{"api_version":"1","generated_at":"2026-06-25T11:44:16+00:00","cve":"CVE-2026-53034","urls":{"html":"https://cve.report/CVE-2026-53034","api":"https://cve.report/api/cve/CVE-2026-53034.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-53034","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-53034"},"summary":{"title":"bpf, sockmap: Fix af_unix null-ptr-deref in proto update","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix af_unix null-ptr-deref in proto update\n\nunix_stream_connect() sets sk_state (`WRITE_ONCE(sk->sk_state,\nTCP_ESTABLISHED)`) _before_ it assigns a peer (`unix_peer(sk) = newsk`).\nsk_state == TCP_ESTABLISHED makes sock_map_sk_state_allowed() believe that\nsocket is properly set up, which would include having a defined peer. IOW,\nthere's a window when unix_stream_bpf_update_proto() can be called on\nsocket which still has unix_peer(sk) == NULL.\n\n CPU0 bpf CPU1 connect\n -------- ------------\n\n WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED)\nsock_map_sk_state_allowed(sk)\n...\nsk_pair = unix_peer(sk)\nsock_hold(sk_pair)\n sock_hold(newsk)\n smp_mb__after_atomic()\n unix_peer(sk) = newsk\n\nBUG: kernel NULL pointer dereference, address: 0000000000000080\nRIP: 0010:unix_stream_bpf_update_proto+0xa0/0x1b0\nCall Trace:\n sock_map_link+0x564/0x8b0\n sock_map_update_common+0x6e/0x340\n sock_map_update_elem_sys+0x17d/0x240\n __sys_bpf+0x26db/0x3250\n __x64_sys_bpf+0x21/0x30\n do_syscall_64+0x6b/0x3a0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nInitial idea was to move peer assignment _before_ the sk_state update[1],\nbut that involved an additional memory barrier, and changing the hot path\nwas rejected.\nThen a NULL check during proto update in unix_stream_bpf_update_proto() was\nconsidered[2], but the follow-up discussion[3] focused on the root cause,\ni.e. sockmap update taking a wrong lock. Or, more specifically, missing\nunix_state_lock()[4].\nIn the end it was concluded that teaching sockmap about the af_unix locking\nwould be unnecessarily complex[5].\nComplexity aside, since BPF_PROG_TYPE_SCHED_CLS and BPF_PROG_TYPE_SCHED_ACT\nare allowed to update sockmaps, sock_map_update_elem() taking the unix\nlock, as it is currently implemented in unix_state_lock():\nspin_lock(&unix_sk(s)->lock), would be problematic. unix_state_lock() taken\nin a process context, followed by a softirq-context TC BPF program\nattempting to take the same spinlock -- deadlock[6].\nThis way we circled back to the peer check idea[2].\n\n[1]: https://lore.kernel.org/netdev/ba5c50aa-1df4-40c2-ab33-a72022c5a32e@rbox.co/\n[2]: https://lore.kernel.org/netdev/20240610174906.32921-1-kuniyu@amazon.com/\n[3]: https://lore.kernel.org/netdev/7603c0e6-cd5b-452b-b710-73b64bd9de26@linux.dev/\n[4]: https://lore.kernel.org/netdev/CAAVpQUA+8GL_j63CaKb8hbxoL21izD58yr1NvhOhU=j+35+3og@mail.gmail.com/\n[5]: https://lore.kernel.org/bpf/CAAVpQUAHijOMext28Gi10dSLuMzGYh+jK61Ujn+fZ-wvcODR2A@mail.gmail.com/\n[6]: https://lore.kernel.org/bpf/dd043c69-4d03-46fe-8325-8f97101435cf@linux.dev/\n\nSummary of scenarios where af_unix/stream connect() may race a sockmap\nupdate:\n\n1. connect() vs. bpf(BPF_MAP_UPDATE_ELEM), i.e. sock_map_update_elem_sys()\n\n Implemented NULL check is sufficient. Once assigned, socket peer won't\n be released until socket fd is released. And that's not an issue because\n sock_map_update_elem_sys() bumps fd refcnf.