| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <66cdd29d21fc3_2986412942f@willemb.c.googlers.com.notmuch>
Date: Tue, 27 Aug 2024 09:20:29 -0400
From: Willem de Bruijn <willemdebruijn.kernel@...il.com>
To: Jason Xing <kerneljasonxing@...il.com>,
Willem de Bruijn <willemdebruijn.kernel@...il.com>
Cc: davem@...emloft.net,
edumazet@...gle.com,
kuba@...nel.org,
pabeni@...hat.com,
dsahern@...nel.org,
willemb@...gle.com,
netdev@...r.kernel.org,
Jason Xing <kernelxing@...cent.com>
Subject: Re: [PATCH net-next 1/2] tcp: make SOF_TIMESTAMPING_RX_SOFTWARE
feature per socket
Jason Xing wrote:
> On Tue, Aug 27, 2024 at 2:43 AM Willem de Bruijn
> <willemdebruijn.kernel@...il.com> wrote:
> >
> > Jason Xing wrote:
> > > On Tue, Aug 27, 2024 at 12:03 AM Willem de Bruijn
> > > <willemdebruijn.kernel@...il.com> wrote:
> > > >
> > > > Jason Xing wrote:
> > > > > Hello Willem,
> > > > >
> > > > > On Mon, Aug 26, 2024 at 9:24 PM Willem de Bruijn
> > > > > <willemdebruijn.kernel@...il.com> wrote:
> > > > > >
> > > > > > Jason Xing wrote:
> > > > > > > From: Jason Xing <kernelxing@...cent.com>
> > > > > > >
> > > > > > > Normally, if we want to record and print the rx timestamp after
> > > > > > > tcp_recvmsg_locked(), we must enable both SOF_TIMESTAMPING_SOFTWARE
> > > > > > > and SOF_TIMESTAMPING_RX_SOFTWARE flags, from which we also can notice
> > > > > > > through running rxtimestamp binary in selftests (see testcase 7).
> > > > > > >
> > > > > > > However, there is one particular case that fails the selftests with
> > > > > > > "./rxtimestamp: Expected swtstamp to not be set." error printing in
> > > > > > > testcase 6.
> > > > > > >
> > > > > > > How does it happen? When we keep running a thread starting a socket
> > > > > > > and set SOF_TIMESTAMPING_RX_HARDWARE option first, then running
> > > > > > > ./rxtimestamp, it will fail. The reason is the former thread
> > > > > > > switching on netstamp_needed_key that makes the feature global,
> > > > > > > every skb going through netif_receive_skb_list_internal() function
> > > > > > > will get a current timestamp in net_timestamp_check(). So the skb
> > > > > > > will have timestamp regardless of whether its socket option has
> > > > > > > SOF_TIMESTAMPING_RX_SOFTWARE or not.
> > > > > > >
> > > > > > > After this patch, we can pass the selftest and control each socket
> > > > > > > as we want when using rx timestamp feature.
> > > > > > >
> > > > > > > Signed-off-by: Jason Xing <kernelxing@...cent.com>
> > > > > > > ---
> > > > > > > net/ipv4/tcp.c | 10 ++++++++--
> > > > > > > 1 file changed, 8 insertions(+), 2 deletions(-)
> > > > > > >
> > > > > > > diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
> > > > > > > index 8514257f4ecd..49e73d66c57d 100644
> > > > > > > --- a/net/ipv4/tcp.c
> > > > > > > +++ b/net/ipv4/tcp.c
> > > > > > > @@ -2235,6 +2235,7 @@ void tcp_recv_timestamp(struct msghdr *msg, const struct sock *sk,
> > > > > > > struct scm_timestamping_internal *tss)
> > > > > > > {
> > > > > > > int new_tstamp = sock_flag(sk, SOCK_TSTAMP_NEW);
> > > > > > > + u32 tsflags = READ_ONCE(sk->sk_tsflags);
> > > > > > > bool has_timestamping = false;
> > > > > > >
> > > > > > > if (tss->ts[0].tv_sec || tss->ts[0].tv_nsec) {
> > > > > > > @@ -2274,14 +2275,19 @@ void tcp_recv_timestamp(struct msghdr *msg, const struct sock *sk,
> > > > > > > }
> > > > > > > }
> > > > > > >
> > > > > > > - if (READ_ONCE(sk->sk_tsflags) & SOF_TIMESTAMPING_SOFTWARE)
> > > > > > > + /* skb may contain timestamp because another socket
> > > > > > > + * turned on netstamp_needed_key which allows generate
> > > > > > > + * the timestamp. So we need to check the current socket.
