// SPDX-License-Identifier: GPL-2.0-only
/* Copyright (c) 2017 Facebook
 */
#include <linux/bpf.h>
#include <linux/btf.h>
#include <linux/btf_ids.h>
#include <linux/slab.h>
#include <linux/init.h>
#include <linux/vmalloc.h>
#include <linux/etherdevice.h>
#include <linux/filter.h>
#include <linux/rcupdate_trace.h>
#include <linux/sched/signal.h>
#include <net/bpf_sk_storage.h>
#include <net/sock.h>
#include <net/tcp.h>
#include <net/net_namespace.h>
#include <net/page_pool.h>
#include <linux/error-injection.h>
#include <linux/smp.h>
#include <linux/sock_diag.h>
#include <linux/netfilter.h>
#include <net/xdp.h>
#include <net/netfilter/nf_bpf_link.h>

#define CREATE_TRACE_POINTS
#include <trace/events/bpf_test_run.h>

struct bpf_test_timer {
	enum { NO_PREEMPT, NO_MIGRATE } mode;
	u32 i;
	u64 time_start, time_spent;
};

static void bpf_test_timer_enter(struct bpf_test_timer *t)
	__acquires(rcu)
{
	rcu_read_lock();
	if (t->mode == NO_PREEMPT)
		preempt_disable();
	else
		migrate_disable();

	t->time_start = ktime_get_ns();
}

static void bpf_test_timer_leave(struct bpf_test_timer *t)
	__releases(rcu)
{
	t->time_start = 0;

	if (t->mode == NO_PREEMPT)
		preempt_enable();
	else
		migrate_enable();
	rcu_read_unlock();
}

static bool bpf_test_timer_continue(struct bpf_test_timer *t, int iterations,
				    u32 repeat, int *err, u32 *duration)
	__must_hold(rcu)
{
	t->i += iterations;
	if (t->i >= repeat) {
		/* We're done. */
		t->time_spent += ktime_get_ns() - t->time_start;
		do_div(t->time_spent, t->i);
		*duration = t->time_spent > U32_MAX ? U32_MAX : (u32)t->time_spent;
		*err = 0;
		goto reset;
	}

	if (signal_pending(current)) {
		/* During iteration: we've been cancelled, abort. */
		*err = -EINTR;
		goto reset;
	}

	if (need_resched()) {
		/* During iteration: we need to reschedule between runs. */
		t->time_spent += ktime_get_ns() - t->time_start;
		bpf_test_timer_leave(t);
		cond_resched();
		bpf_test_timer_enter(t);
	}

	/* Do another round. */
	return true;

reset:
	t->i = 0;
	return false;
}

/* We put this struct at the head of each page with a context and frame
 * initialised when the page is allocated, so we don't have to do this on each
 * repetition of the test run.
 */
struct xdp_page_head {
	struct xdp_buff orig_ctx;
	struct xdp_buff ctx;
	union {
		/* ::data_hard_start starts here */
		DECLARE_FLEX_ARRAY(struct xdp_frame, frame);
		DECLARE_FLEX_ARRAY(u8, data);
	};
};

struct xdp_test_data {
	struct xdp_buff *orig_ctx;
	struct xdp_rxq_info rxq;
	struct net_device *dev;
	struct page_pool *pp;
	struct xdp_frame **frames;
	struct sk_buff **skbs;
	struct xdp_mem_info mem;
	u32 batch_size;
	u32 frame_cnt;
};

/* tools/testing/selftests/bpf/prog_tests/xdp_do_redirect.c:%MAX_PKT_SIZE
 * must be updated accordingly if this gets changed, otherwise BPF selftests
 * will fail.
 */
#define TEST_XDP_FRAME_SIZE (PAGE_SIZE - sizeof(struct xdp_page_head))
#define TEST_XDP_MAX_BATCH 256

static void xdp_test_run_init_page(struct page *page, void *arg)
{
	struct xdp_page_head *head = phys_to_virt(page_to_phys(page));
	struct xdp_buff *new_ctx, *orig_ctx;
	u32 headroom = XDP_PACKET_HEADROOM;
	struct xdp_test_data *xdp = arg;
	size_t frm_len, meta_len;
	struct xdp_frame *frm;
	void *data;

	orig_ctx = xdp->orig_ctx;
	frm_len = orig_ctx->data_end - orig_ctx->data_meta;
	meta_len = orig_ctx->data - orig_ctx->data_meta;
	headroom -= meta_len;

	new_ctx = &head->ctx;
	frm = head->frame;
	data = head->data;
	memcpy(data + headroom, orig_ctx->data_meta, frm_len);

	xdp_init_buff(new_ctx, TEST_XDP_FRAME_SIZE, &xdp->rxq);
	xdp_prepare_buff(new_ctx, data, headroom, frm_len, true);
	new_ctx->data = new_ctx->data_meta + meta_len;

	xdp_update_frame_from_buff(new_ctx, frm);
	frm->mem = new_ctx->rxq->mem;

	memcpy(&head->orig_ctx, new_ctx, sizeof(head->orig_ctx));
}

static int xdp_test_run_setup(struct xdp_test_data *xdp, struct xdp_buff *orig_ctx)
{
	struct page_pool *pp;
	int err = -ENOMEM;
	struct page_pool_params pp_params = {
		.order = 0,
		.flags = 0,
		.pool_size = xdp->batch_size,
		.nid = NUMA_NO_NODE,
		.init_callback = xdp_test_run_init_page,
		.init_arg = xdp,
	};

	xdp->frames = kvmalloc_array(xdp->batch_size, sizeof(void *), GFP_KERNEL);
	if (!xdp->frames)
		return -ENOMEM;

	xdp->skbs = kvmalloc_array(xdp->batch_size, sizeof(void *), GFP_KERNEL);
	if (!xdp->skbs)
		goto err_skbs;

	pp = page_pool_create(&pp_params);
	if (IS_ERR(pp)) {
		err = PTR_ERR(pp);
		goto err_pp;
	}

	/* will copy 'mem.id' into pp->xdp_mem_id */
	err = xdp_reg_mem_model(&xdp->mem, MEM_TYPE_PAGE_POOL, pp);
	if (err)
		goto err_mmodel;

	xdp->pp = pp;

	/* We create a 'fake' RXQ referencing the original dev, but with an
	 * xdp_mem_info pointing to our page_pool
	 */
	xdp_rxq_info_reg(&xdp->rxq, orig_ctx->rxq->dev, 0, 0);
	xdp->rxq.mem.type = MEM_TYPE_PAGE_POOL;
	xdp->rxq.mem.id = pp->xdp_mem_id;
	xdp->dev = orig_ctx->rxq->dev;
	xdp->orig_ctx = orig_ctx;

	return 0;

err_mmodel:
	page_pool_destroy(pp);
err_pp:
	kvfree(xdp->skbs);
err_skbs:
	kvfree(xdp->frames);
	return err;
}

static void xdp_test_run_teardown(struct xdp_test_data *xdp)
{
	xdp_unreg_mem_model(&xdp->mem);
	page_pool_destroy(xdp->pp);
	kvfree(xdp->frames);
	kvfree(xdp->skbs);
}

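/* Helpers for skipping the context reset between runs: if the previous run
 * left the frame and the three data pointers untouched, reset_ctx() does not
 * need to restore anything from the pristine copy in xdp_page_head::orig_ctx.
 */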
static bool frame_was_changed(const struct xdp_page_head *head)
{
	/* xdp_scrub_frame() zeroes the data pointer, flags is the last field,
	 * i.e. it has the highest chance of being overwritten. If those two are
	 * untouched, it's most likely safe to skip the context reset.
	 */
	return head->frame->data != head->orig_ctx.data ||
	       head->frame->flags != head->orig_ctx.flags;
}

static bool ctx_was_changed(struct xdp_page_head *head)
{
	return head->orig_ctx.data != head->ctx.data ||
		head->orig_ctx.data_meta != head->ctx.data_meta ||
		head->orig_ctx.data_end != head->ctx.data_end;
}

static void reset_ctx(struct xdp_page_head *head)
{
	if (likely(!frame_was_changed(head) && !ctx_was_changed(head)))
		return;

	head->ctx.data = head->orig_ctx.data;
	head->ctx.data_meta = head->orig_ctx.data_meta;
	head->ctx.data_end = head->orig_ctx.data_end;
	xdp_update_frame_from_buff(&head->ctx, head->frame);
}

static int xdp_recv_frames(struct xdp_frame **frames, int nframes,
			   struct sk_buff **skbs,
			   struct net_device *dev)
{
	gfp_t gfp = __GFP_ZERO | GFP_ATOMIC;
	int i, n;
	LIST_HEAD(list);

	n = kmem_cache_alloc_bulk(skbuff_cache, gfp, nframes, (void **)skbs);
	if (unlikely(n == 0)) {
		for (i = 0; i < nframes; i++)
			xdp_return_frame(frames[i]);
		return -ENOMEM;
	}

	for (i = 0; i < nframes; i++) {
		struct xdp_frame *xdpf = frames[i];
		struct sk_buff *skb = skbs[i];

		skb = __xdp_build_skb_from_frame(xdpf, skb, dev);
		if (!skb) {
			xdp_return_frame(xdpf);
			continue;
		}

		list_add_tail(&skb->list, &list);
	}
	netif_receive_skb_list(&list);

	return 0;
}

static int xdp_test_run_batch(struct xdp_test_data *xdp, struct bpf_prog *prog,
			      u32 repeat)
{
	struct bpf_redirect_info *ri = this_cpu_ptr(&bpf_redirect_info);
	int err = 0, act, ret, i, nframes = 0, batch_sz;
	struct xdp_frame **frames = xdp->frames;
	struct xdp_page_head *head;
	struct xdp_frame *frm;
	bool redirect = false;
	struct xdp_buff *ctx;
	struct page *page;

	batch_sz = min_t(u32, repeat, xdp->batch_size);

	local_bh_disable();
	xdp_set_return_frame_no_direct();

	for (i = 0; i < batch_sz; i++) {
		page = page_pool_dev_alloc_pages(xdp->pp);
		if (!page) {
			err = -ENOMEM;
			goto out;
		}

		head = phys_to_virt(page_to_phys(page));
		reset_ctx(head);
		ctx = &head->ctx;
		frm = head->frame;
		xdp->frame_cnt++;

		act = bpf_prog_run_xdp(prog, ctx);

		/* if program changed pkt bounds we need to update the xdp_frame */
		if (unlikely(ctx_was_changed(head))) {
			ret = xdp_update_frame_from_buff(ctx, frm);
			if (ret) {
				xdp_return_buff(ctx);
				continue;
			}
		}

		switch (act) {
		case XDP_TX:
			/* we can't do a real XDP_TX since we're not in the
			 * driver, so turn it into a REDIRECT back to the same
			 * index
			 */
			ri->tgt_index = xdp->dev->ifindex;
			ri->map_id = INT_MAX;
			ri->map_type = BPF_MAP_TYPE_UNSPEC;
			fallthrough;
		case XDP_REDIRECT:
			redirect = true;
			ret = xdp_do_redirect_frame(xdp->dev, ctx, frm, prog);
			if (ret)
				xdp_return_buff(ctx);
			break;
		case XDP_PASS:
			frames[nframes++] = frm;
			break;
		default:
			bpf_warn_invalid_xdp_action(NULL, prog, act);
			fallthrough;
		case XDP_DROP:
			xdp_return_buff(ctx);
			break;
		}
	}

out:
	if (redirect)
		xdp_do_flush();
	if (nframes) {
		ret = xdp_recv_frames(frames, nframes, xdp->skbs, xdp->dev);
		if (ret)
			err = ret;
	}

	xdp_clear_return_frame_no_direct();
	local_bh_enable();
	return err;
}

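/* Run an XDP program in "live frames" mode: frames produced by the program
 * are actually acted upon, XDP_TX/XDP_REDIRECT frames are redirected and
 * XDP_PASS frames are injected into the stack. Pages are recycled through a
 * private page_pool, so each batch reuses the context pre-initialised by
 * xdp_test_run_init_page().
 */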
static int bpf_test_run_xdp_live(struct bpf_prog *prog, struct xdp_buff *ctx,
				 u32 repeat, u32 batch_size, u32 *time)
{
	struct xdp_test_data xdp = { .batch_size = batch_size };
	struct bpf_test_timer t = { .mode = NO_MIGRATE };
	int ret;

	if (!repeat)
		repeat = 1;

	ret = xdp_test_run_setup(&xdp, ctx);
	if (ret)
		return ret;

	bpf_test_timer_enter(&t);
	do {
		xdp.frame_cnt = 0;
		ret = xdp_test_run_batch(&xdp, prog, repeat - t.i);
		if (unlikely(ret < 0))
			break;
	} while (bpf_test_timer_continue(&t, xdp.frame_cnt, repeat, &ret, time));
	bpf_test_timer_leave(&t);

	xdp_test_run_teardown(&xdp);
	return ret;
}

static int bpf_test_run(struct bpf_prog *prog, void *ctx, u32 repeat,
			u32 *retval, u32 *time, bool xdp)
{
	struct bpf_prog_array_item item = {.prog = prog};
	struct bpf_run_ctx *old_ctx;
	struct bpf_cg_run_ctx run_ctx;
	struct bpf_test_timer t = { NO_MIGRATE };
	enum bpf_cgroup_storage_type stype;
	int ret;

	for_each_cgroup_storage_type(stype) {
		item.cgroup_storage[stype] = bpf_cgroup_storage_alloc(prog, stype);
		if (IS_ERR(item.cgroup_storage[stype])) {
			item.cgroup_storage[stype] = NULL;
			for_each_cgroup_storage_type(stype)
				bpf_cgroup_storage_free(item.cgroup_storage[stype]);
			return -ENOMEM;
		}
	}

	if (!repeat)
		repeat = 1;

	bpf_test_timer_enter(&t);
	old_ctx = bpf_set_run_ctx(&run_ctx.run_ctx);
	do {
		run_ctx.prog_item = &item;
		local_bh_disable();
		if (xdp)
			*retval = bpf_prog_run_xdp(prog, ctx);
		else
			*retval = bpf_prog_run(prog, ctx);
		local_bh_enable();
	} while (bpf_test_timer_continue(&t, 1, repeat, &ret, time));
	bpf_reset_run_ctx(old_ctx);
	bpf_test_timer_leave(&t);

	for_each_cgroup_storage_type(stype)
		bpf_cgroup_storage_free(item.cgroup_storage[stype]);

	return ret;
}

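/* Copy the run results back to user space: packet data (and any frags) go to
 * data_out, clamped to the user-supplied buffer size, while retval and the
 * average per-run duration are written into the attr. Returns -ENOSPC if the
 * output had to be truncated.
 */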
static int bpf_test_finish(const union bpf_attr *kattr,
			   union bpf_attr __user *uattr, const void *data,
			   struct skb_shared_info *sinfo, u32 size,
			   u32 retval, u32 duration)
{
	void __user *data_out = u64_to_user_ptr(kattr->test.data_out);
	int err = -EFAULT;
	u32 copy_size = size;

	/* Clamp copy if the user has provided a size hint, but copy the full
	 * buffer if not to retain old behaviour.
	 */
	if (kattr->test.data_size_out &&
	    copy_size > kattr->test.data_size_out) {
		copy_size = kattr->test.data_size_out;
		err = -ENOSPC;
	}

	if (data_out) {
		int len = sinfo ? copy_size - sinfo->xdp_frags_size : copy_size;

		if (len < 0) {
			err = -ENOSPC;
			goto out;
		}

		if (copy_to_user(data_out, data, len))
			goto out;

		if (sinfo) {
			int i, offset = len;
			u32 data_len;

			for (i = 0; i < sinfo->nr_frags; i++) {
				skb_frag_t *frag = &sinfo->frags[i];

				if (offset >= copy_size) {
					err = -ENOSPC;
					break;
				}

				data_len = min_t(u32, copy_size - offset,
						 skb_frag_size(frag));

				if (copy_to_user(data_out + offset,
						 skb_frag_address(frag),
						 data_len))
					goto out;

				offset += data_len;
			}
		}
	}

	if (copy_to_user(&uattr->test.data_size_out, &size, sizeof(size)))
		goto out;
	if (copy_to_user(&uattr->test.retval, &retval, sizeof(retval)))
		goto out;
	if (copy_to_user(&uattr->test.duration, &duration, sizeof(duration)))
		goto out;
	if (err != -ENOSPC)
		err = 0;
out:
	trace_bpf_test_finish(&err);
	return err;
}

/* Integer types of various sizes and pointer combinations cover a variety of
 * architecture-dependent calling conventions. 7+ can be supported in the
 * future.
 */
__diag_push();
__diag_ignore_all("-Wmissing-prototypes",
		  "Global functions as their definitions will be in vmlinux BTF");
__bpf_kfunc int bpf_fentry_test1(int a)
{
	return a + 1;
}
EXPORT_SYMBOL_GPL(bpf_fentry_test1);

int noinline bpf_fentry_test2(int a, u64 b)
{
	return a + b;
}

int noinline bpf_fentry_test3(char a, int b, u64 c)
{
	return a + b + c;
}

int noinline bpf_fentry_test4(void *a, char b, int c, u64 d)
{
	return (long)a + b + c + d;
}

int noinline bpf_fentry_test5(u64 a, void *b, short c, int d, u64 e)
{
	return a + (long)b + c + d + e;
}

int noinline bpf_fentry_test6(u64 a, void *b, short c, int d, void *e, u64 f)
{
	return a + (long)b + c + d + (long)e + f;
}

struct bpf_fentry_test_t {
	struct bpf_fentry_test_t *a;
};

int noinline bpf_fentry_test7(struct bpf_fentry_test_t *arg)
{
	return (long)arg;
}

int noinline bpf_fentry_test8(struct bpf_fentry_test_t *arg)
{
	return (long)arg->a;
}

__bpf_kfunc u32 bpf_fentry_test9(u32 *a)
{
	return *a;
}

__bpf_kfunc int bpf_modify_return_test(int a, int *b)
{
	*b += 1;
	return a + *b;
}

__bpf_kfunc u64 bpf_kfunc_call_test1(struct sock *sk, u32 a, u64 b, u32 c, u64 d)
{
	return a + b + c + d;
}

__bpf_kfunc int bpf_kfunc_call_test2(struct sock *sk, u32 a, u32 b)
{
	return a + b;
}

__bpf_kfunc struct sock *bpf_kfunc_call_test3(struct sock *sk)
{
	return sk;
}

long noinline bpf_kfunc_call_test4(signed char a, short b, int c, long d)
{
	/* Provoke the compiler to assume that the caller has sign-extended a,
	 * b and c on platforms where this is required (e.g. s390x).
	 */
	return (long)a + (long)b + (long)c + d;
}

int noinline bpf_fentry_shadow_test(int a)
{
	return a + 1;
}

struct prog_test_member1 {
	int a;
};

struct prog_test_member {
	struct prog_test_member1 m;
	int c;
};

struct prog_test_ref_kfunc {
	int a;
	int b;
	struct prog_test_member memb;
	struct prog_test_ref_kfunc *next;
	refcount_t cnt;
};

static struct prog_test_ref_kfunc prog_test_struct = {
	.a = 42,
	.b = 108,
	.next = &prog_test_struct,
	.cnt = REFCOUNT_INIT(1),
};

__bpf_kfunc struct prog_test_ref_kfunc *
bpf_kfunc_call_test_acquire(unsigned long *scalar_ptr)
{
	refcount_inc(&prog_test_struct.cnt);
	return &prog_test_struct;
}

__bpf_kfunc void bpf_kfunc_call_test_offset(struct prog_test_ref_kfunc *p)
{
	WARN_ON_ONCE(1);
}

__bpf_kfunc struct prog_test_member *
bpf_kfunc_call_memb_acquire(void)
{
	WARN_ON_ONCE(1);
	return NULL;
}

__bpf_kfunc void bpf_kfunc_call_test_release(struct prog_test_ref_kfunc *p)
{
	refcount_dec(&p->cnt);
}

__bpf_kfunc void bpf_kfunc_call_memb_release(struct prog_test_member *p)
{
}

__bpf_kfunc void bpf_kfunc_call_memb1_release(struct prog_test_member1 *p)
{
	WARN_ON_ONCE(1);
}

static int *__bpf_kfunc_call_test_get_mem(struct prog_test_ref_kfunc *p, const int size)
{
	if (size > 2 * sizeof(int))
		return NULL;

	return (int *)p;
}

__bpf_kfunc int *bpf_kfunc_call_test_get_rdwr_mem(struct prog_test_ref_kfunc *p,
						  const int rdwr_buf_size)
{
	return __bpf_kfunc_call_test_get_mem(p, rdwr_buf_size);
}

__bpf_kfunc int *bpf_kfunc_call_test_get_rdonly_mem(struct prog_test_ref_kfunc *p,
						    const int rdonly_buf_size)
{
	return __bpf_kfunc_call_test_get_mem(p, rdonly_buf_size);
}

/* the next 2 ones can't really be used for testing, except to ensure that
 * the verifier rejects the call.
 * Acquire functions must return struct pointers, so these ones are
 * failing.
 */
__bpf_kfunc int *bpf_kfunc_call_test_acq_rdonly_mem(struct prog_test_ref_kfunc *p,
						    const int rdonly_buf_size)
{
	return __bpf_kfunc_call_test_get_mem(p, rdonly_buf_size);
}

__bpf_kfunc void bpf_kfunc_call_int_mem_release(int *p)
{
}

struct prog_test_pass1 {
	int x0;
	struct {
		int x1;
		struct {
			int x2;
			struct {
				int x3;
			};
		};
	};
};

struct prog_test_pass2 {
	int len;
	short arr1[4];
	struct {
		char arr2[4];
		unsigned long arr3[8];
	} x;
};

struct prog_test_fail1 {
	void *p;
	int x;
};

struct prog_test_fail2 {
	int x8;
	struct prog_test_pass1 x;
};

struct prog_test_fail3 {
	int len;
	char arr1[2];
	char arr2[];
};

__bpf_kfunc void bpf_kfunc_call_test_pass_ctx(struct __sk_buff *skb)
{
}

__bpf_kfunc void bpf_kfunc_call_test_pass1(struct prog_test_pass1 *p)
{
}

__bpf_kfunc void bpf_kfunc_call_test_pass2(struct prog_test_pass2 *p)
{
}

__bpf_kfunc void bpf_kfunc_call_test_fail1(struct prog_test_fail1 *p)
{
}

__bpf_kfunc void bpf_kfunc_call_test_fail2(struct prog_test_fail2 *p)
{
}

__bpf_kfunc void bpf_kfunc_call_test_fail3(struct prog_test_fail3 *p)
{
}

__bpf_kfunc void bpf_kfunc_call_test_mem_len_pass1(void *mem, int mem__sz)
{
}

__bpf_kfunc void bpf_kfunc_call_test_mem_len_fail1(void *mem, int len)
{
}

__bpf_kfunc void bpf_kfunc_call_test_mem_len_fail2(u64 *mem, int len)
{
}

__bpf_kfunc void bpf_kfunc_call_test_ref(struct prog_test_ref_kfunc *p)
{
	/* p != NULL, but p->cnt could be 0 */
}

__bpf_kfunc void bpf_kfunc_call_test_destructive(void)
{
}

__bpf_kfunc static u32 bpf_kfunc_call_test_static_unused_arg(u32 arg, u32 unused)
{
	return arg;
}

__diag_pop();

BTF_SET8_START(bpf_test_modify_return_ids)
BTF_ID_FLAGS(func, bpf_modify_return_test)
BTF_ID_FLAGS(func, bpf_fentry_test1, KF_SLEEPABLE)
BTF_SET8_END(bpf_test_modify_return_ids)

static const struct btf_kfunc_id_set bpf_test_modify_return_set = {
	.owner = THIS_MODULE,
	.set = &bpf_test_modify_return_ids,
};

BTF_SET8_START(test_sk_check_kfunc_ids)
BTF_ID_FLAGS(func, bpf_kfunc_call_test1)
BTF_ID_FLAGS(func, bpf_kfunc_call_test2)
BTF_ID_FLAGS(func, bpf_kfunc_call_test3)
BTF_ID_FLAGS(func, bpf_kfunc_call_test4)
BTF_ID_FLAGS(func, bpf_kfunc_call_test_acquire, KF_ACQUIRE | KF_RET_NULL)
BTF_ID_FLAGS(func, bpf_kfunc_call_memb_acquire, KF_ACQUIRE | KF_RET_NULL)
BTF_ID_FLAGS(func, bpf_kfunc_call_test_release, KF_RELEASE)
BTF_ID_FLAGS(func, bpf_kfunc_call_memb_release, KF_RELEASE)
BTF_ID_FLAGS(func, bpf_kfunc_call_memb1_release, KF_RELEASE)
BTF_ID_FLAGS(func, bpf_kfunc_call_test_get_rdwr_mem, KF_RET_NULL)
BTF_ID_FLAGS(func, bpf_kfunc_call_test_get_rdonly_mem, KF_RET_NULL)
BTF_ID_FLAGS(func, bpf_kfunc_call_test_acq_rdonly_mem, KF_ACQUIRE | KF_RET_NULL)
BTF_ID_FLAGS(func, bpf_kfunc_call_int_mem_release, KF_RELEASE)
BTF_ID_FLAGS(func, bpf_kfunc_call_test_pass_ctx)
BTF_ID_FLAGS(func, bpf_kfunc_call_test_pass1)
BTF_ID_FLAGS(func, bpf_kfunc_call_test_pass2)
BTF_ID_FLAGS(func, bpf_kfunc_call_test_fail1)
BTF_ID_FLAGS(func, bpf_kfunc_call_test_fail2)
BTF_ID_FLAGS(func, bpf_kfunc_call_test_fail3)
BTF_ID_FLAGS(func, bpf_kfunc_call_test_mem_len_pass1)
BTF_ID_FLAGS(func, bpf_kfunc_call_test_mem_len_fail1)
BTF_ID_FLAGS(func, bpf_kfunc_call_test_mem_len_fail2)
BTF_ID_FLAGS(func, bpf_kfunc_call_test_ref, KF_TRUSTED_ARGS | KF_RCU)
BTF_ID_FLAGS(func, bpf_kfunc_call_test_destructive, KF_DESTRUCTIVE)
BTF_ID_FLAGS(func, bpf_kfunc_call_test_static_unused_arg)
BTF_ID_FLAGS(func, bpf_kfunc_call_test_offset)
BTF_SET8_END(test_sk_check_kfunc_ids)

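/* Allocate a zeroed kernel buffer with the requested headroom/tailroom and
 * copy the user-supplied packet data into it. Returns an ERR_PTR() on
 * failure; on success the caller owns the buffer and must kfree() it or hand
 * it to an skb that will.
 */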
static void *bpf_test_init(const union bpf_attr *kattr, u32 user_size,
			   u32 size, u32 headroom, u32 tailroom)
{
	void __user *data_in = u64_to_user_ptr(kattr->test.data_in);
	void *data;

	if (size < ETH_HLEN || size > PAGE_SIZE - headroom - tailroom)
		return ERR_PTR(-EINVAL);

	if (user_size > size)
		return ERR_PTR(-EMSGSIZE);

	size = SKB_DATA_ALIGN(size);
	data = kzalloc(size + headroom + tailroom, GFP_USER);
	if (!data)
		return ERR_PTR(-ENOMEM);

	if (copy_from_user(data + headroom, data_in, user_size)) {
		kfree(data);
		return ERR_PTR(-EFAULT);
	}

	return data;
}

int bpf_prog_test_run_tracing(struct bpf_prog *prog,
			      const union bpf_attr *kattr,
			      union bpf_attr __user *uattr)
{
	struct bpf_fentry_test_t arg = {};
	u16 side_effect = 0, ret = 0;
	int b = 2, err = -EFAULT;
	u32 retval = 0;

	if (kattr->test.flags || kattr->test.cpu || kattr->test.batch_size)
		return -EINVAL;

	switch (prog->expected_attach_type) {
	case BPF_TRACE_FENTRY:
	case BPF_TRACE_FEXIT:
		if (bpf_fentry_test1(1) != 2 ||
		    bpf_fentry_test2(2, 3) != 5 ||
		    bpf_fentry_test3(4, 5, 6) != 15 ||
		    bpf_fentry_test4((void *)7, 8, 9, 10) != 34 ||
		    bpf_fentry_test5(11, (void *)12, 13, 14, 15) != 65 ||
		    bpf_fentry_test6(16, (void *)17, 18, 19, (void *)20, 21) != 111 ||
		    bpf_fentry_test7((struct bpf_fentry_test_t *)0) != 0 ||
		    bpf_fentry_test8(&arg) != 0 ||
		    bpf_fentry_test9(&retval) != 0)
			goto out;
		break;
	case BPF_MODIFY_RETURN:
		ret = bpf_modify_return_test(1, &b);
		if (b != 2)
			side_effect = 1;
		break;
	default:
		goto out;
	}

	retval = ((u32)side_effect << 16) | ret;
	if (copy_to_user(&uattr->test.retval, &retval, sizeof(retval)))
		goto out;

	err = 0;
out:
	trace_bpf_test_finish(&err);
	return err;
}

struct bpf_raw_tp_test_run_info {
	struct bpf_prog *prog;
	void *ctx;
	u32 retval;
};

static void
__bpf_prog_test_run_raw_tp(void *data)
{
	struct bpf_raw_tp_test_run_info *info = data;

	rcu_read_lock();
	info->retval = bpf_prog_run(info->prog, info->ctx);
	rcu_read_unlock();
}

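/* Test-run a raw tracepoint program. With BPF_F_TEST_RUN_ON_CPU the program
 * is executed on the requested CPU via smp_call_function_single(); otherwise
 * it runs on the current CPU.
 */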
int bpf_prog_test_run_raw_tp(struct bpf_prog *prog,
			     const union bpf_attr *kattr,
			     union bpf_attr __user *uattr)
{
	void __user *ctx_in = u64_to_user_ptr(kattr->test.ctx_in);
	__u32 ctx_size_in = kattr->test.ctx_size_in;
	struct bpf_raw_tp_test_run_info info;
	int cpu = kattr->test.cpu, err = 0;
	int current_cpu;

	/* doesn't support data_in/out, ctx_out, duration, or repeat */
	if (kattr->test.data_in || kattr->test.data_out ||
	    kattr->test.ctx_out || kattr->test.duration ||
	    kattr->test.repeat || kattr->test.batch_size)
		return -EINVAL;

	if (ctx_size_in < prog->aux->max_ctx_offset ||
	    ctx_size_in > MAX_BPF_FUNC_ARGS * sizeof(u64))
		return -EINVAL;

	if ((kattr->test.flags & BPF_F_TEST_RUN_ON_CPU) == 0 && cpu != 0)
		return -EINVAL;

	if (ctx_size_in) {
		info.ctx = memdup_user(ctx_in, ctx_size_in);
		if (IS_ERR(info.ctx))
			return PTR_ERR(info.ctx);
	} else {
		info.ctx = NULL;
	}

	info.prog = prog;

	current_cpu = get_cpu();
	if ((kattr->test.flags & BPF_F_TEST_RUN_ON_CPU) == 0 ||
	    cpu == current_cpu) {
		__bpf_prog_test_run_raw_tp(&info);
	} else if (cpu >= nr_cpu_ids || !cpu_online(cpu)) {
		/* smp_call_function_single() also checks cpu_online()
		 * after csd_lock(). However, since cpu is from user
		 * space, let's do an extra quick check to filter out
		 * invalid value before smp_call_function_single().
		 */
		err = -ENXIO;
	} else {
		err = smp_call_function_single(cpu, __bpf_prog_test_run_raw_tp,
					       &info, 1);
	}
	put_cpu();

	if (!err &&
	    copy_to_user(&uattr->test.retval, &info.retval, sizeof(u32)))
		err = -EFAULT;

	kfree(info.ctx);
	return err;
}

static void *bpf_ctx_init(const union bpf_attr *kattr, u32 max_size)
{
	void __user *data_in = u64_to_user_ptr(kattr->test.ctx_in);
	void __user *data_out = u64_to_user_ptr(kattr->test.ctx_out);
	u32 size = kattr->test.ctx_size_in;
	void *data;
	int err;

	if (!data_in && !data_out)
		return NULL;

	data = kzalloc(max_size, GFP_USER);
	if (!data)
		return ERR_PTR(-ENOMEM);

	if (data_in) {
		err = bpf_check_uarg_tail_zero(USER_BPFPTR(data_in), max_size, size);
		if (err) {
			kfree(data);
			return ERR_PTR(err);
		}

		size = min_t(u32, max_size, size);
		if (copy_from_user(data, data_in, size)) {
			kfree(data);
			return ERR_PTR(-EFAULT);
		}
	}
	return data;
}

static int bpf_ctx_finish(const union bpf_attr *kattr,
			  union bpf_attr __user *uattr, const void *data,
			  u32 size)
{
	void __user *data_out = u64_to_user_ptr(kattr->test.ctx_out);
	int err = -EFAULT;
	u32 copy_size = size;

	if (!data || !data_out)
		return 0;

	if (copy_size > kattr->test.ctx_size_out) {
		copy_size = kattr->test.ctx_size_out;
		err = -ENOSPC;
	}

	if (copy_to_user(data_out, data, copy_size))
		goto out;
	if (copy_to_user(&uattr->test.ctx_size_out, &size, sizeof(size)))
		goto out;
	if (err != -ENOSPC)
		err = 0;
out:
	return err;
}

/**
 * range_is_zero - test whether buffer is initialized
 * @buf: buffer to check
 * @from: check from this position
 * @to: check up until (excluding) this position
 *
 * This function returns true if there is no non-zero byte in the buf in the
 * range [from, to), i.e. the checked range is fully zeroed.
 */
static inline bool range_is_zero(void *buf, size_t from, size_t to)
{
	return !memchr_inv((u8 *)buf + from, 0, to - from);
}

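/* Only a whitelisted subset of __sk_buff fields may be set by user space when
 * a context is passed in; every other field has to be zero, otherwise the
 * test run is rejected with -EINVAL.
 */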
static int convert___skb_to_skb(struct sk_buff *skb, struct __sk_buff *__skb)
{
	struct qdisc_skb_cb *cb = (struct qdisc_skb_cb *)skb->cb;

	if (!__skb)
		return 0;

	/* make sure the fields we don't use are zeroed */
	if (!range_is_zero(__skb, 0, offsetof(struct __sk_buff, mark)))
		return -EINVAL;

	/* mark is allowed */

	if (!range_is_zero(__skb, offsetofend(struct __sk_buff, mark),
			   offsetof(struct __sk_buff, priority)))
		return -EINVAL;

	/* priority is allowed */
	/* ingress_ifindex is allowed */
	/* ifindex is allowed */

	if (!range_is_zero(__skb, offsetofend(struct __sk_buff, ifindex),
			   offsetof(struct __sk_buff, cb)))
		return -EINVAL;

	/* cb is allowed */

	if (!range_is_zero(__skb, offsetofend(struct __sk_buff, cb),
			   offsetof(struct __sk_buff, tstamp)))
		return -EINVAL;

	/* tstamp is allowed */
	/* wire_len is allowed */
	/* gso_segs is allowed */

	if (!range_is_zero(__skb, offsetofend(struct __sk_buff, gso_segs),
			   offsetof(struct __sk_buff, gso_size)))
		return -EINVAL;

	/* gso_size is allowed */

	if (!range_is_zero(__skb, offsetofend(struct __sk_buff, gso_size),
			   offsetof(struct __sk_buff, hwtstamp)))
		return -EINVAL;

	/* hwtstamp is allowed */

	if (!range_is_zero(__skb, offsetofend(struct __sk_buff, hwtstamp),
			   sizeof(struct __sk_buff)))
		return -EINVAL;

	skb->mark = __skb->mark;
	skb->priority = __skb->priority;
	skb->skb_iif = __skb->ingress_ifindex;
	skb->tstamp = __skb->tstamp;
	memcpy(&cb->data, __skb->cb, QDISC_CB_PRIV_LEN);

	if (__skb->wire_len == 0) {
		cb->pkt_len = skb->len;
	} else {
		if (__skb->wire_len < skb->len ||
		    __skb->wire_len > GSO_LEGACY_MAX_SIZE)
			return -EINVAL;
		cb->pkt_len = __skb->wire_len;
	}

	if (__skb->gso_segs > GSO_MAX_SEGS)
		return -EINVAL;
	skb_shinfo(skb)->gso_segs = __skb->gso_segs;
	skb_shinfo(skb)->gso_size = __skb->gso_size;
	skb_shinfo(skb)->hwtstamps.hwtstamp = __skb->hwtstamp;

	return 0;
}

static void convert_skb_to___skb(struct sk_buff *skb, struct __sk_buff *__skb)
{
	struct qdisc_skb_cb *cb = (struct qdisc_skb_cb *)skb->cb;

	if (!__skb)
		return;

	__skb->mark = skb->mark;
	__skb->priority = skb->priority;
	__skb->ingress_ifindex = skb->skb_iif;
	__skb->ifindex = skb->dev->ifindex;
	__skb->tstamp = skb->tstamp;
	memcpy(__skb->cb, &cb->data, QDISC_CB_PRIV_LEN);
	__skb->wire_len = cb->pkt_len;
	__skb->gso_segs = skb_shinfo(skb)->gso_segs;
	__skb->hwtstamp = skb_shinfo(skb)->hwtstamps.hwtstamp;
}

static struct proto bpf_dummy_proto = {
	.name = "bpf_dummy",
	.owner = THIS_MODULE,
	.obj_size = sizeof(struct sock),
};

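/* Build a dummy socket and an skb around the user-supplied packet data, run
 * the program the requested number of times, and copy the (possibly modified)
 * packet and __sk_buff context back to user space.
 */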
int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
			  union bpf_attr __user *uattr)
{
	bool is_l2 = false, is_direct_pkt_access = false;
	struct net *net = current->nsproxy->net_ns;
	struct net_device *dev = net->loopback_dev;
	u32 size = kattr->test.data_size_in;
	u32 repeat = kattr->test.repeat;
	struct __sk_buff *ctx = NULL;
	u32 retval, duration;
	int hh_len = ETH_HLEN;
	struct sk_buff *skb;
	struct sock *sk;
	void *data;
	int ret;

	if (kattr->test.flags || kattr->test.cpu || kattr->test.batch_size)
		return -EINVAL;

	data = bpf_test_init(kattr, kattr->test.data_size_in,
			     size, NET_SKB_PAD + NET_IP_ALIGN,
			     SKB_DATA_ALIGN(sizeof(struct skb_shared_info)));
	if (IS_ERR(data))
		return PTR_ERR(data);

	ctx = bpf_ctx_init(kattr, sizeof(struct __sk_buff));
	if (IS_ERR(ctx)) {
		kfree(data);
		return PTR_ERR(ctx);
	}

	switch (prog->type) {
	case BPF_PROG_TYPE_SCHED_CLS:
	case BPF_PROG_TYPE_SCHED_ACT:
		is_l2 = true;
		fallthrough;
	case BPF_PROG_TYPE_LWT_IN:
	case BPF_PROG_TYPE_LWT_OUT:
	case BPF_PROG_TYPE_LWT_XMIT:
		is_direct_pkt_access = true;
		break;
	default:
		break;
	}

	sk = sk_alloc(net, AF_UNSPEC, GFP_USER, &bpf_dummy_proto, 1);
	if (!sk) {
		kfree(data);
		kfree(ctx);
		return -ENOMEM;
	}
	sock_init_data(NULL, sk);

	skb = slab_build_skb(data);
	if (!skb) {
		kfree(data);
		kfree(ctx);
		sk_free(sk);
		return -ENOMEM;
	}
	skb->sk = sk;

	skb_reserve(skb, NET_SKB_PAD + NET_IP_ALIGN);
	__skb_put(skb, size);
	if (ctx && ctx->ifindex > 1) {
		dev = dev_get_by_index(net, ctx->ifindex);
		if (!dev) {
			ret = -ENODEV;
			goto out;
		}
	}
	skb->protocol = eth_type_trans(skb, dev);
	skb_reset_network_header(skb);

	switch (skb->protocol) {
	case htons(ETH_P_IP):
		sk->sk_family = AF_INET;
		if (sizeof(struct iphdr) <= skb_headlen(skb)) {
			sk->sk_rcv_saddr = ip_hdr(skb)->saddr;
			sk->sk_daddr = ip_hdr(skb)->daddr;
		}
		break;
#if IS_ENABLED(CONFIG_IPV6)
	case htons(ETH_P_IPV6):
		sk->sk_family = AF_INET6;
		if (sizeof(struct ipv6hdr) <= skb_headlen(skb)) {
			sk->sk_v6_rcv_saddr = ipv6_hdr(skb)->saddr;
			sk->sk_v6_daddr = ipv6_hdr(skb)->daddr;
		}
		break;
#endif
	default:
		break;
	}

	if (is_l2)
		__skb_push(skb, hh_len);
	if (is_direct_pkt_access)
		bpf_compute_data_pointers(skb);
	ret = convert___skb_to_skb(skb, ctx);
	if (ret)
		goto out;
	ret = bpf_test_run(prog, skb, repeat, &retval, &duration, false);
	if (ret)
		goto out;
	if (!is_l2) {
		if (skb_headroom(skb) < hh_len) {
			int nhead = HH_DATA_ALIGN(hh_len - skb_headroom(skb));

			if (pskb_expand_head(skb, nhead, 0, GFP_USER)) {
				ret = -ENOMEM;
				goto out;
			}
		}
		memset(__skb_push(skb, hh_len), 0, hh_len);
	}
	convert_skb_to___skb(skb, ctx);

	size = skb->len;
	/* bpf program can never convert linear skb to non-linear */
	if (WARN_ON_ONCE(skb_is_nonlinear(skb)))
		size = skb_headlen(skb);
	ret = bpf_test_finish(kattr, uattr, skb->data, NULL, size, retval,
			      duration);
	if (!ret)
		ret = bpf_ctx_finish(kattr, uattr, ctx,
				     sizeof(struct __sk_buff));
out:
	if (dev && dev != net->loopback_dev)
		dev_put(dev);
	kfree_skb(skb);
	sk_free(sk);
	kfree(ctx);
	return ret;
}

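/* Apply the user-supplied xdp_md context to the xdp_buff. egress_ifindex is
 * not supported and must be zero; if an ingress_ifindex is given, the
 * referenced RX queue must exist and have a registered xdp_rxq_info. The
 * device reference taken here is released again in xdp_convert_buff_to_md().
 */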
static int xdp_convert_md_to_buff(struct xdp_md *xdp_md, struct xdp_buff *xdp)
{
	unsigned int ingress_ifindex, rx_queue_index;
	struct netdev_rx_queue *rxqueue;
	struct net_device *device;

	if (!xdp_md)
		return 0;

	if (xdp_md->egress_ifindex != 0)
		return -EINVAL;

	ingress_ifindex = xdp_md->ingress_ifindex;
	rx_queue_index = xdp_md->rx_queue_index;

	if (!ingress_ifindex && rx_queue_index)
		return -EINVAL;

	if (ingress_ifindex) {
		device = dev_get_by_index(current->nsproxy->net_ns,
					  ingress_ifindex);
		if (!device)
			return -ENODEV;

		if (rx_queue_index >= device->real_num_rx_queues)
			goto free_dev;

		rxqueue = __netif_get_rx_queue(device, rx_queue_index);

		if (!xdp_rxq_info_is_reg(&rxqueue->xdp_rxq))
			goto free_dev;

		xdp->rxq = &rxqueue->xdp_rxq;
		/* The device is now tracked in the xdp->rxq for later
		 * dev_put()
		 */
	}

	xdp->data = xdp->data_meta + xdp_md->data;
	return 0;

free_dev:
	dev_put(device);
	return -EINVAL;
}

static void xdp_convert_buff_to_md(struct xdp_buff *xdp, struct xdp_md *xdp_md)
{
	if (!xdp_md)
		return;

	xdp_md->data = xdp->data - xdp->data_meta;
	xdp_md->data_end = xdp->data_end - xdp->data_meta;

	if (xdp_md->ingress_ifindex)
		dev_put(xdp->rxq->dev);
}

int bpf_prog_test_run_xdp(struct bpf_prog *prog, const union bpf_attr *kattr,
			  union bpf_attr __user *uattr)
{
	bool do_live = (kattr->test.flags & BPF_F_TEST_XDP_LIVE_FRAMES);
	u32 tailroom = SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
	u32 batch_size = kattr->test.batch_size;
	u32 retval = 0, duration, max_data_sz;
	u32 size = kattr->test.data_size_in;
	u32 headroom = XDP_PACKET_HEADROOM;
	u32 repeat = kattr->test.repeat;
	struct netdev_rx_queue *rxqueue;
	struct skb_shared_info *sinfo;
	struct xdp_buff xdp = {};
	int i, ret = -EINVAL;
	struct xdp_md *ctx;
	void *data;

	if (prog->expected_attach_type == BPF_XDP_DEVMAP ||
	    prog->expected_attach_type == BPF_XDP_CPUMAP)
		return -EINVAL;

	if (kattr->test.flags & ~BPF_F_TEST_XDP_LIVE_FRAMES)
		return -EINVAL;

	if (bpf_prog_is_dev_bound(prog->aux))
		return -EINVAL;

	if (do_live) {
		if (!batch_size)
			batch_size = NAPI_POLL_WEIGHT;
		else if (batch_size > TEST_XDP_MAX_BATCH)
			return -E2BIG;

		headroom += sizeof(struct xdp_page_head);
	} else if (batch_size) {
		return -EINVAL;
	}

	ctx = bpf_ctx_init(kattr, sizeof(struct xdp_md));
	if (IS_ERR(ctx))
		return PTR_ERR(ctx);

	if (ctx) {
		/* There can't be user provided data before the meta data */
		if (ctx->data_meta || ctx->data_end != size ||
		    ctx->data > ctx->data_end ||
		    unlikely(xdp_metalen_invalid(ctx->data)) ||
		    (do_live && (kattr->test.data_out || kattr->test.ctx_out)))
			goto free_ctx;
		/* Meta data is allocated from the headroom */
		headroom -= ctx->data;
	}

	max_data_sz = 4096 - headroom - tailroom;
	if (size > max_data_sz) {
		/* disallow live data mode for jumbo frames */
		if (do_live)
			goto free_ctx;
		size = max_data_sz;
	}

	data = bpf_test_init(kattr, size, max_data_sz, headroom, tailroom);
	if (IS_ERR(data)) {
		ret = PTR_ERR(data);
		goto free_ctx;
	}

	rxqueue = __netif_get_rx_queue(current->nsproxy->net_ns->loopback_dev, 0);
	rxqueue->xdp_rxq.frag_size = headroom + max_data_sz + tailroom;
	xdp_init_buff(&xdp, rxqueue->xdp_rxq.frag_size, &rxqueue->xdp_rxq);
	xdp_prepare_buff(&xdp, data, headroom, size, true);
	sinfo = xdp_get_shared_info_from_buff(&xdp);

	ret = xdp_convert_md_to_buff(ctx, &xdp);
	if (ret)
		goto free_data;

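	/* Data beyond what fits in the linear area is copied into page
	 * fragments below, so that multi-buffer (frags-aware) XDP programs
	 * can be exercised as well.
	 */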
	if (unlikely(kattr->test.data_size_in > size)) {
		void __user *data_in = u64_to_user_ptr(kattr->test.data_in);

		while (size < kattr->test.data_size_in) {
			struct page *page;
			skb_frag_t *frag;
			u32 data_len;

			if (sinfo->nr_frags == MAX_SKB_FRAGS) {
				ret = -ENOMEM;
				goto out;
			}

			page = alloc_page(GFP_KERNEL);
			if (!page) {
				ret = -ENOMEM;
				goto out;
			}

			frag = &sinfo->frags[sinfo->nr_frags++];
			__skb_frag_set_page(frag, page);

			data_len = min_t(u32, kattr->test.data_size_in - size,
					 PAGE_SIZE);
			skb_frag_size_set(frag, data_len);

			if (copy_from_user(page_address(page), data_in + size,
					   data_len)) {
				ret = -EFAULT;
				goto out;
			}
			sinfo->xdp_frags_size += data_len;
			size += data_len;
		}
		xdp_buff_set_frags_flag(&xdp);
	}

	if (repeat > 1)
		bpf_prog_change_xdp(NULL, prog);

	if (do_live)
		ret = bpf_test_run_xdp_live(prog, &xdp, repeat, batch_size, &duration);
	else
		ret = bpf_test_run(prog, &xdp, repeat, &retval, &duration, true);
	/* We convert the xdp_buff back to an xdp_md before checking the return
	 * code so the reference count of any held netdevice will be decremented
	 * even if the test run failed.
	 */
	xdp_convert_buff_to_md(&xdp, ctx);
	if (ret)
		goto out;

	size = xdp.data_end - xdp.data_meta + sinfo->xdp_frags_size;
	ret = bpf_test_finish(kattr, uattr, xdp.data_meta, sinfo, size,
			      retval, duration);
	if (!ret)
		ret = bpf_ctx_finish(kattr, uattr, ctx,
				     sizeof(struct xdp_md));

out:
	if (repeat > 1)
		bpf_prog_change_xdp(prog, NULL);
free_data:
	for (i = 0; i < sinfo->nr_frags; i++)
		__free_page(skb_frag_page(&sinfo->frags[i]));
	kfree(data);
free_ctx:
	kfree(ctx);
	return ret;
}

static int verify_user_bpf_flow_keys(struct bpf_flow_keys *ctx)
{
	/* make sure the fields we don't use are zeroed */
	if (!range_is_zero(ctx, 0, offsetof(struct bpf_flow_keys, flags)))
		return -EINVAL;

	/* flags is allowed */

	if (!range_is_zero(ctx, offsetofend(struct bpf_flow_keys, flags),
			   sizeof(struct bpf_flow_keys)))
		return -EINVAL;

	return 0;
}

int bpf_prog_test_run_flow_dissector(struct bpf_prog *prog,
				     const union bpf_attr *kattr,
				     union bpf_attr __user *uattr)
{
	struct bpf_test_timer t = { NO_PREEMPT };
	u32 size = kattr->test.data_size_in;
	struct bpf_flow_dissector ctx = {};
	u32 repeat = kattr->test.repeat;
	struct bpf_flow_keys *user_ctx;
	struct bpf_flow_keys flow_keys;
	const struct ethhdr *eth;
	unsigned int flags = 0;
	u32 retval, duration;
	void *data;
	int ret;

	if (kattr->test.flags || kattr->test.cpu || kattr->test.batch_size)
		return -EINVAL;

	if (size < ETH_HLEN)
		return -EINVAL;

	data = bpf_test_init(kattr, kattr->test.data_size_in, size, 0, 0);
	if (IS_ERR(data))
		return PTR_ERR(data);

	eth = (struct ethhdr *)data;

	if (!repeat)
		repeat = 1;

	user_ctx = bpf_ctx_init(kattr, sizeof(struct bpf_flow_keys));
	if (IS_ERR(user_ctx)) {
		kfree(data);
		return PTR_ERR(user_ctx);
	}
	if (user_ctx) {
		ret = verify_user_bpf_flow_keys(user_ctx);
		if (ret)
			goto out;
		flags = user_ctx->flags;
	}

	ctx.flow_keys = &flow_keys;
	ctx.data = data;
	ctx.data_end = (__u8 *)data + size;

	bpf_test_timer_enter(&t);
	do {
		retval = bpf_flow_dissect(prog, &ctx, eth->h_proto, ETH_HLEN,
					  size, flags);
	} while (bpf_test_timer_continue(&t, 1, repeat, &ret, &duration));
	bpf_test_timer_leave(&t);

	if (ret < 0)
		goto out;

	ret = bpf_test_finish(kattr, uattr, &flow_keys, NULL,
			      sizeof(flow_keys), retval, duration);
	if (!ret)
		ret = bpf_ctx_finish(kattr, uattr, user_ctx,
				     sizeof(struct bpf_flow_keys));

out:
	kfree(user_ctx);
	kfree(data);
	return ret;
}

int bpf_prog_test_run_sk_lookup(struct bpf_prog *prog, const union bpf_attr *kattr,
				union bpf_attr __user *uattr)
{
	struct bpf_test_timer t = { NO_PREEMPT };
	struct bpf_prog_array *progs = NULL;
	struct bpf_sk_lookup_kern ctx = {};
	u32 repeat = kattr->test.repeat;
	struct bpf_sk_lookup *user_ctx;
	u32 retval, duration;
	int ret = -EINVAL;

	if (kattr->test.flags || kattr->test.cpu || kattr->test.batch_size)
		return -EINVAL;

	if (kattr->test.data_in || kattr->test.data_size_in || kattr->test.data_out ||
	    kattr->test.data_size_out)
		return -EINVAL;

	if (!repeat)
		repeat = 1;

	user_ctx = bpf_ctx_init(kattr, sizeof(*user_ctx));
	if (IS_ERR(user_ctx))
		return PTR_ERR(user_ctx);

	if (!user_ctx)
		return -EINVAL;

	if (user_ctx->sk)
		goto out;

	if (!range_is_zero(user_ctx, offsetofend(typeof(*user_ctx), local_port), sizeof(*user_ctx)))
		goto out;

	if (user_ctx->local_port > U16_MAX) {
		ret = -ERANGE;
		goto out;
	}

	ctx.family = (u16)user_ctx->family;
	ctx.protocol = (u16)user_ctx->protocol;
	ctx.dport = (u16)user_ctx->local_port;
	ctx.sport = user_ctx->remote_port;

	switch (ctx.family) {
	case AF_INET:
		ctx.v4.daddr = (__force __be32)user_ctx->local_ip4;
		ctx.v4.saddr = (__force __be32)user_ctx->remote_ip4;
		break;

#if IS_ENABLED(CONFIG_IPV6)
	case AF_INET6:
		ctx.v6.daddr = (struct in6_addr *)user_ctx->local_ip6;
		ctx.v6.saddr = (struct in6_addr *)user_ctx->remote_ip6;
		break;
#endif

	default:
		ret = -EAFNOSUPPORT;
		goto out;
	}

	progs = bpf_prog_array_alloc(1, GFP_KERNEL);
	if (!progs) {
		ret = -ENOMEM;
		goto out;
	}

	progs->items[0].prog = prog;

	bpf_test_timer_enter(&t);
	do {
		ctx.selected_sk = NULL;
		retval = BPF_PROG_SK_LOOKUP_RUN_ARRAY(progs, ctx, bpf_prog_run);
	} while (bpf_test_timer_continue(&t, 1, repeat, &ret, &duration));
	bpf_test_timer_leave(&t);

	if (ret < 0)
		goto out;

	user_ctx->cookie = 0;
	if (ctx.selected_sk) {
		if (ctx.selected_sk->sk_reuseport && !ctx.no_reuseport) {
			ret = -EOPNOTSUPP;
			goto out;
		}

		user_ctx->cookie = sock_gen_cookie(ctx.selected_sk);
	}

	ret = bpf_test_finish(kattr, uattr, NULL, NULL, 0, retval, duration);
	if (!ret)
		ret = bpf_ctx_finish(kattr, uattr, user_ctx, sizeof(*user_ctx));

out:
	bpf_prog_array_free(progs);
	kfree(user_ctx);
	return ret;
}

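/* Run a BPF_PROG_TYPE_SYSCALL program once, with an optional context that is
 * copied in from user space and written back after the run. repeat, packet
 * data and flags are not supported for this program type.
 */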
int bpf_prog_test_run_syscall(struct bpf_prog *prog,
			      const union bpf_attr *kattr,
			      union bpf_attr __user *uattr)
{
	void __user *ctx_in = u64_to_user_ptr(kattr->test.ctx_in);
	__u32 ctx_size_in = kattr->test.ctx_size_in;
	void *ctx = NULL;
	u32 retval;
	int err = 0;

	/* doesn't support data_in/out, ctx_out, duration, repeat or flags */
	if (kattr->test.data_in || kattr->test.data_out ||
	    kattr->test.ctx_out || kattr->test.duration ||
	    kattr->test.repeat || kattr->test.flags ||
	    kattr->test.batch_size)
		return -EINVAL;

	if (ctx_size_in < prog->aux->max_ctx_offset ||
	    ctx_size_in > U16_MAX)
		return -EINVAL;

	if (ctx_size_in) {
		ctx = memdup_user(ctx_in, ctx_size_in);
		if (IS_ERR(ctx))
			return PTR_ERR(ctx);
	}

	rcu_read_lock_trace();
	retval = bpf_prog_run_pin_on_cpu(prog, ctx);
	rcu_read_unlock_trace();

	if (copy_to_user(&uattr->test.retval, &retval, sizeof(u32))) {
		err = -EFAULT;
		goto out;
	}
	if (ctx_size_in)
		if (copy_to_user(ctx_in, ctx, ctx_size_in))
			err = -EFAULT;
out:
	kfree(ctx);
	return err;
}

static int verify_and_copy_hook_state(struct nf_hook_state *state,
				      const struct nf_hook_state *user,
				      struct net_device *dev)
{
	if (user->in || user->out)
		return -EINVAL;

	if (user->net || user->sk || user->okfn)
		return -EINVAL;

	switch (user->pf) {
	case NFPROTO_IPV4:
	case NFPROTO_IPV6:
		switch (state->hook) {
		case NF_INET_PRE_ROUTING:
			state->in = dev;
			break;
		case NF_INET_LOCAL_IN:
			state->in = dev;
			break;
		case NF_INET_FORWARD:
			state->in = dev;
			state->out = dev;
			break;
		case NF_INET_LOCAL_OUT:
			state->out = dev;
			break;
		case NF_INET_POST_ROUTING:
			state->out = dev;
			break;
		}

		break;
	default:
		return -EINVAL;
	}

	state->pf = user->pf;
	state->hook = user->hook;

	return 0;
}

static __be16 nfproto_eth(int nfproto)
{
	switch (nfproto) {
	case NFPROTO_IPV4:
		return htons(ETH_P_IP);
	case NFPROTO_IPV6:
		break;
	}

	return htons(ETH_P_IPV6);
}

int bpf_prog_test_run_nf(struct bpf_prog *prog,
			 const union bpf_attr *kattr,
			 union bpf_attr __user *uattr)
{
	struct net *net = current->nsproxy->net_ns;
	struct net_device *dev = net->loopback_dev;
	struct nf_hook_state *user_ctx, hook_state = {
		.pf = NFPROTO_IPV4,
		.hook = NF_INET_LOCAL_OUT,
	};
	u32 size = kattr->test.data_size_in;
	u32 repeat = kattr->test.repeat;
	struct bpf_nf_ctx ctx = {
		.state = &hook_state,
	};
	struct sk_buff *skb = NULL;
	u32 retval, duration;
	void *data;
	int ret;

	if (kattr->test.flags || kattr->test.cpu || kattr->test.batch_size)
		return -EINVAL;

	if (size < sizeof(struct iphdr))
		return -EINVAL;

	data = bpf_test_init(kattr, kattr->test.data_size_in, size,
			     NET_SKB_PAD + NET_IP_ALIGN,
			     SKB_DATA_ALIGN(sizeof(struct skb_shared_info)));
	if (IS_ERR(data))
		return PTR_ERR(data);

	if (!repeat)
		repeat = 1;

	user_ctx = bpf_ctx_init(kattr, sizeof(struct nf_hook_state));
	if (IS_ERR(user_ctx)) {
		kfree(data);
		return PTR_ERR(user_ctx);
	}

	if (user_ctx) {
		ret = verify_and_copy_hook_state(&hook_state, user_ctx, dev);
		if (ret)
			goto out;
	}

	skb = slab_build_skb(data);
	if (!skb) {
		ret = -ENOMEM;
		goto out;
	}

	data = NULL; /* data released via kfree_skb */

	skb_reserve(skb, NET_SKB_PAD + NET_IP_ALIGN);
	__skb_put(skb, size);

	ret = -EINVAL;

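	/* For every hook except NF_INET_LOCAL_OUT the test packet must start
	 * with an Ethernet header matching the chosen protocol family;
	 * LOCAL_OUT packets are treated as having no link-layer header.
	 */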
	if (hook_state.hook != NF_INET_LOCAL_OUT) {
		if (size < ETH_HLEN + sizeof(struct iphdr))
			goto out;

		skb->protocol = eth_type_trans(skb, dev);
		switch (skb->protocol) {
		case htons(ETH_P_IP):
			if (hook_state.pf == NFPROTO_IPV4)
				break;
			goto out;
		case htons(ETH_P_IPV6):
			if (size < ETH_HLEN + sizeof(struct ipv6hdr))
				goto out;
			if (hook_state.pf == NFPROTO_IPV6)
				break;
			goto out;
		default:
			ret = -EPROTO;
			goto out;
		}

		skb_reset_network_header(skb);
	} else {
		skb->protocol = nfproto_eth(hook_state.pf);
	}

	ctx.skb = skb;

	ret = bpf_test_run(prog, &ctx, repeat, &retval, &duration, false);
	if (ret)
		goto out;

	ret = bpf_test_finish(kattr, uattr, NULL, NULL, 0, retval, duration);

out:
	kfree(user_ctx);
	kfree_skb(skb);
	kfree(data);
	return ret;
}

static const struct btf_kfunc_id_set bpf_prog_test_kfunc_set = {
	.owner = THIS_MODULE,
	.set = &test_sk_check_kfunc_ids,
};

BTF_ID_LIST(bpf_prog_test_dtor_kfunc_ids)
BTF_ID(struct, prog_test_ref_kfunc)
BTF_ID(func, bpf_kfunc_call_test_release)
BTF_ID(struct, prog_test_member)
BTF_ID(func, bpf_kfunc_call_memb_release)

static int __init bpf_prog_test_run_init(void)
{
	const struct btf_id_dtor_kfunc bpf_prog_test_dtor_kfunc[] = {
		{
			.btf_id = bpf_prog_test_dtor_kfunc_ids[0],
			.kfunc_btf_id = bpf_prog_test_dtor_kfunc_ids[1]
		},
		{
			.btf_id = bpf_prog_test_dtor_kfunc_ids[2],
			.kfunc_btf_id = bpf_prog_test_dtor_kfunc_ids[3],
		},
	};
	int ret;

	ret = register_btf_fmodret_id_set(&bpf_test_modify_return_set);
	ret = ret ?: register_btf_kfunc_id_set(BPF_PROG_TYPE_SCHED_CLS, &bpf_prog_test_kfunc_set);
	ret = ret ?: register_btf_kfunc_id_set(BPF_PROG_TYPE_TRACING, &bpf_prog_test_kfunc_set);
	ret = ret ?: register_btf_kfunc_id_set(BPF_PROG_TYPE_SYSCALL, &bpf_prog_test_kfunc_set);
	return ret ?: register_btf_id_dtor_kfuncs(bpf_prog_test_dtor_kfunc,
						  ARRAY_SIZE(bpf_prog_test_dtor_kfunc),
						  THIS_MODULE);
}
late_initcall(bpf_prog_test_run_init);