On 2026-06-19 7:44 p.m., Sechang Lim wrote:
> A BPF_PROG_TYPE_SK_SKB stream parser runs on strparser's message head,
> which can chain skbs through frag_list. A parser that resizes the skb
> frees the frag_list segments that strparser still tracks through
> skb_nextp, leading to a use-after-free.
>
> A stream parser is only meant to measure the next message, not to modify
> the packet, so reject a packet-modifying parser at attach time.
>
> v5:
> - target bpf-next instead of bpf
> - add Reviewed-by tag (Jiayuan Chen)
> v4:
> - https://lore.kernel.org/all/[email protected]/
> v3:
> - https://lore.kernel.org/all/[email protected]/
> v2:
> - https://lore.kernel.org/all/[email protected]/
> v1:
> - https://lore.kernel.org/all/[email protected]/
>
> Sechang Lim (3):
>   selftests/bpf: don't modify the skb in the strparser parser prog
>   bpf, sockmap: reject a packet-modifying SK_SKB stream parser
>   selftests/bpf: test rejection of a packet-modifying SK_SKB stream
>     parser

Hi Sechang, all,
This series broke test_maps (test_sockmap subtest) on the bpf
tree. Currently on BPF CI the test fails on bpf, but passes on
bpf-next (it doesn't have the series yet).
test_maps fails with:
+ taskset 0xF ./test_maps
[ 8.352378] clocksource: Watchdog remote CPU 2 read timed out
Failed sockmap unexpected timeout
See test_maps.c:995 in test_sockmap(): the 30s select() times out and
test_maps exits 1. Note there is no "Failed stream parser bpf prog
attach" message; the parser attaches fine.
The series was merged into bpf on 2026-06-26 00:42 UTC.
CI runs:
last good (pre-merge, 06-25):
https://github.com/kernel-patches/bpf/actions/runs/28158326456
first bad (post-merge, 06-26):
https://github.com/kernel-patches/bpf/actions/runs/28210181858
recent bad (06-30):
https://github.com/kernel-patches/bpf/actions/runs/28475936023
Confirmed locally: reverting the 3 commits and rebuilding makes
test_sockmap pass again.
Could you please help investigate?
Thanks!

> net/core/sock_map.c | 20 ++++++++++++
> .../selftests/bpf/prog_tests/sockmap_strp.c | 31 +++++++++++++++++++
> .../selftests/bpf/progs/sockmap_parse_prog.c | 22 -------------
> .../selftests/bpf/progs/test_sockmap_strp.c | 7 +++++
> 4 files changed, 58 insertions(+), 22 deletions(-)