From nobody Wed Apr 1 22:11:54 2026 Received: from out-171.mta0.migadu.com (out-171.mta0.migadu.com [91.218.175.171]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EE0FF2C030E for ; Wed, 1 Apr 2026 11:05:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.218.175.171 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775041551; cv=none; b=Cr45wrhhxaJPHkStjCxrcrFWtM8sv5IlOUbN3hhVsnW4ldIP7erTjFMb18o0yVaiPtRhF0S9/wdHxuQbaI+N4UgMnAQzybIjk6iwycbegg0jkq+ZrTN0jtqj45Mi4vjZzgWrzrgJRtYYVmkcchVUbKYmssrVUkY6sZQWLUci2oU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775041551; c=relaxed/simple; bh=Xj61EosfzjfHOO1sRpO/zWhpNA5ArLWmsHWmI2lirz0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=AjfyvmKc7mGVpsYVU30StU1Qs3sDoMwcxY3s3WWmyAKcdL7OvIXR1udsH84Qknv7J9QUnIYsieTkaw3MdRRTtwTpy57iyeew9eUkgok0qOurH+bdbVnRWc9avFus/3RNMMgZLOene1iDzziafJZkhJJGOTl59drK66qZjCxZlPc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=IEBtDruy; arc=none smtp.client-ip=91.218.175.171 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="IEBtDruy" X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1775041546; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=nVZBa8UEvqHRKoYhIdivobtFZ6ps7cQbsfMsNGbhoHs=; b=IEBtDruyY5LD0VUQf2G4SAU/UWeYTCExNtUepsyMrfNZzrbn2EXYIcosLinbOmMOwTRe2y ORN1Tqe3jP7MMoBvEoXJ0aB83Y3hNpPV4yuHQN/cEhnX3PYG/oWHSEEKnM12yPk0vRcwhI NJUk3ZAyR/k/ibf+LSdozax71r5XUiY= From: Jiayuan Chen To: bpf@vger.kernel.org Cc: Jiayuan Chen , Kuniyuki Iwashima , Martin KaFai Lau , Daniel Borkmann , John Fastabend , Stanislav Fomichev , Alexei Starovoitov , Andrii Nakryiko , Eduard Zingerman , Song Liu , Yonghong Song , KP Singh , Hao Luo , Jiri Olsa , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , Shuah Khan , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org Subject: [PATCH bpf v5 1/2] bpf: tcp: Reject non-TCP skb in bpf_sk_assign_tcp_reqsk() Date: Wed, 1 Apr 2026 19:04:49 +0800 Message-ID: <20260401110511.73355-2-jiayuan.chen@linux.dev> In-Reply-To: <20260401110511.73355-1-jiayuan.chen@linux.dev> References: <20260401110511.73355-1-jiayuan.chen@linux.dev> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Migadu-Flow: FLOW_OUT Content-Type: text/plain; charset="utf-8" bpf_sk_assign_tcp_reqsk() only validates skb->protocol (L3) but does not check the L4 protocol in the IP header. A BPF program can call this kfunc on a UDP skb with a valid TCP listener socket, which will succeed and attach a TCP reqsk to the UDP skb. When the UDP skb enters the UDP receive path, skb_steal_sock() returns the TCP listener from the reqsk. The UDP code then passes this TCP socket to udp_unicast_rcv_skb() -> __udp_enqueue_schedule_skb(), which casts it to udp_sock and accesses UDP-specific fields at invalid offsets, causing a null pointer dereference and kernel panic: BUG: KASAN: null-ptr-deref in __udp_enqueue_schedule_skb+0x19d/0x1df0 Read of size 4 at addr 0000000000000008 by task test_progs/537 CPU: 1 UID: 0 PID: 537 Comm: test_progs Not tainted 7.0.0-rc4+ #46 PREEMPT Call Trace: dump_stack_lvl (lib/dump_stack.c:123) print_report (mm/kasan/report.c:487) kasan_report (mm/kasan/report.c:597) __kasan_check_read (mm/kasan/shadow.c:32) __udp_enqueue_schedule_skb (net/ipv4/udp.c:1719) udp_queue_rcv_one_skb (net/ipv4/udp.c:2370 net/ipv4/udp.c:2500) udp_queue_rcv_skb (net/ipv4/udp.c:2532) udp_unicast_rcv_skb (net/ipv4/udp.c:2684) __udp4_lib_rcv (net/ipv4/udp.c:2742) udp_rcv (net/ipv4/udp.c:2937) ip_protocol_deliver_rcu (net/ipv4/ip_input.c:209) ip_local_deliver_finish (./include/linux/rcupdate.h:879 net/ipv4/ip_inpu= t.c:242) ip_local_deliver (net/ipv4/ip_input.c:265) __netif_receive_skb_one_core (net/core/dev.c:6164 (discriminator 4)) __netif_receive_skb (net/core/dev.c:6280) Fix this by checking the IP header's protocol field in bpf_sk_assign_tcp_reqsk() and rejecting non-TCP skbs with -EINVAL. Note that for IPv6, the nexthdr check does not walk extension headers. This is uncommon for TCP SYN packets in practice, and keeping it simple was agreed upon by Kuniyuki Iwashima. Fixes: e472f88891ab ("bpf: tcp: Support arbitrary SYN Cookie.") Reviewed-by: Kuniyuki Iwashima Signed-off-by: Jiayuan Chen --- net/core/filter.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/net/core/filter.c b/net/core/filter.c index 78b548158fb0..f251744025e2 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -12248,11 +12248,23 @@ __bpf_kfunc int bpf_sk_assign_tcp_reqsk(struct __= sk_buff *s, struct sock *sk, =20 switch (skb->protocol) { case htons(ETH_P_IP): + if (!pskb_may_pull(skb, sizeof(struct iphdr))) + return -EINVAL; + + if (ip_hdr(skb)->protocol !=3D IPPROTO_TCP) + return -EINVAL; + ops =3D &tcp_request_sock_ops; min_mss =3D 536; break; #if IS_BUILTIN(CONFIG_IPV6) case htons(ETH_P_IPV6): + if (!pskb_may_pull(skb, sizeof(struct ipv6hdr))) + return -EINVAL; + + if (ipv6_hdr(skb)->nexthdr !=3D IPPROTO_TCP) + return -EINVAL; + ops =3D &tcp6_request_sock_ops; min_mss =3D IPV6_MIN_MTU - 60; break; --=20 2.43.0