/*
 * linux/ipc/sem.c
 * Copyright (C) 1992 Krishna Balasubramanian
 * Copyright (C) 1995 Eric Schenk, Bruno Haible
 *
 * IMPLEMENTATION NOTES ON CODE REWRITE (Eric Schenk, January 1995):
 * This code underwent a massive rewrite in order to solve some problems
 * with the original code. In particular the original code failed to
 * wake up processes that were waiting for semval to go to 0 if the
 * value went to 0 and was then incremented rapidly enough. In solving
 * this problem I have also modified the implementation so that it
 * processes pending operations in a FIFO manner, thus give a guarantee
 * that processes waiting for a lock on the semaphore won't starve
 * unless another locking process fails to unlock.
 * In addition the following two changes in behavior have been introduced:
 * - The original implementation of semop returned the value
 *   last semaphore element examined on success. This does not
 *   match the manual page specifications, and effectively
 *   allows the user to read the semaphore even if they do not
 *   have read permissions. The implementation now returns 0
 *   on success as stated in the manual page.
 * - There is some confusion over whether the set of undo adjustments
 *   to be performed at exit should be done in an atomic manner.
 *   That is, if we are attempting to decrement the semval should we queue
 *   up and wait until we can do so legally?
 *   The original implementation attempted to do this.
 *   The current implementation does not do so. This is because I don't
 *   think it is the right thing (TM) to do, and because I couldn't
 *   see a clean way to get the old behavior with the new design.
 *   The POSIX standard and SVID should be consulted to determine
 *   what behavior is mandated.
 *
 * Further notes on refinement (Christoph Rohland, December 1998):
 * - The POSIX standard says, that the undo adjustments simply should
 *   redo. So the current implementation is o.K.
 * - The previous code had two flaws:
 *   1) It actively gave the semaphore to the next waiting process
 *      sleeping on the semaphore. Since this process did not have the
 *      cpu this led to many unnecessary context switches and bad
 *      performance. Now we only check which process should be able to
 *      get the semaphore and if this process wants to reduce some
 *      semaphore value we simply wake it up without doing the
 *      operation. So it has to try to get it later. Thus e.g. the
 *      running process may reacquire the semaphore during the current
 *      time slice. If it only waits for zero or increases the semaphore,
 *      we do the operation in advance and wake it up.
 *   2) It did not wake up all zero waiting processes. We try to do
 *      better but only get the semops right which only wait for zero or
 *      increase. If there are decrement operations in the operations
 *      array we do the same as before.
 *
 * With the incarnation of O(1) scheduler, it becomes unnecessary to perform
 * check/retry algorithm for waking up blocked processes as the new scheduler
 * is better at handling thread switch than the old one.
 *
 * /proc/sysvipc/sem support (c) 1999 Dragos Acostachioaie <dragos@iname.com>
 *
 * SMP-threaded, sysctl's added
 * (c) 1999 Manfred Spraul <manfred@colorfullife.com>
 * Enforced range limit on SEM_UNDO
 * (c) 2001 Red Hat Inc
 * Lockless wakeup
 * (c) 2003 Manfred Spraul <manfred@colorfullife.com>
 *
 * support for audit of ipc object properties and permission changes
 * Dustin Kirkland <dustin.kirkland@us.ibm.com>
 *
 * namespaces support
 * OpenVZ, SWsoft Inc.
 * Pavel Emelianov <xemul@openvz.org>
 */

#include <linux/slab.h>
#include <linux/spinlock.h>
#include <linux/init.h>
#include <linux/proc_fs.h>
#include <linux/time.h>
#include <linux/security.h>
#include <linux/syscalls.h>
#include <linux/audit.h>
#include <linux/capability.h>
#include <linux/seq_file.h>
#include <linux/rwsem.h>
#include <linux/nsproxy.h>
#include <linux/ipc_namespace.h>

#include <asm/uaccess.h>
#include "util.h"

#define sem_ids(ns)     ((ns)->ids[IPC_SEM_IDS])

#define sem_unlock(sma)         ipc_unlock(&(sma)->sem_perm)
#define sem_checkid(sma, semid) ipc_checkid(&sma->sem_perm, semid)

static int newary(struct ipc_namespace *, struct ipc_params *);
static void freeary(struct ipc_namespace *, struct kern_ipc_perm *);
#ifdef CONFIG_PROC_FS
static int sysvipc_sem_proc_show(struct seq_file *s, void *it);
#endif

#define SEMMSL_FAST     256 /* 512 bytes on stack */
#define SEMOPM_FAST     64  /* ~ 372 bytes on stack */

/*
 * linked list protection:
 *      sem_undo.id_next,
 *      sem_array.sem_pending{,last},
 *      sem_array.sem_undo: sem_lock() for read/write
 *      sem_undo.proc_next: only "current" is allowed to read/write that field.
 *      
 */

#define sc_semmsl       sem_ctls[0]
#define sc_semmns       sem_ctls[1]
#define sc_semopm       sem_ctls[2]
#define sc_semmni       sem_ctls[3]

void sem_init_ns(struct ipc_namespace *ns)
{
        ns->sc_semmsl = SEMMSL;
        ns->sc_semmns = SEMMNS;
        ns->sc_semopm = SEMOPM;
        ns->sc_semmni = SEMMNI;
        ns->used_sems = 0;
        ipc_init_ids(&ns->ids[IPC_SEM_IDS]);
}

#ifdef CONFIG_IPC_NS
void sem_exit_ns(struct ipc_namespace *ns)
{
        free_ipcs(ns, &sem_ids(ns), freeary);
        idr_destroy(&ns->ids[IPC_SEM_IDS].ipcs_idr);
}
#endif

void __init sem_init (void)
{
        sem_init_ns(&init_ipc_ns);
        ipc_init_proc_interface("sysvipc/sem",
                                "       key      semid perms      nsems   uid   gid  cuid  cgid      otime      ctime\n",
                                IPC_SEM_IDS, sysvipc_sem_proc_show);
}

/*
 * sem_lock_(check_) routines are called in the paths where the rw_mutex
 * is not held.
 */
static inline struct sem_array *sem_lock(struct ipc_namespace *ns, int id)
{
        struct kern_ipc_perm *ipcp = ipc_lock(&sem_ids(ns), id);

        if (IS_ERR(ipcp))
                return (struct sem_array *)ipcp;

        return container_of(ipcp, struct sem_array, sem_perm);
}

static inline struct sem_array *sem_lock_check(struct ipc_namespace *ns,
                                                int id)
{
        struct kern_ipc_perm *ipcp = ipc_lock_check(&sem_ids(ns), id);

        if (IS_ERR(ipcp))
                return (struct sem_array *)ipcp;

        return container_of(ipcp, struct sem_array, sem_perm);
}

static inline void sem_lock_and_putref(struct sem_array *sma)
{
        ipc_lock_by_ptr(&sma->sem_perm);
        ipc_rcu_putref(sma);
}

static inline void sem_getref_and_unlock(struct sem_array *sma)
{
        ipc_rcu_getref(sma);
        ipc_unlock(&(sma)->sem_perm);
}

static inline void sem_putref(struct sem_array *sma)
{
        ipc_lock_by_ptr(&sma->sem_perm);
        ipc_rcu_putref(sma);
        ipc_unlock(&(sma)->sem_perm);
}

static inline void sem_rmid(struct ipc_namespace *ns, struct sem_array *s)
{
        ipc_rmid(&sem_ids(ns), &s->sem_perm);
}

/*
 * Lockless wakeup algorithm:
 * Without the check/retry algorithm a lockless wakeup is possible:
 * - queue.status is initialized to -EINTR before blocking.
 * - wakeup is performed by
 *      * unlinking the queue entry from sma->sem_pending
 *      * setting queue.status to IN_WAKEUP
 *        This is the notification for the blocked thread that a
 *        result value is imminent.
 *      * call wake_up_process
 *      * set queue.status to the final value.
 * - the previously blocked thread checks queue.status:
 *      * if it's IN_WAKEUP, then it must wait until the value changes
 *      * if it's not -EINTR, then the operation was completed by
 *        update_queue. semtimedop can return queue.status without
 *        performing any operation on the sem array.
 *      * otherwise it must acquire the spinlock and check what's up.
 *
 * The two-stage algorithm is necessary to protect against the following
 * races:
 * - if queue.status is set after wake_up_process, then the woken up idle
 *   thread could race forward and try (and fail) to acquire sma->lock
 *   before update_queue had a chance to set queue.status
 * - if queue.status is written before wake_up_process and if the
 *   blocked process is woken up by a signal between writing
 *   queue.status and the wake_up_process, then the woken up
 *   process could return from semtimedop and die by calling
 *   sys_exit before wake_up_process is called. Then wake_up_process
 *   will oops, because the task structure is already invalid.
 *   (yes, this happened on s390 with sysv msg).
 *
 */
#define IN_WAKEUP       1

/**
 * newary - Create a new semaphore set
 * @ns: namespace
 * @params: ptr to the structure that contains key, semflg and nsems
 *
 * Called with sem_ids.rw_mutex held (as a writer)
 */

static int newary(struct ipc_namespace *ns, struct ipc_params *params)
{
        int id;
        int retval;
        struct sem_array *sma;
        int size;
        key_t key = params->key;
        int nsems = params->u.nsems;
        int semflg = params->flg;
        int i;

        if (!nsems)
                return -EINVAL;
        if (ns->used_sems + nsems > ns->sc_semmns)
                return -ENOSPC;

        size = sizeof (*sma) + nsems * sizeof (struct sem);
        sma = ipc_rcu_alloc(size);
        if (!sma) {
                return -ENOMEM;
        }
        memset (sma, 0, size);

        sma->sem_perm.mode = (semflg & S_IRWXUGO);
        sma->sem_perm.key = key;

        sma->sem_perm.security = NULL;
        retval = security_sem_alloc(sma);
        if (retval) {
                ipc_rcu_putref(sma);
                return retval;
        }

        id = ipc_addid(&sem_ids(ns), &sma->sem_perm, ns->sc_semmni);
        if (id < 0) {
                security_sem_free(sma);
                ipc_rcu_putref(sma);
                return id;
        }
        ns->used_sems += nsems;

        sma->sem_base = (struct sem *) &sma[1];

        for (i = 0; i < nsems; i++)
                INIT_LIST_HEAD(&sma->sem_base[i].sem_pending);

        sma->complex_count = 0;
        INIT_LIST_HEAD(&sma->sem_pending);
        INIT_LIST_HEAD(&sma->list_id);
        sma->sem_nsems = nsems;
        sma->sem_ctime = get_seconds();
        sem_unlock(sma);

        return sma->sem_perm.id;
}


/*
 * Called with sem_ids.rw_mutex and ipcp locked.
 */
static inline int sem_security(struct kern_ipc_perm *ipcp, int semflg)
{
        struct sem_array *sma;

        sma = container_of(ipcp, struct sem_array, sem_perm);
        return security_sem_associate(sma, semflg);
}

/*
 * Called with sem_ids.rw_mutex and ipcp locked.
 */
static inline int sem_more_checks(struct kern_ipc_perm *ipcp,
                                struct ipc_params *params)
{
        struct sem_array *sma;

        sma = container_of(ipcp, struct sem_array, sem_perm);
        if (params->u.nsems > sma->sem_nsems)
                return -EINVAL;

        return 0;
}

SYSCALL_DEFINE3(semget, key_t, key, int, nsems, int, semflg)
{
        struct ipc_namespace *ns;
        struct ipc_ops sem_ops;
        struct ipc_params sem_params;

        ns = current->nsproxy->ipc_ns;

        if (nsems < 0 || nsems > ns->sc_semmsl)
                return -EINVAL;

        sem_ops.getnew = newary;
        sem_ops.associate = sem_security;
        sem_ops.more_checks = sem_more_checks;

        sem_params.key = key;
        sem_params.flg = semflg;
        sem_params.u.nsems = nsems;

        return ipcget(ns, &sem_ids(ns), &sem_ops, &sem_params);
}

/*
 * Determine whether a sequence of semaphore operations would succeed
 * all at once. Return 0 if yes, 1 if need to sleep, else return error code.
 */

static int try_atomic_semop (struct sem_array * sma, struct sembuf * sops,
                             int nsops, struct sem_undo *un, int pid)
{
        int result, sem_op;
        struct sembuf *sop;
        struct sem * curr;

        for (sop = sops; sop < sops + nsops; sop++) {
                curr = sma->sem_base + sop->sem_num;
                sem_op = sop->sem_op;
                result = curr->semval;
  
                if (!sem_op && result)
                        goto would_block;

                result += sem_op;
                if (result < 0)
                        goto would_block;
                if (result > SEMVMX)
                        goto out_of_range;
                if (sop->sem_flg & SEM_UNDO) {
                        int undo = un->semadj[sop->sem_num] - sem_op;
                        /*
                         *      Exceeding the undo range is an error.
                         */
                        if (undo < (-SEMAEM - 1) || undo > SEMAEM)
                                goto out_of_range;
                }
                curr->semval = result;
        }

        sop--;
        while (sop >= sops) {
                sma->sem_base[sop->sem_num].sempid = pid;
                if (sop->sem_flg & SEM_UNDO)
                        un->semadj[sop->sem_num] -= sop->sem_op;
                sop--;
        }
        
        sma->sem_otime = get_seconds();
        return 0;

out_of_range:
        result = -ERANGE;
        goto undo;

would_block:
        if (sop->sem_flg & IPC_NOWAIT)
                result = -EAGAIN;
        else
                result = 1;

undo:
        sop--;
        while (sop >= sops) {
                sma->sem_base[sop->sem_num].semval -= sop->sem_op;
                sop--;
        }

        return result;
}

/*
 * Wake up a process waiting on the sem queue with a given error.
 * The queue is invalid (may not be accessed) after the function returns.
 */
static void wake_up_sem_queue(struct sem_queue *q, int error)
{
        /*
         * Hold preempt off so that we don't get preempted and have the
         * wakee busy-wait until we're scheduled back on. We're holding
         * locks here so it may not strictly be needed, however if the
         * locks become preemptible then this prevents such a problem.
         */
        preempt_disable();
        q->status = IN_WAKEUP;
        wake_up_process(q->sleeper);
        /* hands-off: q can disappear immediately after writing q->status. */
        smp_wmb();
        q->status = error;
        preempt_enable();
}

static void unlink_queue(struct sem_array *sma, struct sem_queue *q)
{
        list_del(&q->list);
        if (q->nsops == 1)
                list_del(&q->simple_list);
        else
                sma->complex_count--;
}


/**
 * update_queue(sma, semnum): Look for tasks that can be completed.
 * @sma: semaphore array.
 * @semnum: semaphore that was modified.
 *
 * update_queue must be called after a semaphore in a semaphore array
 * was modified. If multiple semaphore were modified, then @semnum
 * must be set to -1.
 */
static void update_queue(struct sem_array *sma, int semnum)
{
        struct sem_queue *q;
        struct list_head *walk;
        struct list_head *pending_list;
        int offset;

        /* if there are complex operations around, then knowing the semaphore
         * that was modified doesn't help us. Assume that multiple semaphores
         * were modified.
         */
        if (sma->complex_count)
                semnum = -1;

        if (semnum == -1) {
                pending_list = &sma->sem_pending;
                offset = offsetof(struct sem_queue, list);
        } else {
                pending_list = &sma->sem_base[semnum].sem_pending;
                offset = offsetof(struct sem_queue, simple_list);
        }

again:
        walk = pending_list->next;
        while (walk != pending_list) {
                int error, alter;

                q = (struct sem_queue *)((char *)walk - offset);
                walk = walk->next;

                /* If we are scanning the single sop, per-semaphore list of
                 * one semaphore and that semaphore is 0, then it is not
                 * necessary to scan the "alter" entries: simple increments
                 * that affect only one entry succeed immediately and cannot
                 * be in the  per semaphore pending queue, and decrements
                 * cannot be successful if the value is already 0.
                 */
                if (semnum != -1 && sma->sem_base[semnum].semval == 0 &&
                                q->alter)
                        break;

                error = try_atomic_semop(sma, q->sops, q->nsops,
                                         q->undo, q->pid);

                /* Does q->sleeper still need to sleep? */
                if (error > 0)
                        continue;

                unlink_queue(sma, q);

                /*
                 * The next operation that must be checked depends on the type
                 * of the completed operation:
                 * - if the operation modified the array, then restart from the
                 *   head of the queue and check for threads that might be
                 *   waiting for the new semaphore values.
                 * - if the operation didn't modify the array, then just
                 *   continue.
                 */
                alter = q->alter;
                wake_up_sem_queue(q, error);
                if (alter && !error)
                        goto again;
        }
}

/* The following counts are associated to each semaphore:
 *   semncnt        number of tasks waiting on semval being nonzero
 *   semzcnt        number of tasks waiting on semval being zero
 * This model assumes that a task waits on exactly one semaphore.
 * Since semaphore operations are to be performed atomically, tasks actually
 * wait on a whole sequence of semaphores simultaneously.
 * The counts we return here are a rough approximation, but still
 * warrant that semncnt+semzcnt>0 if the task is on the pending queue.
 */
static int count_semncnt (struct sem_array * sma, ushort semnum)
{
        int semncnt;
        struct sem_queue * q;

        semncnt = 0;
        list_for_each_entry(q, &sma->sem_pending, list) {
                struct sembuf * sops = q->sops;
                int nsops = q->nsops;
                int i;
                for (i = 0; i < nsops; i++)
                        if (sops[i].sem_num == semnum
                            && (sops[i].sem_op < 0)
                            && !(sops[i].sem_flg & IPC_NOWAIT))
                                semncnt++;
        }
        return semncnt;
}

static int count_semzcnt (struct sem_array * sma, ushort semnum)
{
        int semzcnt;
        struct sem_queue * q;

        semzcnt = 0;
        list_for_each_entry(q, &sma->sem_pending, list) {
                struct sembuf * sops = q->sops;
                int nsops = q->nsops;
                int i;
                for (i = 0; i < nsops; i++)
                        if (sops[i].sem_num == semnum
                            && (sops[i].sem_op == 0)
                            && !(sops[i].sem_flg & IPC_NOWAIT))
                                semzcnt++;
        }
        return semzcnt;
}

static void free_un(struct rcu_head *head)
{
        struct sem_undo *un = container_of(head, struct sem_undo, rcu);
        kfree(un);
}

/* Free a semaphore set. freeary() is called with sem_ids.rw_mutex locked
 * as a writer and the spinlock for this semaphore set hold. sem_ids.rw_mutex
 * remains locked on exit.
 */
static void freeary(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp)
{
        struct sem_undo *un, *tu;
        struct sem_queue *q, *tq;
        struct sem_array *sma = container_of(ipcp, struct sem_array, sem_perm);

        /* Free the existing undo structures for this semaphore set.  */
        assert_spin_locked(&sma->sem_perm.lock);
        list_for_each_entry_safe(un, tu, &sma->list_id, list_id) {
                list_del(&un->list_id);
                spin_lock(&un->ulp->lock);
                un->semid = -1;
                list_del_rcu(&un->list_proc);
                spin_unlock(&un->ulp->lock);
                call_rcu(&un->rcu, free_un);
        }

        /* Wake up all pending processes and let them fail with EIDRM. */
        list_for_each_entry_safe(q, tq, &sma->sem_pending, list) {
                unlink_queue(sma, q);
                wake_up_sem_queue(q, -EIDRM);
        }

        /* Remove the semaphore set from the IDR */
        sem_rmid(ns, sma);
        sem_unlock(sma);

        ns->used_sems -= sma->sem_nsems;
        security_sem_free(sma);
        ipc_rcu_putref(sma);
}

static unsigned long copy_semid_to_user(void __user *buf, struct semid64_ds *in, int version)
{
        switch(version) {
        case IPC_64:
                return copy_to_user(buf, in, sizeof(*in));
        case IPC_OLD:
            {
                struct semid_ds out;

                ipc64_perm_to_ipc_perm(&in->sem_perm, &out.sem_perm);

                out.sem_otime   = in->sem_otime;
                out.sem_ctime   = in->sem_ctime;
                out.sem_nsems   = in->sem_nsems;

                return copy_to_user(buf, &out, sizeof(out));
            }
        default:
                return -EINVAL;
        }
}

static int semctl_nolock(struct ipc_namespace *ns, int semid,
                         int cmd, int version, union semun arg)
{
        int err;
        struct sem_array *sma;

        switch(cmd) {
        case IPC_INFO:
        case SEM_INFO:
        {
                struct seminfo seminfo;
                int max_id;

                err = security_sem_semctl(NULL, cmd);
                if (err)
                        return err;
                
                memset(&seminfo,0,sizeof(seminfo));
                seminfo.semmni = ns->sc_semmni;
                seminfo.semmns = ns->sc_semmns;
                seminfo.semmsl = ns->sc_semmsl;
                seminfo.semopm = ns->sc_semopm;
                seminfo.semvmx = SEMVMX;
                seminfo.semmnu = SEMMNU;
                seminfo.semmap = SEMMAP;
                seminfo.semume = SEMUME;
                down_read(&sem_ids(ns).rw_mutex);
                if (cmd == SEM_INFO) {
                        seminfo.semusz = sem_ids(ns).in_use;
                        seminfo.semaem = ns->used_sems;
                } else {
                        seminfo.semusz = SEMUSZ;
                        seminfo.semaem = SEMAEM;
                }
                max_id = ipc_get_maxid(&sem_ids(ns));
                up_read(&sem_ids(ns).rw_mutex);
                if (copy_to_user (arg.__buf, &seminfo, sizeof(struct seminfo))) 
                        return -EFAULT;
                return (max_id < 0) ? 0: max_id;
        }
        case IPC_STAT:
        case SEM_STAT:
        {
                struct semid64_ds tbuf;
                int id;

                if (cmd == SEM_STAT) {
                        sma = sem_lock(ns, semid);
                        if (IS_ERR(sma))
                                return PTR_ERR(sma);
                        id = sma->sem_perm.id;
                } else {
                        sma = sem_lock_check(ns, semid);
                        if (IS_ERR(sma))
                                return PTR_ERR(sma);
                        id = 0;
                }

                err = -EACCES;
                if (ipcperms (&sma->sem_perm, S_IRUGO))
                        goto out_unlock;

                err = security_sem_semctl(sma, cmd);
                if (err)
                        goto out_unlock;

                memset(&tbuf, 0, sizeof(tbuf));

                kernel_to_ipc64_perm(&sma->sem_perm, &tbuf.sem_perm);
                tbuf.sem_otime  = sma->sem_otime;
                tbuf.sem_ctime  = sma->sem_ctime;
                tbuf.sem_nsems  = sma->sem_nsems;
                sem_unlock(sma);
                if (copy_semid_to_user (arg.buf, &tbuf, version))
                        return -EFAULT;
                return id;
        }
        default:
                return -EINVAL;
        }
out_unlock:
        sem_unlock(sma);
        return err;
}

static int semctl_main(struct ipc_namespace *ns, int semid, int semnum,
                int cmd, int version, union semun arg)
{
        struct sem_array *sma;
        struct sem* curr;
        int err;
        ushort fast_sem_io[SEMMSL_FAST];
        ushort* sem_io = fast_sem_io;
        int nsems;

        sma = sem_lock_check(ns, semid);
        if (IS_ERR(sma))
                return PTR_ERR(sma);

        nsems = sma->sem_nsems;

        err = -EACCES;
        if (ipcperms (&sma->sem_perm, (cmd==SETVAL||cmd==SETALL)?S_IWUGO:S_IRUGO))
                goto out_unlock;

        err = security_sem_semctl(sma, cmd);
        if (err)
                goto out_unlock;

        err = -EACCES;
        switch (cmd) {
        case GETALL:
        {
                ushort __user *array = arg.array;
                int i;

                if(nsems > SEMMSL_FAST) {
                        sem_getref_and_unlock(sma);

                        sem_io = ipc_alloc(sizeof(ushort)*nsems);
                        if(sem_io == NULL) {
                                sem_putref(sma);
                                return -ENOMEM;
                        }

                        sem_lock_and_putref(sma);
                        if (sma->sem_perm.deleted) {
                                sem_unlock(sma);
                                err = -EIDRM;
                                goto out_free;
                        }
                }

                for (i = 0; i < sma->sem_nsems; i++)
                        sem_io[i] = sma->sem_base[i].semval;
                sem_unlock(sma);
                err = 0;
                if(copy_to_user(array, sem_io, nsems*sizeof(ushort)))
                        err = -EFAULT;
                goto out_free;
        }
        case SETALL:
        {
                int i;
                struct sem_undo *un;

                sem_getref_and_unlock(sma);

                if(nsems > SEMMSL_FAST) {
                        sem_io = ipc_alloc(sizeof(ushort)*nsems);
                        if(sem_io == NULL) {
                                sem_putref(sma);
                                return -ENOMEM;
                        }
                }

                if (copy_from_user (sem_io, arg.array, nsems*sizeof(ushort))) {
                        sem_putref(sma);
                        err = -EFAULT;
                        goto out_free;
                }

                for (i = 0; i < nsems; i++) {
                        if (sem_io[i] > SEMVMX) {
                                sem_putref(sma);
                                err = -ERANGE;
                                goto out_free;
                        }
                }
                sem_lock_and_putref(sma);
                if (sma->sem_perm.deleted) {
                        sem_unlock(sma);
                        err = -EIDRM;
                        goto out_free;
                }

                for (i = 0; i < nsems; i++)
                        sma->sem_base[i].semval = sem_io[i];

                assert_spin_locked(&sma->sem_perm.lock);
                list_for_each_entry(un, &sma->list_id, list_id) {
                        for (i = 0; i < nsems; i++)
                                un->semadj[i] = 0;
                }
                sma->sem_ctime = get_seconds();
                /* maybe some queued-up processes were waiting for this */
                update_queue(sma, -1);
                err = 0;
                goto out_unlock;
        }
        /* GETVAL, GETPID, GETNCTN, GETZCNT, SETVAL: fall-through */
        }
        err = -EINVAL;
        if(semnum < 0 || semnum >= nsems)
                goto out_unlock;

        curr = &sma->sem_base[semnum];

        switch (cmd) {
        case GETVAL:
                err = curr->semval;
                goto out_unlock;
        case GETPID:
                err = curr->sempid;
                goto out_unlock;
        case GETNCNT:
                err = count_semncnt(sma,semnum);
                goto out_unlock;
        case GETZCNT:
                err = count_semzcnt(sma,semnum);
                goto out_unlock;
        case SETVAL:
        {
                int val = arg.val;
                struct sem_undo *un;

                err = -ERANGE;
                if (val > SEMVMX || val < 0)
                        goto out_unlock;

                assert_spin_locked(&sma->sem_perm.lock);
                list_for_each_entry(un, &sma->list_id, list_id)
                        un->semadj[semnum] = 0;

                curr->semval = val;
                curr->sempid = task_tgid_vnr(current);
                sma->sem_ctime = get_seconds();
                /* maybe some queued-up processes were waiting for this */
                update_queue(sma, semnum);
                err = 0;
                goto out_unlock;
        }
        }
out_unlock:
        sem_unlock(sma);
out_free:
        if(sem_io != fast_sem_io)
                ipc_free(sem_io, sizeof(ushort)*nsems);
        return err;
}

static inline unsigned long
copy_semid_from_user(struct semid64_ds *out, void __user *buf, int version)
{
        switch(version) {
        case IPC_64:
                if (copy_from_user(out, buf, sizeof(*out)))
                        return -EFAULT;
                return 0;
        case IPC_OLD:
            {
                struct semid_ds tbuf_old;

                if(copy_from_user(&tbuf_old, buf, sizeof(tbuf_old)))
                        return -EFAULT;

                out->sem_perm.uid       = tbuf_old.sem_perm.uid;
                out->sem_perm.gid       = tbuf_old.sem_perm.gid;
                out->sem_perm.mode      = tbuf_old.sem_perm.mode;

                return 0;
            }
        default:
                return -EINVAL;
        }
}

/*
 * This function handles some semctl commands which require the rw_mutex
 * to be held in write mode.
 * NOTE: no locks must be held, the rw_mutex is taken inside this function.
 */
static int semctl_down(struct ipc_namespace *ns, int semid,
                       int cmd, int version, union semun arg)
{
        struct sem_array *sma;
        int err;
        struct semid64_ds semid64;
        struct kern_ipc_perm *ipcp;

        if(cmd == IPC_SET) {
                if (copy_semid_from_user(&semid64, arg.buf, version))
                        return -EFAULT;
        }

        ipcp = ipcctl_pre_down(&sem_ids(ns), semid, cmd, &semid64.sem_perm, 0);
        if (IS_ERR(ipcp))
                return PTR_ERR(ipcp);

        sma = container_of(ipcp, struct sem_array, sem_perm);

        err = security_sem_semctl(sma, cmd);
        if (err)
                goto out_unlock;

        switch(cmd){
        case IPC_RMID:
                freeary(ns, ipcp);
                goto out_up;
        case IPC_SET:
                ipc_update_perm(&semid64.sem_perm, ipcp);
                sma->sem_ctime = get_seconds();
                break;
        default:
                err = -EINVAL;
        }

out_unlock:
        sem_unlock(sma);
out_up:
        up_write(&sem_ids(ns).rw_mutex);
        return err;
}

SYSCALL_DEFINE(semctl)(int semid, int semnum, int cmd, union semun arg)
{
        int err = -EINVAL;
        int version;
        struct ipc_namespace *ns;

        if (semid < 0)
                return -EINVAL;

        version = ipc_parse_version(&cmd);
        ns = current->nsproxy->ipc_ns;

        switch(cmd) {
        case IPC_INFO:
        case SEM_INFO:
        case IPC_STAT:
        case SEM_STAT:
                err = semctl_nolock(ns, semid, cmd, version, arg);
                return err;
        case GETALL:
        case GETVAL:
        case GETPID:
        case GETNCNT:
        case GETZCNT:
        case SETVAL:
        case SETALL:
                err = semctl_main(ns,semid,semnum,cmd,version,arg);
                return err;
        case IPC_RMID:
        case IPC_SET:
                err = semctl_down(ns, semid, cmd, version, arg);
                return err;
        default:
                return -EINVAL;
        }
}
#ifdef CONFIG_HAVE_SYSCALL_WRAPPERS
asmlinkage long SyS_semctl(int semid, int semnum, int cmd, union semun arg)
{
        return SYSC_semctl((int) semid, (int) semnum, (int) cmd, arg);
}
SYSCALL_ALIAS(sys_semctl, SyS_semctl);
#endif

/* If the task doesn't already have a undo_list, then allocate one
 * here.  We guarantee there is only one thread using this undo list,
 * and current is THE ONE
 *
 * If this allocation and assignment succeeds, but later
 * portions of this code fail, there is no need to free the sem_undo_list.
 * Just let it stay associated with the task, and it'll be freed later
 * at exit time.
 *
 * This can block, so callers must hold no locks.
 */
static inline int get_undo_list(struct sem_undo_list **undo_listp)
{
        struct sem_undo_list *undo_list;

        undo_list = current->sysvsem.undo_list;
        if (!undo_list) {
                undo_list = kzalloc(sizeof(*undo_list), GFP_KERNEL);
                if (undo_list == NULL)

                        return -ENOMEM;
                spin_lock_init(&undo_list->lock);
                atomic_set(&undo_list->refcnt, 1);
                INIT_LIST_HEAD(&undo_list->list_proc);

                current->sysvsem.undo_list = undo_list;
        }
        *undo_listp = undo_list;
        return 0;
}

static struct sem_undo *__lookup_undo(struct sem_undo_list *ulp, int semid)
{
        struct sem_undo *un;

        list_for_each_entry_rcu(un, &ulp->list_proc, list_proc) {
                if (un->semid == semid)
                        return un;
        }
        return NULL;
}

static struct sem_undo *lookup_undo(struct sem_undo_list *ulp, int semid)
{
        struct sem_undo *un;

        assert_spin_locked(&ulp->lock);

        un = __lookup_undo(ulp, semid);
        if (un) {
                list_del_rcu(&un->list_proc);
                list_add_rcu(&un->list_proc, &ulp->list_proc);
        }
        return un;
}

/**
 * find_alloc_undo - Lookup (and if not present create) undo array
 * @ns: namespace
 * @semid: semaphore array id
 *
 * The function looks up (and if not present creates) the undo structure.
 * The size of the undo structure depends on the size of the semaphore
 * array, thus the alloc path is not that straightforward.
 * Lifetime-rules: sem_undo is rcu-protected, on success, the function
 * performs a rcu_read_lock().
 */
static struct sem_undo *find_alloc_undo(struct ipc_namespace *ns, int semid)
{
        struct sem_array *sma;
        struct sem_undo_list *ulp;
        struct sem_undo *un, *new;
        int nsems;
        int error;

        error = get_undo_list(&ulp);
        if (error)
                return ERR_PTR(error);

        rcu_read_lock();
        spin_lock(&ulp->lock);
        un = lookup_undo(ulp, semid);
        spin_unlock(&ulp->lock);
        if (likely(un!=NULL))
                goto out;
        rcu_read_unlock();

        /* no undo structure around - allocate one. */
        /* step 1: figure out the size of the semaphore array */
        sma = sem_lock_check(ns, semid);
        if (IS_ERR(sma))
                return ERR_PTR(PTR_ERR(sma));

        nsems = sma->sem_nsems;
        sem_getref_and_unlock(sma);

        /* step 2: allocate new undo structure */
        new = kzalloc(sizeof(struct sem_undo) + sizeof(short)*nsems, GFP_KERNEL);
        if (!new) {
                sem_putref(sma);
                return ERR_PTR(-ENOMEM);
        }

        /* step 3: Acquire the lock on semaphore array */
        sem_lock_and_putref(sma);
        if (sma->sem_perm.deleted) {
                sem_unlock(sma);
                kfree(new);
                un = ERR_PTR(-EIDRM);
                goto out;
        }
        spin_lock(&ulp->lock);

        /*
         * step 4: check for races: did someone else allocate the undo struct?
         */
        un = lookup_undo(ulp, semid);
        if (un) {
                kfree(new);
                goto success;
        }
        /* step 5: initialize & link new undo structure */
        new->semadj = (short *) &new[1];
        new->ulp = ulp;
        new->semid = semid;
        assert_spin_locked(&ulp->lock);
        list_add_rcu(&new->list_proc, &ulp->list_proc);
        assert_spin_locked(&sma->sem_perm.lock);
        list_add(&new->list_id, &sma->list_id);
        un = new;

success:
        spin_unlock(&ulp->lock);
        rcu_read_lock();
        sem_unlock(sma);
out:
        return un;
}

SYSCALL_DEFINE4(semtimedop, int, semid, struct sembuf __user *, tsops,
                unsigned, nsops, const struct timespec __user *, timeout)
{
        int error = -EINVAL;
        struct sem_array *sma;
        struct sembuf fast_sops[SEMOPM_FAST];
        struct sembuf* sops = fast_sops, *sop;
        struct sem_undo *un;
        int undos = 0, alter = 0, max;
        struct sem_queue queue;
        unsigned long jiffies_left = 0;
        struct ipc_namespace *ns;

        ns = current->nsproxy->ipc_ns;

        if (nsops < 1 || semid < 0)
                return -EINVAL;
        if (nsops > ns->sc_semopm)
                return -E2BIG;
        if(nsops > SEMOPM_FAST) {
                sops = kmalloc(sizeof(*sops)*nsops,GFP_KERNEL);
                if(sops==NULL)
                        return -ENOMEM;
        }
        if (copy_from_user (sops, tsops, nsops * sizeof(*tsops))) {
                error=-EFAULT;
                goto out_free;
        }
        if (timeout) {
                struct timespec _timeout;
                if (copy_from_user(&_timeout, timeout, sizeof(*timeout))) {
                        error = -EFAULT;
                        goto out_free;
                }
                if (_timeout.tv_sec < 0 || _timeout.tv_nsec < 0 ||
                        _timeout.tv_nsec >= 1000000000L) {
                        error = -EINVAL;
                        goto out_free;
                }
                jiffies_left = timespec_to_jiffies(&_timeout);
        }
        max = 0;
        for (sop = sops; sop < sops + nsops; sop++) {
                if (sop->sem_num >= max)
                        max = sop->sem_num;
                if (sop->sem_flg & SEM_UNDO)
                        undos = 1;
                if (sop->sem_op != 0)
                        alter = 1;
        }

        if (undos) {
                un = find_alloc_undo(ns, semid);
                if (IS_ERR(un)) {
                        error = PTR_ERR(un);
                        goto out_free;
                }
        } else
                un = NULL;

        sma = sem_lock_check(ns, semid);
        if (IS_ERR(sma)) {
                if (un)
                        rcu_read_unlock();
                error = PTR_ERR(sma);
                goto out_free;
        }

        /*
         * semid identifiers are not unique - find_alloc_undo may have
         * allocated an undo structure, it was invalidated by an RMID
         * and now a new array with received the same id. Check and fail.
         * This case can be detected checking un->semid. The existance of
         * "un" itself is guaranteed by rcu.
         */
        error = -EIDRM;
        if (un) {
                if (un->semid == -1) {
                        rcu_read_unlock();
                        goto out_unlock_free;
                } else {
                        /*
                         * rcu lock can be released, "un" cannot disappear:
                         * - sem_lock is acquired, thus IPC_RMID is
                         *   impossible.
                         * - exit_sem is impossible, it always operates on
                         *   current (or a dead task).
                         */

                        rcu_read_unlock();
                }
        }

        error = -EFBIG;
        if (max >= sma->sem_nsems)
                goto out_unlock_free;

        error = -EACCES;
        if (ipcperms(&sma->sem_perm, alter ? S_IWUGO : S_IRUGO))
                goto out_unlock_free;

        error = security_sem_semop(sma, sops, nsops, alter);
        if (error)
                goto out_unlock_free;

        error = try_atomic_semop (sma, sops, nsops, un, task_tgid_vnr(current));
        if (error <= 0) {
                if (alter && error == 0)
                        update_queue(sma, (nsops == 1) ? sops[0].sem_num : -1);

                goto out_unlock_free;
        }

        /* We need to sleep on this operation, so we put the current
         * task into the pending queue and go to sleep.
         */
                
        queue.sops = sops;
        queue.nsops = nsops;
        queue.undo = un;
        queue.pid = task_tgid_vnr(current);
        queue.alter = alter;
        if (alter)
                list_add_tail(&queue.list, &sma->sem_pending);
        else
                list_add(&queue.list, &sma->sem_pending);

        if (nsops == 1) {
                struct sem *curr;
                curr = &sma->sem_base[sops->sem_num];

                if (alter)
                        list_add_tail(&queue.simple_list, &curr->sem_pending);
                else
                        list_add(&queue.simple_list, &curr->sem_pending);
        } else {
                INIT_LIST_HEAD(&queue.simple_list);
                sma->complex_count++;
        }

        queue.status = -EINTR;
        queue.sleeper = current;
        current->state = TASK_INTERRUPTIBLE;
        sem_unlock(sma);

        if (timeout)
                jiffies_left = schedule_timeout(jiffies_left);
        else
                schedule();

        error = queue.status;
        while(unlikely(error == IN_WAKEUP)) {
                cpu_relax();
                error = queue.status;
        }

        if (error != -EINTR) {
                /* fast path: update_queue already obtained all requested
                 * resources */
                goto out_free;
        }

        sma = sem_lock(ns, semid);
        if (IS_ERR(sma)) {
                error = -EIDRM;
                goto out_free;
        }

        /*
         * If queue.status != -EINTR we are woken up by another process
         */
        error = queue.status;
        if (error != -EINTR) {
                goto out_unlock_free;
        }

        /*
         * If an interrupt occurred we have to clean up the queue
         */
        if (timeout && jiffies_left == 0)
                error = -EAGAIN;
        unlink_queue(sma, &queue);

out_unlock_free:
        sem_unlock(sma);
out_free:
        if(sops != fast_sops)
                kfree(sops);
        return error;
}

SYSCALL_DEFINE3(semop, int, semid, struct sembuf __user *, tsops,
                unsigned, nsops)
{
        return sys_semtimedop(semid, tsops, nsops, NULL);
}

/* If CLONE_SYSVSEM is set, establish sharing of SEM_UNDO state between
 * parent and child tasks.
 */

int copy_semundo(unsigned long clone_flags, struct task_struct *tsk)
{
        struct sem_undo_list *undo_list;
        int error;

        if (clone_flags & CLONE_SYSVSEM) {
                error = get_undo_list(&undo_list);
                if (error)
                        return error;
                atomic_inc(&undo_list->refcnt);
                tsk->sysvsem.undo_list = undo_list;
        } else 
                tsk->sysvsem.undo_list = NULL;

        return 0;
}

/*
 * add semadj values to semaphores, free undo structures.
 * undo structures are not freed when semaphore arrays are destroyed
 * so some of them may be out of date.
 * IMPLEMENTATION NOTE: There is some confusion over whether the
 * set of adjustments that needs to be done should be done in an atomic
 * manner or not. That is, if we are attempting to decrement the semval
 * should we queue up and wait until we can do so legally?
 * The original implementation attempted to do this (queue and wait).
 * The current implementation does not do so. The POSIX standard
 * and SVID should be consulted to determine what behavior is mandated.
 */
void exit_sem(struct task_struct *tsk)
{
        struct sem_undo_list *ulp;

        ulp = tsk->sysvsem.undo_list;
        if (!ulp)
                return;
        tsk->sysvsem.undo_list = NULL;

        if (!atomic_dec_and_test(&ulp->refcnt))
                return;

        for (;;) {
                struct sem_array *sma;
                struct sem_undo *un;
                int semid;
                int i;

                rcu_read_lock();
                un = list_entry_rcu(ulp->list_proc.next,
                                    struct sem_undo, list_proc);
                if (&un->list_proc == &ulp->list_proc)
                        semid = -1;
                 else
                        semid = un->semid;
                rcu_read_unlock();

                if (semid == -1)
                        break;

                sma = sem_lock_check(tsk->nsproxy->ipc_ns, un->semid);

                /* exit_sem raced with IPC_RMID, nothing to do */
                if (IS_ERR(sma))
                        continue;

                un = __lookup_undo(ulp, semid);
                if (un == NULL) {
                        /* exit_sem raced with IPC_RMID+semget() that created
                         * exactly the same semid. Nothing to do.
                         */
                        sem_unlock(sma);
                        continue;
                }

                /* remove un from the linked lists */
                assert_spin_locked(&sma->sem_perm.lock);
                list_del(&un->list_id);

                spin_lock(&ulp->lock);
                list_del_rcu(&un->list_proc);
                spin_unlock(&ulp->lock);

                /* perform adjustments registered in un */
                for (i = 0; i < sma->sem_nsems; i++) {
                        struct sem * semaphore = &sma->sem_base[i];
                        if (un->semadj[i]) {
                                semaphore->semval += un->semadj[i];
                                /*
                                 * Range checks of the new semaphore value,
                                 * not defined by sus:
                                 * - Some unices ignore the undo entirely
                                 *   (e.g. HP UX 11i 11.22, Tru64 V5.1)
                                 * - some cap the value (e.g. FreeBSD caps
                                 *   at 0, but doesn't enforce SEMVMX)
                                 *
                                 * Linux caps the semaphore value, both at 0
                                 * and at SEMVMX.
                                 *
                                 *      Manfred <manfred@colorfullife.com>
                                 */
                                if (semaphore->semval < 0)
                                        semaphore->semval = 0;
                                if (semaphore->semval > SEMVMX)
                                        semaphore->semval = SEMVMX;
                                semaphore->sempid = task_tgid_vnr(current);
                        }
                }
                sma->sem_otime = get_seconds();
                /* maybe some queued-up processes were waiting for this */
                update_queue(sma, -1);
                sem_unlock(sma);

                call_rcu(&un->rcu, free_un);
        }
        kfree(ulp);
}

#ifdef CONFIG_PROC_FS
static int sysvipc_sem_proc_show(struct seq_file *s, void *it)
{
        struct sem_array *sma = it;

        return seq_printf(s,
                          "%10d %10d  %4o %10u %5u %5u %5u %5u %10lu %10lu\n",
                          sma->sem_perm.key,
                          sma->sem_perm.id,
                          sma->sem_perm.mode,
                          sma->sem_nsems,
                          sma->sem_perm.uid,
                          sma->sem_perm.gid,
                          sma->sem_perm.cuid,
                          sma->sem_perm.cgid,
                          sma->sem_otime,
                          sma->sem_ctime);
}
#endif