Re: [PATCH bpf-next v6 2/3] bpf, sockmap: Fix FIONREAD for sockmap

Thu, 08 Jan 2026 08:51:57 -0800 

> diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c

[ ... ]

> +static int tcp_bpf_ioctl(struct sock *sk, int cmd, int *karg)
> +{
> +     bool slow;
> +
> +     /* we only care about FIONREAD */
> +     if (cmd != SIOCINQ)
> +             return tcp_ioctl(sk, cmd, karg);
> +
> +     /* works similar as tcp_ioctl */
> +     if (sk->sk_state == TCP_LISTEN)
> +             return -EINVAL;
> +
> +     slow = lock_sock_fast(sk);
> +     *karg = sk_psock_msg_inq(sk);
> +     unlock_sock_fast(sk, slow);
> +
> +     return 0;
> +}

Can FIONREAD underreport available data here? The tcp_bpf_recvmsg()
function can read from both the BPF ingress_msg queue and the native TCP
receive queue:

    if (!skb_queue_empty(&sk->sk_receive_queue) &&
        sk_psock_queue_empty(psock)) {
        sk_psock_put(sk, psock);
        return tcp_recvmsg(sk, msg, len, flags, addr_len);
    }

But tcp_bpf_ioctl() only returns the BPF queue size via sk_psock_msg_inq(),
ignoring any data in sk_receive_queue. For TCP_BPF_BASE sockets (sockmap
without verdict program), incoming data stays in the native receive queue.
If such a socket has data in sk_receive_queue but an empty ingress_msg,
FIONREAD would return 0 even though tcp_bpf_recvmsg() would successfully
read data.

Should this return the sum of both queues, similar to how the original
tcp_ioctl() uses tcp_inq()?

> diff --git a/net/ipv4/udp_bpf.c b/net/ipv4/udp_bpf.c

[ ... ]

> +static int udp_bpf_ioctl(struct sock *sk, int cmd, int *karg)
> +{
> +     if (cmd != SIOCINQ)
> +             return udp_ioctl(sk, cmd, karg);
> +
> +     /* works similar as udp_ioctl. */
> +     *karg = sk_msg_first_len(sk);
> +     return 0;
> +}

Similar question for UDP: udp_bpf_recvmsg() checks psock_has_data() and
falls through to native udp recvmsg when the BPF queue is empty:

    if (!psock_has_data(psock)) {
        ret = sk_udp_recvmsg(sk, msg, len, flags, addr_len);
        goto out;
    }

If the BPF ingress_msg queue is empty but the native UDP receive queue has
a datagram, sk_msg_first_len() returns 0 while udp_bpf_recvmsg() would
successfully receive data. Should udp_bpf_ioctl() fall through to
udp_ioctl() when sk_msg_first_len() returns 0?


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/20821477139

Reply via email to