[PATCH net-next v2 0/6] bpf: Fix bugs in sock_ops samples

[PATCH net-next v2 0/6] bpf: Fix bugs in sock_ops samples

[Lawrence Brakmo]

The programs were returning -1 in some cases when they should
only return 0 or 1. Changes in the verifier now catch this
issue and the programs fail to load. This is now fixed.

[PATCH net-next v2 1/6] bpf: Fix tcp_synrto_kern.c sample program
[PATCH net-next v2 2/6] bpf: Fix tcp_rwnd_kern.c sample program
[PATCH net-next v2 3/6] bpf: Fix tcp_bufs_kern.c sample program
[PATCH net-next v2 4/6] bpf: Fix tcp_cong_kern.c sample program
[PATCH net-next v2 5/6] bpf: Fix tcp_iw_kern.c sample program
[PATCH net-next v2 6/6] bpf: Fix tcp_clamp_kern.c sample program

samples/bpf/tcp_bufs_kern.c   | 14 ++++++++------
samples/bpf/tcp_clamp_kern.c  | 24 +++++++++++++-----------
samples/bpf/tcp_cong_kern.c   |  6 ++++--
samples/bpf/tcp_iw_kern.c     | 14 ++++++++------
samples/bpf/tcp_rwnd_kern.c   |  6 ++++--
samples/bpf/tcp_synrto_kern.c |  6 ++++--
files changed, 41 insertions(+), 29 deletions(-)

[PATCH net-next v2 1/6] bpf: Fix tcp_synrto_kern.c sample program

[Lawrence Brakmo]

The program was returning -1 in some cases which is not allowed
by the verifier any longer.

Fixes: 390ee7e29fc8 ("bpf: enforce return code for cgroup-bpf programs")
Signed-off-by: Lawrence Brakmo <brakmo@fb.com>
---
 samples/bpf/tcp_synrto_kern.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/samples/bpf/tcp_synrto_kern.c b/samples/bpf/tcp_synrto_kern.c
index 3c3fc83..232bb24 100644
--- a/samples/bpf/tcp_synrto_kern.c
+++ b/samples/bpf/tcp_synrto_kern.c
@@ -38,8 +38,10 @@ int bpf_synrto(struct bpf_sock_ops *skops)
 	 * if neither port numberis 55601
 	 */
 	if (bpf_ntohl(skops->remote_port) != 55601 &&
-	    skops->local_port != 55601)
-		return -1;
+	    skops->local_port != 55601) {
+		skops->reply = -1;
+		return 1;
+	}
 
 	op = (int) skops->op;
 
-- 
2.9.5

[PATCH net-next v2 2/6] bpf: Fix tcp_rwnd_kern.c sample program

[Lawrence Brakmo]

The program was returning -1 in some cases which is not allowed
by the verifier any longer.

Fixes: 390ee7e29fc8 ("bpf: enforce return code for cgroup-bpf programs")
Signed-off-by: Lawrence Brakmo <brakmo@fb.com>
---
 samples/bpf/tcp_rwnd_kern.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/samples/bpf/tcp_rwnd_kern.c b/samples/bpf/tcp_rwnd_kern.c
index 3f2a228..09ff65b 100644
--- a/samples/bpf/tcp_rwnd_kern.c
+++ b/samples/bpf/tcp_rwnd_kern.c
@@ -38,8 +38,10 @@ int bpf_rwnd(struct bpf_sock_ops *skops)
 	 * if neither port numberis 55601
 	 */
 	if (bpf_ntohl(skops->remote_port) !=
-	    55601 && skops->local_port != 55601)
-		return -1;
+	    55601 && skops->local_port != 55601) {
+		skops->reply = -1;
+		return 1;
+	}
 
 	op = (int) skops->op;
 
-- 
2.9.5

[PATCH net-next v2 3/6] bpf: Fix tcp_bufs_kern.c sample program

[Lawrence Brakmo]

The program was returning -1 in some cases which is not allowed
by the verifier any longer.

Fixes: 390ee7e29fc8 ("bpf: enforce return code for cgroup-bpf programs")
Signed-off-by: Lawrence Brakmo <brakmo@fb.com>
---
 samples/bpf/tcp_bufs_kern.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/samples/bpf/tcp_bufs_kern.c b/samples/bpf/tcp_bufs_kern.c
index ee83bba..0566b7f 100644
--- a/samples/bpf/tcp_bufs_kern.c
+++ b/samples/bpf/tcp_bufs_kern.c
@@ -41,8 +41,10 @@ int bpf_bufs(struct bpf_sock_ops *skops)
 	 * if neither port numberis 55601
 	 */
 	if (bpf_ntohl(skops->remote_port) != 55601 &&
-	    skops->local_port != 55601)
-		return -1;
+	    skops->local_port != 55601) {
+		skops->reply = -1;
+		return 1;
+	}
 
 	op = (int) skops->op;
 
@@ -61,8 +63,8 @@ int bpf_bufs(struct bpf_sock_ops *skops)
 		/* Set sndbuf and rcvbuf of active connections */
 		rv = bpf_setsockopt(skops, SOL_SOCKET, SO_SNDBUF, &bufsize,
 				    sizeof(bufsize));
-		rv = rv*100 + bpf_setsockopt(skops, SOL_SOCKET, SO_RCVBUF,
-					     &bufsize, sizeof(bufsize));
+		rv += bpf_setsockopt(skops, SOL_SOCKET, SO_RCVBUF,
+				     &bufsize, sizeof(bufsize));
 		break;
 	case BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB:
 		/* Nothing to do */
@@ -71,8 +73,8 @@ int bpf_bufs(struct bpf_sock_ops *skops)
 		/* Set sndbuf and rcvbuf of passive connections */
 		rv = bpf_setsockopt(skops, SOL_SOCKET, SO_SNDBUF, &bufsize,
 				    sizeof(bufsize));
-		rv = rv*100 + bpf_setsockopt(skops, SOL_SOCKET, SO_RCVBUF,
-					     &bufsize, sizeof(bufsize));
+		rv += bpf_setsockopt(skops, SOL_SOCKET, SO_RCVBUF,
+				     &bufsize, sizeof(bufsize));
 		break;
 	default:
 		rv = -1;
-- 
2.9.5

[PATCH net-next v2 4/6] bpf: Fix tcp_cong_kern.c sample program

[Lawrence Brakmo]

The program was returning -1 in some cases which is not allowed
by the verifier any longer.

Fixes: 390ee7e29fc8 ("bpf: enforce return code for cgroup-bpf programs")
Signed-off-by: Lawrence Brakmo <brakmo@fb.com>
---
 samples/bpf/tcp_cong_kern.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/samples/bpf/tcp_cong_kern.c b/samples/bpf/tcp_cong_kern.c
index dac15bc..ad0f1ba 100644
--- a/samples/bpf/tcp_cong_kern.c
+++ b/samples/bpf/tcp_cong_kern.c
@@ -39,8 +39,10 @@ int bpf_cong(struct bpf_sock_ops *skops)
 	 * if neither port numberis 55601
 	 */
 	if (bpf_ntohl(skops->remote_port) != 55601 &&
-	    skops->local_port != 55601)
-		return -1;
+	    skops->local_port != 55601) {
+		skops->reply = -1;
+		return 1;
+	}
 
 	op = (int) skops->op;
 
-- 
2.9.5

[PATCH net-next v2 5/6] bpf: Fix tcp_iw_kern.c sample program

[Lawrence Brakmo]

The program was returning -1 in some cases which is not allowed
by the verifier any longer.

Fixes: 390ee7e29fc8 ("bpf: enforce return code for cgroup-bpf programs")
Signed-off-by: Lawrence Brakmo <brakmo@fb.com>
---
 samples/bpf/tcp_iw_kern.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/samples/bpf/tcp_iw_kern.c b/samples/bpf/tcp_iw_kern.c
index 23c5122..4ca5ecc 100644
--- a/samples/bpf/tcp_iw_kern.c
+++ b/samples/bpf/tcp_iw_kern.c
@@ -42,8 +42,10 @@ int bpf_iw(struct bpf_sock_ops *skops)
 	 * if neither port numberis 55601
 	 */
 	if (bpf_ntohl(skops->remote_port) != 55601 &&
-	    skops->local_port != 55601)
-		return -1;
+	    skops->local_port != 55601) {
+		skops->reply = -1;
+		return 1;
+	}
 
 	op = (int) skops->op;
 
@@ -62,8 +64,8 @@ int bpf_iw(struct bpf_sock_ops *skops)
 		/* Set sndbuf and rcvbuf of active connections */
 		rv = bpf_setsockopt(skops, SOL_SOCKET, SO_SNDBUF, &bufsize,
 				    sizeof(bufsize));
-		rv = rv*100 + bpf_setsockopt(skops, SOL_SOCKET, SO_RCVBUF,
-					     &bufsize, sizeof(bufsize));
+		rv += bpf_setsockopt(skops, SOL_SOCKET, SO_RCVBUF,
+				     &bufsize, sizeof(bufsize));
 		break;
 	case BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB:
 		rv = bpf_setsockopt(skops, SOL_TCP, TCP_BPF_IW, &iw,
@@ -73,8 +75,8 @@ int bpf_iw(struct bpf_sock_ops *skops)
 		/* Set sndbuf and rcvbuf of passive connections */
 		rv = bpf_setsockopt(skops, SOL_SOCKET, SO_SNDBUF, &bufsize,
 				    sizeof(bufsize));
-		rv = rv*100 + bpf_setsockopt(skops, SOL_SOCKET, SO_RCVBUF,
-					     &bufsize, sizeof(bufsize));
+		rv +=  bpf_setsockopt(skops, SOL_SOCKET, SO_RCVBUF,
+				      &bufsize, sizeof(bufsize));
 		break;
 	default:
 		rv = -1;
-- 
2.9.5

[PATCH net-next v2 6/6] bpf: Fix tcp_clamp_kern.c sample program

[Lawrence Brakmo]

The program was returning -1 in some cases which is not allowed
by the verifier any longer.

Fixes: 390ee7e29fc8 ("bpf: enforce return code for cgroup-bpf programs")
Signed-off-by: Lawrence Brakmo <brakmo@fb.com>
---
 samples/bpf/tcp_clamp_kern.c | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/samples/bpf/tcp_clamp_kern.c b/samples/bpf/tcp_clamp_kern.c
index d68eadd9..f4225c9 100644
--- a/samples/bpf/tcp_clamp_kern.c
+++ b/samples/bpf/tcp_clamp_kern.c
@@ -41,8 +41,10 @@ int bpf_clamp(struct bpf_sock_ops *skops)
 	/* For testing purposes, only execute rest of BPF program
 	 * if neither port numberis 55601
 	 */
-	if (bpf_ntohl(skops->remote_port) != 55601 && skops->local_port != 55601)
-		return -1;
+	if (bpf_ntohl(skops->remote_port) != 55601 && skops->local_port != 55601) {
+		skops->reply = -1;
+		return 0;
+	}
 
 	op = (int) skops->op;
 
@@ -66,9 +68,9 @@ int bpf_clamp(struct bpf_sock_ops *skops)
 			/* Set sndbuf and rcvbuf of active connections */
 			rv = bpf_setsockopt(skops, SOL_SOCKET, SO_SNDBUF,
 					    &bufsize, sizeof(bufsize));
-			rv = rv*100 + bpf_setsockopt(skops, SOL_SOCKET,
-						      SO_RCVBUF, &bufsize,
-						      sizeof(bufsize));
+			rv += bpf_setsockopt(skops, SOL_SOCKET,
+					     SO_RCVBUF, &bufsize,
+					     sizeof(bufsize));
 			break;
 		case BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB:
 			rv = bpf_setsockopt(skops, SOL_TCP,
@@ -80,12 +82,12 @@ int bpf_clamp(struct bpf_sock_ops *skops)
 			rv = bpf_setsockopt(skops, SOL_TCP,
 					    TCP_BPF_SNDCWND_CLAMP,
 					    &clamp, sizeof(clamp));
-			rv = rv*100 + bpf_setsockopt(skops, SOL_SOCKET,
-						      SO_SNDBUF, &bufsize,
-						      sizeof(bufsize));
-			rv = rv*100 + bpf_setsockopt(skops, SOL_SOCKET,
-						      SO_RCVBUF, &bufsize,
-						      sizeof(bufsize));
+			rv += bpf_setsockopt(skops, SOL_SOCKET,
+					     SO_SNDBUF, &bufsize,
+					     sizeof(bufsize));
+			rv += bpf_setsockopt(skops, SOL_SOCKET,
+					     SO_RCVBUF, &bufsize,
+					     sizeof(bufsize));
 			break;
 		default:
 			rv = -1;
-- 
2.9.5

Re: [PATCH net-next v2 0/6] bpf: Fix bugs in sock_ops samples

[David Miller]

From: Lawrence Brakmo <brakmo@fb.com>
Date: Fri, 10 Nov 2017 22:19:49 -0800

> The programs were returning -1 in some cases when they should
> only return 0 or 1. Changes in the verifier now catch this
> issue and the programs fail to load. This is now fixed.

Series applied, thanks Lawrence.