2025-05-07 23:00 UTC+0200 ~ Daniel Borkmann <daniel@xxxxxxxxxxxxx>
> On 5/7/25 10:32 PM, Martin KaFai Lau wrote:
>> From: Martin KaFai Lau <martin.lau@xxxxxxxxxx>
>>
>> The netkit program is not a cgroup bpf program and should not be shown
>> in the output of the "bpftool cgroup show" command.
>>
>> However, if the netkit device happens to have ifindex 3,
>> the "bpftool cgroup show" command will output the netkit
>> bpf program as well:
>>
>>> ip -d link show dev nk1
>> 3: nk1@if2: ...
>>     link/ether ...
>>     netkit mode ...
>>
>>> bpftool net show
>> tc:
>> nk1(3) netkit/peer tw_ns_nk2phy prog_id 469447
>>
>>> bpftool cgroup show /sys/fs/cgroup/...
>> ID       AttachType      AttachFlags     Name
>> ...      ...                             ...
>> 469447   netkit_peer                     tw_ns_nk2phy
>>
>> The reason is that the target_fd (which is the cgroup_fd here) and
>> the target_ifindex are in a union in the uapi/linux/bpf.h. The bpftool
>> iterates all values in "enum bpf_attach_type" which includes
>> non-cgroup attach types like netkit. The cgroup_fd is usually 3 here,
>> so the bug is triggered when the netkit ifindex just happens
>> to be 3 as well.
>>
>> The bpftool's cgroup.c already has a list of cgroup-only attach types
>> defined in "cgroup_attach_types[]". This patch fixes it by iterating
>> over "cgroup_attach_types[]" instead of "__MAX_BPF_ATTACH_TYPE".
>>
>> Cc: Quentin Monnet <qmo@xxxxxxxxxx>
>> Reported-by: Takshak Chahande <ctakshak@xxxxxxxx>
>> Signed-off-by: Martin KaFai Lau <martin.lau@xxxxxxxxxx>
>
> Ouch, good catch!
>
> Acked-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
>

Nice one indeed, thanks!

Reviewed-by: Quentin Monnet <qmo@xxxxxxxxxx>
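
The union aliasing described in the commit message above, as an added example that is not part of the original thread and is not kernel or bpftool code. It is a simplified C model: every `model_*` name, the two-entry `cgroup_only[]` list and the sample state (cgroup fd 3, netkit ifindex 3) are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified model, NOT kernel or bpftool code; all names are hypothetical. */
enum model_attach_type { MODEL_CGROUP_INGRESS, MODEL_CGROUP_EGRESS,
                         MODEL_NETKIT_PRIMARY, MODEL_NETKIT_PEER,
                         MODEL_MAX_ATTACH_TYPE };

/* As the commit message describes: the fd and the ifindex share storage. */
struct model_query {
    union { unsigned int target_fd; unsigned int target_ifindex; };
    enum model_attach_type attach_type;
};

/* Constructed state: a netkit device at ifindex 3 with one peer program;
 * the cgroup itself has no programs attached. */
#define NETKIT_IFINDEX 3u
#define NETKIT_PROG_ID 469447u /* prog id quoted in the commit message */

/* Returns a prog id or 0. Only attach_type decides how the union is read. */
static unsigned int model_prog_query(const struct model_query *q)
{
    if (q->attach_type == MODEL_NETKIT_PEER)
        return q->target_ifindex == NETKIT_IFINDEX ? NETKIT_PROG_ID : 0;
    return 0; /* cgroup types: nothing attached in this sample */
}

static unsigned int query_one(unsigned int cgroup_fd, enum model_attach_type t)
{
    struct model_query q;
    q.target_fd = cgroup_fd; /* caller means "fd"; netkit path reads "ifindex" */
    q.attach_type = t;
    return model_prog_query(&q) != 0;
}

/* Pattern before the fix: walk every attach type with a cgroup fd. */
unsigned int count_all_types(unsigned int cgroup_fd)
{
    unsigned int hits = 0;
    for (int t = 0; t < MODEL_MAX_ATTACH_TYPE; t++)
        hits += query_one(cgroup_fd, (enum model_attach_type)t);
    return hits;
}

static const enum model_attach_type cgroup_only[] = {
    MODEL_CGROUP_INGRESS, MODEL_CGROUP_EGRESS };

/* Pattern after the fix: walk only the cgroup attach types. */
unsigned int count_cgroup_types(unsigned int cgroup_fd)
{
    unsigned int hits = 0;
    for (size_t i = 0; i < sizeof(cgroup_only) / sizeof(cgroup_only[0]); i++)
        hits += query_one(cgroup_fd, cgroup_only[i]);
    return hits;
}

int main(void)
{
    printf("all types: %u, cgroup only: %u\n",
           count_all_types(3), count_cgroup_types(3));
    return 0;
}
```

With a cgroup fd of 3 the full-enum walk reports the netkit program as if it belonged to the cgroup; any other fd value hides the problem, which is why the output depends on descriptor numbering.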