Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S932684AbbFFNiy (ORCPT <rfc822;w@1wt.eu>);
	Sat, 6 Jun 2015 09:38:54 -0400
Received: from smtp2.provo.novell.com ([137.65.250.81]:45643 "EHLO
	smtp2.provo.novell.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752952AbbFFNiW (ORCPT
	<rfc822;groupwise-linux-kernel@vger.kernel.org:0:0>);
	Sat, 6 Jun 2015 09:38:22 -0400
From: Davidlohr Bueso <dave@stgolabs.net>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Manfred Spraul <manfred@colorfullife.com>, dave@stgolabs.net,
        linux-kernel@vger.kernel.org, linux-mm@kvack.org,
        Davidlohr Bueso <dbueso@suse.de>
Subject: [PATCH 4/5] ipc,sysv: make return -EIDRM when racing with RMID consistent
Date: Sat,  6 Jun 2015 06:37:59 -0700
Message-Id: <1433597880-8571-5-git-send-email-dave@stgolabs.net>
X-Mailer: git-send-email 2.1.4
In-Reply-To: <1433597880-8571-1-git-send-email-dave@stgolabs.net>
References: <1433597880-8571-1-git-send-email-dave@stgolabs.net>
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2605
Lines: 82

The ipc_lock helper is used by all forms of sysv ipc to acquire
the ipc object's spinlock. Upon error (bogus identifier), we
always return -EINVAL, whether the problem be in the idr path or
because we raced with a task performing RMID. For the later,
however, all ipc related manpages, state the that for:

       EIDRM  <ID> points to a removed identifier.

And return:

       EINVAL Invalid <ID> value, or unaligned, etc.

Which (EINVAL) should only return once the ipc resource is deleted.
For all types of ipc this is done immediately upon a RMID command.
However, shared memory behaves slightly different as it can merely
mark a segment for deletion, and delay the actual freeing until
there are no more active consumers. Per shmctl(IPC_RMID) manpage:

""
Mark  the  segment to be destroyed.  The segment will only actually
be destroyed after the last process detaches it (i.e., when the
shm_nattch member of the associated structure shmid_ds is zero).
""

Unlike ipc_lock, paths that behave "correctly", at least per the
manpage, involve controlling the ipc resource via *ctl(), doing
the exact same validity check as ipc_lock after right acquiring
the spinlock:

	if (!ipc_valid_object()) {
		err = -EIDRM;
		goto out_unlock;
	}

Thus make ipc_lock consistent with the rest of ipc code and return
-EIDRM in ipc_lock when !ipc_valid_object().

Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
---
 ipc/util.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/ipc/util.c b/ipc/util.c
index adb8f89..15e750d 100644
--- a/ipc/util.c
+++ b/ipc/util.c
@@ -586,19 +586,22 @@ struct kern_ipc_perm *ipc_lock(struct ipc_ids *ids, int id)
 	rcu_read_lock();
 	out = ipc_obtain_object_idr(ids, id);
 	if (IS_ERR(out))
-		goto err1;
+		goto err;
 
 	spin_lock(&out->lock);
 
-	/* ipc_rmid() may have already freed the ID while ipc_lock
-	 * was spinning: here verify that the structure is still valid
+	/*
+	 * ipc_rmid() may have already freed the ID while ipc_lock()
+	 * was spinning: here verify that the structure is still valid.
+	 * Upon races with RMID, return -EIDRM, thus indicating that
+	 * the ID points to a removed identifier.
 	 */
 	if (ipc_valid_object(out))
 		return out;
 
 	spin_unlock(&out->lock);
-	out = ERR_PTR(-EINVAL);
-err1:
+	out = ERR_PTR(-EIDRM);
+err:
 	rcu_read_unlock();
 	return out;
 }
-- 
2.1.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/