Re: [PATCH bpf] bpf, sockmap: Fix af_unix null-ptr-deref in proto update
From: Martin KaFai Lau
Date: Wed Feb 04 2026 - 15:18:53 EST
On 2/4/26 11:16 AM, Kuniyuki Iwashima wrote:
> For example, inet_sock(sk)->inet_opt could be freed by
> setsockopt(IP_OPTIONS) even after fentry prog verifies
> that it's not NULL.

This one should be fine because of rcu.

> I'm not sure if bpf_core_cast() etc allows such access, but
> if it's allowed, I think there is no general solution.

bpf_core_cast (i.e. the "kfunc" bpf_rdonly_cast) does not use the pointer argument, so should be fine. Its return value is marked as PTR_UNTRUSTED. iirc, PTR_UNTRUSTED cannot be passed to helper, so bpf_core_cast should be fine overall.

> Fortunately that's not null-deref nor oob-write, and it just reads
> stale info as Martin mentioned... so probably this is WAI for
> tracing prog ?

afaik, the tracing radius is large, so the prog cannot expect much guarantee.
Reading in the bpf prog is fine. The exception is handled.
The problem here is passing it to a helper (not kfunc) that depends on the arg being valid.