From: Yu Watanabe Date: Tue, 23 Sep 2025 19:45:21 +0000 (+0900) Subject: core/bpf-firewall: replace unnecessary unit_setup_cgroup_runtime() with unit_get_cgro... X-Git-Tag: v258.1~16 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=87bbee1c9623064d2eb3fe974ceea03d4042e2cb;p=thirdparty%2Fsystemd.git core/bpf-firewall: replace unnecessary unit_setup_cgroup_runtime() with unit_get_cgroup_runtime() Except for the test, bpf_firewall_compile() is only called by the following: cgroup_context_apply() -> cgroup_apply_firewall() -> bpf_firewall_compile() and in the early stage of cgroup_context_apply(), it checks if the cgroup runtime exists. Hence, it is not necessary to try to allocate the runtime in bpf_firewall_compile(). (cherry picked from commit e8a5cda4714fc6fe622a03cfca6c75888d63e354) --- diff --git a/src/core/bpf-firewall.c b/src/core/bpf-firewall.c index e0cbe16463c..fce885da875 100644 --- a/src/core/bpf-firewall.c +++ b/src/core/bpf-firewall.c @@ -547,9 +547,9 @@ int bpf_firewall_compile(Unit *u) { if (!cc) return -EINVAL; - crt = unit_setup_cgroup_runtime(u); + crt = unit_get_cgroup_runtime(u); if (!crt) - return -ENOMEM; + return -ESTALE; if (bpf_program_supported() <= 0) return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP), diff --git a/src/test/test-bpf-firewall.c b/src/test/test-bpf-firewall.c index 6c82e3d2966..af44a0e6d9e 100644 --- a/src/test/test-bpf-firewall.c +++ b/src/test/test-bpf-firewall.c @@ -50,7 +50,8 @@ int main(int argc, char *argv[]) { if (!can_memlock()) return log_tests_skipped("Can't use mlock()"); - r = enter_cgroup_subroot(NULL); + _cleanup_free_ char *cgroup_path = NULL; + r = enter_cgroup_subroot(&cgroup_path); if (r == -ENOMEDIUM) return log_tests_skipped("cgroupfs not available"); @@ -129,6 +130,8 @@ int main(int argc, char *argv[]) { SERVICE(u)->type = SERVICE_ONESHOT; u->load_state = UNIT_LOADED; + CGroupRuntime *crt = ASSERT_PTR(unit_setup_cgroup_runtime(u)); + unit_dump(u, stdout, NULL); r = bpf_firewall_compile(u); @@ -136,7 +139,6 @@ int main(int argc, char *argv[]) { return log_tests_skipped("Kernel doesn't support the necessary bpf bits (masked out via seccomp?)"); ASSERT_OK(r); - CGroupRuntime *crt = ASSERT_PTR(unit_get_cgroup_runtime(u)); ASSERT_NOT_NULL(crt->ip_bpf_ingress); ASSERT_NOT_NULL(crt->ip_bpf_egress);