1 files changed, 237 insertions, 30 deletions
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 06430598cf51..03ee4d359f6a 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -140,12 +140,17 @@ static struct hlist_head *unix_sockets_unbound(void *addr)
 #ifdef CONFIG_SECURITY_NETWORK
 static void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb)
 {
-        memcpy(UNIXSID(skb), &scm->secid, sizeof(u32));
+        UNIXCB(skb).secid = scm->secid;
 }
 static inline void unix_set_secdata(struct scm_cookie *scm, struct sk_buff *skb)
 {
-        scm->secid = *UNIXSID(skb);
+        scm->secid = UNIXCB(skb).secid;
+}
+static inline bool unix_secdata_eq(struct scm_cookie *scm, struct sk_buff *skb)
+{
+        return (scm->secid == UNIXCB(skb).secid);
 }
 #else
 static inline void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb)
@@ -153,6 +158,11 @@ static inline void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb)
 static inline void unix_set_secdata(struct scm_cookie *scm, struct sk_buff *skb)
 { }
+static inline bool unix_secdata_eq(struct scm_cookie *scm, struct sk_buff *skb)
+{
+        return true;
+}
 #endif /* CONFIG_SECURITY_NETWORK */
 /*
@@ -518,6 +528,11 @@ static int unix_ioctl(struct socket *, unsigned int, unsigned long);
 static int unix_shutdown(struct socket *, int);
 static int unix_stream_sendmsg(struct socket *, struct msghdr *, size_t);
 static int unix_stream_recvmsg(struct socket *, struct msghdr *, size_t, int);
+static ssize_t unix_stream_sendpage(struct socket *, struct page *, int offset,
+                                    size_t size, int flags);
+static ssize_t unix_stream_splice_read(struct socket *,  loff_t *ppos,
+                                       struct pipe_inode_info *, size_t size,
+                                       unsigned int flags);
 static int unix_dgram_sendmsg(struct socket *, struct msghdr *, size_t);
 static int unix_dgram_recvmsg(struct socket *, struct msghdr *, size_t, int);
 static int unix_dgram_connect(struct socket *, struct sockaddr *,
@@ -558,7 +573,8 @@ static const struct proto_ops unix_stream_ops = {
        .sendmsg =      unix_stream_sendmsg,
        .recvmsg =      unix_stream_recvmsg,
        .mmap =         sock_no_mmap,
-        .sendpage =     sock_no_sendpage,
+        .sendpage =     unix_stream_sendpage,
+        .splice_read =  unix_stream_splice_read,
        .set_peek_off = unix_set_peek_off,
 };
@@ -620,7 +636,7 @@ static struct proto unix_proto = {
 */
 static struct lock_class_key af_unix_sk_receive_queue_lock_key;
-static struct sock *unix_create1(struct net *net, struct socket *sock)
+static struct sock *unix_create1(struct net *net, struct socket *sock, int kern)
 {
        struct sock *sk = NULL;
        struct unix_sock *u;
@@ -629,7 +645,7 @@ static struct sock *unix_create1(struct net *net, struct socket *sock)
        if (atomic_long_read(&unix_nr_socks) > 2 * get_max_files())
                goto out;
-        sk = sk_alloc(net, PF_UNIX, GFP_KERNEL, &unix_proto);
+        sk = sk_alloc(net, PF_UNIX, GFP_KERNEL, &unix_proto, kern);
        if (!sk)
                goto out;
@@ -688,7 +704,7 @@ static int unix_create(struct net *net, struct socket *sock, int protocol,
                return -ESOCKTNOSUPPORT;
        }
-        return unix_create1(net, sock) ? 0 : -ENOMEM;
+        return unix_create1(net, sock, kern) ? 0 : -ENOMEM;
 }
 static int unix_release(struct socket *sock)
@@ -1088,7 +1104,7 @@ static int unix_stream_connect(struct socket *sock, struct sockaddr *uaddr,
        err = -ENOMEM;
        /* create new sock for complete connection */
-        newsk = unix_create1(sock_net(sk), NULL);
+        newsk = unix_create1(sock_net(sk), NULL, 0);
        if (newsk == NULL)
                goto out;
@@ -1408,6 +1424,7 @@ static int unix_scm_to_skb(struct scm_cookie *scm, struct sk_buff *skb, bool sen
        UNIXCB(skb).uid = scm->creds.uid;
        UNIXCB(skb).gid = scm->creds.gid;
        UNIXCB(skb).fp = NULL;
+        unix_get_secdata(scm, skb);
        if (scm->fp && send_fds)
                err = unix_attach_fds(scm, skb);
@@ -1503,7 +1520,6 @@ static int unix_dgram_sendmsg(struct socket *sock, struct msghdr *msg,
        if (err < 0)
                goto out_free;
        max_level = err + 1;
-        unix_get_secdata(&scm, skb);
        skb_put(skb, len - data_len);
        skb->data_len = data_len;
@@ -1720,6 +1736,101 @@ out_err:
        return sent ? : err;
 }
+static ssize_t unix_stream_sendpage(struct socket *socket, struct page *page,
+                                    int offset, size_t size, int flags)
+{
+        int err = 0;
+        bool send_sigpipe = true;
+        struct sock *other, *sk = socket->sk;
+        struct sk_buff *skb, *newskb = NULL, *tail = NULL;
+        if (flags & MSG_OOB)
+                return -EOPNOTSUPP;
+        other = unix_peer(sk);
+        if (!other || sk->sk_state != TCP_ESTABLISHED)
+                return -ENOTCONN;
+        if (false) {
+alloc_skb:
+                unix_state_unlock(other);
+                mutex_unlock(&unix_sk(other)->readlock);
+                newskb = sock_alloc_send_pskb(sk, 0, 0, flags & MSG_DONTWAIT,
+                                              &err, 0);
+                if (!newskb)
+                        return err;
+        }
+        /* we must acquire readlock as we modify already present
+         * skbs in the sk_receive_queue and mess with skb->len
+         */
+        err = mutex_lock_interruptible(&unix_sk(other)->readlock);
+        if (err) {
+                err = flags & MSG_DONTWAIT ? -EAGAIN : -ERESTARTSYS;
+                send_sigpipe = false;
+                goto err;
+        }
+        if (sk->sk_shutdown & SEND_SHUTDOWN) {
+                err = -EPIPE;
+                goto err_unlock;
+        }
+        unix_state_lock(other);
+        if (sock_flag(other, SOCK_DEAD) ||
+            other->sk_shutdown & RCV_SHUTDOWN) {
+                err = -EPIPE;
+                goto err_state_unlock;
+        }
+        skb = skb_peek_tail(&other->sk_receive_queue);
+        if (tail && tail == skb) {
+                skb = newskb;
+        } else if (!skb) {
+                if (newskb)
+                        skb = newskb;
+                else
+                        goto alloc_skb;
+        } else if (newskb) {
+                /* this is fast path, we don't necessarily need to
+                 * call to kfree_skb even though with newskb == NULL
+                 * this - does no harm
+                 */
+                consume_skb(newskb);
+        }
+        if (skb_append_pagefrags(skb, page, offset, size)) {
+                tail = skb;
+                goto alloc_skb;
+        }
+        skb->len += size;
+        skb->data_len += size;
+        skb->truesize += size;
+        atomic_add(size, &sk->sk_wmem_alloc);
+        if (newskb)
+                __skb_queue_tail(&other->sk_receive_queue, newskb);
+        unix_state_unlock(other);
+        mutex_unlock(&unix_sk(other)->readlock);
+        other->sk_data_ready(other);
+        return size;
+err_state_unlock:
+        unix_state_unlock(other);
+err_unlock:
+        mutex_unlock(&unix_sk(other)->readlock);
+err:
+        kfree_skb(newskb);
+        if (send_sigpipe && !(flags & MSG_NOSIGNAL))
+                send_sig(SIGPIPE, current, 0);
+        return err;
+}
 static int unix_seqpacket_sendmsg(struct socket *sock, struct msghdr *msg,
                                  size_t len)
 {
@@ -1860,8 +1971,9 @@ out:
 *      Sleep until more data has arrived. But check for races..
 */
 static long unix_stream_data_wait(struct sock *sk, long timeo,
-                                  struct sk_buff *last)
+                                  struct sk_buff *last, unsigned int last_len)
 {
+        struct sk_buff *tail;
        DEFINE_WAIT(wait);
        unix_state_lock(sk);
@@ -1869,7 +1981,9 @@ static long unix_stream_data_wait(struct sock *sk, long timeo,
        for (;;) {
                prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
-                if (skb_peek_tail(&sk->sk_receive_queue) != last ||
+                tail = skb_peek_tail(&sk->sk_receive_queue);
+                if (tail != last ||
+                    (tail && tail->len != last_len) ||
                    sk->sk_err ||
                    (sk->sk_shutdown & RCV_SHUTDOWN) ||
                    signal_pending(current) ||
@@ -1897,38 +2011,50 @@ static unsigned int unix_skb_len(const struct sk_buff *skb)
        return skb->len - UNIXCB(skb).consumed;
 }
-static int unix_stream_recvmsg(struct socket *sock, struct msghdr *msg,
+struct unix_stream_read_state {
-                               size_t size, int flags)
+        int (*recv_actor)(struct sk_buff *, int, int,
+                          struct unix_stream_read_state *);
+        struct socket *socket;
+        struct msghdr *msg;
+        struct pipe_inode_info *pipe;
+        size_t size;
+        int flags;
+        unsigned int splice_flags;
+};
+static int unix_stream_read_generic(struct unix_stream_read_state *state)
 {
        struct scm_cookie scm;
+        struct socket *sock = state->socket;
        struct sock *sk = sock->sk;
        struct unix_sock *u = unix_sk(sk);
-        DECLARE_SOCKADDR(struct sockaddr_un *, sunaddr, msg->msg_name);
        int copied = 0;
+        int flags = state->flags;
        int noblock = flags & MSG_DONTWAIT;
-        int check_creds = 0;
+        bool check_creds = false;
        int target;
        int err = 0;
        long timeo;
        int skip;
+        size_t size = state->size;
+        unsigned int last_len;
        err = -EINVAL;
        if (sk->sk_state != TCP_ESTABLISHED)
                goto out;
        err = -EOPNOTSUPP;
-        if (flags&MSG_OOB)
+        if (flags & MSG_OOB)
                goto out;
-        target = sock_rcvlowat(sk, flags&MSG_WAITALL, size);
+        target = sock_rcvlowat(sk, flags & MSG_WAITALL, size);
        timeo = sock_rcvtimeo(sk, noblock);
+        memset(&scm, 0, sizeof(scm));
        /* Lock the socket to prevent queue disordering
         * while sleeps in memcpy_tomsg
         */
-        memset(&scm, 0, sizeof(scm));
        err = mutex_lock_interruptible(&u->readlock);
        if (unlikely(err)) {
                /* recvmsg() in non blocking mode is supposed to return -EAGAIN
@@ -1948,6 +2074,7 @@ static int unix_stream_recvmsg(struct socket *sock, struct msghdr *msg,
                        goto unlock;
                }
                last = skb = skb_peek(&sk->sk_receive_queue);
+                last_len = last ? last->len : 0;
 again:
                if (skb == NULL) {
                        unix_sk(sk)->recursion_level = 0;
@@ -1970,16 +2097,17 @@ again:
                                break;
                        mutex_unlock(&u->readlock);
-                        timeo = unix_stream_data_wait(sk, timeo, last);
+                        timeo = unix_stream_data_wait(sk, timeo, last,
+                                                      last_len);
-                        if (signal_pending(current)
+                        if (signal_pending(current) ||
-                            ||  mutex_lock_interruptible(&u->readlock)) {
+                            mutex_lock_interruptible(&u->readlock)) {
                                err = sock_intr_errno(timeo);
                                goto out;
                        }
                        continue;
- unlock:
+unlock:
                        unix_state_unlock(sk);
                        break;
                }
@@ -1988,6 +2116,7 @@ again:
                while (skip >= unix_skb_len(skb)) {
                        skip -= unix_skb_len(skb);
                        last = skb;
+                        last_len = skb->len;
                        skb = skb_peek_next(skb, &sk->sk_receive_queue);
                        if (!skb)
                                goto again;
@@ -1999,23 +2128,27 @@ again:
                        /* Never glue messages from different writers */
                        if ((UNIXCB(skb).pid  != scm.pid) ||
                            !uid_eq(UNIXCB(skb).uid, scm.creds.uid) ||
-                            !gid_eq(UNIXCB(skb).gid, scm.creds.gid))
+                            !gid_eq(UNIXCB(skb).gid, scm.creds.gid) ||
+                            !unix_secdata_eq(&scm, skb))
                                break;
                } else if (test_bit(SOCK_PASSCRED, &sock->flags)) {
                        /* Copy credentials */
                        scm_set_cred(&scm, UNIXCB(skb).pid, UNIXCB(skb).uid, UNIXCB(skb).gid);
-                        check_creds = 1;
+                        unix_set_secdata(&scm, skb);
+                        check_creds = true;
                }
                /* Copy address just once */
-                if (sunaddr) {
+                if (state->msg && state->msg->msg_name) {
-                        unix_copy_addr(msg, skb->sk);
+                        DECLARE_SOCKADDR(struct sockaddr_un *, sunaddr,
+                                         state->msg->msg_name);
+                        unix_copy_addr(state->msg, skb->sk);
                        sunaddr = NULL;
                }
                chunk = min_t(unsigned int, unix_skb_len(skb) - skip, size);
-                if (skb_copy_datagram_msg(skb, UNIXCB(skb).consumed + skip,
+                chunk = state->recv_actor(skb, skip, chunk, state);
-                                          msg, chunk)) {
+                if (chunk < 0) {
                        if (copied == 0)
                                copied = -EFAULT;
                        break;
@@ -2053,11 +2186,85 @@ again:
        } while (size);
        mutex_unlock(&u->readlock);
-        scm_recv(sock, msg, &scm, flags);
+        if (state->msg)
+                scm_recv(sock, state->msg, &scm, flags);
+        else
+                scm_destroy(&scm);
 out:
        return copied ? : err;
 }
+static int unix_stream_read_actor(struct sk_buff *skb,
+                                  int skip, int chunk,
+                                  struct unix_stream_read_state *state)
+{
+        int ret;
+        ret = skb_copy_datagram_msg(skb, UNIXCB(skb).consumed + skip,
+                                    state->msg, chunk);
+        return ret ?: chunk;
+}
+static int unix_stream_recvmsg(struct socket *sock, struct msghdr *msg,
+                               size_t size, int flags)
+{
+        struct unix_stream_read_state state = {
+                .recv_actor = unix_stream_read_actor,
+                .socket = sock,
+                .msg = msg,
+                .size = size,
+                .flags = flags
+        };
+        return unix_stream_read_generic(&state);
+}
+static ssize_t skb_unix_socket_splice(struct sock *sk,
+                                      struct pipe_inode_info *pipe,
+                                      struct splice_pipe_desc *spd)
+{
+        int ret;
+        struct unix_sock *u = unix_sk(sk);
+        mutex_unlock(&u->readlock);
+        ret = splice_to_pipe(pipe, spd);
+        mutex_lock(&u->readlock);
+        return ret;
+}
+static int unix_stream_splice_actor(struct sk_buff *skb,
+                                    int skip, int chunk,
+                                    struct unix_stream_read_state *state)
+{
+        return skb_splice_bits(skb, state->socket->sk,
+                               UNIXCB(skb).consumed + skip,
+                               state->pipe, chunk, state->splice_flags,
+                               skb_unix_socket_splice);
+}
+static ssize_t unix_stream_splice_read(struct socket *sock,  loff_t *ppos,
+                                       struct pipe_inode_info *pipe,
+                                       size_t size, unsigned int flags)
+{
+        struct unix_stream_read_state state = {
+                .recv_actor = unix_stream_splice_actor,
+                .socket = sock,
+                .pipe = pipe,
+                .size = size,
+                .splice_flags = flags,
+        };
+        if (unlikely(*ppos))
+                return -ESPIPE;
+        if (sock->file->f_flags & O_NONBLOCK ||
+            flags & SPLICE_F_NONBLOCK)
+                state.flags = MSG_DONTWAIT;
+        return unix_stream_read_generic(&state);
+}
 static int unix_shutdown(struct socket *sock, int mode)
 {
        struct sock *sk = sock->sk;

diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index 06430598cf51..03ee4d359f6a 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c
@@ -140,12 +140,17 @@ static struct hlist_head unix_sockets_unbound(void addr)
140	#ifdef CONFIG_SECURITY_NETWORK	140	#ifdef CONFIG_SECURITY_NETWORK
141	static void unix_get_secdata(struct scm_cookie scm, struct sk_buff skb)	141	static void unix_get_secdata(struct scm_cookie scm, struct sk_buff skb)
142	{	142	{
143	memcpy(UNIXSID(skb), &scm->secid, sizeof(u32));	143	UNIXCB(skb).secid = scm->secid;
144	}	144	}
145		145
146	static inline void unix_set_secdata(struct scm_cookie scm, struct sk_buff skb)	146	static inline void unix_set_secdata(struct scm_cookie scm, struct sk_buff skb)
147	{	147	{
148	scm->secid = *UNIXSID(skb);	148	scm->secid = UNIXCB(skb).secid;
		149	}
		150
		151	static inline bool unix_secdata_eq(struct scm_cookie scm, struct sk_buff skb)
		152	{
		153	return (scm->secid == UNIXCB(skb).secid);
149	}	154	}
150	#else	155	#else
151	static inline void unix_get_secdata(struct scm_cookie scm, struct sk_buff skb)	156	static inline void unix_get_secdata(struct scm_cookie scm, struct sk_buff skb)
@@ -153,6 +158,11 @@ static inline void unix_get_secdata(struct scm_cookie scm, struct sk_buff skb)
153		158
154	static inline void unix_set_secdata(struct scm_cookie scm, struct sk_buff skb)	159	static inline void unix_set_secdata(struct scm_cookie scm, struct sk_buff skb)
155	{ }	160	{ }
		161
		162	static inline bool unix_secdata_eq(struct scm_cookie scm, struct sk_buff skb)
		163	{
		164	return true;
		165	}
156	#endif /* CONFIG_SECURITY_NETWORK */	166	#endif /* CONFIG_SECURITY_NETWORK */
157		167
158	/*	168	/*
@@ -518,6 +528,11 @@ static int unix_ioctl(struct socket *, unsigned int, unsigned long);
518	static int unix_shutdown(struct socket *, int);	528	static int unix_shutdown(struct socket *, int);
519	static int unix_stream_sendmsg(struct socket , struct msghdr , size_t);	529	static int unix_stream_sendmsg(struct socket , struct msghdr , size_t);
520	static int unix_stream_recvmsg(struct socket , struct msghdr , size_t, int);	530	static int unix_stream_recvmsg(struct socket , struct msghdr , size_t, int);
		531	static ssize_t unix_stream_sendpage(struct socket , struct page , int offset,
		532	size_t size, int flags);
		533	static ssize_t unix_stream_splice_read(struct socket , loff_t ppos,
		534	struct pipe_inode_info *, size_t size,
		535	unsigned int flags);
521	static int unix_dgram_sendmsg(struct socket , struct msghdr , size_t);	536	static int unix_dgram_sendmsg(struct socket , struct msghdr , size_t);
522	static int unix_dgram_recvmsg(struct socket , struct msghdr , size_t, int);	537	static int unix_dgram_recvmsg(struct socket , struct msghdr , size_t, int);
523	static int unix_dgram_connect(struct socket , struct sockaddr ,	538	static int unix_dgram_connect(struct socket , struct sockaddr ,
@@ -558,7 +573,8 @@ static const struct proto_ops unix_stream_ops = {
558	.sendmsg = unix_stream_sendmsg,	573	.sendmsg = unix_stream_sendmsg,
559	.recvmsg = unix_stream_recvmsg,	574	.recvmsg = unix_stream_recvmsg,
560	.mmap = sock_no_mmap,	575	.mmap = sock_no_mmap,
561	.sendpage = sock_no_sendpage,	576	.sendpage = unix_stream_sendpage,
		577	.splice_read = unix_stream_splice_read,
562	.set_peek_off = unix_set_peek_off,	578	.set_peek_off = unix_set_peek_off,
563	};	579	};
564		580
@@ -620,7 +636,7 @@ static struct proto unix_proto = {
620	*/	636	*/
621	static struct lock_class_key af_unix_sk_receive_queue_lock_key;	637	static struct lock_class_key af_unix_sk_receive_queue_lock_key;
622		638
623	static struct sock unix_create1(struct net net, struct socket *sock)	639	static struct sock unix_create1(struct net net, struct socket *sock, int kern)
624	{	640	{
625	struct sock *sk = NULL;	641	struct sock *sk = NULL;
626	struct unix_sock *u;	642	struct unix_sock *u;
@@ -629,7 +645,7 @@ static struct sock unix_create1(struct net net, struct socket *sock)
629	if (atomic_long_read(&unix_nr_socks) > 2 * get_max_files())	645	if (atomic_long_read(&unix_nr_socks) > 2 * get_max_files())
630	goto out;	646	goto out;
631		647
632	sk = sk_alloc(net, PF_UNIX, GFP_KERNEL, &unix_proto);	648	sk = sk_alloc(net, PF_UNIX, GFP_KERNEL, &unix_proto, kern);
633	if (!sk)	649	if (!sk)
634	goto out;	650	goto out;
635		651
@@ -688,7 +704,7 @@ static int unix_create(struct net net, struct socket sock, int protocol,
688	return -ESOCKTNOSUPPORT;	704	return -ESOCKTNOSUPPORT;
689	}	705	}
690		706
691	return unix_create1(net, sock) ? 0 : -ENOMEM;	707	return unix_create1(net, sock, kern) ? 0 : -ENOMEM;
692	}	708	}
693		709
694	static int unix_release(struct socket *sock)	710	static int unix_release(struct socket *sock)
@@ -1088,7 +1104,7 @@ static int unix_stream_connect(struct socket sock, struct sockaddr uaddr,
1088	err = -ENOMEM;	1104	err = -ENOMEM;
1089		1105
1090	/* create new sock for complete connection */	1106	/* create new sock for complete connection */
1091	newsk = unix_create1(sock_net(sk), NULL);	1107	newsk = unix_create1(sock_net(sk), NULL, 0);
1092	if (newsk == NULL)	1108	if (newsk == NULL)
1093	goto out;	1109	goto out;
1094		1110
@@ -1408,6 +1424,7 @@ static int unix_scm_to_skb(struct scm_cookie scm, struct sk_buff skb, bool sen
1408	UNIXCB(skb).uid = scm->creds.uid;	1424	UNIXCB(skb).uid = scm->creds.uid;
1409	UNIXCB(skb).gid = scm->creds.gid;	1425	UNIXCB(skb).gid = scm->creds.gid;
