Re: [PATCH bpf v3 1/2] bpf, sockmap: fix use-after-free when the stream parser resizes the skb

[Sechang Lim]

On Thu, Jun 18, 2026 at 11:01:58AM -0700, John Fastabend wrote:
> On Thu, Jun 18, 2026 at 07:56:34PM +0800, Jiayuan Chen wrote:
> > On 6/18/26 6:27 PM, Sechang Lim wrote:
> > > sk_psock_strp_parse() runs the BPF_PROG_TYPE_SK_SKB stream-parser program
> > > to find the length of the next message. strparser assembles a message out
> > > of several received skbs by chaining them onto the head's frag_list and
> > > recording where to append the next one in strp->skb_nextp:
> > >
> > > 	*strp->skb_nextp = skb;
> > > 	strp->skb_nextp = &skb->next;
> > >
> > > and then calls the parser on the head:
> > >
> > > 	len = (*strp->cb.parse_msg)(strp, head);
> >
> > [...]
> >
> > > unaffected and may still modify the skb.
> > >
> > > Fixes: 8a31db561566 ("bpf: add access to sock fields and pkt data from sk_skb programs")
> >
> > Is the Fixes tag correct ?
> >
> > Anyway, I don't think this patch is a fix; it's more of a hardening. 
> > So no Fixes tag needed, IMO.

Thanks for your review, dropping the Fixes tag in v4.

> > > Signed-off-by: Sechang Lim <rhkrqnwk98@xxxxxxxxx>
> > > ---
>
> [...]
>
> > CI failed:
> > https://github.com/kernel-patches/bpf/actions/runs/27754218839/job/82113319982
> >    Failed stream parser bpf prog attach
> >
> > Hi John
> > I noticed that bpf_skb_pull_data was added to the skmsg test:
> > https://github.com/torvalds/linux/commit/82a8616889d506cb690cfc0afb2ccadda120461d
> >
> > Can we drop bpf_skb_pull_data in parser prog(sockmap_parse_prog.c‎) ?
> > And are there any scenarios where we need to modify skb len when 
> > using strparser ?
>
> We should never modify the skb from strparser. Just remove any tests
> that do this and state its not safe. We haven't used strparser progs
> for a long time anyways.

Thanks for your review. Will do in v4. 

Best,
Sechang