From 9af201005e9cda726dfe47332769583faf23fdc7 Mon Sep 17 00:00:00 2001
From: Gregory Detal <gregory.detal@gmail.com>
Date: Fri, 3 May 2024 19:33:25 +0000
Subject: [PATCH] Squash to "mptcp: add bpf_mptcp_sched_ops" -- fix bpf access

The current behavior allows to write to mptcp_sock at offset that is
defined in mptcp_subflow_context and vice versa.

This fixes this by splitting the checks for each struct type.

Signed-off-by: Gregory Detal <gregory.detal@gmail.com>
---
 net/mptcp/bpf.c | 42 +++++++++++++++++++++++++-----------------
 1 file changed, 25 insertions(+), 17 deletions(-)

diff --git a/net/mptcp/bpf.c b/net/mptcp/bpf.c
index 208e5d3f066ff4..57c47bb430b1e9 100644
--- a/net/mptcp/bpf.c
+++ b/net/mptcp/bpf.c
@@ -47,24 +47,32 @@ static int bpf_mptcp_sched_btf_struct_access(struct bpf_verifier_log *log,
 	size_t end;
 
 	t = btf_type_by_id(reg->btf, reg->btf_id);
-	if (t != mptcp_sock_type && t != mptcp_subflow_type) {
-		bpf_log(log, "only access to mptcp sock or subflow is supported\n");
-		return -EACCES;
-	}
 
-	switch (off) {
-	case offsetof(struct mptcp_sock, snd_burst):
-		end = offsetofend(struct mptcp_sock, snd_burst);
-		break;
-	case offsetof(struct mptcp_subflow_context, scheduled):
-		end = offsetofend(struct mptcp_subflow_context, scheduled);
-		break;
-	case offsetof(struct mptcp_subflow_context, avg_pacing_rate):
-		end = offsetofend(struct mptcp_subflow_context, avg_pacing_rate);
-		break;
-	default:
-		bpf_log(log, "no write support to %s at off %d\n",
-			t == mptcp_sock_type ? "mptcp_sock" : "mptcp_subflow_context", off);
+	if (t == mptcp_sock_type) {
+		switch (off) {
+		case offsetof(struct mptcp_sock, snd_burst):
+			end = offsetofend(struct mptcp_sock, snd_burst);
+			break;
+		default:
+			bpf_log(log, "no write support to mptcp_sock at off %d\n",
+				off);
+			return -EACCES;
+		}
+	} else if (t == mptcp_subflow_type) {
+		switch (off) {
+		case offsetof(struct mptcp_subflow_context, scheduled):
+			end = offsetofend(struct mptcp_subflow_context, scheduled);
+			break;
+		case offsetof(struct mptcp_subflow_context, avg_pacing_rate):
+			end = offsetofend(struct mptcp_subflow_context, avg_pacing_rate);
+			break;
+		default:
+			bpf_log(log, "no write support to mptcp_subflow_context at off %d\n",
+				off);
+			return -EACCES;
+		}
+	} else {
+		bpf_log(log, "only access to mptcp sock or subflow is supported\n");
 		return -EACCES;
 	}