1 // SPDX-License-Identifier: GPL-2.0-or-later
3 * NET4: Implementation of BSD Unix domain sockets.
5 * Authors: Alan Cox, <alan@lxorguk.ukuu.org.uk>
8 * Linus Torvalds : Assorted bug cures.
9 * Niibe Yutaka : async I/O support.
10 * Carsten Paeth : PF_UNIX check, address fixes.
11 * Alan Cox : Limit size of allocated blocks.
12 * Alan Cox : Fixed the stupid socketpair bug.
13 * Alan Cox : BSD compatibility fine tuning.
14 * Alan Cox : Fixed a bug in connect when interrupted.
15 * Alan Cox : Sorted out a proper draft version of
16 * file descriptor passing hacked up from
18 * Marty Leisner : Fixes to fd passing
19 * Nick Nevin : recvmsg bugfix.
20 * Alan Cox : Started proper garbage collector
21 * Heiko EiBfeldt : Missing verify_area check
22 * Alan Cox : Started POSIXisms
23 * Andreas Schwab : Replace inode by dentry for proper
25 * Kirk Petersen : Made this a module
26 * Christoph Rohland : Elegant non-blocking accept/connect algorithm.
28 * Alexey Kuznetosv : Repaired (I hope) bugs introduces
29 * by above two patches.
30 * Andrea Arcangeli : If possible we block in connect(2)
31 * if the max backlog of the listen socket
32 * is been reached. This won't break
33 * old apps and it will avoid huge amount
34 * of socks hashed (this for unix_gc()
35 * performances reasons).
36 * Security fix that limits the max
37 * number of socks to 2*max_files and
38 * the number of skb queueable in the
40 * Artur Skawina : Hash function optimizations
41 * Alexey Kuznetsov : Full scale SMP. Lot of bugs are introduced 8)
42 * Malcolm Beattie : Set peercred for socketpair
43 * Michal Ostrowski : Module initialization cleanup.
44 * Arnaldo C. Melo : Remove MOD_{INC,DEC}_USE_COUNT,
45 * the core infrastructure is doing that
46 * for all net proto families now (2.5.69+)
48 * Known differences from reference BSD that was tested:
51 * ECONNREFUSED is not returned from one end of a connected() socket to the
52 * other the moment one end closes.
53 * fstat() doesn't return st_dev=0, and give the blksize as high water mark
54 * and a fake inode identifier (nor the BSD first socket fstat twice bug).
56 * accept() returns a path name even if the connecting socket has closed
57 * in the meantime (BSD loses the path and gives up).
58 * accept() returns 0 length path for an unbound connector. BSD returns 16
59 * and a null first byte in the path (but not for gethost/peername - BSD bug ??)
60 * socketpair(...SOCK_RAW..) doesn't panic the kernel.
61 * BSD af_unix apparently has connect forgetting to block properly.
62 * (need to check this with the POSIX spec in detail)
64 * Differences from 2.0.0-11-... (ANK)
65 * Bug fixes and improvements.
66 * - client shutdown killed server socket.
67 * - removed all useless cli/sti pairs.
69 * Semantic changes/extensions.
70 * - generic control message passing.
71 * - SCM_CREDENTIALS control message.
72 * - "Abstract" (not FS based) socket bindings.
73 * Abstract names are sequences of bytes (not zero terminated)
74 * started by 0, so that this name space does not intersect
78 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
80 #include <linux/module.h>
81 #include <linux/kernel.h>
82 #include <linux/signal.h>
83 #include <linux/sched/signal.h>
84 #include <linux/errno.h>
85 #include <linux/string.h>
86 #include <linux/stat.h>
87 #include <linux/dcache.h>
88 #include <linux/namei.h>
89 #include <linux/socket.h>
91 #include <linux/fcntl.h>
92 #include <linux/filter.h>
93 #include <linux/termios.h>
94 #include <linux/sockios.h>
95 #include <linux/net.h>
98 #include <linux/slab.h>
99 #include <linux/uaccess.h>
100 #include <linux/skbuff.h>
101 #include <linux/netdevice.h>
102 #include <net/net_namespace.h>
103 #include <net/sock.h>
104 #include <net/tcp_states.h>
105 #include <net/af_unix.h>
106 #include <linux/proc_fs.h>
107 #include <linux/seq_file.h>
109 #include <linux/init.h>
110 #include <linux/poll.h>
111 #include <linux/rtnetlink.h>
112 #include <linux/mount.h>
113 #include <net/checksum.h>
114 #include <linux/security.h>
115 #include <linux/splice.h>
116 #include <linux/freezer.h>
117 #include <linux/file.h>
118 #include <linux/btf_ids.h>
119 #include <linux/bpf-cgroup.h>
121 static atomic_long_t unix_nr_socks;
122 static struct hlist_head bsd_socket_buckets[UNIX_HASH_SIZE / 2];
123 static spinlock_t bsd_socket_locks[UNIX_HASH_SIZE / 2];
125 /* SMP locking strategy:
126 * hash table is protected with spinlock.
127 * each socket state is protected by separate spinlock.
129 #ifdef CONFIG_PROVE_LOCKING
130 #define cmp_ptr(l, r) (((l) > (r)) - ((l) < (r)))
132 static int unix_table_lock_cmp_fn(const struct lockdep_map *a,
133 const struct lockdep_map *b)
135 return cmp_ptr(a, b);
138 static int unix_state_lock_cmp_fn(const struct lockdep_map *_a,
139 const struct lockdep_map *_b)
141 const struct unix_sock *a, *b;
143 a = container_of(_a, struct unix_sock, lock.dep_map);
144 b = container_of(_b, struct unix_sock, lock.dep_map);
146 if (a->sk.sk_state == TCP_LISTEN) {
147 /* unix_stream_connect(): Before the 2nd unix_state_lock(),
149 * 1. a is TCP_LISTEN.
151 * 3. concurrent connect(b -> a) must fail.
153 * Except for 2. & 3., the b's state can be any possible
154 * value due to concurrent connect() or listen().
156 * 2. is detected in debug_spin_lock_before(), and 3. cannot
157 * be expressed as lock_cmp_fn.
159 switch (b->sk.sk_state) {
161 case TCP_ESTABLISHED:
170 /* Should never happen. Just to be symmetric. */
171 if (b->sk.sk_state == TCP_LISTEN) {
172 switch (b->sk.sk_state) {
174 case TCP_ESTABLISHED:
181 /* unix_state_double_lock(): ascending address order. */
182 return cmp_ptr(a, b);
185 static int unix_recvq_lock_cmp_fn(const struct lockdep_map *_a,
186 const struct lockdep_map *_b)
188 const struct sock *a, *b;
190 a = container_of(_a, struct sock, sk_receive_queue.lock.dep_map);
191 b = container_of(_b, struct sock, sk_receive_queue.lock.dep_map);
193 /* unix_collect_skb(): listener -> embryo order. */
194 if (a->sk_state == TCP_LISTEN && unix_sk(b)->listener == a)
197 /* Should never happen. Just to be symmetric. */
198 if (b->sk_state == TCP_LISTEN && unix_sk(a)->listener == b)
205 static unsigned int unix_unbound_hash(struct sock *sk)
207 unsigned long hash = (unsigned long)sk;
213 return hash & UNIX_HASH_MOD;
216 static unsigned int unix_bsd_hash(struct inode *i)
218 return i->i_ino & UNIX_HASH_MOD;
221 static unsigned int unix_abstract_hash(struct sockaddr_un *sunaddr,
222 int addr_len, int type)
224 __wsum csum = csum_partial(sunaddr, addr_len, 0);
227 hash = (__force unsigned int)csum_fold(csum);
231 return UNIX_HASH_MOD + 1 + (hash & UNIX_HASH_MOD);
234 static void unix_table_double_lock(struct net *net,
235 unsigned int hash1, unsigned int hash2)
237 if (hash1 == hash2) {
238 spin_lock(&net->unx.table.locks[hash1]);
245 spin_lock(&net->unx.table.locks[hash1]);
246 spin_lock(&net->unx.table.locks[hash2]);
249 static void unix_table_double_unlock(struct net *net,
250 unsigned int hash1, unsigned int hash2)
252 if (hash1 == hash2) {
253 spin_unlock(&net->unx.table.locks[hash1]);
257 spin_unlock(&net->unx.table.locks[hash1]);
258 spin_unlock(&net->unx.table.locks[hash2]);
261 #ifdef CONFIG_SECURITY_NETWORK
262 static void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb)
264 UNIXCB(skb).secid = scm->secid;
267 static inline void unix_set_secdata(struct scm_cookie *scm, struct sk_buff *skb)
269 scm->secid = UNIXCB(skb).secid;
272 static inline bool unix_secdata_eq(struct scm_cookie *scm, struct sk_buff *skb)
274 return (scm->secid == UNIXCB(skb).secid);
277 static inline void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb)
280 static inline void unix_set_secdata(struct scm_cookie *scm, struct sk_buff *skb)
283 static inline bool unix_secdata_eq(struct scm_cookie *scm, struct sk_buff *skb)
287 #endif /* CONFIG_SECURITY_NETWORK */
289 static inline int unix_our_peer(struct sock *sk, struct sock *osk)
291 return unix_peer(osk) == sk;
294 static inline int unix_may_send(struct sock *sk, struct sock *osk)
296 return unix_peer(osk) == NULL || unix_our_peer(sk, osk);
299 static inline int unix_recvq_full_lockless(const struct sock *sk)
301 return skb_queue_len_lockless(&sk->sk_receive_queue) > sk->sk_max_ack_backlog;
304 struct sock *unix_peer_get(struct sock *s)
312 unix_state_unlock(s);
315 EXPORT_SYMBOL_GPL(unix_peer_get);
317 static struct unix_address *unix_create_addr(struct sockaddr_un *sunaddr,
320 struct unix_address *addr;
322 addr = kmalloc(sizeof(*addr) + addr_len, GFP_KERNEL);
326 refcount_set(&addr->refcnt, 1);
327 addr->len = addr_len;
328 memcpy(addr->name, sunaddr, addr_len);
333 static inline void unix_release_addr(struct unix_address *addr)
335 if (refcount_dec_and_test(&addr->refcnt))
340 * Check unix socket name:
341 * - should be not zero length.
342 * - if started by not zero, should be NULL terminated (FS object)
343 * - if started by zero, it is abstract name.
346 static int unix_validate_addr(struct sockaddr_un *sunaddr, int addr_len)
348 if (addr_len <= offsetof(struct sockaddr_un, sun_path) ||
349 addr_len > sizeof(*sunaddr))
352 if (sunaddr->sun_family != AF_UNIX)
358 static int unix_mkname_bsd(struct sockaddr_un *sunaddr, int addr_len)
360 struct sockaddr_storage *addr = (struct sockaddr_storage *)sunaddr;
361 short offset = offsetof(struct sockaddr_storage, __data);
363 BUILD_BUG_ON(offset != offsetof(struct sockaddr_un, sun_path));
365 /* This may look like an off by one error but it is a bit more
366 * subtle. 108 is the longest valid AF_UNIX path for a binding.
367 * sun_path[108] doesn't as such exist. However in kernel space
368 * we are guaranteed that it is a valid memory location in our
369 * kernel address buffer because syscall functions always pass
370 * a pointer of struct sockaddr_storage which has a bigger buffer
371 * than 108. Also, we must terminate sun_path for strlen() in
374 addr->__data[addr_len - offset] = 0;
376 /* Don't pass sunaddr->sun_path to strlen(). Otherwise, 108 will
377 * cause panic if CONFIG_FORTIFY_SOURCE=y. Let __fortify_strlen()
378 * know the actual buffer.
