
bpf: Convert cgroup sockaddr filters to use sockaddr_unsized consistently

Update BPF cgroup sockaddr filtering infrastructure to use sockaddr_unsized
consistently throughout the call chain, removing redundant explicit casts
from callers.

No binary changes expected.

Signed-off-by: Kees Cook <kees@kernel.org>
Link: https://patch.msgid.link/20251104002617.2752303-6-kees@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

authored by

Kees Cook and committed by
Jakub Kicinski
8116d803 449f68f8

+14 -11
+10 -7
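--- a/include/linux/bpf-cgroup.h
+++ b/include/linux/bpf-cgroup.h
@@ -120,7 +120,7 @@
 enum cgroup_bpf_attach_type atype);
 
 int __cgroup_bpf_run_filter_sock_addr(struct sock *sk,
-struct sockaddr *uaddr,
+struct sockaddr_unsized *uaddr,
 int *uaddrlen,
 enum cgroup_bpf_attach_type atype,
 void *t_ctx,
@@ -238,8 +238,9 @@
 ({ \
 int __ret = 0; \
 if (cgroup_bpf_enabled(atype)) \
-__ret = __cgroup_bpf_run_filter_sock_addr(sk, (struct sockaddr *)uaddr, uaddrlen, \
-atype, NULL, NULL); \
+__ret = __cgroup_bpf_run_filter_sock_addr(sk, \
+(struct sockaddr_unsized *)uaddr, uaddrlen, \
+atype, NULL, NULL); \
 __ret; \
 })
 
@@ -248,8 +249,9 @@
 int __ret = 0; \
 if (cgroup_bpf_enabled(atype)) { \
 lock_sock(sk); \
-__ret = __cgroup_bpf_run_filter_sock_addr(sk, (struct sockaddr *)uaddr, uaddrlen, \
-atype, t_ctx, NULL); \
+__ret = __cgroup_bpf_run_filter_sock_addr(sk, \
+(struct sockaddr_unsized *)uaddr, uaddrlen, \
+atype, t_ctx, NULL); \
 release_sock(sk); \
 } \
 __ret; \
@@ -266,8 +268,9 @@
 int __ret = 0; \
 if (cgroup_bpf_enabled(atype)) { \
 lock_sock(sk); \
-__ret = __cgroup_bpf_run_filter_sock_addr(sk, (struct sockaddr *)uaddr, uaddrlen, \
-atype, NULL, &__flags); \
+__ret = __cgroup_bpf_run_filter_sock_addr(sk, \
+(struct sockaddr_unsized *)uaddr, uaddrlen, \
+atype, NULL, &__flags); \
 release_sock(sk); \
 if (__flags & BPF_RET_BIND_NO_CAP_NET_BIND_SERVICE) \
 *bind_flags |= BIND_NO_CAP_NET_BIND_SERVICE; \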
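Review bot: The macro argument is cast without parentheses at all three rewritten call sites, `(struct sockaddr_unsized *)uaddr`, so an argument that is not a primary expression would only be cast in part; `(struct sockaddr_unsized *)(uaddr)` is the safer spelling. The cast also makes the compiler accept any pointer type here, which the af_inet.c callers now rely on after dropping their own casts, so `uaddrlen` is the only thing describing how large the pointed-to object really is. A one-line comment above the macros stating that `uaddrlen` must hold the length of the object `uaddr` points to would make that contract explicit. The macro definitions begin outside these hunks.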
+2 -2
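--- a/kernel/bpf/cgroup.c
+++ b/kernel/bpf/cgroup.c
@@ -1665,7 +1665,7 @@
 * returned value != 1 during execution. In all other cases, 0 is returned.
 */
 int __cgroup_bpf_run_filter_sock_addr(struct sock *sk,
-struct sockaddr *uaddr,
+struct sockaddr_unsized *uaddr,
 int *uaddrlen,
 enum cgroup_bpf_attach_type atype,
 void *t_ctx,
@@ -1673,7 +1673,7 @@
 {
 struct bpf_sock_addr_kern ctx = {
 .sk = sk,
-.uaddr = uaddr,
+.uaddr = (struct sockaddr *)uaddr,
 .t_ctx = t_ctx,
 };
 struct sockaddr_storage unspec;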
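Review bot: The initializer `.uaddr = (struct sockaddr *)uaddr` converts the unsized pointer straight back to the sized type with no comment, which reads as though it undoes the purpose of the new parameter type. Presumably `struct bpf_sock_addr_kern` still declares the field as `struct sockaddr *`; if so, a comment such as `/* ctx.uaddr keeps the legacy type; valid bytes are bounded by *uaddrlen */` would tell readers not to size accesses by the pointee type. The kernel-doc above the function is only partly visible here, so its description of `uaddr` may need the same update. The function body continues past the end of the hunk.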
+2 -2
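--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -834,7 +834,7 @@
 }
 sin->sin_port = inet->inet_dport;
 sin->sin_addr.s_addr = inet->inet_daddr;
-BPF_CGROUP_RUN_SA_PROG(sk, (struct sockaddr *)sin, &sin_addr_len,
+BPF_CGROUP_RUN_SA_PROG(sk, sin, &sin_addr_len,
 CGROUP_INET4_GETPEERNAME);
 } else {
 __be32 addr = inet->inet_rcv_saddr;
@@ -842,7 +842,7 @@
 addr = inet->inet_saddr;
 sin->sin_port = inet->inet_sport;
 sin->sin_addr.s_addr = addr;
-BPF_CGROUP_RUN_SA_PROG(sk, (struct sockaddr *)sin, &sin_addr_len,
+BPF_CGROUP_RUN_SA_PROG(sk, sin, &sin_addr_len,
 CGROUP_INET4_GETSOCKNAME);
 }
 release_sock(sk);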