1 /* 2 * NET4: Implementation of BSD Unix domain sockets. 3 * 4 * Authors: Alan Cox, <alan@lxorguk.ukuu.org.uk> 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 * 11 * Fixes: 12 * Linus Torvalds : Assorted bug cures. 13 * Niibe Yutaka : async I/O support. 14 * Carsten Paeth : PF_UNIX check, address fixes. 15 * Alan Cox : Limit size of allocated blocks. 16 * Alan Cox : Fixed the stupid socketpair bug. 17 * Alan Cox : BSD compatibility fine tuning. 18 * Alan Cox : Fixed a bug in connect when interrupted. 19 * Alan Cox : Sorted out a proper draft version of 20 * file descriptor passing hacked up from 21 * Mike Shaver's work. 22 * Marty Leisner : Fixes to fd passing 23 * Nick Nevin : recvmsg bugfix. 24 * Alan Cox : Started proper garbage collector 25 * Heiko EiBfeldt : Missing verify_area check 26 * Alan Cox : Started POSIXisms 27 * Andreas Schwab : Replace inode by dentry for proper 28 * reference counting 29 * Kirk Petersen : Made this a module 30 * Christoph Rohland : Elegant non-blocking accept/connect algorithm. 31 * Lots of bug fixes. 32 * Alexey Kuznetosv : Repaired (I hope) bugs introduces 33 * by above two patches. 34 * Andrea Arcangeli : If possible we block in connect(2) 35 * if the max backlog of the listen socket 36 * is been reached. This won't break 37 * old apps and it will avoid huge amount 38 * of socks hashed (this for unix_gc() 39 * performances reasons). 40 * Security fix that limits the max 41 * number of socks to 2*max_files and 42 * the number of skb queueable in the 43 * dgram receiver. 44 * Artur Skawina : Hash function optimizations 45 * Alexey Kuznetsov : Full scale SMP. Lot of bugs are introduced 8) 46 * Malcolm Beattie : Set peercred for socketpair 47 * Michal Ostrowski : Module initialization cleanup. 48 * Arnaldo C. Melo : Remove MOD_{INC,DEC}_USE_COUNT, 49 * the core infrastructure is doing that 50 * for all net proto families now (2.5.69+) 51 * 52 * 53 * Known differences from reference BSD that was tested: 54 * 55 * [TO FIX] 56 * ECONNREFUSED is not returned from one end of a connected() socket to the 57 * other the moment one end closes. 58 * fstat() doesn't return st_dev=0, and give the blksize as high water mark 59 * and a fake inode identifier (nor the BSD first socket fstat twice bug). 60 * [NOT TO FIX] 61 * accept() returns a path name even if the connecting socket has closed 62 * in the meantime (BSD loses the path and gives up). 63 * accept() returns 0 length path for an unbound connector. BSD returns 16 64 * and a null first byte in the path (but not for gethost/peername - BSD bug ??) 65 * socketpair(...SOCK_RAW..) doesn't panic the kernel. 66 * BSD af_unix apparently has connect forgetting to block properly. 67 * (need to check this with the POSIX spec in detail) 68 * 69 * Differences from 2.0.0-11-... (ANK) 70 * Bug fixes and improvements. 71 * - client shutdown killed server socket. 72 * - removed all useless cli/sti pairs. 73 * 74 * Semantic changes/extensions. 75 * - generic control message passing. 76 * - SCM_CREDENTIALS control message. 77 * - "Abstract" (not FS based) socket bindings. 78 * Abstract names are sequences of bytes (not zero terminated) 79 * started by 0, so that this name space does not intersect 80 * with BSD names. 81 */ 82 83 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 84 85 #include <linux/module.h> 86 #include <linux/kernel.h> 87 #include <linux/signal.h> 88 #include <linux/sched.h> 89 #include <linux/errno.h> 90 #include <linux/string.h> 91 #include <linux/stat.h> 92 #include <linux/dcache.h> 93 #include <linux/namei.h> 94 #include <linux/socket.h> 95 #include <linux/un.h> 96 #include <linux/fcntl.h> 97 #include <linux/termios.h> 98 #include <linux/sockios.h> 99 #include <linux/net.h> 100 #include <linux/in.h> 101 #include <linux/fs.h> 102 #include <linux/slab.h> 103 #include <asm/uaccess.h> 104 #include <linux/skbuff.h> 105 #include <linux/netdevice.h> 106 #include <net/net_namespace.h> 107 #include <net/sock.h> 108 #include <net/tcp_states.h> 109 #include <net/af_unix.h> 110 #include <linux/proc_fs.h> 111 #include <linux/seq_file.h> 112 #include <net/scm.h> 113 #include <linux/init.h> 114 #include <linux/poll.h> 115 #include <linux/rtnetlink.h> 116 #include <linux/mount.h> 117 #include <net/checksum.h> 118 #include <linux/security.h> 119 #include <linux/freezer.h> 120 121 struct hlist_head unix_socket_table[2 * UNIX_HASH_SIZE]; 122 EXPORT_SYMBOL_GPL(unix_socket_table); 123 DEFINE_SPINLOCK(unix_table_lock); 124 EXPORT_SYMBOL_GPL(unix_table_lock); 125 static atomic_long_t unix_nr_socks; 126 127 128 static struct hlist_head *unix_sockets_unbound(void *addr) 129 { 130 unsigned long hash = (unsigned long)addr; 131 132 hash ^= hash >> 16; 133 hash ^= hash >> 8; 134 hash %= UNIX_HASH_SIZE; 135 return &unix_socket_table[UNIX_HASH_SIZE + hash]; 136 } 137 138 #define UNIX_ABSTRACT(sk) (unix_sk(sk)->addr->hash < UNIX_HASH_SIZE) 139 140 #ifdef CONFIG_SECURITY_NETWORK 141 static void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb) 142 { 143 UNIXCB(skb).secid = scm->secid; 144 } 145 146 static inline void unix_set_secdata(struct scm_cookie *scm, struct sk_buff *skb) 147 { 148 scm->secid = UNIXCB(skb).secid; 149 } 150 151 static inline bool unix_secdata_eq(struct scm_cookie *scm, struct sk_buff *skb) 152 { 153 return (scm->secid == UNIXCB(skb).secid); 154 } 155 #else 156 static inline void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb) 157 { } 158 159 static inline void unix_set_secdata(struct scm_cookie *scm, struct sk_buff *skb) 160 { } 161 162 static inline bool unix_secdata_eq(struct scm_cookie *scm, struct sk_buff *skb) 163 { 164 return true; 165 } 166 #endif /* CONFIG_SECURITY_NETWORK */ 167 168 /* 169 * SMP locking strategy: 170 * hash table is protected with spinlock unix_table_lock 171 * each socket state is protected by separate spin lock. 172 */ 173 174 static inline unsigned int unix_hash_fold(__wsum n) 175 { 176 unsigned int hash = (__force unsigned int)csum_fold(n); 177 178 hash ^= hash>>8; 179 return hash&(UNIX_HASH_SIZE-1); 180 } 181 182 #define unix_peer(sk) (unix_sk(sk)->peer) 183 184 static inline int unix_our_peer(struct sock *sk, struct sock *osk) 185 { 186 return unix_peer(osk) == sk; 187 } 188 189 static inline int unix_may_send(struct sock *sk, struct sock *osk) 190 { 191 return unix_peer(osk) == NULL || unix_our_peer(sk, osk); 192 } 193 194 static inline int unix_recvq_full(struct sock const *sk) 195 { 196 return skb_queue_len(&sk->sk_receive_queue) > sk->sk_max_ack_backlog; 197 } 198 199 struct sock *unix_peer_get(struct sock *s) 200 { 201 struct sock *peer; 202 203 unix_state_lock(s); 204 peer = unix_peer(s); 205 if (peer) 206 sock_hold(peer); 207 unix_state_unlock(s); 208 return peer; 209 } 210 EXPORT_SYMBOL_GPL(unix_peer_get); 211 212 static inline void unix_release_addr(struct unix_address *addr) 213 { 214 if (atomic_dec_and_test(&addr->refcnt)) 215 kfree(addr); 216 } 217 218 /* 219 * Check unix socket name: 220 * - should be not zero length. 221 * - if started by not zero, should be NULL terminated (FS object) 222 * - if started by zero, it is abstract name. 223 */ 224 225 static int unix_mkname(struct sockaddr_un *sunaddr, int len, unsigned int *hashp) 226 { 227 if (len <= sizeof(short) || len > sizeof(*sunaddr)) 228 return -EINVAL; 229 if (!sunaddr || sunaddr->sun_family != AF_UNIX) 230 return -EINVAL; 231 if (sunaddr->sun_path[0]) { 232 /* 233 * This may look like an off by one error but it is a bit more 234 * subtle. 108 is the longest valid AF_UNIX path for a binding. 235 * sun_path[108] doesn't as such exist. However in kernel space 236 * we are guaranteed that it is a valid memory location in our 237 * kernel address buffer. 