1 // SPDX-License-Identifier: GPL-2.0
2 #include <vmlinux.h>
3 #include <bpf/bpf_tracing.h>
4 #include <bpf/bpf_helpers.h>
5 #include "../bpf_testmod/bpf_testmod_kfunc.h"
6 
7 struct map_value {
8 	struct prog_test_ref_kfunc __kptr_untrusted *unref_ptr;
9 	struct prog_test_ref_kfunc __kptr *ref_ptr;
10 };
11 
12 struct array_map {
13 	__uint(type, BPF_MAP_TYPE_ARRAY);
14 	__type(key, int);
15 	__type(value, struct map_value);
16 	__uint(max_entries, 1);
17 } array_map SEC(".maps");
18 
19 struct pcpu_array_map {
20 	__uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
21 	__type(key, int);
22 	__type(value, struct map_value);
23 	__uint(max_entries, 1);
24 } pcpu_array_map SEC(".maps");
25 
26 struct hash_map {
27 	__uint(type, BPF_MAP_TYPE_HASH);
28 	__type(key, int);
29 	__type(value, struct map_value);
30 	__uint(max_entries, 1);
31 } hash_map SEC(".maps");
32 
33 struct pcpu_hash_map {
34 	__uint(type, BPF_MAP_TYPE_PERCPU_HASH);
35 	__type(key, int);
36 	__type(value, struct map_value);
37 	__uint(max_entries, 1);
38 } pcpu_hash_map SEC(".maps");
39 
40 struct hash_malloc_map {
41 	__uint(type, BPF_MAP_TYPE_HASH);
42 	__type(key, int);
43 	__type(value, struct map_value);
44 	__uint(max_entries, 1);
45 	__uint(map_flags, BPF_F_NO_PREALLOC);
46 } hash_malloc_map SEC(".maps");
47 
48 struct pcpu_hash_malloc_map {
49 	__uint(type, BPF_MAP_TYPE_PERCPU_HASH);
50 	__type(key, int);
51 	__type(value, struct map_value);
52 	__uint(max_entries, 1);
53 	__uint(map_flags, BPF_F_NO_PREALLOC);
54 } pcpu_hash_malloc_map SEC(".maps");
55 
56 struct lru_hash_map {
57 	__uint(type, BPF_MAP_TYPE_LRU_HASH);
58 	__type(key, int);
59 	__type(value, struct map_value);
60 	__uint(max_entries, 1);
61 } lru_hash_map SEC(".maps");
62 
63 struct lru_pcpu_hash_map {
64 	__uint(type, BPF_MAP_TYPE_LRU_PERCPU_HASH);
65 	__type(key, int);
66 	__type(value, struct map_value);
67 	__uint(max_entries, 1);
68 } lru_pcpu_hash_map SEC(".maps");
69 
70 struct cgrp_ls_map {
71 	__uint(type, BPF_MAP_TYPE_CGRP_STORAGE);
72 	__uint(map_flags, BPF_F_NO_PREALLOC);
73 	__type(key, int);
74 	__type(value, struct map_value);
75 } cgrp_ls_map SEC(".maps");
76 
77 struct task_ls_map {
78 	__uint(type, BPF_MAP_TYPE_TASK_STORAGE);
79 	__uint(map_flags, BPF_F_NO_PREALLOC);
80 	__type(key, int);
81 	__type(value, struct map_value);
82 } task_ls_map SEC(".maps");
83 
84 struct inode_ls_map {
85 	__uint(type, BPF_MAP_TYPE_INODE_STORAGE);
86 	__uint(map_flags, BPF_F_NO_PREALLOC);
87 	__type(key, int);
88 	__type(value, struct map_value);
89 } inode_ls_map SEC(".maps");
90 
91 struct sk_ls_map {
92 	__uint(type, BPF_MAP_TYPE_SK_STORAGE);
93 	__uint(map_flags, BPF_F_NO_PREALLOC);
94 	__type(key, int);
95 	__type(value, struct map_value);
96 } sk_ls_map SEC(".maps");
97 
98 #define DEFINE_MAP_OF_MAP(map_type, inner_map_type, name)       \
99 	struct {                                                \
100 		__uint(type, map_type);                         \
101 		__uint(max_entries, 1);                         \
102 		__uint(key_size, sizeof(int));                  \
103 		__uint(value_size, sizeof(int));                \
104 		__array(values, struct inner_map_type);         \
105 	} name SEC(".maps") = {                                 \
106 		.values = { [0] = &inner_map_type },            \
107 	}
108 
109 DEFINE_MAP_OF_MAP(BPF_MAP_TYPE_ARRAY_OF_MAPS, array_map, array_of_array_maps);
110 DEFINE_MAP_OF_MAP(BPF_MAP_TYPE_ARRAY_OF_MAPS, hash_map, array_of_hash_maps);
111 DEFINE_MAP_OF_MAP(BPF_MAP_TYPE_ARRAY_OF_MAPS, hash_malloc_map, array_of_hash_malloc_maps);
112 DEFINE_MAP_OF_MAP(BPF_MAP_TYPE_ARRAY_OF_MAPS, lru_hash_map, array_of_lru_hash_maps);
113 DEFINE_MAP_OF_MAP(BPF_MAP_TYPE_ARRAY_OF_MAPS, pcpu_array_map, array_of_pcpu_array_maps);
114 DEFINE_MAP_OF_MAP(BPF_MAP_TYPE_ARRAY_OF_MAPS, pcpu_hash_map, array_of_pcpu_hash_maps);
115 DEFINE_MAP_OF_MAP(BPF_MAP_TYPE_HASH_OF_MAPS, array_map, hash_of_array_maps);
116 DEFINE_MAP_OF_MAP(BPF_MAP_TYPE_HASH_OF_MAPS, hash_map, hash_of_hash_maps);
117 DEFINE_MAP_OF_MAP(BPF_MAP_TYPE_HASH_OF_MAPS, hash_malloc_map, hash_of_hash_malloc_maps);
118 DEFINE_MAP_OF_MAP(BPF_MAP_TYPE_HASH_OF_MAPS, lru_hash_map, hash_of_lru_hash_maps);
119 DEFINE_MAP_OF_MAP(BPF_MAP_TYPE_HASH_OF_MAPS, pcpu_array_map, hash_of_pcpu_array_maps);
120 DEFINE_MAP_OF_MAP(BPF_MAP_TYPE_HASH_OF_MAPS, pcpu_hash_map, hash_of_pcpu_hash_maps);
121 
122 #define WRITE_ONCE(x, val) ((*(volatile typeof(x) *) &(x)) = (val))
123 
test_kptr_unref(struct map_value * v)124 static void test_kptr_unref(struct map_value *v)
125 {
126 	struct prog_test_ref_kfunc *p;
127 
128 	p = v->unref_ptr;
129 	/* store untrusted_ptr_or_null_ */
130 	WRITE_ONCE(v->unref_ptr, p);
131 	if (!p)
132 		return;
133 	if (p->a + p->b > 100)
134 		return;
135 	/* store untrusted_ptr_ */
136 	WRITE_ONCE(v->unref_ptr, p);
137 	/* store NULL */
138 	WRITE_ONCE(v->unref_ptr, NULL);
139 }
140 
test_kptr_ref(struct map_value * v)141 static void test_kptr_ref(struct map_value *v)
142 {
143 	struct prog_test_ref_kfunc *p;
144 
145 	p = v->ref_ptr;
146 	/* store ptr_or_null_ */
147 	WRITE_ONCE(v->unref_ptr, p);
148 	if (!p)
149 		return;
150 	/*
151 	 * p is rcu_ptr_prog_test_ref_kfunc,
152 	 * because bpf prog is non-sleepable and runs in RCU CS.
153 	 * p can be passed to kfunc that requires KF_RCU.
154 	 */
155 	bpf_kfunc_call_test_ref(p);
156 	if (p->a + p->b > 100)
157 		return;
158 	/* store NULL */
159 	p = bpf_kptr_xchg(&v->ref_ptr, NULL);
160 	if (!p)
161 		return;
162 	/*
163 	 * p is trusted_ptr_prog_test_ref_kfunc.
164 	 * p can be passed to kfunc that requires KF_RCU.
165 	 */
166 	bpf_kfunc_call_test_ref(p);
167 	if (p->a + p->b > 100) {
168 		bpf_kfunc_call_test_release(p);
169 		return;
170 	}
171 	/* store ptr_ */
172 	WRITE_ONCE(v->unref_ptr, p);
173 	bpf_kfunc_call_test_release(p);
174 
175 	p = bpf_kfunc_call_test_acquire(&(unsigned long){0});
176 	if (!p)
177 		return;
178 	/* store ptr_ */
179 	p = bpf_kptr_xchg(&v->ref_ptr, p);
180 	if (!p)
181 		return;
182 	if (p->a + p->b > 100) {
183 		bpf_kfunc_call_test_release(p);
184 		return;
185 	}
186 	bpf_kfunc_call_test_release(p);
187 }
188 
test_kptr(struct map_value * v)189 static void test_kptr(struct map_value *v)
190 {
191 	test_kptr_unref(v);
192 	test_kptr_ref(v);
193 }
194 
195 SEC("tc")
test_map_kptr(struct __sk_buff * ctx)196 int test_map_kptr(struct __sk_buff *ctx)
197 {
198 	struct map_value *v;
199 	int key = 0;
200 
201 #define TEST(map)					\
202 	v = bpf_map_lookup_elem(&map, &key);		\
203 	if (!v)						\
204 		return 0;				\
205 	test_kptr(v)
206 
207 	TEST(array_map);
208 	TEST(hash_map);
209 	TEST(hash_malloc_map);
210 	TEST(lru_hash_map);
211 	TEST(pcpu_array_map);
212 	TEST(pcpu_hash_map);
213 
214 #undef TEST
215 	return 0;
216 }
217 
218 SEC("tp_btf/cgroup_mkdir")
BPF_PROG(test_cgrp_map_kptr,struct cgroup * cgrp,const char * path)219 int BPF_PROG(test_cgrp_map_kptr, struct cgroup *cgrp, const char *path)
220 {
221 	struct map_value *v;
222 
223 	v = bpf_cgrp_storage_get(&cgrp_ls_map, cgrp, NULL, BPF_LOCAL_STORAGE_GET_F_CREATE);
224 	if (v)
225 		test_kptr(v);
226 	return 0;
227 }
228 
229 SEC("lsm/inode_unlink")
BPF_PROG(test_task_map_kptr,struct inode * inode,struct dentry * victim)230 int BPF_PROG(test_task_map_kptr, struct inode *inode, struct dentry *victim)
231 {
232 	struct task_struct *task;
233 	struct map_value *v;
234 
235 	task = bpf_get_current_task_btf();
236 	if (!task)
237 		return 0;
238 	v = bpf_task_storage_get(&task_ls_map, task, NULL, BPF_LOCAL_STORAGE_GET_F_CREATE);
239 	if (v)
240 		test_kptr(v);
241 	return 0;
242 }
243 
244 SEC("lsm/inode_unlink")
BPF_PROG(test_inode_map_kptr,struct inode * inode,struct dentry * victim)245 int BPF_PROG(test_inode_map_kptr, struct inode *inode, struct dentry *victim)
246 {
247 	struct map_value *v;
248 
249 	v = bpf_inode_storage_get(&inode_ls_map, inode, NULL, BPF_LOCAL_STORAGE_GET_F_CREATE);
250 	if (v)
251 		test_kptr(v);
252 	return 0;
253 }
254 
255 SEC("tc")
test_sk_map_kptr(struct __sk_buff * ctx)256 int test_sk_map_kptr(struct __sk_buff *ctx)
257 {
258 	struct map_value *v;
259 	struct bpf_sock *sk;
260 
261 	sk = ctx->sk;
262 	if (!sk)
263 		return 0;
264 	v = bpf_sk_storage_get(&sk_ls_map, sk, NULL, BPF_LOCAL_STORAGE_GET_F_CREATE);
265 	if (v)
266 		test_kptr(v);
267 	return 0;
268 }
269 
270 SEC("tc")
test_map_in_map_kptr(struct __sk_buff * ctx)271 int test_map_in_map_kptr(struct __sk_buff *ctx)
272 {
273 	struct map_value *v;
274 	int key = 0;
275 	void *map;
276 
277 #define TEST(map_in_map)                                \
278 	map = bpf_map_lookup_elem(&map_in_map, &key);   \
279 	if (!map)                                       \
280 		return 0;                               \
281 	v = bpf_map_lookup_elem(map, &key);		\
282 	if (!v)						\
283 		return 0;				\
284 	test_kptr(v)
285 
286 	TEST(array_of_array_maps);
287 	TEST(array_of_hash_maps);
288 	TEST(array_of_hash_malloc_maps);
289 	TEST(array_of_lru_hash_maps);
290 	TEST(array_of_pcpu_array_maps);
291 	TEST(array_of_pcpu_hash_maps);
292 	TEST(hash_of_array_maps);
293 	TEST(hash_of_hash_maps);
294 	TEST(hash_of_hash_malloc_maps);
295 	TEST(hash_of_lru_hash_maps);
296 	TEST(hash_of_pcpu_array_maps);
297 	TEST(hash_of_pcpu_hash_maps);
298 
299 #undef TEST
300 	return 0;
301 }
302 
303 int ref = 1;
304 
305 static __always_inline
test_map_kptr_ref_pre(struct map_value * v)306 int test_map_kptr_ref_pre(struct map_value *v)
307 {
308 	struct prog_test_ref_kfunc *p, *p_st;
309 	unsigned long arg = 0;
310 	int ret;
311 
312 	p = bpf_kfunc_call_test_acquire(&arg);
313 	if (!p)
314 		return 1;
315 	ref++;
316 
317 	p_st = p->next;
318 	if (p_st->cnt.refs.counter != ref) {
319 		ret = 2;
320 		goto end;
321 	}
322 
323 	p = bpf_kptr_xchg(&v->ref_ptr, p);
324 	if (p) {
325 		ret = 3;
326 		goto end;
327 	}
328 	if (p_st->cnt.refs.counter != ref)
329 		return 4;
330 
331 	p = bpf_kptr_xchg(&v->ref_ptr, NULL);
332 	if (!p)
333 		return 5;
334 	bpf_kfunc_call_test_release(p);
335 	ref--;
336 	if (p_st->cnt.refs.counter != ref)
337 		return 6;
338 
339 	p = bpf_kfunc_call_test_acquire(&arg);
340 	if (!p)
341 		return 7;
342 	ref++;
343 	p = bpf_kptr_xchg(&v->ref_ptr, p);
344 	if (p) {
345 		ret = 8;
346 		goto end;
347 	}
348 	if (p_st->cnt.refs.counter != ref)
349 		return 9;
350 	/* Leave in map */
351 
352 	return 0;
353 end:
354 	ref--;
355 	bpf_kfunc_call_test_release(p);
356 	return ret;
357 }
358 
359 static __always_inline
test_map_kptr_ref_post(struct map_value * v)360 int test_map_kptr_ref_post(struct map_value *v)
361 {
362 	struct prog_test_ref_kfunc *p, *p_st;
363 
364 	p_st = v->ref_ptr;
365 	if (!p_st || p_st->cnt.refs.counter != ref)
366 		return 1;
367 
368 	p = bpf_kptr_xchg(&v->ref_ptr, NULL);
369 	if (!p)
370 		return 2;
371 	if (p_st->cnt.refs.counter != ref) {
372 		bpf_kfunc_call_test_release(p);
373 		return 3;
374 	}
375 
376 	p = bpf_kptr_xchg(&v->ref_ptr, p);
377 	if (p) {
378 		bpf_kfunc_call_test_release(p);
379 		return 4;
380 	}
381 	if (p_st->cnt.refs.counter != ref)
382 		return 5;
383 
384 	return 0;
385 }
386 
387 #define TEST(map)                            \
388 	v = bpf_map_lookup_elem(&map, &key); \
389 	if (!v)                              \
390 		return -1;                   \
391 	ret = test_map_kptr_ref_pre(v);      \
392 	if (ret)                             \
393 		return ret;
394 
395 #define TEST_PCPU(map)                                 \
396 	v = bpf_map_lookup_percpu_elem(&map, &key, 0); \
397 	if (!v)                                        \
398 		return -1;                             \
399 	ret = test_map_kptr_ref_pre(v);                \
400 	if (ret)                                       \
401 		return ret;
402 
403 SEC("tc")
test_map_kptr_ref1(struct __sk_buff * ctx)404 int test_map_kptr_ref1(struct __sk_buff *ctx)
405 {
406 	struct map_value *v, val = {};
407 	int key = 0, ret;
408 
409 	bpf_map_update_elem(&hash_map, &key, &val, 0);
410 	bpf_map_update_elem(&hash_malloc_map, &key, &val, 0);
411 	bpf_map_update_elem(&lru_hash_map, &key, &val, 0);
412 
413 	bpf_map_update_elem(&pcpu_hash_map, &key, &val, 0);
414 	bpf_map_update_elem(&pcpu_hash_malloc_map, &key, &val, 0);
415 	bpf_map_update_elem(&lru_pcpu_hash_map, &key, &val, 0);
416 
417 	TEST(array_map);
418 	TEST(hash_map);
419 	TEST(hash_malloc_map);
420 	TEST(lru_hash_map);
421 
422 	TEST_PCPU(pcpu_array_map);
423 	TEST_PCPU(pcpu_hash_map);
424 	TEST_PCPU(pcpu_hash_malloc_map);
425 	TEST_PCPU(lru_pcpu_hash_map);
426 
427 	return 0;
428 }
429 
430 #undef TEST
431 #undef TEST_PCPU
432 
433 #define TEST(map)                            \
434 	v = bpf_map_lookup_elem(&map, &key); \
435 	if (!v)                              \
436 		return -1;                   \
437 	ret = test_map_kptr_ref_post(v);     \
438 	if (ret)                             \
439 		return ret;
440 
441 #define TEST_PCPU(map)                                 \
442 	v = bpf_map_lookup_percpu_elem(&map, &key, 0); \
443 	if (!v)                                        \
444 		return -1;                             \
445 	ret = test_map_kptr_ref_post(v);               \
446 	if (ret)                                       \
447 		return ret;
448 
449 SEC("tc")
test_map_kptr_ref2(struct __sk_buff * ctx)450 int test_map_kptr_ref2(struct __sk_buff *ctx)
451 {
452 	struct map_value *v;
453 	int key = 0, ret;
454 
455 	TEST(array_map);
456 	TEST(hash_map);
457 	TEST(hash_malloc_map);
458 	TEST(lru_hash_map);
459 
460 	TEST_PCPU(pcpu_array_map);
461 	TEST_PCPU(pcpu_hash_map);
462 	TEST_PCPU(pcpu_hash_malloc_map);
463 	TEST_PCPU(lru_pcpu_hash_map);
464 
465 	return 0;
466 }
467 
468 #undef TEST
469 #undef TEST_PCPU
470 
471 SEC("tc")
test_map_kptr_ref3(struct __sk_buff * ctx)472 int test_map_kptr_ref3(struct __sk_buff *ctx)
473 {
474 	struct prog_test_ref_kfunc *p;
475 	unsigned long sp = 0;
476 
477 	p = bpf_kfunc_call_test_acquire(&sp);
478 	if (!p)
479 		return 1;
480 	ref++;
481 	if (p->cnt.refs.counter != ref) {
482 		bpf_kfunc_call_test_release(p);
483 		return 2;
484 	}
485 	bpf_kfunc_call_test_release(p);
486 	ref--;
487 	return 0;
488 }
489 
490 SEC("syscall")
test_ls_map_kptr_ref1(void * ctx)491 int test_ls_map_kptr_ref1(void *ctx)
492 {
493 	struct task_struct *current;
494 	struct map_value *v;
495 
496 	current = bpf_get_current_task_btf();
497 	if (!current)
498 		return 100;
499 	v = bpf_task_storage_get(&task_ls_map, current, NULL, 0);
500 	if (v)
501 		return 150;
502 	v = bpf_task_storage_get(&task_ls_map, current, NULL, BPF_LOCAL_STORAGE_GET_F_CREATE);
503 	if (!v)
504 		return 200;
505 	return test_map_kptr_ref_pre(v);
506 }
507 
508 SEC("syscall")
test_ls_map_kptr_ref2(void * ctx)509 int test_ls_map_kptr_ref2(void *ctx)
510 {
511 	struct task_struct *current;
512 	struct map_value *v;
513 
514 	current = bpf_get_current_task_btf();
515 	if (!current)
516 		return 100;
517 	v = bpf_task_storage_get(&task_ls_map, current, NULL, 0);
518 	if (!v)
519 		return 200;
520 	return test_map_kptr_ref_post(v);
521 }
522 
523 SEC("syscall")
test_ls_map_kptr_ref_del(void * ctx)524 int test_ls_map_kptr_ref_del(void *ctx)
525 {
526 	struct task_struct *current;
527 	struct map_value *v;
528 
529 	current = bpf_get_current_task_btf();
530 	if (!current)
531 		return 100;
532 	v = bpf_task_storage_get(&task_ls_map, current, NULL, 0);
533 	if (!v)
534 		return 200;
535 	if (!v->ref_ptr)
536 		return 300;
537 	return bpf_task_storage_delete(&task_ls_map, current);
538 }
539 
540 char _license[] SEC("license") = "GPL";
541