BPF List
 help / color / mirror / Atom feed
From: Jiayuan Chen <jiayuan.chen@linux.dev>
To: sashiko-reviews@lists.linux.dev
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf] bpf: reject mini-sockets in bpf_sock_destroy()
Date: Fri, 3 Jul 2026 10:15:27 +0800	[thread overview]
Message-ID: <e6ec128e-1acf-4dc7-8884-e4d7ed14d25b@linux.dev> (raw)
In-Reply-To: <20260702230504.0E65E1F000E9@smtp.kernel.org>


On 7/3/26 7:05 AM, sashiko-bot@kernel.org wrote:
> Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
>
> New issues:
> - [High] The patch causes a functional regression by completely disabling bpf_sock_destroy() for TCP mini-sockets (TIME_WAIT and NEW_SYN_RECV).
>
> Pre-existing issues:
> - [High] The helpers bpf_tcp_check_syncookie and bpf_tcp_gen_syncookie suffer from the same type confusion and out-of-bounds read as bpf_sock_destroy, but remain unfixed.
> --
>
> commit cf46da8728e7f1fca4584ccdb089c82b7fd3061f
> Author: Xiang Mei (Microsoft) <xmei5@asu.edu>
>
> bpf: reject mini-sockets in bpf_sock_destroy()
>
> The patch tries to fix a KASAN slab-out-of-bounds read in
> bpf_sock_destroy() by checking sk_fullsock(sk) before accessing
> sk->sk_protocol. It casts sock_common to sock and early exits if it is
> a mini-socket.
>
> Fixes: 4ddbcb886268 ("bpf: Add bpf_sock_destroy kfunc")
> Reported-by: AutonomousCodeSecurity@microsoft.com
> Signed-off-by: Xiang Mei (Microsoft) <xmei5@asu.edu>
>
>> diff --git a/net/core/filter.c b/net/core/filter.c
>> index b446aa8be5c37..3e70c8ab5aab1 100644
>> --- a/net/core/filter.c
>> +++ b/net/core/filter.c
>> @@ -12665,6 +12665,9 @@ __bpf_kfunc int bpf_sock_destroy(struct sock_common *sock)
>>   {
>>   	struct sock *sk = (struct sock *)sock;
>>   
>> +	if (!sk_fullsock(sk))
>> +		return -EOPNOTSUPP;
>          ^^^^^^^^^^^^^^^^^^^^^^^^^^^
> [Severity: High]
> Does this unconditionally reject mini-sockets?
>
> The commit message states that mini-sockets have no diag_destroy() handler,
> but as documented in the original commit 4ddbcb886268, request sockets are
> explicitly supported because their protocol diag_destroy handler
> (tcp_abort) correctly handles TCP_TIME_WAIT and TCP_NEW_SYN_RECV states.
>
> If we unconditionally reject non-full sockets, wouldn't this break BPF
> programs that rely on bpf_sock_destroy() to forcefully terminate pending
> connections or TIME_WAIT sockets?

It's true. Please also include a selftest to reproduce the issue and, 
another one to cover the non-full socket.


>
> [Severity: High]
> This is a pre-existing issue, but does this same type confusion exist
> in bpf_tcp_check_syncookie() and bpf_tcp_gen_syncookie()?
>
> Both of those helpers take ARG_PTR_TO_BTF_ID_SOCK_COMMON and cast it to
> a full struct sock *. They then immediately dereference sk->sk_protocol
> without an sk_fullsock() check:
>
> net/core/filter.c:bpf_tcp_check_syncookie() {
>      ...
> 	if (sk->sk_protocol != IPPROTO_TCP || sk->sk_state != TCP_LISTEN)
> 		return -EINVAL;
>      ...
> }
>
> If an XDP or TC BPF program passes a tw_sock or req_sock from
> bpf_skc_lookup_tcp(), won't this result in the same KASAN
> slab-out-of-bounds read since sk_protocol resides outside the bounds
> of struct sock_common?
>
>> +
>>   	/* The locking semantics that allow for synchronous execution of the
>>   	 * destroy handlers are only supported for TCP and UDP.
>>   	 * Supporting protocols will need to acquire sock lock in the BPF context

      reply	other threads:[~2026-07-03  2:15 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-02 22:45 [PATCH bpf] bpf: reject mini-sockets in bpf_sock_destroy() Xiang Mei (Microsoft)
2026-07-02 23:05 ` sashiko-bot
2026-07-03  2:15   ` Jiayuan Chen [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=e6ec128e-1acf-4dc7-8884-e4d7ed14d25b@linux.dev \
    --to=jiayuan.chen@linux.dev \
    --cc=bpf@vger.kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox