Commit 19dfd03af7f194adb7ecfc3c2ecfefc1b6686ef1
Committed by
Greg Kroah-Hartman
1 parent
dbb563ec7b
ipc,shm: shorten critical region for shmat
commit c2c737a0461e61a34676bd0bd1bc1a70a1b4e396 upstream. Similar to other system calls, acquire the kern_ipc_perm lock after doing the initial permission and security checks. [sasha.levin@oracle.com: dont leave do_shmat with rcu lock held] Signed-off-by: Davidlohr Bueso <davidlohr.bueso@hp.com> Tested-by: Sedat Dilek <sedat.dilek@gmail.com> Cc: Rik van Riel <riel@redhat.com> Cc: Manfred Spraul <manfred@colorfullife.com> Signed-off-by: Sasha Levin <sasha.levin@oracle.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Cc: Mike Galbraith <efault@gmx.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Showing 1 changed file with 10 additions and 4 deletions
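--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -19,6 +19,9 @@
 * namespaces support
 * OpenVZ, SWsoft Inc.
 * Pavel Emelianov <xemul@openvz.org>
+*
+* Better ipc lock (kern_ipc_perm.lock) handling
+* Davidlohr Bueso <davidlohr.bueso@hp.com>, June 2013.
 */
 
 #include <linux/slab.h>
 
@@ -1093,10 +1096,11 @@
 * additional creator id...
 */
 ns = current->nsproxy->ipc_ns;
-shp = shm_lock_check(ns, shmid);
+rcu_read_lock();
+shp = shm_obtain_object_check(ns, shmid);
 if (IS_ERR(shp)) {
 err = PTR_ERR(shp);
-goto out;
+goto out_unlock;
 }
 
 err = -EACCES;
 
@@ -1107,11 +1111,13 @@
 if (err)
 goto out_unlock;
 
+ipc_lock_object(&shp->shm_perm);
 path = shp->shm_file->f_path;
 path_get(&path);
 shp->shm_nattch++;
 size = i_size_read(path.dentry->d_inode);
-shm_unlock(shp);
+ipc_unlock_object(&shp->shm_perm);
+rcu_read_unlock();
 
 err = -ENOMEM;
 sfd = kzalloc(sizeof(*sfd), GFP_KERNEL);
@@ -1182,7 +1188,7 @@
 return err;
 
 out_unlock:
-shm_unlock(shp);
+rcu_read_unlock();
 out:
 return err;
 }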
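Review bot: In the third hunk, `shp->shm_file->f_path` is read straight after `ipc_lock_object(&shp->shm_perm)` with no re-check that the segment still exists. The lookup and the permission/LSM checks now run under `rcu_read_lock()` only, so a concurrent removal could land between `shm_obtain_object_check()` and the lock; RCU keeps `shp` itself allocated, but the visible lines do not show what protects `shm_file` or the `shm_nattch++` on a segment that is being torn down. The removed `shm_lock_check()` did the lookup and the lock in one step, which presumably covered this window. I would re-validate under the lock and fail with `-EIDRM`, as sketched below, assuming `kern_ipc_perm` carries the `deleted` flag in this tree. do_shmat begins outside the visible hunks, so an existing check elsewhere in the function cannot be ruled out from here.

```c
	ipc_lock_object(&shp->shm_perm);
	/* the segment may have been removed between the RCU lookup and the lock */
	if (shp->shm_perm.deleted) {
		ipc_unlock_object(&shp->shm_perm);
		err = -EIDRM;
		goto out_unlock;
	}
	path = shp->shm_file->f_path;
	/* … unchanged: path_get, shm_nattch++, i_size_read, unlock … */
```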