1 /* SPDX-License-Identifier: GPL-2.0 */ 2 /* 3 * Verify that context-sensitive SCX kfuncs (even "unlocked" ones) are 4 * restricted to only SCX struct_ops programs. Non-SCX struct_ops programs, 5 * such as TCP congestion control programs, should be rejected by the BPF 6 * verifier when attempting to call these kfuncs. 7 * 8 * Copyright (C) 2026 Ching-Chun (Jim) Huang <jserv@ccns.ncku.edu.tw> 9 * Copyright (C) 2026 Cheng-Yang Chou <yphbchou0911@gmail.com> 10 */ 11 12 #include <vmlinux.h> 13 #include <bpf/bpf_helpers.h> 14 #include <bpf/bpf_tracing.h> 15 16 /* SCX kfunc from scx_kfunc_ids_any set */ 17 void scx_bpf_kick_cpu(s32 cpu, u64 flags) __ksym; 18 19 SEC("struct_ops/ssthresh") 20 __u32 BPF_PROG(tcp_ca_ssthresh, struct sock *sk) 21 { 22 /* 23 * This call should be rejected by the verifier because this is a 24 * TCP congestion control program (non-SCX struct_ops). 25 */ 26 scx_bpf_kick_cpu(0, 0); 27 return 2; 28 } 29 30 SEC("struct_ops/cong_avoid") 31 void BPF_PROG(tcp_ca_cong_avoid, struct sock *sk, __u32 ack, __u32 acked) {} 32 33 SEC("struct_ops/undo_cwnd") 34 __u32 BPF_PROG(tcp_ca_undo_cwnd, struct sock *sk) { return 2; } 35 36 SEC(".struct_ops") 37 struct tcp_congestion_ops tcp_non_scx_ca = { 38 .ssthresh = (void *)tcp_ca_ssthresh, 39 .cong_avoid = (void *)tcp_ca_cong_avoid, 40 .undo_cwnd = (void *)tcp_ca_undo_cwnd, 41 .name = "tcp_kfunc_deny", 42 }; 43 44 char _license[] SEC("license") = "GPL"; 45