bpf, sockmap: Annotate af_unix sock:: Sk_state data-races

sock_map_sk_state_allowed() and sock_map_redirect_allowed() read af_unix
socket sk_state locklessly.

Use READ_ONCE(). Note that for sock_map_redirect_allowed() change affects
not only af_unix, but all non-TCP sockets (UDP, af_vsock).

Suggested-by: Kuniyuki Iwashima <kuniyu@google.com>
Suggested-by: Martin KaFai Lau <martin.lau@linux.dev>
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Link: https://patch.msgid.link/20260414-unix-proto-update-null-ptr-deref-v4-1-2af6fe97918e@rbox.co

diff --git a/net/core/sock_map.c b/net/core/sock_map.c
index b0e96337a269804690ac975203f6f4c7c1202571..02a68be3002a2e88633b68549712f2323c9c98a3 100644 (file)
--- a/net/core/sock_map.c
+++ b/net/core/sock_map.c
@@ -530,7 +530,7 @@ static bool sock_map_redirect_allowed(const struct sock *sk)
        if (sk_is_tcp(sk))
                return sk->sk_state != TCP_LISTEN;
        else
-               return sk->sk_state == TCP_ESTABLISHED;
+               return READ_ONCE(sk->sk_state) == TCP_ESTABLISHED;
 }
 
 static bool sock_map_sk_is_suitable(const struct sock *sk)
@@ -543,7 +543,7 @@ static bool sock_map_sk_state_allowed(const struct sock *sk)
        if (sk_is_tcp(sk))
                return (1 << sk->sk_state) & (TCPF_ESTABLISHED | TCPF_LISTEN);
        if (sk_is_stream_unix(sk))
-               return (1 << sk->sk_state) & TCPF_ESTABLISHED;
+               return (1 << READ_ONCE(sk->sk_state)) & TCPF_ESTABLISHED;
        if (sk_is_vsock(sk) &&
            (sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET))
                return (1 << sk->sk_state) & TCPF_ESTABLISHED;