1 files changed, 62 insertions, 37 deletions
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index fef2cc5e9d2..4414a18c63b 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -282,7 +282,7 @@ static inline struct sock *unix_find_socket_byname(struct net *net,
        return s;
 }
-static struct sock *unix_find_socket_byinode(struct net *net, struct inode *i)
+static struct sock *unix_find_socket_byinode(struct inode *i)
 {
        struct sock *s;
        struct hlist_node *node;
@@ -292,9 +292,6 @@ static struct sock *unix_find_socket_byinode(struct net *net, struct inode *i)
                    &unix_socket_table[i->i_ino & (UNIX_HASH_SIZE - 1)]) {
                struct dentry *dentry = unix_sk(s)->dentry;
-                if (!net_eq(sock_net(s), net))
-                        continue;
                if (dentry && dentry->d_inode == i) {
                        sock_hold(s);
                        goto found;
@@ -450,11 +447,31 @@ static int unix_release_sock(struct sock *sk, int embrion)
        return 0;
 }
+static void init_peercred(struct sock *sk)
+{
+        put_pid(sk->sk_peer_pid);
+        if (sk->sk_peer_cred)
+                put_cred(sk->sk_peer_cred);
+        sk->sk_peer_pid  = get_pid(task_tgid(current));
+        sk->sk_peer_cred = get_current_cred();
+}
+static void copy_peercred(struct sock *sk, struct sock *peersk)
+{
+        put_pid(sk->sk_peer_pid);
+        if (sk->sk_peer_cred)
+                put_cred(sk->sk_peer_cred);
+        sk->sk_peer_pid  = get_pid(peersk->sk_peer_pid);
+        sk->sk_peer_cred = get_cred(peersk->sk_peer_cred);
+}
 static int unix_listen(struct socket *sock, int backlog)
 {
        int err;
        struct sock *sk = sock->sk;
        struct unix_sock *u = unix_sk(sk);
+        struct pid *old_pid = NULL;
+        const struct cred *old_cred = NULL;
        err = -EOPNOTSUPP;
        if (sock->type != SOCK_STREAM && sock->type != SOCK_SEQPACKET)
@@ -470,12 +487,14 @@ static int unix_listen(struct socket *sock, int backlog)
        sk->sk_max_ack_backlog  = backlog;
        sk->sk_state            = TCP_LISTEN;
        /* set credentials so connect can copy them */
-        sk->sk_peercred.pid     = task_tgid_vnr(current);
+        init_peercred(sk);
-        current_euid_egid(&sk->sk_peercred.uid, &sk->sk_peercred.gid);
        err = 0;
 out_unlock:
        unix_state_unlock(sk);
+        put_pid(old_pid);
+        if (old_cred)
+                put_cred(old_cred);
 out:
        return err;
 }
@@ -736,7 +755,7 @@ static struct sock *unix_find_other(struct net *net,
                err = -ECONNREFUSED;
                if (!S_ISSOCK(inode->i_mode))
                        goto put_fail;
-                u = unix_find_socket_byinode(net, inode);
+                u = unix_find_socket_byinode(inode);
                if (!u)
                        goto put_fail;
@@ -1140,8 +1159,7 @@ restart:
        unix_peer(newsk)        = sk;
        newsk->sk_state         = TCP_ESTABLISHED;
        newsk->sk_type          = sk->sk_type;
-        newsk->sk_peercred.pid  = task_tgid_vnr(current);
+        init_peercred(newsk);
-        current_euid_egid(&newsk->sk_peercred.uid, &newsk->sk_peercred.gid);
        newu = unix_sk(newsk);
        newsk->sk_wq            = &newu->peer_wq;
        otheru = unix_sk(other);
@@ -1157,7 +1175,7 @@ restart:
        }
        /* Set credentials */
-        sk->sk_peercred = other->sk_peercred;
+        copy_peercred(sk, other);
        sock->state     = SS_CONNECTED;
        sk->sk_state    = TCP_ESTABLISHED;
@@ -1199,10 +1217,8 @@ static int unix_socketpair(struct socket *socka, struct socket *sockb)
        sock_hold(skb);
        unix_peer(ska) = skb;
        unix_peer(skb) = ska;
-        ska->sk_peercred.pid = skb->sk_peercred.pid = task_tgid_vnr(current);
+        init_peercred(ska);
-        current_euid_egid(&skb->sk_peercred.uid, &skb->sk_peercred.gid);
+        init_peercred(skb);
-        ska->sk_peercred.uid = skb->sk_peercred.uid;
-        ska->sk_peercred.gid = skb->sk_peercred.gid;
        if (ska->sk_type != SOCK_DGRAM) {
                ska->sk_state = TCP_ESTABLISHED;
@@ -1297,18 +1313,20 @@ static void unix_detach_fds(struct scm_cookie *scm, struct sk_buff *skb)
        int i;
        scm->fp = UNIXCB(skb).fp;
-        skb->destructor = sock_wfree;
        UNIXCB(skb).fp = NULL;
        for (i = scm->fp->count-1; i >= 0; i--)
                unix_notinflight(scm->fp->fp[i]);
 }
-static void unix_destruct_fds(struct sk_buff *skb)
+static void unix_destruct_scm(struct sk_buff *skb)
 {
        struct scm_cookie scm;
        memset(&scm, 0, sizeof(scm));
-        unix_detach_fds(&scm, skb);
+        scm.pid  = UNIXCB(skb).pid;
+        scm.cred = UNIXCB(skb).cred;
+        if (UNIXCB(skb).fp)
+                unix_detach_fds(&scm, skb);
        /* Alas, it calls VFS */
        /* So fscking what? fput() had been SMP-safe since the last Summer */
@@ -1331,10 +1349,22 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
        for (i = scm->fp->count-1; i >= 0; i--)
                unix_inflight(scm->fp->fp[i]);
-        skb->destructor = unix_destruct_fds;
        return 0;
 }
+static int unix_scm_to_skb(struct scm_cookie *scm, struct sk_buff *skb, bool send_fds)
+{
+        int err = 0;
+        UNIXCB(skb).pid  = get_pid(scm->pid);
+        UNIXCB(skb).cred = get_cred(scm->cred);
+        UNIXCB(skb).fp = NULL;
+        if (scm->fp && send_fds)
+                err = unix_attach_fds(scm, skb);
+        skb->destructor = unix_destruct_scm;
+        return err;
+}
 /*
 *      Send AF_UNIX data.
 */
@@ -1391,12 +1421,9 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock,
        if (skb == NULL)
                goto out;
-        memcpy(UNIXCREDS(skb), &siocb->scm->creds, sizeof(struct ucred));
+        err = unix_scm_to_skb(siocb->scm, skb, true);
-        if (siocb->scm->fp) {
+        if (err)
-                err = unix_attach_fds(siocb->scm, skb);
+                goto out_free;
-                if (err)
-                        goto out_free;
-        }
        unix_get_secdata(siocb->scm, skb);
        skb_reset_transport_header(skb);
@@ -1566,16 +1593,14 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
                 */
                size = min_t(int, size, skb_tailroom(skb));
-                memcpy(UNIXCREDS(skb), &siocb->scm->creds, sizeof(struct ucred));
                /* Only send the fds in the first buffer */
-                if (siocb->scm->fp && !fds_sent) {
+                err = unix_scm_to_skb(siocb->scm, skb, !fds_sent);
-                        err = unix_attach_fds(siocb->scm, skb);
+                if (err) {
-                        if (err) {
+                        kfree_skb(skb);
-                                kfree_skb(skb);
+                        goto out_err;
-                                goto out_err;
-                        }
-                        fds_sent = true;
                }
+                fds_sent = true;
                err = memcpy_fromiovec(skb_put(skb, size), msg->msg_iov, size);
                if (err) {
@@ -1692,7 +1717,7 @@ static int unix_dgram_recvmsg(struct kiocb *iocb, struct socket *sock,
                siocb->scm = &tmp_scm;
                memset(&tmp_scm, 0, sizeof(tmp_scm));
        }
-        siocb->scm->creds = *UNIXCREDS(skb);
+        scm_set_cred(siocb->scm, UNIXCB(skb).pid, UNIXCB(skb).cred);
        unix_set_secdata(siocb->scm, skb);
        if (!(flags & MSG_PEEK)) {
@@ -1841,14 +1866,14 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
                if (check_creds) {
                        /* Never glue messages from different writers */
-                        if (memcmp(UNIXCREDS(skb), &siocb->scm->creds,
+                        if ((UNIXCB(skb).pid  != siocb->scm->pid) ||
-                                   sizeof(siocb->scm->creds)) != 0) {
+                            (UNIXCB(skb).cred != siocb->scm->cred)) {
                                skb_queue_head(&sk->sk_receive_queue, skb);
                                break;
                        }
                } else {
                        /* Copy credentials */
-                        siocb->scm->creds = *UNIXCREDS(skb);
+                        scm_set_cred(siocb->scm, UNIXCB(skb).pid, UNIXCB(skb).cred);
                        check_creds = 1;
                }
@@ -1881,7 +1906,7 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
                                break;
                        }
-                        kfree_skb(skb);
+                        consume_skb(skb);
                        if (siocb->scm->fp)
                                break;

diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index fef2cc5e9d2..4414a18c63b 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c
@@ -282,7 +282,7 @@ static inline struct sock unix_find_socket_byname(struct net net,
282	return s;	282	return s;
283	}	283	}
284		284
285	static struct sock unix_find_socket_byinode(struct net net, struct inode *i)	285	static struct sock unix_find_socket_byinode(struct inode i)
286	{	286	{
287	struct sock *s;	287	struct sock *s;
288	struct hlist_node *node;	288	struct hlist_node *node;
@@ -292,9 +292,6 @@ static struct sock unix_find_socket_byinode(struct net net, struct inode *i)
292	&unix_socket_table[i->i_ino & (UNIX_HASH_SIZE - 1)]) {	292	&unix_socket_table[i->i_ino & (UNIX_HASH_SIZE - 1)]) {
293	struct dentry *dentry = unix_sk(s)->dentry;	293	struct dentry *dentry = unix_sk(s)->dentry;
294		294
295	if (!net_eq(sock_net(s), net))
296	continue;
297
298	if (dentry && dentry->d_inode == i) {	295	if (dentry && dentry->d_inode == i) {
299	sock_hold(s);	296	sock_hold(s);
300	goto found;	297	goto found;
@@ -450,11 +447,31 @@ static int unix_release_sock(struct sock *sk, int embrion)
450	return 0;	447	return 0;
451	}	448	}
452		449
		450	static void init_peercred(struct sock *sk)
		451	{
		452	put_pid(sk->sk_peer_pid);
		453	if (sk->sk_peer_cred)
		454	put_cred(sk->sk_peer_cred);
		455	sk->sk_peer_pid = get_pid(task_tgid(current));
		456	sk->sk_peer_cred = get_current_cred();
		457	}
		458
		459	static void copy_peercred(struct sock sk, struct sock peersk)
		460	{
		461	put_pid(sk->sk_peer_pid);
		462	if (sk->sk_peer_cred)
		463	put_cred(sk->sk_peer_cred);
		464	sk->sk_peer_pid = get_pid(peersk->sk_peer_pid);
		465	sk->sk_peer_cred = get_cred(peersk->sk_peer_cred);
		466	}
		467
453	static int unix_listen(struct socket *sock, int backlog)	468	static int unix_listen(struct socket *sock, int backlog)
454	{	469	{
455	int err;	470	int err;
456	struct sock *sk = sock->sk;	471	struct sock *sk = sock->sk;
457	struct unix_sock *u = unix_sk(sk);	472	struct unix_sock *u = unix_sk(sk);
		473	struct pid *old_pid = NULL;
		474	const struct cred *old_cred = NULL;
458		475
459	err = -EOPNOTSUPP;	476	err = -EOPNOTSUPP;
460	if (sock->type != SOCK_STREAM && sock->type != SOCK_SEQPACKET)	477	if (sock->type != SOCK_STREAM && sock->type != SOCK_SEQPACKET)
@@ -470,12 +487,14 @@ static int unix_listen(struct socket *sock, int backlog)
470	sk->sk_max_ack_backlog = backlog;	487	sk->sk_max_ack_backlog = backlog;
471	sk->sk_state = TCP_LISTEN;	488	sk->sk_state = TCP_LISTEN;
472	/* set credentials so connect can copy them */	489	/* set credentials so connect can copy them */
473	sk->sk_peercred.pid = task_tgid_vnr(current);	490	init_peercred(sk);
474	current_euid_egid(&sk->sk_peercred.uid, &sk->sk_peercred.gid);
475	err = 0;	491	err = 0;
476		492
477	out_unlock:	493	out_unlock:
478	unix_state_unlock(sk);	494	unix_state_unlock(sk);
		495	put_pid(old_pid);
		496	if (old_cred)
		497	put_cred(old_cred);
479	out:	498	out:
480	return err;	499	return err;
481	}	500	}
@@ -736,7 +755,7 @@ static struct sock unix_find_other(struct net net,
736	err = -ECONNREFUSED;	755	err = -ECONNREFUSED;
737	if (!S_ISSOCK(inode->i_mode))	756	if (!S_ISSOCK(inode->i_mode))
738	goto put_fail;	757	goto put_fail;
739	u = unix_find_socket_byinode(net, inode);	758	u = unix_find_socket_byinode(inode);
740	if (!u)	759	if (!u)
741	goto put_fail;	760	goto put_fail;
742		761
@@ -1140,8 +1159,7 @@ restart:
1140	unix_peer(newsk) = sk;	1159	unix_peer(newsk) = sk;
1141	newsk->sk_state = TCP_ESTABLISHED;	1160	newsk->sk_state = TCP_ESTABLISHED;
1142	newsk->sk_type = sk->sk_type;	1161	newsk->sk_type = sk->sk_type;
1143	newsk->sk_peercred.pid = task_tgid_vnr(current);	1162	init_peercred(newsk);
1144	current_euid_egid(&newsk->sk_peercred.uid, &newsk->sk_peercred.gid);
1145	newu = unix_sk(newsk);	1163	newu = unix_sk(newsk);
1146	newsk->sk_wq = &newu->peer_wq;	1164	newsk->sk_wq = &newu->peer_wq;
1147	otheru = unix_sk(other);	1165	otheru = unix_sk(other);
@@ -1157,7 +1175,7 @@ restart:
1157	}	1175	}
1158		1176
1159	/* Set credentials */	1177	/* Set credentials */
1160	sk->sk_peercred = other->sk_peercred;	1178	copy_peercred(sk, other);
1161		1179
1162	sock->state = SS_CONNECTED;	1180	sock->state = SS_CONNECTED;
1163	sk->sk_state = TCP_ESTABLISHED;	1181	sk->sk_state = TCP_ESTABLISHED;
@@ -1199,10 +1217,8 @@ static int unix_socketpair(struct socket socka, struct socket sockb)
1199	sock_hold(skb);	1217	sock_hold(skb);
1200	unix_peer(ska) = skb;	1218	unix_peer(ska) = skb;
1201	unix_peer(skb) = ska;	1219	unix_peer(skb) = ska;
1202	ska->sk_peercred.pid = skb->sk_peercred.pid = task_tgid_vnr(current);	1220	init_peercred(ska);
1203	current_euid_egid(&skb->sk_peercred.uid, &skb->sk_peercred.gid);	1221	init_peercred(skb);
1204	ska->sk_peercred.uid = skb->sk_peercred.uid;
1205	ska->sk_peercred.gid = skb->sk_peercred.gid;
1206		1222
1207	if (ska->sk_type != SOCK_DGRAM) {	1223	if (ska->sk_type != SOCK_DGRAM) {
1208	ska->sk_state = TCP_ESTABLISHED;	1224	ska->sk_state = TCP_ESTABLISHED;
@@ -1297,18 +1313,20 @@ static void unix_detach_fds(struct scm_cookie scm, struct sk_buff skb)
1297	int i;	1313	int i;
1298		1314
1299	scm->fp = UNIXCB(skb).fp;	1315	scm->fp = UNIXCB(skb).fp;
1300	skb->destructor = sock_wfree;
1301	UNIXCB(skb).fp = NULL;	1316	UNIXCB(skb).fp = NULL;
1302		1317
1303	for (i = scm->fp->count-1; i >= 0; i--)	1318	for (i = scm->fp->count-1; i >= 0; i--)
1304	unix_notinflight(scm->fp->fp[i]);	1319	unix_notinflight(scm->fp->fp[i]);
1305	}	1320	}
1306		1321
1307	static void unix_destruct_fds(struct sk_buff *skb)	1322	static void unix_destruct_scm(struct sk_buff *skb)
1308	{	1323	{
1309	struct scm_cookie scm;	1324	struct scm_cookie scm;
1310	memset(&scm, 0, sizeof(scm));	1325	memset(&scm, 0, sizeof(scm));
1311	unix_detach_fds(&scm, skb);	1326	scm.pid = UNIXCB(skb).pid;
		1327	scm.cred = UNIXCB(skb).cred;
		1328	if (UNIXCB(skb).fp)
		1329	unix_detach_fds(&scm, skb);
1312		1330
1313	/* Alas, it calls VFS */	1331	/* Alas, it calls VFS */
1314	/* So fscking what? fput() had been SMP-safe since the last Summer */	1332	/* So fscking what? fput() had been SMP-safe since the last Summer */
@@ -1331,10 +1349,22 @@ static int unix_attach_fds(struct scm_cookie scm, struct sk_buff skb)
1331		1349
1332	for (i = scm->fp->count-1; i >= 0; i--)	1350	for (i = scm->fp->count-1; i >= 0; i--)
1333	unix_inflight(scm->fp->fp[i]);	1351	unix_inflight(scm->fp->fp[i]);
1334	skb->destructor = unix_destruct_fds;
1335	return 0;	1352	return 0;
1336	}	1353	}
1337		1354
		1355	static int unix_scm_to_skb(struct scm_cookie scm, struct sk_buff skb, bool send_fds)
		1356	{
		1357	int err = 0;
		1358	UNIXCB(skb).pid = get_pid(scm->pid);
		1359	UNIXCB(skb).cred = get_cred(scm->cred);
		1360	UNIXCB(skb).fp = NULL;
		1361	if (scm->fp && send_fds)
		1362	err = unix_attach_fds(scm, skb);
		1363
		1364	skb->destructor = unix_destruct_scm;
		1365	return err;
		1366	}
		1367
1338	/*	1368	/*
1339	* Send AF_UNIX data.	1369	* Send AF_UNIX data.
1340	*/	1370	*/
@@ -1391,12 +1421,9 @@ static int unix_dgram_sendmsg(struct kiocb kiocb, struct socket sock,
1391	if (skb == NULL)	1421	if (skb == NULL)
1392	goto out;	1422	goto out;
1393		1423
1394	memcpy(UNIXCREDS(skb), &siocb->scm->creds, sizeof(struct ucred));	1424	err = unix_scm_to_skb(siocb->scm, skb, true);
1395	if (siocb->scm->fp) {	1425	if (err)
1396	err = unix_attach_fds(siocb->scm, skb);	1426	goto out_free;
1397	if (err)
1398	goto out_free;
1399	}
1400	unix_get_secdata(siocb->scm, skb);	1427	unix_get_secdata(siocb->scm, skb);
1401		1428
1402	skb_reset_transport_header(skb);	1429	skb_reset_transport_header(skb);
@@ -1566,16 +1593,14 @@ static int unix_stream_sendmsg(struct kiocb kiocb, struct socket sock,
1566	*/	1593	*/
1567	size = min_t(int, size, skb_tailroom(skb));	1594	size = min_t(int, size, skb_tailroom(skb));
1568		1595
1569	memcpy(UNIXCREDS(skb), &siocb->scm->creds, sizeof(struct ucred));	1596
1570	/* Only send the fds in the first buffer */	1597	/* Only send the fds in the first buffer */
1571	if (siocb->scm->fp && !fds_sent) {	1598	err = unix_scm_to_skb(siocb->scm, skb, !fds_sent);
1572	err = unix_attach_fds(siocb->scm, skb);	1599	if (err) {
1573	if (err) {	1600	kfree_skb(skb);
1574	kfree_skb(skb);	1601	goto out_err;
1575	goto out_err;
1576	}
1577	fds_sent = true;
1578	}	1602	}
		1603	fds_sent = true;
1579		1604
1580	err = memcpy_fromiovec(skb_put(skb, size), msg->msg_iov, size);	1605	err = memcpy_fromiovec(skb_put(skb, size), msg->msg_iov, size);
1581	if (err) {	1606	if (err) {
@@ -1692,7 +1717,7 @@ static int unix_dgram_recvmsg(struct kiocb iocb, struct socket sock,
1692	siocb->scm = &tmp_scm;	1717	siocb->scm = &tmp_scm;
1693	memset(&tmp_scm, 0, sizeof(tmp_scm));	1718	memset(&tmp_scm, 0, sizeof(tmp_scm));
1694	}	1719	}
1695	siocb->scm->creds = *UNIXCREDS(skb);	1720	scm_set_cred(siocb->scm, UNIXCB(skb).pid, UNIXCB(skb).cred);
1696	unix_set_secdata(siocb->scm, skb);	1721	unix_set_secdata(siocb->scm, skb);
1697		1722
1698	if (!(flags & MSG_PEEK)) {	1723	if (!(flags & MSG_PEEK)) {
@@ -1841,14 +1866,14 @@ static int unix_stream_recvmsg(struct kiocb iocb, struct socket sock,
1841		1866
1842	if (check_creds) {	1867	if (check_creds) {
1843	/* Never glue messages from different writers */	1868	/* Never glue messages from different writers */
1844	if (memcmp(UNIXCREDS(skb), &siocb->scm->creds,	1869	if ((UNIXCB(skb).pid != siocb->scm->pid) \|\|
1845	sizeof(siocb->scm->creds)) != 0) {	1870	(UNIXCB(skb).cred != siocb->scm->cred)) {
1846	skb_queue_head(&sk->sk_receive_queue, skb);	1871	skb_queue_head(&sk->sk_receive_queue, skb);
1847	break;	1872	break;
1848	}	1873	}
1849	} else {	1874	} else {
1850	/* Copy credentials */	1875	/* Copy credentials */
1851	siocb->scm->creds = *UNIXCREDS(skb);	1876	scm_set_cred(siocb->scm, UNIXCB(skb).pid, UNIXCB(skb).cred);
1852	check_creds = 1;	1877	check_creds = 1;
1853	}	1878	}
1854		1879
@@ -1881,7 +1906,7 @@ static int unix_stream_recvmsg(struct kiocb iocb, struct socket sock,
1881	break;	1906	break;
1882	}	1907	}
1883		1908
1884	kfree_skb(skb);	1909	consume_skb(skb);
1885		1910
1886	if (siocb->scm->fp)	1911	if (siocb->scm->fp)
1887	break;	1912	break;