1b2441318SGreg Kroah-Hartman // SPDX-License-Identifier: GPL-2.0
21da177e4SLinus Torvalds /*
31da177e4SLinus Torvalds  * linux/ipc/sem.c
41da177e4SLinus Torvalds  * Copyright (C) 1992 Krishna Balasubramanian
51da177e4SLinus Torvalds  * Copyright (C) 1995 Eric Schenk, Bruno Haible
61da177e4SLinus Torvalds  *
71da177e4SLinus Torvalds  * /proc/sysvipc/sem support (c) 1999 Dragos Acostachioaie <dragos@iname.com>
81da177e4SLinus Torvalds  *
91da177e4SLinus Torvalds  * SMP-threaded, sysctl's added
10624dffcbSChristian Kujau  * (c) 1999 Manfred Spraul <manfred@colorfullife.com>
111da177e4SLinus Torvalds  * Enforced range limit on SEM_UNDO
12046c6884SAlan Cox  * (c) 2001 Red Hat Inc
131da177e4SLinus Torvalds  * Lockless wakeup
141da177e4SLinus Torvalds  * (c) 2003 Manfred Spraul <manfred@colorfullife.com>
159ae949faSDavidlohr Bueso  * (c) 2016 Davidlohr Bueso <dave@stgolabs.net>
16c5cf6359SManfred Spraul  * Further wakeup optimizations, documentation
17c5cf6359SManfred Spraul  * (c) 2010 Manfred Spraul <manfred@colorfullife.com>
18073115d6SSteve Grubb  *
19073115d6SSteve Grubb  * support for audit of ipc object properties and permission changes
20073115d6SSteve Grubb  * Dustin Kirkland <dustin.kirkland@us.ibm.com>
21e3893534SKirill Korotaev  *
22e3893534SKirill Korotaev  * namespaces support
23e3893534SKirill Korotaev  * OpenVZ, SWsoft Inc.
24e3893534SKirill Korotaev  * Pavel Emelianov <xemul@openvz.org>
25c5cf6359SManfred Spraul  *
26c5cf6359SManfred Spraul  * Implementation notes: (May 2010)
27c5cf6359SManfred Spraul  * This file implements System V semaphores.
28c5cf6359SManfred Spraul  *
29c5cf6359SManfred Spraul  * User space visible behavior:
30c5cf6359SManfred Spraul  * - FIFO ordering for semop() operations (just FIFO, not starvation
31c5cf6359SManfred Spraul  *   protection)
32c5cf6359SManfred Spraul  * - multiple semaphore operations that alter the same semaphore in
33c5cf6359SManfred Spraul  *   one semop() are handled.
34c5cf6359SManfred Spraul  * - sem_ctime (time of last semctl()) is updated in the IPC_SET, SETVAL and
35c5cf6359SManfred Spraul  *   SETALL calls.
36c5cf6359SManfred Spraul  * - two Linux specific semctl() commands: SEM_STAT, SEM_INFO.
37c5cf6359SManfred Spraul  * - undo adjustments at process exit are limited to 0..SEMVMX.
38c5cf6359SManfred Spraul  * - namespaces are supported.
39b1989a3dSBhaskar Chowdhury  * - SEMMSL, SEMMNS, SEMOPM and SEMMNI can be configured at runtime by writing
40c5cf6359SManfred Spraul  *   to /proc/sys/kernel/sem.
41c5cf6359SManfred Spraul  * - statistics about the usage are reported in /proc/sysvipc/sem.
42c5cf6359SManfred Spraul  *
43c5cf6359SManfred Spraul  * Internals:
44c5cf6359SManfred Spraul  * - scalability:
45c5cf6359SManfred Spraul  *   - all global variables are read-mostly.
46c5cf6359SManfred Spraul  *   - semop() calls and semctl(RMID) are synchronized by RCU.
47c5cf6359SManfred Spraul  *   - most operations do write operations (actually: spin_lock calls) to
48c5cf6359SManfred Spraul  *     the per-semaphore array structure.
49c5cf6359SManfred Spraul  *   Thus: Perfect SMP scaling between independent semaphore arrays.
50c5cf6359SManfred Spraul  *         If multiple semaphores in one array are used, then cache line
51c5cf6359SManfred Spraul  *         thrashing on the semaphore array spinlock will limit the scaling.
522f2ed41dSManfred Spraul  * - semncnt and semzcnt are calculated on demand in count_semcnt()
53c5cf6359SManfred Spraul  * - the task that performs a successful semop() scans the list of all
54c5cf6359SManfred Spraul  *   sleeping tasks and completes any pending operations that can be fulfilled.
55c5cf6359SManfred Spraul  *   Semaphores are actively given to waiting tasks (necessary for FIFO).
56c5cf6359SManfred Spraul  *   (see update_queue())
57c5cf6359SManfred Spraul  * - To improve the scalability, the actual wake-up calls are performed after
589ae949faSDavidlohr Bueso  *   dropping all locks. (see wake_up_sem_queue_prepare())
59c5cf6359SManfred Spraul  * - All work is done by the waker, the woken up task does not have to do
60c5cf6359SManfred Spraul  *   anything - not even acquiring a lock or dropping a refcount.
61c5cf6359SManfred Spraul  * - A woken up task may not even touch the semaphore array anymore, it may
62c5cf6359SManfred Spraul  *   have been destroyed already by a semctl(RMID).
63c5cf6359SManfred Spraul  * - UNDO values are stored in an array (one per process and per
64c5cf6359SManfred Spraul  *   semaphore array, lazily allocated). For backwards compatibility, multiple
65c5cf6359SManfred Spraul  *   modes for the UNDO variables are supported (per process, per thread)
66c5cf6359SManfred Spraul  *   (see copy_semundo, CLONE_SYSVSEM)
67c5cf6359SManfred Spraul  * - There are two lists of the pending operations: a per-array list
68c5cf6359SManfred Spraul  *   and per-semaphore list (stored in the array). This allows FIFO
69c5cf6359SManfred Spraul  *   ordering without always scanning all pending operations.
70c5cf6359SManfred Spraul  *   The worst-case behavior is nevertheless O(N^2) for N wakeups.
711da177e4SLinus Torvalds  */
721da177e4SLinus Torvalds 
73b0d17578SArnd Bergmann #include <linux/compat.h>
741da177e4SLinus Torvalds #include <linux/slab.h>
751da177e4SLinus Torvalds #include <linux/spinlock.h>
761da177e4SLinus Torvalds #include <linux/init.h>
771da177e4SLinus Torvalds #include <linux/proc_fs.h>
781da177e4SLinus Torvalds #include <linux/time.h>
791da177e4SLinus Torvalds #include <linux/security.h>
801da177e4SLinus Torvalds #include <linux/syscalls.h>
811da177e4SLinus Torvalds #include <linux/audit.h>
82c59ede7bSRandy.Dunlap #include <linux/capability.h>
8319b4946cSMike Waychison #include <linux/seq_file.h>
843e148c79SNadia Derbey #include <linux/rwsem.h>
85e3893534SKirill Korotaev #include <linux/nsproxy.h>
86ae5e1b22SPavel Emelyanov #include <linux/ipc_namespace.h>
8784f001e1SIngo Molnar #include <linux/sched/wake_q.h>
88ec67aaa4SDavidlohr Bueso #include <linux/nospec.h>
890eb71a9dSNeilBrown #include <linux/rhashtable.h>
905f921ae9SIngo Molnar 
917153e402SPaul McQuade #include <linux/uaccess.h>
921da177e4SLinus Torvalds #include "util.h"
931da177e4SLinus Torvalds 
/*
 * One semaphore structure for each semaphore in the system.
 *
 * Instances live in sem_array.sems[] (one per semaphore of the set) and are
 * ____cacheline_aligned_in_smp so that simple ops on different semaphores of
 * the same array do not share a cache line (see the scalability notes at the
 * top of the file).
 */
struct sem {
	int	semval;		/* current value */
	/*
	 * PID of the process that last modified the semaphore. For
	 * Linux, specifically these are:
	 *  - semop
	 *  - semctl, via SETVAL and SETALL.
	 *  - at task exit when performing undo adjustments (see exit_sem).
	 */
	struct pid *sempid;
	spinlock_t	lock;	/* spinlock for fine-grained semtimedop;
				 * taken by sem_lock() for single-sop
				 * operations when use_global_lock is 0 */
	struct list_head pending_alter; /* pending single-sop operations */
					/* that alter the semaphore */
	struct list_head pending_const; /* pending single-sop operations */
					/* that do not alter the semaphore*/
	time64_t	 sem_otime;	/* candidate for sem_otime */
} ____cacheline_aligned_in_smp;
1121a5c1349SEric W. Biederman 
/*
 * One sem_array data structure for each set of semaphores in the system.
 *
 * Allocated by sem_alloc() with struct_size() so that sems[] holds exactly
 * sem_nsems entries; freed via sem_rcu_free() after an RCU grace period.
 */
struct sem_array {
	struct kern_ipc_perm	sem_perm;	/* permissions .. see ipc.h */
	time64_t		sem_ctime;	/* create/last semctl() time */
	struct list_head	pending_alter;	/* pending operations */
						/* that alter the array */
	struct list_head	pending_const;	/* pending complex operations */
						/* that do not alter semvals */
	struct list_head	list_id;	/* undo requests on this array */
	int			sem_nsems;	/* no. of semaphores in array */
	int			complex_count;	/* pending complex operations */
	unsigned int		use_global_lock;/* >0: global lock required.
						 * 0: single-sop operations may
						 * take only sems[i].lock.
						 * Written under sem_perm.lock
						 * (complexmode_enter/tryleave),
						 * see SEM_BARRIER_1. */

	struct sem		sems[];		/* sem_nsems entries */
} __randomize_layout;
128e57940d7SManfred Spraul 
/*
 * One queue for each sleeping process in the system.
 *
 * A sem_queue is linked either into sem_array.pending_{alter,const} (complex
 * operations, or simple ones while the array is in global-lock mode) or into
 * sems[i].pending_{alter,const} for single-sop operations; merge_queues() and
 * unmerge_queues() move entries between the two.
 */
struct sem_queue {
	struct list_head	list;	 /* queue of pending operations */
	struct task_struct	*sleeper; /* this process */
	struct sem_undo		*undo;	 /* undo structure */
	struct pid		*pid;	 /* process id of requesting process */
	int			status;	 /* completion status of operation;
					  * published by the waker, see
					  * SEM_BARRIER_2 in the locking notes */
	struct sembuf		*sops;	 /* array of pending operations */
	struct sembuf		*blocking; /* the operation that blocked */
	int			nsops;	 /* number of operations */
	bool			alter;	 /* does *sops alter the array? */
	bool                    dupsop;	 /* sops on more than one sem_num */
};
142e57940d7SManfred Spraul 
/* Each task has a list of undo requests. They are executed automatically
 * when the process exits.
 *
 * One sem_undo exists per (undo list, semaphore array) pair; semadj[] is a
 * flexible array with one adjustment per semaphore of the array.
 */
struct sem_undo {
	struct list_head	list_proc;	/* per-process list: *
						 * all undos from one process
						 * rcu protected */
	struct rcu_head		rcu;		/* rcu struct for sem_undo */
	struct sem_undo_list	*ulp;		/* back ptr to sem_undo_list */
	struct list_head	list_id;	/* per semaphore array list:
						 * all undos for one array */
	int			semid;		/* semaphore set identifier */
	short			semadj[];	/* array of adjustments */
						/* one per semaphore */
};
158e57940d7SManfred Spraul 
/* sem_undo_list controls shared access to the list of sem_undo structures
 * that may be shared among all tasks of a CLONE_SYSVSEM task group.
 *
 * Locking (see the "Locking" notes below): list_proc is modified under
 * @lock and read under RCU.
 */
struct sem_undo_list {
	refcount_t		refcnt;		/* one reference per sharing task */
	spinlock_t		lock;		/* protects list_proc for writers */
	struct list_head	list_proc;	/* all sem_undo of this group */
};
167e57940d7SManfred Spraul 
168e57940d7SManfred Spraul 
169ed2ddbf8SPierre Peiffer #define sem_ids(ns)	((ns)->ids[IPC_SEM_IDS])
1701da177e4SLinus Torvalds 
1717748dbfaSNadia Derbey static int newary(struct ipc_namespace *, struct ipc_params *);
17201b8b07aSPierre Peiffer static void freeary(struct ipc_namespace *, struct kern_ipc_perm *);
1731da177e4SLinus Torvalds #ifdef CONFIG_PROC_FS
17419b4946cSMike Waychison static int sysvipc_sem_proc_show(struct seq_file *s, void *it);
1751da177e4SLinus Torvalds #endif
1761da177e4SLinus Torvalds 
1771da177e4SLinus Torvalds #define SEMMSL_FAST	256 /* 512 bytes on stack */
1781da177e4SLinus Torvalds #define SEMOPM_FAST	64  /* ~ 372 bytes on stack */
1791da177e4SLinus Torvalds 
1801da177e4SLinus Torvalds /*
1819de5ab8aSManfred Spraul  * Switching from the mode suitable for simple ops
1829de5ab8aSManfred Spraul  * to the mode for complex ops is costly. Therefore:
1839de5ab8aSManfred Spraul  * use some hysteresis
1849de5ab8aSManfred Spraul  */
1859de5ab8aSManfred Spraul #define USE_GLOBAL_LOCK_HYSTERESIS	10
1869de5ab8aSManfred Spraul 
1879de5ab8aSManfred Spraul /*
188758a6ba3SManfred Spraul  * Locking:
1895864a2fdSManfred Spraul  * a) global sem_lock() for read/write
1901da177e4SLinus Torvalds  *	sem_undo.id_next,
191758a6ba3SManfred Spraul  *	sem_array.complex_count,
1925864a2fdSManfred Spraul  *	sem_array.pending{_alter,_const},
1935864a2fdSManfred Spraul  *	sem_array.sem_undo
1941da177e4SLinus Torvalds  *
1955864a2fdSManfred Spraul  * b) global or semaphore sem_lock() for read/write:
1961a233956SManfred Spraul  *	sem_array.sems[i].pending_{const,alter}:
1975864a2fdSManfred Spraul  *
1985864a2fdSManfred Spraul  * c) special:
1995864a2fdSManfred Spraul  *	sem_undo_list.list_proc:
2005864a2fdSManfred Spraul  *	* undo_list->lock for write
2015864a2fdSManfred Spraul  *	* rcu for read
2029de5ab8aSManfred Spraul  *	use_global_lock:
2039de5ab8aSManfred Spraul  *	* global sem_lock() for write
2049de5ab8aSManfred Spraul  *	* either local or global sem_lock() for read.
2059de5ab8aSManfred Spraul  *
2069de5ab8aSManfred Spraul  * Memory ordering:
2079de5ab8aSManfred Spraul  * Most ordering is enforced by using spin_lock() and spin_unlock().
2088116b54eSManfred Spraul  *
2098116b54eSManfred Spraul  * Exceptions:
2108116b54eSManfred Spraul  * 1) use_global_lock: (SEM_BARRIER_1)
2119de5ab8aSManfred Spraul  * Setting it from non-zero to 0 is a RELEASE, this is ensured by
2128116b54eSManfred Spraul  * using smp_store_release(): Immediately after setting it to 0,
2138116b54eSManfred Spraul  * a simple op can start.
2149de5ab8aSManfred Spraul  * Testing if it is non-zero is an ACQUIRE, this is ensured by using
2159de5ab8aSManfred Spraul  * smp_load_acquire().
2169de5ab8aSManfred Spraul  * Setting it from 0 to non-zero must be ordered with regards to
2179de5ab8aSManfred Spraul  * this smp_load_acquire(), this is guaranteed because the smp_load_acquire()
2189de5ab8aSManfred Spraul  * is inside a spin_lock() and after a write from 0 to non-zero a
2199de5ab8aSManfred Spraul  * spin_lock()+spin_unlock() is done.
22017d056e0SManfred Spraul  * To prevent the compiler/cpu temporarily writing 0 to use_global_lock,
22117d056e0SManfred Spraul  * READ_ONCE()/WRITE_ONCE() is used.
2228116b54eSManfred Spraul  *
2238116b54eSManfred Spraul  * 2) queue.status: (SEM_BARRIER_2)
2248116b54eSManfred Spraul  * Initialization is done while holding sem_lock(), so no further barrier is
2258116b54eSManfred Spraul  * required.
2268116b54eSManfred Spraul  * Setting it to a result code is a RELEASE, this is ensured by both a
2278116b54eSManfred Spraul  * smp_store_release() (for case a) and while holding sem_lock()
2288116b54eSManfred Spraul  * (for case b).
229b1989a3dSBhaskar Chowdhury  * The ACQUIRE when reading the result code without holding sem_lock() is
2308116b54eSManfred Spraul  * achieved by using READ_ONCE() + smp_acquire__after_ctrl_dep().
2318116b54eSManfred Spraul  * (case a above).
2328116b54eSManfred Spraul  * Reading the result code while holding sem_lock() needs no further barriers,
2338116b54eSManfred Spraul  * the locks inside sem_lock() enforce ordering (case b above)
2348116b54eSManfred Spraul  *
2358116b54eSManfred Spraul  * 3) current->state:
2368116b54eSManfred Spraul  * current->state is set to TASK_INTERRUPTIBLE while holding sem_lock().
2378116b54eSManfred Spraul  * The wakeup is handled using the wake_q infrastructure. wake_q wakeups may
2388116b54eSManfred Spraul  * happen immediately after calling wake_q_add. As wake_q_add_safe() is called
2398116b54eSManfred Spraul  * when holding sem_lock(), no further barriers are required.
2408116b54eSManfred Spraul  *
2418116b54eSManfred Spraul  * See also ipc/mqueue.c for more details on the covered races.
2421da177e4SLinus Torvalds  */
2431da177e4SLinus Torvalds 
244e3893534SKirill Korotaev #define sc_semmsl	sem_ctls[0]
245e3893534SKirill Korotaev #define sc_semmns	sem_ctls[1]
246e3893534SKirill Korotaev #define sc_semopm	sem_ctls[2]
247e3893534SKirill Korotaev #define sc_semmni	sem_ctls[3]
2481da177e4SLinus Torvalds 
/**
 * sem_init_ns - initialise the SysV semaphore state of an IPC namespace
 * @ns: namespace being set up
 *
 * Resets the four runtime-tunable limits (/proc/sys/kernel/sem) to their
 * compile-time defaults, clears the usage counter and prepares the id table
 * used to look up semaphore arrays.
 */
void sem_init_ns(struct ipc_namespace *ns)
{
	/* tunables: max sems per array, system-wide sems, ops per semop, arrays */
	ns->sc_semmsl = SEMMSL;
	ns->sc_semmns = SEMMNS;
	ns->sc_semopm = SEMOPM;
	ns->sc_semmni = SEMMNI;

	/* a fresh namespace owns no semaphores yet */
	ns->used_sems = 0;

	ipc_init_ids(&sem_ids(ns));
}
258e3893534SKirill Korotaev 
259ae5e1b22SPavel Emelyanov #ifdef CONFIG_IPC_NS
/**
 * sem_exit_ns - tear down the SysV semaphore state of a dying namespace
 * @ns: namespace being destroyed
 *
 * Releases every remaining semaphore array through freeary(), then destroys
 * the id allocator and the key hash table that backed sem_ids(ns).
 */
void sem_exit_ns(struct ipc_namespace *ns)
{
	struct ipc_ids *ids = &sem_ids(ns);

	free_ipcs(ns, ids, freeary);
	idr_destroy(&ids->ipcs_idr);
	rhashtable_destroy(&ids->key_ht);
}
266ae5e1b22SPavel Emelyanov #endif
2671da177e4SLinus Torvalds 
/**
 * sem_init - boot-time initialisation of the SysV semaphore subsystem
 *
 * Initialises the initial IPC namespace and registers the
 * /proc/sysvipc/sem statistics file, whose rows are produced by
 * sysvipc_sem_proc_show().
 */
void __init sem_init(void)
{
	sem_init_ns(&init_ipc_ns);

	/* column header printed once at the top of /proc/sysvipc/sem */
	ipc_init_proc_interface("sysvipc/sem",
				"       key      semid perms      nsems   uid   gid  cuid  cgid      otime      ctime\n",
				IPC_SEM_IDS, sysvipc_sem_proc_show);
}
2751da177e4SLinus Torvalds 
/**
 * unmerge_queues - unmerge queues, if possible.
 * @sma: semaphore array
 *
 * The function unmerges the wait queues if complex_count is 0: every
 * pending alter operation on the array-wide list is handed back to the
 * per-semaphore list of the (single) semaphore it touches.
 * It must be called prior to dropping the global semaphore array lock.
 *
 * Entries are not list_del()'ed individually; the array-wide head is
 * re-initialised once all of them have been re-linked.
 */
static void unmerge_queues(struct sem_array *sma)
{
	struct sem_queue *q, *next;

	/* a sleeping complex op keeps everything on the global list */
	if (sma->complex_count)
		return;

	list_for_each_entry_safe(q, next, &sma->pending_alter, list) {
		/*
		 * Only single-sop ops are merged, so sops[0] is the one
		 * semaphore involved; its index was presumably validated
		 * when the op was queued (not visible here).
		 */
		struct sem *target = &sma->sems[q->sops[0].sem_num];

		list_add_tail(&q->list, &target->pending_alter);
	}
	INIT_LIST_HEAD(&sma->pending_alter);
}
303f269f40aSManfred Spraul 
/**
 * merge_queues - merge single semop queues into global queue
 * @sma: semaphore array
 *
 * This function merges all per-semaphore queues into the global queue.
 * It is necessary to achieve FIFO ordering for the pending single-sop
 * operations when a multi-semop operation must sleep.
 * Only the alter operations must be moved, the const operations can stay.
 *
 * Caller must hold the global sem_perm.lock (see complexmode_enter()).
 */
static void merge_queues(struct sem_array *sma)
{
	struct sem *sem = sma->sems;
	struct sem *end = sem + sma->sem_nsems;

	/* splice each per-semaphore alter list onto the array-wide one */
	for (; sem < end; sem++)
		list_splice_init(&sem->pending_alter, &sma->pending_alter);
}
322f269f40aSManfred Spraul 
/*
 * sem_rcu_free - RCU callback that releases a semaphore array
 * @head: the rcu_head embedded in sma->sem_perm
 *
 * Invoked after the grace period that follows the last ipc_rcu_putref().
 * Frees the LSM blob first, then the array itself (allocated with kvzalloc()
 * in sem_alloc(), hence kvfree()).
 */
static void sem_rcu_free(struct rcu_head *head)
{
	struct kern_ipc_perm *perm;
	struct sem_array *sma;

	perm = container_of(head, struct kern_ipc_perm, rcu);
	sma = container_of(perm, struct sem_array, sem_perm);

	security_sem_free(perm);
	kvfree(sma);
}
33153dad6d3SDavidlohr Bueso 
/*
 * complexmode_enter - enter the mode suitable for non-simple operations
 * @sma: semaphore array
 *
 * Caller must own sem_perm.lock.
 *
 * Sets use_global_lock to USE_GLOBAL_LOCK_HYSTERESIS (see SEM_BARRIER_1).
 * If the array was still in simple mode, every per-semaphore lock is then
 * acquired and released once: a simple op that already holds sem->lock
 * finishes before this returns, and any simple op that takes sem->lock
 * afterwards observes the non-zero use_global_lock in sem_lock() and falls
 * back to the global lock.
 */
static void complexmode_enter(struct sem_array *sma)
{
	bool was_global = sma->use_global_lock > 0;
	int i;

	/* (re)arm the hysteresis counter in both cases */
	WRITE_ONCE(sma->use_global_lock, USE_GLOBAL_LOCK_HYSTERESIS);

	/* already in global-lock mode: no simple op can be in flight */
	if (was_global)
		return;

	for (i = 0; i < sma->sem_nsems; i++) {
		spin_lock(&sma->sems[i].lock);
		spin_unlock(&sma->sems[i].lock);
	}
}
3585e9d5275SManfred Spraul 
/*
 * complexmode_tryleave - try to leave the mode that disallows simple operations
 * @sma: semaphore array
 *
 * Caller must own sem_perm.lock.
 *
 * Each call decrements the hysteresis counter; only when it drops from 1
 * to 0 are simple ops allowed again, with the RELEASE described under
 * SEM_BARRIER_1. Callers reach this via sem_unlock(SEM_GLOBAL_LOCK), i.e.
 * after sem_lock() found use_global_lock non-zero, so the decrement does
 * not underflow here (a 0 would wrap, as the counter is unsigned).
 */
static void complexmode_tryleave(struct sem_array *sma)
{
	unsigned int remaining;

	/* Complex ops are sleeping: we must stay in complex mode */
	if (sma->complex_count)
		return;

	/* stable: use_global_lock is only written under sem_perm.lock */
	remaining = sma->use_global_lock;
	if (remaining == 1) {
		/* See SEM_BARRIER_1 for purpose/pairing */
		smp_store_release(&sma->use_global_lock, 0);
		return;
	}

	WRITE_ONCE(sma->use_global_lock, remaining - 1);
}
3805864a2fdSManfred Spraul 
3815864a2fdSManfred Spraul #define SEM_GLOBAL_LOCK	(-1)
/*
 * sem_lock - lock the part of a semaphore array an operation needs
 * @sma: semaphore array
 * @sops: the operations (only sops[0].sem_num is used, and only if nsops == 1)
 * @nsops: number of operations; any value other than 1 forces the global lock
 *
 * If the request contains only one semaphore operation, and there are
 * no complex transactions pending, lock only the semaphore involved.
 * Otherwise, lock the entire semaphore array, since we either have
 * multiple semaphores in our own semops, or we need to look at
 * semaphores from other pending complex operations.
 *
 * Return: SEM_GLOBAL_LOCK if sem_perm.lock was taken, otherwise the index
 * of the semaphore whose sem->lock was taken. Pass the value to sem_unlock().
 *
 * sops->sem_num is caller-supplied (ultimately from user space); the range
 * check against sem_nsems is assumed to have been done by the caller (not
 * visible here), and array_index_nospec() clamps the index so a mispredicted
 * bounds check cannot speculatively read past sems[].
 */
static inline int sem_lock(struct sem_array *sma, struct sembuf *sops,
			      int nsops)
{
	struct sem *curr;
	int idx;

	if (nsops != 1) {
		/* Complex operation - acquire a full lock */
		ipc_lock_object(&sma->sem_perm);

		/* Prevent parallel simple ops */
		complexmode_enter(sma);
		return SEM_GLOBAL_LOCK;
	}

	/*
	 * Only one semaphore affected - try to optimize locking.
	 * Optimized locking is possible if no complex operation
	 * is either enqueued or processed right now.
	 * Both facts are tracked by use_global_lock.
	 */
	idx = array_index_nospec(sops->sem_num, sma->sem_nsems);
	curr = &sma->sems[idx];

	/*
	 * Unlocked peek at use_global_lock: purely an optimization, the
	 * authoritative check is the smp_load_acquire() under sem->lock.
	 */
	if (!READ_ONCE(sma->use_global_lock)) {
		spin_lock(&curr->lock);

		/* see SEM_BARRIER_1 for purpose/pairing */
		if (!smp_load_acquire(&sma->use_global_lock))
			return sops->sem_num;	/* fast path successful */

		/* a complex op appeared meanwhile; fall back to the global lock */
		spin_unlock(&curr->lock);
	}

	/* slow path: acquire the full lock */
	ipc_lock_object(&sma->sem_perm);

	/*
	 * Not a false alarm: keep using the global lock. No need for
	 * complexmode_enter(), that was done by whoever set
	 * use_global_lock to non-zero.
	 */
	if (sma->use_global_lock != 0)
		return SEM_GLOBAL_LOCK;

	/*
	 * The use_global_lock mode ended while we waited for
	 * sma->sem_perm.lock. Switch to locking with sem->lock.
	 * Unlike in the fast path, no recheck of use_global_lock is
	 * needed after taking sem->lock: we own sem_perm.lock, so it
	 * cannot change underneath us.
	 */
	spin_lock(&curr->lock);
	ipc_unlock_object(&sma->sem_perm);
	return sops->sem_num;
}
4596062a8dcSRik van Riel 
/*
 * sem_unlock - release whatever sem_lock() acquired
 * @sma: semaphore array
 * @locknum: the value returned by the matching sem_lock() call
 *
 * For the global lock the pending queues are unmerged and the hysteresis
 * counter decremented before sem_perm.lock is dropped; otherwise only the
 * per-semaphore lock identified by @locknum is released.
 */
static inline void sem_unlock(struct sem_array *sma, int locknum)
{
	if (locknum != SEM_GLOBAL_LOCK) {
		spin_unlock(&sma->sems[locknum].lock);
		return;
	}

	/* both must run while sem_perm.lock is still held */
	unmerge_queues(sma);
	complexmode_tryleave(sma);
	ipc_unlock_object(&sma->sem_perm);
}
4716062a8dcSRik van Riel 
/*
 * sem_lock_(check_) routines are called in the paths where the rwsem
 * is not held.
 *
 * The caller holds the RCU read lock.
 */

/*
 * sem_obtain_object - look up a semaphore array by id, without the
 * sequence-number check of sem_obtain_object_check()
 * @ns: namespace
 * @id: semaphore set identifier
 *
 * Return: the sem_array, or an ERR_PTR() propagated from the idr lookup.
 */
static inline struct sem_array *sem_obtain_object(struct ipc_namespace *ns, int id)
{
	struct kern_ipc_perm *perm;

	perm = ipc_obtain_object_idr(&sem_ids(ns), id);
	if (IS_ERR(perm))
		return ERR_CAST(perm);

	return container_of(perm, struct sem_array, sem_perm);
}
48716df3674SDavidlohr Bueso 
/*
 * sem_obtain_object_check - look up a semaphore array by id, with the
 * additional identity check done by ipc_obtain_object_check()
 * @ns: namespace
 * @id: semaphore set identifier (as seen by user space)
 *
 * The caller holds the RCU read lock.
 *
 * Return: the sem_array, or an ERR_PTR() propagated from the lookup.
 */
static inline struct sem_array *sem_obtain_object_check(struct ipc_namespace *ns,
							int id)
{
	struct kern_ipc_perm *perm;

	perm = ipc_obtain_object_check(&sem_ids(ns), id);
	if (IS_ERR(perm))
		return ERR_CAST(perm);

	return container_of(perm, struct sem_array, sem_perm);
}
498023a5355SNadia Derbey 
/*
 * sem_lock_and_putref - take the global lock and drop a reference
 * @sma: semaphore array the caller holds a reference on
 *
 * nsops == -1 is never 1, so sem_lock() takes the global sem_perm.lock and
 * never dereferences the NULL sops. The reference is then released; if it
 * was the last one the array is freed by sem_rcu_free() after a grace
 * period, so the caller must not touch @sma once it has unlocked it.
 */
static inline void sem_lock_and_putref(struct sem_array *sma)
{
	sem_lock(sma, NULL, -1);
	ipc_rcu_putref(&sma->sem_perm, sem_rcu_free);
}
5046ff37972SPierre Peiffer 
/*
 * sem_rmid - remove a semaphore array from the namespace's id table
 * @ns: namespace
 * @s: array to unlink
 *
 * Thin wrapper around ipc_rmid() for the semaphore id set; the memory of
 * @s is not released here.
 */
static inline void sem_rmid(struct ipc_namespace *ns, struct sem_array *s)
{
	ipc_rmid(&sem_ids(ns), &s->sem_perm);
}
5097ca7e564SNadia Derbey 
/*
 * sem_alloc - allocate a zeroed sem_array with room for @nsems semaphores
 * @nsems: number of semaphores (caller-validated count, ultimately from user
 *         space via semget())
 *
 * The size is bounded explicitly before struct_size() is evaluated so that
 * the total allocation never exceeds INT_MAX; struct_size() itself only
 * guards against size_t overflow.
 *
 * Return: the array, or NULL if @nsems is too large or memory is exhausted.
 * The memory is charged to the caller's memcg (GFP_KERNEL_ACCOUNT) and must
 * be released with kvfree().
 */
static struct sem_array *sem_alloc(size_t nsems)
{
	struct sem_array *sma = NULL;
	const size_t max_nsems = (INT_MAX - sizeof(*sma)) / sizeof(sma->sems[0]);

	if (nsems > max_nsems)
		return NULL;

	sma = kvzalloc(struct_size(sma, sems, nsems), GFP_KERNEL_ACCOUNT);
	return sma;
}
523101ede01SKees Cook 
/**
 * newary - Create a new semaphore set
 * @ns: namespace
 * @params: ptr to the structure that contains key, semflg and nsems
 *
 * Called with sem_ids.rwsem held (as a writer)
 *
 * Only the rwx permission bits (S_IRWXUGO) of the user-supplied semflg are
 * stored in sem_perm.mode, and the LSM hook security_sem_alloc() runs before
 * the set is published via ipc_addid(). Returns the new id or a negative
 * errno; every error path releases the partially built array.
 */
static int newary(struct ipc_namespace *ns, struct ipc_params *params)
{
	struct sem_array *sma;
	const key_t key = params->key;
	const int nsems = params->u.nsems;
	const int semflg = params->flg;
	int err, idx;

	if (nsems == 0)
		return -EINVAL;
	/* Per-namespace cap on the total number of semaphores. */
	if (ns->used_sems + nsems > ns->sc_semmns)
		return -ENOSPC;

	sma = sem_alloc(nsems);
	if (!sma)
		return -ENOMEM;

	/* Untrusted flags: keep only the permission bits. */
	sma->sem_perm.mode = semflg & S_IRWXUGO;
	sma->sem_perm.key = key;
	sma->sem_perm.security = NULL;

	err = security_sem_alloc(&sma->sem_perm);
	if (err) {
		/* Nothing but the array itself exists yet: plain free. */
		kvfree(sma);
		return err;
	}

	for (idx = 0; idx < nsems; idx++) {
		struct sem *entry = &sma->sems[idx];

		INIT_LIST_HEAD(&entry->pending_alter);
		INIT_LIST_HEAD(&entry->pending_const);
		spin_lock_init(&entry->lock);
	}

	sma->complex_count = 0;
	sma->use_global_lock = USE_GLOBAL_LOCK_HYSTERESIS;
	INIT_LIST_HEAD(&sma->pending_alter);
	INIT_LIST_HEAD(&sma->pending_const);
	INIT_LIST_HEAD(&sma->list_id);
	sma->sem_nsems = nsems;
	sma->sem_ctime = ktime_get_real_seconds();

	/* ipc_addid() locks sma upon success. */
	err = ipc_addid(&sem_ids(ns), &sma->sem_perm, ns->sc_semmni);
	if (err < 0) {
		/*
		 * The LSM blob is attached now, so go through the RCU free
		 * path (presumably sem_rcu_free tears the blob down too).
		 */
		ipc_rcu_putref(&sma->sem_perm, sem_rcu_free);
		return err;
	}
	ns->used_sems += nsems;

	sem_unlock(sma, -1);
	rcu_read_unlock();

	return sma->sem_perm.id;
}
5861da177e4SLinus Torvalds 
5877748dbfaSNadia Derbey 
/*
 * sem_more_checks - extra validation when semget() finds an existing set
 * @ipcp: the existing set's permission object
 * @params: the caller's request (key, flags, nsems)
 *
 * Called with sem_ids.rwsem and ipcp locked.
 *
 * The requested nsems must not exceed the size of the existing set; a larger
 * request is rejected with -EINVAL (a request for fewer is fine).
 */
static int sem_more_checks(struct kern_ipc_perm *ipcp, struct ipc_params *params)
{
	const struct sem_array *sma = container_of(ipcp, struct sem_array, sem_perm);

	return params->u.nsems > sma->sem_nsems ? -EINVAL : 0;
}
6017748dbfaSNadia Derbey 
/*
 * ksys_semget - kernel entry point for semget(2)
 * @key: IPC key identifying the set
 * @nsems: number of semaphores requested (user controlled)
 * @semflg: creation flags and permission bits
 *
 * @nsems is range-checked against the namespace limit sc_semmsl before the
 * generic ipcget() machinery runs, so newary() and sem_more_checks() only
 * ever see a value in [0, sc_semmsl]. Returns the set id or a negative errno.
 */
long ksys_semget(key_t key, int nsems, int semflg)
{
	static const struct ipc_ops sem_ops = {
		.getnew = newary,
		.associate = security_sem_associate,
		.more_checks = sem_more_checks,
	};
	struct ipc_namespace *ns = current->nsproxy->ipc_ns;
	struct ipc_params request = {
		.key = key,
		.flg = semflg,
		.u.nsems = nsems,
	};

	/* Reject negative and oversized counts before touching any set. */
	if (nsems < 0 || nsems > ns->sc_semmsl)
		return -EINVAL;

	return ipcget(ns, &sem_ids(ns), &sem_ops, &request);
}
6231da177e4SLinus Torvalds 
/* semget(2): thin syscall wrapper; all validation lives in ksys_semget(). */
SYSCALL_DEFINE3(semget, key_t, key, int, nsems, int, semflg)
{
	return ksys_semget(key, nsems, semflg);
}
62869894718SDominik Brodowski 
/**
 * perform_atomic_semop[_slow] - Attempt to perform semaphore
 *                               operations on a given array.
 * @sma: semaphore array
 * @q: struct sem_queue that describes the operation
 *
 * Whether the caller blocks depends on the value of the
 * semaphore operation (sem_op):
 *
 *  (1) >0 never blocks.
 *  (2)  0 (wait-for-zero operation): semval is non-zero.
 *  (3) <0 attempting to decrement semval to a value smaller than zero.
 *
 * Returns 0 if the operation was possible.
 * Returns 1 if the operation is impossible, the caller must sleep.
 * Returns <0 for error codes.
 *
 * The _slow variant is taken when the same semaphore occurs more than once
 * in q->sops (q->dupsop): it applies each sop in place so later sops see the
 * updated value, and rolls everything back on failure. q->undo is only
 * dereferenced for sops that carry SEM_UNDO (presumably it is NULL when no
 * sop requests undo - confirm at the caller).
 */
static int perform_atomic_semop_slow(struct sem_array *sma, struct sem_queue *q)
{
	int result, sem_op, nsops;
	struct pid *pid;
	struct sembuf *sop;
	struct sem *curr;
	struct sembuf *sops;
	struct sem_undo *un;

	sops = q->sops;
	nsops = q->nsops;
	un = q->undo;

	for (sop = sops; sop < sops + nsops; sop++) {
		/*
		 * sem_num is user supplied: clamp it under speculation
		 * (Spectre v1) so this load cannot run ahead of the bounds
		 * check presumably done before the sops were queued.
		 */
		int idx = array_index_nospec(sop->sem_num, sma->sem_nsems);
		curr = &sma->sems[idx];
		sem_op = sop->sem_op;
		result = curr->semval;

		/* wait-for-zero: cannot proceed while semval is non-zero */
		if (!sem_op && result)
			goto would_block;

		result += sem_op;
		if (result < 0)
			goto would_block;
		/* semval must stay within [0, SEMVMX] */
		if (result > SEMVMX)
			goto out_of_range;

		if (sop->sem_flg & SEM_UNDO) {
			int undo = un->semadj[sop->sem_num] - sem_op;
			/* Exceeding the undo range is an error. */
			if (undo < (-SEMAEM - 1) || undo > SEMAEM)
				goto out_of_range;
			un->semadj[sop->sem_num] = undo;
		}

		/* Applied in place; undone below if a later sop fails. */
		curr->semval = result;
	}

	/* All sops applied: record the caller's pid on every touched sem. */
	sop--;
	pid = q->pid;
	while (sop >= sops) {
		ipc_update_pid(&sma->sems[sop->sem_num].sempid, pid);
		sop--;
	}

	return 0;

out_of_range:
	result = -ERANGE;
	goto undo;

would_block:
	/* Remember which sop blocked; check_qop() reports it for GETNCNT/GETZCNT. */
	q->blocking = sop;

	if (sop->sem_flg & IPC_NOWAIT)
		result = -EAGAIN;
	else
		result = 1;

undo:
	/* Roll back every sop applied before the one that failed. */
	sop--;
	while (sop >= sops) {
		sem_op = sop->sem_op;
		sma->sems[sop->sem_num].semval -= sem_op;
		if (sop->sem_flg & SEM_UNDO)
			un->semadj[sop->sem_num] += sem_op;
		sop--;
	}

	return result;
}
7181da177e4SLinus Torvalds 
/*
 * perform_atomic_semop - fast path of the semop engine (see the kernel-doc
 * above perform_atomic_semop_slow() for the return-value contract).
 *
 * Valid only when no semaphore appears twice in q->sops: each new value is
 * computed from the current semval alone, so duplicates are dispatched to
 * the apply-and-rollback _slow variant instead. q->undo is only touched for
 * sops carrying SEM_UNDO.
 */
static int perform_atomic_semop(struct sem_array *sma, struct sem_queue *q)
{
	int result, sem_op, nsops;
	struct sembuf *sop;
	struct sem *curr;
	struct sembuf *sops;
	struct sem_undo *un;

	sops = q->sops;
	nsops = q->nsops;
	un = q->undo;

	/* Duplicate semaphores in one request need the in-place/rollback path. */
	if (unlikely(q->dupsop))
		return perform_atomic_semop_slow(sma, q);

	/*
	 * We scan the semaphore set twice, first to ensure that the entire
	 * operation can succeed, therefore avoiding any pointless writes
	 * to shared memory and having to undo such changes in order to block
	 * until the operations can go through.
	 */
	for (sop = sops; sop < sops + nsops; sop++) {
		/* Spectre v1: clamp the user-supplied index before the load. */
		int idx = array_index_nospec(sop->sem_num, sma->sem_nsems);

		curr = &sma->sems[idx];
		sem_op = sop->sem_op;
		result = curr->semval;

		if (!sem_op && result)
			goto would_block; /* wait-for-zero */

		result += sem_op;
		if (result < 0)
			goto would_block;

		/* semval must stay within [0, SEMVMX] */
		if (result > SEMVMX)
			return -ERANGE;

		if (sop->sem_flg & SEM_UNDO) {
			int undo = un->semadj[sop->sem_num] - sem_op;

			/* Exceeding the undo range is an error. */
			if (undo < (-SEMAEM - 1) || undo > SEMAEM)
				return -ERANGE;
		}
	}

	/* Second pass: every check passed, commit all sops without rollback. */
	for (sop = sops; sop < sops + nsops; sop++) {
		curr = &sma->sems[sop->sem_num];
		sem_op = sop->sem_op;

		if (sop->sem_flg & SEM_UNDO) {
			int undo = un->semadj[sop->sem_num] - sem_op;

			un->semadj[sop->sem_num] = undo;
		}
		curr->semval += sem_op;
		ipc_update_pid(&curr->sempid, q->pid);
	}

	return 0;

would_block:
	/* Record the blocking sop for GETNCNT/GETZCNT accounting (check_qop()). */
	q->blocking = sop;
	return sop->sem_flg & IPC_NOWAIT ? -EAGAIN : 1;
}
7854ce33ec2SDavidlohr Bueso 
/*
 * wake_up_sem_queue_prepare - publish a result and stage the sleeper for wake-up
 * @q: the completed (or failed) queue entry
 * @error: result handed to the sleeper (0, or a negative errno)
 * @wake_q: lockless wake-queue the sleeper is appended to
 *
 * Statement order matters: the task reference is taken before q->status is
 * released. Once the store is visible the sleeper may run and return, after
 * which q (and q->sleeper) must be treated as gone - presumably q lives on
 * the sleeper's stack, verify in the semop path. wake_q_add_safe() is
 * expected to take over the reference obtained here.
 */
static inline void wake_up_sem_queue_prepare(struct sem_queue *q, int error,
					     struct wake_q_head *wake_q)
{
	struct task_struct *sleeper;

	/* Pin the task first; q->sleeper is not safe to read after the store. */
	sleeper = get_task_struct(q->sleeper);

	/* see SEM_BARRIER_2 for purpose/pairing */
	smp_store_release(&q->status, error);

	wake_q_add_safe(wake_q, sleeper);
}
798d4212093SNick Piggin 
/*
 * unlink_queue - remove a queued operation from whichever pending list holds it
 * @sma: semaphore array
 * @q: the entry to remove
 *
 * Multi-sop ("complex") operations are counted in sma->complex_count, so the
 * counter is decremented when one leaves the queue.
 */
static void unlink_queue(struct sem_array *sma, struct sem_queue *q)
{
	const bool is_complex = q->nsops > 1;

	list_del(&q->list);
	if (is_complex)
		sma->complex_count--;
}
805b97e820fSManfred Spraul 
/**
 * check_restart - decide whether update_queue() must rescan from the start
 * @sma: semaphore array
 * @q: the operation that just completed
 *
 * update_queue is O(N^2) when it restarts scanning the whole queue of
 * waiting operations, so a restart is only requested when the completed
 * operation might have unblocked an earlier waiter:
 * - pending complex alter operations are too difficult to analyse;
 * - a completed complex operation is likewise too difficult;
 * - otherwise @q was a sleeping simple alter operation, hence a decrement
 *   (simple increments never sleep). Older decrements in the queue saw the
 *   larger original semval and could not proceed, so they still cannot.
 * Wait-for-zero operations are handled separately and never need a restart.
 *
 * Returns 1 if a rescan is required, 0 otherwise.
 */
static inline int check_restart(struct sem_array *sma, struct sem_queue *q)
{
	const bool complex_pending = !list_empty(&sma->pending_alter);
	const bool was_complex = q->nsops > 1;

	return (complex_pending || was_complex) ? 1 : 0;
}
8391a82e9e1SManfred Spraul 
/**
 * wake_const_ops - wake up non-alter tasks
 * @sma: semaphore array.
 * @semnum: semaphore that was modified, or -1 for the global queue.
 * @wake_q: lockless wake-queue head.
 *
 * wake_const_ops must be called after a semaphore in a semaphore array
 * was set to 0. If complex const operations are pending, wake_const_ops must
 * be called with semnum = -1, as well as with the number of each modified
 * semaphore.
 * The tasks that must be woken up are added to @wake_q; their result is
 * published through wake_up_sem_queue_prepare().
 * The function returns 1 if at least one operation was completed successfully.
 */
static int wake_const_ops(struct sem_array *sma, int semnum,
			  struct wake_q_head *wake_q)
{
	struct list_head *queue = semnum == -1 ? &sma->pending_const
					       : &sma->sems[semnum].pending_const;
	struct sem_queue *entry, *next;
	int completed = 0;

	list_for_each_entry_safe(entry, next, queue, list) {
		int rc = perform_atomic_semop(sma, entry);

		/* rc > 0: still has to wait, leave it queued. */
		if (rc > 0)
			continue;

		/* Done (rc == 0) or failed (rc < 0): dequeue and wake. */
		unlink_queue(sma, entry);
		wake_up_sem_queue_prepare(entry, rc, wake_q);
		if (rc == 0)
			completed = 1;
	}

	return completed;
}
8811a82e9e1SManfred Spraul 
/**
 * do_smart_wakeup_zero - wakeup all wait for zero tasks
 * @sma: semaphore array
 * @sops: operations that were performed, or NULL if unknown
 * @nsops: number of operations
 * @wake_q: lockless wake-queue head
 *
 * Checks every relevant queue for wait-for-zero operations, based on the
 * actual changes that were performed on the semaphore array. Without @sops
 * the modified semaphores are unknown and all of them are inspected.
 * The function returns 1 if at least one operation was completed successfully.
 */
static int do_smart_wakeup_zero(struct sem_array *sma, struct sembuf *sops,
				int nsops, struct wake_q_head *wake_q)
{
	const int count = sops ? nsops : sma->sem_nsems;
	int completed = 0;
	int any_zero = 0;
	int i;

	/* First: the per-semaphore queues of every semaphore now at 0. */
	for (i = 0; i < count; i++) {
		int num = sops ? sops[i].sem_num : i;

		if (sma->sems[num].semval != 0)
			continue;
		any_zero = 1;
		completed |= wake_const_ops(sma, num, wake_q);
	}

	/* Then: the global queue, but only if some semaphore reached 0. */
	if (any_zero)
		completed |= wake_const_ops(sma, -1, wake_q);

	return completed;
}
931fd5db422SManfred Spraul 
932636c6be8SManfred Spraul 
/**
 * update_queue - look for tasks that can be completed.
 * @sma: semaphore array.
 * @semnum: semaphore that was modified, or -1 for the global queue.
 * @wake_q: lockless wake-queue head.
 *
 * update_queue must be called after a semaphore in a semaphore array
 * was modified. If multiple semaphores were modified, update_queue must
 * be called with semnum = -1, as well as with the number of each modified
 * semaphore.
 * The tasks that must be woken up are added to @wake_q; their result is
 * published through wake_up_sem_queue_prepare().
 * The function internally checks if const operations can now succeed.
 *
 * The function returns 1 if at least one semop was completed successfully.
 */
static int update_queue(struct sem_array *sma, int semnum, struct wake_q_head *wake_q)
{
	struct list_head *queue = semnum == -1 ? &sma->pending_alter
					       : &sma->sems[semnum].pending_alter;
	struct sem_queue *entry, *next;
	int completed = 0;
	int rescan;

	/* Each pass walks the queue from the head; a rescan restarts it. */
	do {
		rescan = 0;
		list_for_each_entry_safe(entry, next, queue, list) {
			int rc;

			/*
			 * Per-semaphore list of a semaphore at 0: simple
			 * increments never sit in this queue (they succeed
			 * at once) and decrements cannot succeed on 0, so
			 * nothing further down can proceed either.
			 */
			if (semnum != -1 && sma->sems[semnum].semval == 0)
				break;

			rc = perform_atomic_semop(sma, entry);
			if (rc > 0)
				continue;	/* sleeper still has to wait */

			unlink_queue(sma, entry);
			if (rc == 0) {
				completed = 1;
				do_smart_wakeup_zero(sma, entry->sops,
						     entry->nsops, wake_q);
				rescan = check_restart(sma, entry);
			}
			/* Publish rc (0 or -errno) and stage the wake-up. */
			wake_up_sem_queue_prepare(entry, rc, wake_q);
			if (rescan)
				break;
		}
	} while (rescan);

	return completed;
}
9961da177e4SLinus Torvalds 
/**
 * set_semotime - set sem_otime
 * @sma: semaphore array
 * @sops: operations that modified the array, may be NULL
 *
 * sem_otime is replicated per semaphore to avoid cache line thrashing; only
 * one copy is stamped here (the first modified semaphore's, or sems[0] when
 * the modified set is unknown). Readers presumably take the maximum.
 */
static void set_semotime(struct sem_array *sma, struct sembuf *sops)
{
	const int idx = sops ? sops[0].sem_num : 0;

	sma->sems[idx].sem_otime = ktime_get_real_seconds();
}
10140e8c6656SManfred Spraul 
/**
 * do_smart_update - optimized update_queue
 * @sma: semaphore array
 * @sops: operations that were performed, may be NULL
 * @nsops: number of operations
 * @otime: force setting otime
 * @wake_q: lockless wake-queue head
 *
 * do_smart_update() does the required calls to update_queue and wakeup_zero,
 * based on the actual changes that were performed on the semaphore array.
 * Note that the function does not do the actual wake-up: the caller is
 * responsible for calling wake_up_q().
 * It is safe to perform this call after dropping all locks.
 */
static void do_smart_update(struct sem_array *sma, struct sembuf *sops, int nsops,
			    int otime, struct wake_q_head *wake_q)
{
	int idx;

	/* Wait-for-zero waiters first. */
	otime |= do_smart_wakeup_zero(sma, sops, nsops, wake_q);

	if (!list_empty(&sma->pending_alter)) {
		/* Complex ops pending: the array uses the global queue. */
		otime |= update_queue(sma, -1, wake_q);
	} else if (!sops) {
		/* Modified semaphores unknown: scan every per-semaphore queue. */
		for (idx = 0; idx < sma->sem_nsems; idx++)
			otime |= update_queue(sma, idx, wake_q);
	} else {
		/*
		 * Only increments can unblock anyone: with no complex ops
		 * pending every sleeper is a decrement, and a value that was
		 * too small before we decreased it is still too small.
		 */
		for (idx = 0; idx < nsops; idx++) {
			if (sops[idx].sem_op > 0)
				otime |= update_queue(sma, sops[idx].sem_num,
						      wake_q);
		}
	}

	if (otime)
		set_semotime(sma, sops);
}
1068fd5db422SManfred Spraul 
/*
 * check_qop - test if a queued complex operation sleeps on semaphore semnum
 * @sma: semaphore array (unused, kept for the call-site signature)
 * @semnum: semaphore being counted
 * @q: queued operation; q->blocking is the sop it actually blocked on
 * @count_zero: true for GETZCNT (wait-for-zero), false for GETNCNT
 *
 * Returns 1 if @q counts for this semaphore, 0 otherwise.
 */
static int check_qop(struct sem_array *sma, int semnum, struct sem_queue *q,
			bool count_zero)
{
	const struct sembuf *blocked = q->blocking;

	/*
	 * Linux always (since 0.99.10) reported a task as sleeping on all
	 * semaphores. This violates SUS, therefore it was changed to the
	 * standard compliant behavior.
	 * Give the administrators a chance to notice that an application
	 * might misbehave because it relies on the Linux behavior. Logged
	 * once only, so an unprivileged caller cannot flood the log.
	 */
	pr_info_once("semctl(GETNCNT/GETZCNT) is since 3.16 Single Unix Specification compliant.\n"
			"The task %s (%d) triggered the difference, watch for misbehavior.\n",
			current->comm, task_pid_nr(current));

	/* Only the sop that blocked counts, even if later ones would block too. */
	if (blocked->sem_num != semnum)
		return 0;

	return count_zero ? blocked->sem_op == 0 : blocked->sem_op < 0;
}
10982f2ed41dSManfred Spraul 
/*
 * count_semcnt - compute semncnt or semzcnt for one semaphore
 * @sma: semaphore array
 * @semnum: semaphore index
 * @count_zero: false -> semncnt (tasks waiting for semval to become nonzero,
 *              i.e. blocked decrements); true -> semzcnt (tasks waiting for
 *              semval to become zero)
 *
 * Per definition, a task waits only on the semaphore of the first semop
 * that cannot proceed, even if additional operations would block, too.
 */
static int count_semcnt(struct sem_array *sma, ushort semnum,
			bool count_zero)
{
	struct list_head *simple = count_zero ? &sma->sems[semnum].pending_const
					      : &sma->sems[semnum].pending_alter;
	struct sem_queue *entry;
	int total = 0;

	/* Simple ops on the per-semaphore list all sleep on exactly this sem. */
	list_for_each_entry(entry, simple, list)
		total++;

	/* Complex alter ops: only those actually blocked on semnum count. */
	list_for_each_entry(entry, &sma->pending_alter, list)
		total += check_qop(sma, semnum, entry, count_zero);

	/* Complex wait-for-zero ops only matter for GETZCNT. */
	if (count_zero) {
		list_for_each_entry(entry, &sma->pending_const, list)
			total += check_qop(sma, semnum, entry, count_zero);
	}

	return total;
}
11381da177e4SLinus Torvalds 
/* Free a semaphore set. freeary() is called with sem_ids.rwsem locked
 * as a writer and the spinlock for this semaphore set held. sem_ids.rwsem
 * remains locked on exit.
 */
/*
 * freeary - tear down a semaphore set on IPC_RMID
 * @ns: IPC namespace owning the set
 * @ipcp: the set's kern_ipc_perm, embedded in its sem_array
 *
 * Entered with sem_ids.rwsem held for writing and the set locked (see the
 * comment above). Releases the set lock and the RCU read side itself;
 * sem_ids.rwsem stays held for the caller. Every task still sleeping on
 * the set is woken with -EIDRM once the locks are dropped.
 */
static void freeary(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp)
{
	struct sem_undo *un, *tu;
	struct sem_queue *q, *tq;
	struct sem_array *sma = container_of(ipcp, struct sem_array, sem_perm);
	int i;
	DEFINE_WAKE_Q(wake_q);

	/* Free the existing undo structures for this semaphore set.  */
	ipc_assert_locked_object(&sma->sem_perm);
	list_for_each_entry_safe(un, tu, &sma->list_id, list_id) {
		list_del(&un->list_id);
		spin_lock(&un->ulp->lock);
		/* -1: presumably marks the entry as detached for the undo
		 * lookup code — confirm against the sem_undo readers */
		un->semid = -1;
		list_del_rcu(&un->list_proc);
		spin_unlock(&un->ulp->lock);
		/* list_proc is RCU-traversed: free only after a grace period */
		kvfree_rcu(un, rcu);
	}

	/* Wake up all pending processes and let them fail with EIDRM.
	 * Wakeups are only queued here; wake_up_q() runs them below, after
	 * the set lock and the RCU read side have been released.
	 */
	list_for_each_entry_safe(q, tq, &sma->pending_const, list) {
		unlink_queue(sma, q);
		wake_up_sem_queue_prepare(q, -EIDRM, &wake_q);
	}

	list_for_each_entry_safe(q, tq, &sma->pending_alter, list) {
		unlink_queue(sma, q);
		wake_up_sem_queue_prepare(q, -EIDRM, &wake_q);
	}
	/* Same for the per-semaphore queues (simple operations). */
	for (i = 0; i < sma->sem_nsems; i++) {
		struct sem *sem = &sma->sems[i];
		list_for_each_entry_safe(q, tq, &sem->pending_const, list) {
			unlink_queue(sma, q);
			wake_up_sem_queue_prepare(q, -EIDRM, &wake_q);
		}
		list_for_each_entry_safe(q, tq, &sem->pending_alter, list) {
			unlink_queue(sma, q);
			wake_up_sem_queue_prepare(q, -EIDRM, &wake_q);
		}
		/* release whatever pid is recorded as sempid */
		ipc_update_pid(&sem->sempid, NULL);
	}

	/* Remove the semaphore set from the IDR */
	sem_rmid(ns, sma);
	sem_unlock(sma, -1);
	rcu_read_unlock();

	wake_up_q(&wake_q);
	/* used_sems: presumably guarded by sem_ids.rwsem, which the caller
	 * still holds (semctl_info() reads it under down_read) */
	ns->used_sems -= sma->sem_nsems;
	/* drop our reference; the array itself goes away via sem_rcu_free */
	ipc_rcu_putref(&sma->sem_perm, sem_rcu_free);
}
11941da177e4SLinus Torvalds 
/*
 * copy_semid_to_user - hand a semid64_ds to user space in the requested ABI
 * @buf: user destination
 * @in: kernel copy of the stat data
 * @version: IPC_64 for the native struct, IPC_OLD for the legacy semid_ds
 *
 * Returns 0 on success, the number of bytes copy_to_user() could not copy,
 * or -EINVAL for an unknown @version.
 */
static unsigned long copy_semid_to_user(void __user *buf, struct semid64_ds *in, int version)
{
	struct semid_ds legacy;

	if (version == IPC_64)
		return copy_to_user(buf, in, sizeof(*in));
	if (version != IPC_OLD)
		return -EINVAL;

	/*
	 * memset rather than an initializer: only an explicit clear also
	 * zeroes struct padding, so no stale kernel stack bytes are copied
	 * to user space below.
	 */
	memset(&legacy, 0, sizeof(legacy));
	ipc64_perm_to_ipc_perm(&in->sem_perm, &legacy.sem_perm);
	legacy.sem_otime = in->sem_otime;
	legacy.sem_ctime = in->sem_ctime;
	legacy.sem_nsems = in->sem_nsems;

	return copy_to_user(buf, &legacy, sizeof(legacy));
}
12181da177e4SLinus Torvalds 
/*
 * get_semotime - last operation time of a whole set
 * @sma: semaphore set; semctl_stat() calls this with the object locked
 *
 * sem_otime is tracked per semaphore; the set-wide value is the newest of
 * them. Assumes sem_nsems >= 1 (sems[0] is read unconditionally).
 */
static time64_t get_semotime(struct sem_array *sma)
{
	time64_t newest;
	int i;

	newest = sma->sems[0].sem_otime;
	for (i = 1; i < sma->sem_nsems; i++) {
		if (sma->sems[i].sem_otime > newest)
			newest = sma->sems[i].sem_otime;
	}
	return newest;
}
1233d12e1e50SManfred Spraul 
/*
 * semctl_stat - IPC_STAT, SEM_STAT and SEM_STAT_ANY
 * @ns: caller's IPC namespace
 * @semid: set id for IPC_STAT; for SEM_STAT/SEM_STAT_ANY whatever key
 *         sem_obtain_object() accepts
 * @cmd: which of the three stat commands
 * @semid64: kernel buffer filled on success; the caller copies it to user
 *           space in the requested ABI
 *
 * Returns 0 for IPC_STAT, the full id (including the sequence number) for
 * SEM_STAT/SEM_STAT_ANY, or a negative errno.
 */
static int semctl_stat(struct ipc_namespace *ns, int semid,
			 int cmd, struct semid64_ds *semid64)
{
	struct sem_array *sma;
	time64_t semotime;
	int err;

	/* the whole struct reaches user space later: clear it first */
	memset(semid64, 0, sizeof(*semid64));

	rcu_read_lock();
	if (cmd == SEM_STAT || cmd == SEM_STAT_ANY) {
		sma = sem_obtain_object(ns, semid);
		if (IS_ERR(sma)) {
			err = PTR_ERR(sma);
			goto out_unlock;
		}
	} else { /* IPC_STAT: the _check lookup also validates the id's sequence number */
		sma = sem_obtain_object_check(ns, semid);
		if (IS_ERR(sma)) {
			err = PTR_ERR(sma);
			goto out_unlock;
		}
	}

	/* see comment for SHM_STAT_ANY */
	/*
	 * SEM_STAT_ANY intentionally bypasses the S_IRUGO check: the access
	 * is audited and then gated only by the LSM hook below.
	 */
	if (cmd == SEM_STAT_ANY)
		audit_ipc_obj(&sma->sem_perm);
	else {
		err = -EACCES;
		if (ipcperms(ns, &sma->sem_perm, S_IRUGO))
			goto out_unlock;
	}

	err = security_sem_semctl(&sma->sem_perm, cmd);
	if (err)
		goto out_unlock;

	ipc_lock_object(&sma->sem_perm);

	/* the set may have been removed between the RCU lookup and the lock */
	if (!ipc_valid_object(&sma->sem_perm)) {
		ipc_unlock_object(&sma->sem_perm);
		err = -EIDRM;
		goto out_unlock;
	}

	kernel_to_ipc64_perm(&sma->sem_perm, &semid64->sem_perm);
	semotime = get_semotime(sma);
	semid64->sem_otime = semotime;
	semid64->sem_ctime = sma->sem_ctime;
#ifndef CONFIG_64BIT
	/* 32-bit ABI: the upper halves of the 64-bit times travel separately */
	semid64->sem_otime_high = semotime >> 32;
	semid64->sem_ctime_high = sma->sem_ctime >> 32;
#endif
	semid64->sem_nsems = sma->sem_nsems;

	if (cmd == IPC_STAT) {
		/*
		 * As defined in SUS:
		 * Return 0 on success
		 */
		err = 0;
	} else {
		/*
		 * SEM_STAT and SEM_STAT_ANY (both Linux specific)
		 * Return the full id, including the sequence number
		 */
		err = sma->sem_perm.id;
	}
	ipc_unlock_object(&sma->sem_perm);
out_unlock:
	rcu_read_unlock();
	return err;
}
130745a4a64aSAl Viro 
/*
 * semctl_info - IPC_INFO / SEM_INFO: report the namespace's semaphore limits
 * @ns: caller's IPC namespace
 * @semid: not used by these commands
 * @cmd: IPC_INFO (compile-time usage constants) or SEM_INFO (live usage)
 * @p: user buffer that receives a struct seminfo
 *
 * Returns the value of ipc_get_maxidx() (0 when it is negative) on success,
 * -EFAULT if the copy to user space fails, or the LSM hook's error.
 */
static int semctl_info(struct ipc_namespace *ns, int semid,
			 int cmd, void __user *p)
{
	struct seminfo info;
	int last_idx;
	int ret;

	ret = security_sem_semctl(NULL, cmd);
	if (ret)
		return ret;

	/* explicit clear: the struct is copied to user space as a whole */
	memset(&info, 0, sizeof(info));
	info.semvmx = SEMVMX;
	info.semmnu = SEMMNU;
	info.semmap = SEMMAP;
	info.semume = SEMUME;
	info.semmni = ns->sc_semmni;
	info.semmns = ns->sc_semmns;
	info.semmsl = ns->sc_semmsl;
	info.semopm = ns->sc_semopm;

	/* in_use, used_sems and the max index are read under sem_ids.rwsem */
	down_read(&sem_ids(ns).rwsem);
	if (cmd != SEM_INFO) {
		info.semusz = SEMUSZ;
		info.semaem = SEMAEM;
	} else {
		info.semusz = sem_ids(ns).in_use;
		info.semaem = ns->used_sems;
	}
	last_idx = ipc_get_maxidx(&sem_ids(ns));
	up_read(&sem_ids(ns).rwsem);

	if (copy_to_user(p, &info, sizeof(struct seminfo)))
		return -EFAULT;
	if (last_idx < 0)
		return 0;
	return last_idx;
}
13421da177e4SLinus Torvalds 
/*
 * semctl_setval - SETVAL: set one semaphore of a set to @val
 * @ns: caller's IPC namespace
 * @semid: id of the set
 * @semnum: user-supplied index of the semaphore within the set
 * @val: new value, must lie in 0..SEMVMX
 *
 * Returns 0 on success or a negative errno. Every undo record for the set
 * forgets its adjustment for @semnum, and sleepers that the new value
 * unblocks are woken once the set lock has been dropped.
 */
static int semctl_setval(struct ipc_namespace *ns, int semid, int semnum,
		int val)
{
	struct sem_undo *un;
	struct sem_array *sma;
	struct sem *curr;
	int err;
	DEFINE_WAKE_Q(wake_q);

	/* range check first: no lookup at all for an invalid value */
	if (val > SEMVMX || val < 0)
		return -ERANGE;

	rcu_read_lock();
	sma = sem_obtain_object_check(ns, semid);
	if (IS_ERR(sma)) {
		rcu_read_unlock();
		return PTR_ERR(sma);
	}

	/* bounds-check the user-supplied index before any use of it */
	if (semnum < 0 || semnum >= sma->sem_nsems) {
		rcu_read_unlock();
		return -EINVAL;
	}


	if (ipcperms(ns, &sma->sem_perm, S_IWUGO)) {
		rcu_read_unlock();
		return -EACCES;
	}

	err = security_sem_semctl(&sma->sem_perm, SETVAL);
	if (err) {
		/*
		 * NOTE(review): the hook's return value is discarded and
		 * mapped to -EACCES here, whereas semctl_main() and
		 * semctl_stat() return it unchanged. User-visible, so left
		 * as is.
		 */
		rcu_read_unlock();
		return -EACCES;
	}

	sem_lock(sma, NULL, -1);

	/* the set may have been removed between the RCU lookup and the lock */
	if (!ipc_valid_object(&sma->sem_perm)) {
		sem_unlock(sma, -1);
		rcu_read_unlock();
		return -EIDRM;
	}

	/*
	 * Clamp the index after the bounds check so a mispredicted branch
	 * cannot speculatively index past sems[] (Spectre v1).
	 */
	semnum = array_index_nospec(semnum, sma->sem_nsems);
	curr = &sma->sems[semnum];

	/* every undo record of this set drops its adjustment for semnum */
	ipc_assert_locked_object(&sma->sem_perm);
	list_for_each_entry(un, &sma->list_id, list_id)
		un->semadj[semnum] = 0;

	curr->semval = val;
	ipc_update_pid(&curr->sempid, task_tgid(current));
	sma->sem_ctime = ktime_get_real_seconds();
	/* maybe some queued-up processes were waiting for this */
	do_smart_update(sma, NULL, 0, 0, &wake_q);
	sem_unlock(sma, -1);
	rcu_read_unlock();
	/* queued wakeups run only after the lock is gone */
	wake_up_q(&wake_q);
	return 0;
}
1404e1fd1f49SAl Viro 
/*
 * semctl_main - GETALL, SETALL, GETVAL, GETPID, GETNCNT and GETZCNT
 * @ns: caller's IPC namespace
 * @semid: id of the set
 * @semnum: user-supplied semaphore index (ignored by GETALL/SETALL)
 * @cmd: one of the commands above
 * @p: user buffer: an array of @nsems ushort for GETALL/SETALL
 *
 * Returns the command's result (value, pid or count) or 0 on success, or a
 * negative errno. SETALL needs write permission on the set, everything
 * else read permission.
 *
 * Buffer handling: up to SEMMSL_FAST values live on the stack; larger sets
 * use a kvmalloc'ed array. Allocation can sleep, so the set lock and the
 * RCU read side are dropped around it while a reference on the set keeps
 * it alive; after re-locking, ipc_valid_object() guards against a
 * concurrent IPC_RMID.
 */
static int semctl_main(struct ipc_namespace *ns, int semid, int semnum,
		int cmd, void __user *p)
{
	struct sem_array *sma;
	struct sem *curr;
	int err, nsems;
	ushort fast_sem_io[SEMMSL_FAST];
	ushort *sem_io = fast_sem_io;
	DEFINE_WAKE_Q(wake_q);

	rcu_read_lock();
	sma = sem_obtain_object_check(ns, semid);
	if (IS_ERR(sma)) {
		rcu_read_unlock();
		return PTR_ERR(sma);
	}

	/* read once, unlocked, and used for the copy sizes below: this
	 * assumes sem_nsems never changes after creation — verify */
	nsems = sma->sem_nsems;

	err = -EACCES;
	if (ipcperms(ns, &sma->sem_perm, cmd == SETALL ? S_IWUGO : S_IRUGO))
		goto out_rcu_wakeup;

	err = security_sem_semctl(&sma->sem_perm, cmd);
	if (err)
		goto out_rcu_wakeup;

	switch (cmd) {
	case GETALL:
	{
		ushort __user *array = p;
		int i;

		sem_lock(sma, NULL, -1);
		if (!ipc_valid_object(&sma->sem_perm)) {
			err = -EIDRM;
			goto out_unlock;
		}
		if (nsems > SEMMSL_FAST) {
			/* hold a reference across the unlocked allocation */
			if (!ipc_rcu_getref(&sma->sem_perm)) {
				err = -EIDRM;
				goto out_unlock;
			}
			sem_unlock(sma, -1);
			rcu_read_unlock();
			/* kvmalloc_array: overflow-checked nsems * sizeof(ushort) */
			sem_io = kvmalloc_array(nsems, sizeof(ushort),
						GFP_KERNEL);
			if (sem_io == NULL) {
				ipc_rcu_putref(&sma->sem_perm, sem_rcu_free);
				return -ENOMEM;
			}

			rcu_read_lock();
			/* re-lock and drop the temporary reference in one go */
			sem_lock_and_putref(sma);
			/* the set may have been removed while we slept */
			if (!ipc_valid_object(&sma->sem_perm)) {
				err = -EIDRM;
				goto out_unlock;
			}
		}
		for (i = 0; i < sma->sem_nsems; i++)
			sem_io[i] = sma->sems[i].semval;
		sem_unlock(sma, -1);
		rcu_read_unlock();
		err = 0;
		/* copy to user space only after all locks are released */
		if (copy_to_user(array, sem_io, nsems*sizeof(ushort)))
			err = -EFAULT;
		goto out_free;
	}
	case SETALL:
	{
		int i;
		struct sem_undo *un;

		/* reference keeps sma alive while unlocked below */
		if (!ipc_rcu_getref(&sma->sem_perm)) {
			err = -EIDRM;
			goto out_rcu_wakeup;
		}
		rcu_read_unlock();

		if (nsems > SEMMSL_FAST) {
			sem_io = kvmalloc_array(nsems, sizeof(ushort),
						GFP_KERNEL);
			if (sem_io == NULL) {
				ipc_rcu_putref(&sma->sem_perm, sem_rcu_free);
				return -ENOMEM;
			}
		}

		/* every early exit from here on must drop the reference */
		if (copy_from_user(sem_io, p, nsems*sizeof(ushort))) {
			ipc_rcu_putref(&sma->sem_perm, sem_rcu_free);
			err = -EFAULT;
			goto out_free;
		}

		/* validate all user-supplied values before touching the set */
		for (i = 0; i < nsems; i++) {
			if (sem_io[i] > SEMVMX) {
				ipc_rcu_putref(&sma->sem_perm, sem_rcu_free);
				err = -ERANGE;
				goto out_free;
			}
		}
		rcu_read_lock();
		sem_lock_and_putref(sma);
		/* the set may have been removed while we were unlocked */
		if (!ipc_valid_object(&sma->sem_perm)) {
			err = -EIDRM;
			goto out_unlock;
		}

		for (i = 0; i < nsems; i++) {
			sma->sems[i].semval = sem_io[i];
			ipc_update_pid(&sma->sems[i].sempid, task_tgid(current));
		}

		/* all undo records of the set forget their adjustments */
		ipc_assert_locked_object(&sma->sem_perm);
		list_for_each_entry(un, &sma->list_id, list_id) {
			for (i = 0; i < nsems; i++)
				un->semadj[i] = 0;
		}
		sma->sem_ctime = ktime_get_real_seconds();
		/* maybe some queued-up processes were waiting for this */
		do_smart_update(sma, NULL, 0, 0, &wake_q);
		err = 0;
		goto out_unlock;
	}
	/* GETVAL, GETPID, GETNCNT, GETZCNT: fall-through */
	}
	/* per-semaphore commands: bounds-check the index before any use */
	err = -EINVAL;
	if (semnum < 0 || semnum >= nsems)
		goto out_rcu_wakeup;

	sem_lock(sma, NULL, -1);
	if (!ipc_valid_object(&sma->sem_perm)) {
		err = -EIDRM;
		goto out_unlock;
	}

	/* clamp after the check: no speculative out-of-bounds sems[] access */
	semnum = array_index_nospec(semnum, nsems);
	curr = &sma->sems[semnum];

	switch (cmd) {
	case GETVAL:
		err = curr->semval;
		goto out_unlock;
	case GETPID:
		/* pid as seen from the caller's pid namespace */
		err = pid_vnr(curr->sempid);
		goto out_unlock;
	case GETNCNT:
		err = count_semcnt(sma, semnum, 0);
		goto out_unlock;
	case GETZCNT:
		err = count_semcnt(sma, semnum, 1);
		goto out_unlock;
	}

out_unlock:
	sem_unlock(sma, -1);
out_rcu_wakeup:
	rcu_read_unlock();
	wake_up_q(&wake_q);
out_free:
	/* only the kvmalloc'ed buffer is freed, never the stack array */
	if (sem_io != fast_sem_io)
		kvfree(sem_io);
	return err;
}
15691da177e4SLinus Torvalds 
/*
 * copy_semid_from_user - read the IPC_SET argument in the requested ABI
 * @out: kernel semid64_ds to fill
 * @buf: user source
 * @version: IPC_64 (whole semid64_ds) or IPC_OLD (legacy semid_ds)
 *
 * Returns 0, -EFAULT if the user copy fails, or -EINVAL for an unknown
 * @version. For IPC_OLD only uid, gid and mode are taken from the legacy
 * layout; every other field of @out is left untouched.
 */
static inline unsigned long
copy_semid_from_user(struct semid64_ds *out, void __user *buf, int version)
{
	struct semid_ds legacy;

	if (version == IPC_64)
		return copy_from_user(out, buf, sizeof(*out)) ? -EFAULT : 0;
	if (version != IPC_OLD)
		return -EINVAL;

	if (copy_from_user(&legacy, buf, sizeof(legacy)))
		return -EFAULT;

	out->sem_perm.uid  = legacy.sem_perm.uid;
	out->sem_perm.gid  = legacy.sem_perm.gid;
	out->sem_perm.mode = legacy.sem_perm.mode;

	return 0;
}
15951da177e4SLinus Torvalds 
/*
 * This function handles some semctl commands which require the rwsem
 * to be held in write mode.
 * NOTE: the caller must hold no locks; the rwsem is taken inside this function.
 */
static int semctl_down(struct ipc_namespace *ns, int semid,
		       int cmd, struct semid64_ds *semid64)
{
	struct sem_array *sma;
	int err;
	struct kern_ipc_perm *ipcp;

	/* lock order: sem_ids.rwsem (write) -> rcu -> per-set lock */
	down_write(&sem_ids(ns).rwsem);
	rcu_read_lock();

	/*
	 * Looks the set up and, presumably, performs the owner/capability
	 * check for IPC_SET and IPC_RMID. semid64->sem_perm holds the new
	 * values for IPC_SET; for IPC_RMID it is uninitialized and is
	 * assumed not to be read — verify in ipcctl_obtain_check().
	 */
	ipcp = ipcctl_obtain_check(ns, &sem_ids(ns), semid, cmd,
				      &semid64->sem_perm, 0);
	if (IS_ERR(ipcp)) {
		err = PTR_ERR(ipcp);
		goto out_unlock1;
	}

	sma = container_of(ipcp, struct sem_array, sem_perm);

	err = security_sem_semctl(&sma->sem_perm, cmd);
	if (err)
		goto out_unlock1;

	switch (cmd) {
	case IPC_RMID:
		sem_lock(sma, NULL, -1);
		/* freeary unlocks the ipc object and rcu */
		freeary(ns, ipcp);
		goto out_up;
	case IPC_SET:
		sem_lock(sma, NULL, -1);
		/* uid/gid/mode are updated under the set lock */
		err = ipc_update_perm(&semid64->sem_perm, ipcp);
		if (err)
			goto out_unlock0;
		sma->sem_ctime = ktime_get_real_seconds();
		break;
	default:
		err = -EINVAL;
		goto out_unlock1;
	}

out_unlock0:
	sem_unlock(sma, -1);
out_unlock1:
	rcu_read_unlock();
out_up:
	up_write(&sem_ids(ns).rwsem);
	return err;
}
16501da177e4SLinus Torvalds 
/*
 * ksys_semctl - common semctl() implementation for the native and the
 * "old" (version-encoded-in-cmd) syscall entry points
 * @semid: set id (or lookup key for SEM_STAT*); negative values are rejected
 * @semnum: semaphore index, meaningful only for the per-semaphore commands
 * @cmd: semctl command
 * @arg: the union semun argument, passed by value as an unsigned long
 * @version: IPC_64 or IPC_OLD, selects the user-visible struct layout
 *
 * Returns what the per-command helper returns: 0, a non-negative result
 * (GETVAL/GETPID/GET*CNT value, SEM_STAT id, *_INFO max index) or a
 * negative errno.
 */
static long ksys_semctl(int semid, int semnum, int cmd, unsigned long arg, int version)
{
	struct ipc_namespace *ns;
	void __user *p = (void __user *)arg;
	struct semid64_ds semid64;	/* filled only by the paths noted below */
	int err;

	if (semid < 0)
		return -EINVAL;

	ns = current->nsproxy->ipc_ns;

	switch (cmd) {
	case IPC_INFO:
	case SEM_INFO:
		return semctl_info(ns, semid, cmd, p);
	case IPC_STAT:
	case SEM_STAT:
	case SEM_STAT_ANY:
		/* semctl_stat() zeroes and fills semid64; a positive err is the id */
		err = semctl_stat(ns, semid, cmd, &semid64);
		if (err < 0)
			return err;
		if (copy_semid_to_user(p, &semid64, version))
			err = -EFAULT;
		return err;
	case GETALL:
	case GETVAL:
	case GETPID:
	case GETNCNT:
	case GETZCNT:
	case SETALL:
		return semctl_main(ns, semid, semnum, cmd, p);
	case SETVAL: {
		/* val is the int member of union semun; where it sits in arg
		 * depends on word size and byte order */
		int val;
#if defined(CONFIG_64BIT) && defined(__BIG_ENDIAN)
		/* big-endian 64bit */
		val = arg >> 32;
#else
		/* 32bit or little-endian 64bit */
		val = arg;
#endif
		return semctl_setval(ns, semid, semnum, val);
	}
	case IPC_SET:
		/* for IPC_OLD only sem_perm.{uid,gid,mode} are filled in;
		 * semctl_down() consumes nothing beyond sem_perm */
		if (copy_semid_from_user(&semid64, p, version))
			return -EFAULT;
		fallthrough;
	case IPC_RMID:
		/* semid64 is uninitialized on the direct IPC_RMID path */
		return semctl_down(ns, semid, cmd, &semid64);
	default:
		return -EINVAL;
	}
}
17041da177e4SLinus Torvalds 
/* semctl(2): the native entry point always uses the IPC_64 layout. */
SYSCALL_DEFINE4(semctl, int, semid, int, semnum, int, cmd, unsigned long, arg)
{
	return ksys_semctl(semid, semnum, cmd, arg, IPC_64);
}
1709d969c6faSDominik Brodowski 
1710275f2214SArnd Bergmann #ifdef CONFIG_ARCH_WANT_IPC_PARSE_VERSION
/*
 * ksys_old_semctl - semctl() for architectures that encode the ABI version
 * in @cmd. ipc_parse_version() takes @cmd by reference and updates it, so
 * the temporary is required: @cmd must be read only after that call, and
 * argument evaluation order within one call expression is unspecified.
 */
long ksys_old_semctl(int semid, int semnum, int cmd, unsigned long arg)
{
	int version = ipc_parse_version(&cmd);

	return ksys_semctl(semid, semnum, cmd, arg, version);
}
1717275f2214SArnd Bergmann 
/* old_semctl(2): version flag carried in cmd, see ksys_old_semctl(). */
SYSCALL_DEFINE4(old_semctl, int, semid, int, semnum, int, cmd, unsigned long, arg)
{
	return ksys_old_semctl(semid, semnum, cmd, arg);
}
1722275f2214SArnd Bergmann #endif
1723275f2214SArnd Bergmann 
1724c0ebccb6SAl Viro #ifdef CONFIG_COMPAT
1725c0ebccb6SAl Viro 
/*
 * 32-bit user-space layout of the legacy (non-IPC_64) semid_ds, accessed
 * through __user pointers by the compat copy helpers below. Field order
 * and widths are ABI; do not rearrange.
 */
struct compat_semid_ds {
	struct compat_ipc_perm sem_perm;
	old_time32_t sem_otime;		/* 32-bit seconds: only the low bits of the kernel time fit */
	old_time32_t sem_ctime;
	compat_uptr_t sem_base;		/* legacy pointer fields, left zeroed on output */
	compat_uptr_t sem_pending;
	compat_uptr_t sem_pending_last;
	compat_uptr_t undo;
	unsigned short sem_nsems;
};
1736c0ebccb6SAl Viro 
/*
 * copy_compat_semid_from_user - read a 32-bit user semid struct for IPC_SET
 * @out: zeroed here; only sem_perm is taken from the user struct
 * @buf: user source, interpreted according to @version
 * @version: IPC_64 selects compat_semid64_ds, anything else compat_semid_ds
 *
 * Returns whatever the get_compat_ipc*_perm() helper returns.
 */
static int copy_compat_semid_from_user(struct semid64_ds *out, void __user *buf,
					int version)
{
	struct compat_semid64_ds __user *p64 = buf;
	struct compat_semid_ds __user *pold = buf;

	memset(out, 0, sizeof(*out));

	if (version == IPC_64)
		return get_compat_ipc64_perm(&out->sem_perm, &p64->sem_perm);
	return get_compat_ipc_perm(&out->sem_perm, &pold->sem_perm);
}
1749c0ebccb6SAl Viro 
/*
 * copy_compat_semid_to_user - write stat data to a 32-bit user buffer
 * @buf: user destination
 * @in: kernel semid64_ds
 * @version: IPC_64 selects compat_semid64_ds, anything else compat_semid_ds
 *
 * Returns the copy_to_user() result (0 on success). Both layouts are
 * cleared with memset before being filled: an initializer would leave
 * struct padding undefined, and the whole struct goes to user space.
 */
static int copy_compat_semid_to_user(void __user *buf, struct semid64_ds *in,
					int version)
{
	struct compat_semid64_ds v64;
	struct compat_semid_ds vold;

	if (version != IPC_64) {
		memset(&vold, 0, sizeof(vold));
		to_compat_ipc_perm(&vold.sem_perm, &in->sem_perm);
		/* old_time32_t: only the low 32 bits of the times survive */
		vold.sem_otime = in->sem_otime;
		vold.sem_ctime = in->sem_ctime;
		vold.sem_nsems = in->sem_nsems;
		return copy_to_user(buf, &vold, sizeof(vold));
	}

	memset(&v64, 0, sizeof(v64));
	to_compat_ipc64_perm(&v64.sem_perm, &in->sem_perm);
	/* 64-bit times are split across the low and _high fields */
	v64.sem_otime      = lower_32_bits(in->sem_otime);
	v64.sem_otime_high = upper_32_bits(in->sem_otime);
	v64.sem_ctime      = lower_32_bits(in->sem_ctime);
	v64.sem_ctime_high = upper_32_bits(in->sem_ctime);
	v64.sem_nsems = in->sem_nsems;
	return copy_to_user(buf, &v64, sizeof(v64));
}
1773c0ebccb6SAl Viro 
/*
 * compat_ksys_semctl - 32-bit compat implementation of semctl(2)
 * @semid: semaphore set id; negative ids are rejected here with -EINVAL
 * @semnum: index of the semaphore within the set (per-semaphore commands)
 * @cmd: command, possibly with IPC_64 or'ed in
 * @arg: 32-bit value; a compat user pointer for most commands, a plain
 *	value for SETVAL
 * @version: IPC_64 or IPC_OLD, selects the semid_ds layout used for
 *	IPC_STAT/SEM_STAT/SEM_STAT_ANY and IPC_SET
 *
 * Dispatches to the same semctl_*() helpers as the native path.  The
 * compat-specific work is limited to translating the semid_ds layout on
 * the way in (IPC_SET) and out (the STAT commands).  IPC_64 is masked for
 * the dispatch only; @cmd is handed to the helpers as given.
 *
 * Returns a negative errno on failure, otherwise whatever the helper
 * returns (0, or a non-negative value for the STAT commands).
 */
static long compat_ksys_semctl(int semid, int semnum, int cmd, int arg, int version)
{
	struct ipc_namespace *ns = current->nsproxy->ipc_ns;
	void __user *p = compat_ptr(arg);
	struct semid64_ds semid64;
	int err;

	if (semid < 0)
		return -EINVAL;

	switch (cmd & (~IPC_64)) {
	case IPC_INFO:
	case SEM_INFO:
		return semctl_info(ns, semid, cmd, p);

	case IPC_STAT:
	case SEM_STAT:
	case SEM_STAT_ANY:
		err = semctl_stat(ns, semid, cmd, &semid64);
		if (err < 0)
			return err;
		/*
		 * semctl_stat() is only checked for < 0, so a non-negative
		 * result is passed through unless the copy-out faults.
		 */
		return copy_compat_semid_to_user(p, &semid64, version) ? -EFAULT : err;

	case GETVAL:
	case GETPID:
	case GETNCNT:
	case GETZCNT:
	case GETALL:
	case SETALL:
		return semctl_main(ns, semid, semnum, cmd, p);

	case SETVAL:
		/* @arg is the new value itself, not a pointer */
		return semctl_setval(ns, semid, semnum, arg);

	case IPC_SET:
		if (copy_compat_semid_from_user(&semid64, p, version))
			return -EFAULT;
		fallthrough;
	case IPC_RMID:
		/* semid64 is only meaningful for IPC_SET; RMID ignores it */
		return semctl_down(ns, semid, cmd, &semid64);

	default:
		return -EINVAL;
	}
}
1818d969c6faSDominik Brodowski 
/*
 * compat semctl(2): this entry point always uses the IPC_64 layout.  The
 * IPC_OLD variant, where the version is encoded in @cmd, is served by the
 * compat old_semctl() entry below on architectures that provide it.
 */
COMPAT_SYSCALL_DEFINE4(semctl, int, semid, int, semnum, int, cmd, int, arg)
{
	const int version = IPC_64;

	return compat_ksys_semctl(semid, semnum, cmd, arg, version);
}
1823275f2214SArnd Bergmann 
1824275f2214SArnd Bergmann #ifdef CONFIG_ARCH_WANT_COMPAT_IPC_PARSE_VERSION
/*
 * compat_ksys_old_semctl - compat semctl with the IPC version encoded in @cmd
 * @semid, @semnum, @arg: as for compat_ksys_semctl()
 * @cmd: command with the version bits encoded by user space
 *
 * compat_ipc_parse_version() takes &cmd, presumably to strip the encoded
 * version out of it; the cleaned @cmd and the recovered version are then
 * passed on to compat_ksys_semctl().
 */
long compat_ksys_old_semctl(int semid, int semnum, int cmd, int arg)
{
	int version;

	version = compat_ipc_parse_version(&cmd);

	return compat_ksys_semctl(semid, semnum, cmd, arg, version);
}
1831275f2214SArnd Bergmann 
/*
 * compat old_semctl(2): only built when the architecture asks for compat
 * IPC version parsing; forwards to compat_ksys_old_semctl() unchanged.
 */
COMPAT_SYSCALL_DEFINE4(old_semctl, int, semid, int, semnum, int, cmd, int, arg)
{
	long ret;

	ret = compat_ksys_old_semctl(semid, semnum, cmd, arg);
	return ret;
}
1836275f2214SArnd Bergmann #endif
1837c0ebccb6SAl Viro #endif
1838c0ebccb6SAl Viro 
/*
 * get_undo_list - return current's sem_undo_list, allocating it on first use
 * @undo_listp: receives the (possibly freshly allocated) list
 *
 * There is exactly one thread using this undo list while it is being
 * created, and current is that thread, so no locking is needed around the
 * allocate-and-publish step.
 *
 * If the allocation and assignment succeed but later portions of the
 * caller's code fail, there is no need to free the sem_undo_list: it stays
 * attached to the task and is released at exit time.
 *
 * The allocation is charged to the caller's memory cgroup
 * (GFP_KERNEL_ACCOUNT).  This can block, so callers must hold no locks.
 *
 * Returns 0 on success, -ENOMEM if the list could not be allocated.
 */
static inline int get_undo_list(struct sem_undo_list **undo_listp)
{
	struct sem_undo_list *ulp = current->sysvsem.undo_list;

	if (ulp) {
		*undo_listp = ulp;
		return 0;
	}

	ulp = kzalloc(sizeof(*ulp), GFP_KERNEL_ACCOUNT);
	if (ulp == NULL)
		return -ENOMEM;

	spin_lock_init(&ulp->lock);
	refcount_set(&ulp->refcnt, 1);
	INIT_LIST_HEAD(&ulp->list_proc);

	/* publish: from here on the list belongs to the task */
	current->sysvsem.undo_list = ulp;
	*undo_listp = ulp;
	return 0;
}
18681da177e4SLinus Torvalds 
/*
 * __lookup_undo - find the sem_undo for @semid on @ulp, without reordering
 * @ulp: the task's undo list
 * @semid: semaphore set id to look for
 *
 * Walks ulp->list_proc under RCU; the lockdep condition accepts either the
 * RCU read side or ulp->lock being held.  Returns the first match or NULL.
 */
static struct sem_undo *__lookup_undo(struct sem_undo_list *ulp, int semid)
{
	struct sem_undo *found = NULL;
	struct sem_undo *cur;

	list_for_each_entry_rcu(cur, &ulp->list_proc, list_proc,
				spin_is_locked(&ulp->lock)) {
		if (cur->semid != semid)
			continue;
		found = cur;
		break;
	}

	return found;
}
18801da177e4SLinus Torvalds 
/*
 * lookup_undo - find the sem_undo for @semid and move it to the list head
 * @ulp: the task's undo list; ulp->lock must be held by the caller
 * @semid: semaphore set id to look for
 *
 * The hit is re-linked at the front of ulp->list_proc so that the most
 * recently used entries are found first by later lookups.  Returns the
 * entry or NULL.
 */
static struct sem_undo *lookup_undo(struct sem_undo_list *ulp, int semid)
{
	struct sem_undo *hit;

	assert_spin_locked(&ulp->lock);

	hit = __lookup_undo(ulp, semid);
	if (!hit)
		return NULL;

	/* move-to-front; RCU list ops because __lookup_undo() walks it under RCU */
	list_del_rcu(&hit->list_proc);
	list_add_rcu(&hit->list_proc, &ulp->list_proc);

	return hit;
}
1894bf17bb71SNick Piggin 
/**
 * find_alloc_undo - lookup (and if not present create) undo array
 * @ns: namespace
 * @semid: semaphore array id
 *
 * The function looks up (and if not present creates) the undo structure.
 * The size of the undo structure depends on the size of the semaphore
 * array, thus the alloc path is not that straightforward: the array is
 * looked up (and pinned with a reference) to learn nsems, the structure is
 * allocated with no locks held, and the lookup is repeated under the locks
 * because another thread may have created one in the meantime.
 *
 * Lifetime-rules: sem_undo is rcu-protected, on success, the function
 * performs a rcu_read_lock() which the caller must release.  On every
 * error path the RCU read lock has already been dropped again.
 *
 * Return: the sem_undo for @semid, or an ERR_PTR(): -ENOMEM if the undo
 * list or the structure cannot be allocated, -EIDRM if the array went away
 * while we were allocating, or the error from sem_obtain_object_check().
 *
 * May sleep (get_undo_list(), kvzalloc()), so callers must hold no locks.
 */
static struct sem_undo *find_alloc_undo(struct ipc_namespace *ns, int semid)
{
	struct sem_array *sma;
	struct sem_undo_list *ulp;
	struct sem_undo *un, *new;
	int nsems, error;

	error = get_undo_list(&ulp);
	if (error)
		return ERR_PTR(error);

	/* fast path: an undo structure for this id already exists */
	rcu_read_lock();
	spin_lock(&ulp->lock);
	un = lookup_undo(ulp, semid);
	spin_unlock(&ulp->lock);
	if (likely(un != NULL))
		goto out;

	/* no undo structure around - allocate one. */
	/* step 1: figure out the size of the semaphore array */
	sma = sem_obtain_object_check(ns, semid);
	if (IS_ERR(sma)) {
		rcu_read_unlock();
		return ERR_CAST(sma);
	}

	nsems = sma->sem_nsems;
	/*
	 * Pin the array across the allocation below, which runs outside the
	 * RCU read side.  A failed getref means the array is already being
	 * torn down, so report it as removed.
	 */
	if (!ipc_rcu_getref(&sma->sem_perm)) {
		rcu_read_unlock();
		un = ERR_PTR(-EIDRM);
		goto out;
	}
	rcu_read_unlock();

	/* step 2: allocate new undo structure */
	new = kvzalloc(struct_size(new, semadj, nsems), GFP_KERNEL_ACCOUNT);
	if (!new) {
		ipc_rcu_putref(&sma->sem_perm, sem_rcu_free);
		return ERR_PTR(-ENOMEM);
	}

	/* step 3: Acquire the lock on semaphore array */
	rcu_read_lock();
	sem_lock_and_putref(sma);	/* also drops the step-1 reference, per its name */
	if (!ipc_valid_object(&sma->sem_perm)) {
		/* the array was removed while we were allocating */
		sem_unlock(sma, -1);
		rcu_read_unlock();
		kvfree(new);
		un = ERR_PTR(-EIDRM);
		goto out;
	}
	spin_lock(&ulp->lock);

	/*
	 * step 4: check for races: did someone else allocate the undo struct?
	 */
	un = lookup_undo(ulp, semid);
	if (un) {
		spin_unlock(&ulp->lock);
		kvfree(new);
		goto success;
	}
	/* step 5: initialize & link new undo structure */
	new->ulp = ulp;
	new->semid = semid;
	assert_spin_locked(&ulp->lock);
	list_add_rcu(&new->list_proc, &ulp->list_proc);
	ipc_assert_locked_object(&sma->sem_perm);
	list_add(&new->list_id, &sma->list_id);
	un = new;
	spin_unlock(&ulp->lock);
success:
	/* return with the RCU read lock still held, see the header comment */
	sem_unlock(sma, -1);
out:
	return un;
}
19821da177e4SLinus Torvalds 
/**
 * __do_semtimedop - perform a batch of semaphore operations, sleeping if needed
 * @semid: semaphore set id
 * @sops: the operations, already copied into kernel memory by the caller
 * @nsops: number of entries in @sops; must be in [1, ns->sc_semopm]
 * @timeout: relative timeout (added to ktime_get() here), or NULL to wait
 *	without a time limit
 * @ns: ipc namespace in which @semid is looked up
 *
 * The whole batch is applied atomically or not at all.  When it cannot be
 * applied right away the task is queued on the set (on the semaphore itself
 * for a single op, otherwise on the set-wide "complex" queues) and sleeps
 * until a later update completes it, the timeout expires, or a signal
 * arrives.
 *
 * The argument checks at the top are repeated here although do_semtimedop()
 * performs them too: this function is not static, so it may be reached
 * through other callers.
 *
 * Return: 0 on success; -EINVAL or -E2BIG for bad arguments, -EFBIG if an
 * op addresses a semaphore beyond the set, -EACCES on a permission failure,
 * -EIDRM if the set was removed, -EAGAIN when the timeout expired, -EINTR
 * when interrupted by a signal, or an error from the LSM hook or from
 * perform_atomic_semop().
 */
long __do_semtimedop(int semid, struct sembuf *sops,
		unsigned nsops, const struct timespec64 *timeout,
		struct ipc_namespace *ns)
{
	int error = -EINVAL;
	struct sem_array *sma;
	struct sembuf *sop;
	struct sem_undo *un;
	int max, locknum;
	bool undos = false, alter = false, dupsop = false;
	struct sem_queue queue;
	unsigned long dup = 0;
	ktime_t expires, *exp = NULL;
	bool timed_out = false;

	if (nsops < 1 || semid < 0)
		return -EINVAL;
	if (nsops > ns->sc_semopm)
		return -E2BIG;

	if (timeout) {
		if (!timespec64_valid(timeout))
			return -EINVAL;
		/* the user supplies a relative interval; convert to absolute */
		expires = ktime_add_safe(ktime_get(),
				timespec64_to_ktime(*timeout));
		exp = &expires;
	}


	/*
	 * Classify the batch before touching the set: highest index used
	 * (range-checked against sem_nsems below), whether any op requests
	 * SEM_UNDO, whether any op alters a value (decides read vs. write
	 * permission), and whether two altering ops may hit the same
	 * semaphore.
	 */
	max = 0;
	for (sop = sops; sop < sops + nsops; sop++) {
		/* one bit per semaphore modulo BITS_PER_LONG: cheap, may give false positives */
		unsigned long mask = 1ULL << ((sop->sem_num) % BITS_PER_LONG);

		if (sop->sem_num >= max)
			max = sop->sem_num;
		if (sop->sem_flg & SEM_UNDO)
			undos = true;
		if (dup & mask) {
			/*
			 * There was a previous alter access that appears
			 * to have accessed the same semaphore, thus use
			 * the dupsop logic. "appears", because the detection
			 * can only check % BITS_PER_LONG.
			 */
			dupsop = true;
		}
		if (sop->sem_op != 0) {
			alter = true;
			dup |= mask;
		}
	}

	if (undos) {
		/* On success, find_alloc_undo takes the rcu_read_lock */
		un = find_alloc_undo(ns, semid);
		if (IS_ERR(un)) {
			error = PTR_ERR(un);
			goto out;
		}
	} else {
		un = NULL;
		rcu_read_lock();
	}

	sma = sem_obtain_object_check(ns, semid);
	if (IS_ERR(sma)) {
		rcu_read_unlock();
		error = PTR_ERR(sma);
		goto out;
	}

	/* every sem_num must lie inside the set; max is the largest one used */
	error = -EFBIG;
	if (max >= sma->sem_nsems) {
		rcu_read_unlock();
		goto out;
	}

	/* altering ops need write permission, pure waits (sem_op == 0) read permission */
	error = -EACCES;
	if (ipcperms(ns, &sma->sem_perm, alter ? S_IWUGO : S_IRUGO)) {
		rcu_read_unlock();
		goto out;
	}

	/* LSM hook: may veto the operation before the set is locked */
	error = security_sem_semop(&sma->sem_perm, sops, nsops, alter);
	if (error) {
		rcu_read_unlock();
		goto out;
	}

	error = -EIDRM;
	locknum = sem_lock(sma, sops, nsops);
	/*
	 * We eventually might perform the following check in a lockless
	 * fashion, considering ipc_valid_object() locking constraints.
	 * If nsops == 1 and there is no contention for sem_perm.lock, then
	 * only a per-semaphore lock is held and it's OK to proceed with the
	 * check below. More details on the fine grained locking scheme
	 * entangled here and why it's RMID race safe on comments at sem_lock()
	 */
	if (!ipc_valid_object(&sma->sem_perm))
		goto out_unlock;
	/*
	 * semid identifiers are not unique - find_alloc_undo may have
	 * allocated an undo structure, it was invalidated by an RMID
	 * and now a new array with received the same id. Check and fail.
	 * This case can be detected checking un->semid. The existence of
	 * "un" itself is guaranteed by rcu.
	 */
	if (un && un->semid == -1)
		goto out_unlock;

	queue.sops = sops;
	queue.nsops = nsops;
	queue.undo = un;
	queue.pid = task_tgid(current);
	queue.alter = alter;
	queue.dupsop = dupsop;

	/* 0: applied; < 0: hard error; otherwise the batch must wait */
	error = perform_atomic_semop(sma, &queue);
	if (error == 0) { /* non-blocking successful path */
		DEFINE_WAKE_Q(wake_q);

		/*
		 * If the operation was successful, then do
		 * the required updates.
		 */
		if (alter)
			do_smart_update(sma, sops, nsops, 1, &wake_q);
		else
			set_semotime(sma, sops);

		/* wake the collected sleepers only after dropping our locks */
		sem_unlock(sma, locknum);
		rcu_read_unlock();
		wake_up_q(&wake_q);

		goto out;
	}
	if (error < 0) /* non-blocking error path */
		goto out_unlock;

	/*
	 * We need to sleep on this operation, so we put the current
	 * task into the pending queue and go to sleep.
	 */
	if (nsops == 1) {
		struct sem *curr;
		/*
		 * max < sem_nsems was verified above, but a bounds check alone
		 * does not stop a speculative out-of-bounds load; clamp the
		 * index under speculation as well.
		 */
		int idx = array_index_nospec(sops->sem_num, sma->sem_nsems);
		curr = &sma->sems[idx];

		/* single op: queue on the semaphore itself unless complex ops are pending */
		if (alter) {
			if (sma->complex_count) {
				list_add_tail(&queue.list,
						&sma->pending_alter);
			} else {

				list_add_tail(&queue.list,
						&curr->pending_alter);
			}
		} else {
			list_add_tail(&queue.list, &curr->pending_const);
		}
	} else {
		/* complex op: goes on the set-wide queues (see merge_queues()) */
		if (!sma->complex_count)
			merge_queues(sma);

		if (alter)
			list_add_tail(&queue.list, &sma->pending_alter);
		else
			list_add_tail(&queue.list, &sma->pending_const);

		sma->complex_count++;
	}

	/*
	 * Sleep until a waker completes the batch; loop again on a spurious
	 * wakeup, i.e. status still -EINTR and no signal pending.
	 */
	do {
		/* memory ordering ensured by the lock in sem_lock() */
		WRITE_ONCE(queue.status, -EINTR);
		queue.sleeper = current;

		/* memory ordering is ensured by the lock in sem_lock() */
		__set_current_state(TASK_INTERRUPTIBLE);
		sem_unlock(sma, locknum);
		rcu_read_unlock();

		/* exp == NULL: no timer is armed, sleep until woken */
		timed_out = !schedule_hrtimeout_range(exp,
				current->timer_slack_ns, HRTIMER_MODE_ABS);

		/*
		 * fastpath: the semop has completed, either successfully or
		 * not, from the syscall pov, is quite irrelevant to us at this
		 * point; we're done.
		 *
		 * We _do_ care, nonetheless, about being awoken by a signal or
		 * spuriously.  The queue.status is checked again in the
		 * slowpath (aka after taking sem_lock), such that we can detect
		 * scenarios where we were awakened externally, during the
		 * window between wake_q_add() and wake_up_q().
		 */
		rcu_read_lock();
		error = READ_ONCE(queue.status);
		if (error != -EINTR) {
			/* see SEM_BARRIER_2 for purpose/pairing */
			smp_acquire__after_ctrl_dep();
			rcu_read_unlock();
			goto out;
		}

		locknum = sem_lock(sma, sops, nsops);

		if (!ipc_valid_object(&sma->sem_perm))
			goto out_unlock;

		/*
		 * No necessity for any barrier: We are protected by sem_lock()
		 */
		error = READ_ONCE(queue.status);

		/*
		 * If queue.status != -EINTR we are woken up by another process.
		 * Leave without unlink_queue(), but with sem_unlock().
		 */
		if (error != -EINTR)
			goto out_unlock;

		/*
		 * If an interrupt occurred we have to clean up the queue.
		 */
		/* the timer fired before anyone woke us: report EAGAIN, not EINTR */
		if (timed_out)
			error = -EAGAIN;
	} while (error == -EINTR && !signal_pending(current)); /* spurious */

	/* nobody completed the batch for us: take ourselves off the queue, under the lock */
	unlink_queue(sma, &queue);

out_unlock:
	sem_unlock(sma, locknum);
	rcu_read_unlock();
out:
	return error;
}
2221bdec0145SArnd Bergmann 
/*
 * do_semtimedop - copy the user's sembuf array in and run __do_semtimedop()
 * @semid: semaphore set id
 * @tsops: user pointer to @nsops struct sembuf entries
 * @nsops: number of operations; checked against the namespace limit
 *	sc_semopm before any allocation or copy is sized from it
 * @timeout: already-converted relative timeout, or NULL
 *
 * Small batches (up to SEMOPM_FAST) live in an on-stack array; larger ones
 * are allocated with kvmalloc_array(), which checks the size product for
 * overflow.  Returns -E2BIG, -EINVAL, -ENOMEM, -EFAULT or the result of
 * __do_semtimedop().
 */
static long do_semtimedop(int semid, struct sembuf __user *tsops,
		unsigned nsops, const struct timespec64 *timeout)
{
	struct ipc_namespace *ns = current->nsproxy->ipc_ns;
	struct sembuf fast_sops[SEMOPM_FAST];
	struct sembuf *sops;
	int ret;

	if (nsops > ns->sc_semopm)
		return -E2BIG;
	if (nsops < 1)
		return -EINVAL;

	sops = fast_sops;
	if (nsops > SEMOPM_FAST) {
		sops = kvmalloc_array(nsops, sizeof(*sops), GFP_KERNEL);
		if (!sops)
			return -ENOMEM;
	}

	/* nsops is bounded by sc_semopm above, so the size cannot overflow */
	ret = -EFAULT;
	if (!copy_from_user(sops, tsops, nsops * sizeof(*tsops)))
		ret = __do_semtimedop(semid, sops, nsops, timeout, ns);

	if (sops != fast_sops)
		kvfree(sops);

	return ret;
}
22551da177e4SLinus Torvalds 
/*
 * ksys_semtimedop - semtimedop(2) with a native __kernel_timespec timeout
 * @semid: semaphore set id
 * @tsops: user pointer to the operations
 * @nsops: number of operations
 * @timeout: user pointer to the relative timeout, or NULL for no timeout
 *
 * Copies the timeout into a kernel timespec64 (-EFAULT if that fails) and
 * hands everything to do_semtimedop().
 */
long ksys_semtimedop(int semid, struct sembuf __user *tsops,
		     unsigned int nsops, const struct __kernel_timespec __user *timeout)
{
	struct timespec64 ts;
	const struct timespec64 *tsp = NULL;

	if (timeout) {
		if (get_timespec64(&ts, timeout))
			return -EFAULT;
		tsp = &ts;
	}

	return do_semtimedop(semid, tsops, nsops, tsp);
}
226744ee4546SAl Viro 
/* semtimedop(2): plain syscall wrapper around ksys_semtimedop(). */
SYSCALL_DEFINE4(semtimedop, int, semid, struct sembuf __user *, tsops,
		unsigned int, nsops, const struct __kernel_timespec __user *, timeout)
{
	long ret;

	ret = ksys_semtimedop(semid, tsops, nsops, timeout);
	return ret;
}
227341f4f0e2SDominik Brodowski 
2274b0d17578SArnd Bergmann #ifdef CONFIG_COMPAT_32BIT_TIME
/*
 * compat_ksys_semtimedop - semtimedop(2) with a 32-bit (old_timespec32) timeout
 * @semid: semaphore set id
 * @tsems: user pointer to the operations
 * @nsops: number of operations
 * @timeout: user pointer to the 32-bit relative timeout, or NULL
 *
 * Identical to ksys_semtimedop() except for how the timeout is read;
 * returns -EFAULT if the timeout cannot be copied.
 */
long compat_ksys_semtimedop(int semid, struct sembuf __user *tsems,
			    unsigned int nsops,
			    const struct old_timespec32 __user *timeout)
{
	struct timespec64 ts;
	const struct timespec64 *tsp = NULL;

	if (timeout) {
		if (get_old_timespec32(&ts, timeout))
			return -EFAULT;
		tsp = &ts;
	}

	return do_semtimedop(semid, tsems, nsops, tsp);
}
228741f4f0e2SDominik Brodowski 
/* semtimedop_time32(2): wrapper for the 32-bit-time variant. */
SYSCALL_DEFINE4(semtimedop_time32, int, semid, struct sembuf __user *, tsems,
		       unsigned int, nsops,
		       const struct old_timespec32 __user *, timeout)
{
	long ret;

	ret = compat_ksys_semtimedop(semid, tsems, nsops, timeout);
	return ret;
}
229444ee4546SAl Viro #endif
229544ee4546SAl Viro 
/* semop(2) is semtimedop(2) without a timeout. */
SYSCALL_DEFINE3(semop, int, semid, struct sembuf __user *, tsops,
		unsigned, nsops)
{
	const struct timespec64 *no_timeout = NULL;

	return do_semtimedop(semid, tsops, nsops, no_timeout);
}
23011da177e4SLinus Torvalds 
/*
 * copy_semundo - set up the SEM_UNDO state of a new task at fork time
 * @clone_flags: the clone(2) flags
 * @tsk: the child task being created
 *
 * If CLONE_SYSVSEM is set, establish sharing of SEM_UNDO state between
 * parent and child tasks: the parent's undo list is (created if needed and)
 * reference-counted and attached to the child.  Otherwise the child starts
 * without an undo list.  Returns 0 or the error from get_undo_list().
 */
int copy_semundo(unsigned long clone_flags, struct task_struct *tsk)
{
	struct sem_undo_list *shared;
	int error;

	if (!(clone_flags & CLONE_SYSVSEM)) {
		tsk->sysvsem.undo_list = NULL;
		return 0;
	}

	error = get_undo_list(&shared);
	if (error)
		return error;

	/* one reference per task sharing the list; dropped again in exit_sem() */
	refcount_inc(&shared->refcnt);
	tsk->sysvsem.undo_list = shared;

	return 0;
}
23221da177e4SLinus Torvalds 
23231da177e4SLinus Torvalds /*
23241da177e4SLinus Torvalds  * add semadj values to semaphores, free undo structures.
23251da177e4SLinus Torvalds  * undo structures are not freed when semaphore arrays are destroyed
23261da177e4SLinus Torvalds  * so some of them may be out of date.
23271da177e4SLinus Torvalds  * IMPLEMENTATION NOTE: There is some confusion over whether the
23281da177e4SLinus Torvalds  * set of adjustments that needs to be done should be done in an atomic
23291da177e4SLinus Torvalds  * manner or not. That is, if we are attempting to decrement the semval
23301da177e4SLinus Torvalds  * should we queue up and wait until we can do so legally?
23311da177e4SLinus Torvalds  * The original implementation attempted to do this (queue and wait).
23321da177e4SLinus Torvalds  * The current implementation does not do so. The POSIX standard
23331da177e4SLinus Torvalds  * and SVID should be consulted to determine what behavior is mandated.
23341da177e4SLinus Torvalds  */
void exit_sem(struct task_struct *tsk)
{
	struct sem_undo_list *ulp;

	/*
	 * No undo list means the task never registered a SEM_UNDO operation
	 * and did not inherit a list via CLONE_SYSVSEM (see copy_semundo()).
	 */
	ulp = tsk->sysvsem.undo_list;
	if (!ulp)
		return;
	/* Detach the list from the task before dropping our reference. */
	tsk->sysvsem.undo_list = NULL;

	/*
	 * The list can be shared between tasks; only the holder of the last
	 * reference applies the adjustments and frees the list.
	 */
	if (!refcount_dec_and_test(&ulp->refcnt))
		return;

	/* One iteration per sem_undo entry; the loop ends once the list is empty. */
	for (;;) {
		struct sem_array *sma;
		struct sem_undo *un;
		int semid, i;
		DEFINE_WAKE_Q(wake_q);

		/* Voluntary preemption point: a task may own many undo entries. */
		cond_resched();

		/*
		 * Peek at the first entry under RCU only. If next points back
		 * at the list head, the list is empty and we are done.
		 */
		rcu_read_lock();
		un = list_entry_rcu(ulp->list_proc.next,
				    struct sem_undo, list_proc);
		if (&un->list_proc == &ulp->list_proc) {
			/*
			 * We must wait for freeary() before freeing this ulp,
			 * in case we raced with last sem_undo. There is a small
			 * possibility where we exit while freeary() didn't
			 * finish unlocking sem_undo_list.
			 */
			spin_lock(&ulp->lock);
			spin_unlock(&ulp->lock);
			rcu_read_unlock();
			break;
		}
		/* semid is read under ulp->lock; -1 marks an entry whose array is gone. */
		spin_lock(&ulp->lock);
		semid = un->semid;
		spin_unlock(&ulp->lock);

		/* exit_sem raced with IPC_RMID, nothing to do */
		if (semid == -1) {
			rcu_read_unlock();
			continue;
		}

		/* Look the array up in the task's IPC namespace; still RCU-only, not locked. */
		sma = sem_obtain_object_check(tsk->nsproxy->ipc_ns, semid);
		/* exit_sem raced with IPC_RMID, nothing to do */
		if (IS_ERR(sma)) {
			rcu_read_unlock();
			continue;
		}

		/*
		 * NOTE(review): sops == NULL / nsops == -1 presumably selects
		 * the whole-array (complex) lock — confirm against sem_lock().
		 */
		sem_lock(sma, NULL, -1);
		/*
		 * Re-validate under the lock: the array may have been removed
		 * between the RCU lookup and sem_lock().
		 */
		/* exit_sem raced with IPC_RMID, nothing to do */
		if (!ipc_valid_object(&sma->sem_perm)) {
			sem_unlock(sma, -1);
			rcu_read_unlock();
			continue;
		}
		/*
		 * Re-find our entry by semid now that the array is locked; the
		 * unlocked peek above only told us which id to look at.
		 */
		un = __lookup_undo(ulp, semid);
		if (un == NULL) {
			/* exit_sem raced with IPC_RMID+semget() that created
			 * exactly the same semid. Nothing to do.
			 */
			sem_unlock(sma, -1);
			rcu_read_unlock();
			continue;
		}

		/*
		 * remove un from the linked lists: list_id is protected by the
		 * array lock (asserted below), list_proc by ulp->lock.
		 */
		ipc_assert_locked_object(&sma->sem_perm);
		list_del(&un->list_id);

		spin_lock(&ulp->lock);
		list_del_rcu(&un->list_proc);
		spin_unlock(&ulp->lock);

		/* perform adjustments registered in un */
		for (i = 0; i < sma->sem_nsems; i++) {
			struct sem *semaphore = &sma->sems[i];
			if (un->semadj[i]) {
				semaphore->semval += un->semadj[i];
				/*
				 * Range checks of the new semaphore value,
				 * not defined by sus:
				 * - Some unices ignore the undo entirely
				 *   (e.g. HP UX 11i 11.22, Tru64 V5.1)
				 * - some cap the value (e.g. FreeBSD caps
				 *   at 0, but doesn't enforce SEMVMX)
				 *
				 * Linux caps the semaphore value, both at 0
				 * and at SEMVMX.
				 *
				 *	Manfred <manfred@colorfullife.com>
				 */
				/*
				 * The clamp matters for robustness: a stale
				 * adjustment (the array may have been
				 * recreated since) must not drive semval
				 * negative or past SEMVMX.
				 */
				if (semaphore->semval < 0)
					semaphore->semval = 0;
				if (semaphore->semval > SEMVMX)
					semaphore->semval = SEMVMX;
				/* Record the exiting thread group as the last modifier. */
				ipc_update_pid(&semaphore->sempid, task_tgid(current));
			}
		}
		/* maybe some queued-up processes were waiting for this */
		do_smart_update(sma, NULL, 0, 1, &wake_q);
		sem_unlock(sma, -1);
		rcu_read_unlock();
		/* Wake-ups are issued only after both locks are dropped. */
		wake_up_q(&wake_q);

		/* Defer the free: RCU readers may still be traversing list_proc. */
		kvfree_rcu(un, rcu);
	}
	/* All entries are gone and no reference remains; free the list head. */
	kfree(ulp);
}
24471da177e4SLinus Torvalds 
24481da177e4SLinus Torvalds #ifdef CONFIG_PROC_FS
/*
 * sysvipc_sem_proc_show - emit one /proc/sysvipc/sem line for a semaphore set.
 * @s: the seq_file being written.
 * @it: the kern_ipc_perm of the set, as handed over by the proc iterator.
 *
 * Identity fields (uid/gid/cuid/cgid) are translated into the reader's user
 * namespace, so a caller in a child namespace sees mapped (possibly overflow)
 * ids rather than kernel-internal ones.
 *
 * Return: always 0.
 */
static int sysvipc_sem_proc_show(struct seq_file *s, void *it)
{
	struct user_namespace *user_ns = seq_user_ns(s);
	struct kern_ipc_perm *perm = it;
	struct sem_array *sma = container_of(perm, struct sem_array, sem_perm);
	unsigned int uid, gid, cuid, cgid;
	time64_t sem_otime;

	/*
	 * The proc interface isn't aware of sem_lock(), it calls
	 * ipc_lock_object(), i.e. spin_lock(&sma->sem_perm.lock).
	 * (in sysvipc_find_ipc)
	 * In order to stay compatible with sem_lock(), we must
	 * enter / leave complex_mode.
	 */
	complexmode_enter(sma);

	sem_otime = get_semotime(sma);
	uid  = from_kuid_munged(user_ns, sma->sem_perm.uid);
	gid  = from_kgid_munged(user_ns, sma->sem_perm.gid);
	cuid = from_kuid_munged(user_ns, sma->sem_perm.cuid);
	cgid = from_kgid_munged(user_ns, sma->sem_perm.cgid);

	/* Fixed format string; no user-controlled text is formatted here. */
	seq_printf(s,
		   "%10d %10d  %4o %10u %5u %5u %5u %5u %10llu %10llu\n",
		   sma->sem_perm.key,
		   sma->sem_perm.id,
		   sma->sem_perm.mode,
		   sma->sem_nsems,
		   uid,
		   gid,
		   cuid,
		   cgid,
		   sem_otime,
		   sma->sem_ctime);

	complexmode_tryleave(sma);

	return 0;
}
24841da177e4SLinus Torvalds #endif
2485