xref: /openbmc/linux/ipc/msg.c (revision 9d56dd3b083a3bec56e9da35ce07baca81030b03)
1 /*
2  * linux/ipc/msg.c
3  * Copyright (C) 1992 Krishna Balasubramanian
4  *
5  * Removed all the remaining kerneld mess
6  * Catch the -EFAULT stuff properly
7  * Use GFP_KERNEL for messages as in 1.2
8  * Fixed up the unchecked user space derefs
9  * Copyright (C) 1998 Alan Cox & Andi Kleen
10  *
11  * /proc/sysvipc/msg support (c) 1999 Dragos Acostachioaie <dragos@iname.com>
12  *
13  * mostly rewritten, threaded and wake-one semantics added
14  * MSGMAX limit removed, sysctl's added
15  * (c) 1999 Manfred Spraul <manfred@colorfullife.com>
16  *
17  * support for audit of ipc object properties and permission changes
18  * Dustin Kirkland <dustin.kirkland@us.ibm.com>
19  *
20  * namespaces support
21  * OpenVZ, SWsoft Inc.
22  * Pavel Emelianov <xemul@openvz.org>
23  */
24 
25 #include <linux/capability.h>
26 #include <linux/slab.h>
27 #include <linux/msg.h>
28 #include <linux/spinlock.h>
29 #include <linux/init.h>
30 #include <linux/mm.h>
31 #include <linux/proc_fs.h>
32 #include <linux/list.h>
33 #include <linux/security.h>
34 #include <linux/sched.h>
35 #include <linux/syscalls.h>
36 #include <linux/audit.h>
37 #include <linux/seq_file.h>
38 #include <linux/rwsem.h>
39 #include <linux/nsproxy.h>
40 #include <linux/ipc_namespace.h>
41 
42 #include <asm/current.h>
43 #include <asm/uaccess.h>
44 #include "util.h"
45 
46 /*
47  * one msg_receiver structure for each sleeping receiver:
48  */
49 struct msg_receiver {
50 	struct list_head	r_list;
51 	struct task_struct	*r_tsk;
52 
53 	int			r_mode;
54 	long			r_msgtype;
55 	long			r_maxsize;
56 
57 	struct msg_msg		*volatile r_msg;
58 };
59 
60 /* one msg_sender for each sleeping sender */
61 struct msg_sender {
62 	struct list_head	list;
63 	struct task_struct	*tsk;
64 };
65 
66 #define SEARCH_ANY		1
67 #define SEARCH_EQUAL		2
68 #define SEARCH_NOTEQUAL		3
69 #define SEARCH_LESSEQUAL	4
70 
71 #define msg_ids(ns)	((ns)->ids[IPC_MSG_IDS])
72 
73 #define msg_unlock(msq)		ipc_unlock(&(msq)->q_perm)
74 
75 static void freeque(struct ipc_namespace *, struct kern_ipc_perm *);
76 static int newque(struct ipc_namespace *, struct ipc_params *);
77 #ifdef CONFIG_PROC_FS
78 static int sysvipc_msg_proc_show(struct seq_file *s, void *it);
79 #endif
80 
81 /*
82  * Scale msgmni with the available lowmem size: the memory dedicated to msg
83  * queues should occupy at most 1/MSG_MEM_SCALE of lowmem.
84  * Also take into account the number of nsproxies created so far.
85  * This should be done staying within the (MSGMNI , IPCMNI/nr_ipc_ns) range.
86  */
87 void recompute_msgmni(struct ipc_namespace *ns)
88 {
89 	struct sysinfo i;
90 	unsigned long allowed;
91 	int nb_ns;
92 
93 	si_meminfo(&i);
94 	allowed = (((i.totalram - i.totalhigh) / MSG_MEM_SCALE) * i.mem_unit)
95 		/ MSGMNB;
96 	nb_ns = atomic_read(&nr_ipc_ns);
97 	allowed /= nb_ns;
98 
99 	if (allowed < MSGMNI) {
100 		ns->msg_ctlmni = MSGMNI;
101 		return;
102 	}
103 
104 	if (allowed > IPCMNI / nb_ns) {
105 		ns->msg_ctlmni = IPCMNI / nb_ns;
106 		return;
107 	}
108 
109 	ns->msg_ctlmni = allowed;
110 }
111 
112 void msg_init_ns(struct ipc_namespace *ns)
113 {
114 	ns->msg_ctlmax = MSGMAX;
115 	ns->msg_ctlmnb = MSGMNB;
116 
117 	recompute_msgmni(ns);
118 
119 	atomic_set(&ns->msg_bytes, 0);
120 	atomic_set(&ns->msg_hdrs, 0);
121 	ipc_init_ids(&ns->ids[IPC_MSG_IDS]);
122 }
123 
124 #ifdef CONFIG_IPC_NS
125 void msg_exit_ns(struct ipc_namespace *ns)
126 {
127 	free_ipcs(ns, &msg_ids(ns), freeque);
128 	idr_destroy(&ns->ids[IPC_MSG_IDS].ipcs_idr);
129 }
130 #endif
131 
132 void __init msg_init(void)
133 {
134 	msg_init_ns(&init_ipc_ns);
135 
136 	printk(KERN_INFO "msgmni has been set to %d\n",
137 		init_ipc_ns.msg_ctlmni);
138 
139 	ipc_init_proc_interface("sysvipc/msg",
140 				"       key      msqid perms      cbytes       qnum lspid lrpid   uid   gid  cuid  cgid      stime      rtime      ctime\n",
141 				IPC_MSG_IDS, sysvipc_msg_proc_show);
142 }
143 
144 /*
145  * msg_lock_(check_) routines are called in the paths where the rw_mutex
146  * is not held.
147  */
148 static inline struct msg_queue *msg_lock(struct ipc_namespace *ns, int id)
149 {
150 	struct kern_ipc_perm *ipcp = ipc_lock(&msg_ids(ns), id);
151 
152 	if (IS_ERR(ipcp))
153 		return (struct msg_queue *)ipcp;
154 
155 	return container_of(ipcp, struct msg_queue, q_perm);
156 }
157 
158 static inline struct msg_queue *msg_lock_check(struct ipc_namespace *ns,
159 						int id)
160 {
161 	struct kern_ipc_perm *ipcp = ipc_lock_check(&msg_ids(ns), id);
162 
163 	if (IS_ERR(ipcp))
164 		return (struct msg_queue *)ipcp;
165 
166 	return container_of(ipcp, struct msg_queue, q_perm);
167 }
168 
169 static inline void msg_rmid(struct ipc_namespace *ns, struct msg_queue *s)
170 {
171 	ipc_rmid(&msg_ids(ns), &s->q_perm);
172 }
173 
174 /**
175  * newque - Create a new msg queue
176  * @ns: namespace
177  * @params: ptr to the structure that contains the key and msgflg
178  *
179  * Called with msg_ids.rw_mutex held (writer)
180  */
181 static int newque(struct ipc_namespace *ns, struct ipc_params *params)
182 {
183 	struct msg_queue *msq;
184 	int id, retval;
185 	key_t key = params->key;
186 	int msgflg = params->flg;
187 
188 	msq = ipc_rcu_alloc(sizeof(*msq));
189 	if (!msq)
190 		return -ENOMEM;
191 
192 	msq->q_perm.mode = msgflg & S_IRWXUGO;
193 	msq->q_perm.key = key;
194 
195 	msq->q_perm.security = NULL;
196 	retval = security_msg_queue_alloc(msq);
197 	if (retval) {
198 		ipc_rcu_putref(msq);
199 		return retval;
200 	}
201 
202 	/*
203 	 * ipc_addid() locks msq
204 	 */
205 	id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
206 	if (id < 0) {
207 		security_msg_queue_free(msq);
208 		ipc_rcu_putref(msq);
209 		return id;
210 	}
211 
212 	msq->q_stime = msq->q_rtime = 0;
213 	msq->q_ctime = get_seconds();
214 	msq->q_cbytes = msq->q_qnum = 0;
