From: Jakub Sitnicki <jakub@cloudflare.com>
To: Michal Luczaj <mhal@rbox.co>
Cc: sashiko-reviews@lists.linux.dev, bpf@vger.kernel.org
Subject: Re: [PATCH bpf v2 1/4] bpf, sockmap: Reject unhashed UDP sockets on sockmap update
Date: Wed, 01 Jul 2026 12:04:14 +0200 [thread overview]
Message-ID: <87echn2fhd.fsf@cloudflare.com> (raw)
In-Reply-To: <26ecbce0-48ad-4b53-a0b7-34b59870e010@rbox.co> (Michal Luczaj's message of "Mon, 29 Jun 2026 23:40:49 +0200")
On Mon, Jun 29, 2026 at 11:40 PM +02, Michal Luczaj wrote:
> On 6/29/26 13:37, Jakub Sitnicki wrote:
>> On Sun, Jun 28, 2026 at 11:59 PM +02, Michal Luczaj wrote:
>>> On 6/26/26 22:58, sashiko-bot@kernel.org wrote:
>>>> [Severity: High]
>>>> Could a memory ordering regression here allow unbound UDP sockets to still
>>>> bypass this check?
>>>>
>>>> In udp_v4_get_port(), the flag and hash are set:
>>>>
>>>> net/ipv4/udp.c:udp_v4_get_port() {
>>>> ...
>>>> sock_set_flag(sk, SOCK_RCU_FREE);
>>>> sk_add_node_rcu(sk, &hslot->head);
>>>> ...
>>>> }
>>>>
>>>> Because these stores lack a memory barrier between them, could sk_hashed(sk)
>>>> return true on another CPU while SOCK_RCU_FREE is not yet visible, allowing
>>>> the leak to still trigger?
>>>
>>> I'd like to verify it on a weakly-ordered CPU; please give me a day or two.
>>
>> False positive, IMO.
>> Both ->get_port and sock_map_sk_state_allowed run with sk_lock held.
>
> What about an update coming from iter/task_file? You get an unlocked socket
> via bpf_sock_from_file(ctx->file). And sock_map_update_elem()'s
> bh_lock_sock(sk) doesn't care if socket is owned.
You're right. No exclusive access to socket there.
I think we should block map updates from all iterators but iter/sockmap,
where we know the socket is already in the correct state.
This is in the spirit of the API lockdown that is in progress [1]
[1] https://msgid.link/akRZ_e7DJh2aP-2i@john-p8
> I was looking at iter/task_file in the context of [0]'s follow-up. With or
> without [1], we're getting closer to enforcing (stronger) locking in
> sock_map_update_elem(), per Martin's suggestion. Along the lines of
>
> if (!has_current_bpf_ctx() && sock_owned_by_user_nocheck(sk))
> ret = -EBUSY;
> else if (WARN_ON_ONCE(has_current_bpf_ctx() && !sock_owned_by_user_nocheck(sk)))
> ret = -EINVAL;
> ...
>
> Would that fly?
>
> [0]: https://lore.kernel.org/bpf/20260414-unix-proto-update-null-ptr-deref-v4-0-2af6fe97918e@rbox.co/
> [1]: https://lore.kernel.org/bpf/20260629172704.1302218-1-rhkrqnwk98@gmail.com/
next prev parent reply other threads:[~2026-07-01 10:04 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-26 20:36 [PATCH bpf v2 0/4] bpf, sockmap: Fix sockmap leaking UDP socks Michal Luczaj
2026-06-26 20:36 ` [PATCH bpf v2 1/4] bpf, sockmap: Reject unhashed UDP sockets on sockmap update Michal Luczaj
2026-06-26 20:45 ` Kuniyuki Iwashima
2026-06-26 20:58 ` sashiko-bot
2026-06-28 21:59 ` Michal Luczaj
2026-06-29 11:37 ` Jakub Sitnicki
2026-06-29 21:40 ` Michal Luczaj
2026-07-01 10:04 ` Jakub Sitnicki [this message]
2026-07-01 22:58 ` John Fastabend
2026-07-01 23:19 ` Michal Luczaj
2026-06-29 11:38 ` Jakub Sitnicki
2026-07-01 22:59 ` John Fastabend
2026-06-26 20:36 ` [PATCH bpf v2 2/4] selftests/bpf: Ensure UDP sockets are bound Michal Luczaj
2026-06-26 20:47 ` Kuniyuki Iwashima
2026-06-28 21:58 ` Michal Luczaj
2026-06-26 20:36 ` [PATCH bpf v2 3/4] selftests/bpf: Adapt sockmap update error handling Michal Luczaj
2026-06-26 20:43 ` sashiko-bot
2026-06-28 21:58 ` Michal Luczaj
2026-06-26 20:58 ` Kuniyuki Iwashima
2026-06-28 21:59 ` Michal Luczaj
2026-06-26 21:14 ` bot+bpf-ci
2026-06-26 20:36 ` [PATCH bpf v2 4/4] selftests/bpf: Fail unbound UDP on sockmap update Michal Luczaj
2026-06-26 20:41 ` sashiko-bot
2026-06-28 21:58 ` Michal Luczaj
2026-06-26 21:03 ` Kuniyuki Iwashima
2026-07-01 23:19 ` Michal Luczaj
2026-06-27 17:34 ` [PATCH bpf v2 0/4] bpf, sockmap: Fix sockmap leaking UDP socks sun jian
2026-06-28 22:00 ` Michal Luczaj
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87echn2fhd.fsf@cloudflare.com \
--to=jakub@cloudflare.com \
--cc=bpf@vger.kernel.org \
--cc=mhal@rbox.co \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox