linux/net/unix/scm.c

// SPDX-License-Identifier: GPL-2.0
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/string.h>
#include <linux/socket.h>
#include <linux/net.h>
#include <linux/fs.h>
#include <net/af_unix.h>
#include <net/scm.h>
#include <linux/init.h>
#include <linux/io_uring.h>

#include "scm.h"

unsigned int unix_tot_inflight;
EXPORT_SYMBOL(unix_tot_inflight);

LIST_HEAD(gc_inflight_list);
EXPORT_SYMBOL(gc_inflight_list);

DEFINE_SPINLOCK(unix_gc_lock);
EXPORT_SYMBOL(unix_gc_lock);

struct sock *unix_get_socket(struct file *filp)
{
	struct sock *u_sock = NULL;
	struct inode *inode = file_inode(filp);

	/* Socket ? */
	if (S_ISSOCK(inode->i_mode) && !(filp->f_mode & FMODE_PATH)) {
		struct socket *sock = SOCKET_I(inode);
		struct sock *s = sock->sk;

		/* PF_UNIX ? */
		if (s && sock->ops && sock->ops->family == PF_UNIX)
			u_sock = s;
	} else {
		/* Could be an io_uring instance */
		u_sock = io_uring_get_socket(filp);
	}
	return u_sock;
}
EXPORT_SYMBOL(unix_get_socket);

/* Keep the number of times in flight count for the file
 * descriptor if it is for an AF_UNIX socket.
 */
void unix_inflight(struct user_struct *user, struct file *fp)
{
	struct sock *s = unix_get_socket(fp);

	spin_lock(&unix_gc_lock);

	if (s) {
		struct unix_sock *u = unix_sk(s);

		if (atomic_long_inc_return(&u->inflight) == 1) {
			BUG_ON(!list_empty(&u->link));
			list_add_tail(&u->link, &gc_inflight_list);
		} else {
			BUG_ON(list_empty(&u->link));
		}
		/* Paired with READ_ONCE() in wait_for_unix_gc() */
		WRITE_ONCE(unix_tot_inflight, unix_tot_inflight + 1);
	}
	user->unix_inflight++;
	spin_unlock(&unix_gc_lock);
}

void unix_notinflight(struct user_struct *user, struct file *fp)
{
	struct sock *s = unix_get_socket(fp);

	spin_lock(&unix_gc_lock);

	if (s) {
		struct unix_sock *u = unix_sk(s);

		BUG_ON(!atomic_long_read(&u->inflight));
		BUG_ON(list_empty(&u->link));

		if (atomic_long_dec_and_test(&u->inflight))
			list_del_init(&u->link);
		/* Paired with READ_ONCE() in wait_for_unix_gc() */
		WRITE_ONCE(unix_tot_inflight, unix_tot_inflight - 1);
	}
	user->unix_inflight--;
	spin_unlock(&unix_gc_lock);
}

/*
 * The "user->unix_inflight" variable is protected by the garbage
 * collection lock, and we just read it locklessly here. If you go
 * over the limit, there might be a tiny race in actually noticing
 * it across threads. Tough.
 */
static inline bool too_many_unix_fds(struct task_struct *p)
{
	struct user_struct *user = current_user();

	if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE)))
		return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN);
	return false;
}

int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
{
	int i;

	if (too_many_unix_fds(current))
		return -ETOOMANYREFS;

	/*
	 * Need to duplicate file references for the sake of garbage
	 * collection.  Otherwise a socket in the fps might become a
	 * candidate for GC while the skb is not yet queued.
	 */
	UNIXCB(skb).fp = scm_fp_dup(scm->fp);
	if (!UNIXCB(skb).fp)
		return -ENOMEM;

	for (i = scm->fp->count - 1; i >= 0; i--)
		unix_inflight(scm->fp->user, scm->fp->fp[i]);
	return 0;
}
EXPORT_SYMBOL(unix_attach_fds);

void unix_detach_fds(struct scm_cookie *scm, struct sk_buff *skb)
{
	int i;

	scm->fp = UNIXCB(skb).fp;
	UNIXCB(skb).fp = NULL;

	for (i = scm->fp->count-1; i >= 0; i--)
		unix_notinflight(scm->fp->user, scm->fp->fp[i]);
}
EXPORT_SYMBOL(unix_detach_fds);

void unix_destruct_scm(struct sk_buff *skb)
{
	struct scm_cookie scm;

	memset(&scm, 0, sizeof(scm));
	scm.pid  = UNIXCB(skb).pid;
	if (UNIXCB(skb).fp)
		unix_detach_fds(&scm, skb);

	/* Alas, it calls VFS */
	/* So fscking what? fput() had been SMP-safe since the last Summer */
	scm_destroy(&scm);
	sock_wfree(skb);
}
EXPORT_SYMBOL(unix_destruct_scm);
net: split out functions related to registering inflight socket files We need this functionality for the io_uring file registration, but we cannot rely on it since CONFIG_UNIX can be modular. Move the helpers to a separate file, that's always builtin to the kernel if CONFIG_UNIX is m/y. No functional changes in this patch, just moving code around. Reviewed-by: Hannes Reinecke <hare@suse.com> Acked-by: David S. Miller <davem@davemloft.net> Signed-off-by: Jens Axboe <axboe@kernel.dk> 2019-02-08 19:01:44 +03:00			`// SPDX-License-Identifier: GPL-2.0`
			`#include <linux/module.h>`
			`#include <linux/kernel.h>`
			`#include <linux/string.h>`
			`#include <linux/socket.h>`
			`#include <linux/net.h>`
			`#include <linux/fs.h>`
			`#include <net/af_unix.h>`
			`#include <net/scm.h>`
			`#include <linux/init.h>`
io_uring: move io_uring_get_socket() into io_uring.h Now we have a io_uring kernel header, move this definition out of fs.h and into io_uring.h where it belongs. Signed-off-by: Jens Axboe <axboe@kernel.dk> 2020-09-19 05:41:00 +03:00			`#include <linux/io_uring.h>`
net: split out functions related to registering inflight socket files We need this functionality for the io_uring file registration, but we cannot rely on it since CONFIG_UNIX can be modular. Move the helpers to a separate file, that's always builtin to the kernel if CONFIG_UNIX is m/y. No functional changes in this patch, just moving code around. Reviewed-by: Hannes Reinecke <hare@suse.com> Acked-by: David S. Miller <davem@davemloft.net> Signed-off-by: Jens Axboe <axboe@kernel.dk> 2019-02-08 19:01:44 +03:00
			`#include "scm.h"`

			`unsigned int unix_tot_inflight;`
			`EXPORT_SYMBOL(unix_tot_inflight);`

			`LIST_HEAD(gc_inflight_list);`
			`EXPORT_SYMBOL(gc_inflight_list);`

			`DEFINE_SPINLOCK(unix_gc_lock);`
			`EXPORT_SYMBOL(unix_gc_lock);`

			`struct sock unix_get_socket(struct file filp)`
			`{`
			`struct sock *u_sock = NULL;`
			`struct inode *inode = file_inode(filp);`

			`/* Socket ? */`
			`if (S_ISSOCK(inode->i_mode) && !(filp->f_mode & FMODE_PATH)) {`
			`struct socket *sock = SOCKET_I(inode);`
			`struct sock *s = sock->sk;`

			`/* PF_UNIX ? */`
			`if (s && sock->ops && sock->ops->family == PF_UNIX)`
			`u_sock = s;`
			`} else {`
			`/* Could be an io_uring instance */`
			`u_sock = io_uring_get_socket(filp);`
			`}`
			`return u_sock;`
			`}`
			`EXPORT_SYMBOL(unix_get_socket);`

			`/* Keep the number of times in flight count for the file`
			`* descriptor if it is for an AF_UNIX socket.`
			`*/`
			`void unix_inflight(struct user_struct user, struct file fp)`
			`{`
			`struct sock *s = unix_get_socket(fp);`

			`spin_lock(&unix_gc_lock);`

			`if (s) {`
			`struct unix_sock *u = unix_sk(s);`

			`if (atomic_long_inc_return(&u->inflight) == 1) {`
			`BUG_ON(!list_empty(&u->link));`
			`list_add_tail(&u->link, &gc_inflight_list);`
			`} else {`
			`BUG_ON(list_empty(&u->link));`
			`}`
af_unix: annote lockless accesses to unix_tot_inflight & gc_in_progress wait_for_unix_gc() reads unix_tot_inflight & gc_in_progress without synchronization. Adds READ_ONCE()/WRITE_ONCE() and their associated comments to better document the intent. BUG: KCSAN: data-race in unix_inflight / wait_for_unix_gc write to 0xffffffff86e2b7c0 of 4 bytes by task 9380 on cpu 0: unix_inflight+0x1e8/0x260 net/unix/scm.c:63 unix_attach_fds+0x10c/0x1e0 net/unix/scm.c:121 unix_scm_to_skb net/unix/af_unix.c:1674 [inline] unix_dgram_sendmsg+0x679/0x16b0 net/unix/af_unix.c:1817 unix_seqpacket_sendmsg+0xcc/0x110 net/unix/af_unix.c:2258 sock_sendmsg_nosec net/socket.c:704 [inline] sock_sendmsg net/socket.c:724 [inline] ____sys_sendmsg+0x39a/0x510 net/socket.c:2409 ___sys_sendmsg net/socket.c:2463 [inline] __sys_sendmmsg+0x267/0x4c0 net/socket.c:2549 __do_sys_sendmmsg net/socket.c:2578 [inline] __se_sys_sendmmsg net/socket.c:2575 [inline] __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2575 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae read to 0xffffffff86e2b7c0 of 4 bytes by task 9375 on cpu 1: wait_for_unix_gc+0x24/0x160 net/unix/garbage.c:196 unix_dgram_sendmsg+0x8e/0x16b0 net/unix/af_unix.c:1772 unix_seqpacket_sendmsg+0xcc/0x110 net/unix/af_unix.c:2258 sock_sendmsg_nosec net/socket.c:704 [inline] sock_sendmsg net/socket.c:724 [inline] ____sys_sendmsg+0x39a/0x510 net/socket.c:2409 ___sys_sendmsg net/socket.c:2463 [inline] __sys_sendmmsg+0x267/0x4c0 net/socket.c:2549 __do_sys_sendmmsg net/socket.c:2578 [inline] __se_sys_sendmmsg net/socket.c:2575 [inline] __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2575 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae value changed: 0x00000002 -> 0x00000004 Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 9375 Comm: syz-executor.1 Not tainted 5.16.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Fixes: 9915672d4127 ("af_unix: limit unix_tot_inflight") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Link: https://lore.kernel.org/r/20220114164328.2038499-1-eric.dumazet@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2022-01-14 19:43:28 +03:00			`/* Paired with READ_ONCE() in wait_for_unix_gc() */`
			`WRITE_ONCE(unix_tot_inflight, unix_tot_inflight + 1);`
net: split out functions related to registering inflight socket files We need this functionality for the io_uring file registration, but we cannot rely on it since CONFIG_UNIX can be modular. Move the helpers to a separate file, that's always builtin to the kernel if CONFIG_UNIX is m/y. No functional changes in this patch, just moving code around. Reviewed-by: Hannes Reinecke <hare@suse.com> Acked-by: David S. Miller <davem@davemloft.net> Signed-off-by: Jens Axboe <axboe@kernel.dk> 2019-02-08 19:01:44 +03:00			`}`
			`user->unix_inflight++;`
			`spin_unlock(&unix_gc_lock);`
			`}`

			`void unix_notinflight(struct user_struct user, struct file fp)`
			`{`
			`struct sock *s = unix_get_socket(fp);`

			`spin_lock(&unix_gc_lock);`

			`if (s) {`
			`struct unix_sock *u = unix_sk(s);`

			`BUG_ON(!atomic_long_read(&u->inflight));`
			`BUG_ON(list_empty(&u->link));`

			`if (atomic_long_dec_and_test(&u->inflight))`
			`list_del_init(&u->link);`
af_unix: annote lockless accesses to unix_tot_inflight & gc_in_progress wait_for_unix_gc() reads unix_tot_inflight & gc_in_progress without synchronization. Adds READ_ONCE()/WRITE_ONCE() and their associated comments to better document the intent. BUG: KCSAN: data-race in unix_inflight / wait_for_unix_gc write to 0xffffffff86e2b7c0 of 4 bytes by task 9380 on cpu 0: unix_inflight+0x1e8/0x260 net/unix/scm.c:63 unix_attach_fds+0x10c/0x1e0 net/unix/scm.c:121 unix_scm_to_skb net/unix/af_unix.c:1674 [inline] unix_dgram_sendmsg+0x679/0x16b0 net/unix/af_unix.c:1817 unix_seqpacket_sendmsg+0xcc/0x110 net/unix/af_unix.c:2258 sock_sendmsg_nosec net/socket.c:704 [inline] sock_sendmsg net/socket.c:724 [inline] ____sys_sendmsg+0x39a/0x510 net/socket.c:2409 ___sys_sendmsg net/socket.c:2463 [inline] __sys_sendmmsg+0x267/0x4c0 net/socket.c:2549 __do_sys_sendmmsg net/socket.c:2578 [inline] __se_sys_sendmmsg net/socket.c:2575 [inline] __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2575 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae read to 0xffffffff86e2b7c0 of 4 bytes by task 9375 on cpu 1: wait_for_unix_gc+0x24/0x160 net/unix/garbage.c:196 unix_dgram_sendmsg+0x8e/0x16b0 net/unix/af_unix.c:1772 unix_seqpacket_sendmsg+0xcc/0x110 net/unix/af_unix.c:2258 sock_sendmsg_nosec net/socket.c:704 [inline] sock_sendmsg net/socket.c:724 [inline] ____sys_sendmsg+0x39a/0x510 net/socket.c:2409 ___sys_sendmsg net/socket.c:2463 [inline] __sys_sendmmsg+0x267/0x4c0 net/socket.c:2549 __do_sys_sendmmsg net/socket.c:2578 [inline] __se_sys_sendmmsg net/socket.c:2575 [inline] __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2575 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae value changed: 0x00000002 -> 0x00000004 Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 9375 Comm: syz-executor.1 Not tainted 5.16.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Fixes: 9915672d4127 ("af_unix: limit unix_tot_inflight") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Link: https://lore.kernel.org/r/20220114164328.2038499-1-eric.dumazet@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2022-01-14 19:43:28 +03:00			`/* Paired with READ_ONCE() in wait_for_unix_gc() */`
			`WRITE_ONCE(unix_tot_inflight, unix_tot_inflight - 1);`
net: split out functions related to registering inflight socket files We need this functionality for the io_uring file registration, but we cannot rely on it since CONFIG_UNIX can be modular. Move the helpers to a separate file, that's always builtin to the kernel if CONFIG_UNIX is m/y. No functional changes in this patch, just moving code around. Reviewed-by: Hannes Reinecke <hare@suse.com> Acked-by: David S. Miller <davem@davemloft.net> Signed-off-by: Jens Axboe <axboe@kernel.dk> 2019-02-08 19:01:44 +03:00			`}`
			`user->unix_inflight--;`
			`spin_unlock(&unix_gc_lock);`
			`}`

			`/*`
			`* The "user->unix_inflight" variable is protected by the garbage`
			`* collection lock, and we just read it locklessly here. If you go`
			`* over the limit, there might be a tiny race in actually noticing`
			`* it across threads. Tough.`
			`*/`
			`static inline bool too_many_unix_fds(struct task_struct *p)`
			`{`
			`struct user_struct *user = current_user();`

			`if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE)))`
			`return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN);`
			`return false;`
			`}`

			`int unix_attach_fds(struct scm_cookie scm, struct sk_buff skb)`
			`{`
			`int i;`

			`if (too_many_unix_fds(current))`
			`return -ETOOMANYREFS;`

			`/*`
			`* Need to duplicate file references for the sake of garbage`
			`* collection. Otherwise a socket in the fps might become a`
			`* candidate for GC while the skb is not yet queued.`
			`*/`
			`UNIXCB(skb).fp = scm_fp_dup(scm->fp);`
			`if (!UNIXCB(skb).fp)`
			`return -ENOMEM;`

			`for (i = scm->fp->count - 1; i >= 0; i--)`
			`unix_inflight(scm->fp->user, scm->fp->fp[i]);`
			`return 0;`
			`}`
			`EXPORT_SYMBOL(unix_attach_fds);`

			`void unix_detach_fds(struct scm_cookie scm, struct sk_buff skb)`
			`{`
			`int i;`

			`scm->fp = UNIXCB(skb).fp;`
			`UNIXCB(skb).fp = NULL;`

			`for (i = scm->fp->count-1; i >= 0; i--)`
			`unix_notinflight(scm->fp->user, scm->fp->fp[i]);`
			`}`
			`EXPORT_SYMBOL(unix_detach_fds);`

			`void unix_destruct_scm(struct sk_buff *skb)`
			`{`
			`struct scm_cookie scm;`

			`memset(&scm, 0, sizeof(scm));`
			`scm.pid = UNIXCB(skb).pid;`
			`if (UNIXCB(skb).fp)`
			`unix_detach_fds(&scm, skb);`

			`/* Alas, it calls VFS */`
			`/* So fscking what? fput() had been SMP-safe since the last Summer */`
			`scm_destroy(&scm);`
			`sock_wfree(skb);`
			`}`
			`EXPORT_SYMBOL(unix_destruct_scm);`