On 2026-06-19 7:44 p.m., Sechang Lim wrote:
A BPF_PROG_TYPE_SK_SKB stream parser runs on strparser's message head,
which can chain skbs through frag_list. A parser that resizes the skb
frees the frag_list segments that strparser still tracks through
skb_nextp, leading to a use-after-free.

A stream parser is only meant to measure the next message, not to modify
the packet, so reject a packet-modifying parser at attach time.

v5:
  - target bpf-next instead of bpf
  - add Reviewed-by tag (Jiayuan Chen)

v4:
  - https://lore.kernel.org/all/[email protected]/

v3:
  - https://lore.kernel.org/all/[email protected]/

v2:
  - https://lore.kernel.org/all/[email protected]/

v1:
  - https://lore.kernel.org/all/[email protected]/

Sechang Lim (3):
   selftests/bpf: don't modify the skb in the strparser parser prog
   bpf, sockmap: reject a packet-modifying SK_SKB stream parser
   selftests/bpf: test rejection of a packet-modifying SK_SKB stream
     parser


Hi Sechang, all,

This series broke test_maps (test_sockmap subtest) on the bpf
tree. Currently on BPF CI the test fails on bpf, but passes on
bpf-next (it doesn't have the series yet).

test_maps fails with:

    + taskset 0xF ./test_maps
    [    8.352378] clocksource: Watchdog remote CPU 2 read timed out
    Failed sockmap unexpected timeout

See test_maps.c:995 in test_sockmap(): the 30s select() times out and
test_maps exits 1. Note there is no "Failed stream parser bpf prog
attach" message, the parser attaches fine.

The series was merged into bpf on 2026-06-26 00:42 UTC.

CI runs:
last good (pre-merge, 06-25): https://github.com/kernel-patches/bpf/actions/runs/28158326456
first bad (post-merge, 06-26): https://github.com/kernel-patches/bpf/actions/runs/28210181858
recent bad (06-30): https://github.com/kernel-patches/bpf/actions/runs/28475936023

Confirmed locally reverting the 3 commits and rebuilding makes
test_sockmap pass again.

Could you please help investigate?

Thanks!



  net/core/sock_map.c                           | 20 ++++++++++++
  .../selftests/bpf/prog_tests/sockmap_strp.c   | 31 +++++++++++++++++++
  .../selftests/bpf/progs/sockmap_parse_prog.c  | 22 -------------
  .../selftests/bpf/progs/test_sockmap_strp.c   |  7 +++++
  4 files changed, 58 insertions(+), 22 deletions(-)


