lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 9 Feb 2024 12:33:58 -0800
From: Kui-Feng Lee <sinquersw@...il.com>
To: Stanislav Fomichev <sdf@...gle.com>, Oliver Crumrine <ozlinuxc@...il.com>
Cc: bpf@...r.kernel.org, linux-kernel@...r.kernel.org, thinker.li@...il.com
Subject: Re: [PATCH] net: remove check before __cgroup_bpf_run_filter_skb



On 2/9/24 11:00, Stanislav Fomichev wrote:
> On 02/08, Oliver Crumrine wrote:
>> On Thu, Feb 08, 2024 at 04:43:06PM -0800, Stanislav Fomichev wrote:
>>> The check is here to make sure we only run this hook on non-req sockets.
>>> Dropping it would mean we'd be running the hook on the listeners
>>> instead. I don't think we want that.
>>
>> You are correct that we don't want to run the code on listeners. However
>> the check for that is in the function this macro calls,
>> __cgroup_bpf_run_filter_skb (the check is on line 1367 of
>> kernel/bpf/cgroup.c, for 6.8.0-rc3). The check doesn't need to be done
>> twice, so it can be removed in this macro.
> 
> Maybe we should instead remove "(!sk || !sk_fullsock(sk))" check from
> __cgroup_bpf_run_filter_skb? BPF_CGROUP_RUN_PROG_INET_EGRESS makes
> care of all those corner conditions. We just need to add those checks to
> BPF_CGROUP_RUN_PROG_INET_INGRESS.
> 
> Let me also CC Kui-Feng, he was touching this part recently in commit
> 223f5f79f2ce ("bpf, net: Check skb ownership against full socket.").
> 

Adding those checks in BPF_CGROUP_RUN_PROG_INET_INGRESS makes sense
to me if the point here is saving CPU cycles during runtime.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