From: Jakub Kicinski
To: Toke Høiland-Jørgensen
Cc: David Miller, netdev@vger.kernel.org, Jesper Dangaard Brouer, Daniel Borkmann, Alexei Starovoitov
Subject: Re: [PATCH net-next 1/2] xdp: Always use a devmap for XDP_REDIRECT to a device
Date: Thu, 21 Feb 2019 16:36:27 -0800
Message-ID: <20190221163627.7b8aa2ce@cakuba.netronome.com>
In-Reply-To: <155075021399.13610.12521373406832889226.stgit@alrua-x1>
Organization: Netronome Systems, Ltd.

On Thu, 21 Feb 2019 12:56:54 +0100, Toke Høiland-Jørgensen wrote:
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > index b63bc77af2d1..629661db36ee 100644 > --- a/kernel/bpf/verifier.c > +++ b/kernel/bpf/verifier.c > @@ -7527,6 +7527,12 @@ static int fixup_bpf_calls(struct bpf_verifier_env= *env) > prog->dst_needed =3D 1; > if (insn->imm =3D=3D BPF_FUNC_get_prandom_u32) > bpf_user_rnd_init_once(); > + if (insn->imm =3D=3D BPF_FUNC_redirect) { > + int err =3D dev_map_alloc_default_map(); > + > + if (err) > + return err; > + } > if (insn->imm =3D=3D BPF_FUNC_override_return) > prog->kprobe_override =3D 1; > if (insn->imm =3D=3D BPF_FUNC_tail_call) { > +int dev_map_alloc_default_map(void) > +{ > + struct net *net =3D current->nsproxy->net_ns; > + struct bpf_dtab *dtab, *old_dtab; > + struct net_device *netdev; > + union bpf_attr attr =3D {}; > + u32 idx; > + int err;

BPF programs don't obey netns boundaries. The fact the program is verified in one ns doesn't mean this is the only ns it will be used in :( Meaning if any program is using the redirect map you may need a secret map in every ns.. no?
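
Review bot: in the fixup_bpf_calls() hunk, dev_map_alloc_default_map() runs once for every BPF_FUNC_redirect call instruction the loop visits, and the test keys only on insn->imm with no program-type condition visible. A program with several redirect calls enters the allocator several times in one load, so the function must be idempotent and safe against concurrent loads. Consider latching a flag in the loop, as the neighbouring prog->dst_needed and prog->kprobe_override assignments do, and allocating once after the loop. Nothing in the visible lines releases the allocation if a later step of the load fails, so a cleanup path or a comment explaining why none is needed would help.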
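
Review bot: in dev_map_alloc_default_map(), "struct net *net = current->nsproxy->net_ns;" takes the namespace from whichever task is loading the program, so the default map is bound to the loader's netns and not to the namespace of the device the program later runs on. Interface indexes are only meaningful inside one network namespace, so a map built this way can resolve an ifindex against the wrong namespace's devices. Deriving the namespace at attach time from the target device, for example with dev_net(), would keep the lookup inside the correct namespace. The function would also benefit from a comment stating the locking rules and when old_dtab is freed.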