Back to home page

LXR

 
 

    


0001 /*
0002  * linux/ipc/shm.c
0003  * Copyright (C) 1992, 1993 Krishna Balasubramanian
0004  *   Many improvements/fixes by Bruno Haible.
0005  * Replaced `struct shm_desc' by `struct vm_area_struct', July 1994.
0006  * Fixed the shm swap deallocation (shm_unuse()), August 1998 Andrea Arcangeli.
0007  *
0008  * /proc/sysvipc/shm support (c) 1999 Dragos Acostachioaie <dragos@iname.com>
0009  * BIGMEM support, Andrea Arcangeli <andrea@suse.de>
0010  * SMP thread shm, Jean-Luc Boyard <jean-luc.boyard@siemens.fr>
0011  * HIGHMEM support, Ingo Molnar <mingo@redhat.com>
0012  * Make shmmax, shmall, shmmni sysctl'able, Christoph Rohland <cr@sap.com>
0013  * Shared /dev/zero support, Kanoj Sarcar <kanoj@sgi.com>
0014  * Move the mm functionality over to mm/shmem.c, Christoph Rohland <cr@sap.com>
0015  *
0016  * support for audit of ipc object properties and permission changes
0017  * Dustin Kirkland <dustin.kirkland@us.ibm.com>
0018  *
0019  * namespaces support
0020  * OpenVZ, SWsoft Inc.
0021  * Pavel Emelianov <xemul@openvz.org>
0022  *
0023  * Better ipc lock (kern_ipc_perm.lock) handling
0024  * Davidlohr Bueso <davidlohr.bueso@hp.com>, June 2013.
0025  */
0026 
0027 #include <linux/slab.h>
0028 #include <linux/mm.h>
0029 #include <linux/hugetlb.h>
0030 #include <linux/shm.h>
0031 #include <linux/init.h>
0032 #include <linux/file.h>
0033 #include <linux/mman.h>
0034 #include <linux/shmem_fs.h>
0035 #include <linux/security.h>
0036 #include <linux/syscalls.h>
0037 #include <linux/audit.h>
0038 #include <linux/capability.h>
0039 #include <linux/ptrace.h>
0040 #include <linux/seq_file.h>
0041 #include <linux/rwsem.h>
0042 #include <linux/nsproxy.h>
0043 #include <linux/mount.h>
0044 #include <linux/ipc_namespace.h>
0045 
0046 #include <linux/uaccess.h>
0047 
0048 #include "util.h"
0049 
/*
 * Private state hung off a SysV shm file's ->private_data (see the
 * shm_file_data() accessor below).  It ties the mapping back to its
 * segment id, pins the owning ipc namespace, and records the backing
 * shmem/hugetlbfs file plus that file's vm_ops for delegation.
 */
struct shm_file_data {
    int id;                                    /* ipc id of the segment */
    struct ipc_namespace *ns;                  /* namespace the segment lives in */
    struct file *file;                         /* backing shmem/hugetlbfs file */
    const struct vm_operations_struct *vm_ops; /* backing file's vm_ops, saved in shm_mmap() */
};
0056 
/* Lvalue accessor for the shm_file_data wrapper stored in ->private_data. */
#define shm_file_data(file) (*((struct shm_file_data **)&(file)->private_data))

static const struct file_operations shm_file_operations;
static const struct vm_operations_struct shm_vm_ops;

/* The per-namespace IPC id table holding all shm segments. */
#define shm_ids(ns) ((ns)->ids[IPC_SHM_IDS])

/* Drop the per-object spinlock taken by shm_lock()/ipc_lock(). */
#define shm_unlock(shp)         \
    ipc_unlock(&(shp)->shm_perm)

static int newseg(struct ipc_namespace *, struct ipc_params *);
static void shm_open(struct vm_area_struct *vma);
static void shm_close(struct vm_area_struct *vma);
static void shm_destroy(struct ipc_namespace *ns, struct shmid_kernel *shp);
#ifdef CONFIG_PROC_FS
static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
#endif
0074 
0075 void shm_init_ns(struct ipc_namespace *ns)
0076 {
0077     ns->shm_ctlmax = SHMMAX;
0078     ns->shm_ctlall = SHMALL;
0079     ns->shm_ctlmni = SHMMNI;
0080     ns->shm_rmid_forced = 0;
0081     ns->shm_tot = 0;
0082     ipc_init_ids(&shm_ids(ns));
0083 }
0084 
0085 /*
0086  * Called with shm_ids.rwsem (writer) and the shp structure locked.
0087  * Only shm_ids.rwsem remains locked on exit.
0088  */
0089 static void do_shm_rmid(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp)
0090 {
0091     struct shmid_kernel *shp;
0092 
0093     shp = container_of(ipcp, struct shmid_kernel, shm_perm);
0094 
0095     if (shp->shm_nattch) {
0096         shp->shm_perm.mode |= SHM_DEST;
0097         /* Do not find it any more */
0098         shp->shm_perm.key = IPC_PRIVATE;
0099         shm_unlock(shp);
0100     } else
0101         shm_destroy(ns, shp);
0102 }
0103 
#ifdef CONFIG_IPC_NS
/*
 * Tear down the shm state of a dying ipc namespace: run do_shm_rmid()
 * over every remaining segment, then release the id radix tree itself.
 */
void shm_exit_ns(struct ipc_namespace *ns)
{
    free_ipcs(ns, &shm_ids(ns), do_shm_rmid);
    idr_destroy(&ns->ids[IPC_SHM_IDS].ipcs_idr);
}
#endif
0111 
/* Early-boot hook: initialize the initial ipc namespace's shm state. */
static int __init ipc_ns_init(void)
{
    shm_init_ns(&init_ipc_ns);
    return 0;
}

pure_initcall(ipc_ns_init);
0119 
/*
 * Register /proc/sysvipc/shm.  The header line differs between 32- and
 * 64-bit builds because the size/rss/swap columns need wider fields on
 * 64-bit; the row format is produced by sysvipc_shm_proc_show().
 */
void __init shm_init(void)
{
    ipc_init_proc_interface("sysvipc/shm",
#if BITS_PER_LONG <= 32
                "       key      shmid perms       size  cpid  lpid nattch   uid   gid  cuid  cgid      atime      dtime      ctime        rss       swap\n",
#else
                "       key      shmid perms                  size  cpid  lpid nattch   uid   gid  cuid  cgid      atime      dtime      ctime                   rss                  swap\n",
#endif
                IPC_SHM_IDS, sysvipc_shm_proc_show);
}
0130 
0131 static inline struct shmid_kernel *shm_obtain_object(struct ipc_namespace *ns, int id)
0132 {
0133     struct kern_ipc_perm *ipcp = ipc_obtain_object_idr(&shm_ids(ns), id);
0134 
0135     if (IS_ERR(ipcp))
0136         return ERR_CAST(ipcp);
0137 
0138     return container_of(ipcp, struct shmid_kernel, shm_perm);
0139 }
0140 
0141 static inline struct shmid_kernel *shm_obtain_object_check(struct ipc_namespace *ns, int id)
0142 {
0143     struct kern_ipc_perm *ipcp = ipc_obtain_object_check(&shm_ids(ns), id);
0144 
0145     if (IS_ERR(ipcp))
0146         return ERR_CAST(ipcp);
0147 
0148     return container_of(ipcp, struct shmid_kernel, shm_perm);
0149 }
0150 
0151 /*
0152  * shm_lock_(check_) routines are called in the paths where the rwsem
0153  * is not necessarily held.
0154  */
0155 static inline struct shmid_kernel *shm_lock(struct ipc_namespace *ns, int id)
0156 {
0157     struct kern_ipc_perm *ipcp = ipc_lock(&shm_ids(ns), id);
0158 
0159     /*
0160      * Callers of shm_lock() must validate the status of the returned ipc
0161      * object pointer (as returned by ipc_lock()), and error out as
0162      * appropriate.
0163      */
0164     if (IS_ERR(ipcp))
0165         return (void *)ipcp;
0166     return container_of(ipcp, struct shmid_kernel, shm_perm);
0167 }
0168 
/*
 * Lock a segment we already hold a pointer to.  Enters an RCU read-side
 * section before taking the object spinlock, matching the state that
 * shm_lock() leaves its caller in (shm_destroy() drops both).
 */
static inline void shm_lock_by_ptr(struct shmid_kernel *ipcp)
{
    rcu_read_lock();
    ipc_lock_object(&ipcp->shm_perm);
}
0174 
0175 static void shm_rcu_free(struct rcu_head *head)
0176 {
0177     struct ipc_rcu *p = container_of(head, struct ipc_rcu, rcu);
0178     struct shmid_kernel *shp = ipc_rcu_to_struct(p);
0179 
0180     security_shm_free(shp);
0181     ipc_rcu_free(head);
0182 }
0183 
/*
 * Remove a segment from the id table and from its creator's shm_clist.
 * Called from shm_destroy() with shm_ids.rwsem (writer) and the object
 * locked (per shm_destroy()'s documented contract).
 */
static inline void shm_rmid(struct ipc_namespace *ns, struct shmid_kernel *s)
{
    list_del(&s->shm_clist);
    ipc_rmid(&shm_ids(ns), &s->shm_perm);
}
0189 
0190 
0191 static int __shm_open(struct vm_area_struct *vma)
0192 {
0193     struct file *file = vma->vm_file;
0194     struct shm_file_data *sfd = shm_file_data(file);
0195     struct shmid_kernel *shp;
0196 
0197     shp = shm_lock(sfd->ns, sfd->id);
0198 
0199     if (IS_ERR(shp))
0200         return PTR_ERR(shp);
0201 
0202     shp->shm_atim = get_seconds();
0203     shp->shm_lprid = task_tgid_vnr(current);
0204     shp->shm_nattch++;
0205     shm_unlock(shp);
0206     return 0;
0207 }
0208 
/* This is called by fork, once for every shm attach. */
static void shm_open(struct vm_area_struct *vma)
{
    int ret = __shm_open(vma);

    /*
     * A failure means we raced with the idr lookup or with
     * shm_destroy(); either way the id is busted, so just complain.
     */
    WARN_ON_ONCE(ret);
}
0219 
0220 /*
0221  * shm_destroy - free the struct shmid_kernel
0222  *
0223  * @ns: namespace
0224  * @shp: struct to free
0225  *
0226  * It has to be called with shp and shm_ids.rwsem (writer) locked,
0227  * but returns with shp unlocked and freed.
0228  */
0229 static void shm_destroy(struct ipc_namespace *ns, struct shmid_kernel *shp)
0230 {
0231     struct file *shm_file;
0232 
0233     shm_file = shp->shm_file;
0234     shp->shm_file = NULL;
0235     ns->shm_tot -= (shp->shm_segsz + PAGE_SIZE - 1) >> PAGE_SHIFT;
0236     shm_rmid(ns, shp);
0237     shm_unlock(shp);
0238     if (!is_file_hugepages(shm_file))
0239         shmem_lock(shm_file, 0, shp->mlock_user);
0240     else if (shp->mlock_user)
0241         user_shm_unlock(i_size_read(file_inode(shm_file)),
0242                 shp->mlock_user);
0243     fput(shm_file);
0244     ipc_rcu_putref(shp, shm_rcu_free);
0245 }
0246 
0247 /*
0248  * shm_may_destroy - identifies whether shm segment should be destroyed now
0249  *
0250  * Returns true if and only if there are no active users of the segment and
0251  * one of the following is true:
0252  *
0253  * 1) shmctl(id, IPC_RMID, NULL) was called for this shp
0254  *
0255  * 2) sysctl kernel.shm_rmid_forced is set to 1.
0256  */
0257 static bool shm_may_destroy(struct ipc_namespace *ns, struct shmid_kernel *shp)
0258 {
0259     return (shp->shm_nattch == 0) &&
0260            (ns->shm_rmid_forced ||
0261         (shp->shm_perm.mode & SHM_DEST));
0262 }
0263 
/*
 * remove the attach descriptor vma.
 * free memory for segment if it is marked destroyed.
 * The descriptor has already been removed from the current->mm->mmap list
 * and will later be kfree()d.
 */
static void shm_close(struct vm_area_struct *vma)
{
    struct file *file = vma->vm_file;
    struct shm_file_data *sfd = shm_file_data(file);
    struct shmid_kernel *shp;
    struct ipc_namespace *ns = sfd->ns;

    /* Writer lock: we may end up calling shm_destroy() below. */
    down_write(&shm_ids(ns).rwsem);
    /* remove from the list of attaches of the shm segment */
    shp = shm_lock(ns, sfd->id);

    /*
     * We raced in the idr lookup or with shm_destroy().
     * Either way, the ID is busted.
     */
    if (WARN_ON_ONCE(IS_ERR(shp)))
        goto done; /* no-op */

    /* Record the detach and drop the attach count taken in __shm_open(). */
    shp->shm_lprid = task_tgid_vnr(current);
    shp->shm_dtim = get_seconds();
    shp->shm_nattch--;
    if (shm_may_destroy(ns, shp))
        shm_destroy(ns, shp);   /* unlocks and frees shp */
    else
        shm_unlock(shp);
done:
    up_write(&shm_ids(ns).rwsem);
}
0298 
/*
 * idr_for_each() callback: destroy a segment if its creator has exited
 * and shm_may_destroy() approves.  Called with ns->shm_ids(ns).rwsem
 * locked (writer, see shm_destroy_orphaned()).
 */
static int shm_try_destroy_orphaned(int id, void *p, void *data)
{
    struct ipc_namespace *ns = data;
    struct kern_ipc_perm *ipcp = p;
    struct shmid_kernel *shp = container_of(ipcp, struct shmid_kernel, shm_perm);

    /*
     * We want to destroy segments without users and with already
     * exit'ed originating process.
     *
     * As shp->* are changed under rwsem, it's safe to skip shp locking.
     */
    if (shp->shm_creator != NULL)
        return 0;

    if (shm_may_destroy(ns, shp)) {
        shm_lock_by_ptr(shp);
        shm_destroy(ns, shp);   /* unlocks and frees shp */
    }
    return 0;
}
0321 
/*
 * Sweep the namespace and destroy every orphaned segment (creator gone,
 * no attaches) via shm_try_destroy_orphaned().
 */
void shm_destroy_orphaned(struct ipc_namespace *ns)
{
    down_write(&shm_ids(ns).rwsem);
    if (shm_ids(ns).in_use)
        idr_for_each(&shm_ids(ns).ipcs_idr, &shm_try_destroy_orphaned, ns);
    up_write(&shm_ids(ns).rwsem);
}
0329 
/*
 * Task-exit hook for SysV shm bookkeeping.
 * Locking assumes this will only be called with task == current.
 */
void exit_shm(struct task_struct *task)
{
    struct ipc_namespace *ns = task->nsproxy->ipc_ns;
    struct shmid_kernel *shp, *n;

    /* Fast path: this task never created any segments. */
    if (list_empty(&task->sysvshm.shm_clist))
        return;

    /*
     * If kernel.shm_rmid_forced is not set then only keep track of
     * which shmids are orphaned, so that a later set of the sysctl
     * can clean them up.
     */
    if (!ns->shm_rmid_forced) {
        down_read(&shm_ids(ns).rwsem);
        list_for_each_entry(shp, &task->sysvshm.shm_clist, shm_clist)
            shp->shm_creator = NULL;
        /*
         * Only under read lock but we are only called on current
         * so no entry on the list will be shared.
         */
        list_del(&task->sysvshm.shm_clist);
        up_read(&shm_ids(ns).rwsem);
        return;
    }

    /*
     * Destroy all already created segments, that were not yet mapped,
     * and mark any mapped as orphan to cover the sysctl toggling.
     * Destroy is skipped if shm_may_destroy() returns false.
     */
    down_write(&shm_ids(ns).rwsem);
    list_for_each_entry_safe(shp, n, &task->sysvshm.shm_clist, shm_clist) {
        shp->shm_creator = NULL;

        if (shm_may_destroy(ns, shp)) {
            shm_lock_by_ptr(shp);
            shm_destroy(ns, shp);   /* also unlinks shp from shm_clist */
        }
    }

    /* Remove the list head from any segments still attached. */
    list_del(&task->sysvshm.shm_clist);
    up_write(&shm_ids(ns).rwsem);
}
0376 
0377 static int shm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
0378 {
0379     struct file *file = vma->vm_file;
0380     struct shm_file_data *sfd = shm_file_data(file);
0381 
0382     return sfd->vm_ops->fault(vma, vmf);
0383 }
0384 
0385 #ifdef CONFIG_NUMA
0386 static int shm_set_policy(struct vm_area_struct *vma, struct mempolicy *new)
0387 {
0388     struct file *file = vma->vm_file;
0389     struct shm_file_data *sfd = shm_file_data(file);
0390     int err = 0;
0391 
0392     if (sfd->vm_ops->set_policy)
0393         err = sfd->vm_ops->set_policy(vma, new);
0394     return err;
0395 }
0396 
0397 static struct mempolicy *shm_get_policy(struct vm_area_struct *vma,
0398                     unsigned long addr)
0399 {
0400     struct file *file = vma->vm_file;
0401     struct shm_file_data *sfd = shm_file_data(file);
0402     struct mempolicy *pol = NULL;
0403 
0404     if (sfd->vm_ops->get_policy)
0405         pol = sfd->vm_ops->get_policy(vma, addr);
0406     else if (vma->vm_policy)
0407         pol = vma->vm_policy;
0408 
0409     return pol;
0410 }
0411 #endif
0412 
/*
 * mmap handler for the shm wrapper file: account the attach, map via
 * the backing shmem/hugetlb file, then interpose shm_vm_ops so future
 * open/close/fault events flow through this module first.
 */
static int shm_mmap(struct file *file, struct vm_area_struct *vma)
{
    struct shm_file_data *sfd = shm_file_data(file);
    int ret;

    /*
     * In case of remap_file_pages() emulation, the file can represent
     * removed IPC ID: propagate shm_lock() error to caller.
     */
    ret = __shm_open(vma);
    if (ret)
        return ret;

    ret = sfd->file->f_op->mmap(sfd->file, vma);
    if (ret) {
        shm_close(vma);     /* undo the attach accounted in __shm_open() */
        return ret;
    }
    /* Save the backing vm_ops so shm_fault() etc. can delegate to them. */
    sfd->vm_ops = vma->vm_ops;
#ifdef CONFIG_MMU
    WARN_ON(!sfd->vm_ops->fault);
#endif
    vma->vm_ops = &shm_vm_ops;
    return 0;
}
0438 
0439 static int shm_release(struct inode *ino, struct file *file)
0440 {
0441     struct shm_file_data *sfd = shm_file_data(file);
0442 
0443     put_ipc_ns(sfd->ns);
0444     shm_file_data(file) = NULL;
0445     kfree(sfd);
0446     return 0;
0447 }
0448 
0449 static int shm_fsync(struct file *file, loff_t start, loff_t end, int datasync)
0450 {
0451     struct shm_file_data *sfd = shm_file_data(file);
0452 
0453     if (!sfd->file->f_op->fsync)
0454         return -EINVAL;
0455     return sfd->file->f_op->fsync(sfd->file, start, end, datasync);
0456 }
0457 
/* Forward fallocate() to the backing file's implementation, if any. */
static long shm_fallocate(struct file *file, int mode, loff_t offset,
              loff_t len)
{
    struct shm_file_data *sfd = shm_file_data(file);

