[PATCH bpf-next] bpftool: Fix cgroup command to only show cgroup bpf programs

[PATCH bpf-next] bpftool: Fix cgroup command to only show cgroup bpf programs

[Martin KaFai Lau]

From: Martin KaFai Lau <martin.lau@kernel.org>

The netkit program is not a cgroup bpf program and should not be shown
in the output of the "bpftool cgroup show" command.

However, if the netkit device happens to have ifindex 3,
the "bpftool cgroup show" command will output the netkit
bpf program as well:

> ip -d link show dev nk1
3: nk1@if2: ...
    link/ether ...
    netkit mode ...

> bpftool net show
tc:
nk1(3) netkit/peer tw_ns_nk2phy prog_id 469447

> bpftool cgroup show /sys/fs/cgroup/...
ID       AttachType      AttachFlags     Name
...      ...                             ...
469447   netkit_peer                     tw_ns_nk2phy

The reason is that the target_fd (which is the cgroup_fd here) and
the target_ifindex are in a union in the uapi/linux/bpf.h. The bpftool
iterates all values in "enum bpf_attach_type" which includes
non cgroup attach types like netkit. The cgroup_fd is usually 3 here,
so the bug is triggered when the netkit ifindex just happens
to be 3 as well.

The bpftool's cgroup.c already has a list of cgroup-only attach type
defined in "cgroup_attach_types[]". This patch fixes it by iterating
over "cgroup_attach_types[]" instead of "__MAX_BPF_ATTACH_TYPE".

Cc: Quentin Monnet <qmo@kernel.org>
Reported-by: Takshak Chahande <ctakshak@meta.com>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
---
 tools/bpf/bpftool/cgroup.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/tools/bpf/bpftool/cgroup.c b/tools/bpf/bpftool/cgroup.c
index 3f1d6be51215..944ebe21a216 100644
--- a/tools/bpf/bpftool/cgroup.c
+++ b/tools/bpf/bpftool/cgroup.c
@@ -318,11 +318,11 @@ static int show_bpf_progs(int cgroup_fd, enum bpf_attach_type type,
 
 static int do_show(int argc, char **argv)
 {
-	enum bpf_attach_type type;
 	int has_attached_progs;
 	const char *path;
 	int cgroup_fd;
 	int ret = -1;
+	unsigned int i;
 
 	query_flags = 0;
 
@@ -370,14 +370,14 @@ static int do_show(int argc, char **argv)
 		       "AttachFlags", "Name");
 
 	btf_vmlinux = libbpf_find_kernel_btf();
-	for (type = 0; type < __MAX_BPF_ATTACH_TYPE; type++) {
+	for (i = 0; i < ARRAY_SIZE(cgroup_attach_types); i++) {
 		/*
 		 * Not all attach types may be supported, so it's expected,
 		 * that some requests will fail.
 		 * If we were able to get the show for at least one
 		 * attach type, let's return 0.
 		 */
-		if (show_bpf_progs(cgroup_fd, type, 0) == 0)
+		if (show_bpf_progs(cgroup_fd, cgroup_attach_types[i], 0) == 0)
 			ret = 0;
 	}
 
@@ -400,9 +400,9 @@ static int do_show(int argc, char **argv)
 static int do_show_tree_fn(const char *fpath, const struct stat *sb,
 			   int typeflag, struct FTW *ftw)
 {
-	enum bpf_attach_type type;
 	int has_attached_progs;
 	int cgroup_fd;
+	unsigned int i;
 
 	if (typeflag != FTW_D)
 		return 0;
@@ -434,8 +434,8 @@ static int do_show_tree_fn(const char *fpath, const struct stat *sb,
 	}
 
 	btf_vmlinux = libbpf_find_kernel_btf();
-	for (type = 0; type < __MAX_BPF_ATTACH_TYPE; type++)
-		show_bpf_progs(cgroup_fd, type, ftw->level);
+	for (i = 0; i < ARRAY_SIZE(cgroup_attach_types); i++)
+		show_bpf_progs(cgroup_fd, cgroup_attach_types[i], ftw->level);
 
 	if (errno == EINVAL)
 		/* Last attach type does not support query.
-- 
2.47.1

Re: [PATCH bpf-next] bpftool: Fix cgroup command to only show cgroup bpf programs

[Daniel Borkmann]

On 5/7/25 10:32 PM, Martin KaFai Lau wrote:
> From: Martin KaFai Lau <martin.lau@kernel.org>
> 
> The netkit program is not a cgroup bpf program and should not be shown
> in the output of the "bpftool cgroup show" command.
> 
> However, if the netkit device happens to have ifindex 3,
> the "bpftool cgroup show" command will output the netkit
> bpf program as well:
> 
>> ip -d link show dev nk1
> 3: nk1@if2: ...
>      link/ether ...
>      netkit mode ...
> 
>> bpftool net show
> tc:
> nk1(3) netkit/peer tw_ns_nk2phy prog_id 469447
> 
>> bpftool cgroup show /sys/fs/cgroup/...
> ID       AttachType      AttachFlags     Name
> ...      ...                             ...
> 469447   netkit_peer                     tw_ns_nk2phy
> 
> The reason is that the target_fd (which is the cgroup_fd here) and
> the target_ifindex are in a union in the uapi/linux/bpf.h. The bpftool
> iterates all values in "enum bpf_attach_type" which includes
> non cgroup attach types like netkit. The cgroup_fd is usually 3 here,
> so the bug is triggered when the netkit ifindex just happens
> to be 3 as well.
> 
> The bpftool's cgroup.c already has a list of cgroup-only attach type
> defined in "cgroup_attach_types[]". This patch fixes it by iterating
> over "cgroup_attach_types[]" instead of "__MAX_BPF_ATTACH_TYPE".
> 
> Cc: Quentin Monnet <qmo@kernel.org>
> Reported-by: Takshak Chahande <ctakshak@meta.com>
> Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>

Outch, good catch!

Acked-by: Daniel Borkmann <daniel@iogearbox.net>

Re: [PATCH bpf-next] bpftool: Fix cgroup command to only show cgroup bpf programs

[Quentin Monnet]

2025-05-07 23:00 UTC+0200 ~ Daniel Borkmann <daniel@iogearbox.net>
> On 5/7/25 10:32 PM, Martin KaFai Lau wrote:
>> From: Martin KaFai Lau <martin.lau@kernel.org>
>>
>> The netkit program is not a cgroup bpf program and should not be shown
>> in the output of the "bpftool cgroup show" command.
>>
>> However, if the netkit device happens to have ifindex 3,
>> the "bpftool cgroup show" command will output the netkit
>> bpf program as well:
>>
>>> ip -d link show dev nk1
>> 3: nk1@if2: ...
>>      link/ether ...
>>      netkit mode ...
>>
>>> bpftool net show
>> tc:
>> nk1(3) netkit/peer tw_ns_nk2phy prog_id 469447
>>
>>> bpftool cgroup show /sys/fs/cgroup/...
>> ID       AttachType      AttachFlags     Name
>> ...      ...                             ...
>> 469447   netkit_peer                     tw_ns_nk2phy
>>
>> The reason is that the target_fd (which is the cgroup_fd here) and
>> the target_ifindex are in a union in the uapi/linux/bpf.h. The bpftool
>> iterates all values in "enum bpf_attach_type" which includes
>> non cgroup attach types like netkit. The cgroup_fd is usually 3 here,
>> so the bug is triggered when the netkit ifindex just happens
>> to be 3 as well.
>>
>> The bpftool's cgroup.c already has a list of cgroup-only attach type
>> defined in "cgroup_attach_types[]". This patch fixes it by iterating
>> over "cgroup_attach_types[]" instead of "__MAX_BPF_ATTACH_TYPE".
>>
>> Cc: Quentin Monnet <qmo@kernel.org>
>> Reported-by: Takshak Chahande <ctakshak@meta.com>
>> Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
> 
> Outch, good catch!
> 
> Acked-by: Daniel Borkmann <daniel@iogearbox.net>
> 


Nice one indeed, thanks!

Reviewed-by: Quentin Monnet <qmo@kernel.org>

Re: [PATCH bpf-next] bpftool: Fix cgroup command to only show cgroup bpf programs

[patchwork-bot+netdevbpf]

Hello:

This patch was applied to bpf/bpf-next.git (master)
by Alexei Starovoitov <ast@kernel.org>:

On Wed,  7 May 2025 13:32:32 -0700 you wrote:
> From: Martin KaFai Lau <martin.lau@kernel.org>
> 
> The netkit program is not a cgroup bpf program and should not be shown
> in the output of the "bpftool cgroup show" command.
> 
> However, if the netkit device happens to have ifindex 3,
> the "bpftool cgroup show" command will output the netkit
> bpf program as well:
> 
> [...]

Here is the summary with links:
  - [bpf-next] bpftool: Fix cgroup command to only show cgroup bpf programs
    https://git.kernel.org/bpf/bpf-next/c/b69d4413aa19

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html