forked from Minki/linux
6209344f5a
Previously I assumed that the receive queues of candidates don't change during the GC. This is only half true, nothing can be received from the queues (see comment in unix_gc()), but buffers could be added through the other half of the socket pair, which may still have file descriptors referring to it. This can result in inc_inflight_move_tail() erronously increasing the "inflight" counter for a unix socket for which dec_inflight() wasn't previously called. This in turn can trigger the "BUG_ON(total_refs < inflight_refs)" in a later garbage collection run. Fix this by only manipulating the "inflight" counter for sockets which are candidates themselves. Duplicating the file references in unix_attach_fds() is also needed to prevent a socket becoming a candidate for GC while the skb that contains it is not yet queued. Reported-by: Andrea Bittau <a.bittau@cs.ucl.ac.uk> Signed-off-by: Miklos Szeredi <mszeredi@suse.cz> CC: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
71 lines
1.8 KiB
C
71 lines
1.8 KiB
C
#ifndef __LINUX_NET_AFUNIX_H
|
|
#define __LINUX_NET_AFUNIX_H
|
|
|
|
#include <linux/socket.h>
|
|
#include <linux/un.h>
|
|
#include <linux/mutex.h>
|
|
#include <net/sock.h>
|
|
|
|
extern void unix_inflight(struct file *fp);
|
|
extern void unix_notinflight(struct file *fp);
|
|
extern void unix_gc(void);
|
|
|
|
#define UNIX_HASH_SIZE 256
|
|
|
|
extern unsigned int unix_tot_inflight;
|
|
|
|
struct unix_address {
|
|
atomic_t refcnt;
|
|
int len;
|
|
unsigned hash;
|
|
struct sockaddr_un name[0];
|
|
};
|
|
|
|
struct unix_skb_parms {
|
|
struct ucred creds; /* Skb credentials */
|
|
struct scm_fp_list *fp; /* Passed files */
|
|
#ifdef CONFIG_SECURITY_NETWORK
|
|
u32 secid; /* Security ID */
|
|
#endif
|
|
};
|
|
|
|
#define UNIXCB(skb) (*(struct unix_skb_parms*)&((skb)->cb))
|
|
#define UNIXCREDS(skb) (&UNIXCB((skb)).creds)
|
|
#define UNIXSID(skb) (&UNIXCB((skb)).secid)
|
|
|
|
#define unix_state_lock(s) spin_lock(&unix_sk(s)->lock)
|
|
#define unix_state_unlock(s) spin_unlock(&unix_sk(s)->lock)
|
|
#define unix_state_lock_nested(s) \
|
|
spin_lock_nested(&unix_sk(s)->lock, \
|
|
SINGLE_DEPTH_NESTING)
|
|
|
|
#ifdef __KERNEL__
|
|
/* The AF_UNIX socket */
|
|
struct unix_sock {
|
|
/* WARNING: sk has to be the first member */
|
|
struct sock sk;
|
|
struct unix_address *addr;
|
|
struct dentry *dentry;
|
|
struct vfsmount *mnt;
|
|
struct mutex readlock;
|
|
struct sock *peer;
|
|
struct sock *other;
|
|
struct list_head link;
|
|
atomic_long_t inflight;
|
|
spinlock_t lock;
|
|
unsigned int gc_candidate : 1;
|
|
unsigned int gc_maybe_cycle : 1;
|
|
wait_queue_head_t peer_wait;
|
|
};
|
|
#define unix_sk(__sk) ((struct unix_sock *)__sk)
|
|
|
|
#ifdef CONFIG_SYSCTL
|
|
extern int unix_sysctl_register(struct net *net);
|
|
extern void unix_sysctl_unregister(struct net *net);
|
|
#else
|
|
static inline int unix_sysctl_register(struct net *net) { return 0; }
|
|
static inline void unix_sysctl_unregister(struct net *net) {}
|
|
#endif
|
|
#endif
|
|
#endif
|