From: Martin KaFai Lau <martin.lau@linux.dev>
To: Michal Luczaj <mhal@rbox.co>, Kuniyuki Iwashima <kuniyu@google.com>
Cc: bpf@vger.kernel.org, daniel@iogearbox.net, davem@davemloft.net,
edumazet@google.com, horms@kernel.org, jakub@cloudflare.com,
john.fastabend@gmail.com, kuba@kernel.org,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
pabeni@redhat.com
Subject: Re: [PATCH bpf] bpf, sockmap: Fix af_unix null-ptr-deref in proto update
Date: Wed, 4 Feb 2026 11:34:55 -0800 [thread overview]
Message-ID: <0f8ec4c7-5de4-4e0b-a50e-cf4f8d59709b@linux.dev> (raw)
In-Reply-To: <408569e7-2b82-4eff-b767-79ce6ef6cae0@rbox.co>
On 2/4/26 7:41 AM, Michal Luczaj wrote:
>>>>>> If the concern is the bpf iterator prog may use a released unix_peer(sk)
>>>>>> pointer, it should be fine. The unix_peer(sk) pointer is not a trusted
>>>>>> pointer to the bpf prog, so nothing bad will happen other than
>>>>>> potentially reading incorrect values.
I misremembered that following unix->peer would be marked as
(PTR_TO_BTF_ID | PTR_UNTRUSTED). I forgot there are some legacy supports
on the PTR_TO_BTF_ID (i.e. without PTR_UNTRUSTED marking).
>>>>>
>>>>> But if the prog passes a released peer pointer to a bpf helper:
>>>>>
>>>>> BUG: KASAN: slab-use-after-free in bpf_skc_to_unix_sock+0x95/0xb0
>>>>> Read of size 1 at addr ffff888110654c92 by task test_progs/1936
>>>
>>> hmm... bpf_skc_to_unix_sock is exposed to tracing. bpf_iter is a tracing
>>> bpf prog.
>>>
>>>>
>>>> Can you cook a patch for this ? probably like below
>>>
>>> This can help the bpf_iter but not the other tracing prog such as fentry.
>>
>> Oh well ... then bpf_skc_to_unix_sock() can be used even
>> with SEQ_START_TOKEN at fentry of bpf_iter_unix_seq_show() ??
It is fine. The type is void.
>>
>> How about adding notrace to all af_unix bpf iterator functions ?
but right, other functions taking [unix_]sock pointer could be audited.
I don't know af_unix well enough to assess the blast radius or whether
some useful functions may become untraceable.
>>
>> The procfs iterator holds a spinlock of the hashtable from
>> ->start/next() to ->stop() to prevent the race with unix_release_sock().
>>
>> I think other (non-iterator) functions cannot do such racy
>> access with tracing prog.
>
> But then there's SOCK_DGRAM where you can drop unix_peer(sk) without
> releasing sk; see AF_UNSPEC in unix_dgram_connect(). I think Martin is
> right, we can crash at many fentries.
>
> BUG: KASAN: slab-use-after-free in bpf_skc_to_unix_sock+0xa4/0xb0
> Read of size 2 at addr ffff888147d38890 by task test_progs/2495
> Call Trace:
> dump_stack_lvl+0x5d/0x80
> print_report+0x170/0x4f3
> kasan_report+0xe1/0x180
> bpf_skc_to_unix_sock+0xa4/0xb0
> bpf_prog_564a1c39c35d86a2_unix_shutdown_entry+0x8a/0x8e
> bpf_trampoline_6442564662+0x47/0xab
> unix_shutdown+0x9/0x880
> __sys_shutdown+0xe1/0x160
> __x64_sys_shutdown+0x52/0x90
> do_syscall_64+0x6b/0x3a0
> entry_SYSCALL_64_after_hwframe+0x76/0x7e
This probably is the first case where reading a sk pointer requires a
lock. I think it will need to be marked as PTR_UNTRUSTED in the verifier
for the unix->peer access, so that it cannot be passed to a helper.
There is a BTF_TYPE_SAFE_TRUSTED list. afaik, there is no untrusted one now.
next prev parent reply other threads:[~2026-02-04 19:35 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-29 16:47 [PATCH bpf] bpf, sockmap: Fix af_unix null-ptr-deref in proto update Michal Luczaj
2026-01-29 19:41 ` Martin KaFai Lau
2026-01-30 11:00 ` Michal Luczaj
2026-01-30 21:29 ` Martin KaFai Lau
2026-01-31 10:06 ` Kuniyuki Iwashima
2026-02-02 15:10 ` Michal Luczaj
2026-02-03 3:53 ` Martin KaFai Lau
2026-02-03 9:57 ` Michal Luczaj
2026-02-03 19:47 ` Kuniyuki Iwashima
2026-02-04 7:15 ` Martin KaFai Lau
2026-02-04 7:58 ` Kuniyuki Iwashima
2026-02-04 15:41 ` Michal Luczaj
2026-02-04 19:16 ` Kuniyuki Iwashima
2026-02-04 20:18 ` Martin KaFai Lau
2026-02-04 19:34 ` Martin KaFai Lau [this message]
2026-02-04 21:09 ` Kuniyuki Iwashima
2026-02-05 0:55 ` Martin KaFai Lau
2026-02-05 2:00 ` Martin KaFai Lau
2026-02-05 7:39 ` Kuniyuki Iwashima
2026-02-04 23:25 ` Michal Luczaj
2026-02-05 0:27 ` Kuniyuki Iwashima
2026-02-05 0:31 ` Martin KaFai Lau
2026-02-02 19:15 ` Martin KaFai Lau
2026-02-07 14:37 ` Michal Luczaj
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0f8ec4c7-5de4-4e0b-a50e-cf4f8d59709b@linux.dev \
--to=martin.lau@linux.dev \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=jakub@cloudflare.com \
--cc=john.fastabend@gmail.com \
--cc=kuba@kernel.org \
--cc=kuniyu@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mhal@rbox.co \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox