From: Kuniyuki Iwashima <kuniyu@amazon.com>
To: <willemdebruijn.kernel@gmail.com>
Cc: <brauner@kernel.org>, <davem@davemloft.net>,
<edumazet@google.com>, <horms@kernel.org>, <kuba@kernel.org>,
<kuni1840@gmail.com>, <kuniyu@amazon.com>,
<netdev@vger.kernel.org>, <pabeni@redhat.com>,
<willemb@google.com>
Subject: Re: [PATCH v4 net-next 7/9] af_unix: Inherit sk_flags at connect().
Date: Fri, 16 May 2025 10:22:32 -0700 [thread overview]
Message-ID: <20250516172419.66673-1-kuniyu@amazon.com> (raw)
In-Reply-To: <68276c1118d32_2b92fe29428@willemb.c.googlers.com.notmuch>
From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Date: Fri, 16 May 2025 12:47:13 -0400
> Kuniyuki Iwashima wrote:
> > For SOCK_STREAM embryo sockets, the SO_PASS{CRED,PIDFD,SEC} options
> > are inherited from the parent listen()ing socket.
> >
> > Currently, this inheritance happens at accept(), because these
> > attributes were stored in sk->sk_socket->flags and the struct socket
> > is not allocated until accept().
> >
> > This leads to unintentional behaviour.
> >
> > When a peer sends data to an embryo socket in the accept() queue,
> > unix_maybe_add_creds() embeds credentials into the skb, even if
> > neither the peer nor the listener has enabled these options.
> >
> > If the option is enabled, the embryo socket receives the ancillary
> > data after accept(). If not, the data is silently discarded.
> >
> > This conservative approach works for SO_PASS{CRED,PIDFD,SEC}, but
> > would not for SO_PASSRIGHTS; once an SCM_RIGHTS with a hung file
> > descriptor was sent, it'd be game over.
>
> Code LGTM, hence my Reviewed-by.
>
> Just curious: could this case be handled in a way that does not
> require receivers explicitly disabling a dangerous default mode?
>
> IIUC the issue is the receiver taking a file reference using fget_raw
> in scm_fp_copy from __scm_send, and if that is the last ref, it now
> will hang the receiver process waiting to close this last ref?
>
> If so, could the unwelcome ref be detected at accept, and taken from
> the responsibility of this process? Worst case, assigned to some
> zombie process.
I had the same idea and I think it's doable but complicated.
We can't detect such a hung fd until we actually do close() it (*), so
the workaround at recvmsg() would be always call an extra fget_raw()
and queue the fd to another task (kthread or workqueue?).
The task can't release the ref until it can ensure that the receiver
of fd has close()d it, so the task will need to check ref == 1
preodically.
But, once the task gets stuck, we need to add another task, or all
fds will be leaked for a while.
(*) With bpf lsm, we will be able to inspect such fd at sendmsg() but
still can't know if it will really hang at close() especially if it's of
NFS.
https://github.com/q2ven/linux/commit/a9f03f88430242d231682bfe7c19623b7584505a
next prev parent reply other threads:[~2025-05-16 17:24 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-15 22:49 [PATCH v4 net-next 0/9] af_unix: Introduce SO_PASSRIGHTS Kuniyuki Iwashima
2025-05-15 22:49 ` [PATCH v4 net-next 1/9] af_unix: Factorise test_bit() for SOCK_PASSCRED and SOCK_PASSPIDFD Kuniyuki Iwashima
2025-05-16 16:28 ` Willem de Bruijn
2025-05-15 22:49 ` [PATCH v4 net-next 2/9] af_unix: Don't pass struct socket to maybe_add_creds() Kuniyuki Iwashima
2025-05-15 22:49 ` [PATCH v4 net-next 3/9] scm: Move scm_recv() from scm.h to scm.c Kuniyuki Iwashima
2025-05-15 22:49 ` [PATCH v4 net-next 4/9] tcp: Restrict SO_TXREHASH to TCP socket Kuniyuki Iwashima
2025-05-15 22:49 ` [PATCH v4 net-next 5/9] net: Restrict SO_PASS{CRED,PIDFD,SEC} to AF_{UNIX,NETLINK,BLUETOOTH} Kuniyuki Iwashima
2025-05-15 22:49 ` [PATCH v4 net-next 6/9] af_unix: Move SOCK_PASS{CRED,PIDFD,SEC} to struct sock Kuniyuki Iwashima
2025-05-16 16:29 ` Willem de Bruijn
2025-05-15 22:49 ` [PATCH v4 net-next 7/9] af_unix: Inherit sk_flags at connect() Kuniyuki Iwashima
2025-05-16 16:47 ` Willem de Bruijn
2025-05-16 17:22 ` Kuniyuki Iwashima [this message]
2025-05-16 19:27 ` Willem de Bruijn
2025-05-16 20:54 ` Kuniyuki Iwashima
2025-05-16 21:09 ` Willem de Bruijn
2025-05-16 21:13 ` Kuniyuki Iwashima
2025-05-15 22:49 ` [PATCH v4 net-next 8/9] af_unix: Introduce SO_PASSRIGHTS Kuniyuki Iwashima
2025-05-16 16:30 ` Willem de Bruijn
2025-05-15 22:49 ` [PATCH v4 net-next 9/9] selftest: af_unix: Test SO_PASSRIGHTS Kuniyuki Iwashima
2025-05-16 16:30 ` Willem de Bruijn
2025-05-19 14:00 ` [PATCH v4 net-next 0/9] af_unix: Introduce SO_PASSRIGHTS Jakub Kicinski
2025-05-19 17:09 ` Kuniyuki Iwashima
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250516172419.66673-1-kuniyu@amazon.com \
--to=kuniyu@amazon.com \
--cc=brauner@kernel.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=kuni1840@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=willemb@google.com \
--cc=willemdebruijn.kernel@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).