ipc: fix GETALL/IPC_RM race for sysv semaphores

We can step on WARN_ON_ONCE() in sem_getref() if a semaphore is removed
just as we are about to call sem_getref() from semctl_main(); results
are not pretty.

We should fail with -EIDRM, same as if IPC_RM happened while we'd been
doing allocation there.  This also expands sem_getref() at its only
callsite (and fixed there), while sem_getref_and_unlock() is simply
killed off - it has no callers at all.

Signed-off-by: Al Viro <[email protected]>
Acked-by: Davidlohr Bueso <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>

Author: Al Viro

ipc/sem.c

@@ -328,28 +328,12 @@ static inline void sem_lock_and_putref(struct sem_array *sma)
 	ipc_rcu_putref(sma);
 }
 
-static inline void sem_getref_and_unlock(struct sem_array *sma)
-{
-	WARN_ON_ONCE(!ipc_rcu_getref(sma));
-	sem_unlock(sma, -1);
-}
-
 static inline void sem_putref(struct sem_array *sma)
 {
 	sem_lock_and_putref(sma);
 	sem_unlock(sma, -1);
 }
 
-/*
- * Call inside the rcu read section.
- */
-static inline void sem_getref(struct sem_array *sma)
-{
-	sem_lock(sma, NULL, -1);
-	WARN_ON_ONCE(!ipc_rcu_getref(sma));
-	sem_unlock(sma, -1);
-}
-
 static inline void sem_rmid(struct ipc_namespace *ns, struct sem_array *s)
 {
 	ipc_rmid(&sem_ids(ns), &s->sem_perm);
@@ -1116,9 +1100,14 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum,
 		ushort __user *array = p;
 		int i;
 
+		sem_lock(sma, NULL, -1);
 		if(nsems > SEMMSL_FAST) {
-			sem_getref(sma);
-
+			if (!ipc_rcu_getref(sma)) {
+				sem_unlock(sma, -1);
+				err = -EIDRM;
+				goto out_free;
+			}
+			sem_unlock(sma, -1);
 			sem_io = ipc_alloc(sizeof(ushort)*nsems);
 			if(sem_io == NULL) {
 				sem_putref(sma);
@@ -1131,9 +1120,7 @@ static int semctl_main(struct ipc_namespace *ns, int semid, int semnum,
 				err = -EIDRM;
 				goto out_free;
 			}
-		} else
-			sem_lock(sma, NULL, -1);
-
+		}
 		for (i = 0; i < sma->sem_nsems; i++)
 			sem_io[i] = sma->sem_base[i].semval;
 		sem_unlock(sma, -1);