Line data Source code
1 : /*
2 : * POSIX message queues filesystem for Linux.
3 : *
4 : * Copyright (C) 2003,2004 Krzysztof Benedyczak (golbi@mat.uni.torun.pl)
5 : * Michal Wronski (michal.wronski@gmail.com)
6 : *
7 : * Spinlocks: Mohamed Abbas (abbas.mohamed@intel.com)
8 : * Lockless receive & send, fd based notify:
9 : * Manfred Spraul (manfred@colorfullife.com)
10 : *
11 : * Audit: George Wilson (ltcgcw@us.ibm.com)
12 : *
13 : * This file is released under the GPL.
14 : */
15 :
16 : #include <linux/capability.h>
17 : #include <linux/init.h>
18 : #include <linux/pagemap.h>
19 : #include <linux/file.h>
20 : #include <linux/mount.h>
21 : #include <linux/fs_context.h>
22 : #include <linux/namei.h>
23 : #include <linux/sysctl.h>
24 : #include <linux/poll.h>
25 : #include <linux/mqueue.h>
26 : #include <linux/msg.h>
27 : #include <linux/skbuff.h>
28 : #include <linux/vmalloc.h>
29 : #include <linux/netlink.h>
30 : #include <linux/syscalls.h>
31 : #include <linux/audit.h>
32 : #include <linux/signal.h>
33 : #include <linux/mutex.h>
34 : #include <linux/nsproxy.h>
35 : #include <linux/pid.h>
36 : #include <linux/ipc_namespace.h>
37 : #include <linux/user_namespace.h>
38 : #include <linux/slab.h>
39 : #include <linux/sched/wake_q.h>
40 : #include <linux/sched/signal.h>
41 : #include <linux/sched/user.h>
42 :
43 : #include <net/sock.h>
44 : #include "util.h"
45 :
46 : struct mqueue_fs_context {
47 : struct ipc_namespace *ipc_ns;
48 : };
49 :
50 : #define MQUEUE_MAGIC 0x19800202
51 : #define DIRENT_SIZE 20
52 : #define FILENT_SIZE 80
53 :
54 : #define SEND 0
55 : #define RECV 1
56 :
57 : #define STATE_NONE 0
58 : #define STATE_READY 1
59 :
60 : struct posix_msg_tree_node {
61 : struct rb_node rb_node;
62 : struct list_head msg_list;
63 : int priority;
64 : };
65 :
66 : /*
67 : * Locking:
68 : *
69 : * Accesses to a message queue are synchronized by acquiring info->lock.
70 : *
71 : * There are two notable exceptions:
72 : * - The actual wakeup of a sleeping task is performed using the wake_q
73 : * framework. info->lock is already released when wake_up_q is called.
74 : * - The exit codepaths after sleeping check ext_wait_queue->state without
75 : * any locks. If it is STATE_READY, then the syscall is completed without
76 : * acquiring info->lock.
77 : *
78 : * MQ_BARRIER:
79 : * To achieve proper release/acquire memory barrier pairing, the state is set to
80 : * STATE_READY with smp_store_release(), and it is read with READ_ONCE followed
81 : * by smp_acquire__after_ctrl_dep(). In addition, wake_q_add_safe() is used.
82 : *
83 : * This prevents the following races:
84 : *
85 : * 1) With the simple wake_q_add(), the task could be gone already before
86 : * the increase of the reference happens
87 : * Thread A
88 : * Thread B
89 : * WRITE_ONCE(wait.state, STATE_NONE);
90 : * schedule_hrtimeout()
91 : * wake_q_add(A)
92 : * if (cmpxchg()) // success
93 : * ->state = STATE_READY (reordered)
94 : * <timeout returns>
95 : * if (wait.state == STATE_READY) return;
96 : * sysret to user space
97 : * sys_exit()
98 : * get_task_struct() // UaF
99 : *
100 : * Solution: Use wake_q_add_safe() and perform the get_task_struct() before
101 : * the smp_store_release() that does ->state = STATE_READY.
102 : *
103 : * 2) Without proper _release/_acquire barriers, the woken up task
104 : * could read stale data
105 : *
106 : * Thread A
107 : * Thread B
108 : * do_mq_timedreceive
109 : * WRITE_ONCE(wait.state, STATE_NONE);
110 : * schedule_hrtimeout()
111 : * state = STATE_READY;
112 : * <timeout returns>
113 : * if (wait.state == STATE_READY) return;
114 : * msg_ptr = wait.msg; // Access to stale data!
115 : * receiver->msg = message; (reordered)
116 : *
117 : * Solution: use _release and _acquire barriers.
118 : *
119 : * 3) There is intentionally no barrier when setting current->state
120 : * to TASK_INTERRUPTIBLE: spin_unlock(&info->lock) provides the
121 : * release memory barrier, and the wakeup is triggered when holding
122 : * info->lock, i.e. spin_lock(&info->lock) provided a pairing
123 : * acquire memory barrier.
124 : */
125 :
126 : struct ext_wait_queue { /* queue of sleeping tasks */
127 : struct task_struct *task;
128 : struct list_head list;
129 : struct msg_msg *msg; /* ptr of loaded message */
130 : int state; /* one of STATE_* values */
131 : };
132 :
133 : struct mqueue_inode_info {
134 : spinlock_t lock;
135 : struct inode vfs_inode;
136 : wait_queue_head_t wait_q;
137 :
138 : struct rb_root msg_tree;
139 : struct rb_node *msg_tree_rightmost;
140 : struct posix_msg_tree_node *node_cache;
141 : struct mq_attr attr;
142 :
143 : struct sigevent notify;
144 : struct pid *notify_owner;
145 : u32 notify_self_exec_id;
146 : struct user_namespace *notify_user_ns;
147 : struct user_struct *user; /* user who created, for accounting */
148 : struct sock *notify_sock;
149 : struct sk_buff *notify_cookie;
150 :
151 : /* for tasks waiting for free space and messages, respectively */
152 : struct ext_wait_queue e_wait_q[2];
153 :
154 : unsigned long qsize; /* size of queue in memory (sum of all msgs) */
155 : };
156 :
157 : static struct file_system_type mqueue_fs_type;
158 : static const struct inode_operations mqueue_dir_inode_operations;
159 : static const struct file_operations mqueue_file_operations;
160 : static const struct super_operations mqueue_super_ops;
161 : static const struct fs_context_operations mqueue_fs_context_ops;
162 : static void remove_notification(struct mqueue_inode_info *info);
163 :
164 : static struct kmem_cache *mqueue_inode_cachep;
165 :
166 : static struct ctl_table_header *mq_sysctl_table;
167 :
168 0 : static inline struct mqueue_inode_info *MQUEUE_I(struct inode *inode)
169 : {
170 0 : return container_of(inode, struct mqueue_inode_info, vfs_inode);
171 : }
172 :
173 : /*
174 : * This routine should be called with the mq_lock held.
175 : */
176 0 : static inline struct ipc_namespace *__get_ns_from_inode(struct inode *inode)
177 : {
178 0 : return get_ipc_ns(inode->i_sb->s_fs_info);
179 : }
180 :
181 0 : static struct ipc_namespace *get_ns_from_inode(struct inode *inode)
182 : {
183 0 : struct ipc_namespace *ns;
184 :
185 0 : spin_lock(&mq_lock);
186 0 : ns = __get_ns_from_inode(inode);
187 0 : spin_unlock(&mq_lock);
188 0 : return ns;
189 : }
190 :
191 : /* Auxiliary functions to manipulate messages' list */
192 0 : static int msg_insert(struct msg_msg *msg, struct mqueue_inode_info *info)
193 : {
194 0 : struct rb_node **p, *parent = NULL;
195 0 : struct posix_msg_tree_node *leaf;
196 0 : bool rightmost = true;
197 :
198 0 : p = &info->msg_tree.rb_node;
199 0 : while (*p) {
200 0 : parent = *p;
201 0 : leaf = rb_entry(parent, struct posix_msg_tree_node, rb_node);
202 :
203 0 : if (likely(leaf->priority == msg->m_type))
204 0 : goto insert_msg;
205 0 : else if (msg->m_type < leaf->priority) {
206 0 : p = &(*p)->rb_left;
207 0 : rightmost = false;
208 : } else
209 0 : p = &(*p)->rb_right;
210 : }
211 0 : if (info->node_cache) {
212 0 : leaf = info->node_cache;
213 0 : info->node_cache = NULL;
214 : } else {
215 0 : leaf = kmalloc(sizeof(*leaf), GFP_ATOMIC);
216 0 : if (!leaf)
217 : return -ENOMEM;
218 0 : INIT_LIST_HEAD(&leaf->msg_list);
219 : }
220 0 : leaf->priority = msg->m_type;
221 :
222 0 : if (rightmost)
223 0 : info->msg_tree_rightmost = &leaf->rb_node;
224 :
225 0 : rb_link_node(&leaf->rb_node, parent, p);
226 0 : rb_insert_color(&leaf->rb_node, &info->msg_tree);
227 0 : insert_msg:
228 0 : info->attr.mq_curmsgs++;
229 0 : info->qsize += msg->m_ts;
230 0 : list_add_tail(&msg->m_list, &leaf->msg_list);
231 0 : return 0;
232 : }
233 :
234 0 : static inline void msg_tree_erase(struct posix_msg_tree_node *leaf,
235 : struct mqueue_inode_info *info)
236 : {
237 0 : struct rb_node *node = &leaf->rb_node;
238 :
239 0 : if (info->msg_tree_rightmost == node)
240 0 : info->msg_tree_rightmost = rb_prev(node);
241 :
242 0 : rb_erase(node, &info->msg_tree);
243 0 : if (info->node_cache)
244 0 : kfree(leaf);
245 : else
246 0 : info->node_cache = leaf;
247 0 : }
248 :
249 0 : static inline struct msg_msg *msg_get(struct mqueue_inode_info *info)
250 : {
251 0 : struct rb_node *parent = NULL;
252 0 : struct posix_msg_tree_node *leaf;
253 0 : struct msg_msg *msg;
254 :
255 0 : try_again:
256 : /*
257 : * During insert, low priorities go to the left and high to the
258 : * right. On receive, we want the highest priorities first, so
259 : * walk all the way to the right.