    if (!sfd->file->f_op->fallocate)
        return -EOPNOTSUPP;
    /*
     * NOTE(review): the outer wrapper @file is passed here, unlike the
     * sibling forwarders which pass sfd->file; presumably both refer to
     * the same inode so the backing fallocate works either way — confirm
     * against the file setup in do_shmat().
     */
    return sfd->file->f_op->fallocate(file, mode, offset, len);
}
0467 
0468 static unsigned long shm_get_unmapped_area(struct file *file,
0469     unsigned long addr, unsigned long len, unsigned long pgoff,
0470     unsigned long flags)
0471 {
0472     struct shm_file_data *sfd = shm_file_data(file);
0473 
0474     return sfd->file->f_op->get_unmapped_area(sfd->file, addr, len,
0475                         pgoff, flags);
0476 }
0477 
/* File operations for the wrapper file handed out by shmat(). */
static const struct file_operations shm_file_operations = {
    .mmap       = shm_mmap,
    .fsync      = shm_fsync,
    .release    = shm_release,
    .get_unmapped_area  = shm_get_unmapped_area,
    .llseek     = noop_llseek,
    .fallocate  = shm_fallocate,
};
0486 
/*
 * shm_file_operations_huge is now identical to shm_file_operations,
 * but we keep it distinct for the sake of is_file_shm_hugepages().
 */
static const struct file_operations shm_file_operations_huge = {
    .mmap       = shm_mmap,
    .fsync      = shm_fsync,
    .release    = shm_release,
    .get_unmapped_area  = shm_get_unmapped_area,
    .llseek     = noop_llseek,
    .fallocate  = shm_fallocate,
};
0499 
0500 bool is_file_shm_hugepages(struct file *file)
0501 {
0502     return file->f_op == &shm_file_operations_huge;
0503 }
0504 
/* vm_ops installed on every shm mapping by shm_mmap(). */
static const struct vm_operations_struct shm_vm_ops = {
    .open   = shm_open, /* callback for a new vm-area open */
    .close  = shm_close,    /* callback for when the vm-area is released */
    .fault  = shm_fault,
#if defined(CONFIG_NUMA)
    .set_policy = shm_set_policy,
    .get_policy = shm_get_policy,
#endif
};
0514 
/**
 * newseg - Create a new shared memory segment
 * @ns: namespace
 * @params: ptr to the structure that contains key, size and shmflg
 *
 * Called with shm_ids.rwsem held as a writer.
 * Returns the new segment's id on success, or a negative errno.
 */
static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
{
    key_t key = params->key;
    int shmflg = params->flg;
    size_t size = params->u.size;
    int error;
    struct shmid_kernel *shp;
    size_t numpages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT;
    struct file *file;
    char name[13];
    int id;
    vm_flags_t acctflag = 0;

    if (size < SHMMIN || size > ns->shm_ctlmax)
        return -EINVAL;

    /* numpages overflowed during the round-up above. */
    if (numpages << PAGE_SHIFT < size)
        return -ENOSPC;

    /* Overflow check, then the namespace-wide SHMALL page limit. */
    if (ns->shm_tot + numpages < ns->shm_tot ||
            ns->shm_tot + numpages > ns->shm_ctlall)
        return -ENOSPC;

    shp = ipc_rcu_alloc(sizeof(*shp));
    if (!shp)
        return -ENOMEM;

    shp->shm_perm.key = key;
    shp->shm_perm.mode = (shmflg & S_IRWXUGO);
    shp->mlock_user = NULL;

    shp->shm_perm.security = NULL;
    error = security_shm_alloc(shp);
    if (error) {
        /* No security blob yet, so the plain RCU free is enough. */
        ipc_rcu_putref(shp, ipc_rcu_free);
        return error;
    }

    sprintf(name, "SYSV%08x", key);
    if (shmflg & SHM_HUGETLB) {
        struct hstate *hs;
        size_t hugesize;

        /* Decode the requested huge page size from the flag bits. */
        hs = hstate_sizelog((shmflg >> SHM_HUGE_SHIFT) & SHM_HUGE_MASK);
        if (!hs) {
            error = -EINVAL;
            goto no_file;
        }
        hugesize = ALIGN(size, huge_page_size(hs));

        /* hugetlb_file_setup applies strict accounting */
        if (shmflg & SHM_NORESERVE)
            acctflag = VM_NORESERVE;
        file = hugetlb_file_setup(name, hugesize, acctflag,
                  &shp->mlock_user, HUGETLB_SHMFS_INODE,
                (shmflg >> SHM_HUGE_SHIFT) & SHM_HUGE_MASK);
    } else {
        /*
         * Do not allow no accounting for OVERCOMMIT_NEVER, even
         * if it's asked for.
         */
        if  ((shmflg & SHM_NORESERVE) &&
                sysctl_overcommit_memory != OVERCOMMIT_NEVER)
            acctflag = VM_NORESERVE;
        file = shmem_kernel_file_setup(name, size, acctflag);
    }
    error = PTR_ERR(file);
    if (IS_ERR(file))
        goto no_file;

    shp->shm_cprid = task_tgid_vnr(current);
    shp->shm_lprid = 0;
    shp->shm_atim = shp->shm_dtim = 0;
    shp->shm_ctim = get_seconds();
    shp->shm_segsz = size;
    shp->shm_nattch = 0;
    shp->shm_file = file;
    shp->shm_creator = current;

    /* On success, the object is returned locked and within an RCU section. */
    id = ipc_addid(&shm_ids(ns), &shp->shm_perm, ns->shm_ctlmni);
    if (id < 0) {
        error = id;
        goto no_id;
    }

    list_add(&shp->shm_clist, &current->sysvshm.shm_clist);

    /*
     * shmid gets reported as "inode#" in /proc/pid/maps.
     * proc-ps tools use this. Changing this will break them.
     */
    file_inode(file)->i_ino = shp->shm_perm.id;

    ns->shm_tot += numpages;
    error = shp->shm_perm.id;

    ipc_unlock_object(&shp->shm_perm);
    rcu_read_unlock();
    return error;

no_id:
    /* hugetlb_file_setup() may have charged mlock_user; undo that. */
    if (is_file_hugepages(file) && shp->mlock_user)
        user_shm_unlock(size, shp->mlock_user);
    fput(file);
no_file:
    /* Security blob exists by now, so free via shm_rcu_free(). */
    ipc_rcu_putref(shp, shm_rcu_free);
    return error;
}
0630 
0631 /*
0632  * Called with shm_ids.rwsem and ipcp locked.
0633  */
0634 static inline int shm_security(struct kern_ipc_perm *ipcp, int shmflg)
0635 {
0636     struct shmid_kernel *shp;
0637 
0638     shp = container_of(ipcp, struct shmid_kernel, shm_perm);
0639     return security_shm_associate(shp, shmflg);
0640 }
0641 
0642 /*
0643  * Called with shm_ids.rwsem and ipcp locked.
0644  */
0645 static inline int shm_more_checks(struct kern_ipc_perm *ipcp,
0646                 struct ipc_params *params)
0647 {
0648     struct shmid_kernel *shp;
0649 
0650     shp = container_of(ipcp, struct shmid_kernel, shm_perm);
0651     if (shp->shm_segsz < params->u.size)
0652         return -EINVAL;
0653 
0654     return 0;
0655 }
0656 
0657 SYSCALL_DEFINE3(shmget, key_t, key, size_t, size, int, shmflg)
0658 {
0659     struct ipc_namespace *ns;
0660     static const struct ipc_ops shm_ops = {
0661         .getnew = newseg,
0662         .associate = shm_security,
0663         .more_checks = shm_more_checks,
0664     };
0665     struct ipc_params shm_params;
0666 
0667     ns = current->nsproxy->ipc_ns;
0668 
0669     shm_params.key = key;
0670     shm_params.flg = shmflg;
0671     shm_params.u.size = size;
0672 
0673     return ipcget(ns, &shm_ids(ns), &shm_ops, &shm_params);
0674 }
0675 
/*
 * Marshal a shmid64_ds out to userspace in the ABI the caller used:
 * IPC_64 is a straight copy; IPC_OLD narrows into the legacy shmid_ds.
 * Returns 0 on success, nonzero/-EINVAL on failure.
 */
static inline unsigned long copy_shmid_to_user(void __user *buf, struct shmid64_ds *in, int version)
{
    switch (version) {
    case IPC_64:
        return copy_to_user(buf, in, sizeof(*in));
    case IPC_OLD:
        {
        struct shmid_ds out;

        /* Zero first so padding never leaks kernel stack to userspace. */
        memset(&out, 0, sizeof(out));
        ipc64_perm_to_ipc_perm(&in->shm_perm, &out.shm_perm);
        out.shm_segsz   = in->shm_segsz;
        out.shm_atime   = in->shm_atime;
        out.shm_dtime   = in->shm_dtime;
        out.shm_ctime   = in->shm_ctime;
        out.shm_cpid    = in->shm_cpid;
        out.shm_lpid    = in->shm_lpid;
        out.shm_nattch  = in->shm_nattch;

        return copy_to_user(buf, &out, sizeof(out));
        }
    default:
        return -EINVAL;
    }
}
0701 
/*
 * Unmarshal a shmid_ds/shmid64_ds from userspace for IPC_SET.  Only the
 * permission fields matter; the legacy IPC_OLD path copies just those.
 * Returns 0 on success, -EFAULT/-EINVAL on failure.
 */
static inline unsigned long
copy_shmid_from_user(struct shmid64_ds *out, void __user *buf, int version)
{
    switch (version) {
    case IPC_64:
        if (copy_from_user(out, buf, sizeof(*out)))
            return -EFAULT;
        return 0;
    case IPC_OLD:
        {
        struct shmid_ds tbuf_old;

        if (copy_from_user(&tbuf_old, buf, sizeof(tbuf_old)))
            return -EFAULT;

        out->shm_perm.uid   = tbuf_old.shm_perm.uid;
        out->shm_perm.gid   = tbuf_old.shm_perm.gid;
        out->shm_perm.mode  = tbuf_old.shm_perm.mode;

        return 0;
        }
    default:
        return -EINVAL;
    }
}
0727 
/*
 * Marshal the IPC_INFO limits out to userspace.  The legacy shminfo
 * holds shmmax in an int, so clamp it to INT_MAX for IPC_OLD callers.
 * Returns 0 on success, nonzero/-EINVAL on failure.
 */
static inline unsigned long copy_shminfo_to_user(void __user *buf, struct shminfo64 *in, int version)
{
    switch (version) {
    case IPC_64:
        return copy_to_user(buf, in, sizeof(*in));
    case IPC_OLD:
        {
        struct shminfo out;

        if (in->shmmax > INT_MAX)
            out.shmmax = INT_MAX;
        else
            out.shmmax = (int)in->shmmax;

        out.shmmin  = in->shmmin;
        out.shmmni  = in->shmmni;
        out.shmseg  = in->shmseg;
        out.shmall  = in->shmall;

        return copy_to_user(buf, &out, sizeof(out));
        }
    default:
        return -EINVAL;
    }
}
0753 
/*
 * Calculate and add used RSS and swap pages of a shm.
 * Called with shm_ids.rwsem held as a reader
 */
static void shm_add_rss_swap(struct shmid_kernel *shp,
    unsigned long *rss_add, unsigned long *swp_add)
{
    struct inode *inode;

    inode = file_inode(shp->shm_file);

    if (is_file_hugepages(shp->shm_file)) {
        /* Hugetlb pages: nrpages counts huge pages, scale to base pages. */
        struct address_space *mapping = inode->i_mapping;
        struct hstate *h = hstate_file(shp->shm_file);
        *rss_add += pages_per_huge_page(h) * mapping->nrpages;
    } else {
#ifdef CONFIG_SHMEM
        struct shmem_inode_info *info = SHMEM_I(inode);

        /* info->lock guards the swapped counter against concurrent update. */
        spin_lock_irq(&info->lock);
        *rss_add += inode->i_mapping->nrpages;
        *swp_add += info->swapped;
        spin_unlock_irq(&info->lock);
#else
        /* Without CONFIG_SHMEM (ramfs backing) nothing is ever swapped. */
        *rss_add += inode->i_mapping->nrpages;
#endif
    }
}
0782 
0783 /*
0784  * Called with shm_ids.rwsem held as a reader
0785  */
0786 static void shm_get_stat(struct ipc_namespace *ns, unsigned long *rss,
0787         unsigned long *swp)
0788 {
0789     int next_id;
0790     int total, in_use;
0791 
0792     *rss = 0;
0793     *swp = 0;
0794 
0795     in_use = shm_ids(ns).in_use;
0796 
0797     for (total = 0, next_id = 0; total < in_use; next_id++) {
0798         struct kern_ipc_perm *ipc;
0799         struct shmid_kernel *shp;
0800 
0801         ipc = idr_find(&shm_ids(ns).ipcs_idr, next_id);
0802         if (ipc == NULL)
0803             continue;
0804         shp = container_of(ipc, struct shmid_kernel, shm_perm);
0805 
0806         shm_add_rss_swap(shp, rss, swp);
0807 
0808         total++;
0809     }
0810 }
0811 
/*
 * This function handles some shmctl commands which require the rwsem
 * to be held in write mode: IPC_RMID and IPC_SET.
 * NOTE: no locks must be held, the rwsem is taken inside this function.
 */
static int shmctl_down(struct ipc_namespace *ns, int shmid, int cmd,
               struct shmid_ds __user *buf, int version)
{
    struct kern_ipc_perm *ipcp;
    struct shmid64_ds shmid64;
    struct shmid_kernel *shp;
    int err;

    /* Copy the new permissions in before taking any locks. */
    if (cmd == IPC_SET) {
        if (copy_shmid_from_user(&shmid64, buf, version))
            return -EFAULT;
    }

    down_write(&shm_ids(ns).rwsem);
    rcu_read_lock();

    /* Looks up the id and performs the ownership/capability checks. */
    ipcp = ipcctl_pre_down_nolock(ns, &shm_ids(ns), shmid, cmd,
                      &shmid64.shm_perm, 0);
    if (IS_ERR(ipcp)) {
        err = PTR_ERR(ipcp);
        goto out_unlock1;
    }

    shp = container_of(ipcp, struct shmid_kernel, shm_perm);

    err = security_shm_shmctl(shp, cmd);
    if (err)
        goto out_unlock1;

    switch (cmd) {
    case IPC_RMID:
        ipc_lock_object(&shp->shm_perm);
        /* do_shm_rmid unlocks the ipc object and rcu */
        do_shm_rmid(ns, ipcp);
        goto out_up;
    case IPC_SET:
        ipc_lock_object(&shp->shm_perm);
        err = ipc_update_perm(&shmid64.shm_perm, ipcp);
        if (err)
            goto out_unlock0;
        shp->shm_ctim = get_seconds();
        break;
    default:
        err = -EINVAL;
        goto out_unlock1;
    }

out_unlock0:
    ipc_unlock_object(&shp->shm_perm);
out_unlock1:
    rcu_read_unlock();
out_up:
    up_write(&shm_ids(ns).rwsem);
    return err;
}
0872 
/*
 * Handle the shmctl commands that do not need the object lock held by
 * the caller: IPC_INFO, SHM_INFO, SHM_STAT and IPC_STAT.  For the STAT
 * commands the object data is snapshotted under RCU only.
 */
static int shmctl_nolock(struct ipc_namespace *ns, int shmid,
             int cmd, int version, void __user *buf)
{
    int err;
    struct shmid_kernel *shp;

    /* preliminary security checks for *_INFO */
    if (cmd == IPC_INFO || cmd == SHM_INFO) {
        err = security_shm_shmctl(NULL, cmd);
        if (err)
            return err;
    }

    switch (cmd) {
    case IPC_INFO:
    {
        struct shminfo64 shminfo;

        /* Report the namespace limits; zero-fill to avoid padding leaks. */
        memset(&shminfo, 0, sizeof(shminfo));
        shminfo.shmmni = shminfo.shmseg = ns->shm_ctlmni;
        shminfo.shmmax = ns->shm_ctlmax;
        shminfo.shmall = ns->shm_ctlall;

        shminfo.shmmin = SHMMIN;
        if (copy_shminfo_to_user(buf, &shminfo, version))
            return -EFAULT;

        down_read(&shm_ids(ns).rwsem);
        err = ipc_get_maxid(&shm_ids(ns));
        up_read(&shm_ids(ns).rwsem);

        /* Success returns the highest id index (0 if none exist). */
        if (err < 0)
            err = 0;
        goto out;
    }
    case SHM_INFO:
    {
        struct shm_info shm_info;

        memset(&shm_info, 0, sizeof(shm_info));
        down_read(&shm_ids(ns).rwsem);
        shm_info.used_ids = shm_ids(ns).in_use;
        shm_get_stat(ns, &shm_info.shm_rss, &shm_info.shm_swp);
        shm_info.shm_tot = ns->shm_tot;
        /* Swap attempt/success counters are no longer maintained. */
        shm_info.swap_attempts = 0;
        shm_info.swap_successes = 0;
        err = ipc_get_maxid(&shm_ids(ns));
        up_read(&shm_ids(ns).rwsem);
        if (copy_to_user(buf, &shm_info, sizeof(shm_info))) {
            err = -EFAULT;
            goto out;
        }

        err = err < 0 ? 0 : err;
        goto out;
    }
    case SHM_STAT:
    case IPC_STAT:
    {
        struct shmid64_ds tbuf;
        int result;

        rcu_read_lock();
        if (cmd == SHM_STAT) {
            /* SHM_STAT takes an index, returns the full id. */
            shp = shm_obtain_object(ns, shmid);
            if (IS_ERR(shp)) {
                err = PTR_ERR(shp);
                goto out_unlock;
            }
            result = shp->shm_perm.id;
        } else {
            /* IPC_STAT validates the id's sequence number. */
            shp = shm_obtain_object_check(ns, shmid);
            if (IS_ERR(shp)) {
                err = PTR_ERR(shp);
                goto out_unlock;
            }
            result = 0;
        }

        err = -EACCES;
        if (ipcperms(ns, &shp->shm_perm, S_IRUGO))
            goto out_unlock;

        err = security_shm_shmctl(shp, cmd);
        if (err)
            goto out_unlock;

        /* Snapshot the fields under RCU, then copy out unlocked. */
        memset(&tbuf, 0, sizeof(tbuf));
        kernel_to_ipc64_perm(&shp->shm_perm, &tbuf.shm_perm);
        tbuf.shm_segsz  = shp->shm_segsz;
        tbuf.shm_atime  = shp->shm_atim;
        tbuf.shm_dtime  = shp->shm_dtim;
        tbuf.shm_ctime  = shp->shm_ctim;
        tbuf.shm_cpid   = shp->shm_cprid;
        tbuf.shm_lpid   = shp->shm_lprid;
        tbuf.shm_nattch = shp->shm_nattch;
        rcu_read_unlock();

        if (copy_shmid_to_user(buf, &tbuf, version))
            err = -EFAULT;
        else
            err = result;
        goto out;
    }
    default:
        return -EINVAL;
    }

out_unlock:
    rcu_read_unlock();
out:
    return err;
}
0986 
/*
 * shmctl(2) - shared memory segment control.
 *
 * Dispatches on @cmd:
 *  - IPC_INFO/SHM_INFO/SHM_STAT/IPC_STAT: read-only queries, handled
 *    lockless (RCU only) in shmctl_nolock().
 *  - IPC_RMID/IPC_SET: segment modification, handled in shmctl_down()
 *    under the ipc ids rwsem.
 *  - SHM_LOCK/SHM_UNLOCK: pin/unpin the segment's pages, handled inline
 *    below under RCU + the per-object spinlock.
 * Any other command returns -EINVAL.
 */
SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf)
{
    struct shmid_kernel *shp;
    int err, version;
    struct ipc_namespace *ns;

    if (cmd < 0 || shmid < 0)
        return -EINVAL;

    /* Strip the IPC_64 flag from cmd and remember which ABI struct
     * layout (old shmid_ds vs shmid64_ds) the caller used. */
    version = ipc_parse_version(&cmd);
    ns = current->nsproxy->ipc_ns;

    switch (cmd) {
    case IPC_INFO:
    case SHM_INFO:
    case SHM_STAT:
    case IPC_STAT:
        return shmctl_nolock(ns, shmid, cmd, version, buf);
    case IPC_RMID:
    case IPC_SET:
        return shmctl_down(ns, shmid, cmd, buf, version);
    case SHM_LOCK:
    case SHM_UNLOCK:
    {
        struct file *shm_file;

        /* Look the segment up under RCU only; take the object lock
         * later, once the cheap permission/security checks passed. */
        rcu_read_lock();
        shp = shm_obtain_object_check(ns, shmid);
        if (IS_ERR(shp)) {
            err = PTR_ERR(shp);
            goto out_unlock1;
        }

        audit_ipc_obj(&(shp->shm_perm));
        err = security_shm_shmctl(shp, cmd);
        if (err)
            goto out_unlock1;

        ipc_lock_object(&shp->shm_perm);

        /* check if shm_destroy() is tearing down shp */
        if (!ipc_valid_object(&shp->shm_perm)) {
            err = -EIDRM;
            goto out_unlock0;
        }

        /* Without CAP_IPC_LOCK the caller must be the segment's owner
         * or creator, and SHM_LOCK additionally requires a non-zero
         * RLIMIT_MEMLOCK. */
        if (!ns_capable(ns->user_ns, CAP_IPC_LOCK)) {
            kuid_t euid = current_euid();

            if (!uid_eq(euid, shp->shm_perm.uid) &&
                !uid_eq(euid, shp->shm_perm.cuid)) {
                err = -EPERM;
                goto out_unlock0;
            }
            if (cmd == SHM_LOCK && !rlimit(RLIMIT_MEMLOCK)) {
                err = -EPERM;
                goto out_unlock0;
            }
        }

        shm_file = shp->shm_file;
        /* hugetlb-backed segments: nothing to (un)lock here, return
         * success (err is still 0 from the security hook above) --
         * presumably because hugetlb pages are not swappable anyway */
        if (is_file_hugepages(shm_file))
            goto out_unlock0;

        if (cmd == SHM_LOCK) {
            struct user_struct *user = current_user();

            /* Charge the locked pages to the current user; only mark
             * the segment and record the user on the first lock. */
            err = shmem_lock(shm_file, 1, user);
            if (!err && !(shp->shm_perm.mode & SHM_LOCKED)) {
                shp->shm_perm.mode |= SHM_LOCKED;
                shp->mlock_user = user;
            }
            goto out_unlock0;
        }

        /* SHM_UNLOCK */
        if (!(shp->shm_perm.mode & SHM_LOCKED))
            goto out_unlock0;
        shmem_lock(shm_file, 0, shp->mlock_user);
        shp->shm_perm.mode &= ~SHM_LOCKED;
        shp->mlock_user = NULL;
        /* Pin the file before dropping the locks: shm_destroy() may
         * free the segment once we unlock, but the mapping must stay
         * alive for shmem_unlock_mapping() below. */
        get_file(shm_file);
        ipc_unlock_object(&shp->shm_perm);
        rcu_read_unlock();
        shmem_unlock_mapping(shm_file->f_mapping);

        fput(shm_file);
        return err;
    }
    default:
        return -EINVAL;
    }

out_unlock0:
    ipc_unlock_object(&shp->shm_perm);
out_unlock1:
    rcu_read_unlock();
    return err;
}
1086 
1087 /*
1088  * Fix shmaddr, allocate descriptor, map shm, add attach descriptor to lists.
1089  *
1090  * NOTE! Despite the name, this is NOT a direct system call entrypoint. The
1091  * "raddr" thing points to kernel space, and there has to be a wrapper around
1092  * this.
1093  */
1094 long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
1095           unsigned long shmlba)
1096 {
1097     struct shmid_kernel *shp;
1098     unsigned long addr;
1099     unsigned long size;
1100     struct file *file;
1101     int    err;
1102     unsigned long flags;
1103     unsigned long prot;
1104     int acc_mode;
1105     struct ipc_namespace *ns;
1106     struct shm_file_data *sfd;
1107     struct path path;
1108     fmode_t f_mode;
1109     unsigned long populate = 0;
1110 
1111     err = -EINVAL;
1112     if (shmid < 0)
1113         goto out;
1114     else if ((addr = (ulong)shmaddr)) {
1115         if (addr & (shmlba - 1)) {
1116             if (shmflg & SHM_RND)
1117                 addr &= ~(shmlba - 1);     /* round down */
1118             else
1119 #ifndef __ARCH_FORCE_SHMLBA
1120                 if (addr & ~PAGE_MASK)
1121 #endif
1122                     goto out;
1123         }
1124         flags = MAP_SHARED | MAP_FIXED;
1125     } else {
1126         if ((shmflg & SHM_REMAP))
1127             goto out;
1128 
1129         flags = MAP_SHARED;
1130     }
1131 
1132     if (shmflg & SHM_RDONLY) {
1133         prot = PROT_READ;
1134         acc_mode = S_IRUGO;
1135         f_mode = FMODE_READ;
1136     } else {
1137         prot = PROT_READ | PROT_WRITE;
1138         acc_mode = S_IRUGO | S_IWUGO;
1139         f_mode = FMODE_READ | FMODE_WRITE;
1140     }
1141     if (shmflg & SHM_EXEC) {
1142         prot |= PROT_EXEC;
1143         acc_mode |= S_IXUGO;
1144     }
1145 
1146     /*
1147      * We cannot rely on the fs check since SYSV IPC does have an
1148      * additional creator id...
1149      */
1150     ns = current->nsproxy->ipc_ns;
1151     rcu_read_lock();
1152     shp = shm_obtain_object_check(ns, shmid);
1153     if (IS_ERR(shp)) {
1154         err = PTR_ERR(shp);
1155         goto out_unlock;
1156     }
1157 
1158     err = -EACCES;
1159     if (ipcperms(ns, &shp->shm_perm, acc_mode))
1160         goto out_unlock;
1161 
1162     err = security_shm_shmat(shp, shmaddr, shmflg);
1163     if (err)
1164         goto out_unlock;
1165 
1166     ipc_lock_object(&shp->shm_perm);
1167 
1168     /* check if shm_destroy() is tearing down shp */
1169     if (!ipc_valid_object(&shp->shm_perm)) {
1170         ipc_unlock_object(&shp->shm_perm);
1171         err = -EIDRM;
1172         goto out_unlock;
1173     }
1174 
1175     path = shp->shm_file->f_path;
1176     path_get(&path);
1177     shp->shm_nattch++;
1178     size = i_size_read(d_inode(path.dentry));
1179     ipc_unlock_object(&shp->shm_perm);
1180     rcu_read_unlock();
1181 
1182     err = -ENOMEM;
1183     sfd = kzalloc(sizeof(*sfd), GFP_KERNEL);
1184     if (!sfd) {
1185         path_put(&path);
1186         goto out_nattch;
1187     }
1188 
1189     file = alloc_file(&path, f_mode,
1190               is_file_hugepages(shp->shm_file) ?
1191                 &shm_file_operations_huge :
1192                 &shm_file_operations);
1193     err = PTR_ERR(file);
1194     if (IS_ERR(file)) {
1195         kfree(sfd);
1196         path_put(&path);
1197         goto out_nattch;
1198     }
1199 
1200     file->private_data = sfd;
1201     file->f_mapping = shp->shm_file->f_mapping;
1202     sfd->id = shp->shm_perm.id;
1203     sfd->ns = get_ipc_ns(ns);
1204     sfd->file = shp->shm_file;
1205     sfd->vm_ops = NULL;
1206 
1207     err = security_mmap_file(file, prot, flags);
1208     if (err)
1209         goto out_fput;
1210 
1211     if (down_write_killable(&current->mm->mmap_sem)) {
1212         err = -EINTR;
1213         goto out_fput;
1214     }
1215 
1216     if (addr && !(shmflg & SHM_REMAP)) {
1217         err = -EINVAL;
1218         if (addr + size < addr)
1219             goto invalid;
1220 
1221         if (find_vma_intersection(current->mm, addr, addr + size))
1222             goto invalid;
1223     }
1224 
1225     addr = do_mmap_pgoff(file, addr, size, prot, flags, 0, &populate);
1226     *raddr = addr;
1227     err = 0;
1228     if (IS_ERR_VALUE(addr))
1229         err = (long)addr;
1230 invalid:
1231     up_write(&current->mm->mmap_sem);
1232     if (populate)
1233         mm_populate(addr, populate);
1234 
1235 out_fput:
1236     fput(file);
1237 
1238 out_nattch:
1239     down_write(&shm_ids(ns).rwsem);
1240     shp = shm_lock(ns, shmid);
1241     shp->shm_nattch--;
1242     if (shm_may_destroy(ns, shp))
1243         shm_destroy(ns, shp);
1244     else
1245         shm_unlock(shp);
1246     up_write(&shm_ids(ns).rwsem);
1247     return err;
1248 
1249 out_unlock:
1250     rcu_read_unlock();
1251 out:
1252     return err;
1253 }
1254 
1255 SYSCALL_DEFINE3(shmat, int, shmid, char __user *, shmaddr, int, shmflg)
1256 {
1257     unsigned long ret;
1258     long err;
1259 
1260     err = do_shmat(shmid, shmaddr, shmflg, &ret, SHMLBA);
1261     if (err)
1262         return err;
1263     force_successful_syscall_return();
1264     return (long)ret;
1265 }
1266 
1267 /*
1268  * detach and kill segment if marked destroyed.
1269  * The work is done in shm_close.
1270  */
SYSCALL_DEFINE1(shmdt, char __user *, shmaddr)
{
    struct mm_struct *mm = current->mm;
    struct vm_area_struct *vma;
    unsigned long addr = (unsigned long)shmaddr;
    int retval = -EINVAL;    /* stays -EINVAL unless a matching vma is found */
#ifdef CONFIG_MMU
    loff_t size = 0;
    struct file *file;
    struct vm_area_struct *next;
#endif

    /* The detach address must be page aligned. */
    if (addr & ~PAGE_MASK)
        return retval;

    if (down_write_killable(&mm->mmap_sem))
        return -EINTR;

    /*
     * This function tries to be smart and unmap shm segments that
     * were modified by partial mlock or munmap calls:
     * - It first determines the size of the shm segment that should be
     *   unmapped: It searches for a vma that is backed by shm and that
     *   started at address shmaddr. It records its size and then unmaps
     *   it.
     * - Then it unmaps all shm vmas that started at shmaddr and that
     *   are within the initially determined size and that are from the
     *   same shm segment from which we determined the size.
     * Errors from do_munmap are ignored: the function only fails if
     * it's called with invalid parameters or if it's called to unmap
     * a part of a vma. Both calls in this function are for full vmas,
     * the parameters are directly copied from the vma itself and always
     * valid - therefore do_munmap cannot fail. (famous last words?)
     */
    /*
     * If it had been mremap()'d, the starting address would not
     * match the usual checks anyway. So assume all vma's are
     * above the starting address given.
     */
    vma = find_vma(mm, addr);

#ifdef CONFIG_MMU
    while (vma) {
        next = vma->vm_next;

        /*
         * Check if the starting address would match, i.e. it's
         * a fragment created by mprotect() and/or munmap(), or
         * otherwise it starts at this address with no hassles.
         * The pgoff comparison verifies the vma's file offset is
         * consistent with an attach that began exactly at addr.
         */
        if ((vma->vm_ops == &shm_vm_ops) &&
            (vma->vm_start - addr)/PAGE_SIZE == vma->vm_pgoff) {

            /*
             * Record the file of the shm segment being
             * unmapped.  With mremap(), someone could place
             * page from another segment but with equal offsets
             * in the range we are unmapping.
             */
            file = vma->vm_file;
            size = i_size_read(file_inode(vma->vm_file));
            do_munmap(mm, vma->vm_start, vma->vm_end - vma->vm_start);
            /*
             * We discovered the size of the shm segment, so
             * break out of here and fall through to the next
             * loop that uses the size information to stop
             * searching for matching vma's.
             */
            retval = 0;
            vma = next;
            break;
        }
        vma = next;
    }

    /*
     * We need look no further than the maximum address a fragment
     * could possibly have landed at. Also cast things to loff_t to
     * prevent overflows and make comparisons vs. equal-width types.
     */
    size = PAGE_ALIGN(size);
    while (vma && (loff_t)(vma->vm_end - addr) <= size) {
        next = vma->vm_next;

        /* finding a matching vma now does not alter retval */
        if ((vma->vm_ops == &shm_vm_ops) &&
            ((vma->vm_start - addr)/PAGE_SIZE == vma->vm_pgoff) &&
            (vma->vm_file == file))
            do_munmap(mm, vma->vm_start, vma->vm_end - vma->vm_start);
        vma = next;
    }

#else   /* CONFIG_MMU */
    /* under NOMMU conditions, the exact address to be destroyed must be
     * given
     */
    if (vma && vma->vm_start == addr && vma->vm_ops == &shm_vm_ops) {
        do_munmap(mm, vma->vm_start, vma->vm_end - vma->vm_start);
        retval = 0;
    }

#endif

    up_write(&mm->mmap_sem);
    return retval;
}
1377 
1378 #ifdef CONFIG_PROC_FS
/*
 * Emit one line of /proc/sysvipc/shm for segment @it: key, id, mode,
 * size, creator/last pids, attach count, (namespace-translated) uids
 * and gids, attach/detach/change times, and resident/swapped byte
 * counts computed by shm_add_rss_swap().
 */
static int sysvipc_shm_proc_show(struct seq_file *s, void *it)
{
    struct user_namespace *user_ns = seq_user_ns(s);
    struct shmid_kernel *shp = it;
    unsigned long rss = 0, swp = 0;

    shm_add_rss_swap(shp, &rss, &swp);

/* Column width for size fields: segments can exceed the 32-bit range
 * on 64-bit kernels, so widen the field there. */
#if BITS_PER_LONG <= 32
#define SIZE_SPEC "%10lu"
#else
#define SIZE_SPEC "%21lu"
#endif

    seq_printf(s,
           "%10d %10d  %4o " SIZE_SPEC " %5u %5u  "
           "%5lu %5u %5u %5u %5u %10lu %10lu %10lu "
           SIZE_SPEC " " SIZE_SPEC "\n",
           shp->shm_perm.key,
           shp->shm_perm.id,
           shp->shm_perm.mode,
           shp->shm_segsz,
           shp->shm_cprid,
           shp->shm_lprid,
           shp->shm_nattch,
           /* translate ids into the namespace of the reader */
           from_kuid_munged(user_ns, shp->shm_perm.uid),
           from_kgid_munged(user_ns, shp->shm_perm.gid),
           from_kuid_munged(user_ns, shp->shm_perm.cuid),
           from_kgid_munged(user_ns, shp->shm_perm.cgid),
           shp->shm_atim,
           shp->shm_dtim,
           shp->shm_ctim,
           /* rss/swp are page counts; report them in bytes */
           rss * PAGE_SIZE,
           swp * PAGE_SIZE);

    return 0;
}
1416 #endif