From: Martin KaFai Lau <martin.lau@linux.dev>
To: Ji Rongfeng <SikoJobs@outlook.com>
Cc: daniel@iogearbox.net, john.fastabend@gmail.com, ast@kernel.org,
andrii@kernel.org, song@kernel.org, yhs@fb.com,
kpsingh@kernel.org, sdf@google.com, haoluo@google.com,
jolsa@kernel.org, davem@davemloft.net, edumazet@google.com,
kuba@kernel.org, pabeni@redhat.com, bpf@vger.kernel.org,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH bpf-next v2] bpf: Upgrade bpf_{g,s}etsockopt return values
Date: Tue, 6 Dec 2022 10:36:20 -0800 [thread overview]
Message-ID: <deb77161-3091-a134-4b82-78fef06efe85@linux.dev> (raw)
In-Reply-To: <DU0P192MB1547FE6F35CC1A3EEA1AFDECD6179@DU0P192MB1547.EURP192.PROD.OUTLOOK.COM>
On 12/2/22 9:39 AM, Ji Rongfeng wrote:
> Returning -EINVAL almost all the time when error occurs is not very
> helpful for the bpf prog to figure out what is wrong. This patch
> upgrades some return values so that they will be much more helpful.
>
> * return -ENOPROTOOPT when optname is unsupported
>
> The same as {g,s}etsockopt() syscall does. Before this patch,
> bpf_setsockopt(TCP_SAVED_SYN) already returns -ENOPROTOOPT, which
> may confuse the user, as -EINVAL is returned on other unsupported
> optnames. This patch also rejects TCP_SAVED_SYN right in
> sol_tcp_sockopt() when getopt is false, since do_tcp_setsockopt()
> is just the executor and it's not its duty to discover such error
> in bpf. We should maintain a precise allowlist to control whether
> an optname is supported and allowed to enter the executor or not.
> Functions like do_tcp_setsockopt(), their behaviour are not fully
> controllable by bpf. Imagine we let an optname pass, expecting
> -ENOPROTOOPT will be returned, but someday that optname is
> actually processed and unfortunately causes deadlock when calling
> from bpf. Thus, precise access control is essential.
Please leave the current -EINVAL to distinguish between optnames rejected by bpf
and optnames rejected by the do_*_{get,set}sockopt().
>
> * return -EOPNOTSUPP on level-related errors
>
> In do_ip_getsockopt(), -EOPNOTSUPP will be returned if level !=
> SOL_IP. In ipv6_getsockopt(), -ENOPROTOOPT will be returned if
> level != SOL_IPV6. To be distinguishable, the former is chosen.
I would leave this one as is also. Are you sure the do_ip_*sockopt cannot
handle sk_family == AF_INET6? afaict, bpf is rejecting those optnames instead.
>
> * return -EBADFD when sk is not a full socket
>
> -EPERM or -EBUSY was an option, but in many cases one of them
> will be returned, especially under level SOL_TCP. -EBADFD is the
> better choice, since it is hardly returned in all cases. The bpf
> prog will be able to recognize it and decide what to do next.
This one makes sense and is useful.
next prev parent reply other threads:[~2022-12-06 18:36 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-02 17:39 [PATCH bpf-next v2] bpf: Upgrade bpf_{g,s}etsockopt return values Ji Rongfeng
2022-12-06 16:35 ` Ji Rongfeng
2022-12-06 18:37 ` Martin KaFai Lau
2022-12-07 11:47 ` Ji Rongfeng
2022-12-06 18:36 ` Martin KaFai Lau [this message]
2022-12-07 11:19 ` Ji Rongfeng
2022-12-07 21:08 ` Martin KaFai Lau
[not found] ` <7901fd2a-e6d5-8176-73bd-b910f8abee33@outlook.com>
2022-12-07 15:28 ` Ji Rongfeng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=deb77161-3091-a134-4b82-78fef06efe85@linux.dev \
--to=martin.lau@linux.dev \
--cc=SikoJobs@outlook.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=haoluo@google.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kpsingh@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=sdf@google.com \
--cc=song@kernel.org \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.