[PATCH bpf v1 0/2] bpf: tcp: Fix null-ptr-deref in arbitrary SYN Cookie

[PATCH bpf v1 0/2] bpf: tcp: Fix null-ptr-deref in arbitrary SYN Cookie

[Jiayuan Chen]

From: Jiayuan Chen <jiayuan.chen@shopee.com>

bpf_sk_assign_tcp_reqsk() does not validate the L4 protocol of the skb,
only checking skb->protocol (L3). A BPF program that calls this kfunc on
a non-TCP skb (e.g. UDP) will succeed, attaching a TCP reqsk to the skb.

When the skb enters the UDP receive path, skb_steal_sock() returns the
TCP listener socket from the reqsk. The UDP code then casts this TCP
socket to udp_sock and accesses UDP-specific fields at invalid offsets,
causing a null pointer dereference:

  BUG: KASAN: null-ptr-deref in __udp_enqueue_schedule_skb+0x19d/0x1df0
  Read of size 4 at addr 0000000000000008 by task test_progs/537

  CPU: 1 UID: 0 PID: 537 Comm: test_progs Not tainted 7.0.0-rc4+ #46 PREEMPT
  Call Trace:
   <IRQ>
   dump_stack_lvl (lib/dump_stack.c:123)
   print_report (mm/kasan/report.c:487)
   kasan_report (mm/kasan/report.c:597)
   __kasan_check_read (mm/kasan/shadow.c:32)
   __udp_enqueue_schedule_skb (net/ipv4/udp.c:1719)
   udp_queue_rcv_one_skb (net/ipv4/udp.c:2370 net/ipv4/udp.c:2500)
   udp_queue_rcv_skb (net/ipv4/udp.c:2532)
   udp_unicast_rcv_skb (net/ipv4/udp.c:2684)
   __udp4_lib_rcv (net/ipv4/udp.c:2742)
   udp_rcv (net/ipv4/udp.c:2937)
   ip_protocol_deliver_rcu (net/ipv4/ip_input.c:209)
   ip_local_deliver_finish (./include/linux/rcupdate.h:879 net/ipv4/ip_input.c:242)
   ip_local_deliver (net/ipv4/ip_input.c:265)
   __netif_receive_skb_one_core (net/core/dev.c:6164 (discriminator 4))
   __netif_receive_skb (net/core/dev.c:6280)

Solution

Patch 1: Add L4 protocol validation in bpf_sk_assign_tcp_reqsk(). Check
ip_hdr(skb)->protocol (IPv4) and ipv6_hdr(skb)->nexthdr (IPv6) against
IPPROTO_TCP, returning -EINVAL for non-TCP skbs.
Patch 2: Add selftest that calls bpf_sk_assign_tcp_reqsk() on a UDP skb
and verifies the kfunc rejects it.

Jiayuan Chen (2):
  bpf: tcp: Reject non-TCP skb in bpf_sk_assign_tcp_reqsk()
  selftests/bpf: Add protocol check test for bpf_sk_assign_tcp_reqsk()

 net/core/filter.c                             |  6 ++
 .../bpf/prog_tests/tcp_custom_syncookie.c     | 81 ++++++++++++++++++-
 .../bpf/progs/test_tcp_custom_syncookie.c     | 79 ++++++++++++++++++
 3 files changed, 162 insertions(+), 4 deletions(-)

-- 
2.43.0

[PATCH bpf v1 1/2] bpf: tcp: Reject non-TCP skb in bpf_sk_assign_tcp_reqsk()

[Jiayuan Chen]

From: Jiayuan Chen <jiayuan.chen@shopee.com>

bpf_sk_assign_tcp_reqsk() only validates skb->protocol (L3) but does not
check the L4 protocol in the IP header. A BPF program can call this kfunc
on a UDP skb with a valid TCP listener socket, which will succeed and
attach a TCP reqsk to the UDP skb.

When the UDP skb enters the UDP receive path, skb_steal_sock() returns
the TCP listener from the reqsk. The UDP code then passes this TCP socket
to udp_unicast_rcv_skb() -> __udp_enqueue_schedule_skb(), which casts
it to udp_sock and accesses UDP-specific fields at invalid offsets,
causing a null pointer dereference and kernel panic:

  BUG: KASAN: null-ptr-deref in __udp_enqueue_schedule_skb+0x19d/0x1df0
  Read of size 4 at addr 0000000000000008 by task test_progs/537

  CPU: 1 UID: 0 PID: 537 Comm: test_progs Not tainted 7.0.0-rc4+ #46 PREEMPT
  Call Trace:
   <IRQ>
   dump_stack_lvl (lib/dump_stack.c:123)
   print_report (mm/kasan/report.c:487)
   kasan_report (mm/kasan/report.c:597)
   __kasan_check_read (mm/kasan/shadow.c:32)
   __udp_enqueue_schedule_skb (net/ipv4/udp.c:1719)
   udp_queue_rcv_one_skb (net/ipv4/udp.c:2370 net/ipv4/udp.c:2500)
   udp_queue_rcv_skb (net/ipv4/udp.c:2532)
   udp_unicast_rcv_skb (net/ipv4/udp.c:2684)
   __udp4_lib_rcv (net/ipv4/udp.c:2742)
   udp_rcv (net/ipv4/udp.c:2937)
   ip_protocol_deliver_rcu (net/ipv4/ip_input.c:209)
   ip_local_deliver_finish (./include/linux/rcupdate.h:879 net/ipv4/ip_input.c:242)
   ip_local_deliver (net/ipv4/ip_input.c:265)
   __netif_receive_skb_one_core (net/core/dev.c:6164 (discriminator 4))
   __netif_receive_skb (net/core/dev.c:6280)

Fix this by checking the IP header's protocol field in
bpf_sk_assign_tcp_reqsk() and rejecting non-TCP skbs with -EINVAL.

Fixes: e472f88891ab ("bpf: tcp: Support arbitrary SYN Cookie.")
Cc: Jiayuan Chen <jiayuan.chen@linux.dev>
Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
---
 net/core/filter.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/core/filter.c b/net/core/filter.c
index 78b548158fb0..fb975bcce804 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -12248,11 +12248,17 @@ __bpf_kfunc int bpf_sk_assign_tcp_reqsk(struct __sk_buff *s, struct sock *sk,
 
 	switch (skb->protocol) {
 	case htons(ETH_P_IP):
+		if (ip_hdr(skb)->protocol != IPPROTO_TCP)
+			return -EINVAL;
+
 		ops = &tcp_request_sock_ops;
 		min_mss = 536;
 		break;
 #if IS_BUILTIN(CONFIG_IPV6)
 	case htons(ETH_P_IPV6):
+		if (ipv6_hdr(skb)->nexthdr != IPPROTO_TCP)
+			return -EINVAL;
+
 		ops = &tcp6_request_sock_ops;
 		min_mss = IPV6_MIN_MTU - 60;
 		break;
-- 
2.43.0

[PATCH bpf v1 2/2] selftests/bpf: Add protocol check test for bpf_sk_assign_tcp_reqsk()

[Jiayuan Chen]

From: Jiayuan Chen <jiayuan.chen@shopee.com>

Add test_tcp_custom_syncookie_protocol_check to verify that
bpf_sk_assign_tcp_reqsk() rejects non-TCP skbs. The test sends a UDP
packet through a BPF program that calls bpf_sk_assign_tcp_reqsk() on it
and checks that the kfunc returns an error.

Without the fix in bpf_sk_assign_tcp_reqsk(), the kfunc succeeds and
attaches a TCP reqsk to the UDP skb, which causes a null pointer
dereference panic when the kernel processes it through the UDP receive
path.

Test result:

  ./test_progs -a tcp_custom_syncookie_protocol_check -v
  setup_netns:PASS:create netns 0 nsec
  setup_netns:PASS:ip 0 nsec
  write_sysctl:PASS:open sysctl 0 nsec
  write_sysctl:PASS:write sysctl 0 nsec
  setup_netns:PASS:write_sysctl 0 nsec
  test_tcp_custom_syncookie_protocol_check:PASS:open_and_load 0 nsec
  test_tcp_custom_syncookie_protocol_check:PASS:start tcp_server 0 nsec
  test_tcp_custom_syncookie_protocol_check:PASS:getsockname 0 nsec
  setup_tc:PASS:qdisc add dev lo clsact 0 nsec
  setup_tc:PASS:filter add dev lo ingress 0 nsec
  test_tcp_custom_syncookie_protocol_check:PASS:udp socket 0 nsec
  test_tcp_custom_syncookie_protocol_check:PASS:sendto udp 0 nsec
  test_tcp_custom_syncookie_protocol_check:PASS:udp_intercepted 0 nsec
  test_tcp_custom_syncookie_protocol_check:PASS:assign_ret 0 nsec
  #471     tcp_custom_syncookie_protocol_check:OK
  Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED

Cc: Jiayuan Chen <jiayuan.chen@linux.dev>
Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
---
 .../bpf/prog_tests/tcp_custom_syncookie.c     | 81 ++++++++++++++++++-
 .../bpf/progs/test_tcp_custom_syncookie.c     | 79 ++++++++++++++++++
 2 files changed, 156 insertions(+), 4 deletions(-)

diff --git a/tools/testing/selftests/bpf/prog_tests/tcp_custom_syncookie.c b/tools/testing/selftests/bpf/prog_tests/tcp_custom_syncookie.c
index eaf441dc7e79..e622c5befa70 100644
--- a/tools/testing/selftests/bpf/prog_tests/tcp_custom_syncookie.c
+++ b/tools/testing/selftests/bpf/prog_tests/tcp_custom_syncookie.c
@@ -5,6 +5,7 @@
 #include <sched.h>
 #include <stdlib.h>
 #include <net/if.h>
+#include <netinet/in.h>
 
 #include "test_progs.h"
 #include "cgroup_helpers.h"
@@ -47,11 +48,10 @@ static int setup_netns(void)
 	return -1;
 }
 
-static int setup_tc(struct test_tcp_custom_syncookie *skel)
+static int setup_tc(int prog_fd)
 {
 	LIBBPF_OPTS(bpf_tc_hook, qdisc_lo, .attach_point = BPF_TC_INGRESS);
-	LIBBPF_OPTS(bpf_tc_opts, tc_attach,
-		    .prog_fd = bpf_program__fd(skel->progs.tcp_custom_syncookie));
+	LIBBPF_OPTS(bpf_tc_opts, tc_attach, .prog_fd = prog_fd);
 
 	qdisc_lo.ifindex = if_nametoindex("lo");
 	if (!ASSERT_OK(bpf_tc_hook_create(&qdisc_lo), "qdisc add dev lo clsact"))
@@ -127,7 +127,7 @@ void test_tcp_custom_syncookie(void)
 	if (!ASSERT_OK_PTR(skel, "open_and_load"))
 		return;
 
-	if (setup_tc(skel))
+	if (setup_tc(bpf_program__fd(skel->progs.tcp_custom_syncookie)))
 		goto destroy_skel;
 
 	for (i = 0; i < ARRAY_SIZE(test_cases); i++) {
@@ -145,6 +145,79 @@ void test_tcp_custom_syncookie(void)
 
 destroy_skel:
 	system("tc qdisc del dev lo clsact");
+	test_tcp_custom_syncookie__destroy(skel);
+}
+
+/* Test: bpf_sk_assign_tcp_reqsk() should reject non-TCP skb.
+ *
+ * Send a UDP packet through a BPF program that calls
+ * bpf_sk_assign_tcp_reqsk() on it. The kfunc should return -EINVAL
+ * because the skb carries UDP, not TCP.
+ *
+ * Currently the kfunc lacks L4 protocol check, so assign_ret == 0
+ * indicates the bug is present.
+ */
+void test_tcp_custom_syncookie_protocol_check(void)
+{
+	struct test_tcp_custom_syncookie *skel;
+	struct sockaddr_in tcp_addr, udp_addr;
+	socklen_t addr_len = sizeof(tcp_addr);
+	int tcp_server = -1, udp_client = -1;
+	char buf[32] = "test";
+	int ret;
+
+	if (setup_netns())
+		return;
+
+	skel = test_tcp_custom_syncookie__open_and_load();
+	if (!ASSERT_OK_PTR(skel, "open_and_load"))
+		return;
 
+	/* Create a TCP listener so the BPF can find a LISTEN socket */
+	tcp_server = start_server(AF_INET, SOCK_STREAM, "127.0.0.1", 0, 0);
+	if (!ASSERT_NEQ(tcp_server, -1, "start tcp_server"))
+		goto destroy_skel;
+
+	ret = getsockname(tcp_server, (struct sockaddr *)&tcp_addr, &addr_len);
+	if (!ASSERT_OK(ret, "getsockname"))
+		goto close_tcp;
+
+	skel->bss->tcp_listener_port = ntohs(tcp_addr.sin_port);
+	skel->bss->udp_test_port = 9999;
+
+	ret = bpf_program__fd(skel->progs.tcp_custom_syncookie_badproto);
+	if (setup_tc(ret))
+		goto close_tcp;
+
+	udp_client = socket(AF_INET, SOCK_DGRAM, 0);
+	if (!ASSERT_NEQ(udp_client, -1, "udp socket"))
+		goto cleanup_tc;
+
+	memset(&udp_addr, 0, sizeof(udp_addr));
+	udp_addr.sin_family = AF_INET;
+	udp_addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+	udp_addr.sin_port = htons(9999);
+
+	ret = sendto(udp_client, buf, sizeof(buf), 0,
+		     (struct sockaddr *)&udp_addr, sizeof(udp_addr));
+	ASSERT_EQ(ret, sizeof(buf), "sendto udp");
+
+	/* Wait for TC ingress BPF to process the skb. */
+	kern_sync_rcu();
+
+	ASSERT_EQ(skel->bss->udp_intercepted, true, "udp_intercepted");
+
+	/* assign_ret == 0 means kfunc accepted UDP skb (bug).
+	 * assign_ret < 0 means kfunc correctly rejected it (fixed).
+	 */
+	ASSERT_NEQ(skel->data->assign_ret, 0, "assign_ret");
+
+cleanup_tc:
+	system("tc qdisc del dev lo clsact");
+	if (udp_client >= 0)
+		close(udp_client);
+close_tcp:
+	close(tcp_server);
+destroy_skel:
 	test_tcp_custom_syncookie__destroy(skel);
 }
diff --git a/tools/testing/selftests/bpf/progs/test_tcp_custom_syncookie.c b/tools/testing/selftests/bpf/progs/test_tcp_custom_syncookie.c
index 7d5293de1952..386705b6c9f2 100644
--- a/tools/testing/selftests/bpf/progs/test_tcp_custom_syncookie.c
+++ b/tools/testing/selftests/bpf/progs/test_tcp_custom_syncookie.c
@@ -588,4 +588,83 @@ int tcp_custom_syncookie(struct __sk_buff *skb)
 	return tcp_handle_ack(&ctx);
 }
 
+/* Test: call bpf_sk_assign_tcp_reqsk() on a UDP skb.
+ * The kfunc should reject it, but currently it doesn't check L4 protocol.
+ */
+__u16 tcp_listener_port = 0;
+__u16 udp_test_port = 0;
+int assign_ret = -1;
+bool udp_intercepted = false;
+
+SEC("tc")
+int tcp_custom_syncookie_badproto(struct __sk_buff *skb)
+{
+	void *data = (void *)(long)skb->data;
+	void *data_end = (void *)(long)skb->data_end;
+	struct bpf_sock_tuple tuple = {};
+	struct bpf_tcp_req_attrs attrs = {};
+	struct ethhdr *eth;
+	struct iphdr *iph;
+	struct udphdr *udp;
+	struct bpf_sock *skc;
+	struct sock *sk;
+
+	eth = (struct ethhdr *)data;
+	if (eth + 1 > data_end)
+		return TC_ACT_OK;
+
+	if (bpf_ntohs(eth->h_proto) != ETH_P_IP)
+		return TC_ACT_OK;
+
+	iph = (struct iphdr *)(eth + 1);
+	if (iph + 1 > data_end)
+		return TC_ACT_OK;
+
+	if (iph->protocol != IPPROTO_UDP)
+		return TC_ACT_OK;
+
+	udp = (struct udphdr *)(iph + 1);
+	if (udp + 1 > data_end)
+		return TC_ACT_OK;
+
+	if (bpf_ntohs(udp->dest) != udp_test_port)
+		return TC_ACT_OK;
+
+	udp_intercepted = true;
+
+	tuple.ipv4.saddr = iph->saddr;
+	tuple.ipv4.daddr = iph->daddr;
+	tuple.ipv4.sport = udp->source;
+	tuple.ipv4.dport = bpf_htons(tcp_listener_port);
+
+	skc = bpf_skc_lookup_tcp(skb, &tuple, sizeof(tuple.ipv4), -1, 0);
+	if (!skc)
+		return TC_ACT_OK;
+
+	if (skc->state != TCP_LISTEN) {
+		bpf_sk_release(skc);
+		return TC_ACT_OK;
+	}
+
+	sk = (struct sock *)bpf_skc_to_tcp_sock(skc);
+	if (!sk) {
+		bpf_sk_release(skc);
+		return TC_ACT_OK;
+	}
+
+	attrs.mss = 1460;
+	attrs.wscale_ok = 1;
+	attrs.snd_wscale = 7;
+	attrs.rcv_wscale = 7;
+	attrs.sack_ok = 1;
+
+	/* Call bpf_sk_assign_tcp_reqsk on a UDP skb. */
+	assign_ret = bpf_sk_assign_tcp_reqsk(skb, sk, &attrs, sizeof(attrs));
+
+	bpf_sk_release(skc);
+
+	/* Let the packet continue into the kernel */
+	return TC_ACT_OK;
+}
+
 char _license[] SEC("license") = "GPL";
-- 
2.43.0

Re: [PATCH bpf v1 1/2] bpf: tcp: Reject non-TCP skb in bpf_sk_assign_tcp_reqsk()

[Martin KaFai Lau]

On 3/23/26 3:54 AM, Jiayuan Chen wrote:
> diff --git a/net/core/filter.c b/net/core/filter.c
> index 78b548158fb0..fb975bcce804 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -12248,11 +12248,17 @@ __bpf_kfunc int bpf_sk_assign_tcp_reqsk(struct __sk_buff *s, struct sock *sk,
>   
>   	switch (skb->protocol) {
>   	case htons(ETH_P_IP):
> +		if (ip_hdr(skb)->protocol != IPPROTO_TCP)
> +			return -EINVAL;
> +
>   		ops = &tcp_request_sock_ops;
>   		min_mss = 536;
>   		break;
>   #if IS_BUILTIN(CONFIG_IPV6)
>   	case htons(ETH_P_IPV6):
> +		if (ipv6_hdr(skb)->nexthdr != IPPROTO_TCP)
> +			return -EINVAL;
> +

lgtm.

Kuniyuki, please take a look and ack if it looks good to you also. Thanks.

Re: [PATCH bpf v1 2/2] selftests/bpf: Add protocol check test for bpf_sk_assign_tcp_reqsk()

[Martin KaFai Lau]

On 3/23/26 3:54 AM, Jiayuan Chen wrote:
> +void test_tcp_custom_syncookie_protocol_check(void)
> +{
> +	struct test_tcp_custom_syncookie *skel;
> +	struct sockaddr_in tcp_addr, udp_addr;
> +	socklen_t addr_len = sizeof(tcp_addr);
> +	int tcp_server = -1, udp_client = -1;
> +	char buf[32] = "test";
> +	int ret;
> +
> +	if (setup_netns())
> +		return;
> +
> +	skel = test_tcp_custom_syncookie__open_and_load();
> +	if (!ASSERT_OK_PTR(skel, "open_and_load"))
> +		return;
>   
> +	/* Create a TCP listener so the BPF can find a LISTEN socket */
> +	tcp_server = start_server(AF_INET, SOCK_STREAM, "127.0.0.1", 0, 0);
> +	if (!ASSERT_NEQ(tcp_server, -1, "start tcp_server"))
> +		goto destroy_skel;
> +
> +	ret = getsockname(tcp_server, (struct sockaddr *)&tcp_addr, &addr_len);
> +	if (!ASSERT_OK(ret, "getsockname"))
> +		goto close_tcp;
> +
> +	skel->bss->tcp_listener_port = ntohs(tcp_addr.sin_port);
> +	skel->bss->udp_test_port = 9999;
> +
> +	ret = bpf_program__fd(skel->progs.tcp_custom_syncookie_badproto);
> +	if (setup_tc(ret))
> +		goto close_tcp;
> +
> +	udp_client = socket(AF_INET, SOCK_DGRAM, 0);
> +	if (!ASSERT_NEQ(udp_client, -1, "udp socket"))
> +		goto cleanup_tc;
> +
> +	memset(&udp_addr, 0, sizeof(udp_addr));
> +	udp_addr.sin_family = AF_INET;
> +	udp_addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
> +	udp_addr.sin_port = htons(9999);
> +
> +	ret = sendto(udp_client, buf, sizeof(buf), 0,
> +		     (struct sockaddr *)&udp_addr, sizeof(udp_addr));
> +	ASSERT_EQ(ret, sizeof(buf), "sendto udp");
> +
> +	/* Wait for TC ingress BPF to process the skb. */
> +	kern_sync_rcu();

hmm... is it guaranteed to work? Regardless, it checks the error 
returned from bpf_sk_assign_tcp_reqsk(). Maybe bpf_prog_test_run is simpler?

pw-bot: cr

> +
> +	ASSERT_EQ(skel->bss->udp_intercepted, true, "udp_intercepted");
> +
> +	/* assign_ret == 0 means kfunc accepted UDP skb (bug).
> +	 * assign_ret < 0 means kfunc correctly rejected it (fixed).
> +	 */
> +	ASSERT_NEQ(skel->data->assign_ret, 0, "assign_ret");
> +
> +cleanup_tc:
> +	system("tc qdisc del dev lo clsact");
> +	if (udp_client >= 0)
> +		close(udp_client);
> +close_tcp:
> +	close(tcp_server);
> +destroy_skel:
>   	test_tcp_custom_syncookie__destroy(skel);
>   }

Re: [PATCH bpf v1 2/2] selftests/bpf: Add protocol check test for bpf_sk_assign_tcp_reqsk()

[Jiayuan Chen]

On 3/25/26 5:59 AM, Martin KaFai Lau wrote:
> On 3/23/26 3:54 AM, Jiayuan Chen wrote:
>> +void test_tcp_custom_syncookie_protocol_check(void)
>> +{
>> +    struct test_tcp_custom_syncookie *skel;
>> +    struct sockaddr_in tcp_addr, udp_addr;
>> +    socklen_t addr_len = sizeof(tcp_addr);
>> +    int tcp_server = -1, udp_client = -1;
>> +    char buf[32] = "test";
>> +    int ret;
>> +
>> +    if (setup_netns())
>> +        return;
>> +
>> +    skel = test_tcp_custom_syncookie__open_and_load();
>> +    if (!ASSERT_OK_PTR(skel, "open_and_load"))
>> +        return;
>>   +    /* Create a TCP listener so the BPF can find a LISTEN socket */
>> +    tcp_server = start_server(AF_INET, SOCK_STREAM, "127.0.0.1", 0, 0);
>> +    if (!ASSERT_NEQ(tcp_server, -1, "start tcp_server"))
>> +        goto destroy_skel;
>> +
>> +    ret = getsockname(tcp_server, (struct sockaddr *)&tcp_addr, 
>> &addr_len);
>> +    if (!ASSERT_OK(ret, "getsockname"))
>> +        goto close_tcp;
>> +
>> +    skel->bss->tcp_listener_port = ntohs(tcp_addr.sin_port);
>> +    skel->bss->udp_test_port = 9999;
>> +
>> +    ret = bpf_program__fd(skel->progs.tcp_custom_syncookie_badproto);
>> +    if (setup_tc(ret))
>> +        goto close_tcp;
>> +
>> +    udp_client = socket(AF_INET, SOCK_DGRAM, 0);
>> +    if (!ASSERT_NEQ(udp_client, -1, "udp socket"))
>> +        goto cleanup_tc;
>> +
>> +    memset(&udp_addr, 0, sizeof(udp_addr));
>> +    udp_addr.sin_family = AF_INET;
>> +    udp_addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
>> +    udp_addr.sin_port = htons(9999);
>> +
>> +    ret = sendto(udp_client, buf, sizeof(buf), 0,
>> +             (struct sockaddr *)&udp_addr, sizeof(udp_addr));
>> +    ASSERT_EQ(ret, sizeof(buf), "sendto udp");
>> +
>> +    /* Wait for TC ingress BPF to process the skb. */
>> +    kern_sync_rcu();
>
> hmm... is it guaranteed to work? Regardless, it checks the error 
> returned from bpf_sk_assign_tcp_reqsk(). Maybe bpf_prog_test_run is 
> simpler?
>
> pw-bot: cr
>


Hi Martin,

Thanks for your suggestion.

The intent of using the real network stack was to demonstrate the
actual null-ptr-deref panic, so reviewers can better understand the
issue. Once we agree the root cause is the missing protocol check in
bpf_sk_assign_tcp_reqsk(), switching to bpf_prog_test_run to just
validate the return value makes sense.

Re: [PATCH bpf v1 1/2] bpf: tcp: Reject non-TCP skb in bpf_sk_assign_tcp_reqsk()

[Kuniyuki Iwashima]

On Mon, Mar 23, 2026 at 3:55 AM Jiayuan Chen <jiayuan.chen@linux.dev> wrote:
>
> From: Jiayuan Chen <jiayuan.chen@shopee.com>
>
> bpf_sk_assign_tcp_reqsk() only validates skb->protocol (L3) but does not
> check the L4 protocol in the IP header. A BPF program can call this kfunc
> on a UDP skb with a valid TCP listener socket, which will succeed and
> attach a TCP reqsk to the UDP skb.
>
> When the UDP skb enters the UDP receive path, skb_steal_sock() returns
> the TCP listener from the reqsk. The UDP code then passes this TCP socket
> to udp_unicast_rcv_skb() -> __udp_enqueue_schedule_skb(), which casts
> it to udp_sock and accesses UDP-specific fields at invalid offsets,
> causing a null pointer dereference and kernel panic:
>
>   BUG: KASAN: null-ptr-deref in __udp_enqueue_schedule_skb+0x19d/0x1df0
>   Read of size 4 at addr 0000000000000008 by task test_progs/537
>
>   CPU: 1 UID: 0 PID: 537 Comm: test_progs Not tainted 7.0.0-rc4+ #46 PREEMPT
>   Call Trace:
>    <IRQ>
>    dump_stack_lvl (lib/dump_stack.c:123)
>    print_report (mm/kasan/report.c:487)
>    kasan_report (mm/kasan/report.c:597)
>    __kasan_check_read (mm/kasan/shadow.c:32)
>    __udp_enqueue_schedule_skb (net/ipv4/udp.c:1719)
>    udp_queue_rcv_one_skb (net/ipv4/udp.c:2370 net/ipv4/udp.c:2500)
>    udp_queue_rcv_skb (net/ipv4/udp.c:2532)
>    udp_unicast_rcv_skb (net/ipv4/udp.c:2684)
>    __udp4_lib_rcv (net/ipv4/udp.c:2742)
>    udp_rcv (net/ipv4/udp.c:2937)
>    ip_protocol_deliver_rcu (net/ipv4/ip_input.c:209)
>    ip_local_deliver_finish (./include/linux/rcupdate.h:879 net/ipv4/ip_input.c:242)
>    ip_local_deliver (net/ipv4/ip_input.c:265)
>    __netif_receive_skb_one_core (net/core/dev.c:6164 (discriminator 4))
>    __netif_receive_skb (net/core/dev.c:6280)
>
> Fix this by checking the IP header's protocol field in
> bpf_sk_assign_tcp_reqsk() and rejecting non-TCP skbs with -EINVAL.
>
> Fixes: e472f88891ab ("bpf: tcp: Support arbitrary SYN Cookie.")
> Cc: Jiayuan Chen <jiayuan.chen@linux.dev>
> Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>

Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>

Thanks, the fix looks good.
Just curious how you found this, are you trying to use this
feature for CDN or AI just found it ?


> ---
>  net/core/filter.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/net/core/filter.c b/net/core/filter.c
> index 78b548158fb0..fb975bcce804 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -12248,11 +12248,17 @@ __bpf_kfunc int bpf_sk_assign_tcp_reqsk(struct __sk_buff *s, struct sock *sk,
>
>         switch (skb->protocol) {
>         case htons(ETH_P_IP):
> +               if (ip_hdr(skb)->protocol != IPPROTO_TCP)
> +                       return -EINVAL;
> +
>                 ops = &tcp_request_sock_ops;
>                 min_mss = 536;
>                 break;
>  #if IS_BUILTIN(CONFIG_IPV6)
>         case htons(ETH_P_IPV6):
> +               if (ipv6_hdr(skb)->nexthdr != IPPROTO_TCP)
> +                       return -EINVAL;
> +
>                 ops = &tcp6_request_sock_ops;
>                 min_mss = IPV6_MIN_MTU - 60;
>                 break;
> --
> 2.43.0
>

Re: [PATCH bpf v1 1/2] bpf: tcp: Reject non-TCP skb in bpf_sk_assign_tcp_reqsk()

[Jiayuan Chen]

On 3/26/26 8:04 AM, Kuniyuki Iwashima wrote:
> On Mon, Mar 23, 2026 at 3:55 AM Jiayuan Chen <jiayuan.chen@linux.dev> wrote:
>> From: Jiayuan Chen <jiayuan.chen@shopee.com>
>>
>> bpf_sk_assign_tcp_reqsk() only validates skb->protocol (L3) but does not
>> check the L4 protocol in the IP header. A BPF program can call this kfunc
>> on a UDP skb with a valid TCP listener socket, which will succeed and
>> attach a TCP reqsk to the UDP skb.
>>
>> When the UDP skb enters the UDP receive path, skb_steal_sock() returns
>> the TCP listener from the reqsk. The UDP code then passes this TCP socket
>> to udp_unicast_rcv_skb() -> __udp_enqueue_schedule_skb(), which casts
>> it to udp_sock and accesses UDP-specific fields at invalid offsets,
>> causing a null pointer dereference and kernel panic:
>>
>>    BUG: KASAN: null-ptr-deref in __udp_enqueue_schedule_skb+0x19d/0x1df0
>>    Read of size 4 at addr 0000000000000008 by task test_progs/537
>>
>>    CPU: 1 UID: 0 PID: 537 Comm: test_progs Not tainted 7.0.0-rc4+ #46 PREEMPT
>>    Call Trace:
>>     <IRQ>
>>     dump_stack_lvl (lib/dump_stack.c:123)
>>     print_report (mm/kasan/report.c:487)
>>     kasan_report (mm/kasan/report.c:597)
>>     __kasan_check_read (mm/kasan/shadow.c:32)
>>     __udp_enqueue_schedule_skb (net/ipv4/udp.c:1719)
>>     udp_queue_rcv_one_skb (net/ipv4/udp.c:2370 net/ipv4/udp.c:2500)
>>     udp_queue_rcv_skb (net/ipv4/udp.c:2532)
>>     udp_unicast_rcv_skb (net/ipv4/udp.c:2684)
>>     __udp4_lib_rcv (net/ipv4/udp.c:2742)
>>     udp_rcv (net/ipv4/udp.c:2937)
>>     ip_protocol_deliver_rcu (net/ipv4/ip_input.c:209)
>>     ip_local_deliver_finish (./include/linux/rcupdate.h:879 net/ipv4/ip_input.c:242)
>>     ip_local_deliver (net/ipv4/ip_input.c:265)
>>     __netif_receive_skb_one_core (net/core/dev.c:6164 (discriminator 4))
>>     __netif_receive_skb (net/core/dev.c:6280)
>>
>> Fix this by checking the IP header's protocol field in
>> bpf_sk_assign_tcp_reqsk() and rejecting non-TCP skbs with -EINVAL.
>>
>> Fixes: e472f88891ab ("bpf: tcp: Support arbitrary SYN Cookie.")
>> Cc: Jiayuan Chen <jiayuan.chen@linux.dev>
>> Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
> Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
>
> Thanks, the fix looks good.
> Just curious how you found this, are you trying to use this
> feature for CDN or AI just found it ?
>
Hi Kuniyuki,

Thanks for the review!

While investigating this feature for gateway optimization,
we reviewed the implementation and discovered these bugs.

We haven't deployed this yet, but it's on our roadmap.

Re: [PATCH bpf v1 2/2] selftests/bpf: Add protocol check test for bpf_sk_assign_tcp_reqsk()

[Jiayuan Chen]

On 3/25/26 5:59 AM, Martin KaFai Lau wrote:
> On 3/23/26 3:54 AM, Jiayuan Chen wrote:
>> +void test_tcp_custom_syncookie_protocol_check(void)
>> +{
>> +    struct test_tcp_custom_syncookie *skel;
>> +    struct sockaddr_in tcp_addr, udp_addr;
>> +    socklen_t addr_len = sizeof(tcp_addr);
>> +    int tcp_server = -1, udp_client = -1;
>> +    char buf[32] = "test";
>> +    int ret;
>> +
>> +    if (setup_netns())
>> +        return;
>> +
>> +    skel = test_tcp_custom_syncookie__open_and_load();
>> +    if (!ASSERT_OK_PTR(skel, "open_and_load"))
>> +        return;
>>   +    /* Create a TCP listener so the BPF can find a LISTEN socket */
>> +    tcp_server = start_server(AF_INET, SOCK_STREAM, "127.0.0.1", 0, 0);
>> +    if (!ASSERT_NEQ(tcp_server, -1, "start tcp_server"))
>> +        goto destroy_skel;
>> +
>> +    ret = getsockname(tcp_server, (struct sockaddr *)&tcp_addr, 
>> &addr_len);
>> +    if (!ASSERT_OK(ret, "getsockname"))
>> +        goto close_tcp;
>> +
>> +    skel->bss->tcp_listener_port = ntohs(tcp_addr.sin_port);
>> +    skel->bss->udp_test_port = 9999;
>> +
>> +    ret = bpf_program__fd(skel->progs.tcp_custom_syncookie_badproto);
>> +    if (setup_tc(ret))
>> +        goto close_tcp;
>> +
>> +    udp_client = socket(AF_INET, SOCK_DGRAM, 0);
>> +    if (!ASSERT_NEQ(udp_client, -1, "udp socket"))
>> +        goto cleanup_tc;
>> +
>> +    memset(&udp_addr, 0, sizeof(udp_addr));
>> +    udp_addr.sin_family = AF_INET;
>> +    udp_addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
>> +    udp_addr.sin_port = htons(9999);
>> +
>> +    ret = sendto(udp_client, buf, sizeof(buf), 0,
>> +             (struct sockaddr *)&udp_addr, sizeof(udp_addr));
>> +    ASSERT_EQ(ret, sizeof(buf), "sendto udp");
>> +
>> +    /* Wait for TC ingress BPF to process the skb. */
>> +    kern_sync_rcu();
>
> hmm... is it guaranteed to work? Regardless, it checks the error 
> returned from bpf_sk_assign_tcp_reqsk(). Maybe bpf_prog_test_run is 
> simpler?
>
> pw-bot: cr
>
>> +
>>
I looked into using bpf_prog_test_run, but it won't work here
because bpf_sk_assign_tcp_reqsk() requires the skb to come from TC ingress
— it checks skb_at_tc_ingress() internally and returns -EINVAL otherwise.

For the synchronization concern, instead of kern_sync_rcu(), I now create
a UDP server bound to the target port and recv() the packet after sendto().
Since the BPF program returns TC_ACT_OK, the packet passes through TC 
ingress
and arrives at the UDP socket. The recv() naturally blocks until the BPF 
program
has finished processing, so no timing tricks are needed.

Re: [PATCH bpf v1 2/2] selftests/bpf: Add protocol check test for bpf_sk_assign_tcp_reqsk()

[Martin KaFai Lau]

On 3/25/26 8:24 PM, Jiayuan Chen wrote:
> 
> On 3/25/26 5:59 AM, Martin KaFai Lau wrote:
>> On 3/23/26 3:54 AM, Jiayuan Chen wrote:
>>> +void test_tcp_custom_syncookie_protocol_check(void)
>>> +{
>>> +    struct test_tcp_custom_syncookie *skel;
>>> +    struct sockaddr_in tcp_addr, udp_addr;
>>> +    socklen_t addr_len = sizeof(tcp_addr);
>>> +    int tcp_server = -1, udp_client = -1;
>>> +    char buf[32] = "test";
>>> +    int ret;
>>> +
>>> +    if (setup_netns())
>>> +        return;
>>> +
>>> +    skel = test_tcp_custom_syncookie__open_and_load();
>>> +    if (!ASSERT_OK_PTR(skel, "open_and_load"))
>>> +        return;
>>>   +    /* Create a TCP listener so the BPF can find a LISTEN socket */
>>> +    tcp_server = start_server(AF_INET, SOCK_STREAM, "127.0.0.1", 0, 0);
>>> +    if (!ASSERT_NEQ(tcp_server, -1, "start tcp_server"))
>>> +        goto destroy_skel;
>>> +
>>> +    ret = getsockname(tcp_server, (struct sockaddr *)&tcp_addr, 
>>> &addr_len);
>>> +    if (!ASSERT_OK(ret, "getsockname"))
>>> +        goto close_tcp;
>>> +
>>> +    skel->bss->tcp_listener_port = ntohs(tcp_addr.sin_port);
>>> +    skel->bss->udp_test_port = 9999;
>>> +
>>> +    ret = bpf_program__fd(skel->progs.tcp_custom_syncookie_badproto);
>>> +    if (setup_tc(ret))
>>> +        goto close_tcp;
>>> +
>>> +    udp_client = socket(AF_INET, SOCK_DGRAM, 0);
>>> +    if (!ASSERT_NEQ(udp_client, -1, "udp socket"))
>>> +        goto cleanup_tc;
>>> +
>>> +    memset(&udp_addr, 0, sizeof(udp_addr));
>>> +    udp_addr.sin_family = AF_INET;
>>> +    udp_addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
>>> +    udp_addr.sin_port = htons(9999);
>>> +
>>> +    ret = sendto(udp_client, buf, sizeof(buf), 0,
>>> +             (struct sockaddr *)&udp_addr, sizeof(udp_addr));
>>> +    ASSERT_EQ(ret, sizeof(buf), "sendto udp");
>>> +
>>> +    /* Wait for TC ingress BPF to process the skb. */
>>> +    kern_sync_rcu();
>>
>> hmm... is it guaranteed to work? Regardless, it checks the error 
>> returned from bpf_sk_assign_tcp_reqsk(). Maybe bpf_prog_test_run is 
>> simpler?
>>
>> pw-bot: cr
>>
>>> +
>>>
> I looked into using bpf_prog_test_run, but it won't work here
> because bpf_sk_assign_tcp_reqsk() requires the skb to come from TC ingress
> — it checks skb_at_tc_ingress() internally and returns -EINVAL otherwise.

Thanks for trying.

> 
> For the synchronization concern, instead of kern_sync_rcu(), I now create
> a UDP server bound to the target port and recv() the packet after sendto().
> Since the BPF program returns TC_ACT_OK, the packet passes through TC 
> ingress
> and arrives at the UDP socket. The recv() naturally blocks until the BPF 
> program
> has finished processing, so no timing tricks are needed.
> 

sgtm.