Re: [PATCH bpf] bpf, sockmap: Fix af_unix null-ptr-deref in proto update

Next message: Emil Tsalapatis: "Re: [PATCH] tools/sched_ext: Improve BPF verifier arena detection workaround"
Previous message: Jason Wang: "Re: [PATCH net-next v7 3/9] tun/tap: add ptr_ring consume helper with netdev queue wakeup"
In reply to: Michal Luczaj: "Re: [PATCH bpf] bpf, sockmap: Fix af_unix null-ptr-deref in proto update"
Next in thread: Michal Luczaj: "Re: [PATCH bpf] bpf, sockmap: Fix af_unix null-ptr-deref in proto update"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Martin KaFai Lau

Date: Mon Feb 02 2026 - 22:53:41 EST

On 2/2/26 7:10 AM, Michal Luczaj wrote:

Other than update_elem, do other lock_sock() usages in sock_map have a
similar issue for af_unix?

As for the sockmap, I think that would be it.

Thanks for checking.

In related news, looks like bpf_iter_unix_seq_show() is missing
unix_state_lock(): lock_sock_fast() won't stop unix_release_sock(). E.g.
bpf iterator can grab unix_sock::peer as it is being released.

If the concern is the bpf iterator prog may use a released unix_peer(sk) pointer, it should be fine. The unix_peer(sk) pointer is not a trusted pointer to the bpf prog, so nothing bad will happen other than potentially reading incorrect values.

However, yeah, the bpf_iter_(tcp|udp)_seq_show is better in the sense that the correct lock is used.

For tcp_sock that has many stats, I think it will be particularly useful to read them in a consistent state. I don't have a strong opinion on af_unix.

Unlike the sock_map where the lock_sock is not useful for af_unix. The bpf iterator can do bpf_setsockopt, so a lock_sock_fast() is still needed in bpf_iter_unix_seq_show and I think it is the reason lock_sock_fast() is used here.