260 : */
261 0 : parent = info->msg_tree_rightmost;
262 0 : if (!parent) {
263 0 : if (info->attr.mq_curmsgs) {
264 0 : pr_warn_once("Inconsistency in POSIX message queue, "
265 : "no tree element, but supposedly messages "
266 : "should exist!\n");
267 0 : info->attr.mq_curmsgs = 0;
268 : }
269 0 : return NULL;
270 : }
271 0 : leaf = rb_entry(parent, struct posix_msg_tree_node, rb_node);
272 0 : if (unlikely(list_empty(&leaf->msg_list))) {
273 0 : pr_warn_once("Inconsistency in POSIX message queue, "
274 : "empty leaf node but we haven't implemented "
275 : "lazy leaf delete!\n");
276 0 : msg_tree_erase(leaf, info);
277 0 : goto try_again;
278 : } else {
279 0 : msg = list_first_entry(&leaf->msg_list,
280 : struct msg_msg, m_list);
281 0 : list_del(&msg->m_list);
282 0 : if (list_empty(&leaf->msg_list)) {
283 0 : msg_tree_erase(leaf, info);
284 : }
285 : }
286 0 : info->attr.mq_curmsgs--;
287 0 : info->qsize -= msg->m_ts;
288 0 : return msg;
289 : }
290 :
291 1 : static struct inode *mqueue_get_inode(struct super_block *sb,
292 : struct ipc_namespace *ipc_ns, umode_t mode,
293 : struct mq_attr *attr)
294 : {
295 1 : struct user_struct *u = current_user();
296 1 : struct inode *inode;
297 1 : int ret = -ENOMEM;
298 :
299 1 : inode = new_inode(sb);
300 1 : if (!inode)
301 0 : goto err;
302 :
303 1 : inode->i_ino = get_next_ino();
304 1 : inode->i_mode = mode;
305 1 : inode->i_uid = current_fsuid();
306 1 : inode->i_gid = current_fsgid();
307 1 : inode->i_mtime = inode->i_ctime = inode->i_atime = current_time(inode);
308 :
309 1 : if (S_ISREG(mode)) {
310 0 : struct mqueue_inode_info *info;
311 0 : unsigned long mq_bytes, mq_treesize;
312 :
313 0 : inode->i_fop = &mqueue_file_operations;
314 0 : inode->i_size = FILENT_SIZE;
315 : /* mqueue specific info */
316 0 : info = MQUEUE_I(inode);
317 0 : spin_lock_init(&info->lock);
318 0 : init_waitqueue_head(&info->wait_q);
319 0 : INIT_LIST_HEAD(&info->e_wait_q[0].list);
320 0 : INIT_LIST_HEAD(&info->e_wait_q[1].list);
321 0 : info->notify_owner = NULL;
322 0 : info->notify_user_ns = NULL;
323 0 : info->qsize = 0;
324 0 : info->user = NULL; /* set when all is ok */
325 0 : info->msg_tree = RB_ROOT;
326 0 : info->msg_tree_rightmost = NULL;
327 0 : info->node_cache = NULL;
328 0 : memset(&info->attr, 0, sizeof(info->attr));
329 0 : info->attr.mq_maxmsg = min(ipc_ns->mq_msg_max,
330 : ipc_ns->mq_msg_default);
331 0 : info->attr.mq_msgsize = min(ipc_ns->mq_msgsize_max,
332 : ipc_ns->mq_msgsize_default);
333 0 : if (attr) {
334 0 : info->attr.mq_maxmsg = attr->mq_maxmsg;
335 0 : info->attr.mq_msgsize = attr->mq_msgsize;
336 : }
337 : /*
338 : * We used to allocate a static array of pointers and account
339 : * the size of that array as well as one msg_msg struct per
340 : * possible message into the queue size. That's no longer
341 : * accurate as the queue is now an rbtree and will grow and
342 : * shrink depending on usage patterns. We can, however, still
343 : * account one msg_msg struct per message, but the nodes are
344 : * allocated depending on priority usage, and most programs
345 : * only use one, or a handful, of priorities. However, since
346 : * this is pinned memory, we need to assume worst case, so
347 : * that means the min(mq_maxmsg, max_priorities) * struct
348 : * posix_msg_tree_node.
349 : */
350 :
351 0 : ret = -EINVAL;
352 0 : if (info->attr.mq_maxmsg <= 0 || info->attr.mq_msgsize <= 0)
353 0 : goto out_inode;
354 0 : if (capable(CAP_SYS_RESOURCE)) {
355 0 : if (info->attr.mq_maxmsg > HARD_MSGMAX ||
356 0 : info->attr.mq_msgsize > HARD_MSGSIZEMAX)
357 0 : goto out_inode;
358 : } else {
359 0 : if (info->attr.mq_maxmsg > ipc_ns->mq_msg_max ||
360 0 : info->attr.mq_msgsize > ipc_ns->mq_msgsize_max)
361 0 : goto out_inode;
362 : }
363 0 : ret = -EOVERFLOW;
364 : /* check for overflow */
365 0 : if (info->attr.mq_msgsize > ULONG_MAX/info->attr.mq_maxmsg)
366 0 : goto out_inode;
367 0 : mq_treesize = info->attr.mq_maxmsg * sizeof(struct msg_msg) +
368 0 : min_t(unsigned int, info->attr.mq_maxmsg, MQ_PRIO_MAX) *
369 : sizeof(struct posix_msg_tree_node);
370 0 : mq_bytes = info->attr.mq_maxmsg * info->attr.mq_msgsize;
371 0 : if (mq_bytes + mq_treesize < mq_bytes)
372 0 : goto out_inode;
373 0 : mq_bytes += mq_treesize;
374 0 : spin_lock(&mq_lock);
375 0 : if (u->mq_bytes + mq_bytes < u->mq_bytes ||
376 0 : u->mq_bytes + mq_bytes > rlimit(RLIMIT_MSGQUEUE)) {
377 0 : spin_unlock(&mq_lock);
378 : /* mqueue_evict_inode() releases info->messages */
379 0 : ret = -EMFILE;
380 0 : goto out_inode;
381 : }
382 0 : u->mq_bytes += mq_bytes;
383 0 : spin_unlock(&mq_lock);
384 :
385 : /* all is ok */
386 0 : info->user = get_uid(u);
387 1 : } else if (S_ISDIR(mode)) {
388 1 : inc_nlink(inode);
389 : /* Some things misbehave if size == 0 on a directory */
390 1 : inode->i_size = 2 * DIRENT_SIZE;
391 1 : inode->i_op = &mqueue_dir_inode_operations;
392 1 : inode->i_fop = &simple_dir_operations;
393 : }
394 :
395 : return inode;
396 0 : out_inode:
397 0 : iput(inode);
398 0 : err:
399 0 : return ERR_PTR(ret);
400 : }
401 :
402 1 : static int mqueue_fill_super(struct super_block *sb, struct fs_context *fc)
403 : {
404 1 : struct inode *inode;
405 1 : struct ipc_namespace *ns = sb->s_fs_info;
406 :
407 1 : sb->s_iflags |= SB_I_NOEXEC | SB_I_NODEV;
408 1 : sb->s_blocksize = PAGE_SIZE;
409 1 : sb->s_blocksize_bits = PAGE_SHIFT;
410 1 : sb->s_magic = MQUEUE_MAGIC;
411 1 : sb->s_op = &mqueue_super_ops;
412 :
413 1 : inode = mqueue_get_inode(sb, ns, S_IFDIR | S_ISVTX | S_IRWXUGO, NULL);
414 1 : if (IS_ERR(inode))
415 0 : return PTR_ERR(inode);
416 :
417 1 : sb->s_root = d_make_root(inode);
418 1 : if (!sb->s_root)
419 0 : return -ENOMEM;
420 : return 0;
421 : }
422 :
423 2 : static int mqueue_get_tree(struct fs_context *fc)
424 : {
425 2 : struct mqueue_fs_context *ctx = fc->fs_private;
426 :
427 2 : return get_tree_keyed(fc, mqueue_fill_super, ctx->ipc_ns);
428 : }
429 :
430 2 : static void mqueue_fs_context_free(struct fs_context *fc)
431 : {
432 2 : struct mqueue_fs_context *ctx = fc->fs_private;
433 :
434 2 : put_ipc_ns(ctx->ipc_ns);
435 2 : kfree(ctx);
436 2 : }
437 :
438 2 : static int mqueue_init_fs_context(struct fs_context *fc)
439 : {
440 2 : struct mqueue_fs_context *ctx;
441 :
442 2 : ctx = kzalloc(sizeof(struct mqueue_fs_context), GFP_KERNEL);
443 2 : if (!ctx)
444 : return -ENOMEM;
445 :
446 2 : ctx->ipc_ns = get_ipc_ns(current->nsproxy->ipc_ns);
447 2 : put_user_ns(fc->user_ns);
448 2 : fc->user_ns = get_user_ns(ctx->ipc_ns->user_ns);
449 2 : fc->fs_private = ctx;
450 2 : fc->ops = &mqueue_fs_context_ops;
451 2 : return 0;
452 : }
453 :
454 1 : static struct vfsmount *mq_create_mount(struct ipc_namespace *ns)
455 : {
456 1 : struct mqueue_fs_context *ctx;
457 1 : struct fs_context *fc;
458 1 : struct vfsmount *mnt;
459 :
460 1 : fc = fs_context_for_mount(&mqueue_fs_type, SB_KERNMOUNT);
461 1 : if (IS_ERR(fc))
462 1 : return ERR_CAST(fc);
463 :
464 1 : ctx = fc->fs_private;
465 1 : put_ipc_ns(ctx->ipc_ns);
466 1 : ctx->ipc_ns = get_ipc_ns(ns);
467 1 : put_user_ns(fc->user_ns);
468 1 : fc->user_ns = get_user_ns(ctx->ipc_ns->user_ns);
469 :
470 1 : mnt = fc_mount(fc);
471 1 : put_fs_context(fc);
472 1 : return mnt;
473 : }
474 :
475 21 : static void init_once(void *foo)
476 : {
477 21 : struct mqueue_inode_info *p = (struct mqueue_inode_info *) foo;
478 :
479 21 : inode_init_once(&p->vfs_inode);
480 21 : }
481 :
482 1 : static struct inode *mqueue_alloc_inode(struct super_block *sb)
483 : {
484 1 : struct mqueue_inode_info *ei;
485 :
486 1 : ei = kmem_cache_alloc(mqueue_inode_cachep, GFP_KERNEL);
487 1 : if (!ei)
488 : return NULL;
489 1 : return &ei->vfs_inode;
490 : }
491 :
492 0 : static void mqueue_free_inode(struct inode *inode)
493 : {
494 0 : kmem_cache_free(mqueue_inode_cachep, MQUEUE_I(inode));
495 0 : }
496 :
497 0 : static void mqueue_evict_inode(struct inode *inode)
498 : {
499 0 : struct mqueue_inode_info *info;
500 0 : struct user_struct *user;
501 0 : struct ipc_namespace *ipc_ns;
502 0 : struct msg_msg *msg, *nmsg;
503 0 : LIST_HEAD(tmp_msg);
504 :
505 0 : clear_inode(inode);
506 :
507 0 : if (S_ISDIR(inode->i_mode))
508 0 : return;
509 :
510 0 : ipc_ns = get_ns_from_inode(inode);
511 0 : info = MQUEUE_I(inode);
512 0 : spin_lock(&info->lock);
513 0 : while ((msg = msg_get(info)) != NULL)
514 0 : list_add_tail(&msg->m_list, &tmp_msg);
515 0 : kfree(info->node_cache);
516 0 : spin_unlock(&info->lock);
517 :
518 0 : list_for_each_entry_safe(msg, nmsg, &tmp_msg, m_list) {
519 0 : list_del(&msg->m_list);
520 0 : free_msg(msg);
521 : }
522 :
523 0 : user = info->user;
524 0 : if (user) {
525 0 : unsigned long mq_bytes, mq_treesize;
526 :
527 : /* Total amount of bytes accounted for the mqueue */
528 0 : mq_treesize = info->attr.mq_maxmsg * sizeof(struct msg_msg) +
529 0 : min_t(unsigned int, info->attr.mq_maxmsg, MQ_PRIO_MAX) *
530 : sizeof(struct posix_msg_tree_node);
531 :
532 0 : mq_bytes = mq_treesize + (info->attr.mq_maxmsg *
533 0 : info->attr.mq_msgsize);
534 :
535 0 : spin_lock(&mq_lock);
536 0 : user->mq_bytes -= mq_bytes;
537 : /*
538 : * get_ns_from_inode() ensures that the
539 : * (ipc_ns = sb->s_fs_info) is either a valid ipc_ns
540 : * to which we now hold a reference, or it is NULL.
541 : * We can't put it here under mq_lock, though.
542 : */
543 0 : if (ipc_ns)
544 0 : ipc_ns->mq_queues_count--;
545 0 : spin_unlock(&mq_lock);
546 0 : free_uid(user);
547 : }
548 0 : if (ipc_ns)
549 0 : put_ipc_ns(ipc_ns);
550 : }
551 :
552 0 : static int mqueue_create_attr(struct dentry *dentry, umode_t mode, void *arg)
553 : {
554 0 : struct inode *dir = dentry->d_parent->d_inode;
555 0 : struct inode *inode;
556 0 : struct mq_attr *attr = arg;
557 0 : int error;
558 0 : struct ipc_namespace *ipc_ns;
559 :
560 0 : spin_lock(&mq_lock);
561 0 : ipc_ns = __get_ns_from_inode(dir);
562 0 : if (!ipc_ns) {
563 0 : error = -EACCES;
564 0 : goto out_unlock;
565 : }
566 :
567 0 : if (ipc_ns->mq_queues_count >= ipc_ns->mq_queues_max &&
568 0 : !capable(CAP_SYS_RESOURCE)) {
569 0 : error = -ENOSPC;
570 0 : goto out_unlock;
571 : }
572 0 : ipc_ns->mq_queues_count++;
573 0 : spin_unlock(&mq_lock);
574 :
575 0 : inode = mqueue_get_inode(dir->i_sb, ipc_ns, mode, attr);
576 0 : if (IS_ERR(inode)) {
577 0 : error = PTR_ERR(inode);
578 0 : spin_lock(&mq_lock);
579 0 : ipc_ns->mq_queues_count--;
580 0 : goto out_unlock;
581 : }
582 :
583 0 : put_ipc_ns(ipc_ns);
584 0 : dir->i_size += DIRENT_SIZE;
585 0 : dir->i_ctime = dir->i_mtime = dir->i_atime = current_time(dir);
586 :
587 0 : d_instantiate(dentry, inode);
588 0 : dget(dentry);
589 : return 0;
590 0 : out_unlock:
591 0 : spin_unlock(&mq_lock);
592 0 : if (ipc_ns)
593 0 : put_ipc_ns(ipc_ns);
594 0 : return error;
595 : }
596 :
597 0 : static int mqueue_create(struct user_namespace *mnt_userns, struct inode *dir,
598 : struct dentry *dentry, umode_t mode, bool excl)
599 : {
600 0 : return mqueue_create_attr(dentry, mode, NULL);
601 : }
602 :
603 0 : static int mqueue_unlink(struct inode *dir, struct dentry *dentry)
604 : {
605 0 : struct inode *inode = d_inode(dentry);
606 :
607 0 : dir->i_ctime = dir->i_mtime = dir->i_atime = current_time(dir);
608 0 : dir->i_size -= DIRENT_SIZE;
609 0 : drop_nlink(inode);
610 0 : dput(dentry);
611 0 : return 0;
612 : }
613 :
614 : /*
615 : * This is routine for system read from queue file.
616 : * To avoid mess with doing here some sort of mq_receive we allow
617 : * to read only queue size & notification info (the only values
618 : * that are interesting from user point of view and aren't accessible
619 : * through std routines)
620 : */
621 0 : static ssize_t mqueue_read_file(struct file *filp, char __user *u_data,
622 : size_t count, loff_t *off)
623 : {
624 0 : struct mqueue_inode_info *info = MQUEUE_I(file_inode(filp));
625 0 : char buffer[FILENT_SIZE];
626 0 : ssize_t ret;
627 :
628 0 : spin_lock(&info->lock);
629 0 : snprintf(buffer, sizeof(buffer),
630 : "QSIZE:%-10lu NOTIFY:%-5d SIGNO:%-5d NOTIFY_PID:%-6d\n",
631 : info->qsize,
632 : info->notify_owner ? info->notify.sigev_notify : 0,
633 0 : (info->notify_owner &&
634 0 : info->notify.sigev_notify == SIGEV_SIGNAL) ?
635 : info->notify.sigev_signo : 0,
636 : pid_vnr(info->notify_owner));
637 0 : spin_unlock(&info->lock);
638 0 : buffer[sizeof(buffer)-1] = '\0';
639 :
640 0 : ret = simple_read_from_buffer(u_data, count, off, buffer,
641 : strlen(buffer));
642 0 : if (ret <= 0)
643 : return ret;
644 :
645 0 : file_inode(filp)->i_atime = file_inode(filp)->i_ctime = current_time(file_inode(filp));
646 0 : return ret;
647 : }
648 :
649 0 : static int mqueue_flush_file(struct file *filp, fl_owner_t id)
650 : {
651 0 : struct mqueue_inode_info *info = MQUEUE_I(file_inode(filp));
652 :
653 0 : spin_lock(&info->lock);
654 0 : if (task_tgid(current) == info->notify_owner)
655 0 : remove_notification(info);
656 :
657 0 : spin_unlock(&info->lock);
658 0 : return 0;
659 : }
660 :
661 0 : static __poll_t mqueue_poll_file(struct file *filp, struct poll_table_struct *poll_tab)
662 : {
663 0 : struct mqueue_inode_info *info = MQUEUE_I(file_inode(filp));
664 0 : __poll_t retval = 0;
665 :
666 0 : poll_wait(filp, &info->wait_q, poll_tab);
667 :
668 0 : spin_lock(&info->lock);
669 0 : if (info->attr.mq_curmsgs)
670 0 : retval = EPOLLIN | EPOLLRDNORM;
671 :
672 0 : if (info->attr.mq_curmsgs < info->attr.mq_maxmsg)
673 0 : retval |= EPOLLOUT | EPOLLWRNORM;
674 0 : spin_unlock(&info->lock);
675 :
676 0 : return retval;
677 : }
678 :
679 : /* Adds current to info->e_wait_q[sr] before element with smaller prio */
680 0 : static void wq_add(struct mqueue_inode_info *info, int sr,
681 : struct ext_wait_queue *ewp)
682 : {
683 0 : struct ext_wait_queue *walk;
684 :
685 0 : list_for_each_entry(walk, &info->e_wait_q[sr].list, list) {
686 0 : if (walk->task->prio <= current->prio) {
687 0 : list_add_tail(&ewp->list, &walk->list);
688 0 : return;
689 : }
690 : }
691 0 : list_add_tail(&ewp->list, &info->e_wait_q[sr].list);
692 : }
693 :
694 : /*
695 : * Puts current task to sleep. Caller must hold queue lock. After return
696 : * lock isn't held.
697 : * sr: SEND or RECV
698 : */
699 0 : static int wq_sleep(struct mqueue_inode_info *info, int sr,
700 : ktime_t *timeout, struct ext_wait_queue *ewp)
701 : __releases(&info->lock)
702 : {
703 0 : int retval;
704 0 : signed long time;
705 :
706 0 : wq_add(info, sr, ewp);
707 :
708 0 : for (;;) {
709 : /* memory barrier not required, we hold info->lock */
710 0 : __set_current_state(TASK_INTERRUPTIBLE);
711 :
712 0 : spin_unlock(&info->lock);
713 0 : time = schedule_hrtimeout_range_clock(timeout, 0,
714 : HRTIMER_MODE_ABS, CLOCK_REALTIME);
715 :
716 0 : if (READ_ONCE(ewp->state) == STATE_READY) {
717 : /* see MQ_BARRIER for purpose/pairing */
718 0 : smp_acquire__after_ctrl_dep();
719 0 : retval = 0;
720 0 : goto out;
721 : }
722 0 : spin_lock(&info->lock);
723 :
724 : /* we hold info->lock, so no memory barrier required */
725 0 : if (READ_ONCE(ewp->state) == STATE_READY) {
726 0 : retval = 0;
727 0 : goto out_unlock;
728 : }
729 0 : if (signal_pending(current)) {
730 : retval = -ERESTARTSYS;
731 : break;
732 : }
733 0 : if (time == 0) {
734 : retval = -ETIMEDOUT;
735 : break;
736 : }
737 : }
738 0 : list_del(&ewp->list);
739 0 : out_unlock:
740 0 : spin_unlock(&info->lock);
741 0 : out:
742 0 : return retval;
743 : }
744 :
745 : /*
746 : * Returns waiting task that should be serviced first or NULL if none exists
747 : */
748 0 : static struct ext_wait_queue *wq_get_first_waiter(
749 : struct mqueue_inode_info *info, int sr)
750 : {
751 0 : struct list_head *ptr;
752 :
753 0 : ptr = info->e_wait_q[sr].list.prev;
754 0 : if (ptr == &info->e_wait_q[sr].list)
755 : return NULL;
756 0 : return list_entry(ptr, struct ext_wait_queue, list);
757 : }
758 :
759 :
760 0 : static inline void set_cookie(struct sk_buff *skb, char code)
761 : {
762 0 : ((char *)skb->data)[NOTIFY_COOKIE_LEN-1] = code;
763 : }
764 :
765 : /*
766 : * The next function is only to split too long sys_mq_timedsend
767 : */
768 0 : static void __do_notify(struct mqueue_inode_info *info)
769 : {
770 : /* notification
771 : * invoked when there is registered process and there isn't process
772 : * waiting synchronously for message AND state of queue changed from
773 : * empty to not empty. Here we are sure that no one is waiting
774 : * synchronously. */
775 0 : if (info->notify_owner &&
776 0 : info->attr.mq_curmsgs == 1) {
777 0 : switch (info->notify.sigev_notify) {
778 : case SIGEV_NONE:
779 : break;
780 0 : case SIGEV_SIGNAL: {
781 0 : struct kernel_siginfo sig_i;
782 0 : struct task_struct *task;
783 :
784 : /* do_mq_notify() accepts sigev_signo == 0, why?? */
785 0 : if (!info->notify.sigev_signo)
786 : break;
787 :
788 0 : clear_siginfo(&sig_i);
789 0 : sig_i.si_signo = info->notify.sigev_signo;
790 0 : sig_i.si_errno = 0;
791 0 : sig_i.si_code = SI_MESGQ;
792 0 : sig_i.si_value = info->notify.sigev_value;
793 0 : rcu_read_lock();
794 : /* map current pid/uid into info->owner's namespaces */
795 0 : sig_i.si_pid = task_tgid_nr_ns(current,
796 : ns_of_pid(info->notify_owner));
797 0 : sig_i.si_uid = from_kuid_munged(info->notify_user_ns,
798 0 : current_uid());
799 : /*
800 : * We can't use kill_pid_info(), this signal should
801 : * bypass check_kill_permission(). It is from kernel
802 : * but si_fromuser() can't know this.
803 : * We do check the self_exec_id, to avoid sending
804 : * signals to programs that don't expect them.
805 : */
806 0 : task = pid_task(info->notify_owner, PIDTYPE_TGID);
807 0 : if (task && task->self_exec_id ==
808 0 : info->notify_self_exec_id) {
809 0 : do_send_sig_info(info->notify.sigev_signo,
810 : &sig_i, task, PIDTYPE_TGID);
811 : }
812 0 : rcu_read_unlock();
813 0 : break;
814 : }
815 0 : case SIGEV_THREAD:
816 0 : set_cookie(info->notify_cookie, NOTIFY_WOKENUP);
817 0 : netlink_sendskb(info->notify_sock, info->notify_cookie);
818 0 : break;
819 : }
820 : /* after notification unregisters process */
821 0 : put_pid(info->notify_owner);
822 0 : put_user_ns(info->notify_user_ns);
823 0 : info->notify_owner = NULL;
824 0 : info->notify_user_ns = NULL;
825 : }
826 0 : wake_up(&info->wait_q);
827 0 : }
828 :
829 0 : static int prepare_timeout(const struct __kernel_timespec __user *u_abs_timeout,
830 : struct timespec64 *ts)
831 : {
832 0 : if (get_timespec64(ts, u_abs_timeout))
833 : return -EFAULT;
834 0 : if (!timespec64_valid(ts))
835 0 : return -EINVAL;
836 : return 0;
837 : }
838 :
839 0 : static void remove_notification(struct mqueue_inode_info *info)
840 : {
841 0 : if (info->notify_owner != NULL &&
842 0 : info->notify.sigev_notify == SIGEV_THREAD) {
843 0 : set_cookie(info->notify_cookie, NOTIFY_REMOVED);
844 0 : netlink_sendskb(info->notify_sock, info->notify_cookie);
845 : }
846 0 : put_pid(info->notify_owner);
847 0 : put_user_ns(info->notify_user_ns);
848 0 : info->notify_owner = NULL;
849 0 : info->notify_user_ns = NULL;
850 0 : }
851 :
852 0 : static int prepare_open(struct dentry *dentry, int oflag, int ro,
853 : umode_t mode, struct filename *name,
854 : struct mq_attr *attr)
855 : {
856 0 : static const int oflag2acc[O_ACCMODE] = { MAY_READ, MAY_WRITE,
857 : MAY_READ | MAY_WRITE };
858 0 : int acc;
859 :
860 0 : if (d_really_is_negative(dentry)) {
861 0 : if (!(oflag & O_CREAT))
862 : return -ENOENT;
863 0 : if (ro)
864 : return ro;
865 0 : audit_inode_parent_hidden(name, dentry->d_parent);
866 0 : return vfs_mkobj(dentry, mode & ~current_umask(),
867 : mqueue_create_attr, attr);
868 : }
869 : /* it already existed */
870 0 : audit_inode(name, dentry, 0);
871 0 : if ((oflag & (O_CREAT|O_EXCL)) == (O_CREAT|O_EXCL))
872 : return -EEXIST;
873 0 : if ((oflag & O_ACCMODE) == (O_RDWR | O_WRONLY))
