| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 9 Feb 2024 12:33:58 -0800
From: Kui-Feng Lee <sinquersw@...il.com>
To: Stanislav Fomichev <sdf@...gle.com>, Oliver Crumrine <ozlinuxc@...il.com>
Cc: bpf@...r.kernel.org, linux-kernel@...r.kernel.org, thinker.li@...il.com
Subject: Re: [PATCH] net: remove check before __cgroup_bpf_run_filter_skb
On 2/9/24 11:00, Stanislav Fomichev wrote:
> On 02/08, Oliver Crumrine wrote:
>> On Thu, Feb 08, 2024 at 04:43:06PM -0800, Stanislav Fomichev wrote:
>>> The check is here to make sure we only run this hook on non-req sockets.
>>> Dropping it would mean we'd be running the hook on the listeners
>>> instead. I don't think we want that.
>>
>> You are correct that we don't want to run the code on listeners. However
>> the check for that is in the function this macro calls,
>> __cgroup_bpf_run_filter_skb (the check is on line 1367 of
>> kernel/bpf/cgroup.c, for 6.8.0-rc3). The check doesn't need to be done
>> twice, so it can be removed in this macro.
>
> Maybe we should instead remove "(!sk || !sk_fullsock(sk))" check from
> __cgroup_bpf_run_filter_skb? BPF_CGROUP_RUN_PROG_INET_EGRESS makes
> care of all those corner conditions. We just need to add those checks to
> BPF_CGROUP_RUN_PROG_INET_INGRESS.
>
> Let me also CC Kui-Feng, he was touching this part recently in commit
> 223f5f79f2ce ("bpf, net: Check skb ownership against full socket.").
>
Adding those checks in BPF_CGROUP_RUN_PROG_INET_INGRESS makes sense
to me if the point here is saving CPU cycles during runtime.
Powered by blists - more mailing lists