1 // SPDX-License-Identifier: GPL-2.0-or-later
3 * NET4: Implementation of BSD Unix domain sockets.
5 * Authors: Alan Cox, <alan@lxorguk.ukuu.org.uk>
8 * Linus Torvalds : Assorted bug cures.
9 * Niibe Yutaka : async I/O support.
10 * Carsten Paeth : PF_UNIX check, address fixes.
11 * Alan Cox : Limit size of allocated blocks.
12 * Alan Cox : Fixed the stupid socketpair bug.
13 * Alan Cox : BSD compatibility fine tuning.
14 * Alan Cox : Fixed a bug in connect when interrupted.
15 * Alan Cox : Sorted out a proper draft version of
16 * file descriptor passing hacked up from
18 * Marty Leisner : Fixes to fd passing
19 * Nick Nevin : recvmsg bugfix.
20 * Alan Cox : Started proper garbage collector
21 * Heiko EiBfeldt : Missing verify_area check
22 * Alan Cox : Started POSIXisms
23 * Andreas Schwab : Replace inode by dentry for proper
25 * Kirk Petersen : Made this a module
26 * Christoph Rohland : Elegant non-blocking accept/connect algorithm.
28 * Alexey Kuznetosv : Repaired (I hope) bugs introduces
29 * by above two patches.
30 * Andrea Arcangeli : If possible we block in connect(2)
31 * if the max backlog of the listen socket
32 * is been reached. This won't break
33 * old apps and it will avoid huge amount
34 * of socks hashed (this for unix_gc()
35 * performances reasons).
36 * Security fix that limits the max
37 * number of socks to 2*max_files and
38 * the number of skb queueable in the
40 * Artur Skawina : Hash function optimizations
41 * Alexey Kuznetsov : Full scale SMP. Lot of bugs are introduced 8)
42 * Malcolm Beattie : Set peercred for socketpair
43 * Michal Ostrowski : Module initialization cleanup.
44 * Arnaldo C. Melo : Remove MOD_{INC,DEC}_USE_COUNT,
45 * the core infrastructure is doing that
46 * for all net proto families now (2.5.69+)
48 * Known differences from reference BSD that was tested:
51 * ECONNREFUSED is not returned from one end of a connected() socket to the
52 * other the moment one end closes.
53 * fstat() doesn't return st_dev=0, and give the blksize as high water mark
54 * and a fake inode identifier (nor the BSD first socket fstat twice bug).
56 * accept() returns a path name even if the connecting socket has closed
57 * in the meantime (BSD loses the path and gives up).
58 * accept() returns 0 length path for an unbound connector. BSD returns 16
59 * and a null first byte in the path (but not for gethost/peername - BSD bug ??)
60 * socketpair(...SOCK_RAW..) doesn't panic the kernel.
61 * BSD af_unix apparently has connect forgetting to block properly.
62 * (need to check this with the POSIX spec in detail)
64 * Differences from 2.0.0-11-... (ANK)
65 * Bug fixes and improvements.
66 * - client shutdown killed server socket.
67 * - removed all useless cli/sti pairs.
69 * Semantic changes/extensions.
70 * - generic control message passing.
71 * - SCM_CREDENTIALS control message.
72 * - "Abstract" (not FS based) socket bindings.
73 * Abstract names are sequences of bytes (not zero terminated)
74 * started by 0, so that this name space does not intersect
78 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
80 #include <linux/module.h>
81 #include <linux/kernel.h>
82 #include <linux/signal.h>
83 #include <linux/sched/signal.h>
84 #include <linux/errno.h>
85 #include <linux/string.h>
86 #include <linux/stat.h>
87 #include <linux/dcache.h>
88 #include <linux/namei.h>
89 #include <linux/socket.h>
91 #include <linux/fcntl.h>
92 #include <linux/termios.h>
93 #include <linux/sockios.h>
94 #include <linux/net.h>
97 #include <linux/slab.h>
98 #include <linux/uaccess.h>
99 #include <linux/skbuff.h>
100 #include <linux/netdevice.h>
101 #include <net/net_namespace.h>
102 #include <net/sock.h>
103 #include <net/tcp_states.h>
104 #include <net/af_unix.h>
105 #include <linux/proc_fs.h>
106 #include <linux/seq_file.h>
108 #include <linux/init.h>
109 #include <linux/poll.h>
110 #include <linux/rtnetlink.h>
111 #include <linux/mount.h>
112 #include <net/checksum.h>
113 #include <linux/security.h>
114 #include <linux/freezer.h>
115 #include <linux/file.h>
116 #include <linux/btf_ids.h>
120 struct hlist_head unix_socket_table[2 * UNIX_HASH_SIZE];
121 EXPORT_SYMBOL_GPL(unix_socket_table);
122 DEFINE_SPINLOCK(unix_table_lock);
123 EXPORT_SYMBOL_GPL(unix_table_lock);
124 static atomic_long_t unix_nr_socks;
127 static struct hlist_head *unix_sockets_unbound(void *addr)
129 unsigned long hash = (unsigned long)addr;
133 hash %= UNIX_HASH_SIZE;
134 return &unix_socket_table[UNIX_HASH_SIZE + hash];
137 #define UNIX_ABSTRACT(sk) (unix_sk(sk)->addr->hash < UNIX_HASH_SIZE)
139 #ifdef CONFIG_SECURITY_NETWORK
140 static void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb)
142 UNIXCB(skb).secid = scm->secid;
145 static inline void unix_set_secdata(struct scm_cookie *scm, struct sk_buff *skb)
147 scm->secid = UNIXCB(skb).secid;
150 static inline bool unix_secdata_eq(struct scm_cookie *scm, struct sk_buff *skb)
152 return (scm->secid == UNIXCB(skb).secid);
155 static inline void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb)
158 static inline void unix_set_secdata(struct scm_cookie *scm, struct sk_buff *skb)
161 static inline bool unix_secdata_eq(struct scm_cookie *scm, struct sk_buff *skb)
165 #endif /* CONFIG_SECURITY_NETWORK */
168 * SMP locking strategy:
169 * hash table is protected with spinlock unix_table_lock
170 * each socket state is protected by separate spin lock.
173 static inline unsigned int unix_hash_fold(__wsum n)
175 unsigned int hash = (__force unsigned int)csum_fold(n);
178 return hash&(UNIX_HASH_SIZE-1);
181 #define unix_peer(sk) (unix_sk(sk)->peer)
183 static inline int unix_our_peer(struct sock *sk, struct sock *osk)
185 return unix_peer(osk) == sk;
188 static inline int unix_may_send(struct sock *sk, struct sock *osk)
190 return unix_peer(osk) == NULL || unix_our_peer(sk, osk);
193 static inline int unix_recvq_full(const struct sock *sk)
195 return skb_queue_len(&sk->sk_receive_queue) > sk->sk_max_ack_backlog;
198 static inline int unix_recvq_full_lockless(const struct sock *sk)
200 return skb_queue_len_lockless(&sk->sk_receive_queue) >
201 READ_ONCE(sk->sk_max_ack_backlog);
204 struct sock *unix_peer_get(struct sock *s)
212 unix_state_unlock(s);
215 EXPORT_SYMBOL_GPL(unix_peer_get);
217 static inline void unix_release_addr(struct unix_address *addr)
219 if (refcount_dec_and_test(&addr->refcnt))
224 * Check unix socket name:
225 * - should be not zero length.
226 * - if started by not zero, should be NULL terminated (FS object)
227 * - if started by zero, it is abstract name.
230 static int unix_mkname(struct sockaddr_un *sunaddr, int len, unsigned int *hashp)
234 if (len <= offsetof(struct sockaddr_un, sun_path) ||
235 len > sizeof(*sunaddr))
237 if (!sunaddr || sunaddr->sun_family != AF_UNIX)
239 if (sunaddr->sun_path[0]) {
241 * This may look like an off by one error but it is a bit more
242 * subtle. 108 is the longest valid AF_UNIX path for a binding.
243 * sun_path[108] doesn't as such exist. However in kernel space
244 * we are guaranteed that it is a valid memory location in our
245 * kernel address buffer.
247 ((char *)sunaddr)[len] = 0;
248 len = strlen(sunaddr->sun_path) +
249 offsetof(struct sockaddr_un, sun_path) + 1;
253 *hashp = unix_hash_fold(csum_partial(sunaddr, len, 0));
257 static void __unix_remove_socket(struct sock *sk)
259 sk_del_node_init(sk);
262 static void __unix_insert_socket(struct hlist_head *list, struct sock *sk)
264 WARN_ON(!sk_unhashed(sk));
265 sk_add_node(sk, list);
268 static void __unix_set_addr(struct sock *sk, struct unix_address *addr,
271 __unix_remove_socket(sk);
272 smp_store_release(&unix_sk(sk)->addr, addr);
273 __unix_insert_socket(&unix_socket_table[hash], sk);
276 static inline void unix_remove_socket(struct sock *sk)
278 spin_lock(&unix_table_lock);
279 __unix_remove_socket(sk);
280 spin_unlock(&unix_table_lock);
283 static inline void unix_insert_socket(struct hlist_head *list, struct sock *sk)
285 spin_lock(&unix_table_lock);
286 __unix_insert_socket(list, sk);
287 spin_unlock(&unix_table_lock);
290 static struct sock *__unix_find_socket_byname(struct net *net,
291 struct sockaddr_un *sunname,
292 int len, unsigned int hash)
296 sk_for_each(s, &unix_socket_table[hash]) {
297 struct unix_sock *u = unix_sk(s);
299 if (!net_eq(sock_net(s), net))
302 if (u->addr->len == len &&
303 !memcmp(u->addr->name, sunname, len))
309 static inline struct sock *unix_find_socket_byname(struct net *net,
310 struct sockaddr_un *sunname,
311 int len, unsigned int hash)
315 spin_lock(&unix_table_lock);
316 s = __unix_find_socket_byname(net, sunname, len, hash);
319 spin_unlock(&unix_table_lock);
323 static struct sock *unix_find_socket_byinode(struct inode *i)
327 spin_lock(&unix_table_lock);
329 &unix_socket_table[i->i_ino & (UNIX_HASH_SIZE - 1)]) {
330 struct dentry *dentry = unix_sk(s)->path.dentry;
332 if (dentry && d_backing_inode(dentry) == i) {
339 spin_unlock(&unix_table_lock);
343 /* Support code for asymmetrically connected dgram sockets
345 * If a datagram socket is connected to a socket not itself connected
346 * to the first socket (eg, /dev/log), clients may only enqueue more
347 * messages if the present receive queue of the server socket is not
348 * "too large". This means there's a second writeability condition
349 * poll and sendmsg need to test. The dgram recv code will do a wake
350 * up on the peer_wait wait queue of a socket upon reception of a
351 * datagram which needs to be propagated to sleeping would-be writers
352 * since these might not have sent anything so far. This can't be
353 * accomplished via poll_wait because the lifetime of the server
354 * socket might be less than that of its clients if these break their
355 * association with it or if the server socket is closed while clients
356 * are still connected to it and there's no way to inform "a polling
357 * implementation" that it should let go of a certain wait queue
359 * In order to propagate a wake up, a wait_queue_entry_t of the client
360 * socket is enqueued on the peer_wait queue of the server socket
361 * whose wake function does a wake_up on the ordinary client socket
362 * wait queue. This connection is established whenever a write (or
363 * poll for write) hit the flow control condition and broken when the
364 * association to the server socket is dissolved or after a wake up
368 static int unix_dgram_peer_wake_relay(wait_queue_entry_t *q, unsigned mode, int flags,
372 wait_queue_head_t *u_sleep;
374 u = container_of(q, struct unix_sock, peer_wake);
376 __remove_wait_queue(&unix_sk(u->peer_wake.private)->peer_wait,
378 u->peer_wake.private = NULL;
380 /* relaying can only happen while the wq still exists */
381 u_sleep = sk_sleep(&u->sk);
383 wake_up_interruptible_poll(u_sleep, key_to_poll(key));
388 static int unix_dgram_peer_wake_connect(struct sock *sk, struct sock *other)
390 struct unix_sock *u, *u_other;
394 u_other = unix_sk(other);
396 spin_lock(&u_other->peer_wait.lock);
398 if (!u->peer_wake.private) {
399 u->peer_wake.private = other;
400 __add_wait_queue(&u_other->peer_wait, &u->peer_wake);
405 spin_unlock(&u_other->peer_wait.lock);
409 static void unix_dgram_peer_wake_disconnect(struct sock *sk,
412 struct unix_sock *u, *u_other;
415 u_other = unix_sk(other);
416 spin_lock(&u_other->peer_wait.lock);
418 if (u->peer_wake.private == other) {
419 __remove_wait_queue(&u_other->peer_wait, &u->peer_wake);
420 u->peer_wake.private = NULL;
423 spin_unlock(&u_other->peer_wait.lock);
426 static void unix_dgram_peer_wake_disconnect_wakeup(struct sock *sk,
429 unix_dgram_peer_wake_disconnect(sk, other);
430 wake_up_interruptible_poll(sk_sleep(sk),
437 * - unix_peer(sk) == other
438 * - association is stable
440 static int unix_dgram_peer_wake_me(struct sock *sk, struct sock *other)
444 connected = unix_dgram_peer_wake_connect(sk, other);
446 /* If other is SOCK_DEAD, we want to make sure we signal
447 * POLLOUT, such that a subsequent write() can get a
448 * -ECONNREFUSED. Otherwise, if we haven't queued any skbs
449 * to other and its full, we will hang waiting for POLLOUT.
451 if (unix_recvq_full(other) && !sock_flag(other, SOCK_DEAD))
455 unix_dgram_peer_wake_disconnect(sk, other);
460 static int unix_writable(const struct sock *sk)
462 return sk->sk_state != TCP_LISTEN &&
463 (refcount_read(&sk->sk_wmem_alloc) << 2) <= sk->sk_sndbuf;
466 static void unix_write_space(struct sock *sk)
468 struct socket_wq *wq;
471 if (unix_writable(sk)) {
472 wq = rcu_dereference(sk->sk_wq);
473 if (skwq_has_sleeper(wq))
474 wake_up_interruptible_sync_poll(&wq->wait,
475 EPOLLOUT | EPOLLWRNORM | EPOLLWRBAND);
476 sk_wake_async(sk, SOCK_WAKE_SPACE, POLL_OUT);
481 /* When dgram socket disconnects (or changes its peer), we clear its receive
482 * queue of packets arrived from previous peer. First, it allows to do
483 * flow control based only on wmem_alloc; second, sk connected to peer
484 * may receive messages only from that peer. */
485 static void unix_dgram_disconnected(struct sock *sk, struct sock *other)
487 if (!skb_queue_empty(&sk->sk_receive_queue)) {
488 skb_queue_purge(&sk->sk_receive_queue);
489 wake_up_interruptible_all(&unix_sk(sk)->peer_wait);
491 /* If one link of bidirectional dgram pipe is disconnected,
492 * we signal error. Messages are lost. Do not make this,
493 * when peer was not connected to us.
495 if (!sock_flag(other, SOCK_DEAD) && unix_peer(other) == sk) {
496 other->sk_err = ECONNRESET;
497 sk_error_report(other);
500 other->sk_state = TCP_CLOSE;
503 static void unix_sock_destructor(struct sock *sk)
505 struct unix_sock *u = unix_sk(sk);
507 skb_queue_purge(&sk->sk_receive_queue);
509 #if IS_ENABLED(CONFIG_AF_UNIX_OOB)
511 kfree_skb(u->oob_skb);
515 WARN_ON(refcount_read(&sk->sk_wmem_alloc));
516 WARN_ON(!sk_unhashed(sk));
517 WARN_ON(sk->sk_socket);
518 if (!sock_flag(sk, SOCK_DEAD)) {
519 pr_info("Attempt to release alive unix socket: %p\n", sk);
524 unix_release_addr(u->addr);
526 atomic_long_dec(&unix_nr_socks);
527 sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
528 #ifdef UNIX_REFCNT_DEBUG
529 pr_debug("UNIX %p is destroyed, %ld are still alive.\n", sk,
530 atomic_long_read(&unix_nr_socks));
534 static void unix_release_sock(struct sock *sk, int embrion)
536 struct unix_sock *u = unix_sk(sk);
542 unix_remove_socket(sk);
547 sk->sk_shutdown = SHUTDOWN_MASK;
549 u->path.dentry = NULL;
551 state = sk->sk_state;
552 sk->sk_state = TCP_CLOSE;
554 skpair = unix_peer(sk);
555 unix_peer(sk) = NULL;
557 unix_state_unlock(sk);
559 wake_up_interruptible_all(&u->peer_wait);
561 if (skpair != NULL) {
562 if (sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET) {
563 unix_state_lock(skpair);
565 skpair->sk_shutdown = SHUTDOWN_MASK;
566 if (!skb_queue_empty(&sk->sk_receive_queue) || embrion)
567 skpair->sk_err = ECONNRESET;
568 unix_state_unlock(skpair);
569 skpair->sk_state_change(skpair);
570 sk_wake_async(skpair, SOCK_WAKE_WAITD, POLL_HUP);
573 unix_dgram_peer_wake_disconnect(sk, skpair);
574 sock_put(skpair); /* It may now die */
577 /* Try to flush out this socket. Throw out buffers at least */
579 while ((skb = skb_dequeue(&sk->sk_receive_queue)) != NULL) {
580 if (state == TCP_LISTEN)
581 unix_release_sock(skb->sk, 1);
582 /* passed fds are erased in the kfree_skb hook */
583 UNIXCB(skb).consumed = skb->len;
592 /* ---- Socket is dead now and most probably destroyed ---- */
595 * Fixme: BSD difference: In BSD all sockets connected to us get
596 * ECONNRESET and we die on the spot. In Linux we behave
597 * like files and pipes do and wait for the last
600 * Can't we simply set sock->err?
602 * What the above comment does talk about? --ANK(980817)
605 if (unix_tot_inflight)
606 unix_gc(); /* Garbage collect fds */
609 static void init_peercred(struct sock *sk)
611 const struct cred *old_cred;
614 spin_lock(&sk->sk_peer_lock);
615 old_pid = sk->sk_peer_pid;
616 old_cred = sk->sk_peer_cred;
617 sk->sk_peer_pid = get_pid(task_tgid(current));
618 sk->sk_peer_cred = get_current_cred();
619 spin_unlock(&sk->sk_peer_lock);
625 static void copy_peercred(struct sock *sk, struct sock *peersk)
627 const struct cred *old_cred;
631 spin_lock(&sk->sk_peer_lock);
632 spin_lock_nested(&peersk->sk_peer_lock, SINGLE_DEPTH_NESTING);
634 spin_lock(&peersk->sk_peer_lock);
635 spin_lock_nested(&sk->sk_peer_lock, SINGLE_DEPTH_NESTING);
637 old_pid = sk->sk_peer_pid;
638 old_cred = sk->sk_peer_cred;
639 sk->sk_peer_pid = get_pid(peersk->sk_peer_pid);
640 sk->sk_peer_cred = get_cred(peersk->sk_peer_cred);
642 spin_unlock(&sk->sk_peer_lock);
643 spin_unlock(&peersk->sk_peer_lock);
649 static int unix_listen(struct socket *sock, int backlog)
652 struct sock *sk = sock->sk;
653 struct unix_sock *u = unix_sk(sk);
656 if (sock->type != SOCK_STREAM && sock->type != SOCK_SEQPACKET)
657 goto out; /* Only stream/seqpacket sockets accept */
660 goto out; /* No listens on an unbound socket */
662 if (sk->sk_state != TCP_CLOSE && sk->sk_state != TCP_LISTEN)
664 if (backlog > sk->sk_max_ack_backlog)
665 wake_up_interruptible_all(&u->peer_wait);
666 sk->sk_max_ack_backlog = backlog;
667 sk->sk_state = TCP_LISTEN;
668 /* set credentials so connect can copy them */
673 unix_state_unlock(sk);
678 static int unix_release(struct socket *);
679 static int unix_bind(struct socket *, struct sockaddr *, int);
680 static int unix_stream_connect(struct socket *, struct sockaddr *,
681 int addr_len, int flags);
682 static int unix_socketpair(struct socket *, struct socket *);
683 static int unix_accept(struct socket *, struct socket *, int, bool);
684 static int unix_getname(struct socket *, struct sockaddr *, int);
685 static __poll_t unix_poll(struct file *, struct socket *, poll_table *);
686 static __poll_t unix_dgram_poll(struct file *, struct socket *,
688 static int unix_ioctl(struct socket *, unsigned int, unsigned long);
690 static int unix_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg);
692 static int unix_shutdown(struct socket *, int);
693 static int unix_stream_sendmsg(struct socket *, struct msghdr *, size_t);
694 static int unix_stream_recvmsg(struct socket *, struct msghdr *, size_t, int);
695 static ssize_t unix_stream_sendpage(struct socket *, struct page *, int offset,
696 size_t size, int flags);
697 static ssize_t unix_stream_splice_read(struct socket *, loff_t *ppos,
698 struct pipe_inode_info *, size_t size,
700 static int unix_dgram_sendmsg(struct socket *, struct msghdr *, size_t);
701 static int unix_dgram_recvmsg(struct socket *, struct msghdr *, size_t, int);
702 static int unix_read_sock(struct sock *sk, read_descriptor_t *desc,
703 sk_read_actor_t recv_actor);
704 static int unix_stream_read_sock(struct sock *sk, read_descriptor_t *desc,
705 sk_read_actor_t recv_actor);
706 static int unix_dgram_connect(struct socket *, struct sockaddr *,
708 static int unix_seqpacket_sendmsg(struct socket *, struct msghdr *, size_t);
709 static int unix_seqpacket_recvmsg(struct socket *, struct msghdr *, size_t,
712 static int unix_set_peek_off(struct sock *sk, int val)
714 struct unix_sock *u = unix_sk(sk);
716 if (mutex_lock_interruptible(&u->iolock))
719 sk->sk_peek_off = val;
720 mutex_unlock(&u->iolock);
725 #ifdef CONFIG_PROC_FS
726 static void unix_show_fdinfo(struct seq_file *m, struct socket *sock)
728 struct sock *sk = sock->sk;
732 u = unix_sk(sock->sk);
733 seq_printf(m, "scm_fds: %u\n",
734 atomic_read(&u->scm_stat.nr_fds));
738 #define unix_show_fdinfo NULL
741 static const struct proto_ops unix_stream_ops = {
743 .owner = THIS_MODULE,
744 .release = unix_release,
746 .connect = unix_stream_connect,
747 .socketpair = unix_socketpair,
748 .accept = unix_accept,
749 .getname = unix_getname,
753 .compat_ioctl = unix_compat_ioctl,
755 .listen = unix_listen,
756 .shutdown = unix_shutdown,
757 .sendmsg = unix_stream_sendmsg,
758 .recvmsg = unix_stream_recvmsg,
759 .read_sock = unix_stream_read_sock,
760 .mmap = sock_no_mmap,
761 .sendpage = unix_stream_sendpage,
762 .splice_read = unix_stream_splice_read,
763 .set_peek_off = unix_set_peek_off,
764 .show_fdinfo = unix_show_fdinfo,
767 static const struct proto_ops unix_dgram_ops = {
769 .owner = THIS_MODULE,
770 .release = unix_release,
772 .connect = unix_dgram_connect,
773 .socketpair = unix_socketpair,
774 .accept = sock_no_accept,
775 .getname = unix_getname,
776 .poll = unix_dgram_poll,
779 .compat_ioctl = unix_compat_ioctl,
781 .listen = sock_no_listen,
782 .shutdown = unix_shutdown,
783 .sendmsg = unix_dgram_sendmsg,
784 .read_sock = unix_read_sock,
785 .recvmsg = unix_dgram_recvmsg,
786 .mmap = sock_no_mmap,
787 .sendpage = sock_no_sendpage,
788 .set_peek_off = unix_set_peek_off,
789 .show_fdinfo = unix_show_fdinfo,
792 static const struct proto_ops unix_seqpacket_ops = {
794 .owner = THIS_MODULE,
795 .release = unix_release,
797 .connect = unix_stream_connect,
798 .socketpair = unix_socketpair,
799 .accept = unix_accept,
800 .getname = unix_getname,
801 .poll = unix_dgram_poll,
804 .compat_ioctl = unix_compat_ioctl,
806 .listen = unix_listen,
807 .shutdown = unix_shutdown,
808 .sendmsg = unix_seqpacket_sendmsg,
809 .recvmsg = unix_seqpacket_recvmsg,
810 .mmap = sock_no_mmap,
811 .sendpage = sock_no_sendpage,
812 .set_peek_off = unix_set_peek_off,
813 .show_fdinfo = unix_show_fdinfo,
816 static void unix_close(struct sock *sk, long timeout)
818 /* Nothing to do here, unix socket does not need a ->close().
