On 3/6/26 07:04, Jiayuan Chen wrote:
> On 3/6/26 7:30 AM, Michal Luczaj wrote:
>> @@ -3729,15 +3729,14 @@ static int bpf_iter_unix_seq_show(struct seq_file
>> *seq, void *v)
>> struct bpf_prog *prog;
>> struct sock *sk = v;
>> uid_t uid;
>> - bool slow;
>> int ret;
>>
>> if (v == SEQ_START_TOKEN)
>> return 0;
>>
>> - slow = lock_sock_fast(sk);
>> + lock_sock(sk);
>>
>> - if (unlikely(sk_unhashed(sk))) {
>> + if (unlikely(sock_flag(sk, SOCK_DEAD))) {
>> ret = SEQ_SKIP;
>> goto unlock;
>> }
>
>
> Switching to lock_sock() fixes the deadlock, but it does not provide mutual
> exclusion with unix_release_sock(), which uses unix_state_lock() exclusively
> and does not touch lock_sock() at all. So a dying socket can still reach the
> BPF prog concurrently with unix_release_sock() running on another CPU.
That's right. Note that although the socket is dying, iter holds a
reference to it, so the socket is far from being freed (as in: memory
released).
> Both SOCK_DEAD and the clearing of unix_peer(sk) happen under
> unix_state_lock() in unix_release_sock(). Without taking unix_state_lock()
> before the SOCK_DEAD check, there is a window:
>
> iter unix_release_sock()
> --- lock_sock(sk)
> SOCK_DEAD == 0 (check passes)
> unix_state_lock(sk)
> unix_peer(sk) = NULL
> sock_set_flag(sk, SOCK_DEAD)
> unix_state_unlock(sk)
> BPF prog runs
> → accesses unix_peer(sk) == NULL → crash
>
> This was not raised in the v2 discussion.
It was raised in v1[1]. Conclusion was that bpf prog bytecode directly
accessing unix_peer(sk) is not an issue; bpf machinery will handle any
faults. That said, should a "bad" value of unix_peer(sk) end up as a
parameter of a bpf helper, yes, that is a well known[2] problem (that have
a solution unrelated to this series).
[1]:
https://lore.kernel.org/bpf/[email protected]/
[2]:
https://lore.kernel.org/bpf/caadnvqk_93g_kknfyxsr8zva1fyh4hofrjcjfps-zs4ox0h...@mail.gmail.com/
