Re: [PATCH bpf v3 3/5] bpf, sockmap: Fix af_unix iter deadlock

public inbox for netdev@vger.kernel.org
 help / color / mirror / Atom feed

From: "Jiayuan Chen" <jiayuan.chen@linux.dev>
To: "Michal Luczaj" <mhal@rbox.co>,
	"John Fastabend" <john.fastabend@gmail.com>,
	"Jakub Sitnicki" <jakub@cloudflare.com>,
	"Eric Dumazet" <edumazet@google.com>,
	"Kuniyuki Iwashima" <kuniyu@google.com>,
	"Paolo Abeni" <pabeni@redhat.com>,
	"Willem de Bruijn" <willemb@google.com>,
	"David S. Miller" <davem@davemloft.net>,
	"Jakub Kicinski" <kuba@kernel.org>,
	"Simon Horman" <horms@kernel.org>, "Yonghong Song" <yhs@fb.com>,
	"Andrii Nakryiko" <andrii@kernel.org>,
	"Alexei Starovoitov" <ast@kernel.org>,
	"Daniel Borkmann" <daniel@iogearbox.net>,
	"Martin KaFai Lau" <martin.lau@linux.dev>,
	"Eduard Zingerman" <eddyz87@gmail.com>,
	"Song Liu" <song@kernel.org>,
	"Yonghong Song" <yonghong.song@linux.dev>,
	"KP Singh" <kpsingh@kernel.org>,
	"Stanislav Fomichev" <sdf@fomichev.me>,
	"Hao Luo" <haoluo@google.com>, "Jiri Olsa" <jolsa@kernel.org>,
	"Shuah Khan" <shuah@kernel.org>,
	"Cong Wang" <cong.wang@bytedance.com>
Cc: netdev@vger.kernel.org, bpf@vger.kernel.org,
	linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org
Subject: Re: [PATCH bpf v3 3/5] bpf, sockmap: Fix af_unix iter deadlock
Date: Fri, 06 Mar 2026 14:31:02 +0000	[thread overview]
Message-ID: <834c065e89ccb2d9c3dbeda2677cd6e429cb8f28@linux.dev> (raw)
In-Reply-To: <6b02c177-69a2-4e08-a936-65bfa8e85b7e@rbox.co>

March 6, 2026 at 22:06, "Michal Luczaj" <mhal@rbox.co mailto:mhal@rbox.co?to=%22Michal%20Luczaj%22%20%3Cmhal%40rbox.co%3E > wrote:


> 
> On 3/6/26 07:04, Jiayuan Chen wrote:
> 
> > 
> > On 3/6/26 7:30 AM, Michal Luczaj wrote:
> > 
> > > 
> > > @@ -3729,15 +3729,14 @@ static int bpf_iter_unix_seq_show(struct seq_file *seq, void *v)
> > >  struct bpf_prog *prog;
> > >  struct sock *sk = v;
> > >  uid_t uid;
> > >  - bool slow;
> > >  int ret;
> > >  
> > >  if (v == SEQ_START_TOKEN)
> > >  return 0;
> > >  
> > >  - slow = lock_sock_fast(sk);
> > >  + lock_sock(sk);
> > >  
> > >  - if (unlikely(sk_unhashed(sk))) {
> > >  + if (unlikely(sock_flag(sk, SOCK_DEAD))) {
> > >  ret = SEQ_SKIP;
> > >  goto unlock;
> > >  }
> > > 
> >  
> >  
> >  Switching to lock_sock() fixes the deadlock, but it does not provide mutual
> >  exclusion with unix_release_sock(), which uses unix_state_lock() exclusively
> >  and does not touch lock_sock() at all. So a dying socket can still reach the
> >  BPF prog concurrently with unix_release_sock() running on another CPU.
> > 
> That's right. Note that although the socket is dying, iter holds a
> reference to it, so the socket is far from being freed (as in: memory
> released).
> 
> > 
> > Both SOCK_DEAD and the clearing of unix_peer(sk) happen under
> >  unix_state_lock() in unix_release_sock(). Without taking unix_state_lock()
> >  before the SOCK_DEAD check, there is a window:
> > 
> >  iter unix_release_sock()
> >  --- lock_sock(sk)
> >  SOCK_DEAD == 0 (check passes)
> >  unix_state_lock(sk)
> >  unix_peer(sk) = NULL
> >  sock_set_flag(sk, SOCK_DEAD)
> >  unix_state_unlock(sk)
> >  BPF prog runs
> >  → accesses unix_peer(sk) == NULL → crash
> > 
> >  This was not raised in the v2 discussion.
> > 
> It was raised in v1[1]. Conclusion was that bpf prog bytecode directly
> accessing unix_peer(sk) is not an issue; bpf machinery will handle any
> faults. That said, should a "bad" value of unix_peer(sk) end up as a
> parameter of a bpf helper, yes, that is a well known[2] problem (that have
> a solution unrelated to this series).
> 
> [1]:
> https://lore.kernel.org/bpf/6de6f1bf-c8ee-4dfb-9b8c-f89185946630@linux.dev/
> [2]:
> https://lore.kernel.org/bpf/CAADnVQK_93g_KkNFYXSr8ZvA1fYh4hoFRJCJFPS-zs4ox0HhAA@mail.gmail.com/
>

Thanks for letting me know.

next prev parent reply	other threads:[~2026-03-06 14:31 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-05 23:30 [PATCH bpf v3 0/5] bpf, sockmap: Fix af_unix null-ptr-deref in proto update Michal Luczaj
2026-03-05 23:30 ` [PATCH bpf v3 1/5] bpf, sockmap: Annotate af_unix sock::sk_state data-races Michal Luczaj
2026-03-06  5:30   ` Kuniyuki Iwashima
2026-03-06  6:24   ` [PATCH bpf v3 1/5] bpf, sockmap: Annotate af_unix sock^sk_state data-races Jiayuan Chen
2026-03-18 17:05   ` [PATCH bpf v3 1/5] bpf, sockmap: Annotate af_unix sock::sk_state data-races Michal Luczaj
2026-03-05 23:30 ` [PATCH bpf v3 2/5] bpf, sockmap: Use sock_map_sk_{acquire,release}() where open-coded Michal Luczaj
2026-03-06  5:44   ` Kuniyuki Iwashima
2026-03-06 14:05     ` Michal Luczaj
2026-03-11  4:17       ` Kuniyuki Iwashima
2026-03-11  4:57         ` Kuniyuki Iwashima
2026-03-15 23:58           ` Michal Luczaj
2026-03-05 23:30 ` [PATCH bpf v3 3/5] bpf, sockmap: Fix af_unix iter deadlock Michal Luczaj
2026-03-06  5:47   ` Kuniyuki Iwashima
2026-03-06  6:04   ` Jiayuan Chen
2026-03-06  6:15     ` Jiayuan Chen
2026-03-06 14:06     ` Michal Luczaj
2026-03-06 14:31       ` Jiayuan Chen [this message]
2026-03-06 14:33   ` Jiayuan Chen
2026-03-05 23:30 ` [PATCH bpf v3 4/5] selftests/bpf: Extend bpf_iter_unix to attempt deadlocking Michal Luczaj
2026-03-06 14:34   ` Jiayuan Chen
2026-03-05 23:30 ` [PATCH bpf v3 5/5] bpf, sockmap: Adapt for af_unix-specific lock Michal Luczaj
2026-03-06  5:01   ` Jiayuan Chen
2026-03-06 14:09     ` Michal Luczaj
2026-03-10 22:20       ` Martin KaFai Lau
2026-03-15 23:58         ` Michal Luczaj
2026-03-26  6:26           ` Martin KaFai Lau

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=834c065e89ccb2d9c3dbeda2677cd6e429cb8f28@linux.dev \
    --to=jiayuan.chen@linux.dev \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=cong.wang@bytedance.com \
    --cc=daniel@iogearbox.net \
    --cc=davem@davemloft.net \
    --cc=eddyz87@gmail.com \
    --cc=edumazet@google.com \
    --cc=haoluo@google.com \
    --cc=horms@kernel.org \
    --cc=jakub@cloudflare.com \
    --cc=john.fastabend@gmail.com \
    --cc=jolsa@kernel.org \
    --cc=kpsingh@kernel.org \
    --cc=kuba@kernel.org \
    --cc=kuniyu@google.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-kselftest@vger.kernel.org \
    --cc=martin.lau@linux.dev \
    --cc=mhal@rbox.co \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=sdf@fomichev.me \
    --cc=shuah@kernel.org \
    --cc=song@kernel.org \
    --cc=willemb@google.com \
    --cc=yhs@fb.com \
    --cc=yonghong.song@linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox