1 // SPDX-License-Identifier: GPL-2.0-only 2 #include <linux/types.h> 3 #include <linux/spinlock.h> 4 #include <linux/sock_diag.h> 5 #include <linux/unix_diag.h> 6 #include <linux/skbuff.h> 7 #include <linux/module.h> 8 #include <linux/uidgid.h> 9 #include <net/netlink.h> 10 #include <net/af_unix.h> 11 #include <net/tcp_states.h> 12 #include <net/sock.h> 13 14 static int sk_diag_dump_name(struct sock *sk, struct sk_buff *nlskb) 15 { 16 /* might or might not have a hash table lock */ 17 struct unix_address *addr = smp_load_acquire(&unix_sk(sk)->addr); 18 19 if (!addr) 20 return 0; 21 22 return nla_put(nlskb, UNIX_DIAG_NAME, 23 addr->len - offsetof(struct sockaddr_un, sun_path), 24 addr->name->sun_path); 25 } 26 27 static int sk_diag_dump_vfs(struct sock *sk, struct sk_buff *nlskb) 28 { 29 struct dentry *dentry = unix_sk(sk)->path.dentry; 30 31 if (dentry) { 32 struct unix_diag_vfs uv = { 33 .udiag_vfs_ino = d_backing_inode(dentry)->i_ino, 34 .udiag_vfs_dev = dentry->d_sb->s_dev, 35 }; 36 37 return nla_put(nlskb, UNIX_DIAG_VFS, sizeof(uv), &uv); 38 } 39 40 return 0; 41 } 42 43 static int sk_diag_dump_peer(struct sock *sk, struct sk_buff *nlskb) 44 { 45 struct sock *peer; 46 int ino; 47 48 peer = unix_peer_get(sk); 49 if (peer) { 50 unix_state_lock(peer); 51 ino = sock_i_ino(peer); 52 unix_state_unlock(peer); 53 sock_put(peer); 54 55 return nla_put_u32(nlskb, UNIX_DIAG_PEER, ino); 56 } 57 58 return 0; 59 } 60 61 static int sk_diag_dump_icons(struct sock *sk, struct sk_buff *nlskb) 62 { 63 struct sk_buff *skb; 64 struct nlattr *attr; 65 u32 *buf; 66 int i; 67 68 if (READ_ONCE(sk->sk_state) == TCP_LISTEN) { 69 spin_lock(&sk->sk_receive_queue.lock); 70 71 attr = nla_reserve(nlskb, UNIX_DIAG_ICONS, 72 sk->sk_receive_queue.qlen * sizeof(u32)); 73 if (!attr) 74 goto errout; 75 76 buf = nla_data(attr); 77 i = 0; 78 skb_queue_walk(&sk->sk_receive_queue, skb) { 79 struct sock *req, *peer; 80 81 req = skb->sk; 82 /* 83 * The state lock is outer for the same sk's 84 * queue lock. With the other's queue locked it's 85 * OK to lock the state. 86 */ 87 unix_state_lock_nested(req, U_LOCK_DIAG); 88 peer = unix_sk(req)->peer; 89 buf[i++] = (peer ? sock_i_ino(peer) : 0); 90 unix_state_unlock(req); 91 } 92 spin_unlock(&sk->sk_receive_queue.lock); 93 } 94 95 return 0; 96 97 errout: 98 spin_unlock(&sk->sk_receive_queue.lock); 99 return -EMSGSIZE; 100 } 101 102 static int sk_diag_show_rqlen(struct sock *sk, struct sk_buff *nlskb) 103 { 104 struct unix_diag_rqlen rql; 105 106 if (READ_ONCE(sk->sk_state) == TCP_LISTEN) { 107 rql.udiag_rqueue = skb_queue_len_lockless(&sk->sk_receive_queue); 108 rql.udiag_wqueue = sk->sk_max_ack_backlog; 109 } else { 110 rql.udiag_rqueue = (u32) unix_inq_len(sk); 111 rql.udiag_wqueue = (u32) unix_outq_len(sk); 112 } 113 114 return nla_put(nlskb, UNIX_DIAG_RQLEN, sizeof(rql), &rql); 115 } 116 117 static int sk_diag_dump_uid(struct sock *sk, struct sk_buff *nlskb, 118 struct user_namespace *user_ns) 119 { 120 uid_t uid = from_kuid_munged(user_ns, sock_i_uid(sk)); 121 return nla_put(nlskb, UNIX_DIAG_UID, sizeof(uid_t), &uid); 122 } 123 124 static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, struct unix_diag_req *req, 125 struct user_namespace *user_ns, 126 u32 portid, u32 seq, u32 flags, int sk_ino) 127 { 128 struct nlmsghdr *nlh; 129 struct unix_diag_msg *rep; 130 131 nlh = nlmsg_put(skb, portid, seq, SOCK_DIAG_BY_FAMILY, sizeof(*rep), 132 flags); 133 if (!nlh) 134 return -EMSGSIZE; 135 136 rep = nlmsg_data(nlh); 137 rep->udiag_family = AF_UNIX; 138 rep->udiag_type = sk->sk_type; 139 rep->udiag_state = READ_ONCE(sk->sk_state); 140 rep->pad = 0; 141 rep->udiag_ino = sk_ino; 142 sock_diag_save_cookie(sk, rep->udiag_cookie); 143 144 if ((req->udiag_show & UDIAG_SHOW_NAME) && 145 sk_diag_dump_name(sk, skb)) 146 goto out_nlmsg_trim; 147 148 if ((req->udiag_show & UDIAG_SHOW_VFS) && 149 sk_diag_dump_vfs(sk, skb)) 150 goto out_nlmsg_trim; 151 152 if ((req->udiag_show & UDIAG_SHOW_PEER) && 153 sk_diag_dump_peer(sk, skb)) 154 goto out_nlmsg_trim; 155 156 if ((req->udiag_show & UDIAG_SHOW_ICONS) && 157 sk_diag_dump_icons(sk, skb)) 158 goto out_nlmsg_trim; 159 160 if ((req->udiag_show & UDIAG_SHOW_RQLEN) && 161 sk_diag_show_rqlen(sk, skb)) 162 goto out_nlmsg_trim; 163 164 if ((req->udiag_show & UDIAG_SHOW_MEMINFO) && 165 sock_diag_put_meminfo(sk, skb, UNIX_DIAG_MEMINFO)) 166 goto out_nlmsg_trim; 167 168 if (nla_put_u8(skb, UNIX_DIAG_SHUTDOWN, READ_ONCE(sk->sk_shutdown))) 169 goto out_nlmsg_trim; 170 171 if ((req->udiag_show & UDIAG_SHOW_UID) && 172 sk_diag_dump_uid(sk, skb, user_ns)) 173 goto out_nlmsg_trim; 174 175 nlmsg_end(skb, nlh); 176 return 0; 177 178 out_nlmsg_trim: 179 nlmsg_cancel(skb, nlh); 180 return -EMSGSIZE; 181 } 182 183 static int sk_diag_dump(struct sock *sk, struct sk_buff *skb, struct unix_diag_req *req, 184 struct user_namespace *user_ns, 185 u32 portid, u32 seq, u32 flags) 186 { 187 int sk_ino; 188 189 unix_state_lock(sk); 190 sk_ino = sock_i_ino(sk); 191 unix_state_unlock(sk); 192 193 if (!sk_ino) 194 return 0; 195 196 return sk_diag_fill(sk, skb, req, user_ns, portid, seq, flags, sk_ino); 197 } 198 199 static int unix_diag_dump(struct sk_buff *skb, struct netlink_callback *cb) 200 { 201 struct net *net = sock_net(skb->sk); 202 int num, s_num, slot, s_slot; 203 struct unix_diag_req *req; 204 205 req = nlmsg_data(cb->nlh); 206 207 s_slot = cb->args[0]; 208 num = s_num = cb->args[1]; 209 210 for (slot = s_slot; slot < UNIX_HASH_SIZE; s_num = 0, slot++) { 211 struct sock *sk; 212 213 num = 0; 214 spin_lock(&net->unx.table.locks[slot]); 215 sk_for_each(sk, &net->unx.table.buckets[slot]) { 216 if (num < s_num) 217 goto next; 218 if (!(req->udiag_states & (1 << READ_ONCE(sk->sk_state)))) 219 goto next; 220 if (sk_diag_dump(sk, skb, req, sk_user_ns(skb->sk), 221 NETLINK_CB(cb->skb).portid, 222 cb->nlh->nlmsg_seq, 223 NLM_F_MULTI) < 0) { 224 spin_unlock(&net->unx.table.locks[slot]); 225 goto done; 226 } 227 next: 228 num++; 229 } 230 spin_unlock(&net->unx.table.locks[slot]); 231 } 232 done: 233 cb->args[0] = slot; 234 cb->args[1] = num; 235 236 return skb->len; 237 } 238 239 static struct sock *unix_lookup_by_ino(struct net *net, unsigned int ino) 240 { 241 struct sock *sk; 242 int i; 243 244 for (i = 0; i < UNIX_HASH_SIZE; i++) { 245 spin_lock(&net->unx.table.locks[i]); 246 sk_for_each(sk, &net->unx.table.buckets[i]) { 247 if (ino == sock_i_ino(sk)) { 248 sock_hold(sk); 249 spin_unlock(&net->unx.table.locks[i]); 250 return sk; 251 } 252 } 253 spin_unlock(&net->unx.table.locks[i]); 254 } 255 return NULL; 256 } 257 258 static int unix_diag_get_exact(struct sk_buff *in_skb, 259 const struct nlmsghdr *nlh, 260 struct unix_diag_req *req) 261 { 262 struct net *net = sock_net(in_skb->sk); 263 unsigned int extra_len; 264 struct sk_buff *rep; 265 struct sock *sk; 266 int err; 267 268 err = -EINVAL; 269 if (req->udiag_ino == 0) 270 goto out_nosk; 271 272 sk = unix_lookup_by_ino(net, req->udiag_ino); 273 err = -ENOENT; 274 if (sk == NULL) 275 goto out_nosk; 276 277 err = sock_diag_check_cookie(sk, req->udiag_cookie); 278 if (err) 279 goto out; 280 281 extra_len = 256; 282 again: 283 err = -ENOMEM; 284 rep = nlmsg_new(sizeof(struct unix_diag_msg) + extra_len, GFP_KERNEL); 285 if (!rep) 286 goto out; 287 288 err = sk_diag_fill(sk, rep, req, sk_user_ns(NETLINK_CB(in_skb).sk), 289 NETLINK_CB(in_skb).portid, 290 nlh->nlmsg_seq, 0, req->udiag_ino); 291 if (err < 0) { 292 nlmsg_free(rep); 293 extra_len += 256; 294 if (extra_len >= PAGE_SIZE) 295 goto out; 296 297 goto again; 298 } 299 err = nlmsg_unicast(net->diag_nlsk, rep, NETLINK_CB(in_skb).portid); 300 301 out: 302 if (sk) 303 sock_put(sk); 304 out_nosk: 305 return err; 306 } 307 308 static int unix_diag_handler_dump(struct sk_buff *skb, struct nlmsghdr *h) 309 { 310 int hdrlen = sizeof(struct unix_diag_req); 311 312 if (nlmsg_len(h) < hdrlen) 313 return -EINVAL; 314 315 if (h->nlmsg_flags & NLM_F_DUMP) { 316 struct netlink_dump_control c = { 317 .dump = unix_diag_dump, 318 }; 319 return netlink_dump_start(sock_net(skb->sk)->diag_nlsk, skb, h, &c); 320 } else 321 return unix_diag_get_exact(skb, h, nlmsg_data(h)); 322 } 323 324 static const struct sock_diag_handler unix_diag_handler = { 325 .family = AF_UNIX, 326 .dump = unix_diag_handler_dump, 327 }; 328 329 static int __init unix_diag_init(void) 330 { 331 return sock_diag_register(&unix_diag_handler); 332 } 333 334 static void __exit unix_diag_exit(void) 335 { 336 sock_diag_unregister(&unix_diag_handler); 337 } 338 339 module_init(unix_diag_init); 340 module_exit(unix_diag_exit); 341 MODULE_LICENSE("GPL"); 342 MODULE_ALIAS_NET_PF_PROTO_TYPE(PF_NETLINK, NETLINK_SOCK_DIAG, 1 /* AF_LOCAL */); 343