BACKPORT: bpf: Post-hooks for sys_bind

	__ret;								       \

})

#define BPF_CGROUP_RUN_PROG_INET_SOCK(sk)				       \

#define BPF_CGROUP_RUN_SK_PROG(sk, type)				       \

({									       \

	int __ret = 0;							       \

	if (cgroup_bpf_enabled && sk) {					       \

		__ret = __cgroup_bpf_run_filter_sk(sk,			       \

						 BPF_CGROUP_INET_SOCK_CREATE); \

		__ret = __cgroup_bpf_run_filter_sk(sk, type);		       \

	}								       \

	__ret;								       \

})

#define BPF_CGROUP_RUN_PROG_INET_SOCK(sk)				       \

	BPF_CGROUP_RUN_SK_PROG(sk, BPF_CGROUP_INET_SOCK_CREATE)

#define BPF_CGROUP_RUN_PROG_INET4_POST_BIND(sk)				       \

	BPF_CGROUP_RUN_SK_PROG(sk, BPF_CGROUP_INET4_POST_BIND)

#define BPF_CGROUP_RUN_PROG_INET6_POST_BIND(sk)				       \

	BPF_CGROUP_RUN_SK_PROG(sk, BPF_CGROUP_INET6_POST_BIND)

#define BPF_CGROUP_RUN_SA_PROG(sk, uaddr, type)				       \

({									       \

	int __ret = 0;							       \

#define BPF_CGROUP_RUN_PROG_INET_SOCK(sk) ({ 0; })

#define BPF_CGROUP_RUN_PROG_INET4_BIND(sk, uaddr) ({ 0; })

#define BPF_CGROUP_RUN_PROG_INET6_BIND(sk, uaddr) ({ 0; })

#define BPF_CGROUP_RUN_PROG_INET4_POST_BIND(sk) ({ 0; })

#define BPF_CGROUP_RUN_PROG_INET6_POST_BIND(sk) ({ 0; })

#define BPF_CGROUP_RUN_PROG_INET4_CONNECT(sk, uaddr) ({ 0; })

#define BPF_CGROUP_RUN_PROG_INET4_CONNECT_LOCK(sk, uaddr) ({ 0; })

#define BPF_CGROUP_RUN_PROG_INET6_CONNECT(sk, uaddr) ({ 0; })

	BPF_CGROUP_INET6_BIND = 9,

	BPF_CGROUP_INET4_CONNECT,

	BPF_CGROUP_INET6_CONNECT,

	BPF_CGROUP_INET4_POST_BIND,

	BPF_CGROUP_INET6_POST_BIND,

	__MAX_BPF_ATTACH_TYPE

};

	__u32 protocol;

	__u32 mark;

	__u32 priority;

	__u32 src_ip4;		/* Allows 1,2,4-byte read.

				 * Stored in network byte order.

				 */

	__u32 src_ip6[4];	/* Allows 1,2,4-byte read.

				 * Stored in network byte order.

				 */

	__u32 src_port;		/* Allows 4-byte read.

				 * Stored in host byte order

				 */

};

#define XDP_PACKET_HEADROOM 256

}

EXPORT_SYMBOL_GPL(bpf_prog_get_type);

/* Initially all BPF programs could be loaded w/o specifying

 * expected_attach_type. Later for some of them specifying expected_attach_type

 * at load time became required so that program could be validated properly.

 * Programs of types that are allowed to be loaded both w/ and w/o (for

 * backward compatibility) expected_attach_type, should have the default attach

 * type assigned to expected_attach_type for the latter case, so that it can be

 * validated later at attach time.

 *

 * bpf_prog_load_fixup_attach_type() sets expected_attach_type in @attr if

 * prog type requires it but has some attach types that have to be backward

 * compatible.

 */

static void bpf_prog_load_fixup_attach_type(union bpf_attr *attr)

{

	switch (attr->prog_type) {

	case BPF_PROG_TYPE_CGROUP_SOCK:

		/* Unfortunately BPF_ATTACH_TYPE_UNSPEC enumeration doesn't

		 * exist so checking for non-zero is the way to go here.

		 */

		if (!attr->expected_attach_type)

			attr->expected_attach_type =

				BPF_CGROUP_INET_SOCK_CREATE;

		break;

	}

}

static int

bpf_prog_load_check_attach_type(enum bpf_prog_type prog_type,

				enum bpf_attach_type expected_attach_type)

{

	switch (prog_type) {

	case BPF_PROG_TYPE_CGROUP_SOCK:

		switch (expected_attach_type) {

		case BPF_CGROUP_INET_SOCK_CREATE:

		case BPF_CGROUP_INET4_POST_BIND:

		case BPF_CGROUP_INET6_POST_BIND:

			return 0;

		default:

			return -EINVAL;

		}

	case BPF_PROG_TYPE_CGROUP_SOCK_ADDR:

		switch (expected_attach_type) {

		case BPF_CGROUP_INET4_BIND:

					     enum bpf_attach_type attach_type)

{

	switch (prog->type) {

	case BPF_PROG_TYPE_CGROUP_SOCK:

	case BPF_PROG_TYPE_CGROUP_SOCK_ADDR:

		return attach_type == prog->expected_attach_type ? 0 : -EINVAL;

	default:

	    !capable(CAP_SYS_ADMIN))

		return -EPERM;

	bpf_prog_load_fixup_attach_type(attr);

	if (bpf_prog_load_check_attach_type(type, attr->expected_attach_type))

		return -EINVAL;

		ptype = BPF_PROG_TYPE_CGROUP_SKB;

		break;

	case BPF_CGROUP_INET_SOCK_CREATE:

	case BPF_CGROUP_INET4_POST_BIND:

	case BPF_CGROUP_INET6_POST_BIND:

		ptype = BPF_PROG_TYPE_CGROUP_SOCK;

		break;

	case BPF_CGROUP_INET4_BIND:

		ptype = BPF_PROG_TYPE_CGROUP_SKB;

		break;

	case BPF_CGROUP_INET_SOCK_CREATE:

	case BPF_CGROUP_INET4_POST_BIND:

	case BPF_CGROUP_INET6_POST_BIND:

		ptype = BPF_PROG_TYPE_CGROUP_SOCK;

		break;

	case BPF_CGROUP_INET4_BIND:

	case BPF_CGROUP_INET_SOCK_CREATE:

	case BPF_CGROUP_INET4_BIND:

	case BPF_CGROUP_INET6_BIND:

	case BPF_CGROUP_INET4_POST_BIND:

	case BPF_CGROUP_INET6_POST_BIND:

	case BPF_CGROUP_INET4_CONNECT:

	case BPF_CGROUP_INET6_CONNECT:

	case BPF_CGROUP_SOCK_OPS:

	return bpf_skb_is_valid_access(off, size, type, prog, info);

}

static bool sock_filter_is_valid_access(int off, int size,

					enum bpf_access_type type,

					const struct bpf_prog *prog,

					struct bpf_insn_access_aux *info)

/* Attach type specific accesses */

static bool __sock_filter_check_attach_type(int off,

					    enum bpf_access_type access_type,

					    enum bpf_attach_type attach_type)

{

	if (type == BPF_WRITE) {

	switch (off) {

	case offsetof(struct bpf_sock, bound_dev_if):

	case offsetof(struct bpf_sock, mark):

	case offsetof(struct bpf_sock, priority):

			break;

		switch (attach_type) {

		case BPF_CGROUP_INET_SOCK_CREATE:

			goto full_access;

		default:

			return false;

		}

	case bpf_ctx_range(struct bpf_sock, src_ip4):

		switch (attach_type) {

		case BPF_CGROUP_INET4_POST_BIND:

			goto read_only;

		default:

			return false;

		}

	case bpf_ctx_range_till(struct bpf_sock, src_ip6[0], src_ip6[3]):

		switch (attach_type) {

		case BPF_CGROUP_INET6_POST_BIND:

			goto read_only;

		default:

			return false;

		}

	case bpf_ctx_range(struct bpf_sock, src_port):

		switch (attach_type) {

		case BPF_CGROUP_INET4_POST_BIND:

		case BPF_CGROUP_INET6_POST_BIND:

			goto read_only;

		default:

			return false;

