From: sashiko-bot@kernel.org
To: "Jakub Sitnicki" <jakub@cloudflare.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next] bpf, unix: Guard sk_msg-dependent code behind CONFIG_NET_SOCK_MSG
Date: Mon, 22 Jun 2026 13:17:31 +0000 [thread overview]
Message-ID: <20260622131731.E619F1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260622-bpf-sk_msg-split-unix-v1-1-d7e0cb7bb03b@cloudflare.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Critical] Calling recvmsg() on a UNIX socket added to a BPF sockmap causes a NULL pointer dereference when CONFIG_NET_SOCK_MSG is disabled.
--
commit 95825431b208bd3fb6f5fe58d504bdcb560273c9
Author: Jakub Sitnicki <jakub@cloudflare.com>
bpf, unix: Guard sk_msg-dependent code behind CONFIG_NET_SOCK_MSG
This commit conditionally compiles the assignment of recvmsg and
sock_is_readable in AF_UNIX BPF protocol rebuilding functions, guarding them
behind CONFIG_NET_SOCK_MSG.
> diff --git a/net/unix/unix_bpf.c b/net/unix/unix_bpf.c
> index f86ff19e9764d..5289a04b4993f 100644
> --- a/net/unix/unix_bpf.c
> +++ b/net/unix/unix_bpf.c
[ ... ]
> @@ -107,8 +109,10 @@ static void unix_dgram_bpf_rebuild_protos(struct proto *prot, const struct proto
> {
> *prot = *base;
> prot->close = sock_map_close;
> +#ifdef CONFIG_NET_SOCK_MSG
> prot->recvmsg = unix_bpf_recvmsg;
> prot->sock_is_readable = sk_msg_is_readable;
> +#endif
> }
[Severity: Critical]
If CONFIG_NET_SOCK_MSG is disabled but CONFIG_BPF_SYSCALL is enabled,
doesn't this leave prot->recvmsg as NULL?
When a UNIX datagram socket is added to a sockmap, its protocol is updated to
the rebuilt BPF protocol. If a user then calls recvmsg(), unix_dgram_recvmsg
checks if the protocol has been overridden:
net/unix/af_unix.c:unix_dgram_recvmsg() {
...
if (prot != &unix_dgram_proto)
return prot->recvmsg(sk, msg, size, flags);
...
}
Will this cause a NULL pointer dereference since prot->recvmsg is never
assigned for the rebuilt protocol when CONFIG_NET_SOCK_MSG is disabled?
>
> static void unix_stream_bpf_rebuild_protos(struct proto *prot,
> @@ -116,8 +120,10 @@ static void unix_stream_bpf_rebuild_protos(struct proto *prot,
> {
> *prot = *base;
> prot->close = sock_map_close;
> +#ifdef CONFIG_NET_SOCK_MSG
> prot->recvmsg = unix_bpf_recvmsg;
> prot->sock_is_readable = sk_msg_is_readable;
> +#endif
[Severity: Critical]
The same issue appears here for stream sockets. Does this also cause a NULL
pointer dereference during unix_stream_recvmsg since it behaves identically?
net/unix/af_unix.c:unix_stream_recvmsg() {
...
if (prot != &unix_stream_proto)
return prot->recvmsg(sk, msg, size, flags);
...
}
> prot->unhash = sock_map_unhash;
> }
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260622-bpf-sk_msg-split-unix-v1-1-d7e0cb7bb03b@cloudflare.com?part=1
next prev parent reply other threads:[~2026-06-22 13:17 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-22 12:58 [PATCH bpf-next] bpf, unix: Guard sk_msg-dependent code behind CONFIG_NET_SOCK_MSG Jakub Sitnicki
2026-06-22 13:17 ` sashiko-bot [this message]
2026-06-22 14:47 ` Jakub Sitnicki
2026-06-22 16:11 ` Kuniyuki Iwashima
2026-06-22 20:23 ` Jakub Sitnicki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260622131731.E619F1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=jakub@cloudflare.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox