License cleanup: add SPDX GPL-2.0 license identifier to files with no license
Many source files in the tree are missing licensing information, which
makes it harder for compliance tools to determine the correct license.
By default all files without license information are under the default
license of the kernel, which is GPL version 2.
Update the files which contain no license information with the 'GPL-2.0'
SPDX license identifier. The SPDX identifier is a legally binding
shorthand, which can be used instead of the full boiler plate text.
This patch is based on work done by Thomas Gleixner and Kate Stewart and
Philippe Ombredanne.
How this work was done:
Patches were generated and checked against linux-4.14-rc6 for a subset of
the use cases:
- file had no licensing information it it.
- file was a */uapi/* one with no licensing information in it,
- file was a */uapi/* one with existing licensing information,
Further patches will be generated in subsequent months to fix up cases
where non-standard license headers were used, and references to license
had to be inferred by heuristics based on keywords.
The analysis to determine which SPDX License Identifier to be applied to
a file was done in a spreadsheet of side by side results from of the
output of two independent scanners (ScanCode & Windriver) producing SPDX
tag:value files created by Philippe Ombredanne. Philippe prepared the
base worksheet, and did an initial spot review of a few 1000 files.
The 4.13 kernel was the starting point of the analysis with 60,537 files
assessed. Kate Stewart did a file by file comparison of the scanner
results in the spreadsheet to determine which SPDX license identifier(s)
to be applied to the file. She confirmed any determination that was not
immediately clear with lawyers working with the Linux Foundation.
Criteria used to select files for SPDX license identifier tagging was:
- Files considered eligible had to be source code files.
- Make and config files were included as candidates if they contained >5
lines of source
- File already had some variant of a license header in it (even if <5
lines).
All documentation files were explicitly excluded.
The following heuristics were used to determine which SPDX license
identifiers to apply.
- when both scanners couldn't find any license traces, file was
considered to have no license information in it, and the top level
COPYING file license applied.
For non */uapi/* files that summary was:
SPDX license identifier # files
---------------------------------------------------|-------
GPL-2.0 11139
and resulted in the first patch in this series.
If that file was a */uapi/* path one, it was "GPL-2.0 WITH
Linux-syscall-note" otherwise it was "GPL-2.0". Results of that was:
SPDX license identifier # files
---------------------------------------------------|-------
GPL-2.0 WITH Linux-syscall-note 930
and resulted in the second patch in this series.
- if a file had some form of licensing information in it, and was one
of the */uapi/* ones, it was denoted with the Linux-syscall-note if
any GPL family license was found in the file or had no licensing in
it (per prior point). Results summary:
SPDX license identifier # files
---------------------------------------------------|------
GPL-2.0 WITH Linux-syscall-note 270
GPL-2.0+ WITH Linux-syscall-note 169
((GPL-2.0 WITH Linux-syscall-note) OR BSD-2-Clause) 21
((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause) 17
LGPL-2.1+ WITH Linux-syscall-note 15
GPL-1.0+ WITH Linux-syscall-note 14
((GPL-2.0+ WITH Linux-syscall-note) OR BSD-3-Clause) 5
LGPL-2.0+ WITH Linux-syscall-note 4
LGPL-2.1 WITH Linux-syscall-note 3
((GPL-2.0 WITH Linux-syscall-note) OR MIT) 3
((GPL-2.0 WITH Linux-syscall-note) AND MIT) 1
and that resulted in the third patch in this series.
- when the two scanners agreed on the detected license(s), that became
the concluded license(s).
- when there was disagreement between the two scanners (one detected a
license but the other didn't, or they both detected different
licenses) a manual inspection of the file occurred.
- In most cases a manual inspection of the information in the file
resulted in a clear resolution of the license that should apply (and
which scanner probably needed to revisit its heuristics).
- When it was not immediately clear, the license identifier was
confirmed with lawyers working with the Linux Foundation.
- If there was any question as to the appropriate license identifier,
the file was flagged for further research and to be revisited later
in time.
In total, over 70 hours of logged manual review was done on the
spreadsheet to determine the SPDX license identifiers to apply to the
source files by Kate, Philippe, Thomas and, in some cases, confirmation
by lawyers working with the Linux Foundation.
Kate also obtained a third independent scan of the 4.13 code base from
FOSSology, and compared selected files where the other two scanners
disagreed against that SPDX file, to see if there was new insights. The
Windriver scanner is based on an older version of FOSSology in part, so
they are related.
Thomas did random spot checks in about 500 files from the spreadsheets
for the uapi headers and agreed with SPDX license identifier in the
files he inspected. For the non-uapi files Thomas did random spot checks
in about 15000 files.
In initial set of patches against 4.14-rc6, 3 files were found to have
copy/paste license identifier errors, and have been fixed to reflect the
correct identifier.
Additionally Philippe spent 10 hours this week doing a detailed manual
inspection and review of the 12,461 patched files from the initial patch
version early this week with:
- a full scancode scan run, collecting the matched texts, detected
license ids and scores
- reviewing anything where there was a license detected (about 500+
files) to ensure that the applied SPDX license was correct
- reviewing anything where there was no detection but the patch license
was not GPL-2.0 WITH Linux-syscall-note to ensure that the applied
SPDX license was correct
This produced a worksheet with 20 files needing minor correction. This
worksheet was then exported into 3 different .csv files for the
different types of files to be modified.
These .csv files were then reviewed by Greg. Thomas wrote a script to
parse the csv files and add the proper SPDX tag to the file, in the
format that the file expected. This script was further refined by Greg
based on the output to detect more types of files automatically and to
distinguish between header and source .c files (which need different
comment types.) Finally Greg ran the script using the .csv files to
generate the patches.
Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org>
Reviewed-by: Philippe Ombredanne <pombredanne@nexb.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-11-01 17:07:57 +03:00
/* SPDX-License-Identifier: GPL-2.0 */
2005-04-17 02:20:36 +04:00
/*
* linux / ipc / util . h
* Copyright ( C ) 1999 Christoph Rohland
*
2006-01-15 04:43:54 +03:00
* ipc helper functions ( c ) 1999 Manfred Spraul < manfred @ colorfullife . com >
2006-10-02 13:18:20 +04:00
* namespaces support . 2006 OpenVZ , SWsoft Inc .
* Pavel Emelianov < xemul @ openvz . org >
2005-04-17 02:20:36 +04:00
*/
# ifndef _IPC_UTIL_H
# define _IPC_UTIL_H
2009-06-20 04:23:29 +04:00
# include <linux/unistd.h>
2007-10-19 10:40:51 +04:00
# include <linux/err.h>
2017-11-18 02:31:18 +03:00
# include <linux/ipc_namespace.h>
2007-10-19 10:40:48 +04:00
2018-03-23 05:45:50 +03:00
# define IPCMNI 32768 /* <= MAX_INT limit for ipc arrays (including sysctl changes) */
2005-04-17 02:20:36 +04:00
# define SEQ_MULTIPLIER (IPCMNI)
2018-08-22 08:01:56 +03:00
void sem_init ( void ) ;
void msg_init ( void ) ;
2014-01-28 05:07:04 +04:00
void shm_init ( void ) ;
2005-04-17 02:20:36 +04:00
2008-02-08 15:18:22 +03:00
struct ipc_namespace ;
2018-03-23 08:22:05 +03:00
struct pid_namespace ;
2008-02-08 15:18:22 +03:00
2009-04-07 06:01:08 +04:00
# ifdef CONFIG_POSIX_MQUEUE
namespaces: ipc namespaces: implement support for posix msqueues
Implement multiple mounts of the mqueue file system, and link it to usage
of CLONE_NEWIPC.
Each ipc ns has a corresponding mqueuefs superblock. When a user does
clone(CLONE_NEWIPC) or unshare(CLONE_NEWIPC), the unshare will cause an
internal mount of a new mqueuefs sb linked to the new ipc ns.
When a user does 'mount -t mqueue mqueue /dev/mqueue', he mounts the
mqueuefs superblock.
Posix message queues can be worked with both through the mq_* system calls
(see mq_overview(7)), and through the VFS through the mqueue mount. Any
usage of mq_open() and friends will work with the acting task's ipc
namespace. Any actions through the VFS will work with the mqueuefs in
which the file was created. So if a user doesn't remount mqueuefs after
unshare(CLONE_NEWIPC), mq_open("/ab") will not be reflected in "ls
/dev/mqueue".
If task a mounts mqueue for ipc_ns:1, then clones task b with a new ipcns,
ipcns:2, and then task a is the last task in ipc_ns:1 to exit, then (1)
ipc_ns:1 will be freed, (2) it's superblock will live on until task b
umounts the corresponding mqueuefs, and vfs actions will continue to
succeed, but (3) sb->s_fs_info will be NULL for the sb corresponding to
the deceased ipc_ns:1.
To make this happen, we must protect the ipc reference count when
a) a task exits and drops its ipcns->count, since it might be dropping
it to 0 and freeing the ipcns
b) a task accesses the ipcns through its mqueuefs interface, since it
bumps the ipcns refcount and might race with the last task in the ipcns
exiting.
So the kref is changed to an atomic_t so we can use
atomic_dec_and_lock(&ns->count,mq_lock), and every access to the ipcns
through ns = mqueuefs_sb->s_fs_info is protected by the same lock.
Signed-off-by: Cedric Le Goater <clg@fr.ibm.com>
Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-04-07 06:01:10 +04:00
extern void mq_clear_sbinfo ( struct ipc_namespace * ns ) ;
extern void mq_put_mnt ( struct ipc_namespace * ns ) ;
2009-04-07 06:01:08 +04:00
# else
namespaces: ipc namespaces: implement support for posix msqueues
Implement multiple mounts of the mqueue file system, and link it to usage
of CLONE_NEWIPC.
Each ipc ns has a corresponding mqueuefs superblock. When a user does
clone(CLONE_NEWIPC) or unshare(CLONE_NEWIPC), the unshare will cause an
internal mount of a new mqueuefs sb linked to the new ipc ns.
When a user does 'mount -t mqueue mqueue /dev/mqueue', he mounts the
mqueuefs superblock.
Posix message queues can be worked with both through the mq_* system calls
(see mq_overview(7)), and through the VFS through the mqueue mount. Any
usage of mq_open() and friends will work with the acting task's ipc
namespace. Any actions through the VFS will work with the mqueuefs in
which the file was created. So if a user doesn't remount mqueuefs after
unshare(CLONE_NEWIPC), mq_open("/ab") will not be reflected in "ls
/dev/mqueue".
If task a mounts mqueue for ipc_ns:1, then clones task b with a new ipcns,
ipcns:2, and then task a is the last task in ipc_ns:1 to exit, then (1)
ipc_ns:1 will be freed, (2) it's superblock will live on until task b
umounts the corresponding mqueuefs, and vfs actions will continue to
succeed, but (3) sb->s_fs_info will be NULL for the sb corresponding to
the deceased ipc_ns:1.
To make this happen, we must protect the ipc reference count when
a) a task exits and drops its ipcns->count, since it might be dropping
it to 0 and freeing the ipcns
b) a task accesses the ipcns through its mqueuefs interface, since it
bumps the ipcns refcount and might race with the last task in the ipcns
exiting.
So the kref is changed to an atomic_t so we can use
atomic_dec_and_lock(&ns->count,mq_lock), and every access to the ipcns
through ns = mqueuefs_sb->s_fs_info is protected by the same lock.
Signed-off-by: Cedric Le Goater <clg@fr.ibm.com>
Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-04-07 06:01:10 +04:00
static inline void mq_clear_sbinfo ( struct ipc_namespace * ns ) { }
static inline void mq_put_mnt ( struct ipc_namespace * ns ) { }
2009-04-07 06:01:08 +04:00
# endif
# ifdef CONFIG_SYSVIPC
2018-08-22 08:01:56 +03:00
void sem_init_ns ( struct ipc_namespace * ns ) ;
void msg_init_ns ( struct ipc_namespace * ns ) ;
void shm_init_ns ( struct ipc_namespace * ns ) ;
2006-10-02 13:18:20 +04:00
void sem_exit_ns ( struct ipc_namespace * ns ) ;
void msg_exit_ns ( struct ipc_namespace * ns ) ;
void shm_exit_ns ( struct ipc_namespace * ns ) ;
2009-04-07 06:01:08 +04:00
# else
2018-08-22 08:01:56 +03:00
static inline void sem_init_ns ( struct ipc_namespace * ns ) { }
static inline void msg_init_ns ( struct ipc_namespace * ns ) { }
static inline void shm_init_ns ( struct ipc_namespace * ns ) { }
2009-04-07 06:01:08 +04:00
static inline void sem_exit_ns ( struct ipc_namespace * ns ) { }
static inline void msg_exit_ns ( struct ipc_namespace * ns ) { }
static inline void shm_exit_ns ( struct ipc_namespace * ns ) { }
# endif
2006-10-02 13:18:20 +04:00
2007-10-19 10:40:49 +04:00
/*
* Structure that holds the parameters needed by the ipc operations
* ( see after )
*/
struct ipc_params {
key_t key ;
int flg ;
union {
size_t size ; /* for shared memories */
int nsems ; /* for semaphores */
} u ; /* holds the getnew() specific param */
} ;
/*
* Structure that holds some ipc operations . This structure is used to unify
* the calls to sys_msgget ( ) , sys_semget ( ) , sys_shmget ( )
* . routine to call to create a new ipc object . Can be one of newque ,
* newary , newseg
2007-10-19 10:40:53 +04:00
* . routine to call to check permissions for a new ipc object .
2007-10-19 10:40:49 +04:00
* Can be one of security_msg_associate , security_sem_associate ,
* security_shm_associate
* . routine to call for an extra check if needed
*/
struct ipc_ops {
2014-06-07 01:37:37 +04:00
int ( * getnew ) ( struct ipc_namespace * , struct ipc_params * ) ;
int ( * associate ) ( struct kern_ipc_perm * , int ) ;
int ( * more_checks ) ( struct kern_ipc_perm * , struct ipc_params * ) ;
2007-10-19 10:40:49 +04:00
} ;
2005-09-07 02:17:09 +04:00
struct seq_file ;
2008-02-08 15:18:57 +03:00
struct ipc_ids ;
2007-07-16 10:40:58 +04:00
2018-08-22 08:01:56 +03:00
void ipc_init_ids ( struct ipc_ids * ids ) ;
2005-09-07 02:17:09 +04:00
# ifdef CONFIG_PROC_FS
void __init ipc_init_proc_interface ( const char * path , const char * header ,
2006-10-02 13:18:20 +04:00
int ids , int ( * show ) ( struct seq_file * , void * ) ) ;
2018-03-23 08:22:05 +03:00
struct pid_namespace * ipc_seq_pid_ns ( struct seq_file * ) ;
2005-09-07 02:17:09 +04:00
# else
# define ipc_init_proc_interface(path, header, ids, show) do {} while (0)
# endif
2005-04-17 02:20:36 +04:00
2006-10-02 13:18:20 +04:00
# define IPC_SEM_IDS 0
# define IPC_MSG_IDS 1
# define IPC_SHM_IDS 2
2007-10-19 10:40:52 +04:00
# define ipcid_to_idx(id) ((id) % SEQ_MULTIPLIER)
2013-01-05 03:34:50 +04:00
# define ipcid_to_seqx(id) ((id) / SEQ_MULTIPLIER)
2014-01-28 05:07:09 +04:00
# define IPCID_SEQ_MAX min_t(int, INT_MAX / SEQ_MULTIPLIER, USHRT_MAX)
2007-10-19 10:40:52 +04:00
2013-09-12 01:26:24 +04:00
/* must be called with ids->rwsem acquired for writing */
2007-10-19 10:40:48 +04:00
int ipc_addid ( struct ipc_ids * , struct kern_ipc_perm * , int ) ;
2007-10-19 10:40:54 +04:00
2005-04-17 02:20:36 +04:00
/* must be called with both locks acquired. */
2007-10-19 10:40:48 +04:00
void ipc_rmid ( struct ipc_ids * , struct kern_ipc_perm * ) ;
2005-04-17 02:20:36 +04:00
ipc: optimize semget/shmget/msgget for lots of keys
ipc_findkey() used to scan all objects to look for the wanted key. This
is slow when using a high number of keys. This change adds an rhashtable
of kern_ipc_perm objects in ipc_ids, so that one lookup cease to be O(n).
This change gives a 865% improvement of benchmark reaim.jobs_per_min on a
56 threads Intel(R) Xeon(R) CPU E5-2695 v3 @ 2.30GHz with 256G memory [1]
Other (more micro) benchmark results, by the author: On an i5 laptop, the
following loop executed right after a reboot took, without and with this
change:
for (int i = 0, k=0x424242; i < KEYS; ++i)
semget(k++, 1, IPC_CREAT | 0600);
total total max single max single
KEYS without with call without call with
1 3.5 4.9 µs 3.5 4.9
10 7.6 8.6 µs 3.7 4.7
32 16.2 15.9 µs 4.3 5.3
100 72.9 41.8 µs 3.7 4.7
1000 5,630.0 502.0 µs * *
10000 1,340,000.0 7,240.0 µs * *
31900 17,600,000.0 22,200.0 µs * *
*: unreliable measure: high variance
The duration for a lookup-only usage was obtained by the same loop once
the keys are present:
total total max single max single
KEYS without with call without call with
1 2.1 2.5 µs 2.1 2.5
10 4.5 4.8 µs 2.2 2.3
32 13.0 10.8 µs 2.3 2.8
100 82.9 25.1 µs * 2.3
1000 5,780.0 217.0 µs * *
10000 1,470,000.0 2,520.0 µs * *
31900 17,400,000.0 7,810.0 µs * *
Finally, executing each semget() in a new process gave, when still
summing only the durations of these syscalls:
creation:
total total
KEYS without with
1 3.7 5.0 µs
10 32.9 36.7 µs
32 125.0 109.0 µs
100 523.0 353.0 µs
1000 20,300.0 3,280.0 µs
10000 2,470,000.0 46,700.0 µs
31900 27,800,000.0 219,000.0 µs
lookup-only:
total total
KEYS without with
1 2.5 2.7 µs
10 25.4 24.4 µs
32 106.0 72.6 µs
100 591.0 352.0 µs
1000 22,400.0 2,250.0 µs
10000 2,510,000.0 25,700.0 µs
31900 28,200,000.0 115,000.0 µs
[1] http://lkml.kernel.org/r/20170814060507.GE23258@yexl-desktop
Link: http://lkml.kernel.org/r/20170815194954.ck32ta2z35yuzpwp@debix
Signed-off-by: Guillaume Knispel <guillaume.knispel@supersonicimagine.com>
Reviewed-by: Marc Pardo <marc.pardo@supersonicimagine.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Kees Cook <keescook@chromium.org>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: "Peter Zijlstra (Intel)" <peterz@infradead.org>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc: Serge Hallyn <serge@hallyn.com>
Cc: Andrey Vagin <avagin@openvz.org>
Cc: Guillaume Knispel <guillaume.knispel@supersonicimagine.com>
Cc: Marc Pardo <marc.pardo@supersonicimagine.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-09-09 02:17:55 +03:00
/* must be called with both locks acquired. */
void ipc_set_key_private ( struct ipc_ids * , struct kern_ipc_perm * ) ;
2007-10-19 10:40:53 +04:00
/* must be called with ipcp locked */
2011-03-24 02:43:24 +03:00
int ipcperms ( struct ipc_namespace * ns , struct kern_ipc_perm * ipcp , short flg ) ;
2005-04-17 02:20:36 +04:00
2017-11-18 02:31:18 +03:00
/**
2018-08-22 08:02:00 +03:00
* ipc_get_maxidx - get the highest assigned index
2017-11-18 02:31:18 +03:00
* @ ids : ipc identifier set
*
* Called with ipc_ids . rwsem held for reading .
*/
2018-08-22 08:02:00 +03:00
static inline int ipc_get_maxidx ( struct ipc_ids * ids )
2017-11-18 02:31:18 +03:00
{
if ( ids - > in_use = = 0 )
return - 1 ;
if ( ids - > in_use = = IPCMNI )
return IPCMNI - 1 ;
2018-08-22 08:02:00 +03:00
return ids - > max_idx ;
2017-11-18 02:31:18 +03:00
}
2005-04-17 02:20:36 +04:00
/*
* For allocation that need to be freed by RCU .
* Objects are reference counted , they start with reference count 1.
* getref increases the refcount , the putref call that reduces the recount
* to 0 schedules the rcu destruction . Caller must guarantee locking .
2017-07-13 00:35:34 +03:00
*
* refcount is initialized by ipc_addid ( ) , before that point call_rcu ( )
* must be used .
2005-04-17 02:20:36 +04:00
*/
2018-08-22 08:02:04 +03:00
bool ipc_rcu_getref ( struct kern_ipc_perm * ptr ) ;
2017-07-13 00:34:41 +03:00
void ipc_rcu_putref ( struct kern_ipc_perm * ptr ,
void ( * func ) ( struct rcu_head * head ) ) ;
2005-04-17 02:20:36 +04:00
2015-07-01 00:58:42 +03:00
struct kern_ipc_perm * ipc_obtain_object_idr ( struct ipc_ids * ids , int id ) ;
2005-04-17 02:20:36 +04:00
void kernel_to_ipc64_perm ( struct kern_ipc_perm * in , struct ipc64_perm * out ) ;
void ipc64_perm_to_ipc_perm ( struct ipc64_perm * in , struct ipc_perm * out ) ;
2012-02-08 04:54:11 +04:00
int ipc_update_perm ( struct ipc64_perm * in , struct kern_ipc_perm * out ) ;
2018-08-22 08:01:34 +03:00
struct kern_ipc_perm * ipcctl_obtain_check ( struct ipc_namespace * ns ,
2013-05-01 06:15:24 +04:00
struct ipc_ids * ids , int id , int cmd ,
struct ipc64_perm * perm , int extra_perm ) ;
2005-04-17 02:20:36 +04:00
2018-03-23 08:22:05 +03:00
static inline void ipc_update_pid ( struct pid * * pos , struct pid * pid )
{
struct pid * old = * pos ;
if ( old ! = pid ) {
* pos = get_pid ( pid ) ;
put_pid ( old ) ;
}
}
2012-07-31 01:42:46 +04:00
# ifndef CONFIG_ARCH_WANT_IPC_PARSE_VERSION
2014-06-07 01:37:37 +04:00
/* On IA-64, we always use the "64-bit version" of the IPC structures. */
2005-04-17 02:20:36 +04:00
# define ipc_parse_version(cmd) IPC_64
# else
2014-01-28 05:07:04 +04:00
int ipc_parse_version ( int * cmd ) ;
2005-04-17 02:20:36 +04:00
# endif
extern void free_msg ( struct msg_msg * msg ) ;
ipc, msg: fix message length check for negative values
On 64 bit systems the test for negative message sizes is bogus as the
size, which may be positive when evaluated as a long, will get truncated
to an int when passed to load_msg(). So a long might very well contain a
positive value but when truncated to an int it would become negative.
That in combination with a small negative value of msg_ctlmax (which will
be promoted to an unsigned type for the comparison against msgsz, making
it a big positive value and therefore make it pass the check) will lead to
two problems: 1/ The kmalloc() call in alloc_msg() will allocate a too
small buffer as the addition of alen is effectively a subtraction. 2/ The
copy_from_user() call in load_msg() will first overflow the buffer with
userland data and then, when the userland access generates an access
violation, the fixup handler copy_user_handle_tail() will try to fill the
remainder with zeros -- roughly 4GB. That almost instantly results in a
system crash or reset.
,-[ Reproducer (needs to be run as root) ]--
| #include <sys/stat.h>
| #include <sys/msg.h>
| #include <unistd.h>
| #include <fcntl.h>
|
| int main(void) {
| long msg = 1;
| int fd;
|
| fd = open("/proc/sys/kernel/msgmax", O_WRONLY);
| write(fd, "-1", 2);
| close(fd);
|
| msgsnd(0, &msg, 0xfffffff0, IPC_NOWAIT);
|
| return 0;
| }
'---
Fix the issue by preventing msgsz from getting truncated by consistently
using size_t for the message length. This way the size checks in
do_msgsnd() could still be passed with a negative value for msg_ctlmax but
we would fail on the buffer allocation in that case and error out.
Also change the type of m_ts from int to size_t to avoid similar nastiness
in other code paths -- it is used in similar constructs, i.e. signed vs.
unsigned checks. It should never become negative under normal
circumstances, though.
Setting msg_ctlmax to a negative value is an odd configuration and should
be prevented. As that might break existing userland, it will be handled
in a separate commit so it could easily be reverted and reworked without
reintroducing the above described bug.
Hardening mechanisms for user copy operations would have catched that bug
early -- e.g. checking slab object sizes on user copy operations as the
usercopy feature of the PaX patch does. Or, for that matter, detect the
long vs. int sign change due to truncation, as the size overflow plugin
of the very same patch does.
[akpm@linux-foundation.org: fix i386 min() warnings]
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Pax Team <pageexec@freemail.hu>
Cc: Davidlohr Bueso <davidlohr@hp.com>
Cc: Brad Spengler <spender@grsecurity.net>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: <stable@vger.kernel.org> [ v2.3.27+ -- yes, that old ;) ]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-11-13 03:11:47 +04:00
extern struct msg_msg * load_msg ( const void __user * src , size_t len ) ;
2013-01-05 03:34:55 +04:00
extern struct msg_msg * copy_msg ( struct msg_msg * src , struct msg_msg * dst ) ;
ipc, msg: fix message length check for negative values
On 64 bit systems the test for negative message sizes is bogus as the
size, which may be positive when evaluated as a long, will get truncated
to an int when passed to load_msg(). So a long might very well contain a
positive value but when truncated to an int it would become negative.
That in combination with a small negative value of msg_ctlmax (which will
be promoted to an unsigned type for the comparison against msgsz, making
it a big positive value and therefore make it pass the check) will lead to
two problems: 1/ The kmalloc() call in alloc_msg() will allocate a too
small buffer as the addition of alen is effectively a subtraction. 2/ The
copy_from_user() call in load_msg() will first overflow the buffer with
userland data and then, when the userland access generates an access
violation, the fixup handler copy_user_handle_tail() will try to fill the
remainder with zeros -- roughly 4GB. That almost instantly results in a
system crash or reset.
,-[ Reproducer (needs to be run as root) ]--
| #include <sys/stat.h>
| #include <sys/msg.h>
| #include <unistd.h>
| #include <fcntl.h>
|
| int main(void) {
| long msg = 1;
| int fd;
|
| fd = open("/proc/sys/kernel/msgmax", O_WRONLY);
| write(fd, "-1", 2);
| close(fd);
|
| msgsnd(0, &msg, 0xfffffff0, IPC_NOWAIT);
|
| return 0;
| }
'---
Fix the issue by preventing msgsz from getting truncated by consistently
using size_t for the message length. This way the size checks in
do_msgsnd() could still be passed with a negative value for msg_ctlmax but
we would fail on the buffer allocation in that case and error out.
Also change the type of m_ts from int to size_t to avoid similar nastiness
in other code paths -- it is used in similar constructs, i.e. signed vs.
unsigned checks. It should never become negative under normal
circumstances, though.
Setting msg_ctlmax to a negative value is an odd configuration and should
be prevented. As that might break existing userland, it will be handled
in a separate commit so it could easily be reverted and reworked without
reintroducing the above described bug.
Hardening mechanisms for user copy operations would have catched that bug
early -- e.g. checking slab object sizes on user copy operations as the
usercopy feature of the PaX patch does. Or, for that matter, detect the
long vs. int sign change due to truncation, as the size overflow plugin
of the very same patch does.
[akpm@linux-foundation.org: fix i386 min() warnings]
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Pax Team <pageexec@freemail.hu>
Cc: Davidlohr Bueso <davidlohr@hp.com>
Cc: Brad Spengler <spender@grsecurity.net>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: <stable@vger.kernel.org> [ v2.3.27+ -- yes, that old ;) ]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-11-13 03:11:47 +04:00
extern int store_msg ( void __user * dest , struct msg_msg * msg , size_t len ) ;
2007-10-19 10:40:49 +04:00
2018-08-22 08:02:00 +03:00
static inline int ipc_checkid ( struct kern_ipc_perm * ipcp , int id )
2007-10-19 10:40:51 +04:00
{
2018-08-22 08:02:00 +03:00
return ipcid_to_seqx ( id ) ! = ipcp - > seq ;
2007-10-19 10:40:51 +04:00
}
2013-07-09 03:01:10 +04:00
static inline void ipc_lock_object ( struct kern_ipc_perm * perm )
2007-10-19 10:40:51 +04:00
{
spin_lock ( & perm - > lock ) ;
}
2013-07-09 03:01:10 +04:00
static inline void ipc_unlock_object ( struct kern_ipc_perm * perm )
2007-10-19 10:40:51 +04:00
{
spin_unlock ( & perm - > lock ) ;
}
2013-07-09 03:01:10 +04:00
static inline void ipc_assert_locked_object ( struct kern_ipc_perm * perm )
ipc,sem: do not hold ipc lock more than necessary
Instead of holding the ipc lock for permissions and security checks, among
others, only acquire it when necessary.
Some numbers....
1) With Rik's semop-multi.c microbenchmark we can see the following
results:
Baseline (3.9-rc1):
cpus 4, threads: 256, semaphores: 128, test duration: 30 secs
total operations: 151452270, ops/sec 5048409
+ 59.40% a.out [kernel.kallsyms] [k] _raw_spin_lock
+ 6.14% a.out [kernel.kallsyms] [k] sys_semtimedop
+ 3.84% a.out [kernel.kallsyms] [k] avc_has_perm_flags
+ 3.64% a.out [kernel.kallsyms] [k] __audit_syscall_exit
+ 2.06% a.out [kernel.kallsyms] [k] copy_user_enhanced_fast_string
+ 1.86% a.out [kernel.kallsyms] [k] ipc_lock
With this patchset:
cpus 4, threads: 256, semaphores: 128, test duration: 30 secs
total operations: 273156400, ops/sec 9105213
+ 18.54% a.out [kernel.kallsyms] [k] _raw_spin_lock
+ 11.72% a.out [kernel.kallsyms] [k] sys_semtimedop
+ 7.70% a.out [kernel.kallsyms] [k] ipc_has_perm.isra.21
+ 6.58% a.out [kernel.kallsyms] [k] avc_has_perm_flags
+ 6.54% a.out [kernel.kallsyms] [k] __audit_syscall_exit
+ 4.71% a.out [kernel.kallsyms] [k] ipc_obtain_object_check
2) While on an Oracle swingbench DSS (data mining) workload the
improvements are not as exciting as with Rik's benchmark, we can see
some positive numbers. For an 8 socket machine the following are the
percentages of %sys time incurred in the ipc lock:
Baseline (3.9-rc1):
100 swingbench users: 8,74%
400 swingbench users: 21,86%
800 swingbench users: 84,35%
With this patchset:
100 swingbench users: 8,11%
400 swingbench users: 19,93%
800 swingbench users: 77,69%
[riel@redhat.com: fix two locking bugs]
[sasha.levin@oracle.com: prevent releasing RCU read lock twice in semctl_main]
[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Davidlohr Bueso <davidlohr.bueso@hp.com>
Signed-off-by: Rik van Riel <riel@redhat.com>
Reviewed-by: Chegu Vinod <chegu_vinod@hp.com>
Acked-by: Michel Lespinasse <walken@google.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Jason Low <jason.low2@hp.com>
Cc: Emmanuel Benisty <benisty.e@gmail.com>
Cc: Peter Hurley <peter@hurleysoftware.com>
Cc: Stanislav Kinsbursky <skinsbursky@parallels.com>
Tested-by: Sedat Dilek <sedat.dilek@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-05-01 06:15:29 +04:00
{
2013-07-09 03:01:10 +04:00
assert_spin_locked ( & perm - > lock ) ;
}
static inline void ipc_unlock ( struct kern_ipc_perm * perm )
{
2013-07-09 03:01:11 +04:00
ipc_unlock_object ( perm ) ;
2013-07-09 03:01:10 +04:00
rcu_read_unlock ( ) ;
}
2014-01-28 05:07:01 +04:00
/*
* ipc_valid_object ( ) - helper to sort out IPC_RMID races for codepaths
* where the respective ipc_ids . rwsem is not being held down .
* Checks whether the ipc object is still around or if it ' s gone already , as
* ipc_rmid ( ) may have already freed the ID while the ipc lock was spinning .
* Needs to be called with kern_ipc_perm . lock held - - exception made for one
* checkpoint case at sys_semtimedop ( ) as noted in code commentary .
*/
static inline bool ipc_valid_object ( struct kern_ipc_perm * perm )
{
2014-01-28 05:07:02 +04:00
return ! perm - > deleted ;
2014-01-28 05:07:01 +04:00
}
2013-05-01 06:15:19 +04:00
struct kern_ipc_perm * ipc_obtain_object_check ( struct ipc_ids * ids , int id ) ;
2008-02-08 15:18:54 +03:00
int ipcget ( struct ipc_namespace * ns , struct ipc_ids * ids ,
2014-06-07 01:37:36 +04:00
const struct ipc_ops * ops , struct ipc_params * params ) ;
2009-06-18 03:27:57 +04:00
void free_ipcs ( struct ipc_namespace * ns , struct ipc_ids * ids ,
void ( * free ) ( struct ipc_namespace * , struct kern_ipc_perm * ) ) ;
2017-07-09 05:52:47 +03:00
2018-10-31 01:07:24 +03:00
static inline int sem_check_semmni ( struct ipc_namespace * ns ) {
/*
* Check semmni range [ 0 , IPCMNI ]
* semmni is the last element of sem_ctls [ 4 ] array
*/
return ( ( ns - > sem_ctls [ 3 ] < 0 ) | | ( ns - > sem_ctls [ 3 ] > IPCMNI ) )
? - ERANGE : 0 ;
}
2017-07-09 05:52:47 +03:00
# ifdef CONFIG_COMPAT
# include <linux/compat.h>
struct compat_ipc_perm {
key_t key ;
__compat_uid_t uid ;
__compat_gid_t gid ;
__compat_uid_t cuid ;
__compat_gid_t cgid ;
compat_mode_t mode ;
unsigned short seq ;
} ;
2017-07-09 17:03:23 +03:00
void to_compat_ipc_perm ( struct compat_ipc_perm * , struct ipc64_perm * ) ;
void to_compat_ipc64_perm ( struct compat_ipc64_perm * , struct ipc64_perm * ) ;
int get_compat_ipc_perm ( struct ipc64_perm * , struct compat_ipc_perm __user * ) ;
int get_compat_ipc64_perm ( struct ipc64_perm * ,
struct compat_ipc64_perm __user * ) ;
2017-07-09 05:52:47 +03:00
static inline int compat_ipc_parse_version ( int * cmd )
{
# ifdef CONFIG_ARCH_WANT_COMPAT_IPC_PARSE_VERSION
int version = * cmd & IPC_64 ;
* cmd & = ~ IPC_64 ;
return version ;
# else
return IPC_64 ;
# endif
}
# endif
2018-03-20 21:48:14 +03:00
/* for __ARCH_WANT_SYS_IPC */
long ksys_semtimedop ( int semid , struct sembuf __user * tsops ,
unsigned int nsops ,
2018-04-13 14:58:00 +03:00
const struct __kernel_timespec __user * timeout ) ;
2018-03-20 21:53:58 +03:00
long ksys_semget ( key_t key , int nsems , int semflg ) ;
2018-03-20 22:00:39 +03:00
long ksys_semctl ( int semid , int semnum , int cmd , unsigned long arg ) ;
2018-03-20 22:06:04 +03:00
long ksys_msgget ( key_t key , int msgflg ) ;
2018-03-20 22:15:28 +03:00
long ksys_msgctl ( int msqid , int cmd , struct msqid_ds __user * buf ) ;
2018-03-20 23:25:57 +03:00
long ksys_msgrcv ( int msqid , struct msgbuf __user * msgp , size_t msgsz ,
long msgtyp , int msgflg ) ;
2018-03-20 23:29:00 +03:00
long ksys_msgsnd ( int msqid , struct msgbuf __user * msgp , size_t msgsz ,
int msgflg ) ;
2018-03-20 22:07:53 +03:00
long ksys_shmget ( key_t key , size_t size , int shmflg ) ;
2018-03-20 22:09:48 +03:00
long ksys_shmdt ( char __user * shmaddr ) ;
2018-03-20 22:12:33 +03:00
long ksys_shmctl ( int shmid , int cmd , struct shmid_ds __user * buf ) ;
2018-03-20 21:48:14 +03:00
/* for CONFIG_ARCH_WANT_OLD_COMPAT_IPC */
long compat_ksys_semtimedop ( int semid , struct sembuf __user * tsems ,
unsigned int nsops ,
y2038: globally rename compat_time to old_time32
Christoph Hellwig suggested a slightly different path for handling
backwards compatibility with the 32-bit time_t based system calls:
Rather than simply reusing the compat_sys_* entry points on 32-bit
architectures unchanged, we get rid of those entry points and the
compat_time types by renaming them to something that makes more sense
on 32-bit architectures (which don't have a compat mode otherwise),
and then share the entry points under the new name with the 64-bit
architectures that use them for implementing the compatibility.
The following types and interfaces are renamed here, and moved
from linux/compat_time.h to linux/time32.h:
old new
--- ---
compat_time_t old_time32_t
struct compat_timeval struct old_timeval32
struct compat_timespec struct old_timespec32
struct compat_itimerspec struct old_itimerspec32
ns_to_compat_timeval() ns_to_old_timeval32()
get_compat_itimerspec64() get_old_itimerspec32()
put_compat_itimerspec64() put_old_itimerspec32()
compat_get_timespec64() get_old_timespec32()
compat_put_timespec64() put_old_timespec32()
As we already have aliases in place, this patch addresses only the
instances that are relevant to the system call interface in particular,
not those that occur in device drivers and other modules. Those
will get handled separately, while providing the 64-bit version
of the respective interfaces.
I'm not renaming the timex, rusage and itimerval structures, as we are
still debating what the new interface will look like, and whether we
will need a replacement at all.
This also doesn't change the names of the syscall entry points, which can
be done more easily when we actually switch over the 32-bit architectures
to use them, at that point we need to change COMPAT_SYSCALL_DEFINEx to
SYSCALL_DEFINEx with a new name, e.g. with a _time32 suffix.
Suggested-by: Christoph Hellwig <hch@infradead.org>
Link: https://lore.kernel.org/lkml/20180705222110.GA5698@infradead.org/
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
2018-07-13 13:52:28 +03:00
const struct old_timespec32 __user * timeout ) ;
2018-04-13 14:58:23 +03:00
# ifdef CONFIG_COMPAT
2018-03-20 22:00:39 +03:00
long compat_ksys_semctl ( int semid , int semnum , int cmd , int arg ) ;
2018-03-20 22:15:28 +03:00
long compat_ksys_msgctl ( int msqid , int cmd , void __user * uptr ) ;
2018-03-20 23:25:57 +03:00
long compat_ksys_msgrcv ( int msqid , compat_uptr_t msgp , compat_ssize_t msgsz ,
compat_long_t msgtyp , int msgflg ) ;
2018-03-20 23:29:00 +03:00
long compat_ksys_msgsnd ( int msqid , compat_uptr_t msgp ,
compat_ssize_t msgsz , int msgflg ) ;
2018-03-20 22:12:33 +03:00
long compat_ksys_shmctl ( int shmid , int cmd , void __user * uptr ) ;
2018-03-20 21:48:14 +03:00
# endif /* CONFIG_COMPAT */
2005-04-17 02:20:36 +04:00
# endif