projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge branch 'exit-cleanups-for-v5.16' of git://git.kernel.org/pub/scm/linux/kernel...
[linux-2.6-block.git] / ipc / shm.c
CommitLineData
b2441318 1// SPDX-License-Identifier: GPL-2.0
1da177e4
LT		 2/*
3 * linux/ipc/shm.c
4 * Copyright (C) 1992, 1993 Krishna Balasubramanian
5 * Many improvements/fixes by Bruno Haible.
6 * Replaced `struct shm_desc' by `struct vm_area_struct', July 1994.
7 * Fixed the shm swap deallocation (shm_unuse()), August 1998 Andrea Arcangeli.
8 *
9 * /proc/sysvipc/shm support (c) 1999 Dragos Acostachioaie <dragos@iname.com>
10 * BIGMEM support, Andrea Arcangeli <andrea@suse.de>
11 * SMP thread shm, Jean-Luc Boyard <jean-luc.boyard@siemens.fr>
12 * HIGHMEM support, Ingo Molnar <mingo@redhat.com>
13 * Make shmmax, shmall, shmmni sysctl'able, Christoph Rohland <cr@sap.com>
14 * Shared /dev/zero support, Kanoj Sarcar <kanoj@sgi.com>
15 * Move the mm functionality over to mm/shmem.c, Christoph Rohland <cr@sap.com>
16 *
073115d6
SG		 17 * support for audit of ipc object properties and permission changes
18 * Dustin Kirkland <dustin.kirkland@us.ibm.com>
4e982311
KK		 19 *
20 * namespaces support
21 * OpenVZ, SWsoft Inc.
22 * Pavel Emelianov <xemul@openvz.org>
c2c737a0
DB		 23 *
24 * Better ipc lock (kern_ipc_perm.lock) handling
25 * Davidlohr Bueso <davidlohr.bueso@hp.com>, June 2013.
1da177e4
LT		 26 */
27
1da177e4
LT		 28#include <linux/slab.h>
29#include <linux/mm.h>
30#include <linux/hugetlb.h>
31#include <linux/shm.h>
32#include <linux/init.h>
33#include <linux/file.h>
34#include <linux/mman.h>
1da177e4
LT		 35#include <linux/shmem_fs.h>
36#include <linux/security.h>
37#include <linux/syscalls.h>
38#include <linux/audit.h>
c59ede7b 39#include <linux/capability.h>
7d87e14c 40#include <linux/ptrace.h>
19b4946c 41#include <linux/seq_file.h>
3e148c79 42#include <linux/rwsem.h>
4e982311 43#include <linux/nsproxy.h>
bc56bba8 44#include <linux/mount.h>
ae5e1b22 45#include <linux/ipc_namespace.h>
0eb71a9d 46#include <linux/rhashtable.h>
7d87e14c 47
7153e402 48#include <linux/uaccess.h>
1da177e4
LT		 49
50#include "util.h"
51
a2e102cd
EB		 52struct shmid_kernel /* private to the kernel */
53{
54 struct kern_ipc_perm shm_perm;
55 struct file *shm_file;
56 unsigned long shm_nattch;
57 unsigned long shm_segsz;
58 time64_t shm_atim;
59 time64_t shm_dtim;
60 time64_t shm_ctim;
98f929b1
EB		 61 struct pid *shm_cprid;
62 struct pid *shm_lprid;
d7c9e99a 63 struct ucounts *mlock_ucounts;
a2e102cd
EB		 64
65 /* The task created the shm object. NULL if the task is dead. */
66 struct task_struct *shm_creator;
67 struct list_head shm_clist; /* list by creator */
68} __randomize_layout;
69
70/* shm_mode upper byte flags */
71#define SHM_DEST 01000 /* segment will be destroyed on last detach */
72#define SHM_LOCKED 02000 /* segment will not be swapped */
73
bc56bba8
EB		 74struct shm_file_data {
75 int id;
76 struct ipc_namespace *ns;
77 struct file *file;
78 const struct vm_operations_struct *vm_ops;
79};
80
81#define shm_file_data(file) (*((struct shm_file_data **)&(file)->private_data))
82
9a32144e 83static const struct file_operations shm_file_operations;
f0f37e2f 84static const struct vm_operations_struct shm_vm_ops;
1da177e4 85
ed2ddbf8 86#define shm_ids(ns) ((ns)->ids[IPC_SHM_IDS])
1da177e4 87
4e982311
KK		 88#define shm_unlock(shp) \
89 ipc_unlock(&(shp)->shm_perm)
1da177e4 90
7748dbfa 91static int newseg(struct ipc_namespace *, struct ipc_params *);
bc56bba8
EB		 92static void shm_open(struct vm_area_struct *vma);
93static void shm_close(struct vm_area_struct *vma);
239521f3 94static void shm_destroy(struct ipc_namespace *ns, struct shmid_kernel *shp);
1da177e4 95#ifdef CONFIG_PROC_FS
19b4946c 96static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
1da177e4
LT		 97#endif
98
eae04d25 99void shm_init_ns(struct ipc_namespace *ns)
4e982311 100{
4e982311
KK		 101 ns->shm_ctlmax = SHMMAX;
102 ns->shm_ctlall = SHMALL;
103 ns->shm_ctlmni = SHMMNI;
b34a6b1d 104 ns->shm_rmid_forced = 0;
4e982311 105 ns->shm_tot = 0;
eae04d25 106 ipc_init_ids(&shm_ids(ns));
4e982311
KK		 107}
108
f4566f04 109/*
d9a605e4
DB		 110 * Called with shm_ids.rwsem (writer) and the shp structure locked.
111 * Only shm_ids.rwsem remains locked on exit.
f4566f04 112 */
01b8b07a 113static void do_shm_rmid(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp)
4e982311 114{
01b8b07a 115 struct shmid_kernel *shp;
63980c80 116
01b8b07a
PP		 117 shp = container_of(ipcp, struct shmid_kernel, shm_perm);
118
239521f3 119 if (shp->shm_nattch) {
4e982311
KK		 120 shp->shm_perm.mode |= SHM_DEST;
121 /* Do not find it any more */
0cfb6aee 122 ipc_set_key_private(&shm_ids(ns), &shp->shm_perm);
4e982311
KK		 123 shm_unlock(shp);
124 } else
125 shm_destroy(ns, shp);
126}
127
ae5e1b22 128#ifdef CONFIG_IPC_NS
4e982311
KK		 129void shm_exit_ns(struct ipc_namespace *ns)
130{
01b8b07a 131 free_ipcs(ns, &shm_ids(ns), do_shm_rmid);
7d6feeb2 132 idr_destroy(&ns->ids[IPC_SHM_IDS].ipcs_idr);
0cfb6aee 133 rhashtable_destroy(&ns->ids[IPC_SHM_IDS].key_ht);
4e982311 134}
ae5e1b22 135#endif
1da177e4 136
140d0b21 137static int __init ipc_ns_init(void)
1da177e4 138{
eae04d25
DB		 139 shm_init_ns(&init_ipc_ns);
140 return 0;
140d0b21
LT		 141}
142
143pure_initcall(ipc_ns_init);
144
239521f3 145void __init shm_init(void)
140d0b21 146{
19b4946c 147 ipc_init_proc_interface("sysvipc/shm",
b7952180
HD		 148#if BITS_PER_LONG <= 32
149 " key shmid perms size cpid lpid nattch uid gid cuid cgid atime dtime ctime rss swap\n",
150#else
151 " key shmid perms size cpid lpid nattch uid gid cuid cgid atime dtime ctime rss swap\n",
152#endif
4e982311 153 IPC_SHM_IDS, sysvipc_shm_proc_show);
1da177e4
LT		 154}
155
8b8d52ac
DB		 156static inline struct shmid_kernel *shm_obtain_object(struct ipc_namespace *ns, int id)
157{
55b7ae50 158 struct kern_ipc_perm *ipcp = ipc_obtain_object_idr(&shm_ids(ns), id);
8b8d52ac
DB		 159
160 if (IS_ERR(ipcp))
161 return ERR_CAST(ipcp);
162
163 return container_of(ipcp, struct shmid_kernel, shm_perm);
164}
165
166static inline struct shmid_kernel *shm_obtain_object_check(struct ipc_namespace *ns, int id)
167{
168 struct kern_ipc_perm *ipcp = ipc_obtain_object_check(&shm_ids(ns), id);
169
170 if (IS_ERR(ipcp))
171 return ERR_CAST(ipcp);
172
173 return container_of(ipcp, struct shmid_kernel, shm_perm);
174}
175
3e148c79 176/*
d9a605e4 177 * shm_lock_(check_) routines are called in the paths where the rwsem
00c2bf85 178 * is not necessarily held.
3e148c79 179 */
023a5355 180static inline struct shmid_kernel *shm_lock(struct ipc_namespace *ns, int id)
1da177e4 181{
82061c57 182 struct kern_ipc_perm *ipcp;
03f02c76 183
82061c57
DB		 184 rcu_read_lock();
185 ipcp = ipc_obtain_object_idr(&shm_ids(ns), id);
186 if (IS_ERR(ipcp))
187 goto err;
188
189 ipc_lock_object(ipcp);
190 /*
191 * ipc_rmid() may have already freed the ID while ipc_lock_object()
192 * was spinning: here verify that the structure is still valid.
193 * Upon races with RMID, return -EIDRM, thus indicating that
194 * the ID points to a removed identifier.
