Re: [PATCH bpf v3 1/2] bpf, sockmap: fix use-after-free when the stream parser resizes the skb
From: Jiayuan Chen <jiayuan.chen@linux.dev>
Date: 2026-06-18 11:57:07
Also in: bpf, lkml
On 6/18/26 6:27 PM, Sechang Lim wrote:
> sk_psock_strp_parse() runs the BPF_PROG_TYPE_SK_SKB stream-parser program to
> find the length of the next message. strparser assembles a message out of
> several received skbs by chaining them onto the head's frag_list and
> recording where to append the next one in strp->skb_nextp:
>
>     *strp->skb_nextp = skb;
>     strp->skb_nextp = &skb->next;
>
> and then calls the parser on the head:
>
>     len = (*strp->cb.parse_msg)(strp, head);
>
> [...]
>
> unaffected and may still modify the skb.
> Fixes: 8a31db561566 ("bpf: add access to sock fields and pkt data from sk_skb programs")

Is the Fixes tag correct? Anyway, I don't think this patch is a fix; it's more of a hardening. So no Fixes tag needed, IMO.
Signed-off-by: Sechang Lim <redacted> --- net/core/sock_map.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+)diff --git a/net/core/sock_map.c b/net/core/sock_map.c index 99e3789492a0..c60ba6d292f9 100644 --- a/net/core/sock_map.c +++ b/net/core/sock_map.c@@ -1515,6 +1515,17 @@ static int sock_map_prog_link_lookup(struct bpf_map *map, struct bpf_prog ***ppr return 0; } +static int sock_map_prog_attach_check(enum bpf_attach_type attach_type, + struct bpf_prog *prog) +{ + /* A stream parser must not modify the skb, only measure it. */ + if (prog && attach_type == BPF_SK_SKB_STREAM_PARSER && + prog->aux->changes_pkt_data) + return -EINVAL; + + return 0; +} + /* Handle the following four cases: * prog_attach: prog != NULL, old == NULL, link == NULL * prog_detach: prog == NULL, old != NULL, link == NULL@@ -1533,6 +1544,10 @@ static int sock_map_prog_update(struct bpf_map *map, struct bpf_prog *prog, if (ret) return ret; + ret = sock_map_prog_attach_check(which, prog); + if (ret) + return ret; + /* for prog_attach/prog_detach/link_attach, return error if a bpf_link * exists for that prog. */@@ -1776,6 +1791,11 @@ static int sock_map_link_update_prog(struct bpf_link *link, ret = -EINVAL; goto out; } + + ret = sock_map_prog_attach_check(link->attach_type, prog); + if (ret) + goto out; + if (!sockmap_link->map) { ret = -ENOLINK; goto out;
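Review bot: the comment in the new sock_map_prog_attach_check() ("A stream parser must not modify the skb, only measure it.") promises more than the check enforces: it only rejects programs whose prog->aux->changes_pkt_data is set, and the quoted commit message itself ends with a path that stays "unaffected and may still modify the skb". Reword the comment to what is actually rejected, something like "A stream parser may not use helpers that resize the skb", and spell out in the commit message which modifications remain possible after this change and why that is acceptable.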
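Review bot: the sock_map_prog_attach_check() call added to sock_map_prog_update() turns a previously successful attach into a bare -EINVAL with nothing telling the caller why, and the CI run below already trips on it through the selftest parser that calls bpf_skb_pull_data. Either update that selftest in the same series and document the new EINVAL for BPF_SK_SKB_STREAM_PARSER, or consider raising the rejection where changes_pkt_data is computed so the user gets a verifier message instead of a silent attach failure.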
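Review bot: in sock_map_link_update_prog() the new sock_map_prog_attach_check() call sits above the existing `if (!sockmap_link->map)` test, so updating a link whose map is already gone with a changes_pkt_data program now reports -EINVAL where it used to report -ENOLINK. Move the call below the ENOLINK check so a dead link keeps failing the same way regardless of the program passed in, and the new check only runs for links that can actually take the program.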
CI failed: https://github.com/kernel-patches/bpf/actions/runs/27754218839/job/82113319982

    Failed stream parser bpf prog attach

Hi John,

I noticed that bpf_skb_pull_data was added to the skmsg test:
https://github.com/torvalds/linux/commit/82a8616889d506cb690cfc0afb2ccadda120461d

Can we drop bpf_skb_pull_data in the parser prog (sockmap_parse_prog.c)?

And are there any scenarios where we need to modify the skb len when using strparser?
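For comparison, here is what a stream parser that only measures the skb looks like, written as an added example rather than code from this patch, from Sechang Lim, Jiayuan Chen or the selftest they discuss. It reads a 5-byte TLS-style record header (1 byte type, 2 bytes version, 2 bytes big-endian length) with bpf_skb_load_bytes, which copies out of the skb, frag_list data included, without pulling or resizing it, and so would pass an attach-time check on changes_pkt_data; bpf_skb_pull_data is the helper it deliberately avoids. The 16384 + 256 payload cap is an assumed bound (the TLS 1.3 ciphertext limit), and the helper is declared by number in the form libbpf's generated bpf_helper_defs.h uses so the file has no include dependency; a real build would include <linux/bpf.h> and <bpf/bpf_helpers.h> instead.

```c
/* Read-only sockmap stream parser for a 5-byte TLS-style record header
 * (1 byte type, 2 bytes version, 2 bytes big-endian payload length).
 * Added example, not code from the patch under review. The helper is
 * declared by number (the form libbpf's bpf_helper_defs.h uses) so the
 * file has no include dependency; a real build includes <linux/bpf.h>
 * and <bpf/bpf_helpers.h> from the uapi and libbpf headers instead. */
#include <stdint.h>

#define SEC(name) __attribute__((section(name), used))
#define SK_SKB_HDR_LEN 5
/* Assumed cap: TLS 1.3 maximum ciphertext record payload, 2^14 + 256. */
#define SK_SKB_MAX_PAYLOAD (16384 + 256)

struct __sk_buff;	/* opaque here; fully defined in <linux/bpf.h> */

/* BPF_FUNC_skb_load_bytes is helper number 26. It copies bytes out of
 * the skb (paged and frag_list data included) into BPF stack memory and
 * never pulls or resizes the skb, so the verifier does not flag the
 * program as changes_pkt_data. */
typedef long (*skb_load_bytes_fn)(const void *skb, uint32_t offset,
				  void *to, uint32_t len);
static const skb_load_bytes_fn bpf_skb_load_bytes = (skb_load_bytes_fn)26;

/* Pure framing logic, also callable from user-space tests:
 *  0  -> header not complete yet, strparser should wait for more data
 * <0  -> record length out of bounds, reported as a parse error
 * >0  -> total length of the next message, header included */
static inline int tls_record_len(const unsigned char *buf, unsigned long avail)
{
	unsigned int payload;

	if (avail < SK_SKB_HDR_LEN)
		return 0;
	payload = ((unsigned int)buf[3] << 8) | buf[4];
	if (payload > SK_SKB_MAX_PAYLOAD)
		return -1;
	return SK_SKB_HDR_LEN + (int)payload;
}

SEC("sk_skb/stream_parser")
int stream_parser(struct __sk_buff *skb)
{
	unsigned char hdr[SK_SKB_HDR_LEN];

	/* bpf_skb_pull_data(skb, SK_SKB_HDR_LEN) would also make the header
	 * readable, but it may linearize and resize the skb and is flagged
	 * changes_pkt_data, which the proposed attach check rejects. */
	if (bpf_skb_load_bytes(skb, 0, hdr, sizeof(hdr)) < 0)
		return 0;	/* fewer than 5 bytes queued so far */
	return tls_record_len(hdr, sizeof(hdr));
}

char _license[] SEC("license") = "GPL";
```

The framing decision lives in tls_record_len() so it can be exercised on plain byte arrays from user space; the BPF entry point only fetches the header and forwards the result, which keeps every skb access read-only.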