[mptcp-next] Squash to "mptcp: add bpf_mptcp_sched_ops" -- fix bpf access

Commit Message

Gregory Detal May 3, 2024, 7:33 p.m. UTC

The current behavior allows to write to mptcp_sock at offset that is
defined in mptcp_subflow_context and vice versa.

This fixes this by splitting the checks for each struct type.

Signed-off-by: Gregory Detal <gregory.detal@gmail.com>
---
 net/mptcp/bpf.c | 42 +++++++++++++++++++++++++-----------------
 1 file changed, 25 insertions(+), 17 deletions(-)


---
base-commit: 56030f9d3812071365435354c0eb5ffb3504e58a
change-id: 20240503-bpf_fix_access-a360b88c1534

Best regards,

Comments

MPTCP CI May 3, 2024, 8:22 p.m. UTC | #1

Hi Gregory,

Thank you for your modifications, that's great!

Our CI did some validations and here is its report:

- KVM Validation: normal: Unstable: 1 failed test(s): selftest_simult_flows 

Geliang Tang May 4, 2024, 11:58 p.m. UTC | #2

Hi Gregory,

On Fri, May 03, 2024 at 07:33:25PM +0000, Gregory Detal wrote:
> The current behavior allows to write to mptcp_sock at offset that is
> defined in mptcp_subflow_context and vice versa.
> 
> This fixes this by splitting the checks for each struct type.
> 
> Signed-off-by: Gregory Detal <gregory.detal@gmail.com>

Thanks for this fix. Looks good to me.

Reviewed-by: Geliang Tang <geliang@kernel.org>

-Geliang

> ---
>  net/mptcp/bpf.c | 42 +++++++++++++++++++++++++-----------------
>  1 file changed, 25 insertions(+), 17 deletions(-)
> 
> diff --git a/net/mptcp/bpf.c b/net/mptcp/bpf.c
> index 208e5d3f066f..57c47bb430b1 100644
> --- a/net/mptcp/bpf.c
> +++ b/net/mptcp/bpf.c
> @@ -47,24 +47,32 @@ static int bpf_mptcp_sched_btf_struct_access(struct bpf_verifier_log *log,
>  	size_t end;
>  
>  	t = btf_type_by_id(reg->btf, reg->btf_id);
> -	if (t != mptcp_sock_type && t != mptcp_subflow_type) {
> -		bpf_log(log, "only access to mptcp sock or subflow is supported\n");
> -		return -EACCES;
> -	}
>  
> -	switch (off) {
> -	case offsetof(struct mptcp_sock, snd_burst):
> -		end = offsetofend(struct mptcp_sock, snd_burst);
> -		break;
> -	case offsetof(struct mptcp_subflow_context, scheduled):
> -		end = offsetofend(struct mptcp_subflow_context, scheduled);
> -		break;
> -	case offsetof(struct mptcp_subflow_context, avg_pacing_rate):
> -		end = offsetofend(struct mptcp_subflow_context, avg_pacing_rate);
> -		break;
> -	default:
> -		bpf_log(log, "no write support to %s at off %d\n",
> -			t == mptcp_sock_type ? "mptcp_sock" : "mptcp_subflow_context", off);
> +	if (t == mptcp_sock_type) {
> +		switch (off) {
> +		case offsetof(struct mptcp_sock, snd_burst):
> +			end = offsetofend(struct mptcp_sock, snd_burst);
> +			break;
> +		default:
> +			bpf_log(log, "no write support to mptcp_sock at off %d\n",
> +				off);
> +			return -EACCES;
> +		}
> +	} else if (t == mptcp_subflow_type) {
> +		switch (off) {
> +		case offsetof(struct mptcp_subflow_context, scheduled):
> +			end = offsetofend(struct mptcp_subflow_context, scheduled);
> +			break;
> +		case offsetof(struct mptcp_subflow_context, avg_pacing_rate):
> +			end = offsetofend(struct mptcp_subflow_context, avg_pacing_rate);
> +			break;
> +		default:
> +			bpf_log(log, "no write support to mptcp_subflow_context at off %d\n",
> +				off);
> +			return -EACCES;
> +		}
> +	} else {
> +		bpf_log(log, "only access to mptcp sock or subflow is supported\n");
>  		return -EACCES;
>  	}
>  
> 
> ---
> base-commit: 56030f9d3812071365435354c0eb5ffb3504e58a
> change-id: 20240503-bpf_fix_access-a360b88c1534
> 
> Best regards,
> -- 
> Gregory Detal <gregory.detal@gmail.com>
>

Matthieu Baerts (NGI0) May 6, 2024, 8:33 a.m. UTC | #3

Hi Gregory, Geliang,

On 03/05/2024 21:33, Gregory Detal wrote:
> The current behavior allows to write to mptcp_sock at offset that is
> defined in mptcp_subflow_context and vice versa.
> 
> This fixes this by splitting the checks for each struct type.

Thank you for the fix and the review!

Now in our tree:

New patches for t/upstream:
- 17783ae38851: "squashed" in "bpf: Add bpf_mptcp_sched_ops"
- c0f6d508db13: "Signed-off-by" + "Co-developed-by"
- Results: 77024827f43c..f16f6f211e69 (export)

Tests are now in progress:

- export:
https://github.com/multipath-tcp/mptcp_net-next/commit/26924223a2c1354a5444e3e70b286fee1a3f1c67/checks

Cheers,
Matt

Patch

diff --git a/net/mptcp/bpf.c b/net/mptcp/bpf.c
index 208e5d3f066f..57c47bb430b1 100644
--- a/net/mptcp/bpf.c
+++ b/net/mptcp/bpf.c
@@ -47,24 +47,32 @@  static int bpf_mptcp_sched_btf_struct_access(struct bpf_verifier_log *log,
 	size_t end;
 
 	t = btf_type_by_id(reg->btf, reg->btf_id);
-	if (t != mptcp_sock_type && t != mptcp_subflow_type) {
-		bpf_log(log, "only access to mptcp sock or subflow is supported\n");
-		return -EACCES;
-	}
 
-	switch (off) {
-	case offsetof(struct mptcp_sock, snd_burst):
-		end = offsetofend(struct mptcp_sock, snd_burst);
-		break;
-	case offsetof(struct mptcp_subflow_context, scheduled):
-		end = offsetofend(struct mptcp_subflow_context, scheduled);
-		break;
-	case offsetof(struct mptcp_subflow_context, avg_pacing_rate):
-		end = offsetofend(struct mptcp_subflow_context, avg_pacing_rate);
-		break;
-	default:
-		bpf_log(log, "no write support to %s at off %d\n",
-			t == mptcp_sock_type ? "mptcp_sock" : "mptcp_subflow_context", off);
+	if (t == mptcp_sock_type) {
+		switch (off) {
+		case offsetof(struct mptcp_sock, snd_burst):
+			end = offsetofend(struct mptcp_sock, snd_burst);
+			break;
+		default:
+			bpf_log(log, "no write support to mptcp_sock at off %d\n",
+				off);
+			return -EACCES;
+		}
+	} else if (t == mptcp_subflow_type) {
+		switch (off) {
+		case offsetof(struct mptcp_subflow_context, scheduled):
+			end = offsetofend(struct mptcp_subflow_context, scheduled);
+			break;
+		case offsetof(struct mptcp_subflow_context, avg_pacing_rate):
+			end = offsetofend(struct mptcp_subflow_context, avg_pacing_rate);
+			break;
+		default:
+			bpf_log(log, "no write support to mptcp_subflow_context at off %d\n",
+				off);
+			return -EACCES;
+		}
+	} else {
+		bpf_log(log, "only access to mptcp sock or subflow is supported\n");
 		return -EACCES;
 	}