From: sashiko-bot@kernel.org
To: "Kuniyuki Iwashima" <kuniyu@google.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH v1 bpf-next 8/8] selftest: bpf: Add test for BPF_SOCK_OPS_RCVLOWAT_CB.
Date: Fri, 08 May 2026 22:17:19 +0000 [thread overview]
Message-ID: <20260508221719.EED64C2BCB0@smtp.kernel.org> (raw)
In-Reply-To: <20260508073355.3916746-9-kuniyu@google.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [Medium] Flaky test design due to race condition between send() and epoll_wait()/getsockopt().
- [Medium] Pipelined data causes a TOCTOU race that permanently breaks and disables the BPF autolowat program.
--
commit 7be0b88b0617982ff63886ecdcf680fd3a6f0db8
Author: Kuniyuki Iwashima <kuniyu@google.com>
selftest: bpf: Add test for BPF_SOCK_OPS_RCVLOWAT_CB.
This commit adds a selftest simulating a production scenario where a BPF
program dynamically adjusts a socket's SO_RCVLOWAT based on the parsing
of RPC descriptors. The test exchanges partial and full RPC frames over
a local connection and verifies that epoll wakes up the application at
the correct boundaries.
> diff --git a/tools/testing/selftests/bpf/prog_tests/tcp_autolowat.c b/tools/testing/selftests/bpf/prog_tests/tcp_autolowat.c
> --- a/tools/testing/selftests/bpf/prog_tests/tcp_autolowat.c
> +++ b/tools/testing/selftests/bpf/prog_tests/tcp_autolowat.c
[ ... ]
> @@ -0,0 +1,350 @@
> +static void tcp_autolowat_run_rpc_test(struct tcp_autolowat_test_cb *cb,
> + struct rpc_test_case *test_case)
> +{
[ ... ]
> + switch (event->type) {
> + case RPC_EVENT_END:
> + return;
> + case RPC_EVENT_AUTOLOWAT:
> + err = setsockopt(cb->child, SOL_BPF, BPF_TCP_AUTOLOWAT,
> + &event->val, sizeof(event->val));
> + if (!ASSERT_OK(err, "setsockopt"))
> + return;
> + break;
> + case RPC_EVENT_SEND:
> + err = send(cb->client, ptr, event->len, 0);
> + if (!ASSERT_EQ(err, event->len, "send"))
> + return;
> +
> + ptr += event->len;
> + break;
[ ... ]
> + case RPC_EVENT_EPOLL:
> + err = epoll_wait(cb->epoll, &ev, 1, 0);
> + if (!ASSERT_EQ(err, event->nfds, "epoll_wait"))
> + return;
> + break;
> + case RPC_EVENT_RCVLOWAT:
> + optval = 0;
> + optlen = sizeof(optval);
> +
> + err = getsockopt(cb->child, SOL_SOCKET, SO_RCVLOWAT, &optval, &optlen);
> + if (!ASSERT_OK(err, "getsockopt") ||
> + !ASSERT_EQ(optval, event->rcvlowat, "rcvlowat"))
> + return;
> + break;
> + }
Are the epoll and getsockopt checks vulnerable to flaky failures
under load?
Since TCP loopback delivery can be deferred to softirq context, could
epoll_wait with a 0-millisecond timeout return 0 if the packet hasn't
been queued yet?
Similarly, could getsockopt read a stale SO_RCVLOWAT value before the
BPF program gets a chance to update it?
Would using a polling loop or a positive epoll timeout prevent
intermittent test failures?
> diff --git a/tools/testing/selftests/bpf/progs/tcp_autolowat.c b/tools/testing/selftests/bpf/progs/tcp_autolowat.c
> --- a/tools/testing/selftests/bpf/progs/tcp_autolowat.c
> +++ b/tools/testing/selftests/bpf/progs/tcp_autolowat.c
[ ... ]
> @@ -0,0 +1,316 @@
> +static int tcp_parse_descriptor(struct bpf_sock_ops *skops,
> + struct tcp_autolowat_cb *cb,
> + u32 seq, u32 end_seq)
> +{
> + struct rpc_descriptor *rpc_desc;
> + u32 rpc_copied_seq;
> + u32 copy_len;
> + u64 rpc_len;
> + int err;
> +
> + rpc_copied_seq = cb->rpc_desc_seq + cb->rpc_desc_buff_len;
> +
> + if (before(cb->rpc_desc_seq + RPC_DESC_SIZE, end_seq))
> + copy_len = RPC_DESC_SIZE - cb->rpc_desc_buff_len;
> + else
> + copy_len = end_seq - rpc_copied_seq;
> +
> + /* Since LLVM commit 324e27e8bad83ca23a3cd276d7e2e729b1b0b8c7,
> + * clang omits the "copy_len == 0" check below, which is necessary
> + * to satisfy the BPF verifier's range check for bpf_skb_load_bytes().
> + */
> + barrier_var(copy_len);
> +
> + if (copy_len == 0)
> + goto disable; /* FIN. */
> + if (copy_len > RPC_DESC_SIZE)
> + goto disable; /* always false, only for verifier. */
> + if (cb->rpc_desc_buf + cb->rpc_desc_buff_len >= &cb->rpc_desc_buf[RPC_DESC_SIZE])
> + goto disable; /* always false, only for verifier. */
> +
> + err = bpf_skb_load_bytes(skops, rpc_copied_seq - seq,
> + cb->rpc_desc_buf + cb->rpc_desc_buff_len, copy_len);
> + if (err)
> + goto disable;
Is there a race condition if pipelined data is already in the receive
queue when BPF_TCP_AUTOLOWAT is enabled?
Looking at tcp_init_autolowat_cb(), cb->rpc_desc_seq is initialized to
tp->copied_seq. If there is already unread data in the queue, the next
packet arrival triggers BPF_SOCK_OPS_RCVLOWAT_CB.
Because seq (which comes from tcb->seq) corresponds to the new packet
and is greater than tp->copied_seq, will rpc_copied_seq - seq underflow?
If it underflows to a large positive value, won't bpf_skb_load_bytes()
fail with -EFAULT, causing the code to jump to the disable label and
permanently disable the autolowat functionality for this socket?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260508073355.3916746-1-kuniyu@google.com?part=8
next prev parent reply other threads:[~2026-05-08 22:17 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-08 7:33 [PATCH v1 bpf-next 0/8] bpf: Add SOCK_OPS hooks for TCP AutoLOWAT Kuniyuki Iwashima
2026-05-08 7:33 ` [PATCH v1 bpf-next 1/8] selftest: bpf: Use BPF_SOCK_OPS_ALL_CB_FLAGS + 1 for bad_cb_test_rv Kuniyuki Iwashima
2026-05-08 19:02 ` sashiko-bot
2026-05-08 20:21 ` Kuniyuki Iwashima
2026-05-08 7:33 ` [PATCH v1 bpf-next 2/8] bpf: tcp: Introduce BPF_SOCK_OPS_RCVLOWAT_CB Kuniyuki Iwashima
2026-05-08 19:17 ` sashiko-bot
2026-05-08 20:26 ` Kuniyuki Iwashima
2026-05-08 7:33 ` [PATCH v1 bpf-next 3/8] bpf: tcp: Support bpf_skb_load_bytes() for BPF_SOCK_OPS_RCVLOWAT_CB Kuniyuki Iwashima
2026-05-08 15:15 ` Stanislav Fomichev
2026-05-08 19:45 ` Kuniyuki Iwashima
2026-05-11 14:56 ` Stanislav Fomichev
2026-05-08 7:33 ` [PATCH v1 bpf-next 4/8] tcp: Split out __tcp_set_rcvlowat() Kuniyuki Iwashima
2026-05-08 7:33 ` [PATCH v1 bpf-next 5/8] bpf: tcp: Add kfunc to adjust sk->sk_rcvlowat Kuniyuki Iwashima
2026-05-11 12:34 ` Björn Töpel
2026-05-08 7:33 ` [PATCH v1 bpf-next 6/8] bpf: tcp: Factorise bpf_skops_established() Kuniyuki Iwashima
2026-05-08 7:33 ` [PATCH v1 bpf-next 7/8] bpf: tcp: Add SOCK_OPS rcvlowat hook Kuniyuki Iwashima
2026-05-08 10:37 ` Jiayuan Chen
2026-05-08 11:30 ` Kuniyuki Iwashima
2026-05-08 12:19 ` Jiayuan Chen
2026-05-08 15:28 ` Stanislav Fomichev
2026-05-08 20:05 ` Kuniyuki Iwashima
2026-05-11 14:55 ` Stanislav Fomichev
2026-05-08 21:46 ` sashiko-bot
2026-05-08 7:33 ` [PATCH v1 bpf-next 8/8] selftest: bpf: Add test for BPF_SOCK_OPS_RCVLOWAT_CB Kuniyuki Iwashima
2026-05-08 15:35 ` Stanislav Fomichev
2026-05-08 20:19 ` Kuniyuki Iwashima
2026-05-08 21:47 ` Stanislav Fomichev
2026-05-08 21:58 ` Kuniyuki Iwashima
2026-05-08 22:17 ` sashiko-bot [this message]
2026-05-08 22:47 ` Kuniyuki Iwashima
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260508221719.EED64C2BCB0@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=kuniyu@google.com \
--cc=sashiko@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox