From: Geliang Tang <tanggeliang@kylinos.cn>

v3:
 - Add sk_type == SOCK_STREAM check in bpf_iter_mptcp_subflow_new() to
   prevent raw sockets from bypassing validation (new patch 1).
 - Zero iterator state (kit->msk, kit->pos) on error paths in
   bpf_iter_mptcp_subflow_new() to avoid uninitialized dereference.
 - Change bpf_sk_stream_memory_free() signature to accept
   struct mptcp_subflow_context * instead of struct sock *, to make it
   work with burst scheduler.

v2:
 - new patches 2-7, address Sashiko's comments to drop __ign in
   arguments of bpf_sk_stream_memory_free() and bpf_mptcp_subflow_ctx().
 - Link: https://patchwork.kernel.org/project/mptcp/cover/cover.1782106180.git.tanggeliang@kylinos.cn/

v1:
 - Link: https://patchwork.kernel.org/project/mptcp/patch/10a30ed6484cc4d48009625f1ed8e12802e78e94.1781699193.git.tanggeliang@kylinos.cn/

This series addresses BPF verifier issues in the MPTCP packet scheduler
helpers and their selftests.

The initial motivation was to fix an incorrect return value in
bpf_sk_stream_memory_free(): the function returns bool but erroneously
returned NULL. This was fixed by changing it to false and dropping the
KF_RET_NULL flag.

However, further review revealed that both bpf_sk_stream_memory_free()
and bpf_mptcp_subflow_ctx() used the __ign suffix on their pointer
arguments to bypass verifier checks. This approach is unsafe because it
allows untrusted pointers to be passed into kfuncs, potentially leading
to verifier rejection or runtime issues. In practice, passing pointers
like msk->first (which are not marked as trusted) to these kfuncs
triggers the verifier error "R1 must be referenced or trusted".

To resolve this cleanly, the series:

 - Removes bpf_sk_stream_memory_free() entirely, as its functionality can
   be implemented inline in the BPF scheduler (burst) using MPTCP-specific
   memory checks (msk->notsent_lowat and subflow send buffer).
 - Removes the __ign suffix from bpf_mptcp_subflow_ctx() and updates all
   BPF schedulers (first, rr, burst) to avoid calling it. Instead, they
   use bpf_for_each(mptcp_subflow) iterations to obtain trusted subflow
   pointers directly, eliminating the need for reverse lookup from an
   untrusted sock pointer.

With these changes, all BPF scheduler tests pass verification and
function correctly.

Geliang Tang (6):
  Squash to "bpf: Add mptcp_subflow bpf_iter"
  Squash to "bpf: Export mptcp packet scheduler helpers"
  Squash to "selftests/bpf: Add bpf_burst scheduler & test"
  Squash to "bpf: Export mptcp packet scheduler helpers" 2
  Squash to "selftests/bpf: Add bpf_first scheduler & test"
  Squash to "selftests/bpf: Add bpf_rr scheduler & test"

 net/mptcp/bpf.c                               | 28 ++++++++++-------
 .../selftests/bpf/progs/mptcp_bpf_burst.c     | 25 ++++++++--------
 .../selftests/bpf/progs/mptcp_bpf_first.c     | 17 ++++++-----
 .../selftests/bpf/progs/mptcp_bpf_rr.c        | 30 +++++++++++--------
 4 files changed, 57 insertions(+), 43 deletions(-)

--
2.53.0