On 2025-07-21 17:08:05, Eduard Zingerman wrote:
> On Mon, 2025-07-21 at 14:57 +0200, Paul Chaignon wrote:
>
> [...]
>
> > diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
> > index 72c8b50dca0a..3a4ad9f124e1 100644
> > --- a/kernel/bpf/cgroup.c
> > +++ b/kernel/bpf/cgroup.c
> > @@ -2577,17 +2577,17 @@ static bool cg_sockopt_is_valid_access(int off, int size,
> > }
> >
> > switch (off) {
> > - case offsetof(struct bpf_sockopt, sk):
> > + case bpf_ctx_range_ptr(struct bpf_sockopt, sk):
> > if (size != sizeof(__u64))
> > return false;
> > info->reg_type = PTR_TO_SOCKET;
> > break;
> > - case offsetof(struct bpf_sockopt, optval):
> > + case bpf_ctx_range_ptr(struct bpf_sockopt, optval):
> > if (size != sizeof(__u64))
> > return false;
> > info->reg_type = PTR_TO_PACKET;
> > break;
> > - case offsetof(struct bpf_sockopt, optval_end):
> > + case bpf_ctx_range_ptr(struct bpf_sockopt, optval_end):
> > if (size != sizeof(__u64))
> > return false;
> > info->reg_type = PTR_TO_PACKET_END;
>
> Nit: I'd also convert `case offsetof(struct bpf_sockopt, retval):`
> just below. Otherwise reader would spend some time figuring out
> why `retval` is special (it's not).
>
> > diff --git a/net/core/filter.c b/net/core/filter.c
> > index 7a72f766aacf..458908c5f1f4 100644
> > --- a/net/core/filter.c
> > +++ b/net/core/filter.c
> > @@ -8690,7 +8690,7 @@ static bool bpf_skb_is_valid_access(int off, int size, enum bpf_access_type type
> > if (size != sizeof(__u64))
> > return false;
> > break;
> > - case offsetof(struct __sk_buff, sk):
> > + case bpf_ctx_range_ptr(struct __sk_buff, sk):
> > if (type == BPF_WRITE || size != sizeof(__u64))
> > return false;
> > info->reg_type = PTR_TO_SOCK_COMMON_OR_NULL;
> > @@ -9268,7 +9268,7 @@ static bool sock_addr_is_valid_access(int off, int size,
> > return false;
> > }
> > break;
> > - case offsetof(struct bpf_sock_addr, sk):
> > + case bpf_ctx_range_ptr(struct bpf_sock_addr, sk):
> > if (type != BPF_READ)
> > return false;
> > if (size != sizeof(__u64))
> > @@ -9318,17 +9318,17 @@ static bool sock_ops_is_valid_access(int off, int size,
> > if (size != sizeof(__u64))
> > return false;
> > break;
> > - case offsetof(struct bpf_sock_ops, sk):
> > + case bpf_ctx_range_ptr(struct bpf_sock_ops, sk):
> > if (size != sizeof(__u64))
> > return false;
> > info->reg_type = PTR_TO_SOCKET_OR_NULL;
> > break;
> > - case offsetof(struct bpf_sock_ops, skb_data):
> > + case bpf_ctx_range_ptr(struct bpf_sock_ops, skb_data):
> > if (size != sizeof(__u64))
> > return false;
> > info->reg_type = PTR_TO_PACKET;
> > break;
> > - case offsetof(struct bpf_sock_ops, skb_data_end):
> > + case bpf_ctx_range_ptr(struct bpf_sock_ops, skb_data_end):
> > if (size != sizeof(__u64))
> > return false;
> > info->reg_type = PTR_TO_PACKET_END;
>
> I think this function is buggy for `skb_hwtstamp` as well.
> The skb_hwtstamp field is u64, side_default is sizeof(u32).
> So access at `offsetof(struct bpf_sock_ops, skb_hwtstamp) + 4` would
> be permitted by the default branch. But this range is not handled by
> accompanying sock_ops_convert_ctx_access().
+1 looks that way to me.
>
>
> > @@ -9417,7 +9417,7 @@ static bool sk_msg_is_valid_access(int off, int size,
> > if (size != sizeof(__u64))
> > return false;
> > break;
> > - case offsetof(struct sk_msg_md, sk):
> > + case bpf_ctx_range_ptr(struct sk_msg_md, sk):
> > if (size != sizeof(__u64))
> > return false;
> > info->reg_type = PTR_TO_SOCKET;
>
> I don't think this change is necessary, the default branch rejects
> access at any not matched offset. Otherwise `data` and `data_end`
> should be converted for uniformity.
I sort of like it if all the ptr types are referenced with
bpf_ctx_range_ptr seems more consistent to me. So its it
is a bpf-next change I would do data and data_end as well.
>
> > @@ -11623,7 +11623,7 @@ static bool sk_lookup_is_valid_access(int off, int size,
> > return false;
> >
> > switch (off) {
> > - case offsetof(struct bpf_sk_lookup, sk):
> > + case bpf_ctx_range_ptr(struct bpf_sk_lookup, sk):
> > info->reg_type = PTR_TO_SOCKET_OR_NULL;
> > return size == sizeof(__u64);
> >
>
> Same here, the default branch would reject access at the wrong offset already.
>
Other than above patch LGTM.
