1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71#include <linux/kernel.h>
72#include <linux/string.h>
73#include <linux/socket.h>
74#include <linux/un.h>
75#include <linux/net.h>
76#include <linux/fs.h>
77#include <linux/skbuff.h>
78#include <linux/netdevice.h>
79#include <linux/file.h>
80#include <linux/proc_fs.h>
81#include <linux/mutex.h>
82#include <linux/wait.h>
83
84#include <net/sock.h>
85#include <net/af_unix.h>
86#include <net/scm.h>
87#include <net/tcp_states.h>
88
89
90
91static LIST_HEAD(gc_inflight_list);
92static LIST_HEAD(gc_candidates);
93static DEFINE_SPINLOCK(unix_gc_lock);
94static DECLARE_WAIT_QUEUE_HEAD(unix_gc_wait);
95
96unsigned int unix_tot_inflight;
97
98struct sock *unix_get_socket(struct file *filp)
99{
100 struct sock *u_sock = NULL;
101 struct inode *inode = file_inode(filp);
102
103
104 if (S_ISSOCK(inode->i_mode) && !(filp->f_mode & FMODE_PATH)) {
105 struct socket *sock = SOCKET_I(inode);
106 struct sock *s = sock->sk;
107
108
109 if (s && sock->ops && sock->ops->family == PF_UNIX)
110 u_sock = s;
111 }
112 return u_sock;
113}
114
115
116
117
118
119void unix_inflight(struct user_struct *user, struct file *fp)
120{
121 struct sock *s = unix_get_socket(fp);
122
123 spin_lock(&unix_gc_lock);
124
125 if (s) {
126 struct unix_sock *u = unix_sk(s);
127
128 if (atomic_long_inc_return(&u->inflight) == 1) {
129 BUG_ON(!list_empty(&u->link));
130 list_add_tail(&u->link, &gc_inflight_list);
131 } else {
132 BUG_ON(list_empty(&u->link));
133 }
134 unix_tot_inflight++;
135 }
136 user->unix_inflight++;
137 spin_unlock(&unix_gc_lock);
138}
139
140void unix_notinflight(struct user_struct *user, struct file *fp)
141{
142 struct sock *s = unix_get_socket(fp);
143
144 spin_lock(&unix_gc_lock);
145
146 if (s) {
147 struct unix_sock *u = unix_sk(s);
148
149 BUG_ON(!atomic_long_read(&u->inflight));
150 BUG_ON(list_empty(&u->link));
151
152 if (atomic_long_dec_and_test(&u->inflight))
153 list_del_init(&u->link);
154 unix_tot_inflight--;
155 }
156 user->unix_inflight--;
157 spin_unlock(&unix_gc_lock);
158}
159
160static void scan_inflight(struct sock *x, void (*func)(struct unix_sock *),
161 struct sk_buff_head *hitlist)
162{
163 struct sk_buff *skb;
164 struct sk_buff *next;
165
166 spin_lock(&x->sk_receive_queue.lock);
167 skb_queue_walk_safe(&x->sk_receive_queue, skb, next) {
168
169 if (UNIXCB(skb).fp) {
170 bool hit = false;
171
172 int nfd = UNIXCB(skb).fp->count;
173 struct file **fp = UNIXCB(skb).fp->fp;
174
175 while (nfd--) {
176
177 struct sock *sk = unix_get_socket(*fp++);
178
179 if (sk) {
180 struct unix_sock *u = unix_sk(sk);
181
182
183
184
185
186 if (test_bit(UNIX_GC_CANDIDATE, &u->gc_flags)) {
187 hit = true;
188
189 func(u);
190 }
191 }
192 }
193 if (hit && hitlist != NULL) {
194 __skb_unlink(skb, &x->sk_receive_queue);
195 __skb_queue_tail(hitlist, skb);
196 }
197 }
198 }
199 spin_unlock(&x->sk_receive_queue.lock);
200}
201
202static void scan_children(struct sock *x, void (*func)(struct unix_sock *),
203 struct sk_buff_head *hitlist)
204{
205 if (x->sk_state != TCP_LISTEN) {
206 scan_inflight(x, func, hitlist);
207 } else {
208 struct sk_buff *skb;
209 struct sk_buff *next;
210 struct unix_sock *u;
211 LIST_HEAD(embryos);
212
213
214
215
216 spin_lock(&x->sk_receive_queue.lock);
217 skb_queue_walk_safe(&x->sk_receive_queue, skb, next) {
218 u = unix_sk(skb->sk);
219
220
221
222
223 BUG_ON(!list_empty(&u->link));
224 list_add_tail(&u->link, &embryos);
225 }
226 spin_unlock(&x->sk_receive_queue.lock);
227
228 while (!list_empty(&embryos)) {
229 u = list_entry(embryos.next, struct unix_sock, link);
230 scan_inflight(&u->sk, func, hitlist);
231 list_del_init(&u->link);
232 }
233 }
234}
235
236static void dec_inflight(struct unix_sock *usk)
237{
238 atomic_long_dec(&usk->inflight);
239}
240
241static void inc_inflight(struct unix_sock *usk)
242{
243 atomic_long_inc(&usk->inflight);
244}
245
246static void inc_inflight_move_tail(struct unix_sock *u)
247{
248 atomic_long_inc(&u->inflight);
249
250
251
252
253 if (test_bit(UNIX_GC_MAYBE_CYCLE, &u->gc_flags))
254 list_move_tail(&u->link, &gc_candidates);
255}
256
257static bool gc_in_progress;
258#define UNIX_INFLIGHT_TRIGGER_GC 16000
259
260void wait_for_unix_gc(void)
261{
262
263
264
265 if (unix_tot_inflight > UNIX_INFLIGHT_TRIGGER_GC && !gc_in_progress)
266 unix_gc();
267 wait_event(unix_gc_wait, gc_in_progress == false);
268}
269
270
271void unix_gc(void)
272{
273 struct unix_sock *u;
274 struct unix_sock *next;
275 struct sk_buff_head hitlist;
276 struct list_head cursor;
277 LIST_HEAD(not_cycle_list);
278
279 spin_lock(&unix_gc_lock);
280
281
282 if (gc_in_progress)
283 goto out;
284
285 gc_in_progress = true;
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301 list_for_each_entry_safe(u, next, &gc_inflight_list, link) {
302 long total_refs;
303 long inflight_refs;
304
305 total_refs = file_count(u->sk.sk_socket->file);
306 inflight_refs = atomic_long_read(&u->inflight);
307
308 BUG_ON(inflight_refs < 1);
309 BUG_ON(total_refs < inflight_refs);
310 if (total_refs == inflight_refs) {
311 list_move_tail(&u->link, &gc_candidates);
312 __set_bit(UNIX_GC_CANDIDATE, &u->gc_flags);
313 __set_bit(UNIX_GC_MAYBE_CYCLE, &u->gc_flags);
314 }
315 }
316
317
318
319
320 list_for_each_entry(u, &gc_candidates, link)
321 scan_children(&u->sk, dec_inflight, NULL);
322
323
324
325
326
327
328
329
330 list_add(&cursor, &gc_candidates);
331 while (cursor.next != &gc_candidates) {
332 u = list_entry(cursor.next, struct unix_sock, link);
333
334
335 list_move(&cursor, &u->link);
336
337 if (atomic_long_read(&u->inflight) > 0) {
338 list_move_tail(&u->link, ¬_cycle_list);
339 __clear_bit(UNIX_GC_MAYBE_CYCLE, &u->gc_flags);
340 scan_children(&u->sk, inc_inflight_move_tail, NULL);
341 }
342 }
343 list_del(&cursor);
344
345
346
347
348
349 skb_queue_head_init(&hitlist);
350 list_for_each_entry(u, &gc_candidates, link)
351 scan_children(&u->sk, inc_inflight, &hitlist);
352
353
354
355
356 while (!list_empty(¬_cycle_list)) {
357 u = list_entry(not_cycle_list.next, struct unix_sock, link);
358 __clear_bit(UNIX_GC_CANDIDATE, &u->gc_flags);
359 list_move_tail(&u->link, &gc_inflight_list);
360 }
361
362 spin_unlock(&unix_gc_lock);
363
364
365 __skb_queue_purge(&hitlist);
366
367 spin_lock(&unix_gc_lock);
368
369
370 BUG_ON(!list_empty(&gc_candidates));
371 gc_in_progress = false;
372 wake_up(&unix_gc_wait);
373
374 out:
375 spin_unlock(&unix_gc_lock);
376}
377