diff options
Diffstat (limited to 'ipc')
| -rw-r--r-- | ipc/mqueue.c | 16 | ||||
| -rw-r--r-- | ipc/sem.c | 46 |
2 files changed, 46 insertions, 16 deletions
diff --git a/ipc/mqueue.c b/ipc/mqueue.c index c93fd3faac2..c60e519e291 100644 --- a/ipc/mqueue.c +++ b/ipc/mqueue.c @@ -158,7 +158,7 @@ static struct inode *mqueue_get_inode(struct super_block *sb, u->mq_bytes + mq_bytes > task_rlimit(p, RLIMIT_MSGQUEUE)) { spin_unlock(&mq_lock); - /* mqueue_delete_inode() releases info->messages */ + /* mqueue_evict_inode() releases info->messages */ goto out_inode; } u->mq_bytes += mq_bytes; @@ -241,7 +241,7 @@ static void mqueue_destroy_inode(struct inode *inode) kmem_cache_free(mqueue_inode_cachep, MQUEUE_I(inode)); } -static void mqueue_delete_inode(struct inode *inode) +static void mqueue_evict_inode(struct inode *inode) { struct mqueue_inode_info *info; struct user_struct *user; @@ -249,10 +249,11 @@ static void mqueue_delete_inode(struct inode *inode) int i; struct ipc_namespace *ipc_ns; - if (S_ISDIR(inode->i_mode)) { - clear_inode(inode); + end_writeback(inode); + + if (S_ISDIR(inode->i_mode)) return; - } + ipc_ns = get_ns_from_inode(inode); info = MQUEUE_I(inode); spin_lock(&info->lock); @@ -261,8 +262,6 @@ static void mqueue_delete_inode(struct inode *inode) kfree(info->messages); spin_unlock(&info->lock); - clear_inode(inode); - /* Total amount of bytes accounted for the mqueue */ mq_bytes = info->attr.mq_maxmsg * (sizeof(struct msg_msg *) + info->attr.mq_msgsize); @@ -1225,9 +1224,8 @@ static const struct file_operations mqueue_file_operations = { static const struct super_operations mqueue_super_ops = { .alloc_inode = mqueue_alloc_inode, .destroy_inode = mqueue_destroy_inode, + .evict_inode = mqueue_evict_inode, .statfs = simple_statfs, - .delete_inode = mqueue_delete_inode, - .drop_inode = generic_delete_inode, }; static struct file_system_type mqueue_fs_type = { diff --git a/ipc/sem.c b/ipc/sem.c index 506c8491a8d..40a8f462a82 100644 --- a/ipc/sem.c +++ b/ipc/sem.c @@ -1256,6 +1256,33 @@ out: return un; } + +/** + * get_queue_result - Retrieve the result code from sem_queue + * @q: Pointer to queue structure + * + * Retrieve the return code from the pending queue. If IN_WAKEUP is found in + * q->status, then we must loop until the value is replaced with the final + * value: This may happen if a task is woken up by an unrelated event (e.g. + * signal) and in parallel the task is woken up by another task because it got + * the requested semaphores. + * + * The function can be called with or without holding the semaphore spinlock. + */ +static int get_queue_result(struct sem_queue *q) +{ + int error; + + error = q->status; + while (unlikely(error == IN_WAKEUP)) { + cpu_relax(); + error = q->status; + } + + return error; +} + + SYSCALL_DEFINE4(semtimedop, int, semid, struct sembuf __user *, tsops, unsigned, nsops, const struct timespec __user *, timeout) { @@ -1409,15 +1436,18 @@ SYSCALL_DEFINE4(semtimedop, int, semid, struct sembuf __user *, tsops, else schedule(); - error = queue.status; - while(unlikely(error == IN_WAKEUP)) { - cpu_relax(); - error = queue.status; - } + error = get_queue_result(&queue); if (error != -EINTR) { /* fast path: update_queue already obtained all requested - * resources */ + * resources. + * Perform a smp_mb(): User space could assume that semop() + * is a memory barrier: Without the mb(), the cpu could + * speculatively read in user space stale data that was + * overwritten by the previous owner of the semaphore. + */ + smp_mb(); + goto out_free; } @@ -1427,10 +1457,12 @@ SYSCALL_DEFINE4(semtimedop, int, semid, struct sembuf __user *, tsops, goto out_free; } + error = get_queue_result(&queue); + /* * If queue.status != -EINTR we are woken up by another process */ - error = queue.status; + if (error != -EINTR) { goto out_unlock_free; } |