1 /*-
2 * SPDX-License-Identifier: BSD-3-Clause
3 *
4 * Copyright (c) 1982, 1986, 1989, 1991, 1993
5 * The Regents of the University of California. All Rights Reserved.
6 * Copyright (c) 2004-2009 Robert N. M. Watson All Rights Reserved.
7 * Copyright (c) 2018 Matthew Macy
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the University nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 *
33 * From: @(#)uipc_usrreq.c 8.3 (Berkeley) 1/4/94
34 */
35
36 /*
37 * UNIX Domain (Local) Sockets
38 *
39 * This is an implementation of UNIX (local) domain sockets. Each socket has
40 * an associated struct unpcb (UNIX protocol control block). Stream sockets
41 * may be connected to 0 or 1 other socket. Datagram sockets may be
42 * connected to 0, 1, or many other sockets. Sockets may be created and
43 * connected in pairs (socketpair(2)), or bound/connected to using the file
44 * system name space. For most purposes, only the receive socket buffer is
45 * used, as sending on one socket delivers directly to the receive socket
46 * buffer of a second socket.
47 *
48 * The implementation is substantially complicated by the fact that
49 * "ancillary data", such as file descriptors or credentials, may be passed
50 * across UNIX domain sockets. The potential for passing UNIX domain sockets
51 * over other UNIX domain sockets requires the implementation of a simple
52 * garbage collector to find and tear down cycles of disconnected sockets.
53 *
54 * TODO:
55 * RDM
56 * rethink name space problems
57 * need a proper out-of-band
58 */
59
60 #include <sys/cdefs.h>
61 __FBSDID("$FreeBSD$");
62
63 #include "opt_ddb.h"
64
65 #include <sys/param.h>
66 #include <sys/capsicum.h>
67 #include <sys/domain.h>
68 #include <sys/eventhandler.h>
69 #include <sys/fcntl.h>
70 #include <sys/file.h>
71 #include <sys/filedesc.h>
72 #include <sys/kernel.h>
73 #include <sys/lock.h>
74 #include <sys/malloc.h>
75 #include <sys/mbuf.h>
76 #include <sys/mount.h>
77 #include <sys/mutex.h>
78 #include <sys/namei.h>
79 #include <sys/proc.h>
80 #include <sys/protosw.h>
81 #include <sys/queue.h>
82 #include <sys/resourcevar.h>
83 #include <sys/rwlock.h>
84 #include <sys/socket.h>
85 #include <sys/socketvar.h>
86 #include <sys/signalvar.h>
87 #include <sys/stat.h>
88 #include <sys/sx.h>
89 #include <sys/sysctl.h>
90 #include <sys/systm.h>
91 #include <sys/taskqueue.h>
92 #include <sys/un.h>
93 #include <sys/unpcb.h>
94 #include <sys/vnode.h>
95
96 #include <net/vnet.h>
97
98 #ifdef DDB
99 #include <ddb/ddb.h>
100 #endif
101
102 #include <security/mac/mac_framework.h>
103
104 #include <vm/uma.h>
105
106 MALLOC_DECLARE(M_FILECAPS);
107
108 /*
109 * See unpcb.h for the locking key.
110 */
111
112 static uma_zone_t unp_zone;
113 static unp_gen_t unp_gencnt; /* (l) */
114 static u_int unp_count; /* (l) Count of local sockets. */
115 static ino_t unp_ino; /* Prototype for fake inode numbers. */
116 static int unp_rights; /* (g) File descriptors in flight. */
117 static struct unp_head unp_shead; /* (l) List of stream sockets. */
118 static struct unp_head unp_dhead; /* (l) List of datagram sockets. */
119 static struct unp_head unp_sphead; /* (l) List of seqpacket sockets. */
120
121 struct unp_defer {
122 SLIST_ENTRY(unp_defer) ud_link;
123 struct file *ud_fp;
124 };
125 static SLIST_HEAD(, unp_defer) unp_defers;
126 static int unp_defers_count;
127
128 static const struct sockaddr sun_noname = { sizeof(sun_noname), AF_LOCAL };
129
130 /*
131 * Garbage collection of cyclic file descriptor/socket references occurs
132 * asynchronously in a taskqueue context in order to avoid recursion and
133 * reentrance in the UNIX domain socket, file descriptor, and socket layer
134 * code. See unp_gc() for a full description.
135 */
136 static struct timeout_task unp_gc_task;
137
138 /*
139 * The close of unix domain sockets attached as SCM_RIGHTS is
140 * postponed to the taskqueue, to avoid arbitrary recursion depth.
141 * The attached sockets might have another sockets attached.
142 */
143 static struct task unp_defer_task;
144
145 /*
146 * Both send and receive buffers are allocated PIPSIZ bytes of buffering for
147 * stream sockets, although the total for sender and receiver is actually
148 * only PIPSIZ.
149 *
150 * Datagram sockets really use the sendspace as the maximum datagram size,
151 * and don't really want to reserve the sendspace. Their recvspace should be
152 * large enough for at least one max-size datagram plus address.
153 */
154 #ifndef PIPSIZ
155 #define PIPSIZ 8192
156 #endif
157 static u_long unpst_sendspace = PIPSIZ;
158 static u_long unpst_recvspace = PIPSIZ;
159 static u_long unpdg_sendspace = 2*1024; /* really max datagram size */
160 static u_long unpdg_recvspace = 4*1024;
161 static u_long unpsp_sendspace = PIPSIZ; /* really max datagram size */
162 static u_long unpsp_recvspace = PIPSIZ;
163
164 static SYSCTL_NODE(_net, PF_LOCAL, local, CTLFLAG_RW, 0, "Local domain");
165 static SYSCTL_NODE(_net_local, SOCK_STREAM, stream, CTLFLAG_RW, 0,
166 "SOCK_STREAM");
167 static SYSCTL_NODE(_net_local, SOCK_DGRAM, dgram, CTLFLAG_RW, 0, "SOCK_DGRAM");
168 static SYSCTL_NODE(_net_local, SOCK_SEQPACKET, seqpacket, CTLFLAG_RW, 0,
169 "SOCK_SEQPACKET");
170
171 SYSCTL_ULONG(_net_local_stream, OID_AUTO, sendspace, CTLFLAG_RW,
172 &unpst_sendspace, 0, "Default stream send space.");
173 SYSCTL_ULONG(_net_local_stream, OID_AUTO, recvspace, CTLFLAG_RW,
174 &unpst_recvspace, 0, "Default stream receive space.");
175 SYSCTL_ULONG(_net_local_dgram, OID_AUTO, maxdgram, CTLFLAG_RW,
176 &unpdg_sendspace, 0, "Default datagram send space.");
177 SYSCTL_ULONG(_net_local_dgram, OID_AUTO, recvspace, CTLFLAG_RW,
178 &unpdg_recvspace, 0, "Default datagram receive space.");
179 SYSCTL_ULONG(_net_local_seqpacket, OID_AUTO, maxseqpacket, CTLFLAG_RW,
180 &unpsp_sendspace, 0, "Default seqpacket send space.");
181 SYSCTL_ULONG(_net_local_seqpacket, OID_AUTO, recvspace, CTLFLAG_RW,
182 &unpsp_recvspace, 0, "Default seqpacket receive space.");
183 SYSCTL_INT(_net_local, OID_AUTO, inflight, CTLFLAG_RD, &unp_rights, 0,
184 "File descriptors in flight.");
185 SYSCTL_INT(_net_local, OID_AUTO, deferred, CTLFLAG_RD,
186 &unp_defers_count, 0,
187 "File descriptors deferred to taskqueue for close.");
188
189 /*
190 * Locking and synchronization:
191 *
192 * Several types of locks exist in the local domain socket implementation:
193 * - a global linkage lock
194 * - a global connection list lock
195 * - the mtxpool lock
196 * - per-unpcb mutexes
197 *
198 * The linkage lock protects the global socket lists, the generation number
199 * counter and garbage collector state.
200 *
201 * The connection list lock protects the list of referring sockets in a datagram
202 * socket PCB. This lock is also overloaded to protect a global list of
203 * sockets whose buffers contain socket references in the form of SCM_RIGHTS
204 * messages. To avoid recursion, such references are released by a dedicated
205 * thread.
206 *
207 * The mtxpool lock protects the vnode from being modified while referenced.
208 * Lock ordering rules require that it be acquired before any PCB locks.
209 *
210 * The unpcb lock (unp_mtx) protects the most commonly referenced fields in the
211 * unpcb. This includes the unp_conn field, which either links two connected
212 * PCBs together (for connected socket types) or points at the destination
213 * socket (for connectionless socket types). The operations of creating or
214 * destroying a connection therefore involve locking multiple PCBs. To avoid
215 * lock order reversals, in some cases this involves dropping a PCB lock and
216 * using a reference counter to maintain liveness.
217 *
218 * UNIX domain sockets each have an unpcb hung off of their so_pcb pointer,
219 * allocated in pru_attach() and freed in pru_detach(). The validity of that
220 * pointer is an invariant, so no lock is required to dereference the so_pcb
221 * pointer if a valid socket reference is held by the caller. In practice,
222 * this is always true during operations performed on a socket. Each unpcb
223 * has a back-pointer to its socket, unp_socket, which will be stable under
224 * the same circumstances.
225 *
226 * This pointer may only be safely dereferenced as long as a valid reference
227 * to the unpcb is held. Typically, this reference will be from the socket,
228 * or from another unpcb when the referring unpcb's lock is held (in order
229 * that the reference not be invalidated during use). For example, to follow
230 * unp->unp_conn->unp_socket, you need to hold a lock on unp_conn to guarantee
231 * that detach is not run clearing unp_socket.
232 *
233 * Blocking with UNIX domain sockets is a tricky issue: unlike most network
234 * protocols, bind() is a non-atomic operation, and connect() requires
235 * potential sleeping in the protocol, due to potentially waiting on local or
236 * distributed file systems. We try to separate "lookup" operations, which
237 * may sleep, and the IPC operations themselves, which typically can occur
238 * with relative atomicity as locks can be held over the entire operation.
239 *
240 * Another tricky issue is simultaneous multi-threaded or multi-process
241 * access to a single UNIX domain socket. These are handled by the flags
242 * UNP_CONNECTING and UNP_BINDING, which prevent concurrent connecting or
243 * binding, both of which involve dropping UNIX domain socket locks in order
244 * to perform namei() and other file system operations.
245 */
246 static struct rwlock unp_link_rwlock;
247 static struct mtx unp_defers_lock;
248
249 #define UNP_LINK_LOCK_INIT() rw_init(&unp_link_rwlock, \
250 "unp_link_rwlock")
251
252 #define UNP_LINK_LOCK_ASSERT() rw_assert(&unp_link_rwlock, \
253 RA_LOCKED)
254 #define UNP_LINK_UNLOCK_ASSERT() rw_assert(&unp_link_rwlock, \
255 RA_UNLOCKED)
256
257 #define UNP_LINK_RLOCK() rw_rlock(&unp_link_rwlock)
258 #define UNP_LINK_RUNLOCK() rw_runlock(&unp_link_rwlock)
259 #define UNP_LINK_WLOCK() rw_wlock(&unp_link_rwlock)
260 #define UNP_LINK_WUNLOCK() rw_wunlock(&unp_link_rwlock)
261 #define UNP_LINK_WLOCK_ASSERT() rw_assert(&unp_link_rwlock, \
262 RA_WLOCKED)
263 #define UNP_LINK_WOWNED() rw_wowned(&unp_link_rwlock)
264
265 #define UNP_DEFERRED_LOCK_INIT() mtx_init(&unp_defers_lock, \
266 "unp_defer", NULL, MTX_DEF)
267 #define UNP_DEFERRED_LOCK() mtx_lock(&unp_defers_lock)
268 #define UNP_DEFERRED_UNLOCK() mtx_unlock(&unp_defers_lock)
269
270 #define UNP_REF_LIST_LOCK() UNP_DEFERRED_LOCK();
271 #define UNP_REF_LIST_UNLOCK() UNP_DEFERRED_UNLOCK();
272
273 #define UNP_PCB_LOCK_INIT(unp) mtx_init(&(unp)->unp_mtx, \
274 "unp", "unp", \
275 MTX_DUPOK|MTX_DEF)
276 #define UNP_PCB_LOCK_DESTROY(unp) mtx_destroy(&(unp)->unp_mtx)
277 #define UNP_PCB_LOCKPTR(unp) (&(unp)->unp_mtx)
278 #define UNP_PCB_LOCK(unp) mtx_lock(&(unp)->unp_mtx)
279 #define UNP_PCB_TRYLOCK(unp) mtx_trylock(&(unp)->unp_mtx)
280 #define UNP_PCB_UNLOCK(unp) mtx_unlock(&(unp)->unp_mtx)
281 #define UNP_PCB_OWNED(unp) mtx_owned(&(unp)->unp_mtx)
282 #define UNP_PCB_LOCK_ASSERT(unp) mtx_assert(&(unp)->unp_mtx, MA_OWNED)
283 #define UNP_PCB_UNLOCK_ASSERT(unp) mtx_assert(&(unp)->unp_mtx, MA_NOTOWNED)
284
285 static int uipc_connect2(struct socket *, struct socket *);
286 static int uipc_ctloutput(struct socket *, struct sockopt *);
287 static int unp_connect(struct socket *, struct sockaddr *,
288 struct thread *);
289 static int unp_connectat(int, struct socket *, struct sockaddr *,
290 struct thread *);
291 static int unp_connect2(struct socket *so, struct socket *so2, int);
292 static void unp_disconnect(struct unpcb *unp, struct unpcb *unp2);
293 static void unp_dispose(struct socket *so);
294 static void unp_dispose_mbuf(struct mbuf *);
295 static void unp_shutdown(struct unpcb *);
296 static void unp_drop(struct unpcb *);
297 static void unp_gc(__unused void *, int);
298 static void unp_scan(struct mbuf *, void (*)(struct filedescent **, int));
299 static void unp_discard(struct file *);
300 static void unp_freerights(struct filedescent **, int);
301 static void unp_init(void);
302 static int unp_internalize(struct mbuf **, struct thread *);
303 static void unp_internalize_fp(struct file *);
304 static int unp_externalize(struct mbuf *, struct mbuf **, int);
305 static int unp_externalize_fp(struct file *);
306 static struct mbuf *unp_addsockcred(struct thread *, struct mbuf *);
307 static void unp_process_defers(void * __unused, int);
308
309
310 static void
311 unp_pcb_hold(struct unpcb *unp)
312 {
313 refcount_acquire(&unp->unp_refcount);
314 }
315
316 static __result_use_check bool
317 unp_pcb_rele(struct unpcb *unp)
318 {
319 bool ret;
320
321 UNP_PCB_LOCK_ASSERT(unp);
322
323 if ((ret = refcount_release(&unp->unp_refcount))) {
324 UNP_PCB_UNLOCK(unp);
325 UNP_PCB_LOCK_DESTROY(unp);
326 uma_zfree(unp_zone, unp);
327 }
328 return (ret);
329 }
330
331 static void
332 unp_pcb_rele_notlast(struct unpcb *unp)
333 {
334 bool ret __unused;
335
336 ret = refcount_release(&unp->unp_refcount);
337 KASSERT(!ret, ("%s: unpcb %p has no references", __func__, unp));
338 }
339
340 static void
341 unp_pcb_lock_pair(struct unpcb *unp, struct unpcb *unp2)
342 {
343 UNP_PCB_UNLOCK_ASSERT(unp);
344 UNP_PCB_UNLOCK_ASSERT(unp2);
345
346 if (unp == unp2) {
347 UNP_PCB_LOCK(unp);
348 } else if ((uintptr_t)unp2 > (uintptr_t)unp) {
349 UNP_PCB_LOCK(unp);
350 UNP_PCB_LOCK(unp2);
351 } else {
352 UNP_PCB_LOCK(unp2);
353 UNP_PCB_LOCK(unp);
354 }
355 }
356
357 static void
358 unp_pcb_unlock_pair(struct unpcb *unp, struct unpcb *unp2)
359 {
360 UNP_PCB_UNLOCK(unp);
361 if (unp != unp2)
362 UNP_PCB_UNLOCK(unp2);
363 }
364
365 /*
366 * Try to lock the connected peer of an already locked socket. In some cases
367 * this requires that we unlock the current socket. The pairbusy counter is
368 * used to block concurrent connection attempts while the lock is dropped. The
369 * caller must be careful to revalidate PCB state.
370 */
371 static struct unpcb *
372 unp_pcb_lock_peer(struct unpcb *unp)
373 {
374 struct unpcb *unp2;
375
376 UNP_PCB_LOCK_ASSERT(unp);
377 unp2 = unp->unp_conn;
378 if (__predict_false(unp2 == NULL))
379 return (NULL);
380 if (__predict_false(unp == unp2))
381 return (unp);
382
383 UNP_PCB_UNLOCK_ASSERT(unp2);
384
385 if (__predict_true(UNP_PCB_TRYLOCK(unp2)))
386 return (unp2);
387 if ((uintptr_t)unp2 > (uintptr_t)unp) {
388 UNP_PCB_LOCK(unp2);
389 return (unp2);
390 }
391 unp->unp_pairbusy++;
392 unp_pcb_hold(unp2);
393 UNP_PCB_UNLOCK(unp);
394
395 UNP_PCB_LOCK(unp2);
396 UNP_PCB_LOCK(unp);
397 KASSERT(unp->unp_conn == unp2 || unp->unp_conn == NULL,
398 ("%s: socket %p was reconnected", __func__, unp));
399 if (--unp->unp_pairbusy == 0 && (unp->unp_flags & UNP_WAITING) != 0) {
400 unp->unp_flags &= ~UNP_WAITING;
401 wakeup(unp);
402 }
403 if (unp_pcb_rele(unp2)) {
404 /* unp2 is unlocked. */
405 return (NULL);
406 }
407 if (unp->unp_conn == NULL) {
408 UNP_PCB_UNLOCK(unp2);
409 return (NULL);
410 }
411 return (unp2);
412 }
413
414
415 /*
416 * Definitions of protocols supported in the LOCAL domain.
417 */
418 static struct domain localdomain;
419 static struct pr_usrreqs uipc_usrreqs_dgram, uipc_usrreqs_stream;
420 static struct pr_usrreqs uipc_usrreqs_seqpacket;
421 static struct protosw localsw[] = {
422 {
423 .pr_type = SOCK_STREAM,
424 .pr_domain = &localdomain,
425 .pr_flags = PR_CONNREQUIRED|PR_WANTRCVD|PR_RIGHTS,
426 .pr_ctloutput = &uipc_ctloutput,
427 .pr_usrreqs = &uipc_usrreqs_stream
428 },
429 {
430 .pr_type = SOCK_DGRAM,
431 .pr_domain = &localdomain,
432 .pr_flags = PR_ATOMIC|PR_ADDR|PR_RIGHTS,
433 .pr_ctloutput = &uipc_ctloutput,
434 .pr_usrreqs = &uipc_usrreqs_dgram
435 },
436 {
437 .pr_type = SOCK_SEQPACKET,
438 .pr_domain = &localdomain,
439
440 /*
441 * XXXRW: For now, PR_ADDR because soreceive will bump into them
442 * due to our use of sbappendaddr. A new sbappend variants is needed
443 * that supports both atomic record writes and control data.
444 */
445 .pr_flags = PR_ADDR|PR_ATOMIC|PR_CONNREQUIRED|PR_WANTRCVD|
446 PR_RIGHTS,
447 .pr_ctloutput = &uipc_ctloutput,
448 .pr_usrreqs = &uipc_usrreqs_seqpacket,
449 },
450 };
451
452 static struct domain localdomain = {
453 .dom_family = AF_LOCAL,
454 .dom_name = "local",
455 .dom_init = unp_init,
456 .dom_externalize = unp_externalize,
457 .dom_dispose = unp_dispose,
458 .dom_protosw = localsw,
459 .dom_protoswNPROTOSW = &localsw[nitems(localsw)]
460 };
461 DOMAIN_SET(local);
462
463 static void
464 uipc_abort(struct socket *so)
465 {
466 struct unpcb *unp, *unp2;
467
468 unp = sotounpcb(so);
469 KASSERT(unp != NULL, ("uipc_abort: unp == NULL"));
470 UNP_PCB_UNLOCK_ASSERT(unp);
471
472 UNP_PCB_LOCK(unp);
473 unp2 = unp->unp_conn;
474 if (unp2 != NULL) {
475 unp_pcb_hold(unp2);
476 UNP_PCB_UNLOCK(unp);
477 unp_drop(unp2);
478 } else
479 UNP_PCB_UNLOCK(unp);
480 }
481
482 static int
483 uipc_accept(struct socket *so, struct sockaddr **nam)
484 {
485 struct unpcb *unp, *unp2;
486 const struct sockaddr *sa;
487
488 /*
489 * Pass back name of connected socket, if it was bound and we are
490 * still connected (our peer may have closed already!).
491 */
492 unp = sotounpcb(so);
493 KASSERT(unp != NULL, ("uipc_accept: unp == NULL"));
494
495 *nam = malloc(sizeof(struct sockaddr_un), M_SONAME, M_WAITOK);
496 UNP_PCB_LOCK(unp);
497 unp2 = unp_pcb_lock_peer(unp);
498 if (unp2 != NULL && unp2->unp_addr != NULL)
499 sa = (struct sockaddr *)unp2->unp_addr;
500 else
501 sa = &sun_noname;
502 bcopy(sa, *nam, sa->sa_len);
503 if (unp2 != NULL)
504 unp_pcb_unlock_pair(unp, unp2);
505 else
506 UNP_PCB_UNLOCK(unp);
507 return (0);
508 }
509
510 static int
511 uipc_attach(struct socket *so, int proto, struct thread *td)
512 {
513 u_long sendspace, recvspace;
514 struct unpcb *unp;
515 int error;
516 bool locked;
517
518 KASSERT(so->so_pcb == NULL, ("uipc_attach: so_pcb != NULL"));
519 if (so->so_snd.sb_hiwat == 0 || so->so_rcv.sb_hiwat == 0) {
520 switch (so->so_type) {
521 case SOCK_STREAM:
522 sendspace = unpst_sendspace;
523 recvspace = unpst_recvspace;
524 break;
525
526 case SOCK_DGRAM:
527 sendspace = unpdg_sendspace;
528 recvspace = unpdg_recvspace;
529 break;
530
531 case SOCK_SEQPACKET:
532 sendspace = unpsp_sendspace;
533 recvspace = unpsp_recvspace;
534 break;
535
536 default:
537 panic("uipc_attach");
538 }
539 error = soreserve(so, sendspace, recvspace);
540 if (error)
541 return (error);
542 }
543 unp = uma_zalloc(unp_zone, M_NOWAIT | M_ZERO);
544 if (unp == NULL)
545 return (ENOBUFS);
546 LIST_INIT(&unp->unp_refs);
547 UNP_PCB_LOCK_INIT(unp);
548 unp->unp_socket = so;
549 so->so_pcb = unp;
550 refcount_init(&unp->unp_refcount, 1);
551
552 if ((locked = UNP_LINK_WOWNED()) == false)
553 UNP_LINK_WLOCK();
554
555 unp->unp_gencnt = ++unp_gencnt;
556 unp->unp_ino = ++unp_ino;
557 unp_count++;
558 switch (so->so_type) {
559 case SOCK_STREAM:
560 LIST_INSERT_HEAD(&unp_shead, unp, unp_link);
561 break;
562
563 case SOCK_DGRAM:
564 LIST_INSERT_HEAD(&unp_dhead, unp, unp_link);
565 break;
566
567 case SOCK_SEQPACKET:
568 LIST_INSERT_HEAD(&unp_sphead, unp, unp_link);
569 break;
570
571 default:
572 panic("uipc_attach");
573 }
574
575 if (locked == false)
576 UNP_LINK_WUNLOCK();
577
578 return (0);
579 }
580
581 static int
582 uipc_bindat(int fd, struct socket *so, struct sockaddr *nam, struct thread *td)
583 {
584 struct sockaddr_un *soun = (struct sockaddr_un *)nam;
585 struct vattr vattr;
586 int error, namelen;
587 struct nameidata nd;
588 struct unpcb *unp;
589 struct vnode *vp;
590 struct mount *mp;
591 cap_rights_t rights;
592 char *buf;
593
594 if (nam->sa_family != AF_UNIX)
595 return (EAFNOSUPPORT);
596
597 unp = sotounpcb(so);
598 KASSERT(unp != NULL, ("uipc_bind: unp == NULL"));
599
600 if (soun->sun_len > sizeof(struct sockaddr_un))
601 return (EINVAL);
602 namelen = soun->sun_len - offsetof(struct sockaddr_un, sun_path);
603 if (namelen <= 0)
604 return (EINVAL);
605
606 /*
607 * We don't allow simultaneous bind() calls on a single UNIX domain
608 * socket, so flag in-progress operations, and return an error if an
609 * operation is already in progress.
610 *
611 * Historically, we have not allowed a socket to be rebound, so this
612 * also returns an error. Not allowing re-binding simplifies the
613 * implementation and avoids a great many possible failure modes.
614 */
615 UNP_PCB_LOCK(unp);
616 if (unp->unp_vnode != NULL) {
617 UNP_PCB_UNLOCK(unp);
618 return (EINVAL);
619 }
620 if (unp->unp_flags & UNP_BINDING) {
621 UNP_PCB_UNLOCK(unp);
622 return (EALREADY);
623 }
624 unp->unp_flags |= UNP_BINDING;
625 UNP_PCB_UNLOCK(unp);
626
627 buf = malloc(namelen + 1, M_TEMP, M_WAITOK);
628 bcopy(soun->sun_path, buf, namelen);
629 buf[namelen] = 0;
630
631 restart:
632 NDINIT_ATRIGHTS(&nd, CREATE, NOFOLLOW | LOCKPARENT | SAVENAME | NOCACHE,
633 UIO_SYSSPACE, buf, fd, cap_rights_init(&rights, CAP_BINDAT), td);
634 /* SHOULD BE ABLE TO ADOPT EXISTING AND wakeup() ALA FIFO's */
635 error = namei(&nd);
636 if (error)
637 goto error;
638 vp = nd.ni_vp;
639 if (vp != NULL || vn_start_write(nd.ni_dvp, &mp, V_NOWAIT) != 0) {
640 NDFREE(&nd, NDF_ONLY_PNBUF);
641 if (nd.ni_dvp == vp)
642 vrele(nd.ni_dvp);
643 else
644 vput(nd.ni_dvp);
645 if (vp != NULL) {
646 vrele(vp);
647 error = EADDRINUSE;
648 goto error;
649 }
650 error = vn_start_write(NULL, &mp, V_XSLEEP | PCATCH);
651 if (error)
652 goto error;
653 goto restart;
654 }
655 VATTR_NULL(&vattr);
656 vattr.va_type = VSOCK;
657 vattr.va_mode = (ACCESSPERMS & ~td->td_proc->p_fd->fd_cmask);
658 #ifdef MAC
659 error = mac_vnode_check_create(td->td_ucred, nd.ni_dvp, &nd.ni_cnd,
660 &vattr);
661 #endif
662 if (error == 0)
663 error = VOP_CREATE(nd.ni_dvp, &nd.ni_vp, &nd.ni_cnd, &vattr);
664 NDFREE(&nd, NDF_ONLY_PNBUF);
665 vput(nd.ni_dvp);
666 if (error) {
667 vn_finished_write(mp);
668 goto error;
669 }
670 vp = nd.ni_vp;
671 ASSERT_VOP_ELOCKED(vp, "uipc_bind");
672 soun = (struct sockaddr_un *)sodupsockaddr(nam, M_WAITOK);
673
674 UNP_PCB_LOCK(unp);
675 VOP_UNP_BIND(vp, unp);
676 unp->unp_vnode = vp;
677 unp->unp_addr = soun;
678 unp->unp_flags &= ~UNP_BINDING;
679 UNP_PCB_UNLOCK(unp);
680 VOP_UNLOCK(vp, 0);
681 vn_finished_write(mp);
682 free(buf, M_TEMP);
683 return (0);
684
685 error:
686 UNP_PCB_LOCK(unp);
687 unp->unp_flags &= ~UNP_BINDING;
688 UNP_PCB_UNLOCK(unp);
689 free(buf, M_TEMP);
690 return (error);
691 }
692
693 static int
694 uipc_bind(struct socket *so, struct sockaddr *nam, struct thread *td)
695 {
696
697 return (uipc_bindat(AT_FDCWD, so, nam, td));
698 }
699
700 static int
701 uipc_connect(struct socket *so, struct sockaddr *nam, struct thread *td)
702 {
703 int error;
704
705 KASSERT(td == curthread, ("uipc_connect: td != curthread"));
706 error = unp_connect(so, nam, td);
707 return (error);
708 }
709
710 static int
711 uipc_connectat(int fd, struct socket *so, struct sockaddr *nam,
712 struct thread *td)
713 {
714 int error;
715
716 KASSERT(td == curthread, ("uipc_connectat: td != curthread"));
717 error = unp_connectat(fd, so, nam, td);
718 return (error);
719 }
720
721 static void
722 uipc_close(struct socket *so)
723 {
724 struct unpcb *unp, *unp2;
725 struct vnode *vp = NULL;
726 struct mtx *vplock;
727
728 unp = sotounpcb(so);
729 KASSERT(unp != NULL, ("uipc_close: unp == NULL"));
730
731
732 vplock = NULL;
733 if ((vp = unp->unp_vnode) != NULL) {
734 vplock = mtx_pool_find(mtxpool_sleep, vp);
735 mtx_lock(vplock);
736 }
737 UNP_PCB_LOCK(unp);
738 if (vp && unp->unp_vnode == NULL) {
739 mtx_unlock(vplock);
740 vp = NULL;
741 }
742 if (vp != NULL) {
743 VOP_UNP_DETACH(vp);
744 unp->unp_vnode = NULL;
745 }
746 if ((unp2 = unp_pcb_lock_peer(unp)) != NULL)
747 unp_disconnect(unp, unp2);
748 else
749 UNP_PCB_UNLOCK(unp);
750 if (vp) {
751 mtx_unlock(vplock);
752 vrele(vp);
753 }
754 }
755
756 static int
757 uipc_connect2(struct socket *so1, struct socket *so2)
758 {
759 struct unpcb *unp, *unp2;
760 int error;
761
762 unp = so1->so_pcb;
763 KASSERT(unp != NULL, ("uipc_connect2: unp == NULL"));
764 unp2 = so2->so_pcb;
765 KASSERT(unp2 != NULL, ("uipc_connect2: unp2 == NULL"));
766 unp_pcb_lock_pair(unp, unp2);
767 error = unp_connect2(so1, so2, PRU_CONNECT2);
768 unp_pcb_unlock_pair(unp, unp2);
769 return (error);
770 }
771
772 static void
773 uipc_detach(struct socket *so)
774 {
775 struct unpcb *unp, *unp2;
776 struct mtx *vplock;
777 struct vnode *vp;
778 int local_unp_rights;
779
780 unp = sotounpcb(so);
781 KASSERT(unp != NULL, ("uipc_detach: unp == NULL"));
782
783 vp = NULL;
784 vplock = NULL;
785
786 SOCK_LOCK(so);
787 if (!SOLISTENING(so)) {
788 /*
789 * Once the socket is removed from the global lists,
790 * uipc_ready() will not be able to locate its socket buffer, so
791 * clear the buffer now. At this point internalized rights have
792 * already been disposed of.
793 */
794 sbrelease(&so->so_rcv, so);
795 }
796 SOCK_UNLOCK(so);
797
798 UNP_LINK_WLOCK();
799 LIST_REMOVE(unp, unp_link);
800 unp->unp_gencnt = ++unp_gencnt;
801 --unp_count;
802 UNP_LINK_WUNLOCK();
803
804 UNP_PCB_UNLOCK_ASSERT(unp);
805 restart:
806 if ((vp = unp->unp_vnode) != NULL) {
807 vplock = mtx_pool_find(mtxpool_sleep, vp);
808 mtx_lock(vplock);
809 }
810 UNP_PCB_LOCK(unp);
811 if (unp->unp_vnode != vp && unp->unp_vnode != NULL) {
812 if (vplock)
813 mtx_unlock(vplock);
814 UNP_PCB_UNLOCK(unp);
815 goto restart;
816 }
817 if ((vp = unp->unp_vnode) != NULL) {
818 VOP_UNP_DETACH(vp);
819 unp->unp_vnode = NULL;
820 }
821 if ((unp2 = unp_pcb_lock_peer(unp)) != NULL)
822 unp_disconnect(unp, unp2);
823 else
824 UNP_PCB_UNLOCK(unp);
825
826 UNP_REF_LIST_LOCK();
827 while (!LIST_EMPTY(&unp->unp_refs)) {
828 struct unpcb *ref = LIST_FIRST(&unp->unp_refs);
829
830 unp_pcb_hold(ref);
831 UNP_REF_LIST_UNLOCK();
832
833 MPASS(ref != unp);
834 UNP_PCB_UNLOCK_ASSERT(ref);
835 unp_drop(ref);
836 UNP_REF_LIST_LOCK();
837 }
838 UNP_REF_LIST_UNLOCK();
839
840 UNP_PCB_LOCK(unp);
841 local_unp_rights = unp_rights;
842 unp->unp_socket->so_pcb = NULL;
843 unp->unp_socket = NULL;
844 free(unp->unp_addr, M_SONAME);
845 unp->unp_addr = NULL;
846 if (!unp_pcb_rele(unp))
847 UNP_PCB_UNLOCK(unp);
848 if (vp) {
849 mtx_unlock(vplock);
850 vrele(vp);
851 }
852 if (local_unp_rights)
853 taskqueue_enqueue_timeout(taskqueue_thread, &unp_gc_task, -1);
854 }
855
856 static int
857 uipc_disconnect(struct socket *so)
858 {
859 struct unpcb *unp, *unp2;
860
861 unp = sotounpcb(so);
862 KASSERT(unp != NULL, ("uipc_disconnect: unp == NULL"));
863
864 UNP_PCB_LOCK(unp);
865 if ((unp2 = unp_pcb_lock_peer(unp)) != NULL)
866 unp_disconnect(unp, unp2);
867 else
868 UNP_PCB_UNLOCK(unp);
869 return (0);
870 }
871
872 static int
873 uipc_listen(struct socket *so, int backlog, struct thread *td)
874 {
875 struct unpcb *unp;
876 int error;
877
878 if (so->so_type != SOCK_STREAM && so->so_type != SOCK_SEQPACKET)
879 return (EOPNOTSUPP);
880
881 unp = sotounpcb(so);
882 KASSERT(unp != NULL, ("uipc_listen: unp == NULL"));
883
884 UNP_PCB_LOCK(unp);
885 if (unp->unp_vnode == NULL) {
886 /* Already connected or not bound to an address. */
887 error = unp->unp_conn != NULL ? EINVAL : EDESTADDRREQ;
888 UNP_PCB_UNLOCK(unp);
889 return (error);
890 }
891
892 SOCK_LOCK(so);
893 error = solisten_proto_check(so);
894 if (error == 0) {
895 cru2xt(td, &unp->unp_peercred);
896 solisten_proto(so, backlog);
897 }
898 SOCK_UNLOCK(so);
899 UNP_PCB_UNLOCK(unp);
900 return (error);
901 }
902
903 static int
904 uipc_peeraddr(struct socket *so, struct sockaddr **nam)
905 {
906 struct unpcb *unp, *unp2;
907 const struct sockaddr *sa;
908
909 unp = sotounpcb(so);
910 KASSERT(unp != NULL, ("uipc_peeraddr: unp == NULL"));
911
912 *nam = malloc(sizeof(struct sockaddr_un), M_SONAME, M_WAITOK);
913 UNP_LINK_RLOCK();
914 /*
915 * XXX: It seems that this test always fails even when connection is
916 * established. So, this else clause is added as workaround to
917 * return PF_LOCAL sockaddr.
918 */
919 unp2 = unp->unp_conn;
920 if (unp2 != NULL) {
921 UNP_PCB_LOCK(unp2);
922 if (unp2->unp_addr != NULL)
923 sa = (struct sockaddr *) unp2->unp_addr;
924 else
925 sa = &sun_noname;
926 bcopy(sa, *nam, sa->sa_len);
927 UNP_PCB_UNLOCK(unp2);
928 } else {
929 sa = &sun_noname;
930 bcopy(sa, *nam, sa->sa_len);
931 }
932 UNP_LINK_RUNLOCK();
933 return (0);
934 }
935
936 static int
937 uipc_rcvd(struct socket *so, int flags)
938 {
939 struct unpcb *unp, *unp2;
940 struct socket *so2;
941 u_int mbcnt, sbcc;
942
943 unp = sotounpcb(so);
944 KASSERT(unp != NULL, ("%s: unp == NULL", __func__));
945 KASSERT(so->so_type == SOCK_STREAM || so->so_type == SOCK_SEQPACKET,
946 ("%s: socktype %d", __func__, so->so_type));
947
948 /*
949 * Adjust backpressure on sender and wakeup any waiting to write.
950 *
951 * The unp lock is acquired to maintain the validity of the unp_conn
952 * pointer; no lock on unp2 is required as unp2->unp_socket will be
953 * static as long as we don't permit unp2 to disconnect from unp,
954 * which is prevented by the lock on unp. We cache values from
955 * so_rcv to avoid holding the so_rcv lock over the entire
956 * transaction on the remote so_snd.
957 */
958 SOCKBUF_LOCK(&so->so_rcv);
959 mbcnt = so->so_rcv.sb_mbcnt;
960 sbcc = sbavail(&so->so_rcv);
961 SOCKBUF_UNLOCK(&so->so_rcv);
962 /*
963 * There is a benign race condition at this point. If we're planning to
964 * clear SB_STOP, but uipc_send is called on the connected socket at
965 * this instant, it might add data to the sockbuf and set SB_STOP. Then
966 * we would erroneously clear SB_STOP below, even though the sockbuf is
967 * full. The race is benign because the only ill effect is to allow the
968 * sockbuf to exceed its size limit, and the size limits are not
969 * strictly guaranteed anyway.
970 */
971 UNP_PCB_LOCK(unp);
972 unp2 = unp->unp_conn;
973 if (unp2 == NULL) {
974 UNP_PCB_UNLOCK(unp);
975 return (0);
976 }
977 so2 = unp2->unp_socket;
978 SOCKBUF_LOCK(&so2->so_snd);
979 if (sbcc < so2->so_snd.sb_hiwat && mbcnt < so2->so_snd.sb_mbmax)
980 so2->so_snd.sb_flags &= ~SB_STOP;
981 sowwakeup_locked(so2);
982 UNP_PCB_UNLOCK(unp);
983 return (0);
984 }
985
986 static int
987 uipc_send(struct socket *so, int flags, struct mbuf *m, struct sockaddr *nam,
988 struct mbuf *control, struct thread *td)
989 {
990 struct unpcb *unp, *unp2;
991 struct socket *so2;
992 u_int mbcnt, sbcc;
993 int freed, error;
994
995 unp = sotounpcb(so);
996 KASSERT(unp != NULL, ("%s: unp == NULL", __func__));
997 KASSERT(so->so_type == SOCK_STREAM || so->so_type == SOCK_DGRAM ||
998 so->so_type == SOCK_SEQPACKET,
999 ("%s: socktype %d", __func__, so->so_type));
1000
1001 freed = error = 0;
1002 if (flags & PRUS_OOB) {
1003 error = EOPNOTSUPP;
1004 goto release;
1005 }
1006 if (control != NULL && (error = unp_internalize(&control, td)))
1007 goto release;
1008
1009 unp2 = NULL;
1010 switch (so->so_type) {
1011 case SOCK_DGRAM:
1012 {
1013 const struct sockaddr *from;
1014
1015 if (nam != NULL) {
1016 error = unp_connect(so, nam, td);
1017 if (error != 0)
1018 break;
1019 }
1020 UNP_PCB_LOCK(unp);
1021
1022 /*
1023 * Because connect() and send() are non-atomic in a sendto()
1024 * with a target address, it's possible that the socket will
1025 * have disconnected before the send() can run. In that case
1026 * return the slightly counter-intuitive but otherwise
1027 * correct error that the socket is not connected.
1028 */
1029 unp2 = unp_pcb_lock_peer(unp);
1030 if (unp2 == NULL) {
1031 UNP_PCB_UNLOCK(unp);
1032 error = ENOTCONN;
1033 break;
1034 }
1035
1036 if (unp2->unp_flags & UNP_WANTCRED)
1037 control = unp_addsockcred(td, control);
1038 if (unp->unp_addr != NULL)
1039 from = (struct sockaddr *)unp->unp_addr;
1040 else
1041 from = &sun_noname;
1042 so2 = unp2->unp_socket;
1043 SOCKBUF_LOCK(&so2->so_rcv);
1044 if (sbappendaddr_locked(&so2->so_rcv, from, m,
1045 control)) {
1046 sorwakeup_locked(so2);
1047 m = NULL;
1048 control = NULL;
1049 } else {
1050 soroverflow_locked(so2);
1051 error = ENOBUFS;
1052 }
1053 if (nam != NULL)
1054 unp_disconnect(unp, unp2);
1055 else
1056 unp_pcb_unlock_pair(unp, unp2);
1057 break;
1058 }
1059
1060 case SOCK_SEQPACKET:
1061 case SOCK_STREAM:
1062 if ((so->so_state & SS_ISCONNECTED) == 0) {
1063 if (nam != NULL) {
1064 error = unp_connect(so, nam, td);
1065 if (error != 0)
1066 break;
1067 } else {
1068 error = ENOTCONN;
1069 break;
1070 }
1071 }
1072
1073 UNP_PCB_LOCK(unp);
1074 if ((unp2 = unp_pcb_lock_peer(unp)) == NULL) {
1075 UNP_PCB_UNLOCK(unp);
1076 error = ENOTCONN;
1077 break;
1078 } else if (so->so_snd.sb_state & SBS_CANTSENDMORE) {
1079 unp_pcb_unlock_pair(unp, unp2);
1080 error = EPIPE;
1081 break;
1082 }
1083 UNP_PCB_UNLOCK(unp);
1084 if ((so2 = unp2->unp_socket) == NULL) {
1085 UNP_PCB_UNLOCK(unp2);
1086 error = ENOTCONN;
1087 break;
1088 }
1089 SOCKBUF_LOCK(&so2->so_rcv);
1090 if (unp2->unp_flags & UNP_WANTCRED) {
1091 /*
1092 * Credentials are passed only once on SOCK_STREAM
1093 * and SOCK_SEQPACKET.
1094 */
1095 unp2->unp_flags &= ~UNP_WANTCRED;
1096 control = unp_addsockcred(td, control);
1097 }
1098
1099 /*
1100 * Send to paired receive port and wake up readers. Don't
1101 * check for space available in the receive buffer if we're
1102 * attaching ancillary data; Unix domain sockets only check
1103 * for space in the sending sockbuf, and that check is
1104 * performed one level up the stack. At that level we cannot
1105 * precisely account for the amount of buffer space used
1106 * (e.g., because control messages are not yet internalized).
1107 */
1108 switch (so->so_type) {
1109 case SOCK_STREAM:
1110 if (control != NULL) {
1111 sbappendcontrol_locked(&so2->so_rcv, m,
1112 control, flags);
1113 control = NULL;
1114 } else
1115 sbappend_locked(&so2->so_rcv, m, flags);
1116 break;
1117
1118 case SOCK_SEQPACKET:
1119 if (sbappendaddr_nospacecheck_locked(&so2->so_rcv,
1120 &sun_noname, m, control))
1121 control = NULL;
1122 break;
1123 }
1124
1125 mbcnt = so2->so_rcv.sb_mbcnt;
1126 sbcc = sbavail(&so2->so_rcv);
1127 if (sbcc)
1128 sorwakeup_locked(so2);
1129 else
1130 SOCKBUF_UNLOCK(&so2->so_rcv);
1131
1132 /*
1133 * The PCB lock on unp2 protects the SB_STOP flag. Without it,
1134 * it would be possible for uipc_rcvd to be called at this
1135 * point, drain the receiving sockbuf, clear SB_STOP, and then
1136 * we would set SB_STOP below. That could lead to an empty
1137 * sockbuf having SB_STOP set
1138 */
1139 SOCKBUF_LOCK(&so->so_snd);
1140 if (sbcc >= so->so_snd.sb_hiwat || mbcnt >= so->so_snd.sb_mbmax)
1141 so->so_snd.sb_flags |= SB_STOP;
1142 SOCKBUF_UNLOCK(&so->so_snd);
1143 UNP_PCB_UNLOCK(unp2);
1144 m = NULL;
1145 break;
1146 }
1147
1148 /*
1149 * PRUS_EOF is equivalent to pru_send followed by pru_shutdown.
1150 */
1151 if (flags & PRUS_EOF) {
1152 UNP_PCB_LOCK(unp);
1153 socantsendmore(so);
1154 unp_shutdown(unp);
1155 UNP_PCB_UNLOCK(unp);
1156 }
1157 if (control != NULL && error != 0)
1158 unp_dispose_mbuf(control);
1159
1160 release:
1161 if (control != NULL)
1162 m_freem(control);
1163 /*
1164 * In case of PRUS_NOTREADY, uipc_ready() is responsible
1165 * for freeing memory.
1166 */
1167 if (m != NULL && (flags & PRUS_NOTREADY) == 0)
1168 m_freem(m);
1169 return (error);
1170 }
1171
1172 static bool
1173 uipc_ready_scan(struct socket *so, struct mbuf *m, int count, int *errorp)
1174 {
1175 struct mbuf *mb, *n;
1176 struct sockbuf *sb;
1177
1178 SOCK_LOCK(so);
1179 if (SOLISTENING(so)) {
1180 SOCK_UNLOCK(so);
1181 return (false);
1182 }
1183 mb = NULL;
1184 sb = &so->so_rcv;
1185 SOCKBUF_LOCK(sb);
1186 if (sb->sb_fnrdy != NULL) {
1187 for (mb = sb->sb_mb, n = mb->m_nextpkt; mb != NULL;) {
1188 if (mb == m) {
1189 *errorp = sbready(sb, m, count);
1190 break;
1191 }
1192 mb = mb->m_next;
1193 if (mb == NULL) {
1194 mb = n;
1195 if (mb != NULL)
1196 n = mb->m_nextpkt;
1197 }
1198 }
1199 }
1200 SOCKBUF_UNLOCK(sb);
1201 SOCK_UNLOCK(so);
1202 return (mb != NULL);
1203 }
1204
1205 static int
1206 uipc_ready(struct socket *so, struct mbuf *m, int count)
1207 {
1208 struct unpcb *unp, *unp2;
1209 struct socket *so2;
1210 int error, i;
1211
1212 unp = sotounpcb(so);
1213
1214 KASSERT(so->so_type == SOCK_STREAM,
1215 ("%s: unexpected socket type for %p", __func__, so));
1216
1217 UNP_PCB_LOCK(unp);
1218 if ((unp2 = unp_pcb_lock_peer(unp)) != NULL) {
1219 UNP_PCB_UNLOCK(unp);
1220 so2 = unp2->unp_socket;
1221 SOCKBUF_LOCK(&so2->so_rcv);
1222 if ((error = sbready(&so2->so_rcv, m, count)) == 0)
1223 sorwakeup_locked(so2);
1224 else
1225 SOCKBUF_UNLOCK(&so2->so_rcv);
1226 UNP_PCB_UNLOCK(unp2);
1227 return (error);
1228 }
1229 UNP_PCB_UNLOCK(unp);
1230
1231 /*
1232 * The receiving socket has been disconnected, but may still be valid.
1233 * In this case, the now-ready mbufs are still present in its socket
1234 * buffer, so perform an exhaustive search before giving up and freeing
1235 * the mbufs.
1236 */
1237 UNP_LINK_RLOCK();
1238 LIST_FOREACH(unp, &unp_shead, unp_link) {
1239 if (uipc_ready_scan(unp->unp_socket, m, count, &error))
1240 break;
1241 }
1242 UNP_LINK_RUNLOCK();
1243
1244 if (unp == NULL) {
1245 for (i = 0; i < count; i++)
1246 m = m_free(m);
1247 error = ECONNRESET;
1248 }
1249 return (error);
1250 }
1251
1252 static int
1253 uipc_sense(struct socket *so, struct stat *sb)
1254 {
1255 struct unpcb *unp;
1256
1257 unp = sotounpcb(so);
1258 KASSERT(unp != NULL, ("uipc_sense: unp == NULL"));
1259
1260 sb->st_blksize = so->so_snd.sb_hiwat;
1261 sb->st_dev = NODEV;
1262 sb->st_ino = unp->unp_ino;
1263 return (0);
1264 }
1265
1266 static int
1267 uipc_shutdown(struct socket *so)
1268 {
1269 struct unpcb *unp;
1270
1271 unp = sotounpcb(so);
1272 KASSERT(unp != NULL, ("uipc_shutdown: unp == NULL"));
1273
1274 UNP_PCB_LOCK(unp);
1275 socantsendmore(so);
1276 unp_shutdown(unp);
1277 UNP_PCB_UNLOCK(unp);
1278 return (0);
1279 }
1280
1281 static int
1282 uipc_sockaddr(struct socket *so, struct sockaddr **nam)
1283 {
1284 struct unpcb *unp;
1285 const struct sockaddr *sa;
1286
1287 unp = sotounpcb(so);
1288 KASSERT(unp != NULL, ("uipc_sockaddr: unp == NULL"));
1289
1290 *nam = malloc(sizeof(struct sockaddr_un), M_SONAME, M_WAITOK);
1291 UNP_PCB_LOCK(unp);
1292 if (unp->unp_addr != NULL)
1293 sa = (struct sockaddr *) unp->unp_addr;
1294 else
1295 sa = &sun_noname;
1296 bcopy(sa, *nam, sa->sa_len);
1297 UNP_PCB_UNLOCK(unp);
1298 return (0);
1299 }
1300
1301 static struct pr_usrreqs uipc_usrreqs_dgram = {
1302 .pru_abort = uipc_abort,
1303 .pru_accept = uipc_accept,
1304 .pru_attach = uipc_attach,
1305 .pru_bind = uipc_bind,
1306 .pru_bindat = uipc_bindat,
1307 .pru_connect = uipc_connect,
1308 .pru_connectat = uipc_connectat,
1309 .pru_connect2 = uipc_connect2,
1310 .pru_detach = uipc_detach,
1311 .pru_disconnect = uipc_disconnect,
1312 .pru_listen = uipc_listen,
1313 .pru_peeraddr = uipc_peeraddr,
1314 .pru_rcvd = uipc_rcvd,
1315 .pru_send = uipc_send,
1316 .pru_sense = uipc_sense,
1317 .pru_shutdown = uipc_shutdown,
1318 .pru_sockaddr = uipc_sockaddr,
1319 .pru_soreceive = soreceive_dgram,
1320 .pru_close = uipc_close,
1321 };
1322
1323 static struct pr_usrreqs uipc_usrreqs_seqpacket = {
1324 .pru_abort = uipc_abort,
1325 .pru_accept = uipc_accept,
1326 .pru_attach = uipc_attach,
1327 .pru_bind = uipc_bind,
1328 .pru_bindat = uipc_bindat,
1329 .pru_connect = uipc_connect,
1330 .pru_connectat = uipc_connectat,
1331 .pru_connect2 = uipc_connect2,
1332 .pru_detach = uipc_detach,
1333 .pru_disconnect = uipc_disconnect,
1334 .pru_listen = uipc_listen,
1335 .pru_peeraddr = uipc_peeraddr,
1336 .pru_rcvd = uipc_rcvd,
1337 .pru_send = uipc_send,
1338 .pru_sense = uipc_sense,
1339 .pru_shutdown = uipc_shutdown,
1340 .pru_sockaddr = uipc_sockaddr,
1341 .pru_soreceive = soreceive_generic, /* XXX: or...? */
1342 .pru_close = uipc_close,
1343 };
1344
1345 static struct pr_usrreqs uipc_usrreqs_stream = {
1346 .pru_abort = uipc_abort,
1347 .pru_accept = uipc_accept,
1348 .pru_attach = uipc_attach,
1349 .pru_bind = uipc_bind,
1350 .pru_bindat = uipc_bindat,
1351 .pru_connect = uipc_connect,
1352 .pru_connectat = uipc_connectat,
1353 .pru_connect2 = uipc_connect2,
1354 .pru_detach = uipc_detach,
1355 .pru_disconnect = uipc_disconnect,
1356 .pru_listen = uipc_listen,
1357 .pru_peeraddr = uipc_peeraddr,
1358 .pru_rcvd = uipc_rcvd,
1359 .pru_send = uipc_send,
1360 .pru_ready = uipc_ready,
1361 .pru_sense = uipc_sense,
1362 .pru_shutdown = uipc_shutdown,
1363 .pru_sockaddr = uipc_sockaddr,
1364 .pru_soreceive = soreceive_generic,
1365 .pru_close = uipc_close,
1366 };
1367
1368 static int
1369 uipc_ctloutput(struct socket *so, struct sockopt *sopt)
1370 {
1371 struct unpcb *unp;
1372 struct xucred xu;
1373 int error, optval;
1374
1375 if (sopt->sopt_level != SOL_LOCAL)
1376 return (EINVAL);
1377
1378 unp = sotounpcb(so);
1379 KASSERT(unp != NULL, ("uipc_ctloutput: unp == NULL"));
1380 error = 0;
1381 switch (sopt->sopt_dir) {
1382 case SOPT_GET:
1383 switch (sopt->sopt_name) {
1384 case LOCAL_PEERCRED:
1385 UNP_PCB_LOCK(unp);
1386 if (unp->unp_flags & UNP_HAVEPC)
1387 xu = unp->unp_peercred;
1388 else {
1389 if (so->so_type == SOCK_STREAM)
1390 error = ENOTCONN;
1391 else
1392 error = EINVAL;
1393 }
1394 UNP_PCB_UNLOCK(unp);
1395 if (error == 0)
1396 error = sooptcopyout(sopt, &xu, sizeof(xu));
1397 break;
1398
1399 case LOCAL_CREDS:
1400 /* Unlocked read. */
1401 optval = unp->unp_flags & UNP_WANTCRED ? 1 : 0;
1402 error = sooptcopyout(sopt, &optval, sizeof(optval));
1403 break;
1404
1405 case LOCAL_CONNWAIT:
1406 /* Unlocked read. */
1407 optval = unp->unp_flags & UNP_CONNWAIT ? 1 : 0;
1408 error = sooptcopyout(sopt, &optval, sizeof(optval));
1409 break;
1410
1411 default:
1412 error = EOPNOTSUPP;
1413 break;
1414 }
1415 break;
1416
1417 case SOPT_SET:
1418 switch (sopt->sopt_name) {
1419 case LOCAL_CREDS:
1420 case LOCAL_CONNWAIT:
1421 error = sooptcopyin(sopt, &optval, sizeof(optval),
1422 sizeof(optval));
1423 if (error)
1424 break;
1425
1426 #define OPTSET(bit) do { \
1427 UNP_PCB_LOCK(unp); \
1428 if (optval) \
1429 unp->unp_flags |= bit; \
1430 else \
1431 unp->unp_flags &= ~bit; \
1432 UNP_PCB_UNLOCK(unp); \
1433 } while (0)
1434
1435 switch (sopt->sopt_name) {
1436 case LOCAL_CREDS:
1437 OPTSET(UNP_WANTCRED);
1438 break;
1439
1440 case LOCAL_CONNWAIT:
1441 OPTSET(UNP_CONNWAIT);
1442 break;
1443
1444 default:
1445 break;
1446 }
1447 break;
1448 #undef OPTSET
1449 default:
1450 error = ENOPROTOOPT;
1451 break;
1452 }
1453 break;
1454
1455 default:
1456 error = EOPNOTSUPP;
1457 break;
1458 }
1459 return (error);
1460 }
1461
1462 static int
1463 unp_connect(struct socket *so, struct sockaddr *nam, struct thread *td)
1464 {
1465
1466 return (unp_connectat(AT_FDCWD, so, nam, td));
1467 }
1468
1469 static int
1470 unp_connectat(int fd, struct socket *so, struct sockaddr *nam,
1471 struct thread *td)
1472 {
1473 struct mtx *vplock;
1474 struct sockaddr_un *soun;
1475 struct vnode *vp;
1476 struct socket *so2;
1477 struct unpcb *unp, *unp2, *unp3;
1478 struct nameidata nd;
1479 char buf[SOCK_MAXADDRLEN];
1480 struct sockaddr *sa;
1481 cap_rights_t rights;
1482 int error, len;
1483 bool connreq;
1484
1485 if (nam->sa_family != AF_UNIX)
1486 return (EAFNOSUPPORT);
1487 if (nam->sa_len > sizeof(struct sockaddr_un))
1488 return (EINVAL);
1489 len = nam->sa_len - offsetof(struct sockaddr_un, sun_path);
1490 if (len <= 0)
1491 return (EINVAL);
1492 soun = (struct sockaddr_un *)nam;
1493 bcopy(soun->sun_path, buf, len);
1494 buf[len] = 0;
1495
1496 unp = sotounpcb(so);
1497 UNP_PCB_LOCK(unp);
1498 for (;;) {
1499 /*
1500 * Wait for connection state to stabilize. If a connection
1501 * already exists, give up. For datagram sockets, which permit
1502 * multiple consecutive connect(2) calls, upper layers are
1503 * responsible for disconnecting in advance of a subsequent
1504 * connect(2), but this is not synchronized with PCB connection
1505 * state.
1506 *
1507 * Also make sure that no threads are currently attempting to
1508 * lock the peer socket, to ensure that unp_conn cannot
1509 * transition between two valid sockets while locks are dropped.
1510 */
1511 if (unp->unp_conn != NULL) {
1512 UNP_PCB_UNLOCK(unp);
1513 return (EISCONN);
1514 }
1515 if ((unp->unp_flags & UNP_CONNECTING) != 0) {
1516 UNP_PCB_UNLOCK(unp);
1517 return (EALREADY);
1518 }
1519 if (unp->unp_pairbusy > 0) {
1520 unp->unp_flags |= UNP_WAITING;
1521 mtx_sleep(unp, UNP_PCB_LOCKPTR(unp), 0, "unpeer", 0);
1522 continue;
1523 }
1524 break;
1525 }
1526 unp->unp_flags |= UNP_CONNECTING;
1527 UNP_PCB_UNLOCK(unp);
1528
1529 connreq = (so->so_proto->pr_flags & PR_CONNREQUIRED) != 0;
1530 if (connreq)
1531 sa = malloc(sizeof(struct sockaddr_un), M_SONAME, M_WAITOK);
1532 else
1533 sa = NULL;
1534 NDINIT_ATRIGHTS(&nd, LOOKUP, FOLLOW | LOCKSHARED | LOCKLEAF,
1535 UIO_SYSSPACE, buf, fd, cap_rights_init(&rights, CAP_CONNECTAT), td);
1536 error = namei(&nd);
1537 if (error)
1538 vp = NULL;
1539 else
1540 vp = nd.ni_vp;
1541 ASSERT_VOP_LOCKED(vp, "unp_connect");
1542 NDFREE(&nd, NDF_ONLY_PNBUF);
1543 if (error)
1544 goto bad;
1545
1546 if (vp->v_type != VSOCK) {
1547 error = ENOTSOCK;
1548 goto bad;
1549 }
1550 #ifdef MAC
1551 error = mac_vnode_check_open(td->td_ucred, vp, VWRITE | VREAD);
1552 if (error)
1553 goto bad;
1554 #endif
1555 error = VOP_ACCESS(vp, VWRITE, td->td_ucred, td);
1556 if (error)
1557 goto bad;
1558
1559 unp = sotounpcb(so);
1560 KASSERT(unp != NULL, ("unp_connect: unp == NULL"));
1561
1562 vplock = mtx_pool_find(mtxpool_sleep, vp);
1563 mtx_lock(vplock);
1564 VOP_UNP_CONNECT(vp, &unp2);
1565 if (unp2 == NULL) {
1566 error = ECONNREFUSED;
1567 goto bad2;
1568 }
1569 so2 = unp2->unp_socket;
1570 if (so->so_type != so2->so_type) {
1571 error = EPROTOTYPE;
1572 goto bad2;
1573 }
1574 if (connreq) {
1575 if (so2->so_options & SO_ACCEPTCONN) {
1576 CURVNET_SET(so2->so_vnet);
1577 so2 = sonewconn(so2, 0);
1578 CURVNET_RESTORE();
1579 } else
1580 so2 = NULL;
1581 if (so2 == NULL) {
1582 error = ECONNREFUSED;
1583 goto bad2;
1584 }
1585 unp3 = sotounpcb(so2);
1586 unp_pcb_lock_pair(unp2, unp3);
1587 if (unp2->unp_addr != NULL) {
1588 bcopy(unp2->unp_addr, sa, unp2->unp_addr->sun_len);
1589 unp3->unp_addr = (struct sockaddr_un *) sa;
1590 sa = NULL;
1591 }
1592
1593 unp_copy_peercred(td, unp3, unp, unp2);
1594
1595 UNP_PCB_UNLOCK(unp2);
1596 unp2 = unp3;
1597
1598 /*
1599 * It is safe to block on the PCB lock here since unp2 is
1600 * nascent and cannot be connected to any other sockets.
1601 */
1602 UNP_PCB_LOCK(unp);
1603 #ifdef MAC
1604 mac_socketpeer_set_from_socket(so, so2);
1605 mac_socketpeer_set_from_socket(so2, so);
1606 #endif
1607 } else {
1608 unp_pcb_lock_pair(unp, unp2);
1609 }
1610 KASSERT(unp2 != NULL && so2 != NULL && unp2->unp_socket == so2 &&
1611 sotounpcb(so2) == unp2,
1612 ("%s: unp2 %p so2 %p", __func__, unp2, so2));
1613 error = unp_connect2(so, so2, PRU_CONNECT);
1614 unp_pcb_unlock_pair(unp, unp2);
1615 bad2:
1616 mtx_unlock(vplock);
1617 bad:
1618 if (vp != NULL) {
1619 vput(vp);
1620 }
1621 free(sa, M_SONAME);
1622 UNP_PCB_LOCK(unp);
1623 KASSERT((unp->unp_flags & UNP_CONNECTING) != 0,
1624 ("%s: unp %p has UNP_CONNECTING clear", __func__, unp));
1625 unp->unp_flags &= ~UNP_CONNECTING;
1626 UNP_PCB_UNLOCK(unp);
1627 return (error);
1628 }
1629
1630 /*
1631 * Set socket peer credentials at connection time.
1632 *
1633 * The client's PCB credentials are copied from its process structure. The
1634 * server's PCB credentials are copied from the socket on which it called
1635 * listen(2). uipc_listen cached that process's credentials at the time.
1636 */
1637 void
1638 unp_copy_peercred(struct thread *td, struct unpcb *client_unp,
1639 struct unpcb *server_unp, struct unpcb *listen_unp)
1640 {
1641 cru2xt(td, &client_unp->unp_peercred);
1642 client_unp->unp_flags |= UNP_HAVEPC;
1643
1644 memcpy(&server_unp->unp_peercred, &listen_unp->unp_peercred,
1645 sizeof(server_unp->unp_peercred));
1646 server_unp->unp_flags |= UNP_HAVEPC;
1647 if (listen_unp->unp_flags & UNP_WANTCRED)
1648 client_unp->unp_flags |= UNP_WANTCRED;
1649 }
1650
1651 static int
1652 unp_connect2(struct socket *so, struct socket *so2, int req)
1653 {
1654 struct unpcb *unp;
1655 struct unpcb *unp2;
1656
1657 unp = sotounpcb(so);
1658 KASSERT(unp != NULL, ("unp_connect2: unp == NULL"));
1659 unp2 = sotounpcb(so2);
1660 KASSERT(unp2 != NULL, ("unp_connect2: unp2 == NULL"));
1661
1662 UNP_PCB_LOCK_ASSERT(unp);
1663 UNP_PCB_LOCK_ASSERT(unp2);
1664 KASSERT(unp->unp_conn == NULL,
1665 ("%s: socket %p is already connected", __func__, unp));
1666
1667 if (so2->so_type != so->so_type)
1668 return (EPROTOTYPE);
1669 unp->unp_conn = unp2;
1670 unp_pcb_hold(unp2);
1671 unp_pcb_hold(unp);
1672 switch (so->so_type) {
1673 case SOCK_DGRAM:
1674 UNP_REF_LIST_LOCK();
1675 LIST_INSERT_HEAD(&unp2->unp_refs, unp, unp_reflink);
1676 UNP_REF_LIST_UNLOCK();
1677 soisconnected(so);
1678 break;
1679
1680 case SOCK_STREAM:
1681 case SOCK_SEQPACKET:
1682 KASSERT(unp2->unp_conn == NULL,
1683 ("%s: socket %p is already connected", __func__, unp2));
1684 unp2->unp_conn = unp;
1685 if (req == PRU_CONNECT &&
1686 ((unp->unp_flags | unp2->unp_flags) & UNP_CONNWAIT))
1687 soisconnecting(so);
1688 else
1689 soisconnected(so);
1690 soisconnected(so2);
1691 break;
1692
1693 default:
1694 panic("unp_connect2");
1695 }
1696 return (0);
1697 }
1698
1699 static void
1700 unp_disconnect(struct unpcb *unp, struct unpcb *unp2)
1701 {
1702 struct socket *so, *so2;
1703 #ifdef INVARIANTS
1704 struct unpcb *unptmp;
1705 #endif
1706
1707 UNP_PCB_LOCK_ASSERT(unp);
1708 UNP_PCB_LOCK_ASSERT(unp2);
1709 KASSERT(unp->unp_conn == unp2,
1710 ("%s: unpcb %p is not connected to %p", __func__, unp, unp2));
1711
1712 unp->unp_conn = NULL;
1713 so = unp->unp_socket;
1714 so2 = unp2->unp_socket;
1715 switch (unp->unp_socket->so_type) {
1716 case SOCK_DGRAM:
1717 UNP_REF_LIST_LOCK();
1718 #ifdef INVARIANTS
1719 LIST_FOREACH(unptmp, &unp2->unp_refs, unp_reflink) {
1720 if (unptmp == unp)
1721 break;
1722 }
1723 KASSERT(unptmp != NULL,
1724 ("%s: %p not found in reflist of %p", __func__, unp, unp2));
1725 #endif
1726 LIST_REMOVE(unp, unp_reflink);
1727 UNP_REF_LIST_UNLOCK();
1728 if (so) {
1729 SOCK_LOCK(so);
1730 so->so_state &= ~SS_ISCONNECTED;
1731 SOCK_UNLOCK(so);
1732 }
1733 break;
1734
1735 case SOCK_STREAM:
1736 case SOCK_SEQPACKET:
1737 if (so)
1738 soisdisconnected(so);
1739 MPASS(unp2->unp_conn == unp);
1740 unp2->unp_conn = NULL;
1741 if (so2)
1742 soisdisconnected(so2);
1743 break;
1744 }
1745
1746 if (unp == unp2) {
1747 unp_pcb_rele_notlast(unp);
1748 if (!unp_pcb_rele(unp))
1749 UNP_PCB_UNLOCK(unp);
1750 } else {
1751 if (!unp_pcb_rele(unp))
1752 UNP_PCB_UNLOCK(unp);
1753 if (!unp_pcb_rele(unp2))
1754 UNP_PCB_UNLOCK(unp2);
1755 }
1756 }
1757
1758 /*
1759 * unp_pcblist() walks the global list of struct unpcb's to generate a
1760 * pointer list, bumping the refcount on each unpcb. It then copies them out
1761 * sequentially, validating the generation number on each to see if it has
1762 * been detached. All of this is necessary because copyout() may sleep on
1763 * disk I/O.
1764 */
1765 static int
1766 unp_pcblist(SYSCTL_HANDLER_ARGS)
1767 {
1768 struct unpcb *unp, **unp_list;
1769 unp_gen_t gencnt;
1770 struct xunpgen *xug;
1771 struct unp_head *head;
1772 struct xunpcb *xu;
1773 u_int i;
1774 int error, n;
1775
1776 switch ((intptr_t)arg1) {
1777 case SOCK_STREAM:
1778 head = &unp_shead;
1779 break;
1780
1781 case SOCK_DGRAM:
1782 head = &unp_dhead;
1783 break;
1784
1785 case SOCK_SEQPACKET:
1786 head = &unp_sphead;
1787 break;
1788
1789 default:
1790 panic("unp_pcblist: arg1 %d", (int)(intptr_t)arg1);
1791 }
1792
1793 /*
1794 * The process of preparing the PCB list is too time-consuming and
1795 * resource-intensive to repeat twice on every request.
1796 */
1797 if (req->oldptr == NULL) {
1798 n = unp_count;
1799 req->oldidx = 2 * (sizeof *xug)
1800 + (n + n/8) * sizeof(struct xunpcb);
1801 return (0);
1802 }
1803
1804 if (req->newptr != NULL)
1805 return (EPERM);
1806
1807 /*
1808 * OK, now we're committed to doing something.
1809 */
1810 xug = malloc(sizeof(*xug), M_TEMP, M_WAITOK | M_ZERO);
1811 UNP_LINK_RLOCK();
1812 gencnt = unp_gencnt;
1813 n = unp_count;
1814 UNP_LINK_RUNLOCK();
1815
1816 xug->xug_len = sizeof *xug;
1817 xug->xug_count = n;
1818 xug->xug_gen = gencnt;
1819 xug->xug_sogen = so_gencnt;
1820 error = SYSCTL_OUT(req, xug, sizeof *xug);
1821 if (error) {
1822 free(xug, M_TEMP);
1823 return (error);
1824 }
1825
1826 unp_list = malloc(n * sizeof *unp_list, M_TEMP, M_WAITOK);
1827
1828 UNP_LINK_RLOCK();
1829 for (unp = LIST_FIRST(head), i = 0; unp && i < n;
1830 unp = LIST_NEXT(unp, unp_link)) {
1831 UNP_PCB_LOCK(unp);
1832 if (unp->unp_gencnt <= gencnt) {
1833 if (cr_cansee(req->td->td_ucred,
1834 unp->unp_socket->so_cred)) {
1835 UNP_PCB_UNLOCK(unp);
1836 continue;
1837 }
1838 unp_list[i++] = unp;
1839 unp_pcb_hold(unp);
1840 }
1841 UNP_PCB_UNLOCK(unp);
1842 }
1843 UNP_LINK_RUNLOCK();
1844 n = i; /* In case we lost some during malloc. */
1845
1846 error = 0;
1847 xu = malloc(sizeof(*xu), M_TEMP, M_WAITOK | M_ZERO);
1848 for (i = 0; i < n; i++) {
1849 unp = unp_list[i];
1850 UNP_PCB_LOCK(unp);
1851 if (unp_pcb_rele(unp))
1852 continue;
1853
1854 if (unp->unp_gencnt <= gencnt) {
1855 xu->xu_len = sizeof *xu;
1856 xu->xu_unpp = (uintptr_t)unp;
1857 /*
1858 * XXX - need more locking here to protect against
1859 * connect/disconnect races for SMP.
1860 */
1861 if (unp->unp_addr != NULL)
1862 bcopy(unp->unp_addr, &xu->xu_addr,
1863 unp->unp_addr->sun_len);
1864 else
1865 bzero(&xu->xu_addr, sizeof(xu->xu_addr));
1866 if (unp->unp_conn != NULL &&
1867 unp->unp_conn->unp_addr != NULL)
1868 bcopy(unp->unp_conn->unp_addr,
1869 &xu->xu_caddr,
1870 unp->unp_conn->unp_addr->sun_len);
1871 else
1872 bzero(&xu->xu_caddr, sizeof(xu->xu_caddr));
1873 xu->unp_vnode = (uintptr_t)unp->unp_vnode;
1874 xu->unp_conn = (uintptr_t)unp->unp_conn;
1875 xu->xu_firstref = (uintptr_t)LIST_FIRST(&unp->unp_refs);
1876 xu->xu_nextref = (uintptr_t)LIST_NEXT(unp, unp_reflink);
1877 xu->unp_gencnt = unp->unp_gencnt;
1878 sotoxsocket(unp->unp_socket, &xu->xu_socket);
1879 UNP_PCB_UNLOCK(unp);
1880 error = SYSCTL_OUT(req, xu, sizeof *xu);
1881 } else {
1882 UNP_PCB_UNLOCK(unp);
1883 }
1884 }
1885 free(xu, M_TEMP);
1886 if (!error) {
1887 /*
1888 * Give the user an updated idea of our state. If the
1889 * generation differs from what we told her before, she knows
1890 * that something happened while we were processing this
1891 * request, and it might be necessary to retry.
1892 */
1893 xug->xug_gen = unp_gencnt;
1894 xug->xug_sogen = so_gencnt;
1895 xug->xug_count = unp_count;
1896 error = SYSCTL_OUT(req, xug, sizeof *xug);
1897 }
1898 free(unp_list, M_TEMP);
1899 free(xug, M_TEMP);
1900 return (error);
1901 }
1902
1903 SYSCTL_PROC(_net_local_dgram, OID_AUTO, pcblist, CTLTYPE_OPAQUE | CTLFLAG_RD,
1904 (void *)(intptr_t)SOCK_DGRAM, 0, unp_pcblist, "S,xunpcb",
1905 "List of active local datagram sockets");
1906 SYSCTL_PROC(_net_local_stream, OID_AUTO, pcblist, CTLTYPE_OPAQUE | CTLFLAG_RD,
1907 (void *)(intptr_t)SOCK_STREAM, 0, unp_pcblist, "S,xunpcb",
1908 "List of active local stream sockets");
1909 SYSCTL_PROC(_net_local_seqpacket, OID_AUTO, pcblist,
1910 CTLTYPE_OPAQUE | CTLFLAG_RD,
1911 (void *)(intptr_t)SOCK_SEQPACKET, 0, unp_pcblist, "S,xunpcb",
1912 "List of active local seqpacket sockets");
1913
1914 static void
1915 unp_shutdown(struct unpcb *unp)
1916 {
1917 struct unpcb *unp2;
1918 struct socket *so;
1919
1920 UNP_PCB_LOCK_ASSERT(unp);
1921
1922 unp2 = unp->unp_conn;
1923 if ((unp->unp_socket->so_type == SOCK_STREAM ||
1924 (unp->unp_socket->so_type == SOCK_SEQPACKET)) && unp2 != NULL) {
1925 so = unp2->unp_socket;
1926 if (so != NULL)
1927 socantrcvmore(so);
1928 }
1929 }
1930
1931 static void
1932 unp_drop(struct unpcb *unp)
1933 {
1934 struct socket *so = unp->unp_socket;
1935 struct unpcb *unp2;
1936
1937 /*
1938 * Regardless of whether the socket's peer dropped the connection
1939 * with this socket by aborting or disconnecting, POSIX requires
1940 * that ECONNRESET is returned.
1941 */
1942
1943 UNP_PCB_LOCK(unp);
1944 if (so)
1945 so->so_error = ECONNRESET;
1946 if ((unp2 = unp_pcb_lock_peer(unp)) != NULL) {
1947 /* Last reference dropped in unp_disconnect(). */
1948 unp_pcb_rele_notlast(unp);
1949 unp_disconnect(unp, unp2);
1950 } else if (!unp_pcb_rele(unp)) {
1951 UNP_PCB_UNLOCK(unp);
1952 }
1953 }
1954
1955 static void
1956 unp_freerights(struct filedescent **fdep, int fdcount)
1957 {
1958 struct file *fp;
1959 int i;
1960
1961 KASSERT(fdcount > 0, ("%s: fdcount %d", __func__, fdcount));
1962
1963 for (i = 0; i < fdcount; i++) {
1964 fp = fdep[i]->fde_file;
1965 filecaps_free(&fdep[i]->fde_caps);
1966 unp_discard(fp);
1967 }
1968 free(fdep[0], M_FILECAPS);
1969 }
1970
1971 static int
1972 unp_externalize(struct mbuf *control, struct mbuf **controlp, int flags)
1973 {
1974 struct thread *td = curthread; /* XXX */
1975 struct cmsghdr *cm = mtod(control, struct cmsghdr *);
1976 int i;
1977 int *fdp;
1978 struct filedesc *fdesc = td->td_proc->p_fd;
1979 struct filedescent **fdep;
1980 void *data;
1981 socklen_t clen = control->m_len, datalen;
1982 int error, newfds;
1983 u_int newlen;
1984
1985 UNP_LINK_UNLOCK_ASSERT();
1986
1987 error = 0;
1988 if (controlp != NULL) /* controlp == NULL => free control messages */
1989 *controlp = NULL;
1990 while (cm != NULL) {
1991 if (sizeof(*cm) > clen || cm->cmsg_len > clen) {
1992 error = EINVAL;
1993 break;
1994 }
1995 data = CMSG_DATA(cm);
1996 datalen = (caddr_t)cm + cm->cmsg_len - (caddr_t)data;
1997 if (cm->cmsg_level == SOL_SOCKET
1998 && cm->cmsg_type == SCM_RIGHTS) {
1999 newfds = datalen / sizeof(*fdep);
2000 if (newfds == 0)
2001 goto next;
2002 fdep = data;
2003
2004 /* If we're not outputting the descriptors free them. */
2005 if (error || controlp == NULL) {
2006 unp_freerights(fdep, newfds);
2007 goto next;
2008 }
2009 FILEDESC_XLOCK(fdesc);
2010
2011 /*
2012 * Now change each pointer to an fd in the global
2013 * table to an integer that is the index to the local
2014 * fd table entry that we set up to point to the
2015 * global one we are transferring.
2016 */
2017 newlen = newfds * sizeof(int);
2018 *controlp = sbcreatecontrol(NULL, newlen,
2019 SCM_RIGHTS, SOL_SOCKET);
2020 if (*controlp == NULL) {
2021 FILEDESC_XUNLOCK(fdesc);
2022 error = E2BIG;
2023 unp_freerights(fdep, newfds);
2024 goto next;
2025 }
2026
2027 fdp = (int *)
2028 CMSG_DATA(mtod(*controlp, struct cmsghdr *));
2029 if (fdallocn(td, 0, fdp, newfds) != 0) {
2030 FILEDESC_XUNLOCK(fdesc);
2031 error = EMSGSIZE;
2032 unp_freerights(fdep, newfds);
2033 m_freem(*controlp);
2034 *controlp = NULL;
2035 goto next;
2036 }
2037 for (i = 0; i < newfds; i++, fdp++) {
2038 _finstall(fdesc, fdep[i]->fde_file, *fdp,
2039 (flags & MSG_CMSG_CLOEXEC) != 0 ? UF_EXCLOSE : 0,
2040 &fdep[i]->fde_caps);
2041 unp_externalize_fp(fdep[i]->fde_file);
2042 }
2043
2044 /*
2045 * The new type indicates that the mbuf data refers to
2046 * kernel resources that may need to be released before
2047 * the mbuf is freed.
2048 */
2049 m_chtype(*controlp, MT_EXTCONTROL);
2050 FILEDESC_XUNLOCK(fdesc);
2051 free(fdep[0], M_FILECAPS);
2052 } else {
2053 /* We can just copy anything else across. */
2054 if (error || controlp == NULL)
2055 goto next;
2056 *controlp = sbcreatecontrol(NULL, datalen,
2057 cm->cmsg_type, cm->cmsg_level);
2058 if (*controlp == NULL) {
2059 error = ENOBUFS;
2060 goto next;
2061 }
2062 bcopy(data,
2063 CMSG_DATA(mtod(*controlp, struct cmsghdr *)),
2064 datalen);
2065 }
2066 controlp = &(*controlp)->m_next;
2067
2068 next:
2069 if (CMSG_SPACE(datalen) < clen) {
2070 clen -= CMSG_SPACE(datalen);
2071 cm = (struct cmsghdr *)
2072 ((caddr_t)cm + CMSG_SPACE(datalen));
2073 } else {
2074 clen = 0;
2075 cm = NULL;
2076 }
2077 }
2078
2079 m_freem(control);
2080 return (error);
2081 }
2082
2083 static void
2084 unp_zone_change(void *tag)
2085 {
2086
2087 uma_zone_set_max(unp_zone, maxsockets);
2088 }
2089
2090 #ifdef INVARIANTS
2091 static void
2092 unp_zdtor(void *mem, int size __unused, void *arg __unused)
2093 {
2094 struct unpcb *unp;
2095
2096 unp = mem;
2097
2098 KASSERT(LIST_EMPTY(&unp->unp_refs),
2099 ("%s: unpcb %p has lingering refs", __func__, unp));
2100 KASSERT(unp->unp_socket == NULL,
2101 ("%s: unpcb %p has socket backpointer", __func__, unp));
2102 KASSERT(unp->unp_vnode == NULL,
2103 ("%s: unpcb %p has vnode references", __func__, unp));
2104 KASSERT(unp->unp_conn == NULL,
2105 ("%s: unpcb %p is still connected", __func__, unp));
2106 KASSERT(unp->unp_addr == NULL,
2107 ("%s: unpcb %p has leaked addr", __func__, unp));
2108 }
2109 #endif
2110
2111 static void
2112 unp_init(void)
2113 {
2114 uma_dtor dtor;
2115
2116 #ifdef VIMAGE
2117 if (!IS_DEFAULT_VNET(curvnet))
2118 return;
2119 #endif
2120
2121 #ifdef INVARIANTS
2122 dtor = unp_zdtor;
2123 #else
2124 dtor = NULL;
2125 #endif
2126 unp_zone = uma_zcreate("unpcb", sizeof(struct unpcb), NULL, dtor,
2127 NULL, NULL, UMA_ALIGN_CACHE, 0);
2128 uma_zone_set_max(unp_zone, maxsockets);
2129 uma_zone_set_warning(unp_zone, "kern.ipc.maxsockets limit reached");
2130 EVENTHANDLER_REGISTER(maxsockets_change, unp_zone_change,
2131 NULL, EVENTHANDLER_PRI_ANY);
2132 LIST_INIT(&unp_dhead);
2133 LIST_INIT(&unp_shead);
2134 LIST_INIT(&unp_sphead);
2135 SLIST_INIT(&unp_defers);
2136 TIMEOUT_TASK_INIT(taskqueue_thread, &unp_gc_task, 0, unp_gc, NULL);
2137 TASK_INIT(&unp_defer_task, 0, unp_process_defers, NULL);
2138 UNP_LINK_LOCK_INIT();
2139 UNP_DEFERRED_LOCK_INIT();
2140 }
2141
2142 static void
2143 unp_internalize_cleanup_rights(struct mbuf *control)
2144 {
2145 struct cmsghdr *cp;
2146 struct mbuf *m;
2147 void *data;
2148 socklen_t datalen;
2149
2150 for (m = control; m != NULL; m = m->m_next) {
2151 cp = mtod(m, struct cmsghdr *);
2152 if (cp->cmsg_level != SOL_SOCKET ||
2153 cp->cmsg_type != SCM_RIGHTS)
2154 continue;
2155 data = CMSG_DATA(cp);
2156 datalen = (caddr_t)cp + cp->cmsg_len - (caddr_t)data;
2157 unp_freerights(data, datalen / sizeof(struct filedesc *));
2158 }
2159 }
2160
2161 static int
2162 unp_internalize(struct mbuf **controlp, struct thread *td)
2163 {
2164 struct mbuf *control, **initial_controlp;
2165 struct proc *p;
2166 struct filedesc *fdesc;
2167 struct bintime *bt;
2168 struct cmsghdr *cm;
2169 struct cmsgcred *cmcred;
2170 struct filedescent *fde, **fdep, *fdev;
2171 struct file *fp;
2172 struct timeval *tv;
2173 struct timespec *ts;
2174 void *data;
2175 socklen_t clen, datalen;
2176 int i, j, error, *fdp, oldfds;
2177 u_int newlen;
2178
2179 UNP_LINK_UNLOCK_ASSERT();
2180
2181 p = td->td_proc;
2182 fdesc = p->p_fd;
2183 error = 0;
2184 control = *controlp;
2185 clen = control->m_len;
2186 *controlp = NULL;
2187 initial_controlp = controlp;
2188 for (cm = mtod(control, struct cmsghdr *); cm != NULL;) {
2189 if (sizeof(*cm) > clen || cm->cmsg_level != SOL_SOCKET
2190 || cm->cmsg_len > clen || cm->cmsg_len < sizeof(*cm)) {
2191 error = EINVAL;
2192 goto out;
2193 }
2194 data = CMSG_DATA(cm);
2195 datalen = (caddr_t)cm + cm->cmsg_len - (caddr_t)data;
2196
2197 switch (cm->cmsg_type) {
2198 /*
2199 * Fill in credential information.
2200 */
2201 case SCM_CREDS:
2202 *controlp = sbcreatecontrol(NULL, sizeof(*cmcred),
2203 SCM_CREDS, SOL_SOCKET);
2204 if (*controlp == NULL) {
2205 error = ENOBUFS;
2206 goto out;
2207 }
2208 cmcred = (struct cmsgcred *)
2209 CMSG_DATA(mtod(*controlp, struct cmsghdr *));
2210 cmcred->cmcred_pid = p->p_pid;
2211 cmcred->cmcred_uid = td->td_ucred->cr_ruid;
2212 cmcred->cmcred_gid = td->td_ucred->cr_rgid;
2213 cmcred->cmcred_euid = td->td_ucred->cr_uid;
2214 cmcred->cmcred_ngroups = MIN(td->td_ucred->cr_ngroups,
2215 CMGROUP_MAX);
2216 for (i = 0; i < cmcred->cmcred_ngroups; i++)
2217 cmcred->cmcred_groups[i] =
2218 td->td_ucred->cr_groups[i];
2219 break;
2220
2221 case SCM_RIGHTS:
2222 oldfds = datalen / sizeof (int);
2223 if (oldfds == 0)
2224 break;
2225 /*
2226 * Check that all the FDs passed in refer to legal
2227 * files. If not, reject the entire operation.
2228 */
2229 fdp = data;
2230 FILEDESC_SLOCK(fdesc);
2231 for (i = 0; i < oldfds; i++, fdp++) {
2232 fp = fget_locked(fdesc, *fdp);
2233 if (fp == NULL) {
2234 FILEDESC_SUNLOCK(fdesc);
2235 error = EBADF;
2236 goto out;
2237 }
2238 if (!(fp->f_ops->fo_flags & DFLAG_PASSABLE)) {
2239 FILEDESC_SUNLOCK(fdesc);
2240 error = EOPNOTSUPP;
2241 goto out;
2242 }
2243
2244 }
2245
2246 /*
2247 * Now replace the integer FDs with pointers to the
2248 * file structure and capability rights.
2249 */
2250 newlen = oldfds * sizeof(fdep[0]);
2251 *controlp = sbcreatecontrol(NULL, newlen,
2252 SCM_RIGHTS, SOL_SOCKET);
2253 if (*controlp == NULL) {
2254 FILEDESC_SUNLOCK(fdesc);
2255 error = E2BIG;
2256 goto out;
2257 }
2258 fdp = data;
2259 for (i = 0; i < oldfds; i++, fdp++) {
2260 if (!fhold(fdesc->fd_ofiles[*fdp].fde_file)) {
2261 fdp = data;
2262 for (j = 0; j < i; j++, fdp++) {
2263 fdrop(fdesc->fd_ofiles[*fdp].
2264 fde_file, td);
2265 }
2266 FILEDESC_SUNLOCK(fdesc);
2267 error = EBADF;
2268 goto out;
2269 }
2270 }
2271 fdp = data;
2272 fdep = (struct filedescent **)
2273 CMSG_DATA(mtod(*controlp, struct cmsghdr *));
2274 fdev = malloc(sizeof(*fdev) * oldfds, M_FILECAPS,
2275 M_WAITOK);
2276 for (i = 0; i < oldfds; i++, fdev++, fdp++) {
2277 fde = &fdesc->fd_ofiles[*fdp];
2278 fdep[i] = fdev;
2279 fdep[i]->fde_file = fde->fde_file;
2280 filecaps_copy(&fde->fde_caps,
2281 &fdep[i]->fde_caps, true);
2282 unp_internalize_fp(fdep[i]->fde_file);
2283 }
2284 FILEDESC_SUNLOCK(fdesc);
2285 break;
2286
2287 case SCM_TIMESTAMP:
2288 *controlp = sbcreatecontrol(NULL, sizeof(*tv),
2289 SCM_TIMESTAMP, SOL_SOCKET);
2290 if (*controlp == NULL) {
2291 error = ENOBUFS;
2292 goto out;
2293 }
2294 tv = (struct timeval *)
2295 CMSG_DATA(mtod(*controlp, struct cmsghdr *));
2296 microtime(tv);
2297 break;
2298
2299 case SCM_BINTIME:
2300 *controlp = sbcreatecontrol(NULL, sizeof(*bt),
2301 SCM_BINTIME, SOL_SOCKET);
2302 if (*controlp == NULL) {
2303 error = ENOBUFS;
2304 goto out;
2305 }
2306 bt = (struct bintime *)
2307 CMSG_DATA(mtod(*controlp, struct cmsghdr *));
2308 bintime(bt);
2309 break;
2310
2311 case SCM_REALTIME:
2312 *controlp = sbcreatecontrol(NULL, sizeof(*ts),
2313 SCM_REALTIME, SOL_SOCKET);
2314 if (*controlp == NULL) {
2315 error = ENOBUFS;
2316 goto out;
2317 }
2318 ts = (struct timespec *)
2319 CMSG_DATA(mtod(*controlp, struct cmsghdr *));
2320 nanotime(ts);
2321 break;
2322
2323 case SCM_MONOTONIC:
2324 *controlp = sbcreatecontrol(NULL, sizeof(*ts),
2325 SCM_MONOTONIC, SOL_SOCKET);
2326 if (*controlp == NULL) {
2327 error = ENOBUFS;
2328 goto out;
2329 }
2330 ts = (struct timespec *)
2331 CMSG_DATA(mtod(*controlp, struct cmsghdr *));
2332 nanouptime(ts);
2333 break;
2334
2335 default:
2336 error = EINVAL;
2337 goto out;
2338 }
2339
2340 if (*controlp != NULL)
2341 controlp = &(*controlp)->m_next;
2342 if (CMSG_SPACE(datalen) < clen) {
2343 clen -= CMSG_SPACE(datalen);
2344 cm = (struct cmsghdr *)
2345 ((caddr_t)cm + CMSG_SPACE(datalen));
2346 } else {
2347 clen = 0;
2348 cm = NULL;
2349 }
2350 }
2351
2352 out:
2353 if (error != 0 && initial_controlp != NULL)
2354 unp_internalize_cleanup_rights(*initial_controlp);
2355 m_freem(control);
2356 return (error);
2357 }
2358
2359 static struct mbuf *
2360 unp_addsockcred(struct thread *td, struct mbuf *control)
2361 {
2362 struct mbuf *m, *n, *n_prev;
2363 struct sockcred *sc;
2364 const struct cmsghdr *cm;
2365 int ngroups;
2366 int i;
2367
2368 ngroups = MIN(td->td_ucred->cr_ngroups, CMGROUP_MAX);
2369 m = sbcreatecontrol(NULL, SOCKCREDSIZE(ngroups), SCM_CREDS, SOL_SOCKET);
2370 if (m == NULL)
2371 return (control);
2372
2373 sc = (struct sockcred *) CMSG_DATA(mtod(m, struct cmsghdr *));
2374 sc->sc_uid = td->td_ucred->cr_ruid;
2375 sc->sc_euid = td->td_ucred->cr_uid;
2376 sc->sc_gid = td->td_ucred->cr_rgid;
2377 sc->sc_egid = td->td_ucred->cr_gid;
2378 sc->sc_ngroups = ngroups;
2379 for (i = 0; i < sc->sc_ngroups; i++)
2380 sc->sc_groups[i] = td->td_ucred->cr_groups[i];
2381
2382 /*
2383 * Unlink SCM_CREDS control messages (struct cmsgcred), since just
2384 * created SCM_CREDS control message (struct sockcred) has another
2385 * format.
2386 */
2387 if (control != NULL)
2388 for (n = control, n_prev = NULL; n != NULL;) {
2389 cm = mtod(n, struct cmsghdr *);
2390 if (cm->cmsg_level == SOL_SOCKET &&
2391 cm->cmsg_type == SCM_CREDS) {
2392 if (n_prev == NULL)
2393 control = n->m_next;
2394 else
2395 n_prev->m_next = n->m_next;
2396 n = m_free(n);
2397 } else {
2398 n_prev = n;
2399 n = n->m_next;
2400 }
2401 }
2402
2403 /* Prepend it to the head. */
2404 m->m_next = control;
2405 return (m);
2406 }
2407
2408 static struct unpcb *
2409 fptounp(struct file *fp)
2410 {
2411 struct socket *so;
2412
2413 if (fp->f_type != DTYPE_SOCKET)
2414 return (NULL);
2415 if ((so = fp->f_data) == NULL)
2416 return (NULL);
2417 if (so->so_proto->pr_domain != &localdomain)
2418 return (NULL);
2419 return sotounpcb(so);
2420 }
2421
2422 static void
2423 unp_discard(struct file *fp)
2424 {
2425 struct unp_defer *dr;
2426
2427 if (unp_externalize_fp(fp)) {
2428 dr = malloc(sizeof(*dr), M_TEMP, M_WAITOK);
2429 dr->ud_fp = fp;
2430 UNP_DEFERRED_LOCK();
2431 SLIST_INSERT_HEAD(&unp_defers, dr, ud_link);
2432 UNP_DEFERRED_UNLOCK();
2433 atomic_add_int(&unp_defers_count, 1);
2434 taskqueue_enqueue(taskqueue_thread, &unp_defer_task);
2435 } else
2436 (void) closef(fp, (struct thread *)NULL);
2437 }
2438
2439 static void
2440 unp_process_defers(void *arg __unused, int pending)
2441 {
2442 struct unp_defer *dr;
2443 SLIST_HEAD(, unp_defer) drl;
2444 int count;
2445
2446 SLIST_INIT(&drl);
2447 for (;;) {
2448 UNP_DEFERRED_LOCK();
2449 if (SLIST_FIRST(&unp_defers) == NULL) {
2450 UNP_DEFERRED_UNLOCK();
2451 break;
2452 }
2453 SLIST_SWAP(&unp_defers, &drl, unp_defer);
2454 UNP_DEFERRED_UNLOCK();
2455 count = 0;
2456 while ((dr = SLIST_FIRST(&drl)) != NULL) {
2457 SLIST_REMOVE_HEAD(&drl, ud_link);
2458 closef(dr->ud_fp, NULL);
2459 free(dr, M_TEMP);
2460 count++;
2461 }
2462 atomic_add_int(&unp_defers_count, -count);
2463 }
2464 }
2465
2466 static void
2467 unp_internalize_fp(struct file *fp)
2468 {
2469 struct unpcb *unp;
2470
2471 UNP_LINK_WLOCK();
2472 if ((unp = fptounp(fp)) != NULL) {
2473 unp->unp_file = fp;
2474 unp->unp_msgcount++;
2475 }
2476 unp_rights++;
2477 UNP_LINK_WUNLOCK();
2478 }
2479
2480 static int
2481 unp_externalize_fp(struct file *fp)
2482 {
2483 struct unpcb *unp;
2484 int ret;
2485
2486 UNP_LINK_WLOCK();
2487 if ((unp = fptounp(fp)) != NULL) {
2488 unp->unp_msgcount--;
2489 ret = 1;
2490 } else
2491 ret = 0;
2492 unp_rights--;
2493 UNP_LINK_WUNLOCK();
2494 return (ret);
2495 }
2496
2497 /*
2498 * unp_defer indicates whether additional work has been defered for a future
2499 * pass through unp_gc(). It is thread local and does not require explicit
2500 * synchronization.
2501 */
2502 static int unp_marked;
2503 static int unp_unreachable;
2504
2505 static void
2506 unp_accessable(struct filedescent **fdep, int fdcount)
2507 {
2508 struct unpcb *unp;
2509 struct file *fp;
2510 int i;
2511
2512 for (i = 0; i < fdcount; i++) {
2513 fp = fdep[i]->fde_file;
2514 if ((unp = fptounp(fp)) == NULL)
2515 continue;
2516 if (unp->unp_gcflag & UNPGC_REF)
2517 continue;
2518 unp->unp_gcflag &= ~UNPGC_DEAD;
2519 unp->unp_gcflag |= UNPGC_REF;
2520 unp_marked++;
2521 }
2522 }
2523
2524 static void
2525 unp_gc_process(struct unpcb *unp)
2526 {
2527 struct socket *so, *soa;
2528 struct file *fp;
2529
2530 /* Already processed. */
2531 if (unp->unp_gcflag & UNPGC_SCANNED)
2532 return;
2533 fp = unp->unp_file;
2534
2535 /*
2536 * Check for a socket potentially in a cycle. It must be in a
2537 * queue as indicated by msgcount, and this must equal the file
2538 * reference count. Note that when msgcount is 0 the file is NULL.
2539 */
2540 if ((unp->unp_gcflag & UNPGC_REF) == 0 && fp &&
2541 unp->unp_msgcount != 0 && fp->f_count == unp->unp_msgcount) {
2542 unp->unp_gcflag |= UNPGC_DEAD;
2543 unp_unreachable++;
2544 return;
2545 }
2546
2547 so = unp->unp_socket;
2548 SOCK_LOCK(so);
2549 if (SOLISTENING(so)) {
2550 /*
2551 * Mark all sockets in our accept queue.
2552 */
2553 TAILQ_FOREACH(soa, &so->sol_comp, so_list) {
2554 if (sotounpcb(soa)->unp_gcflag & UNPGC_IGNORE_RIGHTS)
2555 continue;
2556 SOCKBUF_LOCK(&soa->so_rcv);
2557 unp_scan(soa->so_rcv.sb_mb, unp_accessable);
2558 SOCKBUF_UNLOCK(&soa->so_rcv);
2559 }
2560 } else {
2561 /*
2562 * Mark all sockets we reference with RIGHTS.
2563 */
2564 if ((unp->unp_gcflag & UNPGC_IGNORE_RIGHTS) == 0) {
2565 SOCKBUF_LOCK(&so->so_rcv);
2566 unp_scan(so->so_rcv.sb_mb, unp_accessable);
2567 SOCKBUF_UNLOCK(&so->so_rcv);
2568 }
2569 }
2570 SOCK_UNLOCK(so);
2571 unp->unp_gcflag |= UNPGC_SCANNED;
2572 }
2573
2574 static int unp_recycled;
2575 SYSCTL_INT(_net_local, OID_AUTO, recycled, CTLFLAG_RD, &unp_recycled, 0,
2576 "Number of unreachable sockets claimed by the garbage collector.");
2577
2578 static int unp_taskcount;
2579 SYSCTL_INT(_net_local, OID_AUTO, taskcount, CTLFLAG_RD, &unp_taskcount, 0,
2580 "Number of times the garbage collector has run.");
2581
2582 static void
2583 unp_gc(__unused void *arg, int pending)
2584 {
2585 struct unp_head *heads[] = { &unp_dhead, &unp_shead, &unp_sphead,
2586 NULL };
2587 struct unp_head **head;
2588 struct file *f, **unref;
2589 struct unpcb *unp;
2590 int i, total;
2591
2592 unp_taskcount++;
2593 UNP_LINK_RLOCK();
2594 /*
2595 * First clear all gc flags from previous runs, apart from
2596 * UNPGC_IGNORE_RIGHTS.
2597 */
2598 for (head = heads; *head != NULL; head++)
2599 LIST_FOREACH(unp, *head, unp_link)
2600 unp->unp_gcflag =
2601 (unp->unp_gcflag & UNPGC_IGNORE_RIGHTS);
2602
2603 /*
2604 * Scan marking all reachable sockets with UNPGC_REF. Once a socket
2605 * is reachable all of the sockets it references are reachable.
2606 * Stop the scan once we do a complete loop without discovering
2607 * a new reachable socket.
2608 */
2609 do {
2610 unp_unreachable = 0;
2611 unp_marked = 0;
2612 for (head = heads; *head != NULL; head++)
2613 LIST_FOREACH(unp, *head, unp_link)
2614 unp_gc_process(unp);
2615 } while (unp_marked);
2616 UNP_LINK_RUNLOCK();
2617 if (unp_unreachable == 0)
2618 return;
2619
2620 /*
2621 * Allocate space for a local list of dead unpcbs.
2622 */
2623 unref = malloc(unp_unreachable * sizeof(struct file *),
2624 M_TEMP, M_WAITOK);
2625
2626 /*
2627 * Iterate looking for sockets which have been specifically marked
2628 * as as unreachable and store them locally.
2629 */
2630 UNP_LINK_RLOCK();
2631 for (total = 0, head = heads; *head != NULL; head++)
2632 LIST_FOREACH(unp, *head, unp_link)
2633 if ((unp->unp_gcflag & UNPGC_DEAD) != 0) {
2634 f = unp->unp_file;
2635 if (unp->unp_msgcount == 0 || f == NULL ||
2636 f->f_count != unp->unp_msgcount ||
2637 !fhold(f))
2638 continue;
2639 unref[total++] = f;
2640 KASSERT(total <= unp_unreachable,
2641 ("unp_gc: incorrect unreachable count."));
2642 }
2643 UNP_LINK_RUNLOCK();
2644
2645 /*
2646 * Now flush all sockets, free'ing rights. This will free the
2647 * struct files associated with these sockets but leave each socket
2648 * with one remaining ref.
2649 */
2650 for (i = 0; i < total; i++) {
2651 struct socket *so;
2652
2653 so = unref[i]->f_data;
2654 CURVNET_SET(so->so_vnet);
2655 sorflush(so);
2656 CURVNET_RESTORE();
2657 }
2658
2659 /*
2660 * And finally release the sockets so they can be reclaimed.
2661 */
2662 for (i = 0; i < total; i++)
2663 fdrop(unref[i], NULL);
2664 unp_recycled += total;
2665 free(unref, M_TEMP);
2666 }
2667
2668 static void
2669 unp_dispose_mbuf(struct mbuf *m)
2670 {
2671
2672 if (m)
2673 unp_scan(m, unp_freerights);
2674 }
2675
2676 /*
2677 * Synchronize against unp_gc, which can trip over data as we are freeing it.
2678 */
2679 static void
2680 unp_dispose(struct socket *so)
2681 {
2682 struct unpcb *unp;
2683
2684 unp = sotounpcb(so);
2685 UNP_LINK_WLOCK();
2686 unp->unp_gcflag |= UNPGC_IGNORE_RIGHTS;
2687 UNP_LINK_WUNLOCK();
2688 if (!SOLISTENING(so))
2689 unp_dispose_mbuf(so->so_rcv.sb_mb);
2690 }
2691
2692 static void
2693 unp_scan(struct mbuf *m0, void (*op)(struct filedescent **, int))
2694 {
2695 struct mbuf *m;
2696 struct cmsghdr *cm;
2697 void *data;
2698 socklen_t clen, datalen;
2699
2700 while (m0 != NULL) {
2701 for (m = m0; m; m = m->m_next) {
2702 if (m->m_type != MT_CONTROL)
2703 continue;
2704
2705 cm = mtod(m, struct cmsghdr *);
2706 clen = m->m_len;
2707
2708 while (cm != NULL) {
2709 if (sizeof(*cm) > clen || cm->cmsg_len > clen)
2710 break;
2711
2712 data = CMSG_DATA(cm);
2713 datalen = (caddr_t)cm + cm->cmsg_len
2714 - (caddr_t)data;
2715
2716 if (cm->cmsg_level == SOL_SOCKET &&
2717 cm->cmsg_type == SCM_RIGHTS) {
2718 (*op)(data, datalen /
2719 sizeof(struct filedescent *));
2720 }
2721
2722 if (CMSG_SPACE(datalen) < clen) {
2723 clen -= CMSG_SPACE(datalen);
2724 cm = (struct cmsghdr *)
2725 ((caddr_t)cm + CMSG_SPACE(datalen));
2726 } else {
2727 clen = 0;
2728 cm = NULL;
2729 }
2730 }
2731 }
2732 m0 = m0->m_nextpkt;
2733 }
2734 }
2735
2736 /*
2737 * A helper function called by VFS before socket-type vnode reclamation.
2738 * For an active vnode it clears unp_vnode pointer and decrements unp_vnode
2739 * use count.
2740 */
2741 void
2742 vfs_unp_reclaim(struct vnode *vp)
2743 {
2744 struct unpcb *unp;
2745 int active;
2746 struct mtx *vplock;
2747
2748 ASSERT_VOP_ELOCKED(vp, "vfs_unp_reclaim");
2749 KASSERT(vp->v_type == VSOCK,
2750 ("vfs_unp_reclaim: vp->v_type != VSOCK"));
2751
2752 active = 0;
2753 vplock = mtx_pool_find(mtxpool_sleep, vp);
2754 mtx_lock(vplock);
2755 VOP_UNP_CONNECT(vp, &unp);
2756 if (unp == NULL)
2757 goto done;
2758 UNP_PCB_LOCK(unp);
2759 if (unp->unp_vnode == vp) {
2760 VOP_UNP_DETACH(vp);
2761 unp->unp_vnode = NULL;
2762 active = 1;
2763 }
2764 UNP_PCB_UNLOCK(unp);
2765 done:
2766 mtx_unlock(vplock);
2767 if (active)
2768 vunref(vp);
2769 }
2770
2771 #ifdef DDB
2772 static void
2773 db_print_indent(int indent)
2774 {
2775 int i;
2776
2777 for (i = 0; i < indent; i++)
2778 db_printf(" ");
2779 }
2780
2781 static void
2782 db_print_unpflags(int unp_flags)
2783 {
2784 int comma;
2785
2786 comma = 0;
2787 if (unp_flags & UNP_HAVEPC) {
2788 db_printf("%sUNP_HAVEPC", comma ? ", " : "");
2789 comma = 1;
2790 }
2791 if (unp_flags & UNP_WANTCRED) {
2792 db_printf("%sUNP_WANTCRED", comma ? ", " : "");
2793 comma = 1;
2794 }
2795 if (unp_flags & UNP_CONNWAIT) {
2796 db_printf("%sUNP_CONNWAIT", comma ? ", " : "");
2797 comma = 1;
2798 }
2799 if (unp_flags & UNP_CONNECTING) {
2800 db_printf("%sUNP_CONNECTING", comma ? ", " : "");
2801 comma = 1;
2802 }
2803 if (unp_flags & UNP_BINDING) {
2804 db_printf("%sUNP_BINDING", comma ? ", " : "");
2805 comma = 1;
2806 }
2807 }
2808
2809 static void
2810 db_print_xucred(int indent, struct xucred *xu)
2811 {
2812 int comma, i;
2813
2814 db_print_indent(indent);
2815 db_printf("cr_version: %u cr_uid: %u cr_pid: %d cr_ngroups: %d\n",
2816 xu->cr_version, xu->cr_uid, xu->cr_pid, xu->cr_ngroups);
2817 db_print_indent(indent);
2818 db_printf("cr_groups: ");
2819 comma = 0;
2820 for (i = 0; i < xu->cr_ngroups; i++) {
2821 db_printf("%s%u", comma ? ", " : "", xu->cr_groups[i]);
2822 comma = 1;
2823 }
2824 db_printf("\n");
2825 }
2826
2827 static void
2828 db_print_unprefs(int indent, struct unp_head *uh)
2829 {
2830 struct unpcb *unp;
2831 int counter;
2832
2833 counter = 0;
2834 LIST_FOREACH(unp, uh, unp_reflink) {
2835 if (counter % 4 == 0)
2836 db_print_indent(indent);
2837 db_printf("%p ", unp);
2838 if (counter % 4 == 3)
2839 db_printf("\n");
2840 counter++;
2841 }
2842 if (counter != 0 && counter % 4 != 0)
2843 db_printf("\n");
2844 }
2845
2846 DB_SHOW_COMMAND(unpcb, db_show_unpcb)
2847 {
2848 struct unpcb *unp;
2849
2850 if (!have_addr) {
2851 db_printf("usage: show unpcb <addr>\n");
2852 return;
2853 }
2854 unp = (struct unpcb *)addr;
2855
2856 db_printf("unp_socket: %p unp_vnode: %p\n", unp->unp_socket,
2857 unp->unp_vnode);
2858
2859 db_printf("unp_ino: %ju unp_conn: %p\n", (uintmax_t)unp->unp_ino,
2860 unp->unp_conn);
2861
2862 db_printf("unp_refs:\n");
2863 db_print_unprefs(2, &unp->unp_refs);
2864
2865 /* XXXRW: Would be nice to print the full address, if any. */
2866 db_printf("unp_addr: %p\n", unp->unp_addr);
2867
2868 db_printf("unp_gencnt: %llu\n",
2869 (unsigned long long)unp->unp_gencnt);
2870
2871 db_printf("unp_flags: %x (", unp->unp_flags);
2872 db_print_unpflags(unp->unp_flags);
2873 db_printf(")\n");
2874
2875 db_printf("unp_peercred:\n");
2876 db_print_xucred(2, &unp->unp_peercred);
2877
2878 db_printf("unp_refcount: %u\n", unp->unp_refcount);
2879 }
2880 #endif
Cache object: 43298d96c29781ed7136e9b6c9883bb8
|