/*
 * linux/ipc/msg.c
 * Copyright (C) 1992 Krishna Balasubramanian
 *
 * Removed all the remaining kerneld mess
 * Catch the -EFAULT stuff properly
 * Use GFP_KERNEL for messages as in 1.2
 * Fixed up the unchecked user space derefs
 * Copyright (C) 1998 Alan Cox & Andi Kleen
 *
 * /proc/sysvipc/msg support (c) 1999 Dragos Acostachioaie <dragos@iname.com>
 *
 * mostly rewritten, threaded and wake-one semantics added
 * MSGMAX limit removed, sysctl's added
 * (c) 1999 Manfred Spraul <manfred@colorfullife.com>
 *
 * support for audit of ipc object properties and permission changes
 * Dustin Kirkland <dustin.kirkland@us.ibm.com>
 *
 * namespaces support
 * OpenVZ, SWsoft Inc.
 * Pavel Emelianov <xemul@openvz.org>
 */

#include <linux/capability.h>
#include <linux/slab.h>
#include <linux/msg.h>
#include <linux/spinlock.h>
#include <linux/init.h>
#include <linux/mm.h>
#include <linux/proc_fs.h>
#include <linux/list.h>
#include <linux/security.h>
#include <linux/sched.h>
#include <linux/syscalls.h>
#include <linux/audit.h>
#include <linux/seq_file.h>
#include <linux/rwsem.h>
#include <linux/nsproxy.h>
#include <linux/ipc_namespace.h>

#include <asm/current.h>
#include <asm/uaccess.h>
#include "util.h"

/*
 * one msg_receiver structure for each sleeping receiver:
 */
struct msg_receiver {
	struct list_head	r_list;
	struct task_struct	*r_tsk;

	int			r_mode;
	long			r_msgtype;
	long			r_maxsize;

	struct msg_msg		*volatile r_msg;
};

/* one msg_sender for each sleeping sender */
struct msg_sender {
	struct list_head	list;
	struct task_struct	*tsk;
};

#define SEARCH_ANY		1
#define SEARCH_EQUAL		2
#define SEARCH_NOTEQUAL		3
#define SEARCH_LESSEQUAL	4

#define msg_ids(ns)	((ns)->ids[IPC_MSG_IDS])

#define msg_unlock(msq)	ipc_unlock(&(msq)->q_perm)

static void freeque(struct ipc_namespace *, struct kern_ipc_perm *);
static int newque(struct ipc_namespace *, struct ipc_params *);
#ifdef CONFIG_PROC_FS
static int sysvipc_msg_proc_show(struct seq_file *s, void *it);
#endif

/*
 * Scale msgmni with the available lowmem size: the memory dedicated to msg
 * queues should occupy at most 1/MSG_MEM_SCALE of lowmem.
 * Also take into account the number of nsproxies created so far.
 * This should be done staying within the (MSGMNI, IPCMNI/nr_ipc_ns) range.
 */
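/*
 * Worked example (illustrative numbers, assuming the usual defaults of
 * MSG_MEM_SCALE == 32 and MSGMNB == 16384): with 2 GB of lowmem,
 * allowed = (2 GB / 32) / 16384 = 4096 queue ids. With two ipc
 * namespaces that is halved to 2048 before the clamping below into the
 * [MSGMNI, IPCMNI / nr_ipc_ns] range is applied.
 */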
void recompute_msgmni(struct ipc_namespace *ns)
{
	struct sysinfo i;
	unsigned long allowed;
	int nb_ns;

	si_meminfo(&i);
	allowed = (((i.totalram - i.totalhigh) / MSG_MEM_SCALE) * i.mem_unit)
		/ MSGMNB;
	nb_ns = atomic_read(&nr_ipc_ns);
	allowed /= nb_ns;

	if (allowed < MSGMNI) {
		ns->msg_ctlmni = MSGMNI;
		return;
	}

	if (allowed > IPCMNI / nb_ns) {
		ns->msg_ctlmni = IPCMNI / nb_ns;
		return;
	}

	ns->msg_ctlmni = allowed;
}

void msg_init_ns(struct ipc_namespace *ns)
{
	ns->msg_ctlmax = MSGMAX;
	ns->msg_ctlmnb = MSGMNB;

	recompute_msgmni(ns);

	atomic_set(&ns->msg_bytes, 0);
	atomic_set(&ns->msg_hdrs, 0);
	ipc_init_ids(&ns->ids[IPC_MSG_IDS]);
}

#ifdef CONFIG_IPC_NS
void msg_exit_ns(struct ipc_namespace *ns)
{
	free_ipcs(ns, &msg_ids(ns), freeque);
	idr_destroy(&ns->ids[IPC_MSG_IDS].ipcs_idr);
}
#endif

void __init msg_init(void)
{
	msg_init_ns(&init_ipc_ns);

	printk(KERN_INFO "msgmni has been set to %d\n",
	       init_ipc_ns.msg_ctlmni);

	ipc_init_proc_interface("sysvipc/msg",
		"       key      msqid perms      cbytes       qnum lspid lrpid   uid   gid  cuid  cgid      stime      rtime      ctime\n",
		IPC_MSG_IDS, sysvipc_msg_proc_show);
}

/*
 * msg_lock_(check_) routines are called in the paths where the rw_mutex
 * is not held.
 */
static inline struct msg_queue *msg_lock(struct ipc_namespace *ns, int id)
{
	struct kern_ipc_perm *ipcp = ipc_lock(&msg_ids(ns), id);

	if (IS_ERR(ipcp))
		return (struct msg_queue *)ipcp;

	return container_of(ipcp, struct msg_queue, q_perm);
}

static inline struct msg_queue *msg_lock_check(struct ipc_namespace *ns,
						int id)
{
	struct kern_ipc_perm *ipcp = ipc_lock_check(&msg_ids(ns), id);

	if (IS_ERR(ipcp))
		return (struct msg_queue *)ipcp;

	return container_of(ipcp, struct msg_queue, q_perm);
}

static inline void msg_rmid(struct ipc_namespace *ns, struct msg_queue *s)
{
	ipc_rmid(&msg_ids(ns), &s->q_perm);
}

/**
 * newque - Create a new msg queue
 * @ns: namespace
 * @params: ptr to the structure that contains the key and msgflg
 *
 * Called with msg_ids.rw_mutex held (writer)
 */
static int newque(struct ipc_namespace *ns, struct ipc_params *params)
{
	struct msg_queue *msq;
	int id, retval;
	key_t key = params->key;
	int msgflg = params->flg;

	msq = ipc_rcu_alloc(sizeof(*msq));
	if (!msq)
		return -ENOMEM;

	msq->q_perm.mode = msgflg & S_IRWXUGO;
	msq->q_perm.key = key;

	msq->q_perm.security = NULL;
	retval = security_msg_queue_alloc(msq);
	if (retval) {
		ipc_rcu_putref(msq);
		return retval;
	}

	/*
	 * ipc_addid() locks msq
	 */
	id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
	if (id < 0) {
		security_msg_queue_free(msq);
		ipc_rcu_putref(msq);
		return id;
	}

	msq->q_stime = msq->q_rtime = 0;
	msq->q_ctime = get_seconds();
	msq->q_cbytes = msq->q_qnum = 0;
	msq->q_qbytes = ns->msg_ctlmnb;
	msq->q_lspid = msq->q_lrpid = 0;
	INIT_LIST_HEAD(&msq->q_messages);
	INIT_LIST_HEAD(&msq->q_receivers);
	INIT_LIST_HEAD(&msq->q_senders);

	msg_unlock(msq);

	return msq->q_perm.id;
}
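/*
 * Sender sleep protocol: ss_add() runs with the queue spinlock held and
 * sets TASK_INTERRUPTIBLE before linking the entry, so a wakeup issued
 * after the lock is dropped cannot be lost. ss_wakeup() with kill set
 * poisons list.next instead of unlinking; ss_del() uses that as the
 * "no list_del() needed" marker on the woken side.
 */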
static inline void ss_add(struct msg_queue *msq, struct msg_sender *mss)
{
	mss->tsk = current;
	current->state = TASK_INTERRUPTIBLE;
	list_add_tail(&mss->list, &msq->q_senders);
}

static inline void ss_del(struct msg_sender *mss)
{
	if (mss->list.next != NULL)
		list_del(&mss->list);
}

static void ss_wakeup(struct list_head *h, int kill)
{
	struct list_head *tmp;

	tmp = h->next;
	while (tmp != h) {
		struct msg_sender *mss;

		mss = list_entry(tmp, struct msg_sender, list);
		tmp = tmp->next;
		if (kill)
			mss->list.next = NULL;
		wake_up_process(mss->tsk);
	}
}

static void expunge_all(struct msg_queue *msq, int res)
{
	struct list_head *tmp;

	tmp = msq->q_receivers.next;
	while (tmp != &msq->q_receivers) {
		struct msg_receiver *msr;

		msr = list_entry(tmp, struct msg_receiver, r_list);
		tmp = tmp->next;
		msr->r_msg = NULL;
		wake_up_process(msr->r_tsk);
		smp_mb();
		msr->r_msg = ERR_PTR(res);
	}
}

/*
 * freeque() wakes up waiters on the sender and receiver waiting queue,
 * removes the message queue from the message queue ID IDR, and cleans up
 * all the messages associated with this queue.
 *
 * msg_ids.rw_mutex (writer) and the spinlock for this message queue are
 * held before freeque() is called. msg_ids.rw_mutex remains locked on
 * exit.
 */
static void freeque(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp)
{
	struct list_head *tmp;
	struct msg_queue *msq = container_of(ipcp, struct msg_queue, q_perm);

	expunge_all(msq, -EIDRM);
	ss_wakeup(&msq->q_senders, 1);
	msg_rmid(ns, msq);
	msg_unlock(msq);

	tmp = msq->q_messages.next;
	while (tmp != &msq->q_messages) {
		struct msg_msg *msg = list_entry(tmp, struct msg_msg, m_list);

		tmp = tmp->next;
		atomic_dec(&ns->msg_hdrs);
		free_msg(msg);
	}
	atomic_sub(msq->q_cbytes, &ns->msg_bytes);
	security_msg_queue_free(msq);
	ipc_rcu_putref(msq);
}
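/*
 * Note on the teardown order above: waiters are woken and the id is
 * removed from the IDR while the queue spinlock is still held, so no new
 * task can look the queue up; the messages themselves are freed only
 * after msg_unlock(), keeping the free_msg() calls out of the spinlock's
 * critical section.
 */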
/*
 * Called with msg_ids.rw_mutex and ipcp locked.
 */
static inline int msg_security(struct kern_ipc_perm *ipcp, int msgflg)
{
	struct msg_queue *msq = container_of(ipcp, struct msg_queue, q_perm);

	return security_msg_queue_associate(msq, msgflg);
}

SYSCALL_DEFINE2(msgget, key_t, key, int, msgflg)
{
	struct ipc_namespace *ns;
	struct ipc_ops msg_ops;
	struct ipc_params msg_params;

	ns = current->nsproxy->ipc_ns;

	msg_ops.getnew = newque;
	msg_ops.associate = msg_security;
	msg_ops.more_checks = NULL;

	msg_params.key = key;
	msg_params.flg = msgflg;

	return ipcget(ns, &msg_ids(ns), &msg_ops, &msg_params);
}
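/*
 * Userspace view (an illustrative sketch, not part of this file): the
 * syscalls implemented here are normally reached through the libc
 * wrappers. Error handling is abbreviated and the message structure is
 * hypothetical.
 *
 *	#include <sys/ipc.h>
 *	#include <sys/msg.h>
 *	#include <string.h>
 *
 *	struct my_msg { long mtype; char mtext[64]; };
 *
 *	int example(void)
 *	{
 *		struct my_msg m = { .mtype = 1 };
 *		int id = msgget(IPC_PRIVATE, IPC_CREAT | 0600);
 *
 *		strcpy(m.mtext, "hello");
 *		msgsnd(id, &m, sizeof(m.mtext), 0);    (ends up in do_msgsnd)
 *		msgrcv(id, &m, sizeof(m.mtext), 1, 0); (ends up in do_msgrcv)
 *		return msgctl(id, IPC_RMID, NULL);     (freeque via msgctl_down)
 *	}
 */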
static inline unsigned long
copy_msqid_to_user(void __user *buf, struct msqid64_ds *in, int version)
{
	switch (version) {
	case IPC_64:
		return copy_to_user(buf, in, sizeof(*in));
	case IPC_OLD:
	{
		struct msqid_ds out;

		memset(&out, 0, sizeof(out));

		ipc64_perm_to_ipc_perm(&in->msg_perm, &out.msg_perm);

		out.msg_stime = in->msg_stime;
		out.msg_rtime = in->msg_rtime;
		out.msg_ctime = in->msg_ctime;

		if (in->msg_cbytes > USHORT_MAX)
			out.msg_cbytes = USHORT_MAX;
		else
			out.msg_cbytes = in->msg_cbytes;
		out.msg_lcbytes = in->msg_cbytes;

		if (in->msg_qnum > USHORT_MAX)
			out.msg_qnum = USHORT_MAX;
		else
			out.msg_qnum = in->msg_qnum;

		if (in->msg_qbytes > USHORT_MAX)
			out.msg_qbytes = USHORT_MAX;
		else
			out.msg_qbytes = in->msg_qbytes;
		out.msg_lqbytes = in->msg_qbytes;

		out.msg_lspid = in->msg_lspid;
		out.msg_lrpid = in->msg_lrpid;

		return copy_to_user(buf, &out, sizeof(out));
	}
	default:
		return -EINVAL;
	}
}

static inline unsigned long
copy_msqid_from_user(struct msqid64_ds *out, void __user *buf, int version)
{
	switch (version) {
	case IPC_64:
		if (copy_from_user(out, buf, sizeof(*out)))
			return -EFAULT;
		return 0;
	case IPC_OLD:
	{
		struct msqid_ds tbuf_old;

		if (copy_from_user(&tbuf_old, buf, sizeof(tbuf_old)))
			return -EFAULT;

		out->msg_perm.uid = tbuf_old.msg_perm.uid;
		out->msg_perm.gid = tbuf_old.msg_perm.gid;
		out->msg_perm.mode = tbuf_old.msg_perm.mode;

		if (tbuf_old.msg_qbytes == 0)
			out->msg_qbytes = tbuf_old.msg_lqbytes;
		else
			out->msg_qbytes = tbuf_old.msg_qbytes;

		return 0;
	}
	default:
		return -EINVAL;
	}
}

/*
 * This function handles some msgctl commands which require the rw_mutex
 * to be held in write mode.
 * NOTE: the caller must hold no locks; the rw_mutex is taken inside this
 * function.
 */
static int msgctl_down(struct ipc_namespace *ns, int msqid, int cmd,
		       struct msqid_ds __user *buf, int version)
{
	struct kern_ipc_perm *ipcp;
	struct msqid64_ds uninitialized_var(msqid64);
	struct msg_queue *msq;
	int err;

	if (cmd == IPC_SET) {
		if (copy_msqid_from_user(&msqid64, buf, version))
			return -EFAULT;
	}

	ipcp = ipcctl_pre_down(&msg_ids(ns), msqid, cmd,
			       &msqid64.msg_perm, msqid64.msg_qbytes);
	if (IS_ERR(ipcp))
		return PTR_ERR(ipcp);

	msq = container_of(ipcp, struct msg_queue, q_perm);

	err = security_msg_queue_msgctl(msq, cmd);
	if (err)
		goto out_unlock;

	switch (cmd) {
	case IPC_RMID:
		freeque(ns, ipcp);
		goto out_up;
	case IPC_SET:
		if (msqid64.msg_qbytes > ns->msg_ctlmnb &&
		    !capable(CAP_SYS_RESOURCE)) {
			err = -EPERM;
			goto out_unlock;
		}

		msq->q_qbytes = msqid64.msg_qbytes;

		ipc_update_perm(&msqid64.msg_perm, ipcp);
		msq->q_ctime = get_seconds();
		/* sleeping receivers might be excluded by
		 * stricter permissions.
		 */
		expunge_all(msq, -EAGAIN);
		/* sleeping senders might be able to send
		 * due to a larger queue size.
		 */
		ss_wakeup(&msq->q_senders, 0);
		break;
	default:
		err = -EINVAL;
	}
out_unlock:
	msg_unlock(msq);
out_up:
	up_write(&msg_ids(ns).rw_mutex);
	return err;
}
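/*
 * The copy_msqid_{to,from}_user() helpers above bridge two userspace
 * ABIs: IPC_64 callers pass a struct msqid64_ds, while IPC_OLD callers
 * still use the legacy struct msqid_ds with 16-bit counters (hence the
 * clamping to USHORT_MAX). ipc_parse_version() in msgctl() below strips
 * the IPC_64 flag from cmd and selects the layout.
 */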
SYSCALL_DEFINE3(msgctl, int, msqid, int, cmd, struct msqid_ds __user *, buf)
{
	struct msg_queue *msq;
	int err, version;
	struct ipc_namespace *ns;

	if (msqid < 0 || cmd < 0)
		return -EINVAL;

	version = ipc_parse_version(&cmd);
	ns = current->nsproxy->ipc_ns;

	switch (cmd) {
	case IPC_INFO:
	case MSG_INFO:
	{
		struct msginfo msginfo;
		int max_id;

		if (!buf)
			return -EFAULT;
		/*
		 * We must not return kernel stack data: due to padding,
		 * it is not enough to set all member fields.
		 */
		err = security_msg_queue_msgctl(NULL, cmd);
		if (err)
			return err;

		memset(&msginfo, 0, sizeof(msginfo));
		msginfo.msgmni = ns->msg_ctlmni;
		msginfo.msgmax = ns->msg_ctlmax;
		msginfo.msgmnb = ns->msg_ctlmnb;
		msginfo.msgssz = MSGSSZ;
		msginfo.msgseg = MSGSEG;
		down_read(&msg_ids(ns).rw_mutex);
		if (cmd == MSG_INFO) {
			msginfo.msgpool = msg_ids(ns).in_use;
			msginfo.msgmap = atomic_read(&ns->msg_hdrs);
			msginfo.msgtql = atomic_read(&ns->msg_bytes);
		} else {
			msginfo.msgmap = MSGMAP;
			msginfo.msgpool = MSGPOOL;
			msginfo.msgtql = MSGTQL;
		}
		max_id = ipc_get_maxid(&msg_ids(ns));
		up_read(&msg_ids(ns).rw_mutex);
		if (copy_to_user(buf, &msginfo, sizeof(struct msginfo)))
			return -EFAULT;
		return (max_id < 0) ? 0 : max_id;
	}
	case MSG_STAT:	/* msqid is an index rather than a msg queue id */
	case IPC_STAT:
	{
		struct msqid64_ds tbuf;
		int success_return;

		if (!buf)
			return -EFAULT;

		if (cmd == MSG_STAT) {
			msq = msg_lock(ns, msqid);
			if (IS_ERR(msq))
				return PTR_ERR(msq);
			success_return = msq->q_perm.id;
		} else {
			msq = msg_lock_check(ns, msqid);
			if (IS_ERR(msq))
				return PTR_ERR(msq);
			success_return = 0;
		}
		err = -EACCES;
		if (ipcperms(&msq->q_perm, S_IRUGO))
			goto out_unlock;

		err = security_msg_queue_msgctl(msq, cmd);
		if (err)
			goto out_unlock;

		memset(&tbuf, 0, sizeof(tbuf));

		kernel_to_ipc64_perm(&msq->q_perm, &tbuf.msg_perm);
		tbuf.msg_stime = msq->q_stime;
		tbuf.msg_rtime = msq->q_rtime;
		tbuf.msg_ctime = msq->q_ctime;
		tbuf.msg_cbytes = msq->q_cbytes;
		tbuf.msg_qnum = msq->q_qnum;
		tbuf.msg_qbytes = msq->q_qbytes;
		tbuf.msg_lspid = msq->q_lspid;
		tbuf.msg_lrpid = msq->q_lrpid;
		msg_unlock(msq);
		if (copy_msqid_to_user(buf, &tbuf, version))
			return -EFAULT;
		return success_return;
	}
	case IPC_SET:
	case IPC_RMID:
		err = msgctl_down(ns, msqid, cmd, buf, version);
		return err;
	default:
		return -EINVAL;
	}

out_unlock:
	msg_unlock(msq);
	return err;
}

static int testmsg(struct msg_msg *msg, long type, int mode)
{
	switch (mode) {
	case SEARCH_ANY:
		return 1;
	case SEARCH_LESSEQUAL:
		if (msg->m_type <= type)
			return 1;
		break;
	case SEARCH_EQUAL:
		if (msg->m_type == type)
			return 1;
		break;
	case SEARCH_NOTEQUAL:
		if (msg->m_type != type)
			return 1;
		break;
	}
	return 0;
}

static inline int pipelined_send(struct msg_queue *msq, struct msg_msg *msg)
{
	struct list_head *tmp;

	tmp = msq->q_receivers.next;
	while (tmp != &msq->q_receivers) {
		struct msg_receiver *msr;

		msr = list_entry(tmp, struct msg_receiver, r_list);
		tmp = tmp->next;
		if (testmsg(msg, msr->r_msgtype, msr->r_mode) &&
		    !security_msg_queue_msgrcv(msq, msg, msr->r_tsk,
					       msr->r_msgtype, msr->r_mode)) {

			list_del(&msr->r_list);
			if (msr->r_maxsize < msg->m_ts) {
				msr->r_msg = NULL;
				wake_up_process(msr->r_tsk);
				smp_mb();
				msr->r_msg = ERR_PTR(-E2BIG);
			} else {
				msr->r_msg = NULL;
				msq->q_lrpid = task_pid_vnr(msr->r_tsk);
				msq->q_rtime = get_seconds();
				wake_up_process(msr->r_tsk);
				smp_mb();
				msr->r_msg = msg;

				return 1;
			}
		}
	}
	return 0;
}
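/*
 * The r_msg handshake used by expunge_all() and pipelined_send() above
 * (store NULL, wake_up_process(), smp_mb(), then store the final value)
 * pairs with the busy-wait in do_msgrcv(): a woken receiver spins while
 * r_msg is still NULL, so it cannot return (and release the msr_d that
 * lives on its stack) while the waker is still touching it.
 */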
long do_msgsnd(int msqid, long mtype, void __user *mtext,
		size_t msgsz, int msgflg)
{
	struct msg_queue *msq;
	struct msg_msg *msg;
	int err;
	struct ipc_namespace *ns;

	ns = current->nsproxy->ipc_ns;

	if (msgsz > ns->msg_ctlmax || (long) msgsz < 0 || msqid < 0)
		return -EINVAL;
	if (mtype < 1)
		return -EINVAL;

	msg = load_msg(mtext, msgsz);
	if (IS_ERR(msg))
		return PTR_ERR(msg);

	msg->m_type = mtype;
	msg->m_ts = msgsz;

	msq = msg_lock_check(ns, msqid);
	if (IS_ERR(msq)) {
		err = PTR_ERR(msq);
		goto out_free;
	}

	for (;;) {
		struct msg_sender s;

		err = -EACCES;
		if (ipcperms(&msq->q_perm, S_IWUGO))
			goto out_unlock_free;

		err = security_msg_queue_msgsnd(msq, msg, msgflg);
		if (err)
			goto out_unlock_free;

		if (msgsz + msq->q_cbytes <= msq->q_qbytes &&
		    1 + msq->q_qnum <= msq->q_qbytes) {
			break;
		}

		/* queue full, wait: */
		if (msgflg & IPC_NOWAIT) {
			err = -EAGAIN;
			goto out_unlock_free;
		}
		ss_add(msq, &s);
		ipc_rcu_getref(msq);
		msg_unlock(msq);
		schedule();

		ipc_lock_by_ptr(&msq->q_perm);
		ipc_rcu_putref(msq);
		if (msq->q_perm.deleted) {
			err = -EIDRM;
			goto out_unlock_free;
		}
		ss_del(&s);

		if (signal_pending(current)) {
			err = -ERESTARTNOHAND;
			goto out_unlock_free;
		}
	}

	msq->q_lspid = task_tgid_vnr(current);
	msq->q_stime = get_seconds();

	if (!pipelined_send(msq, msg)) {
		/* no one is waiting for this message, enqueue it */
		list_add_tail(&msg->m_list, &msq->q_messages);
		msq->q_cbytes += msgsz;
		msq->q_qnum++;
		atomic_add(msgsz, &ns->msg_bytes);
		atomic_inc(&ns->msg_hdrs);
	}

	err = 0;
	msg = NULL;

out_unlock_free:
	msg_unlock(msq);
out_free:
	if (msg != NULL)
		free_msg(msg);
	return err;
}
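/*
 * Note on the sleep path in do_msgsnd() above: the sender takes an RCU
 * reference (ipc_rcu_getref) before dropping the queue lock to sleep, so
 * the msg_queue cannot be freed underneath it; after waking it relocks
 * by pointer, drops the reference and re-checks q_perm.deleted to catch
 * a concurrent IPC_RMID.
 */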
SYSCALL_DEFINE4(msgsnd, int, msqid, struct msgbuf __user *, msgp, size_t, msgsz,
		int, msgflg)
{
	long mtype;

	if (get_user(mtype, &msgp->mtype))
		return -EFAULT;
	return do_msgsnd(msqid, mtype, msgp->mtext, msgsz, msgflg);
}

static inline int convert_mode(long *msgtyp, int msgflg)
{
	/*
	 * find message of correct type.
	 * msgtyp = 0 => get first.
	 * msgtyp > 0 => get first message of matching type.
	 * msgtyp < 0 => get message with lowest type <= abs(msgtyp).
	 */
	if (*msgtyp == 0)
		return SEARCH_ANY;
	if (*msgtyp < 0) {
		*msgtyp = -*msgtyp;
		return SEARCH_LESSEQUAL;
	}
	if (msgflg & MSG_EXCEPT)
		return SEARCH_NOTEQUAL;
	return SEARCH_EQUAL;
}

long do_msgrcv(int msqid, long *pmtype, void __user *mtext,
		size_t msgsz, long msgtyp, int msgflg)
{
	struct msg_queue *msq;
	struct msg_msg *msg;
	int mode;
	struct ipc_namespace *ns;

	if (msqid < 0 || (long) msgsz < 0)
		return -EINVAL;
	mode = convert_mode(&msgtyp, msgflg);
	ns = current->nsproxy->ipc_ns;

	msq = msg_lock_check(ns, msqid);
	if (IS_ERR(msq))
		return PTR_ERR(msq);

	for (;;) {
		struct msg_receiver msr_d;
		struct list_head *tmp;

		msg = ERR_PTR(-EACCES);
		if (ipcperms(&msq->q_perm, S_IRUGO))
			goto out_unlock;

		msg = ERR_PTR(-EAGAIN);
		tmp = msq->q_messages.next;
		while (tmp != &msq->q_messages) {
			struct msg_msg *walk_msg;

			walk_msg = list_entry(tmp, struct msg_msg, m_list);
			if (testmsg(walk_msg, msgtyp, mode) &&
			    !security_msg_queue_msgrcv(msq, walk_msg, current,
						       msgtyp, mode)) {

				msg = walk_msg;
				if (mode == SEARCH_LESSEQUAL &&
				    walk_msg->m_type != 1)
					msgtyp = walk_msg->m_type - 1;
				else
					break;
			}
			tmp = tmp->next;
		}
		if (!IS_ERR(msg)) {
			/*
			 * Found a suitable message.
			 * Unlink it from the queue.
			 */
			if ((msgsz < msg->m_ts) && !(msgflg & MSG_NOERROR)) {
				msg = ERR_PTR(-E2BIG);
				goto out_unlock;
			}
			list_del(&msg->m_list);
			msq->q_qnum--;
			msq->q_rtime = get_seconds();
			msq->q_lrpid = task_tgid_vnr(current);
			msq->q_cbytes -= msg->m_ts;
			atomic_sub(msg->m_ts, &ns->msg_bytes);
			atomic_dec(&ns->msg_hdrs);
			ss_wakeup(&msq->q_senders, 0);
			msg_unlock(msq);
			break;
		}
		/* No message waiting. Wait for a message. */
		if (msgflg & IPC_NOWAIT) {
			msg = ERR_PTR(-ENOMSG);
			goto out_unlock;
		}
		list_add_tail(&msr_d.r_list, &msq->q_receivers);
		msr_d.r_tsk = current;
		msr_d.r_msgtype = msgtyp;
		msr_d.r_mode = mode;
		if (msgflg & MSG_NOERROR)
			msr_d.r_maxsize = INT_MAX;
		else
			msr_d.r_maxsize = msgsz;
		msr_d.r_msg = ERR_PTR(-EAGAIN);
		current->state = TASK_INTERRUPTIBLE;
		msg_unlock(msq);

		schedule();

		/* Lockless receive, part 1:
		 * Disable preemption. We don't hold a reference to the queue
		 * and getting a reference would defeat the idea of a lockless
		 * operation, thus the code relies on rcu to guarantee the
		 * existence of msq:
		 * Prior to destruction, expunge_all(-EIDRM) changes r_msg.
		 * Thus if r_msg is -EAGAIN, then the queue is not yet
		 * destroyed.
		 * rcu_read_lock() prevents preemption between reading r_msg
		 * and the spin_lock() inside ipc_lock_by_ptr().
		 */
		rcu_read_lock();

		/* Lockless receive, part 2:
		 * Wait until pipelined_send or expunge_all are outside of
		 * wake_up_process(). There is a race with exit(), see
		 * ipc/mqueue.c for the details.
		 */
		msg = (struct msg_msg *)msr_d.r_msg;
		while (msg == NULL) {
			cpu_relax();
			msg = (struct msg_msg *)msr_d.r_msg;
		}

		/* Lockless receive, part 3:
		 * If there is a message or an error then accept it without
		 * locking.
		 */
		if (msg != ERR_PTR(-EAGAIN)) {
			rcu_read_unlock();
			break;
		}

		/* Lockless receive, part 4:
		 * Acquire the queue spinlock.
		 */
		ipc_lock_by_ptr(&msq->q_perm);
		rcu_read_unlock();

		/* Lockless receive, part 5:
		 * Repeat test after acquiring the spinlock.
		 */
		msg = (struct msg_msg *)msr_d.r_msg;
		if (msg != ERR_PTR(-EAGAIN))
			goto out_unlock;

		list_del(&msr_d.r_list);
		if (signal_pending(current)) {
			msg = ERR_PTR(-ERESTARTNOHAND);
out_unlock:
			msg_unlock(msq);
			break;
		}
	}
	if (IS_ERR(msg))
		return PTR_ERR(msg);

	msgsz = (msgsz > msg->m_ts) ? msg->m_ts : msgsz;
	*pmtype = msg->m_type;
	if (store_msg(mtext, msg, msgsz))
		msgsz = -EFAULT;

	free_msg(msg);

	return msgsz;
}

SYSCALL_DEFINE5(msgrcv, int, msqid, struct msgbuf __user *, msgp, size_t, msgsz,
		long, msgtyp, int, msgflg)
{
	long err, mtype;

	err = do_msgrcv(msqid, &mtype, msgp->mtext, msgsz, msgtyp, msgflg);
	if (err < 0)
		goto out;

	if (put_user(mtype, &msgp->mtype))
		err = -EFAULT;
out:
	return err;
}

#ifdef CONFIG_PROC_FS
static int sysvipc_msg_proc_show(struct seq_file *s, void *it)
{
	struct msg_queue *msq = it;

	return seq_printf(s,
			"%10d %10d  %4o  %10lu %10lu %5u %5u %5u %5u %5u %5u %10lu %10lu %10lu\n",
			msq->q_perm.key,
			msq->q_perm.id,
			msq->q_perm.mode,
			msq->q_cbytes,
			msq->q_qnum,
			msq->q_lspid,
			msq->q_lrpid,
			msq->q_perm.uid,
			msq->q_perm.gid,
			msq->q_perm.cuid,
			msq->q_perm.cgid,
			msq->q_stime,
			msq->q_rtime,
			msq->q_ctime);
}
#endif
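/*
 * A /proc/sysvipc/msg line produced by the format above pairs one to one
 * with the header installed in msg_init(); illustrative output for a
 * fresh, unused queue might look like:
 *
 *        key      msqid perms      cbytes       qnum lspid lrpid   uid   gid  cuid  cgid      stime      rtime      ctime
 *          0      65536   600           0          0     0     0  1000  1000  1000  1000          0          0 1242425405
 */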