netdev.vger.kernel.org archive mirror
* [PATCH v1 net] af_unix: Allow passing cred for embryo without SO_PASSCRED/SO_PASSPIDFD.
@ 2025-06-11 20:27 Kuniyuki Iwashima
  2025-06-11 21:03 ` Christian Heusel
                   ` (4 more replies)
  0 siblings, 5 replies; 6+ messages in thread
From: Kuniyuki Iwashima @ 2025-06-11 20:27 UTC
  To: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni
  Cc: Simon Horman, Kuniyuki Iwashima, Kuniyuki Iwashima,
	Christian Heusel, André Almeida, netdev, Jacek Łuczak

From: Kuniyuki Iwashima <kuniyu@google.com>

Before the cited commit, the kernel unconditionally embedded SCM
credentials to skb for embryo sockets even when both the sender
and listener disabled SO_PASSCRED and SO_PASSPIDFD.

Now, the credentials are added to skb only when configured by the
sender or the listener.

However, as reported in the link below, it caused a regression for
some programs that assume credentials are included in every skb,
but sometimes not now.

The only problematic scenario would be that a socket starts listening
before setting the option.  Then, there will be 2 types of non-small
race window, where a client can send skb without credentials, which
the peer receives as an "invalid" message (and aborts the connection
it seems ?):

  Client                    Server
  ------                    ------
                            s1.listen()  <-- No SO_PASS{CRED,PIDFD}
  s2.connect()
  s2.send()  <-- w/o cred
                            s1.setsockopt(SO_PASS{CRED,PIDFD})
  s2.send()  <-- w/  cred

or

  Client                    Server
  ------                    ------
                            s1.listen()  <-- No SO_PASS{CRED,PIDFD}
  s2.connect()
  s2.send()  <-- w/o cred
                            s3, _ = s1.accept()  <-- Inherit cred options
  s2.send()  <-- w/o cred                            but not set yet

                            s3.setsockopt(SO_PASS{CRED,PIDFD})
  s2.send()  <-- w/  cred

It's unfortunate that buggy programs depend on the behaviour,
but let's restore the previous behaviour.

Fixes: 3f84d577b79d ("af_unix: Inherit sk_flags at connect().")
Reported-by: Jacek Łuczak <difrost.kernel@gmail.com>
Closes: https://lore.kernel.org/all/68d38b0b-1666-4974-85d4-15575789c8d4@gmail.com/
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
---
 net/unix/af_unix.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index fd6b5e17f6c4..87439d7f965d 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1971,7 +1971,8 @@ static void unix_maybe_add_creds(struct sk_buff *skb, const struct sock *sk,
 	if (UNIXCB(skb).pid)
 		return;
 
-	if (unix_may_passcred(sk) || unix_may_passcred(other)) {
+	if (unix_may_passcred(sk) || unix_may_passcred(other) ||
+	    !other->sk_socket) {
 		UNIXCB(skb).pid = get_pid(task_tgid(current));
 		current_uid_gid(&UNIXCB(skb).uid, &UNIXCB(skb).gid);
 	}
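Review bot: the new `!other->sk_socket` term in the `if` has no comment, and nothing in the function says that a NULL `sk_socket` marks a peer that is still an embryo in the listener's accept queue, or that the term exists only to keep programs working that set SO_PASSCRED/SO_PASSPIDFD after listen(). A short comment above the condition stating both would stop a later cleanup from dropping the term again as redundant with `unix_may_passcred(other)`.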
-- 
2.49.0
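The two orderings from the commit message, written out for a receiver that does not abort when credentials are missing. This is an added example, not code from the patch or the thread; the function names, the socket path and the rule that pid 0 means "no sender credentials" are assumptions of the example.

```python
import os
import socket
import struct
import tempfile

UCRED = struct.Struct("3i")  # struct ucred: pid, uid, gid


def recv_with_creds(conn, bufsize=4096):
    """Return (data, creds); creds is None if the sender was not identified."""
    data, ancdata, _flags, _addr = conn.recvmsg(
        bufsize, socket.CMSG_SPACE(UCRED.size))
    creds = None
    for level, ctype, cdata in ancdata:
        if (level, ctype) != (socket.SOL_SOCKET, socket.SCM_CREDENTIALS):
            continue
        if len(cdata) < UCRED.size:
            continue  # truncated control message: treat as absent
        pid, uid, gid = UCRED.unpack(cdata[:UCRED.size])
        # Assumption: an skb queued without credentials surfaces as pid 0.
        if pid != 0:
            creds = {"pid": pid, "uid": uid, "gid": gid}
    return data, creds


def embryo_exchange(passcred_before_listen=True):
    """s2 sends while its peer is still an embryo in s1's accept queue."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "demo.sock")  # constructed socket path
        s1 = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s2 = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        with s1, s2:
            s1.bind(path)
            if passcred_before_listen:
                s1.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
            s1.listen()
            s2.connect(path)
            s2.send(b"hello")  # queued before accept()
            s3, _ = s1.accept()
            with s3:
                if not passcred_before_listen:
                    # The late ordering from the diagrams: kernel-dependent.
                    s3.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
                inherited = bool(
                    s3.getsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED))
                data, creds = recv_with_creds(s3)
    return inherited, data, creds


if __name__ == "__main__":
    for early in (True, False):
        print("SO_PASSCRED before listen():", early, embryo_exchange(early))
```

With the option set before listen(), the accepted socket inherits it and the first message already carries the sender's pid, uid and gid; with the late ordering the result depends on the running kernel, so a caller should reject a message whose `creds` is `None` instead of assuming it is populated.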



* Re: [PATCH v1 net] af_unix: Allow passing cred for embryo without SO_PASSCRED/SO_PASSPIDFD.
  2025-06-11 20:27 [PATCH v1 net] af_unix: Allow passing cred for embryo without SO_PASSCRED/SO_PASSPIDFD Kuniyuki Iwashima
@ 2025-06-11 21:03 ` Christian Heusel
  2025-06-11 22:56 ` André Almeida
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: Christian Heusel @ 2025-06-11 21:03 UTC
  To: Kuniyuki Iwashima
  Cc: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
	Simon Horman, Kuniyuki Iwashima, André Almeida, netdev,
	Jacek Łuczak


On 25/06/11 01:27PM, Kuniyuki Iwashima wrote:
> From: Kuniyuki Iwashima <kuniyu@google.com>
> 
> Before the cited commit, the kernel unconditionally embedded SCM
> credentials to skb for embryo sockets even when both the sender
> and listener disabled SO_PASSCRED and SO_PASSPIDFD.
> 
> Now, the credentials are added to skb only when configured by the
> sender or the listener.
> 
> However, as reported in the link below, it caused a regression for
> some programs that assume credentials are included in every skb,
> but sometimes not now.
> 
> The only problematic scenario would be that a socket starts listening
> before setting the option.  Then, there will be 2 types of non-small
> race window, where a client can send skb without credentials, which
> the peer receives as an "invalid" message (and aborts the connection
> it seems ?):
> 
>   Client                    Server
>   ------                    ------
>                             s1.listen()  <-- No SO_PASS{CRED,PIDFD}
>   s2.connect()
>   s2.send()  <-- w/o cred
>                             s1.setsockopt(SO_PASS{CRED,PIDFD})
>   s2.send()  <-- w/  cred
> 
> or
> 
>   Client                    Server
>   ------                    ------
>                             s1.listen()  <-- No SO_PASS{CRED,PIDFD}
>   s2.connect()
>   s2.send()  <-- w/o cred
>                             s3, _ = s1.accept()  <-- Inherit cred options
>   s2.send()  <-- w/o cred                            but not set yet
> 
>                             s3.setsockopt(SO_PASS{CRED,PIDFD})
>   s2.send()  <-- w/  cred
> 
> It's unfortunate that buggy programs depend on the behaviour,
> but let's restore the previous behaviour.
> 
> Fixes: 3f84d577b79d ("af_unix: Inherit sk_flags at connect().")
> Reported-by: Jacek Łuczak <difrost.kernel@gmail.com>
> Closes: https://lore.kernel.org/all/68d38b0b-1666-4974-85d4-15575789c8d4@gmail.com/
> Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
> ---
>  net/unix/af_unix.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
> index fd6b5e17f6c4..87439d7f965d 100644
> --- a/net/unix/af_unix.c
> +++ b/net/unix/af_unix.c
> @@ -1971,7 +1971,8 @@ static void unix_maybe_add_creds(struct sk_buff *skb, const struct sock *sk,
>  	if (UNIXCB(skb).pid)
>  		return;
>  
> -	if (unix_may_passcred(sk) || unix_may_passcred(other)) {
> +	if (unix_may_passcred(sk) || unix_may_passcred(other) ||
> +	    !other->sk_socket) {
>  		UNIXCB(skb).pid = get_pid(task_tgid(current));
>  		current_uid_gid(&UNIXCB(skb).uid, &UNIXCB(skb).gid);
>  	}
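Review bot: the `!other->sk_socket` term on the added line only matches while the peer has not been accepted yet, so in the second diagram of the commit message the send between accept() and s3.setsockopt() still goes out without credentials after this change. If that is intended because it matches the behaviour before 3f84d577b79d, the commit message should say so, since it presents both windows without stating which sends the change affects.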
> -- 
> 2.49.0

Tested-by: Christian Heusel <christian@heusel.eu>



* Re: [PATCH v1 net] af_unix: Allow passing cred for embryo without SO_PASSCRED/SO_PASSPIDFD.
  2025-06-11 20:27 [PATCH v1 net] af_unix: Allow passing cred for embryo without SO_PASSCRED/SO_PASSPIDFD Kuniyuki Iwashima
  2025-06-11 21:03 ` Christian Heusel
@ 2025-06-11 22:56 ` André Almeida
  2025-06-12 12:11 ` Jacek Łuczak
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 6+ messages in thread
From: André Almeida @ 2025-06-11 22:56 UTC
  To: Kuniyuki Iwashima, David S. Miller, Eric Dumazet, Jakub Kicinski,
	Paolo Abeni
  Cc: Simon Horman, Kuniyuki Iwashima, Christian Heusel, netdev,
	Jacek Łuczak

On 11/06/2025 17:27, Kuniyuki Iwashima wrote:
> From: Kuniyuki Iwashima <kuniyu@google.com>
> 
> Before the cited commit, the kernel unconditionally embedded SCM
> credentials to skb for embryo sockets even when both the sender
> and listener disabled SO_PASSCRED and SO_PASSPIDFD.
> 
> Now, the credentials are added to skb only when configured by the
> sender or the listener.
> 
> However, as reported in the link below, it caused a regression for
> some programs that assume credentials are included in every skb,
> but sometimes not now.
> 
> The only problematic scenario would be that a socket starts listening
> before setting the option.  Then, there will be 2 types of non-small
> race window, where a client can send skb without credentials, which
> the peer receives as an "invalid" message (and aborts the connection
> it seems ?):
> 
>    Client                    Server
>    ------                    ------
>                              s1.listen()  <-- No SO_PASS{CRED,PIDFD}
>    s2.connect()
>    s2.send()  <-- w/o cred
>                              s1.setsockopt(SO_PASS{CRED,PIDFD})
>    s2.send()  <-- w/  cred
> 
> or
> 
>    Client                    Server
>    ------                    ------
>                              s1.listen()  <-- No SO_PASS{CRED,PIDFD}
>    s2.connect()
>    s2.send()  <-- w/o cred
>                              s3, _ = s1.accept()  <-- Inherit cred options
>    s2.send()  <-- w/o cred                            but not set yet
> 
>                              s3.setsockopt(SO_PASS{CRED,PIDFD})
>    s2.send()  <-- w/  cred
> 
> It's unfortunate that buggy programs depend on the behaviour,
> but let's restore the previous behaviour.
> 
> Fixes: 3f84d577b79d ("af_unix: Inherit sk_flags at connect().")
> Reported-by: Jacek Łuczak <difrost.kernel@gmail.com>
> Closes: https://lore.kernel.org/all/68d38b0b-1666-4974-85d4-15575789c8d4@gmail.com/
> Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>

Tested-by: André Almeida <andrealmeid@igalia.com>


* Re: [PATCH v1 net] af_unix: Allow passing cred for embryo without SO_PASSCRED/SO_PASSPIDFD.
  2025-06-11 20:27 [PATCH v1 net] af_unix: Allow passing cred for embryo without SO_PASSCRED/SO_PASSPIDFD Kuniyuki Iwashima
  2025-06-11 21:03 ` Christian Heusel
  2025-06-11 22:56 ` André Almeida
@ 2025-06-12 12:11 ` Jacek Łuczak
  2025-06-12 15:20 ` patchwork-bot+netdevbpf
  2025-06-16 14:09 ` Johan Hovold
  4 siblings, 0 replies; 6+ messages in thread
From: Jacek Łuczak @ 2025-06-12 12:11 UTC
  To: Kuniyuki Iwashima, David S. Miller, Eric Dumazet, Jakub Kicinski,
	Paolo Abeni
  Cc: Simon Horman, Kuniyuki Iwashima, Christian Heusel,
	André Almeida, netdev

On 6/11/25 10:27 PM, Kuniyuki Iwashima wrote:
> From: Kuniyuki Iwashima <kuniyu@google.com>
> 
> Before the cited commit, the kernel unconditionally embedded SCM
> credentials to skb for embryo sockets even when both the sender
> and listener disabled SO_PASSCRED and SO_PASSPIDFD.
> 
> Now, the credentials are added to skb only when configured by the
> sender or the listener.
> 
> However, as reported in the link below, it caused a regression for
> some programs that assume credentials are included in every skb,
> but sometimes not now.
> 
> The only problematic scenario would be that a socket starts listening
> before setting the option.  Then, there will be 2 types of non-small
> race window, where a client can send skb without credentials, which
> the peer receives as an "invalid" message (and aborts the connection
> it seems ?):
> 
>    Client                    Server
>    ------                    ------
>                              s1.listen()  <-- No SO_PASS{CRED,PIDFD}
>    s2.connect()
>    s2.send()  <-- w/o cred
>                              s1.setsockopt(SO_PASS{CRED,PIDFD})
>    s2.send()  <-- w/  cred
> 
> or
> 
>    Client                    Server
>    ------                    ------
>                              s1.listen()  <-- No SO_PASS{CRED,PIDFD}
>    s2.connect()
>    s2.send()  <-- w/o cred
>                              s3, _ = s1.accept()  <-- Inherit cred options
>    s2.send()  <-- w/o cred                            but not set yet
> 
>                              s3.setsockopt(SO_PASS{CRED,PIDFD})
>    s2.send()  <-- w/  cred
> 
> It's unfortunate that buggy programs depend on the behaviour,
> but let's restore the previous behaviour.
> 
> Fixes: 3f84d577b79d ("af_unix: Inherit sk_flags at connect().")
> Reported-by: Jacek Łuczak <difrost.kernel@gmail.com>
> Closes: https://lore.kernel.org/all/68d38b0b-1666-4974-85d4-15575789c8d4@gmail.com/
> Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
> ---
>   net/unix/af_unix.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
> index fd6b5e17f6c4..87439d7f965d 100644
> --- a/net/unix/af_unix.c
> +++ b/net/unix/af_unix.c
> @@ -1971,7 +1971,8 @@ static void unix_maybe_add_creds(struct sk_buff *skb, const struct sock *sk,
>   	if (UNIXCB(skb).pid)
>   		return;
>   
> -	if (unix_may_passcred(sk) || unix_may_passcred(other)) {
> +	if (unix_may_passcred(sk) || unix_may_passcred(other) ||
> +	    !other->sk_socket) {
>   		UNIXCB(skb).pid = get_pid(task_tgid(current));
>   		current_uid_gid(&UNIXCB(skb).uid, &UNIXCB(skb).gid);
>   	}
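Review bot: `other->sk_socket` is read with a plain load on the added line, and the hunk does not show what serialises that read against accept() attaching a socket to `other`. If the callers do not hold a lock that excludes it, use READ_ONCE() here; otherwise a one-line comment naming the lock would settle the question.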

Tested-by: Jacek Łuczak <difrost.kernel@gmail.com>



* Re: [PATCH v1 net] af_unix: Allow passing cred for embryo without SO_PASSCRED/SO_PASSPIDFD.
  2025-06-11 20:27 [PATCH v1 net] af_unix: Allow passing cred for embryo without SO_PASSCRED/SO_PASSPIDFD Kuniyuki Iwashima
                   ` (2 preceding siblings ...)
  2025-06-12 12:11 ` Jacek Łuczak
@ 2025-06-12 15:20 ` patchwork-bot+netdevbpf
  2025-06-16 14:09 ` Johan Hovold
  4 siblings, 0 replies; 6+ messages in thread
From: patchwork-bot+netdevbpf @ 2025-06-12 15:20 UTC
  To: Kuniyuki Iwashima
  Cc: davem, edumazet, kuba, pabeni, horms, kuniyu, christian,
	andrealmeid, netdev, difrost.kernel

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Wed, 11 Jun 2025 13:27:35 -0700 you wrote:
> From: Kuniyuki Iwashima <kuniyu@google.com>
> 
> Before the cited commit, the kernel unconditionally embedded SCM
> credentials to skb for embryo sockets even when both the sender
> and listener disabled SO_PASSCRED and SO_PASSPIDFD.
> 
> Now, the credentials are added to skb only when configured by the
> sender or the listener.
> 
> [...]

Here is the summary with links:
  - [v1,net] af_unix: Allow passing cred for embryo without SO_PASSCRED/SO_PASSPIDFD.
    https://git.kernel.org/netdev/net/c/43fb2b30eea7

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html




* Re: [PATCH v1 net] af_unix: Allow passing cred for embryo without SO_PASSCRED/SO_PASSPIDFD.
  2025-06-11 20:27 [PATCH v1 net] af_unix: Allow passing cred for embryo without SO_PASSCRED/SO_PASSPIDFD Kuniyuki Iwashima
                   ` (3 preceding siblings ...)
  2025-06-12 15:20 ` patchwork-bot+netdevbpf
@ 2025-06-16 14:09 ` Johan Hovold
  4 siblings, 0 replies; 6+ messages in thread
From: Johan Hovold @ 2025-06-16 14:09 UTC
  To: Kuniyuki Iwashima
  Cc: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
	Simon Horman, Kuniyuki Iwashima, Christian Heusel,
	André Almeida, netdev, Jacek Łuczak

On Wed, Jun 11, 2025 at 01:27:35PM -0700, Kuniyuki Iwashima wrote:
> From: Kuniyuki Iwashima <kuniyu@google.com>
> 
> Before the cited commit, the kernel unconditionally embedded SCM
> credentials to skb for embryo sockets even when both the sender
> and listener disabled SO_PASSCRED and SO_PASSPIDFD.
> 
> Now, the credentials are added to skb only when configured by the
> sender or the listener.
> 
> However, as reported in the link below, it caused a regression for
> some programs that assume credentials are included in every skb,
> but sometimes not now.
> 
> The only problematic scenario would be that a socket starts listening
> before setting the option.  Then, there will be 2 types of non-small
> race window, where a client can send skb without credentials, which
> the peer receives as an "invalid" message (and aborts the connection
> it seems ?):
> 
>   Client                    Server
>   ------                    ------
>                             s1.listen()  <-- No SO_PASS{CRED,PIDFD}
>   s2.connect()
>   s2.send()  <-- w/o cred
>                             s1.setsockopt(SO_PASS{CRED,PIDFD})
>   s2.send()  <-- w/  cred
> 
> or
> 
>   Client                    Server
>   ------                    ------
>                             s1.listen()  <-- No SO_PASS{CRED,PIDFD}
>   s2.connect()
>   s2.send()  <-- w/o cred
>                             s3, _ = s1.accept()  <-- Inherit cred options
>   s2.send()  <-- w/o cred                            but not set yet
> 
>                             s3.setsockopt(SO_PASS{CRED,PIDFD})
>   s2.send()  <-- w/  cred
> 
> It's unfortunate that buggy programs depend on the behaviour,
> but let's restore the previous behaviour.

For the record, this one fixes the wlroots and Xorg crashes on USB-C
DisplayPort Altmode hotplug that I hit consistently with 6.16-rc1 on
machines like the Lenovo ThinkPad X13s and T14s.

> Fixes: 3f84d577b79d ("af_unix: Inherit sk_flags at connect().")
> Reported-by: Jacek Łuczak <difrost.kernel@gmail.com>
> Closes: https://lore.kernel.org/all/68d38b0b-1666-4974-85d4-15575789c8d4@gmail.com/
> Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>

Johan
