1. Patchew
  2. linux
  3. [PATCH bpf v3 0/2] bpf: tcp: Fix null-ptr-deref in arbitrary SYN Cookie
  4. View patch

[PATCH bpf v3 2/2] selftests/bpf: Add protocol check test for bpf_sk_assign_tcp_reqsk()

Jiayuan Chen posted 2 patches 6 days, 2 hours ago
There is a newer version of this series
[PATCH bpf v3 2/2] selftests/bpf: Add protocol check test for bpf_sk_assign_tcp_reqsk()
Posted by Jiayuan Chen 6 days, 2 hours ago 
From: Jiayuan Chen <jiayuan.chen@shopee.com>

Add test_tcp_custom_syncookie_protocol_check to verify that
bpf_sk_assign_tcp_reqsk() rejects non-TCP skbs. The test sends a UDP
packet through TC ingress where a BPF program calls
bpf_sk_assign_tcp_reqsk() on it and checks that the kfunc returns an
error. A UDP server recv() is used as synchronization to ensure the
BPF program has finished processing before checking the result.

Without the fix in bpf_sk_assign_tcp_reqsk(), the kfunc succeeds and
attaches a TCP reqsk to the UDP skb, which causes a null pointer
dereference panic when the kernel processes it through the UDP receive
path.

Test result:

  ./test_progs -a tcp_custom_syncookie_protocol_check -v
  setup_netns:PASS:create netns 0 nsec
  setup_netns:PASS:ip 0 nsec
  write_sysctl:PASS:open sysctl 0 nsec
  write_sysctl:PASS:write sysctl 0 nsec
  setup_netns:PASS:write_sysctl 0 nsec
  test_tcp_custom_syncookie_protocol_check:PASS:open_and_load 0 nsec
  setup_tc:PASS:qdisc add dev lo clsact 0 nsec
  setup_tc:PASS:filter add dev lo ingress 0 nsec
  run_protocol_check:PASS:start tcp_server 0 nsec
  run_protocol_check:PASS:start udp_server 0 nsec
  run_protocol_check:PASS:connect udp_client 0 nsec
  run_protocol_check:PASS:send udp 0 nsec
  run_protocol_check:PASS:recv udp 0 nsec
  run_protocol_check:PASS:udp_intercepted 0 nsec
  run_protocol_check:PASS:assign_ret 0 nsec
  #471/1   tcp_custom_syncookie_protocol_check/IPv4 TCP:OK
  run_protocol_check:PASS:start tcp_server 0 nsec
  run_protocol_check:PASS:start udp_server 0 nsec
  run_protocol_check:PASS:connect udp_client 0 nsec
  run_protocol_check:PASS:send udp 0 nsec
  run_protocol_check:PASS:recv udp 0 nsec
  run_protocol_check:PASS:udp_intercepted 0 nsec
  run_protocol_check:PASS:assign_ret 0 nsec
  #471/2   tcp_custom_syncookie_protocol_check/IPv6 TCP:OK
  #471     tcp_custom_syncookie_protocol_check:OK
  Summary: 1/2 PASSED, 0 SKIPPED, 0 FAILED

Cc: Jiayuan Chen <jiayuan.chen@linux.dev>
Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
---
 .../bpf/prog_tests/tcp_custom_syncookie.c     |  94 ++++++++++++++-
 .../bpf/progs/test_tcp_custom_syncookie.c     | 109 ++++++++++++++++++
 2 files changed, 199 insertions(+), 4 deletions(-)

diff --git a/tools/testing/selftests/bpf/prog_tests/tcp_custom_syncookie.c b/tools/testing/selftests/bpf/prog_tests/tcp_custom_syncookie.c
index eaf441dc7e79..e46031d0786b 100644
--- a/tools/testing/selftests/bpf/prog_tests/tcp_custom_syncookie.c
+++ b/tools/testing/selftests/bpf/prog_tests/tcp_custom_syncookie.c
@@ -5,6 +5,7 @@
 #include <sched.h>
 #include <stdlib.h>
 #include <net/if.h>
+#include <netinet/in.h>
 
 #include "test_progs.h"
 #include "cgroup_helpers.h"
@@ -47,11 +48,10 @@ static int setup_netns(void)
 	return -1;
 }
 
