From: Werner Kasselman <werner@verivus.ai>
To: "bpf@vger.kernel.org" <bpf@vger.kernel.org>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>
Cc: Werner Kasselman <werner@verivus.ai>
Subject: [PATCH bpf v4 0/2] bpf: guard sock_ops rtt_min against non-locked tcp_sock
Date: Mon, 20 Apr 2026 22:16:24 +0000 [thread overview]
Message-ID: <20260420221621.1441707-1-werner@verivus.com> (raw)
In-Reply-To: <20260417023119.3830723-1-werner@verivus.com>
sock_ops ctx rewriting guards the direct tcp_sock field loads with
is_locked_tcp_sock, but rtt_min still used a raw load sequence. On
request_sock-backed sock_ops callbacks, that can read past the end of a
tcp_request_sock allocation.
This series switches rtt_min over to the shared guarded tcp_sock field
load helper and adds a tcpbpf runtime test that exercises the
same-register request_sock path.
v3 -> v4:
- reuse a shared guarded tcp_sock field load helper for rtt_min
- preserve the dst_reg == src_reg failure path that zeros the destination
register when the guard fails
- replace the weaker ctx_rewrite test with a runtime tcpbpf selftest that
exercises same-register request_sock access
Werner Kasselman (2):
bpf: guard sock_ops rtt_min against non-locked tcp_sock
selftests/bpf: cover same-reg sock_ops rtt_min request_sock access
net/core/filter.c | 39 ++++++++++---------
.../selftests/bpf/prog_tests/tcpbpf_user.c | 4 ++
.../selftests/bpf/progs/test_tcpbpf_kern.c | 14 +++++++
tools/testing/selftests/bpf/test_tcpbpf.h | 2 +
4 files changed, 40 insertions(+), 19 deletions(-)
--
2.43.0
next prev parent reply other threads:[~2026-04-20 22:16 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-17 2:31 [PATCH bpf v3 0/2] bpf: fix sock_ops rtt_min OOB read Werner Kasselman
2026-04-17 2:31 ` [PATCH 1/2] bpf: extract SOCK_OPS_LOAD_TCP_SOCK_FIELD from SOCK_OPS_GET_FIELD Werner Kasselman
2026-04-17 2:31 ` [PATCH 2/2] bpf: guard sock_ops rtt_min against non-locked tcp_sock Werner Kasselman
2026-04-20 20:43 ` Martin KaFai Lau
2026-04-20 22:16 ` Werner Kasselman [this message]
2026-04-20 22:16 ` [PATCH bpf v4 1/2] " Werner Kasselman
2026-04-20 22:16 ` [PATCH bpf v4 2/2] selftests/bpf: cover same-reg sock_ops rtt_min request_sock access Werner Kasselman
2026-04-20 23:00 ` [PATCH bpf v5 0/2] bpf: guard sock_ops rtt_min against non-locked tcp_sock Werner Kasselman
2026-04-20 23:00 ` [PATCH bpf v5 1/2] " Werner Kasselman
2026-04-22 21:03 ` Martin KaFai Lau
2026-04-20 23:00 ` [PATCH bpf v5 2/2] selftests/bpf: cover same-reg sock_ops rtt_min request_sock access Werner Kasselman
2026-04-22 21:11 ` Martin KaFai Lau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260420221621.1441707-1-werner@verivus.com \
--to=werner@verivus.ai \
--cc=bpf@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.