1 // SPDX-License-Identifier: GPL-2.0
2 /* Copyright (c) 2022 Meta Platforms, Inc. and affiliates. */
3 
4 #include <vmlinux.h>
5 #include <bpf/bpf_tracing.h>
6 #include <bpf/bpf_helpers.h>
7 #include <bpf/bpf_core_read.h>
8 #include "bpf_experimental.h"
9 
10 struct node_data {
11 	long key;
12 	long data;
13 	struct bpf_rb_node node;
14 };
15 
16 long less_callback_ran = -1;
17 long removed_key = -1;
18 long first_data[2] = {-1, -1};
19 
20 #define private(name) SEC(".data." #name) __hidden __attribute__((aligned(8)))
21 private(A) struct bpf_spin_lock glock;
22 private(A) struct bpf_rb_root groot __contains(node_data, node);
23 
less(struct bpf_rb_node * a,const struct bpf_rb_node * b)24 static bool less(struct bpf_rb_node *a, const struct bpf_rb_node *b)
25 {
26 	struct node_data *node_a;
27 	struct node_data *node_b;
28 
29 	node_a = container_of(a, struct node_data, node);
30 	node_b = container_of(b, struct node_data, node);
31 	less_callback_ran = 1;
32 
33 	return node_a->key < node_b->key;
34 }
35 
__add_three(struct bpf_rb_root * root,struct bpf_spin_lock * lock)36 static long __add_three(struct bpf_rb_root *root, struct bpf_spin_lock *lock)
37 {
38 	struct node_data *n, *m;
39 
40 	n = bpf_obj_new(typeof(*n));
41 	if (!n)
42 		return 1;
43 	n->key = 5;
44 
45 	m = bpf_obj_new(typeof(*m));
46 	if (!m) {
47 		bpf_obj_drop(n);
48 		return 2;
49 	}
50 	m->key = 1;
51 
52 	bpf_spin_lock(&glock);
53 	bpf_rbtree_add(&groot, &n->node, less);
54 	bpf_rbtree_add(&groot, &m->node, less);
55 	bpf_spin_unlock(&glock);
56 
57 	n = bpf_obj_new(typeof(*n));
58 	if (!n)
59 		return 3;
60 	n->key = 3;
61 
62 	bpf_spin_lock(&glock);
63 	bpf_rbtree_add(&groot, &n->node, less);
64 	bpf_spin_unlock(&glock);
65 	return 0;
66 }
67 
68 SEC("tc")
rbtree_add_nodes(void * ctx)69 long rbtree_add_nodes(void *ctx)
70 {
71 	return __add_three(&groot, &glock);
72 }
73 
74 SEC("tc")
rbtree_add_and_remove(void * ctx)75 long rbtree_add_and_remove(void *ctx)
76 {
77 	struct bpf_rb_node *res = NULL;
78 	struct node_data *n, *m = NULL;
79 
80 	n = bpf_obj_new(typeof(*n));
81 	if (!n)
82 		goto err_out;
83 	n->key = 5;
84 
85 	m = bpf_obj_new(typeof(*m));
86 	if (!m)
87 		goto err_out;
88 	m->key = 3;
89 
90 	bpf_spin_lock(&glock);
91 	bpf_rbtree_add(&groot, &n->node, less);
92 	bpf_rbtree_add(&groot, &m->node, less);
93 	res = bpf_rbtree_remove(&groot, &n->node);
94 	bpf_spin_unlock(&glock);
95 
96 	if (!res)
97 		return 1;
98 
99 	n = container_of(res, struct node_data, node);
100 	removed_key = n->key;
101 	bpf_obj_drop(n);
102 
103 	return 0;
104 err_out:
105 	if (n)
106 		bpf_obj_drop(n);
107 	if (m)
108 		bpf_obj_drop(m);
109 	return 1;
110 }
111 
112 SEC("tc")
rbtree_first_and_remove(void * ctx)113 long rbtree_first_and_remove(void *ctx)
114 {
115 	struct bpf_rb_node *res = NULL;
116 	struct node_data *n, *m, *o;
117 
118 	n = bpf_obj_new(typeof(*n));
119 	if (!n)
120 		return 1;
121 	n->key = 3;
122 	n->data = 4;
123 
124 	m = bpf_obj_new(typeof(*m));
125 	if (!m)
126 		goto err_out;
127 	m->key = 5;
128 	m->data = 6;
129 
130 	o = bpf_obj_new(typeof(*o));
131 	if (!o)
132 		goto err_out;
133 	o->key = 1;
134 	o->data = 2;
135 
136 	bpf_spin_lock(&glock);
137 	bpf_rbtree_add(&groot, &n->node, less);
138 	bpf_rbtree_add(&groot, &m->node, less);
139 	bpf_rbtree_add(&groot, &o->node, less);
140 
141 	res = bpf_rbtree_first(&groot);
142 	if (!res) {
143 		bpf_spin_unlock(&glock);
144 		return 2;
145 	}
146 
147 	o = container_of(res, struct node_data, node);
148 	first_data[0] = o->data;
149 
150 	res = bpf_rbtree_remove(&groot, &o->node);
151 	bpf_spin_unlock(&glock);
152 
153 	if (!res)
154 		return 5;
155 
156 	o = container_of(res, struct node_data, node);
157 	removed_key = o->key;
158 	bpf_obj_drop(o);
159 
160 	bpf_spin_lock(&glock);
161 	res = bpf_rbtree_first(&groot);
162 	if (!res) {
163 		bpf_spin_unlock(&glock);
164 		return 3;
165 	}
166 
167 	o = container_of(res, struct node_data, node);
168 	first_data[1] = o->data;
169 	bpf_spin_unlock(&glock);
170 
171 	return 0;
172 err_out:
173 	if (n)
174 		bpf_obj_drop(n);
175 	if (m)
176 		bpf_obj_drop(m);
177 	return 1;
178 }
179 
180 SEC("tc")
rbtree_api_release_aliasing(void * ctx)181 long rbtree_api_release_aliasing(void *ctx)
182 {
183 	struct node_data *n, *m, *o;
184 	struct bpf_rb_node *res, *res2;
185 
186 	n = bpf_obj_new(typeof(*n));
187 	if (!n)
188 		return 1;
189 	n->key = 41;
190 	n->data = 42;
191 
192 	bpf_spin_lock(&glock);
193 	bpf_rbtree_add(&groot, &n->node, less);
194 	bpf_spin_unlock(&glock);
195 
196 	bpf_spin_lock(&glock);
197 
198 	/* m and o point to the same node,
199 	 * but verifier doesn't know this
200 	 */
201 	res = bpf_rbtree_first(&groot);
202 	if (!res)
203 		goto err_out;
204 	o = container_of(res, struct node_data, node);
205 
206 	res = bpf_rbtree_first(&groot);
207 	if (!res)
208 		goto err_out;
209 	m = container_of(res, struct node_data, node);
210 
211 	res = bpf_rbtree_remove(&groot, &m->node);
212 	/* Retval of previous remove returns an owning reference to m,
213 	 * which is the same node non-owning ref o is pointing at.
214 	 * We can safely try to remove o as the second rbtree_remove will
215 	 * return NULL since the node isn't in a tree.
216 	 *
217 	 * Previously we relied on the verifier type system + rbtree_remove
218 	 * invalidating non-owning refs to ensure that rbtree_remove couldn't
219 	 * fail, but now rbtree_remove does runtime checking so we no longer
220 	 * invalidate non-owning refs after remove.
221 	 */
222 	res2 = bpf_rbtree_remove(&groot, &o->node);
223 
224 	bpf_spin_unlock(&glock);
225 
226 	if (res) {
227 		o = container_of(res, struct node_data, node);
228 		first_data[0] = o->data;
229 		bpf_obj_drop(o);
230 	}
231 	if (res2) {
232 		/* The second remove fails, so res2 is null and this doesn't
233 		 * execute
234 		 */
235 		m = container_of(res2, struct node_data, node);
236 		first_data[1] = m->data;
237 		bpf_obj_drop(m);
238 	}
239 	return 0;
240 
241 err_out:
242 	bpf_spin_unlock(&glock);
243 	return 1;
244 }
245 
246 char _license[] SEC("license") = "GPL";
247