Re: [PATCH bpf-next v5 0/3] bpf, sockmap: reject a packet-modifying SK_SKB stream parser

Next message: patchwork-bot+netdevbpf: "Re: [PATCH bpf 1/1] bpf: Fix insn_aux_data leak on verifier err_free_env path"
Previous message: patchwork-bot+netdevbpf: "Re: [PATCH bpf-next v2 0/2] bpf: Mask pseudo pointer values in verifier logs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: patchwork-bot+netdevbpf

Date: Fri Jun 26 2026 - 08:28:52 EST

Hello:

This series was applied to bpf/bpf.git (master)
by Alexei Starovoitov <ast@xxxxxxxxxx>:

On Sat, 20 Jun 2026 02:44:15 +0000 you wrote:
> A BPF_PROG_TYPE_SK_SKB stream parser runs on strparser's message head,
> which can chain skbs through frag_list. A parser that resizes the skb
> frees the frag_list segments that strparser still tracks through
> skb_nextp, leading to a use-after-free.
>
> A stream parser is only meant to measure the next message, not to modify
> the packet, so reject a packet-modifying parser at attach time.
>
> [...]

Here is the summary with links:
- [bpf-next,v5,1/3] selftests/bpf: don't modify the skb in the strparser parser prog
https://git.kernel.org/bpf/bpf/c/22a0cc10dacb
- [bpf-next,v5,2/3] bpf, sockmap: reject a packet-modifying SK_SKB stream parser
https://git.kernel.org/bpf/bpf/c/31e2f36d3821
- [bpf-next,v5,3/3] selftests/bpf: test rejection of a packet-modifying SK_SKB stream parser
https://git.kernel.org/bpf/bpf/c/05fb34384d20

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html