1 // SPDX-License-Identifier: GPL-2.0-only
2 /* Copyright (c) 2011-2014 PLUMgrid, http://plumgrid.com
6 #include <linux/bpf-cgroup.h>
7 #include <linux/cgroup.h>
8 #include <linux/rcupdate.h>
9 #include <linux/random.h>
10 #include <linux/smp.h>
11 #include <linux/topology.h>
12 #include <linux/ktime.h>
13 #include <linux/sched.h>
14 #include <linux/uidgid.h>
15 #include <linux/filter.h>
16 #include <linux/ctype.h>
17 #include <linux/jiffies.h>
18 #include <linux/pid_namespace.h>
19 #include <linux/poison.h>
20 #include <linux/proc_ns.h>
21 #include <linux/sched/task.h>
22 #include <linux/security.h>
23 #include <linux/btf_ids.h>
24 #include <linux/bpf_mem_alloc.h>
26 #include "../../lib/kstrtox.h"
28 /* If kernel subsystem is allowing eBPF programs to call this function,
29 * inside its own verifier_ops->get_func_proto() callback it should return
30 * bpf_map_lookup_elem_proto, so that verifier can properly check the arguments
32 * Different map implementations will rely on rcu in map methods
33 * lookup/update/delete, therefore eBPF programs must run under rcu lock
34 * if program is allowed to access maps, so check rcu_read_lock_held in
35 * all three functions.
37 BPF_CALL_2(bpf_map_lookup_elem, struct bpf_map *, map, void *, key)
39 WARN_ON_ONCE(!rcu_read_lock_held() && !rcu_read_lock_bh_held());
40 return (unsigned long) map->ops->map_lookup_elem(map, key);
43 const struct bpf_func_proto bpf_map_lookup_elem_proto = {
44 .func = bpf_map_lookup_elem,
47 .ret_type = RET_PTR_TO_MAP_VALUE_OR_NULL,
48 .arg1_type = ARG_CONST_MAP_PTR,
49 .arg2_type = ARG_PTR_TO_MAP_KEY,
52 BPF_CALL_4(bpf_map_update_elem, struct bpf_map *, map, void *, key,
53 void *, value, u64, flags)
55 WARN_ON_ONCE(!rcu_read_lock_held() && !rcu_read_lock_bh_held());
56 return map->ops->map_update_elem(map, key, value, flags);
59 const struct bpf_func_proto bpf_map_update_elem_proto = {
60 .func = bpf_map_update_elem,
63 .ret_type = RET_INTEGER,
64 .arg1_type = ARG_CONST_MAP_PTR,
65 .arg2_type = ARG_PTR_TO_MAP_KEY,
66 .arg3_type = ARG_PTR_TO_MAP_VALUE,
67 .arg4_type = ARG_ANYTHING,
70 BPF_CALL_2(bpf_map_delete_elem, struct bpf_map *, map, void *, key)
72 WARN_ON_ONCE(!rcu_read_lock_held() && !rcu_read_lock_bh_held());
73 return map->ops->map_delete_elem(map, key);
76 const struct bpf_func_proto bpf_map_delete_elem_proto = {
77 .func = bpf_map_delete_elem,
80 .ret_type = RET_INTEGER,
81 .arg1_type = ARG_CONST_MAP_PTR,
82 .arg2_type = ARG_PTR_TO_MAP_KEY,
85 BPF_CALL_3(bpf_map_push_elem, struct bpf_map *, map, void *, value, u64, flags)
87 return map->ops->map_push_elem(map, value, flags);
90 const struct bpf_func_proto bpf_map_push_elem_proto = {
91 .func = bpf_map_push_elem,
94 .ret_type = RET_INTEGER,
95 .arg1_type = ARG_CONST_MAP_PTR,
96 .arg2_type = ARG_PTR_TO_MAP_VALUE,
97 .arg3_type = ARG_ANYTHING,
100 BPF_CALL_2(bpf_map_pop_elem, struct bpf_map *, map, void *, value)
102 return map->ops->map_pop_elem(map, value);
105 const struct bpf_func_proto bpf_map_pop_elem_proto = {
106 .func = bpf_map_pop_elem,
108 .ret_type = RET_INTEGER,
109 .arg1_type = ARG_CONST_MAP_PTR,
110 .arg2_type = ARG_PTR_TO_MAP_VALUE | MEM_UNINIT,
113 BPF_CALL_2(bpf_map_peek_elem, struct bpf_map *, map, void *, value)
115 return map->ops->map_peek_elem(map, value);
118 const struct bpf_func_proto bpf_map_peek_elem_proto = {
119 .func = bpf_map_peek_elem,
121 .ret_type = RET_INTEGER,
122 .arg1_type = ARG_CONST_MAP_PTR,
123 .arg2_type = ARG_PTR_TO_MAP_VALUE | MEM_UNINIT,
126 BPF_CALL_3(bpf_map_lookup_percpu_elem, struct bpf_map *, map, void *, key, u32, cpu)
128 WARN_ON_ONCE(!rcu_read_lock_held() && !rcu_read_lock_bh_held());
129 return (unsigned long) map->ops->map_lookup_percpu_elem(map, key, cpu);
132 const struct bpf_func_proto bpf_map_lookup_percpu_elem_proto = {
133 .func = bpf_map_lookup_percpu_elem,
136 .ret_type = RET_PTR_TO_MAP_VALUE_OR_NULL,
137 .arg1_type = ARG_CONST_MAP_PTR,
138 .arg2_type = ARG_PTR_TO_MAP_KEY,
139 .arg3_type = ARG_ANYTHING,
142 const struct bpf_func_proto bpf_get_prandom_u32_proto = {
143 .func = bpf_user_rnd_u32,
145 .ret_type = RET_INTEGER,
148 BPF_CALL_0(bpf_get_smp_processor_id)
150 return smp_processor_id();
153 const struct bpf_func_proto bpf_get_smp_processor_id_proto = {
154 .func = bpf_get_smp_processor_id,
156 .ret_type = RET_INTEGER,
159 BPF_CALL_0(bpf_get_numa_node_id)
161 return numa_node_id();
164 const struct bpf_func_proto bpf_get_numa_node_id_proto = {
165 .func = bpf_get_numa_node_id,
167 .ret_type = RET_INTEGER,
170 BPF_CALL_0(bpf_ktime_get_ns)
172 /* NMI safe access to clock monotonic */
173 return ktime_get_mono_fast_ns();
176 const struct bpf_func_proto bpf_ktime_get_ns_proto = {
177 .func = bpf_ktime_get_ns,
179 .ret_type = RET_INTEGER,
182 BPF_CALL_0(bpf_ktime_get_boot_ns)
184 /* NMI safe access to clock boottime */
185 return ktime_get_boot_fast_ns();
188 const struct bpf_func_proto bpf_ktime_get_boot_ns_proto = {
189 .func = bpf_ktime_get_boot_ns,
191 .ret_type = RET_INTEGER,
194 BPF_CALL_0(bpf_ktime_get_coarse_ns)
196 return ktime_get_coarse_ns();
199 const struct bpf_func_proto bpf_ktime_get_coarse_ns_proto = {
200 .func = bpf_ktime_get_coarse_ns,
202 .ret_type = RET_INTEGER,
205 BPF_CALL_0(bpf_ktime_get_tai_ns)
207 /* NMI safe access to clock tai */
208 return ktime_get_tai_fast_ns();
211 const struct bpf_func_proto bpf_ktime_get_tai_ns_proto = {
212 .func = bpf_ktime_get_tai_ns,
214 .ret_type = RET_INTEGER,
217 BPF_CALL_0(bpf_get_current_pid_tgid)
219 struct task_struct *task = current;
224 return (u64) task->tgid << 32 | task->pid;
227 const struct bpf_func_proto bpf_get_current_pid_tgid_proto = {
228 .func = bpf_get_current_pid_tgid,
230 .ret_type = RET_INTEGER,
233 BPF_CALL_0(bpf_get_current_uid_gid)
235 struct task_struct *task = current;
242 current_uid_gid(&uid, &gid);
243 return (u64) from_kgid(&init_user_ns, gid) << 32 |
244 from_kuid(&init_user_ns, uid);
247 const struct bpf_func_proto bpf_get_current_uid_gid_proto = {
248 .func = bpf_get_current_uid_gid,
250 .ret_type = RET_INTEGER,
253 BPF_CALL_2(bpf_get_current_comm, char *, buf, u32, size)
255 struct task_struct *task = current;
260 /* Verifier guarantees that size > 0 */
261 strscpy_pad(buf, task->comm, size);
264 memset(buf, 0, size);
268 const struct bpf_func_proto bpf_get_current_comm_proto = {
269 .func = bpf_get_current_comm,
271 .ret_type = RET_INTEGER,
272 .arg1_type = ARG_PTR_TO_UNINIT_MEM,
273 .arg2_type = ARG_CONST_SIZE,
276 #if defined(CONFIG_QUEUED_SPINLOCKS) || defined(CONFIG_BPF_ARCH_SPINLOCK)
278 static inline void __bpf_spin_lock(struct bpf_spin_lock *lock)
280 arch_spinlock_t *l = (void *)lock;
283 arch_spinlock_t lock;
284 } u = { .lock = __ARCH_SPIN_LOCK_UNLOCKED };
286 compiletime_assert(u.val == 0, "__ARCH_SPIN_LOCK_UNLOCKED not 0");
287 BUILD_BUG_ON(sizeof(*l) != sizeof(__u32));
288 BUILD_BUG_ON(sizeof(*lock) != sizeof(__u32));
292 static inline void __bpf_spin_unlock(struct bpf_spin_lock *lock)
294 arch_spinlock_t *l = (void *)lock;
301 static inline void __bpf_spin_lock(struct bpf_spin_lock *lock)
303 atomic_t *l = (void *)lock;
305 BUILD_BUG_ON(sizeof(*l) != sizeof(*lock));
307 atomic_cond_read_relaxed(l, !VAL);
308 } while (atomic_xchg(l, 1));
311 static inline void __bpf_spin_unlock(struct bpf_spin_lock *lock)
313 atomic_t *l = (void *)lock;
315 atomic_set_release(l, 0);
320 static DEFINE_PER_CPU(unsigned long, irqsave_flags);
322 static inline void __bpf_spin_lock_irqsave(struct bpf_spin_lock *lock)
326 local_irq_save(flags);
327 __bpf_spin_lock(lock);
328 __this_cpu_write(irqsave_flags, flags);
331 notrace BPF_CALL_1(bpf_spin_lock, struct bpf_spin_lock *, lock)
333 __bpf_spin_lock_irqsave(lock);
337 const struct bpf_func_proto bpf_spin_lock_proto = {
338 .func = bpf_spin_lock,
340 .ret_type = RET_VOID,
341 .arg1_type = ARG_PTR_TO_SPIN_LOCK,
342 .arg1_btf_id = BPF_PTR_POISON,
345 static inline void __bpf_spin_unlock_irqrestore(struct bpf_spin_lock *lock)
349 flags = __this_cpu_read(irqsave_flags);
350 __bpf_spin_unlock(lock);
351 local_irq_restore(flags);
354 notrace BPF_CALL_1(bpf_spin_unlock, struct bpf_spin_lock *, lock)
356 __bpf_spin_unlock_irqrestore(lock);
360 const struct bpf_func_proto bpf_spin_unlock_proto = {
361 .func = bpf_spin_unlock,
363 .ret_type = RET_VOID,
364 .arg1_type = ARG_PTR_TO_SPIN_LOCK,
365 .arg1_btf_id = BPF_PTR_POISON,
368 void copy_map_value_locked(struct bpf_map *map, void *dst, void *src,
371 struct bpf_spin_lock *lock;
374 lock = src + map->record->spin_lock_off;
376 lock = dst + map->record->spin_lock_off;
378 __bpf_spin_lock_irqsave(lock);
379 copy_map_value(map, dst, src);
380 __bpf_spin_unlock_irqrestore(lock);
384 BPF_CALL_0(bpf_jiffies64)
386 return get_jiffies_64();
389 const struct bpf_func_proto bpf_jiffies64_proto = {
390 .func = bpf_jiffies64,
392 .ret_type = RET_INTEGER,
395 #ifdef CONFIG_CGROUPS
396 BPF_CALL_0(bpf_get_current_cgroup_id)
402 cgrp = task_dfl_cgroup(current);
403 cgrp_id = cgroup_id(cgrp);
409 const struct bpf_func_proto bpf_get_current_cgroup_id_proto = {
410 .func = bpf_get_current_cgroup_id,
412 .ret_type = RET_INTEGER,
415 BPF_CALL_1(bpf_get_current_ancestor_cgroup_id, int, ancestor_level)
418 struct cgroup *ancestor;
422 cgrp = task_dfl_cgroup(current);
423 ancestor = cgroup_ancestor(cgrp, ancestor_level);
424 cgrp_id = ancestor ? cgroup_id(ancestor) : 0;
430 const struct bpf_func_proto bpf_get_current_ancestor_cgroup_id_proto = {
431 .func = bpf_get_current_ancestor_cgroup_id,
433 .ret_type = RET_INTEGER,
434 .arg1_type = ARG_ANYTHING,
436 #endif /* CONFIG_CGROUPS */
438 #define BPF_STRTOX_BASE_MASK 0x1F
440 static int __bpf_strtoull(const char *buf, size_t buf_len, u64 flags,
441 unsigned long long *res, bool *is_negative)
443 unsigned int base = flags & BPF_STRTOX_BASE_MASK;
444 const char *cur_buf = buf;
445 size_t cur_len = buf_len;
446 unsigned int consumed;
450 if (!buf || !buf_len || !res || !is_negative)
453 if (base != 0 && base != 8 && base != 10 && base != 16)
456 if (flags & ~BPF_STRTOX_BASE_MASK)
459 while (cur_buf < buf + buf_len && isspace(*cur_buf))
462 *is_negative = (cur_buf < buf + buf_len && *cur_buf == '-');
466 consumed = cur_buf - buf;
471 cur_len = min(cur_len, sizeof(str) - 1);
472 memcpy(str, cur_buf, cur_len);
476 cur_buf = _parse_integer_fixup_radix(cur_buf, &base);
477 val_len = _parse_integer(cur_buf, base, res);
479 if (val_len & KSTRTOX_OVERFLOW)
486 consumed += cur_buf - str;
491 static int __bpf_strtoll(const char *buf, size_t buf_len, u64 flags,
494 unsigned long long _res;
498 err = __bpf_strtoull(buf, buf_len, flags, &_res, &is_negative);
502 if ((long long)-_res > 0)
506 if ((long long)_res < 0)
513 BPF_CALL_4(bpf_strtol, const char *, buf, size_t, buf_len, u64, flags,
519 err = __bpf_strtoll(buf, buf_len, flags, &_res);
522 if (_res != (long)_res)
528 const struct bpf_func_proto bpf_strtol_proto = {
531 .ret_type = RET_INTEGER,
532 .arg1_type = ARG_PTR_TO_MEM | MEM_RDONLY,
533 .arg2_type = ARG_CONST_SIZE,
534 .arg3_type = ARG_ANYTHING,
535 .arg4_type = ARG_PTR_TO_LONG,
538 BPF_CALL_4(bpf_strtoul, const char *, buf, size_t, buf_len, u64, flags,
539 unsigned long *, res)
541 unsigned long long _res;
545 err = __bpf_strtoull(buf, buf_len, flags, &_res, &is_negative);
550 if (_res != (unsigned long)_res)
556 const struct bpf_func_proto bpf_strtoul_proto = {
559 .ret_type = RET_INTEGER,
560 .arg1_type = ARG_PTR_TO_MEM | MEM_RDONLY,
561 .arg2_type = ARG_CONST_SIZE,
562 .arg3_type = ARG_ANYTHING,
563 .arg4_type = ARG_PTR_TO_LONG,
566 BPF_CALL_3(bpf_strncmp, const char *, s1, u32, s1_sz, const char *, s2)
568 return strncmp(s1, s2, s1_sz);
571 static const struct bpf_func_proto bpf_strncmp_proto = {
574 .ret_type = RET_INTEGER,
575 .arg1_type = ARG_PTR_TO_MEM | MEM_RDONLY,
576 .arg2_type = ARG_CONST_SIZE,
577 .arg3_type = ARG_PTR_TO_CONST_STR,
580 BPF_CALL_4(bpf_get_ns_current_pid_tgid, u64, dev, u64, ino,
581 struct bpf_pidns_info *, nsdata, u32, size)
583 struct task_struct *task = current;
584 struct pid_namespace *pidns;
587 if (unlikely(size != sizeof(struct bpf_pidns_info)))
590 if (unlikely((u64)(dev_t)dev != dev))
596 pidns = task_active_pid_ns(task);
597 if (unlikely(!pidns)) {
602 if (!ns_match(&pidns->ns, (dev_t)dev, ino))
605 nsdata->pid = task_pid_nr_ns(task, pidns);
606 nsdata->tgid = task_tgid_nr_ns(task, pidns);
609 memset((void *)nsdata, 0, (size_t) size);
613 const struct bpf_func_proto bpf_get_ns_current_pid_tgid_proto = {
614 .func = bpf_get_ns_current_pid_tgid,
616 .ret_type = RET_INTEGER,
617 .arg1_type = ARG_ANYTHING,
618 .arg2_type = ARG_ANYTHING,
619 .arg3_type = ARG_PTR_TO_UNINIT_MEM,
620 .arg4_type = ARG_CONST_SIZE,
623 static const struct bpf_func_proto bpf_get_raw_smp_processor_id_proto = {
624 .func = bpf_get_raw_cpu_id,
626 .ret_type = RET_INTEGER,
629 BPF_CALL_5(bpf_event_output_data, void *, ctx, struct bpf_map *, map,
630 u64, flags, void *, data, u64, size)
632 if (unlikely(flags & ~(BPF_F_INDEX_MASK)))
635 return bpf_event_output(map, flags, data, size, NULL, 0, NULL);
638 const struct bpf_func_proto bpf_event_output_data_proto = {
639 .func = bpf_event_output_data,
641 .ret_type = RET_INTEGER,
642 .arg1_type = ARG_PTR_TO_CTX,
643 .arg2_type = ARG_CONST_MAP_PTR,
644 .arg3_type = ARG_ANYTHING,
645 .arg4_type = ARG_PTR_TO_MEM | MEM_RDONLY,
646 .arg5_type = ARG_CONST_SIZE_OR_ZERO,
649 BPF_CALL_3(bpf_copy_from_user, void *, dst, u32, size,
650 const void __user *, user_ptr)
652 int ret = copy_from_user(dst, user_ptr, size);
655 memset(dst, 0, size);
662 const struct bpf_func_proto bpf_copy_from_user_proto = {
663 .func = bpf_copy_from_user,
666 .ret_type = RET_INTEGER,
667 .arg1_type = ARG_PTR_TO_UNINIT_MEM,
668 .arg2_type = ARG_CONST_SIZE_OR_ZERO,
669 .arg3_type = ARG_ANYTHING,
672 BPF_CALL_5(bpf_copy_from_user_task, void *, dst, u32, size,
673 const void __user *, user_ptr, struct task_struct *, tsk, u64, flags)
677 /* flags is not used yet */
684 ret = access_process_vm(tsk, (unsigned long)user_ptr, dst, size, 0);
688 memset(dst, 0, size);
689 /* Return -EFAULT for partial read */
690 return ret < 0 ? ret : -EFAULT;
693 const struct bpf_func_proto bpf_copy_from_user_task_proto = {
694 .func = bpf_copy_from_user_task,
697 .ret_type = RET_INTEGER,
698 .arg1_type = ARG_PTR_TO_UNINIT_MEM,
699 .arg2_type = ARG_CONST_SIZE_OR_ZERO,
700 .arg3_type = ARG_ANYTHING,
701 .arg4_type = ARG_PTR_TO_BTF_ID,
702 .arg4_btf_id = &btf_tracing_ids[BTF_TRACING_TYPE_TASK],
703 .arg5_type = ARG_ANYTHING
706 BPF_CALL_2(bpf_per_cpu_ptr, const void *, ptr, u32, cpu)
708 if (cpu >= nr_cpu_ids)
709 return (unsigned long)NULL;
711 return (unsigned long)per_cpu_ptr((const void __percpu *)ptr, cpu);
714 const struct bpf_func_proto bpf_per_cpu_ptr_proto = {
715 .func = bpf_per_cpu_ptr,
717 .ret_type = RET_PTR_TO_MEM_OR_BTF_ID | PTR_MAYBE_NULL | MEM_RDONLY,
718 .arg1_type = ARG_PTR_TO_PERCPU_BTF_ID,
719 .arg2_type = ARG_ANYTHING,
722 BPF_CALL_1(bpf_this_cpu_ptr, const void *, percpu_ptr)
724 return (unsigned long)this_cpu_ptr((const void __percpu *)percpu_ptr);
727 const struct bpf_func_proto bpf_this_cpu_ptr_proto = {
728 .func = bpf_this_cpu_ptr,
730 .ret_type = RET_PTR_TO_MEM_OR_BTF_ID | MEM_RDONLY,
731 .arg1_type = ARG_PTR_TO_PERCPU_BTF_ID,
734 static int bpf_trace_copy_string(char *buf, void *unsafe_ptr, char fmt_ptype,
737 void __user *user_ptr = (__force void __user *)unsafe_ptr;
743 #ifdef CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE
744 if ((unsigned long)unsafe_ptr < TASK_SIZE)
745 return strncpy_from_user_nofault(buf, user_ptr, bufsz);
749 return strncpy_from_kernel_nofault(buf, unsafe_ptr, bufsz);
751 return strncpy_from_user_nofault(buf, user_ptr, bufsz);
757 /* Per-cpu temp buffers used by printf-like helpers to store the bprintf binary
758 * arguments representation.
