From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from out-181.mta1.migadu.com (out-181.mta1.migadu.com [95.215.58.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 879D71E32DB for ; Mon, 25 Aug 2025 23:14:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=95.215.58.181 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1756163699; cv=none; b=BuGtWQVA/6PhSiRnGTja5emwmgWApqcAOUaPV1TBtpkbjdhO5eQ/5m+pyRVyxhuKe2v1ji7s2nRP5lk1X+PlnKdC4PhLU3e7NaqY6Kmjy5rv5itq5bCwVi5VKLaOZAfIgtJLtB8OrBkTert+DDD+iS+3t2DvKL2lX11PXLwKSqU= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1756163699; c=relaxed/simple; bh=LmSiDwcMgQKxO34arUC6nj7eXbX5FH5joo+FB1ueHu0=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=W88y57+eCzj4XbUBhofYN5079d739mCtVNeEoVd9CNpBdAhC8LoVFBQh4CDSQ4AsF0vr/3A5stA8B5RQo4uPTXSn5TsZ+xYMsLJUyAE4lcwqxiZ69Yyaj/qzC0pJxSzPYv/X+QrGVSFjTD5tgF5kWTxbvXrSA9Te7W73oDdNpBk= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=Cpf/btbt; arc=none smtp.client-ip=95.215.58.181 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="Cpf/btbt" Message-ID: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1756163684; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=ldnAJsm7Vh9h0iyz9zBqvXyPfBR7apAayjwl7UWt4UI=; b=Cpf/btbt8uMGuiMspAtfSFgMpqPGrMg2jYgRj8l2CB3xPx172KkLPA+GYlpdWal6HqStRX TGlIylV2i+Um94TLdt8Zzg9asS4vlp+zVWfaKTQMpSyWERB8rafqu9MV4B7DM9I2onrHe+ Zg2XPOclYNuxOMuCeLjY+Oi6VAc3ZSE= Date: Mon, 25 Aug 2025 16:14:35 -0700 Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Subject: Re: [PATCH v1 bpf-next/net 2/8] bpf: Add a bpf hook in __inet_accept(). To: Kuniyuki Iwashima Cc: Alexei Starovoitov , Andrii Nakryiko , Daniel Borkmann , John Fastabend , Stanislav Fomichev , Johannes Weiner , Michal Hocko , Roman Gushchin , Shakeel Butt , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Neal Cardwell , Willem de Bruijn , Mina Almasry , Kuniyuki Iwashima , bpf@vger.kernel.org, netdev@vger.kernel.org References: <20250822221846.744252-1-kuniyu@google.com> <20250822221846.744252-3-kuniyu@google.com> Content-Language: en-US X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. From: Martin KaFai Lau In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Migadu-Flow: FLOW_OUT On 8/25/25 11:14 AM, Kuniyuki Iwashima wrote: > On Mon, Aug 25, 2025 at 10:57 AM Martin KaFai Lau wrote: >> >> On 8/22/25 3:17 PM, Kuniyuki Iwashima wrote: >>> diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c >>> index ae83ecda3983..ab613abdfaa4 100644 >>> --- a/net/ipv4/af_inet.c >>> +++ b/net/ipv4/af_inet.c >>> @@ -763,6 +763,8 @@ void __inet_accept(struct socket *sock, struct socket *newsock, struct sock *new >>> kmem_cache_charge(newsk, gfp); >>> } >>> >>> + BPF_CGROUP_RUN_PROG_INET_SOCK_ACCEPT(newsk); >>> + >>> if (mem_cgroup_sk_enabled(newsk)) { >>> int amt; >>> >>> diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h >>> index 233de8677382..80df246d4741 100644 >>> --- a/tools/include/uapi/linux/bpf.h >>> +++ b/tools/include/uapi/linux/bpf.h >>> @@ -1133,6 +1133,7 @@ enum bpf_attach_type { >>> BPF_NETKIT_PEER, >>> BPF_TRACE_KPROBE_SESSION, >>> BPF_TRACE_UPROBE_SESSION, >>> + BPF_CGROUP_INET_SOCK_ACCEPT, >> >> Instead of adding another hook, can the SK_BPF_MEMCG_SOCK_ISOLATED bit be >> inherited from the listener? > > Since e876ecc67db80 and d752a4986532c , we defer memcg allocation to > accept() because the child socket could be created during irq context with > unrelated cgroup. This had another reason; if the listener was created in the > root cgroup and passed to a process under cgroup, child sockets would never > have sk_memcg if sk_memcg was inherited. > > So, the child's memcg is not always the same one with the listener's, and > we cannot rely on the listener's sk_memcg. I didn't mean to inherit the entire sk_memcg pointer. I meant to only inherit the SK_BPF_MEMCG_SOCK_ISOLATED bit. If it can only be done at accept, there is already an existing SEC("lsm_cgroup/socket_accept") hook. Take a look at tools/testing/selftests/bpf/progs/lsm_cgroup.c. The lsm socket_accept doesn't have access to the "newsock->sk" but it should have access to the "sock->sk", do bpf_setsockopt and then inherit by the newsock->sk (?) There are already quite enough cgroup-sk style hooks. I would prefer not to add another cgroup attach_type and instead see if some of the existing ones can be reused. There is also SEC("lsm/sock_graft").