Re: [PATCH net v5 0/2] bpf, skmsg: fix verdict sk_data_ready racing with ktls rx

From: patchwork-bot+netdevbpf@kernel.org
Date: 2026-05-21 00:30:05
Also in: bpf

Hello:

This series was applied to netdev/net.git (main)
by Jakub Kicinski [off-list ref]:

On Sun, 17 May 2026 23:56:25 +0900 you wrote:

sk_psock_verdict_data_ready() lacks the tls_sw_has_ctx_rx() guard that
sk_psock_strp_data_ready() gained in e91de6afa81c.  When a socket is
inserted into a sockmap (BPF_SK_SKB_VERDICT) before TLS RX is configured,
the missing guard causes tcp_read_skb() to drain sk_receive_queue without
advancing copied_seq, leaving a dangling frag_list pointer that
tls_decrypt_sg() walks — a use-after-free.

[...]

Here is the summary with links:
  - [net,v5,1/2] bpf, skmsg: fix verdict sk_data_ready racing with ktls rx
    https://git.kernel.org/netdev/net/c/ddf8029623a1
  - [net,v5,2/2] selftests/bpf: add regression test for ktls+sockmap verdict UAF
    https://git.kernel.org/netdev/net/c/33644bd38aec

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help