		}

	}

read_only:

	return access_type == BPF_READ;

full_access:

	return true;

}

static bool __sock_filter_check_size(int off, int size,

				     struct bpf_insn_access_aux *info)

{

	const int size_default = sizeof(__u32);

	switch (off) {

	case bpf_ctx_range(struct bpf_sock, src_ip4):

	case bpf_ctx_range_till(struct bpf_sock, src_ip6[0], src_ip6[3]):

		bpf_ctx_record_field_size(info, size_default);

		return bpf_ctx_narrow_access_ok(off, size, size_default);

	}

	return size == size_default;

}

	if (off < 0 || off + size > sizeof(struct bpf_sock))

static bool sock_filter_is_valid_access(int off, int size,

					enum bpf_access_type type,

					const struct bpf_prog *prog,

					struct bpf_insn_access_aux *info)

{

	if (off < 0 || off >= sizeof(struct bpf_sock))

		return false;

	/* The verifier guarantees that size > 0. */

	if (off % size != 0)

		return false;

	if (size != sizeof(__u32))

	if (!__sock_filter_check_attach_type(off, type,

					     prog->expected_attach_type))

		return false;

	if (!__sock_filter_check_size(off, size, info))

		return false;

	return true;

}

					  struct bpf_prog *prog, u32 *target_size)

{

	struct bpf_insn *insn = insn_buf;

	int off;

	switch (si->off) {

	case offsetof(struct bpf_sock, bound_dev_if):

		*insn++ = BPF_ALU32_IMM(BPF_AND, si->dst_reg, SK_FL_PROTO_MASK);

		*insn++ = BPF_ALU32_IMM(BPF_RSH, si->dst_reg, SK_FL_PROTO_SHIFT);

		break;

	case offsetof(struct bpf_sock, src_ip4):

		*insn++ = BPF_LDX_MEM(

			BPF_SIZE(si->code), si->dst_reg, si->src_reg,

			bpf_target_off(struct sock_common, skc_rcv_saddr,

				       FIELD_SIZEOF(struct sock_common,

						    skc_rcv_saddr),

				       target_size));

		break;

	case bpf_ctx_range_till(struct bpf_sock, src_ip6[0], src_ip6[3]):

#if IS_ENABLED(CONFIG_IPV6)

		off = si->off;

		off -= offsetof(struct bpf_sock, src_ip6[0]);

		*insn++ = BPF_LDX_MEM(

			BPF_SIZE(si->code), si->dst_reg, si->src_reg,

			bpf_target_off(

				struct sock_common,

				skc_v6_rcv_saddr.s6_addr32[0],

				FIELD_SIZEOF(struct sock_common,

					     skc_v6_rcv_saddr.s6_addr32[0]),

				target_size) + off);

#else

		(void)off;

		*insn++ = BPF_MOV32_IMM(si->dst_reg, 0);

#endif

		break;

	case offsetof(struct bpf_sock, src_port):

		*insn++ = BPF_LDX_MEM(

			BPF_FIELD_SIZEOF(struct sock_common, skc_num),

			si->dst_reg, si->src_reg,

			bpf_target_off(struct sock_common, skc_num,

				       FIELD_SIZEOF(struct sock_common,

						    skc_num),

				       target_size));

		break;

	}

	return insn - insn_buf;

		inet->inet_saddr = 0;  /* Use device */

	/* Make sure we are allowed to bind here. */

	if ((snum || !(inet->bind_address_no_port ||

		       force_bind_address_no_port)) &&

	    sk->sk_prot->get_port(sk, snum)) {

	if (snum || !(inet->bind_address_no_port ||

		      force_bind_address_no_port)) {

		if (sk->sk_prot->get_port(sk, snum)) {

			inet->inet_saddr = inet->inet_rcv_saddr = 0;

			err = -EADDRINUSE;

			goto out_release_sock;

		}

		err = BPF_CGROUP_RUN_PROG_INET4_POST_BIND(sk);

		if (err) {

			inet->inet_saddr = inet->inet_rcv_saddr = 0;

			goto out_release_sock;

		}

	}

	if (inet->inet_rcv_saddr)

		sk->sk_userlocks |= SOCK_BINDADDR_LOCK;