From: Jiayuan Chen <jiayuan.chen@linux.dev>
To: KaFai Wan <kafai.wan@linux.dev>,
ast@kernel.org, daniel@iogearbox.net, john.fastabend@gmail.com,
andrii@kernel.org, martin.lau@linux.dev, eddyz87@gmail.com,
memxor@gmail.com, song@kernel.org, yonghong.song@linux.dev,
jolsa@kernel.org, sdf@fomichev.me, davem@davemloft.net,
edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
horms@kernel.org, dsahern@kernel.org, shuah@kernel.org,
ihor.solodrai@linux.dev, jiayuan.chen@linux.dev,
hoyeon.lee@suse.com, ameryhung@gmail.com, bpf@vger.kernel.org,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
linux-kselftest@vger.kernel.org
Subject: Re: [PATCH bpf-next v4 2/4] bpf: Reject TCP_NODELAY in bpf-tcp-cc
Date: Wed, 22 Apr 2026 13:05:49 +0800 [thread overview]
Message-ID: <e03558e0-e097-4480-b5d7-de2979b576ea@linux.dev> (raw)
In-Reply-To: <20260421155804.135786-3-kafai.wan@linux.dev>
On 4/21/26 11:58 PM, KaFai Wan wrote:
> A BPF TCP congestion control program can call bpf_setsockopt() from
> its callbacks. In current kernels, if it calls
> bpf_setsockopt(TCP_NODELAY) from cwnd_event_tx_start(), the call can
> re-enter the TCP transmit path before the outer tcp_transmit_skb()
> has completed and advanced the send head.
>
> This can re-trigger CA_EVENT_TX_START and lead to unbounded recursion:
>
> tcp_transmit_skb()
> -> tcp_event_data_sent()
> -> tcp_ca_event(sk, CA_EVENT_TX_START)
> -> cwnd_event_tx_start()
> -> bpf_setsockopt(TCP_NODELAY)
> -> tcp_push_pending_frames()
> -> tcp_write_xmit()
> -> tcp_transmit_skb()
>
> This leads to unbounded recursion and can overflow the kernel stack.
>
> Reject TCP_NODELAY with -EOPNOTSUPP for bpf-tcp-cc by introducing
> a dedicated setsockopt proto for BPF_PROG_TYPE_STRUCT_OPS TCP
> congestion control programs.
>
> Fixes: 7e41df5dbba2 ("bpf: Add a few optnames to bpf_setsockopt")
> Suggested-by: Martin KaFai Lau <martin.lau@linux.dev>
> Signed-off-by: KaFai Wan <kafai.wan@linux.dev>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
next prev parent reply other threads:[~2026-04-22 5:06 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-21 15:58 [PATCH bpf-next v4 0/4] bpf: Reject TCP_NODELAY in TCP header option KaFai Wan
2026-04-21 15:58 ` [PATCH bpf-next v4 1/4] bpf: Reject TCP_NODELAY in TCP header option callbacks KaFai Wan
2026-04-21 16:51 ` bot+bpf-ci
2026-04-21 23:53 ` KaFai Wan
2026-04-21 15:58 ` [PATCH bpf-next v4 2/4] bpf: Reject TCP_NODELAY in bpf-tcp-cc KaFai Wan
2026-04-22 5:05 ` Jiayuan Chen [this message]
2026-04-21 15:58 ` [PATCH bpf-next v4 3/4] selftests/bpf: Test TCP_NODELAY in TCP hdr opt callbacks KaFai Wan
2026-04-21 15:58 ` [PATCH bpf-next v4 4/4] selftests/bpf: Verify bpf-tcp-cc rejects TCP_NODELAY KaFai Wan
2026-04-22 16:43 ` sashiko-bot
2026-04-22 20:36 ` [PATCH bpf-next v4 0/4] bpf: Reject TCP_NODELAY in TCP header option patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e03558e0-e097-4480-b5d7-de2979b576ea@linux.dev \
--to=jiayuan.chen@linux.dev \
--cc=ameryhung@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=eddyz87@gmail.com \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=hoyeon.lee@suse.com \
--cc=ihor.solodrai@linux.dev \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kafai.wan@linux.dev \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=memxor@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=sdf@fomichev.me \
--cc=shuah@kernel.org \
--cc=song@kernel.org \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.