[v4,3/4] net/sched: Load modules via their alias

Message ID 20240123135242.11430-4-mkoutny@suse.com (mailing list archive)
State Superseded
Delegated to: Netdev Maintainers
Series net/sched: Load modules via alias

Checks

Context Check Description
bpf/vmtest-bpf-next-VM_Test-9 success Logs for s390x-gcc / build-release
bpf/vmtest-bpf-next-VM_Test-1 success Logs for ShellCheck
bpf/vmtest-bpf-next-VM_Test-0 success Logs for Lint
bpf/vmtest-bpf-next-VM_Test-6 success Logs for aarch64-gcc / test
bpf/vmtest-bpf-next-VM_Test-2 success Logs for Unittests
bpf/vmtest-bpf-next-VM_Test-5 success Logs for aarch64-gcc / build-release
bpf/vmtest-bpf-next-VM_Test-4 fail Logs for aarch64-gcc / build / build for aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-3 success Logs for Validate matrix.py
bpf/vmtest-bpf-next-VM_Test-7 success Logs for aarch64-gcc / veristat
bpf/vmtest-bpf-next-VM_Test-18 fail Logs for x86_64-llvm-17 / build-release / build for x86_64 with llvm-17 and -O2 optimization
bpf/vmtest-bpf-next-VM_Test-17 fail Logs for x86_64-llvm-17 / build / build for x86_64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-19 success Logs for x86_64-llvm-17 / test
bpf/vmtest-bpf-next-VM_Test-20 success Logs for x86_64-llvm-17 / veristat
bpf/vmtest-bpf-next-PR fail PR summary
bpf/vmtest-bpf-next-VM_Test-11 success Logs for s390x-gcc / veristat
bpf/vmtest-bpf-next-VM_Test-15 success Logs for x86_64-gcc / test
bpf/vmtest-bpf-next-VM_Test-12 success Logs for set-matrix
bpf/vmtest-bpf-next-VM_Test-8 fail Logs for s390x-gcc / build / build for s390x with gcc
bpf/vmtest-bpf-next-VM_Test-23 success Logs for x86_64-llvm-18 / test
bpf/vmtest-bpf-next-VM_Test-22 fail Logs for x86_64-llvm-18 / build-release / build for x86_64 with llvm-18 and -O2 optimization
bpf/vmtest-bpf-next-VM_Test-21 fail Logs for x86_64-llvm-18 / build / build for x86_64 with llvm-18
bpf/vmtest-bpf-next-VM_Test-10 success Logs for s390x-gcc / test
bpf/vmtest-bpf-next-VM_Test-14 success Logs for x86_64-gcc / build-release
bpf/vmtest-bpf-next-VM_Test-13 fail Logs for x86_64-gcc / build / build for x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-16 success Logs for x86_64-gcc / veristat
bpf/vmtest-bpf-next-VM_Test-24 success Logs for x86_64-llvm-18 / veristat
netdev/series_format warning Target tree name not specified in the subject
netdev/tree_selection success Guessed tree name to be net-next
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit fail Errors and warnings before: 1086 this patch: 17
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers success CCed 0 of 0 maintainers
netdev/build_clang fail Errors and warnings before: 1096 this patch: 19
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn fail Errors and warnings before: 1104 this patch: 17
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 32 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Michal Koutný Jan. 23, 2024, 1:52 p.m. UTC
The cls_,sch_,act_ modules may be loaded lazily during network
configuration but without user's awareness and control.

Switch the lazy loading from canonical module names to a module alias.
This allows finer control over lazy loading, the precedent from
commit 7f78e0351394 ("fs: Limit sys_mount to only request filesystem
modules.") explains it already:

	Using aliases means user space can control the policy of which
	filesystem^W net/sched modules are auto-loaded by editing
	/etc/modprobe.d/*.conf with blacklist and alias directives.
	Allowing simple, safe, well understood work-arounds to known
	problematic software.

By default, nothing changes. However, if a specific module is
blacklisted (its canonical name), it won't be modprobe'd when requested
under its alias (i.e. kernel auto-loading). It would appear as if the
given module was unknown.

The module can still be loaded under its canonical name, which is an
explicit (privileged) user action.

Signed-off-by: Michal Koutný <mkoutny@suse.com>
---
 net/sched/act_api.c | 2 +-
 net/sched/cls_api.c | 2 +-
 net/sched/sch_api.c | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

Comments

Simon Horman Jan. 23, 2024, 5:40 p.m. UTC | #1
On Tue, Jan 23, 2024 at 02:52:41PM +0100, Michal Koutný wrote:
> The cls_,sch_,act_ modules may be loaded lazily during network
> configuration but without user's awareness and control.
> 
> Switch the lazy loading from canonical module names to a module alias.
> This allows finer control over lazy loading, the precedent from
> commit 7f78e0351394 ("fs: Limit sys_mount to only request filesystem
> modules.") explains it already:
> 
> 	Using aliases means user space can control the policy of which
> 	filesystem^W net/sched modules are auto-loaded by editing
> 	/etc/modprobe.d/*.conf with blacklist and alias directives.
> 	Allowing simple, safe, well understood work-arounds to known
> 	problematic software.
> 
> By default, nothing changes. However, if a specific module is
> blacklisted (its canonical name), it won't be modprobe'd when requested
> under its alias (i.e. kernel auto-loading). It would appear as if the
> given module was unknown.
> 
> The module can still be loaded under its canonical name, which is an
> explicit (privileged) user action.
> 
> Signed-off-by: Michal Koutný <mkoutny@suse.com>
> ---
>  net/sched/act_api.c | 2 +-
>  net/sched/cls_api.c | 2 +-
>  net/sched/sch_api.c | 4 ++--
>  3 files changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/net/sched/act_api.c b/net/sched/act_api.c
> index 3e30d7260493..60c0fadfac6d 100644
> --- a/net/sched/act_api.c
> +++ b/net/sched/act_api.c
> @@ -1363,7 +1363,7 @@ struct tc_action_ops *tc_action_load_ops(struct nlattr *nla, u32 flags,
>  
>  		if (rtnl_held)
>  			rtnl_unlock();
> -		request_module("act_%s", act_name);
> +		request_module(NET_ACT_ALIAS_PREFIX "%s", name);

Hi Michal,

name doesn't exist in this context, perhaps the line above should be:

		request_module(NET_ACT_ALIAS_PREFIX "%s", act_name);

>  		if (rtnl_held)
>  			rtnl_lock();
>  
> diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
> index 92a12e3d0fe6..b31b832598e7 100644
> --- a/net/sched/cls_api.c
> +++ b/net/sched/cls_api.c
> @@ -257,7 +257,7 @@ tcf_proto_lookup_ops(const char *kind, bool rtnl_held,
>  #ifdef CONFIG_MODULES
>  	if (rtnl_held)
>  		rtnl_unlock();
> -	request_module("cls_%s", kind);
> +	request_module(NET_CLS_ALIAS_PREFIX "%s", name);

Likewise, perhaps the line above should be:

	request_module(NET_CLS_ALIAS_PREFIX "%s", kind);

>  	if (rtnl_held)
>  		rtnl_lock();
>  	ops = __tcf_proto_lookup_ops(kind);

...
Michal Koutný Jan. 24, 2024, 10:45 a.m. UTC | #2
On Tue, Jan 23, 2024 at 05:40:02PM +0000, Simon Horman <horms@kernel.org> wrote:
> name doesn't exist in this context, perhaps the line above should be:

Well spotted (and shame on me for unchecked last-moment edits).

I will resend after some more feedback or time.

Thanks,
Michal

Patch

diff --git a/net/sched/act_api.c b/net/sched/act_api.c
index 3e30d7260493..60c0fadfac6d 100644
--- a/net/sched/act_api.c
+++ b/net/sched/act_api.c
@@ -1363,7 +1363,7 @@  struct tc_action_ops *tc_action_load_ops(struct nlattr *nla, u32 flags,
 
 		if (rtnl_held)
 			rtnl_unlock();
-		request_module("act_%s", act_name);
+		request_module(NET_ACT_ALIAS_PREFIX "%s", name);
 		if (rtnl_held)
 			rtnl_lock();
 
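Review bot: the added call in tc_action_load_ops() formats `name`, while the line it replaces formatted `act_name`; as Simon Horman's reply above points out, `name` does not exist in this context, which fits the failing build checks listed for this patch. Keep the original argument and change only the format string: `request_module(NET_ACT_ALIAS_PREFIX "%s", act_name);`.
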
diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index 92a12e3d0fe6..b31b832598e7 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -257,7 +257,7 @@  tcf_proto_lookup_ops(const char *kind, bool rtnl_held,
 #ifdef CONFIG_MODULES
 	if (rtnl_held)
 		rtnl_unlock();
-	request_module("cls_%s", kind);
+	request_module(NET_CLS_ALIAS_PREFIX "%s", name);
 	if (rtnl_held)
 		rtnl_lock();
 	ops = __tcf_proto_lookup_ops(kind);
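
Review bot: the added request_module() in tcf_proto_lookup_ops() passes `name`, but the parameter visible in the hunk header is `kind`, and the lookup after relocking still calls `__tcf_proto_lookup_ops(kind)`. Use `request_module(NET_CLS_ALIAS_PREFIX "%s", kind);` so the requested alias and the following lookup refer to the same classifier.
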
diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
index 36b025cc4fd2..9d928f6a473a 100644
--- a/net/sched/sch_api.c
+++ b/net/sched/sch_api.c
@@ -228,7 +228,7 @@  int qdisc_set_default(const char *name)
 	if (!ops) {
 		/* Not found, drop lock and try to load module */
 		write_unlock(&qdisc_mod_lock);
-		request_module("sch_%s", name);
+		request_module(NET_SCH_ALIAS_PREFIX "%s", name);
 		write_lock(&qdisc_mod_lock);
 
 		ops = qdisc_lookup_default(name);
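
Review bot: the comment above this call in qdisc_set_default() still reads "try to load module", but the request now goes through the alias, so per the commit message a module whose canonical name is blacklisted will not load here and qdisc_lookup_default(name) will find nothing. A word in the comment that the load is by alias and follows the modprobe blacklist policy would keep the next reader from assuming sch_<name> is requested directly.
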
@@ -1275,7 +1275,7 @@  static struct Qdisc *qdisc_create(struct net_device *dev,
 			 * go away in the mean time.
 			 */
 			rtnl_unlock();
-			request_module("sch_%s", name);
+			request_module(NET_SCH_ALIAS_PREFIX "%s", name);
 			rtnl_lock();
 			ops = qdisc_lookup_ops(kind);
 			if (ops != NULL) {
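
Review bot: NET_SCH_ALIAS_PREFIX (like the ACT and CLS prefixes in the other hunks) is not defined anywhere in this patch, whose diffstat touches only the three *_api.c files, and placing it directly against "%s" only compiles if it expands to a string literal. Say in the commit message which earlier patch of the series introduces these macros, so this patch is not picked up or backported on its own.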