238 */ 239 ((char *)sunaddr)[len] = 0; 240 len = strlen(sunaddr->sun_path)+1+sizeof(short); 241 return len; 242 } 243 244 *hashp = unix_hash_fold(csum_partial(sunaddr, len, 0)); 245 return len; 246 } 247 248 static void __unix_remove_socket(struct sock *sk) 249 { 250 sk_del_node_init(sk); 251 } 252 253 static void __unix_insert_socket(struct hlist_head *list, struct sock *sk) 254 { 255 WARN_ON(!sk_unhashed(sk)); 256 sk_add_node(sk, list); 257 } 258 259 static inline void unix_remove_socket(struct sock *sk) 260 { 261 spin_lock(&unix_table_lock); 262 __unix_remove_socket(sk); 263 spin_unlock(&unix_table_lock); 264 } 265 266 static inline void unix_insert_socket(struct hlist_head *list, struct sock *sk) 267 { 268 spin_lock(&unix_table_lock); 269 __unix_insert_socket(list, sk); 270 spin_unlock(&unix_table_lock); 271 } 272 273 static struct sock *__unix_find_socket_byname(struct net *net, 274 struct sockaddr_un *sunname, 275 int len, int type, unsigned int hash) 276 { 277 struct sock *s; 278 279 sk_for_each(s, &unix_socket_table[hash ^ type]) { 280 struct unix_sock *u = unix_sk(s); 281 282 if (!net_eq(sock_net(s), net)) 283 continue; 284 285 if (u->addr->len == len && 286 !memcmp(u->addr->name, sunname, len)) 287 goto found; 288 } 289 s = NULL; 290 found: 291 return s; 292 } 293 294 static inline struct sock *unix_find_socket_byname(struct net *net, 295 struct sockaddr_un *sunname, 296 int len, int type, 297 unsigned int hash) 298 { 299 struct sock *s; 300 301 spin_lock(&unix_table_lock); 302 s = __unix_find_socket_byname(net, sunname, len, type, hash); 303 if (s) 304 sock_hold(s); 305 spin_unlock(&unix_table_lock); 306 return s; 307 } 308 309 static struct sock *unix_find_socket_byinode(struct inode *i) 310 { 311 struct sock *s; 312 313 spin_lock(&unix_table_lock); 314 sk_for_each(s, 315 &unix_socket_table[i->i_ino & (UNIX_HASH_SIZE - 1)]) { 316 struct dentry *dentry = unix_sk(s)->path.dentry; 317 318 if (dentry && d_backing_inode(dentry) == i) { 319 sock_hold(s); 320 goto found; 321 } 322 } 323 s = NULL; 324 found: 325 spin_unlock(&unix_table_lock); 326 return s; 327 } 328 329 static int unix_writable(const struct sock *sk) 330 { 331 return sk->sk_state != TCP_LISTEN && 332 (atomic_read(&sk->sk_wmem_alloc) << 2) <= sk->sk_sndbuf; 333 } 334 335 static void unix_write_space(struct sock *sk) 336 { 337 struct socket_wq *wq; 338 339 rcu_read_lock(); 340 if (unix_writable(sk)) { 341 wq = rcu_dereference(sk->sk_wq); 342 if (wq_has_sleeper(wq)) 343 wake_up_interruptible_sync_poll(&wq->wait, 344 POLLOUT | POLLWRNORM | POLLWRBAND); 345 sk_wake_async(sk, SOCK_WAKE_SPACE, POLL_OUT); 346 } 347 rcu_read_unlock(); 348 } 349 350 /* When dgram socket disconnects (or changes its peer), we clear its receive 351 * queue of packets arrived from previous peer. First, it allows to do 352 * flow control based only on wmem_alloc; second, sk connected to peer 353 * may receive messages only from that peer. */ 354 static void unix_dgram_disconnected(struct sock *sk, struct sock *other) 355 { 356 if (!skb_queue_empty(&sk->sk_receive_queue)) { 357 skb_queue_purge(&sk->sk_receive_queue); 358 wake_up_interruptible_all(&unix_sk(sk)->peer_wait); 359 360 /* If one link of bidirectional dgram pipe is disconnected, 361 * we signal error. Messages are lost. Do not make this, 362 * when peer was not connected to us. 363 */ 364 if (!sock_flag(other, SOCK_DEAD) && unix_peer(other) == sk) { 365 other->sk_err = ECONNRESET; 366 other->sk_error_report(other); 367 } 368 } 369 } 370 371 static void unix_sock_destructor(struct sock *sk) 372 { 373 struct unix_sock *u = unix_sk(sk); 374 375 skb_queue_purge(&sk->sk_receive_queue); 376 377 WARN_ON(atomic_read(&sk->sk_wmem_alloc)); 378 WARN_ON(!sk_unhashed(sk)); 379 WARN_ON(sk->sk_socket); 380 if (!sock_flag(sk, SOCK_DEAD)) { 381 pr_info("Attempt to release alive unix socket: %p\n", sk); 382 return; 383 } 384 385 if (u->addr) 386 unix_release_addr(u->addr); 387 388 atomic_long_dec(&unix_nr_socks); 389 local_bh_disable(); 390 sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1); 391 local_bh_enable(); 392 #ifdef UNIX_REFCNT_DEBUG 393 pr_debug("UNIX %p is destroyed, %ld are still alive.\n", sk, 394 atomic_long_read(&unix_nr_socks)); 395 #endif 396 } 397 398 static void unix_release_sock(struct sock *sk, int embrion) 399 { 400 struct unix_sock *u = unix_sk(sk); 401 struct path path; 402 struct sock *skpair; 403 struct sk_buff *skb; 404 int state; 405 406 unix_remove_socket(sk); 407 408 /* Clear state */ 409 unix_state_lock(sk); 410 sock_orphan(sk); 411 sk->sk_shutdown = SHUTDOWN_MASK; 412 path = u->path; 413 u->path.dentry = NULL; 414 u->path.mnt = NULL; 415 state = sk->sk_state; 416 sk->sk_state = TCP_CLOSE; 417 unix_state_unlock(sk); 418 419 wake_up_interruptible_all(&u->peer_wait); 420 421 skpair = unix_peer(sk); 422 423 if (skpair != NULL) { 424 if (sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET) { 425 unix_state_lock(skpair); 426 /* No more writes */ 427 skpair->sk_shutdown = SHUTDOWN_MASK; 428 if (!skb_queue_empty(&sk->sk_receive_queue) || embrion) 429 skpair->sk_err = ECONNRESET; 430 unix_state_unlock(skpair); 431 skpair->sk_state_change(skpair); 432 sk_wake_async(skpair, SOCK_WAKE_WAITD, POLL_HUP); 433 } 434 sock_put(skpair); /* It may now die */ 435 unix_peer(sk) = NULL; 436 } 437 438 /* Try to flush out this socket. Throw out buffers at least */ 439 440 while ((skb = skb_dequeue(&sk->sk_receive_queue)) != NULL) { 441 if (state == TCP_LISTEN) 442 unix_release_sock(skb->sk, 1); 443 /* passed fds are erased in the kfree_skb hook */ 444 kfree_skb(skb); 445 } 446 447 if (path.dentry) 448 path_put(&path); 449 450 sock_put(sk); 451 452 /* ---- Socket is dead now and most probably destroyed ---- */ 453 454 /* 455 * Fixme: BSD difference: In BSD all sockets connected to us get 456 * ECONNRESET and we die on the spot. In Linux we behave 457 * like files and pipes do and wait for the last 458 * dereference. 459 * 460 * Can't we simply set sock->err? 461 * 462 * What the above comment does talk about? --ANK(980817) 463 */ 464 465 if (unix_tot_inflight) 466 unix_gc(); /* Garbage collect fds */ 467 } 468 469 static void init_peercred(struct sock *sk) 470 { 471 put_pid(sk->sk_peer_pid); 472 if (sk->sk_peer_cred) 473 put_cred(sk->sk_peer_cred); 474 sk->sk_peer_pid = get_pid(task_tgid(current)); 475 sk->sk_peer_cred = get_current_cred(); 476 } 477 478 static void copy_peercred(struct sock *sk, struct sock *peersk) 479 { 480 put_pid(sk->sk_peer_pid); 481 if (sk->sk_peer_cred) 482 put_cred(sk->sk_peer_cred); 483 sk->sk_peer_pid = get_pid(peersk->sk_peer_pid); 484 sk->sk_peer_cred = get_cred(peersk->sk_peer_cred); 485 } 486 487 static int unix_listen(struct socket *sock, int backlog) 488 { 489 int err; 490 struct sock *sk = sock->sk; 491 struct unix_sock *u = unix_sk(sk); 492 struct pid *old_pid = NULL; 493 494 err = -EOPNOTSUPP; 495 if (sock->type != SOCK_STREAM && sock->type != SOCK_SEQPACKET) 496 goto out; /* Only stream/seqpacket sockets accept */ 497 err = -EINVAL; 498 if (!u->addr) 499 goto out; /* No listens on an unbound socket */ 500 unix_state_lock(sk); 501 if (sk->sk_state != TCP_CLOSE && sk->sk_state != TCP_LISTEN) 502 goto out_unlock; 503 if (backlog > sk->sk_max_ack_backlog) 504 wake_up_interruptible_all(&u->peer_wait); 505 sk->sk_max_ack_backlog = backlog; 506 sk->sk_state = TCP_LISTEN; 507 /* set credentials so connect can copy them */ 508 init_peercred(sk); 509 err = 0; 510 511 out_unlock: 512 unix_state_unlock(sk); 513 put_pid(old_pid); 514 out: 515 return err; 516 } 517 518 static int unix_release(struct socket *); 519 static int unix_bind(struct socket *, struct sockaddr *, int); 520 static int unix_stream_connect(struct socket *, struct sockaddr *, 521 int addr_len, int flags); 522 static int unix_socketpair(struct socket *, struct socket *); 523 static int unix_accept(struct socket *, struct socket *, int); 524 static int unix_getname(struct socket *, struct sockaddr *, int *, int); 525 static unsigned int unix_poll(struct file *, struct socket *, poll_table *); 526 static unsigned int unix_dgram_poll(struct file *, struct socket *, 527 poll_table *); 528 static int unix_ioctl(struct socket *, unsigned int, unsigned long); 529 static int unix_shutdown(struct socket *, int); 530 static int unix_stream_sendmsg(struct socket *, struct msghdr *, size_t); 531 static int unix_stream_recvmsg(struct socket *, struct msghdr *, size_t, int); 532 static ssize_t unix_stream_sendpage(struct socket *, struct page *, int offset, 533 size_t size, int flags); 534 static ssize_t unix_stream_splice_read(struct socket *, loff_t *ppos, 535 struct pipe_inode_info *, size_t size, 536 unsigned int flags); 537 static int unix_dgram_sendmsg(struct socket *, struct msghdr *, size_t); 538 static int unix_dgram_recvmsg(struct socket *, struct msghdr *, size_t, int); 539 static int unix_dgram_connect(struct socket *, struct sockaddr *, 540 int, int); 541 static int unix_seqpacket_sendmsg(struct socket *, struct msghdr *, size_t); 542 static int unix_seqpacket_recvmsg(struct socket *, struct msghdr *, size_t, 543 int); 544 545 static int unix_set_peek_off(struct sock *sk, int val) 546 { 547 struct unix_sock *u = unix_sk(sk); 548 549 if (mutex_lock_interruptible(&u->readlock)) 550 return -EINTR; 551 552 sk->sk_peek_off = val; 553 mutex_unlock(&u->readlock); 554 555 return 0; 556 } 557 558 559 static const struct proto_ops unix_stream_ops = { 560 .family = PF_UNIX, 561 .owner = THIS_MODULE, 562 .release = unix_release, 563 .bind = unix_bind, 564 .connect = unix_stream_connect, 565 .socketpair = unix_socketpair, 566 .accept = unix_accept, 567 .getname = unix_getname, 568 .poll = unix_poll, 569 .ioctl = unix_ioctl, 570 .listen = unix_listen, 571 .shutdown = unix_shutdown, 572 .setsockopt = sock_no_setsockopt, 573 .getsockopt = sock_no_getsockopt, 574 .sendmsg = unix_stream_sendmsg, 575 .recvmsg = unix_stream_recvmsg, 576 .mmap = sock_no_mmap, 577 .sendpage = unix_stream_sendpage, 578 .splice_read = unix_stream_splice_read, 579 .set_peek_off = unix_set_peek_off, 580 }; 581 582 static const struct proto_ops unix_dgram_ops = { 583 .family = PF_UNIX, 584 .owner = THIS_MODULE, 585 .release = unix_release, 586 .bind = unix_bind, 587 .connect = unix_dgram_connect, 588 .socketpair = unix_socketpair, 589 .accept = sock_no_accept, 590 .getname = unix_getname, 591 .poll = unix_dgram_poll, 592 .ioctl = unix_ioctl, 593 .listen = sock_no_listen, 594 .shutdown = unix_shutdown, 595 .setsockopt = sock_no_setsockopt, 596 .getsockopt = sock_no_getsockopt, 597 .sendmsg = unix_dgram_sendmsg, 598 .recvmsg = unix_dgram_recvmsg, 599 .mmap = sock_no_mmap, 600 .sendpage = sock_no_sendpage, 601 .set_peek_off = unix_set_peek_off, 602 }; 603 604 static const struct proto_ops unix_seqpacket_ops = { 605 .family = PF_UNIX, 606 .owner = THIS_MODULE, 607 .release = unix_release, 608 .bind = unix_bind, 609 .connect = unix_stream_connect, 610 .socketpair = unix_socketpair, 611 .accept = unix_accept, 612 .getname = unix_getname, 613 .poll = unix_dgram_poll, 614 .ioctl = unix_ioctl, 615 .listen = unix_listen, 616 .shutdown = unix_shutdown, 617 .setsockopt = sock_no_setsockopt, 618 .getsockopt = sock_no_getsockopt, 619 .sendmsg = unix_seqpacket_sendmsg, 620 .recvmsg = unix_seqpacket_recvmsg, 621 .mmap = sock_no_mmap, 622 .sendpage = sock_no_sendpage, 623 .set_peek_off = unix_set_peek_off, 624 }; 625 626 static struct proto unix_proto = { 627 .name = "UNIX", 628 .owner = THIS_MODULE, 629 .obj_size = sizeof(struct unix_sock), 630 }; 631 632 /* 633 * AF_UNIX sockets do not interact with hardware, hence they 634 * dont trigger interrupts - so it's safe for them to have 635 * bh-unsafe locking for their sk_receive_queue.lock. Split off 636 * this special lock-class by reinitializing the spinlock key: 637 */ 638 static struct lock_class_key af_unix_sk_receive_queue_lock_key; 639 640 static struct sock *unix_create1(struct net *net, struct socket *sock, int kern) 641 { 642 struct sock *sk = NULL; 643 struct unix_sock *u; 644 645 atomic_long_inc(&unix_nr_socks); 646 if (atomic_long_read(&unix_nr_socks) > 2 * get_max_files()) 647 goto out; 648 649 sk = sk_alloc(net, PF_UNIX, GFP_KERNEL, &unix_proto, kern); 650 if (!sk) 651 goto out; 652 653 sock_init_data(sock, sk); 654 lockdep_set_class(&sk->sk_receive_queue.lock, 655 &af_unix_sk_receive_queue_lock_key); 656 657 sk->sk_write_space = unix_write_space; 658 sk->sk_max_ack_backlog = net->unx.sysctl_max_dgram_qlen; 659 sk->sk_destruct = unix_sock_destructor; 660 u = unix_sk(sk); 661 u->path.dentry = NULL; 662 u->path.mnt = NULL; 663 spin_lock_init(&u->lock); 664 atomic_long_set(&u->inflight, 0); 665 INIT_LIST_HEAD(&u->link); 666 mutex_init(&u->readlock); /* single task reading lock */ 667 init_waitqueue_head(&u->peer_wait); 668 unix_insert_socket(unix_sockets_unbound(sk), sk); 669 out: 670 if (sk == NULL) 671 atomic_long_dec(&unix_nr_socks); 672 else { 673 local_bh_disable(); 674 sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1); 675 local_bh_enable(); 676 } 677 return sk; 678 } 679 680 static int unix_create(struct net *net, struct socket *sock, int protocol, 681 int kern) 682 { 683 if (protocol && protocol != PF_UNIX) 684 return -EPROTONOSUPPORT; 685 686 sock->state = SS_UNCONNECTED; 687 688 switch (sock->type) { 689 case SOCK_STREAM: 690 sock->ops = &unix_stream_ops; 691 break; 692 /* 693 * Believe it or not BSD has AF_UNIX, SOCK_RAW though 694 * nothing uses it. 695 */ 696 case SOCK_RAW: 697 sock->type = SOCK_DGRAM; 698 case SOCK_DGRAM: 699 sock->ops = &unix_dgram_ops; 700 break; 701 case SOCK_SEQPACKET: 702 sock->ops = &unix_seqpacket_ops; 703 break; 704 default: 705 return -ESOCKTNOSUPPORT; 706 } 707 708 return unix_create1(net, sock, kern) ? 0 : -ENOMEM; 709 } 710 711 static int unix_release(struct socket *sock) 712 { 713 struct sock *sk = sock->sk; 714 715 if (!sk) 716 return 0; 717 718 unix_release_sock(sk, 0); 719 sock->sk = NULL; 720 721 return 0; 722 } 723 724 static int unix_autobind(struct socket *sock) 725 { 726 struct sock *sk = sock->sk; 727 struct net *net = sock_net(sk); 728 struct unix_sock *u = unix_sk(sk); 729 static u32 ordernum = 1; 730 struct unix_address *addr; 731 int err; 732 unsigned int retries = 0; 733 734 err = mutex_lock_interruptible(&u->readlock); 735 if (err) 736 return err; 737 738 err = 0; 739 if (u->addr) 740 goto out; 741 742 err = -ENOMEM; 743 addr = kzalloc(sizeof(*addr) + sizeof(short) + 16, GFP_KERNEL); 744 if (!addr) 745 goto out; 746 747 addr->name->sun_family = AF_UNIX; 748 atomic_set(&addr->refcnt, 1); 749 750 retry: 751 addr->len = sprintf(addr->name->sun_path+1, "%05x", ordernum) + 1 + sizeof(short); 752 addr->hash = unix_hash_fold(csum_partial(addr->name, addr->len, 0)); 753 754 spin_lock(&unix_table_lock); 755 ordernum = (ordernum+1)&0xFFFFF; 756 757 if (__unix_find_socket_byname(net, addr->name, addr->len, sock->type, 758 addr->hash)) { 759 spin_unlock(&unix_table_lock); 760 /* 761 * __unix_find_socket_byname() may take long time if many names 762 * are already in use. 763 */ 764 cond_resched(); 765 /* Give up if all names seems to be in use. */ 766 if (retries++ == 0xFFFFF) { 767 err = -ENOSPC; 768 kfree(addr); 769 goto out; 770 } 771 goto retry; 772 } 773 addr->hash ^= sk->sk_type; 774 775 __unix_remove_socket(sk); 776 u->addr = addr; 777 __unix_insert_socket(&unix_socket_table[addr->hash], sk); 778 spin_unlock(&unix_table_lock); 779 err = 0; 780 781 out: mutex_unlock(&u->readlock); 782 return err; 783 } 784 785 static struct sock *unix_find_other(struct net *net, 786 struct sockaddr_un *sunname, int len, 787 int type, unsigned int hash, int *error) 788 { 789 struct sock *u; 790 struct path path; 791 int err = 0; 792 793 if (sunname->sun_path[0]) { 794 struct inode *inode; 795 err = kern_path(sunname->sun_path, LOOKUP_FOLLOW, &path); 796 if (err) 797 goto fail; 798 inode = d_backing_inode(path.dentry); 799 err = inode_permission(inode, MAY_WRITE); 800 if (err) 801 goto put_fail; 802 803 err = -ECONNREFUSED; 804 if (!S_ISSOCK(inode->i_mode)) 805 goto put_fail; 806 u = unix_find_socket_byinode(inode); 807 if (!u) 808 goto put_fail; 809 810 if (u->sk_type == type) 811 touch_atime(&path); 812 813 path_put(&path); 814 815 err = -EPROTOTYPE; 816 if (u->sk_type != type) { 817 sock_put(u); 818 goto fail; 819 } 820 } else { 821 err = -ECONNREFUSED; 822 u = unix_find_socket_byname(net, sunname, len, type, hash); 823 if (u) { 824 struct dentry *dentry; 825 dentry = unix_sk(u)->path.dentry; 826 if (dentry) 827 touch_atime(&unix_sk(u)->path); 828 } else 829 goto fail; 830 } 831 return u; 832 833 put_fail: 834 path_put(&path); 835 fail: 836 *error = err; 837 return NULL; 838 } 839 840 static int unix_mknod(const char *sun_path, umode_t mode, struct path *res) 841 { 842 struct dentry *dentry; 843 struct path path; 844 int err = 0; 845 /* 846 * Get the parent directory, calculate the hash for last 847 * component. 848 */ 849 dentry = kern_path_create(AT_FDCWD, sun_path, &path, 0); 850 err = PTR_ERR(dentry); 851 if (IS_ERR(dentry)) 852 return err; 853 854 /* 855 * All right, let's create it. 856 */ 857 err = security_path_mknod(&path, dentry, mode, 0); 858 if (!err) { 859 err = vfs_mknod(d_inode(path.dentry), dentry, mode, 0); 860 if (!err) { 861 res->mnt = mntget(path.mnt); 862 res->dentry = dget(dentry); 863 } 864 } 865 done_path_create(&path, dentry); 866 return err; 867 } 868 869 static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len) 870 { 871 struct sock *sk = sock->sk; 872 struct net *net = sock_net(sk); 873 struct unix_sock *u = unix_sk(sk); 874 struct sockaddr_un *sunaddr = (struct sockaddr_un *)uaddr; 875 char *sun_path = sunaddr->sun_path; 876 int err; 877 unsigned int hash; 878 struct unix_address *addr; 879 struct hlist_head *list; 880 881 err = -EINVAL; 882 if (sunaddr->sun_family != AF_UNIX) 883 goto out; 884 885 if (addr_len == sizeof(short)) { 886 err = unix_autobind(sock); 887 goto out; 888 } 889 890 err = unix_mkname(sunaddr, addr_len, &hash); 891 if (err < 0) 892 goto out; 893 addr_len = err; 894 895 err = mutex_lock_interruptible(&u->readlock); 896 if (err) 897 goto out; 898 899 err = -EINVAL; 900 if (u->addr) 901 goto out_up; 902 903 err = -ENOMEM; 904 addr = kmalloc(sizeof(*addr)+addr_len, GFP_KERNEL); 905 if (!addr) 906 goto out_up; 907 908 memcpy(addr->name, sunaddr, addr_len); 909 addr->len = addr_len; 910 addr->hash = hash ^ sk->sk_type; 911 atomic_set(&addr->refcnt, 1); 912 913 if (sun_path[0]) { 914 struct path path; 915 umode_t mode = S_IFSOCK | 916 (SOCK_INODE(sock)->i_mode & ~current_umask()); 917 err = unix_mknod(sun_path, mode, &path); 918 if (err) { 919 if (err == -EEXIST) 920 err = -EADDRINUSE; 921 unix_release_addr(addr); 922 goto out_up; 923 } 924 addr->hash = UNIX_HASH_SIZE; 925 hash = d_backing_inode(path.dentry)->i_ino & (UNIX_HASH_SIZE-1); 926 spin_lock(&unix_table_lock); 927 u->path = path; 928 list = &unix_socket_table[hash]; 929 } else { 930 spin_lock(&unix_table_lock); 931 err = -EADDRINUSE; 932 if (__unix_find_socket_byname(net, sunaddr, addr_len, 933 sk->sk_type, hash)) { 