1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * NET4: Implementation of BSD Unix domain sockets.
4 *
5 * Authors: Alan Cox, <alan@lxorguk.ukuu.org.uk>
6 *
7 * Fixes:
8 * Linus Torvalds : Assorted bug cures.
9 * Niibe Yutaka : async I/O support.
10 * Carsten Paeth : PF_UNIX check, address fixes.
11 * Alan Cox : Limit size of allocated blocks.
12 * Alan Cox : Fixed the stupid socketpair bug.
13 * Alan Cox : BSD compatibility fine tuning.
14 * Alan Cox : Fixed a bug in connect when interrupted.
15 * Alan Cox : Sorted out a proper draft version of
16 * file descriptor passing hacked up from
17 * Mike Shaver's work.
18 * Marty Leisner : Fixes to fd passing
19 * Nick Nevin : recvmsg bugfix.
20 * Alan Cox : Started proper garbage collector
21 * Heiko EiBfeldt : Missing verify_area check
22 * Alan Cox : Started POSIXisms
23 * Andreas Schwab : Replace inode by dentry for proper
24 * reference counting
25 * Kirk Petersen : Made this a module
26 * Christoph Rohland : Elegant non-blocking accept/connect algorithm.
27 * Lots of bug fixes.
28 * Alexey Kuznetosv : Repaired (I hope) bugs introduces
29 * by above two patches.
30 * Andrea Arcangeli : If possible we block in connect(2)
31 * if the max backlog of the listen socket
32 * is been reached. This won't break
33 * old apps and it will avoid huge amount
34 * of socks hashed (this for unix_gc()
35 * performances reasons).
36 * Security fix that limits the max
37 * number of socks to 2*max_files and
38 * the number of skb queueable in the
39 * dgram receiver.
40 * Artur Skawina : Hash function optimizations
41 * Alexey Kuznetsov : Full scale SMP. Lot of bugs are introduced 8)
42 * Malcolm Beattie : Set peercred for socketpair
43 * Michal Ostrowski : Module initialization cleanup.
44 * Arnaldo C. Melo : Remove MOD_{INC,DEC}_USE_COUNT,
45 * the core infrastructure is doing that
46 * for all net proto families now (2.5.69+)
47 *
48 * Known differences from reference BSD that was tested:
49 *
50 * [TO FIX]
51 * ECONNREFUSED is not returned from one end of a connected() socket to the
52 * other the moment one end closes.
53 * fstat() doesn't return st_dev=0, and give the blksize as high water mark
54 * and a fake inode identifier (nor the BSD first socket fstat twice bug).
55 * [NOT TO FIX]
56 * accept() returns a path name even if the connecting socket has closed
57 * in the meantime (BSD loses the path and gives up).
58 * accept() returns 0 length path for an unbound connector. BSD returns 16
59 * and a null first byte in the path (but not for gethost/peername - BSD bug ??)
60 * socketpair(...SOCK_RAW..) doesn't panic the kernel.
61 * BSD af_unix apparently has connect forgetting to block properly.
62 * (need to check this with the POSIX spec in detail)
63 *
64 * Differences from 2.0.0-11-... (ANK)
65 * Bug fixes and improvements.
66 * - client shutdown killed server socket.
67 * - removed all useless cli/sti pairs.
68 *
69 * Semantic changes/extensions.
70 * - generic control message passing.
71 * - SCM_CREDENTIALS control message.
72 * - "Abstract" (not FS based) socket bindings.
73 * Abstract names are sequences of bytes (not zero terminated)
74 * started by 0, so that this name space does not intersect
75 * with BSD names.
76 */
77
78 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
79
80 #include <linux/module.h>
81 #include <linux/kernel.h>
82 #include <linux/signal.h>
83 #include <linux/sched/signal.h>
84 #include <linux/errno.h>
85 #include <linux/string.h>
86 #include <linux/stat.h>
87 #include <linux/dcache.h>
88 #include <linux/namei.h>
89 #include <linux/socket.h>
90 #include <linux/un.h>
91 #include <linux/fcntl.h>
92 #include <linux/filter.h>
93 #include <linux/termios.h>
94 #include <linux/sockios.h>
95 #include <linux/net.h>
96 #include <linux/in.h>
97 #include <linux/fs.h>
98 #include <linux/slab.h>
99 #include <linux/uaccess.h>
100 #include <linux/skbuff.h>
101 #include <linux/netdevice.h>
102 #include <net/net_namespace.h>
103 #include <net/sock.h>
104 #include <net/tcp_states.h>
105 #include <net/af_unix.h>
106 #include <linux/proc_fs.h>
107 #include <linux/seq_file.h>
108 #include <net/scm.h>
109 #include <linux/init.h>
110 #include <linux/poll.h>
111 #include <linux/rtnetlink.h>
112 #include <linux/mount.h>
113 #include <net/checksum.h>
114 #include <linux/security.h>
115 #include <linux/splice.h>
116 #include <linux/freezer.h>
117 #include <linux/file.h>
118 #include <linux/btf_ids.h>
119
120 #include "scm.h"
121
122 static atomic_long_t unix_nr_socks;
123 static struct hlist_head bsd_socket_buckets[UNIX_HASH_SIZE / 2];
124 static spinlock_t bsd_socket_locks[UNIX_HASH_SIZE / 2];
125
126 /* SMP locking strategy:
127 * hash table is protected with spinlock.
128 * each socket state is protected by separate spinlock.
129 */
130
unix_unbound_hash(struct sock * sk)131 static unsigned int unix_unbound_hash(struct sock *sk)
132 {
133 unsigned long hash = (unsigned long)sk;
134
135 hash ^= hash >> 16;
136 hash ^= hash >> 8;
137 hash ^= sk->sk_type;
138
139 return hash & UNIX_HASH_MOD;
140 }
141
unix_bsd_hash(struct inode * i)142 static unsigned int unix_bsd_hash(struct inode *i)
143 {
144 return i->i_ino & UNIX_HASH_MOD;
145 }
146
unix_abstract_hash(struct sockaddr_un * sunaddr,int addr_len,int type)147 static unsigned int unix_abstract_hash(struct sockaddr_un *sunaddr,
148 int addr_len, int type)
149 {
150 __wsum csum = csum_partial(sunaddr, addr_len, 0);
151 unsigned int hash;
152
153 hash = (__force unsigned int)csum_fold(csum);
154 hash ^= hash >> 8;
155 hash ^= type;
156
157 return UNIX_HASH_MOD + 1 + (hash & UNIX_HASH_MOD);
158 }
159
unix_table_double_lock(struct net * net,unsigned int hash1,unsigned int hash2)160 static void unix_table_double_lock(struct net *net,
161 unsigned int hash1, unsigned int hash2)
162 {
163 if (hash1 == hash2) {
164 spin_lock(&net->unx.table.locks[hash1]);
165 return;
166 }
167
168 if (hash1 > hash2)
169 swap(hash1, hash2);
170
171 spin_lock(&net->unx.table.locks[hash1]);
172 spin_lock_nested(&net->unx.table.locks[hash2], SINGLE_DEPTH_NESTING);
173 }
174
unix_table_double_unlock(struct net * net,unsigned int hash1,unsigned int hash2)175 static void unix_table_double_unlock(struct net *net,
176 unsigned int hash1, unsigned int hash2)
177 {
178 if (hash1 == hash2) {
179 spin_unlock(&net->unx.table.locks[hash1]);
180 return;
181 }
182
183 spin_unlock(&net->unx.table.locks[hash1]);
184 spin_unlock(&net->unx.table.locks[hash2]);
185 }
186
187 #ifdef CONFIG_SECURITY_NETWORK
unix_get_secdata(struct scm_cookie * scm,struct sk_buff * skb)188 static void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb)
189 {
190 UNIXCB(skb).secid = scm->secid;
191 }
192
unix_set_secdata(struct scm_cookie * scm,struct sk_buff * skb)193 static inline void unix_set_secdata(struct scm_cookie *scm, struct sk_buff *skb)
194 {
195 scm->secid = UNIXCB(skb).secid;
196 }
197
unix_secdata_eq(struct scm_cookie * scm,struct sk_buff * skb)198 static inline bool unix_secdata_eq(struct scm_cookie *scm, struct sk_buff *skb)
199 {
200 return (scm->secid == UNIXCB(skb).secid);
201 }
202 #else
unix_get_secdata(struct scm_cookie * scm,struct sk_buff * skb)203 static inline void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb)
204 { }
205
unix_set_secdata(struct scm_cookie * scm,struct sk_buff * skb)206 static inline void unix_set_secdata(struct scm_cookie *scm, struct sk_buff *skb)
207 { }
208
unix_secdata_eq(struct scm_cookie * scm,struct sk_buff * skb)209 static inline bool unix_secdata_eq(struct scm_cookie *scm, struct sk_buff *skb)
210 {
211 return true;
212 }
213 #endif /* CONFIG_SECURITY_NETWORK */
214
unix_our_peer(struct sock * sk,struct sock * osk)215 static inline int unix_our_peer(struct sock *sk, struct sock *osk)
216 {
217 return unix_peer(osk) == sk;
218 }
219
unix_may_send(struct sock * sk,struct sock * osk)220 static inline int unix_may_send(struct sock *sk, struct sock *osk)
221 {
222 return unix_peer(osk) == NULL || unix_our_peer(sk, osk);
223 }
224
unix_recvq_full_lockless(const struct sock * sk)225 static inline int unix_recvq_full_lockless(const struct sock *sk)
226 {
227 return skb_queue_len_lockless(&sk->sk_receive_queue) > sk->sk_max_ack_backlog;
228 }
229
unix_peer_get(struct sock * s)230 struct sock *unix_peer_get(struct sock *s)
231 {
232 struct sock *peer;
233
234 unix_state_lock(s);
235 peer = unix_peer(s);
236 if (peer)
237 sock_hold(peer);
238 unix_state_unlock(s);
239 return peer;
240 }
241 EXPORT_SYMBOL_GPL(unix_peer_get);
242
unix_create_addr(struct sockaddr_un * sunaddr,int addr_len)243 static struct unix_address *unix_create_addr(struct sockaddr_un *sunaddr,
244 int addr_len)
245 {
246 struct unix_address *addr;
247
248 addr = kmalloc(sizeof(*addr) + addr_len, GFP_KERNEL);
249 if (!addr)
250 return NULL;
251
252 refcount_set(&addr->refcnt, 1);
253 addr->len = addr_len;
254 memcpy(addr->name, sunaddr, addr_len);
255
256 return addr;
257 }
258
unix_release_addr(struct unix_address * addr)259 static inline void unix_release_addr(struct unix_address *addr)
260 {
261 if (refcount_dec_and_test(&addr->refcnt))
262 kfree(addr);
263 }
264
265 /*
266 * Check unix socket name:
267 * - should be not zero length.
268 * - if started by not zero, should be NULL terminated (FS object)
269 * - if started by zero, it is abstract name.
270 */
271
unix_validate_addr(struct sockaddr_un * sunaddr,int addr_len)272 static int unix_validate_addr(struct sockaddr_un *sunaddr, int addr_len)
273 {
274 if (addr_len <= offsetof(struct sockaddr_un, sun_path) ||
275 addr_len > sizeof(*sunaddr))
276 return -EINVAL;
277
278 if (sunaddr->sun_family != AF_UNIX)
279 return -EINVAL;
280
281 return 0;
282 }
283
unix_mkname_bsd(struct sockaddr_un * sunaddr,int addr_len)284 static int unix_mkname_bsd(struct sockaddr_un *sunaddr, int addr_len)
285 {
286 struct sockaddr_storage *addr = (struct sockaddr_storage *)sunaddr;
287 short offset = offsetof(struct sockaddr_storage, __data);
288
289 BUILD_BUG_ON(offset != offsetof(struct sockaddr_un, sun_path));
290
291 /* This may look like an off by one error but it is a bit more
292 * subtle. 108 is the longest valid AF_UNIX path for a binding.
293 * sun_path[108] doesn't as such exist. However in kernel space
294 * we are guaranteed that it is a valid memory location in our
295 * kernel address buffer because syscall functions always pass
296 * a pointer of struct sockaddr_storage which has a bigger buffer
297 * than 108. Also, we must terminate sun_path for strlen() in
298 * getname_kernel().
299 */
300 addr->__data[addr_len - offset] = 0;
301
302 /* Don't pass sunaddr->sun_path to strlen(). Otherwise, 108 will
303 * cause panic if CONFIG_FORTIFY_SOURCE=y. Let __fortify_strlen()
304 * know the actual buffer.
305 */
306 return strlen(addr->__data) + offset + 1;
307 }
308
__unix_remove_socket(struct sock * sk)309 static void __unix_remove_socket(struct sock *sk)
310 {
311 sk_del_node_init(sk);
312 }
313
__unix_insert_socket(struct net * net,struct sock * sk)314 static void __unix_insert_socket(struct net *net, struct sock *sk)
315 {
316 DEBUG_NET_WARN_ON_ONCE(!sk_unhashed(sk));
317 sk_add_node(sk, &net->unx.table.buckets[sk->sk_hash]);
318 }
319
__unix_set_addr_hash(struct net * net,struct sock * sk,struct unix_address * addr,unsigned int hash)320 static void __unix_set_addr_hash(struct net *net, struct sock *sk,
321 struct unix_address *addr, unsigned int hash)
322 {
323 __unix_remove_socket(sk);
324 smp_store_release(&unix_sk(sk)->addr, addr);
325
326 sk->sk_hash = hash;
327 __unix_insert_socket(net, sk);
328 }
329
unix_remove_socket(struct net * net,struct sock * sk)330 static void unix_remove_socket(struct net *net, struct sock *sk)
331 {
332 spin_lock(&net->unx.table.locks[sk->sk_hash]);
333 __unix_remove_socket(sk);
334 spin_unlock(&net->unx.table.locks[sk->sk_hash]);
335 }
336
unix_insert_unbound_socket(struct net * net,struct sock * sk)337 static void unix_insert_unbound_socket(struct net *net, struct sock *sk)
338 {
339 spin_lock(&net->unx.table.locks[sk->sk_hash]);
340 __unix_insert_socket(net, sk);
341 spin_unlock(&net->unx.table.locks[sk->sk_hash]);
342 }
343
unix_insert_bsd_socket(struct sock * sk)344 static void unix_insert_bsd_socket(struct sock *sk)
345 {
346 spin_lock(&bsd_socket_locks[sk->sk_hash]);
347 sk_add_bind_node(sk, &bsd_socket_buckets[sk->sk_hash]);
348 spin_unlock(&bsd_socket_locks[sk->sk_hash]);
349 }
350
unix_remove_bsd_socket(struct sock * sk)351 static void unix_remove_bsd_socket(struct sock *sk)
352 {
353 if (!hlist_unhashed(&sk->sk_bind_node)) {
354 spin_lock(&bsd_socket_locks[sk->sk_hash]);
355 __sk_del_bind_node(sk);
356 spin_unlock(&bsd_socket_locks[sk->sk_hash]);
357
358 sk_node_init(&sk->sk_bind_node);
359 }
360 }
361
__unix_find_socket_byname(struct net * net,struct sockaddr_un * sunname,int len,unsigned int hash)362 static struct sock *__unix_find_socket_byname(struct net *net,
363 struct sockaddr_un *sunname,
364 int len, unsigned int hash)
365 {
366 struct sock *s;
367
368 sk_for_each(s, &net->unx.table.buckets[hash]) {
369 struct unix_sock *u = unix_sk(s);
370
371 if (u->addr->len == len &&
372 !memcmp(u->addr->name, sunname, len))
373 return s;
374 }
375 return NULL;
376 }
377
unix_find_socket_byname(struct net * net,struct sockaddr_un * sunname,int len,unsigned int hash)378 static inline struct sock *unix_find_socket_byname(struct net *net,
379 struct sockaddr_un *sunname,
380 int len, unsigned int hash)
381 {
382 struct sock *s;
383
384 spin_lock(&net->unx.table.locks[hash]);
385 s = __unix_find_socket_byname(net, sunname, len, hash);
386 if (s)
387 sock_hold(s);
388 spin_unlock(&net->unx.table.locks[hash]);
389 return s;
390 }
391
unix_find_socket_byinode(struct inode * i)392 static struct sock *unix_find_socket_byinode(struct inode *i)
393 {
394 unsigned int hash = unix_bsd_hash(i);
395 struct sock *s;
396
397 spin_lock(&bsd_socket_locks[hash]);
398 sk_for_each_bound(s, &bsd_socket_buckets[hash]) {
399 struct dentry *dentry = unix_sk(s)->path.dentry;
400
401 if (dentry && d_backing_inode(dentry) == i) {
402 sock_hold(s);
403 spin_unlock(&bsd_socket_locks[hash]);
404 return s;
405 }
406 }
407 spin_unlock(&bsd_socket_locks[hash]);
408 return NULL;
409 }
410
411 /* Support code for asymmetrically connected dgram sockets
412 *
413 * If a datagram socket is connected to a socket not itself connected
414 * to the first socket (eg, /dev/log), clients may only enqueue more
415 * messages if the present receive queue of the server socket is not
416 * "too large". This means there's a second writeability condition
417 * poll and sendmsg need to test. The dgram recv code will do a wake
418 * up on the peer_wait wait queue of a socket upon reception of a
419 * datagram which needs to be propagated to sleeping would-be writers
420 * since these might not have sent anything so far. This can't be
421 * accomplished via poll_wait because the lifetime of the server
422 * socket might be less than that of its clients if these break their
423 * association with it or if the server socket is closed while clients
424 * are still connected to it and there's no way to inform "a polling
425 * implementation" that it should let go of a certain wait queue
426 *
427 * In order to propagate a wake up, a wait_queue_entry_t of the client
428 * socket is enqueued on the peer_wait queue of the server socket
429 * whose wake function does a wake_up on the ordinary client socket
430 * wait queue. This connection is established whenever a write (or
431 * poll for write) hit the flow control condition and broken when the
432 * association to the server socket is dissolved or after a wake up
433 * was relayed.
434 */
435
unix_dgram_peer_wake_relay(wait_queue_entry_t * q,unsigned mode,int flags,void * key)436 static int unix_dgram_peer_wake_relay(wait_queue_entry_t *q, unsigned mode, int flags,
437 void *key)
438 {
439 struct unix_sock *u;
440 wait_queue_head_t *u_sleep;
441
442 u = container_of(q, struct unix_sock, peer_wake);
443
444 __remove_wait_queue(&unix_sk(u->peer_wake.private)->peer_wait,
445 q);
446 u->peer_wake.private = NULL;
447
448 /* relaying can only happen while the wq still exists */
449 u_sleep = sk_sleep(&u->sk);
450 if (u_sleep)
451 wake_up_interruptible_poll(u_sleep, key_to_poll(key));
452
453 return 0;
454 }
455
unix_dgram_peer_wake_connect(struct sock * sk,struct sock * other)456 static int unix_dgram_peer_wake_connect(struct sock *sk, struct sock *other)
457 {
458 struct unix_sock *u, *u_other;
459 int rc;
460
461 u = unix_sk(sk);
462 u_other = unix_sk(other);
463 rc = 0;
464 spin_lock(&u_other->peer_wait.lock);
465
466 if (!u->peer_wake.private) {
467 u->peer_wake.private = other;
468 __add_wait_queue(&u_other->peer_wait, &u->peer_wake);
469
470 rc = 1;
471 }
472
473 spin_unlock(&u_other->peer_wait.lock);
474 return rc;
475 }
476
unix_dgram_peer_wake_disconnect(struct sock * sk,struct sock * other)477 static void unix_dgram_peer_wake_disconnect(struct sock *sk,
478 struct sock *other)
479 {
480 struct unix_sock *u, *u_other;
481
482 u = unix_sk(sk);
483 u_other = unix_sk(other);
484 spin_lock(&u_other->peer_wait.lock);
485
486 if (u->peer_wake.private == other) {
487 __remove_wait_queue(&u_other->peer_wait, &u->peer_wake);
488 u->peer_wake.private = NULL;
489 }
490
491 spin_unlock(&u_other->peer_wait.lock);
492 }
493
unix_dgram_peer_wake_disconnect_wakeup(struct sock * sk,struct sock * other)494 static void unix_dgram_peer_wake_disconnect_wakeup(struct sock *sk,
495 struct sock *other)
496 {
497 unix_dgram_peer_wake_disconnect(sk, other);
498 wake_up_interruptible_poll(sk_sleep(sk),
499 EPOLLOUT |
500 EPOLLWRNORM |
501 EPOLLWRBAND);
502 }
503
504 /* preconditions:
505 * - unix_peer(sk) == other
506 * - association is stable
507 */
unix_dgram_peer_wake_me(struct sock * sk,struct sock * other)508 static int unix_dgram_peer_wake_me(struct sock *sk, struct sock *other)
509 {
510 int connected;
511
512 connected = unix_dgram_peer_wake_connect(sk, other);
513
514 /* If other is SOCK_DEAD, we want to make sure we signal
515 * POLLOUT, such that a subsequent write() can get a
516 * -ECONNREFUSED. Otherwise, if we haven't queued any skbs
517 * to other and its full, we will hang waiting for POLLOUT.
518 */
519 if (unix_recvq_full_lockless(other) && !sock_flag(other, SOCK_DEAD))
520 return 1;
521
522 if (connected)
523 unix_dgram_peer_wake_disconnect(sk, other);
524
525 return 0;
526 }
527
unix_writable(const struct sock * sk,unsigned char state)528 static int unix_writable(const struct sock *sk, unsigned char state)
529 {
530 return state != TCP_LISTEN &&
531 (refcount_read(&sk->sk_wmem_alloc) << 2) <= READ_ONCE(sk->sk_sndbuf);
532 }
533
unix_write_space(struct sock * sk)534 static void unix_write_space(struct sock *sk)
535 {
536 struct socket_wq *wq;
537
538 rcu_read_lock();
539 if (unix_writable(sk, READ_ONCE(sk->sk_state))) {
540 wq = rcu_dereference(sk->sk_wq);
541 if (skwq_has_sleeper(wq))
542 wake_up_interruptible_sync_poll(&wq->wait,
543 EPOLLOUT | EPOLLWRNORM | EPOLLWRBAND);
544 sk_wake_async(sk, SOCK_WAKE_SPACE, POLL_OUT);
545 }
546 rcu_read_unlock();
547 }
548
549 /* When dgram socket disconnects (or changes its peer), we clear its receive
550 * queue of packets arrived from previous peer. First, it allows to do
551 * flow control based only on wmem_alloc; second, sk connected to peer
552 * may receive messages only from that peer. */
unix_dgram_disconnected(struct sock * sk,struct sock * other)553 static void unix_dgram_disconnected(struct sock *sk, struct sock *other)
554 {
555 if (!skb_queue_empty(&sk->sk_receive_queue)) {
556 skb_queue_purge(&sk->sk_receive_queue);
557 wake_up_interruptible_all(&unix_sk(sk)->peer_wait);
558
559 /* If one link of bidirectional dgram pipe is disconnected,
560 * we signal error. Messages are lost. Do not make this,
561 * when peer was not connected to us.
562 */
563 if (!sock_flag(other, SOCK_DEAD) && unix_peer(other) == sk) {
564 WRITE_ONCE(other->sk_err, ECONNRESET);
565 sk_error_report(other);
566 }
567 }
568 }
569
unix_sock_destructor(struct sock * sk)570 static void unix_sock_destructor(struct sock *sk)
571 {
572 struct unix_sock *u = unix_sk(sk);
573
574 skb_queue_purge(&sk->sk_receive_queue);
575
576 DEBUG_NET_WARN_ON_ONCE(refcount_read(&sk->sk_wmem_alloc));
577 DEBUG_NET_WARN_ON_ONCE(!sk_unhashed(sk));
578 DEBUG_NET_WARN_ON_ONCE(sk->sk_socket);
579 if (!sock_flag(sk, SOCK_DEAD)) {
580 pr_info("Attempt to release alive unix socket: %p\n", sk);
581 return;
582 }
583
584 if (u->addr)
585 unix_release_addr(u->addr);
586
587 atomic_long_dec(&unix_nr_socks);
588 sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
589 #ifdef UNIX_REFCNT_DEBUG
590 pr_debug("UNIX %p is destroyed, %ld are still alive.\n", sk,
591 atomic_long_read(&unix_nr_socks));
592 #endif
593 }
594
unix_release_sock(struct sock * sk,int embrion)595 static void unix_release_sock(struct sock *sk, int embrion)
596 {
597 struct unix_sock *u = unix_sk(sk);
598 struct sock *skpair;
599 struct sk_buff *skb;
600 struct path path;
601 int state;
602
603 unix_remove_socket(sock_net(sk), sk);
604 unix_remove_bsd_socket(sk);
605
606 /* Clear state */
607 unix_state_lock(sk);
608 sock_orphan(sk);
609 WRITE_ONCE(sk->sk_shutdown, SHUTDOWN_MASK);
610 path = u->path;
611 u->path.dentry = NULL;
612 u->path.mnt = NULL;
613 state = sk->sk_state;
614 WRITE_ONCE(sk->sk_state, TCP_CLOSE);
615
616 skpair = unix_peer(sk);
617 unix_peer(sk) = NULL;
618
619 unix_state_unlock(sk);
620
621 #if IS_ENABLED(CONFIG_AF_UNIX_OOB)
622 if (u->oob_skb) {
623 kfree_skb(u->oob_skb);
624 u->oob_skb = NULL;
625 }
626 #endif
627
628 wake_up_interruptible_all(&u->peer_wait);
629
630 if (skpair != NULL) {
631 if (sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET) {
632 unix_state_lock(skpair);
633 /* No more writes */
634 WRITE_ONCE(skpair->sk_shutdown, SHUTDOWN_MASK);
635 if (!skb_queue_empty_lockless(&sk->sk_receive_queue) || embrion)
636 WRITE_ONCE(skpair->sk_err, ECONNRESET);
637 unix_state_unlock(skpair);
638 skpair->sk_state_change(skpair);
639 sk_wake_async(skpair, SOCK_WAKE_WAITD, POLL_HUP);
640 }
641
642 unix_dgram_peer_wake_disconnect(sk, skpair);
643 sock_put(skpair); /* It may now die */
644 }
645
646 /* Try to flush out this socket. Throw out buffers at least */
647
648 while ((skb = skb_dequeue(&sk->sk_receive_queue)) != NULL) {
649 if (state == TCP_LISTEN)
650 unix_release_sock(skb->sk, 1);
651 /* passed fds are erased in the kfree_skb hook */
652 UNIXCB(skb).consumed = skb->len;
653 kfree_skb(skb);
654 }
655
656 if (path.dentry)
657 path_put(&path);
658
659 sock_put(sk);
660
661 /* ---- Socket is dead now and most probably destroyed ---- */
662
663 /*
664 * Fixme: BSD difference: In BSD all sockets connected to us get
665 * ECONNRESET and we die on the spot. In Linux we behave
666 * like files and pipes do and wait for the last
667 * dereference.
668 *
669 * Can't we simply set sock->err?
670 *
671 * What the above comment does talk about? --ANK(980817)
672 */
673
674 if (READ_ONCE(unix_tot_inflight))
675 unix_gc(); /* Garbage collect fds */
676 }
677
init_peercred(struct sock * sk)678 static void init_peercred(struct sock *sk)
679 {
680 const struct cred *old_cred;
681 struct pid *old_pid;
682
683 spin_lock(&sk->sk_peer_lock);
684 old_pid = sk->sk_peer_pid;
685 old_cred = sk->sk_peer_cred;
686 sk->sk_peer_pid = get_pid(task_tgid(current));
687 sk->sk_peer_cred = get_current_cred();
688 spin_unlock(&sk->sk_peer_lock);
689
690 put_pid(old_pid);
691 put_cred(old_cred);
692 }
693
copy_peercred(struct sock * sk,struct sock * peersk)694 static void copy_peercred(struct sock *sk, struct sock *peersk)
695 {
696 if (sk < peersk) {
697 spin_lock(&sk->sk_peer_lock);
698 spin_lock_nested(&peersk->sk_peer_lock, SINGLE_DEPTH_NESTING);
699 } else {
700 spin_lock(&peersk->sk_peer_lock);
701 spin_lock_nested(&sk->sk_peer_lock, SINGLE_DEPTH_NESTING);
702 }
703
704 sk->sk_peer_pid = get_pid(peersk->sk_peer_pid);
705 sk->sk_peer_cred = get_cred(peersk->sk_peer_cred);
706
707 spin_unlock(&sk->sk_peer_lock);
708 spin_unlock(&peersk->sk_peer_lock);
709 }
710
unix_listen(struct socket * sock,int backlog)711 static int unix_listen(struct socket *sock, int backlog)
712 {
713 int err;
714 struct sock *sk = sock->sk;
715 struct unix_sock *u = unix_sk(sk);
716
717 err = -EOPNOTSUPP;
718 if (sock->type != SOCK_STREAM && sock->type != SOCK_SEQPACKET)
719 goto out; /* Only stream/seqpacket sockets accept */
720 err = -EINVAL;
721 if (!READ_ONCE(u->addr))
722 goto out; /* No listens on an unbound socket */
723 unix_state_lock(sk);
724 if (sk->sk_state != TCP_CLOSE && sk->sk_state != TCP_LISTEN)
725 goto out_unlock;
726 if (backlog > sk->sk_max_ack_backlog)
727 wake_up_interruptible_all(&u->peer_wait);
728 sk->sk_max_ack_backlog = backlog;
729 WRITE_ONCE(sk->sk_state, TCP_LISTEN);
730
731 /* set credentials so connect can copy them */
732 init_peercred(sk);
733 err = 0;
734
735 out_unlock:
736 unix_state_unlock(sk);
737 out:
738 return err;
739 }
740
741 static int unix_release(struct socket *);
742 static int unix_bind(struct socket *, struct sockaddr *, int);
743 static int unix_stream_connect(struct socket *, struct sockaddr *,
744 int addr_len, int flags);
745 static int unix_socketpair(struct socket *, struct socket *);
746 static int unix_accept(struct socket *, struct socket *, int, bool);
747 static int unix_getname(struct socket *, struct sockaddr *, int);
748 static __poll_t unix_poll(struct file *, struct socket *, poll_table *);
749 static __poll_t unix_dgram_poll(struct file *, struct socket *,
750 poll_table *);
751 static int unix_ioctl(struct socket *, unsigned int, unsigned long);
752 #ifdef CONFIG_COMPAT
753 static int unix_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg);
754 #endif
755 static int unix_shutdown(struct socket *, int);
756 static int unix_stream_sendmsg(struct socket *, struct msghdr *, size_t);
757 static int unix_stream_recvmsg(struct socket *, struct msghdr *, size_t, int);
758 static ssize_t unix_stream_splice_read(struct socket *, loff_t *ppos,
759 struct pipe_inode_info *, size_t size,
760 unsigned int flags);
761 static int unix_dgram_sendmsg(struct socket *, struct msghdr *, size_t);
762 static int unix_dgram_recvmsg(struct socket *, struct msghdr *, size_t, int);
763 static int unix_read_skb(struct sock *sk, skb_read_actor_t recv_actor);
764 static int unix_stream_read_skb(struct sock *sk, skb_read_actor_t recv_actor);
765 static int unix_dgram_connect(struct socket *, struct sockaddr *,
766 int, int);
767 static int unix_seqpacket_sendmsg(struct socket *, struct msghdr *, size_t);
768 static int unix_seqpacket_recvmsg(struct socket *, struct msghdr *, size_t,
769 int);
770
unix_set_peek_off(struct sock * sk,int val)771 static int unix_set_peek_off(struct sock *sk, int val)
772 {
773 struct unix_sock *u = unix_sk(sk);
774
775 if (mutex_lock_interruptible(&u->iolock))
776 return -EINTR;
777
778 WRITE_ONCE(sk->sk_peek_off, val);
779 mutex_unlock(&u->iolock);
780
781 return 0;
782 }
783
784 #ifdef CONFIG_PROC_FS
unix_count_nr_fds(struct sock * sk)785 static int unix_count_nr_fds(struct sock *sk)
786 {
787 struct sk_buff *skb;
788 struct unix_sock *u;
789 int nr_fds = 0;
790
791 spin_lock(&sk->sk_receive_queue.lock);
792 skb = skb_peek(&sk->sk_receive_queue);
793 while (skb) {
794 u = unix_sk(skb->sk);
795 nr_fds += atomic_read(&u->scm_stat.nr_fds);
796 skb = skb_peek_next(skb, &sk->sk_receive_queue);
797 }
798 spin_unlock(&sk->sk_receive_queue.lock);
799
800 return nr_fds;
801 }
802
unix_show_fdinfo(struct seq_file * m,struct socket * sock)803 static void unix_show_fdinfo(struct seq_file *m, struct socket *sock)
804 {
805 struct sock *sk = sock->sk;
806 unsigned char s_state;
807 struct unix_sock *u;
808 int nr_fds = 0;
809
810 if (sk) {
811 s_state = READ_ONCE(sk->sk_state);
812 u = unix_sk(sk);
813
814 /* SOCK_STREAM and SOCK_SEQPACKET sockets never change their
815 * sk_state after switching to TCP_ESTABLISHED or TCP_LISTEN.
816 * SOCK_DGRAM is ordinary. So, no lock is needed.
817 */
818 if (sock->type == SOCK_DGRAM || s_state == TCP_ESTABLISHED)
819 nr_fds = atomic_read(&u->scm_stat.nr_fds);
820 else if (s_state == TCP_LISTEN)
821 nr_fds = unix_count_nr_fds(sk);
822
823 seq_printf(m, "scm_fds: %u\n", nr_fds);
824 }
825 }
826 #else
827 #define unix_show_fdinfo NULL
828 #endif
829
830 static const struct proto_ops unix_stream_ops = {
831 .family = PF_UNIX,
832 .owner = THIS_MODULE,
833 .release = unix_release,
834 .bind = unix_bind,
835 .connect = unix_stream_connect,
836 .socketpair = unix_socketpair,
837 .accept = unix_accept,
838 .getname = unix_getname,
839 .poll = unix_poll,
840 .ioctl = unix_ioctl,
841 #ifdef CONFIG_COMPAT
842 .compat_ioctl = unix_compat_ioctl,
843 #endif
844 .listen = unix_listen,
845 .shutdown = unix_shutdown,
846 .sendmsg = unix_stream_sendmsg,
847 .recvmsg = unix_stream_recvmsg,
848 .read_skb = unix_stream_read_skb,
849 .mmap = sock_no_mmap,
850 .splice_read = unix_stream_splice_read,
851 .set_peek_off = unix_set_peek_off,
852 .show_fdinfo = unix_show_fdinfo,
853 };
854
855 static const struct proto_ops unix_dgram_ops = {
856 .family = PF_UNIX,
857 .owner = THIS_MODULE,
858 .release = unix_release,
859 .bind = unix_bind,
860 .connect = unix_dgram_connect,
861 .socketpair = unix_socketpair,
862 .accept = sock_no_accept,
863 .getname = unix_getname,
864 .poll = unix_dgram_poll,
865 .ioctl = unix_ioctl,
866 #ifdef CONFIG_COMPAT
867 .compat_ioctl = unix_compat_ioctl,
868 #endif
869 .listen = sock_no_listen,
870 .shutdown = unix_shutdown,
871 .sendmsg = unix_dgram_sendmsg,
872 .read_skb = unix_read_skb,
873 .recvmsg = unix_dgram_recvmsg,
874 .mmap = sock_no_mmap,
875 .set_peek_off = unix_set_peek_off,
876 .show_fdinfo = unix_show_fdinfo,
877 };
878
879 static const struct proto_ops unix_seqpacket_ops = {
880 .family = PF_UNIX,
881 .owner = THIS_MODULE,
882 .release = unix_release,
883 .bind = unix_bind,
884 .connect = unix_stream_connect,
885 .socketpair = unix_socketpair,
886 .accept = unix_accept,
887 .getname = unix_getname,
888 .poll = unix_dgram_poll,
889 .ioctl = unix_ioctl,
890 #ifdef CONFIG_COMPAT
891 .compat_ioctl = unix_compat_ioctl,
892 #endif
893 .listen = unix_listen,
894 .shutdown = unix_shutdown,
895 .sendmsg = unix_seqpacket_sendmsg,
896 .recvmsg = unix_seqpacket_recvmsg,
897 .mmap = sock_no_mmap,
898 .set_peek_off = unix_set_peek_off,
899 .show_fdinfo = unix_show_fdinfo,
900 };
901
unix_close(struct sock * sk,long timeout)902 static void unix_close(struct sock *sk, long timeout)
903 {
904 /* Nothing to do here, unix socket does not need a ->close().
905 * This is merely for sockmap.
906 */
907 }
908
unix_unhash(struct sock * sk)909 static void unix_unhash(struct sock *sk)
910 {
911 /* Nothing to do here, unix socket does not need a ->unhash().
912 * This is merely for sockmap.
913 */
914 }
915
unix_bpf_bypass_getsockopt(int level,int optname)916 static bool unix_bpf_bypass_getsockopt(int level, int optname)
917 {
918 if (level == SOL_SOCKET) {
919 switch (optname) {
920 case SO_PEERPIDFD:
921 return true;
922 default:
923 return false;
924 }
925 }
926
927 return false;
928 }
929
930 struct proto unix_dgram_proto = {
931 .name = "UNIX",
932 .owner = THIS_MODULE,
933 .obj_size = sizeof(struct unix_sock),
934 .close = unix_close,
935 .bpf_bypass_getsockopt = unix_bpf_bypass_getsockopt,
936 #ifdef CONFIG_BPF_SYSCALL
937 .psock_update_sk_prot = unix_dgram_bpf_update_proto,
938 #endif
939 };
940
941 struct proto unix_stream_proto = {
942 .name = "UNIX-STREAM",
943 .owner = THIS_MODULE,
944 .obj_size = sizeof(struct unix_sock),
945 .close = unix_close,
946 .unhash = unix_unhash,
947 .bpf_bypass_getsockopt = unix_bpf_bypass_getsockopt,
948 #ifdef CONFIG_BPF_SYSCALL
949 .psock_update_sk_prot = unix_stream_bpf_update_proto,
950 #endif
951 };
952
unix_create1(struct net * net,struct socket * sock,int kern,int type)953 static struct sock *unix_create1(struct net *net, struct socket *sock, int kern, int type)
954 {
955 struct unix_sock *u;
956 struct sock *sk;
957 int err;
958
959 atomic_long_inc(&unix_nr_socks);
960 if (atomic_long_read(&unix_nr_socks) > 2 * get_max_files()) {
961 err = -ENFILE;
962 goto err;
963 }
964
965 if (type == SOCK_STREAM)
966 sk = sk_alloc(net, PF_UNIX, GFP_KERNEL, &unix_stream_proto, kern);
967 else /*dgram and seqpacket */
968 sk = sk_alloc(net, PF_UNIX, GFP_KERNEL, &unix_dgram_proto, kern);
969
970 if (!sk) {
971 err = -ENOMEM;
972 goto err;
973 }
974
975 sock_init_data(sock, sk);
976
977 sk->sk_hash = unix_unbound_hash(sk);
978 sk->sk_allocation = GFP_KERNEL_ACCOUNT;
979 sk->sk_write_space = unix_write_space;
980 sk->sk_max_ack_backlog = READ_ONCE(net->unx.sysctl_max_dgram_qlen);
981 sk->sk_destruct = unix_sock_destructor;
982 u = unix_sk(sk);
983 u->inflight = 0;
984 u->path.dentry = NULL;
985 u->path.mnt = NULL;
986 spin_lock_init(&u->lock);
987 INIT_LIST_HEAD(&u->link);
988 mutex_init(&u->iolock); /* single task reading lock */
989 mutex_init(&u->bindlock); /* single task binding lock */
990 init_waitqueue_head(&u->peer_wait);
991 init_waitqueue_func_entry(&u->peer_wake, unix_dgram_peer_wake_relay);
992 memset(&u->scm_stat, 0, sizeof(struct scm_stat));
993 unix_insert_unbound_socket(net, sk);
994
995 sock_prot_inuse_add(net, sk->sk_prot, 1);
996
997 return sk;
998
999 err:
1000 atomic_long_dec(&unix_nr_socks);
1001 return ERR_PTR(err);
1002 }
1003
unix_create(struct net * net,struct socket * sock,int protocol,int kern)1004 static int unix_create(struct net *net, struct socket *sock, int protocol,
1005 int kern)
1006 {
1007 struct sock *sk;
1008
1009 if (protocol && protocol != PF_UNIX)
1010 return -EPROTONOSUPPORT;
1011
1012 sock->state = SS_UNCONNECTED;
1013
1014 switch (sock->type) {
1015 case SOCK_STREAM:
1016 sock->ops = &unix_stream_ops;
1017 break;
1018 /*
1019 * Believe it or not BSD has AF_UNIX, SOCK_RAW though
1020 * nothing uses it.
1021 */
1022 case SOCK_RAW:
1023 sock->type = SOCK_DGRAM;
1024 fallthrough;
1025 case SOCK_DGRAM:
1026 sock->ops = &unix_dgram_ops;
1027 break;
1028 case SOCK_SEQPACKET:
1029 sock->ops = &unix_seqpacket_ops;
1030 break;
1031 default:
1032 return -ESOCKTNOSUPPORT;
1033 }
1034
1035 sk = unix_create1(net, sock, kern, sock->type);
1036 if (IS_ERR(sk))
1037 return PTR_ERR(sk);
1038
1039 return 0;
1040 }
1041
unix_release(struct socket * sock)1042 static int unix_release(struct socket *sock)
1043 {
1044 struct sock *sk = sock->sk;
1045
1046 if (!sk)
1047 return 0;
1048
1049 sk->sk_prot->close(sk, 0);
1050 unix_release_sock(sk, 0);
1051 sock->sk = NULL;
1052
1053 return 0;
1054 }
1055
unix_find_bsd(struct sockaddr_un * sunaddr,int addr_len,int type)1056 static struct sock *unix_find_bsd(struct sockaddr_un *sunaddr, int addr_len,
1057 int type)
1058 {
1059 struct inode *inode;
1060 struct path path;
1061 struct sock *sk;
1062 int err;
1063
1064 unix_mkname_bsd(sunaddr, addr_len);
1065 err = kern_path(sunaddr->sun_path, LOOKUP_FOLLOW, &path);
1066 if (err)
1067 goto fail;
1068
1069 err = path_permission(&path, MAY_WRITE);
1070 if (err)
1071 goto path_put;
1072
1073 err = -ECONNREFUSED;
1074 inode = d_backing_inode(path.dentry);
1075 if (!S_ISSOCK(inode->i_mode))
1076 goto path_put;
1077
1078 sk = unix_find_socket_byinode(inode);
1079 if (!sk)
1080 goto path_put;
1081
1082 err = -EPROTOTYPE;
1083 if (sk->sk_type == type)
1084 touch_atime(&path);
1085 else
1086 goto sock_put;
1087
1088 path_put(&path);
1089
1090 return sk;
1091
1092 sock_put:
1093 sock_put(sk);
1094 path_put:
1095 path_put(&path);
1096 fail:
1097 return ERR_PTR(err);
1098 }
1099
unix_find_abstract(struct net * net,struct sockaddr_un * sunaddr,int addr_len,int type)1100 static struct sock *unix_find_abstract(struct net *net,
1101 struct sockaddr_un *sunaddr,
1102 int addr_len, int type)
1103 {
1104 unsigned int hash = unix_abstract_hash(sunaddr, addr_len, type);
1105 struct dentry *dentry;
1106 struct sock *sk;
1107
1108 sk = unix_find_socket_byname(net, sunaddr, addr_len, hash);
1109 if (!sk)
1110 return ERR_PTR(-ECONNREFUSED);
1111
1112 dentry = unix_sk(sk)->path.dentry;
1113 if (dentry)
1114 touch_atime(&unix_sk(sk)->path);
1115
1116 return sk;
1117 }
1118
unix_find_other(struct net * net,struct sockaddr_un * sunaddr,int addr_len,int type)1119 static struct sock *unix_find_other(struct net *net,
1120 struct sockaddr_un *sunaddr,
1121 int addr_len, int type)
1122 {
1123 struct sock *sk;
1124
1125 if (sunaddr->sun_path[0])
1126 sk = unix_find_bsd(sunaddr, addr_len, type);
1127 else
1128 sk = unix_find_abstract(net, sunaddr, addr_len, type);
1129
1130 return sk;
1131 }
1132
unix_autobind(struct sock * sk)1133 static int unix_autobind(struct sock *sk)
1134 {
1135 struct unix_sock *u = unix_sk(sk);
1136 unsigned int new_hash, old_hash;
1137 struct net *net = sock_net(sk);
1138 struct unix_address *addr;
1139 u32 lastnum, ordernum;
1140 int err;
1141
1142 err = mutex_lock_interruptible(&u->bindlock);
1143 if (err)
1144 return err;
1145
1146 if (u->addr)
1147 goto out;
1148
1149 err = -ENOMEM;
1150 addr = kzalloc(sizeof(*addr) +
1151 offsetof(struct sockaddr_un, sun_path) + 16, GFP_KERNEL);
1152 if (!addr)
1153 goto out;
1154
1155 addr->len = offsetof(struct sockaddr_un, sun_path) + 6;
1156 addr->name->sun_family = AF_UNIX;
1157 refcount_set(&addr->refcnt, 1);
1158
1159 old_hash = sk->sk_hash;
1160 ordernum = get_random_u32();
1161 lastnum = ordernum & 0xFFFFF;
1162 retry:
1163 ordernum = (ordernum + 1) & 0xFFFFF;
1164 sprintf(addr->name->sun_path + 1, "%05x", ordernum);
1165
1166 new_hash = unix_abstract_hash(addr->name, addr->len, sk->sk_type);
1167 unix_table_double_lock(net, old_hash, new_hash);
1168
1169 if (__unix_find_socket_byname(net, addr->name, addr->len, new_hash)) {
1170 unix_table_double_unlock(net, old_hash, new_hash);
1171
1172 /* __unix_find_socket_byname() may take long time if many names
1173 * are already in use.
1174 */
1175 cond_resched();
1176
1177 if (ordernum == lastnum) {
1178 /* Give up if all names seems to be in use. */
1179 err = -ENOSPC;
1180 unix_release_addr(addr);
1181 goto out;
1182 }
1183
1184 goto retry;
1185 }
1186
1187 __unix_set_addr_hash(net, sk, addr, new_hash);
1188 unix_table_double_unlock(net, old_hash, new_hash);
1189 err = 0;
1190
1191 out: mutex_unlock(&u->bindlock);
1192 return err;
1193 }
1194
unix_bind_bsd(struct sock * sk,struct sockaddr_un * sunaddr,int addr_len)1195 static int unix_bind_bsd(struct sock *sk, struct sockaddr_un *sunaddr,
1196 int addr_len)
1197 {
1198 umode_t mode = S_IFSOCK |
1199 (SOCK_INODE(sk->sk_socket)->i_mode & ~current_umask());
1200 struct unix_sock *u = unix_sk(sk);
1201 unsigned int new_hash, old_hash;
1202 struct net *net = sock_net(sk);
1203 struct mnt_idmap *idmap;
1204 struct unix_address *addr;
1205 struct dentry *dentry;
1206 struct path parent;
1207 int err;
1208
1209 addr_len = unix_mkname_bsd(sunaddr, addr_len);
1210 addr = unix_create_addr(sunaddr, addr_len);
1211 if (!addr)
1212 return -ENOMEM;
1213
1214 /*
1215 * Get the parent directory, calculate the hash for last
1216 * component.
1217 */
1218 dentry = kern_path_create(AT_FDCWD, addr->name->sun_path, &parent, 0);
1219 if (IS_ERR(dentry)) {
1220 err = PTR_ERR(dentry);
1221 goto out;
1222 }
1223
1224 /*
1225 * All right, let's create it.
1226 */
1227 idmap = mnt_idmap(parent.mnt);
1228 err = security_path_mknod(&parent, dentry, mode, 0);
1229 if (!err)
1230 err = vfs_mknod(idmap, d_inode(parent.dentry), dentry, mode, 0);
1231 if (err)
1232 goto out_path;
1233 err = mutex_lock_interruptible(&u->bindlock);
1234 if (err)
1235 goto out_unlink;
1236 if (u->addr)
1237 goto out_unlock;
1238
1239 old_hash = sk->sk_hash;
1240 new_hash = unix_bsd_hash(d_backing_inode(dentry));
1241 unix_table_double_lock(net, old_hash, new_hash);
1242 u->path.mnt = mntget(parent.mnt);
1243 u->path.dentry = dget(dentry);
1244 __unix_set_addr_hash(net, sk, addr, new_hash);
1245 unix_table_double_unlock(net, old_hash, new_hash);
1246 unix_insert_bsd_socket(sk);
1247 mutex_unlock(&u->bindlock);
1248 done_path_create(&parent, dentry);
1249 return 0;
1250
1251 out_unlock:
1252 mutex_unlock(&u->bindlock);
1253 err = -EINVAL;
1254 out_unlink:
1255 /* failed after successful mknod? unlink what we'd created... */
1256 vfs_unlink(idmap, d_inode(parent.dentry), dentry, NULL);
1257 out_path:
1258 done_path_create(&parent, dentry);
1259 out:
1260 unix_release_addr(addr);
1261 return err == -EEXIST ? -EADDRINUSE : err;
1262 }
1263
unix_bind_abstract(struct sock * sk,struct sockaddr_un * sunaddr,int addr_len)1264 static int unix_bind_abstract(struct sock *sk, struct sockaddr_un *sunaddr,
1265 int addr_len)
1266 {
1267 struct unix_sock *u = unix_sk(sk);
1268 unsigned int new_hash, old_hash;
1269 struct net *net = sock_net(sk);
1270 struct unix_address *addr;
1271 int err;
1272
1273 addr = unix_create_addr(sunaddr, addr_len);
1274 if (!addr)
1275 return -ENOMEM;
1276
1277 err = mutex_lock_interruptible(&u->bindlock);
1278 if (err)
1279 goto out;
1280
1281 if (u->addr) {
1282 err = -EINVAL;
1283 goto out_mutex;
1284 }
1285
1286 old_hash = sk->sk_hash;
1287 new_hash = unix_abstract_hash(addr->name, addr->len, sk->sk_type);
1288 unix_table_double_lock(net, old_hash, new_hash);
1289
1290 if (__unix_find_socket_byname(net, addr->name, addr->len, new_hash))
1291 goto out_spin;
1292
1293 __unix_set_addr_hash(net, sk, addr, new_hash);
1294 unix_table_double_unlock(net, old_hash, new_hash);
1295 mutex_unlock(&u->bindlock);
1296 return 0;
1297
1298 out_spin:
1299 unix_table_double_unlock(net, old_hash, new_hash);
1300 err = -EADDRINUSE;
1301 out_mutex:
1302 mutex_unlock(&u->bindlock);
1303 out:
1304 unix_release_addr(addr);
1305 return err;
1306 }
1307
unix_bind(struct socket * sock,struct sockaddr * uaddr,int addr_len)1308 static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
1309 {
1310 struct sockaddr_un *sunaddr = (struct sockaddr_un *)uaddr;
1311 struct sock *sk = sock->sk;
1312 int err;
1313
1314 if (addr_len == offsetof(struct sockaddr_un, sun_path) &&
1315 sunaddr->sun_family == AF_UNIX)
1316 return unix_autobind(sk);
1317
1318 err = unix_validate_addr(sunaddr, addr_len);
1319 if (err)
1320 return err;
1321
1322 if (sunaddr->sun_path[0])
1323 err = unix_bind_bsd(sk, sunaddr, addr_len);
1324 else
1325 err = unix_bind_abstract(sk, sunaddr, addr_len);
1326
1327 return err;
1328 }
1329
unix_state_double_lock(struct sock * sk1,struct sock * sk2)1330 static void unix_state_double_lock(struct sock *sk1, struct sock *sk2)
1331 {
1332 if (unlikely(sk1 == sk2) || !sk2) {
1333 unix_state_lock(sk1);
1334 return;
1335 }
1336 if (sk1 > sk2)
1337 swap(sk1, sk2);
1338
1339 unix_state_lock(sk1);
1340 unix_state_lock_nested(sk2, U_LOCK_SECOND);
1341 }
1342
unix_state_double_unlock(struct sock * sk1,struct sock * sk2)1343 static void unix_state_double_unlock(struct sock *sk1, struct sock *sk2)
1344 {
1345 if (unlikely(sk1 == sk2) || !sk2) {
1346 unix_state_unlock(sk1);
1347 return;
1348 }
1349 unix_state_unlock(sk1);
1350 unix_state_unlock(sk2);
1351 }
1352
unix_dgram_connect(struct socket * sock,struct sockaddr * addr,int alen,int flags)1353 static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr,
1354 int alen, int flags)
1355 {
1356 struct sockaddr_un *sunaddr = (struct sockaddr_un *)addr;
1357 struct sock *sk = sock->sk;
1358 struct sock *other;
1359 int err;
1360
1361 err = -EINVAL;
1362 if (alen < offsetofend(struct sockaddr, sa_family))
1363 goto out;
1364
1365 if (addr->sa_family != AF_UNSPEC) {
1366 err = unix_validate_addr(sunaddr, alen);
1367 if (err)
1368 goto out;
1369
1370 if ((test_bit(SOCK_PASSCRED, &sock->flags) ||
1371 test_bit(SOCK_PASSPIDFD, &sock->flags)) &&
1372 !READ_ONCE(unix_sk(sk)->addr)) {
1373 err = unix_autobind(sk);
1374 if (err)
1375 goto out;
1376 }
1377
1378 restart:
1379 other = unix_find_other(sock_net(sk), sunaddr, alen, sock->type);
1380 if (IS_ERR(other)) {
1381 err = PTR_ERR(other);
1382 goto out;
1383 }
1384
1385 unix_state_double_lock(sk, other);
1386
1387 /* Apparently VFS overslept socket death. Retry. */
1388 if (sock_flag(other, SOCK_DEAD)) {
1389 unix_state_double_unlock(sk, other);
1390 sock_put(other);
1391 goto restart;
1392 }
1393
1394 err = -EPERM;
1395 if (!unix_may_send(sk, other))
1396 goto out_unlock;
1397
1398 err = security_unix_may_send(sk->sk_socket, other->sk_socket);
1399 if (err)
1400 goto out_unlock;
1401
1402 WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED);
1403 WRITE_ONCE(other->sk_state, TCP_ESTABLISHED);
1404 } else {
1405 /*
1406 * 1003.1g breaking connected state with AF_UNSPEC
1407 */
1408 other = NULL;
1409 unix_state_double_lock(sk, other);
1410 }
1411
1412 /*
1413 * If it was connected, reconnect.
1414 */
1415 if (unix_peer(sk)) {
1416 struct sock *old_peer = unix_peer(sk);
1417
1418 unix_peer(sk) = other;
1419 if (!other)
1420 WRITE_ONCE(sk->sk_state, TCP_CLOSE);
1421 unix_dgram_peer_wake_disconnect_wakeup(sk, old_peer);
1422
1423 unix_state_double_unlock(sk, other);
1424
1425 if (other != old_peer) {
1426 unix_dgram_disconnected(sk, old_peer);
1427
1428 unix_state_lock(old_peer);
1429 if (!unix_peer(old_peer))
1430 WRITE_ONCE(old_peer->sk_state, TCP_CLOSE);
1431 unix_state_unlock(old_peer);
1432 }
1433
1434 sock_put(old_peer);
1435 } else {
1436 unix_peer(sk) = other;
1437 unix_state_double_unlock(sk, other);
1438 }
1439
1440 return 0;
1441
1442 out_unlock:
1443 unix_state_double_unlock(sk, other);
1444 sock_put(other);
1445 out:
1446 return err;
1447 }
1448
unix_wait_for_peer(struct sock * other,long timeo)1449 static long unix_wait_for_peer(struct sock *other, long timeo)
1450 __releases(&unix_sk(other)->lock)
1451 {
1452 struct unix_sock *u = unix_sk(other);
1453 int sched;
1454 DEFINE_WAIT(wait);
1455
1456 prepare_to_wait_exclusive(&u->peer_wait, &wait, TASK_INTERRUPTIBLE);
1457
1458 sched = !sock_flag(other, SOCK_DEAD) &&
1459 !(other->sk_shutdown & RCV_SHUTDOWN) &&
1460 unix_recvq_full_lockless(other);
1461
1462 unix_state_unlock(other);
1463
1464 if (sched)
1465 timeo = schedule_timeout(timeo);
1466
1467 finish_wait(&u->peer_wait, &wait);
1468 return timeo;
1469 }
1470
unix_stream_connect(struct socket * sock,struct sockaddr * uaddr,int addr_len,int flags)1471 static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr,
1472 int addr_len, int flags)
1473 {
1474 struct sockaddr_un *sunaddr = (struct sockaddr_un *)uaddr;
1475 struct sock *sk = sock->sk, *newsk = NULL, *other = NULL;
1476 struct unix_sock *u = unix_sk(sk), *newu, *otheru;
1477 struct net *net = sock_net(sk);
1478 struct sk_buff *skb = NULL;
1479 unsigned char state;
1480 long timeo;
1481 int err;
1482
1483 err = unix_validate_addr(sunaddr, addr_len);
1484 if (err)
1485 goto out;
1486
1487 if ((test_bit(SOCK_PASSCRED, &sock->flags) ||
1488 test_bit(SOCK_PASSPIDFD, &sock->flags)) &&
1489 !READ_ONCE(u->addr)) {
1490 err = unix_autobind(sk);
1491 if (err)
1492 goto out;
1493 }
1494
1495 timeo = sock_sndtimeo(sk, flags & O_NONBLOCK);
1496
1497 /* First of all allocate resources.
1498 If we will make it after state is locked,
1499 we will have to recheck all again in any case.
1500 */
1501
1502 /* create new sock for complete connection */
1503 newsk = unix_create1(net, NULL, 0, sock->type);
1504 if (IS_ERR(newsk)) {
1505 err = PTR_ERR(newsk);
1506 newsk = NULL;
1507 goto out;
1508 }
1509
1510 err = -ENOMEM;
1511
1512 /* Allocate skb for sending to listening sock */
1513 skb = sock_wmalloc(newsk, 1, 0, GFP_KERNEL);
1514 if (skb == NULL)
1515 goto out;
1516
1517 restart:
1518 /* Find listening sock. */
1519 other = unix_find_other(net, sunaddr, addr_len, sk->sk_type);
1520 if (IS_ERR(other)) {
1521 err = PTR_ERR(other);
1522 other = NULL;
1523 goto out;
1524 }
1525
1526 unix_state_lock(other);
1527
1528 /* Apparently VFS overslept socket death. Retry. */
1529 if (sock_flag(other, SOCK_DEAD)) {
1530 unix_state_unlock(other);
1531 sock_put(other);
1532 goto restart;
1533 }
1534
1535 err = -ECONNREFUSED;
1536 if (other->sk_state != TCP_LISTEN)
1537 goto out_unlock;
1538 if (other->sk_shutdown & RCV_SHUTDOWN)
1539 goto out_unlock;
1540
1541 if (unix_recvq_full_lockless(other)) {
1542 err = -EAGAIN;
1543 if (!timeo)
1544 goto out_unlock;
1545
1546 timeo = unix_wait_for_peer(other, timeo);
1547
1548 err = sock_intr_errno(timeo);
1549 if (signal_pending(current))
1550 goto out;
1551 sock_put(other);
1552 goto restart;
1553 }
1554
1555 /* self connect and simultaneous connect are eliminated
1556 * by rejecting TCP_LISTEN socket to avoid deadlock.
1557 */
1558 state = READ_ONCE(sk->sk_state);
1559 if (unlikely(state != TCP_CLOSE)) {
1560 err = state == TCP_ESTABLISHED ? -EISCONN : -EINVAL;
1561 goto out_unlock;
1562 }
1563
1564 unix_state_lock_nested(sk, U_LOCK_SECOND);
1565
1566 if (unlikely(sk->sk_state != TCP_CLOSE)) {
1567 err = sk->sk_state == TCP_ESTABLISHED ? -EISCONN : -EINVAL;
1568 unix_state_unlock(sk);
1569 goto out_unlock;
1570 }
1571
1572 err = security_unix_stream_connect(sk, other, newsk);
1573 if (err) {
1574 unix_state_unlock(sk);
1575 goto out_unlock;
1576 }
1577
1578 /* The way is open! Fastly set all the necessary fields... */
1579
1580 sock_hold(sk);
1581 unix_peer(newsk) = sk;
1582 newsk->sk_state = TCP_ESTABLISHED;
1583 newsk->sk_type = sk->sk_type;
1584 init_peercred(newsk);
1585 newu = unix_sk(newsk);
1586 RCU_INIT_POINTER(newsk->sk_wq, &newu->peer_wq);
1587 otheru = unix_sk(other);
1588
1589 /* copy address information from listening to new sock
1590 *
1591 * The contents of *(otheru->addr) and otheru->path
1592 * are seen fully set up here, since we have found
1593 * otheru in hash under its lock. Insertion into the
1594 * hash chain we'd found it in had been done in an
1595 * earlier critical area protected by the chain's lock,
1596 * the same one where we'd set *(otheru->addr) contents,
1597 * as well as otheru->path and otheru->addr itself.
1598 *
1599 * Using smp_store_release() here to set newu->addr
1600 * is enough to make those stores, as well as stores
1601 * to newu->path visible to anyone who gets newu->addr
1602 * by smp_load_acquire(). IOW, the same warranties
1603 * as for unix_sock instances bound in unix_bind() or
1604 * in unix_autobind().
1605 */
1606 if (otheru->path.dentry) {
1607 path_get(&otheru->path);
1608 newu->path = otheru->path;
1609 }
1610 refcount_inc(&otheru->addr->refcnt);
1611 smp_store_release(&newu->addr, otheru->addr);
1612
1613 /* Set credentials */
1614 copy_peercred(sk, other);
1615
1616 sock->state = SS_CONNECTED;
1617 WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED);
1618 sock_hold(newsk);
1619
1620 smp_mb__after_atomic(); /* sock_hold() does an atomic_inc() */
1621 unix_peer(sk) = newsk;
1622
1623 unix_state_unlock(sk);
1624
1625 /* take ten and send info to listening sock */
1626 spin_lock(&other->sk_receive_queue.lock);
1627 __skb_queue_tail(&other->sk_receive_queue, skb);
1628 spin_unlock(&other->sk_receive_queue.lock);
1629 unix_state_unlock(other);
1630 other->sk_data_ready(other);
1631 sock_put(other);
1632 return 0;
1633
1634 out_unlock:
1635 if (other)
1636 unix_state_unlock(other);
1637
1638 out:
1639 kfree_skb(skb);
1640 if (newsk)
1641 unix_release_sock(newsk, 0);
1642 if (other)
1643 sock_put(other);
1644 return err;
1645 }
1646
unix_socketpair(struct socket * socka,struct socket * sockb)1647 static int unix_socketpair(struct socket *socka, struct socket *sockb)
1648 {
1649 struct sock *ska = socka->sk, *skb = sockb->sk;
1650
1651 /* Join our sockets back to back */
1652 sock_hold(ska);
1653 sock_hold(skb);
1654 unix_peer(ska) = skb;
1655 unix_peer(skb) = ska;
1656 init_peercred(ska);
1657 init_peercred(skb);
1658
1659 ska->sk_state = TCP_ESTABLISHED;
1660 skb->sk_state = TCP_ESTABLISHED;
1661 socka->state = SS_CONNECTED;
1662 sockb->state = SS_CONNECTED;
1663 return 0;
1664 }
1665
unix_sock_inherit_flags(const struct socket * old,struct socket * new)1666 static void unix_sock_inherit_flags(const struct socket *old,
1667 struct socket *new)
1668 {
1669 if (test_bit(SOCK_PASSCRED, &old->flags))
1670 set_bit(SOCK_PASSCRED, &new->flags);
1671 if (test_bit(SOCK_PASSPIDFD, &old->flags))
1672 set_bit(SOCK_PASSPIDFD, &new->flags);
1673 if (test_bit(SOCK_PASSSEC, &old->flags))
1674 set_bit(SOCK_PASSSEC, &new->flags);
1675 }
1676
unix_accept(struct socket * sock,struct socket * newsock,int flags,bool kern)1677 static int unix_accept(struct socket *sock, struct socket *newsock, int flags,
1678 bool kern)
1679 {
1680 struct sock *sk = sock->sk;
1681 struct sock *tsk;
1682 struct sk_buff *skb;
1683 int err;
1684
1685 err = -EOPNOTSUPP;
1686 if (sock->type != SOCK_STREAM && sock->type != SOCK_SEQPACKET)
1687 goto out;
1688
1689 err = -EINVAL;
1690 if (READ_ONCE(sk->sk_state) != TCP_LISTEN)
1691 goto out;
1692
1693 /* If socket state is TCP_LISTEN it cannot change (for now...),
1694 * so that no locks are necessary.
1695 */
1696
1697 skb = skb_recv_datagram(sk, (flags & O_NONBLOCK) ? MSG_DONTWAIT : 0,
1698 &err);
1699 if (!skb) {
1700 /* This means receive shutdown. */
1701 if (err == 0)
1702 err = -EINVAL;
1703 goto out;
1704 }
1705
1706 tsk = skb->sk;
1707 skb_free_datagram(sk, skb);
1708 wake_up_interruptible(&unix_sk(sk)->peer_wait);
1709
1710 /* attach accepted sock to socket */
1711 unix_state_lock(tsk);
1712 newsock->state = SS_CONNECTED;
1713 unix_sock_inherit_flags(sock, newsock);
1714 sock_graft(tsk, newsock);
1715 unix_state_unlock(tsk);
1716 return 0;
1717
1718 out:
1719 return err;
1720 }
1721
1722
unix_getname(struct socket * sock,struct sockaddr * uaddr,int peer)1723 static int unix_getname(struct socket *sock, struct sockaddr *uaddr, int peer)
1724 {
1725 struct sock *sk = sock->sk;
1726 struct unix_address *addr;
1727 DECLARE_SOCKADDR(struct sockaddr_un *, sunaddr, uaddr);
1728 int err = 0;
1729
1730 if (peer) {
1731 sk = unix_peer_get(sk);
1732
1733 err = -ENOTCONN;
1734 if (!sk)
1735 goto out;
1736 err = 0;
1737 } else {
1738 sock_hold(sk);
1739 }
1740
1741 addr = smp_load_acquire(&unix_sk(sk)->addr);
1742 if (!addr) {
1743 sunaddr->sun_family = AF_UNIX;
1744 sunaddr->sun_path[0] = 0;
1745 err = offsetof(struct sockaddr_un, sun_path);
1746 } else {
1747 err = addr->len;
1748 memcpy(sunaddr, addr->name, addr->len);
1749 }
1750 sock_put(sk);
1751 out:
1752 return err;
1753 }
1754
unix_peek_fds(struct scm_cookie * scm,struct sk_buff * skb)1755 static void unix_peek_fds(struct scm_cookie *scm, struct sk_buff *skb)
1756 {
1757 scm->fp = scm_fp_dup(UNIXCB(skb).fp);
1758
1759 /*
1760 * Garbage collection of unix sockets starts by selecting a set of
1761 * candidate sockets which have reference only from being in flight
1762 * (total_refs == inflight_refs). This condition is checked once during
1763 * the candidate collection phase, and candidates are marked as such, so
1764 * that non-candidates can later be ignored. While inflight_refs is
1765 * protected by unix_gc_lock, total_refs (file count) is not, hence this
1766 * is an instantaneous decision.
1767 *
1768 * Once a candidate, however, the socket must not be reinstalled into a
1769 * file descriptor while the garbage collection is in progress.
1770 *
1771 * If the above conditions are met, then the directed graph of
1772 * candidates (*) does not change while unix_gc_lock is held.
1773 *
1774 * Any operations that changes the file count through file descriptors
1775 * (dup, close, sendmsg) does not change the graph since candidates are
1776 * not installed in fds.
1777 *
1778 * Dequeing a candidate via recvmsg would install it into an fd, but
1779 * that takes unix_gc_lock to decrement the inflight count, so it's
1780 * serialized with garbage collection.
1781 *
1782 * MSG_PEEK is special in that it does not change the inflight count,
1783 * yet does install the socket into an fd. The following lock/unlock
1784 * pair is to ensure serialization with garbage collection. It must be
1785 * done between incrementing the file count and installing the file into
1786 * an fd.
1787 *
1788 * If garbage collection starts after the barrier provided by the
1789 * lock/unlock, then it will see the elevated refcount and not mark this
1790 * as a candidate. If a garbage collection is already in progress
1791 * before the file count was incremented, then the lock/unlock pair will
1792 * ensure that garbage collection is finished before progressing to
1793 * installing the fd.
1794 *
1795 * (*) A -> B where B is on the queue of A or B is on the queue of C
1796 * which is on the queue of listening socket A.
1797 */
1798 spin_lock(&unix_gc_lock);
1799 spin_unlock(&unix_gc_lock);
1800 }
1801
unix_scm_to_skb(struct scm_cookie * scm,struct sk_buff * skb,bool send_fds)1802 static int unix_scm_to_skb(struct scm_cookie *scm, struct sk_buff *skb, bool send_fds)
1803 {
1804 int err = 0;
1805
1806 UNIXCB(skb).pid = get_pid(scm->pid);
1807 UNIXCB(skb).uid = scm->creds.uid;
1808 UNIXCB(skb).gid = scm->creds.gid;
1809 UNIXCB(skb).fp = NULL;
1810 unix_get_secdata(scm, skb);
1811 if (scm->fp && send_fds)
1812 err = unix_attach_fds(scm, skb);
1813
1814 skb->destructor = unix_destruct_scm;
1815 return err;
1816 }
1817
unix_passcred_enabled(const struct socket * sock,const struct sock * other)1818 static bool unix_passcred_enabled(const struct socket *sock,
1819 const struct sock *other)
1820 {
1821 return test_bit(SOCK_PASSCRED, &sock->flags) ||
1822 test_bit(SOCK_PASSPIDFD, &sock->flags) ||
1823 !other->sk_socket ||
1824 test_bit(SOCK_PASSCRED, &other->sk_socket->flags) ||
1825 test_bit(SOCK_PASSPIDFD, &other->sk_socket->flags);
1826 }
1827
1828 /*
1829 * Some apps rely on write() giving SCM_CREDENTIALS
1830 * We include credentials if source or destination socket
1831 * asserted SOCK_PASSCRED.
1832 */
maybe_add_creds(struct sk_buff * skb,const struct socket * sock,const struct sock * other)1833 static void maybe_add_creds(struct sk_buff *skb, const struct socket *sock,
1834 const struct sock *other)
1835 {
1836 if (UNIXCB(skb).pid)
1837 return;
1838 if (unix_passcred_enabled(sock, other)) {
1839 UNIXCB(skb).pid = get_pid(task_tgid(current));
1840 current_uid_gid(&UNIXCB(skb).uid, &UNIXCB(skb).gid);
1841 }
1842 }
1843
unix_skb_scm_eq(struct sk_buff * skb,struct scm_cookie * scm)1844 static bool unix_skb_scm_eq(struct sk_buff *skb,
1845 struct scm_cookie *scm)
1846 {
1847 return UNIXCB(skb).pid == scm->pid &&
1848 uid_eq(UNIXCB(skb).uid, scm->creds.uid) &&
1849 gid_eq(UNIXCB(skb).gid, scm->creds.gid) &&
1850 unix_secdata_eq(scm, skb);
1851 }
1852
scm_stat_add(struct sock * sk,struct sk_buff * skb)1853 static void scm_stat_add(struct sock *sk, struct sk_buff *skb)
1854 {
1855 struct scm_fp_list *fp = UNIXCB(skb).fp;
1856 struct unix_sock *u = unix_sk(sk);
1857
1858 if (unlikely(fp && fp->count))
1859 atomic_add(fp->count, &u->scm_stat.nr_fds);
1860 }
1861
scm_stat_del(struct sock * sk,struct sk_buff * skb)1862 static void scm_stat_del(struct sock *sk, struct sk_buff *skb)
1863 {
1864 struct scm_fp_list *fp = UNIXCB(skb).fp;
1865 struct unix_sock *u = unix_sk(sk);
1866
1867 if (unlikely(fp && fp->count))
1868 atomic_sub(fp->count, &u->scm_stat.nr_fds);
1869 }
1870
1871 /*
1872 * Send AF_UNIX data.
1873 */
1874
unix_dgram_sendmsg(struct socket * sock,struct msghdr * msg,size_t len)1875 static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg,
1876 size_t len)
1877 {
1878 DECLARE_SOCKADDR(struct sockaddr_un *, sunaddr, msg->msg_name);
1879 struct sock *sk = sock->sk, *other = NULL;
1880 struct unix_sock *u = unix_sk(sk);
1881 struct scm_cookie scm;
1882 struct sk_buff *skb;
1883 int data_len = 0;
1884 int sk_locked;
1885 long timeo;
1886 int err;
1887
1888 wait_for_unix_gc();
1889 err = scm_send(sock, msg, &scm, false);
1890 if (err < 0)
1891 return err;
1892
1893 err = -EOPNOTSUPP;
1894 if (msg->msg_flags&MSG_OOB)
1895 goto out;
1896
1897 if (msg->msg_namelen) {
1898 err = unix_validate_addr(sunaddr, msg->msg_namelen);
1899 if (err)
1900 goto out;
1901 } else {
1902 sunaddr = NULL;
1903 err = -ENOTCONN;
1904 other = unix_peer_get(sk);
1905 if (!other)
1906 goto out;
1907 }
1908
1909 if ((test_bit(SOCK_PASSCRED, &sock->flags) ||
1910 test_bit(SOCK_PASSPIDFD, &sock->flags)) &&
1911 !READ_ONCE(u->addr)) {
1912 err = unix_autobind(sk);
1913 if (err)
1914 goto out;
1915 }
1916
1917 err = -EMSGSIZE;
1918 if (len > READ_ONCE(sk->sk_sndbuf) - 32)
1919 goto out;
1920
1921 if (len > SKB_MAX_ALLOC) {
1922 data_len = min_t(size_t,
1923 len - SKB_MAX_ALLOC,
1924 MAX_SKB_FRAGS * PAGE_SIZE);
1925 data_len = PAGE_ALIGN(data_len);
1926
1927 BUILD_BUG_ON(SKB_MAX_ALLOC < PAGE_SIZE);
1928 }
1929
1930 skb = sock_alloc_send_pskb(sk, len - data_len, data_len,
1931 msg->msg_flags & MSG_DONTWAIT, &err,
1932 PAGE_ALLOC_COSTLY_ORDER);
1933 if (skb == NULL)
1934 goto out;
1935
1936 err = unix_scm_to_skb(&scm, skb, true);
1937 if (err < 0)
1938 goto out_free;
1939
1940 skb_put(skb, len - data_len);
1941 skb->data_len = data_len;
1942 skb->len = len;
1943 err = skb_copy_datagram_from_iter(skb, 0, &msg->msg_iter, len);
1944 if (err)
1945 goto out_free;
1946
1947 timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
1948
1949 restart:
1950 if (!other) {
1951 err = -ECONNRESET;
1952 if (sunaddr == NULL)
1953 goto out_free;
1954
1955 other = unix_find_other(sock_net(sk), sunaddr, msg->msg_namelen,
1956 sk->sk_type);
1957 if (IS_ERR(other)) {
1958 err = PTR_ERR(other);
1959 other = NULL;
1960 goto out_free;
1961 }
1962 }
1963
1964 if (sk_filter(other, skb) < 0) {
1965 /* Toss the packet but do not return any error to the sender */
1966 err = len;
1967 goto out_free;
1968 }
1969
1970 sk_locked = 0;
1971 unix_state_lock(other);
1972 restart_locked:
1973 err = -EPERM;
1974 if (!unix_may_send(sk, other))
1975 goto out_unlock;
1976
1977 if (unlikely(sock_flag(other, SOCK_DEAD))) {
1978 /*
1979 * Check with 1003.1g - what should
1980 * datagram error
1981 */
1982 unix_state_unlock(other);
1983 sock_put(other);
1984
1985 if (!sk_locked)
1986 unix_state_lock(sk);
1987
1988 err = 0;
1989 if (sk->sk_type == SOCK_SEQPACKET) {
1990 /* We are here only when racing with unix_release_sock()
1991 * is clearing @other. Never change state to TCP_CLOSE
1992 * unlike SOCK_DGRAM wants.
1993 */
1994 unix_state_unlock(sk);
1995 err = -EPIPE;
1996 } else if (unix_peer(sk) == other) {
1997 unix_peer(sk) = NULL;
1998 unix_dgram_peer_wake_disconnect_wakeup(sk, other);
1999
2000 WRITE_ONCE(sk->sk_state, TCP_CLOSE);
2001 unix_state_unlock(sk);
2002
2003 unix_dgram_disconnected(sk, other);
2004 sock_put(other);
2005 err = -ECONNREFUSED;
2006 } else {
2007 unix_state_unlock(sk);
2008 }
2009
2010 other = NULL;
2011 if (err)
2012 goto out_free;
2013 goto restart;
2014 }
2015
2016 err = -EPIPE;
2017 if (other->sk_shutdown & RCV_SHUTDOWN)
2018 goto out_unlock;
2019
2020 if (sk->sk_type != SOCK_SEQPACKET) {
2021 err = security_unix_may_send(sk->sk_socket, other->sk_socket);
2022 if (err)
2023 goto out_unlock;
2024 }
2025
2026 /* other == sk && unix_peer(other) != sk if
2027 * - unix_peer(sk) == NULL, destination address bound to sk
2028 * - unix_peer(sk) == sk by time of get but disconnected before lock
2029 */
2030 if (other != sk &&
2031 unlikely(unix_peer(other) != sk &&
2032 unix_recvq_full_lockless(other))) {
2033 if (timeo) {
2034 timeo = unix_wait_for_peer(other, timeo);
2035
2036 err = sock_intr_errno(timeo);
2037 if (signal_pending(current))
2038 goto out_free;
2039
2040 goto restart;
2041 }
2042
2043 if (!sk_locked) {
2044 unix_state_unlock(other);
2045 unix_state_double_lock(sk, other);
2046 }
2047
2048 if (unix_peer(sk) != other ||
2049 unix_dgram_peer_wake_me(sk, other)) {
2050 err = -EAGAIN;
2051 sk_locked = 1;
2052 goto out_unlock;
2053 }
2054
2055 if (!sk_locked) {
2056 sk_locked = 1;
2057 goto restart_locked;
2058 }
2059 }
2060
2061 if (unlikely(sk_locked))
2062 unix_state_unlock(sk);
2063
2064 if (sock_flag(other, SOCK_RCVTSTAMP))
2065 __net_timestamp(skb);
2066 maybe_add_creds(skb, sock, other);
2067 scm_stat_add(other, skb);
2068 skb_queue_tail(&other->sk_receive_queue, skb);
2069 unix_state_unlock(other);
2070 other->sk_data_ready(other);
2071 sock_put(other);
2072 scm_destroy(&scm);
2073 return len;
2074
2075 out_unlock:
2076 if (sk_locked)
2077 unix_state_unlock(sk);
2078 unix_state_unlock(other);
2079 out_free:
2080 kfree_skb(skb);
2081 out:
2082 if (other)
2083 sock_put(other);
2084 scm_destroy(&scm);
2085 return err;
2086 }
2087
2088 /* We use paged skbs for stream sockets, and limit occupancy to 32768
2089 * bytes, and a minimum of a full page.
2090 */
2091 #define UNIX_SKB_FRAGS_SZ (PAGE_SIZE << get_order(32768))
2092
2093 #if IS_ENABLED(CONFIG_AF_UNIX_OOB)
queue_oob(struct socket * sock,struct msghdr * msg,struct sock * other,struct scm_cookie * scm,bool fds_sent)2094 static int queue_oob(struct socket *sock, struct msghdr *msg, struct sock *other,
2095 struct scm_cookie *scm, bool fds_sent)
2096 {
2097 struct unix_sock *ousk = unix_sk(other);
2098 struct sk_buff *skb;
2099 int err = 0;
2100
2101 skb = sock_alloc_send_skb(sock->sk, 1, msg->msg_flags & MSG_DONTWAIT, &err);
2102
2103 if (!skb)
2104 return err;
2105
2106 err = unix_scm_to_skb(scm, skb, !fds_sent);
2107 if (err < 0) {
2108 kfree_skb(skb);
2109 return err;
2110 }
2111 skb_put(skb, 1);
2112 err = skb_copy_datagram_from_iter(skb, 0, &msg->msg_iter, 1);
2113
2114 if (err) {
2115 kfree_skb(skb);
2116 return err;
2117 }
2118
2119 unix_state_lock(other);
2120
2121 if (sock_flag(other, SOCK_DEAD) ||
2122 (other->sk_shutdown & RCV_SHUTDOWN)) {
2123 unix_state_unlock(other);
2124 kfree_skb(skb);
2125 return -EPIPE;
2126 }
2127
2128 maybe_add_creds(skb, sock, other);
2129 skb_get(skb);
2130
2131 scm_stat_add(other, skb);
2132
2133 spin_lock(&other->sk_receive_queue.lock);
2134 if (ousk->oob_skb)
2135 consume_skb(ousk->oob_skb);
2136 WRITE_ONCE(ousk->oob_skb, skb);
2137 __skb_queue_tail(&other->sk_receive_queue, skb);
2138 spin_unlock(&other->sk_receive_queue.lock);
2139
2140 sk_send_sigurg(other);
2141 unix_state_unlock(other);
2142 other->sk_data_ready(other);
2143
2144 return err;
2145 }
2146 #endif
2147
unix_stream_sendmsg(struct socket * sock,struct msghdr * msg,size_t len)2148 static int unix_stream_sendmsg(struct socket *sock, struct msghdr *msg,
2149 size_t len)
2150 {
2151 struct sock *sk = sock->sk;
2152 struct sock *other = NULL;
2153 int err, size;
2154 struct sk_buff *skb;
2155 int sent = 0;
2156 struct scm_cookie scm;
2157 bool fds_sent = false;
2158 int data_len;
2159
2160 wait_for_unix_gc();
2161 err = scm_send(sock, msg, &scm, false);
2162 if (err < 0)
2163 return err;
2164
2165 err = -EOPNOTSUPP;
2166 if (msg->msg_flags & MSG_OOB) {
2167 #if IS_ENABLED(CONFIG_AF_UNIX_OOB)
2168 if (len)
2169 len--;
2170 else
2171 #endif
2172 goto out_err;
2173 }
2174
2175 if (msg->msg_namelen) {
2176 err = READ_ONCE(sk->sk_state) == TCP_ESTABLISHED ? -EISCONN : -EOPNOTSUPP;
2177 goto out_err;
2178 } else {
2179 err = -ENOTCONN;
2180 other = unix_peer(sk);
2181 if (!other)
2182 goto out_err;
2183 }
2184
2185 if (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN)
2186 goto pipe_err;
2187
2188 while (sent < len) {
2189 size = len - sent;
2190
2191 if (unlikely(msg->msg_flags & MSG_SPLICE_PAGES)) {
2192 skb = sock_alloc_send_pskb(sk, 0, 0,
2193 msg->msg_flags & MSG_DONTWAIT,
2194 &err, 0);
2195 } else {
2196 /* Keep two messages in the pipe so it schedules better */
2197 size = min_t(int, size, (READ_ONCE(sk->sk_sndbuf) >> 1) - 64);
2198
2199 /* allow fallback to order-0 allocations */
2200 size = min_t(int, size, SKB_MAX_HEAD(0) + UNIX_SKB_FRAGS_SZ);
2201
2202 data_len = max_t(int, 0, size - SKB_MAX_HEAD(0));
2203
2204 data_len = min_t(size_t, size, PAGE_ALIGN(data_len));
2205
2206 skb = sock_alloc_send_pskb(sk, size - data_len, data_len,
2207 msg->msg_flags & MSG_DONTWAIT, &err,
2208 get_order(UNIX_SKB_FRAGS_SZ));
2209 }
2210 if (!skb)
2211 goto out_err;
2212
2213 /* Only send the fds in the first buffer */
2214 err = unix_scm_to_skb(&scm, skb, !fds_sent);
2215 if (err < 0) {
2216 kfree_skb(skb);
2217 goto out_err;
2218 }
2219 fds_sent = true;
2220
2221 if (unlikely(msg->msg_flags & MSG_SPLICE_PAGES)) {
2222 skb->ip_summed = CHECKSUM_UNNECESSARY;
2223 err = skb_splice_from_iter(skb, &msg->msg_iter, size,
2224 sk->sk_allocation);
2225 if (err < 0) {
2226 kfree_skb(skb);
2227 goto out_err;
2228 }
2229 size = err;
2230 refcount_add(size, &sk->sk_wmem_alloc);
2231 } else {
2232 skb_put(skb, size - data_len);
2233 skb->data_len = data_len;
2234 skb->len = size;
2235 err = skb_copy_datagram_from_iter(skb, 0, &msg->msg_iter, size);
2236 if (err) {
2237 kfree_skb(skb);
2238 goto out_err;
2239 }
2240 }
2241
2242 unix_state_lock(other);
2243
2244 if (sock_flag(other, SOCK_DEAD) ||
2245 (other->sk_shutdown & RCV_SHUTDOWN))
2246 goto pipe_err_free;
2247
2248 maybe_add_creds(skb, sock, other);
2249 scm_stat_add(other, skb);
2250 skb_queue_tail(&other->sk_receive_queue, skb);
2251 unix_state_unlock(other);
2252 other->sk_data_ready(other);
2253 sent += size;
2254 }
2255
2256 #if IS_ENABLED(CONFIG_AF_UNIX_OOB)
2257 if (msg->msg_flags & MSG_OOB) {
2258 err = queue_oob(sock, msg, other, &scm, fds_sent);
2259 if (err)
2260 goto out_err;
2261 sent++;
2262 }
2263 #endif
2264
2265 scm_destroy(&scm);
2266
2267 return sent;
2268
2269 pipe_err_free:
2270 unix_state_unlock(other);
2271 kfree_skb(skb);
2272 pipe_err:
2273 if (sent == 0 && !(msg->msg_flags&MSG_NOSIGNAL))
2274 send_sig(SIGPIPE, current, 0);
2275 err = -EPIPE;
2276 out_err:
2277 scm_destroy(&scm);
2278 return sent ? : err;
2279 }
2280
unix_seqpacket_sendmsg(struct socket * sock,struct msghdr * msg,size_t len)2281 static int unix_seqpacket_sendmsg(struct socket *sock, struct msghdr *msg,
2282 size_t len)
2283 {
2284 int err;
2285 struct sock *sk = sock->sk;
2286
2287 err = sock_error(sk);
2288 if (err)
2289 return err;
2290
2291 if (READ_ONCE(sk->sk_state) != TCP_ESTABLISHED)
2292 return -ENOTCONN;
2293
2294 if (msg->msg_namelen)
2295 msg->msg_namelen = 0;
2296
2297 return unix_dgram_sendmsg(sock, msg, len);
2298 }
2299
unix_seqpacket_recvmsg(struct socket * sock,struct msghdr * msg,size_t size,int flags)2300 static int unix_seqpacket_recvmsg(struct socket *sock, struct msghdr *msg,
2301 size_t size, int flags)
2302 {
2303 struct sock *sk = sock->sk;
2304
2305 if (READ_ONCE(sk->sk_state) != TCP_ESTABLISHED)
2306 return -ENOTCONN;
2307
2308 return unix_dgram_recvmsg(sock, msg, size, flags);
2309 }
2310
unix_copy_addr(struct msghdr * msg,struct sock * sk)2311 static void unix_copy_addr(struct msghdr *msg, struct sock *sk)
2312 {
2313 struct unix_address *addr = smp_load_acquire(&unix_sk(sk)->addr);
2314
2315 if (addr) {
2316 msg->msg_namelen = addr->len;
2317 memcpy(msg->msg_name, addr->name, addr->len);
2318 }
2319 }
2320
__unix_dgram_recvmsg(struct sock * sk,struct msghdr * msg,size_t size,int flags)2321 int __unix_dgram_recvmsg(struct sock *sk, struct msghdr *msg, size_t size,
2322 int flags)
2323 {
2324 struct scm_cookie scm;
2325 struct socket *sock = sk->sk_socket;
2326 struct unix_sock *u = unix_sk(sk);
2327 struct sk_buff *skb, *last;
2328 long timeo;
2329 int skip;
2330 int err;
2331
2332 err = -EOPNOTSUPP;
2333 if (flags&MSG_OOB)
2334 goto out;
2335
2336 timeo = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
2337
2338 do {
2339 mutex_lock(&u->iolock);
2340
2341 skip = sk_peek_offset(sk, flags);
2342 skb = __skb_try_recv_datagram(sk, &sk->sk_receive_queue, flags,
2343 &skip, &err, &last);
2344 if (skb) {
2345 if (!(flags & MSG_PEEK))
2346 scm_stat_del(sk, skb);
2347 break;
2348 }
2349
2350 mutex_unlock(&u->iolock);
2351
2352 if (err != -EAGAIN)
2353 break;
2354 } while (timeo &&
2355 !__skb_wait_for_more_packets(sk, &sk->sk_receive_queue,
2356 &err, &timeo, last));
2357
2358 if (!skb) { /* implies iolock unlocked */
2359 unix_state_lock(sk);
2360 /* Signal EOF on disconnected non-blocking SEQPACKET socket. */
2361 if (sk->sk_type == SOCK_SEQPACKET && err == -EAGAIN &&
2362 (sk->sk_shutdown & RCV_SHUTDOWN))
2363 err = 0;
2364 unix_state_unlock(sk);
2365 goto out;
2366 }
2367
2368 if (wq_has_sleeper(&u->peer_wait))
2369 wake_up_interruptible_sync_poll(&u->peer_wait,
2370 EPOLLOUT | EPOLLWRNORM |
2371 EPOLLWRBAND);
2372
2373 if (msg->msg_name)
2374 unix_copy_addr(msg, skb->sk);
2375
2376 if (size > skb->len - skip)
2377 size = skb->len - skip;
2378 else if (size < skb->len - skip)
2379 msg->msg_flags |= MSG_TRUNC;
2380
2381 err = skb_copy_datagram_msg(skb, skip, msg, size);
2382 if (err)
2383 goto out_free;
2384
2385 if (sock_flag(sk, SOCK_RCVTSTAMP))
2386 __sock_recv_timestamp(msg, sk, skb);
2387
2388 memset(&scm, 0, sizeof(scm));
2389
2390 scm_set_cred(&scm, UNIXCB(skb).pid, UNIXCB(skb).uid, UNIXCB(skb).gid);
2391 unix_set_secdata(&scm, skb);
2392
2393 if (!(flags & MSG_PEEK)) {
2394 if (UNIXCB(skb).fp)
2395 unix_detach_fds(&scm, skb);
2396
2397 sk_peek_offset_bwd(sk, skb->len);
2398 } else {
2399 /* It is questionable: on PEEK we could:
2400 - do not return fds - good, but too simple 8)
2401 - return fds, and do not return them on read (old strategy,
2402 apparently wrong)
2403 - clone fds (I chose it for now, it is the most universal
2404 solution)
2405
2406 POSIX 1003.1g does not actually define this clearly
2407 at all. POSIX 1003.1g doesn't define a lot of things
2408 clearly however!
2409
2410 */
2411
2412 sk_peek_offset_fwd(sk, size);
2413
2414 if (UNIXCB(skb).fp)
2415 unix_peek_fds(&scm, skb);
2416 }
2417 err = (flags & MSG_TRUNC) ? skb->len - skip : size;
2418
2419 scm_recv_unix(sock, msg, &scm, flags);
2420
2421 out_free:
2422 skb_free_datagram(sk, skb);
2423 mutex_unlock(&u->iolock);
2424 out:
2425 return err;
2426 }
2427
unix_dgram_recvmsg(struct socket * sock,struct msghdr * msg,size_t size,int flags)2428 static int unix_dgram_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
2429 int flags)
2430 {
2431 struct sock *sk = sock->sk;
2432
2433 #ifdef CONFIG_BPF_SYSCALL
2434 const struct proto *prot = READ_ONCE(sk->sk_prot);
2435
2436 if (prot != &unix_dgram_proto)
2437 return prot->recvmsg(sk, msg, size, flags, NULL);
2438 #endif
2439 return __unix_dgram_recvmsg(sk, msg, size, flags);
2440 }
2441
unix_read_skb(struct sock * sk,skb_read_actor_t recv_actor)2442 static int unix_read_skb(struct sock *sk, skb_read_actor_t recv_actor)
2443 {
2444 struct unix_sock *u = unix_sk(sk);
2445 struct sk_buff *skb;
2446 int err;
2447
2448 mutex_lock(&u->iolock);
2449 skb = skb_recv_datagram(sk, MSG_DONTWAIT, &err);
2450 mutex_unlock(&u->iolock);
2451 if (!skb)
2452 return err;
2453
2454 return recv_actor(sk, skb);
2455 }
2456
2457 /*
2458 * Sleep until more data has arrived. But check for races..
2459 */
unix_stream_data_wait(struct sock * sk,long timeo,struct sk_buff * last,unsigned int last_len,bool freezable)2460 static long unix_stream_data_wait(struct sock *sk, long timeo,
2461 struct sk_buff *last, unsigned int last_len,
2462 bool freezable)
2463 {
2464 unsigned int state = TASK_INTERRUPTIBLE | freezable * TASK_FREEZABLE;
2465 struct sk_buff *tail;
2466 DEFINE_WAIT(wait);
2467
2468 unix_state_lock(sk);
2469
2470 for (;;) {
2471 prepare_to_wait(sk_sleep(sk), &wait, state);
2472
2473 tail = skb_peek_tail(&sk->sk_receive_queue);
2474 if (tail != last ||
2475 (tail && tail->len != last_len) ||
2476 sk->sk_err ||
2477 (sk->sk_shutdown & RCV_SHUTDOWN) ||
2478 signal_pending(current) ||
2479 !timeo)
2480 break;
2481
2482 sk_set_bit(SOCKWQ_ASYNC_WAITDATA, sk);
2483 unix_state_unlock(sk);
2484 timeo = schedule_timeout(timeo);
2485 unix_state_lock(sk);
2486
2487 if (sock_flag(sk, SOCK_DEAD))
2488 break;
2489
2490 sk_clear_bit(SOCKWQ_ASYNC_WAITDATA, sk);
2491 }
2492
2493 finish_wait(sk_sleep(sk), &wait);
2494 unix_state_unlock(sk);
2495 return timeo;
2496 }
2497
unix_skb_len(const struct sk_buff * skb)2498 static unsigned int unix_skb_len(const struct sk_buff *skb)
2499 {
2500 return skb->len - UNIXCB(skb).consumed;
2501 }
2502
2503 struct unix_stream_read_state {
2504 int (*recv_actor)(struct sk_buff *, int, int,
2505 struct unix_stream_read_state *);
2506 struct socket *socket;
2507 struct msghdr *msg;
2508 struct pipe_inode_info *pipe;
2509 size_t size;
2510 int flags;
2511 unsigned int splice_flags;
2512 };
2513
2514 #if IS_ENABLED(CONFIG_AF_UNIX_OOB)
unix_stream_recv_urg(struct unix_stream_read_state * state)2515 static int unix_stream_recv_urg(struct unix_stream_read_state *state)
2516 {
2517 struct socket *sock = state->socket;
2518 struct sock *sk = sock->sk;
2519 struct unix_sock *u = unix_sk(sk);
2520 int chunk = 1;
2521 struct sk_buff *oob_skb;
2522
2523 mutex_lock(&u->iolock);
2524 unix_state_lock(sk);
2525 spin_lock(&sk->sk_receive_queue.lock);
2526
2527 if (sock_flag(sk, SOCK_URGINLINE) || !u->oob_skb) {
2528 spin_unlock(&sk->sk_receive_queue.lock);
2529 unix_state_unlock(sk);
2530 mutex_unlock(&u->iolock);
2531 return -EINVAL;
2532 }
2533
2534 oob_skb = u->oob_skb;
2535
2536 if (!(state->flags & MSG_PEEK))
2537 WRITE_ONCE(u->oob_skb, NULL);
2538 else
2539 skb_get(oob_skb);
2540
2541 spin_unlock(&sk->sk_receive_queue.lock);
2542 unix_state_unlock(sk);
2543
2544 chunk = state->recv_actor(oob_skb, 0, chunk, state);
2545
2546 if (!(state->flags & MSG_PEEK))
2547 UNIXCB(oob_skb).consumed += 1;
2548
2549 consume_skb(oob_skb);
2550
2551 mutex_unlock(&u->iolock);
2552
2553 if (chunk < 0)
2554 return -EFAULT;
2555
2556 state->msg->msg_flags |= MSG_OOB;
2557 return 1;
2558 }
2559
manage_oob(struct sk_buff * skb,struct sock * sk,int flags,int copied)2560 static struct sk_buff *manage_oob(struct sk_buff *skb, struct sock *sk,
2561 int flags, int copied)
2562 {
2563 struct unix_sock *u = unix_sk(sk);
2564
2565 if (!unix_skb_len(skb) && !(flags & MSG_PEEK)) {
2566 skb_unlink(skb, &sk->sk_receive_queue);
2567 consume_skb(skb);
2568 skb = NULL;
2569 } else {
2570 struct sk_buff *unlinked_skb = NULL;
2571
2572 spin_lock(&sk->sk_receive_queue.lock);
2573
2574 if (skb == u->oob_skb) {
2575 if (copied) {
2576 skb = NULL;
2577 } else if (!(flags & MSG_PEEK)) {
2578 if (sock_flag(sk, SOCK_URGINLINE)) {
2579 WRITE_ONCE(u->oob_skb, NULL);
2580 consume_skb(skb);
2581 } else {
2582 __skb_unlink(skb, &sk->sk_receive_queue);
2583 WRITE_ONCE(u->oob_skb, NULL);
2584 unlinked_skb = skb;
2585 skb = skb_peek(&sk->sk_receive_queue);
2586 }
2587 } else if (!sock_flag(sk, SOCK_URGINLINE)) {
2588 skb = skb_peek_next(skb, &sk->sk_receive_queue);
2589 }
2590 }
2591
2592 spin_unlock(&sk->sk_receive_queue.lock);
2593
2594 if (unlinked_skb) {
2595 WARN_ON_ONCE(skb_unref(unlinked_skb));
2596 kfree_skb(unlinked_skb);
2597 }
2598 }
2599 return skb;
2600 }
2601 #endif
2602
unix_stream_read_skb(struct sock * sk,skb_read_actor_t recv_actor)2603 static int unix_stream_read_skb(struct sock *sk, skb_read_actor_t recv_actor)
2604 {
2605 struct unix_sock *u = unix_sk(sk);
2606 struct sk_buff *skb;
2607 int err;
2608
2609 if (unlikely(READ_ONCE(sk->sk_state) != TCP_ESTABLISHED))
2610 return -ENOTCONN;
2611
2612 mutex_lock(&u->iolock);
2613 skb = skb_recv_datagram(sk, MSG_DONTWAIT, &err);
2614 mutex_unlock(&u->iolock);
2615 if (!skb)
2616 return err;
2617
2618 #if IS_ENABLED(CONFIG_AF_UNIX_OOB)
2619 if (unlikely(skb == READ_ONCE(u->oob_skb))) {
2620 bool drop = false;
2621
2622 unix_state_lock(sk);
2623
2624 if (sock_flag(sk, SOCK_DEAD)) {
2625 unix_state_unlock(sk);
2626 kfree_skb(skb);
2627 return -ECONNRESET;
2628 }
2629
2630 spin_lock(&sk->sk_receive_queue.lock);
2631 if (likely(skb == u->oob_skb)) {
2632 WRITE_ONCE(u->oob_skb, NULL);
2633 drop = true;
2634 }
2635 spin_unlock(&sk->sk_receive_queue.lock);
2636
2637 unix_state_unlock(sk);
2638
2639 if (drop) {
2640 WARN_ON_ONCE(skb_unref(skb));
2641 kfree_skb(skb);
2642 return -EAGAIN;
2643 }
2644 }
2645 #endif
2646
2647 return recv_actor(sk, skb);
2648 }
2649
unix_stream_read_generic(struct unix_stream_read_state * state,bool freezable)2650 static int unix_stream_read_generic(struct unix_stream_read_state *state,
2651 bool freezable)
2652 {
2653 struct scm_cookie scm;
2654 struct socket *sock = state->socket;
2655 struct sock *sk = sock->sk;
2656 struct unix_sock *u = unix_sk(sk);
2657 int copied = 0;
2658 int flags = state->flags;
2659 int noblock = flags & MSG_DONTWAIT;
2660 bool check_creds = false;
2661 int target;
2662 int err = 0;
2663 long timeo;
2664 int skip;
2665 size_t size = state->size;
2666 unsigned int last_len;
2667
2668 if (unlikely(READ_ONCE(sk->sk_state) != TCP_ESTABLISHED)) {
2669 err = -EINVAL;
2670 goto out;
2671 }
2672
2673 if (unlikely(flags & MSG_OOB)) {
2674 err = -EOPNOTSUPP;
2675 #if IS_ENABLED(CONFIG_AF_UNIX_OOB)
2676 err = unix_stream_recv_urg(state);
2677 #endif
2678 goto out;
2679 }
2680
2681 target = sock_rcvlowat(sk, flags & MSG_WAITALL, size);
2682 timeo = sock_rcvtimeo(sk, noblock);
2683
2684 memset(&scm, 0, sizeof(scm));
2685
2686 /* Lock the socket to prevent queue disordering
2687 * while sleeps in memcpy_tomsg
2688 */
2689 mutex_lock(&u->iolock);
2690
2691 skip = max(sk_peek_offset(sk, flags), 0);
2692
2693 do {
2694 int chunk;
2695 bool drop_skb;
2696 struct sk_buff *skb, *last;
2697
2698 redo:
2699 unix_state_lock(sk);
2700 if (sock_flag(sk, SOCK_DEAD)) {
2701 err = -ECONNRESET;
2702 goto unlock;
2703 }
2704 last = skb = skb_peek(&sk->sk_receive_queue);
2705 last_len = last ? last->len : 0;
2706
2707 again:
2708 #if IS_ENABLED(CONFIG_AF_UNIX_OOB)
2709 if (skb) {
2710 skb = manage_oob(skb, sk, flags, copied);
2711 if (!skb && copied) {
2712 unix_state_unlock(sk);
2713 break;
2714 }
2715 }
2716 #endif
2717 if (skb == NULL) {
2718 if (copied >= target)
2719 goto unlock;
2720
2721 /*
2722 * POSIX 1003.1g mandates this order.
2723 */
2724
2725 err = sock_error(sk);
2726 if (err)
2727 goto unlock;
2728 if (sk->sk_shutdown & RCV_SHUTDOWN)
2729 goto unlock;
2730
2731 unix_state_unlock(sk);
2732 if (!timeo) {
2733 err = -EAGAIN;
2734 break;
2735 }
2736
2737 mutex_unlock(&u->iolock);
2738
2739 timeo = unix_stream_data_wait(sk, timeo, last,
2740 last_len, freezable);
2741
2742 if (signal_pending(current)) {
2743 err = sock_intr_errno(timeo);
2744 scm_destroy(&scm);
2745 goto out;
2746 }
2747
2748 mutex_lock(&u->iolock);
2749 goto redo;
2750 unlock:
2751 unix_state_unlock(sk);
2752 break;
2753 }
2754
2755 while (skip >= unix_skb_len(skb)) {
2756 skip -= unix_skb_len(skb);
2757 last = skb;
2758 last_len = skb->len;
2759 skb = skb_peek_next(skb, &sk->sk_receive_queue);
2760 if (!skb)
2761 goto again;
2762 }
2763
2764 unix_state_unlock(sk);
2765
2766 if (check_creds) {
2767 /* Never glue messages from different writers */
2768 if (!unix_skb_scm_eq(skb, &scm))
2769 break;
2770 } else if (test_bit(SOCK_PASSCRED, &sock->flags) ||
2771 test_bit(SOCK_PASSPIDFD, &sock->flags)) {
2772 /* Copy credentials */
2773 scm_set_cred(&scm, UNIXCB(skb).pid, UNIXCB(skb).uid, UNIXCB(skb).gid);
2774 unix_set_secdata(&scm, skb);
2775 check_creds = true;
2776 }
2777
2778 /* Copy address just once */
2779 if (state->msg && state->msg->msg_name) {
2780 DECLARE_SOCKADDR(struct sockaddr_un *, sunaddr,
2781 state->msg->msg_name);
2782 unix_copy_addr(state->msg, skb->sk);
2783 sunaddr = NULL;
2784 }
2785
2786 chunk = min_t(unsigned int, unix_skb_len(skb) - skip, size);
2787 skb_get(skb);
2788 chunk = state->recv_actor(skb, skip, chunk, state);
2789 drop_skb = !unix_skb_len(skb);
2790 /* skb is only safe to use if !drop_skb */
2791 consume_skb(skb);
2792 if (chunk < 0) {
2793 if (copied == 0)
2794 copied = -EFAULT;
2795 break;
2796 }
2797 copied += chunk;
2798 size -= chunk;
2799
2800 if (drop_skb) {
2801 /* the skb was touched by a concurrent reader;
2802 * we should not expect anything from this skb
2803 * anymore and assume it invalid - we can be
2804 * sure it was dropped from the socket queue
2805 *
2806 * let's report a short read
2807 */
2808 err = 0;
2809 break;
2810 }
2811
2812 /* Mark read part of skb as used */
2813 if (!(flags & MSG_PEEK)) {
2814 UNIXCB(skb).consumed += chunk;
2815
2816 sk_peek_offset_bwd(sk, chunk);
2817
2818 if (UNIXCB(skb).fp) {
2819 scm_stat_del(sk, skb);
2820 unix_detach_fds(&scm, skb);
2821 }
2822
2823 if (unix_skb_len(skb))
2824 break;
2825
2826 skb_unlink(skb, &sk->sk_receive_queue);
2827 consume_skb(skb);
2828
2829 if (scm.fp)
2830 break;
2831 } else {
2832 /* It is questionable, see note in unix_dgram_recvmsg.