195 */
196 if (ipc_valid_object(ipcp)) {
197 /* return a locked ipc object upon success */
198 return container_of(ipcp, struct shmid_kernel, shm_perm);
199 }
200
201 ipc_unlock_object(ipcp);
9c21dae2 202 ipcp = ERR_PTR(-EIDRM);
82061c57
DB		 203err:
204 rcu_read_unlock();
c5c8975b 205 /*
1ac0b6de 206 * Callers of shm_lock() must validate the status of the returned ipc
82061c57 207 * object pointer and error out as appropriate.
c5c8975b 208 */
59cf0a93 209 return ERR_CAST(ipcp);
023a5355
ND		 210}
211
4c677e2e
VK		 212static inline void shm_lock_by_ptr(struct shmid_kernel *ipcp)
213{
214 rcu_read_lock();
cf9d5d78 215 ipc_lock_object(&ipcp->shm_perm);
4c677e2e
VK		 216}
217
53dad6d3
DB		 218static void shm_rcu_free(struct rcu_head *head)
219{
dba4cdd3
MS		 220 struct kern_ipc_perm *ptr = container_of(head, struct kern_ipc_perm,
221 rcu);
222 struct shmid_kernel *shp = container_of(ptr, struct shmid_kernel,
223 shm_perm);
7191adff 224 security_shm_free(&shp->shm_perm);
bc8136a5 225 kfree(shp);
53dad6d3
DB		 226}
227
7ca7e564 228static inline void shm_rmid(struct ipc_namespace *ns, struct shmid_kernel *s)
1da177e4 229{
ab602f79 230 list_del(&s->shm_clist);
7ca7e564 231 ipc_rmid(&shm_ids(ns), &s->shm_perm);
1da177e4
LT		 232}
233
1da177e4 234
1ac0b6de 235static int __shm_open(struct vm_area_struct *vma)
4e982311 236{
bc56bba8
EB		 237 struct file *file = vma->vm_file;
238 struct shm_file_data *sfd = shm_file_data(file);
1da177e4
LT		 239 struct shmid_kernel *shp;
240
bc56bba8 241 shp = shm_lock(sfd->ns, sfd->id);
1ac0b6de
KS		 242
243 if (IS_ERR(shp))
244 return PTR_ERR(shp);
245
3f05317d
EB		 246 if (shp->shm_file != sfd->file) {
247 /* ID was reused */
248 shm_unlock(shp);
249 return -EINVAL;
250 }
251
7ff2819e 252 shp->shm_atim = ktime_get_real_seconds();
98f929b1 253 ipc_update_pid(&shp->shm_lprid, task_tgid(current));
1da177e4
LT		 254 shp->shm_nattch++;
255 shm_unlock(shp);
1ac0b6de
KS		 256 return 0;
257}
258
259/* This is called by fork, once for every shm attach. */
260static void shm_open(struct vm_area_struct *vma)
261{
262 int err = __shm_open(vma);
263 /*
264 * We raced in the idr lookup or with shm_destroy().
265 * Either way, the ID is busted.
266 */
267 WARN_ON_ONCE(err);
1da177e4
LT		 268}
269
1da177e4
LT		 270/*
271 * shm_destroy - free the struct shmid_kernel
272 *
f4566f04 273 * @ns: namespace
1da177e4
LT		 274 * @shp: struct to free
275 *
d9a605e4 276 * It has to be called with shp and shm_ids.rwsem (writer) locked,
1da177e4
LT		 277 * but returns with shp unlocked and freed.
278 */
4e982311 279static void shm_destroy(struct ipc_namespace *ns, struct shmid_kernel *shp)
1da177e4 280{
a399b29d
GT		 281 struct file *shm_file;
282
283 shm_file = shp->shm_file;
284 shp->shm_file = NULL;
4e982311 285 ns->shm_tot -= (shp->shm_segsz + PAGE_SIZE - 1) >> PAGE_SHIFT;
7ca7e564 286 shm_rmid(ns, shp);
1da177e4 287 shm_unlock(shp);
a399b29d 288 if (!is_file_hugepages(shm_file))
d7c9e99a 289 shmem_lock(shm_file, 0, shp->mlock_ucounts);
a399b29d 290 fput(shm_file);
98f929b1
EB		 291 ipc_update_pid(&shp->shm_cprid, NULL);
292 ipc_update_pid(&shp->shm_lprid, NULL);
dba4cdd3 293 ipc_rcu_putref(&shp->shm_perm, shm_rcu_free);
1da177e4
LT		 294}
295
b34a6b1d
VK		 296/*
297 * shm_may_destroy - identifies whether shm segment should be destroyed now
298 *
299 * Returns true if and only if there are no active users of the segment and
300 * one of the following is true:
301 *
302 * 1) shmctl(id, IPC_RMID, NULL) was called for this shp
303 *
304 * 2) sysctl kernel.shm_rmid_forced is set to 1.
305 */
306static bool shm_may_destroy(struct ipc_namespace *ns, struct shmid_kernel *shp)
307{
308 return (shp->shm_nattch == 0) &&
309 (ns->shm_rmid_forced ||
310 (shp->shm_perm.mode & SHM_DEST));
311}
312
1da177e4 313/*
bc56bba8 314 * remove the attach descriptor vma.
1da177e4
LT		 315 * free memory for segment if it is marked destroyed.
316 * The descriptor has already been removed from the current->mm->mmap list
317 * and will later be kfree()d.
318 */
bc56bba8 319static void shm_close(struct vm_area_struct *vma)
1da177e4 320{
239521f3 321 struct file *file = vma->vm_file;
bc56bba8 322 struct shm_file_data *sfd = shm_file_data(file);
1da177e4 323 struct shmid_kernel *shp;
bc56bba8 324 struct ipc_namespace *ns = sfd->ns;
4e982311 325
d9a605e4 326 down_write(&shm_ids(ns).rwsem);
1da177e4 327 /* remove from the list of attaches of the shm segment */
00c2bf85 328 shp = shm_lock(ns, sfd->id);
1ac0b6de
KS		 329
330 /*
331 * We raced in the idr lookup or with shm_destroy().
332 * Either way, the ID is busted.
333 */
334 if (WARN_ON_ONCE(IS_ERR(shp)))
335 goto done; /* no-op */
336
98f929b1 337 ipc_update_pid(&shp->shm_lprid, task_tgid(current));
7ff2819e 338 shp->shm_dtim = ktime_get_real_seconds();
1da177e4 339 shp->shm_nattch--;
b34a6b1d
VK		 340 if (shm_may_destroy(ns, shp))
341 shm_destroy(ns, shp);
342 else
343 shm_unlock(shp);
1ac0b6de 344done:
d9a605e4 345 up_write(&shm_ids(ns).rwsem);
b34a6b1d
VK		 346}
347
d9a605e4 348/* Called with ns->shm_ids(ns).rwsem locked */
b34a6b1d
VK		 349static int shm_try_destroy_orphaned(int id, void *p, void *data)
350{
351 struct ipc_namespace *ns = data;
4c677e2e
VK		 352 struct kern_ipc_perm *ipcp = p;
353 struct shmid_kernel *shp = container_of(ipcp, struct shmid_kernel, shm_perm);
b34a6b1d
VK		 354
355 /*
356 * We want to destroy segments without users and with already
357 * exit'ed originating process.
4c677e2e 358 *
d9a605e4 359 * As shp->* are changed under rwsem, it's safe to skip shp locking.
b34a6b1d 360 */
4c677e2e 361 if (shp->shm_creator != NULL)
b34a6b1d 362 return 0;
b34a6b1d 363
4c677e2e
VK		 364 if (shm_may_destroy(ns, shp)) {
365 shm_lock_by_ptr(shp);
4e982311 366 shm_destroy(ns, shp);
4c677e2e 367 }
b34a6b1d
VK		 368 return 0;
369}
370
371void shm_destroy_orphaned(struct ipc_namespace *ns)
372{
d9a605e4 373 down_write(&shm_ids(ns).rwsem);
33a30ed4 374 if (shm_ids(ns).in_use)
4c677e2e 375 idr_for_each(&shm_ids(ns).ipcs_idr, &shm_try_destroy_orphaned, ns);
d9a605e4 376 up_write(&shm_ids(ns).rwsem);
b34a6b1d
VK		 377}
378
83293c0f 379/* Locking assumes this will only be called with task == current */
b34a6b1d
VK		 380void exit_shm(struct task_struct *task)
381{
4c677e2e 382 struct ipc_namespace *ns = task->nsproxy->ipc_ns;
ab602f79 383 struct shmid_kernel *shp, *n;
b34a6b1d 384
83293c0f
JM		 385 if (list_empty(&task->sysvshm.shm_clist))
386 return;
387
388 /*
389 * If kernel.shm_rmid_forced is not set then only keep track of
390 * which shmids are orphaned, so that a later set of the sysctl
391 * can clean them up.
392 */
393 if (!ns->shm_rmid_forced) {
394 down_read(&shm_ids(ns).rwsem);
395 list_for_each_entry(shp, &task->sysvshm.shm_clist, shm_clist)
396 shp->shm_creator = NULL;
397 /*
398 * Only under read lock but we are only called on current
399 * so no entry on the list will be shared.
400 */
401 list_del(&task->sysvshm.shm_clist);
402 up_read(&shm_ids(ns).rwsem);
298507d4 403 return;
83293c0f 404 }
298507d4 405
83293c0f
JM		 406 /*
407 * Destroy all already created segments, that were not yet mapped,
408 * and mark any mapped as orphan to cover the sysctl toggling.
409 * Destroy is skipped if shm_may_destroy() returns false.
410 */
d9a605e4 411 down_write(&shm_ids(ns).rwsem);
83293c0f
JM		 412 list_for_each_entry_safe(shp, n, &task->sysvshm.shm_clist, shm_clist) {
413 shp->shm_creator = NULL;
414
415 if (shm_may_destroy(ns, shp)) {
416 shm_lock_by_ptr(shp);
417 shm_destroy(ns, shp);
418 }
419 }
420
421 /* Remove the list head from any segments still attached. */
ab602f79 422 list_del(&task->sysvshm.shm_clist);
d9a605e4 423 up_write(&shm_ids(ns).rwsem);
1da177e4
LT		 424}
425
14f28f57 426static vm_fault_t shm_fault(struct vm_fault *vmf)
bc56bba8 427{
11bac800 428 struct file *file = vmf->vma->vm_file;
bc56bba8
EB		 429 struct shm_file_data *sfd = shm_file_data(file);
430
11bac800 431 return sfd->vm_ops->fault(vmf);
bc56bba8
EB		 432}
433
dd3b614f 434static int shm_may_split(struct vm_area_struct *vma, unsigned long addr)
3d942ee0
MK		 435{
436 struct file *file = vma->vm_file;
437 struct shm_file_data *sfd = shm_file_data(file);
438
dd3b614f
DS		 439 if (sfd->vm_ops->may_split)
440 return sfd->vm_ops->may_split(vma, addr);
3d942ee0
MK		 441
442 return 0;
443}
444
eec3636a
JC		 445static unsigned long shm_pagesize(struct vm_area_struct *vma)
446{
447 struct file *file = vma->vm_file;
448 struct shm_file_data *sfd = shm_file_data(file);
449
450 if (sfd->vm_ops->pagesize)
451 return sfd->vm_ops->pagesize(vma);
452
453 return PAGE_SIZE;
454}
455
bc56bba8 456#ifdef CONFIG_NUMA
d823e3e7 457static int shm_set_policy(struct vm_area_struct *vma, struct mempolicy *new)
bc56bba8
EB		 458{
459 struct file *file = vma->vm_file;
460 struct shm_file_data *sfd = shm_file_data(file);
461 int err = 0;
63980c80 462
bc56bba8
EB		 463 if (sfd->vm_ops->set_policy)
464 err = sfd->vm_ops->set_policy(vma, new);
465 return err;
466}
467
d823e3e7
AB		 468static struct mempolicy *shm_get_policy(struct vm_area_struct *vma,
469 unsigned long addr)
bc56bba8
EB		 470{
471 struct file *file = vma->vm_file;
472 struct shm_file_data *sfd = shm_file_data(file);
473 struct mempolicy *pol = NULL;
474
475 if (sfd->vm_ops->get_policy)
476 pol = sfd->vm_ops->get_policy(vma, addr);
52cd3b07 477 else if (vma->vm_policy)
bc56bba8 478 pol = vma->vm_policy;
52cd3b07 479
bc56bba8
EB		 480 return pol;
481}
482#endif
483
239521f3 484static int shm_mmap(struct file *file, struct vm_area_struct *vma)
1da177e4 485{
bc56bba8 486 struct shm_file_data *sfd = shm_file_data(file);
b0e15190
DH		 487 int ret;
488
1ac0b6de 489 /*
3f05317d
EB		 490 * In case of remap_file_pages() emulation, the file can represent an
491 * IPC ID that was removed, and possibly even reused by another shm
492 * segment already. Propagate this case as an error to caller.
1ac0b6de 493 */
63980c80 494 ret = __shm_open(vma);
1ac0b6de
KS		 495 if (ret)
496 return ret;
497
f74ac015 498 ret = call_mmap(sfd->file, vma);
1ac0b6de
KS		 499 if (ret) {
500 shm_close(vma);
bc56bba8 501 return ret;
1ac0b6de 502 }
bc56bba8 503 sfd->vm_ops = vma->vm_ops;
2e92a3ba 504#ifdef CONFIG_MMU
d0edd852 505 WARN_ON(!sfd->vm_ops->fault);
2e92a3ba 506#endif
bc56bba8 507 vma->vm_ops = &shm_vm_ops;
1ac0b6de 508 return 0;
1da177e4
LT		 509}
510
4e982311
KK		 511static int shm_release(struct inode *ino, struct file *file)
512{
bc56bba8 513 struct shm_file_data *sfd = shm_file_data(file);
4e982311 514
bc56bba8 515 put_ipc_ns(sfd->ns);
3f05317d 516 fput(sfd->file);
bc56bba8
EB		 517 shm_file_data(file) = NULL;
518 kfree(sfd);
4e982311
KK		 519 return 0;
520}
521
02c24a82 522static int shm_fsync(struct file *file, loff_t start, loff_t end, int datasync)
516dffdc 523{
516dffdc 524 struct shm_file_data *sfd = shm_file_data(file);
516dffdc 525
7ea80859
CH		 526 if (!sfd->file->f_op->fsync)
527 return -EINVAL;
0f41074a 528 return sfd->file->f_op->fsync(sfd->file, start, end, datasync);
516dffdc
AL		 529}
530
7d8a4569
WD		 531static long shm_fallocate(struct file *file, int mode, loff_t offset,
532 loff_t len)
533{
534 struct shm_file_data *sfd = shm_file_data(file);
535
536 if (!sfd->file->f_op->fallocate)
537 return -EOPNOTSUPP;
538 return sfd->file->f_op->fallocate(file, mode, offset, len);
539}
540
bc56bba8
EB		 541static unsigned long shm_get_unmapped_area(struct file *file,
542 unsigned long addr, unsigned long len, unsigned long pgoff,
543 unsigned long flags)
544{
545 struct shm_file_data *sfd = shm_file_data(file);
63980c80 546
c4caa778
AV		 547 return sfd->file->f_op->get_unmapped_area(sfd->file, addr, len,
548 pgoff, flags);
bc56bba8 549}
bc56bba8 550
9a32144e 551static const struct file_operations shm_file_operations = {
4e982311 552 .mmap = shm_mmap,
516dffdc 553 .fsync = shm_fsync,
4e982311 554 .release = shm_release,
ed5e5894 555 .get_unmapped_area = shm_get_unmapped_area,
6038f373 556 .llseek = noop_llseek,
7d8a4569 557 .fallocate = shm_fallocate,
c4caa778
AV		 558};
559
c01d5b30
HD		 560/*
561 * shm_file_operations_huge is now identical to shm_file_operations,
562 * but we keep it distinct for the sake of is_file_shm_hugepages().
563 */
c4caa778
AV		 564static const struct file_operations shm_file_operations_huge = {
565 .mmap = shm_mmap,
566 .fsync = shm_fsync,
567 .release = shm_release,
bc56bba8 568 .get_unmapped_area = shm_get_unmapped_area,
6038f373 569 .llseek = noop_llseek,
7d8a4569 570 .fallocate = shm_fallocate,
1da177e4
LT		 571};
572
2954e440 573bool is_file_shm_hugepages(struct file *file)
c4caa778
AV		 574{
575 return file->f_op == &shm_file_operations_huge;
576}
577
f0f37e2f 578static const struct vm_operations_struct shm_vm_ops = {
1da177e4
LT		 579 .open = shm_open, /* callback for a new vm-area open */
580 .close = shm_close, /* callback for when the vm-area is released */
54cb8821 581 .fault = shm_fault,
dd3b614f 582 .may_split = shm_may_split,
eec3636a 583 .pagesize = shm_pagesize,
bc56bba8
EB		 584#if defined(CONFIG_NUMA)
585 .set_policy = shm_set_policy,
586 .get_policy = shm_get_policy,
1da177e4
LT		 587#endif
588};
589
f4566f04
ND		 590/**
591 * newseg - Create a new shared memory segment
592 * @ns: namespace
593 * @params: ptr to the structure that contains key, size and shmflg
594 *
d9a605e4 595 * Called with shm_ids.rwsem held as a writer.
f4566f04 596 */
7748dbfa 597static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
1da177e4 598{
7748dbfa
ND		 599 key_t key = params->key;
600 int shmflg = params->flg;
601 size_t size = params->u.size;
1da177e4
LT		 602 int error;
603 struct shmid_kernel *shp;
d69f3bad 604 size_t numpages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT;
239521f3 605 struct file *file;
1da177e4 606 char name[13];
ca16d140 607 vm_flags_t acctflag = 0;
1da177e4 608
4e982311 609 if (size < SHMMIN || size > ns->shm_ctlmax)
1da177e4
LT		 610 return -EINVAL;
611
1376327c
MS		 612 if (numpages << PAGE_SHIFT < size)
613 return -ENOSPC;
614
09c6eb1f
MS		 615 if (ns->shm_tot + numpages < ns->shm_tot ||
616 ns->shm_tot + numpages > ns->shm_ctlall)
1da177e4
LT		 617 return -ENOSPC;
618
18319498 619 shp = kmalloc(sizeof(*shp), GFP_KERNEL_ACCOUNT);
42e618f7 620 if (unlikely(!shp))
1da177e4
LT		 621 return -ENOMEM;
622
623 shp->shm_perm.key = key;
b33291c0 624 shp->shm_perm.mode = (shmflg & S_IRWXUGO);
d7c9e99a 625 shp->mlock_ucounts = NULL;
1da177e4
LT		 626
627 shp->shm_perm.security = NULL;
7191adff 628 error = security_shm_alloc(&shp->shm_perm);
1da177e4 629 if (error) {
bc8136a5 630 kfree(shp);
1da177e4
LT		 631 return error;
632 }
633
239521f3 634 sprintf(name, "SYSV%08x", key);
1da177e4 635 if (shmflg & SHM_HUGETLB) {
c103a4dc 636 struct hstate *hs;
091d0d55
LZ		 637 size_t hugesize;
638
c103a4dc 639 hs = hstate_sizelog((shmflg >> SHM_HUGE_SHIFT) & SHM_HUGE_MASK);
091d0d55
LZ		 640 if (!hs) {
641 error = -EINVAL;
642 goto no_file;
643 }
644 hugesize = ALIGN(size, huge_page_size(hs));
af73e4d9 645
5a6fe125
MG		 646 /* hugetlb_file_setup applies strict accounting */
647 if (shmflg & SHM_NORESERVE)
648 acctflag = VM_NORESERVE;
af73e4d9 649 file = hugetlb_file_setup(name, hugesize, acctflag,
83c1fd76 650 HUGETLB_SHMFS_INODE, (shmflg >> SHM_HUGE_SHIFT) & SHM_HUGE_MASK);
1da177e4 651 } else {
bf8f972d
BP		 652 /*
653 * Do not allow no accounting for OVERCOMMIT_NEVER, even
239521f3 654 * if it's asked for.
bf8f972d
BP		 655 */
656 if ((shmflg & SHM_NORESERVE) &&
657 sysctl_overcommit_memory != OVERCOMMIT_NEVER)
fc8744ad 658 acctflag = VM_NORESERVE;
e1832f29 659 file = shmem_kernel_file_setup(name, size, acctflag);
1da177e4
LT		 660 }
661 error = PTR_ERR(file);
662 if (IS_ERR(file))
663 goto no_file;
664
98f929b1
EB		 665 shp->shm_cprid = get_pid(task_tgid(current));
666 shp->shm_lprid = NULL;
1da177e4 667 shp->shm_atim = shp->shm_dtim = 0;
7ff2819e 668 shp->shm_ctim = ktime_get_real_seconds();
1da177e4
LT		 669 shp->shm_segsz = size;
670 shp->shm_nattch = 0;
1da177e4 671 shp->shm_file = file;
5774ed01 672 shp->shm_creator = current;
b9a53227 673
39c96a1b 674 /* ipc_addid() locks shp upon success. */
a2642f87
MS		 675 error = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
676 if (error < 0)
b9a53227 677 goto no_id;
b9a53227 678
ab602f79 679 list_add(&shp->shm_clist, &current->sysvshm.shm_clist);
dbfcd91f 680
30475cc1
BP		 681 /*
682 * shmid gets reported as "inode#" in /proc/pid/maps.
