Re: [PATCH] UNIX: Do not loop forever at unix_autobind().

From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
To: eric.dumazet@gmail.com
Cc: netdev@vger.kernel.org
Subject: Re: [PATCH] UNIX: Do not loop forever at unix_autobind().
Date: Sat, 04 Sep 2010 20:34:28 +0900	[thread overview]
Message-ID: <201009041134.o84BYS0E082227@www262.sakura.ne.jp> (raw)
In-Reply-To: <1283597729.3402.16.camel@edumazet-laptop>

Eric Dumazet wrote:
> Le samedi 04 septembre 2010 a 18:31 +0900, Tetsuo Handa a ecrit :
> > +		cond_resched();
> > +		/* Give up if all names seems to be in use. */
> > +		if (retries++ == 0xFFFFF) {
> > +			err = -ENOMEM;
> > +			kfree(addr);
> > +			goto out;
> > +		}
> >  		goto retry;
> >  	}
> >  	addr->hash ^= sk->sk_type;
> 
> Yes, but please use a different error code, its not ENOMEM...
> maybe EBUSY or ENOSPC ...

OK. I choose -ENOSPC.
----------------------------------------
>From c3ea4d8b28618dff235621ff1cb62e6a17aab423 Mon Sep 17 00:00:00 2001
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Date: Sat, 4 Sep 2010 20:27:31 +0900
Subject: [PATCH] UNIX: Do not loop forever at unix_autobind().

We assumed that unix_autobind() never fails if kzalloc() succeeded.
But unix_autobind() allows only 1048576 names. If /proc/sys/fs/file-max is
larger than 1048576 (e.g. systems with more than 10GB of RAM), a local user can
consume all names using fork()/socket()/bind().

If all names are in use, those who call bind() with addr_len == sizeof(short)
or connect()/sendmsg() with setsockopt(SO_PASSCRED) will continue

  while (1)
        yield();

loop at unix_autobind() till a name becomes available.
This patch adds a loop counter in order to give up after 1048576 attempts.

Calling yield() for once per 256 attempts may not be sufficient when many names
are already in use, for __unix_find_socket_byname() can take long time under
such circumstance. Therefore, this patch also adds cond_resched() call.

Note that currently a local user can consume 2GB of kernel memory if the user
is allowed to create and autobind 1048576 UNIX domain sockets. We should
consider adding some restriction for autobind operation.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
 net/unix/af_unix.c |   15 ++++++++++++---
 1 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 4414a18..0b39b24 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -692,6 +692,7 @@ static int unix_autobind(struct socket *sock)
 	static u32 ordernum = 1;
 	struct unix_address *addr;
 	int err;
+	unsigned int retries = 0;
 
 	mutex_lock(&u->readlock);
 
@@ -717,9 +718,17 @@ retry:
 	if (__unix_find_socket_byname(net, addr->name, addr->len, sock->type,
 				      addr->hash)) {
 		spin_unlock(&unix_table_lock);
-		/* Sanity yield. It is unusual case, but yet... */
-		if (!(ordernum&0xFF))
-			yield();
+		/*
+		 * __unix_find_socket_byname() may take long time if many names
+		 * are already in use.
+		 */
+		cond_resched();
+		/* Give up if all names seems to be in use. */
+		if (retries++ == 0xFFFFF) {
+			err = -ENOSPC;
+			kfree(addr);
+			goto out;
+		}
 		goto retry;
 	}
 	addr->hash ^= sk->sk_type;
-- 
1.6.1

