From: Martin KaFai Lau <martin.lau@linux.dev>
To: Stanislav Fomichev <sdf@google.com>
Cc: bpf@vger.kernel.org, ast@kernel.org, andrii@kernel.org,
song@kernel.org, yhs@fb.com, john.fastabend@gmail.com,
kpsingh@kernel.org, haoluo@google.com, jolsa@kernel.org,
Martin KaFai Lau <martin.lau@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>
Subject: Re: [PATCH bpf-next 3/6] bpf: Don't EFAULT for {g,s}setsockopt with wrong optlen
Date: Tue, 25 Apr 2023 11:31:27 -0700 [thread overview]
Message-ID: <4d5e33ff-9e0a-aa2b-0482-49bda0d7fade@linux.dev> (raw)
In-Reply-To: <CAKH8qBsVw=my-pB5Mnmyq-Cp0a1by-nS_=Fyu7cZTmiKk8niXw@mail.gmail.com>
On 4/25/23 10:12 AM, Stanislav Fomichev wrote:
> On Mon, Apr 24, 2023 at 5:56 PM Martin KaFai Lau <martin.lau@linux.dev> wrote:
>>
>> On 4/21/23 9:09 AM, Stanislav Fomichev wrote:
>>> On Fri, Apr 21, 2023 at 8:24 AM Daniel Borkmann <daniel@iogearbox.net> wrote:
>>>>
>>>> On 4/19/23 12:53 AM, Stanislav Fomichev wrote:
>>>>> Over time, we've found out several special socket option cases which need
>>>>> special treatment. And if BPF program doesn't handle them correctly, this
>>>>> might EFAULT perfectly valid {g,s}setsockopt calls.
>>>>>
>>>>> The intention of the EFAULT was to make it apparent to the
>>>>> developers that the program is doing something wrong.
>>>>> However, this inadvertently might affect production workloads
>>>>> with the BPF programs that are not too careful.
>>>>
>>>> Took in the first two for now. It would be good if the commit description
>>>> in here could have more details for posterity given this is too vague.
>>>
>>> Thanks! Will try to repost next week with more details.
>>>
>>>>> Let's try to minimize the chance of BPF program screwing up userspace
>>>>> by ignoring the output of those BPF programs (instead of returning
>>>>> EFAULT to the userspace). pr_info_ratelimited those cases to
>>>>> the dmesg to help with figuring out what's going wrong.
>>>>>
>>>>> Fixes: 0d01da6afc54 ("bpf: implement getsockopt and setsockopt hooks")
>>>>> Suggested-by: Martin KaFai Lau <martin.lau@kernel.org>
>>>>> Signed-off-by: Stanislav Fomichev <sdf@google.com>
>>>>> ---
>>>>> kernel/bpf/cgroup.c | 8 ++++++--
>>>>> 1 file changed, 6 insertions(+), 2 deletions(-)
>>>>>
>>>>> diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
>>>>> index a06e118a9be5..af4d20864fb4 100644
>>>>> --- a/kernel/bpf/cgroup.c
>>>>> +++ b/kernel/bpf/cgroup.c
>>>>> @@ -1826,7 +1826,9 @@ int __cgroup_bpf_run_filter_setsockopt(struct sock *sk, int *level,
>>>>> ret = 1;
>>>>> } else if (ctx.optlen > max_optlen || ctx.optlen < -1) {
>>>>> /* optlen is out of bounds */
>>>>> - ret = -EFAULT;
>>>>> + pr_info_ratelimited(
>>>>> + "bpf setsockopt returned unexpected optlen=%d (max_optlen=%d)\n",
>>>>> + ctx.optlen, max_optlen);
>>>>
>>>> Does it help any regular user if this log message is seen? I kind of doubt it a bit,
>>>> it might create more confusion if log gets spammed with it, imo.
>>>
>>> Agreed, but we need some way to let the users know that their bpf
>>> program is doing the wrong thing (if they set the optlen too high for
>>> example).
>>
>> imo, I also think a printk here will be a noise in dmesg most of the time (but
>> much better than an unexpected -EFAULT).
>
> I was thinking for a v2, maybe print it at least once? Similar to
> current bpf_warn_invalid_xdp_action?
>
>
>>> Any other better alternatives to expose those events?
>>
>> Is it possible to only -EFAULT when the bpf prog setting a ctx.optlen larger
>> than the "original" user provided optlen?
Nevermind the "ctx.optlen larger than the original user provided optlen" part. I
mis-read something in __cgroup_bpf_run_filter_getsockopt(). max_optlen is the
right limit that the kernel needs to bound the ctx.optlen written by bpf prog.
>> Ignore for all other cases that is due to the current PAGE_SIZE limitation?
>
> Should be possible. That "ctx.optlen > PAGE_SIZE && ctx.optlen <
> original_optlen" is the condition where we'd silently ignore BPF
> output.
and should the -ve ctx.optlen be treated separately? like in
__cgroup_bpf_run_filter_getsockopt():
if (ctx.optlen < 0) {
ret = -EFAULT;
goto out;
}
if (optval && ctx.optlen > max_optlen) {
ret = original_optlen > PAGE_SIZE ? 0 : -EFAULT;
goto out;
}
> As per above, I'll stick a line to the dmest (similar
> bpf_warn_invalid_xdp_action), at least to record that this has
> happened once.
> LMK if you or Danial still don't see a value in printing this..
pr_info_once? hmm... I think it is ok-ish. At least not a warning.
I think almost all of the time the bpf prog forgets to set it to 0 for the long
optval that it has no interest in. However, to suppress this pr_info_once,
setting optlen to 0 will disable the following cgroup-bpf prog from using the
optval as read-only. The case that the printk that may flag is that the bpf prog
did indeed want to change the long optval?
next prev parent reply other threads:[~2023-04-25 18:31 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-18 22:53 [PATCH bpf-next 0/6] bpf: handle another corner case in getsockopt Stanislav Fomichev
2023-04-18 22:53 ` [PATCH bpf-next 1/6] bpf: Don't EFAULT for getsockopt with optval=NULL Stanislav Fomichev
2023-04-18 22:53 ` [PATCH bpf-next 2/6] selftests/bpf: Verify optval=NULL case Stanislav Fomichev
2023-04-18 22:53 ` [PATCH bpf-next 3/6] bpf: Don't EFAULT for {g,s}setsockopt with wrong optlen Stanislav Fomichev
2023-04-21 15:24 ` Daniel Borkmann
2023-04-21 16:09 ` Stanislav Fomichev
2023-04-25 0:56 ` Martin KaFai Lau
2023-04-25 17:12 ` Stanislav Fomichev
2023-04-25 18:31 ` Martin KaFai Lau [this message]
2023-04-26 17:27 ` Stanislav Fomichev
2023-04-26 18:07 ` Martin KaFai Lau
2023-04-18 22:53 ` [PATCH bpf-next 4/6] selftests/bpf: Update EFAULT {g,s}etsockopt selftests Stanislav Fomichev
2023-04-18 22:53 ` [PATCH bpf-next 5/6] selftests/bpf: Correctly handle optlen > 4096 Stanislav Fomichev
2023-04-18 22:53 ` [PATCH bpf-next 6/6] bpf: Document EFAULT changes for sockopt Stanislav Fomichev
2023-04-19 20:08 ` kernel test robot
2023-04-20 18:17 ` Stanislav Fomichev
2023-04-21 15:20 ` [PATCH bpf-next 0/6] bpf: handle another corner case in getsockopt patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4d5e33ff-9e0a-aa2b-0482-49bda0d7fade@linux.dev \
--to=martin.lau@linux.dev \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=haoluo@google.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kpsingh@kernel.org \
--cc=martin.lau@kernel.org \
--cc=sdf@google.com \
--cc=song@kernel.org \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.