From: Jiayuan Chen <jiayuan.chen@linux.dev>
To: Martin KaFai Lau <martin.lau@linux.dev>
Cc: Jiayuan Chen <jiayuan.chen@shopee.com>,
Daniel Borkmann <daniel@iogearbox.net>,
John Fastabend <john.fastabend@gmail.com>,
Stanislav Fomichev <sdf@fomichev.me>,
Alexei Starovoitov <ast@kernel.org>,
Andrii Nakryiko <andrii@kernel.org>,
Eduard Zingerman <eddyz87@gmail.com>, Song Liu <song@kernel.org>,
Yonghong Song <yonghong.song@linux.dev>,
KP Singh <kpsingh@kernel.org>, Hao Luo <haoluo@google.com>,
Jiri Olsa <jolsa@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>, Shuah Khan <shuah@kernel.org>,
Kuniyuki Iwashima <kuniyu@google.com>,
bpf@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org
Subject: Re: [PATCH bpf v3 2/2] selftests/bpf: Add protocol check test for bpf_sk_assign_tcp_reqsk()
Date: Sat, 28 Mar 2026 18:58:01 +0800 [thread overview]
Message-ID: <f33c5124-3865-455e-a048-73d87d020bec@linux.dev> (raw)
In-Reply-To: <8d619537-cb9a-4fdb-a440-20b59b7f5088@linux.dev>
On 3/28/26 3:53 AM, Martin KaFai Lau wrote:
>> From: Jiayuan Chen <jiayuan.chen@shopee.com>
>>
>> Add test_tcp_custom_syncookie_protocol_check to verify that
>> bpf_sk_assign_tcp_reqsk() rejects non-TCP skbs. The test sends a UDP
>> packet through TC ingress where a BPF program calls
>> bpf_sk_assign_tcp_reqsk() on it and checks that the kfunc returns an
>> error. A UDP server recv() is used as synchronization to ensure the
>> BPF program has finished processing before checking the result.
>>
>> Without the fix in bpf_sk_assign_tcp_reqsk(), the kfunc succeeds and
>> attaches a TCP reqsk to the UDP skb, which causes a null pointer
>> dereference panic when the kernel processes it through the UDP receive
>> path.
>>
>> Test result:
>>
>> ./test_progs -a tcp_custom_syncookie_protocol_check -v
>> setup_netns:PASS:create netns 0 nsec
>> setup_netns:PASS:ip 0 nsec
>> write_sysctl:PASS:open sysctl 0 nsec
>> write_sysctl:PASS:write sysctl 0 nsec
>> setup_netns:PASS:write_sysctl 0 nsec
>> test_tcp_custom_syncookie_protocol_check:PASS:open_and_load 0 nsec
>> setup_tc:PASS:qdisc add dev lo clsact 0 nsec
>> setup_tc:PASS:filter add dev lo ingress 0 nsec
>> run_protocol_check:PASS:start tcp_server 0 nsec
>> run_protocol_check:PASS:start udp_server 0 nsec
>> run_protocol_check:PASS:connect udp_client 0 nsec
>> run_protocol_check:PASS:send udp 0 nsec
>> run_protocol_check:PASS:recv udp 0 nsec
>> run_protocol_check:PASS:udp_intercepted 0 nsec
>> run_protocol_check:PASS:assign_ret 0 nsec
>> #471/1 tcp_custom_syncookie_protocol_check/IPv4 TCP:OK
>> run_protocol_check:PASS:start tcp_server 0 nsec
>> run_protocol_check:PASS:start udp_server 0 nsec
>> run_protocol_check:PASS:connect udp_client 0 nsec
>> run_protocol_check:PASS:send udp 0 nsec
>> run_protocol_check:PASS:recv udp 0 nsec
>> run_protocol_check:PASS:udp_intercepted 0 nsec
>> run_protocol_check:PASS:assign_ret 0 nsec
>> #471/2 tcp_custom_syncookie_protocol_check/IPv6 TCP:OK
>> #471 tcp_custom_syncookie_protocol_check:OK
>> Summary: 1/2 PASSED, 0 SKIPPED, 0 FAILED
>>
>> Cc: Jiayuan Chen <jiayuan.chen@linux.dev>
>> Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
>> ---
>> .../bpf/prog_tests/tcp_custom_syncookie.c | 94 ++++++++++++++-
>> .../bpf/progs/test_tcp_custom_syncookie.c | 109 ++++++++++++++++++
>> 2 files changed, 199 insertions(+), 4 deletions(-)
>>
>> diff --git
>> a/tools/testing/selftests/bpf/prog_tests/tcp_custom_syncookie.c
>> b/tools/testing/selftests/bpf/prog_tests/tcp_custom_syncookie.c
>> index eaf441dc7e79..e46031d0786b 100644
>> --- a/tools/testing/selftests/bpf/prog_tests/tcp_custom_syncookie.c
>> +++ b/tools/testing/selftests/bpf/prog_tests/tcp_custom_syncookie.c
>> @@ -5,6 +5,7 @@
>> #include <sched.h>
>> #include <stdlib.h>
>> #include <net/if.h>
>> +#include <netinet/in.h>
>> #include "test_progs.h"
>> #include "cgroup_helpers.h"
>> @@ -47,11 +48,10 @@ static int setup_netns(void)
>> return -1;
>> }
>> -static int setup_tc(struct test_tcp_custom_syncookie *skel)
>> +static int setup_tc(int prog_fd)
>> {
>> LIBBPF_OPTS(bpf_tc_hook, qdisc_lo, .attach_point =
>> BPF_TC_INGRESS);
>> - LIBBPF_OPTS(bpf_tc_opts, tc_attach,
>> - .prog_fd =
>> bpf_program__fd(skel->progs.tcp_custom_syncookie));
>> + LIBBPF_OPTS(bpf_tc_opts, tc_attach, .prog_fd = prog_fd);
>> qdisc_lo.ifindex = if_nametoindex("lo");
>> if (!ASSERT_OK(bpf_tc_hook_create(&qdisc_lo), "qdisc add dev lo
>> clsact"))
>> @@ -127,7 +127,7 @@ void test_tcp_custom_syncookie(void)
>> if (!ASSERT_OK_PTR(skel, "open_and_load"))
>> return;
>> - if (setup_tc(skel))
>> + if (setup_tc(bpf_program__fd(skel->progs.tcp_custom_syncookie)))
>> goto destroy_skel;
>> for (i = 0; i < ARRAY_SIZE(test_cases); i++) {
>> @@ -145,6 +145,92 @@ void test_tcp_custom_syncookie(void)
>> destroy_skel:
>> system("tc qdisc del dev lo clsact");
>> + test_tcp_custom_syncookie__destroy(skel);
>> +}
>> +
>> +/* Test: bpf_sk_assign_tcp_reqsk() should reject non-TCP skb.
>> + *
>> + * Send a UDP packet through TC ingress where a BPF program calls
>> + * bpf_sk_assign_tcp_reqsk() on it. The kfunc should return an error
>> + * because the skb carries UDP, not TCP.
>> + *
>> + * TCP and UDP servers share the same port. The BPF program intercepts
>> + * the UDP packet, looks up the TCP listener via the dest port, and
>> + * attempts to assign a TCP reqsk to the UDP skb.
>> + */
>> +static void run_protocol_check(struct test_tcp_custom_syncookie *skel,
>> + int family, const char *addr)
>> +{
>> + int tcp_server = -1, udp_server = -1, udp_client = -1;
>> + char buf[32] = "test";
>> + int port, ret;
>> +
>> + tcp_server = start_server(family, SOCK_STREAM, addr, 0, 0);
>> + if (!ASSERT_NEQ(tcp_server, -1, "start tcp_server"))
>> + return;
>> +
>> + port = ntohs(get_socket_local_port(tcp_server));
>> +
>> + /* UDP server on same port for synchronization and port sharing */
>> + udp_server = start_server(family, SOCK_DGRAM, addr, port, 0);
>> + if (!ASSERT_NEQ(udp_server, -1, "start udp_server"))
>> + goto close_tcp;
>> +
>> + skel->bss->udp_intercepted = false;
>> + skel->data->assign_ret = -1;
>
> assign_ret is init to -1
>
>> +
>> + udp_client = connect_to_fd(udp_server, 0);
>> + if (!ASSERT_NEQ(udp_client, -1, "connect udp_client"))
>> + goto close_udp_server;
>> + ret = send(udp_client, buf, sizeof(buf), 0);
>> + if (!ASSERT_EQ(ret, sizeof(buf), "send udp"))
>> + goto close_udp_client;
>> +
>> + /* recv() ensures TC ingress BPF has processed the skb */
>> + ret = recv(udp_server, buf, sizeof(buf), 0);
>> + if (!ASSERT_EQ(ret, sizeof(buf), "recv udp"))
>> + goto close_udp_client;
>> +
>> + ASSERT_EQ(skel->bss->udp_intercepted, true, "udp_intercepted");
>> +
>> + /* assign_ret == 0 means kfunc accepted UDP skb (bug).
>> + * assign_ret < 0 means kfunc correctly rejected it (fixed).
>> + */
>> + ASSERT_NEQ(skel->data->assign_ret, 0, "assign_ret");
>
> and here it checks NEQ 0....
>
> Maybe init assign_ret to 0?
>
> Also, why not specifically check for -EINVAL?
You're right, checking for -EINVAL is more precise and avoids hiding a
silent failure in the lookup path.
Will init assign_ret to 0 and check for -EINVAL instead.
prev parent reply other threads:[~2026-03-28 10:58 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-27 13:38 [PATCH bpf v3 0/2] bpf: tcp: Fix null-ptr-deref in arbitrary SYN Cookie Jiayuan Chen
2026-03-27 13:38 ` [PATCH bpf v3 1/2] bpf: tcp: Reject non-TCP skb in bpf_sk_assign_tcp_reqsk() Jiayuan Chen
2026-03-27 13:38 ` [PATCH bpf v3 2/2] selftests/bpf: Add protocol check test for bpf_sk_assign_tcp_reqsk() Jiayuan Chen
2026-03-27 19:53 ` Martin KaFai Lau
2026-03-28 10:58 ` Jiayuan Chen [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f33c5124-3865-455e-a048-73d87d020bec@linux.dev \
--to=jiayuan.chen@linux.dev \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=eddyz87@gmail.com \
--cc=edumazet@google.com \
--cc=haoluo@google.com \
--cc=horms@kernel.org \
--cc=jiayuan.chen@shopee.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kpsingh@kernel.org \
--cc=kuba@kernel.org \
--cc=kuniyu@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=sdf@fomichev.me \
--cc=shuah@kernel.org \
--cc=song@kernel.org \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox