1 /*
2  * linux/ipc/shm.c
3  * Copyright (C) 1992, 1993 Krishna Balasubramanian
4  *	 Many improvements/fixes by Bruno Haible.
5  * Replaced `struct shm_desc' by `struct vm_area_struct', July 1994.
6  * Fixed the shm swap deallocation (shm_unuse()), August 1998 Andrea Arcangeli.
7  *
8  * /proc/sysvipc/shm support (c) 1999 Dragos Acostachioaie <dragos@iname.com>
9  * BIGMEM support, Andrea Arcangeli <andrea@suse.de>
10  * SMP thread shm, Jean-Luc Boyard <jean-luc.boyard@siemens.fr>
11  * HIGHMEM support, Ingo Molnar <mingo@redhat.com>
12  * Make shmmax, shmall, shmmni sysctl'able, Christoph Rohland <cr@sap.com>
13  * Shared /dev/zero support, Kanoj Sarcar <kanoj@sgi.com>
14  * Move the mm functionality over to mm/shmem.c, Christoph Rohland <cr@sap.com>
15  *
16  * support for audit of ipc object properties and permission changes
17  * Dustin Kirkland <dustin.kirkland@us.ibm.com>
18  *
19  * namespaces support
20  * OpenVZ, SWsoft Inc.
21  * Pavel Emelianov <xemul@openvz.org>
22  */
23 
24 #include <linux/slab.h>
25 #include <linux/mm.h>
26 #include <linux/hugetlb.h>
27 #include <linux/shm.h>
28 #include <linux/init.h>
29 #include <linux/file.h>
30 #include <linux/mman.h>
31 #include <linux/shmem_fs.h>
32 #include <linux/security.h>
33 #include <linux/syscalls.h>
34 #include <linux/audit.h>
35 #include <linux/capability.h>
36 #include <linux/ptrace.h>
37 #include <linux/seq_file.h>
38 #include <linux/mutex.h>
39 #include <linux/nsproxy.h>
40 
41 #include <asm/uaccess.h>
42 
43 #include "util.h"
44 
/* Operation tables defined further down; declared here for newseg()/shm_mmap(). */
static struct file_operations shm_file_operations;
static struct vm_operations_struct shm_vm_ops;

/* Id table of the initial ipc namespace, hooked up in shm_init(). */
static struct ipc_ids init_shm_ids;

/* The shm id table of namespace @ns lives in ns->ids[IPC_SHM_IDS]. */
#define shm_ids(ns)	(*((ns)->ids[IPC_SHM_IDS]))

/*
 * Per-segment helpers on top of the generic ipc id table.  shm_lock()
 * returns the segment locked; callers treat NULL as "no such id".
 */
#define shm_lock(ns, id)		\
	((struct shmid_kernel*)ipc_lock(&shm_ids(ns),id))
#define shm_unlock(shp)			\
	ipc_unlock(&(shp)->shm_perm)
#define shm_get(ns, id)			\
	((struct shmid_kernel*)ipc_get(&shm_ids(ns),id))
#define shm_buildid(ns, id, seq)	\
	ipc_buildid(&shm_ids(ns), id, seq)

/* Forward declarations; the definitions follow below. */
static int newseg (struct ipc_namespace *ns, key_t key,
		int shmflg, size_t size);
static void shm_open (struct vm_area_struct *shmd);
static void shm_close (struct vm_area_struct *shmd);
static void shm_destroy (struct ipc_namespace *ns, struct shmid_kernel *shp);
#ifdef CONFIG_PROC_FS
static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
#endif
69 
/*
 * __shm_init_ns - attach an id table to a namespace and load the defaults
 * @ns:  namespace being initialised
 * @ids: id table that will hold the shm segments of @ns
 *
 * Installs @ids as the SHM id table of @ns, resets the shmmax/shmall/shmmni
 * limits to their compile-time defaults, starts the page accounting at
 * zero and finally initialises @ids itself.
 */
static void __ipc_init __shm_init_ns(struct ipc_namespace *ns, struct ipc_ids *ids)
{
	/* Resource limits; these are the sysctl-tunable defaults. */
	ns->shm_ctlmax = SHMMAX;
	ns->shm_ctlall = SHMALL;
	ns->shm_ctlmni = SHMMNI;
	/* No pages are accounted to the namespace yet. */
	ns->shm_tot = 0;
	/* Hook the table into the namespace, then set it up. */
	ns->ids[IPC_SHM_IDS] = ids;
	ipc_init_ids(ids, 1);
}
79 
/*
 * do_shm_rmid - mark a segment destroyed, or free it when nobody is attached
 * @ns:  namespace owning @shp
 * @shp: segment, locked by the caller
 *
 * Always returns with @shp unlocked.  With attachments outstanding the
 * destruction is deferred: SHM_DEST is set and the key is reset to
 * IPC_PRIVATE so no further shmget() can find the segment; the last
 * detach (shm_close()) then frees it.  Otherwise shm_destroy() frees it
 * right away.
 */
static void do_shm_rmid(struct ipc_namespace *ns, struct shmid_kernel *shp)
{
	if (!shp->shm_nattch) {
		shm_destroy(ns, shp);
		return;
	}

	shp->shm_perm.mode |= SHM_DEST;
	/* Hide the segment from key lookups from now on. */
	shp->shm_perm.key = IPC_PRIVATE;
	shm_unlock(shp);
}
90 
91 #ifdef CONFIG_IPC_NS
/*
 * shm_init_ns - allocate and initialise the shm id table of a new namespace
 * @ns: namespace being created
 *
 * Returns 0, or -ENOMEM if the id table could not be allocated.  The table
 * is freed again by shm_exit_ns().
 */
int shm_init_ns(struct ipc_namespace *ns)
{
	struct ipc_ids *ids = kmalloc(sizeof(*ids), GFP_KERNEL);

	if (!ids)
		return -ENOMEM;

	__shm_init_ns(ns, ids);
	return 0;
}
103 
/*
 * shm_exit_ns - tear down every segment of a namespace and free its id table
 * @ns: namespace going away
 *
 * Walks all ids under shm_ids(ns).mutex and hands each live segment to
 * do_shm_rmid(), which either frees it or marks it SHM_DEST for the last
 * detach.  Afterwards the id table itself is released and the namespace
 * pointer cleared.
 */
void shm_exit_ns(struct ipc_namespace *ns)
{
	struct ipc_ids *ids;
	int id;

	mutex_lock(&shm_ids(ns).mutex);
	for (id = 0; id <= shm_ids(ns).max_id; id++) {
		struct shmid_kernel *shp = shm_lock(ns, id);

		/* do_shm_rmid() drops the per-segment lock for us. */
		if (shp)
			do_shm_rmid(ns, shp);
	}
	mutex_unlock(&shm_ids(ns).mutex);

	ids = ns->ids[IPC_SHM_IDS];
	ipc_fini_ids(ids);
	kfree(ids);
	ns->ids[IPC_SHM_IDS] = NULL;
}
123 #endif
124 
/*
 * shm_init - boot-time setup of the initial namespace and /proc/sysvipc/shm
 *
 * The header line must line up with the format used by
 * sysvipc_shm_proc_show().
 */
void __init shm_init (void)
{
	const char *header =
		"       key      shmid perms       size  cpid  lpid nattch   uid   gid  cuid  cgid      atime      dtime      ctime\n";

	__shm_init_ns(&init_ipc_ns, &init_shm_ids);
	ipc_init_proc_interface("sysvipc/shm", header, IPC_SHM_IDS,
				sysvipc_shm_proc_show);
}
132 
/*
 * shm_checkid - verify that a locked segment still matches the id it was found by
 * @ns: namespace of the segment
 * @s:  locked segment
 * @id: id the caller used
 *
 * Returns 0 when the id is current, -EIDRM when it refers to a removed
 * (recycled) segment.
 */
static inline int shm_checkid(struct ipc_namespace *ns,
		struct shmid_kernel *s, int id)
{
	int stale = ipc_checkid(&shm_ids(ns), &s->shm_perm, id);

	return stale ? -EIDRM : 0;
}
140 
/*
 * shm_rmid - remove an id from the namespace's shm table
 * @ns: namespace of the segment
 * @id: id to remove
 *
 * Returns the segment that was registered under @id.
 */
static inline struct shmid_kernel *shm_rmid(struct ipc_namespace *ns, int id)
{
	struct kern_ipc_perm *perm = ipc_rmid(&shm_ids(ns), id);

	return (struct shmid_kernel *)perm;
}
145 
/*
 * shm_addid - register a new segment in the namespace's shm table
 * @ns:  namespace of the segment
 * @shp: segment to register
 *
 * The table size is bounded by ns->shm_ctlmni.  Returns the new index, or
 * -1 when no slot is available (see newseg()).
 */
static inline int shm_addid(struct ipc_namespace *ns, struct shmid_kernel *shp)
{
	int limit = ns->shm_ctlmni;

	return ipc_addid(&shm_ids(ns), &shp->shm_perm, limit);
}
150 
151 
152 
/*
 * shm_inc - record one more attachment of a segment
 * @ns: namespace of the segment
 * @id: segment id (the file's i_ino, see newseg())
 *
 * Bumps shm_nattch and stamps the attach time and last pid.  The id must
 * be valid: a missing segment is a BUG.
 */
static inline void shm_inc(struct ipc_namespace *ns, int id)
{
	struct shmid_kernel *seg = shm_lock(ns, id);

	BUG_ON(!seg);
	seg->shm_nattch++;
	seg->shm_lprid = current->tgid;
	seg->shm_atim = get_seconds();
	shm_unlock(seg);
}
164 
/*
 * The ipc namespace a shm file belongs to is stored in file->private_data
 * (set in newseg(), cleared in shm_release()).  The macro is an lvalue.
 */
#define shm_file_ns(file) (*((struct ipc_namespace **)&(file)->private_data))
166 
/*
 * shm_open - vma open callback; called by fork, once for every shm attach.
 * @shmd: the vma being duplicated
 *
 * The segment id is recovered from the backing file's inode number, which
 * newseg() set to the segment id.
 */
static void shm_open(struct vm_area_struct *shmd)
{
	struct file *file = shmd->vm_file;
	int id = file->f_path.dentry->d_inode->i_ino;

	shm_inc(shm_file_ns(file), id);
}
173 
/*
 * shm_destroy - free the struct shmid_kernel
 *
 * @ns:  namespace the segment belongs to
 * @shp: struct to free
 *
 * It has to be called with shp and shm_ids.mutex locked,
 * but returns with shp unlocked and freed.
 */
static void shm_destroy(struct ipc_namespace *ns, struct shmid_kernel *shp)
{
	/* Give back the pages charged in newseg() (same rounding as there). */
	ns->shm_tot -= (shp->shm_segsz + PAGE_SIZE - 1) >> PAGE_SHIFT;
	/* Drop the id while the caller still holds shm_ids.mutex. */
	shm_rmid(ns, shp->id);
	shm_unlock(shp);
	/* Undo any SHM_LOCK accounting before the last file reference goes. */
	if (!is_file_hugepages(shp->shm_file))
		shmem_lock(shp->shm_file, 0, shp->mlock_user);
	else
		user_shm_unlock(shp->shm_file->f_path.dentry->d_inode->i_size,
						shp->mlock_user);
	fput (shp->shm_file);
	security_shm_free(shp);
	ipc_rcu_putref(shp);
}
196 
/*
 * remove the attach descriptor shmd.
 * free memory for segment if it is marked destroyed.
 * The descriptor has already been removed from the current->mm->mmap list
 * and will later be kfree()d.
 *
 * @shmd: the vma being torn down
 *
 * shm_ids(ns).mutex is taken here because shm_destroy() must be called
 * with it held; the segment is freed only when this was the last
 * attachment and IPC_RMID already marked it SHM_DEST.
 */
static void shm_close (struct vm_area_struct *shmd)
{
	struct file * file = shmd->vm_file;
	/* newseg() stores the segment id in the inode number. */
	int id = file->f_path.dentry->d_inode->i_ino;
	struct shmid_kernel *shp;
	struct ipc_namespace *ns;

	ns = shm_file_ns(file);

	mutex_lock(&shm_ids(ns).mutex);
	/* remove from the list of attaches of the shm segment */
	shp = shm_lock(ns, id);
	BUG_ON(!shp);
	shp->shm_lprid = current->tgid;
	shp->shm_dtim = get_seconds();
	shp->shm_nattch--;
	if(shp->shm_nattch == 0 &&
	   shp->shm_perm.mode & SHM_DEST)
		shm_destroy(ns, shp);
	else
		shm_unlock(shp);
	mutex_unlock(&shm_ids(ns).mutex);
}
226 
/*
 * shm_mmap - file_operations.mmap for shm-backed files
 * @file: the segment's backing file
 * @vma:  the new mapping
 *
 * Delegates to shmem_mmap(), then installs shm_vm_ops so that
 * shm_open()/shm_close() track attachments, and counts this mapping as an
 * attachment.  Returns shmem_mmap()'s error, or 0.
 */
static int shm_mmap(struct file * file, struct vm_area_struct * vma)
{
	int err = shmem_mmap(file, vma);

	if (err)
		return err;

	vma->vm_ops = &shm_vm_ops;
	/*
	 * A mapping created without write access must not be upgradable to
	 * writable later on, so clear VM_MAYWRITE as well.
	 */
	if (!(vma->vm_flags & VM_WRITE))
		vma->vm_flags &= ~VM_MAYWRITE;
	shm_inc(shm_file_ns(file), file->f_path.dentry->d_inode->i_ino);
	return 0;
}
241 
/*
 * shm_release - file_operations.release for shm-backed files
 * @ino:  unused
 * @file: file being closed for the last time
 *
 * Drops the namespace reference that newseg() stored in the file and
 * clears the pointer.  Always returns 0.
 */
static int shm_release(struct inode *ino, struct file *file)
{
	struct ipc_namespace *ns = shm_file_ns(file);

	shm_file_ns(file) = NULL;
	put_ipc_ns(ns);
	return 0;
}
251 
/* Installed on non-hugetlb segment files by newseg(). */
static struct file_operations shm_file_operations = {
	.mmap		= shm_mmap,
	.release	= shm_release,
#ifndef CONFIG_MMU
	.get_unmapped_area = shmem_get_unmapped_area,
#endif
};
259 
/*
 * vma operations for attached segments; shm_mmap() installs them and
 * sys_shmdt() uses the pointer to recognise shm vmas.  Paging and NUMA
 * policy are handled by shmem.
 */
static struct vm_operations_struct shm_vm_ops = {
	.open	= shm_open,	/* callback for a new vm-area open */
	.close	= shm_close,	/* callback for when the vm-area is released */
	.nopage	= shmem_nopage,
#if defined(CONFIG_NUMA) && defined(CONFIG_SHMEM)
	.set_policy = shmem_set_policy,
	.get_policy = shmem_get_policy,
#endif
};
269 
/*
 * newseg - create a new shared memory segment
 * @ns:     namespace the segment is created in
 * @key:    IPC key (IPC_PRIVATE or the key handed to shmget())
 * @shmflg: shmget() flags; the low nine bits become the permission mode
 * @size:   requested size in bytes
 *
 * Called with shm_ids(ns).mutex held (see sys_shmget()).  Returns the new
 * segment id or a negative errno.  On success the backing file holds a
 * reference on @ns, its inode number carries the segment id, and the
 * segment's pages are charged to ns->shm_tot.
 */
static int newseg (struct ipc_namespace *ns, key_t key, int shmflg, size_t size)
{
	int error;
	struct shmid_kernel *shp;
	/*
	 * NOTE(review): numpages is an int derived from a size_t; with a
	 * 64-bit size_t and a raised shm_ctlmax the shifted value may not
	 * fit — confirm the sysctl bounds on shm_ctlmax.
	 */
	int numpages = (size + PAGE_SIZE -1) >> PAGE_SHIFT;
	struct file * file;
	char name[13];
	int id;

	if (size < SHMMIN || size > ns->shm_ctlmax)
		return -EINVAL;

	/*
	 * NOTE(review): the sum is not checked for wrap-around against
	 * ns->shm_tot before the comparison — confirm shm_tot's width
	 * relative to shm_ctlall.
	 */
	if (ns->shm_tot + numpages > ns->shm_ctlall)
		return -ENOSPC;

	shp = ipc_rcu_alloc(sizeof(*shp));
	if (!shp)
		return -ENOMEM;

	shp->shm_perm.key = key;
	shp->shm_perm.mode = (shmflg & S_IRWXUGO);
	shp->mlock_user = NULL;

	/* The LSM gets to attach its state before anything else is set up. */
	shp->shm_perm.security = NULL;
	error = security_shm_alloc(shp);
	if (error) {
		ipc_rcu_putref(shp);
		return error;
	}

	if (shmflg & SHM_HUGETLB) {
		/* hugetlb_zero_setup takes care of mlock user accounting */
		file = hugetlb_zero_setup(size);
		shp->mlock_user = current->user;
	} else {
		int acctflag = VM_ACCOUNT;
		/*
		 * Do not allow no accounting for OVERCOMMIT_NEVER, even
		 * if it's asked for.
		 */
		if  ((shmflg & SHM_NORESERVE) &&
				sysctl_overcommit_memory != OVERCOMMIT_NEVER)
			acctflag = 0;
		/* "SYSV" + 8 hex digits + NUL is exactly the 13 bytes of name[]. */
		sprintf (name, "SYSV%08x", key);
		file = shmem_file_setup(name, size, acctflag);
	}
	error = PTR_ERR(file);
	if (IS_ERR(file))
		goto no_file;

	/* shm_addid() hands the segment back locked; see shm_unlock() below. */
	error = -ENOSPC;
	id = shm_addid(ns, shp);
	if(id == -1)
		goto no_id;

	shp->shm_cprid = current->tgid;
	shp->shm_lprid = 0;
	shp->shm_atim = shp->shm_dtim = 0;
	shp->shm_ctim = get_seconds();
	shp->shm_segsz = size;
	shp->shm_nattch = 0;
	shp->id = shm_buildid(ns, id, shp->shm_perm.seq);
	shp->shm_file = file;
	/* shm_open()/shm_close()/shm_mmap() recover the id from i_ino. */
	file->f_path.dentry->d_inode->i_ino = shp->id;

	/* Reference dropped by shm_release(). */
	shm_file_ns(file) = get_ipc_ns(ns);

	/* Hugetlb ops would have already been assigned. */
	if (!(shmflg & SHM_HUGETLB))
		file->f_op = &shm_file_operations;

	ns->shm_tot += numpages;
	shm_unlock(shp);
	return shp->id;

no_id:
	fput(file);
no_file:
	security_shm_free(shp);
	ipc_rcu_putref(shp);
	return error;
}
352 
/*
 * sys_shmget - find or create a shared memory segment
 * @key:    IPC_PRIVATE for an anonymous segment, otherwise the lookup key
 * @size:   requested size
 * @shmflg: IPC_CREAT/IPC_EXCL plus creation flags and permission bits
 *
 * shm_ids(ns).mutex is held for the whole lookup-or-create sequence.  An
 * existing segment is returned only if it is at least @size bytes, the
 * caller passes ipcperms() for the requested mode, and the
 * security_shm_associate() hook agrees.
 *
 * Returns the segment id or a negative errno.
 */
asmlinkage long sys_shmget (key_t key, size_t size, int shmflg)
{
	struct shmid_kernel *shp;
	int err, id = 0;
	struct ipc_namespace *ns;

	ns = current->nsproxy->ipc_ns;

	mutex_lock(&shm_ids(ns).mutex);
	if (key == IPC_PRIVATE) {
		err = newseg(ns, key, shmflg, size);
	} else if ((id = ipc_findkey(&shm_ids(ns), key)) == -1) {
		/* No segment under that key: create one only if asked to. */
		if (!(shmflg & IPC_CREAT))
			err = -ENOENT;
		else
			err = newseg(ns, key, shmflg, size);
	} else if ((shmflg & IPC_CREAT) && (shmflg & IPC_EXCL)) {
		err = -EEXIST;
	} else {
		/* The key was just found under the mutex, so the id must exist. */
		shp = shm_lock(ns, id);
		BUG_ON(shp==NULL);
		if (shp->shm_segsz < size)
			err = -EINVAL;
		else if (ipcperms(&shp->shm_perm, shmflg))
			err = -EACCES;
		else {
			int shmid = shm_buildid(ns, id, shp->shm_perm.seq);
			err = security_shm_associate(shp, shmflg);
			if (!err)
				err = shmid;
		}
		shm_unlock(shp);
	}
	mutex_unlock(&shm_ids(ns).mutex);

	return err;
}
390 
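/*
 * copy_shmid_to_user - copy a segment's status to user space
 * @buf:     user buffer
 * @in:      kernel-side status in the 64-bit layout
 * @version: IPC_64 to copy @in as is, IPC_OLD to narrow it to struct shmid_ds
 *
 * Returns non-zero if the copy to user space fails (the caller maps that to
 * -EFAULT), -EINVAL for an unknown @version, 0 on success.
 */
static inline unsigned long copy_shmid_to_user(void __user *buf, struct shmid64_ds *in, int version)
{
	switch(version) {
	case IPC_64:
		return copy_to_user(buf, in, sizeof(*in));
	case IPC_OLD:
	    {
		struct shmid_ds out;

		/*
		 * The whole struct is copied out below, so zero it first:
		 * members not assigned here and any padding must not carry
		 * stale kernel stack contents to user space.  The other
		 * copy-out paths in sys_shmctl() memset their buffers too.
		 */
		memset(&out, 0, sizeof(out));
		ipc64_perm_to_ipc_perm(&in->shm_perm, &out.shm_perm);
		out.shm_segsz	= in->shm_segsz;
		out.shm_atime	= in->shm_atime;
		out.shm_dtime	= in->shm_dtime;
		out.shm_ctime	= in->shm_ctime;
		out.shm_cpid	= in->shm_cpid;
		out.shm_lpid	= in->shm_lpid;
		out.shm_nattch	= in->shm_nattch;

		return copy_to_user(buf, &out, sizeof(out));
	    }
	default:
		return -EINVAL;
	}
}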
415 
/* The only fields IPC_SET may change; filled by copy_shmid_from_user(). */
struct shm_setbuf {
	uid_t	uid;
	gid_t	gid;
	mode_t	mode;
};
421 
/*
 * copy_shmid_from_user - fetch the IPC_SET parameters from user space
 * @out:     receives uid, gid and mode
 * @buf:     user buffer in the layout selected by @version
 * @version: IPC_64 (struct shmid64_ds) or IPC_OLD (struct shmid_ds)
 *
 * Only the ownership and mode fields are extracted.  Returns 0 on success,
 * -EFAULT if the user copy fails, -EINVAL for an unknown @version.
 */
static inline unsigned long copy_shmid_from_user(struct shm_setbuf *out, void __user *buf, int version)
{
	if (version == IPC_64) {
		struct shmid64_ds tbuf;

		if (copy_from_user(&tbuf, buf, sizeof(tbuf)))
			return -EFAULT;

		out->uid = tbuf.shm_perm.uid;
		out->gid = tbuf.shm_perm.gid;
		out->mode = tbuf.shm_perm.mode;
		return 0;
	}

	if (version == IPC_OLD) {
		struct shmid_ds tbuf_old;

		if (copy_from_user(&tbuf_old, buf, sizeof(tbuf_old)))
			return -EFAULT;

		out->uid = tbuf_old.shm_perm.uid;
		out->gid = tbuf_old.shm_perm.gid;
		out->mode = tbuf_old.shm_perm.mode;
		return 0;
	}

	return -EINVAL;
}
455 
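/*
 * copy_shminfo_to_user - copy the namespace limits to user space
 * @buf:     user buffer
 * @in:      limits in the 64-bit layout
 * @version: IPC_64 to copy @in as is, IPC_OLD to narrow it to struct shminfo
 *
 * Returns non-zero if the copy to user space fails, -EINVAL for an unknown
 * @version, 0 on success.
 */
static inline unsigned long copy_shminfo_to_user(void __user *buf, struct shminfo64 *in, int version)
{
	switch(version) {
	case IPC_64:
		return copy_to_user(buf, in, sizeof(*in));
	case IPC_OLD:
	    {
		struct shminfo out;

		/*
		 * Every member is assigned below; the memset additionally
		 * clears padding so the stack buffer never leaks to user
		 * space, matching the IPC_INFO path in sys_shmctl().
		 */
		memset(&out, 0, sizeof(out));

		/* The old ABI carries shmmax as an int; clamp rather than truncate. */
		if(in->shmmax > INT_MAX)
			out.shmmax = INT_MAX;
		else
			out.shmmax = (int)in->shmmax;

		out.shmmin	= in->shmmin;
		out.shmmni	= in->shmmni;
		out.shmseg	= in->shmseg;
		out.shmall	= in->shmall;

		return copy_to_user(buf, &out, sizeof(out));
	    }
	default:
		return -EINVAL;
	}
}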
481 
/*
 * shm_get_stat - sum resident and swapped pages over all segments
 * @ns:  namespace to scan
 * @rss: receives the resident page count
 * @swp: receives the swapped page count
 *
 * Called from SHM_INFO with shm_ids(ns).mutex held.  Hugetlb files count
 * their pages in huge-page units and are scaled to base pages; shmem files
 * are read under their inode lock.
 */
static void shm_get_stat(struct ipc_namespace *ns, unsigned long *rss,
		unsigned long *swp)
{
	int id;

	*rss = 0;
	*swp = 0;

	for (id = 0; id <= shm_ids(ns).max_id; id++) {
		struct shmid_kernel *seg = shm_get(ns, id);
		struct inode *inode;

		if (!seg)
			continue;

		inode = seg->shm_file->f_path.dentry->d_inode;

		if (!is_file_hugepages(seg->shm_file)) {
			struct shmem_inode_info *info = SHMEM_I(inode);

			spin_lock(&info->lock);
			*rss += inode->i_mapping->nrpages;
			*swp += info->swapped;
			spin_unlock(&info->lock);
			continue;
		}

		/* Hugetlb: nrpages is in huge pages, convert to base pages. */
		*rss += (HPAGE_SIZE/PAGE_SIZE) * inode->i_mapping->nrpages;
	}
}
512 
/*
 * sys_shmctl - control operations on a shared memory segment
 * @shmid: segment id (for SHM_STAT an index into the id table)
 * @cmd:   IPC_INFO, SHM_INFO, IPC_STAT, SHM_STAT, SHM_LOCK, SHM_UNLOCK,
 *         IPC_RMID or IPC_SET; ipc_parse_version() separates the ABI
 *         version from it
 * @buf:   user buffer whose layout depends on @cmd and the ABI version
 *
 * Locking differs per command: the *_INFO, *_STAT and SHM_LOCK/SHM_UNLOCK
 * paths take only the per-segment lock, IPC_RMID and IPC_SET additionally
 * hold shm_ids(ns).mutex.  Ownership checks compare the caller's euid with
 * the segment's uid and cuid; CAP_IPC_LOCK overrides them for
 * SHM_LOCK/SHM_UNLOCK and CAP_SYS_ADMIN for IPC_RMID/IPC_SET.  Every
 * command also passes through the security_shm_shmctl() hook.
 *
 * Returns 0 or a command-specific non-negative value on success, a
 * negative errno otherwise.
 */
asmlinkage long sys_shmctl (int shmid, int cmd, struct shmid_ds __user *buf)
{
	struct shm_setbuf setbuf;
	struct shmid_kernel *shp;
	int err, version;
	struct ipc_namespace *ns;

	if (cmd < 0 || shmid < 0) {
		err = -EINVAL;
		goto out;
	}

	version = ipc_parse_version(&cmd);
	ns = current->nsproxy->ipc_ns;

	switch (cmd) { /* replace with proc interface ? */
	case IPC_INFO:
	{
		/* Namespace-wide limits; no segment is involved. */
		struct shminfo64 shminfo;

		err = security_shm_shmctl(NULL, cmd);
		if (err)
			return err;

		/* Zeroed before the copy-out so padding cannot leak. */
		memset(&shminfo,0,sizeof(shminfo));
		shminfo.shmmni = shminfo.shmseg = ns->shm_ctlmni;
		shminfo.shmmax = ns->shm_ctlmax;
		shminfo.shmall = ns->shm_ctlall;

		shminfo.shmmin = SHMMIN;
		if(copy_shminfo_to_user (buf, &shminfo, version))
			return -EFAULT;
		/* reading a integer is always atomic */
		err= shm_ids(ns).max_id;
		if(err<0)
			err = 0;
		goto out;
	}
	case SHM_INFO:
	{
		/* Usage statistics; the table scan needs the ids mutex. */
		struct shm_info shm_info;

		err = security_shm_shmctl(NULL, cmd);
		if (err)
			return err;

		memset(&shm_info,0,sizeof(shm_info));
		mutex_lock(&shm_ids(ns).mutex);
		shm_info.used_ids = shm_ids(ns).in_use;
		shm_get_stat (ns, &shm_info.shm_rss, &shm_info.shm_swp);
		shm_info.shm_tot = ns->shm_tot;
		shm_info.swap_attempts = 0;
		shm_info.swap_successes = 0;
		err = shm_ids(ns).max_id;
		mutex_unlock(&shm_ids(ns).mutex);
		if(copy_to_user (buf, &shm_info, sizeof(shm_info))) {
			err = -EFAULT;
			goto out;
		}

		/* Like IPC_INFO: the highest index in use, never negative. */
		err = err < 0 ? 0 : err;
		goto out;
	}
	case SHM_STAT:
	case IPC_STAT:
	{
		struct shmid64_ds tbuf;
		int result;
		memset(&tbuf, 0, sizeof(tbuf));
		shp = shm_lock(ns, shmid);
		if(shp==NULL) {
			err = -EINVAL;
			goto out;
		} else if(cmd==SHM_STAT) {
			/* SHM_STAT takes an index and returns the full id. */
			err = -EINVAL;
			if (shmid > shm_ids(ns).max_id)
				goto out_unlock;
			result = shm_buildid(ns, shmid, shp->shm_perm.seq);
		} else {
			err = shm_checkid(ns, shp,shmid);
			if(err)
				goto out_unlock;
			result = 0;
		}
		/* Read permission on the segment is enough for a stat. */
		err=-EACCES;
		if (ipcperms (&shp->shm_perm, S_IRUGO))
			goto out_unlock;
		err = security_shm_shmctl(shp, cmd);
		if (err)
			goto out_unlock;
		kernel_to_ipc64_perm(&shp->shm_perm, &tbuf.shm_perm);
		tbuf.shm_segsz	= shp->shm_segsz;
		tbuf.shm_atime	= shp->shm_atim;
		tbuf.shm_dtime	= shp->shm_dtim;
		tbuf.shm_ctime	= shp->shm_ctim;
		tbuf.shm_cpid	= shp->shm_cprid;
		tbuf.shm_lpid	= shp->shm_lprid;
		/* Hugetlb segments report file references instead of shm_nattch. */
		if (!is_file_hugepages(shp->shm_file))
			tbuf.shm_nattch	= shp->shm_nattch;
		else
			tbuf.shm_nattch = file_count(shp->shm_file) - 1;
		shm_unlock(shp);
		/* Copy out without the segment lock held. */
		if(copy_shmid_to_user (buf, &tbuf, version))
			err = -EFAULT;
		else
			err = result;
		goto out;
	}
	case SHM_LOCK:
	case SHM_UNLOCK:
	{
		shp = shm_lock(ns, shmid);
		if(shp==NULL) {
			err = -EINVAL;
			goto out;
		}
		err = shm_checkid(ns, shp,shmid);
		if(err)
			goto out_unlock;

		err = audit_ipc_obj(&(shp->shm_perm));
		if (err)
			goto out_unlock;

		/*
		 * Without CAP_IPC_LOCK only the owner or creator may lock,
		 * and only if RLIMIT_MEMLOCK is non-zero.
		 * NOTE(review): only a zero limit is rejected here; whether
		 * the limit is enforced against the segment size is left to
		 * shmem_lock() — confirm.
		 */
		if (!capable(CAP_IPC_LOCK)) {
			err = -EPERM;
			if (current->euid != shp->shm_perm.uid &&
			    current->euid != shp->shm_perm.cuid)
				goto out_unlock;
			if (cmd == SHM_LOCK &&
			    !current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur)
				goto out_unlock;
		}

		err = security_shm_shmctl(shp, cmd);
		if (err)
			goto out_unlock;

		/* Hugetlb segments are skipped: their pages are not swappable here. */
		if(cmd==SHM_LOCK) {
			struct user_struct * user = current->user;
			if (!is_file_hugepages(shp->shm_file)) {
				err = shmem_lock(shp->shm_file, 1, user);
				if (!err) {
					shp->shm_perm.mode |= SHM_LOCKED;
					shp->mlock_user = user;
				}
			}
		} else if (!is_file_hugepages(shp->shm_file)) {
			shmem_lock(shp->shm_file, 0, shp->mlock_user);
			shp->shm_perm.mode &= ~SHM_LOCKED;
			shp->mlock_user = NULL;
		}
		shm_unlock(shp);
		goto out;
	}
	case IPC_RMID:
	{
		/*
		 *	We cannot simply remove the file. The SVID states
		 *	that the block remains until the last person
		 *	detaches from it, then is deleted. A shmat() on
		 *	an RMID segment is legal in older Linux and if
		 *	we change it apps break...
		 *
		 *	Instead we set a destroyed flag, and then blow
		 *	the name away when the usage hits zero.
		 */
		/* do_shm_rmid()/shm_destroy() require the ids mutex. */
		mutex_lock(&shm_ids(ns).mutex);
		shp = shm_lock(ns, shmid);
		err = -EINVAL;
		if (shp == NULL)
			goto out_up;
		err = shm_checkid(ns, shp, shmid);
		if(err)
			goto out_unlock_up;

		err = audit_ipc_obj(&(shp->shm_perm));
		if (err)
			goto out_unlock_up;

		/* Owner, creator or CAP_SYS_ADMIN may remove. */
		if (current->euid != shp->shm_perm.uid &&
		    current->euid != shp->shm_perm.cuid &&
		    !capable(CAP_SYS_ADMIN)) {
			err=-EPERM;
			goto out_unlock_up;
		}

		err = security_shm_shmctl(shp, cmd);
		if (err)
			goto out_unlock_up;

		/* Returns with shp unlocked (and possibly freed). */
		do_shm_rmid(ns, shp);
		mutex_unlock(&shm_ids(ns).mutex);
		goto out;
	}

	case IPC_SET:
	{
		/* Fetch the new owner/mode before taking any lock. */
		if (copy_shmid_from_user (&setbuf, buf, version)) {
			err = -EFAULT;
			goto out;
		}
		mutex_lock(&shm_ids(ns).mutex);
		shp = shm_lock(ns, shmid);
		err=-EINVAL;
		if(shp==NULL)
			goto out_up;
		err = shm_checkid(ns, shp,shmid);
		if(err)
			goto out_unlock_up;
		err = audit_ipc_obj(&(shp->shm_perm));
		if (err)
			goto out_unlock_up;
		err = audit_ipc_set_perm(0, setbuf.uid, setbuf.gid, setbuf.mode);
		if (err)
			goto out_unlock_up;
		/* Owner, creator or CAP_SYS_ADMIN may change ownership/mode. */
		err=-EPERM;
		if (current->euid != shp->shm_perm.uid &&
		    current->euid != shp->shm_perm.cuid &&
		    !capable(CAP_SYS_ADMIN)) {
			goto out_unlock_up;
		}

		err = security_shm_shmctl(shp, cmd);
		if (err)
			goto out_unlock_up;

		/* Only the rwx permission bits are taken from user space. */
		shp->shm_perm.uid = setbuf.uid;
		shp->shm_perm.gid = setbuf.gid;
		shp->shm_perm.mode = (shp->shm_perm.mode & ~S_IRWXUGO)
			| (setbuf.mode & S_IRWXUGO);
		shp->shm_ctim = get_seconds();
		break;
	}

	default:
		err = -EINVAL;
		goto out;
	}

	/* Only IPC_SET falls through to here, with both locks still held. */
	err = 0;
out_unlock_up:
	shm_unlock(shp);
out_up:
	mutex_unlock(&shm_ids(ns).mutex);
	goto out;
out_unlock:
	shm_unlock(shp);
out:
	return err;
}
764 
/*
 * Fix shmaddr, allocate descriptor, map shm, add attach descriptor to lists.
 *
 * NOTE! Despite the name, this is NOT a direct system call entrypoint. The
 * "raddr" thing points to kernel space, and there has to be a wrapper around
 * this.
 *
 * @shmid:   segment id
 * @shmaddr: requested user address, or NULL to let do_mmap() choose
 * @shmflg:  SHM_RND, SHM_RDONLY, SHM_EXEC and/or SHM_REMAP
 * @raddr:   kernel-space slot that receives the mapped address on success
 *
 * Access is checked with ipcperms() against the mode derived from @shmflg
 * (read-only or read/write, plus exec), then via security_shm_shmat().
 * shm_nattch is raised while the segment lock is dropped for the mmap so
 * that an already IPC_RMID'd segment is not destroyed under us (see the
 * SHM_DEST check after the mmap); shm_mmap() records the real attachment
 * and the temporary count is dropped again afterwards.
 *
 * Returns 0 with *@raddr set, or a negative errno.
 */
long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr)
{
	struct shmid_kernel *shp;
	unsigned long addr;
	unsigned long size;
	struct file * file;
	int    err;
	unsigned long flags;
	unsigned long prot;
	int acc_mode;
	void *user_addr;
	struct ipc_namespace *ns;

	if (shmid < 0) {
		err = -EINVAL;
		goto out;
	} else if ((addr = (ulong)shmaddr)) {
		/* A caller-supplied address must be SHMLBA aligned unless SHM_RND. */
		if (addr & (SHMLBA-1)) {
			if (shmflg & SHM_RND)
				addr &= ~(SHMLBA-1);	   /* round down */
			else
#ifndef __ARCH_FORCE_SHMLBA
				if (addr & ~PAGE_MASK)
#endif
					return -EINVAL;
		}
		flags = MAP_SHARED | MAP_FIXED;
	} else {
		/* SHM_REMAP makes no sense without an address to replace. */
		if ((shmflg & SHM_REMAP))
			return -EINVAL;

		flags = MAP_SHARED;
	}

	/* prot is what do_mmap() gets; acc_mode is what ipcperms() checks. */
	if (shmflg & SHM_RDONLY) {
		prot = PROT_READ;
		acc_mode = S_IRUGO;
	} else {
		prot = PROT_READ | PROT_WRITE;
		acc_mode = S_IRUGO | S_IWUGO;
	}
	if (shmflg & SHM_EXEC) {
		prot |= PROT_EXEC;
		acc_mode |= S_IXUGO;
	}

	/*
	 * We cannot rely on the fs check since SYSV IPC does have an
	 * additional creator id...
	 */
	ns = current->nsproxy->ipc_ns;
	shp = shm_lock(ns, shmid);
	if(shp == NULL) {
		err = -EINVAL;
		goto out;
	}
	err = shm_checkid(ns, shp,shmid);
	if (err) {
		shm_unlock(shp);
		goto out;
	}
	if (ipcperms(&shp->shm_perm, acc_mode)) {
		shm_unlock(shp);
		err = -EACCES;
		goto out;
	}

	/* LSM veto: nothing has been counted yet, so a plain return is fine. */
	err = security_shm_shmat(shp, shmaddr, shmflg);
	if (err) {
		shm_unlock(shp);
		return err;
	}

	file = shp->shm_file;
	size = i_size_read(file->f_path.dentry->d_inode);
	/* Temporary hold; undone after the mmap below. */
	shp->shm_nattch++;
	shm_unlock(shp);

	down_write(&current->mm->mmap_sem);
	if (addr && !(shmflg & SHM_REMAP)) {
		/*
		 * NOTE(review): addr + size is not checked for wrap-around
		 * before find_vma_intersection() — confirm do_mmap()
		 * rejects such a range before relying on this check.
		 */
		user_addr = ERR_PTR(-EINVAL);
		if (find_vma_intersection(current->mm, addr, addr + size))
			goto invalid;
		/*
		 * If shm segment goes below stack, make sure there is some
		 * space left for the stack to grow (at least 4 pages).
		 */
		if (addr < current->mm->start_stack &&
		    addr > current->mm->start_stack - size - PAGE_SIZE * 5)
			goto invalid;
	}

	/* shm_mmap() runs from here and takes the real attachment. */
	user_addr = (void*) do_mmap (file, addr, size, prot, flags, 0);

invalid:
	up_write(&current->mm->mmap_sem);

	/* Drop the temporary hold; destroy if that was the last one. */
	mutex_lock(&shm_ids(ns).mutex);
	shp = shm_lock(ns, shmid);
	BUG_ON(!shp);
	shp->shm_nattch--;
	if(shp->shm_nattch == 0 &&
	   shp->shm_perm.mode & SHM_DEST)
		shm_destroy(ns, shp);
	else
		shm_unlock(shp);
	mutex_unlock(&shm_ids(ns).mutex);

	*raddr = (unsigned long) user_addr;
	err = 0;
	if (IS_ERR(user_addr))
		err = PTR_ERR(user_addr);
out:
	return err;
}
887 
/*
 * sys_shmat - system call wrapper around do_shmat()
 * @shmid:   segment id
 * @shmaddr: requested address or NULL
 * @shmflg:  SHM_* flags
 *
 * Returns the mapped address on success, a negative errno otherwise.  The
 * address itself may look like an error value to the arch return path,
 * hence force_successful_syscall_return().
 */
asmlinkage long sys_shmat(int shmid, char __user *shmaddr, int shmflg)
{
	unsigned long attach_addr;
	long err = do_shmat(shmid, shmaddr, shmflg, &attach_addr);

	if (!err) {
		force_successful_syscall_return();
		err = (long)attach_addr;
	}
	return err;
}
899 
/*
 * detach and kill segment if marked destroyed.
 * The work is done in shm_close.
 *
 * @shmaddr: address returned by an earlier shmat(); must be page aligned
 *
 * Only vmas whose vm_ops are shm_vm_ops (or hugetlb vmas) with a matching
 * page offset are unmapped, so an address inside an unrelated mapping
 * yields -EINVAL rather than an unmap.  Returns 0 once a matching vma was
 * found, -EINVAL otherwise.
 */
asmlinkage long sys_shmdt(char __user *shmaddr)
{
	struct mm_struct *mm = current->mm;
	struct vm_area_struct *vma, *next;
	unsigned long addr = (unsigned long)shmaddr;
	loff_t size = 0;
	int retval = -EINVAL;

	if (addr & ~PAGE_MASK)
		return retval;

	down_write(&mm->mmap_sem);

	/*
	 * This function tries to be smart and unmap shm segments that
	 * were modified by partial mlock or munmap calls:
	 * - It first determines the size of the shm segment that should be
	 *   unmapped: It searches for a vma that is backed by shm and that
	 *   started at address shmaddr. It records it's size and then unmaps
	 *   it.
	 * - Then it unmaps all shm vmas that started at shmaddr and that
	 *   are within the initially determined size.
	 * Errors from do_munmap are ignored: the function only fails if
	 * it's called with invalid parameters or if it's called to unmap
	 * a part of a vma. Both calls in this function are for full vmas,
	 * the parameters are directly copied from the vma itself and always
	 * valid - therefore do_munmap cannot fail. (famous last words?)
	 */
	/*
	 * If it had been mremap()'d, the starting address would not
	 * match the usual checks anyway. So assume all vma's are
	 * above the starting address given.
	 */
	vma = find_vma(mm, addr);

	while (vma) {
		next = vma->vm_next;

		/*
		 * Check if the starting address would match, i.e. it's
		 * a fragment created by mprotect() and/or munmap(), or it
		 * otherwise it starts at this address with no hassles.
		 */
		if ((vma->vm_ops == &shm_vm_ops || is_vm_hugetlb_page(vma)) &&
			(vma->vm_start - addr)/PAGE_SIZE == vma->vm_pgoff) {


			/* The segment size comes from the backing file, not the vma. */
			size = vma->vm_file->f_path.dentry->d_inode->i_size;
			do_munmap(mm, vma->vm_start, vma->vm_end - vma->vm_start);
			/*
			 * We discovered the size of the shm segment, so
			 * break out of here and fall through to the next
			 * loop that uses the size information to stop
			 * searching for matching vma's.
			 */
			retval = 0;
			vma = next;
			break;
		}
		vma = next;
	}

	/*
	 * We need look no further than the maximum address a fragment
	 * could possibly have landed at. Also cast things to loff_t to
	 * prevent overflows and make comparisions vs. equal-width types.
	 */
	size = PAGE_ALIGN(size);
	while (vma && (loff_t)(vma->vm_end - addr) <= size) {
		next = vma->vm_next;

		/* finding a matching vma now does not alter retval */
		if ((vma->vm_ops == &shm_vm_ops || is_vm_hugetlb_page(vma)) &&
			(vma->vm_start - addr)/PAGE_SIZE == vma->vm_pgoff)

			do_munmap(mm, vma->vm_start, vma->vm_end - vma->vm_start);
		vma = next;
	}

	up_write(&mm->mmap_sem);
	return retval;
}
986 
987 #ifdef CONFIG_PROC_FS
/*
 * sysvipc_shm_proc_show - print one /proc/sysvipc/shm line
 * @s:  seq_file being written
 * @it: the struct shmid_kernel for this line
 *
 * Uses a wider size column when size_t is wider than int.  Hugetlb
 * segments report file references instead of shm_nattch, matching the
 * SHM_STAT path in sys_shmctl().
 */
static int sysvipc_shm_proc_show(struct seq_file *s, void *it)
{
#define SMALL_STRING "%10d %10d  %4o %10u %5u %5u  %5d %5u %5u %5u %5u %10lu %10lu %10lu\n"
#define BIG_STRING   "%10d %10d  %4o %21u %5u %5u  %5d %5u %5u %5u %5u %10lu %10lu %10lu\n"
	struct shmid_kernel *shp = it;
	const char *format = sizeof(size_t) > sizeof(int) ? BIG_STRING
							  : SMALL_STRING;

	return seq_printf(s, format,
			  shp->shm_perm.key,
			  shp->id,
			  shp->shm_perm.mode,
			  shp->shm_segsz,
			  shp->shm_cprid,
			  shp->shm_lprid,
			  is_file_hugepages(shp->shm_file) ? (file_count(shp->shm_file) - 1) : shp->shm_nattch,
			  shp->shm_perm.uid,
			  shp->shm_perm.gid,
			  shp->shm_perm.cuid,
			  shp->shm_perm.cgid,
			  shp->shm_atim,
			  shp->shm_dtim,
			  shp->shm_ctim);
}
1016 #endif