2833 */
2834 if (UNIXCB(skb).fp)
2835 unix_peek_fds(&scm, skb);
2836
2837 sk_peek_offset_fwd(sk, chunk);
2838
2839 if (UNIXCB(skb).fp)
2840 break;
2841
2842 skip = 0;
2843 last = skb;
2844 last_len = skb->len;
2845 unix_state_lock(sk);
2846 skb = skb_peek_next(skb, &sk->sk_receive_queue);
2847 if (skb)
2848 goto again;
2849 unix_state_unlock(sk);
2850 break;
2851 }
2852 } while (size);
2853
2854 mutex_unlock(&u->iolock);
2855 if (state->msg)
2856 scm_recv_unix(sock, state->msg, &scm, flags);
2857 else
2858 scm_destroy(&scm);
2859 out:
2860 return copied ? : err;
2861 }
2862
unix_stream_read_actor(struct sk_buff * skb,int skip,int chunk,struct unix_stream_read_state * state)2863 static int unix_stream_read_actor(struct sk_buff *skb,
2864 int skip, int chunk,
2865 struct unix_stream_read_state *state)
2866 {
2867 int ret;
2868
2869 ret = skb_copy_datagram_msg(skb, UNIXCB(skb).consumed + skip,
2870 state->msg, chunk);
2871 return ret ?: chunk;
2872 }
2873
__unix_stream_recvmsg(struct sock * sk,struct msghdr * msg,size_t size,int flags)2874 int __unix_stream_recvmsg(struct sock *sk, struct msghdr *msg,
2875 size_t size, int flags)
2876 {
2877 struct unix_stream_read_state state = {
2878 .recv_actor = unix_stream_read_actor,
2879 .socket = sk->sk_socket,
2880 .msg = msg,
2881 .size = size,
2882 .flags = flags
2883 };
2884
2885 return unix_stream_read_generic(&state, true);
2886 }
2887
unix_stream_recvmsg(struct socket * sock,struct msghdr * msg,size_t size,int flags)2888 static int unix_stream_recvmsg(struct socket *sock, struct msghdr *msg,
2889 size_t size, int flags)
2890 {
2891 struct unix_stream_read_state state = {
2892 .recv_actor = unix_stream_read_actor,
2893 .socket = sock,
2894 .msg = msg,
2895 .size = size,
2896 .flags = flags
2897 };
2898
2899 #ifdef CONFIG_BPF_SYSCALL
2900 struct sock *sk = sock->sk;
2901 const struct proto *prot = READ_ONCE(sk->sk_prot);
2902
2903 if (prot != &unix_stream_proto)
2904 return prot->recvmsg(sk, msg, size, flags, NULL);
2905 #endif
2906 return unix_stream_read_generic(&state, true);
2907 }
2908
unix_stream_splice_actor(struct sk_buff * skb,int skip,int chunk,struct unix_stream_read_state * state)2909 static int unix_stream_splice_actor(struct sk_buff *skb,
2910 int skip, int chunk,
2911 struct unix_stream_read_state *state)
2912 {
2913 return skb_splice_bits(skb, state->socket->sk,
2914 UNIXCB(skb).consumed + skip,
2915 state->pipe, chunk, state->splice_flags);
2916 }
2917
unix_stream_splice_read(struct socket * sock,loff_t * ppos,struct pipe_inode_info * pipe,size_t size,unsigned int flags)2918 static ssize_t unix_stream_splice_read(struct socket *sock, loff_t *ppos,
2919 struct pipe_inode_info *pipe,
2920 size_t size, unsigned int flags)
2921 {
2922 struct unix_stream_read_state state = {
2923 .recv_actor = unix_stream_splice_actor,
2924 .socket = sock,
2925 .pipe = pipe,
2926 .size = size,
2927 .splice_flags = flags,
2928 };
2929
2930 if (unlikely(*ppos))
2931 return -ESPIPE;
2932
2933 if (sock->file->f_flags & O_NONBLOCK ||
2934 flags & SPLICE_F_NONBLOCK)
2935 state.flags = MSG_DONTWAIT;
2936
2937 return unix_stream_read_generic(&state, false);
2938 }
2939
unix_shutdown(struct socket * sock,int mode)2940 static int unix_shutdown(struct socket *sock, int mode)
2941 {
2942 struct sock *sk = sock->sk;
2943 struct sock *other;
2944
2945 if (mode < SHUT_RD || mode > SHUT_RDWR)
2946 return -EINVAL;
2947 /* This maps:
2948 * SHUT_RD (0) -> RCV_SHUTDOWN (1)
2949 * SHUT_WR (1) -> SEND_SHUTDOWN (2)
2950 * SHUT_RDWR (2) -> SHUTDOWN_MASK (3)
2951 */
2952 ++mode;
2953
2954 unix_state_lock(sk);
2955 WRITE_ONCE(sk->sk_shutdown, sk->sk_shutdown | mode);
2956 other = unix_peer(sk);
2957 if (other)
2958 sock_hold(other);
2959 unix_state_unlock(sk);
2960 sk->sk_state_change(sk);
2961
2962 if (other &&
2963 (sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET)) {
2964
2965 int peer_mode = 0;
2966 const struct proto *prot = READ_ONCE(other->sk_prot);
2967
2968 if (prot->unhash)
2969 prot->unhash(other);
2970 if (mode&RCV_SHUTDOWN)
2971 peer_mode |= SEND_SHUTDOWN;
2972 if (mode&SEND_SHUTDOWN)
2973 peer_mode |= RCV_SHUTDOWN;
2974 unix_state_lock(other);
2975 WRITE_ONCE(other->sk_shutdown, other->sk_shutdown | peer_mode);
2976 unix_state_unlock(other);
2977 other->sk_state_change(other);
2978 if (peer_mode == SHUTDOWN_MASK)
2979 sk_wake_async(other, SOCK_WAKE_WAITD, POLL_HUP);
2980 else if (peer_mode & RCV_SHUTDOWN)
2981 sk_wake_async(other, SOCK_WAKE_WAITD, POLL_IN);
2982 }
2983 if (other)
2984 sock_put(other);
2985
2986 return 0;
2987 }
2988
unix_inq_len(struct sock * sk)2989 long unix_inq_len(struct sock *sk)
2990 {
2991 struct sk_buff *skb;
2992 long amount = 0;
2993
2994 if (READ_ONCE(sk->sk_state) == TCP_LISTEN)
2995 return -EINVAL;
2996
2997 spin_lock(&sk->sk_receive_queue.lock);
2998 if (sk->sk_type == SOCK_STREAM ||
2999 sk->sk_type == SOCK_SEQPACKET) {
3000 skb_queue_walk(&sk->sk_receive_queue, skb)
3001 amount += unix_skb_len(skb);
3002 } else {
3003 skb = skb_peek(&sk->sk_receive_queue);
3004 if (skb)
3005 amount = skb->len;
3006 }
3007 spin_unlock(&sk->sk_receive_queue.lock);
3008
3009 return amount;
3010 }
3011 EXPORT_SYMBOL_GPL(unix_inq_len);
3012
unix_outq_len(struct sock * sk)3013 long unix_outq_len(struct sock *sk)
3014 {
3015 return sk_wmem_alloc_get(sk);
3016 }
3017 EXPORT_SYMBOL_GPL(unix_outq_len);
3018
unix_open_file(struct sock * sk)3019 static int unix_open_file(struct sock *sk)
3020 {
3021 struct path path;
3022 struct file *f;
3023 int fd;
3024
3025 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
3026 return -EPERM;
3027
3028 if (!smp_load_acquire(&unix_sk(sk)->addr))
3029 return -ENOENT;
3030
3031 path = unix_sk(sk)->path;
3032 if (!path.dentry)
3033 return -ENOENT;
3034
3035 path_get(&path);
3036
3037 fd = get_unused_fd_flags(O_CLOEXEC);
3038 if (fd < 0)
3039 goto out;
3040
3041 f = dentry_open(&path, O_PATH, current_cred());
3042 if (IS_ERR(f)) {
3043 put_unused_fd(fd);
3044 fd = PTR_ERR(f);
3045 goto out;
3046 }
3047
3048 fd_install(fd, f);
3049 out:
3050 path_put(&path);
3051
3052 return fd;
3053 }
3054
unix_ioctl(struct socket * sock,unsigned int cmd,unsigned long arg)3055 static int unix_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
3056 {
3057 struct sock *sk = sock->sk;
3058 long amount = 0;
3059 int err;
3060
3061 switch (cmd) {
3062 case SIOCOUTQ:
3063 amount = unix_outq_len(sk);
3064 err = put_user(amount, (int __user *)arg);
3065 break;
3066 case SIOCINQ:
3067 amount = unix_inq_len(sk);
3068 if (amount < 0)
3069 err = amount;
3070 else
3071 err = put_user(amount, (int __user *)arg);
3072 break;
3073 case SIOCUNIXFILE:
3074 err = unix_open_file(sk);
3075 break;
3076 #if IS_ENABLED(CONFIG_AF_UNIX_OOB)
3077 case SIOCATMARK:
3078 {
3079 struct sk_buff *skb;
3080 int answ = 0;
3081
3082 skb = skb_peek(&sk->sk_receive_queue);
3083 if (skb && skb == READ_ONCE(unix_sk(sk)->oob_skb))
3084 answ = 1;
3085 err = put_user(answ, (int __user *)arg);
3086 }
3087 break;
3088 #endif
3089 default:
3090 err = -ENOIOCTLCMD;
3091 break;
3092 }
3093 return err;
3094 }
3095
3096 #ifdef CONFIG_COMPAT
unix_compat_ioctl(struct socket * sock,unsigned int cmd,unsigned long arg)3097 static int unix_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
3098 {
3099 return unix_ioctl(sock, cmd, (unsigned long)compat_ptr(arg));
3100 }
3101 #endif
3102
unix_poll(struct file * file,struct socket * sock,poll_table * wait)3103 static __poll_t unix_poll(struct file *file, struct socket *sock, poll_table *wait)
3104 {
3105 struct sock *sk = sock->sk;
3106 unsigned char state;
3107 __poll_t mask;
3108 u8 shutdown;
3109
3110 sock_poll_wait(file, sock, wait);
3111 mask = 0;
3112 shutdown = READ_ONCE(sk->sk_shutdown);
3113 state = READ_ONCE(sk->sk_state);
3114
3115 /* exceptional events? */
3116 if (READ_ONCE(sk->sk_err))
3117 mask |= EPOLLERR;
3118 if (shutdown == SHUTDOWN_MASK)
3119 mask |= EPOLLHUP;
3120 if (shutdown & RCV_SHUTDOWN)
3121 mask |= EPOLLRDHUP | EPOLLIN | EPOLLRDNORM;
3122
3123 /* readable? */
3124 if (!skb_queue_empty_lockless(&sk->sk_receive_queue))
3125 mask |= EPOLLIN | EPOLLRDNORM;
3126 if (sk_is_readable(sk))
3127 mask |= EPOLLIN | EPOLLRDNORM;
3128 #if IS_ENABLED(CONFIG_AF_UNIX_OOB)
3129 if (READ_ONCE(unix_sk(sk)->oob_skb))
3130 mask |= EPOLLPRI;
3131 #endif
3132
3133 /* Connection-based need to check for termination and startup */
3134 if ((sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET) &&
3135 state == TCP_CLOSE)
3136 mask |= EPOLLHUP;
3137
3138 /*
3139 * we set writable also when the other side has shut down the
3140 * connection. This prevents stuck sockets.
3141 */
3142 if (unix_writable(sk, state))
3143 mask |= EPOLLOUT | EPOLLWRNORM | EPOLLWRBAND;
3144
3145 return mask;
3146 }
3147
unix_dgram_poll(struct file * file,struct socket * sock,poll_table * wait)3148 static __poll_t unix_dgram_poll(struct file *file, struct socket *sock,
3149 poll_table *wait)
3150 {
3151 struct sock *sk = sock->sk, *other;
3152 unsigned int writable;
3153 unsigned char state;
3154 __poll_t mask;
3155 u8 shutdown;
3156
3157 sock_poll_wait(file, sock, wait);
3158 mask = 0;
3159 shutdown = READ_ONCE(sk->sk_shutdown);
3160 state = READ_ONCE(sk->sk_state);
3161
3162 /* exceptional events? */
3163 if (READ_ONCE(sk->sk_err) ||
3164 !skb_queue_empty_lockless(&sk->sk_error_queue))
3165 mask |= EPOLLERR |
3166 (sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? EPOLLPRI : 0);
3167
3168 if (shutdown & RCV_SHUTDOWN)
3169 mask |= EPOLLRDHUP | EPOLLIN | EPOLLRDNORM;
3170 if (shutdown == SHUTDOWN_MASK)
3171 mask |= EPOLLHUP;
3172
3173 /* readable? */
3174 if (!skb_queue_empty_lockless(&sk->sk_receive_queue))
3175 mask |= EPOLLIN | EPOLLRDNORM;
3176 if (sk_is_readable(sk))
3177 mask |= EPOLLIN | EPOLLRDNORM;
3178
3179 /* Connection-based need to check for termination and startup */
3180 if (sk->sk_type == SOCK_SEQPACKET && state == TCP_CLOSE)
3181 mask |= EPOLLHUP;
3182
3183 /* No write status requested, avoid expensive OUT tests. */
3184 if (!(poll_requested_events(wait) & (EPOLLWRBAND|EPOLLWRNORM|EPOLLOUT)))
3185 return mask;
3186
3187 writable = unix_writable(sk, state);
3188 if (writable) {
3189 unix_state_lock(sk);
3190
3191 other = unix_peer(sk);
3192 if (other && unix_peer(other) != sk &&
3193 unix_recvq_full_lockless(other) &&
3194 unix_dgram_peer_wake_me(sk, other))
3195 writable = 0;
3196
3197 unix_state_unlock(sk);
3198 }
3199
3200 if (writable)
3201 mask |= EPOLLOUT | EPOLLWRNORM | EPOLLWRBAND;
3202 else
3203 sk_set_bit(SOCKWQ_ASYNC_NOSPACE, sk);
3204
3205 return mask;
3206 }
3207
3208 #ifdef CONFIG_PROC_FS
3209
3210 #define BUCKET_SPACE (BITS_PER_LONG - (UNIX_HASH_BITS + 1) - 1)
3211
3212 #define get_bucket(x) ((x) >> BUCKET_SPACE)
3213 #define get_offset(x) ((x) & ((1UL << BUCKET_SPACE) - 1))
3214 #define set_bucket_offset(b, o) ((b) << BUCKET_SPACE | (o))
3215
unix_from_bucket(struct seq_file * seq,loff_t * pos)3216 static struct sock *unix_from_bucket(struct seq_file *seq, loff_t *pos)
3217 {
3218 unsigned long offset = get_offset(*pos);
3219 unsigned long bucket = get_bucket(*pos);
3220 unsigned long count = 0;
3221 struct sock *sk;
3222
3223 for (sk = sk_head(&seq_file_net(seq)->unx.table.buckets[bucket]);
3224 sk; sk = sk_next(sk)) {
3225 if (++count == offset)
3226 break;
3227 }
3228
3229 return sk;
3230 }
3231
unix_get_first(struct seq_file * seq,loff_t * pos)3232 static struct sock *unix_get_first(struct seq_file *seq, loff_t *pos)
3233 {
3234 unsigned long bucket = get_bucket(*pos);
3235 struct net *net = seq_file_net(seq);
3236 struct sock *sk;
3237
3238 while (bucket < UNIX_HASH_SIZE) {
3239 spin_lock(&net->unx.table.locks[bucket]);
3240
3241 sk = unix_from_bucket(seq, pos);
3242 if (sk)
3243 return sk;
3244
3245 spin_unlock(&net->unx.table.locks[bucket]);
3246
3247 *pos = set_bucket_offset(++bucket, 1);
3248 }
3249
3250 return NULL;
3251 }
3252
unix_get_next(struct seq_file * seq,struct sock * sk,loff_t * pos)3253 static struct sock *unix_get_next(struct seq_file *seq, struct sock *sk,
3254 loff_t *pos)
3255 {
3256 unsigned long bucket = get_bucket(*pos);
3257
3258 sk = sk_next(sk);
3259 if (sk)
3260 return sk;
3261
3262
3263 spin_unlock(&seq_file_net(seq)->unx.table.locks[bucket]);
3264
3265 *pos = set_bucket_offset(++bucket, 1);
3266
3267 return unix_get_first(seq, pos);
3268 }
3269
unix_seq_start(struct seq_file * seq,loff_t * pos)3270 static void *unix_seq_start(struct seq_file *seq, loff_t *pos)
3271 {
3272 if (!*pos)
3273 return SEQ_START_TOKEN;
3274
3275 return unix_get_first(seq, pos);
3276 }
3277
unix_seq_next(struct seq_file * seq,void * v,loff_t * pos)3278 static void *unix_seq_next(struct seq_file *seq, void *v, loff_t *pos)
3279 {
3280 ++*pos;
3281
3282 if (v == SEQ_START_TOKEN)
3283 return unix_get_first(seq, pos);
3284
3285 return unix_get_next(seq, v, pos);
3286 }
3287
unix_seq_stop(struct seq_file * seq,void * v)3288 static void unix_seq_stop(struct seq_file *seq, void *v)
3289 {
3290 struct sock *sk = v;
3291
3292 if (sk)
3293 spin_unlock(&seq_file_net(seq)->unx.table.locks[sk->sk_hash]);
3294 }
3295
unix_seq_show(struct seq_file * seq,void * v)3296 static int unix_seq_show(struct seq_file *seq, void *v)
3297 {
3298
3299 if (v == SEQ_START_TOKEN)
3300 seq_puts(seq, "Num RefCount Protocol Flags Type St "
3301 "Inode Path\n");
3302 else {
3303 struct sock *s = v;
3304 struct unix_sock *u = unix_sk(s);
3305 unix_state_lock(s);
3306
3307 seq_printf(seq, "%pK: %08X %08X %08X %04X %02X %5lu",
3308 s,
3309 refcount_read(&s->sk_refcnt),
3310 0,
3311 s->sk_state == TCP_LISTEN ? __SO_ACCEPTCON : 0,
3312 s->sk_type,
3313 s->sk_socket ?