> > > > > > > + */
> > > > > > > + if (tsflags & SOF_TIMESTAMPING_SOFTWARE &&
> > > > > > > + tsflags & SOF_TIMESTAMPING_RX_SOFTWARE)
> > > > > > > has_timestamping = true;
> > > > > > > else
> > > > > > > tss->ts[0] = (struct timespec64) {0};
> > > > > > > }
> > > > > >
> > > > > > The current behavior is as described in
> > > > > > Documentation/networking/timestamping.rst:
> > > > > >
> > > > > > "The socket option configures timestamp generation for individual
> > > > > > sk_buffs (1.3.1), timestamp reporting to the socket's error
> > > > > > queue (1.3.2)"
> > > > > >
> > > > > > SOF_TIMESTAMPING_RX_SOFTWARE is a timestamp generation option.
> > > > > > SOF_TIMESTAMPING_SOFTWARE is a timestamp reporting option.
> > > > >
> > > > > Thanks for your review.
> > > > >
> > > > > Yes, it's true.
> > > > >
> > > > > >
> > > > > > This patch changes that clearly defined behavior.
> > > > >
> > > > > Why?
> > > >
> > > > Because it repurposes generation flag SOF_TIMESTAMPING_RX_SOFTWARE in
> > > > timestamp reporting.
> > > >
> > > > If a single flag configures both generation and reporting, why bother
> > > > with two flags at all.
> > >
> > > Thanks for your full and detailed explanation :)
> > >
> > > I probably understand what you're saying. You think we should strictly
> > > distinguish these two concepts "generation" and "reporting".
> > >
> > > In my opinion, they are just concepts. We can make it clear by writing
> > > some sentences in the Documentation.
> > >
> > > >
> > > > > I don't get it. Please see those testcase in
> > > > > tools/testing/selftests/net/rxtimestamp.c.
> > > > >
> > > > > >
> > > > > > On Tx the separation between generation and reporting has value, as it
> > > > > > allows setting the generation on a per packet basis with SCM_TSTAMP_*.
> > > > >
> > > > > I didn't break the logic on the tx path. tcp_recv_timestamp() is only
> > > > > related to the rx path.
> > > > >
> > > > > Regarding the tx path, I carefully take care of this logic in
> > > > > patch[2/2], so now the series only handles the issue happening in the
> > > > > rx path.
> > > > >
> > > > > >
> > > > > > On Rx it is more subtle, but the two are still tested at different
> > > > > > points in the path, and can be updated by setsockopt in between a
> > > > > > packet arrival and a recvmsg().
> > > > > >
> > > > > > The interaction between sockets on software timestamping is a
> > > > > > longstanding issue. I don't think there is any urgency to change this
> > > > >
> > > > > Oh, now I see.
> > > > >
> > > > > > now. This proposed change makes the API less consistent, and may
> > > > > > also affect applications that depend on the current behavior.
> > > > > >
> > > > >
> > > > > Maybe. But, it's not the original design which we expect, right?
> > > >
> > > > It is. Your argument is against the current API design. This is not
> > > > a bug where behavior diverges from the intended interface. The doc is
> > > > clear on this.
> > > >
> > > > The API makes a distinction between generation and reporting bits. The
> > > > shared generation early in the Rx path is a long standing known issue.
> > > >
> > > > I'm not saying that the API is perfect. But it is clear in its use of
> > > > the bits. Muddling the distinction between reporting and generation
> > > > bits in one of the four cases makes the API less consistent and harder
> > > > to understand.
> > > >
> > > > If you think the API as is is wrong, then at a minimum that would
> > > > require an update to timestamping.rst. But I think that medicine may
> > > > be worse than the ailment.
> > >
> > > At least, I think it is against the use of setsockopt, that's the key
> > > reason: making people confused and thinking the setsockopt is not a
> > > per-socket fine-grained design. Don't you think it's a little bit
> > > strange?
> >
> > That is moot. This design was made many years ago and is now expected.
> >
> > I also don't see it as a huge issue.
>
> Sure, it's not a big problem.
>
> >
> > The effect you point out in rxtimestamp.c was known and reported in
> > the test commit itself.
> >
> > Perhaps a more interesting argument would be
> > SOF_TIMESTAMPING_SOFTWARE | SOF_TIMESTAMPING_TX_SOFTWARE. But
> > spurious software rx timestamps are trivially ignored.
> >
> > > Besides those two concepts you mentioned, could you explain if there
> > > are side effects that the series has and what kind of bad consequences
> > > that the series could bring?
> >
> > It doesn't do the same for hardware timestamping, creating
> > inconsistency.
Taking a closer look at the code, there are actually already two weird
special cases here.
SOF_TIMESTAMPING_RX_HARDWARE never has to be passed, as rx hardware
timestamp generation is configured through SIOCSHWTSTAMP.
SOF_TIMESTAMPING_RX_SOFTWARE already enables timestamp reporting from
sock_recv_timestamp(), while reporting should not be conditional on
this generation flag.
/*
* generate control messages if
* - receive time stamping in software requested
* - software time stamp available and wanted
* - hardware time stamps available and wanted
*/
if (sock_flag(sk, SOCK_RCVTSTAMP) ||
(tsflags & SOF_TIMESTAMPING_RX_SOFTWARE) ||
(kt && tsflags & SOF_TIMESTAMPING_SOFTWARE) ||
(hwtstamps->hwtstamp &&
(tsflags & SOF_TIMESTAMPING_RAW_HARDWARE)))
__sock_recv_timestamp(msg, sk, skb);
I evidently already noticed this back in 2014, when I left a note in
commit b9f40e21ef42 ("net-timestamp: move timestamp flags out of
sk_flags"):
SOCK_TIMESTAMPING_RX_SOFTWARE is also used to toggle the receive
timestamp logic (netstamp_needed). That can be simplified and this
last key removed, but will leave that for a separate patch.
But I do not see __sock_recv_timestamp toggling the feature either
then or now, so I think this is vestigial and can be removed.
> >
> > Changing established interfaces always risks production issues. In
> > this case, I'm not convinced that the benefit outweighs this risk.
>
> I got it.
>
> I'm thinking that I'm not the first one and the last one who know/find
> this long standing "issue", could we at least documentented it
> somewhere, like adding comments in the selftests or Documentation, to
> avoid the similar confusion in the future? Or change the behaviour in
> the rxtimestamp.c test? What do you think about it? Adding
> documentation or comments is the simplest way:)
I can see the value of your extra filter. Given the above examples, it
won't be the first subtle variance from the API design, either.
So either way is fine with me: change it or leave it.
But in both ways, yes: please update the documentation accordingly.
And if you do choose to change it, please be ready to revert on report
of breakage. Applications that only pass SOF_TIMESTAMPING_SOFTWARE,
because that always worked as they subtly relied on another daemon to
enable SOF_TIMESTAMPING_RX_SOFTWARE, for instance.
> Thanks,
> Jason
>
> >
> > > I tried to make it more logical and also don't want to break the
> > > existing use behaviour of applications.
> > >
> > > I believe that what I wrote doesn't have an impact on other cases and
> > > perfects what should be perfected. No offense. If the series does no
> > > harm and we keep it in the right direction, are there other reasons
> > > stopping it getting approved, I wonder.
> > >
> > > Thanks,
> > > Jason
> > >
> > > >
> > > > > I can make sure this series can fix the issue. This series is trying
> > > > > to ask users to use/set both flags to receive an expected timestamp.
> > > > > The purpose of using setsockopt is to control the socket itself
> > > > > insteading of interfering with others.
> > > > >
> > > > > About the breakage issue, let me assume, if the user only sets the
> > > > > SOF_TIMESTAMPING_SOFTWARE flag, he cannot expect the socket will
> > > > > receive a timestamp, right? So what might happen if we fix the issue?
> > > > > I think the logics in the rxtimestamp.c selftest are very clear :)
> > > > >
> > > > > Besides, test case 6 will fail under this circumstance
> > > >
> > > > Sorry about that. My team added that test, and we expanded it over
> > > > time. Crucially, the test was added well after the SO_TIMESTAMPING
> > > > API, so it was never intended to be prescriptive.
> > > >
> > > > Commit 0558c3960407 ("selftests/net: plug rxtimestamp test into
> > > > kselftest framework") actually mentions this issue:
> > > >
> > > > Also ignore failures of test case #6 by default. This case verifies
> > > > that a receive timestamp is not reported if timestamp reporting is
> > > > enabled for a socket, but generation is disabled. Receive timestamp
> > > > generation has to be enabled globally, as no associated socket is
> > > > known yet. A background process that enables rx timestamp generation
> > > > therefore causes a false positive. Ntpd is one example that does.
> > > >
> > > > Add a "--strict" option to cause failure in the event that any test
> > > > case fails, including test #6. This is useful for environments that
> > > > are known to not have such background processes.
> >
> >
Powered by blists - more mailing lists