From: Jiayuan Chen <[email protected]>
Date: Fri, 12 Jun 2026 21:07:48 +0800

> From: Zhang Cen <[email protected]>
>
> SK_MSG uses msg->sg.copy as per-scatterlist-entry provenance. Entries
> with this bit set are copied before data/data_end are exposed to SK_MSG
> BPF programs for direct packet access.
>
> bpf_msg_pull_data(), bpf_msg_push_data(), and bpf_msg_pop_data()
> rewrite the sk_msg scatterlist ring by collapsing, splitting, and
> shifting entries. These operations move msg->sg.data[] entries, but the
> parallel copy bitmap can be left behind on the old slot. A copied entry
> can then return to msg->sg.start with its copy bit clear and be exposed
> as directly writable packet data.
>
> This corruption path requires an attached SK_MSG BPF program that calls
> the mutating helpers; ordinary sockmap/TLS traffic that never runs
> push/pop/pull helper sequences is not affected.
>
> Keep msg->sg.copy synchronized with scatterlist entry moves, preserve
> the copy bit when an entry is split, clear it when a helper replaces an
> entry with a private page, and clear slots vacated by pull-data
> compaction.
>
> Fixes: 015632bb30da ("bpf: sk_msg program helper bpf_sk_msg_pull_data")
> Fixes: 6fff607e2f14 ("bpf: sk_msg program helper bpf_msg_push_data")
> Fixes: 7246d8ed4dcc ("bpf: helper to pop data from messages")
> Cc: [email protected]
> Co-developed-by: Han Guidong <[email protected]>
> Reviewed-by: John Fastabend <[email protected]>
> Reviewed-by: Emil Tsalapatis <[email protected]>
> Signed-off-by: Han Guidong <[email protected]>
> Signed-off-by: Zhang Cen <[email protected]>
> Signed-off-by: Jiayuan Chen <[email protected]>
Reviewed-by: Kuniyuki Iwashima <[email protected]>
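The failure mode the commit message describes, as an added toy model in C that is not the kernel's sk_msg code and not part of this thread: a small array of scatterlist entries with a parallel per-slot copy bitmap, a pull-data style compaction that collapses two entries into one private page and shifts the rest down, and two checkers that compare the bitmap against the model's ground truth. The names (msg_ring, msg_collapse, msg_bitmap_mismatches, msg_exposed_shared, demo) and the `shared` ground-truth field are assumptions of the example; the real sk_msg has no such field, which is exactly why a stale bitmap is not detectable after the fact. The model is linear rather than a wrapping ring and does not model the split case; it shows only the "bits left behind on the old slot" defect and the three bitmap moves the fix requires for compaction (move the bit with the entry, clear the bit of the slot that now holds a private page, clear the vacated tail slots).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NR_SLOTS 8

/* One scatterlist entry.  `shared` is ground truth kept only so the checker can
 * say what the copy bit should be; the real sk_msg has no such field. */
struct entry {
    int page;       /* page id, -1 for an empty slot */
    bool shared;    /* page shared with the socket path: copy before a direct write */
};

/* sk_msg-style ring: data[] plus a parallel per-slot copy bitmap (linear model, no wrap). */
struct msg_ring {
    struct entry data[NR_SLOTS];
    unsigned copy;  /* bit i set: data[i] must be copied before direct access */
    unsigned start, end;
};

/* Constructed input (not captured from a kernel): private, shared, shared,
 * private, shared.  Only shared pages start with their copy bit set. */
static void msg_init_demo(struct msg_ring *r)
{
    static const struct entry in[] = {
        {10, false}, {200, true}, {201, true}, {11, false}, {202, true},
    };
    memset(r, 0, sizeof(*r));
    for (unsigned i = 0; i < NR_SLOTS; i++)
        r->data[i].page = -1;
    for (unsigned i = 0; i < 5; i++) {
        r->data[i] = in[i];
        if (in[i].shared)
            r->copy |= 1u << i;
    }
    r->end = 5;
}

/* Pull-data style compaction: collapse entries [first, last] into one private
 * page at `first` and shift the rest down.  move_bits == false leaves the bitmap
 * on the old slots (the desynchronization the patch describes); move_bits == true
 * moves each bit with its entry, clears the bit of the new private page and
 * clears the vacated tail slots. */
static void msg_collapse(struct msg_ring *r, unsigned first, unsigned last,
                         int private_page, bool move_bits)
{
    unsigned removed = last - first;

    r->data[first] = (struct entry){ private_page, false };
    if (move_bits)
        r->copy &= ~(1u << first);
    for (unsigned i = last + 1; i < r->end; i++) {
        r->data[i - removed] = r->data[i];
        if (move_bits)
            r->copy = (r->copy & (1u << i)) ? (r->copy | (1u << (i - removed)))
                                            : (r->copy & ~(1u << (i - removed)));
    }
    for (unsigned i = r->end - removed; i < r->end; i++) {
        r->data[i] = (struct entry){ -1, false };
        if (move_bits)
            r->copy &= ~(1u << i);
    }
    r->end -= removed;
}

/* Live slots whose copy bit disagrees with the ground truth, either direction. */
static int msg_bitmap_mismatches(const struct msg_ring *r)
{
    int n = 0;
    for (unsigned i = r->start; i < r->end; i++)
        n += ((r->copy >> i) & 1u) != (r->data[i].shared ? 1u : 0u);
    return n;
}

/* The dangerous direction only: shared pages with a clear copy bit, which a
 * program would be handed as directly writable packet data. */
static int msg_exposed_shared(const struct msg_ring *r)
{
    int n = 0;
    for (unsigned i = r->start; i < r->end; i++)
        n += r->data[i].shared && !((r->copy >> i) & 1u);
    return n;
}

/* Run the demo compaction; what == 0 returns mismatches, what == 1 exposed entries. */
static int demo(bool move_bits, int what)
{
    struct msg_ring r;
    msg_init_demo(&r);
    msg_collapse(&r, 1, 2, 12, move_bits);
    return what ? msg_exposed_shared(&r) : msg_bitmap_mismatches(&r);
}

int main(void)
{
    printf("bits left behind: %d mismatches, %d shared entries exposed\n", demo(false, 0), demo(false, 1));
    printf("bits moved:       %d mismatches, %d shared entries exposed\n", demo(true, 0), demo(true, 1));
    return 0;
}
```

With the bits left behind, the shared entry that was in slot 4 ends up in slot 3 under the clear bit that belonged to the old private entry there, which is the "copied entry returns with its copy bit clear" case from the commit message; the stale set bits on the now-private slots are the harmless direction, but the checker counts both so that a test would catch either drift.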

