From: Kuniyuki Iwashima <kuniyu@amazon.com>
To: <willemdebruijn.kernel@gmail.com>
Cc: <brauner@kernel.org>, <davem@davemloft.net>,
<edumazet@google.com>, <horms@kernel.org>, <kuba@kernel.org>,
<kuni1840@gmail.com>, <kuniyu@amazon.com>,
<netdev@vger.kernel.org>, <pabeni@redhat.com>,
<willemb@google.com>
Subject: Re: [PATCH v3 net-next 6/9] af_unix: Move SOCK_PASS{CRED,PIDFD,SEC} to struct sock.
Date: Thu, 15 May 2025 13:35:09 -0700 [thread overview]
Message-ID: <20250515203540.85511-1-kuniyu@amazon.com> (raw)
In-Reply-To: <682635fea3015_25ebe52945d@willemb.c.googlers.com.notmuch>
From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Date: Thu, 15 May 2025 14:44:14 -0400
> Kuniyuki Iwashima wrote:
> > As explained in the next patch, SO_PASSRIGHTS would have a problem
> > if we assigned a corresponding bit to socket->flags, so it must be
> > managed in struct sock.
> >
> > Mixing socket->flags and sk->sk_flags for similar options will look
> > confusing, and sk->sk_flags does not have enough space on 32bit system.
> >
> > Also, as mentioned in commit 16e572626961 ("af_unix: dont send
> > SCM_CREDENTIALS by default"), SOCK_PASSCRED and SOCK_PASSPID handling
> > is known to be slow, and managing the flags in struct socket cannot
> > avoid that for embryo sockets.
> >
> > Let's move SOCK_PASS{CRED,PIDFD,SEC} to struct sock.
> >
> > While at it, other SOCK_XXX flags in net.h are grouped as enum.
> >
> > Note that assign_bit() was atomic, so the writer side is moved down
> > after lock_sock() in setsockopt(), but the bit is only read once
> > in sendmsg() and recvmsg(), so lock_sock() is not needed there.
>
> Because the socket lock is already held there?
No, for example, scm_recv_unix() is called without lock_sock(),
but it's okay because reading a single bit is always a matter
of timing, when to snapshot the flag, (unless there is another
dependency or the bit is read more than once).
With this, write happens before/after the if block:
<-- write could happen here
lock_sock()
if (sk->sk_scm_credentials) {
do something
}
lock_unlock()
<-- or here (not related to logic)
but this is same without lock_sock() if the bit is read only
once:
<-- write could happen here
if (sk->sk_scm_credentials) {
do something <-- or here (not related to logic)
}
<-- or here (not related to logic)
So for SOCK_PASSXXX bits, lock_sock() prevents data-race
between writers as you pointed out, but it does nothing
for readers.
>
> What about getsockopt. And the one READ_ONCE in unix_accept.
And this is same for getsockopt().
Regarding unix_accept(), I used READ_ONCE() here to snapshot
all the flags, but given the value is bit for each, this is
also the matter of timing to snapshot the values.
Also, in the next patch, reading sk->sk_scm_recv_flags will be
done under lock_sock(), so it's done without READ_ONCE().
next prev parent reply other threads:[~2025-05-15 20:35 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-14 16:51 [PATCH v3 net-next 0/9] af_unix: Introduce SO_PASSRIGHTS Kuniyuki Iwashima
2025-05-14 16:51 ` [PATCH v3 net-next 1/9] af_unix: Factorise test_bit() for SOCK_PASSCRED and SOCK_PASSPIDFD Kuniyuki Iwashima
2025-05-15 18:07 ` Willem de Bruijn
2025-05-15 20:23 ` Kuniyuki Iwashima
2025-05-15 21:48 ` Willem de Bruijn
2025-05-14 16:51 ` [PATCH v3 net-next 2/9] af_unix: Don't pass struct socket to maybe_add_creds() Kuniyuki Iwashima
2025-05-15 18:07 ` Willem de Bruijn
2025-05-14 16:51 ` [PATCH v3 net-next 3/9] scm: Move scm_recv() from scm.h to scm.c Kuniyuki Iwashima
2025-05-15 18:08 ` Willem de Bruijn
2025-05-14 16:51 ` [PATCH v3 net-next 4/9] tcp: Restrict SO_TXREHASH to TCP socket Kuniyuki Iwashima
2025-05-15 18:36 ` Willem de Bruijn
2025-05-14 16:51 ` [PATCH v3 net-next 5/9] net: Restrict SO_PASS{CRED,PIDFD,SEC} to AF_{UNIX,NETLINK,BLUETOOTH} Kuniyuki Iwashima
2025-05-15 18:36 ` Willem de Bruijn
2025-05-14 16:51 ` [PATCH v3 net-next 6/9] af_unix: Move SOCK_PASS{CRED,PIDFD,SEC} to struct sock Kuniyuki Iwashima
2025-05-15 3:18 ` Kuniyuki Iwashima
2025-05-15 18:44 ` Willem de Bruijn
2025-05-15 20:35 ` Kuniyuki Iwashima [this message]
2025-05-15 22:07 ` Willem de Bruijn
2025-05-15 22:15 ` Kuniyuki Iwashima
2025-05-14 16:51 ` [PATCH v3 net-next 7/9] af_unix: Inherit sk_flags at connect() Kuniyuki Iwashima
2025-05-15 19:06 ` Willem de Bruijn
2025-05-14 16:51 ` [PATCH v3 net-next 8/9] af_unix: Introduce SO_PASSRIGHTS Kuniyuki Iwashima
2025-05-15 19:25 ` Willem de Bruijn
2025-05-15 20:38 ` Kuniyuki Iwashima
2025-05-14 16:51 ` [PATCH v3 net-next 9/9] selftest: af_unix: Test SO_PASSRIGHTS Kuniyuki Iwashima
2025-05-15 19:27 ` Willem de Bruijn
2025-05-15 20:50 ` Kuniyuki Iwashima
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250515203540.85511-1-kuniyu@amazon.com \
--to=kuniyu@amazon.com \
--cc=brauner@kernel.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=kuni1840@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=willemb@google.com \
--cc=willemdebruijn.kernel@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).