Commit dc2c8c84 authored Aug 21, 2018 by Davidlohr Bueso Committed by Linus Torvalds Aug 22, 2018

ipc: get rid of ids->tables_initialized hack

In sysvipc we have an ids->tables_initialized regarding the rhashtable,
introduced in 0cfb6aee ("ipc: optimize semget/shmget/msgget for lots
of keys")

It's there, specifically, to prevent nil pointer dereferences, from using
an uninitialized api.  Considering how rhashtable_init() can fail
(probably due to ENOMEM, if anything), this made the overall ipc
initialization capable of failure as well.  That alone is ugly, but fine,
however I've spotted a few issues regarding the semantics of
tables_initialized (however unlikely they may be):

- There is inconsistency in what we return to userspace: ipc_addid()
  returns ENOSPC which is certainly _wrong_, while ipc_obtain_object_idr()
  returns EINVAL.

- After we started using rhashtables, ipc_findkey() can return nil upon
  !tables_initialized, but the caller expects nil for when the ipc
  structure isn't found, and can therefore call into ipcget() callbacks.

Now that rhashtable initialization cannot fail, we can properly get rid of
the hack altogether.

[manfred@colorfullife.com: commit id extended to 12 digits]
Link: http://lkml.kernel.org/r/20180712185241.4017-10-manfred@colorfullife.com


Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Signed-off-by: Manfred Spraul <manfred@colorfullife.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Kees Cook <keescook@chromium.org>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Michal Hocko <mhocko@suse.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

parent 2d22ecf6

include/linux/ipc_namespace.h

+0 −1

Original line number	Diff line number	Diff line
		@@ -16,7 +16,6 @@ struct user_namespace;
		struct ipc_ids {
		int in_use;
		unsigned short seq;
		bool tables_initialized;
		struct rw_semaphore rwsem;
		struct idr ipcs_idr;
		int max_id;

ipc/util.c

+8 −15

Original line number	Diff line number	Diff line
		@@ -126,7 +126,6 @@ int ipc_init_ids(struct ipc_ids *ids)
		if (err)
		return err;
		idr_init(&ids->ipcs_idr);
		ids->tables_initialized = true;
		ids->max_id = -1;
		#ifdef CONFIG_CHECKPOINT_RESTORE
		ids->next_id = -1;
		@@ -179,21 +178,18 @@ void __init ipc_init_proc_interface(const char path, const char header,
		*/
		static struct kern_ipc_perm ipc_findkey(struct ipc_ids ids, key_t key)
		{
		struct kern_ipc_perm *ipcp = NULL;
		struct kern_ipc_perm *ipcp;

		if (likely(ids->tables_initialized))
		ipcp = rhashtable_lookup_fast(&ids->key_ht, &key,
		ipc_kht_params);
		if (!ipcp)
		return NULL;

		if (ipcp) {
		rcu_read_lock();
		ipc_lock_object(ipcp);
		return ipcp;
		}

		return NULL;
		}

		/*
		* Insert new IPC object into idr tree, and set sequence number and id
		* in the correct order.
		@@ -269,7 +265,7 @@ int ipc_addid(struct ipc_ids ids, struct kern_ipc_perm new, int limit)
		if (limit > IPCMNI)
		limit = IPCMNI;

		if (!ids->tables_initialized \|\| ids->in_use >= limit)
		if (ids->in_use >= limit)
		return -ENOSPC;

		idr_preload(GFP_KERNEL);
		@@ -578,9 +574,6 @@ struct kern_ipc_perm ipc_obtain_object_idr(struct ipc_ids ids, int id)
		struct kern_ipc_perm *out;
		int lid = ipcid_to_idx(id);

		if (unlikely(!ids->tables_initialized))
		return ERR_PTR(-EINVAL);

		out = idr_find(&ids->ipcs_idr, lid);
		if (!out)
		return ERR_PTR(-EINVAL);

Admin message