1. 01 10月, 2018 10 次提交
  2. 28 9月, 2018 9 次提交
    • Y
      bpf: permit CGROUP_DEVICE programs accessing helper bpf_get_current_cgroup_id() · 5bf7a60b
      Yonghong Song 提交于
      Currently, helper bpf_get_current_cgroup_id() is not permitted
      for CGROUP_DEVICE type of programs. If the helper is used
      in such cases, the verifier will log the following error:
      
        0: (bf) r6 = r1
        1: (69) r7 = *(u16 *)(r6 +0)
        2: (85) call bpf_get_current_cgroup_id#80
        unknown func bpf_get_current_cgroup_id#80
      
      The bpf_get_current_cgroup_id() is useful for CGROUP_DEVICE
      type of programs in order to customize action based on cgroup id.
      This patch added such a support.
      
      Cc: Roman Gushchin <guro@fb.com>
      Signed-off-by: NYonghong Song <yhs@fb.com>
      Acked-by: NAlexei Starovoitov <ast@kernel.org>
      Acked-by: NRoman Gushchin <guro@fb.com>
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      5bf7a60b
    • D
      Merge branch 'bpf-libbpf-attach-by-name' · 78e6e5c1
      Daniel Borkmann 提交于
      Andrey Ignatov says:
      
      ====================
      This patch set introduces libbpf_attach_type_by_name function in libbpf
      to identify attach type by section name.
      
      This is useful to avoid writing same logic over and over again in user
      space applications that leverage libbpf.
      
      Patch 1 has more details on the new function and problem being solved.
      Patches 2 and 3 add support for new section names.
      Patch 4 uses new function in a selftest.
      Patch 5 adds selftest for libbpf_{prog,attach}_type_by_name.
      
      As a side note there are a lot of inconsistencies now between names used
      by libbpf and bpftool (e.g. cgroup/skb vs cgroup_skb, cgroup_device and
      device vs cgroup/dev, sockops vs sock_ops, etc). This patch set does not
      address it but it tries not to make it harder to address it in the future.
      ====================
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      78e6e5c1
    • A
      selftests/bpf: Test libbpf_{prog,attach}_type_by_name · 370920c4
      Andrey Ignatov 提交于
      Add selftest for libbpf functions libbpf_prog_type_by_name and
      libbpf_attach_type_by_name.
      
      Example of output:
        % ./tools/testing/selftests/bpf/test_section_names
        Summary: 35 PASSED, 0 FAILED
      Signed-off-by: NAndrey Ignatov <rdna@fb.com>
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      370920c4
    • A
      selftests/bpf: Use libbpf_attach_type_by_name in test_socket_cookie · c9bf507d
      Andrey Ignatov 提交于
      Use newly introduced libbpf_attach_type_by_name in test_socket_cookie
      selftest.
      Signed-off-by: NAndrey Ignatov <rdna@fb.com>
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      c9bf507d
    • A
      libbpf: Support sk_skb/stream_{parser, verdict} section names · c6f6851b
      Andrey Ignatov 提交于
      Add section names for BPF_SK_SKB_STREAM_PARSER and
      BPF_SK_SKB_STREAM_VERDICT attach types to be able to identify them in
      libbpf_attach_type_by_name.
      
      "stream_parser" and "stream_verdict" are used instead of simple "parser"
      and "verdict" just to avoid possible confusion in a place where attach
      type is used alone (e.g. in bpftool's show sub-commands) since there is
      another attach point that can be named as "verdict": BPF_SK_MSG_VERDICT.
      Signed-off-by: NAndrey Ignatov <rdna@fb.com>
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      c6f6851b
    • A
      libbpf: Support cgroup_skb/{e,in}gress section names · bafa7afe
      Andrey Ignatov 提交于
      Add section names for BPF_CGROUP_INET_INGRESS and BPF_CGROUP_INET_EGRESS
      attach types to be able to identify them in libbpf_attach_type_by_name.
      
      "cgroup_skb" is used instead of "cgroup/skb" mostly to easy possible
      unifying of how libbpf and bpftool works with section names:
      * bpftool uses "cgroup_skb" to in "prog list" sub-command;
      * bpftool uses "ingress" and "egress" in "cgroup list" sub-command;
      * having two parts instead of three in a string like "cgroup_skb/ingress"
        can be leveraged to split it to prog_type part and attach_type part,
        or vise versa: use two parts to make a section name.
      Signed-off-by: NAndrey Ignatov <rdna@fb.com>
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      bafa7afe
    • A
      libbpf: Introduce libbpf_attach_type_by_name · 956b620f
      Andrey Ignatov 提交于
      There is a common use-case when ELF object contains multiple BPF
      programs and every program has its own section name. If it's cgroup-bpf
      then programs have to be 1) loaded and 2) attached to a cgroup.
      
      It's convenient to have information necessary to load BPF program
      together with program itself. This is where section name works fine in
      conjunction with libbpf_prog_type_by_name that identifies prog_type and
      expected_attach_type and these can be used with BPF_PROG_LOAD.
      
      But there is currently no way to identify attach_type by section name
      and it leads to messy code in user space that reinvents guessing logic
      every time it has to identify attach type to use with BPF_PROG_ATTACH.
      
      The patch introduces libbpf_attach_type_by_name that guesses attach type
      by section name if a program can be attached.
      
      The difference between expected_attach_type provided by
      libbpf_prog_type_by_name and attach_type provided by
      libbpf_attach_type_by_name is the former is used at BPF_PROG_LOAD time
      and can be zero if a program of prog_type X has only one corresponding
      attach type Y whether the latter provides specific attach type to use
      with BPF_PROG_ATTACH.
      
      No new section names were added to section_names array. Only existing
      ones were reorganized and attach_type was added where appropriate.
      Signed-off-by: NAndrey Ignatov <rdna@fb.com>
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      956b620f
    • S
      bpf: test_bpf: add init_net to dev for flow_dissector · 10081193
      Song Liu 提交于
      Latest changes in __skb_flow_dissect() assume skb->dev has valid nd_net.
      However, this is not true for test_bpf. As a result, test_bpf.ko crashes
      the system with the following stack trace:
      
      [ 1133.716622] BUG: unable to handle kernel paging request at 0000000000001030
      [ 1133.716623] PGD 8000001fbf7ee067
      [ 1133.716624] P4D 8000001fbf7ee067
      [ 1133.716624] PUD 1f6c1cf067
      [ 1133.716625] PMD 0
      [ 1133.716628] Oops: 0000 [#1] SMP PTI
      [ 1133.716630] CPU: 7 PID: 40473 Comm: modprobe Kdump: loaded Not tainted 4.19.0-rc5-00805-gca11cc92ccd2 #1167
      [ 1133.716631] Hardware name: Wiwynn Leopard-Orv2/Leopard-DDR BW, BIOS LBM12.5 12/06/2017
      [ 1133.716638] RIP: 0010:__skb_flow_dissect+0x83/0x1680
      [ 1133.716639] Code: 04 00 00 41 0f b7 44 24 04 48 85 db 4d 8d 14 07 0f 84 01 02 00 00 48 8b 43 10 48 85 c0 0f 84 e5 01 00 00 48 8b 80 a8 04 00 00 <48> 8b 90 30 10 00 00 48 85 d2 0f 84 dd 01 00 00 31 c0 b9 05 00 00
      [ 1133.716640] RSP: 0018:ffffc900303c7a80 EFLAGS: 00010282
      [ 1133.716642] RAX: 0000000000000000 RBX: ffff881fea0b7400 RCX: 0000000000000000
      [ 1133.716643] RDX: ffffc900303c7bb4 RSI: ffffffff8235c3e0 RDI: ffff881fea0b7400
      [ 1133.716643] RBP: ffffc900303c7b80 R08: 0000000000000000 R09: 000000000000000e
      [ 1133.716644] R10: ffffc900303c7bb4 R11: ffff881fb6840400 R12: ffffffff8235c3e0
      [ 1133.716645] R13: 0000000000000008 R14: 000000000000001e R15: ffffc900303c7bb4
      [ 1133.716646] FS:  00007f54e75d3740(0000) GS:ffff881fff5c0000(0000) knlGS:0000000000000000
      [ 1133.716648] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 1133.716649] CR2: 0000000000001030 CR3: 0000001f6c226005 CR4: 00000000003606e0
      [ 1133.716649] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [ 1133.716650] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [ 1133.716651] Call Trace:
      [ 1133.716660]  ? sched_clock_cpu+0xc/0xa0
      [ 1133.716662]  ? sched_clock_cpu+0xc/0xa0
      [ 1133.716665]  ? log_store+0x1b5/0x260
      [ 1133.716667]  ? up+0x12/0x60
      [ 1133.716669]  ? skb_get_poff+0x4b/0xa0
      [ 1133.716674]  ? __kmalloc_reserve.isra.47+0x2e/0x80
      [ 1133.716675]  skb_get_poff+0x4b/0xa0
      [ 1133.716680]  bpf_skb_get_pay_offset+0xa/0x10
      [ 1133.716686]  ? test_bpf_init+0x578/0x1000 [test_bpf]
      [ 1133.716690]  ? netlink_broadcast_filtered+0x153/0x3d0
      [ 1133.716695]  ? free_pcppages_bulk+0x324/0x600
      [ 1133.716696]  ? 0xffffffffa0279000
      [ 1133.716699]  ? do_one_initcall+0x46/0x1bd
      [ 1133.716704]  ? kmem_cache_alloc_trace+0x144/0x1a0
      [ 1133.716709]  ? do_init_module+0x5b/0x209
      [ 1133.716712]  ? load_module+0x2136/0x25d0
      [ 1133.716715]  ? __do_sys_finit_module+0xba/0xe0
      [ 1133.716717]  ? __do_sys_finit_module+0xba/0xe0
      [ 1133.716719]  ? do_syscall_64+0x48/0x100
      [ 1133.716724]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      This patch fixes tes_bpf by using init_net in the dummy dev.
      
      Fixes: d58e468b ("flow_dissector: implements flow dissector BPF hook")
      Reported-by: NEric Dumazet <edumazet@google.com>
      Cc: Willem de Bruijn <willemb@google.com>
      Cc: Petar Penkov <ppenkov@google.com>
      Signed-off-by: NSong Liu <songliubraving@fb.com>
      Reviewed-by: NEric Dumazet <edumazet@google.com>
      Acked-by: NWillem de Bruijn <willemb@google.com>
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      10081193
    • A
      bpftool: Fix bpftool net output · 53d6eb08
      Andrey Ignatov 提交于
      Print `bpftool net` output to stdout instead of stderr. Only errors
      should be printed to stderr. Regular output should go to stdout and this
      is what all other subcommands of bpftool do, including --json and
      --pretty formats of `bpftool net` itself.
      
      Fixes: commit f6f3bac0 ("tools/bpf: bpftool: add net support")
      Signed-off-by: NAndrey Ignatov <rdna@fb.com>
      Acked-by: NYonghong Song <yhs@fb.com>
      Acked-by: NSong Liu <songliubraving@fb.com>
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      53d6eb08
  3. 27 9月, 2018 21 次提交