1 // SPDX-License-Identifier: GPL-2.0-only 2 /* Copyright (c) 2017 Facebook 3 */ 4 #include <linux/bpf.h> 5 #include <linux/btf_ids.h> 6 #include <linux/slab.h> 7 #include <linux/vmalloc.h> 8 #include <linux/etherdevice.h> 9 #include <linux/filter.h> 10 #include <linux/rcupdate_trace.h> 11 #include <linux/sched/signal.h> 12 #include <net/bpf_sk_storage.h> 13 #include <net/sock.h> 14 #include <net/tcp.h> 15 #include <net/net_namespace.h> 16 #include <linux/error-injection.h> 17 #include <linux/smp.h> 18 #include <linux/sock_diag.h> 19 #include <net/xdp.h> 20 21 #define CREATE_TRACE_POINTS 22 #include <trace/events/bpf_test_run.h> 23 24 struct bpf_test_timer { 25 enum { NO_PREEMPT, NO_MIGRATE } mode; 26 u32 i; 27 u64 time_start, time_spent; 28 }; 29 bpf_test_timer_enter(struct bpf_test_timer * t)30 static void bpf_test_timer_enter(struct bpf_test_timer *t) 31 __acquires(rcu) 32 { 33 rcu_read_lock(); 34 if (t->mode == NO_PREEMPT) 35 preempt_disable(); 36 else 37 migrate_disable(); 38 39 t->time_start = ktime_get_ns(); 40 } 41 bpf_test_timer_leave(struct bpf_test_timer * t)42 static void bpf_test_timer_leave(struct bpf_test_timer *t) 43 __releases(rcu) 44 { 45 t->time_start = 0; 46 47 if (t->mode == NO_PREEMPT) 48 preempt_enable(); 49 else 50 migrate_enable(); 51 rcu_read_unlock(); 52 } 53 bpf_test_timer_continue(struct bpf_test_timer * t,u32 repeat,int * err,u32 * duration)54 static bool bpf_test_timer_continue(struct bpf_test_timer *t, u32 repeat, int *err, u32 *duration) 55 __must_hold(rcu) 56 { 57 t->i++; 58 if (t->i >= repeat) { 59 /* We're done. */ 60 t->time_spent += ktime_get_ns() - t->time_start; 61 do_div(t->time_spent, t->i); 62 *duration = t->time_spent > U32_MAX ? U32_MAX : (u32)t->time_spent; 63 *err = 0; 64 goto reset; 65 } 66 67 if (signal_pending(current)) { 68 /* During iteration: we've been cancelled, abort. */ 69 *err = -EINTR; 70 goto reset; 71 } 72 73 if (need_resched()) { 74 /* During iteration: we need to reschedule between runs. */ 75 t->time_spent += ktime_get_ns() - t->time_start; 76 bpf_test_timer_leave(t); 77 cond_resched(); 78 bpf_test_timer_enter(t); 79 } 80 81 /* Do another round. */ 82 return true; 83 84 reset: 85 t->i = 0; 86 return false; 87 } 88 bpf_test_run(struct bpf_prog * prog,void * ctx,u32 repeat,u32 * retval,u32 * time,bool xdp)89 static int bpf_test_run(struct bpf_prog *prog, void *ctx, u32 repeat, 90 u32 *retval, u32 *time, bool xdp) 91 { 92 struct bpf_prog_array_item item = {.prog = prog}; 93 struct bpf_run_ctx *old_ctx; 94 struct bpf_cg_run_ctx run_ctx; 95 struct bpf_test_timer t = { NO_MIGRATE }; 96 enum bpf_cgroup_storage_type stype; 97 int ret; 98 99 for_each_cgroup_storage_type(stype) { 100 item.cgroup_storage[stype] = bpf_cgroup_storage_alloc(prog, stype); 101 if (IS_ERR(item.cgroup_storage[stype])) { 102 item.cgroup_storage[stype] = NULL; 103 for_each_cgroup_storage_type(stype) 104 bpf_cgroup_storage_free(item.cgroup_storage[stype]); 105 return -ENOMEM; 106 } 107 } 108 109 if (!repeat) 110 repeat = 1; 111 112 bpf_test_timer_enter(&t); 113 old_ctx = bpf_set_run_ctx(&run_ctx.run_ctx); 114 do { 115 run_ctx.prog_item = &item; 116 if (xdp) 117 *retval = bpf_prog_run_xdp(prog, ctx); 118 else 119 *retval = bpf_prog_run(prog, ctx); 120 } while (bpf_test_timer_continue(&t, repeat, &ret, time)); 121 bpf_reset_run_ctx(old_ctx); 122 bpf_test_timer_leave(&t); 123 124 for_each_cgroup_storage_type(stype) 125 bpf_cgroup_storage_free(item.cgroup_storage[stype]); 126 127 return ret; 128 } 129 bpf_test_finish(const union bpf_attr * kattr,union bpf_attr __user * uattr,const void * data,u32 size,u32 retval,u32 duration)130 static int bpf_test_finish(const union bpf_attr *kattr, 131 union bpf_attr __user *uattr, const void *data, 132 u32 size, u32 retval, u32 duration) 133 { 134 void __user *data_out = u64_to_user_ptr(kattr->test.data_out); 135 int err = -EFAULT; 136 u32 copy_size = size; 137 138 /* Clamp copy if the user has provided a size hint, but copy the full 139 * buffer if not to retain old behaviour. 140 */ 141 if (kattr->test.data_size_out && 142 copy_size > kattr->test.data_size_out) { 143 copy_size = kattr->test.data_size_out; 144 err = -ENOSPC; 145 } 146 147 if (data_out && copy_to_user(data_out, data, copy_size)) 148 goto out; 149 if (copy_to_user(&uattr->test.data_size_out, &size, sizeof(size))) 150 goto out; 151 if (copy_to_user(&uattr->test.retval, &retval, sizeof(retval))) 152 goto out; 153 if (copy_to_user(&uattr->test.duration, &duration, sizeof(duration))) 154 goto out; 155 if (err != -ENOSPC) 156 err = 0; 157 out: 158 trace_bpf_test_finish(&err); 159 return err; 160 } 161 162 /* Integer types of various sizes and pointer combinations cover variety of 163 * architecture dependent calling conventions. 7+ can be supported in the 164 * future. 165 */ 166 __diag_push(); 167 __diag_ignore(GCC, 8, "-Wmissing-prototypes", 168 "Global functions as their definitions will be in vmlinux BTF"); bpf_fentry_test1(int a)169 int noinline bpf_fentry_test1(int a) 170 { 171 return a + 1; 172 } 173 bpf_fentry_test2(int a,u64 b)174 int noinline bpf_fentry_test2(int a, u64 b) 175 { 176 return a + b; 177 } 178 bpf_fentry_test3(char a,int b,u64 c)179 int noinline bpf_fentry_test3(char a, int b, u64 c) 180 { 181 return a + b + c; 182 } 183 bpf_fentry_test4(void * a,char b,int c,u64 d)184 int noinline bpf_fentry_test4(void *a, char b, int c, u64 d) 185 { 186 return (long)a + b + c + d; 187 } 188 bpf_fentry_test5(u64 a,void * b,short c,int d,u64 e)189 int noinline bpf_fentry_test5(u64 a, void *b, short c, int d, u64 e) 190 { 191 return a + (long)b + c + d + e; 192 } 193 bpf_fentry_test6(u64 a,void * b,short c,int d,void * e,u64 f)194 int noinline bpf_fentry_test6(u64 a, void *b, short c, int d, void *e, u64 f) 195 { 196 return a + (long)b + c + d + (long)e + f; 197 } 198 199 struct bpf_fentry_test_t { 200 struct bpf_fentry_test_t *a; 201 }; 202 bpf_fentry_test7(struct bpf_fentry_test_t * arg)203 int noinline bpf_fentry_test7(struct bpf_fentry_test_t *arg) 204 { 205 return (long)arg; 206 } 207 bpf_fentry_test8(struct bpf_fentry_test_t * arg)208 int noinline bpf_fentry_test8(struct bpf_fentry_test_t *arg) 209 { 210 return (long)arg->a; 211 } 212 bpf_modify_return_test(int a,int * b)213 int noinline bpf_modify_return_test(int a, int *b) 214 { 215 *b += 1; 216 return a + *b; 217 } 218 bpf_kfunc_call_test1(struct sock * sk,u32 a,u64 b,u32 c,u64 d)219 u64 noinline bpf_kfunc_call_test1(struct sock *sk, u32 a, u64 b, u32 c, u64 d) 220 { 221 return a + b + c + d; 222 } 223 bpf_kfunc_call_test2(struct sock * sk,u32 a,u32 b)224 int noinline bpf_kfunc_call_test2(struct sock *sk, u32 a, u32 b) 225 { 226 return a + b; 227 } 228 bpf_kfunc_call_test3(struct sock * sk)229 struct sock * noinline bpf_kfunc_call_test3(struct sock *sk) 230 { 231 return sk; 232 } 233 234 __diag_pop(); 235 236 ALLOW_ERROR_INJECTION(bpf_modify_return_test, ERRNO); 237 238 BTF_SET_START(test_sk_kfunc_ids) BTF_ID(func,bpf_kfunc_call_test1)239 BTF_ID(func, bpf_kfunc_call_test1) 240 BTF_ID(func, bpf_kfunc_call_test2) 241 BTF_ID(func, bpf_kfunc_call_test3) 242 BTF_SET_END(test_sk_kfunc_ids) 243 244 bool bpf_prog_test_check_kfunc_call(u32 kfunc_id) 245 { 246 return btf_id_set_contains(&test_sk_kfunc_ids, kfunc_id); 247 } 248 bpf_test_init(const union bpf_attr * kattr,u32 size,u32 headroom,u32 tailroom)249 static void *bpf_test_init(const union bpf_attr *kattr, u32 size, 250 u32 headroom, u32 tailroom) 251 { 252 void __user *data_in = u64_to_user_ptr(kattr->test.data_in); 253 u32 user_size = kattr->test.data_size_in; 254 void *data; 255 256 if (size < ETH_HLEN || size > PAGE_SIZE - headroom - tailroom) 257 return ERR_PTR(-EINVAL); 258 259 if (user_size > size) 260 return ERR_PTR(-EMSGSIZE); 261 262 size = SKB_DATA_ALIGN(size); 263 data = kzalloc(size + headroom + tailroom, GFP_USER); 264 if (!data) 265 return ERR_PTR(-ENOMEM); 266 267 if (copy_from_user(data + headroom, data_in, user_size)) { 268 kfree(data); 269 return ERR_PTR(-EFAULT); 270 } 271 272 return data; 273 } 274 bpf_prog_test_run_tracing(struct bpf_prog * prog,const union bpf_attr * kattr,union bpf_attr __user * uattr)275 int bpf_prog_test_run_tracing(struct bpf_prog *prog, 276 const union bpf_attr *kattr, 277 union bpf_attr __user *uattr) 278 { 279 struct bpf_fentry_test_t arg = {}; 280 u16 side_effect = 0, ret = 0; 281 int b = 2, err = -EFAULT; 282 u32 retval = 0; 283 284 if (kattr->test.flags || kattr->test.cpu) 285 return -EINVAL; 286 287 switch (prog->expected_attach_type) { 288 case BPF_TRACE_FENTRY: 289 case BPF_TRACE_FEXIT: 290 if (bpf_fentry_test1(1) != 2 || 291 bpf_fentry_test2(2, 3) != 5 || 292 bpf_fentry_test3(4, 5, 6) != 15 || 293 bpf_fentry_test4((void *)7, 8, 9, 10) != 34 || 294 bpf_fentry_test5(11, (void *)12, 13, 14, 15) != 65 || 295 bpf_fentry_test6(16, (void *)17, 18, 19, (void *)20, 21) != 111 || 296 bpf_fentry_test7((struct bpf_fentry_test_t *)0) != 0 || 297 bpf_fentry_test8(&arg) != 0) 298 goto out; 299 break; 300 case BPF_MODIFY_RETURN: 301 ret = bpf_modify_return_test(1, &b); 302 if (b != 2) 303 side_effect = 1; 304 break; 305 default: 306 goto out; 307 } 308 309 retval = ((u32)side_effect << 16) | ret; 310 if (copy_to_user(&uattr->test.retval, &retval, sizeof(retval))) 311 goto out; 312 313 err = 0; 314 out: 315 trace_bpf_test_finish(&err); 316 return err; 317 } 318 319 struct bpf_raw_tp_test_run_info { 320 struct bpf_prog *prog; 321 void *ctx; 322 u32 retval; 323 }; 324 325 static void __bpf_prog_test_run_raw_tp(void * data)326 __bpf_prog_test_run_raw_tp(void *data) 327 { 328 struct bpf_raw_tp_test_run_info *info = data; 329 330 rcu_read_lock(); 331 info->retval = bpf_prog_run(info->prog, info->ctx); 332 rcu_read_unlock(); 333 } 334 bpf_prog_test_run_raw_tp(struct bpf_prog * prog,const union bpf_attr * kattr,union bpf_attr __user * uattr)335 int bpf_prog_test_run_raw_tp(struct bpf_prog *prog, 336 const union bpf_attr *kattr, 337 union bpf_attr __user *uattr) 338 { 339 void __user *ctx_in = u64_to_user_ptr(kattr->test.ctx_in); 340 __u32 ctx_size_in = kattr->test.ctx_size_in; 341 struct bpf_raw_tp_test_run_info info; 342 int cpu = kattr->test.cpu, err = 0; 343 int current_cpu; 344 345 /* doesn't support data_in/out, ctx_out, duration, or repeat */ 346 if (kattr->test.data_in || kattr->test.data_out || 347 kattr->test.ctx_out || kattr->test.duration || 348 kattr->test.repeat) 349 return -EINVAL; 350 351 if (ctx_size_in < prog->aux->max_ctx_offset || 352 ctx_size_in > MAX_BPF_FUNC_ARGS * sizeof(u64)) 353 return -EINVAL; 354 355 if ((kattr->test.flags & BPF_F_TEST_RUN_ON_CPU) == 0 && cpu != 0) 356 return -EINVAL; 357 358 if (ctx_size_in) { 359 info.ctx = kzalloc(ctx_size_in, GFP_USER); 360 if (!info.ctx) 361 return -ENOMEM; 362 if (copy_from_user(info.ctx, ctx_in, ctx_size_in)) { 363 err = -EFAULT; 364 goto out; 365 } 366 } else { 367 info.ctx = NULL; 368 } 369 370 info.prog = prog; 371 372 current_cpu = get_cpu(); 373 if ((kattr->test.flags & BPF_F_TEST_RUN_ON_CPU) == 0 || 374 cpu == current_cpu) { 375 __bpf_prog_test_run_raw_tp(&info); 376 } else if (cpu >= nr_cpu_ids || !cpu_online(cpu)) { 377 /* smp_call_function_single() also checks cpu_online() 378 * after csd_lock(). However, since cpu is from user 379 * space, let's do an extra quick check to filter out 380 * invalid value before smp_call_function_single(). 381 */ 382 err = -ENXIO; 383 } else { 384 err = smp_call_function_single(cpu, __bpf_prog_test_run_raw_tp, 385 &info, 1); 386 } 387 put_cpu(); 388 389 if (!err && 390 copy_to_user(&uattr->test.retval, &info.retval, sizeof(u32))) 391 err = -EFAULT; 392 393 out: 394 kfree(info.ctx); 395 return err; 396 } 397 bpf_ctx_init(const union bpf_attr * kattr,u32 max_size)398 static void *bpf_ctx_init(const union bpf_attr *kattr, u32 max_size) 399 { 400 void __user *data_in = u64_to_user_ptr(kattr->test.ctx_in); 401 void __user *data_out = u64_to_user_ptr(kattr->test.ctx_out); 402 u32 size = kattr->test.ctx_size_in; 403 void *data; 404 int err; 405 406 if (!data_in && !data_out) 407 return NULL; 408 409 data = kzalloc(max_size, GFP_USER); 410 if (!data) 411 return ERR_PTR(-ENOMEM); 412 413 if (data_in) { 414 err = bpf_check_uarg_tail_zero(USER_BPFPTR(data_in), max_size, size); 415 if (err) { 416 kfree(data); 417 return ERR_PTR(err); 418 } 419 420 size = min_t(u32, max_size, size); 421 if (copy_from_user(data, data_in, size)) { 422 kfree(data); 423 return ERR_PTR(-EFAULT); 424 } 425 } 426 return data; 427 } 428 bpf_ctx_finish(const union bpf_attr * kattr,union bpf_attr __user * uattr,const void * data,u32 size)429 static int bpf_ctx_finish(const union bpf_attr *kattr, 430 union bpf_attr __user *uattr, const void *data, 431 u32 size) 432 { 433 void __user *data_out = u64_to_user_ptr(kattr->test.ctx_out); 434 int err = -EFAULT; 435 u32 copy_size = size; 436 437 if (!data || !data_out) 438 return 0; 439 440 if (copy_size > kattr->test.ctx_size_out) { 441 copy_size = kattr->test.ctx_size_out; 442 err = -ENOSPC; 443 } 444 445 if (copy_to_user(data_out, data, copy_size)) 446 goto out; 447 if (copy_to_user(&uattr->test.ctx_size_out, &size, sizeof(size))) 448 goto out; 449 if (err != -ENOSPC) 450 err = 0; 451 out: 452 return err; 453 } 454 455 /** 456 * range_is_zero - test whether buffer is initialized 457 * @buf: buffer to check 458 * @from: check from this position 459 * @to: check up until (excluding) this position 460 * 461 * This function returns true if the there is a non-zero byte 462 * in the buf in the range [from,to). 463 */ range_is_zero(void * buf,size_t from,size_t to)464 static inline bool range_is_zero(void *buf, size_t from, size_t to) 465 { 466 return !memchr_inv((u8 *)buf + from, 0, to - from); 467 } 468 convert___skb_to_skb(struct sk_buff * skb,struct __sk_buff * __skb)469 static int convert___skb_to_skb(struct sk_buff *skb, struct __sk_buff *__skb) 470 { 471 struct qdisc_skb_cb *cb = (struct qdisc_skb_cb *)skb->cb; 472 473 if (!__skb) 474 return 0; 475 476 /* make sure the fields we don't use are zeroed */ 477 if (!range_is_zero(__skb, 0, offsetof(struct __sk_buff, mark))) 478 return -EINVAL; 479 480 /* mark is allowed */ 481 482 if (!range_is_zero(__skb, offsetofend(struct __sk_buff, mark), 483 offsetof(struct __sk_buff, priority))) 484 return -EINVAL; 485 486 /* priority is allowed */ 487 488 if (!range_is_zero(__skb, offsetofend(struct __sk_buff, priority), 489 offsetof(struct __sk_buff, ifindex))) 490 return -EINVAL; 491 492 /* ifindex is allowed */ 493 494 if (!range_is_zero(__skb, offsetofend(struct __sk_buff, ifindex), 495 offsetof(struct __sk_buff, cb))) 496 return -EINVAL; 497 498 /* cb is allowed */ 499 500 if (!range_is_zero(__skb, offsetofend(struct __sk_buff, cb), 501 offsetof(struct __sk_buff, tstamp))) 502 return -EINVAL; 503 504 /* tstamp is allowed */ 505 /* wire_len is allowed */ 506 /* gso_segs is allowed */ 507 508 if (!range_is_zero(__skb, offsetofend(struct __sk_buff, gso_segs), 509 offsetof(struct __sk_buff, gso_size))) 510 return -EINVAL; 511 512 /* gso_size is allowed */ 513 514 if (!range_is_zero(__skb, offsetofend(struct __sk_buff, gso_size), 515 sizeof(struct __sk_buff))) 516 return -EINVAL; 517 518 skb->mark = __skb->mark; 519 skb->priority = __skb->priority; 520 skb->tstamp = __skb->tstamp; 521 memcpy(&cb->data, __skb->cb, QDISC_CB_PRIV_LEN); 522 523 if (__skb->wire_len == 0) { 524 cb->pkt_len = skb->len; 525 } else { 526 if (__skb->wire_len < skb->len || 527 __skb->wire_len > GSO_MAX_SIZE) 528 return -EINVAL; 529 cb->pkt_len = __skb->wire_len; 530 } 531 532 if (__skb->gso_segs > GSO_MAX_SEGS) 533 return -EINVAL; 534 skb_shinfo(skb)->gso_segs = __skb->gso_segs; 535 skb_shinfo(skb)->gso_size = __skb->gso_size; 536 537 return 0; 538 } 539 convert_skb_to___skb(struct sk_buff * skb,struct __sk_buff * __skb)540 static void convert_skb_to___skb(struct sk_buff *skb, struct __sk_buff *__skb) 541 { 542 struct qdisc_skb_cb *cb = (struct qdisc_skb_cb *)skb->cb; 543 544 if (!__skb) 545 return; 546 547 __skb->mark = skb->mark; 548 __skb->priority = skb->priority; 549 __skb->ifindex = skb->dev->ifindex; 550 __skb->tstamp = skb->tstamp; 551 memcpy(__skb->cb, &cb->data, QDISC_CB_PRIV_LEN); 552 __skb->wire_len = cb->pkt_len; 553 __skb->gso_segs = skb_shinfo(skb)->gso_segs; 554 } 555 556 static struct proto bpf_dummy_proto = { 557 .name = "bpf_dummy", 558 .owner = THIS_MODULE, 559 .obj_size = sizeof(struct sock), 560 }; 561 bpf_prog_test_run_skb(struct bpf_prog * prog,const union bpf_attr * kattr,union bpf_attr __user * uattr)562 int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr, 563 union bpf_attr __user *uattr) 564 { 565 bool is_l2 = false, is_direct_pkt_access = false; 566 struct net *net = current->nsproxy->net_ns; 567 struct net_device *dev = net->loopback_dev; 568 u32 size = kattr->test.data_size_in; 569 u32 repeat = kattr->test.repeat; 570 struct __sk_buff *ctx = NULL; 571 u32 retval, duration; 572 int hh_len = ETH_HLEN; 573 struct sk_buff *skb; 574 struct sock *sk; 575 void *data; 576 int ret; 577 578 if (kattr->test.flags || kattr->test.cpu) 579 return -EINVAL; 580 581 data = bpf_test_init(kattr, size, NET_SKB_PAD + NET_IP_ALIGN, 582 SKB_DATA_ALIGN(sizeof(struct skb_shared_info))); 583 if (IS_ERR(data)) 584 return PTR_ERR(data); 585 586 ctx = bpf_ctx_init(kattr, sizeof(struct __sk_buff)); 587 if (IS_ERR(ctx)) { 588 kfree(data); 589 return PTR_ERR(ctx); 590 } 591 592 switch (prog->type) { 593 case BPF_PROG_TYPE_SCHED_CLS: 594 case BPF_PROG_TYPE_SCHED_ACT: 595 is_l2 = true; 596 fallthrough; 597 case BPF_PROG_TYPE_LWT_IN: 598 case BPF_PROG_TYPE_LWT_OUT: 599 case BPF_PROG_TYPE_LWT_XMIT: 600 is_direct_pkt_access = true; 601 break; 602 default: 603 break; 604 } 605 606 sk = sk_alloc(net, AF_UNSPEC, GFP_USER, &bpf_dummy_proto, 1); 607 if (!sk) { 608 kfree(data); 609 kfree(ctx); 610 return -ENOMEM; 611 } 612 sock_init_data(NULL, sk); 613 614 skb = build_skb(data, 0); 615 if (!skb) { 616 kfree(data); 617 kfree(ctx); 618 sk_free(sk); 619 return -ENOMEM; 620 } 621 skb->sk = sk; 622 623 skb_reserve(skb, NET_SKB_PAD + NET_IP_ALIGN); 624 __skb_put(skb, size); 625 if (ctx && ctx->ifindex > 1) { 626 dev = dev_get_by_index(net, ctx->ifindex); 627 if (!dev) { 628 ret = -ENODEV; 629 goto out; 630 } 631 } 632 skb->protocol = eth_type_trans(skb, dev); 633 skb_reset_network_header(skb); 634 635 switch (skb->protocol) { 636 case htons(ETH_P_IP): 637 sk->sk_family = AF_INET; 638 if (sizeof(struct iphdr) <= skb_headlen(skb)) { 639 sk->sk_rcv_saddr = ip_hdr(skb)->saddr; 640 sk->sk_daddr = ip_hdr(skb)->daddr; 641 } 642 break; 643 #if IS_ENABLED(CONFIG_IPV6) 644 case htons(ETH_P_IPV6): 645 sk->sk_family = AF_INET6; 646 if (sizeof(struct ipv6hdr) <= skb_headlen(skb)) { 647 sk->sk_v6_rcv_saddr = ipv6_hdr(skb)->saddr; 648 sk->sk_v6_daddr = ipv6_hdr(skb)->daddr; 649 } 650 break; 651 #endif 652 default: 653 break; 654 } 655 656 if (is_l2) 657 __skb_push(skb, hh_len); 658 if (is_direct_pkt_access) 659 bpf_compute_data_pointers(skb); 660 ret = convert___skb_to_skb(skb, ctx); 661 if (ret) 662 goto out; 663 ret = bpf_test_run(prog, skb, repeat, &retval, &duration, false); 664 if (ret) 665 goto out; 666 if (!is_l2) { 667 if (skb_headroom(skb) < hh_len) { 668 int nhead = HH_DATA_ALIGN(hh_len - skb_headroom(skb)); 669 670 if (pskb_expand_head(skb, nhead, 0, GFP_USER)) { 671 ret = -ENOMEM; 672 goto out; 673 } 674 } 675 memset(__skb_push(skb, hh_len), 0, hh_len); 676 } 677 convert_skb_to___skb(skb, ctx); 678 679 size = skb->len; 680 /* bpf program can never convert linear skb to non-linear */ 681 if (WARN_ON_ONCE(skb_is_nonlinear(skb))) 682 size = skb_headlen(skb); 683 ret = bpf_test_finish(kattr, uattr, skb->data, size, retval, duration); 684 if (!ret) 685 ret = bpf_ctx_finish(kattr, uattr, ctx, 686 sizeof(struct __sk_buff)); 687 out: 688 if (dev && dev != net->loopback_dev) 689 dev_put(dev); 690 kfree_skb(skb); 691 sk_free(sk); 692 kfree(ctx); 693 return ret; 694 } 695 xdp_convert_md_to_buff(struct xdp_md * xdp_md,struct xdp_buff * xdp)696 static int xdp_convert_md_to_buff(struct xdp_md *xdp_md, struct xdp_buff *xdp) 697 { 698 unsigned int ingress_ifindex, rx_queue_index; 699 struct netdev_rx_queue *rxqueue; 700 struct net_device *device; 701 702 if (!xdp_md) 703 return 0; 704 705 if (xdp_md->egress_ifindex != 0) 706 return -EINVAL; 707 708 ingress_ifindex = xdp_md->ingress_ifindex; 709 rx_queue_index = xdp_md->rx_queue_index; 710 711 if (!ingress_ifindex && rx_queue_index) 712 return -EINVAL; 713 714 if (ingress_ifindex) { 715 device = dev_get_by_index(current->nsproxy->net_ns, 716 ingress_ifindex); 717 if (!device) 718 return -ENODEV; 719 720 if (rx_queue_index >= device->real_num_rx_queues) 721 goto free_dev; 722 723 rxqueue = __netif_get_rx_queue(device, rx_queue_index); 724 725 if (!xdp_rxq_info_is_reg(&rxqueue->xdp_rxq)) 726 goto free_dev; 727 728 xdp->rxq = &rxqueue->xdp_rxq; 729 /* The device is now tracked in the xdp->rxq for later 730 * dev_put() 731 */ 732 } 733 734 xdp->data = xdp->data_meta + xdp_md->data; 735 return 0; 736 737 free_dev: 738 dev_put(device); 739 return -EINVAL; 740 } 741 xdp_convert_buff_to_md(struct xdp_buff * xdp,struct xdp_md * xdp_md)742 static void xdp_convert_buff_to_md(struct xdp_buff *xdp, struct xdp_md *xdp_md) 743 { 744 if (!xdp_md) 745 return; 746 747 xdp_md->data = xdp->data - xdp->data_meta; 748 xdp_md->data_end = xdp->data_end - xdp->data_meta; 749 750 if (xdp_md->ingress_ifindex) 751 dev_put(xdp->rxq->dev); 752 } 753 bpf_prog_test_run_xdp(struct bpf_prog * prog,const union bpf_attr * kattr,union bpf_attr __user * uattr)754 int bpf_prog_test_run_xdp(struct bpf_prog *prog, const union bpf_attr *kattr, 755 union bpf_attr __user *uattr) 756 { 757 u32 tailroom = SKB_DATA_ALIGN(sizeof(struct skb_shared_info)); 758 u32 headroom = XDP_PACKET_HEADROOM; 759 u32 size = kattr->test.data_size_in; 760 u32 repeat = kattr->test.repeat; 761 struct netdev_rx_queue *rxqueue; 762 struct xdp_buff xdp = {}; 763 u32 retval, duration; 764 struct xdp_md *ctx; 765 u32 max_data_sz; 766 void *data; 767 int ret = -EINVAL; 768 769 if (prog->expected_attach_type == BPF_XDP_DEVMAP || 770 prog->expected_attach_type == BPF_XDP_CPUMAP) 771 return -EINVAL; 772 773 ctx = bpf_ctx_init(kattr, sizeof(struct xdp_md)); 774 if (IS_ERR(ctx)) 775 return PTR_ERR(ctx); 776 777 if (ctx) { 778 /* There can't be user provided data before the meta data */ 779 if (ctx->data_meta || ctx->data_end != size || 780 ctx->data > ctx->data_end || 781 unlikely(xdp_metalen_invalid(ctx->data))) 782 goto free_ctx; 783 /* Meta data is allocated from the headroom */ 784 headroom -= ctx->data; 785 } 786 787 /* XDP have extra tailroom as (most) drivers use full page */ 788 max_data_sz = 4096 - headroom - tailroom; 789 790 data = bpf_test_init(kattr, max_data_sz, headroom, tailroom); 791 if (IS_ERR(data)) { 792 ret = PTR_ERR(data); 793 goto free_ctx; 794 } 795 796 rxqueue = __netif_get_rx_queue(current->nsproxy->net_ns->loopback_dev, 0); 797 xdp_init_buff(&xdp, headroom + max_data_sz + tailroom, 798 &rxqueue->xdp_rxq); 799 xdp_prepare_buff(&xdp, data, headroom, size, true); 800 801 ret = xdp_convert_md_to_buff(ctx, &xdp); 802 if (ret) 803 goto free_data; 804 805 bpf_prog_change_xdp(NULL, prog); 806 ret = bpf_test_run(prog, &xdp, repeat, &retval, &duration, true); 807 /* We convert the xdp_buff back to an xdp_md before checking the return 808 * code so the reference count of any held netdevice will be decremented 809 * even if the test run failed. 810 */ 811 xdp_convert_buff_to_md(&xdp, ctx); 812 if (ret) 813 goto out; 814 815 if (xdp.data_meta != data + headroom || 816 xdp.data_end != xdp.data_meta + size) 817 size = xdp.data_end - xdp.data_meta; 818 819 ret = bpf_test_finish(kattr, uattr, xdp.data_meta, size, retval, 820 duration); 821 if (!ret) 822 ret = bpf_ctx_finish(kattr, uattr, ctx, 823 sizeof(struct xdp_md)); 824 825 out: 826 bpf_prog_change_xdp(prog, NULL); 827 free_data: 828 kfree(data); 829 free_ctx: 830 kfree(ctx); 831 return ret; 832 } 833 verify_user_bpf_flow_keys(struct bpf_flow_keys * ctx)834 static int verify_user_bpf_flow_keys(struct bpf_flow_keys *ctx) 835 { 836 /* make sure the fields we don't use are zeroed */ 837 if (!range_is_zero(ctx, 0, offsetof(struct bpf_flow_keys, flags))) 838 return -EINVAL; 839 840 /* flags is allowed */ 841 842 if (!range_is_zero(ctx, offsetofend(struct bpf_flow_keys, flags), 843 sizeof(struct bpf_flow_keys))) 844 return -EINVAL; 845 846 return 0; 847 } 848 bpf_prog_test_run_flow_dissector(struct bpf_prog * prog,const union bpf_attr * kattr,union bpf_attr __user * uattr)849 int bpf_prog_test_run_flow_dissector(struct bpf_prog *prog, 850 const union bpf_attr *kattr, 851 union bpf_attr __user *uattr) 852 { 853 struct bpf_test_timer t = { NO_PREEMPT }; 854 u32 size = kattr->test.data_size_in; 855 struct bpf_flow_dissector ctx = {}; 856 u32 repeat = kattr->test.repeat; 857 struct bpf_flow_keys *user_ctx; 858 struct bpf_flow_keys flow_keys; 859 const struct ethhdr *eth; 860 unsigned int flags = 0; 861 u32 retval, duration; 862 void *data; 863 int ret; 864 865 if (prog->type != BPF_PROG_TYPE_FLOW_DISSECTOR) 866 return -EINVAL; 867 868 if (kattr->test.flags || kattr->test.cpu) 869 return -EINVAL; 870 871 if (size < ETH_HLEN) 872 return -EINVAL; 873 874 data = bpf_test_init(kattr, size, 0, 0); 875 if (IS_ERR(data)) 876 return PTR_ERR(data); 877 878 eth = (struct ethhdr *)data; 879 880 if (!repeat) 881 repeat = 1; 882 883 user_ctx = bpf_ctx_init(kattr, sizeof(struct bpf_flow_keys)); 884 if (IS_ERR(user_ctx)) { 885 kfree(data); 886 return PTR_ERR(user_ctx); 887 } 888 if (user_ctx) { 889 ret = verify_user_bpf_flow_keys(user_ctx); 890 if (ret) 891 goto out; 892 flags = user_ctx->flags; 893 } 894 895 ctx.flow_keys = &flow_keys; 896 ctx.data = data; 897 ctx.data_end = (__u8 *)data + size; 898 899 bpf_test_timer_enter(&t); 900 do { 901 retval = bpf_flow_dissect(prog, &ctx, eth->h_proto, ETH_HLEN, 902 size, flags); 903 } while (bpf_test_timer_continue(&t, repeat, &ret, &duration)); 904 bpf_test_timer_leave(&t); 905 906 if (ret < 0) 907 goto out; 908 909 ret = bpf_test_finish(kattr, uattr, &flow_keys, sizeof(flow_keys), 910 retval, duration); 911 if (!ret) 912 ret = bpf_ctx_finish(kattr, uattr, user_ctx, 913 sizeof(struct bpf_flow_keys)); 914 915 out: 916 kfree(user_ctx); 917 kfree(data); 918 return ret; 919 } 920 bpf_prog_test_run_sk_lookup(struct bpf_prog * prog,const union bpf_attr * kattr,union bpf_attr __user * uattr)921 int bpf_prog_test_run_sk_lookup(struct bpf_prog *prog, const union bpf_attr *kattr, 922 union bpf_attr __user *uattr) 923 { 924 struct bpf_test_timer t = { NO_PREEMPT }; 925 struct bpf_prog_array *progs = NULL; 926 struct bpf_sk_lookup_kern ctx = {}; 927 u32 repeat = kattr->test.repeat; 928 struct bpf_sk_lookup *user_ctx; 929 u32 retval, duration; 930 int ret = -EINVAL; 931 932 if (prog->type != BPF_PROG_TYPE_SK_LOOKUP) 933 return -EINVAL; 934 935 if (kattr->test.flags || kattr->test.cpu) 936 return -EINVAL; 937 938 if (kattr->test.data_in || kattr->test.data_size_in || kattr->test.data_out || 939 kattr->test.data_size_out) 940 return -EINVAL; 941 942 if (!repeat) 943 repeat = 1; 944 945 user_ctx = bpf_ctx_init(kattr, sizeof(*user_ctx)); 946 if (IS_ERR(user_ctx)) 947 return PTR_ERR(user_ctx); 948 949 if (!user_ctx) 950 return -EINVAL; 951 952 if (user_ctx->sk) 953 goto out; 954 955 if (!range_is_zero(user_ctx, offsetofend(typeof(*user_ctx), local_port), sizeof(*user_ctx))) 956 goto out; 957 958 if (user_ctx->local_port > U16_MAX) { 959 ret = -ERANGE; 960 goto out; 961 } 962 963 ctx.family = (u16)user_ctx->family; 964 ctx.protocol = (u16)user_ctx->protocol; 965 ctx.dport = (u16)user_ctx->local_port; 966 ctx.sport = user_ctx->remote_port; 967 968 switch (ctx.family) { 969 case AF_INET: 970 ctx.v4.daddr = (__force __be32)user_ctx->local_ip4; 971 ctx.v4.saddr = (__force __be32)user_ctx->remote_ip4; 972 break; 973 974 #if IS_ENABLED(CONFIG_IPV6) 975 case AF_INET6: 976 ctx.v6.daddr = (struct in6_addr *)user_ctx->local_ip6; 977 ctx.v6.saddr = (struct in6_addr *)user_ctx->remote_ip6; 978 break; 979 #endif 980 981 default: 982 ret = -EAFNOSUPPORT; 983 goto out; 984 } 985 986 progs = bpf_prog_array_alloc(1, GFP_KERNEL); 987 if (!progs) { 988 ret = -ENOMEM; 989 goto out; 990 } 991 992 progs->items[0].prog = prog; 993 994 bpf_test_timer_enter(&t); 995 do { 996 ctx.selected_sk = NULL; 997 retval = BPF_PROG_SK_LOOKUP_RUN_ARRAY(progs, ctx, bpf_prog_run); 998 } while (bpf_test_timer_continue(&t, repeat, &ret, &duration)); 999 bpf_test_timer_leave(&t); 1000 1001 if (ret < 0) 1002 goto out; 1003 1004 user_ctx->cookie = 0; 1005 if (ctx.selected_sk) { 1006 if (ctx.selected_sk->sk_reuseport && !ctx.no_reuseport) { 1007 ret = -EOPNOTSUPP; 1008 goto out; 1009 } 1010 1011 user_ctx->cookie = sock_gen_cookie(ctx.selected_sk); 1012 } 1013 1014 ret = bpf_test_finish(kattr, uattr, NULL, 0, retval, duration); 1015 if (!ret) 1016 ret = bpf_ctx_finish(kattr, uattr, user_ctx, sizeof(*user_ctx)); 1017 1018 out: 1019 bpf_prog_array_free(progs); 1020 kfree(user_ctx); 1021 return ret; 1022 } 1023 bpf_prog_test_run_syscall(struct bpf_prog * prog,const union bpf_attr * kattr,union bpf_attr __user * uattr)1024 int bpf_prog_test_run_syscall(struct bpf_prog *prog, 1025 const union bpf_attr *kattr, 1026 union bpf_attr __user *uattr) 1027 { 1028 void __user *ctx_in = u64_to_user_ptr(kattr->test.ctx_in); 1029 __u32 ctx_size_in = kattr->test.ctx_size_in; 1030 void *ctx = NULL; 1031 u32 retval; 1032 int err = 0; 1033 1034 /* doesn't support data_in/out, ctx_out, duration, or repeat or flags */ 1035 if (kattr->test.data_in || kattr->test.data_out || 1036 kattr->test.ctx_out || kattr->test.duration || 1037 kattr->test.repeat || kattr->test.flags) 1038 return -EINVAL; 1039 1040 if (ctx_size_in < prog->aux->max_ctx_offset || 1041 ctx_size_in > U16_MAX) 1042 return -EINVAL; 1043 1044 if (ctx_size_in) { 1045 ctx = kzalloc(ctx_size_in, GFP_USER); 1046 if (!ctx) 1047 return -ENOMEM; 1048 if (copy_from_user(ctx, ctx_in, ctx_size_in)) { 1049 err = -EFAULT; 1050 goto out; 1051 } 1052 } 1053 1054 rcu_read_lock_trace(); 1055 retval = bpf_prog_run_pin_on_cpu(prog, ctx); 1056 rcu_read_unlock_trace(); 1057 1058 if (copy_to_user(&uattr->test.retval, &retval, sizeof(u32))) { 1059 err = -EFAULT; 1060 goto out; 1061 } 1062 if (ctx_size_in) 1063 if (copy_to_user(ctx_in, ctx, ctx_size_in)) 1064 err = -EFAULT; 1065 out: 1066 kfree(ctx); 1067 return err; 1068 } 1069