Skip to content

Commit

Permalink
ipc,sysv: make return -EIDRM when racing with RMID consistent
Browse files Browse the repository at this point in the history
The ipc_lock helper is used by all forms of sysv ipc to acquire the ipc
object's spinlock.  Upon error (bogus identifier), we always return
-EINVAL, whether the problem be in the idr path or because we raced with a
task performing RMID.  For the later, however, all ipc related manpages,
state the that for:

       EIDRM  <ID> points to a removed identifier.

And return:

       EINVAL Invalid <ID> value, or unaligned, etc.

Which (EINVAL) should only return once the ipc resource is deleted.  For
all types of ipc this is done immediately upon a RMID command.  However,
shared memory behaves slightly different as it can merely mark a segment
for deletion, and delay the actual freeing until there are no more active
consumers.  Per shmctl(IPC_RMID) manpage:

""
Mark  the  segment to be destroyed.  The segment will only actually
be destroyed after the last process detaches it (i.e., when the
shm_nattch member of the associated structure shmid_ds is zero).
""

Unlike ipc_lock, paths that behave "correctly", at least per the manpage,
involve controlling the ipc resource via *ctl(), doing the exact same
validity check as ipc_lock after right acquiring the spinlock:

	if (!ipc_valid_object()) {
		err = -EIDRM;
		goto out_unlock;
	}

Thus make ipc_lock consistent with the rest of ipc code and return -EIDRM
in ipc_lock when !ipc_valid_object().

Signed-off-by: Davidlohr Bueso <[email protected]>
Cc: Manfred Spraul <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
  • Loading branch information
Davidlohr Bueso authored and torvalds committed Jul 1, 2015
1 parent 55b7ae5 commit f8b5918
Showing 1 changed file with 8 additions and 5 deletions.
13 changes: 8 additions & 5 deletions ipc/util.c
Original file line number Diff line number Diff line change
Expand Up @@ -583,19 +583,22 @@ struct kern_ipc_perm *ipc_lock(struct ipc_ids *ids, int id)
rcu_read_lock();
out = ipc_obtain_object_idr(ids, id);
if (IS_ERR(out))
goto err1;
goto err;

spin_lock(&out->lock);

/* ipc_rmid() may have already freed the ID while ipc_lock
* was spinning: here verify that the structure is still valid
/*
* ipc_rmid() may have already freed the ID while ipc_lock()
* was spinning: here verify that the structure is still valid.
* Upon races with RMID, return -EIDRM, thus indicating that
* the ID points to a removed identifier.
*/
if (ipc_valid_object(out))
return out;

spin_unlock(&out->lock);
out = ERR_PTR(-EINVAL);
err1:
out = ERR_PTR(-EIDRM);
err:
rcu_read_unlock();
return out;
}
Expand Down

0 comments on commit f8b5918

Please sign in to comment.