net/unix/scm.c

   1 // SPDX-License-Identifier: GPL-2.0
   2 #include <linux/module.h>
   3 #include <linux/kernel.h>
   4 #include <linux/string.h>
   5 #include <linux/socket.h>
   6 #include <linux/net.h>
   7 #include <linux/fs.h>
   8 #include <net/af_unix.h>
   9 #include <net/scm.h>
  10 #include <linux/init.h>
  11 #include <linux/io_uring.h>
  12
  13 #include "scm.h"
  14
  15 unsigned int unix_tot_inflight;
  16 EXPORT_SYMBOL(unix_tot_inflight);
  17
  18 LIST_HEAD(gc_inflight_list);
  19 EXPORT_SYMBOL(gc_inflight_list);
  20
  21 DEFINE_SPINLOCK(unix_gc_lock);
  22 EXPORT_SYMBOL(unix_gc_lock);
  23
  24 struct sock *unix_get_socket(struct file *filp)
  25 {
  26         struct sock *u_sock = NULL;
  27         struct inode *inode = file_inode(filp);
  28
  29         /* Socket ? */
  30         if (S_ISSOCK(inode->i_mode) && !(filp->f_mode & FMODE_PATH)) {
  31                 struct socket *sock = SOCKET_I(inode);
  32                 struct sock *s = sock->sk;
  33
  34                 /* PF_UNIX ? */
  35                 if (s && sock->ops && sock->ops->family == PF_UNIX)
  36                         u_sock = s;
  37         } else {
  38                 /* Could be an io_uring instance */
  39                 u_sock = io_uring_get_socket(filp);
  40         }
  41         return u_sock;
  42 }
  43 EXPORT_SYMBOL(unix_get_socket);
  44
  45 /* Keep the number of times in flight count for the file
  46  * descriptor if it is for an AF_UNIX socket.
  47  */
  48 void unix_inflight(struct user_struct *user, struct file *fp)
  49 {
  50         struct sock *s = unix_get_socket(fp);
  51
  52         spin_lock(&unix_gc_lock);
  53
  54         if (s) {
  55                 struct unix_sock *u = unix_sk(s);
  56
  57                 if (atomic_long_inc_return(&u->inflight) == 1) {
  58                         BUG_ON(!list_empty(&u->link));
  59                         list_add_tail(&u->link, &gc_inflight_list);
  60                 } else {
  61                         BUG_ON(list_empty(&u->link));
  62                 }
  63                 unix_tot_inflight++;
  64         }
  65         user->unix_inflight++;
  66         spin_unlock(&unix_gc_lock);
  67 }
  68
  69 void unix_notinflight(struct user_struct *user, struct file *fp)
  70 {
  71         struct sock *s = unix_get_socket(fp);
  72
  73         spin_lock(&unix_gc_lock);
  74
  75         if (s) {
  76                 struct unix_sock *u = unix_sk(s);
  77
  78                 BUG_ON(!atomic_long_read(&u->inflight));
  79                 BUG_ON(list_empty(&u->link));
  80
  81                 if (atomic_long_dec_and_test(&u->inflight))
  82                         list_del_init(&u->link);
  83                 unix_tot_inflight--;
  84         }
  85         user->unix_inflight--;
  86         spin_unlock(&unix_gc_lock);
  87 }
  88
  89 /*
  90  * The "user->unix_inflight" variable is protected by the garbage
  91  * collection lock, and we just read it locklessly here. If you go
  92  * over the limit, there might be a tiny race in actually noticing
  93  * it across threads. Tough.
  94  */
  95 static inline bool too_many_unix_fds(struct task_struct *p)
  96 {
  97         struct user_struct *user = current_user();
  98
  99         if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE)))
 100                 return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN);
 101         return false;
 102 }
 103
 104 int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
 105 {
 106         int i;
 107
 108         if (too_many_unix_fds(current))
 109                 return -ETOOMANYREFS;
 110
 111         /*
 112          * Need to duplicate file references for the sake of garbage
 113          * collection.  Otherwise a socket in the fps might become a
 114          * candidate for GC while the skb is not yet queued.
 115          */
 116         UNIXCB(skb).fp = scm_fp_dup(scm->fp);
 117         if (!UNIXCB(skb).fp)
 118                 return -ENOMEM;
 119
 120         for (i = scm->fp->count - 1; i >= 0; i--)
 121                 unix_inflight(scm->fp->user, scm->fp->fp[i]);
 122         return 0;
 123 }
 124 EXPORT_SYMBOL(unix_attach_fds);
 125
 126 void unix_detach_fds(struct scm_cookie *scm, struct sk_buff *skb)
 127 {
 128         int i;
 129
 130         scm->fp = UNIXCB(skb).fp;
 131         UNIXCB(skb).fp = NULL;
 132
 133         for (i = scm->fp->count-1; i >= 0; i--)
 134                 unix_notinflight(scm->fp->user, scm->fp->fp[i]);
 135 }
 136 EXPORT_SYMBOL(unix_detach_fds);
 137
 138 void unix_destruct_scm(struct sk_buff *skb)
 139 {
 140         struct scm_cookie scm;
 141
 142         memset(&scm, 0, sizeof(scm));
 143         scm.pid  = UNIXCB(skb).pid;
 144         if (UNIXCB(skb).fp)
 145                 unix_detach_fds(&scm, skb);
 146
 147         /* Alas, it calls VFS */
 148         /* So fscking what? fput() had been SMP-safe since the last Summer */
 149         scm_destroy(&scm);
 150         sock_wfree(skb);
 151 }
 152 EXPORT_SYMBOL(unix_destruct_scm);