af_unix: Allow passing cred for embryo without SO_PASSCRED/SO_PASSPIDFD.

q2ven · kuba-moo · commit 43fb2b30eea7 · 2025-06-12T08:13:06.000-07:00
Before the cited commit, the kernel unconditionally embedded SCM credentials to skb for embryo sockets even when both the sender and listener disabled SO_PASSCRED and SO_PASSPIDFD. Now, the credentials are added to skb only when configured by the sender or the listener. However, as reported in the link below, it caused a regression for some programs that assume credentials are included in every skb, but sometimes not now. The only problematic scenario would be that a socket starts listening before setting the option. Then, there will be 2 types of non-small race window, where a client can send skb without credentials, which the peer receives as an "invalid" message (and aborts the connection it seems ?): Client Server ------ ------ s1.listen() <-- No SO_PASS{CRED,PIDFD} s2.connect() s2.send() <-- w/o cred s1.setsockopt(SO_PASS{CRED,PIDFD}) s2.send() <-- w/ cred or Client Server ------ ------ s1.listen() <-- No SO_PASS{CRED,PIDFD} s2.connect() s2.send() <-- w/o cred s3, _ = s1.accept() <-- Inherit cred options s2.send() <-- w/o cred but not set yet s3.setsockopt(SO_PASS{CRED,PIDFD}) s2.send() <-- w/ cred It's unfortunate that buggy programs depend on the behaviour, but let's restore the previous behaviour. Fixes: 3f84d57 ("af_unix: Inherit sk_flags at connect().") Reported-by: Jacek Łuczak <difrost.kernel@gmail.com> Closes: https://lore.kernel.org/all/68d38b0b-1666-4974-85d4-15575789c8d4@gmail.com/ Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com> Tested-by: Christian Heusel <christian@heusel.eu> Tested-by: André Almeida <andrealmeid@igalia.com> Tested-by: Jacek Łuczak <difrost.kernel@gmail.com> Link: https://patch.msgid.link/20250611202758.3075858-1-kuni1840@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
@@ -1971,7 +1971,8 @@ static void unix_maybe_add_creds(struct sk_buff *skb, const struct sock *sk,
 	if (UNIXCB(skb).pid)
 		return;
 
-	if (unix_may_passcred(sk) || unix_may_passcred(other)) {
+	if (unix_may_passcred(sk) || unix_may_passcred(other) ||
+	    !other->sk_socket) {
 		UNIXCB(skb).pid = get_pid(task_tgid(current));
 		current_uid_gid(&UNIXCB(skb).uid, &UNIXCB(skb).gid);
 	}

Original file line number	Diff line number	Diff line change
`@@ -1971,7 +1971,8 @@ static void unix_maybe_add_creds(struct sk_buff skb, const struct sock sk,`
`1971`	`1971`	`if (UNIXCB(skb).pid)`
`1972`	`1972`	`return;`
`1973`	`1973`
`1974`		`- if (unix_may_passcred(sk) \|\| unix_may_passcred(other)) {`
	`1974`	`+ if (unix_may_passcred(sk) \|\| unix_may_passcred(other) \|\|`
	`1975`	`+ !other->sk_socket) {`
`1975`	`1976`	`UNIXCB(skb).pid = get_pid(task_tgid(current));`
`1976`	`1977`	`current_uid_gid(&UNIXCB(skb).uid, &UNIXCB(skb).gid);`
`1977`	`1978`	`}`