215 	msq->q_qbytes = ns->msg_ctlmnb;
216 	msq->q_lspid = msq->q_lrpid = 0;
217 	INIT_LIST_HEAD(&msq->q_messages);
218 	INIT_LIST_HEAD(&msq->q_receivers);
219 	INIT_LIST_HEAD(&msq->q_senders);
220 
221 	msg_unlock(msq);
222 
223 	return msq->q_perm.id;
224 }
225 
226 static inline void ss_add(struct msg_queue *msq, struct msg_sender *mss)
227 {
228 	mss->tsk = current;
229 	current->state = TASK_INTERRUPTIBLE;
230 	list_add_tail(&mss->list, &msq->q_senders);
231 }
232 
233 static inline void ss_del(struct msg_sender *mss)
234 {
235 	if (mss->list.next != NULL)
236 		list_del(&mss->list);
237 }
238 
239 static void ss_wakeup(struct list_head *h, int kill)
240 {
241 	struct list_head *tmp;
242 
243 	tmp = h->next;
244 	while (tmp != h) {
245 		struct msg_sender *mss;
246 
247 		mss = list_entry(tmp, struct msg_sender, list);
248 		tmp = tmp->next;
249 		if (kill)
250 			mss->list.next = NULL;
251 		wake_up_process(mss->tsk);
252 	}
253 }
254 
255 static void expunge_all(struct msg_queue *msq, int res)
256 {
257 	struct list_head *tmp;
258 
259 	tmp = msq->q_receivers.next;
260 	while (tmp != &msq->q_receivers) {
261 		struct msg_receiver *msr;
262 
263 		msr = list_entry(tmp, struct msg_receiver, r_list);
264 		tmp = tmp->next;
265 		msr->r_msg = NULL;
266 		wake_up_process(msr->r_tsk);
267 		smp_mb();
268 		msr->r_msg = ERR_PTR(res);
269 	}
270 }
271 
272 /*
273  * freeque() wakes up waiters on the sender and receiver waiting queue,
274  * removes the message queue from message queue ID IDR, and cleans up all the
275  * messages associated with this queue.
276  *
277  * msg_ids.rw_mutex (writer) and the spinlock for this message queue are held
278  * before freeque() is called. msg_ids.rw_mutex remains locked on exit.
279  */
280 static void freeque(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp)
281 {
282 	struct list_head *tmp;
283 	struct msg_queue *msq = container_of(ipcp, struct msg_queue, q_perm);
284 
285 	expunge_all(msq, -EIDRM);
286 	ss_wakeup(&msq->q_senders, 1);
287 	msg_rmid(ns, msq);
288 	msg_unlock(msq);
289 
290 	tmp = msq->q_messages.next;
291 	while (tmp != &msq->q_messages) {
292 		struct msg_msg *msg = list_entry(tmp, struct msg_msg, m_list);
293 
294 		tmp = tmp->next;
295 		atomic_dec(&ns->msg_hdrs);
296 		free_msg(msg);
297 	}
298 	atomic_sub(msq->q_cbytes, &ns->msg_bytes);
299 	security_msg_queue_free(msq);
300 	ipc_rcu_putref(msq);
301 }
302 
303 /*
304  * Called with msg_ids.rw_mutex and ipcp locked.
305  */
306 static inline int msg_security(struct kern_ipc_perm *ipcp, int msgflg)
307 {
308 	struct msg_queue *msq = container_of(ipcp, struct msg_queue, q_perm);
309 
310 	return security_msg_queue_associate(msq, msgflg);
311 }
312 
313 SYSCALL_DEFINE2(msgget, key_t, key, int, msgflg)
314 {
315 	struct ipc_namespace *ns;
316 	struct ipc_ops msg_ops;
317 	struct ipc_params msg_params;
318 
319 	ns = current->nsproxy->ipc_ns;
320 
321 	msg_ops.getnew = newque;
322 	msg_ops.associate = msg_security;
323 	msg_ops.more_checks = NULL;
324 
325 	msg_params.key = key;
326 	msg_params.flg = msgflg;
327 
328 	return ipcget(ns, &msg_ids(ns), &msg_ops, &msg_params);
329 }
330 
331 static inline unsigned long
332 copy_msqid_to_user(void __user *buf, struct msqid64_ds *in, int version)
333 {
334 	switch(version) {
335 	case IPC_64:
336 		return copy_to_user(buf, in, sizeof(*in));
337 	case IPC_OLD:
338 	{
339 		struct msqid_ds out;
340 
341 		memset(&out, 0, sizeof(out));
342 
343 		ipc64_perm_to_ipc_perm(&in->msg_perm, &out.msg_perm);
344 
345 		out.msg_stime		= in->msg_stime;
346 		out.msg_rtime		= in->msg_rtime;
347 		out.msg_ctime		= in->msg_ctime;
348 
349 		if (in->msg_cbytes > USHORT_MAX)
350 			out.msg_cbytes	= USHORT_MAX;
351 		else
352 			out.msg_cbytes	= in->msg_cbytes;
353 		out.msg_lcbytes		= in->msg_cbytes;
354 
355 		if (in->msg_qnum > USHORT_MAX)
356 			out.msg_qnum	= USHORT_MAX;
357 		else
358 			out.msg_qnum	= in->msg_qnum;
359 
360 		if (in->msg_qbytes > USHORT_MAX)
361 			out.msg_qbytes	= USHORT_MAX;
362 		else
363 			out.msg_qbytes	= in->msg_qbytes;
364 		out.msg_lqbytes		= in->msg_qbytes;
365 
366 		out.msg_lspid		= in->msg_lspid;
367 		out.msg_lrpid		= in->msg_lrpid;
368 
369 		return copy_to_user(buf, &out, sizeof(out));
370 	}
371 	default:
372 		return -EINVAL;
373 	}
374 }
375 
376 static inline unsigned long
377 copy_msqid_from_user(struct msqid64_ds *out, void __user *buf, int version)
378 {
379 	switch(version) {
380 	case IPC_64:
381 		if (copy_from_user(out, buf, sizeof(*out)))
382 			return -EFAULT;
383 		return 0;
384 	case IPC_OLD:
385 	{
386 		struct msqid_ds tbuf_old;
387 
388 		if (copy_from_user(&tbuf_old, buf, sizeof(tbuf_old)))
389 			return -EFAULT;
390 
391 		out->msg_perm.uid      	= tbuf_old.msg_perm.uid;
392 		out->msg_perm.gid      	= tbuf_old.msg_perm.gid;
393 		out->msg_perm.mode     	= tbuf_old.msg_perm.mode;
394 
395 		if (tbuf_old.msg_qbytes == 0)
396 			out->msg_qbytes	= tbuf_old.msg_lqbytes;
397 		else
398 			out->msg_qbytes	= tbuf_old.msg_qbytes;
399 
400 		return 0;
401 	}
402 	default:
403 		return -EINVAL;
404 	}
405 }
406 
407 /*
408  * This function handles some msgctl commands which require the rw_mutex
409  * to be held in write mode.
410  * NOTE: no locks must be held, the rw_mutex is taken inside this function.
411  */
412 static int msgctl_down(struct ipc_namespace *ns, int msqid, int cmd,
413 		       struct msqid_ds __user *buf, int version)
414 {
415 	struct kern_ipc_perm *ipcp;
416 	struct msqid64_ds uninitialized_var(msqid64);
417 	struct msg_queue *msq;
418 	int err;
419 
420 	if (cmd == IPC_SET) {
421 		if (copy_msqid_from_user(&msqid64, buf, version))
422 			return -EFAULT;
423 	}
424 
425 	ipcp = ipcctl_pre_down(&msg_ids(ns), msqid, cmd,
426 			       &msqid64.msg_perm, msqid64.msg_qbytes);
427 	if (IS_ERR(ipcp))
428 		return PTR_ERR(ipcp);
429 
430 	msq = container_of(ipcp, struct msg_queue, q_perm);
431 
432 	err = security_msg_queue_msgctl(msq, cmd);
433 	if (err)
434 		goto out_unlock;
435 
436 	switch (cmd) {
437 	case IPC_RMID:
438 		freeque(ns, ipcp);
439 		goto out_up;
440 	case IPC_SET:
441 		if (msqid64.msg_qbytes > ns->msg_ctlmnb &&
442 		    !capable(CAP_SYS_RESOURCE)) {
443 			err = -EPERM;
444 			goto out_unlock;
445 		}
446 
447 		msq->q_qbytes = msqid64.msg_qbytes;
448 
449 		ipc_update_perm(&msqid64.msg_perm, ipcp);
450 		msq->q_ctime = get_seconds();
451 		/* sleeping receivers might be excluded by
452 		 * stricter permissions.
453 		 */
454 		expunge_all(msq, -EAGAIN);
455 		/* sleeping senders might be able to send
456 		 * due to a larger queue size.
457 		 */
458 		ss_wakeup(&msq->q_senders, 0);
459 		break;
460 	default:
461 		err = -EINVAL;
462 	}
463 out_unlock:
464 	msg_unlock(msq);
465 out_up:
466 	up_write(&msg_ids(ns).rw_mutex);
467 	return err;
468 }
469 
470 SYSCALL_DEFINE3(msgctl, int, msqid, int, cmd, struct msqid_ds __user *, buf)
471 {
472 	struct msg_queue *msq;
473 	int err, version;
474 	struct ipc_namespace *ns;
475 
476 	if (msqid < 0 || cmd < 0)
477 		return -EINVAL;
478 
479 	version = ipc_parse_version(&cmd);
480 	ns = current->nsproxy->ipc_ns;
481 
482 	switch (cmd) {
483 	case IPC_INFO:
484 	case MSG_INFO:
485 	{
486 		struct msginfo msginfo;
487 		int max_id;
488 
489 		if (!buf)
490 			return -EFAULT;
491 		/*
492 		 * We must not return kernel stack data.
493 		 * due to padding, it's not enough
494 		 * to set all member fields.
495 		 */
496 		err = security_msg_queue_msgctl(NULL, cmd);
497 		if (err)
498 			return err;
499 
500 		memset(&msginfo, 0, sizeof(msginfo));
501 		msginfo.msgmni = ns->msg_ctlmni;
502 		msginfo.msgmax = ns->msg_ctlmax;
503 		msginfo.msgmnb = ns->msg_ctlmnb;
504 		msginfo.msgssz = MSGSSZ;
505 		msginfo.msgseg = MSGSEG;
506 		down_read(&msg_ids(ns).rw_mutex);
507 		if (cmd == MSG_INFO) {
508 			msginfo.msgpool = msg_ids(ns).in_use;
509 			msginfo.msgmap = atomic_read(&ns->msg_hdrs);
510 			msginfo.msgtql = atomic_read(&ns->msg_bytes);
511 		} else {
512 			msginfo.msgmap = MSGMAP;
513 			msginfo.msgpool = MSGPOOL;
514 			msginfo.msgtql = MSGTQL;
515 		}
516 		max_id = ipc_get_maxid(&msg_ids(ns));
517 		up_read(&msg_ids(ns).rw_mutex);
518 		if (copy_to_user(buf, &msginfo, sizeof(struct msginfo)))
519 			return -EFAULT;
520 		return (max_id < 0) ? 0 : max_id;
521 	}
522 	case MSG_STAT:	/* msqid is an index rather than a msg queue id */
523 	case IPC_STAT:
524 	{
525 		struct msqid64_ds tbuf;
526 		int success_return;
527 
528 		if (!buf)
529 			return -EFAULT;
530 
531 		if (cmd == MSG_STAT) {
532 			msq = msg_lock(ns, msqid);
533 			if (IS_ERR(msq))
534 				return PTR_ERR(msq);
535 			success_return = msq->q_perm.id;
536 		} else {
537 			msq = msg_lock_check(ns, msqid);
538 			if (IS_ERR(msq))
539 				return PTR_ERR(msq);
540 			success_return = 0;
541 		}
542 		err = -EACCES;
543 		if (ipcperms(&msq->q_perm, S_IRUGO))
544 			goto out_unlock;
545 
546 		err = security_msg_queue_msgctl(msq, cmd);
547 		if (err)
548 			goto out_unlock;
549 
550 		memset(&tbuf, 0, sizeof(tbuf));
551 
552 		kernel_to_ipc64_perm(&msq->q_perm, &tbuf.msg_perm);
553 		tbuf.msg_stime  = msq->q_stime;
554 		tbuf.msg_rtime  = msq->q_rtime;
555 		tbuf.msg_ctime  = msq->q_ctime;
556 		tbuf.msg_cbytes = msq->q_cbytes;
557 		tbuf.msg_qnum   = msq->q_qnum;
558 		tbuf.msg_qbytes = msq->q_qbytes;
559 		tbuf.msg_lspid  = msq->q_lspid;
560 		tbuf.msg_lrpid  = msq->q_lrpid;
561 		msg_unlock(msq);
562 		if (copy_msqid_to_user(buf, &tbuf, version))
563 			return -EFAULT;
564 		return success_return;
565 	}
566 	case IPC_SET:
567 	case IPC_RMID:
568 		err = msgctl_down(ns, msqid, cmd, buf, version);
569 		return err;
570 	default:
571 		return  -EINVAL;
572 	}
573 
574 out_unlock:
575 	msg_unlock(msq);
576 	return err;
577 }
578 
579 static int testmsg(struct msg_msg *msg, long type, int mode)
580 {
581 	switch(mode)
582 	{
583 		case SEARCH_ANY:
584 			return 1;
585 		case SEARCH_LESSEQUAL:
586 			if (msg->m_type <=type)
587 				return 1;
588 			break;
589 		case SEARCH_EQUAL:
590 			if (msg->m_type == type)
591 				return 1;
592 			break;
593 		case SEARCH_NOTEQUAL:
594 			if (msg->m_type != type)
595 				return 1;
596 			break;
597 	}
598 	return 0;
599 }
600 
601 static inline int pipelined_send(struct msg_queue *msq, struct msg_msg *msg)
602 {
603 	struct list_head *tmp;
604 
605 	tmp = msq->q_receivers.next;
606 	while (tmp != &msq->q_receivers) {
607 		struct msg_receiver *msr;
608 
609 		msr = list_entry(tmp, struct msg_receiver, r_list);
610 		tmp = tmp->next;
611 		if (testmsg(msg, msr->r_msgtype, msr->r_mode) &&
612 		    !security_msg_queue_msgrcv(msq, msg, msr->r_tsk,
613 					       msr->r_msgtype, msr->r_mode)) {
614 
615 			list_del(&msr->r_list);
616 			if (msr->r_maxsize < msg->m_ts) {
617 				msr->r_msg = NULL;
618 				wake_up_process(msr->r_tsk);
619 				smp_mb();
620 				msr->r_msg = ERR_PTR(-E2BIG);
621 			} else {
622 				msr->r_msg = NULL;
623 				msq->q_lrpid = task_pid_vnr(msr->r_tsk);
624 				msq->q_rtime = get_seconds();
625 				wake_up_process(msr->r_tsk);
626 				smp_mb();
627 				msr->r_msg = msg;
628 
629 				return 1;
630 			}
631 		}
632 	}
633 	return 0;
634 }
635 
636 long do_msgsnd(int msqid, long mtype, void __user *mtext,
637 		size_t msgsz, int msgflg)
638 {
639 	struct msg_queue *msq;
640 	struct msg_msg *msg;
641 	int err;
642 	struct ipc_namespace *ns;
643 
644 	ns = current->nsproxy->ipc_ns;
645 
646 	if (msgsz > ns->msg_ctlmax || (long) msgsz < 0 || msqid < 0)
647 		return -EINVAL;
648 	if (mtype < 1)
649 		return -EINVAL;
650 
651 	msg = load_msg(mtext, msgsz);
652 	if (IS_ERR(msg))
653 		return PTR_ERR(msg);
654 
655 	msg->m_type = mtype;
656 	msg->m_ts = msgsz;
657 
658 	msq = msg_lock_check(ns, msqid);
659 	if (IS_ERR(msq)) {
660 		err = PTR_ERR(msq);
661 		goto out_free;
662 	}
663 
664 	for (;;) {
665 		struct msg_sender s;
666 
667 		err = -EACCES;
668 		if (ipcperms(&msq->q_perm, S_IWUGO))
669 			goto out_unlock_free;
670 
671 		err = security_msg_queue_msgsnd(msq, msg, msgflg);
672 		if (err)
673 			goto out_unlock_free;
674 
675 		if (msgsz + msq->q_cbytes <= msq->q_qbytes &&
676 				1 + msq->q_qnum <= msq->q_qbytes) {
677 			break;
678 		}
679 
680 		/* queue full, wait: */
681 		if (msgflg & IPC_NOWAIT) {
682 			err = -EAGAIN;
683 			goto out_unlock_free;
684 		}
685 		ss_add(msq, &s);
686 		ipc_rcu_getref(msq);
687 		msg_unlock(msq);
688 		schedule();
689 
690 		ipc_lock_by_ptr(&msq->q_perm);
691 		ipc_rcu_putref(msq);
692 		if (msq->q_perm.deleted) {
693 			err = -EIDRM;
694 			goto out_unlock_free;
695 		}
696 		ss_del(&s);
697 
698 		if (signal_pending(current)) {
699 			err = -ERESTARTNOHAND;
700 			goto out_unlock_free;
701 		}
702 	}
703 
704 	msq->q_lspid = task_tgid_vnr(current);
705 	msq->q_stime = get_seconds();
706 
707 	if (!pipelined_send(msq, msg)) {
708 		/* noone is waiting for this message, enqueue it */
709 		list_add_tail(&msg->m_list, &msq->q_messages);
710 		msq->q_cbytes += msgsz;
711 		msq->q_qnum++;
712 		atomic_add(msgsz, &ns->msg_bytes);
713 		atomic_inc(&ns->msg_hdrs);
714 	}
715 
716 	err = 0;
717 	msg = NULL;
718 
719 out_unlock_free:
720 	msg_unlock(msq);
721 out_free:
722 	if (msg != NULL)
723 		free_msg(msg);
724 	return err;
725 }
726 
727 SYSCALL_DEFINE4(msgsnd, int, msqid, struct msgbuf __user *, msgp, size_t, msgsz,
728 		int, msgflg)
729 {
730 	long mtype;
731 
732 	if (get_user(mtype, &msgp->mtype))
733 		return -EFAULT;
734 	return do_msgsnd(msqid, mtype, msgp->mtext, msgsz, msgflg);
735 }
736 
737 static inline int convert_mode(long *msgtyp, int msgflg)
738 {
739 	/*
740 	 *  find message of correct type.
741 	 *  msgtyp = 0 => get first.
742 	 *  msgtyp > 0 => get first message of matching type.
743 	 *  msgtyp < 0 => get message with least type must be < abs(msgtype).
744 	 */
745 	if (*msgtyp == 0)
746 		return SEARCH_ANY;
747 	if (*msgtyp < 0) {
748 		*msgtyp = -*msgtyp;
749 		return SEARCH_LESSEQUAL;
750 	}
751 	if (msgflg & MSG_EXCEPT)
752 		return SEARCH_NOTEQUAL;
753 	return SEARCH_EQUAL;
754 }
755 
756 long do_msgrcv(int msqid, long *pmtype, void __user *mtext,
757 		size_t msgsz, long msgtyp, int msgflg)
758 {
759 	struct msg_queue *msq;
760 	struct msg_msg *msg;
761 	int mode;
762 	struct ipc_namespace *ns;
763 
764 	if (msqid < 0 || (long) msgsz < 0)
765 		return -EINVAL;
766 	mode = convert_mode(&msgtyp, msgflg);
767 	ns = current->nsproxy->ipc_ns;
768 
769 	msq = msg_lock_check(ns, msqid);
770 	if (IS_ERR(msq))
771 		return PTR_ERR(msq);
772 
773 	for (;;) {
774 		struct msg_receiver msr_d;
775 		struct list_head *tmp;
776 
777 		msg = ERR_PTR(-EACCES);
778 		if (ipcperms(&msq->q_perm, S_IRUGO))
779 			goto out_unlock;
780 
781 		msg = ERR_PTR(-EAGAIN);
782 		tmp = msq->q_messages.next;
783 		while (tmp != &msq->q_messages) {
784 			struct msg_msg *walk_msg;
785 
786 			walk_msg = list_entry(tmp, struct msg_msg, m_list);
787 			if (testmsg(walk_msg, msgtyp, mode) &&
788 			    !security_msg_queue_msgrcv(msq, walk_msg, current,
789 						       msgtyp, mode)) {
790 
791 				msg = walk_msg;
792 				if (mode == SEARCH_LESSEQUAL &&
793 						walk_msg->m_type != 1) {
794 					msg = walk_msg;
795 					msgtyp = walk_msg->m_type - 1;
796 				} else {
797 					msg = walk_msg;
798 					break;
799 				}
800 			}
801 			tmp = tmp->next;
802 		}
803 		if (!IS_ERR(msg)) {
804 			/*
805 			 * Found a suitable message.
806 			 * Unlink it from the queue.
807 			 */
808 			if ((msgsz < msg->m_ts) && !(msgflg & MSG_NOERROR)) {
809 				msg = ERR_PTR(-E2BIG);
810 				goto out_unlock;
811 			}
812 			list_del(&msg->m_list);
813 			msq->q_qnum--;
814 			msq->q_rtime = get_seconds();
815 			msq->q_lrpid = task_tgid_vnr(current);
816 			msq->q_cbytes -= msg->m_ts;
817 			atomic_sub(msg->m_ts, &ns->msg_bytes);
818 			atomic_dec(&ns->msg_hdrs);
819 			ss_wakeup(&msq->q_senders, 0);
820 			msg_unlock(msq);
821 			break;
822 		}
823 		/* No message waiting. Wait for a message */
824 		if (msgflg & IPC_NOWAIT) {
825 			msg = ERR_PTR(-ENOMSG);
826 			goto out_unlock;
827 		}
828 		list_add_tail(&msr_d.r_list, &msq->q_receivers);
829 		msr_d.r_tsk = current;
830 		msr_d.r_msgtype = msgtyp;
831 		msr_d.r_mode = mode;
832 		if (msgflg & MSG_NOERROR)
833 			msr_d.r_maxsize = INT_MAX;
834 		else
835 			msr_d.r_maxsize = msgsz;
836 		msr_d.r_msg = ERR_PTR(-EAGAIN);
837 		current->state = TASK_INTERRUPTIBLE;
838 		msg_unlock(msq);
839 
840 		schedule();
841 
842 		/* Lockless receive, part 1:
843 		 * Disable preemption.  We don't hold a reference to the queue
844 		 * and getting a reference would defeat the idea of a lockless
845 		 * operation, thus the code relies on rcu to guarantee the
846 		 * existance of msq:
847 		 * Prior to destruction, expunge_all(-EIRDM) changes r_msg.
