Re: [External] Re: [PATCH bpf-next v2] bpf: Fix bpf_get/setsockopt to tos not take effect when TCP over IPv4 via INET6 API
From: Eric Dumazet
Date: Fri Sep 13 2024 - 10:44:36 EST
On Tue, Aug 27, 2024 at 10:08 AM Feng Zhou <zhoufeng.zf@xxxxxxxxxxxxx> wrote:
>
> 在 2024/8/24 02:53, Eric Dumazet 写道:
> > On Fri, Aug 23, 2024 at 8:49 PM Martin KaFai Lau <martin.lau@xxxxxxxxx> wrote:
> >>
> >> On 8/23/24 6:35 AM, Eric Dumazet wrote:
> >>> On Fri, Aug 23, 2024 at 10:53 AM Feng zhou <zhoufeng.zf@xxxxxxxxxxxxx> wrote:
> >>>>
> >>>> From: Feng Zhou <zhoufeng.zf@xxxxxxxxxxxxx>
> >>>>
> >>>> when TCP over IPv4 via INET6 API, bpf_get/setsockopt with ipv4 will
> >>>> fail, because sk->sk_family is AF_INET6. With ipv6 will success, not
> >>>> take effect, because inet_csk(sk)->icsk_af_ops is ipv6_mapped and
> >>>> use ip_queue_xmit, inet_sk(sk)->tos.
> >>>>
> >>>> So bpf_get/setsockopt needs add the judgment of this case. Just check
> >>>> "inet_csk(sk)->icsk_af_ops == &ipv6_mapped".
> >>>>
> >>>> | Reported-by: kernel test robot <lkp@xxxxxxxxx>
> >>>> | Closes: https://lore.kernel.org/oe-kbuild-all/202408152034.lw9Ilsj6-lkp@xxxxxxxxx/
> >>>> Signed-off-by: Feng Zhou <zhoufeng.zf@xxxxxxxxxxxxx>
> >>>> ---
> >>>> Changelog:
> >>>> v1->v2: Addressed comments from kernel test robot
> >>>> - Fix compilation error
> >>>> Details in here:
> >>>> https://lore.kernel.org/bpf/202408152058.YXAnhLgZ-lkp@xxxxxxxxx/T/
> >>>>
> >>>> include/net/tcp.h | 2 ++
> >>>> net/core/filter.c | 6 +++++-
> >>>> net/ipv6/tcp_ipv6.c | 6 ++++++
> >>>> 3 files changed, 13 insertions(+), 1 deletion(-)
> >>>>
> >>>> diff --git a/include/net/tcp.h b/include/net/tcp.h
> >>>> index 2aac11e7e1cc..ea673f88c900 100644
> >>>> --- a/include/net/tcp.h
> >>>> +++ b/include/net/tcp.h
> >>>> @@ -493,6 +493,8 @@ struct request_sock *cookie_tcp_reqsk_alloc(const struct request_sock_ops *ops,
> >>>> struct tcp_options_received *tcp_opt,
> >>>> int mss, u32 tsoff);
> >>>>
> >>>> +bool is_tcp_sock_ipv6_mapped(struct sock *sk);
> >>>> +
> >>>> #if IS_ENABLED(CONFIG_BPF)
> >>>> struct bpf_tcp_req_attrs {
> >>>> u32 rcv_tsval;
> >>>> diff --git a/net/core/filter.c b/net/core/filter.c
> >>>> index ecf2ddf633bf..02a825e35c4d 100644
> >>>> --- a/net/core/filter.c
> >>>> +++ b/net/core/filter.c
> >>>> @@ -5399,7 +5399,11 @@ static int sol_ip_sockopt(struct sock *sk, int optname,
> >>>> char *optval, int *optlen,
> >>>> bool getopt)
> >>>> {
> >>>> - if (sk->sk_family != AF_INET)
> >>>> + if (sk->sk_family != AF_INET
> >>>> +#if IS_BUILTIN(CONFIG_IPV6)
> >>>> + && !is_tcp_sock_ipv6_mapped(sk)
> >>>> +#endif
> >>>> + )
> >>>> return -EINVAL;
> >>>
> >>> This does not look right to me.
> >>>
> >>> I would remove the test completely.
> >>>
> >>> SOL_IP socket options are available on AF_INET6 sockets just fine.
> >>
> >> Good point on the SOL_IP options.
> >>
> >> The sk could be neither AF_INET nor AF_INET6. e.g. the bpf_get/setsockopt
> >> calling from the bpf_lsm's socket_post_create). so the AF_INET test is still needed.
> >>
> >
> > OK, then I suggest using sk_is_inet() helper.
> >
> >> Adding "&& sk->sk_family != AF_INET6" should do. From ipv6_setsockopt, I think
> >> it also needs to consider the "sk->sk_type != SOCK_RAW".
> >>
> >> Please add a test in the next re-spin.
> >>
> >> pw-bot: cr
>
> Thanks for your suggestion, I will add it in the next version.
Gentle ping.
Have you sent the new version ?