819 * This is merely for sockmap.
823 static void unix_unhash(struct sock *sk)
825 /* Nothing to do here, unix socket does not need a ->unhash().
826 * This is merely for sockmap.
830 struct proto unix_dgram_proto = {
832 .owner = THIS_MODULE,
833 .obj_size = sizeof(struct unix_sock),
835 #ifdef CONFIG_BPF_SYSCALL
836 .psock_update_sk_prot = unix_dgram_bpf_update_proto,
840 struct proto unix_stream_proto = {
841 .name = "UNIX-STREAM",
842 .owner = THIS_MODULE,
843 .obj_size = sizeof(struct unix_sock),
845 .unhash = unix_unhash,
846 #ifdef CONFIG_BPF_SYSCALL
847 .psock_update_sk_prot = unix_stream_bpf_update_proto,
851 static struct sock *unix_create1(struct net *net, struct socket *sock, int kern, int type)
857 atomic_long_inc(&unix_nr_socks);
858 if (atomic_long_read(&unix_nr_socks) > 2 * get_max_files()) {
863 if (type == SOCK_STREAM)
864 sk = sk_alloc(net, PF_UNIX, GFP_KERNEL, &unix_stream_proto, kern);
865 else /*dgram and seqpacket */
866 sk = sk_alloc(net, PF_UNIX, GFP_KERNEL, &unix_dgram_proto, kern);
873 sock_init_data(sock, sk);
875 sk->sk_allocation = GFP_KERNEL_ACCOUNT;
876 sk->sk_write_space = unix_write_space;
877 sk->sk_max_ack_backlog = net->unx.sysctl_max_dgram_qlen;
878 sk->sk_destruct = unix_sock_destructor;
880 u->path.dentry = NULL;
882 spin_lock_init(&u->lock);
883 atomic_long_set(&u->inflight, 0);
884 INIT_LIST_HEAD(&u->link);
885 mutex_init(&u->iolock); /* single task reading lock */
886 mutex_init(&u->bindlock); /* single task binding lock */
887 init_waitqueue_head(&u->peer_wait);
888 init_waitqueue_func_entry(&u->peer_wake, unix_dgram_peer_wake_relay);
889 memset(&u->scm_stat, 0, sizeof(struct scm_stat));
890 unix_insert_socket(unix_sockets_unbound(sk), sk);
892 sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1);
897 atomic_long_dec(&unix_nr_socks);
901 static int unix_create(struct net *net, struct socket *sock, int protocol,
906 if (protocol && protocol != PF_UNIX)
907 return -EPROTONOSUPPORT;
909 sock->state = SS_UNCONNECTED;
911 switch (sock->type) {
913 sock->ops = &unix_stream_ops;
916 * Believe it or not BSD has AF_UNIX, SOCK_RAW though
920 sock->type = SOCK_DGRAM;
923 sock->ops = &unix_dgram_ops;
926 sock->ops = &unix_seqpacket_ops;
929 return -ESOCKTNOSUPPORT;
932 sk = unix_create1(net, sock, kern, sock->type);
939 static int unix_release(struct socket *sock)
941 struct sock *sk = sock->sk;
946 sk->sk_prot->close(sk, 0);
947 unix_release_sock(sk, 0);
953 static int unix_autobind(struct sock *sk)
955 struct unix_sock *u = unix_sk(sk);
956 struct unix_address *addr;
957 unsigned int retries = 0;
958 static u32 ordernum = 1;
961 err = mutex_lock_interruptible(&u->bindlock);
969 addr = kzalloc(sizeof(*addr) +
970 offsetof(struct sockaddr_un, sun_path) + 16, GFP_KERNEL);
974 addr->name->sun_family = AF_UNIX;
975 refcount_set(&addr->refcnt, 1);
978 addr->len = sprintf(addr->name->sun_path + 1, "%05x", ordernum) +
979 offsetof(struct sockaddr_un, sun_path) + 1;
980 addr->hash = unix_hash_fold(csum_partial(addr->name, addr->len, 0));
981 addr->hash ^= sk->sk_type;
983 spin_lock(&unix_table_lock);
984 ordernum = (ordernum+1)&0xFFFFF;
986 if (__unix_find_socket_byname(sock_net(sk), addr->name, addr->len,
988 spin_unlock(&unix_table_lock);
990 * __unix_find_socket_byname() may take long time if many names
991 * are already in use.
994 /* Give up if all names seems to be in use. */
995 if (retries++ == 0xFFFFF) {
1003 __unix_set_addr(sk, addr, addr->hash);
1004 spin_unlock(&unix_table_lock);
1007 out: mutex_unlock(&u->bindlock);
1011 static struct sock *unix_find_other(struct net *net,
1012 struct sockaddr_un *sunname, int len,
1013 int type, unsigned int hash, int *error)
1019 if (sunname->sun_path[0]) {
1020 struct inode *inode;
1021 err = kern_path(sunname->sun_path, LOOKUP_FOLLOW, &path);
1024 inode = d_backing_inode(path.dentry);
1025 err = path_permission(&path, MAY_WRITE);
1029 err = -ECONNREFUSED;
1030 if (!S_ISSOCK(inode->i_mode))
1032 u = unix_find_socket_byinode(inode);
1036 if (u->sk_type == type)
1042 if (u->sk_type != type) {
1047 err = -ECONNREFUSED;
1048 u = unix_find_socket_byname(net, sunname, len, type ^ hash);
1050 struct dentry *dentry;
1051 dentry = unix_sk(u)->path.dentry;
1053 touch_atime(&unix_sk(u)->path);
1066 static int unix_bind_bsd(struct sock *sk, struct unix_address *addr)
1068 struct unix_sock *u = unix_sk(sk);
1069 umode_t mode = S_IFSOCK |
1070 (SOCK_INODE(sk->sk_socket)->i_mode & ~current_umask());
1071 struct user_namespace *ns; // barf...
1073 struct dentry *dentry;
1078 * Get the parent directory, calculate the hash for last
1081 dentry = kern_path_create(AT_FDCWD, addr->name->sun_path, &parent, 0);
1083 return PTR_ERR(dentry);
1084 ns = mnt_user_ns(parent.mnt);
1087 * All right, let's create it.
1089 err = security_path_mknod(&parent, dentry, mode, 0);
1091 err = vfs_mknod(ns, d_inode(parent.dentry), dentry, mode, 0);
1094 err = mutex_lock_interruptible(&u->bindlock);
1100 addr->hash = UNIX_HASH_SIZE;
1101 hash = d_backing_inode(dentry)->i_ino & (UNIX_HASH_SIZE - 1);
1102 spin_lock(&unix_table_lock);
1103 u->path.mnt = mntget(parent.mnt);
1104 u->path.dentry = dget(dentry);
1105 __unix_set_addr(sk, addr, hash);
1106 spin_unlock(&unix_table_lock);
1107 mutex_unlock(&u->bindlock);
1108 done_path_create(&parent, dentry);
1112 mutex_unlock(&u->bindlock);
1115 /* failed after successful mknod? unlink what we'd created... */
1116 vfs_unlink(ns, d_inode(parent.dentry), dentry, NULL);
1118 done_path_create(&parent, dentry);
1122 static int unix_bind_abstract(struct sock *sk, struct unix_address *addr)
1124 struct unix_sock *u = unix_sk(sk);
1127 err = mutex_lock_interruptible(&u->bindlock);
1132 mutex_unlock(&u->bindlock);
1136 spin_lock(&unix_table_lock);
1137 if (__unix_find_socket_byname(sock_net(sk), addr->name, addr->len,
1139 spin_unlock(&unix_table_lock);
1140 mutex_unlock(&u->bindlock);
1143 __unix_set_addr(sk, addr, addr->hash);
1144 spin_unlock(&unix_table_lock);
1145 mutex_unlock(&u->bindlock);
1149 static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
1151 struct sock *sk = sock->sk;
1152 struct sockaddr_un *sunaddr = (struct sockaddr_un *)uaddr;
1153 char *sun_path = sunaddr->sun_path;
1156 struct unix_address *addr;
1158 if (addr_len < offsetofend(struct sockaddr_un, sun_family) ||
1159 sunaddr->sun_family != AF_UNIX)
1162 if (addr_len == offsetof(struct sockaddr_un, sun_path))
1163 return unix_autobind(sk);
1165 err = unix_mkname(sunaddr, addr_len, &hash);
1169 addr = kmalloc(sizeof(*addr)+addr_len, GFP_KERNEL);
1173 memcpy(addr->name, sunaddr, addr_len);
1174 addr->len = addr_len;
1175 addr->hash = hash ^ sk->sk_type;
1176 refcount_set(&addr->refcnt, 1);
1179 err = unix_bind_bsd(sk, addr);
1181 err = unix_bind_abstract(sk, addr);
1183 unix_release_addr(addr);
1184 return err == -EEXIST ? -EADDRINUSE : err;
1187 static void unix_state_double_lock(struct sock *sk1, struct sock *sk2)
1189 if (unlikely(sk1 == sk2) || !sk2) {
1190 unix_state_lock(sk1);
1194 unix_state_lock(sk1);
1195 unix_state_lock_nested(sk2);
1197 unix_state_lock(sk2);
1198 unix_state_lock_nested(sk1);
1202 static void unix_state_double_unlock(struct sock *sk1, struct sock *sk2)
1204 if (unlikely(sk1 == sk2) || !sk2) {
1205 unix_state_unlock(sk1);
1208 unix_state_unlock(sk1);
1209 unix_state_unlock(sk2);
1212 static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr,
1213 int alen, int flags)
1215 struct sock *sk = sock->sk;
1216 struct net *net = sock_net(sk);
1217 struct sockaddr_un *sunaddr = (struct sockaddr_un *)addr;
1223 if (alen < offsetofend(struct sockaddr, sa_family))
1226 if (addr->sa_family != AF_UNSPEC) {
1227 err = unix_mkname(sunaddr, alen, &hash);
1232 if (test_bit(SOCK_PASSCRED, &sock->flags) &&
1233 !unix_sk(sk)->addr) {
1234 err = unix_autobind(sk);
1240 other = unix_find_other(net, sunaddr, alen, sock->type, hash, &err);
1244 unix_state_double_lock(sk, other);
1246 /* Apparently VFS overslept socket death. Retry. */
1247 if (sock_flag(other, SOCK_DEAD)) {
1248 unix_state_double_unlock(sk, other);
1254 if (!unix_may_send(sk, other))
1257 err = security_unix_may_send(sk->sk_socket, other->sk_socket);
1261 sk->sk_state = other->sk_state = TCP_ESTABLISHED;
1264 * 1003.1g breaking connected state with AF_UNSPEC
1267 unix_state_double_lock(sk, other);
1271 * If it was connected, reconnect.
1273 if (unix_peer(sk)) {
1274 struct sock *old_peer = unix_peer(sk);
1276 unix_peer(sk) = other;
1278 sk->sk_state = TCP_CLOSE;
1279 unix_dgram_peer_wake_disconnect_wakeup(sk, old_peer);
1281 unix_state_double_unlock(sk, other);
1283 if (other != old_peer)
1284 unix_dgram_disconnected(sk, old_peer);
1287 unix_peer(sk) = other;
1288 unix_state_double_unlock(sk, other);
1294 unix_state_double_unlock(sk, other);
1300 static long unix_wait_for_peer(struct sock *other, long timeo)
1301 __releases(&unix_sk(other)->lock)
1303 struct unix_sock *u = unix_sk(other);
1307 prepare_to_wait_exclusive(&u->peer_wait, &wait, TASK_INTERRUPTIBLE);
1309 sched = !sock_flag(other, SOCK_DEAD) &&
1310 !(other->sk_shutdown & RCV_SHUTDOWN) &&
1311 unix_recvq_full(other);
1313 unix_state_unlock(other);
1316 timeo = schedule_timeout(timeo);
1318 finish_wait(&u->peer_wait, &wait);
1322 static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr,
1323 int addr_len, int flags)
1325 struct sockaddr_un *sunaddr = (struct sockaddr_un *)uaddr;
1326 struct sock *sk = sock->sk;
1327 struct net *net = sock_net(sk);
1328 struct unix_sock *u = unix_sk(sk), *newu, *otheru;
1329 struct sock *newsk = NULL;
1330 struct sock *other = NULL;
1331 struct sk_buff *skb = NULL;
1337 err = unix_mkname(sunaddr, addr_len, &hash);
1342 if (test_bit(SOCK_PASSCRED, &sock->flags) && !u->addr) {
1343 err = unix_autobind(sk);
1348 timeo = sock_sndtimeo(sk, flags & O_NONBLOCK);
1350 /* First of all allocate resources.
1351 If we will make it after state is locked,
1352 we will have to recheck all again in any case.
1355 /* create new sock for complete connection */
1356 newsk = unix_create1(sock_net(sk), NULL, 0, sock->type);
1357 if (IS_ERR(newsk)) {
1358 err = PTR_ERR(newsk);
1365 /* Allocate skb for sending to listening sock */
1366 skb = sock_wmalloc(newsk, 1, 0, GFP_KERNEL);
1371 /* Find listening sock. */
1372 other = unix_find_other(net, sunaddr, addr_len, sk->sk_type, hash, &err);
1376 /* Latch state of peer */
1377 unix_state_lock(other);
1379 /* Apparently VFS overslept socket death. Retry. */
1380 if (sock_flag(other, SOCK_DEAD)) {
1381 unix_state_unlock(other);
1386 err = -ECONNREFUSED;
1387 if (other->sk_state != TCP_LISTEN)
1389 if (other->sk_shutdown & RCV_SHUTDOWN)
1392 if (unix_recvq_full(other)) {
1397 timeo = unix_wait_for_peer(other, timeo);
1399 err = sock_intr_errno(timeo);
1400 if (signal_pending(current))
1408 It is tricky place. We need to grab our state lock and cannot
1409 drop lock on peer. It is dangerous because deadlock is
1410 possible. Connect to self case and simultaneous
1411 attempt to connect are eliminated by checking socket
1412 state. other is TCP_LISTEN, if sk is TCP_LISTEN we
1413 check this before attempt to grab lock.
1415 Well, and we have to recheck the state after socket locked.
1421 /* This is ok... continue with connect */
1423 case TCP_ESTABLISHED:
1424 /* Socket is already connected */
1432 unix_state_lock_nested(sk);
1434 if (sk->sk_state != st) {
1435 unix_state_unlock(sk);
1436 unix_state_unlock(other);
1441 err = security_unix_stream_connect(sk, other, newsk);
1443 unix_state_unlock(sk);
1447 /* The way is open! Fastly set all the necessary fields... */
1450 unix_peer(newsk) = sk;
1451 newsk->sk_state = TCP_ESTABLISHED;
1452 newsk->sk_type = sk->sk_type;
1453 init_peercred(newsk);
1454 newu = unix_sk(newsk);
1455 RCU_INIT_POINTER(newsk->sk_wq, &newu->peer_wq);
1456 otheru = unix_sk(other);
1458 /* copy address information from listening to new sock
1460 * The contents of *(otheru->addr) and otheru->path
1461 * are seen fully set up here, since we have found
1462 * otheru in hash under unix_table_lock. Insertion
1463 * into the hash chain we'd found it in had been done
1464 * in an earlier critical area protected by unix_table_lock,
1465 * the same one where we'd set *(otheru->addr) contents,
1466 * as well as otheru->path and otheru->addr itself.
1468 * Using smp_store_release() here to set newu->addr
1469 * is enough to make those stores, as well as stores
1470 * to newu->path visible to anyone who gets newu->addr
1471 * by smp_load_acquire(). IOW, the same warranties
1472 * as for unix_sock instances bound in unix_bind() or
1473 * in unix_autobind().
1475 if (otheru->path.dentry) {
1476 path_get(&otheru->path);
1477 newu->path = otheru->path;
1479 refcount_inc(&otheru->addr->refcnt);
1480 smp_store_release(&newu->addr, otheru->addr);
1482 /* Set credentials */
1483 copy_peercred(sk, other);
1485 sock->state = SS_CONNECTED;
1486 sk->sk_state = TCP_ESTABLISHED;
1489 smp_mb__after_atomic(); /* sock_hold() does an atomic_inc() */
1490 unix_peer(sk) = newsk;
1492 unix_state_unlock(sk);
1494 /* take ten and send info to listening sock */
1495 spin_lock(&other->sk_receive_queue.lock);
1496 __skb_queue_tail(&other->sk_receive_queue, skb);
1497 spin_unlock(&other->sk_receive_queue.lock);
1498 unix_state_unlock(other);
1499 other->sk_data_ready(other);
1505 unix_state_unlock(other);
1510 unix_release_sock(newsk, 0);
1516 static int unix_socketpair(struct socket *socka, struct socket *sockb)
1518 struct sock *ska = socka->sk, *skb = sockb->sk;
1520 /* Join our sockets back to back */
1523 unix_peer(ska) = skb;
1524 unix_peer(skb) = ska;
1528 ska->sk_state = TCP_ESTABLISHED;
1529 skb->sk_state = TCP_ESTABLISHED;
1530 socka->state = SS_CONNECTED;
1531 sockb->state = SS_CONNECTED;
1535 static void unix_sock_inherit_flags(const struct socket *old,
1538 if (test_bit(SOCK_PASSCRED, &old->flags))
1539 set_bit(SOCK_PASSCRED, &new->flags);
1540 if (test_bit(SOCK_PASSSEC, &old->flags))
1541 set_bit(SOCK_PASSSEC, &new->flags);
1544 static int unix_accept(struct socket *sock, struct socket *newsock, int flags,
1547 struct sock *sk = sock->sk;
1549 struct sk_buff *skb;
1553 if (sock->type != SOCK_STREAM && sock->type != SOCK_SEQPACKET)
1557 if (sk->sk_state != TCP_LISTEN)
1560 /* If socket state is TCP_LISTEN it cannot change (for now...),
1561 * so that no locks are necessary.
1564 skb = skb_recv_datagram(sk, 0, flags&O_NONBLOCK, &err);
1566 /* This means receive shutdown. */
1573 skb_free_datagram(sk, skb);
1574 wake_up_interruptible(&unix_sk(sk)->peer_wait);
1576 /* attach accepted sock to socket */
1577 unix_state_lock(tsk);
1578 newsock->state = SS_CONNECTED;
1579 unix_sock_inherit_flags(sock, newsock);
1580 sock_graft(tsk, newsock);
1581 unix_state_unlock(tsk);
1589 static int unix_getname(struct socket *sock, struct sockaddr *uaddr, int peer)
1591 struct sock *sk = sock->sk;
1592 struct unix_address *addr;
1593 DECLARE_SOCKADDR(struct sockaddr_un *, sunaddr, uaddr);
1597 sk = unix_peer_get(sk);
1607 addr = smp_load_acquire(&unix_sk(sk)->addr);
1609 sunaddr->sun_family = AF_UNIX;
1610 sunaddr->sun_path[0] = 0;
1611 err = offsetof(struct sockaddr_un, sun_path);
1614 memcpy(sunaddr, addr->name, addr->len);
1621 static void unix_peek_fds(struct scm_cookie *scm, struct sk_buff *skb)
1623 scm->fp = scm_fp_dup(UNIXCB(skb).fp);
1626 * Garbage collection of unix sockets starts by selecting a set of
1627 * candidate sockets which have reference only from being in flight
1628 * (total_refs == inflight_refs). This condition is checked once during
1629 * the candidate collection phase, and candidates are marked as such, so
1630 * that non-candidates can later be ignored. While inflight_refs is
1631 * protected by unix_gc_lock, total_refs (file count) is not, hence this
1632 * is an instantaneous decision.
1634 * Once a candidate, however, the socket must not be reinstalled into a
1635 * file descriptor while the garbage collection is in progress.
1637 * If the above conditions are met, then the directed graph of
1638 * candidates (*) does not change while unix_gc_lock is held.
1640 * Any operations that changes the file count through file descriptors
1641 * (dup, close, sendmsg) does not change the graph since candidates are
1642 * not installed in fds.
1644 * Dequeing a candidate via recvmsg would install it into an fd, but
1645 * that takes unix_gc_lock to decrement the inflight count, so it's
1646 * serialized with garbage collection.
1648 * MSG_PEEK is special in that it does not change the inflight count,
1649 * yet does install the socket into an fd. The following lock/unlock
1650 * pair is to ensure serialization with garbage collection. It must be
1651 * done between incrementing the file count and installing the file into
1654 * If garbage collection starts after the barrier provided by the
1655 * lock/unlock, then it will see the elevated refcount and not mark this
1656 * as a candidate. If a garbage collection is already in progress
1657 * before the file count was incremented, then the lock/unlock pair will
1658 * ensure that garbage collection is finished before progressing to
1659 * installing the fd.
1661 * (*) A -> B where B is on the queue of A or B is on the queue of C
1662 * which is on the queue of listening socket A.
1664 spin_lock(&unix_gc_lock);
1665 spin_unlock(&unix_gc_lock);
1668 static int unix_scm_to_skb(struct scm_cookie *scm, struct sk_buff *skb, bool send_fds)
1672 UNIXCB(skb).pid = get_pid(scm->pid);
1673 UNIXCB(skb).uid = scm->creds.uid;
1674 UNIXCB(skb).gid = scm->creds.gid;
1675 UNIXCB(skb).fp = NULL;
1676 unix_get_secdata(scm, skb);
1677 if (scm->fp && send_fds)
1678 err = unix_attach_fds(scm, skb);
1680 skb->destructor = unix_destruct_scm;
1684 static bool unix_passcred_enabled(const struct socket *sock,
1685 const struct sock *other)
1687 return test_bit(SOCK_PASSCRED, &sock->flags) ||
1688 !other->sk_socket ||
1689 test_bit(SOCK_PASSCRED, &other->sk_socket->flags);
1693 * Some apps rely on write() giving SCM_CREDENTIALS
1694 * We include credentials if source or destination socket
1695 * asserted SOCK_PASSCRED.
1697 static void maybe_add_creds(struct sk_buff *skb, const struct socket *sock,
1698 const struct sock *other)
1700 if (UNIXCB(skb).pid)
1702 if (unix_passcred_enabled(sock, other)) {
1703 UNIXCB(skb).pid = get_pid(task_tgid(current));
1704 current_uid_gid(&UNIXCB(skb).uid, &UNIXCB(skb).gid);
1708 static int maybe_init_creds(struct scm_cookie *scm,
1709 struct socket *socket,
1710 const struct sock *other)
1713 struct msghdr msg = { .msg_controllen = 0 };
1715 err = scm_send(socket, &msg, scm, false);
1719 if (unix_passcred_enabled(socket, other)) {
1720 scm->pid = get_pid(task_tgid(current));
1721 current_uid_gid(&scm->creds.uid, &scm->creds.gid);
1726 static bool unix_skb_scm_eq(struct sk_buff *skb,
1727 struct scm_cookie *scm)
1729 const struct unix_skb_parms *u = &UNIXCB(skb);
1731 return u->pid == scm->pid &&
1732 uid_eq(u->uid, scm->creds.uid) &&
1733 gid_eq(u->gid, scm->creds.gid) &&
1734 unix_secdata_eq(scm, skb);
1737 static void scm_stat_add(struct sock *sk, struct sk_buff *skb)
1739 struct scm_fp_list *fp = UNIXCB(skb).fp;
1740 struct unix_sock *u = unix_sk(sk);
1742 if (unlikely(fp && fp->count))
1743 atomic_add(fp->count, &u->scm_stat.nr_fds);
1746 static void scm_stat_del(struct sock *sk, struct sk_buff *skb)
1748 struct scm_fp_list *fp = UNIXCB(skb).fp;
1749 struct unix_sock *u = unix_sk(sk);
1751 if (unlikely(fp && fp->count))
1752 atomic_sub(fp->count, &u->scm_stat.nr_fds);
1756 * Send AF_UNIX data.
1759 static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg,
1762 struct sock *sk = sock->sk;
1763 struct net *net = sock_net(sk);
1764 struct unix_sock *u = unix_sk(sk);
1765 DECLARE_SOCKADDR(struct sockaddr_un *, sunaddr, msg->msg_name);
1766 struct sock *other = NULL;
1767 int namelen = 0; /* fake GCC */
1770 struct sk_buff *skb;
1772 struct scm_cookie scm;
1777 err = scm_send(sock, msg, &scm, false);
1782 if (msg->msg_flags&MSG_OOB)
1785 if (msg->msg_namelen) {
1786 err = unix_mkname(sunaddr, msg->msg_namelen, &hash);
1793 other = unix_peer_get(sk);
1798 if (test_bit(SOCK_PASSCRED, &sock->flags) && !u->addr) {
1799 err = unix_autobind(sk);
1805 if (len > sk->sk_sndbuf - 32)
1808 if (len > SKB_MAX_ALLOC) {
1809 data_len = min_t(size_t,
1810 len - SKB_MAX_ALLOC,
1811 MAX_SKB_FRAGS * PAGE_SIZE);
1812 data_len = PAGE_ALIGN(data_len);
1814 BUILD_BUG_ON(SKB_MAX_ALLOC < PAGE_SIZE);
1817 skb = sock_alloc_send_pskb(sk, len - data_len, data_len,
1818 msg->msg_flags & MSG_DONTWAIT, &err,
1819 PAGE_ALLOC_COSTLY_ORDER);
1823 err = unix_scm_to_skb(&scm, skb, true);
1827 skb_put(skb, len - data_len);
1828 skb->data_len = data_len;
1830 err = skb_copy_datagram_from_iter(skb, 0, &msg->msg_iter, len);
1834 timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
1839 if (sunaddr == NULL)
1842 other = unix_find_other(net, sunaddr, namelen, sk->sk_type,
1848 if (sk_filter(other, skb) < 0) {
1849 /* Toss the packet but do not return any error to the sender */
1855 unix_state_lock(other);
1858 if (!unix_may_send(sk, other))
1861 if (unlikely(sock_flag(other, SOCK_DEAD))) {
1863 * Check with 1003.1g - what should
1866 unix_state_unlock(other);
1870 unix_state_lock(sk);
1873 if (unix_peer(sk) == other) {
1874 unix_peer(sk) = NULL;
1875 unix_dgram_peer_wake_disconnect_wakeup(sk, other);
1877 unix_state_unlock(sk);
1879 sk->sk_state = TCP_CLOSE;
1880 unix_dgram_disconnected(sk, other);
1882 err = -ECONNREFUSED;
1884 unix_state_unlock(sk);
1894 if (other->sk_shutdown & RCV_SHUTDOWN)
1897 if (sk->sk_type != SOCK_SEQPACKET) {
1898 err = security_unix_may_send(sk->sk_socket, other->sk_socket);
1903 /* other == sk && unix_peer(other) != sk if
1904 * - unix_peer(sk) == NULL, destination address bound to sk
1905 * - unix_peer(sk) == sk by time of get but disconnected before lock
1908 unlikely(unix_peer(other) != sk &&
1909 unix_recvq_full_lockless(other))) {
1911 timeo = unix_wait_for_peer(other, timeo);
1913 err = sock_intr_errno(timeo);
1914 if (signal_pending(current))
1921 unix_state_unlock(other);
1922 unix_state_double_lock(sk, other);
1925 if (unix_peer(sk) != other ||
1926 unix_dgram_peer_wake_me(sk, other)) {
1934 goto restart_locked;
1938 if (unlikely(sk_locked))
1939 unix_state_unlock(sk);
1941 if (sock_flag(other, SOCK_RCVTSTAMP))
1942 __net_timestamp(skb);
1943 maybe_add_creds(skb, sock, other);
1944 scm_stat_add(other, skb);
1945 skb_queue_tail(&other->sk_receive_queue, skb);
1946 unix_state_unlock(other);
1947 other->sk_data_ready(other);
1954 unix_state_unlock(sk);
1955 unix_state_unlock(other);
1965 /* We use paged skbs for stream sockets, and limit occupancy to 32768
1966 * bytes, and a minimum of a full page.
1968 #define UNIX_SKB_FRAGS_SZ (PAGE_SIZE << get_order(32768))
1970 #if (IS_ENABLED(CONFIG_AF_UNIX_OOB))
1971 static int queue_oob(struct socket *sock, struct msghdr *msg, struct sock *other)
1973 struct unix_sock *ousk = unix_sk(other);
1974 struct sk_buff *skb;
1977 skb = sock_alloc_send_skb(sock->sk, 1, msg->msg_flags & MSG_DONTWAIT, &err);
1983 err = skb_copy_datagram_from_iter(skb, 0, &msg->msg_iter, 1);
1990 unix_state_lock(other);
1992 if (sock_flag(other, SOCK_DEAD) ||
1993 (other->sk_shutdown & RCV_SHUTDOWN)) {
1994 unix_state_unlock(other);
1999 maybe_add_creds(skb, sock, other);
2003 consume_skb(ousk->oob_skb);
2005 ousk->oob_skb = skb;
2007 scm_stat_add(other, skb);
2008 skb_queue_tail(&other->sk_receive_queue, skb);
2009 sk_send_sigurg(other);
2010 unix_state_unlock(other);
2011 other->sk_data_ready(other);
2017 static int unix_stream_sendmsg(struct socket *sock, struct msghdr *msg,
2020 struct sock *sk = sock->sk;
2021 struct sock *other = NULL;
2023 struct sk_buff *skb;
2025 struct scm_cookie scm;
2026 bool fds_sent = false;
2030 err = scm_send(sock, msg, &scm, false);
2035 if (msg->msg_flags & MSG_OOB) {
2036 #if (IS_ENABLED(CONFIG_AF_UNIX_OOB))
2044 if (msg->msg_namelen) {
2045 err = sk->sk_state == TCP_ESTABLISHED ? -EISCONN : -EOPNOTSUPP;
2049 other = unix_peer(sk);
2054 if (sk->sk_shutdown & SEND_SHUTDOWN)
2057 while (sent < len) {
2060 /* Keep two messages in the pipe so it schedules better */
2061 size = min_t(int, size, (sk->sk_sndbuf >> 1) - 64);
2063 /* allow fallback to order-0 allocations */
2064 size = min_t(int, size, SKB_MAX_HEAD(0) + UNIX_SKB_FRAGS_SZ);
2066 data_len = max_t(int, 0, size - SKB_MAX_HEAD(0));
2068 data_len = min_t(size_t, size, PAGE_ALIGN(data_len));
2070 skb = sock_alloc_send_pskb(sk, size - data_len, data_len,
2071 msg->msg_flags & MSG_DONTWAIT, &err,
2072 get_order(UNIX_SKB_FRAGS_SZ));
2076 /* Only send the fds in the first buffer */
2077 err = unix_scm_to_skb(&scm, skb, !fds_sent);
2084 skb_put(skb, size - data_len);
2085 skb->data_len = data_len;
2087 err = skb_copy_datagram_from_iter(skb, 0, &msg->msg_iter, size);
2093 unix_state_lock(other);
2095 if (sock_flag(other, SOCK_DEAD) ||
2096 (other->sk_shutdown & RCV_SHUTDOWN))
2099 maybe_add_creds(skb, sock, other);
2100 scm_stat_add(other, skb);
2101 skb_queue_tail(&other->sk_receive_queue, skb);
2102 unix_state_unlock(other);
2103 other->sk_data_ready(other);
2107 #if (IS_ENABLED(CONFIG_AF_UNIX_OOB))
2108 if (msg->msg_flags & MSG_OOB) {
2109 err = queue_oob(sock, msg, other);
2121 unix_state_unlock(other);
2124 if (sent == 0 && !(msg->msg_flags&MSG_NOSIGNAL))
2125 send_sig(SIGPIPE, current, 0);
2129 return sent ? : err;
2132 static ssize_t unix_stream_sendpage(struct socket *socket, struct page *page,
2133 int offset, size_t size, int flags)
2136 bool send_sigpipe = false;
2137 bool init_scm = true;
2138 struct scm_cookie scm;
2139 struct sock *other, *sk = socket->sk;
2140 struct sk_buff *skb, *newskb = NULL, *tail = NULL;
2142 if (flags & MSG_OOB)
2145 other = unix_peer(sk);
2146 if (!other || sk->sk_state != TCP_ESTABLISHED)
2151 unix_state_unlock(other);
2152 mutex_unlock(&unix_sk(other)->iolock);
2153 newskb = sock_alloc_send_pskb(sk, 0, 0, flags & MSG_DONTWAIT,
2159 /* we must acquire iolock as we modify already present
2160 * skbs in the sk_receive_queue and mess with skb->len
2162 err = mutex_lock_interruptible(&unix_sk(other)->iolock);
2164 err = flags & MSG_DONTWAIT ? -EAGAIN : -ERESTARTSYS;
2168 if (sk->sk_shutdown & SEND_SHUTDOWN) {
2170 send_sigpipe = true;
2174 unix_state_lock(other);
2176 if (sock_flag(other, SOCK_DEAD) ||
2177 other->sk_shutdown & RCV_SHUTDOWN) {
2179 send_sigpipe = true;
2180 goto err_state_unlock;
2184 err = maybe_init_creds(&scm, socket, other);
2186 goto err_state_unlock;
2190 skb = skb_peek_tail(&other->sk_receive_queue);
2191 if (tail && tail == skb) {
2193 } else if (!skb || !unix_skb_scm_eq(skb, &scm)) {
2200 } else if (newskb) {
2201 /* this is fast path, we don't necessarily need to
2202 * call to kfree_skb even though with newskb == NULL
2203 * this - does no harm
2205 consume_skb(newskb);
2209 if (skb_append_pagefrags(skb, page, offset, size)) {
2215 skb->data_len += size;
2216 skb->truesize += size;
2217 refcount_add(size, &sk->sk_wmem_alloc);
2220 err = unix_scm_to_skb(&scm, skb, false);
2222 goto err_state_unlock;
2223 spin_lock(&other->sk_receive_queue.lock);
2224 __skb_queue_tail(&other->sk_receive_queue, newskb);
2225 spin_unlock(&other->sk_receive_queue.lock);
2228 unix_state_unlock(other);
2229 mutex_unlock(&unix_sk(other)->iolock);
2231 other->sk_data_ready(other);
2236 unix_state_unlock(other);
2238 mutex_unlock(&unix_sk(other)->iolock);
2241 if (send_sigpipe && !(flags & MSG_NOSIGNAL))
2242 send_sig(SIGPIPE, current, 0);
2248 static int unix_seqpacket_sendmsg(struct socket *sock, struct msghdr *msg,
2252 struct sock *sk = sock->sk;
2254 err = sock_error(sk);
2258 if (sk->sk_state != TCP_ESTABLISHED)
2261 if (msg->msg_namelen)
2262 msg->msg_namelen = 0;
2264 return unix_dgram_sendmsg(sock, msg, len);
2267 static int unix_seqpacket_recvmsg(struct socket *sock, struct msghdr *msg,
2268 size_t size, int flags)
2270 struct sock *sk = sock->sk;
2272 if (sk->sk_state != TCP_ESTABLISHED)
2275 return unix_dgram_recvmsg(sock, msg, size, flags);
2278 static void unix_copy_addr(struct msghdr *msg, struct sock *sk)
2280 struct unix_address *addr = smp_load_acquire(&unix_sk(sk)->addr);
2283 msg->msg_namelen = addr->len;
2284 memcpy(msg->msg_name, addr->name, addr->len);
2288 int __unix_dgram_recvmsg(struct sock *sk, struct msghdr *msg, size_t size,
2291 struct scm_cookie scm;
2292 struct socket *sock = sk->sk_socket;
2293 struct unix_sock *u = unix_sk(sk);
2294 struct sk_buff *skb, *last;
2303 timeo = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
2306 mutex_lock(&u->iolock);
2308 skip = sk_peek_offset(sk, flags);
2309 skb = __skb_try_recv_datagram(sk, &sk->sk_receive_queue, flags,
2310 &skip, &err, &last);
2312 if (!(flags & MSG_PEEK))
2313 scm_stat_del(sk, skb);
2317 mutex_unlock(&u->iolock);
2322 !__skb_wait_for_more_packets(sk, &sk->sk_receive_queue,
2323 &err, &timeo, last));
2325 if (!skb) { /* implies iolock unlocked */
2326 unix_state_lock(sk);
2327 /* Signal EOF on disconnected non-blocking SEQPACKET socket. */
2328 if (sk->sk_type == SOCK_SEQPACKET && err == -EAGAIN &&
2329 (sk->sk_shutdown & RCV_SHUTDOWN))
2331 unix_state_unlock(sk);
2335 if (wq_has_sleeper(&u->peer_wait))
2336 wake_up_interruptible_sync_poll(&u->peer_wait,
2337 EPOLLOUT | EPOLLWRNORM |
2341 unix_copy_addr(msg, skb->sk);
2343 if (size > skb->len - skip)
2344 size = skb->len - skip;
2345 else if (size < skb->len - skip)
2346 msg->msg_flags |= MSG_TRUNC;
2348 err = skb_copy_datagram_msg(skb, skip, msg, size);
2352 if (sock_flag(sk, SOCK_RCVTSTAMP))
2353 __sock_recv_timestamp(msg, sk, skb);
2355 memset(&scm, 0, sizeof(scm));
2357 scm_set_cred(&scm, UNIXCB(skb).pid, UNIXCB(skb).uid, UNIXCB(skb).gid);
2358 unix_set_secdata(&scm, skb);
2360 if (!(flags & MSG_PEEK)) {
2362 unix_detach_fds(&scm, skb);
2364 sk_peek_offset_bwd(sk, skb->len);
2366 /* It is questionable: on PEEK we could:
2367 - do not return fds - good, but too simple 8)
2368 - return fds, and do not return them on read (old strategy,
2370 - clone fds (I chose it for now, it is the most universal
2373 POSIX 1003.1g does not actually define this clearly
2374 at all. POSIX 1003.1g doesn't define a lot of things
2379 sk_peek_offset_fwd(sk, size);
2382 unix_peek_fds(&scm, skb);
2384 err = (flags & MSG_TRUNC) ? skb->len - skip : size;
2386 scm_recv(sock, msg, &scm, flags);
2389 skb_free_datagram(sk, skb);
2390 mutex_unlock(&u->iolock);
2395 static int unix_dgram_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
2398 struct sock *sk = sock->sk;
2400 #ifdef CONFIG_BPF_SYSCALL
2401 const struct proto *prot = READ_ONCE(sk->sk_prot);
2403 if (prot != &unix_dgram_proto)
2404 return prot->recvmsg(sk, msg, size, flags & MSG_DONTWAIT,
2405 flags & ~MSG_DONTWAIT, NULL);
2407 return __unix_dgram_recvmsg(sk, msg, size, flags);
2410 static int unix_read_sock(struct sock *sk, read_descriptor_t *desc,
2411 sk_read_actor_t recv_actor)
2416 struct unix_sock *u = unix_sk(sk);
2417 struct sk_buff *skb;
2420 mutex_lock(&u->iolock);
2421 skb = skb_recv_datagram(sk, 0, 1, &err);
2422 mutex_unlock(&u->iolock);
2426 used = recv_actor(desc, skb, 0, skb->len);
2432 } else if (used <= skb->len) {
2445 * Sleep until more data has arrived. But check for races..
2447 static long unix_stream_data_wait(struct sock *sk, long timeo,
2448 struct sk_buff *last, unsigned int last_len,
2451 struct sk_buff *tail;
2454 unix_state_lock(sk);
2457 prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
2459 tail = skb_peek_tail(&sk->sk_receive_queue);
2461 (tail && tail->len != last_len) ||
2463 (sk->sk_shutdown & RCV_SHUTDOWN) ||
2464 signal_pending(current) ||
2468 sk_set_bit(SOCKWQ_ASYNC_WAITDATA, sk);
2469 unix_state_unlock(sk);
2471 timeo = freezable_schedule_timeout(timeo);
2473 timeo = schedule_timeout(timeo);
2474 unix_state_lock(sk);
2476 if (sock_flag(sk, SOCK_DEAD))
2479 sk_clear_bit(SOCKWQ_ASYNC_WAITDATA, sk);
2482 finish_wait(sk_sleep(sk), &wait);
2483 unix_state_unlock(sk);
2487 static unsigned int unix_skb_len(const struct sk_buff *skb)
2489 return skb->len - UNIXCB(skb).consumed;
2492 struct unix_stream_read_state {
2493 int (*recv_actor)(struct sk_buff *, int, int,
2494 struct unix_stream_read_state *);
2495 struct socket *socket;
2497 struct pipe_inode_info *pipe;
2500 unsigned int splice_flags;
2503 #if IS_ENABLED(CONFIG_AF_UNIX_OOB)
2504 static int unix_stream_recv_urg(struct unix_stream_read_state *state)
2506 struct socket *sock = state->socket;
2507 struct sock *sk = sock->sk;
2508 struct unix_sock *u = unix_sk(sk);
2510 struct sk_buff *oob_skb;
2512 mutex_lock(&u->iolock);
2513 unix_state_lock(sk);
2515 if (sock_flag(sk, SOCK_URGINLINE) || !u->oob_skb) {
2516 unix_state_unlock(sk);
2517 mutex_unlock(&u->iolock);
2521 oob_skb = u->oob_skb;
2523 if (!(state->flags & MSG_PEEK)) {
2527 unix_state_unlock(sk);
2529 chunk = state->recv_actor(oob_skb, 0, chunk, state);
2531 if (!(state->flags & MSG_PEEK)) {
2532 UNIXCB(oob_skb).consumed += 1;
2536 mutex_unlock(&u->iolock);
2541 state->msg->msg_flags |= MSG_OOB;
2545 static struct sk_buff *manage_oob(struct sk_buff *skb, struct sock *sk,
2546 int flags, int copied)
2548 struct unix_sock *u = unix_sk(sk);
2550 if (!unix_skb_len(skb) && !(flags & MSG_PEEK)) {
2551 skb_unlink(skb, &sk->sk_receive_queue);
2555 if (skb == u->oob_skb) {
2558 } else if (sock_flag(sk, SOCK_URGINLINE)) {
2559 if (!(flags & MSG_PEEK)) {
2563 } else if (!(flags & MSG_PEEK)) {
2564 skb_unlink(skb, &sk->sk_receive_queue);
2566 skb = skb_peek(&sk->sk_receive_queue);
2574 static int unix_stream_read_sock(struct sock *sk, read_descriptor_t *desc,
2575 sk_read_actor_t recv_actor)
2577 if (unlikely(sk->sk_state != TCP_ESTABLISHED))
2580 return unix_read_sock(sk, desc, recv_actor);
2583 static int unix_stream_read_generic(struct unix_stream_read_state *state,
2586 struct scm_cookie scm;
2587 struct socket *sock = state->socket;
2588 struct sock *sk = sock->sk;
2589 struct unix_sock *u = unix_sk(sk);
2591 int flags = state->flags;
2592 int noblock = flags & MSG_DONTWAIT;
2593 bool check_creds = false;
2598 size_t size = state->size;
2599 unsigned int last_len;
2601 if (unlikely(sk->sk_state != TCP_ESTABLISHED)) {
2606 if (unlikely(flags & MSG_OOB)) {
2608 #if IS_ENABLED(CONFIG_AF_UNIX_OOB)
2609 err = unix_stream_recv_urg(state);
2614 target = sock_rcvlowat(sk, flags & MSG_WAITALL, size);
2615 timeo = sock_rcvtimeo(sk, noblock);
2617 memset(&scm, 0, sizeof(scm));
2619 /* Lock the socket to prevent queue disordering
2620 * while sleeps in memcpy_tomsg
2622 mutex_lock(&u->iolock);
2624 skip = max(sk_peek_offset(sk, flags), 0);
2629 struct sk_buff *skb, *last;
2632 unix_state_lock(sk);
2633 if (sock_flag(sk, SOCK_DEAD)) {
2637 last = skb = skb_peek(&sk->sk_receive_queue);
2638 last_len = last ? last->len : 0;
2640 #if IS_ENABLED(CONFIG_AF_UNIX_OOB)
2642 skb = manage_oob(skb, sk, flags, copied);
2644 unix_state_unlock(sk);
2653 if (copied >= target)
2657 * POSIX 1003.1g mandates this order.
2660 err = sock_error(sk);
2663 if (sk->sk_shutdown & RCV_SHUTDOWN)
2666 unix_state_unlock(sk);
2672 mutex_unlock(&u->iolock);
2674 timeo = unix_stream_data_wait(sk, timeo, last,
2675 last_len, freezable);
2677 if (signal_pending(current)) {
2678 err = sock_intr_errno(timeo);
2683 mutex_lock(&u->iolock);
2686 unix_state_unlock(sk);
2690 while (skip >= unix_skb_len(skb)) {
2691 skip -= unix_skb_len(skb);
2693 last_len = skb->len;
2694 skb = skb_peek_next(skb, &sk->sk_receive_queue);
2699 unix_state_unlock(sk);
2702 /* Never glue messages from different writers */
2703 if (!unix_skb_scm_eq(skb, &scm))
2705 } else if (test_bit(SOCK_PASSCRED, &sock->flags)) {
2706 /* Copy credentials */
2707 scm_set_cred(&scm, UNIXCB(skb).pid, UNIXCB(skb).uid, UNIXCB(skb).gid);
2708 unix_set_secdata(&scm, skb);
2712 /* Copy address just once */
2713 if (state->msg && state->msg->msg_name) {
2714 DECLARE_SOCKADDR(struct sockaddr_un *, sunaddr,
2715 state->msg->msg_name);
2716 unix_copy_addr(state->msg, skb->sk);
2720 chunk = min_t(unsigned int, unix_skb_len(skb) - skip, size);
2722 chunk = state->recv_actor(skb, skip, chunk, state);
2723 drop_skb = !unix_skb_len(skb);
2724 /* skb is only safe to use if !drop_skb */
2735 /* the skb was touched by a concurrent reader;
2736 * we should not expect anything from this skb
2737 * anymore and assume it invalid - we can be
2738 * sure it was dropped from the socket queue
2740 * let's report a short read
2746 /* Mark read part of skb as used */
2747 if (!(flags & MSG_PEEK)) {
2748 UNIXCB(skb).consumed += chunk;
2750 sk_peek_offset_bwd(sk, chunk);
2752 if (UNIXCB(skb).fp) {
2753 scm_stat_del(sk, skb);
2754 unix_detach_fds(&scm, skb);
2757 if (unix_skb_len(skb))
2760 skb_unlink(skb, &sk->sk_receive_queue);
2766 /* It is questionable, see note in unix_dgram_recvmsg.
2769 unix_peek_fds(&scm, skb);
2771 sk_peek_offset_fwd(sk, chunk);
2778 last_len = skb->len;
2779 unix_state_lock(sk);
2780 skb = skb_peek_next(skb, &sk->sk_receive_queue);
2783 unix_state_unlock(sk);
2788 mutex_unlock(&u->iolock);
2790 scm_recv(sock, state->msg, &scm, flags);
2794 return copied ? : err;
2797 static int unix_stream_read_actor(struct sk_buff *skb,
2798 int skip, int chunk,
2799 struct unix_stream_read_state *state)
2803 ret = skb_copy_datagram_msg(skb, UNIXCB(skb).consumed + skip,
2805 return ret ?: chunk;
2808 int __unix_stream_recvmsg(struct sock *sk, struct msghdr *msg,
2809 size_t size, int flags)
2811 struct unix_stream_read_state state = {
2812 .recv_actor = unix_stream_read_actor,
2813 .socket = sk->sk_socket,
2819 return unix_stream_read_generic(&state, true);
2822 static int unix_stream_recvmsg(struct socket *sock, struct msghdr *msg,
2823 size_t size, int flags)
2825 struct unix_stream_read_state state = {
2826 .recv_actor = unix_stream_read_actor,
2833 #ifdef CONFIG_BPF_SYSCALL
2834 struct sock *sk = sock->sk;
2835 const struct proto *prot = READ_ONCE(sk->sk_prot);
2837 if (prot != &unix_stream_proto)
2838 return prot->recvmsg(sk, msg, size, flags & MSG_DONTWAIT,
2839 flags & ~MSG_DONTWAIT, NULL);
2841 return unix_stream_read_generic(&state, true);
2844 static int unix_stream_splice_actor(struct sk_buff *skb,
2845 int skip, int chunk,
2846 struct unix_stream_read_state *state)
2848 return skb_splice_bits(skb, state->socket->sk,
2849 UNIXCB(skb).consumed + skip,
2850 state->pipe, chunk, state->splice_flags);
2853 static ssize_t unix_stream_splice_read(struct socket *sock, loff_t *ppos,
2854 struct pipe_inode_info *pipe,
2855 size_t size, unsigned int flags)
2857 struct unix_stream_read_state state = {
2858 .recv_actor = unix_stream_splice_actor,
2862 .splice_flags = flags,
2865 if (unlikely(*ppos))
2868 if (sock->file->f_flags & O_NONBLOCK ||
2869 flags & SPLICE_F_NONBLOCK)
2870 state.flags = MSG_DONTWAIT;
2872 return unix_stream_read_generic(&state, false);
2875 static int unix_shutdown(struct socket *sock, int mode)
2877 struct sock *sk = sock->sk;
2880 if (mode < SHUT_RD || mode > SHUT_RDWR)
2883 * SHUT_RD (0) -> RCV_SHUTDOWN (1)
2884 * SHUT_WR (1) -> SEND_SHUTDOWN (2)
2885 * SHUT_RDWR (2) -> SHUTDOWN_MASK (3)
2889 unix_state_lock(sk);
2890 sk->sk_shutdown |= mode;
2891 other = unix_peer(sk);
2894 unix_state_unlock(sk);
2895 sk->sk_state_change(sk);
2898 (sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET)) {
2901 const struct proto *prot = READ_ONCE(other->sk_prot);
2904 prot->unhash(other);
2905 if (mode&RCV_SHUTDOWN)
2906 peer_mode |= SEND_SHUTDOWN;
2907 if (mode&SEND_SHUTDOWN)
2908 peer_mode |= RCV_SHUTDOWN;
2909 unix_state_lock(other);
2910 other->sk_shutdown |= peer_mode;
2911 unix_state_unlock(other);
2912 other->sk_state_change(other);
2913 if (peer_mode == SHUTDOWN_MASK)
2914 sk_wake_async(other, SOCK_WAKE_WAITD, POLL_HUP);
2915 else if (peer_mode & RCV_SHUTDOWN)
2916 sk_wake_async(other, SOCK_WAKE_WAITD, POLL_IN);
2924 long unix_inq_len(struct sock *sk)
2926 struct sk_buff *skb;
2929 if (sk->sk_state == TCP_LISTEN)
2932 spin_lock(&sk->sk_receive_queue.lock);
2933 if (sk->sk_type == SOCK_STREAM ||
2934 sk->sk_type == SOCK_SEQPACKET) {
2935 skb_queue_walk(&sk->sk_receive_queue, skb)
2936 amount += unix_skb_len(skb);
2938 skb = skb_peek(&sk->sk_receive_queue);
2942 spin_unlock(&sk->sk_receive_queue.lock);
2946 EXPORT_SYMBOL_GPL(unix_inq_len);
2948 long unix_outq_len(struct sock *sk)
2950 return sk_wmem_alloc_get(sk);
2952 EXPORT_SYMBOL_GPL(unix_outq_len);
2954 static int unix_open_file(struct sock *sk)
2960 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
2963 if (!smp_load_acquire(&unix_sk(sk)->addr))
2966 path = unix_sk(sk)->path;
2972 fd = get_unused_fd_flags(O_CLOEXEC);
2976 f = dentry_open(&path, O_PATH, current_cred());
2990 static int unix_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
2992 struct sock *sk = sock->sk;
2998 amount = unix_outq_len(sk);
2999 err = put_user(amount, (int __user *)arg);
3002 amount = unix_inq_len(sk);
3006 err = put_user(amount, (int __user *)arg);
3009 err = unix_open_file(sk);
3011 #if IS_ENABLED(CONFIG_AF_UNIX_OOB)
3014 struct sk_buff *skb;
3015 struct unix_sock *u = unix_sk(sk);
3018 skb = skb_peek(&sk->sk_receive_queue);
3019 if (skb && skb == u->oob_skb)
3021 err = put_user(answ, (int __user *)arg);
3032 #ifdef CONFIG_COMPAT
3033 static int unix_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
3035 return unix_ioctl(sock, cmd, (unsigned long)compat_ptr(arg));
3039 static __poll_t unix_poll(struct file *file, struct socket *sock, poll_table *wait)
3041 struct sock *sk = sock->sk;
3044 sock_poll_wait(file, sock, wait);
3047 /* exceptional events? */
3050 if (sk->sk_shutdown == SHUTDOWN_MASK)
3052 if (sk->sk_shutdown & RCV_SHUTDOWN)
3053 mask |= EPOLLRDHUP | EPOLLIN | EPOLLRDNORM;
3056 if (!skb_queue_empty_lockless(&sk->sk_receive_queue))
3057 mask |= EPOLLIN | EPOLLRDNORM;
3058 if (sk_is_readable(sk))
3059 mask |= EPOLLIN | EPOLLRDNORM;
3061 /* Connection-based need to check for termination and startup */
3062 if ((sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET) &&
3063 sk->sk_state == TCP_CLOSE)
3067 * we set writable also when the other side has shut down the
3068 * connection. This prevents stuck sockets.
3070 if (unix_writable(sk))
3071 mask |= EPOLLOUT | EPOLLWRNORM | EPOLLWRBAND;
3076 static __poll_t unix_dgram_poll(struct file *file, struct socket *sock,
3079 struct sock *sk = sock->sk, *other;
3080 unsigned int writable;
3083 sock_poll_wait(file, sock, wait);
3086 /* exceptional events? */
3087 if (sk->sk_err || !skb_queue_empty_lockless(&sk->sk_error_queue))
3089 (sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? EPOLLPRI : 0);
3091 if (sk->sk_shutdown & RCV_SHUTDOWN)
3092 mask |= EPOLLRDHUP | EPOLLIN | EPOLLRDNORM;
3093 if (sk->sk_shutdown == SHUTDOWN_MASK)
3097 if (!skb_queue_empty_lockless(&sk->sk_receive_queue))
3098 mask |= EPOLLIN | EPOLLRDNORM;
3099 if (sk_is_readable(sk))
3100 mask |= EPOLLIN | EPOLLRDNORM;
3102 /* Connection-based need to check for termination and startup */
3103 if (sk->sk_type == SOCK_SEQPACKET) {
3104 if (sk->sk_state == TCP_CLOSE)
3106 /* connection hasn't started yet? */
3107 if (sk->sk_state == TCP_SYN_SENT)
3111 /* No write status requested, avoid expensive OUT tests. */
3112 if (!(poll_requested_events(wait) & (EPOLLWRBAND|EPOLLWRNORM|EPOLLOUT)))
3115 writable = unix_writable(sk);
3117 unix_state_lock(sk);
3119 other = unix_peer(sk);
3120 if (other && unix_peer(other) != sk &&
3121 unix_recvq_full_lockless(other) &&
3122 unix_dgram_peer_wake_me(sk, other))
3125 unix_state_unlock(sk);
3129 mask |= EPOLLOUT | EPOLLWRNORM | EPOLLWRBAND;
3131 sk_set_bit(SOCKWQ_ASYNC_NOSPACE, sk);
3136 #ifdef CONFIG_PROC_FS
3138 #define BUCKET_SPACE (BITS_PER_LONG - (UNIX_HASH_BITS + 1) - 1)
3140 #define get_bucket(x) ((x) >> BUCKET_SPACE)
3141 #define get_offset(x) ((x) & ((1L << BUCKET_SPACE) - 1))
3142 #define set_bucket_offset(b, o) ((b) << BUCKET_SPACE | (o))
3144 static struct sock *unix_from_bucket(struct seq_file *seq, loff_t *pos)
3146 unsigned long offset = get_offset(*pos);
3147 unsigned long bucket = get_bucket(*pos);
3149 unsigned long count = 0;
3151 for (sk = sk_head(&unix_socket_table[bucket]); sk; sk = sk_next(sk)) {
3152 if (sock_net(sk) != seq_file_net(seq))
3154 if (++count == offset)
3161 static struct sock *unix_next_socket(struct seq_file *seq,
3165 unsigned long bucket;
3167 while (sk > (struct sock *)SEQ_START_TOKEN) {
3171 if (sock_net(sk) == seq_file_net(seq))
3176 sk = unix_from_bucket(seq, pos);
3181 bucket = get_bucket(*pos) + 1;
3182 *pos = set_bucket_offset(bucket, 1);
3183 } while (bucket < ARRAY_SIZE(unix_socket_table));
3188 static void *unix_seq_start(struct seq_file *seq, loff_t *pos)
3189 __acquires(unix_table_lock)
3191 spin_lock(&unix_table_lock);
3194 return SEQ_START_TOKEN;
3196 if (get_bucket(*pos) >= ARRAY_SIZE(unix_socket_table))
3199 return unix_next_socket(seq, NULL, pos);
3202 static void *unix_seq_next(struct seq_file *seq, void *v, loff_t *pos)
3205 return unix_next_socket(seq, v, pos);
3208 static void unix_seq_stop(struct seq_file *seq, void *v)
3209 __releases(unix_table_lock)
3211 spin_unlock(&unix_table_lock);
3214 static int unix_seq_show(struct seq_file *seq, void *v)
3217 if (v == SEQ_START_TOKEN)
3218 seq_puts(seq, "Num RefCount Protocol Flags Type St "
3222 struct unix_sock *u = unix_sk(s);
3225 seq_printf(seq, "%pK: %08X %08X %08X %04X %02X %5lu",
3227 refcount_read(&s->sk_refcnt),
3229 s->sk_state == TCP_LISTEN ? __SO_ACCEPTCON : 0,
3232 (s->sk_state == TCP_ESTABLISHED ? SS_CONNECTED : SS_UNCONNECTED) :
3233 (s->sk_state == TCP_ESTABLISHED ? SS_CONNECTING : SS_DISCONNECTING),
3236 if (u->addr) { // under unix_table_lock here
3241 len = u->addr->len -
3242 offsetof(struct sockaddr_un, sun_path);
3243 if (!UNIX_ABSTRACT(s))
3249 for ( ; i < len; i++)
3250 seq_putc(seq, u->addr->name->sun_path[i] ?:
3253 unix_state_unlock(s);
3254 seq_putc(seq, '\n');
3260 static const struct seq_operations unix_seq_ops = {
3261 .start = unix_seq_start,
3262 .next = unix_seq_next,
3263 .stop = unix_seq_stop,
3264 .show = unix_seq_show,
3267 #if IS_BUILTIN(CONFIG_UNIX) && defined(CONFIG_BPF_SYSCALL)
3268 struct bpf_iter__unix {
3269 __bpf_md_ptr(struct bpf_iter_meta *, meta);
3270 __bpf_md_ptr(struct unix_sock *, unix_sk);
3271 uid_t uid __aligned(8);
3274 static int unix_prog_seq_show(struct bpf_prog *prog, struct bpf_iter_meta *meta,
3275 struct unix_sock *unix_sk, uid_t uid)
3277 struct bpf_iter__unix ctx;
3279 meta->seq_num--; /* skip SEQ_START_TOKEN */
3281 ctx.unix_sk = unix_sk;
3283 return bpf_iter_run_prog(prog, &ctx);
3286 static int bpf_iter_unix_seq_show(struct seq_file *seq, void *v)
3288 struct bpf_iter_meta meta;
3289 struct bpf_prog *prog;
3290 struct sock *sk = v;
3293 if (v == SEQ_START_TOKEN)
3296 uid = from_kuid_munged(seq_user_ns(seq), sock_i_uid(sk));
3298 prog = bpf_iter_get_info(&meta, false);
3299 return unix_prog_seq_show(prog, &meta, v, uid);
3302 static void bpf_iter_unix_seq_stop(struct seq_file *seq, void *v)
3304 struct bpf_iter_meta meta;
3305 struct bpf_prog *prog;
3309 prog = bpf_iter_get_info(&meta, true);
3311 (void)unix_prog_seq_show(prog, &meta, v, 0);
3314 unix_seq_stop(seq, v);
3317 static const struct seq_operations bpf_iter_unix_seq_ops = {
3318 .start = unix_seq_start,
3319 .next = unix_seq_next,
3320 .stop = bpf_iter_unix_seq_stop,
3321 .show = bpf_iter_unix_seq_show,
3326 static const struct net_proto_family unix_family_ops = {
3328 .create = unix_create,
3329 .owner = THIS_MODULE,
3333 static int __net_init unix_net_init(struct net *net)
3335 int error = -ENOMEM;
3337 net->unx.sysctl_max_dgram_qlen = 10;
3338 if (unix_sysctl_register(net))
3341 #ifdef CONFIG_PROC_FS
3342 if (!proc_create_net("unix", 0, net->proc_net, &unix_seq_ops,
3343 sizeof(struct seq_net_private))) {
3344 unix_sysctl_unregister(net);
3353 static void __net_exit unix_net_exit(struct net *net)
3355 unix_sysctl_unregister(net);
3356 remove_proc_entry("unix", net->proc_net);
3359 static struct pernet_operations unix_net_ops = {
3360 .init = unix_net_init,
3361 .exit = unix_net_exit,
3364 #if IS_BUILTIN(CONFIG_UNIX) && defined(CONFIG_BPF_SYSCALL) && defined(CONFIG_PROC_FS)
3365 DEFINE_BPF_ITER_FUNC(unix, struct bpf_iter_meta *meta,
3366 struct unix_sock *unix_sk, uid_t uid)
3368 static const struct bpf_iter_seq_info unix_seq_info = {
3369 .seq_ops = &bpf_iter_unix_seq_ops,
3370 .init_seq_private = bpf_iter_init_seq_net,
3371 .fini_seq_private = bpf_iter_fini_seq_net,
3372 .seq_priv_size = sizeof(struct seq_net_private),
3375 static struct bpf_iter_reg unix_reg_info = {
3377 .ctx_arg_info_size = 1,
3379 { offsetof(struct bpf_iter__unix, unix_sk),
3380 PTR_TO_BTF_ID_OR_NULL },
3382 .seq_info = &unix_seq_info,
3385 static void __init bpf_iter_register(void)
3387 unix_reg_info.ctx_arg_info[0].btf_id = btf_sock_ids[BTF_SOCK_TYPE_UNIX];
3388 if (bpf_iter_reg_target(&unix_reg_info))
3389 pr_warn("Warning: could not register bpf iterator unix\n");
3393 static int __init af_unix_init(void)
3397 BUILD_BUG_ON(sizeof(struct unix_skb_parms) > sizeof_field(struct sk_buff, cb));
3399 rc = proto_register(&unix_dgram_proto, 1);
3401 pr_crit("%s: Cannot create unix_sock SLAB cache!\n", __func__);
3405 rc = proto_register(&unix_stream_proto, 1);
3407 pr_crit("%s: Cannot create unix_sock SLAB cache!\n", __func__);
3411 sock_register(&unix_family_ops);
3412 register_pernet_subsys(&unix_net_ops);
3413 unix_bpf_build_proto();
3415 #if IS_BUILTIN(CONFIG_UNIX) && defined(CONFIG_BPF_SYSCALL) && defined(CONFIG_PROC_FS)
3416 bpf_iter_register();
3423 static void __exit af_unix_exit(void)
3425 sock_unregister(PF_UNIX);
3426 proto_unregister(&unix_dgram_proto);
3427 proto_unregister(&unix_stream_proto);
3428 unregister_pernet_subsys(&unix_net_ops);
3431 /* Earlier than device_initcall() so that other drivers invoking
3432 request_module() don't end up in a loop when modprobe tries
3433 to use a UNIX socket. But later than subsys_initcall() because
3434 we depend on stuff initialised there */
3435 fs_initcall(af_unix_init);
3436 module_exit(af_unix_exit);
3438 MODULE_LICENSE("GPL");
3439 MODULE_ALIAS_NETPROTO(PF_UNIX);