Re: [PATCH net] udp: clear skb->dev before running a sockmap verdict
From: Alexander Lobakin
Date: Wed Jun 03 2026 - 09:57:09 EST
From: Sechang Lim <rhkrqnwk98@xxxxxxxxx>
Date: Wed, 3 Jun 2026 12:26:37 +0000
> On the UDP receive path skb->dev is repurposed as dev_scratch (the
> truesize/state cache set by udp_set_dev_scratch()), through the
> union { struct net_device *dev; unsigned long dev_scratch; } in sk_buff.
[...]
> Fixes: 965b57b469a5 ("net: Introduce a new proto_ops ->read_skb()")
I think you need to add
Cc: stable@xxxxxxxxxxxxxxx
here to mark it as a candidate for backporting.
> Signed-off-by: Sechang Lim <rhkrqnwk98@xxxxxxxxx>
> ---
> net/ipv4/udp.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
> index 0ac2bf4f8759..f5ba36e721cb 100644
> --- a/net/ipv4/udp.c
> +++ b/net/ipv4/udp.c
> @@ -2011,6 +2011,11 @@ int udp_read_skb(struct sock *sk, skb_read_actor_t recv_actor)
> }
>
> WARN_ON_ONCE(!skb_set_owner_sk_safe(skb, sk));
> + /* skb->dev still aliases the UDP rx dev_scratch (its charge was freed
Pls favor generic block comment style
/*
* skb->dev ...
> + * on dequeue above); a sockmap verdict program may deref it via
> + * bpf_sk_lookup_*(), so clear it -> bpf_skc_lookup() uses skb->sk
> + */
> + skb->dev = NULL;
> return recv_actor(sk, skb);
I'd put newlines before and after the added piece for readability.
WARN_ON_ONCE(...);
/*
* skb->dev ...
* ...
*/
skb->dev = NULL;
return recv_actor(sk, skb);
> }
Thanks,
Olek