From mboxrd@z Thu Jan 1 00:00:00 1970 From: Song Liu Subject: [PATCH bpf-next 1/2] bpf: add cg_skb_is_valid_access for BPF_PROG_TYPE_CGROUP_SKB Date: Tue, 16 Oct 2018 22:56:05 -0700 Message-ID: <20181017055606.353449-2-songliubraving@fb.com> References: <20181017055606.353449-1-songliubraving@fb.com> Mime-Version: 1.0 Content-Type: text/plain Cc: , , , Song Liu To: Return-path: Received: from mx0a-00082601.pphosted.com ([67.231.145.42]:60290 "EHLO mx0a-00082601.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726429AbeJQNus (ORCPT ); Wed, 17 Oct 2018 09:50:48 -0400 Received: from pps.filterd (m0148461.ppops.net [127.0.0.1]) by mx0a-00082601.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w9H5rGsi025739 for ; Tue, 16 Oct 2018 22:56:49 -0700 Received: from mail.thefacebook.com ([199.201.64.23]) by mx0a-00082601.pphosted.com with ESMTP id 2n5xk9044m-12 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT) for ; Tue, 16 Oct 2018 22:56:49 -0700 In-Reply-To: <20181017055606.353449-1-songliubraving@fb.com> Sender: netdev-owner@vger.kernel.org List-ID: BPF programs of BPF_PROG_TYPE_CGROUP_SKB need to access headers in the skb. This patch enables direct access of skb for these programs. In __cgroup_bpf_run_filter_skb(), bpf_compute_data_pointers() is called to compute proper data_end for the BPF program. Signed-off-by: Song Liu --- kernel/bpf/cgroup.c | 4 ++++ net/core/filter.c | 26 +++++++++++++++++++++++++- 2 files changed, 29 insertions(+), 1 deletion(-) diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c index 00f6ed2e4f9a..340d496f35bd 100644 --- a/kernel/bpf/cgroup.c +++ b/kernel/bpf/cgroup.c @@ -566,6 +566,10 @@ int __cgroup_bpf_run_filter_skb(struct sock *sk, save_sk = skb->sk; skb->sk = sk; __skb_push(skb, offset); + + /* compute pointers for the bpf prog */ + bpf_compute_data_pointers(skb); + ret = BPF_PROG_RUN_ARRAY(cgrp->bpf.effective[type], skb, bpf_prog_run_save_cb); __skb_pull(skb, offset); 
diff --git a/net/core/filter.c b/net/core/filter.c index 1a3ac6c46873..8b5a502e241f 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -5346,6 +5346,30 @@ static bool sk_filter_is_valid_access(int off, int size, return bpf_skb_is_valid_access(off, size, type, prog, info); } +static bool cg_skb_is_valid_access(int off, int size, + enum bpf_access_type type, + const struct bpf_prog *prog, + struct bpf_insn_access_aux *info) +{ + if (type == BPF_WRITE) + return false; + + switch (off) { + case bpf_ctx_range(struct __sk_buff, len): + break; + case bpf_ctx_range(struct __sk_buff, data): + info->reg_type = PTR_TO_PACKET; + break; + case bpf_ctx_range(struct __sk_buff, data_end): + info->reg_type = PTR_TO_PACKET_END; + break; + default: + return false; + } + + return bpf_skb_is_valid_access(off, size, type, prog, info); +} + static bool lwt_is_valid_access(int off, int size, enum bpf_access_type type, const struct bpf_prog *prog, @@ -7038,7 +7062,7 @@ const struct bpf_prog_ops xdp_prog_ops = { const struct bpf_verifier_ops cg_skb_verifier_ops = { .get_func_proto = cg_skb_func_proto, - .is_valid_access = sk_filter_is_valid_access, + .is_valid_access = cg_skb_is_valid_access, .convert_ctx_access = bpf_convert_ctx_access, }; -- 2.17.1
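Review bot: In the kernel/bpf/cgroup.c hunk, `bpf_compute_data_pointers(skb)` stores `data_meta` and `data_end` in `skb->cb`, and nothing after `BPF_PROG_RUN_ARRAY()` or `__skb_pull(skb, offset)` puts the previous contents back. Unlike the tc path, the cgroup hooks run while the skb is still owned by the protocol layer, which may keep its own state in the control block. Overwriting that region without restoring it risks corrupting that state once the program returns. Consider saving the affected `cb` bytes before the call and restoring them right after the program array has run. The placement after `__skb_push()` is correct, since `data` must already point at the network header when `data_end` is derived from it.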
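Review bot: In the net/core/filter.c hunks, the new `cg_skb_is_valid_access()` is an allow-list of `len`, `data` and `data_end` only, ending in `default: return false;`, and it rejects every `BPF_WRITE`. Because the last hunk swaps it in for `sk_filter_is_valid_access` in `cg_skb_verifier_ops`, this narrows what existing BPF_PROG_TYPE_CGROUP_SKB programs may do. Any program that loads today while reading another `__sk_buff` field, or writing `cb[]`, would start failing verification after this change, which is a user-visible regression unrelated to the stated goal of enabling direct packet access. Suggest inverting the switch: list the fields that must stay off limits for this program type as `return false` cases, set `reg_type` for `data` and `data_end` as done here, keep the write rules the old callback enforced, and let everything else fall through to `bpf_skb_is_valid_access()`. The commit message should also state which context fields are readable and writable after the change.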