bpf_mptcp_sock_from_subflow() only checks if sk->sk_protocol is
IPPROTO_TCP, but RAW socket can bypass it:

  socket(AF_INET, SOCK_RAW, IPPROTO_TCP)

In this case, it would NOT be valid to call sk_is_mptcp() which will
assume sk is a pointer to a struct tcp_sock, and wrongly checks for:
tcp_sk(sk)->is_mptcp.

This is similar to the modification done on TCP side [1], by Kuniyuki.

Fixes: 3bc253c2e652 ("bpf: Add bpf_skc_to_mptcp_sock_proto")
Link: https://lore.kernel.org/20260430184405.1227386-1-kuniyu@google.com [1]
Cc: Kuniyuki Iwashima <kuniyu@google.com>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
---
net/mptcp/bpf.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/mptcp/bpf.c b/net/mptcp/bpf.c
index aeec9a3b8b05..08bb037f0951 100644
--- a/net/mptcp/bpf.c
+++ b/net/mptcp/bpf.c
@@ -193,7 +193,7 @@ static struct bpf_struct_ops bpf_mptcp_sched_ops = {
struct mptcp_sock *bpf_mptcp_sock_from_subflow(struct sock *sk)
{
- if (sk && sk_fullsock(sk) && sk->sk_protocol == IPPROTO_TCP && sk_is_mptcp(sk))
+ if (sk && sk_fullsock(sk) && sk_is_tcp(sk) && sk_is_mptcp(sk))
return mptcp_sk(mptcp_subflow_ctx(sk)->conn);
return NULL;
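Review bot: the changed condition in bpf_mptcp_sock_from_subflow() carries no comment saying why sk_is_tcp(sk) must precede sk_is_mptcp(sk), so a later cleanup could fold it back into a bare sk->sk_protocol comparison. A one-line comment above the if, stating that a SOCK_RAW socket created with IPPROTO_TCP has the same sk_protocol but is not a struct tcp_sock, would keep the ordering intentional. The diffstat also shows only net/mptcp/bpf.c changing, so nothing in this patch exercises the raw-socket case named in the commit message; a selftest that passes such a socket and expects NULL would pin the fix.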
---
base-commit: fb282c0c802d7e4444bc49867d71e3313315a0f9
change-id: 20260430-mptcp-bpf-mptcp-sock-type-7abeb0700b2c
Best regards,
--
Matthieu Baerts (NGI0) <matttbe@kernel.org>
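The type confusion described in the patch above, as an added userspace model; it is not kernel code and not part of the original thread. The struct layouts, the names old_check, new_check and is_mptcp_guarded, and the sample sockets are assumptions made for illustration, and new_check is modelled on what sk_is_tcp() tests (family, type and protocol).

```c
#include <stdbool.h>
#include <stdio.h>
#include <netinet/in.h>   /* IPPROTO_TCP */
#include <sys/socket.h>   /* AF_INET, AF_INET6, SOCK_STREAM, SOCK_RAW */

/* Hypothetical stand-in for the struct sock fields the checks read. */
struct model_sock { int family, type, protocol; };

/* Stand-in for struct tcp_sock: only this layout has an is_mptcp field. */
struct model_tcp_sock { struct model_sock sk; bool is_mptcp; };

/* Stand-in for a raw socket: same header, but no is_mptcp behind it. */
struct model_raw_sock { struct model_sock sk; unsigned char raw_private[4]; };

/* Gate before the patch (sk_fullsock() left out): protocol number only. */
static bool old_check(const struct model_sock *sk)
{
    return sk && sk->protocol == IPPROTO_TCP;
}

/* Gate after the patch: the socket type is tested as well. */
static bool new_check(const struct model_sock *sk)
{
    return sk && (sk->family == AF_INET || sk->family == AF_INET6) &&
           sk->type == SOCK_STREAM && sk->protocol == IPPROTO_TCP;
}

/* Downcasts to the TCP layout only when the gate accepts the socket. */
static int is_mptcp_guarded(const struct model_sock *sk,
                            bool (*gate)(const struct model_sock *))
{
    if (!gate(sk))
        return -1;  /* rejected: the downcast is never performed */
    return ((const struct model_tcp_sock *)sk)->is_mptcp;
}

/* Constructed samples: a TCP stream socket and a raw socket on IPPROTO_TCP. */
static const struct model_tcp_sock tcp_example = { { AF_INET, SOCK_STREAM, IPPROTO_TCP }, true };
static const struct model_raw_sock raw_example = { { AF_INET, SOCK_RAW, IPPROTO_TCP }, { 0 } };

int main(void)
{
    printf("raw socket: old gate=%d new gate=%d\n",
           old_check(&raw_example.sk), new_check(&raw_example.sk));
    printf("tcp socket: guarded is_mptcp=%d\n",
           is_mptcp_guarded(&tcp_example.sk, new_check));
    return 0;
}
```

With old_check as the gate, the raw socket would reach the downcast and the is_mptcp read would land in memory that belongs to a different structure, which is the case the patch closes.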
On Thu, Apr 30, 2026 at 1:27 PM Matthieu Baerts (NGI0)
<matttbe@kernel.org> wrote:
>
> bpf_mptcp_sock_from_subflow() only checks if sk->sk_protocol is
> IPPROTO_TCP, but RAW socket can bypass it:
>
> socket(AF_INET, SOCK_RAW, IPPROTO_TCP)
>
> In this case, it would NOT be valid to call sk_is_mptcp() which will
> assume sk is a pointer to a struct tcp_sock, and wrongly checks for:
> tcp_sk(sk)->is_mptcp.
>
> This is similar to the modification done on TCP side [1], by Kuniyuki.
>
> Fixes: 3bc253c2e652 ("bpf: Add bpf_skc_to_mptcp_sock_proto")
> Link: https://lore.kernel.org/20260430184405.1227386-1-kuniyu@google.com [1]
> Cc: Kuniyuki Iwashima <kuniyu@google.com>
> Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Hi Kuniyuki,
On 30/04/2026 22:35, Kuniyuki Iwashima wrote:
> On Thu, Apr 30, 2026 at 1:27 PM Matthieu Baerts (NGI0)
> <matttbe@kernel.org> wrote:
>>
>> bpf_mptcp_sock_from_subflow() only checks if sk->sk_protocol is
>> IPPROTO_TCP, but RAW socket can bypass it:
>>
>> socket(AF_INET, SOCK_RAW, IPPROTO_TCP)
>>
>> In this case, it would NOT be valid to call sk_is_mptcp() which will
>> assume sk is a pointer to a struct tcp_sock, and wrongly checks for:
>> tcp_sk(sk)->is_mptcp.
>>
>> This is similar to the modification done on TCP side [1], by Kuniyuki.
>>
>> Fixes: 3bc253c2e652 ("bpf: Add bpf_skc_to_mptcp_sock_proto")
>> Link: https://lore.kernel.org/20260430184405.1227386-1-kuniyu@google.com [1]
>> Cc: Kuniyuki Iwashima <kuniyu@google.com>
>> Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
>
> Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
Thank you for the review!
If you need to send a v2 of your series to the BPF ML, feel free to
include this patch (without the last sentence, the Link and the Cc
tags). But I can also send it separately later if preferred, up to you.
Cheers,
Matt
--
Sponsored by the NGI0 Core fund.
On Thu, Apr 30, 2026 at 1:45 PM Matthieu Baerts <matttbe@kernel.org> wrote:
>
> Hi Kuniyuki,
>
> On 30/04/2026 22:35, Kuniyuki Iwashima wrote:
> > On Thu, Apr 30, 2026 at 1:27 PM Matthieu Baerts (NGI0)
> > <matttbe@kernel.org> wrote:
> >>
> >> bpf_mptcp_sock_from_subflow() only checks if sk->sk_protocol is
> >> IPPROTO_TCP, but RAW socket can bypass it:
> >>
> >> socket(AF_INET, SOCK_RAW, IPPROTO_TCP)
> >>
> >> In this case, it would NOT be valid to call sk_is_mptcp() which will
> >> assume sk is a pointer to a struct tcp_sock, and wrongly checks for:
> >> tcp_sk(sk)->is_mptcp.
> >>
> >> This is similar to the modification done on TCP side [1], by Kuniyuki.
> >>
> >> Fixes: 3bc253c2e652 ("bpf: Add bpf_skc_to_mptcp_sock_proto")
> >> Link: https://lore.kernel.org/20260430184405.1227386-1-kuniyu@google.com [1]
> >> Cc: Kuniyuki Iwashima <kuniyu@google.com>
> >> Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
> >
> > Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
>
> Thank you for the review!
>
> If you need to send a v2 of your series to the BPF ML, feel free to
> include this patch (without the last sentence, the Link and the Cc
> tags).
Sure, will include it in the series and extend the test accordingly.
(I was looking for variants but only in net/core/filter.c and
missed mptcp one :p)
Thanks!
On 30/04/2026 22:48, Kuniyuki Iwashima wrote:
> On Thu, Apr 30, 2026 at 1:45 PM Matthieu Baerts <matttbe@kernel.org> wrote:
>>
>> Hi Kuniyuki,
>>
>> On 30/04/2026 22:35, Kuniyuki Iwashima wrote:
>>> On Thu, Apr 30, 2026 at 1:27 PM Matthieu Baerts (NGI0)
>>> <matttbe@kernel.org> wrote:
>>>>
>>>> bpf_mptcp_sock_from_subflow() only checks if sk->sk_protocol is
>>>> IPPROTO_TCP, but RAW socket can bypass it:
>>>>
>>>> socket(AF_INET, SOCK_RAW, IPPROTO_TCP)
>>>>
>>>> In this case, it would NOT be valid to call sk_is_mptcp() which will
>>>> assume sk is a pointer to a struct tcp_sock, and wrongly checks for:
>>>> tcp_sk(sk)->is_mptcp.
>>>>
>>>> This is similar to the modification done on TCP side [1], by Kuniyuki.
>>>>
>>>> Fixes: 3bc253c2e652 ("bpf: Add bpf_skc_to_mptcp_sock_proto")
>>>> Link: https://lore.kernel.org/20260430184405.1227386-1-kuniyu@google.com [1]
>>>> Cc: Kuniyuki Iwashima <kuniyu@google.com>
>>>> Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
>>>
>>> Reviewed-by: Kuniyuki Iwashima <kuniyu@google.com>
>>
>> Thank you for the review!
>>
>> If you need to send a v2 of your series to the BPF ML, feel free to
>> include this patch (without the last sentence, the Link and the Cc
>> tags).
>
> Sure, will include it in the series and extend the test accordingly.
Great, thank you!
> (I was looking for variants but only in net/core/filter.c and
> missed mptcp one :p)
No problem, that's not the first time it happens! For once, I managed to
catch that quickly :)
Cheers,
Matt
--
Sponsored by the NGI0 Core fund.