pidfd_prepare() can return negative values as an error codes.
But scm_pidfd_recv() didn't check for that condition.
As the result, it is possible to create the race that leads to
the negative fds. The race happens if the peer process sends
something to SO_PASSPIDFD-enabled recipient, and quickly exits.
pidfd_prepare() has this code:

    if (!pid || !pid_has_task(pid, thread ? PIDTYPE_PID : PIDTYPE_TGID))
            return -EINVAL;

So if you exit quickly enough, you can hit that EINVAL.
Getting the fd=-22 is very weird, if not exploitable.

This patch adds the missing check and sets MSG_CTRUNC on error.
Recipient can now detect an error by checking this flag.

Signed-off-by: Stas Sergeev <stsp2@yandex.ru>

CC: "David S. Miller" <davem@davemloft.net>
CC: Eric Dumazet <edumazet@google.com>
CC: Jakub Kicinski <kuba@kernel.org>
CC: Paolo Abeni <pabeni@redhat.com>
CC: Simon Horman <horms@kernel.org>
CC: Christian Brauner <brauner@kernel.org>
CC: Kees Cook <kees@kernel.org>
CC: Kuniyuki Iwashima <kuniyu@amazon.com>
CC: netdev@vger.kernel.org
CC: linux-kernel@vger.kernel.org
---
 include/net/scm.h | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/include/net/scm.h b/include/net/scm.h
index 0d35c7c77a74..3ccf8546c506 100644
--- a/include/net/scm.h
+++ b/include/net/scm.h
@@ -155,6 +155,10 @@ static __inline__ void scm_pidfd_recv(struct msghdr *msg, struct scm_cookie *scm
 		return;
 
 	pidfd = pidfd_prepare(scm->pid, 0, &pidfd_file);
+	if (pidfd < 0) {
+		msg->msg_flags |= MSG_CTRUNC;
+		return;
+	}
 
 	if (put_cmsg(msg, SOL_SOCKET, SCM_PIDFD, sizeof(int), &pidfd)) {
 		if (pidfd_file) {
-- 
2.47.0