380 return strlen(addr->__data) + offset + 1;
383 static void __unix_remove_socket(struct sock *sk)
385 sk_del_node_init(sk);
388 static void __unix_insert_socket(struct net *net, struct sock *sk)
390 DEBUG_NET_WARN_ON_ONCE(!sk_unhashed(sk));
391 sk_add_node(sk, &net->unx.table.buckets[sk->sk_hash]);
394 static void __unix_set_addr_hash(struct net *net, struct sock *sk,
395 struct unix_address *addr, unsigned int hash)
397 __unix_remove_socket(sk);
398 smp_store_release(&unix_sk(sk)->addr, addr);
401 __unix_insert_socket(net, sk);
404 static void unix_remove_socket(struct net *net, struct sock *sk)
406 spin_lock(&net->unx.table.locks[sk->sk_hash]);
407 __unix_remove_socket(sk);
408 spin_unlock(&net->unx.table.locks[sk->sk_hash]);
411 static void unix_insert_unbound_socket(struct net *net, struct sock *sk)
413 spin_lock(&net->unx.table.locks[sk->sk_hash]);
414 __unix_insert_socket(net, sk);
415 spin_unlock(&net->unx.table.locks[sk->sk_hash]);
418 static void unix_insert_bsd_socket(struct sock *sk)
420 spin_lock(&bsd_socket_locks[sk->sk_hash]);
421 sk_add_bind_node(sk, &bsd_socket_buckets[sk->sk_hash]);
422 spin_unlock(&bsd_socket_locks[sk->sk_hash]);
425 static void unix_remove_bsd_socket(struct sock *sk)
427 if (!hlist_unhashed(&sk->sk_bind_node)) {
428 spin_lock(&bsd_socket_locks[sk->sk_hash]);
429 __sk_del_bind_node(sk);
430 spin_unlock(&bsd_socket_locks[sk->sk_hash]);
432 sk_node_init(&sk->sk_bind_node);
436 static struct sock *__unix_find_socket_byname(struct net *net,
437 struct sockaddr_un *sunname,
438 int len, unsigned int hash)
442 sk_for_each(s, &net->unx.table.buckets[hash]) {
443 struct unix_sock *u = unix_sk(s);
445 if (u->addr->len == len &&
446 !memcmp(u->addr->name, sunname, len))
452 static inline struct sock *unix_find_socket_byname(struct net *net,
453 struct sockaddr_un *sunname,
454 int len, unsigned int hash)
458 spin_lock(&net->unx.table.locks[hash]);
459 s = __unix_find_socket_byname(net, sunname, len, hash);
462 spin_unlock(&net->unx.table.locks[hash]);
466 static struct sock *unix_find_socket_byinode(struct inode *i)
468 unsigned int hash = unix_bsd_hash(i);
471 spin_lock(&bsd_socket_locks[hash]);
472 sk_for_each_bound(s, &bsd_socket_buckets[hash]) {
473 struct dentry *dentry = unix_sk(s)->path.dentry;
475 if (dentry && d_backing_inode(dentry) == i) {
477 spin_unlock(&bsd_socket_locks[hash]);
481 spin_unlock(&bsd_socket_locks[hash]);
485 /* Support code for asymmetrically connected dgram sockets
487 * If a datagram socket is connected to a socket not itself connected
488 * to the first socket (eg, /dev/log), clients may only enqueue more
489 * messages if the present receive queue of the server socket is not
490 * "too large". This means there's a second writeability condition
491 * poll and sendmsg need to test. The dgram recv code will do a wake
492 * up on the peer_wait wait queue of a socket upon reception of a
493 * datagram which needs to be propagated to sleeping would-be writers
494 * since these might not have sent anything so far. This can't be
495 * accomplished via poll_wait because the lifetime of the server
496 * socket might be less than that of its clients if these break their
497 * association with it or if the server socket is closed while clients
498 * are still connected to it and there's no way to inform "a polling
499 * implementation" that it should let go of a certain wait queue
501 * In order to propagate a wake up, a wait_queue_entry_t of the client
502 * socket is enqueued on the peer_wait queue of the server socket
503 * whose wake function does a wake_up on the ordinary client socket
504 * wait queue. This connection is established whenever a write (or
505 * poll for write) hit the flow control condition and broken when the
506 * association to the server socket is dissolved or after a wake up
510 static int unix_dgram_peer_wake_relay(wait_queue_entry_t *q, unsigned mode, int flags,
514 wait_queue_head_t *u_sleep;
516 u = container_of(q, struct unix_sock, peer_wake);
518 __remove_wait_queue(&unix_sk(u->peer_wake.private)->peer_wait,
520 u->peer_wake.private = NULL;
522 /* relaying can only happen while the wq still exists */
523 u_sleep = sk_sleep(&u->sk);
525 wake_up_interruptible_poll(u_sleep, key_to_poll(key));
530 static int unix_dgram_peer_wake_connect(struct sock *sk, struct sock *other)
532 struct unix_sock *u, *u_other;
536 u_other = unix_sk(other);
538 spin_lock(&u_other->peer_wait.lock);
540 if (!u->peer_wake.private) {
541 u->peer_wake.private = other;
542 __add_wait_queue(&u_other->peer_wait, &u->peer_wake);
547 spin_unlock(&u_other->peer_wait.lock);
551 static void unix_dgram_peer_wake_disconnect(struct sock *sk,
554 struct unix_sock *u, *u_other;
557 u_other = unix_sk(other);
558 spin_lock(&u_other->peer_wait.lock);
560 if (u->peer_wake.private == other) {
561 __remove_wait_queue(&u_other->peer_wait, &u->peer_wake);
562 u->peer_wake.private = NULL;
565 spin_unlock(&u_other->peer_wait.lock);
568 static void unix_dgram_peer_wake_disconnect_wakeup(struct sock *sk,
571 unix_dgram_peer_wake_disconnect(sk, other);
572 wake_up_interruptible_poll(sk_sleep(sk),
579 * - unix_peer(sk) == other
580 * - association is stable
582 static int unix_dgram_peer_wake_me(struct sock *sk, struct sock *other)
586 connected = unix_dgram_peer_wake_connect(sk, other);
588 /* If other is SOCK_DEAD, we want to make sure we signal
589 * POLLOUT, such that a subsequent write() can get a
590 * -ECONNREFUSED. Otherwise, if we haven't queued any skbs
591 * to other and its full, we will hang waiting for POLLOUT.
593 if (unix_recvq_full_lockless(other) && !sock_flag(other, SOCK_DEAD))
597 unix_dgram_peer_wake_disconnect(sk, other);
602 static int unix_writable(const struct sock *sk, unsigned char state)
604 return state != TCP_LISTEN &&
605 (refcount_read(&sk->sk_wmem_alloc) << 2) <= READ_ONCE(sk->sk_sndbuf);
608 static void unix_write_space(struct sock *sk)
610 struct socket_wq *wq;
613 if (unix_writable(sk, READ_ONCE(sk->sk_state))) {
614 wq = rcu_dereference(sk->sk_wq);
615 if (skwq_has_sleeper(wq))
616 wake_up_interruptible_sync_poll(&wq->wait,
617 EPOLLOUT | EPOLLWRNORM | EPOLLWRBAND);
618 sk_wake_async_rcu(sk, SOCK_WAKE_SPACE, POLL_OUT);
623 /* When dgram socket disconnects (or changes its peer), we clear its receive
624 * queue of packets arrived from previous peer. First, it allows to do
625 * flow control based only on wmem_alloc; second, sk connected to peer
626 * may receive messages only from that peer. */
627 static void unix_dgram_disconnected(struct sock *sk, struct sock *other)
629 if (!skb_queue_empty(&sk->sk_receive_queue)) {
630 skb_queue_purge(&sk->sk_receive_queue);
631 wake_up_interruptible_all(&unix_sk(sk)->peer_wait);
633 /* If one link of bidirectional dgram pipe is disconnected,
634 * we signal error. Messages are lost. Do not make this,
635 * when peer was not connected to us.
637 if (!sock_flag(other, SOCK_DEAD) && unix_peer(other) == sk) {
638 WRITE_ONCE(other->sk_err, ECONNRESET);
639 sk_error_report(other);
644 static void unix_sock_destructor(struct sock *sk)
646 struct unix_sock *u = unix_sk(sk);
648 skb_queue_purge(&sk->sk_receive_queue);
650 DEBUG_NET_WARN_ON_ONCE(refcount_read(&sk->sk_wmem_alloc));
651 DEBUG_NET_WARN_ON_ONCE(!sk_unhashed(sk));
652 DEBUG_NET_WARN_ON_ONCE(sk->sk_socket);
653 if (!sock_flag(sk, SOCK_DEAD)) {
654 pr_info("Attempt to release alive unix socket: %p\n", sk);
659 unix_release_addr(u->addr);
661 atomic_long_dec(&unix_nr_socks);
662 sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
663 #ifdef UNIX_REFCNT_DEBUG
664 pr_debug("UNIX %p is destroyed, %ld are still alive.\n", sk,
665 atomic_long_read(&unix_nr_socks));
669 static void unix_release_sock(struct sock *sk, int embrion)
671 struct unix_sock *u = unix_sk(sk);
677 unix_remove_socket(sock_net(sk), sk);
678 unix_remove_bsd_socket(sk);
683 WRITE_ONCE(sk->sk_shutdown, SHUTDOWN_MASK);
685 u->path.dentry = NULL;
687 state = sk->sk_state;
688 WRITE_ONCE(sk->sk_state, TCP_CLOSE);
690 skpair = unix_peer(sk);
691 unix_peer(sk) = NULL;
693 unix_state_unlock(sk);
695 #if IS_ENABLED(CONFIG_AF_UNIX_OOB)
699 wake_up_interruptible_all(&u->peer_wait);
701 if (skpair != NULL) {
702 if (sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET) {
703 unix_state_lock(skpair);
705 WRITE_ONCE(skpair->sk_shutdown, SHUTDOWN_MASK);
706 if (!skb_queue_empty_lockless(&sk->sk_receive_queue) || embrion)
707 WRITE_ONCE(skpair->sk_err, ECONNRESET);
708 unix_state_unlock(skpair);
709 skpair->sk_state_change(skpair);
710 sk_wake_async(skpair, SOCK_WAKE_WAITD, POLL_HUP);
713 unix_dgram_peer_wake_disconnect(sk, skpair);
714 sock_put(skpair); /* It may now die */
717 /* Try to flush out this socket. Throw out buffers at least */
719 while ((skb = skb_dequeue(&sk->sk_receive_queue)) != NULL) {
720 if (state == TCP_LISTEN)
721 unix_release_sock(skb->sk, 1);
723 /* passed fds are erased in the kfree_skb hook */
732 /* ---- Socket is dead now and most probably destroyed ---- */
735 * Fixme: BSD difference: In BSD all sockets connected to us get
736 * ECONNRESET and we die on the spot. In Linux we behave
737 * like files and pipes do and wait for the last
740 * Can't we simply set sock->err?
742 * What the above comment does talk about? --ANK(980817)
745 if (READ_ONCE(unix_tot_inflight))
746 unix_gc(); /* Garbage collect fds */
749 static void init_peercred(struct sock *sk)
751 sk->sk_peer_pid = get_pid(task_tgid(current));
752 sk->sk_peer_cred = get_current_cred();
755 static void update_peercred(struct sock *sk)
757 const struct cred *old_cred;
760 spin_lock(&sk->sk_peer_lock);
761 old_pid = sk->sk_peer_pid;
762 old_cred = sk->sk_peer_cred;
764 spin_unlock(&sk->sk_peer_lock);
770 static void copy_peercred(struct sock *sk, struct sock *peersk)
772 lockdep_assert_held(&unix_sk(peersk)->lock);
774 spin_lock(&sk->sk_peer_lock);
775 sk->sk_peer_pid = get_pid(peersk->sk_peer_pid);
776 sk->sk_peer_cred = get_cred(peersk->sk_peer_cred);
777 spin_unlock(&sk->sk_peer_lock);
780 static int unix_listen(struct socket *sock, int backlog)
783 struct sock *sk = sock->sk;
784 struct unix_sock *u = unix_sk(sk);
787 if (sock->type != SOCK_STREAM && sock->type != SOCK_SEQPACKET)
788 goto out; /* Only stream/seqpacket sockets accept */
790 if (!READ_ONCE(u->addr))
791 goto out; /* No listens on an unbound socket */
793 if (sk->sk_state != TCP_CLOSE && sk->sk_state != TCP_LISTEN)
795 if (backlog > sk->sk_max_ack_backlog)
796 wake_up_interruptible_all(&u->peer_wait);
797 sk->sk_max_ack_backlog = backlog;
798 WRITE_ONCE(sk->sk_state, TCP_LISTEN);
800 /* set credentials so connect can copy them */
805 unix_state_unlock(sk);
810 static int unix_release(struct socket *);
811 static int unix_bind(struct socket *, struct sockaddr *, int);
812 static int unix_stream_connect(struct socket *, struct sockaddr *,
813 int addr_len, int flags);
814 static int unix_socketpair(struct socket *, struct socket *);
815 static int unix_accept(struct socket *, struct socket *, struct proto_accept_arg *arg);
816 static int unix_getname(struct socket *, struct sockaddr *, int);
817 static __poll_t unix_poll(struct file *, struct socket *, poll_table *);
818 static __poll_t unix_dgram_poll(struct file *, struct socket *,
820 static int unix_ioctl(struct socket *, unsigned int, unsigned long);
822 static int unix_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg);
824 static int unix_shutdown(struct socket *, int);
825 static int unix_stream_sendmsg(struct socket *, struct msghdr *, size_t);
826 static int unix_stream_recvmsg(struct socket *, struct msghdr *, size_t, int);
827 static ssize_t unix_stream_splice_read(struct socket *, loff_t *ppos,
828 struct pipe_inode_info *, size_t size,
830 static int unix_dgram_sendmsg(struct socket *, struct msghdr *, size_t);
831 static int unix_dgram_recvmsg(struct socket *, struct msghdr *, size_t, int);
832 static int unix_read_skb(struct sock *sk, skb_read_actor_t recv_actor);
833 static int unix_stream_read_skb(struct sock *sk, skb_read_actor_t recv_actor);
834 static int unix_dgram_connect(struct socket *, struct sockaddr *,
836 static int unix_seqpacket_sendmsg(struct socket *, struct msghdr *, size_t);
837 static int unix_seqpacket_recvmsg(struct socket *, struct msghdr *, size_t,
840 #ifdef CONFIG_PROC_FS
841 static int unix_count_nr_fds(struct sock *sk)
847 spin_lock(&sk->sk_receive_queue.lock);
848 skb = skb_peek(&sk->sk_receive_queue);
850 u = unix_sk(skb->sk);
851 nr_fds += atomic_read(&u->scm_stat.nr_fds);
852 skb = skb_peek_next(skb, &sk->sk_receive_queue);
854 spin_unlock(&sk->sk_receive_queue.lock);
859 static void unix_show_fdinfo(struct seq_file *m, struct socket *sock)
861 struct sock *sk = sock->sk;
862 unsigned char s_state;
867 s_state = READ_ONCE(sk->sk_state);
870 /* SOCK_STREAM and SOCK_SEQPACKET sockets never change their
871 * sk_state after switching to TCP_ESTABLISHED or TCP_LISTEN.
872 * SOCK_DGRAM is ordinary. So, no lock is needed.
874 if (sock->type == SOCK_DGRAM || s_state == TCP_ESTABLISHED)
875 nr_fds = atomic_read(&u->scm_stat.nr_fds);
876 else if (s_state == TCP_LISTEN)
877 nr_fds = unix_count_nr_fds(sk);
879 seq_printf(m, "scm_fds: %u\n", nr_fds);
883 #define unix_show_fdinfo NULL
886 static const struct proto_ops unix_stream_ops = {
888 .owner = THIS_MODULE,
889 .release = unix_release,
891 .connect = unix_stream_connect,
892 .socketpair = unix_socketpair,
893 .accept = unix_accept,
894 .getname = unix_getname,
898 .compat_ioctl = unix_compat_ioctl,
900 .listen = unix_listen,
901 .shutdown = unix_shutdown,
902 .sendmsg = unix_stream_sendmsg,
903 .recvmsg = unix_stream_recvmsg,
904 .read_skb = unix_stream_read_skb,
905 .mmap = sock_no_mmap,
906 .splice_read = unix_stream_splice_read,
907 .set_peek_off = sk_set_peek_off,
908 .show_fdinfo = unix_show_fdinfo,
911 static const struct proto_ops unix_dgram_ops = {
913 .owner = THIS_MODULE,
914 .release = unix_release,
916 .connect = unix_dgram_connect,
917 .socketpair = unix_socketpair,
918 .accept = sock_no_accept,
919 .getname = unix_getname,
920 .poll = unix_dgram_poll,
923 .compat_ioctl = unix_compat_ioctl,
925 .listen = sock_no_listen,
926 .shutdown = unix_shutdown,
927 .sendmsg = unix_dgram_sendmsg,
928 .read_skb = unix_read_skb,
929 .recvmsg = unix_dgram_recvmsg,
930 .mmap = sock_no_mmap,
931 .set_peek_off = sk_set_peek_off,
932 .show_fdinfo = unix_show_fdinfo,
935 static const struct proto_ops unix_seqpacket_ops = {
937 .owner = THIS_MODULE,
938 .release = unix_release,
940 .connect = unix_stream_connect,
941 .socketpair = unix_socketpair,
942 .accept = unix_accept,
943 .getname = unix_getname,
944 .poll = unix_dgram_poll,
947 .compat_ioctl = unix_compat_ioctl,
949 .listen = unix_listen,
950 .shutdown = unix_shutdown,
951 .sendmsg = unix_seqpacket_sendmsg,
952 .recvmsg = unix_seqpacket_recvmsg,
953 .mmap = sock_no_mmap,
954 .set_peek_off = sk_set_peek_off,
955 .show_fdinfo = unix_show_fdinfo,
958 static void unix_close(struct sock *sk, long timeout)
960 /* Nothing to do here, unix socket does not need a ->close().
961 * This is merely for sockmap.
965 static void unix_unhash(struct sock *sk)
967 /* Nothing to do here, unix socket does not need a ->unhash().
968 * This is merely for sockmap.
972 static bool unix_bpf_bypass_getsockopt(int level, int optname)
974 if (level == SOL_SOCKET) {
986 struct proto unix_dgram_proto = {
988 .owner = THIS_MODULE,
989 .obj_size = sizeof(struct unix_sock),
991 .bpf_bypass_getsockopt = unix_bpf_bypass_getsockopt,
992 #ifdef CONFIG_BPF_SYSCALL
993 .psock_update_sk_prot = unix_dgram_bpf_update_proto,
997 struct proto unix_stream_proto = {
998 .name = "UNIX-STREAM",
999 .owner = THIS_MODULE,
1000 .obj_size = sizeof(struct unix_sock),
1001 .close = unix_close,
1002 .unhash = unix_unhash,
1003 .bpf_bypass_getsockopt = unix_bpf_bypass_getsockopt,
1004 #ifdef CONFIG_BPF_SYSCALL
1005 .psock_update_sk_prot = unix_stream_bpf_update_proto,
1009 static struct sock *unix_create1(struct net *net, struct socket *sock, int kern, int type)
1011 struct unix_sock *u;
1015 atomic_long_inc(&unix_nr_socks);
1016 if (atomic_long_read(&unix_nr_socks) > 2 * get_max_files()) {
1021 if (type == SOCK_STREAM)
1022 sk = sk_alloc(net, PF_UNIX, GFP_KERNEL, &unix_stream_proto, kern);
1023 else /*dgram and seqpacket */
1024 sk = sk_alloc(net, PF_UNIX, GFP_KERNEL, &unix_dgram_proto, kern);
1031 sock_init_data(sock, sk);
1033 sk->sk_hash = unix_unbound_hash(sk);
1034 sk->sk_allocation = GFP_KERNEL_ACCOUNT;
1035 sk->sk_write_space = unix_write_space;
1036 sk->sk_max_ack_backlog = READ_ONCE(net->unx.sysctl_max_dgram_qlen);
1037 sk->sk_destruct = unix_sock_destructor;
1038 lock_set_cmp_fn(&sk->sk_receive_queue.lock, unix_recvq_lock_cmp_fn, NULL);
1043 u->path.dentry = NULL;
1045 spin_lock_init(&u->lock);
1046 lock_set_cmp_fn(&u->lock, unix_state_lock_cmp_fn, NULL);
1047 mutex_init(&u->iolock); /* single task reading lock */
1048 mutex_init(&u->bindlock); /* single task binding lock */
1049 init_waitqueue_head(&u->peer_wait);
1050 init_waitqueue_func_entry(&u->peer_wake, unix_dgram_peer_wake_relay);
1051 memset(&u->scm_stat, 0, sizeof(struct scm_stat));
1052 unix_insert_unbound_socket(net, sk);
1054 sock_prot_inuse_add(net, sk->sk_prot, 1);
1059 atomic_long_dec(&unix_nr_socks);
1060 return ERR_PTR(err);
1063 static int unix_create(struct net *net, struct socket *sock, int protocol,
1068 if (protocol && protocol != PF_UNIX)
1069 return -EPROTONOSUPPORT;
1071 sock->state = SS_UNCONNECTED;
1073 switch (sock->type) {
1075 sock->ops = &unix_stream_ops;
1078 * Believe it or not BSD has AF_UNIX, SOCK_RAW though
1082 sock->type = SOCK_DGRAM;
1085 sock->ops = &unix_dgram_ops;
1087 case SOCK_SEQPACKET:
1088 sock->ops = &unix_seqpacket_ops;
1091 return -ESOCKTNOSUPPORT;
1094 sk = unix_create1(net, sock, kern, sock->type);
1101 static int unix_release(struct socket *sock)
1103 struct sock *sk = sock->sk;
1108 sk->sk_prot->close(sk, 0);
1109 unix_release_sock(sk, 0);
1115 static struct sock *unix_find_bsd(struct sockaddr_un *sunaddr, int addr_len,
1118 struct inode *inode;
1123 unix_mkname_bsd(sunaddr, addr_len);
1124 err = kern_path(sunaddr->sun_path, LOOKUP_FOLLOW, &path);
1128 err = path_permission(&path, MAY_WRITE);
1132 err = -ECONNREFUSED;
1133 inode = d_backing_inode(path.dentry);
1134 if (!S_ISSOCK(inode->i_mode))
1137 sk = unix_find_socket_byinode(inode);
1142 if (sk->sk_type == type)
1156 return ERR_PTR(err);
1159 static struct sock *unix_find_abstract(struct net *net,
1160 struct sockaddr_un *sunaddr,
1161 int addr_len, int type)
1163 unsigned int hash = unix_abstract_hash(sunaddr, addr_len, type);
1164 struct dentry *dentry;
1167 sk = unix_find_socket_byname(net, sunaddr, addr_len, hash);
1169 return ERR_PTR(-ECONNREFUSED);
1171 dentry = unix_sk(sk)->path.dentry;
1173 touch_atime(&unix_sk(sk)->path);
1178 static struct sock *unix_find_other(struct net *net,
1179 struct sockaddr_un *sunaddr,
1180 int addr_len, int type)
1184 if (sunaddr->sun_path[0])
1185 sk = unix_find_bsd(sunaddr, addr_len, type);
1187 sk = unix_find_abstract(net, sunaddr, addr_len, type);
1192 static int unix_autobind(struct sock *sk)
1194 struct unix_sock *u = unix_sk(sk);
1195 unsigned int new_hash, old_hash;
1196 struct net *net = sock_net(sk);
1197 struct unix_address *addr;
1198 u32 lastnum, ordernum;
1201 err = mutex_lock_interruptible(&u->bindlock);
1209 addr = kzalloc(sizeof(*addr) +
1210 offsetof(struct sockaddr_un, sun_path) + 16, GFP_KERNEL);
1214 addr->len = offsetof(struct sockaddr_un, sun_path) + 6;
1215 addr->name->sun_family = AF_UNIX;
1216 refcount_set(&addr->refcnt, 1);
1218 old_hash = sk->sk_hash;
1219 ordernum = get_random_u32();
1220 lastnum = ordernum & 0xFFFFF;
1222 ordernum = (ordernum + 1) & 0xFFFFF;
1223 sprintf(addr->name->sun_path + 1, "%05x", ordernum);
1225 new_hash = unix_abstract_hash(addr->name, addr->len, sk->sk_type);
1226 unix_table_double_lock(net, old_hash, new_hash);
1228 if (__unix_find_socket_byname(net, addr->name, addr->len, new_hash)) {
1229 unix_table_double_unlock(net, old_hash, new_hash);
1231 /* __unix_find_socket_byname() may take long time if many names
1232 * are already in use.
1236 if (ordernum == lastnum) {
1237 /* Give up if all names seems to be in use. */
1239 unix_release_addr(addr);
1246 __unix_set_addr_hash(net, sk, addr, new_hash);
1247 unix_table_double_unlock(net, old_hash, new_hash);
1250 out: mutex_unlock(&u->bindlock);
1254 static int unix_bind_bsd(struct sock *sk, struct sockaddr_un *sunaddr,
1257 umode_t mode = S_IFSOCK |
1258 (SOCK_INODE(sk->sk_socket)->i_mode & ~current_umask());
1259 struct unix_sock *u = unix_sk(sk);
1260 unsigned int new_hash, old_hash;
1261 struct net *net = sock_net(sk);
1262 struct mnt_idmap *idmap;
1263 struct unix_address *addr;
1264 struct dentry *dentry;
1268 addr_len = unix_mkname_bsd(sunaddr, addr_len);
1269 addr = unix_create_addr(sunaddr, addr_len);
1274 * Get the parent directory, calculate the hash for last
1277 dentry = kern_path_create(AT_FDCWD, addr->name->sun_path, &parent, 0);
1278 if (IS_ERR(dentry)) {
1279 err = PTR_ERR(dentry);
1284 * All right, let's create it.
1286 idmap = mnt_idmap(parent.mnt);
1287 err = security_path_mknod(&parent, dentry, mode, 0);
1289 err = vfs_mknod(idmap, d_inode(parent.dentry), dentry, mode, 0);
1292 err = mutex_lock_interruptible(&u->bindlock);
1298 old_hash = sk->sk_hash;
1299 new_hash = unix_bsd_hash(d_backing_inode(dentry));
1300 unix_table_double_lock(net, old_hash, new_hash);
1301 u->path.mnt = mntget(parent.mnt);
1302 u->path.dentry = dget(dentry);
1303 __unix_set_addr_hash(net, sk, addr, new_hash);
1304 unix_table_double_unlock(net, old_hash, new_hash);
1305 unix_insert_bsd_socket(sk);
1306 mutex_unlock(&u->bindlock);
1307 done_path_create(&parent, dentry);
1311 mutex_unlock(&u->bindlock);
1314 /* failed after successful mknod? unlink what we'd created... */
1315 vfs_unlink(idmap, d_inode(parent.dentry), dentry, NULL);
1317 done_path_create(&parent, dentry);
1319 unix_release_addr(addr);
1320 return err == -EEXIST ? -EADDRINUSE : err;
1323 static int unix_bind_abstract(struct sock *sk, struct sockaddr_un *sunaddr,
1326 struct unix_sock *u = unix_sk(sk);
1327 unsigned int new_hash, old_hash;
1328 struct net *net = sock_net(sk);
1329 struct unix_address *addr;
1332 addr = unix_create_addr(sunaddr, addr_len);
1336 err = mutex_lock_interruptible(&u->bindlock);
1345 old_hash = sk->sk_hash;
1346 new_hash = unix_abstract_hash(addr->name, addr->len, sk->sk_type);
1347 unix_table_double_lock(net, old_hash, new_hash);
1349 if (__unix_find_socket_byname(net, addr->name, addr->len, new_hash))
1352 __unix_set_addr_hash(net, sk, addr, new_hash);
1353 unix_table_double_unlock(net, old_hash, new_hash);
1354 mutex_unlock(&u->bindlock);
1358 unix_table_double_unlock(net, old_hash, new_hash);
1361 mutex_unlock(&u->bindlock);
1363 unix_release_addr(addr);
1367 static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
1369 struct sockaddr_un *sunaddr = (struct sockaddr_un *)uaddr;
1370 struct sock *sk = sock->sk;
1373 if (addr_len == offsetof(struct sockaddr_un, sun_path) &&
1374 sunaddr->sun_family == AF_UNIX)
1375 return unix_autobind(sk);
1377 err = unix_validate_addr(sunaddr, addr_len);
1381 if (sunaddr->sun_path[0])
1382 err = unix_bind_bsd(sk, sunaddr, addr_len);
1384 err = unix_bind_abstract(sk, sunaddr, addr_len);
1389 static void unix_state_double_lock(struct sock *sk1, struct sock *sk2)
1391 if (unlikely(sk1 == sk2) || !sk2) {
1392 unix_state_lock(sk1);
1399 unix_state_lock(sk1);
1400 unix_state_lock(sk2);
1403 static void unix_state_double_unlock(struct sock *sk1, struct sock *sk2)
1405 if (unlikely(sk1 == sk2) || !sk2) {
1406 unix_state_unlock(sk1);
1409 unix_state_unlock(sk1);
1410 unix_state_unlock(sk2);
1413 static int unix_dgram_connect(struct socket *sock, struct sockaddr *addr,
1414 int alen, int flags)
1416 struct sockaddr_un *sunaddr = (struct sockaddr_un *)addr;
1417 struct sock *sk = sock->sk;
1422 if (alen < offsetofend(struct sockaddr, sa_family))
1425 if (addr->sa_family != AF_UNSPEC) {
1426 err = unix_validate_addr(sunaddr, alen);
1430 err = BPF_CGROUP_RUN_PROG_UNIX_CONNECT_LOCK(sk, addr, &alen);
1434 if ((test_bit(SOCK_PASSCRED, &sock->flags) ||
1435 test_bit(SOCK_PASSPIDFD, &sock->flags)) &&
1436 !READ_ONCE(unix_sk(sk)->addr)) {
1437 err = unix_autobind(sk);
1443 other = unix_find_other(sock_net(sk), sunaddr, alen, sock->type);
1444 if (IS_ERR(other)) {
1445 err = PTR_ERR(other);
1449 unix_state_double_lock(sk, other);
1451 /* Apparently VFS overslept socket death. Retry. */
1452 if (sock_flag(other, SOCK_DEAD)) {
1453 unix_state_double_unlock(sk, other);
1459 if (!unix_may_send(sk, other))
1462 err = security_unix_may_send(sk->sk_socket, other->sk_socket);
1466 WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED);
1467 WRITE_ONCE(other->sk_state, TCP_ESTABLISHED);
1470 * 1003.1g breaking connected state with AF_UNSPEC
1473 unix_state_double_lock(sk, other);
1477 * If it was connected, reconnect.
1479 if (unix_peer(sk)) {
1480 struct sock *old_peer = unix_peer(sk);
1482 unix_peer(sk) = other;
1484 WRITE_ONCE(sk->sk_state, TCP_CLOSE);
1485 unix_dgram_peer_wake_disconnect_wakeup(sk, old_peer);
1487 unix_state_double_unlock(sk, other);
1489 if (other != old_peer) {
1490 unix_dgram_disconnected(sk, old_peer);
1492 unix_state_lock(old_peer);
1493 if (!unix_peer(old_peer))
1494 WRITE_ONCE(old_peer->sk_state, TCP_CLOSE);
1495 unix_state_unlock(old_peer);
1500 unix_peer(sk) = other;
1501 unix_state_double_unlock(sk, other);
1507 unix_state_double_unlock(sk, other);
1513 static long unix_wait_for_peer(struct sock *other, long timeo)
1514 __releases(&unix_sk(other)->lock)
1516 struct unix_sock *u = unix_sk(other);
1520 prepare_to_wait_exclusive(&u->peer_wait, &wait, TASK_INTERRUPTIBLE);
1522 sched = !sock_flag(other, SOCK_DEAD) &&
1523 !(other->sk_shutdown & RCV_SHUTDOWN) &&
1524 unix_recvq_full_lockless(other);
1526 unix_state_unlock(other);
1529 timeo = schedule_timeout(timeo);
1531 finish_wait(&u->peer_wait, &wait);
1535 static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr,
1536 int addr_len, int flags)
1538 struct sockaddr_un *sunaddr = (struct sockaddr_un *)uaddr;
1539 struct sock *sk = sock->sk, *newsk = NULL, *other = NULL;
1540 struct unix_sock *u = unix_sk(sk), *newu, *otheru;
1541 struct net *net = sock_net(sk);
1542 struct sk_buff *skb = NULL;
1543 unsigned char state;
1547 err = unix_validate_addr(sunaddr, addr_len);
1551 err = BPF_CGROUP_RUN_PROG_UNIX_CONNECT_LOCK(sk, uaddr, &addr_len);
1555 if ((test_bit(SOCK_PASSCRED, &sock->flags) ||
1556 test_bit(SOCK_PASSPIDFD, &sock->flags)) &&
1557 !READ_ONCE(u->addr)) {
1558 err = unix_autobind(sk);
1563 timeo = sock_sndtimeo(sk, flags & O_NONBLOCK);
1565 /* First of all allocate resources.
1566 If we will make it after state is locked,
1567 we will have to recheck all again in any case.
1570 /* create new sock for complete connection */
1571 newsk = unix_create1(net, NULL, 0, sock->type);
1572 if (IS_ERR(newsk)) {
1573 err = PTR_ERR(newsk);
1580 /* Allocate skb for sending to listening sock */
1581 skb = sock_wmalloc(newsk, 1, 0, GFP_KERNEL);
1586 /* Find listening sock. */
1587 other = unix_find_other(net, sunaddr, addr_len, sk->sk_type);
1588 if (IS_ERR(other)) {
1589 err = PTR_ERR(other);
1594 unix_state_lock(other);
1596 /* Apparently VFS overslept socket death. Retry. */
1597 if (sock_flag(other, SOCK_DEAD)) {
1598 unix_state_unlock(other);
1603 err = -ECONNREFUSED;
1604 if (other->sk_state != TCP_LISTEN)
1606 if (other->sk_shutdown & RCV_SHUTDOWN)
1609 if (unix_recvq_full_lockless(other)) {
1614 timeo = unix_wait_for_peer(other, timeo);
1616 err = sock_intr_errno(timeo);
1617 if (signal_pending(current))
1623 /* self connect and simultaneous connect are eliminated
1624 * by rejecting TCP_LISTEN socket to avoid deadlock.
1626 state = READ_ONCE(sk->sk_state);
1627 if (unlikely(state != TCP_CLOSE)) {
1628 err = state == TCP_ESTABLISHED ? -EISCONN : -EINVAL;
1632 unix_state_lock(sk);
1634 if (unlikely(sk->sk_state != TCP_CLOSE)) {
1635 err = sk->sk_state == TCP_ESTABLISHED ? -EISCONN : -EINVAL;
1636 unix_state_unlock(sk);
1640 err = security_unix_stream_connect(sk, other, newsk);
1642 unix_state_unlock(sk);
1646 /* The way is open! Fastly set all the necessary fields... */
1649 unix_peer(newsk) = sk;
1650 newsk->sk_state = TCP_ESTABLISHED;
1651 newsk->sk_type = sk->sk_type;
1652 init_peercred(newsk);
1653 newu = unix_sk(newsk);
1654 newu->listener = other;
1655 RCU_INIT_POINTER(newsk->sk_wq, &newu->peer_wq);
1656 otheru = unix_sk(other);
1658 /* copy address information from listening to new sock
1660 * The contents of *(otheru->addr) and otheru->path
1661 * are seen fully set up here, since we have found
1662 * otheru in hash under its lock. Insertion into the
1663 * hash chain we'd found it in had been done in an
1664 * earlier critical area protected by the chain's lock,
1665 * the same one where we'd set *(otheru->addr) contents,
1666 * as well as otheru->path and otheru->addr itself.
1668 * Using smp_store_release() here to set newu->addr
1669 * is enough to make those stores, as well as stores
1670 * to newu->path visible to anyone who gets newu->addr
1671 * by smp_load_acquire(). IOW, the same warranties
1672 * as for unix_sock instances bound in unix_bind() or
1673 * in unix_autobind().
1675 if (otheru->path.dentry) {
1676 path_get(&otheru->path);
1677 newu->path = otheru->path;
1679 refcount_inc(&otheru->addr->refcnt);
1680 smp_store_release(&newu->addr, otheru->addr);
1682 /* Set credentials */
1683 copy_peercred(sk, other);
1685 sock->state = SS_CONNECTED;
1686 WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED);
1689 smp_mb__after_atomic(); /* sock_hold() does an atomic_inc() */
1690 unix_peer(sk) = newsk;
1692 unix_state_unlock(sk);
1694 /* take ten and send info to listening sock */
1695 spin_lock(&other->sk_receive_queue.lock);
1696 __skb_queue_tail(&other->sk_receive_queue, skb);
1697 spin_unlock(&other->sk_receive_queue.lock);
1698 unix_state_unlock(other);
1699 other->sk_data_ready(other);
1705 unix_state_unlock(other);
1710 unix_release_sock(newsk, 0);
1716 static int unix_socketpair(struct socket *socka, struct socket *sockb)
1718 struct sock *ska = socka->sk, *skb = sockb->sk;
1720 /* Join our sockets back to back */
1723 unix_peer(ska) = skb;
1724 unix_peer(skb) = ska;
1728 ska->sk_state = TCP_ESTABLISHED;
1729 skb->sk_state = TCP_ESTABLISHED;
1730 socka->state = SS_CONNECTED;
1731 sockb->state = SS_CONNECTED;
1735 static void unix_sock_inherit_flags(const struct socket *old,
1738 if (test_bit(SOCK_PASSCRED, &old->flags))
1739 set_bit(SOCK_PASSCRED, &new->flags);
1740 if (test_bit(SOCK_PASSPIDFD, &old->flags))
1741 set_bit(SOCK_PASSPIDFD, &new->flags);
1742 if (test_bit(SOCK_PASSSEC, &old->flags))
1743 set_bit(SOCK_PASSSEC, &new->flags);
1746 static int unix_accept(struct socket *sock, struct socket *newsock,
1747 struct proto_accept_arg *arg)
1749 struct sock *sk = sock->sk;
1750 struct sk_buff *skb;
1753 arg->err = -EOPNOTSUPP;
1754 if (sock->type != SOCK_STREAM && sock->type != SOCK_SEQPACKET)
1758 if (READ_ONCE(sk->sk_state) != TCP_LISTEN)
1761 /* If socket state is TCP_LISTEN it cannot change (for now...),
1762 * so that no locks are necessary.
1765 skb = skb_recv_datagram(sk, (arg->flags & O_NONBLOCK) ? MSG_DONTWAIT : 0,
1768 /* This means receive shutdown. */
1775 skb_free_datagram(sk, skb);
1776 wake_up_interruptible(&unix_sk(sk)->peer_wait);
1778 /* attach accepted sock to socket */
1779 unix_state_lock(tsk);
1780 unix_update_edges(unix_sk(tsk));
1781 newsock->state = SS_CONNECTED;
1782 unix_sock_inherit_flags(sock, newsock);
1783 sock_graft(tsk, newsock);
1784 unix_state_unlock(tsk);
1792 static int unix_getname(struct socket *sock, struct sockaddr *uaddr, int peer)
1794 struct sock *sk = sock->sk;
1795 struct unix_address *addr;
1796 DECLARE_SOCKADDR(struct sockaddr_un *, sunaddr, uaddr);
1800 sk = unix_peer_get(sk);
1810 addr = smp_load_acquire(&unix_sk(sk)->addr);
1812 sunaddr->sun_family = AF_UNIX;
1813 sunaddr->sun_path[0] = 0;
1814 err = offsetof(struct sockaddr_un, sun_path);
1817 memcpy(sunaddr, addr->name, addr->len);
1820 BPF_CGROUP_RUN_SA_PROG(sk, uaddr, &err,
1821 CGROUP_UNIX_GETPEERNAME);
1823 BPF_CGROUP_RUN_SA_PROG(sk, uaddr, &err,
1824 CGROUP_UNIX_GETSOCKNAME);
1831 /* The "user->unix_inflight" variable is protected by the garbage
1832 * collection lock, and we just read it locklessly here. If you go
1833 * over the limit, there might be a tiny race in actually noticing
1834 * it across threads. Tough.
1836 static inline bool too_many_unix_fds(struct task_struct *p)
1838 struct user_struct *user = current_user();
1840 if (unlikely(READ_ONCE(user->unix_inflight) > task_rlimit(p, RLIMIT_NOFILE)))
1841 return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN);
1845 static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
1847 if (too_many_unix_fds(current))
1848 return -ETOOMANYREFS;
1850 UNIXCB(skb).fp = scm->fp;
1853 if (unix_prepare_fpl(UNIXCB(skb).fp))
1859 static void unix_detach_fds(struct scm_cookie *scm, struct sk_buff *skb)
1861 scm->fp = UNIXCB(skb).fp;
1862 UNIXCB(skb).fp = NULL;
1864 unix_destroy_fpl(scm->fp);
1867 static void unix_peek_fds(struct scm_cookie *scm, struct sk_buff *skb)
1869 scm->fp = scm_fp_dup(UNIXCB(skb).fp);
1872 static void unix_destruct_scm(struct sk_buff *skb)
1874 struct scm_cookie scm;
1876 memset(&scm, 0, sizeof(scm));
1877 scm.pid = UNIXCB(skb).pid;
1879 unix_detach_fds(&scm, skb);
1881 /* Alas, it calls VFS */
1882 /* So fscking what? fput() had been SMP-safe since the last Summer */
1887 static int unix_scm_to_skb(struct scm_cookie *scm, struct sk_buff *skb, bool send_fds)
1891 UNIXCB(skb).pid = get_pid(scm->pid);
1892 UNIXCB(skb).uid = scm->creds.uid;
1893 UNIXCB(skb).gid = scm->creds.gid;
1894 UNIXCB(skb).fp = NULL;
1895 unix_get_secdata(scm, skb);
1896 if (scm->fp && send_fds)
1897 err = unix_attach_fds(scm, skb);
1899 skb->destructor = unix_destruct_scm;
1903 static bool unix_passcred_enabled(const struct socket *sock,
1904 const struct sock *other)
1906 return test_bit(SOCK_PASSCRED, &sock->flags) ||
1907 test_bit(SOCK_PASSPIDFD, &sock->flags) ||
1908 !other->sk_socket ||
1909 test_bit(SOCK_PASSCRED, &other->sk_socket->flags) ||
1910 test_bit(SOCK_PASSPIDFD, &other->sk_socket->flags);
1914 * Some apps rely on write() giving SCM_CREDENTIALS
1915 * We include credentials if source or destination socket
1916 * asserted SOCK_PASSCRED.
1918 static void maybe_add_creds(struct sk_buff *skb, const struct socket *sock,
1919 const struct sock *other)
1921 if (UNIXCB(skb).pid)
1923 if (unix_passcred_enabled(sock, other)) {
1924 UNIXCB(skb).pid = get_pid(task_tgid(current));
1925 current_uid_gid(&UNIXCB(skb).uid, &UNIXCB(skb).gid);
1929 static bool unix_skb_scm_eq(struct sk_buff *skb,
1930 struct scm_cookie *scm)
1932 return UNIXCB(skb).pid == scm->pid &&
1933 uid_eq(UNIXCB(skb).uid, scm->creds.uid) &&
1934 gid_eq(UNIXCB(skb).gid, scm->creds.gid) &&
1935 unix_secdata_eq(scm, skb);
1938 static void scm_stat_add(struct sock *sk, struct sk_buff *skb)
1940 struct scm_fp_list *fp = UNIXCB(skb).fp;
1941 struct unix_sock *u = unix_sk(sk);
1943 if (unlikely(fp && fp->count)) {
1944 atomic_add(fp->count, &u->scm_stat.nr_fds);
1945 unix_add_edges(fp, u);
1949 static void scm_stat_del(struct sock *sk, struct sk_buff *skb)
1951 struct scm_fp_list *fp = UNIXCB(skb).fp;
1952 struct unix_sock *u = unix_sk(sk);
1954 if (unlikely(fp && fp->count)) {
1955 atomic_sub(fp->count, &u->scm_stat.nr_fds);
1961 * Send AF_UNIX data.
1964 static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg,
1967 DECLARE_SOCKADDR(struct sockaddr_un *, sunaddr, msg->msg_name);
1968 struct sock *sk = sock->sk, *other = NULL;
1969 struct unix_sock *u = unix_sk(sk);
1970 struct scm_cookie scm;
1971 struct sk_buff *skb;
1977 err = scm_send(sock, msg, &scm, false);
1981 wait_for_unix_gc(scm.fp);
1984 if (msg->msg_flags&MSG_OOB)
1987 if (msg->msg_namelen) {
1988 err = unix_validate_addr(sunaddr, msg->msg_namelen);
1992 err = BPF_CGROUP_RUN_PROG_UNIX_SENDMSG_LOCK(sk,
2001 other = unix_peer_get(sk);
2006 if ((test_bit(SOCK_PASSCRED, &sock->flags) ||
2007 test_bit(SOCK_PASSPIDFD, &sock->flags)) &&
2008 !READ_ONCE(u->addr)) {
2009 err = unix_autobind(sk);
2015 if (len > READ_ONCE(sk->sk_sndbuf) - 32)
2018 if (len > SKB_MAX_ALLOC) {
2019 data_len = min_t(size_t,
2020 len - SKB_MAX_ALLOC,
2021 MAX_SKB_FRAGS * PAGE_SIZE);
2022 data_len = PAGE_ALIGN(data_len);
2024 BUILD_BUG_ON(SKB_MAX_ALLOC < PAGE_SIZE);
2027 skb = sock_alloc_send_pskb(sk, len - data_len, data_len,
2028 msg->msg_flags & MSG_DONTWAIT, &err,
2029 PAGE_ALLOC_COSTLY_ORDER);
2033 err = unix_scm_to_skb(&scm, skb, true);
2037 skb_put(skb, len - data_len);
2038 skb->data_len = data_len;
2040 err = skb_copy_datagram_from_iter(skb, 0, &msg->msg_iter, len);
2044 timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
2049 if (sunaddr == NULL)
2052 other = unix_find_other(sock_net(sk), sunaddr, msg->msg_namelen,
2054 if (IS_ERR(other)) {
2055 err = PTR_ERR(other);
2061 if (sk_filter(other, skb) < 0) {
2062 /* Toss the packet but do not return any error to the sender */
2068 unix_state_lock(other);
2071 if (!unix_may_send(sk, other))
2074 if (unlikely(sock_flag(other, SOCK_DEAD))) {
2076 * Check with 1003.1g - what should
2079 unix_state_unlock(other);
2083 unix_state_lock(sk);
2086 if (sk->sk_type == SOCK_SEQPACKET) {
2087 /* We are here only when racing with unix_release_sock()
2088 * is clearing @other. Never change state to TCP_CLOSE
2089 * unlike SOCK_DGRAM wants.
2091 unix_state_unlock(sk);
2093 } else if (unix_peer(sk) == other) {
2094 unix_peer(sk) = NULL;
2095 unix_dgram_peer_wake_disconnect_wakeup(sk, other);
2097 WRITE_ONCE(sk->sk_state, TCP_CLOSE);
2098 unix_state_unlock(sk);
2100 unix_dgram_disconnected(sk, other);
2102 err = -ECONNREFUSED;
2104 unix_state_unlock(sk);
2114 if (other->sk_shutdown & RCV_SHUTDOWN)
2117 if (sk->sk_type != SOCK_SEQPACKET) {
2118 err = security_unix_may_send(sk->sk_socket, other->sk_socket);
2123 /* other == sk && unix_peer(other) != sk if
2124 * - unix_peer(sk) == NULL, destination address bound to sk
2125 * - unix_peer(sk) == sk by time of get but disconnected before lock
2128 unlikely(unix_peer(other) != sk &&
2129 unix_recvq_full_lockless(other))) {
2131 timeo = unix_wait_for_peer(other, timeo);
2133 err = sock_intr_errno(timeo);
2134 if (signal_pending(current))
2141 unix_state_unlock(other);
2142 unix_state_double_lock(sk, other);
2145 if (unix_peer(sk) != other ||
2146 unix_dgram_peer_wake_me(sk, other)) {
2154 goto restart_locked;
2158 if (unlikely(sk_locked))
2159 unix_state_unlock(sk);
2161 if (sock_flag(other, SOCK_RCVTSTAMP))
2162 __net_timestamp(skb);
2163 maybe_add_creds(skb, sock, other);
2164 scm_stat_add(other, skb);
2165 skb_queue_tail(&other->sk_receive_queue, skb);
2166 unix_state_unlock(other);
2167 other->sk_data_ready(other);
2174 unix_state_unlock(sk);
2175 unix_state_unlock(other);
2185 /* We use paged skbs for stream sockets, and limit occupancy to 32768
2186 * bytes, and a minimum of a full page.
2188 #define UNIX_SKB_FRAGS_SZ (PAGE_SIZE << get_order(32768))
2190 #if IS_ENABLED(CONFIG_AF_UNIX_OOB)
2191 static int queue_oob(struct socket *sock, struct msghdr *msg, struct sock *other,
2192 struct scm_cookie *scm, bool fds_sent)
2194 struct unix_sock *ousk = unix_sk(other);
2195 struct sk_buff *skb;
2198 skb = sock_alloc_send_skb(sock->sk, 1, msg->msg_flags & MSG_DONTWAIT, &err);
2203 err = unix_scm_to_skb(scm, skb, !fds_sent);
2209 err = skb_copy_datagram_from_iter(skb, 0, &msg->msg_iter, 1);
2216 unix_state_lock(other);
2218 if (sock_flag(other, SOCK_DEAD) ||
2219 (other->sk_shutdown & RCV_SHUTDOWN)) {
2220 unix_state_unlock(other);
2225 maybe_add_creds(skb, sock, other);
2226 scm_stat_add(other, skb);
2228 spin_lock(&other->sk_receive_queue.lock);
2229 WRITE_ONCE(ousk->oob_skb, skb);
2230 __skb_queue_tail(&other->sk_receive_queue, skb);
2231 spin_unlock(&other->sk_receive_queue.lock);
2233 sk_send_sigurg(other);
2234 unix_state_unlock(other);
2235 other->sk_data_ready(other);
2241 static int unix_stream_sendmsg(struct socket *sock, struct msghdr *msg,
2244 struct sock *sk = sock->sk;
2245 struct sock *other = NULL;
2247 struct sk_buff *skb;
2249 struct scm_cookie scm;
2250 bool fds_sent = false;
2253 err = scm_send(sock, msg, &scm, false);
2257 wait_for_unix_gc(scm.fp);
2260 if (msg->msg_flags & MSG_OOB) {
2261 #if IS_ENABLED(CONFIG_AF_UNIX_OOB)
2269 if (msg->msg_namelen) {
2270 err = READ_ONCE(sk->sk_state) == TCP_ESTABLISHED ? -EISCONN : -EOPNOTSUPP;
2274 other = unix_peer(sk);
2279 if (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN)
2282 while (sent < len) {
2285 if (unlikely(msg->msg_flags & MSG_SPLICE_PAGES)) {
2286 skb = sock_alloc_send_pskb(sk, 0, 0,
2287 msg->msg_flags & MSG_DONTWAIT,
2290 /* Keep two messages in the pipe so it schedules better */
2291 size = min_t(int, size, (READ_ONCE(sk->sk_sndbuf) >> 1) - 64);
2293 /* allow fallback to order-0 allocations */
2294 size = min_t(int, size, SKB_MAX_HEAD(0) + UNIX_SKB_FRAGS_SZ);
2296 data_len = max_t(int, 0, size - SKB_MAX_HEAD(0));
2298 data_len = min_t(size_t, size, PAGE_ALIGN(data_len));
2300 skb = sock_alloc_send_pskb(sk, size - data_len, data_len,
2301 msg->msg_flags & MSG_DONTWAIT, &err,
2302 get_order(UNIX_SKB_FRAGS_SZ));
2307 /* Only send the fds in the first buffer */
2308 err = unix_scm_to_skb(&scm, skb, !fds_sent);
2315 if (unlikely(msg->msg_flags & MSG_SPLICE_PAGES)) {
2316 err = skb_splice_from_iter(skb, &msg->msg_iter, size,
2323 refcount_add(size, &sk->sk_wmem_alloc);
2325 skb_put(skb, size - data_len);
2326 skb->data_len = data_len;
2328 err = skb_copy_datagram_from_iter(skb, 0, &msg->msg_iter, size);
2335 unix_state_lock(other);
2337 if (sock_flag(other, SOCK_DEAD) ||
2338 (other->sk_shutdown & RCV_SHUTDOWN))
2341 maybe_add_creds(skb, sock, other);
2342 scm_stat_add(other, skb);
2343 skb_queue_tail(&other->sk_receive_queue, skb);
2344 unix_state_unlock(other);
2345 other->sk_data_ready(other);
2349 #if IS_ENABLED(CONFIG_AF_UNIX_OOB)
2350 if (msg->msg_flags & MSG_OOB) {
2351 err = queue_oob(sock, msg, other, &scm, fds_sent);
2363 unix_state_unlock(other);
2366 if (sent == 0 && !(msg->msg_flags&MSG_NOSIGNAL))
2367 send_sig(SIGPIPE, current, 0);
2371 return sent ? : err;
2374 static int unix_seqpacket_sendmsg(struct socket *sock, struct msghdr *msg,
2378 struct sock *sk = sock->sk;
2380 err = sock_error(sk);
2384 if (READ_ONCE(sk->sk_state) != TCP_ESTABLISHED)
2387 if (msg->msg_namelen)
2388 msg->msg_namelen = 0;
2390 return unix_dgram_sendmsg(sock, msg, len);
2393 static int unix_seqpacket_recvmsg(struct socket *sock, struct msghdr *msg,
2394 size_t size, int flags)
2396 struct sock *sk = sock->sk;
2398 if (READ_ONCE(sk->sk_state) != TCP_ESTABLISHED)
2401 return unix_dgram_recvmsg(sock, msg, size, flags);
2404 static void unix_copy_addr(struct msghdr *msg, struct sock *sk)
2406 struct unix_address *addr = smp_load_acquire(&unix_sk(sk)->addr);
2409 msg->msg_namelen = addr->len;
2410 memcpy(msg->msg_name, addr->name, addr->len);
2414 int __unix_dgram_recvmsg(struct sock *sk, struct msghdr *msg, size_t size,
2417 struct scm_cookie scm;
2418 struct socket *sock = sk->sk_socket;
2419 struct unix_sock *u = unix_sk(sk);
2420 struct sk_buff *skb, *last;
2429 timeo = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
2432 mutex_lock(&u->iolock);
2434 skip = sk_peek_offset(sk, flags);
2435 skb = __skb_try_recv_datagram(sk, &sk->sk_receive_queue, flags,
2436 &skip, &err, &last);
2438 if (!(flags & MSG_PEEK))
2439 scm_stat_del(sk, skb);
2443 mutex_unlock(&u->iolock);
2448 !__skb_wait_for_more_packets(sk, &sk->sk_receive_queue,
2449 &err, &timeo, last));
2451 if (!skb) { /* implies iolock unlocked */
2452 unix_state_lock(sk);
2453 /* Signal EOF on disconnected non-blocking SEQPACKET socket. */
2454 if (sk->sk_type == SOCK_SEQPACKET && err == -EAGAIN &&
2455 (sk->sk_shutdown & RCV_SHUTDOWN))
2457 unix_state_unlock(sk);
2461 if (wq_has_sleeper(&u->peer_wait))
2462 wake_up_interruptible_sync_poll(&u->peer_wait,
2463 EPOLLOUT | EPOLLWRNORM |
2466 if (msg->msg_name) {
2467 unix_copy_addr(msg, skb->sk);
2469 BPF_CGROUP_RUN_PROG_UNIX_RECVMSG_LOCK(sk,
2474 if (size > skb->len - skip)
2475 size = skb->len - skip;
2476 else if (size < skb->len - skip)
2477 msg->msg_flags |= MSG_TRUNC;
2479 err = skb_copy_datagram_msg(skb, skip, msg, size);
2483 if (sock_flag(sk, SOCK_RCVTSTAMP))
2484 __sock_recv_timestamp(msg, sk, skb);
2486 memset(&scm, 0, sizeof(scm));
2488 scm_set_cred(&scm, UNIXCB(skb).pid, UNIXCB(skb).uid, UNIXCB(skb).gid);
2489 unix_set_secdata(&scm, skb);
2491 if (!(flags & MSG_PEEK)) {
2493 unix_detach_fds(&scm, skb);
2495 sk_peek_offset_bwd(sk, skb->len);
2497 /* It is questionable: on PEEK we could:
2498 - do not return fds - good, but too simple 8)
2499 - return fds, and do not return them on read (old strategy,
2501 - clone fds (I chose it for now, it is the most universal
2504 POSIX 1003.1g does not actually define this clearly
2505 at all. POSIX 1003.1g doesn't define a lot of things
2510 sk_peek_offset_fwd(sk, size);
2513 unix_peek_fds(&scm, skb);
2515 err = (flags & MSG_TRUNC) ? skb->len - skip : size;
2517 scm_recv_unix(sock, msg, &scm, flags);
2520 skb_free_datagram(sk, skb);
2521 mutex_unlock(&u->iolock);
2526 static int unix_dgram_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
2529 struct sock *sk = sock->sk;
2531 #ifdef CONFIG_BPF_SYSCALL
2532 const struct proto *prot = READ_ONCE(sk->sk_prot);
2534 if (prot != &unix_dgram_proto)
2535 return prot->recvmsg(sk, msg, size, flags, NULL);
2537 return __unix_dgram_recvmsg(sk, msg, size, flags);
2540 static int unix_read_skb(struct sock *sk, skb_read_actor_t recv_actor)
2542 struct unix_sock *u = unix_sk(sk);
2543 struct sk_buff *skb;
2546 mutex_lock(&u->iolock);
2547 skb = skb_recv_datagram(sk, MSG_DONTWAIT, &err);
2548 mutex_unlock(&u->iolock);
2552 return recv_actor(sk, skb);
2556 * Sleep until more data has arrived. But check for races..
2558 static long unix_stream_data_wait(struct sock *sk, long timeo,
2559 struct sk_buff *last, unsigned int last_len,
2562 unsigned int state = TASK_INTERRUPTIBLE | freezable * TASK_FREEZABLE;
2563 struct sk_buff *tail;
2566 unix_state_lock(sk);
2569 prepare_to_wait(sk_sleep(sk), &wait, state);
2571 tail = skb_peek_tail(&sk->sk_receive_queue);
2573 (tail && tail->len != last_len) ||
2575 (sk->sk_shutdown & RCV_SHUTDOWN) ||
2576 signal_pending(current) ||
2580 sk_set_bit(SOCKWQ_ASYNC_WAITDATA, sk);
2581 unix_state_unlock(sk);
2582 timeo = schedule_timeout(timeo);
2583 unix_state_lock(sk);
2585 if (sock_flag(sk, SOCK_DEAD))
2588 sk_clear_bit(SOCKWQ_ASYNC_WAITDATA, sk);
2591 finish_wait(sk_sleep(sk), &wait);
2592 unix_state_unlock(sk);
2596 static unsigned int unix_skb_len(const struct sk_buff *skb)
2598 return skb->len - UNIXCB(skb).consumed;
2601 struct unix_stream_read_state {
2602 int (*recv_actor)(struct sk_buff *, int, int,
2603 struct unix_stream_read_state *);
2604 struct socket *socket;
2606 struct pipe_inode_info *pipe;
2609 unsigned int splice_flags;
2612 #if IS_ENABLED(CONFIG_AF_UNIX_OOB)
2613 static int unix_stream_recv_urg(struct unix_stream_read_state *state)
2615 struct socket *sock = state->socket;
2616 struct sock *sk = sock->sk;
2617 struct unix_sock *u = unix_sk(sk);
2619 struct sk_buff *oob_skb;
2621 mutex_lock(&u->iolock);
2622 unix_state_lock(sk);
2623 spin_lock(&sk->sk_receive_queue.lock);
2625 if (sock_flag(sk, SOCK_URGINLINE) || !u->oob_skb) {
2626 spin_unlock(&sk->sk_receive_queue.lock);
2627 unix_state_unlock(sk);
2628 mutex_unlock(&u->iolock);
2632 oob_skb = u->oob_skb;
2634 if (!(state->flags & MSG_PEEK))
2635 WRITE_ONCE(u->oob_skb, NULL);
2637 spin_unlock(&sk->sk_receive_queue.lock);
2638 unix_state_unlock(sk);
2640 chunk = state->recv_actor(oob_skb, 0, chunk, state);
2642 if (!(state->flags & MSG_PEEK))
2643 UNIXCB(oob_skb).consumed += 1;
2645 mutex_unlock(&u->iolock);
2650 state->msg->msg_flags |= MSG_OOB;
2654 static struct sk_buff *manage_oob(struct sk_buff *skb, struct sock *sk,
2655 int flags, int copied)
2657 struct sk_buff *read_skb = NULL, *unread_skb = NULL;
2658 struct unix_sock *u = unix_sk(sk);
2660 if (likely(unix_skb_len(skb) && skb != READ_ONCE(u->oob_skb)))
2663 spin_lock(&sk->sk_receive_queue.lock);
2665 if (!unix_skb_len(skb)) {
2666 if (copied && (!u->oob_skb || skb == u->oob_skb)) {
2668 } else if (flags & MSG_PEEK) {
2669 skb = skb_peek_next(skb, &sk->sk_receive_queue);
2672 skb = skb_peek_next(skb, &sk->sk_receive_queue);
2673 __skb_unlink(read_skb, &sk->sk_receive_queue);
2680 if (skb != u->oob_skb)
2685 } else if (!(flags & MSG_PEEK)) {
2686 WRITE_ONCE(u->oob_skb, NULL);
2688 if (!sock_flag(sk, SOCK_URGINLINE)) {
2689 __skb_unlink(skb, &sk->sk_receive_queue);
2691 skb = skb_peek(&sk->sk_receive_queue);
2693 } else if (!sock_flag(sk, SOCK_URGINLINE)) {
2694 skb = skb_peek_next(skb, &sk->sk_receive_queue);
2698 spin_unlock(&sk->sk_receive_queue.lock);
2700 consume_skb(read_skb);
2701 kfree_skb(unread_skb);
2707 static int unix_stream_read_skb(struct sock *sk, skb_read_actor_t recv_actor)
2709 struct unix_sock *u = unix_sk(sk);
2710 struct sk_buff *skb;
2713 if (unlikely(READ_ONCE(sk->sk_state) != TCP_ESTABLISHED))
2716 mutex_lock(&u->iolock);
2717 skb = skb_recv_datagram(sk, MSG_DONTWAIT, &err);
2718 mutex_unlock(&u->iolock);
2722 #if IS_ENABLED(CONFIG_AF_UNIX_OOB)
2723 if (unlikely(skb == READ_ONCE(u->oob_skb))) {
2726 unix_state_lock(sk);
2728 if (sock_flag(sk, SOCK_DEAD)) {
2729 unix_state_unlock(sk);
2734 spin_lock(&sk->sk_receive_queue.lock);
2735 if (likely(skb == u->oob_skb)) {
2736 WRITE_ONCE(u->oob_skb, NULL);
2739 spin_unlock(&sk->sk_receive_queue.lock);
2741 unix_state_unlock(sk);
2750 return recv_actor(sk, skb);
2753 static int unix_stream_read_generic(struct unix_stream_read_state *state,
2756 struct scm_cookie scm;
2757 struct socket *sock = state->socket;
2758 struct sock *sk = sock->sk;
2759 struct unix_sock *u = unix_sk(sk);
2761 int flags = state->flags;
2762 int noblock = flags & MSG_DONTWAIT;
2763 bool check_creds = false;
2768 size_t size = state->size;
2769 unsigned int last_len;
2771 if (unlikely(READ_ONCE(sk->sk_state) != TCP_ESTABLISHED)) {
2776 if (unlikely(flags & MSG_OOB)) {
2778 #if IS_ENABLED(CONFIG_AF_UNIX_OOB)
2779 err = unix_stream_recv_urg(state);
2784 target = sock_rcvlowat(sk, flags & MSG_WAITALL, size);
2785 timeo = sock_rcvtimeo(sk, noblock);
2787 memset(&scm, 0, sizeof(scm));
2789 /* Lock the socket to prevent queue disordering
2790 * while sleeps in memcpy_tomsg
2792 mutex_lock(&u->iolock);
2794 skip = max(sk_peek_offset(sk, flags), 0);
2797 struct sk_buff *skb, *last;
2801 unix_state_lock(sk);
2802 if (sock_flag(sk, SOCK_DEAD)) {
2806 last = skb = skb_peek(&sk->sk_receive_queue);
2807 last_len = last ? last->len : 0;
2810 #if IS_ENABLED(CONFIG_AF_UNIX_OOB)
2812 skb = manage_oob(skb, sk, flags, copied);
2813 if (!skb && copied) {
2814 unix_state_unlock(sk);
2820 if (copied >= target)
2824 * POSIX 1003.1g mandates this order.
2827 err = sock_error(sk);
2830 if (sk->sk_shutdown & RCV_SHUTDOWN)
2833 unix_state_unlock(sk);
2839 mutex_unlock(&u->iolock);
2841 timeo = unix_stream_data_wait(sk, timeo, last,
2842 last_len, freezable);
2844 if (signal_pending(current)) {
2845 err = sock_intr_errno(timeo);
2850 mutex_lock(&u->iolock);
2853 unix_state_unlock(sk);
2857 while (skip >= unix_skb_len(skb)) {
2858 skip -= unix_skb_len(skb);
2860 last_len = skb->len;
2861 skb = skb_peek_next(skb, &sk->sk_receive_queue);
2866 unix_state_unlock(sk);
2869 /* Never glue messages from different writers */
2870 if (!unix_skb_scm_eq(skb, &scm))
2872 } else if (test_bit(SOCK_PASSCRED, &sock->flags) ||
2873 test_bit(SOCK_PASSPIDFD, &sock->flags)) {
2874 /* Copy credentials */
2875 scm_set_cred(&scm, UNIXCB(skb).pid, UNIXCB(skb).uid, UNIXCB(skb).gid);
2876 unix_set_secdata(&scm, skb);
2880 /* Copy address just once */
2881 if (state->msg && state->msg->msg_name) {
2882 DECLARE_SOCKADDR(struct sockaddr_un *, sunaddr,
2883 state->msg->msg_name);
2884 unix_copy_addr(state->msg, skb->sk);
2886 BPF_CGROUP_RUN_PROG_UNIX_RECVMSG_LOCK(sk,
2887 state->msg->msg_name,
2888 &state->msg->msg_namelen);
2893 chunk = min_t(unsigned int, unix_skb_len(skb) - skip, size);
2894 chunk = state->recv_actor(skb, skip, chunk, state);
2903 /* Mark read part of skb as used */
2904 if (!(flags & MSG_PEEK)) {
2905 UNIXCB(skb).consumed += chunk;
2907 sk_peek_offset_bwd(sk, chunk);
2909 if (UNIXCB(skb).fp) {
2910 scm_stat_del(sk, skb);
2911 unix_detach_fds(&scm, skb);
2914 if (unix_skb_len(skb))
2917 skb_unlink(skb, &sk->sk_receive_queue);
2923 /* It is questionable, see note in unix_dgram_recvmsg.
2926 unix_peek_fds(&scm, skb);
2928 sk_peek_offset_fwd(sk, chunk);
2935 last_len = skb->len;
2936 unix_state_lock(sk);
2937 skb = skb_peek_next(skb, &sk->sk_receive_queue);
2940 unix_state_unlock(sk);
2945 mutex_unlock(&u->iolock);
2947 scm_recv_unix(sock, state->msg, &scm, flags);
2951 return copied ? : err;
2954 static int unix_stream_read_actor(struct sk_buff *skb,
2955 int skip, int chunk,
2956 struct unix_stream_read_state *state)
2960 ret = skb_copy_datagram_msg(skb, UNIXCB(skb).consumed + skip,
2962 return ret ?: chunk;
2965 int __unix_stream_recvmsg(struct sock *sk, struct msghdr *msg,
2966 size_t size, int flags)
2968 struct unix_stream_read_state state = {
2969 .recv_actor = unix_stream_read_actor,
2970 .socket = sk->sk_socket,
2976 return unix_stream_read_generic(&state, true);
2979 static int unix_stream_recvmsg(struct socket *sock, struct msghdr *msg,
2980 size_t size, int flags)
2982 struct unix_stream_read_state state = {
2983 .recv_actor = unix_stream_read_actor,
2990 #ifdef CONFIG_BPF_SYSCALL
2991 struct sock *sk = sock->sk;
2992 const struct proto *prot = READ_ONCE(sk->sk_prot);
2994 if (prot != &unix_stream_proto)
2995 return prot->recvmsg(sk, msg, size, flags, NULL);
2997 return unix_stream_read_generic(&state, true);
3000 static int unix_stream_splice_actor(struct sk_buff *skb,
3001 int skip, int chunk,
3002 struct unix_stream_read_state *state)
3004 return skb_splice_bits(skb, state->socket->sk,
3005 UNIXCB(skb).consumed + skip,
3006 state->pipe, chunk, state->splice_flags);
3009 static ssize_t unix_stream_splice_read(struct socket *sock, loff_t *ppos,
3010 struct pipe_inode_info *pipe,
3011 size_t size, unsigned int flags)
3013 struct unix_stream_read_state state = {
3014 .recv_actor = unix_stream_splice_actor,
3018 .splice_flags = flags,
3021 if (unlikely(*ppos))
3024 if (sock->file->f_flags & O_NONBLOCK ||
3025 flags & SPLICE_F_NONBLOCK)
3026 state.flags = MSG_DONTWAIT;
3028 return unix_stream_read_generic(&state, false);
3031 static int unix_shutdown(struct socket *sock, int mode)
3033 struct sock *sk = sock->sk;
3036 if (mode < SHUT_RD || mode > SHUT_RDWR)
3039 * SHUT_RD (0) -> RCV_SHUTDOWN (1)
3040 * SHUT_WR (1) -> SEND_SHUTDOWN (2)
3041 * SHUT_RDWR (2) -> SHUTDOWN_MASK (3)
3045 unix_state_lock(sk);
3046 WRITE_ONCE(sk->sk_shutdown, sk->sk_shutdown | mode);
3047 other = unix_peer(sk);
3050 unix_state_unlock(sk);
3051 sk->sk_state_change(sk);
3054 (sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET)) {
3057 const struct proto *prot = READ_ONCE(other->sk_prot);
3060 prot->unhash(other);
3061 if (mode&RCV_SHUTDOWN)
3062 peer_mode |= SEND_SHUTDOWN;
3063 if (mode&SEND_SHUTDOWN)
3064 peer_mode |= RCV_SHUTDOWN;
3065 unix_state_lock(other);
3066 WRITE_ONCE(other->sk_shutdown, other->sk_shutdown | peer_mode);
3067 unix_state_unlock(other);
3068 other->sk_state_change(other);
3069 if (peer_mode == SHUTDOWN_MASK)
3070 sk_wake_async(other, SOCK_WAKE_WAITD, POLL_HUP);
3071 else if (peer_mode & RCV_SHUTDOWN)
3072 sk_wake_async(other, SOCK_WAKE_WAITD, POLL_IN);
3080 long unix_inq_len(struct sock *sk)
3082 struct sk_buff *skb;
3085 if (READ_ONCE(sk->sk_state) == TCP_LISTEN)
3088 spin_lock(&sk->sk_receive_queue.lock);
3089 if (sk->sk_type == SOCK_STREAM ||
3090 sk->sk_type == SOCK_SEQPACKET) {
3091 skb_queue_walk(&sk->sk_receive_queue, skb)
3092 amount += unix_skb_len(skb);
3094 skb = skb_peek(&sk->sk_receive_queue);
3098 spin_unlock(&sk->sk_receive_queue.lock);
3102 EXPORT_SYMBOL_GPL(unix_inq_len);
3104 long unix_outq_len(struct sock *sk)
3106 return sk_wmem_alloc_get(sk);
3108 EXPORT_SYMBOL_GPL(unix_outq_len);
3110 static int unix_open_file(struct sock *sk)
3116 if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
3119 if (!smp_load_acquire(&unix_sk(sk)->addr))
3122 path = unix_sk(sk)->path;
3128 fd = get_unused_fd_flags(O_CLOEXEC);
3132 f = dentry_open(&path, O_PATH, current_cred());
3146 static int unix_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
3148 struct sock *sk = sock->sk;
3154 amount = unix_outq_len(sk);
3155 err = put_user(amount, (int __user *)arg);
3158 amount = unix_inq_len(sk);
3162 err = put_user(amount, (int __user *)arg);
3165 err = unix_open_file(sk);
3167 #if IS_ENABLED(CONFIG_AF_UNIX_OOB)
3170 struct unix_sock *u = unix_sk(sk);
3171 struct sk_buff *skb;
3174 mutex_lock(&u->iolock);
3176 skb = skb_peek(&sk->sk_receive_queue);
3178 struct sk_buff *oob_skb = READ_ONCE(u->oob_skb);
3179 struct sk_buff *next_skb;
3181 next_skb = skb_peek_next(skb, &sk->sk_receive_queue);
3183 if (skb == oob_skb ||
3184 (!unix_skb_len(skb) &&
3185 (!oob_skb || next_skb == oob_skb)))
3189 mutex_unlock(&u->iolock);
3191 err = put_user(answ, (int __user *)arg);
3202 #ifdef CONFIG_COMPAT
3203 static int unix_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
3205 return unix_ioctl(sock, cmd, (unsigned long)compat_ptr(arg));
3209 static __poll_t unix_poll(struct file *file, struct socket *sock, poll_table *wait)
3211 struct sock *sk = sock->sk;
3212 unsigned char state;
3216 sock_poll_wait(file, sock, wait);
3218 shutdown = READ_ONCE(sk->sk_shutdown);
3219 state = READ_ONCE(sk->sk_state);
3221 /* exceptional events? */
3222 if (READ_ONCE(sk->sk_err))
3224 if (shutdown == SHUTDOWN_MASK)
3226 if (shutdown & RCV_SHUTDOWN)
3227 mask |= EPOLLRDHUP | EPOLLIN | EPOLLRDNORM;
3230 if (!skb_queue_empty_lockless(&sk->sk_receive_queue))
3231 mask |= EPOLLIN | EPOLLRDNORM;
3232 if (sk_is_readable(sk))
3233 mask |= EPOLLIN | EPOLLRDNORM;
3234 #if IS_ENABLED(CONFIG_AF_UNIX_OOB)
3235 if (READ_ONCE(unix_sk(sk)->oob_skb))
3239 /* Connection-based need to check for termination and startup */
3240 if ((sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET) &&
3245 * we set writable also when the other side has shut down the
3246 * connection. This prevents stuck sockets.
3248 if (unix_writable(sk, state))
3249 mask |= EPOLLOUT | EPOLLWRNORM | EPOLLWRBAND;
3254 static __poll_t unix_dgram_poll(struct file *file, struct socket *sock,
3257 struct sock *sk = sock->sk, *other;
3258 unsigned int writable;
3259 unsigned char state;
3263 sock_poll_wait(file, sock, wait);
3265 shutdown = READ_ONCE(sk->sk_shutdown);
3266 state = READ_ONCE(sk->sk_state);
3268 /* exceptional events? */
3269 if (READ_ONCE(sk->sk_err) ||
3270 !skb_queue_empty_lockless(&sk->sk_error_queue))
3272 (sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? EPOLLPRI : 0);
3274 if (shutdown & RCV_SHUTDOWN)
3275 mask |= EPOLLRDHUP | EPOLLIN | EPOLLRDNORM;
3276 if (shutdown == SHUTDOWN_MASK)
3280 if (!skb_queue_empty_lockless(&sk->sk_receive_queue))
3281 mask |= EPOLLIN | EPOLLRDNORM;
3282 if (sk_is_readable(sk))
3283 mask |= EPOLLIN | EPOLLRDNORM;
3285 /* Connection-based need to check for termination and startup */
3286 if (sk->sk_type == SOCK_SEQPACKET && state == TCP_CLOSE)
3289 /* No write status requested, avoid expensive OUT tests. */
3290 if (!(poll_requested_events(wait) & (EPOLLWRBAND|EPOLLWRNORM|EPOLLOUT)))
3293 writable = unix_writable(sk, state);
3295 unix_state_lock(sk);
3297 other = unix_peer(sk);
3298 if (other && unix_peer(other) != sk &&
3299 unix_recvq_full_lockless(other) &&
3300 unix_dgram_peer_wake_me(sk, other))
3303 unix_state_unlock(sk);
3307 mask |= EPOLLOUT | EPOLLWRNORM | EPOLLWRBAND;
3309 sk_set_bit(SOCKWQ_ASYNC_NOSPACE, sk);
3314 #ifdef CONFIG_PROC_FS
3316 #define BUCKET_SPACE (BITS_PER_LONG - (UNIX_HASH_BITS + 1) - 1)
3318 #define get_bucket(x) ((x) >> BUCKET_SPACE)
3319 #define get_offset(x) ((x) & ((1UL << BUCKET_SPACE) - 1))
3320 #define set_bucket_offset(b, o) ((b) << BUCKET_SPACE | (o))
3322 static struct sock *unix_from_bucket(struct seq_file *seq, loff_t *pos)
3324 unsigned long offset = get_offset(*pos);
3325 unsigned long bucket = get_bucket(*pos);
3326 unsigned long count = 0;
3329 for (sk = sk_head(&seq_file_net(seq)->unx.table.buckets[bucket]);
3330 sk; sk = sk_next(sk)) {
3331 if (++count == offset)
3338 static struct sock *unix_get_first(struct seq_file *seq, loff_t *pos)
3340 unsigned long bucket = get_bucket(*pos);
3341 struct net *net = seq_file_net(seq);
3344 while (bucket < UNIX_HASH_SIZE) {
3345 spin_lock(&net->unx.table.locks[bucket]);
3347 sk = unix_from_bucket(seq, pos);
3351 spin_unlock(&net->unx.table.locks[bucket]);
3353 *pos = set_bucket_offset(++bucket, 1);
3359 static struct sock *unix_get_next(struct seq_file *seq, struct sock *sk,
3362 unsigned long bucket = get_bucket(*pos);
3369 spin_unlock(&seq_file_net(seq)->unx.table.locks[bucket]);
3371 *pos = set_bucket_offset(++bucket, 1);
3373 return unix_get_first(seq, pos);
3376 static void *unix_seq_start(struct seq_file *seq, loff_t *pos)
3379 return SEQ_START_TOKEN;
3381 return unix_get_first(seq, pos);
3384 static void *unix_seq_next(struct seq_file *seq, void *v, loff_t *pos)
3388 if (v == SEQ_START_TOKEN)
3389 return unix_get_first(seq, pos);
3391 return unix_get_next(seq, v, pos);
3394 static void unix_seq_stop(struct seq_file *seq, void *v)
3396 struct sock *sk = v;
3399 spin_unlock(&seq_file_net(seq)->unx.table.locks[sk->sk_hash]);
3402 static int unix_seq_show(struct seq_file *seq, void *v)
3405 if (v == SEQ_START_TOKEN)
3406 seq_puts(seq, "Num RefCount Protocol Flags Type St "
3410 struct unix_sock *u = unix_sk(s);
3413 seq_printf(seq, "%pK: %08X %08X %08X %04X %02X %5lu",
3415 refcount_read(&s->sk_refcnt),
3417 s->sk_state == TCP_LISTEN ? __SO_ACCEPTCON : 0,
3420 (s->sk_state == TCP_ESTABLISHED ? SS_CONNECTED : SS_UNCONNECTED) :
3421 (s->sk_state == TCP_ESTABLISHED ? SS_CONNECTING : SS_DISCONNECTING),
3424 if (u->addr) { // under a hash table lock here
3429 len = u->addr->len -
3430 offsetof(struct sockaddr_un, sun_path);
3431 if (u->addr->name->sun_path[0]) {
3437 for ( ; i < len; i++)
3438 seq_putc(seq, u->addr->name->sun_path[i] ?:
3441 unix_state_unlock(s);
3442 seq_putc(seq, '\n');
3448 static const struct seq_operations unix_seq_ops = {
3449 .start = unix_seq_start,
3450 .next = unix_seq_next,
3451 .stop = unix_seq_stop,
3452 .show = unix_seq_show,
3455 #ifdef CONFIG_BPF_SYSCALL
3456 struct bpf_unix_iter_state {
3457 struct seq_net_private p;
3458 unsigned int cur_sk;
3459 unsigned int end_sk;
3460 unsigned int max_sk;
3461 struct sock **batch;
3462 bool st_bucket_done;
3465 struct bpf_iter__unix {
3466 __bpf_md_ptr(struct bpf_iter_meta *, meta);
3467 __bpf_md_ptr(struct unix_sock *, unix_sk);
3468 uid_t uid __aligned(8);
3471 static int unix_prog_seq_show(struct bpf_prog *prog, struct bpf_iter_meta *meta,
3472 struct unix_sock *unix_sk, uid_t uid)
3474 struct bpf_iter__unix ctx;
3476 meta->seq_num--; /* skip SEQ_START_TOKEN */
3478 ctx.unix_sk = unix_sk;
3480 return bpf_iter_run_prog(prog, &ctx);
3483 static int bpf_iter_unix_hold_batch(struct seq_file *seq, struct sock *start_sk)
3486 struct bpf_unix_iter_state *iter = seq->private;
3487 unsigned int expected = 1;
3490 sock_hold(start_sk);
3491 iter->batch[iter->end_sk++] = start_sk;
3493 for (sk = sk_next(start_sk); sk; sk = sk_next(sk)) {
3494 if (iter->end_sk < iter->max_sk) {
3496 iter->batch[iter->end_sk++] = sk;
3502 spin_unlock(&seq_file_net(seq)->unx.table.locks[start_sk->sk_hash]);
3507 static void bpf_iter_unix_put_batch(struct bpf_unix_iter_state *iter)
3509 while (iter->cur_sk < iter->end_sk)
3510 sock_put(iter->batch[iter->cur_sk++]);
3513 static int bpf_iter_unix_realloc_batch(struct bpf_unix_iter_state *iter,
3514 unsigned int new_batch_sz)
3516 struct sock **new_batch;
3518 new_batch = kvmalloc(sizeof(*new_batch) * new_batch_sz,
3519 GFP_USER | __GFP_NOWARN);
3523 bpf_iter_unix_put_batch(iter);
3524 kvfree(iter->batch);
3525 iter->batch = new_batch;
3526 iter->max_sk = new_batch_sz;
3531 static struct sock *bpf_iter_unix_batch(struct seq_file *seq,
3534 struct bpf_unix_iter_state *iter = seq->private;
3535 unsigned int expected;
3536 bool resized = false;
3539 if (iter->st_bucket_done)
3540 *pos = set_bucket_offset(get_bucket(*pos) + 1, 1);
3543 /* Get a new batch */
3547 sk = unix_get_first(seq, pos);
3549 return NULL; /* Done */
3551 expected = bpf_iter_unix_hold_batch(seq, sk);
3553 if (iter->end_sk == expected) {
3554 iter->st_bucket_done = true;
3558 if (!resized && !bpf_iter_unix_realloc_batch(iter, expected * 3 / 2)) {
3566 static void *bpf_iter_unix_seq_start(struct seq_file *seq, loff_t *pos)
3569 return SEQ_START_TOKEN;
3571 /* bpf iter does not support lseek, so it always
3572 * continue from where it was stop()-ped.
3574 return bpf_iter_unix_batch(seq, pos);
3577 static void *bpf_iter_unix_seq_next(struct seq_file *seq, void *v, loff_t *pos)
3579 struct bpf_unix_iter_state *iter = seq->private;
3582 /* Whenever seq_next() is called, the iter->cur_sk is
3583 * done with seq_show(), so advance to the next sk in
3586 if (iter->cur_sk < iter->end_sk)
3587 sock_put(iter->batch[iter->cur_sk++]);
3591 if (iter->cur_sk < iter->end_sk)
3592 sk = iter->batch[iter->cur_sk];
3594 sk = bpf_iter_unix_batch(seq, pos);
3599 static int bpf_iter_unix_seq_show(struct seq_file *seq, void *v)
3601 struct bpf_iter_meta meta;
3602 struct bpf_prog *prog;
3603 struct sock *sk = v;
3608 if (v == SEQ_START_TOKEN)
3611 slow = lock_sock_fast(sk);
3613 if (unlikely(sk_unhashed(sk))) {
3618 uid = from_kuid_munged(seq_user_ns(seq), sock_i_uid(sk));
3620 prog = bpf_iter_get_info(&meta, false);
3621 ret = unix_prog_seq_show(prog, &meta, v, uid);
3623 unlock_sock_fast(sk, slow);
3627 static void bpf_iter_unix_seq_stop(struct seq_file *seq, void *v)
3629 struct bpf_unix_iter_state *iter = seq->private;
3630 struct bpf_iter_meta meta;
3631 struct bpf_prog *prog;
3635 prog = bpf_iter_get_info(&meta, true);
3637 (void)unix_prog_seq_show(prog, &meta, v, 0);
3640 if (iter->cur_sk < iter->end_sk)
3641 bpf_iter_unix_put_batch(iter);
3644 static const struct seq_operations bpf_iter_unix_seq_ops = {
3645 .start = bpf_iter_unix_seq_start,
3646 .next = bpf_iter_unix_seq_next,
3647 .stop = bpf_iter_unix_seq_stop,
3648 .show = bpf_iter_unix_seq_show,
3653 static const struct net_proto_family unix_family_ops = {
3655 .create = unix_create,
3656 .owner = THIS_MODULE,
3660 static int __net_init unix_net_init(struct net *net)
3664 net->unx.sysctl_max_dgram_qlen = 10;
3665 if (unix_sysctl_register(net))
3668 #ifdef CONFIG_PROC_FS
3669 if (!proc_create_net("unix", 0, net->proc_net, &unix_seq_ops,
3670 sizeof(struct seq_net_private)))
3674 net->unx.table.locks = kvmalloc_array(UNIX_HASH_SIZE,
3675 sizeof(spinlock_t), GFP_KERNEL);
3676 if (!net->unx.table.locks)
3679 net->unx.table.buckets = kvmalloc_array(UNIX_HASH_SIZE,
3680 sizeof(struct hlist_head),
3682 if (!net->unx.table.buckets)
3685 for (i = 0; i < UNIX_HASH_SIZE; i++) {
3686 spin_lock_init(&net->unx.table.locks[i]);
3687 lock_set_cmp_fn(&net->unx.table.locks[i], unix_table_lock_cmp_fn, NULL);
3688 INIT_HLIST_HEAD(&net->unx.table.buckets[i]);
3694 kvfree(net->unx.table.locks);
3696 #ifdef CONFIG_PROC_FS
3697 remove_proc_entry("unix", net->proc_net);
3700 unix_sysctl_unregister(net);
3705 static void __net_exit unix_net_exit(struct net *net)
3707 kvfree(net->unx.table.buckets);
3708 kvfree(net->unx.table.locks);
3709 unix_sysctl_unregister(net);
3710 remove_proc_entry("unix", net->proc_net);
3713 static struct pernet_operations unix_net_ops = {
3714 .init = unix_net_init,
3715 .exit = unix_net_exit,
3718 #if defined(CONFIG_BPF_SYSCALL) && defined(CONFIG_PROC_FS)
3719 DEFINE_BPF_ITER_FUNC(unix, struct bpf_iter_meta *meta,
3720 struct unix_sock *unix_sk, uid_t uid)
3722 #define INIT_BATCH_SZ 16
3724 static int bpf_iter_init_unix(void *priv_data, struct bpf_iter_aux_info *aux)
3726 struct bpf_unix_iter_state *iter = priv_data;
3729 err = bpf_iter_init_seq_net(priv_data, aux);
3733 err = bpf_iter_unix_realloc_batch(iter, INIT_BATCH_SZ);
3735 bpf_iter_fini_seq_net(priv_data);
3742 static void bpf_iter_fini_unix(void *priv_data)
3744 struct bpf_unix_iter_state *iter = priv_data;
3746 bpf_iter_fini_seq_net(priv_data);
3747 kvfree(iter->batch);
3750 static const struct bpf_iter_seq_info unix_seq_info = {
3751 .seq_ops = &bpf_iter_unix_seq_ops,
3752 .init_seq_private = bpf_iter_init_unix,
3753 .fini_seq_private = bpf_iter_fini_unix,
3754 .seq_priv_size = sizeof(struct bpf_unix_iter_state),
3757 static const struct bpf_func_proto *
3758 bpf_iter_unix_get_func_proto(enum bpf_func_id func_id,
3759 const struct bpf_prog *prog)
3762 case BPF_FUNC_setsockopt:
3763 return &bpf_sk_setsockopt_proto;
3764 case BPF_FUNC_getsockopt:
3765 return &bpf_sk_getsockopt_proto;
3771 static struct bpf_iter_reg unix_reg_info = {
3773 .ctx_arg_info_size = 1,
3775 { offsetof(struct bpf_iter__unix, unix_sk),
3776 PTR_TO_BTF_ID_OR_NULL },
3778 .get_func_proto = bpf_iter_unix_get_func_proto,
3779 .seq_info = &unix_seq_info,
3782 static void __init bpf_iter_register(void)
3784 unix_reg_info.ctx_arg_info[0].btf_id = btf_sock_ids[BTF_SOCK_TYPE_UNIX];
3785 if (bpf_iter_reg_target(&unix_reg_info))
3786 pr_warn("Warning: could not register bpf iterator unix\n");
3790 static int __init af_unix_init(void)
3794 BUILD_BUG_ON(sizeof(struct unix_skb_parms) > sizeof_field(struct sk_buff, cb));
3796 for (i = 0; i < UNIX_HASH_SIZE / 2; i++) {
3797 spin_lock_init(&bsd_socket_locks[i]);
3798 INIT_HLIST_HEAD(&bsd_socket_buckets[i]);
3801 rc = proto_register(&unix_dgram_proto, 1);
3803 pr_crit("%s: Cannot create unix_sock SLAB cache!\n", __func__);
3807 rc = proto_register(&unix_stream_proto, 1);
3809 pr_crit("%s: Cannot create unix_sock SLAB cache!\n", __func__);
3810 proto_unregister(&unix_dgram_proto);
3814 sock_register(&unix_family_ops);
3815 register_pernet_subsys(&unix_net_ops);
3816 unix_bpf_build_proto();
3818 #if defined(CONFIG_BPF_SYSCALL) && defined(CONFIG_PROC_FS)
3819 bpf_iter_register();
3826 /* Later than subsys_initcall() because we depend on stuff initialised there */
3827 fs_initcall(af_unix_init);