From: Michal Luczaj
Date: Fri, 06 Mar 2026 00:30:55 +0100
Subject: [PATCH bpf v3 1/5] bpf, sockmap: Annotate af_unix sock::sk_state data-races
Message-Id: <20260306-unix-proto-update-null-ptr-deref-v3-1-2f0c7410c523@rbox.co>
In-Reply-To: <20260306-unix-proto-update-null-ptr-deref-v3-0-2f0c7410c523@rbox.co>
To: John Fastabend, Jakub Sitnicki, Eric Dumazet, Kuniyuki Iwashima, Paolo Abeni, Willem de Bruijn, "David S. Miller", Jakub Kicinski, Simon Horman, Yonghong Song, Andrii Nakryiko, Alexei Starovoitov, Daniel Borkmann, Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Shuah Khan, Cong Wang
Cc: netdev@vger.kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, Michal Luczaj

sock_map_sk_state_allowed() and sock_map_redirect_allowed() read af_unix
socket sk_state locklessly. Use READ_ONCE(). Note that for
sock_map_redirect_allowed() change affects not only af_unix, but all
non-TCP sockets (UDP, af_vsock).

Suggested-by: Kuniyuki Iwashima
Suggested-by: Martin KaFai Lau
Signed-off-by: Michal Luczaj
Reviewed-by: Jiayuan Chen
Reviewed-by: Kuniyuki Iwashima
---
 net/core/sock_map.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/core/sock_map.c b/net/core/sock_map.c index b0e96337a269..02a68be3002a 100644 --- a/net/core/sock_map.c +++ b/net/core/sock_map.c
@@ -530,7 +530,7 @@ static bool sock_map_redirect_allowed(const struct sock= *sk) if (sk_is_tcp(sk)) return sk->sk_state !=3D TCP_LISTEN; else - return sk->sk_state =3D=3D TCP_ESTABLISHED; + return READ_ONCE(sk->sk_state) =3D=3D TCP_ESTABLISHED; } =20 static bool sock_map_sk_is_suitable(const struct sock *sk) 
@@ -543,7 +543,7 @@ static bool sock_map_sk_state_allowed(const struct sock= *sk) if (sk_is_tcp(sk)) return (1 << sk->sk_state) & (TCPF_ESTABLISHED | TCPF_LISTEN); if (sk_is_stream_unix(sk)) - return (1 << sk->sk_state) & TCPF_ESTABLISHED; + return (1 << READ_ONCE(sk->sk_state)) & TCPF_ESTABLISHED; if (sk_is_vsock(sk) && (sk->sk_type =3D=3D SOCK_STREAM || sk->sk_type =3D=3D SOCK_SEQPACKET)) return (1 << sk->sk_state) & TCPF_ESTABLISHED; --=20 2.52.0
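Review bot: In patch 1/5, the vsock branch at the end of the sock_map_sk_state_allowed() hunk still reads sk->sk_state without READ_ONCE(), while the sock_map_redirect_allowed() hunk annotates the read for every non-TCP socket, af_vsock included. Either annotate the vsock read here as well, `return (1 << READ_ONCE(sk->sk_state)) & TCPF_ESTABLISHED;`, or say in the commit message why only the af_unix read is lockless at this call site, so the two functions do not look inconsistent to the next reader.
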
From: Michal Luczaj
Date: Fri, 06 Mar 2026 00:30:56 +0100
Subject: [PATCH bpf v3 2/5] bpf, sockmap: Use sock_map_sk_{acquire,release}() where open-coded
Message-Id: <20260306-unix-proto-update-null-ptr-deref-v3-2-2f0c7410c523@rbox.co>
In-Reply-To: <20260306-unix-proto-update-null-ptr-deref-v3-0-2f0c7410c523@rbox.co>

Instead of repeating the same (un)locking pattern, reuse
sock_map_sk_{acquire,release}(). This centralizes the code and makes it
easier to adapt sockmap to af_unix-specific locking.

Signed-off-by: Michal Luczaj
---
 net/core/sock_map.c | 21 +++++++--------------
 1 file changed, 7 insertions(+), 14 deletions(-)

diff --git a/net/core/sock_map.c b/net/core/sock_map.c index 02a68be3002a..7ba6a7f24ccd 100644 --- a/net/core/sock_map.c +++ b/net/core/sock_map.c
@@ -353,11 +353,9 @@ static void sock_map_free(struct bpf_map *map) sk =3D xchg(psk, NULL); if (sk) { sock_hold(sk); - lock_sock(sk); - rcu_read_lock(); + sock_map_sk_acquire(sk); sock_map_unref(sk, psk); - rcu_read_unlock(); - release_sock(sk); + sock_map_sk_release(sk); sock_put(sk); } }
@@ -1176,11 +1174,9 @@ static void sock_hash_free(struct bpf_map *map) */ hlist_for_each_entry_safe(elem, node, &unlink_list, node) { hlist_del(&elem->node); - lock_sock(elem->sk); - rcu_read_lock(); + sock_map_sk_acquire(elem->sk); sock_map_unref(elem->sk, elem); - rcu_read_unlock(); - release_sock(elem->sk); + sock_map_sk_release(elem->sk); sock_put(elem->sk); sock_hash_free_elem(htab, elem); } @@ -1676,8 +1672,7 @@ void sock_map_close(struct sock *sk, long timeout) void (*saved_close)(struct sock *sk, long timeout); struct sk_psock *psock; =20 - lock_sock(sk); - rcu_read_lock(); + sock_map_sk_acquire(sk); psock =3D sk_psock(sk); if (likely(psock)) { saved_close =3D psock->saved_close; 
@@ -1685,16 +1680,14 @@ void sock_map_close(struct sock *sk, long timeout) psock =3D sk_psock_get(sk); if (unlikely(!psock)) goto no_psock; - rcu_read_unlock(); sk_psock_stop(psock); - release_sock(sk); + sock_map_sk_release(sk); cancel_delayed_work_sync(&psock->work); sk_psock_put(sk, psock); } else { saved_close =3D READ_ONCE(sk->sk_prot)->close; no_psock: - rcu_read_unlock(); - release_sock(sk); + sock_map_sk_release(sk); } =20 /* Make sure we do not recurse. This is a bug. --=20 2.52.0
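Review bot: In patch 2/5, the second sock_map_close() hunk moves sk_psock_stop(psock) inside the RCU read-side section: it used to run after rcu_read_unlock(), and now the unlock only happens in sock_map_sk_release(). The commit message describes the change as reusing the same (un)locking pattern, so please confirm sk_psock_stop() is fine to call under rcu_read_lock() and mention the ordering change there; the sock_map_free() and sock_hash_free() hunks keep their original order and need no such note.
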
From: Michal Luczaj
Date: Fri, 06 Mar 2026 00:30:57 +0100
Subject: [PATCH bpf v3 3/5] bpf, sockmap: Fix af_unix iter deadlock
Message-Id: <20260306-unix-proto-update-null-ptr-deref-v3-3-2f0c7410c523@rbox.co>
In-Reply-To: <20260306-unix-proto-update-null-ptr-deref-v3-0-2f0c7410c523@rbox.co>

bpf_iter_unix_seq_show() may deadlock when lock_sock_fast() takes the fast
path and the iter prog attempts to update a sockmap. Which ends up spinning
at sock_map_update_elem()'s bh_lock_sock():

  WARNING: possible recursive locking detected
  test_progs/1393 is trying to acquire lock:
  ffff88811ec25f58 (slock-AF_UNIX){+...}-{3:3}, at: sock_map_update_elem+0xdb/0x1f0

  but task is already holding lock:
  ffff88811ec25f58 (slock-AF_UNIX){+...}-{3:3}, at: __lock_sock_fast+0x37/0xe0

  other info that might help us debug this:
   Possible unsafe locking scenario:

         CPU0
         ----
    lock(slock-AF_UNIX);
    lock(slock-AF_UNIX);

   *** DEADLOCK ***

   May be due to missing lock nesting notation

  4 locks held by test_progs/1393:
   #0: ffff88814b59c790 (&p->lock){+.+.}-{4:4}, at: bpf_seq_read+0x59/0x10d0
   #1: ffff88811ec25fd8 (sk_lock-AF_UNIX){+.+.}-{0:0}, at: bpf_seq_read+0x42c/0x10d0
   #2: ffff88811ec25f58 (slock-AF_UNIX){+...}-{3:3}, at: __lock_sock_fast+0x37/0xe0
   #3: ffffffff85a6a7c0 (rcu_read_lock){....}-{1:3}, at: bpf_iter_run_prog+0x51d/0xb00

  Call Trace:
   dump_stack_lvl+0x5d/0x80
   print_deadlock_bug.cold+0xc0/0xce
   __lock_acquire+0x130f/0x2590
   lock_acquire+0x14e/0x2b0
   _raw_spin_lock+0x30/0x40
   sock_map_update_elem+0xdb/0x1f0
   bpf_prog_2d0075e5d9b721cd_dump_unix+0x55/0x4f4
   bpf_iter_run_prog+0x5b9/0xb00
   bpf_iter_unix_seq_show+0x1f7/0x2e0
   bpf_seq_read+0x42c/0x10d0
   vfs_read+0x171/0xb20
   ksys_read+0xff/0x200
   do_syscall_64+0x6b/0x3a0
   entry_SYSCALL_64_after_hwframe+0x76/0x7e

Suggested-by: Kuniyuki Iwashima
Suggested-by: Martin KaFai Lau
Fixes: 2c860a43dd77 ("bpf: af_unix: Implement BPF iterator for UNIX domain socket.")
Signed-off-by: Michal Luczaj
Reviewed-by: Jiayuan Chen
Reviewed-by: Kuniyuki Iwashima
---
 net/unix/af_unix.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index 3756a93dc63a..3d2cfb4ecbcd 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c
@@ -3729,15 +3729,14 @@ static int bpf_iter_unix_seq_show(struct seq_file *= seq, void *v) struct bpf_prog *prog; struct sock *sk =3D v; uid_t uid; - bool slow; int ret; =20 if (v =3D=3D SEQ_START_TOKEN) return 0; =20 - slow =3D lock_sock_fast(sk); + lock_sock(sk); =20 - if (unlikely(sk_unhashed(sk))) { + if (unlikely(sock_flag(sk, SOCK_DEAD))) { ret =3D SEQ_SKIP; goto unlock; } 
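Review bot: The skip condition in bpf_iter_unix_seq_show() changes from sk_unhashed(sk) to sock_flag(sk, SOCK_DEAD), but the commit message only explains the lock_sock_fast() to lock_sock() switch. Please add a sentence on why the check is replaced and whether the two tests skip the same set of sockets, or split that change into its own patch so the deadlock fix carrying the Fixes: tag stays minimal.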
@@ -3747,7 +3746,7 @@ static int bpf_iter_unix_seq_show(struct seq_file *se= q, void *v) prog =3D bpf_iter_get_info(&meta, false); ret =3D unix_prog_seq_show(prog, &meta, v, uid); unlock: - unlock_sock_fast(sk, slow); + release_sock(sk); return ret; } =20 --=20 2.52.0

From: Michal Luczaj
Date: Fri, 06 Mar 2026 00:30:58 +0100
Subject: [PATCH bpf v3 4/5] selftests/bpf: Extend bpf_iter_unix to attempt deadlocking
Message-Id: <20260306-unix-proto-update-null-ptr-deref-v3-4-2f0c7410c523@rbox.co>
In-Reply-To: <20260306-unix-proto-update-null-ptr-deref-v3-0-2f0c7410c523@rbox.co>

Updating a sockmap from a unix iterator prog may lead to a deadlock.
Piggyback on the original selftest.

Signed-off-by: Michal Luczaj
Reviewed-by: Jiayuan Chen
---
 tools/testing/selftests/bpf/progs/bpf_iter_unix.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/tools/testing/selftests/bpf/progs/bpf_iter_unix.c b/tools/test= ing/selftests/bpf/progs/bpf_iter_unix.c index fea275df9e22..a2652c8c3616 100644 --- a/tools/testing/selftests/bpf/progs/bpf_iter_unix.c +++ b/tools/testing/selftests/bpf/progs/bpf_iter_unix.c
@@ -7,6 +7,13 @@ =20 char _license[] SEC("license") =3D "GPL"; =20 +SEC(".maps") struct { + __uint(type, BPF_MAP_TYPE_SOCKMAP); + __uint(max_entries, 1); + __type(key, __u32); + __type(value, __u64); +} sockmap; + static long sock_i_ino(const struct sock *sk) { const struct socket *sk_socket =3D sk->sk_socket;
@@ -76,5 +83,8 @@ int dump_unix(struct bpf_iter__unix *ctx) =20 BPF_SEQ_PRINTF(seq, "\n"); =20 + /* Test for deadlock. */ + bpf_map_update_elem(&sockmap, &(int){0}, sk, 0); + return 0; } --=20 2.52.0
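Review bot: In patch 4/5, the bpf_map_update_elem() call added to dump_unix() discards its return value and passes &(int){0} as the key although the map is declared with __type(key, __u32). Since the test can only fail through a hang or a lockdep report, extend the "Test for deadlock." comment to say the result is ignored on purpose, and use a __u32 key so the literal matches the map definition.
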
From: Michal Luczaj
Date: Fri, 06 Mar 2026 00:30:59 +0100
Subject: [PATCH bpf v3 5/5] bpf, sockmap: Adapt for af_unix-specific lock
Message-Id: <20260306-unix-proto-update-null-ptr-deref-v3-5-2f0c7410c523@rbox.co>
In-Reply-To: <20260306-unix-proto-update-null-ptr-deref-v3-0-2f0c7410c523@rbox.co>

unix_stream_connect() sets sk_state (`WRITE_ONCE(sk->sk_state,
TCP_ESTABLISHED)`) _before_ it assigns a peer (`unix_peer(sk) = newsk`).
sk_state == TCP_ESTABLISHED makes sock_map_sk_state_allowed() believe that
socket is properly set up, which would include having a defined peer. IOW,
there's a window when unix_stream_bpf_update_proto() can be called on
socket which still has unix_peer(sk) == NULL.

  T0 bpf                            T1 connect
  ------                            ----------

                                    WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED)
  sock_map_sk_state_allowed(sk)
  ...
  sk_pair = unix_peer(sk)
  sock_hold(sk_pair)
                                    sock_hold(newsk)
                                    smp_mb__after_atomic()
                                    unix_peer(sk) = newsk

  BUG: kernel NULL pointer dereference, address: 0000000000000080
  RIP: 0010:unix_stream_bpf_update_proto+0xa0/0x1b0
  Call Trace:
   sock_map_link+0x564/0x8b0
   sock_map_update_common+0x6e/0x340
   sock_map_update_elem_sys+0x17d/0x240
   __sys_bpf+0x26db/0x3250
   __x64_sys_bpf+0x21/0x30
   do_syscall_64+0x6b/0x3a0
   entry_SYSCALL_64_after_hwframe+0x76/0x7e

Initial idea was to move peer assignment _before_ the sk_state update[1],
but that involved an additional memory barrier, and changing the hot path
was rejected.
Then a check during proto update was considered[2], but a follow-up
discussion[3] concluded the root cause is sockmap taking a wrong lock. Or,
more specifically, an insufficient lock[4].

Thus, teach sockmap about the af_unix-specific locking: af_unix protects
critical sections under unix_state_lock() operating on unix_sock::lock.

[1]: https://lore.kernel.org/netdev/ba5c50aa-1df4-40c2-ab33-a72022c5a32e@rbox.co/
[2]: https://lore.kernel.org/netdev/20240610174906.32921-1-kuniyu@amazon.com/
[3]: https://lore.kernel.org/netdev/7603c0e6-cd5b-452b-b710-73b64bd9de26@linux.dev/
[4]: https://lore.kernel.org/netdev/CAAVpQUA+8GL_j63CaKb8hbxoL21izD58yr1NvhOhU=j+35+3og@mail.gmail.com/

Suggested-by: Kuniyuki Iwashima
Suggested-by: Martin KaFai Lau
Fixes: c63829182c37 ("af_unix: Implement ->psock_update_sk_prot()")
Signed-off-by: Michal Luczaj
---
 net/core/sock_map.c | 35 +++++++++++++++++++++++++++++------
 1 file changed, 29 insertions(+), 6 deletions(-)

diff --git a/net/core/sock_map.c b/net/core/sock_map.c index 7ba6a7f24ccd..6109fbe6f99c 100644 --- a/net/core/sock_map.c +++ b/net/core/sock_map.c
@@ -12,6 +12,7 @@ #include #include #include +#include #include =20 struct bpf_stab {
@@ -115,19 +116,43 @@ int sock_map_prog_detach(const union bpf_attr *attr, = enum bpf_prog_type ptype) } =20 static void sock_map_sk_acquire(struct sock *sk) - __acquires(&sk->sk_lock.slock) { lock_sock(sk); + + if (sk_is_unix(sk)) + unix_state_lock(sk); + rcu_read_lock(); } =20 static void sock_map_sk_release(struct sock *sk) - __releases(&sk->sk_lock.slock) { rcu_read_unlock(); + + if (sk_is_unix(sk)) + unix_state_unlock(sk); + release_sock(sk); } =20 +static inline void sock_map_sk_acquire_fast(struct sock *sk) +{ + local_bh_disable(); + bh_lock_sock(sk); + + if (sk_is_unix(sk)) + unix_state_lock(sk); +} + +static inline void sock_map_sk_release_fast(struct sock *sk) +{ + if (sk_is_unix(sk)) + unix_state_unlock(sk); + + bh_unlock_sock(sk); + local_bh_enable(); +} + static void sock_map_add_link(struct sk_psock *psock, struct sk_psock_link *link, struct bpf_map *map, void *link_raw) @@ -604,16 +629,14 @@ static long sock_map_update_elem(struct bpf_map *map,= void *key, if (!sock_map_sk_is_suitable(sk)) return -EOPNOTSUPP; =20 - local_bh_disable(); - bh_lock_sock(sk); + sock_map_sk_acquire_fast(sk); if (!sock_map_sk_state_allowed(sk)) ret =3D -EOPNOTSUPP; else if (map->map_type =3D=3D BPF_MAP_TYPE_SOCKMAP) ret =3D sock_map_update_common(map, *(u32 *)key, sk, flags); else ret =3D sock_hash_update_common(map, key, sk, flags); - bh_unlock_sock(sk); - local_bh_enable(); + sock_map_sk_release_fast(sk); return ret; } =20 --=20 2.52.0
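Review bot: In patch 5/5, the sock_map_sk_acquire()/sock_map_sk_release() hunk drops the __acquires()/__releases() annotations and adds the _fast pair without any, and nothing documents the resulting lock order (lock_sock() or bh_lock_sock() first, then unix_state_lock()). Please add a short comment above the helpers stating that order and that, for af_unix sockets, everything between acquire and release now runs with unix_state_lock() held; since sock_map_sk_acquire_fast() takes it under bh_lock_sock() with BHs disabled it must be a non-sleeping lock, so the sections converted in patch 2/5 may not sleep under it. The static inline on the _fast helpers is also inconsistent with the plain static used for the existing pair in the same file.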
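Review bot: In patch 5/5, the sock_map_update_elem() hunk converts only the BPF helper path, while the call trace quoted in the commit message reaches unix_stream_bpf_update_proto() through sock_map_update_elem_sys(). Please state in the commit message that the syscall path is covered through sock_map_sk_acquire(), if that is the case, so it is clear that both update paths hold unix_state_lock() before sock_map_sk_state_allowed() is evaluated.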