From nobody Tue Feb 10 21:59:54 2026
Received: from mailtransmit05.runbox.com (mailtransmit05.runbox.com
 [185.226.149.38])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 56852254AFF
	for <linux-kernel@vger.kernel.org>; Sat,  7 Feb 2026 14:35:16 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=185.226.149.38
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1770474918; cv=none;
 b=gOo1LJ6LmE3AQYXQ2n+7RSnF/NvOFe5kam5WDeHFa9D3SruNqStcWaHUaDXCaTVNh45fvWWV6mhw9uT8i37T0dVJ5tWOHiwisTMIAiue6VVvG16LECx1KxV2bi223PM6YrlNnX9JAtnhbvtwST4BFYLPukau9OSOv8KXyaZieZ8=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1770474918; c=relaxed/simple;
	bh=Hc7+R2mF21jy9zsi5eBu1HjQAxX9qX6No6aOq+OlE10=;
	h=From:Date:Subject:MIME-Version:Content-Type:Message-Id:References:
	 In-Reply-To:To:Cc;
 b=LMLZAO960DxuZIt85Q7RXf64T4JvcdeX3MnTCxTEgTy2qxLUA9VTlqrWOmxUd3RSAWIPiFQdkGBKO7T16ebo+FLynEIgwPgYZMH9sSrfP2wA1yw/4yoMdLQATPmSOZLZ8tAyAFz8RJXO5nrmlOc2bf0jkeniYzOXGHoRu+bEIVU=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=rbox.co;
 spf=pass smtp.mailfrom=rbox.co;
 dkim=pass (2048-bit key) header.d=rbox.co header.i=@rbox.co
 header.b=Bs6mi3TT; arc=none smtp.client-ip=185.226.149.38
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=rbox.co
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=rbox.co
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=rbox.co header.i=@rbox.co
 header.b="Bs6mi3TT"
Received: from mailtransmit03.runbox ([10.9.9.163] helo=aibo.runbox.com)
	by mailtransmit05.runbox.com with esmtps  (TLS1.2) tls
 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.93)
	(envelope-from <mhal@rbox.co>)
	id 1vojOx-00AivQ-S9; Sat, 07 Feb 2026 15:35:11 +0100
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=rbox.co;
	s=selector2; h=Cc:To:In-Reply-To:References:Message-Id:
	Content-Transfer-Encoding:Content-Type:MIME-Version:Subject:Date:From;
	bh=aXjE+KBBPBDEGL17SNukFZZe6xLinfU8oJd7PxZV38s=; b=Bs6mi3TT6JvjyI3/NtouGwRuAm
	ZFIlojAiXwcvUPVq3fFLtrrRpD4Y4opAlOJl098mV7hgGlR2n7taPL83ScdIUdsk2/BycnZUyyuWQ
	iUtsi35ss3Te5SOPkzOSWtA6+3WBjVB1ZG9lsOOopq/pvHsaZwgzmGBZM1p3ML2fpyeU0WqGTP6hp
	s+K1eReugvknKnQzeFAD4SPG+5cUwxEUThKhKhHiNlQ6W9VJ40xrkNmqCn7HdXlXNXJSOh1q+z6qy
	Kbcv/iCctQm3HOIygpE2Z7gvULIe92JS5vCDExTMcL20LWdxSXYT5MyzcPWnJWTf0omWroeZ9Q6Fu
	3CLvquPQ==;
Received: from [10.9.9.72] (helo=submission01.runbox)
	by mailtransmit03.runbox with esmtp (Exim 4.86_2)
	(envelope-from <mhal@rbox.co>)
	id 1vojOx-0005X7-6G; Sat, 07 Feb 2026 15:35:11 +0100
Received: by submission01.runbox with esmtpsa  [Authenticated ID (604044)]
  (TLS1.2:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
	(Exim 4.93)
	id 1vojOq-006OQ1-VG; Sat, 07 Feb 2026 15:35:05 +0100
From: Michal Luczaj <mhal@rbox.co>
Date: Sat, 07 Feb 2026 15:34:54 +0100
Subject: [PATCH bpf v2 1/4] bpf, sockmap: Annotate af_unix sock::sk_state
 data-races
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: 
 <20260207-unix-proto-update-null-ptr-deref-v2-1-9f091330e7cd@rbox.co>
References: 
 <20260207-unix-proto-update-null-ptr-deref-v2-0-9f091330e7cd@rbox.co>
In-Reply-To: 
 <20260207-unix-proto-update-null-ptr-deref-v2-0-9f091330e7cd@rbox.co>
To: John Fastabend <john.fastabend@gmail.com>,
 Jakub Sitnicki <jakub@cloudflare.com>,
 Kuniyuki Iwashima <kuniyu@google.com>,
 "David S. Miller" <davem@davemloft.net>, Eric Dumazet <edumazet@google.com>,
 Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
 Simon Horman <horms@kernel.org>, Daniel Borkmann <daniel@iogearbox.net>,
 Willem de Bruijn <willemb@google.com>, Cong Wang <cong.wang@bytedance.com>,
 Alexei Starovoitov <ast@kernel.org>, Yonghong Song <yhs@fb.com>,
 Andrii Nakryiko <andrii@kernel.org>, Eduard Zingerman <eddyz87@gmail.com>,
 Martin KaFai Lau <martin.lau@linux.dev>, Song Liu <song@kernel.org>,
 Yonghong Song <yonghong.song@linux.dev>, KP Singh <kpsingh@kernel.org>,
 Stanislav Fomichev <sdf@fomichev.me>, Hao Luo <haoluo@google.com>,
 Jiri Olsa <jolsa@kernel.org>, Shuah Khan <shuah@kernel.org>
Cc: netdev@vger.kernel.org, bpf@vger.kernel.org,
 linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
 Michal Luczaj <mhal@rbox.co>
X-Mailer: b4 0.14.3

sock_map_sk_state_allowed() and sock_map_redirect_allowed() read af_unix
socket sk_state locklessly.

Use READ_ONCE(). Note that for sock_map_redirect_allowed() change affects
not only af_unix, but all non-TCP sockets (UDP, af_vsock).

Suggested-by: Kuniyuki Iwashima <kuniyu@google.com>
Suggested-by: Martin KaFai Lau <martin.lau@linux.dev>
Signed-off-by: Michal Luczaj <mhal@rbox.co>
---
 net/core/sock_map.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/core/sock_map.c b/net/core/sock_map.c
index 5947b38e4f8b..d4f15b846ad4 100644
--- a/net/core/sock_map.c
+++ b/net/core/sock_map.c
@@ -530,7 +530,7 @@ static bool sock_map_redirect_allowed(const struct sock=
 *sk)
 	if (sk_is_tcp(sk))
 		return sk->sk_state !=3D TCP_LISTEN;
 	else
-		return sk->sk_state =3D=3D TCP_ESTABLISHED;
+		return READ_ONCE(sk->sk_state) =3D=3D TCP_ESTABLISHED;
 }
=20
 static bool sock_map_sk_is_suitable(const struct sock *sk)
@@ -543,7 +543,7 @@ static bool sock_map_sk_state_allowed(const struct sock=
 *sk)
 	if (sk_is_tcp(sk))
 		return (1 << sk->sk_state) & (TCPF_ESTABLISHED | TCPF_LISTEN);
 	if (sk_is_stream_unix(sk))
-		return (1 << sk->sk_state) & TCPF_ESTABLISHED;
+		return (1 << READ_ONCE(sk->sk_state)) & TCPF_ESTABLISHED;
 	if (sk_is_vsock(sk) &&
 	    (sk->sk_type =3D=3D SOCK_STREAM || sk->sk_type =3D=3D SOCK_SEQPACKET))
 		return (1 << sk->sk_state) & TCPF_ESTABLISHED;

--=20
2.52.0