Re: [PATCH bpf-next v2 1/3] bpf: Expose bpf_get_socket_cookie to tracing programs

From: Daniel Borkmann
Date: Wed Dec 09 2020 - 03:30:10 EST


On 12/8/20 8:30 PM, Florent Revest wrote:
On Fri, 2020-12-04 at 20:03 +0100, Daniel Borkmann wrote:
On 12/4/20 7:56 PM, Daniel Borkmann wrote:
On 12/3/20 10:33 PM, Florent Revest wrote:
This creates a new helper proto because the existing
bpf_get_socket_cookie_sock_proto has a ARG_PTR_TO_CTX argument
and only
works for BPF programs where the context is a sock.

This helper could also be useful to other BPF program types such
as LSM.

Signed-off-by: Florent Revest <revest@xxxxxxxxxx>
---
include/uapi/linux/bpf.h | 7 +++++++
kernel/trace/bpf_trace.c | 4 ++++
net/core/filter.c | 7 +++++++
tools/include/uapi/linux/bpf.h | 7 +++++++
4 files changed, 25 insertions(+)

diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index c3458ec1f30a..3e0e33c43998 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -1662,6 +1662,13 @@ union bpf_attr {
* Return
* A 8-byte long non-decreasing number.
*
+ * u64 bpf_get_socket_cookie(void *sk)
+ * Description
+ * Equivalent to **bpf_get_socket_cookie**\ () helper
that accepts
+ * *sk*, but gets socket from a BTF **struct sock**.
+ * Return
+ * A 8-byte long non-decreasing number.

I would not mention this here since it's not fully correct and we
should avoid users taking non-decreasing granted in their progs.
The only assumption you can make is that it can be considered a
unique number. See also [0] with reverse counter..

[0]
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=92acdc58ab11af66fcaef485433fde61b5e32fac

Ah this is a good point, thank you! I will send a v3 with an extra
patch that s/non-decreasing/unique/ in the other descriptions. I had
not given it any extra thought, I just stupidly copied/pasted existing
descriptions. :)

One more thought, in case you plan to use this from sleepable
context, you would need to use sock_gen_cookie() variant in the BPF
helper instead.

Out of curiosity, why don't we just always call sock_gen_cookie? Is it
to avoid the performance impact of increasing the preempt counter and
introducing a memory barriers ?

Yes, all the other contexts where the existing helpers are used already have
preemption disabled, so the extra preempt_{disable,enable}() is unnecessary
overhead given we want the cookie generation be efficient.

Thanks,
Daniel