| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250515221733.166-1-kuniyu@amazon.com>
Date: Thu, 15 May 2025 15:15:02 -0700
From: Kuniyuki Iwashima <kuniyu@...zon.com>
To: <willemdebruijn.kernel@...il.com>
CC: <brauner@...nel.org>, <davem@...emloft.net>, <edumazet@...gle.com>,
<horms@...nel.org>, <kuba@...nel.org>, <kuni1840@...il.com>,
<kuniyu@...zon.com>, <netdev@...r.kernel.org>, <pabeni@...hat.com>,
<willemb@...gle.com>
Subject: Re: [PATCH v3 net-next 6/9] af_unix: Move SOCK_PASS{CRED,PIDFD,SEC} to struct sock.
From: Willem de Bruijn <willemdebruijn.kernel@...il.com>
Date: Thu, 15 May 2025 18:07:59 -0400
> Kuniyuki Iwashima wrote:
> > From: Willem de Bruijn <willemdebruijn.kernel@...il.com>
> > Date: Thu, 15 May 2025 14:44:14 -0400
> > > Kuniyuki Iwashima wrote:
> > > > As explained in the next patch, SO_PASSRIGHTS would have a problem
> > > > if we assigned a corresponding bit to socket->flags, so it must be
> > > > managed in struct sock.
> > > >
> > > > Mixing socket->flags and sk->sk_flags for similar options will look
> > > > confusing, and sk->sk_flags does not have enough space on 32bit system.
> > > >
> > > > Also, as mentioned in commit 16e572626961 ("af_unix: dont send
> > > > SCM_CREDENTIALS by default"), SOCK_PASSCRED and SOCK_PASSPID handling
> > > > is known to be slow, and managing the flags in struct socket cannot
> > > > avoid that for embryo sockets.
> > > >
> > > > Let's move SOCK_PASS{CRED,PIDFD,SEC} to struct sock.
> > > >
> > > > While at it, other SOCK_XXX flags in net.h are grouped as enum.
> > > >
> > > > Note that assign_bit() was atomic, so the writer side is moved down
> > > > after lock_sock() in setsockopt(), but the bit is only read once
> > > > in sendmsg() and recvmsg(), so lock_sock() is not needed there.
> > >
> > > Because the socket lock is already held there?
> >
> > No, for example, scm_recv_unix() is called without lock_sock(),
> > but it's okay because reading a single bit is always a matter
> > of timing, when to snapshot the flag, (unless there is another
> > dependency or the bit is read more than once).
> >
> > With this, write happens before/after the if block:
> >
> > <-- write could happen here
> > lock_sock()
> > if (sk->sk_scm_credentials) {
> > do something
> > }
> > lock_unlock()
> > <-- or here (not related to logic)
> >
> > but this is same without lock_sock() if the bit is read only
> > once:
> >
> > <-- write could happen here
> > if (sk->sk_scm_credentials) {
> > do something <-- or here (not related to logic)
> > }
> > <-- or here (not related to logic)
> >
> > So for SOCK_PASSXXX bits, lock_sock() prevents data-race
> > between writers as you pointed out, but it does nothing
> > for readers.
>
> Essentially you're saying that a single bit read is a natural
> word read, so atomic anyway? I.e., yes this is a data race, safe.
Yes, even there is load-tearing on the word read, bit is
never torn and is alwyas atomic.
> Will KCSAN report on the race regardless?
Not sure, but given we can't use READ_ONCE() for a bit field,
I guess/hope no ?
>
> All other single bit cases in sk_getsockopt use sk_flags
> and sock_flag, so are not a good existing example. But the single
> bit reads in do_tcp_getsockopt do the same. So I guess it's fine.
> Indeed constant_test_bit does nothing special either.
>
> Sounds good, thanks.
Thanks for checking!
Powered by blists - more mailing lists