[PATCH bpf v4 0/5] bpf, sockmap: Fix af_unix null-ptr-deref in proto update

From: Michal Luczaj

Date: Tue Apr 14 2026 - 11:22:20 EST


Updating sockmap/sockhash using a unix sock races unix_stream_connect():
when sock_map_sk_state_allowed() passes (sk_state == TCP_ESTABLISHED),
unix_peer(sk) in unix_stream_bpf_update_proto() may still return NULL.

Signed-off-by: Michal Luczaj <mhal@xxxxxxx>
---
Changes in v4:
- Circle back to v1 approach
- More details in commit messages [Martin]
- Make unix iter take the state lock [Kuniyuki]
- Link to v3: https://lore.kernel.org/r/20260306-unix-proto-update-null-ptr-deref-v3-0-2f0c7410c523@xxxxxxx

Changes in v3:
- Drop sparse annotations [Martin]
- Keep lock_sock() along the unix_state_lock() [Kuniyuki]
- Unify BPF iter af_unix locking [Kuniyuki, Martin]
- Link to v2: https://lore.kernel.org/r/20260207-unix-proto-update-null-ptr-deref-v2-0-9f091330e7cd@xxxxxxx

Changes in v2:
- Instead of probing for unix peer, make sockmap take the right lock [Martin]
- Annotate data races [Kuniyuki, Martin]
- Extend bpf unix iter selftest to attempt a deadlock
- Link to v1: https://lore.kernel.org/r/20260129-unix-proto-update-null-ptr-deref-v1-1-e1daeb7012fd@xxxxxxx

To: John Fastabend <john.fastabend@xxxxxxxxx>
To: Jakub Sitnicki <jakub@xxxxxxxxxxxxxx>
To: Eric Dumazet <edumazet@xxxxxxxxxx>
To: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>
To: Paolo Abeni <pabeni@xxxxxxxxxx>
To: Willem de Bruijn <willemb@xxxxxxxxxx>
To: "David S. Miller" <davem@xxxxxxxxxxxxx>
To: Jakub Kicinski <kuba@xxxxxxxxxx>
To: Simon Horman <horms@xxxxxxxxxx>
To: Yonghong Song <yhs@xxxxxx>
To: Andrii Nakryiko <andrii@xxxxxxxxxx>
To: Eduard Zingerman <eddyz87@xxxxxxxxx>
To: Alexei Starovoitov <ast@xxxxxxxxxx>
To: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
To: Martin KaFai Lau <martin.lau@xxxxxxxxx>
To: Song Liu <song@xxxxxxxxxx>
To: Yonghong Song <yonghong.song@xxxxxxxxx>
To: KP Singh <kpsingh@xxxxxxxxxx>
To: Stanislav Fomichev <sdf@xxxxxxxxxxx>
To: Hao Luo <haoluo@xxxxxxxxxx>
To: Jiri Olsa <jolsa@xxxxxxxxxx>
To: Shuah Khan <shuah@xxxxxxxxxx>
To: Cong Wang <cong.wang@xxxxxxxxxxxxx>
Cc: netdev@xxxxxxxxxxxxxxx
Cc: bpf@xxxxxxxxxxxxxxx
Cc: linux-kernel@xxxxxxxxxxxxxxx
Cc: linux-kselftest@xxxxxxxxxxxxxxx

---
Michal Luczaj (5):
      bpf, sockmap: Annotate af_unix sock::sk_state data-races
      bpf, sockmap: Fix af_unix iter deadlock
      selftests/bpf: Extend bpf_iter_unix to attempt deadlocking
      bpf, sockmap: Fix af_unix null-ptr-deref in proto update
      bpf, sockmap: Take state lock for af_unix iter

 net/core/sock_map.c                               |  4 ++--
 net/unix/af_unix.c                                |  9 +++++----
 net/unix/unix_bpf.c                               |  3 +++
 tools/testing/selftests/bpf/progs/bpf_iter_unix.c | 10 ++++++++++
 4 files changed, 20 insertions(+), 6 deletions(-)
---
base-commit: 0f00132132937ca01a99feaf8985109a9087c9ff
change-id: 20260129-unix-proto-update-null-ptr-deref-6a2733bcbbf8

Best regards,
--
Michal Luczaj <mhal@xxxxxxx>
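
Added example, not part of the original posting or of the patch series: a single-threaded userspace model of the window the cover letter describes, where the state check already passes while the peer pointer is still NULL, and of an update path that probes for the peer before pinning it. Every model_* name, the two-step split of connect and the -EINVAL return value are assumptions made for illustration, not kernel code.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

enum { MODEL_CLOSE = 0, MODEL_ESTABLISHED = 1 };

struct model_sock {                 /* hypothetical stand-in for a unix sock */
	int state;                  /* models sk->sk_state */
	struct model_sock *peer;    /* models unix_peer(sk) */
	int refcnt;                 /* models the sock reference count */
	struct model_sock *pinned;  /* peer pinned by the proto update */
};

/* Connect modelled as two separately visible stores: state first, peer later. */
static void model_connect_publish_state(struct model_sock *sk)
{
	sk->state = MODEL_ESTABLISHED;
}

static void model_connect_publish_peer(struct model_sock *sk, struct model_sock *newsk)
{
	newsk->refcnt++;
	sk->peer = newsk;
}

/* Models the sk_state == TCP_ESTABLISHED check named in the cover letter. */
static int model_state_allowed(const struct model_sock *sk)
{
	return sk->state == MODEL_ESTABLISHED;
}

/* Proto update that probes for the peer; 0 on success, -EINVAL if refused. */
static int model_update_proto(struct model_sock *sk)
{
	struct model_sock *pair = sk->peer;

	if (!model_state_allowed(sk) || !pair)
		return -EINVAL;     /* without the !pair probe, the next line hits NULL */
	pair->refcnt++;
	sk->pinned = pair;
	return 0;
}

/* Walks the interleaving; returns a bitmask of the three observations. */
static int model_run(void)
{
	struct model_sock a = {0}, b = { .refcnt = 1 };
	int seen = 0;

	model_connect_publish_state(&a);
	if (model_state_allowed(&a) && !a.peer) seen |= 1;         /* the window */
	if (model_update_proto(&a) == -EINVAL) seen |= 2;          /* refused, no deref */
	model_connect_publish_peer(&a, &b);
	if (model_update_proto(&a) == 0 && a.pinned == &b) seen |= 4;
	return seen;
}

int main(void) { printf("observed=%d\n", model_run()); return 0; }
```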