Re: [PATCH net-next v1] mptcp: fix incorrect IPv4/IPv6 check

["Jiayuan Chen" <jiayuan.chen@linux.dev>]

October 14, 2025 at 23:27, "Matthieu Baerts" <matttbe@kernel.org mailto:matttbe@kernel.org?to=%22Matthieu%20Baerts%22%20%3Cmatttbe%40kernel.org%3E > wrote:


> 
> Hi Jiayuan,
> 
> Thank you for sharing this patch!
> 
> On 14/10/2025 14:26, Jiayuan Chen wrote:
> 
> > 
> > When MPTCP falls back to normal TCP, it needs to reset proto_ops. However,
> >  for sockmap and TLS, they have their own custom proto_ops, so simply
> >  checking sk->sk_prot is insufficient.
> >  
> >  For example, an IPv6 request might incorrectly follow the IPv4 code path,
> >  leading to kernel panic.
> > 
> Did you experiment issues, or is it a supposition? If yes, do you have
> traces containing such panics (or just a WARN()?), and ideally the
> userspace code that was leading to this?
> 


Thank you, Matthieu, for your suggestions. I spent some time revisiting the MPTCP logic.


Now I need to describe how sockmap/skmsg works to explain its conflict with MPTCP:

1. skmsg works by replacing sk_data_ready, recvmsg, sendmsg operations and implementing
fast socket-level forwarding logic

2. Users can obtain file descriptors through userspace socket()/accept() interfaces, then
   call BPF syscall to perform these replacements.
3. Users can also use the bpf_sock_hash_update helper (in sockops programs) to replace
   handlers when TCP connections enter ESTABLISHED state (BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB or BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB)

For MPTCP to work with sockmap, I believe we need to address the following points
(please correct me if I have any conceptual misunderstandings about MPTCP):

1. From client perspective: When a user connects to a server via socket(), the kernel
   creates one master sk and at least two subflow sk's. Since the master sk doesn't participate
   in the three-way handshake, in the sockops flow we can only access the subflow sk's.
   In this case, we need to replace the handlers of mptcp_subflow_ctx(sk)->conn rather
   than the subflow sk itself.

2. From server perspective: In BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB, the sk is the MP_CAPABLE
   subflow sk, so similar to the client perspective, we need to replace the handlers of
   mptcp_subflow_ctx(sk)->conn.

If the above description is correct, then my current patch is incorrect. I should focus on
handling the sockmap handler replacement flow properly instead.

Of course, this would require comprehensive selftests to validate.

Returning to the initial issue, the panic occurred on kernel 6.1, but when I tested with the
latest upstream test environment, it only triggered a WARN().
I suspect there have been significant changes in MPTCP during this period.