xref: /openbmc/linux/ipc/msg.c (revision e868d61272caa648214046a096e5a6bfc068dc8c)
1 /*
2  * linux/ipc/msg.c
3  * Copyright (C) 1992 Krishna Balasubramanian
4  *
5  * Removed all the remaining kerneld mess
6  * Catch the -EFAULT stuff properly
7  * Use GFP_KERNEL for messages as in 1.2
8  * Fixed up the unchecked user space derefs
9  * Copyright (C) 1998 Alan Cox & Andi Kleen
10  *
11  * /proc/sysvipc/msg support (c) 1999 Dragos Acostachioaie <dragos@iname.com>
12  *
13  * mostly rewritten, threaded and wake-one semantics added
14  * MSGMAX limit removed, sysctl's added
15  * (c) 1999 Manfred Spraul <manfred@colorfullife.com>
16  *
17  * support for audit of ipc object properties and permission changes
18  * Dustin Kirkland <dustin.kirkland@us.ibm.com>
19  *
20  * namespaces support
21  * OpenVZ, SWsoft Inc.
22  * Pavel Emelianov <xemul@openvz.org>
23  */
24 
25 #include <linux/capability.h>
26 #include <linux/slab.h>
27 #include <linux/msg.h>
28 #include <linux/spinlock.h>
29 #include <linux/init.h>
30 #include <linux/proc_fs.h>
31 #include <linux/list.h>
32 #include <linux/security.h>
33 #include <linux/sched.h>
34 #include <linux/syscalls.h>
35 #include <linux/audit.h>
36 #include <linux/seq_file.h>
37 #include <linux/mutex.h>
38 #include <linux/nsproxy.h>
39 
40 #include <asm/current.h>
41 #include <asm/uaccess.h>
42 #include "util.h"
43 
44 /*
45  * one msg_receiver structure for each sleeping receiver:
46  */
47 struct msg_receiver {
48 	struct list_head	r_list;
49 	struct task_struct	*r_tsk;
50 
51 	int			r_mode;
52 	long			r_msgtype;
53 	long			r_maxsize;
54 
55 	struct msg_msg		*volatile r_msg;
56 };
57 
58 /* one msg_sender for each sleeping sender */
59 struct msg_sender {
60 	struct list_head	list;
61 	struct task_struct	*tsk;
62 };
63 
64 #define SEARCH_ANY		1
65 #define SEARCH_EQUAL		2
66 #define SEARCH_NOTEQUAL		3
67 #define SEARCH_LESSEQUAL	4
68 
69 static atomic_t msg_bytes =	ATOMIC_INIT(0);
70 static atomic_t msg_hdrs =	ATOMIC_INIT(0);
71 
72 static struct ipc_ids init_msg_ids;
73 
74 #define msg_ids(ns)	(*((ns)->ids[IPC_MSG_IDS]))
75 
76 #define msg_lock(ns, id)	((struct msg_queue*)ipc_lock(&msg_ids(ns), id))
77 #define msg_unlock(msq)		ipc_unlock(&(msq)->q_perm)
78 #define msg_rmid(ns, id)	((struct msg_queue*)ipc_rmid(&msg_ids(ns), id))
79 #define msg_checkid(ns, msq, msgid)	\
80 	ipc_checkid(&msg_ids(ns), &msq->q_perm, msgid)
81 #define msg_buildid(ns, id, seq) \
82 	ipc_buildid(&msg_ids(ns), id, seq)
83 
84 static void freeque (struct ipc_namespace *ns, struct msg_queue *msq, int id);
85 static int newque (struct ipc_namespace *ns, key_t key, int msgflg);
86 #ifdef CONFIG_PROC_FS
87 static int sysvipc_msg_proc_show(struct seq_file *s, void *it);
88 #endif
89 
90 static void __ipc_init __msg_init_ns(struct ipc_namespace *ns, struct ipc_ids *ids)
91 {
92 	ns->ids[IPC_MSG_IDS] = ids;
93 	ns->msg_ctlmax = MSGMAX;
94 	ns->msg_ctlmnb = MSGMNB;
95 	ns->msg_ctlmni = MSGMNI;
96 	ipc_init_ids(ids, ns->msg_ctlmni);
97 }
98 
99 #ifdef CONFIG_IPC_NS
100 int msg_init_ns(struct ipc_namespace *ns)
101 {
102 	struct ipc_ids *ids;
103 
104 	ids = kmalloc(sizeof(struct ipc_ids), GFP_KERNEL);
105 	if (ids == NULL)
106 		return -ENOMEM;
107 
108 	__msg_init_ns(ns, ids);
109 	return 0;
110 }
111 
112 void msg_exit_ns(struct ipc_namespace *ns)
113 {
114 	int i;
115 	struct msg_queue *msq;
116 
117 	mutex_lock(&msg_ids(ns).mutex);
118 	for (i = 0; i <= msg_ids(ns).max_id; i++) {
119 		msq = msg_lock(ns, i);
120 		if (msq == NULL)
121 			continue;
122 
123 		freeque(ns, msq, i);
124 	}
125 	mutex_unlock(&msg_ids(ns).mutex);
126 
127 	ipc_fini_ids(ns->ids[IPC_MSG_IDS]);
128 	kfree(ns->ids[IPC_MSG_IDS]);
129 	ns->ids[IPC_MSG_IDS] = NULL;
130 }
131 #endif
132 
133 void __init msg_init(void)
134 {
135 	__msg_init_ns(&init_ipc_ns, &init_msg_ids);
136 	ipc_init_proc_interface("sysvipc/msg",
137 				"       key      msqid perms      cbytes       qnum lspid lrpid   uid   gid  cuid  cgid      stime      rtime      ctime\n",
138 				IPC_MSG_IDS, sysvipc_msg_proc_show);
139 }
140 
141 static int newque (struct ipc_namespace *ns, key_t key, int msgflg)
142 {
143 	struct msg_queue *msq;
144 	int id, retval;
145 
146 	msq = ipc_rcu_alloc(sizeof(*msq));
147 	if (!msq)
148 		return -ENOMEM;
149 
150 	msq->q_perm.mode = msgflg & S_IRWXUGO;
151 	msq->q_perm.key = key;
152 
153 	msq->q_perm.security = NULL;
154 	retval = security_msg_queue_alloc(msq);
155 	if (retval) {
156 		ipc_rcu_putref(msq);
157 		return retval;
158 	}
159 
160 	id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
161 	if (id == -1) {
162 		security_msg_queue_free(msq);
163 		ipc_rcu_putref(msq);
164 		return -ENOSPC;
165 	}
166 
167 	msq->q_id = msg_buildid(ns, id, msq->q_perm.seq);
168 	msq->q_stime = msq->q_rtime = 0;
169 	msq->q_ctime = get_seconds();
170 	msq->q_cbytes = msq->q_qnum = 0;
171 	msq->q_qbytes = ns->msg_ctlmnb;
172 	msq->q_lspid = msq->q_lrpid = 0;
173 	INIT_LIST_HEAD(&msq->q_messages);
174 	INIT_LIST_HEAD(&msq->q_receivers);
175 	INIT_LIST_HEAD(&msq->q_senders);
176 	msg_unlock(msq);
177 
178 	return msq->q_id;
179 }
180 
181 static inline void ss_add(struct msg_queue *msq, struct msg_sender *mss)
182 {
183 	mss->tsk = current;
184 	current->state = TASK_INTERRUPTIBLE;
185 	list_add_tail(&mss->list, &msq->q_senders);
186 }
187 
188 static inline void ss_del(struct msg_sender *mss)
189 {
190 	if (mss->list.next != NULL)
191 		list_del(&mss->list);
192 }
193 
194 static void ss_wakeup(struct list_head *h, int kill)
195 {
196 	struct list_head *tmp;
197 
198 	tmp = h->next;
199 	while (tmp != h) {
200 		struct msg_sender *mss;
201 
202 		mss = list_entry(tmp, struct msg_sender, list);
203 		tmp = tmp->next;
204 		if (kill)
205 			mss->list.next = NULL;
206 		wake_up_process(mss->tsk);
207 	}
208 }
209 
210 static void expunge_all(struct msg_queue *msq, int res)
211 {
212 	struct list_head *tmp;
213 
214 	tmp = msq->q_receivers.next;
215 	while (tmp != &msq->q_receivers) {
216 		struct msg_receiver *msr;
217 
218 		msr = list_entry(tmp, struct msg_receiver, r_list);
219 		tmp = tmp->next;
220 		msr->r_msg = NULL;
221 		wake_up_process(msr->r_tsk);
222 		smp_mb();
223 		msr->r_msg = ERR_PTR(res);
224 	}
225 }
226 
227 /*
228  * freeque() wakes up waiters on the sender and receiver waiting queue,
229  * removes the message queue from message queue ID
230  * array, and cleans up all the messages associated with this queue.
231  *
232  * msg_ids.mutex and the spinlock for this message queue is hold
233  * before freeque() is called. msg_ids.mutex remains locked on exit.
234  */
235 static void freeque(struct ipc_namespace *ns, struct msg_queue *msq, int id)
236 {
237 	struct list_head *tmp;
238 
239 	expunge_all(msq, -EIDRM);
240 	ss_wakeup(&msq->q_senders, 1);
241 	msq = msg_rmid(ns, id);
242 	msg_unlock(msq);
243 
244 	tmp = msq->q_messages.next;
245 	while (tmp != &msq->q_messages) {
246 		struct msg_msg *msg = list_entry(tmp, struct msg_msg, m_list);
247 
248 		tmp = tmp->next;
249 		atomic_dec(&msg_hdrs);
250 		free_msg(msg);
251 	}
252 	atomic_sub(msq->q_cbytes, &msg_bytes);
253 	security_msg_queue_free(msq);
254 	ipc_rcu_putref(msq);
255 }
256 
257 asmlinkage long sys_msgget(key_t key, int msgflg)
258 {
259 	struct msg_queue *msq;
260 	int id, ret = -EPERM;
261 	struct ipc_namespace *ns;
262 
263 	ns = current->nsproxy->ipc_ns;
264 
265 	mutex_lock(&msg_ids(ns).mutex);
266 	if (key == IPC_PRIVATE)
267 		ret = newque(ns, key, msgflg);
268 	else if ((id = ipc_findkey(&msg_ids(ns), key)) == -1) { /* key not used */
269 		if (!(msgflg & IPC_CREAT))
270 			ret = -ENOENT;
271 		else
272 			ret = newque(ns, key, msgflg);
273 	} else if (msgflg & IPC_CREAT && msgflg & IPC_EXCL) {
274 		ret = -EEXIST;
275 	} else {
276 		msq = msg_lock(ns, id);
277 		BUG_ON(msq == NULL);
278 		if (ipcperms(&msq->q_perm, msgflg))
279 			ret = -EACCES;
280 		else {
281 			int qid = msg_buildid(ns, id, msq->q_perm.seq);
282 
283 			ret = security_msg_queue_associate(msq, msgflg);
284 			if (!ret)
285 				ret = qid;
286 		}
287 		msg_unlock(msq);
288 	}
289 	mutex_unlock(&msg_ids(ns).mutex);
290 
291 	return ret;
292 }
293 
294 static inline unsigned long
295 copy_msqid_to_user(void __user *buf, struct msqid64_ds *in, int version)
296 {
297 	switch(version) {
298 	case IPC_64:
299 		return copy_to_user(buf, in, sizeof(*in));
300 	case IPC_OLD:
301 	{
302 		struct msqid_ds out;
303 
304 		memset(&out, 0, sizeof(out));
305 
306 		ipc64_perm_to_ipc_perm(&in->msg_perm, &out.msg_perm);
307 
308 		out.msg_stime		= in->msg_stime;
309 		out.msg_rtime		= in->msg_rtime;
310 		out.msg_ctime		= in->msg_ctime;
311 
312 		if (in->msg_cbytes > USHRT_MAX)
313 			out.msg_cbytes	= USHRT_MAX;
314 		else
315 			out.msg_cbytes	= in->msg_cbytes;
316 		out.msg_lcbytes		= in->msg_cbytes;
317 
318 		if (in->msg_qnum > USHRT_MAX)
319 			out.msg_qnum	= USHRT_MAX;
320 		else
321 			out.msg_qnum	= in->msg_qnum;
322 
323 		if (in->msg_qbytes > USHRT_MAX)
324 			out.msg_qbytes	= USHRT_MAX;
325 		else
326 			out.msg_qbytes	= in->msg_qbytes;
327 		out.msg_lqbytes		= in->msg_qbytes;
328 
329 		out.msg_lspid		= in->msg_lspid;
330 		out.msg_lrpid		= in->msg_lrpid;
331 
332 		return copy_to_user(buf, &out, sizeof(out));
333 	}
334 	default:
335 		return -EINVAL;
336 	}
337 }
338 
339 struct msq_setbuf {
340 	unsigned long	qbytes;
341 	uid_t		uid;
342 	gid_t		gid;
343 	mode_t		mode;
344 };
345 
346 static inline unsigned long
347 copy_msqid_from_user(struct msq_setbuf *out, void __user *buf, int version)
348 {
349 	switch(version) {
350 	case IPC_64:
351 	{
352 		struct msqid64_ds tbuf;
353 
354 		if (copy_from_user(&tbuf, buf, sizeof(tbuf)))
355 			return -EFAULT;
356 
357 		out->qbytes		= tbuf.msg_qbytes;
358 		out->uid		= tbuf.msg_perm.uid;
359 		out->gid		= tbuf.msg_perm.gid;
360 		out->mode		= tbuf.msg_perm.mode;
361 
362 		return 0;
363 	}
364 	case IPC_OLD:
365 	{
366 		struct msqid_ds tbuf_old;
367 
368 		if (copy_from_user(&tbuf_old, buf, sizeof(tbuf_old)))
369 			return -EFAULT;
370 
371 		out->uid		= tbuf_old.msg_perm.uid;
372 		out->gid		= tbuf_old.msg_perm.gid;
373 		out->mode		= tbuf_old.msg_perm.mode;
374 
375 		if (tbuf_old.msg_qbytes == 0)
376 			out->qbytes	= tbuf_old.msg_lqbytes;
377 		else
378 			out->qbytes	= tbuf_old.msg_qbytes;
379 
380 		return 0;
381 	}
382 	default:
383 		return -EINVAL;
384 	}
385 }
386 
387 asmlinkage long sys_msgctl(int msqid, int cmd, struct msqid_ds __user *buf)
388 {
389 	struct kern_ipc_perm *ipcp;
390 	struct msq_setbuf setbuf;
391 	struct msg_queue *msq;
392 	int err, version;
393 	struct ipc_namespace *ns;
394 
395 	if (msqid < 0 || cmd < 0)
396 		return -EINVAL;
397 
398 	version = ipc_parse_version(&cmd);
399 	ns = current->nsproxy->ipc_ns;
400 
401 	switch (cmd) {
402 	case IPC_INFO:
403 	case MSG_INFO:
404 	{
405 		struct msginfo msginfo;
406 		int max_id;
407 
408 		if (!buf)
409 			return -EFAULT;
410 		/*
411 		 * We must not return kernel stack data.
412 		 * due to padding, it's not enough
413 		 * to set all member fields.
414 		 */
415 		err = security_msg_queue_msgctl(NULL, cmd);
416 		if (err)
417 			return err;
418 
419 		memset(&msginfo, 0, sizeof(msginfo));
420 		msginfo.msgmni = ns->msg_ctlmni;
421 		msginfo.msgmax = ns->msg_ctlmax;
422 		msginfo.msgmnb = ns->msg_ctlmnb;
423 		msginfo.msgssz = MSGSSZ;
424 		msginfo.msgseg = MSGSEG;
425 		mutex_lock(&msg_ids(ns).mutex);
426 		if (cmd == MSG_INFO) {
427 			msginfo.msgpool = msg_ids(ns).in_use;
428 			msginfo.msgmap = atomic_read(&msg_hdrs);
429 			msginfo.msgtql = atomic_read(&msg_bytes);
430 		} else {
431 			msginfo.msgmap = MSGMAP;
432 			msginfo.msgpool = MSGPOOL;
433 			msginfo.msgtql = MSGTQL;
434 		}
435 		max_id = msg_ids(ns).max_id;
436 		mutex_unlock(&msg_ids(ns).mutex);
437 		if (copy_to_user(buf, &msginfo, sizeof(struct msginfo)))
438 			return -EFAULT;
439 		return (max_id < 0) ? 0 : max_id;
440 	}
441 	case MSG_STAT:
442 	case IPC_STAT:
443 	{
444 		struct msqid64_ds tbuf;
445 		int success_return;
446 
447 		if (!buf)
448 			return -EFAULT;
449 		if (cmd == MSG_STAT && msqid >= msg_ids(ns).entries->size)
450 			return -EINVAL;
451 
452 		memset(&tbuf, 0, sizeof(tbuf));
453 
454 		msq = msg_lock(ns, msqid);
455 		if (msq == NULL)
456 			return -EINVAL;
457 
458 		if (cmd == MSG_STAT) {
459 			success_return = msg_buildid(ns, msqid, msq->q_perm.seq);
460 		} else {
461 			err = -EIDRM;
462 			if (msg_checkid(ns, msq, msqid))
463 				goto out_unlock;
464 			success_return = 0;
465 		}
466 		err = -EACCES;
467 		if (ipcperms(&msq->q_perm, S_IRUGO))
468 			goto out_unlock;
469 
470 		err = security_msg_queue_msgctl(msq, cmd);
471 		if (err)
472 			goto out_unlock;
473 
474 		kernel_to_ipc64_perm(&msq->q_perm, &tbuf.msg_perm);
475 		tbuf.msg_stime  = msq->q_stime;
476 		tbuf.msg_rtime  = msq->q_rtime;
477 		tbuf.msg_ctime  = msq->q_ctime;
478 		tbuf.msg_cbytes = msq->q_cbytes;
479 		tbuf.msg_qnum   = msq->q_qnum;
480 		tbuf.msg_qbytes = msq->q_qbytes;
481 		tbuf.msg_lspid  = msq->q_lspid;
482 		tbuf.msg_lrpid  = msq->q_lrpid;
483 		msg_unlock(msq);
484 		if (copy_msqid_to_user(buf, &tbuf, version))
485 			return -EFAULT;
486 		return success_return;
487 	}
488 	case IPC_SET:
489 		if (!buf)
490 			return -EFAULT;
491 		if (copy_msqid_from_user(&setbuf, buf, version))
492 			return -EFAULT;
493 		break;
494 	case IPC_RMID:
495 		break;
496 	default:
497 		return  -EINVAL;
498 	}
499 
500 	mutex_lock(&msg_ids(ns).mutex);
501 	msq = msg_lock(ns, msqid);
502 	err = -EINVAL;
503 	if (msq == NULL)
504 		goto out_up;
505 
506 	err = -EIDRM;
507 	if (msg_checkid(ns, msq, msqid))
508 		goto out_unlock_up;
509 	ipcp = &msq->q_perm;
510 
511 	err = audit_ipc_obj(ipcp);
512 	if (err)
513 		goto out_unlock_up;
514 	if (cmd==IPC_SET) {
515 		err = audit_ipc_set_perm(setbuf.qbytes, setbuf.uid, setbuf.gid,
516 					 setbuf.mode);
517 		if (err)
518 			goto out_unlock_up;
519 	}
520 
521 	err = -EPERM;
522 	if (current->euid != ipcp->cuid &&
523 	    current->euid != ipcp->uid && !capable(CAP_SYS_ADMIN))
524 		/* We _could_ check for CAP_CHOWN above, but we don't */
525 		goto out_unlock_up;
526 
527 	err = security_msg_queue_msgctl(msq, cmd);
528 	if (err)
529 		goto out_unlock_up;
530 
531 	switch (cmd) {
532 	case IPC_SET:
533 	{
534 		err = -EPERM;
535 		if (setbuf.qbytes > ns->msg_ctlmnb && !capable(CAP_SYS_RESOURCE))
536 			goto out_unlock_up;
537 
538 		msq->q_qbytes = setbuf.qbytes;
539 
540 		ipcp->uid = setbuf.uid;
541 		ipcp->gid = setbuf.gid;
542 		ipcp->mode = (ipcp->mode & ~S_IRWXUGO) |
543 			     (S_IRWXUGO & setbuf.mode);
544 		msq->q_ctime = get_seconds();
545 		/* sleeping receivers might be excluded by
546 		 * stricter permissions.
547 		 */
548 		expunge_all(msq, -EAGAIN);
549 		/* sleeping senders might be able to send
550 		 * due to a larger queue size.
551 		 */
552 		ss_wakeup(&msq->q_senders, 0);
553 		msg_unlock(msq);
554 		break;
555 	}
556 	case IPC_RMID:
557 		freeque(ns, msq, msqid);
558 		break;
559 	}
560 	err = 0;
561 out_up:
562 	mutex_unlock(&msg_ids(ns).mutex);
563 	return err;
564 out_unlock_up:
565 	msg_unlock(msq);
566 	goto out_up;
567 out_unlock:
568 	msg_unlock(msq);
569 	return err;
570 }
571 
572 static int testmsg(struct msg_msg *msg, long type, int mode)
573 {
574 	switch(mode)
575 	{
576 		case SEARCH_ANY:
577 			return 1;
578 		case SEARCH_LESSEQUAL:
579 			if (msg->m_type <=type)
580 				return 1;
581 			break;
582 		case SEARCH_EQUAL:
583 			if (msg->m_type == type)
584 				return 1;
585 			break;
586 		case SEARCH_NOTEQUAL:
587 			if (msg->m_type != type)
588 				return 1;
589 			break;
590 	}
591 	return 0;
592 }
593 
594 static inline int pipelined_send(struct msg_queue *msq, struct msg_msg *msg)
595 {
596 	struct list_head *tmp;
597 
598 	tmp = msq->q_receivers.next;
599 	while (tmp != &msq->q_receivers) {
600 		struct msg_receiver *msr;
601 
602 		msr = list_entry(tmp, struct msg_receiver, r_list);
603 		tmp = tmp->next;
604 		if (testmsg(msg, msr->r_msgtype, msr->r_mode) &&
605 		    !security_msg_queue_msgrcv(msq, msg, msr->r_tsk,
606 					       msr->r_msgtype, msr->r_mode)) {
607 
608 			list_del(&msr->r_list);
609 			if (msr->r_maxsize < msg->m_ts) {
610 				msr->r_msg = NULL;
611 				wake_up_process(msr->r_tsk);
612 				smp_mb();
613 				msr->r_msg = ERR_PTR(-E2BIG);
614 			} else {
615 				msr->r_msg = NULL;
616 				msq->q_lrpid = msr->r_tsk->pid;
617 				msq->q_rtime = get_seconds();
618 				wake_up_process(msr->r_tsk);
619 				smp_mb();
620 				msr->r_msg = msg;
621 
622 				return 1;
623 			}
624 		}
625 	}
626 	return 0;
627 }
628 
629 long do_msgsnd(int msqid, long mtype, void __user *mtext,
630 		size_t msgsz, int msgflg)
631 {
632 	struct msg_queue *msq;
633 	struct msg_msg *msg;
634 	int err;
635 	struct ipc_namespace *ns;
636 
637 	ns = current->nsproxy->ipc_ns;
638 
639 	if (msgsz > ns->msg_ctlmax || (long) msgsz < 0 || msqid < 0)
640 		return -EINVAL;
641 	if (mtype < 1)
642 		return -EINVAL;
643 
644 	msg = load_msg(mtext, msgsz);
645 	if (IS_ERR(msg))
646 		return PTR_ERR(msg);
647 
648 	msg->m_type = mtype;
649 	msg->m_ts = msgsz;
650 
651 	msq = msg_lock(ns, msqid);
652 	err = -EINVAL;
653 	if (msq == NULL)
654 		goto out_free;
655 
656 	err= -EIDRM;
657 	if (msg_checkid(ns, msq, msqid))
658 		goto out_unlock_free;
659 
660 	for (;;) {
661 		struct msg_sender s;
662 
663 		err = -EACCES;
664 		if (ipcperms(&msq->q_perm, S_IWUGO))
665 			goto out_unlock_free;
666 
667 		err = security_msg_queue_msgsnd(msq, msg, msgflg);
668 		if (err)
669 			goto out_unlock_free;
670 
671 		if (msgsz + msq->q_cbytes <= msq->q_qbytes &&
672 				1 + msq->q_qnum <= msq->q_qbytes) {
673 			break;
674 		}
675 
676 		/* queue full, wait: */
677 		if (msgflg & IPC_NOWAIT) {
678 			err = -EAGAIN;
679 			goto out_unlock_free;
680 		}
681 		ss_add(msq, &s);
682 		ipc_rcu_getref(msq);
683 		msg_unlock(msq);
684 		schedule();
685 
686 		ipc_lock_by_ptr(&msq->q_perm);
687 		ipc_rcu_putref(msq);
688 		if (msq->q_perm.deleted) {
689 			err = -EIDRM;
690 			goto out_unlock_free;
691 		}
692 		ss_del(&s);
693 
694 		if (signal_pending(current)) {
695 			err = -ERESTARTNOHAND;
696 			goto out_unlock_free;
697 		}
698 	}
699 
700 	msq->q_lspid = current->tgid;
701 	msq->q_stime = get_seconds();
702 
703 	if (!pipelined_send(msq, msg)) {
704 		/* noone is waiting for this message, enqueue it */
705 		list_add_tail(&msg->m_list, &msq->q_messages);
706 		msq->q_cbytes += msgsz;
707 		msq->q_qnum++;
708 		atomic_add(msgsz, &msg_bytes);
709 		atomic_inc(&msg_hdrs);
710 	}
711 
712 	err = 0;
713 	msg = NULL;
714 
715 out_unlock_free:
716 	msg_unlock(msq);
717 out_free:
718 	if (msg != NULL)
719 		free_msg(msg);
720 	return err;
721 }
722 
723 asmlinkage long
724 sys_msgsnd(int msqid, struct msgbuf __user *msgp, size_t msgsz, int msgflg)
725 {
726 	long mtype;
727 
728 	if (get_user(mtype, &msgp->mtype))
729 		return -EFAULT;
730 	return do_msgsnd(msqid, mtype, msgp->mtext, msgsz, msgflg);
731 }
732 
733 static inline int convert_mode(long *msgtyp, int msgflg)
734 {
735 	/*
736 	 *  find message of correct type.
737 	 *  msgtyp = 0 => get first.
738 	 *  msgtyp > 0 => get first message of matching type.
739 	 *  msgtyp < 0 => get message with least type must be < abs(msgtype).
740 	 */
741 	if (*msgtyp == 0)
742 		return SEARCH_ANY;
743 	if (*msgtyp < 0) {
744 		*msgtyp = -*msgtyp;
745 		return SEARCH_LESSEQUAL;
746 	}
747 	if (msgflg & MSG_EXCEPT)
748 		return SEARCH_NOTEQUAL;
749 	return SEARCH_EQUAL;
750 }
751 
752 long do_msgrcv(int msqid, long *pmtype, void __user *mtext,
753 		size_t msgsz, long msgtyp, int msgflg)
754 {
755 	struct msg_queue *msq;
756 	struct msg_msg *msg;
757 	int mode;
758 	struct ipc_namespace *ns;
759 
760 	if (msqid < 0 || (long) msgsz < 0)
761 		return -EINVAL;
762 	mode = convert_mode(&msgtyp, msgflg);
763 	ns = current->nsproxy->ipc_ns;
764 
765 	msq = msg_lock(ns, msqid);
766 	if (msq == NULL)
767 		return -EINVAL;
768 
769 	msg = ERR_PTR(-EIDRM);
770 	if (msg_checkid(ns, msq, msqid))
771 		goto out_unlock;
772 
773 	for (;;) {
774 		struct msg_receiver msr_d;
775 		struct list_head *tmp;
776 
777 		msg = ERR_PTR(-EACCES);
778 		if (ipcperms(&msq->q_perm, S_IRUGO))
779 			goto out_unlock;
780 
781 		msg = ERR_PTR(-EAGAIN);
782 		tmp = msq->q_messages.next;
783 		while (tmp != &msq->q_messages) {
784 			struct msg_msg *walk_msg;
785 
786 			walk_msg = list_entry(tmp, struct msg_msg, m_list);
787 			if (testmsg(walk_msg, msgtyp, mode) &&
788 			    !security_msg_queue_msgrcv(msq, walk_msg, current,
789 						       msgtyp, mode)) {
790 
791 				msg = walk_msg;
792 				if (mode == SEARCH_LESSEQUAL &&
793 						walk_msg->m_type != 1) {
794 					msg = walk_msg;
795 					msgtyp = walk_msg->m_type - 1;
796 				} else {
797 					msg = walk_msg;
798 					break;
799 				}
800 			}
801 			tmp = tmp->next;
802 		}
803 		if (!IS_ERR(msg)) {
804 			/*
805 			 * Found a suitable message.
806 			 * Unlink it from the queue.
807 			 */
808 			if ((msgsz < msg->m_ts) && !(msgflg & MSG_NOERROR)) {
809 				msg = ERR_PTR(-E2BIG);
810 				goto out_unlock;
811 			}
812 			list_del(&msg->m_list);
813 			msq->q_qnum--;
814 			msq->q_rtime = get_seconds();
815 			msq->q_lrpid = current->tgid;
816 			msq->q_cbytes -= msg->m_ts;
817 			atomic_sub(msg->m_ts, &msg_bytes);
818 			atomic_dec(&msg_hdrs);
819 			ss_wakeup(&msq->q_senders, 0);
820 			msg_unlock(msq);
821 			break;
822 		}
823 		/* No message waiting. Wait for a message */
824 		if (msgflg & IPC_NOWAIT) {
825 			msg = ERR_PTR(-ENOMSG);
826 			goto out_unlock;
827 		}
828 		list_add_tail(&msr_d.r_list, &msq->q_receivers);
829 		msr_d.r_tsk = current;
830 		msr_d.r_msgtype = msgtyp;
831 		msr_d.r_mode = mode;
832 		if (msgflg & MSG_NOERROR)
833 			msr_d.r_maxsize = INT_MAX;
834 		else
835 			msr_d.r_maxsize = msgsz;
836 		msr_d.r_msg = ERR_PTR(-EAGAIN);
837 		current->state = TASK_INTERRUPTIBLE;
838 		msg_unlock(msq);
839 
840 		schedule();
841 
842 		/* Lockless receive, part 1:
843 		 * Disable preemption.  We don't hold a reference to the queue
844 		 * and getting a reference would defeat the idea of a lockless
845 		 * operation, thus the code relies on rcu to guarantee the
846 		 * existance of msq:
847 		 * Prior to destruction, expunge_all(-EIRDM) changes r_msg.
848 		 * Thus if r_msg is -EAGAIN, then the queue not yet destroyed.
849 		 * rcu_read_lock() prevents preemption between reading r_msg
850 		 * and the spin_lock() inside ipc_lock_by_ptr().
851 		 */
852 		rcu_read_lock();
853 
854 		/* Lockless receive, part 2:
855 		 * Wait until pipelined_send or expunge_all are outside of
856 		 * wake_up_process(). There is a race with exit(), see
857 		 * ipc/mqueue.c for the details.
858 		 */
859 		msg = (struct msg_msg*)msr_d.r_msg;
860 		while (msg == NULL) {
861 			cpu_relax();
862 			msg = (struct msg_msg *)msr_d.r_msg;
863 		}
864 
865 		/* Lockless receive, part 3:
866 		 * If there is a message or an error then accept it without
867 		 * locking.
868 		 */
869 		if (msg != ERR_PTR(-EAGAIN)) {
870 			rcu_read_unlock();
871 			break;
872 		}
873 
874 		/* Lockless receive, part 3:
875 		 * Acquire the queue spinlock.
876 		 */
877 		ipc_lock_by_ptr(&msq->q_perm);
878 		rcu_read_unlock();
879 
880 		/* Lockless receive, part 4:
881 		 * Repeat test after acquiring the spinlock.
882 		 */
883 		msg = (struct msg_msg*)msr_d.r_msg;
884 		if (msg != ERR_PTR(-EAGAIN))
885 			goto out_unlock;
886 
887 		list_del(&msr_d.r_list);
888 		if (signal_pending(current)) {
889 			msg = ERR_PTR(-ERESTARTNOHAND);
890 out_unlock:
891 			msg_unlock(msq);
892 			break;
893 		}
894 	}
895 	if (IS_ERR(msg))
896 		return PTR_ERR(msg);
897 
898 	msgsz = (msgsz > msg->m_ts) ? msg->m_ts : msgsz;
899 	*pmtype = msg->m_type;
900 	if (store_msg(mtext, msg, msgsz))
901 		msgsz = -EFAULT;
902 
903 	free_msg(msg);
904 
905 	return msgsz;
906 }
907 
908 asmlinkage long sys_msgrcv(int msqid, struct msgbuf __user *msgp, size_t msgsz,
909 			   long msgtyp, int msgflg)
910 {
911 	long err, mtype;
912 
913 	err =  do_msgrcv(msqid, &mtype, msgp->mtext, msgsz, msgtyp, msgflg);
914 	if (err < 0)
915 		goto out;
916 
917 	if (put_user(mtype, &msgp->mtype))
918 		err = -EFAULT;
919 out:
920 	return err;
921 }
922 
923 #ifdef CONFIG_PROC_FS
924 static int sysvipc_msg_proc_show(struct seq_file *s, void *it)
925 {
926 	struct msg_queue *msq = it;
927 
928 	return seq_printf(s,
929 			"%10d %10d  %4o  %10lu %10lu %5u %5u %5u %5u %5u %5u %10lu %10lu %10lu\n",
930 			msq->q_perm.key,
931 			msq->q_id,
932 			msq->q_perm.mode,
933 			msq->q_cbytes,
934 			msq->q_qnum,
935 			msq->q_lspid,
936 			msq->q_lrpid,
937 			msq->q_perm.uid,
938 			msq->q_perm.gid,
939 			msq->q_perm.cuid,
940 			msq->q_perm.cgid,
941 			msq->q_stime,
942 			msq->q_rtime,
943 			msq->q_ctime);
944 }
945 #endif
946