1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * linux/ipc/msg.c 4 * Copyright (C) 1992 Krishna Balasubramanian 5 * 6 * Removed all the remaining kerneld mess 7 * Catch the -EFAULT stuff properly 8 * Use GFP_KERNEL for messages as in 1.2 9 * Fixed up the unchecked user space derefs 10 * Copyright (C) 1998 Alan Cox & Andi Kleen 11 * 12 * /proc/sysvipc/msg support (c) 1999 Dragos Acostachioaie <dragos@iname.com> 13 * 14 * mostly rewritten, threaded and wake-one semantics added 15 * MSGMAX limit removed, sysctl's added 16 * (c) 1999 Manfred Spraul <manfred@colorfullife.com> 17 * 18 * support for audit of ipc object properties and permission changes 19 * Dustin Kirkland <dustin.kirkland@us.ibm.com> 20 * 21 * namespaces support 22 * OpenVZ, SWsoft Inc. 23 * Pavel Emelianov <xemul@openvz.org> 24 */ 25 26 #include <linux/capability.h> 27 #include <linux/msg.h> 28 #include <linux/spinlock.h> 29 #include <linux/init.h> 30 #include <linux/mm.h> 31 #include <linux/proc_fs.h> 32 #include <linux/list.h> 33 #include <linux/security.h> 34 #include <linux/sched/wake_q.h> 35 #include <linux/syscalls.h> 36 #include <linux/audit.h> 37 #include <linux/seq_file.h> 38 #include <linux/rwsem.h> 39 #include <linux/nsproxy.h> 40 #include <linux/ipc_namespace.h> 41 42 #include <asm/current.h> 43 #include <linux/uaccess.h> 44 #include "util.h" 45 46 /* one msq_queue structure for each present queue on the system */ 47 struct msg_queue { 48 struct kern_ipc_perm q_perm; 49 time64_t q_stime; /* last msgsnd time */ 50 time64_t q_rtime; /* last msgrcv time */ 51 time64_t q_ctime; /* last change time */ 52 unsigned long q_cbytes; /* current number of bytes on queue */ 53 unsigned long q_qnum; /* number of messages in queue */ 54 unsigned long q_qbytes; /* max number of bytes on queue */ 55 struct pid *q_lspid; /* pid of last msgsnd */ 56 struct pid *q_lrpid; /* last receive pid */ 57 58 struct list_head q_messages; 59 struct list_head q_receivers; 60 struct list_head q_senders; 61 } __randomize_layout; 62 63 /* one msg_receiver structure for each sleeping receiver */ 64 struct msg_receiver { 65 struct list_head r_list; 66 struct task_struct *r_tsk; 67 68 int r_mode; 69 long r_msgtype; 70 long r_maxsize; 71 72 struct msg_msg *r_msg; 73 }; 74 75 /* one msg_sender for each sleeping sender */ 76 struct msg_sender { 77 struct list_head list; 78 struct task_struct *tsk; 79 size_t msgsz; 80 }; 81 82 #define SEARCH_ANY 1 83 #define SEARCH_EQUAL 2 84 #define SEARCH_NOTEQUAL 3 85 #define SEARCH_LESSEQUAL 4 86 #define SEARCH_NUMBER 5 87 88 #define msg_ids(ns) ((ns)->ids[IPC_MSG_IDS]) 89 90 static inline struct msg_queue *msq_obtain_object(struct ipc_namespace *ns, int id) 91 { 92 struct kern_ipc_perm *ipcp = ipc_obtain_object_idr(&msg_ids(ns), id); 93 94 if (IS_ERR(ipcp)) 95 return ERR_CAST(ipcp); 96 97 return container_of(ipcp, struct msg_queue, q_perm); 98 } 99 100 static inline struct msg_queue *msq_obtain_object_check(struct ipc_namespace *ns, 101 int id) 102 { 103 struct kern_ipc_perm *ipcp = ipc_obtain_object_check(&msg_ids(ns), id); 104 105 if (IS_ERR(ipcp)) 106 return ERR_CAST(ipcp); 107 108 return container_of(ipcp, struct msg_queue, q_perm); 109 } 110 111 static inline void msg_rmid(struct ipc_namespace *ns, struct msg_queue *s) 112 { 113 ipc_rmid(&msg_ids(ns), &s->q_perm); 114 } 115 116 static void msg_rcu_free(struct rcu_head *head) 117 { 118 struct kern_ipc_perm *p = container_of(head, struct kern_ipc_perm, rcu); 119 struct msg_queue *msq = container_of(p, struct msg_queue, q_perm); 120 121 security_msg_queue_free(&msq->q_perm); 122 kvfree(msq); 123 } 124 125 /** 126 * newque - Create a new msg queue 127 * @ns: namespace 128 * @params: ptr to the structure that contains the key and msgflg 129 * 130 * Called with msg_ids.rwsem held (writer) 131 */ 132 static int newque(struct ipc_namespace *ns, struct ipc_params *params) 133 { 134 struct msg_queue *msq; 135 int retval; 136 key_t key = params->key; 137 int msgflg = params->flg; 138 139 msq = kvmalloc(sizeof(*msq), GFP_KERNEL); 140 if (unlikely(!msq)) 141 return -ENOMEM; 142 143 msq->q_perm.mode = msgflg & S_IRWXUGO; 144 msq->q_perm.key = key; 145 146 msq->q_perm.security = NULL; 147 retval = security_msg_queue_alloc(&msq->q_perm); 148 if (retval) { 149 kvfree(msq); 150 return retval; 151 } 152 153 msq->q_stime = msq->q_rtime = 0; 154 msq->q_ctime = ktime_get_real_seconds(); 155 msq->q_cbytes = msq->q_qnum = 0; 156 msq->q_qbytes = ns->msg_ctlmnb; 157 msq->q_lspid = msq->q_lrpid = NULL; 158 INIT_LIST_HEAD(&msq->q_messages); 159 INIT_LIST_HEAD(&msq->q_receivers); 160 INIT_LIST_HEAD(&msq->q_senders); 161 162 /* ipc_addid() locks msq upon success. */ 163 retval = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni); 164 if (retval < 0) { 165 call_rcu(&msq->q_perm.rcu, msg_rcu_free); 166 return retval; 167 } 168 169 ipc_unlock_object(&msq->q_perm); 170 rcu_read_unlock(); 171 172 return msq->q_perm.id; 173 } 174 175 static inline bool msg_fits_inqueue(struct msg_queue *msq, size_t msgsz) 176 { 177 return msgsz + msq->q_cbytes <= msq->q_qbytes && 178 1 + msq->q_qnum <= msq->q_qbytes; 179 } 180 181 static inline void ss_add(struct msg_queue *msq, 182 struct msg_sender *mss, size_t msgsz) 183 { 184 mss->tsk = current; 185 mss->msgsz = msgsz; 186 __set_current_state(TASK_INTERRUPTIBLE); 187 list_add_tail(&mss->list, &msq->q_senders); 188 } 189 190 static inline void ss_del(struct msg_sender *mss) 191 { 192 if (mss->list.next) 193 list_del(&mss->list); 194 } 195 196 static void ss_wakeup(struct msg_queue *msq, 197 struct wake_q_head *wake_q, bool kill) 198 { 199 struct msg_sender *mss, *t; 200 struct task_struct *stop_tsk = NULL; 201 struct list_head *h = &msq->q_senders; 202 203 list_for_each_entry_safe(mss, t, h, list) { 204 if (kill) 205 mss->list.next = NULL; 206 207 /* 208 * Stop at the first task we don't wakeup, 209 * we've already iterated the original 210 * sender queue. 211 */ 212 else if (stop_tsk == mss->tsk) 213 break; 214 /* 215 * We are not in an EIDRM scenario here, therefore 216 * verify that we really need to wakeup the task. 217 * To maintain current semantics and wakeup order, 218 * move the sender to the tail on behalf of the 219 * blocked task. 220 */ 221 else if (!msg_fits_inqueue(msq, mss->msgsz)) { 222 if (!stop_tsk) 223 stop_tsk = mss->tsk; 224 225 list_move_tail(&mss->list, &msq->q_senders); 226 continue; 227 } 228 229 wake_q_add(wake_q, mss->tsk); 230 } 231 } 232 233 static void expunge_all(struct msg_queue *msq, int res, 234 struct wake_q_head *wake_q) 235 { 236 struct msg_receiver *msr, *t; 237 238 list_for_each_entry_safe(msr, t, &msq->q_receivers, r_list) { 239 wake_q_add(wake_q, msr->r_tsk); 240 WRITE_ONCE(msr->r_msg, ERR_PTR(res)); 241 } 242 } 243 244 /* 245 * freeque() wakes up waiters on the sender and receiver waiting queue, 246 * removes the message queue from message queue ID IDR, and cleans up all the 247 * messages associated with this queue. 248 * 249 * msg_ids.rwsem (writer) and the spinlock for this message queue are held 250 * before freeque() is called. msg_ids.rwsem remains locked on exit. 251 */ 252 static void freeque(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp) 253 { 254 struct msg_msg *msg, *t; 255 struct msg_queue *msq = container_of(ipcp, struct msg_queue, q_perm); 256 DEFINE_WAKE_Q(wake_q); 257 258 expunge_all(msq, -EIDRM, &wake_q); 259 ss_wakeup(msq, &wake_q, true); 260 msg_rmid(ns, msq); 261 ipc_unlock_object(&msq->q_perm); 262 wake_up_q(&wake_q); 263 rcu_read_unlock(); 264 265 list_for_each_entry_safe(msg, t, &msq->q_messages, m_list) { 266 atomic_dec(&ns->msg_hdrs); 267 free_msg(msg); 268 } 269 atomic_sub(msq->q_cbytes, &ns->msg_bytes); 270 ipc_update_pid(&msq->q_lspid, NULL); 271 ipc_update_pid(&msq->q_lrpid, NULL); 272 ipc_rcu_putref(&msq->q_perm, msg_rcu_free); 273 } 274 275 long ksys_msgget(key_t key, int msgflg) 276 { 277 struct ipc_namespace *ns; 278 static const struct ipc_ops msg_ops = { 279 .getnew = newque, 280 .associate = security_msg_queue_associate, 281 }; 282 struct ipc_params msg_params; 283 284 ns = current->nsproxy->ipc_ns; 285 286 msg_params.key = key; 287 msg_params.flg = msgflg; 288 289 return ipcget(ns, &msg_ids(ns), &msg_ops, &msg_params); 290 } 291 292 SYSCALL_DEFINE2(msgget, key_t, key, int, msgflg) 293 { 294 return ksys_msgget(key, msgflg); 295 } 296 297 static inline unsigned long 298 copy_msqid_to_user(void __user *buf, struct msqid64_ds *in, int version) 299 { 300 switch (version) { 301 case IPC_64: 302 return copy_to_user(buf, in, sizeof(*in)); 303 case IPC_OLD: 304 { 305 struct msqid_ds out; 306 307 memset(&out, 0, sizeof(out)); 308 309 ipc64_perm_to_ipc_perm(&in->msg_perm, &out.msg_perm); 310 311 out.msg_stime = in->msg_stime; 312 out.msg_rtime = in->msg_rtime; 313 out.msg_ctime = in->msg_ctime; 314 315 if (in->msg_cbytes > USHRT_MAX) 316 out.msg_cbytes = USHRT_MAX; 317 else 318 out.msg_cbytes = in->msg_cbytes; 319 out.msg_lcbytes = in->msg_cbytes; 320 321 if (in->msg_qnum > USHRT_MAX) 322 out.msg_qnum = USHRT_MAX; 323 else 324 out.msg_qnum = in->msg_qnum; 325 326 if (in->msg_qbytes > USHRT_MAX) 327 out.msg_qbytes = USHRT_MAX; 328 else 329 out.msg_qbytes = in->msg_qbytes; 330 out.msg_lqbytes = in->msg_qbytes; 331 332 out.msg_lspid = in->msg_lspid; 333 out.msg_lrpid = in->msg_lrpid; 334 335 return copy_to_user(buf, &out, sizeof(out)); 336 } 337 default: 338 return -EINVAL; 339 } 340 } 341 342 static inline unsigned long 343 copy_msqid_from_user(struct msqid64_ds *out, void __user *buf, int version) 344 { 345 switch (version) { 346 case IPC_64: 347 if (copy_from_user(out, buf, sizeof(*out))) 348 return -EFAULT; 349 return 0; 350 case IPC_OLD: 351 { 352 struct msqid_ds tbuf_old; 353 354 if (copy_from_user(&tbuf_old, buf, sizeof(tbuf_old))) 355 return -EFAULT; 356 357 out->msg_perm.uid = tbuf_old.msg_perm.uid; 358 out->msg_perm.gid = tbuf_old.msg_perm.gid; 359 out->msg_perm.mode = tbuf_old.msg_perm.mode; 360 361 if (tbuf_old.msg_qbytes == 0) 362 out->msg_qbytes = tbuf_old.msg_lqbytes; 363 else 364 out->msg_qbytes = tbuf_old.msg_qbytes; 365 366 return 0; 367 } 368 default: 369 return -EINVAL; 370 } 371 } 372 373 /* 374 * This function handles some msgctl commands which require the rwsem 375 * to be held in write mode. 376 * NOTE: no locks must be held, the rwsem is taken inside this function. 377 */ 378 static int msgctl_down(struct ipc_namespace *ns, int msqid, int cmd, 379 struct msqid64_ds *msqid64) 380 { 381 struct kern_ipc_perm *ipcp; 382 struct msg_queue *msq; 383 int err; 384 385 down_write(&msg_ids(ns).rwsem); 386 rcu_read_lock(); 387 388 ipcp = ipcctl_pre_down_nolock(ns, &msg_ids(ns), msqid, cmd, 389 &msqid64->msg_perm, msqid64->msg_qbytes); 390 if (IS_ERR(ipcp)) { 391 err = PTR_ERR(ipcp); 392 goto out_unlock1; 393 } 394 395 msq = container_of(ipcp, struct msg_queue, q_perm); 396 397 err = security_msg_queue_msgctl(&msq->q_perm, cmd); 398 if (err) 399 goto out_unlock1; 400 401 switch (cmd) { 402 case IPC_RMID: 403 ipc_lock_object(&msq->q_perm); 404 /* freeque unlocks the ipc object and rcu */ 405 freeque(ns, ipcp); 406 goto out_up; 407 case IPC_SET: 408 { 409 DEFINE_WAKE_Q(wake_q); 410 411 if (msqid64->msg_qbytes > ns->msg_ctlmnb && 412 !capable(CAP_SYS_RESOURCE)) { 413 err = -EPERM; 414 goto out_unlock1; 415 } 416 417 ipc_lock_object(&msq->q_perm); 418 err = ipc_update_perm(&msqid64->msg_perm, ipcp); 419 if (err) 420 goto out_unlock0; 421 422 msq->q_qbytes = msqid64->msg_qbytes; 423 424 msq->q_ctime = ktime_get_real_seconds(); 425 /* 426 * Sleeping receivers might be excluded by 427 * stricter permissions. 428 */ 429 expunge_all(msq, -EAGAIN, &wake_q); 430 /* 431 * Sleeping senders might be able to send 432 * due to a larger queue size. 433 */ 434 ss_wakeup(msq, &wake_q, false); 435 ipc_unlock_object(&msq->q_perm); 436 wake_up_q(&wake_q); 437 438 goto out_unlock1; 439 } 440 default: 441 err = -EINVAL; 442 goto out_unlock1; 443 } 444 445 out_unlock0: 446 ipc_unlock_object(&msq->q_perm); 447 out_unlock1: 448 rcu_read_unlock(); 449 out_up: 450 up_write(&msg_ids(ns).rwsem); 451 return err; 452 } 453 454 static int msgctl_info(struct ipc_namespace *ns, int msqid, 455 int cmd, struct msginfo *msginfo) 456 { 457 int err; 458 int max_id; 459 460 /* 461 * We must not return kernel stack data. 462 * due to padding, it's not enough 463 * to set all member fields. 464 */ 465 err = security_msg_queue_msgctl(NULL, cmd); 466 if (err) 467 return err; 468 469 memset(msginfo, 0, sizeof(*msginfo)); 470 msginfo->msgmni = ns->msg_ctlmni; 471 msginfo->msgmax = ns->msg_ctlmax; 472 msginfo->msgmnb = ns->msg_ctlmnb; 473 msginfo->msgssz = MSGSSZ; 474 msginfo->msgseg = MSGSEG; 475 down_read(&msg_ids(ns).rwsem); 476 if (cmd == MSG_INFO) { 477 msginfo->msgpool = msg_ids(ns).in_use; 478 msginfo->msgmap = atomic_read(&ns->msg_hdrs); 479 msginfo->msgtql = atomic_read(&ns->msg_bytes); 480 } else { 481 msginfo->msgmap = MSGMAP; 482 msginfo->msgpool = MSGPOOL; 483 msginfo->msgtql = MSGTQL; 484 } 485 max_id = ipc_get_maxid(&msg_ids(ns)); 486 up_read(&msg_ids(ns).rwsem); 487 return (max_id < 0) ? 0 : max_id; 488 } 489 490 static int msgctl_stat(struct ipc_namespace *ns, int msqid, 491 int cmd, struct msqid64_ds *p) 492 { 493 struct msg_queue *msq; 494 int id = 0; 495 int err; 496 497 memset(p, 0, sizeof(*p)); 498 499 rcu_read_lock(); 500 if (cmd == MSG_STAT || cmd == MSG_STAT_ANY) { 501 msq = msq_obtain_object(ns, msqid); 502 if (IS_ERR(msq)) { 503 err = PTR_ERR(msq); 504 goto out_unlock; 505 } 506 id = msq->q_perm.id; 507 } else { /* IPC_STAT */ 508 msq = msq_obtain_object_check(ns, msqid); 509 if (IS_ERR(msq)) { 510 err = PTR_ERR(msq); 511 goto out_unlock; 512 } 513 } 514 515 /* see comment for SHM_STAT_ANY */ 516 if (cmd == MSG_STAT_ANY) 517 audit_ipc_obj(&msq->q_perm); 518 else { 519 err = -EACCES; 520 if (ipcperms(ns, &msq->q_perm, S_IRUGO)) 521 goto out_unlock; 522 } 523 524 err = security_msg_queue_msgctl(&msq->q_perm, cmd); 525 if (err) 526 goto out_unlock; 527 528 ipc_lock_object(&msq->q_perm); 529 530 if (!ipc_valid_object(&msq->q_perm)) { 531 ipc_unlock_object(&msq->q_perm); 532 err = -EIDRM; 533 goto out_unlock; 534 } 535 536 kernel_to_ipc64_perm(&msq->q_perm, &p->msg_perm); 537 p->msg_stime = msq->q_stime; 538 p->msg_rtime = msq->q_rtime; 539 p->msg_ctime = msq->q_ctime; 540 #ifndef CONFIG_64BIT 541 p->msg_stime_high = msq->q_stime >> 32; 542 p->msg_rtime_high = msq->q_rtime >> 32; 543 p->msg_ctime_high = msq->q_ctime >> 32; 544 #endif 545 p->msg_cbytes = msq->q_cbytes; 546 p->msg_qnum = msq->q_qnum; 547 p->msg_qbytes = msq->q_qbytes; 548 p->msg_lspid = pid_vnr(msq->q_lspid); 549 p->msg_lrpid = pid_vnr(msq->q_lrpid); 550 551 ipc_unlock_object(&msq->q_perm); 552 rcu_read_unlock(); 553 return id; 554 555 out_unlock: 556 rcu_read_unlock(); 557 return err; 558 } 559 560 long ksys_msgctl(int msqid, int cmd, struct msqid_ds __user *buf) 561 { 562 int version; 563 struct ipc_namespace *ns; 564 struct msqid64_ds msqid64; 565 int err; 566 567 if (msqid < 0 || cmd < 0) 568 return -EINVAL; 569 570 version = ipc_parse_version(&cmd); 571 ns = current->nsproxy->ipc_ns; 572 573 switch (cmd) { 574 case IPC_INFO: 575 case MSG_INFO: { 576 struct msginfo msginfo; 577 err = msgctl_info(ns, msqid, cmd, &msginfo); 578 if (err < 0) 579 return err; 580 if (copy_to_user(buf, &msginfo, sizeof(struct msginfo))) 581 err = -EFAULT; 582 return err; 583 } 584 case MSG_STAT: /* msqid is an index rather than a msg queue id */ 585 case MSG_STAT_ANY: 586 case IPC_STAT: 587 err = msgctl_stat(ns, msqid, cmd, &msqid64); 588 if (err < 0) 589 return err; 590 if (copy_msqid_to_user(buf, &msqid64, version)) 591 err = -EFAULT; 592 return err; 593 case IPC_SET: 594 if (copy_msqid_from_user(&msqid64, buf, version)) 595 return -EFAULT; 596 /* fallthru */ 597 case IPC_RMID: 598 return msgctl_down(ns, msqid, cmd, &msqid64); 599 default: 600 return -EINVAL; 601 } 602 } 603 604 SYSCALL_DEFINE3(msgctl, int, msqid, int, cmd, struct msqid_ds __user *, buf) 605 { 606 return ksys_msgctl(msqid, cmd, buf); 607 } 608 609 #ifdef CONFIG_COMPAT 610 611 struct compat_msqid_ds { 612 struct compat_ipc_perm msg_perm; 613 compat_uptr_t msg_first; 614 compat_uptr_t msg_last; 615 compat_time_t msg_stime; 616 compat_time_t msg_rtime; 617 compat_time_t msg_ctime; 618 compat_ulong_t msg_lcbytes; 619 compat_ulong_t msg_lqbytes; 620 unsigned short msg_cbytes; 621 unsigned short msg_qnum; 622 unsigned short msg_qbytes; 623 compat_ipc_pid_t msg_lspid; 624 compat_ipc_pid_t msg_lrpid; 625 }; 626 627 static int copy_compat_msqid_from_user(struct msqid64_ds *out, void __user *buf, 628 int version) 629 { 630 memset(out, 0, sizeof(*out)); 631 if (version == IPC_64) { 632 struct compat_msqid64_ds __user *p = buf; 633 if (get_compat_ipc64_perm(&out->msg_perm, &p->msg_perm)) 634 return -EFAULT; 635 if (get_user(out->msg_qbytes, &p->msg_qbytes)) 636 return -EFAULT; 637 } else { 638 struct compat_msqid_ds __user *p = buf; 639 if (get_compat_ipc_perm(&out->msg_perm, &p->msg_perm)) 640 return -EFAULT; 641 if (get_user(out->msg_qbytes, &p->msg_qbytes)) 642 return -EFAULT; 643 } 644 return 0; 645 } 646 647 static int copy_compat_msqid_to_user(void __user *buf, struct msqid64_ds *in, 648 int version) 649 { 650 if (version == IPC_64) { 651 struct compat_msqid64_ds v; 652 memset(&v, 0, sizeof(v)); 653 to_compat_ipc64_perm(&v.msg_perm, &in->msg_perm); 654 v.msg_stime = lower_32_bits(in->msg_stime); 655 v.msg_stime_high = upper_32_bits(in->msg_stime); 656 v.msg_rtime = lower_32_bits(in->msg_rtime); 657 v.msg_rtime_high = upper_32_bits(in->msg_rtime); 658 v.msg_ctime = lower_32_bits(in->msg_ctime); 659 v.msg_ctime_high = upper_32_bits(in->msg_ctime); 660 v.msg_cbytes = in->msg_cbytes; 661 v.msg_qnum = in->msg_qnum; 662 v.msg_qbytes = in->msg_qbytes; 663 v.msg_lspid = in->msg_lspid; 664 v.msg_lrpid = in->msg_lrpid; 665 return copy_to_user(buf, &v, sizeof(v)); 666 } else { 667 struct compat_msqid_ds v; 668 memset(&v, 0, sizeof(v)); 669 to_compat_ipc_perm(&v.msg_perm, &in->msg_perm); 670 v.msg_stime = in->msg_stime; 671 v.msg_rtime = in->msg_rtime; 672 v.msg_ctime = in->msg_ctime; 673 v.msg_cbytes = in->msg_cbytes; 674 v.msg_qnum = in->msg_qnum; 675 v.msg_qbytes = in->msg_qbytes; 676 v.msg_lspid = in->msg_lspid; 677 v.msg_lrpid = in->msg_lrpid; 678 return copy_to_user(buf, &v, sizeof(v)); 679 } 680 } 681 682 long compat_ksys_msgctl(int msqid, int cmd, void __user *uptr) 683 { 684 struct ipc_namespace *ns; 685 int err; 686 struct msqid64_ds msqid64; 687 int version = compat_ipc_parse_version(&cmd); 688 689 ns = current->nsproxy->ipc_ns; 690 691 if (msqid < 0 || cmd < 0) 692 return -EINVAL; 693 694 switch (cmd & (~IPC_64)) { 695 case IPC_INFO: 696 case MSG_INFO: { 697 struct msginfo msginfo; 698 err = msgctl_info(ns, msqid, cmd, &msginfo); 699 if (err < 0) 700 return err; 701 if (copy_to_user(uptr, &msginfo, sizeof(struct msginfo))) 702 err = -EFAULT; 703 return err; 704 } 705 case IPC_STAT: 706 case MSG_STAT: 707 case MSG_STAT_ANY: 708 err = msgctl_stat(ns, msqid, cmd, &msqid64); 709 if (err < 0) 710 return err; 711 if (copy_compat_msqid_to_user(uptr, &msqid64, version)) 712 err = -EFAULT; 713 return err; 714 case IPC_SET: 715 if (copy_compat_msqid_from_user(&msqid64, uptr, version)) 716 return -EFAULT; 717 /* fallthru */ 718 case IPC_RMID: 719 return msgctl_down(ns, msqid, cmd, &msqid64); 720 default: 721 return -EINVAL; 722 } 723 } 724 725 COMPAT_SYSCALL_DEFINE3(msgctl, int, msqid, int, cmd, void __user *, uptr) 726 { 727 return compat_ksys_msgctl(msqid, cmd, uptr); 728 } 729 #endif 730 731 static int testmsg(struct msg_msg *msg, long type, int mode) 732 { 733 switch (mode) { 734 case SEARCH_ANY: 735 case SEARCH_NUMBER: 736 return 1; 737 case SEARCH_LESSEQUAL: 738 if (msg->m_type <= type) 739 return 1; 740 break; 741 case SEARCH_EQUAL: 742 if (msg->m_type == type) 743 return 1; 744 break; 745 case SEARCH_NOTEQUAL: 746 if (msg->m_type != type) 747 return 1; 748 break; 749 } 750 return 0; 751 } 752 753 static inline int pipelined_send(struct msg_queue *msq, struct msg_msg *msg, 754 struct wake_q_head *wake_q) 755 { 756 struct msg_receiver *msr, *t; 757 758 list_for_each_entry_safe(msr, t, &msq->q_receivers, r_list) { 759 if (testmsg(msg, msr->r_msgtype, msr->r_mode) && 760 !security_msg_queue_msgrcv(&msq->q_perm, msg, msr->r_tsk, 761 msr->r_msgtype, msr->r_mode)) { 762 763 list_del(&msr->r_list); 764 if (msr->r_maxsize < msg->m_ts) { 765 wake_q_add(wake_q, msr->r_tsk); 766 WRITE_ONCE(msr->r_msg, ERR_PTR(-E2BIG)); 767 } else { 768 ipc_update_pid(&msq->q_lrpid, task_pid(msr->r_tsk)); 769 msq->q_rtime = ktime_get_real_seconds(); 770 771 wake_q_add(wake_q, msr->r_tsk); 772 WRITE_ONCE(msr->r_msg, msg); 773 return 1; 774 } 775 } 776 } 777 778 return 0; 779 } 780 781 static long do_msgsnd(int msqid, long mtype, void __user *mtext, 782 size_t msgsz, int msgflg) 783 { 784 struct msg_queue *msq; 785 struct msg_msg *msg; 786 int err; 787 struct ipc_namespace *ns; 788 DEFINE_WAKE_Q(wake_q); 789 790 ns = current->nsproxy->ipc_ns; 791 792 if (msgsz > ns->msg_ctlmax || (long) msgsz < 0 || msqid < 0) 793 return -EINVAL; 794 if (mtype < 1) 795 return -EINVAL; 796 797 msg = load_msg(mtext, msgsz); 798 if (IS_ERR(msg)) 799 