934 unix_release_addr(addr); 935 goto out_unlock; 936 } 937 938 list = &unix_socket_table[addr->hash]; 939 } 940 941 err = 0; 942 __unix_remove_socket(sk); 943 u->addr = addr; 944 __unix_insert_socket(list, sk); 945 946 out_unlock: 947 spin_unlock(&unix_table_lock); 948 out_up: 949 mutex_unlock(&u->readlock); 950 out: 951 return err; 952 } 953 954 static void unix_state_double_lock(struct sock *sk1, struct sock *sk2) 955 { 956 if (unlikely(sk1 == sk2) || !sk2) { 957 unix_state_lock(sk1); 958 return; 959 } 960 if (sk1 < sk2) { 961 unix_state_lock(sk1); 962 unix_state_lock_nested(sk2); 963 } else { 964 unix_state_lock(sk2); 965 unix_state_lock_nested(sk1); 966 } 967 } 968 969 static void unix_state_double_unlock(struct sock *sk1, struct sock *sk2) 970 { 971 if (unlikely(sk1 == sk2) || !sk2) { 972 unix_state_unlock(sk1); 973 return; 974 } 975 unix_state_unlock(sk1); 976 unix_state_unlock(sk2); 977 } 978 979 static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr, 980 int alen, int flags) 981 { 982 struct sock *sk = sock->sk; 983 struct net *net = sock_net(sk); 984 struct sockaddr_un *sunaddr = (struct sockaddr_un *)addr; 985 struct sock *other; 986 unsigned int hash; 987 int err; 988 989 if (addr->sa_family != AF_UNSPEC) { 990 err = unix_mkname(sunaddr, alen, &hash); 991 if (err < 0) 992 goto out; 993 alen = err; 994 995 if (test_bit(SOCK_PASSCRED, &sock->flags) && 996 !unix_sk(sk)->addr && (err = unix_autobind(sock)) != 0) 997 goto out; 998 999 restart: 1000 other = unix_find_other(net, sunaddr, alen, sock->type, hash, &err); 1001 if (!other) 1002 goto out; 1003 1004 unix_state_double_lock(sk, other); 1005 1006 /* Apparently VFS overslept socket death. Retry. */ 1007 if (sock_flag(other, SOCK_DEAD)) { 1008 unix_state_double_unlock(sk, other); 1009 sock_put(other); 1010 goto restart; 1011 } 1012 1013 err = -EPERM; 1014 if (!unix_may_send(sk, other)) 1015 goto out_unlock; 1016 1017 err = security_unix_may_send(sk->sk_socket, other->sk_socket); 1018 if (err) 1019 goto out_unlock; 1020 1021 } else { 1022 /* 1023 * 1003.1g breaking connected state with AF_UNSPEC 1024 */ 1025 other = NULL; 1026 unix_state_double_lock(sk, other); 1027 } 1028 1029 /* 1030 * If it was connected, reconnect. 1031 */ 1032 if (unix_peer(sk)) { 1033 struct sock *old_peer = unix_peer(sk); 1034 unix_peer(sk) = other; 1035 unix_state_double_unlock(sk, other); 1036 1037 if (other != old_peer) 1038 unix_dgram_disconnected(sk, old_peer); 1039 sock_put(old_peer); 1040 } else { 1041 unix_peer(sk) = other; 1042 unix_state_double_unlock(sk, other); 1043 } 1044 return 0; 1045 1046 out_unlock: 1047 unix_state_double_unlock(sk, other); 1048 sock_put(other); 1049 out: 1050 return err; 1051 } 1052 1053 static long unix_wait_for_peer(struct sock *other, long timeo) 1054 { 1055 struct unix_sock *u = unix_sk(other); 1056 int sched; 1057 DEFINE_WAIT(wait); 1058 1059 prepare_to_wait_exclusive(&u->peer_wait, &wait, TASK_INTERRUPTIBLE); 1060 1061 sched = !sock_flag(other, SOCK_DEAD) && 1062 !(other->sk_shutdown & RCV_SHUTDOWN) && 1063 unix_recvq_full(other); 1064 1065 unix_state_unlock(other); 1066 1067 if (sched) 1068 timeo = schedule_timeout(timeo); 1069 1070 finish_wait(&u->peer_wait, &wait); 1071 return timeo; 1072 } 1073 1074 static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr, 1075 int addr_len, int flags) 1076 { 1077 struct sockaddr_un *sunaddr = (struct sockaddr_un *)uaddr; 1078 struct sock *sk = sock->sk; 1079 struct net *net = sock_net(sk); 1080 struct unix_sock *u = unix_sk(sk), *newu, *otheru; 1081 struct sock *newsk = NULL; 1082 struct sock *other = NULL; 1083 struct sk_buff *skb = NULL; 1084 unsigned int hash; 1085 int st; 1086 int err; 1087 long timeo; 1088 1089 err = unix_mkname(sunaddr, addr_len, &hash); 1090 if (err < 0) 1091 goto out; 1092 addr_len = err; 1093 1094 if (test_bit(SOCK_PASSCRED, &sock->flags) && !u->addr && 1095 (err = unix_autobind(sock)) != 0) 1096 goto out; 1097 1098 timeo = sock_sndtimeo(sk, flags & O_NONBLOCK); 1099 1100 /* First of all allocate resources. 1101 If we will make it after state is locked, 1102 we will have to recheck all again in any case. 1103 */ 1104 1105 err = -ENOMEM; 1106 1107 /* create new sock for complete connection */ 1108 newsk = unix_create1(sock_net(sk), NULL, 0); 1109 if (newsk == NULL) 1110 goto out; 1111 1112 /* Allocate skb for sending to listening sock */ 1113 skb = sock_wmalloc(newsk, 1, 0, GFP_KERNEL); 1114 if (skb == NULL) 1115 goto out; 1116 1117 restart: 1118 /* Find listening sock. */ 1119 other = unix_find_other(net, sunaddr, addr_len, sk->sk_type, hash, &err); 1120 if (!other) 1121 goto out; 1122 1123 /* Latch state of peer */ 1124 unix_state_lock(other); 1125 1126 /* Apparently VFS overslept socket death. Retry. */ 1127 if (sock_flag(other, SOCK_DEAD)) { 1128 unix_state_unlock(other); 1129 sock_put(other); 1130 goto restart; 1131 } 1132 1133 err = -ECONNREFUSED; 1134 if (other->sk_state != TCP_LISTEN) 1135 goto out_unlock; 1136 if (other->sk_shutdown & RCV_SHUTDOWN) 1137 goto out_unlock; 1138 1139 if (unix_recvq_full(other)) { 1140 err = -EAGAIN; 1141 if (!timeo) 1142 goto out_unlock; 1143 1144 timeo = unix_wait_for_peer(other, timeo); 1145 1146 err = sock_intr_errno(timeo); 1147 if (signal_pending(current)) 1148 goto out; 1149 sock_put(other); 1150 goto restart; 1151 } 1152 1153 /* Latch our state. 1154 1155 It is tricky place. We need to grab our state lock and cannot 1156 drop lock on peer. It is dangerous because deadlock is 1157 possible. Connect to self case and simultaneous 1158 attempt to connect are eliminated by checking socket 1159 state. other is TCP_LISTEN, if sk is TCP_LISTEN we 1160 check this before attempt to grab lock. 1161 1162 Well, and we have to recheck the state after socket locked. 1163 */ 1164 st = sk->sk_state; 1165 1166 switch (st) { 1167 case TCP_CLOSE: 1168 /* This is ok... continue with connect */ 1169 break; 1170 case TCP_ESTABLISHED: 1171 /* Socket is already connected */ 1172 err = -EISCONN; 1173 goto out_unlock; 1174 default: 1175 err = -EINVAL; 1176 goto out_unlock; 1177 } 1178 1179 unix_state_lock_nested(sk); 1180 1181 if (sk->sk_state != st) { 1182 unix_state_unlock(sk); 1183 unix_state_unlock(other); 1184 sock_put(other); 1185 goto restart; 1186 } 1187 1188 err = security_unix_stream_connect(sk, other, newsk); 1189 if (err) { 1190 unix_state_unlock(sk); 1191 goto out_unlock; 1192 } 1193 1194 /* The way is open! Fastly set all the necessary fields... */ 1195 1196 sock_hold(sk); 1197 unix_peer(newsk) = sk; 1198 newsk->sk_state = TCP_ESTABLISHED; 1199 newsk->sk_type = sk->sk_type; 1200 init_peercred(newsk); 1201 newu = unix_sk(newsk); 1202 RCU_INIT_POINTER(newsk->sk_wq, &newu->peer_wq); 1203 otheru = unix_sk(other); 1204 1205 /* copy address information from listening to new sock*/ 1206 if (otheru->addr) { 1207 atomic_inc(&otheru->addr->refcnt); 1208 newu->addr = otheru->addr; 1209 } 1210 if (otheru->path.dentry) { 1211 path_get(&otheru->path); 1212 newu->path = otheru->path; 1213 } 1214 1215 /* Set credentials */ 1216 copy_peercred(sk, other); 1217 1218 sock->state = SS_CONNECTED; 1219 sk->sk_state = TCP_ESTABLISHED; 1220 sock_hold(newsk); 1221 1222 smp_mb__after_atomic(); /* sock_hold() does an atomic_inc() */ 1223 unix_peer(sk) = newsk; 1224 1225 unix_state_unlock(sk); 1226 1227 /* take ten and and send info to listening sock */ 1228 spin_lock(&other->sk_receive_queue.lock); 1229 __skb_queue_tail(&other->sk_receive_queue, skb); 1230 spin_unlock(&other->sk_receive_queue.lock); 1231 unix_state_unlock(other); 1232 other->sk_data_ready(other); 1233 sock_put(other); 1234 return 0; 1235 1236 out_unlock: 1237 if (other) 1238 unix_state_unlock(other); 1239 1240 out: 1241 kfree_skb(skb); 1242 if (newsk) 1243 unix_release_sock(newsk, 0); 1244 if (other) 1245 sock_put(other); 1246 return err; 1247 } 1248 1249 static int unix_socketpair(struct socket *socka, struct socket *sockb) 1250 { 1251 struct sock *ska = socka->sk, *skb = sockb->sk; 1252 1253 /* Join our sockets back to back */ 1254 sock_hold(ska); 1255 sock_hold(skb); 1256 unix_peer(ska) = skb; 1257 unix_peer(skb) = ska; 1258 init_peercred(ska); 1259 init_peercred(skb); 1260 1261 if (ska->sk_type != SOCK_DGRAM) { 1262 ska->sk_state = TCP_ESTABLISHED; 1263 skb->sk_state = TCP_ESTABLISHED; 1264 socka->state = SS_CONNECTED; 1265 sockb->state = SS_CONNECTED; 1266 } 1267 return 0; 1268 } 1269 1270 static void unix_sock_inherit_flags(const struct socket *old, 1271 struct socket *new) 1272 { 1273 if (test_bit(SOCK_PASSCRED, &old->flags)) 1274 set_bit(SOCK_PASSCRED, &new->flags); 1275 if (test_bit(SOCK_PASSSEC, &old->flags)) 1276 set_bit(SOCK_PASSSEC, &new->flags); 1277 } 1278 1279 static int unix_accept(struct socket *sock, struct socket *newsock, int flags) 1280 { 1281 struct sock *sk = sock->sk; 1282 struct sock *tsk; 1283 struct sk_buff *skb; 1284 int err; 1285 1286 err = -EOPNOTSUPP; 1287 if (sock->type != SOCK_STREAM && sock->type != SOCK_SEQPACKET) 1288 goto out; 1289 1290 err = -EINVAL; 1291 if (sk->sk_state != TCP_LISTEN) 1292 goto out; 1293 1294 /* If socket state is TCP_LISTEN it cannot change (for now...), 1295 * so that no locks are necessary. 1296 */ 1297 1298 skb = skb_recv_datagram(sk, 0, flags&O_NONBLOCK, &err); 1299 if (!skb) { 1300 /* This means receive shutdown. */ 1301 if (err == 0) 1302 err = -EINVAL; 1303 goto out; 1304 } 1305 1306 tsk = skb->sk; 1307 skb_free_datagram(sk, skb); 1308 wake_up_interruptible(&unix_sk(sk)->peer_wait); 1309 1310 /* attach accepted sock to socket */ 1311 unix_state_lock(tsk); 1312 newsock->state = SS_CONNECTED; 1313 unix_sock_inherit_flags(sock, newsock); 1314 sock_graft(tsk, newsock); 1315 unix_state_unlock(tsk); 1316 return 0; 1317 1318 out: 1319 return err; 1320 } 1321 1322 1323 static int unix_getname(struct socket *sock, struct sockaddr *uaddr, int *uaddr_len, int peer) 1324 { 1325 struct sock *sk = sock->sk; 1326 struct unix_sock *u; 1327 DECLARE_SOCKADDR(struct sockaddr_un *, sunaddr, uaddr); 1328 int err = 0; 1329 1330 if (peer) { 1331 sk = unix_peer_get(sk); 1332 1333 err = -ENOTCONN; 1334 if (!sk) 1335 goto out; 1336 err = 0; 1337 } else { 1338 sock_hold(sk); 1339 } 1340 1341 u = unix_sk(sk); 1342 unix_state_lock(sk); 1343 if (!u->addr) { 1344 sunaddr->sun_family = AF_UNIX; 1345 sunaddr->sun_path[0] = 0; 1346 *uaddr_len = sizeof(short); 1347 } else { 1348 struct unix_address *addr = u->addr; 1349 1350 *uaddr_len = addr->len; 1351 memcpy(sunaddr, addr->name, *uaddr_len); 1352 } 1353 unix_state_unlock(sk); 1354 sock_put(sk); 1355 out: 1356 return err; 1357 } 1358 1359 static void unix_detach_fds(struct scm_cookie *scm, struct sk_buff *skb) 1360 { 1361 int i; 1362 1363 scm->fp = UNIXCB(skb).fp; 1364 UNIXCB(skb).fp = NULL; 1365 1366 for (i = scm->fp->count-1; i >= 0; i--) 1367 unix_notinflight(scm->fp->fp[i]); 1368 } 1369 1370 static void unix_destruct_scm(struct sk_buff *skb) 1371 { 1372 struct scm_cookie scm; 1373 memset(&scm, 0, sizeof(scm)); 1374 scm.pid = UNIXCB(skb).pid; 1375 if (UNIXCB(skb).fp) 1376 unix_detach_fds(&scm, skb); 1377 1378 /* Alas, it calls VFS */ 1379 /* So fscking what? fput() had been SMP-safe since the last Summer */ 1380 scm_destroy(&scm); 1381 sock_wfree(skb); 1382 } 1383 1384 #define MAX_RECURSION_LEVEL 4 1385 1386 static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb) 1387 { 1388 int i; 1389 unsigned char max_level = 0; 1390 int unix_sock_count = 0; 1391 1392 for (i = scm->fp->count - 1; i >= 0; i--) { 1393 struct sock *sk = unix_get_socket(scm->fp->fp[i]); 1394 1395 if (sk) { 1396 unix_sock_count++; 1397 max_level = max(max_level, 1398 unix_sk(sk)->recursion_level); 1399 } 1400 } 1401 if (unlikely(max_level > MAX_RECURSION_LEVEL)) 1402 return -ETOOMANYREFS; 1403 1404 /* 1405 * Need to duplicate file references for the sake of garbage 1406 * collection. Otherwise a socket in the fps might become a 1407 * candidate for GC while the skb is not yet queued. 1408 */ 1409 UNIXCB(skb).fp = scm_fp_dup(scm->fp); 1410 if (!UNIXCB(skb).fp) 1411 return -ENOMEM; 1412 1413 if (unix_sock_count) { 1414 for (i = scm->fp->count - 1; i >= 0; i--) 1415 unix_inflight(scm->fp->fp[i]); 1416 } 1417 return max_level; 1418 } 1419 1420 static int unix_scm_to_skb(struct scm_cookie *scm, struct sk_buff *skb, bool send_fds) 1421 { 1422 int err = 0; 1423 1424 UNIXCB(skb).pid = get_pid(scm->pid); 1425 UNIXCB(skb).uid = scm->creds.uid; 1426 UNIXCB(skb).gid = scm->creds.gid; 1427 UNIXCB(skb).fp = NULL; 1428 unix_get_secdata(scm, skb); 1429 if (scm->fp && send_fds) 1430 err = unix_attach_fds(scm, skb); 1431 1432 skb->destructor = unix_destruct_scm; 1433 return err; 1434 } 1435 1436 /* 1437 * Some apps rely on write() giving SCM_CREDENTIALS 1438 * We include credentials if source or destination socket 1439 * asserted SOCK_PASSCRED. 1440 */ 1441 static void maybe_add_creds(struct sk_buff *skb, const struct socket *sock, 1442 const struct sock *other) 1443 { 1444 if (UNIXCB(skb).pid) 1445 return; 1446 if (test_bit(SOCK_PASSCRED, &sock->flags) || 1447 !other->sk_socket || 1448 test_bit(SOCK_PASSCRED, &other->sk_socket->flags)) { 1449 UNIXCB(skb).pid = get_pid(task_tgid(current)); 1450 current_uid_gid(&UNIXCB(skb).uid, &UNIXCB(skb).gid); 1451 } 1452 } 1453 1454 /* 1455 * Send AF_UNIX data. 1456 */ 1457 1458 static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg, 1459 size_t len) 1460 { 1461 struct sock *sk = sock->sk; 1462 struct net *net = sock_net(sk); 1463 struct unix_sock *u = unix_sk(sk); 1464 DECLARE_SOCKADDR(struct sockaddr_un *, sunaddr, msg->msg_name); 1465 struct sock *other = NULL; 1466 int namelen = 0; /* fake GCC */ 1467 int err; 1468 unsigned int hash; 1469 struct sk_buff *skb; 1470 long timeo; 1471 struct scm_cookie scm; 1472 int max_level; 1473 int data_len = 0; 1474 1475 wait_for_unix_gc(); 1476 err = scm_send(sock, msg, &scm, false); 1477 if (err < 0) 1478 return err; 1479 1480 err = -EOPNOTSUPP; 1481 if (msg->msg_flags&MSG_OOB) 1482 goto out; 1483 1484 if (msg->msg_namelen) { 1485 err = unix_mkname(sunaddr, msg->msg_namelen, &hash); 1486 if (err < 0) 1487 goto out; 1488 namelen = err; 1489 } else { 1490 sunaddr = NULL; 1491 err = -ENOTCONN; 1492 other = unix_peer_get(sk); 1493 if (!other) 1494 goto out; 1495 } 1496 1497 if (test_bit(SOCK_PASSCRED, &sock->flags) && !u->addr 1498 && (err = unix_autobind(sock)) != 0) 1499 goto out; 1500 1501 err = -EMSGSIZE; 1502 if (len > sk->sk_sndbuf - 32) 1503 goto out; 1504 1505 if (len > SKB_MAX_ALLOC) { 1506 data_len = min_t(size_t, 1507 len - SKB_MAX_ALLOC, 1508 MAX_SKB_FRAGS * PAGE_SIZE); 1509 data_len = PAGE_ALIGN(data_len); 1510 1511 BUILD_BUG_ON(SKB_MAX_ALLOC < PAGE_SIZE); 1512 } 1513 1514 skb = sock_alloc_send_pskb(sk, len - data_len, data_len, 1515 msg->msg_flags & MSG_DONTWAIT, &err, 1516 PAGE_ALLOC_COSTLY_ORDER); 1517 if (skb == NULL) 1518 goto out; 1519 1520 err = unix_scm_to_skb(&scm, skb, true); 1521 if (err < 0) 1522 goto out_free; 1523 max_level = err + 1; 1524 1525 skb_put(skb, len - data_len); 1526 skb->data_len = data_len; 1527 skb->len = len; 1528 err = skb_copy_datagram_from_iter(skb, 0, &msg->msg_iter, len); 1529 if (err) 1530 goto out_free; 1531 1532 timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT); 1533 1534 restart: 1535 if (!other) { 1536 err = -ECONNRESET; 1537 if (sunaddr == NULL) 1538 goto out_free; 1539 1540 other = unix_find_other(net, sunaddr, namelen, sk->sk_type, 1541 hash, &err); 1542 if (other == NULL) 1543 goto out_free; 1544 } 1545 1546 if (sk_filter(other, skb) < 0) { 1547 /* Toss the packet but do not return any error to the sender */ 1548 err = len; 1549 goto out_free; 1550 } 1551 1552 unix_state_lock(other); 1553 err = -EPERM; 1554 if (!unix_may_send(sk, other)) 1555 goto out_unlock; 1556 1557 if (sock_flag(other, SOCK_DEAD)) { 1558 /* 1559 * Check with 1003.1g - what should 1560 * datagram error 1561 */ 1562 unix_state_unlock(other); 1563 sock_put(other); 1564 1565 err = 0; 1566 unix_state_lock(sk); 1567 if (unix_peer(sk) == other) { 1568 unix_peer(sk) = NULL; 1569 unix_state_unlock(sk); 1570 1571 unix_dgram_disconnected(sk, other); 1572 sock_put(other); 1573 err = -ECONNREFUSED; 1574 } else { 1575 unix_state_unlock(sk); 1576 } 1577 1578 other = NULL; 1579 if (err) 1580 goto out_free; 1581 goto restart; 1582 } 1583 1584 err = -EPIPE; 1585 if (other->sk_shutdown & RCV_SHUTDOWN) 1586 goto out_unlock; 1587 1588 if (sk->sk_type != SOCK_SEQPACKET) { 1589 err = security_unix_may_send(sk->sk_socket, other->sk_socket); 1590 if (err) 1591 goto out_unlock; 1592 } 1593 1594 if (unix_peer(other) != sk && unix_recvq_full(other)) { 1595 if (!timeo) { 1596 err = -EAGAIN; 1597 goto out_unlock; 1598 } 1599 1600 timeo = unix_wait_for_peer(other, timeo); 1601 1602 err = sock_intr_errno(timeo); 1603 if (signal_pending(current)) 1604 goto out_free; 1605 1606 goto restart; 1607 } 1608 1609 if (sock_flag(other, SOCK_RCVTSTAMP)) 1610 __net_timestamp(skb); 1611 maybe_add_creds(skb, sock, other); 1612 skb_queue_tail(&other->sk_receive_queue, skb); 1613 if (max_level > unix_sk(other)->recursion_level) 1614 unix_sk(other)->recursion_level = max_level; 1615 unix_state_unlock(other); 1616 other->sk_data_ready(other); 1617 sock_put(other); 1618 scm_destroy(&scm); 1619 return len; 1620 1621 out_unlock: 1622 unix_state_unlock(other); 1623 out_free: 1624 kfree_skb(skb); 1625 out: 1626 if (other) 1627 sock_put(other); 1628 scm_destroy(&scm); 1629 return err; 1630 } 1631 1632 /* We use paged skbs for stream sockets, and limit occupancy to 32768 1633 * bytes, and a minimun of a full page. 1634 */ 1635 #define UNIX_SKB_FRAGS_SZ (PAGE_SIZE << get_order(32768)) 1636 1637 static int unix_stream_sendmsg(struct socket *sock, struct msghdr *msg, 1638 size_t len) 1639 { 1640 struct sock *sk = sock->sk; 1641 struct sock *other = NULL; 1642 int err, size; 1643 struct sk_buff *skb; 1644 int sent = 0; 1645 struct scm_cookie scm; 1646 bool fds_sent = false; 1647 int max_level; 1648 int data_len; 1649 1650 wait_for_unix_gc(); 1651 err = scm_send(sock, msg, &scm, false); 1652 if (err < 0) 1653 return err; 1654 1655 err = -EOPNOTSUPP; 1656 if (msg->msg_flags&MSG_OOB) 1657 goto out_err; 1658 1659 if (msg->msg_namelen) { 1660 err = sk->sk_state == TCP_ESTABLISHED ? -EISCONN : -EOPNOTSUPP; 1661 goto out_err; 1662 } else { 1663 err = -ENOTCONN; 1664 other = unix_peer(sk); 1665 if (!other) 1666 goto out_err; 1667 } 1668 1669 if (sk->sk_shutdown & SEND_SHUTDOWN) 1670 goto pipe_err; 1671 1672 while (sent < len) { 1673 size = len - sent; 1674 1675 /* Keep two messages in the pipe so it schedules better */ 1676 size = min_t(int, size, (sk->sk_sndbuf >> 1) - 64); 1677 1678 /* allow fallback to order-0 allocations */ 1679 size = min_t(int, size, SKB_MAX_HEAD(0) + UNIX_SKB_FRAGS_SZ); 1680 1681 data_len = max_t(int, 0, size - SKB_MAX_HEAD(0)); 1682 1683 data_len = min_t(size_t, size, PAGE_ALIGN(data_len)); 1684 1685 skb = sock_alloc_send_pskb(sk, size - data_len, data_len, 1686 msg->msg_flags & MSG_DONTWAIT, &err, 1687 get_order(UNIX_SKB_FRAGS_SZ)); 1688 if (!skb) 1689 goto out_err; 1690 1691 /* Only send the fds in the first buffer */ 1692 err = unix_scm_to_skb(&scm, skb, !fds_sent); 1693 if (err < 0) { 1694 kfree_skb(skb); 1695 goto out_err; 1696 } 1697 max_level = err + 1; 1698 fds_sent = true; 1699 1700 skb_put(skb, size - data_len); 1701 skb->data_len = data_len; 1702 skb->len = size; 1703 err = skb_copy_datagram_from_iter(skb, 0, &msg->msg_iter, size); 1704 if (err) { 1705 kfree_skb(skb); 1706 goto out_err; 1707 } 1708 1709 unix_state_lock(other); 1710 1711 if (sock_flag(other, SOCK_DEAD) || 1712 (other->sk_shutdown & RCV_SHUTDOWN)) 1713 goto pipe_err_free; 1714 1715 maybe_add_creds(skb, sock, other); 1716 skb_queue_tail(&other->sk_receive_queue, skb); 1717 if (max_level > unix_sk(other)->recursion_level) 1718 unix_sk(other)->recursion_level = max_level; 1719 unix_state_unlock(other); 1720 other->sk_data_ready(other); 1721 sent += size; 1722 } 1723 1724 scm_destroy(&scm); 1725 1726 return sent; 1727 1728 pipe_err_free: 1729 unix_state_unlock(other); 1730 kfree_skb(skb); 1731 pipe_err: 1732 if (sent == 0 && !(msg->msg_flags&MSG_NOSIGNAL)) 1733 send_sig(SIGPIPE, current, 0); 1734 err = -EPIPE; 1735 out_err: 1736 scm_destroy(&scm); 1737 return sent ? : err; 1738 } 1739 1740 static ssize_t unix_stream_sendpage(struct socket *socket, struct page *page, 1741 int offset, size_t size, int flags) 1742 { 1743 int err = 0; 1744 bool send_sigpipe = true; 1745 struct sock *other, *sk = socket->sk; 1746 struct sk_buff *skb, *newskb = NULL, *tail = NULL; 1747 1748 if (flags & MSG_OOB) 1749 return -EOPNOTSUPP; 1750 1751 other = unix_peer(sk); 1752 if (!other || sk->sk_state != TCP_ESTABLISHED) 1753 return -ENOTCONN; 1754 1755 if (false) { 1756 alloc_skb: 1757 unix_state_unlock(other); 1758 mutex_unlock(&unix_sk(other)->readlock); 1759 newskb = sock_alloc_send_pskb(sk, 0, 0, flags & MSG_DONTWAIT, 1760 &err, 0); 1761 if (!newskb) 1762 return err; 1763 } 1764 1765 /* we must acquire readlock as we modify already present 1766 * skbs in the sk_receive_queue and mess with skb->len 1767 */ 1768 err = mutex_lock_interruptible(&unix_sk(other)->readlock); 1769 if (err) { 1770 err = flags & MSG_DONTWAIT ? -EAGAIN : -ERESTARTSYS; 1771 send_sigpipe = false; 1772 goto err; 1773 } 1774 1775 if (sk->sk_shutdown & SEND_SHUTDOWN) { 1776 err = -EPIPE; 1777 goto err_unlock; 1778 } 1779 1780 unix_state_lock(other); 1781 1782 if (sock_flag(other, SOCK_DEAD) || 1783 other->sk_shutdown & RCV_SHUTDOWN) { 1784 err = -EPIPE; 1785 goto err_state_unlock; 1786 } 1787 1788 skb = skb_peek_tail(&other->sk_receive_queue); 1789 if (tail && tail == skb) { 1790 skb = newskb; 1791 } else if (!skb) { 1792 if (newskb) 1793 skb = newskb; 1794 else 1795 goto alloc_skb; 1796 } else if (newskb) { 1797 /* this is fast path, we don't necessarily need to 1798 * call to kfree_skb even though with newskb == NULL 1799 * this - does no harm 1800 */ 1801 consume_skb(newskb); 1802 } 1803 1804 if (skb_append_pagefrags(skb, page, offset, size)) { 1805 tail = skb; 1806 goto alloc_skb; 1807 } 1808 1809 skb->len += size; 1810 skb->data_len += size; 1811 skb->truesize += size; 1812 atomic_add(size, &sk->sk_wmem_alloc); 1813 1814 if (newskb) 1815 __skb_queue_tail(&other->sk_receive_queue, newskb); 1816 1817 unix_state_unlock(other); 1818 mutex_unlock(&unix_sk(other)->readlock); 1819 1820 other->sk_data_ready(other); 1821 1822 return size; 1823 1824 err_state_unlock: 1825 unix_state_unlock(other); 1826 err_unlock: 1827 mutex_unlock(&unix_sk(other)->readlock); 1828 err: 1829 kfree_skb(newskb); 1830 if (send_sigpipe && !(flags & MSG_NOSIGNAL)) 1831 send_sig(SIGPIPE, current, 0); 1832 return err; 1833 } 1834 1835 static int unix_seqpacket_sendmsg(struct socket *sock, struct msghdr *msg, 1836 size_t len) 1837 { 1838 int err; 1839 struct sock *sk = sock->sk; 1840 1841 err = sock_error(sk); 1842 if (err) 1843 return err; 1844 1845 if (sk->sk_state != TCP_ESTABLISHED) 1846 return -ENOTCONN; 1847 1848 if (msg->msg_namelen) 1849 msg->msg_namelen = 0; 1850 1851 return unix_dgram_sendmsg(sock, msg, len); 1852 } 1853 1854 static int unix_seqpacket_recvmsg(struct socket *sock, struct msghdr *msg, 1855 size_t size, int flags) 1856 { 1857 struct sock *sk = sock->sk; 1858 1859 if (sk->sk_state != TCP_ESTABLISHED) 1860 return -ENOTCONN; 1861 1862 return unix_dgram_recvmsg(sock, msg, size, flags); 1863 } 1864 1865 static void unix_copy_addr(struct msghdr *msg, struct sock *sk) 1866 { 1867 struct unix_sock *u = unix_sk(sk); 1868 1869 if (u->addr) { 1870 msg->msg_namelen = u->addr->len; 1871 memcpy(msg->msg_name, u->addr->name, u->addr->len); 1872 } 1873 } 1874 1875 static int unix_dgram_recvmsg(struct socket *sock, struct msghdr *msg, 1876 size_t size, int flags) 1877 { 1878 struct scm_cookie scm; 1879 struct sock *sk = sock->sk; 1880 struct unix_sock *u = unix_sk(sk); 1881 int noblock = flags & MSG_DONTWAIT; 1882 struct sk_buff *skb; 1883 int err; 1884 int peeked, skip; 1885 1886 err = -EOPNOTSUPP; 1887 if (flags&MSG_OOB) 1888 goto out; 1889 1890 err = mutex_lock_interruptible(&u->readlock); 1891 if (unlikely(err)) { 1892 /* recvmsg() in non blocking mode is supposed to return -EAGAIN 1893 * sk_rcvtimeo is not honored by mutex_lock_interruptible() 1894 */ 1895 err = noblock ? -EAGAIN : -ERESTARTSYS; 1896 goto out; 1897 } 1898 1899 skip = sk_peek_offset(sk, flags); 1900 1901 skb = __skb_recv_datagram(sk, flags, &peeked, &skip, &err); 1902 if (!skb) { 1903 unix_state_lock(sk); 1904 /* Signal EOF on disconnected non-blocking SEQPACKET socket. */ 1905 if (sk->sk_type == SOCK_SEQPACKET && err == -EAGAIN && 1906 (sk->sk_shutdown & RCV_SHUTDOWN)) 1907 err = 0; 1908 unix_state_unlock(sk); 1909 goto out_unlock; 1910 } 1911 1912 wake_up_interruptible_sync_poll(&u->peer_wait, 1913 POLLOUT | POLLWRNORM | POLLWRBAND); 1914 1915 if (msg->msg_name) 1916 unix_copy_addr(msg, skb->sk); 1917 1918 if (size > skb->len - skip) 1919 size = skb->len - skip; 1920 else if (size < skb->len - skip) 1921 msg->msg_flags |= MSG_TRUNC; 1922 1923 err = skb_copy_datagram_msg(skb, skip, msg, size); 1924 if (err) 1925 goto out_free; 1926 1927 if (sock_flag(sk, SOCK_RCVTSTAMP)) 1928 __sock_recv_timestamp(msg, sk, skb); 1929 1930 memset(&scm, 0, sizeof(scm)); 1931 1932 scm_set_cred(&scm, UNIXCB(skb).pid, UNIXCB(skb).uid, UNIXCB(skb).gid); 1933 unix_set_secdata(&scm, skb); 1934 1935 if (!(flags & MSG_PEEK)) { 1936 if (UNIXCB(skb).fp) 1937 unix_detach_fds(&scm, skb); 1938 1939 sk_peek_offset_bwd(sk, skb->len); 1940 } else { 1941 /* It is questionable: on PEEK we could: 1942 - do not return fds - good, but too simple 8) 1943 - return fds, and do not return them on read (old strategy, 1944 apparently wrong) 1945 - clone fds (I chose it for now, it is the most universal 1946 solution) 1947 1948 POSIX 1003.1g does not actually define this clearly 1949 at all. POSIX 1003.1g doesn't define a lot of things 1950 clearly however! 1951 1952 */ 1953 1954 sk_peek_offset_fwd(sk, size); 1955 1956 if (UNIXCB(skb).fp) 1957 scm.fp = scm_fp_dup(UNIXCB(skb).fp); 1958 } 1959 err = (flags & MSG_TRUNC) ? skb->len - skip : size; 1960 1961 scm_recv(sock, msg, &scm, flags); 1962 1963 out_free: 1964 skb_free_datagram(sk, skb); 1965 out_unlock: 1966 mutex_unlock(&u->readlock); 1967 out: 1968 return err; 1969 } 1970 1971 /* 1972 * Sleep until more data has arrived. But check for races.. 1973 */ 1974 static long unix_stream_data_wait(struct sock *sk, long timeo, 1975 struct sk_buff *last, unsigned int last_len) 1976 { 1977 struct sk_buff *tail; 1978 DEFINE_WAIT(wait); 1979 1980 unix_state_lock(sk); 1981 1982 for (;;) { 1983 prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE); 1984 1985 tail = skb_peek_tail(&sk->sk_receive_queue); 1986 if (tail != last || 1987 (tail && tail->len != last_len) || 1988 sk->sk_err || 1989 (sk->sk_shutdown & RCV_SHUTDOWN) || 1990 signal_pending(current) || 1991 !timeo) 1992 break; 1993 1994 set_bit(SOCK_ASYNC_WAITDATA, &sk->sk_socket->flags); 1995 unix_state_unlock(sk); 1996 timeo = freezable_schedule_timeout(timeo); 1997 unix_state_lock(sk); 1998 1999 if (sock_flag(sk, SOCK_DEAD)) 2000 break; 2001 2002 clear_bit(SOCK_ASYNC_WAITDATA, &sk->sk_socket->flags); 2003 } 2004 2005 finish_wait(sk_sleep(sk), &wait); 2006 unix_state_unlock(sk); 2007 return timeo; 2008 } 2009 2010 static unsigned int unix_skb_len(const struct sk_buff *skb) 2011 { 2012 return skb->len - UNIXCB(skb).consumed; 2013 } 2014 2015 struct unix_stream_read_state { 2016 int (*recv_actor)(struct sk_buff *, int, int, 2017 struct unix_stream_read_state *); 2018 struct socket *socket; 2019 struct msghdr *msg; 2020 struct pipe_inode_info *pipe; 2021 size_t size; 2022 int flags; 2023 unsigned int splice_flags; 2024 }; 2025 2026 static int unix_stream_read_generic(struct unix_stream_read_state *state) 2027 { 2028 struct scm_cookie scm; 2029 struct socket *sock = state->socket; 2030 struct sock *sk = sock->sk; 2031 struct unix_sock *u = unix_sk(sk); 2032 int copied = 0; 2033 int flags = state->flags; 2034 int noblock = flags & MSG_DONTWAIT; 2035 bool check_creds = false; 2036 int target; 2037 int err = 0; 2038 long timeo; 2039 int skip; 2040 size_t size = state->size; 2041 unsigned int last_len; 2042 2043 err = -EINVAL; 2044 if (sk->sk_state != TCP_ESTABLISHED) 2045 goto out; 2046 2047 err = -EOPNOTSUPP; 2048 if (flags & MSG_OOB) 2049 goto out; 2050 2051 target = sock_rcvlowat(sk, flags & MSG_WAITALL, size); 2052 timeo = sock_rcvtimeo(sk, noblock); 2053 2054 memset(&scm, 0, sizeof(scm)); 2055 2056 /* Lock the socket to prevent queue disordering 2057 * while sleeps in memcpy_tomsg 2058 */ 2059 err = mutex_lock_interruptible(&u->readlock); 2060 if (unlikely(err)) { 2061 /* recvmsg() in non blocking mode is supposed to return -EAGAIN 2062 * sk_rcvtimeo is not honored by mutex_lock_interruptible() 2063 */ 2064 err = noblock ? -EAGAIN : -ERESTARTSYS; 2065 goto out; 2066 } 2067 2068 if (flags & MSG_PEEK) 2069 skip = sk_peek_offset(sk, flags); 2070 else 2071 skip = 0; 2072 2073 do { 2074 int chunk; 2075 struct sk_buff *skb, *last; 2076 2077 unix_state_lock(sk); 2078 if (sock_flag(sk, SOCK_DEAD)) { 2079 err = -ECONNRESET; 2080 goto unlock; 2081 } 2082 last = skb = skb_peek(&sk->sk_receive_queue); 2083 last_len = last ? last->len : 0; 2084 again: 2085 if (skb == NULL) { 2086 unix_sk(sk)->recursion_level = 0; 2087 if (copied >= target) 2088 goto unlock; 2089 2090 /* 2091 * POSIX 1003.1g mandates this order. 2092 */ 2093 2094 err = sock_error(sk); 2095 if (err) 2096 goto unlock; 2097 if (sk->sk_shutdown & RCV_SHUTDOWN) 2098 goto unlock; 2099 2100 unix_state_unlock(sk); 2101 err = -EAGAIN; 2102 if (!timeo) 2103 break; 2104 mutex_unlock(&u->readlock); 2105 2106 timeo = unix_stream_data_wait(sk, timeo, last, 2107 last_len); 2108 2109 if (signal_pending(current) || 2110 mutex_lock_interruptible(&u->readlock)) { 2111 err = sock_intr_errno(timeo); 2112 goto out; 2113 } 2114 2115 continue; 2116 unlock: 2117 unix_state_unlock(sk); 2118 break; 2119 } 2120 2121 while (skip >= unix_skb_len(skb)) { 2122 skip -= unix_skb_len(skb); 2123 last = skb; 2124 last_len = skb->len; 2125 skb = skb_peek_next(skb, &sk->sk_receive_queue); 2126 if (!skb) 2127 goto again; 2128 } 2129 2130 unix_state_unlock(sk); 2131 2132 if (check_creds) { 2133 /* Never glue messages from different writers */ 2134 if ((UNIXCB(skb).pid != scm.pid) || 2135 !uid_eq(UNIXCB(skb).uid, scm.creds.uid) || 2136 !gid_eq(UNIXCB(skb).gid, scm.creds.gid) || 2137 !unix_secdata_eq(&scm, skb)) 2138 break; 2139 } else if (test_bit(SOCK_PASSCRED, &sock->flags)) { 2140 /* Copy credentials */ 2141 scm_set_cred(&scm, UNIXCB(skb).pid, UNIXCB(skb).uid, UNIXCB(skb).gid); 2142 unix_set_secdata(&scm, skb); 2143 check_creds = true; 2144 } 2145 2146 /* Copy address just once */ 2147 if (state->msg && state->msg->msg_name) { 2148 DECLARE_SOCKADDR(struct sockaddr_un *, sunaddr, 2149 state->msg->msg_name); 2150 unix_copy_addr(state->msg, skb->sk); 2151 sunaddr = NULL; 2152 } 2153 2154 chunk = min_t(unsigned int, unix_skb_len(skb) - skip, size); 2155 chunk = state->recv_actor(skb, skip, chunk, state); 2156 if (chunk < 0) { 2157 if (copied == 0) 2158 copied = -EFAULT; 2159 break; 2160 } 2161 copied += chunk; 2162 size -= chunk; 2163 2164 /* Mark read part of skb as used */ 2165 if (!(flags & MSG_PEEK)) { 2166 UNIXCB(skb).consumed += chunk; 2167 2168 sk_peek_offset_bwd(sk, chunk); 2169 2170 if (UNIXCB(skb).fp) 2171 unix_detach_fds(&scm, skb); 2172 2173 if (unix_skb_len(skb)) 2174 break; 2175 2176 skb_unlink(skb, &sk->sk_receive_queue); 2177 consume_skb(skb); 2178 2179 if (scm.fp) 2180 break; 2181 } else { 2182 /* It is questionable, see note in unix_dgram_recvmsg. 2183 */ 2184 if (UNIXCB(skb).fp) 2185 scm.fp = scm_fp_dup(UNIXCB(skb).fp); 2186 2187 sk_peek_offset_fwd(sk, chunk); 2188 2189 if (UNIXCB(skb).fp) 2190 break; 2191 2192 skip = 0; 2193 last = skb; 2194 last_len = skb->len; 2195 unix_state_lock(sk); 2196 skb = skb_peek_next(skb, &sk->sk_receive_queue); 2197 if (skb) 2198 goto again; 2199 unix_state_unlock(sk); 2200 break; 2201 } 2202 } while (size); 2203 2204 mutex_unlock(&u->readlock); 2205 if (state->msg) 2206 scm_recv(sock, state->msg, &scm, flags); 2207 else 2208 scm_destroy(&scm); 2209 out: 2210 return copied ? : err; 2211 } 2212 2213 static int unix_stream_read_actor(struct sk_buff *skb, 2214 int skip, int chunk, 2215 struct unix_stream_read_state *state) 2216 { 2217 int ret; 2218 2219 ret = skb_copy_datagram_msg(skb, UNIXCB(skb).consumed + skip, 2220 state->msg, chunk); 2221 return ret ?: chunk; 2222 } 2223 2224 static int unix_stream_recvmsg(struct socket *sock, struct msghdr *msg, 2225 size_t size, int flags) 2226 { 2227 struct unix_stream_read_state state = { 2228 .recv_actor = unix_stream_read_actor, 2229 .socket = sock, 2230 .msg = msg, 2231 .size = size, 2232 .flags = flags 2233 }; 2234 2235 return unix_stream_read_generic(&state); 2236 } 2237 2238 static ssize_t skb_unix_socket_splice(struct sock *sk, 2239 struct pipe_inode_info *pipe, 2240 struct splice_pipe_desc *spd) 2241 { 2242 int ret; 2243 struct unix_sock *u = unix_sk(sk); 2244 2245 mutex_unlock(&u->readlock); 2246 ret = splice_to_pipe(pipe, spd); 2247 mutex_lock(&u->readlock); 2248 2249 return ret; 2250 } 2251 2252 static int unix_stream_splice_actor(struct sk_buff *skb, 2253 int skip, int chunk, 2254 struct unix_stream_read_state *state) 2255 { 2256 return skb_splice_bits(skb, state->socket->sk, 2257 UNIXCB(skb).consumed + skip, 2258 state->pipe, chunk, state->splice_flags, 2259 skb_unix_socket_splice); 2260 } 2261 2262 static ssize_t unix_stream_splice_read(struct socket *sock, loff_t *ppos, 2263 struct pipe_inode_info *pipe, 2264 size_t size, unsigned int flags) 2265 { 2266 struct unix_stream_read_state state = { 2267 .recv_actor = unix_stream_splice_actor, 2268 .socket = sock, 2269 .pipe = pipe, 2270 .size = size, 2271 .splice_flags = flags, 2272 }; 2273 2274 if (unlikely(*ppos)) 2275 return -ESPIPE; 2276 2277 if (sock->file->f_flags & O_NONBLOCK || 2278 flags & SPLICE_F_NONBLOCK) 2279 state.flags = MSG_DONTWAIT; 2280 2281 return unix_stream_read_generic(&state); 2282 } 2283 2284 static int unix_shutdown(struct socket *sock, int mode) 2285 { 2286 struct sock *sk = sock->sk; 2287 struct sock *other; 2288 2289 if (mode < SHUT_RD || mode > SHUT_RDWR) 2290 return -EINVAL; 2291 /* This maps: 2292 * SHUT_RD (0) -> RCV_SHUTDOWN (1) 2293 * SHUT_WR (1) -> SEND_SHUTDOWN (2) 2294 * SHUT_RDWR (2) -> SHUTDOWN_MASK (3) 2295 */ 2296 ++mode; 2297 2298 unix_state_lock(sk); 2299 sk->sk_shutdown |= mode; 2300 other = unix_peer(sk); 2301 if (other) 2302 sock_hold(other); 2303 unix_state_unlock(sk); 2304 sk->sk_state_change(sk); 2305 2306 if (other && 2307 (sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET)) { 2308 2309 int peer_mode = 0; 2310 2311 if (mode&RCV_SHUTDOWN) 2312 peer_mode |= SEND_SHUTDOWN; 2313 if (mode&SEND_SHUTDOWN) 2314 peer_mode |= RCV_SHUTDOWN; 2315 unix_state_lock(other); 2316 other->sk_shutdown |= peer_mode; 2317 unix_state_unlock(other); 2318 other->sk_state_change(other); 2319 if (peer_mode == SHUTDOWN_MASK) 2320 sk_wake_async(other, SOCK_WAKE_WAITD, POLL_HUP); 2321 else if (peer_mode & RCV_SHUTDOWN) 2322 sk_wake_async(other, SOCK_WAKE_WAITD, POLL_IN); 2323 } 2324 if (other) 2325 sock_put(other); 2326 2327 return 0; 2328 } 2329 2330 long unix_inq_len(struct sock *sk) 2331 { 2332 struct sk_buff *skb; 2333 long amount = 0; 2334 2335 if (sk->sk_state == TCP_LISTEN) 2336 return -EINVAL; 2337 2338 spin_lock(&sk->sk_receive_queue.lock); 2339 if (sk->sk_type == SOCK_STREAM || 2340 sk->sk_type == SOCK_SEQPACKET) { 2341 skb_queue_walk(&sk->sk_receive_queue, skb) 2342 amount += unix_skb_len(skb); 2343 } else { 2344 skb = skb_peek(&sk->sk_receive_queue); 2345 if (skb) 2346 