1 files changed, 88 insertions, 50 deletions
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index fef2cc5e9d2..3c95304a081 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -117,7 +117,7 @@
 static struct hlist_head unix_socket_table[UNIX_HASH_SIZE + 1];
 static DEFINE_SPINLOCK(unix_table_lock);
-static atomic_t unix_nr_socks = ATOMIC_INIT(0);
+static atomic_long_t unix_nr_socks;
 #define unix_sockets_unbound    (&unix_socket_table[UNIX_HASH_SIZE])
@@ -282,7 +282,7 @@ static inline struct sock *unix_find_socket_byname(struct net *net,
        return s;
 }
-static struct sock *unix_find_socket_byinode(struct net *net, struct inode *i)
+static struct sock *unix_find_socket_byinode(struct inode *i)
 {
        struct sock *s;
        struct hlist_node *node;
@@ -292,9 +292,6 @@ static struct sock *unix_find_socket_byinode(struct net *net, struct inode *i)
                    &unix_socket_table[i->i_ino & (UNIX_HASH_SIZE - 1)]) {
                struct dentry *dentry = unix_sk(s)->dentry;
-                if (!net_eq(sock_net(s), net))
-                        continue;
                if (dentry && dentry->d_inode == i) {
                        sock_hold(s);
                        goto found;
@@ -363,13 +360,13 @@ static void unix_sock_destructor(struct sock *sk)
        if (u->addr)
                unix_release_addr(u->addr);
-        atomic_dec(&unix_nr_socks);
+        atomic_long_dec(&unix_nr_socks);
        local_bh_disable();
        sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
        local_bh_enable();
 #ifdef UNIX_REFCNT_DEBUG
-        printk(KERN_DEBUG "UNIX %p is destroyed, %d are still alive.\n", sk,
+        printk(KERN_DEBUG "UNIX %p is destroyed, %ld are still alive.\n", sk,
-                atomic_read(&unix_nr_socks));
+                atomic_long_read(&unix_nr_socks));
 #endif
 }
@@ -450,11 +447,31 @@ static int unix_release_sock(struct sock *sk, int embrion)
        return 0;
 }
+static void init_peercred(struct sock *sk)
+{
+        put_pid(sk->sk_peer_pid);
+        if (sk->sk_peer_cred)
+                put_cred(sk->sk_peer_cred);
+        sk->sk_peer_pid  = get_pid(task_tgid(current));
+        sk->sk_peer_cred = get_current_cred();
+}
+static void copy_peercred(struct sock *sk, struct sock *peersk)
+{
+        put_pid(sk->sk_peer_pid);
+        if (sk->sk_peer_cred)
+                put_cred(sk->sk_peer_cred);
+        sk->sk_peer_pid  = get_pid(peersk->sk_peer_pid);
+        sk->sk_peer_cred = get_cred(peersk->sk_peer_cred);
+}
 static int unix_listen(struct socket *sock, int backlog)
 {
        int err;
        struct sock *sk = sock->sk;
        struct unix_sock *u = unix_sk(sk);
+        struct pid *old_pid = NULL;
+        const struct cred *old_cred = NULL;
        err = -EOPNOTSUPP;
        if (sock->type != SOCK_STREAM && sock->type != SOCK_SEQPACKET)
@@ -470,12 +487,14 @@ static int unix_listen(struct socket *sock, int backlog)
        sk->sk_max_ack_backlog  = backlog;
        sk->sk_state            = TCP_LISTEN;
        /* set credentials so connect can copy them */
-        sk->sk_peercred.pid     = task_tgid_vnr(current);
+        init_peercred(sk);
-        current_euid_egid(&sk->sk_peercred.uid, &sk->sk_peercred.gid);
        err = 0;
 out_unlock:
        unix_state_unlock(sk);
+        put_pid(old_pid);
+        if (old_cred)
+                put_cred(old_cred);
 out:
        return err;
 }
@@ -587,8 +606,8 @@ static struct sock *unix_create1(struct net *net, struct socket *sock)
        struct sock *sk = NULL;
        struct unix_sock *u;
-        atomic_inc(&unix_nr_socks);
+        atomic_long_inc(&unix_nr_socks);
-        if (atomic_read(&unix_nr_socks) > 2 * get_max_files())
+        if (atomic_long_read(&unix_nr_socks) > 2 * get_max_files())
                goto out;
        sk = sk_alloc(net, PF_UNIX, GFP_KERNEL, &unix_proto);
@@ -613,7 +632,7 @@ static struct sock *unix_create1(struct net *net, struct socket *sock)
        unix_insert_socket(unix_sockets_unbound, sk);
 out:
        if (sk == NULL)
-                atomic_dec(&unix_nr_socks);
+                atomic_long_dec(&unix_nr_socks);
        else {
                local_bh_disable();
                sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1);
@@ -673,6 +692,7 @@ static int unix_autobind(struct socket *sock)
        static u32 ordernum = 1;
        struct unix_address *addr;
        int err;
+        unsigned int retries = 0;
        mutex_lock(&u->readlock);
@@ -698,9 +718,17 @@ retry:
        if (__unix_find_socket_byname(net, addr->name, addr->len, sock->type,
                                      addr->hash)) {
                spin_unlock(&unix_table_lock);
-                /* Sanity yield. It is unusual case, but yet... */
+                /*
-                if (!(ordernum&0xFF))
+                 * __unix_find_socket_byname() may take long time if many names
-                        yield();
+                 * are already in use.
