BPF List
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Sechang Lim" <rhkrqnwk98@gmail.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v3 1/2] bpf, sockmap: disallow update and delete from tc, xdp and flow_dissector
Date: Mon, 29 Jun 2026 17:42:50 +0000	[thread overview]
Message-ID: <20260629174250.F014B1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260629172704.1302218-2-rhkrqnwk98@gmail.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:

Pre-existing issues:
- [High] Incomplete Deadlock Fix / Bypass Vector
--

commit 11c2a6f499580e1830b9a3c86513eb4f154d7710
Author: Sechang Lim <rhkrqnwk98@gmail.com>

bpf, sockmap: disallow update and delete from tc, xdp and flow_dissector

This commit aims to fix a circular locking dependency between
sk_callback_lock and stab->lock by disallowing sockmap updates and deletes
from tc, xdp, and flow_dissector programs.

> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c

[ ... ]

> @@ -8489,11 +8489,7 @@ static bool may_update_sockmap(struct bpf_verifier_env *env, int func_id)
>  			return true;
>  		break;
>  	case BPF_PROG_TYPE_SOCKET_FILTER:
> -	case BPF_PROG_TYPE_SCHED_CLS:
> -	case BPF_PROG_TYPE_SCHED_ACT:
> -	case BPF_PROG_TYPE_XDP:
>  	case BPF_PROG_TYPE_SK_REUSEPORT:
> -	case BPF_PROG_TYPE_FLOW_DISSECTOR:
>  	case BPF_PROG_TYPE_SK_LOOKUP:
>  		return true;

[Severity: High]
This is a pre-existing issue, but does leaving BPF_PROG_TYPE_SOCKET_FILTER
and BPF_PROG_TYPE_SOCK_OPS (located just above this block) allowed to
update/delete sockmaps leave the deadlock unresolved?

The commit message describes a deadlock where sk_callback_lock is held for
read, a TCP ACK goes out egress, and a BPF program modifies the sockmap,
acquiring stab->lock.

Can BPF_PROG_TYPE_SOCK_OPS execute synchronously during this same egress
path and trigger the same issue?

sk_psock_strp_data_ready()  // holds sk_callback_lock
   __tcp_cleanup_rbuf()
      tcp_send_ack()
         __tcp_transmit_skb()
            bpf_skops_write_hdr_opt()  // runs BPF_PROG_TYPE_SOCK_OPS

Similarly, can BPF_PROG_TYPE_SOCKET_FILTER be executed synchronously during
egress when dev_queue_xmit_nit() calls run_filter()?

If either of these programs calls a sockmap map update or delete helper,
wouldn't they acquire stab->lock and recreate the exact same circular
locking dependency?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260629172704.1302218-1-rhkrqnwk98@gmail.com?part=1

  reply	other threads:[~2026-06-29 17:42 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-29 17:26 [PATCH bpf-next v3 0/2] bpf, sockmap: disallow sockmap mutation from tc, xdp and flow_dissector Sechang Lim
2026-06-29 17:27 ` [PATCH bpf-next v3 1/2] bpf, sockmap: disallow update and delete " Sechang Lim
2026-06-29 17:42   ` sashiko-bot [this message]
2026-06-29 18:06   ` bot+bpf-ci
2026-06-29 18:24   ` Alexei Starovoitov
2026-06-30  5:47     ` John Fastabend
2026-06-30  7:14       ` Sechang Lim
2026-06-29 17:27 ` [PATCH bpf-next v3 2/2] selftests/bpf: drop tc/xdp/flow_dissector sockmap mutation tests Sechang Lim
2026-06-29 17:48   ` sashiko-bot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260629174250.F014B1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=rhkrqnwk98@gmail.com \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox