Diffstat (limited to 'net/unix')
-rw-r--r--net/unix/af_unix.c31
-rw-r--r--net/unix/garbage.c49
2 files changed, 61 insertions, 19 deletions
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 338c1aec7089..2775acbca199 100644
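--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1301,14 +1301,23 @@ static void unix_destruct_fds(struct sk_buff *skb)
  sock_wfree(skb);
 }
 
-static void unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
+static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb)
 {
  int i;
+
+ /*
+ * Need to duplicate file references for the sake of garbage
+ * collection. Otherwise a socket in the fps might become a
+ * candidate for GC while the skb is not yet queued.
+ */
+ UNIXCB(skb).fp = scm_fp_dup(scm->fp);
+ if (!UNIXCB(skb).fp)
+ return -ENOMEM;
+
  for (i=scm->fp->count-1; i>=0; i--)
  unix_inflight(scm->fp->fp[i]);
- UNIXCB(skb).fp = scm->fp;
  skb->destructor = unix_destruct_fds;
- scm->fp = NULL;
+ return 0;
 }
 
 /*
@@ -1367,8 +1376,11 @@ static int unix_dgram_sendmsg(struct kiocb *kiocb, struct socket *sock,
  goto out;
 
  memcpy(UNIXCREDS(skb), &siocb->scm->creds, sizeof(struct ucred));
- if (siocb->scm->fp)
- unix_attach_fds(siocb->scm, skb);
+ if (siocb->scm->fp) {
+ err = unix_attach_fds(siocb->scm, skb);
+ if (err)
+ goto out_free;
+ }
  unix_get_secdata(siocb->scm, skb);
 
  skb_reset_transport_header(skb);
@@ -1537,8 +1549,13 @@ static int unix_stream_sendmsg(struct kiocb *kiocb, struct socket *sock,
  size = min_t(int, size, skb_tailroom(skb));
 
  memcpy(UNIXCREDS(skb), &siocb->scm->creds, sizeof(struct ucred));
- if (siocb->scm->fp)
- unix_attach_fds(siocb->scm, skb);
+ if (siocb->scm->fp) {
+ err = unix_attach_fds(siocb->scm, skb);
+ if (err) {
+ kfree_skb(skb);
+ goto out_err;
+ }
+ }
 
  if ((err = memcpy_fromiovec(skb_put(skb,size), msg->msg_iov, size)) != 0) {
  kfree_skb(skb);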
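Review bot: In unix_stream_sendmsg (new lines 1552-1558) nothing visible limits the attach to once per message: the block runs whenever `siocb->scm->fp` is non-NULL, and unix_attach_fds no longer ends with `scm->fp = NULL`. If this block sits inside the per-skb send loop (the loop is outside the hunk), a message split across several skbs would get a fresh duplicate of the same descriptor set on every skb, so the receiver ends up holding file references the sender never meant to pass. A local flag would restore the old once-per-message behaviour, for example `if (siocb->scm->fp && !fds_sent) {` with `fds_sent = true;` after a successful attach. The new comment in unix_attach_fds should also say that `scm->fp` now stays owned by the caller, which has to release it on every exit path.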
diff --git a/net/unix/garbage.c b/net/unix/garbage.c
index 2a27b84f740b..6d4a9a8de5ef 100644
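--- a/net/unix/garbage.c
+++ b/net/unix/garbage.c
@@ -186,8 +186,17 @@ static void scan_inflight(struct sock *x, void (*func)(struct unix_sock *),
  */
  struct sock *sk = unix_get_socket(*fp++);
  if (sk) {
- hit = true;
- func(unix_sk(sk));
+ struct unix_sock *u = unix_sk(sk);
+
+ /*
+ * Ignore non-candidates, they could
+ * have been added to the queues after
+ * starting the garbage collection
+ */
+ if (u->gc_candidate) {
+ hit = true;
+ func(u);
+ }
  }
  }
  if (hit && hitlist != NULL) {
@@ -249,11 +258,11 @@ static void inc_inflight_move_tail(struct unix_sock *u)
 {
  atomic_long_inc(&u->inflight);
  /*
- * If this is still a candidate, move it to the end of the
- * list, so that it's checked even if it was already passed
- * over
+ * If this still might be part of a cycle, move it to the end
+ * of the list, so that it's checked even if it was already
+ * passed over
  */
- if (u->gc_candidate)
+ if (u->gc_maybe_cycle)
  list_move_tail(&u->link, &gc_candidates);
 }
 
@@ -267,6 +276,7 @@ void unix_gc(void)
  struct unix_sock *next;
  struct sk_buff_head hitlist;
  struct list_head cursor;
+ LIST_HEAD(not_cycle_list);
 
  spin_lock(&unix_gc_lock);
 
@@ -282,10 +292,14 @@ void unix_gc(void)
  *
  * Holding unix_gc_lock will protect these candidates from
  * being detached, and hence from gaining an external
- * reference. This also means, that since there are no
- * possible receivers, the receive queues of these sockets are
- * static during the GC, even though the dequeue is done
- * before the detach without atomicity guarantees.
+ * reference. Since there are no possible receivers, all
+ * buffers currently on the candidates' queues stay there
+ * during the garbage collection.
+ *
+ * We also know that no new candidate can be added onto the
+ * receive queues. Other, non candidate sockets _can_ be
+ * added to queue, so we must make sure only to touch
+ * candidates.
  */
  list_for_each_entry_safe(u, next, &gc_inflight_list, link) {
  long total_refs;
@@ -299,6 +313,7 @@ void unix_gc(void)
  if (total_refs == inflight_refs) {
  list_move_tail(&u->link, &gc_candidates);
  u->gc_candidate = 1;
+ u->gc_maybe_cycle = 1;
  }
  }
 
@@ -325,14 +340,24 @@ void unix_gc(void)
  list_move(&cursor, &u->link);
 
  if (atomic_long_read(&u->inflight) > 0) {
- list_move_tail(&u->link, &gc_inflight_list);
- u->gc_candidate = 0;
+ list_move_tail(&u->link, &not_cycle_list);
+ u->gc_maybe_cycle = 0;
  scan_children(&u->sk, inc_inflight_move_tail, NULL);
  }
  }
  list_del(&cursor);
 
  /*
+ * not_cycle_list contains those sockets which do not make up a
+ * cycle. Restore these to the inflight list.
+ */
+ while (!list_empty(&not_cycle_list)) {
+ u = list_entry(not_cycle_list.next, struct unix_sock, link);
+ u->gc_candidate = 0;
+ list_move_tail(&u->link, &gc_inflight_list);
+ }
+
+ /*
  * Now gc_candidates contains only garbage. Restore original
  * inflight counters for these as well, and remove the skbuffs
  * which are creating the cycle(s).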
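Review bot: The invariant that makes the new `if (u->gc_candidate)` filter in scan_inflight safe is not written down anywhere in these hunks: `gc_candidate` must stay set on sockets parked on `not_cycle_list` until the whole candidate scan has finished, and only `gc_maybe_cycle` may be cleared during it. If a later cleanup moved `u->gc_candidate = 0;` back into the scan loop, inc_inflight_move_tail would be skipped for a socket whose inflight count had already been decremented, leaving that counter out of step with the real number of in-flight references. I would add a comment above `u->gc_maybe_cycle = 1;` in unix_gc, such as `/* gc_candidate: member of the candidate set for this whole pass; gc_maybe_cycle: not yet shown to be externally reachable */`. unix_gc begins and ends outside these hunks, and the declaration of `gc_maybe_cycle` is not in this path-limited diff, so its type and the locking around it cannot be checked here.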