Loosely based on a patch from Kees Cook <[email protected]>: - id and error can be merged - if operations before ipc_addid() fail, then use call_rcu() directly.
The difference is that call_rcu is used for failures after security_shm_alloc(), to continue to guaranteed an rcu delay for security_sem_free(). Signed-off-by: Manfred Spraul <[email protected]> Cc: Kees Cook <[email protected]> --- ipc/shm.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/ipc/shm.c b/ipc/shm.c index c9f1f30..cb1d97e 100644 --- a/ipc/shm.c +++ b/ipc/shm.c @@ -548,7 +548,6 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params) size_t numpages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT; struct file *file; char name[13]; - int id; vm_flags_t acctflag = 0; if (size < SHMMIN || size > ns->shm_ctlmax) @@ -617,11 +616,9 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params) shp->shm_file = file; shp->shm_creator = current; - id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni); - if (id < 0) { - error = id; + error = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni); + if (error < 0) goto no_id; - } list_add(&shp->shm_clist, ¤t->sysvshm.shm_clist); @@ -643,7 +640,7 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params) user_shm_unlock(size, shp->mlock_user); fput(file); no_file: - ipc_rcu_putref(&shp->shm_perm, shm_rcu_free); + call_rcu(&shp->shm_perm.rcu, shm_rcu_free); return error; } -- 2.9.3
