Re: [PATCH bpf v5 1/2] bpf: guard sock_ops rtt_min against non-locked tcp_sock

Next message: Marek Vasut: "[PATCH 2/3] dt-bindings: display: simple: Document Displaytech DT050BTFT-PTS panel"
Previous message: Mark Brown: "Re: [PATCH v2 1/2] ASoC: dt-bindings: ti,tas2781: Add TAS5832 support"
In reply to: Werner Kasselman: "[PATCH bpf v5 1/2] bpf: guard sock_ops rtt_min against non-locked tcp_sock"
Next in thread: Werner Kasselman: "[PATCH bpf v5 2/2] selftests/bpf: cover same-reg sock_ops rtt_min request_sock access"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Martin KaFai Lau

Date: Wed Apr 22 2026 - 17:03:46 EST

On Mon, Apr 20, 2026 at 11:00:35PM +0000, Werner Kasselman wrote:
> sock_ops_convert_ctx_access() reads rtt_min without the is_locked_tcp_sock guard used for every other tcp_sock field. On request_sock-backed sock_ops callbacks, sk points at a tcp_request_sock and the converted load reads past the end of the allocation.
>
> Extract the guarded tcp_sock field load sequence into SOCK_OPS_LOAD_TCP_SOCK_FIELD() and use it for the rtt_min access after computing the sub-field offset with offsetof(struct minmax_sample, v). Reusing the shared helper keeps rtt_min aligned with the other guarded tcp_sock field loads and preserves the dst_reg == src_reg failure path that zeros the destination register when the guard fails.

I think some formatting instruction was not given to the AI this time and
no human bothered to look at the formatting of the commit message
before posting?