Re: [PATCH bpf-next v4 07/16] bpf: Make bpf_skb_adjust_room metadata-safe

[Jakub Sitnicki <jakub@cloudflare.com>]

On Wed, Nov 05, 2025 at 08:42 PM GMT, bot+bpf-ci@kernel.org wrote:
>> diff --git a/net/core/filter.c b/net/core/filter.c
>> index 96714eab9..370ddc61b 100644
>> --- a/net/core/filter.c
>> +++ b/net/core/filter.c
>> @@ -3260,11 +3260,11 @@ static void bpf_skb_change_protocol(struct sk_buff *skb, u16 proto)
>>
>>  static int bpf_skb_generic_push(struct sk_buff *skb, u32 off, u32 len)
>>  {
>> -	/* Caller already did skb_cow() with len as headroom,
>> +	/* Caller already did skb_cow() with meta_len+len as headroom,
>>  	 * so no need to do it here.
>>  	 */
>>  	skb_push(skb, len);
>> -	memmove(skb->data, skb->data + len, off);
>> +	skb_postpush_data_move(skb, len, off);
>>  	memset(skb->data + off, 0, len);
>
> The comment update says callers provide meta_len+len as headroom, but
> is this true for all callers?
>
> bpf_skb_proto_4_to_6() calls skb_cow(skb, len_diff) then calls
> bpf_skb_net_hdr_push()->bpf_skb_generic_push(). Similarly,
> bpf_lwt_seg6_adjust_srh() calls skb_cow_head(skb, len) then calls
> bpf_skb_net_hdr_push()->bpf_skb_generic_push().
>
> Neither accounts for meta_len in their headroom calculation. When
> skb_postpush_data_move()->skb_data_move() runs, if meta_len >
> skb_headroom(skb) after the push, the metadata gets silently cleared
> (see the WARN_ON_ONCE check in skb_data_move() at skbuff.h).
>
> Can the metadata be lost when these functions are called on skbs with
> metadata?

bpf_skb_proto_4_to_6() is handled by the next patch (8/16).

LWT and other encap facilities are out of scope for this series.
bpf_lwt_seg6_adjust_srh() is on my todo list.

[...]