// SPDX-License-Identifier: GPL-2.0-only
/* Copyright (c) 2017 Facebook
 */
#include <linux/bpf.h>
#include <linux/btf.h>
#include <linux/btf_ids.h>
#include <linux/slab.h>
#include <linux/init.h>
#include <linux/vmalloc.h>
#include <linux/etherdevice.h>
#include <linux/filter.h>
#include <linux/rcupdate_trace.h>
#include <linux/sched/signal.h>
#include <net/bpf_sk_storage.h>
#include <net/sock.h>
#include <net/tcp.h>
#include <net/net_namespace.h>
#include <net/page_pool.h>
#include <linux/error-injection.h>
#include <linux/smp.h>
#include <linux/sock_diag.h>
#include <linux/netfilter.h>
#include <net/xdp.h>
#include <net/netfilter/nf_bpf_link.h>

#define CREATE_TRACE_POINTS
#include <trace/events/bpf_test_run.h>

struct bpf_test_timer {
	enum { NO_PREEMPT, NO_MIGRATE } mode;
	u32 i;
	u64 time_start, time_spent;
};

static void bpf_test_timer_enter(struct bpf_test_timer *t)
	__acquires(rcu)
{
	rcu_read_lock();
	if (t->mode == NO_PREEMPT)
		preempt_disable();
	else
		migrate_disable();

	t->time_start = ktime_get_ns();
}

static void bpf_test_timer_leave(struct bpf_test_timer *t)
	__releases(rcu)
{
	t->time_start = 0;

	if (t->mode == NO_PREEMPT)
		preempt_enable();
	else
		migrate_enable();
	rcu_read_unlock();
}

static bool bpf_test_timer_continue(struct bpf_test_timer *t, int iterations,
				    u32 repeat, int *err, u32 *duration)
	__must_hold(rcu)
{
	t->i += iterations;
	if (t->i >= repeat) {
		/* We're done. */
		t->time_spent += ktime_get_ns() - t->time_start;
		do_div(t->time_spent, t->i);
		*duration = t->time_spent > U32_MAX ? U32_MAX : (u32)t->time_spent;
		*err = 0;
		goto reset;
	}

	if (signal_pending(current)) {
		/* During iteration: we've been cancelled, abort. */
		*err = -EINTR;
		goto reset;
	}

	if (need_resched()) {
		/* During iteration: we need to reschedule between runs. */
		t->time_spent += ktime_get_ns() - t->time_start;
		bpf_test_timer_leave(t);
		cond_resched();
		bpf_test_timer_enter(t);
	}

	/* Do another round. */
	return true;

reset:
	t->i = 0;
	return false;
}

/* We put this struct at the head of each page with a context and frame
 * initialised when the page is allocated, so we don't have to do this on each
 * repetition of the test run.
 */
struct xdp_page_head {
	struct xdp_buff orig_ctx;
	struct xdp_buff ctx;
	union {
		/* ::data_hard_start starts here */
		DECLARE_FLEX_ARRAY(struct xdp_frame, frame);
		DECLARE_FLEX_ARRAY(u8, data);
	};
};

struct xdp_test_data {
	struct xdp_buff *orig_ctx;
	struct xdp_rxq_info rxq;
	struct net_device *dev;
	struct page_pool *pp;
	struct xdp_frame **frames;
	struct sk_buff **skbs;
	struct xdp_mem_info mem;
	u32 batch_size;
	u32 frame_cnt;
};

/* tools/testing/selftests/bpf/prog_tests/xdp_do_redirect.c:%MAX_PKT_SIZE
 * must be updated accordingly if this gets changed, otherwise BPF selftests
 * will fail.
 */
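/* Illustrative layout of each page handed out by the test page_pool
 * (offsets not to scale):
 *
 *   page:            [ xdp_page_head (orig_ctx, ctx) | data_hard_start ... ]
 *   data_hard_start: [ headroom | data_meta | data .. data_end | tailroom ]
 *
 * TEST_XDP_FRAME_SIZE below is therefore simply the part of the page left
 * over for the frame once the bookkeeping struct sits at its head.
 */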
#define TEST_XDP_FRAME_SIZE (PAGE_SIZE - sizeof(struct xdp_page_head))
#define TEST_XDP_MAX_BATCH 256

static void xdp_test_run_init_page(struct page *page, void *arg)
{
	struct xdp_page_head *head = phys_to_virt(page_to_phys(page));
	struct xdp_buff *new_ctx, *orig_ctx;
	u32 headroom = XDP_PACKET_HEADROOM;
	struct xdp_test_data *xdp = arg;
	size_t frm_len, meta_len;
	struct xdp_frame *frm;
	void *data;

	orig_ctx = xdp->orig_ctx;
	frm_len = orig_ctx->data_end - orig_ctx->data_meta;
	meta_len = orig_ctx->data - orig_ctx->data_meta;
	headroom -= meta_len;

	new_ctx = &head->ctx;
	frm = head->frame;
	data = head->data;
	memcpy(data + headroom, orig_ctx->data_meta, frm_len);

	xdp_init_buff(new_ctx, TEST_XDP_FRAME_SIZE, &xdp->rxq);
	xdp_prepare_buff(new_ctx, data, headroom, frm_len, true);
	new_ctx->data = new_ctx->data_meta + meta_len;

	xdp_update_frame_from_buff(new_ctx, frm);
	frm->mem = new_ctx->rxq->mem;

	memcpy(&head->orig_ctx, new_ctx, sizeof(head->orig_ctx));
}

static int xdp_test_run_setup(struct xdp_test_data *xdp, struct xdp_buff *orig_ctx)
{
	struct page_pool *pp;
	int err = -ENOMEM;
	struct page_pool_params pp_params = {
		.order = 0,
		.flags = 0,
		.pool_size = xdp->batch_size,
		.nid = NUMA_NO_NODE,
		.init_callback = xdp_test_run_init_page,
		.init_arg = xdp,
	};

	xdp->frames = kvmalloc_array(xdp->batch_size, sizeof(void *), GFP_KERNEL);
	if (!xdp->frames)
		return -ENOMEM;

	xdp->skbs = kvmalloc_array(xdp->batch_size, sizeof(void *), GFP_KERNEL);
	if (!xdp->skbs)
		goto err_skbs;

	pp = page_pool_create(&pp_params);
	if (IS_ERR(pp)) {
		err = PTR_ERR(pp);
		goto err_pp;
	}

	/* will copy 'mem.id' into pp->xdp_mem_id */
	err = xdp_reg_mem_model(&xdp->mem, MEM_TYPE_PAGE_POOL, pp);
	if (err)
		goto err_mmodel;

	xdp->pp = pp;

	/* We create a 'fake' RXQ referencing the original dev, but with an
	 * xdp_mem_info pointing to our page_pool
	 */
	xdp_rxq_info_reg(&xdp->rxq, orig_ctx->rxq->dev, 0, 0);
	xdp->rxq.mem.type = MEM_TYPE_PAGE_POOL;
	xdp->rxq.mem.id = pp->xdp_mem_id;
	xdp->dev = orig_ctx->rxq->dev;
	xdp->orig_ctx = orig_ctx;

	return 0;

err_mmodel:
	page_pool_destroy(pp);
err_pp:
	kvfree(xdp->skbs);
err_skbs:
	kvfree(xdp->frames);
	return err;
}

static void xdp_test_run_teardown(struct xdp_test_data *xdp)
{
	xdp_unreg_mem_model(&xdp->mem);
	page_pool_destroy(xdp->pp);
	kvfree(xdp->frames);
	kvfree(xdp->skbs);
}

static bool frame_was_changed(const struct xdp_page_head *head)
{
	/* xdp_scrub_frame() zeroes the data pointer, flags is the last field,
	 * i.e. has the highest chances to be overwritten. If those two are
	 * untouched, it's most likely safe to skip the context reset.
	 */
	return head->frame->data != head->orig_ctx.data ||
	       head->frame->flags != head->orig_ctx.flags;
}

static bool ctx_was_changed(struct xdp_page_head *head)
{
	return head->orig_ctx.data != head->ctx.data ||
	       head->orig_ctx.data_meta != head->ctx.data_meta ||
	       head->orig_ctx.data_end != head->ctx.data_end;
}

static void reset_ctx(struct xdp_page_head *head)
{
	if (likely(!frame_was_changed(head) && !ctx_was_changed(head)))
		return;

	head->ctx.data = head->orig_ctx.data;
	head->ctx.data_meta = head->orig_ctx.data_meta;
	head->ctx.data_end = head->orig_ctx.data_end;
	xdp_update_frame_from_buff(&head->ctx, head->frame);
}

static int xdp_recv_frames(struct xdp_frame **frames, int nframes,
			   struct sk_buff **skbs,
			   struct net_device *dev)
{
	gfp_t gfp = __GFP_ZERO | GFP_ATOMIC;
	int i, n;
	LIST_HEAD(list);

	n = kmem_cache_alloc_bulk(skbuff_cache, gfp, nframes, (void **)skbs);
	if (unlikely(n == 0)) {
		for (i = 0; i < nframes; i++)
			xdp_return_frame(frames[i]);
		return -ENOMEM;
	}

	for (i = 0; i < nframes; i++) {
		struct xdp_frame *xdpf = frames[i];
		struct sk_buff *skb = skbs[i];

		skb = __xdp_build_skb_from_frame(xdpf, skb, dev);
		if (!skb) {
			xdp_return_frame(xdpf);
			continue;
		}

		list_add_tail(&skb->list, &list);
	}
	netif_receive_skb_list(&list);

	return 0;
}

static int xdp_test_run_batch(struct xdp_test_data *xdp, struct bpf_prog *prog,
			      u32 repeat)
{
	struct bpf_redirect_info *ri = this_cpu_ptr(&bpf_redirect_info);
	int err = 0, act, ret, i, nframes = 0, batch_sz;
	struct xdp_frame **frames = xdp->frames;
	struct xdp_page_head *head;
	struct xdp_frame *frm;
	bool redirect = false;
	struct xdp_buff *ctx;
	struct page *page;

	batch_sz = min_t(u32, repeat, xdp->batch_size);

	local_bh_disable();
	xdp_set_return_frame_no_direct();

	for (i = 0; i < batch_sz; i++) {
		page = page_pool_dev_alloc_pages(xdp->pp);
		if (!page) {
			err = -ENOMEM;
			goto out;
		}

		head = phys_to_virt(page_to_phys(page));
		reset_ctx(head);
		ctx = &head->ctx;
		frm = head->frame;
		xdp->frame_cnt++;

		act = bpf_prog_run_xdp(prog, ctx);

		/* if program changed pkt bounds we need to update the xdp_frame */
		if (unlikely(ctx_was_changed(head))) {
			ret = xdp_update_frame_from_buff(ctx, frm);
			if (ret) {
				xdp_return_buff(ctx);
				continue;
			}
		}

		switch (act) {
		case XDP_TX:
			/* we can't do a real XDP_TX since we're not in the
			 * driver, so turn it into a REDIRECT back to the same
			 * index
			 */
			ri->tgt_index = xdp->dev->ifindex;
			ri->map_id = INT_MAX;
			ri->map_type = BPF_MAP_TYPE_UNSPEC;
			fallthrough;
		case XDP_REDIRECT:
			redirect = true;
			ret = xdp_do_redirect_frame(xdp->dev, ctx, frm, prog);
			if (ret)
				xdp_return_buff(ctx);
			break;
		case XDP_PASS:
			frames[nframes++] = frm;
			break;
		default:
			bpf_warn_invalid_xdp_action(NULL, prog, act);
			fallthrough;
		case XDP_DROP:
			xdp_return_buff(ctx);
			break;
		}
	}

out:
	if (redirect)
		xdp_do_flush();
	if (nframes) {
		ret = xdp_recv_frames(frames, nframes, xdp->skbs, xdp->dev);
		if (ret)
			err = ret;
	}

	xdp_clear_return_frame_no_direct();
	local_bh_enable();
	return err;
}

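/* Live-frame mode: rather than reporting the program's verdict back to user
 * space, each frame is acted on through the kernel's regular XDP paths --
 * XDP_PASS frames become skbs via xdp_recv_frames() above, XDP_TX is turned
 * into a redirect back to the same device, and XDP_REDIRECT goes through
 * xdp_do_redirect_frame(). Frames are processed in batches of at most
 * xdp.batch_size per bpf_test_timer iteration.
 */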
static int bpf_test_run_xdp_live(struct bpf_prog *prog, struct xdp_buff *ctx,
				 u32 repeat, u32 batch_size, u32 *time)
{
	struct xdp_test_data xdp = { .batch_size = batch_size };
	struct bpf_test_timer t = { .mode = NO_MIGRATE };
	int ret;

	if (!repeat)
		repeat = 1;

	ret = xdp_test_run_setup(&xdp, ctx);
	if (ret)
		return ret;

	bpf_test_timer_enter(&t);
	do {
		xdp.frame_cnt = 0;
		ret = xdp_test_run_batch(&xdp, prog, repeat - t.i);
		if (unlikely(ret < 0))
			break;
	} while (bpf_test_timer_continue(&t, xdp.frame_cnt, repeat, &ret, time));
	bpf_test_timer_leave(&t);

	xdp_test_run_teardown(&xdp);
	return ret;
}

static int bpf_test_run(struct bpf_prog *prog, void *ctx, u32 repeat,
			u32 *retval, u32 *time, bool xdp)
{
	struct bpf_prog_array_item item = {.prog = prog};
	struct bpf_run_ctx *old_ctx;
	struct bpf_cg_run_ctx run_ctx;
	struct bpf_test_timer t = { NO_MIGRATE };
	enum bpf_cgroup_storage_type stype;
	int ret;

	for_each_cgroup_storage_type(stype) {
		item.cgroup_storage[stype] = bpf_cgroup_storage_alloc(prog, stype);
		if (IS_ERR(item.cgroup_storage[stype])) {
			item.cgroup_storage[stype] = NULL;
			for_each_cgroup_storage_type(stype)
				bpf_cgroup_storage_free(item.cgroup_storage[stype]);
			return -ENOMEM;
		}
	}

	if (!repeat)
		repeat = 1;

	bpf_test_timer_enter(&t);
	old_ctx = bpf_set_run_ctx(&run_ctx.run_ctx);
	do {
		run_ctx.prog_item = &item;
		local_bh_disable();
		if (xdp)
			*retval = bpf_prog_run_xdp(prog, ctx);
		else
			*retval = bpf_prog_run(prog, ctx);
		local_bh_enable();
	} while (bpf_test_timer_continue(&t, 1, repeat, &ret, time));
	bpf_reset_run_ctx(old_ctx);
	bpf_test_timer_leave(&t);

	for_each_cgroup_storage_type(stype)
		bpf_cgroup_storage_free(item.cgroup_storage[stype]);

	return ret;
}

static int bpf_test_finish(const union bpf_attr *kattr,
			   union bpf_attr __user *uattr, const void *data,
			   struct skb_shared_info *sinfo, u32 size,
			   u32 retval, u32 duration)
{
	void __user *data_out = u64_to_user_ptr(kattr->test.data_out);
	int err = -EFAULT;
	u32 copy_size = size;

	/* Clamp copy if the user has provided a size hint, but copy the full
	 * buffer if not to retain old behaviour.
	 */
	if (kattr->test.data_size_out &&
	    copy_size > kattr->test.data_size_out) {
		copy_size = kattr->test.data_size_out;
		err = -ENOSPC;
	}

	if (data_out) {
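		/* For multi-buffer XDP the linear part and the fragments are
		 * copied out separately: 'len' below covers only the linear
		 * bytes, the frags follow at increasing offsets up to
		 * copy_size.
		 */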
		int len = sinfo ? copy_size - sinfo->xdp_frags_size : copy_size;

		if (len < 0) {
			err = -ENOSPC;
			goto out;
		}

		if (copy_to_user(data_out, data, len))
			goto out;

		if (sinfo) {
			int i, offset = len;
			u32 data_len;

			for (i = 0; i < sinfo->nr_frags; i++) {
				skb_frag_t *frag = &sinfo->frags[i];

				if (offset >= copy_size) {
					err = -ENOSPC;
					break;
				}

				data_len = min_t(u32, copy_size - offset,
						 skb_frag_size(frag));

				if (copy_to_user(data_out + offset,
						 skb_frag_address(frag),
						 data_len))
					goto out;

				offset += data_len;
			}
		}
	}

	if (copy_to_user(&uattr->test.data_size_out, &size, sizeof(size)))
		goto out;
	if (copy_to_user(&uattr->test.retval, &retval, sizeof(retval)))
		goto out;
	if (copy_to_user(&uattr->test.duration, &duration, sizeof(duration)))
		goto out;
	if (err != -ENOSPC)
		err = 0;
out:
	trace_bpf_test_finish(&err);
	return err;
}

/* Integer types of various sizes and pointer combinations cover a variety of
 * architecture-dependent calling conventions. 7+ can be supported in the
 * future.
 */
__diag_push();
__diag_ignore_all("-Wmissing-prototypes",
		  "Global functions as their definitions will be in vmlinux BTF");
__bpf_kfunc int bpf_fentry_test1(int a)
{
	return a + 1;
}
EXPORT_SYMBOL_GPL(bpf_fentry_test1);

int noinline bpf_fentry_test2(int a, u64 b)
{
	return a + b;
}

int noinline bpf_fentry_test3(char a, int b, u64 c)
{
	return a + b + c;
}

int noinline bpf_fentry_test4(void *a, char b, int c, u64 d)
{
	return (long)a + b + c + d;
}

int noinline bpf_fentry_test5(u64 a, void *b, short c, int d, u64 e)
{
	return a + (long)b + c + d + e;
}

int noinline bpf_fentry_test6(u64 a, void *b, short c, int d, void *e, u64 f)
{
	return a + (long)b + c + d + (long)e + f;
}

struct bpf_fentry_test_t {
	struct bpf_fentry_test_t *a;
};

int noinline bpf_fentry_test7(struct bpf_fentry_test_t *arg)
{
	return (long)arg;
}

int noinline bpf_fentry_test8(struct bpf_fentry_test_t *arg)
{
	return (long)arg->a;
}

__bpf_kfunc u32 bpf_fentry_test9(u32 *a)
{
	return *a;
}

void noinline bpf_fentry_test_sinfo(struct skb_shared_info *sinfo)
{
}

__bpf_kfunc int bpf_modify_return_test(int a, int *b)
{
	*b += 1;
	return a + *b;
}

__bpf_kfunc int bpf_modify_return_test2(int a, int *b, short c, int d,
					void *e, char f, int g)
{
	*b += 1;
	return a + *b + c + d + (long)e + f + g;
}

int noinline bpf_fentry_shadow_test(int a)
{
	return a + 1;
}

struct prog_test_member1 {
	int a;
};

struct prog_test_member {
	struct prog_test_member1 m;
	int c;
};

struct prog_test_ref_kfunc {
	int a;
	int b;
	struct prog_test_member memb;
	struct prog_test_ref_kfunc *next;
	refcount_t cnt;
};

__bpf_kfunc void bpf_kfunc_call_test_release(struct prog_test_ref_kfunc *p)
{
	refcount_dec(&p->cnt);
}

__bpf_kfunc void bpf_kfunc_call_memb_release(struct prog_test_member *p)
{
}

__diag_pop();

BTF_SET8_START(bpf_test_modify_return_ids)
BTF_ID_FLAGS(func, bpf_modify_return_test)
BTF_ID_FLAGS(func, bpf_modify_return_test2)
BTF_ID_FLAGS(func, bpf_fentry_test1, KF_SLEEPABLE)
BTF_SET8_END(bpf_test_modify_return_ids)

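/* Registered from bpf_prog_test_run_init() via register_btf_fmodret_id_set(),
 * which makes the functions listed above valid fmod_ret attach targets for
 * test programs.
 */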
static const struct btf_kfunc_id_set bpf_test_modify_return_set = {
	.owner = THIS_MODULE,
	.set   = &bpf_test_modify_return_ids,
};

BTF_SET8_START(test_sk_check_kfunc_ids)
BTF_ID_FLAGS(func, bpf_kfunc_call_test_release, KF_RELEASE)
BTF_ID_FLAGS(func, bpf_kfunc_call_memb_release, KF_RELEASE)
BTF_SET8_END(test_sk_check_kfunc_ids)

static void *bpf_test_init(const union bpf_attr *kattr, u32 user_size,
			   u32 size, u32 headroom, u32 tailroom)
{
	void __user *data_in = u64_to_user_ptr(kattr->test.data_in);
	void *data;

	if (size < ETH_HLEN || size > PAGE_SIZE - headroom - tailroom)
		return ERR_PTR(-EINVAL);

	if (user_size > size)
		return ERR_PTR(-EMSGSIZE);

	size = SKB_DATA_ALIGN(size);
	data = kzalloc(size + headroom + tailroom, GFP_USER);
	if (!data)
		return ERR_PTR(-ENOMEM);

	if (copy_from_user(data + headroom, data_in, user_size)) {
		kfree(data);
		return ERR_PTR(-EFAULT);
	}

	return data;
}

int bpf_prog_test_run_tracing(struct bpf_prog *prog,
			      const union bpf_attr *kattr,
			      union bpf_attr __user *uattr)
{
	struct bpf_fentry_test_t arg = {};
	u16 side_effect = 0, ret = 0;
	int b = 2, err = -EFAULT;
	u32 retval = 0;

	if (kattr->test.flags || kattr->test.cpu || kattr->test.batch_size)
		return -EINVAL;

	switch (prog->expected_attach_type) {
	case BPF_TRACE_FENTRY:
	case BPF_TRACE_FEXIT:
		if (bpf_fentry_test1(1) != 2 ||
		    bpf_fentry_test2(2, 3) != 5 ||
		    bpf_fentry_test3(4, 5, 6) != 15 ||
		    bpf_fentry_test4((void *)7, 8, 9, 10) != 34 ||
		    bpf_fentry_test5(11, (void *)12, 13, 14, 15) != 65 ||
		    bpf_fentry_test6(16, (void *)17, 18, 19, (void *)20, 21) != 111 ||
		    bpf_fentry_test7((struct bpf_fentry_test_t *)0) != 0 ||
		    bpf_fentry_test8(&arg) != 0 ||
		    bpf_fentry_test9(&retval) != 0)
			goto out;
		break;
	case BPF_MODIFY_RETURN:
		ret = bpf_modify_return_test(1, &b);
		if (b != 2)
			side_effect++;
		b = 2;
		ret += bpf_modify_return_test2(1, &b, 3, 4, (void *)5, 6, 7);
		if (b != 2)
			side_effect++;
		break;
	default:
		goto out;
	}

	retval = ((u32)side_effect << 16) | ret;
	if (copy_to_user(&uattr->test.retval, &retval, sizeof(retval)))
		goto out;

	err = 0;
out:
	trace_bpf_test_finish(&err);
	return err;
}

struct bpf_raw_tp_test_run_info {
	struct bpf_prog *prog;
	void *ctx;
	u32 retval;
};

static void
__bpf_prog_test_run_raw_tp(void *data)
{
	struct bpf_raw_tp_test_run_info *info = data;

	rcu_read_lock();
	info->retval = bpf_prog_run(info->prog, info->ctx);
	rcu_read_unlock();
}

int bpf_prog_test_run_raw_tp(struct bpf_prog *prog,
			     const union bpf_attr *kattr,
			     union bpf_attr __user *uattr)
{
	void __user *ctx_in = u64_to_user_ptr(kattr->test.ctx_in);
	__u32 ctx_size_in = kattr->test.ctx_size_in;
	struct bpf_raw_tp_test_run_info info;
	int cpu = kattr->test.cpu, err = 0;
	int current_cpu;

	/* doesn't support data_in/out, ctx_out, duration, or repeat */
	if (kattr->test.data_in || kattr->test.data_out ||
	    kattr->test.ctx_out || kattr->test.duration ||
	    kattr->test.repeat || kattr->test.batch_size)
		return -EINVAL;

	if (ctx_size_in < prog->aux->max_ctx_offset ||
	    ctx_size_in > MAX_BPF_FUNC_ARGS * sizeof(u64))
		return -EINVAL;

	if ((kattr->test.flags & BPF_F_TEST_RUN_ON_CPU) == 0 &&
	    cpu != 0)
		return -EINVAL;

	if (ctx_size_in) {
		info.ctx = memdup_user(ctx_in, ctx_size_in);
		if (IS_ERR(info.ctx))
			return PTR_ERR(info.ctx);
	} else {
		info.ctx = NULL;
	}

	info.prog = prog;

	current_cpu = get_cpu();
	if ((kattr->test.flags & BPF_F_TEST_RUN_ON_CPU) == 0 ||
	    cpu == current_cpu) {
		__bpf_prog_test_run_raw_tp(&info);
	} else if (cpu >= nr_cpu_ids || !cpu_online(cpu)) {
		/* smp_call_function_single() also checks cpu_online()
		 * after csd_lock(). However, since cpu is from user
		 * space, let's do an extra quick check to filter out
		 * invalid value before smp_call_function_single().
		 */
		err = -ENXIO;
	} else {
		err = smp_call_function_single(cpu, __bpf_prog_test_run_raw_tp,
					       &info, 1);
	}
	put_cpu();

	if (!err &&
	    copy_to_user(&uattr->test.retval, &info.retval, sizeof(u32)))
		err = -EFAULT;

	kfree(info.ctx);
	return err;
}

static void *bpf_ctx_init(const union bpf_attr *kattr, u32 max_size)
{
	void __user *data_in = u64_to_user_ptr(kattr->test.ctx_in);
	void __user *data_out = u64_to_user_ptr(kattr->test.ctx_out);
	u32 size = kattr->test.ctx_size_in;
	void *data;
	int err;

	if (!data_in && !data_out)
		return NULL;

	data = kzalloc(max_size, GFP_USER);
	if (!data)
		return ERR_PTR(-ENOMEM);

	if (data_in) {
		err = bpf_check_uarg_tail_zero(USER_BPFPTR(data_in), max_size, size);
		if (err) {
			kfree(data);
			return ERR_PTR(err);
		}

		size = min_t(u32, max_size, size);
		if (copy_from_user(data, data_in, size)) {
			kfree(data);
			return ERR_PTR(-EFAULT);
		}
	}
	return data;
}

static int bpf_ctx_finish(const union bpf_attr *kattr,
			  union bpf_attr __user *uattr, const void *data,
			  u32 size)
{
	void __user *data_out = u64_to_user_ptr(kattr->test.ctx_out);
	int err = -EFAULT;
	u32 copy_size = size;

	if (!data || !data_out)
		return 0;

	if (copy_size > kattr->test.ctx_size_out) {
		copy_size = kattr->test.ctx_size_out;
		err = -ENOSPC;
	}

	if (copy_to_user(data_out, data, copy_size))
		goto out;
	if (copy_to_user(&uattr->test.ctx_size_out, &size, sizeof(size)))
		goto out;
	if (err != -ENOSPC)
		err = 0;
out:
	return err;
}

/**
 * range_is_zero - test whether buffer is initialized
 * @buf: buffer to check
 * @from: check from this position
 * @to: check up until (excluding) this position
 *
 * This function returns true if there is no non-zero byte
 * in the buf in the range [from, to).
 */
static inline bool range_is_zero(void *buf, size_t from, size_t to)
{
	return !memchr_inv((u8 *)buf + from, 0, to - from);
}

static int convert___skb_to_skb(struct sk_buff *skb, struct __sk_buff *__skb)
{
	struct qdisc_skb_cb *cb = (struct qdisc_skb_cb *)skb->cb;

	if (!__skb)
		return 0;

	/* make sure the fields we don't use are zeroed */
	if (!range_is_zero(__skb, 0, offsetof(struct __sk_buff, mark)))
		return -EINVAL;

	/* mark is allowed */

	if (!range_is_zero(__skb, offsetofend(struct __sk_buff, mark),
			   offsetof(struct __sk_buff, priority)))
		return -EINVAL;

	/* priority is allowed */
	/* ingress_ifindex is allowed */
	/* ifindex is allowed */

	if (!range_is_zero(__skb, offsetofend(struct __sk_buff, ifindex),
			   offsetof(struct __sk_buff, cb)))
		return -EINVAL;

	/* cb is allowed */

	if (!range_is_zero(__skb, offsetofend(struct __sk_buff, cb),
			   offsetof(struct __sk_buff, tstamp)))
		return -EINVAL;

	/* tstamp is allowed */
	/* wire_len is allowed */
	/* gso_segs is allowed */

	if (!range_is_zero(__skb, offsetofend(struct __sk_buff, gso_segs),
			   offsetof(struct __sk_buff, gso_size)))
		return -EINVAL;

	/* gso_size is allowed */

	if (!range_is_zero(__skb, offsetofend(struct __sk_buff, gso_size),
			   offsetof(struct __sk_buff, hwtstamp)))
		return -EINVAL;

	/* hwtstamp is allowed */

	if (!range_is_zero(__skb, offsetofend(struct __sk_buff, hwtstamp),
			   sizeof(struct __sk_buff)))
		return -EINVAL;

	skb->mark = __skb->mark;
	skb->priority = __skb->priority;
	skb->skb_iif = __skb->ingress_ifindex;
	skb->tstamp = __skb->tstamp;
	memcpy(&cb->data, __skb->cb, QDISC_CB_PRIV_LEN);

	if (__skb->wire_len == 0) {
		cb->pkt_len = skb->len;
	} else {
		if (__skb->wire_len < skb->len ||
		    __skb->wire_len > GSO_LEGACY_MAX_SIZE)
			return -EINVAL;
		cb->pkt_len = __skb->wire_len;
	}

	if (__skb->gso_segs > GSO_MAX_SEGS)
		return -EINVAL;
	skb_shinfo(skb)->gso_segs = __skb->gso_segs;
	skb_shinfo(skb)->gso_size = __skb->gso_size;
	skb_shinfo(skb)->hwtstamps.hwtstamp = __skb->hwtstamp;

	return 0;
}

static void convert_skb_to___skb(struct sk_buff *skb, struct __sk_buff *__skb)
{
	struct qdisc_skb_cb *cb = (struct qdisc_skb_cb *)skb->cb;

	if (!__skb)
		return;

	__skb->mark = skb->mark;
	__skb->priority = skb->priority;
	__skb->ingress_ifindex = skb->skb_iif;
	__skb->ifindex = skb->dev->ifindex;
	__skb->tstamp = skb->tstamp;
	memcpy(__skb->cb, &cb->data, QDISC_CB_PRIV_LEN);
	__skb->wire_len = cb->pkt_len;
	__skb->gso_segs = skb_shinfo(skb)->gso_segs;
	__skb->hwtstamp = skb_shinfo(skb)->hwtstamps.hwtstamp;
}

static struct proto bpf_dummy_proto = {
	.name = "bpf_dummy",
	.owner = THIS_MODULE,
	.obj_size = sizeof(struct sock),
};

int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
			  union bpf_attr __user *uattr)
{
	bool is_l2 = false, is_direct_pkt_access = false;
	struct net *net = current->nsproxy->net_ns;
	struct net_device *dev = net->loopback_dev;
	u32 size = kattr->test.data_size_in;
	u32 repeat = kattr->test.repeat;
	struct __sk_buff *ctx = NULL;
	u32 retval, duration;
	int hh_len = ETH_HLEN;
	struct sk_buff *skb;
	struct sock *sk;
	void *data;
	int ret;

	if (kattr->test.flags || kattr->test.cpu || kattr->test.batch_size)
		return -EINVAL;

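	/* Lay the test packet out the way a driver receive path would: the
	 * usual NET_SKB_PAD + NET_IP_ALIGN headroom in front of the data and
	 * room for skb_shared_info behind it, so direct packet access and the
	 * slab_build_skb() call below see a realistic buffer geometry.
	 */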
	data = bpf_test_init(kattr, kattr->test.data_size_in,
			     size, NET_SKB_PAD + NET_IP_ALIGN,
			     SKB_DATA_ALIGN(sizeof(struct skb_shared_info)));
	if (IS_ERR(data))
		return PTR_ERR(data);

	ctx = bpf_ctx_init(kattr, sizeof(struct __sk_buff));
	if (IS_ERR(ctx)) {
		kfree(data);
		return PTR_ERR(ctx);
	}

	switch (prog->type) {
	case BPF_PROG_TYPE_SCHED_CLS:
	case BPF_PROG_TYPE_SCHED_ACT:
		is_l2 = true;
		fallthrough;
	case BPF_PROG_TYPE_LWT_IN:
	case BPF_PROG_TYPE_LWT_OUT:
	case BPF_PROG_TYPE_LWT_XMIT:
		is_direct_pkt_access = true;
		break;
	default:
		break;
	}

	sk = sk_alloc(net, AF_UNSPEC, GFP_USER, &bpf_dummy_proto, 1);
	if (!sk) {
		kfree(data);
		kfree(ctx);
		return -ENOMEM;
	}
	sock_init_data(NULL, sk);

	skb = slab_build_skb(data);
	if (!skb) {
		kfree(data);
		kfree(ctx);
		sk_free(sk);
		return -ENOMEM;
	}
	skb->sk = sk;

	skb_reserve(skb, NET_SKB_PAD + NET_IP_ALIGN);
	__skb_put(skb, size);
	if (ctx && ctx->ifindex > 1) {
		dev = dev_get_by_index(net, ctx->ifindex);
		if (!dev) {
			ret = -ENODEV;
			goto out;
		}
	}
	skb->protocol = eth_type_trans(skb, dev);
	skb_reset_network_header(skb);

	switch (skb->protocol) {
	case htons(ETH_P_IP):
		sk->sk_family = AF_INET;
		if (sizeof(struct iphdr) <= skb_headlen(skb)) {
			sk->sk_rcv_saddr = ip_hdr(skb)->saddr;
			sk->sk_daddr = ip_hdr(skb)->daddr;
		}
		break;
#if IS_ENABLED(CONFIG_IPV6)
	case htons(ETH_P_IPV6):
		sk->sk_family = AF_INET6;
		if (sizeof(struct ipv6hdr) <= skb_headlen(skb)) {
			sk->sk_v6_rcv_saddr = ipv6_hdr(skb)->saddr;
			sk->sk_v6_daddr = ipv6_hdr(skb)->daddr;
		}
		break;
#endif
	default:
		break;
	}

	if (is_l2)
		__skb_push(skb, hh_len);
	if (is_direct_pkt_access)
		bpf_compute_data_pointers(skb);
	ret = convert___skb_to_skb(skb, ctx);
	if (ret)
		goto out;
	ret = bpf_test_run(prog, skb, repeat, &retval, &duration, false);
	if (ret)
		goto out;
	if (!is_l2) {
		if (skb_headroom(skb) < hh_len) {
			int nhead = HH_DATA_ALIGN(hh_len - skb_headroom(skb));

			if (pskb_expand_head(skb, nhead, 0, GFP_USER)) {
				ret = -ENOMEM;
				goto out;
			}
		}
		memset(__skb_push(skb, hh_len), 0, hh_len);
	}
	convert_skb_to___skb(skb, ctx);

	size = skb->len;
	/* bpf program can never convert linear skb to non-linear */
	if (WARN_ON_ONCE(skb_is_nonlinear(skb)))
		size = skb_headlen(skb);
	ret = bpf_test_finish(kattr, uattr, skb->data, NULL, size, retval,
			      duration);
	if (!ret)
		ret = bpf_ctx_finish(kattr, uattr, ctx,
				     sizeof(struct __sk_buff));
out:
	if (dev && dev != net->loopback_dev)
		dev_put(dev);
	kfree_skb(skb);
	sk_free(sk);
	kfree(ctx);
	return ret;
}

static int xdp_convert_md_to_buff(struct xdp_md *xdp_md, struct xdp_buff *xdp)
{
	unsigned int ingress_ifindex, rx_queue_index;
	struct netdev_rx_queue *rxqueue;
	struct net_device *device;

	if (!xdp_md)
		return 0;

	if (xdp_md->egress_ifindex != 0)
		return -EINVAL;

	ingress_ifindex = xdp_md->ingress_ifindex;
	rx_queue_index = xdp_md->rx_queue_index;

	if (!ingress_ifindex && rx_queue_index)
		return -EINVAL;

	if (ingress_ifindex) {
		device = dev_get_by_index(current->nsproxy->net_ns,
					  ingress_ifindex);
		if (!device)
			return -ENODEV;

		if (rx_queue_index >= device->real_num_rx_queues)
			goto free_dev;

		rxqueue = __netif_get_rx_queue(device, rx_queue_index);

		if (!xdp_rxq_info_is_reg(&rxqueue->xdp_rxq))
			goto free_dev;

		xdp->rxq = &rxqueue->xdp_rxq;
		/* The device is now tracked in the xdp->rxq for later
		 * dev_put()
		 */
	}

	xdp->data = xdp->data_meta + xdp_md->data;
	return 0;

free_dev:
	dev_put(device);
	return -EINVAL;
}

static void xdp_convert_buff_to_md(struct xdp_buff *xdp, struct xdp_md *xdp_md)
{
	if (!xdp_md)
		return;

	xdp_md->data = xdp->data - xdp->data_meta;
	xdp_md->data_end = xdp->data_end - xdp->data_meta;

	if (xdp_md->ingress_ifindex)
		dev_put(xdp->rxq->dev);
}

int bpf_prog_test_run_xdp(struct bpf_prog *prog, const union bpf_attr *kattr,
			  union bpf_attr __user *uattr)
{
	bool do_live = (kattr->test.flags & BPF_F_TEST_XDP_LIVE_FRAMES);
	u32 tailroom = SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
	u32 batch_size = kattr->test.batch_size;
	u32 retval = 0, duration, max_data_sz;
	u32 size = kattr->test.data_size_in;
	u32 headroom = XDP_PACKET_HEADROOM;
	u32 repeat = kattr->test.repeat;
	struct netdev_rx_queue *rxqueue;
	struct skb_shared_info *sinfo;
	struct xdp_buff xdp = {};
	int i, ret = -EINVAL;
	struct xdp_md *ctx;
	void *data;

	if (prog->expected_attach_type == BPF_XDP_DEVMAP ||
	    prog->expected_attach_type == BPF_XDP_CPUMAP)
		return -EINVAL;

	if (kattr->test.flags & ~BPF_F_TEST_XDP_LIVE_FRAMES)
		return -EINVAL;

	if (bpf_prog_is_dev_bound(prog->aux))
		return -EINVAL;

	if (do_live) {
		if (!batch_size)
			batch_size = NAPI_POLL_WEIGHT;
		else if (batch_size > TEST_XDP_MAX_BATCH)
			return -E2BIG;

		headroom += sizeof(struct xdp_page_head);
	} else if (batch_size) {
		return -EINVAL;
	}

	ctx = bpf_ctx_init(kattr, sizeof(struct xdp_md));
	if (IS_ERR(ctx))
		return PTR_ERR(ctx);

	if (ctx) {
		/* There can't be user provided data before the meta data */
		if (ctx->data_meta || ctx->data_end != size ||
		    ctx->data > ctx->data_end ||
		    unlikely(xdp_metalen_invalid(ctx->data)) ||
		    (do_live && (kattr->test.data_out || kattr->test.ctx_out)))
			goto free_ctx;
		/* Meta data is allocated from the headroom */
		headroom -= ctx->data;
	}

	max_data_sz = 4096 - headroom - tailroom;
	if (size > max_data_sz) {
		/* disallow live data mode for jumbo frames */
		if (do_live)
			goto free_ctx;
		size = max_data_sz;
	}

	data = bpf_test_init(kattr, size, max_data_sz, headroom, tailroom);
	if (IS_ERR(data)) {
		ret = PTR_ERR(data);
		goto free_ctx;
	}

	rxqueue = __netif_get_rx_queue(current->nsproxy->net_ns->loopback_dev, 0);
	rxqueue->xdp_rxq.frag_size = headroom + max_data_sz + tailroom;
	xdp_init_buff(&xdp, rxqueue->xdp_rxq.frag_size, &rxqueue->xdp_rxq);
	xdp_prepare_buff(&xdp, data, headroom, size, true);
	sinfo = xdp_get_shared_info_from_buff(&xdp);

	ret = xdp_convert_md_to_buff(ctx, &xdp);
	if (ret)
		goto free_data;

	if (unlikely(kattr->test.data_size_in > size)) {
		void __user *data_in = u64_to_user_ptr(kattr->test.data_in);

		while (size < kattr->test.data_size_in) {
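			/* The remaining user data does not fit in the linear
			 * area, so attach it page by page as frags on the
			 * xdp_buff's shared info (multi-buffer XDP).
			 */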
			struct page *page;
			skb_frag_t *frag;
			u32 data_len;

			if (sinfo->nr_frags == MAX_SKB_FRAGS) {
				ret = -ENOMEM;
				goto out;
			}

			page = alloc_page(GFP_KERNEL);
			if (!page) {
				ret = -ENOMEM;
				goto out;
			}

			frag = &sinfo->frags[sinfo->nr_frags++];

			data_len = min_t(u32, kattr->test.data_size_in - size,
					 PAGE_SIZE);
			skb_frag_fill_page_desc(frag, page, 0, data_len);

			if (copy_from_user(page_address(page), data_in + size,
					   data_len)) {
				ret = -EFAULT;
				goto out;
			}
			sinfo->xdp_frags_size += data_len;
			size += data_len;
		}
		xdp_buff_set_frags_flag(&xdp);
	}

	if (repeat > 1)
		bpf_prog_change_xdp(NULL, prog);

	if (do_live)
		ret = bpf_test_run_xdp_live(prog, &xdp, repeat, batch_size, &duration);
	else
		ret = bpf_test_run(prog, &xdp, repeat, &retval, &duration, true);
	/* We convert the xdp_buff back to an xdp_md before checking the return
	 * code so the reference count of any held netdevice will be decremented
	 * even if the test run failed.
	 */
	xdp_convert_buff_to_md(&xdp, ctx);
	if (ret)
		goto out;

	size = xdp.data_end - xdp.data_meta + sinfo->xdp_frags_size;
	ret = bpf_test_finish(kattr, uattr, xdp.data_meta, sinfo, size,
			      retval, duration);
	if (!ret)
		ret = bpf_ctx_finish(kattr, uattr, ctx,
				     sizeof(struct xdp_md));

out:
	if (repeat > 1)
		bpf_prog_change_xdp(prog, NULL);
free_data:
	for (i = 0; i < sinfo->nr_frags; i++)
		__free_page(skb_frag_page(&sinfo->frags[i]));
	kfree(data);
free_ctx:
	kfree(ctx);
	return ret;
}

static int verify_user_bpf_flow_keys(struct bpf_flow_keys *ctx)
{
	/* make sure the fields we don't use are zeroed */
	if (!range_is_zero(ctx, 0, offsetof(struct bpf_flow_keys, flags)))
		return -EINVAL;

	/* flags is allowed */

	if (!range_is_zero(ctx, offsetofend(struct bpf_flow_keys, flags),
			   sizeof(struct bpf_flow_keys)))
		return -EINVAL;

	return 0;
}

int bpf_prog_test_run_flow_dissector(struct bpf_prog *prog,
				     const union bpf_attr *kattr,
				     union bpf_attr __user *uattr)
{
	struct bpf_test_timer t = { NO_PREEMPT };
	u32 size = kattr->test.data_size_in;
	struct bpf_flow_dissector ctx = {};
	u32 repeat = kattr->test.repeat;
	struct bpf_flow_keys *user_ctx;
	struct bpf_flow_keys flow_keys;
	const struct ethhdr *eth;
	unsigned int flags = 0;
	u32 retval, duration;
	void *data;
	int ret;

	if (kattr->test.flags || kattr->test.cpu || kattr->test.batch_size)
		return -EINVAL;

	if (size < ETH_HLEN)
		return -EINVAL;

	data = bpf_test_init(kattr, kattr->test.data_size_in, size, 0, 0);
	if (IS_ERR(data))
		return PTR_ERR(data);

	eth = (struct ethhdr *)data;

	if (!repeat)
		repeat = 1;

	user_ctx = bpf_ctx_init(kattr, sizeof(struct bpf_flow_keys));
	if (IS_ERR(user_ctx)) {
		kfree(data);
		return PTR_ERR(user_ctx);
	}
	if (user_ctx) {
		ret = verify_user_bpf_flow_keys(user_ctx);
		if (ret)
			goto out;
		flags = user_ctx->flags;
	}

	ctx.flow_keys = &flow_keys;
	ctx.data = data;
	ctx.data_end = (__u8 *)data + size;

	bpf_test_timer_enter(&t);
	do {
		retval = bpf_flow_dissect(prog, &ctx, eth->h_proto, ETH_HLEN,
					  size, flags);
	} while (bpf_test_timer_continue(&t, 1, repeat, &ret, &duration));
	bpf_test_timer_leave(&t);

	if (ret < 0)
		goto out;

	ret = bpf_test_finish(kattr, uattr, &flow_keys, NULL,
			      sizeof(flow_keys), retval, duration);
	if (!ret)
		ret = bpf_ctx_finish(kattr, uattr, user_ctx,
				     sizeof(struct bpf_flow_keys));

out:
	kfree(user_ctx);
	kfree(data);
	return ret;
}

int bpf_prog_test_run_sk_lookup(struct bpf_prog *prog, const union bpf_attr *kattr,
				union bpf_attr __user *uattr)
{
	struct bpf_test_timer t = { NO_PREEMPT };
	struct bpf_prog_array *progs = NULL;
	struct bpf_sk_lookup_kern ctx = {};
	u32 repeat = kattr->test.repeat;
	struct bpf_sk_lookup *user_ctx;
	u32 retval, duration;
	int ret = -EINVAL;

	if (kattr->test.flags || kattr->test.cpu || kattr->test.batch_size)
		return -EINVAL;

	if (kattr->test.data_in || kattr->test.data_size_in || kattr->test.data_out ||
	    kattr->test.data_size_out)
		return -EINVAL;

	if (!repeat)
		repeat = 1;

	user_ctx = bpf_ctx_init(kattr, sizeof(*user_ctx));
	if (IS_ERR(user_ctx))
		return PTR_ERR(user_ctx);

	if (!user_ctx)
		return -EINVAL;

	if (user_ctx->sk)
		goto out;

	if (!range_is_zero(user_ctx, offsetofend(typeof(*user_ctx), local_port), sizeof(*user_ctx)))
		goto out;

	if (user_ctx->local_port > U16_MAX) {
		ret = -ERANGE;
		goto out;
	}

	ctx.family = (u16)user_ctx->family;
	ctx.protocol = (u16)user_ctx->protocol;
	ctx.dport = (u16)user_ctx->local_port;
	ctx.sport = user_ctx->remote_port;

	switch (ctx.family) {
	case AF_INET:
		ctx.v4.daddr = (__force __be32)user_ctx->local_ip4;
		ctx.v4.saddr = (__force __be32)user_ctx->remote_ip4;
		break;

#if IS_ENABLED(CONFIG_IPV6)
	case AF_INET6:
		ctx.v6.daddr = (struct in6_addr *)user_ctx->local_ip6;
		ctx.v6.saddr = (struct in6_addr *)user_ctx->remote_ip6;
		break;
#endif

	default:
		ret = -EAFNOSUPPORT;
		goto out;
	}

	progs = bpf_prog_array_alloc(1, GFP_KERNEL);
	if (!progs) {
		ret = -ENOMEM;
		goto out;
	}

	progs->items[0].prog = prog;

	bpf_test_timer_enter(&t);
	do {
		ctx.selected_sk = NULL;
		retval = BPF_PROG_SK_LOOKUP_RUN_ARRAY(progs, ctx, bpf_prog_run);
	} while (bpf_test_timer_continue(&t, 1, repeat, &ret, &duration));
	bpf_test_timer_leave(&t);

	if (ret < 0)
		goto out;

	user_ctx->cookie = 0;
	if (ctx.selected_sk) {
		if (ctx.selected_sk->sk_reuseport && !ctx.no_reuseport) {
			ret = -EOPNOTSUPP;
			goto out;
		}

		user_ctx->cookie = sock_gen_cookie(ctx.selected_sk);
	}

	ret = bpf_test_finish(kattr, uattr, NULL, NULL, 0, retval, duration);
	if (!ret)
		ret = bpf_ctx_finish(kattr, uattr, user_ctx, sizeof(*user_ctx));

out:
	bpf_prog_array_free(progs);
	kfree(user_ctx);
	return ret;
}

int bpf_prog_test_run_syscall(struct bpf_prog *prog,
			      const union bpf_attr *kattr,
			      union bpf_attr __user *uattr)
{
	void __user *ctx_in = u64_to_user_ptr(kattr->test.ctx_in);
	__u32 ctx_size_in = kattr->test.ctx_size_in;
	void *ctx = NULL;
	u32 retval;
	int err = 0;

	/* doesn't support data_in/out, ctx_out, duration, repeat, or flags */
	if (kattr->test.data_in || kattr->test.data_out ||
	    kattr->test.ctx_out ||
	    kattr->test.duration || kattr->test.repeat ||
	    kattr->test.flags || kattr->test.batch_size)
		return -EINVAL;

	if (ctx_size_in < prog->aux->max_ctx_offset ||
	    ctx_size_in > U16_MAX)
		return -EINVAL;

	if (ctx_size_in) {
		ctx = memdup_user(ctx_in, ctx_size_in);
		if (IS_ERR(ctx))
			return PTR_ERR(ctx);
	}

	rcu_read_lock_trace();
	retval = bpf_prog_run_pin_on_cpu(prog, ctx);
	rcu_read_unlock_trace();

	if (copy_to_user(&uattr->test.retval, &retval, sizeof(u32))) {
		err = -EFAULT;
		goto out;
	}
	if (ctx_size_in)
		if (copy_to_user(ctx_in, ctx, ctx_size_in))
			err = -EFAULT;
out:
	kfree(ctx);
	return err;
}

static int verify_and_copy_hook_state(struct nf_hook_state *state,
				      const struct nf_hook_state *user,
				      struct net_device *dev)
{
	if (user->in || user->out)
		return -EINVAL;

	if (user->net || user->sk || user->okfn)
		return -EINVAL;

	switch (user->pf) {
	case NFPROTO_IPV4:
	case NFPROTO_IPV6:
		switch (state->hook) {
		case NF_INET_PRE_ROUTING:
			state->in = dev;
			break;
		case NF_INET_LOCAL_IN:
			state->in = dev;
			break;
		case NF_INET_FORWARD:
			state->in = dev;
			state->out = dev;
			break;
		case NF_INET_LOCAL_OUT:
			state->out = dev;
			break;
		case NF_INET_POST_ROUTING:
			state->out = dev;
			break;
		}

		break;
	default:
		return -EINVAL;
	}

	state->pf = user->pf;
	state->hook = user->hook;

	return 0;
}

static __be16 nfproto_eth(int nfproto)
{
	switch (nfproto) {
	case NFPROTO_IPV4:
		return htons(ETH_P_IP);
	case NFPROTO_IPV6:
		break;
	}

	return htons(ETH_P_IPV6);
}

int bpf_prog_test_run_nf(struct bpf_prog *prog,
			 const union bpf_attr *kattr,
			 union bpf_attr __user *uattr)
{
	struct net *net = current->nsproxy->net_ns;
	struct net_device *dev = net->loopback_dev;
	struct nf_hook_state *user_ctx, hook_state = {
		.pf = NFPROTO_IPV4,
		.hook = NF_INET_LOCAL_OUT,
	};
	u32 size = kattr->test.data_size_in;
	u32 repeat = kattr->test.repeat;
	struct bpf_nf_ctx ctx = {
		.state = &hook_state,
	};
	struct sk_buff *skb = NULL;
	u32 retval, duration;
	void *data;
	int ret;

	if (kattr->test.flags || kattr->test.cpu || kattr->test.batch_size)
		return -EINVAL;

	if (size < sizeof(struct iphdr))
		return -EINVAL;

	data = bpf_test_init(kattr, kattr->test.data_size_in, size,
			     NET_SKB_PAD + NET_IP_ALIGN,
			     SKB_DATA_ALIGN(sizeof(struct skb_shared_info)));
	if (IS_ERR(data))
		return PTR_ERR(data);

	if (!repeat)
		repeat = 1;

	user_ctx = bpf_ctx_init(kattr, sizeof(struct nf_hook_state));
	if (IS_ERR(user_ctx)) {
		kfree(data);
		return PTR_ERR(user_ctx);
	}

	if (user_ctx) {
		ret = verify_and_copy_hook_state(&hook_state, user_ctx, dev);
		if (ret)
			goto out;
	}

	skb = slab_build_skb(data);
	if (!skb) {
		ret = -ENOMEM;
		goto out;
	}

	data = NULL; /* data released via kfree_skb */

	skb_reserve(skb, NET_SKB_PAD + NET_IP_ALIGN);
	__skb_put(skb, size);

	ret = -EINVAL;

	if (hook_state.hook != NF_INET_LOCAL_OUT) {
		if (size < ETH_HLEN + sizeof(struct iphdr))
			goto out;

		skb->protocol = eth_type_trans(skb, dev);
		switch (skb->protocol) {
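		/* Only accept packet types consistent with the hook's
		 * protocol family; eth_type_trans() above has already pulled
		 * the Ethernet header for these non-LOCAL_OUT hooks.
		 */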
		case htons(ETH_P_IP):
			if (hook_state.pf == NFPROTO_IPV4)
				break;
			goto out;
		case htons(ETH_P_IPV6):
			if (size < ETH_HLEN + sizeof(struct ipv6hdr))
				goto out;
			if (hook_state.pf == NFPROTO_IPV6)
				break;
			goto out;
		default:
			ret = -EPROTO;
			goto out;
		}

		skb_reset_network_header(skb);
	} else {
		skb->protocol = nfproto_eth(hook_state.pf);
	}

	ctx.skb = skb;

	ret = bpf_test_run(prog, &ctx, repeat, &retval, &duration, false);
	if (ret)
		goto out;

	ret = bpf_test_finish(kattr, uattr, NULL, NULL, 0, retval, duration);

out:
	kfree(user_ctx);
	kfree_skb(skb);
	kfree(data);
	return ret;
}

static const struct btf_kfunc_id_set bpf_prog_test_kfunc_set = {
	.owner = THIS_MODULE,
	.set = &test_sk_check_kfunc_ids,
};

BTF_ID_LIST(bpf_prog_test_dtor_kfunc_ids)
BTF_ID(struct, prog_test_ref_kfunc)
BTF_ID(func, bpf_kfunc_call_test_release)
BTF_ID(struct, prog_test_member)
BTF_ID(func, bpf_kfunc_call_memb_release)

static int __init bpf_prog_test_run_init(void)
{
	const struct btf_id_dtor_kfunc bpf_prog_test_dtor_kfunc[] = {
		{
			.btf_id       = bpf_prog_test_dtor_kfunc_ids[0],
			.kfunc_btf_id = bpf_prog_test_dtor_kfunc_ids[1]
		},
		{
			.btf_id       = bpf_prog_test_dtor_kfunc_ids[2],
			.kfunc_btf_id = bpf_prog_test_dtor_kfunc_ids[3],
		},
	};
	int ret;

	ret = register_btf_fmodret_id_set(&bpf_test_modify_return_set);
	ret = ret ?: register_btf_kfunc_id_set(BPF_PROG_TYPE_SCHED_CLS, &bpf_prog_test_kfunc_set);
	ret = ret ?: register_btf_kfunc_id_set(BPF_PROG_TYPE_TRACING, &bpf_prog_test_kfunc_set);
	ret = ret ?: register_btf_kfunc_id_set(BPF_PROG_TYPE_SYSCALL, &bpf_prog_test_kfunc_set);
	return ret ?: register_btf_id_dtor_kfuncs(bpf_prog_test_dtor_kfunc,
						  ARRAY_SIZE(bpf_prog_test_dtor_kfunc),
						  THIS_MODULE);
}
late_initcall(bpf_prog_test_run_init);