Re: [RFC nf-next v2 1/2] netfilter: bpf: support prog update

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





On 12/19/23 3:06 AM, Simon Horman wrote:
On Mon, Dec 18, 2023 at 12:18:20PM +0800, D. Wythe wrote:
From: "D. Wythe" <alibuda@xxxxxxxxxxxxxxxxx>

To support the prog update, we need to ensure that the prog seen
within the hook is always valid. Considering that hooks are always
protected by rcu_read_lock(), which provide us the ability to
access the prog under rcu.

Signed-off-by: D. Wythe <alibuda@xxxxxxxxxxxxxxxxx>
...

@@ -26,8 +17,20 @@ struct bpf_nf_link {
  	struct net *net;
  	u32 dead;
  	const struct nf_defrag_hook *defrag_hook;
+	struct rcu_head head;
  };
+static unsigned int nf_hook_run_bpf(void *bpf_link, struct sk_buff *skb,
+				    const struct nf_hook_state *s)
+{
+	const struct bpf_nf_link *nf_link = bpf_link;
+	struct bpf_nf_ctx ctx = {
+		.state = s,
+		.skb = skb,
+	};
+	return bpf_prog_run(rcu_dereference(nf_link->link.prog), &ctx);
Hi,

AFAICT nf_link->link.prog isn't annotated as __rcu,
so perhaps rcu_dereference() is not correct here?

In any case, sparse seems a bit unhappy:

   .../nf_bpf_link.c:31:29: error: incompatible types in comparison expression (different address spaces):
   .../nf_bpf_link.c:31:29:    struct bpf_prog [noderef] __rcu *
   .../nf_bpf_link.c:31:29:    struct bpf_prog *

Hi Simon,

thanks for the reporting.

Yes, I had anticipated that sparse would report an error. I tried to cast the type,
but it would compile an error likes that:


net/netfilter/nf_bpf_link.c: In function ‘nf_hook_run_bpf’:
./include/asm-generic/rwonce.h:44:70: error: lvalue required as unary ‘&’ operand    44 | #define __READ_ONCE(x) (*(const volatile __unqual_scalar_typeof(x) *)&(x))
| ^
./include/asm-generic/rwonce.h:50:2: note: in expansion of macro ‘__READ_ONCE’
   50 |  __READ_ONCE(x);       \
      |  ^~~~~~~~~~~
./include/linux/rcupdate.h:436:43: note: in expansion of macro ‘READ_ONCE’
  436 |  typeof(*p) *local = (typeof(*p) *__force)READ_ONCE(p); \
      |                                           ^~~~~~~~~
./include/linux/rcupdate.h:584:2: note: in expansion of macro ‘__rcu_dereference_check’
  584 |  __rcu_dereference_check((p), __UNIQUE_ID(rcu), \
      |  ^~~~~~~~~~~~~~~~~~~~~~~
./include/linux/rcupdate.h:656:28: note: in expansion of macro ‘rcu_dereference_check’
  656 | #define rcu_dereference(p) rcu_dereference_check(p, 0)
      |                            ^~~~~~~~~~~~~~~~~~~~~
net/netfilter/nf_bpf_link.c:31:22: note: in expansion of macro ‘rcu_dereference’    31 |  return bpf_prog_run(rcu_dereference((const struct bpf_prog __rcu *)nf_link->link.prog), &ctx);
      |                      ^~~~~~~~~~~~~~~

So, I think we might need to go back to version 1.

@ Florian , what do you think ?

D. Wythe

+}
+
  #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV4) || IS_ENABLED(CONFIG_NF_DEFRAG_IPV6)
  static const struct nf_defrag_hook *
  get_proto_defrag_hook(struct bpf_nf_link *link,
...





[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux