1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * linux/ipc/sem.c 4 * Copyright (C) 1992 Krishna Balasubramanian 5 * Copyright (C) 1995 Eric Schenk, Bruno Haible 6 * 7 * /proc/sysvipc/sem support (c) 1999 Dragos Acostachioaie <dragos@iname.com> 8 * 9 * SMP-threaded, sysctl's added 10 * (c) 1999 Manfred Spraul <manfred@colorfullife.com> 11 * Enforced range limit on SEM_UNDO 12 * (c) 2001 Red Hat Inc 13 * Lockless wakeup 14 * (c) 2003 Manfred Spraul <manfred@colorfullife.com> 15 * (c) 2016 Davidlohr Bueso <dave@stgolabs.net> 16 * Further wakeup optimizations, documentation 17 * (c) 2010 Manfred Spraul <manfred@colorfullife.com> 18 * 19 * support for audit of ipc object properties and permission changes 20 * Dustin Kirkland <dustin.kirkland@us.ibm.com> 21 * 22 * namespaces support 23 * OpenVZ, SWsoft Inc. 24 * Pavel Emelianov <xemul@openvz.org> 25 * 26 * Implementation notes: (May 2010) 27 * This file implements System V semaphores. 28 * 29 * User space visible behavior: 30 * - FIFO ordering for semop() operations (just FIFO, not starvation 31 * protection) 32 * - multiple semaphore operations that alter the same semaphore in 33 * one semop() are handled. 34 * - sem_ctime (time of last semctl()) is updated in the IPC_SET, SETVAL and 35 * SETALL calls. 36 * - two Linux specific semctl() commands: SEM_STAT, SEM_INFO. 37 * - undo adjustments at process exit are limited to 0..SEMVMX. 38 * - namespace are supported. 39 * - SEMMSL, SEMMNS, SEMOPM and SEMMNI can be configured at runtime by writing 40 * to /proc/sys/kernel/sem. 41 * - statistics about the usage are reported in /proc/sysvipc/sem. 42 * 43 * Internals: 44 * - scalability: 45 * - all global variables are read-mostly. 46 * - semop() calls and semctl(RMID) are synchronized by RCU. 47 * - most operations do write operations (actually: spin_lock calls) to 48 * the per-semaphore array structure. 49 * Thus: Perfect SMP scaling between independent semaphore arrays. 50 * If multiple semaphores in one array are used, then cache line 51 * trashing on the semaphore array spinlock will limit the scaling. 52 * - semncnt and semzcnt are calculated on demand in count_semcnt() 53 * - the task that performs a successful semop() scans the list of all 54 * sleeping tasks and completes any pending operations that can be fulfilled. 55 * Semaphores are actively given to waiting tasks (necessary for FIFO). 56 * (see update_queue()) 57 * - To improve the scalability, the actual wake-up calls are performed after 58 * dropping all locks. (see wake_up_sem_queue_prepare()) 59 * - All work is done by the waker, the woken up task does not have to do 60 * anything - not even acquiring a lock or dropping a refcount. 61 * - A woken up task may not even touch the semaphore array anymore, it may 62 * have been destroyed already by a semctl(RMID). 63 * - UNDO values are stored in an array (one per process and per 64 * semaphore array, lazily allocated). For backwards compatibility, multiple 65 * modes for the UNDO variables are supported (per process, per thread) 66 * (see copy_semundo, CLONE_SYSVSEM) 67 * - There are two lists of the pending operations: a per-array list 68 * and per-semaphore list (stored in the array). This allows to achieve FIFO 69 * ordering without always scanning all pending operations. 70 * The worst-case behavior is nevertheless O(N^2) for N wakeups. 71 */ 72 73 #include <linux/compat.h> 74 #include <linux/slab.h> 75 #include <linux/spinlock.h> 76 #include <linux/init.h> 77 #include <linux/proc_fs.h> 78 #include <linux/time.h> 79 #include <linux/security.h> 80 #include <linux/syscalls.h> 81 #include <linux/audit.h> 82 #include <linux/capability.h> 83 #include <linux/seq_file.h> 84 #include <linux/rwsem.h> 85 #include <linux/nsproxy.h> 86 #include <linux/ipc_namespace.h> 87 #include <linux/sched/wake_q.h> 88 #include <linux/nospec.h> 89 #include <linux/rhashtable.h> 90 91 #include <linux/uaccess.h> 92 #include "util.h" 93 94 /* One semaphore structure for each semaphore in the system. */ 95 struct sem { 96 int semval; /* current value */ 97 /* 98 * PID of the process that last modified the semaphore. For 99 * Linux, specifically these are: 100 * - semop 101 * - semctl, via SETVAL and SETALL. 102 * - at task exit when performing undo adjustments (see exit_sem). 103 */ 104 struct pid *sempid; 105 spinlock_t lock; /* spinlock for fine-grained semtimedop */ 106 struct list_head pending_alter; /* pending single-sop operations */ 107 /* that alter the semaphore */ 108 struct list_head pending_const; /* pending single-sop operations */ 109 /* that do not alter the semaphore*/ 110 time64_t sem_otime; /* candidate for sem_otime */ 111 } ____cacheline_aligned_in_smp; 112 113 /* One sem_array data structure for each set of semaphores in the system. */ 114 struct sem_array { 115 struct kern_ipc_perm sem_perm; /* permissions .. see ipc.h */ 116 time64_t sem_ctime; /* create/last semctl() time */ 117 struct list_head pending_alter; /* pending operations */ 118 /* that alter the array */ 119 struct list_head pending_const; /* pending complex operations */ 120 /* that do not alter semvals */ 121 struct list_head list_id; /* undo requests on this array */ 122 int sem_nsems; /* no. of semaphores in array */ 123 int complex_count; /* pending complex operations */ 124 unsigned int use_global_lock;/* >0: global lock required */ 125 126 struct sem sems[]; 127 } __randomize_layout; 128 129 /* One queue for each sleeping process in the system. */ 130 struct sem_queue { 131 struct list_head list; /* queue of pending operations */ 132 struct task_struct *sleeper; /* this process */ 133 struct sem_undo *undo; /* undo structure */ 134 struct pid *pid; /* process id of requesting process */ 135 int status; /* completion status of operation */ 136 struct sembuf *sops; /* array of pending operations */ 137 struct sembuf *blocking; /* the operation that blocked */ 138 int nsops; /* number of operations */ 139 bool alter; /* does *sops alter the array? */ 140 bool dupsop; /* sops on more than one sem_num */ 141 }; 142 143 /* Each task has a list of undo requests. They are executed automatically 144 * when the process exits. 145 */ 146 struct sem_undo { 147 struct list_head list_proc; /* per-process list: * 148 * all undos from one process 149 * rcu protected */ 150 struct rcu_head rcu; /* rcu struct for sem_undo */ 151 struct sem_undo_list *ulp; /* back ptr to sem_undo_list */ 152 struct list_head list_id; /* per semaphore array list: 153 * all undos for one array */ 154 int semid; /* semaphore set identifier */ 155 short *semadj; /* array of adjustments */ 156 /* one per semaphore */ 157 }; 158 159 /* sem_undo_list controls shared access to the list of sem_undo structures 160 * that may be shared among all a CLONE_SYSVSEM task group. 161 */ 162 struct sem_undo_list { 163 refcount_t refcnt; 164 spinlock_t lock; 165 struct list_head list_proc; 166 }; 167 168 169 #define sem_ids(ns) ((ns)->ids[IPC_SEM_IDS]) 170 171 static int newary(struct ipc_namespace *, struct ipc_params *); 172 static void freeary(struct ipc_namespace *, struct kern_ipc_perm *); 173 #ifdef CONFIG_PROC_FS 174 static int sysvipc_sem_proc_show(struct seq_file *s, void *it); 175 #endif 176 177 #define SEMMSL_FAST 256 /* 512 bytes on stack */ 178 #define SEMOPM_FAST 64 /* ~ 372 bytes on stack */ 179 180 /* 181 * Switching from the mode suitable for simple ops 182 * to the mode for complex ops is costly. Therefore: 183 * use some hysteresis 184 */ 185 #define USE_GLOBAL_LOCK_HYSTERESIS 10 186 187 /* 188 * Locking: 189 * a) global sem_lock() for read/write 190 * sem_undo.id_next, 191 * sem_array.complex_count, 192 * sem_array.pending{_alter,_const}, 193 * sem_array.sem_undo 194 * 195 * b) global or semaphore sem_lock() for read/write: 196 * sem_array.sems[i].pending_{const,alter}: 197 * 198 * c) special: 199 * sem_undo_list.list_proc: 200 * * undo_list->lock for write 201 * * rcu for read 202 * use_global_lock: 203 * * global sem_lock() for write 204 * * either local or global sem_lock() for read. 205 * 206 * Memory ordering: 207 * Most ordering is enforced by using spin_lock() and spin_unlock(). 208 * 209 * Exceptions: 210 * 1) use_global_lock: (SEM_BARRIER_1) 211 * Setting it from non-zero to 0 is a RELEASE, this is ensured by 212 * using smp_store_release(): Immediately after setting it to 0, 213 * a simple op can start. 214 * Testing if it is non-zero is an ACQUIRE, this is ensured by using 215 * smp_load_acquire(). 216 * Setting it from 0 to non-zero must be ordered with regards to 217 * this smp_load_acquire(), this is guaranteed because the smp_load_acquire() 218 * is inside a spin_lock() and after a write from 0 to non-zero a 219 * spin_lock()+spin_unlock() is done. 220 * To prevent the compiler/cpu temporarily writing 0 to use_global_lock, 221 * READ_ONCE()/WRITE_ONCE() is used. 222 * 223 * 2) queue.status: (SEM_BARRIER_2) 224 * Initialization is done while holding sem_lock(), so no further barrier is 225 * required. 226 * Setting it to a result code is a RELEASE, this is ensured by both a 227 * smp_store_release() (for case a) and while holding sem_lock() 228 * (for case b). 229 * The ACQUIRE when reading the result code without holding sem_lock() is 230 * achieved by using READ_ONCE() + smp_acquire__after_ctrl_dep(). 231 * (case a above). 232 * Reading the result code while holding sem_lock() needs no further barriers, 233 * the locks inside sem_lock() enforce ordering (case b above) 234 * 235 * 3) current->state: 236 * current->state is set to TASK_INTERRUPTIBLE while holding sem_lock(). 237 * The wakeup is handled using the wake_q infrastructure. wake_q wakeups may 238 * happen immediately after calling wake_q_add. As wake_q_add_safe() is called 239 * when holding sem_lock(), no further barriers are required. 240 * 241 * See also ipc/mqueue.c for more details on the covered races. 242 */ 243 244 #define sc_semmsl sem_ctls[0] 245 #define sc_semmns sem_ctls[1] 246 #define sc_semopm sem_ctls[2] 247 #define sc_semmni sem_ctls[3] 248 249 void sem_init_ns(struct ipc_namespace *ns) 250 { 251 ns->sc_semmsl = SEMMSL; 252 ns->sc_semmns = SEMMNS; 253 ns->sc_semopm = SEMOPM; 254 ns->sc_semmni = SEMMNI; 255 ns->used_sems = 0; 256 ipc_init_ids(&ns->ids[IPC_SEM_IDS]); 257 } 258 259 #ifdef CONFIG_IPC_NS 260 void sem_exit_ns(struct ipc_namespace *ns) 261 { 262 free_ipcs(ns, &sem_ids(ns), freeary); 263 idr_destroy(&ns->ids[IPC_SEM_IDS].ipcs_idr); 264 rhashtable_destroy(&ns->ids[IPC_SEM_IDS].key_ht); 265 } 266 #endif 267 268 void __init sem_init(void) 269 { 270 sem_init_ns(&init_ipc_ns); 271 ipc_init_proc_interface("sysvipc/sem", 272 " key semid perms nsems uid gid cuid cgid otime ctime\n", 273 IPC_SEM_IDS, sysvipc_sem_proc_show); 274 } 275 276 /** 277 * unmerge_queues - unmerge queues, if possible. 278 * @sma: semaphore array 279 * 280 * The function unmerges the wait queues if complex_count is 0. 281 * It must be called prior to dropping the global semaphore array lock. 282 */ 283 static void unmerge_queues(struct sem_array *sma) 284 { 285 struct sem_queue *q, *tq; 286 287 /* complex operations still around? */ 288 if (sma->complex_count) 289 return; 290 /* 291 * We will switch back to simple mode. 292 * Move all pending operation back into the per-semaphore 293 * queues. 294 */ 295 list_for_each_entry_safe(q, tq, &sma->pending_alter, list) { 296 struct sem *curr; 297 curr = &sma->sems[q->sops[0].sem_num]; 298 299 list_add_tail(&q->list, &curr->pending_alter); 300 } 301 INIT_LIST_HEAD(&sma->pending_alter); 302 } 303 304 /** 305 * merge_queues - merge single semop queues into global queue 306 * @sma: semaphore array 307 * 308 * This function merges all per-semaphore queues into the global queue. 309 * It is necessary to achieve FIFO ordering for the pending single-sop 310 * operations when a multi-semop operation must sleep. 311 * Only the alter operations must be moved, the const operations can stay. 312 */ 313 static void merge_queues(struct sem_array *sma) 314 { 315 int i; 316 for (i = 0; i < sma->sem_nsems; i++) { 317 struct sem *sem = &sma->sems[i]; 318 319 list_splice_init(&sem->pending_alter, &sma->pending_alter); 320 } 321 } 322 323 static void sem_rcu_free(struct rcu_head *head) 324 { 325 struct kern_ipc_perm *p = container_of(head, struct kern_ipc_perm, rcu); 326 struct sem_array *sma = container_of(p, struct sem_array, sem_perm); 327 328 security_sem_free(&sma->sem_perm); 329 kvfree(sma); 330 } 331 332 /* 333 * Enter the mode suitable for non-simple operations: 334 * Caller must own sem_perm.lock. 335 */ 336 static void complexmode_enter(struct sem_array *sma) 337 { 338 int i; 339 struct sem *sem; 340 341 if (sma->use_global_lock > 0) { 342 /* 343 * We are already in global lock mode. 344 * Nothing to do, just reset the 345 * counter until we return to simple mode. 346 */ 347 WRITE_ONCE(sma->use_global_lock, USE_GLOBAL_LOCK_HYSTERESIS); 348 return; 349 } 350 WRITE_ONCE(sma->use_global_lock, USE_GLOBAL_LOCK_HYSTERESIS); 351 352 for (i = 0; i < sma->sem_nsems; i++) { 353 sem = &sma->sems[i]; 354 spin_lock(&sem->lock); 355 spin_unlock(&sem->lock); 356 } 357 } 358 359 /* 360 * Try to leave the mode that disallows simple operations: 361 * Caller must own sem_perm.lock. 362 */ 363 static void complexmode_tryleave(struct sem_array *sma) 364 { 365 if (sma->complex_count) { 366 /* Complex ops are sleeping. 367 * We must stay in complex mode 368 */ 369 return; 370 } 371 if (sma->use_global_lock == 1) { 372 373 /* See SEM_BARRIER_1 for purpose/pairing */ 374 smp_store_release(&sma->use_global_lock, 0); 375 } else { 376 WRITE_ONCE(sma->use_global_lock, 377 sma->use_global_lock-1); 378 } 379 } 380 381 #define SEM_GLOBAL_LOCK (-1) 382 /* 383 * If the request contains only one semaphore operation, and there are 384 * no complex transactions pending, lock only the semaphore involved. 385 * Otherwise, lock the entire semaphore array, since we either have 386 * multiple semaphores in our own semops, or we need to look at 387 * semaphores from other pending complex operations. 388 */ 389 static inline int sem_lock(struct sem_array *sma, struct sembuf *sops, 390 int nsops) 391 { 392 struct sem *sem; 393 int idx; 394 395 if (nsops != 1) { 396 /* Complex operation - acquire a full lock */ 397 ipc_lock_object(&sma->sem_perm); 398 399 /* Prevent parallel simple ops */ 400 complexmode_enter(sma); 401 return SEM_GLOBAL_LOCK; 402 } 403 404 /* 405 * Only one semaphore affected - try to optimize locking. 406 * Optimized locking is possible if no complex operation 407 * is either enqueued or processed right now. 408 * 409 * Both facts are tracked by use_global_mode. 410 */ 411 idx = array_index_nospec(sops->sem_num, sma->sem_nsems); 412 sem = &sma->sems[idx]; 413 414 /* 415 * Initial check for use_global_lock. Just an optimization, 416 * no locking, no memory barrier. 417 */ 418 if (!READ_ONCE(sma->use_global_lock)) { 419 /* 420 * It appears that no complex operation is around. 421 * Acquire the per-semaphore lock. 422 */ 423 spin_lock(&sem->lock); 424 425 /* see SEM_BARRIER_1 for purpose/pairing */ 426 if (!smp_load_acquire(&sma->use_global_lock)) { 427 /* fast path successful! */ 428 return sops->sem_num; 429 } 430 spin_unlock(&sem->lock); 431 } 432 433 /* slow path: acquire the full lock */ 434 ipc_lock_object(&sma->sem_perm); 435 436 if (sma->use_global_lock == 0) { 437 /* 438 * The use_global_lock mode ended while we waited for 439 * sma->sem_perm.lock. Thus we must switch to locking 440 * with sem->lock. 441 * Unlike in the fast path, there is no need to recheck 442 * sma->use_global_lock after we have acquired sem->lock: 443 * We own sma->sem_perm.lock, thus use_global_lock cannot 444 * change. 445 */ 446 spin_lock(&sem->lock); 447 448 ipc_unlock_object(&sma->sem_perm); 449 return sops->sem_num; 450 } else { 451 /* 452 * Not a false alarm, thus continue to use the global lock 453 * mode. No need for complexmode_enter(), this was done by 454 * the caller that has set use_global_mode to non-zero. 455 */ 456 return SEM_GLOBAL_LOCK; 457 } 458 } 459 460 static inline void sem_unlock(struct sem_array *sma, int locknum) 461 { 462 if (locknum == SEM_GLOBAL_LOCK) { 463 unmerge_queues(sma); 464 complexmode_tryleave(sma); 465 ipc_unlock_object(&sma->sem_perm); 466 } else { 467 struct sem *sem = &sma->sems[locknum]; 468 spin_unlock(&sem->lock); 469 } 470 } 471 472 /* 473 * sem_lock_(check_) routines are called in the paths where the rwsem 474 * is not held. 475 * 476 * The caller holds the RCU read lock. 477 */ 478 static inline struct sem_array *sem_obtain_object(struct ipc_namespace *ns, int id) 479 { 480 struct kern_ipc_perm *ipcp = ipc_obtain_object_idr(&sem_ids(ns), id); 481 482 if (IS_ERR(ipcp)) 483 return ERR_CAST(ipcp); 484 485 return container_of(ipcp, struct sem_array, sem_perm); 486 } 487 488 static inline struct sem_array *sem_obtain_object_check(struct ipc_namespace *ns, 489 int id) 490 { 491 struct kern_ipc_perm *ipcp = ipc_obtain_object_check(&sem_ids(ns), id); 492 493 if (IS_ERR(ipcp)) 494 return ERR_CAST(ipcp); 495 496 return container_of(ipcp, struct sem_array, sem_perm); 497 } 498 499 static inline void sem_lock_and_putref(struct sem_array *sma) 500 { 501 sem_lock(sma, NULL, -1); 502 ipc_rcu_putref(&sma->sem_perm, sem_rcu_free); 503 } 504 505 static inline void sem_rmid(struct ipc_namespace *ns, struct sem_array *s) 506 { 507 ipc_rmid(&sem_ids(ns), &s->sem_perm); 508 } 509 510 static struct sem_array *sem_alloc(size_t nsems) 511 { 512 struct sem_array *sma; 513 514 if (nsems > (INT_MAX - sizeof(*sma)) / sizeof(sma->sems[0])) 515 return NULL; 516 517 sma = kvzalloc(struct_size(sma, sems, nsems), GFP_KERNEL_ACCOUNT); 518 if (unlikely(!sma)) 519 return NULL; 520 521 return sma; 522 } 523 524 /** 525 * newary - Create a new semaphore set 526 * @ns: namespace 527 * @params: ptr to the structure that contains key, semflg and nsems 528 * 529 * Called with sem_ids.rwsem held (as a writer) 530 */ 531 static int newary(struct ipc_namespace *ns, struct ipc_params *params) 532 { 533 int retval; 534 struct sem_array *sma; 535 key_t key = params->key; 536 int nsems = params->u.nsems; 537 int semflg = params->flg; 538 int i; 539 540 if (!nsems) 541 return -EINVAL; 542 if (ns->used_sems + nsems > ns->sc_semmns) 543 return -ENOSPC; 544 545 sma = sem_alloc(nsems); 546 if (!sma) 547 return -ENOMEM; 548 549 sma->sem_perm.mode = (semflg & S_IRWXUGO); 550 sma->sem_perm.key = key; 551 552 sma->sem_perm.security = NULL; 553 retval = security_sem_alloc(&sma->sem_perm); 554 if (retval) { 555 kvfree(sma); 556 return retval; 557 } 558 559 for (i = 0; i < nsems; i++) { 560 INIT_LIST_HEAD(&sma->sems[i].pending_alter); 561 INIT_LIST_HEAD(&sma->sems[i].pending_const); 562 spin_lock_init(&sma->sems[i].lock); 563 } 564 565 sma->complex_count = 0; 566 sma->use_global_lock = USE_GLOBAL_LOCK_HYSTERESIS; 567 INIT_LIST_HEAD(&sma->pending_alter); 568 INIT_LIST_HEAD(&sma->pending_const); 569 INIT_LIST_HEAD(&sma->list_id); 570 sma->sem_nsems = nsems; 571 sma->sem_ctime = ktime_get_real_seconds(); 572 573 /* ipc_addid() locks sma upon success. */ 574 retval = ipc_addid(&sem_ids(ns), &sma->sem_perm, ns->sc_semmni); 575 if (retval < 0) { 576 ipc_rcu_putref(&sma->sem_perm, sem_rcu_free); 577 return retval; 578 } 579 ns->used_sems += nsems; 580 581 sem_unlock(sma, -1); 582 rcu_read_unlock(); 583 584 return sma->sem_perm.id; 585 } 586 587 588 /* 589 * Called with sem_ids.rwsem and ipcp locked. 590 */ 591 static int sem_more_checks(struct kern_ipc_perm *ipcp, struct ipc_params *params) 592 { 593 struct sem_array *sma; 594 595 sma = container_of(ipcp, struct sem_array, sem_perm); 596 if (params->u.nsems > sma->sem_nsems) 597 return -EINVAL; 598 599 return 0; 600 } 601 602 long ksys_semget(key_t key, int nsems, int semflg) 603 { 604 struct ipc_namespace *ns; 605 static const struct ipc_ops sem_ops = { 606 .getnew = newary, 607 .associate = security_sem_associate, 608 .more_checks = sem_more_checks, 609 }; 610 struct ipc_params sem_params; 611 612 ns = current->nsproxy->ipc_ns; 613 614 if (nsems < 0 || nsems > ns->sc_semmsl) 615 return -EINVAL; 616 617 sem_params.key = key; 618 sem_params.flg = semflg; 619 sem_params.u.nsems = nsems; 620 621 return ipcget(ns, &sem_ids(ns), &sem_ops, &sem_params); 622 } 623 624 SYSCALL_DEFINE3(semget, key_t, key, int, nsems, int, semflg) 625 { 626 return ksys_semget(key, nsems, semflg); 627 } 628 629 /** 630 * perform_atomic_semop[_slow] - Attempt to perform semaphore 631 * operations on a given array. 632 * @sma: semaphore array 633 * @q: struct sem_queue that describes the operation 634 * 635 * Caller blocking are as follows, based the value 636 * indicated by the semaphore operation (sem_op): 637 * 638 * (1) >0 never blocks. 639 * (2) 0 (wait-for-zero operation): semval is non-zero. 640 * (3) <0 attempting to decrement semval to a value smaller than zero. 641 * 642 * Returns 0 if the operation was possible. 643 * Returns 1 if the operation is impossible, the caller must sleep. 644 * Returns <0 for error codes. 645 */ 646 static int perform_atomic_semop_slow(struct sem_array *sma, struct sem_queue *q) 647 { 648 int result, sem_op, nsops; 649 struct pid *pid; 650 struct sembuf *sop; 651 struct sem *curr; 652 struct sembuf *sops; 653 struct sem_undo *un; 654 655 sops = q->sops; 656 nsops = q->nsops; 657 un = q->undo; 658 659 for (sop = sops; sop < sops + nsops; sop++) { 660 int idx = array_index_nospec(sop->sem_num, sma->sem_nsems); 661 curr = &sma->sems[idx]; 662 sem_op = sop->sem_op; 663 result = curr->semval; 664 665 if (!sem_op && result) 666 goto would_block; 667 668 result += sem_op; 669 if (result < 0) 670 goto would_block; 671 if (result > SEMVMX) 672 goto out_of_range; 673 674 if (sop->sem_flg & SEM_UNDO) { 675 int undo = un->semadj[sop->sem_num] - sem_op; 676 /* Exceeding the undo range is an error. */ 677 if (undo < (-SEMAEM - 1) || undo > SEMAEM) 678 goto out_of_range; 679 un->semadj[sop->sem_num] = undo; 680 } 681 682 curr->semval = result; 683 } 684 685 sop--; 686 pid = q->pid; 687 while (sop >= sops) { 688 ipc_update_pid(&sma->sems[sop->sem_num].sempid, pid); 689 sop--; 690 } 691 692 return 0; 693 694 out_of_range: 695 result = -ERANGE; 696 goto undo; 697 698 would_block: 699 q->blocking = sop; 700 701 if (sop->sem_flg & IPC_NOWAIT) 702 result = -EAGAIN; 703 else 704 result = 1; 705 706 undo: 707 sop--; 708 while (sop >= sops) { 709 sem_op = sop->sem_op; 710 sma->sems[sop->sem_num].semval -= sem_op; 711 if (sop->sem_flg & SEM_UNDO) 712 un->semadj[sop->sem_num] += sem_op; 713 sop--; 714 } 715 716 return result; 717 } 718 719 static int perform_atomic_semop(struct sem_array *sma, struct sem_queue *q) 720 { 721 int result, sem_op, nsops; 722 struct sembuf *sop; 723 struct sem *curr; 724 struct sembuf *sops; 725 struct sem_undo *un; 726 727 sops = q->sops; 728 nsops = q->nsops; 729 un = q->undo; 730 731 if (unlikely(q->dupsop)) 732 return perform_atomic_semop_slow(sma, q); 733 734 /* 735 * We scan the semaphore set twice, first to ensure that the entire 736 * operation can succeed, therefore avoiding any pointless writes 737 * to shared memory and having to undo such changes in order to block 738 * until the operations can go through. 739 */ 740 for (sop = sops; sop < sops + nsops; sop++) { 741 int idx = array_index_nospec(sop->sem_num, sma->sem_nsems); 742 743 curr = &sma->sems[idx]; 744 sem_op = sop->sem_op; 745 result = curr->semval; 746 747 if (!sem_op && result) 748 goto would_block; /* wait-for-zero */ 749 750 result += sem_op; 751 if (result < 0) 752 goto would_block; 753 754 if (result > SEMVMX) 755 return -ERANGE; 756 757 if (sop->sem_flg & SEM_UNDO) { 758 int undo = un->semadj[sop->sem_num] - sem_op; 759 760 /* Exceeding the undo range is an error. */ 761 if (undo < (-SEMAEM - 1) || undo > SEMAEM) 762 return -ERANGE; 763 } 764 } 765 766 for (sop = sops; sop < sops + nsops; sop++) { 767 curr = &sma->sems[sop->sem_num]; 768 sem_op = sop->sem_op; 769 result = curr->semval; 770 771 if (sop->sem_flg & SEM_UNDO) { 772 int undo = un->semadj[sop->sem_num] - sem_op; 773 774 un->semadj[sop->sem_num] = undo; 775 } 776 curr->semval += sem_op; 777 ipc_update_pid(&curr->sempid, q->pid); 778 } 779 780 return 0; 781 782 would_block: 783 q->blocking = sop; 784 return sop->sem_flg & IPC_NOWAIT ? -EAGAIN : 1; 785 } 786 787 static inline void wake_up_sem_queue_prepare(struct sem_queue *q, int error, 788 struct wake_q_head *wake_q) 789 { 790 struct task_struct *sleeper; 791 792 sleeper = get_task_struct(q->sleeper); 793 794 /* see SEM_BARRIER_2 for purpose/pairing */ 795 smp_store_release(&q->status, error); 796 797 wake_q_add_safe(wake_q, sleeper); 798 } 799 800 static void unlink_queue(struct sem_array *sma, struct sem_queue *q) 801 { 802 list_del(&q->list); 803 if (q->nsops > 1) 804 sma->complex_count--; 805 } 806 807 /** check_restart(sma, q) 808 * @sma: semaphore array 809 * @q: the operation that just completed 810 * 811 * update_queue is O(N^2) when it restarts scanning the whole queue of 812 * waiting operations. Therefore this function checks if the restart is 813 * really necessary. It is called after a previously waiting operation 814 * modified the array. 815 * Note that wait-for-zero operations are handled without restart. 816 */ 817 static inline int check_restart(struct sem_array *sma, struct sem_queue *q) 818 { 819 /* pending complex alter operations are too difficult to analyse */ 820 if (!list_empty(&sma->pending_alter)) 821 return 1; 822 823 /* we were a sleeping complex operation. Too difficult */ 824 if (q->nsops > 1) 825 return 1; 826 827 /* It is impossible that someone waits for the new value: 828 * - complex operations always restart. 829 * - wait-for-zero are handled separately. 830 * - q is a previously sleeping simple operation that 831 * altered the array. It must be a decrement, because 832 * simple increments never sleep. 833 * - If there are older (higher priority) decrements 834 * in the queue, then they have observed the original 835 * semval value and couldn't proceed. The operation 836 * decremented to value - thus they won't proceed either. 837 */ 838 return 0; 839 } 840 841 /** 842 * wake_const_ops - wake up non-alter tasks 843 * @sma: semaphore array. 844 * @semnum: semaphore that was modified. 845 * @wake_q: lockless wake-queue head. 846 * 847 * wake_const_ops must be called after a semaphore in a semaphore array 848 * was set to 0. If complex const operations are pending, wake_const_ops must 849 * be called with semnum = -1, as well as with the number of each modified 850 * semaphore. 851 * The tasks that must be woken up are added to @wake_q. The return code 852 * is stored in q->pid. 853 * The function returns 1 if at least one operation was completed successfully. 854 */ 855 static int wake_const_ops(struct sem_array *sma, int semnum, 856 struct wake_q_head *wake_q) 857 { 858 struct sem_queue *q, *tmp; 859 struct list_head *pending_list; 860 int semop_completed = 0; 861 862 if (semnum == -1) 863 pending_list = &sma->pending_const; 864 else 865 pending_list = &sma->sems[semnum].pending_const; 866 867 list_for_each_entry_safe(q, tmp, pending_list, list) { 868 int error = perform_atomic_semop(sma, q); 869 870 if (error > 0) 871 continue; 872 /* operation completed, remove from queue & wakeup */ 873 unlink_queue(sma, q); 874 875 wake_up_sem_queue_prepare(q, error, wake_q); 876 if (error == 0) 877 semop_completed = 1; 878 } 879 880 return semop_completed; 881 } 882 883 /** 884 * do_smart_wakeup_zero - wakeup all wait for zero tasks 885 * @sma: semaphore array 886 * @sops: operations that were performed 887 * @nsops: number of operations 888 * @wake_q: lockless wake-queue head 889 * 890 * Checks all required queue for wait-for-zero operations, based 891 * on the actual changes that were performed on the semaphore array. 892 * The function returns 1 if at least one operation was completed successfully. 893 */ 894 static int do_smart_wakeup_zero(struct sem_array *sma, struct sembuf *sops, 895 int nsops, struct wake_q_head *wake_q) 896 { 897 int i; 898 int semop_completed = 0; 899 int got_zero = 0; 900 901 /* first: the per-semaphore queues, if known */ 902 if (sops) { 903 for (i = 0; i < nsops; i++) { 904 int num = sops[i].sem_num; 905 906 if (sma->sems[num].semval == 0) { 907 got_zero = 1; 908 semop_completed |= wake_const_ops(sma, num, wake_q); 909 } 910 } 911 } else { 912 /* 913 * No sops means modified semaphores not known. 914 * Assume all were changed. 915 */ 916 for (i = 0; i < sma->sem_nsems; i++) { 917 if (sma->sems[i].semval == 0) { 918 got_zero = 1; 919 semop_completed |= wake_const_ops(sma, i, wake_q); 920 } 921 } 922 } 923 /* 924 * If one of the modified semaphores got 0, 925 * then check the global queue, too. 926 */ 927 if (got_zero) 928 semop_completed |= wake_const_ops(sma, -1, wake_q); 929 930 return semop_completed; 931 } 932 933 934 /** 935 * update_queue - look for tasks that can be completed. 936 * @sma: semaphore array. 937 * @semnum: semaphore that was modified. 938 * @wake_q: lockless wake-queue head. 939 * 940 * update_queue must be called after a semaphore in a semaphore array 941 * was modified. If multiple semaphores were modified, update_queue must 942 * be called with semnum = -1, as well as with the number of each modified 943 * semaphore. 944 * The tasks that must be woken up are added to @wake_q. The return code 945 * is stored in q->pid. 946 * The function internally checks if const operations can now succeed. 947 * 948 * The function return 1 if at least one semop was completed successfully. 949 */ 950 static int update_queue(struct sem_array *sma, int semnum, struct wake_q_head *wake_q) 951 { 952 struct sem_queue *q, *tmp; 953 struct list_head *pending_list; 954 int semop_completed = 0; 955 956 if (semnum == -1) 957 pending_list = &sma->pending_alter; 958 else 959 pending_list = &sma->sems[semnum].pending_alter; 960 961 again: 962 list_for_each_entry_safe(q, tmp, pending_list, list) { 963 int error, restart; 964 965 /* If we are scanning the single sop, per-semaphore list of 966 * one semaphore and that semaphore is 0, then it is not 967 * necessary to scan further: simple increments 968 * that affect only one entry succeed immediately and cannot 969 * be in the per semaphore pending queue, and decrements 970 * cannot be successful if the value is already 0. 971 */ 972 if (semnum != -1 && sma->sems[semnum].semval == 0) 973 break; 974 975 error = perform_atomic_semop(sma, q); 976 977 /* Does q->sleeper still need to sleep? */ 978 if (error > 0) 979 continue; 980 981 unlink_queue(sma, q); 982 983 if (error) { 984 restart = 0; 985 } else { 986 semop_completed = 1; 987 do_smart_wakeup_zero(sma, q->sops, q->nsops, wake_q); 988 restart = check_restart(sma, q); 989 } 990 991 wake_up_sem_queue_prepare(q, error, wake_q); 992 if (restart) 993 goto again; 994 } 995 return semop_completed; 996 } 997 998 /** 999 * set_semotime - set sem_otime 1000 * @sma: semaphore array 1001 * @sops: operations that modified the array, may be NULL 1002 * 1003 * sem_otime is replicated to avoid cache line trashing. 1004 * This function sets one instance to the current time. 1005 */ 1006 static void set_semotime(struct sem_array *sma, struct sembuf *sops) 1007 { 1008 if (sops == NULL) { 1009 sma->sems[0].sem_otime = ktime_get_real_seconds(); 1010 } else { 1011 sma->sems[sops[0].sem_num].sem_otime = 1012 ktime_get_real_seconds(); 1013 } 1014 } 1015 1016 /** 1017 * do_smart_update - optimized update_queue 1018 * @sma: semaphore array 1019 * @sops: operations that were performed 1020 * @nsops: number of operations 1021 * @otime: force setting otime 1022 * @wake_q: lockless wake-queue head 1023 * 1024 * do_smart_update() does the required calls to update_queue and wakeup_zero, 1025 * based on the actual changes that were performed on the semaphore array. 1026 * Note that the function does not do the actual wake-up: the caller is 1027 * responsible for calling wake_up_q(). 1028 * It is safe to perform this call after dropping all locks. 1029 */ 1030 static void do_smart_update(struct sem_array *sma, struct sembuf *sops, int nsops, 1031 int otime, struct wake_q_head *wake_q) 1032 { 1033 int i; 1034 1035 otime |= do_smart_wakeup_zero(sma, sops, nsops, wake_q); 1036 1037 if (!list_empty(&sma->pending_alter)) { 1038 /* semaphore array uses the global queue - just process it. */ 1039 otime |= update_queue(sma, -1, wake_q); 1040 } else { 1041 if (!sops) { 1042 /* 1043 * No sops, thus the modified semaphores are not 1044 * known. Check all. 1045 */ 1046 for (i = 0; i < sma->sem_nsems; i++) 1047 otime |= update_queue(sma, i, wake_q); 1048 } else { 1049 /* 1050 * Check the semaphores that were increased: 1051 * - No complex ops, thus all sleeping ops are 1052 * decrease. 1053 * - if we decreased the value, then any sleeping 1054 * semaphore ops won't be able to run: If the 1055 * previous value was too small, then the new 1056 * value will be too small, too. 1057 */ 1058 for (i = 0; i < nsops; i++) { 1059 if (sops[i].sem_op > 0) { 1060 otime |= update_queue(sma, 1061 sops[i].sem_num, wake_q); 1062 } 1063 } 1064 } 1065 } 1066 if (otime) 1067 set_semotime(sma, sops); 1068 } 1069 1070 /* 1071 * check_qop: Test if a queued operation sleeps on the semaphore semnum 1072 */ 1073 static int check_qop(struct sem_array *sma, int semnum, struct sem_queue *q, 1074 bool count_zero) 1075 { 1076 struct sembuf *sop = q->blocking; 1077 1078 /* 1079 * Linux always (since 0.99.10) reported a task as sleeping on all 1080 * semaphores. This violates SUS, therefore it was changed to the 1081 * standard compliant behavior. 1082 * Give the administrators a chance to notice that an application 1083 * might misbehave because it relies on the Linux behavior. 1084 */ 1085 pr_info_once("semctl(GETNCNT/GETZCNT) is since 3.16 Single Unix Specification compliant.\n" 1086 "The task %s (%d) triggered the difference, watch for misbehavior.\n", 1087 current->comm, task_pid_nr(current)); 1088 1089 if (sop->sem_num != semnum) 1090 return 0; 1091 1092 if (count_zero && sop->sem_op == 0) 1093 return 1; 1094 if (!count_zero && sop->sem_op < 0) 1095 return 1; 1096 1097 return 0; 1098 } 1099 1100 /* The following counts are associated to each semaphore: 1101 * semncnt number of tasks waiting on semval being nonzero 1102 * semzcnt number of tasks waiting on semval being zero 1103 * 1104 * Per definition, a task waits only on the semaphore of the first semop 1105 * that cannot proceed, even if additional operation would block, too. 1106 */ 1107 static int count_semcnt(struct sem_array *sma, ushort semnum, 1108 bool count_zero) 1109 { 1110 struct list_head *l; 1111 struct sem_queue *q; 1112 int semcnt; 1113 1114 semcnt = 0; 1115 /* First: check the simple operations. They are easy to evaluate */ 1116 if (count_zero) 1117 l = &sma->sems[semnum].pending_const; 1118 else 1119 l = &sma->sems[semnum].pending_alter; 1120 1121 list_for_each_entry(q, l, list) { 1122 /* all task on a per-semaphore list sleep on exactly 1123 * that semaphore 1124 */ 1125 semcnt++; 1126 } 1127 1128 /* Then: check the complex operations. */ 1129 list_for_each_entry(q, &sma->pending_alter, list) { 1130 semcnt += check_qop(sma, semnum, q, count_zero); 1131 } 1132 if (count_zero) { 1133 list_for_each_entry(q, &sma->pending_const, list) { 1134 semcnt += check_qop(sma, semnum, q, count_zero); 1135 } 1136 } 1137 return semcnt; 1138 } 1139 1140 /* Free a semaphore set. freeary() is called with sem_ids.rwsem locked 1141 * as a writer and the spinlock for this semaphore set hold. sem_ids.rwsem 1142 * remains locked on exit. 1143 */ 1144 static void freeary(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp) 1145 { 1146 struct sem_undo *un, *tu; 1147 struct sem_queue *q, *tq; 1148 struct sem_array *sma = container_of(ipcp, struct sem_array, sem_perm); 1149 int i; 1150 DEFINE_WAKE_Q(wake_q); 1151 1152 /* Free the existing undo structures for this semaphore set. */ 1153 ipc_assert_locked_object(&sma->sem_perm); 1154 list_for_each_entry_safe(un, tu, &sma->list_id, list_id) { 1155 list_del(&un->list_id); 1156 spin_lock(&un->ulp->lock); 1157 un->semid = -1; 1158 list_del_rcu(&un->list_proc); 1159 spin_unlock(&un->ulp->lock); 1160 kvfree_rcu(un, rcu); 1161 } 1162 1163 /* Wake up all pending processes and let them fail with EIDRM. */ 1164 list_for_each_entry_safe(q, tq, &sma->pending_const, list) { 1165 unlink_queue(sma, q); 1166 wake_up_sem_queue_prepare(q, -EIDRM, &wake_q); 1167 } 1168 1169 list_for_each_entry_safe(q, tq, &sma->pending_alter, list) { 1170 unlink_queue(sma, q); 1171 wake_up_sem_queue_prepare(q, -EIDRM, &wake_q); 1172 } 1173 for (i = 0; i < sma->sem_nsems; i++) { 1174 struct sem *sem = &sma->sems[i]; 1175 list_for_each_entry_safe(q, tq, &sem->pending_const, list) { 1176 unlink_queue(sma, q); 1177 wake_up_sem_queue_prepare(q, -EIDRM, &wake_q); 1178 } 1179 list_for_each_entry_safe(q, tq, &sem->pending_alter, list) { 1180 unlink_queue(sma, q); 1181 wake_up_sem_queue_prepare(q, -EIDRM, &wake_q); 1182 } 1183 ipc_update_pid(&sem->sempid, NULL); 1184 } 1185 1186 /* Remove the semaphore set from the IDR */ 1187 sem_rmid(ns, sma); 1188 sem_unlock(sma, -1); 1189 rcu_read_unlock(); 1190 1191 wake_up_q(&wake_q); 1192 ns->used_sems -= sma->sem_nsems; 1193 ipc_rcu_putref(&sma->sem_perm, sem_rcu_free); 1194 } 1195 1196 static unsigned long copy_semid_to_user(void __user *buf, struct semid64_ds *in, int version) 1197 { 1198 switch (version) { 1199 case IPC_64: 1200 return copy_to_user(buf, in, sizeof(*in)); 1201 case IPC_OLD: 1202 { 1203 struct semid_ds out; 1204 1205 memset(&out, 0, sizeof(out)); 1206 1207 ipc64_perm_to_ipc_perm(&in->sem_perm, &out.sem_perm); 1208 1209 out.sem_otime = in->sem_otime; 1210 out.sem_ctime = in->sem_ctime; 1211 out.sem_nsems = in->sem_nsems; 1212 1213 return copy_to_user(buf, &out, sizeof(out)); 1214 } 1215 default: 1216 return -EINVAL; 1217 } 1218 } 1219 1220 static time64_t get_semotime(struct sem_array *sma) 1221 { 1222 int i; 1223 time64_t res; 1224 1225 res = sma->sems[0].sem_otime; 1226 for (i = 1; i < sma->sem_nsems; i++) { 1227 time64_t to = sma->sems[i].sem_otime; 1228 1229 if (to > res) 1230 res = to; 1231 } 1232 return res; 1233 } 1234 1235 static int semctl_stat(struct ipc_namespace *ns, int semid, 1236 int cmd, struct semid64_ds *semid64) 1237 { 1238 struct sem_array *sma; 1239 time64_t semotime; 1240 int err; 1241 1242 memset(semid64, 0, sizeof(*semid64)); 1243 1244 rcu_read_lock(); 1245 if (cmd == SEM_STAT || cmd == SEM_STAT_ANY) { 1246 sma = sem_obtain_object(ns, semid); 1247 if (IS_ERR(sma)) { 1248 err = PTR_ERR(sma); 1249 goto out_unlock; 1250 } 1251 } else { /* IPC_STAT */ 1252 sma = sem_obtain_object_check(ns, semid); 1253 if (IS_ERR(sma)) { 1254 err = PTR_ERR(sma); 1255 goto out_unlock; 1256 } 1257 } 1258 1259 /* see comment for SHM_STAT_ANY */ 1260 if (cmd == SEM_STAT_ANY) 1261 audit_ipc_obj(&sma->sem_perm); 1262 else { 1263 err = -EACCES; 1264 if (ipcperms(ns, &sma->sem_perm, S_IRUGO)) 1265 goto out_unlock; 1266 } 1267 1268 err = security_sem_semctl(&sma->sem_perm, cmd); 1269 if (err) 1270 goto out_unlock; 1271 1272 ipc_lock_object(&sma->sem_perm); 1273 1274 if (!ipc_valid_object(&sma->sem_perm)) { 1275 ipc_unlock_object(&sma->sem_perm); 1276 err = -EIDRM; 1277 goto out_unlock; 1278 } 1279 1280 kernel_to_ipc64_perm(&sma->sem_perm, &semid64->sem_perm); 1281 semotime = get_semotime(sma); 1282 semid64->sem_otime = semotime; 1283 semid64->sem_ctime = sma->sem_ctime; 1284 #ifndef CONFIG_64BIT 1285 semid64->sem_otime_high = semotime >> 32; 1286 semid64->sem_ctime_high = sma->sem_ctime >> 32; 1287 #endif 1288 semid64->sem_nsems = sma->sem_nsems; 1289 1290 if (cmd == IPC_STAT) { 1291 /* 1292 * As defined in SUS: 1293 * Return 0 on success 1294 */ 1295 err = 0; 1296 } else { 1297 /* 1298 * SEM_STAT and SEM_STAT_ANY (both Linux specific) 1299 * Return the full id, including the sequence number 1300 */ 1301 err = sma->sem_perm.id; 1302 } 1303 ipc_unlock_object(&sma->sem_perm); 1304 out_unlock: 1305 rcu_read_unlock(); 1306 return err; 1307 } 1308 1309 static int semctl_info(struct ipc_namespace *ns, int semid, 1310 int cmd, void __user *p) 1311 { 1312 struct seminfo seminfo; 1313 int max_idx; 1314 int err; 1315 1316 err = security_sem_semctl(NULL, cmd); 1317 if (err) 1318 return err; 1319 1320 memset(&seminfo, 0, sizeof(seminfo)); 1321 seminfo.semmni = ns->sc_semmni; 1322 seminfo.semmns = ns->sc_semmns; 1323 seminfo.semmsl = ns->sc_semmsl; 1324 seminfo.semopm = ns->sc_semopm; 1325 seminfo.semvmx = SEMVMX; 1326 seminfo.semmnu = SEMMNU; 1327 seminfo.semmap = SEMMAP; 1328 seminfo.semume = SEMUME; 1329 down_read(&sem_ids(ns).rwsem); 1330 if (cmd == SEM_INFO) { 1331 seminfo.semusz = sem_ids(ns).in_use; 1332 seminfo.semaem = ns->used_sems; 1333 } else { 1334 seminfo.semusz = SEMUSZ; 1335 seminfo.semaem = SEMAEM; 1336 } 1337 max_idx = ipc_get_maxidx(&sem_ids(ns)); 1338 up_read(&sem_ids(ns).rwsem); 1339 if (copy_to_user(p, &seminfo, sizeof(struct seminfo))) 1340 return -EFAULT; 1341 return (max_idx < 0) ? 0 : max_idx; 1342 } 1343 1344 static int semctl_setval(struct ipc_namespace *ns, int semid, int semnum, 1345 int val) 1346 { 1347 struct sem_undo *un; 1348 struct sem_array *sma; 1349 struct sem *curr; 1350 int err; 1351 DEFINE_WAKE_Q(wake_q); 1352 1353 if (val > SEMVMX || val < 0) 1354 return -ERANGE; 1355 1356 rcu_read_lock(); 1357 sma = sem_obtain_object_check(ns, semid); 1358 if (IS_ERR(sma)) { 1359 rcu_read_unlock(); 1360 return PTR_ERR(sma); 1361 } 1362 1363 if (semnum < 0 || semnum >= sma->sem_nsems) { 1364 rcu_read_unlock(); 1365 return -EINVAL; 1366 } 1367 1368 1369 if (ipcperms(ns, &sma->sem_perm, S_IWUGO)) { 1370 rcu_read_unlock(); 1371 return -EACCES; 1372 } 1373 1374 err = security_sem_semctl(&sma->sem_perm, SETVAL); 1375 if (err) { 1376 rcu_read_unlock(); 1377 return -EACCES; 1378 } 1379 1380 sem_lock(sma, NULL, -1); 1381 1382 if (!ipc_valid_object(&sma->sem_perm)) { 1383 sem_unlock(sma, -1); 1384 rcu_read_unlock(); 1385 return -EIDRM; 1386 } 1387 1388 semnum = array_index_nospec(semnum, sma->sem_nsems); 1389 curr = &sma->sems[semnum]; 1390 1391 ipc_assert_locked_object(&sma->sem_perm); 1392 list_for_each_entry(un, &sma->list_id, list_id) 1393 un->semadj[semnum] = 0; 1394 1395 curr->semval = val; 1396 ipc_update_pid(&curr->sempid, task_tgid(current)); 1397 sma->sem_ctime = ktime_get_real_seconds(); 1398 /* maybe some queued-up processes were waiting for this */ 1399 do_smart_update(sma, NULL, 0, 0, &wake_q); 1400 sem_unlock(sma, -1); 1401 rcu_read_unlock(); 1402 wake_up_q(&wake_q); 1403 return 0; 1404 } 1405 1406 static int semctl_main(struct ipc_namespace *ns, int semid, int semnum, 1407 int cmd, void __user *p) 1408 { 1409 struct sem_array *sma; 1410 struct sem *curr; 1411 int err, nsems; 1412 ushort fast_sem_io[SEMMSL_FAST]; 1413 ushort *sem_io = fast_sem_io; 1414 DEFINE_WAKE_Q(wake_q); 1415 1416 rcu_read_lock(); 1417 sma = sem_obtain_object_check(ns, semid); 1418 if (IS_ERR(sma)) { 1419 rcu_read_unlock(); 1420 return PTR_ERR(sma); 1421 } 1422 1423 nsems = sma->sem_nsems; 1424 1425 err = -EACCES; 1426 if (ipcperms(ns, &sma->sem_perm, cmd == SETALL ? S_IWUGO : S_IRUGO)) 1427 goto out_rcu_wakeup; 1428 1429 err = security_sem_semctl(&sma->sem_perm, cmd); 1430 if (err) 1431 goto out_rcu_wakeup; 1432 1433 err = -EACCES; 1434 switch (cmd) { 1435 case GETALL: 1436 { 1437 ushort __user *array = p; 1438 int i; 1439 1440 sem_lock(sma, NULL, -1); 1441 if (!ipc_valid_object(&sma->sem_perm)) { 1442 err = -EIDRM; 1443 goto out_unlock; 1444 } 1445 if (nsems > SEMMSL_FAST) { 1446 if (!ipc_rcu_getref(&sma->sem_perm)) { 1447 err = -EIDRM; 1448 goto out_unlock; 1449 } 1450 sem_unlock(sma, -1); 1451 rcu_read_unlock(); 1452 sem_io = kvmalloc_array(nsems, sizeof(ushort), 1453 GFP_KERNEL); 1454 if (sem_io == NULL) { 1455 ipc_rcu_putref(&sma->sem_perm, sem_rcu_free); 1456 return -ENOMEM; 1457 } 1458 1459 rcu_read_lock(); 1460 sem_lock_and_putref(sma); 1461 if (!ipc_valid_object(&sma->sem_perm)) { 1462 err = -EIDRM; 1463 goto out_unlock; 1464 } 1465 } 1466 for (i = 0; i < sma->sem_nsems; i++) 1467 sem_io[i] = sma->sems[i].semval; 1468 sem_unlock(sma, -1); 1469 rcu_read_unlock(); 1470 err = 0; 1471 if (copy_to_user(array, sem_io, nsems*sizeof(ushort))) 1472 err = -EFAULT; 1473 goto out_free; 1474 } 1475 case SETALL: 1476 { 1477 int i; 1478 struct sem_undo *un; 1479 1480 if (!ipc_rcu_getref(&sma->sem_perm)) { 1481 err = -EIDRM; 1482 goto out_rcu_wakeup; 1483 } 1484 rcu_read_unlock(); 1485 1486 if (nsems > SEMMSL_FAST) { 1487 sem_io = kvmalloc_array(nsems, sizeof(ushort), 1488 GFP_KERNEL); 1489 if (sem_io == NULL) { 1490 ipc_rcu_putref(&sma->sem_perm, sem_rcu_free); 1491 return -ENOMEM; 1492 } 1493 } 1494 1495 if (copy_from_user(sem_io, p, nsems*sizeof(ushort))) { 1496 ipc_rcu_putref(&sma->sem_perm, sem_rcu_free); 1497 err = -EFAULT; 1498 goto out_free; 1499 } 1500 1501 for (i = 0; i < nsems; i++) { 1502 if (sem_io[i] > SEMVMX) { 1503 ipc_rcu_putref(&sma->sem_perm, sem_rcu_free); 1504 err = -ERANGE; 1505 goto out_free; 1506 } 1507 } 1508 rcu_read_lock(); 1509 sem_lock_and_putref(sma); 1510 if (!ipc_valid_object(&sma->sem_perm)) { 1511 err = -EIDRM; 1512 goto out_unlock; 1513 } 1514 1515 for (i = 0; i < nsems; i++) { 1516 sma->sems[i].semval = sem_io[i]; 1517 ipc_update_pid(&sma->sems[i].sempid, task_tgid(current)); 1518 } 1519 1520 ipc_assert_locked_object(&sma->sem_perm); 1521 list_for_each_entry(un, &sma->list_id, list_id) { 1522 for (i = 0; i < nsems; i++) 1523 un->semadj[i] = 0; 1524 } 1525 sma->sem_ctime = ktime_get_real_seconds(); 1526 /* maybe some queued-up processes were waiting for this */ 1527 do_smart_update(sma, NULL, 0, 0, &wake_q); 1528 err = 0; 1529 goto out_unlock; 1530 } 1531 /* GETVAL, GETPID, GETNCTN, GETZCNT: fall-through */ 1532 } 1533 err = -EINVAL; 1534 if (semnum < 0 || semnum >= nsems) 1535 goto out_rcu_wakeup; 1536 1537 sem_lock(sma, NULL, -1); 1538 if (!ipc_valid_object(&sma->sem_perm)) { 1539 err = -EIDRM; 1540 goto out_unlock; 1541 } 1542 1543 semnum = array_index_nospec(semnum, nsems); 1544 curr = &sma->sems[semnum]; 1545 1546 switch (cmd) { 1547 case GETVAL: 1548 err = curr->semval; 1549 goto out_unlock; 1550 case GETPID: 1551 err = pid_vnr(curr->sempid); 1552 goto out_unlock; 1553 case GETNCNT: 1554 err = count_semcnt(sma, semnum, 0); 1555 goto out_unlock; 1556 case GETZCNT: 1557 err = count_semcnt(sma, semnum, 1); 1558 goto out_unlock; 1559 } 1560 1561 out_unlock: 1562 sem_unlock(sma, -1); 1563 out_rcu_wakeup: 1564 rcu_read_unlock(); 1565 wake_up_q(&wake_q); 1566 out_free: 1567 if (sem_io != fast_sem_io) 1568 kvfree(sem_io); 1569 return err; 1570 } 1571 1572 static inline unsigned long 1573 copy_semid_from_user(struct semid64_ds *out, void __user *buf, int version) 1574 { 1575 switch (version) { 1576 case IPC_64: 1577 if (copy_from_user(out, buf, sizeof(*out))) 1578 return -EFAULT; 1579 return 0; 1580 case IPC_OLD: 1581 { 1582 struct semid_ds tbuf_old; 1583 1584 if (copy_from_user(&tbuf_old, buf, sizeof(tbuf_old))) 1585 return -EFAULT; 1586 1587 out->sem_perm.uid = tbuf_old.sem_perm.uid; 1588 out->sem_perm.gid = tbuf_old.sem_perm.gid; 1589 out->sem_perm.mode = tbuf_old.sem_perm.mode; 1590 1591 return 0; 1592 } 1593 default: 1594 return -EINVAL; 1595 } 1596 } 1597 1598 /* 1599 * This function handles some semctl commands which require the rwsem 1600 * to be held in write mode. 1601 * NOTE: no locks must be held, the rwsem is taken inside this function. 1602 */ 1603 static int semctl_down(struct ipc_namespace *ns, int semid, 1604 int cmd, struct semid64_ds *semid64) 1605 { 1606 struct sem_array *sma; 1607 int err; 1608 struct kern_ipc_perm *ipcp; 1609 1610 down_write(&sem_ids(ns).rwsem); 1611 rcu_read_lock(); 1612 1613 ipcp = ipcctl_obtain_check(ns, &sem_ids(ns), semid, cmd, 1614 &semid64->sem_perm, 0); 1615 if (IS_ERR(ipcp)) { 1616 err = PTR_ERR(ipcp); 1617 goto out_unlock1; 1618 } 1619 1620 sma = container_of(ipcp, struct sem_array, sem_perm); 1621 1622 err = security_sem_semctl(&sma->sem_perm, cmd); 1623 if (err) 1624 goto out_unlock1; 1625 1626 switch (cmd) { 1627 case IPC_RMID: 1628 sem_lock(sma, NULL, -1); 1629 /* freeary unlocks the ipc object and rcu */ 1630 freeary(ns, ipcp); 1631 goto out_up; 1632 case IPC_SET: 1633 sem_lock(sma, NULL, -1); 1634 err = ipc_update_perm(&semid64->sem_perm, ipcp); 1635 if (err) 1636 goto out_unlock0; 1637 sma->sem_ctime = ktime_get_real_seconds(); 1638 break; 1639 default: 1640 err = -EINVAL; 1641 goto out_unlock1; 1642 } 1643 1644 out_unlock0: 1645 sem_unlock(sma, -1); 1646 out_unlock1: 1647 rcu_read_unlock(); 1648 out_up: 1649 up_write(&sem_ids(ns).rwsem); 1650 return err; 1651 } 1652 1653 static long ksys_semctl(int semid, int semnum, int cmd, unsigned long arg, int version) 1654 { 1655 struct ipc_namespace *ns; 1656 void __user *p = (void __user *)arg; 1657 struct semid64_ds semid64; 1658 int err; 1659 1660 if (semid < 0) 1661 return -EINVAL; 1662 1663 ns = current->nsproxy->ipc_ns; 1664 1665 switch (cmd) { 1666 case IPC_INFO: 1667 case SEM_INFO: 1668 return semctl_info(ns, semid, cmd, p); 1669 case IPC_STAT: 1670 case SEM_STAT: 1671 case SEM_STAT_ANY: 1672 err = semctl_stat(ns, semid, cmd, &semid64); 1673 if (err < 0) 1674 return err; 1675 if (copy_semid_to_user(p, &semid64, version)) 1676 err = -EFAULT; 1677 return err; 1678 case GETALL: 1679 case GETVAL: 1680 case GETPID: 1681 case GETNCNT: 1682 case GETZCNT: 1683 case SETALL: 1684 return semctl_main(ns, semid, semnum, cmd, p); 1685 case SETVAL: { 1686 int val; 1687 #if defined(CONFIG_64BIT) && defined(__BIG_ENDIAN) 1688 /* big-endian 64bit */ 1689 val = arg >> 32; 1690 #else 1691 /* 32bit or little-endian 64bit */ 1692 val = arg; 1693 #endif 1694 return semctl_setval(ns, semid, semnum, val); 1695 } 1696 case IPC_SET: 1697 if (copy_semid_from_user(&semid64, p, version)) 1698 return -EFAULT; 1699 fallthrough; 1700 case IPC_RMID: 1701 return semctl_down(ns, semid, cmd, &semid64); 1702 default: 1703 return -EINVAL; 1704 } 1705 } 1706 1707 SYSCALL_DEFINE4(semctl, int, semid, int, semnum, int, cmd, unsigned long, arg) 1708 { 1709 return ksys_semctl(semid, semnum, cmd, arg, IPC_64); 1710 } 1711 1712 #ifdef CONFIG_ARCH_WANT_IPC_PARSE_VERSION 1713 long ksys_old_semctl(int semid, int semnum, int cmd, unsigned long arg) 1714 { 1715 int version = ipc_parse_version(&cmd); 1716 1717 return ksys_semctl(semid, semnum, cmd, arg, version); 1718 } 1719 1720 SYSCALL_DEFINE4(old_semctl, int, semid, int, semnum, int, cmd, unsigned long, arg) 1721 { 1722 return ksys_old_semctl(semid, semnum, cmd, arg); 1723 } 1724 #endif 1725 1726 #ifdef CONFIG_COMPAT 1727 1728 struct compat_semid_ds { 1729 struct compat_ipc_perm sem_perm; 1730 old_time32_t sem_otime; 1731 old_time32_t sem_ctime; 1732 compat_uptr_t sem_base; 1733 compat_uptr_t sem_pending; 1734 compat_uptr_t sem_pending_last; 1735 compat_uptr_t undo; 1736 unsigned short sem_nsems; 1737 }; 1738 1739 static int copy_compat_semid_from_user(struct semid64_ds *out, void __user *buf, 1740 int version) 1741 { 1742 memset(out, 0, sizeof(*out)); 1743 if (version == IPC_64) { 1744 struct compat_semid64_ds __user *p = buf; 1745 return get_compat_ipc64_perm(&out->sem_perm, &p->sem_perm); 1746 } else { 1747 struct compat_semid_ds __user *p = buf; 1748 return get_compat_ipc_perm(&out->sem_perm, &p->sem_perm); 1749 } 1750 } 1751 1752 static int copy_compat_semid_to_user(void __user *buf, struct semid64_ds *in, 1753 int version) 1754 { 1755 if (version == IPC_64) { 1756 struct compat_semid64_ds v; 1757 memset(&v, 0, sizeof(v)); 1758 to_compat_ipc64_perm(&v.sem_perm, &in->sem_perm); 1759 v.sem_otime = lower_32_bits(in->sem_otime); 1760 v.sem_otime_high = upper_32_bits(in->sem_otime); 1761 v.sem_ctime = lower_32_bits(in->sem_ctime); 1762 v.sem_ctime_high = upper_32_bits(in->sem_ctime); 1763 v.sem_nsems = in->sem_nsems; 1764 return copy_to_user(buf, &v, sizeof(v)); 1765 } else { 1766 struct compat_semid_ds v; 1767 memset(&v, 0, sizeof(v)); 1768 to_compat_ipc_perm(&v.sem_perm, &in->sem_perm); 1769 v.sem_otime = in->sem_otime; 1770 v.sem_ctime = in->sem_ctime; 1771 v.sem_nsems = in->sem_nsems; 1772 return copy_to_user(buf, &v, sizeof(v)); 1773 } 1774 } 1775 1776 static long compat_ksys_semctl(int semid, int semnum, int cmd, int arg, int version) 1777 { 1778 void __user *p = compat_ptr(arg); 1779 struct ipc_namespace *ns; 1780 struct semid64_ds semid64; 1781 int err; 1782 1783 ns = current->nsproxy->ipc_ns; 1784 1785 if (semid < 0) 1786 return -EINVAL; 1787 1788 switch (cmd & (~IPC_64)) { 1789 case IPC_INFO: 1790 case SEM_INFO: 1791 return semctl_info(ns, semid, cmd, p); 1792 case IPC_STAT: 1793 case SEM_STAT: 1794 case SEM_STAT_ANY: 1795 err = semctl_stat(ns, semid, cmd, &semid64); 1796 if (err < 0) 1797 return err; 1798 if (copy_compat_semid_to_user(p, &semid64, version)) 1799 err = -EFAULT; 1800 return err; 1801 case GETVAL: 1802 case GETPID: 1803 case GETNCNT: 1804 case GETZCNT: 1805 case GETALL: 1806 case SETALL: 1807 return semctl_main(ns, semid, semnum, cmd, p); 1808 case SETVAL: 1809 return semctl_setval(ns, semid, semnum, arg); 1810 case IPC_SET: 1811 if (copy_compat_semid_from_user(&semid64, p, version)) 1812 return -EFAULT; 1813 fallthrough; 1814 case IPC_RMID: 1815 return semctl_down(ns, semid, cmd, &semid64); 1816 default: 1817 return -EINVAL; 1818 } 1819 } 1820 1821 COMPAT_SYSCALL_DEFINE4(semctl, int, semid, int, semnum, int, cmd, int, arg) 1822 { 1823 return compat_ksys_semctl(semid, semnum, cmd, arg, IPC_64); 1824 } 1825 1826 #ifdef CONFIG_ARCH_WANT_COMPAT_IPC_PARSE_VERSION 1827 long compat_ksys_old_semctl(int semid, int semnum, int cmd, int arg) 1828 { 1829 int version = compat_ipc_parse_version(&cmd); 1830 1831 return compat_ksys_semctl(semid, semnum, cmd, arg, version); 1832 } 1833 1834 COMPAT_SYSCALL_DEFINE4(old_semctl, int, semid, int, semnum, int, cmd, int, arg) 1835 { 1836 return compat_ksys_old_semctl(semid, semnum, cmd, arg); 1837 } 1838 #endif 1839 #endif 1840 1841 /* If the task doesn't already have a undo_list, then allocate one 1842 * here. We guarantee there is only one thread using this undo list, 1843 * and current is THE ONE 1844 * 1845 * If this allocation and assignment succeeds, but later 1846 * portions of this code fail, there is no need to free the sem_undo_list. 1847 * Just let it stay associated with the task, and it'll be freed later 1848 * at exit time. 1849 * 1850 * This can block, so callers must hold no locks. 1851 */ 1852 static inline int get_undo_list(struct sem_undo_list **undo_listp) 1853 { 1854 struct sem_undo_list *undo_list; 1855 1856 undo_list = current->sysvsem.undo_list; 1857 if (!undo_list) { 1858 undo_list = kzalloc(sizeof(*undo_list), GFP_KERNEL_ACCOUNT); 1859 if (undo_list == NULL) 1860 return -ENOMEM; 1861 spin_lock_init(&undo_list->lock); 1862 refcount_set(&undo_list->refcnt, 1); 1863 INIT_LIST_HEAD(&undo_list->list_proc); 1864 1865 current->sysvsem.undo_list = undo_list; 1866 } 1867 *undo_listp = undo_list; 1868 return 0; 1869 } 1870 1871 static struct sem_undo *__lookup_undo(struct sem_undo_list *ulp, int semid) 1872 { 1873 struct sem_undo *un; 1874 1875 list_for_each_entry_rcu(un, &ulp->list_proc, list_proc, 1876 spin_is_locked(&ulp->lock)) { 1877 if (un->semid == semid) 1878 return un; 1879 } 1880 return NULL; 1881 } 1882 1883 static struct sem_undo *lookup_undo(struct sem_undo_list *ulp, int semid) 1884 { 1885 struct sem_undo *un; 1886 1887 assert_spin_locked(&ulp->lock); 1888 1889 un = __lookup_undo(ulp, semid); 1890 if (un) { 1891 list_del_rcu(&un->list_proc); 1892 list_add_rcu(&un->list_proc, &ulp->list_proc); 1893 } 1894 return un; 1895 } 1896 1897 /** 1898 * find_alloc_undo - lookup (and if not present create) undo array 1899 * @ns: namespace 1900 * @semid: semaphore array id 1901 * 1902 * The function looks up (and if not present creates) the undo structure. 1903 * The size of the undo structure depends on the size of the semaphore 1904 * array, thus the alloc path is not that straightforward. 1905 * Lifetime-rules: sem_undo is rcu-protected, on success, the function 1906 * performs a rcu_read_lock(). 1907 */ 1908 static struct sem_undo *find_alloc_undo(struct ipc_namespace *ns, int semid) 1909 { 1910 struct sem_array *sma; 1911 struct sem_undo_list *ulp; 1912 struct sem_undo *un, *new; 1913 int nsems, error; 1914 1915 error = get_undo_list(&ulp); 1916 if (error) 1917 return ERR_PTR(error); 1918 1919 rcu_read_lock(); 1920 spin_lock(&ulp->lock); 1921 un = lookup_undo(ulp, semid); 1922 spin_unlock(&ulp->lock); 1923 if (likely(un != NULL)) 1924 goto out; 1925 1926 /* no undo structure around - allocate one. */ 1927 /* step 1: figure out the size of the semaphore array */ 1928 sma = sem_obtain_object_check(ns, semid); 1929 if (IS_ERR(sma)) { 1930 rcu_read_unlock(); 1931 return ERR_CAST(sma); 1932 } 1933 1934 nsems = sma->sem_nsems; 1935 if (!ipc_rcu_getref(&sma->sem_perm)) { 1936 rcu_read_unlock(); 1937 un = ERR_PTR(-EIDRM); 1938 goto out; 1939 } 1940 rcu_read_unlock(); 1941 1942 /* step 2: allocate new undo structure */ 1943 new = kvzalloc(sizeof(struct sem_undo) + sizeof(short)*nsems, 1944 GFP_KERNEL_ACCOUNT); 1945 if (!new) { 1946 ipc_rcu_putref(&sma->sem_perm, sem_rcu_free); 1947 return ERR_PTR(-ENOMEM); 1948 } 1949 1950 /* step 3: Acquire the lock on semaphore array */ 1951 rcu_read_lock(); 1952 sem_lock_and_putref(sma); 1953 if (!ipc_valid_object(&sma->sem_perm)) { 1954 sem_unlock(sma, -1); 1955 rcu_read_unlock(); 1956 kvfree(new); 1957 un = ERR_PTR(-EIDRM); 1958 goto out; 1959 } 1960 spin_lock(&ulp->lock); 1961 1962 /* 1963 * step 4: check for races: did someone else allocate the undo struct? 1964 */ 1965 un = lookup_undo(ulp, semid); 1966 if (un) { 1967 kvfree(new); 1968 goto success; 1969 } 1970 /* step 5: initialize & link new undo structure */ 1971 new->semadj = (short *) &new[1]; 1972 new->ulp = ulp; 1973 new->semid = semid; 1974 assert_spin_locked(&ulp->lock); 1975 list_add_rcu(&new->list_proc, &ulp->list_proc); 1976 ipc_assert_locked_object(&sma->sem_perm); 1977 list_add(&new->list_id, &sma->list_id); 1978 un = new; 1979 1980 success: 1981 spin_unlock(&ulp->lock); 1982 sem_unlock(sma, -1); 1983 out: 1984 return un; 1985 } 1986 1987 long __do_semtimedop(int semid, struct sembuf *sops, 1988 unsigned nsops, const struct timespec64 *timeout, 1989 struct ipc_namespace *ns) 1990 { 1991 int error = -EINVAL; 1992 struct sem_array *sma; 1993 struct sembuf *sop; 1994 struct sem_undo *un; 1995 int max, locknum; 1996 bool undos = false, alter = false, dupsop = false; 1997 struct sem_queue queue; 1998 unsigned long dup = 0, jiffies_left = 0; 1999 2000 if (nsops < 1 || semid < 0) 2001 return -EINVAL; 2002 if (nsops > ns->sc_semopm) 2003 return -E2BIG; 2004 2005 if (timeout) { 2006 if (timeout->tv_sec < 0 || timeout->tv_nsec < 0 || 2007 timeout->tv_nsec >= 1000000000L) { 2008 error = -EINVAL; 2009 goto out; 2010 } 2011 jiffies_left = timespec64_to_jiffies(timeout); 2012 } 2013 2014 2015 max = 0; 2016 for (sop = sops; sop < sops + nsops; sop++) { 2017 unsigned long mask = 1ULL << ((sop->sem_num) % BITS_PER_LONG); 2018 2019 if (sop->sem_num >= max) 2020 max = sop->sem_num; 2021 if (sop->sem_flg & SEM_UNDO) 2022 undos = true; 2023 if (dup & mask) { 2024 /* 2025 * There was a previous alter access that appears 2026 * to have accessed the same semaphore, thus use 2027 * the dupsop logic. "appears", because the detection 2028 * can only check % BITS_PER_LONG. 2029 */ 2030 dupsop = true; 2031 } 2032 if (sop->sem_op != 0) { 2033 alter = true; 2034 dup |= mask; 2035 } 2036 } 2037 2038 if (undos) { 2039 /* On success, find_alloc_undo takes the rcu_read_lock */ 2040 un = find_alloc_undo(ns, semid); 2041 if (IS_ERR(un)) { 2042 error = PTR_ERR(un); 2043 goto out; 2044 } 2045 } else { 2046 un = NULL; 2047 rcu_read_lock(); 2048 } 2049 2050 sma = sem_obtain_object_check(ns, semid); 2051 if (IS_ERR(sma)) { 2052 rcu_read_unlock(); 2053 error = PTR_ERR(sma); 2054 goto out; 2055 } 2056 2057 error = -EFBIG; 2058 if (max >= sma->sem_nsems) { 2059 rcu_read_unlock(); 2060 goto out; 2061 } 2062 2063 error = -EACCES; 2064 if (ipcperms(ns, &sma->sem_perm, alter ? S_IWUGO : S_IRUGO)) { 2065 rcu_read_unlock(); 2066 goto out; 2067 } 2068 2069 error = security_sem_semop(&sma->sem_perm, sops, nsops, alter); 2070 if (error) { 2071 rcu_read_unlock(); 2072 goto out; 2073 } 2074 2075 error = -EIDRM; 2076 locknum = sem_lock(sma, sops, nsops); 2077 /* 2078 * We eventually might perform the following check in a lockless 2079 * fashion, considering ipc_valid_object() locking constraints. 2080 * If nsops == 1 and there is no contention for sem_perm.lock, then 2081 * only a per-semaphore lock is held and it's OK to proceed with the 2082 * check below. More details on the fine grained locking scheme 2083 * entangled here and why it's RMID race safe on comments at sem_lock() 2084 */ 2085 if (!ipc_valid_object(&sma->sem_perm)) 2086 goto out_unlock; 2087 /* 2088 * semid identifiers are not unique - find_alloc_undo may have 2089 * allocated an undo structure, it was invalidated by an RMID 2090 * and now a new array with received the same id. Check and fail. 2091 * This case can be detected checking un->semid. The existence of 2092 * "un" itself is guaranteed by rcu. 2093 */ 2094 if (un && un->semid == -1) 2095 goto out_unlock; 2096 2097 queue.sops = sops; 2098 queue.nsops = nsops; 2099 queue.undo = un; 2100 queue.pid = task_tgid(current); 2101 queue.alter = alter; 2102 queue.dupsop = dupsop; 2103 2104 error = perform_atomic_semop(sma, &queue); 2105 if (error == 0) { /* non-blocking successful path */ 2106 DEFINE_WAKE_Q(wake_q); 2107 2108 /* 2109 * If the operation was successful, then do 2110 * the required updates. 2111 */ 2112 if (alter) 2113 do_smart_update(sma, sops, nsops, 1, &wake_q); 2114 else 2115 set_semotime(sma, sops); 2116 2117 sem_unlock(sma, locknum); 2118 rcu_read_unlock(); 2119 wake_up_q(&wake_q); 2120 2121 goto out; 2122 } 2123 if (error < 0) /* non-blocking error path */ 2124 goto out_unlock; 2125 2126 /* 2127 * We need to sleep on this operation, so we put the current 2128 * task into the pending queue and go to sleep. 2129 */ 2130 if (nsops == 1) { 2131 struct sem *curr; 2132 int idx = array_index_nospec(sops->sem_num, sma->sem_nsems); 2133 curr = &sma->sems[idx]; 2134 2135 if (alter) { 2136 if (sma->complex_count) { 2137 list_add_tail(&queue.list, 2138 &sma->pending_alter); 2139 } else { 2140 2141 list_add_tail(&queue.list, 2142 &curr->pending_alter); 2143 } 2144 } else { 2145 list_add_tail(&queue.list, &curr->pending_const); 2146 } 2147 } else { 2148 if (!sma->complex_count) 2149 merge_queues(sma); 2150 2151 if (alter) 2152 list_add_tail(&queue.list, &sma->pending_alter); 2153 else 2154 list_add_tail(&queue.list, &sma->pending_const); 2155 2156 sma->complex_count++; 2157 } 2158 2159 do { 2160 /* memory ordering ensured by the lock in sem_lock() */ 2161 WRITE_ONCE(queue.status, -EINTR); 2162 queue.sleeper = current; 2163 2164 /* memory ordering is ensured by the lock in sem_lock() */ 2165 __set_current_state(TASK_INTERRUPTIBLE); 2166 sem_unlock(sma, locknum); 2167 rcu_read_unlock(); 2168 2169 if (timeout) 2170 jiffies_left = schedule_timeout(jiffies_left); 2171 else 2172 schedule(); 2173 2174 /* 2175 * fastpath: the semop has completed, either successfully or 2176 * not, from the syscall pov, is quite irrelevant to us at this 2177 * point; we're done. 2178 * 2179 * We _do_ care, nonetheless, about being awoken by a signal or 2180 * spuriously. The queue.status is checked again in the 2181 * slowpath (aka after taking sem_lock), such that we can detect 2182 * scenarios where we were awakened externally, during the 2183 * window between wake_q_add() and wake_up_q(). 2184 */ 2185 error = READ_ONCE(queue.status); 2186 if (error != -EINTR) { 2187 /* see SEM_BARRIER_2 for purpose/pairing */ 2188 smp_acquire__after_ctrl_dep(); 2189 goto out; 2190 } 2191 2192 rcu_read_lock(); 2193 locknum = sem_lock(sma, sops, nsops); 2194 2195 if (!ipc_valid_object(&sma->sem_perm)) 2196 goto out_unlock; 2197 2198 /* 2199 * No necessity for any barrier: We are protect by sem_lock() 2200 */ 2201 error = READ_ONCE(queue.status); 2202 2203 /* 2204 * If queue.status != -EINTR we are woken up by another process. 2205 * Leave without unlink_queue(), but with sem_unlock(). 2206 */ 2207 if (error != -EINTR) 2208 goto out_unlock; 2209 2210 /* 2211 * If an interrupt occurred we have to clean up the queue. 2212 */ 2213 if (timeout && jiffies_left == 0) 2214 error = -EAGAIN; 2215 } while (error == -EINTR && !signal_pending(current)); /* spurious */ 2216 2217 unlink_queue(sma, &queue); 2218 2219 out_unlock: 2220 sem_unlock(sma, locknum); 2221 rcu_read_unlock(); 2222 out: 2223 return error; 2224 } 2225 2226 static long do_semtimedop(int semid, struct sembuf __user *tsops, 2227 unsigned nsops, const struct timespec64 *timeout) 2228 { 2229 struct sembuf fast_sops[SEMOPM_FAST]; 2230 struct sembuf *sops = fast_sops; 2231 struct ipc_namespace *ns; 2232 int ret; 2233 2234 ns = current->nsproxy->ipc_ns; 2235 if (nsops > ns->sc_semopm) 2236 return -E2BIG; 2237 if (nsops < 1) 2238 return -EINVAL; 2239 2240 if (nsops > SEMOPM_FAST) { 2241 sops = kvmalloc_array(nsops, sizeof(*sops), GFP_KERNEL_ACCOUNT); 2242 if (sops == NULL) 2243 return -ENOMEM; 2244 } 2245 2246 if (copy_from_user(sops, tsops, nsops * sizeof(*tsops))) { 2247 ret = -EFAULT; 2248 goto out_free; 2249 } 2250 2251 ret = __do_semtimedop(semid, sops, nsops, timeout, ns); 2252 2253 out_free: 2254 if (sops != fast_sops) 2255 kvfree(sops); 2256 2257 return ret; 2258 } 2259 2260 long ksys_semtimedop(int semid, struct sembuf __user *tsops, 2261 unsigned int nsops, const struct __kernel_timespec __user *timeout) 2262 { 2263 if (timeout) { 2264 struct timespec64 ts; 2265 if (get_timespec64(&ts, timeout)) 2266 return -EFAULT; 2267 return do_semtimedop(semid, tsops, nsops, &ts); 2268 } 2269 return do_semtimedop(semid, tsops, nsops, NULL); 2270 } 2271 2272 SYSCALL_DEFINE4(semtimedop, int, semid, struct sembuf __user *, tsops, 2273 unsigned int, nsops, const struct __kernel_timespec __user *, timeout) 2274 { 2275 return ksys_semtimedop(semid, tsops, nsops, timeout); 2276 } 2277 2278 #ifdef CONFIG_COMPAT_32BIT_TIME 2279 long compat_ksys_semtimedop(int semid, struct sembuf __user *tsems, 2280 unsigned int nsops, 2281 const struct old_timespec32 __user *timeout) 2282 { 2283 if (timeout) { 2284 struct timespec64 ts; 2285 if (get_old_timespec32(&ts, timeout)) 2286 return -EFAULT; 2287 return do_semtimedop(semid, tsems, nsops, &ts); 2288 } 2289 return do_semtimedop(semid, tsems, nsops, NULL); 2290 } 2291 2292 SYSCALL_DEFINE4(semtimedop_time32, int, semid, struct sembuf __user *, tsems, 2293 unsigned int, nsops, 2294 const struct old_timespec32 __user *, timeout) 2295 { 2296 return compat_ksys_semtimedop(semid, tsems, nsops, timeout); 2297 } 2298 #endif 2299 2300 SYSCALL_DEFINE3(semop, int, semid, struct sembuf __user *, tsops, 2301 unsigned, nsops) 2302 { 2303 return do_semtimedop(semid, tsops, nsops, NULL); 2304 } 2305 2306 /* If CLONE_SYSVSEM is set, establish sharing of SEM_UNDO state between 2307 * parent and child tasks. 2308 */ 2309 2310 int copy_semundo(unsigned long clone_flags, struct task_struct *tsk) 2311 { 2312 struct sem_undo_list *undo_list; 2313 int error; 2314 2315 if (clone_flags & CLONE_SYSVSEM) { 2316 error = get_undo_list(&undo_list); 2317 if (error) 2318 return error; 2319 refcount_inc(&undo_list->refcnt); 2320 tsk->sysvsem.undo_list = undo_list; 2321 } else 2322 tsk->sysvsem.undo_list = NULL; 2323 2324 return 0; 2325 } 2326 2327 /* 2328 * add semadj values to semaphores, free undo structures. 2329 * undo structures are not freed when semaphore arrays are destroyed 2330 * so some of them may be out of date. 2331 * IMPLEMENTATION NOTE: There is some confusion over whether the 2332 * set of adjustments that needs to be done should be done in an atomic 2333 * manner or not. That is, if we are attempting to decrement the semval 2334 * should we queue up and wait until we can do so legally? 2335 * The original implementation attempted to do this (queue and wait). 2336 * The current implementation does not do so. The POSIX standard 2337 * and SVID should be consulted to determine what behavior is mandated. 2338 */ 2339 void exit_sem(struct task_struct *tsk) 2340 { 2341 struct sem_undo_list *ulp; 2342 2343 ulp = tsk->sysvsem.undo_list; 2344 if (!ulp) 2345 return; 2346 tsk->sysvsem.undo_list = NULL; 2347 2348 if (!refcount_dec_and_test(&ulp->refcnt)) 2349 return; 2350 2351 for (;;) { 2352 struct sem_array *sma; 2353 struct sem_undo *un; 2354 int semid, i; 2355 DEFINE_WAKE_Q(wake_q); 2356 2357 cond_resched(); 2358 2359 rcu_read_lock(); 2360 un = list_entry_rcu(ulp->list_proc.next, 2361 struct sem_undo, list_proc); 2362 if (&un->list_proc == &ulp->list_proc) { 2363 /* 2364 * We must wait for freeary() before freeing this ulp, 2365 * in case we raced with last sem_undo. There is a small 2366 * possibility where we exit while freeary() didn't 2367 * finish unlocking sem_undo_list. 2368 */ 2369 spin_lock(&ulp->lock); 2370 spin_unlock(&ulp->lock); 2371 rcu_read_unlock(); 2372 break; 2373 } 2374 spin_lock(&ulp->lock); 2375 semid = un->semid; 2376 spin_unlock(&ulp->lock); 2377 2378 /* exit_sem raced with IPC_RMID, nothing to do */ 2379 if (semid == -1) { 2380 rcu_read_unlock(); 2381 continue; 2382 } 2383 2384 sma = sem_obtain_object_check(tsk->nsproxy->ipc_ns, semid); 2385 /* exit_sem raced with IPC_RMID, nothing to do */ 2386 if (IS_ERR(sma)) { 2387 rcu_read_unlock(); 2388 continue; 2389 } 2390 2391 sem_lock(sma, NULL, -1); 2392 /* exit_sem raced with IPC_RMID, nothing to do */ 2393 if (!ipc_valid_object(&sma->sem_perm)) { 2394 sem_unlock(sma, -1); 2395 rcu_read_unlock(); 2396 continue; 2397 } 2398 un = __lookup_undo(ulp, semid); 2399 if (un == NULL) { 2400 /* exit_sem raced with IPC_RMID+semget() that created 2401 * exactly the same semid. Nothing to do. 2402 */ 2403 sem_unlock(sma, -1); 2404 rcu_read_unlock(); 2405 continue; 2406 } 2407 2408 /* remove un from the linked lists */ 2409 ipc_assert_locked_object(&sma->sem_perm); 2410 list_del(&un->list_id); 2411 2412 spin_lock(&ulp->lock); 2413 list_del_rcu(&un->list_proc); 2414 spin_unlock(&ulp->lock); 2415 2416 /* perform adjustments registered in un */ 2417 for (i = 0; i < sma->sem_nsems; i++) { 2418 struct sem *semaphore = &sma->sems[i]; 2419 if (un->semadj[i]) { 2420 semaphore->semval += un->semadj[i]; 2421 /* 2422 * Range checks of the new semaphore value, 2423 * not defined by sus: 2424 * - Some unices ignore the undo entirely 2425 * (e.g. HP UX 11i 11.22, Tru64 V5.1) 2426 * - some cap the value (e.g. FreeBSD caps 2427 * at 0, but doesn't enforce SEMVMX) 2428 * 2429 * Linux caps the semaphore value, both at 0 2430 * and at SEMVMX. 2431 * 2432 * Manfred <manfred@colorfullife.com> 2433 */ 2434 if (semaphore->semval < 0) 2435 semaphore->semval = 0; 2436 if (semaphore->semval > SEMVMX) 2437 semaphore->semval = SEMVMX; 2438 ipc_update_pid(&semaphore->sempid, task_tgid(current)); 2439 } 2440 } 2441 /* maybe some queued-up processes were waiting for this */ 2442 do_smart_update(sma, NULL, 0, 1, &wake_q); 2443 sem_unlock(sma, -1); 2444 rcu_read_unlock(); 2445 wake_up_q(&wake_q); 2446 2447 kvfree_rcu(un, rcu); 2448 } 2449 kfree(ulp); 2450 } 2451 2452 #ifdef CONFIG_PROC_FS 2453 static int sysvipc_sem_proc_show(struct seq_file *s, void *it) 2454 { 2455 struct user_namespace *user_ns = seq_user_ns(s); 2456 struct kern_ipc_perm *ipcp = it; 2457 struct sem_array *sma = container_of(ipcp, struct sem_array, sem_perm); 2458 time64_t sem_otime; 2459 2460 /* 2461 * The proc interface isn't aware of sem_lock(), it calls 2462 * ipc_lock_object(), i.e. spin_lock(&sma->sem_perm.lock). 2463 * (in sysvipc_find_ipc) 2464 * In order to stay compatible with sem_lock(), we must 2465 * enter / leave complex_mode. 2466 */ 2467 complexmode_enter(sma); 2468 2469 sem_otime = get_semotime(sma); 2470 2471 seq_printf(s, 2472 "%10d %10d %4o %10u %5u %5u %5u %5u %10llu %10llu\n", 2473 sma->sem_perm.key, 2474 sma->sem_perm.id, 2475 sma->sem_perm.mode, 2476 sma->sem_nsems, 2477 from_kuid_munged(user_ns, sma->sem_perm.uid), 2478 from_kgid_munged(user_ns, sma->sem_perm.gid), 2479 from_kuid_munged(user_ns, sma->sem_perm.cuid), 2480 from_kgid_munged(user_ns, sma->sem_perm.cgid), 2481 sem_otime, 2482 sma->sem_ctime); 2483 2484 complexmode_tryleave(sma); 2485 2486 return 0; 2487 } 2488 #endif 2489