net: remove check before __cgroup_bpf_run_filter_skb

Commit Message

Oliver Crumrine Feb. 8, 2024, 5:50 p.m. UTC

Checking if __sk is a full socket in macro 
BPF_CGROUP_RUN_PROG_INET_EGRESS is redundant, as the same check is 
done in function __cgroup_bpf_run_filter_skb, called as part of the 
macro.

Signed-off-by: Oliver Crumrine <ozlinuxc@gmail.com>
---
 include/linux/bpf-cgroup.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Oliver Crumrine Feb. 8, 2024, 9:50 p.m. UTC | #1

On Thu, Feb 08, 2024 at 04:43:06PM -0800, Stanislav Fomichev wrote:
> The check is here to make sure we only run this hook on non-req sockets.
> Dropping it would mean we'd be running the hook on the listeners
> instead. I don't think we want that.

You are correct that we don't want to run the code on listeners. However
the check for that is in the function this macro calls,
__cgroup_bpf_run_filter_skb (the check is on line 1367 of
kernel/bpf/cgroup.c, for 6.8.0-rc3). The check doesn't need to be done
twice, so it can be removed in this macro.

Stanislav Fomichev Feb. 9, 2024, 12:43 a.m. UTC | #2

On 02/08, Oliver Crumrine wrote:
> Checking if __sk is a full socket in macro 
> BPF_CGROUP_RUN_PROG_INET_EGRESS is redundant, as the same check is 
> done in function __cgroup_bpf_run_filter_skb, called as part of the 
> macro.

The check is here to make sure we only run this hook on non-req sockets.
Dropping it would mean we'd be running the hook on the listeners
instead. I don't think we want that.

Oliver Crumrine Feb. 9, 2024, 3:36 p.m. UTC | #3

On Fri, Feb 09, 2024 at 11:00:09AM -0800, Stanislav Fomichev wrote:
> Maybe we should instead remove "(!sk || !sk_fullsock(sk))" check from
> __cgroup_bpf_run_filter_skb? BPF_CGROUP_RUN_PROG_INET_EGRESS makes
> care of all those corner conditions. We just need to add those checks to
> BPF_CGROUP_RUN_PROG_INET_INGRESS.
> 
> Let me also CC Kui-Feng, he was touching this part recently in commit
> 223f5f79f2ce ("bpf, net: Check skb ownership against full socket.").

Completely agree with this -- it would be best from a performance
standpoint. I will send out a v2 of this patch in a few hours.

Stanislav Fomichev Feb. 9, 2024, 7 p.m. UTC | #4

On 02/08, Oliver Crumrine wrote:
> On Thu, Feb 08, 2024 at 04:43:06PM -0800, Stanislav Fomichev wrote:
> > The check is here to make sure we only run this hook on non-req sockets.
> > Dropping it would mean we'd be running the hook on the listeners
> > instead. I don't think we want that.
> 
> You are correct that we don't want to run the code on listeners. However
> the check for that is in the function this macro calls,
> __cgroup_bpf_run_filter_skb (the check is on line 1367 of
> kernel/bpf/cgroup.c, for 6.8.0-rc3). The check doesn't need to be done
> twice, so it can be removed in this macro. 

Maybe we should instead remove "(!sk || !sk_fullsock(sk))" check from
__cgroup_bpf_run_filter_skb? BPF_CGROUP_RUN_PROG_INET_EGRESS makes
care of all those corner conditions. We just need to add those checks to
BPF_CGROUP_RUN_PROG_INET_INGRESS.

Let me also CC Kui-Feng, he was touching this part recently in commit
223f5f79f2ce ("bpf, net: Check skb ownership against full socket.").

Kui-Feng Lee Feb. 9, 2024, 8:33 p.m. UTC | #5

On 2/9/24 11:00, Stanislav Fomichev wrote:
> On 02/08, Oliver Crumrine wrote:
>> On Thu, Feb 08, 2024 at 04:43:06PM -0800, Stanislav Fomichev wrote:
>>> The check is here to make sure we only run this hook on non-req sockets.
>>> Dropping it would mean we'd be running the hook on the listeners
>>> instead. I don't think we want that.
>>
>> You are correct that we don't want to run the code on listeners. However
>> the check for that is in the function this macro calls,
>> __cgroup_bpf_run_filter_skb (the check is on line 1367 of
>> kernel/bpf/cgroup.c, for 6.8.0-rc3). The check doesn't need to be done
>> twice, so it can be removed in this macro.
> 
> Maybe we should instead remove "(!sk || !sk_fullsock(sk))" check from
> __cgroup_bpf_run_filter_skb? BPF_CGROUP_RUN_PROG_INET_EGRESS makes
> care of all those corner conditions. We just need to add those checks to
> BPF_CGROUP_RUN_PROG_INET_INGRESS.
> 
> Let me also CC Kui-Feng, he was touching this part recently in commit
> 223f5f79f2ce ("bpf, net: Check skb ownership against full socket.").
> 

Adding those checks in BPF_CGROUP_RUN_PROG_INET_INGRESS makes sense
to me if the point here is saving CPU cycles during runtime.

Patch

diff --git a/include/linux/bpf-cgroup.h b/include/linux/bpf-cgroup.h
index a789266feac3..95b4a4715d60 100644
--- a/include/linux/bpf-cgroup.h
+++ b/include/linux/bpf-cgroup.h
@@ -208,7 +208,7 @@  static inline bool cgroup_bpf_sock_enabled(struct sock *sk,
 	int __ret = 0;							       \
 	if (cgroup_bpf_enabled(CGROUP_INET_EGRESS) && sk) {		       \
 		typeof(sk) __sk = sk_to_full_sk(sk);			       \
-		if (sk_fullsock(__sk) && __sk == skb_to_full_sk(skb) &&	       \
+		if (__sk == skb_to_full_sk(skb) &&			       \
 		    cgroup_bpf_sock_enabled(__sk, CGROUP_INET_EGRESS))	       \
 			__ret = __cgroup_bpf_run_filter_skb(__sk, skb,	       \
 						      CGROUP_INET_EGRESS); \