On 5/22/25 4:25 PM, Jason Xing wrote:
On Fri, May 23, 2025 at 7:17 AM Sasha Levin sashal@kernel.org wrote:
This is a note to let you know that I've just added the patch titled
bpf: Prevent unsafe access to the sock fields in the BPF timestamping callbackto the 6.1-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git%3Ba=su...
The filename of the patch is: bpf-prevent-unsafe-access-to-the-sock-fields-in-the-.patch and it can be found in the queue-6.1 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree, please let stable@vger.kernel.org know about it.
Hi,
I'm notified that this patch has been added into many branches, which is against my expectations. The BPF timestaping feature was implemented in 6.14 and the patch you are handling is just one of them.
The function of this patch prevents unexpected bpf programs using this feature from triggering fatal problems. So, IMHO, we don't need this patch in all the older/stable branches:)
Thanks, Jason
commit 00b709040e0fdf5949dfbf02f38521e0b10943ac Author: Jason Xing kerneljasonxing@gmail.com Date: Thu Feb 20 15:29:31 2025 +0800
bpf: Prevent unsafe access to the sock fields in the BPF timestamping callback [ Upstream commit fd93eaffb3f977b23bc0a48d4c8616e654fcf133 ] The subsequent patch will implement BPF TX timestamping. It will
Agree. The patch is a preparation work for the new bpf tx timestamping feature. It is not stable material.
Thanks, Martin
call the sockops BPF program without holding the sock lock. This breaks the current assumption that all sock ops programs will hold the sock lock. The sock's fields of the uapi's bpf_sock_ops requires this assumption. To address this, a new "u8 is_locked_tcp_sock;" field is added. This patch sets it in the current sock_ops callbacks. The "is_fullsock" test is then replaced by the "is_locked_tcp_sock" test during sock_ops_convert_ctx_access(). The new TX timestamping callbacks added in the subsequent patch will not have this set. This will prevent unsafe access from the new timestamping callbacks. Potentially, we could allow read-only access. However, this would require identifying which callback is read-safe-only and also requires additional BPF instruction rewrites in the covert_ctx. Since the BPF program can always read everything from a socket (e.g., by using bpf_core_cast), this patch keeps it simple and disables all read and write access to any socket fields through the bpf_sock_ops UAPI from the new TX timestamping callback. Moreover, note that some of the fields in bpf_sock_ops are specific to tcp_sock, and sock_ops currently only supports tcp_sock. In the future, UDP timestamping will be added, which will also break this assumption. The same idea used in this patch will be reused. Considering that the current sock_ops only supports tcp_sock, the variable is named is_locked_"tcp"_sock. Signed-off-by: Jason Xing <kerneljasonxing@gmail.com> Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org> Link: https://patch.msgid.link/20250220072940.99994-4-kerneljasonxing@gmail.com Signed-off-by: Sasha Levin <sashal@kernel.org>