| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 1 Apr 2020 13:57:44 -0600
From: David Ahern <dsahern@...il.com>
To: Stefan Majer <stefan.majer@...il.com>, netdev@...r.kernel.org,
Stephen Hemminger <stephen@...workplumber.org>
Subject: Re: PATCH: Error message if set memlock=infinite failed during bpf
load
On 4/1/20 12:57 AM, Stefan Majer wrote:
> Executing ip vrf exec <vrfname> command sometimes fails with:
>
> bpf: Failed to load program: Operation not permitted
>
> This error message might be misleading because the underlying reason can be
> that memlock limit is to small.
>
> It is already implemented to set memlock to infinite, but without
> error handling.
>
> With this patch at least a warning is printed out to inform the user
> what might be the root cause.
>
>
> Signed-off-by: Stefan Majer <stefan.majer@...il.com>
>
> diff --git a/lib/bpf.c b/lib/bpf.c
> index 10cf9bf4..210830d9 100644
> --- a/lib/bpf.c
> +++ b/lib/bpf.c
> @@ -1416,8 +1416,8 @@ static void bpf_init_env(void)
> .rlim_max = RLIM_INFINITY,
> };
>
> - /* Don't bother in case we fail! */
> - setrlimit(RLIMIT_MEMLOCK, &limit);
> + if (!setrlimit(RLIMIT_MEMLOCK, &limit))
> + fprintf(stderr, "Continue without setting ulimit memlock=infinity.
> Error:%s\n", strerror(errno));
>
> if (!bpf_get_work_dir(BPF_PROG_TYPE_UNSPEC))
> fprintf(stderr, "Continuing without mounted eBPF fs. Too old kernel?\n");
>
bpf_init_env is not called for 'ip vrf exec'.
Since other bpf code raises the limit it would be consistent for 'ip vrf
exec' to do the same. I know this limit has been a pain for some users.
Powered by blists - more mailing lists