Eric W. Biederman napisaĆ(a): > When enhancing do_shmat I forgot to take into account that shm_lock > is a spinlock, and was allocating memory with the lock held. > > This patch fixes that by grabbing a reference to the dentry and > mounts of shm_file before we drop the shm_lock and then performing > the memory allocations. > > This is also a bit of a general scrub on the error handling. > Everything is now forced through the single return statement > for clarity, and the handling of the return address now uses > fewer casts. > > Signed-off-by: Eric W. Biederman <[EMAIL PROTECTED]> > --- > ipc/shm.c | 56 ++++++++++++++++++++++++++++++++------------------------ > 1 files changed, 32 insertions(+), 24 deletions(-) > > diff --git a/ipc/shm.c b/ipc/shm.c > index e0b6544..26b935b 100644 > --- a/ipc/shm.c > +++ b/ipc/shm.c > @@ -815,15 +815,16 @@ long do_shmat(int shmid, char __user *shmaddr, int > shmflg, ulong *raddr) > unsigned long flags; > unsigned long prot; > int acc_mode; > - void *user_addr; > + unsigned long user_addr; > struct ipc_namespace *ns; > struct shm_file_data *sfd; > + struct path path; > mode_t f_mode; > > - if (shmid < 0) { > - err = -EINVAL; > + err = -EINVAL; > + if (shmid < 0) > goto out; > - } else if ((addr = (ulong)shmaddr)) { > + else if ((addr = (ulong)shmaddr)) { > if (addr & (SHMLBA-1)) { > if (shmflg & SHM_RND) > addr &= ~(SHMLBA-1); /* round down */ > @@ -831,12 +832,12 @@ long do_shmat(int shmid, char __user *shmaddr, int > shmflg, ulong *raddr) > #ifndef __ARCH_FORCE_SHMLBA > if (addr & ~PAGE_MASK) > #endif > - return -EINVAL; > + goto out; > } > flags = MAP_SHARED | MAP_FIXED; > } else { > if ((shmflg & SHM_REMAP)) > - return -EINVAL; > + goto out; > > flags = MAP_SHARED; > } > @@ -860,7 +861,6 @@ long do_shmat(int shmid, char __user *shmaddr, int > shmflg, ulong *raddr) > * additional creator id... > */ > ns = current->nsproxy->ipc_ns; > - err = -EINVAL; > shp = shm_lock(ns, shmid); > if(shp == NULL) > goto out; > @@ -877,19 +877,25 @@ long do_shmat(int shmid, char __user *shmaddr, int > shmflg, ulong *raddr) > if (err) > goto out_unlock; > > + path.dentry = dget(shp->shm_file->f_path.dentry); > + path.mnt = mntget(shp->shm_file->f_path.mnt); > + shp->shm_nattch++; > + size = i_size_read(path.dentry->d_inode); > + shm_unlock(shp); > + > err = -ENOMEM; > sfd = kzalloc(sizeof(*sfd), GFP_KERNEL); > if (!sfd) > - goto out_unlock; > + goto out_put_path; > > + err = -ENOMEM; > file = get_empty_filp(); > if (!file) > goto out_free; > > file->f_op = &shm_file_operations; > file->private_data = sfd; > - file->f_path.dentry = dget(shp->shm_file->f_path.dentry); > - file->f_path.mnt = mntget(shp->shm_file->f_path.mnt); > + file->f_path = path; > file->f_mapping = shp->shm_file->f_mapping; > file->f_mode = f_mode; > sfd->id = shp->id; > @@ -897,13 +903,9 @@ long do_shmat(int shmid, char __user *shmaddr, int > shmflg, ulong *raddr) > sfd->file = shp->shm_file; > sfd->vm_ops = NULL; > > - size = i_size_read(file->f_path.dentry->d_inode); > - shp->shm_nattch++; > - shm_unlock(shp); > - > down_write(¤t->mm->mmap_sem); > if (addr && !(shmflg & SHM_REMAP)) { > - user_addr = ERR_PTR(-EINVAL); > + err = -EINVAL; > if (find_vma_intersection(current->mm, addr, addr + size)) > goto invalid; > /* > @@ -915,13 +917,17 @@ long do_shmat(int shmid, char __user *shmaddr, int > shmflg, ulong *raddr) > goto invalid; > } > > - user_addr = (void*) do_mmap (file, addr, size, prot, flags, 0); > - > + user_addr = do_mmap (file, addr, size, prot, flags, 0); > + *raddr = user_addr; > + err = 0; > + if (IS_ERR_VALUE(user_addr)) > + err = (long)user_addr; > invalid: > up_write(¤t->mm->mmap_sem); > - > + > fput(file); > > +out_nattch: > mutex_lock(&shm_ids(ns).mutex); > shp = shm_lock(ns, shmid); > BUG_ON(!shp); > @@ -933,17 +939,19 @@ invalid:
^^^^ ??? > shm_unlock(shp); > mutex_unlock(&shm_ids(ns).mutex); > > - *raddr = (unsigned long) user_addr; > - err = 0; > - if (IS_ERR(user_addr)) > - err = PTR_ERR(user_addr); > out: > return err; > -out_free: > - kfree(sfd); > + > out_unlock: > shm_unlock(shp); > goto out; > + > +out_free: > + kfree(sfd); > +out_put_path: > + dput(path.dentry); > + mntput(path.mnt); > + goto out_nattch; > ^^^^ tabs > } > Regards, Michal -- Michal K. K. Piotrowski LTG - Linux Testers Group (PL) (http://www.stardust.webpages.pl/ltg/) LTG - Linux Testers Group (EN) (http://www.stardust.webpages.pl/linux_testers_group_en/) - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/