diff mbox series

[bpf-next,v1] bpf: Fix bpf/sk_skb_pull_data for flags == 0

Message ID 20220713012621.2485047-1-joannelkoong@gmail.com (mailing list archive)
State Changes Requested
Delegated to: BPF
Headers show
Series [bpf-next,v1] bpf: Fix bpf/sk_skb_pull_data for flags == 0 | expand

Checks

Context Check Description
netdev/tree_selection success Clearly marked for bpf-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix success Link
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 25 this patch: 25
netdev/cc_maintainers fail 1 blamed authors not CCed: davem@davemloft.net; 13 maintainers not CCed: haoluo@google.com netdev@vger.kernel.org song@kernel.org pabeni@redhat.com martin.lau@linux.dev edumazet@google.com yhs@fb.com john.fastabend@gmail.com davem@davemloft.net kuba@kernel.org jolsa@kernel.org sdf@google.com kpsingh@kernel.org
netdev/build_clang success Errors and warnings before: 6 this patch: 6
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes fail Problems with Fixes tag: 2
netdev/build_allmodconfig_warn success Errors and warnings before: 25 this patch: 25
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 16 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
bpf/vmtest-bpf-next-VM_Test-1 success Logs for Kernel LATEST on ubuntu-latest with gcc
bpf/vmtest-bpf-next-VM_Test-2 success Logs for Kernel LATEST on ubuntu-latest with llvm-15
bpf/vmtest-bpf-next-PR success PR summary
bpf/vmtest-bpf-next-VM_Test-3 success Logs for Kernel LATEST on z15 with gcc

Commit Message

Joanne Koong July 13, 2022, 1:26 a.m. UTC 
In the case where flags is 0, bpf_skb_pull_data and sk_skb_pull_data
should pull the entire skb payload including the bytes in the non-linear
page buffers.

This is documented in the uapi:
"If a zero value is passed for *len*, then the whole length of the *skb*
is pulled"

Fixes: 36bbef52c7eb6 ("bpf: direct packet write and access for helpers
for clsact progs")
Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
---
 net/core/filter.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Daniel Borkmann July 13, 2022, 7:23 a.m. UTC | #1 
On 7/13/22 3:26 AM, Joanne Koong wrote:
> In the case where flags is 0, bpf_skb_pull_data and sk_skb_pull_data
> should pull the entire skb payload including the bytes in the non-linear
> page buffers.
> 
> This is documented in the uapi:
> "If a zero value is passed for *len*, then the whole length of the *skb*
> is pulled"
> 
> Fixes: 36bbef52c7eb6 ("bpf: direct packet write and access for helpers
> for clsact progs")
> Signed-off-by: Joanne Koong <joannelkoong@gmail.com>

This is not correct. We should fix the helper doc fa15601ab31e ("bpf: add
documentation for eBPF helpers (33-41)"). It will make the head private
for writing (e.g. for direct packet access), but not linearize the entire
skb, so skb_headlen is correct here.

> ---
>   net/core/filter.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/net/core/filter.c b/net/core/filter.c
> index 4ef77ec5255e..97eb15891bfc 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -1838,7 +1838,7 @@ BPF_CALL_2(bpf_skb_pull_data, struct sk_buff *, skb, u32, len)
>   	 * access case. By this we overcome limitations of only current
>   	 * headroom being accessible.
>   	 */
> -	return bpf_try_make_writable(skb, len ? : skb_headlen(skb));
> +	return bpf_try_make_writable(skb, len ? : skb->len);
>   }
>   
>   static const struct bpf_func_proto bpf_skb_pull_data_proto = {
> @@ -1878,7 +1878,7 @@ BPF_CALL_2(sk_skb_pull_data, struct sk_buff *, skb, u32, len)
>   	 * access case. By this we overcome limitations of only current
>   	 * headroom being accessible.
>   	 */
> -	return sk_skb_try_make_writable(skb, len ? : skb_headlen(skb));
> +	return sk_skb_try_make_writable(skb, len ? : skb->len);
>   }
>   
>   static const struct bpf_func_proto sk_skb_pull_data_proto = {
>
Joanne Koong July 13, 2022, 8:50 p.m. UTC | #2 
On Wed, Jul 13, 2022 at 12:23 AM Daniel Borkmann <daniel@iogearbox.net> wrote:
>
> On 7/13/22 3:26 AM, Joanne Koong wrote:
> > In the case where flags is 0, bpf_skb_pull_data and sk_skb_pull_data
> > should pull the entire skb payload including the bytes in the non-linear
> > page buffers.
> >
> > This is documented in the uapi:
> > "If a zero value is passed for *len*, then the whole length of the *skb*
> > is pulled"
> >
> > Fixes: 36bbef52c7eb6 ("bpf: direct packet write and access for helpers
> > for clsact progs")
> > Signed-off-by: Joanne Koong <joannelkoong@gmail.com>
>
> This is not correct. We should fix the helper doc fa15601ab31e ("bpf: add
> documentation for eBPF helpers (33-41)"). It will make the head private
> for writing (e.g. for direct packet access), but not linearize the entire
> skb, so skb_headlen is correct here.
>
Great, I'll fix up the uapi doc. I'll change it to something like: "If
a zero value is passed for *len*, then all bytes in the head of the
skb will be made readable and writable".
> > ---
> >   net/core/filter.c | 4 ++--
> >   1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/net/core/filter.c b/net/core/filter.c
> > index 4ef77ec5255e..97eb15891bfc 100644
> > --- a/net/core/filter.c
> > +++ b/net/core/filter.c
> > @@ -1838,7 +1838,7 @@ BPF_CALL_2(bpf_skb_pull_data, struct sk_buff *, skb, u32, len)
> >        * access case. By this we overcome limitations of only current
> >        * headroom being accessible.
> >        */
> > -     return bpf_try_make_writable(skb, len ? : skb_headlen(skb));
> > +     return bpf_try_make_writable(skb, len ? : skb->len);
> >   }
> >
> >   static const struct bpf_func_proto bpf_skb_pull_data_proto = {
> > @@ -1878,7 +1878,7 @@ BPF_CALL_2(sk_skb_pull_data, struct sk_buff *, skb, u32, len)
> >        * access case. By this we overcome limitations of only current
> >        * headroom being accessible.
> >        */
> > -     return sk_skb_try_make_writable(skb, len ? : skb_headlen(skb));
> > +     return sk_skb_try_make_writable(skb, len ? : skb->len);
> >   }
> >
> >   static const struct bpf_func_proto sk_skb_pull_data_proto = {
> >
>
diff mbox series

Patch

diff --git a/net/core/filter.c b/net/core/filter.c
index 4ef77ec5255e..97eb15891bfc 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -1838,7 +1838,7 @@  BPF_CALL_2(bpf_skb_pull_data, struct sk_buff *, skb, u32, len)
 	 * access case. By this we overcome limitations of only current
 	 * headroom being accessible.
 	 */
-	return bpf_try_make_writable(skb, len ? : skb_headlen(skb));
+	return bpf_try_make_writable(skb, len ? : skb->len);
 }
 
 static const struct bpf_func_proto bpf_skb_pull_data_proto = {
@@ -1878,7 +1878,7 @@  BPF_CALL_2(sk_skb_pull_data, struct sk_buff *, skb, u32, len)
 	 * access case. By this we overcome limitations of only current
 	 * headroom being accessible.
 	 */
-	return sk_skb_try_make_writable(skb, len ? : skb_headlen(skb));
+	return sk_skb_try_make_writable(skb, len ? : skb->len);
 }
 
 static const struct bpf_func_proto sk_skb_pull_data_proto = {