874 : return -EINVAL;
875 0 : acc = oflag2acc[oflag & O_ACCMODE];
876 0 : return inode_permission(&init_user_ns, d_inode(dentry), acc);
877 : }
878 :
879 0 : static int do_mq_open(const char __user *u_name, int oflag, umode_t mode,
880 : struct mq_attr *attr)
881 : {
882 0 : struct vfsmount *mnt = current->nsproxy->ipc_ns->mq_mnt;
883 0 : struct dentry *root = mnt->mnt_root;
884 0 : struct filename *name;
885 0 : struct path path;
886 0 : int fd, error;
887 0 : int ro;
888 :
889 0 : audit_mq_open(oflag, mode, attr);
890 :
891 0 : if (IS_ERR(name = getname(u_name)))
892 0 : return PTR_ERR(name);
893 :
894 0 : fd = get_unused_fd_flags(O_CLOEXEC);
895 0 : if (fd < 0)
896 0 : goto out_putname;
897 :
898 0 : ro = mnt_want_write(mnt); /* we'll drop it in any case */
899 0 : inode_lock(d_inode(root));
900 0 : path.dentry = lookup_one_len(name->name, root, strlen(name->name));
901 0 : if (IS_ERR(path.dentry)) {
902 0 : error = PTR_ERR(path.dentry);
903 0 : goto out_putfd;
904 : }
905 0 : path.mnt = mntget(mnt);
906 0 : error = prepare_open(path.dentry, oflag, ro, mode, name, attr);
907 0 : if (!error) {
908 0 : struct file *file = dentry_open(&path, oflag, current_cred());
909 0 : if (!IS_ERR(file))
910 0 : fd_install(fd, file);
911 : else
912 0 : error = PTR_ERR(file);
913 : }
914 0 : path_put(&path);
915 0 : out_putfd:
916 0 : if (error) {
917 0 : put_unused_fd(fd);
918 0 : fd = error;
919 : }
920 0 : inode_unlock(d_inode(root));
921 0 : if (!ro)
922 0 : mnt_drop_write(mnt);
923 0 : out_putname:
924 0 : putname(name);
925 0 : return fd;
926 : }
927 :
928 0 : SYSCALL_DEFINE4(mq_open, const char __user *, u_name, int, oflag, umode_t, mode,
929 : struct mq_attr __user *, u_attr)
930 : {
931 0 : struct mq_attr attr;
932 0 : if (u_attr && copy_from_user(&attr, u_attr, sizeof(struct mq_attr)))
933 : return -EFAULT;
934 :
935 0 : return do_mq_open(u_name, oflag, mode, u_attr ? &attr : NULL);
936 : }
937 :
938 0 : SYSCALL_DEFINE1(mq_unlink, const char __user *, u_name)
939 : {
940 0 : int err;
941 0 : struct filename *name;
942 0 : struct dentry *dentry;
943 0 : struct inode *inode = NULL;
944 0 : struct ipc_namespace *ipc_ns = current->nsproxy->ipc_ns;
945 0 : struct vfsmount *mnt = ipc_ns->mq_mnt;
946 :
947 0 : name = getname(u_name);
948 0 : if (IS_ERR(name))
949 0 : return PTR_ERR(name);
950 :
951 0 : audit_inode_parent_hidden(name, mnt->mnt_root);
952 0 : err = mnt_want_write(mnt);
953 0 : if (err)
954 0 : goto out_name;
955 0 : inode_lock_nested(d_inode(mnt->mnt_root), I_MUTEX_PARENT);
956 0 : dentry = lookup_one_len(name->name, mnt->mnt_root,
957 0 : strlen(name->name));
958 0 : if (IS_ERR(dentry)) {
959 0 : err = PTR_ERR(dentry);
960 0 : goto out_unlock;
961 : }
962 :
963 0 : inode = d_inode(dentry);
964 0 : if (!inode) {
965 : err = -ENOENT;
966 : } else {
967 0 : ihold(inode);
968 0 : err = vfs_unlink(&init_user_ns, d_inode(dentry->d_parent),
969 : dentry, NULL);
970 : }
971 0 : dput(dentry);
972 :
973 0 : out_unlock:
974 0 : inode_unlock(d_inode(mnt->mnt_root));
975 0 : if (inode)
976 0 : iput(inode);
977 0 : mnt_drop_write(mnt);
978 0 : out_name:
979 0 : putname(name);
980 :
981 0 : return err;
982 : }
983 :
984 : /* Pipelined send and receive functions.
985 : *
986 : * If a receiver finds no waiting message, then it registers itself in the
987 : * list of waiting receivers. A sender checks that list before adding the new
988 : * message into the message array. If there is a waiting receiver, then it
989 : * bypasses the message array and directly hands the message over to the
990 : * receiver. The receiver accepts the message and returns without grabbing the
991 : * queue spinlock:
992 : *
993 : * - Set pointer to message.
994 : * - Queue the receiver task for later wakeup (without the info->lock).
995 : * - Update its state to STATE_READY. Now the receiver can continue.
996 : * - Wake up the process after the lock is dropped. Should the process wake up
997 : * before this wakeup (due to a timeout or a signal) it will either see
998 : * STATE_READY and continue or acquire the lock to check the state again.
999 : *
1000 : * The same algorithm is used for senders.
1001 : */
1002 :
1003 0 : static inline void __pipelined_op(struct wake_q_head *wake_q,
1004 : struct mqueue_inode_info *info,
1005 : struct ext_wait_queue *this)
1006 : {
1007 0 : list_del(&this->list);
1008 0 : get_task_struct(this->task);
1009 :
1010 : /* see MQ_BARRIER for purpose/pairing */
1011 0 : smp_store_release(&this->state, STATE_READY);
1012 0 : wake_q_add_safe(wake_q, this->task);
1013 0 : }
1014 :
1015 : /* pipelined_send() - send a message directly to the task waiting in
1016 : * sys_mq_timedreceive() (without inserting message into a queue).
1017 : */
1018 0 : static inline void pipelined_send(struct wake_q_head *wake_q,
1019 : struct mqueue_inode_info *info,
1020 : struct msg_msg *message,
1021 : struct ext_wait_queue *receiver)
1022 : {
1023 0 : receiver->msg = message;
1024 0 : __pipelined_op(wake_q, info, receiver);
1025 0 : }
1026 :
1027 : /* pipelined_receive() - if there is task waiting in sys_mq_timedsend()
1028 : * gets its message and put to the queue (we have one free place for sure). */
1029 0 : static inline void pipelined_receive(struct wake_q_head *wake_q,
1030 : struct mqueue_inode_info *info)
1031 : {
1032 0 : struct ext_wait_queue *sender = wq_get_first_waiter(info, SEND);
1033 :
1034 0 : if (!sender) {
1035 : /* for poll */
1036 0 : wake_up_interruptible(&info->wait_q);
1037 0 : return;
1038 : }
1039 0 : if (msg_insert(sender->msg, info))
1040 : return;
1041 :
1042 0 : __pipelined_op(wake_q, info, sender);
1043 : }
1044 :
1045 0 : static int do_mq_timedsend(mqd_t mqdes, const char __user *u_msg_ptr,
1046 : size_t msg_len, unsigned int msg_prio,
1047 : struct timespec64 *ts)
1048 : {
1049 0 : struct fd f;
1050 0 : struct inode *inode;
1051 0 : struct ext_wait_queue wait;
1052 0 : struct ext_wait_queue *receiver;
1053 0 : struct msg_msg *msg_ptr;
1054 0 : struct mqueue_inode_info *info;
1055 0 : ktime_t expires, *timeout = NULL;
1056 0 : struct posix_msg_tree_node *new_leaf = NULL;
1057 0 : int ret = 0;
1058 0 : DEFINE_WAKE_Q(wake_q);
1059 :
1060 0 : if (unlikely(msg_prio >= (unsigned long) MQ_PRIO_MAX))
1061 : return -EINVAL;
1062 :
1063 0 : if (ts) {
1064 0 : expires = timespec64_to_ktime(*ts);
1065 0 : timeout = &expires;
1066 : }
1067 :
1068 0 : audit_mq_sendrecv(mqdes, msg_len, msg_prio, ts);
1069 :
1070 0 : f = fdget(mqdes);
1071 0 : if (unlikely(!f.file)) {
1072 0 : ret = -EBADF;
1073 0 : goto out;
1074 : }
1075 :
1076 0 : inode = file_inode(f.file);
1077 0 : if (unlikely(f.file->f_op != &mqueue_file_operations)) {
1078 0 : ret = -EBADF;
1079 0 : goto out_fput;
1080 : }
1081 0 : info = MQUEUE_I(inode);
1082 0 : audit_file(f.file);
1083 :
1084 0 : if (unlikely(!(f.file->f_mode & FMODE_WRITE))) {
1085 0 : ret = -EBADF;
1086 0 : goto out_fput;
1087 : }
1088 :
1089 0 : if (unlikely(msg_len > info->attr.mq_msgsize)) {
1090 0 : ret = -EMSGSIZE;
1091 0 : goto out_fput;
1092 : }
1093 :
1094 : /* First try to allocate memory, before doing anything with
1095 : * existing queues. */
1096 0 : msg_ptr = load_msg(u_msg_ptr, msg_len);
1097 0 : if (IS_ERR(msg_ptr)) {
1098 0 : ret = PTR_ERR(msg_ptr);
1099 0 : goto out_fput;
1100 : }
1101 0 : msg_ptr->m_ts = msg_len;
1102 0 : msg_ptr->m_type = msg_prio;
1103 :
1104 : /*
1105 : * msg_insert really wants us to have a valid, spare node struct so
1106 : * it doesn't have to kmalloc a GFP_ATOMIC allocation, but it will
1107 : * fall back to that if necessary.
1108 : */
1109 0 : if (!info->node_cache)
1110 0 : new_leaf = kmalloc(sizeof(*new_leaf), GFP_KERNEL);
1111 :
1112 0 : spin_lock(&info->lock);
1113 :
1114 0 : if (!info->node_cache && new_leaf) {
1115 : /* Save our speculative allocation into the cache */
1116 0 : INIT_LIST_HEAD(&new_leaf->msg_list);
1117 0 : info->node_cache = new_leaf;
1118 0 : new_leaf = NULL;
1119 : } else {
1120 0 : kfree(new_leaf);
1121 : }
1122 :
1123 0 : if (info->attr.mq_curmsgs == info->attr.mq_maxmsg) {
1124 0 : if (f.file->f_flags & O_NONBLOCK) {
1125 : ret = -EAGAIN;
1126 : } else {
1127 0 : wait.task = current;
1128 0 : wait.msg = (void *) msg_ptr;
1129 :
1130 : /* memory barrier not required, we hold info->lock */
1131 0 : WRITE_ONCE(wait.state, STATE_NONE);
1132 0 : ret = wq_sleep(info, SEND, timeout, &wait);
1133 : /*
1134 : * wq_sleep must be called with info->lock held, and
1135 : * returns with the lock released
1136 : */
1137 0 : goto out_free;
1138 : }
1139 : } else {
1140 0 : receiver = wq_get_first_waiter(info, RECV);
1141 0 : if (receiver) {
1142 0 : pipelined_send(&wake_q, info, msg_ptr, receiver);
1143 : } else {
1144 : /* adds message to the queue */
1145 0 : ret = msg_insert(msg_ptr, info);
1146 0 : if (ret)
1147 0 : goto out_unlock;
1148 0 : __do_notify(info);
1149 : }
1150 0 : inode->i_atime = inode->i_mtime = inode->i_ctime =
1151 0 : current_time(inode);
1152 : }
1153 0 : out_unlock:
1154 0 : spin_unlock(&info->lock);
1155 0 : wake_up_q(&wake_q);
1156 0 : out_free:
1157 0 : if (ret)
1158 0 : free_msg(msg_ptr);
1159 0 : out_fput:
1160 0 : fdput(f);
1161 : out:
1162 : return ret;
1163 : }
1164 :
1165 0 : static int do_mq_timedreceive(mqd_t mqdes, char __user *u_msg_ptr,
1166 : size_t msg_len, unsigned int __user *u_msg_prio,
1167 : struct timespec64 *ts)
1168 : {
1169 0 : ssize_t ret;
1170 0 : struct msg_msg *msg_ptr;
1171 0 : struct fd f;
1172 0 : struct inode *inode;
1173 0 : struct mqueue_inode_info *info;
1174 0 : struct ext_wait_queue wait;
1175 0 : ktime_t expires, *timeout = NULL;
1176 0 : struct posix_msg_tree_node *new_leaf = NULL;
1177 :
1178 0 : if (ts) {
1179 0 : expires = timespec64_to_ktime(*ts);
1180 0 : timeout = &expires;
1181 : }
1182 :
1183 0 : audit_mq_sendrecv(mqdes, msg_len, 0, ts);
1184 :
1185 0 : f = fdget(mqdes);
1186 0 : if (unlikely(!f.file)) {
1187 0 : ret = -EBADF;
1188 0 : goto out;
1189 : }
1190 :
1191 0 : inode = file_inode(f.file);
1192 0 : if (unlikely(f.file->f_op != &mqueue_file_operations)) {
1193 0 : ret = -EBADF;
1194 0 : goto out_fput;
1195 : }
1196 0 : info = MQUEUE_I(inode);
1197 0 : audit_file(f.file);
1198 :
1199 0 : if (unlikely(!(f.file->f_mode & FMODE_READ))) {
1200 0 : ret = -EBADF;
1201 0 : goto out_fput;
1202 : }
1203 :
1204 : /* checks if buffer is big enough */
1205 0 : if (unlikely(msg_len < info->attr.mq_msgsize)) {
1206 0 : ret = -EMSGSIZE;
1207 0 : goto out_fput;
1208 : }
1209 :
1210 : /*
1211 : * msg_insert really wants us to have a valid, spare node struct so
1212 : * it doesn't have to kmalloc a GFP_ATOMIC allocation, but it will
1213 : * fall back to that if necessary.
1214 : */
1215 0 : if (!info->node_cache)
1216 0 : new_leaf = kmalloc(sizeof(*new_leaf), GFP_KERNEL);
1217 :
1218 0 : spin_lock(&info->lock);
1219 :
1220 0 : if (!info->node_cache && new_leaf) {
1221 : /* Save our speculative allocation into the cache */
1222 0 : INIT_LIST_HEAD(&new_leaf->msg_list);
1223 0 : info->node_cache = new_leaf;
1224 : } else {
1225 0 : kfree(new_leaf);
1226 : }
1227 :
1228 0 : if (info->attr.mq_curmsgs == 0) {
1229 0 : if (f.file->f_flags & O_NONBLOCK) {
1230 0 : spin_unlock(&info->lock);
1231 0 : ret = -EAGAIN;
1232 : } else {
1233 0 : wait.task = current;
1234 :
1235 : /* memory barrier not required, we hold info->lock */
1236 0 : WRITE_ONCE(wait.state, STATE_NONE);
1237 0 : ret = wq_sleep(info, RECV, timeout, &wait);
1238 0 : msg_ptr = wait.msg;
1239 : }
1240 : } else {
1241 0 : DEFINE_WAKE_Q(wake_q);
1242 :
1243 0 : msg_ptr = msg_get(info);
1244 :
1245 0 : inode->i_atime = inode->i_mtime = inode->i_ctime =
1246 0 : current_time(inode);
1247 :
1248 : /* There is now free space in queue. */
1249 0 : pipelined_receive(&wake_q, info);
1250 0 : spin_unlock(&info->lock);
1251 0 : wake_up_q(&wake_q);
1252 0 : ret = 0;
1253 : }
1254 0 : if (ret == 0) {
1255 0 : ret = msg_ptr->m_ts;
1256 :
1257 0 : if ((u_msg_prio && put_user(msg_ptr->m_type, u_msg_prio)) ||
1258 0 : store_msg(u_msg_ptr, msg_ptr, msg_ptr->m_ts)) {
1259 : ret = -EFAULT;
1260 : }
1261 0 : free_msg(msg_ptr);
1262 : }
1263 0 : out_fput:
1264 0 : fdput(f);
1265 0 : out:
1266 0 : return ret;
1267 : }
1268 :
1269 0 : SYSCALL_DEFINE5(mq_timedsend, mqd_t, mqdes, const char __user *, u_msg_ptr,
1270 : size_t, msg_len, unsigned int, msg_prio,
1271 : const struct __kernel_timespec __user *, u_abs_timeout)
1272 : {
1273 0 : struct timespec64 ts, *p = NULL;
1274 0 : if (u_abs_timeout) {
1275 0 : int res = prepare_timeout(u_abs_timeout, &ts);
1276 0 : if (res)
1277 0 : return res;
1278 : p = &ts;
1279 : }
1280 0 : return do_mq_timedsend(mqdes, u_msg_ptr, msg_len, msg_prio, p);
1281 : }
1282 :
1283 0 : SYSCALL_DEFINE5(mq_timedreceive, mqd_t, mqdes, char __user *, u_msg_ptr,
1284 : size_t, msg_len, unsigned int __user *, u_msg_prio,
1285 : const struct __kernel_timespec __user *, u_abs_timeout)
1286 : {
1287 0 : struct timespec64 ts, *p = NULL;
1288 0 : if (u_abs_timeout) {
1289 0 : int res = prepare_timeout(u_abs_timeout, &ts);
1290 0 : if (res)
1291 0 : return res;
1292 : p = &ts;
1293 : }
1294 0 : return do_mq_timedreceive(mqdes, u_msg_ptr, msg_len, u_msg_prio, p);
1295 : }
1296 :
1297 : /*
1298 : * Notes: the case when user wants us to deregister (with NULL as pointer)
1299 : * and he isn't currently owner of notification, will be silently discarded.
1300 : * It isn't explicitly defined in the POSIX.
1301 : */
1302 0 : static int do_mq_notify(mqd_t mqdes, const struct sigevent *notification)
1303 : {
1304 0 : int ret;
1305 0 : struct fd f;
1306 0 : struct sock *sock;
1307 0 : struct inode *inode;
1308 0 : struct mqueue_inode_info *info;
1309 0 : struct sk_buff *nc;
1310 :
1311 0 : audit_mq_notify(mqdes, notification);
1312 :
1313 0 : nc = NULL;
1314 0 : sock = NULL;
1315 0 : if (notification != NULL) {
1316 0 : if (unlikely(notification->sigev_notify != SIGEV_NONE &&
1317 : notification->sigev_notify != SIGEV_SIGNAL &&
1318 : notification->sigev_notify != SIGEV_THREAD))
1319 : return -EINVAL;
1320 0 : if (notification->sigev_notify == SIGEV_SIGNAL &&
1321 0 : !valid_signal(notification->sigev_signo)) {
1322 : return -EINVAL;
1323 : }
1324 0 : if (notification->sigev_notify == SIGEV_THREAD) {
1325 0 : long timeo;
1326 :
1327 : /* create the notify skb */
1328 0 : nc = alloc_skb(NOTIFY_COOKIE_LEN, GFP_KERNEL);
1329 0 : if (!nc)
1330 0 : return -ENOMEM;
1331 :
1332 0 : if (copy_from_user(nc->data,
1333 0 : notification->sigev_value.sival_ptr,
1334 : NOTIFY_COOKIE_LEN)) {
1335 0 : ret = -EFAULT;
1336 0 : goto free_skb;
1337 : }
1338 :
1339 : /* TODO: add a header? */
1340 0 : skb_put(nc, NOTIFY_COOKIE_LEN);
1341 : /* and attach it to the socket */
1342 0 : retry:
1343 0 : f = fdget(notification->sigev_signo);
1344 0 : if (!f.file) {
1345 0 : ret = -EBADF;
1346 0 : goto out;
1347 : }
1348 0 : sock = netlink_getsockbyfilp(f.file);
1349 0 : fdput(f);
1350 0 : if (IS_ERR(sock)) {
1351 0 : ret = PTR_ERR(sock);
1352 0 : goto free_skb;
1353 : }
1354 :
1355 0 : timeo = MAX_SCHEDULE_TIMEOUT;
1356 0 : ret = netlink_attachskb(sock, nc, &timeo, NULL);
1357 0 : if (ret == 1) {
1358 0 : sock = NULL;
1359 0 : goto retry;
1360 : }
1361 0 : if (ret)
1362 : return ret;
1363 : }
1364 : }
1365 :
1366 0 : f = fdget(mqdes);
1367 0 : if (!f.file) {
1368 0 : ret = -EBADF;
1369 0 : goto out;
1370 : }
1371 :
1372 0 : inode = file_inode(f.file);
1373 0 : if (unlikely(f.file->f_op != &mqueue_file_operations)) {
1374 0 : ret = -EBADF;
1375 0 : goto out_fput;
1376 : }
1377 0 : info = MQUEUE_I(inode);
1378 :
1379 0 : ret = 0;
1380 0 : spin_lock(&info->lock);
1381 0 : if (notification == NULL) {
1382 0 : if (info->notify_owner == task_tgid(current)) {
1383 0 : remove_notification(info);
1384 0 : inode->i_atime = inode->i_ctime = current_time(inode);
1385 : }
1386 0 : } else if (info->notify_owner != NULL) {
1387 : ret = -EBUSY;
1388 : } else {
1389 0 : switch (notification->sigev_notify) {
1390 0 : case SIGEV_NONE:
1391 0 : info->notify.sigev_notify = SIGEV_NONE;
1392 0 : break;
1393 0 : case SIGEV_THREAD:
1394 0 : info->notify_sock = sock;
1395 0 : info->notify_cookie = nc;
1396 0 : sock = NULL;
1397 0 : nc = NULL;
1398 0 : info->notify.sigev_notify = SIGEV_THREAD;
1399 0 : break;
1400 0 : case SIGEV_SIGNAL:
1401 0 : info->notify.sigev_signo = notification->sigev_signo;
1402 0 : info->notify.sigev_value = notification->sigev_value;
1403 0 : info->notify.sigev_notify = SIGEV_SIGNAL;
1404 0 : info->notify_self_exec_id = current->self_exec_id;
1405 0 : break;
1406 : }
1407 :
1408 0 : info->notify_owner = get_pid(task_tgid(current));
1409 0 : info->notify_user_ns = get_user_ns(current_user_ns());
1410 0 : inode->i_atime = inode->i_ctime = current_time(inode);
1411 : }
1412 0 : spin_unlock(&info->lock);
1413 0 : out_fput:
1414 0 : fdput(f);
1415 0 : out:
1416 0 : if (sock)
1417 0 : netlink_detachskb(sock, nc);
1418 : else
1419 0 : free_skb:
1420 0 : dev_kfree_skb(nc);
1421 :
1422 : return ret;
1423 : }
1424 :
1425 0 : SYSCALL_DEFINE2(mq_notify, mqd_t, mqdes,
1426 : const struct sigevent __user *, u_notification)
1427 : {
1428 0 : struct sigevent n, *p = NULL;
1429 0 : if (u_notification) {
1430 0 : if (copy_from_user(&n, u_notification, sizeof(struct sigevent)))
1431 : return -EFAULT;
1432 : p = &n;
1433 : }
1434 0 : return do_mq_notify(mqdes, p);
1435 : }
1436 :
1437 0 : static int do_mq_getsetattr(int mqdes, struct mq_attr *new, struct mq_attr *old)
1438 : {
1439 0 : struct fd f;
1440 0 : struct inode *inode;
1441 0 : struct mqueue_inode_info *info;
1442 :
1443 0 : if (new && (new->mq_flags & (~O_NONBLOCK)))
1444 : return -EINVAL;
1445 :
1446 0 : f = fdget(mqdes);
1447 0 : if (!f.file)
1448 : return -EBADF;
1449 :
1450 0 : if (unlikely(f.file->f_op != &mqueue_file_operations)) {
1451 0 : fdput(f);
1452 0 : return -EBADF;
1453 : }
1454 :
1455 0 : inode = file_inode(f.file);
1456 0 : info = MQUEUE_I(inode);
1457 :
1458 0 : spin_lock(&info->lock);
1459 :
1460 0 : if (old) {
1461 0 : *old = info->attr;
1462 0 : old->mq_flags = f.file->f_flags & O_NONBLOCK;
1463 : }
1464 0 : if (new) {
1465 0 : audit_mq_getsetattr(mqdes, new);
1466 0 : spin_lock(&f.file->f_lock);
1467 0 : if (new->mq_flags & O_NONBLOCK)
1468 0 : f.file->f_flags |= O_NONBLOCK;
1469 : else
1470 0 : f.file->f_flags &= ~O_NONBLOCK;
1471 0 : spin_unlock(&f.file->f_lock);
1472 :
1473 0 : inode->i_atime = inode->i_ctime = current_time(inode);
1474 : }
1475 :
1476 0 : spin_unlock(&info->lock);
1477 0 : fdput(f);
1478 0 : return 0;
1479 : }
1480 :
1481 0 : SYSCALL_DEFINE3(mq_getsetattr, mqd_t, mqdes,
1482 : const struct mq_attr __user *, u_mqstat,
1483 : struct mq_attr __user *, u_omqstat)
1484 : {
1485 0 : int ret;
1486 0 : struct mq_attr mqstat, omqstat;
1487 0 : struct mq_attr *new = NULL, *old = NULL;
1488 :
1489 0 : if (u_mqstat) {
1490 0 : new = &mqstat;
1491 0 : if (copy_from_user(new, u_mqstat, sizeof(struct mq_attr)))
1492 : return -EFAULT;
1493 : }
1494 0 : if (u_omqstat)
1495 0 : old = &omqstat;
1496 :
1497 0 : ret = do_mq_getsetattr(mqdes, new, old);
1498 0 : if (ret || !old)
1499 0 : return ret;
1500 :
1501 0 : if (copy_to_user(u_omqstat, old, sizeof(struct mq_attr)))
1502 0 : return -EFAULT;
1503 : return 0;
1504 : }
1505 :
1506 : #ifdef CONFIG_COMPAT
1507 :
1508 : struct compat_mq_attr {
1509 : compat_long_t mq_flags; /* message queue flags */
1510 : compat_long_t mq_maxmsg; /* maximum number of messages */
1511 : compat_long_t mq_msgsize; /* maximum message size */
1512 : compat_long_t mq_curmsgs; /* number of messages currently queued */
1513 : compat_long_t __reserved[4]; /* ignored for input, zeroed for output */
1514 : };
1515 :
1516 0 : static inline int get_compat_mq_attr(struct mq_attr *attr,
1517 : const struct compat_mq_attr __user *uattr)
1518 : {
1519 0 : struct compat_mq_attr v;
1520 :
1521 0 : if (copy_from_user(&v, uattr, sizeof(*uattr)))
1522 : return -EFAULT;
