/*
 * linux/ipc/sem.c
 * Copyright (C) 1992 Krishna Balasubramanian
 * Copyright (C) 1995 Eric Schenk, Bruno Haible
 *
 * /proc/sysvipc/sem support (c) 1999 Dragos Acostachioaie <dragos@iname.com>
 *
 * SMP-threaded, sysctl's added
 * (c) 1999 Manfred Spraul <manfred@colorfullife.com>
 * Enforced range limit on SEM_UNDO
 * (c) 2001 Red Hat Inc
 * Lockless wakeup
 * (c) 2003 Manfred Spraul <manfred@colorfullife.com>
 * (c) 2016 Davidlohr Bueso <dave@stgolabs.net>
 * Further wakeup optimizations, documentation
 * (c) 2010 Manfred Spraul <manfred@colorfullife.com>
 *
 * support for audit of ipc object properties and permission changes
 * Dustin Kirkland <dustin.kirkland@us.ibm.com>
 *
 * namespaces support
 * OpenVZ, SWsoft Inc.
 * Pavel Emelianov <xemul@openvz.org>
 *
 * Implementation notes: (May 2010)
 * This file implements System V semaphores.
 *
 * User space visible behavior (see also the illustrative example below):
 * - FIFO ordering for semop() operations (just FIFO, not starvation
 *   protection)
 * - multiple semaphore operations that alter the same semaphore in
 *   one semop() are handled.
 * - sem_ctime (time of last semctl()) is updated in the IPC_SET, SETVAL and
 *   SETALL calls.
 * - two Linux specific semctl() commands: SEM_STAT, SEM_INFO.
 * - undo adjustments at process exit are limited to 0..SEMVMX.
 * - namespaces are supported.
 * - SEMMSL, SEMMNS, SEMOPM and SEMMNI can be configured at runtime by writing
 *   to /proc/sys/kernel/sem.
 * - statistics about the usage are reported in /proc/sysvipc/sem.
 *
 * Internals:
 * - scalability:
 *   - all global variables are read-mostly.
 *   - semop() calls and semctl(RMID) are synchronized by RCU.
 *   - most operations do write operations (actually: spin_lock calls) to
 *     the per-semaphore array structure.
 *     Thus: Perfect SMP scaling between independent semaphore arrays.
 *     If multiple semaphores in one array are used, then cache line
 *     thrashing on the semaphore array spinlock will limit the scaling.
 * - semncnt and semzcnt are calculated on demand in count_semcnt()
 * - the task that performs a successful semop() scans the list of all
 *   sleeping tasks and completes any pending operations that can be fulfilled.
 *   Semaphores are actively given to waiting tasks (necessary for FIFO).
 *   (see update_queue())
 * - To improve the scalability, the actual wake-up calls are performed after
 *   dropping all locks. (see wake_up_sem_queue_prepare())
 * - All work is done by the waker, the woken up task does not have to do
 *   anything - not even acquiring a lock or dropping a refcount.
 * - A woken up task may not even touch the semaphore array anymore, it may
 *   have been destroyed already by a semctl(RMID).
 * - UNDO values are stored in an array (one per process and per
 *   semaphore array, lazily allocated). For backwards compatibility, multiple
 *   modes for the UNDO variables are supported (per process, per thread)
 *   (see copy_semundo, CLONE_SYSVSEM)
 * - There are two lists of the pending operations: a per-array list
 *   and per-semaphore list (stored in the array). This allows achieving FIFO
 *   ordering without always scanning all pending operations.
 *   The worst-case behavior is nevertheless O(N^2) for N wakeups.
 */
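/*
 * Illustrative user-space sketch (not part of the kernel, not compiled
 * here): a minimal example of the behavior listed above, assuming a
 * hypothetical one-semaphore set.  A single semop() applies two operations
 * on the same semaphore atomically and registers SEM_UNDO adjustments that
 * are rolled back automatically when the process exits.
 *
 *	#include <sys/types.h>
 *	#include <sys/ipc.h>
 *	#include <sys/sem.h>
 *
 *	int example(void)
 *	{
 *		int semid = semget(IPC_PRIVATE, 1, IPC_CREAT | 0600);
 *		struct sembuf ops[2] = {
 *			{ .sem_num = 0, .sem_op = +2, .sem_flg = SEM_UNDO },
 *			{ .sem_num = 0, .sem_op = -1, .sem_flg = SEM_UNDO },
 *		};
 *
 *		if (semid < 0)
 *			return -1;
 *		semop(semid, ops, 2);	// applied atomically: net +1, undo -1
 *		return semctl(semid, 0, IPC_RMID);
 *	}
 */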
#include <linux/slab.h>
#include <linux/spinlock.h>
#include <linux/init.h>
#include <linux/proc_fs.h>
#include <linux/time.h>
#include <linux/security.h>
#include <linux/syscalls.h>
#include <linux/audit.h>
#include <linux/capability.h>
#include <linux/seq_file.h>
#include <linux/rwsem.h>
#include <linux/nsproxy.h>
#include <linux/ipc_namespace.h>
#include <linux/sched/wake_q.h>

#include <linux/uaccess.h>
#include "util.h"

/* One semaphore structure for each semaphore in the system. */
struct sem {
	int	semval;		/* current value */
	/*
	 * PID of the process that last modified the semaphore. For
	 * Linux, specifically these are:
	 *  - semop
	 *  - semctl, via SETVAL and SETALL.
	 *  - at task exit when performing undo adjustments (see exit_sem).
	 */
	int	sempid;
	spinlock_t	lock;	/* spinlock for fine-grained semtimedop */
	struct list_head pending_alter; /* pending single-sop operations */
					/* that alter the semaphore */
	struct list_head pending_const; /* pending single-sop operations */
					/* that do not alter the semaphore*/
	time_t	sem_otime;	/* candidate for sem_otime */
} ____cacheline_aligned_in_smp;

/* One queue for each sleeping process in the system. */
struct sem_queue {
	struct list_head	list;	 /* queue of pending operations */
	struct task_struct	*sleeper; /* this process */
	struct sem_undo		*undo;	 /* undo structure */
	int			pid;	 /* process id of requesting process */
	int			status;	 /* completion status of operation */
	struct sembuf		*sops;	 /* array of pending operations */
	struct sembuf		*blocking; /* the operation that blocked */
	int			nsops;	 /* number of operations */
	bool			alter;	 /* does *sops alter the array? */
	bool			dupsop;	 /* sops on more than one sem_num */
};

/* Each task has a list of undo requests. They are executed automatically
 * when the process exits.
 */
struct sem_undo {
	struct list_head	list_proc;	/* per-process list: *
						 * all undos from one process
						 * rcu protected */
	struct rcu_head		rcu;		/* rcu struct for sem_undo */
	struct sem_undo_list	*ulp;		/* back ptr to sem_undo_list */
	struct list_head	list_id;	/* per semaphore array list:
						 * all undos for one array */
	int			semid;		/* semaphore set identifier */
	short			*semadj;	/* array of adjustments */
						/* one per semaphore */
};

/* sem_undo_list controls shared access to the list of sem_undo structures
 * that may be shared among all tasks of a CLONE_SYSVSEM task group.
 */
struct sem_undo_list {
	atomic_t		refcnt;
	spinlock_t		lock;
	struct list_head	list_proc;
};


#define sem_ids(ns)	((ns)->ids[IPC_SEM_IDS])

#define sem_checkid(sma, semid)	ipc_checkid(&sma->sem_perm, semid)

static int newary(struct ipc_namespace *, struct ipc_params *);
static void freeary(struct ipc_namespace *, struct kern_ipc_perm *);
#ifdef CONFIG_PROC_FS
static int sysvipc_sem_proc_show(struct seq_file *s, void *it);
#endif

#define SEMMSL_FAST	256 /* 512 bytes on stack */
#define SEMOPM_FAST	64  /* ~ 372 bytes on stack */

/*
 * Switching from the mode suitable for simple ops
 * to the mode for complex ops is costly. Therefore:
 * use some hysteresis
 */
#define USE_GLOBAL_LOCK_HYSTERESIS	10

/*
 * Locking:
 * a) global sem_lock() for read/write
 *	sem_undo.id_next,
 *	sem_array.complex_count,
 *	sem_array.pending{_alter,_const},
 *	sem_array.sem_undo
 *
 * b) global or semaphore sem_lock() for read/write:
 *	sem_array.sem_base[i].pending_{const,alter}:
 *
 * c) special:
 *	sem_undo_list.list_proc:
 *	* undo_list->lock for write
 *	* rcu for read
 *	use_global_lock:
 *	* global sem_lock() for write
 *	* either local or global sem_lock() for read.
 *
 * Memory ordering:
 * Most ordering is enforced by using spin_lock() and spin_unlock().
 * The special case is use_global_lock:
 * Setting it from non-zero to 0 is a RELEASE, this is ensured by
 * using smp_store_release().
 * Testing if it is non-zero is an ACQUIRE, this is ensured by using
 * smp_load_acquire().
 * Setting it from 0 to non-zero must be ordered with regards to
 * this smp_load_acquire(), this is guaranteed because the smp_load_acquire()
 * is inside a spin_lock() and after a write from 0 to non-zero a
 * spin_lock()+spin_unlock() is done.
 */

#define sc_semmsl	sem_ctls[0]
#define sc_semmns	sem_ctls[1]
#define sc_semopm	sem_ctls[2]
#define sc_semmni	sem_ctls[3]

void sem_init_ns(struct ipc_namespace *ns)
{
	ns->sc_semmsl = SEMMSL;
	ns->sc_semmns = SEMMNS;
	ns->sc_semopm = SEMOPM;
	ns->sc_semmni = SEMMNI;
	ns->used_sems = 0;
	ipc_init_ids(&ns->ids[IPC_SEM_IDS]);
}

#ifdef CONFIG_IPC_NS
void sem_exit_ns(struct ipc_namespace *ns)
{
	free_ipcs(ns, &sem_ids(ns), freeary);
	idr_destroy(&ns->ids[IPC_SEM_IDS].ipcs_idr);
}
#endif

void __init sem_init(void)
{
	sem_init_ns(&init_ipc_ns);
	ipc_init_proc_interface("sysvipc/sem",
				"       key      semid perms      nsems   uid   gid  cuid  cgid      otime      ctime\n",
				IPC_SEM_IDS, sysvipc_sem_proc_show);
}

/**
 * unmerge_queues - unmerge queues, if possible.
 * @sma: semaphore array
 *
 * The function unmerges the wait queues if complex_count is 0.
 * It must be called prior to dropping the global semaphore array lock.
 */
static void unmerge_queues(struct sem_array *sma)
{
	struct sem_queue *q, *tq;

	/* complex operations still around? */
	if (sma->complex_count)
		return;
	/*
	 * We will switch back to simple mode.
	 * Move all pending operations back into the per-semaphore
	 * queues.
	 */
	list_for_each_entry_safe(q, tq, &sma->pending_alter, list) {
		struct sem *curr;
		curr = &sma->sem_base[q->sops[0].sem_num];

		list_add_tail(&q->list, &curr->pending_alter);
	}
	INIT_LIST_HEAD(&sma->pending_alter);
}

/**
 * merge_queues - merge single semop queues into global queue
 * @sma: semaphore array
 *
 * This function merges all per-semaphore queues into the global queue.
 * It is necessary to achieve FIFO ordering for the pending single-sop
 * operations when a multi-semop operation must sleep.
 * Only the alter operations must be moved, the const operations can stay.
 */
static void merge_queues(struct sem_array *sma)
{
	int i;
	for (i = 0; i < sma->sem_nsems; i++) {
		struct sem *sem = sma->sem_base + i;

		list_splice_init(&sem->pending_alter, &sma->pending_alter);
	}
}

static void sem_rcu_free(struct rcu_head *head)
{
	struct ipc_rcu *p = container_of(head, struct ipc_rcu, rcu);
	struct sem_array *sma = ipc_rcu_to_struct(p);

	security_sem_free(sma);
	ipc_rcu_free(head);
}

/*
 * Enter the mode suitable for non-simple operations:
 * Caller must own sem_perm.lock.
 */
static void complexmode_enter(struct sem_array *sma)
{
	int i;
	struct sem *sem;

	if (sma->use_global_lock > 0) {
		/*
		 * We are already in global lock mode.
		 * Nothing to do, just reset the
		 * counter until we return to simple mode.
		 */
		sma->use_global_lock = USE_GLOBAL_LOCK_HYSTERESIS;
		return;
	}
	sma->use_global_lock = USE_GLOBAL_LOCK_HYSTERESIS;

	for (i = 0; i < sma->sem_nsems; i++) {
		sem = sma->sem_base + i;
		spin_lock(&sem->lock);
		spin_unlock(&sem->lock);
	}
}

/*
 * Try to leave the mode that disallows simple operations:
 * Caller must own sem_perm.lock.
 */
static void complexmode_tryleave(struct sem_array *sma)
{
	if (sma->complex_count) {
		/* Complex ops are sleeping.
		 * We must stay in complex mode
		 */
		return;
	}
	if (sma->use_global_lock == 1) {
		/*
		 * Immediately after setting use_global_lock to 0,
		 * a simple op can start. Thus: all memory writes
		 * performed by the current operation must be visible
		 * before we set use_global_lock to 0.
		 */
		smp_store_release(&sma->use_global_lock, 0);
	} else {
		sma->use_global_lock--;
	}
}
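/*
 * Minimal user-space analogue (illustrative only, not kernel code) of the
 * release/acquire pairing described in the memory ordering notes above,
 * using C11 atomics in place of smp_store_release()/smp_load_acquire().
 * All names below are hypothetical; complexmode_tryleave() is the writer
 * side, the sem_lock() fast path is the reader side, and "use_global"
 * stands in for sma->use_global_lock.
 *
 *	#include <stdatomic.h>
 *
 *	static _Atomic int use_global;	// analogue of sma->use_global_lock
 *	static int shared_state;	// data protected by the protocol
 *
 *	static void writer_leave_complex_mode(void)
 *	{
 *		shared_state = 42;		// all writes before...
 *		atomic_store_explicit(&use_global, 0,
 *				      memory_order_release);	// ...the RELEASE
 *	}
 *
 *	static int reader_fast_path(void)
 *	{
 *		if (!atomic_load_explicit(&use_global,
 *					  memory_order_acquire))	// ACQUIRE
 *			return shared_state;	// guaranteed to observe 42
 *		return -1;			// otherwise: take the slow path
 *	}
 */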
#define SEM_GLOBAL_LOCK	(-1)
/*
 * If the request contains only one semaphore operation, and there are
 * no complex transactions pending, lock only the semaphore involved.
 * Otherwise, lock the entire semaphore array, since we either have
 * multiple semaphores in our own semops, or we need to look at
 * semaphores from other pending complex operations.
 */
static inline int sem_lock(struct sem_array *sma, struct sembuf *sops,
			      int nsops)
{
	struct sem *sem;

	if (nsops != 1) {
		/* Complex operation - acquire a full lock */
		ipc_lock_object(&sma->sem_perm);

		/* Prevent parallel simple ops */
		complexmode_enter(sma);
		return SEM_GLOBAL_LOCK;
	}

	/*
	 * Only one semaphore affected - try to optimize locking.
	 * Optimized locking is possible if no complex operation
	 * is either enqueued or processed right now.
	 *
	 * Both facts are tracked by use_global_lock.
	 */
	sem = sma->sem_base + sops->sem_num;

	/*
	 * Initial check for use_global_lock. Just an optimization,
	 * no locking, no memory barrier.
	 */
	if (!sma->use_global_lock) {
		/*
		 * It appears that no complex operation is around.
		 * Acquire the per-semaphore lock.
		 */
		spin_lock(&sem->lock);

		/* pairs with smp_store_release() */
		if (!smp_load_acquire(&sma->use_global_lock)) {
			/* fast path successful! */
			return sops->sem_num;
		}
		spin_unlock(&sem->lock);
	}

	/* slow path: acquire the full lock */
	ipc_lock_object(&sma->sem_perm);

	if (sma->use_global_lock == 0) {
		/*
		 * The use_global_lock mode ended while we waited for
		 * sma->sem_perm.lock. Thus we must switch to locking
		 * with sem->lock.
		 * Unlike in the fast path, there is no need to recheck
		 * sma->use_global_lock after we have acquired sem->lock:
		 * We own sma->sem_perm.lock, thus use_global_lock cannot
		 * change.
		 */
		spin_lock(&sem->lock);

		ipc_unlock_object(&sma->sem_perm);
		return sops->sem_num;
	} else {
		/*
		 * Not a false alarm, thus continue to use the global lock
		 * mode. No need for complexmode_enter(), this was done by
		 * the caller that has set use_global_lock to non-zero.
		 */
		return SEM_GLOBAL_LOCK;
	}
}

static inline void sem_unlock(struct sem_array *sma, int locknum)
{
	if (locknum == SEM_GLOBAL_LOCK) {
		unmerge_queues(sma);
		complexmode_tryleave(sma);
		ipc_unlock_object(&sma->sem_perm);
	} else {
		struct sem *sem = sma->sem_base + locknum;
		spin_unlock(&sem->lock);
	}
}

/*
 * sem_lock_(check_) routines are called in the paths where the rwsem
 * is not held.
 *
 * The caller holds the RCU read lock.
 */
static inline struct sem_array *sem_obtain_object(struct ipc_namespace *ns, int id)
{
	struct kern_ipc_perm *ipcp = ipc_obtain_object_idr(&sem_ids(ns), id);

	if (IS_ERR(ipcp))
		return ERR_CAST(ipcp);

	return container_of(ipcp, struct sem_array, sem_perm);
}

static inline struct sem_array *sem_obtain_object_check(struct ipc_namespace *ns,
							int id)
{
	struct kern_ipc_perm *ipcp = ipc_obtain_object_check(&sem_ids(ns), id);

	if (IS_ERR(ipcp))
		return ERR_CAST(ipcp);

	return container_of(ipcp, struct sem_array, sem_perm);
}

static inline void sem_lock_and_putref(struct sem_array *sma)
{
	sem_lock(sma, NULL, -1);
	ipc_rcu_putref(sma, sem_rcu_free);
}

static inline void sem_rmid(struct ipc_namespace *ns, struct sem_array *s)
{
	ipc_rmid(&sem_ids(ns), &s->sem_perm);
}

/**
 * newary - Create a new semaphore set
 * @ns: namespace
 * @params: ptr to the structure that contains key, semflg and nsems
 *
 * Called with sem_ids.rwsem held (as a writer)
 */
static int newary(struct ipc_namespace *ns, struct ipc_params *params)
{
	int id;
	int retval;
	struct sem_array *sma;
	int size;
	key_t key = params->key;
	int nsems = params->u.nsems;
	int semflg = params->flg;
	int i;

	if (!nsems)
		return -EINVAL;
	if (ns->used_sems + nsems > ns->sc_semmns)
		return -ENOSPC;

	size = sizeof(*sma) + nsems * sizeof(struct sem);
	sma = ipc_rcu_alloc(size);
	if (!sma)
		return -ENOMEM;

	memset(sma, 0, size);

	sma->sem_perm.mode = (semflg & S_IRWXUGO);
	sma->sem_perm.key = key;

	sma->sem_perm.security = NULL;
	retval = security_sem_alloc(sma);
	if (retval) {
		ipc_rcu_putref(sma, ipc_rcu_free);
		return retval;
	}

	sma->sem_base = (struct sem *) &sma[1];

	for (i = 0; i < nsems; i++) {
		INIT_LIST_HEAD(&sma->sem_base[i].pending_alter);
		INIT_LIST_HEAD(&sma->sem_base[i].pending_const);
		spin_lock_init(&sma->sem_base[i].lock);
	}

	sma->complex_count = 0;
	sma->use_global_lock = USE_GLOBAL_LOCK_HYSTERESIS;
	INIT_LIST_HEAD(&sma->pending_alter);
	INIT_LIST_HEAD(&sma->pending_const);
	INIT_LIST_HEAD(&sma->list_id);
	sma->sem_nsems = nsems;
	sma->sem_ctime = get_seconds();

	id = ipc_addid(&sem_ids(ns), &sma->sem_perm, ns->sc_semmni);
	if (id < 0) {
		ipc_rcu_putref(sma, sem_rcu_free);
		return id;
	}
	ns->used_sems += nsems;

	sem_unlock(sma, -1);
	rcu_read_unlock();

	return sma->sem_perm.id;
}


/*
 * Called with sem_ids.rwsem and ipcp locked.
 */
static inline int sem_security(struct kern_ipc_perm *ipcp, int semflg)
{
	struct sem_array *sma;

	sma = container_of(ipcp, struct sem_array, sem_perm);
	return security_sem_associate(sma, semflg);
}

/*
 * Called with sem_ids.rwsem and ipcp locked.
 */
static inline int sem_more_checks(struct kern_ipc_perm *ipcp,
				struct ipc_params *params)
{
	struct sem_array *sma;

	sma = container_of(ipcp, struct sem_array, sem_perm);
	if (params->u.nsems > sma->sem_nsems)
		return -EINVAL;

	return 0;
}

SYSCALL_DEFINE3(semget, key_t, key, int, nsems, int, semflg)
{
	struct ipc_namespace *ns;
	static const struct ipc_ops sem_ops = {
		.getnew = newary,
		.associate = sem_security,
		.more_checks = sem_more_checks,
	};
	struct ipc_params sem_params;

	ns = current->nsproxy->ipc_ns;

	if (nsems < 0 || nsems > ns->sc_semmsl)
		return -EINVAL;

	sem_params.key = key;
	sem_params.flg = semflg;
	sem_params.u.nsems = nsems;

	return ipcget(ns, &sem_ids(ns), &sem_ops, &sem_params);
}

/**
 * perform_atomic_semop[_slow] - Attempt to perform semaphore
 *                               operations on a given array.
 * @sma: semaphore array
 * @q: struct sem_queue that describes the operation
 *
 * Whether the caller blocks depends on the value of the semaphore
 * operation (sem_op):
 *
 * (1) >0 never blocks.
 * (2) 0 (wait-for-zero operation): blocks if semval is non-zero.
 * (3) <0 blocks if the decrement would make semval negative.
 *
 * Returns 0 if the operation was possible.
 * Returns 1 if the operation is impossible, the caller must sleep.
 * Returns <0 for error codes.
 */
static int perform_atomic_semop_slow(struct sem_array *sma, struct sem_queue *q)
{
	int result, sem_op, nsops, pid;
	struct sembuf *sop;
	struct sem *curr;
	struct sembuf *sops;
	struct sem_undo *un;

	sops = q->sops;
	nsops = q->nsops;
	un = q->undo;

	for (sop = sops; sop < sops + nsops; sop++) {
		curr = sma->sem_base + sop->sem_num;
		sem_op = sop->sem_op;
		result = curr->semval;

		if (!sem_op && result)
			goto would_block;

		result += sem_op;
		if (result < 0)
			goto would_block;
		if (result > SEMVMX)
			goto out_of_range;

		if (sop->sem_flg & SEM_UNDO) {
			int undo = un->semadj[sop->sem_num] - sem_op;
			/* Exceeding the undo range is an error. */
			if (undo < (-SEMAEM - 1) || undo > SEMAEM)
				goto out_of_range;
			un->semadj[sop->sem_num] = undo;
		}

		curr->semval = result;
	}

	sop--;
	pid = q->pid;
	while (sop >= sops) {
		sma->sem_base[sop->sem_num].sempid = pid;
		sop--;
	}

	return 0;

out_of_range:
	result = -ERANGE;
	goto undo;

would_block:
	q->blocking = sop;

	if (sop->sem_flg & IPC_NOWAIT)
		result = -EAGAIN;
	else
		result = 1;

undo:
	sop--;
	while (sop >= sops) {
		sem_op = sop->sem_op;
		sma->sem_base[sop->sem_num].semval -= sem_op;
		if (sop->sem_flg & SEM_UNDO)
			un->semadj[sop->sem_num] += sem_op;
		sop--;
	}

	return result;
}

static int perform_atomic_semop(struct sem_array *sma, struct sem_queue *q)
{
	int result, sem_op, nsops;
	struct sembuf *sop;
	struct sem *curr;
	struct sembuf *sops;
	struct sem_undo *un;

	sops = q->sops;
	nsops = q->nsops;
	un = q->undo;

	if (unlikely(q->dupsop))
		return perform_atomic_semop_slow(sma, q);

	/*
	 * We scan the semaphore set twice, first to ensure that the entire
	 * operation can succeed, therefore avoiding any pointless writes
	 * to shared memory and having to undo such changes in order to block
	 * until the operations can go through.
	 */
	for (sop = sops; sop < sops + nsops; sop++) {
		curr = sma->sem_base + sop->sem_num;
		sem_op = sop->sem_op;
		result = curr->semval;

		if (!sem_op && result)
			goto would_block; /* wait-for-zero */

		result += sem_op;
		if (result < 0)
			goto would_block;

		if (result > SEMVMX)
			return -ERANGE;

		if (sop->sem_flg & SEM_UNDO) {
			int undo = un->semadj[sop->sem_num] - sem_op;

			/* Exceeding the undo range is an error. */
			if (undo < (-SEMAEM - 1) || undo > SEMAEM)
				return -ERANGE;
		}
	}

	for (sop = sops; sop < sops + nsops; sop++) {
		curr = sma->sem_base + sop->sem_num;
		sem_op = sop->sem_op;
		result = curr->semval;

		if (sop->sem_flg & SEM_UNDO) {
			int undo = un->semadj[sop->sem_num] - sem_op;

			un->semadj[sop->sem_num] = undo;
		}
		curr->semval += sem_op;
		curr->sempid = q->pid;
	}

	return 0;

would_block:
	q->blocking = sop;
	return sop->sem_flg & IPC_NOWAIT ? -EAGAIN : 1;
}
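/*
 * Illustrative user-space sketch (not compiled here): how the three
 * sem_op cases handled above look from the caller's side.  The set-up
 * is hypothetical and assumes an existing one-semaphore set.
 *
 *	#include <sys/sem.h>
 *
 *	void example(int semid)
 *	{
 *		struct sembuf inc  = { .sem_num = 0, .sem_op = +1 };
 *		struct sembuf dec  = { .sem_num = 0, .sem_op = -1 };
 *		struct sembuf zero = { .sem_num = 0, .sem_op =  0 };
 *
 *		semop(semid, &inc, 1);	// (1) >0: never blocks
 *		semop(semid, &dec, 1);	// (3) <0: would block if semval were 0
 *		semop(semid, &zero, 1);	// (2) ==0: returns once semval is 0
 *	}
 */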
static inline void wake_up_sem_queue_prepare(struct sem_queue *q, int error,
					     struct wake_q_head *wake_q)
{
	wake_q_add(wake_q, q->sleeper);
	/*
	 * Rely on the above implicit barrier, such that we can
	 * ensure that we hold reference to the task before setting
	 * q->status. Otherwise we could race with do_exit if the
	 * task is awoken by an external event before calling
	 * wake_up_process().
	 */
	WRITE_ONCE(q->status, error);
}

static void unlink_queue(struct sem_array *sma, struct sem_queue *q)
{
	list_del(&q->list);
	if (q->nsops > 1)
		sma->complex_count--;
}

/** check_restart(sma, q)
 * @sma: semaphore array
 * @q: the operation that just completed
 *
 * update_queue is O(N^2) when it restarts scanning the whole queue of
 * waiting operations. Therefore this function checks if the restart is
 * really necessary. It is called after a previously waiting operation
 * modified the array.
 * Note that wait-for-zero operations are handled without restart.
 */
static inline int check_restart(struct sem_array *sma, struct sem_queue *q)
{
	/* pending complex alter operations are too difficult to analyse */
	if (!list_empty(&sma->pending_alter))
		return 1;

	/* we were a sleeping complex operation. Too difficult */
	if (q->nsops > 1)
		return 1;

	/* It is impossible that someone waits for the new value:
	 * - complex operations always restart.
	 * - wait-for-zero are handled separately.
	 * - q is a previously sleeping simple operation that
	 *   altered the array. It must be a decrement, because
	 *   simple increments never sleep.
	 * - If there are older (higher priority) decrements
	 *   in the queue, then they have observed the original
	 *   semval value and couldn't proceed. The operation
	 *   only decremented the value - thus they still cannot proceed.
	 */
	return 0;
}

/**
 * wake_const_ops - wake up non-alter tasks
 * @sma: semaphore array.
 * @semnum: semaphore that was modified.
 * @wake_q: lockless wake-queue head.
 *
 * wake_const_ops must be called after a semaphore in a semaphore array
 * was set to 0. If complex const operations are pending, wake_const_ops must
 * be called with semnum = -1, as well as with the number of each modified
 * semaphore.
 * The tasks that must be woken up are added to @wake_q. The return code
 * is stored in q->status.
 * The function returns 1 if at least one operation was completed successfully.
 */
static int wake_const_ops(struct sem_array *sma, int semnum,
			  struct wake_q_head *wake_q)
{
	struct sem_queue *q, *tmp;
	struct list_head *pending_list;
	int semop_completed = 0;

	if (semnum == -1)
		pending_list = &sma->pending_const;
	else
		pending_list = &sma->sem_base[semnum].pending_const;

	list_for_each_entry_safe(q, tmp, pending_list, list) {
		int error = perform_atomic_semop(sma, q);

		if (error > 0)
			continue;
		/* operation completed, remove from queue & wakeup */
		unlink_queue(sma, q);

		wake_up_sem_queue_prepare(q, error, wake_q);
		if (error == 0)
			semop_completed = 1;
	}

	return semop_completed;
}
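/*
 * A minimal sketch (illustrative only, not a real code path) of the
 * deferred-wakeup pattern used throughout this file: wakeups are queued
 * on a wake_q while the semaphore locks are held and are only issued
 * after every lock has been dropped.  "some_sem_queue" is a placeholder
 * for a queue entry that is known to be ready.
 *
 *	static void deferred_wakeup_sketch(struct sem_array *sma,
 *					   struct sem_queue *some_sem_queue)
 *	{
 *		DEFINE_WAKE_Q(wake_q);
 *
 *		rcu_read_lock();
 *		sem_lock(sma, NULL, -1);
 *		wake_up_sem_queue_prepare(some_sem_queue, 0, &wake_q);
 *		sem_unlock(sma, -1);
 *		rcu_read_unlock();
 *
 *		wake_up_q(&wake_q);	// actual wakeups, no locks held
 *	}
 */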
/**
 * do_smart_wakeup_zero - wakeup all wait for zero tasks
 * @sma: semaphore array
 * @sops: operations that were performed
 * @nsops: number of operations
 * @wake_q: lockless wake-queue head
 *
 * Checks all required queues for wait-for-zero operations, based
 * on the actual changes that were performed on the semaphore array.
 * The function returns 1 if at least one operation was completed successfully.
 */
static int do_smart_wakeup_zero(struct sem_array *sma, struct sembuf *sops,
				int nsops, struct wake_q_head *wake_q)
{
	int i;
	int semop_completed = 0;
	int got_zero = 0;

	/* first: the per-semaphore queues, if known */
	if (sops) {
		for (i = 0; i < nsops; i++) {
			int num = sops[i].sem_num;

			if (sma->sem_base[num].semval == 0) {
				got_zero = 1;
				semop_completed |= wake_const_ops(sma, num, wake_q);
			}
		}
	} else {
		/*
		 * No sops means modified semaphores not known.
		 * Assume all were changed.
		 */
		for (i = 0; i < sma->sem_nsems; i++) {
			if (sma->sem_base[i].semval == 0) {
				got_zero = 1;
				semop_completed |= wake_const_ops(sma, i, wake_q);
			}
		}
	}
	/*
	 * If one of the modified semaphores got 0,
	 * then check the global queue, too.
	 */
	if (got_zero)
		semop_completed |= wake_const_ops(sma, -1, wake_q);

	return semop_completed;
}


/**
 * update_queue - look for tasks that can be completed.
 * @sma: semaphore array.
 * @semnum: semaphore that was modified.
 * @wake_q: lockless wake-queue head.
 *
 * update_queue must be called after a semaphore in a semaphore array
 * was modified. If multiple semaphores were modified, update_queue must
 * be called with semnum = -1, as well as with the number of each modified
 * semaphore.
 * The tasks that must be woken up are added to @wake_q. The return code
 * is stored in q->status.
 * The function internally checks if const operations can now succeed.
 *
 * The function returns 1 if at least one semop was completed successfully.
 */
static int update_queue(struct sem_array *sma, int semnum, struct wake_q_head *wake_q)
{
	struct sem_queue *q, *tmp;
	struct list_head *pending_list;
	int semop_completed = 0;

	if (semnum == -1)
		pending_list = &sma->pending_alter;
	else
		pending_list = &sma->sem_base[semnum].pending_alter;

again:
	list_for_each_entry_safe(q, tmp, pending_list, list) {
		int error, restart;

		/* If we are scanning the single sop, per-semaphore list of
		 * one semaphore and that semaphore is 0, then it is not
		 * necessary to scan further: simple increments
		 * that affect only one entry succeed immediately and cannot
		 * be in the per semaphore pending queue, and decrements
		 * cannot be successful if the value is already 0.
		 */
		if (semnum != -1 && sma->sem_base[semnum].semval == 0)
			break;

		error = perform_atomic_semop(sma, q);

		/* Does q->sleeper still need to sleep? */
		if (error > 0)
			continue;

		unlink_queue(sma, q);

		if (error) {
			restart = 0;
		} else {
			semop_completed = 1;
			do_smart_wakeup_zero(sma, q->sops, q->nsops, wake_q);
			restart = check_restart(sma, q);
		}

		wake_up_sem_queue_prepare(q, error, wake_q);
		if (restart)
			goto again;
	}
	return semop_completed;
}

/**
 * set_semotime - set sem_otime
 * @sma: semaphore array
 * @sops: operations that modified the array, may be NULL
 *
 * sem_otime is replicated to avoid cache line thrashing.
 * This function sets one instance to the current time.
 */
static void set_semotime(struct sem_array *sma, struct sembuf *sops)
{
	if (sops == NULL) {
		sma->sem_base[0].sem_otime = get_seconds();
	} else {
		sma->sem_base[sops[0].sem_num].sem_otime =
						get_seconds();
	}
}

/**
 * do_smart_update - optimized update_queue
 * @sma: semaphore array
 * @sops: operations that were performed
 * @nsops: number of operations
 * @otime: force setting otime
 * @wake_q: lockless wake-queue head
 *
 * do_smart_update() does the required calls to update_queue and wakeup_zero,
 * based on the actual changes that were performed on the semaphore array.
 * Note that the function does not do the actual wake-up: the caller is
 * responsible for calling wake_up_q().
 * It is safe to perform this call after dropping all locks.
 */
static void do_smart_update(struct sem_array *sma, struct sembuf *sops, int nsops,
			    int otime, struct wake_q_head *wake_q)
{
	int i;

	otime |= do_smart_wakeup_zero(sma, sops, nsops, wake_q);

	if (!list_empty(&sma->pending_alter)) {
		/* semaphore array uses the global queue - just process it. */
		otime |= update_queue(sma, -1, wake_q);
	} else {
		if (!sops) {
			/*
			 * No sops, thus the modified semaphores are not
			 * known. Check all.
			 */
			for (i = 0; i < sma->sem_nsems; i++)
				otime |= update_queue(sma, i, wake_q);
		} else {
			/*
			 * Check the semaphores that were increased:
			 * - No complex ops, thus all sleeping ops are
			 *   decrements.
			 * - if we decreased the value, then any sleeping
			 *   semaphore ops won't be able to run: If the
			 *   previous value was too small, then the new
			 *   value will be too small, too.
			 */
			for (i = 0; i < nsops; i++) {
				if (sops[i].sem_op > 0) {
					otime |= update_queue(sma,
							      sops[i].sem_num, wake_q);
				}
			}
		}
	}
	if (otime)
		set_semotime(sma, sops);
}

/*
 * check_qop: Test if a queued operation sleeps on the semaphore semnum
 */
static int check_qop(struct sem_array *sma, int semnum, struct sem_queue *q,
		     bool count_zero)
{
	struct sembuf *sop = q->blocking;

	/*
	 * Linux always (since 0.99.10) reported a task as sleeping on all
	 * semaphores. This violates SUS, therefore it was changed to the
	 * standard compliant behavior.
	 * Give the administrators a chance to notice that an application
	 * might misbehave because it relies on the Linux behavior.
	 */
	pr_info_once("semctl(GETNCNT/GETZCNT) is since 3.16 Single Unix Specification compliant.\n"
			"The task %s (%d) triggered the difference, watch for misbehavior.\n",
			current->comm, task_pid_nr(current));

	if (sop->sem_num != semnum)
		return 0;

	if (count_zero && sop->sem_op == 0)
		return 1;
	if (!count_zero && sop->sem_op < 0)
		return 1;

	return 0;
}

/* The following counts are associated to each semaphore:
 *   semncnt        number of tasks waiting on semval being nonzero
 *   semzcnt        number of tasks waiting on semval being zero
 *
 * By definition, a task waits only on the semaphore of the first semop
 * that cannot proceed, even if additional operations would block, too.
 */
static int count_semcnt(struct sem_array *sma, ushort semnum,
			bool count_zero)
{
	struct list_head *l;
	struct sem_queue *q;
	int semcnt;

	semcnt = 0;
	/* First: check the simple operations. They are easy to evaluate */
	if (count_zero)
		l = &sma->sem_base[semnum].pending_const;
	else
		l = &sma->sem_base[semnum].pending_alter;

	list_for_each_entry(q, l, list) {
		/* all tasks on a per-semaphore list sleep on exactly
		 * that semaphore
		 */
		semcnt++;
	}

	/* Then: check the complex operations. */
	list_for_each_entry(q, &sma->pending_alter, list) {
		semcnt += check_qop(sma, semnum, q, count_zero);
	}
	if (count_zero) {
		list_for_each_entry(q, &sma->pending_const, list) {
			semcnt += check_qop(sma, semnum, q, count_zero);
		}
	}
	return semcnt;
}

/* Free a semaphore set. freeary() is called with sem_ids.rwsem locked
 * as a writer and the spinlock for this semaphore set held. sem_ids.rwsem
 * remains locked on exit.
 */
static void freeary(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp)
{
	struct sem_undo *un, *tu;
	struct sem_queue *q, *tq;
	struct sem_array *sma = container_of(ipcp, struct sem_array, sem_perm);
	int i;
	DEFINE_WAKE_Q(wake_q);

	/* Free the existing undo structures for this semaphore set. */
	ipc_assert_locked_object(&sma->sem_perm);
	list_for_each_entry_safe(un, tu, &sma->list_id, list_id) {
		list_del(&un->list_id);
		spin_lock(&un->ulp->lock);
		un->semid = -1;
		list_del_rcu(&un->list_proc);
		spin_unlock(&un->ulp->lock);
		kfree_rcu(un, rcu);
	}

	/* Wake up all pending processes and let them fail with EIDRM. */
	list_for_each_entry_safe(q, tq, &sma->pending_const, list) {
		unlink_queue(sma, q);
		wake_up_sem_queue_prepare(q, -EIDRM, &wake_q);
	}

	list_for_each_entry_safe(q, tq, &sma->pending_alter, list) {
		unlink_queue(sma, q);
		wake_up_sem_queue_prepare(q, -EIDRM, &wake_q);
	}
	for (i = 0; i < sma->sem_nsems; i++) {
		struct sem *sem = sma->sem_base + i;
		list_for_each_entry_safe(q, tq, &sem->pending_const, list) {
			unlink_queue(sma, q);
			wake_up_sem_queue_prepare(q, -EIDRM, &wake_q);
		}
		list_for_each_entry_safe(q, tq, &sem->pending_alter, list) {
			unlink_queue(sma, q);
			wake_up_sem_queue_prepare(q, -EIDRM, &wake_q);
		}
	}

	/* Remove the semaphore set from the IDR */
	sem_rmid(ns, sma);
	sem_unlock(sma, -1);
	rcu_read_unlock();

	wake_up_q(&wake_q);
	ns->used_sems -= sma->sem_nsems;
	ipc_rcu_putref(sma, sem_rcu_free);
}

static unsigned long copy_semid_to_user(void __user *buf, struct semid64_ds *in, int version)
{
	switch (version) {
	case IPC_64:
		return copy_to_user(buf, in, sizeof(*in));
	case IPC_OLD:
	    {
		struct semid_ds out;

		memset(&out, 0, sizeof(out));

		ipc64_perm_to_ipc_perm(&in->sem_perm, &out.sem_perm);

		out.sem_otime	= in->sem_otime;
		out.sem_ctime	= in->sem_ctime;
		out.sem_nsems	= in->sem_nsems;

		return copy_to_user(buf, &out, sizeof(out));
	    }
	default:
		return -EINVAL;
	}
}

static time_t get_semotime(struct sem_array *sma)
{
	int i;
	time_t res;

	res = sma->sem_base[0].sem_otime;
	for (i = 1; i < sma->sem_nsems; i++) {
		time_t to = sma->sem_base[i].sem_otime;

		if (to > res)
			res = to;
	}
	return res;
}

static int semctl_nolock(struct ipc_namespace *ns, int semid,
			 int cmd, int version, void __user *p)
{
	int err;
	struct sem_array *sma;

	switch (cmd) {
	case IPC_INFO:
	case SEM_INFO:
	{
		struct seminfo seminfo;
		int max_id;

		err = security_sem_semctl(NULL, cmd);
		if (err)
			return err;

		memset(&seminfo, 0, sizeof(seminfo));
		seminfo.semmni = ns->sc_semmni;
		seminfo.semmns = ns->sc_semmns;
		seminfo.semmsl = ns->sc_semmsl;
		seminfo.semopm = ns->sc_semopm;
		seminfo.semvmx = SEMVMX;
		seminfo.semmnu = SEMMNU;
		seminfo.semmap = SEMMAP;
		seminfo.semume = SEMUME;
		down_read(&sem_ids(ns).rwsem);
		if (cmd == SEM_INFO) {
			seminfo.semusz = sem_ids(ns).in_use;
			seminfo.semaem = ns->used_sems;
		} else {
			seminfo.semusz = SEMUSZ;
			seminfo.semaem = SEMAEM;
		}
		max_id = ipc_get_maxid(&sem_ids(ns));
		up_read(&sem_ids(ns).rwsem);
		if (copy_to_user(p, &seminfo, sizeof(struct seminfo)))
			return -EFAULT;
		return (max_id < 0) ? 0 : max_id;
	}
	case IPC_STAT:
	case SEM_STAT:
	{
		struct semid64_ds tbuf;
		int id = 0;

		memset(&tbuf, 0, sizeof(tbuf));

		rcu_read_lock();
		if (cmd == SEM_STAT) {
			sma = sem_obtain_object(ns, semid);
			if (IS_ERR(sma)) {
				err = PTR_ERR(sma);
				goto out_unlock;
			}
			id = sma->sem_perm.id;
		} else {
			sma = sem_obtain_object_check(ns, semid);
			if (IS_ERR(sma)) {
				err = PTR_ERR(sma);
				goto out_unlock;
			}
		}

		err = -EACCES;
		if (ipcperms(ns, &sma->sem_perm, S_IRUGO))
			goto out_unlock;

		err = security_sem_semctl(sma, cmd);
		if (err)
			goto out_unlock;

		kernel_to_ipc64_perm(&sma->sem_perm, &tbuf.sem_perm);
		tbuf.sem_otime = get_semotime(sma);
		tbuf.sem_ctime = sma->sem_ctime;
		tbuf.sem_nsems = sma->sem_nsems;
		rcu_read_unlock();
		if (copy_semid_to_user(p, &tbuf, version))
			return -EFAULT;
		return id;
	}
	default:
		return -EINVAL;
	}
out_unlock:
	rcu_read_unlock();
	return err;
}

static int semctl_setval(struct ipc_namespace *ns, int semid, int semnum,
			 unsigned long arg)
{
	struct sem_undo *un;
	struct sem_array *sma;
	struct sem *curr;
	int err, val;
	DEFINE_WAKE_Q(wake_q);

#if defined(CONFIG_64BIT) && defined(__BIG_ENDIAN)
	/* big-endian 64bit */
	val = arg >> 32;
#else
	/* 32bit or little-endian 64bit */
	val = arg;
#endif

	if (val > SEMVMX || val < 0)
		return -ERANGE;

	rcu_read_lock();
	sma = sem_obtain_object_check(ns, semid);
	if (IS_ERR(sma)) {
		rcu_read_unlock();
		return PTR_ERR(sma);
	}

	if (semnum < 0 || semnum >= sma->sem_nsems) {
		rcu_read_unlock();
		return -EINVAL;
	}


	if (ipcperms(ns, &sma->sem_perm, S_IWUGO)) {
		rcu_read_unlock();
		return -EACCES;
	}

	err = security_sem_semctl(sma, SETVAL);
	if (err) {
		rcu_read_unlock();
		return -EACCES;
	}

	sem_lock(sma, NULL, -1);

	if (!ipc_valid_object(&sma->sem_perm)) {
		sem_unlock(sma, -1);
		rcu_read_unlock();
		return -EIDRM;
	}

	curr = &sma->sem_base[semnum];

	ipc_assert_locked_object(&sma->sem_perm);
	list_for_each_entry(un, &sma->list_id, list_id)
		un->semadj[semnum] = 0;

	curr->semval = val;
	curr->sempid = task_tgid_vnr(current);
	sma->sem_ctime = get_seconds();
	/* maybe some queued-up processes were waiting for this */
	do_smart_update(sma, NULL, 0, 0, &wake_q);
	sem_unlock(sma, -1);
	rcu_read_unlock();
	wake_up_q(&wake_q);
	return 0;
}
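/*
 * Illustrative user-space counterpart (not compiled here) of the SETVAL
 * path above.  The caller passes the value through the variadic fourth
 * argument of semctl(); on Linux the caller defines union semun itself
 * (see semctl(2)).  The function name is hypothetical.
 *
 *	#include <sys/sem.h>
 *
 *	union semun {			// caller-defined, per semctl(2)
 *		int val;
 *		struct semid_ds *buf;
 *		unsigned short *array;
 *	};
 *
 *	int set_first_sem_to(int semid, int value)
 *	{
 *		union semun arg = { .val = value };
 *
 *		return semctl(semid, 0, SETVAL, arg);
 *	}
 */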
static int semctl_main(struct ipc_namespace *ns, int semid, int semnum,
		int cmd, void __user *p)
{
	struct sem_array *sma;
	struct sem *curr;
	int err, nsems;
	ushort fast_sem_io[SEMMSL_FAST];
	ushort *sem_io = fast_sem_io;
	DEFINE_WAKE_Q(wake_q);

	rcu_read_lock();
	sma = sem_obtain_object_check(ns, semid);
	if (IS_ERR(sma)) {
		rcu_read_unlock();
		return PTR_ERR(sma);
	}

	nsems = sma->sem_nsems;

	err = -EACCES;
	if (ipcperms(ns, &sma->sem_perm, cmd == SETALL ? S_IWUGO : S_IRUGO))
		goto out_rcu_wakeup;

	err = security_sem_semctl(sma, cmd);
	if (err)
		goto out_rcu_wakeup;

	err = -EACCES;
	switch (cmd) {
	case GETALL:
	{
		ushort __user *array = p;
		int i;

		sem_lock(sma, NULL, -1);
		if (!ipc_valid_object(&sma->sem_perm)) {
			err = -EIDRM;
			goto out_unlock;
		}
		if (nsems > SEMMSL_FAST) {
			if (!ipc_rcu_getref(sma)) {
				err = -EIDRM;
				goto out_unlock;
			}
			sem_unlock(sma, -1);
			rcu_read_unlock();
			sem_io = ipc_alloc(sizeof(ushort)*nsems);
			if (sem_io == NULL) {
				ipc_rcu_putref(sma, sem_rcu_free);
				return -ENOMEM;
			}

			rcu_read_lock();
			sem_lock_and_putref(sma);
			if (!ipc_valid_object(&sma->sem_perm)) {
				err = -EIDRM;
				goto out_unlock;
			}
		}
		for (i = 0; i < sma->sem_nsems; i++)
			sem_io[i] = sma->sem_base[i].semval;
		sem_unlock(sma, -1);
		rcu_read_unlock();
		err = 0;
		if (copy_to_user(array, sem_io, nsems*sizeof(ushort)))
			err = -EFAULT;
		goto out_free;
	}
	case SETALL:
	{
		int i;
		struct sem_undo *un;

		if (!ipc_rcu_getref(sma)) {
			err = -EIDRM;
			goto out_rcu_wakeup;
		}
		rcu_read_unlock();

		if (nsems > SEMMSL_FAST) {
			sem_io = ipc_alloc(sizeof(ushort)*nsems);
			if (sem_io == NULL) {
				ipc_rcu_putref(sma, sem_rcu_free);
				return -ENOMEM;
			}
		}

		if (copy_from_user(sem_io, p, nsems*sizeof(ushort))) {
			ipc_rcu_putref(sma, sem_rcu_free);
			err = -EFAULT;
			goto out_free;
		}

		for (i = 0; i < nsems; i++) {
			if (sem_io[i] > SEMVMX) {
				ipc_rcu_putref(sma, sem_rcu_free);
				err = -ERANGE;
				goto out_free;
			}
		}
		rcu_read_lock();
		sem_lock_and_putref(sma);
		if (!ipc_valid_object(&sma->sem_perm)) {
			err = -EIDRM;
			goto out_unlock;
		}

		for (i = 0; i < nsems; i++) {
			sma->sem_base[i].semval = sem_io[i];
			sma->sem_base[i].sempid = task_tgid_vnr(current);
		}

		ipc_assert_locked_object(&sma->sem_perm);
		list_for_each_entry(un, &sma->list_id, list_id) {
			for (i = 0; i < nsems; i++)
				un->semadj[i] = 0;
		}
		sma->sem_ctime = get_seconds();
		/* maybe some queued-up processes were waiting for this */
		do_smart_update(sma, NULL, 0, 0, &wake_q);
		err = 0;
		goto out_unlock;
	}
	/* GETVAL, GETPID, GETNCNT, GETZCNT: fall-through */
	}
	err = -EINVAL;
	if (semnum < 0 || semnum >= nsems)
		goto out_rcu_wakeup;

	sem_lock(sma, NULL, -1);
	if (!ipc_valid_object(&sma->sem_perm)) {
		err = -EIDRM;
		goto out_unlock;
	}
	curr = &sma->sem_base[semnum];

	switch (cmd) {
	case GETVAL:
		err = curr->semval;
		goto out_unlock;
	case GETPID:
		err = curr->sempid;
		goto out_unlock;
	case GETNCNT:
		err = count_semcnt(sma, semnum, 0);
		goto out_unlock;
	case GETZCNT:
		err = count_semcnt(sma, semnum, 1);
		goto out_unlock;
	}

out_unlock:
	sem_unlock(sma, -1);
out_rcu_wakeup:
	rcu_read_unlock();
	wake_up_q(&wake_q);
out_free:
	if (sem_io != fast_sem_io)
		ipc_free(sem_io);
	return err;
}

static inline unsigned long
copy_semid_from_user(struct semid64_ds *out, void __user *buf, int version)
{
	switch (version) {
	case IPC_64:
		if (copy_from_user(out, buf, sizeof(*out)))
			return -EFAULT;
		return 0;
	case IPC_OLD:
	    {
		struct semid_ds tbuf_old;

		if (copy_from_user(&tbuf_old, buf, sizeof(tbuf_old)))
			return -EFAULT;

		out->sem_perm.uid	= tbuf_old.sem_perm.uid;
		out->sem_perm.gid	= tbuf_old.sem_perm.gid;
		out->sem_perm.mode	= tbuf_old.sem_perm.mode;

		return 0;
	    }
	default:
		return -EINVAL;
	}
}

/*
 * This function handles some semctl commands which require the rwsem
 * to be held in write mode.
 * NOTE: no locks must be held, the rwsem is taken inside this function.
 */
static int semctl_down(struct ipc_namespace *ns, int semid,
		       int cmd, int version, void __user *p)
{
	struct sem_array *sma;
	int err;
	struct semid64_ds semid64;
	struct kern_ipc_perm *ipcp;

	if (cmd == IPC_SET) {
		if (copy_semid_from_user(&semid64, p, version))
			return -EFAULT;
	}

	down_write(&sem_ids(ns).rwsem);
	rcu_read_lock();

	ipcp = ipcctl_pre_down_nolock(ns, &sem_ids(ns), semid, cmd,
				      &semid64.sem_perm, 0);
	if (IS_ERR(ipcp)) {
		err = PTR_ERR(ipcp);
		goto out_unlock1;
	}

	sma = container_of(ipcp, struct sem_array, sem_perm);

	err = security_sem_semctl(sma, cmd);
	if (err)
		goto out_unlock1;

	switch (cmd) {
	case IPC_RMID:
		sem_lock(sma, NULL, -1);
		/* freeary unlocks the ipc object and rcu */
		freeary(ns, ipcp);
		goto out_up;
	case IPC_SET:
		sem_lock(sma, NULL, -1);
		err = ipc_update_perm(&semid64.sem_perm, ipcp);
		if (err)
			goto out_unlock0;
		sma->sem_ctime = get_seconds();
		break;
	default:
		err = -EINVAL;
		goto out_unlock1;
	}

out_unlock0:
	sem_unlock(sma, -1);
out_unlock1:
	rcu_read_unlock();
out_up:
	up_write(&sem_ids(ns).rwsem);
	return err;
}

SYSCALL_DEFINE4(semctl, int, semid, int, semnum, int, cmd, unsigned long, arg)
{
	int version;
	struct ipc_namespace *ns;
	void __user *p = (void __user *)arg;

	if (semid < 0)
		return -EINVAL;

	version = ipc_parse_version(&cmd);
	ns = current->nsproxy->ipc_ns;

	switch (cmd) {
	case IPC_INFO:
	case SEM_INFO:
	case IPC_STAT:
	case SEM_STAT:
		return semctl_nolock(ns, semid, cmd, version, p);
	case GETALL:
	case GETVAL:
	case GETPID:
	case GETNCNT:
	case GETZCNT:
	case SETALL:
		return semctl_main(ns, semid, semnum, cmd, p);
	case SETVAL:
		return semctl_setval(ns, semid, semnum, arg);
	case IPC_RMID:
	case IPC_SET:
		return semctl_down(ns, semid, cmd, version, p);
	default:
		return -EINVAL;
	}
}

/* If the task doesn't already have an undo_list, then allocate one
 * here. We guarantee there is only one thread using this undo list,
 * and current is THE ONE
 *
 * If this allocation and assignment succeeds, but later
 * portions of this code fail, there is no need to free the sem_undo_list.
 * Just let it stay associated with the task, and it'll be freed later
 * at exit time.
 *
 * This can block, so callers must hold no locks.
 */
static inline int get_undo_list(struct sem_undo_list **undo_listp)
{
	struct sem_undo_list *undo_list;

	undo_list = current->sysvsem.undo_list;
	if (!undo_list) {
		undo_list = kzalloc(sizeof(*undo_list), GFP_KERNEL);
		if (undo_list == NULL)
			return -ENOMEM;
		spin_lock_init(&undo_list->lock);
		atomic_set(&undo_list->refcnt, 1);
		INIT_LIST_HEAD(&undo_list->list_proc);

		current->sysvsem.undo_list = undo_list;
	}
	*undo_listp = undo_list;
	return 0;
}

static struct sem_undo *__lookup_undo(struct sem_undo_list *ulp, int semid)
{
	struct sem_undo *un;

	list_for_each_entry_rcu(un, &ulp->list_proc, list_proc) {
		if (un->semid == semid)
			return un;
	}
	return NULL;
}

static struct sem_undo *lookup_undo(struct sem_undo_list *ulp, int semid)
{
	struct sem_undo *un;

	assert_spin_locked(&ulp->lock);

	un = __lookup_undo(ulp, semid);
	if (un) {
		list_del_rcu(&un->list_proc);
		list_add_rcu(&un->list_proc, &ulp->list_proc);
	}
	return un;
}

/**
 * find_alloc_undo - lookup (and if not present create) undo array
 * @ns: namespace
 * @semid: semaphore array id
 *
 * The function looks up (and if not present creates) the undo structure.
 * The size of the undo structure depends on the size of the semaphore
 * array, thus the alloc path is not that straightforward.
 * Lifetime rules: sem_undo is rcu-protected; on success, the function
 * performs an rcu_read_lock().
 */
static struct sem_undo *find_alloc_undo(struct ipc_namespace *ns, int semid)
{
	struct sem_array *sma;
	struct sem_undo_list *ulp;
	struct sem_undo *un, *new;
	int nsems, error;

	error = get_undo_list(&ulp);
	if (error)
		return ERR_PTR(error);

	rcu_read_lock();
	spin_lock(&ulp->lock);
	un = lookup_undo(ulp, semid);
	spin_unlock(&ulp->lock);
	if (likely(un != NULL))
		goto out;

	/* no undo structure around - allocate one. */
	/* step 1: figure out the size of the semaphore array */
	sma = sem_obtain_object_check(ns, semid);
	if (IS_ERR(sma)) {
		rcu_read_unlock();
		return ERR_CAST(sma);
	}

	nsems = sma->sem_nsems;
	if (!ipc_rcu_getref(sma)) {
		rcu_read_unlock();
		un = ERR_PTR(-EIDRM);
		goto out;
	}
	rcu_read_unlock();

	/* step 2: allocate new undo structure */
	new = kzalloc(sizeof(struct sem_undo) + sizeof(short)*nsems, GFP_KERNEL);
	if (!new) {
		ipc_rcu_putref(sma, sem_rcu_free);
		return ERR_PTR(-ENOMEM);
	}

	/* step 3: Acquire the lock on semaphore array */
	rcu_read_lock();
	sem_lock_and_putref(sma);
	if (!ipc_valid_object(&sma->sem_perm)) {
		sem_unlock(sma, -1);
		rcu_read_unlock();
		kfree(new);
		un = ERR_PTR(-EIDRM);
		goto out;
	}
	spin_lock(&ulp->lock);

	/*
	 * step 4: check for races: did someone else allocate the undo struct?
	 */
	un = lookup_undo(ulp, semid);
	if (un) {
		kfree(new);
		goto success;
	}
	/* step 5: initialize & link new undo structure */
	new->semadj = (short *) &new[1];
	new->ulp = ulp;
	new->semid = semid;
	assert_spin_locked(&ulp->lock);
	list_add_rcu(&new->list_proc, &ulp->list_proc);
	ipc_assert_locked_object(&sma->sem_perm);
	list_add(&new->list_id, &sma->list_id);
	un = new;

success:
	spin_unlock(&ulp->lock);
	sem_unlock(sma, -1);
out:
	return un;
}

SYSCALL_DEFINE4(semtimedop, int, semid, struct sembuf __user *, tsops,
		unsigned, nsops, const struct timespec __user *, timeout)
{
	int error = -EINVAL;
	struct sem_array *sma;
	struct sembuf fast_sops[SEMOPM_FAST];
	struct sembuf *sops = fast_sops, *sop;
	struct sem_undo *un;
	int max, locknum;
	bool undos = false, alter = false, dupsop = false;
	struct sem_queue queue;
	unsigned long dup = 0, jiffies_left = 0;
	struct ipc_namespace *ns;

	ns = current->nsproxy->ipc_ns;

	if (nsops < 1 || semid < 0)
		return -EINVAL;
	if (nsops > ns->sc_semopm)
		return -E2BIG;
	if (nsops > SEMOPM_FAST) {
		sops = kmalloc(sizeof(*sops)*nsops, GFP_KERNEL);
		if (sops == NULL)
			return -ENOMEM;
	}

	if (copy_from_user(sops, tsops, nsops * sizeof(*tsops))) {
		error = -EFAULT;
		goto out_free;
	}

	if (timeout) {
		struct timespec _timeout;
		if (copy_from_user(&_timeout, timeout, sizeof(*timeout))) {
			error = -EFAULT;
			goto out_free;
		}
		if (_timeout.tv_sec < 0 || _timeout.tv_nsec < 0 ||
			_timeout.tv_nsec >= 1000000000L) {
			error = -EINVAL;
			goto out_free;
		}
		jiffies_left = timespec_to_jiffies(&_timeout);
	}

	max = 0;
	for (sop = sops; sop < sops + nsops; sop++) {
		unsigned long mask = 1ULL << ((sop->sem_num) % BITS_PER_LONG);

		if (sop->sem_num >= max)
			max = sop->sem_num;
		if (sop->sem_flg & SEM_UNDO)
			undos = true;
		if (dup & mask) {
			/*
			 * There was a previous alter access that appears
			 * to have accessed the same semaphore, thus use
			 * the dupsop logic. "appears", because the detection
			 * can only check % BITS_PER_LONG.
			 */
			dupsop = true;
		}
		if (sop->sem_op != 0) {
			alter = true;
			dup |= mask;
		}
	}

	if (undos) {
		/* On success, find_alloc_undo takes the rcu_read_lock */
		un = find_alloc_undo(ns, semid);
		if (IS_ERR(un)) {
			error = PTR_ERR(un);
			goto out_free;
		}
	} else {
		un = NULL;
		rcu_read_lock();
	}

	sma = sem_obtain_object_check(ns, semid);
	if (IS_ERR(sma)) {
		rcu_read_unlock();
		error = PTR_ERR(sma);
		goto out_free;
	}

	error = -EFBIG;
	if (max >= sma->sem_nsems) {
		rcu_read_unlock();
		goto out_free;
	}

	error = -EACCES;
	if (ipcperms(ns, &sma->sem_perm, alter ? S_IWUGO : S_IRUGO)) {
		rcu_read_unlock();
		goto out_free;
	}

	error = security_sem_semop(sma, sops, nsops, alter);
	if (error) {
		rcu_read_unlock();
		goto out_free;
	}

	error = -EIDRM;
	locknum = sem_lock(sma, sops, nsops);
	/*
	 * We eventually might perform the following check in a lockless
	 * fashion, considering ipc_valid_object() locking constraints.
	 * If nsops == 1 and there is no contention for sem_perm.lock, then
	 * only a per-semaphore lock is held and it's OK to proceed with the
	 * check below. More details on the fine grained locking scheme
	 * entangled here and why it's RMID race safe on comments at sem_lock()
	 */
	if (!ipc_valid_object(&sma->sem_perm))
		goto out_unlock_free;
	/*
	 * semid identifiers are not unique - find_alloc_undo may have
	 * allocated an undo structure, it was invalidated by an RMID
	 * and now a new array which received the same id. Check and fail.
	 * This case can be detected by checking un->semid. The existence of
	 * "un" itself is guaranteed by rcu.
	 */
	if (un && un->semid == -1)
		goto out_unlock_free;

	queue.sops = sops;
	queue.nsops = nsops;
	queue.undo = un;
	queue.pid = task_tgid_vnr(current);
	queue.alter = alter;
	queue.dupsop = dupsop;

	error = perform_atomic_semop(sma, &queue);
	if (error == 0) { /* non-blocking successful path */
		DEFINE_WAKE_Q(wake_q);

		/*
		 * If the operation was successful, then do
		 * the required updates.
		 */
		if (alter)
			do_smart_update(sma, sops, nsops, 1, &wake_q);
		else
			set_semotime(sma, sops);

		sem_unlock(sma, locknum);
		rcu_read_unlock();
		wake_up_q(&wake_q);

		goto out_free;
	}
	if (error < 0) /* non-blocking error path */
		goto out_unlock_free;

	/*
	 * We need to sleep on this operation, so we put the current
	 * task into the pending queue and go to sleep.
	 */
	if (nsops == 1) {
		struct sem *curr;
		curr = &sma->sem_base[sops->sem_num];

		if (alter) {
			if (sma->complex_count) {
				list_add_tail(&queue.list,
						&sma->pending_alter);
			} else {

				list_add_tail(&queue.list,
						&curr->pending_alter);
			}
		} else {
			list_add_tail(&queue.list, &curr->pending_const);
		}
	} else {
		if (!sma->complex_count)
			merge_queues(sma);

		if (alter)
			list_add_tail(&queue.list, &sma->pending_alter);
		else
			list_add_tail(&queue.list, &sma->pending_const);

		sma->complex_count++;
	}

	do {
		queue.status = -EINTR;
		queue.sleeper = current;

		__set_current_state(TASK_INTERRUPTIBLE);
		sem_unlock(sma, locknum);
		rcu_read_unlock();

		if (timeout)
			jiffies_left = schedule_timeout(jiffies_left);
		else
			schedule();

		/*
		 * fastpath: the semop has completed, either successfully or
		 * not; which of the two, from the syscall's point of view, is
		 * irrelevant at this point: we're done.
		 *
		 * We _do_ care, nonetheless, about being awoken by a signal or
		 * spuriously. The queue.status is checked again in the
		 * slowpath (aka after taking sem_lock), such that we can detect
		 * scenarios where we were awakened externally, during the
		 * window between wake_q_add() and wake_up_q().
		 */
		error = READ_ONCE(queue.status);
		if (error != -EINTR) {
			/*
			 * User space could assume that semop() is a memory
			 * barrier: Without the mb(), the cpu could
			 * speculatively read in userspace stale data that was
			 * overwritten by the previous owner of the semaphore.
			 */
			smp_mb();
			goto out_free;
		}

		rcu_read_lock();
		locknum = sem_lock(sma, sops, nsops);

		if (!ipc_valid_object(&sma->sem_perm))
			goto out_unlock_free;

		error = READ_ONCE(queue.status);

		/*
		 * If queue.status != -EINTR we are woken up by another process.
		 * Leave without unlink_queue(), but with sem_unlock().
		 */
		if (error != -EINTR)
			goto out_unlock_free;

		/*
		 * If an interrupt occurred we have to clean up the queue.
		 */
		if (timeout && jiffies_left == 0)
			error = -EAGAIN;
	} while (error == -EINTR && !signal_pending(current)); /* spurious */

	unlink_queue(sma, &queue);

out_unlock_free:
	sem_unlock(sma, locknum);
	rcu_read_unlock();
out_free:
	if (sops != fast_sops)
		kfree(sops);
	return error;
}

SYSCALL_DEFINE3(semop, int, semid, struct sembuf __user *, tsops,
		unsigned, nsops)
{
	return sys_semtimedop(semid, tsops, nsops, NULL);
}

/* If CLONE_SYSVSEM is set, establish sharing of SEM_UNDO state between
 * parent and child tasks.
 */

int copy_semundo(unsigned long clone_flags, struct task_struct *tsk)
{
	struct sem_undo_list *undo_list;
	int error;

	if (clone_flags & CLONE_SYSVSEM) {
		error = get_undo_list(&undo_list);
		if (error)
			return error;
		atomic_inc(&undo_list->refcnt);
		tsk->sysvsem.undo_list = undo_list;
	} else
		tsk->sysvsem.undo_list = NULL;

	return 0;
}
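/*
 * Illustrative user-space sketch (not compiled here) of what the
 * CLONE_SYSVSEM handling above means for callers: a child created with
 * CLONE_SYSVSEM shares the parent's sem_undo_list, so SEM_UNDO
 * adjustments are applied only once, when the last sharer exits.  The
 * stack size and child function are hypothetical.
 *
 *	#define _GNU_SOURCE
 *	#include <sched.h>
 *	#include <stdlib.h>
 *
 *	static int child_fn(void *arg) { return 0; }
 *
 *	int spawn_sharing_undo_list(void)
 *	{
 *		const size_t stack_sz = 64 * 1024;
 *		char *stack = malloc(stack_sz);
 *
 *		if (!stack)
 *			return -1;
 *		// the child shares this task's sem_undo_list; its refcnt
 *		// is bumped in copy_semundo() above
 *		return clone(child_fn, stack + stack_sz,
 *			     CLONE_VM | CLONE_SYSVSEM | SIGCHLD, NULL);
 *	}
 */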
/*
 * add semadj values to semaphores, free undo structures.
 * undo structures are not freed when semaphore arrays are destroyed
 * so some of them may be out of date.
 * IMPLEMENTATION NOTE: There is some confusion over whether the
 * set of adjustments that needs to be done should be done in an atomic
 * manner or not. That is, if we are attempting to decrement the semval
 * should we queue up and wait until we can do so legally?
 * The original implementation attempted to do this (queue and wait).
 * The current implementation does not do so. The POSIX standard
 * and SVID should be consulted to determine what behavior is mandated.
 */
void exit_sem(struct task_struct *tsk)
{
	struct sem_undo_list *ulp;

	ulp = tsk->sysvsem.undo_list;
	if (!ulp)
		return;
	tsk->sysvsem.undo_list = NULL;

	if (!atomic_dec_and_test(&ulp->refcnt))
		return;

	for (;;) {
		struct sem_array *sma;
		struct sem_undo *un;
		int semid, i;
		DEFINE_WAKE_Q(wake_q);

		cond_resched();

		rcu_read_lock();
		un = list_entry_rcu(ulp->list_proc.next,
				    struct sem_undo, list_proc);
		if (&un->list_proc == &ulp->list_proc) {
			/*
			 * We must wait for freeary() before freeing this ulp,
			 * in case we raced with last sem_undo. There is a small
			 * possibility where we exit while freeary() didn't
			 * finish unlocking sem_undo_list.
			 */
			spin_unlock_wait(&ulp->lock);
			rcu_read_unlock();
			break;
		}
		spin_lock(&ulp->lock);
		semid = un->semid;
		spin_unlock(&ulp->lock);

		/* exit_sem raced with IPC_RMID, nothing to do */
		if (semid == -1) {
			rcu_read_unlock();
			continue;
		}

		sma = sem_obtain_object_check(tsk->nsproxy->ipc_ns, semid);
		/* exit_sem raced with IPC_RMID, nothing to do */
		if (IS_ERR(sma)) {
			rcu_read_unlock();
			continue;
		}

		sem_lock(sma, NULL, -1);
		/* exit_sem raced with IPC_RMID, nothing to do */
		if (!ipc_valid_object(&sma->sem_perm)) {
			sem_unlock(sma, -1);
			rcu_read_unlock();
			continue;
		}
		un = __lookup_undo(ulp, semid);
		if (un == NULL) {
			/* exit_sem raced with IPC_RMID+semget() that created
			 * exactly the same semid. Nothing to do.
			 */
			sem_unlock(sma, -1);
			rcu_read_unlock();
			continue;
		}

		/* remove un from the linked lists */
		ipc_assert_locked_object(&sma->sem_perm);
		list_del(&un->list_id);

		/* we are the last process using this ulp, acquiring ulp->lock
		 * isn't required. Besides that, we are also protected against
		 * IPC_RMID as we hold sma->sem_perm lock now
		 */
		list_del_rcu(&un->list_proc);

		/* perform adjustments registered in un */
		for (i = 0; i < sma->sem_nsems; i++) {
			struct sem *semaphore = &sma->sem_base[i];
			if (un->semadj[i]) {
				semaphore->semval += un->semadj[i];
				/*
				 * Range checks of the new semaphore value,
				 * not defined by SUS:
				 * - Some unices ignore the undo entirely
				 *   (e.g. HP UX 11i 11.22, Tru64 V5.1)
				 * - some cap the value (e.g. FreeBSD caps
				 *   at 0, but doesn't enforce SEMVMX)
				 *
				 * Linux caps the semaphore value, both at 0
				 * and at SEMVMX.
				 *
				 *	Manfred <manfred@colorfullife.com>
				 */
				if (semaphore->semval < 0)
					semaphore->semval = 0;
				if (semaphore->semval > SEMVMX)
					semaphore->semval = SEMVMX;
				semaphore->sempid = task_tgid_vnr(current);
			}
		}
		/* maybe some queued-up processes were waiting for this */
		do_smart_update(sma, NULL, 0, 1, &wake_q);
		sem_unlock(sma, -1);
		rcu_read_unlock();
		wake_up_q(&wake_q);

		kfree_rcu(un, rcu);
	}
	kfree(ulp);
}

#ifdef CONFIG_PROC_FS
static int sysvipc_sem_proc_show(struct seq_file *s, void *it)
{
	struct user_namespace *user_ns = seq_user_ns(s);
	struct sem_array *sma = it;
	time_t sem_otime;

	/*
	 * The proc interface isn't aware of sem_lock(), it calls
	 * ipc_lock_object() directly (in sysvipc_find_ipc).
	 * In order to stay compatible with sem_lock(), we must
	 * enter / leave complex_mode.
	 */
	complexmode_enter(sma);

	sem_otime = get_semotime(sma);

	seq_printf(s,
		   "%10d %10d  %4o %10u %5u %5u %5u %5u %10lu %10lu\n",
		   sma->sem_perm.key,
		   sma->sem_perm.id,
		   sma->sem_perm.mode,
		   sma->sem_nsems,
		   from_kuid_munged(user_ns, sma->sem_perm.uid),
		   from_kgid_munged(user_ns, sma->sem_perm.gid),
		   from_kuid_munged(user_ns, sma->sem_perm.cuid),
		   from_kgid_munged(user_ns, sma->sem_perm.cgid),
		   sem_otime,
		   sma->sem_ctime);

	complexmode_tryleave(sma);

	return 0;
}
#endif