\n\n2. connect() vs BPF program doing update\n\n Update restricted per verifier.c:may_update_sockmap() to\n\n BPF_PROG_TYPE_TRACING/BPF_TRACE_ITER\n BPF_PROG_TYPE_SOCK_OPS (bpf_sock_map_update() only)\n BPF_PROG_TYPE_SOCKET_FILTER\n BPF_PROG_TYPE_SCHED_CLS\n BPF_PROG_TYPE_SCHED_ACT\n BPF_PROG_TYPE_XDP\n BPF_PROG_TYPE_SK_REUSEPORT\n BPF_PROG_TYPE_FLOW_DISSECTOR\n BPF_PROG_TYPE_SK_LOOKUP\n\n Plus one more race to consider:\n\n CPU0 bpf CPU1 connect\n -------- ------------\n\n WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED)\n sock_map_sk_state_allowed(sk)\n sock_hold(newsk)\n smp_mb__after_atomic()\n \n---truncated---","state":"PUBLISHED","assigner":"Linux","published_at":"2026-06-24 17:17:14","updated_at":"2026-06-24 17:17:14"},"problem_types":[],"metrics":[],"references":[{"url":"https://git.kernel.org/stable/c/4913c94a3adcdbb64c552110c0c243cb1fdbb317","name":"https://git.kernel.org/stable/c/4913c94a3adcdbb64c552110c0c243cb1fdbb317","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/75b7d3b3f8bd4e59eb3af1b11a43c64c0c2db6f4","name":"https://git.kernel.org/stable/c/75b7d3b3f8bd4e59eb3af1b11a43c64c0c2db6f4","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/dca38b7734d2ea00af4818ff3ae836fab33d5d5a","name":"https://git.kernel.org/stable/c/dca38b7734d2ea00af4818ff3ae836fab33d5d5a","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/37bfcd164161b47d00b1c3bd20adc816a6977ce0","name":"https://git.kernel.org/stable/c/37bfcd164161b47d00b1c3bd20adc816a6977ce0","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/a94d3dd78ee8b63e6b8ad629081c952c93ee5a10","name":"https://git.kernel.org/stable/c/a94d3dd78ee8b63e6b8ad629081c952c93ee5a10","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://git.kernel.org/stable/c/041eb6348d73ee5e15fc8161f1eac5a6e8289ca0","name":"https://git.kernel.org/stable/c/041eb6348d73ee5e15fc8161f1eac5a6e8289ca0","refsource":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-53034","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53034","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c63829182c37c2d6d0608976d15fa61ebebe9e6b 75b7d3b3f8bd4e59eb3af1b11a43c64c0c2db6f4 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c63829182c37c2d6d0608976d15fa61ebebe9e6b a94d3dd78ee8b63e6b8ad629081c952c93ee5a10 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c63829182c37c2d6d0608976d15fa61ebebe9e6b 4913c94a3adcdbb64c552110c0c243cb1fdbb317 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c63829182c37c2d6d0608976d15fa61ebebe9e6b 041eb6348d73ee5e15fc8161f1eac5a6e8289ca0 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c63829182c37c2d6d0608976d15fa61ebebe9e6b 37bfcd164161b47d00b1c3bd20adc816a6977ce0 git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected c63829182c37c2d6d0608976d15fa61ebebe9e6b dca38b7734d2ea00af4818ff3ae836fab33d5d5a git","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"affected 5.15","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 5.15 semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.1.175 6.1.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.6.141 6.6.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.12.91 6.12.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 6.18.33 6.18.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.0.10 7.0.* semver","platforms":[]},{"source":"CNA","vendor":"Linux","product":"Linux","version":"unaffected 7.1 * original_commit_for_fix","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Linux","programFiles":["net/unix/unix_bpf.