[Patch bpf 1/2] bpf: check negative offsets in __bpf_skb_min_len()

[Patch bpf 1/2] bpf: check negative offsets in __bpf_skb_min_len()

[Cong Wang]

From: Cong Wang <cong.wang@bytedance.com>

skb_transport_offset() and skb_transport_offset() can be negative when
they are called after we pull the transport header, for example, when
we use eBPF sockmap (aka at the point of ->sk_data_ready()).

__bpf_skb_min_len() uses an unsigned int to get these offsets, this
leads to a very large number which then causes bpf_skb_change_tail()
failed unexpectedly.

Fix this by using a signed int to get these offsets and ensure the
minimum is at least zero.

Fixes: 5293efe62df8 ("bpf: add bpf_skb_change_tail helper")
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
---
 net/core/filter.c | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)

diff --git a/net/core/filter.c b/net/core/filter.c
index e31ee8be2de0..fd263c22944d 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -3737,13 +3737,22 @@ static const struct bpf_func_proto bpf_skb_adjust_room_proto = {
 
 static u32 __bpf_skb_min_len(const struct sk_buff *skb)
 {
-	u32 min_len = skb_network_offset(skb);
+	int offset = skb_network_offset(skb);
+	u32 min_len = 0;
 
-	if (skb_transport_header_was_set(skb))
-		min_len = skb_transport_offset(skb);
-	if (skb->ip_summed == CHECKSUM_PARTIAL)
-		min_len = skb_checksum_start_offset(skb) +
-			  skb->csum_offset + sizeof(__sum16);
+	if (offset > 0)
+		min_len = offset;
+	if (skb_transport_header_was_set(skb)) {
+		offset = skb_transport_offset(skb);
+		if (offset > 0)
+			min_len = offset;
+	}
+	if (skb->ip_summed == CHECKSUM_PARTIAL) {
+		offset = skb_checksum_start_offset(skb) +
+			 skb->csum_offset + sizeof(__sum16);
+		if (offset > 0)
+			min_len = offset;
+	}
 	return min_len;
 }
 
-- 
2.34.1

[Patch bpf 2/2] selftests/bpf: Add a BPF selftest for bpf_skb_change_tail()

[Cong Wang]

From: Cong Wang <cong.wang@bytedance.com>

As requested by Daniel, we need to add a selftest to cover
bpf_skb_change_tail() cases in skb_verdict. Here we test trimming,
growing and error cases, and validate its expected return values.

Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Zijian Zhang <zijianzhang@bytedance.com>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
---
 .../selftests/bpf/prog_tests/sockmap_basic.c  | 51 +++++++++++++++++++
 .../bpf/progs/test_sockmap_change_tail.c      | 40 +++++++++++++++
 2 files changed, 91 insertions(+)
 create mode 100644 tools/testing/selftests/bpf/progs/test_sockmap_change_tail.c

diff --git a/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c b/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c
index 82bfb266741c..fe735fced836 100644
--- a/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c
+++ b/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c
@@ -12,6 +12,7 @@
 #include "test_sockmap_progs_query.skel.h"
 #include "test_sockmap_pass_prog.skel.h"
 #include "test_sockmap_drop_prog.skel.h"
+#include "test_sockmap_change_tail.skel.h"
 #include "bpf_iter_sockmap.skel.h"
 
 #include "sockmap_helpers.h"
@@ -562,6 +563,54 @@ static void test_sockmap_skb_verdict_fionread(bool pass_prog)
 		test_sockmap_drop_prog__destroy(drop);
 }
 
