mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-11-18 01:34:14 +08:00
cd7455f101
syzkaller managed to trigger the following crash: [...] BUG: unable to handle page fault for address: ffffc90001923030 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD aa551067 P4D aa551067 PUD aa552067 PMD a572b067 PTE 80000000a1173163 Oops: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 7982 Comm: syz-executor912 Not tainted 5.4.0-rc3+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:bpf_jit_binary_hdr include/linux/filter.h:787 [inline] RIP: 0010:bpf_get_prog_addr_region kernel/bpf/core.c:531 [inline] RIP: 0010:bpf_tree_comp kernel/bpf/core.c:600 [inline] RIP: 0010:__lt_find include/linux/rbtree_latch.h:115 [inline] RIP: 0010:latch_tree_find include/linux/rbtree_latch.h:208 [inline] RIP: 0010:bpf_prog_kallsyms_find kernel/bpf/core.c:674 [inline] RIP: 0010:is_bpf_text_address+0x184/0x3b0 kernel/bpf/core.c:709 [...] Call Trace: kernel_text_address kernel/extable.c:147 [inline] __kernel_text_address+0x9a/0x110 kernel/extable.c:102 unwind_get_return_address+0x4c/0x90 arch/x86/kernel/unwind_frame.c:19 arch_stack_walk+0x98/0xe0 arch/x86/kernel/stacktrace.c:26 stack_trace_save+0xb6/0x150 kernel/stacktrace.c:123 save_stack mm/kasan/common.c:69 [inline] set_track mm/kasan/common.c:77 [inline] __kasan_kmalloc+0x11c/0x1b0 mm/kasan/common.c:510 kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:518 slab_post_alloc_hook mm/slab.h:584 [inline] slab_alloc mm/slab.c:3319 [inline] kmem_cache_alloc+0x1f5/0x2e0 mm/slab.c:3483 getname_flags+0xba/0x640 fs/namei.c:138 getname+0x19/0x20 fs/namei.c:209 do_sys_open+0x261/0x560 fs/open.c:1091 __do_sys_open fs/open.c:1115 [inline] __se_sys_open fs/open.c:1110 [inline] __x64_sys_open+0x87/0x90 fs/open.c:1110 do_syscall_64+0xf7/0x1c0 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe [...] After further debugging it turns out that we walk kallsyms while in parallel we tear down a BPF program which contains subprograms that have been JITed though the program itself has not been fully exposed and is eventually bailing out with error. The bpf_prog_kallsyms_del_subprogs() in bpf_prog_load()'s error path removes the symbols, however, bpf_prog_free() tears down the JIT memory too early via scheduled work. Instead, it needs to properly respect RCU grace period as the kallsyms walk for BPF is under RCU. Fix it by refactoring __bpf_prog_put()'s tear down and reuse it in our error path where we defer final destruction when we have subprogs in the program. Fixes:7d1982b4e3
("bpf: fix panic in prog load calls cleanup") Fixes:1c2a088a66
("bpf: x64: add JIT support for multi-function programs") Reported-by: syzbot+710043c5d1d5b5013bc7@syzkaller.appspotmail.com Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Tested-by: syzbot+710043c5d1d5b5013bc7@syzkaller.appspotmail.com Link: https://lore.kernel.org/bpf/55f6367324c2d7e9583fa9ccf5385dcbba0d7a6e.1571752452.git.daniel@iogearbox.net
2117 lines
54 KiB
C
2117 lines
54 KiB
C
// SPDX-License-Identifier: GPL-2.0-or-later
|
|
/*
|
|
* Linux Socket Filter - Kernel level socket filtering
|
|
*
|
|
* Based on the design of the Berkeley Packet Filter. The new
|
|
* internal format has been designed by PLUMgrid:
|
|
*
|
|
* Copyright (c) 2011 - 2014 PLUMgrid, http://plumgrid.com
|
|
*
|
|
* Authors:
|
|
*
|
|
* Jay Schulist <jschlst@samba.org>
|
|
* Alexei Starovoitov <ast@plumgrid.com>
|
|
* Daniel Borkmann <dborkman@redhat.com>
|
|
*
|
|
* Andi Kleen - Fix a few bad bugs and races.
|
|
* Kris Katterjohn - Added many additional checks in bpf_check_classic()
|
|
*/
|
|
|
|
#include <uapi/linux/btf.h>
|
|
#include <linux/filter.h>
|
|
#include <linux/skbuff.h>
|
|
#include <linux/vmalloc.h>
|
|
#include <linux/random.h>
|
|
#include <linux/moduleloader.h>
|
|
#include <linux/bpf.h>
|
|
#include <linux/btf.h>
|
|
#include <linux/frame.h>
|
|
#include <linux/rbtree_latch.h>
|
|
#include <linux/kallsyms.h>
|
|
#include <linux/rcupdate.h>
|
|
#include <linux/perf_event.h>
|
|
|
|
#include <asm/unaligned.h>
|
|
|
|
/* Registers */
|
|
#define BPF_R0 regs[BPF_REG_0]
|
|
#define BPF_R1 regs[BPF_REG_1]
|
|
#define BPF_R2 regs[BPF_REG_2]
|
|
#define BPF_R3 regs[BPF_REG_3]
|
|
#define BPF_R4 regs[BPF_REG_4]
|
|
#define BPF_R5 regs[BPF_REG_5]
|
|
#define BPF_R6 regs[BPF_REG_6]
|
|
#define BPF_R7 regs[BPF_REG_7]
|
|
#define BPF_R8 regs[BPF_REG_8]
|
|
#define BPF_R9 regs[BPF_REG_9]
|
|
#define BPF_R10 regs[BPF_REG_10]
|
|
|
|
/* Named registers */
|
|
#define DST regs[insn->dst_reg]
|
|
#define SRC regs[insn->src_reg]
|
|
#define FP regs[BPF_REG_FP]
|
|
#define AX regs[BPF_REG_AX]
|
|
#define ARG1 regs[BPF_REG_ARG1]
|
|
#define CTX regs[BPF_REG_CTX]
|
|
#define IMM insn->imm
|
|
|
|
/* No hurry in this branch
|
|
*
|
|
* Exported for the bpf jit load helper.
|
|
*/
|
|
void *bpf_internal_load_pointer_neg_helper(const struct sk_buff *skb, int k, unsigned int size)
|
|
{
|
|
u8 *ptr = NULL;
|
|
|
|
if (k >= SKF_NET_OFF)
|
|
ptr = skb_network_header(skb) + k - SKF_NET_OFF;
|
|
else if (k >= SKF_LL_OFF)
|
|
ptr = skb_mac_header(skb) + k - SKF_LL_OFF;
|
|
|
|
if (ptr >= skb->head && ptr + size <= skb_tail_pointer(skb))
|
|
return ptr;
|
|
|
|
return NULL;
|
|
}
|
|
|
|
struct bpf_prog *bpf_prog_alloc_no_stats(unsigned int size, gfp_t gfp_extra_flags)
|
|
{
|
|
gfp_t gfp_flags = GFP_KERNEL | __GFP_ZERO | gfp_extra_flags;
|
|
struct bpf_prog_aux *aux;
|
|
struct bpf_prog *fp;
|
|
|
|
size = round_up(size, PAGE_SIZE);
|
|
fp = __vmalloc(size, gfp_flags, PAGE_KERNEL);
|
|
if (fp == NULL)
|
|
return NULL;
|
|
|
|
aux = kzalloc(sizeof(*aux), GFP_KERNEL | gfp_extra_flags);
|
|
if (aux == NULL) {
|
|
vfree(fp);
|
|
return NULL;
|
|
}
|
|
|
|
fp->pages = size / PAGE_SIZE;
|
|
fp->aux = aux;
|
|
fp->aux->prog = fp;
|
|
fp->jit_requested = ebpf_jit_enabled();
|
|
|
|
INIT_LIST_HEAD_RCU(&fp->aux->ksym_lnode);
|
|
|
|
return fp;
|
|
}
|
|
|
|
struct bpf_prog *bpf_prog_alloc(unsigned int size, gfp_t gfp_extra_flags)
|
|
{
|
|
gfp_t gfp_flags = GFP_KERNEL | __GFP_ZERO | gfp_extra_flags;
|
|
struct bpf_prog *prog;
|
|
int cpu;
|
|
|
|
prog = bpf_prog_alloc_no_stats(size, gfp_extra_flags);
|
|
if (!prog)
|
|
return NULL;
|
|
|
|
prog->aux->stats = alloc_percpu_gfp(struct bpf_prog_stats, gfp_flags);
|
|
if (!prog->aux->stats) {
|
|
kfree(prog->aux);
|
|
vfree(prog);
|
|
return NULL;
|
|
}
|
|
|
|
for_each_possible_cpu(cpu) {
|
|
struct bpf_prog_stats *pstats;
|
|
|
|
pstats = per_cpu_ptr(prog->aux->stats, cpu);
|
|
u64_stats_init(&pstats->syncp);
|
|
}
|
|
return prog;
|
|
}
|
|
EXPORT_SYMBOL_GPL(bpf_prog_alloc);
|
|
|
|
int bpf_prog_alloc_jited_linfo(struct bpf_prog *prog)
|
|
{
|
|
if (!prog->aux->nr_linfo || !prog->jit_requested)
|
|
return 0;
|
|
|
|
prog->aux->jited_linfo = kcalloc(prog->aux->nr_linfo,
|
|
sizeof(*prog->aux->jited_linfo),
|
|
GFP_KERNEL | __GFP_NOWARN);
|
|
if (!prog->aux->jited_linfo)
|
|
return -ENOMEM;
|
|
|
|
return 0;
|
|
}
|
|
|
|
void bpf_prog_free_jited_linfo(struct bpf_prog *prog)
|
|
{
|
|
kfree(prog->aux->jited_linfo);
|
|
prog->aux->jited_linfo = NULL;
|
|
}
|
|
|
|
void bpf_prog_free_unused_jited_linfo(struct bpf_prog *prog)
|
|
{
|
|
if (prog->aux->jited_linfo && !prog->aux->jited_linfo[0])
|
|
bpf_prog_free_jited_linfo(prog);
|
|
}
|
|
|
|
/* The jit engine is responsible to provide an array
|
|
* for insn_off to the jited_off mapping (insn_to_jit_off).
|
|
*
|
|
* The idx to this array is the insn_off. Hence, the insn_off
|
|
* here is relative to the prog itself instead of the main prog.
|
|
* This array has one entry for each xlated bpf insn.
|
|
*
|
|
* jited_off is the byte off to the last byte of the jited insn.
|
|
*
|
|
* Hence, with
|
|
* insn_start:
|
|
* The first bpf insn off of the prog. The insn off
|
|
* here is relative to the main prog.
|
|
* e.g. if prog is a subprog, insn_start > 0
|
|
* linfo_idx:
|
|
* The prog's idx to prog->aux->linfo and jited_linfo
|
|
*
|
|
* jited_linfo[linfo_idx] = prog->bpf_func
|
|
*
|
|
* For i > linfo_idx,
|
|
*
|
|
* jited_linfo[i] = prog->bpf_func +
|
|
* insn_to_jit_off[linfo[i].insn_off - insn_start - 1]
|
|
*/
|
|
void bpf_prog_fill_jited_linfo(struct bpf_prog *prog,
|
|
const u32 *insn_to_jit_off)
|
|
{
|
|
u32 linfo_idx, insn_start, insn_end, nr_linfo, i;
|
|
const struct bpf_line_info *linfo;
|
|
void **jited_linfo;
|
|
|
|
if (!prog->aux->jited_linfo)
|
|
/* Userspace did not provide linfo */
|
|
return;
|
|
|
|
linfo_idx = prog->aux->linfo_idx;
|
|
linfo = &prog->aux->linfo[linfo_idx];
|
|
insn_start = linfo[0].insn_off;
|
|
insn_end = insn_start + prog->len;
|
|
|
|
jited_linfo = &prog->aux->jited_linfo[linfo_idx];
|
|
jited_linfo[0] = prog->bpf_func;
|
|
|
|
nr_linfo = prog->aux->nr_linfo - linfo_idx;
|
|
|
|
for (i = 1; i < nr_linfo && linfo[i].insn_off < insn_end; i++)
|
|
/* The verifier ensures that linfo[i].insn_off is
|
|
* strictly increasing
|
|
*/
|
|
jited_linfo[i] = prog->bpf_func +
|
|
insn_to_jit_off[linfo[i].insn_off - insn_start - 1];
|
|
}
|
|
|
|
void bpf_prog_free_linfo(struct bpf_prog *prog)
|
|
{
|
|
bpf_prog_free_jited_linfo(prog);
|
|
kvfree(prog->aux->linfo);
|
|
}
|
|
|
|
struct bpf_prog *bpf_prog_realloc(struct bpf_prog *fp_old, unsigned int size,
|
|
gfp_t gfp_extra_flags)
|
|
{
|
|
gfp_t gfp_flags = GFP_KERNEL | __GFP_ZERO | gfp_extra_flags;
|
|
struct bpf_prog *fp;
|
|
u32 pages, delta;
|
|
int ret;
|
|
|
|
BUG_ON(fp_old == NULL);
|
|
|
|
size = round_up(size, PAGE_SIZE);
|
|
pages = size / PAGE_SIZE;
|
|
if (pages <= fp_old->pages)
|
|
return fp_old;
|
|
|
|
delta = pages - fp_old->pages;
|
|
ret = __bpf_prog_charge(fp_old->aux->user, delta);
|
|
if (ret)
|
|
return NULL;
|
|
|
|
fp = __vmalloc(size, gfp_flags, PAGE_KERNEL);
|
|
if (fp == NULL) {
|
|
__bpf_prog_uncharge(fp_old->aux->user, delta);
|
|
} else {
|
|
memcpy(fp, fp_old, fp_old->pages * PAGE_SIZE);
|
|
fp->pages = pages;
|
|
fp->aux->prog = fp;
|
|
|
|
/* We keep fp->aux from fp_old around in the new
|
|
* reallocated structure.
|
|
*/
|
|
fp_old->aux = NULL;
|
|
__bpf_prog_free(fp_old);
|
|
}
|
|
|
|
return fp;
|
|
}
|
|
|
|
void __bpf_prog_free(struct bpf_prog *fp)
|
|
{
|
|
if (fp->aux) {
|
|
free_percpu(fp->aux->stats);
|
|
kfree(fp->aux);
|
|
}
|
|
vfree(fp);
|
|
}
|
|
|
|
int bpf_prog_calc_tag(struct bpf_prog *fp)
|
|
{
|
|
const u32 bits_offset = SHA_MESSAGE_BYTES - sizeof(__be64);
|
|
u32 raw_size = bpf_prog_tag_scratch_size(fp);
|
|
u32 digest[SHA_DIGEST_WORDS];
|
|
u32 ws[SHA_WORKSPACE_WORDS];
|
|
u32 i, bsize, psize, blocks;
|
|
struct bpf_insn *dst;
|
|
bool was_ld_map;
|
|
u8 *raw, *todo;
|
|
__be32 *result;
|
|
__be64 *bits;
|
|
|
|
raw = vmalloc(raw_size);
|
|
if (!raw)
|
|
return -ENOMEM;
|
|
|
|
sha_init(digest);
|
|
memset(ws, 0, sizeof(ws));
|
|
|
|
/* We need to take out the map fd for the digest calculation
|
|
* since they are unstable from user space side.
|
|
*/
|
|
dst = (void *)raw;
|
|
for (i = 0, was_ld_map = false; i < fp->len; i++) {
|
|
dst[i] = fp->insnsi[i];
|
|
if (!was_ld_map &&
|
|
dst[i].code == (BPF_LD | BPF_IMM | BPF_DW) &&
|
|
(dst[i].src_reg == BPF_PSEUDO_MAP_FD ||
|
|
dst[i].src_reg == BPF_PSEUDO_MAP_VALUE)) {
|
|
was_ld_map = true;
|
|
dst[i].imm = 0;
|
|
} else if (was_ld_map &&
|
|
dst[i].code == 0 &&
|
|
dst[i].dst_reg == 0 &&
|
|
dst[i].src_reg == 0 &&
|
|
dst[i].off == 0) {
|
|
was_ld_map = false;
|
|
dst[i].imm = 0;
|
|
} else {
|
|
was_ld_map = false;
|
|
}
|
|
}
|
|
|
|
psize = bpf_prog_insn_size(fp);
|
|
memset(&raw[psize], 0, raw_size - psize);
|
|
raw[psize++] = 0x80;
|
|
|
|
bsize = round_up(psize, SHA_MESSAGE_BYTES);
|
|
blocks = bsize / SHA_MESSAGE_BYTES;
|
|
todo = raw;
|
|
if (bsize - psize >= sizeof(__be64)) {
|
|
bits = (__be64 *)(todo + bsize - sizeof(__be64));
|
|
} else {
|
|
bits = (__be64 *)(todo + bsize + bits_offset);
|
|
blocks++;
|
|
}
|
|
*bits = cpu_to_be64((psize - 1) << 3);
|
|
|
|
while (blocks--) {
|
|
sha_transform(digest, todo, ws);
|
|
todo += SHA_MESSAGE_BYTES;
|
|
}
|
|
|
|
result = (__force __be32 *)digest;
|
|
for (i = 0; i < SHA_DIGEST_WORDS; i++)
|
|
result[i] = cpu_to_be32(digest[i]);
|
|
memcpy(fp->tag, result, sizeof(fp->tag));
|
|
|
|
vfree(raw);
|
|
return 0;
|
|
}
|
|
|
|
static int bpf_adj_delta_to_imm(struct bpf_insn *insn, u32 pos, s32 end_old,
|
|
s32 end_new, s32 curr, const bool probe_pass)
|
|
{
|
|
const s64 imm_min = S32_MIN, imm_max = S32_MAX;
|
|
s32 delta = end_new - end_old;
|
|
s64 imm = insn->imm;
|
|
|
|
if (curr < pos && curr + imm + 1 >= end_old)
|
|
imm += delta;
|
|
else if (curr >= end_new && curr + imm + 1 < end_new)
|
|
imm -= delta;
|
|
if (imm < imm_min || imm > imm_max)
|
|
return -ERANGE;
|
|
if (!probe_pass)
|
|
insn->imm = imm;
|
|
return 0;
|
|
}
|
|
|
|
static int bpf_adj_delta_to_off(struct bpf_insn *insn, u32 pos, s32 end_old,
|
|
s32 end_new, s32 curr, const bool probe_pass)
|
|
{
|
|
const s32 off_min = S16_MIN, off_max = S16_MAX;
|
|
s32 delta = end_new - end_old;
|
|
s32 off = insn->off;
|
|
|
|
if (curr < pos && curr + off + 1 >= end_old)
|
|
off += delta;
|
|
else if (curr >= end_new && curr + off + 1 < end_new)
|
|
off -= delta;
|
|
if (off < off_min || off > off_max)
|
|
return -ERANGE;
|
|
if (!probe_pass)
|
|
insn->off = off;
|
|
return 0;
|
|
}
|
|
|
|
static int bpf_adj_branches(struct bpf_prog *prog, u32 pos, s32 end_old,
|
|
s32 end_new, const bool probe_pass)
|
|
{
|
|
u32 i, insn_cnt = prog->len + (probe_pass ? end_new - end_old : 0);
|
|
struct bpf_insn *insn = prog->insnsi;
|
|
int ret = 0;
|
|
|
|
for (i = 0; i < insn_cnt; i++, insn++) {
|
|
u8 code;
|
|
|
|
/* In the probing pass we still operate on the original,
|
|
* unpatched image in order to check overflows before we
|
|
* do any other adjustments. Therefore skip the patchlet.
|
|
*/
|
|
if (probe_pass && i == pos) {
|
|
i = end_new;
|
|
insn = prog->insnsi + end_old;
|
|
}
|
|
code = insn->code;
|
|
if ((BPF_CLASS(code) != BPF_JMP &&
|
|
BPF_CLASS(code) != BPF_JMP32) ||
|
|
BPF_OP(code) == BPF_EXIT)
|
|
continue;
|
|
/* Adjust offset of jmps if we cross patch boundaries. */
|
|
if (BPF_OP(code) == BPF_CALL) {
|
|
if (insn->src_reg != BPF_PSEUDO_CALL)
|
|
continue;
|
|
ret = bpf_adj_delta_to_imm(insn, pos, end_old,
|
|
end_new, i, probe_pass);
|
|
} else {
|
|
ret = bpf_adj_delta_to_off(insn, pos, end_old,
|
|
end_new, i, probe_pass);
|
|
}
|
|
if (ret)
|
|
break;
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
static void bpf_adj_linfo(struct bpf_prog *prog, u32 off, u32 delta)
|
|
{
|
|
struct bpf_line_info *linfo;
|
|
u32 i, nr_linfo;
|
|
|
|
nr_linfo = prog->aux->nr_linfo;
|
|
if (!nr_linfo || !delta)
|
|
return;
|
|
|
|
linfo = prog->aux->linfo;
|
|
|
|
for (i = 0; i < nr_linfo; i++)
|
|
if (off < linfo[i].insn_off)
|
|
break;
|
|
|
|
/* Push all off < linfo[i].insn_off by delta */
|
|
for (; i < nr_linfo; i++)
|
|
linfo[i].insn_off += delta;
|
|
}
|
|
|
|
struct bpf_prog *bpf_patch_insn_single(struct bpf_prog *prog, u32 off,
|
|
const struct bpf_insn *patch, u32 len)
|
|
{
|
|
u32 insn_adj_cnt, insn_rest, insn_delta = len - 1;
|
|
const u32 cnt_max = S16_MAX;
|
|
struct bpf_prog *prog_adj;
|
|
int err;
|
|
|
|
/* Since our patchlet doesn't expand the image, we're done. */
|
|
if (insn_delta == 0) {
|
|
memcpy(prog->insnsi + off, patch, sizeof(*patch));
|
|
return prog;
|
|
}
|
|
|
|
insn_adj_cnt = prog->len + insn_delta;
|
|
|
|
/* Reject anything that would potentially let the insn->off
|
|
* target overflow when we have excessive program expansions.
|
|
* We need to probe here before we do any reallocation where
|
|
* we afterwards may not fail anymore.
|
|
*/
|
|
if (insn_adj_cnt > cnt_max &&
|
|
(err = bpf_adj_branches(prog, off, off + 1, off + len, true)))
|
|
return ERR_PTR(err);
|
|
|
|
/* Several new instructions need to be inserted. Make room
|
|
* for them. Likely, there's no need for a new allocation as
|
|
* last page could have large enough tailroom.
|
|
*/
|
|
prog_adj = bpf_prog_realloc(prog, bpf_prog_size(insn_adj_cnt),
|
|
GFP_USER);
|
|
if (!prog_adj)
|
|
return ERR_PTR(-ENOMEM);
|
|
|
|
prog_adj->len = insn_adj_cnt;
|
|
|
|
/* Patching happens in 3 steps:
|
|
*
|
|
* 1) Move over tail of insnsi from next instruction onwards,
|
|
* so we can patch the single target insn with one or more
|
|
* new ones (patching is always from 1 to n insns, n > 0).
|
|
* 2) Inject new instructions at the target location.
|
|
* 3) Adjust branch offsets if necessary.
|
|
*/
|
|
insn_rest = insn_adj_cnt - off - len;
|
|
|
|
memmove(prog_adj->insnsi + off + len, prog_adj->insnsi + off + 1,
|
|
sizeof(*patch) * insn_rest);
|
|
memcpy(prog_adj->insnsi + off, patch, sizeof(*patch) * len);
|
|
|
|
/* We are guaranteed to not fail at this point, otherwise
|
|
* the ship has sailed to reverse to the original state. An
|
|
* overflow cannot happen at this point.
|
|
*/
|
|
BUG_ON(bpf_adj_branches(prog_adj, off, off + 1, off + len, false));
|
|
|
|
bpf_adj_linfo(prog_adj, off, insn_delta);
|
|
|
|
return prog_adj;
|
|
}
|
|
|
|
int bpf_remove_insns(struct bpf_prog *prog, u32 off, u32 cnt)
|
|
{
|
|
/* Branch offsets can't overflow when program is shrinking, no need
|
|
* to call bpf_adj_branches(..., true) here
|
|
*/
|
|
memmove(prog->insnsi + off, prog->insnsi + off + cnt,
|
|
sizeof(struct bpf_insn) * (prog->len - off - cnt));
|
|
prog->len -= cnt;
|
|
|
|
return WARN_ON_ONCE(bpf_adj_branches(prog, off, off + cnt, off, false));
|
|
}
|
|
|
|
static void bpf_prog_kallsyms_del_subprogs(struct bpf_prog *fp)
|
|
{
|
|
int i;
|
|
|
|
for (i = 0; i < fp->aux->func_cnt; i++)
|
|
bpf_prog_kallsyms_del(fp->aux->func[i]);
|
|
}
|
|
|
|
void bpf_prog_kallsyms_del_all(struct bpf_prog *fp)
|
|
{
|
|
bpf_prog_kallsyms_del_subprogs(fp);
|
|
bpf_prog_kallsyms_del(fp);
|
|
}
|
|
|
|
#ifdef CONFIG_BPF_JIT
|
|
/* All BPF JIT sysctl knobs here. */
|
|
int bpf_jit_enable __read_mostly = IS_BUILTIN(CONFIG_BPF_JIT_ALWAYS_ON);
|
|
int bpf_jit_harden __read_mostly;
|
|
int bpf_jit_kallsyms __read_mostly;
|
|
long bpf_jit_limit __read_mostly;
|
|
|
|
static __always_inline void
|
|
bpf_get_prog_addr_region(const struct bpf_prog *prog,
|
|
unsigned long *symbol_start,
|
|
unsigned long *symbol_end)
|
|
{
|
|
const struct bpf_binary_header *hdr = bpf_jit_binary_hdr(prog);
|
|
unsigned long addr = (unsigned long)hdr;
|
|
|
|
WARN_ON_ONCE(!bpf_prog_ebpf_jited(prog));
|
|
|
|
*symbol_start = addr;
|
|
*symbol_end = addr + hdr->pages * PAGE_SIZE;
|
|
}
|
|
|
|
void bpf_get_prog_name(const struct bpf_prog *prog, char *sym)
|
|
{
|
|
const char *end = sym + KSYM_NAME_LEN;
|
|
const struct btf_type *type;
|
|
const char *func_name;
|
|
|
|
BUILD_BUG_ON(sizeof("bpf_prog_") +
|
|
sizeof(prog->tag) * 2 +
|
|
/* name has been null terminated.
|
|
* We should need +1 for the '_' preceding
|
|
* the name. However, the null character
|
|
* is double counted between the name and the
|
|
* sizeof("bpf_prog_") above, so we omit
|
|
* the +1 here.
|
|
*/
|
|
sizeof(prog->aux->name) > KSYM_NAME_LEN);
|
|
|
|
sym += snprintf(sym, KSYM_NAME_LEN, "bpf_prog_");
|
|
sym = bin2hex(sym, prog->tag, sizeof(prog->tag));
|
|
|
|
/* prog->aux->name will be ignored if full btf name is available */
|
|
if (prog->aux->func_info_cnt) {
|
|
type = btf_type_by_id(prog->aux->btf,
|
|
prog->aux->func_info[prog->aux->func_idx].type_id);
|
|
func_name = btf_name_by_offset(prog->aux->btf, type->name_off);
|
|
snprintf(sym, (size_t)(end - sym), "_%s", func_name);
|
|
return;
|
|
}
|
|
|
|
if (prog->aux->name[0])
|
|
snprintf(sym, (size_t)(end - sym), "_%s", prog->aux->name);
|
|
else
|
|
*sym = 0;
|
|
}
|
|
|
|
static __always_inline unsigned long
|
|
bpf_get_prog_addr_start(struct latch_tree_node *n)
|
|
{
|
|
unsigned long symbol_start, symbol_end;
|
|
const struct bpf_prog_aux *aux;
|
|
|
|
aux = container_of(n, struct bpf_prog_aux, ksym_tnode);
|
|
bpf_get_prog_addr_region(aux->prog, &symbol_start, &symbol_end);
|
|
|
|
return symbol_start;
|
|
}
|
|
|
|
static __always_inline bool bpf_tree_less(struct latch_tree_node *a,
|
|
struct latch_tree_node *b)
|
|
{
|
|
return bpf_get_prog_addr_start(a) < bpf_get_prog_addr_start(b);
|
|
}
|
|
|
|
static __always_inline int bpf_tree_comp(void *key, struct latch_tree_node *n)
|
|
{
|
|
unsigned long val = (unsigned long)key;
|
|
unsigned long symbol_start, symbol_end;
|
|
const struct bpf_prog_aux *aux;
|
|
|
|
aux = container_of(n, struct bpf_prog_aux, ksym_tnode);
|
|
bpf_get_prog_addr_region(aux->prog, &symbol_start, &symbol_end);
|
|
|
|
if (val < symbol_start)
|
|
return -1;
|
|
if (val >= symbol_end)
|
|
return 1;
|
|
|
|
return 0;
|
|
}
|
|
|
|
static const struct latch_tree_ops bpf_tree_ops = {
|
|
.less = bpf_tree_less,
|
|
.comp = bpf_tree_comp,
|
|
};
|
|
|
|
static DEFINE_SPINLOCK(bpf_lock);
|
|
static LIST_HEAD(bpf_kallsyms);
|
|
static struct latch_tree_root bpf_tree __cacheline_aligned;
|
|
|
|
static void bpf_prog_ksym_node_add(struct bpf_prog_aux *aux)
|
|
{
|
|
WARN_ON_ONCE(!list_empty(&aux->ksym_lnode));
|
|
list_add_tail_rcu(&aux->ksym_lnode, &bpf_kallsyms);
|
|
latch_tree_insert(&aux->ksym_tnode, &bpf_tree, &bpf_tree_ops);
|
|
}
|
|
|
|
static void bpf_prog_ksym_node_del(struct bpf_prog_aux *aux)
|
|
{
|
|
if (list_empty(&aux->ksym_lnode))
|
|
return;
|
|
|
|
latch_tree_erase(&aux->ksym_tnode, &bpf_tree, &bpf_tree_ops);
|
|
list_del_rcu(&aux->ksym_lnode);
|
|
}
|
|
|
|
static bool bpf_prog_kallsyms_candidate(const struct bpf_prog *fp)
|
|
{
|
|
return fp->jited && !bpf_prog_was_classic(fp);
|
|
}
|
|
|
|
static bool bpf_prog_kallsyms_verify_off(const struct bpf_prog *fp)
|
|
{
|
|
return list_empty(&fp->aux->ksym_lnode) ||
|
|
fp->aux->ksym_lnode.prev == LIST_POISON2;
|
|
}
|
|
|
|
void bpf_prog_kallsyms_add(struct bpf_prog *fp)
|
|
{
|
|
if (!bpf_prog_kallsyms_candidate(fp) ||
|
|
!capable(CAP_SYS_ADMIN))
|
|
return;
|
|
|
|
spin_lock_bh(&bpf_lock);
|
|
bpf_prog_ksym_node_add(fp->aux);
|
|
spin_unlock_bh(&bpf_lock);
|
|
}
|
|
|
|
void bpf_prog_kallsyms_del(struct bpf_prog *fp)
|
|
{
|
|
if (!bpf_prog_kallsyms_candidate(fp))
|
|
return;
|
|
|
|
spin_lock_bh(&bpf_lock);
|
|
bpf_prog_ksym_node_del(fp->aux);
|
|
spin_unlock_bh(&bpf_lock);
|
|
}
|
|
|
|
static struct bpf_prog *bpf_prog_kallsyms_find(unsigned long addr)
|
|
{
|
|
struct latch_tree_node *n;
|
|
|
|
if (!bpf_jit_kallsyms_enabled())
|
|
return NULL;
|
|
|
|
n = latch_tree_find((void *)addr, &bpf_tree, &bpf_tree_ops);
|
|
return n ?
|
|
container_of(n, struct bpf_prog_aux, ksym_tnode)->prog :
|
|
NULL;
|
|
}
|
|
|
|
const char *__bpf_address_lookup(unsigned long addr, unsigned long *size,
|
|
unsigned long *off, char *sym)
|
|
{
|
|
unsigned long symbol_start, symbol_end;
|
|
struct bpf_prog *prog;
|
|
char *ret = NULL;
|
|
|
|
rcu_read_lock();
|
|
prog = bpf_prog_kallsyms_find(addr);
|
|
if (prog) {
|
|
bpf_get_prog_addr_region(prog, &symbol_start, &symbol_end);
|
|
bpf_get_prog_name(prog, sym);
|
|
|
|
ret = sym;
|
|
if (size)
|
|
*size = symbol_end - symbol_start;
|
|
if (off)
|
|
*off = addr - symbol_start;
|
|
}
|
|
rcu_read_unlock();
|
|
|
|
return ret;
|
|
}
|
|
|
|
bool is_bpf_text_address(unsigned long addr)
|
|
{
|
|
bool ret;
|
|
|
|
rcu_read_lock();
|
|
ret = bpf_prog_kallsyms_find(addr) != NULL;
|
|
rcu_read_unlock();
|
|
|
|
return ret;
|
|
}
|
|
|
|
int bpf_get_kallsym(unsigned int symnum, unsigned long *value, char *type,
|
|
char *sym)
|
|
{
|
|
struct bpf_prog_aux *aux;
|
|
unsigned int it = 0;
|
|
int ret = -ERANGE;
|
|
|
|
if (!bpf_jit_kallsyms_enabled())
|
|
return ret;
|
|
|
|
rcu_read_lock();
|
|
list_for_each_entry_rcu(aux, &bpf_kallsyms, ksym_lnode) {
|
|
if (it++ != symnum)
|
|
continue;
|
|
|
|
bpf_get_prog_name(aux->prog, sym);
|
|
|
|
*value = (unsigned long)aux->prog->bpf_func;
|
|
*type = BPF_SYM_ELF_TYPE;
|
|
|
|
ret = 0;
|
|
break;
|
|
}
|
|
rcu_read_unlock();
|
|
|
|
return ret;
|
|
}
|
|
|
|
static atomic_long_t bpf_jit_current;
|
|
|
|
/* Can be overridden by an arch's JIT compiler if it has a custom,
|
|
* dedicated BPF backend memory area, or if neither of the two
|
|
* below apply.
|
|
*/
|
|
u64 __weak bpf_jit_alloc_exec_limit(void)
|
|
{
|
|
#if defined(MODULES_VADDR)
|
|
return MODULES_END - MODULES_VADDR;
|
|
#else
|
|
return VMALLOC_END - VMALLOC_START;
|
|
#endif
|
|
}
|
|
|
|
static int __init bpf_jit_charge_init(void)
|
|
{
|
|
/* Only used as heuristic here to derive limit. */
|
|
bpf_jit_limit = min_t(u64, round_up(bpf_jit_alloc_exec_limit() >> 2,
|
|
PAGE_SIZE), LONG_MAX);
|
|
return 0;
|
|
}
|
|
pure_initcall(bpf_jit_charge_init);
|
|
|
|
static int bpf_jit_charge_modmem(u32 pages)
|
|
{
|
|
if (atomic_long_add_return(pages, &bpf_jit_current) >
|
|
(bpf_jit_limit >> PAGE_SHIFT)) {
|
|
if (!capable(CAP_SYS_ADMIN)) {
|
|
atomic_long_sub(pages, &bpf_jit_current);
|
|
return -EPERM;
|
|
}
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
static void bpf_jit_uncharge_modmem(u32 pages)
|
|
{
|
|
atomic_long_sub(pages, &bpf_jit_current);
|
|
}
|
|
|
|
void *__weak bpf_jit_alloc_exec(unsigned long size)
|
|
{
|
|
return module_alloc(size);
|
|
}
|
|
|
|
void __weak bpf_jit_free_exec(void *addr)
|
|
{
|
|
module_memfree(addr);
|
|
}
|
|
|
|
struct bpf_binary_header *
|
|
bpf_jit_binary_alloc(unsigned int proglen, u8 **image_ptr,
|
|
unsigned int alignment,
|
|
bpf_jit_fill_hole_t bpf_fill_ill_insns)
|
|
{
|
|
struct bpf_binary_header *hdr;
|
|
u32 size, hole, start, pages;
|
|
|
|
/* Most of BPF filters are really small, but if some of them
|
|
* fill a page, allow at least 128 extra bytes to insert a
|
|
* random section of illegal instructions.
|
|
*/
|
|
size = round_up(proglen + sizeof(*hdr) + 128, PAGE_SIZE);
|
|
pages = size / PAGE_SIZE;
|
|
|
|
if (bpf_jit_charge_modmem(pages))
|
|
return NULL;
|
|
hdr = bpf_jit_alloc_exec(size);
|
|
if (!hdr) {
|
|
bpf_jit_uncharge_modmem(pages);
|
|
return NULL;
|
|
}
|
|
|
|
/* Fill space with illegal/arch-dep instructions. */
|
|
bpf_fill_ill_insns(hdr, size);
|
|
|
|
hdr->pages = pages;
|
|
hole = min_t(unsigned int, size - (proglen + sizeof(*hdr)),
|
|
PAGE_SIZE - sizeof(*hdr));
|
|
start = (get_random_int() % hole) & ~(alignment - 1);
|
|
|
|
/* Leave a random number of instructions before BPF code. */
|
|
*image_ptr = &hdr->image[start];
|
|
|
|
return hdr;
|
|
}
|
|
|
|
void bpf_jit_binary_free(struct bpf_binary_header *hdr)
|
|
{
|
|
u32 pages = hdr->pages;
|
|
|
|
bpf_jit_free_exec(hdr);
|
|
bpf_jit_uncharge_modmem(pages);
|
|
}
|
|
|
|
/* This symbol is only overridden by archs that have different
|
|
* requirements than the usual eBPF JITs, f.e. when they only
|
|
* implement cBPF JIT, do not set images read-only, etc.
|
|
*/
|
|
void __weak bpf_jit_free(struct bpf_prog *fp)
|
|
{
|
|
if (fp->jited) {
|
|
struct bpf_binary_header *hdr = bpf_jit_binary_hdr(fp);
|
|
|
|
bpf_jit_binary_free(hdr);
|
|
|
|
WARN_ON_ONCE(!bpf_prog_kallsyms_verify_off(fp));
|
|
}
|
|
|
|
bpf_prog_unlock_free(fp);
|
|
}
|
|
|
|
int bpf_jit_get_func_addr(const struct bpf_prog *prog,
|
|
const struct bpf_insn *insn, bool extra_pass,
|
|
u64 *func_addr, bool *func_addr_fixed)
|
|
{
|
|
s16 off = insn->off;
|
|
s32 imm = insn->imm;
|
|
u8 *addr;
|
|
|
|
*func_addr_fixed = insn->src_reg != BPF_PSEUDO_CALL;
|
|
if (!*func_addr_fixed) {
|
|
/* Place-holder address till the last pass has collected
|
|
* all addresses for JITed subprograms in which case we
|
|
* can pick them up from prog->aux.
|
|
*/
|
|
if (!extra_pass)
|
|
addr = NULL;
|
|
else if (prog->aux->func &&
|
|
off >= 0 && off < prog->aux->func_cnt)
|
|
addr = (u8 *)prog->aux->func[off]->bpf_func;
|
|
else
|
|
return -EINVAL;
|
|
} else {
|
|
/* Address of a BPF helper call. Since part of the core
|
|
* kernel, it's always at a fixed location. __bpf_call_base
|
|
* and the helper with imm relative to it are both in core
|
|
* kernel.
|
|
*/
|
|
addr = (u8 *)__bpf_call_base + imm;
|
|
}
|
|
|
|
*func_addr = (unsigned long)addr;
|
|
return 0;
|
|
}
|
|
|
|
static int bpf_jit_blind_insn(const struct bpf_insn *from,
|
|
const struct bpf_insn *aux,
|
|
struct bpf_insn *to_buff,
|
|
bool emit_zext)
|
|
{
|
|
struct bpf_insn *to = to_buff;
|
|
u32 imm_rnd = get_random_int();
|
|
s16 off;
|
|
|
|
BUILD_BUG_ON(BPF_REG_AX + 1 != MAX_BPF_JIT_REG);
|
|
BUILD_BUG_ON(MAX_BPF_REG + 1 != MAX_BPF_JIT_REG);
|
|
|
|
/* Constraints on AX register:
|
|
*
|
|
* AX register is inaccessible from user space. It is mapped in
|
|
* all JITs, and used here for constant blinding rewrites. It is
|
|
* typically "stateless" meaning its contents are only valid within
|
|
* the executed instruction, but not across several instructions.
|
|
* There are a few exceptions however which are further detailed
|
|
* below.
|
|
*
|
|
* Constant blinding is only used by JITs, not in the interpreter.
|
|
* The interpreter uses AX in some occasions as a local temporary
|
|
* register e.g. in DIV or MOD instructions.
|
|
*
|
|
* In restricted circumstances, the verifier can also use the AX
|
|
* register for rewrites as long as they do not interfere with
|
|
* the above cases!
|
|
*/
|
|
if (from->dst_reg == BPF_REG_AX || from->src_reg == BPF_REG_AX)
|
|
goto out;
|
|
|
|
if (from->imm == 0 &&
|
|
(from->code == (BPF_ALU | BPF_MOV | BPF_K) ||
|
|
from->code == (BPF_ALU64 | BPF_MOV | BPF_K))) {
|
|
*to++ = BPF_ALU64_REG(BPF_XOR, from->dst_reg, from->dst_reg);
|
|
goto out;
|
|
}
|
|
|
|
switch (from->code) {
|
|
case BPF_ALU | BPF_ADD | BPF_K:
|
|
case BPF_ALU | BPF_SUB | BPF_K:
|
|
case BPF_ALU | BPF_AND | BPF_K:
|
|
case BPF_ALU | BPF_OR | BPF_K:
|
|
case BPF_ALU | BPF_XOR | BPF_K:
|
|
case BPF_ALU | BPF_MUL | BPF_K:
|
|
case BPF_ALU | BPF_MOV | BPF_K:
|
|
case BPF_ALU | BPF_DIV | BPF_K:
|
|
case BPF_ALU | BPF_MOD | BPF_K:
|
|
*to++ = BPF_ALU32_IMM(BPF_MOV, BPF_REG_AX, imm_rnd ^ from->imm);
|
|
*to++ = BPF_ALU32_IMM(BPF_XOR, BPF_REG_AX, imm_rnd);
|
|
*to++ = BPF_ALU32_REG(from->code, from->dst_reg, BPF_REG_AX);
|
|
break;
|
|
|
|
case BPF_ALU64 | BPF_ADD | BPF_K:
|
|
case BPF_ALU64 | BPF_SUB | BPF_K:
|
|
case BPF_ALU64 | BPF_AND | BPF_K:
|
|
case BPF_ALU64 | BPF_OR | BPF_K:
|
|
case BPF_ALU64 | BPF_XOR | BPF_K:
|
|
case BPF_ALU64 | BPF_MUL | BPF_K:
|
|
case BPF_ALU64 | BPF_MOV | BPF_K:
|
|
case BPF_ALU64 | BPF_DIV | BPF_K:
|
|
case BPF_ALU64 | BPF_MOD | BPF_K:
|
|
*to++ = BPF_ALU64_IMM(BPF_MOV, BPF_REG_AX, imm_rnd ^ from->imm);
|
|
*to++ = BPF_ALU64_IMM(BPF_XOR, BPF_REG_AX, imm_rnd);
|
|
*to++ = BPF_ALU64_REG(from->code, from->dst_reg, BPF_REG_AX);
|
|
break;
|
|
|
|
case BPF_JMP | BPF_JEQ | BPF_K:
|
|
case BPF_JMP | BPF_JNE | BPF_K:
|
|
case BPF_JMP | BPF_JGT | BPF_K:
|
|
case BPF_JMP | BPF_JLT | BPF_K:
|
|
case BPF_JMP | BPF_JGE | BPF_K:
|
|
case BPF_JMP | BPF_JLE | BPF_K:
|
|
case BPF_JMP | BPF_JSGT | BPF_K:
|
|
case BPF_JMP | BPF_JSLT | BPF_K:
|
|
case BPF_JMP | BPF_JSGE | BPF_K:
|
|
case BPF_JMP | BPF_JSLE | BPF_K:
|
|
case BPF_JMP | BPF_JSET | BPF_K:
|
|
/* Accommodate for extra offset in case of a backjump. */
|
|
off = from->off;
|
|
if (off < 0)
|
|
off -= 2;
|
|
*to++ = BPF_ALU64_IMM(BPF_MOV, BPF_REG_AX, imm_rnd ^ from->imm);
|
|
*to++ = BPF_ALU64_IMM(BPF_XOR, BPF_REG_AX, imm_rnd);
|
|
*to++ = BPF_JMP_REG(from->code, from->dst_reg, BPF_REG_AX, off);
|
|
break;
|
|
|
|
case BPF_JMP32 | BPF_JEQ | BPF_K:
|
|
case BPF_JMP32 | BPF_JNE | BPF_K:
|
|
case BPF_JMP32 | BPF_JGT | BPF_K:
|
|
case BPF_JMP32 | BPF_JLT | BPF_K:
|
|
case BPF_JMP32 | BPF_JGE | BPF_K:
|
|
case BPF_JMP32 | BPF_JLE | BPF_K:
|
|
case BPF_JMP32 | BPF_JSGT | BPF_K:
|
|
case BPF_JMP32 | BPF_JSLT | BPF_K:
|
|
case BPF_JMP32 | BPF_JSGE | BPF_K:
|
|
case BPF_JMP32 | BPF_JSLE | BPF_K:
|
|
case BPF_JMP32 | BPF_JSET | BPF_K:
|
|
/* Accommodate for extra offset in case of a backjump. */
|
|
off = from->off;
|
|
if (off < 0)
|
|
off -= 2;
|
|
*to++ = BPF_ALU32_IMM(BPF_MOV, BPF_REG_AX, imm_rnd ^ from->imm);
|
|
*to++ = BPF_ALU32_IMM(BPF_XOR, BPF_REG_AX, imm_rnd);
|
|
*to++ = BPF_JMP32_REG(from->code, from->dst_reg, BPF_REG_AX,
|
|
off);
|
|
break;
|
|
|
|
case BPF_LD | BPF_IMM | BPF_DW:
|
|
*to++ = BPF_ALU64_IMM(BPF_MOV, BPF_REG_AX, imm_rnd ^ aux[1].imm);
|
|
*to++ = BPF_ALU64_IMM(BPF_XOR, BPF_REG_AX, imm_rnd);
|
|
*to++ = BPF_ALU64_IMM(BPF_LSH, BPF_REG_AX, 32);
|
|
*to++ = BPF_ALU64_REG(BPF_MOV, aux[0].dst_reg, BPF_REG_AX);
|
|
break;
|
|
case 0: /* Part 2 of BPF_LD | BPF_IMM | BPF_DW. */
|
|
*to++ = BPF_ALU32_IMM(BPF_MOV, BPF_REG_AX, imm_rnd ^ aux[0].imm);
|
|
*to++ = BPF_ALU32_IMM(BPF_XOR, BPF_REG_AX, imm_rnd);
|
|
if (emit_zext)
|
|
*to++ = BPF_ZEXT_REG(BPF_REG_AX);
|
|
*to++ = BPF_ALU64_REG(BPF_OR, aux[0].dst_reg, BPF_REG_AX);
|
|
break;
|
|
|
|
case BPF_ST | BPF_MEM | BPF_DW:
|
|
case BPF_ST | BPF_MEM | BPF_W:
|
|
case BPF_ST | BPF_MEM | BPF_H:
|
|
case BPF_ST | BPF_MEM | BPF_B:
|
|
*to++ = BPF_ALU64_IMM(BPF_MOV, BPF_REG_AX, imm_rnd ^ from->imm);
|
|
*to++ = BPF_ALU64_IMM(BPF_XOR, BPF_REG_AX, imm_rnd);
|
|
*to++ = BPF_STX_MEM(from->code, from->dst_reg, BPF_REG_AX, from->off);
|
|
break;
|
|
}
|
|
out:
|
|
return to - to_buff;
|
|
}
|
|
|
|
static struct bpf_prog *bpf_prog_clone_create(struct bpf_prog *fp_other,
|
|
gfp_t gfp_extra_flags)
|
|
{
|
|
gfp_t gfp_flags = GFP_KERNEL | __GFP_ZERO | gfp_extra_flags;
|
|
struct bpf_prog *fp;
|
|
|
|
fp = __vmalloc(fp_other->pages * PAGE_SIZE, gfp_flags, PAGE_KERNEL);
|
|
if (fp != NULL) {
|
|
/* aux->prog still points to the fp_other one, so
|
|
* when promoting the clone to the real program,
|
|
* this still needs to be adapted.
|
|
*/
|
|
memcpy(fp, fp_other, fp_other->pages * PAGE_SIZE);
|
|
}
|
|
|
|
return fp;
|
|
}
|
|
|
|
static void bpf_prog_clone_free(struct bpf_prog *fp)
|
|
{
|
|
/* aux was stolen by the other clone, so we cannot free
|
|
* it from this path! It will be freed eventually by the
|
|
* other program on release.
|
|
*
|
|
* At this point, we don't need a deferred release since
|
|
* clone is guaranteed to not be locked.
|
|
*/
|
|
fp->aux = NULL;
|
|
__bpf_prog_free(fp);
|
|
}
|
|
|
|
void bpf_jit_prog_release_other(struct bpf_prog *fp, struct bpf_prog *fp_other)
|
|
{
|
|
/* We have to repoint aux->prog to self, as we don't
|
|
* know whether fp here is the clone or the original.
|
|
*/
|
|
fp->aux->prog = fp;
|
|
bpf_prog_clone_free(fp_other);
|
|
}
|
|
|
|
struct bpf_prog *bpf_jit_blind_constants(struct bpf_prog *prog)
|
|
{
|
|
struct bpf_insn insn_buff[16], aux[2];
|
|
struct bpf_prog *clone, *tmp;
|
|
int insn_delta, insn_cnt;
|
|
struct bpf_insn *insn;
|
|
int i, rewritten;
|
|
|
|
if (!bpf_jit_blinding_enabled(prog) || prog->blinded)
|
|
return prog;
|
|
|
|
clone = bpf_prog_clone_create(prog, GFP_USER);
|
|
if (!clone)
|
|
return ERR_PTR(-ENOMEM);
|
|
|
|
insn_cnt = clone->len;
|
|
insn = clone->insnsi;
|
|
|
|
for (i = 0; i < insn_cnt; i++, insn++) {
|
|
/* We temporarily need to hold the original ld64 insn
|
|
* so that we can still access the first part in the
|
|
* second blinding run.
|
|
*/
|
|
if (insn[0].code == (BPF_LD | BPF_IMM | BPF_DW) &&
|
|
insn[1].code == 0)
|
|
memcpy(aux, insn, sizeof(aux));
|
|
|
|
rewritten = bpf_jit_blind_insn(insn, aux, insn_buff,
|
|
clone->aux->verifier_zext);
|
|
if (!rewritten)
|
|
continue;
|
|
|
|
tmp = bpf_patch_insn_single(clone, i, insn_buff, rewritten);
|
|
if (IS_ERR(tmp)) {
|
|
/* Patching may have repointed aux->prog during
|
|
* realloc from the original one, so we need to
|
|
* fix it up here on error.
|
|
*/
|
|
bpf_jit_prog_release_other(prog, clone);
|
|
return tmp;
|
|
}
|
|
|
|
clone = tmp;
|
|
insn_delta = rewritten - 1;
|
|
|
|
/* Walk new program and skip insns we just inserted. */
|
|
insn = clone->insnsi + i + insn_delta;
|
|
insn_cnt += insn_delta;
|
|
i += insn_delta;
|
|
}
|
|
|
|
clone->blinded = 1;
|
|
return clone;
|
|
}
|
|
#endif /* CONFIG_BPF_JIT */
|
|
|
|
/* Base function for offset calculation. Needs to go into .text section,
|
|
* therefore keeping it non-static as well; will also be used by JITs
|
|
* anyway later on, so do not let the compiler omit it. This also needs
|
|
* to go into kallsyms for correlation from e.g. bpftool, so naming
|
|
* must not change.
|
|
*/
|
|
noinline u64 __bpf_call_base(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5)
|
|
{
|
|
return 0;
|
|
}
|
|
EXPORT_SYMBOL_GPL(__bpf_call_base);
|
|
|
|
/* All UAPI available opcodes. */
|
|
#define BPF_INSN_MAP(INSN_2, INSN_3) \
|
|
/* 32 bit ALU operations. */ \
|
|
/* Register based. */ \
|
|
INSN_3(ALU, ADD, X), \
|
|
INSN_3(ALU, SUB, X), \
|
|
INSN_3(ALU, AND, X), \
|
|
INSN_3(ALU, OR, X), \
|
|
INSN_3(ALU, LSH, X), \
|
|
INSN_3(ALU, RSH, X), \
|
|
INSN_3(ALU, XOR, X), \
|
|
INSN_3(ALU, MUL, X), \
|
|
INSN_3(ALU, MOV, X), \
|
|
INSN_3(ALU, ARSH, X), \
|
|
INSN_3(ALU, DIV, X), \
|
|
INSN_3(ALU, MOD, X), \
|
|
INSN_2(ALU, NEG), \
|
|
INSN_3(ALU, END, TO_BE), \
|
|
INSN_3(ALU, END, TO_LE), \
|
|
/* Immediate based. */ \
|
|
INSN_3(ALU, ADD, K), \
|
|
INSN_3(ALU, SUB, K), \
|
|
INSN_3(ALU, AND, K), \
|
|
INSN_3(ALU, OR, K), \
|
|
INSN_3(ALU, LSH, K), \
|
|
INSN_3(ALU, RSH, K), \
|
|
INSN_3(ALU, XOR, K), \
|
|
INSN_3(ALU, MUL, K), \
|
|
INSN_3(ALU, MOV, K), \
|
|
INSN_3(ALU, ARSH, K), \
|
|
INSN_3(ALU, DIV, K), \
|
|
INSN_3(ALU, MOD, K), \
|
|
/* 64 bit ALU operations. */ \
|
|
/* Register based. */ \
|
|
INSN_3(ALU64, ADD, X), \
|
|
INSN_3(ALU64, SUB, X), \
|
|
INSN_3(ALU64, AND, X), \
|
|
INSN_3(ALU64, OR, X), \
|
|
INSN_3(ALU64, LSH, X), \
|
|
INSN_3(ALU64, RSH, X), \
|
|
INSN_3(ALU64, XOR, X), \
|
|
INSN_3(ALU64, MUL, X), \
|
|
INSN_3(ALU64, MOV, X), \
|
|
INSN_3(ALU64, ARSH, X), \
|
|
INSN_3(ALU64, DIV, X), \
|
|
INSN_3(ALU64, MOD, X), \
|
|
INSN_2(ALU64, NEG), \
|
|
/* Immediate based. */ \
|
|
INSN_3(ALU64, ADD, K), \
|
|
INSN_3(ALU64, SUB, K), \
|
|
INSN_3(ALU64, AND, K), \
|
|
INSN_3(ALU64, OR, K), \
|
|
INSN_3(ALU64, LSH, K), \
|
|
INSN_3(ALU64, RSH, K), \
|
|
INSN_3(ALU64, XOR, K), \
|
|
INSN_3(ALU64, MUL, K), \
|
|
INSN_3(ALU64, MOV, K), \
|
|
INSN_3(ALU64, ARSH, K), \
|
|
INSN_3(ALU64, DIV, K), \
|
|
INSN_3(ALU64, MOD, K), \
|
|
/* Call instruction. */ \
|
|
INSN_2(JMP, CALL), \
|
|
/* Exit instruction. */ \
|
|
INSN_2(JMP, EXIT), \
|
|
/* 32-bit Jump instructions. */ \
|
|
/* Register based. */ \
|
|
INSN_3(JMP32, JEQ, X), \
|
|
INSN_3(JMP32, JNE, X), \
|
|
INSN_3(JMP32, JGT, X), \
|
|
INSN_3(JMP32, JLT, X), \
|
|
INSN_3(JMP32, JGE, X), \
|
|
INSN_3(JMP32, JLE, X), \
|
|
INSN_3(JMP32, JSGT, X), \
|
|
INSN_3(JMP32, JSLT, X), \
|
|
INSN_3(JMP32, JSGE, X), \
|
|
INSN_3(JMP32, JSLE, X), \
|
|
INSN_3(JMP32, JSET, X), \
|
|
/* Immediate based. */ \
|
|
INSN_3(JMP32, JEQ, K), \
|
|
INSN_3(JMP32, JNE, K), \
|
|
INSN_3(JMP32, JGT, K), \
|
|
INSN_3(JMP32, JLT, K), \
|
|
INSN_3(JMP32, JGE, K), \
|
|
INSN_3(JMP32, JLE, K), \
|
|
INSN_3(JMP32, JSGT, K), \
|
|
INSN_3(JMP32, JSLT, K), \
|
|
INSN_3(JMP32, JSGE, K), \
|
|
INSN_3(JMP32, JSLE, K), \
|
|
INSN_3(JMP32, JSET, K), \
|
|
/* Jump instructions. */ \
|
|
/* Register based. */ \
|
|
INSN_3(JMP, JEQ, X), \
|
|
INSN_3(JMP, JNE, X), \
|
|
INSN_3(JMP, JGT, X), \
|
|
INSN_3(JMP, JLT, X), \
|
|
INSN_3(JMP, JGE, X), \
|
|
INSN_3(JMP, JLE, X), \
|
|
INSN_3(JMP, JSGT, X), \
|
|
INSN_3(JMP, JSLT, X), \
|
|
INSN_3(JMP, JSGE, X), \
|
|
INSN_3(JMP, JSLE, X), \
|
|
INSN_3(JMP, JSET, X), \
|
|
/* Immediate based. */ \
|
|
INSN_3(JMP, JEQ, K), \
|
|
INSN_3(JMP, JNE, K), \
|
|
INSN_3(JMP, JGT, K), \
|
|
INSN_3(JMP, JLT, K), \
|
|
INSN_3(JMP, JGE, K), \
|
|
INSN_3(JMP, JLE, K), \
|
|
INSN_3(JMP, JSGT, K), \
|
|
INSN_3(JMP, JSLT, K), \
|
|
INSN_3(JMP, JSGE, K), \
|
|
INSN_3(JMP, JSLE, K), \
|
|
INSN_3(JMP, JSET, K), \
|
|
INSN_2(JMP, JA), \
|
|
/* Store instructions. */ \
|
|
/* Register based. */ \
|
|
INSN_3(STX, MEM, B), \
|
|
INSN_3(STX, MEM, H), \
|
|
INSN_3(STX, MEM, W), \
|
|
INSN_3(STX, MEM, DW), \
|
|
INSN_3(STX, XADD, W), \
|
|
INSN_3(STX, XADD, DW), \
|
|
/* Immediate based. */ \
|
|
INSN_3(ST, MEM, B), \
|
|
INSN_3(ST, MEM, H), \
|
|
INSN_3(ST, MEM, W), \
|
|
INSN_3(ST, MEM, DW), \
|
|
/* Load instructions. */ \
|
|
/* Register based. */ \
|
|
INSN_3(LDX, MEM, B), \
|
|
INSN_3(LDX, MEM, H), \
|
|
INSN_3(LDX, MEM, W), \
|
|
INSN_3(LDX, MEM, DW), \
|
|
/* Immediate based. */ \
|
|
INSN_3(LD, IMM, DW)
|
|
|
|
bool bpf_opcode_in_insntable(u8 code)
|
|
{
|
|
#define BPF_INSN_2_TBL(x, y) [BPF_##x | BPF_##y] = true
|
|
#define BPF_INSN_3_TBL(x, y, z) [BPF_##x | BPF_##y | BPF_##z] = true
|
|
static const bool public_insntable[256] = {
|
|
[0 ... 255] = false,
|
|
/* Now overwrite non-defaults ... */
|
|
BPF_INSN_MAP(BPF_INSN_2_TBL, BPF_INSN_3_TBL),
|
|
/* UAPI exposed, but rewritten opcodes. cBPF carry-over. */
|
|
[BPF_LD | BPF_ABS | BPF_B] = true,
|
|
[BPF_LD | BPF_ABS | BPF_H] = true,
|
|
[BPF_LD | BPF_ABS | BPF_W] = true,
|
|
[BPF_LD | BPF_IND | BPF_B] = true,
|
|
[BPF_LD | BPF_IND | BPF_H] = true,
|
|
[BPF_LD | BPF_IND | BPF_W] = true,
|
|
};
|
|
#undef BPF_INSN_3_TBL
|
|
#undef BPF_INSN_2_TBL
|
|
return public_insntable[code];
|
|
}
|
|
|
|
#ifndef CONFIG_BPF_JIT_ALWAYS_ON
|
|
/**
|
|
* __bpf_prog_run - run eBPF program on a given context
|
|
* @regs: is the array of MAX_BPF_EXT_REG eBPF pseudo-registers
|
|
* @insn: is the array of eBPF instructions
|
|
* @stack: is the eBPF storage stack
|
|
*
|
|
* Decode and execute eBPF instructions.
|
|
*/
|
|
static u64 __no_fgcse ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn, u64 *stack)
|
|
{
|
|
#define BPF_INSN_2_LBL(x, y) [BPF_##x | BPF_##y] = &&x##_##y
|
|
#define BPF_INSN_3_LBL(x, y, z) [BPF_##x | BPF_##y | BPF_##z] = &&x##_##y##_##z
|
|
static const void * const jumptable[256] __annotate_jump_table = {
|
|
[0 ... 255] = &&default_label,
|
|
/* Now overwrite non-defaults ... */
|
|
BPF_INSN_MAP(BPF_INSN_2_LBL, BPF_INSN_3_LBL),
|
|
/* Non-UAPI available opcodes. */
|
|
[BPF_JMP | BPF_CALL_ARGS] = &&JMP_CALL_ARGS,
|
|
[BPF_JMP | BPF_TAIL_CALL] = &&JMP_TAIL_CALL,
|
|
};
|
|
#undef BPF_INSN_3_LBL
|
|
#undef BPF_INSN_2_LBL
|
|
u32 tail_call_cnt = 0;
|
|
|
|
#define CONT ({ insn++; goto select_insn; })
|
|
#define CONT_JMP ({ insn++; goto select_insn; })
|
|
|
|
select_insn:
|
|
goto *jumptable[insn->code];
|
|
|
|
/* ALU */
|
|
#define ALU(OPCODE, OP) \
|
|
ALU64_##OPCODE##_X: \
|
|
DST = DST OP SRC; \
|
|
CONT; \
|
|
ALU_##OPCODE##_X: \
|
|
DST = (u32) DST OP (u32) SRC; \
|
|
CONT; \
|
|
ALU64_##OPCODE##_K: \
|
|
DST = DST OP IMM; \
|
|
CONT; \
|
|
ALU_##OPCODE##_K: \
|
|
DST = (u32) DST OP (u32) IMM; \
|
|
CONT;
|
|
|
|
ALU(ADD, +)
|
|
ALU(SUB, -)
|
|
ALU(AND, &)
|
|
ALU(OR, |)
|
|
ALU(LSH, <<)
|
|
ALU(RSH, >>)
|
|
ALU(XOR, ^)
|
|
ALU(MUL, *)
|
|
#undef ALU
|
|
ALU_NEG:
|
|
DST = (u32) -DST;
|
|
CONT;
|
|
ALU64_NEG:
|
|
DST = -DST;
|
|
CONT;
|
|
ALU_MOV_X:
|
|
DST = (u32) SRC;
|
|
CONT;
|
|
ALU_MOV_K:
|
|
DST = (u32) IMM;
|
|
CONT;
|
|
ALU64_MOV_X:
|
|
DST = SRC;
|
|
CONT;
|
|
ALU64_MOV_K:
|
|
DST = IMM;
|
|
CONT;
|
|
LD_IMM_DW:
|
|
DST = (u64) (u32) insn[0].imm | ((u64) (u32) insn[1].imm) << 32;
|
|
insn++;
|
|
CONT;
|
|
ALU_ARSH_X:
|
|
DST = (u64) (u32) (((s32) DST) >> SRC);
|
|
CONT;
|
|
ALU_ARSH_K:
|
|
DST = (u64) (u32) (((s32) DST) >> IMM);
|
|
CONT;
|
|
ALU64_ARSH_X:
|
|
(*(s64 *) &DST) >>= SRC;
|
|
CONT;
|
|
ALU64_ARSH_K:
|
|
(*(s64 *) &DST) >>= IMM;
|
|
CONT;
|
|
ALU64_MOD_X:
|
|
div64_u64_rem(DST, SRC, &AX);
|
|
DST = AX;
|
|
CONT;
|
|
ALU_MOD_X:
|
|
AX = (u32) DST;
|
|
DST = do_div(AX, (u32) SRC);
|
|
CONT;
|
|
ALU64_MOD_K:
|
|
div64_u64_rem(DST, IMM, &AX);
|
|
DST = AX;
|
|
CONT;
|
|
ALU_MOD_K:
|
|
AX = (u32) DST;
|
|
DST = do_div(AX, (u32) IMM);
|
|
CONT;
|
|
ALU64_DIV_X:
|
|
DST = div64_u64(DST, SRC);
|
|
CONT;
|
|
ALU_DIV_X:
|
|
AX = (u32) DST;
|
|
do_div(AX, (u32) SRC);
|
|
DST = (u32) AX;
|
|
CONT;
|
|
ALU64_DIV_K:
|
|
DST = div64_u64(DST, IMM);
|
|
CONT;
|
|
ALU_DIV_K:
|
|
AX = (u32) DST;
|
|
do_div(AX, (u32) IMM);
|
|
DST = (u32) AX;
|
|
CONT;
|
|
ALU_END_TO_BE:
|
|
switch (IMM) {
|
|
case 16:
|
|
DST = (__force u16) cpu_to_be16(DST);
|
|
break;
|
|
case 32:
|
|
DST = (__force u32) cpu_to_be32(DST);
|
|
break;
|
|
case 64:
|
|
DST = (__force u64) cpu_to_be64(DST);
|
|
break;
|
|
}
|
|
CONT;
|
|
ALU_END_TO_LE:
|
|
switch (IMM) {
|
|
case 16:
|
|
DST = (__force u16) cpu_to_le16(DST);
|
|
break;
|
|
case 32:
|
|
DST = (__force u32) cpu_to_le32(DST);
|
|
break;
|
|
case 64:
|
|
DST = (__force u64) cpu_to_le64(DST);
|
|
break;
|
|
}
|
|
CONT;
|
|
|
|
/* CALL */
|
|
JMP_CALL:
|
|
/* Function call scratches BPF_R1-BPF_R5 registers,
|
|
* preserves BPF_R6-BPF_R9, and stores return value
|
|
* into BPF_R0.
|
|
*/
|
|
BPF_R0 = (__bpf_call_base + insn->imm)(BPF_R1, BPF_R2, BPF_R3,
|
|
BPF_R4, BPF_R5);
|
|
CONT;
|
|
|
|
JMP_CALL_ARGS:
|
|
BPF_R0 = (__bpf_call_base_args + insn->imm)(BPF_R1, BPF_R2,
|
|
BPF_R3, BPF_R4,
|
|
BPF_R5,
|
|
insn + insn->off + 1);
|
|
CONT;
|
|
|
|
JMP_TAIL_CALL: {
|
|
struct bpf_map *map = (struct bpf_map *) (unsigned long) BPF_R2;
|
|
struct bpf_array *array = container_of(map, struct bpf_array, map);
|
|
struct bpf_prog *prog;
|
|
u32 index = BPF_R3;
|
|
|
|
if (unlikely(index >= array->map.max_entries))
|
|
goto out;
|
|
if (unlikely(tail_call_cnt > MAX_TAIL_CALL_CNT))
|
|
goto out;
|
|
|
|
tail_call_cnt++;
|
|
|
|
prog = READ_ONCE(array->ptrs[index]);
|
|
if (!prog)
|
|
goto out;
|
|
|
|
/* ARG1 at this point is guaranteed to point to CTX from
|
|
* the verifier side due to the fact that the tail call is
|
|
* handeled like a helper, that is, bpf_tail_call_proto,
|
|
* where arg1_type is ARG_PTR_TO_CTX.
|
|
*/
|
|
insn = prog->insnsi;
|
|
goto select_insn;
|
|
out:
|
|
CONT;
|
|
}
|
|
JMP_JA:
|
|
insn += insn->off;
|
|
CONT;
|
|
JMP_EXIT:
|
|
return BPF_R0;
|
|
/* JMP */
|
|
#define COND_JMP(SIGN, OPCODE, CMP_OP) \
|
|
JMP_##OPCODE##_X: \
|
|
if ((SIGN##64) DST CMP_OP (SIGN##64) SRC) { \
|
|
insn += insn->off; \
|
|
CONT_JMP; \
|
|
} \
|
|
CONT; \
|
|
JMP32_##OPCODE##_X: \
|
|
if ((SIGN##32) DST CMP_OP (SIGN##32) SRC) { \
|
|
insn += insn->off; \
|
|
CONT_JMP; \
|
|
} \
|
|
CONT; \
|
|
JMP_##OPCODE##_K: \
|
|
if ((SIGN##64) DST CMP_OP (SIGN##64) IMM) { \
|
|
insn += insn->off; \
|
|
CONT_JMP; \
|
|
} \
|
|
CONT; \
|
|
JMP32_##OPCODE##_K: \
|
|
if ((SIGN##32) DST CMP_OP (SIGN##32) IMM) { \
|
|
insn += insn->off; \
|
|
CONT_JMP; \
|
|
} \
|
|
CONT;
|
|
COND_JMP(u, JEQ, ==)
|
|
COND_JMP(u, JNE, !=)
|
|
COND_JMP(u, JGT, >)
|
|
COND_JMP(u, JLT, <)
|
|
COND_JMP(u, JGE, >=)
|
|
COND_JMP(u, JLE, <=)
|
|
COND_JMP(u, JSET, &)
|
|
COND_JMP(s, JSGT, >)
|
|
COND_JMP(s, JSLT, <)
|
|
COND_JMP(s, JSGE, >=)
|
|
COND_JMP(s, JSLE, <=)
|
|
#undef COND_JMP
|
|
/* STX and ST and LDX*/
|
|
#define LDST(SIZEOP, SIZE) \
|
|
STX_MEM_##SIZEOP: \
|
|
*(SIZE *)(unsigned long) (DST + insn->off) = SRC; \
|
|
CONT; \
|
|
ST_MEM_##SIZEOP: \
|
|
*(SIZE *)(unsigned long) (DST + insn->off) = IMM; \
|
|
CONT; \
|
|
LDX_MEM_##SIZEOP: \
|
|
DST = *(SIZE *)(unsigned long) (SRC + insn->off); \
|
|
CONT;
|
|
|
|
LDST(B, u8)
|
|
LDST(H, u16)
|
|
LDST(W, u32)
|
|
LDST(DW, u64)
|
|
#undef LDST
|
|
STX_XADD_W: /* lock xadd *(u32 *)(dst_reg + off16) += src_reg */
|
|
atomic_add((u32) SRC, (atomic_t *)(unsigned long)
|
|
(DST + insn->off));
|
|
CONT;
|
|
STX_XADD_DW: /* lock xadd *(u64 *)(dst_reg + off16) += src_reg */
|
|
atomic64_add((u64) SRC, (atomic64_t *)(unsigned long)
|
|
(DST + insn->off));
|
|
CONT;
|
|
|
|
default_label:
|
|
/* If we ever reach this, we have a bug somewhere. Die hard here
|
|
* instead of just returning 0; we could be somewhere in a subprog,
|
|
* so execution could continue otherwise which we do /not/ want.
