BPF_MAP_UPDATE_ELEM races unix_stream_connect(): when
sock_map_sk_state_allowed() passes (sk_state == TCP_ESTABLISHED),
unix_peer(sk) in unix_stream_bpf_update_proto() may still return NULL.

BUG: kernel NULL pointer dereference, address: 0000000000000080
RIP: 0010:unix_stream_bpf_update_proto+0xa0/0x1b0
Call Trace:
 sock_map_link+0x564/0x8b0
 sock_map_update_common+0x6e/0x340
 sock_map_update_elem_sys+0x17d/0x240
 __sys_bpf+0x26db/0x3250
 __x64_sys_bpf+0x21/0x30
 do_syscall_64+0x6b/0x3a0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Series fixes the null-ptr-deref by teaching sockmap about the
af_unix-specific locking. Accidentally this also fixes a deadlock.

Signed-off-by: Michal Luczaj <[email protected]>
---
Changes in v2:
- Instead of probing for unix peer, make sockmap take the right lock [Martin]
- Annotate data races [Kuniyuki, Martin]
- Extend bpf unix iter selftest to attempt a deadlock
- Link to v1: https://lore.kernel.org/r/20260129-unix-proto-update-null-ptr-deref-v1-1-e1daeb701...@rbox.co

---
Michal Luczaj (4):
      bpf, sockmap: Annotate af_unix sock::sk_state data-races
      bpf, sockmap: Use sock_map_sk_{acquire,release}() where open-coded
      bpf, sockmap: Adapt for the af_unix-specific lock
      selftests/bpf: Extend bpf_iter_unix to attempt deadlocking

 net/core/sock_map.c                               | 72 +++++++++++++++--------
 tools/testing/selftests/bpf/progs/bpf_iter_unix.c | 10 ++++
 2 files changed, 58 insertions(+), 24 deletions(-)
---
base-commit: 2687c848e57820651b9f69d30c4710f4219f7dbf
change-id: 20260129-unix-proto-update-null-ptr-deref-6a2733bcbbf8

Best regards,
-- 
Michal Luczaj <[email protected]>
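The race the cover letter describes is a check-then-use under the wrong lock: sockmap verifies sk_state and then dereferences unix_peer(sk), but the lock it holds does not serialize against unix_stream_connect(), which publishes sk_state and the peer as two separate stores under the af_unix state lock. The following is an added illustration, written for this page and not code from the series or from the kernel: a small user-space interleaving explorer that models both paths as sequences of atomic steps and enumerates every schedule the locks permit. It assumes, from the cover letter's wording, that the connect path sets sk_state = TCP_ESTABLISHED before it sets the peer and that it holds only the af_unix state lock while doing so; the lock and step names (LOCK_SOCK, LOCK_UNIX_STATE, sockmap_can_null_deref) are this example's own, not kernel identifiers.

```c
/* Added example (not from the patch series): enumerate interleavings of a
 * modelled connect path and a modelled sockmap update path, and report
 * whether the sockmap path can dereference a NULL peer after its state
 * check passed. Store order and lock usage are assumptions taken from the
 * cover letter's description, not a transcription of kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum lock_id { LOCK_SOCK = 0, LOCK_UNIX_STATE = 1, NLOCKS };

struct model {
	int  state;		/* 0 = not established, 1 = TCP_ESTABLISHED */
	bool peer_set;		/* models unix_peer(sk) != NULL */
	bool held[NLOCKS];	/* locks currently held by either path */
	bool state_ok;		/* sockmap's state check passed */
	bool null_deref;	/* sockmap read the peer while it was NULL */
};

enum step { LOCK, UNLOCK, SET_STATE, SET_PEER, CHECK_STATE, READ_PEER };

struct op { enum step s; enum lock_id l; };

/* Modelled connect path: state first, peer second, under the unix state
 * lock only (assumption, see lead-in). */
static const struct op connect_ops[] = {
	{ LOCK, LOCK_UNIX_STATE }, { SET_STATE, 0 },
	{ SET_PEER, 0 },           { UNLOCK, LOCK_UNIX_STATE },
};

/* Execute one step; returns false if the step is blocked on a held lock. */
static bool apply(struct model *m, struct op o)
{
	switch (o.s) {
	case LOCK:	if (m->held[o.l]) return false;
			m->held[o.l] = true; return true;
	case UNLOCK:	m->held[o.l] = false; return true;
	case SET_STATE:	m->state = 1; return true;
	case SET_PEER:	m->peer_set = true; return true;
	case CHECK_STATE: m->state_ok = (m->state == 1); return true;
	case READ_PEER:	/* only reached in the real code if the check passed */
			if (m->state_ok && !m->peer_set) m->null_deref = true;
			return true;
	}
	return false;
}

/* Depth-first search over all interleavings of the two step sequences. */
static bool explore(struct model m,
		    const struct op *a, size_t na, size_t i,
		    const struct op *b, size_t nb, size_t j)
{
	bool found = false;

	if (m.null_deref)
		return true;
	if (i == na && j == nb)
		return false;
	if (i < na) {
		struct model n = m;
		if (apply(&n, a[i]))
			found |= explore(n, a, na, i + 1, b, nb, j);
	}
	if (j < nb) {
		struct model n = m;
		if (apply(&n, b[j]))
			found |= explore(n, a, na, i, b, nb, j + 1);
	}
	return found;
}

/* True if some schedule lets the sockmap path, holding lock @lk, see
 * TCP_ESTABLISHED and then a NULL peer. */
static bool sockmap_can_null_deref(enum lock_id lk)
{
	const struct op sockmap_ops[] = {
		{ LOCK, lk }, { CHECK_STATE, 0 }, { READ_PEER, 0 }, { UNLOCK, lk },
	};
	struct model m;

	memset(&m, 0, sizeof(m));
	return explore(m, connect_ops, 4, 0, sockmap_ops, 4, 0);
}

int main(void)
{
	printf("sockmap under sock lock:       %s\n",
	       sockmap_can_null_deref(LOCK_SOCK) ? "NULL peer reachable" : "safe");
	printf("sockmap under unix state lock: %s\n",
	       sockmap_can_null_deref(LOCK_UNIX_STATE) ? "NULL peer reachable" : "safe");
	return 0;
}
```

Holding a lock the writer never takes leaves the schedule "connect sets state, sockmap checks and reads, connect sets peer" reachable; once the reader takes the same lock the writer holds across both stores, the pair becomes atomic from the reader's point of view and no schedule reaches the NULL read. That is the difference between probing for the peer and "making sockmap take the right lock" in the v2 changelog.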

