Re: [PATCH bpf v5 1/2] bpf: tcp: Reject non-TCP skb in bpf_sk_assign_tcp_reqsk()

Next message: Yaxiong Tian: "Re: [PATCH v2 3/4] PM / devfreq: Fix governor_store() failing when device has no current governor"
Previous message: Saket Kumar Bhaskar: "[PATCH] powerpc64/bpf: Add powerpc64 JIT support for timed may_goto"
In reply to: Jiayuan Chen: "[PATCH bpf v5 1/2] bpf: tcp: Reject non-TCP skb in bpf_sk_assign_tcp_reqsk()"
Next in thread: Jiayuan Chen: "[PATCH bpf v5 2/2] selftests/bpf: Add protocol check test for bpf_sk_assign_tcp_reqsk()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Martin KaFai Lau

Date: Thu Apr 02 2026 - 01:47:54 EST

On Wed, Apr 01, 2026 at 07:04:49PM +0800, Jiayuan Chen wrote:
> diff --git a/net/core/filter.c b/net/core/filter.c
> index 78b548158fb0..f251744025e2 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -12248,11 +12248,23 @@ __bpf_kfunc int bpf_sk_assign_tcp_reqsk(struct __sk_buff *s, struct sock *sk,
>
> switch (skb->protocol) {
> case htons(ETH_P_IP):
> + if (!pskb_may_pull(skb, sizeof(struct iphdr)))

The ai-review [1] is correct. skb_header_pointer() should be used.
pskb_may_pull() could invalidate the skb->data[_end] pointers
in the bpf prog.

[1]: https://sashiko.dev/#/patchset/20260401110511.73355-1-jiayuan.chen%40linux.dev

It needs one more spin. Thanks.

pw-bot: cr