Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp908318imm; Tue, 15 May 2018 10:54:06 -0700 (PDT) X-Google-Smtp-Source: AB8JxZqHFjfukxgZJqdOat7eNG+OQ4wicBcBwBIg8KJQcygx9GJsWZ6lHHcVej1RqNtk4Mfiw6go X-Received: by 2002:a17:902:a702:: with SMTP id w2-v6mr15137502plq.8.1526406846269; Tue, 15 May 2018 10:54:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1526406846; cv=none; d=google.com; s=arc-20160816; b=SsMatdu1JQPir/c74N4ez0wOI5t/8Y72SSEnb28Y5PhgQh+wviRlJNJnr/jnpcqDM8 zfYdlGtcxpGYDS8tnWmuOX8QRKYna5xlCIGL+5H5a4om5ENKssIutW9yISt106DMQUmy 9eceojYBuISY6sBTMQl2g2Zn6t4TDBLLwlIwAZunOTrja/Jhi/avFrydp/WHm55fIgjY GvygNrvTdt/trxq+p+qlCbnynDQjEw6jgqEwM1YevL5ZTzklupISTPzpHgOF7wsnG2MN gjPIBPuQIIGV8vMmeg05L/QOI5bkvKZvzSwYlakS9LqNw0fgbTM/Czxfp0/mNYj/bWfo x/cw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-disposition:mime-version :message-id:subject:cc:to:from:date:dkim-signature:dkim-signature :arc-authentication-results; bh=tXMUUA/t9esl/OnFEDdw2TUxts6Xx2j2FBh5ACvaxmw=; b=Bk/jqaR0BBAb/NAHjubBRI4lv2AJHOrSyHVKLPzo4pPNSapvEPY7NimOy9iHhTILrA YeBeC4A+6gIFJSfW0CxDpDUsHo+VsACxUqwFXDqeyY+8yVcc7KotP5jbqj+A23lGwSG0 aZfqsAoL63kU5QnhvE/Ql7hLRkd9/5whI+yJbjj8yrgrPPY+18n83UOE3rQFDGug8Tiz 4za1ovt2adxjBdyyR9Tt84C2h40uO5czVFP8a6ps3Y5ynlTyDETFNYwl8QLGWP1XliVq 8FnZxzB92Db6S7+ZZ2i9QPFoEplF7y3tLxFZJrgiDv/xg8rDiLQJLhXNKmIZzuScvpte 979A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@anarazel.de header.s=fm1 header.b=iy09Qj45; dkim=pass header.i=@messagingengine.com header.s=fm2 header.b=gYACTohH; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w27-v6si395643pgc.645.2018.05.15.10.53.51; Tue, 15 May 2018 10:54:06 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@anarazel.de header.s=fm1 header.b=iy09Qj45; dkim=pass header.i=@messagingengine.com header.s=fm2 header.b=gYACTohH; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753464AbeEORwG (ORCPT + 99 others); Tue, 15 May 2018 13:52:06 -0400 Received: from out2-smtp.messagingengine.com ([66.111.4.26]:33707 "EHLO out2-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753309AbeEORwE (ORCPT ); Tue, 15 May 2018 13:52:04 -0400 Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id EA0A82212A; Tue, 15 May 2018 13:52:03 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute5.internal (MEProxy); Tue, 15 May 2018 13:52:03 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=anarazel.de; h= cc:content-type:date:from:message-id:mime-version:subject:to :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=tXMUUA/t9esl/OnFE Ddw2TUxts6Xx2j2FBh5ACvaxmw=; b=iy09Qj45LLhpz0Gttt+smHLsN1tCBGmEE wKq3zkQaZEccEJ6G4rA0DnGqxieYub4QoU+Ki4HdAZMjS/CZjfMLvER4T+87bhig L01tBCvkdwvdVX5eah+Ajs2p02iV9VrlP4uzSe0IfwJAyYol1Xq4VB9xPNLCtlse FATtK+CxT/hCeMkikCCVELmXM+DRoXuoxpaMeVr2ZqGJ0JsjAJv1mmWljjxbgItM URO3KILawchvN08Eor/75ERxYGhnTcV4G2ulf5LROabBCGHPFzGykyOe8Ed4NRGC 5/YlgNwiuoOasC8LEEDWuDdRtmch27EREyhAuP5TTK6KZb2Qh+l/w== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:message-id :mime-version:subject:to:x-me-sender:x-me-sender:x-sasl-enc; s= fm2; bh=tXMUUA/t9esl/OnFEDdw2TUxts6Xx2j2FBh5ACvaxmw=; b=gYACTohH dsCOxJad2sJ1Hpl/8h/xcWobWZVmPc0iyvUOnc3p8So+YQ4dVEnoIk9VtDSKwkGU Kl62YeW9074hVe/IFn5I2ZyKYElNfkFZEqkcV9oruiN1074iLe9q0xHOuWe8uTl7 xZ4BmxLW2fk3c95BVb9iJDKyQJ257q7yc2ZgCYZ2uX6xPX4HWjE54rQIMAV9j/yu VhKdbBDnBOkPefLvDxk+KQBV0rAb/Mj6kaZT/sfOp4RsVSBYye8UoqpmM9Tz7vYu rMiz2TC6Q8Sr/61ImIPoOTGAeWduZcl2SQv7ILprM8LM3Xv3L+CQhczX1nXdl3qA iL5LrmSdbW6J2w== X-ME-Sender: Received: from intern.anarazel.de (c-98-210-140-171.hsd1.ca.comcast.net [98.210.140.171]) by mail.messagingengine.com (Postfix) with ESMTPA id 90FEB10263; Tue, 15 May 2018 13:52:03 -0400 (EDT) Date: Tue, 15 May 2018 10:52:02 -0700 From: Andres Freund To: "David S. Miller" , mtk.manpages@gmail.com, Kees Cook , David Windsor , Hans Liljestrand , "Reshetova, Elena" , Al Viro Cc: linux-man@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: SCM_RIGHTS and file descriptor limits Message-ID: <20180515175202.glz4e4gxtarefna5@alap3.anarazel.de> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, I'm not sure if this is a documentation omission, kernel code bug, missing understanding on my part, or all of the above. I'm looking at recvmsg()'s behaviour for AF_UNIX, where the sender has sent an fd using SCM_RIGHTS, and the receiving process has already exceeded RLIMIT_NOFILE. By my reading of scm_detach_fds() (called from unix_stream_read_generic() / unix_dgram_recvmsg(), via scm_recv()), the error appears to just be thrown away, with no notification given to userland at all: void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm) { ... for (i=0, cmfptr=(__force int __user *)CMSG_DATA(cm); imsg_flags ? O_CLOEXEC : 0); if (err < 0) break; If I understand correctly no error is reported to the user (function returns void, no put_user() calls for the unsuccessful fds/i), but all the scm data is "consumed" via scm_destroy(). Silently consuming data without reporting an error doesn't strike me as nice. Now admittedly scm is one of the more kludgey interfaces, and it's not entirely obvious how one would do much better without significant added complication - the correct behaviour seems to be to return EMFILE, but that'd need to somehow rewind the received data, which seems complicated... On the other hand it's not generally knowable how many file descriptors the other side sent, so one really needs to duplicate all scm information on the data level to make sure nothing gets lost. In case this is something that won't be fixed, it seems appropriate to add a section to the man pages (hence CCing linux man-pages list) Greetings, Andres Freund