From: Jakub Sitnicki
To: Kuniyuki Iwashima
Cc: John Fastabend, Willem de Bruijn, Kuniyuki Iwashima, bpf@vger.kernel.org, netdev@vger.kernel.org, syzbot+9307c991a6d07ce6e6d8@syzkaller.appspotmail.com
Subject: Re: [PATCH v4 bpf/net 3/6] sockmap: Fix use-after-free in udp_bpf_recvmsg().
In-Reply-To: <20260221233234.3814768-4-kuniyu@google.com> (Kuniyuki Iwashima's message of "Sat, 21 Feb 2026 23:30:50 +0000")
References: <20260221233234.3814768-1-kuniyu@google.com> <20260221233234.3814768-4-kuniyu@google.com>
Date: Thu, 05 Mar 2026 12:39:20 +0100
Message-ID: <875x7ao68n.fsf@cloudflare.com>
X-Mailing-List: bpf@vger.kernel.org

On Sat, Feb 21, 2026 at 11:30 PM GMT, Kuniyuki Iwashima wrote:
> syzbot reported use-after-free of struct sk_msg in sk_msg_recvmsg(). [0]
>
> sk_msg_recvmsg() peeks sk_msg from psock->ingress_msg under a lock,
> but its processing is lockless.
>
> Thus, sk_msg_recvmsg() must be serialised by callers, otherwise
> multiple threads could touch the same sk_msg.
>
> For example, TCP uses lock_sock(), and AF_UNIX uses unix_sk(sk)->iolock.
>
> Initially, udp_bpf_recvmsg() had used lock_sock(), but the cited
> commit accidentally removed it.

FWIW, it doesn't sound like commit 9f2470fbc4cb ("skmsg: Improve
udp_bpf_recvmsg() accuracy") removed it by accident.
The commit message calls it out explicitly:

  Also, UDP does not lock the sock during BH Rx path, it makes no
  sense for its ->recvmsg() to lock the sock. It is always possible
  for ->recvmsg() to be called before packets actually arrive in the
  receive queue, we just use best effort to make it accurate here.

Looks like we just didn't understand the consequences at that time.

> Let's serialise sk_msg_recvmsg() with lock_sock() in udp_bpf_recvmsg().
>
> Note that holding spin_lock_bh(&sk->sk_receive_queue.lock) is not
> an option due to copy_page_to_iter() in sk_msg_recvmsg().
>
> [0]:
> BUG: KASAN: slab-use-after-free in sk_msg_recvmsg+0xb54/0xc30 net/core/skmsg.c:428
> Read of size 4 at addr ffff88814cdcf000 by task syz.0.24/6020
>
> CPU: 1 UID: 0 PID: 6020 Comm: syz.0.24 Not tainted syzkaller #0 PREEMPT(full)
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026
> Call Trace:
>
> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
> print_address_description mm/kasan/report.c:378 [inline]
> print_report+0xba/0x230 mm/kasan/report.c:482
> kasan_report+0x117/0x150 mm/kasan/report.c:595
> sk_msg_recvmsg+0xb54/0xc30 net/core/skmsg.c:428
> udp_bpf_recvmsg+0x4bd/0xe00 net/ipv4/udp_bpf.c:84
> inet_recvmsg+0x260/0x270 net/ipv4/af_inet.c:891
> sock_recvmsg_nosec net/socket.c:1078 [inline]
> sock_recvmsg+0x1a8/0x270 net/socket.c:1100
> ____sys_recvmsg+0x1e6/0x4a0 net/socket.c:2812
> ___sys_recvmsg+0x215/0x590 net/socket.c:2854
> do_recvmmsg+0x334/0x800 net/socket.c:2949
> __sys_recvmmsg net/socket.c:3023 [inline]
> __do_sys_recvmmsg net/socket.c:3046 [inline]
> __se_sys_recvmmsg net/socket.c:3039 [inline]
> __x64_sys_recvmmsg+0x198/0x250 net/socket.c:3039
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7fb319f9aeb9
> Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007fb31ad97028 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
> RAX: ffffffffffffffda RBX: 00007fb31a216090 RCX: 00007fb319f9aeb9
> RDX: 0000000000000001 RSI: 0000200000000400 RDI: 0000000000000004
> RBP: 00007fb31a008c1f R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000040000021 R11: 0000000000000246 R12: 0000000000000000
> R13: 00007fb31a216128 R14: 00007fb31a216090 R15: 00007ffe21dd0a98
>
>
> Allocated by task 6019:
> kasan_save_stack mm/kasan/common.c:57 [inline]
> kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
> poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
> __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
> kasan_kmalloc include/linux/kasan.h:263 [inline]
> __kmalloc_cache_noprof+0x3d1/0x6e0 mm/slub.c:5780
> kmalloc_noprof include/linux/slab.h:957 [inline]
> kzalloc_noprof include/linux/slab.h:1094 [inline]
> alloc_sk_msg net/core/skmsg.c:510 [inline]
> sk_psock_skb_ingress_self+0x60/0x350 net/core/skmsg.c:612
> sk_psock_verdict_apply net/core/skmsg.c:1038 [inline]
> sk_psock_verdict_recv+0x7d9/0x8d0 net/core/skmsg.c:1236
> udp_read_skb+0x73e/0x7e0 net/ipv4/udp.c:2045
> sk_psock_verdict_data_ready+0x12d/0x550 net/core/skmsg.c:1257
> __udp_enqueue_schedule_skb+0xc54/0x10b0 net/ipv4/udp.c:1789
> __udp_queue_rcv_skb net/ipv4/udp.c:2346 [inline]
> udp_queue_rcv_one_skb+0xac5/0x19c0 net/ipv4/udp.c:2475
> __udp4_lib_mcast_deliver+0xc06/0xcf0 net/ipv4/udp.c:2585
> __udp4_lib_rcv+0x10f6/0x2620 net/ipv4/udp.c:2724
> ip_protocol_deliver_rcu+0x282/0x440 net/ipv4/ip_input.c:207
> ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:241
> NF_HOOK+0x336/0x3c0 include/linux/netfilter.h:318
> dst_input include/net/dst.h:474 [inline]
> ip_sublist_rcv_finish+0x221/0x2a0 net/ipv4/ip_input.c:584
> ip_list_rcv_finish net/ipv4/ip_input.c:628 [inline]
> ip_sublist_rcv+0x5c6/0xa70 net/ipv4/ip_input.c:644
> ip_list_rcv+0x3f1/0x450 net/ipv4/ip_input.c:678
> __netif_receive_skb_list_ptype net/core/dev.c:6195 [inline]
> __netif_receive_skb_list_core+0x7e5/0x810 net/core/dev.c:6242
> __netif_receive_skb_list net/core/dev.c:6294 [inline]
> netif_receive_skb_list_internal+0x995/0xcf0 net/core/dev.c:6385
> netif_receive_skb_list+0x54/0x410 net/core/dev.c:6437
> xdp_recv_frames net/bpf/test_run.c:269 [inline]
> xdp_test_run_batch net/bpf/test_run.c:350 [inline]
> bpf_test_run_xdp_live+0x1946/0x1cf0 net/bpf/test_run.c:379
> bpf_prog_test_run_xdp+0x81c/0x1160 net/bpf/test_run.c:1396
> bpf_prog_test_run+0x2c7/0x340 kernel/bpf/syscall.c:4703
> __sys_bpf+0x5cb/0x920 kernel/bpf/syscall.c:6182
> __do_sys_bpf kernel/bpf/syscall.c:6274 [inline]
> __se_sys_bpf kernel/bpf/syscall.c:6272 [inline]
> __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:6272
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> Freed by task 6021:
> kasan_save_stack mm/kasan/common.c:57 [inline]
> kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
> kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
> poison_slab_object mm/kasan/common.c:253 [inline]
> __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
> kasan_slab_free include/linux/kasan.h:235 [inline]
> slab_free_hook mm/slub.c:2540 [inline]
> slab_free mm/slub.c:6674 [inline]
> kfree+0x1be/0x650 mm/slub.c:6882
> kfree_sk_msg include/linux/skmsg.h:385 [inline]
> sk_msg_recvmsg+0xaa8/0xc30 net/core/skmsg.c:483
> udp_bpf_recvmsg+0x4bd/0xe00 net/ipv4/udp_bpf.c:84
> inet_recvmsg+0x260/0x270 net/ipv4/af_inet.c:891
> sock_recvmsg_nosec net/socket.c:1078 [inline]
> sock_recvmsg+0x1a8/0x270 net/socket.c:1100
> ____sys_recvmsg+0x1e6/0x4a0 net/socket.c:2812
> ___sys_recvmsg+0x215/0x590 net/socket.c:2854
> do_recvmmsg+0x334/0x800 net/socket.c:2949
> __sys_recvmmsg net/socket.c:3023 [inline]
> __do_sys_recvmmsg net/socket.c:3046 [inline]
> __se_sys_recvmmsg net/socket.c:3039 [inline]
> __x64_sys_recvmmsg+0x198/0x250 net/socket.c:3039
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> Fixes: 9f2470fbc4cb ("skmsg: Improve udp_bpf_recvmsg() accuracy")
> Reported-by: syzbot+9307c991a6d07ce6e6d8@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/netdev/69922ac9.a70a0220.2c38d7.00e0.GAE@google.com/
> Signed-off-by: Kuniyuki Iwashima
> ---

Reviewed-by: Jakub Sitnicki
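The race the commit message describes, as a stand-alone user-space model added here (not kernel code and not part of the patch): a reader peeks the queue head under a narrow "ingress" lock, processes the message with no lock held because that step may sleep, then re-takes the lock to unlink and free it, so two unserialised readers can both peek the same message. The pool, head index, poison magic and run_readers() are constructions of this example; the outer mutex stands in for lock_sock(), and "freeing" only poisons the slot so the demo itself stays memory-safe.

```c
/* Added example, not kernel code: a user-space model of the sk_msg_recvmsg() race.
 * A reader peeks the queue head under ingress_lock, copies it out with no lock held
 * (copy_page_to_iter() may sleep), then re-takes the lock to unlink and "free" it. */
#include <pthread.h>
#include <stdio.h>
enum { NMSG = 64, DEAD = 0xDEAD };
static struct msg { int magic, len; } pool[NMSG];   /* "free" only poisons magic */
static int head, uaf_hits;           /* next unread message; post-free touches */
static int serialise;                /* hold sock_lock across the whole read  */
static pthread_mutex_t ingress_lock = PTHREAD_MUTEX_INITIALIZER; /* spinlock  */
static pthread_mutex_t sock_lock = PTHREAD_MUTEX_INITIALIZER;    /* lock_sock */
static void *reader(void *arg)
{
    for (int *copied = arg;;) {
        if (serialise) pthread_mutex_lock(&sock_lock);   /* the fix: lock_sock() */
        pthread_mutex_lock(&ingress_lock);               /* peek under lock */
        struct msg *m = head < NMSG ? &pool[head] : NULL;
        pthread_mutex_unlock(&ingress_lock);
        if (!m) break;
        for (volatile int i = 0; i < 20000; i++) ;       /* lockless copy window */
        if (__atomic_load_n(&m->magic, __ATOMIC_SEQ_CST) == DEAD)
            __atomic_fetch_add(&uaf_hits, 1, __ATOMIC_SEQ_CST); /* read after free */
        else *copied += m->len;
        pthread_mutex_lock(&ingress_lock);               /* unlink + "kfree" */
        if (m != &pool[head]) __atomic_fetch_add(&uaf_hits, 1, __ATOMIC_SEQ_CST); /* freed by other reader */
        else { head++; __atomic_store_n(&m->magic, DEAD, __ATOMIC_SEQ_CST); }
        pthread_mutex_unlock(&ingress_lock);
        if (serialise) pthread_mutex_unlock(&sock_lock);
    }
    if (serialise) pthread_mutex_unlock(&sock_lock);
    return NULL;
}

/* Two readers drain NMSG messages; returns post-free touches (0 when correct), *total = bytes delivered. */
int run_readers(int with_sock_lock, int *total)
{
    pthread_t t[2]; int copied[2] = {0, 0};
    for (int i = 0; i < NMSG; i++) pool[i].magic = 0, pool[i].len = i + 1;
    head = 0; uaf_hits = 0; serialise = with_sock_lock;
    for (int i = 0; i < 2; i++) pthread_create(&t[i], NULL, reader, &copied[i]);
    for (int i = 0; i < 2; i++) pthread_join(t[i], NULL);
    *total = copied[0] + copied[1];
    return uaf_hits;
}
int main(void)
{
    int n, racy = run_readers(0, &n), fixed = run_readers(1, &n);
    printf("post-free touches: without lock_sock=%d, with lock_sock=%d\n", racy, fixed);
    return fixed;
}
```

The unserialised run usually reports a non-zero count (the exact number depends on scheduling); the serialised run must always report zero and deliver every message exactly once.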