From: Sechang Lim
To: willemdebruijn.kernel@gmail.com, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com
Cc: horms@kernel.org, daniel@iogearbox.net, john.fastabend@gmail.com, jakub@cloudflare.com, aleksander.lobakin@intel.com, netdev@vger.kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH net v2] udp: clear skb->dev before running a sockmap verdict
Date: Wed, 3 Jun 2026 16:21:10 +0000
Message-ID: <20260603162120.694986-1-rhkrqnwk98@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260603122639.615994-1-rhkrqnwk98@gmail.com>
References: <20260603122639.615994-1-rhkrqnwk98@gmail.com>

On the UDP receive path skb->dev is repurposed as dev_scratch (the
truesize/state cache set by udp_set_dev_scratch()), through the
union { struct net_device *dev; unsigned long dev_scratch; } in sk_buff.

When a UDP socket is in a sockmap, sk_data_ready is
sk_psock_verdict_data_ready(), which calls udp_read_skb() -> recv_actor()
(sk_psock_verdict_recv) to run the attached SK_SKB verdict program in softirq.
If that program calls a socket-lookup helper (bpf_sk_lookup_tcp/udp,
bpf_skc_lookup_tcp), bpf_skc_lookup() does:

	if (skb->dev)
		caller_net = dev_net(skb->dev);

skb->dev still holds the dev_scratch value (a non-NULL integer), so dev_net()
dereferences it as a struct net_device * and the kernel takes a general
protection fault on a non-canonical address in softirq:

Oops: general protection fault, probably for non-canonical address 0x1010000800004a0
CPU: 1 UID: 0 PID: 1406 Comm: syz.2.19 Not tainted 7.1.0-rc6 #1 PREEMPT(full)
RIP: 0010:bpf_skc_lookup net/core/filter.c:7033 [inline]
RIP: 0010:bpf_sk_lookup+0x45/0x160 net/core/filter.c:7047
Call Trace:
 bpf_prog_4675cb904b7071f8+0x12e/0x14e
 bpf_prog_run_pin_on_cpu+0xc6/0x1f0
 sk_psock_verdict_recv+0x1ba/0x350
 udp_read_skb+0x31a/0x370
 sk_psock_verdict_data_ready+0x2e3/0x600
 __udp_enqueue_schedule_skb+0x4c8/0x650
 udpv6_queue_rcv_one_skb+0x3ec/0x740
 udp6_unicast_rcv_skb+0x11d/0x140
 ip6_protocol_deliver_rcu+0x61e/0x950
 ip6_input_finish+0xa9/0x150
 NF_HOOK+0x286/0x2f0
 ip6_input+0x117/0x220
 NF_HOOK+0x286/0x2f0
 __netif_receive_skb+0x85/0x200
 process_backlog+0x374/0x9a0
 __napi_poll+0x4f/0x1c0
 net_rx_action+0x3b0/0x770
 handle_softirqs+0x15a/0x460
 do_softirq+0x57/0x80

The rmem charge that dev_scratch accounted for is released by skb_recv_udp()
on dequeue, just above, so the scratch is dead by the time recv_actor() runs.
Clear skb->dev so bpf_skc_lookup() falls back to sock_net(skb->sk), which
skb_set_owner_sk_safe() set just above.

Fixes: 965b57b469a5 ("net: Introduce a new proto_ops ->read_skb()")
Cc: stable@vger.kernel.org
Signed-off-by: Sechang Lim
---
v2:
 - add blank lines around the added code (Olek)
 - use generic block comment style (Olek)
 - Cc: stable

 net/ipv4/udp.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 0ac2bf4f8759..70f6cbd4ef73 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -2011,6 +2011,14 @@ int udp_read_skb(struct sock *sk, skb_read_actor_t r= ecv_actor) } =20 WARN_ON_ONCE(!skb_set_owner_sk_safe(skb, sk)); + + /* + * skb->dev still aliases the UDP rx dev_scratch (its charge was freed + * on dequeue above); a sockmap verdict program may deref it via + * bpf_sk_lookup_*(), so clear it -> bpf_skc_lookup() uses skb->sk + */ + skb->dev =3D NULL; + return recv_actor(sk, skb); } =20 --=20 2.43.0
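Review bot: the fallback this hunk relies on, bpf_skc_lookup() using sock_net(skb->sk) once skb->dev is NULL, only holds if the skb_set_owner_sk_safe(skb, sk) call on the preceding context line succeeded, and that line merely WARN_ON_ONCEs on failure and continues into recv_actor(). If the owner set can fail here (the caller presumably holds a reference on sk, so it likely cannot), the verdict program would now see both skb->dev and skb->sk unusable; either state in the comment that skb->sk is guaranteed set at this point, or bail out before recv_actor() when skb_set_owner_sk_safe() returns false. Also worth noting in the commit message that udp_read_skb() in net/ipv4/udp.c serves the IPv6 path too, since the trace shows udpv6_queue_rcv_one_skb() reaching it while the diff touches only the IPv4 file.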