+                 */
+                cond_resched();
+                /* Give up if all names seems to be in use. */
+                if (retries++ == 0xFFFFF) {
+                        err = -ENOSPC;
+                        kfree(addr);
+                        goto out;
+                }
                goto retry;
        }
        addr->hash ^= sk->sk_type;
@@ -736,7 +764,7 @@ static struct sock *unix_find_other(struct net *net,
                err = -ECONNREFUSED;
                if (!S_ISSOCK(inode->i_mode))
                        goto put_fail;
-                u = unix_find_socket_byinode(net, inode);
+                u = unix_find_socket_byinode(inode);
                if (!u)
                        goto put_fail;
@@ -1140,8 +1168,7 @@ restart:
        unix_peer(newsk)        = sk;
        newsk->sk_state         = TCP_ESTABLISHED;
        newsk->sk_type          = sk->sk_type;
-        newsk->sk_peercred.pid  = task_tgid_vnr(current);
+        init_peercred(newsk);
-        current_euid_egid(&newsk->sk_peercred.uid, &newsk->sk_peercred.gid);
        newu = unix_sk(newsk);
        newsk->sk_wq            = &newu->peer_wq;
        otheru = unix_sk(other);
@@ -1157,7 +1184,7 @@ restart:
        }
        /* Set credentials */
-        sk->sk_peercred = other->sk_peercred;
+        copy_peercred(sk, other);
        sock->state     = SS_CONNECTED;
        sk->sk_state    = TCP_ESTABLISHED;
@@ -1199,10 +1226,8 @@ static int unix_socketpair(struct socket *socka, struct socket *sockb)
        sock_hold(skb);
        unix_peer(ska) = skb;
        unix_peer(skb) = ska;
-        ska->sk_peercred.pid = skb->sk_peercred.pid = task_tgid_vnr(current);
+        init_peercred(ska);
-        current_euid_egid(&skb->sk_peercred.uid, &skb->sk_peercred.gid);
+        init_peercred(skb);
-        ska->sk_peercred.uid = skb->sk_peercred.uid;
-        ska->sk_peercred.gid = skb->sk_peercred.gid;
        if (ska->sk_type != SOCK_DGRAM) {
                ska->sk_state = TCP_ESTABLISHED;
@@ -1297,18 +1322,20 @@ static void unix_detach_fds(struct scm_cookie *scm, struct sk_buff *skb)
        int i;
        scm->fp = UNIXCB(skb).fp;
-        skb->destructor = sock_wfree;
        UNIXCB(skb).fp = NULL;
        for (i = scm->fp->count-1; i >= 0; i--)
                unix_notinflight(scm->fp->fp[i]);
 }
-static void unix_destruct_fds(struct sk_buff *skb)
+static void unix_destruct_scm(struct sk_buff *skb)
 {
        struct scm_cookie scm;
        memset(&scm, 0, sizeof(scm));
-        unix_detach_fds(&scm, skb);
+        scm.pid  = UNIXCB(skb).pid;
+        scm.cred = UNIXCB(skb).cred;
+        if (UNIXCB(skb).fp)
+                unix_detach_fds(&scm, skb);
        /* Alas, it calls VFS */
        /* So fscking what? fput() had been SMP-safe since the last Summer */
@@ -1331,10 +1358,22 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
        for (i = scm->fp->count-1; i >= 0; i--)
                unix_inflight(scm->fp->fp[i]);
-        skb->destructor = unix_destruct_fds;
        return 0;
 }
+static int unix_scm_to_skb(struct scm_cookie *scm, struct sk_buff *skb, bool send_fds)
+{
+        int err = 0;
+        UNIXCB(skb).pid  = get_pid(scm->pid);
+        UNIXCB(skb).cred = get_cred(scm->cred);
+        UNIXCB(skb).fp = NULL;
+        if (scm->fp && send_fds)
+                err = unix_attach_fds(scm, skb);
+        skb->destructor = unix_destruct_scm;
+        return err;
+}
 /*
 *      Send AF_UNIX data.
 */
@@ -1391,12 +1430,9 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock,
        if (skb == NULL)
                goto out;
-        memcpy(UNIXCREDS(skb), &siocb->scm->creds, sizeof(struct ucred));
+        err = unix_scm_to_skb(siocb->scm, skb, true);
-        if (siocb->scm->fp) {
+        if (err)
-                err = unix_attach_fds(siocb->scm, skb);
+                goto out_free;
-                if (err)
-                        goto out_free;
-        }
        unix_get_secdata(siocb->scm, skb);
        skb_reset_transport_header(skb);
@@ -1475,6 +1511,8 @@ restart:
                goto restart;
        }
+        if (sock_flag(other, SOCK_RCVTSTAMP))
+                __net_timestamp(skb);
        skb_queue_tail(&other->sk_receive_queue, skb);
        unix_state_unlock(other);
        other->sk_data_ready(other, len);
@@ -1566,16 +1604,14 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
                 */
                size = min_t(int, size, skb_tailroom(skb));
-                memcpy(UNIXCREDS(skb), &siocb->scm->creds, sizeof(struct ucred));
                /* Only send the fds in the first buffer */
-                if (siocb->scm->fp && !fds_sent) {
+                err = unix_scm_to_skb(siocb->scm, skb, !fds_sent);
-                        err = unix_attach_fds(siocb->scm, skb);
+                if (err) {
-                        if (err) {
+                        kfree_skb(skb);
-                                kfree_skb(skb);
+                        goto out_err;
-                                goto out_err;
-                        }
-                        fds_sent = true;
                }
+                fds_sent = true;
                err = memcpy_fromiovec(skb_put(skb, size), msg->msg_iov, size);
                if (err) {
@@ -1688,11 +1724,14 @@ static int unix_dgram_recvmsg(struct kiocb *iocb, struct socket *sock,
        if (err)
                goto out_free;
+        if (sock_flag(sk, SOCK_RCVTSTAMP))
+                __sock_recv_timestamp(msg, sk, skb);
        if (!siocb->scm) {
                siocb->scm = &tmp_scm;
                memset(&tmp_scm, 0, sizeof(tmp_scm));
        }
-        siocb->scm->creds = *UNIXCREDS(skb);
+        scm_set_cred(siocb->scm, UNIXCB(skb).pid, UNIXCB(skb).cred);
        unix_set_secdata(siocb->scm, skb);
        if (!(flags & MSG_PEEK)) {
@@ -1841,14 +1880,14 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
                if (check_creds) {
                        /* Never glue messages from different writers */
-                        if (memcmp(UNIXCREDS(skb), &siocb->scm->creds,
+                        if ((UNIXCB(skb).pid  != siocb->scm->pid) ||
-                                   sizeof(siocb->scm->creds)) != 0) {
+                            (UNIXCB(skb).cred != siocb->scm->cred)) {
                                skb_queue_head(&sk->sk_receive_queue, skb);
                                break;
                        }
                } else {
                        /* Copy credentials */
-                        siocb->scm->creds = *UNIXCREDS(skb);
+                        scm_set_cred(siocb->scm, UNIXCB(skb).pid, UNIXCB(skb).cred);
                        check_creds = 1;
                }
@@ -1881,7 +1920,7 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock,
                                break;
                        }
-                        kfree_skb(skb);
+                        consume_skb(skb);
                        if (siocb->scm->fp)
                                break;
@@ -1999,11 +2038,10 @@ static unsigned int unix_poll(struct file *file, struct socket *sock, poll_table
        if (sk->sk_shutdown == SHUTDOWN_MASK)
                mask |= POLLHUP;
        if (sk->sk_shutdown & RCV_SHUTDOWN)
-                mask |= POLLRDHUP;
+                mask |= POLLRDHUP | POLLIN | POLLRDNORM;
        /* readable? */
-        if (!skb_queue_empty(&sk->sk_receive_queue) ||
+        if (!skb_queue_empty(&sk->sk_receive_queue))
-            (sk->sk_shutdown & RCV_SHUTDOWN))
                mask |= POLLIN | POLLRDNORM;
        /* Connection-based need to check for termination and startup */

diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index fef2cc5e9d2..3c95304a081 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c
@@ -117,7 +117,7 @@
117		117
118	static struct hlist_head unix_socket_table[UNIX_HASH_SIZE + 1];	118	static struct hlist_head unix_socket_table[UNIX_HASH_SIZE + 1];
119	static DEFINE_SPINLOCK(unix_table_lock);	119	static DEFINE_SPINLOCK(unix_table_lock);
120	static atomic_t unix_nr_socks = ATOMIC_INIT(0);	120	static atomic_long_t unix_nr_socks;
121		121
122	#define unix_sockets_unbound (&unix_socket_table[UNIX_HASH_SIZE])	122	#define unix_sockets_unbound (&unix_socket_table[UNIX_HASH_SIZE])
123		123
@@ -282,7 +282,7 @@ static inline struct sock unix_find_socket_byname(struct net net,
282	return s;	282	return s;
283	}	283	}
284		284
285	static struct sock unix_find_socket_byinode(struct net net, struct inode *i)	285	static struct sock unix_find_socket_byinode(struct inode i)
286	{	286	{
287	struct sock *s;	287	struct sock *s;
288	struct hlist_node *node;	288	struct hlist_node *node;
@@ -292,9 +292,6 @@ static struct sock unix_find_socket_byinode(struct net net, struct inode *i)
292	&unix_socket_table[i->i_ino & (UNIX_HASH_SIZE - 1)]) {	292	&unix_socket_table[i->i_ino & (UNIX_HASH_SIZE - 1)]) {
293	struct dentry *dentry = unix_sk(s)->dentry;	293	struct dentry *dentry = unix_sk(s)->dentry;
294		294
295	if (!net_eq(sock_net(s), net))
296	continue;
297
298	if (dentry && dentry->d_inode == i) {	295	if (dentry && dentry->d_inode == i) {
299	sock_hold(s);	296	sock_hold(s);
300	goto found;	297	goto found;
@@ -363,13 +360,13 @@ static void unix_sock_destructor(struct sock *sk)
363	if (u->addr)	360	if (u->addr)
364	unix_release_addr(u->addr);	361	unix_release_addr(u->addr);
365		362
366	atomic_dec(&unix_nr_socks);	363	atomic_long_dec(&unix_nr_socks);
367	local_bh_disable();	364	local_bh_disable();
368	sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);	365	sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
369	local_bh_enable();	366	local_bh_enable();
370	#ifdef UNIX_REFCNT_DEBUG	367	#ifdef UNIX_REFCNT_DEBUG
371	printk(KERN_DEBUG "UNIX %p is destroyed, %d are still alive.\n", sk,	368	printk(KERN_DEBUG "UNIX %p is destroyed, %ld are still alive.\n", sk,
372	atomic_read(&unix_nr_socks));	369	atomic_long_read(&unix_nr_socks));
373	#endif	370	#endif
374	}	371	}
375		372
@@ -450,11 +447,31 @@ static int unix_release_sock(struct sock *sk, int embrion)
450	return 0;	447	return 0;
451	}	448	}
452		449
		450	static void init_peercred(struct sock *sk)
		451	{
		452	put_pid(sk->sk_peer_pid);
		453	if (sk->sk_peer_cred)
		454	put_cred(sk->sk_peer_cred);
		455	sk->sk_peer_pid = get_pid(task_tgid(current));
		456	sk->sk_peer_cred = get_current_cred();
		457	}
		458
		459	static void copy_peercred(struct sock sk, struct sock peersk)
		460	{
		461	put_pid(sk->sk_peer_pid);
		462	if (sk->sk_peer_cred)
		463	put_cred(sk->sk_peer_cred);
		464	sk->sk_peer_pid = get_pid(peersk->sk_peer_pid);
		465	sk->sk_peer_cred = get_cred(peersk->sk_peer_cred);
		466	}
		467
453	static int unix_listen(struct socket *sock, int backlog)	468	static int unix_listen(struct socket *sock, int backlog)
454	{	469	{
455	int err;	470	int err;
456	struct sock *sk = sock->sk;	471	struct sock *sk = sock->sk;
457	struct unix_sock *u = unix_sk(sk);	472	struct unix_sock *u = unix_sk(sk);
		473	struct pid *old_pid = NULL;
		474	const struct cred *old_cred = NULL;
458		475
459	err = -EOPNOTSUPP;	476	err = -EOPNOTSUPP;
460	if (sock->type != SOCK_STREAM && sock->type != SOCK_SEQPACKET)	477	if (sock->type != SOCK_STREAM && sock->type != SOCK_SEQPACKET)
@@ -470,12 +487,14 @@ static int unix_listen(struct socket *sock, int backlog)
470	sk->sk_max_ack_backlog = backlog;	487	sk->sk_max_ack_backlog = backlog;
471	sk->sk_state = TCP_LISTEN;	488	sk->sk_state = TCP_LISTEN;
472	/* set credentials so connect can copy them */	489	/* set credentials so connect can copy them */
473	sk->sk_peercred.pid = task_tgid_vnr(current);	490	init_peercred(sk);
474	current_euid_egid(&sk->sk_peercred.uid, &sk->sk_peercred.gid);
475	err = 0;	491	err = 0;
476		492
477	out_unlock:	493	out_unlock:
478	unix_state_unlock(sk);	494	unix_state_unlock(sk);
		495	put_pid(old_pid);
		496	if (old_cred)
		497	put_cred(old_cred);
479	out:	498	out:
480	return err;	499	return err;
481	}	500	}
@@ -587,8 +606,8 @@ static struct sock unix_create1(struct net net, struct socket *sock)
587	struct sock *sk = NULL;	606	struct sock *sk = NULL;
588	struct unix_sock *u;	607	struct unix_sock *u;
589		608
590	atomic_inc(&unix_nr_socks);	609	atomic_long_inc(&unix_nr_socks);
591	if (atomic_read(&unix_nr_socks) > 2 * get_max_files())	610	if (atomic_long_read(&unix_nr_socks) > 2 * get_max_files())
592	goto out;	611	goto out;
593		612
594	sk = sk_alloc(net, PF_UNIX, GFP_KERNEL, &unix_proto);	613	sk = sk_alloc(net, PF_UNIX, GFP_KERNEL, &unix_proto);
@@ -613,7 +632,7 @@ static struct sock unix_create1(struct net net, struct socket *sock)
613	unix_insert_socket(unix_sockets_unbound, sk);	632	unix_insert_socket(unix_sockets_unbound, sk);
614	out:	633	out:
615	if (sk == NULL)	634	if (sk == NULL)
616	atomic_dec(&unix_nr_socks);	635	atomic_long_dec(&unix_nr_socks);
617	else {	636	else {
618	local_bh_disable();	637	local_bh_disable();
619	sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1);	638	sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1);
@@ -673,6 +692,7 @@ static int unix_autobind(struct socket *sock)
673	static u32 ordernum = 1;	692	static u32 ordernum = 1;
674	struct unix_address *addr;	693	struct unix_address *addr;
675	int err;	694	int err;
		695	unsigned int retries = 0;
676		696
677	mutex_lock(&u->readlock);	697	mutex_lock(&u->readlock);
678		698
@@ -698,9 +718,17 @@ retry:
698	if (__unix_find_socket_byname(net, addr->name, addr->len, sock->type,	718	if (__unix_find_socket_byname(net, addr->name, addr->len, sock->type,
699	addr->hash)) {	719	addr->hash)) {
700	spin_unlock(&unix_table_lock);	720	spin_unlock(&unix_table_lock);
701	/* Sanity yield. It is unusual case, but yet... */	721	/*
702	if (!(ordernum&0xFF))	722	* __unix_find_socket_byname() may take long time if many names
703	yield();	723	* are already in use.
		724	*/
		725	cond_resched();
		726	/* Give up if all names seems to be in use. */
		727	if (retries++ == 0xFFFFF) {
		728	err = -ENOSPC;
		729	kfree(addr);
		730	goto out;
		731	}
704	goto retry;	732	goto retry;
705	}	733	}
706	addr->hash ^= sk->sk_type;	734	addr->hash ^= sk->sk_type;
@@ -736,7 +764,7 @@ static struct sock unix_find_other(struct net net,
736	err = -ECONNREFUSED;	764	err = -ECONNREFUSED;
737	if (!S_ISSOCK(inode->i_mode))	765	if (!S_ISSOCK(inode->i_mode))
738	goto put_fail;	766	goto put_fail;
739	u = unix_find_socket_byinode(net, inode);	767	u = unix_find_socket_byinode(inode);
740	if (!u)	768	if (!u)
741	goto put_fail;	769	goto put_fail;
742		770
@@ -1140,8 +1168,7 @@ restart:
1140	unix_peer(newsk) = sk;	1168	unix_peer(newsk) = sk;
1141	newsk->sk_state = TCP_ESTABLISHED;	1169	newsk->sk_state = TCP_ESTABLISHED;
1142	newsk->sk_type = sk->sk_type;	1170	newsk->sk_type = sk->sk_type;
1143	newsk->sk_peercred.pid = task_tgid_vnr(current);	1171	init_peercred(newsk);
1144	current_euid_egid(&newsk->sk_peercred.uid, &newsk->sk_peercred.gid);
1145	newu = unix_sk(newsk);	1172	newu = unix_sk(newsk);
1146	newsk->sk_wq = &newu->peer_wq;	1173	newsk->sk_wq = &newu->peer_wq;
1147	otheru = unix_sk(other);	1174	otheru = unix_sk(other);
@@ -1157,7 +1184,7 @@ restart:
1157	}	1184	}
1158		1185
1159	/* Set credentials */	1186	/* Set credentials */
1160	sk->sk_peercred = other->sk_peercred;	1187	copy_peercred(sk, other);
1161		1188
1162	sock->state = SS_CONNECTED;	1189	sock->state = SS_CONNECTED;
1163	sk->sk_state = TCP_ESTABLISHED;	1190	sk->sk_state = TCP_ESTABLISHED;
@@ -1199,10 +1226,8 @@ static int unix_socketpair(struct socket socka, struct socket sockb)
1199	sock_hold(skb);	1226	sock_hold(skb);
1200	unix_peer(ska) = skb;	1227	unix_peer(ska) = skb;
1201	unix_peer(skb) = ska;	1228	unix_peer(skb) = ska;
1202	ska->sk_peercred.pid = skb->sk_peercred.pid = task_tgid_vnr(current);	1229	init_peercred(ska);
1203	current_euid_egid(&skb->sk_peercred.uid, &skb->sk_peercred.gid);	1230	init_peercred(skb);
1204	ska->sk_peercred.uid = skb->sk_peercred.uid;
1205	ska->sk_peercred.gid = skb->sk_peercred.gid;
1206		1231
1207	if (ska->sk_type != SOCK_DGRAM) {	1232	if (ska->sk_type != SOCK_DGRAM) {
1208	ska->sk_state = TCP_ESTABLISHED;	1233	ska->sk_state = TCP_ESTABLISHED;
@@ -1297,18 +1322,20 @@ static void unix_detach_fds(struct scm_cookie scm, struct sk_buff skb)
1297	int i;	1322	int i;
1298		1323
1299	scm->fp = UNIXCB(skb).fp;	1324	scm->fp = UNIXCB(skb).fp;
1300	skb->destructor = sock_wfree;
1301	UNIXCB(skb).fp = NULL;	1325	UNIXCB(skb).fp = NULL;
1302		1326
1303	for (i = scm->fp->count-1; i >= 0; i--)	1327	for (i = scm->fp->count-1; i >= 0; i--)
1304	unix_notinflight(scm->fp->fp[i]);	1328	unix_notinflight(scm->fp->fp[i]);
1305	}	1329	}
1306		1330
1307	static void unix_destruct_fds(struct sk_buff *skb)	1331	static void unix_destruct_scm(struct sk_buff *skb)
1308	{	1332	{
1309	struct scm_cookie scm;	1333	struct scm_cookie scm;
1310	memset(&scm, 0, sizeof(scm));	1334	memset(&scm, 0, sizeof(scm));
1311	unix_detach_fds(&scm, skb);	1335	scm.pid = UNIXCB(skb).pid;
		1336	scm.cred = UNIXCB(skb).cred;
		1337	if (UNIXCB(skb).fp)
		1338	unix_detach_fds(&scm, skb);
1312		1339
1313	/* Alas, it calls VFS */	1340	/* Alas, it calls VFS */
1314	/* So fscking what? fput() had been SMP-safe since the last Summer */	1341	/* So fscking what? fput() had been SMP-safe since the last Summer */
@@ -1331,10 +1358,22 @@ static int unix_attach_fds(struct scm_cookie scm, struct sk_buff skb)
1331		1358
1332	for (i = scm->fp->count-1; i >= 0; i--)	1359	for (i = scm->fp->count-1; i >= 0; i--)
1333	unix_inflight(scm->fp->fp[i]);	1360	unix_inflight(scm->fp->fp[i]);
1334	skb->destructor = unix_destruct_fds;
1335	return 0;	1361	return 0;
1336	}	1362	}
1337		1363
		1364	static int unix_scm_to_skb(struct scm_cookie scm, struct sk_buff skb, bool send_fds)
		1365	{
		1366	int err = 0;
		1367	UNIXCB(skb).pid = get_pid(scm->pid);
		1368	UNIXCB(skb).cred = get_cred(scm->cred);
		1369	UNIXCB(skb).fp = NULL;
		1370	if (scm->fp && send_fds)
		1371	err = unix_attach_fds(scm, skb);
		1372
		1373	skb->destructor = unix_destruct_scm;
		1374	return err;
		1375	}
		1376
1338	/*	1377	/*
1339	* Send AF_UNIX data.	1378	* Send AF_UNIX data.
1340	*/	1379	*/
@@ -1391,12 +1430,9 @@ static int unix_dgram_sendmsg(struct kiocb kiocb, struct socket sock,
1391	if (skb == NULL)	1430	if (skb == NULL)
1392	goto out;	1431	goto out;
1393		1432
1394	memcpy(UNIXCREDS(skb), &siocb->scm->creds, sizeof(struct ucred));	1433	err = unix_scm_to_skb(siocb->scm, skb, true);
1395	if (siocb->scm->fp) {	1434	if (err)
1396	err = unix_attach_fds(siocb->scm, skb);	1435	goto out_free;
1397	if (err)
1398	goto out_free;
1399	}
1400	unix_get_secdata(siocb->scm, skb);	1436	unix_get_secdata(siocb->scm, skb);
1401		1437
1402	skb_reset_transport_header(skb);	1438	skb_reset_transport_header(skb);
@@ -1475,6 +1511,8 @@ restart:
1475	goto restart;	1511	goto restart;
1476	}	1512	}
1477		1513
		1514	if (sock_flag(other, SOCK_RCVTSTAMP))
		1515	__net_timestamp(skb);
1478	skb_queue_tail(&other->sk_receive_queue, skb);	1516	skb_queue_tail(&other->sk_receive_queue, skb);
1479	unix_state_unlock(other);	1517	unix_state_unlock(other);
1480	other->sk_data_ready(other, len);	1518	other->sk_data_ready(other, len);
@@ -1566,16 +1604,14 @@ static int unix_stream_sendmsg(struct kiocb kiocb, struct socket sock,
1566	*/	1604	*/
1567	size = min_t(int, size, skb_tailroom(skb));	1605	size = min_t(int, size, skb_tailroom(skb));
1568		1606
1569	memcpy(UNIXCREDS(skb), &siocb->scm->creds, sizeof(struct ucred));	1607
1570	/* Only send the fds in the first buffer */	1608	/* Only send the fds in the first buffer */
1571	if (siocb->scm->fp && !fds_sent) {	1609	err = unix_scm_to_skb(siocb->scm, skb, !fds_sent);
1572	err = unix_attach_fds(siocb->scm, skb);	1610	if (err) {
1573	if (err) {	1611	kfree_skb(skb);
1574	kfree_skb(skb);	1612	goto out_err;
1575	goto out_err;
1576	}
1577	fds_sent = true;
1578	}	1613	}
		1614	fds_sent = true;
1579		1615
1580	err = memcpy_fromiovec(skb_put(skb, size), msg->msg_iov, size);	1616	err = memcpy_fromiovec(skb_put(skb, size), msg->msg_iov, size);
1581	if (err) {	1617	if (err) {
@@ -1688,11 +1724,14 @@ static int unix_dgram_recvmsg(struct kiocb iocb, struct socket sock,
1688	if (err)	1724	if (err)
1689	goto out_free;	1725	goto out_free;
1690		1726
		1727	if (sock_flag(sk, SOCK_RCVTSTAMP))
		1728	__sock_recv_timestamp(msg, sk, skb);
		1729
1691	if (!siocb->scm) {	1730	if (!siocb->scm) {
1692	siocb->scm = &tmp_scm;	1731	siocb->scm = &tmp_scm;
1693	memset(&tmp_scm, 0, sizeof(tmp_scm));	1732	memset(&tmp_scm, 0, sizeof(tmp_scm));
1694	}	1733	}
1695	siocb->scm->creds = *UNIXCREDS(skb);	1734	scm_set_cred(siocb->scm, UNIXCB(skb).pid, UNIXCB(skb).cred);
1696	unix_set_secdata(siocb->scm, skb);	1735	unix_set_secdata(siocb->scm, skb);
1697		1736
1698	if (!(flags & MSG_PEEK)) {	1737	if (!(flags & MSG_PEEK)) {
@@ -1841,14 +1880,14 @@ static int unix_stream_recvmsg(struct kiocb iocb, struct socket sock,
1841		1880
1842	if (check_creds) {	1881	if (check_creds) {
1843	/* Never glue messages from different writers */	1882	/* Never glue messages from different writers */
1844	if (memcmp(UNIXCREDS(skb), &siocb->scm->creds,	1883	if ((UNIXCB(skb).pid != siocb->scm->pid) \|\|
1845	sizeof(siocb->scm->creds)) != 0) {	1884	(UNIXCB(skb).cred != siocb->scm->cred)) {
1846	skb_queue_head(&sk->sk_receive_queue, skb);	1885	skb_queue_head(&sk->sk_receive_queue, skb);
1847	break;	1886	break;
1848	}	1887	}
1849	} else {	1888	} else {
1850	/* Copy credentials */	1889	/* Copy credentials */
1851	siocb->scm->creds = *UNIXCREDS(skb);	1890	scm_set_cred(siocb->scm, UNIXCB(skb).pid, UNIXCB(skb).cred);
1852	check_creds = 1;	1891	check_creds = 1;
1853	}	1892	}
1854		1893
@@ -1881,7 +1920,7 @@ static int unix_stream_recvmsg(struct kiocb iocb, struct socket sock,
1881	break;	1920	break;
1882	}	1921	}
1883		1922
1884	kfree_skb(skb);	1923	consume_skb(skb);
1885		1924
1886	if (siocb->scm->fp)	1925	if (siocb->scm->fp)
1887	break;	1926	break;
@@ -1999,11 +2038,10 @@ static unsigned int unix_poll(struct file file, struct socket sock, poll_table
1999	if (sk->sk_shutdown == SHUTDOWN_MASK)	2038	if (sk->sk_shutdown == SHUTDOWN_MASK)
2000	mask \|= POLLHUP;	2039	mask \|= POLLHUP;
2001	if (sk->sk_shutdown & RCV_SHUTDOWN)	2040	if (sk->sk_shutdown & RCV_SHUTDOWN)
2002	mask \|= POLLRDHUP;	2041	mask \|= POLLRDHUP \| POLLIN \| POLLRDNORM;
2003		2042
2004	/* readable? */	2043	/* readable? */
2005	if (!skb_queue_empty(&sk->sk_receive_queue) \|\|	2044	if (!skb_queue_empty(&sk->sk_receive_queue))
2006	(sk->sk_shutdown & RCV_SHUTDOWN))
2007	mask \|= POLLIN \| POLLRDNORM;	2045	mask \|= POLLIN \| POLLRDNORM;
2008		2046
2009	/* Connection-based need to check for termination and startup */	2047	/* Connection-based need to check for termination and startup */