/*
 * linux/ipc/msg.c
 * Copyright (C) 1992 Krishna Balasubramanian
 *
 * Removed all the remaining kerneld mess
 * Catch the -EFAULT stuff properly
 * Use GFP_KERNEL for messages as in 1.2
 * Fixed up the unchecked user space derefs
 * Copyright (C) 1998 Alan Cox & Andi Kleen
 *
 * /proc/sysvipc/msg support (c) 1999 Dragos Acostachioaie <dragos@iname.com>
 *
 * mostly rewritten, threaded and wake-one semantics added
 * MSGMAX limit removed, sysctls added
 * (c) 1999 Manfred Spraul <manfred@colorfullife.com>
 *
 * support for audit of ipc object properties and permission changes
 * Dustin Kirkland <dustin.kirkland@us.ibm.com>
 *
 * namespaces support
 * OpenVZ, SWsoft Inc.
 * Pavel Emelianov <xemul@openvz.org>
 */

#include <linux/capability.h>
#include <linux/slab.h>
#include <linux/msg.h>
#include <linux/spinlock.h>
#include <linux/init.h>
#include <linux/proc_fs.h>
#include <linux/list.h>
#include <linux/security.h>
#include <linux/sched.h>
#include <linux/syscalls.h>
#include <linux/audit.h>
#include <linux/seq_file.h>
#include <linux/rwsem.h>
#include <linux/nsproxy.h>
#include <linux/ipc_namespace.h>

#include <asm/current.h>
#include <asm/uaccess.h>
#include "util.h"

/*
 * one msg_receiver structure for each sleeping receiver:
 */
struct msg_receiver {
	struct list_head	r_list;
	struct task_struct	*r_tsk;

	int			r_mode;
	long			r_msgtype;
	long			r_maxsize;

	struct msg_msg		*volatile r_msg;
};

/* one msg_sender for each sleeping sender */
struct msg_sender {
	struct list_head	list;
	struct task_struct	*tsk;
};

#define SEARCH_ANY		1
#define SEARCH_EQUAL		2
#define SEARCH_NOTEQUAL		3
#define SEARCH_LESSEQUAL	4

#define msg_ids(ns)	((ns)->ids[IPC_MSG_IDS])

#define msg_unlock(msq)		ipc_unlock(&(msq)->q_perm)
#define msg_buildid(id, seq)	ipc_buildid(id, seq)

static void freeque(struct ipc_namespace *, struct kern_ipc_perm *);
static int newque(struct ipc_namespace *, struct ipc_params *);
#ifdef CONFIG_PROC_FS
static int sysvipc_msg_proc_show(struct seq_file *s, void *it);
#endif

void msg_init_ns(struct ipc_namespace *ns)
{
	ns->msg_ctlmax = MSGMAX;
	ns->msg_ctlmnb = MSGMNB;
	ns->msg_ctlmni = MSGMNI;
	atomic_set(&ns->msg_bytes, 0);
	atomic_set(&ns->msg_hdrs, 0);
	ipc_init_ids(&ns->ids[IPC_MSG_IDS]);
}

#ifdef CONFIG_IPC_NS
void msg_exit_ns(struct ipc_namespace *ns)
{
	free_ipcs(ns, &msg_ids(ns), freeque);
}
#endif

void __init msg_init(void)
{
	msg_init_ns(&init_ipc_ns);
	ipc_init_proc_interface("sysvipc/msg",
				"       key      msqid perms      cbytes       qnum lspid lrpid   uid   gid  cuid  cgid      stime      rtime      ctime\n",
				IPC_MSG_IDS, sysvipc_msg_proc_show);
}

/*
 * This routine is called in the paths where the rw_mutex is held to protect
 * access to the idr tree.
 */
static inline struct msg_queue *msg_lock_check_down(struct ipc_namespace *ns,
						int id)
{
	struct kern_ipc_perm *ipcp = ipc_lock_check_down(&msg_ids(ns), id);

	if (IS_ERR(ipcp))
		return (struct msg_queue *)ipcp;

	return container_of(ipcp, struct msg_queue, q_perm);
}
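
/*
 * A minimal usage sketch for the msg_lock*() helpers (illustrative, not
 * part of the original file): the error is carried inside the returned
 * pointer via the ERR_PTR()/IS_ERR()/PTR_ERR() convention, so callers
 * test the pointer itself rather than a separate status code:
 *
 *	struct msg_queue *msq = msg_lock_check(ns, id);
 *	if (IS_ERR(msq))
 *		return PTR_ERR(msq);
 *	... use msq under its spinlock ...
 *	msg_unlock(msq);
 */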

/*
 * msg_lock_(check_) routines are called in the paths where the rw_mutex
 * is not held.
 */
static inline struct msg_queue *msg_lock(struct ipc_namespace *ns, int id)
{
	struct kern_ipc_perm *ipcp = ipc_lock(&msg_ids(ns), id);

	if (IS_ERR(ipcp))
		return (struct msg_queue *)ipcp;

	return container_of(ipcp, struct msg_queue, q_perm);
}

static inline struct msg_queue *msg_lock_check(struct ipc_namespace *ns,
						int id)
{
	struct kern_ipc_perm *ipcp = ipc_lock_check(&msg_ids(ns), id);

	if (IS_ERR(ipcp))
		return (struct msg_queue *)ipcp;

	return container_of(ipcp, struct msg_queue, q_perm);
}

static inline void msg_rmid(struct ipc_namespace *ns, struct msg_queue *s)
{
	ipc_rmid(&msg_ids(ns), &s->q_perm);
}

/**
 * newque - Create a new msg queue
 * @ns: namespace
 * @params: ptr to the structure that contains the key and msgflg
 *
 * Called with msg_ids.rw_mutex held (writer)
 */
static int newque(struct ipc_namespace *ns, struct ipc_params *params)
{
	struct msg_queue *msq;
	int id, retval;
	key_t key = params->key;
	int msgflg = params->flg;

	msq = ipc_rcu_alloc(sizeof(*msq));
	if (!msq)
		return -ENOMEM;

	msq->q_perm.mode = msgflg & S_IRWXUGO;
	msq->q_perm.key = key;

	msq->q_perm.security = NULL;
	retval = security_msg_queue_alloc(msq);
	if (retval) {
		ipc_rcu_putref(msq);
		return retval;
	}

	/*
	 * ipc_addid() locks msq
	 */
	id = ipc_addid(&msg_ids(ns), &msq->q_perm, ns->msg_ctlmni);
	if (id < 0) {
		security_msg_queue_free(msq);
		ipc_rcu_putref(msq);
		return id;
	}

	msq->q_perm.id = msg_buildid(id, msq->q_perm.seq);
	msq->q_stime = msq->q_rtime = 0;
	msq->q_ctime = get_seconds();
	msq->q_cbytes = msq->q_qnum = 0;
	msq->q_qbytes = ns->msg_ctlmnb;
	msq->q_lspid = msq->q_lrpid = 0;
	INIT_LIST_HEAD(&msq->q_messages);
	INIT_LIST_HEAD(&msq->q_receivers);
	INIT_LIST_HEAD(&msq->q_senders);

	msg_unlock(msq);

	return msq->q_perm.id;
}

static inline void ss_add(struct msg_queue *msq, struct msg_sender *mss)
{
	mss->tsk = current;
	current->state = TASK_INTERRUPTIBLE;
	list_add_tail(&mss->list, &msq->q_senders);
}

static inline void ss_del(struct msg_sender *mss)
{
	if (mss->list.next != NULL)
		list_del(&mss->list);
}

static void ss_wakeup(struct list_head *h, int kill)
{
	struct list_head *tmp;

	tmp = h->next;
	while (tmp != h) {
		struct msg_sender *mss;

		mss = list_entry(tmp, struct msg_sender, list);
		tmp = tmp->next;
		if (kill)
			mss->list.next = NULL;
		wake_up_process(mss->tsk);
	}
}

static void expunge_all(struct msg_queue *msq, int res)
{
	struct list_head *tmp;

	tmp = msq->q_receivers.next;
	while (tmp != &msq->q_receivers) {
		struct msg_receiver *msr;

		msr = list_entry(tmp, struct msg_receiver, r_list);
		tmp = tmp->next;
		msr->r_msg = NULL;
		wake_up_process(msr->r_tsk);
		smp_mb();
		msr->r_msg = ERR_PTR(res);
	}
}
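
/*
 * A note on the wake-up handshake used just above (and again in
 * pipelined_send() below), inferred from the receive path: a woken
 * receiver spins on msr->r_msg until it changes from NULL, so the waker
 * stores NULL first, calls wake_up_process(), and only then publishes
 * the final pointer, with smp_mb() separating the wake-up from the
 * second store.  The matching receiver side in do_msgrcv() is:
 *
 *	msg = (struct msg_msg *)msr_d.r_msg;
 *	while (msg == NULL) {
 *		cpu_relax();
 *		msg = (struct msg_msg *)msr_d.r_msg;
 *	}
 */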

/*
 * freeque() wakes up waiters on the sender and receiver waiting queue,
 * removes the message queue from the message queue ID IDR, and cleans
 * up all the messages associated with this queue.
 *
 * msg_ids.rw_mutex (writer) and the spinlock for this message queue are held
 * before freeque() is called. msg_ids.rw_mutex remains locked on exit.
 */
static void freeque(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp)
{
	struct list_head *tmp;
	struct msg_queue *msq = container_of(ipcp, struct msg_queue, q_perm);

	expunge_all(msq, -EIDRM);
	ss_wakeup(&msq->q_senders, 1);
	msg_rmid(ns, msq);
	msg_unlock(msq);

	tmp = msq->q_messages.next;
	while (tmp != &msq->q_messages) {
		struct msg_msg *msg = list_entry(tmp, struct msg_msg, m_list);

		tmp = tmp->next;
		atomic_dec(&ns->msg_hdrs);
		free_msg(msg);
	}
	atomic_sub(msq->q_cbytes, &ns->msg_bytes);
	security_msg_queue_free(msq);
	ipc_rcu_putref(msq);
}

/*
 * Called with msg_ids.rw_mutex and ipcp locked.
 */
static inline int msg_security(struct kern_ipc_perm *ipcp, int msgflg)
{
	struct msg_queue *msq = container_of(ipcp, struct msg_queue, q_perm);

	return security_msg_queue_associate(msq, msgflg);
}

asmlinkage long sys_msgget(key_t key, int msgflg)
{
	struct ipc_namespace *ns;
	struct ipc_ops msg_ops;
	struct ipc_params msg_params;

	ns = current->nsproxy->ipc_ns;

	msg_ops.getnew = newque;
	msg_ops.associate = msg_security;
	msg_ops.more_checks = NULL;

	msg_params.key = key;
	msg_params.flg = msgflg;

	return ipcget(ns, &msg_ids(ns), &msg_ops, &msg_params);
}

static inline unsigned long
copy_msqid_to_user(void __user *buf, struct msqid64_ds *in, int version)
{
	switch (version) {
	case IPC_64:
		return copy_to_user(buf, in, sizeof(*in));
	case IPC_OLD:
	{
		struct msqid_ds out;

		memset(&out, 0, sizeof(out));

		ipc64_perm_to_ipc_perm(&in->msg_perm, &out.msg_perm);

		out.msg_stime = in->msg_stime;
		out.msg_rtime = in->msg_rtime;
		out.msg_ctime = in->msg_ctime;

		if (in->msg_cbytes > USHRT_MAX)
			out.msg_cbytes = USHRT_MAX;
		else
			out.msg_cbytes = in->msg_cbytes;
		out.msg_lcbytes = in->msg_cbytes;

		if (in->msg_qnum > USHRT_MAX)
			out.msg_qnum = USHRT_MAX;
		else
			out.msg_qnum = in->msg_qnum;

		if (in->msg_qbytes > USHRT_MAX)
			out.msg_qbytes = USHRT_MAX;
		else
			out.msg_qbytes = in->msg_qbytes;
		out.msg_lqbytes = in->msg_qbytes;

		out.msg_lspid = in->msg_lspid;
		out.msg_lrpid = in->msg_lrpid;

		return copy_to_user(buf, &out, sizeof(out));
	}
	default:
		return -EINVAL;
	}
}

struct msq_setbuf {
	unsigned long	qbytes;
	uid_t		uid;
	gid_t		gid;
	mode_t		mode;
};

static inline unsigned long
copy_msqid_from_user(struct msq_setbuf *out, void __user *buf, int version)
{
	switch (version) {
	case IPC_64:
	{
		struct msqid64_ds tbuf;

		if (copy_from_user(&tbuf, buf, sizeof(tbuf)))
			return -EFAULT;

		out->qbytes = tbuf.msg_qbytes;
		out->uid = tbuf.msg_perm.uid;
		out->gid = tbuf.msg_perm.gid;
		out->mode = tbuf.msg_perm.mode;

		return 0;
	}
	case IPC_OLD:
	{
		struct msqid_ds tbuf_old;

		if (copy_from_user(&tbuf_old, buf, sizeof(tbuf_old)))
			return -EFAULT;

		out->uid = tbuf_old.msg_perm.uid;
		out->gid = tbuf_old.msg_perm.gid;
		out->mode = tbuf_old.msg_perm.mode;

		if (tbuf_old.msg_qbytes == 0)
			out->qbytes = tbuf_old.msg_lqbytes;
		else
			out->qbytes = tbuf_old.msg_qbytes;

		return 0;
	}
	default:
		return -EINVAL;
	}
}
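
/*
 * Background on the two layouts handled above (a sketch of the ABI
 * history; the narrow-counter detail is inferred from the USHRT_MAX
 * clamping): the old struct msqid_ds carried 16-bit byte and message
 * counters, so oversized values are clamped there while the full values
 * travel in the msg_l{c,q}bytes spill fields; struct msqid64_ds widens
 * all fields.  ipc_parse_version() in sys_msgctl() below selects IPC_64
 * when user space (e.g. a modern libc) ORs the IPC_64 flag into cmd,
 * roughly:
 *
 *	msgctl(id, IPC_STAT | IPC_64, (struct msqid_ds *)&buf64);
 */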

asmlinkage long sys_msgctl(int msqid, int cmd, struct msqid_ds __user *buf)
{
	struct kern_ipc_perm *ipcp;
	struct msq_setbuf uninitialized_var(setbuf);
	struct msg_queue *msq;
	int err, version;
	struct ipc_namespace *ns;

	if (msqid < 0 || cmd < 0)
		return -EINVAL;

	version = ipc_parse_version(&cmd);
	ns = current->nsproxy->ipc_ns;

	switch (cmd) {
	case IPC_INFO:
	case MSG_INFO:
	{
		struct msginfo msginfo;
		int max_id;

		if (!buf)
			return -EFAULT;
		/*
		 * We must not return kernel stack data: due to padding,
		 * it is not enough to set all member fields.
		 */
		err = security_msg_queue_msgctl(NULL, cmd);
		if (err)
			return err;

		memset(&msginfo, 0, sizeof(msginfo));
		msginfo.msgmni = ns->msg_ctlmni;
		msginfo.msgmax = ns->msg_ctlmax;
		msginfo.msgmnb = ns->msg_ctlmnb;
		msginfo.msgssz = MSGSSZ;
		msginfo.msgseg = MSGSEG;
		down_read(&msg_ids(ns).rw_mutex);
		if (cmd == MSG_INFO) {
			msginfo.msgpool = msg_ids(ns).in_use;
			msginfo.msgmap = atomic_read(&ns->msg_hdrs);
			msginfo.msgtql = atomic_read(&ns->msg_bytes);
		} else {
			msginfo.msgmap = MSGMAP;
			msginfo.msgpool = MSGPOOL;
			msginfo.msgtql = MSGTQL;
		}
		max_id = ipc_get_maxid(&msg_ids(ns));
		up_read(&msg_ids(ns).rw_mutex);
		if (copy_to_user(buf, &msginfo, sizeof(struct msginfo)))
			return -EFAULT;
		return (max_id < 0) ? 0 : max_id;
	}
	case MSG_STAT:	/* msqid is an index rather than a msg queue id */
	case IPC_STAT:
	{
		struct msqid64_ds tbuf;
		int success_return;

		if (!buf)
			return -EFAULT;

		if (cmd == MSG_STAT) {
			msq = msg_lock(ns, msqid);
			if (IS_ERR(msq))
				return PTR_ERR(msq);
			success_return = msq->q_perm.id;
		} else {
			msq = msg_lock_check(ns, msqid);
			if (IS_ERR(msq))
				return PTR_ERR(msq);
			success_return = 0;
		}
		err = -EACCES;
		if (ipcperms(&msq->q_perm, S_IRUGO))
			goto out_unlock;

		err = security_msg_queue_msgctl(msq, cmd);
		if (err)
			goto out_unlock;

		memset(&tbuf, 0, sizeof(tbuf));

		kernel_to_ipc64_perm(&msq->q_perm, &tbuf.msg_perm);
		tbuf.msg_stime = msq->q_stime;
		tbuf.msg_rtime = msq->q_rtime;
		tbuf.msg_ctime = msq->q_ctime;
		tbuf.msg_cbytes = msq->q_cbytes;
		tbuf.msg_qnum = msq->q_qnum;
		tbuf.msg_qbytes = msq->q_qbytes;
		tbuf.msg_lspid = msq->q_lspid;
		tbuf.msg_lrpid = msq->q_lrpid;
		msg_unlock(msq);
		if (copy_msqid_to_user(buf, &tbuf, version))
			return -EFAULT;
		return success_return;
	}
	case IPC_SET:
		if (!buf)
			return -EFAULT;
		if (copy_msqid_from_user(&setbuf, buf, version))
			return -EFAULT;
		break;
	case IPC_RMID:
		break;
	default:
		return -EINVAL;
	}
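
	/*
	 * IPC_SET and IPC_RMID fall through to here.  Both can modify or
	 * destroy the queue, so (summarising the helpers used below, for
	 * orientation) they take the table-wide lock as a writer and then
	 * the per-queue spinlock:
	 *
	 *	down_write(&msg_ids(ns).rw_mutex);	whole table, writer
	 *	msg_lock_check_down(ns, msqid);		per-queue spinlock
	 *
	 * The read-only commands above made do with the reader side or
	 * the spinlock alone.
	 */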
	down_write(&msg_ids(ns).rw_mutex);
	msq = msg_lock_check_down(ns, msqid);
	if (IS_ERR(msq)) {
		err = PTR_ERR(msq);
		goto out_up;
	}

	ipcp = &msq->q_perm;

	err = audit_ipc_obj(ipcp);
	if (err)
		goto out_unlock_up;
	if (cmd == IPC_SET) {
		err = audit_ipc_set_perm(setbuf.qbytes, setbuf.uid, setbuf.gid,
					 setbuf.mode);
		if (err)
			goto out_unlock_up;
	}

	err = -EPERM;
	if (current->euid != ipcp->cuid &&
	    current->euid != ipcp->uid && !capable(CAP_SYS_ADMIN))
		/* We _could_ check for CAP_CHOWN above, but we don't */
		goto out_unlock_up;

	err = security_msg_queue_msgctl(msq, cmd);
	if (err)
		goto out_unlock_up;

	switch (cmd) {
	case IPC_SET:
	{
		err = -EPERM;
		if (setbuf.qbytes > ns->msg_ctlmnb &&
		    !capable(CAP_SYS_RESOURCE))
			goto out_unlock_up;

		msq->q_qbytes = setbuf.qbytes;

		ipcp->uid = setbuf.uid;
		ipcp->gid = setbuf.gid;
		ipcp->mode = (ipcp->mode & ~S_IRWXUGO) |
			     (S_IRWXUGO & setbuf.mode);
		msq->q_ctime = get_seconds();
		/*
		 * Sleeping receivers might be excluded by
		 * stricter permissions.
		 */
		expunge_all(msq, -EAGAIN);
		/*
		 * Sleeping senders might be able to send
		 * due to a larger queue size.
		 */
		ss_wakeup(&msq->q_senders, 0);
		msg_unlock(msq);
		break;
	}
	case IPC_RMID:
		freeque(ns, &msq->q_perm);
		break;
	}
	err = 0;
out_up:
	up_write(&msg_ids(ns).rw_mutex);
	return err;
out_unlock_up:
	msg_unlock(msq);
	goto out_up;
out_unlock:
	msg_unlock(msq);
	return err;
}

static int testmsg(struct msg_msg *msg, long type, int mode)
{
	switch (mode) {
	case SEARCH_ANY:
		return 1;
	case SEARCH_LESSEQUAL:
		if (msg->m_type <= type)
			return 1;
		break;
	case SEARCH_EQUAL:
		if (msg->m_type == type)
			return 1;
		break;
	case SEARCH_NOTEQUAL:
		if (msg->m_type != type)
			return 1;
		break;
	}
	return 0;
}

static inline int pipelined_send(struct msg_queue *msq, struct msg_msg *msg)
{
	struct list_head *tmp;

	tmp = msq->q_receivers.next;
	while (tmp != &msq->q_receivers) {
		struct msg_receiver *msr;

		msr = list_entry(tmp, struct msg_receiver, r_list);
		tmp = tmp->next;
		if (testmsg(msg, msr->r_msgtype, msr->r_mode) &&
		    !security_msg_queue_msgrcv(msq, msg, msr->r_tsk,
					       msr->r_msgtype, msr->r_mode)) {

			list_del(&msr->r_list);
			if (msr->r_maxsize < msg->m_ts) {
				/*
				 * Receiver's buffer is too small: wake it
				 * with -E2BIG, using the same
				 * NULL/wake/smp_mb/publish handshake as
				 * expunge_all().
				 */
				msr->r_msg = NULL;
				wake_up_process(msr->r_tsk);
				smp_mb();
				msr->r_msg = ERR_PTR(-E2BIG);
			} else {
				msr->r_msg = NULL;
				msq->q_lrpid = task_pid_vnr(msr->r_tsk);
				msq->q_rtime = get_seconds();
				wake_up_process(msr->r_tsk);
				smp_mb();
				msr->r_msg = msg;

				return 1;
			}
		}
	}
	return 0;
}
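
/*
 * User-visible effect of the send path (an illustrative user-space
 * sketch, not from this file): with IPC_NOWAIT a full queue fails fast
 * instead of sleeping in the ss_add()/schedule() loop of do_msgsnd()
 * below:
 *
 *	struct { long mtype; char mtext[64]; } m = { 1, "ping" };
 *	if (msgsnd(id, &m, sizeof(m.mtext), IPC_NOWAIT) < 0 &&
 *	    errno == EAGAIN)
 *		... queue was full and we chose not to block ...
 */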

long do_msgsnd(int msqid, long mtype, void __user *mtext,
		size_t msgsz, int msgflg)
{
	struct msg_queue *msq;
	struct msg_msg *msg;
	int err;
	struct ipc_namespace *ns;

	ns = current->nsproxy->ipc_ns;

	if (msgsz > ns->msg_ctlmax || (long) msgsz < 0 || msqid < 0)
		return -EINVAL;
	if (mtype < 1)
		return -EINVAL;

	msg = load_msg(mtext, msgsz);
	if (IS_ERR(msg))
		return PTR_ERR(msg);

	msg->m_type = mtype;
	msg->m_ts = msgsz;

	msq = msg_lock_check(ns, msqid);
	if (IS_ERR(msq)) {
		err = PTR_ERR(msq);
		goto out_free;
	}

	for (;;) {
		struct msg_sender s;

		err = -EACCES;
		if (ipcperms(&msq->q_perm, S_IWUGO))
			goto out_unlock_free;

		err = security_msg_queue_msgsnd(msq, msg, msgflg);
		if (err)
			goto out_unlock_free;

		if (msgsz + msq->q_cbytes <= msq->q_qbytes &&
		    1 + msq->q_qnum <= msq->q_qbytes) {
			break;
		}

		/* queue full, wait: */
		if (msgflg & IPC_NOWAIT) {
			err = -EAGAIN;
			goto out_unlock_free;
		}
		ss_add(msq, &s);
		ipc_rcu_getref(msq);
		msg_unlock(msq);
		schedule();

		ipc_lock_by_ptr(&msq->q_perm);
		ipc_rcu_putref(msq);
		if (msq->q_perm.deleted) {
			err = -EIDRM;
			goto out_unlock_free;
		}
		ss_del(&s);

		if (signal_pending(current)) {
			err = -ERESTARTNOHAND;
			goto out_unlock_free;
		}
	}

	msq->q_lspid = task_tgid_vnr(current);
	msq->q_stime = get_seconds();

	if (!pipelined_send(msq, msg)) {
		/* no one is waiting for this message, enqueue it */
		list_add_tail(&msg->m_list, &msq->q_messages);
		msq->q_cbytes += msgsz;
		msq->q_qnum++;
		atomic_add(msgsz, &ns->msg_bytes);
		atomic_inc(&ns->msg_hdrs);
	}

	err = 0;
	msg = NULL;

out_unlock_free:
	msg_unlock(msq);
out_free:
	if (msg != NULL)
		free_msg(msg);
	return err;
}

asmlinkage long
sys_msgsnd(int msqid, struct msgbuf __user *msgp, size_t msgsz, int msgflg)
{
	long mtype;

	if (get_user(mtype, &msgp->mtype))
		return -EFAULT;
	return do_msgsnd(msqid, mtype, msgp->mtext, msgsz, msgflg);
}

static inline int convert_mode(long *msgtyp, int msgflg)
{
	/*
	 * find message of correct type.
	 * msgtyp = 0 => get first.
	 * msgtyp > 0 => get first message of matching type.
	 * msgtyp < 0 => get message with the lowest type that is
	 *		 <= abs(msgtyp).
	 */
	if (*msgtyp == 0)
		return SEARCH_ANY;
	if (*msgtyp < 0) {
		*msgtyp = -*msgtyp;
		return SEARCH_LESSEQUAL;
	}
	if (msgflg & MSG_EXCEPT)
		return SEARCH_NOTEQUAL;
	return SEARCH_EQUAL;
}
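
/*
 * How the msgtyp argument of msgrcv() maps onto the search modes above
 * (restating convert_mode()'s rules as user-space calls; illustrative):
 *
 *	msgrcv(id, &m, sz, 0, 0);		SEARCH_ANY: first message
 *	msgrcv(id, &m, sz, 7, 0);		SEARCH_EQUAL: first of type 7
 *	msgrcv(id, &m, sz, -7, 0);		SEARCH_LESSEQUAL: lowest type <= 7
 *	msgrcv(id, &m, sz, 7, MSG_EXCEPT);	SEARCH_NOTEQUAL: first of type != 7
 */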

long do_msgrcv(int msqid, long *pmtype, void __user *mtext,
		size_t msgsz, long msgtyp, int msgflg)
{
	struct msg_queue *msq;
	struct msg_msg *msg;
	int mode;
	struct ipc_namespace *ns;

	if (msqid < 0 || (long) msgsz < 0)
		return -EINVAL;
	mode = convert_mode(&msgtyp, msgflg);
	ns = current->nsproxy->ipc_ns;

	msq = msg_lock_check(ns, msqid);
	if (IS_ERR(msq))
		return PTR_ERR(msq);

	for (;;) {
		struct msg_receiver msr_d;
		struct list_head *tmp;

		msg = ERR_PTR(-EACCES);
		if (ipcperms(&msq->q_perm, S_IRUGO))
			goto out_unlock;

		msg = ERR_PTR(-EAGAIN);
		tmp = msq->q_messages.next;
		while (tmp != &msq->q_messages) {
			struct msg_msg *walk_msg;

			walk_msg = list_entry(tmp, struct msg_msg, m_list);
			if (testmsg(walk_msg, msgtyp, mode) &&
			    !security_msg_queue_msgrcv(msq, walk_msg, current,
						       msgtyp, mode)) {

				msg = walk_msg;
				if (mode == SEARCH_LESSEQUAL &&
				    walk_msg->m_type != 1) {
					/*
					 * Lowest type seen so far; keep
					 * scanning for an even lower one.
					 */
					msgtyp = walk_msg->m_type - 1;
				} else {
					break;
				}
			}
			tmp = tmp->next;
		}
		if (!IS_ERR(msg)) {
			/*
			 * Found a suitable message.
			 * Unlink it from the queue.
			 */
			if ((msgsz < msg->m_ts) && !(msgflg & MSG_NOERROR)) {
				msg = ERR_PTR(-E2BIG);
				goto out_unlock;
			}
			list_del(&msg->m_list);
			msq->q_qnum--;
			msq->q_rtime = get_seconds();
			msq->q_lrpid = task_tgid_vnr(current);
			msq->q_cbytes -= msg->m_ts;
			atomic_sub(msg->m_ts, &ns->msg_bytes);
			atomic_dec(&ns->msg_hdrs);
			ss_wakeup(&msq->q_senders, 0);
			msg_unlock(msq);
			break;
		}
		/* No message waiting. Wait for a message. */
		if (msgflg & IPC_NOWAIT) {
			msg = ERR_PTR(-ENOMSG);
			goto out_unlock;
		}
		list_add_tail(&msr_d.r_list, &msq->q_receivers);
		msr_d.r_tsk = current;
		msr_d.r_msgtype = msgtyp;
		msr_d.r_mode = mode;
		if (msgflg & MSG_NOERROR)
			msr_d.r_maxsize = INT_MAX;
		else
			msr_d.r_maxsize = msgsz;
		msr_d.r_msg = ERR_PTR(-EAGAIN);
		current->state = TASK_INTERRUPTIBLE;
		msg_unlock(msq);

		schedule();

		/*
		 * Lockless receive, part 1:
		 * Disable preemption.  We don't hold a reference to the
		 * queue, and getting a reference would defeat the idea of
		 * a lockless operation, so the code relies on RCU to
		 * guarantee the existence of msq:
		 * Prior to destruction, expunge_all(-EIDRM) changes r_msg.
		 * Thus if r_msg is still -EAGAIN, the queue is not yet
		 * destroyed.  rcu_read_lock() prevents preemption between
		 * reading r_msg and the spin_lock() inside
		 * ipc_lock_by_ptr().
		 */
		rcu_read_lock();

		/*
		 * Lockless receive, part 2:
		 * Wait until pipelined_send or expunge_all are outside of
		 * wake_up_process().  There is a race with exit(); see
		 * ipc/mqueue.c for the details.
		 */
		msg = (struct msg_msg *)msr_d.r_msg;
		while (msg == NULL) {
			cpu_relax();
			msg = (struct msg_msg *)msr_d.r_msg;
		}

		/*
		 * Lockless receive, part 3:
		 * If there is a message or an error then accept it without
		 * locking.
		 */
		if (msg != ERR_PTR(-EAGAIN)) {
			rcu_read_unlock();
			break;
		}

		/*
		 * Lockless receive, part 4:
		 * Acquire the queue spinlock.
		 */
		ipc_lock_by_ptr(&msq->q_perm);
		rcu_read_unlock();

		/*
		 * Lockless receive, part 5:
		 * Repeat the test after acquiring the spinlock.
		 */
		msg = (struct msg_msg *)msr_d.r_msg;
		if (msg != ERR_PTR(-EAGAIN))
			goto out_unlock;

		list_del(&msr_d.r_list);
		if (signal_pending(current)) {
			msg = ERR_PTR(-ERESTARTNOHAND);
out_unlock:
			msg_unlock(msq);
			break;
		}
	}
	if (IS_ERR(msg))
		return PTR_ERR(msg);

	msgsz = (msgsz > msg->m_ts) ? msg->m_ts : msgsz;
	*pmtype = msg->m_type;
	if (store_msg(mtext, msg, msgsz))
		msgsz = -EFAULT;

	free_msg(msg);

	return msgsz;
}

asmlinkage long sys_msgrcv(int msqid, struct msgbuf __user *msgp, size_t msgsz,
			   long msgtyp, int msgflg)
{
	long err, mtype;

	err = do_msgrcv(msqid, &mtype, msgp->mtext, msgsz, msgtyp, msgflg);
	if (err < 0)
		goto out;

	if (put_user(mtype, &msgp->mtype))
		err = -EFAULT;
out:
	return err;
}

#ifdef CONFIG_PROC_FS
static int sysvipc_msg_proc_show(struct seq_file *s, void *it)
{
	struct msg_queue *msq = it;

	return seq_printf(s,
			"%10d %10d  %4o  %10lu %10lu %5u %5u %5u %5u %5u %5u %10lu %10lu %10lu\n",
			msq->q_perm.key,
			msq->q_perm.id,
			msq->q_perm.mode,
			msq->q_cbytes,
			msq->q_qnum,
			msq->q_lspid,
			msq->q_lrpid,
			msq->q_perm.uid,
			msq->q_perm.gid,
			msq->q_perm.cuid,
			msq->q_perm.cgid,
			msq->q_stime,
			msq->q_rtime,
			msq->q_ctime);
}
#endif
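
/*
 * A minimal end-to-end usage sketch of the syscalls implemented above
 * (illustrative user-space code, not part of this file; error handling
 * elided):
 *
 *	#include <sys/msg.h>
 *
 *	struct { long mtype; char mtext[32]; } m = { 1, "hello" };
 *	int id = msgget(IPC_PRIVATE, IPC_CREAT | 0600);
 *	msgsnd(id, &m, sizeof(m.mtext), 0);
 *	msgrcv(id, &m, sizeof(m.mtext), 1, 0);
 *	msgctl(id, IPC_RMID, NULL);
 */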