Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf

tjh.dev / kernel

fork atom

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

fork atom

Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf

Alexei Starovoitov says:

====================
pull-request: bpf 2019-07-25

The following pull-request contains BPF updates for your *net* tree.

The main changes are:

1) fix segfault in libbpf, from Andrii.

2) fix gso_segs access, from Eric.

3) tls/sockmap fixes, from Jakub and John.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

David S. Miller 6 years ago 28ba934d 47d858d0

+481 -95

18 changed files

expand all collapse all

Documentation

networking

tls-offload.rst

include

linux

filter.h

skmsg.h

net

tcp.h

tls.h

kernel

bpf

verifier.c

net

core

filter.c

skmsg.c

sock_map.c

ipv4

tcp_ulp.c

tls

tls_main.c

tls_sw.c

tools

lib

bpf

btf.c

libbpf.c

xsk.c

testing

selftests

bpf

progs

sendmsg6_prog.c

verifier

ctx_skb.c

net

tls.c

Documentation/networking/tls-offload.rst

reviewed

··· 513 513 514 514 In the RX direction, if segment has already been decrypted by the device 515 515 and it gets redirected or mirrored - clear text will be transmitted out. 516 516 + 517 517 + shutdown() doesn't clear TLS state 518 518 + ---------------------------------- 519 519 + 520 520 + shutdown() system call allows for a TLS socket to be reused as a different 521 521 + connection. Offload doesn't currently handle that.

+13

include/linux/filter.h

reviewed

··· 24 24 25 25 #include <net/sch_generic.h> 26 26 27 27 + #include <asm/byteorder.h> 27 28 #include <uapi/linux/filter.h> 28 29 #include <uapi/linux/bpf.h> 29 30 ··· 746 745 bpf_ctx_narrow_access_ok(u32 off, u32 size, u32 size_default) 747 746 { 748 747 return size <= size_default && (size & (size - 1)) == 0; 748 748 + } 749 749 + 750 750 + static inline u8 751 751 + bpf_ctx_narrow_load_shift(u32 off, u32 size, u32 size_default) 752 752 + { 753 753 + u8 load_off = off & (size_default - 1); 754 754 + 755 755 + #ifdef __LITTLE_ENDIAN 756 756 + return load_off * 8; 757 757 + #else 758 758 + return (size_default - (load_off + size)) * 8; 759 759 + #endif 749 760 } 750 761 751 762 #define bpf_ctx_wide_access_ok(off, size, type, field) \

+7 -1

include/linux/skmsg.h

reviewed

··· 354 354 sk->sk_write_space = psock->saved_write_space; 355 355 356 356 if (psock->sk_proto) { 357 357 - sk->sk_prot = psock->sk_proto; 357 357 + struct inet_connection_sock *icsk = inet_csk(sk); 358 358 + bool has_ulp = !!icsk->icsk_ulp_data; 359 359 + 360 360 + if (has_ulp) 361 361 + tcp_update_ulp(sk, psock->sk_proto); 362 362 + else 363 363 + sk->sk_prot = psock->sk_proto; 358 364 psock->sk_proto = NULL; 359 365 } 360 366 }

include/net/tcp.h

reviewed

··· 2108 2108 2109 2109 /* initialize ulp */ 2110 2110 int (*init)(struct sock *sk); 2111 2111 + /* update ulp */ 2112 2112 + void (*update)(struct sock *sk, struct proto *p); 2111 2113 /* cleanup ulp */ 2112 2114 void (*release)(struct sock *sk); 2113 2115 ··· 2121 2119 int tcp_set_ulp(struct sock *sk, const char *name); 2122 2120 void tcp_get_available_ulp(char *buf, size_t len); 2123 2121 void tcp_cleanup_ulp(struct sock *sk); 2122 2122 + void tcp_update_ulp(struct sock *sk, struct proto *p); 2124 2123 2125 2124 #define MODULE_ALIAS_TCP_ULP(name) \ 2126 2125 __MODULE_INFO(alias, alias_userspace, name); \

+11 -4

include/net/tls.h

reviewed

··· 107 107 enum { 108 108 TLS_BASE, 109 109 TLS_SW, 110 110 - #ifdef CONFIG_TLS_DEVICE 111 110 TLS_HW, 112 112 - #endif 113 111 TLS_HW_RECORD, 114 112 TLS_NUM_CONFIG, 115 113 }; ··· 160 162 int async_capable; 161 163 162 164 #define BIT_TX_SCHEDULED 0 165 165 + #define BIT_TX_CLOSING 1 163 166 unsigned long tx_bitmask; 164 167 }; 165 168 ··· 271 272 unsigned long flags; 272 273 273 274 /* cache cold stuff */ 275 275 + struct proto *sk_proto; 276 276 + 274 277 void (*sk_destruct)(struct sock *sk); 275 278 void (*sk_proto_close)(struct sock *sk, long timeout); 276 279 ··· 290 289 291 290 struct list_head list; 292 291 refcount_t refcount; 292 292 + 293 293 + struct work_struct gc; 293 294 }; 294 295 295 296 enum tls_offload_ctx_dir { ··· 358 355 unsigned int optlen); 359 356 360 357 int tls_set_sw_offload(struct sock *sk, struct tls_context *ctx, int tx); 358 358 + void tls_sw_strparser_arm(struct sock *sk, struct tls_context *ctx); 359 359 + void tls_sw_strparser_done(struct tls_context *tls_ctx); 361 360 int tls_sw_sendmsg(struct sock *sk, struct msghdr *msg, size_t size); 362 361 int tls_sw_sendpage(struct sock *sk, struct page *page, 363 362 int offset, size_t size, int flags); 364 364 - void tls_sw_close(struct sock *sk, long timeout); 365 365 - void tls_sw_free_resources_tx(struct sock *sk); 363 363 + void tls_sw_cancel_work_tx(struct tls_context *tls_ctx); 364 364 + void tls_sw_release_resources_tx(struct sock *sk); 365 365 + void tls_sw_free_ctx_tx(struct tls_context *tls_ctx); 366 366 void tls_sw_free_resources_rx(struct sock *sk); 367 367 void tls_sw_release_resources_rx(struct sock *sk); 368 368 + void tls_sw_free_ctx_rx(struct tls_context *tls_ctx); 368 369 int tls_sw_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, 369 370 int nonblock, int flags, int *addr_len); 370 371 bool tls_sw_stream_read(const struct sock *sk);

+2 -2

kernel/bpf/verifier.c

reviewed

··· 8616 8616 } 8617 8617 8618 8618 if (is_narrower_load && size < target_size) { 8619 8619 - u8 shift = (off & (size_default - 1)) * 8; 8620 8620 - 8619 8619 + u8 shift = bpf_ctx_narrow_load_shift(off, size, 8620 8620 + size_default); 8621 8621 if (ctx_field_size <= 4) { 8622 8622 if (shift) 8623 8623 insn_buf[cnt++] = BPF_ALU32_IMM(BPF_RSH,

+3 -3

net/core/filter.c

reviewed

··· 7455 7455 case offsetof(struct __sk_buff, gso_segs): 7456 7456 /* si->dst_reg = skb_shinfo(SKB); */ 7457 7457 #ifdef NET_SKBUFF_DATA_USES_OFFSET 7458 7458 - *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct sk_buff, head), 7459 7459 - si->dst_reg, si->src_reg, 7460 7460 - offsetof(struct sk_buff, head)); 7461 7458 *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct sk_buff, end), 7462 7459 BPF_REG_AX, si->src_reg, 7463 7460 offsetof(struct sk_buff, end)); 7461 7461 + *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct sk_buff, head), 7462 7462 + si->dst_reg, si->src_reg, 7463 7463 + offsetof(struct sk_buff, head)); 7464 7464 *insn++ = BPF_ALU64_REG(BPF_ADD, si->dst_reg, BPF_REG_AX); 7465 7465 #else 7466 7466 *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct sk_buff, end),

+2 -2

net/core/skmsg.c

reviewed

··· 585 585 586 586 void sk_psock_drop(struct sock *sk, struct sk_psock *psock) 587 587 { 588 588 - rcu_assign_sk_user_data(sk, NULL); 589 588 sk_psock_cork_free(psock); 590 589 sk_psock_zap_ingress(psock); 591 591 - sk_psock_restore_proto(sk, psock); 592 590 593 591 write_lock_bh(&sk->sk_callback_lock); 592 592 + sk_psock_restore_proto(sk, psock); 593 593 + rcu_assign_sk_user_data(sk, NULL); 594 594 if (psock->progs.skb_parser) 595 595 sk_psock_stop_strp(sk, psock); 596 596 write_unlock_bh(&sk->sk_callback_lock);

+14 -5

net/core/sock_map.c

reviewed

··· 247 247 raw_spin_unlock_bh(&stab->lock); 248 248 rcu_read_unlock(); 249 249 250 250 + synchronize_rcu(); 251 251 + 250 252 bpf_map_area_free(stab->sks); 251 253 kfree(stab); 252 254 } ··· 278 276 struct sock **psk) 279 277 { 280 278 struct sock *sk; 279 279 + int err = 0; 281 280 282 281 raw_spin_lock_bh(&stab->lock); 283 282 sk = *psk; 284 283 if (!sk_test || sk_test == sk) 285 285 - *psk = NULL; 284 284 + sk = xchg(psk, NULL); 285 285 + 286 286 + if (likely(sk)) 287 287 + sock_map_unref(sk, psk); 288 288 + else 289 289 + err = -EINVAL; 290 290 + 286 291 raw_spin_unlock_bh(&stab->lock); 287 287 - if (unlikely(!sk)) 288 288 - return -EINVAL; 289 289 - sock_map_unref(sk, psk); 290 290 - return 0; 292 292 + return err; 291 293 } 292 294 293 295 static void sock_map_delete_from_link(struct bpf_map *map, struct sock *sk, ··· 334 328 struct sock *sk, u64 flags) 335 329 { 336 330 struct bpf_stab *stab = container_of(map, struct bpf_stab, map); 331 331 + struct inet_connection_sock *icsk = inet_csk(sk); 337 332 struct sk_psock_link *link; 338 333 struct sk_psock *psock; 339 334 struct sock *osk; ··· 345 338 return -EINVAL; 346 339 if (unlikely(idx >= map->max_entries)) 347 340 return -E2BIG; 341 341 + if (unlikely(icsk->icsk_ulp_data)) 342 342 + return -EINVAL; 348 343 349 344 link = sk_psock_init_link(); 350 345 if (!link)

+13

net/ipv4/tcp_ulp.c

reviewed

··· 96 96 rcu_read_unlock(); 97 97 } 98 98 99 99 + void tcp_update_ulp(struct sock *sk, struct proto *proto) 100 100 + { 101 101 + struct inet_connection_sock *icsk = inet_csk(sk); 102 102 + 103 103 + if (!icsk->icsk_ulp_ops) { 104 104 + sk->sk_prot = proto; 105 105 + return; 106 106 + } 107 107 + 108 108 + if (icsk->icsk_ulp_ops->update) 109 109 + icsk->icsk_ulp_ops->update(sk, proto); 110 110 + } 111 111 + 99 112 void tcp_cleanup_ulp(struct sock *sk) 100 113 { 101 114 struct inet_connection_sock *icsk = inet_csk(sk);

+111 -33

net/tls/tls_main.c

reviewed

··· 261 261 kfree(ctx); 262 262 } 263 263 264 264 - static void tls_sk_proto_close(struct sock *sk, long timeout) 264 264 + static void tls_ctx_free_deferred(struct work_struct *gc) 265 265 { 266 266 - struct tls_context *ctx = tls_get_ctx(sk); 267 267 - long timeo = sock_sndtimeo(sk, 0); 268 268 - void (*sk_proto_close)(struct sock *sk, long timeout); 269 269 - bool free_ctx = false; 266 266 + struct tls_context *ctx = container_of(gc, struct tls_context, gc); 270 267 271 271 - lock_sock(sk); 272 272 - sk_proto_close = ctx->sk_proto_close; 273 273 - 274 274 - if (ctx->tx_conf == TLS_HW_RECORD && ctx->rx_conf == TLS_HW_RECORD) 275 275 - goto skip_tx_cleanup; 276 276 - 277 277 - if (ctx->tx_conf == TLS_BASE && ctx->rx_conf == TLS_BASE) { 278 278 - free_ctx = true; 279 279 - goto skip_tx_cleanup; 268 268 + /* Ensure any remaining work items are completed. The sk will 269 269 + * already have lost its tls_ctx reference by the time we get 270 270 + * here so no xmit operation will actually be performed. 271 271 + */ 272 272 + if (ctx->tx_conf == TLS_SW) { 273 273 + tls_sw_cancel_work_tx(ctx); 274 274 + tls_sw_free_ctx_tx(ctx); 280 275 } 281 276 277 277 + if (ctx->rx_conf == TLS_SW) { 278 278 + tls_sw_strparser_done(ctx); 279 279 + tls_sw_free_ctx_rx(ctx); 280 280 + } 281 281 + 282 282 + tls_ctx_free(ctx); 283 283 + } 284 284 + 285 285 + static void tls_ctx_free_wq(struct tls_context *ctx) 286 286 + { 287 287 + INIT_WORK(&ctx->gc, tls_ctx_free_deferred); 288 288 + schedule_work(&ctx->gc); 289 289 + } 290 290 + 291 291 + static void tls_sk_proto_cleanup(struct sock *sk, 292 292 + struct tls_context *ctx, long timeo) 293 293 + { 282 294 if (unlikely(sk->sk_write_pending) && 283 295 !wait_on_pending_writer(sk, &timeo)) 284 296 tls_handle_open_record(sk, 0); ··· 299 287 if (ctx->tx_conf == TLS_SW) { 300 288 kfree(ctx->tx.rec_seq); 301 289 kfree(ctx->tx.iv); 302 302 - tls_sw_free_resources_tx(sk); 290 290 + tls_sw_release_resources_tx(sk); 303 291 #ifdef CONFIG_TLS_DEVICE 304 292 } else if (ctx->tx_conf == TLS_HW) { 305 293 tls_device_free_resources_tx(sk); ··· 307 295 } 308 296 309 297 if (ctx->rx_conf == TLS_SW) 310 310 - tls_sw_free_resources_rx(sk); 298 298 + tls_sw_release_resources_rx(sk); 311 299 312 300 #ifdef CONFIG_TLS_DEVICE 313 301 if (ctx->rx_conf == TLS_HW) 314 302 tls_device_offload_cleanup_rx(sk); 315 315 - 316 316 - if (ctx->tx_conf != TLS_HW && ctx->rx_conf != TLS_HW) { 317 317 - #else 318 318 - { 319 303 #endif 320 320 - tls_ctx_free(ctx); 321 321 - ctx = NULL; 304 304 + } 305 305 + 306 306 + static void tls_sk_proto_unhash(struct sock *sk) 307 307 + { 308 308 + struct inet_connection_sock *icsk = inet_csk(sk); 309 309 + long timeo = sock_sndtimeo(sk, 0); 310 310 + struct tls_context *ctx; 311 311 + 312 312 + if (unlikely(!icsk->icsk_ulp_data)) { 313 313 + if (sk->sk_prot->unhash) 314 314 + sk->sk_prot->unhash(sk); 322 315 } 323 316 324 324 - skip_tx_cleanup: 317 317 + ctx = tls_get_ctx(sk); 318 318 + tls_sk_proto_cleanup(sk, ctx, timeo); 319 319 + write_lock_bh(&sk->sk_callback_lock); 320 320 + icsk->icsk_ulp_data = NULL; 321 321 + sk->sk_prot = ctx->sk_proto; 322 322 + write_unlock_bh(&sk->sk_callback_lock); 323 323 + 324 324 + if (ctx->sk_proto->unhash) 325 325 + ctx->sk_proto->unhash(sk); 326 326 + tls_ctx_free_wq(ctx); 327 327 + } 328 328 + 329 329 + static void tls_sk_proto_close(struct sock *sk, long timeout) 330 330 + { 331 331 + struct inet_connection_sock *icsk = inet_csk(sk); 332 332 + struct tls_context *ctx = tls_get_ctx(sk); 333 333 + long timeo = sock_sndtimeo(sk, 0); 334 334 + bool free_ctx; 335 335 + 336 336 + if (ctx->tx_conf == TLS_SW) 337 337 + tls_sw_cancel_work_tx(ctx); 338 338 + 339 339 + lock_sock(sk); 340 340 + free_ctx = ctx->tx_conf != TLS_HW && ctx->rx_conf != TLS_HW; 341 341 + 342 342 + if (ctx->tx_conf != TLS_BASE || ctx->rx_conf != TLS_BASE) 343 343 + tls_sk_proto_cleanup(sk, ctx, timeo); 344 344 + 345 345 + write_lock_bh(&sk->sk_callback_lock); 346 346 + if (free_ctx) 347 347 + icsk->icsk_ulp_data = NULL; 348 348 + sk->sk_prot = ctx->sk_proto; 349 349 + write_unlock_bh(&sk->sk_callback_lock); 325 350 release_sock(sk); 326 326 - sk_proto_close(sk, timeout); 327 327 - /* free ctx for TLS_HW_RECORD, used by tcp_set_state 328 328 - * for sk->sk_prot->unhash [tls_hw_unhash] 329 329 - */ 351 351 + if (ctx->tx_conf == TLS_SW) 352 352 + tls_sw_free_ctx_tx(ctx); 353 353 + if (ctx->rx_conf == TLS_SW || ctx->rx_conf == TLS_HW) 354 354 + tls_sw_strparser_done(ctx); 355 355 + if (ctx->rx_conf == TLS_SW) 356 356 + tls_sw_free_ctx_rx(ctx); 357 357 + ctx->sk_proto_close(sk, timeout); 358 358 + 330 359 if (free_ctx) 331 360 tls_ctx_free(ctx); 332 361 } ··· 579 526 { 580 527 #endif 581 528 rc = tls_set_sw_offload(sk, ctx, 1); 529 529 + if (rc) 530 530 + goto err_crypto_info; 582 531 conf = TLS_SW; 583 532 } 584 533 } else { ··· 592 537 { 593 538 #endif 594 539 rc = tls_set_sw_offload(sk, ctx, 0); 540 540 + if (rc) 541 541 + goto err_crypto_info; 595 542 conf = TLS_SW; 596 543 } 544 544 + tls_sw_strparser_arm(sk, ctx); 597 545 } 598 598 - 599 599 - if (rc) 600 600 - goto err_crypto_info; 601 546 602 547 if (tx) 603 548 ctx->tx_conf = conf; ··· 662 607 ctx->setsockopt = sk->sk_prot->setsockopt; 663 608 ctx->getsockopt = sk->sk_prot->getsockopt; 664 609 ctx->sk_proto_close = sk->sk_prot->close; 610 610 + ctx->unhash = sk->sk_prot->unhash; 665 611 return ctx; 666 612 } 667 613 ··· 786 730 prot[TLS_BASE][TLS_BASE].setsockopt = tls_setsockopt; 787 731 prot[TLS_BASE][TLS_BASE].getsockopt = tls_getsockopt; 788 732 prot[TLS_BASE][TLS_BASE].close = tls_sk_proto_close; 733 733 + prot[TLS_BASE][TLS_BASE].unhash = tls_sk_proto_unhash; 789 734 790 735 prot[TLS_SW][TLS_BASE] = prot[TLS_BASE][TLS_BASE]; 791 736 prot[TLS_SW][TLS_BASE].sendmsg = tls_sw_sendmsg; ··· 804 747 805 748 #ifdef CONFIG_TLS_DEVICE 806 749 prot[TLS_HW][TLS_BASE] = prot[TLS_BASE][TLS_BASE]; 750 750 + prot[TLS_HW][TLS_BASE].unhash = base->unhash; 807 751 prot[TLS_HW][TLS_BASE].sendmsg = tls_device_sendmsg; 808 752 prot[TLS_HW][TLS_BASE].sendpage = tls_device_sendpage; 809 753 810 754 prot[TLS_HW][TLS_SW] = prot[TLS_BASE][TLS_SW]; 755 755 + prot[TLS_HW][TLS_SW].unhash = base->unhash; 811 756 prot[TLS_HW][TLS_SW].sendmsg = tls_device_sendmsg; 812 757 prot[TLS_HW][TLS_SW].sendpage = tls_device_sendpage; 813 758 814 759 prot[TLS_BASE][TLS_HW] = prot[TLS_BASE][TLS_SW]; 760 760 + prot[TLS_BASE][TLS_HW].unhash = base->unhash; 815 761 816 762 prot[TLS_SW][TLS_HW] = prot[TLS_SW][TLS_SW]; 763 763 + prot[TLS_SW][TLS_HW].unhash = base->unhash; 817 764 818 765 prot[TLS_HW][TLS_HW] = prot[TLS_HW][TLS_SW]; 819 766 #endif ··· 825 764 prot[TLS_HW_RECORD][TLS_HW_RECORD] = *base; 826 765 prot[TLS_HW_RECORD][TLS_HW_RECORD].hash = tls_hw_hash; 827 766 prot[TLS_HW_RECORD][TLS_HW_RECORD].unhash = tls_hw_unhash; 828 828 - prot[TLS_HW_RECORD][TLS_HW_RECORD].close = tls_sk_proto_close; 829 767 } 830 768 831 769 static int tls_init(struct sock *sk) ··· 833 773 int rc = 0; 834 774 835 775 if (tls_hw_prot(sk)) 836 836 - goto out; 776 776 + return 0; 837 777 838 778 /* The TLS ulp is currently supported only for TCP sockets 839 779 * in ESTABLISHED state. ··· 844 784 if (sk->sk_state != TCP_ESTABLISHED) 845 785 return -ENOTSUPP; 846 786 787 787 + tls_build_proto(sk); 788 788 + 847 789 /* allocate tls context */ 790 790 + write_lock_bh(&sk->sk_callback_lock); 848 791 ctx = create_ctx(sk); 849 792 if (!ctx) { 850 793 rc = -ENOMEM; 851 794 goto out; 852 795 } 853 796 854 854 - tls_build_proto(sk); 855 797 ctx->tx_conf = TLS_BASE; 856 798 ctx->rx_conf = TLS_BASE; 799 799 + ctx->sk_proto = sk->sk_prot; 857 800 update_sk_prot(sk, ctx); 858 801 out: 802 802 + write_unlock_bh(&sk->sk_callback_lock); 859 803 return rc; 804 804 + } 805 805 + 806 806 + static void tls_update(struct sock *sk, struct proto *p) 807 807 + { 808 808 + struct tls_context *ctx; 809 809 + 810 810 + ctx = tls_get_ctx(sk); 811 811 + if (likely(ctx)) { 812 812 + ctx->sk_proto_close = p->close; 813 813 + ctx->sk_proto = p; 814 814 + } else { 815 815 + sk->sk_prot = p; 816 816 + } 860 817 } 861 818 862 819 void tls_register_device(struct tls_device *device) ··· 896 819 .name = "tls", 897 820 .owner = THIS_MODULE, 898 821 .init = tls_init, 822 822 + .update = tls_update, 899 823 }; 900 824 901 825 static int __init tls_register(void)

+59 -24

net/tls/tls_sw.c

reviewed

··· 2054 2054 } 2055 2055 } 2056 2056 2057 2057 - void tls_sw_free_resources_tx(struct sock *sk) 2057 2057 + void tls_sw_cancel_work_tx(struct tls_context *tls_ctx) 2058 2058 + { 2059 2059 + struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx); 2060 2060 + 2061 2061 + set_bit(BIT_TX_CLOSING, &ctx->tx_bitmask); 2062 2062 + set_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask); 2063 2063 + cancel_delayed_work_sync(&ctx->tx_work.work); 2064 2064 + } 2065 2065 + 2066 2066 + void tls_sw_release_resources_tx(struct sock *sk) 2058 2067 { 2059 2068 struct tls_context *tls_ctx = tls_get_ctx(sk); 2060 2069 struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx); ··· 2074 2065 if (atomic_read(&ctx->encrypt_pending)) 2075 2066 crypto_wait_req(-EINPROGRESS, &ctx->async_wait); 2076 2067 2077 2077 - release_sock(sk); 2078 2078 - cancel_delayed_work_sync(&ctx->tx_work.work); 2079 2079 - lock_sock(sk); 2080 2080 - 2081 2081 - /* Tx whatever records we can transmit and abandon the rest */ 2082 2068 tls_tx_records(sk, -1); 2083 2069 2084 2070 /* Free up un-sent records in tx_list. First, free ··· 2096 2092 2097 2093 crypto_free_aead(ctx->aead_send); 2098 2094 tls_free_open_rec(sk); 2095 2095 + } 2096 2096 + 2097 2097 + void tls_sw_free_ctx_tx(struct tls_context *tls_ctx) 2098 2098 + { 2099 2099 + struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx); 2099 2100 2100 2101 kfree(ctx); 2101 2102 } ··· 2119 2110 skb_queue_purge(&ctx->rx_list); 2120 2111 crypto_free_aead(ctx->aead_recv); 2121 2112 strp_stop(&ctx->strp); 2122 2122 - write_lock_bh(&sk->sk_callback_lock); 2123 2123 - sk->sk_data_ready = ctx->saved_data_ready; 2124 2124 - write_unlock_bh(&sk->sk_callback_lock); 2125 2125 - release_sock(sk); 2126 2126 - strp_done(&ctx->strp); 2127 2127 - lock_sock(sk); 2113 2113 + /* If tls_sw_strparser_arm() was not called (cleanup paths) 2114 2114 + * we still want to strp_stop(), but sk->sk_data_ready was 2115 2115 + * never swapped. 2116 2116 + */ 2117 2117 + if (ctx->saved_data_ready) { 2118 2118 + write_lock_bh(&sk->sk_callback_lock); 2119 2119 + sk->sk_data_ready = ctx->saved_data_ready; 2120 2120 + write_unlock_bh(&sk->sk_callback_lock); 2121 2121 + } 2128 2122 } 2123 2123 + } 2124 2124 + 2125 2125 + void tls_sw_strparser_done(struct tls_context *tls_ctx) 2126 2126 + { 2127 2127 + struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx); 2128 2128 + 2129 2129 + strp_done(&ctx->strp); 2130 2130 + } 2131 2131 + 2132 2132 + void tls_sw_free_ctx_rx(struct tls_context *tls_ctx) 2133 2133 + { 2134 2134 + struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx); 2135 2135 + 2136 2136 + kfree(ctx); 2129 2137 } 2130 2138 2131 2139 void tls_sw_free_resources_rx(struct sock *sk) 2132 2140 { 2133 2141 struct tls_context *tls_ctx = tls_get_ctx(sk); 2134 2134 - struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx); 2135 2142 2136 2143 tls_sw_release_resources_rx(sk); 2137 2137 - 2138 2138 - kfree(ctx); 2144 2144 + tls_sw_free_ctx_rx(tls_ctx); 2139 2145 } 2140 2146 2141 2147 /* The work handler to transmitt the encrypted records in tx_list */ ··· 2161 2137 struct tx_work, work); 2162 2138 struct sock *sk = tx_work->sk; 2163 2139 struct tls_context *tls_ctx = tls_get_ctx(sk); 2164 2164 - struct tls_sw_context_tx *ctx = tls_sw_ctx_tx(tls_ctx); 2140 2140 + struct tls_sw_context_tx *ctx; 2141 2141 + 2142 2142 + if (unlikely(!tls_ctx)) 2143 2143 + return; 2144 2144 + 2145 2145 + ctx = tls_sw_ctx_tx(tls_ctx); 2146 2146 + if (test_bit(BIT_TX_CLOSING, &ctx->tx_bitmask)) 2147 2147 + return; 2165 2148 2166 2149 if (!test_and_clear_bit(BIT_TX_SCHEDULED, &ctx->tx_bitmask)) 2167 2150 return; 2168 2168 - 2169 2151 lock_sock(sk); 2170 2152 tls_tx_records(sk, -1); 2171 2153 release_sock(sk); ··· 2188 2158 &tx_ctx->tx_bitmask)) 2189 2159 schedule_delayed_work(&tx_ctx->tx_work.work, 0); 2190 2160 } 2161 2161 + } 2162 2162 + 2163 2163 + void tls_sw_strparser_arm(struct sock *sk, struct tls_context *tls_ctx) 2164 2164 + { 2165 2165 + struct tls_sw_context_rx *rx_ctx = tls_sw_ctx_rx(tls_ctx); 2166 2166 + 2167 2167 + write_lock_bh(&sk->sk_callback_lock); 2168 2168 + rx_ctx->saved_data_ready = sk->sk_data_ready; 2169 2169 + sk->sk_data_ready = tls_data_ready; 2170 2170 + write_unlock_bh(&sk->sk_callback_lock); 2171 2171 + 2172 2172 + strp_check_rcv(&rx_ctx->strp); 2191 2173 } 2192 2174 2193 2175 int tls_set_sw_offload(struct sock *sk, struct tls_context *ctx, int tx) ··· 2399 2357 cb.parse_msg = tls_read_size; 2400 2358 2401 2359 strp_init(&sw_ctx_rx->strp, sk, &cb); 2402 2402 - 2403 2403 - write_lock_bh(&sk->sk_callback_lock); 2404 2404 - sw_ctx_rx->saved_data_ready = sk->sk_data_ready; 2405 2405 - sk->sk_data_ready = tls_data_ready; 2406 2406 - write_unlock_bh(&sk->sk_callback_lock); 2407 2407 - 2408 2408 - strp_check_rcv(&sw_ctx_rx->strp); 2409 2360 } 2410 2361 2411 2362 goto out;

+3 -2

tools/lib/bpf/btf.c

reviewed

··· 1 1 // SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause) 2 2 /* Copyright (c) 2018 Facebook */ 3 3 4 4 + #include <endian.h> 4 5 #include <stdio.h> 5 6 #include <stdlib.h> 6 7 #include <string.h> ··· 420 419 421 420 static bool btf_check_endianness(const GElf_Ehdr *ehdr) 422 421 { 423 423 - #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ 422 422 + #if __BYTE_ORDER == __LITTLE_ENDIAN 424 423 return ehdr->e_ident[EI_DATA] == ELFDATA2LSB; 425 425 - #elif __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ 424 424 + #elif __BYTE_ORDER == __BIG_ENDIAN 426 425 return ehdr->e_ident[EI_DATA] == ELFDATA2MSB; 427 426 #else 428 427 # error "Unrecognized __BYTE_ORDER__"

+23 -11

tools/lib/bpf/libbpf.c

reviewed

··· 20 20 #include <inttypes.h> 21 21 #include <string.h> 22 22 #include <unistd.h> 23 23 + #include <endian.h> 23 24 #include <fcntl.h> 24 25 #include <errno.h> 25 26 #include <asm/unistd.h> ··· 613 612 614 613 static int bpf_object__check_endianness(struct bpf_object *obj) 615 614 { 616 616 - #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ 615 615 + #if __BYTE_ORDER == __LITTLE_ENDIAN 617 616 if (obj->efile.ehdr.e_ident[EI_DATA] == ELFDATA2LSB) 618 617 return 0; 619 619 - #elif __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ 618 618 + #elif __BYTE_ORDER == __BIG_ENDIAN 620 619 if (obj->efile.ehdr.e_ident[EI_DATA] == ELFDATA2MSB) 621 620 return 0; 622 621 #else ··· 1378 1377 if (!has_datasec && kind == BTF_KIND_VAR) { 1379 1378 /* replace VAR with INT */ 1380 1379 t->info = BTF_INFO_ENC(BTF_KIND_INT, 0, 0); 1381 1381 - t->size = sizeof(int); 1382 1382 - *(int *)(t+1) = BTF_INT_ENC(0, 0, 32); 1380 1380 + /* 1381 1381 + * using size = 1 is the safest choice, 4 will be too 1382 1382 + * big and cause kernel BTF validation failure if 1383 1383 + * original variable took less than 4 bytes 1384 1384 + */ 1385 1385 + t->size = 1; 1386 1386 + *(int *)(t+1) = BTF_INT_ENC(0, 0, 8); 1383 1387 } else if (!has_datasec && kind == BTF_KIND_DATASEC) { 1384 1388 /* replace DATASEC with STRUCT */ 1385 1389 struct btf_var_secinfo *v = (void *)(t + 1); ··· 1506 1500 BTF_ELF_SEC, err); 1507 1501 btf__free(obj->btf); 1508 1502 obj->btf = NULL; 1503 1503 + /* btf_ext can't exist without btf, so free it as well */ 1504 1504 + if (obj->btf_ext) { 1505 1505 + btf_ext__free(obj->btf_ext); 1506 1506 + obj->btf_ext = NULL; 1507 1507 + } 1508 1508 + 1509 1509 if (bpf_object__is_btf_mandatory(obj)) 1510 1510 return err; 1511 1511 } ··· 4519 4507 const struct perf_buffer_opts *opts) 4520 4508 { 4521 4509 struct perf_buffer_params p = {}; 4522 4522 - struct perf_event_attr attr = { 4523 4523 - .config = PERF_COUNT_SW_BPF_OUTPUT, 4524 4524 - .type = PERF_TYPE_SOFTWARE, 4525 4525 - .sample_type = PERF_SAMPLE_RAW, 4526 4526 - .sample_period = 1, 4527 4527 - .wakeup_events = 1, 4528 4528 - }; 4510 4510 + struct perf_event_attr attr = { 0, }; 4511 4511 + 4512 4512 + attr.config = PERF_COUNT_SW_BPF_OUTPUT, 4513 4513 + attr.type = PERF_TYPE_SOFTWARE; 4514 4514 + attr.sample_type = PERF_SAMPLE_RAW; 4515 4515 + attr.sample_period = 1; 4516 4516 + attr.wakeup_events = 1; 4529 4517 4530 4518 p.attr = &attr; 4531 4519 p.sample_cb = opts ? opts->sample_cb : NULL;

+5 -6

tools/lib/bpf/xsk.c

reviewed

··· 317 317 318 318 static int xsk_get_max_queues(struct xsk_socket *xsk) 319 319 { 320 320 - struct ethtool_channels channels; 321 321 - struct ifreq ifr; 320 320 + struct ethtool_channels channels = { .cmd = ETHTOOL_GCHANNELS }; 321 321 + struct ifreq ifr = {}; 322 322 int fd, err, ret; 323 323 324 324 fd = socket(AF_INET, SOCK_DGRAM, 0); 325 325 if (fd < 0) 326 326 return -errno; 327 327 328 328 - channels.cmd = ETHTOOL_GCHANNELS; 329 328 ifr.ifr_data = (void *)&channels; 330 330 - strncpy(ifr.ifr_name, xsk->ifname, IFNAMSIZ - 1); 329 329 + memcpy(ifr.ifr_name, xsk->ifname, IFNAMSIZ - 1); 331 330 ifr.ifr_name[IFNAMSIZ - 1] = '\0'; 332 331 err = ioctl(fd, SIOCETHTOOL, &ifr); 333 332 if (err && errno != EOPNOTSUPP) { ··· 334 335 goto out; 335 336 } 336 337 337 337 - if (channels.max_combined == 0 || errno == EOPNOTSUPP) 338 338 + if (err || channels.max_combined == 0) 338 339 /* If the device says it has no channels, then all traffic 339 340 * is sent to a single stream, so max queues = 1. 340 341 */ ··· 516 517 err = -errno; 517 518 goto out_socket; 518 519 } 519 519 - strncpy(xsk->ifname, ifname, IFNAMSIZ - 1); 520 520 + memcpy(xsk->ifname, ifname, IFNAMSIZ - 1); 520 521 xsk->ifname[IFNAMSIZ - 1] = '\0'; 521 522 522 523 err = xsk_set_xdp_socket_config(&xsk->config, usr_config);

+1 -2

tools/testing/selftests/bpf/progs/sendmsg6_prog.c

reviewed

··· 41 41 } 42 42 43 43 /* Rewrite destination. */ 44 44 - if ((ctx->user_ip6[0] & 0xFFFF) == bpf_htons(0xFACE) && 45 45 - ctx->user_ip6[0] >> 16 == bpf_htons(0xB00C)) { 44 44 + if (ctx->user_ip6[0] == bpf_htonl(0xFACEB00C)) { 46 45 ctx->user_ip6[0] = bpf_htonl(DST_REWRITE_IP6_0); 47 46 ctx->user_ip6[1] = bpf_htonl(DST_REWRITE_IP6_1); 48 47 ctx->user_ip6[2] = bpf_htonl(DST_REWRITE_IP6_2);

+11

tools/testing/selftests/bpf/verifier/ctx_skb.c

reviewed

··· 975 975 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 976 976 }, 977 977 { 978 978 + "read gso_segs from CGROUP_SKB", 979 979 + .insns = { 980 980 + BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 981 981 + offsetof(struct __sk_buff, gso_segs)), 982 982 + BPF_MOV64_IMM(BPF_REG_0, 0), 983 983 + BPF_EXIT_INSN(), 984 984 + }, 985 985 + .result = ACCEPT, 986 986 + .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 987 987 + }, 988 988 + { 978 989 "write gso_segs from CGROUP_SKB", 979 990 .insns = { 980 991 BPF_MOV64_IMM(BPF_REG_0, 0),

+194

tools/testing/selftests/net/tls.c

reviewed

··· 25 25 #define TLS_PAYLOAD_MAX_LEN 16384 26 26 #define SOL_TLS 282 27 27 28 28 + #ifndef ENOTSUPP 29 29 + #define ENOTSUPP 524 30 30 + #endif 31 31 + 32 32 + FIXTURE(tls_basic) 33 33 + { 34 34 + int fd, cfd; 35 35 + bool notls; 36 36 + }; 37 37 + 38 38 + FIXTURE_SETUP(tls_basic) 39 39 + { 40 40 + struct sockaddr_in addr; 41 41 + socklen_t len; 42 42 + int sfd, ret; 43 43 + 44 44 + self->notls = false; 45 45 + len = sizeof(addr); 46 46 + 47 47 + addr.sin_family = AF_INET; 48 48 + addr.sin_addr.s_addr = htonl(INADDR_ANY); 49 49 + addr.sin_port = 0; 50 50 + 51 51 + self->fd = socket(AF_INET, SOCK_STREAM, 0); 52 52 + sfd = socket(AF_INET, SOCK_STREAM, 0); 53 53 + 54 54 + ret = bind(sfd, &addr, sizeof(addr)); 55 55 + ASSERT_EQ(ret, 0); 56 56 + ret = listen(sfd, 10); 57 57 + ASSERT_EQ(ret, 0); 58 58 + 59 59 + ret = getsockname(sfd, &addr, &len); 60 60 + ASSERT_EQ(ret, 0); 61 61 + 62 62 + ret = connect(self->fd, &addr, sizeof(addr)); 63 63 + ASSERT_EQ(ret, 0); 64 64 + 65 65 + self->cfd = accept(sfd, &addr, &len); 66 66 + ASSERT_GE(self->cfd, 0); 67 67 + 68 68 + close(sfd); 69 69 + 70 70 + ret = setsockopt(self->fd, IPPROTO_TCP, TCP_ULP, "tls", sizeof("tls")); 71 71 + if (ret != 0) { 72 72 + ASSERT_EQ(errno, ENOTSUPP); 73 73 + self->notls = true; 74 74 + printf("Failure setting TCP_ULP, testing without tls\n"); 75 75 + return; 76 76 + } 77 77 + 78 78 + ret = setsockopt(self->cfd, IPPROTO_TCP, TCP_ULP, "tls", sizeof("tls")); 79 79 + ASSERT_EQ(ret, 0); 80 80 + } 81 81 + 82 82 + FIXTURE_TEARDOWN(tls_basic) 83 83 + { 84 84 + close(self->fd); 85 85 + close(self->cfd); 86 86 + } 87 87 + 88 88 + /* Send some data through with ULP but no keys */ 89 89 + TEST_F(tls_basic, base_base) 90 90 + { 91 91 + char const *test_str = "test_read"; 92 92 + int send_len = 10; 93 93 + char buf[10]; 94 94 + 95 95 + ASSERT_EQ(strlen(test_str) + 1, send_len); 96 96 + 97 97 + EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len); 98 98 + EXPECT_NE(recv(self->cfd, buf, send_len, 0), -1); 99 99 + EXPECT_EQ(memcmp(buf, test_str, send_len), 0); 100 100 + }; 101 101 + 28 102 FIXTURE(tls) 29 103 { 30 104 int fd, cfd; ··· 237 163 EXPECT_EQ(recv(self->cfd, buf, send_len * 2, MSG_WAITALL), 238 164 send_len * 2); 239 165 EXPECT_EQ(memcmp(buf, test_str, send_len), 0); 166 166 + } 167 167 + 168 168 + TEST_F(tls, msg_more_unsent) 169 169 + { 170 170 + char const *test_str = "test_read"; 171 171 + int send_len = 10; 172 172 + char buf[10]; 173 173 + 174 174 + EXPECT_EQ(send(self->fd, test_str, send_len, MSG_MORE), send_len); 175 175 + EXPECT_EQ(recv(self->cfd, buf, send_len, MSG_DONTWAIT), -1); 240 176 } 241 177 242 178 TEST_F(tls, sendmsg_single) ··· 694 610 EXPECT_EQ(memcmp(send_mem, recv_mem + 10, 5), 0); 695 611 } 696 612 613 613 + TEST_F(tls, bidir) 614 614 + { 615 615 + struct tls12_crypto_info_aes_gcm_128 tls12; 616 616 + char const *test_str = "test_read"; 617 617 + int send_len = 10; 618 618 + char buf[10]; 619 619 + int ret; 620 620 + 621 621 + memset(&tls12, 0, sizeof(tls12)); 622 622 + tls12.info.version = TLS_1_3_VERSION; 623 623 + tls12.info.cipher_type = TLS_CIPHER_AES_GCM_128; 624 624 + 625 625 + ret = setsockopt(self->fd, SOL_TLS, TLS_RX, &tls12, sizeof(tls12)); 626 626 + ASSERT_EQ(ret, 0); 627 627 + 628 628 + ret = setsockopt(self->cfd, SOL_TLS, TLS_TX, &tls12, sizeof(tls12)); 629 629 + ASSERT_EQ(ret, 0); 630 630 + 631 631 + ASSERT_EQ(strlen(test_str) + 1, send_len); 632 632 + 633 633 + EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len); 634 634 + EXPECT_NE(recv(self->cfd, buf, send_len, 0), -1); 635 635 + EXPECT_EQ(memcmp(buf, test_str, send_len), 0); 636 636 + 637 637 + memset(buf, 0, sizeof(buf)); 638 638 + 639 639 + EXPECT_EQ(send(self->cfd, test_str, send_len, 0), send_len); 640 640 + EXPECT_NE(recv(self->fd, buf, send_len, 0), -1); 641 641 + EXPECT_EQ(memcmp(buf, test_str, send_len), 0); 642 642 + }; 643 643 + 697 644 TEST_F(tls, pollin) 698 645 { 699 646 char const *test_str = "test_poll"; ··· 950 835 record_type = *((unsigned char *)CMSG_DATA(cmsg)); 951 836 EXPECT_EQ(record_type, 100); 952 837 EXPECT_EQ(memcmp(buf, test_str, send_len), 0); 838 838 + } 839 839 + 840 840 + TEST_F(tls, shutdown) 841 841 + { 842 842 + char const *test_str = "test_read"; 843 843 + int send_len = 10; 844 844 + char buf[10]; 845 845 + 846 846 + ASSERT_EQ(strlen(test_str) + 1, send_len); 847 847 + 848 848 + EXPECT_EQ(send(self->fd, test_str, send_len, 0), send_len); 849 849 + EXPECT_NE(recv(self->cfd, buf, send_len, 0), -1); 850 850 + EXPECT_EQ(memcmp(buf, test_str, send_len), 0); 851 851 + 852 852 + shutdown(self->fd, SHUT_RDWR); 853 853 + shutdown(self->cfd, SHUT_RDWR); 854 854 + } 855 855 + 856 856 + TEST_F(tls, shutdown_unsent) 857 857 + { 858 858 + char const *test_str = "test_read"; 859 859 + int send_len = 10; 860 860 + 861 861 + EXPECT_EQ(send(self->fd, test_str, send_len, MSG_MORE), send_len); 862 862 + 863 863 + shutdown(self->fd, SHUT_RDWR); 864 864 + shutdown(self->cfd, SHUT_RDWR); 865 865 + } 866 866 + 867 867 + TEST(non_established) { 868 868 + struct tls12_crypto_info_aes_gcm_256 tls12; 869 869 + struct sockaddr_in addr; 870 870 + int sfd, ret, fd; 871 871 + socklen_t len; 872 872 + 873 873 + len = sizeof(addr); 874 874 + 875 875 + memset(&tls12, 0, sizeof(tls12)); 876 876 + tls12.info.version = TLS_1_2_VERSION; 877 877 + tls12.info.cipher_type = TLS_CIPHER_AES_GCM_256; 878 878 + 879 879 + addr.sin_family = AF_INET; 880 880 + addr.sin_addr.s_addr = htonl(INADDR_ANY); 881 881 + addr.sin_port = 0; 882 882 + 883 883 + fd = socket(AF_INET, SOCK_STREAM, 0); 884 884 + sfd = socket(AF_INET, SOCK_STREAM, 0); 885 885 + 886 886 + ret = bind(sfd, &addr, sizeof(addr)); 887 887 + ASSERT_EQ(ret, 0); 888 888 + ret = listen(sfd, 10); 889 889 + ASSERT_EQ(ret, 0); 890 890 + 891 891 + ret = setsockopt(fd, IPPROTO_TCP, TCP_ULP, "tls", sizeof("tls")); 892 892 + EXPECT_EQ(ret, -1); 893 893 + /* TLS ULP not supported */ 894 894 + if (errno == ENOENT) 895 895 + return; 896 896 + EXPECT_EQ(errno, ENOTSUPP); 897 897 + 898 898 + ret = setsockopt(sfd, IPPROTO_TCP, TCP_ULP, "tls", sizeof("tls")); 899 899 + EXPECT_EQ(ret, -1); 900 900 + EXPECT_EQ(errno, ENOTSUPP); 901 901 + 902 902 + ret = getsockname(sfd, &addr, &len); 903 903 + ASSERT_EQ(ret, 0); 904 904 + 905 905 + ret = connect(fd, &addr, sizeof(addr)); 906 906 + ASSERT_EQ(ret, 0); 907 907 + 908 908 + ret = setsockopt(fd, IPPROTO_TCP, TCP_ULP, "tls", sizeof("tls")); 909 909 + ASSERT_EQ(ret, 0); 910 910 + 911 911 + ret = setsockopt(fd, IPPROTO_TCP, TCP_ULP, "tls", sizeof("tls")); 912 912 + EXPECT_EQ(ret, -1); 913 913 + EXPECT_EQ(errno, EEXIST); 914 914 + 915 915 + close(fd); 916 916 + close(sfd); 953 917 } 954 918 955 919 TEST(keysizes) {