1 /* SPDX-License-Identifier: GPL-2.0 */
2 /*
3 * Verify that context-sensitive SCX kfuncs (even "unlocked" ones) are
4 * restricted to only SCX struct_ops programs. Non-SCX struct_ops programs,
5 * such as TCP congestion control programs, should be rejected by the BPF
6 * verifier when attempting to call these kfuncs.
7 *
8 * Copyright (C) 2026 Ching-Chun (Jim) Huang <jserv@ccns.ncku.edu.tw>
9 * Copyright (C) 2026 Cheng-Yang Chou <yphbchou0911@gmail.com>
10 */
11
12 #include <vmlinux.h>
13 #include <bpf/bpf_helpers.h>
14 #include <bpf/bpf_tracing.h>
15
16 /* SCX kfunc from scx_kfunc_ids_any set */
17 void scx_bpf_kick_cpu(s32 cpu, u64 flags) __ksym;
18
19 SEC("struct_ops/ssthresh")
BPF_PROG(tcp_ca_ssthresh,struct sock * sk)20 __u32 BPF_PROG(tcp_ca_ssthresh, struct sock *sk)
21 {
22 /*
23 * This call should be rejected by the verifier because this is a
24 * TCP congestion control program (non-SCX struct_ops).
25 */
26 scx_bpf_kick_cpu(0, 0);
27 return 2;
28 }
29
30 SEC("struct_ops/cong_avoid")
BPF_PROG(tcp_ca_cong_avoid,struct sock * sk,__u32 ack,__u32 acked)31 void BPF_PROG(tcp_ca_cong_avoid, struct sock *sk, __u32 ack, __u32 acked) {}
32
33 SEC("struct_ops/undo_cwnd")
BPF_PROG(tcp_ca_undo_cwnd,struct sock * sk)34 __u32 BPF_PROG(tcp_ca_undo_cwnd, struct sock *sk) { return 2; }
35
36 SEC(".struct_ops")
37 struct tcp_congestion_ops tcp_non_scx_ca = {
38 .ssthresh = (void *)tcp_ca_ssthresh,
39 .cong_avoid = (void *)tcp_ca_cong_avoid,
40 .undo_cwnd = (void *)tcp_ca_undo_cwnd,
41 .name = "tcp_kfunc_deny",
42 };
43
44 char _license[] SEC("license") = "GPL";
45