|
|
*
|
|
* Note, verifier whitelists all opcodes in bpf_opcode_in_insntable().
|
|
*/
|
|
pr_warn("BPF interpreter: unknown opcode %02x\n", insn->code);
|
|
BUG_ON(1);
|
|
return 0;
|
|
}
|
|
|
|
#define PROG_NAME(stack_size) __bpf_prog_run##stack_size
|
|
#define DEFINE_BPF_PROG_RUN(stack_size) \
|
|
static unsigned int PROG_NAME(stack_size)(const void *ctx, const struct bpf_insn *insn) \
|
|
{ \
|
|
u64 stack[stack_size / sizeof(u64)]; \
|
|
u64 regs[MAX_BPF_EXT_REG]; \
|
|
\
|
|
FP = (u64) (unsigned long) &stack[ARRAY_SIZE(stack)]; \
|
|
ARG1 = (u64) (unsigned long) ctx; \
|
|
return ___bpf_prog_run(regs, insn, stack); \
|
|
}
|
|
|
|
#define PROG_NAME_ARGS(stack_size) __bpf_prog_run_args##stack_size
|
|
#define DEFINE_BPF_PROG_RUN_ARGS(stack_size) \
|
|
static u64 PROG_NAME_ARGS(stack_size)(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5, \
|
|
const struct bpf_insn *insn) \
|
|
{ \
|
|
u64 stack[stack_size / sizeof(u64)]; \
|
|
u64 regs[MAX_BPF_EXT_REG]; \
|
|
\
|
|
FP = (u64) (unsigned long) &stack[ARRAY_SIZE(stack)]; \
|
|
BPF_R1 = r1; \
|
|
BPF_R2 = r2; \
|
|
BPF_R3 = r3; \
|
|
BPF_R4 = r4; \
|
|
BPF_R5 = r5; \
|
|
return ___bpf_prog_run(regs, insn, stack); \
|
|
}
|
|
|
|
#define EVAL1(FN, X) FN(X)
|
|
#define EVAL2(FN, X, Y...) FN(X) EVAL1(FN, Y)
|
|
#define EVAL3(FN, X, Y...) FN(X) EVAL2(FN, Y)
|
|
#define EVAL4(FN, X, Y...) FN(X) EVAL3(FN, Y)
|
|
#define EVAL5(FN, X, Y...) FN(X) EVAL4(FN, Y)
|
|
#define EVAL6(FN, X, Y...) FN(X) EVAL5(FN, Y)
|
|
|
|
EVAL6(DEFINE_BPF_PROG_RUN, 32, 64, 96, 128, 160, 192);
|
|
EVAL6(DEFINE_BPF_PROG_RUN, 224, 256, 288, 320, 352, 384);
|
|
EVAL4(DEFINE_BPF_PROG_RUN, 416, 448, 480, 512);
|
|
|
|
EVAL6(DEFINE_BPF_PROG_RUN_ARGS, 32, 64, 96, 128, 160, 192);
|
|
EVAL6(DEFINE_BPF_PROG_RUN_ARGS, 224, 256, 288, 320, 352, 384);
|
|
EVAL4(DEFINE_BPF_PROG_RUN_ARGS, 416, 448, 480, 512);
|
|
|
|
#define PROG_NAME_LIST(stack_size) PROG_NAME(stack_size),
|
|
|
|
static unsigned int (*interpreters[])(const void *ctx,
|
|
const struct bpf_insn *insn) = {
|
|
EVAL6(PROG_NAME_LIST, 32, 64, 96, 128, 160, 192)
|
|
EVAL6(PROG_NAME_LIST, 224, 256, 288, 320, 352, 384)
|
|
EVAL4(PROG_NAME_LIST, 416, 448, 480, 512)
|
|
};
|
|
#undef PROG_NAME_LIST
|
|
#define PROG_NAME_LIST(stack_size) PROG_NAME_ARGS(stack_size),
|
|
static u64 (*interpreters_args[])(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5,
|
|
const struct bpf_insn *insn) = {
|
|
EVAL6(PROG_NAME_LIST, 32, 64, 96, 128, 160, 192)
|
|
EVAL6(PROG_NAME_LIST, 224, 256, 288, 320, 352, 384)
|
|
EVAL4(PROG_NAME_LIST, 416, 448, 480, 512)
|
|
};
|
|
#undef PROG_NAME_LIST
|
|
|
|
void bpf_patch_call_args(struct bpf_insn *insn, u32 stack_depth)
|
|
{
|
|
stack_depth = max_t(u32, stack_depth, 1);
|
|
insn->off = (s16) insn->imm;
|
|
insn->imm = interpreters_args[(round_up(stack_depth, 32) / 32) - 1] -
|
|
__bpf_call_base_args;
|
|
insn->code = BPF_JMP | BPF_CALL_ARGS;
|
|
}
|
|
|
|
#else
|
|
static unsigned int __bpf_prog_ret0_warn(const void *ctx,
|
|
const struct bpf_insn *insn)
|
|
{
|
|
/* If this handler ever gets executed, then BPF_JIT_ALWAYS_ON
|
|
* is not working properly, so warn about it!
|
|
*/
|
|
WARN_ON_ONCE(1);
|
|
return 0;
|
|
}
|
|
#endif
|
|
|
|
bool bpf_prog_array_compatible(struct bpf_array *array,
|
|
const struct bpf_prog *fp)
|
|
{
|
|
if (fp->kprobe_override)
|
|
return false;
|
|
|
|
if (!array->owner_prog_type) {
|
|
/* There's no owner yet where we could check for
|
|
* compatibility.
|
|
*/
|
|
array->owner_prog_type = fp->type;
|
|
array->owner_jited = fp->jited;
|
|
|
|
return true;
|
|
}
|
|
|
|
return array->owner_prog_type == fp->type &&
|
|
array->owner_jited == fp->jited;
|
|
}
|
|
|
|
static int bpf_check_tail_call(const struct bpf_prog *fp)
|
|
{
|
|
struct bpf_prog_aux *aux = fp->aux;
|
|
int i;
|
|
|
|
for (i = 0; i < aux->used_map_cnt; i++) {
|
|
struct bpf_map *map = aux->used_maps[i];
|
|
struct bpf_array *array;
|
|
|
|
if (map->map_type != BPF_MAP_TYPE_PROG_ARRAY)
|
|
continue;
|
|
|
|
array = container_of(map, struct bpf_array, map);
|
|
if (!bpf_prog_array_compatible(array, fp))
|
|
return -EINVAL;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
static void bpf_prog_select_func(struct bpf_prog *fp)
|
|
{
|
|
#ifndef CONFIG_BPF_JIT_ALWAYS_ON
|
|
u32 stack_depth = max_t(u32, fp->aux->stack_depth, 1);
|
|
|
|
fp->bpf_func = interpreters[(round_up(stack_depth, 32) / 32) - 1];
|
|
#else
|
|
fp->bpf_func = __bpf_prog_ret0_warn;
|
|
#endif
|
|
}
|
|
|
|
/**
|
|
* bpf_prog_select_runtime - select exec runtime for BPF program
|
|
* @fp: bpf_prog populated with internal BPF program
|
|
* @err: pointer to error variable
|
|
*
|
|
* Try to JIT eBPF program, if JIT is not available, use interpreter.
|
|
* The BPF program will be executed via BPF_PROG_RUN() macro.
|
|
*/
|
|
struct bpf_prog *bpf_prog_select_runtime(struct bpf_prog *fp, int *err)
|
|
{
|
|
/* In case of BPF to BPF calls, verifier did all the prep
|
|
* work with regards to JITing, etc.
|
|
*/
|
|
if (fp->bpf_func)
|
|
goto finalize;
|
|
|
|
bpf_prog_select_func(fp);
|
|
|
|
/* eBPF JITs can rewrite the program in case constant
|
|
* blinding is active. However, in case of error during
|
|
* blinding, bpf_int_jit_compile() must always return a
|
|
* valid program, which in this case would simply not
|
|
* be JITed, but falls back to the interpreter.
|
|
*/
|
|
if (!bpf_prog_is_dev_bound(fp->aux)) {
|
|
*err = bpf_prog_alloc_jited_linfo(fp);
|
|
if (*err)
|
|
return fp;
|
|
|
|
fp = bpf_int_jit_compile(fp);
|
|
if (!fp->jited) {
|
|
bpf_prog_free_jited_linfo(fp);
|
|
#ifdef CONFIG_BPF_JIT_ALWAYS_ON
|
|
*err = -ENOTSUPP;
|
|
return fp;
|
|
#endif
|
|
} else {
|
|
bpf_prog_free_unused_jited_linfo(fp);
|
|
}
|
|
} else {
|
|
*err = bpf_prog_offload_compile(fp);
|
|
if (*err)
|
|
return fp;
|
|
}
|
|
|
|
finalize:
|
|
bpf_prog_lock_ro(fp);
|
|
|
|
/* The tail call compatibility check can only be done at
|
|
* this late stage as we need to determine, if we deal
|
|
* with JITed or non JITed program concatenations and not
|
|
* all eBPF JITs might immediately support all features.
|
|
*/
|
|
*err = bpf_check_tail_call(fp);
|
|
|
|
return fp;
|
|
}
|
|
EXPORT_SYMBOL_GPL(bpf_prog_select_runtime);
|
|
|
|
static unsigned int __bpf_prog_ret1(const void *ctx,
|
|
const struct bpf_insn *insn)
|
|
{
|
|
return 1;
|
|
}
|
|
|
|
static struct bpf_prog_dummy {
|
|
struct bpf_prog prog;
|
|
} dummy_bpf_prog = {
|
|
.prog = {
|
|
.bpf_func = __bpf_prog_ret1,
|
|
},
|
|
};
|
|
|
|
/* to avoid allocating empty bpf_prog_array for cgroups that
|
|
* don't have bpf program attached use one global 'empty_prog_array'
|
|
* It will not be modified the caller of bpf_prog_array_alloc()
|
|
* (since caller requested prog_cnt == 0)
|
|
* that pointer should be 'freed' by bpf_prog_array_free()
|
|
*/
|
|
static struct {
|
|
struct bpf_prog_array hdr;
|
|
struct bpf_prog *null_prog;
|
|
} empty_prog_array = {
|
|
.null_prog = NULL,
|
|
};
|
|
|
|
struct bpf_prog_array *bpf_prog_array_alloc(u32 prog_cnt, gfp_t flags)
|
|
{
|
|
if (prog_cnt)
|
|
return kzalloc(sizeof(struct bpf_prog_array) +
|
|
sizeof(struct bpf_prog_array_item) *
|
|
(prog_cnt + 1),
|
|
flags);
|
|
|
|
return &empty_prog_array.hdr;
|
|
}
|
|
|
|
void bpf_prog_array_free(struct bpf_prog_array *progs)
|
|
{
|
|
if (!progs || progs == &empty_prog_array.hdr)
|
|
return;
|
|
kfree_rcu(progs, rcu);
|
|
}
|
|
|
|
int bpf_prog_array_length(struct bpf_prog_array *array)
|
|
{
|
|
struct bpf_prog_array_item *item;
|
|
u32 cnt = 0;
|
|
|
|
for (item = array->items; item->prog; item++)
|
|
if (item->prog != &dummy_bpf_prog.prog)
|
|
cnt++;
|
|
return cnt;
|
|
}
|
|
|
|
bool bpf_prog_array_is_empty(struct bpf_prog_array *array)
|
|
{
|
|
struct bpf_prog_array_item *item;
|
|
|
|
for (item = array->items; item->prog; item++)
|
|
if (item->prog != &dummy_bpf_prog.prog)
|
|
return false;
|
|
return true;
|
|
}
|
|
|
|
static bool bpf_prog_array_copy_core(struct bpf_prog_array *array,
|
|
u32 *prog_ids,
|
|
u32 request_cnt)
|
|
{
|
|
struct bpf_prog_array_item *item;
|
|
int i = 0;
|
|
|
|
for (item = array->items; item->prog; item++) {
|
|
if (item->prog == &dummy_bpf_prog.prog)
|
|
continue;
|
|
prog_ids[i] = item->prog->aux->id;
|
|
if (++i == request_cnt) {
|
|
item++;
|
|
break;
|
|
}
|
|
}
|
|
|
|
return !!(item->prog);
|
|
}
|
|
|
|
int bpf_prog_array_copy_to_user(struct bpf_prog_array *array,
|
|
__u32 __user *prog_ids, u32 cnt)
|
|
{
|
|
unsigned long err = 0;
|
|
bool nospc;
|
|
u32 *ids;
|
|
|
|
/* users of this function are doing:
|
|
* cnt = bpf_prog_array_length();
|
|
* if (cnt > 0)
|
|
* bpf_prog_array_copy_to_user(..., cnt);
|
|
* so below kcalloc doesn't need extra cnt > 0 check.
|
|
*/
|
|
ids = kcalloc(cnt, sizeof(u32), GFP_USER | __GFP_NOWARN);
|
|
if (!ids)
|
|
return -ENOMEM;
|
|
nospc = bpf_prog_array_copy_core(array, ids, cnt);
|
|
err = copy_to_user(prog_ids, ids, cnt * sizeof(u32));
|
|
kfree(ids);
|
|
if (err)
|
|
return -EFAULT;
|
|
if (nospc)
|
|
return -ENOSPC;
|
|
return 0;
|
|
}
|
|
|
|
void bpf_prog_array_delete_safe(struct bpf_prog_array *array,
|
|
struct bpf_prog *old_prog)
|
|
{
|
|
struct bpf_prog_array_item *item;
|
|
|
|
for (item = array->items; item->prog; item++)
|
|
if (item->prog == old_prog) {
|
|
WRITE_ONCE(item->prog, &dummy_bpf_prog.prog);
|
|
break;
|
|
}
|
|
}
|
|
|
|
int bpf_prog_array_copy(struct bpf_prog_array *old_array,
|
|
struct bpf_prog *exclude_prog,
|
|
struct bpf_prog *include_prog,
|
|
struct bpf_prog_array **new_array)
|
|
{
|
|
int new_prog_cnt, carry_prog_cnt = 0;
|
|
struct bpf_prog_array_item *existing;
|
|
struct bpf_prog_array *array;
|
|
bool found_exclude = false;
|
|
int new_prog_idx = 0;
|
|
|
|
/* Figure out how many existing progs we need to carry over to
|
|
* the new array.
|
|
*/
|
|
if (old_array) {
|
|
existing = old_array->items;
|
|
for (; existing->prog; existing++) {
|
|
if (existing->prog == exclude_prog) {
|
|
found_exclude = true;
|
|
continue;
|
|
}
|
|
if (existing->prog != &dummy_bpf_prog.prog)
|
|
carry_prog_cnt++;
|
|
if (existing->prog == include_prog)
|
|
return -EEXIST;
|
|
}
|
|
}
|
|
|
|
if (exclude_prog && !found_exclude)
|
|
return -ENOENT;
|
|
|
|
/* How many progs (not NULL) will be in the new array? */
|
|
new_prog_cnt = carry_prog_cnt;
|
|
if (include_prog)
|
|
new_prog_cnt += 1;
|
|
|
|
/* Do we have any prog (not NULL) in the new array? */
|
|
if (!new_prog_cnt) {
|
|
*new_array = NULL;
|
|
return 0;
|
|
}
|
|
|
|
/* +1 as the end of prog_array is marked with NULL */
|
|
array = bpf_prog_array_alloc(new_prog_cnt + 1, GFP_KERNEL);
|
|
if (!array)
|
|
return -ENOMEM;
|
|
|
|
/* Fill in the new prog array */
|
|
if (carry_prog_cnt) {
|
|
existing = old_array->items;
|
|
for (; existing->prog; existing++)
|
|
if (existing->prog != exclude_prog &&
|
|
existing->prog != &dummy_bpf_prog.prog) {
|
|
array->items[new_prog_idx++].prog =
|
|
existing->prog;
|
|
}
|
|
}
|
|
if (include_prog)
|
|
array->items[new_prog_idx++].prog = include_prog;
|
|
array->items[new_prog_idx].prog = NULL;
|
|
*new_array = array;
|
|
return 0;
|
|
}
|
|
|
|
int bpf_prog_array_copy_info(struct bpf_prog_array *array,
|
|
u32 *prog_ids, u32 request_cnt,
|
|
u32 *prog_cnt)
|
|
{
|
|
u32 cnt = 0;
|
|
|
|
if (array)
|
|
cnt = bpf_prog_array_length(array);
|
|
|
|
*prog_cnt = cnt;
|
|
|
|
/* return early if user requested only program count or nothing to copy */
|
|
if (!request_cnt || !cnt)
|
|
return 0;
|
|
|
|
/* this function is called under trace/bpf_trace.c: bpf_event_mutex */
|
|
return bpf_prog_array_copy_core(array, prog_ids, request_cnt) ? -ENOSPC
|
|
: 0;
|
|
}
|
|
|
|
static void bpf_prog_free_deferred(struct work_struct *work)
|
|
{
|
|
struct bpf_prog_aux *aux;
|
|
int i;
|
|
|
|
aux = container_of(work, struct bpf_prog_aux, work);
|
|
if (bpf_prog_is_dev_bound(aux))
|
|
bpf_prog_offload_destroy(aux->prog);
|
|
#ifdef CONFIG_PERF_EVENTS
|
|
if (aux->prog->has_callchain_buf)
|
|
put_callchain_buffers();
|
|
#endif
|
|
for (i = 0; i < aux->func_cnt; i++)
|
|
bpf_jit_free(aux->func[i]);
|
|
if (aux->func_cnt) {
|
|
kfree(aux->func);
|
|
bpf_prog_unlock_free(aux->prog);
|
|
} else {
|
|
bpf_jit_free(aux->prog);
|
|
}
|
|
}
|
|
|
|
/* Free internal BPF program */
|
|
void bpf_prog_free(struct bpf_prog *fp)
|
|
{
|
|
struct bpf_prog_aux *aux = fp->aux;
|
|
|
|
INIT_WORK(&aux->work, bpf_prog_free_deferred);
|
|
schedule_work(&aux->work);
|
|
}
|
|
EXPORT_SYMBOL_GPL(bpf_prog_free);
|
|
|
|
/* RNG for unpriviledged user space with separated state from prandom_u32(). */
|
|
static DEFINE_PER_CPU(struct rnd_state, bpf_user_rnd_state);
|
|
|
|
void bpf_user_rnd_init_once(void)
|
|
{
|
|
prandom_init_once(&bpf_user_rnd_state);
|
|
}
|
|
|
|
BPF_CALL_0(bpf_user_rnd_u32)
|
|
{
|
|
/* Should someone ever have the rather unwise idea to use some
|
|
* of the registers passed into this function, then note that
|
|
* this function is called from native eBPF and classic-to-eBPF
|
|
* transformations. Register assignments from both sides are
|
|
* different, f.e. classic always sets fn(ctx, A, X) here.
|
|
*/
|
|
struct rnd_state *state;
|
|
u32 res;
|
|
|
|
state = &get_cpu_var(bpf_user_rnd_state);
|
|
res = prandom_u32_state(state);
|
|
put_cpu_var(bpf_user_rnd_state);
|
|
|
|
return res;
|
|
}
|
|
|
|
/* Weak definitions of helper functions in case we don't have bpf syscall. */
|
|
const struct bpf_func_proto bpf_map_lookup_elem_proto __weak;
|
|
const struct bpf_func_proto bpf_map_update_elem_proto __weak;
|
|
const struct bpf_func_proto bpf_map_delete_elem_proto __weak;
|
|
const struct bpf_func_proto bpf_map_push_elem_proto __weak;
|
|
const struct bpf_func_proto bpf_map_pop_elem_proto __weak;
|
|
const struct bpf_func_proto bpf_map_peek_elem_proto __weak;
|
|
const struct bpf_func_proto bpf_spin_lock_proto __weak;
|
|
const struct bpf_func_proto bpf_spin_unlock_proto __weak;
|
|
|
|
const struct bpf_func_proto bpf_get_prandom_u32_proto __weak;
|
|
const struct bpf_func_proto bpf_get_smp_processor_id_proto __weak;
|
|
const struct bpf_func_proto bpf_get_numa_node_id_proto __weak;
|
|
const struct bpf_func_proto bpf_ktime_get_ns_proto __weak;
|
|
|
|
const struct bpf_func_proto bpf_get_current_pid_tgid_proto __weak;
|
|
const struct bpf_func_proto bpf_get_current_uid_gid_proto __weak;
|
|
const struct bpf_func_proto bpf_get_current_comm_proto __weak;
|
|
const struct bpf_func_proto bpf_get_current_cgroup_id_proto __weak;
|
|
const struct bpf_func_proto bpf_get_local_storage_proto __weak;
|
|
|
|
const struct bpf_func_proto * __weak bpf_get_trace_printk_proto(void)
|
|
{
|
|
return NULL;
|
|
}
|
|
|
|
u64 __weak
|
|
bpf_event_output(struct bpf_map *map, u64 flags, void *meta, u64 meta_size,
|
|
void *ctx, u64 ctx_size, bpf_ctx_copy_t ctx_copy)
|
|
{
|
|
return -ENOTSUPP;
|
|
}
|
|
EXPORT_SYMBOL_GPL(bpf_event_output);
|
|
|
|
/* Always built-in helper functions. */
|
|
const struct bpf_func_proto bpf_tail_call_proto = {
|
|
.func = NULL,
|
|
.gpl_only = false,
|
|
.ret_type = RET_VOID,
|
|
.arg1_type = ARG_PTR_TO_CTX,
|
|
.arg2_type = ARG_CONST_MAP_PTR,
|
|
.arg3_type = ARG_ANYTHING,
|
|
};
|
|
|
|
/* Stub for JITs that only support cBPF. eBPF programs are interpreted.
|
|
* It is encouraged to implement bpf_int_jit_compile() instead, so that
|
|
* eBPF and implicitly also cBPF can get JITed!
|
|
*/
|
|
struct bpf_prog * __weak bpf_int_jit_compile(struct bpf_prog *prog)
|
|
{
|
|
return prog;
|
|
}
|
|
|
|
/* Stub for JITs that support eBPF. All cBPF code gets transformed into
|
|
* eBPF by the kernel and is later compiled by bpf_int_jit_compile().
|
|
*/
|
|
void __weak bpf_jit_compile(struct bpf_prog *prog)
|
|
{
|
|
}
|
|
|
|
bool __weak bpf_helper_changes_pkt_data(void *func)
|
|
{
|
|
return false;
|
|
}
|
|
|
|
/* Return TRUE if the JIT backend wants verifier to enable sub-register usage
|
|
* analysis code and wants explicit zero extension inserted by verifier.
|
|
* Otherwise, return FALSE.
|
|
*/
|
|
bool __weak bpf_jit_needs_zext(void)
|
|
{
|
|
return false;
|
|
}
|
|
|
|
/* To execute LD_ABS/LD_IND instructions __bpf_prog_run() may call
|
|
* skb_copy_bits(), so provide a weak definition of it for NET-less config.
|
|
*/
|
|
int __weak skb_copy_bits(const struct sk_buff *skb, int offset, void *to,
|
|
int len)
|
|
{
|
|
return -EFAULT;
|
|
}
|
|
|
|
DEFINE_STATIC_KEY_FALSE(bpf_stats_enabled_key);
|
|
EXPORT_SYMBOL(bpf_stats_enabled_key);
|
|
|
|
/* All definitions of tracepoints related to BPF. */
|
|
#define CREATE_TRACE_POINTS
|
|
#include <linux/bpf_trace.h>
|
|
|
|
EXPORT_TRACEPOINT_SYMBOL_GPL(xdp_exception);
|
|
EXPORT_TRACEPOINT_SYMBOL_GPL(xdp_bulk_tx);
|