Re: [PATCH v3 net-next 6/9] af_unix: Move SOCK_PASS{CRED,PIDFD,SEC} to struct sock.

[Kuniyuki Iwashima <kuniyu@amazon.com>]

From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Date: Thu, 15 May 2025 18:07:59 -0400
> Kuniyuki Iwashima wrote:
> > From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
> > Date: Thu, 15 May 2025 14:44:14 -0400
> > > Kuniyuki Iwashima wrote:
> > > > As explained in the next patch, SO_PASSRIGHTS would have a problem
> > > > if we assigned a corresponding bit to socket->flags, so it must be
> > > > managed in struct sock.
> > > > 
> > > > Mixing socket->flags and sk->sk_flags for similar options will look
> > > > confusing, and sk->sk_flags does not have enough space on 32bit system.
> > > > 
> > > > Also, as mentioned in commit 16e572626961 ("af_unix: dont send
> > > > SCM_CREDENTIALS by default"), SOCK_PASSCRED and SOCK_PASSPID handling
> > > > is known to be slow, and managing the flags in struct socket cannot
> > > > avoid that for embryo sockets.
> > > > 
> > > > Let's move SOCK_PASS{CRED,PIDFD,SEC} to struct sock.
> > > > 
> > > > While at it, other SOCK_XXX flags in net.h are grouped as enum.
> > > > 
> > > > Note that assign_bit() was atomic, so the writer side is moved down
> > > > after lock_sock() in setsockopt(), but the bit is only read once
> > > > in sendmsg() and recvmsg(), so lock_sock() is not needed there.
> > > 
> > > Because the socket lock is already held there?
> > 
> > No, for example, scm_recv_unix() is called without lock_sock(),
> > but it's okay because reading a single bit is always a matter
> > of timing, when to snapshot the flag, (unless there is another
> > dependency or the bit is read more than once).
> > 
> > With this, write happens before/after the if block:
> > 
> >                                <-- write could happen here
> >   lock_sock()
> >   if (sk->sk_scm_credentials) {
> >     do something
> >   }
> >   lock_unlock()
> >                                <-- or here (not related to logic)
> > 
> > but this is same without lock_sock() if the bit is read only
> > once:
> > 
> >                                <-- write could happen here
> >   if (sk->sk_scm_credentials) {
> >     do something               <-- or here (not related to logic)
> >   }
> >                                <-- or here (not related to logic)
> > 
> > So for SOCK_PASSXXX bits, lock_sock() prevents data-race
> > between writers as you pointed out, but it does nothing
> > for readers.
> 
> Essentially you're saying that a single bit read is a natural
> word read, so atomic anyway? I.e., yes this is a data race, safe.

Yes, even there is load-tearing on the word read, bit is
never torn and is alwyas atomic.


> Will KCSAN report on the race regardless?

Not sure, but given we can't use READ_ONCE() for a bit field,
I guess/hope no ?


> 
> All other single bit cases in sk_getsockopt use sk_flags
> and sock_flag, so are not a good existing example. But the single
> bit reads in do_tcp_getsockopt do the same. So I guess it's fine.
> Indeed constant_test_bit does nothing special either.
> 
> Sounds good, thanks.

Thanks for checking!