License cleanup: add SPDX GPL-2.0 license identifier to files with no license
Many source files in the tree are missing licensing information, which
makes it harder for compliance tools to determine the correct license.
By default all files without license information are under the default
license of the kernel, which is GPL version 2.
Update the files which contain no license information with the 'GPL-2.0'
SPDX license identifier. The SPDX identifier is a legally binding
shorthand, which can be used instead of the full boiler plate text.
This patch is based on work done by Thomas Gleixner and Kate Stewart and
Philippe Ombredanne.
How this work was done:
Patches were generated and checked against linux-4.14-rc6 for a subset of
the use cases:
- file had no licensing information it it.
- file was a */uapi/* one with no licensing information in it,
- file was a */uapi/* one with existing licensing information,
Further patches will be generated in subsequent months to fix up cases
where non-standard license headers were used, and references to license
had to be inferred by heuristics based on keywords.
The analysis to determine which SPDX License Identifier to be applied to
a file was done in a spreadsheet of side by side results from of the
output of two independent scanners (ScanCode & Windriver) producing SPDX
tag:value files created by Philippe Ombredanne. Philippe prepared the
base worksheet, and did an initial spot review of a few 1000 files.
The 4.13 kernel was the starting point of the analysis with 60,537 files
assessed. Kate Stewart did a file by file comparison of the scanner
results in the spreadsheet to determine which SPDX license identifier(s)
to be applied to the file. She confirmed any determination that was not
immediately clear with lawyers working with the Linux Foundation.
Criteria used to select files for SPDX license identifier tagging was:
- Files considered eligible had to be source code files.
- Make and config files were included as candidates if they contained >5
lines of source
- File already had some variant of a license header in it (even if <5
lines).
All documentation files were explicitly excluded.
The following heuristics were used to determine which SPDX license
identifiers to apply.
- when both scanners couldn't find any license traces, file was
considered to have no license information in it, and the top level
COPYING file license applied.
For non */uapi/* files that summary was:
SPDX license identifier # files
---------------------------------------------------|-------
GPL-2.0 11139
and resulted in the first patch in this series.
If that file was a */uapi/* path one, it was "GPL-2.0 WITH
Linux-syscall-note" otherwise it was "GPL-2.0". Results of that was:
SPDX license identifier # files
---------------------------------------------------|-------
GPL-2.0 WITH Linux-syscall-note 930
and resulted in the second patch in this series.
- if a file had some form of licensing information in it, and was one
of the */uapi/* ones, it was denoted with the Linux-syscall-note if
any GPL family license was found in the file or had no licensing in
it (per prior point). Results summary:
SPDX license identifier # files
---------------------------------------------------|------
GPL-2.0 WITH Linux-syscall-note 270
GPL-2.0+ WITH Linux-syscall-note 169
((GPL-2.0 WITH Linux-syscall-note) OR BSD-2-Clause) 21
((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause) 17
LGPL-2.1+ WITH Linux-syscall-note 15
GPL-1.0+ WITH Linux-syscall-note 14
((GPL-2.0+ WITH Linux-syscall-note) OR BSD-3-Clause) 5
LGPL-2.0+ WITH Linux-syscall-note 4
LGPL-2.1 WITH Linux-syscall-note 3
((GPL-2.0 WITH Linux-syscall-note) OR MIT) 3
((GPL-2.0 WITH Linux-syscall-note) AND MIT) 1
and that resulted in the third patch in this series.
- when the two scanners agreed on the detected license(s), that became
the concluded license(s).
- when there was disagreement between the two scanners (one detected a
license but the other didn't, or they both detected different
licenses) a manual inspection of the file occurred.
- In most cases a manual inspection of the information in the file
resulted in a clear resolution of the license that should apply (and
which scanner probably needed to revisit its heuristics).
- When it was not immediately clear, the license identifier was
confirmed with lawyers working with the Linux Foundation.
- If there was any question as to the appropriate license identifier,
the file was flagged for further research and to be revisited later
in time.
In total, over 70 hours of logged manual review was done on the
spreadsheet to determine the SPDX license identifiers to apply to the
source files by Kate, Philippe, Thomas and, in some cases, confirmation
by lawyers working with the Linux Foundation.
Kate also obtained a third independent scan of the 4.13 code base from
FOSSology, and compared selected files where the other two scanners
disagreed against that SPDX file, to see if there was new insights. The
Windriver scanner is based on an older version of FOSSology in part, so
they are related.
Thomas did random spot checks in about 500 files from the spreadsheets
for the uapi headers and agreed with SPDX license identifier in the
files he inspected. For the non-uapi files Thomas did random spot checks
in about 15000 files.
In initial set of patches against 4.14-rc6, 3 files were found to have
copy/paste license identifier errors, and have been fixed to reflect the
correct identifier.
Additionally Philippe spent 10 hours this week doing a detailed manual
inspection and review of the 12,461 patched files from the initial patch
version early this week with:
- a full scancode scan run, collecting the matched texts, detected
license ids and scores
- reviewing anything where there was a license detected (about 500+
files) to ensure that the applied SPDX license was correct
- reviewing anything where there was no detection but the patch license
was not GPL-2.0 WITH Linux-syscall-note to ensure that the applied
SPDX license was correct
This produced a worksheet with 20 files needing minor correction. This
worksheet was then exported into 3 different .csv files for the
different types of files to be modified.
These .csv files were then reviewed by Greg. Thomas wrote a script to
parse the csv files and add the proper SPDX tag to the file, in the
format that the file expected. This script was further refined by Greg
based on the output to detect more types of files automatically and to
distinguish between header and source .c files (which need different
comment types.) Finally Greg ran the script using the .csv files to
generate the patches.
Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org>
Reviewed-by: Philippe Ombredanne <pombredanne@nexb.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-11-01 23:07:57 +09:00
|
|
|
// SPDX-License-Identifier: GPL-2.0
|
2005-04-17 07:20:36 +09:00
|
|
|
/*
|
|
|
|
|
* linux/ipc/msg.c
|
2006-07-30 19:04:11 +09:00
|
|
|
* Copyright (C) 1992 Krishna Balasubramanian
|
2005-04-17 07:20:36 +09:00
|
|
|
*
|
|
|
|
|
* Removed all the remaining kerneld mess
|
|
|
|
|
* Catch the -EFAULT stuff properly
|
|
|
|
|
* Use GFP_KERNEL for messages as in 1.2
|
|
|
|
|
* Fixed up the unchecked user space derefs
|
|
|
|
|
* Copyright (C) 1998 Alan Cox & Andi Kleen
|
|
|
|
|
*
|
|
|
|
|
* /proc/sysvipc/msg support (c) 1999 Dragos Acostachioaie <dragos@iname.com>
|
|
|
|
|
*
|
|
|
|
|
* mostly rewritten, threaded and wake-one semantics added
|
|
|
|
|
* MSGMAX limit removed, sysctl's added
|
2006-01-15 10:43:54 +09:00
|
|
|
* (c) 1999 Manfred Spraul <manfred@colorfullife.com>
|
2006-04-03 06:07:33 +09:00
|
|
|
*
|
|
|
|
|
* support for audit of ipc object properties and permission changes
|
|
|
|
|
* Dustin Kirkland <dustin.kirkland@us.ibm.com>
|
2006-10-02 18:18:21 +09:00
|
|
|
*
|
|
|
|
|
* namespaces support
|
|
|
|
|
* OpenVZ, SWsoft Inc.
|
|
|
|
|
* Pavel Emelianov <xemul@openvz.org>
|
2005-04-17 07:20:36 +09:00
|
|
|
*/
|
|
|
|
|
|
2006-01-12 05:17:46 +09:00
|
|
|
#include <linux/capability.h>
|
2005-04-17 07:20:36 +09:00
|
|
|
#include <linux/msg.h>
|
|
|
|
|
#include <linux/spinlock.h>
|
|
|
|
|
#include <linux/init.h>
|
ipc: scale msgmni to the amount of lowmem
On large systems we'd like to allow a larger number of message queues. In
some cases up to 32K. However simply setting MSGMNI to a larger value may
cause problems for smaller systems.
The first patch of this series introduces a default maximum number of message
queue ids that scales with the amount of lowmem.
Since msgmni is per namespace and there is no amount of memory dedicated to
each namespace so far, the second patch of this series scales msgmni to the
number of ipc namespaces too.
Since msgmni depends on the amount of memory, it becomes necessary to
recompute it upon memory add/remove. In the 4th patch, memory hotplug
management is added: a notifier block is registered into the memory hotplug
notifier chain for the ipc subsystem. Since the ipc namespaces are not linked
together, they have their own notification chain: one notifier_block is
defined per ipc namespace. Each time an ipc namespace is created (removed) it
registers (unregisters) its notifier block in (from) the ipcns chain. The
callback routine registered in the memory chain invokes the ipcns notifier
chain with the IPCNS_MEMCHANGE event. Each callback routine registered in the
ipcns namespace, in turn, recomputes msgmni for the owning namespace.
The 5th patch makes it possible to keep the memory hotplug notifier chain's
lock for a lesser amount of time: instead of directly notifying the ipcns
notifier chain upon memory add/remove, a work item is added to the global
workqueue. When activated, this work item is the one who notifies the ipcns
notifier chain.
Since msgmni depends on the number of ipc namespaces, it becomes necessary to
recompute it upon ipc namespace creation / removal. The 6th patch uses the
ipc namespace notifier chain for that purpose: that chain is notified each
time an ipc namespace is created or removed. This makes it possible to
recompute msgmni for all the namespaces each time one of them is created or
removed.
When msgmni is explicitely set from userspace, we should avoid recomputing it
upon memory add/remove or ipcns creation/removal. This is what the 7th patch
does: it simply unregisters the ipcns callback routine as soon as msgmni has
been changed from procfs or sysctl().
Even if msgmni is set by hand, it should be possible to make it back
automatically recomputed upon memory add/remove or ipcns creation/removal.
This what is achieved in patch 8: if set to a negative value, msgmni is added
back to the ipcns notifier chain, making it automatically recomputed again.
This patch:
Compute msg_ctlmni to make it scale with the amount of lowmem. msg_ctlmni is
now set to make the message queues occupy 1/32 of the available lowmem.
Some cleaning has also been done for the MSGPOOL constant: the msgctl man page
says it's not used, but it also defines it as a size in bytes (the code
expresses it in Kbytes).
Signed-off-by: Nadia Derbey <Nadia.Derbey@bull.net>
Cc: Yasunori Goto <y-goto@jp.fujitsu.com>
Cc: Matt Helsley <matthltc@us.ibm.com>
Cc: Mingming Cao <cmm@us.ibm.com>
Cc: Pierre Peiffer <pierre.peiffer@bull.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-04-29 17:00:39 +09:00
|
|
|
#include <linux/mm.h>
|
2005-04-17 07:20:36 +09:00
|
|
|
#include <linux/proc_fs.h>
|
|
|
|
|
#include <linux/list.h>
|
|
|
|
|
#include <linux/security.h>
|
2017-02-02 00:36:40 +09:00
|
|
|
#include <linux/sched/wake_q.h>
|
2005-04-17 07:20:36 +09:00
|
|
|
#include <linux/syscalls.h>
|
|
|
|
|
#include <linux/audit.h>
|
2005-09-07 07:17:10 +09:00
|
|
|
#include <linux/seq_file.h>
|
2007-10-19 15:40:54 +09:00
|
|
|
#include <linux/rwsem.h>
|
2006-10-02 18:18:21 +09:00
|
|
|
#include <linux/nsproxy.h>
|
2008-02-08 21:18:22 +09:00
|
|
|
#include <linux/ipc_namespace.h>
|
2018-06-18 11:52:50 +09:00
|
|
|
#include <linux/rhashtable.h>
|
2006-03-26 18:37:17 +09:00
|
|
|
|
2005-04-17 07:20:36 +09:00
|
|
|
#include <asm/current.h>
|
2014-06-07 06:37:37 +09:00
|
|
|
#include <linux/uaccess.h>
|
2005-04-17 07:20:36 +09:00
|
|
|
#include "util.h"
|
|
|
|
|
|
2018-03-23 11:37:34 +09:00
|
|
|
/* one msq_queue structure for each present queue on the system */
|
|
|
|
|
struct msg_queue {
|
|
|
|
|
struct kern_ipc_perm q_perm;
|
|
|
|
|
time64_t q_stime; /* last msgsnd time */
|
|
|
|
|
time64_t q_rtime; /* last msgrcv time */
|
|
|
|
|
time64_t q_ctime; /* last change time */
|
|
|
|
|
unsigned long q_cbytes; /* current number of bytes on queue */
|
|
|
|
|
unsigned long q_qnum; /* number of messages in queue */
|
|
|
|
|
unsigned long q_qbytes; /* max number of bytes on queue */
|
2018-03-23 14:42:21 +09:00
|
|
|
struct pid *q_lspid; /* pid of last msgsnd */
|
|
|
|
|
struct pid *q_lrpid; /* last receive pid */
|
2018-03-23 11:37:34 +09:00
|
|
|
|
|
|
|
|
struct list_head q_messages;
|
|
|
|
|
struct list_head q_receivers;
|
|
|
|
|
struct list_head q_senders;
|
|
|
|
|
} __randomize_layout;
|
|
|
|
|
|
2014-06-07 06:37:46 +09:00
|
|
|
/* one msg_receiver structure for each sleeping receiver */
|
2005-04-17 07:20:36 +09:00
|
|
|
struct msg_receiver {
|
2006-07-30 19:04:11 +09:00
|
|
|
struct list_head r_list;
|
|
|
|
|
struct task_struct *r_tsk;
|
2005-04-17 07:20:36 +09:00
|
|
|
|
2006-07-30 19:04:11 +09:00
|
|
|
int r_mode;
|
|
|
|
|
long r_msgtype;
|
|
|
|
|
long r_maxsize;
|
2005-04-17 07:20:36 +09:00
|
|
|
|
ipc/msg: implement lockless pipelined wakeups
This patch moves the wakeup_process() invocation so it is not done under
the ipc global lock by making use of a lockless wake_q. With this change,
the waiter is woken up once the message has been assigned and it does not
need to loop on SMP if the message points to NULL. In the signal case we
still need to check the pointer under the lock to verify the state.
This change should also avoid the introduction of preempt_disable() in -RT
which avoids a busy-loop which pools for the NULL -> !NULL change if the
waiter has a higher priority compared to the waker.
By making use of wake_qs, the logic of sysv msg queues is greatly
simplified (and very well suited as we can batch lockless wakeups),
particularly around the lockless receive algorithm.
This has been tested with Manred's pmsg-shared tool on a "AMD A10-7800
Radeon R7, 12 Compute Cores 4C+8G":
test | before | after | diff
-----------------|------------|------------|----------
pmsg-shared 8 60 | 19,347,422 | 30,442,191 | + ~57.34 %
pmsg-shared 4 60 | 21,367,197 | 35,743,458 | + ~67.28 %
pmsg-shared 2 60 | 22,884,224 | 24,278,200 | + ~6.09 %
Link: http://lkml.kernel.org/r/1469748819-19484-2-git-send-email-dave@stgolabs.net
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-10-12 05:54:53 +09:00
|
|
|
struct msg_msg *r_msg;
|
2005-04-17 07:20:36 +09:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/* one msg_sender for each sleeping sender */
|
|
|
|
|
struct msg_sender {
|
2006-07-30 19:04:11 +09:00
|
|
|
struct list_head list;
|
|
|
|
|
struct task_struct *tsk;
|
2016-10-12 05:55:02 +09:00
|
|
|
size_t msgsz;
|
2005-04-17 07:20:36 +09:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
#define SEARCH_ANY 1
|
|
|
|
|
#define SEARCH_EQUAL 2
|
|
|
|
|
#define SEARCH_NOTEQUAL 3
|
|
|
|
|
#define SEARCH_LESSEQUAL 4
|
2013-05-01 11:14:54 +09:00
|
|
|
#define SEARCH_NUMBER 5
|
2005-04-17 07:20:36 +09:00
|
|
|
|
2008-02-08 21:18:57 +09:00
|
|
|
#define msg_ids(ns) ((ns)->ids[IPC_MSG_IDS])
|
2005-04-17 07:20:36 +09:00
|
|
|
|
2013-07-09 08:01:15 +09:00
|
|
|
static inline struct msg_queue *msq_obtain_object(struct ipc_namespace *ns, int id)
|
|
|
|
|
{
|
2015-07-01 06:58:42 +09:00
|
|
|
struct kern_ipc_perm *ipcp = ipc_obtain_object_idr(&msg_ids(ns), id);
|
2013-07-09 08:01:15 +09:00
|
|
|
|
|
|
|
|
if (IS_ERR(ipcp))
|
|
|
|
|
return ERR_CAST(ipcp);
|
|
|
|
|
|
|
|
|
|
return container_of(ipcp, struct msg_queue, q_perm);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline struct msg_queue *msq_obtain_object_check(struct ipc_namespace *ns,
|
|
|
|
|
int id)
|
|
|
|
|
{
|
|
|
|
|
struct kern_ipc_perm *ipcp = ipc_obtain_object_check(&msg_ids(ns), id);
|
|
|
|
|
|
|
|
|
|
if (IS_ERR(ipcp))
|
|
|
|
|
return ERR_CAST(ipcp);
|
|
|
|
|
|
|
|
|
|
return container_of(ipcp, struct msg_queue, q_perm);
|
|
|
|
|
}
|
|
|
|
|
|
2007-10-19 15:40:48 +09:00
|
|
|
static inline void msg_rmid(struct ipc_namespace *ns, struct msg_queue *s)
|
|
|
|
|
{
|
|
|
|
|
ipc_rmid(&msg_ids(ns), &s->q_perm);
|
|
|
|
|
}
|
|
|
|
|
|
ipc: fix race with LSMs
Currently, IPC mechanisms do security and auditing related checks under
RCU. However, since security modules can free the security structure,
for example, through selinux_[sem,msg_queue,shm]_free_security(), we can
race if the structure is freed before other tasks are done with it,
creating a use-after-free condition. Manfred illustrates this nicely,
for instance with shared mem and selinux:
-> do_shmat calls rcu_read_lock()
-> do_shmat calls shm_object_check().
Checks that the object is still valid - but doesn't acquire any locks.
Then it returns.
-> do_shmat calls security_shm_shmat (e.g. selinux_shm_shmat)
-> selinux_shm_shmat calls ipc_has_perm()
-> ipc_has_perm accesses ipc_perms->security
shm_close()
-> shm_close acquires rw_mutex & shm_lock
-> shm_close calls shm_destroy
-> shm_destroy calls security_shm_free (e.g. selinux_shm_free_security)
-> selinux_shm_free_security calls ipc_free_security(&shp->shm_perm)
-> ipc_free_security calls kfree(ipc_perms->security)
This patch delays the freeing of the security structures after all RCU
readers are done. Furthermore it aligns the security life cycle with
that of the rest of IPC - freeing them based on the reference counter.
For situations where we need not free security, the current behavior is
kept. Linus states:
"... the old behavior was suspect for another reason too: having the
security blob go away from under a user sounds like it could cause
various other problems anyway, so I think the old code was at least
_prone_ to bugs even if it didn't have catastrophic behavior."
I have tested this patch with IPC testcases from LTP on both my
quad-core laptop and on a 64 core NUMA server. In both cases selinux is
enabled, and tests pass for both voluntary and forced preemption models.
While the mentioned races are theoretical (at least no one as reported
them), I wanted to make sure that this new logic doesn't break anything
we weren't aware of.
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Davidlohr Bueso <davidlohr@hp.com>
Acked-by: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-09-24 09:04:45 +09:00
|
|
|
static void msg_rcu_free(struct rcu_head *head)
|
|
|
|
|
{
|
2017-07-13 06:34:41 +09:00
|
|
|
struct kern_ipc_perm *p = container_of(head, struct kern_ipc_perm, rcu);
|
|
|
|
|
struct msg_queue *msq = container_of(p, struct msg_queue, q_perm);
|
ipc: fix race with LSMs
Currently, IPC mechanisms do security and auditing related checks under
RCU. However, since security modules can free the security structure,
for example, through selinux_[sem,msg_queue,shm]_free_security(), we can
race if the structure is freed before other tasks are done with it,
creating a use-after-free condition. Manfred illustrates this nicely,
for instance with shared mem and selinux:
-> do_shmat calls rcu_read_lock()
-> do_shmat calls shm_object_check().
Checks that the object is still valid - but doesn't acquire any locks.
Then it returns.
-> do_shmat calls security_shm_shmat (e.g. selinux_shm_shmat)
-> selinux_shm_shmat calls ipc_has_perm()
-> ipc_has_perm accesses ipc_perms->security
shm_close()
-> shm_close acquires rw_mutex & shm_lock
-> shm_close calls shm_destroy
-> shm_destroy calls security_shm_free (e.g. selinux_shm_free_security)
-> selinux_shm_free_security calls ipc_free_security(&shp->shm_perm)
-> ipc_free_security calls kfree(ipc_perms->security)
This patch delays the freeing of the security structures after all RCU
readers are done. Furthermore it aligns the security life cycle with
that of the rest of IPC - freeing them based on the reference counter.
For situations where we need not free security, the current behavior is
kept. Linus states:
"... the old behavior was suspect for another reason too: having the
security blob go away from under a user sounds like it could cause
various other problems anyway, so I think the old code was at least
_prone_ to bugs even if it didn't have catastrophic behavior."
I have tested this patch with IPC testcases from LTP on both my
quad-core laptop and on a 64 core NUMA server. In both cases selinux is
enabled, and tests pass for both voluntary and forced preemption models.
While the mentioned races are theoretical (at least no one as reported
them), I wanted to make sure that this new logic doesn't break anything
we weren't aware of.
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Davidlohr Bueso <davidlohr@hp.com>
Acked-by: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-09-24 09:04:45 +09:00
|
|
|
|
2018-03-23 11:22:26 +09:00
|
|
|
security_msg_queue_free(&msq->q_perm);
|
2017-07-13 06:35:28 +09:00
|
|
|
kvfree(msq);
|
2017-07-13 06:35:07 +09:00
|
|
|
}
|
|
|
|
|
|
2007-10-19 15:40:53 +09:00
|
|
|
/**
|
|
|
|
|
* newque - Create a new msg queue
|
|
|
|
|
* @ns: namespace
|
|
|
|
|
* @params: ptr to the structure that contains the key and msgflg
|
|
|
|
|
*
|
2013-09-12 06:26:24 +09:00
|
|
|
* Called with msg_ids.rwsem held (writer)
|
2007-10-19 15:40:53 +09:00
|
|
|
*/
|
2007-10-19 15:40:49 +09:00
|
|
|
static int newque(struct ipc_namespace *ns, struct ipc_params *params)
|
2005-04-17 07:20:36 +09:00
|
|
|
{
|
|
|
|
|
struct msg_queue *msq;
|
2017-07-13 06:35:19 +09:00
|
|
|
int retval;
|
2007-10-19 15:40:49 +09:00
|
|
|
key_t key = params->key;
|
|
|
|
|
int msgflg = params->flg;
|
2005-04-17 07:20:36 +09:00
|
|
|
|
2017-07-13 06:35:28 +09:00
|
|
|
msq = kvmalloc(sizeof(*msq), GFP_KERNEL);
|
|
|
|
|
if (unlikely(!msq))
|
2005-04-17 07:20:36 +09:00
|
|
|
return -ENOMEM;
|
|
|
|
|
|
2006-07-30 19:04:11 +09:00
|
|
|
msq->q_perm.mode = msgflg & S_IRWXUGO;
|
2005-04-17 07:20:36 +09:00
|
|
|
msq->q_perm.key = key;
|
|
|
|
|
|
|
|
|
|
msq->q_perm.security = NULL;
|
2018-03-23 11:22:26 +09:00
|
|
|
retval = security_msg_queue_alloc(&msq->q_perm);
|
2005-04-17 07:20:36 +09:00
|
|
|
if (retval) {
|
2017-07-13 06:35:28 +09:00
|
|
|
kvfree(msq);
|
2005-04-17 07:20:36 +09:00
|
|
|
return retval;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
msq->q_stime = msq->q_rtime = 0;
|
2017-08-03 11:51:12 +09:00
|
|
|
msq->q_ctime = ktime_get_real_seconds();
|
2005-04-17 07:20:36 +09:00
|
|
|
msq->q_cbytes = msq->q_qnum = 0;
|
2006-10-02 18:18:21 +09:00
|
|
|
msq->q_qbytes = ns->msg_ctlmnb;
|
2018-03-23 14:42:21 +09:00
|
|
|
msq->q_lspid = msq->q_lrpid = NULL;
|
2005-04-17 07:20:36 +09:00
|
|
|
INIT_LIST_HEAD(&msq->q_messages);
|
|
|
|
|
INIT_LIST_HEAD(&msq->q_receivers);
|
|
|
|
|
INIT_LIST_HEAD(&msq->q_senders);
|
2007-10-19 15:40:48 +09:00
|
|
|
|
2015-10-01 01:48:40 +09:00
|
|
|
/* ipc_addid() locks msq upon success. */
|
2017-07-13 06:35:19 +09:00
|
|
|
retval = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
|
|
|
|
|
if (retval < 0) {
|
2018-08-22 14:01:29 +09:00
|
|
|
ipc_rcu_putref(&msq->q_perm, msg_rcu_free);
|
2017-07-13 06:35:19 +09:00
|
|
|
return retval;
|
2015-10-01 01:48:40 +09:00
|
|
|
}
|
|
|
|
|
|
2013-07-09 08:01:11 +09:00
|
|
|
ipc_unlock_object(&msq->q_perm);
|
ipc: move rcu lock out of ipc_addid
This patchset continues the work that began in the sysv ipc semaphore
scaling series, see
https://lkml.org/lkml/2013/3/20/546
Just like semaphores used to be, sysv shared memory and msg queues also
abuse the ipc lock, unnecessarily holding it for operations such as
permission and security checks.
This patchset mostly deals with mqueues, and while shared mem can be
done in a very similar way, I want to get these patches out in the open
first. It also does some pending cleanups, mostly focused on the two
level locking we have in ipc code, taking care of ipc_addid() and
ipcctl_pre_down_nolock() - yes there are still functions that need to be
updated as well.
This patch:
Make all callers explicitly take and release the RCU read lock.
This addresses the two level locking seen in newary(), newseg() and
newqueue(). For the last two, explicitly unlock the ipc object and the
rcu lock, instead of calling the custom shm_unlock and msg_unlock
functions. The next patch will deal with the open coded locking for
->perm.lock
Signed-off-by: Davidlohr Bueso <davidlohr.bueso@hp.com>
Cc: Andi Kleen <andi@firstfloor.org>
Cc: Rik van Riel <riel@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-07-09 08:01:09 +09:00
|
|
|
rcu_read_unlock();
|
2005-04-17 07:20:36 +09:00
|
|
|
|
2007-10-19 15:40:48 +09:00
|
|
|
return msq->q_perm.id;
|
2005-04-17 07:20:36 +09:00
|
|
|
}
|
|
|
|
|
|
2016-10-12 05:55:02 +09:00
|
|
|
static inline bool msg_fits_inqueue(struct msg_queue *msq, size_t msgsz)
|
|
|
|
|
{
|
|
|
|
|
return msgsz + msq->q_cbytes <= msq->q_qbytes &&
|
|
|
|
|
1 + msq->q_qnum <= msq->q_qbytes;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline void ss_add(struct msg_queue *msq,
|
|
|
|
|
struct msg_sender *mss, size_t msgsz)
|
2005-04-17 07:20:36 +09:00
|
|
|
{
|
2006-07-30 19:04:11 +09:00
|
|
|
mss->tsk = current;
|
2016-10-12 05:55:02 +09:00
|
|
|
mss->msgsz = msgsz;
|
2014-06-07 06:37:44 +09:00
|
|
|
__set_current_state(TASK_INTERRUPTIBLE);
|
2006-07-30 19:04:11 +09:00
|
|
|
list_add_tail(&mss->list, &msq->q_senders);
|
2005-04-17 07:20:36 +09:00
|
|
|
}
|
|
|
|
|
|
2006-07-30 19:04:11 +09:00
|
|
|
static inline void ss_del(struct msg_sender *mss)
|
2005-04-17 07:20:36 +09:00
|
|
|
{
|
2016-10-12 05:55:02 +09:00
|
|
|
if (mss->list.next)
|
2005-04-17 07:20:36 +09:00
|
|
|
list_del(&mss->list);
|
|
|
|
|
}
|
|
|
|
|
|
2016-10-12 05:55:02 +09:00
|
|
|
static void ss_wakeup(struct msg_queue *msq,
|
2016-10-12 05:54:59 +09:00
|
|
|
struct wake_q_head *wake_q, bool kill)
|
2005-04-17 07:20:36 +09:00
|
|
|
{
|
2013-05-01 11:15:49 +09:00
|
|
|
struct msg_sender *mss, *t;
|
2016-10-12 05:55:02 +09:00
|
|
|
struct task_struct *stop_tsk = NULL;
|
|
|
|
|
struct list_head *h = &msq->q_senders;
|
2005-04-17 07:20:36 +09:00
|
|
|
|
2013-05-01 11:15:49 +09:00
|
|
|
list_for_each_entry_safe(mss, t, h, list) {
|
2006-07-30 19:04:11 +09:00
|
|
|
if (kill)
|
|
|
|
|
mss->list.next = NULL;
|
2016-10-12 05:55:02 +09:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Stop at the first task we don't wakeup,
|
|
|
|
|
* we've already iterated the original
|
|
|
|
|
* sender queue.
|
|
|
|
|
*/
|
|
|
|
|
else if (stop_tsk == mss->tsk)
|
|
|
|
|
break;
|
|
|
|
|
/*
|
|
|
|
|
* We are not in an EIDRM scenario here, therefore
|
|
|
|
|
* verify that we really need to wakeup the task.
|
|
|
|
|
* To maintain current semantics and wakeup order,
|
|
|
|
|
* move the sender to the tail on behalf of the
|
|
|
|
|
* blocked task.
|
|
|
|
|
*/
|
|
|
|
|
else if (!msg_fits_inqueue(msq, mss->msgsz)) {
|
|
|
|
|
if (!stop_tsk)
|
|
|
|
|
stop_tsk = mss->tsk;
|
|
|
|
|
|
|
|
|
|
list_move_tail(&mss->list, &msq->q_senders);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
2016-10-12 05:54:56 +09:00
|
|
|
wake_q_add(wake_q, mss->tsk);
|
2005-04-17 07:20:36 +09:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
ipc/msg: implement lockless pipelined wakeups
This patch moves the wakeup_process() invocation so it is not done under
the ipc global lock by making use of a lockless wake_q. With this change,
the waiter is woken up once the message has been assigned and it does not
need to loop on SMP if the message points to NULL. In the signal case we
still need to check the pointer under the lock to verify the state.
This change should also avoid the introduction of preempt_disable() in -RT
which avoids a busy-loop which pools for the NULL -> !NULL change if the
waiter has a higher priority compared to the waker.
By making use of wake_qs, the logic of sysv msg queues is greatly
simplified (and very well suited as we can batch lockless wakeups),
particularly around the lockless receive algorithm.
This has been tested with Manred's pmsg-shared tool on a "AMD A10-7800
Radeon R7, 12 Compute Cores 4C+8G":
test | before | after | diff
-----------------|------------|------------|----------
pmsg-shared 8 60 | 19,347,422 | 30,442,191 | + ~57.34 %
pmsg-shared 4 60 | 21,367,197 | 35,743,458 | + ~67.28 %
pmsg-shared 2 60 | 22,884,224 | 24,278,200 | + ~6.09 %
Link: http://lkml.kernel.org/r/1469748819-19484-2-git-send-email-dave@stgolabs.net
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-10-12 05:54:53 +09:00
|
|
|
static void expunge_all(struct msg_queue *msq, int res,
|
|
|
|
|
struct wake_q_head *wake_q)
|
2005-04-17 07:20:36 +09:00
|
|
|
{
|
2013-05-01 11:15:49 +09:00
|
|
|
struct msg_receiver *msr, *t;
|
2006-07-30 19:04:11 +09:00
|
|
|
|
2013-05-01 11:15:49 +09:00
|
|
|
list_for_each_entry_safe(msr, t, &msq->q_receivers, r_list) {
|
ipc/msg: implement lockless pipelined wakeups
This patch moves the wakeup_process() invocation so it is not done under
the ipc global lock by making use of a lockless wake_q. With this change,
the waiter is woken up once the message has been assigned and it does not
need to loop on SMP if the message points to NULL. In the signal case we
still need to check the pointer under the lock to verify the state.
This change should also avoid the introduction of preempt_disable() in -RT
which avoids a busy-loop which pools for the NULL -> !NULL change if the
waiter has a higher priority compared to the waker.
By making use of wake_qs, the logic of sysv msg queues is greatly
simplified (and very well suited as we can batch lockless wakeups),
particularly around the lockless receive algorithm.
This has been tested with Manred's pmsg-shared tool on a "AMD A10-7800
Radeon R7, 12 Compute Cores 4C+8G":
test | before | after | diff
-----------------|------------|------------|----------
pmsg-shared 8 60 | 19,347,422 | 30,442,191 | + ~57.34 %
pmsg-shared 4 60 | 21,367,197 | 35,743,458 | + ~67.28 %
pmsg-shared 2 60 | 22,884,224 | 24,278,200 | + ~6.09 %
Link: http://lkml.kernel.org/r/1469748819-19484-2-git-send-email-dave@stgolabs.net
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-10-12 05:54:53 +09:00
|
|
|
wake_q_add(wake_q, msr->r_tsk);
|
|
|
|
|
WRITE_ONCE(msr->r_msg, ERR_PTR(res));
|
2005-04-17 07:20:36 +09:00
|
|
|
}
|
|
|
|
|
}
|
2006-07-30 19:04:11 +09:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* freeque() wakes up waiters on the sender and receiver waiting queue,
|
2007-10-19 15:40:53 +09:00
|
|
|
* removes the message queue from message queue ID IDR, and cleans up all the
|
|
|
|
|
* messages associated with this queue.
|
2005-04-17 07:20:36 +09:00
|
|
|
*
|
2013-09-12 06:26:24 +09:00
|
|
|
* msg_ids.rwsem (writer) and the spinlock for this message queue are held
|
|
|
|
|
* before freeque() is called. msg_ids.rwsem remains locked on exit.
|
2005-04-17 07:20:36 +09:00
|
|
|
*/
|
2008-02-08 21:18:57 +09:00
|
|
|
static void freeque(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp)
|
2005-04-17 07:20:36 +09:00
|
|
|
{
|
2013-05-01 11:15:49 +09:00
|
|
|
struct msg_msg *msg, *t;
|
2008-02-08 21:18:57 +09:00
|
|
|
struct msg_queue *msq = container_of(ipcp, struct msg_queue, q_perm);
|
2016-11-18 01:46:38 +09:00
|
|
|
DEFINE_WAKE_Q(wake_q);
|
2005-04-17 07:20:36 +09:00
|
|
|
|
ipc/msg: implement lockless pipelined wakeups
This patch moves the wakeup_process() invocation so it is not done under
the ipc global lock by making use of a lockless wake_q. With this change,
the waiter is woken up once the message has been assigned and it does not
need to loop on SMP if the message points to NULL. In the signal case we
still need to check the pointer under the lock to verify the state.
This change should also avoid the introduction of preempt_disable() in -RT
which avoids a busy-loop which pools for the NULL -> !NULL change if the
waiter has a higher priority compared to the waker.
By making use of wake_qs, the logic of sysv msg queues is greatly
simplified (and very well suited as we can batch lockless wakeups),
particularly around the lockless receive algorithm.
This has been tested with Manred's pmsg-shared tool on a "AMD A10-7800
Radeon R7, 12 Compute Cores 4C+8G":
test | before | after | diff
-----------------|------------|------------|----------
pmsg-shared 8 60 | 19,347,422 | 30,442,191 | + ~57.34 %
pmsg-shared 4 60 | 21,367,197 | 35,743,458 | + ~67.28 %
pmsg-shared 2 60 | 22,884,224 | 24,278,200 | + ~6.09 %
Link: http://lkml.kernel.org/r/1469748819-19484-2-git-send-email-dave@stgolabs.net
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-10-12 05:54:53 +09:00
|
|
|
expunge_all(msq, -EIDRM, &wake_q);
|
2016-10-12 05:55:02 +09:00
|
|
|
ss_wakeup(msq, &wake_q, true);
|
2007-10-19 15:40:48 +09:00
|
|
|
msg_rmid(ns, msq);
|
2013-09-12 06:26:25 +09:00
|
|
|
ipc_unlock_object(&msq->q_perm);
|
ipc/msg: implement lockless pipelined wakeups
This patch moves the wakeup_process() invocation so it is not done under
the ipc global lock by making use of a lockless wake_q. With this change,
the waiter is woken up once the message has been assigned and it does not
need to loop on SMP if the message points to NULL. In the signal case we
still need to check the pointer under the lock to verify the state.
This change should also avoid the introduction of preempt_disable() in -RT
which avoids a busy-loop which pools for the NULL -> !NULL change if the
waiter has a higher priority compared to the waker.
By making use of wake_qs, the logic of sysv msg queues is greatly
simplified (and very well suited as we can batch lockless wakeups),
particularly around the lockless receive algorithm.