-static int setup_tc(struct test_tcp_custom_syncookie *skel)
+static int setup_tc(int prog_fd)
 {
 	LIBBPF_OPTS(bpf_tc_hook, qdisc_lo, .attach_point = BPF_TC_INGRESS);
-	LIBBPF_OPTS(bpf_tc_opts, tc_attach,
-		    .prog_fd = bpf_program__fd(skel->progs.tcp_custom_syncookie));
+	LIBBPF_OPTS(bpf_tc_opts, tc_attach, .prog_fd = prog_fd);
 
 	qdisc_lo.ifindex = if_nametoindex("lo");
 	if (!ASSERT_OK(bpf_tc_hook_create(&qdisc_lo), "qdisc add dev lo clsact"))
@@ -127,7 +127,7 @@ void test_tcp_custom_syncookie(void)
 	if (!ASSERT_OK_PTR(skel, "open_and_load"))
 		return;
 
-	if (setup_tc(skel))
+	if (setup_tc(bpf_program__fd(skel->progs.tcp_custom_syncookie)))
 		goto destroy_skel;
 
 	for (i = 0; i < ARRAY_SIZE(test_cases); i++) {
@@ -145,6 +145,92 @@ void test_tcp_custom_syncookie(void)
 
 destroy_skel:
 	system("tc qdisc del dev lo clsact");
+	test_tcp_custom_syncookie__destroy(skel);
+}
+
+/* Test: bpf_sk_assign_tcp_reqsk() should reject non-TCP skb.
+ *
+ * Send a UDP packet through TC ingress where a BPF program calls
+ * bpf_sk_assign_tcp_reqsk() on it. The kfunc should return an error
+ * because the skb carries UDP, not TCP.
+ *
+ * TCP and UDP servers share the same port. The BPF program intercepts
+ * the UDP packet, looks up the TCP listener via the dest port, and
+ * attempts to assign a TCP reqsk to the UDP skb.
+ */
+static void run_protocol_check(struct test_tcp_custom_syncookie *skel,
+			       int family, const char *addr)
+{
+	int tcp_server = -1, udp_server = -1, udp_client = -1;
+	char buf[32] = "test";
+	int port, ret;
+
+	tcp_server = start_server(family, SOCK_STREAM, addr, 0, 0);
+	if (!ASSERT_NEQ(tcp_server, -1, "start tcp_server"))
+		return;
+
+	port = ntohs(get_socket_local_port(tcp_server));
+
+	/* UDP server on same port for synchronization and port sharing */
+	udp_server = start_server(family, SOCK_DGRAM, addr, port, 0);
+	if (!ASSERT_NEQ(udp_server, -1, "start udp_server"))
+		goto close_tcp;
+
+	skel->bss->udp_intercepted = false;
+	skel->data->assign_ret = -1;
+
+	udp_client = connect_to_fd(udp_server, 0);
+	if (!ASSERT_NEQ(udp_client, -1, "connect udp_client"))
+		goto close_udp_server;
 
+	ret = send(udp_client, buf, sizeof(buf), 0);
+	if (!ASSERT_EQ(ret, sizeof(buf), "send udp"))
+		goto close_udp_client;
+
+	/* recv() ensures TC ingress BPF has processed the skb */
+	ret = recv(udp_server, buf, sizeof(buf), 0);
+	if (!ASSERT_EQ(ret, sizeof(buf), "recv udp"))
+		goto close_udp_client;
+
+	ASSERT_EQ(skel->bss->udp_intercepted, true, "udp_intercepted");
+
+	/* assign_ret == 0 means kfunc accepted UDP skb (bug).
+	 * assign_ret < 0 means kfunc correctly rejected it (fixed).
+	 */
+	ASSERT_NEQ(skel->data->assign_ret, 0, "assign_ret");
+
+close_udp_client:
+	close(udp_client);
+close_udp_server:
+	close(udp_server);
+close_tcp:
+	close(tcp_server);
+}
+
+void test_tcp_custom_syncookie_protocol_check(void)
+{
+	struct test_tcp_custom_syncookie *skel;
+	int i;
+
+	if (setup_netns())
+		return;
+
+	skel = test_tcp_custom_syncookie__open_and_load();
+	if (!ASSERT_OK_PTR(skel, "open_and_load"))
+		return;
+
+	if (setup_tc(bpf_program__fd(skel->progs.tcp_custom_syncookie_badproto)))
+		goto destroy_skel;
+
+	for (i = 0; i < ARRAY_SIZE(test_cases); i++) {
+		if (!test__start_subtest(test_cases[i].name))
+			continue;
+
+		run_protocol_check(skel, test_cases[i].family,
+				   test_cases[i].addr);
+	}
+
+destroy_skel:
+	system("tc qdisc del dev lo clsact");
 	test_tcp_custom_syncookie__destroy(skel);
 }
diff --git a/tools/testing/selftests/bpf/progs/test_tcp_custom_syncookie.c b/tools/testing/selftests/bpf/progs/test_tcp_custom_syncookie.c
index 7d5293de1952..c4834abea9c5 100644
--- a/tools/testing/selftests/bpf/progs/test_tcp_custom_syncookie.c
+++ b/tools/testing/selftests/bpf/progs/test_tcp_custom_syncookie.c
@@ -588,4 +588,113 @@ int tcp_custom_syncookie(struct __sk_buff *skb)
 	return tcp_handle_ack(&ctx);
 }
 
+/* Test: call bpf_sk_assign_tcp_reqsk() on a UDP skb.
+ * The kfunc should reject it because the skb is not TCP.
+ *
+ * TCP and UDP servers share the same port. The BPF program intercepts
+ * UDP packets, looks up the TCP listener on the same port, and tries
+ * to assign a TCP reqsk to the UDP skb.
+ */
+int assign_ret = -1;
+bool udp_intercepted = false;
+
+static int badproto_lookup_assign(struct __sk_buff *skb, struct udphdr *udp,
+				  struct bpf_sock_tuple *tuple, u32 tuple_size)
+{
+	struct bpf_tcp_req_attrs attrs = {};
+	struct bpf_sock *skc;
+	struct sock *sk;
+
+	skc = bpf_skc_lookup_tcp(skb, tuple, tuple_size, -1, 0);
+	if (!skc)
+		return TC_ACT_OK;
+
+	if (skc->state != TCP_LISTEN) {
+		bpf_sk_release(skc);
+		return TC_ACT_OK;
+	}
+
+	sk = (struct sock *)bpf_skc_to_tcp_sock(skc);
+	if (!sk) {
+		bpf_sk_release(skc);
+		return TC_ACT_OK;
+	}
+
+	attrs.mss = 1460;
+	attrs.wscale_ok = 1;
+	attrs.snd_wscale = 7;
+	attrs.rcv_wscale = 7;
+	attrs.sack_ok = 1;
+
+	assign_ret = bpf_sk_assign_tcp_reqsk(skb, sk, &attrs, sizeof(attrs));
+
+	bpf_sk_release(skc);
+	return TC_ACT_OK;
+}
+
+SEC("tc")
+int tcp_custom_syncookie_badproto(struct __sk_buff *skb)
+{
+	void *data = (void *)(long)skb->data;
+	void *data_end = (void *)(long)skb->data_end;
+	struct bpf_sock_tuple tuple = {};
+	struct ethhdr *eth;
+	struct iphdr *iph;
+	struct ipv6hdr *ip6h;
+	struct udphdr *udp;
+
+	eth = (struct ethhdr *)data;
+	if (eth + 1 > data_end)
+		return TC_ACT_OK;
+
+	switch (bpf_ntohs(eth->h_proto)) {
+	case ETH_P_IP:
+		iph = (struct iphdr *)(eth + 1);
+		if (iph + 1 > data_end)
+			return TC_ACT_OK;
+
+		if (iph->protocol != IPPROTO_UDP)
+			return TC_ACT_OK;
+
+		udp = (struct udphdr *)(iph + 1);
+		if (udp + 1 > data_end)
+			return TC_ACT_OK;
+
+		udp_intercepted = true;
+
+		tuple.ipv4.saddr = iph->saddr;
+		tuple.ipv4.daddr = iph->daddr;
+		tuple.ipv4.sport = udp->source;
+		tuple.ipv4.dport = udp->dest;
+
+		return badproto_lookup_assign(skb, udp, &tuple,
+					      sizeof(tuple.ipv4));
+	case ETH_P_IPV6:
+		ip6h = (struct ipv6hdr *)(eth + 1);
+		if (ip6h + 1 > data_end)
+			return TC_ACT_OK;
+
+		if (ip6h->nexthdr != IPPROTO_UDP)
+			return TC_ACT_OK;
+
+		udp = (struct udphdr *)(ip6h + 1);
+		if (udp + 1 > data_end)
+			return TC_ACT_OK;
+
+		udp_intercepted = true;
+
+		__builtin_memcpy(tuple.ipv6.saddr, &ip6h->saddr,
+				 sizeof(tuple.ipv6.saddr));
+		__builtin_memcpy(tuple.ipv6.daddr, &ip6h->daddr,
+				 sizeof(tuple.ipv6.daddr));
+		tuple.ipv6.sport = udp->source;
+		tuple.ipv6.dport = udp->dest;
+
+		return badproto_lookup_assign(skb, udp, &tuple,
+					      sizeof(tuple.ipv6));
+	default:
+		return TC_ACT_OK;
+	}
+}
+
 char _license[] SEC("license") = "GPL";
-- 
2.43.0
Re: [PATCH bpf v3 2/2] selftests/bpf: Add protocol check test for bpf_sk_assign_tcp_reqsk()
Posted by Martin KaFai Lau 5 days, 19 hours ago 

