[PATCH bpf-next v5 0/3] bpf, sockmap: reject a packet-modifying SK_SKB stream parser

Next message: Sechang Lim: "[PATCH bpf-next v5 2/3] bpf, sockmap: reject a packet-modifying SK_SKB stream parser"
Previous message: Xin Zhao: "Re: [PATCH v3] coredump: exit_files() in coredump_wait() if MMF_DUMP_MAPPED_SHARED is not set"
Next in thread: Sechang Lim: "[PATCH bpf-next v5 2/3] bpf, sockmap: reject a packet-modifying SK_SKB stream parser"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Sechang Lim

Date: Fri Jun 19 2026 - 22:44:41 EST

A BPF_PROG_TYPE_SK_SKB stream parser runs on strparser's message head,
which can chain skbs through frag_list. A parser that resizes the skb
frees the frag_list segments that strparser still tracks through
skb_nextp, leading to a use-after-free.

A stream parser is only meant to measure the next message, not to modify
the packet, so reject a packet-modifying parser at attach time.

v5:
- target bpf-next instead of bpf
- add Reviewed-by tag (Jiayuan Chen)

v4:
- https://lore.kernel.org/all/20260619062959.3277612-1-rhkrqnwk98@xxxxxxxxx/

v3:
- https://lore.kernel.org/all/20260618102718.2331468-1-rhkrqnwk98@xxxxxxxxx/

v2:
- https://lore.kernel.org/all/20260612123553.2724240-1-rhkrqnwk98@xxxxxxxxx/

v1:
- https://lore.kernel.org/all/20260609112316.3685738-1-rhkrqnwk98@xxxxxxxxx/

Sechang Lim (3):
selftests/bpf: don't modify the skb in the strparser parser prog
bpf, sockmap: reject a packet-modifying SK_SKB stream parser
selftests/bpf: test rejection of a packet-modifying SK_SKB stream
parser

net/core/sock_map.c | 20 ++++++++++++
.../selftests/bpf/prog_tests/sockmap_strp.c | 31 +++++++++++++++++++
.../selftests/bpf/progs/sockmap_parse_prog.c | 22 -------------
.../selftests/bpf/progs/test_sockmap_strp.c | 7 +++++
4 files changed, 58 insertions(+), 22 deletions(-)

--
2.43.0