683 * proc-ps tools use this. Changing this will break them.
684 */
496ad9aa 685 file_inode(file)->i_ino = shp->shm_perm.id;
551110a9 686
4e982311 687 ns->shm_tot += numpages;
7ca7e564 688 error = shp->shm_perm.id;
dbfcd91f 689
cf9d5d78 690 ipc_unlock_object(&shp->shm_perm);
dbfcd91f 691 rcu_read_unlock();
7ca7e564 692 return error;
1da177e4
LT		 693
694no_id:
2236d4d3
EB		 695 ipc_update_pid(&shp->shm_cprid, NULL);
696 ipc_update_pid(&shp->shm_lprid, NULL);
1da177e4 697 fput(file);
39cfffd7
MS		 698 ipc_rcu_putref(&shp->shm_perm, shm_rcu_free);
699 return error;
1da177e4 700no_file:
a2642f87 701 call_rcu(&shp->shm_perm.rcu, shm_rcu_free);
1da177e4
LT		 702 return error;
703}
704
f4566f04 705/*
d9a605e4 706 * Called with shm_ids.rwsem and ipcp locked.
f4566f04 707 */
00898e85 708static int shm_more_checks(struct kern_ipc_perm *ipcp, struct ipc_params *params)
7748dbfa 709{
03f02c76
ND		 710 struct shmid_kernel *shp;
711
712 shp = container_of(ipcp, struct shmid_kernel, shm_perm);
713 if (shp->shm_segsz < params->u.size)
7748dbfa
ND		 714 return -EINVAL;
715
716 return 0;
717}
718
65749e0b 719long ksys_shmget(key_t key, size_t size, int shmflg)
1da177e4 720{
4e982311 721 struct ipc_namespace *ns;
eb66ec44
MK		 722 static const struct ipc_ops shm_ops = {
723 .getnew = newseg,
50ab44b1 724 .associate = security_shm_associate,
eb66ec44
MK		 725 .more_checks = shm_more_checks,
726 };
7748dbfa 727 struct ipc_params shm_params;
4e982311
KK		 728
729 ns = current->nsproxy->ipc_ns;
1da177e4 730
7748dbfa
ND		 731 shm_params.key = key;
732 shm_params.flg = shmflg;
733 shm_params.u.size = size;
1da177e4 734
7748dbfa 735 return ipcget(ns, &shm_ids(ns), &shm_ops, &shm_params);
1da177e4
LT		 736}
737
65749e0b
DB		 738SYSCALL_DEFINE3(shmget, key_t, key, size_t, size, int, shmflg)
739{
740 return ksys_shmget(key, size, shmflg);
741}
742
1da177e4
LT		 743static inline unsigned long copy_shmid_to_user(void __user *buf, struct shmid64_ds *in, int version)
744{
239521f3 745 switch (version) {
1da177e4
LT		 746 case IPC_64:
747 return copy_to_user(buf, in, sizeof(*in));
748 case IPC_OLD:
749 {
750 struct shmid_ds out;
751
3af54c9b 752 memset(&out, 0, sizeof(out));
1da177e4
LT		 753 ipc64_perm_to_ipc_perm(&in->shm_perm, &out.shm_perm);
754 out.shm_segsz = in->shm_segsz;
755 out.shm_atime = in->shm_atime;
756 out.shm_dtime = in->shm_dtime;
757 out.shm_ctime = in->shm_ctime;
758 out.shm_cpid = in->shm_cpid;
759 out.shm_lpid = in->shm_lpid;
760 out.shm_nattch = in->shm_nattch;
761
762 return copy_to_user(buf, &out, sizeof(out));
763 }
764 default:
765 return -EINVAL;
766 }
767}
768
016d7132
PP		 769static inline unsigned long
770copy_shmid_from_user(struct shmid64_ds *out, void __user *buf, int version)
1da177e4 771{
239521f3 772 switch (version) {
1da177e4 773 case IPC_64:
016d7132 774 if (copy_from_user(out, buf, sizeof(*out)))
1da177e4 775 return -EFAULT;
1da177e4 776 return 0;
1da177e4
LT		 777 case IPC_OLD:
778 {
779 struct shmid_ds tbuf_old;
780
781 if (copy_from_user(&tbuf_old, buf, sizeof(tbuf_old)))
782 return -EFAULT;
783
016d7132
PP		 784 out->shm_perm.uid = tbuf_old.shm_perm.uid;
785 out->shm_perm.gid = tbuf_old.shm_perm.gid;
786 out->shm_perm.mode = tbuf_old.shm_perm.mode;
1da177e4
LT		 787
788 return 0;
789 }
790 default:
791 return -EINVAL;
792 }
793}
794
795static inline unsigned long copy_shminfo_to_user(void __user *buf, struct shminfo64 *in, int version)
796{
239521f3 797 switch (version) {
1da177e4
LT		 798 case IPC_64:
799 return copy_to_user(buf, in, sizeof(*in));
800 case IPC_OLD:
801 {
802 struct shminfo out;
803
239521f3 804 if (in->shmmax > INT_MAX)
1da177e4
LT		 805 out.shmmax = INT_MAX;
806 else
807 out.shmmax = (int)in->shmmax;
808
809 out.shmmin = in->shmmin;
810 out.shmmni = in->shmmni;
811 out.shmseg = in->shmseg;
46c0a8ca 812 out.shmall = in->shmall;
1da177e4
LT		 813
814 return copy_to_user(buf, &out, sizeof(out));
815 }
816 default:
817 return -EINVAL;
818 }
819}
820
b7952180
HD		 821/*
822 * Calculate and add used RSS and swap pages of a shm.
d9a605e4 823 * Called with shm_ids.rwsem held as a reader
b7952180
HD		 824 */
825static void shm_add_rss_swap(struct shmid_kernel *shp,
826 unsigned long *rss_add, unsigned long *swp_add)
827{
828 struct inode *inode;
829
496ad9aa 830 inode = file_inode(shp->shm_file);
b7952180
HD		 831
832 if (is_file_hugepages(shp->shm_file)) {
833 struct address_space *mapping = inode->i_mapping;
834 struct hstate *h = hstate_file(shp->shm_file);
835 *rss_add += pages_per_huge_page(h) * mapping->nrpages;
836 } else {
837#ifdef CONFIG_SHMEM
838 struct shmem_inode_info *info = SHMEM_I(inode);
63980c80 839
4595ef88 840 spin_lock_irq(&info->lock);
b7952180
HD		 841 *rss_add += inode->i_mapping->nrpages;
842 *swp_add += info->swapped;
4595ef88 843 spin_unlock_irq(&info->lock);
b7952180
HD		 844#else
845 *rss_add += inode->i_mapping->nrpages;
846#endif
847 }
848}
849
f4566f04 850/*
d9a605e4 851 * Called with shm_ids.rwsem held as a reader
f4566f04 852 */
4e982311
KK		 853static void shm_get_stat(struct ipc_namespace *ns, unsigned long *rss,
854 unsigned long *swp)
1da177e4 855{
7ca7e564
ND		 856 int next_id;
857 int total, in_use;
1da177e4
LT		 858
859 *rss = 0;
860 *swp = 0;
861
7ca7e564
ND		 862 in_use = shm_ids(ns).in_use;
863
864 for (total = 0, next_id = 0; total < in_use; next_id++) {
e562aebc 865 struct kern_ipc_perm *ipc;
1da177e4 866 struct shmid_kernel *shp;
1da177e4 867
e562aebc
TB		 868 ipc = idr_find(&shm_ids(ns).ipcs_idr, next_id);
869 if (ipc == NULL)
1da177e4 870 continue;
e562aebc 871 shp = container_of(ipc, struct shmid_kernel, shm_perm);
1da177e4 872
b7952180 873 shm_add_rss_swap(shp, rss, swp);
7ca7e564
ND		 874
875 total++;
1da177e4
LT		 876 }
877}
878
8d4cc8b5 879/*
d9a605e4 880 * This function handles some shmctl commands which require the rwsem
8d4cc8b5 881 * to be held in write mode.
d9a605e4 882 * NOTE: no locks must be held, the rwsem is taken inside this function.
8d4cc8b5
PP		 883 */
884static int shmctl_down(struct ipc_namespace *ns, int shmid, int cmd,
9ba720c1 885 struct shmid64_ds *shmid64)
1da177e4 886{
8d4cc8b5 887 struct kern_ipc_perm *ipcp;
8d4cc8b5
PP		 888 struct shmid_kernel *shp;
889 int err;
890
d9a605e4 891 down_write(&shm_ids(ns).rwsem);
7b4cc5d8
DB		 892 rcu_read_lock();
893
4241c1a3 894 ipcp = ipcctl_obtain_check(ns, &shm_ids(ns), shmid, cmd,
9ba720c1 895 &shmid64->shm_perm, 0);
7b4cc5d8
DB		 896 if (IS_ERR(ipcp)) {
897 err = PTR_ERR(ipcp);
7b4cc5d8
DB		 898 goto out_unlock1;
899 }
8d4cc8b5 900
a5f75e7f 901 shp = container_of(ipcp, struct shmid_kernel, shm_perm);
8d4cc8b5 902
7191adff 903 err = security_shm_shmctl(&shp->shm_perm, cmd);
8d4cc8b5 904 if (err)
79ccf0f8 905 goto out_unlock1;
7b4cc5d8 906
8d4cc8b5
PP		 907 switch (cmd) {
908 case IPC_RMID:
79ccf0f8 909 ipc_lock_object(&shp->shm_perm);
7b4cc5d8 910 /* do_shm_rmid unlocks the ipc object and rcu */
8d4cc8b5
PP		 911 do_shm_rmid(ns, ipcp);
912 goto out_up;
913 case IPC_SET:
79ccf0f8 914 ipc_lock_object(&shp->shm_perm);
9ba720c1 915 err = ipc_update_perm(&shmid64->shm_perm, ipcp);
1efdb69b 916 if (err)
7b4cc5d8 917 goto out_unlock0;
7ff2819e 918 shp->shm_ctim = ktime_get_real_seconds();
8d4cc8b5
PP		 919 break;
920 default:
921 err = -EINVAL;
79ccf0f8 922 goto out_unlock1;
8d4cc8b5 923 }
7b4cc5d8
DB		 924
925out_unlock0:
926 ipc_unlock_object(&shp->shm_perm);
927out_unlock1:
928 rcu_read_unlock();
8d4cc8b5 929out_up:
d9a605e4 930 up_write(&shm_ids(ns).rwsem);
8d4cc8b5
PP		 931 return err;
932}
933
9ba720c1
AV		 934static int shmctl_ipc_info(struct ipc_namespace *ns,
935 struct shminfo64 *shminfo)
8d4cc8b5 936{
9ba720c1
AV		 937 int err = security_shm_shmctl(NULL, IPC_INFO);
938 if (!err) {
939 memset(shminfo, 0, sizeof(*shminfo));
940 shminfo->shmmni = shminfo->shmseg = ns->shm_ctlmni;
941 shminfo->shmmax = ns->shm_ctlmax;
942 shminfo->shmall = ns->shm_ctlall;
943 shminfo->shmmin = SHMMIN;
d9a605e4 944 down_read(&shm_ids(ns).rwsem);
27c331a1 945 err = ipc_get_maxidx(&shm_ids(ns));
d9a605e4 946 up_read(&shm_ids(ns).rwsem);
239521f3 947 if (err < 0)
1da177e4 948 err = 0;
1da177e4 949 }
9ba720c1
AV		 950 return err;
951}
1da177e4 952
9ba720c1
AV		 953static int shmctl_shm_info(struct ipc_namespace *ns,
954 struct shm_info *shm_info)
955{
956 int err = security_shm_shmctl(NULL, SHM_INFO);
957 if (!err) {
958 memset(shm_info, 0, sizeof(*shm_info));
d9a605e4 959 down_read(&shm_ids(ns).rwsem);
9ba720c1
AV		 960 shm_info->used_ids = shm_ids(ns).in_use;
961 shm_get_stat(ns, &shm_info->shm_rss, &shm_info->shm_swp);
962 shm_info->shm_tot = ns->shm_tot;
963 shm_info->swap_attempts = 0;
964 shm_info->swap_successes = 0;
27c331a1 965 err = ipc_get_maxidx(&shm_ids(ns));
d9a605e4 966 up_read(&shm_ids(ns).rwsem);
9ba720c1
AV		 967 if (err < 0)
968 err = 0;
1da177e4 969 }
9ba720c1
AV		 970 return err;
971}
c97cb9cc 972
9ba720c1
AV		 973static int shmctl_stat(struct ipc_namespace *ns, int shmid,
974 int cmd, struct shmid64_ds *tbuf)
975{
976 struct shmid_kernel *shp;
9ba720c1 977 int err;
c97cb9cc 978
87ad4b0d
PM		 979 memset(tbuf, 0, sizeof(*tbuf));
980
9ba720c1 981 rcu_read_lock();
c21a6970 982 if (cmd == SHM_STAT || cmd == SHM_STAT_ANY) {
9ba720c1
AV		 983 shp = shm_obtain_object(ns, shmid);
984 if (IS_ERR(shp)) {
985 err = PTR_ERR(shp);
986 goto out_unlock;
987 }
c21a6970 988 } else { /* IPC_STAT */
9ba720c1
AV		 989 shp = shm_obtain_object_check(ns, shmid);
990 if (IS_ERR(shp)) {
991 err = PTR_ERR(shp);
1da177e4 992 goto out_unlock;
1da177e4 993 }
9ba720c1 994 }
1da177e4 995
c21a6970
DB		 996 /*
997 * Semantically SHM_STAT_ANY ought to be identical to
998 * that functionality provided by the /proc/sysvipc/
999 * interface. As such, only audit these calls and
1000 * do not do traditional S_IRUGO permission checks on
1001 * the ipc object.
1002 */
1003 if (cmd == SHM_STAT_ANY)
1004 audit_ipc_obj(&shp->shm_perm);
1005 else {
1006 err = -EACCES;
1007 if (ipcperms(ns, &shp->shm_perm, S_IRUGO))
1008 goto out_unlock;
1009 }
c97cb9cc 1010
7191adff 1011 err = security_shm_shmctl(&shp->shm_perm, cmd);
9ba720c1
AV		 1012 if (err)
1013 goto out_unlock;
1014
87ad4b0d
PM		 1015 ipc_lock_object(&shp->shm_perm);
1016
1017 if (!ipc_valid_object(&shp->shm_perm)) {
1018 ipc_unlock_object(&shp->shm_perm);
1019 err = -EIDRM;
1020 goto out_unlock;
1021 }
1022
9ba720c1
AV		 1023 kernel_to_ipc64_perm(&shp->shm_perm, &tbuf->shm_perm);
1024 tbuf->shm_segsz = shp->shm_segsz;
1025 tbuf->shm_atime = shp->shm_atim;
1026 tbuf->shm_dtime = shp->shm_dtim;
1027 tbuf->shm_ctime = shp->shm_ctim;
c2ab975c
AB		 1028#ifndef CONFIG_64BIT
1029 tbuf->shm_atime_high = shp->shm_atim >> 32;
1030 tbuf->shm_dtime_high = shp->shm_dtim >> 32;
1031 tbuf->shm_ctime_high = shp->shm_ctim >> 32;
1032#endif
98f929b1
EB		 1033 tbuf->shm_cpid = pid_vnr(shp->shm_cprid);
1034 tbuf->shm_lpid = pid_vnr(shp->shm_lprid);
9ba720c1 1035 tbuf->shm_nattch = shp->shm_nattch;
87ad4b0d 1036
615c999c
MS		 1037 if (cmd == IPC_STAT) {
1038 /*
1039 * As defined in SUS:
1040 * Return 0 on success
1041 */
1042 err = 0;
1043 } else {
1044 /*
1045 * SHM_STAT and SHM_STAT_ANY (both Linux specific)
1046 * Return the full id, including the sequence number
1047 */
1048 err = shp->shm_perm.id;
1049 }
68eccc1d 1050
615c999c 1051 ipc_unlock_object(&shp->shm_perm);
68eccc1d 1052out_unlock:
c97cb9cc 1053 rcu_read_unlock();
68eccc1d
DB		 1054 return err;
1055}
1056
9ba720c1 1057static int shmctl_do_lock(struct ipc_namespace *ns, int shmid, int cmd)
68eccc1d
DB		 1058{
1059 struct shmid_kernel *shp;
9ba720c1
AV		 1060 struct file *shm_file;
1061 int err;
68eccc1d 1062
9ba720c1
AV		 1063 rcu_read_lock();
1064 shp = shm_obtain_object_check(ns, shmid);
1065 if (IS_ERR(shp)) {
1066 err = PTR_ERR(shp);
1067 goto out_unlock1;
1da177e4 1068 }
c97cb9cc 1069
9ba720c1 1070 audit_ipc_obj(&(shp->shm_perm));
7191adff 1071 err = security_shm_shmctl(&shp->shm_perm, cmd);
9ba720c1
AV		 1072 if (err)
1073 goto out_unlock1;
c97cb9cc 1074
9ba720c1 1075 ipc_lock_object(&shp->shm_perm);
c97cb9cc 1076
9ba720c1
AV		 1077 /* check if shm_destroy() is tearing down shp */
1078 if (!ipc_valid_object(&shp->shm_perm)) {
1079 err = -EIDRM;
1080 goto out_unlock0;
1da177e4 1081 }
073115d6 1082
9ba720c1
AV		 1083 if (!ns_capable(ns->user_ns, CAP_IPC_LOCK)) {
1084 kuid_t euid = current_euid();
0f3d2b01 1085
9ba720c1
AV		 1086 if (!uid_eq(euid, shp->shm_perm.uid) &&
1087 !uid_eq(euid, shp->shm_perm.cuid)) {
1088 err = -EPERM;
0f3d2b01
RA		 1089 goto out_unlock0;
1090 }
9ba720c1
AV		 1091 if (cmd == SHM_LOCK && !rlimit(RLIMIT_MEMLOCK)) {
1092 err = -EPERM;
1093 goto out_unlock0;
1da177e4 1094 }
68eccc1d
DB		 1095 }
1096
9ba720c1
AV		 1097 shm_file = shp->shm_file;
1098 if (is_file_hugepages(shm_file))
1099 goto out_unlock0;
85046579 1100
9ba720c1 1101 if (cmd == SHM_LOCK) {
d7c9e99a 1102 struct ucounts *ucounts = current_ucounts();
63980c80 1103
d7c9e99a 1104 err = shmem_lock(shm_file, 1, ucounts);
9ba720c1
AV		 1105 if (!err && !(shp->shm_perm.mode & SHM_LOCKED)) {
1106 shp->shm_perm.mode |= SHM_LOCKED;
d7c9e99a 1107 shp->mlock_ucounts = ucounts;
1da177e4 1108 }
9ba720c1 1109 goto out_unlock0;
1da177e4
LT		 1110 }
1111
9ba720c1
AV		 1112 /* SHM_UNLOCK */
1113 if (!(shp->shm_perm.mode & SHM_LOCKED))
1114 goto out_unlock0;
d7c9e99a 1115 shmem_lock(shm_file, 0, shp->mlock_ucounts);
9ba720c1 1116 shp->shm_perm.mode &= ~SHM_LOCKED;
d7c9e99a 1117 shp->mlock_ucounts = NULL;
9ba720c1
AV		 1118 get_file(shm_file);
1119 ipc_unlock_object(&shp->shm_perm);
1120 rcu_read_unlock();
1121 shmem_unlock_mapping(shm_file->f_mapping);
1122
1123 fput(shm_file);
1124 return err;
1125
2caacaa8
DB		 1126out_unlock0:
1127 ipc_unlock_object(&shp->shm_perm);
1128out_unlock1:
c97cb9cc 1129 rcu_read_unlock();
68eccc1d
DB		 1130 return err;
1131}
1132
275f2214 1133static long ksys_shmctl(int shmid, int cmd, struct shmid_ds __user *buf, int version)
68eccc1d 1134{
275f2214 1135 int err;
68eccc1d 1136 struct ipc_namespace *ns;
553f770e 1137 struct shmid64_ds sem64;
68eccc1d 1138
2caacaa8
DB		 1139 if (cmd < 0 || shmid < 0)
1140 return -EINVAL;
68eccc1d 1141
68eccc1d
DB		 1142 ns = current->nsproxy->ipc_ns;
1143
1144 switch (cmd) {
9ba720c1
AV		 1145 case IPC_INFO: {
1146 struct shminfo64 shminfo;
1147 err = shmctl_ipc_info(ns, &shminfo);
1148 if (err < 0)
1149 return err;
1150 if (copy_shminfo_to_user(buf, &shminfo, version))
1151 err = -EFAULT;
1152 return err;
1153 }
1154 case SHM_INFO: {
1155 struct shm_info shm_info;
1156 err = shmctl_shm_info(ns, &shm_info);
1157 if (err < 0)
1158 return err;
1159 if (copy_to_user(buf, &shm_info, sizeof(shm_info)))
1160 err = -EFAULT;
1161 return err;
1162 }
68eccc1d 1163 case SHM_STAT:
c21a6970 1164 case SHM_STAT_ANY:
9ba720c1 1165 case IPC_STAT: {
553f770e 1166 err = shmctl_stat(ns, shmid, cmd, &sem64);
9ba720c1
AV		 1167 if (err < 0)
1168 return err;
553f770e 1169 if (copy_shmid_to_user(buf, &sem64, version))
9ba720c1
AV		 1170 err = -EFAULT;
1171 return err;
1172 }
2caacaa8 1173 case IPC_SET:
553f770e 1174 if (copy_shmid_from_user(&sem64, buf, version))
9ba720c1 1175 return -EFAULT;
df561f66 1176 fallthrough;
9ba720c1 1177 case IPC_RMID:
553f770e 1178 return shmctl_down(ns, shmid, cmd, &sem64);
1da177e4
LT		 1179 case SHM_LOCK:
1180 case SHM_UNLOCK:
9ba720c1
AV		 1181 return shmctl_do_lock(ns, shmid, cmd);
1182 default:
1183 return -EINVAL;
1184 }
1185}
89e004ea 1186
c84d0791
DB		 1187SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf)
1188{
275f2214
AB		 1189 return ksys_shmctl(shmid, cmd, buf, IPC_64);
1190}
1191
1192#ifdef CONFIG_ARCH_WANT_IPC_PARSE_VERSION
1193long ksys_old_shmctl(int shmid, int cmd, struct shmid_ds __user *buf)
1194{
1195 int version = ipc_parse_version(&cmd);
1196
1197 return ksys_shmctl(shmid, cmd, buf, version);
1198}
1199
1200SYSCALL_DEFINE3(old_shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf)
1201{
1202 return ksys_old_shmctl(shmid, cmd, buf);
c84d0791 1203}
275f2214 1204#endif
c84d0791 1205
553f770e
AV		 1206#ifdef CONFIG_COMPAT
1207
1208struct compat_shmid_ds {
1209 struct compat_ipc_perm shm_perm;
1210 int shm_segsz;
9afc5eee
AB		 1211 old_time32_t shm_atime;
1212 old_time32_t shm_dtime;
1213 old_time32_t shm_ctime;
553f770e
AV		 1214 compat_ipc_pid_t shm_cpid;
1215 compat_ipc_pid_t shm_lpid;
1216 unsigned short shm_nattch;
1217 unsigned short shm_unused;
1218 compat_uptr_t shm_unused2;
1219 compat_uptr_t shm_unused3;
1220};
1da177e4 1221
553f770e
AV		 1222struct compat_shminfo64 {
1223 compat_ulong_t shmmax;
1224 compat_ulong_t shmmin;
1225 compat_ulong_t shmmni;
1226 compat_ulong_t shmseg;
1227 compat_ulong_t shmall;
1228 compat_ulong_t __unused1;
1229 compat_ulong_t __unused2;
1230 compat_ulong_t __unused3;
1231 compat_ulong_t __unused4;
1232};
073115d6 1233
553f770e
AV		 1234struct compat_shm_info {
1235 compat_int_t used_ids;
1236 compat_ulong_t shm_tot, shm_rss, shm_swp;
1237 compat_ulong_t swap_attempts, swap_successes;
1238};
0f3d2b01 1239
553f770e
AV		 1240static int copy_compat_shminfo_to_user(void __user *buf, struct shminfo64 *in,
1241 int version)
1242{
1243 if (in->shmmax > INT_MAX)
1244 in->shmmax = INT_MAX;
1245 if (version == IPC_64) {
1246 struct compat_shminfo64 info;
1247 memset(&info, 0, sizeof(info));
1248 info.shmmax = in->shmmax;
1249 info.shmmin = in->shmmin;
1250 info.shmmni = in->shmmni;
1251 info.shmseg = in->shmseg;
1252 info.shmall = in->shmall;
1253 return copy_to_user(buf, &info, sizeof(info));
1254 } else {
1255 struct shminfo info;
1256 memset(&info, 0, sizeof(info));
1257 info.shmmax = in->shmmax;
1258 info.shmmin = in->shmmin;
1259 info.shmmni = in->shmmni;
1260 info.shmseg = in->shmseg;
1261 info.shmall = in->shmall;
1262 return copy_to_user(buf, &info, sizeof(info));
1263 }
1264}
0f3d2b01 1265
553f770e
AV		 1266static int put_compat_shm_info(struct shm_info *ip,
1267 struct compat_shm_info __user *uip)
1268{
1269 struct compat_shm_info info;
1270
1271 memset(&info, 0, sizeof(info));
1272 info.used_ids = ip->used_ids;
1273 info.shm_tot = ip->shm_tot;
1274 info.shm_rss = ip->shm_rss;
1275 info.shm_swp = ip->shm_swp;
1276 info.swap_attempts = ip->swap_attempts;
1277 info.swap_successes = ip->swap_successes;
b776e4b1 1278 return copy_to_user(uip, &info, sizeof(info));
553f770e 1279}
1da177e4 1280
553f770e
AV		 1281static int copy_compat_shmid_to_user(void __user *buf, struct shmid64_ds *in,
1282 int version)
1283{
1284 if (version == IPC_64) {
1285 struct compat_shmid64_ds v;
1286 memset(&v, 0, sizeof(v));
28327fae 1287 to_compat_ipc64_perm(&v.shm_perm, &in->shm_perm);
c2ab975c
AB		 1288 v.shm_atime = lower_32_bits(in->shm_atime);
1289 v.shm_atime_high = upper_32_bits(in->shm_atime);
1290 v.shm_dtime = lower_32_bits(in->shm_dtime);
1291 v.shm_dtime_high = upper_32_bits(in->shm_dtime);
1292 v.shm_ctime = lower_32_bits(in->shm_ctime);
1293 v.shm_ctime_high = upper_32_bits(in->shm_ctime);
553f770e
AV		 1294 v.shm_segsz = in->shm_segsz;
1295 v.shm_nattch = in->shm_nattch;
1296 v.shm_cpid = in->shm_cpid;
1297 v.shm_lpid = in->shm_lpid;
1298 return copy_to_user(buf, &v, sizeof(v));
1299 } else {
1300 struct compat_shmid_ds v;
1301 memset(&v, 0, sizeof(v));
28327fae 1302 to_compat_ipc_perm(&v.shm_perm, &in->shm_perm);
553f770e 1303 v.shm_perm.key = in->shm_perm.key;
553f770e
AV		 1304 v.shm_atime = in->shm_atime;
1305 v.shm_dtime = in->shm_dtime;
1306 v.shm_ctime = in->shm_ctime;
1307 v.shm_segsz = in->shm_segsz;
1308 v.shm_nattch = in->shm_nattch;
1309 v.shm_cpid = in->shm_cpid;
1310 v.shm_lpid = in->shm_lpid;
1311 return copy_to_user(buf, &v, sizeof(v));
1312 }
1313}
85046579 1314
553f770e
AV		 1315static int copy_compat_shmid_from_user(struct shmid64_ds *out, void __user *buf,
1316 int version)
1317{
1318 memset(out, 0, sizeof(*out));
1319 if (version == IPC_64) {
6aa211e8 1320 struct compat_shmid64_ds __user *p = buf;
28327fae 1321 return get_compat_ipc64_perm(&out->shm_perm, &p->shm_perm);
553f770e 1322 } else {
6aa211e8 1323 struct compat_shmid_ds __user *p = buf;
28327fae 1324 return get_compat_ipc_perm(&out->shm_perm, &p->shm_perm);
553f770e 1325 }
553f770e 1326}
63980c80 1327
1cd377ba 1328static long compat_ksys_shmctl(int shmid, int cmd, void __user *uptr, int version)
553f770e
AV		 1329{
1330 struct ipc_namespace *ns;
1331 struct shmid64_ds sem64;
553f770e 1332 int err;
85046579 1333
553f770e
AV		 1334 ns = current->nsproxy->ipc_ns;
1335
1336 if (cmd < 0 || shmid < 0)
1337 return -EINVAL;
2caacaa8 1338
553f770e
AV		 1339 switch (cmd) {
1340 case IPC_INFO: {
1341 struct shminfo64 shminfo;
1342 err = shmctl_ipc_info(ns, &shminfo);
1343 if (err < 0)
1344 return err;
1345 if (copy_compat_shminfo_to_user(uptr, &shminfo, version))
1346 err = -EFAULT;
1347 return err;
1348 }
1349 case SHM_INFO: {
1350 struct shm_info shm_info;
1351 err = shmctl_shm_info(ns, &shm_info);
1352 if (err < 0)
1353 return err;
1354 if (put_compat_shm_info(&shm_info, uptr))
1355 err = -EFAULT;
8d4cc8b5 1356 return err;
2caacaa8 1357 }
553f770e 1358 case IPC_STAT:
c21a6970 1359 case SHM_STAT_ANY:
553f770e
AV		 1360 case SHM_STAT:
1361 err = shmctl_stat(ns, shmid, cmd, &sem64);
1362 if (err < 0)
1363 return err;
58aff0af 1364 if (copy_compat_shmid_to_user(uptr, &sem64, version))
553f770e
AV		 1365 err = -EFAULT;
1366 return err;
1367
1368 case IPC_SET:
1369 if (copy_compat_shmid_from_user(&sem64, uptr, version))
1370 return -EFAULT;
df561f66 1371 fallthrough;
553f770e
AV		 1372 case IPC_RMID:
1373 return shmctl_down(ns, shmid, cmd, &sem64);
1374 case SHM_LOCK:
1375 case SHM_UNLOCK:
1376 return shmctl_do_lock(ns, shmid, cmd);
1da177e4 1377 default:
8d4cc8b5 1378 return -EINVAL;
1da177e4 1379 }
1da177e4
LT		 1380 return err;
1381}
c84d0791
DB		 1382
1383COMPAT_SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, void __user *, uptr)
1384{
275f2214 1385 return compat_ksys_shmctl(shmid, cmd, uptr, IPC_64);
c84d0791 1386}
275f2214
AB		 1387
1388#ifdef CONFIG_ARCH_WANT_COMPAT_IPC_PARSE_VERSION
1389long compat_ksys_old_shmctl(int shmid, int cmd, void __user *uptr)
1390{
1391 int version = compat_ipc_parse_version(&cmd);
1392
1393 return compat_ksys_shmctl(shmid, cmd, uptr, version);
1394}
1395
1396COMPAT_SYSCALL_DEFINE3(old_shmctl, int, shmid, int, cmd, void __user *, uptr)
1397{
1398 return compat_ksys_old_shmctl(shmid, cmd, uptr);
1399}
1400#endif
553f770e 1401#endif
1da177e4
LT		 1402
1403/*
1404 * Fix shmaddr, allocate descriptor, map shm, add attach descriptor to lists.
1405 *
1406 * NOTE! Despite the name, this is NOT a direct system call entrypoint. The
1407 * "raddr" thing points to kernel space, and there has to be a wrapper around
1408 * this.
1409 */
95e91b83
DB		 1410long do_shmat(int shmid, char __user *shmaddr, int shmflg,
1411 ulong *raddr, unsigned long shmlba)
1da177e4
LT		 1412{
1413 struct shmid_kernel *shp;
f0cb8802 1414 unsigned long addr = (unsigned long)shmaddr;
1da177e4 1415 unsigned long size;
4f089acc 1416 struct file *file, *base;
1da177e4 1417 int err;
f0cb8802 1418 unsigned long flags = MAP_SHARED;
1da177e4 1419 unsigned long prot;
1da177e4 1420 int acc_mode;
4e982311 1421 struct ipc_namespace *ns;
bc56bba8 1422 struct shm_file_data *sfd;
c9c554f2 1423 int f_flags;
41badc15 1424 unsigned long populate = 0;
1da177e4 1425
bc56bba8
EB		 1426 err = -EINVAL;
1427 if (shmid < 0)
1da177e4 1428 goto out;
f0cb8802
DB		 1429
1430 if (addr) {
079a96ae 1431 if (addr & (shmlba - 1)) {
8f89c007 1432 if (shmflg & SHM_RND) {
a73ab244 1433 addr &= ~(shmlba - 1); /* round down */
8f89c007
DB		 1434
1435 /*
1436 * Ensure that the round-down is non-nil
1437 * when remapping. This can happen for
1438 * cases when addr < shmlba.
1439 */
1440 if (!addr && (shmflg & SHM_REMAP))
1441 goto out;
1442 } else
1da177e4
LT		 1443#ifndef __ARCH_FORCE_SHMLBA
1444 if (addr & ~PAGE_MASK)
1445#endif
bc56bba8 1446 goto out;
1da177e4 1447 }
1da177e4 1448
f0cb8802
DB		 1449 flags |= MAP_FIXED;
1450 } else if ((shmflg & SHM_REMAP))
1451 goto out;
1da177e4
LT		 1452
1453 if (shmflg & SHM_RDONLY) {
1454 prot = PROT_READ;
1da177e4 1455 acc_mode = S_IRUGO;
c9c554f2 1456 f_flags = O_RDONLY;
1da177e4
LT		 1457 } else {
1458 prot = PROT_READ | PROT_WRITE;
1da177e4 1459 acc_mode = S_IRUGO | S_IWUGO;
c9c554f2 1460 f_flags = O_RDWR;
1da177e4
LT		 1461 }
1462 if (shmflg & SHM_EXEC) {
1463 prot |= PROT_EXEC;
1464 acc_mode |= S_IXUGO;
1465 }
1466
1467 /*
1468 * We cannot rely on the fs check since SYSV IPC does have an
1469 * additional creator id...
1470 */
4e982311 1471 ns = current->nsproxy->ipc_ns;
c2c737a0
DB		 1472 rcu_read_lock();
1473 shp = shm_obtain_object_check(ns, shmid);
023a5355
ND		 1474 if (IS_ERR(shp)) {
1475 err = PTR_ERR(shp);
c2c737a0 1476 goto out_unlock;
023a5355 1477 }
bc56bba8
EB		 1478
1479 err = -EACCES;
b0e77598 1480 if (ipcperms(ns, &shp->shm_perm, acc_mode))
bc56bba8 1481 goto out_unlock;
1da177e4 1482
7191adff 1483 err = security_shm_shmat(&shp->shm_perm, shmaddr, shmflg);
bc56bba8
EB		 1484 if (err)
1485 goto out_unlock;
1486
c2c737a0 1487 ipc_lock_object(&shp->shm_perm);
a399b29d
GT		 1488
1489 /* check if shm_destroy() is tearing down shp */
0f3d2b01 1490 if (!ipc_valid_object(&shp->shm_perm)) {
a399b29d
GT		 1491 ipc_unlock_object(&shp->shm_perm);
1492 err = -EIDRM;
1493 goto out_unlock;
1494 }
1495
4f089acc
AV		 1496 /*
1497 * We need to take a reference to the real shm file to prevent the
1498 * pointer from becoming stale in cases where the lifetime of the outer
1499 * file extends beyond that of the shm segment. It's not usually
1500 * possible, but it can happen during remap_file_pages() emulation as
1501 * that unmaps the memory, then does ->mmap() via file reference only.
1502 * We'll deny the ->mmap() if the shm segment was since removed, but to
1503 * detect shm ID reuse we need to compare the file pointers.
1504 */
1505 base = get_file(shp->shm_file);
1da177e4 1506 shp->shm_nattch++;
4f089acc 1507 size = i_size_read(file_inode(base));
c2c737a0
DB		 1508 ipc_unlock_object(&shp->shm_perm);
1509 rcu_read_unlock();
1da177e4 1510
bc56bba8
EB		 1511 err = -ENOMEM;
1512 sfd = kzalloc(sizeof(*sfd), GFP_KERNEL);
f42569b1 1513 if (!sfd) {
4f089acc 1514 fput(base);
f42569b1
DB		 1515 goto out_nattch;
1516 }
bc56bba8 1517
4f089acc
AV		 1518 file = alloc_file_clone(base, f_flags,
1519 is_file_hugepages(base) ?
c4caa778
AV		 1520 &shm_file_operations_huge :
1521 &shm_file_operations);
39b65252 1522 err = PTR_ERR(file);
f42569b1
DB		 1523 if (IS_ERR(file)) {
1524 kfree(sfd);
4f089acc 1525 fput(base);
f42569b1
DB		 1526 goto out_nattch;
1527 }
bc56bba8 1528
7ca7e564 1529 sfd->id = shp->shm_perm.id;
bc56bba8 1530 sfd->ns = get_ipc_ns(ns);
4f089acc 1531 sfd->file = base;
bc56bba8 1532 sfd->vm_ops = NULL;
4f089acc 1533 file->private_data = sfd;
bc56bba8 1534
8b3ec681
AV		 1535 err = security_mmap_file(file, prot, flags);
1536 if (err)
1537 goto out_fput;
1538
d8ed45c5 1539 if (mmap_write_lock_killable(current->mm)) {
91f4f94e
MH		 1540 err = -EINTR;
1541 goto out_fput;
1542 }
1543
1da177e4 1544 if (addr && !(shmflg & SHM_REMAP)) {
bc56bba8 1545 err = -EINVAL;
247a8ce8
MS		 1546 if (addr + size < addr)
1547 goto invalid;
1548
1da177e4
LT		 1549 if (find_vma_intersection(current->mm, addr, addr + size))
1550 goto invalid;
1da177e4 1551 }
f42569b1 1552
45e55300 1553 addr = do_mmap(file, addr, size, prot, flags, 0, &populate, NULL);
bebeb3d6 1554 *raddr = addr;
bc56bba8 1555 err = 0;
bebeb3d6
ML		 1556 if (IS_ERR_VALUE(addr))
1557 err = (long)addr;
1da177e4 1558invalid:
d8ed45c5 1559 mmap_write_unlock(current->mm);
bebeb3d6 1560 if (populate)
41badc15 1561 mm_populate(addr, populate);
1da177e4 1562
8b3ec681 1563out_fput:
bc56bba8
EB		 1564 fput(file);
1565
1566out_nattch:
d9a605e4 1567 down_write(&shm_ids(ns).rwsem);
00c2bf85 1568 shp = shm_lock(ns, shmid);
1da177e4 1569 shp->shm_nattch--;
b34a6b1d 1570 if (shm_may_destroy(ns, shp))
4e982311 1571 shm_destroy(ns, shp);
1da177e4
LT		 1572 else
1573 shm_unlock(shp);
d9a605e4 1574 up_write(&shm_ids(ns).rwsem);
1da177e4 1575 return err;
bc56bba8
EB		 1576
1577out_unlock:
c2c737a0 1578 rcu_read_unlock();
f42569b1
DB		 1579out:
1580 return err;
1da177e4
LT		 1581}
1582
d5460c99 1583SYSCALL_DEFINE3(shmat, int, shmid, char __user *, shmaddr, int, shmflg)
7d87e14c
SR		 1584{
1585 unsigned long ret;
1586 long err;
1587
079a96ae 1588 err = do_shmat(shmid, shmaddr, shmflg, &ret, SHMLBA);
7d87e14c
SR		 1589 if (err)
1590 return err;
1591 force_successful_syscall_return();
1592 return (long)ret;
1593}
1594
a78ee9ed
AV		 1595#ifdef CONFIG_COMPAT
1596
1597#ifndef COMPAT_SHMLBA
1598#define COMPAT_SHMLBA SHMLBA
1599#endif
1600
1601COMPAT_SYSCALL_DEFINE3(shmat, int, shmid, compat_uptr_t, shmaddr, int, shmflg)
1602{
1603 unsigned long ret;
1604 long err;
1605
1606 err = do_shmat(shmid, compat_ptr(shmaddr), shmflg, &ret, COMPAT_SHMLBA);
1607 if (err)
1608 return err;
1609 force_successful_syscall_return();
1610 return (long)ret;
1611}
1612#endif
1613
1da177e4
LT		 1614/*
1615 * detach and kill segment if marked destroyed.
1616 * The work is done in shm_close.
1617 */
da1e2744 1618long ksys_shmdt(char __user *shmaddr)
1da177e4
LT		 1619{
1620 struct mm_struct *mm = current->mm;
586c7e6a 1621 struct vm_area_struct *vma;
1da177e4 1622 unsigned long addr = (unsigned long)shmaddr;
1da177e4 1623 int retval = -EINVAL;
586c7e6a
MF		 1624#ifdef CONFIG_MMU
1625 loff_t size = 0;
d3c97900 1626 struct file *file;
586c7e6a
MF		 1627 struct vm_area_struct *next;
1628#endif
1da177e4 1629
df1e2fb5
HD		 1630 if (addr & ~PAGE_MASK)
1631 return retval;
1632
d8ed45c5 1633 if (mmap_write_lock_killable(mm))
91f4f94e 1634 return -EINTR;
1da177e4
LT		 1635
1636 /*
1637 * This function tries to be smart and unmap shm segments that
1638 * were modified by partial mlock or munmap calls:
1639 * - It first determines the size of the shm segment that should be
1640 * unmapped: It searches for a vma that is backed by shm and that
1641 * started at address shmaddr. It records it's size and then unmaps
1642 * it.
1643 * - Then it unmaps all shm vmas that started at shmaddr and that
d3c97900
DH		 1644 * are within the initially determined size and that are from the
1645 * same shm segment from which we determined the size.
1da177e4
LT		 1646 * Errors from do_munmap are ignored: the function only fails if
1647 * it's called with invalid parameters or if it's called to unmap
1648 * a part of a vma. Both calls in this function are for full vmas,
1649 * the parameters are directly copied from the vma itself and always
1650 * valid - therefore do_munmap cannot fail. (famous last words?)
1651 */
1652 /*
1653 * If it had been mremap()'d, the starting address would not
1654 * match the usual checks anyway. So assume all vma's are
1655 * above the starting address given.
1656 */
1657 vma = find_vma(mm, addr);
1658
8feae131 1659#ifdef CONFIG_MMU
1da177e4
LT		 1660 while (vma) {
1661 next = vma->vm_next;
1662
1663 /*
1664 * Check if the starting address would match, i.e. it's
1665 * a fragment created by mprotect() and/or munmap(), or it
1666 * otherwise it starts at this address with no hassles.
1667 */
bc56bba8 1668 if ((vma->vm_ops == &shm_vm_ops) &&
1da177e4
LT		 1669 (vma->vm_start - addr)/PAGE_SIZE == vma->vm_pgoff) {
1670
d3c97900
DH		 1671 /*
1672 * Record the file of the shm segment being
1673 * unmapped. With mremap(), someone could place
1674 * page from another segment but with equal offsets
1675 * in the range we are unmapping.
1676 */
1677 file = vma->vm_file;
07a46ed2 1678 size = i_size_read(file_inode(vma->vm_file));
897ab3e0 1679 do_munmap(mm, vma->vm_start, vma->vm_end - vma->vm_start, NULL);
1da177e4
LT		 1680 /*
1681 * We discovered the size of the shm segment, so
1682 * break out of here and fall through to the next
1683 * loop that uses the size information to stop
1684 * searching for matching vma's.
1685 */
1686 retval = 0;
1687 vma = next;
1688 break;
1689 }
1690 vma = next;
1691 }
1692
1693 /*
1694 * We need look no further than the maximum address a fragment
1695 * could possibly have landed at. Also cast things to loff_t to
25985edc 1696 * prevent overflows and make comparisons vs. equal-width types.
1da177e4 1697 */
8e36709d 1698 size = PAGE_ALIGN(size);
1da177e4
LT		 1699 while (vma && (loff_t)(vma->vm_end - addr) <= size) {
1700 next = vma->vm_next;
1701
1702 /* finding a matching vma now does not alter retval */
bc56bba8 1703 if ((vma->vm_ops == &shm_vm_ops) &&
d3c97900
DH		 1704 ((vma->vm_start - addr)/PAGE_SIZE == vma->vm_pgoff) &&
1705 (vma->vm_file == file))
897ab3e0 1706 do_munmap(mm, vma->vm_start, vma->vm_end - vma->vm_start, NULL);
1da177e4
LT		 1707 vma = next;
1708 }
1709
63980c80 1710#else /* CONFIG_MMU */
8feae131 1711 /* under NOMMU conditions, the exact address to be destroyed must be
63980c80
SP		 1712 * given
1713 */
530fcd16 1714 if (vma && vma->vm_start == addr && vma->vm_ops == &shm_vm_ops) {
897ab3e0 1715 do_munmap(mm, vma->vm_start, vma->vm_end - vma->vm_start, NULL);
8feae131
DH		 1716 retval = 0;
1717 }
1718
1719#endif
1720
d8ed45c5 1721 mmap_write_unlock(mm);
1da177e4
LT		 1722 return retval;
1723}
1724
da1e2744
DB		 1725SYSCALL_DEFINE1(shmdt, char __user *, shmaddr)
1726{
1727 return ksys_shmdt(shmaddr);
1728}
1729
1da177e4 1730#ifdef CONFIG_PROC_FS
19b4946c 1731static int sysvipc_shm_proc_show(struct seq_file *s, void *it)
1da177e4 1732{
98f929b1 1733 struct pid_namespace *pid_ns = ipc_seq_pid_ns(s);
1efdb69b 1734 struct user_namespace *user_ns = seq_user_ns(s);
ade9f91b
KC		 1735 struct kern_ipc_perm *ipcp = it;
1736 struct shmid_kernel *shp;
b7952180
HD		 1737 unsigned long rss = 0, swp = 0;
1738
ade9f91b 1739 shp = container_of(ipcp, struct shmid_kernel, shm_perm);
b7952180 1740 shm_add_rss_swap(shp, &rss, &swp);
1da177e4 1741
6c826818
PM		 1742#if BITS_PER_LONG <= 32
1743#define SIZE_SPEC "%10lu"
1744#else
1745#define SIZE_SPEC "%21lu"
1746#endif
1da177e4 1747
7f032d6e
JP		 1748 seq_printf(s,
1749 "%10d %10d %4o " SIZE_SPEC " %5u %5u "
7ff2819e 1750 "%5lu %5u %5u %5u %5u %10llu %10llu %10llu "
7f032d6e
JP		 1751 SIZE_SPEC " " SIZE_SPEC "\n",
1752 shp->shm_perm.key,
1753 shp->shm_perm.id,
1754 shp->shm_perm.mode,
1755 shp->shm_segsz,
98f929b1
EB		 1756 pid_nr_ns(shp->shm_cprid, pid_ns),
1757 pid_nr_ns(shp->shm_lprid, pid_ns),
7f032d6e
JP		 1758 shp->shm_nattch,
1759 from_kuid_munged(user_ns, shp->shm_perm.uid),
1760 from_kgid_munged(user_ns, shp->shm_perm.gid),
1761 from_kuid_munged(user_ns, shp->shm_perm.cuid),
1762 from_kgid_munged(user_ns, shp->shm_perm.cgid),
1763 shp->shm_atim,
1764 shp->shm_dtim,
1765 shp->shm_ctim,
1766 rss * PAGE_SIZE,
1767 swp * PAGE_SIZE);
1768
1769 return 0;
1da177e4
LT		 1770}
1771#endif
Linux 6.x block layer and io_uring tree(s)