From: Al Viro
To: Linus Torvalds
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Miklos Szeredi
Subject: [RFC][PATCH 37/42] do_shmat(): grab shp->shm_file earlier, switch to alloc_file_clone()
Date: Wed, 11 Jul 2018 03:22:01 +0100
Message-Id: <20180711022206.12571-37-viro@ZenIV.linux.org.uk>
In-Reply-To: <20180711022206.12571-1-viro@ZenIV.linux.org.uk>
References: <20180711021136.GN30522@ZenIV.linux.org.uk> <20180711022206.12571-1-viro@ZenIV.linux.org.uk>

From: Al Viro

Signed-off-by: Al Viro
--- ipc/shm.c | 39 ++++++++++++++++++--------------------- 1 file changed, 18 insertions(+), 21 deletions(-) diff --git a/ipc/shm.c b/ipc/shm.c index 051a3e1fb8df..0cebcf74b669 100644 --- a/ipc/shm.c +++ b/ipc/shm.c
@@ -1354,14 +1354,13 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, struct shmid_kernel *shp; unsigned long addr = (unsigned long)shmaddr; unsigned long size; - struct file *file; + struct file *file, *base; int err; unsigned long flags = MAP_SHARED; unsigned long prot; int acc_mode; struct ipc_namespace *ns; struct shm_file_data *sfd; - struct path path; fmode_t f_mode; unsigned long populate = 0; 
@@ -1435,46 +1434,44 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, goto out_unlock; } - path = shp->shm_file->f_path; - path_get(&path); + /* + * We need to take a reference to the real shm file to prevent the + * pointer from becoming stale in cases where the lifetime of the outer + * file extends beyond that of the shm segment. It's not usually + * possible, but it can happen during remap_file_pages() emulation as + * that unmaps the memory, then does ->mmap() via file reference only. + * We'll deny the ->mmap() if the shm segment was since removed, but to + * detect shm ID reuse we need to compare the file pointers. + */ + base = get_file(shp->shm_file); shp->shm_nattch++; - size = i_size_read(d_inode(path.dentry)); + size = i_size_read(file_inode(base)); ipc_unlock_object(&shp->shm_perm); rcu_read_unlock(); err = -ENOMEM; sfd = kzalloc(sizeof(*sfd), GFP_KERNEL); if (!sfd) { - path_put(&path); + fput(base); goto out_nattch; } - file = alloc_file(&path, f_mode, - is_file_hugepages(shp->shm_file) ? + file = alloc_file_clone(base, f_mode, + is_file_hugepages(base) ? &shm_file_operations_huge : &shm_file_operations); err = PTR_ERR(file); if (IS_ERR(file)) { kfree(sfd); - path_put(&path); + fput(base); goto out_nattch; } - file->private_data = sfd; - file->f_mapping = shp->shm_file->f_mapping; sfd->id = shp->shm_perm.id; sfd->ns = get_ipc_ns(ns); - /* - * We need to take a reference to the real shm file to prevent the - * pointer from becoming stale in cases where the lifetime of the outer - * file extends beyond that of the shm segment. It's not usually - * possible, but it can happen during remap_file_pages() emulation as - * that unmaps the memory, then does ->mmap() via file reference only. - * We'll deny the ->mmap() if the shm segment was since removed, but to - * detect shm ID reuse we need to compare the file pointers. 
- */ - sfd->file = get_file(shp->shm_file); + sfd->file = base; sfd->vm_ops = NULL; + file->private_data = sfd; err = security_mmap_file(file, prot, flags); if (err) -- 2.11.0
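
Review bot: in the second hunk (@@ -1435,46 +1434,44 @@), the removed "file->f_mapping = shp->shm_file->f_mapping;" has no counterpart among the added lines, and the changelog carries nothing but the sign-off, so nothing visible in this patch shows that the per-attach file still ends up with the segment's mapping. If alloc_file_clone() is expected to copy f_mapping from base, the commit message should say so, since a silently different f_mapping on the file passed to security_mmap_file() and later mapped would be hard to spot. The reference handling itself reads consistently: get_file() is now taken before ipc_unlock_object(), both early error paths do fput(base), and "sfd->file = base;" hands that single reference to sfd. A short comment at that assignment noting the ownership transfer would help, because the explanatory comment about stale pointers and shm ID reuse has moved up to the get_file() call and no longer sits next to the store into sfd->file.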