From patchwork Sun Feb 27 20:27:55 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jakub Sitnicki X-Patchwork-Id: 12762110 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id ACC05C43217 for ; Sun, 27 Feb 2022 20:28:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231618AbiB0U2k (ORCPT ); Sun, 27 Feb 2022 15:28:40 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37506 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230404AbiB0U2i (ORCPT ); Sun, 27 Feb 2022 15:28:38 -0500 Received: from mail-lf1-x131.google.com (mail-lf1-x131.google.com [IPv6:2a00:1450:4864:20::131]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EFA8D43AD9 for ; Sun, 27 Feb 2022 12:28:00 -0800 (PST) Received: by mail-lf1-x131.google.com with SMTP id f37so18033535lfv.8 for ; Sun, 27 Feb 2022 12:28:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=Zqijjm9f7tE414H1e1di3FMcR+kw5fFe69s6gA4efr4=; b=lLEGl2DGEVO3ZvIOrGppxJamauD7zIofXhj5lXh0IKzk1PmgyF4oli6/76w7c/cqwu muE7bALaBVTAnRnAZ86H/dpKSKMwTEMfGYXCqw8NGlNWmHcmwlRMycF1ih6/FmHtp7Aq D0EW02dE4nfN6H8KT3JLKPELEFDuuMwewld1A= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=Zqijjm9f7tE414H1e1di3FMcR+kw5fFe69s6gA4efr4=; b=UYeO4HUFGw1dAPE/GV7vFgO3b+yk0s/9g/OKnFIdPqrHfNckaEpr3GNH0NBM/xFZyW 8tNGMg3e0Wg+gkieYioMTHVg3R2hxthh1ycfMFz2iRtEtJCZd6gYZ8WGE/Cto3KsaWLj JVn6Ng5JPqZdOSLnxxCqQvQwdKXMBCzLiV7lCbh9l+XKeD9Km/J5OUxGJrgbQ/gt/+Bq VrsSoZefYEE0CTcw88P3mePRvWYnTFQtapWqLp44oqeZEN/5fshzL9BazC619G2U2WxQ uzANbQB21zDkhej0h6wtH49fDXt5mMF+vBmQuoVEx2CEVFmbI+eqbPH4pyPDH/ES/Eh8 9FsA== X-Gm-Message-State: AOAM532NG8g76QdGYOe7zn9thVx0ajr9/4gDrrR7Xa8+LKl+Sxmbut0v K8e4+S2egiE7CE6iQKbc5/rDJg== X-Google-Smtp-Source: ABdhPJx+i2OT02nbPabwT9eRqdyR8GwEcURjomc8O/fKemItuayS/d16eCegvN+G5UlrmVOxZl37wQ== X-Received: by 2002:a05:6512:260b:b0:444:18:fce5 with SMTP id bt11-20020a056512260b00b004440018fce5mr10599095lfb.119.1645993679281; Sun, 27 Feb 2022 12:27:59 -0800 (PST) Received: from cloudflare.com (2a01-110f-4809-d800-0000-0000-0000-0f9c.aa.ipv6.supernova.orange.pl. [2a01:110f:4809:d800::f9c]) by smtp.gmail.com with ESMTPSA id q5-20020a19a405000000b00443128c6c2bsm728034lfc.289.2022.02.27.12.27.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 27 Feb 2022 12:27:58 -0800 (PST) From: Jakub Sitnicki To: bpf@vger.kernel.org Cc: netdev@vger.kernel.org, Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , kernel-team@cloudflare.com, Martin KaFai Lau , Ilya Leoshkevich Subject: [PATCH bpf-next v2 1/3] selftests/bpf: Fix error reporting from sock_fields programs Date: Sun, 27 Feb 2022 21:27:55 +0100 Message-Id: <20220227202757.519015-2-jakub@cloudflare.com> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220227202757.519015-1-jakub@cloudflare.com> References: <20220227202757.519015-1-jakub@cloudflare.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net The helper macro that records an error in BPF programs that exercise sock fields access has been inadvertently broken by adaptation work that happened in commit b18c1f0aa477 ("bpf: selftest: Adapt sock_fields test to use skel and global variables"). BPF_NOEXIST flag cannot be used to update BPF_MAP_TYPE_ARRAY. The operation always fails with -EEXIST, which in turn means the error never gets recorded, and the checks for errors always pass. Revert the change in update flags. Fixes: b18c1f0aa477 ("bpf: selftest: Adapt sock_fields test to use skel and global variables") Acked-by: Martin KaFai Lau Signed-off-by: Jakub Sitnicki --- tools/testing/selftests/bpf/progs/test_sock_fields.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/testing/selftests/bpf/progs/test_sock_fields.c b/tools/testing/selftests/bpf/progs/test_sock_fields.c index 246f1f001813..3e2e3ee51cc9 100644 --- a/tools/testing/selftests/bpf/progs/test_sock_fields.c +++ b/tools/testing/selftests/bpf/progs/test_sock_fields.c @@ -114,7 +114,7 @@ static void tpcpy(struct bpf_tcp_sock *dst, #define RET_LOG() ({ \ linum = __LINE__; \ - bpf_map_update_elem(&linum_map, &linum_idx, &linum, BPF_NOEXIST); \ + bpf_map_update_elem(&linum_map, &linum_idx, &linum, BPF_ANY); \ return CG_OK; \ }) From patchwork Sun Feb 27 20:27:56 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jakub Sitnicki X-Patchwork-Id: 12762111 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7DEE9C433F5 for ; Sun, 27 Feb 2022 20:28:08 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231667AbiB0U2n (ORCPT ); Sun, 27 Feb 2022 15:28:43 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37562 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231527AbiB0U2j (ORCPT ); Sun, 27 Feb 2022 15:28:39 -0500 Received: from mail-lj1-x231.google.com (mail-lj1-x231.google.com [IPv6:2a00:1450:4864:20::231]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DC4123ED3E for ; Sun, 27 Feb 2022 12:28:01 -0800 (PST) Received: by mail-lj1-x231.google.com with SMTP id l12so2857471ljh.12 for ; Sun, 27 Feb 2022 12:28:01 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=HcX6QIHBexFnM7/ZWxha4rDjE47zmHJGP0UcfZC2560=; b=gQM/q0fzcSYIYJwkT6qKUzrvOnhj6iEMs1hQslqLe2dTX9YJYPMnRWZGmTAOC81AY4 P8uUQeg8i3ZJB+sbbE2MzJTBW6VaLFR0ENEo7NIIokXgXSZtdXOnyzCZWwfUkCXEa2jZ TCT82eigO2QEJ6IfY4RJowpGjORFLNEivi6n0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=HcX6QIHBexFnM7/ZWxha4rDjE47zmHJGP0UcfZC2560=; b=KuN5nM+FPNslwIYZUFrXFLwWWhO0dICVMlzOnj6RK0JEtxNmOlwUxWjSltFzv/3ceG iCXqTWwxVIYTFi2tHDn58p45Wc99+HQ+VZ5To3bO55DYYfmQTgCs6iLlTQr/E/49AU4O zbb3G9hUZ4zds3BFzozmLrw3Cdsait/R+QmlOvi8XT+iBNTzsHMz/j34qyHhkNhRpyvX aB+ICQJdhqTdoBvpZ/nMQtvKWP8BMSsXa+ATt6ul5aDAGC4OrMOrDJ4XFFgXSpMGtACf t58YqfD/nFCzOPsd/ufjwVWQ/HZIQw5U+OIjqbSLoUUVxANvnU75j2NfO1/Dev/j4v9e 8uSg== X-Gm-Message-State: AOAM533UYBUV2VbSDeTRJ16RhwZaBqxgLk4cvidJwhpYe2uvUkglSNpy mwczE7RGO6MljuKZVYTo3HMeFw== X-Google-Smtp-Source: ABdhPJx1y59iwtFIH2K6sqVTbgJgt53EYQL4uaLHm0VMbPbdlpoOAOwVJdKfcgDCC5773pUt00AnKg== X-Received: by 2002:a2e:94c:0:b0:246:3922:7bec with SMTP id 73-20020a2e094c000000b0024639227becmr12247514ljj.430.1645993680246; Sun, 27 Feb 2022 12:28:00 -0800 (PST) Received: from cloudflare.com (2a01-110f-4809-d800-0000-0000-0000-0f9c.aa.ipv6.supernova.orange.pl. [2a01:110f:4809:d800::f9c]) by smtp.gmail.com with ESMTPSA id 22-20020a05651c009600b002447ce4b34esm1034472ljq.116.2022.02.27.12.27.59 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 27 Feb 2022 12:27:59 -0800 (PST) From: Jakub Sitnicki To: bpf@vger.kernel.org Cc: netdev@vger.kernel.org, Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , kernel-team@cloudflare.com, Martin KaFai Lau , Ilya Leoshkevich Subject: [PATCH bpf-next v2 2/3] selftests/bpf: Check dst_port only on the client socket Date: Sun, 27 Feb 2022 21:27:56 +0100 Message-Id: <20220227202757.519015-3-jakub@cloudflare.com> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220227202757.519015-1-jakub@cloudflare.com> References: <20220227202757.519015-1-jakub@cloudflare.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net cgroup_skb/egress programs which sock_fields test installs process packets flying in both directions, from the client to the server, and in reverse direction. Recently added dst_port check relies on the fact that destination port (remote peer port) of the socket which sends the packet is known ahead of time. This holds true only for the client socket, which connects to the known server port. Filter out any traffic that is not bound to be egressing from the client socket in the test program for reading the dst_port. Fixes: 8f50f16ff39d ("selftests/bpf: Extend verifier and bpf_sock tests for dst_port loads") Signed-off-by: Jakub Sitnicki Acked-by: Martin KaFai Lau --- .../testing/selftests/bpf/progs/test_sock_fields.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/tools/testing/selftests/bpf/progs/test_sock_fields.c b/tools/testing/selftests/bpf/progs/test_sock_fields.c index 3e2e3ee51cc9..186fed1deaab 100644 --- a/tools/testing/selftests/bpf/progs/test_sock_fields.c +++ b/tools/testing/selftests/bpf/progs/test_sock_fields.c @@ -42,6 +42,11 @@ struct { __type(value, struct bpf_spinlock_cnt); } sk_pkt_out_cnt10 SEC(".maps"); +enum { + TCP_SYN_SENT = 2, + TCP_LISTEN = 10, +}; + struct bpf_tcp_sock listen_tp = {}; struct sockaddr_in6 srv_sa6 = {}; struct bpf_tcp_sock cli_tp = {}; @@ -138,7 +143,7 @@ int egress_read_sock_fields(struct __sk_buff *skb) * TCP_LISTEN (10) socket will be copied at the ingress side. */ if (sk->family != AF_INET6 || !is_loopback6(sk->src_ip6) || - sk->state == 10) + sk->state == TCP_LISTEN) return CG_OK; if (sk->src_port == bpf_ntohs(srv_sa6.sin6_port)) { @@ -233,7 +238,7 @@ int ingress_read_sock_fields(struct __sk_buff *skb) return CG_OK; /* Only interested in TCP_LISTEN */ - if (sk->state != 10) + if (sk->state != TCP_LISTEN) return CG_OK; /* It must be a fullsock for cgroup_skb/ingress prog */ @@ -281,6 +286,10 @@ int read_sk_dst_port(struct __sk_buff *skb) if (!sk) RET_LOG(); + /* Ignore everything but the SYN from the client socket */ + if (sk->state != TCP_SYN_SENT) + return CG_OK; + if (!sk_dst_port__load_word(sk)) RET_LOG(); if (!sk_dst_port__load_half(sk)) From patchwork Sun Feb 27 20:27:57 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jakub Sitnicki X-Patchwork-Id: 12762112 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8692BC433EF for ; Sun, 27 Feb 2022 20:28:10 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231652AbiB0U2o (ORCPT ); Sun, 27 Feb 2022 15:28:44 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37650 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230394AbiB0U2k (ORCPT ); Sun, 27 Feb 2022 15:28:40 -0500 Received: from mail-lf1-x131.google.com (mail-lf1-x131.google.com [IPv6:2a00:1450:4864:20::131]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BC49545515 for ; Sun, 27 Feb 2022 12:28:02 -0800 (PST) Received: by mail-lf1-x131.google.com with SMTP id y24so18106603lfg.1 for ; Sun, 27 Feb 2022 12:28:02 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=8zVHv/5X9Y6MXMK9tQyqtUsITKzj6rXRl92iXL6AqQ4=; b=s5u2K6lsRN6HqtnlQkDcwnc5DiTw+2CzBEGwj8yiyCAv80seyb3Hz+SZ5qdB9/Grmh umbF77DDVfQebCjsblX4uvb0T/bE5bROlUZjEyAR8XA1lQfk6hdZwkL1atTUc7fLjy13 OPUie4vvQ62ROcAaaZAnct/yLWv5GIYx3J/DA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=8zVHv/5X9Y6MXMK9tQyqtUsITKzj6rXRl92iXL6AqQ4=; b=3jMi9qkjvde+1O33UPYqQFl/Nss1hEtW5KxMJyxswRS1Yc0Qnq18OhCfJh7ZJAhI4B rZ/8X5LtSD5ZLt23c9BmGeL7Vg4vqCUGpkPBqvjFH73PiQ6l8nECVMXyOzFOaPfsDYQ4 OZCG3ddibeKmrs9U8Lx+ZBfBps2pjC48RQT7UXj7TW1afp0cLEN2NmCTiRquBzjOxDmv owXUB7KWvz69CvphDPtb8KCc6z2x8HNYaTg22g/kR7HGEShKew1+UwYVplhWa5FpZE8O 3GFuz6n6oJRbJ5dfbfa5/3AYf45bkQp+brAO4t9SNRJ6sATWzsCfJ/NO30GC1OXmsKrY wnXg== X-Gm-Message-State: AOAM533NMKJLyNIZ488cjk9WQ+CrxxgzT7VipP9P8hK1Pmfw78RWOQkv XDE3LYIaOr7gSVrVoHgnKa07C7WpuOMuQg== X-Google-Smtp-Source: ABdhPJx/EiKXwyh5Rfmi4LFfeySH8NWbyZFSf5hpTvxAn6ICm4V3FpLGfApoo4U3WaqUNrQtDU1Z7Q== X-Received: by 2002:a05:6512:a8b:b0:43c:81fb:8b26 with SMTP id m11-20020a0565120a8b00b0043c81fb8b26mr10822124lfu.479.1645993681129; Sun, 27 Feb 2022 12:28:01 -0800 (PST) Received: from cloudflare.com (2a01-110f-4809-d800-0000-0000-0000-0f9c.aa.ipv6.supernova.orange.pl. [2a01:110f:4809:d800::f9c]) by smtp.gmail.com with ESMTPSA id v9-20020a2e9909000000b00245f269061esm1040422lji.33.2022.02.27.12.28.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 27 Feb 2022 12:28:00 -0800 (PST) From: Jakub Sitnicki To: bpf@vger.kernel.org Cc: netdev@vger.kernel.org, Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , kernel-team@cloudflare.com, Martin KaFai Lau , Ilya Leoshkevich Subject: [PATCH bpf-next v2 3/3] selftests/bpf: Fix test for 4-byte load from dst_port on big-endian Date: Sun, 27 Feb 2022 21:27:57 +0100 Message-Id: <20220227202757.519015-4-jakub@cloudflare.com> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220227202757.519015-1-jakub@cloudflare.com> References: <20220227202757.519015-1-jakub@cloudflare.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net The check for 4-byte load from dst_port offset into bpf_sock is failing on big-endian architecture - s390. The bpf access converter rewrites the 4-byte load to a 2-byte load from sock_common at skc_dport offset, as shown below. * s390 / llvm-objdump -S --no-show-raw-insn 00000000000002a0 : 84: r1 = *(u32 *)(r1 + 48) 85: w0 = 1 86: if w1 == 51966 goto +1 87: w0 = 0 00000000000002c0 : 88: exit * s390 / bpftool prog dump xlated _Bool sk_dst_port__load_word(struct bpf_sock * sk): 35: (69) r1 = *(u16 *)(r1 +12) 36: (bc) w1 = w1 37: (b4) w0 = 1 38: (16) if w1 == 0xcafe goto pc+1 39: (b4) w0 = 0 40: (95) exit * s390 / llvm-objdump -S --no-show-raw-insn 00000000000002a0 : 84: r1 = *(u32 *)(r1 + 48) 85: w0 = 1 86: if w1 == 65226 goto +1 87: w0 = 0 00000000000002c0 : 88: exit * x86_64 / bpftool prog dump xlated _Bool sk_dst_port__load_word(struct bpf_sock * sk): 33: (69) r1 = *(u16 *)(r1 +12) 34: (b4) w0 = 1 35: (16) if w1 == 0xfeca goto pc+1 36: (b4) w0 = 0 37: (95) exit This leads to surprisings results. On big-endian platforms, the loaded value is as expected. The user observes no difference between a 4-byte load and 2-byte load. However, on little-endian platforms, the access conversion is not what would be expected, that is the result is left shifted after converting the value to the native byte order. That said, 4-byte loads in BPF from sk->dst_port are not a use case we expect to see, now that the dst_port field is clearly declared as a u16. Account for the quirky behavior of the access converter in the test case, so that the check passes on both endian variants. Fixes: 8f50f16ff39d ("selftests/bpf: Extend verifier and bpf_sock tests for dst_port loads") Signed-off-by: Jakub Sitnicki --- .../selftests/bpf/progs/test_sock_fields.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/tools/testing/selftests/bpf/progs/test_sock_fields.c b/tools/testing/selftests/bpf/progs/test_sock_fields.c index 186fed1deaab..3dddc173070c 100644 --- a/tools/testing/selftests/bpf/progs/test_sock_fields.c +++ b/tools/testing/selftests/bpf/progs/test_sock_fields.c @@ -256,10 +256,23 @@ int ingress_read_sock_fields(struct __sk_buff *skb) return CG_OK; } +/* + * NOTE: 4-byte load from bpf_sock at dst_port offset is quirky. The + * result is left shifted on little-endian architectures because the + * access is converted to a 2-byte load. The quirky behavior is kept + * for backward compatibility. + */ static __noinline bool sk_dst_port__load_word(struct bpf_sock *sk) { +#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ + const __u8 SHIFT = 16; +#elif __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ + const __u8 SHIFT = 0; +#else +#error "Unrecognized __BYTE_ORDER__" +#endif __u32 *word = (__u32 *)&sk->dst_port; - return word[0] == bpf_htonl(0xcafe0000); + return word[0] == bpf_htonl(0xcafe << SHIFT); } static __noinline bool sk_dst_port__load_half(struct bpf_sock *sk)