Commit 0b846445 authored by Cong Wang's avatar Cong Wang Committed by Andrii Nakryiko
Browse files

unix_bpf: Fix a potential deadlock in unix_dgram_bpf_recvmsg() 



As Eric noticed, __unix_dgram_recvmsg() may acquire u->iolock
too, so we have to release it before calling this function.

Fixes: 9825d866 ("af_unix: Implement unix_dgram_bpf_recvmsg()")
Reported-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: default avatarCong Wang <cong.wang@bytedance.com>
Signed-off-by: default avatarAndrii Nakryiko <andrii@kernel.org>
Acked-by: default avatarJakub Sitnicki <jakub@cloudflare.com>
Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
parent a710eed3

net/unix/unix_bpf.c

+8 −8
Original line number Diff line number Diff line
@@ -44,7 +44,7 @@ static int unix_dgram_bpf_recvmsg(struct sock *sk, struct msghdr *msg, 
{

	struct unix_sock *u = unix_sk(sk);

	struct sk_psock *psock;

	int copied, ret;

	int copied;



	psock = sk_psock_get(sk);

	if (unlikely(!psock))
@@ -53,8 +53,9 @@ static int unix_dgram_bpf_recvmsg(struct sock *sk, struct msghdr *msg, 
	mutex_lock(&u->iolock);

	if (!skb_queue_empty(&sk->sk_receive_queue) &&

	    sk_psock_queue_empty(psock)) {

		ret = __unix_dgram_recvmsg(sk, msg, len, flags);

		goto out;

		mutex_unlock(&u->iolock);

		sk_psock_put(sk, psock);

		return __unix_dgram_recvmsg(sk, msg, len, flags);

	}



msg_bytes_ready:
@@ -68,16 +69,15 @@ static int unix_dgram_bpf_recvmsg(struct sock *sk, struct msghdr *msg, 
		if (data) {

			if (!sk_psock_queue_empty(psock))

				goto msg_bytes_ready;

			ret = __unix_dgram_recvmsg(sk, msg, len, flags);

			goto out;

			mutex_unlock(&u->iolock);

			sk_psock_put(sk, psock);

			return __unix_dgram_recvmsg(sk, msg, len, flags);

		}

		copied = -EAGAIN;

	}

	ret = copied;

out:

	mutex_unlock(&u->iolock);

	sk_psock_put(sk, psock);

	return ret;

	return copied;

}



static struct proto *unix_prot_saved __read_mostly;