Re: [PATCH bpf-next v3 4/7] bpf, sockmap: keep sk_msg copy state in sync
From: Kuniyuki Iwashima
Date: Fri Jun 12 2026 - 20:41:12 EST
From: Jiayuan Chen <jiayuan.chen@xxxxxxxxx>
Date: Fri, 12 Jun 2026 21:07:48 +0800
> From: Zhang Cen <rollkingzzc@xxxxxxxxx>
>
> SK_MSG uses msg->sg.copy as per-scatterlist-entry provenance. Entries
> with this bit set are copied before data/data_end are exposed to SK_MSG
> BPF programs for direct packet access.
>
> bpf_msg_pull_data(), bpf_msg_push_data(), and bpf_msg_pop_data()
> rewrite the sk_msg scatterlist ring by collapsing, splitting, and
> shifting entries. These operations move msg->sg.data[] entries, but the
> parallel copy bitmap can be left behind on the old slot. A copied entry
> can then return to msg->sg.start with its copy bit clear and be exposed
> as directly writable packet data.
>
> This corruption path requires an attached SK_MSG BPF program that calls
> the mutating helpers; ordinary sockmap/TLS traffic that never runs
> push/pop/pull helper sequences is not affected.
>
> Keep msg->sg.copy synchronized with scatterlist entry moves, preserve
> the copy bit when an entry is split, clear it when a helper replaces an
> entry with a private page, and clear slots vacated by pull-data
> compaction.
>
> Fixes: 015632bb30da ("bpf: sk_msg program helper bpf_sk_msg_pull_data")
> Fixes: 6fff607e2f14 ("bpf: sk_msg program helper bpf_msg_push_data")
> Fixes: 7246d8ed4dcc ("bpf: helper to pop data from messages")
> Cc: stable@xxxxxxxxxxxxxxx
> Co-developed-by: Han Guidong <2045gemini@xxxxxxxxx>
> Reviewed-by: John Fastabend <john.fastabend@xxxxxxxxx>
> Reviewed-by: Emil Tsalapatis <emil@xxxxxxxxxxxxxxx>
> Signed-off-by: Han Guidong <2045gemini@xxxxxxxxx>
> Signed-off-by: Zhang Cen <rollkingzzc@xxxxxxxxx>
> Signed-off-by: Jiayuan Chen <jiayuan.chen@xxxxxxxxx>
Reviewed-by: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>
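The bookkeeping problem the quoted commit message describes, as an added user-space model that is not the kernel's sk_msg code and not part of this thread: a ring of entries with a parallel copy bitmap, and a compaction step that either carries the copy bit along with each shifted entry (the fixed behaviour) or leaves it on the old slot (the defect). The struct and function names (msg_ring, compact, copy_bit_preserved) are hypothetical.

```c
/* Simplified stand-in for struct sk_msg's scatterlist ring (hypothetical
 * model, not kernel code): len[] plays the role of sg.data[] entries and
 * copy[] the role of the sg.copy bitmap that marks entries which must be
 * copied before an SK_MSG program may write to them directly. */
#include <stdbool.h>
#include <string.h>

#define RING_SIZE 8

struct msg_ring {
    unsigned int start, end;      /* live entries occupy [start, end) */
    unsigned int len[RING_SIZE];  /* stand-in for sg.data[] */
    bool copy[RING_SIZE];         /* stand-in for the sg.copy bitmap */
};

/* Drop the entry at slot 'victim' by shifting later entries down one slot,
 * the way pop/pull-style compaction moves entries. 'sync' selects whether
 * the copy bit travels with its entry and the vacated slot is cleared. */
static void compact(struct msg_ring *m, unsigned int victim, bool sync)
{
    for (unsigned int i = victim; i + 1 < m->end; i++) {
        m->len[i] = m->len[i + 1];
        if (sync)
            m->copy[i] = m->copy[i + 1];
    }
    m->end--;
    m->len[m->end] = 0;
    if (sync)
        m->copy[m->end] = false;  /* clear the slot compaction vacated */
}

/* Constructed scenario: three entries, the second one holding copied data.
 * Drop the first entry so the copied one lands at m.start, then report
 * whether it is still flagged as copied. */
bool copy_bit_preserved(bool sync)
{
    struct msg_ring m = { .start = 0, .end = 3 };
    m.len[0] = 100; m.len[1] = 200; m.len[2] = 300;
    m.copy[1] = true;             /* slot 1 was copied before exposure */
    compact(&m, 0, sync);
    /* With sync == false the 200-byte entry sits at start with copy clear,
     * i.e. copied data would be exposed as directly writable packet data. */
    return m.len[m.start] == 200 && m.copy[m.start];
}
```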