under shm.c's shm_lock(), both spinlocks.
There is no strong reason for that: we need to take these pages off the
unevictable list soonish, but those locks are not required for it.
So move the call to scan_mapping_unevictable_pages() from shmem.c's
unlock handling up to shm.c's unlock handling. Remove the recently
added barrier, not needed now we have spin_unlock() before the scan.
Use get_file(), with subsequent fput(), to make sure we have a reference
to mapping throughout scan_mapping_unevictable_pages(): that's something
that was previously guaranteed by the shm_lock().
Remove shmctl's lru_add_drain_all(): we don't fault in pages at SHM_LOCK
time, and we lazily discover them to be Unevictable later, so it serves
no purpose for SHM_LOCK; and serves no purpose for SHM_UNLOCK, since
pages still on pagevec are not marked Unevictable.
The original code avoided redundant rescans by checking VM_LOCKED flag
at its level: now avoid them by checking shp's SHM_LOCKED.
The original code called scan_mapping_unevictable_pages() on a locked
area at shm_destroy() time: perhaps we once had accounting cross-checks
which required that, but not now, so skip the overhead and just let
inode eviction deal with them.
Put check_move_unevictable_page() and scan_mapping_unevictable_pages()
under CONFIG_SHMEM (with stub for the TINY case when ramfs is used),
more as comment than to save space; comment them used for SHM_UNLOCK.
Signed-off-by: Hugh Dickins <hughd@google.com>
Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Minchan Kim <minchan.kim@gmail.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Shaohua Li <shaohua.li@intel.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michel Lespinasse <walken@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-01-20 22:34:19 +00:00
|
|
|
|
|
|
|
|
if (cmd == SHM_LOCK) {
|
2008-11-13 23:39:18 +00:00
|
|
|
struct user_struct *user = current_user();
|
SHM_UNLOCK: fix long unpreemptible section
scan_mapping_unevictable_pages() is used to make SysV SHM_LOCKed pages
evictable again once the shared memory is unlocked. It does this with
pagevec_lookup()s across the whole object (which might occupy most of
memory), and takes 300ms to unlock 7GB here. A cond_resched() every
PAGEVEC_SIZE pages would be good.
However, KOSAKI-san points out that this is called under shmem.c's
info->lock, and it's also under shm.c's shm_lock(), both spinlocks.
There is no strong reason for that: we need to take these pages off the
unevictable list soonish, but those locks are not required for it.
So move the call to scan_mapping_unevictable_pages() from shmem.c's
unlock handling up to shm.c's unlock handling. Remove the recently
added barrier, not needed now we have spin_unlock() before the scan.
Use get_file(), with subsequent fput(), to make sure we have a reference
to mapping throughout scan_mapping_unevictable_pages(): that's something
that was previously guaranteed by the shm_lock().
Remove shmctl's lru_add_drain_all(): we don't fault in pages at SHM_LOCK
time, and we lazily discover them to be Unevictable later, so it serves
no purpose for SHM_LOCK; and serves no purpose for SHM_UNLOCK, since
pages still on pagevec are not marked Unevictable.
The original code avoided redundant rescans by checking VM_LOCKED flag
at its level: now avoid them by checking shp's SHM_LOCKED.
The original code called scan_mapping_unevictable_pages() on a locked
area at shm_destroy() time: perhaps we once had accounting cross-checks
which required that, but not now, so skip the overhead and just let
inode eviction deal with them.
Put check_move_unevictable_page() and scan_mapping_unevictable_pages()
under CONFIG_SHMEM (with stub for the TINY case when ramfs is used),
more as comment than to save space; comment them used for SHM_UNLOCK.
Signed-off-by: Hugh Dickins <hughd@google.com>
Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Minchan Kim <minchan.kim@gmail.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Shaohua Li <shaohua.li@intel.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michel Lespinasse <walken@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-01-20 22:34:19 +00:00
|
|
|
err = shmem_lock(shm_file, 1, user);
|
|
|
|
|
if (!err && !(shp->shm_perm.mode & SHM_LOCKED)) {
|
|
|
|
|
shp->shm_perm.mode |= SHM_LOCKED;
|
|
|
|
|
shp->mlock_user = user;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
2013-09-11 21:26:21 +00:00
|
|
|
goto out_unlock0;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
SHM_UNLOCK: fix long unpreemptible section
scan_mapping_unevictable_pages() is used to make SysV SHM_LOCKed pages
evictable again once the shared memory is unlocked. It does this with
pagevec_lookup()s across the whole object (which might occupy most of
memory), and takes 300ms to unlock 7GB here. A cond_resched() every
PAGEVEC_SIZE pages would be good.
However, KOSAKI-san points out that this is called under shmem.c's
info->lock, and it's also under shm.c's shm_lock(), both spinlocks.
There is no strong reason for that: we need to take these pages off the
unevictable list soonish, but those locks are not required for it.
So move the call to scan_mapping_unevictable_pages() from shmem.c's
unlock handling up to shm.c's unlock handling. Remove the recently
added barrier, not needed now we have spin_unlock() before the scan.
Use get_file(), with subsequent fput(), to make sure we have a reference
to mapping throughout scan_mapping_unevictable_pages(): that's something
that was previously guaranteed by the shm_lock().
Remove shmctl's lru_add_drain_all(): we don't fault in pages at SHM_LOCK
time, and we lazily discover them to be Unevictable later, so it serves
no purpose for SHM_LOCK; and serves no purpose for SHM_UNLOCK, since
pages still on pagevec are not marked Unevictable.
The original code avoided redundant rescans by checking VM_LOCKED flag
at its level: now avoid them by checking shp's SHM_LOCKED.
The original code called scan_mapping_unevictable_pages() on a locked
area at shm_destroy() time: perhaps we once had accounting cross-checks
which required that, but not now, so skip the overhead and just let
inode eviction deal with them.
Put check_move_unevictable_page() and scan_mapping_unevictable_pages()
under CONFIG_SHMEM (with stub for the TINY case when ramfs is used),
more as comment than to save space; comment them used for SHM_UNLOCK.
Signed-off-by: Hugh Dickins <hughd@google.com>
Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Minchan Kim <minchan.kim@gmail.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Shaohua Li <shaohua.li@intel.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michel Lespinasse <walken@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-01-20 22:34:19 +00:00
|
|
|
|
|
|
|
|
/* SHM_UNLOCK */
|
|
|
|
|
if (!(shp->shm_perm.mode & SHM_LOCKED))
|
2013-09-11 21:26:21 +00:00
|
|
|
goto out_unlock0;
|
SHM_UNLOCK: fix long unpreemptible section
scan_mapping_unevictable_pages() is used to make SysV SHM_LOCKed pages
evictable again once the shared memory is unlocked. It does this with
pagevec_lookup()s across the whole object (which might occupy most of
memory), and takes 300ms to unlock 7GB here. A cond_resched() every
PAGEVEC_SIZE pages would be good.
However, KOSAKI-san points out that this is called under shmem.c's
info->lock, and it's also under shm.c's shm_lock(), both spinlocks.
There is no strong reason for that: we need to take these pages off the
unevictable list soonish, but those locks are not required for it.
So move the call to scan_mapping_unevictable_pages() from shmem.c's
unlock handling up to shm.c's unlock handling. Remove the recently
added barrier, not needed now we have spin_unlock() before the scan.
Use get_file(), with subsequent fput(), to make sure we have a reference
to mapping throughout scan_mapping_unevictable_pages(): that's something
that was previously guaranteed by the shm_lock().
Remove shmctl's lru_add_drain_all(): we don't fault in pages at SHM_LOCK
time, and we lazily discover them to be Unevictable later, so it serves
no purpose for SHM_LOCK; and serves no purpose for SHM_UNLOCK, since
pages still on pagevec are not marked Unevictable.
The original code avoided redundant rescans by checking VM_LOCKED flag
at its level: now avoid them by checking shp's SHM_LOCKED.
The original code called scan_mapping_unevictable_pages() on a locked
area at shm_destroy() time: perhaps we once had accounting cross-checks
which required that, but not now, so skip the overhead and just let
inode eviction deal with them.
Put check_move_unevictable_page() and scan_mapping_unevictable_pages()
under CONFIG_SHMEM (with stub for the TINY case when ramfs is used),
more as comment than to save space; comment them used for SHM_UNLOCK.
Signed-off-by: Hugh Dickins <hughd@google.com>
Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Minchan Kim <minchan.kim@gmail.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Shaohua Li <shaohua.li@intel.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michel Lespinasse <walken@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-01-20 22:34:19 +00:00
|
|
|
shmem_lock(shm_file, 0, shp->mlock_user);
|
|
|
|
|
shp->shm_perm.mode &= ~SHM_LOCKED;
|
|
|
|
|
shp->mlock_user = NULL;
|
|
|
|
|
get_file(shm_file);
|
2013-09-11 21:26:21 +00:00
|
|
|
ipc_unlock_object(&shp->shm_perm);
|
|
|
|
|
rcu_read_unlock();
|
SHM_UNLOCK: fix Unevictable pages stranded after swap
Commit cc39c6a9bbde ("mm: account skipped entries to avoid looping in
find_get_pages") correctly fixed an infinite loop; but left a problem
that find_get_pages() on shmem would return 0 (appearing to callers to
mean end of tree) when it meets a run of nr_pages swap entries.
The only uses of find_get_pages() on shmem are via pagevec_lookup(),
called from invalidate_mapping_pages(), and from shmctl SHM_UNLOCK's
scan_mapping_unevictable_pages(). The first is already commented, and
not worth worrying about; but the second can leave pages on the
Unevictable list after an unusual sequence of swapping and locking.
Fix that by using shmem_find_get_pages_and_swap() (then ignoring the
swap) instead of pagevec_lookup().
But I don't want to contaminate vmscan.c with shmem internals, nor
shmem.c with LRU locking. So move scan_mapping_unevictable_pages() into
shmem.c, renaming it shmem_unlock_mapping(); and rename
check_move_unevictable_page() to check_move_unevictable_pages(), looping
down an array of pages, oftentimes under the same lock.
Leave out the "rotate unevictable list" block: that's a leftover from
when this was used for /proc/sys/vm/scan_unevictable_pages, whose flawed
handling involved looking at pages at tail of LRU.
Was there significance to the sequence first ClearPageUnevictable, then
test page_evictable, then SetPageUnevictable here? I think not, we're
under LRU lock, and have no barriers between those.
Signed-off-by: Hugh Dickins <hughd@google.com>
Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Minchan Kim <minchan.kim@gmail.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Shaohua Li <shaohua.li@intel.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michel Lespinasse <walken@google.com>
Cc: <stable@vger.kernel.org> [back to 3.1 but will need respins]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-01-20 22:34:21 +00:00
|
|
|
shmem_unlock_mapping(shm_file->f_mapping);
|
2013-09-11 21:26:21 +00:00
|
|
|
|
SHM_UNLOCK: fix long unpreemptible section
scan_mapping_unevictable_pages() is used to make SysV SHM_LOCKed pages
evictable again once the shared memory is unlocked. It does this with
pagevec_lookup()s across the whole object (which might occupy most of
memory), and takes 300ms to unlock 7GB here. A cond_resched() every
PAGEVEC_SIZE pages would be good.
However, KOSAKI-san points out that this is called under shmem.c's
info->lock, and it's also under shm.c's shm_lock(), both spinlocks.
There is no strong reason for that: we need to take these pages off the
unevictable list soonish, but those locks are not required for it.
So move the call to scan_mapping_unevictable_pages() from shmem.c's
unlock handling up to shm.c's unlock handling. Remove the recently
added barrier, not needed now we have spin_unlock() before the scan.
Use get_file(), with subsequent fput(), to make sure we have a reference
to mapping throughout scan_mapping_unevictable_pages(): that's something
that was previously guaranteed by the shm_lock().
Remove shmctl's lru_add_drain_all(): we don't fault in pages at SHM_LOCK
time, and we lazily discover them to be Unevictable later, so it serves
no purpose for SHM_LOCK; and serves no purpose for SHM_UNLOCK, since
pages still on pagevec are not marked Unevictable.
The original code avoided redundant rescans by checking VM_LOCKED flag
at its level: now avoid them by checking shp's SHM_LOCKED.
The original code called scan_mapping_unevictable_pages() on a locked
area at shm_destroy() time: perhaps we once had accounting cross-checks
which required that, but not now, so skip the overhead and just let
inode eviction deal with them.
Put check_move_unevictable_page() and scan_mapping_unevictable_pages()
under CONFIG_SHMEM (with stub for the TINY case when ramfs is used),
more as comment than to save space; comment them used for SHM_UNLOCK.
Signed-off-by: Hugh Dickins <hughd@google.com>
Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Minchan Kim <minchan.kim@gmail.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Shaohua Li <shaohua.li@intel.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michel Lespinasse <walken@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-01-20 22:34:19 +00:00
|
|
|
fput(shm_file);
|
2008-04-29 08:00:47 +00:00
|
|
|
return err;
|
2013-09-11 21:26:21 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
default:
|
2008-04-29 08:00:47 +00:00
|
|
|
return -EINVAL;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
2013-09-11 21:26:21 +00:00
|
|
|
out_unlock0:
|
|
|
|
|
ipc_unlock_object(&shp->shm_perm);
|
|
|
|
|
out_unlock1:
|
|
|
|
|
rcu_read_unlock();
|
2005-04-16 22:20:36 +00:00
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Fix shmaddr, allocate descriptor, map shm, add attach descriptor to lists.
|
|
|
|
|
*
|
|
|
|
|
* NOTE! Despite the name, this is NOT a direct system call entrypoint. The
|
|
|
|
|
* "raddr" thing points to kernel space, and there has to be a wrapper around
|
|
|
|
|
* this.
|
|
|
|
|
*/
|
ipc/shm: Fix shmat mmap nil-page protection
commit 95e91b831f87ac8e1f8ed50c14d709089b4e01b8 upstream.
The issue is described here, with a nice testcase:
https://bugzilla.kernel.org/show_bug.cgi?id=192931
The problem is that shmat() calls do_mmap_pgoff() with MAP_FIXED, and
the address rounded down to 0. For the regular mmap case, the
protection mentioned above is that the kernel gets to generate the
address -- arch_get_unmapped_area() will always check for MAP_FIXED and
return that address. So by the time we do security_mmap_addr(0) things
get funky for shmat().
The testcase itself shows that while a regular user crashes, root will
not have a problem attaching a nil-page. There are two possible fixes
to this. The first, and which this patch does, is to simply allow root
to crash as well -- this is also regular mmap behavior, ie when hacking
up the testcase and adding mmap(... |MAP_FIXED). While this approach
is the safer option, the second alternative is to ignore SHM_RND if the
rounded address is 0, thus only having MAP_SHARED flags. This makes the
behavior of shmat() identical to the mmap() case. The downside of this
is obviously user visible, but does make sense in that it maintains
semantics after the round-down wrt 0 address and mmap.
Passes shm related ltp tests.
Link: http://lkml.kernel.org/r/1486050195-18629-1-git-send-email-dave@stgolabs.net
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Reported-by: Gareth Evans <gareth.evans@contextis.co.uk>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: Michael Kerrisk <mtk.manpages@googlemail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
2017-02-27 22:28:24 +00:00
|
|
|
long do_shmat(int shmid, char __user *shmaddr, int shmflg,
|
|
|
|
|
ulong *raddr, unsigned long shmlba)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
|
struct shmid_kernel *shp;
|
|
|
|
|
unsigned long addr;
|
|
|
|
|
unsigned long size;
|
|
|
|
|
struct file * file;
|
|
|
|
|
int err;
|
|
|
|
|
unsigned long flags;
|
|
|
|
|
unsigned long prot;
|
|
|
|
|
int acc_mode;
|
2006-10-02 09:18:22 +00:00
|
|
|
struct ipc_namespace *ns;
|
2007-02-20 21:57:53 +00:00
|
|
|
struct shm_file_data *sfd;
|
|
|
|
|
struct path path;
|
2008-09-02 19:28:45 +00:00
|
|
|
fmode_t f_mode;
|
2013-02-23 00:32:47 +00:00
|
|
|
unsigned long populate = 0;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2007-02-20 21:57:53 +00:00
|
|
|
err = -EINVAL;
|
|
|
|
|
if (shmid < 0)
|
2005-04-16 22:20:36 +00:00
|
|
|
goto out;
|
2007-02-20 21:57:53 +00:00
|
|
|
else if ((addr = (ulong)shmaddr)) {
|
2012-07-30 21:42:38 +00:00
|
|
|
if (addr & (shmlba - 1)) {
|
2018-05-25 21:47:30 +00:00
|
|
|
if (shmflg & SHM_RND) {
|
2018-05-25 21:47:27 +00:00
|
|
|
addr &= ~(shmlba - 1); /* round down */
|
2018-05-25 21:47:30 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Ensure that the round-down is non-nil
|
|
|
|
|
* when remapping. This can happen for
|
|
|
|
|
* cases when addr < shmlba.
|
|
|
|
|
*/
|
|
|
|
|
if (!addr && (shmflg & SHM_REMAP))
|
|
|
|
|
goto out;
|
|
|
|
|
} else
|
2005-04-16 22:20:36 +00:00
|
|
|
#ifndef __ARCH_FORCE_SHMLBA
|
|
|
|
|
if (addr & ~PAGE_MASK)
|
|
|
|
|
#endif
|
2007-02-20 21:57:53 +00:00
|
|
|
goto out;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
flags = MAP_SHARED | MAP_FIXED;
|
|
|
|
|
} else {
|
|
|
|
|
if ((shmflg & SHM_REMAP))
|
2007-02-20 21:57:53 +00:00
|
|
|
goto out;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
flags = MAP_SHARED;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (shmflg & SHM_RDONLY) {
|
|
|
|
|
prot = PROT_READ;
|
|
|
|
|
acc_mode = S_IRUGO;
|
2007-02-20 21:57:53 +00:00
|
|
|
f_mode = FMODE_READ;
|
2005-04-16 22:20:36 +00:00
|
|
|
} else {
|
|
|
|
|
prot = PROT_READ | PROT_WRITE;
|
|
|
|
|
acc_mode = S_IRUGO | S_IWUGO;
|
2007-02-20 21:57:53 +00:00
|
|
|
f_mode = FMODE_READ | FMODE_WRITE;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
if (shmflg & SHM_EXEC) {
|
|
|
|
|
prot |= PROT_EXEC;
|
|
|
|
|
acc_mode |= S_IXUGO;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* We cannot rely on the fs check since SYSV IPC does have an
|
|
|
|
|
* additional creator id...
|
|
|
|
|
*/
|
2006-10-02 09:18:22 +00:00
|
|
|
ns = current->nsproxy->ipc_ns;
|
2013-09-11 21:26:23 +00:00
|
|
|
rcu_read_lock();
|
|
|
|
|
shp = shm_obtain_object_check(ns, shmid);
|
2007-10-19 06:40:51 +00:00
|
|
|
if (IS_ERR(shp)) {
|
|
|
|
|
err = PTR_ERR(shp);
|
2013-09-11 21:26:23 +00:00
|
|
|
goto out_unlock;
|
2007-10-19 06:40:51 +00:00
|
|
|
}
|
2007-02-20 21:57:53 +00:00
|
|
|
|
|
|
|
|
err = -EACCES;
|
2011-03-23 23:43:24 +00:00
|
|
|
if (ipcperms(ns, &shp->shm_perm, acc_mode))
|
2007-02-20 21:57:53 +00:00
|
|
|
goto out_unlock;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
|
err = security_shm_shmat(shp, shmaddr, shmflg);
|
2007-02-20 21:57:53 +00:00
|
|
|
if (err)
|
|
|
|
|
goto out_unlock;
|
|
|
|
|
|
2013-09-11 21:26:23 +00:00
|
|
|
ipc_lock_object(&shp->shm_perm);
|
2013-11-21 22:32:00 +00:00
|
|
|
|
|
|
|
|
/* check if shm_destroy() is tearing down shp */
|
|
|
|
|
if (shp->shm_file == NULL) {
|
|
|
|
|
ipc_unlock_object(&shp->shm_perm);
|
|
|
|
|
err = -EIDRM;
|
|
|
|
|
goto out_unlock;
|
|
|
|
|
}
|
|
|
|
|
|
2009-08-08 20:52:35 +00:00
|
|
|
path = shp->shm_file->f_path;
|
|
|
|
|
path_get(&path);
|
2005-04-16 22:20:36 +00:00
|
|
|
shp->shm_nattch++;
|
2007-02-20 21:57:53 +00:00
|
|
|
size = i_size_read(path.dentry->d_inode);
|
2013-09-11 21:26:23 +00:00
|
|
|
ipc_unlock_object(&shp->shm_perm);
|
|
|
|
|
rcu_read_unlock();
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2007-02-20 21:57:53 +00:00
|
|
|
err = -ENOMEM;
|
|
|
|
|
sfd = kzalloc(sizeof(*sfd), GFP_KERNEL);
|
2013-09-11 21:26:22 +00:00
|
|
|
if (!sfd) {
|
|
|
|
|
path_put(&path);
|
|
|
|
|
goto out_nattch;
|
|
|
|
|
}
|
2007-02-20 21:57:53 +00:00
|
|
|
|
2009-08-08 20:52:35 +00:00
|
|
|
file = alloc_file(&path, f_mode,
|
|
|
|
|
is_file_hugepages(shp->shm_file) ?
|
2009-11-30 13:38:43 +00:00
|
|
|
&shm_file_operations_huge :
|
|
|
|
|
&shm_file_operations);
|
2012-09-13 03:11:55 +00:00
|
|
|
err = PTR_ERR(file);
|
2013-09-11 21:26:22 +00:00
|
|
|
if (IS_ERR(file)) {
|
|
|
|
|
kfree(sfd);
|
|
|
|
|
path_put(&path);
|
|
|
|
|
goto out_nattch;
|
|
|
|
|
}
|
2007-02-20 21:57:53 +00:00
|
|
|
|
|
|
|
|
file->private_data = sfd;
|
|
|
|
|
file->f_mapping = shp->shm_file->f_mapping;
|
2007-10-19 06:40:48 +00:00
|
|
|
sfd->id = shp->shm_perm.id;
|
2007-02-20 21:57:53 +00:00
|
|
|
sfd->ns = get_ipc_ns(ns);
|
|
|
|
|
sfd->file = shp->shm_file;
|
|
|
|
|
sfd->vm_ops = NULL;
|
|
|
|
|
|
2012-05-30 21:11:23 +00:00
|
|
|
err = security_mmap_file(file, prot, flags);
|
|
|
|
|
if (err)
|
|
|
|
|
goto out_fput;
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
down_write(¤t->mm->mmap_sem);
|
|
|
|
|
if (addr && !(shmflg & SHM_REMAP)) {
|
2007-02-20 21:57:53 +00:00
|
|
|
err = -EINVAL;
|
2005-04-16 22:20:36 +00:00
|
|
|
if (find_vma_intersection(current->mm, addr, addr + size))
|
|
|
|
|
goto invalid;
|
|
|
|
|
/*
|
|
|
|
|
* If shm segment goes below stack, make sure there is some
|
|
|
|
|
* space left for the stack to grow (at least 4 pages).
|
|
|
|
|
*/
|
|
|
|
|
if (addr < current->mm->start_stack &&
|
|
|
|
|
addr > current->mm->start_stack - size - PAGE_SIZE * 5)
|
|
|
|
|
goto invalid;
|
|
|
|
|
}
|
2013-09-11 21:26:22 +00:00
|
|
|
|
2013-02-23 00:32:37 +00:00
|
|
|
addr = do_mmap_pgoff(file, addr, size, prot, flags, 0, &populate);
|
|
|
|
|
*raddr = addr;
|
2007-02-20 21:57:53 +00:00
|
|
|
err = 0;
|
2013-02-23 00:32:37 +00:00
|
|
|
if (IS_ERR_VALUE(addr))
|
|
|
|
|
err = (long)addr;
|
2005-04-16 22:20:36 +00:00
|
|
|
invalid:
|
|
|
|
|
up_write(¤t->mm->mmap_sem);
|
2013-02-23 00:32:37 +00:00
|
|
|
if (populate)
|
2013-02-23 00:32:47 +00:00
|
|
|
mm_populate(addr, populate);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2012-05-30 21:11:23 +00:00
|
|
|
out_fput:
|
2007-02-20 21:57:53 +00:00
|
|
|
fput(file);
|
|
|
|
|
|
|
|
|
|
out_nattch:
|
2013-09-11 21:26:24 +00:00
|
|
|
down_write(&shm_ids(ns).rwsem);
|
2008-07-25 08:48:03 +00:00
|
|
|
shp = shm_lock(ns, shmid);
|
2005-04-16 22:20:36 +00:00
|
|
|
shp->shm_nattch--;
|
2011-07-26 23:08:48 +00:00
|
|
|
if (shm_may_destroy(ns, shp))
|
2006-10-02 09:18:22 +00:00
|
|
|
shm_destroy(ns, shp);
|
2005-04-16 22:20:36 +00:00
|
|
|
else
|
|
|
|
|
shm_unlock(shp);
|
2013-09-11 21:26:24 +00:00
|
|
|
up_write(&shm_ids(ns).rwsem);
|
2005-04-16 22:20:36 +00:00
|
|
|
return err;
|
2007-02-20 21:57:53 +00:00
|
|
|
|
|
|
|
|
out_unlock:
|
2013-09-11 21:26:23 +00:00
|
|
|
rcu_read_unlock();
|
2013-09-11 21:26:22 +00:00
|
|
|
out:
|
|
|
|
|
return err;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
2009-01-14 13:14:27 +00:00
|
|
|
SYSCALL_DEFINE3(shmat, int, shmid, char __user *, shmaddr, int, shmflg)
|
2005-05-01 15:59:12 +00:00
|
|
|
{
|
|
|
|
|
unsigned long ret;
|
|
|
|
|
long err;
|
|
|
|
|
|
2012-07-30 21:42:38 +00:00
|
|
|
err = do_shmat(shmid, shmaddr, shmflg, &ret, SHMLBA);
|
2005-05-01 15:59:12 +00:00
|
|
|
if (err)
|
|
|
|
|
return err;
|
|
|
|
|
force_successful_syscall_return();
|
|
|
|
|
return (long)ret;
|
|
|
|
|
}
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
/*
|
|
|
|
|
* detach and kill segment if marked destroyed.
|
|
|
|
|
* The work is done in shm_close.
|
|
|
|
|
*/
|
2009-01-14 13:14:27 +00:00
|
|
|
SYSCALL_DEFINE1(shmdt, char __user *, shmaddr)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
|
struct mm_struct *mm = current->mm;
|
2009-06-09 23:26:23 +00:00
|
|
|
struct vm_area_struct *vma;
|
2005-04-16 22:20:36 +00:00
|
|
|
unsigned long addr = (unsigned long)shmaddr;
|
|
|
|
|
int retval = -EINVAL;
|
2009-06-09 23:26:23 +00:00
|
|
|
#ifdef CONFIG_MMU
|
|
|
|
|
loff_t size = 0;
|
|
|
|
|
struct vm_area_struct *next;
|
|
|
|
|
#endif
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2006-03-24 11:18:06 +00:00
|
|
|
if (addr & ~PAGE_MASK)
|
|
|
|
|
return retval;
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
down_write(&mm->mmap_sem);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* This function tries to be smart and unmap shm segments that
|
|
|
|
|
* were modified by partial mlock or munmap calls:
|
|
|
|
|
* - It first determines the size of the shm segment that should be
|
|
|
|
|
* unmapped: It searches for a vma that is backed by shm and that
|
|
|
|
|
* started at address shmaddr. It records it's size and then unmaps
|
|
|
|
|
* it.
|
|
|
|
|
* - Then it unmaps all shm vmas that started at shmaddr and that
|
|
|
|
|
* are within the initially determined size.
|
|
|
|
|
* Errors from do_munmap are ignored: the function only fails if
|
|
|
|
|
* it's called with invalid parameters or if it's called to unmap
|
|
|
|
|
* a part of a vma. Both calls in this function are for full vmas,
|
|
|
|
|
* the parameters are directly copied from the vma itself and always
|
|
|
|
|
* valid - therefore do_munmap cannot fail. (famous last words?)
|
|
|
|
|
*/
|
|
|
|
|
/*
|
|
|
|
|
* If it had been mremap()'d, the starting address would not
|
|
|
|
|
* match the usual checks anyway. So assume all vma's are
|
|
|
|
|
* above the starting address given.
|
|
|
|
|
*/
|
|
|
|
|
vma = find_vma(mm, addr);
|
|
|
|
|
|
2009-01-08 12:04:47 +00:00
|
|
|
#ifdef CONFIG_MMU
|
2005-04-16 22:20:36 +00:00
|
|
|
while (vma) {
|
|
|
|
|
next = vma->vm_next;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Check if the starting address would match, i.e. it's
|
|
|
|
|
* a fragment created by mprotect() and/or munmap(), or it
|
|
|
|
|
* otherwise it starts at this address with no hassles.
|
|
|
|
|
*/
|
2007-02-20 21:57:53 +00:00
|
|
|
if ((vma->vm_ops == &shm_vm_ops) &&
|
2005-04-16 22:20:36 +00:00
|
|
|
(vma->vm_start - addr)/PAGE_SIZE == vma->vm_pgoff) {
|
|
|
|
|
|
|
|
|
|
|
2013-01-23 22:07:38 +00:00
|
|
|
size = file_inode(vma->vm_file)->i_size;
|
2005-04-16 22:20:36 +00:00
|
|
|
do_munmap(mm, vma->vm_start, vma->vm_end - vma->vm_start);
|
|
|
|
|
/*
|
|
|
|
|
* We discovered the size of the shm segment, so
|
|
|
|
|
* break out of here and fall through to the next
|
|
|
|
|
* loop that uses the size information to stop
|
|
|
|
|
* searching for matching vma's.
|
|
|
|
|
*/
|
|
|
|
|
retval = 0;
|
|
|
|
|
vma = next;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
vma = next;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* We need look no further than the maximum address a fragment
|
|
|
|
|
* could possibly have landed at. Also cast things to loff_t to
|
2011-03-31 01:57:33 +00:00
|
|
|
* prevent overflows and make comparisons vs. equal-width types.
|
2005-04-16 22:20:36 +00:00
|
|
|
*/
|
2006-02-10 09:51:12 +00:00
|
|
|
size = PAGE_ALIGN(size);
|
2005-04-16 22:20:36 +00:00
|
|
|
while (vma && (loff_t)(vma->vm_end - addr) <= size) {
|
|
|
|
|
next = vma->vm_next;
|
|
|
|
|
|
|
|
|
|
/* finding a matching vma now does not alter retval */
|
2007-02-20 21:57:53 +00:00
|
|
|
if ((vma->vm_ops == &shm_vm_ops) &&
|
2005-04-16 22:20:36 +00:00
|
|
|
(vma->vm_start - addr)/PAGE_SIZE == vma->vm_pgoff)
|
|
|
|
|
|
|
|
|
|
do_munmap(mm, vma->vm_start, vma->vm_end - vma->vm_start);
|
|
|
|
|
vma = next;
|
|
|
|
|
}
|
|
|
|
|
|
2009-01-08 12:04:47 +00:00
|
|
|
#else /* CONFIG_MMU */
|
|
|
|
|
/* under NOMMU conditions, the exact address to be destroyed must be
|
|
|
|
|
* given */
|
2013-09-11 21:26:28 +00:00
|
|
|
if (vma && vma->vm_start == addr && vma->vm_ops == &shm_vm_ops) {
|
2009-01-08 12:04:47 +00:00
|
|
|
do_munmap(mm, vma->vm_start, vma->vm_end - vma->vm_start);
|
|
|
|
|
retval = 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#endif
|
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
up_write(&mm->mmap_sem);
|
|
|
|
|
return retval;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#ifdef CONFIG_PROC_FS
|
2005-09-06 22:17:10 +00:00
|
|
|
static int sysvipc_shm_proc_show(struct seq_file *s, void *it)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2012-02-08 00:54:11 +00:00
|
|
|
struct user_namespace *user_ns = seq_user_ns(s);
|
2005-09-06 22:17:10 +00:00
|
|
|
struct shmid_kernel *shp = it;
|
2010-10-27 22:34:16 +00:00
|
|
|
unsigned long rss = 0, swp = 0;
|
|
|
|
|
|
|
|
|
|
shm_add_rss_swap(shp, &rss, &swp);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2008-06-12 22:21:49 +00:00
|
|
|
#if BITS_PER_LONG <= 32
|
|
|
|
|
#define SIZE_SPEC "%10lu"
|
|
|
|
|
#else
|
|
|
|
|
#define SIZE_SPEC "%21lu"
|
|
|
|
|
#endif
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2008-06-12 22:21:49 +00:00
|
|
|
return seq_printf(s,
|
|
|
|
|
"%10d %10d %4o " SIZE_SPEC " %5u %5u "
|
2010-10-27 22:34:16 +00:00
|
|
|
"%5lu %5u %5u %5u %5u %10lu %10lu %10lu "
|
|
|
|
|
SIZE_SPEC " " SIZE_SPEC "\n",
|
2005-09-06 22:17:10 +00:00
|
|
|
shp->shm_perm.key,
|
2007-10-19 06:40:48 +00:00
|
|
|
shp->shm_perm.id,
|
2006-01-08 09:02:21 +00:00
|
|
|
shp->shm_perm.mode,
|
2005-09-06 22:17:10 +00:00
|
|
|
shp->shm_segsz,
|
|
|
|
|
shp->shm_cprid,
|
|
|
|
|
shp->shm_lprid,
|
2007-02-20 21:57:53 +00:00
|
|
|
shp->shm_nattch,
|
2012-02-08 00:54:11 +00:00
|
|
|
from_kuid_munged(user_ns, shp->shm_perm.uid),
|
|
|
|
|
from_kgid_munged(user_ns, shp->shm_perm.gid),
|
|
|
|
|
from_kuid_munged(user_ns, shp->shm_perm.cuid),
|
|
|
|
|
from_kgid_munged(user_ns, shp->shm_perm.cgid),
|
2005-09-06 22:17:10 +00:00
|
|
|
shp->shm_atim,
|
|
|
|
|
shp->shm_dtim,
|
2010-10-27 22:34:16 +00:00
|
|
|
shp->shm_ctim,
|
|
|
|
|
rss * PAGE_SIZE,
|
|
|
|
|
swp * PAGE_SIZE);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
#endif
|
