[Bug 215933] SCM_RIGHTS messages being lost, socket data being lost as well, with example code..

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Tue Jan 10 11:48:01 UTC 2017 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=215933

            Bug ID: 215933
           Summary: SCM_RIGHTS messages being lost, socket data being lost
                    as well, with example code..
           Product: Base System
           Version: 10.3-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: ian at niw.com.au

Created attachment 178701
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=178701&action=edit
Minimal example code to demonstrate the bug

I have a reproducible situation where an entire message including SCM_RIGHTS is
lost when transmitting over a unix domain socket.

This situation occurs when the total transmitted data alligns with the size of
the socket buffer. The attached code reproduces this on many platforms
including freebsd 8.4, and 10.3.

The attached code sends a variable size message without an attached fd,
followed by a fixed small size message containing a SCM_RIGHTS message. Some of
these messages go missing in the kernel.

dtrace summing the total of the 'sendmsg' syscalls against the 'recvmsg'
syscalls confirms this.

Typical output from the attached example is as follows

Master sent a total of 18203750 bytes
Slave done received a total of 18203190 bytes, dropped 35 frames (Guessed
original based on fdesc frame only frame drops 18203750)..

The output from the dtrace script which counts the raw syscall return values
for sendmsg and recvmsg is as follows

Sent=18203750 rcvd=18203190

This indicates that 35 16 byte messages with an attached file descriptor were
lost while being transmitted over a unix domain socket. There was no error
returned to the sending end.

My wild guess is that when the 'data' portion of the message with SCM_RIGHTS
fits in the socket buffer, but the 'extra' data for the SCM_RIGHTS does not,
the return value indicates a success (bytes total matches requested), but the
messages is dropped because the SCM_RIGHTS extra data overflows.

The output from the example program shows a combined receive very close to the
socket buffer size for every drop.

The following dtrace script was used to verify the behaviour at the syscall
level.

#pragma D option quiet

BEGIN
{
  totalsent=0;
  totalrcvd=0;
}

syscall::sendmsg:return
/execname == "scm_rights_thrash"/
{
  totalsent+=arg1;
}

syscall::recvmsg:return
/execname == "scm_rights_thrash"/
{
  totalrcvd+=arg1;
}

END
{
  printf("Sent=%d rcvd=%d\n",totalsent,totalrcvd);
}

-- 
You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-bugs mailing list