ipc/msg: lockless security checks for msgsnd
authorDavidlohr Bueso <dave@stgolabs.net>
Sat, 10 Sep 2016 10:34:32 +0000 (20:34 +1000)
committerStephen Rothwell <sfr@canb.auug.org.au>
Sat, 10 Sep 2016 10:34:32 +0000 (20:34 +1000)
Just as with msgrcv (along with the rest of sysvipc since a few years
ago), perform the security checks without holding the ipc object lock.
This also reduces the hogging of the lock for the entire duration of a
sender, as we drop the lock upon every iteration -- and this is exactly
why we also check for racing with RMID in the first place.

Link: http://lkml.kernel.org/r/1469748819-19484-5-git-send-email-dave@stgolabs.net
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
ipc/msg.c

index 3c44bbcc05f675be48392d17caf12494c9fac382..4a9b2a16101ec95aa4d2f0452ab845e81c49249a 100644 (file)
--- a/ipc/msg.c
+++ b/ipc/msg.c
@@ -623,14 +623,14 @@ long do_msgsnd(int msqid, long mtype, void __user *mtext,
                goto out_unlock1;
        }
 
-       ipc_lock_object(&msq->q_perm);
-
        for (;;) {
                struct msg_sender s;
 
                err = -EACCES;
                if (ipcperms(ns, &msq->q_perm, S_IWUGO))
-                       goto out_unlock0;
+                       goto out_unlock1;
+
+               ipc_lock_object(&msq->q_perm);
 
                /* raced with RMID? */
                if (!ipc_valid_object(&msq->q_perm)) {
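Review bot: The `ipcperms()` call at the top of the loop now runs before `ipc_lock_object()`, so its result can be stale by the time the lock is taken; anything that changes `q_perm` under the object lock is no longer serialised against this check. The `ipc_valid_object()` test that follows covers a racing removal but not a permission change, and the hunk leaves that unstated. If the window is accepted (the commit message says msgrcv already works this way), a comment above the check would record it, e.g. `/* lockless: only RMID is rechecked under the lock; a concurrent mode change may be missed */`. The lockless read presumably relies on an RCU read-side section entered earlier in do_msgsnd, which is outside this hunk and should be confirmed.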
@@ -681,6 +681,7 @@ long do_msgsnd(int msqid, long mtype, void __user *mtext,
                        goto out_unlock0;
                }
 
+               ipc_unlock_object(&msq->q_perm);
        }
        msq->q_lspid = task_tgid_vnr(current);
        msq->q_stime = get_seconds();
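Review bot: The added `ipc_unlock_object()` at the bottom of the loop makes the lock state depend on the exit path, and nothing here documents it. Falling through to the next iteration leaves the lock dropped, while the writes after the loop (`msq->q_lspid = ...`) and every `goto out_unlock0` need it held. A later edit that adds a `continue` above this line would re-enter the loop with the lock still held and take it again. A comment on the new line such as `/* next iteration rechecks permissions lockless, then relocks and revalidates */` would make the invariant explicit. The loop body starts outside this hunk, so the `break` path is assumed to leave with the lock held.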