lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <fkwti7loufn3rc5ecwid5nvhbvxjdxuo5yeztyolyd2376cqu4@ev3g3dsn5kdk>
Date:   Sat, 25 Nov 2023 22:38:18 -0600
From:   Daniel Xu <dxu@...uu.xyz>
To:     Yonghong Song <yonghong.song@...ux.dev>
Cc:     john.fastabend@...il.com, Herbert Xu <herbert@...dor.apana.org.au>,
        davem@...emloft.net, ast@...nel.org, daniel@...earbox.net,
        pabeni@...hat.com, hawk@...nel.org, kuba@...nel.org,
        edumazet@...gle.com, steffen.klassert@...unet.com,
        antony.antony@...unet.com, alexei.starovoitov@...il.com,
        linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
        bpf@...r.kernel.org, devel@...ux-ipsec.org
Subject: Re: [PATCH ipsec-next v1 1/7] bpf: xfrm: Add
 bpf_xdp_get_xfrm_state() kfunc

On Sat, Nov 25, 2023 at 12:36:29PM -0800, Yonghong Song wrote:
> 
> On 11/22/23 1:20 PM, Daniel Xu wrote:
> > This commit adds an unstable kfunc helper to access internal xfrm_state
> > associated with an SA. This is intended to be used for the upcoming
> > IPsec pcpu work to assign special pcpu SAs to a particular CPU. In other
> > words: for custom software RSS.
> > 
> > That being said, the function that this kfunc wraps is fairly generic
> > and used for a lot of xfrm tasks. I'm sure people will find uses
> > elsewhere over time.
> > 
> > Co-developed-by: Antony Antony <antony.antony@...unet.com>
> > Signed-off-by: Antony Antony <antony.antony@...unet.com>
> > Signed-off-by: Daniel Xu <dxu@...uu.xyz>
> > ---
> >   include/net/xfrm.h        |   9 ++++
> >   net/xfrm/Makefile         |   1 +
> >   net/xfrm/xfrm_policy.c    |   2 +
> >   net/xfrm/xfrm_state_bpf.c | 111 ++++++++++++++++++++++++++++++++++++++
> >   4 files changed, 123 insertions(+)
> >   create mode 100644 net/xfrm/xfrm_state_bpf.c
> > 
> > diff --git a/include/net/xfrm.h b/include/net/xfrm.h
> > index c9bb0f892f55..1d107241b901 100644
> > --- a/include/net/xfrm.h
> > +++ b/include/net/xfrm.h
> > @@ -2190,4 +2190,13 @@ static inline int register_xfrm_interface_bpf(void)
> >   #endif
> > +#if IS_ENABLED(CONFIG_DEBUG_INFO_BTF)
> > +int register_xfrm_state_bpf(void);
> > +#else
> > +static inline int register_xfrm_state_bpf(void)
> > +{
> > +	return 0;
> > +}
> > +#endif
> > +
> >   #endif	/* _NET_XFRM_H */
> > diff --git a/net/xfrm/Makefile b/net/xfrm/Makefile
> > index cd47f88921f5..547cec77ba03 100644
> > --- a/net/xfrm/Makefile
> > +++ b/net/xfrm/Makefile
> > @@ -21,3 +21,4 @@ obj-$(CONFIG_XFRM_USER_COMPAT) += xfrm_compat.o
> >   obj-$(CONFIG_XFRM_IPCOMP) += xfrm_ipcomp.o
> >   obj-$(CONFIG_XFRM_INTERFACE) += xfrm_interface.o
> >   obj-$(CONFIG_XFRM_ESPINTCP) += espintcp.o
> > +obj-$(CONFIG_DEBUG_INFO_BTF) += xfrm_state_bpf.o
> > diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
> > index c13dc3ef7910..1b7e75159727 100644
> > --- a/net/xfrm/xfrm_policy.c
> > +++ b/net/xfrm/xfrm_policy.c
> > @@ -4218,6 +4218,8 @@ void __init xfrm_init(void)
> >   #ifdef CONFIG_XFRM_ESPINTCP
> >   	espintcp_init();
> >   #endif
> > +
> > +	register_xfrm_state_bpf();
> >   }
> >   #ifdef CONFIG_AUDITSYSCALL
