Updating sockmap/sockhash using a unix sock races unix_stream_connect(): when sock_map_sk_state_allowed() passes (sk_state == TCP_ESTABLISHED), unix_peer(sk) in unix_stream_bpf_update_proto() may still return NULL.

Signed-off-by: Michal Luczaj <[email protected]>
---
Changes in v4:
- Circle back to v1 approach
- More details in commit messages [Martin]
- Make unix iter take the state lock [Kuniyuki]
- Link to v3: https://lore.kernel.org/r/20260306-unix-proto-update-null-ptr-deref-v3-0-2f0c7410c...@rbox.co

Changes in v3:
- Drop sparse annotations [Martin]
- Keep lock_sock() along the unix_state_lock() [Kuniyuki]
- Unify BPF iter af_unix locking [Kuniyuki, Martin]
- Link to v2: https://lore.kernel.org/r/20260207-unix-proto-update-null-ptr-deref-v2-0-9f091330e...@rbox.co

Changes in v2:
- Instead of probing for unix peer, make sockmap take the right lock [Martin]
- Annotate data races [Kuniyuki, Martin]
- Extend bpf unix iter selftest to attempt a deadlock
- Link to v1: https://lore.kernel.org/r/20260129-unix-proto-update-null-ptr-deref-v1-1-e1daeb701...@rbox.co

To: John Fastabend <[email protected]>
To: Jakub Sitnicki <[email protected]>
To: Eric Dumazet <[email protected]>
To: Kuniyuki Iwashima <[email protected]>
To: Paolo Abeni <[email protected]>
To: Willem de Bruijn <[email protected]>
To: "David S. Miller" <[email protected]>
To: Jakub Kicinski <[email protected]>
To: Simon Horman <[email protected]>
To: Yonghong Song <[email protected]>
To: Andrii Nakryiko <[email protected]>
To: Eduard Zingerman <[email protected]>
To: Alexei Starovoitov <[email protected]>
To: Daniel Borkmann <[email protected]>
To: Martin KaFai Lau <[email protected]>
To: Song Liu <[email protected]>
To: Yonghong Song <[email protected]>
To: KP Singh <[email protected]>
To: Stanislav Fomichev <[email protected]>
To: Hao Luo <[email protected]>
To: Jiri Olsa <[email protected]>
To: Shuah Khan <[email protected]>
To: Cong Wang <[email protected]>
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]

---
Michal Luczaj (5):
      bpf, sockmap: Annotate af_unix sock::sk_state data-races
      bpf, sockmap: Fix af_unix iter deadlock
      selftests/bpf: Extend bpf_iter_unix to attempt deadlocking
      bpf, sockmap: Fix af_unix null-ptr-deref in proto update
      bpf, sockmap: Take state lock for af_unix iter

 net/core/sock_map.c                               |  4 ++--
 net/unix/af_unix.c                                |  9 +++++----
 net/unix/unix_bpf.c                               |  3 +++
 tools/testing/selftests/bpf/progs/bpf_iter_unix.c | 10 ++++++++++
 4 files changed, 20 insertions(+), 6 deletions(-)
---
base-commit: 0f00132132937ca01a99feaf8985109a9087c9ff
change-id: 20260129-unix-proto-update-null-ptr-deref-6a2733bcbbf8

Best regards,
--
Michal Luczaj <[email protected]>