1523 :
1524 0 : memset(attr, 0, sizeof(*attr));
1525 0 : attr->mq_flags = v.mq_flags;
1526 0 : attr->mq_maxmsg = v.mq_maxmsg;
1527 0 : attr->mq_msgsize = v.mq_msgsize;
1528 0 : attr->mq_curmsgs = v.mq_curmsgs;
1529 0 : return 0;
1530 : }
1531 :
1532 0 : static inline int put_compat_mq_attr(const struct mq_attr *attr,
1533 : struct compat_mq_attr __user *uattr)
1534 : {
1535 0 : struct compat_mq_attr v;
1536 :
1537 0 : memset(&v, 0, sizeof(v));
1538 0 : v.mq_flags = attr->mq_flags;
1539 0 : v.mq_maxmsg = attr->mq_maxmsg;
1540 0 : v.mq_msgsize = attr->mq_msgsize;
1541 0 : v.mq_curmsgs = attr->mq_curmsgs;
1542 0 : if (copy_to_user(uattr, &v, sizeof(*uattr)))
1543 0 : return -EFAULT;
1544 : return 0;
1545 : }
1546 :
1547 0 : COMPAT_SYSCALL_DEFINE4(mq_open, const char __user *, u_name,
1548 : int, oflag, compat_mode_t, mode,
1549 : struct compat_mq_attr __user *, u_attr)
1550 : {
1551 0 : struct mq_attr attr, *p = NULL;
1552 0 : if (u_attr && oflag & O_CREAT) {
1553 0 : p = &attr;
1554 0 : if (get_compat_mq_attr(&attr, u_attr))
1555 : return -EFAULT;
1556 : }
1557 0 : return do_mq_open(u_name, oflag, mode, p);
1558 : }
1559 :
1560 0 : COMPAT_SYSCALL_DEFINE2(mq_notify, mqd_t, mqdes,
1561 : const struct compat_sigevent __user *, u_notification)
1562 : {
1563 0 : struct sigevent n, *p = NULL;
1564 0 : if (u_notification) {
1565 0 : if (get_compat_sigevent(&n, u_notification))
1566 : return -EFAULT;
1567 0 : if (n.sigev_notify == SIGEV_THREAD)
1568 0 : n.sigev_value.sival_ptr = compat_ptr(n.sigev_value.sival_int);
1569 : p = &n;
1570 : }
1571 0 : return do_mq_notify(mqdes, p);
1572 : }
1573 :
1574 0 : COMPAT_SYSCALL_DEFINE3(mq_getsetattr, mqd_t, mqdes,
1575 : const struct compat_mq_attr __user *, u_mqstat,
1576 : struct compat_mq_attr __user *, u_omqstat)
1577 : {
1578 0 : int ret;
1579 0 : struct mq_attr mqstat, omqstat;
1580 0 : struct mq_attr *new = NULL, *old = NULL;
1581 :
1582 0 : if (u_mqstat) {
1583 0 : new = &mqstat;
1584 0 : if (get_compat_mq_attr(new, u_mqstat))
1585 : return -EFAULT;
1586 : }
1587 0 : if (u_omqstat)
1588 0 : old = &omqstat;
1589 :
1590 0 : ret = do_mq_getsetattr(mqdes, new, old);
1591 0 : if (ret || !old)
1592 0 : return ret;
1593 :
1594 0 : if (put_compat_mq_attr(old, u_omqstat))
1595 0 : return -EFAULT;
1596 : return 0;
1597 : }
1598 : #endif
1599 :
1600 : #ifdef CONFIG_COMPAT_32BIT_TIME
1601 : static int compat_prepare_timeout(const struct old_timespec32 __user *p,
1602 : struct timespec64 *ts)
1603 : {
1604 : if (get_old_timespec32(ts, p))
1605 : return -EFAULT;
1606 : if (!timespec64_valid(ts))
1607 : return -EINVAL;
1608 : return 0;
1609 : }
1610 :
1611 : SYSCALL_DEFINE5(mq_timedsend_time32, mqd_t, mqdes,
1612 : const char __user *, u_msg_ptr,
1613 : unsigned int, msg_len, unsigned int, msg_prio,
1614 : const struct old_timespec32 __user *, u_abs_timeout)
1615 : {
1616 : struct timespec64 ts, *p = NULL;
1617 : if (u_abs_timeout) {
1618 : int res = compat_prepare_timeout(u_abs_timeout, &ts);
1619 : if (res)
1620 : return res;
1621 : p = &ts;
1622 : }
1623 : return do_mq_timedsend(mqdes, u_msg_ptr, msg_len, msg_prio, p);
1624 : }
1625 :
1626 : SYSCALL_DEFINE5(mq_timedreceive_time32, mqd_t, mqdes,
1627 : char __user *, u_msg_ptr,
1628 : unsigned int, msg_len, unsigned int __user *, u_msg_prio,
1629 : const struct old_timespec32 __user *, u_abs_timeout)
1630 : {
1631 : struct timespec64 ts, *p = NULL;
1632 : if (u_abs_timeout) {
1633 : int res = compat_prepare_timeout(u_abs_timeout, &ts);
1634 : if (res)
1635 : return res;
1636 : p = &ts;
1637 : }
1638 : return do_mq_timedreceive(mqdes, u_msg_ptr, msg_len, u_msg_prio, p);
1639 : }
1640 : #endif
1641 :
1642 : static const struct inode_operations mqueue_dir_inode_operations = {
1643 : .lookup = simple_lookup,
1644 : .create = mqueue_create,
1645 : .unlink = mqueue_unlink,
1646 : };
1647 :
1648 : static const struct file_operations mqueue_file_operations = {
1649 : .flush = mqueue_flush_file,
1650 : .poll = mqueue_poll_file,
1651 : .read = mqueue_read_file,
1652 : .llseek = default_llseek,
1653 : };
1654 :
1655 : static const struct super_operations mqueue_super_ops = {
1656 : .alloc_inode = mqueue_alloc_inode,
1657 : .free_inode = mqueue_free_inode,
1658 : .evict_inode = mqueue_evict_inode,
1659 : .statfs = simple_statfs,
1660 : };
1661 :
1662 : static const struct fs_context_operations mqueue_fs_context_ops = {
1663 : .free = mqueue_fs_context_free,
1664 : .get_tree = mqueue_get_tree,
1665 : };
1666 :
1667 : static struct file_system_type mqueue_fs_type = {
1668 : .name = "mqueue",
1669 : .init_fs_context = mqueue_init_fs_context,
1670 : .kill_sb = kill_litter_super,
1671 : .fs_flags = FS_USERNS_MOUNT,
1672 : };
1673 :
1674 1 : int mq_init_ns(struct ipc_namespace *ns)
1675 : {
1676 1 : struct vfsmount *m;
1677 :
1678 1 : ns->mq_queues_count = 0;
1679 1 : ns->mq_queues_max = DFLT_QUEUESMAX;
1680 1 : ns->mq_msg_max = DFLT_MSGMAX;
1681 1 : ns->mq_msgsize_max = DFLT_MSGSIZEMAX;
1682 1 : ns->mq_msg_default = DFLT_MSG;
1683 1 : ns->mq_msgsize_default = DFLT_MSGSIZE;
1684 :
1685 1 : m = mq_create_mount(ns);
1686 1 : if (IS_ERR(m))
1687 0 : return PTR_ERR(m);
1688 1 : ns->mq_mnt = m;
1689 1 : return 0;
1690 : }
1691 :
1692 0 : void mq_clear_sbinfo(struct ipc_namespace *ns)
1693 : {
1694 0 : ns->mq_mnt->mnt_sb->s_fs_info = NULL;
1695 0 : }
1696 :
1697 0 : void mq_put_mnt(struct ipc_namespace *ns)
1698 : {
1699 0 : kern_unmount(ns->mq_mnt);
1700 0 : }
1701 :
1702 1 : static int __init init_mqueue_fs(void)
1703 : {
1704 1 : int error;
1705 :
1706 1 : mqueue_inode_cachep = kmem_cache_create("mqueue_inode_cache",
1707 : sizeof(struct mqueue_inode_info), 0,
1708 : SLAB_HWCACHE_ALIGN|SLAB_ACCOUNT, init_once);
1709 1 : if (mqueue_inode_cachep == NULL)
1710 : return -ENOMEM;
1711 :
1712 : /* ignore failures - they are not fatal */
1713 1 : mq_sysctl_table = mq_register_sysctl_table();
1714 :
1715 1 : error = register_filesystem(&mqueue_fs_type);
1716 1 : if (error)
1717 0 : goto out_sysctl;
1718 :
1719 1 : spin_lock_init(&mq_lock);
1720 :
1721 1 : error = mq_init_ns(&init_ipc_ns);
1722 1 : if (error)
1723 0 : goto out_filesystem;
1724 :
1725 : return 0;
1726 :
1727 0 : out_filesystem:
1728 0 : unregister_filesystem(&mqueue_fs_type);
1729 0 : out_sysctl:
1730 0 : if (mq_sysctl_table)
1731 0 : unregister_sysctl_table(mq_sysctl_table);
1732 0 : kmem_cache_destroy(mqueue_inode_cachep);
1733 0 : return error;
1734 : }
1735 :
1736 : device_initcall(init_mqueue_fs);
|
