From: Martin KaFai Lau <martin.lau@linux.dev>
To: Sun Jian <sun.jian.kdev@gmail.com>
Cc: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org,
	eddyz87@gmail.com, song@kernel.org, yonghong.song@linux.dev,
	john.fastabend@gmail.com, kpsingh@kernel.org, sdf@fomichev.me,
	haoluo@google.com, jolsa@kernel.org, davem@davemloft.net,
	edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
	horms@kernel.org, shuah@kernel.org,
	syzbot+619b9ef527f510a57cfc@syzkaller.appspotmail.com,
	bpf@vger.kernel.org, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org
Subject: Re: [PATCH bpf-next v3] bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb
Date: Mon, 6 Apr 2026 11:58:06 -0700
Message-ID: <202646183934.lJx5.martin.lau@linux.dev>
In-Reply-To: <20260402160147.215499-1-sun.jian.kdev@gmail.com>

On Fri, Apr 03, 2026 at 12:01:47AM +0800, Sun Jian wrote:
> diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
> index 178c4738e63b..300e2bfc5a62 100644
> --- a/net/bpf/test_run.c
> +++ b/net/bpf/test_run.c
> @@ -1120,19 +1120,23 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
>  
>  	switch (skb->protocol) {
>  	case htons(ETH_P_IP):
> -		sk->sk_family = AF_INET;
> -		if (sizeof(struct iphdr) <= skb_headlen(skb)) {
> -			sk->sk_rcv_saddr = ip_hdr(skb)->saddr;
> -			sk->sk_daddr = ip_hdr(skb)->daddr;
> +		if (skb_headlen(skb) < sizeof(struct iphdr)) {
> +			ret = -EINVAL;
> +			goto out;
>  		}
> +		sk->sk_family = AF_INET;
> +		sk->sk_rcv_saddr = ip_hdr(skb)->saddr;
> +		sk->sk_daddr = ip_hdr(skb)->daddr;
>  		break;
>  #if IS_ENABLED(CONFIG_IPV6)
>  	case htons(ETH_P_IPV6):
> -		sk->sk_family = AF_INET6;
> -		if (sizeof(struct ipv6hdr) <= skb_headlen(skb)) {
> -			sk->sk_v6_rcv_saddr = ipv6_hdr(skb)->saddr;
> -			sk->sk_v6_daddr = ipv6_hdr(skb)->daddr;
> +		if (skb_headlen(skb) < sizeof(struct ipv6hdr)) {
> +			ret = -EINVAL;
> +			goto out;
>  		}
> +		sk->sk_family = AF_INET6;
> +		sk->sk_v6_rcv_saddr = ipv6_hdr(skb)->saddr;
> +		sk->sk_v6_daddr = ipv6_hdr(skb)->daddr;
>  		break;
>  #endif
>  	default:
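Review bot: the `ret = -EINVAL; goto out;` exits added in both the ETH_P_IP and ETH_P_IPV6 arms jump to an `out` label and use a `ret` variable that are outside the quoted context, so it is worth confirming in the full function that this `out` path releases the skb (and any sk allocated before the switch) the same way the existing error exits do. The hunk is also a user-visible behaviour change for BPF_PROG_TEST_RUN: the removed code set sk_family and simply left sk_rcv_saddr/sk_daddr (and the v6 equivalents) unpopulated when skb_headlen() was shorter than the header, whereas the new code fails the whole run with -EINVAL; the commit message should state that this is intended so that existing test inputs that relied on the old behaviour are a known breakage rather than a surprise.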
> diff --git a/tools/testing/selftests/bpf/prog_tests/empty_skb.c b/tools/testing/selftests/bpf/prog_tests/empty_skb.c
> index 438583e1f2d1..d53567e9cd77 100644
> --- a/tools/testing/selftests/bpf/prog_tests/empty_skb.c
> +++ b/tools/testing/selftests/bpf/prog_tests/empty_skb.c
> @@ -12,6 +12,8 @@ void test_empty_skb(void)
>  	struct bpf_program *prog;
>  	char eth_hlen_pp[15];
>  	char eth_hlen[14];
> +	char ipv4_eth_hlen[14];
> +	char ipv6_eth_hlen[14];
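Review bot: `ipv4_eth_hlen[14]` and `ipv6_eth_hlen[14]` hard-code 14 next to the existing `eth_hlen[14]` and `eth_hlen_pp[15]`; use `sizeof(struct ethhdr)` or ETH_HLEN for the size, and note that as plain `char` arrays with no initializer every byte not explicitly written before the frame is handed to the test-run call is indeterminate stack contents, so the test's input depends on whatever the stack happened to hold. Declaring a single `struct ethhdr`, zero-initializing it (or memset) and setting `h_proto` per case removes both the magic number and the indeterminate bytes, and avoids three near-identical 14-byte buffers.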

The eth_hlen_pp and eth_hlen need to be memset to zero now.

Instead of adding two more ethhdrs, just reuse the current eth_hlen and
define it as 'struct ethhdr eth_hlen;' instead of a char array.
Add 'h_proto' to the anonymous 'struct { } tests[]'.  Initialize
the eth_hlen.h_proto based on the tests[i].h_proto.

Also, this test does not actually reproduce the reading of uninit memory.
It needs a bpf prog to actually trigger it by calling bpf_skb_adjust_room()
based on the report in the "Closes" link. The test should be able
to trigger it without the change in test_run.c.

The ai-review has flagged again that it is missing a "Fixes" tag. This
probably started since the bpf_skb_adjust_room helper was introduced.

The selftests should also be in a separate patch 2 following the patch 1
changes in test_run.c.

pw-bot: cr
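The length check the quoted test_run.c hunk adds, and the per-protocol table layout Martin suggests for the selftest (one reusable `struct ethhdr`, `h_proto` as a column of `tests[]`), modelled in user space as an added example. This is not code from the patch, the kernel tree or the BPF selftests: it assumes the Linux uapi headers are installed, and `struct sk_model`, `model_test_run_check()`, `build_frame()`, `model_case()`, `run_all_tests()`, the `tests[]` rows and the 10.0.0.x addresses are all constructed for illustration. The kernel's `default:` arm and the skb/socket plumbing around the switch are not modelled; a non-IP frame is simply accepted.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>      /* AF_INET, AF_INET6 */
#include <netinet/in.h>      /* htons(), htonl(); keep before the uapi headers */
#include <linux/if_ether.h>  /* struct ethhdr, ETH_HLEN, ETH_P_* */
#include <linux/ip.h>        /* struct iphdr */
#include <linux/ipv6.h>      /* struct ipv6hdr */

struct sk_model {           /* hypothetical stand-in for the sk fields the hunk writes */
	int family;             /* AF_INET / AF_INET6, 0 when never set */
	uint32_t saddr, daddr;  /* IPv4 addresses, network byte order */
};

/* User-space model of the post-patch switch: bytes after the Ethernet header
 * stand in for skb_headlen(); -EINVAL for a truncated L3 header, else 0.
 * The 'default:' arm is outside the hunk; non-IP is modelled as accepted. */
static int model_test_run_check(const uint8_t *frame, size_t frame_len,
				struct sk_model *sk)
{
	const struct ethhdr *eth = (const struct ethhdr *)frame;
	memset(sk, 0, sizeof(*sk));
	if (frame_len < ETH_HLEN)
		return -EINVAL;  /* model-only guard: no complete Ethernet header */
	if (eth->h_proto == htons(ETH_P_IP)) {
		const struct iphdr *iph = (const struct iphdr *)(frame + ETH_HLEN);
		/* Same order as the patch: reject first, touch sk afterwards. */
		if (frame_len - ETH_HLEN < sizeof(struct iphdr))
			return -EINVAL;
		sk->family = AF_INET;
		memcpy(&sk->saddr, &iph->saddr, sizeof(sk->saddr));
		memcpy(&sk->daddr, &iph->daddr, sizeof(sk->daddr));
	} else if (eth->h_proto == htons(ETH_P_IPV6)) {
		if (frame_len - ETH_HLEN < sizeof(struct ipv6hdr))
			return -EINVAL;
		sk->family = AF_INET6;  /* v6 address copy omitted to keep the model short */
	}
	return 0;
}

/* Constructed sample input (not a captured packet): a zero-filled frame from
 * one reusable 'struct ethhdr' with h_proto set per case, plus payload_len
 * bytes; a full IPv4 header carries constructed 10.0.0.1 -> 10.0.0.2. */
static size_t build_frame(uint8_t *buf, size_t cap, uint16_t h_proto,
			  size_t payload_len)
{
	struct ethhdr eth_hlen = { .h_proto = htons(h_proto) };  /* rest zeroed */
	if (ETH_HLEN + payload_len > cap)
		return 0;
	memset(buf, 0, cap);  /* the memset the review asks for */
	memcpy(buf, &eth_hlen, ETH_HLEN);
	if (h_proto == ETH_P_IP && payload_len >= sizeof(struct iphdr)) {
		struct iphdr iph = { .version = 4, .ihl = 5,
				     .saddr = htonl(0x0a000001), .daddr = htonl(0x0a000002) };
		memcpy(buf + ETH_HLEN, &iph, sizeof(iph));
	}
	return ETH_HLEN + payload_len;
}

/* Table shape Martin asks for: h_proto is a column, not a second buffer. */
static const struct {
	const char *name;
	uint16_t h_proto;    /* host order; build_frame() applies htons() */
	size_t payload_len;  /* bytes after the Ethernet header */
	int expected;
} tests[] = {
	{ "ipv4, empty",          ETH_P_IP,   0,                          -EINVAL },
	{ "ipv4, one byte short", ETH_P_IP,   sizeof(struct iphdr) - 1,   -EINVAL },
	{ "ipv4, full header",    ETH_P_IP,   sizeof(struct iphdr),       0 },
	{ "ipv6, one byte short", ETH_P_IPV6, sizeof(struct ipv6hdr) - 1, -EINVAL },
	{ "ipv6, full header",    ETH_P_IPV6, sizeof(struct ipv6hdr),     0 },
	{ "arp, empty",           ETH_P_ARP,  0,                          0 },
};

static struct sk_model last_sk;  /* sk state left behind by the latest model_case() */

/* Builds one frame for a case and runs the model on it. */
static int model_case(uint16_t h_proto, size_t payload_len)
{
	uint8_t frame[128];
	size_t len = build_frame(frame, sizeof(frame), h_proto, payload_len);
	return model_test_run_check(frame, len, &last_sk);
}

/* Runs every table row; returns how many rows gave an unexpected result. */
static int run_all_tests(void)
{
	int failures = 0;
	for (size_t i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
		int ret = model_case(tests[i].h_proto, tests[i].payload_len);
		if (ret != tests[i].expected) {
			printf("FAIL %s: got %d, want %d\n", tests[i].name, ret, tests[i].expected);
			failures++;
		}
	}
	return failures;
}

int main(void) { return run_all_tests() ? 1 : 0; }
```

Build with `gcc -Wall model.c -o model` and run it; the exit status is non-zero if any row disagrees with the model. The "one byte short" rows are exactly the inputs the patch turns from "run the program with the socket addresses left unpopulated" into a `-EINVAL` from the test-run call, and because the builder zero-fills the whole buffer before writing the header, no byte of the input depends on stack contents.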

Thread overview:
2026-04-02 16:01 [PATCH bpf-next v3] bpf: reject short IPv4/IPv6 inputs in bpf_prog_test_run_skb Sun Jian
2026-04-03  5:15 ` bot+bpf-ci
2026-04-06 18:58 ` Martin KaFai Lau [this message]
2026-04-07  1:34   ` sun jian