sock_map_sk_state_allowed() and sock_map_redirect_allowed() read af_unix
socket sk_state locklessly.
Use READ_ONCE(). Note that for sock_map_redirect_allowed() change affects
not only af_unix, but all non-TCP sockets (UDP, af_vsock).
Suggested-by: Kuniyuki Iwashima <kuniyu@google.com>
Suggested-by: Martin KaFai Lau <martin.lau@linux.dev>
Signed-off-by: Michal Luczaj <mhal@rbox.co>
---
net/core/sock_map.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/core/sock_map.c b/net/core/sock_map.c
index b0e96337a269..02a68be3002a 100644
--- a/net/core/sock_map.c
+++ b/net/core/sock_map.c
@@ -530,7 +530,7 @@ static bool sock_map_redirect_allowed(const struct sock *sk)
if (sk_is_tcp(sk))
return sk->sk_state != TCP_LISTEN;
else
- return sk->sk_state == TCP_ESTABLISHED;
+ return READ_ONCE(sk->sk_state) == TCP_ESTABLISHED;
}
static bool sock_map_sk_is_suitable(const struct sock *sk)
@@ -543,7 +543,7 @@ static bool sock_map_sk_state_allowed(const struct sock *sk)
if (sk_is_tcp(sk))
return (1 << sk->sk_state) & (TCPF_ESTABLISHED | TCPF_LISTEN);
if (sk_is_stream_unix(sk))
- return (1 << sk->sk_state) & TCPF_ESTABLISHED;
+ return (1 << READ_ONCE(sk->sk_state)) & TCPF_ESTABLISHED;
if (sk_is_vsock(sk) &&
(sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET))
return (1 << sk->sk_state) & TCPF_ESTABLISHED;
--
2.52.0On 3/6/26 00:30, Michal Luczaj wrote:
> sock_map_sk_state_allowed() and sock_map_redirect_allowed() read af_unix
> socket sk_state locklessly.
>
> Use READ_ONCE(). Note that for sock_map_redirect_allowed() change affects
> not only af_unix, but all non-TCP sockets (UDP, af_vsock).
>
> Suggested-by: Kuniyuki Iwashima <kuniyu@google.com>
> Suggested-by: Martin KaFai Lau <martin.lau@linux.dev>
> Signed-off-by: Michal Luczaj <mhal@rbox.co>
> ---
> net/core/sock_map.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/core/sock_map.c b/net/core/sock_map.c
> index b0e96337a269..02a68be3002a 100644
> --- a/net/core/sock_map.c
> +++ b/net/core/sock_map.c
...
> @@ -543,7 +543,7 @@ static bool sock_map_sk_state_allowed(const struct sock *sk)
> if (sk_is_tcp(sk))
> return (1 << sk->sk_state) & (TCPF_ESTABLISHED | TCPF_LISTEN);
> if (sk_is_stream_unix(sk))
> - return (1 << sk->sk_state) & TCPF_ESTABLISHED;
> + return (1 << READ_ONCE(sk->sk_state)) & TCPF_ESTABLISHED;
> if (sk_is_vsock(sk) &&
> (sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET))
> return (1 << sk->sk_state) & TCPF_ESTABLISHED;
>
Another reason to (conditionally) take unix_state_lock() at
sock_map_update_elem{,_sys}(): chunk above can be dropped.
On 3/6/26 7:30 AM, Michal Luczaj wrote: > sock_map_sk_state_allowed() and sock_map_redirect_allowed() read af_unix > socket sk_state locklessly. > > Use READ_ONCE(). Note that for sock_map_redirect_allowed() change affects > not only af_unix, but all non-TCP sockets (UDP, af_vsock). > > Suggested-by: Kuniyuki Iwashima <kuniyu@google.com> > Suggested-by: Martin KaFai Lau <martin.lau@linux.dev> > Signed-off-by: Michal Luczaj <mhal@rbox.co> Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
On Thu, Mar 5, 2026 at 3:31 PM Michal Luczaj <mhal@rbox.co> wrote: > > sock_map_sk_state_allowed() and sock_map_redirect_allowed() read af_unix > socket sk_state locklessly. > > Use READ_ONCE(). Note that for sock_map_redirect_allowed() change affects > not only af_unix, but all non-TCP sockets (UDP, af_vsock). > > Suggested-by: Kuniyuki Iwashima <kuniyu@google.com> > Suggested-by: Martin KaFai Lau <martin.lau@linux.dev> > Signed-off-by: Michal Luczaj <mhal@rbox.co> Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com> Actually TCP path also needs READ_ONCE(), but I think it's okay for now since this series focuses on AF_UNIX.
© 2016 - 2026 Red Hat, Inc.