From: Jakub Sitnicki <jakub@cloudflare.com>
To: Kuniyuki Iwashima <kuniyu@google.com>
Cc: John Fastabend <john.fastabend@gmail.com>,
Willem de Bruijn <willemdebruijn.kernel@gmail.com>,
Kuniyuki Iwashima <kuni1840@gmail.com>,
bpf@vger.kernel.org, netdev@vger.kernel.org,
syzbot+113cea56c13a8a1e95ab@syzkaller.appspotmail.com
Subject: Re: [PATCH v4 bpf/net 1/6] sockmap: Annotate sk->sk_data_ready() for UDP.
Date: Thu, 05 Mar 2026 12:05:23 +0100
Message-ID: <87a4wmo7t8.fsf@cloudflare.com>
In-Reply-To: <20260221233234.3814768-2-kuniyu@google.com> (Kuniyuki Iwashima's message of "Sat, 21 Feb 2026 23:30:48 +0000")

On Sat, Feb 21, 2026 at 11:30 PM GMT, Kuniyuki Iwashima wrote:
> syzbot reported data race of sk->sk_data_ready(). [0]
>
> UDP fast path does not hold bh_lock_sock(), instead
> spin_lock_bh(&sk->sk_receive_queue.lock) is used.
>
> Let's use WRITE_ONCE() and READ_ONCE() for sk->sk_data_ready().
>
> Another option is to hold sk->sk_receive_queue.lock in
> sock_map_sk_acquire() if sk_is_udp() is true, but this is
> overkill and also does not work for sk->sk_write_space().
>
> [0]:
> BUG: KCSAN: data-race in __udp_enqueue_schedule_skb / sk_psock_drop
>
> write to 0xffff88811d063048 of 8 bytes by task 23114 on cpu 0:
> sk_psock_stop_verdict net/core/skmsg.c:1287 [inline]
> sk_psock_drop+0x12f/0x270 net/core/skmsg.c:873
> sk_psock_put include/linux/skmsg.h:473 [inline]
> sock_map_unref+0x2a5/0x300 net/core/sock_map.c:185
> __sock_map_delete net/core/sock_map.c:426 [inline]
> sock_map_delete_from_link net/core/sock_map.c:439 [inline]
> sock_map_unlink net/core/sock_map.c:1608 [inline]
> sock_map_remove_links+0x228/0x340 net/core/sock_map.c:1623
> sock_map_close+0xa1/0x340 net/core/sock_map.c:1684
> inet_release+0xcd/0xf0 net/ipv4/af_inet.c:437
> __sock_release net/socket.c:662 [inline]
> sock_close+0x6b/0x150 net/socket.c:1455
> __fput+0x29b/0x650 fs/file_table.c:468
> ____fput+0x1c/0x30 fs/file_table.c:496
> task_work_run+0x130/0x1a0 kernel/task_work.c:233
> resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
> __exit_to_user_mode_loop kernel/entry/common.c:44 [inline]
> exit_to_user_mode_loop+0x1f7/0x6f0 kernel/entry/common.c:75
> __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
> syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
> syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline]
> syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline]
> do_syscall_64+0x1d3/0x2a0 arch/x86/entry/syscall_64.c:100
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> read to 0xffff88811d063048 of 8 bytes by task 23117 on cpu 1:
> __udp_enqueue_schedule_skb+0x6c1/0x840 net/ipv4/udp.c:1789
> __udp_queue_rcv_skb net/ipv4/udp.c:2346 [inline]
> udp_queue_rcv_one_skb+0x709/0xc20 net/ipv4/udp.c:2475
> udp_queue_rcv_skb+0x20e/0x2b0 net/ipv4/udp.c:2493
> __udp4_lib_mcast_deliver+0x6e8/0x790 net/ipv4/udp.c:2585
> __udp4_lib_rcv+0x96f/0x1260 net/ipv4/udp.c:2724
> udp_rcv+0x4f/0x60 net/ipv4/udp.c:2911
> ip_protocol_deliver_rcu+0x3f9/0x780 net/ipv4/ip_input.c:207
> ip_local_deliver_finish+0x1fc/0x2f0 net/ipv4/ip_input.c:241
> NF_HOOK include/linux/netfilter.h:318 [inline]
> ip_local_deliver+0xe8/0x1e0 net/ipv4/ip_input.c:262
> dst_input include/net/dst.h:474 [inline]
> ip_sublist_rcv_finish net/ipv4/ip_input.c:584 [inline]
> ip_list_rcv_finish net/ipv4/ip_input.c:628 [inline]
> ip_sublist_rcv+0x42b/0x6d0 net/ipv4/ip_input.c:644
> ip_list_rcv+0x261/0x290 net/ipv4/ip_input.c:678
> __netif_receive_skb_list_ptype net/core/dev.c:6195 [inline]
> __netif_receive_skb_list_core+0x4dc/0x500 net/core/dev.c:6242
> __netif_receive_skb_list net/core/dev.c:6294 [inline]
> netif_receive_skb_list_internal+0x47d/0x5f0 net/core/dev.c:6385
> netif_receive_skb_list+0x31/0x1f0 net/core/dev.c:6437
> xdp_recv_frames net/bpf/test_run.c:269 [inline]
> xdp_test_run_batch net/bpf/test_run.c:350 [inline]
> bpf_test_run_xdp_live+0x104c/0x1360 net/bpf/test_run.c:379
> bpf_prog_test_run_xdp+0x57b/0xa10 net/bpf/test_run.c:1396
> bpf_prog_test_run+0x204/0x340 kernel/bpf/syscall.c:4703
> __sys_bpf+0x4c0/0x7b0 kernel/bpf/syscall.c:6182
> __do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
> __se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
> __x64_sys_bpf+0x41/0x50 kernel/bpf/syscall.c:6272
> x64_sys_call+0x28e1/0x3000 arch/x86/include/generated/asm/syscalls_64.h:322
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0xc0/0x2a0 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> value changed: 0xffffffff847b24d0 -> 0xffffffff84673410
>
> Reported by Kernel Concurrency Sanitizer on:
> CPU: 1 UID: 0 PID: 23117 Comm: syz.8.5085 Tainted: G W syzkaller #0 PREEMPT(voluntary)
> Tainted: [W]=WARN
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
>
> Fixes: 7b98cd42b049 ("bpf: sockmap: Add UDP support")
> Reported-by: syzbot+113cea56c13a8a1e95ab@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/netdev/69922ac9.a70a0220.2c38d7.00e1.GAE@google.com/
> Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
> ---

Sorry for the delay. Got caught up in skb metadata stuff...

Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
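
A userspace model of the race described in the quoted commit message, added here as an illustration and not taken from the patch or the kernel tree: the receive path and the teardown path hold different locks, so only the READ_ONCE()/WRITE_ONCE() pair governs access to the callback pointer. The macro bodies are the simplified volatile-cast form, and `rx_path`, `psock_stop_verdict`, `run_demo`, `N_PACKETS` and the pthread mutexes are assumptions standing in for the kernel code.

```c
/* Added userspace model; names echo the commit message, bodies are illustrative. */
#include <pthread.h>
/* Simplified kernel macros: one access the compiler may not tear or repeat. */
#define READ_ONCE(x)     (*(volatile __typeof__(x) *)&(x))
#define WRITE_ONCE(x, v) (*(volatile __typeof__(x) *)&(x) = (v))
#define N_PACKETS 200000L

struct sock {
	pthread_mutex_t rcvq_lock;	/* stands in for sk_receive_queue.lock */
	pthread_mutex_t sock_lock;	/* stands in for the lock the sockmap side holds */
	void (*sk_data_ready)(struct sock *sk);
	long queued, calls;
};

static void default_data_ready(struct sock *sk) { sk->calls++; }
static void verdict_data_ready(struct sock *sk) { sk->calls++; }
/* Receive fast path: takes only the queue lock, never sock_lock. */
static void *rx_path(void *arg)
{
	struct sock *sk = arg;
	for (long i = 0; i < N_PACKETS; i++) {
		pthread_mutex_lock(&sk->rcvq_lock);
		sk->queued++;
		pthread_mutex_unlock(&sk->rcvq_lock);
		READ_ONCE(sk->sk_data_ready)(sk);	/* one load, then call that value */
	}
	return NULL;
}

/* Teardown path: holds sock_lock, which does not exclude rx_path(). */
static void psock_stop_verdict(struct sock *sk)
{
	pthread_mutex_lock(&sk->sock_lock);
	WRITE_ONCE(sk->sk_data_ready, default_data_ready);
	pthread_mutex_unlock(&sk->sock_lock);
}

/* Returns callbacks invoked: N_PACKETS whichever side wins the race. */
long run_demo(void)
{
	struct sock sk = { PTHREAD_MUTEX_INITIALIZER, PTHREAD_MUTEX_INITIALIZER,
			   verdict_data_ready, 0, 0 };
	pthread_t t;
	pthread_create(&t, NULL, rx_path, &sk);
	psock_stop_verdict(&sk);	/* races with rx_path() by design */
	pthread_join(t, NULL);
	return sk.queued == sk.calls ? sk.calls : -1;
}

int main(void) { return run_demo() == N_PACKETS ? 0 : 1; }
```

Build with `cc -pthread`; the teardown may land before, during or after the receive loop, and every packet still invokes exactly one of the two callbacks.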