From: Jiayuan Chen
To: netdev@vger.kernel.org
Cc: Jiayuan Chen, Jiayuan Chen, Kuniyuki Iwashima, Martin KaFai Lau, Daniel Borkmann, John Fastabend, Stanislav Fomichev, Alexei Starovoitov, Andrii Nakryiko, Eduard Zingerman, Song Liu, Yonghong Song, KP Singh, Hao Luo, Jiri Olsa, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Shuah Khan, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org
Subject: [PATCH bpf v2 1/2] bpf: tcp: Reject non-TCP skb in bpf_sk_assign_tcp_reqsk()
Date: Thu, 26 Mar 2026 14:26:35 +0800
Message-ID: <20260326062657.88446-2-jiayuan.chen@linux.dev>
In-Reply-To: <20260326062657.88446-1-jiayuan.chen@linux.dev>
References: <20260326062657.88446-1-jiayuan.chen@linux.dev>

From: Jiayuan Chen

bpf_sk_assign_tcp_reqsk() only validates skb->protocol (L3) but does not
check the L4 protocol in the IP header. A BPF program can call this kfunc
on a UDP skb with a valid TCP listener socket, which will succeed and
attach a TCP reqsk to the UDP skb.

When the UDP skb enters the UDP receive path, skb_steal_sock() returns
the TCP listener from the reqsk. The UDP code then passes this TCP socket
to udp_unicast_rcv_skb() -> __udp_enqueue_schedule_skb(), which casts
it to udp_sock and accesses UDP-specific fields at invalid offsets,
causing a null pointer dereference and kernel panic:

  BUG: KASAN: null-ptr-deref in __udp_enqueue_schedule_skb+0x19d/0x1df0
  Read of size 4 at addr 0000000000000008 by task test_progs/537

  CPU: 1 UID: 0 PID: 537 Comm: test_progs Not tainted 7.0.0-rc4+ #46 PREEMPT
  Call Trace:
   dump_stack_lvl (lib/dump_stack.c:123)
   print_report (mm/kasan/report.c:487)
   kasan_report (mm/kasan/report.c:597)
   __kasan_check_read (mm/kasan/shadow.c:32)
   __udp_enqueue_schedule_skb (net/ipv4/udp.c:1719)
   udp_queue_rcv_one_skb (net/ipv4/udp.c:2370 net/ipv4/udp.c:2500)
   udp_queue_rcv_skb (net/ipv4/udp.c:2532)
   udp_unicast_rcv_skb (net/ipv4/udp.c:2684)
   __udp4_lib_rcv (net/ipv4/udp.c:2742)
   udp_rcv (net/ipv4/udp.c:2937)
   ip_protocol_deliver_rcu (net/ipv4/ip_input.c:209)
   ip_local_deliver_finish (./include/linux/rcupdate.h:879 net/ipv4/ip_input.c:242)
   ip_local_deliver (net/ipv4/ip_input.c:265)
   __netif_receive_skb_one_core (net/core/dev.c:6164 (discriminator 4))
   __netif_receive_skb (net/core/dev.c:6280)

Fix this by checking the IP header's protocol field in
bpf_sk_assign_tcp_reqsk() and rejecting non-TCP skbs with -EINVAL.

Fixes: e472f88891ab ("bpf: tcp: Support arbitrary SYN Cookie.")
Cc: Jiayuan Chen
Reviewed-by: Kuniyuki Iwashima
Signed-off-by: Jiayuan Chen
--- net/core/filter.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/net/core/filter.c b/net/core/filter.c index 78b548158fb0..fb975bcce804 100644 --- a/net/core/filter.c +++ b/net/core/filter.c 
@@ -12248,11 +12248,17 @@ __bpf_kfunc int bpf_sk_assign_tcp_reqsk(struct __= sk_buff *s, struct sock *sk, =20 switch (skb->protocol) { case htons(ETH_P_IP): + if (ip_hdr(skb)->protocol !=3D IPPROTO_TCP) + return -EINVAL; + ops =3D &tcp_request_sock_ops; min_mss =3D 536; break; #if IS_BUILTIN(CONFIG_IPV6) case htons(ETH_P_IPV6): + if (ipv6_hdr(skb)->nexthdr !=3D IPPROTO_TCP) + return -EINVAL; + ops =3D &tcp6_request_sock_ops; min_mss =3D IPV6_MIN_MTU - 60; break; --=20 2.43.0

From: Jiayuan Chen
To: netdev@vger.kernel.org
Cc: Jiayuan Chen, Jiayuan Chen, Martin KaFai Lau, Daniel Borkmann, John Fastabend, Stanislav Fomichev, Alexei Starovoitov, Andrii Nakryiko, Eduard Zingerman, Song Liu, Yonghong Song, KP Singh, Hao Luo, Jiri Olsa, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, Shuah Khan, Kuniyuki Iwashima, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org
Subject: [PATCH bpf v2 2/2] selftests/bpf: Add protocol check test for bpf_sk_assign_tcp_reqsk()
Date: Thu, 26 Mar 2026 14:26:36 +0800
Message-ID: <20260326062657.88446-3-jiayuan.chen@linux.dev>
In-Reply-To: <20260326062657.88446-1-jiayuan.chen@linux.dev>
References: <20260326062657.88446-1-jiayuan.chen@linux.dev>

From: Jiayuan Chen

Add test_tcp_custom_syncookie_protocol_check to verify that
bpf_sk_assign_tcp_reqsk() rejects non-TCP skbs. The test sends a UDP
packet through TC ingress where a BPF program calls
bpf_sk_assign_tcp_reqsk() on it and checks that the kfunc returns an
error. A UDP server recv() is used as synchronization to ensure the
BPF program has finished processing before checking the result.

Without the fix in bpf_sk_assign_tcp_reqsk(), the kfunc succeeds and
attaches a TCP reqsk to the UDP skb, which causes a null pointer
dereference panic when the kernel processes it through the UDP receive
path.

Test result:

  ./test_progs -a tcp_custom_syncookie_protocol_check -v
  setup_netns:PASS:create netns 0 nsec
  setup_netns:PASS:ip 0 nsec
  write_sysctl:PASS:open sysctl 0 nsec
  write_sysctl:PASS:write sysctl 0 nsec
  setup_netns:PASS:write_sysctl 0 nsec
  test_tcp_custom_syncookie_protocol_check:PASS:open_and_load 0 nsec
  test_tcp_custom_syncookie_protocol_check:PASS:start tcp_server 0 nsec
  test_tcp_custom_syncookie_protocol_check:PASS:start udp_server 0 nsec
  setup_tc:PASS:qdisc add dev lo clsact 0 nsec
  setup_tc:PASS:filter add dev lo ingress 0 nsec
  test_tcp_custom_syncookie_protocol_check:PASS:udp socket 0 nsec
  test_tcp_custom_syncookie_protocol_check:PASS:sendto udp 0 nsec
  test_tcp_custom_syncookie_protocol_check:PASS:recv udp 0 nsec
  test_tcp_custom_syncookie_protocol_check:PASS:udp_intercepted 0 nsec
  test_tcp_custom_syncookie_protocol_check:PASS:assign_ret 0 nsec
  #471 tcp_custom_syncookie_protocol_check:OK
  Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED

Cc: Jiayuan Chen
Signed-off-by: Jiayuan Chen
--- .../bpf/prog_tests/tcp_custom_syncookie.c | 84 ++++++++++++++++++- .../bpf/progs/test_tcp_custom_syncookie.c | 79 +++++++++++++++++ 2 files changed, 159 insertions(+), 4 deletions(-) diff --git a/tools/testing/selftests/bpf/prog_tests/tcp_custom_syncookie.c = b/tools/testing/selftests/bpf/prog_tests/tcp_custom_syncookie.c index eaf441dc7e79..c50b76f70988 100644 
--- a/tools/testing/selftests/bpf/prog_tests/tcp_custom_syncookie.c +++ b/tools/testing/selftests/bpf/prog_tests/tcp_custom_syncookie.c @@ -5,6 +5,7 @@ #include #include #include +#include =20 #include "test_progs.h" #include "cgroup_helpers.h" @@ -47,11 +48,10 @@ static int setup_netns(void) return -1; } =20 -static int setup_tc(struct test_tcp_custom_syncookie *skel) +static int setup_tc(int prog_fd) { LIBBPF_OPTS(bpf_tc_hook, qdisc_lo, .attach_point =3D BPF_TC_INGRESS); - LIBBPF_OPTS(bpf_tc_opts, tc_attach, - .prog_fd =3D bpf_program__fd(skel->progs.tcp_custom_syncookie)); + LIBBPF_OPTS(bpf_tc_opts, tc_attach, .prog_fd =3D prog_fd); =20 qdisc_lo.ifindex =3D if_nametoindex("lo"); if (!ASSERT_OK(bpf_tc_hook_create(&qdisc_lo), "qdisc add dev lo clsact")) @@ -127,7 +127,7 @@ void test_tcp_custom_syncookie(void) if (!ASSERT_OK_PTR(skel, "open_and_load")) return; =20 - if (setup_tc(skel)) + if (setup_tc(bpf_program__fd(skel->progs.tcp_custom_syncookie))) goto destroy_skel; =20 for (i =3D 0; i < ARRAY_SIZE(test_cases); i++) { 
@@ -145,6 +145,82 @@ void test_tcp_custom_syncookie(void) =20 destroy_skel: system("tc qdisc del dev lo clsact"); + test_tcp_custom_syncookie__destroy(skel); +} =20 +/* Test: bpf_sk_assign_tcp_reqsk() should reject non-TCP skb. + * + * Send a UDP packet through TC ingress where a BPF program calls + * bpf_sk_assign_tcp_reqsk() on it. The kfunc should return an error + * because the skb carries UDP, not TCP. + */ +void test_tcp_custom_syncookie_protocol_check(void) +{ + int tcp_server =3D -1, udp_server =3D -1, udp_client =3D -1; + struct test_tcp_custom_syncookie *skel; + struct sockaddr_in udp_addr; + char buf[32] =3D "test"; + int udp_port, ret; + + if (setup_netns()) + return; + + skel =3D test_tcp_custom_syncookie__open_and_load(); + if (!ASSERT_OK_PTR(skel, "open_and_load")) + return; + + /* Create a TCP listener so the BPF can find a LISTEN socket */ + tcp_server =3D start_server(AF_INET, SOCK_STREAM, "127.0.0.1", 0, 0); + if (!ASSERT_NEQ(tcp_server, -1, "start tcp_server")) + goto destroy_skel; + + /* Create a UDP server to receive the packet as synchronization */ + udp_server =3D start_server(AF_INET, SOCK_DGRAM, "127.0.0.1", 0, 0); + if (!ASSERT_NEQ(udp_server, -1, "start udp_server")) + goto close_tcp; + + skel->bss->tcp_listener_port =3D ntohs(get_socket_local_port(tcp_server)); + udp_port =3D ntohs(get_socket_local_port(udp_server)); + skel->bss->udp_test_port =3D udp_port; + + ret =3D bpf_program__fd(skel->progs.tcp_custom_syncookie_badproto); + if (setup_tc(ret)) + goto close_udp_server; + + udp_client =3D socket(AF_INET, SOCK_DGRAM, 0); + if (!ASSERT_NEQ(udp_client, -1, "udp socket")) + goto cleanup_tc; + + memset(&udp_addr, 0, sizeof(udp_addr)); + udp_addr.sin_family =3D AF_INET; + udp_addr.sin_addr.s_addr =3D htonl(INADDR_LOOPBACK); + udp_addr.sin_port =3D htons(udp_port); + + ret =3D sendto(udp_client, buf, sizeof(buf), 0, + (struct sockaddr *)&udp_addr, sizeof(udp_addr)); + if (!ASSERT_EQ(ret, sizeof(buf), "sendto udp")) + goto cleanup_tc; + + /* 
recv() ensures TC ingress BPF has processed the skb */ + ret =3D recv(udp_server, buf, sizeof(buf), 0); + if (!ASSERT_EQ(ret, sizeof(buf), "recv udp")) + goto cleanup_tc; + + ASSERT_EQ(skel->bss->udp_intercepted, true, "udp_intercepted"); + + /* assign_ret =3D=3D 0 means kfunc accepted UDP skb (bug). + * assign_ret < 0 means kfunc correctly rejected it (fixed). + */ + ASSERT_NEQ(skel->data->assign_ret, 0, "assign_ret"); + +cleanup_tc: + system("tc qdisc del dev lo clsact"); + if (udp_client >=3D 0) + close(udp_client); +close_udp_server: + close(udp_server); +close_tcp: + close(tcp_server); +destroy_skel: test_tcp_custom_syncookie__destroy(skel); } diff --git a/tools/testing/selftests/bpf/progs/test_tcp_custom_syncookie.c = b/tools/testing/selftests/bpf/progs/test_tcp_custom_syncookie.c index 7d5293de1952..386705b6c9f2 100644 --- a/tools/testing/selftests/bpf/progs/test_tcp_custom_syncookie.c +++ b/tools/testing/selftests/bpf/progs/test_tcp_custom_syncookie.c 
@@ -588,4 +588,83 @@ int tcp_custom_syncookie(struct __sk_buff *skb) return tcp_handle_ack(&ctx); } =20 +/* Test: call bpf_sk_assign_tcp_reqsk() on a UDP skb. + * The kfunc should reject it, but currently it doesn't check L4 protocol. + */ +__u16 tcp_listener_port =3D 0; +__u16 udp_test_port =3D 0; +int assign_ret =3D -1; +bool udp_intercepted =3D false; + +SEC("tc") +int tcp_custom_syncookie_badproto(struct __sk_buff *skb) +{ + void *data =3D (void *)(long)skb->data; + void *data_end =3D (void *)(long)skb->data_end; + struct bpf_sock_tuple tuple =3D {}; + struct bpf_tcp_req_attrs attrs =3D {}; + struct ethhdr *eth; + struct iphdr *iph; + struct udphdr *udp; + struct bpf_sock *skc; + struct sock *sk; + + eth =3D (struct ethhdr *)data; + if (eth + 1 > data_end) + return TC_ACT_OK; + + if (bpf_ntohs(eth->h_proto) !=3D ETH_P_IP) + return TC_ACT_OK; + + iph =3D (struct iphdr *)(eth + 1); + if (iph + 1 > data_end) + return TC_ACT_OK; + + if (iph->protocol !=3D IPPROTO_UDP) + return TC_ACT_OK; + + udp =3D (struct udphdr *)(iph + 1); + if (udp + 1 > data_end) + return TC_ACT_OK; + + if (bpf_ntohs(udp->dest) !=3D udp_test_port) + return TC_ACT_OK; + + udp_intercepted =3D true; + + tuple.ipv4.saddr =3D iph->saddr; + tuple.ipv4.daddr =3D iph->daddr; + tuple.ipv4.sport =3D udp->source; + tuple.ipv4.dport =3D bpf_htons(tcp_listener_port); + + skc =3D bpf_skc_lookup_tcp(skb, &tuple, sizeof(tuple.ipv4), -1, 0); + if (!skc) + return TC_ACT_OK; + + if (skc->state !=3D TCP_LISTEN) { + bpf_sk_release(skc); + return TC_ACT_OK; + } + + sk =3D (struct sock *)bpf_skc_to_tcp_sock(skc); + if (!sk) { + bpf_sk_release(skc); + return TC_ACT_OK; + } + + attrs.mss =3D 1460; + attrs.wscale_ok =3D 1; + attrs.snd_wscale =3D 7; + attrs.rcv_wscale =3D 7; + attrs.sack_ok =3D 1; + + /* Call bpf_sk_assign_tcp_reqsk on a UDP skb. 
*/ + assign_ret =3D bpf_sk_assign_tcp_reqsk(skb, sk, &attrs, sizeof(attrs)); + + bpf_sk_release(skc); + + /* Let the packet continue into the kernel */ + return TC_ACT_OK; +} + char _license[] SEC("license") =3D "GPL"; --=20 2.43.0
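
Review bot: in the ETH_P_IPV6 case of the net/core/filter.c hunk (patch 1/2), ipv6_hdr(skb)->nexthdr is only the first Next Header value, so a TCP segment that follows a hop-by-hop, routing or destination-options header is now rejected with -EINVAL as well. That fails in the safe direction, but it is a behaviour change for callers that previously had such packets accepted. Either add a short comment beside the check stating that TCP behind extension headers is deliberately refused, or resolve the transport protocol with ipv6_skip_exthdr() before comparing against IPPROTO_TCP. A one-line comment on the ETH_P_IP check would likewise record why skb->protocol alone is not sufficient.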
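
Review bot: the final check in test_tcp_custom_syncookie_protocol_check() (prog_tests/tcp_custom_syncookie.c, patch 2/2), ASSERT_NEQ(skel->data->assign_ret, 0, "assign_ret"), also passes when the kfunc was never called. assign_ret starts at -1 in the BPF object and udp_intercepted is set before bpf_skc_lookup_tcp(), so a failed lookup, a socket that is not in TCP_LISTEN or a NULL from bpf_skc_to_tcp_sock() leaves both asserts satisfied. Assert the exact error instead, ASSERT_EQ(skel->data->assign_ret, -EINVAL, "assign_ret"), or have the BPF program set a separate flag immediately before the call and assert on that flag too. The return values of get_socket_local_port() are also used without a check before being passed to ntohs().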
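
Review bot: the comment above tcp_custom_syncookie_badproto() in progs/test_tcp_custom_syncookie.c (patch 2/2) says the kfunc "currently ... doesn't check L4 protocol", which is no longer true once patch 1/2 is applied; reword it to describe the expected rejection. In the same function, udp is taken as (struct udphdr *)(iph + 1), which assumes a 20-byte IPv4 header. That holds for the loopback datagram the test sends, but returning TC_ACT_OK when iph->ihl is not 5, or computing the offset from iph->ihl, would make the assumption explicit.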
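
The L3-versus-L4 distinction described in the first commit message, as an added userspace C example (not kernel code and not part of the patch series). l4_is_tcp() and the sample packets are constructed for illustration; the example goes beyond the patch by refusing non-first IPv4 fragments and walking IPv6 extension headers.

```c
/* Added userspace model, not kernel code; names and packets are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
enum { P_TCP = 6, P_UDP = 17, ET_IP = 0x0800, ET_IPV6 = 0x86DD };

/* 1: L4 header is TCP, 0: it is not, -1: truncated or malformed. */
int l4_is_tcp(uint16_t ethertype, const uint8_t *buf, size_t len)
{
	if (ethertype == ET_IP) {
		if (len < 20 || (buf[0] >> 4) != 4)
			return -1;
		size_t ihl = (size_t)(buf[0] & 0x0f) * 4;
		if (ihl < 20 || len < ihl)
			return -1;
		if ((((buf[6] & 0x1f) << 8) | buf[7]) != 0)
			return 0;	/* non-first fragment: no L4 header */
		return buf[9] == P_TCP;
	}
	if (ethertype == ET_IPV6) {
		if (len < 40 || (buf[0] >> 4) != 6)
			return -1;
		uint8_t nh = buf[6];
		size_t off = 40;
		/* Skip hop-by-hop (0), routing (43), dest-opts (60); fragment (44) ends the walk. */
		while (nh == 0 || nh == 43 || nh == 60) {
			if (len < off + 8)
				return -1;
			nh = buf[off];
			off += ((size_t)buf[off + 1] + 1) * 8;
			if (off > len)
				return -1;
		}
		return nh == P_TCP;
	}
	return 0;	/* not IP at L3 */
}

/* Constructed packets: only the fields the check reads are filled in. */
static const uint8_t v4_udp[28] = { 0x45, [9] = P_UDP };
static const uint8_t v4_tcp[40] = { 0x45, [9] = P_TCP };
static const uint8_t v6_udp[48] = { 0x60, [6] = P_UDP };
static const uint8_t v6_hbh_tcp[68] = { 0x60, [6] = 0, [40] = P_TCP };
int main(void)
{
	printf("v4 udp=%d v4 tcp=%d v6 udp=%d v6 hbh+tcp=%d\n",
	       l4_is_tcp(ET_IP, v4_udp, 28), l4_is_tcp(ET_IP, v4_tcp, 40),
	       l4_is_tcp(ET_IPV6, v6_udp, 48), l4_is_tcp(ET_IPV6, v6_hbh_tcp, 68));
	return 0;
}
```

Both UDP packets carry a valid L3 protocol and are still reported as non-TCP, which is the case the skb->protocol switch alone could not distinguish.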