From: John Fastabend <john.fastabend@gmail.com>
To: ast@kernel.org, daniel@iogearbox.net
Cc: netdev@vger.kernel.org
Subject: [bpf PATCH v2 2/6] bpf: sockmap only allow ESTABLISHED sock state
Date: Thu, 14 Jun 2018 09:44:52 -0700
Message-ID: <20180614164451.24994.31096.stgit@john-Precision-Tower-5810>
In-Reply-To: <20180614164148.24994.65250.stgit@john-Precision-Tower-5810>

Per the note in the TLS ULP (which is actually a generic statement
regarding ULPs)

  /* The TLS ulp is currently supported only for TCP sockets
   * in ESTABLISHED state.
   * Supporting sockets in LISTEN state will require us
   * to modify the accept implementation to clone rather then
   * share the ulp context.
   */

After this patch we only allow socks that are in ESTABLISHED state or
are being added via a sock_ops event that is transitioning into an
ESTABLISHED state. By allowing sock_ops events we allow users to
manage sockmaps directly from sock ops programs. The two supported
sock_ops ops are BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB and
BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB.

From the userspace BPF update API the sock lock is also taken now
to ensure we don't race with state changes after the ESTABLISHED
check. The BPF program sock ops hook already has the sock lock
taken.

Also tested with 'netserver -6' and 'netperf -H [IPv6]' as well as
'netperf -H [IPv4]'.

Reported-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
---
0 files changed
diff --git a/kernel/bpf/sockmap.c b/kernel/bpf/sockmap.c
index f6dd4cd..f1ab52d 100644
--- a/kernel/bpf/sockmap.c
+++ b/kernel/bpf/sockmap.c
@@ -1976,13 +1976,20 @@ static int sock_map_update_elem(struct bpf_map *map,
return -EINVAL;
}
+ lock_sock(skops.sk);
+ /* ULPs are currently supported only for TCP sockets in ESTABLISHED
+ * state.
+ */
if (skops.sk->sk_type != SOCK_STREAM ||
- skops.sk->sk_protocol != IPPROTO_TCP) {
- fput(socket->file);
- return -EOPNOTSUPP;
+ skops.sk->sk_protocol != IPPROTO_TCP ||
+ skops.sk->sk_state != TCP_ESTABLISHED) {
+ err = -EOPNOTSUPP;
+ goto out;
}
err = sock_map_ctx_update_elem(&skops, map, key, flags);
+out:
+ release_sock(skops.sk);
fput(socket->file);
return err;
}
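Review bot: lock_sock() is taken before the sk_type and sk_protocol tests in sock_map_update_elem(), but only the sk_state comparison needs the socket lock, and the new comment explains the ESTABLISHED restriction without saying why the lock is held. Consider testing type and protocol first and holding the lock only across the sk_state test and the sock_map_ctx_update_elem() call, with a comment that the lock keeps the state from changing between the check and the update. The out: label does pair release_sock() with fput() on both the error and the success path.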
@@ -2247,10 +2254,6 @@ static int sock_hash_ctx_update_elem(struct bpf_sock_ops_kern *skops,
sock = skops->sk;
- if (sock->sk_type != SOCK_STREAM ||
- sock->sk_protocol != IPPROTO_TCP)
- return -EOPNOTSUPP;
-
if (unlikely(map_flags > BPF_EXIST))
return -EINVAL;
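Review bot: with the SOCK_STREAM/IPPROTO_TCP test removed, sock_hash_ctx_update_elem() no longer checks socket type or protocol itself and depends on every caller having done so. A comment above the function stating the precondition (TCP socket in, or transitioning into, ESTABLISHED, with the sock lock held) would keep a later caller from reaching it unchecked.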
@@ -2338,7 +2341,20 @@ static int sock_hash_update_elem(struct bpf_map *map,
return -EINVAL;
}
+ lock_sock(skops.sk);
+ /* ULPs are currently supported only for TCP sockets in ESTABLISHED
+ * state.
+ */
+ if (skops.sk->sk_type != SOCK_STREAM ||
+ skops.sk->sk_protocol != IPPROTO_TCP ||
+ skops.sk->sk_state != TCP_ESTABLISHED) {
+ err = -EOPNOTSUPP;
+ goto out;
+ }
+
err = sock_hash_ctx_update_elem(&skops, map, key, flags);
+out:
+ release_sock(skops.sk);
fput(socket->file);
return err;
}
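Review bot: the lock_sock() call and three-condition test added to sock_hash_update_elem() are a verbatim copy of what this patch adds to sock_map_update_elem(). Factoring the type/protocol/state test into one small helper that takes the struct sock pointer would keep the sockmap and sockhash update paths from drifting apart when the set of supported states changes.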
@@ -2423,10 +2439,19 @@ struct sock *__sock_hash_lookup_elem(struct bpf_map *map, void *key)
.map_delete_elem = sock_hash_delete_elem,
};
+static bool bpf_is_valid_sock(struct bpf_sock_ops_kern *ops)
+{
+ return ops->op == BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB ||
+ ops->op == BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB;
+}
+
BPF_CALL_4(bpf_sock_map_update, struct bpf_sock_ops_kern *, bpf_sock,
struct bpf_map *, map, void *, key, u64, flags)
{
WARN_ON_ONCE(!rcu_read_lock_held());
+
+ if (!bpf_is_valid_sock(bpf_sock))
+ return -EOPNOTSUPP;
return sock_map_ctx_update_elem(bpf_sock, map, key, flags);
}
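Review bot: bpf_is_valid_sock() inspects only ops->op and never looks at the socket, so the name promises more than the function checks. Either rename it to describe the op test, or add a comment saying that these two callbacks are the ones transitioning into ESTABLISHED and that the sock ops hook already holds the sock lock, as the commit message explains. A blank line after the early "return -EOPNOTSUPP;" in bpf_sock_map_update would also match the blank line added before the check.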
@@ -2445,6 +2470,9 @@ struct sock *__sock_hash_lookup_elem(struct bpf_map *map, void *key)
struct bpf_map *, map, void *, key, u64, flags)
{
WARN_ON_ONCE(!rcu_read_lock_held());
+
+ if (!bpf_is_valid_sock(bpf_sock))
+ return -EOPNOTSUPP;
return sock_hash_ctx_update_elem(bpf_sock, map, key, flags);
}
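Review bot: the early return added to this helper means a sock_ops program calling it from any callback other than the two ESTABLISHED ones now gets -EOPNOTSUPP, which is a visible behaviour change for existing programs. The helper's documentation should state the restriction on ops->op and the new return code so program authors do not have to find it in sockmap.c.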