Date: Thu, 18 Jun 2026 11:01:58 -0700
From: John Fastabend
To: Jiayuan Chen
Cc: netdev@vger.kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, Jakub Kicinski, Sechang Lim
Subject: Re: [PATCH bpf v3 1/2] bpf, sockmap: fix use-after-free when the stream parser resizes the skb
References: <20260618102718.2331468-1-rhkrqnwk98@gmail.com> <20260618102718.2331468-2-rhkrqnwk98@gmail.com> <34f330b8-60d2-4647-a6b4-a5b001c3715d@linux.dev>
In-Reply-To: <34f330b8-60d2-4647-a6b4-a5b001c3715d@linux.dev>

On Thu, Jun 18, 2026 at 07:56:34PM +0800, Jiayuan Chen wrote:
>
>On 6/18/26 6:27 PM, Sechang Lim wrote:
>>sk_psock_strp_parse() runs the BPF_PROG_TYPE_SK_SKB stream-parser program
>>to find the length of the next message. strparser assembles a message out
>>of several received skbs by chaining them onto the head's frag_list and
>>recording where to append the next one in strp->skb_nextp:
>>
>>    *strp->skb_nextp = skb;
>>    strp->skb_nextp = &skb->next;
>>
>>and then calls the parser on the head:
>>
>>    len = (*strp->cb.parse_msg)(strp, head);
>
>[...]
>
>>unaffected and may still modify the skb.
>>
>>Fixes: 8a31db561566 ("bpf: add access to sock fields and pkt data from sk_skb programs")
>
>Is the Fixes tag correct ?
>
>Anyway, I don't think this patch is a fix; it's more of a hardening.
>So no Fixes tag needed, IMO.
>
>
>>Signed-off-by: Sechang Lim
>>---
[...]
>
>
>CI failed:
>https://github.com/kernel-patches/bpf/actions/runs/27754218839/job/82113319982
>   Failed stream parser bpf prog attach
>
>Hi John
>I noticed that bpf_skb_pull_data was added to the skmsg test:
>https://github.com/torvalds/linux/commit/82a8616889d506cb690cfc0afb2ccadda120461d
>
>Can we drop bpf_skb_pull_data in parser prog(sockmap_parse_prog.c) ?
>And are there any scenarios where we need to modify skb len when using
>strparser ?

We should never modify the skb from strparser. Just remove any tests
that do this and state it's not safe. We haven't used strparser progs
for a long time anyways.
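
Added example, not part of the original message or of the patch: a simplified userspace C model of the strp->skb_nextp bookkeeping quoted above, showing why a parser that resizes the head can leave skb_nextp pointing into an skb that is no longer on the frag_list. The struct layouts and the names strp_chain, model_pull, nextp_is_live and scenario are hypothetical, and the resize behaviour (fully consumed fragments are dropped from the list, as the kernel's __pskb_pull_tail does) is an assumption of the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified stand-ins for sk_buff and strparser state (model only). */
struct skb { struct skb *next, *frag_list; size_t len; };
struct strp { struct skb *head; struct skb **skb_nextp; };

/* The two statements quoted in the commit message. */
static void strp_chain(struct strp *st, struct skb *skb)
{
    *st->skb_nextp = skb;
    st->skb_nextp = &skb->next;
}

/* Assumed resize: pull n bytes into head, unlinking consumed fragments.
 * The kernel would also free them; the model keeps them addressable. */
static void model_pull(struct skb *head, size_t n)
{
    while (head->frag_list && n >= head->frag_list->len) {
        n -= head->frag_list->len;
        head->len += head->frag_list->len;
        head->frag_list = head->frag_list->next;
    }
}

/* True if skb_nextp still points at a link field of a reachable skb. */
static bool nextp_is_live(const struct strp *st)
{
    if (st->skb_nextp == &st->head->frag_list) return true;
    for (struct skb *s = st->head->frag_list; s; s = s->next)
        if (st->skb_nextp == &s->next) return true;
    return false;
}

/* Constructed scenario: 100-byte head plus two chained 100-byte skbs. */
static bool scenario(size_t pull)
{
    struct skb head = { .len = 100 }, a = { .len = 100 }, b = { .len = 100 };
    struct strp st = { .head = &head, .skb_nextp = &head.frag_list };
    strp_chain(&st, &a);
    strp_chain(&st, &b);
    model_pull(&head, pull);
    return nextp_is_live(&st);
}

int main(void)
{
    printf("no resize: %d, pull 200: %d\n", scenario(0), scenario(200));
}
```

In the model, a 200-byte pull consumes both chained skbs, so the next `*strp->skb_nextp = skb` would write through a pointer into an skb that has left the list.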