From: Michal Luczaj
Date: Sat, 07 Feb 2026 15:34:54 +0100
Subject: [PATCH bpf v2 1/4] bpf, sockmap: Annotate af_unix sock::sk_state data-races
Message-Id: <20260207-unix-proto-update-null-ptr-deref-v2-1-9f091330e7cd@rbox.co>
References: <20260207-unix-proto-update-null-ptr-deref-v2-0-9f091330e7cd@rbox.co>
In-Reply-To: <20260207-unix-proto-update-null-ptr-deref-v2-0-9f091330e7cd@rbox.co>
To: John Fastabend, Jakub Sitnicki, Kuniyuki Iwashima, "David S. Miller",
    Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Daniel Borkmann,
    Willem de Bruijn, Cong Wang, Alexei Starovoitov, Yonghong Song,
    Andrii Nakryiko, Eduard Zingerman, Martin KaFai Lau, Song Liu,
    Yonghong Song, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Shuah Khan
Cc: netdev@vger.kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org,
    linux-kselftest@vger.kernel.org, Michal Luczaj

sock_map_sk_state_allowed() and sock_map_redirect_allowed() read af_unix
socket sk_state locklessly. Use READ_ONCE(). Note that for
sock_map_redirect_allowed() change affects not only af_unix, but all
non-TCP sockets (UDP, af_vsock).

Suggested-by: Kuniyuki Iwashima
Suggested-by: Martin KaFai Lau
Signed-off-by: Michal Luczaj
---
 net/core/sock_map.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/core/sock_map.c b/net/core/sock_map.c index 5947b38e4f8b..d4f15b846ad4 100644 --- a/net/core/sock_map.c +++ b/net/core/sock_map.c @@ -530,7 +530,7 @@ static bool sock_map_redirect_allowed(const struct sock= *sk) if (sk_is_tcp(sk)) return sk->sk_state !=3D TCP_LISTEN; else - return sk->sk_state =3D=3D TCP_ESTABLISHED; + return READ_ONCE(sk->sk_state) =3D=3D TCP_ESTABLISHED; } =20 static bool sock_map_sk_is_suitable(const struct sock *sk) 
@@ -543,7 +543,7 @@ static bool sock_map_sk_state_allowed(const struct sock= *sk) if (sk_is_tcp(sk)) return (1 << sk->sk_state) & (TCPF_ESTABLISHED | TCPF_LISTEN); if (sk_is_stream_unix(sk)) - return (1 << sk->sk_state) & TCPF_ESTABLISHED; + return (1 << READ_ONCE(sk->sk_state)) & TCPF_ESTABLISHED; if (sk_is_vsock(sk) && (sk->sk_type =3D=3D SOCK_STREAM || sk->sk_type =3D=3D SOCK_SEQPACKET)) return (1 << sk->sk_state) & TCPF_ESTABLISHED; --=20 2.52.0
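
Review bot: In sock_map_redirect_allowed() (hunk at -530), the TCP branch `return sk->sk_state != TCP_LISTEN;` stays a plain read while the else branch gains READ_ONCE(). The commit message says the else branch covers every non-TCP socket, so please state why the TCP read needs no annotation (for example, which lock its callers hold), or annotate it as well for consistency.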
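
Review bot: In sock_map_sk_state_allowed() (hunk at -543), the vsock branch still does a plain `return (1 << sk->sk_state) & TCPF_ESTABLISHED;` right below the newly annotated unix read, although the other hunk of this patch treats vsock's sk_state as a lockless read in sock_map_redirect_allowed(). Either annotate the vsock read here too, or say in the commit message why it is safe in this function and not in the other.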
From: Michal Luczaj
Date: Sat, 07 Feb 2026 15:34:55 +0100
Subject: [PATCH bpf v2 2/4] bpf, sockmap: Use sock_map_sk_{acquire,release}() where open-coded
Message-Id: <20260207-unix-proto-update-null-ptr-deref-v2-2-9f091330e7cd@rbox.co>
References: <20260207-unix-proto-update-null-ptr-deref-v2-0-9f091330e7cd@rbox.co>
In-Reply-To: <20260207-unix-proto-update-null-ptr-deref-v2-0-9f091330e7cd@rbox.co>
To: John Fastabend, Jakub Sitnicki, Kuniyuki Iwashima, "David S. Miller",
    Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Daniel Borkmann,
    Willem de Bruijn, Cong Wang, Alexei Starovoitov, Yonghong Song,
    Andrii Nakryiko, Eduard Zingerman, Martin KaFai Lau, Song Liu,
    Yonghong Song, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Shuah Khan
Cc: netdev@vger.kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org,
    linux-kselftest@vger.kernel.org, Michal Luczaj

Instead of repeating the same (un)locking pattern, reuse
sock_map_sk_{acquire,release}(). This centralizes the code and makes it
easier to adapt sockmap to af_unix-specific locking.

Signed-off-by: Michal Luczaj
---
 net/core/sock_map.c | 21 +++++++--------------
 1 file changed, 7 insertions(+), 14 deletions(-)

diff --git a/net/core/sock_map.c b/net/core/sock_map.c index d4f15b846ad4..b6586d9590b7 100644 --- a/net/core/sock_map.c +++ b/net/core/sock_map.c @@ -353,11 +353,9 @@ static void sock_map_free(struct bpf_map *map) sk =3D xchg(psk, NULL); if (sk) { sock_hold(sk); - lock_sock(sk); - rcu_read_lock(); + sock_map_sk_acquire(sk); sock_map_unref(sk, psk); - rcu_read_unlock(); - release_sock(sk); + sock_map_sk_release(sk); sock_put(sk); } } 
@@ -1176,11 +1174,9 @@ static void sock_hash_free(struct bpf_map *map) */ hlist_for_each_entry_safe(elem, node, &unlink_list, node) { hlist_del(&elem->node); - lock_sock(elem->sk); - rcu_read_lock(); + sock_map_sk_acquire(elem->sk); sock_map_unref(elem->sk, elem); - rcu_read_unlock(); - release_sock(elem->sk); + sock_map_sk_release(elem->sk); sock_put(elem->sk); sock_hash_free_elem(htab, elem); } @@ -1676,8 +1672,7 @@ void sock_map_close(struct sock *sk, long timeout) void (*saved_close)(struct sock *sk, long timeout); struct sk_psock *psock; =20 - lock_sock(sk); - rcu_read_lock(); + sock_map_sk_acquire(sk); psock =3D sk_psock(sk); if (likely(psock)) { saved_close =3D psock->saved_close; 
@@ -1685,16 +1680,14 @@ void sock_map_close(struct sock *sk, long timeout) psock =3D sk_psock_get(sk); if (unlikely(!psock)) goto no_psock; - rcu_read_unlock(); sk_psock_stop(psock); - release_sock(sk); + sock_map_sk_release(sk); cancel_delayed_work_sync(&psock->work); sk_psock_put(sk, psock); } else { saved_close =3D READ_ONCE(sk->sk_prot)->close; no_psock: - rcu_read_unlock(); - release_sock(sk); + sock_map_sk_release(sk); } =20 /* Make sure we do not recurse. This is a bug. --=20 2.52.0
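
Review bot: The sock_map_close() hunk at -1685 is not a pure refactor: the old code called rcu_read_unlock() before sk_psock_stop(psock), while the new code calls sk_psock_stop() first and only then sock_map_sk_release(sk), so sk_psock_stop() now runs inside the RCU read-side section (3/4 shows sock_map_sk_release() starting with rcu_read_unlock()). The commit message mentions only reuse of the helpers; please note the ordering change there and confirm that sk_psock_stop() is fine to call under rcu_read_lock().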
From: Michal Luczaj
Date: Sat, 07 Feb 2026 15:34:56 +0100
Subject: [PATCH bpf v2 3/4] bpf, sockmap: Adapt for the af_unix-specific lock
Message-Id: <20260207-unix-proto-update-null-ptr-deref-v2-3-9f091330e7cd@rbox.co>
References: <20260207-unix-proto-update-null-ptr-deref-v2-0-9f091330e7cd@rbox.co>
In-Reply-To: <20260207-unix-proto-update-null-ptr-deref-v2-0-9f091330e7cd@rbox.co>
To: John Fastabend, Jakub Sitnicki, Kuniyuki Iwashima, "David S. Miller",
    Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Daniel Borkmann,
    Willem de Bruijn, Cong Wang, Alexei Starovoitov, Yonghong Song,
    Andrii Nakryiko, Eduard Zingerman, Martin KaFai Lau, Song Liu,
    Yonghong Song, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Shuah Khan
Cc: netdev@vger.kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org,
    linux-kselftest@vger.kernel.org, Michal Luczaj

unix_stream_connect() sets sk_state (`WRITE_ONCE(sk->sk_state,
TCP_ESTABLISHED)`) _before_ it assigns a peer (`unix_peer(sk) = newsk`).
sk_state == TCP_ESTABLISHED makes sock_map_sk_state_allowed() believe that
socket is properly set up, which would include having a defined peer. IOW,
there's a window when unix_stream_bpf_update_proto() can be called on
socket which still has unix_peer(sk) == NULL.

T0 bpf                          T1 connect
------                          ----------

                                WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED)
sock_map_sk_state_allowed(sk)
...
sk_pair = unix_peer(sk)
sock_hold(sk_pair)
                                sock_hold(newsk)
                                smp_mb__after_atomic()
                                unix_peer(sk) = newsk

BUG: kernel NULL pointer dereference, address: 0000000000000080
RIP: 0010:unix_stream_bpf_update_proto+0xa0/0x1b0
Call Trace:
  sock_map_link+0x564/0x8b0
  sock_map_update_common+0x6e/0x340
  sock_map_update_elem_sys+0x17d/0x240
  __sys_bpf+0x26db/0x3250
  __x64_sys_bpf+0x21/0x30
  do_syscall_64+0x6b/0x3a0
  entry_SYSCALL_64_after_hwframe+0x76/0x7e

Initial idea was to move peer assignment _before_ the sk_state update[1],
but that involved an additional memory barrier, and changing the hot path
was rejected. Then a check during proto update was considered[2], but a
follow-up discussion[3] concluded the root cause is sockmap taking a wrong
lock.

Thus, teach sockmap about the af_unix-specific locking: instead of the
usual lock_sock() involving sock::sk_lock, af_unix protects critical
sections under unix_state_lock() operating on unix_sock::lock.

[1]: https://lore.kernel.org/netdev/ba5c50aa-1df4-40c2-ab33-a72022c5a32e@rbox.co/
[2]: https://lore.kernel.org/netdev/20240610174906.32921-1-kuniyu@amazon.com/
[3]: https://lore.kernel.org/netdev/7603c0e6-cd5b-452b-b710-73b64bd9de26@linux.dev/

This patch also happens to fix a deadlock that may occur when
bpf_iter_unix_seq_show()'s lock_sock_fast() takes the fast path and the
iter prog attempts to update a sockmap. Which ends up spinning at
sock_map_update_elem()'s bh_lock_sock():

WARNING: possible recursive locking detected
Suggested-by: Kuniyuki Iwashima
Suggested-by: Martin KaFai Lau
--------------------------------------------
test_progs/1393 is trying to acquire lock:
ffff88811ec25f58 (slock-AF_UNIX){+...}-{3:3}, at: sock_map_update_elem+0xdb/0x1f0

but task is already holding lock:
ffff88811ec25f58 (slock-AF_UNIX){+...}-{3:3}, at: __lock_sock_fast+0x37/0xe0

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(slock-AF_UNIX);
  lock(slock-AF_UNIX);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

4 locks held by test_progs/1393:
 #0: ffff88814b59c790 (&p->lock){+.+.}-{4:4}, at: bpf_seq_read+0x59/0x10d0
 #1: ffff88811ec25fd8 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: bpf_seq_read+0x42c/0x10d0
 #2: ffff88811ec25f58 (slock-AF_UNIX){+...}-{3:3}, at: __lock_sock_fast+0x37/0xe0
 #3: ffffffff85a6a7c0 (rcu_read_lock){....}-{1:3}, at: bpf_iter_run_prog+0x51d/0xb00

Call Trace:
 dump_stack_lvl+0x5d/0x80
 print_deadlock_bug.cold+0xc0/0xce
 __lock_acquire+0x130f/0x2590
 lock_acquire+0x14e/0x2b0
 _raw_spin_lock+0x30/0x40
 sock_map_update_elem+0xdb/0x1f0
 bpf_prog_2d0075e5d9b721cd_dump_unix+0x55/0x4f4
 bpf_iter_run_prog+0x5b9/0xb00
 bpf_iter_unix_seq_show+0x1f7/0x2e0
 bpf_seq_read+0x42c/0x10d0
 vfs_read+0x171/0xb20
 ksys_read+0xff/0x200
 do_syscall_64+0x6b/0x3a0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Suggested-by: Kuniyuki Iwashima
Suggested-by: Martin KaFai Lau
Fixes: c63829182c37 ("af_unix: Implement ->psock_update_sk_prot()")
Fixes: 2c860a43dd77 ("bpf: af_unix: Implement BPF iterator for UNIX domain socket.")
Signed-off-by: Michal Luczaj
---
Keeping sparse annotations in sock_map_sk_{acquire,release}() required some
hackery I'm not proud of. Is there a better way?
---
 net/core/sock_map.c | 47 +++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 39 insertions(+), 8 deletions(-)

diff --git a/net/core/sock_map.c b/net/core/sock_map.c index b6586d9590b7..0c638b1f363a 100644 --- a/net/core/sock_map.c +++ b/net/core/sock_map.c @@ -12,6 +12,7 @@ #include #include #include +#include #include =20 struct bpf_stab { @@ -115,17 +116,49 @@ int sock_map_prog_detach(const union bpf_attr *attr, = enum bpf_prog_type ptype) } =20 static void sock_map_sk_acquire(struct sock *sk) - __acquires(&sk->sk_lock.slock) + __acquires(sock_or_unix_lock) { - lock_sock(sk); + if (sk_is_unix(sk)) { + unix_state_lock(sk); + __release(sk); /* Silence sparse. */ + } else { + lock_sock(sk); + } + rcu_read_lock(); } =20 static void sock_map_sk_release(struct sock *sk) - __releases(&sk->sk_lock.slock) + __releases(sock_or_unix_lock) { rcu_read_unlock(); - release_sock(sk); + + if (sk_is_unix(sk)) { + unix_state_unlock(sk); + __acquire(sk); /* Silence sparse. */ + } else { + release_sock(sk); + } +} + +static inline void sock_map_sk_acquire_fast(struct sock *sk) +{ + local_bh_disable(); + + if (sk_is_unix(sk)) + unix_state_lock(sk); + else + bh_lock_sock(sk); +} + +static inline void sock_map_sk_release_fast(struct sock *sk) +{ + if (sk_is_unix(sk)) + unix_state_unlock(sk); + else + bh_unlock_sock(sk); + + local_bh_enable(); } =20 static void sock_map_add_link(struct sk_psock *psock, 
@@ -604,16 +637,14 @@ static long sock_map_update_elem(struct bpf_map *map,= void *key, if (!sock_map_sk_is_suitable(sk)) return -EOPNOTSUPP; =20 - local_bh_disable(); - bh_lock_sock(sk); + sock_map_sk_acquire_fast(sk); if (!sock_map_sk_state_allowed(sk)) ret =3D -EOPNOTSUPP; else if (map->map_type =3D=3D BPF_MAP_TYPE_SOCKMAP) ret =3D sock_map_update_common(map, *(u32 *)key, sk, flags); else ret =3D sock_hash_update_common(map, key, sk, flags); - bh_unlock_sock(sk); - local_bh_enable(); + sock_map_sk_release_fast(sk); return ret; } =20 --=20 2.52.0
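
Review bot: sock_map_sk_acquire() and sock_map_sk_release() in the hunk at -115 choose the lock with sk_is_unix(sk) but carry no comment explaining why af_unix needs unix_state_lock() rather than lock_sock(); that reasoning lives only in the commit message, so a short comment above sock_map_sk_acquire() would keep the branch from being simplified away later. On the sparse question: `__acquires(sock_or_unix_lock)` names a token that is not declared anywhere in the visible diff, the `__release(sk)` and `__acquire(sk)` lines are explained only by "Silence sparse.", and the two new _fast helpers have no annotations at all. Please at least comment what each of those balances, and annotate the four helpers consistently.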
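
Review bot: The sock_map_update_elem() hunk at -604 converts only the BPF-helper path, while the NULL dereference trace in the commit message goes through sock_map_update_elem_sys(), which this diff does not touch. Please say in the commit message that the syscall path is covered through the changed sock_map_sk_acquire(), and whether local_bh_disable() is actually required around unix_state_lock() in sock_map_sk_acquire_fast() or is kept only for symmetry with bh_lock_sock().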
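
The window described in the 3/4 commit message, modelled in user space as an added example (not code from this series or from the kernel): the connector publishes the state before the peer while holding the af_unix lock, and the updater finds a NULL peer only when it serializes on the other lock. `struct model_sock`, `run_model()`, the two pthread mutexes standing in for sock::sk_lock and unix_sock::lock, and the 200 ms hold are assumptions of the model.

```c
/* User-space model of the race in 3/4: an added illustration, not kernel code. */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <time.h>

enum { ST_UNCONNECTED, ST_ESTABLISHED };
enum lock_choice { USE_SK_LOCK, USE_UNIX_STATE_LOCK };

struct model_sock {                        /* hypothetical stand-in for a unix sock */
	pthread_mutex_t sk_lock;           /* models sock::sk_lock (lock_sock()) */
	pthread_mutex_t state_lock;        /* models unix_sock::lock (unix_state_lock()) */
	atomic_int state;                  /* models sk_state */
	_Atomic(struct model_sock *) peer; /* models unix_peer(sk) */
	atomic_int in_window;              /* state is set, peer is not assigned yet */
	atomic_int updater_done;
	enum lock_choice choice;           /* which lock the updater takes */
	int saw_null_peer;
};

static struct model_sock newsk;            /* the peer being connected */

static void pause_ms(long ms)
{
	nanosleep(&(struct timespec){ 0, ms * 1000000L }, NULL);
}

/* T1 connect: state first, peer later, both under state_lock. */
static void *connector(void *arg)
{
	struct model_sock *sk = arg;
	pthread_mutex_lock(&sk->state_lock);
	atomic_store(&sk->state, ST_ESTABLISHED);
	atomic_store(&sk->in_window, 1);
	/* Hold the window open until the updater ran, or ~200 ms if it is blocked. */
	for (int i = 0; i < 200 && !atomic_load(&sk->updater_done); i++)
		pause_ms(1);
	atomic_store(&sk->peer, &newsk);
	pthread_mutex_unlock(&sk->state_lock);
	return NULL;
}

/* T0 bpf: the sockmap update arriving while the window is open. */
static void *updater(void *arg)
{
	struct model_sock *sk = arg;
	pthread_mutex_t *lock = sk->choice == USE_UNIX_STATE_LOCK ?
				&sk->state_lock : &sk->sk_lock;
	while (!atomic_load(&sk->in_window))
		pause_ms(1);
	pthread_mutex_lock(lock);
	if (atomic_load(&sk->state) == ST_ESTABLISHED)  /* the state check passes */
		sk->saw_null_peer = atomic_load(&sk->peer) == NULL;
	pthread_mutex_unlock(lock);
	atomic_store(&sk->updater_done, 1);
	return NULL;
}

/* Returns 1 if the updater passed the state check yet found no peer. */
int run_model(enum lock_choice choice)
{
	struct model_sock sk = { .choice = choice };
	pthread_t c, u;
	pthread_mutex_init(&sk.sk_lock, NULL);
	pthread_mutex_init(&sk.state_lock, NULL);
	pthread_create(&c, NULL, connector, &sk);
	pthread_create(&u, NULL, updater, &sk);
	pthread_join(c, NULL);
	pthread_join(u, NULL);
	return sk.saw_null_peer;
}

int main(void)
{
	printf("sk_lock: %d\n", run_model(USE_SK_LOCK));
	printf("unix state lock: %d\n", run_model(USE_UNIX_STATE_LOCK));
	return 0;
}
```

With the model's sk_lock the updater reports a NULL peer (1); with the model's state lock it blocks until the peer is assigned and reports 0.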
From: Michal Luczaj
Date: Sat, 07 Feb 2026 15:34:57 +0100
Subject: [PATCH bpf v2 4/4] selftests/bpf: Extend bpf_iter_unix to attempt deadlocking
Message-Id: <20260207-unix-proto-update-null-ptr-deref-v2-4-9f091330e7cd@rbox.co>
References: <20260207-unix-proto-update-null-ptr-deref-v2-0-9f091330e7cd@rbox.co>
In-Reply-To: <20260207-unix-proto-update-null-ptr-deref-v2-0-9f091330e7cd@rbox.co>
To: John Fastabend, Jakub Sitnicki, Kuniyuki Iwashima, "David S. Miller",
    Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Daniel Borkmann,
    Willem de Bruijn, Cong Wang, Alexei Starovoitov, Yonghong Song,
    Andrii Nakryiko, Eduard Zingerman, Martin KaFai Lau, Song Liu,
    Yonghong Song, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Shuah Khan
Cc: netdev@vger.kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org,
    linux-kselftest@vger.kernel.org, Michal Luczaj

Updating a sockmap from a unix iterator prog may lead to a deadlock.
Piggyback on the original selftest.

Signed-off-by: Michal Luczaj
---
 tools/testing/selftests/bpf/progs/bpf_iter_unix.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/tools/testing/selftests/bpf/progs/bpf_iter_unix.c b/tools/test= ing/selftests/bpf/progs/bpf_iter_unix.c index fea275df9e22..a2652c8c3616 100644 --- a/tools/testing/selftests/bpf/progs/bpf_iter_unix.c +++ b/tools/testing/selftests/bpf/progs/bpf_iter_unix.c @@ -7,6 +7,13 @@ =20 char _license[] SEC("license") =3D "GPL"; =20 +SEC(".maps") struct { + __uint(type, BPF_MAP_TYPE_SOCKMAP); + __uint(max_entries, 1); + __type(key, __u32); + __type(value, __u64); +} sockmap; + static long sock_i_ino(const struct sock *sk) { const struct socket *sk_socket =3D sk->sk_socket; 
@@ -76,5 +83,8 @@ int dump_unix(struct bpf_iter__unix *ctx) =20 BPF_SEQ_PRINTF(seq, "\n"); =20 + /* Test for deadlock. */ + bpf_map_update_elem(&sockmap, &(int){0}, sk, 0); + return 0; } --=20 2.52.0
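
Review bot: The map definition in the hunk at -7 places `SEC(".maps")` in front of `struct {`, whereas BPF selftests normally put the section attribute after the variable name, as in `} sockmap SEC(".maps");`. Please follow that layout so the new map reads like the other map definitions in the selftests.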
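
Review bot: `bpf_map_update_elem(&sockmap, &(int){0}, sk, 0);` in the hunk at -76 discards the return value and passes an int literal for a key declared as __u32, so the test can only fail through a hang or a lockdep splat and stays silent if the update itself starts returning an error. Use a `__u32` key, and either check the result or extend the "Test for deadlock." comment to say the result is ignored on purpose because only the locking path is exercised.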