Diffstat (limited to 'net/unix/af_unix.c')
| -rw-r--r-- | net/unix/af_unix.c | 56 | 
1 files changed, 41 insertions, 15 deletions
| diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index ef05cd9403d4..6579fd6e7459 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -315,7 +315,7 @@ static struct sock *unix_find_socket_byinode(struct inode *i)
 		    &unix_socket_table[i->i_ino & (UNIX_HASH_SIZE - 1)]) {
 		struct dentry *dentry = unix_sk(s)->path.dentry;
-		if (dentry && d_backing_inode(dentry) == i) {
+		if (dentry && d_real_inode(dentry) == i) {
 			sock_hold(s);
 			goto found;
 		}
@@ -911,7 +911,7 @@ static struct sock *unix_find_other(struct net *net,
 		err = kern_path(sunname->sun_path, LOOKUP_FOLLOW, &path);
 		if (err)
 			goto fail;
-		inode = d_backing_inode(path.dentry);
+		inode = d_real_inode(path.dentry);
 		err = inode_permission(inode, MAY_WRITE);
 		if (err)
 			goto put_fail;
@@ -1048,7 +1048,7 @@ static int unix_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
 			goto out_up;
 		}
 		addr->hash = UNIX_HASH_SIZE;
-		hash = d_backing_inode(dentry)->i_ino & (UNIX_HASH_SIZE - 1);
+		hash = d_real_inode(dentry)->i_ino & (UNIX_HASH_SIZE - 1);
 		spin_lock(&unix_table_lock);
 		u->path = u_path;
 		list = &unix_socket_table[hash];
@@ -1496,7 +1496,7 @@ static void unix_detach_fds(struct scm_cookie *scm, struct sk_buff *skb)
 	UNIXCB(skb).fp = NULL;
 	for (i = scm->fp->count-1; i >= 0; i--)
-		unix_notinflight(scm->fp->fp[i]);
+		unix_notinflight(scm->fp->user, scm->fp->fp[i]);
 }
 static void unix_destruct_scm(struct sk_buff *skb)
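Review bot: The hash computed at `hash = d_real_inode(dentry)->i_ino & (UNIX_HASH_SIZE - 1);` is the key that unix_find_socket_byinode() compares against with `d_real_inode(dentry) == i`, and unix_find_other() resolves the lookup inode the same way, so all three sites must keep using the same inode accessor or sockets bound through an overlay become unreachable again; nothing at any of the sites says so. A one-line comment above the assignment would make the coupling explicit: `/* key on the real (underlying) inode: unix_find_socket_byinode() and unix_find_other() must resolve the same one */`. unix_bind() begins and ends outside the hunk.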
@@ -1513,6 +1513,21 @@ static void unix_destruct_scm(struct sk_buff *skb)
 	sock_wfree(skb);
 }
+/*
+ * The "user->unix_inflight" variable is protected by the garbage
+ * collection lock, and we just read it locklessly here. If you go
+ * over the limit, there might be a tiny race in actually noticing
+ * it across threads. Tough.
+ */
+static inline bool too_many_unix_fds(struct task_struct *p)
+{
+	struct user_struct *user = current_user();
+
+	if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE)))
+		return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN);
+	return false;
+}
+
 #define MAX_RECURSION_LEVEL 4
 static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
@@ -1521,6 +1536,9 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
 	unsigned char max_level = 0;
 	int unix_sock_count = 0;
+	if (too_many_unix_fds(current))
+		return -ETOOMANYREFS;
+
 	for (i = scm->fp->count - 1; i >= 0; i--) {
 		struct sock *sk = unix_get_socket(scm->fp->fp[i]);
@@ -1542,10 +1560,8 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
 	if (!UNIXCB(skb).fp)
 		return -ENOMEM;
-	if (unix_sock_count) {
-		for (i = scm->fp->count - 1; i >= 0; i--)
-			unix_inflight(scm->fp->fp[i]);
-	}
+	for (i = scm->fp->count - 1; i >= 0; i--)
+		unix_inflight(scm->fp->user, scm->fp->fp[i]);
 	return max_level;
 }
@@ -1765,7 +1781,12 @@ restart_locked:
 			goto out_unlock;
 	}
-	if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
+	/* other == sk && unix_peer(other) != sk if
+ * - unix_peer(sk) == NULL, destination address bound to sk
+ * - unix_peer(sk) == sk by time of get but disconnected before lock
+ */
+	if (other != sk &&
+	    unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
 		if (timeo) {
 			timeo = unix_wait_for_peer(other, timeo);
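Review bot: too_many_unix_fds() tests `current_user()->unix_inflight` against the limit, while the charge added further down in unix_attach_fds() goes to a different handle, `unix_inflight(scm->fp->user, ...)`; the limit only means something if those two user_structs are always the same, and what sets fp->user is outside this file and not visible here. If the invariant holds, say so where the account is picked: `struct user_struct *user = current_user(); /* must be the account scm->fp->user is charged to — presumably scm_fp_copy() sets it from current_user(); confirm */`; if it can differ (for example an fp array built under one credential and sent under another), the check should read `scm->fp->user->unix_inflight` so the count it compares is the one being incremented. Separately, the `p` parameter is always `current` at the one call site in this diff, so `task_rlimit(current, RLIMIT_NOFILE)` with no parameter would be simpler and remove the possibility of checking one task's rlimit against another's account.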
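Review bot: The new comment above `if (other != sk &&` explains when other == sk can coincide with unix_peer(other) != sk, but not why the queue-full check is skipped in that case, and that skip is the behavioural change: a socket sending to its own bound address is no longer held in unix_wait_for_peer() or refused with the full-queue path, and the datagram is queued regardless of what unix_recvq_full(other) says. Presumably the point is that sleeping on one's own receive queue can never be woken by a reader of it; the comment should state that, e.g. a fourth line ` * Skip the backlog check then: waiting on our own receive queue could never make progress.`, so nobody re-adds the check later. The three comment lines are also printed without the leading tab the `/*` line has, which is worth a look before merge if the indentation was lost in the patch rather than in this rendering. unix_dgram_sendmsg() begins and ends outside the hunk.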
@@ -2254,13 +2275,15 @@ static int unix_stream_read_generic(struct unix_stream_read_state *state)
 	size_t size = state->size;
 	unsigned int last_len;
-	err = -EINVAL;
-	if (sk->sk_state != TCP_ESTABLISHED)
+	if (unlikely(sk->sk_state != TCP_ESTABLISHED)) {
+		err = -EINVAL;
 		goto out;
+	}
-	err = -EOPNOTSUPP;
-	if (flags & MSG_OOB)
+	if (unlikely(flags & MSG_OOB)) {
+		err = -EOPNOTSUPP;
 		goto out;
+	}
 	target = sock_rcvlowat(sk, flags & MSG_WAITALL, size);
 	timeo = sock_rcvtimeo(sk, noblock);
@@ -2306,9 +2329,11 @@ again:
 				goto unlock;
 			unix_state_unlock(sk);
-			err = -EAGAIN;
-			if (!timeo)
+			if (!timeo) {
+				err = -EAGAIN;
 				break;
+			}
+
 			mutex_unlock(&u->readlock);
 			timeo = unix_stream_data_wait(sk, timeo, last,
@@ -2316,6 +2341,7 @@ again:
 			if (signal_pending(current)) {
 				err = sock_intr_errno(timeo);
+				scm_destroy(&scm);
 				goto out;
 			}
|
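Review bot: The added `scm_destroy(&scm);` sits on the one loop exit visible here that leaves via `goto out` rather than `break` — the `-EAGAIN` path and `goto unlock` in the previous hunk both break out to whatever consumes scm after the loop (presumably the scm_recv() call, which is outside this hunk) — so this is the only place the references scm holds get dropped on the signal path, and nothing marks it as deliberate. A one-line comment would keep a later cleanup from removing it as redundant: `/* leaving the loop without reaching the post-loop scm consumer: drop the pid/cred refs scm holds */`. Any other `goto out` inside the loop body that is outside this hunk needs the same call, and that is worth checking before merge. unix_stream_read_generic() begins and ends outside the hunk.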
