From: Martin KaFai Lau <martin.lau@linux.dev>
To: Michal Luczaj <mhal@rbox.co>, Kuniyuki Iwashima <kuniyu@google.com>
Cc: John Fastabend <john.fastabend@gmail.com>,
Jakub Sitnicki <jakub@cloudflare.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
netdev@vger.kernel.org, bpf@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH bpf] bpf, sockmap: Fix af_unix null-ptr-deref in proto update
Date: Mon, 2 Feb 2026 19:53:20 -0800 [thread overview]
Message-ID: <6de6f1bf-c8ee-4dfb-9b8c-f89185946630@linux.dev> (raw)
In-Reply-To: <b98a40e8-1be2-47f0-8238-92dee8f5a204@rbox.co>
On 2/2/26 7:10 AM, Michal Luczaj wrote:
>>> Other than update_elem, do other lock_sock() usages in sock_map have a
>>> similar issue for af_unix?
> As for the sockmap, I think that would be it.
Thanks for checking.
>
> In related news, looks like bpf_iter_unix_seq_show() is missing
> unix_state_lock(): lock_sock_fast() won't stop unix_release_sock(). E.g.
> bpf iterator can grab unix_sock::peer as it is being released.
If the concern is the bpf iterator prog may use a released unix_peer(sk)
pointer, it should be fine. The unix_peer(sk) pointer is not a trusted
pointer to the bpf prog, so nothing bad will happen other than
potentially reading incorrect values.
However, yeah, the bpf_iter_(tcp|udp)_seq_show is better in the sense
that the correct lock is used.
For tcp_sock that has many stats, I think it will be particularly useful
to read them in a consistent state. I don't have a strong opinion on
af_unix.
Unlike the sock_map where the lock_sock is not useful for af_unix. The
bpf iterator can do bpf_setsockopt, so a lock_sock_fast() is still
needed in bpf_iter_unix_seq_show and I think it is the reason
lock_sock_fast() is used here.
next prev parent reply other threads:[~2026-02-03 3:53 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-29 16:47 [PATCH bpf] bpf, sockmap: Fix af_unix null-ptr-deref in proto update Michal Luczaj
2026-01-29 19:41 ` Martin KaFai Lau
2026-01-30 11:00 ` Michal Luczaj
2026-01-30 21:29 ` Martin KaFai Lau
2026-01-31 10:06 ` Kuniyuki Iwashima
2026-02-02 15:10 ` Michal Luczaj
2026-02-03 3:53 ` Martin KaFai Lau [this message]
2026-02-03 9:57 ` Michal Luczaj
2026-02-03 19:47 ` Kuniyuki Iwashima
2026-02-04 7:15 ` Martin KaFai Lau
2026-02-04 7:58 ` Kuniyuki Iwashima
2026-02-04 15:41 ` Michal Luczaj
2026-02-04 19:16 ` Kuniyuki Iwashima
2026-02-04 20:18 ` Martin KaFai Lau
2026-02-04 19:34 ` Martin KaFai Lau
2026-02-04 21:09 ` Kuniyuki Iwashima
2026-02-05 0:55 ` Martin KaFai Lau
2026-02-05 2:00 ` Martin KaFai Lau
2026-02-05 7:39 ` Kuniyuki Iwashima
2026-02-04 23:25 ` Michal Luczaj
2026-02-05 0:27 ` Kuniyuki Iwashima
2026-02-05 0:31 ` Martin KaFai Lau
2026-02-02 19:15 ` Martin KaFai Lau
2026-02-07 14:37 ` Michal Luczaj
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6de6f1bf-c8ee-4dfb-9b8c-f89185946630@linux.dev \
--to=martin.lau@linux.dev \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=jakub@cloudflare.com \
--cc=john.fastabend@gmail.com \
--cc=kuba@kernel.org \
--cc=kuniyu@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mhal@rbox.co \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.