+static void test_sockmap_skb_verdict_change_tail(void)
+{
+	struct test_sockmap_change_tail *skel;
+	int err, map, verdict;
+	int c1, p1, sent, recvd;
+	int zero = 0;
+	char b[3];
+
+	skel = test_sockmap_change_tail__open_and_load();
+	if (!ASSERT_OK_PTR(skel, "open_and_load"))
+		return;
+	verdict = bpf_program__fd(skel->progs.prog_skb_verdict);
+	map = bpf_map__fd(skel->maps.sock_map_rx);
+
+	err = bpf_prog_attach(verdict, map, BPF_SK_SKB_STREAM_VERDICT, 0);
+	if (!ASSERT_OK(err, "bpf_prog_attach"))
+		goto out;
+	err = create_pair(AF_INET, SOCK_STREAM, &c1, &p1);
+	if (!ASSERT_OK(err, "create_pair()"))
+		goto out;
+	err = bpf_map_update_elem(map, &zero, &c1, BPF_NOEXIST);
+	if (!ASSERT_OK(err, "bpf_map_update_elem(c1)"))
+		goto out_close;
+	sent = xsend(p1, "Tr", 2, 0);
+	ASSERT_EQ(sent, 2, "xsend(p1)");
+	recvd = recv(c1, b, 2, 0);
+	ASSERT_EQ(recvd, 1, "recv(c1)");
+	ASSERT_EQ(skel->data->change_tail_ret, 0, "change_tail_ret");
+
+	sent = xsend(p1, "G", 1, 0);
+	ASSERT_EQ(sent, 1, "xsend(p1)");
+	recvd = recv(c1, b, 2, 0);
+	ASSERT_EQ(recvd, 2, "recv(c1)");
+	ASSERT_EQ(skel->data->change_tail_ret, 0, "change_tail_ret");
+
+	sent = xsend(p1, "E", 1, 0);
+	ASSERT_EQ(sent, 1, "xsend(p1)");
+	recvd = recv(c1, b, 1, 0);
+	ASSERT_EQ(recvd, 1, "recv(c1)");
+	ASSERT_EQ(skel->data->change_tail_ret, -EINVAL, "change_tail_ret");
+
+out_close:
+	close(c1);
+	close(p1);
+out:
+	test_sockmap_change_tail__destroy(skel);
+}
+
 static void test_sockmap_skb_verdict_peek_helper(int map)
 {
 	int err, c1, p1, zero = 0, sent, recvd, avail;
@@ -927,6 +976,8 @@ void test_sockmap_basic(void)
 		test_sockmap_skb_verdict_fionread(true);
 	if (test__start_subtest("sockmap skb_verdict fionread on drop"))
 		test_sockmap_skb_verdict_fionread(false);
+	if (test__start_subtest("sockmap skb_verdict change tail"))
+		test_sockmap_skb_verdict_change_tail();
 	if (test__start_subtest("sockmap skb_verdict msg_f_peek"))
 		test_sockmap_skb_verdict_peek();
 	if (test__start_subtest("sockmap skb_verdict msg_f_peek with link"))
diff --git a/tools/testing/selftests/bpf/progs/test_sockmap_change_tail.c b/tools/testing/selftests/bpf/progs/test_sockmap_change_tail.c
new file mode 100644
index 000000000000..2796dd8545eb
--- /dev/null
+++ b/tools/testing/selftests/bpf/progs/test_sockmap_change_tail.c
@@ -0,0 +1,40 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright (c) 2024 ByteDance */
+#include <linux/bpf.h>
+#include <bpf/bpf_helpers.h>
+
+struct {
+	__uint(type, BPF_MAP_TYPE_SOCKMAP);
+	__uint(max_entries, 1);
+	__type(key, int);
+	__type(value, int);
+} sock_map_rx SEC(".maps");
+
+long change_tail_ret = 1;
+
+SEC("sk_skb")
+int prog_skb_verdict(struct __sk_buff *skb)
+{
+	char *data, *data_end;
+
+	bpf_skb_pull_data(skb, 1);
+	data = (char *)(unsigned long)skb->data;
+	data_end = (char *)(unsigned long)skb->data_end;
+
+	if (data + 1 > data_end)
+		return SK_PASS;
+
+	if (data[0] == 'T') { /* Trim the packet */
+		change_tail_ret = bpf_skb_change_tail(skb, skb->len - 1, 0);
+		return SK_PASS;
+	} else if (data[0] == 'G') { /* Grow the packet */
+		change_tail_ret = bpf_skb_change_tail(skb, skb->len + 1, 0);
+		return SK_PASS;
+	} else if (data[0] == 'E') { /* Error */
+		change_tail_ret = bpf_skb_change_tail(skb, 65535, 0);
+		return SK_PASS;
+	}
+	return SK_PASS;
+}
+
+char _license[] SEC("license") = "GPL";
-- 
2.34.1

Re: [External] [Patch bpf 2/2] selftests/bpf: Add a BPF selftest for bpf_skb_change_tail()

[Zijian Zhang]

On 11/6/24 7:41 PM, Cong Wang wrote:
> From: Cong Wang <cong.wang@bytedance.com>
> 
> As requested by Daniel, we need to add a selftest to cover
> bpf_skb_change_tail() cases in skb_verdict. Here we test trimming,
> growing and error cases, and validate its expected return values.
> 
> Cc: John Fastabend <john.fastabend@gmail.com>
> Cc: Daniel Borkmann <daniel@iogearbox.net>
> Cc: Zijian Zhang <zijianzhang@bytedance.com>
> Signed-off-by: Cong Wang <cong.wang@bytedance.com>
> ---
>   .../selftests/bpf/prog_tests/sockmap_basic.c  | 51 +++++++++++++++++++
>   .../bpf/progs/test_sockmap_change_tail.c      | 40 +++++++++++++++
>   2 files changed, 91 insertions(+)
>   create mode 100644 tools/testing/selftests/bpf/progs/test_sockmap_change_tail.c
> 
> diff --git a/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c b/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c
> index 82bfb266741c..fe735fced836 100644
> --- a/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c
> +++ b/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c
> @@ -12,6 +12,7 @@
>   #include "test_sockmap_progs_query.skel.h"
>   #include "test_sockmap_pass_prog.skel.h"
>   #include "test_sockmap_drop_prog.skel.h"
> +#include "test_sockmap_change_tail.skel.h"
>   #include "bpf_iter_sockmap.skel.h"
>   
>   #include "sockmap_helpers.h"
> @@ -562,6 +563,54 @@ static void test_sockmap_skb_verdict_fionread(bool pass_prog)
>   		test_sockmap_drop_prog__destroy(drop);
>   }
>   
> +static void test_sockmap_skb_verdict_change_tail(void)
> +{
> +	struct test_sockmap_change_tail *skel;
> +	int err, map, verdict;
> +	int c1, p1, sent, recvd;
> +	int zero = 0;
> +	char b[3];
> +
> +	skel = test_sockmap_change_tail__open_and_load();
> +	if (!ASSERT_OK_PTR(skel, "open_and_load"))
> +		return;
> +	verdict = bpf_program__fd(skel->progs.prog_skb_verdict);
> +	map = bpf_map__fd(skel->maps.sock_map_rx);
> +
> +	err = bpf_prog_attach(verdict, map, BPF_SK_SKB_STREAM_VERDICT, 0);
> +	if (!ASSERT_OK(err, "bpf_prog_attach"))
> +		goto out;
> +	err = create_pair(AF_INET, SOCK_STREAM, &c1, &p1);
> +	if (!ASSERT_OK(err, "create_pair()"))
> +		goto out;
> +	err = bpf_map_update_elem(map, &zero, &c1, BPF_NOEXIST);
> +	if (!ASSERT_OK(err, "bpf_map_update_elem(c1)"))
> +		goto out_close;
> +	sent = xsend(p1, "Tr", 2, 0);
> +	ASSERT_EQ(sent, 2, "xsend(p1)");
> +	recvd = recv(c1, b, 2, 0);
> +	ASSERT_EQ(recvd, 1, "recv(c1)");
> +	ASSERT_EQ(skel->data->change_tail_ret, 0, "change_tail_ret");
> +
> +	sent = xsend(p1, "G", 1, 0);
> +	ASSERT_EQ(sent, 1, "xsend(p1)");
> +	recvd = recv(c1, b, 2, 0);
> +	ASSERT_EQ(recvd, 2, "recv(c1)");
> +	ASSERT_EQ(skel->data->change_tail_ret, 0, "change_tail_ret");
> +
> +	sent = xsend(p1, "E", 1, 0);
> +	ASSERT_EQ(sent, 1, "xsend(p1)");
> +	recvd = recv(c1, b, 1, 0);
> +	ASSERT_EQ(recvd, 1, "recv(c1)");
> +	ASSERT_EQ(skel->data->change_tail_ret, -EINVAL, "change_tail_ret");
> +
> +out_close:
> +	close(c1);
> +	close(p1);
> +out:
> +	test_sockmap_change_tail__destroy(skel);
> +}
> +
>   static void test_sockmap_skb_verdict_peek_helper(int map)
>   {
>   	int err, c1, p1, zero = 0, sent, recvd, avail;
> @@ -927,6 +976,8 @@ void test_sockmap_basic(void)
>   		test_sockmap_skb_verdict_fionread(true);
>   	if (test__start_subtest("sockmap skb_verdict fionread on drop"))
>   		test_sockmap_skb_verdict_fionread(false);
> +	if (test__start_subtest("sockmap skb_verdict change tail"))
> +		test_sockmap_skb_verdict_change_tail();
>   	if (test__start_subtest("sockmap skb_verdict msg_f_peek"))
>   		test_sockmap_skb_verdict_peek();
>   	if (test__start_subtest("sockmap skb_verdict msg_f_peek with link"))
> diff --git a/tools/testing/selftests/bpf/progs/test_sockmap_change_tail.c b/tools/testing/selftests/bpf/progs/test_sockmap_change_tail.c
> new file mode 100644
> index 000000000000..2796dd8545eb
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/progs/test_sockmap_change_tail.c
> @@ -0,0 +1,40 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/* Copyright (c) 2024 ByteDance */
> +#include <linux/bpf.h>
> +#include <bpf/bpf_helpers.h>
> +
> +struct {
> +	__uint(type, BPF_MAP_TYPE_SOCKMAP);
> +	__uint(max_entries, 1);
> +	__type(key, int);
> +	__type(value, int);
> +} sock_map_rx SEC(".maps");
> +
> +long change_tail_ret = 1;
> +
> +SEC("sk_skb")
> +int prog_skb_verdict(struct __sk_buff *skb)
> +{
> +	char *data, *data_end;
> +
> +	bpf_skb_pull_data(skb, 1);
> +	data = (char *)(unsigned long)skb->data;
> +	data_end = (char *)(unsigned long)skb->data_end;
> +
> +	if (data + 1 > data_end)
> +		return SK_PASS;
> +
> +	if (data[0] == 'T') { /* Trim the packet */
> +		change_tail_ret = bpf_skb_change_tail(skb, skb->len - 1, 0);
> +		return SK_PASS;
> +	} else if (data[0] == 'G') { /* Grow the packet */
> +		change_tail_ret = bpf_skb_change_tail(skb, skb->len + 1, 0);
> +		return SK_PASS;
> +	} else if (data[0] == 'E') { /* Error */
> +		change_tail_ret = bpf_skb_change_tail(skb, 65535, 0);
> +		return SK_PASS;
> +	}
> +	return SK_PASS;
> +}
> +
> +char _license[] SEC("license") = "GPL";

LGTM!

I think it will be better if the test could also cover the case you
indicated in the first patch, where skb_transport_offset is a negative
value.

Thanks,
Zijian

Re: [External] [Patch bpf 2/2] selftests/bpf: Add a BPF selftest for bpf_skb_change_tail()

[John Fastabend]

Zijian Zhang wrote:
> On 11/6/24 7:41 PM, Cong Wang wrote:
> > From: Cong Wang <cong.wang@bytedance.com>
> > 
> > As requested by Daniel, we need to add a selftest to cover
> > bpf_skb_change_tail() cases in skb_verdict. Here we test trimming,
> > growing and error cases, and validate its expected return values.
> > 
> > Cc: John Fastabend <john.fastabend@gmail.com>
> > Cc: Daniel Borkmann <daniel@iogearbox.net>
> > Cc: Zijian Zhang <zijianzhang@bytedance.com>
> > Signed-off-by: Cong Wang <cong.wang@bytedance.com>
> > ---
> >   .../selftests/bpf/prog_tests/sockmap_basic.c  | 51 +++++++++++++++++++
> >   .../bpf/progs/test_sockmap_change_tail.c      | 40 +++++++++++++++
> >   2 files changed, 91 insertions(+)
> >   create mode 100644 tools/testing/selftests/bpf/progs/test_sockmap_change_tail.c
> > 
> > diff --git a/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c b/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c
> > index 82bfb266741c..fe735fced836 100644
> > --- a/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c
> > +++ b/tools/testing/selftests/bpf/prog_tests/sockmap_basic.c
> > @@ -12,6 +12,7 @@
> >   #include "test_sockmap_progs_query.skel.h"
> >   #include "test_sockmap_pass_prog.skel.h"
> >   #include "test_sockmap_drop_prog.skel.h"
> > +#include "test_sockmap_change_tail.skel.h"
> >   #include "bpf_iter_sockmap.skel.h"
> >   
> >   #include "sockmap_helpers.h"
> > @@ -562,6 +563,54 @@ static void test_sockmap_skb_verdict_fionread(bool pass_prog)
> >   		test_sockmap_drop_prog__destroy(drop);
> >   }
> >   
> > +static void test_sockmap_skb_verdict_change_tail(void)
> > +{
> > +	struct test_sockmap_change_tail *skel;
> > +	int err, map, verdict;
> > +	int c1, p1, sent, recvd;
> > +	int zero = 0;
> > +	char b[3];
> > +
> > +	skel = test_sockmap_change_tail__open_and_load();
> > +	if (!ASSERT_OK_PTR(skel, "open_and_load"))
> > +		return;
> > +	verdict = bpf_program__fd(skel->progs.prog_skb_verdict);
> > +	map = bpf_map__fd(skel->maps.sock_map_rx);
> > +
> > +	err = bpf_prog_attach(verdict, map, BPF_SK_SKB_STREAM_VERDICT, 0);
> > +	if (!ASSERT_OK(err, "bpf_prog_attach"))
> > +		goto out;
> > +	err = create_pair(AF_INET, SOCK_STREAM, &c1, &p1);
> > +	if (!ASSERT_OK(err, "create_pair()"))
> > +		goto out;
> > +	err = bpf_map_update_elem(map, &zero, &c1, BPF_NOEXIST);
> > +	if (!ASSERT_OK(err, "bpf_map_update_elem(c1)"))
> > +		goto out_close;
> > +	sent = xsend(p1, "Tr", 2, 0);
> > +	ASSERT_EQ(sent, 2, "xsend(p1)");
> > +	recvd = recv(c1, b, 2, 0);
> > +	ASSERT_EQ(recvd, 1, "recv(c1)");
> > +	ASSERT_EQ(skel->data->change_tail_ret, 0, "change_tail_ret");
> > +
> > +	sent = xsend(p1, "G", 1, 0);
> > +	ASSERT_EQ(sent, 1, "xsend(p1)");
> > +	recvd = recv(c1, b, 2, 0);
> > +	ASSERT_EQ(recvd, 2, "recv(c1)");
> > +	ASSERT_EQ(skel->data->change_tail_ret, 0, "change_tail_ret");
> > +
> > +	sent = xsend(p1, "E", 1, 0);
> > +	ASSERT_EQ(sent, 1, "xsend(p1)");
> > +	recvd = recv(c1, b, 1, 0);
> > +	ASSERT_EQ(recvd, 1, "recv(c1)");
> > +	ASSERT_EQ(skel->data->change_tail_ret, -EINVAL, "change_tail_ret");
> > +
> > +out_close:
> > +	close(c1);
> > +	close(p1);
> > +out:
> > +	test_sockmap_change_tail__destroy(skel);
> > +}
> > +
> >   static void test_sockmap_skb_verdict_peek_helper(int map)
> >   {
> >   	int err, c1, p1, zero = 0, sent, recvd, avail;
> > @@ -927,6 +976,8 @@ void test_sockmap_basic(void)
> >   		test_sockmap_skb_verdict_fionread(true);
> >   	if (test__start_subtest("sockmap skb_verdict fionread on drop"))
> >   		test_sockmap_skb_verdict_fionread(false);
> > +	if (test__start_subtest("sockmap skb_verdict change tail"))
> > +		test_sockmap_skb_verdict_change_tail();
> >   	if (test__start_subtest("sockmap skb_verdict msg_f_peek"))
> >   		test_sockmap_skb_verdict_peek();
> >   	if (test__start_subtest("sockmap skb_verdict msg_f_peek with link"))
> > diff --git a/tools/testing/selftests/bpf/progs/test_sockmap_change_tail.c b/tools/testing/selftests/bpf/progs/test_sockmap_change_tail.c
> > new file mode 100644
> > index 000000000000..2796dd8545eb
> > --- /dev/null
> > +++ b/tools/testing/selftests/bpf/progs/test_sockmap_change_tail.c
> > @@ -0,0 +1,40 @@
> > +// SPDX-License-Identifier: GPL-2.0
> > +/* Copyright (c) 2024 ByteDance */
> > +#include <linux/bpf.h>
> > +#include <bpf/bpf_helpers.h>
> > +
> > +struct {
> > +	__uint(type, BPF_MAP_TYPE_SOCKMAP);
> > +	__uint(max_entries, 1);
> > +	__type(key, int);
> > +	__type(value, int);
> > +} sock_map_rx SEC(".maps");
> > +
> > +long change_tail_ret = 1;
> > +
> > +SEC("sk_skb")
> > +int prog_skb_verdict(struct __sk_buff *skb)
> > +{
> > +	char *data, *data_end;
> > +
> > +	bpf_skb_pull_data(skb, 1);
> > +	data = (char *)(unsigned long)skb->data;
> > +	data_end = (char *)(unsigned long)skb->data_end;
> > +
> > +	if (data + 1 > data_end)
> > +		return SK_PASS;
> > +
> > +	if (data[0] == 'T') { /* Trim the packet */
> > +		change_tail_ret = bpf_skb_change_tail(skb, skb->len - 1, 0);
> > +		return SK_PASS;
> > +	} else if (data[0] == 'G') { /* Grow the packet */
> > +		change_tail_ret = bpf_skb_change_tail(skb, skb->len + 1, 0);
> > +		return SK_PASS;
> > +	} else if (data[0] == 'E') { /* Error */
> > +		change_tail_ret = bpf_skb_change_tail(skb, 65535, 0);
> > +		return SK_PASS;
> > +	}
> > +	return SK_PASS;
> > +}
> > +
> > +char _license[] SEC("license") = "GPL";
> 
> LGTM!
> 
> I think it will be better if the test could also cover the case you
> indicated in the first patch, where skb_transport_offset is a negative
> value.
> 
> Thanks,
> Zijian
> 

Hi Cong,

I agree it would be great to see the skb_transport_offset is
negative pattern. Could we add it?

Thanks,
John

Re: [External] [Patch bpf 2/2] selftests/bpf: Add a BPF selftest for bpf_skb_change_tail()

[Cong Wang]

On Tue, Nov 26, 2024 at 11:34:25PM -0800, John Fastabend wrote:
> Zijian Zhang wrote:
> > 
> > LGTM!
> > 
> > I think it will be better if the test could also cover the case you
> > indicated in the first patch, where skb_transport_offset is a negative
> > value.
> > 
> > Thanks,
> > Zijian
> > 
> 
> Hi Cong,
> 
> I agree it would be great to see the skb_transport_offset is
> negative pattern. Could we add it?

Hmm? It is already negative for sockmap, as I already mentioned in patch
1/1:

"skb_transport_offset() and skb_transport_offset() can be negative when
they are called after we pull the transport header, for example, when
we use eBPF sockmap (aka at the point of ->sk_data_ready())."

My test case uses skb verdict, which is one of the sockmap hooks.

Or I guess you mean positive? In that case, we would need hook different
locations, like TC. I can certainly add it, but once again, it would
make backporting this patchset even harder.

Thanks!