> > diff --git a/net/xfrm/xfrm_state_bpf.c b/net/xfrm/xfrm_state_bpf.c
> > new file mode 100644
> > index 000000000000..0c1f2f91125c
> > --- /dev/null
> > +++ b/net/xfrm/xfrm_state_bpf.c
> > @@ -0,0 +1,111 @@
> > +// SPDX-License-Identifier: GPL-2.0-only
> > +/* Unstable XFRM state BPF helpers.
> > + *
> > + * Note that it is allowed to break compatibility for these functions since the
> > + * interface they are exposed through to BPF programs is explicitly unstable.
> > + */
> > +
> > +#include <linux/bpf.h>
> > +#include <linux/btf_ids.h>
> > +#include <net/xdp.h>
> > +#include <net/xfrm.h>
> > +
> > +/* bpf_xfrm_state_opts - Options for XFRM state lookup helpers
> > + *
> > + * Members:
> > + * @error      - Out parameter, set for any errors encountered
> > + *		 Values:
> > + *		   -EINVAL - netns_id is less than -1
> > + *		   -EINVAL - Passed NULL for opts
> > + *		   -EINVAL - opts__sz isn't BPF_XFRM_STATE_OPTS_SZ
> > + *		   -ENONET - No network namespace found for netns_id
> > + * @netns_id	- Specify the network namespace for lookup
> > + *		 Values:
> > + *		   BPF_F_CURRENT_NETNS (-1)
> > + *		     Use namespace associated with ctx
> > + *		   [0, S32_MAX]
> > + *		     Network Namespace ID
> > + * @mark	- XFRM mark to match on
> > + * @daddr	- Destination address to match on
> > + * @spi		- Security parameter index to match on
> > + * @proto	- L3 protocol to match on
> > + * @family	- L3 protocol family to match on
> > + */
> > +struct bpf_xfrm_state_opts {
> > +	s32 error;
> > +	s32 netns_id;
> > +	u32 mark;
> > +	xfrm_address_t daddr;
> > +	__be32 spi;
> > +	u8 proto;
> > +	u16 family;
> > +};
> > +
> > +enum {
> > +	BPF_XFRM_STATE_OPTS_SZ = sizeof(struct bpf_xfrm_state_opts),
> > +};
> > +
> > +__diag_push();
> > +__diag_ignore_all("-Wmissing-prototypes",
> > +		  "Global functions as their definitions will be in xfrm_state BTF");
> > +
> > +/* bpf_xdp_get_xfrm_state - Get XFRM state
> > + *
> > + * Parameters:
> > + * @ctx 	- Pointer to ctx (xdp_md) in XDP program
> > + *		    Cannot be NULL
> > + * @opts	- Options for lookup (documented above)
> > + *		    Cannot be NULL
> > + * @opts__sz	- Length of the bpf_xfrm_state_opts structure
> > + *		    Must be BPF_XFRM_STATE_OPTS_SZ
> > + */
> > +__bpf_kfunc struct xfrm_state *
> > +bpf_xdp_get_xfrm_state(struct xdp_md *ctx, struct bpf_xfrm_state_opts *opts, u32 opts__sz)
> > +{
> > +	struct xdp_buff *xdp = (struct xdp_buff *)ctx;
> > +	struct net *net = dev_net(xdp->rxq->dev);
> > +	struct xfrm_state *x;
> > +
> > +	if (!opts || opts__sz != BPF_XFRM_STATE_OPTS_SZ) {
> > +		opts->error = -EINVAL;
> 
> If opts is NULL, obvious we have issue opts->error access.
> If opts is not NULL and opts_sz < 4, we also have issue with
> opts->error access since it may override some other stuff
> on the stack.
> 
> In such cases, we do not need to do 'opts->error = -EINVAL'
> and can simply 'return NULL'. bpf program won't be able
> to check opts->error anyway since the opts is either NULL
> or opts_sz < 4.

Ack, will fix.

[...]


Thanks,
Daniel

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