Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp1362244pxb; Fri, 21 Jan 2022 16:32:46 -0800 (PST) X-Google-Smtp-Source: ABdhPJxX/bjVTPh2t6C4/8qJm6B03CQT58gihxd1MQckYt1vCd/dIKzMYWI4cEu4rvcvRzrHn1h6 X-Received: by 2002:a63:36c1:: with SMTP id d184mr4587335pga.102.1642811566728; Fri, 21 Jan 2022 16:32:46 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1642811566; cv=none; d=google.com; s=arc-20160816; b=mybysvBZYGUdRGw1IVE7JxKRRvhh2iACYvosVs+3dQkt1YfdgGewp2cARvW5S7TK3A IFjY5yLxgkZgLHlbXna4XlWdBCTAta8/1zwP8HfVkHn982v1N07wtqVSqQ2hfd41+3Re jYCFpQcHoGtnFy/1ukALKGqSwco67FQKmAuCrwvU8appHKOgHbZTOKpu/AEZNtKixJpw bOfzh8OSEqaDUPdfab4HowXju5tBWiYDZoia4t0YOUU9r4whVFwrQsHCstiHwB+Vxr3W yKocQqLKZ4jG81+u0KhN02wC31qwXRDrBaGCDddg6blCOnNvW8mlO8Q3alzIchTwg8lh NInA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=bunDHCeKO61OtYgL6XTkwDh49ksDeJZwuYnkiCJjD/k=; b=qe+chiFtX44nWqrB5FGPyQMB0Kx5VUmv7SPIrh1cmmv/BclzCy1bUDrB73aVMCBaSq BeBT+hUk07w62CoXjmT7IpocnPrz77kEdypb/jC8A1aF+JoK8X/jpSwIplnHpJUcPX3b CRfqTN45HFbiZwColUaOCd84Pks8X1Ny9YNOKyK5GCjD1B1MJEYPah+oiorutL1F/2Ls 9h/tupdVSQX7hMqbaKLfyJYNvcNJ0aLS+vKq9iRecHB1HBRbEnNfe0Y7FQ/sWpeDCUbl VC79RqOZAQIrp3gPvAqoCYYjg0W+DoVhOy+CEx3266j309J2LEiOCW8elE9zqL0Coa0O EtdA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=NUJtW1US; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id r9si7708159pgi.487.2022.01.21.16.32.34; Fri, 21 Jan 2022 16:32:46 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=NUJtW1US; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230359AbiAUFRk (ORCPT + 99 others); Fri, 21 Jan 2022 00:17:40 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:32900 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229608AbiAUFRj (ORCPT ); Fri, 21 Jan 2022 00:17:39 -0500 Received: from mail-pj1-x1036.google.com (mail-pj1-x1036.google.com [IPv6:2607:f8b0:4864:20::1036]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BE49DC061574; Thu, 20 Jan 2022 21:17:38 -0800 (PST) Received: by mail-pj1-x1036.google.com with SMTP id l16so8388040pjl.4; Thu, 20 Jan 2022 21:17:38 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=bunDHCeKO61OtYgL6XTkwDh49ksDeJZwuYnkiCJjD/k=; b=NUJtW1USk5ESjbrnfPaFxNndMaw6rESK9PforxuBh8OPDpgNPt3uf9069PBe0f9lX3 8qX7sJ3m3HWKQrbkG0yOSFJp3afKkgda+Vx9/SA2/aybRD7yH0y3aGmCTtzoStvNO1KX 7TzDMFicsgTRZrDcQNc3ukXTSL7jHbTYA/ZUliv2wmxhSzg8sVdXjBeJ08gDqJPtDKSU gIDuP9XR61LcQcpOWJ3/ZpoURnwbgeDdRYXvkj/CMCsBT3KuMqIXrC4QJXbMvR1+CW3C cWSXG73DQtkjfIDIHkcEAAs/D3mnfK0PVbMDiLag2NdySjUMU9JTJYyKZDWBqRSH03BW tfeg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=bunDHCeKO61OtYgL6XTkwDh49ksDeJZwuYnkiCJjD/k=; b=vPNBtqC2ohqtRcXC+wefwgTKGK8JSEZ5eGC3AebJ9vgl6KKrdDlALGXuXfzaiAMvXx Mtmweln5/zMKftgBz/K+Yw/y/cPSq0WLoClxLrpoyHOdITzzNtX7Z5uL4PbT3IuWqYSK I+M0n1rplnyMWsC4g5I35UaUdbZ1vDmP25q2SYMhXaHbqSNq48d6TgajCPeo4G6ZjGTK Z6vf2NyxWqaI95a6bK/P4V7TZx3BxzqNbAX3dbh2MKGPfFtLoNeCIn4w76bLmRWrlkMW 8+6/k0bphU+Pau+SUVVhSXzPEPdwHsud2G/0+FNpPQh4cByDeaxT2XBgHl5JbdW82Sbl 06hQ== X-Gm-Message-State: AOAM5330bX1qXP7MRt9EJnjWrRVUXr7xAqSJmEdNFLgdyMRiRp057QKo P11s/CJk5bNz8PI2gRIEQsmFgWhFNxy1dmw/8l5Asf6OgYY= X-Received: by 2002:a17:90a:de8e:: with SMTP id n14mr14803977pjv.122.1642742258116; Thu, 20 Jan 2022 21:17:38 -0800 (PST) MIME-Version: 1.0 References: <20220113070245.791577-1-imagedong@tencent.com> <20220120041754.scj3hsrxmwckl7pd@ast-mbp.dhcp.thefacebook.com> In-Reply-To: From: Alexei Starovoitov Date: Thu, 20 Jan 2022 21:17:27 -0800 Message-ID: Subject: Re: [PATCH bpf-next] bpf: Add document for 'dst_port' of 'struct bpf_sock' To: Menglong Dong , Jakub Sitnicki , John Fastabend Cc: Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Song Liu , Yonghong Song , KP Singh , Network Development , bpf , LKML , Mengen Sun , flyingpeng@tencent.com, mungerjiang@tencent.com, Menglong Dong Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jan 20, 2022 at 6:18 