[PATCH bpf v3 0/2] bpf, sockmap: reject a packet-modifying SK_SKB stream parser

Next message: Greg KH: "Re: [PATCH] misc: vmw_zerocopy: Add VMware zero-copy buffer sharing driver"
Previous message: Heikki Krogerus: "Re: [PATCH 2/2] usb: typec: ucsi: Add ITE IT885x Type-C PD controller driver"
Next in thread: Sechang Lim: "[PATCH bpf v3 1/2] bpf, sockmap: fix use-after-free when the stream parser resizes the skb"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Sechang Lim

Date: Thu Jun 18 2026 - 06:29:22 EST

A BPF_PROG_TYPE_SK_SKB stream parser runs on strparser's message head,
which can chain skbs through frag_list. A parser that resizes the skb
frees the frag_list segments that strparser still tracks through
skb_nextp, leading to a use-after-free.

A stream parser is only meant to measure the next message, not to modify
the packet, so reject a packet-modifying parser at attach time rather
than working around the resize at runtime.

v3:
- reject the parser at attach time instead of cloning the skb at
runtime (Kuniyuki Iwashima, Jiayuan Chen)
- add a selftest (Bobby Eshleman)

v2:
- https://lore.kernel.org/all/20260612123553.2724240-1-rhkrqnwk98@xxxxxxxxx/

v1:
- https://lore.kernel.org/all/20260609112316.3685738-1-rhkrqnwk98@xxxxxxxxx/

Sechang Lim (2):
bpf, sockmap: fix use-after-free when the stream parser resizes the
skb
selftests/bpf: test rejection of a packet-modifying SK_SKB stream
parser

net/core/sock_map.c | 20 ++++++++++++
.../selftests/bpf/prog_tests/sockmap_strp.c | 31 +++++++++++++++++++
.../selftests/bpf/progs/test_sockmap_strp.c | 7 +++++
3 files changed, 58 insertions(+)

--
2.43.0