From: Christian Brauner
Sent: 04 June 2020 13:52
..
For scm you can fail somewhere in the middle of putting any number of file descriptors so you're left in a state with only a subset of requested file descriptors installed so it's not really useful there. And if you manage to install an fd but then fail to put_user() it userspace can simply check it's fds via proc and has to anyway on any scm message error. If you fail an scm message userspace better check their fds.
There is a similar error path in the sctp 'peeloff' code. If the put_user() fails it currently closes the fd before returning -EFAULT.
I'm not at all sure this is helpful. The application can't tell whether the SIGSEGV happened on the copyin of the parameters or the copyout of the result.
ISTM that if the application passes an address that cannot be written to it deserves what it gets - typically an fd it doesn't know the number of.
What is important is that the kernel data is consistent. So when the process exits the fd is closed and all the resources are released.
David
- Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)