On 3/27/26 6:38 AM, Jiayuan Chen wrote:
> From: Jiayuan Chen <jiayuan.chen@shopee.com>
> 
> Add test_tcp_custom_syncookie_protocol_check to verify that
> bpf_sk_assign_tcp_reqsk() rejects non-TCP skbs. The test sends a UDP
> packet through TC ingress where a BPF program calls
> bpf_sk_assign_tcp_reqsk() on it and checks that the kfunc returns an
> error. A UDP server recv() is used as synchronization to ensure the
> BPF program has finished processing before checking the result.
> 
> Without the fix in bpf_sk_assign_tcp_reqsk(), the kfunc succeeds and
> attaches a TCP reqsk to the UDP skb, which causes a null pointer
> dereference panic when the kernel processes it through the UDP receive
> path.
> 
> Test result:
> 
>    ./test_progs -a tcp_custom_syncookie_protocol_check -v
>    setup_netns:PASS:create netns 0 nsec
>    setup_netns:PASS:ip 0 nsec
>    write_sysctl:PASS:open sysctl 0 nsec
>    write_sysctl:PASS:write sysctl 0 nsec
>    setup_netns:PASS:write_sysctl 0 nsec
>    test_tcp_custom_syncookie_protocol_check:PASS:open_and_load 0 nsec
>    setup_tc:PASS:qdisc add dev lo clsact 0 nsec
>    setup_tc:PASS:filter add dev lo ingress 0 nsec
>    run_protocol_check:PASS:start tcp_server 0 nsec
>    run_protocol_check:PASS:start udp_server 0 nsec
>    run_protocol_check:PASS:connect udp_client 0 nsec
>    run_protocol_check:PASS:send udp 0 nsec
>    run_protocol_check:PASS:recv udp 0 nsec
>    run_protocol_check:PASS:udp_intercepted 0 nsec
>    run_protocol_check:PASS:assign_ret 0 nsec
>    #471/1   tcp_custom_syncookie_protocol_check/IPv4 TCP:OK
>    run_protocol_check:PASS:start tcp_server 0 nsec
>    run_protocol_check:PASS:start udp_server 0 nsec
>    run_protocol_check:PASS:connect udp_client 0 nsec
>    run_protocol_check:PASS:send udp 0 nsec
>    run_protocol_check:PASS:recv udp 0 nsec
>    run_protocol_check:PASS:udp_intercepted 0 nsec
>    run_protocol_check:PASS:assign_ret 0 nsec
>    #471/2   tcp_custom_syncookie_protocol_check/IPv6 TCP:OK
>    #471     tcp_custom_syncookie_protocol_check:OK
>    Summary: 1/2 PASSED, 0 SKIPPED, 0 FAILED
> 
> Cc: Jiayuan Chen <jiayuan.chen@linux.dev>
> Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
> ---
>   .../bpf/prog_tests/tcp_custom_syncookie.c     |  94 ++++++++++++++-
>   .../bpf/progs/test_tcp_custom_syncookie.c     | 109 ++++++++++++++++++
>   2 files changed, 199 insertions(+), 4 deletions(-)
> 
> diff --git a/tools/testing/selftests/bpf/prog_tests/tcp_custom_syncookie.c b/tools/testing/selftests/bpf/prog_tests/tcp_custom_syncookie.c
> index eaf441dc7e79..e46031d0786b 100644
> --- a/tools/testing/selftests/bpf/prog_tests/tcp_custom_syncookie.c
> +++ b/tools/testing/selftests/bpf/prog_tests/tcp_custom_syncookie.c
> @@ -5,6 +5,7 @@
>   #include <sched.h>
>   #include <stdlib.h>
>   #include <net/if.h>
> +#include <netinet/in.h>
>   
>   #include "test_progs.h"
>   #include "cgroup_helpers.h"
> @@ -47,11 +48,10 @@ static int setup_netns(void)
>   	return -1;
>   }
>   
> -static int setup_tc(struct test_tcp_custom_syncookie *skel)
> +static int setup_tc(int prog_fd)
>   {
>   	LIBBPF_OPTS(bpf_tc_hook, qdisc_lo, .attach_point = BPF_TC_INGRESS);
> -	LIBBPF_OPTS(bpf_tc_opts, tc_attach,
> -		    .prog_fd = bpf_program__fd(skel->progs.tcp_custom_syncookie));
> +	LIBBPF_OPTS(bpf_tc_opts, tc_attach, .prog_fd = prog_fd);
>   
>   	qdisc_lo.ifindex = if_nametoindex("lo");
>   	if (!ASSERT_OK(bpf_tc_hook_create(&qdisc_lo), "qdisc add dev lo clsact"))
> @@ -127,7 +127,7 @@ void test_tcp_custom_syncookie(void)
>   	if (!ASSERT_OK_PTR(skel, "open_and_load"))
>   		return;
>   
> -	if (setup_tc(skel))
> +	if (setup_tc(bpf_program__fd(skel->progs.tcp_custom_syncookie)))
>   		goto destroy_skel;
>   
>   	for (i = 0; i < ARRAY_SIZE(test_cases); i++) {
> @@ -145,6 +145,92 @@ void test_tcp_custom_syncookie(void)
>   
>   destroy_skel:
>   	system("tc qdisc del dev lo clsact");
> +	test_tcp_custom_syncookie__destroy(skel);
> +}
> +
> +/* Test: bpf_sk_assign_tcp_reqsk() should reject non-TCP skb.
> + *
> + * Send a UDP packet through TC ingress where a BPF program calls
> + * bpf_sk_assign_tcp_reqsk() on it. The kfunc should return an error
> + * because the skb carries UDP, not TCP.
> + *
> + * TCP and UDP servers share the same port. The BPF program intercepts
> + * the UDP packet, looks up the TCP listener via the dest port, and
> + * attempts to assign a TCP reqsk to the UDP skb.
> + */
> +static void run_protocol_check(struct test_tcp_custom_syncookie *skel,
> +			       int family, const char *addr)
> +{
> +	int tcp_server = -1, udp_server = -1, udp_client = -1;
> +	char buf[32] = "test";
> +	int port, ret;
> +
> +	tcp_server = start_server(family, SOCK_STREAM, addr, 0, 0);
> +	if (!ASSERT_NEQ(tcp_server, -1, "start tcp_server"))
> +		return;
> +
> +	port = ntohs(get_socket_local_port(tcp_server));
> +
> +	/* UDP server on same port for synchronization and port sharing */
> +	udp_server = start_server(family, SOCK_DGRAM, addr, port, 0);
> +	if (!ASSERT_NEQ(udp_server, -1, "start udp_server"))
> +		goto close_tcp;
> +
> +	skel->bss->udp_intercepted = false;
> +	skel->data->assign_ret = -1;

assign_ret is init to -1

> +
> +	udp_client = connect_to_fd(udp_server, 0);
> +	if (!ASSERT_NEQ(udp_client, -1, "connect udp_client"))
> +		goto close_udp_server;
>   
> +	ret = send(udp_client, buf, sizeof(buf), 0);
> +	if (!ASSERT_EQ(ret, sizeof(buf), "send udp"))
> +		goto close_udp_client;
> +
> +	/* recv() ensures TC ingress BPF has processed the skb */
> +	ret = recv(udp_server, buf, sizeof(buf), 0);
> +	if (!ASSERT_EQ(ret, sizeof(buf), "recv udp"))
> +		goto close_udp_client;
> +
> +	ASSERT_EQ(skel->bss->udp_intercepted, true, "udp_intercepted");
> +
> +	/* assign_ret == 0 means kfunc accepted UDP skb (bug).
> +	 * assign_ret < 0 means kfunc correctly rejected it (fixed).
> +	 */
> +	ASSERT_NEQ(skel->data->assign_ret, 0, "assign_ret");

and here it checks NEQ 0....

Maybe init assign_ret to 0?

Also, why not specifically check for -EINVAL?
Re: [PATCH bpf v3 2/2] selftests/bpf: Add protocol check test for bpf_sk_assign_tcp_reqsk()
Posted by Jiayuan Chen 5 days, 4 hours ago 
On 3/28/26 3:53 AM, Martin KaFai Lau wrote:
>> From: Jiayuan Chen <jiayuan.chen@shopee.com>
>>
>> Add test_tcp_custom_syncookie_protocol_check to verify that
>> bpf_sk_assign_tcp_reqsk() rejects non-TCP skbs. The test sends a UDP
>> packet through TC ingress where a BPF program calls
>> bpf_sk_assign_tcp_reqsk() on it and checks that the kfunc returns an
>> error. A UDP server recv() is used as synchronization to ensure the
>> BPF program has finished processing before checking the result.
>>
>> Without the fix in bpf_sk_assign_tcp_reqsk(), the kfunc succeeds and
>> attaches a TCP reqsk to the UDP skb, which causes a null pointer
>> dereference panic when the kernel processes it through the UDP receive
>> path.
>>
>> Test result:
>>
>>    ./test_progs -a tcp_custom_syncookie_protocol_check -v
>>    setup_netns:PASS:create netns 0 nsec
>>    setup_netns:PASS:ip 0 nsec
>>    write_sysctl:PASS:open sysctl 0 nsec
>>    write_sysctl:PASS:write sysctl 0 nsec
>>    setup_netns:PASS:write_sysctl 0 nsec
>>    test_tcp_custom_syncookie_protocol_check:PASS:open_and_load 0 nsec
>>    setup_tc:PASS:qdisc add dev lo clsact 0 nsec
>>    setup_tc:PASS:filter add dev lo ingress 0 nsec
>>    run_protocol_check:PASS:start tcp_server 0 nsec
>>    run_protocol_check:PASS:start udp_server 0 nsec
>>    run_protocol_check:PASS:connect udp_client 0 nsec
>>    run_protocol_check:PASS:send udp 0 nsec
>>    run_protocol_check:PASS:recv udp 0 nsec
>>    run_protocol_check:PASS:udp_intercepted 0 nsec
>>    run_protocol_check:PASS:assign_ret 0 nsec
>>    #471/1   tcp_custom_syncookie_protocol_check/IPv4 TCP:OK
>>    run_protocol_check:PASS:start tcp_server 0 nsec
>>    run_protocol_check:PASS:start udp_server 0 nsec
>>    run_protocol_check:PASS:connect udp_client 0 nsec
>>    run_protocol_check:PASS:send udp 0 nsec
>>    run_protocol_check:PASS:recv udp 0 nsec
>>    run_protocol_check:PASS:udp_intercepted 0 nsec
>>    run_protocol_check:PASS:assign_ret 0 nsec
>>    #471/2   tcp_custom_syncookie_protocol_check/IPv6 TCP:OK
>>    #471     tcp_custom_syncookie_protocol_check:OK
>>    Summary: 1/2 PASSED, 0 SKIPPED, 0 FAILED
>>
>> Cc: Jiayuan Chen <jiayuan.chen@linux.dev>
>> Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
>> ---
>>   .../bpf/prog_tests/tcp_custom_syncookie.c     |  94 ++++++++++++++-
>>   .../bpf/progs/test_tcp_custom_syncookie.c     | 109 ++++++++++++++++++
>>   2 files changed, 199 insertions(+), 4 deletions(-)
>>
>> diff --git 
>> a/tools/testing/selftests/bpf/prog_tests/tcp_custom_syncookie.c 
>> b/tools/testing/selftests/bpf/prog_tests/tcp_custom_syncookie.c
>> index eaf441dc7e79..e46031d0786b 100644
>> --- a/tools/testing/selftests/bpf/prog_tests/tcp_custom_syncookie.c
>> +++ b/tools/testing/selftests/bpf/prog_tests/tcp_custom_syncookie.c
>> @@ -5,6 +5,7 @@
>>   #include <sched.h>
>>   #include <stdlib.h>
>>   #include <net/if.h>
>> +#include <netinet/in.h>
>>     #include "test_progs.h"
>>   #include "cgroup_helpers.h"
>> @@ -47,11 +48,10 @@ static int setup_netns(void)
>>       return -1;
>>   }
>>   -static int setup_tc(struct test_tcp_custom_syncookie *skel)
>> +static int setup_tc(int prog_fd)
>>   {
>>       LIBBPF_OPTS(bpf_tc_hook, qdisc_lo, .attach_point = 
>> BPF_TC_INGRESS);
>> -    LIBBPF_OPTS(bpf_tc_opts, tc_attach,
>> -            .prog_fd = 
>> bpf_program__fd(skel->progs.tcp_custom_syncookie));
>> +    LIBBPF_OPTS(bpf_tc_opts, tc_attach, .prog_fd = prog_fd);
>>         qdisc_lo.ifindex = if_nametoindex("lo");
>>       if (!ASSERT_OK(bpf_tc_hook_create(&qdisc_lo), "qdisc add dev lo 
>> clsact"))
>> @@ -127,7 +127,7 @@ void test_tcp_custom_syncookie(void)
>>       if (!ASSERT_OK_PTR(skel, "open_and_load"))
>>           return;
>>   -    if (setup_tc(skel))
>> +    if (setup_tc(bpf_program__fd(skel->progs.tcp_custom_syncookie)))
>>           goto destroy_skel;
>>         for (i = 0; i < ARRAY_SIZE(test_cases); i++) {
>> @@ -145,6 +145,92 @@ void test_tcp_custom_syncookie(void)
>>     destroy_skel:
>>       system("tc qdisc del dev lo clsact");
>> +    test_tcp_custom_syncookie__destroy(skel);
>> +}
>> +
>> +/* Test: bpf_sk_assign_tcp_reqsk() should reject non-TCP skb.
>> + *
>> + * Send a UDP packet through TC ingress where a BPF program calls
>> + * bpf_sk_assign_tcp_reqsk() on it. The kfunc should return an error
>> + * because the skb carries UDP, not TCP.
>> + *
>> + * TCP and UDP servers share the same port. The BPF program intercepts
>> + * the UDP packet, looks up the TCP listener via the dest port, and
>> + * attempts to assign a TCP reqsk to the UDP skb.
>> + */
>> +static void run_protocol_check(struct test_tcp_custom_syncookie *skel,
>> +                   int family, const char *addr)
>> +{
>> +    int tcp_server = -1, udp_server = -1, udp_client = -1;
>> +    char buf[32] = "test";
>> +    int port, ret;
>> +
>> +    tcp_server = start_server(family, SOCK_STREAM, addr, 0, 0);
>> +    if (!ASSERT_NEQ(tcp_server, -1, "start tcp_server"))
>> +        return;
>> +
>> +    port = ntohs(get_socket_local_port(tcp_server));
>> +
>> +    /* UDP server on same port for synchronization and port sharing */
>> +    udp_server = start_server(family, SOCK_DGRAM, addr, port, 0);
>> +    if (!ASSERT_NEQ(udp_server, -1, "start udp_server"))
>> +        goto close_tcp;
>> +
>> +    skel->bss->udp_intercepted = false;
>> +    skel->data->assign_ret = -1;
>
> assign_ret is init to -1
>
>> +
>> +    udp_client = connect_to_fd(udp_server, 0);
>> +    if (!ASSERT_NEQ(udp_client, -1, "connect udp_client"))
>> +        goto close_udp_server;
>>   +    ret = send(udp_client, buf, sizeof(buf), 0);
>> +    if (!ASSERT_EQ(ret, sizeof(buf), "send udp"))
>> +        goto close_udp_client;
>> +
>> +    /* recv() ensures TC ingress BPF has processed the skb */
>> +    ret = recv(udp_server, buf, sizeof(buf), 0);
>> +    if (!ASSERT_EQ(ret, sizeof(buf), "recv udp"))
>> +        goto close_udp_client;
>> +
>> +    ASSERT_EQ(skel->bss->udp_intercepted, true, "udp_intercepted");
>> +
>> +    /* assign_ret == 0 means kfunc accepted UDP skb (bug).
>> +     * assign_ret < 0 means kfunc correctly rejected it (fixed).
>> +     */
>> +    ASSERT_NEQ(skel->data->assign_ret, 0, "assign_ret");
>
> and here it checks NEQ 0....
>
> Maybe init assign_ret to 0?
>
> Also, why not specifically check for -EINVAL?


You're right, checking for -EINVAL is more precise and avoids hiding a 
silent failure in the lookup path.

Will init assign_ret to 0 and check for -EINVAL instead.

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.