From: Werner Kasselman <werner@verivus.ai>
To: "bpf@vger.kernel.org" <bpf@vger.kernel.org>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>
Cc: Werner Kasselman <werner@verivus.ai>
Subject: [PATCH bpf v4 0/2] bpf: guard sock_ops rtt_min against non-locked tcp_sock
Date: Mon, 20 Apr 2026 22:16:24 +0000 [thread overview]
Message-ID: <20260420221621.1441707-1-werner@verivus.com> (raw)
In-Reply-To: <20260417023119.3830723-1-werner@verivus.com>
sock_ops ctx rewriting guards the direct tcp_sock field loads with
is_locked_tcp_sock, but rtt_min still used a raw load sequence. On
request_sock-backed sock_ops callbacks, that can read past the end of a
tcp_request_sock allocation.
This series switches rtt_min over to the shared guarded tcp_sock field
load helper and adds a tcpbpf runtime test that exercises the
same-register request_sock path.
v3 -> v4:
- reuse a shared guarded tcp_sock field load helper for rtt_min
- preserve the dst_reg == src_reg failure path that zeros the destination
register when the guard fails
- replace the weaker ctx_rewrite test with a runtime tcpbpf selftest that
exercises same-register request_sock access
Werner Kasselman (2):
bpf: guard sock_ops rtt_min against non-locked tcp_sock
selftests/bpf: cover same-reg sock_ops rtt_min request_sock access
net/core/filter.c | 39 ++++++++++---------
.../selftests/bpf/prog_tests/tcpbpf_user.c | 4 ++
.../selftests/bpf/progs/test_tcpbpf_kern.c | 14 +++++++
tools/testing/selftests/bpf/test_tcpbpf.h | 2 +
4 files changed, 40 insertions(+), 19 deletions(-)
--
2.43.0
next prev parent reply other threads:[~2026-04-20 22:16 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-17 2:31 [PATCH bpf v3 0/2] bpf: fix sock_ops rtt_min OOB read Werner Kasselman
2026-04-17 2:31 ` [PATCH 1/2] bpf: extract SOCK_OPS_LOAD_TCP_SOCK_FIELD from SOCK_OPS_GET_FIELD Werner Kasselman
2026-04-17 2:31 ` [PATCH 2/2] bpf: guard sock_ops rtt_min against non-locked tcp_sock Werner Kasselman
2026-04-20 20:43 ` Martin KaFai Lau
2026-04-20 22:16 ` Werner Kasselman [this message]
2026-04-20 22:16 ` [PATCH bpf v4 1/2] " Werner Kasselman
2026-04-20 22:16 ` [PATCH bpf v4 2/2] selftests/bpf: cover same-reg sock_ops rtt_min request_sock access Werner Kasselman
2026-04-20 23:00 ` [PATCH bpf v5 0/2] bpf: guard sock_ops rtt_min against non-locked tcp_sock Werner Kasselman
2026-04-20 23:00 ` [PATCH bpf v5 1/2] " Werner Kasselman
2026-04-20 23:00 ` [PATCH bpf v5 2/2] selftests/bpf: cover same-reg sock_ops rtt_min request_sock access Werner Kasselman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260420221621.1441707-1-werner@verivus.com \
--to=werner@verivus.ai \
--cc=bpf@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox