Re: [PATCH bpf v8 1/2] net: Validate protocol in skb_steal_sock() for BPF-assigned sockets

From: bot+bpf-ci@kernel.org
Date: 2026-06-08 13:31:47
Also in: bpf, linux-kselftest, lkml

diff --git a/include/net/request_sock.h b/include/net/request_sock.h
index 5a9c826a7092..c2b8c6350b62 100644
--- a/include/net/request_sock.h
+++ b/include/net/request_sock.h
[ ... ]
@@ -103,6 +105,18 @@ static inline struct sock *skb_steal_sock(struct sk_buff *skb,

 	*prefetched = skb_sk_is_prefetched(skb);
 	if (*prefetched) {
+		/* A non-full socket here is either a reqsk or a
+		 * timewait sock, both only contain sock_common and
+		 * lack sk_protocol. Since both can only be TCP,
+		 * use IPPROTO_TCP as the protocol.
+		 */
+		if (unlikely(((sk_fullsock(sk) ? sk->sk_protocol : IPPROTO_TCP) != protocol))) {
                         ^^^

This isn't a bug, but there are extra parentheses around the expression
inside unlikely(). Kuniyuki Iwashima requested adding unlikely() in v7
review, but the v8 code has unlikely(((expression))) instead of
unlikely(expression).

Reference: https://lore.kernel.org/bpf/CAAVpQUA6z4bZVReNDMToRVL1V7xmYg4Tq2YMnWyU8AYXWoeB5A@mail.gmail.com/
+			skb_orphan(skb);
+			*prefetched = false;
+			*refcounted = false;
+			return NULL;
+		}
+
 #if IS_ENABLED(CONFIG_SYN_COOKIES)
 		if (sk->sk_state == TCP_NEW_SYN_RECV && inet_reqsk(sk)->syncookie) {
 			struct request_sock *req = inet_reqsk(sk);
[ ... ]
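
Review bot: The mismatch branch (skb_orphan(skb) followed by return NULL) is undocumented; the new comment explains only the IPPROTO_TCP fallback for non-full sockets, not what happens to the BPF-assigned socket when the protocols differ. A short comment there would help: skb_orphan() runs the skb destructor and clears skb->sk, and returning NULL with *prefetched and *refcounted both set to false means the caller sees no stolen socket and no reference to release. Computing the effective protocol into a local variable before the if would also keep the unlikely() condition to a single comparison and avoid the nested parentheses.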


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/27139886597