848 		 * Thus if r_msg is -EAGAIN, then the queue not yet destroyed.
849 		 * rcu_read_lock() prevents preemption between reading r_msg
850 		 * and the spin_lock() inside ipc_lock_by_ptr().
851 		 */
852 		rcu_read_lock();
853 
854 		/* Lockless receive, part 2:
855 		 * Wait until pipelined_send or expunge_all are outside of
856 		 * wake_up_process(). There is a race with exit(), see
857 		 * ipc/mqueue.c for the details.
858 		 */
859 		msg = (struct msg_msg*)msr_d.r_msg;
860 		while (msg == NULL) {
861 			cpu_relax();
862 			msg = (struct msg_msg *)msr_d.r_msg;
863 		}
864 
865 		/* Lockless receive, part 3:
866 		 * If there is a message or an error then accept it without
867 		 * locking.
868 		 */
869 		if (msg != ERR_PTR(-EAGAIN)) {
870 			rcu_read_unlock();
871 			break;
872 		}
873 
874 		/* Lockless receive, part 3:
875 		 * Acquire the queue spinlock.
876 		 */
877 		ipc_lock_by_ptr(&msq->q_perm);
878 		rcu_read_unlock();
879 
880 		/* Lockless receive, part 4:
881 		 * Repeat test after acquiring the spinlock.
882 		 */
883 		msg = (struct msg_msg*)msr_d.r_msg;
884 		if (msg != ERR_PTR(-EAGAIN))
885 			goto out_unlock;
886 
887 		list_del(&msr_d.r_list);
888 		if (signal_pending(current)) {
889 			msg = ERR_PTR(-ERESTARTNOHAND);
890 out_unlock:
891 			msg_unlock(msq);
892 			break;
893 		}
894 	}
895 	if (IS_ERR(msg))
896 		return PTR_ERR(msg);
897 
898 	msgsz = (msgsz > msg->m_ts) ? msg->m_ts : msgsz;
899 	*pmtype = msg->m_type;
900 	if (store_msg(mtext, msg, msgsz))
901 		msgsz = -EFAULT;
902 
903 	free_msg(msg);
904 
905 	return msgsz;
906 }
907 
908 SYSCALL_DEFINE5(msgrcv, int, msqid, struct msgbuf __user *, msgp, size_t, msgsz,
909 		long, msgtyp, int, msgflg)
910 {
911 	long err, mtype;
912 
913 	err =  do_msgrcv(msqid, &mtype, msgp->mtext, msgsz, msgtyp, msgflg);
914 	if (err < 0)
915 		goto out;
916 
917 	if (put_user(mtype, &msgp->mtype))
918 		err = -EFAULT;
919 out:
920 	return err;
921 }
922 
923 #ifdef CONFIG_PROC_FS
924 static int sysvipc_msg_proc_show(struct seq_file *s, void *it)
925 {
926 	struct msg_queue *msq = it;
927 
928 	return seq_printf(s,
929 			"%10d %10d  %4o  %10lu %10lu %5u %5u %5u %5u %5u %5u %10lu %10lu %10lu\n",
930 			msq->q_perm.key,
931 			msq->q_perm.id,
932 			msq->q_perm.mode,
933 			msq->q_cbytes,
934 			msq->q_qnum,
935 			msq->q_lspid,
936 			msq->q_lrpid,
937 			msq->q_perm.uid,
938 			msq->q_perm.gid,
939 			msq->q_perm.cuid,
940 			msq->q_perm.cgid,
941 			msq->q_stime,
942 			msq->q_rtime,
943 			msq->q_ctime);
944 }
945 #endif
946