[PATCH bpf v3 0/2] bpf: Fix SOCK_OPS_GET_SK same-register OOB read in sock_ops and add selftest
From: Jiayuan Chen
Date: Mon Apr 06 2026 - 22:28:16 EST
When a BPF sock_ops program accesses ctx fields with dst_reg == src_reg,
the SOCK_OPS_GET_SK() and SOCK_OPS_GET_FIELD() macros fail to zero the
destination register in the !fullsock / !locked_tcp_sock path, leading to
OOB read (GET_SK) and kernel pointer leak (GET_FIELD).

Patch 1: Fix both macros by adding BPF_MOV64_IMM(si->dst_reg, 0) in the
!fullsock landing pad.

Patch 2: Add selftests covering same-register and different-register cases
for both GET_SK and GET_FIELD.

[1] https://lore.kernel.org/bpf/6fe1243e-149b-4d3b-99c7-fcc9e2f75787@xxxxxxxxxxxxxxxx/T/#u

Changes since v2:
https://lore.kernel.org/bpf/20260406031330.187630-1-jiayuan.chen@xxxxxxxxx/
- Addressed selftest review from Martin KaFai Lau: removed unused skel
  parameter, renamed to test_ns_ for automatic netns, ASSERT_GE -> ASSERT_OK_FD
- Added Reviewed-by tags.

Changes since v1:
https://lore.kernel.org/bpf/20260404141010.247536-1-jiayuan.chen@xxxxxxxxx/
- Fixed the same bug in SOCK_OPS_GET_FIELD() (pointed out by AI review)
- Added SOCK_OPS_GET_FIELD same-register and GET_SK different-register
  subtests

Jiayuan Chen (2):
  bpf: Fix same-register dst/src OOB read and pointer leak in sock_ops
  selftests/bpf: Add tests for sock_ops ctx access with same src/dst
    register

 net/core/filter.c                                  |   6 +-
 .../bpf/prog_tests/sock_ops_get_sk.c               |  76 ++++++++++++
 .../selftests/bpf/progs/sock_ops_get_sk.c          | 117 ++++++++++++++++++
 3 files changed, 197 insertions(+), 2 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/sock_ops_get_sk.c
 create mode 100644 tools/testing/selftests/bpf/progs/sock_ops_get_sk.c
--
2.43.0
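The cover letter above describes why the bug only appears when dst_reg == src_reg: the ctx rewrite cannot load the fullsock flag into the destination register without clobbering the ctx pointer it still needs, so it checks the flag in a scratch register instead, and the destination register is then never written on the !fullsock path. The following is an added, simplified Python model of that instruction sequence written to illustrate the point; it is not the kernel's SOCK_OPS_GET_SK() macro or any code from this patch series. The pseudo-instruction names, the scratch register r9, the field names is_fullsock/sk and the pointer values are assumptions for the model, and the real macro's save/restore of the scratch register through ctx->temp is left out.

```python
# Illustrative model (added example, not kernel code) of the ctx rewrite that
# SOCK_OPS_GET_SK() emits for a sock_ops program reading ctx->sk.  The
# instruction layout, the scratch register and the field names are assumed
# simplifications; the scratch register save/restore is omitted.

CTX_PTR = 0x1000   # constructed: address of struct bpf_sock_ops_kern (ctx)
SK_PTR = 0x2000    # constructed: address of the full socket
SCRATCH = "r9"     # assumed scratch register used for the flag check


def emit_get_sk(dst, src, fixed):
    """Emit pseudo-instructions that load ctx->sk into dst.

    When dst == src, loading the one-byte fullsock flag into dst would
    overwrite the ctx pointer before ctx->sk could be read, so the flag is
    checked in a scratch register instead.  As a side effect dst is no
    longer overwritten with 0 on the !fullsock path, which is the bug; the
    'fixed' flag adds the explicit zeroing that the patch introduces.
    """
    same = dst == src
    fullsock_reg = SCRATCH if same else dst
    insns = [
        ("ld_b", fullsock_reg, src, "is_fullsock"),   # flag = ctx->is_fullsock
        ("jeq0", fullsock_reg, "not_fullsock"),       # if flag == 0 goto pad
        ("ld_dw", dst, src, "sk"),                    # dst = ctx->sk
        ("ja", "done"),
        ("label", "not_fullsock"),                    # the landing pad
    ]
    if fixed:
        insns.append(("mov_imm", dst, 0))             # BPF_MOV64_IMM(dst, 0)
    insns.append(("label", "done"))
    return insns


def run(insns, regs, ctx_mem):
    """Execute the pseudo-instructions on a register file and a ctx struct."""
    labels = {ins[1]: i for i, ins in enumerate(insns) if ins[0] == "label"}
    pc = 0
    while pc < len(insns):
        op = insns[pc]
        pc += 1
        if op[0] == "label":
            continue
        if op[0] in ("ld_b", "ld_dw"):
            _, rd, rs, fld = op
            # Every load here is meant to go through the ctx pointer; anything
            # else would be a read from an unrelated address.
            if regs[rs] != CTX_PTR:
                raise RuntimeError(f"load via {rs}=0x{regs[rs]:x}, not ctx")
            regs[rd] = ctx_mem[fld]
        elif op[0] == "jeq0":
            if regs[op[1]] == 0:
                pc = labels[op[2]]
        elif op[0] == "ja":
            pc = labels[op[1]]
        elif op[0] == "mov_imm":
            regs[op[1]] = op[2]
    return regs


def sock_ops_get_sk(dst, src, fullsock, fixed):
    """Return the value left in dst after the rewritten ctx->sk access."""
    regs = {"r1": 0, "r2": 0, SCRATCH: 0}
    regs[src] = CTX_PTR
    ctx_mem = {"is_fullsock": int(fullsock), "sk": SK_PTR if fullsock else 0}
    run(emit_get_sk(dst, src, fixed), regs, ctx_mem)
    return regs[dst]


if __name__ == "__main__":
    for dst, src in (("r2", "r1"), ("r1", "r1")):
        for fixed in (False, True):
            val = sock_ops_get_sk(dst, src, fullsock=False, fixed=fixed)
            print(f"dst={dst} src={src} !fullsock fixed={fixed}: dst=0x{val:x}")
```

With different registers the flag load itself leaves dst == 0 on the !fullsock path, so the program sees a NULL socket as intended. With dst == src and the old macro, dst still holds the ctx pointer when the landing pad is reached, and the program's later accesses treat a struct bpf_sock_ops_kern pointer as if it were a struct sock pointer; the added BPF_MOV64_IMM restores the NULL result. The same landing-pad shape is what the cover letter describes for SOCK_OPS_GET_FIELD(), where the surviving kernel pointer is returned to the program as a field value.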