This has been tested with Manred's pmsg-shared tool on a "AMD A10-7800
Radeon R7, 12 Compute Cores 4C+8G":
test | before | after | diff
-----------------|------------|------------|----------
pmsg-shared 8 60 | 19,347,422 | 30,442,191 | + ~57.34 %
pmsg-shared 4 60 | 21,367,197 | 35,743,458 | + ~67.28 %
pmsg-shared 2 60 | 22,884,224 | 24,278,200 | + ~6.09 %
Link: http://lkml.kernel.org/r/1469748819-19484-2-git-send-email-dave@stgolabs.net
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-10-12 05:54:53 +09:00
|
|
|
wake_up_q(&wake_q);
|
2013-09-12 06:26:25 +09:00
|
|
|
rcu_read_unlock();
|
2006-07-30 19:04:11 +09:00
|
|
|
|
2013-05-01 11:15:49 +09:00
|
|
|
list_for_each_entry_safe(msg, t, &msq->q_messages, m_list) {
|
2007-10-19 15:40:56 +09:00
|
|
|
atomic_dec(&ns->msg_hdrs);
|
2005-04-17 07:20:36 +09:00
|
|
|
free_msg(msg);
|
|
|
|
|
}
|
2007-10-19 15:40:56 +09:00
|
|
|
atomic_sub(msq->q_cbytes, &ns->msg_bytes);
|
2018-03-23 14:42:21 +09:00
|
|
|
ipc_update_pid(&msq->q_lspid, NULL);
|
|
|
|
|
ipc_update_pid(&msq->q_lrpid, NULL);
|
2017-07-13 06:34:41 +09:00
|
|
|
ipc_rcu_putref(&msq->q_perm, msg_rcu_free);
|
2005-04-17 07:20:36 +09:00
|
|
|
}
|
|
|
|
|
|
2018-03-21 04:06:04 +09:00
|
|
|
long ksys_msgget(key_t key, int msgflg)
|
2005-04-17 07:20:36 +09:00
|
|
|
{
|
2006-10-02 18:18:21 +09:00
|
|
|
struct ipc_namespace *ns;
|
2014-06-07 06:37:36 +09:00
|
|
|
static const struct ipc_ops msg_ops = {
|
|
|
|
|
.getnew = newque,
|
2018-03-24 13:41:55 +09:00
|
|
|
.associate = security_msg_queue_associate,
|
2014-06-07 06:37:36 +09:00
|
|
|
};
|
2007-10-19 15:40:49 +09:00
|
|
|
struct ipc_params msg_params;
|
2006-10-02 18:18:21 +09:00
|
|
|
|
|
|
|
|
ns = current->nsproxy->ipc_ns;
|
2007-10-19 15:40:48 +09:00
|
|
|
|
2007-10-19 15:40:49 +09:00
|
|
|
msg_params.key = key;
|
|
|
|
|
msg_params.flg = msgflg;
|
2006-07-30 19:04:11 +09:00
|
|
|
|
2007-10-19 15:40:49 +09:00
|
|
|
return ipcget(ns, &msg_ids(ns), &msg_ops, &msg_params);
|
2005-04-17 07:20:36 +09:00
|
|
|
}
|
|
|
|
|
|
2018-03-21 04:06:04 +09:00
|
|
|
SYSCALL_DEFINE2(msgget, key_t, key, int, msgflg)
|
|
|
|
|
{
|
|
|
|
|
return ksys_msgget(key, msgflg);
|
|
|
|
|
}
|
|
|
|
|
|
2006-07-30 19:04:11 +09:00
|
|
|
static inline unsigned long
|
|
|
|
|
copy_msqid_to_user(void __user *buf, struct msqid64_ds *in, int version)
|
2005-04-17 07:20:36 +09:00
|
|
|
{
|
2014-01-28 10:07:04 +09:00
|
|
|
switch (version) {
|
2005-04-17 07:20:36 +09:00
|
|
|
case IPC_64:
|
2006-07-30 19:04:11 +09:00
|
|
|
return copy_to_user(buf, in, sizeof(*in));
|
2005-04-17 07:20:36 +09:00
|
|
|
case IPC_OLD:
|
2006-07-30 19:04:11 +09:00
|
|
|
{
|
2005-04-17 07:20:36 +09:00
|
|
|
struct msqid_ds out;
|
|
|
|
|
|
2006-07-30 19:04:11 +09:00
|
|
|
memset(&out, 0, sizeof(out));
|
2005-04-17 07:20:36 +09:00
|
|
|
|
|
|
|
|
ipc64_perm_to_ipc_perm(&in->msg_perm, &out.msg_perm);
|
|
|
|
|
|
|
|
|
|
out.msg_stime = in->msg_stime;
|
|
|
|
|
out.msg_rtime = in->msg_rtime;
|
|
|
|
|
out.msg_ctime = in->msg_ctime;
|
|
|
|
|
|
2010-05-25 06:33:03 +09:00
|
|
|
if (in->msg_cbytes > USHRT_MAX)
|
|
|
|
|
out.msg_cbytes = USHRT_MAX;
|
2005-04-17 07:20:36 +09:00
|
|
|
else
|
|
|
|
|
out.msg_cbytes = in->msg_cbytes;
|
|
|
|
|
out.msg_lcbytes = in->msg_cbytes;
|
|
|
|
|
|
2010-05-25 06:33:03 +09:00
|
|
|
if (in->msg_qnum > USHRT_MAX)
|
|
|
|
|
out.msg_qnum = USHRT_MAX;
|
2005-04-17 07:20:36 +09:00
|
|
|
else
|
|
|
|
|
out.msg_qnum = in->msg_qnum;
|
|
|
|
|
|
2010-05-25 06:33:03 +09:00
|
|
|
if (in->msg_qbytes > USHRT_MAX)
|
|
|
|
|
out.msg_qbytes = USHRT_MAX;
|
2005-04-17 07:20:36 +09:00
|
|
|
else
|
|
|
|
|
out.msg_qbytes = in->msg_qbytes;
|
|
|
|
|
out.msg_lqbytes = in->msg_qbytes;
|
|
|
|
|
|
|
|
|
|
out.msg_lspid = in->msg_lspid;
|
|
|
|
|
out.msg_lrpid = in->msg_lrpid;
|
|
|
|
|
|
2006-07-30 19:04:11 +09:00
|
|
|
return copy_to_user(buf, &out, sizeof(out));
|
|
|
|
|
}
|
2005-04-17 07:20:36 +09:00
|
|
|
default:
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2006-07-30 19:04:11 +09:00
|
|
|
static inline unsigned long
|
2008-04-29 17:00:50 +09:00
|
|
|
copy_msqid_from_user(struct msqid64_ds *out, void __user *buf, int version)
|
2005-04-17 07:20:36 +09:00
|
|
|
{
|
2014-01-28 10:07:04 +09:00
|
|
|
switch (version) {
|
2005-04-17 07:20:36 +09:00
|
|
|
case IPC_64:
|
2008-04-29 17:00:50 +09:00
|
|
|
if (copy_from_user(out, buf, sizeof(*out)))
|
2005-04-17 07:20:36 +09:00
|
|
|
return -EFAULT;
|
|
|
|
|
return 0;
|
|
|
|
|
case IPC_OLD:
|
2006-07-30 19:04:11 +09:00
|
|
|
{
|
2005-04-17 07:20:36 +09:00
|
|
|
struct msqid_ds tbuf_old;
|
|
|
|
|
|
2006-07-30 19:04:11 +09:00
|
|
|
if (copy_from_user(&tbuf_old, buf, sizeof(tbuf_old)))
|
2005-04-17 07:20:36 +09:00
|
|
|
return -EFAULT;
|
|
|
|
|
|
2014-01-28 10:07:04 +09:00
|
|
|
out->msg_perm.uid = tbuf_old.msg_perm.uid;
|
|
|
|
|
out->msg_perm.gid = tbuf_old.msg_perm.gid;
|
|
|
|
|
out->msg_perm.mode = tbuf_old.msg_perm.mode;
|
2005-04-17 07:20:36 +09:00
|
|
|
|
2006-07-30 19:04:11 +09:00
|
|
|
if (tbuf_old.msg_qbytes == 0)
|
2008-04-29 17:00:50 +09:00
|
|
|
out->msg_qbytes = tbuf_old.msg_lqbytes;
|
2005-04-17 07:20:36 +09:00
|
|
|
else
|
2008-04-29 17:00:50 +09:00
|
|
|
out->msg_qbytes = tbuf_old.msg_qbytes;
|
2005-04-17 07:20:36 +09:00
|
|
|
|
|
|
|
|
return 0;
|
2006-07-30 19:04:11 +09:00
|
|
|
}
|
2005-04-17 07:20:36 +09:00
|
|
|
default:
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2008-04-29 17:00:48 +09:00
|
|
|
/*
|
2013-09-12 06:26:24 +09:00
|
|
|
* This function handles some msgctl commands which require the rwsem
|
2008-04-29 17:00:48 +09:00
|
|
|
* to be held in write mode.
|
2013-09-12 06:26:24 +09:00
|
|
|
* NOTE: no locks must be held, the rwsem is taken inside this function.
|
2008-04-29 17:00:48 +09:00
|
|
|
*/
|
|
|
|
|
static int msgctl_down(struct ipc_namespace *ns, int msqid, int cmd,
|
ipc/msg.c: consolidate all xxxctl_down() functions
commit 889b331724c82c11e15ba0a60979cf7bded0a26c upstream.
A use of uninitialized memory in msgctl_down() because msqid64 in
ksys_msgctl hasn't been initialized. The local | msqid64 | is created in
ksys_msgctl() and then passed into msgctl_down(). Along the way msqid64
is never initialized before msgctl_down() checks msqid64->msg_qbytes.
KUMSAN(KernelUninitializedMemorySantizer, a new error detection tool)
reports:
==================================================================
BUG: KUMSAN: use of uninitialized memory in msgctl_down+0x94/0x300
Read of size 8 at addr ffff88806bb97eb8 by task syz-executor707/2022
CPU: 0 PID: 2022 Comm: syz-executor707 Not tainted 5.2.0-rc4+ #63
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
Call Trace:
dump_stack+0x75/0xae
__kumsan_report+0x17c/0x3e6
kumsan_report+0xe/0x20
msgctl_down+0x94/0x300
ksys_msgctl.constprop.14+0xef/0x260
do_syscall_64+0x7e/0x1f0
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4400e9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffd869e0598 EFLAGS: 00000246 ORIG_RAX: 0000000000000047
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004400e9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000401970
R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the page:
page:ffffea0001aee5c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x100000000000000()
raw: 0100000000000000 0000000000000000 ffffffff01ae0101 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kumsan: bad access detected
==================================================================
Syzkaller reproducer:
msgctl$IPC_RMID(0x0, 0x0)
C reproducer:
// autogenerated by syzkaller (https://github.com/google/syzkaller)
int main(void)
{
syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
syscall(__NR_msgctl, 0, 0, 0);
return 0;
}
[natechancellor@gmail.com: adjust indentation in ksys_msgctl]
Link: https://github.com/ClangBuiltLinux/linux/issues/829
Link: http://lkml.kernel.org/r/20191218032932.37479-1-natechancellor@gmail.com
Link: http://lkml.kernel.org/r/20190613014044.24234-1-shuaibinglu@126.com
Signed-off-by: Lu Shuaibing <shuaibinglu@126.com>
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Suggested-by: Arnd Bergmann <arnd@arndb.de>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: NeilBrown <neilb@suse.com>
From: Andrew Morton <akpm@linux-foundation.org>
Subject: ipc/msg.c: consolidate all xxxctl_down() functions
Each line here overflows 80 cols by exactly one character. Delete one tab
per line to fix.
Cc: Shaohua Li <shli@fb.com>
Cc: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-02-04 10:34:46 +09:00
|
|
|
struct ipc64_perm *perm, int msg_qbytes)
|
2005-04-17 07:20:36 +09:00
|
|
|
{
|
|
|
|
|
struct kern_ipc_perm *ipcp;
|
2008-04-29 17:00:48 +09:00
|
|
|
struct msg_queue *msq;
|
|
|
|
|
int err;
|
|
|
|
|
|
2013-09-12 06:26:24 +09:00
|
|
|
down_write(&msg_ids(ns).rwsem);
|
2013-07-09 08:01:12 +09:00
|
|
|
rcu_read_lock();
|
|
|
|
|
|
2018-08-22 14:01:34 +09:00
|
|
|
ipcp = ipcctl_obtain_check(ns, &msg_ids(ns), msqid, cmd,
|
ipc/msg.c: consolidate all xxxctl_down() functions
commit 889b331724c82c11e15ba0a60979cf7bded0a26c upstream.
A use of uninitialized memory in msgctl_down() because msqid64 in
ksys_msgctl hasn't been initialized. The local | msqid64 | is created in
ksys_msgctl() and then passed into msgctl_down(). Along the way msqid64
is never initialized before msgctl_down() checks msqid64->msg_qbytes.
KUMSAN(KernelUninitializedMemorySantizer, a new error detection tool)
reports:
==================================================================
BUG: KUMSAN: use of uninitialized memory in msgctl_down+0x94/0x300
Read of size 8 at addr ffff88806bb97eb8 by task syz-executor707/2022
CPU: 0 PID: 2022 Comm: syz-executor707 Not tainted 5.2.0-rc4+ #63
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
Call Trace:
dump_stack+0x75/0xae
__kumsan_report+0x17c/0x3e6
kumsan_report+0xe/0x20
msgctl_down+0x94/0x300
ksys_msgctl.constprop.14+0xef/0x260
do_syscall_64+0x7e/0x1f0
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4400e9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffd869e0598 EFLAGS: 00000246 ORIG_RAX: 0000000000000047
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004400e9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000401970
R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the page:
page:ffffea0001aee5c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x100000000000000()
raw: 0100000000000000 0000000000000000 ffffffff01ae0101 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kumsan: bad access detected
==================================================================
Syzkaller reproducer:
msgctl$IPC_RMID(0x0, 0x0)
C reproducer:
// autogenerated by syzkaller (https://github.com/google/syzkaller)
int main(void)
{
syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
syscall(__NR_msgctl, 0, 0, 0);
return 0;
}
[natechancellor@gmail.com: adjust indentation in ksys_msgctl]
Link: https://github.com/ClangBuiltLinux/linux/issues/829
Link: http://lkml.kernel.org/r/20191218032932.37479-1-natechancellor@gmail.com
Link: http://lkml.kernel.org/r/20190613014044.24234-1-shuaibinglu@126.com
Signed-off-by: Lu Shuaibing <shuaibinglu@126.com>
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Suggested-by: Arnd Bergmann <arnd@arndb.de>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: NeilBrown <neilb@suse.com>
From: Andrew Morton <akpm@linux-foundation.org>
Subject: ipc/msg.c: consolidate all xxxctl_down() functions
Each line here overflows 80 cols by exactly one character. Delete one tab
per line to fix.
Cc: Shaohua Li <shli@fb.com>
Cc: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-02-04 10:34:46 +09:00
|
|
|
perm, msg_qbytes);
|
2013-07-09 08:01:12 +09:00
|
|
|
if (IS_ERR(ipcp)) {
|
|
|
|
|
err = PTR_ERR(ipcp);
|
|
|
|
|
goto out_unlock1;
|
|
|
|
|
}
|
2008-04-29 17:00:48 +09:00
|
|
|
|
2008-04-29 17:00:54 +09:00
|
|
|
msq = container_of(ipcp, struct msg_queue, q_perm);
|
2008-04-29 17:00:48 +09:00
|
|
|
|
2018-03-23 11:22:26 +09:00
|
|
|
err = security_msg_queue_msgctl(&msq->q_perm, cmd);
|
2008-04-29 17:00:48 +09:00
|
|
|
if (err)
|
2013-07-09 08:01:13 +09:00
|
|
|
goto out_unlock1;
|
2008-04-29 17:00:48 +09:00
|
|
|
|
|
|
|
|
switch (cmd) {
|
|
|
|
|
case IPC_RMID:
|
2013-07-09 08:01:13 +09:00
|
|
|
ipc_lock_object(&msq->q_perm);
|
2013-07-09 08:01:12 +09:00
|
|
|
/* freeque unlocks the ipc object and rcu */
|
2008-04-29 17:00:48 +09:00
|
|
|
freeque(ns, ipcp);
|
|
|
|
|
goto out_up;
|
|
|
|
|
case IPC_SET:
|
2016-10-12 05:54:56 +09:00
|
|
|
{
|
2016-11-18 01:46:38 +09:00
|
|
|
DEFINE_WAKE_Q(wake_q);
|
2016-10-12 05:54:56 +09:00
|
|
|
|
ipc/msg.c: consolidate all xxxctl_down() functions
commit 889b331724c82c11e15ba0a60979cf7bded0a26c upstream.
A use of uninitialized memory in msgctl_down() because msqid64 in
ksys_msgctl hasn't been initialized. The local | msqid64 | is created in
ksys_msgctl() and then passed into msgctl_down(). Along the way msqid64
is never initialized before msgctl_down() checks msqid64->msg_qbytes.
KUMSAN(KernelUninitializedMemorySantizer, a new error detection tool)
reports:
==================================================================
BUG: KUMSAN: use of uninitialized memory in msgctl_down+0x94/0x300
Read of size 8 at addr ffff88806bb97eb8 by task syz-executor707/2022
CPU: 0 PID: 2022 Comm: syz-executor707 Not tainted 5.2.0-rc4+ #63
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
Call Trace:
dump_stack+0x75/0xae
__kumsan_report+0x17c/0x3e6
kumsan_report+0xe/0x20
msgctl_down+0x94/0x300
ksys_msgctl.constprop.14+0xef/0x260
do_syscall_64+0x7e/0x1f0
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4400e9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffd869e0598 EFLAGS: 00000246 ORIG_RAX: 0000000000000047
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004400e9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000401970
R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the page:
page:ffffea0001aee5c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x100000000000000()
raw: 0100000000000000 0000000000000000 ffffffff01ae0101 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kumsan: bad access detected
==================================================================
Syzkaller reproducer:
msgctl$IPC_RMID(0x0, 0x0)
C reproducer:
// autogenerated by syzkaller (https://github.com/google/syzkaller)
int main(void)
{
syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
syscall(__NR_msgctl, 0, 0, 0);
return 0;
}
[natechancellor@gmail.com: adjust indentation in ksys_msgctl]
Link: https://github.com/ClangBuiltLinux/linux/issues/829
Link: http://lkml.kernel.org/r/20191218032932.37479-1-natechancellor@gmail.com
Link: http://lkml.kernel.org/r/20190613014044.24234-1-shuaibinglu@126.com
Signed-off-by: Lu Shuaibing <shuaibinglu@126.com>
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Suggested-by: Arnd Bergmann <arnd@arndb.de>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: NeilBrown <neilb@suse.com>
From: Andrew Morton <akpm@linux-foundation.org>
Subject: ipc/msg.c: consolidate all xxxctl_down() functions
Each line here overflows 80 cols by exactly one character. Delete one tab
per line to fix.
Cc: Shaohua Li <shli@fb.com>
Cc: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-02-04 10:34:46 +09:00
|
|
|
if (msg_qbytes > ns->msg_ctlmnb &&
|
2008-04-29 17:00:48 +09:00
|
|
|
!capable(CAP_SYS_RESOURCE)) {
|
|
|
|
|
err = -EPERM;
|
2013-07-09 08:01:13 +09:00
|
|
|
goto out_unlock1;
|
2008-04-29 17:00:48 +09:00
|
|
|
}
|
|
|
|
|
|
2013-07-09 08:01:13 +09:00
|
|
|
ipc_lock_object(&msq->q_perm);
|
ipc/msg.c: consolidate all xxxctl_down() functions
commit 889b331724c82c11e15ba0a60979cf7bded0a26c upstream.
A use of uninitialized memory in msgctl_down() because msqid64 in
ksys_msgctl hasn't been initialized. The local | msqid64 | is created in
ksys_msgctl() and then passed into msgctl_down(). Along the way msqid64
is never initialized before msgctl_down() checks msqid64->msg_qbytes.
KUMSAN(KernelUninitializedMemorySantizer, a new error detection tool)
reports:
==================================================================
BUG: KUMSAN: use of uninitialized memory in msgctl_down+0x94/0x300
Read of size 8 at addr ffff88806bb97eb8 by task syz-executor707/2022
CPU: 0 PID: 2022 Comm: syz-executor707 Not tainted 5.2.0-rc4+ #63
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
Call Trace:
dump_stack+0x75/0xae
__kumsan_report+0x17c/0x3e6
kumsan_report+0xe/0x20
msgctl_down+0x94/0x300
ksys_msgctl.constprop.14+0xef/0x260
do_syscall_64+0x7e/0x1f0
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4400e9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffd869e0598 EFLAGS: 00000246 ORIG_RAX: 0000000000000047
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004400e9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000401970
R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the page:
page:ffffea0001aee5c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x100000000000000()
raw: 0100000000000000 0000000000000000 ffffffff01ae0101 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kumsan: bad access detected
==================================================================
Syzkaller reproducer:
msgctl$IPC_RMID(0x0, 0x0)
C reproducer:
// autogenerated by syzkaller (https://github.com/google/syzkaller)
int main(void)
{
syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
syscall(__NR_msgctl, 0, 0, 0);
return 0;
}
[natechancellor@gmail.com: adjust indentation in ksys_msgctl]
Link: https://github.com/ClangBuiltLinux/linux/issues/829
Link: http://lkml.kernel.org/r/20191218032932.37479-1-natechancellor@gmail.com
Link: http://lkml.kernel.org/r/20190613014044.24234-1-shuaibinglu@126.com
Signed-off-by: Lu Shuaibing <shuaibinglu@126.com>
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Suggested-by: Arnd Bergmann <arnd@arndb.de>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: NeilBrown <neilb@suse.com>
From: Andrew Morton <akpm@linux-foundation.org>
Subject: ipc/msg.c: consolidate all xxxctl_down() functions
Each line here overflows 80 cols by exactly one character. Delete one tab
per line to fix.
Cc: Shaohua Li <shli@fb.com>
Cc: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-02-04 10:34:46 +09:00
|
|
|
err = ipc_update_perm(perm, ipcp);
|
2012-02-08 09:54:11 +09:00
|
|
|
if (err)
|
2013-07-09 08:01:12 +09:00
|
|
|
goto out_unlock0;
|
2012-02-08 09:54:11 +09:00
|
|
|
|
ipc/msg.c: consolidate all xxxctl_down() functions
commit 889b331724c82c11e15ba0a60979cf7bded0a26c upstream.
A use of uninitialized memory in msgctl_down() because msqid64 in
ksys_msgctl hasn't been initialized. The local | msqid64 | is created in
ksys_msgctl() and then passed into msgctl_down(). Along the way msqid64
is never initialized before msgctl_down() checks msqid64->msg_qbytes.
KUMSAN(KernelUninitializedMemorySantizer, a new error detection tool)
reports:
==================================================================
BUG: KUMSAN: use of uninitialized memory in msgctl_down+0x94/0x300
Read of size 8 at addr ffff88806bb97eb8 by task syz-executor707/2022
CPU: 0 PID: 2022 Comm: syz-executor707 Not tainted 5.2.0-rc4+ #63
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
Call Trace:
dump_stack+0x75/0xae
__kumsan_report+0x17c/0x3e6
kumsan_report+0xe/0x20
msgctl_down+0x94/0x300
ksys_msgctl.constprop.14+0xef/0x260
do_syscall_64+0x7e/0x1f0
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4400e9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffd869e0598 EFLAGS: 00000246 ORIG_RAX: 0000000000000047
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004400e9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000401970
R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the page:
page:ffffea0001aee5c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x100000000000000()
raw: 0100000000000000 0000000000000000 ffffffff01ae0101 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kumsan: bad access detected
==================================================================
Syzkaller reproducer:
msgctl$IPC_RMID(0x0, 0x0)
C reproducer:
// autogenerated by syzkaller (https://github.com/google/syzkaller)
int main(void)
{
syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
syscall(__NR_msgctl, 0, 0, 0);
return 0;
}
[natechancellor@gmail.com: adjust indentation in ksys_msgctl]
Link: https://github.com/ClangBuiltLinux/linux/issues/829
Link: http://lkml.kernel.org/r/20191218032932.37479-1-natechancellor@gmail.com
Link: http://lkml.kernel.org/r/20190613014044.24234-1-shuaibinglu@126.com
Signed-off-by: Lu Shuaibing <shuaibinglu@126.com>
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Suggested-by: Arnd Bergmann <arnd@arndb.de>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: NeilBrown <neilb@suse.com>
From: Andrew Morton <akpm@linux-foundation.org>
Subject: ipc/msg.c: consolidate all xxxctl_down() functions
Each line here overflows 80 cols by exactly one character. Delete one tab
per line to fix.
Cc: Shaohua Li <shli@fb.com>
Cc: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-02-04 10:34:46 +09:00
|
|
|
msq->q_qbytes = msg_qbytes;
|
2008-04-29 17:00:48 +09:00
|
|
|
|
2017-08-03 11:51:12 +09:00
|
|
|
msq->q_ctime = ktime_get_real_seconds();
|
2016-10-12 05:54:56 +09:00
|
|
|
/*
|
|
|
|
|
* Sleeping receivers might be excluded by
|
2008-04-29 17:00:48 +09:00
|
|
|
* stricter permissions.
|
|
|
|
|
*/
|
ipc/msg: implement lockless pipelined wakeups
This patch moves the wakeup_process() invocation so it is not done under
the ipc global lock by making use of a lockless wake_q. With this change,
the waiter is woken up once the message has been assigned and it does not
need to loop on SMP if the message points to NULL. In the signal case we
still need to check the pointer under the lock to verify the state.
This change should also avoid the introduction of preempt_disable() in -RT
which avoids a busy-loop which pools for the NULL -> !NULL change if the
waiter has a higher priority compared to the waker.
By making use of wake_qs, the logic of sysv msg queues is greatly
simplified (and very well suited as we can batch lockless wakeups),
particularly around the lockless receive algorithm.
This has been tested with Manred's pmsg-shared tool on a "AMD A10-7800
Radeon R7, 12 Compute Cores 4C+8G":
test | before | after | diff
-----------------|------------|------------|----------
pmsg-shared 8 60 | 19,347,422 | 30,442,191 | + ~57.34 %
pmsg-shared 4 60 | 21,367,197 | 35,743,458 | + ~67.28 %
pmsg-shared 2 60 | 22,884,224 | 24,278,200 | + ~6.09 %
Link: http://lkml.kernel.org/r/1469748819-19484-2-git-send-email-dave@stgolabs.net
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-10-12 05:54:53 +09:00
|
|
|
expunge_all(msq, -EAGAIN, &wake_q);
|
2016-10-12 05:54:56 +09:00
|
|
|
/*
|
|
|
|
|
* Sleeping senders might be able to send
|
2008-04-29 17:00:48 +09:00
|
|
|
* due to a larger queue size.
|
|
|
|
|
*/
|
2016-10-12 05:55:02 +09:00
|
|
|
ss_wakeup(msq, &wake_q, false);
|
2016-10-12 05:54:56 +09:00
|
|
|
ipc_unlock_object(&msq->q_perm);
|
|
|
|
|
wake_up_q(&wake_q);
|
|
|
|
|
|
|
|
|
|
goto out_unlock1;
|
|
|
|
|
}
|
2008-04-29 17:00:48 +09:00
|
|
|
default:
|
|
|
|
|
err = -EINVAL;
|
2013-07-09 08:01:13 +09:00
|
|
|
goto out_unlock1;
|
2008-04-29 17:00:48 +09:00
|
|
|
}
|
2013-07-09 08:01:12 +09:00
|
|
|
|
|
|
|
|
out_unlock0:
|
|
|
|
|
ipc_unlock_object(&msq->q_perm);
|
|
|
|
|
out_unlock1:
|
|
|
|
|
rcu_read_unlock();
|
2008-04-29 17:00:48 +09:00
|
|
|
out_up:
|
2013-09-12 06:26:24 +09:00
|
|
|
up_write(&msg_ids(ns).rwsem);
|
2008-04-29 17:00:48 +09:00
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
2017-07-09 20:57:34 +09:00
|
|
|
static int msgctl_info(struct ipc_namespace *ns, int msqid,
|
|
|
|
|
int cmd, struct msginfo *msginfo)
|
2008-04-29 17:00:48 +09:00
|
|
|
{
|
2013-07-09 08:01:14 +09:00
|
|
|
int err;
|
2018-08-22 14:02:00 +09:00
|
|
|
int max_idx;
|
2005-04-17 07:20:36 +09:00
|
|
|
|
2017-07-09 20:57:34 +09:00
|
|
|
/*
|
|
|
|
|
* We must not return kernel stack data.
|
|
|
|
|
* due to padding, it's not enough
|
|
|
|
|
* to set all member fields.
|
|
|
|
|
*/
|
|
|
|
|
err = security_msg_queue_msgctl(NULL, cmd);
|
|
|
|
|
if (err)
|
|
|
|
|
return err;
|
|
|
|
|
|
|
|
|
|
memset(msginfo, 0, sizeof(*msginfo));
|
|
|
|
|
msginfo->msgmni = ns->msg_ctlmni;
|
|
|
|
|
msginfo->msgmax = ns->msg_ctlmax;
|
|
|
|
|
msginfo->msgmnb = ns->msg_ctlmnb;
|
|
|
|
|
msginfo->msgssz = MSGSSZ;
|
|
|
|
|
msginfo->msgseg = MSGSEG;
|
|
|
|
|
down_read(&msg_ids(ns).rwsem);
|
|
|
|
|
if (cmd == MSG_INFO) {
|
|
|
|
|
msginfo->msgpool = msg_ids(ns).in_use;
|
|
|
|
|
msginfo->msgmap = atomic_read(&ns->msg_hdrs);
|
|
|
|
|
msginfo->msgtql = atomic_read(&ns->msg_bytes);
|
|
|
|
|
} else {
|
|
|
|
|
msginfo->msgmap = MSGMAP;
|
|
|
|
|
msginfo->msgpool = MSGPOOL;
|
|
|
|
|
msginfo->msgtql = MSGTQL;
|
2005-04-17 07:20:36 +09:00
|
|
|
}
|
2018-08-22 14:02:00 +09:00
|
|
|
max_idx = ipc_get_maxidx(&msg_ids(ns));
|
2017-07-09 20:57:34 +09:00
|
|
|
up_read(&msg_ids(ns).rwsem);
|
2018-08-22 14:02:00 +09:00
|
|
|
return (max_idx < 0) ? 0 : max_idx;
|
2017-07-09 20:57:34 +09:00
|
|
|
}
|
2013-07-09 08:01:14 +09:00
|
|
|
|
2017-07-09 20:57:34 +09:00
|
|
|
static int msgctl_stat(struct ipc_namespace *ns, int msqid,
|
|
|
|
|
int cmd, struct msqid64_ds *p)
|
|
|
|
|
{
|
|
|
|
|
struct msg_queue *msq;
|
2018-02-07 08:40:49 +09:00
|
|
|
int err;
|
2013-07-09 08:01:16 +09:00
|
|
|
|
2017-07-09 20:57:34 +09:00
|
|
|
memset(p, 0, sizeof(*p));
|
2013-07-09 08:01:16 +09:00
|
|
|
|
2017-07-09 20:57:34 +09:00
|
|
|
rcu_read_lock();
|
2018-04-11 08:35:30 +09:00
|
|
|
if (cmd == MSG_STAT || cmd == MSG_STAT_ANY) {
|
2017-07-09 20:57:34 +09:00
|
|
|
msq = msq_obtain_object(ns, msqid);
|
|
|
|
|
if (IS_ERR(msq)) {
|
|
|
|
|
err = PTR_ERR(msq);
|
2005-04-17 07:20:36 +09:00
|
|
|
goto out_unlock;
|
|
|
|
|
}
|
2018-04-11 08:35:30 +09:00
|
|
|
} else { /* IPC_STAT */
|
2017-07-09 20:57:34 +09:00
|
|
|
msq = msq_obtain_object_check(ns, msqid);
|
|
|
|
|
if (IS_ERR(msq)) {
|
|
|
|
|
err = PTR_ERR(msq);
|
2005-04-17 07:20:36 +09:00
|
|
|
goto out_unlock;
|
2017-07-09 20:57:34 +09:00
|
|
|
}
|
|
|
|
|
}
|
2005-04-17 07:20:36 +09:00
|
|
|
|
2018-04-11 08:35:30 +09:00
|
|
|
/* see comment for SHM_STAT_ANY */
|
|
|
|
|
if (cmd == MSG_STAT_ANY)
|
|
|
|
|
audit_ipc_obj(&msq->q_perm);
|
|
|
|
|
else {
|
|
|
|
|
err = -EACCES;
|
|
|
|
|
if (ipcperms(ns, &msq->q_perm, S_IRUGO))
|
|
|
|
|
goto out_unlock;
|
|
|
|
|
}
|
2013-07-09 08:01:16 +09:00
|
|
|
|
2018-03-23 11:22:26 +09:00
|
|
|
err = security_msg_queue_msgctl(&msq->q_perm, cmd);
|
2017-07-09 20:57:34 +09:00
|
|
|
if (err)
|
|
|
|
|
goto out_unlock;
|
|
|
|
|
|
2018-02-07 08:40:49 +09:00
|
|
|
ipc_lock_object(&msq->q_perm);
|
|
|
|
|
|
|
|
|
|
if (!ipc_valid_object(&msq->q_perm)) {
|
|
|
|
|
ipc_unlock_object(&msq->q_perm);
|
|
|
|
|
err = -EIDRM;
|
|
|
|
|
goto out_unlock;
|
|
|
|
|
}
|
|
|
|
|
|
2017-07-09 20:57:34 +09:00
|
|
|
kernel_to_ipc64_perm(&msq->q_perm, &p->msg_perm);
|
|
|
|
|
p->msg_stime = msq->q_stime;
|
|
|
|
|
p->msg_rtime = msq->q_rtime;
|
|
|
|
|
p->msg_ctime = msq->q_ctime;
|
2015-04-29 04:39:50 +09:00
|
|
|
#ifndef CONFIG_64BIT
|
|
|
|
|
p->msg_stime_high = msq->q_stime >> 32;
|
|
|
|
|
p->msg_rtime_high = msq->q_rtime >> 32;
|
|
|
|
|
p->msg_ctime_high = msq->q_ctime >> 32;
|
|
|
|
|
#endif
|
2017-07-09 20:57:34 +09:00
|
|
|
p->msg_cbytes = msq->q_cbytes;
|
|
|
|
|
p->msg_qnum = msq->q_qnum;
|
|
|
|
|
p->msg_qbytes = msq->q_qbytes;
|
2018-03-23 14:42:21 +09:00
|
|
|
p->msg_lspid = pid_vnr(msq->q_lspid);
|
|
|
|
|
p->msg_lrpid = pid_vnr(msq->q_lrpid);
|
2013-07-09 08:01:14 +09:00
|
|
|
|
2018-08-22 14:01:21 +09:00
|
|
|
if (cmd == IPC_STAT) {
|
|
|
|
|
/*
|
|
|
|
|
* As defined in SUS:
|
|
|
|
|
* Return 0 on success
|
|
|
|
|
*/
|
|
|
|
|
err = 0;
|
|
|
|
|
} else {
|
|
|
|
|
/*
|
|
|
|
|
* MSG_STAT and MSG_STAT_ANY (both Linux specific)
|
|
|
|
|
* Return the full id, including the sequence number
|
|
|
|
|
*/
|
|
|
|
|
err = msq->q_perm.id;
|
|
|
|
|
}
|
2005-04-17 07:20:36 +09:00
|
|
|
|
2018-08-22 14:01:21 +09:00
|
|
|
ipc_unlock_object(&msq->q_perm);
|
2005-04-17 07:20:36 +09:00
|
|
|
out_unlock:
|
2013-07-09 08:01:16 +09:00
|
|
|
rcu_read_unlock();
|
2005-04-17 07:20:36 +09:00
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
ipc: rename old-style shmctl/semctl/msgctl syscalls
The behavior of these system calls is slightly different between
architectures, as determined by the CONFIG_ARCH_WANT_IPC_PARSE_VERSION
symbol. Most architectures that implement the split IPC syscalls don't set
that symbol and only get the modern version, but alpha, arm, microblaze,
mips-n32, mips-n64 and xtensa expect the caller to pass the IPC_64 flag.
For the architectures that so far only implement sys_ipc(), i.e. m68k,
mips-o32, powerpc, s390, sh, sparc, and x86-32, we want the new behavior
when adding the split syscalls, so we need to distinguish between the
two groups of architectures.
The method I picked for this distinction is to have a separate system call
entry point: sys_old_*ctl() now uses ipc_parse_version, while sys_*ctl()
does not. The system call tables of the five architectures are changed
accordingly.
As an additional benefit, we no longer need the configuration specific
definition for ipc_parse_version(), it always does the same thing now,
but simply won't get called on architectures with the modern interface.
A small downside is that on architectures that do set
ARCH_WANT_IPC_PARSE_VERSION, we now have an extra set of entry points
that are never called. They only add a few bytes of bloat, so it seems
better to keep them compared to adding yet another Kconfig symbol.
I considered adding new syscall numbers for the IPC_64 variants for
consistency, but decided against that for now.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
2019-01-01 06:22:40 +09:00
|
|
|
static long ksys_msgctl(int msqid, int cmd, struct msqid_ds __user *buf, int version)
|
2013-07-09 08:01:14 +09:00
|
|
|
{
|
|
|
|
|
struct ipc_namespace *ns;
|
2017-07-09 20:57:34 +09:00
|
|
|
struct msqid64_ds msqid64;
|
|
|
|
|
int err;
|
2013-07-09 08:01:14 +09:00
|
|
|
|
|
|
|
|
if (msqid < 0 || cmd < 0)
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
ns = current->nsproxy->ipc_ns;
|
|
|
|
|
|
|
|
|
|
switch (cmd) {
|
|
|
|
|
case IPC_INFO:
|
2017-07-09 20:57:34 +09:00
|
|
|
case MSG_INFO: {
|
|
|
|
|
struct msginfo msginfo;
|
|
|
|
|
err = msgctl_info(ns, msqid, cmd, &msginfo);
|
|
|
|
|
if (err < 0)
|
|
|
|
|
return err;
|
|
|
|
|
if (copy_to_user(buf, &msginfo, sizeof(struct msginfo)))
|
|
|
|
|
err = -EFAULT;
|
|
|
|
|
return err;
|
|
|
|
|
}
|
2013-07-09 08:01:14 +09:00
|
|
|
case MSG_STAT: /* msqid is an index rather than a msg queue id */
|
2018-04-11 08:35:30 +09:00
|
|
|
case MSG_STAT_ANY:
|
2013-07-09 08:01:14 +09:00
|
|
|
case IPC_STAT:
|
2017-07-09 20:57:34 +09:00
|
|
|
err = msgctl_stat(ns, msqid, cmd, &msqid64);
|
|
|
|
|
if (err < 0)
|
|
|
|
|
return err;
|
|
|
|
|
if (copy_msqid_to_user(buf, &msqid64, version))
|
|
|
|
|
err = -EFAULT;
|
|
|
|
|
return err;
|
2013-07-09 08:01:14 +09:00
|
|
|
case IPC_SET:
|
2017-07-09 20:57:34 +09:00
|
|
|
if (copy_msqid_from_user(&msqid64, buf, version))
|
|
|
|
|
return -EFAULT;
|
ipc/msg.c: consolidate all xxxctl_down() functions
commit 889b331724c82c11e15ba0a60979cf7bded0a26c upstream.
A use of uninitialized memory in msgctl_down() because msqid64 in
ksys_msgctl hasn't been initialized. The local | msqid64 | is created in
ksys_msgctl() and then passed into msgctl_down(). Along the way msqid64
is never initialized before msgctl_down() checks msqid64->msg_qbytes.
KUMSAN(KernelUninitializedMemorySantizer, a new error detection tool)
reports:
==================================================================
BUG: KUMSAN: use of uninitialized memory in msgctl_down+0x94/0x300
Read of size 8 at addr ffff88806bb97eb8 by task syz-executor707/2022
CPU: 0 PID: 2022 Comm: syz-executor707 Not tainted 5.2.0-rc4+ #63
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
Call Trace:
dump_stack+0x75/0xae
__kumsan_report+0x17c/0x3e6
kumsan_report+0xe/0x20
msgctl_down+0x94/0x300
ksys_msgctl.constprop.14+0xef/0x260
do_syscall_64+0x7e/0x1f0
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4400e9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffd869e0598 EFLAGS: 00000246 ORIG_RAX: 0000000000000047
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004400e9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000401970
R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the page:
page:ffffea0001aee5c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x100000000000000()
raw: 0100000000000000 0000000000000000 ffffffff01ae0101 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kumsan: bad access detected
==================================================================
Syzkaller reproducer:
msgctl$IPC_RMID(0x0, 0x0)
C reproducer:
// autogenerated by syzkaller (https://github.com/google/syzkaller)
int main(void)
{
syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
syscall(__NR_msgctl, 0, 0, 0);
return 0;
}
[natechancellor@gmail.com: adjust indentation in ksys_msgctl]
Link: https://github.com/ClangBuiltLinux/linux/issues/829
Link: http://lkml.kernel.org/r/20191218032932.37479-1-natechancellor@gmail.com
Link: http://lkml.kernel.org/r/20190613014044.24234-1-shuaibinglu@126.com
Signed-off-by: Lu Shuaibing <shuaibinglu@126.com>
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Suggested-by: Arnd Bergmann <arnd@arndb.de>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: NeilBrown <neilb@suse.com>
From: Andrew Morton <akpm@linux-foundation.org>
Subject: ipc/msg.c: consolidate all xxxctl_down() functions
Each line here overflows 80 cols by exactly one character. Delete one tab
per line to fix.
Cc: Shaohua Li <shli@fb.com>
Cc: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-02-04 10:34:46 +09:00
|
|
|
return msgctl_down(ns, msqid, cmd, &msqid64.msg_perm,
|
|
|
|
|
msqid64.msg_qbytes);
|
2013-07-09 08:01:14 +09:00
|
|
|
case IPC_RMID:
|
ipc/msg.c: consolidate all xxxctl_down() functions
commit 889b331724c82c11e15ba0a60979cf7bded0a26c upstream.
A use of uninitialized memory in msgctl_down() because msqid64 in
ksys_msgctl hasn't been initialized. The local | msqid64 | is created in
ksys_msgctl() and then passed into msgctl_down(). Along the way msqid64
is never initialized before msgctl_down() checks msqid64->msg_qbytes.
KUMSAN(KernelUninitializedMemorySantizer, a new error detection tool)
reports:
==================================================================
BUG: KUMSAN: use of uninitialized memory in msgctl_down+0x94/0x300
Read of size 8 at addr ffff88806bb97eb8 by task syz-executor707/2022
CPU: 0 PID: 2022 Comm: syz-executor707 Not tainted 5.2.0-rc4+ #63
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
Call Trace:
dump_stack+0x75/0xae
__kumsan_report+0x17c/0x3e6
kumsan_report+0xe/0x20
msgctl_down+0x94/0x300
ksys_msgctl.constprop.14+0xef/0x260
do_syscall_64+0x7e/0x1f0
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4400e9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffd869e0598 EFLAGS: 00000246 ORIG_RAX: 0000000000000047
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004400e9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000401970
R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the page:
page:ffffea0001aee5c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x100000000000000()
raw: 0100000000000000 0000000000000000 ffffffff01ae0101 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kumsan: bad access detected
==================================================================
Syzkaller reproducer:
msgctl$IPC_RMID(0x0, 0x0)
C reproducer:
// autogenerated by syzkaller (https://github.com/google/syzkaller)
int main(void)
{
syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
syscall(__NR_msgctl, 0, 0, 0);
return 0;
}
[natechancellor@gmail.com: adjust indentation in ksys_msgctl]
Link: https://github.com/ClangBuiltLinux/linux/issues/829
Link: http://lkml.kernel.org/r/20191218032932.37479-1-natechancellor@gmail.com
Link: http://lkml.kernel.org/r/20190613014044.24234-1-shuaibinglu@126.com
Signed-off-by: Lu Shuaibing <shuaibinglu@126.com>
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Suggested-by: Arnd Bergmann <arnd@arndb.de>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: NeilBrown <neilb@suse.com>
From: Andrew Morton <akpm@linux-foundation.org>
Subject: ipc/msg.c: consolidate all xxxctl_down() functions
Each line here overflows 80 cols by exactly one character. Delete one tab
per line to fix.
Cc: Shaohua Li <shli@fb.com>
Cc: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-02-04 10:34:46 +09:00
|
|
|
return msgctl_down(ns, msqid, cmd, NULL, 0);
|
2013-07-09 08:01:14 +09:00
|
|
|
default:
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-03-21 04:15:28 +09:00
|
|
|
SYSCALL_DEFINE3(msgctl, int, msqid, int, cmd, struct msqid_ds __user *, buf)
|
|
|
|
|
{
|
ipc: rename old-style shmctl/semctl/msgctl syscalls
The behavior of these system calls is slightly different between
architectures, as determined by the CONFIG_ARCH_WANT_IPC_PARSE_VERSION
symbol. Most architectures that implement the split IPC syscalls don't set
that symbol and only get the modern version, but alpha, arm, microblaze,
mips-n32, mips-n64 and xtensa expect the caller to pass the IPC_64 flag.
For the architectures that so far only implement sys_ipc(), i.e. m68k,
mips-o32, powerpc, s390, sh, sparc, and x86-32, we want the new behavior
when adding the split syscalls, so we need to distinguish between the
two groups of architectures.
The method I picked for this distinction is to have a separate system call
entry point: sys_old_*ctl() now uses ipc_parse_version, while sys_*ctl()
does not. The system call tables of the five architectures are changed
accordingly.
As an additional benefit, we no longer need the configuration specific
definition for ipc_parse_version(), it always does the same thing now,
but simply won't get called on architectures with the modern interface.
A small downside is that on architectures that do set
ARCH_WANT_IPC_PARSE_VERSION, we now have an extra set of entry points
that are never called. They only add a few bytes of bloat, so it seems
better to keep them compared to adding yet another Kconfig symbol.
I considered adding new syscall numbers for the IPC_64 variants for
consistency, but decided against that for now.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
2019-01-01 06:22:40 +09:00
|
|
|
return ksys_msgctl(msqid, cmd, buf, IPC_64);
|
2018-03-21 04:15:28 +09:00
|
|
|
}
|
|
|
|
|
|
ipc: rename old-style shmctl/semctl/msgctl syscalls
The behavior of these system calls is slightly different between
architectures, as determined by the CONFIG_ARCH_WANT_IPC_PARSE_VERSION
symbol. Most architectures that implement the split IPC syscalls don't set
that symbol and only get the modern version, but alpha, arm, microblaze,
mips-n32, mips-n64 and xtensa expect the caller to pass the IPC_64 flag.
For the architectures that so far only implement sys_ipc(), i.e. m68k,
mips-o32, powerpc, s390, sh, sparc, and x86-32, we want the new behavior
when adding the split syscalls, so we need to distinguish between the
two groups of architectures.
The method I picked for this distinction is to have a separate system call
entry point: sys_old_*ctl() now uses ipc_parse_version, while sys_*ctl()
does not. The system call tables of the five architectures are changed
accordingly.
As an additional benefit, we no longer need the configuration specific
definition for ipc_parse_version(), it always does the same thing now,
but simply won't get called on architectures with the modern interface.
A small downside is that on architectures that do set
ARCH_WANT_IPC_PARSE_VERSION, we now have an extra set of entry points
that are never called. They only add a few bytes of bloat, so it seems
better to keep them compared to adding yet another Kconfig symbol.
I considered adding new syscall numbers for the IPC_64 variants for
consistency, but decided against that for now.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
2019-01-01 06:22:40 +09:00
|
|
|
#ifdef CONFIG_ARCH_WANT_IPC_PARSE_VERSION
|
|
|
|
|
long ksys_old_msgctl(int msqid, int cmd, struct msqid_ds __user *buf)
|
|
|
|
|
{
|
|
|
|
|
int version = ipc_parse_version(&cmd);
|
|
|
|
|
|
|
|
|
|
return ksys_msgctl(msqid, cmd, buf, version);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
SYSCALL_DEFINE3(old_msgctl, int, msqid, int, cmd, struct msqid_ds __user *, buf)
|
|
|
|
|
{
|
|
|
|
|
return ksys_old_msgctl(msqid, cmd, buf);
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
2017-07-09 21:31:16 +09:00
|
|
|
#ifdef CONFIG_COMPAT
|
|
|
|
|
|
|
|
|
|
struct compat_msqid_ds {
|
|
|
|
|
struct compat_ipc_perm msg_perm;
|
|
|
|
|
compat_uptr_t msg_first;
|
|
|
|
|
compat_uptr_t msg_last;
|
y2038: globally rename compat_time to old_time32
Christoph Hellwig suggested a slightly different path for handling
backwards compatibility with the 32-bit time_t based system calls:
Rather than simply reusing the compat_sys_* entry points on 32-bit
architectures unchanged, we get rid of those entry points and the
compat_time types by renaming them to something that makes more sense
on 32-bit architectures (which don't have a compat mode otherwise),
and then share the entry points under the new name with the 64-bit
architectures that use them for implementing the compatibility.
The following types and interfaces are renamed here, and moved
from linux/compat_time.h to linux/time32.h:
old new
--- ---
compat_time_t old_time32_t
struct compat_timeval struct old_timeval32
struct compat_timespec struct old_timespec32
struct compat_itimerspec struct old_itimerspec32
ns_to_compat_timeval() ns_to_old_timeval32()
get_compat_itimerspec64() get_old_itimerspec32()
put_compat_itimerspec64() put_old_itimerspec32()
compat_get_timespec64() get_old_timespec32()
compat_put_timespec64() put_old_timespec32()
As we already have aliases in place, this patch addresses only the
instances that are relevant to the system call interface in particular,
not those that occur in device drivers and other modules. Those
will get handled separately, while providing the 64-bit version
of the respective interfaces.
I'm not renaming the timex, rusage and itimerval structures, as we are
still debating what the new interface will look like, and whether we
will need a replacement at all.
This also doesn't change the names of the syscall entry points, which can
be done more easily when we actually switch over the 32-bit architectures
to use them, at that point we need to change COMPAT_SYSCALL_DEFINEx to
SYSCALL_DEFINEx with a new name, e.g. with a _time32 suffix.
Suggested-by: Christoph Hellwig <hch@infradead.org>
Link: https://lore.kernel.org/lkml/20180705222110.GA5698@infradead.org/
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
2018-07-13 19:52:28 +09:00
|
|
|
old_time32_t msg_stime;
|
|
|
|
|
old_time32_t msg_rtime;
|
|
|
|
|
old_time32_t msg_ctime;
|
2017-07-09 21:31:16 +09:00
|
|
|
compat_ulong_t msg_lcbytes;
|
|
|
|
|
compat_ulong_t msg_lqbytes;
|
|
|
|
|
unsigned short msg_cbytes;
|
|
|
|
|
unsigned short msg_qnum;
|
|
|
|
|
unsigned short msg_qbytes;
|
|
|
|
|
compat_ipc_pid_t msg_lspid;
|
|
|
|
|
compat_ipc_pid_t msg_lrpid;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static int copy_compat_msqid_from_user(struct msqid64_ds *out, void __user *buf,
|
|
|
|
|
int version)
|
|
|
|
|
{
|
|
|
|
|
memset(out, 0, sizeof(*out));
|
|
|
|
|
if (version == IPC_64) {
|
2017-09-26 10:37:28 +09:00
|
|
|
struct compat_msqid64_ds __user *p = buf;
|
2017-07-09 23:10:32 +09:00
|
|
|
if (get_compat_ipc64_perm(&out->msg_perm, &p->msg_perm))
|
2017-07-09 21:31:16 +09:00
|
|
|
return -EFAULT;
|
|
|
|
|
if (get_user(out->msg_qbytes, &p->msg_qbytes))
|
|
|
|
|
return -EFAULT;
|
|
|
|
|
} else {
|
2017-09-26 10:37:28 +09:00
|
|
|
struct compat_msqid_ds __user *p = buf;
|
2017-07-09 23:10:32 +09:00
|
|
|
if (get_compat_ipc_perm(&out->msg_perm, &p->msg_perm))
|
2017-07-09 21:31:16 +09:00
|
|
|
return -EFAULT;
|
|
|
|
|
if (get_user(out->msg_qbytes, &p->msg_qbytes))
|
|
|
|
|
return -EFAULT;
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int copy_compat_msqid_to_user(void __user *buf, struct msqid64_ds *in,
|
|
|
|
|
int version)
|
|
|
|
|
{
|
|
|
|
|
if (version == IPC_64) {
|
|
|
|
|
struct compat_msqid64_ds v;
|
|
|
|
|
memset(&v, 0, sizeof(v));
|
2017-07-09 23:10:32 +09:00
|
|
|
to_compat_ipc64_perm(&v.msg_perm, &in->msg_perm);
|
2015-04-29 04:39:50 +09:00
|
|
|
v.msg_stime = lower_32_bits(in->msg_stime);
|
|
|
|
|
v.msg_stime_high = upper_32_bits(in->msg_stime);
|
|
|
|
|
v.msg_rtime = lower_32_bits(in->msg_rtime);
|
|
|
|
|
v.msg_rtime_high = upper_32_bits(in->msg_rtime);
|
|
|
|
|
v.msg_ctime = lower_32_bits(in->msg_ctime);
|
|
|
|
|
v.msg_ctime_high = upper_32_bits(in->msg_ctime);
|
2017-07-09 21:31:16 +09:00
|
|
|
v.msg_cbytes = in->msg_cbytes;
|
|
|
|
|
v.msg_qnum = in->msg_qnum;
|
|
|
|
|
v.msg_qbytes = in->msg_qbytes;
|
|
|
|
|
v.msg_lspid = in->msg_lspid;
|
|
|
|
|
v.msg_lrpid = in->msg_lrpid;
|
|
|
|
|
return copy_to_user(buf, &v, sizeof(v));
|
|
|
|
|
} else {
|
|
|
|
|
struct compat_msqid_ds v;
|
|
|
|
|
memset(&v, 0, sizeof(v));
|
2017-07-09 23:10:32 +09:00
|
|
|
to_compat_ipc_perm(&v.msg_perm, &in->msg_perm);
|
2017-07-09 21:31:16 +09:00
|
|
|
v.msg_stime = in->msg_stime;
|
|
|
|
|
v.msg_rtime = in->msg_rtime;
|
|
|
|
|
v.msg_ctime = in->msg_ctime;
|
|
|
|
|
v.msg_cbytes = in->msg_cbytes;
|
|
|
|
|
v.msg_qnum = in->msg_qnum;
|
|
|
|
|
v.msg_qbytes = in->msg_qbytes;
|
|
|
|
|
v.msg_lspid = in->msg_lspid;
|
|
|
|
|
v.msg_lrpid = in->msg_lrpid;
|
|
|
|
|
return copy_to_user(buf, &v, sizeof(v));
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
ipc: rename old-style shmctl/semctl/msgctl syscalls
The behavior of these system calls is slightly different between
architectures, as determined by the CONFIG_ARCH_WANT_IPC_PARSE_VERSION
symbol. Most architectures that implement the split IPC syscalls don't set
that symbol and only get the modern version, but alpha, arm, microblaze,
mips-n32, mips-n64 and xtensa expect the caller to pass the IPC_64 flag.
For the architectures that so far only implement sys_ipc(), i.e. m68k,
mips-o32, powerpc, s390, sh, sparc, and x86-32, we want the new behavior
when adding the split syscalls, so we need to distinguish between the
two groups of architectures.
The method I picked for this distinction is to have a separate system call
entry point: sys_old_*ctl() now uses ipc_parse_version, while sys_*ctl()
does not. The system call tables of the five architectures are changed
accordingly.
As an additional benefit, we no longer need the configuration specific
definition for ipc_parse_version(), it always does the same thing now,
but simply won't get called on architectures with the modern interface.
A small downside is that on architectures that do set
ARCH_WANT_IPC_PARSE_VERSION, we now have an extra set of entry points
that are never called. They only add a few bytes of bloat, so it seems
better to keep them compared to adding yet another Kconfig symbol.
I considered adding new syscall numbers for the IPC_64 variants for
consistency, but decided against that for now.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
2019-01-01 06:22:40 +09:00
|
|
|
static long compat_ksys_msgctl(int msqid, int cmd, void __user *uptr, int version)
|
2017-07-09 21:31:16 +09:00
|
|
|
{
|
|
|
|
|
struct ipc_namespace *ns;
|
|
|
|
|
int err;
|
|
|
|
|
struct msqid64_ds msqid64;
|
|
|
|
|
|
|
|
|
|
ns = current->nsproxy->ipc_ns;
|
|
|
|
|
|
|
|
|
|
if (msqid < 0 || cmd < 0)
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
switch (cmd & (~IPC_64)) {
|
|
|
|
|
case IPC_INFO:
|
|
|
|
|
case MSG_INFO: {
|
|
|
|
|
struct msginfo msginfo;
|
|
|
|
|
err = msgctl_info(ns, msqid, cmd, &msginfo);
|
|
|
|
|
if (err < 0)
|
|
|
|
|
return err;
|
|
|
|
|
if (copy_to_user(uptr, &msginfo, sizeof(struct msginfo)))
|
|
|
|
|
err = -EFAULT;
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
case IPC_STAT:
|
|
|
|
|
case MSG_STAT:
|
2018-04-11 08:35:30 +09:00
|
|
|
case MSG_STAT_ANY:
|
2017-07-09 21:31:16 +09:00
|
|
|
err = msgctl_stat(ns, msqid, cmd, &msqid64);
|
|
|
|
|
if (err < 0)
|
|
|
|
|
return err;
|
|
|
|
|
if (copy_compat_msqid_to_user(uptr, &msqid64, version))
|
|
|
|
|
err = -EFAULT;
|
|
|
|
|
return err;
|
|
|
|
|
case IPC_SET:
|
|
|
|
|
if (copy_compat_msqid_from_user(&msqid64, uptr, version))
|
|
|
|
|
return -EFAULT;
|
ipc/msg.c: consolidate all xxxctl_down() functions
commit 889b331724c82c11e15ba0a60979cf7bded0a26c upstream.
A use of uninitialized memory in msgctl_down() because msqid64 in
ksys_msgctl hasn't been initialized. The local | msqid64 | is created in
ksys_msgctl() and then passed into msgctl_down(). Along the way msqid64
is never initialized before msgctl_down() checks msqid64->msg_qbytes.
KUMSAN(KernelUninitializedMemorySantizer, a new error detection tool)
reports:
==================================================================
BUG: KUMSAN: use of uninitialized memory in msgctl_down+0x94/0x300
Read of size 8 at addr ffff88806bb97eb8 by task syz-executor707/2022
CPU: 0 PID: 2022 Comm: syz-executor707 Not tainted 5.2.0-rc4+ #63
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
Call Trace:
dump_stack+0x75/0xae
__kumsan_report+0x17c/0x3e6
kumsan_report+0xe/0x20
msgctl_down+0x94/0x300
ksys_msgctl.constprop.14+0xef/0x260
do_syscall_64+0x7e/0x1f0
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4400e9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffd869e0598 EFLAGS: 00000246 ORIG_RAX: 0000000000000047
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004400e9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000401970
R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the page:
page:ffffea0001aee5c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x100000000000000()
raw: 0100000000000000 0000000000000000 ffffffff01ae0101 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kumsan: bad access detected
==================================================================
Syzkaller reproducer:
msgctl$IPC_RMID(0x0, 0x0)
C reproducer:
// autogenerated by syzkaller (https://github.com/google/syzkaller)
int main(void)
{
syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
syscall(__NR_msgctl, 0, 0, 0);
return 0;
}
[natechancellor@gmail.com: adjust indentation in ksys_msgctl]
Link: https://github.com/ClangBuiltLinux/linux/issues/829
Link: http://lkml.kernel.org/r/20191218032932.37479-1-natechancellor@gmail.com
Link: http://lkml.kernel.org/r/20190613014044.24234-1-shuaibinglu@126.com
Signed-off-by: Lu Shuaibing <shuaibinglu@126.com>
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Suggested-by: Arnd Bergmann <arnd@arndb.de>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: NeilBrown <neilb@suse.com>
From: Andrew Morton <akpm@linux-foundation.org>
Subject: ipc/msg.c: consolidate all xxxctl_down() functions
Each line here overflows 80 cols by exactly one character. Delete one tab
per line to fix.
Cc: Shaohua Li <shli@fb.com>
Cc: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-02-04 10:34:46 +09:00
|
|
|
return msgctl_down(ns, msqid, cmd, &msqid64.msg_perm, msqid64.msg_qbytes);
|
2017-07-09 21:31:16 +09:00
|
|
|
case IPC_RMID:
|
ipc/msg.c: consolidate all xxxctl_down() functions
commit 889b331724c82c11e15ba0a60979cf7bded0a26c upstream.
A use of uninitialized memory in msgctl_down() because msqid64 in
ksys_msgctl hasn't been initialized. The local | msqid64 | is created in
ksys_msgctl() and then passed into msgctl_down(). Along the way msqid64
is never initialized before msgctl_down() checks msqid64->msg_qbytes.
KUMSAN(KernelUninitializedMemorySantizer, a new error detection tool)
reports:
==================================================================
BUG: KUMSAN: use of uninitialized memory in msgctl_down+0x94/0x300
Read of size 8 at addr ffff88806bb97eb8 by task syz-executor707/2022
CPU: 0 PID: 2022 Comm: syz-executor707 Not tainted 5.2.0-rc4+ #63
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
Call Trace:
dump_stack+0x75/0xae
__kumsan_report+0x17c/0x3e6
kumsan_report+0xe/0x20
msgctl_down+0x94/0x300
ksys_msgctl.constprop.14+0xef/0x260
do_syscall_64+0x7e/0x1f0
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4400e9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffd869e0598 EFLAGS: 00000246 ORIG_RAX: 0000000000000047
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004400e9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000401970
R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the page:
page:ffffea0001aee5c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x100000000000000()
raw: 0100000000000000 0000000000000000 ffffffff01ae0101 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kumsan: bad access detected
==================================================================
Syzkaller reproducer:
msgctl$IPC_RMID(0x0, 0x0)
C reproducer:
// autogenerated by syzkaller (https://github.com/google/syzkaller)
int main(void)
{
syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
syscall(__NR_msgctl, 0, 0, 0);
return 0;
}
[natechancellor@gmail.com: adjust indentation in ksys_msgctl]
Link: https://github.com/ClangBuiltLinux/linux/issues/829
Link: http://lkml.kernel.org/r/20191218032932.37479-1-natechancellor@gmail.com
Link: http://lkml.kernel.org/r/20190613014044.24234-1-shuaibinglu@126.com
Signed-off-by: Lu Shuaibing <shuaibinglu@126.com>
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Suggested-by: Arnd Bergmann <arnd@arndb.de>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: NeilBrown <neilb@suse.com>
From: Andrew Morton <akpm@linux-foundation.org>
Subject: ipc/msg.c: consolidate all xxxctl_down() functions
Each line here overflows 80 cols by exactly one character. Delete one tab
per line to fix.
Cc: Shaohua Li <shli@fb.com>
Cc: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-02-04 10:34:46 +09:00
|
|
|
return msgctl_down(ns, msqid, cmd, NULL, 0);
|
2017-07-09 21:31:16 +09:00
|
|
|
default:
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
}
|
|
|
|
|
}
|
2018-03-21 04:15:28 +09:00
|
|
|
|
|
|
|
|
COMPAT_SYSCALL_DEFINE3(msgctl, int, msqid, int, cmd, void __user *, uptr)
|
|
|
|
|
{
|
ipc: rename old-style shmctl/semctl/msgctl syscalls
The behavior of these system calls is slightly different between
architectures, as determined by the CONFIG_ARCH_WANT_IPC_PARSE_VERSION
symbol. Most architectures that implement the split IPC syscalls don't set
that symbol and only get the modern version, but alpha, arm, microblaze,
mips-n32, mips-n64 and xtensa expect the caller to pass the IPC_64 flag.
For the architectures that so far only implement sys_ipc(), i.e. m68k,
mips-o32, powerpc, s390, sh, sparc, and x86-32, we want the new behavior
when adding the split syscalls, so we need to distinguish between the
two groups of architectures.
The method I picked for this distinction is to have a separate system call
entry point: sys_old_*ctl() now uses ipc_parse_version, while sys_*ctl()
does not. The system call tables of the five architectures are changed
accordingly.
As an additional benefit, we no longer need the configuration specific
definition for ipc_parse_version(), it always does the same thing now,
but simply won't get called on architectures with the modern interface.
A small downside is that on architectures that do set
ARCH_WANT_IPC_PARSE_VERSION, we now have an extra set of entry points
that are never called. They only add a few bytes of bloat, so it seems
better to keep them compared to adding yet another Kconfig symbol.
I considered adding new syscall numbers for the IPC_64 variants for
consistency, but decided against that for now.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
2019-01-01 06:22:40 +09:00
|
|
|
return compat_ksys_msgctl(msqid, cmd, uptr, IPC_64);
|
2018-03-21 04:15:28 +09:00
|
|
|
}
|
ipc: rename old-style shmctl/semctl/msgctl syscalls
The behavior of these system calls is slightly different between
architectures, as determined by the CONFIG_ARCH_WANT_IPC_PARSE_VERSION
symbol. Most architectures that implement the split IPC syscalls don't set
that symbol and only get the modern version, but alpha, arm, microblaze,
mips-n32, mips-n64 and xtensa expect the caller to pass the IPC_64 flag.
For the architectures that so far only implement sys_ipc(), i.e. m68k,
mips-o32, powerpc, s390, sh, sparc, and x86-32, we want the new behavior
when adding the split syscalls, so we need to distinguish between the
two groups of architectures.
The method I picked for this distinction is to have a separate system call
entry point: sys_old_*ctl() now uses ipc_parse_version, while sys_*ctl()
does not. The system call tables of the five architectures are changed
accordingly.
As an additional benefit, we no longer need the configuration specific
definition for ipc_parse_version(), it always does the same thing now,
but simply won't get called on architectures with the modern interface.
A small downside is that on architectures that do set
ARCH_WANT_IPC_PARSE_VERSION, we now have an extra set of entry points
that are never called. They only add a few bytes of bloat, so it seems
better to keep them compared to adding yet another Kconfig symbol.
I considered adding new syscall numbers for the IPC_64 variants for
consistency, but decided against that for now.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
2019-01-01 06:22:40 +09:00
|
|
|
|
|
|
|
|
#ifdef CONFIG_ARCH_WANT_COMPAT_IPC_PARSE_VERSION
|
|
|
|
|
long compat_ksys_old_msgctl(int msqid, int cmd, void __user *uptr)
|
|
|
|
|
{
|
|
|
|
|
int version = compat_ipc_parse_version(&cmd);
|
|
|
|
|
|
|
|
|
|
return compat_ksys_msgctl(msqid, cmd, uptr, version);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
COMPAT_SYSCALL_DEFINE3(old_msgctl, int, msqid, int, cmd, void __user *, uptr)
|
|
|
|
|
{
|
|
|
|
|
return compat_ksys_old_msgctl(msqid, cmd, uptr);
|
|
|
|
|
}
|
|
|
|
|
#endif
|
2017-07-09 21:31:16 +09:00
|
|
|
#endif
|
|
|
|
|
|
2006-07-30 19:04:11 +09:00
|
|
|
static int testmsg(struct msg_msg *msg, long type, int mode)
|
2005-04-17 07:20:36 +09:00
|
|
|
{
|
2014-06-07 06:37:37 +09:00
|
|
|
switch (mode) {
|
|
|
|
|
case SEARCH_ANY:
|
|
|
|
|
case SEARCH_NUMBER:
|
|
|
|
|
return 1;
|
|
|
|
|
case SEARCH_LESSEQUAL:
|
|
|
|
|
if (msg->m_type <= type)
|
|
|
|
|
return 1;
|
|
|
|
|
break;
|
|
|
|
|
case SEARCH_EQUAL:
|
|
|
|
|
if (msg->m_type == type)
|
2005-04-17 07:20:36 +09:00
|
|
|
return 1;
|
2014-06-07 06:37:37 +09:00
|
|
|
break;
|
|
|
|
|
case SEARCH_NOTEQUAL:
|
|
|
|
|
if (msg->m_type != type)
|
|
|
|
|
return 1;
|
|
|
|
|
break;
|
2005-04-17 07:20:36 +09:00
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
ipc/msg: implement lockless pipelined wakeups
This patch moves the wakeup_process() invocation so it is not done under
the ipc global lock by making use of a lockless wake_q. With this change,
the waiter is woken up once the message has been assigned and it does not
need to loop on SMP if the message points to NULL. In the signal case we
still need to check the pointer under the lock to verify the state.
This change should also avoid the introduction of preempt_disable() in -RT
which avoids a busy-loop which pools for the NULL -> !NULL change if the
waiter has a higher priority compared to the waker.
By making use of wake_qs, the logic of sysv msg queues is greatly
simplified (and very well suited as we can batch lockless wakeups),
particularly around the lockless receive algorithm.
This has been tested with Manred's pmsg-shared tool on a "AMD A10-7800
Radeon R7, 12 Compute Cores 4C+8G":
test | before | after | diff
-----------------|------------|------------|----------
pmsg-shared 8 60 | 19,347,422 | 30,442,191 | + ~57.34 %
pmsg-shared 4 60 | 21,367,197 | 35,743,458 | + ~67.28 %
pmsg-shared 2 60 | 22,884,224 | 24,278,200 | + ~6.09 %
Link: http://lkml.kernel.org/r/1469748819-19484-2-git-send-email-dave@stgolabs.net
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-10-12 05:54:53 +09:00
|
|
|
static inline int pipelined_send(struct msg_queue *msq, struct msg_msg *msg,
|
|
|
|
|
struct wake_q_head *wake_q)
|
2005-04-17 07:20:36 +09:00
|
|
|
{
|
2013-05-01 11:15:49 +09:00
|
|
|
struct msg_receiver *msr, *t;
|
2006-07-30 19:04:11 +09:00
|
|
|
|
2013-05-01 11:15:49 +09:00
|
|
|
list_for_each_entry_safe(msr, t, &msq->q_receivers, r_list) {
|
2006-07-30 19:04:11 +09:00
|
|
|
if (testmsg(msg, msr->r_msgtype, msr->r_mode) &&
|
2018-03-23 11:22:26 +09:00
|
|
|
!security_msg_queue_msgrcv(&msq->q_perm, msg, msr->r_tsk,
|
2006-07-30 19:04:11 +09:00
|
|
|
msr->r_msgtype, msr->r_mode)) {
|
|
|
|
|
|
2005-04-17 07:20:36 +09:00
|
|
|
list_del(&msr->r_list);
|
2006-07-30 19:04:11 +09:00
|
|
|
if (msr->r_maxsize < msg->m_ts) {
|
ipc/msg: implement lockless pipelined wakeups
This patch moves the wakeup_process() invocation so it is not done under
the ipc global lock by making use of a lockless wake_q. With this change,
the waiter is woken up once the message has been assigned and it does not
need to loop on SMP if the message points to NULL. In the signal case we
still need to check the pointer under the lock to verify the state.
This change should also avoid the introduction of preempt_disable() in -RT
which avoids a busy-loop which pools for the NULL -> !NULL change if the
waiter has a higher priority compared to the waker.
By making use of wake_qs, the logic of sysv msg queues is greatly
simplified (and very well suited as we can batch lockless wakeups),
particularly around the lockless receive algorithm.
This has been tested with Manred's pmsg-shared tool on a "AMD A10-7800
Radeon R7, 12 Compute Cores 4C+8G":
test | before | after | diff
-----------------|------------|------------|----------
pmsg-shared 8 60 | 19,347,422 | 30,442,191 | + ~57.34 %
pmsg-shared 4 60 | 21,367,197 | 35,743,458 | + ~67.28 %
pmsg-shared 2 60 | 22,884,224 | 24,278,200 | + ~6.09 %
Link: http://lkml.kernel.org/r/1469748819-19484-2-git-send-email-dave@stgolabs.net
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-10-12 05:54:53 +09:00
|
|
|
wake_q_add(wake_q, msr->r_tsk);
|
|
|
|
|
WRITE_ONCE(msr->r_msg, ERR_PTR(-E2BIG));
|
2005-04-17 07:20:36 +09:00
|
|
|
} else {
|
2018-03-23 14:42:21 +09:00
|
|
|
ipc_update_pid(&msq->q_lrpid, task_pid(msr->r_tsk));
|
2018-04-12 22:19:44 +09:00
|
|
|
msq->q_rtime = ktime_get_real_seconds();
|
2006-07-30 19:04:11 +09:00
|
|
|
|
ipc/msg: implement lockless pipelined wakeups
This patch moves the wakeup_process() invocation so it is not done under
the ipc global lock by making use of a lockless wake_q. With this change,
the waiter is woken up once the message has been assigned and it does not
need to loop on SMP if the message points to NULL. In the signal case we
still need to check the pointer under the lock to verify the state.
This change should also avoid the introduction of preempt_disable() in -RT
which avoids a busy-loop which pools for the NULL -> !NULL change if the
waiter has a higher priority compared to the waker.
By making use of wake_qs, the logic of sysv msg queues is greatly
simplified (and very well suited as we can batch lockless wakeups),
particularly around the lockless receive algorithm.
This has been tested with Manred's pmsg-shared tool on a "AMD A10-7800
Radeon R7, 12 Compute Cores 4C+8G":
test | before | after | diff
-----------------|------------|------------|----------
pmsg-shared 8 60 | 19,347,422 | 30,442,191 | + ~57.34 %
pmsg-shared 4 60 | 21,367,197 | 35,743,458 | + ~67.28 %
pmsg-shared 2 60 | 22,884,224 | 24,278,200 | + ~6.09 %
Link: http://lkml.kernel.org/r/1469748819-19484-2-git-send-email-dave@stgolabs.net
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-10-12 05:54:53 +09:00
|
|
|
wake_q_add(wake_q, msr->r_tsk);
|
|
|
|
|
WRITE_ONCE(msr->r_msg, msg);
|
2005-04-17 07:20:36 +09:00
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2014-01-28 10:07:10 +09:00
|
|
|
|
2005-04-17 07:20:36 +09:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2017-07-09 23:34:35 +09:00
|
|
|
static long do_msgsnd(int msqid, long mtype, void __user *mtext,
|
2006-12-07 13:37:48 +09:00
|
|
|
size_t msgsz, int msgflg)
|
2005-04-17 07:20:36 +09:00
|
|
|
{
|
|
|
|
|
struct msg_queue *msq;
|
|
|
|
|
struct msg_msg *msg;
|
|
|
|
|
int err;
|
2006-10-02 18:18:21 +09:00
|
|
|
struct ipc_namespace *ns;
|
2016-11-18 01:46:38 +09:00
|
|
|
DEFINE_WAKE_Q(wake_q);
|
2006-10-02 18:18:21 +09:00
|
|
|
|
|
|
|
|
ns = current->nsproxy->ipc_ns;
|
2006-07-30 19:04:11 +09:00
|
|
|
|
2006-10-02 18:18:21 +09:00
|
|
|
if (msgsz > ns->msg_ctlmax || (long) msgsz < 0 || msqid < 0)
|
2005-04-17 07:20:36 +09:00
|
|
|
return -EINVAL;
|
|
|
|
|
if (mtype < 1)
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
2006-12-07 13:37:48 +09:00
|
|
|
msg = load_msg(mtext, msgsz);
|
2006-07-30 19:04:11 +09:00
|
|
|
if (IS_ERR(msg))
|
2005-04-17 07:20:36 +09:00
|
|
|
return PTR_ERR(msg);
|
|
|
|
|
|
|
|
|
|
msg->m_type = mtype;
|
|
|
|
|
msg->m_ts = msgsz;
|
|
|
|
|
|
2013-07-09 08:01:17 +09:00
|
|
|
rcu_read_lock();
|
|
|
|
|
msq = msq_obtain_object_check(ns, msqid);
|
2007-10-19 15:40:51 +09:00
|
|
|
if (IS_ERR(msq)) {
|
|
|
|
|
err = PTR_ERR(msq);
|
2013-07-09 08:01:17 +09:00
|
|
|
goto out_unlock1;
|
2007-10-19 15:40:51 +09:00
|
|
|
}
|
2005-04-17 07:20:36 +09:00
|
|
|
|
2013-09-03 23:00:08 +09:00
|
|
|
ipc_lock_object(&msq->q_perm);
|
|
|
|
|
|
2005-04-17 07:20:36 +09:00
|
|
|
for (;;) {
|
|
|
|
|
struct msg_sender s;
|
|
|
|
|
|
2006-07-30 19:04:11 +09:00
|
|
|
err = -EACCES;
|
2011-03-24 08:43:24 +09:00
|
|
|
if (ipcperms(ns, &msq->q_perm, S_IWUGO))
|
2013-09-03 23:00:08 +09:00
|
|
|
goto out_unlock0;
|
2005-04-17 07:20:36 +09:00
|
|
|
|
2013-10-01 05:45:26 +09:00
|
|
|
/* raced with RMID? */
|
2014-01-28 10:07:01 +09:00
|
|
|
if (!ipc_valid_object(&msq->q_perm)) {
|
2013-10-01 05:45:26 +09:00
|
|
|
err = -EIDRM;
|
|
|
|
|
goto out_unlock0;
|
|
|
|
|
}
|
|
|
|
|
|
2018-03-23 11:22:26 +09:00
|
|
|
err = security_msg_queue_msgsnd(&msq->q_perm, msg, msgflg);
|
2005-04-17 07:20:36 +09:00
|
|
|
if (err)
|
2013-09-03 23:00:08 +09:00
|
|
|
goto out_unlock0;
|
2005-04-17 07:20:36 +09:00
|
|
|
|
2016-10-12 05:55:02 +09:00
|
|
|
if (msg_fits_inqueue(msq, msgsz))
|
2005-04-17 07:20:36 +09:00
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
/* queue full, wait: */
|
2006-07-30 19:04:11 +09:00
|
|
|
if (msgflg & IPC_NOWAIT) {
|
|
|
|
|
err = -EAGAIN;
|
2013-09-03 23:00:08 +09:00
|
|
|
goto out_unlock0;
|
2005-04-17 07:20:36 +09:00
|
|
|
}
|
2013-07-09 08:01:17 +09:00
|
|
|
|
2014-01-28 10:07:10 +09:00
|
|
|
/* enqueue the sender and prepare to block */
|
2016-10-12 05:55:02 +09:00
|
|
|
ss_add(msq, &s, msgsz);
|
2013-05-01 11:15:44 +09:00
|
|
|
|
2017-07-13 06:34:41 +09:00
|
|
|
if (!ipc_rcu_getref(&msq->q_perm)) {
|
2013-05-01 11:15:44 +09:00
|
|
|
err = -EIDRM;
|
2013-07-09 08:01:17 +09:00
|
|
|
goto out_unlock0;
|
2013-05-01 11:15:44 +09:00
|
|
|
}
|
|
|
|
|
|
2013-07-09 08:01:17 +09:00
|
|
|
ipc_unlock_object(&msq->q_perm);
|
|
|
|
|
rcu_read_unlock();
|
2005-04-17 07:20:36 +09:00
|
|
|
schedule();
|
|
|
|
|
|
2013-07-09 08:01:17 +09:00
|
|
|
rcu_read_lock();
|
|
|
|
|
ipc_lock_object(&msq->q_perm);
|
|
|
|
|
|
2017-07-13 06:34:41 +09:00
|
|
|
ipc_rcu_putref(&msq->q_perm, msg_rcu_free);
|
2014-01-28 10:07:01 +09:00
|
|
|
/* raced with RMID? */
|
|
|
|
|
if (!ipc_valid_object(&msq->q_perm)) {
|
2005-04-17 07:20:36 +09:00
|
|
|
err = -EIDRM;
|
2013-07-09 08:01:17 +09:00
|
|
|
goto out_unlock0;
|
2005-04-17 07:20:36 +09:00
|
|
|
}
|
|
|
|
|
ss_del(&s);
|
2006-07-30 19:04:11 +09:00
|
|
|
|
2005-04-17 07:20:36 +09:00
|
|
|
if (signal_pending(current)) {
|
2006-07-30 19:04:11 +09:00
|
|
|
err = -ERESTARTNOHAND;
|
2013-07-09 08:01:17 +09:00
|
|
|
goto out_unlock0;
|
2005-04-17 07:20:36 +09:00
|
|
|
}
|
2013-07-09 08:01:17 +09:00
|
|
|
|
2005-04-17 07:20:36 +09:00
|
|
|
}
|
2016-10-12 05:55:02 +09:00
|
|
|
|
2018-03-23 14:42:21 +09:00
|
|
|
ipc_update_pid(&msq->q_lspid, task_tgid(current));
|
2018-04-12 22:19:44 +09:00
|
|
|
msq->q_stime = ktime_get_real_seconds();
|
2005-04-17 07:20:36 +09:00
|
|
|
|
ipc/msg: implement lockless pipelined wakeups
This patch moves the wakeup_process() invocation so it is not done under
the ipc global lock by making use of a lockless wake_q. With this change,
the waiter is woken up once the message has been assigned and it does not
need to loop on SMP if the message points to NULL. In the signal case we
still need to check the pointer under the lock to verify the state.
This change should also avoid the introduction of preempt_disable() in -RT
which avoids a busy-loop which pools for the NULL -> !NULL change if the
waiter has a higher priority compared to the waker.
By making use of wake_qs, the logic of sysv msg queues is greatly
simplified (and very well suited as we can batch lockless wakeups),
particularly around the lockless receive algorithm.
This has been tested with Manred's pmsg-shared tool on a "AMD A10-7800
Radeon R7, 12 Compute Cores 4C+8G":
test | before | after | diff
-----------------|------------|------------|----------
pmsg-shared 8 60 | 19,347,422 | 30,442,191 | + ~57.34 %
pmsg-shared 4 60 | 21,367,197 | 35,743,458 | + ~67.28 %
pmsg-shared 2 60 | 22,884,224 | 24,278,200 | + ~6.09 %
Link: http://lkml.kernel.org/r/1469748819-19484-2-git-send-email-dave@stgolabs.net
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-10-12 05:54:53 +09:00
|
|
|
if (!pipelined_send(msq, msg, &wake_q)) {
|
2011-03-31 10:57:33 +09:00
|
|
|
/* no one is waiting for this message, enqueue it */
|
2006-07-30 19:04:11 +09:00
|
|
|
list_add_tail(&msg->m_list, &msq->q_messages);
|
2005-04-17 07:20:36 +09:00
|
|
|
msq->q_cbytes += msgsz;
|
|
|
|
|
msq->q_qnum++;
|
2007-10-19 15:40:56 +09:00
|
|
|
atomic_add(msgsz, &ns->msg_bytes);
|
|
|
|
|
atomic_inc(&ns->msg_hdrs);
|
2005-04-17 07:20:36 +09:00
|
|
|
}
|
2006-07-30 19:04:11 +09:00
|
|
|
|
2005-04-17 07:20:36 +09:00
|
|
|
err = 0;
|
|
|
|
|
msg = NULL;
|
|
|
|
|
|
2013-07-09 08:01:17 +09:00
|
|
|
out_unlock0:
|
|
|
|
|
ipc_unlock_object(&msq->q_perm);
|
ipc/msg: implement lockless pipelined wakeups
This patch moves the wakeup_process() invocation so it is not done under
the ipc global lock by making use of a lockless wake_q. With this change,
the waiter is woken up once the message has been assigned and it does not
need to loop on SMP if the message points to NULL. In the signal case we
still need to check the pointer under the lock to verify the state.
This change should also avoid the introduction of preempt_disable() in -RT
which avoids a busy-loop which pools for the NULL -> !NULL change if the
waiter has a higher priority compared to the waker.
By making use of wake_qs, the logic of sysv msg queues is greatly
simplified (and very well suited as we can batch lockless wakeups),
particularly around the lockless receive algorithm.
This has been tested with Manred's pmsg-shared tool on a "AMD A10-7800
Radeon R7, 12 Compute Cores 4C+8G":
test | before | after | diff
-----------------|------------|------------|----------
pmsg-shared 8 60 | 19,347,422 | 30,442,191 | + ~57.34 %
pmsg-shared 4 60 | 21,367,197 | 35,743,458 | + ~67.28 %
pmsg-shared 2 60 | 22,884,224 | 24,278,200 | + ~6.09 %
Link: http://lkml.kernel.org/r/1469748819-19484-2-git-send-email-dave@stgolabs.net
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-10-12 05:54:53 +09:00
|
|
|
wake_up_q(&wake_q);
|
2013-07-09 08:01:17 +09:00
|
|
|
out_unlock1:
|
|
|
|
|
rcu_read_unlock();
|
2006-07-30 19:04:11 +09:00
|
|
|
if (msg != NULL)
|
2005-04-17 07:20:36 +09:00
|
|
|
free_msg(msg);
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
2018-03-21 05:29:00 +09:00
|
|
|
long ksys_msgsnd(int msqid, struct msgbuf __user *msgp, size_t msgsz,
|
|
|
|
|
int msgflg)
|
2006-12-07 13:37:48 +09:00
|
|
|
{
|
|
|
|
|
long mtype;
|
|
|
|
|
|
|
|
|
|
if (get_user(mtype, &msgp->mtype))
|
|
|
|
|
return -EFAULT;
|
|
|
|
|
return do_msgsnd(msqid, mtype, msgp->mtext, msgsz, msgflg);
|
|
|
|
|
}
|
|
|
|
|
|
2018-03-21 05:29:00 +09:00
|
|
|
SYSCALL_DEFINE4(msgsnd, int, msqid, struct msgbuf __user *, msgp, size_t, msgsz,
|
|
|
|
|
int, msgflg)
|
|
|
|
|
{
|
|
|
|
|
return ksys_msgsnd(msqid, msgp, msgsz, msgflg);
|
|
|
|
|
}
|
|
|
|
|
|
2017-07-09 23:34:35 +09:00
|
|
|
#ifdef CONFIG_COMPAT
|
|
|
|
|
|
|
|
|
|
struct compat_msgbuf {
|
|
|
|
|
compat_long_t mtype;
|
|
|
|
|
char mtext[1];
|
|
|
|
|
};
|
|
|
|
|
|
2018-03-21 05:29:00 +09:00
|
|
|
long compat_ksys_msgsnd(int msqid, compat_uptr_t msgp,
|
|
|
|
|
compat_ssize_t msgsz, int msgflg)
|
2017-07-09 23:34:35 +09:00
|
|
|
{
|
|
|
|
|
struct compat_msgbuf __user *up = compat_ptr(msgp);
|
|
|
|
|
compat_long_t mtype;
|
|
|
|
|
|
|
|
|
|
if (get_user(mtype, &up->mtype))
|
|
|
|
|
return -EFAULT;
|
|
|
|
|
return do_msgsnd(msqid, mtype, up->mtext, (ssize_t)msgsz, msgflg);
|
|
|
|
|
}
|
2018-03-21 05:29:00 +09:00
|
|
|
|
|
|
|
|
COMPAT_SYSCALL_DEFINE4(msgsnd, int, msqid, compat_uptr_t, msgp,
|
|
|
|
|
compat_ssize_t, msgsz, int, msgflg)
|
|
|
|
|
{
|
|
|
|
|
return compat_ksys_msgsnd(msqid, msgp, msgsz, msgflg);
|
|
|
|
|
}
|
2017-07-09 23:34:35 +09:00
|
|
|
#endif
|
|
|
|
|
|
2006-07-30 19:04:11 +09:00
|
|
|
static inline int convert_mode(long *msgtyp, int msgflg)
|
2005-04-17 07:20:36 +09:00
|
|
|
{
|
2013-05-01 11:14:54 +09:00
|
|
|
if (msgflg & MSG_COPY)
|
|
|
|
|
return SEARCH_NUMBER;
|
2006-07-30 19:04:11 +09:00
|
|
|
/*
|
2005-04-17 07:20:36 +09:00
|
|
|
* find message of correct type.
|
|
|
|
|
* msgtyp = 0 => get first.
|
|
|
|
|
* msgtyp > 0 => get first message of matching type.
|
2006-07-30 19:04:11 +09:00
|
|
|
* msgtyp < 0 => get message with least type must be < abs(msgtype).
|
2005-04-17 07:20:36 +09:00
|
|
|
*/
|
2006-07-30 19:04:11 +09:00
|
|
|
if (*msgtyp == 0)
|
2005-04-17 07:20:36 +09:00
|
|
|
return SEARCH_ANY;
|
2006-07-30 19:04:11 +09:00
|
|
|
if (*msgtyp < 0) {
|
ipc: msg, make msgrcv work with LONG_MIN
When LONG_MIN is passed to msgrcv, one would expect to recieve any
message. But convert_mode does *msgtyp = -*msgtyp and -LONG_MIN is
undefined. In particular, with my gcc -LONG_MIN produces -LONG_MIN
again.
So handle this case properly by assigning LONG_MAX to *msgtyp if
LONG_MIN was specified as msgtyp to msgrcv.
This code:
long msg[] = { 100, 200 };
int m = msgget(IPC_PRIVATE, IPC_CREAT | 0644);
msgsnd(m, &msg, sizeof(msg), 0);
msgrcv(m, &msg, sizeof(msg), LONG_MIN, 0);
produces currently nothing:
msgget(IPC_PRIVATE, IPC_CREAT|0644) = 65538
msgsnd(65538, {100, "\310\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"}, 16, 0) = 0
msgrcv(65538, ...
Except a UBSAN warning:
UBSAN: Undefined behaviour in ipc/msg.c:745:13
negation of -9223372036854775808 cannot be represented in type 'long int':
With the patch, I see what I expect:
msgget(IPC_PRIVATE, IPC_CREAT|0644) = 0
msgsnd(0, {100, "\310\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"}, 16, 0) = 0
msgrcv(0, {100, "\310\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"}, 16, -9223372036854775808, 0) = 16
Link: http://lkml.kernel.org/r/20161024082633.10148-1-jslaby@suse.cz
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-12-15 08:06:07 +09:00
|
|
|
if (*msgtyp == LONG_MIN) /* -LONG_MIN is undefined */
|
|
|
|
|
*msgtyp = LONG_MAX;
|
|
|
|
|
else
|
|
|
|
|
*msgtyp = -*msgtyp;
|
2005-04-17 07:20:36 +09:00
|
|
|
return SEARCH_LESSEQUAL;
|
|
|
|
|
}
|
2006-07-30 19:04:11 +09:00
|
|
|
if (msgflg & MSG_EXCEPT)
|
2005-04-17 07:20:36 +09:00
|
|
|
return SEARCH_NOTEQUAL;
|
|
|
|
|
return SEARCH_EQUAL;
|
|
|
|
|
}
|
|
|
|
|
|
2013-01-05 08:34:52 +09:00
|
|
|
static long do_msg_fill(void __user *dest, struct msg_msg *msg, size_t bufsz)
|
|
|
|
|
{
|
|
|
|
|
struct msgbuf __user *msgp = dest;
|
|
|
|
|
size_t msgsz;
|
|
|
|
|
|
|
|
|
|
if (put_user(msg->m_type, &msgp->mtype))
|
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
|
|
msgsz = (bufsz > msg->m_ts) ? msg->m_ts : bufsz;
|
|
|
|
|
if (store_msg(msgp->mtext, msg, msgsz))
|
|
|
|
|
return -EFAULT;
|
|
|
|
|
return msgsz;
|
|
|
|
|
}
|
|
|
|
|
|
2013-01-05 08:34:55 +09:00
|
|
|
#ifdef CONFIG_CHECKPOINT_RESTORE
|
2013-01-05 08:35:03 +09:00
|
|
|
/*
|
|
|
|
|
* This function creates new kernel message structure, large enough to store
|
|
|
|
|
* bufsz message bytes.
|
|
|
|
|
*/
|
2013-05-01 11:14:54 +09:00
|
|
|
static inline struct msg_msg *prepare_copy(void __user *buf, size_t bufsz)
|
2013-01-05 08:34:55 +09:00
|
|
|
{
|
|
|
|
|
struct msg_msg *copy;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Create dummy message to copy real message to.
|
|
|
|
|
*/
|
|
|
|
|
copy = load_msg(buf, bufsz);
|
|
|
|
|
if (!IS_ERR(copy))
|
|
|
|
|
copy->m_ts = bufsz;
|
|
|
|
|
return copy;
|
|
|
|
|
}
|
|
|
|
|
|
2013-01-05 08:34:58 +09:00
|
|
|
static inline void free_copy(struct msg_msg *copy)
|
2013-01-05 08:34:55 +09:00
|
|
|
{
|
2013-01-05 08:34:58 +09:00
|
|
|
if (copy)
|
2013-01-05 08:34:55 +09:00
|
|
|
free_msg(copy);
|
|
|
|
|
}
|
|
|
|
|
#else
|
2013-05-01 11:14:54 +09:00
|
|
|
static inline struct msg_msg *prepare_copy(void __user *buf, size_t bufsz)
|
2013-01-05 08:35:00 +09:00
|
|
|
{
|
|
|
|
|
return ERR_PTR(-ENOSYS);
|
|
|
|
|
}
|
|
|
|
|
|
2013-01-05 08:34:58 +09:00
|
|
|
static inline void free_copy(struct msg_msg *copy)
|
|
|
|
|
{
|
|
|
|
|
}
|
2013-01-05 08:34:55 +09:00
|
|
|
#endif
|
|
|
|
|
|
2013-05-01 11:15:04 +09:00
|
|
|
static struct msg_msg *find_msg(struct msg_queue *msq, long *msgtyp, int mode)
|
|
|
|
|
{
|
2013-08-29 08:35:17 +09:00
|
|
|
struct msg_msg *msg, *found = NULL;
|
2013-05-01 11:15:04 +09:00
|
|
|
long count = 0;
|
|
|
|
|
|
|
|
|
|
list_for_each_entry(msg, &msq->q_messages, m_list) {
|
|
|
|
|
if (testmsg(msg, *msgtyp, mode) &&
|
2018-03-23 11:22:26 +09:00
|
|
|
!security_msg_queue_msgrcv(&msq->q_perm, msg, current,
|
2013-05-01 11:15:04 +09:00
|
|
|
*msgtyp, mode)) {
|
|
|
|
|
if (mode == SEARCH_LESSEQUAL && msg->m_type != 1) {
|
|
|
|
|
*msgtyp = msg->m_type - 1;
|
2013-08-29 08:35:17 +09:00
|
|
|
found = msg;
|
2013-05-01 11:15:04 +09:00
|
|
|
} else if (mode == SEARCH_NUMBER) {
|
|
|
|
|
if (*msgtyp == count)
|
|
|
|
|
return msg;
|
|
|
|
|
} else
|
|
|
|
|
return msg;
|
|
|
|
|
count++;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2013-08-29 08:35:17 +09:00
|
|
|
return found ?: ERR_PTR(-EAGAIN);
|
2013-05-01 11:15:04 +09:00
|
|
|
}
|
|
|
|
|
|
2017-07-09 23:34:35 +09:00
|
|
|
static long do_msgrcv(int msqid, void __user *buf, size_t bufsz, long msgtyp, int msgflg,
|
2013-01-05 08:34:52 +09:00
|
|
|
long (*msg_handler)(void __user *, struct msg_msg *, size_t))
|
2005-04-17 07:20:36 +09:00
|
|
|
{
|
|
|
|
|
int mode;
|
2013-07-09 08:01:18 +09:00
|
|
|
struct msg_queue *msq;
|
2006-10-02 18:18:21 +09:00
|
|
|
struct ipc_namespace *ns;
|
2013-07-09 08:01:18 +09:00
|
|
|
struct msg_msg *msg, *copy = NULL;
|
2016-11-18 01:46:38 +09:00
|
|
|
DEFINE_WAKE_Q(wake_q);
|
2005-04-17 07:20:36 +09:00
|
|
|
|
2013-03-09 05:43:27 +09:00
|
|
|
ns = current->nsproxy->ipc_ns;
|
|
|
|
|
|
2013-01-05 08:34:52 +09:00
|
|
|
if (msqid < 0 || (long) bufsz < 0)
|
2005-04-17 07:20:36 +09:00
|
|
|
return -EINVAL;
|
2013-07-09 08:01:18 +09:00
|
|
|
|
2013-01-05 08:34:55 +09:00
|
|
|
if (msgflg & MSG_COPY) {
|
ipc: Fix 2 bugs in msgrcv() MSG_COPY implementation
While testing and documenting the msgrcv() MSG_COPY flag that Stanislav
Kinsbursky added in commit 4a674f34ba04 ("ipc: introduce message queue
copy feature" => kernel 3.8), I discovered a couple of bugs in the
implementation. The two bugs concern MSG_COPY interactions with other
msgrcv() flags, namely:
(A) MSG_COPY + MSG_EXCEPT
(B) MSG_COPY + !IPC_NOWAIT
The bugs are distinct (and the fix for the first one is obvious),
however my fix for both is a single-line patch, which is why I'm
combining them in a single mail, rather than writing two mails+patches.
===== (A) MSG_COPY + MSG_EXCEPT =====
With the addition of the MSG_COPY flag, there are now two msgrcv()
flags--MSG_COPY and MSG_EXCEPT--that modify the meaning of the 'msgtyp'
argument in unrelated ways. Specifying both in the same call is a
logical error that is currently permitted, with the effect that MSG_COPY
has priority and MSG_EXCEPT is ignored. The call should give an error
if both flags are specified. The patch below implements that behavior.
===== (B) (B) MSG_COPY + !IPC_NOWAIT =====
The test code that was submitted in commit 3a665531a3b7 ("selftests: IPC
message queue copy feature test") shows MSG_COPY being used in
conjunction with IPC_NOWAIT. In other words, if there is no message at
the position 'msgtyp'. return immediately with the error in ENOMSG.
What was not (fully) tested is the behavior if MSG_COPY is specified
*without* IPC_NOWAIT, and there is an odd behavior. If the queue
contains less than 'msgtyp' messages, then the call blocks until the
next message is written to the queue. At that point, the msgrcv() call
returns a copy of the newly added message, regardless of whether that
message is at the ordinal position 'msgtyp'. This is clearly bogus, and
problematic for applications that might want to make use of the MSG_COPY
flag.
I considered the following possible solutions to this problem:
(1) Force the call to block until a message *does* appear at the
position 'msgtyp'.
(2) If the MSG_COPY flag is specified, the kernel should implicitly add
IPC_NOWAIT, so that the call fails with ENOMSG for this case.
(3) If the MSG_COPY flag is specified, but IPC_NOWAIT is not, generate
an error (probably, EINVAL is the right one).
I do not know if any application would really want to have the
functionality of solution (1), especially since an application can
determine in advance the number of messages in the queue using msgctl()
IPC_STAT. Obviously, this solution would be the most work to implement.
Solution (2) would have the effect of silently fixing any applications
that tried to employ broken behavior. However, it would mean that if we
later decided to implement solution (1), then user-space could not
easily detect what the kernel supports (but, since I'm somewhat doubtful
that solution (1) is needed, I'm not sure that this is much of a
problem).
Solution (3) would have the effect of informing broken applications that
they are doing something broken. The downside is that this would cause
a ABI breakage for any applications that are currently employing the
broken behavior. However:
a) Those applications are almost certainly not getting the results they
expect.
b) Possibly, those applications don't even exist, because MSG_COPY is
currently hidden behind CONFIG_CHECKPOINT_RESTORE.
The upside of solution (3) is that if we later decided to implement
solution (1), user-space could determine what the kernel supports, via
the error return.
In my view, solution (3) is mildly preferable to solution (2), and
solution (1) could still be done later if anyone really cares. The
patch below implements solution (3).
PS. For anyone out there still listening, it's the usual story:
documenting an API (and the thinking about, and the testing of the API,
that documentation entails) is the one of the single best ways of
finding bugs in the API, as I've learned from a lot of experience. Best
to do that documentation before releasing the API.
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Acked-by: Stanislav Kinsbursky <skinsbursky@parallels.com>
Cc: Stanislav Kinsbursky <skinsbursky@parallels.com>
Cc: stable@vger.kernel.org
Cc: Serge Hallyn <serge.hallyn@canonical.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Pavel Emelyanov <xemul@parallels.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-03-10 22:46:07 +09:00
|
|
|
if ((msgflg & MSG_EXCEPT) || !(msgflg & IPC_NOWAIT))
|
|
|
|
|
return -EINVAL;
|
2013-05-01 11:14:54 +09:00
|
|
|
copy = prepare_copy(buf, min_t(size_t, bufsz, ns->msg_ctlmax));
|
2013-01-05 08:34:55 +09:00
|
|
|
if (IS_ERR(copy))
|
|
|
|
|
return PTR_ERR(copy);
|
|
|
|
|
}
|
2006-07-30 19:04:11 +09:00
|
|
|
mode = convert_mode(&msgtyp, msgflg);
|
2005-04-17 07:20:36 +09:00
|
|
|
|
2013-07-09 08:01:18 +09:00
|
|
|
rcu_read_lock();
|
|
|
|
|
msq = msq_obtain_object_check(ns, msqid);
|
2013-01-05 08:34:55 +09:00
|
|
|
if (IS_ERR(msq)) {
|
2013-07-09 08:01:18 +09:00
|
|
|
rcu_read_unlock();
|
2013-01-05 08:34:58 +09:00
|
|
|
free_copy(copy);
|
2007-10-19 15:40:51 +09:00
|
|
|
return PTR_ERR(msq);
|
2013-01-05 08:34:55 +09:00
|
|
|
}
|
2005-04-17 07:20:36 +09:00
|
|
|
|
|
|
|
|
for (;;) {
|
|
|
|
|
struct msg_receiver msr_d;
|
|
|
|
|
|
|
|
|
|
msg = ERR_PTR(-EACCES);
|
2011-03-24 08:43:24 +09:00
|
|
|
if (ipcperms(ns, &msq->q_perm, S_IRUGO))
|
2013-07-09 08:01:18 +09:00
|
|
|
goto out_unlock1;
|
2005-04-17 07:20:36 +09:00
|
|
|
|
2013-07-09 08:01:18 +09:00
|
|
|
ipc_lock_object(&msq->q_perm);
|
2013-10-01 05:45:26 +09:00
|
|
|
|
|
|
|
|
/* raced with RMID? */
|
2014-01-28 10:07:01 +09:00
|
|
|
if (!ipc_valid_object(&msq->q_perm)) {
|
2013-10-01 05:45:26 +09:00
|
|
|
msg = ERR_PTR(-EIDRM);
|
|
|
|
|
goto out_unlock0;
|
|
|
|
|
}
|
|
|
|
|
|
2013-05-01 11:15:04 +09:00
|
|
|
msg = find_msg(msq, &msgtyp, mode);
|
2006-07-30 19:04:11 +09:00
|
|
|
if (!IS_ERR(msg)) {
|
|
|
|
|
/*
|
|
|
|
|
* Found a suitable message.
|
|
|
|
|
* Unlink it from the queue.
|
|
|
|
|
*/
|
2013-01-05 08:34:52 +09:00
|
|
|
if ((bufsz < msg->m_ts) && !(msgflg & MSG_NOERROR)) {
|
2005-04-17 07:20:36 +09:00
|
|
|
msg = ERR_PTR(-E2BIG);
|
2013-07-09 08:01:18 +09:00
|
|
|
goto out_unlock0;
|
2005-04-17 07:20:36 +09:00
|
|
|
}
|
2013-01-05 08:35:03 +09:00
|
|
|
/*
|
|
|
|
|
* If we are copying, then do not unlink message and do
|
|
|
|
|
* not update queue parameters.
|
|
|
|
|
*/
|
2013-05-01 11:14:48 +09:00
|
|
|
if (msgflg & MSG_COPY) {
|
|
|
|
|
msg = copy_msg(msg, copy);
|
2013-07-09 08:01:18 +09:00
|
|
|
goto out_unlock0;
|
2013-05-01 11:14:48 +09:00
|
|
|
}
|
2013-07-09 08:01:18 +09:00
|
|
|
|
2005-04-17 07:20:36 +09:00
|
|
|
list_del(&msg->m_list);
|
|
|
|
|
msq->q_qnum--;
|
2018-04-12 22:19:44 +09:00
|
|
|
msq->q_rtime = ktime_get_real_seconds();
|
2018-03-23 14:42:21 +09:00
|
|
|
ipc_update_pid(&msq->q_lrpid, task_tgid(current));
|
2005-04-17 07:20:36 +09:00
|
|
|
msq->q_cbytes -= msg->m_ts;
|
2007-10-19 15:40:56 +09:00
|
|
|
atomic_sub(msg->m_ts, &ns->msg_bytes);
|
|
|
|
|
atomic_dec(&ns->msg_hdrs);
|
2016-10-12 05:55:02 +09:00
|
|
|
ss_wakeup(msq, &wake_q, false);
|
2013-07-09 08:01:18 +09:00
|
|
|
|
|
|
|
|
goto out_unlock0;
|
2005-04-17 07:20:36 +09:00
|
|
|
}
|
2013-07-09 08:01:18 +09:00
|
|
|
|
2005-04-17 07:20:36 +09:00
|
|
|
/* No message waiting. Wait for a message */
|
|
|
|
|
if (msgflg & IPC_NOWAIT) {
|
|
|
|
|
msg = ERR_PTR(-ENOMSG);
|
2013-07-09 08:01:18 +09:00
|
|
|
goto out_unlock0;
|
2005-04-17 07:20:36 +09:00
|
|
|
}
|
2013-07-09 08:01:18 +09:00
|
|
|
|
2006-07-30 19:04:11 +09:00
|
|
|
list_add_tail(&msr_d.r_list, &msq->q_receivers);
|
2005-04-17 07:20:36 +09:00
|
|
|
msr_d.r_tsk = current;
|
|
|
|
|
msr_d.r_msgtype = msgtyp;
|
|
|
|
|
msr_d.r_mode = mode;
|
2006-07-30 19:04:11 +09:00
|
|
|
if (msgflg & MSG_NOERROR)
|
2005-04-17 07:20:36 +09:00
|
|
|
msr_d.r_maxsize = INT_MAX;
|
2006-07-30 19:04:11 +09:00
|
|
|
else
|
2013-01-05 08:34:52 +09:00
|
|
|
msr_d.r_maxsize = bufsz;
|
2005-04-17 07:20:36 +09:00
|
|
|
msr_d.r_msg = ERR_PTR(-EAGAIN);
|
2014-06-07 06:37:44 +09:00
|
|
|
__set_current_state(TASK_INTERRUPTIBLE);
|
2005-04-17 07:20:36 +09:00
|
|
|
|
2013-07-09 08:01:18 +09:00
|
|
|
ipc_unlock_object(&msq->q_perm);
|
|
|
|
|
rcu_read_unlock();
|
2005-04-17 07:20:36 +09:00
|
|
|
schedule();
|
|
|
|
|
|
ipc/msg: implement lockless pipelined wakeups
This patch moves the wakeup_process() invocation so it is not done under
the ipc global lock by making use of a lockless wake_q. With this change,
the waiter is woken up once the message has been assigned and it does not
need to loop on SMP if the message points to NULL. In the signal case we
still need to check the pointer under the lock to verify the state.
This change should also avoid the introduction of preempt_disable() in -RT
which avoids a busy-loop which pools for the NULL -> !NULL change if the
waiter has a higher priority compared to the waker.
By making use of wake_qs, the logic of sysv msg queues is greatly
simplified (and very well suited as we can batch lockless wakeups),
particularly around the lockless receive algorithm.
This has been tested with Manred's pmsg-shared tool on a "AMD A10-7800
Radeon R7, 12 Compute Cores 4C+8G":
test | before | after | diff
-----------------|------------|------------|----------
pmsg-shared 8 60 | 19,347,422 | 30,442,191 | + ~57.34 %
pmsg-shared 4 60 | 21,367,197 | 35,743,458 | + ~67.28 %
pmsg-shared 2 60 | 22,884,224 | 24,278,200 | + ~6.09 %
Link: http://lkml.kernel.org/r/1469748819-19484-2-git-send-email-dave@stgolabs.net
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-10-12 05:54:53 +09:00
|
|
|
/*
|
|
|
|
|
* Lockless receive, part 1:
|
|
|
|
|
* We don't hold a reference to the queue and getting a
|
|
|
|
|
* reference would defeat the idea of a lockless operation,
|
|
|
|
|
* thus the code relies on rcu to guarantee the existence of
|
|
|
|
|
* msq:
|
2005-04-17 07:20:36 +09:00
|
|
|
* Prior to destruction, expunge_all(-EIRDM) changes r_msg.
|
|
|
|
|
* Thus if r_msg is -EAGAIN, then the queue not yet destroyed.
|
|
|
|
|
*/
|
|
|
|
|
rcu_read_lock();
|
|
|
|
|
|
ipc/msg: implement lockless pipelined wakeups
This patch moves the wakeup_process() invocation so it is not done under
the ipc global lock by making use of a lockless wake_q. With this change,
the waiter is woken up once the message has been assigned and it does not
need to loop on SMP if the message points to NULL. In the signal case we
still need to check the pointer under the lock to verify the state.
This change should also avoid the introduction of preempt_disable() in -RT
which avoids a busy-loop which pools for the NULL -> !NULL change if the
waiter has a higher priority compared to the waker.
By making use of wake_qs, the logic of sysv msg queues is greatly
simplified (and very well suited as we can batch lockless wakeups),
particularly around the lockless receive algorithm.
This has been tested with Manred's pmsg-shared tool on a "AMD A10-7800
Radeon R7, 12 Compute Cores 4C+8G":
test | before | after | diff
-----------------|------------|------------|----------
pmsg-shared 8 60 | 19,347,422 | 30,442,191 | + ~57.34 %
pmsg-shared 4 60 | 21,367,197 | 35,743,458 | + ~67.28 %
pmsg-shared 2 60 | 22,884,224 | 24,278,200 | + ~6.09 %
Link: http://lkml.kernel.org/r/1469748819-19484-2-git-send-email-dave@stgolabs.net
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-10-12 05:54:53 +09:00
|
|
|
/*
|
|
|
|
|
* Lockless receive, part 2:
|
|
|
|
|
* The work in pipelined_send() and expunge_all():
|
|
|
|
|
* - Set pointer to message
|
|
|
|
|
* - Queue the receiver task for later wakeup
|
|
|
|
|
* - Wake up the process after the lock is dropped.
|
2015-07-01 06:58:39 +09:00
|
|
|
*
|
ipc/msg: implement lockless pipelined wakeups
This patch moves the wakeup_process() invocation so it is not done under
the ipc global lock by making use of a lockless wake_q. With this change,
the waiter is woken up once the message has been assigned and it does not
need to loop on SMP if the message points to NULL. In the signal case we
still need to check the pointer under the lock to verify the state.
This change should also avoid the introduction of preempt_disable() in -RT
which avoids a busy-loop which pools for the NULL -> !NULL change if the
waiter has a higher priority compared to the waker.
By making use of wake_qs, the logic of sysv msg queues is greatly
simplified (and very well suited as we can batch lockless wakeups),
particularly around the lockless receive algorithm.
This has been tested with Manred's pmsg-shared tool on a "AMD A10-7800
Radeon R7, 12 Compute Cores 4C+8G":
test | before | after | diff
-----------------|------------|------------|----------
pmsg-shared 8 60 | 19,347,422 | 30,442,191 | + ~57.34 %
pmsg-shared 4 60 | 21,367,197 | 35,743,458 | + ~67.28 %
pmsg-shared 2 60 | 22,884,224 | 24,278,200 | + ~6.09 %
Link: http://lkml.kernel.org/r/1469748819-19484-2-git-send-email-dave@stgolabs.net
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-10-12 05:54:53 +09:00
|
|
|
* Should the process wake up before this wakeup (due to a
|
|
|
|
|
* signal) it will either see the message and continue ...
|
2005-04-17 07:20:36 +09:00
|
|
|
*/
|
ipc/msg: implement lockless pipelined wakeups
This patch moves the wakeup_process() invocation so it is not done under
the ipc global lock by making use of a lockless wake_q. With this change,
the waiter is woken up once the message has been assigned and it does not
need to loop on SMP if the message points to NULL. In the signal case we
still need to check the pointer under the lock to verify the state.
This change should also avoid the introduction of preempt_disable() in -RT
which avoids a busy-loop which pools for the NULL -> !NULL change if the
waiter has a higher priority compared to the waker.
By making use of wake_qs, the logic of sysv msg queues is greatly
simplified (and very well suited as we can batch lockless wakeups),
particularly around the lockless receive algorithm.
This has been tested with Manred's pmsg-shared tool on a "AMD A10-7800
Radeon R7, 12 Compute Cores 4C+8G":
test | before | after | diff
-----------------|------------|------------|----------
pmsg-shared 8 60 | 19,347,422 | 30,442,191 | + ~57.34 %
pmsg-shared 4 60 | 21,367,197 | 35,743,458 | + ~67.28 %
pmsg-shared 2 60 | 22,884,224 | 24,278,200 | + ~6.09 %
Link: http://lkml.kernel.org/r/1469748819-19484-2-git-send-email-dave@stgolabs.net
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-10-12 05:54:53 +09:00
|
|
|
msg = READ_ONCE(msr_d.r_msg);
|
2013-07-09 08:01:18 +09:00
|
|
|
if (msg != ERR_PTR(-EAGAIN))
|
|
|
|
|
goto out_unlock1;
|
2005-04-17 07:20:36 +09:00
|
|
|
|
ipc/msg: implement lockless pipelined wakeups
This patch moves the wakeup_process() invocation so it is not done under
the ipc global lock by making use of a lockless wake_q. With this change,
the waiter is woken up once the message has been assigned and it does not
need to loop on SMP if the message points to NULL. In the signal case we
still need to check the pointer under the lock to verify the state.
This change should also avoid the introduction of preempt_disable() in -RT
which avoids a busy-loop which pools for the NULL -> !NULL change if the
waiter has a higher priority compared to the waker.
By making use of wake_qs, the logic of sysv msg queues is greatly
simplified (and very well suited as we can batch lockless wakeups),
particularly around the lockless receive algorithm.
This has been tested with Manred's pmsg-shared tool on a "AMD A10-7800
Radeon R7, 12 Compute Cores 4C+8G":
test | before | after | diff
-----------------|------------|------------|----------
pmsg-shared 8 60 | 19,347,422 | 30,442,191 | + ~57.34 %
pmsg-shared 4 60 | 21,367,197 | 35,743,458 | + ~67.28 %
pmsg-shared 2 60 | 22,884,224 | 24,278,200 | + ~6.09 %
Link: http://lkml.kernel.org/r/1469748819-19484-2-git-send-email-dave@stgolabs.net
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-10-12 05:54:53 +09:00
|
|
|
/*
|
|
|
|
|
* ... or see -EAGAIN, acquire the lock to check the message
|
|
|
|
|
* again.
|
|
|
|
|
*/
|
2013-07-09 08:01:18 +09:00
|
|
|
ipc_lock_object(&msq->q_perm);
|
2005-04-17 07:20:36 +09:00
|
|
|
|
ipc/msg: implement lockless pipelined wakeups
This patch moves the wakeup_process() invocation so it is not done under
the ipc global lock by making use of a lockless wake_q. With this change,
the waiter is woken up once the message has been assigned and it does not
need to loop on SMP if the message points to NULL. In the signal case we
still need to check the pointer under the lock to verify the state.
This change should also avoid the introduction of preempt_disable() in -RT
which avoids a busy-loop which pools for the NULL -> !NULL change if the
waiter has a higher priority compared to the waker.
By making use of wake_qs, the logic of sysv msg queues is greatly
simplified (and very well suited as we can batch lockless wakeups),
particularly around the lockless receive algorithm.
This has been tested with Manred's pmsg-shared tool on a "AMD A10-7800
Radeon R7, 12 Compute Cores 4C+8G":
test | before | after | diff
-----------------|------------|------------|----------
pmsg-shared 8 60 | 19,347,422 | 30,442,191 | + ~57.34 %
pmsg-shared 4 60 | 21,367,197 | 35,743,458 | + ~67.28 %
pmsg-shared 2 60 | 22,884,224 | 24,278,200 | + ~6.09 %
Link: http://lkml.kernel.org/r/1469748819-19484-2-git-send-email-dave@stgolabs.net
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-10-12 05:54:53 +09:00
|
|
|
msg = msr_d.r_msg;
|
2006-07-30 19:04:11 +09:00
|
|
|
if (msg != ERR_PTR(-EAGAIN))
|
2013-07-09 08:01:18 +09:00
|
|
|
goto out_unlock0;
|
2005-04-17 07:20:36 +09:00
|
|
|
|
|
|
|
|
list_del(&msr_d.r_list);
|
|
|
|
|
if (signal_pending(current)) {
|
|
|
|
|
msg = ERR_PTR(-ERESTARTNOHAND);
|
2013-07-09 08:01:18 +09:00
|
|
|
goto out_unlock0;
|
2005-04-17 07:20:36 +09:00
|
|
|
}
|
2013-07-09 08:01:18 +09:00
|
|
|
|
|
|
|
|
ipc_unlock_object(&msq->q_perm);
|
2005-04-17 07:20:36 +09:00
|
|
|
}
|
2013-07-09 08:01:18 +09:00
|
|
|
|
|
|
|
|
out_unlock0:
|
|
|
|
|
ipc_unlock_object(&msq->q_perm);
|
2016-10-12 05:54:56 +09:00
|
|
|
wake_up_q(&wake_q);
|
2013-07-09 08:01:18 +09:00
|
|
|
out_unlock1:
|
|
|
|
|
rcu_read_unlock();
|
2013-01-05 08:34:55 +09:00
|
|
|
if (IS_ERR(msg)) {
|
2013-01-05 08:34:58 +09:00
|
|
|
free_copy(copy);
|
2006-07-30 19:04:11 +09:00
|
|
|
return PTR_ERR(msg);
|
2013-01-05 08:34:55 +09:00
|
|
|
}
|
2005-04-17 07:20:36 +09:00
|
|
|
|
2013-01-05 08:34:52 +09:00
|
|
|
bufsz = msg_handler(buf, msg, bufsz);
|
2005-04-17 07:20:36 +09:00
|
|
|
free_msg(msg);
|
2006-07-30 19:04:11 +09:00
|
|
|
|
2013-01-05 08:34:52 +09:00
|
|
|
return bufsz;
|
2005-04-17 07:20:36 +09:00
|
|
|
}
|
|
|
|
|
|
2018-03-21 05:25:57 +09:00
|
|
|
long ksys_msgrcv(int msqid, struct msgbuf __user *msgp, size_t msgsz,
|
|
|
|
|
long msgtyp, int msgflg)
|
|
|
|
|
{
|
|
|
|
|
return do_msgrcv(msqid, msgp, msgsz, msgtyp, msgflg, do_msg_fill);
|
|
|
|
|
}
|
|
|
|
|
|
2009-01-14 22:14:26 +09:00
|
|
|
SYSCALL_DEFINE5(msgrcv, int, msqid, struct msgbuf __user *, msgp, size_t, msgsz,
|
|
|
|
|
long, msgtyp, int, msgflg)
|
2006-12-07 13:37:48 +09:00
|
|
|
{
|
2018-03-21 05:25:57 +09:00
|
|
|
return ksys_msgrcv(msqid, msgp, msgsz, msgtyp, msgflg);
|
2006-12-07 13:37:48 +09:00
|
|
|
}
|
|
|
|
|
|
2017-07-09 23:34:35 +09:00
|
|
|
#ifdef CONFIG_COMPAT
|
|
|
|
|
static long compat_do_msg_fill(void __user *dest, struct msg_msg *msg, size_t bufsz)
|
|
|
|
|
{
|
|
|
|
|
struct compat_msgbuf __user *msgp = dest;
|
|
|
|
|
size_t msgsz;
|
|
|
|
|
|
|
|
|
|
if (put_user(msg->m_type, &msgp->mtype))
|
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
|
|
msgsz = (bufsz > msg->m_ts) ? msg->m_ts : bufsz;
|
|
|
|
|
if (store_msg(msgp->mtext, msg, msgsz))
|
|
|
|
|
return -EFAULT;
|
|
|
|
|
return msgsz;
|
|
|
|
|
}
|
|
|
|
|
|
2018-03-21 05:25:57 +09:00
|
|
|
long compat_ksys_msgrcv(int msqid, compat_uptr_t msgp, compat_ssize_t msgsz,
|
|
|
|
|
compat_long_t msgtyp, int msgflg)
|
2017-07-09 23:34:35 +09:00
|
|
|
{
|
|
|
|
|
return do_msgrcv(msqid, compat_ptr(msgp), (ssize_t)msgsz, (long)msgtyp,
|
|
|
|
|
msgflg, compat_do_msg_fill);
|
|
|
|
|
}
|
2018-03-21 05:25:57 +09:00
|
|
|
|
|
|
|
|
COMPAT_SYSCALL_DEFINE5(msgrcv, int, msqid, compat_uptr_t, msgp,
|
|
|
|
|
compat_ssize_t, msgsz, compat_long_t, msgtyp,
|
|
|
|
|
int, msgflg)
|
|
|
|
|
{
|
|
|
|
|
return compat_ksys_msgrcv(msqid, msgp, msgsz, msgtyp, msgflg);
|
|
|
|
|
}
|
2017-07-09 23:34:35 +09:00
|
|
|
#endif
|
2014-06-07 06:37:45 +09:00
|
|
|
|
2018-08-22 14:01:56 +09:00
|
|
|
void msg_init_ns(struct ipc_namespace *ns)
|
2014-06-07 06:37:45 +09:00
|
|
|
{
|
|
|
|
|
ns->msg_ctlmax = MSGMAX;
|
|
|
|
|
ns->msg_ctlmnb = MSGMNB;
|
2014-12-13 09:58:17 +09:00
|
|
|
ns->msg_ctlmni = MSGMNI;
|
2014-06-07 06:37:45 +09:00
|
|
|
|
|
|
|
|
atomic_set(&ns->msg_bytes, 0);
|
|
|
|
|
atomic_set(&ns->msg_hdrs, 0);
|
2018-08-22 14:01:56 +09:00
|
|
|
ipc_init_ids(&ns->ids[IPC_MSG_IDS]);
|
2014-06-07 06:37:45 +09:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#ifdef CONFIG_IPC_NS
|
|
|
|
|
void msg_exit_ns(struct ipc_namespace *ns)
|
|
|
|
|
{
|
|
|
|
|
free_ipcs(ns, &msg_ids(ns), freeque);
|
|
|
|
|
idr_destroy(&ns->ids[IPC_MSG_IDS].ipcs_idr);
|
ipc: optimize semget/shmget/msgget for lots of keys
ipc_findkey() used to scan all objects to look for the wanted key. This
is slow when using a high number of keys. This change adds an rhashtable
of kern_ipc_perm objects in ipc_ids, so that one lookup cease to be O(n).
This change gives a 865% improvement of benchmark reaim.jobs_per_min on a
56 threads Intel(R) Xeon(R) CPU E5-2695 v3 @ 2.30GHz with 256G memory [1]
Other (more micro) benchmark results, by the author: On an i5 laptop, the
following loop executed right after a reboot took, without and with this
change:
for (int i = 0, k=0x424242; i < KEYS; ++i)
semget(k++, 1, IPC_CREAT | 0600);
total total max single max single
KEYS without with call without call with
1 3.5 4.9 µs 3.5 4.9
10 7.6 8.6 µs 3.7 4.7
32 16.2 15.9 µs 4.3 5.3
100 72.9 41.8 µs 3.7 4.7
1000 5,630.0 502.0 µs * *
10000 1,340,000.0 7,240.0 µs * *
31900 17,600,000.0 22,200.0 µs * *
*: unreliable measure: high variance
The duration for a lookup-only usage was obtained by the same loop once
the keys are present:
total total max single max single
KEYS without with call without call with
1 2.1 2.5 µs 2.1 2.5
10 4.5 4.8 µs 2.2 2.3
32 13.0 10.8 µs 2.3 2.8
100 82.9 25.1 µs * 2.3
1000 5,780.0 217.0 µs * *
10000 1,470,000.0 2,520.0 µs * *
31900 17,400,000.0 7,810.0 µs * *
Finally, executing each semget() in a new process gave, when still
summing only the durations of these syscalls:
creation:
total total
KEYS without with
1 3.7 5.0 µs
10 32.9 36.7 µs
32 125.0 109.0 µs
100 523.0 353.0 µs
1000 20,300.0 3,280.0 µs
10000 2,470,000.0 46,700.0 µs
31900 27,800,000.0 219,000.0 µs
lookup-only:
total total
KEYS without with
1 2.5 2.7 µs
10 25.4 24.4 µs
32 106.0 72.6 µs
100 591.0 352.0 µs
1000 22,400.0 2,250.0 µs
10000 2,510,000.0 25,700.0 µs
31900 28,200,000.0 115,000.0 µs
[1] http://lkml.kernel.org/r/20170814060507.GE23258@yexl-desktop
Link: http://lkml.kernel.org/r/20170815194954.ck32ta2z35yuzpwp@debix
Signed-off-by: Guillaume Knispel <guillaume.knispel@supersonicimagine.com>
Reviewed-by: Marc Pardo <marc.pardo@supersonicimagine.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Kees Cook <keescook@chromium.org>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: "Peter Zijlstra (Intel)" <peterz@infradead.org>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc: Serge Hallyn <serge@hallyn.com>
Cc: Andrey Vagin <avagin@openvz.org>
Cc: Guillaume Knispel <guillaume.knispel@supersonicimagine.com>
Cc: Marc Pardo <marc.pardo@supersonicimagine.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-09-09 08:17:55 +09:00
|
|
|
rhashtable_destroy(&ns->ids[IPC_MSG_IDS].key_ht);
|
2014-06-07 06:37:45 +09:00
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
2005-04-17 07:20:36 +09:00
|
|
|
#ifdef CONFIG_PROC_FS
|
2005-09-07 07:17:10 +09:00
|
|
|
static int sysvipc_msg_proc_show(struct seq_file *s, void *it)
|
2005-04-17 07:20:36 +09:00
|
|
|
{
|
2018-03-23 14:42:21 +09:00
|
|
|
struct pid_namespace *pid_ns = ipc_seq_pid_ns(s);
|
2012-02-08 09:54:11 +09:00
|
|
|
struct user_namespace *user_ns = seq_user_ns(s);
|
2017-08-03 05:32:21 +09:00
|
|
|
struct kern_ipc_perm *ipcp = it;
|
|
|
|
|
struct msg_queue *msq = container_of(ipcp, struct msg_queue, q_perm);
|
2005-09-07 07:17:10 +09:00
|
|
|
|
2015-04-16 08:17:54 +09:00
|
|
|
seq_printf(s,
|
2017-08-03 11:51:12 +09:00
|
|
|
"%10d %10d %4o %10lu %10lu %5u %5u %5u %5u %5u %5u %10llu %10llu %10llu\n",
|
2015-04-16 08:17:54 +09:00
|
|
|
msq->q_perm.key,
|
|
|
|
|
msq->q_perm.id,
|
|
|
|
|
msq->q_perm.mode,
|
|
|
|
|
msq->q_cbytes,
|
|
|
|
|
msq->q_qnum,
|
2018-03-23 14:42:21 +09:00
|
|
|
pid_nr_ns(msq->q_lspid, pid_ns),
|
|
|
|
|
pid_nr_ns(msq->q_lrpid, pid_ns),
|
2015-04-16 08:17:54 +09:00
|
|
|
from_kuid_munged(user_ns, msq->q_perm.uid),
|
|
|
|
|
from_kgid_munged(user_ns, msq->q_perm.gid),
|
|
|
|
|
from_kuid_munged(user_ns, msq->q_perm.cuid),
|
|
|
|
|
from_kgid_munged(user_ns, msq->q_perm.cgid),
|
|
|
|
|
msq->q_stime,
|
|
|
|
|
msq->q_rtime,
|
|
|
|
|
msq->q_ctime);
|
|
|
|
|
|
|
|
|
|
return 0;
|
2005-04-17 07:20:36 +09:00
|
|
|
}
|
|
|
|
|
#endif
|
2014-06-07 06:37:45 +09:00
|
|
|
|
2018-08-22 14:01:56 +09:00
|
|
|
void __init msg_init(void)
|
2014-06-07 06:37:45 +09:00
|
|
|
{
|
2018-08-22 14:01:56 +09:00
|
|
|
msg_init_ns(&init_ipc_ns);
|
2014-06-07 06:37:45 +09:00
|
|
|
|
|
|
|
|
ipc_init_proc_interface("sysvipc/msg",
|
|
|
|
|
" key msqid perms cbytes qnum lspid lrpid uid gid cuid cgid stime rtime ctime\n",
|
|
|
|
|
IPC_MSG_IDS, sysvipc_msg_proc_show);
|
|
|
|
|
}
|