[bpf-next] bpf, sockmap: Manual deletion of sockmap elements in user mode is not allowed

Message ID 20220314124432.3050394-1-wangyufen@huawei.com (mailing list archive)
State Changes Requested
Delegated to: BPF

Checks

Context Check Description
netdev/tree_selection success Clearly marked for bpf-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix success Link
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 1789 this patch: 1789
netdev/cc_maintainers warning 1 maintainers not CCed: andrii@kernel.org
netdev/build_clang success Errors and warnings before: 194 this patch: 194
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 1808 this patch: 1808
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 27 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
bpf/vmtest-bpf-next-PR fail PR summary
bpf/vmtest-bpf-next fail VM_Test

Commit Message

wangyufen March 14, 2022, 12:44 p.m. UTC
A tcp socket in a sockmap. If user invokes bpf_map_delete_elem to delete
the sockmap element, the tcp socket will switch to use the TCP protocol
stack to send and receive packets. The switching process may cause some
issues, such as if some msgs exist in the ingress queue and are cleared
by sk_psock_drop(), the packets are lost, and the tcp data is abnormal.

Signed-off-by: Wang Yufen <wangyufen@huawei.com>
---
 include/uapi/linux/bpf.h | 3 +++
 kernel/bpf/syscall.c     | 2 ++
 net/core/sock_map.c      | 3 +++
 3 files changed, 8 insertions(+)

Comments

Jakub Sitnicki March 14, 2022, 3:30 p.m. UTC | #1
On Mon, Mar 14, 2022 at 08:44 PM +08, Wang Yufen wrote:
> A tcp socket in a sockmap. If user invokes bpf_map_delete_elem to delete
> the sockmap element, the tcp socket will switch to use the TCP protocol
> stack to send and receive packets. The switching process may cause some
> issues, such as if some msgs exist in the ingress queue and are cleared
> by sk_psock_drop(), the packets are lost, and the tcp data is abnormal.
>
> Signed-off-by: Wang Yufen <wangyufen@huawei.com>
> ---

Can you please tell us a bit more about the life-cycle of the socket in
your workload? Questions that come to mind:

1) What triggers the removal of the socket from sockmap in your case?

2) Would it still be a problem if removal from sockmap did not cause any
packets to get dropped?

[...]
wangyufen March 15, 2022, 7:24 a.m. UTC | #2
On 2022/3/14 23:30, Jakub Sitnicki wrote:
> On Mon, Mar 14, 2022 at 08:44 PM +08, Wang Yufen wrote:
>> A tcp socket in a sockmap. If user invokes bpf_map_delete_elem to delete
>> the sockmap element, the tcp socket will switch to use the TCP protocol
>> stack to send and receive packets. The switching process may cause some
>> issues, such as if some msgs exist in the ingress queue and are cleared
>> by sk_psock_drop(), the packets are lost, and the tcp data is abnormal.
>>
>> Signed-off-by: Wang Yufen <wangyufen@huawei.com>
>> ---
> Can you please tell us a bit more about the life-cycle of the socket in
> your workload? Questions that come to mind:
>
> 1) What triggers the removal of the socket from sockmap in your case?
We use sk_msg to redirect with sock hash, like this:

  skA   redirect    skB
  Tx <-----------> skB,Rx

And construct a scenario where the packet sending speed is high and the
packet receiving speed is slow, so the packets are stacked in the ingress
queue on the receiving side. In this case, running bpf_map_delete_elem() to
delete the sockmap entry will trigger the following procedure:

sock_hash_delete_elem()
   sock_map_unref()
     sk_psock_put()
       sk_psock_drop()
         sk_psock_stop()
           __sk_psock_zap_ingress()
             __sk_psock_purge_ingress_msg()

> 2) Would it still be a problem if removal from sockmap did not cause any
> packets to get dropped?
Yes, it would still be a problem. If removal from sockmap did not cause any
packets to get dropped, the packet receiving process switches to use the TCP
protocol stack. The packets in the psock ingress queue cannot be received
by the user.


Thanks.

>
> [...]
> .
Jakub Sitnicki March 15, 2022, 12:12 p.m. UTC | #3
On Tue, Mar 15, 2022 at 03:24 PM +08, wangyufen wrote:
> On 2022/3/14 23:30, Jakub Sitnicki wrote:
>> On Mon, Mar 14, 2022 at 08:44 PM +08, Wang Yufen wrote:
>>> A tcp socket in a sockmap. If user invokes bpf_map_delete_elem to delete
>>> the sockmap element, the tcp socket will switch to use the TCP protocol
>>> stack to send and receive packets. The switching process may cause some
>>> issues, such as if some msgs exist in the ingress queue and are cleared
>>> by sk_psock_drop(), the packets are lost, and the tcp data is abnormal.
>>>
>>> Signed-off-by: Wang Yufen <wangyufen@huawei.com>
>>> ---
>> Can you please tell us a bit more about the life-cycle of the socket in
>> your workload? Questions that come to mind:
>>
>> 1) What triggers the removal of the socket from sockmap in your case?
> We use sk_msg to redirect with sock hash, like this:
>
>  skA   redirect    skB
>  Tx <-----------> skB,Rx
>
> And construct a scenario where the packet sending speed is high, the
> packet receiving speed is slow, so the packets are stacked in the ingress
> queue on the receiving side. In this case, if run bpf_map_delete_elem() to
> delete the sockmap entry, will trigger the following procedure:
>
> sock_hash_delete_elem()
>   sock_map_unref()
>     sk_psock_put()
>       sk_psock_drop()
>         sk_psock_stop()
>           __sk_psock_zap_ingress()
>             __sk_psock_purge_ingress_msg()
>
>> 2) Would it still be a problem if removal from sockmap did not cause any
>> packets to get dropped?
> Yes, it still be a problem. If removal from sockmap  did not cause any
> packets to get dropped, packet receiving process switches to use TCP
> protocol stack. The packets in the psock ingress queue cannot be received
>
> by the user.

Thanks for the context. So, if I understand correctly, you want to avoid
breaking the network pipe by updating the sockmap from user-space.

This sounds awfully similar to BPF_MAP_FREEZE. Have you considered that?
Daniel Borkmann March 15, 2022, 4:25 p.m. UTC | #4
On 3/15/22 1:12 PM, Jakub Sitnicki wrote:
> On Tue, Mar 15, 2022 at 03:24 PM +08, wangyufen wrote:
>> On 2022/3/14 23:30, Jakub Sitnicki wrote:
>>> On Mon, Mar 14, 2022 at 08:44 PM +08, Wang Yufen wrote:
>>>> A tcp socket in a sockmap. If user invokes bpf_map_delete_elem to delete
>>>> the sockmap element, the tcp socket will switch to use the TCP protocol
>>>> stack to send and receive packets. The switching process may cause some
>>>> issues, such as if some msgs exist in the ingress queue and are cleared
>>>> by sk_psock_drop(), the packets are lost, and the tcp data is abnormal.
>>>>
>>>> Signed-off-by: Wang Yufen <wangyufen@huawei.com>
>>>> ---
>>> Can you please tell us a bit more about the life-cycle of the socket in
>>> your workload? Questions that come to mind:
>>>
>>> 1) What triggers the removal of the socket from sockmap in your case?
>> We use sk_msg to redirect with sock hash, like this:
>>
>>   skA   redirect    skB
>>   Tx <-----------> skB,Rx
>>
>> And construct a scenario where the packet sending speed is high, the
>> packet receiving speed is slow, so the packets are stacked in the ingress
>> queue on the receiving side. In this case, if run bpf_map_delete_elem() to
>> delete the sockmap entry, will trigger the following procedure:
>>
>> sock_hash_delete_elem()
>>    sock_map_unref()
>>      sk_psock_put()
>>        sk_psock_drop()
>>          sk_psock_stop()
>>            __sk_psock_zap_ingress()
>>              __sk_psock_purge_ingress_msg()
>>
>>> 2) Would it still be a problem if removal from sockmap did not cause any
>>> packets to get dropped?
>> Yes, it still be a problem. If removal from sockmap  did not cause any
>> packets to get dropped, packet receiving process switches to use TCP
>> protocol stack. The packets in the psock ingress queue cannot be received
>>
>> by the user.
> 
> Thanks for the context. So, if I understand correctly, you want to avoid
> breaking the network pipe by updating the sockmap from user-space.
> 
> This sounds awfully similar to BPF_MAP_FREEZE. Have you considered that?

+1

Aside from that, the patch as-is also fails BPF CI in a lot of places, please
make sure to check selftests:

https://github.com/kernel-patches/bpf/runs/5537367301?check_suite_focus=true

   [...]
   #145/73 sockmap_listen/sockmap IPv6 test_udp_redir:OK
   #145/74 sockmap_listen/sockmap IPv6 test_udp_unix_redir:OK
   #145/75 sockmap_listen/sockmap Unix test_unix_redir:OK
   #145/76 sockmap_listen/sockmap Unix test_unix_redir:OK
   ./test_progs:test_ops_cleanup:1424: map_delete: expected EINVAL/ENOENT: Operation not supported
   test_ops_cleanup:FAIL:1424
   ./test_progs:test_ops_cleanup:1424: map_delete: expected EINVAL/ENOENT: Operation not supported
   test_ops_cleanup:FAIL:1424
   #145/77 sockmap_listen/sockhash IPv4 TCP test_insert_invalid:FAIL
   ./test_progs:test_ops_cleanup:1424: map_delete: expected EINVAL/ENOENT: Operation not supported
   test_ops_cleanup:FAIL:1424
   ./test_progs:test_ops_cleanup:1424: map_delete: expected EINVAL/ENOENT: Operation not supported
   test_ops_cleanup:FAIL:1424
   #145/78 sockmap_listen/sockhash IPv4 TCP test_insert_opened:FAIL
   ./test_progs:test_ops_cleanup:1424: map_delete: expected EINVAL/ENOENT: Operation not supported
   test_ops_cleanup:FAIL:1424
   ./test_progs:test_ops_cleanup:1424: map_delete: expected EINVAL/ENOENT: Operation not supported
   test_ops_cleanup:FAIL:1424
   #145/79 sockmap_listen/sockhash IPv4 TCP test_insert_bound:FAIL
   ./test_progs:test_ops_cleanup:1424: map_delete: expected EINVAL/ENOENT: Operation not supported
   test_ops_cleanup:FAIL:1424
   ./test_progs:test_ops_cleanup:1424: map_delete: expected EINVAL/ENOENT: Operation not supported
   test_ops_cleanup:FAIL:1424
   [...]

Thanks,
Daniel
Cong Wang March 16, 2022, 12:36 a.m. UTC | #5
On Tue, Mar 15, 2022 at 01:12:08PM +0100, Jakub Sitnicki wrote:
> On Tue, Mar 15, 2022 at 03:24 PM +08, wangyufen wrote:
> > On 2022/3/14 23:30, Jakub Sitnicki wrote:
> >> On Mon, Mar 14, 2022 at 08:44 PM +08, Wang Yufen wrote:
> >>> A tcp socket in a sockmap. If user invokes bpf_map_delete_elem to delete
> >>> the sockmap element, the tcp socket will switch to use the TCP protocol
> >>> stack to send and receive packets. The switching process may cause some
> >>> issues, such as if some msgs exist in the ingress queue and are cleared
> >>> by sk_psock_drop(), the packets are lost, and the tcp data is abnormal.
> >>>
> >>> Signed-off-by: Wang Yufen <wangyufen@huawei.com>
> >>> ---
> >> Can you please tell us a bit more about the life-cycle of the socket in
> >> your workload? Questions that come to mind:
> >>
> >> 1) What triggers the removal of the socket from sockmap in your case?
> > We use sk_msg to redirect with sock hash, like this:
> >
> >  skA   redirect    skB
> >  Tx <-----------> skB,Rx
> >
> > And construct a scenario where the packet sending speed is high, the
> > packet receiving speed is slow, so the packets are stacked in the ingress
> > queue on the receiving side. In this case, if run bpf_map_delete_elem() to
> > delete the sockmap entry, will trigger the following procedure:
> >
> > sock_hash_delete_elem()
> >   sock_map_unref()
> >     sk_psock_put()
> >       sk_psock_drop()
> >         sk_psock_stop()
> >           __sk_psock_zap_ingress()
> >             __sk_psock_purge_ingress_msg()
> >
> >> 2) Would it still be a problem if removal from sockmap did not cause any
> >> packets to get dropped?
> > Yes, it still be a problem. If removal from sockmap  did not cause any
> > packets to get dropped, packet receiving process switches to use TCP
> > protocol stack. The packets in the psock ingress queue cannot be received
> >
> > by the user.
> 
> Thanks for the context. So, if I understand correctly, you want to avoid
> breaking the network pipe by updating the sockmap from user-space.
> 
> This sounds awfully similar to BPF_MAP_FREEZE. Have you considered that?

Doesn't BPF_MAP_FREEZE only freeze write operations from syscalls?
For sockmap, receiving packets is not a part of map write operation.

The problem here is that skmsg can only be consumed when the socket is
still in the map, as it uses a separate queue and a separate type of
message (skmsg vs. skb). So, essentially this behavior is by design.

Thanks.
wangyufen March 16, 2022, 3:25 a.m. UTC | #6
On 2022/3/15 20:12, Jakub Sitnicki wrote:
> On Tue, Mar 15, 2022 at 03:24 PM +08, wangyufen wrote:
>> On 2022/3/14 23:30, Jakub Sitnicki wrote:
>>> On Mon, Mar 14, 2022 at 08:44 PM +08, Wang Yufen wrote:
>>>> A tcp socket in a sockmap. If user invokes bpf_map_delete_elem to delete
>>>> the sockmap element, the tcp socket will switch to use the TCP protocol
>>>> stack to send and receive packets. The switching process may cause some
>>>> issues, such as if some msgs exist in the ingress queue and are cleared
>>>> by sk_psock_drop(), the packets are lost, and the tcp data is abnormal.
>>>>
>>>> Signed-off-by: Wang Yufen <wangyufen@huawei.com>
>>>> ---
>>> Can you please tell us a bit more about the life-cycle of the socket in
>>> your workload? Questions that come to mind:
>>>
>>> 1) What triggers the removal of the socket from sockmap in your case?
>> We use sk_msg to redirect with sock hash, like this:
>>
>>   skA   redirect    skB
>>   Tx <-----------> skB,Rx
>>
>> And construct a scenario where the packet sending speed is high, the
>> packet receiving speed is slow, so the packets are stacked in the ingress
>> queue on the receiving side. In this case, if run bpf_map_delete_elem() to
>> delete the sockmap entry, will trigger the following procedure:
>>
>> sock_hash_delete_elem()
>>    sock_map_unref()
>>      sk_psock_put()
>>        sk_psock_drop()
>>          sk_psock_stop()
>>            __sk_psock_zap_ingress()
>>              __sk_psock_purge_ingress_msg()
>>
>>> 2) Would it still be a problem if removal from sockmap did not cause any
>>> packets to get dropped?
>> Yes, it still be a problem. If removal from sockmap  did not cause any
>> packets to get dropped, packet receiving process switches to use TCP
>> protocol stack. The packets in the psock ingress queue cannot be received
>>
>> by the user.
> Thanks for the context. So, if I understand correctly, you want to avoid
> breaking the network pipe by updating the sockmap from user-space.
>
> This sounds awfully similar to BPF_MAP_FREEZE. Have you considered that?
> .
Sorry, I didn't notice this. I used BPF_MAP_FREEZE to verify; it can solve
my problem, thanks.
John Fastabend March 16, 2022, 5:23 a.m. UTC | #7
wangyufen wrote:
> 
> On 2022/3/16 0:25, Daniel Borkmann wrote:
> > On 3/15/22 1:12 PM, Jakub Sitnicki wrote:
> >> On Tue, Mar 15, 2022 at 03:24 PM +08, wangyufen wrote:
> >>> On 2022/3/14 23:30, Jakub Sitnicki wrote:
> >>>> On Mon, Mar 14, 2022 at 08:44 PM +08, Wang Yufen wrote:
> >>>>> A tcp socket in a sockmap. If user invokes bpf_map_delete_elem to 
> >>>>> delete
> >>>>> the sockmap element, the tcp socket will switch to use the TCP 
> >>>>> protocol
> >>>>> stack to send and receive packets. The switching process may cause 
> >>>>> some
> >>>>> issues, such as if some msgs exist in the ingress queue and are 
> >>>>> cleared
> >>>>> by sk_psock_drop(), the packets are lost, and the tcp data is 
> >>>>> abnormal.
> >>>>>
> >>>>> Signed-off-by: Wang Yufen <wangyufen@huawei.com>
> >>>>> ---
> >>>> Can you please tell us a bit more about the life-cycle of the 
> >>>> socket in
> >>>> your workload? Questions that come to mind:
> >>>>
> >>>> 1) What triggers the removal of the socket from sockmap in your case?
> >>> We use sk_msg to redirect with sock hash, like this:
> >>>
> >>>   skA   redirect    skB
> >>>   Tx <-----------> skB,Rx
> >>>
> >>> And construct a scenario where the packet sending speed is high, the
> >>> packet receiving speed is slow, so the packets are stacked in the 
> >>> ingress
> >>> queue on the receiving side. In this case, if run 
> >>> bpf_map_delete_elem() to
> >>> delete the sockmap entry, will trigger the following procedure:
> >>>
> >>> sock_hash_delete_elem()
> >>>    sock_map_unref()
> >>>      sk_psock_put()
> >>>        sk_psock_drop()
> >>>          sk_psock_stop()
> >>>            __sk_psock_zap_ingress()
> >>>              __sk_psock_purge_ingress_msg()
> >>>
> >>>> 2) Would it still be a problem if removal from sockmap did not 
> >>>> cause any
> >>>> packets to get dropped?
> >>> Yes, it still be a problem. If removal from sockmap  did not cause any
> >>> packets to get dropped, packet receiving process switches to use TCP
> >>> protocol stack. The packets in the psock ingress queue cannot be 
> >>> received
> >>>
> >>> by the user.
> >>
> >> Thanks for the context. So, if I understand correctly, you want to avoid
> >> breaking the network pipe by updating the sockmap from user-space.
> >>
> >> This sounds awfully similar to BPF_MAP_FREEZE. Have you considered that?
> >
> > +1
> >
> > Aside from that, the patch as-is also fails BPF CI in a lot of places, 
> > please
> > make sure to check selftests:
> >
> > https://github.com/kernel-patches/bpf/runs/5537367301?check_suite_focus=true 
> >
> >
> >   [...]
> >   #145/73 sockmap_listen/sockmap IPv6 test_udp_redir:OK
> >   #145/74 sockmap_listen/sockmap IPv6 test_udp_unix_redir:OK
> >   #145/75 sockmap_listen/sockmap Unix test_unix_redir:OK
> >   #145/76 sockmap_listen/sockmap Unix test_unix_redir:OK
> >   ./test_progs:test_ops_cleanup:1424: map_delete: expected 
> > EINVAL/ENOENT: Operation not supported
> >   test_ops_cleanup:FAIL:1424
> >   ./test_progs:test_ops_cleanup:1424: map_delete: expected 
> > EINVAL/ENOENT: Operation not supported
> >   test_ops_cleanup:FAIL:1424
> >   #145/77 sockmap_listen/sockhash IPv4 TCP test_insert_invalid:FAIL
> >   ./test_progs:test_ops_cleanup:1424: map_delete: expected 
> > EINVAL/ENOENT: Operation not supported
> >   test_ops_cleanup:FAIL:1424
> >   ./test_progs:test_ops_cleanup:1424: map_delete: expected 
> > EINVAL/ENOENT: Operation not supported
> >   test_ops_cleanup:FAIL:1424
> >   #145/78 sockmap_listen/sockhash IPv4 TCP test_insert_opened:FAIL
> >   ./test_progs:test_ops_cleanup:1424: map_delete: expected 
> > EINVAL/ENOENT: Operation not supported
> >   test_ops_cleanup:FAIL:1424
> >   ./test_progs:test_ops_cleanup:1424: map_delete: expected 
> > EINVAL/ENOENT: Operation not supported
> >   test_ops_cleanup:FAIL:1424
> >   #145/79 sockmap_listen/sockhash IPv4 TCP test_insert_bound:FAIL
> >   ./test_progs:test_ops_cleanup:1424: map_delete: expected 
> > EINVAL/ENOENT: Operation not supported
> >   test_ops_cleanup:FAIL:1424
> >   ./test_progs:test_ops_cleanup:1424: map_delete: expected 
> > EINVAL/ENOENT: Operation not supported
> >   test_ops_cleanup:FAIL:1424
> >   [...]
> >
> > Thanks,
> > Daniel
> > .
> 
> I'm not sure about this patch. The main purpose is to point out the
> possible problems when the socket is deleted from the map. I'm sorry
> for the trouble.
> 
> Thanks.

If you want to delete a socket you should flush it first. To do this
stop redirecting traffic to it and then read all the data out. At
the moment it's a bit tricky to know when the receiving socket is
empty though. Adding a flag on delete to only delete when the
ingress qlen == 0 might be a possibility if you need delete to
work and are trying to work out how to safely delete sockets.
Jakub Sitnicki March 16, 2022, 2:57 p.m. UTC | #8
On Wed, Mar 16, 2022 at 11:42 AM +08, wangyufen wrote:

[...]

> I'm not sure about this patch. The main purpose is to point out the
> possible problems when the socket is deleted from the map. I'm sorry
> for the trouble.

No problem at all. Happy to see sockmap gaining wider adoption.
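
The BPF_MAP_FREEZE approach suggested in the thread, as an added example that is not code from the patch or from any participant: it creates a sockhash through the raw bpf() syscall, freezes it, and reports what a user-space delete then returns. The helper name, the FREEZE_DEMO_SKIPPED marker, the map sizes and the key are assumptions made for the illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/bpf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Hypothetical marker: the map could not be set up in this environment. */
#define FREEZE_DEMO_SKIPPED (-1)

static long sys_bpf(int cmd, union bpf_attr *attr)
{
	return syscall(__NR_bpf, cmd, attr, sizeof(*attr));
}

/*
 * Create a sockhash, freeze it, then attempt a delete from user space.
 * Returns the errno of the delete (0 if it succeeded), or
 * FREEZE_DEMO_SKIPPED when the map cannot be created or frozen
 * (missing privileges, old kernel, bpf() filtered).
 */
int delete_errno_on_frozen_sockhash(void)
{
	union bpf_attr attr;
	uint32_t key = 0;	/* constructed key; nothing is stored under it */
	int map_fd, err;

	memset(&attr, 0, sizeof(attr));
	attr.map_type = BPF_MAP_TYPE_SOCKHASH;
	attr.key_size = sizeof(key);
	attr.value_size = sizeof(uint32_t);	/* a socket fd on update */
	attr.max_entries = 16;
	map_fd = (int)sys_bpf(BPF_MAP_CREATE, &attr);
	if (map_fd < 0)
		return FREEZE_DEMO_SKIPPED;

	/*
	 * A real workload inserts its sockets before this point or from a
	 * BPF program: after the freeze, syscall-side updates are refused too.
	 */
	memset(&attr, 0, sizeof(attr));
	attr.map_fd = map_fd;
	if (sys_bpf(BPF_MAP_FREEZE, &attr) < 0) {
		close(map_fd);
		return FREEZE_DEMO_SKIPPED;
	}

	/* The write-permission check runs before the key lookup: EPERM, not ENOENT. */
	memset(&attr, 0, sizeof(attr));
	attr.map_fd = map_fd;
	attr.key = (uint64_t)(unsigned long)&key;
	err = sys_bpf(BPF_MAP_DELETE_ELEM, &attr) < 0 ? errno : 0;
	close(map_fd);
	return err;
}

int main(void)
{
	int r = delete_errno_on_frozen_sockhash();

	if (r == FREEZE_DEMO_SKIPPED)
		puts("skipped: cannot create or freeze a sockhash here");
	else
		printf("delete on frozen sockhash: %s\n", r ? strerror(r) : "succeeded");
	return 0;
}
```

Freezing only blocks writes that arrive through the bpf() syscall; a BPF program can still update or delete entries. It also does nothing to drain the psock ingress queue before an intentional removal.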

Patch

diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index 4eebea830613..1dab090f271c 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -1218,6 +1218,9 @@  enum {
 
 /* Create a map that is suitable to be an inner map with dynamic max entries */
 	BPF_F_INNER_MAP		= (1U << 12),
+
+/* This should only be used for bpf_map_delete_elem called by user. */
+	BPF_F_TCP_SOCKMAP	= (1U << 13),
 };
 
 /* Flags for BPF_PROG_QUERY. */
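Review bot: BPF_F_TCP_SOCKMAP is added to the UAPI flag enum right after BPF_F_INNER_MAP, but its own comment says it exists only to mark bpf_map_delete_elem calls made by the user, so it is internal state that user space should never set. Defining it in include/uapi/linux/bpf.h turns bit 13 into permanent ABI for a transient marker; keep it out of the UAPI header. The name is also misleading, since nothing in this patch tests whether the socket is TCP.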
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index db402ebc5570..57aa98087322 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -1232,7 +1232,9 @@  static int map_delete_elem(union bpf_attr *attr)
 
 	bpf_disable_instrumentation();
 	rcu_read_lock();
+	map->map_flags |= BPF_F_TCP_SOCKMAP;
 	err = map->ops->map_delete_elem(map, key);
+	map->map_flags &= ~BPF_F_TCP_SOCKMAP;
 	rcu_read_unlock();
 	bpf_enable_instrumentation();
 	maybe_wait_bpf_programs(map);
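Review bot: Setting and clearing BPF_F_TCP_SOCKMAP in the shared map->map_flags around the map->ops->map_delete_elem call is racy. rcu_read_lock() does not exclude other CPUs, so a concurrent deleter can clear the bit while this call is still inside the callback, any other caller of map_delete_elem on the same map sees the bit while it is set, and the non-atomic |= and &= can lose updates. The flag is also toggled for every map type, not only sockmap. Pass the "called from the syscall" information without mutating the map, for example through a separate argument or callback.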
diff --git a/net/core/sock_map.c b/net/core/sock_map.c
index 2d213c4011db..5b90a35d1d23 100644
--- a/net/core/sock_map.c
+++ b/net/core/sock_map.c
@@ -914,6 +914,9 @@  static int sock_hash_delete_elem(struct bpf_map *map, void *key)
 	struct bpf_shtab_elem *elem;
 	int ret = -ENOENT;
 
+	if (map->map_flags & BPF_F_TCP_SOCKMAP)
+		return -EOPNOTSUPP;
+
 	hash = sock_hash_bucket_hash(key, key_size);
 	bucket = sock_hash_select_bucket(htab, hash);
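Review bot: The new check at the top of sock_hash_delete_elem returns -EOPNOTSUPP for every syscall delete, whether or not the socket is TCP and whether or not its ingress queue holds data, which is what makes test_ops_cleanup in the CI log quoted in the thread fail with "expected EINVAL/ENOENT: Operation not supported". Only the hash variant is guarded; the diffstat shows just these three added lines in net/core/sock_map.c, so any other sockmap delete path is left uncovered. If deletes must be restricted, narrow the refusal to the case that loses data (a non-empty ingress queue, as suggested in the thread) and update the selftests to match.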