diff options
| author | Mauro Carvalho Chehab <mchehab@redhat.com> | 2013-04-01 09:54:14 -0300 |
|---|---|---|
| committer | Mauro Carvalho Chehab <mchehab@redhat.com> | 2013-04-01 09:54:14 -0300 |
| commit | f9f11dfe4831adb1531e1face9dcd9fc57665d2e (patch) | |
| tree | 3fb605d9c6c7ed70d42237de21203fa131e6eee8 /ipc | |
| parent | 6bf7861fa2bb4be3cc70a6e9aed664ce65270027 (diff) | |
| parent | 07961ac7c0ee8b546658717034fe692fd12eefa9 (diff) | |
Merge tag 'v3.9-rc5' into patchwork
Linux 3.9-rc5
* tag 'v3.9-rc5': (1080 commits)
Linux 3.9-rc5
Revert "lockdep: check that no locks held at freeze time"
dw_dmac: adjust slave_id accordingly to request line base
dmaengine: dw_dma: fix endianess for DT xlate function
PNP: List Rafael Wysocki as a maintainer
rbd: don't zero-fill non-image object requests
ia64 idle: delete stale (*idle)() function pointer
Btrfs: don't drop path when printing out tree errors in scrub
target: Fix RESERVATION_CONFLICT status regression for iscsi-target special case
tcm_vhost: Avoid VIRTIO_RING_F_EVENT_IDX feature bit
Revert "mm: introduce VM_POPULATE flag to better deal with racy userspace programs"
usb: ftdi_sio: Add support for Mitsubishi FX-USB-AW/-BD
mg_disk: fix error return code in mg_probe()
Btrfs: fix wrong return value of btrfs_lookup_csum()
Btrfs: fix wrong reservation of csums
Btrfs: fix double free in the btrfs_qgroup_account_ref()
Btrfs: limit the global reserve to 512mb
Btrfs: hold the ordered operations mutex when waiting on ordered extents
Btrfs: fix space accounting for unlink and rename
Btrfs: fix space leak when we fail to reserve metadata space
...
Diffstat (limited to 'ipc')
| -rw-r--r-- | ipc/mqueue.c | 15 | ||||
| -rw-r--r-- | ipc/msg.c | 6 | ||||
| -rw-r--r-- | ipc/msgutil.c | 3 |
3 files changed, 16 insertions, 8 deletions
diff --git a/ipc/mqueue.c b/ipc/mqueue.c index e5c4f609f22..e4e47f64744 100644 --- a/ipc/mqueue.c +++ b/ipc/mqueue.c @@ -330,8 +330,16 @@ static struct dentry *mqueue_mount(struct file_system_type *fs_type, int flags, const char *dev_name, void *data) { - if (!(flags & MS_KERNMOUNT)) - data = current->nsproxy->ipc_ns; + if (!(flags & MS_KERNMOUNT)) { + struct ipc_namespace *ns = current->nsproxy->ipc_ns; + /* Don't allow mounting unless the caller has CAP_SYS_ADMIN + * over the ipc namespace. + */ + if (!ns_capable(ns->user_ns, CAP_SYS_ADMIN)) + return ERR_PTR(-EPERM); + + data = ns; + } return mount_ns(fs_type, flags, data, mqueue_fill_super); } @@ -840,7 +848,8 @@ out_putfd: fd = error; } mutex_unlock(&root->d_inode->i_mutex); - mnt_drop_write(mnt); + if (!ro) + mnt_drop_write(mnt); out_putname: putname(name); return fd; diff --git a/ipc/msg.c b/ipc/msg.c index 950572f9d79..31cd1bf6af2 100644 --- a/ipc/msg.c +++ b/ipc/msg.c @@ -820,15 +820,17 @@ long do_msgrcv(int msqid, void __user *buf, size_t bufsz, long msgtyp, struct msg_msg *copy = NULL; unsigned long copy_number = 0; + ns = current->nsproxy->ipc_ns; + if (msqid < 0 || (long) bufsz < 0) return -EINVAL; if (msgflg & MSG_COPY) { - copy = prepare_copy(buf, bufsz, msgflg, &msgtyp, ©_number); + copy = prepare_copy(buf, min_t(size_t, bufsz, ns->msg_ctlmax), + msgflg, &msgtyp, ©_number); if (IS_ERR(copy)) return PTR_ERR(copy); } mode = convert_mode(&msgtyp, msgflg); - ns = current->nsproxy->ipc_ns; msq = msg_lock_check(ns, msqid); if (IS_ERR(msq)) { diff --git a/ipc/msgutil.c b/ipc/msgutil.c index ebfcbfa8b7f..5df8e4bf1db 100644 --- a/ipc/msgutil.c +++ b/ipc/msgutil.c @@ -117,9 +117,6 @@ struct msg_msg *copy_msg(struct msg_msg *src, struct msg_msg *dst) if (alen > DATALEN_MSG) alen = DATALEN_MSG; - dst->next = NULL; - dst->security = NULL; - memcpy(dst + 1, src + 1, alen); len -= alen; |