1410	UNIXCB(skb).fp = NULL;	1426	UNIXCB(skb).fp = NULL;
		1427	unix_get_secdata(scm, skb);
1411	if (scm->fp && send_fds)	1428	if (scm->fp && send_fds)
1412	err = unix_attach_fds(scm, skb);	1429	err = unix_attach_fds(scm, skb);
1413		1430
@@ -1503,7 +1520,6 @@ static int unix_dgram_sendmsg(struct socket sock, struct msghdr msg,
1503	if (err < 0)	1520	if (err < 0)
1504	goto out_free;	1521	goto out_free;
1505	max_level = err + 1;	1522	max_level = err + 1;
1506	unix_get_secdata(&scm, skb);
1507		1523
1508	skb_put(skb, len - data_len);	1524	skb_put(skb, len - data_len);
1509	skb->data_len = data_len;	1525	skb->data_len = data_len;
@@ -1720,6 +1736,101 @@ out_err:
1720	return sent ? : err;	1736	return sent ? : err;
1721	}	1737	}
1722		1738
		1739	static ssize_t unix_stream_sendpage(struct socket socket, struct page page,
		1740	int offset, size_t size, int flags)
		1741	{
		1742	int err = 0;
		1743	bool send_sigpipe = true;
		1744	struct sock other, sk = socket->sk;
		1745	struct sk_buff skb, newskb = NULL, *tail = NULL;
		1746
		1747	if (flags & MSG_OOB)
		1748	return -EOPNOTSUPP;
		1749
		1750	other = unix_peer(sk);
		1751	if (!other \|\| sk->sk_state != TCP_ESTABLISHED)
		1752	return -ENOTCONN;
		1753
		1754	if (false) {
		1755	alloc_skb:
		1756	unix_state_unlock(other);
		1757	mutex_unlock(&unix_sk(other)->readlock);
		1758	newskb = sock_alloc_send_pskb(sk, 0, 0, flags & MSG_DONTWAIT,
		1759	&err, 0);
		1760	if (!newskb)
		1761	return err;
		1762	}
		1763
		1764	/* we must acquire readlock as we modify already present
		1765	* skbs in the sk_receive_queue and mess with skb->len
		1766	*/
		1767	err = mutex_lock_interruptible(&unix_sk(other)->readlock);
		1768	if (err) {
		1769	err = flags & MSG_DONTWAIT ? -EAGAIN : -ERESTARTSYS;
		1770	send_sigpipe = false;
		1771	goto err;
		1772	}
		1773
		1774	if (sk->sk_shutdown & SEND_SHUTDOWN) {
		1775	err = -EPIPE;
		1776	goto err_unlock;
		1777	}
		1778
		1779	unix_state_lock(other);
		1780
		1781	if (sock_flag(other, SOCK_DEAD) \|\|
		1782	other->sk_shutdown & RCV_SHUTDOWN) {
		1783	err = -EPIPE;
		1784	goto err_state_unlock;
		1785	}
		1786
		1787	skb = skb_peek_tail(&other->sk_receive_queue);
		1788	if (tail && tail == skb) {
		1789	skb = newskb;
		1790	} else if (!skb) {
		1791	if (newskb)
		1792	skb = newskb;
		1793	else
		1794	goto alloc_skb;
		1795	} else if (newskb) {
		1796	/* this is fast path, we don't necessarily need to
		1797	* call to kfree_skb even though with newskb == NULL
		1798	* this - does no harm
		1799	*/
		1800	consume_skb(newskb);
		1801	}
		1802
		1803	if (skb_append_pagefrags(skb, page, offset, size)) {
		1804	tail = skb;
		1805	goto alloc_skb;
		1806	}
		1807
		1808	skb->len += size;
		1809	skb->data_len += size;
		1810	skb->truesize += size;
		1811	atomic_add(size, &sk->sk_wmem_alloc);
		1812
		1813	if (newskb)
		1814	__skb_queue_tail(&other->sk_receive_queue, newskb);
		1815
		1816	unix_state_unlock(other);
		1817	mutex_unlock(&unix_sk(other)->readlock);
		1818
		1819	other->sk_data_ready(other);
		1820
		1821	return size;
		1822
		1823	err_state_unlock:
		1824	unix_state_unlock(other);
		1825	err_unlock:
		1826	mutex_unlock(&unix_sk(other)->readlock);
		1827	err:
		1828	kfree_skb(newskb);
		1829	if (send_sigpipe && !(flags & MSG_NOSIGNAL))
		1830	send_sig(SIGPIPE, current, 0);
		1831	return err;
		1832	}
		1833
1723	static int unix_seqpacket_sendmsg(struct socket sock, struct msghdr msg,	1834	static int unix_seqpacket_sendmsg(struct socket sock, struct msghdr msg,
1724	size_t len)	1835	size_t len)
1725	{	1836	{
@@ -1860,8 +1971,9 @@ out:
1860	* Sleep until more data has arrived. But check for races..	1971	* Sleep until more data has arrived. But check for races..
1861	*/	1972	*/
1862	static long unix_stream_data_wait(struct sock *sk, long timeo,	1973	static long unix_stream_data_wait(struct sock *sk, long timeo,
1863	struct sk_buff *last)	1974	struct sk_buff *last, unsigned int last_len)
1864	{	1975	{
		1976	struct sk_buff *tail;
1865	DEFINE_WAIT(wait);	1977	DEFINE_WAIT(wait);
1866		1978
1867	unix_state_lock(sk);	1979	unix_state_lock(sk);
@@ -1869,7 +1981,9 @@ static long unix_stream_data_wait(struct sock *sk, long timeo,
1869	for (;;) {	1981	for (;;) {
1870	prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);	1982	prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
1871		1983
1872	if (skb_peek_tail(&sk->sk_receive_queue) != last \|\|	1984	tail = skb_peek_tail(&sk->sk_receive_queue);
		1985	if (tail != last \|\|
		1986	(tail && tail->len != last_len) \|\|
1873	sk->sk_err \|\|	1987	sk->sk_err \|\|
1874	(sk->sk_shutdown & RCV_SHUTDOWN) \|\|	1988	(sk->sk_shutdown & RCV_SHUTDOWN) \|\|
1875	signal_pending(current) \|\|	1989	signal_pending(current) \|\|
@@ -1897,38 +2011,50 @@ static unsigned int unix_skb_len(const struct sk_buff *skb)
1897	return skb->len - UNIXCB(skb).consumed;	2011	return skb->len - UNIXCB(skb).consumed;
1898	}	2012	}
1899		2013
1900	static int unix_stream_recvmsg(struct socket sock, struct msghdr msg,	2014	struct unix_stream_read_state {
1901	size_t size, int flags)	2015	int (recv_actor)(struct sk_buff , int, int,
		2016	struct unix_stream_read_state *);
		2017	struct socket *socket;
		2018	struct msghdr *msg;
		2019	struct pipe_inode_info *pipe;
		2020	size_t size;
		2021	int flags;
		2022	unsigned int splice_flags;
		2023	};
		2024
		2025	static int unix_stream_read_generic(struct unix_stream_read_state *state)
1902	{	2026	{
1903	struct scm_cookie scm;	2027	struct scm_cookie scm;
		2028	struct socket *sock = state->socket;
1904	struct sock *sk = sock->sk;	2029	struct sock *sk = sock->sk;
1905	struct unix_sock *u = unix_sk(sk);	2030	struct unix_sock *u = unix_sk(sk);
1906	DECLARE_SOCKADDR(struct sockaddr_un *, sunaddr, msg->msg_name);
1907	int copied = 0;	2031	int copied = 0;
		2032	int flags = state->flags;
1908	int noblock = flags & MSG_DONTWAIT;	2033	int noblock = flags & MSG_DONTWAIT;
1909	int check_creds = 0;	2034	bool check_creds = false;
1910	int target;	2035	int target;
1911	int err = 0;	2036	int err = 0;
1912	long timeo;	2037	long timeo;
1913	int skip;	2038	int skip;
		2039	size_t size = state->size;
		2040	unsigned int last_len;
1914		2041
1915	err = -EINVAL;	2042	err = -EINVAL;
1916	if (sk->sk_state != TCP_ESTABLISHED)	2043	if (sk->sk_state != TCP_ESTABLISHED)
1917	goto out;	2044	goto out;
1918		2045
1919	err = -EOPNOTSUPP;	2046	err = -EOPNOTSUPP;
1920	if (flags&MSG_OOB)	2047	if (flags & MSG_OOB)
1921	goto out;	2048	goto out;
1922		2049
1923	target = sock_rcvlowat(sk, flags&MSG_WAITALL, size);	2050	target = sock_rcvlowat(sk, flags & MSG_WAITALL, size);
1924	timeo = sock_rcvtimeo(sk, noblock);	2051	timeo = sock_rcvtimeo(sk, noblock);
1925		2052
		2053	memset(&scm, 0, sizeof(scm));
		2054
1926	/* Lock the socket to prevent queue disordering	2055	/* Lock the socket to prevent queue disordering
1927	* while sleeps in memcpy_tomsg	2056	* while sleeps in memcpy_tomsg
1928	*/	2057	*/
1929
1930	memset(&scm, 0, sizeof(scm));
1931
1932	err = mutex_lock_interruptible(&u->readlock);	2058	err = mutex_lock_interruptible(&u->readlock);
1933	if (unlikely(err)) {	2059	if (unlikely(err)) {
1934	/* recvmsg() in non blocking mode is supposed to return -EAGAIN	2060	/* recvmsg() in non blocking mode is supposed to return -EAGAIN
@@ -1948,6 +2074,7 @@ static int unix_stream_recvmsg(struct socket sock, struct msghdr msg,
1948	goto unlock;	2074	goto unlock;
1949	}	2075	}
1950	last = skb = skb_peek(&sk->sk_receive_queue);	2076	last = skb = skb_peek(&sk->sk_receive_queue);
		2077	last_len = last ? last->len : 0;
1951	again:	2078	again:
1952	if (skb == NULL) {	2079	if (skb == NULL) {
1953	unix_sk(sk)->recursion_level = 0;	2080	unix_sk(sk)->recursion_level = 0;
@@ -1970,16 +2097,17 @@ again:
1970	break;	2097	break;
1971	mutex_unlock(&u->readlock);	2098	mutex_unlock(&u->readlock);
1972		2099
1973	timeo = unix_stream_data_wait(sk, timeo, last);	2100	timeo = unix_stream_data_wait(sk, timeo, last,
		2101	last_len);
1974		2102
1975	if (signal_pending(current)	2103	if (signal_pending(current) \|\|
1976	\|\| mutex_lock_interruptible(&u->readlock)) {	2104	mutex_lock_interruptible(&u->readlock)) {
1977	err = sock_intr_errno(timeo);	2105	err = sock_intr_errno(timeo);
1978	goto out;	2106	goto out;
1979	}	2107	}
1980		2108
1981	continue;	2109	continue;
1982	unlock:	2110	unlock:
1983	unix_state_unlock(sk);	2111	unix_state_unlock(sk);
1984	break;	2112	break;
1985	}	2113	}
@@ -1988,6 +2116,7 @@ again:
1988	while (skip >= unix_skb_len(skb)) {	2116	while (skip >= unix_skb_len(skb)) {
1989	skip -= unix_skb_len(skb);	2117	skip -= unix_skb_len(skb);
1990	last = skb;	2118	last = skb;
		2119	last_len = skb->len;
1991	skb = skb_peek_next(skb, &sk->sk_receive_queue);	2120	skb = skb_peek_next(skb, &sk->sk_receive_queue);
1992	if (!skb)	2121	if (!skb)
1993	goto again;	2122	goto again;
@@ -1999,23 +2128,27 @@ again:
1999	/* Never glue messages from different writers */	2128	/* Never glue messages from different writers */
2000	if ((UNIXCB(skb).pid != scm.pid) \|\|	2129	if ((UNIXCB(skb).pid != scm.pid) \|\|
2001	!uid_eq(UNIXCB(skb).uid, scm.creds.uid) \|\|	2130	!uid_eq(UNIXCB(skb).uid, scm.creds.uid) \|\|
2002	!gid_eq(UNIXCB(skb).gid, scm.creds.gid))	2131	!gid_eq(UNIXCB(skb).gid, scm.creds.gid) \|\|
		2132	!unix_secdata_eq(&scm, skb))
2003	break;	2133	break;
2004	} else if (test_bit(SOCK_PASSCRED, &sock->flags)) {	2134	} else if (test_bit(SOCK_PASSCRED, &sock->flags)) {
2005	/* Copy credentials */	2135	/* Copy credentials */
2006	scm_set_cred(&scm, UNIXCB(skb).pid, UNIXCB(skb).uid, UNIXCB(skb).gid);	2136	scm_set_cred(&scm, UNIXCB(skb).pid, UNIXCB(skb).uid, UNIXCB(skb).gid);
2007	check_creds = 1;	2137	unix_set_secdata(&scm, skb);
		2138	check_creds = true;
2008	}	2139	}
2009		2140
2010	/* Copy address just once */	2141	/* Copy address just once */
2011	if (sunaddr) {	2142	if (state->msg && state->msg->msg_name) {
2012	unix_copy_addr(msg, skb->sk);	2143	DECLARE_SOCKADDR(struct sockaddr_un *, sunaddr,
		2144	state->msg->msg_name);
		2145	unix_copy_addr(state->msg, skb->sk);
2013	sunaddr = NULL;	2146	sunaddr = NULL;
2014	}	2147	}
2015		2148
2016	chunk = min_t(unsigned int, unix_skb_len(skb) - skip, size);	2149	chunk = min_t(unsigned int, unix_skb_len(skb) - skip, size);
2017	if (skb_copy_datagram_msg(skb, UNIXCB(skb).consumed + skip,	2150	chunk = state->recv_actor(skb, skip, chunk, state);
2018	msg, chunk)) {	2151	if (chunk < 0) {
2019	if (copied == 0)	2152	if (copied == 0)
2020	copied = -EFAULT;	2153	copied = -EFAULT;
2021	break;	2154	break;
@@ -2053,11 +2186,85 @@ again:
2053	} while (size);	2186	} while (size);
2054		2187
2055	mutex_unlock(&u->readlock);	2188	mutex_unlock(&u->readlock);
2056	scm_recv(sock, msg, &scm, flags);	2189	if (state->msg)
		2190	scm_recv(sock, state->msg, &scm, flags);
		2191	else
		2192	scm_destroy(&scm);
2057	out:	2193	out:
2058	return copied ? : err;	2194	return copied ? : err;
2059	}	2195	}
2060		2196
		2197	static int unix_stream_read_actor(struct sk_buff *skb,
		2198	int skip, int chunk,
		2199	struct unix_stream_read_state *state)
		2200	{
		2201	int ret;
		2202
		2203	ret = skb_copy_datagram_msg(skb, UNIXCB(skb).consumed + skip,
		2204	state->msg, chunk);
		2205	return ret ?: chunk;
		2206	}
		2207
		2208	static int unix_stream_recvmsg(struct socket sock, struct msghdr msg,
		2209	size_t size, int flags)
		2210	{
		2211	struct unix_stream_read_state state = {
		2212	.recv_actor = unix_stream_read_actor,
		2213	.socket = sock,
		2214	.msg = msg,
		2215	.size = size,
		2216	.flags = flags
		2217	};
		2218
		2219	return unix_stream_read_generic(&state);
		2220	}
		2221
		2222	static ssize_t skb_unix_socket_splice(struct sock *sk,
		2223	struct pipe_inode_info *pipe,
		2224	struct splice_pipe_desc *spd)
		2225	{
		2226	int ret;
		2227	struct unix_sock *u = unix_sk(sk);
		2228
		2229	mutex_unlock(&u->readlock);
		2230	ret = splice_to_pipe(pipe, spd);
		2231	mutex_lock(&u->readlock);
		2232
		2233	return ret;
		2234	}
		2235
		2236	static int unix_stream_splice_actor(struct sk_buff *skb,
		2237	int skip, int chunk,
		2238	struct unix_stream_read_state *state)
		2239	{
		2240	return skb_splice_bits(skb, state->socket->sk,
		2241	UNIXCB(skb).consumed + skip,
		2242	state->pipe, chunk, state->splice_flags,
		2243	skb_unix_socket_splice);
		2244	}
		2245
		2246	static ssize_t unix_stream_splice_read(struct socket sock, loff_t ppos,
		2247	struct pipe_inode_info *pipe,
		2248	size_t size, unsigned int flags)
		2249	{
		2250	struct unix_stream_read_state state = {
		2251	.recv_actor = unix_stream_splice_actor,
		2252	.socket = sock,
		2253	.pipe = pipe,
		2254	.size = size,
		2255	.splice_flags = flags,
		2256	};
		2257
		2258	if (unlikely(*ppos))
		2259	return -ESPIPE;
		2260
		2261	if (sock->file->f_flags & O_NONBLOCK \|\|
		2262	flags & SPLICE_F_NONBLOCK)
		2263	state.flags = MSG_DONTWAIT;
		2264
		2265	return unix_stream_read_generic(&state);
		2266	}
		2267
2061	static int unix_shutdown(struct socket *sock, int mode)	2268	static int unix_shutdown(struct socket *sock, int mode)
2062	{	2269	{
2063	struct sock *sk = sock->sk;	2270	struct sock *sk = sock->sk;