AM Menglong Dong wrote: > > On Thu, Jan 20, 2022 at 12:17 PM Alexei Starovoitov > wrote: > > > > On Thu, Jan 20, 2022 at 11:02:27AM +0800, Menglong Dong wrote: > > > Hello! > > > > > > On Thu, Jan 20, 2022 at 6:03 AM Alexei Starovoitov > > > wrote: > > > > > > > [...] > > > > > > > > Looks like > > > > __sk_buff->remote_port > > > > bpf_sock_ops->remote_port > > > > sk_msg_md->remote_port > > > > are doing the right thing, > > > > but bpf_sock->dst_port is not correct? > > > > > > > > I think it's better to fix it, > > > > but probably need to consolidate it with > > > > convert_ctx_accesses() that deals with narrow access. > > > > I suspect reading u8 from three flavors of 'remote_port' > > > > won't be correct. > > > > > > What's the meaning of 'narrow access'? Do you mean to > > > make 'remote_port' u16? Or 'remote_port' should be made > > > accessible with u8? In fact, '*((u16 *)&skops->remote_port + 1)' > > > won't work, as it only is accessible with u32. > > > > u8 access to remote_port won't pass the verifier, > > but u8 access to dst_port will. > > Though it will return incorrect data. > > See how convert_ctx_accesses() handles narrow loads. > > I think we need to generalize it for different endian fields. > > Yeah, I understand narrower load in convert_ctx_accesses() > now. Seems u8 access to dst_port can't pass the verifier too, > which can be seen form bpf_sock_is_valid_access(): > > $ switch (off) { > $ case offsetof(struct bpf_sock, state): > $ case offsetof(struct bpf_sock, family): > $ case offsetof(struct bpf_sock, type): > $ case offsetof(struct bpf_sock, protocol): > $ case offsetof(struct bpf_sock, dst_port): // u8 access is not allowed > $ case offsetof(struct bpf_sock, src_port): > $ case offsetof(struct bpf_sock, rx_queue_mapping): > $ case bpf_ctx_range(struct bpf_sock, src_ip4): > $ case bpf_ctx_range_till(struct bpf_sock, src_ip6[0], src_ip6[3]): > $ case bpf_ctx_range(struct bpf_sock, dst_ip4): > $ case bpf_ctx_range_till(struct bpf_sock, dst_ip6[0], dst_ip6[3]): > $ bpf_ctx_record_field_size(info, size_default); > $ return bpf_ctx_narrow_access_ok(off, size, size_default); > $ } > > I'm still not sure what should we do now. Should we make all > remote_port and dst_port narrower accessable and endianness > right? For example the remote_port in struct bpf_sock_ops: > > --- a/net/core/filter.c > +++ b/net/core/filter.c > @@ -8414,6 +8414,7 @@ static bool sock_ops_is_valid_access(int off, int size, > return false; > info->reg_type = PTR_TO_PACKET_END; > break; > + case bpf_ctx_range(struct bpf_sock_ops, remote_port): Ahh. bpf_sock_ops don't have it. But bpf_sk_lookup and sk_msg_md have it. bpf_sk_lookup->remote_port supports narrow access. When it accesses sport from bpf_sk_lookup_kern. and we have tests that do u8 access from remote_port. See verifier/ctx_sk_lookup.c > case offsetof(struct bpf_sock_ops, skb_tcp_flags): > bpf_ctx_record_field_size(info, size_default); > return bpf_ctx_narrow_access_ok(off, size, > > If remote_port/dst_port are made narrower accessable, the > result will be right. Therefore, *((u16*)&sk->remote_port) will > be the port with network byte order. And the port in host byte > order can be get with: > bpf_ntohs(*((u16*)&sk->remote_port)) > or > bpf_htonl(sk->remote_port) So u8, u16, u32 will work if we make them narrow-accessible, right? The summary if I understood it: . only bpf_sk_lookup->remote_port is doing it correctly for u8,u16,u32 ? . bpf_sock->dst_port is not correct for u32, since it's missing bpf_ctx_range() ? . __sk_buff->remote_port bpf_sock_ops->remote_port sk_msg_md->remote_port correct for u32 access only. They don't support narrow access. but wait we have a test for bpf_sock->dst_port in progs/test_sock_fields.c. How does it work then? I think we need more eyes on the problem. cc-ing more experts.