[PATCH bpf v4 0/3] bpf, sockmap: reject a packet-modifying SK_SKB stream parser
From: Sechang Lim
Date: Fri Jun 19 2026 - 02:31:07 EST
A BPF_PROG_TYPE_SK_SKB stream parser runs on strparser's message head,
which can chain skbs through frag_list. A parser that resizes the skb
frees the frag_list segments that strparser still tracks through
skb_nextp, leading to a use-after-free.

A stream parser is only meant to measure the next message, not to modify
the packet, so reject a packet-modifying parser at attach time.
v4:
- drop the Fixes tag (Jiayuan Chen)
- drop the unsafe skb modification from the test prog (John Fastabend)
v3:
- https://lore.kernel.org/all/20260618102718.2331468-1-rhkrqnwk98@xxxxxxxxx/
v2:
- https://lore.kernel.org/all/20260612123553.2724240-1-rhkrqnwk98@xxxxxxxxx/
v1:
- https://lore.kernel.org/all/20260609112316.3685738-1-rhkrqnwk98@xxxxxxxxx/
Sechang Lim (3):
  selftests/bpf: don't modify the skb in the strparser parser prog
  bpf, sockmap: reject a packet-modifying SK_SKB stream parser
  selftests/bpf: test rejection of a packet-modifying SK_SKB stream
    parser

 net/core/sock_map.c | 20 ++++++++++++
 .../selftests/bpf/prog_tests/sockmap_strp.c | 31 +++++++++++++++++++
 .../selftests/bpf/progs/sockmap_parse_prog.c | 22 -------------
 .../selftests/bpf/progs/test_sockmap_strp.c | 7 +++++
 4 files changed, 58 insertions(+), 22 deletions(-)
--
2.43.0
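
The cover letter's point that a stream parser only measures the next message can be seen in a small user-space model, added here as an illustration; it is not BPF code and not part of the patch series. The 4-byte big-endian length framing, the size bound and all names are assumptions; the return convention follows strparser's parse callback (positive length, 0 for more data, negative for error).

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_LEN     4u      /* assumed framing: 4-byte big-endian payload length */
#define MAX_PAYLOAD 65536u  /* assumed sanity bound on one message */

/* Constructed sample stream: "hi", "abc", then a truncated 5-byte message. */
static const uint8_t sample_stream[] = {
    0, 0, 0, 2, 'h', 'i', 0, 0, 0, 3, 'a', 'b', 'c', 0, 0, 0, 5, 'x',
};
/* Parser model: the buffer is const, so it can only read, never resize. */
static long measure_next_msg(const uint8_t *buf, size_t avail)
{
    uint32_t payload;
    if (avail < HDR_LEN)
        return 0;                       /* header incomplete: need more data */
    payload = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
              ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    if (payload > MAX_PAYLOAD)
        return -EBADMSG;                /* implausible length: parse error */
    return (long)(HDR_LEN + payload);   /* full length of the next message */
}

/* Caller model: walks the stream using only the lengths the parser reports. */
static int count_complete_msgs(const uint8_t *buf, size_t len, size_t *consumed)
{
    size_t off = 0;
    long need = 0;
    int n = 0;
    while (off < len) {
        need = measure_next_msg(buf + off, len - off);
        if (need <= 0 || (size_t)need > len - off)
            break;                      /* error, or message not complete yet */
        off += (size_t)need;
        n++;
    }
    *consumed = off;
    return need < 0 ? (int)need : n;
}

int main(void)
{
    size_t used = 0;
    int n = count_complete_msgs(sample_stream, sizeof sample_stream, &used);
    printf("%d complete messages, %zu bytes consumed\n", n, used);
    return 0;
}
```

Because the caller keeps its own offsets into the buffer, the model only works if the parser leaves that buffer untouched, which is the same invariant the series enforces at attach time.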