From: Alexander Filippov Date: Mon, 17 Sep 2018 09:49:40 +0000 (+0300) Subject: core: fix the check if CONFIG_CGROUP_BPF is on X-Git-Tag: v240~715 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=047de7e1b17ad1375502c08cc1b909f28a92bdac;p=thirdparty%2Fsystemd.git core: fix the check if CONFIG_CGROUP_BPF is on Since the commit torvalds/linux@fdb5c4531c1e0e50e609df83f736b6f3a02896e2 the syscall BPF_PROG_ATTACH return EBADF when CONFIG_CGROUP_BPF is turned off and as result the bpf_firewall_supported() returns the incorrect value. This commmit replaces the syscall BPF_PROG_ATTACH with BPF_PROG_DETACH which is still work as expected. Resolves openbmc/linux#159 See also systemd/systemd#7054 Signed-off-by: Alexander Filippov --- diff --git a/src/core/bpf-firewall.c b/src/core/bpf-firewall.c index 187fed12b2c..721b4bc9ce7 100644 --- a/src/core/bpf-firewall.c +++ b/src/core/bpf-firewall.c @@ -660,7 +660,7 @@ int bpf_firewall_supported(void) { * b) whether the unified hierarchy is being used * c) the BPF implementation in the kernel supports BPF LPM TRIE maps, which we require * d) the BPF implementation in the kernel supports BPF_PROG_TYPE_CGROUP_SKB programs, which we require - * e) the BPF implementation in the kernel supports the BPF_PROG_ATTACH call, which we require + * e) the BPF implementation in the kernel supports the BPF_PROG_DETACH call, which we require */ if (supported >= 0) @@ -713,7 +713,7 @@ int bpf_firewall_supported(void) { * is turned off at kernel compilation time. This sucks of course: why does it allow us to create a cgroup BPF * program if we can't do a thing with it later? * - * We detect this case by issuing the BPF_PROG_ATTACH bpf() call with invalid file descriptors: if + * We detect this case by issuing the BPF_PROG_DETACH bpf() call with invalid file descriptors: if * CONFIG_CGROUP_BPF is turned off, then the call will fail early with EINVAL. If it is turned on the * parameters are validated however, and that'll fail with EBADF then. */ @@ -723,22 +723,22 @@ int bpf_firewall_supported(void) { .attach_bpf_fd = -1, }; - if (bpf(BPF_PROG_ATTACH, &attr, sizeof(attr)) < 0) { + if (bpf(BPF_PROG_DETACH, &attr, sizeof(attr)) < 0) { if (errno != EBADF) { - log_debug_errno(errno, "Didn't get EBADF from BPF_PROG_ATTACH, BPF firewalling is not supported: %m"); + log_debug_errno(errno, "Didn't get EBADF from BPF_PROG_DETACH, BPF firewalling is not supported: %m"); return supported = BPF_FIREWALL_UNSUPPORTED; } /* YAY! */ } else { - log_debug("Wut? Kernel accepted our invalid BPF_PROG_ATTACH call? Something is weird, assuming BPF firewalling is broken and hence not supported."); + log_debug("Wut? Kernel accepted our invalid BPF_PROG_DETACH call? Something is weird, assuming BPF firewalling is broken and hence not supported."); return supported = BPF_FIREWALL_UNSUPPORTED; } /* So now we know that the BPF program is generally available, let's see if BPF_F_ALLOW_MULTI is also supported - * (which was added in kernel 4.15). We use a similar logic as before, but this time we use - * BPF_F_ALLOW_MULTI. Since the flags are checked early in the system call we'll get EINVAL if it's not - * supported, and EBADF as before if it is available. */ + * (which was added in kernel 4.15). We use a similar logic as before, but this time we use the BPF_PROG_ATTACH + * bpf() call and the BPF_F_ALLOW_MULTI flags value. Since the flags are checked early in the system call we'll + * get EINVAL if it's not supported, and EBADF as before if it is available. */ attr = (union bpf_attr) { .attach_type = BPF_CGROUP_INET_EGRESS,