On Wed, Aug 27, 2025 at 3:23 PM Martin KaFai Lau <martin.lau@xxxxxxxxx> wrote:
>
> On 8/26/25 11:38 AM, Kuniyuki Iwashima wrote:
> > We will store a flag in sk->sk_memcg by bpf_setsockopt() during
> > socket() or before sk->sk_memcg is set in accept().
> >
> > BPF_CGROUP_INET_SOCK_CREATE is invoked by __cgroup_bpf_run_filter_sk()
> > that passes a pointer to struct sock to the bpf prog as void *ctx.
> >
> > But there are no bpf_func_proto for bpf_setsockopt() that receives
> > the ctx as a pointer to struct sock.
> >
> > Let's add a new bpf_setsockopt() variant for BPF_CGROUP_INET_SOCK_CREATE.
> >
> > Note that inet_create() is not under lock_sock().
> >
> > Signed-off-by: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>
> > ---
> > v3: Remove bpf_func_proto for accept()
> > v2: Make 2 new bpf_func_proto static
> > ---
> > net/core/filter.c | 24 ++++++++++++++++++++++++
> > 1 file changed, 24 insertions(+)
> >
> > diff --git a/net/core/filter.c b/net/core/filter.c
> > index 63f3baee2daf..443d12b7d3b2 100644
> > --- a/net/core/filter.c
> > +++ b/net/core/filter.c
> > @@ -5743,6 +5743,23 @@ static const struct bpf_func_proto bpf_sock_ops_setsockopt_proto = { > > .arg5_type = ARG_CONST_SIZE, > > }; > > > > +BPF_CALL_5(bpf_unlocked_sock_setsockopt, struct sock *, sk, int, level, > > + int, optname, char *, optval, int, optlen) > > +{ > > + return _bpf_setsockopt(sk, level, optname, optval, optlen); > > The sock_owned_by_me() will warn. > > From CI: > WARNING: CPU: 0 PID: 102 at include/net/sock.h:1756 bpf_unlocked_sock_setsockopt+0xc7/0x110 Oh sorry, I copied from a wrong place.. will fix it. BTW, I'm thinking I should inherit flags from the listener in sk_clone_lock() and disallow other bpf hooks. Given the listener's flag and bpf hooks come from the same cgroup, there is no point having other hooks. > > > +} > > + > > +static const struct bpf_func_proto bpf_unlocked_sock_setsockopt_proto = { > > + .func = bpf_unlocked_sock_setsockopt, > > + .gpl_only = false, > > + .ret_type = RET_INTEGER, > > + .arg1_type = ARG_PTR_TO_CTX, > > + .arg2_type = ARG_ANYTHING, > > + .arg3_type = ARG_ANYTHING, > > + .arg4_type = ARG_PTR_TO_MEM | MEM_RDONLY, > > + .arg5_type = ARG_CONST_SIZE, > > +}; > > + > > static int bpf_sock_ops_get_syn(struct bpf_sock_ops_kern *bpf_sock, > > int optname, const u8 **start) > > { > > @@ -8051,6 +8068,13 @@ sock_filter_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) > > return &bpf_sk_storage_get_cg_sock_proto; > > case BPF_FUNC_ktime_get_coarse_ns: > > return &bpf_ktime_get_coarse_ns_proto; > > + case BPF_FUNC_setsockopt: > > + switch (prog->expected_attach_type) { > > + case BPF_CGROUP_INET_SOCK_CREATE: > > + return &bpf_unlocked_sock_setsockopt_proto; > > + default: > > + return NULL; > > + } > > default: > > return bpf_base_func_proto(func_id, prog); > > } >
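Review bot: in the first hunk (@@ -5743), bpf_unlocked_sock_setsockopt() is named as the unlocked variant, and the commit message notes that inet_create() is not under lock_sock(), yet its body calls _bpf_setsockopt(), the path reported above as tripping the sock_owned_by_me() warning at include/net/sock.h:1756 in CI. The body should go through a setsockopt path that does not assert socket ownership, or the socket should be locked around the call. Also, arg2_type and arg3_type are ARG_ANYTHING and are passed straight through, so every level/optname that path accepts becomes reachable on a socket that is not locked; since the stated purpose is storing one flag in sk->sk_memcg, consider rejecting everything except that option inside this helper, and add a comment above BPF_CALL_5 documenting the no-lock assumption.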
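Review bot: in the sock_filter_func_proto() hunk (@@ -8051), the inner switch on prog->expected_attach_type has a single case plus "default: return NULL", which makes BPF_FUNC_setsockopt unavailable to every other attach type of this program type without saying why. A one-line comment stating that only BPF_CGROUP_INET_SOCK_CREATE is served, because that hook receives struct sock as ctx and runs without lock_sock(), would document the restriction for whoever adds the next attach type. A plain "if (prog->expected_attach_type == BPF_CGROUP_INET_SOCK_CREATE)" followed by "return NULL;" would also read more simply than a nested switch.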