return PTR_ERR(msg); 800 801 msg->m_type = mtype; 802 msg->m_ts = msgsz; 803 804 rcu_read_lock(); 805 msq = msq_obtain_object_check(ns, msqid); 806 if (IS_ERR(msq)) { 807 err = PTR_ERR(msq); 808 goto out_unlock1; 809 } 810 811 ipc_lock_object(&msq->q_perm); 812 813 for (;;) { 814 struct msg_sender s; 815 816 err = -EACCES; 817 if (ipcperms(ns, &msq->q_perm, S_IWUGO)) 818 goto out_unlock0; 819 820 /* raced with RMID? */ 821 if (!ipc_valid_object(&msq->q_perm)) { 822 err = -EIDRM; 823 goto out_unlock0; 824 } 825 826 err = security_msg_queue_msgsnd(&msq->q_perm, msg, msgflg); 827 if (err) 828 goto out_unlock0; 829 830 if (msg_fits_inqueue(msq, msgsz)) 831 break; 832 833 /* queue full, wait: */ 834 if (msgflg & IPC_NOWAIT) { 835 err = -EAGAIN; 836 goto out_unlock0; 837 } 838 839 /* enqueue the sender and prepare to block */ 840 ss_add(msq, &s, msgsz); 841 842 if (!ipc_rcu_getref(&msq->q_perm)) { 843 err = -EIDRM; 844 goto out_unlock0; 845 } 846 847 ipc_unlock_object(&msq->q_perm); 848 rcu_read_unlock(); 849 schedule(); 850 851 rcu_read_lock(); 852 ipc_lock_object(&msq->q_perm); 853 854 ipc_rcu_putref(&msq->q_perm, msg_rcu_free); 855 /* raced with RMID? */ 856 if (!ipc_valid_object(&msq->q_perm)) { 857 err = -EIDRM; 858 goto out_unlock0; 859 } 860 ss_del(&s); 861 862 if (signal_pending(current)) { 863 err = -ERESTARTNOHAND; 864 goto out_unlock0; 865 } 866 867 } 868 869 ipc_update_pid(&msq->q_lspid, task_tgid(current)); 870 msq->q_stime = ktime_get_real_seconds(); 871 872 if (!pipelined_send(msq, msg, &wake_q)) { 873 /* no one is waiting for this message, enqueue it */ 874 list_add_tail(&msg->m_list, &msq->q_messages); 875 msq->q_cbytes += msgsz; 876 msq->q_qnum++; 877 atomic_add(msgsz, &ns->msg_bytes); 878 atomic_inc(&ns->msg_hdrs); 879 } 880 881 err = 0; 882 msg = NULL; 883 884 out_unlock0: 885 ipc_unlock_object(&msq->q_perm); 886 wake_up_q(&wake_q); 887 out_unlock1: 888 rcu_read_unlock(); 889 if (msg != NULL) 890 free_msg(msg); 891 return err; 892 } 893 894 long ksys_msgsnd(int msqid, struct msgbuf __user *msgp, size_t msgsz, 895 int msgflg) 896 { 897 long mtype; 898 899 if (get_user(mtype, &msgp->mtype)) 900 return -EFAULT; 901 return do_msgsnd(msqid, mtype, msgp->mtext, msgsz, msgflg); 902 } 903 904 SYSCALL_DEFINE4(msgsnd, int, msqid, struct msgbuf __user *, msgp, size_t, msgsz, 905 int, msgflg) 906 { 907 return ksys_msgsnd(msqid, msgp, msgsz, msgflg); 908 } 909 910 #ifdef CONFIG_COMPAT 911 912 struct compat_msgbuf { 913 compat_long_t mtype; 914 char mtext[1]; 915 }; 916 917 long compat_ksys_msgsnd(int msqid, compat_uptr_t msgp, 918 compat_ssize_t msgsz, int msgflg) 919 { 920 struct compat_msgbuf __user *up = compat_ptr(msgp); 921 compat_long_t mtype; 922 923 if (get_user(mtype, &up->mtype)) 924 return -EFAULT; 925 return do_msgsnd(msqid, mtype, up->mtext, (ssize_t)msgsz, msgflg); 926 } 927 928 COMPAT_SYSCALL_DEFINE4(msgsnd, int, msqid, compat_uptr_t, msgp, 929 compat_ssize_t, msgsz, int, msgflg) 930 { 931 return compat_ksys_msgsnd(msqid, msgp, msgsz, msgflg); 932 } 933 #endif 934 935 static inline int convert_mode(long *msgtyp, int msgflg) 936 { 937 if (msgflg & MSG_COPY) 938 return SEARCH_NUMBER; 939 /* 940 * find message of correct type. 941 * msgtyp = 0 => get first. 942 * msgtyp > 0 => get first message of matching type. 943 * msgtyp < 0 => get message with least type must be < abs(msgtype). 944 */ 945 if (*msgtyp == 0) 946 return SEARCH_ANY; 947 if (*msgtyp < 0) { 948 if (*msgtyp == LONG_MIN) /* -LONG_MIN is undefined */ 949 *msgtyp = LONG_MAX; 950 else 951 *msgtyp = -*msgtyp; 952 return SEARCH_LESSEQUAL; 953 } 954 if (msgflg & MSG_EXCEPT) 955 return SEARCH_NOTEQUAL; 956 return SEARCH_EQUAL; 957 } 958 959 static long do_msg_fill(void __user *dest, struct msg_msg *msg, size_t bufsz) 960 { 961 struct msgbuf __user *msgp = dest; 962 size_t msgsz; 963 964 if (put_user(msg->m_type, &msgp->mtype)) 965 return -EFAULT; 966 967 msgsz = (bufsz > msg->m_ts) ? msg->m_ts : bufsz; 968 if (store_msg(msgp->mtext, msg, msgsz)) 969 return -EFAULT; 970 return msgsz; 971 } 972 973 #ifdef CONFIG_CHECKPOINT_RESTORE 974 /* 975 * This function creates new kernel message structure, large enough to store 976 * bufsz message bytes. 977 */ 978 static inline struct msg_msg *prepare_copy(void __user *buf, size_t bufsz) 979 { 980 struct msg_msg *copy; 981 982 /* 983 * Create dummy message to copy real message to. 984 */ 985 copy = load_msg(buf, bufsz); 986 if (!IS_ERR(copy)) 987 copy->m_ts = bufsz; 988 return copy; 989 } 990 991 static inline void free_copy(struct msg_msg *copy) 992 { 993 if (copy) 994 free_msg(copy); 995 } 996 #else 997 static inline struct msg_msg *prepare_copy(void __user *buf, size_t bufsz) 998 { 999 return ERR_PTR(-ENOSYS); 1000 } 1001 1002 static inline void free_copy(struct msg_msg *copy) 1003 { 1004 } 1005 #endif 1006 1007 static struct msg_msg *find_msg(struct msg_queue *msq, long *msgtyp, int mode) 1008 { 1009 struct msg_msg *msg, *found = NULL; 1010 long count = 0; 1011 1012 list_for_each_entry(msg, &msq->q_messages, m_list) { 1013 if (testmsg(msg, *msgtyp, mode) && 1014 !security_msg_queue_msgrcv(&msq->q_perm, msg, current, 1015 *msgtyp, mode)) { 1016 if (mode == SEARCH_LESSEQUAL && msg->m_type != 1) { 1017 *msgtyp = msg->m_type - 1; 1018 found = msg; 1019 } else if (mode == SEARCH_NUMBER) { 1020 if (*msgtyp == count) 1021 return msg; 1022 } else 1023 return msg; 1024 count++; 1025 } 1026 } 1027 1028 return found ?: ERR_PTR(-EAGAIN); 1029 } 1030 1031 static long do_msgrcv(int msqid, void __user *buf, size_t bufsz, long msgtyp, int msgflg, 1032 long (*msg_handler)(void __user *, struct msg_msg *, size_t)) 1033 { 1034 int mode; 1035 struct msg_queue *msq; 1036 struct ipc_namespace *ns; 1037 struct msg_msg *msg, *copy = NULL; 1038 DEFINE_WAKE_Q(wake_q); 1039 1040 ns = current->nsproxy->ipc_ns; 1041 1042 if (msqid < 0 || (long) bufsz < 0) 1043 return -EINVAL; 1044 1045 if (msgflg & MSG_COPY) { 1046 if ((msgflg & MSG_EXCEPT) || !(msgflg & IPC_NOWAIT)) 1047 return -EINVAL; 1048 copy = prepare_copy(buf, min_t(size_t, bufsz, ns->msg_ctlmax)); 1049 if (IS_ERR(copy)) 1050 return PTR_ERR(copy); 1051 } 1052 mode = convert_mode(&msgtyp, msgflg); 1053 1054 rcu_read_lock(); 1055 msq = msq_obtain_object_check(ns, msqid); 1056 if (IS_ERR(msq)) { 1057 rcu_read_unlock(); 1058 free_copy(copy); 1059 return PTR_ERR(msq); 1060 } 1061 1062 for (;;) { 1063 struct msg_receiver msr_d; 1064 1065 msg = ERR_PTR(-EACCES); 1066 if (ipcperms(ns, &msq->q_perm, S_IRUGO)) 1067 goto out_unlock1; 1068 1069 ipc_lock_object(&msq->q_perm); 1070 1071 /* raced with RMID? */ 1072 if (!ipc_valid_object(&msq->q_perm)) { 1073 msg = ERR_PTR(-EIDRM); 1074 goto out_unlock0; 1075 } 1076 1077 msg = find_msg(msq, &msgtyp, mode); 1078 if (!IS_ERR(msg)) { 1079 /* 1080 * Found a suitable message. 1081 * Unlink it from the queue. 1082 */ 1083 if ((bufsz < msg->m_ts) && !(msgflg & MSG_NOERROR)) { 1084 msg = ERR_PTR(-E2BIG); 1085 goto out_unlock0; 1086 } 1087 /* 1088 * If we are copying, then do not unlink message and do 1089 * not update queue parameters. 1090 */ 1091 if (msgflg & MSG_COPY) { 1092 msg = copy_msg(msg, copy); 1093 goto out_unlock0; 1094 } 1095 1096 list_del(&msg->m_list); 1097 msq->q_qnum--; 1098 msq->q_rtime = ktime_get_real_seconds(); 1099 ipc_update_pid(&msq->q_lrpid, task_tgid(current)); 1100 msq->q_cbytes -= msg->m_ts; 1101 atomic_sub(msg->m_ts, &ns->msg_bytes); 1102 atomic_dec(&ns->msg_hdrs); 1103 ss_wakeup(msq, &wake_q, false); 1104 1105 goto out_unlock0; 1106 } 1107 1108 /* No message waiting. Wait for a message */ 1109 if (msgflg & IPC_NOWAIT) { 1110 msg = ERR_PTR(-ENOMSG); 1111 goto out_unlock0; 1112 } 1113 1114 list_add_tail(&msr_d.r_list, &msq->q_receivers); 1115 msr_d.r_tsk = current; 1116 msr_d.r_msgtype = msgtyp; 1117 msr_d.r_mode = mode; 1118 if (msgflg & MSG_NOERROR) 1119 msr_d.r_maxsize = INT_MAX; 1120 else 1121 msr_d.r_maxsize = bufsz; 1122 msr_d.r_msg = ERR_PTR(-EAGAIN); 1123 __set_current_state(TASK_INTERRUPTIBLE); 1124 1125 ipc_unlock_object(&msq->q_perm); 1126 rcu_read_unlock(); 1127 schedule(); 1128 1129 /* 1130 * Lockless receive, part 1: 1131 * We don't hold a reference to the queue and getting a 1132 * reference would defeat the idea of a lockless operation, 1133 * thus the code relies on rcu to guarantee the existence of 1134 * msq: 1135 * Prior to destruction, expunge_all(-EIRDM) changes r_msg. 1136 * Thus if r_msg is -EAGAIN, then the queue not yet destroyed. 