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"lessThan":"75b7d3b3f8bd4e59eb3af1b11a43c64c0c2db6f4","status":"affected","version":"c63829182c37c2d6d0608976d15fa61ebebe9e6b","versionType":"git"},{"lessThan":"a94d3dd78ee8b63e6b8ad629081c952c93ee5a10","status":"affected","version":"c63829182c37c2d6d0608976d15fa61ebebe9e6b","versionType":"git"},{"lessThan":"4913c94a3adcdbb64c552110c0c243cb1fdbb317","status":"affected","version":"c63829182c37c2d6d0608976d15fa61ebebe9e6b","versionType":"git"},{"lessThan":"041eb6348d73ee5e15fc8161f1eac5a6e8289ca0","status":"affected","version":"c63829182c37c2d6d0608976d15fa61ebebe9e6b","versionType":"git"},{"lessThan":"37bfcd164161b47d00b1c3bd20adc816a6977ce0","status":"affected","version":"c63829182c37c2d6d0608976d15fa61ebebe9e6b","versionType":"git"},{"lessThan":"dca38b7734d2ea00af4818ff3ae836fab33d5d5a","status":"affected","version":"c63829182c37c2d6d0608976d15fa61ebebe9e6b","versionType":"git"}]},{"defaultStatus":"affected","product":"Linux","programFiles":["net/unix/unix_bpf.c"],"repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","vendor":"Linux","versions":[{"status":"affected","version":"5.15"},{"lessThan":"5.15","status":"unaffected","version":"0","versionType":"semver"},{"lessThanOrEqual":"6.1.*","status":"unaffected","version":"6.1.175","versionType":"semver"},{"lessThanOrEqual":"6.6.*","status":"unaffected","version":"6.6.141","versionType":"semver"},{"lessThanOrEqual":"6.12.*","status":"unaffected","version":"6.12.91","versionType":"semver"},{"lessThanOrEqual":"6.18.*","status":"unaffected","version":"6.18.33","versionType":"semver"},{"lessThanOrEqual":"7.0.*","status":"unaffected","version":"7.0.10","versionType":"semver"},{"lessThanOrEqual":"*","status":"unaffected","version":"7.1","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.175","versionStartIncluding":"5.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.6.141","versionStartIncluding":"5.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.12.91","versionStartIncluding":"5.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"6.18.33","versionStartIncluding":"5.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.10","versionStartIncluding":"5.15","vulnerable":true},{"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionEndExcluding":"7.1","versionStartIncluding":"5.15","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix af_unix null-ptr-deref in proto update\n\nunix_stream_connect() sets sk_state (`WRITE_ONCE(sk->sk_state,\nTCP_ESTABLISHED)`) _before_ it assigns a peer (`unix_peer(sk) = newsk`).\nsk_state == TCP_ESTABLISHED makes sock_map_sk_state_allowed() believe that\nsocket is properly set up, which would include having a defined peer. IOW,\nthere's a window when unix_stream_bpf_update_proto() can be called on\nsocket which still has unix_peer(sk) == NULL.\n\n CPU0 bpf CPU1 connect\n -------- ------------\n\n WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED)\nsock_map_sk_state_allowed(sk)\n...\nsk_pair = unix_peer(sk)\nsock_hold(sk_pair)\n sock_hold(newsk)\n smp_mb__after_atomic()\n unix_peer(sk) = newsk\n\nBUG: kernel NULL pointer dereference, address: 0000000000000080\nRIP: 0010:unix_stream_bpf_update_proto+0xa0/0x1b0\nCall Trace:\n sock_map_link+0x564/0x8b0\n sock_map_update_common+0x6e/0x340\n sock_map_update_elem_sys+0x17d/0x240\n __sys_bpf+0x26db/0x3250\n __x64_sys_bpf+0x21/0x30\n do_syscall_64+0x6b/0x3a0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nInitial idea was to move peer assignment _before_ the sk_state update[1],\nbut that involved an additional memory barrier, and changing the hot path\nwas rejected.\nThen a NULL check during proto update in unix_stream_bpf_update_proto() was\nconsidered[2], but the follow-up discussion[3] focused on the root cause,\ni.e. sockmap update taking a wrong lock. Or, more specifically, missing\nunix_state_lock()[4].\nIn the end it was concluded that teaching sockmap about the af_unix locking\nwould be unnecessarily complex[5].\nComplexity aside, since BPF_PROG_TYPE_SCHED_CLS and BPF_PROG_TYPE_SCHED_ACT\nare allowed to update sockmaps, sock_map_update_elem() taking the unix\nlock, as it is currently implemented in unix_state_lock():\nspin_lock(&unix_sk(s)->lock), would be problematic. unix_state_lock() taken\nin a process context, followed by a softirq-context TC BPF program\nattempting to take the same spinlock -- deadlock[6].\nThis way we circled back to the peer check idea[2].\n\n[1]: https://lore.kernel.org/netdev/ba5c50aa-1df4-40c2-ab33-a72022c5a32e@rbox.co/\n[2]: https://lore.kernel.org/netdev/20240610174906.32921-1-kuniyu@amazon.com/\n[3]: https://lore.kernel.org/netdev/7603c0e6-cd5b-452b-b710-73b64bd9de26@linux.dev/\n[4]: https://lore.kernel.org/netdev/CAAVpQUA+8GL_j63CaKb8hbxoL21izD58yr1NvhOhU=j+35+3og@mail.gmail.com/\n[5]: https://lore.kernel.org/bpf/CAAVpQUAHijOMext28Gi10dSLuMzGYh+jK61Ujn+fZ-wvcODR2A@mail.gmail.com/\n[6]: https://lore.kernel.org/bpf/dd043c69-4d03-46fe-8325-8f97101435cf@linux.dev/\n\nSummary of scenarios where af_unix/stream connect() may race a sockmap\nupdate:\n\n1. connect() vs. bpf(BPF_MAP_UPDATE_ELEM), i.e. sock_map_update_elem_sys()\n\n Implemented NULL check is sufficient. Once assigned, socket peer won't\n be released until socket fd is released. And that's not an issue because\n sock_map_update_elem_sys() bumps fd refcnf.\n\n2. connect() vs BPF program doing update\n\n Update restricted per verifier.c:may_update_sockmap() to\n\n BPF_PROG_TYPE_TRACING/BPF_TRACE_ITER\n BPF_PROG_TYPE_SOCK_OPS (bpf_sock_map_update() only)\n BPF_PROG_TYPE_SOCKET_FILTER\n BPF_PROG_TYPE_SCHED_CLS\n BPF_PROG_TYPE_SCHED_ACT\n BPF_PROG_TYPE_XDP\n BPF_PROG_TYPE_SK_REUSEPORT\n BPF_PROG_TYPE_FLOW_DISSECTOR\n BPF_PROG_TYPE_SK_LOOKUP\n\n Plus one more race to consider:\n\n CPU0 bpf CPU1 connect\n -------- ------------\n\n WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED)\n sock_map_sk_state_allowed(sk)\n sock_hold(newsk)\n smp_mb__after_atomic()\n \n---truncated---"}],"providerMetadata":{"dateUpdated":"2026-06-24T16:29:41.676Z","orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux"},"references":[{"url":"https://git.kernel.org/stable/c/75b7d3b3f8bd4e59eb3af1b11a43c64c0c2db6f4"},{"url":"https://git.kernel.org/stable/c/a94d3dd78ee8b63e6b8ad629081c952c93ee5a10"},{"url":"https://git.kernel.org/stable/c/4913c94a3adcdbb64c552110c0c243cb1fdbb317"},{"url":"https://git.kernel.org/stable/c/041eb6348d73ee5e15fc8161f1eac5a6e8289ca0"},{"url":"https://git.kernel.org/stable/c/37bfcd164161b47d00b1c3bd20adc816a6977ce0"},{"url":"https://git.kernel.org/stable/c/dca38b7734d2ea00af4818ff3ae836fab33d5d5a"}],"title":"bpf, sockmap: Fix af_unix null-ptr-deref in proto update","x_generator":{"engine":"bippy-1.2.0"}}},"cveMetadata":{"assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","assignerShortName":"Linux","cveId":"CVE-2026-53034","datePublished":"2026-06-24T16:29:41.676Z","dateReserved":"2026-06-09T07:44:35.380Z","dateUpdated":"2026-06-24T16:29:41.676Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-24 17:17:14","lastModifiedDate":"2026-06-24 17:17:14","problem_types":[],"metrics":[],"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"53034","Ordinal":"1","Title":"bpf, sockmap: Fix af_unix null-ptr-deref in proto update","CVE":"CVE-2026-53034","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"53034","Ordinal":"1","NoteData":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix af_unix null-ptr-deref in proto update\n\nunix_stream_connect() sets sk_state (`WRITE_ONCE(sk->sk_state,\nTCP_ESTABLISHED)`) _before_ it assigns a peer (`unix_peer(sk) = newsk`).\nsk_state == TCP_ESTABLISHED makes sock_map_sk_state_allowed() believe that\nsocket is properly set up, which would include having a defined peer. IOW,\nthere's a window when unix_stream_bpf_update_proto() can be called on\nsocket which still has unix_peer(sk) == NULL.\n\n CPU0 bpf CPU1 connect\n -------- ------------\n\n WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED)\nsock_map_sk_state_allowed(sk)\n...\nsk_pair = unix_peer(sk)\nsock_hold(sk_pair)\n sock_hold(newsk)\n smp_mb__after_atomic()\n unix_peer(sk) = newsk\n\nBUG: kernel NULL pointer dereference, address: 0000000000000080\nRIP: 0010:unix_stream_bpf_update_proto+0xa0/0x1b0\nCall Trace:\n sock_map_link+0x564/0x8b0\n sock_map_update_common+0x6e/0x340\n sock_map_update_elem_sys+0x17d/0x240\n __sys_bpf+0x26db/0x3250\n __x64_sys_bpf+0x21/0x30\n do_syscall_64+0x6b/0x3a0\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nInitial idea was to move peer assignment _before_ the sk_state update[1],\nbut that involved an additional memory barrier, and changing the hot path\nwas rejected.\nThen a NULL check during proto update in unix_stream_bpf_update_proto() was\nconsidered[2], but the follow-up discussion[3] focused on the root cause,\ni.e. sockmap update taking a wrong lock. Or, more specifically, missing\nunix_state_lock()[4].\nIn the end it was concluded that teaching sockmap about the af_unix locking\nwould be unnecessarily complex[5].\nComplexity aside, since BPF_PROG_TYPE_SCHED_CLS and BPF_PROG_TYPE_SCHED_ACT\nare allowed to update sockmaps, sock_map_update_elem() taking the unix\nlock, as it is currently implemented in unix_state_lock():\nspin_lock(&unix_sk(s)->lock), would be problematic. unix_state_lock() taken\nin a process context, followed by a softirq-context TC BPF program\nattempting to take the same spinlock -- deadlock[6].\nThis way we circled back to the peer check idea[2].\n\n[1]: https://lore.kernel.org/netdev/ba5c50aa-1df4-40c2-ab33-a72022c5a32e@rbox.co/\n[2]: https://lore.kernel.org/netdev/20240610174906.32921-1-kuniyu@amazon.com/\n[3]: https://lore.kernel.org/netdev/7603c0e6-cd5b-452b-b710-73b64bd9de26@linux.dev/\n[4]: https://lore.kernel.org/netdev/CAAVpQUA+8GL_j63CaKb8hbxoL21izD58yr1NvhOhU=j+35+3og@mail.gmail.com/\n[5]: https://lore.kernel.org/bpf/CAAVpQUAHijOMext28Gi10dSLuMzGYh+jK61Ujn+fZ-wvcODR2A@mail.gmail.com/\n[6]: https://lore.kernel.org/bpf/dd043c69-4d03-46fe-8325-8f97101435cf@linux.dev/\n\nSummary of scenarios where af_unix/stream connect() may race a sockmap\nupdate:\n\n1. connect() vs. bpf(BPF_MAP_UPDATE_ELEM), i.e. sock_map_update_elem_sys()\n\n Implemented NULL check is sufficient. Once assigned, socket peer won't\n be released until socket fd is released. And that's not an issue because\n sock_map_update_elem_sys() bumps fd refcnf.\n\n2. connect() vs BPF program doing update\n\n Update restricted per verifier.c:may_update_sockmap() to\n\n BPF_PROG_TYPE_TRACING/BPF_TRACE_ITER\n BPF_PROG_TYPE_SOCK_OPS (bpf_sock_map_update() only)\n BPF_PROG_TYPE_SOCKET_FILTER\n BPF_PROG_TYPE_SCHED_CLS\n BPF_PROG_TYPE_SCHED_ACT\n BPF_PROG_TYPE_XDP\n BPF_PROG_TYPE_SK_REUSEPORT\n BPF_PROG_TYPE_FLOW_DISSECTOR\n BPF_PROG_TYPE_SK_LOOKUP\n\n Plus one more race to consider:\n\n CPU0 bpf CPU1 connect\n -------- ------------\n\n WRITE_ONCE(sk->sk_state, TCP_ESTABLISHED)\n sock_map_sk_state_allowed(sk)\n sock_hold(newsk)\n smp_mb__after_atomic()\n \n---truncated---","Type":"Description","Title":"bpf, sockmap: Fix af_unix null-ptr-deref in proto update"}]}}}