amount = skb->len; 2347 } 2348 spin_unlock(&sk->sk_receive_queue.lock); 2349 2350 return amount; 2351 } 2352 EXPORT_SYMBOL_GPL(unix_inq_len); 2353 2354 long unix_outq_len(struct sock *sk) 2355 { 2356 return sk_wmem_alloc_get(sk); 2357 } 2358 EXPORT_SYMBOL_GPL(unix_outq_len); 2359 2360 static int unix_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) 2361 { 2362 struct sock *sk = sock->sk; 2363 long amount = 0; 2364 int err; 2365 2366 switch (cmd) { 2367 case SIOCOUTQ: 2368 amount = unix_outq_len(sk); 2369 err = put_user(amount, (int __user *)arg); 2370 break; 2371 case SIOCINQ: 2372 amount = unix_inq_len(sk); 2373 if (amount < 0) 2374 err = amount; 2375 else 2376 err = put_user(amount, (int __user *)arg); 2377 break; 2378 default: 2379 err = -ENOIOCTLCMD; 2380 break; 2381 } 2382 return err; 2383 } 2384 2385 static unsigned int unix_poll(struct file *file, struct socket *sock, poll_table *wait) 2386 { 2387 struct sock *sk = sock->sk; 2388 unsigned int mask; 2389 2390 sock_poll_wait(file, sk_sleep(sk), wait); 2391 mask = 0; 2392 2393 /* exceptional events? */ 2394 if (sk->sk_err) 2395 mask |= POLLERR; 2396 if (sk->sk_shutdown == SHUTDOWN_MASK) 2397 mask |= POLLHUP; 2398 if (sk->sk_shutdown & RCV_SHUTDOWN) 2399 mask |= POLLRDHUP | POLLIN | POLLRDNORM; 2400 2401 /* readable? */ 2402 if (!skb_queue_empty(&sk->sk_receive_queue)) 2403 mask |= POLLIN | POLLRDNORM; 2404 2405 /* Connection-based need to check for termination and startup */ 2406 if ((sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET) && 2407 sk->sk_state == TCP_CLOSE) 2408 mask |= POLLHUP; 2409 2410 /* 2411 * we set writable also when the other side has shut down the 2412 * connection. This prevents stuck sockets. 2413 */ 2414 if (unix_writable(sk)) 2415 mask |= POLLOUT | POLLWRNORM | POLLWRBAND; 2416 2417 return mask; 2418 } 2419 2420 static unsigned int unix_dgram_poll(struct file *file, struct socket *sock, 2421 poll_table *wait) 2422 { 2423 struct sock *sk = sock->sk, *other; 2424 unsigned int mask, writable; 2425 2426 sock_poll_wait(file, sk_sleep(sk), wait); 2427 mask = 0; 2428 2429 /* exceptional events? */ 2430 if (sk->sk_err || !skb_queue_empty(&sk->sk_error_queue)) 2431 mask |= POLLERR | 2432 (sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? POLLPRI : 0); 2433 2434 if (sk->sk_shutdown & RCV_SHUTDOWN) 2435 mask |= POLLRDHUP | POLLIN | POLLRDNORM; 2436 if (sk->sk_shutdown == SHUTDOWN_MASK) 2437 mask |= POLLHUP; 2438 2439 /* readable? */ 2440 if (!skb_queue_empty(&sk->sk_receive_queue)) 2441 mask |= POLLIN | POLLRDNORM; 2442 2443 /* Connection-based need to check for termination and startup */ 2444 if (sk->sk_type == SOCK_SEQPACKET) { 2445 if (sk->sk_state == TCP_CLOSE) 2446 mask |= POLLHUP; 2447 /* connection hasn't started yet? */ 2448 if (sk->sk_state == TCP_SYN_SENT) 2449 return mask; 2450 } 2451 2452 /* No write status requested, avoid expensive OUT tests. */ 2453 if (!(poll_requested_events(wait) & (POLLWRBAND|POLLWRNORM|POLLOUT))) 2454 return mask; 2455 2456 writable = unix_writable(sk); 2457 other = unix_peer_get(sk); 2458 if (other) { 2459 if (unix_peer(other) != sk) { 2460 sock_poll_wait(file, &unix_sk(other)->peer_wait, wait); 2461 if (unix_recvq_full(other)) 2462 writable = 0; 2463 } 2464 sock_put(other); 2465 } 2466 2467 if (writable) 2468 mask |= POLLOUT | POLLWRNORM | POLLWRBAND; 2469 else 2470 set_bit(SOCK_ASYNC_NOSPACE, &sk->sk_socket->flags); 2471 2472 return mask; 2473 } 2474 2475 #ifdef CONFIG_PROC_FS 2476 2477 #define BUCKET_SPACE (BITS_PER_LONG - (UNIX_HASH_BITS + 1) - 1) 2478 2479 #define get_bucket(x) ((x) >> BUCKET_SPACE) 2480 #define get_offset(x) ((x) & ((1L << BUCKET_SPACE) - 1)) 2481 #define set_bucket_offset(b, o) ((b) << BUCKET_SPACE | (o)) 2482 2483 static struct sock *unix_from_bucket(struct seq_file *seq, loff_t *pos) 2484 { 2485 unsigned long offset = get_offset(*pos); 2486 unsigned long bucket = get_bucket(*pos); 2487 struct sock *sk; 2488 unsigned long count = 0; 2489 2490 for (sk = sk_head(&unix_socket_table[bucket]); sk; sk = sk_next(sk)) { 2491 if (sock_net(sk) != seq_file_net(seq)) 2492 continue; 2493 if (++count == offset) 2494 break; 2495 } 2496 2497 return sk; 2498 } 2499 2500 static struct sock *unix_next_socket(struct seq_file *seq, 2501 struct sock *sk, 2502 loff_t *pos) 2503 { 2504 unsigned long bucket; 2505 2506 while (sk > (struct sock *)SEQ_START_TOKEN) { 2507 sk = sk_next(sk); 2508 if (!sk) 2509 goto next_bucket; 2510 if (sock_net(sk) == seq_file_net(seq)) 2511 return sk; 2512 } 2513 2514 do { 2515 sk = unix_from_bucket(seq, pos); 2516 if (sk) 2517 return sk; 2518 2519 next_bucket: 2520 bucket = get_bucket(*pos) + 1; 2521 *pos = set_bucket_offset(bucket, 1); 2522 } while (bucket < ARRAY_SIZE(unix_socket_table)); 2523 2524 return NULL; 2525 } 2526 2527 static void *unix_seq_start(struct seq_file *seq, loff_t *pos) 2528 __acquires(unix_table_lock) 2529 { 2530 spin_lock(&unix_table_lock); 2531 2532 if (!*pos) 2533 return SEQ_START_TOKEN; 2534 2535 if (get_bucket(*pos) >= ARRAY_SIZE(unix_socket_table)) 2536 return NULL; 2537 2538 return unix_next_socket(seq, NULL, pos); 2539 } 2540 2541 static void *unix_seq_next(struct seq_file *seq, void *v, loff_t *pos) 2542 { 2543 ++*pos; 2544 return unix_next_socket(seq, v, pos); 2545 } 2546 2547 static void unix_seq_stop(struct seq_file *seq, void *v) 2548 __releases(unix_table_lock) 2549 { 2550 spin_unlock(&unix_table_lock); 2551 } 2552 2553 static int unix_seq_show(struct seq_file *seq, void *v) 2554 { 2555 2556 if (v == SEQ_START_TOKEN) 2557 seq_puts(seq, "Num RefCount Protocol Flags Type St " 2558 "Inode Path\n"); 2559 else { 2560 struct sock *s = v; 2561 struct unix_sock *u = unix_sk(s); 2562 unix_state_lock(s); 2563 2564 seq_printf(seq, "%pK: %08X %08X %08X %04X %02X %5lu", 2565 s, 2566 atomic_read(&s->sk_refcnt), 2567 0, 2568 s->sk_state == TCP_LISTEN ? __SO_ACCEPTCON : 0, 2569 s->sk_type, 2570 s->sk_socket ? 2571 (s->sk_state == TCP_ESTABLISHED ? SS_CONNECTED : SS_UNCONNECTED) : 2572 (s->sk_state == TCP_ESTABLISHED ? SS_CONNECTING : SS_DISCONNECTING), 2573 sock_i_ino(s)); 2574 2575 if (u->addr) { 2576 int i, len; 2577 seq_putc(seq, ' '); 2578 2579 i = 0; 2580 len = u->addr->len - sizeof(short); 2581 if (!UNIX_ABSTRACT(s)) 2582 len--; 2583 else { 2584 seq_putc(seq, '@'); 2585 i++; 2586 } 2587 for ( ; i < len; i++) 2588 seq_putc(seq, u->addr->name->sun_path[i]); 2589 } 2590 unix_state_unlock(s); 2591 seq_putc(seq, '\n'); 2592 } 2593 2594 return 0; 2595 } 2596 2597 static const struct seq_operations unix_seq_ops = { 2598 .start = unix_seq_start, 2599 .next = unix_seq_next, 2600 .stop = unix_seq_stop, 2601 .show = unix_seq_show, 2602 }; 2603 2604 static int unix_seq_open(struct inode *inode, struct file *file) 2605 { 2606 return seq_open_net(inode, file, &unix_seq_ops, 2607 sizeof(struct seq_net_private)); 2608 } 2609 2610 static const struct file_operations unix_seq_fops = { 2611 .owner = THIS_MODULE, 2612 .open = unix_seq_open, 2613 .read = seq_read, 2614 .llseek = seq_lseek, 2615 .release = seq_release_net, 2616 }; 2617 2618 #endif 2619 2620 static const struct net_proto_family unix_family_ops = { 2621 .family = PF_UNIX, 2622 .create = unix_create, 2623 .owner = THIS_MODULE, 2624 }; 2625 2626 2627 static int __net_init unix_net_init(struct net *net) 2628 { 2629 int error = -ENOMEM; 2630 2631 net->unx.sysctl_max_dgram_qlen = 10; 2632 if (unix_sysctl_register(net)) 2633 goto out; 2634 2635 #ifdef CONFIG_PROC_FS 2636 if (!proc_create("unix", 0, net->proc_net, &unix_seq_fops)) { 2637 unix_sysctl_unregister(net); 2638 goto out; 2639 } 2640 #endif 2641 error = 0; 2642 out: 2643 return error; 2644 } 2645 2646 static void __net_exit unix_net_exit(struct net *net) 2647 { 2648 unix_sysctl_unregister(net); 2649 remove_proc_entry("unix", net->proc_net); 2650 } 2651 2652 static struct pernet_operations unix_net_ops = { 2653 .init = unix_net_init, 2654 .exit = unix_net_exit, 2655 }; 2656 2657 static int __init af_unix_init(void) 2658 { 2659 int rc = -1; 2660 2661 BUILD_BUG_ON(sizeof(struct unix_skb_parms) > FIELD_SIZEOF(struct sk_buff, cb)); 2662 2663 rc = proto_register(&unix_proto, 1); 2664 if (rc != 0) { 2665 pr_crit("%s: Cannot create unix_sock SLAB cache!\n", __func__); 2666 goto out; 2667 } 2668 2669 sock_register(&unix_family_ops); 2670 register_pernet_subsys(&unix_net_ops); 2671 out: 2672 return rc; 2673 } 2674 2675 static void __exit af_unix_exit(void) 2676 { 2677 sock_unregister(PF_UNIX); 2678 proto_unregister(&unix_proto); 2679 unregister_pernet_subsys(&unix_net_ops); 2680 } 2681 2682 /* Earlier than device_initcall() so that other drivers invoking 2683 request_module() don't end up in a loop when modprobe tries 2684 to use a UNIX socket. But later than subsys_initcall() because 2685 we depend on stuff initialised there */ 2686 fs_initcall(af_unix_init); 2687 module_exit(af_unix_exit); 2688 2689 MODULE_LICENSE("GPL"); 2690 MODULE_ALIAS_NETPROTO(PF_UNIX); 2691