3314 (s->sk_state == TCP_ESTABLISHED ? SS_CONNECTED : SS_UNCONNECTED) :
3315 (s->sk_state == TCP_ESTABLISHED ? SS_CONNECTING : SS_DISCONNECTING),
3316 sock_i_ino(s));
3317
3318 if (u->addr) { // under a hash table lock here
3319 int i, len;
3320 seq_putc(seq, ' ');
3321
3322 i = 0;
3323 len = u->addr->len -
3324 offsetof(struct sockaddr_un, sun_path);
3325 if (u->addr->name->sun_path[0]) {
3326 len--;
3327 } else {
3328 seq_putc(seq, '@');
3329 i++;
3330 }
3331 for ( ; i < len; i++)
3332 seq_putc(seq, u->addr->name->sun_path[i] ?:
3333 '@');
3334 }
3335 unix_state_unlock(s);
3336 seq_putc(seq, '\n');
3337 }
3338
3339 return 0;
3340 }
3341
3342 static const struct seq_operations unix_seq_ops = {
3343 .start = unix_seq_start,
3344 .next = unix_seq_next,
3345 .stop = unix_seq_stop,
3346 .show = unix_seq_show,
3347 };
3348
3349 #if IS_BUILTIN(CONFIG_UNIX) && defined(CONFIG_BPF_SYSCALL)
3350 struct bpf_unix_iter_state {
3351 struct seq_net_private p;
3352 unsigned int cur_sk;
3353 unsigned int end_sk;
3354 unsigned int max_sk;
3355 struct sock **batch;
3356 bool st_bucket_done;
3357 };
3358
3359 struct bpf_iter__unix {
3360 __bpf_md_ptr(struct bpf_iter_meta *, meta);
3361 __bpf_md_ptr(struct unix_sock *, unix_sk);
3362 uid_t uid __aligned(8);
3363 };
3364
unix_prog_seq_show(struct bpf_prog * prog,struct bpf_iter_meta * meta,struct unix_sock * unix_sk,uid_t uid)3365 static int unix_prog_seq_show(struct bpf_prog *prog, struct bpf_iter_meta *meta,
3366 struct unix_sock *unix_sk, uid_t uid)
3367 {
3368 struct bpf_iter__unix ctx;
3369
3370 meta->seq_num--; /* skip SEQ_START_TOKEN */
3371 ctx.meta = meta;
3372 ctx.unix_sk = unix_sk;
3373 ctx.uid = uid;
3374 return bpf_iter_run_prog(prog, &ctx);
3375 }
3376
bpf_iter_unix_hold_batch(struct seq_file * seq,struct sock * start_sk)3377 static int bpf_iter_unix_hold_batch(struct seq_file *seq, struct sock *start_sk)
3378
3379 {
3380 struct bpf_unix_iter_state *iter = seq->private;
3381 unsigned int expected = 1;
3382 struct sock *sk;
3383
3384 sock_hold(start_sk);
3385 iter->batch[iter->end_sk++] = start_sk;
3386
3387 for (sk = sk_next(start_sk); sk; sk = sk_next(sk)) {
3388 if (iter->end_sk < iter->max_sk) {
3389 sock_hold(sk);
3390 iter->batch[iter->end_sk++] = sk;
3391 }
3392
3393 expected++;
3394 }
3395
3396 spin_unlock(&seq_file_net(seq)->unx.table.locks[start_sk->sk_hash]);
3397
3398 return expected;
3399 }
3400
bpf_iter_unix_put_batch(struct bpf_unix_iter_state * iter)3401 static void bpf_iter_unix_put_batch(struct bpf_unix_iter_state *iter)
3402 {
3403 while (iter->cur_sk < iter->end_sk)
3404 sock_put(iter->batch[iter->cur_sk++]);
3405 }
3406
bpf_iter_unix_realloc_batch(struct bpf_unix_iter_state * iter,unsigned int new_batch_sz)3407 static int bpf_iter_unix_realloc_batch(struct bpf_unix_iter_state *iter,
3408 unsigned int new_batch_sz)
3409 {
3410 struct sock **new_batch;
3411
3412 new_batch = kvmalloc(sizeof(*new_batch) * new_batch_sz,
3413 GFP_USER | __GFP_NOWARN);
3414 if (!new_batch)
3415 return -ENOMEM;
3416
3417 bpf_iter_unix_put_batch(iter);
3418 kvfree(iter->batch);
3419 iter->batch = new_batch;
3420 iter->max_sk = new_batch_sz;
3421
3422 return 0;
3423 }
3424
bpf_iter_unix_batch(struct seq_file * seq,loff_t * pos)3425 static struct sock *bpf_iter_unix_batch(struct seq_file *seq,
3426 loff_t *pos)
3427 {
3428 struct bpf_unix_iter_state *iter = seq->private;
3429 unsigned int expected;
3430 bool resized = false;
3431 struct sock *sk;
3432
3433 if (iter->st_bucket_done)
3434 *pos = set_bucket_offset(get_bucket(*pos) + 1, 1);
3435
3436 again:
3437 /* Get a new batch */
3438 iter->cur_sk = 0;
3439 iter->end_sk = 0;
3440
3441 sk = unix_get_first(seq, pos);
3442 if (!sk)
3443 return NULL; /* Done */
3444
3445 expected = bpf_iter_unix_hold_batch(seq, sk);
3446
3447 if (iter->end_sk == expected) {
3448 iter->st_bucket_done = true;
3449 return sk;
3450 }
3451
3452 if (!resized && !bpf_iter_unix_realloc_batch(iter, expected * 3 / 2)) {
3453 resized = true;
3454 goto again;
3455 }
3456
3457 return sk;
3458 }
3459
bpf_iter_unix_seq_start(struct seq_file * seq,loff_t * pos)3460 static void *bpf_iter_unix_seq_start(struct seq_file *seq, loff_t *pos)
3461 {
3462 if (!*pos)
3463 return SEQ_START_TOKEN;
3464
3465 /* bpf iter does not support lseek, so it always
3466 * continue from where it was stop()-ped.
3467 */
3468 return bpf_iter_unix_batch(seq, pos);
3469 }
3470
bpf_iter_unix_seq_next(struct seq_file * seq,void * v,loff_t * pos)3471 static void *bpf_iter_unix_seq_next(struct seq_file *seq, void *v, loff_t *pos)
3472 {
3473 struct bpf_unix_iter_state *iter = seq->private;
3474 struct sock *sk;
3475
3476 /* Whenever seq_next() is called, the iter->cur_sk is
3477 * done with seq_show(), so advance to the next sk in
3478 * the batch.
3479 */
3480 if (iter->cur_sk < iter->end_sk)
3481 sock_put(iter->batch[iter->cur_sk++]);
3482
3483 ++*pos;
3484
3485 if (iter->cur_sk < iter->end_sk)
3486 sk = iter->batch[iter->cur_sk];
3487 else
3488 sk = bpf_iter_unix_batch(seq, pos);
3489
3490 return sk;
3491 }
3492
bpf_iter_unix_seq_show(struct seq_file * seq,void * v)3493 static int bpf_iter_unix_seq_show(struct seq_file *seq, void *v)
3494 {
3495 struct bpf_iter_meta meta;
3496 struct bpf_prog *prog;
3497 struct sock *sk = v;
3498 uid_t uid;
3499 bool slow;
3500 int ret;
3501
3502 if (v == SEQ_START_TOKEN)
3503 return 0;
3504
3505 slow = lock_sock_fast(sk);
3506
3507 if (unlikely(sk_unhashed(sk))) {
3508 ret = SEQ_SKIP;
3509 goto unlock;
3510 }
3511
3512 uid = from_kuid_munged(seq_user_ns(seq), sock_i_uid(sk));
3513 meta.seq = seq;
3514 prog = bpf_iter_get_info(&meta, false);
3515 ret = unix_prog_seq_show(prog, &meta, v, uid);
3516 unlock:
3517 unlock_sock_fast(sk, slow);
3518 return ret;
3519 }
3520
bpf_iter_unix_seq_stop(struct seq_file * seq,void * v)3521 static void bpf_iter_unix_seq_stop(struct seq_file *seq, void *v)
3522 {
3523 struct bpf_unix_iter_state *iter = seq->private;
3524 struct bpf_iter_meta meta;
3525 struct bpf_prog *prog;
3526
3527 if (!v) {
3528 meta.seq = seq;
3529 prog = bpf_iter_get_info(&meta, true);
3530 if (prog)
3531 (void)unix_prog_seq_show(prog, &meta, v, 0);
3532 }
3533
3534 if (iter->cur_sk < iter->end_sk)
3535 bpf_iter_unix_put_batch(iter);
3536 }
3537
3538 static const struct seq_operations bpf_iter_unix_seq_ops = {
3539 .start = bpf_iter_unix_seq_start,
3540 .next = bpf_iter_unix_seq_next,
3541 .stop = bpf_iter_unix_seq_stop,
3542 .show = bpf_iter_unix_seq_show,
3543 };
3544 #endif
3545 #endif
3546
3547 static const struct net_proto_family unix_family_ops = {
3548 .family = PF_UNIX,
3549 .create = unix_create,
3550 .owner = THIS_MODULE,
3551 };
3552
3553
unix_net_init(struct net * net)3554 static int __net_init unix_net_init(struct net *net)
3555 {
3556 int i;
3557
3558 net->unx.sysctl_max_dgram_qlen = 10;
3559 if (unix_sysctl_register(net))
3560 goto out;
3561
3562 #ifdef CONFIG_PROC_FS
3563 if (!proc_create_net("unix", 0, net->proc_net, &unix_seq_ops,
3564 sizeof(struct seq_net_private)))
3565 goto err_sysctl;
3566 #endif
3567
3568 net->unx.table.locks = kvmalloc_array(UNIX_HASH_SIZE,
3569 sizeof(spinlock_t), GFP_KERNEL);
3570 if (!net->unx.table.locks)
3571 goto err_proc;
3572
3573 net->unx.table.buckets = kvmalloc_array(UNIX_HASH_SIZE,
3574 sizeof(struct hlist_head),
3575 GFP_KERNEL);
3576 if (!net->unx.table.buckets)
3577 goto free_locks;
3578
3579 for (i = 0; i < UNIX_HASH_SIZE; i++) {
3580 spin_lock_init(&net->unx.table.locks[i]);
3581 INIT_HLIST_HEAD(&net->unx.table.buckets[i]);
3582 }
3583
3584 return 0;
3585
3586 free_locks:
3587 kvfree(net->unx.table.locks);
3588 err_proc:
3589 #ifdef CONFIG_PROC_FS
3590 remove_proc_entry("unix", net->proc_net);
3591 err_sysctl:
3592 #endif
3593 unix_sysctl_unregister(net);
3594 out:
3595 return -ENOMEM;
3596 }
3597
unix_net_exit(struct net * net)3598 static void __net_exit unix_net_exit(struct net *net)
3599 {
3600 kvfree(net->unx.table.buckets);
3601 kvfree(net->unx.table.locks);
3602 unix_sysctl_unregister(net);
3603 remove_proc_entry("unix", net->proc_net);
3604 }
3605
3606 static struct pernet_operations unix_net_ops = {
3607 .init = unix_net_init,
3608 .exit = unix_net_exit,
3609 };
3610
3611 #if IS_BUILTIN(CONFIG_UNIX) && defined(CONFIG_BPF_SYSCALL) && defined(CONFIG_PROC_FS)
DEFINE_BPF_ITER_FUNC(unix,struct bpf_iter_meta * meta,struct unix_sock * unix_sk,uid_t uid)3612 DEFINE_BPF_ITER_FUNC(unix, struct bpf_iter_meta *meta,
3613 struct unix_sock *unix_sk, uid_t uid)
3614
3615 #define INIT_BATCH_SZ 16
3616
3617 static int bpf_iter_init_unix(void *priv_data, struct bpf_iter_aux_info *aux)
3618 {
3619 struct bpf_unix_iter_state *iter = priv_data;
3620 int err;
3621
3622 err = bpf_iter_init_seq_net(priv_data, aux);
3623 if (err)
3624 return err;
3625
3626 err = bpf_iter_unix_realloc_batch(iter, INIT_BATCH_SZ);
3627 if (err) {
3628 bpf_iter_fini_seq_net(priv_data);
3629 return err;
3630 }
3631
3632 return 0;
3633 }
3634
bpf_iter_fini_unix(void * priv_data)3635 static void bpf_iter_fini_unix(void *priv_data)
3636 {
3637 struct bpf_unix_iter_state *iter = priv_data;
3638
3639 bpf_iter_fini_seq_net(priv_data);
3640 kvfree(iter->batch);
3641 }
3642
3643 static const struct bpf_iter_seq_info unix_seq_info = {
3644 .seq_ops = &bpf_iter_unix_seq_ops,
3645 .init_seq_private = bpf_iter_init_unix,
3646 .fini_seq_private = bpf_iter_fini_unix,
3647 .seq_priv_size = sizeof(struct bpf_unix_iter_state),
3648 };
3649
3650 static const struct bpf_func_proto *
bpf_iter_unix_get_func_proto(enum bpf_func_id func_id,const struct bpf_prog * prog)3651 bpf_iter_unix_get_func_proto(enum bpf_func_id func_id,
3652 const struct bpf_prog *prog)
3653 {
3654 switch (func_id) {
3655 case BPF_FUNC_setsockopt:
3656 return &bpf_sk_setsockopt_proto;
3657 case BPF_FUNC_getsockopt:
3658 return &bpf_sk_getsockopt_proto;
3659 default:
3660 return NULL;
3661 }
3662 }
3663
3664 static struct bpf_iter_reg unix_reg_info = {
3665 .target = "unix",
3666 .ctx_arg_info_size = 1,
3667 .ctx_arg_info = {
3668 { offsetof(struct bpf_iter__unix, unix_sk),
3669 PTR_TO_BTF_ID_OR_NULL },
3670 },
3671 .get_func_proto = bpf_iter_unix_get_func_proto,
3672 .seq_info = &unix_seq_info,
3673 };
3674
bpf_iter_register(void)3675 static void __init bpf_iter_register(void)
3676 {
3677 unix_reg_info.ctx_arg_info[0].btf_id = btf_sock_ids[BTF_SOCK_TYPE_UNIX];
3678 if (bpf_iter_reg_target(&unix_reg_info))
3679 pr_warn("Warning: could not register bpf iterator unix\n");
3680 }
3681 #endif
3682
af_unix_init(void)3683 static int __init af_unix_init(void)
3684 {
3685 int i, rc = -1;
3686
3687 BUILD_BUG_ON(sizeof(struct unix_skb_parms) > sizeof_field(struct sk_buff, cb));
3688
3689 for (i = 0; i < UNIX_HASH_SIZE / 2; i++) {
3690 spin_lock_init(&bsd_socket_locks[i]);
3691 INIT_HLIST_HEAD(&bsd_socket_buckets[i]);
3692 }
3693
3694 rc = proto_register(&unix_dgram_proto, 1);
3695 if (rc != 0) {
3696 pr_crit("%s: Cannot create unix_sock SLAB cache!\n", __func__);
3697 goto out;
3698 }
3699
3700 rc = proto_register(&unix_stream_proto, 1);
3701 if (rc != 0) {
3702 pr_crit("%s: Cannot create unix_sock SLAB cache!\n", __func__);
3703 proto_unregister(&unix_dgram_proto);
3704 goto out;
3705 }
3706
3707 sock_register(&unix_family_ops);
3708 register_pernet_subsys(&unix_net_ops);
3709 unix_bpf_build_proto();
3710
3711 #if IS_BUILTIN(CONFIG_UNIX) && defined(CONFIG_BPF_SYSCALL) && defined(CONFIG_PROC_FS)
3712 bpf_iter_register();
3713 #endif
3714
3715 out:
3716 return rc;
3717 }
3718
af_unix_exit(void)3719 static void __exit af_unix_exit(void)
3720 {
3721 sock_unregister(PF_UNIX);
3722 proto_unregister(&unix_dgram_proto);
3723 proto_unregister(&unix_stream_proto);
3724 unregister_pernet_subsys(&unix_net_ops);
3725 }
3726
3727 /* Earlier than device_initcall() so that other drivers invoking
3728 request_module() don't end up in a loop when modprobe tries
3729 to use a UNIX socket. But later than subsys_initcall() because
3730 we depend on stuff initialised there */
3731 fs_initcall(af_unix_init);
3732 module_exit(af_unix_exit);
3733
3734 MODULE_LICENSE("GPL");
3735 MODULE_ALIAS_NETPROTO(PF_UNIX);
3736