From: "Jiayuan Chen" <jiayuan.chen@linux.dev>
To: "Michal Luczaj" <mhal@rbox.co>,
"John Fastabend" <john.fastabend@gmail.com>,
"Jakub Sitnicki" <jakub@cloudflare.com>,
"Eric Dumazet" <edumazet@google.com>,
"Kuniyuki Iwashima" <kuniyu@google.com>,
"Paolo Abeni" <pabeni@redhat.com>,
"Willem de Bruijn" <willemb@google.com>,
"David S. Miller" <davem@davemloft.net>,
"Jakub Kicinski" <kuba@kernel.org>,
"Simon Horman" <horms@kernel.org>, "Yonghong Song" <yhs@fb.com>,
"Andrii Nakryiko" <andrii@kernel.org>,
"Alexei Starovoitov" <ast@kernel.org>,
"Daniel Borkmann" <daniel@iogearbox.net>,
"Martin KaFai Lau" <martin.lau@linux.dev>,
"Eduard Zingerman" <eddyz87@gmail.com>,
"Song Liu" <song@kernel.org>,
"Yonghong Song" <yonghong.song@linux.dev>,
"KP Singh" <kpsingh@kernel.org>,
"Stanislav Fomichev" <sdf@fomichev.me>,
"Hao Luo" <haoluo@google.com>, "Jiri Olsa" <jolsa@kernel.org>,
"Shuah Khan" <shuah@kernel.org>,
"Cong Wang" <cong.wang@bytedance.com>
Cc: netdev@vger.kernel.org, bpf@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org
Subject: Re: [PATCH bpf v3 3/5] bpf, sockmap: Fix af_unix iter deadlock
Date: Fri, 06 Mar 2026 14:31:02 +0000 [thread overview]
Message-ID: <834c065e89ccb2d9c3dbeda2677cd6e429cb8f28@linux.dev> (raw)
In-Reply-To: <6b02c177-69a2-4e08-a936-65bfa8e85b7e@rbox.co>
March 6, 2026 at 22:06, "Michal Luczaj" <mhal@rbox.co mailto:mhal@rbox.co?to=%22Michal%20Luczaj%22%20%3Cmhal%40rbox.co%3E > wrote:
>
> On 3/6/26 07:04, Jiayuan Chen wrote:
>
> >
> > On 3/6/26 7:30 AM, Michal Luczaj wrote:
> >
> > >
> > > @@ -3729,15 +3729,14 @@ static int bpf_iter_unix_seq_show(struct seq_file *seq, void *v)
> > > struct bpf_prog *prog;
> > > struct sock *sk = v;
> > > uid_t uid;
> > > - bool slow;
> > > int ret;
> > >
> > > if (v == SEQ_START_TOKEN)
> > > return 0;
> > >
> > > - slow = lock_sock_fast(sk);
> > > + lock_sock(sk);
> > >
> > > - if (unlikely(sk_unhashed(sk))) {
> > > + if (unlikely(sock_flag(sk, SOCK_DEAD))) {
> > > ret = SEQ_SKIP;
> > > goto unlock;
> > > }
> > >
> >
> >
> > Switching to lock_sock() fixes the deadlock, but it does not provide mutual
> > exclusion with unix_release_sock(), which uses unix_state_lock() exclusively
> > and does not touch lock_sock() at all. So a dying socket can still reach the
> > BPF prog concurrently with unix_release_sock() running on another CPU.
> >
> That's right. Note that although the socket is dying, iter holds a
> reference to it, so the socket is far from being freed (as in: memory
> released).
>
> >
> > Both SOCK_DEAD and the clearing of unix_peer(sk) happen under
> > unix_state_lock() in unix_release_sock(). Without taking unix_state_lock()
> > before the SOCK_DEAD check, there is a window:
> >
> > iter unix_release_sock()
> > --- lock_sock(sk)
> > SOCK_DEAD == 0 (check passes)
> > unix_state_lock(sk)
> > unix_peer(sk) = NULL
> > sock_set_flag(sk, SOCK_DEAD)
> > unix_state_unlock(sk)
> > BPF prog runs
> > → accesses unix_peer(sk) == NULL → crash
> >
> > This was not raised in the v2 discussion.
> >
> It was raised in v1[1]. Conclusion was that bpf prog bytecode directly
> accessing unix_peer(sk) is not an issue; bpf machinery will handle any
> faults. That said, should a "bad" value of unix_peer(sk) end up as a
> parameter of a bpf helper, yes, that is a well known[2] problem (that have
> a solution unrelated to this series).
>
> [1]:
> https://lore.kernel.org/bpf/6de6f1bf-c8ee-4dfb-9b8c-f89185946630@linux.dev/
> [2]:
> https://lore.kernel.org/bpf/CAADnVQK_93g_KkNFYXSr8ZvA1fYh4hoFRJCJFPS-zs4ox0HhAA@mail.gmail.com/
>
Thanks for letting me know.
next prev parent reply other threads:[~2026-03-06 14:31 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-05 23:30 [PATCH bpf v3 0/5] bpf, sockmap: Fix af_unix null-ptr-deref in proto update Michal Luczaj
2026-03-05 23:30 ` [PATCH bpf v3 1/5] bpf, sockmap: Annotate af_unix sock::sk_state data-races Michal Luczaj
2026-03-06 5:30 ` Kuniyuki Iwashima
2026-03-06 6:24 ` [PATCH bpf v3 1/5] bpf, sockmap: Annotate af_unix sock^sk_state data-races Jiayuan Chen
2026-03-18 17:05 ` [PATCH bpf v3 1/5] bpf, sockmap: Annotate af_unix sock::sk_state data-races Michal Luczaj
2026-03-05 23:30 ` [PATCH bpf v3 2/5] bpf, sockmap: Use sock_map_sk_{acquire,release}() where open-coded Michal Luczaj
2026-03-06 5:44 ` Kuniyuki Iwashima
2026-03-06 14:05 ` Michal Luczaj
2026-03-11 4:17 ` Kuniyuki Iwashima
2026-03-11 4:57 ` Kuniyuki Iwashima
2026-03-15 23:58 ` Michal Luczaj
2026-03-05 23:30 ` [PATCH bpf v3 3/5] bpf, sockmap: Fix af_unix iter deadlock Michal Luczaj
2026-03-06 5:47 ` Kuniyuki Iwashima
2026-03-06 6:04 ` Jiayuan Chen
2026-03-06 6:15 ` Jiayuan Chen
2026-03-06 14:06 ` Michal Luczaj
2026-03-06 14:31 ` Jiayuan Chen [this message]
2026-03-06 14:33 ` Jiayuan Chen
2026-03-05 23:30 ` [PATCH bpf v3 4/5] selftests/bpf: Extend bpf_iter_unix to attempt deadlocking Michal Luczaj
2026-03-06 14:34 ` Jiayuan Chen
2026-03-05 23:30 ` [PATCH bpf v3 5/5] bpf, sockmap: Adapt for af_unix-specific lock Michal Luczaj
2026-03-06 5:01 ` Jiayuan Chen
2026-03-06 14:09 ` Michal Luczaj
2026-03-10 22:20 ` Martin KaFai Lau
2026-03-15 23:58 ` Michal Luczaj
2026-03-26 6:26 ` Martin KaFai Lau
2026-03-30 23:03 ` Michal Luczaj
2026-03-30 23:27 ` Kuniyuki Iwashima
2026-03-31 22:43 ` Michal Luczaj
2026-03-31 23:18 ` Kuniyuki Iwashima
2026-04-01 19:18 ` Michal Luczaj
2026-03-31 0:20 ` Martin KaFai Lau
2026-03-31 22:43 ` Michal Luczaj
2026-04-02 1:34 ` Martin KaFai Lau
2026-04-14 14:19 ` Michal Luczaj
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=834c065e89ccb2d9c3dbeda2677cd6e429cb8f28@linux.dev \
--to=jiayuan.chen@linux.dev \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=cong.wang@bytedance.com \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=eddyz87@gmail.com \
--cc=edumazet@google.com \
--cc=haoluo@google.com \
--cc=horms@kernel.org \
--cc=jakub@cloudflare.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kpsingh@kernel.org \
--cc=kuba@kernel.org \
--cc=kuniyu@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=mhal@rbox.co \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=sdf@fomichev.me \
--cc=shuah@kernel.org \
--cc=song@kernel.org \
--cc=willemb@google.com \
--cc=yhs@fb.com \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.