lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CANn89i+9GmBLCdgsfH=WWe-tyFYpiO27wONyxaxiU6aOBC6G8g@mail.gmail.com>
Date: Fri, 13 Sep 2024 16:44:03 +0200
From: Eric Dumazet <edumazet@...gle.com>
To: Feng Zhou <zhoufeng.zf@...edance.com>
Cc: Martin KaFai Lau <martin.lau@...ux.dev>, davem@...emloft.net, kuba@...nel.org, 
	pabeni@...hat.com, ast@...nel.org, daniel@...earbox.net, andrii@...nel.org, 
	eddyz87@...il.com, song@...nel.org, yonghong.song@...ux.dev, 
	john.fastabend@...il.com, kpsingh@...nel.org, sdf@...ichev.me, 
	haoluo@...gle.com, jolsa@...nel.org, dsahern@...nel.org, 
	netdev@...r.kernel.org, linux-kernel@...r.kernel.org, bpf@...r.kernel.org, 
	yangzhenze@...edance.com, wangdongdong.6@...edance.com, 
	YiFei Zhu <zhuyifei@...gle.com>
Subject: Re: [External] Re: [PATCH bpf-next v2] bpf: Fix bpf_get/setsockopt to
 tos not take effect when TCP over IPv4 via INET6 API

On Tue, Aug 27, 2024 at 10:08 AM Feng Zhou <zhoufeng.zf@...edance.com> wrote:
>
> 在 2024/8/24 02:53, Eric Dumazet 写道:
> > On Fri, Aug 23, 2024 at 8:49 PM Martin KaFai Lau <martin.lau@...ux.dev> wrote:
> >>
> >> On 8/23/24 6:35 AM, Eric Dumazet wrote:
> >>> On Fri, Aug 23, 2024 at 10:53 AM Feng zhou <zhoufeng.zf@...edance.com> wrote:
> >>>>
> >>>> From: Feng Zhou <zhoufeng.zf@...edance.com>
> >>>>
> >>>> when TCP over IPv4 via INET6 API, bpf_get/setsockopt with ipv4 will
> >>>> fail, because sk->sk_family is AF_INET6. With ipv6 will success, not
> >>>> take effect, because inet_csk(sk)->icsk_af_ops is ipv6_mapped and
> >>>> use ip_queue_xmit, inet_sk(sk)->tos.
> >>>>
> >>>> So bpf_get/setsockopt needs add the judgment of this case. Just check
> >>>> "inet_csk(sk)->icsk_af_ops == &ipv6_mapped".
> >>>>
> >>>> | Reported-by: kernel test robot <lkp@...el.com>
> >>>> | Closes: https://lore.kernel.org/oe-kbuild-all/202408152034.lw9Ilsj6-lkp@intel.com/
> >>>> Signed-off-by: Feng Zhou <zhoufeng.zf@...edance.com>
> >>>> ---
> >>>> Changelog:
> >>>> v1->v2: Addressed comments from kernel test robot
> >>>> - Fix compilation error
> >>>> Details in here:
> >>>> https://lore.kernel.org/bpf/202408152058.YXAnhLgZ-lkp@intel.com/T/
> >>>>
> >>>>    include/net/tcp.h   | 2 ++
> >>>>    net/core/filter.c   | 6 +++++-
> >>>>    net/ipv6/tcp_ipv6.c | 6 ++++++
> >>>>    3 files changed, 13 insertions(+), 1 deletion(-)
> >>>>
> >>>> diff --git a/include/net/tcp.h b/include/net/tcp.h
> >>>> index 2aac11e7e1cc..ea673f88c900 100644
> >>>> --- a/include/net/tcp.h
> >>>> +++ b/include/net/tcp.h
> >>>> @@ -493,6 +493,8 @@ struct request_sock *cookie_tcp_reqsk_alloc(const struct request_sock_ops *ops,
> >>>>                                               struct tcp_options_received *tcp_opt,
> >>>>                                               int mss, u32 tsoff);
> >>>>
> >>>> +bool is_tcp_sock_ipv6_mapped(struct sock *sk);
> >>>> +
> >>>>    #if IS_ENABLED(CONFIG_BPF)
> >>>>    struct bpf_tcp_req_attrs {
> >>>>           u32 rcv_tsval;
> >>>> diff --git a/net/core/filter.c b/net/core/filter.c
> >>>> index ecf2ddf633bf..02a825e35c4d 100644
> >>>> --- a/net/core/filter.c
> >>>> +++ b/net/core/filter.c
> >>>> @@ -5399,7 +5399,11 @@ static int sol_ip_sockopt(struct sock *sk, int optname,
> >>>>                             char *optval, int *optlen,
> >>>>                             bool getopt)
> >>>>    {
> >>>> -       if (sk->sk_family != AF_INET)
> >>>> +       if (sk->sk_family != AF_INET
> >>>> +#if IS_BUILTIN(CONFIG_IPV6)
> >>>> +           && !is_tcp_sock_ipv6_mapped(sk)
> >>>> +#endif
> >>>> +           )
> >>>>                   return -EINVAL;
> >>>
> >>> This does not look right to me.
> >>>
> >>> I would remove the test completely.
> >>>
> >>> SOL_IP socket options are available on AF_INET6 sockets just fine.
> >>
> >> Good point on the SOL_IP options.
> >>
> >> The sk could be neither AF_INET nor AF_INET6. e.g. the bpf_get/setsockopt
> >> calling from the bpf_lsm's socket_post_create). so the AF_INET test is still needed.
> >>
> >
> > OK, then I suggest using sk_is_inet() helper.
> >
> >> Adding "&& sk->sk_family != AF_INET6" should do. From ipv6_setsockopt, I think
> >> it also needs to consider the "sk->sk_type != SOCK_RAW".
> >>
> >> Please add a test in the next re-spin.
> >>
> >> pw-bot: cr
>
> Thanks for your suggestion, I will add it in the next version.

Gentle ping.

Have you sent the new version ?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