[PATCH mptcp-next 0/4] mptcp: bpf: fix scheduler kfunc socket type confusion

Shardul Bankar posted 4 patches 5 days, 16 hours ago
Patches applied successfully
git fetch https://github.com/multipath-tcp/mptcp_net-next tags/patchew/20260629-mptcp._5Fbpf._5Fkfunc._5Ffixes-v1-0-8cc875f36f53@mpiricsoftware.com
There is a newer version of this series
[PATCH mptcp-next 0/4] mptcp: bpf: fix scheduler kfunc socket type confusion
Posted by Shardul Bankar 5 days, 16 hours ago
Two BPF MPTCP packet-scheduler kfuncs accept a generic "struct sock *"
but internally reinterpret it as a specific role (the MPTCP-level
socket, or a subflow's TCP socket). The verifier only enforces that the
argument is a trusted struct sock, so a scheduler struct_ops program can
pass the wrong kind of socket; the kfunc then upcasts and dereferences
it, causing wild pointer use. Both are reachable from a scheduler hook
with no privilege beyond loading the scheduler.

Patch 1: mptcp_set_timeout() expects the msk. A subflow socket passed
  instead is cast via mptcp_sk() and walked as msk->conn_list, causing a
  GPF. Found by an MPTCP protocol-flow harness extending BRF
  (arXiv:2305.08782). Fixed by narrowing the kfunc arg to
  struct mptcp_sock *, so the verifier rejects a non-msk socket at load.

Patch 2: mptcp_pm_subflow_chk_stale()'s ssk arg is a subflow TCP
  socket; a non-subflow socket passed in is reinterpreted via
  mptcp_subflow_ctx() and both read and written through. This kfunc
  legitimately takes a generic socket, so it is fixed with a runtime
  role check in a __bpf_kfunc wrapper, like bpf_mptcp_subflow_ctx().

Patch 3: adds a negative selftest: a scheduler that passes a subflow
  socket to the narrowed bpf_mptcp_set_timeout() must be rejected by the
  verifier; the test asserts the specific load-time type-mismatch
  message.

Patch 4: extends that selftest into a small suite guarding both socket
  type-confusion directions across the narrow-typed scheduler kfunc
  surface (mptcp_wnd_end and mptcp_subflow_set_scheduled), so the
  contract cannot silently regress.

Patches 1 and 2 are squash-to "bpf: Export mptcp packet scheduler
helpers" and update the in-tree burst scheduler selftest to the new
kfunc names.

Signed-off-by: Shardul Bankar <shardul.b@mpiricsoftware.com>
---
Shardul Bankar (4):
      Squash to "bpf: Export mptcp packet scheduler helpers"
      Squash to "bpf: Export mptcp packet scheduler helpers"
      selftests/bpf: mptcp: verify scheduler rejects non-msk socket to set_timeout
      selftests/bpf: mptcp: extend bad scheduler test to the kfunc type contract

 net/mptcp/bpf.c                                    |  17 +++-
 tools/testing/selftests/bpf/prog_tests/mptcp.c     |  57 ++++++++++++
 .../selftests/bpf/progs/mptcp_bpf_bad_sched.c      | 100 +++++++++++++++++++++
 .../testing/selftests/bpf/progs/mptcp_bpf_burst.c  |   8 +-
 4 files changed, 176 insertions(+), 6 deletions(-)
---
base-commit: ba8940c77ff7e7f3081e7e3d8a9146000a3ff2aa
change-id: 20260629-mptcp_bpf_kfunc_fixes-7ab60edc2902

Best regards,
--  
Shardul Bankar <shardul.b@mpiricsoftware.com>
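
The two fix styles the cover letter describes, narrowing the argument type (patch 1) versus a runtime role check in a wrapper (patch 2), modelled in user-space C. This is an added example, not code from the series or from the kernel; every `model_*` name, the `role` tag and the function names are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical user-space model; none of these names exist in the kernel. */
enum model_role { ROLE_PLAIN_TCP, ROLE_MPTCP_SUBFLOW, ROLE_MSK };

struct model_sock {                 /* stands in for struct sock */
    enum model_role role;           /* assumed tag; models "what kind of socket" */
    void *ulp_data;                 /* subflow context, valid only on subflows */
};
struct model_subflow_ctx { bool stale; };
struct model_msk {                  /* stands in for struct mptcp_sock */
    struct model_sock sk;           /* first member: the upcast relies on this */
    long timeout;
};

/* Before: generic argument, unconditional upcast. Given a non-msk socket,
 * the store lands outside the object. Kept for contrast; this example
 * only ever calls it with a real model_msk. */
void set_timeout_unchecked(struct model_sock *sk, long t)
{
    ((struct model_msk *)sk)->timeout = t;
}

/* Fix style 1: narrow the parameter. A caller holding only a model_sock *
 * no longer type-checks, the analogue of rejection at program load. */
void set_timeout_narrow(struct model_msk *msk, long t)
{
    msk->timeout = t;
}

/* Fix style 2: the argument stays generic, so the wrapper verifies the
 * role at run time before reinterpreting and writing through it. */
int chk_stale_checked(struct model_sock *ssk)
{
    if (!ssk || ssk->role != ROLE_MPTCP_SUBFLOW || !ssk->ulp_data)
        return -EINVAL;
    struct model_subflow_ctx *ctx = ssk->ulp_data;
    ctx->stale = true;              /* write reaches a real subflow only */
    return 0;
}

int main(void)
{
    struct model_msk msk = { { ROLE_MSK, NULL }, 0 };
    set_timeout_narrow(&msk, 30);
    return chk_stale_checked(&msk.sk) == -EINVAL ? 0 : 1;
}
```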
Re: [PATCH mptcp-next 0/4] mptcp: bpf: fix scheduler kfunc socket type confusion
Posted by MPTCP CI 5 days, 15 hours ago
Hi Shardul,

Thank you for your modifications, that's great!

Our CI did some validations and here is its report:

- KVM Validation: normal (except selftest_mptcp_join): Success! ✅
- KVM Validation: normal (only selftest_mptcp_join): Success! ✅
- KVM Validation: debug (except selftest_mptcp_join): Success! ✅
- KVM Validation: debug (only selftest_mptcp_join): Success! ✅
- KVM Validation: btf-normal (only bpftest_all): Success! ✅
- KVM Validation: btf-debug (only bpftest_all): Success! ✅
- Task: https://github.com/multipath-tcp/mptcp_net-next/actions/runs/28372391812

Initiator: Patchew Applier
Commits: https://github.com/multipath-tcp/mptcp_net-next/commits/c92d37631698
Patchwork: https://patchwork.kernel.org/project/mptcp/list/?series=1118165


If there are some issues, you can reproduce them using the same environment as
the one used by the CI thanks to a docker image, e.g.:

    $ cd [kernel source code]
    $ docker run -v "${PWD}:${PWD}:rw" -w "${PWD}" --privileged --rm -it \
        --pull always mptcp/mptcp-upstream-virtme-docker:latest \
        auto-normal

For more details:

    https://github.com/multipath-tcp/mptcp-upstream-virtme-docker


Please note that despite all the efforts that have been already done to have a
stable tests suite when executed on a public CI like here, it is possible some
reported issues are not due to your modifications. Still, do not hesitate to
help us improve that ;-)

Cheers,
MPTCP GH Action bot
Bot operated by Matthieu Baerts (NGI0 Core)