March 6, 2026 at 22:06, "Michal Luczaj" <[email protected]
mailto:[email protected]?to=%22Michal%20Luczaj%22%20%3Cmhal%40rbox.co%3E > wrote:
>
> On 3/6/26 07:04, Jiayuan Chen wrote:
>
> >
> > On 3/6/26 7:30 AM, Michal Luczaj wrote:
> >
> > >
> > > @@ -3729,15 +3729,14 @@ static int bpf_iter_unix_seq_show(struct seq_file
> > > *seq, void *v)
> > > struct bpf_prog *prog;
> > > struct sock *sk = v;
> > > uid_t uid;
> > > - bool slow;
> > > int ret;
> > >
> > > if (v == SEQ_START_TOKEN)
> > > return 0;
> > >
> > > - slow = lock_sock_fast(sk);
> > > + lock_sock(sk);
> > >
> > > - if (unlikely(sk_unhashed(sk))) {
> > > + if (unlikely(sock_flag(sk, SOCK_DEAD))) {
> > > ret = SEQ_SKIP;
> > > goto unlock;
> > > }
> > >
> >
> >
> > Switching to lock_sock() fixes the deadlock, but it does not provide mutual
> > exclusion with unix_release_sock(), which uses unix_state_lock()
> > exclusively
> > and does not touch lock_sock() at all. So a dying socket can still reach
> > the
> > BPF prog concurrently with unix_release_sock() running on another CPU.
> >
> That's right. Note that although the socket is dying, iter holds a
> reference to it, so the socket is far from being freed (as in: memory
> released).
>
> >
> > Both SOCK_DEAD and the clearing of unix_peer(sk) happen under
> > unix_state_lock() in unix_release_sock(). Without taking unix_state_lock()
> > before the SOCK_DEAD check, there is a window:
> >
> > iter unix_release_sock()
> > --- lock_sock(sk)
> > SOCK_DEAD == 0 (check passes)
> > unix_state_lock(sk)
> > unix_peer(sk) = NULL
> > sock_set_flag(sk, SOCK_DEAD)
> > unix_state_unlock(sk)
> > BPF prog runs
> > → accesses unix_peer(sk) == NULL → crash
> >
> > This was not raised in the v2 discussion.
> >
> It was raised in v1[1]. Conclusion was that bpf prog bytecode directly
> accessing unix_peer(sk) is not an issue; bpf machinery will handle any
> faults. That said, should a "bad" value of unix_peer(sk) end up as a
> parameter of a bpf helper, yes, that is a well known[2] problem (that have
> a solution unrelated to this series).
>
> [1]:
> https://lore.kernel.org/bpf/[email protected]/
> [2]:
> https://lore.kernel.org/bpf/caadnvqk_93g_kknfyxsr8zva1fyh4hofrjcjfps-zs4ox0h...@mail.gmail.com/
>
Thanks for letting me know.