1137 */ 1138 rcu_read_lock(); 1139 1140 /* 1141 * Lockless receive, part 2: 1142 * The work in pipelined_send() and expunge_all(): 1143 * - Set pointer to message 1144 * - Queue the receiver task for later wakeup 1145 * - Wake up the process after the lock is dropped. 1146 * 1147 * Should the process wake up before this wakeup (due to a 1148 * signal) it will either see the message and continue ... 1149 */ 1150 msg = READ_ONCE(msr_d.r_msg); 1151 if (msg != ERR_PTR(-EAGAIN)) 1152 goto out_unlock1; 1153 1154 /* 1155 * ... or see -EAGAIN, acquire the lock to check the message 1156 * again. 1157 */ 1158 ipc_lock_object(&msq->q_perm); 1159 1160 msg = msr_d.r_msg; 1161 if (msg != ERR_PTR(-EAGAIN)) 1162 goto out_unlock0; 1163 1164 list_del(&msr_d.r_list); 1165 if (signal_pending(current)) { 1166 msg = ERR_PTR(-ERESTARTNOHAND); 1167 goto out_unlock0; 1168 } 1169 1170 ipc_unlock_object(&msq->q_perm); 1171 } 1172 1173 out_unlock0: 1174 ipc_unlock_object(&msq->q_perm); 1175 wake_up_q(&wake_q); 1176 out_unlock1: 1177 rcu_read_unlock(); 1178 if (IS_ERR(msg)) { 1179 free_copy(copy); 1180 return PTR_ERR(msg); 1181 } 1182 1183 bufsz = msg_handler(buf, msg, bufsz); 1184 free_msg(msg); 1185 1186 return bufsz; 1187 } 1188 1189 long ksys_msgrcv(int msqid, struct msgbuf __user *msgp, size_t msgsz, 1190 long msgtyp, int msgflg) 1191 { 1192 return do_msgrcv(msqid, msgp, msgsz, msgtyp, msgflg, do_msg_fill); 1193 } 1194 1195 SYSCALL_DEFINE5(msgrcv, int, msqid, struct msgbuf __user *, msgp, size_t, msgsz, 1196 long, msgtyp, int, msgflg) 1197 { 1198 return ksys_msgrcv(msqid, msgp, msgsz, msgtyp, msgflg); 1199 } 1200 1201 #ifdef CONFIG_COMPAT 1202 static long compat_do_msg_fill(void __user *dest, struct msg_msg *msg, size_t bufsz) 1203 { 1204 struct compat_msgbuf __user *msgp = dest; 1205 size_t msgsz; 1206 1207 if (put_user(msg->m_type, &msgp->mtype)) 1208 return -EFAULT; 1209 1210 msgsz = (bufsz > msg->m_ts) ? msg->m_ts : bufsz; 1211 if (store_msg(msgp->mtext, msg, msgsz)) 1212 return -EFAULT; 1213 return msgsz; 1214 } 1215 1216 long compat_ksys_msgrcv(int msqid, compat_uptr_t msgp, compat_ssize_t msgsz, 1217 compat_long_t msgtyp, int msgflg) 1218 { 1219 return do_msgrcv(msqid, compat_ptr(msgp), (ssize_t)msgsz, (long)msgtyp, 1220 msgflg, compat_do_msg_fill); 1221 } 1222 1223 COMPAT_SYSCALL_DEFINE5(msgrcv, int, msqid, compat_uptr_t, msgp, 1224 compat_ssize_t, msgsz, compat_long_t, msgtyp, 1225 int, msgflg) 1226 { 1227 return compat_ksys_msgrcv(msqid, msgp, msgsz, msgtyp, msgflg); 1228 } 1229 #endif 1230 1231 int msg_init_ns(struct ipc_namespace *ns) 1232 { 1233 ns->msg_ctlmax = MSGMAX; 1234 ns->msg_ctlmnb = MSGMNB; 1235 ns->msg_ctlmni = MSGMNI; 1236 1237 atomic_set(&ns->msg_bytes, 0); 1238 atomic_set(&ns->msg_hdrs, 0); 1239 return ipc_init_ids(&ns->ids[IPC_MSG_IDS]); 1240 } 1241 1242 #ifdef CONFIG_IPC_NS 1243 void msg_exit_ns(struct ipc_namespace *ns) 1244 { 1245 free_ipcs(ns, &msg_ids(ns), freeque); 1246 idr_destroy(&ns->ids[IPC_MSG_IDS].ipcs_idr); 1247 rhashtable_destroy(&ns->ids[IPC_MSG_IDS].key_ht); 1248 } 1249 #endif 1250 1251 #ifdef CONFIG_PROC_FS 1252 static int sysvipc_msg_proc_show(struct seq_file *s, void *it) 1253 { 1254 struct pid_namespace *pid_ns = ipc_seq_pid_ns(s); 1255 struct user_namespace *user_ns = seq_user_ns(s); 1256 struct kern_ipc_perm *ipcp = it; 1257 struct msg_queue *msq = container_of(ipcp, struct msg_queue, q_perm); 1258 1259 seq_printf(s, 1260 "%10d %10d %4o %10lu %10lu %5u %5u %5u %5u %5u %5u %10llu %10llu %10llu\n", 1261 msq->q_perm.key, 1262 msq->q_perm.id, 1263 msq->q_perm.mode, 1264 msq->q_cbytes, 1265 msq->q_qnum, 1266 pid_nr_ns(msq->q_lspid, pid_ns), 1267 pid_nr_ns(msq->q_lrpid, pid_ns), 1268 from_kuid_munged(user_ns, msq->q_perm.uid), 1269 from_kgid_munged(user_ns, msq->q_perm.gid), 1270 from_kuid_munged(user_ns, msq->q_perm.cuid), 1271 from_kgid_munged(user_ns, msq->q_perm.cgid), 1272 msq->q_stime, 1273 msq->q_rtime, 1274 msq->q_ctime); 1275 1276 return 0; 1277 } 1278 #endif 1279 1280 int __init msg_init(void) 1281 { 1282 const int err = msg_init_ns(&init_ipc_ns); 1283 1284 ipc_init_proc_interface("sysvipc/msg", 1285 " key msqid perms cbytes qnum lspid lrpid uid gid cuid cgid stime rtime ctime\n", 1286 IPC_MSG_IDS, sysvipc_msg_proc_show); 1287 return err; 1288 } 1289