diff options
| author | Daniel Borkmann <daniel@iogearbox.net> | 2018-12-20 23:47:10 +0100 |
|---|---|---|
| committer | Daniel Borkmann <daniel@iogearbox.net> | 2018-12-20 23:47:11 +0100 |
| commit | 1cf4a0ccc506b5c027afc5eaf3fddc83f96f31e7 (patch) | |
| tree | cd64f2bdd6ac693f204b18938c5836df2bcc698e /net/ipv4 | |
| parent | 77ea5f4cbe2084db9ab021ba73fb7eadf1610884 (diff) | |
| parent | 28cb6f1eaffdc5a6a9707cac55f4a43aa3fd7895 (diff) | |
| download | linux-1cf4a0ccc506b5c027afc5eaf3fddc83f96f31e7.tar.bz2 | |
Merge branch 'bpf-sockmap-fixes-and-improvements'
John Fastabend says:
====================
Set of bpf fixes and improvements to make sockmap with kTLS usable
with "real" applications. This set came as the fallout of pulling
kTLS+sockmap into Cilium[1] and running in container environment.
Roughly broken into three parts,
Patches 1-3: resolve/improve handling of size field in sk_msg_md
Patch 4: it became difficult to use this in Cilium when the
SK_PASS verdict was not correctly handle. So handle
the case correctly.
Patch 5-8: Set of issues found while running OpenSSL TX kTLS
enabled applications. This resolves the most obvious
issues and gets applications using kTLS TX up and
running with sock{map|has}.
Other than the "sk_msg, zap ingress queue on psock down" (PATCH 6/8)
which can potentially cause a WARNING the issues fixed in this
series do not cause kernel side warnings, BUG, etc. but instead
cause stalls and other odd behavior in the user space applications
when using kTLS with BPF policies applied.
Primarily tested with 'curl' compiled with latest openssl and
also 'openssl s_client/s_server' containers using Cilium network
plugin with docker/k8s. Some basic testing with httpd was also
enabled. Cilium CI tests will be added shortly to cover these
cases as well. We also have 'wrk' and other test and benchmarking
tools we can run now.
We have two more sets of patches currently under testing that
will be sent shortly to address a few more issues. First the
OpenSSL RX kTLS side breaks when both sk_msg and sk_skb_verdict
programs are used with kTLS, the sk_skb_verdict programs are
not enforced. Second skmsg needs to call into tcp stack to
send to indicate consumed data.
====================
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Diffstat (limited to 'net/ipv4')
| -rw-r--r-- | net/ipv4/tcp_bpf.c | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c index a47c1cdf90fc..1bb7321a256d 100644 --- a/net/ipv4/tcp_bpf.c +++ b/net/ipv4/tcp_bpf.c @@ -8,6 +8,7 @@ #include <linux/wait.h> #include <net/inet_common.h> +#include <net/tls.h> static bool tcp_bpf_stream_read(const struct sock *sk) { @@ -198,7 +199,7 @@ static int bpf_tcp_ingress(struct sock *sk, struct sk_psock *psock, msg->sg.start = i; msg->sg.size -= apply_bytes; sk_psock_queue_msg(psock, tmp); - sk->sk_data_ready(sk); + sk_psock_data_ready(sk, psock); } else { sk_msg_free(sk, tmp); kfree(tmp); @@ -218,6 +219,8 @@ static int tcp_bpf_push(struct sock *sk, struct sk_msg *msg, u32 apply_bytes, u32 off; while (1) { + bool has_tx_ulp; + sge = sk_msg_elem(msg, msg->sg.start); size = (apply && apply_bytes < sge->length) ? apply_bytes : sge->length; @@ -226,7 +229,15 @@ static int tcp_bpf_push(struct sock *sk, struct sk_msg *msg, u32 apply_bytes, tcp_rate_check_app_limited(sk); retry: - ret = do_tcp_sendpages(sk, page, off, size, flags); + has_tx_ulp = tls_sw_has_ctx_tx(sk); + if (has_tx_ulp) { + flags |= MSG_SENDPAGE_NOPOLICY; + ret = kernel_sendpage_locked(sk, + page, off, size, flags); + } else { + ret = do_tcp_sendpages(sk, page, off, size, flags); + } + if (ret <= 0) return ret; if (apply) |