Replace bpf bitfields with a single u8 field and masks#12415
Replace bpf bitfields with a single u8 field and masks#12415borkmann merged 1 commit intocilium:masterfrom
Conversation
|
Commits 43960096b1ea086d3b8b1948b93890f9aa27ef00, f7f0d9da2ac85733f4744aaf3d98046b4bdb854d, c50ca4ed612f02313def428328944752b9b381a1 do not contain "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin |
8a6548e to
042d0a6
Compare
There was a problem hiding this comment.
This filename could be bpf_abi_test.go instead?
There was a problem hiding this comment.
As discussed here: #12415 (comment), it seems that it is not possible to change the name to bpf_abi_test.go, because there is an error that using cgo in tests is not supported.
Per @tklauser suggestion, I looked at using alignchecker for performing the test, which resulted in #12436.
There was a problem hiding this comment.
This is using cgo which we preferably want to avoid. This seems to be only used for test code, so the easy fix would be to rename the file to bpf_abi_test.go so it only gets compiled for tests.
The other option, without using cgo for tests as well would be to somehow integrate it with the alignchecker which we already use to check struct alignment between bpf and Go code.
There was a problem hiding this comment.
Makes perfect sense.
Indeed, this was my first attempt, but tests do not seem to support cgo:
can't load package: package github.com/cilium/cilium/pkg/loadbalancer: use of cgo in test /home/kkourt/isovalent/src/cilium/pkg/loadbalancer/loadbalancer_test.go not supported
And the same for renaming bpf_abi.go to bpf_abi_test.go:
can't load package: package github.com/cilium/cilium/pkg/loadbalancer: use of cgo in test /home/kkourt/isovalent/src/cilium/pkg/loadbalancer/bpf_abi_test.go not supported
I'll have a look at the alignchecker.
There was a problem hiding this comment.
Added #12436 as a first step towards using alignchecker.
9f0f566 to
6ec01aa
Compare
This commit fixes a false positive in null.cocci, when the NULL variable is assigned before being dereferenced. This change was tested with the following change, originally introduced in #12415, to trigger the false positive. diff --git a/bpf/bpf_sock.c b/bpf/bpf_sock.c index d2ad4ce..ec3c3063a 100644 --- a/bpf/bpf_sock.c +++ b/bpf/bpf_sock.c @@ -265,7 +265,7 @@ static __always_inline int __sock4_xlate_fwd(struct bpf_sock_addr *ctx, svc = lb4_lookup_service(&key, true); if (!svc) { svc = sock4_nodeport_wildcard_lookup(&key, true, in_hostns); - if (svc && !lb4_svc_is_nodeport(svc)) + if (svc && !(svc->flags & SVC_CHECK_NODEPORT)) svc = NULL; } if (!svc) Fixes: 96d2d5a ("bpf: add cocci script to find wrong null checks") Reported-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Paul Chaignon <paul@cilium.io>
borkmann
left a comment
There was a problem hiding this comment.
bpf bits look good to me, thx
|
test-me-please |
This commit fixes a false positive in null.cocci, when the NULL variable is assigned before being dereferenced. This change was tested with the following change, originally introduced in #12415, to trigger the false positive. diff --git a/bpf/bpf_sock.c b/bpf/bpf_sock.c index d2ad4ce..ec3c3063a 100644 --- a/bpf/bpf_sock.c +++ b/bpf/bpf_sock.c @@ -265,7 +265,7 @@ static __always_inline int __sock4_xlate_fwd(struct bpf_sock_addr *ctx, svc = lb4_lookup_service(&key, true); if (!svc) { svc = sock4_nodeport_wildcard_lookup(&key, true, in_hostns); - if (svc && !lb4_svc_is_nodeport(svc)) + if (svc && !(svc->flags & SVC_CHECK_NODEPORT)) svc = NULL; } if (!svc) Fixes: 96d2d5a ("bpf: add cocci script to find wrong null checks") Reported-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Paul Chaignon <paul@cilium.io>
|
test-me-please |
|
test-me-please |
This avoids complications of the compiler reordering the fields which we also use from Go code, and also allows the use of masks in checks. Signed-off-by: Kornilios Kourtis <kornilios@isovalent.com>
|
test-me-please |
|
retest-4.9 (hit potential flake: https://jenkins.cilium.io/job/Cilium-PR-K8s-newest-kernel-4.9/1083/) |
There was a problem hiding this comment.
Is the plan to include this commit or to merge #12436?
There was a problem hiding this comment.
Depends on whether we want to avoid cgo.
If we don't mind using cgo, we can merge this as it is, and forget #12436.
If we want to avoid cgo, I would suggest the following: remove the second commit from this PR (i.e,. the bpf_abi test), so that it can be merged; and, add a test for the constants in this code as a subsequent commit to #12436.
Apologies for any confusion.
|
(Given the prior run was all green & only the last commit was taken out, I'll wait for Travis CI & smoke test to go through and then merge. Since #12446 is needed for 1.8 branch, I'll mark this one as well for backporting to 1.8 here.) |
The purpose of this is to ensure that the compiler will not rearrange the bitfields and create issues with the Go code that access them, and, also, allow for some optimizations on checks using flags.
The first commit changes the bitfields to a single field, the second uses masks for checks, and the third introduces a test that checks whether Go and bpf see the same values for the flags using cgo.
Instead of doing a test, we could use the cgo code to directly get the values for the flags for the Go side, but the code is somewhat ugly and I'm not sure we want to do that.