Commit | Line | Data |
---|---|---|
b2441318 | 1 | // SPDX-License-Identifier: GPL-2.0 |
1da177e4 LT |
2 | /* |
3 | * linux/ipc/shm.c | |
4 | * Copyright (C) 1992, 1993 Krishna Balasubramanian | |
5 | * Many improvements/fixes by Bruno Haible. | |
6 | * Replaced `struct shm_desc' by `struct vm_area_struct', July 1994. | |
7 | * Fixed the shm swap deallocation (shm_unuse()), August 1998 Andrea Arcangeli. | |
8 | * | |
9 | * /proc/sysvipc/shm support (c) 1999 Dragos Acostachioaie <dragos@iname.com> | |
10 | * BIGMEM support, Andrea Arcangeli <andrea@suse.de> | |
11 | * SMP thread shm, Jean-Luc Boyard <jean-luc.boyard@siemens.fr> | |
12 | * HIGHMEM support, Ingo Molnar <mingo@redhat.com> | |
13 | * Make shmmax, shmall, shmmni sysctl'able, Christoph Rohland <cr@sap.com> | |
14 | * Shared /dev/zero support, Kanoj Sarcar <kanoj@sgi.com> | |
15 | * Move the mm functionality over to mm/shmem.c, Christoph Rohland <cr@sap.com> | |
16 | * | |
073115d6 SG |
17 | * support for audit of ipc object properties and permission changes |
18 | * Dustin Kirkland <dustin.kirkland@us.ibm.com> | |
4e982311 KK |
19 | * |
20 | * namespaces support | |
21 | * OpenVZ, SWsoft Inc. | |
22 | * Pavel Emelianov <xemul@openvz.org> | |
c2c737a0 DB |
23 | * |
24 | * Better ipc lock (kern_ipc_perm.lock) handling | |
25 | * Davidlohr Bueso <davidlohr.bueso@hp.com>, June 2013. | |
1da177e4 LT |
26 | */ |
27 | ||
1da177e4 LT |
28 | #include <linux/slab.h> |
29 | #include <linux/mm.h> | |
30 | #include <linux/hugetlb.h> | |
31 | #include <linux/shm.h> | |
32 | #include <linux/init.h> | |
33 | #include <linux/file.h> | |
34 | #include <linux/mman.h> | |
1da177e4 LT |
35 | #include <linux/shmem_fs.h> |
36 | #include <linux/security.h> | |
37 | #include <linux/syscalls.h> | |
38 | #include <linux/audit.h> | |
c59ede7b | 39 | #include <linux/capability.h> |
7d87e14c | 40 | #include <linux/ptrace.h> |
19b4946c | 41 | #include <linux/seq_file.h> |
3e148c79 | 42 | #include <linux/rwsem.h> |
4e982311 | 43 | #include <linux/nsproxy.h> |
bc56bba8 | 44 | #include <linux/mount.h> |
ae5e1b22 | 45 | #include <linux/ipc_namespace.h> |
0eb71a9d | 46 | #include <linux/rhashtable.h> |
7d87e14c | 47 | |
7153e402 | 48 | #include <linux/uaccess.h> |
1da177e4 LT |
49 | |
50 | #include "util.h" | |
51 | ||
a2e102cd EB |
52 | struct shmid_kernel /* private to the kernel */ |
53 | { | |
54 | struct kern_ipc_perm shm_perm; | |
55 | struct file *shm_file; | |
56 | unsigned long shm_nattch; | |
57 | unsigned long shm_segsz; | |
58 | time64_t shm_atim; | |
59 | time64_t shm_dtim; | |
60 | time64_t shm_ctim; | |
98f929b1 EB |
61 | struct pid *shm_cprid; |
62 | struct pid *shm_lprid; | |
d7c9e99a | 63 | struct ucounts *mlock_ucounts; |
a2e102cd EB |
64 | |
65 | /* The task created the shm object. NULL if the task is dead. */ | |
66 | struct task_struct *shm_creator; | |
67 | struct list_head shm_clist; /* list by creator */ | |
68 | } __randomize_layout; | |
69 | ||
70 | /* shm_mode upper byte flags */ | |
71 | #define SHM_DEST 01000 /* segment will be destroyed on last detach */ | |
72 | #define SHM_LOCKED 02000 /* segment will not be swapped */ | |
73 | ||
bc56bba8 EB |
74 | struct shm_file_data { |
75 | int id; | |
76 | struct ipc_namespace *ns; | |
77 | struct file *file; | |
78 | const struct vm_operations_struct *vm_ops; | |
79 | }; | |
80 | ||
81 | #define shm_file_data(file) (*((struct shm_file_data **)&(file)->private_data)) | |
82 | ||
9a32144e | 83 | static const struct file_operations shm_file_operations; |
f0f37e2f | 84 | static const struct vm_operations_struct shm_vm_ops; |
1da177e4 | 85 | |
ed2ddbf8 | 86 | #define shm_ids(ns) ((ns)->ids[IPC_SHM_IDS]) |
1da177e4 | 87 | |
4e982311 KK |
88 | #define shm_unlock(shp) \ |
89 | ipc_unlock(&(shp)->shm_perm) | |
1da177e4 | 90 | |
7748dbfa | 91 | static int newseg(struct ipc_namespace *, struct ipc_params *); |
bc56bba8 EB |
92 | static void shm_open(struct vm_area_struct *vma); |
93 | static void shm_close(struct vm_area_struct *vma); | |
239521f3 | 94 | static void shm_destroy(struct ipc_namespace *ns, struct shmid_kernel *shp); |
1da177e4 | 95 | #ifdef CONFIG_PROC_FS |
19b4946c | 96 | static int sysvipc_shm_proc_show(struct seq_file *s, void *it); |
1da177e4 LT |
97 | #endif |
98 | ||
eae04d25 | 99 | void shm_init_ns(struct ipc_namespace *ns) |
4e982311 | 100 | { |
4e982311 KK |
101 | ns->shm_ctlmax = SHMMAX; |
102 | ns->shm_ctlall = SHMALL; | |
103 | ns->shm_ctlmni = SHMMNI; | |
b34a6b1d | 104 | ns->shm_rmid_forced = 0; |
4e982311 | 105 | ns->shm_tot = 0; |
eae04d25 | 106 | ipc_init_ids(&shm_ids(ns)); |
4e982311 KK |
107 | } |
108 | ||
f4566f04 | 109 | /* |
d9a605e4 DB |
110 | * Called with shm_ids.rwsem (writer) and the shp structure locked. |
111 | * Only shm_ids.rwsem remains locked on exit. | |
f4566f04 | 112 | */ |
01b8b07a | 113 | static void do_shm_rmid(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp) |
4e982311 | 114 | { |
01b8b07a | 115 | struct shmid_kernel *shp; |
63980c80 | 116 | |
01b8b07a PP |
117 | shp = container_of(ipcp, struct shmid_kernel, shm_perm); |
118 | ||
239521f3 | 119 | if (shp->shm_nattch) { |
4e982311 KK |
120 | shp->shm_perm.mode |= SHM_DEST; |
121 | /* Do not find it any more */ | |
0cfb6aee | 122 | ipc_set_key_private(&shm_ids(ns), &shp->shm_perm); |
4e982311 KK |
123 | shm_unlock(shp); |
124 | } else | |
125 | shm_destroy(ns, shp); | |
126 | } | |
127 | ||
ae5e1b22 | 128 | #ifdef CONFIG_IPC_NS |
4e982311 KK |
129 | void shm_exit_ns(struct ipc_namespace *ns) |
130 | { | |
01b8b07a | 131 | free_ipcs(ns, &shm_ids(ns), do_shm_rmid); |
7d6feeb2 | 132 | idr_destroy(&ns->ids[IPC_SHM_IDS].ipcs_idr); |
0cfb6aee | 133 | rhashtable_destroy(&ns->ids[IPC_SHM_IDS].key_ht); |
4e982311 | 134 | } |
ae5e1b22 | 135 | #endif |
1da177e4 | 136 | |
140d0b21 | 137 | static int __init ipc_ns_init(void) |
1da177e4 | 138 | { |
eae04d25 DB |
139 | shm_init_ns(&init_ipc_ns); |
140 | return 0; | |
140d0b21 LT |
141 | } |
142 | ||
143 | pure_initcall(ipc_ns_init); | |
144 | ||
239521f3 | 145 | void __init shm_init(void) |
140d0b21 | 146 | { |
19b4946c | 147 | ipc_init_proc_interface("sysvipc/shm", |
b7952180 HD |
148 | #if BITS_PER_LONG <= 32 |
149 | " key shmid perms size cpid lpid nattch uid gid cuid cgid atime dtime ctime rss swap\n", | |
150 | #else | |
151 | " key shmid perms size cpid lpid nattch uid gid cuid cgid atime dtime ctime rss swap\n", | |
152 | #endif | |
4e982311 | 153 | IPC_SHM_IDS, sysvipc_shm_proc_show); |
1da177e4 LT |
154 | } |
155 | ||
8b8d52ac DB |
156 | static inline struct shmid_kernel *shm_obtain_object(struct ipc_namespace *ns, int id) |
157 | { | |
55b7ae50 | 158 | struct kern_ipc_perm *ipcp = ipc_obtain_object_idr(&shm_ids(ns), id); |
8b8d52ac DB |
159 | |
160 | if (IS_ERR(ipcp)) | |
161 | return ERR_CAST(ipcp); | |
162 | ||
163 | return container_of(ipcp, struct shmid_kernel, shm_perm); | |
164 | } | |
165 | ||
166 | static inline struct shmid_kernel *shm_obtain_object_check(struct ipc_namespace *ns, int id) | |
167 | { | |
168 | struct kern_ipc_perm *ipcp = ipc_obtain_object_check(&shm_ids(ns), id); | |
169 | ||
170 | if (IS_ERR(ipcp)) | |
171 | return ERR_CAST(ipcp); | |
172 | ||
173 | return container_of(ipcp, struct shmid_kernel, shm_perm); | |
174 | } | |
175 | ||
3e148c79 | 176 | /* |
d9a605e4 | 177 | * shm_lock_(check_) routines are called in the paths where the rwsem |
00c2bf85 | 178 | * is not necessarily held. |
3e148c79 | 179 | */ |
023a5355 | 180 | static inline struct shmid_kernel *shm_lock(struct ipc_namespace *ns, int id) |
1da177e4 | 181 | { |
82061c57 | 182 | struct kern_ipc_perm *ipcp; |
03f02c76 | 183 | |
82061c57 DB |
184 | rcu_read_lock(); |
185 | ipcp = ipc_obtain_object_idr(&shm_ids(ns), id); | |
186 | if (IS_ERR(ipcp)) | |
187 | goto err; | |
188 | ||
189 | ipc_lock_object(ipcp); | |
190 | /* | |
191 | * ipc_rmid() may have already freed the ID while ipc_lock_object() | |
192 | * was spinning: here verify that the structure is still valid. | |
193 | * Upon races with RMID, return -EIDRM, thus indicating that | |
194 | * the ID points to a removed identifier. | |
195 | */ | |
196 | if (ipc_valid_object(ipcp)) { | |
197 | /* return a locked ipc object upon success */ | |
198 | return container_of(ipcp, struct shmid_kernel, shm_perm); | |
199 | } | |
200 | ||
201 | ipc_unlock_object(ipcp); | |
9c21dae2 | 202 | ipcp = ERR_PTR(-EIDRM); |
82061c57 DB |
203 | err: |
204 | rcu_read_unlock(); | |
c5c8975b | 205 | /* |
1ac0b6de | 206 | * Callers of shm_lock() must validate the status of the returned ipc |
82061c57 | 207 | * object pointer and error out as appropriate. |
c5c8975b | 208 | */ |
59cf0a93 | 209 | return ERR_CAST(ipcp); |
023a5355 ND |
210 | } |
211 | ||
4c677e2e VK |
212 | static inline void shm_lock_by_ptr(struct shmid_kernel *ipcp) |
213 | { | |
214 | rcu_read_lock(); | |
cf9d5d78 | 215 | ipc_lock_object(&ipcp->shm_perm); |
4c677e2e VK |
216 | } |
217 | ||
53dad6d3 DB |
218 | static void shm_rcu_free(struct rcu_head *head) |
219 | { | |
dba4cdd3 MS |
220 | struct kern_ipc_perm *ptr = container_of(head, struct kern_ipc_perm, |
221 | rcu); | |
222 | struct shmid_kernel *shp = container_of(ptr, struct shmid_kernel, | |
223 | shm_perm); | |
7191adff | 224 | security_shm_free(&shp->shm_perm); |
bc8136a5 | 225 | kfree(shp); |
53dad6d3 DB |
226 | } |
227 | ||
7ca7e564 | 228 | static inline void shm_rmid(struct ipc_namespace *ns, struct shmid_kernel *s) |
1da177e4 | 229 | { |
ab602f79 | 230 | list_del(&s->shm_clist); |
7ca7e564 | 231 | ipc_rmid(&shm_ids(ns), &s->shm_perm); |
1da177e4 LT |
232 | } |
233 | ||
1da177e4 | 234 | |
1ac0b6de | 235 | static int __shm_open(struct vm_area_struct *vma) |
4e982311 | 236 | { |
bc56bba8 EB |
237 | struct file *file = vma->vm_file; |
238 | struct shm_file_data *sfd = shm_file_data(file); | |
1da177e4 LT |
239 | struct shmid_kernel *shp; |
240 | ||
bc56bba8 | 241 | shp = shm_lock(sfd->ns, sfd->id); |
1ac0b6de KS |
242 | |
243 | if (IS_ERR(shp)) | |
244 | return PTR_ERR(shp); | |
245 | ||
3f05317d EB |
246 | if (shp->shm_file != sfd->file) { |
247 | /* ID was reused */ | |
248 | shm_unlock(shp); | |
249 | return -EINVAL; | |
250 | } | |
251 | ||
7ff2819e | 252 | shp->shm_atim = ktime_get_real_seconds(); |
98f929b1 | 253 | ipc_update_pid(&shp->shm_lprid, task_tgid(current)); |
1da177e4 LT |
254 | shp->shm_nattch++; |
255 | shm_unlock(shp); | |
1ac0b6de KS |
256 | return 0; |
257 | } | |
258 | ||
259 | /* This is called by fork, once for every shm attach. */ | |
260 | static void shm_open(struct vm_area_struct *vma) | |
261 | { | |
262 | int err = __shm_open(vma); | |
263 | /* | |
264 | * We raced in the idr lookup or with shm_destroy(). | |
265 | * Either way, the ID is busted. | |
266 | */ | |
267 | WARN_ON_ONCE(err); | |
1da177e4 LT |
268 | } |
269 | ||
1da177e4 LT |
270 | /* |
271 | * shm_destroy - free the struct shmid_kernel | |
272 | * | |
f4566f04 | 273 | * @ns: namespace |
1da177e4 LT |
274 | * @shp: struct to free |
275 | * | |
d9a605e4 | 276 | * It has to be called with shp and shm_ids.rwsem (writer) locked, |
1da177e4 LT |
277 | * but returns with shp unlocked and freed. |
278 | */ | |
4e982311 | 279 | static void shm_destroy(struct ipc_namespace *ns, struct shmid_kernel *shp) |
1da177e4 | 280 | { |
a399b29d GT |
281 | struct file *shm_file; |
282 | ||
283 | shm_file = shp->shm_file; | |
284 | shp->shm_file = NULL; | |
4e982311 | 285 | ns->shm_tot -= (shp->shm_segsz + PAGE_SIZE - 1) >> PAGE_SHIFT; |
7ca7e564 | 286 | shm_rmid(ns, shp); |
1da177e4 | 287 | shm_unlock(shp); |
a399b29d | 288 | if (!is_file_hugepages(shm_file)) |
d7c9e99a | 289 | shmem_lock(shm_file, 0, shp->mlock_ucounts); |
a399b29d | 290 | fput(shm_file); |
98f929b1 EB |
291 | ipc_update_pid(&shp->shm_cprid, NULL); |
292 | ipc_update_pid(&shp->shm_lprid, NULL); | |
dba4cdd3 | 293 | ipc_rcu_putref(&shp->shm_perm, shm_rcu_free); |
1da177e4 LT |
294 | } |
295 | ||
b34a6b1d VK |
296 | /* |
297 | * shm_may_destroy - identifies whether shm segment should be destroyed now | |
298 | * | |
299 | * Returns true if and only if there are no active users of the segment and | |
300 | * one of the following is true: | |
301 | * | |
302 | * 1) shmctl(id, IPC_RMID, NULL) was called for this shp | |
303 | * | |
304 | * 2) sysctl kernel.shm_rmid_forced is set to 1. | |
305 | */ | |
306 | static bool shm_may_destroy(struct ipc_namespace *ns, struct shmid_kernel *shp) | |
307 | { | |
308 | return (shp->shm_nattch == 0) && | |
309 | (ns->shm_rmid_forced || | |
310 | (shp->shm_perm.mode & SHM_DEST)); | |
311 | } | |
312 | ||
1da177e4 | 313 | /* |
bc56bba8 | 314 | * remove the attach descriptor vma. |
1da177e4 LT |
315 | * free memory for segment if it is marked destroyed. |
316 | * The descriptor has already been removed from the current->mm->mmap list | |
317 | * and will later be kfree()d. | |
318 | */ | |
bc56bba8 | 319 | static void shm_close(struct vm_area_struct *vma) |
1da177e4 | 320 | { |
239521f3 | 321 | struct file *file = vma->vm_file; |
bc56bba8 | 322 | struct shm_file_data *sfd = shm_file_data(file); |
1da177e4 | 323 | struct shmid_kernel *shp; |
bc56bba8 | 324 | struct ipc_namespace *ns = sfd->ns; |
4e982311 | 325 | |
d9a605e4 | 326 | down_write(&shm_ids(ns).rwsem); |
1da177e4 | 327 | /* remove from the list of attaches of the shm segment */ |
00c2bf85 | 328 | shp = shm_lock(ns, sfd->id); |
1ac0b6de KS |
329 | |
330 | /* | |
331 | * We raced in the idr lookup or with shm_destroy(). | |
332 | * Either way, the ID is busted. | |
333 | */ | |
334 | if (WARN_ON_ONCE(IS_ERR(shp))) | |
335 | goto done; /* no-op */ | |
336 | ||
98f929b1 | 337 | ipc_update_pid(&shp->shm_lprid, task_tgid(current)); |
7ff2819e | 338 | shp->shm_dtim = ktime_get_real_seconds(); |
1da177e4 | 339 | shp->shm_nattch--; |
b34a6b1d VK |
340 | if (shm_may_destroy(ns, shp)) |
341 | shm_destroy(ns, shp); | |
342 | else | |
343 | shm_unlock(shp); | |
1ac0b6de | 344 | done: |
d9a605e4 | 345 | up_write(&shm_ids(ns).rwsem); |
b34a6b1d VK |
346 | } |
347 | ||
d9a605e4 | 348 | /* Called with ns->shm_ids(ns).rwsem locked */ |
b34a6b1d VK |
349 | static int shm_try_destroy_orphaned(int id, void *p, void *data) |
350 | { | |
351 | struct ipc_namespace *ns = data; | |
4c677e2e VK |
352 | struct kern_ipc_perm *ipcp = p; |
353 | struct shmid_kernel *shp = container_of(ipcp, struct shmid_kernel, shm_perm); | |
b34a6b1d VK |
354 | |
355 | /* | |
356 | * We want to destroy segments without users and with already | |
357 | * exit'ed originating process. | |
4c677e2e | 358 | * |
d9a605e4 | 359 | * As shp->* are changed under rwsem, it's safe to skip shp locking. |
b34a6b1d | 360 | */ |
4c677e2e | 361 | if (shp->shm_creator != NULL) |
b34a6b1d | 362 | return 0; |
b34a6b1d | 363 | |
4c677e2e VK |
364 | if (shm_may_destroy(ns, shp)) { |
365 | shm_lock_by_ptr(shp); | |
4e982311 | 366 | shm_destroy(ns, shp); |
4c677e2e | 367 | } |
b34a6b1d VK |
368 | return 0; |
369 | } | |
370 | ||
371 | void shm_destroy_orphaned(struct ipc_namespace *ns) | |
372 | { | |
d9a605e4 | 373 | down_write(&shm_ids(ns).rwsem); |
33a30ed4 | 374 | if (shm_ids(ns).in_use) |
4c677e2e | 375 | idr_for_each(&shm_ids(ns).ipcs_idr, &shm_try_destroy_orphaned, ns); |
d9a605e4 | 376 | up_write(&shm_ids(ns).rwsem); |
b34a6b1d VK |
377 | } |
378 | ||
83293c0f | 379 | /* Locking assumes this will only be called with task == current */ |
b34a6b1d VK |
380 | void exit_shm(struct task_struct *task) |
381 | { | |
4c677e2e | 382 | struct ipc_namespace *ns = task->nsproxy->ipc_ns; |
ab602f79 | 383 | struct shmid_kernel *shp, *n; |
b34a6b1d | 384 | |
83293c0f JM |
385 | if (list_empty(&task->sysvshm.shm_clist)) |
386 | return; | |
387 | ||
388 | /* | |
389 | * If kernel.shm_rmid_forced is not set then only keep track of | |
390 | * which shmids are orphaned, so that a later set of the sysctl | |
391 | * can clean them up. | |
392 | */ | |
393 | if (!ns->shm_rmid_forced) { | |
394 | down_read(&shm_ids(ns).rwsem); | |
395 | list_for_each_entry(shp, &task->sysvshm.shm_clist, shm_clist) | |
396 | shp->shm_creator = NULL; | |
397 | /* | |
398 | * Only under read lock but we are only called on current | |
399 | * so no entry on the list will be shared. | |
400 | */ | |
401 | list_del(&task->sysvshm.shm_clist); | |
402 | up_read(&shm_ids(ns).rwsem); | |
298507d4 | 403 | return; |
83293c0f | 404 | } |
298507d4 | 405 | |
83293c0f JM |
406 | /* |
407 | * Destroy all already created segments, that were not yet mapped, | |
408 | * and mark any mapped as orphan to cover the sysctl toggling. | |
409 | * Destroy is skipped if shm_may_destroy() returns false. | |
410 | */ | |
d9a605e4 | 411 | down_write(&shm_ids(ns).rwsem); |
83293c0f JM |
412 | list_for_each_entry_safe(shp, n, &task->sysvshm.shm_clist, shm_clist) { |
413 | shp->shm_creator = NULL; | |
414 | ||
415 | if (shm_may_destroy(ns, shp)) { | |
416 | shm_lock_by_ptr(shp); | |
417 | shm_destroy(ns, shp); | |
418 | } | |
419 | } | |
420 | ||
421 | /* Remove the list head from any segments still attached. */ | |
ab602f79 | 422 | list_del(&task->sysvshm.shm_clist); |
d9a605e4 | 423 | up_write(&shm_ids(ns).rwsem); |
1da177e4 LT |
424 | } |
425 | ||
14f28f57 | 426 | static vm_fault_t shm_fault(struct vm_fault *vmf) |
bc56bba8 | 427 | { |
11bac800 | 428 | struct file *file = vmf->vma->vm_file; |
bc56bba8 EB |
429 | struct shm_file_data *sfd = shm_file_data(file); |
430 | ||
11bac800 | 431 | return sfd->vm_ops->fault(vmf); |
bc56bba8 EB |
432 | } |
433 | ||
dd3b614f | 434 | static int shm_may_split(struct vm_area_struct *vma, unsigned long addr) |
3d942ee0 MK |
435 | { |
436 | struct file *file = vma->vm_file; | |
437 | struct shm_file_data *sfd = shm_file_data(file); | |
438 | ||
dd3b614f DS |
439 | if (sfd->vm_ops->may_split) |
440 | return sfd->vm_ops->may_split(vma, addr); | |
3d942ee0 MK |
441 | |
442 | return 0; | |
443 | } | |
444 | ||
eec3636a JC |
445 | static unsigned long shm_pagesize(struct vm_area_struct *vma) |
446 | { | |
447 | struct file *file = vma->vm_file; | |
448 | struct shm_file_data *sfd = shm_file_data(file); | |
449 | ||
450 | if (sfd->vm_ops->pagesize) | |
451 | return sfd->vm_ops->pagesize(vma); | |
452 | ||
453 | return PAGE_SIZE; | |
454 | } | |
455 | ||
bc56bba8 | 456 | #ifdef CONFIG_NUMA |
d823e3e7 | 457 | static int shm_set_policy(struct vm_area_struct *vma, struct mempolicy *new) |
bc56bba8 EB |
458 | { |
459 | struct file *file = vma->vm_file; | |
460 | struct shm_file_data *sfd = shm_file_data(file); | |
461 | int err = 0; | |
63980c80 | 462 | |
bc56bba8 EB |
463 | if (sfd->vm_ops->set_policy) |
464 | err = sfd->vm_ops->set_policy(vma, new); | |
465 | return err; | |
466 | } | |
467 | ||
d823e3e7 AB |
468 | static struct mempolicy *shm_get_policy(struct vm_area_struct *vma, |
469 | unsigned long addr) | |
bc56bba8 EB |
470 | { |
471 | struct file *file = vma->vm_file; | |
472 | struct shm_file_data *sfd = shm_file_data(file); | |
473 | struct mempolicy *pol = NULL; | |
474 | ||
475 | if (sfd->vm_ops->get_policy) | |
476 | pol = sfd->vm_ops->get_policy(vma, addr); | |
52cd3b07 | 477 | else if (vma->vm_policy) |
bc56bba8 | 478 | pol = vma->vm_policy; |
52cd3b07 | 479 | |
bc56bba8 EB |
480 | return pol; |
481 | } | |
482 | #endif | |
483 | ||
239521f3 | 484 | static int shm_mmap(struct file *file, struct vm_area_struct *vma) |
1da177e4 | 485 | { |
bc56bba8 | 486 | struct shm_file_data *sfd = shm_file_data(file); |
b0e15190 DH |
487 | int ret; |
488 | ||
1ac0b6de | 489 | /* |
3f05317d EB |
490 | * In case of remap_file_pages() emulation, the file can represent an |
491 | * IPC ID that was removed, and possibly even reused by another shm | |
492 | * segment already. Propagate this case as an error to caller. | |
1ac0b6de | 493 | */ |
63980c80 | 494 | ret = __shm_open(vma); |
1ac0b6de KS |
495 | if (ret) |
496 | return ret; | |
497 | ||
f74ac015 | 498 | ret = call_mmap(sfd->file, vma); |
1ac0b6de KS |
499 | if (ret) { |
500 | shm_close(vma); | |
bc56bba8 | 501 | return ret; |
1ac0b6de | 502 | } |
bc56bba8 | 503 | sfd->vm_ops = vma->vm_ops; |
2e92a3ba | 504 | #ifdef CONFIG_MMU |
d0edd852 | 505 | WARN_ON(!sfd->vm_ops->fault); |
2e92a3ba | 506 | #endif |
bc56bba8 | 507 | vma->vm_ops = &shm_vm_ops; |
1ac0b6de | 508 | return 0; |
1da177e4 LT |
509 | } |
510 | ||
4e982311 KK |
511 | static int shm_release(struct inode *ino, struct file *file) |
512 | { | |
bc56bba8 | 513 | struct shm_file_data *sfd = shm_file_data(file); |
4e982311 | 514 | |
bc56bba8 | 515 | put_ipc_ns(sfd->ns); |
3f05317d | 516 | fput(sfd->file); |
bc56bba8 EB |
517 | shm_file_data(file) = NULL; |
518 | kfree(sfd); | |
4e982311 KK |
519 | return 0; |
520 | } | |
521 | ||
02c24a82 | 522 | static int shm_fsync(struct file *file, loff_t start, loff_t end, int datasync) |
516dffdc | 523 | { |
516dffdc | 524 | struct shm_file_data *sfd = shm_file_data(file); |
516dffdc | 525 | |
7ea80859 CH |
526 | if (!sfd->file->f_op->fsync) |
527 | return -EINVAL; | |
0f41074a | 528 | return sfd->file->f_op->fsync(sfd->file, start, end, datasync); |
516dffdc AL |
529 | } |
530 | ||
7d8a4569 WD |
531 | static long shm_fallocate(struct file *file, int mode, loff_t offset, |
532 | loff_t len) | |
533 | { | |
534 | struct shm_file_data *sfd = shm_file_data(file); | |
535 | ||
536 | if (!sfd->file->f_op->fallocate) | |
537 | return -EOPNOTSUPP; | |
538 | return sfd->file->f_op->fallocate(file, mode, offset, len); | |
539 | } | |
540 | ||
bc56bba8 EB |
541 | static unsigned long shm_get_unmapped_area(struct file *file, |
542 | unsigned long addr, unsigned long len, unsigned long pgoff, | |
543 | unsigned long flags) | |
544 | { | |
545 | struct shm_file_data *sfd = shm_file_data(file); | |
63980c80 | 546 | |
c4caa778 AV |
547 | return sfd->file->f_op->get_unmapped_area(sfd->file, addr, len, |
548 | pgoff, flags); | |
bc56bba8 | 549 | } |
bc56bba8 | 550 | |
9a32144e | 551 | static const struct file_operations shm_file_operations = { |
4e982311 | 552 | .mmap = shm_mmap, |
516dffdc | 553 | .fsync = shm_fsync, |
4e982311 | 554 | .release = shm_release, |
ed5e5894 | 555 | .get_unmapped_area = shm_get_unmapped_area, |
6038f373 | 556 | .llseek = noop_llseek, |
7d8a4569 | 557 | .fallocate = shm_fallocate, |
c4caa778 AV |
558 | }; |
559 | ||
c01d5b30 HD |
560 | /* |
561 | * shm_file_operations_huge is now identical to shm_file_operations, | |
562 | * but we keep it distinct for the sake of is_file_shm_hugepages(). | |
563 | */ | |
c4caa778 AV |
564 | static const struct file_operations shm_file_operations_huge = { |
565 | .mmap = shm_mmap, | |
566 | .fsync = shm_fsync, | |
567 | .release = shm_release, | |
bc56bba8 | 568 | .get_unmapped_area = shm_get_unmapped_area, |
6038f373 | 569 | .llseek = noop_llseek, |
7d8a4569 | 570 | .fallocate = shm_fallocate, |
1da177e4 LT |
571 | }; |
572 | ||
2954e440 | 573 | bool is_file_shm_hugepages(struct file *file) |
c4caa778 AV |
574 | { |
575 | return file->f_op == &shm_file_operations_huge; | |
576 | } | |
577 | ||
f0f37e2f | 578 | static const struct vm_operations_struct shm_vm_ops = { |
1da177e4 LT |
579 | .open = shm_open, /* callback for a new vm-area open */ |
580 | .close = shm_close, /* callback for when the vm-area is released */ | |
54cb8821 | 581 | .fault = shm_fault, |
dd3b614f | 582 | .may_split = shm_may_split, |
eec3636a | 583 | .pagesize = shm_pagesize, |
bc56bba8 EB |
584 | #if defined(CONFIG_NUMA) |
585 | .set_policy = shm_set_policy, | |
586 | .get_policy = shm_get_policy, | |
1da177e4 LT |
587 | #endif |
588 | }; | |
589 | ||
f4566f04 ND |
590 | /** |
591 | * newseg - Create a new shared memory segment | |
592 | * @ns: namespace | |
593 | * @params: ptr to the structure that contains key, size and shmflg | |
594 | * | |
d9a605e4 | 595 | * Called with shm_ids.rwsem held as a writer. |
f4566f04 | 596 | */ |
7748dbfa | 597 | static int newseg(struct ipc_namespace *ns, struct ipc_params *params) |
1da177e4 | 598 | { |
7748dbfa ND |
599 | key_t key = params->key; |
600 | int shmflg = params->flg; | |
601 | size_t size = params->u.size; | |
1da177e4 LT |
602 | int error; |
603 | struct shmid_kernel *shp; | |
d69f3bad | 604 | size_t numpages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT; |
239521f3 | 605 | struct file *file; |
1da177e4 | 606 | char name[13]; |
ca16d140 | 607 | vm_flags_t acctflag = 0; |
1da177e4 | 608 | |
4e982311 | 609 | if (size < SHMMIN || size > ns->shm_ctlmax) |
1da177e4 LT |
610 | return -EINVAL; |
611 | ||
1376327c MS |
612 | if (numpages << PAGE_SHIFT < size) |
613 | return -ENOSPC; | |
614 | ||
09c6eb1f MS |
615 | if (ns->shm_tot + numpages < ns->shm_tot || |
616 | ns->shm_tot + numpages > ns->shm_ctlall) | |
1da177e4 LT |
617 | return -ENOSPC; |
618 | ||
18319498 | 619 | shp = kmalloc(sizeof(*shp), GFP_KERNEL_ACCOUNT); |
42e618f7 | 620 | if (unlikely(!shp)) |
1da177e4 LT |
621 | return -ENOMEM; |
622 | ||
623 | shp->shm_perm.key = key; | |
b33291c0 | 624 | shp->shm_perm.mode = (shmflg & S_IRWXUGO); |
d7c9e99a | 625 | shp->mlock_ucounts = NULL; |
1da177e4 LT |
626 | |
627 | shp->shm_perm.security = NULL; | |
7191adff | 628 | error = security_shm_alloc(&shp->shm_perm); |
1da177e4 | 629 | if (error) { |
bc8136a5 | 630 | kfree(shp); |
1da177e4 LT |
631 | return error; |
632 | } | |
633 | ||
239521f3 | 634 | sprintf(name, "SYSV%08x", key); |
1da177e4 | 635 | if (shmflg & SHM_HUGETLB) { |
c103a4dc | 636 | struct hstate *hs; |
091d0d55 LZ |
637 | size_t hugesize; |
638 | ||
c103a4dc | 639 | hs = hstate_sizelog((shmflg >> SHM_HUGE_SHIFT) & SHM_HUGE_MASK); |
091d0d55 LZ |
640 | if (!hs) { |
641 | error = -EINVAL; | |
642 | goto no_file; | |
643 | } | |
644 | hugesize = ALIGN(size, huge_page_size(hs)); | |
af73e4d9 | 645 | |
5a6fe125 MG |
646 | /* hugetlb_file_setup applies strict accounting */ |
647 | if (shmflg & SHM_NORESERVE) | |
648 | acctflag = VM_NORESERVE; | |
af73e4d9 | 649 | file = hugetlb_file_setup(name, hugesize, acctflag, |
83c1fd76 | 650 | HUGETLB_SHMFS_INODE, (shmflg >> SHM_HUGE_SHIFT) & SHM_HUGE_MASK); |
1da177e4 | 651 | } else { |
bf8f972d BP |
652 | /* |
653 | * Do not allow no accounting for OVERCOMMIT_NEVER, even | |
239521f3 | 654 | * if it's asked for. |
bf8f972d BP |
655 | */ |
656 | if ((shmflg & SHM_NORESERVE) && | |
657 | sysctl_overcommit_memory != OVERCOMMIT_NEVER) | |
fc8744ad | 658 | acctflag = VM_NORESERVE; |
e1832f29 | 659 | file = shmem_kernel_file_setup(name, size, acctflag); |
1da177e4 LT |
660 | } |
661 | error = PTR_ERR(file); | |
662 | if (IS_ERR(file)) | |
663 | goto no_file; | |
664 | ||
98f929b1 EB |
665 | shp->shm_cprid = get_pid(task_tgid(current)); |
666 | shp->shm_lprid = NULL; | |
1da177e4 | 667 | shp->shm_atim = shp->shm_dtim = 0; |
7ff2819e | 668 | shp->shm_ctim = ktime_get_real_seconds(); |
1da177e4 LT |
669 | shp->shm_segsz = size; |
670 | shp->shm_nattch = 0; | |
1da177e4 | 671 | shp->shm_file = file; |
5774ed01 | 672 | shp->shm_creator = current; |
b9a53227 | 673 | |
39c96a1b | 674 | /* ipc_addid() locks shp upon success. */ |
a2642f87 MS |
675 | error = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni); |
676 | if (error < 0) | |
b9a53227 | 677 | goto no_id; |
b9a53227 | 678 | |
ab602f79 | 679 | list_add(&shp->shm_clist, ¤t->sysvshm.shm_clist); |
dbfcd91f | 680 | |
30475cc1 BP |
681 | /* |
682 | * shmid gets reported as "inode#" in /proc/pid/maps. | |
683 | * proc-ps tools use this. Changing this will break them. | |
684 | */ | |
496ad9aa | 685 | file_inode(file)->i_ino = shp->shm_perm.id; |
551110a9 | 686 | |
4e982311 | 687 | ns->shm_tot += numpages; |
7ca7e564 | 688 | error = shp->shm_perm.id; |
dbfcd91f | 689 | |
cf9d5d78 | 690 | ipc_unlock_object(&shp->shm_perm); |
dbfcd91f | 691 | rcu_read_unlock(); |
7ca7e564 | 692 | return error; |
1da177e4 LT |
693 | |
694 | no_id: | |
2236d4d3 EB |
695 | ipc_update_pid(&shp->shm_cprid, NULL); |
696 | ipc_update_pid(&shp->shm_lprid, NULL); | |
1da177e4 | 697 | fput(file); |
39cfffd7 MS |
698 | ipc_rcu_putref(&shp->shm_perm, shm_rcu_free); |
699 | return error; | |
1da177e4 | 700 | no_file: |
a2642f87 | 701 | call_rcu(&shp->shm_perm.rcu, shm_rcu_free); |
1da177e4 LT |
702 | return error; |
703 | } | |
704 | ||
f4566f04 | 705 | /* |
d9a605e4 | 706 | * Called with shm_ids.rwsem and ipcp locked. |
f4566f04 | 707 | */ |
00898e85 | 708 | static int shm_more_checks(struct kern_ipc_perm *ipcp, struct ipc_params *params) |
7748dbfa | 709 | { |
03f02c76 ND |
710 | struct shmid_kernel *shp; |
711 | ||
712 | shp = container_of(ipcp, struct shmid_kernel, shm_perm); | |
713 | if (shp->shm_segsz < params->u.size) | |
7748dbfa ND |
714 | return -EINVAL; |
715 | ||
716 | return 0; | |
717 | } | |
718 | ||
65749e0b | 719 | long ksys_shmget(key_t key, size_t size, int shmflg) |
1da177e4 | 720 | { |
4e982311 | 721 | struct ipc_namespace *ns; |
eb66ec44 MK |
722 | static const struct ipc_ops shm_ops = { |
723 | .getnew = newseg, | |
50ab44b1 | 724 | .associate = security_shm_associate, |
eb66ec44 MK |
725 | .more_checks = shm_more_checks, |
726 | }; | |
7748dbfa | 727 | struct ipc_params shm_params; |
4e982311 KK |
728 | |
729 | ns = current->nsproxy->ipc_ns; | |
1da177e4 | 730 | |
7748dbfa ND |
731 | shm_params.key = key; |
732 | shm_params.flg = shmflg; | |
733 | shm_params.u.size = size; | |
1da177e4 | 734 | |
7748dbfa | 735 | return ipcget(ns, &shm_ids(ns), &shm_ops, &shm_params); |
1da177e4 LT |
736 | } |
737 | ||
65749e0b DB |
738 | SYSCALL_DEFINE3(shmget, key_t, key, size_t, size, int, shmflg) |
739 | { | |
740 | return ksys_shmget(key, size, shmflg); | |
741 | } | |
742 | ||
1da177e4 LT |
743 | static inline unsigned long copy_shmid_to_user(void __user *buf, struct shmid64_ds *in, int version) |
744 | { | |
239521f3 | 745 | switch (version) { |
1da177e4 LT |
746 | case IPC_64: |
747 | return copy_to_user(buf, in, sizeof(*in)); | |
748 | case IPC_OLD: | |
749 | { | |
750 | struct shmid_ds out; | |
751 | ||
3af54c9b | 752 | memset(&out, 0, sizeof(out)); |
1da177e4 LT |
753 | ipc64_perm_to_ipc_perm(&in->shm_perm, &out.shm_perm); |
754 | out.shm_segsz = in->shm_segsz; | |
755 | out.shm_atime = in->shm_atime; | |
756 | out.shm_dtime = in->shm_dtime; | |
757 | out.shm_ctime = in->shm_ctime; | |
758 | out.shm_cpid = in->shm_cpid; | |
759 | out.shm_lpid = in->shm_lpid; | |
760 | out.shm_nattch = in->shm_nattch; | |
761 | ||
762 | return copy_to_user(buf, &out, sizeof(out)); | |
763 | } | |
764 | default: | |
765 | return -EINVAL; | |
766 | } | |
767 | } | |
768 | ||
016d7132 PP |
769 | static inline unsigned long |
770 | copy_shmid_from_user(struct shmid64_ds *out, void __user *buf, int version) | |
1da177e4 | 771 | { |
239521f3 | 772 | switch (version) { |
1da177e4 | 773 | case IPC_64: |
016d7132 | 774 | if (copy_from_user(out, buf, sizeof(*out))) |
1da177e4 | 775 | return -EFAULT; |
1da177e4 | 776 | return 0; |
1da177e4 LT |
777 | case IPC_OLD: |
778 | { | |
779 | struct shmid_ds tbuf_old; | |
780 | ||
781 | if (copy_from_user(&tbuf_old, buf, sizeof(tbuf_old))) | |
782 | return -EFAULT; | |
783 | ||
016d7132 PP |
784 | out->shm_perm.uid = tbuf_old.shm_perm.uid; |
785 | out->shm_perm.gid = tbuf_old.shm_perm.gid; | |
786 | out->shm_perm.mode = tbuf_old.shm_perm.mode; | |
1da177e4 LT |
787 | |
788 | return 0; | |
789 | } | |
790 | default: | |
791 | return -EINVAL; | |
792 | } | |
793 | } | |
794 | ||
795 | static inline unsigned long copy_shminfo_to_user(void __user *buf, struct shminfo64 *in, int version) | |
796 | { | |
239521f3 | 797 | switch (version) { |
1da177e4 LT |
798 | case IPC_64: |
799 | return copy_to_user(buf, in, sizeof(*in)); | |
800 | case IPC_OLD: | |
801 | { | |
802 | struct shminfo out; | |
803 | ||
239521f3 | 804 | if (in->shmmax > INT_MAX) |
1da177e4 LT |
805 | out.shmmax = INT_MAX; |
806 | else | |
807 | out.shmmax = (int)in->shmmax; | |
808 | ||
809 | out.shmmin = in->shmmin; | |
810 | out.shmmni = in->shmmni; | |
811 | out.shmseg = in->shmseg; | |
46c0a8ca | 812 | out.shmall = in->shmall; |
1da177e4 LT |
813 | |
814 | return copy_to_user(buf, &out, sizeof(out)); | |
815 | } | |
816 | default: | |
817 | return -EINVAL; | |
818 | } | |
819 | } | |
820 | ||
b7952180 HD |
821 | /* |
822 | * Calculate and add used RSS and swap pages of a shm. | |
d9a605e4 | 823 | * Called with shm_ids.rwsem held as a reader |
b7952180 HD |
824 | */ |
825 | static void shm_add_rss_swap(struct shmid_kernel *shp, | |
826 | unsigned long *rss_add, unsigned long *swp_add) | |
827 | { | |
828 | struct inode *inode; | |
829 | ||
496ad9aa | 830 | inode = file_inode(shp->shm_file); |
b7952180 HD |
831 | |
832 | if (is_file_hugepages(shp->shm_file)) { | |
833 | struct address_space *mapping = inode->i_mapping; | |
834 | struct hstate *h = hstate_file(shp->shm_file); | |
835 | *rss_add += pages_per_huge_page(h) * mapping->nrpages; | |
836 | } else { | |
837 | #ifdef CONFIG_SHMEM | |
838 | struct shmem_inode_info *info = SHMEM_I(inode); | |
63980c80 | 839 | |
4595ef88 | 840 | spin_lock_irq(&info->lock); |
b7952180 HD |
841 | *rss_add += inode->i_mapping->nrpages; |
842 | *swp_add += info->swapped; | |
4595ef88 | 843 | spin_unlock_irq(&info->lock); |
b7952180 HD |
844 | #else |
845 | *rss_add += inode->i_mapping->nrpages; | |
846 | #endif | |
847 | } | |
848 | } | |
849 | ||
f4566f04 | 850 | /* |
d9a605e4 | 851 | * Called with shm_ids.rwsem held as a reader |
f4566f04 | 852 | */ |
4e982311 KK |
853 | static void shm_get_stat(struct ipc_namespace *ns, unsigned long *rss, |
854 | unsigned long *swp) | |
1da177e4 | 855 | { |
7ca7e564 ND |
856 | int next_id; |
857 | int total, in_use; | |
1da177e4 LT |
858 | |
859 | *rss = 0; | |
860 | *swp = 0; | |
861 | ||
7ca7e564 ND |
862 | in_use = shm_ids(ns).in_use; |
863 | ||
864 | for (total = 0, next_id = 0; total < in_use; next_id++) { | |
e562aebc | 865 | struct kern_ipc_perm *ipc; |
1da177e4 | 866 | struct shmid_kernel *shp; |
1da177e4 | 867 | |
e562aebc TB |
868 | ipc = idr_find(&shm_ids(ns).ipcs_idr, next_id); |
869 | if (ipc == NULL) | |
1da177e4 | 870 | continue; |
e562aebc | 871 | shp = container_of(ipc, struct shmid_kernel, shm_perm); |
1da177e4 | 872 | |
b7952180 | 873 | shm_add_rss_swap(shp, rss, swp); |
7ca7e564 ND |
874 | |
875 | total++; | |
1da177e4 LT |
876 | } |
877 | } | |
878 | ||
8d4cc8b5 | 879 | /* |
d9a605e4 | 880 | * This function handles some shmctl commands which require the rwsem |
8d4cc8b5 | 881 | * to be held in write mode. |
d9a605e4 | 882 | * NOTE: no locks must be held, the rwsem is taken inside this function. |
8d4cc8b5 PP |
883 | */ |
884 | static int shmctl_down(struct ipc_namespace *ns, int shmid, int cmd, | |
9ba720c1 | 885 | struct shmid64_ds *shmid64) |
1da177e4 | 886 | { |
8d4cc8b5 | 887 | struct kern_ipc_perm *ipcp; |
8d4cc8b5 PP |
888 | struct shmid_kernel *shp; |
889 | int err; | |
890 | ||
d9a605e4 | 891 | down_write(&shm_ids(ns).rwsem); |
7b4cc5d8 DB |
892 | rcu_read_lock(); |
893 | ||
4241c1a3 | 894 | ipcp = ipcctl_obtain_check(ns, &shm_ids(ns), shmid, cmd, |
9ba720c1 | 895 | &shmid64->shm_perm, 0); |
7b4cc5d8 DB |
896 | if (IS_ERR(ipcp)) { |
897 | err = PTR_ERR(ipcp); | |
7b4cc5d8 DB |
898 | goto out_unlock1; |
899 | } | |
8d4cc8b5 | 900 | |
a5f75e7f | 901 | shp = container_of(ipcp, struct shmid_kernel, shm_perm); |
8d4cc8b5 | 902 | |
7191adff | 903 | err = security_shm_shmctl(&shp->shm_perm, cmd); |
8d4cc8b5 | 904 | if (err) |
79ccf0f8 | 905 | goto out_unlock1; |
7b4cc5d8 | 906 | |
8d4cc8b5 PP |
907 | switch (cmd) { |
908 | case IPC_RMID: | |
79ccf0f8 | 909 | ipc_lock_object(&shp->shm_perm); |
7b4cc5d8 | 910 | /* do_shm_rmid unlocks the ipc object and rcu */ |
8d4cc8b5 PP |
911 | do_shm_rmid(ns, ipcp); |
912 | goto out_up; | |
913 | case IPC_SET: | |
79ccf0f8 | 914 | ipc_lock_object(&shp->shm_perm); |
9ba720c1 | 915 | err = ipc_update_perm(&shmid64->shm_perm, ipcp); |
1efdb69b | 916 | if (err) |
7b4cc5d8 | 917 | goto out_unlock0; |
7ff2819e | 918 | shp->shm_ctim = ktime_get_real_seconds(); |
8d4cc8b5 PP |
919 | break; |
920 | default: | |
921 | err = -EINVAL; | |
79ccf0f8 | 922 | goto out_unlock1; |
8d4cc8b5 | 923 | } |
7b4cc5d8 DB |
924 | |
925 | out_unlock0: | |
926 | ipc_unlock_object(&shp->shm_perm); | |
927 | out_unlock1: | |
928 | rcu_read_unlock(); | |
8d4cc8b5 | 929 | out_up: |
d9a605e4 | 930 | up_write(&shm_ids(ns).rwsem); |
8d4cc8b5 PP |
931 | return err; |
932 | } | |
933 | ||
9ba720c1 AV |
934 | static int shmctl_ipc_info(struct ipc_namespace *ns, |
935 | struct shminfo64 *shminfo) | |
8d4cc8b5 | 936 | { |
9ba720c1 AV |
937 | int err = security_shm_shmctl(NULL, IPC_INFO); |
938 | if (!err) { | |
939 | memset(shminfo, 0, sizeof(*shminfo)); | |
940 | shminfo->shmmni = shminfo->shmseg = ns->shm_ctlmni; | |
941 | shminfo->shmmax = ns->shm_ctlmax; | |
942 | shminfo->shmall = ns->shm_ctlall; | |
943 | shminfo->shmmin = SHMMIN; | |
d9a605e4 | 944 | down_read(&shm_ids(ns).rwsem); |
27c331a1 | 945 | err = ipc_get_maxidx(&shm_ids(ns)); |
d9a605e4 | 946 | up_read(&shm_ids(ns).rwsem); |
239521f3 | 947 | if (err < 0) |
1da177e4 | 948 | err = 0; |
1da177e4 | 949 | } |
9ba720c1 AV |
950 | return err; |
951 | } | |
1da177e4 | 952 | |
9ba720c1 AV |
953 | static int shmctl_shm_info(struct ipc_namespace *ns, |
954 | struct shm_info *shm_info) | |
955 | { | |
956 | int err = security_shm_shmctl(NULL, SHM_INFO); | |
957 | if (!err) { | |
958 | memset(shm_info, 0, sizeof(*shm_info)); | |
d9a605e4 | 959 | down_read(&shm_ids(ns).rwsem); |
9ba720c1 AV |
960 | shm_info->used_ids = shm_ids(ns).in_use; |
961 | shm_get_stat(ns, &shm_info->shm_rss, &shm_info->shm_swp); | |
962 | shm_info->shm_tot = ns->shm_tot; | |
963 | shm_info->swap_attempts = 0; | |
964 | shm_info->swap_successes = 0; | |
27c331a1 | 965 | err = ipc_get_maxidx(&shm_ids(ns)); |
d9a605e4 | 966 | up_read(&shm_ids(ns).rwsem); |
9ba720c1 AV |
967 | if (err < 0) |
968 | err = 0; | |
1da177e4 | 969 | } |
9ba720c1 AV |
970 | return err; |
971 | } | |
c97cb9cc | 972 | |
9ba720c1 AV |
973 | static int shmctl_stat(struct ipc_namespace *ns, int shmid, |
974 | int cmd, struct shmid64_ds *tbuf) | |
975 | { | |
976 | struct shmid_kernel *shp; | |
9ba720c1 | 977 | int err; |
c97cb9cc | 978 | |
87ad4b0d PM |
979 | memset(tbuf, 0, sizeof(*tbuf)); |
980 | ||
9ba720c1 | 981 | rcu_read_lock(); |
c21a6970 | 982 | if (cmd == SHM_STAT || cmd == SHM_STAT_ANY) { |
9ba720c1 AV |
983 | shp = shm_obtain_object(ns, shmid); |
984 | if (IS_ERR(shp)) { | |
985 | err = PTR_ERR(shp); | |
986 | goto out_unlock; | |
987 | } | |
c21a6970 | 988 | } else { /* IPC_STAT */ |
9ba720c1 AV |
989 | shp = shm_obtain_object_check(ns, shmid); |
990 | if (IS_ERR(shp)) { | |
991 | err = PTR_ERR(shp); | |
1da177e4 | 992 | goto out_unlock; |
1da177e4 | 993 | } |
9ba720c1 | 994 | } |
1da177e4 | 995 | |
c21a6970 DB |
996 | /* |
997 | * Semantically SHM_STAT_ANY ought to be identical to | |
998 | * that functionality provided by the /proc/sysvipc/ | |
999 | * interface. As such, only audit these calls and | |
1000 | * do not do traditional S_IRUGO permission checks on | |
1001 | * the ipc object. | |
1002 | */ | |
1003 | if (cmd == SHM_STAT_ANY) | |
1004 | audit_ipc_obj(&shp->shm_perm); | |
1005 | else { | |
1006 | err = -EACCES; | |
1007 | if (ipcperms(ns, &shp->shm_perm, S_IRUGO)) | |
1008 | goto out_unlock; | |
1009 | } | |
c97cb9cc | 1010 | |
7191adff | 1011 | err = security_shm_shmctl(&shp->shm_perm, cmd); |
9ba720c1 AV |
1012 | if (err) |
1013 | goto out_unlock; | |
1014 | ||
87ad4b0d PM |
1015 | ipc_lock_object(&shp->shm_perm); |
1016 | ||
1017 | if (!ipc_valid_object(&shp->shm_perm)) { | |
1018 | ipc_unlock_object(&shp->shm_perm); | |
1019 | err = -EIDRM; | |
1020 | goto out_unlock; | |
1021 | } | |
1022 | ||
9ba720c1 AV |
1023 | kernel_to_ipc64_perm(&shp->shm_perm, &tbuf->shm_perm); |
1024 | tbuf->shm_segsz = shp->shm_segsz; | |
1025 | tbuf->shm_atime = shp->shm_atim; | |
1026 | tbuf->shm_dtime = shp->shm_dtim; | |
1027 | tbuf->shm_ctime = shp->shm_ctim; | |
c2ab975c AB |
1028 | #ifndef CONFIG_64BIT |
1029 | tbuf->shm_atime_high = shp->shm_atim >> 32; | |
1030 | tbuf->shm_dtime_high = shp->shm_dtim >> 32; | |
1031 | tbuf->shm_ctime_high = shp->shm_ctim >> 32; | |
1032 | #endif | |
98f929b1 EB |
1033 | tbuf->shm_cpid = pid_vnr(shp->shm_cprid); |
1034 | tbuf->shm_lpid = pid_vnr(shp->shm_lprid); | |
9ba720c1 | 1035 | tbuf->shm_nattch = shp->shm_nattch; |
87ad4b0d | 1036 | |
615c999c MS |
1037 | if (cmd == IPC_STAT) { |
1038 | /* | |
1039 | * As defined in SUS: | |
1040 | * Return 0 on success | |
1041 | */ | |
1042 | err = 0; | |
1043 | } else { | |
1044 | /* | |
1045 | * SHM_STAT and SHM_STAT_ANY (both Linux specific) | |
1046 | * Return the full id, including the sequence number | |
1047 | */ | |
1048 | err = shp->shm_perm.id; | |
1049 | } | |
68eccc1d | 1050 | |
615c999c | 1051 | ipc_unlock_object(&shp->shm_perm); |
68eccc1d | 1052 | out_unlock: |
c97cb9cc | 1053 | rcu_read_unlock(); |
68eccc1d DB |
1054 | return err; |
1055 | } | |
1056 | ||
9ba720c1 | 1057 | static int shmctl_do_lock(struct ipc_namespace *ns, int shmid, int cmd) |
68eccc1d DB |
1058 | { |
1059 | struct shmid_kernel *shp; | |
9ba720c1 AV |
1060 | struct file *shm_file; |
1061 | int err; | |
68eccc1d | 1062 | |
9ba720c1 AV |
1063 | rcu_read_lock(); |
1064 | shp = shm_obtain_object_check(ns, shmid); | |
1065 | if (IS_ERR(shp)) { | |
1066 | err = PTR_ERR(shp); | |
1067 | goto out_unlock1; | |
1da177e4 | 1068 | } |
c97cb9cc | 1069 | |
9ba720c1 | 1070 | audit_ipc_obj(&(shp->shm_perm)); |
7191adff | 1071 | err = security_shm_shmctl(&shp->shm_perm, cmd); |
9ba720c1 AV |
1072 | if (err) |
1073 | goto out_unlock1; | |
c97cb9cc | 1074 | |
9ba720c1 | 1075 | ipc_lock_object(&shp->shm_perm); |
c97cb9cc | 1076 | |
9ba720c1 AV |
1077 | /* check if shm_destroy() is tearing down shp */ |
1078 | if (!ipc_valid_object(&shp->shm_perm)) { | |
1079 | err = -EIDRM; | |
1080 | goto out_unlock0; | |
1da177e4 | 1081 | } |
073115d6 | 1082 | |
9ba720c1 AV |
1083 | if (!ns_capable(ns->user_ns, CAP_IPC_LOCK)) { |
1084 | kuid_t euid = current_euid(); | |
0f3d2b01 | 1085 | |
9ba720c1 AV |
1086 | if (!uid_eq(euid, shp->shm_perm.uid) && |
1087 | !uid_eq(euid, shp->shm_perm.cuid)) { | |
1088 | err = -EPERM; | |
0f3d2b01 RA |
1089 | goto out_unlock0; |
1090 | } | |
9ba720c1 AV |
1091 | if (cmd == SHM_LOCK && !rlimit(RLIMIT_MEMLOCK)) { |
1092 | err = -EPERM; | |
1093 | goto out_unlock0; | |
1da177e4 | 1094 | } |
68eccc1d DB |
1095 | } |
1096 | ||
9ba720c1 AV |
1097 | shm_file = shp->shm_file; |
1098 | if (is_file_hugepages(shm_file)) | |
1099 | goto out_unlock0; | |
85046579 | 1100 | |
9ba720c1 | 1101 | if (cmd == SHM_LOCK) { |
d7c9e99a | 1102 | struct ucounts *ucounts = current_ucounts(); |
63980c80 | 1103 | |
d7c9e99a | 1104 | err = shmem_lock(shm_file, 1, ucounts); |
9ba720c1 AV |
1105 | if (!err && !(shp->shm_perm.mode & SHM_LOCKED)) { |
1106 | shp->shm_perm.mode |= SHM_LOCKED; | |
d7c9e99a | 1107 | shp->mlock_ucounts = ucounts; |
1da177e4 | 1108 | } |
9ba720c1 | 1109 | goto out_unlock0; |
1da177e4 LT |
1110 | } |
1111 | ||
9ba720c1 AV |
1112 | /* SHM_UNLOCK */ |
1113 | if (!(shp->shm_perm.mode & SHM_LOCKED)) | |
1114 | goto out_unlock0; | |
d7c9e99a | 1115 | shmem_lock(shm_file, 0, shp->mlock_ucounts); |
9ba720c1 | 1116 | shp->shm_perm.mode &= ~SHM_LOCKED; |
d7c9e99a | 1117 | shp->mlock_ucounts = NULL; |
9ba720c1 AV |
1118 | get_file(shm_file); |
1119 | ipc_unlock_object(&shp->shm_perm); | |
1120 | rcu_read_unlock(); | |
1121 | shmem_unlock_mapping(shm_file->f_mapping); | |
1122 | ||
1123 | fput(shm_file); | |
1124 | return err; | |
1125 | ||
2caacaa8 DB |
1126 | out_unlock0: |
1127 | ipc_unlock_object(&shp->shm_perm); | |
1128 | out_unlock1: | |
c97cb9cc | 1129 | rcu_read_unlock(); |
68eccc1d DB |
1130 | return err; |
1131 | } | |
1132 | ||
275f2214 | 1133 | static long ksys_shmctl(int shmid, int cmd, struct shmid_ds __user *buf, int version) |
68eccc1d | 1134 | { |
275f2214 | 1135 | int err; |
68eccc1d | 1136 | struct ipc_namespace *ns; |
553f770e | 1137 | struct shmid64_ds sem64; |
68eccc1d | 1138 | |
2caacaa8 DB |
1139 | if (cmd < 0 || shmid < 0) |
1140 | return -EINVAL; | |
68eccc1d | 1141 | |
68eccc1d DB |
1142 | ns = current->nsproxy->ipc_ns; |
1143 | ||
1144 | switch (cmd) { | |
9ba720c1 AV |
1145 | case IPC_INFO: { |
1146 | struct shminfo64 shminfo; | |
1147 | err = shmctl_ipc_info(ns, &shminfo); | |
1148 | if (err < 0) | |
1149 | return err; | |
1150 | if (copy_shminfo_to_user(buf, &shminfo, version)) | |
1151 | err = -EFAULT; | |
1152 | return err; | |
1153 | } | |
1154 | case SHM_INFO: { | |
1155 | struct shm_info shm_info; | |
1156 | err = shmctl_shm_info(ns, &shm_info); | |
1157 | if (err < 0) | |
1158 | return err; | |
1159 | if (copy_to_user(buf, &shm_info, sizeof(shm_info))) | |
1160 | err = -EFAULT; | |
1161 | return err; | |
1162 | } | |
68eccc1d | 1163 | case SHM_STAT: |
c21a6970 | 1164 | case SHM_STAT_ANY: |
9ba720c1 | 1165 | case IPC_STAT: { |
553f770e | 1166 | err = shmctl_stat(ns, shmid, cmd, &sem64); |
9ba720c1 AV |
1167 | if (err < 0) |
1168 | return err; | |
553f770e | 1169 | if (copy_shmid_to_user(buf, &sem64, version)) |
9ba720c1 AV |
1170 | err = -EFAULT; |
1171 | return err; | |
1172 | } | |
2caacaa8 | 1173 | case IPC_SET: |
553f770e | 1174 | if (copy_shmid_from_user(&sem64, buf, version)) |
9ba720c1 | 1175 | return -EFAULT; |
df561f66 | 1176 | fallthrough; |
9ba720c1 | 1177 | case IPC_RMID: |
553f770e | 1178 | return shmctl_down(ns, shmid, cmd, &sem64); |
1da177e4 LT |
1179 | case SHM_LOCK: |
1180 | case SHM_UNLOCK: | |
9ba720c1 AV |
1181 | return shmctl_do_lock(ns, shmid, cmd); |
1182 | default: | |
1183 | return -EINVAL; | |
1184 | } | |
1185 | } | |
89e004ea | 1186 | |
c84d0791 DB |
1187 | SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf) |
1188 | { | |
275f2214 AB |
1189 | return ksys_shmctl(shmid, cmd, buf, IPC_64); |
1190 | } | |
1191 | ||
1192 | #ifdef CONFIG_ARCH_WANT_IPC_PARSE_VERSION | |
1193 | long ksys_old_shmctl(int shmid, int cmd, struct shmid_ds __user *buf) | |
1194 | { | |
1195 | int version = ipc_parse_version(&cmd); | |
1196 | ||
1197 | return ksys_shmctl(shmid, cmd, buf, version); | |
1198 | } | |
1199 | ||
1200 | SYSCALL_DEFINE3(old_shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf) | |
1201 | { | |
1202 | return ksys_old_shmctl(shmid, cmd, buf); | |
c84d0791 | 1203 | } |
275f2214 | 1204 | #endif |
c84d0791 | 1205 | |
553f770e AV |
1206 | #ifdef CONFIG_COMPAT |
1207 | ||
1208 | struct compat_shmid_ds { | |
1209 | struct compat_ipc_perm shm_perm; | |
1210 | int shm_segsz; | |
9afc5eee AB |
1211 | old_time32_t shm_atime; |
1212 | old_time32_t shm_dtime; | |
1213 | old_time32_t shm_ctime; | |
553f770e AV |
1214 | compat_ipc_pid_t shm_cpid; |
1215 | compat_ipc_pid_t shm_lpid; | |
1216 | unsigned short shm_nattch; | |
1217 | unsigned short shm_unused; | |
1218 | compat_uptr_t shm_unused2; | |
1219 | compat_uptr_t shm_unused3; | |
1220 | }; | |
1da177e4 | 1221 | |
553f770e AV |
1222 | struct compat_shminfo64 { |
1223 | compat_ulong_t shmmax; | |
1224 | compat_ulong_t shmmin; | |
1225 | compat_ulong_t shmmni; | |
1226 | compat_ulong_t shmseg; | |
1227 | compat_ulong_t shmall; | |
1228 | compat_ulong_t __unused1; | |
1229 | compat_ulong_t __unused2; | |
1230 | compat_ulong_t __unused3; | |
1231 | compat_ulong_t __unused4; | |
1232 | }; | |
073115d6 | 1233 | |
553f770e AV |
1234 | struct compat_shm_info { |
1235 | compat_int_t used_ids; | |
1236 | compat_ulong_t shm_tot, shm_rss, shm_swp; | |
1237 | compat_ulong_t swap_attempts, swap_successes; | |
1238 | }; | |
0f3d2b01 | 1239 | |
553f770e AV |
1240 | static int copy_compat_shminfo_to_user(void __user *buf, struct shminfo64 *in, |
1241 | int version) | |
1242 | { | |
1243 | if (in->shmmax > INT_MAX) | |
1244 | in->shmmax = INT_MAX; | |
1245 | if (version == IPC_64) { | |
1246 | struct compat_shminfo64 info; | |
1247 | memset(&info, 0, sizeof(info)); | |
1248 | info.shmmax = in->shmmax; | |
1249 | info.shmmin = in->shmmin; | |
1250 | info.shmmni = in->shmmni; | |
1251 | info.shmseg = in->shmseg; | |
1252 | info.shmall = in->shmall; | |
1253 | return copy_to_user(buf, &info, sizeof(info)); | |
1254 | } else { | |
1255 | struct shminfo info; | |
1256 | memset(&info, 0, sizeof(info)); | |
1257 | info.shmmax = in->shmmax; | |
1258 | info.shmmin = in->shmmin; | |
1259 | info.shmmni = in->shmmni; | |
1260 | info.shmseg = in->shmseg; | |
1261 | info.shmall = in->shmall; | |
1262 | return copy_to_user(buf, &info, sizeof(info)); | |
1263 | } | |
1264 | } | |
0f3d2b01 | 1265 | |
553f770e AV |
1266 | static int put_compat_shm_info(struct shm_info *ip, |
1267 | struct compat_shm_info __user *uip) | |
1268 | { | |
1269 | struct compat_shm_info info; | |
1270 | ||
1271 | memset(&info, 0, sizeof(info)); | |
1272 | info.used_ids = ip->used_ids; | |
1273 | info.shm_tot = ip->shm_tot; | |
1274 | info.shm_rss = ip->shm_rss; | |
1275 | info.shm_swp = ip->shm_swp; | |
1276 | info.swap_attempts = ip->swap_attempts; | |
1277 | info.swap_successes = ip->swap_successes; | |
b776e4b1 | 1278 | return copy_to_user(uip, &info, sizeof(info)); |
553f770e | 1279 | } |
1da177e4 | 1280 | |
553f770e AV |
1281 | static int copy_compat_shmid_to_user(void __user *buf, struct shmid64_ds *in, |
1282 | int version) | |
1283 | { | |
1284 | if (version == IPC_64) { | |
1285 | struct compat_shmid64_ds v; | |
1286 | memset(&v, 0, sizeof(v)); | |
28327fae | 1287 | to_compat_ipc64_perm(&v.shm_perm, &in->shm_perm); |
c2ab975c AB |
1288 | v.shm_atime = lower_32_bits(in->shm_atime); |
1289 | v.shm_atime_high = upper_32_bits(in->shm_atime); | |
1290 | v.shm_dtime = lower_32_bits(in->shm_dtime); | |
1291 | v.shm_dtime_high = upper_32_bits(in->shm_dtime); | |
1292 | v.shm_ctime = lower_32_bits(in->shm_ctime); | |
1293 | v.shm_ctime_high = upper_32_bits(in->shm_ctime); | |
553f770e AV |
1294 | v.shm_segsz = in->shm_segsz; |
1295 | v.shm_nattch = in->shm_nattch; | |
1296 | v.shm_cpid = in->shm_cpid; | |
1297 | v.shm_lpid = in->shm_lpid; | |
1298 | return copy_to_user(buf, &v, sizeof(v)); | |
1299 | } else { | |
1300 | struct compat_shmid_ds v; | |
1301 | memset(&v, 0, sizeof(v)); | |
28327fae | 1302 | to_compat_ipc_perm(&v.shm_perm, &in->shm_perm); |
553f770e | 1303 | v.shm_perm.key = in->shm_perm.key; |
553f770e AV |
1304 | v.shm_atime = in->shm_atime; |
1305 | v.shm_dtime = in->shm_dtime; | |
1306 | v.shm_ctime = in->shm_ctime; | |
1307 | v.shm_segsz = in->shm_segsz; | |
1308 | v.shm_nattch = in->shm_nattch; | |
1309 | v.shm_cpid = in->shm_cpid; | |
1310 | v.shm_lpid = in->shm_lpid; | |
1311 | return copy_to_user(buf, &v, sizeof(v)); | |
1312 | } | |
1313 | } | |
85046579 | 1314 | |
553f770e AV |
1315 | static int copy_compat_shmid_from_user(struct shmid64_ds *out, void __user *buf, |
1316 | int version) | |
1317 | { | |
1318 | memset(out, 0, sizeof(*out)); | |
1319 | if (version == IPC_64) { | |
6aa211e8 | 1320 | struct compat_shmid64_ds __user *p = buf; |
28327fae | 1321 | return get_compat_ipc64_perm(&out->shm_perm, &p->shm_perm); |
553f770e | 1322 | } else { |
6aa211e8 | 1323 | struct compat_shmid_ds __user *p = buf; |
28327fae | 1324 | return get_compat_ipc_perm(&out->shm_perm, &p->shm_perm); |
553f770e | 1325 | } |
553f770e | 1326 | } |
63980c80 | 1327 | |
1cd377ba | 1328 | static long compat_ksys_shmctl(int shmid, int cmd, void __user *uptr, int version) |
553f770e AV |
1329 | { |
1330 | struct ipc_namespace *ns; | |
1331 | struct shmid64_ds sem64; | |
553f770e | 1332 | int err; |
85046579 | 1333 | |
553f770e AV |
1334 | ns = current->nsproxy->ipc_ns; |
1335 | ||
1336 | if (cmd < 0 || shmid < 0) | |
1337 | return -EINVAL; | |
2caacaa8 | 1338 | |
553f770e AV |
1339 | switch (cmd) { |
1340 | case IPC_INFO: { | |
1341 | struct shminfo64 shminfo; | |
1342 | err = shmctl_ipc_info(ns, &shminfo); | |
1343 | if (err < 0) | |
1344 | return err; | |
1345 | if (copy_compat_shminfo_to_user(uptr, &shminfo, version)) | |
1346 | err = -EFAULT; | |
1347 | return err; | |
1348 | } | |
1349 | case SHM_INFO: { | |
1350 | struct shm_info shm_info; | |
1351 | err = shmctl_shm_info(ns, &shm_info); | |
1352 | if (err < 0) | |
1353 | return err; | |
1354 | if (put_compat_shm_info(&shm_info, uptr)) | |
1355 | err = -EFAULT; | |
8d4cc8b5 | 1356 | return err; |
2caacaa8 | 1357 | } |
553f770e | 1358 | case IPC_STAT: |
c21a6970 | 1359 | case SHM_STAT_ANY: |
553f770e AV |
1360 | case SHM_STAT: |
1361 | err = shmctl_stat(ns, shmid, cmd, &sem64); | |
1362 | if (err < 0) | |
1363 | return err; | |
58aff0af | 1364 | if (copy_compat_shmid_to_user(uptr, &sem64, version)) |
553f770e AV |
1365 | err = -EFAULT; |
1366 | return err; | |
1367 | ||
1368 | case IPC_SET: | |
1369 | if (copy_compat_shmid_from_user(&sem64, uptr, version)) | |
1370 | return -EFAULT; | |
df561f66 | 1371 | fallthrough; |
553f770e AV |
1372 | case IPC_RMID: |
1373 | return shmctl_down(ns, shmid, cmd, &sem64); | |
1374 | case SHM_LOCK: | |
1375 | case SHM_UNLOCK: | |
1376 | return shmctl_do_lock(ns, shmid, cmd); | |
1da177e4 | 1377 | default: |
8d4cc8b5 | 1378 | return -EINVAL; |
1da177e4 | 1379 | } |
1da177e4 LT |
1380 | return err; |
1381 | } | |
c84d0791 DB |
1382 | |
1383 | COMPAT_SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, void __user *, uptr) | |
1384 | { | |
275f2214 | 1385 | return compat_ksys_shmctl(shmid, cmd, uptr, IPC_64); |
c84d0791 | 1386 | } |
275f2214 AB |
1387 | |
1388 | #ifdef CONFIG_ARCH_WANT_COMPAT_IPC_PARSE_VERSION | |
1389 | long compat_ksys_old_shmctl(int shmid, int cmd, void __user *uptr) | |
1390 | { | |
1391 | int version = compat_ipc_parse_version(&cmd); | |
1392 | ||
1393 | return compat_ksys_shmctl(shmid, cmd, uptr, version); | |
1394 | } | |
1395 | ||
1396 | COMPAT_SYSCALL_DEFINE3(old_shmctl, int, shmid, int, cmd, void __user *, uptr) | |
1397 | { | |
1398 | return compat_ksys_old_shmctl(shmid, cmd, uptr); | |
1399 | } | |
1400 | #endif | |
553f770e | 1401 | #endif |
1da177e4 LT |
1402 | |
1403 | /* | |
1404 | * Fix shmaddr, allocate descriptor, map shm, add attach descriptor to lists. | |
1405 | * | |
1406 | * NOTE! Despite the name, this is NOT a direct system call entrypoint. The | |
1407 | * "raddr" thing points to kernel space, and there has to be a wrapper around | |
1408 | * this. | |
1409 | */ | |
95e91b83 DB |
1410 | long do_shmat(int shmid, char __user *shmaddr, int shmflg, |
1411 | ulong *raddr, unsigned long shmlba) | |
1da177e4 LT |
1412 | { |
1413 | struct shmid_kernel *shp; | |
f0cb8802 | 1414 | unsigned long addr = (unsigned long)shmaddr; |
1da177e4 | 1415 | unsigned long size; |
4f089acc | 1416 | struct file *file, *base; |
1da177e4 | 1417 | int err; |
f0cb8802 | 1418 | unsigned long flags = MAP_SHARED; |
1da177e4 | 1419 | unsigned long prot; |
1da177e4 | 1420 | int acc_mode; |
4e982311 | 1421 | struct ipc_namespace *ns; |
bc56bba8 | 1422 | struct shm_file_data *sfd; |
c9c554f2 | 1423 | int f_flags; |
41badc15 | 1424 | unsigned long populate = 0; |
1da177e4 | 1425 | |
bc56bba8 EB |
1426 | err = -EINVAL; |
1427 | if (shmid < 0) | |
1da177e4 | 1428 | goto out; |
f0cb8802 DB |
1429 | |
1430 | if (addr) { | |
079a96ae | 1431 | if (addr & (shmlba - 1)) { |
8f89c007 | 1432 | if (shmflg & SHM_RND) { |
a73ab244 | 1433 | addr &= ~(shmlba - 1); /* round down */ |
8f89c007 DB |
1434 | |
1435 | /* | |
1436 | * Ensure that the round-down is non-nil | |
1437 | * when remapping. This can happen for | |
1438 | * cases when addr < shmlba. | |
1439 | */ | |
1440 | if (!addr && (shmflg & SHM_REMAP)) | |
1441 | goto out; | |
1442 | } else | |
1da177e4 LT |
1443 | #ifndef __ARCH_FORCE_SHMLBA |
1444 | if (addr & ~PAGE_MASK) | |
1445 | #endif | |
bc56bba8 | 1446 | goto out; |
1da177e4 | 1447 | } |
1da177e4 | 1448 | |
f0cb8802 DB |
1449 | flags |= MAP_FIXED; |
1450 | } else if ((shmflg & SHM_REMAP)) | |
1451 | goto out; | |
1da177e4 LT |
1452 | |
1453 | if (shmflg & SHM_RDONLY) { | |
1454 | prot = PROT_READ; | |
1da177e4 | 1455 | acc_mode = S_IRUGO; |
c9c554f2 | 1456 | f_flags = O_RDONLY; |
1da177e4 LT |
1457 | } else { |
1458 | prot = PROT_READ | PROT_WRITE; | |
1da177e4 | 1459 | acc_mode = S_IRUGO | S_IWUGO; |
c9c554f2 | 1460 | f_flags = O_RDWR; |
1da177e4 LT |
1461 | } |
1462 | if (shmflg & SHM_EXEC) { | |
1463 | prot |= PROT_EXEC; | |
1464 | acc_mode |= S_IXUGO; | |
1465 | } | |
1466 | ||
1467 | /* | |
1468 | * We cannot rely on the fs check since SYSV IPC does have an | |
1469 | * additional creator id... | |
1470 | */ | |
4e982311 | 1471 | ns = current->nsproxy->ipc_ns; |
c2c737a0 DB |
1472 | rcu_read_lock(); |
1473 | shp = shm_obtain_object_check(ns, shmid); | |
023a5355 ND |
1474 | if (IS_ERR(shp)) { |
1475 | err = PTR_ERR(shp); | |
c2c737a0 | 1476 | goto out_unlock; |
023a5355 | 1477 | } |
bc56bba8 EB |
1478 | |
1479 | err = -EACCES; | |
b0e77598 | 1480 | if (ipcperms(ns, &shp->shm_perm, acc_mode)) |
bc56bba8 | 1481 | goto out_unlock; |
1da177e4 | 1482 | |
7191adff | 1483 | err = security_shm_shmat(&shp->shm_perm, shmaddr, shmflg); |
bc56bba8 EB |
1484 | if (err) |
1485 | goto out_unlock; | |
1486 | ||
c2c737a0 | 1487 | ipc_lock_object(&shp->shm_perm); |
a399b29d GT |
1488 | |
1489 | /* check if shm_destroy() is tearing down shp */ | |
0f3d2b01 | 1490 | if (!ipc_valid_object(&shp->shm_perm)) { |
a399b29d GT |
1491 | ipc_unlock_object(&shp->shm_perm); |
1492 | err = -EIDRM; | |
1493 | goto out_unlock; | |
1494 | } | |
1495 | ||
4f089acc AV |
1496 | /* |
1497 | * We need to take a reference to the real shm file to prevent the | |
1498 | * pointer from becoming stale in cases where the lifetime of the outer | |
1499 | * file extends beyond that of the shm segment. It's not usually | |
1500 | * possible, but it can happen during remap_file_pages() emulation as | |
1501 | * that unmaps the memory, then does ->mmap() via file reference only. | |
1502 | * We'll deny the ->mmap() if the shm segment was since removed, but to | |
1503 | * detect shm ID reuse we need to compare the file pointers. | |
1504 | */ | |
1505 | base = get_file(shp->shm_file); | |
1da177e4 | 1506 | shp->shm_nattch++; |
4f089acc | 1507 | size = i_size_read(file_inode(base)); |
c2c737a0 DB |
1508 | ipc_unlock_object(&shp->shm_perm); |
1509 | rcu_read_unlock(); | |
1da177e4 | 1510 | |
bc56bba8 EB |
1511 | err = -ENOMEM; |
1512 | sfd = kzalloc(sizeof(*sfd), GFP_KERNEL); | |
f42569b1 | 1513 | if (!sfd) { |
4f089acc | 1514 | fput(base); |
f42569b1 DB |
1515 | goto out_nattch; |
1516 | } | |
bc56bba8 | 1517 | |
4f089acc AV |
1518 | file = alloc_file_clone(base, f_flags, |
1519 | is_file_hugepages(base) ? | |
c4caa778 AV |
1520 | &shm_file_operations_huge : |
1521 | &shm_file_operations); | |
39b65252 | 1522 | err = PTR_ERR(file); |
f42569b1 DB |
1523 | if (IS_ERR(file)) { |
1524 | kfree(sfd); | |
4f089acc | 1525 | fput(base); |
f42569b1 DB |
1526 | goto out_nattch; |
1527 | } | |
bc56bba8 | 1528 | |
7ca7e564 | 1529 | sfd->id = shp->shm_perm.id; |
bc56bba8 | 1530 | sfd->ns = get_ipc_ns(ns); |
4f089acc | 1531 | sfd->file = base; |
bc56bba8 | 1532 | sfd->vm_ops = NULL; |
4f089acc | 1533 | file->private_data = sfd; |
bc56bba8 | 1534 | |
8b3ec681 AV |
1535 | err = security_mmap_file(file, prot, flags); |
1536 | if (err) | |
1537 | goto out_fput; | |
1538 | ||
d8ed45c5 | 1539 | if (mmap_write_lock_killable(current->mm)) { |
91f4f94e MH |
1540 | err = -EINTR; |
1541 | goto out_fput; | |
1542 | } | |
1543 | ||
1da177e4 | 1544 | if (addr && !(shmflg & SHM_REMAP)) { |
bc56bba8 | 1545 | err = -EINVAL; |
247a8ce8 MS |
1546 | if (addr + size < addr) |
1547 | goto invalid; | |
1548 | ||
1da177e4 LT |
1549 | if (find_vma_intersection(current->mm, addr, addr + size)) |
1550 | goto invalid; | |
1da177e4 | 1551 | } |
f42569b1 | 1552 | |
45e55300 | 1553 | addr = do_mmap(file, addr, size, prot, flags, 0, &populate, NULL); |
bebeb3d6 | 1554 | *raddr = addr; |
bc56bba8 | 1555 | err = 0; |
bebeb3d6 ML |
1556 | if (IS_ERR_VALUE(addr)) |
1557 | err = (long)addr; | |
1da177e4 | 1558 | invalid: |
d8ed45c5 | 1559 | mmap_write_unlock(current->mm); |
bebeb3d6 | 1560 | if (populate) |
41badc15 | 1561 | mm_populate(addr, populate); |
1da177e4 | 1562 | |
8b3ec681 | 1563 | out_fput: |
bc56bba8 EB |
1564 | fput(file); |
1565 | ||
1566 | out_nattch: | |
d9a605e4 | 1567 | down_write(&shm_ids(ns).rwsem); |
00c2bf85 | 1568 | shp = shm_lock(ns, shmid); |
1da177e4 | 1569 | shp->shm_nattch--; |
b34a6b1d | 1570 | if (shm_may_destroy(ns, shp)) |
4e982311 | 1571 | shm_destroy(ns, shp); |
1da177e4 LT |
1572 | else |
1573 | shm_unlock(shp); | |
d9a605e4 | 1574 | up_write(&shm_ids(ns).rwsem); |
1da177e4 | 1575 | return err; |
bc56bba8 EB |
1576 | |
1577 | out_unlock: | |
c2c737a0 | 1578 | rcu_read_unlock(); |
f42569b1 DB |
1579 | out: |
1580 | return err; | |
1da177e4 LT |
1581 | } |
1582 | ||
d5460c99 | 1583 | SYSCALL_DEFINE3(shmat, int, shmid, char __user *, shmaddr, int, shmflg) |
7d87e14c SR |
1584 | { |
1585 | unsigned long ret; | |
1586 | long err; | |
1587 | ||
079a96ae | 1588 | err = do_shmat(shmid, shmaddr, shmflg, &ret, SHMLBA); |
7d87e14c SR |
1589 | if (err) |
1590 | return err; | |
1591 | force_successful_syscall_return(); | |
1592 | return (long)ret; | |
1593 | } | |
1594 | ||
a78ee9ed AV |
1595 | #ifdef CONFIG_COMPAT |
1596 | ||
1597 | #ifndef COMPAT_SHMLBA | |
1598 | #define COMPAT_SHMLBA SHMLBA | |
1599 | #endif | |
1600 | ||
1601 | COMPAT_SYSCALL_DEFINE3(shmat, int, shmid, compat_uptr_t, shmaddr, int, shmflg) | |
1602 | { | |
1603 | unsigned long ret; | |
1604 | long err; | |
1605 | ||
1606 | err = do_shmat(shmid, compat_ptr(shmaddr), shmflg, &ret, COMPAT_SHMLBA); | |
1607 | if (err) | |
1608 | return err; | |
1609 | force_successful_syscall_return(); | |
1610 | return (long)ret; | |
1611 | } | |
1612 | #endif | |
1613 | ||
1da177e4 LT |
1614 | /* |
1615 | * detach and kill segment if marked destroyed. | |
1616 | * The work is done in shm_close. | |
1617 | */ | |
da1e2744 | 1618 | long ksys_shmdt(char __user *shmaddr) |
1da177e4 LT |
1619 | { |
1620 | struct mm_struct *mm = current->mm; | |
586c7e6a | 1621 | struct vm_area_struct *vma; |
1da177e4 | 1622 | unsigned long addr = (unsigned long)shmaddr; |
1da177e4 | 1623 | int retval = -EINVAL; |
586c7e6a MF |
1624 | #ifdef CONFIG_MMU |
1625 | loff_t size = 0; | |
d3c97900 | 1626 | struct file *file; |
586c7e6a MF |
1627 | struct vm_area_struct *next; |
1628 | #endif | |
1da177e4 | 1629 | |
df1e2fb5 HD |
1630 | if (addr & ~PAGE_MASK) |
1631 | return retval; | |
1632 | ||
d8ed45c5 | 1633 | if (mmap_write_lock_killable(mm)) |
91f4f94e | 1634 | return -EINTR; |
1da177e4 LT |
1635 | |
1636 | /* | |
1637 | * This function tries to be smart and unmap shm segments that | |
1638 | * were modified by partial mlock or munmap calls: | |
1639 | * - It first determines the size of the shm segment that should be | |
1640 | * unmapped: It searches for a vma that is backed by shm and that | |
1641 | * started at address shmaddr. It records it's size and then unmaps | |
1642 | * it. | |
1643 | * - Then it unmaps all shm vmas that started at shmaddr and that | |
d3c97900 DH |
1644 | * are within the initially determined size and that are from the |
1645 | * same shm segment from which we determined the size. | |
1da177e4 LT |
1646 | * Errors from do_munmap are ignored: the function only fails if |
1647 | * it's called with invalid parameters or if it's called to unmap | |
1648 | * a part of a vma. Both calls in this function are for full vmas, | |
1649 | * the parameters are directly copied from the vma itself and always | |
1650 | * valid - therefore do_munmap cannot fail. (famous last words?) | |
1651 | */ | |
1652 | /* | |
1653 | * If it had been mremap()'d, the starting address would not | |
1654 | * match the usual checks anyway. So assume all vma's are | |
1655 | * above the starting address given. | |
1656 | */ | |
1657 | vma = find_vma(mm, addr); | |
1658 | ||
8feae131 | 1659 | #ifdef CONFIG_MMU |
1da177e4 LT |
1660 | while (vma) { |
1661 | next = vma->vm_next; | |
1662 | ||
1663 | /* | |
1664 | * Check if the starting address would match, i.e. it's | |
1665 | * a fragment created by mprotect() and/or munmap(), or it | |
1666 | * otherwise it starts at this address with no hassles. | |
1667 | */ | |
bc56bba8 | 1668 | if ((vma->vm_ops == &shm_vm_ops) && |
1da177e4 LT |
1669 | (vma->vm_start - addr)/PAGE_SIZE == vma->vm_pgoff) { |
1670 | ||
d3c97900 DH |
1671 | /* |
1672 | * Record the file of the shm segment being | |
1673 | * unmapped. With mremap(), someone could place | |
1674 | * page from another segment but with equal offsets | |
1675 | * in the range we are unmapping. | |
1676 | */ | |
1677 | file = vma->vm_file; | |
07a46ed2 | 1678 | size = i_size_read(file_inode(vma->vm_file)); |
897ab3e0 | 1679 | do_munmap(mm, vma->vm_start, vma->vm_end - vma->vm_start, NULL); |
1da177e4 LT |
1680 | /* |
1681 | * We discovered the size of the shm segment, so | |
1682 | * break out of here and fall through to the next | |
1683 | * loop that uses the size information to stop | |
1684 | * searching for matching vma's. | |
1685 | */ | |
1686 | retval = 0; | |
1687 | vma = next; | |
1688 | break; | |
1689 | } | |
1690 | vma = next; | |
1691 | } | |
1692 | ||
1693 | /* | |
1694 | * We need look no further than the maximum address a fragment | |
1695 | * could possibly have landed at. Also cast things to loff_t to | |
25985edc | 1696 | * prevent overflows and make comparisons vs. equal-width types. |
1da177e4 | 1697 | */ |
8e36709d | 1698 | size = PAGE_ALIGN(size); |
1da177e4 LT |
1699 | while (vma && (loff_t)(vma->vm_end - addr) <= size) { |
1700 | next = vma->vm_next; | |
1701 | ||
1702 | /* finding a matching vma now does not alter retval */ | |
bc56bba8 | 1703 | if ((vma->vm_ops == &shm_vm_ops) && |
d3c97900 DH |
1704 | ((vma->vm_start - addr)/PAGE_SIZE == vma->vm_pgoff) && |
1705 | (vma->vm_file == file)) | |
897ab3e0 | 1706 | do_munmap(mm, vma->vm_start, vma->vm_end - vma->vm_start, NULL); |
1da177e4 LT |
1707 | vma = next; |
1708 | } | |
1709 | ||
63980c80 | 1710 | #else /* CONFIG_MMU */ |
8feae131 | 1711 | /* under NOMMU conditions, the exact address to be destroyed must be |
63980c80 SP |
1712 | * given |
1713 | */ | |
530fcd16 | 1714 | if (vma && vma->vm_start == addr && vma->vm_ops == &shm_vm_ops) { |
897ab3e0 | 1715 | do_munmap(mm, vma->vm_start, vma->vm_end - vma->vm_start, NULL); |
8feae131 DH |
1716 | retval = 0; |
1717 | } | |
1718 | ||
1719 | #endif | |
1720 | ||
d8ed45c5 | 1721 | mmap_write_unlock(mm); |
1da177e4 LT |
1722 | return retval; |
1723 | } | |
1724 | ||
da1e2744 DB |
1725 | SYSCALL_DEFINE1(shmdt, char __user *, shmaddr) |
1726 | { | |
1727 | return ksys_shmdt(shmaddr); | |
1728 | } | |
1729 | ||
1da177e4 | 1730 | #ifdef CONFIG_PROC_FS |
19b4946c | 1731 | static int sysvipc_shm_proc_show(struct seq_file *s, void *it) |
1da177e4 | 1732 | { |
98f929b1 | 1733 | struct pid_namespace *pid_ns = ipc_seq_pid_ns(s); |
1efdb69b | 1734 | struct user_namespace *user_ns = seq_user_ns(s); |
ade9f91b KC |
1735 | struct kern_ipc_perm *ipcp = it; |
1736 | struct shmid_kernel *shp; | |
b7952180 HD |
1737 | unsigned long rss = 0, swp = 0; |
1738 | ||
ade9f91b | 1739 | shp = container_of(ipcp, struct shmid_kernel, shm_perm); |
b7952180 | 1740 | shm_add_rss_swap(shp, &rss, &swp); |
1da177e4 | 1741 | |
6c826818 PM |
1742 | #if BITS_PER_LONG <= 32 |
1743 | #define SIZE_SPEC "%10lu" | |
1744 | #else | |
1745 | #define SIZE_SPEC "%21lu" | |
1746 | #endif | |
1da177e4 | 1747 | |
7f032d6e JP |
1748 | seq_printf(s, |
1749 | "%10d %10d %4o " SIZE_SPEC " %5u %5u " | |
7ff2819e | 1750 | "%5lu %5u %5u %5u %5u %10llu %10llu %10llu " |
7f032d6e JP |
1751 | SIZE_SPEC " " SIZE_SPEC "\n", |
1752 | shp->shm_perm.key, | |
1753 | shp->shm_perm.id, | |
1754 | shp->shm_perm.mode, | |
1755 | shp->shm_segsz, | |
98f929b1 EB |
1756 | pid_nr_ns(shp->shm_cprid, pid_ns), |
1757 | pid_nr_ns(shp->shm_lprid, pid_ns), | |
7f032d6e JP |
1758 | shp->shm_nattch, |
1759 | from_kuid_munged(user_ns, shp->shm_perm.uid), | |
1760 | from_kgid_munged(user_ns, shp->shm_perm.gid), | |
1761 | from_kuid_munged(user_ns, shp->shm_perm.cuid), | |
1762 | from_kgid_munged(user_ns, shp->shm_perm.cgid), | |
1763 | shp->shm_atim, | |
1764 | shp->shm_dtim, | |
1765 | shp->shm_ctim, | |
1766 | rss * PAGE_SIZE, | |
1767 | swp * PAGE_SIZE); | |
1768 | ||
1769 | return 0; | |
1da177e4 LT |
1770 | } |
1771 | #endif |