lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20210322200922.GA56104@ranger.igk.intel.com>
Date:   Mon, 22 Mar 2021 21:09:22 +0100
From:   Maciej Fijalkowski <maciej.fijalkowski@...el.com>
To:     Andrii Nakryiko <andrii.nakryiko@...il.com>
Cc:     bpf <bpf@...r.kernel.org>, Networking <netdev@...r.kernel.org>,
        Daniel Borkmann <daniel@...earbox.net>,
        Alexei Starovoitov <ast@...nel.org>,
        Björn Töpel <bjorn.topel@...el.com>,
        Magnus Karlsson <magnus.karlsson@...el.com>,
        ciara.loftus@...el.com, john fastabend <john.fastabend@...il.com>,
        Toke Høiland-Jørgensen <toke@...hat.com>
Subject: Re: [PATCH v2 bpf-next 06/17] libbpf: xsk: use bpf_link

On Mon, Mar 15, 2021 at 10:34:11PM -0700, Andrii Nakryiko wrote:
> On Thu, Mar 11, 2021 at 7:42 AM Maciej Fijalkowski
> <maciej.fijalkowski@...el.com> wrote:
> >
> > Currently, if there are multiple xdpsock instances running on a single
> > interface and in case one of the instances is terminated, the rest of
> > them are left in an inoperable state due to the fact of unloaded XDP
> > prog from interface.
> >
> > Consider the scenario below:
> >
> > // load xdp prog and xskmap and add entry to xskmap at idx 10
> > $ sudo ./xdpsock -i ens801f0 -t -q 10
> >
> > // add entry to xskmap at idx 11
> > $ sudo ./xdpsock -i ens801f0 -t -q 11
> >
> > terminate one of the processes and another one is unable to work due to
> > the fact that the XDP prog was unloaded from interface.
> >
> > To address that, step away from setting bpf prog in favour of bpf_link.
> > This means that refcounting of BPF resources will be done automatically
> > by bpf_link itself.
> >
> > When setting up BPF resources during xsk socket creation, check whether
> > bpf_link for a given ifindex already exists via set of calls to
> > bpf_link_get_next_id -> bpf_link_get_fd_by_id -> bpf_obj_get_info_by_fd
> > and comparing the ifindexes from bpf_link and xsk socket.
> >
> > If there's no bpf_link yet, create one for a given XDP prog. If bpf_link
> > is already at a given ifindex and underlying program is not AF-XDP one,
> > bail out or update the bpf_link's prog given the presence of
> > XDP_FLAGS_UPDATE_IF_NOEXIST.
> >
> > If there's netlink-based XDP prog running on a interface, bail out and
> > ask user to do removal by himself.
> >
> > Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@...el.com>
> > ---
> >  tools/lib/bpf/xsk.c | 139 ++++++++++++++++++++++++++++++++++++++------
> >  1 file changed, 120 insertions(+), 19 deletions(-)
> >
> 
> [...]
> 
> > +static int xsk_link_lookup(struct xsk_ctx *ctx, __u32 *prog_id)
> > +{
> > +       struct bpf_link_info link_info;
> > +       __u32 link_len;
> > +       __u32 id = 0;
> > +       int err;
> > +       int fd;
> > +
> > +       while (true) {
> > +               err = bpf_link_get_next_id(id, &id);
> > +               if (err) {
> > +                       if (errno == ENOENT) {
> > +                               err = 0;
> > +                               break;
> > +                       }
> > +                       pr_warn("can't get next link: %s\n", strerror(errno));
> > +                       break;
> > +               }
> > +
> > +               fd = bpf_link_get_fd_by_id(id);
> > +               if (fd < 0) {
> > +                       if (errno == ENOENT)
> > +                               continue;
> > +                       pr_warn("can't get link by id (%u): %s\n", id, strerror(errno));
> > +                       err = -errno;
> > +                       break;
> > +               }
> > +
> > +               link_len = sizeof(struct bpf_link_info);
> > +               memset(&link_info, 0, link_len);
> > +               err = bpf_obj_get_info_by_fd(fd, &link_info, &link_len);
> > +               if (err) {
> > +                       pr_warn("can't get link info: %s\n", strerror(errno));
> > +                       close(fd);
> > +                       break;
> > +               }
> > +               if (link_info.xdp.ifindex == ctx->ifindex) {
> 
> how do you know you are looking at XDP bpf_link? link_info.xdp.ifindex
> might as well be attach_type for tracing bpf_linke, netns_ino for
> netns bpf_link, and so on. Do check link_info.type before check other
> per-link type properties.

My mistake, good that you brought that up. I'll fix it.

> 
> > +                       ctx->link_fd = fd;
> > +                       *prog_id = link_info.prog_id;
> > +                       break;
> > +               }
> > +               close(fd);
> > +       }
> > +
> > +       return err;
> > +}
> > +
> >  static int __xsk_setup_xdp_prog(struct xsk_socket *_xdp,
> >                                 int *xsks_map_fd)
> >  {
> > @@ -675,8 +777,7 @@ static int __xsk_setup_xdp_prog(struct xsk_socket *_xdp,
> >         __u32 prog_id = 0;
> >         int err;
> >
> > -       err = bpf_get_link_xdp_id(ctx->ifindex, &prog_id,
> > -                                 xsk->config.xdp_flags);
> > +       err = xsk_link_lookup(ctx, &prog_id);
> >         if (err)
> >                 return err;
> >
> > @@ -686,9 +787,12 @@ static int __xsk_setup_xdp_prog(struct xsk_socket *_xdp,
> >                         return err;
> >
> >                 err = xsk_load_xdp_prog(xsk);
> > -               if (err) {
> > +               if (err)
> >                         goto err_load_xdp_prog;
> > -               }
> > +
> > +               err = xsk_create_bpf_link(xsk);
> > +               if (err)
> > +                       goto err_create_bpf_link;
> 
> what about the backwards compatibility with kernels that don't yet
> support bpf_link?

For that I'll be trying to create or lookup bpf_link on loopback device.
If it failed in any way, then use netlink based logic as the underlying
system doesn't support bpf_link.

Once again, thanks for catching it!

> 
> >         } else {
> >                 ctx->prog_fd = bpf_prog_get_fd_by_id(prog_id);
> >                 if (ctx->prog_fd < 0)
> 
> [...]

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