760 #define MAX_BPRINTF_BIN_ARGS 512
762 /* Support executing three nested bprintf helper calls on a given CPU */
763 #define MAX_BPRINTF_NEST_LEVEL 3
764 struct bpf_bprintf_buffers {
765 char bin_args[MAX_BPRINTF_BIN_ARGS];
766 char buf[MAX_BPRINTF_BUF];
769 static DEFINE_PER_CPU(struct bpf_bprintf_buffers[MAX_BPRINTF_NEST_LEVEL], bpf_bprintf_bufs);
770 static DEFINE_PER_CPU(int, bpf_bprintf_nest_level);
772 static int try_get_buffers(struct bpf_bprintf_buffers **bufs)
777 nest_level = this_cpu_inc_return(bpf_bprintf_nest_level);
778 if (WARN_ON_ONCE(nest_level > MAX_BPRINTF_NEST_LEVEL)) {
779 this_cpu_dec(bpf_bprintf_nest_level);
783 *bufs = this_cpu_ptr(&bpf_bprintf_bufs[nest_level - 1]);
788 void bpf_bprintf_cleanup(struct bpf_bprintf_data *data)
790 if (!data->bin_args && !data->buf)
792 if (WARN_ON_ONCE(this_cpu_read(bpf_bprintf_nest_level) == 0))
794 this_cpu_dec(bpf_bprintf_nest_level);
799 * bpf_bprintf_prepare - Generic pass on format strings for bprintf-like helpers
801 * Returns a negative value if fmt is an invalid format string or 0 otherwise.
803 * This can be used in two ways:
804 * - Format string verification only: when data->get_bin_args is false
805 * - Arguments preparation: in addition to the above verification, it writes in
806 * data->bin_args a binary representation of arguments usable by bstr_printf
807 * where pointers from BPF have been sanitized.
809 * In argument preparation mode, if 0 is returned, safe temporary buffers are
810 * allocated and bpf_bprintf_cleanup should be called to free them after use.
812 int bpf_bprintf_prepare(char *fmt, u32 fmt_size, const u64 *raw_args,
813 u32 num_args, struct bpf_bprintf_data *data)
815 bool get_buffers = (data->get_bin_args && num_args) || data->get_buf;
816 char *unsafe_ptr = NULL, *tmp_buf = NULL, *tmp_buf_end, *fmt_end;
817 struct bpf_bprintf_buffers *buffers = NULL;
818 size_t sizeof_cur_arg, sizeof_cur_ip;
819 int err, i, num_spec = 0;
821 char fmt_ptype, cur_ip[16], ip_spec[] = "%pXX";
823 fmt_end = strnchr(fmt, fmt_size, 0);
826 fmt_size = fmt_end - fmt;
828 if (get_buffers && try_get_buffers(&buffers))
831 if (data->get_bin_args) {
833 tmp_buf = buffers->bin_args;
834 tmp_buf_end = tmp_buf + MAX_BPRINTF_BIN_ARGS;
835 data->bin_args = (u32 *)tmp_buf;
839 data->buf = buffers->buf;
841 for (i = 0; i < fmt_size; i++) {
842 if ((!isprint(fmt[i]) && !isspace(fmt[i])) || !isascii(fmt[i])) {
850 if (fmt[i + 1] == '%') {
855 if (num_spec >= num_args) {
860 /* The string is zero-terminated so if fmt[i] != 0, we can
861 * always access fmt[i + 1], in the worst case it will be a 0
865 /* skip optional "[0 +-][num]" width formatting field */
866 while (fmt[i] == '0' || fmt[i] == '+' || fmt[i] == '-' ||
869 if (fmt[i] >= '1' && fmt[i] <= '9') {
871 while (fmt[i] >= '0' && fmt[i] <= '9')
876 sizeof_cur_arg = sizeof(long);
878 if ((fmt[i + 1] == 'k' || fmt[i + 1] == 'u') &&
880 fmt_ptype = fmt[i + 1];
885 if (fmt[i + 1] == 0 || isspace(fmt[i + 1]) ||
886 ispunct(fmt[i + 1]) || fmt[i + 1] == 'K' ||
887 fmt[i + 1] == 'x' || fmt[i + 1] == 's' ||
889 /* just kernel pointers */
891 cur_arg = raw_args[num_spec];
896 if (fmt[i + 1] == 'B') {
898 err = snprintf(tmp_buf,
899 (tmp_buf_end - tmp_buf),
901 (void *)(long)raw_args[num_spec]);
902 tmp_buf += (err + 1);
910 /* only support "%pI4", "%pi4", "%pI6" and "%pi6". */
911 if ((fmt[i + 1] != 'i' && fmt[i + 1] != 'I') ||
912 (fmt[i + 2] != '4' && fmt[i + 2] != '6')) {
921 sizeof_cur_ip = (fmt[i] == '4') ? 4 : 16;
922 if (tmp_buf_end - tmp_buf < sizeof_cur_ip) {
927 unsafe_ptr = (char *)(long)raw_args[num_spec];
928 err = copy_from_kernel_nofault(cur_ip, unsafe_ptr,
931 memset(cur_ip, 0, sizeof_cur_ip);
933 /* hack: bstr_printf expects IP addresses to be
934 * pre-formatted as strings, ironically, the easiest way
935 * to do that is to call snprintf.
937 ip_spec[2] = fmt[i - 1];
939 err = snprintf(tmp_buf, tmp_buf_end - tmp_buf,
946 } else if (fmt[i] == 's') {
949 if (fmt[i + 1] != 0 &&
950 !isspace(fmt[i + 1]) &&
951 !ispunct(fmt[i + 1])) {
959 if (tmp_buf_end == tmp_buf) {
964 unsafe_ptr = (char *)(long)raw_args[num_spec];
965 err = bpf_trace_copy_string(tmp_buf, unsafe_ptr,
967 tmp_buf_end - tmp_buf);
977 } else if (fmt[i] == 'c') {
981 if (tmp_buf_end == tmp_buf) {
986 *tmp_buf = raw_args[num_spec];
993 sizeof_cur_arg = sizeof(int);
996 sizeof_cur_arg = sizeof(long);
1000 sizeof_cur_arg = sizeof(long long);
1004 if (fmt[i] != 'i' && fmt[i] != 'd' && fmt[i] != 'u' &&
1005 fmt[i] != 'x' && fmt[i] != 'X') {
1011 cur_arg = raw_args[num_spec];
1014 tmp_buf = PTR_ALIGN(tmp_buf, sizeof(u32));
1015 if (tmp_buf_end - tmp_buf < sizeof_cur_arg) {
1020 if (sizeof_cur_arg == 8) {
1021 *(u32 *)tmp_buf = *(u32 *)&cur_arg;
1022 *(u32 *)(tmp_buf + 4) = *((u32 *)&cur_arg + 1);
1024 *(u32 *)tmp_buf = (u32)(long)cur_arg;
1026 tmp_buf += sizeof_cur_arg;
1034 bpf_bprintf_cleanup(data);
1038 BPF_CALL_5(bpf_snprintf, char *, str, u32, str_size, char *, fmt,
1039 const void *, args, u32, data_len)
1041 struct bpf_bprintf_data data = {
1042 .get_bin_args = true,
1046 if (data_len % 8 || data_len > MAX_BPRINTF_VARARGS * 8 ||
1047 (data_len && !args))
1049 num_args = data_len / 8;
1051 /* ARG_PTR_TO_CONST_STR guarantees that fmt is zero-terminated so we
1052 * can safely give an unbounded size.
1054 err = bpf_bprintf_prepare(fmt, UINT_MAX, args, num_args, &data);
1058 err = bstr_printf(str, str_size, fmt, data.bin_args);
1060 bpf_bprintf_cleanup(&data);
1065 const struct bpf_func_proto bpf_snprintf_proto = {
1066 .func = bpf_snprintf,
1068 .ret_type = RET_INTEGER,
1069 .arg1_type = ARG_PTR_TO_MEM_OR_NULL,
1070 .arg2_type = ARG_CONST_SIZE_OR_ZERO,
1071 .arg3_type = ARG_PTR_TO_CONST_STR,
1072 .arg4_type = ARG_PTR_TO_MEM | PTR_MAYBE_NULL | MEM_RDONLY,
1073 .arg5_type = ARG_CONST_SIZE_OR_ZERO,
1076 /* BPF map elements can contain 'struct bpf_timer'.
1077 * Such map owns all of its BPF timers.
1078 * 'struct bpf_timer' is allocated as part of map element allocation
1079 * and it's zero initialized.
1080 * That space is used to keep 'struct bpf_timer_kern'.
1081 * bpf_timer_init() allocates 'struct bpf_hrtimer', inits hrtimer, and
1082 * remembers 'struct bpf_map *' pointer it's part of.
1083 * bpf_timer_set_callback() increments prog refcnt and assign bpf callback_fn.
1084 * bpf_timer_start() arms the timer.
1085 * If user space reference to a map goes to zero at this point
1086 * ops->map_release_uref callback is responsible for cancelling the timers,
1087 * freeing their memory, and decrementing prog's refcnts.
1088 * bpf_timer_cancel() cancels the timer and decrements prog's refcnt.
1089 * Inner maps can contain bpf timers as well. ops->map_release_uref is
1090 * freeing the timers when inner map is replaced or deleted by user space.
1092 struct bpf_hrtimer {
1093 struct hrtimer timer;
1094 struct bpf_map *map;
1095 struct bpf_prog *prog;
1096 void __rcu *callback_fn;
1100 /* the actual struct hidden inside uapi struct bpf_timer */
1101 struct bpf_timer_kern {
1102 struct bpf_hrtimer *timer;
1103 /* bpf_spin_lock is used here instead of spinlock_t to make
1104 * sure that it always fits into space reserved by struct bpf_timer
1105 * regardless of LOCKDEP and spinlock debug flags.
1107 struct bpf_spin_lock lock;
1108 } __attribute__((aligned(8)));
1110 static DEFINE_PER_CPU(struct bpf_hrtimer *, hrtimer_running);
1112 static enum hrtimer_restart bpf_timer_cb(struct hrtimer *hrtimer)
1114 struct bpf_hrtimer *t = container_of(hrtimer, struct bpf_hrtimer, timer);
1115 struct bpf_map *map = t->map;
1116 void *value = t->value;
1117 bpf_callback_t callback_fn;
1121 BTF_TYPE_EMIT(struct bpf_timer);
1122 callback_fn = rcu_dereference_check(t->callback_fn, rcu_read_lock_bh_held());
1126 /* bpf_timer_cb() runs in hrtimer_run_softirq. It doesn't migrate and
1127 * cannot be preempted by another bpf_timer_cb() on the same cpu.
1128 * Remember the timer this callback is servicing to prevent
1129 * deadlock if callback_fn() calls bpf_timer_cancel() or
1130 * bpf_map_delete_elem() on the same timer.
1132 this_cpu_write(hrtimer_running, t);
1133 if (map->map_type == BPF_MAP_TYPE_ARRAY) {
1134 struct bpf_array *array = container_of(map, struct bpf_array, map);
1136 /* compute the key */
1137 idx = ((char *)value - array->value) / array->elem_size;
1139 } else { /* hash or lru */
1140 key = value - round_up(map->key_size, 8);
1143 callback_fn((u64)(long)map, (u64)(long)key, (u64)(long)value, 0, 0);
1144 /* The verifier checked that return value is zero. */
1146 this_cpu_write(hrtimer_running, NULL);
1148 return HRTIMER_NORESTART;
1151 BPF_CALL_3(bpf_timer_init, struct bpf_timer_kern *, timer, struct bpf_map *, map,
1154 clockid_t clockid = flags & (MAX_CLOCKS - 1);
1155 struct bpf_hrtimer *t;
1158 BUILD_BUG_ON(MAX_CLOCKS != 16);
1159 BUILD_BUG_ON(sizeof(struct bpf_timer_kern) > sizeof(struct bpf_timer));
1160 BUILD_BUG_ON(__alignof__(struct bpf_timer_kern) != __alignof__(struct bpf_timer));
1165 if (flags >= MAX_CLOCKS ||
1166 /* similar to timerfd except _ALARM variants are not supported */
1167 (clockid != CLOCK_MONOTONIC &&
1168 clockid != CLOCK_REALTIME &&
1169 clockid != CLOCK_BOOTTIME))
1171 __bpf_spin_lock_irqsave(&timer->lock);
1177 if (!atomic64_read(&map->usercnt)) {
1178 /* maps with timers must be either held by user space
1179 * or pinned in bpffs.
1184 /* allocate hrtimer via map_kmalloc to use memcg accounting */
1185 t = bpf_map_kmalloc_node(map, sizeof(*t), GFP_ATOMIC, map->numa_node);
1190 t->value = (void *)timer - map->record->timer_off;
1193 rcu_assign_pointer(t->callback_fn, NULL);
1194 hrtimer_init(&t->timer, clockid, HRTIMER_MODE_REL_SOFT);
1195 t->timer.function = bpf_timer_cb;
1198 __bpf_spin_unlock_irqrestore(&timer->lock);
1202 static const struct bpf_func_proto bpf_timer_init_proto = {
1203 .func = bpf_timer_init,
1205 .ret_type = RET_INTEGER,
1206 .arg1_type = ARG_PTR_TO_TIMER,
1207 .arg2_type = ARG_CONST_MAP_PTR,
1208 .arg3_type = ARG_ANYTHING,
1211 BPF_CALL_3(bpf_timer_set_callback, struct bpf_timer_kern *, timer, void *, callback_fn,
1212 struct bpf_prog_aux *, aux)
1214 struct bpf_prog *prev, *prog = aux->prog;
1215 struct bpf_hrtimer *t;
1220 __bpf_spin_lock_irqsave(&timer->lock);
1226 if (!atomic64_read(&t->map->usercnt)) {
1227 /* maps with timers must be either held by user space
1228 * or pinned in bpffs. Otherwise timer might still be
1229 * running even when bpf prog is detached and user space
1230 * is gone, since map_release_uref won't ever be called.
1237 /* Bump prog refcnt once. Every bpf_timer_set_callback()
1238 * can pick different callback_fn-s within the same prog.
1240 prog = bpf_prog_inc_not_zero(prog);
1242 ret = PTR_ERR(prog);
1246 /* Drop prev prog refcnt when swapping with new prog */
1250 rcu_assign_pointer(t->callback_fn, callback_fn);
1252 __bpf_spin_unlock_irqrestore(&timer->lock);
1256 static const struct bpf_func_proto bpf_timer_set_callback_proto = {
1257 .func = bpf_timer_set_callback,
1259 .ret_type = RET_INTEGER,
1260 .arg1_type = ARG_PTR_TO_TIMER,
1261 .arg2_type = ARG_PTR_TO_FUNC,
1264 BPF_CALL_3(bpf_timer_start, struct bpf_timer_kern *, timer, u64, nsecs, u64, flags)
1266 struct bpf_hrtimer *t;
1268 enum hrtimer_mode mode;
1272 if (flags > BPF_F_TIMER_ABS)
1274 __bpf_spin_lock_irqsave(&timer->lock);
1276 if (!t || !t->prog) {
1281 if (flags & BPF_F_TIMER_ABS)
1282 mode = HRTIMER_MODE_ABS_SOFT;
1284 mode = HRTIMER_MODE_REL_SOFT;
1286 hrtimer_start(&t->timer, ns_to_ktime(nsecs), mode);
1288 __bpf_spin_unlock_irqrestore(&timer->lock);
1292 static const struct bpf_func_proto bpf_timer_start_proto = {
1293 .func = bpf_timer_start,
1295 .ret_type = RET_INTEGER,
1296 .arg1_type = ARG_PTR_TO_TIMER,
1297 .arg2_type = ARG_ANYTHING,
1298 .arg3_type = ARG_ANYTHING,
1301 static void drop_prog_refcnt(struct bpf_hrtimer *t)
1303 struct bpf_prog *prog = t->prog;
1308 rcu_assign_pointer(t->callback_fn, NULL);
1312 BPF_CALL_1(bpf_timer_cancel, struct bpf_timer_kern *, timer)
1314 struct bpf_hrtimer *t;
1319 __bpf_spin_lock_irqsave(&timer->lock);
1325 if (this_cpu_read(hrtimer_running) == t) {
1326 /* If bpf callback_fn is trying to bpf_timer_cancel()
1327 * its own timer the hrtimer_cancel() will deadlock
1328 * since it waits for callback_fn to finish
1333 drop_prog_refcnt(t);
1335 __bpf_spin_unlock_irqrestore(&timer->lock);
1336 /* Cancel the timer and wait for associated callback to finish
1337 * if it was running.
1339 ret = ret ?: hrtimer_cancel(&t->timer);
1343 static const struct bpf_func_proto bpf_timer_cancel_proto = {
1344 .func = bpf_timer_cancel,
1346 .ret_type = RET_INTEGER,
1347 .arg1_type = ARG_PTR_TO_TIMER,
1350 /* This function is called by map_delete/update_elem for individual element and
1351 * by ops->map_release_uref when the user space reference to a map reaches zero.
1353 void bpf_timer_cancel_and_free(void *val)
1355 struct bpf_timer_kern *timer = val;
1356 struct bpf_hrtimer *t;
1358 /* Performance optimization: read timer->timer without lock first. */
1359 if (!READ_ONCE(timer->timer))
1362 __bpf_spin_lock_irqsave(&timer->lock);
1363 /* re-read it under lock */
1367 drop_prog_refcnt(t);
1368 /* The subsequent bpf_timer_start/cancel() helpers won't be able to use
1369 * this timer, since it won't be initialized.
1371 timer->timer = NULL;
1373 __bpf_spin_unlock_irqrestore(&timer->lock);
1376 /* Cancel the timer and wait for callback to complete if it was running.
1377 * If hrtimer_cancel() can be safely called it's safe to call kfree(t)
1378 * right after for both preallocated and non-preallocated maps.
1379 * The timer->timer = NULL was already done and no code path can
1380 * see address 't' anymore.
1382 * Check that bpf_map_delete/update_elem() wasn't called from timer
1383 * callback_fn. In such case don't call hrtimer_cancel() (since it will
1384 * deadlock) and don't call hrtimer_try_to_cancel() (since it will just
1385 * return -1). Though callback_fn is still running on this cpu it's
1386 * safe to do kfree(t) because bpf_timer_cb() read everything it needed
1387 * from 't'. The bpf subprog callback_fn won't be able to access 't',
1388 * since timer->timer = NULL was already done. The timer will be
1389 * effectively cancelled because bpf_timer_cb() will return
1390 * HRTIMER_NORESTART.
1392 if (this_cpu_read(hrtimer_running) != t)
1393 hrtimer_cancel(&t->timer);
1397 BPF_CALL_2(bpf_kptr_xchg, void *, map_value, void *, ptr)
1399 unsigned long *kptr = map_value;
1401 return xchg(kptr, (unsigned long)ptr);
1404 /* Unlike other PTR_TO_BTF_ID helpers the btf_id in bpf_kptr_xchg()
1405 * helper is determined dynamically by the verifier. Use BPF_PTR_POISON to
1406 * denote type that verifier will determine.
1408 static const struct bpf_func_proto bpf_kptr_xchg_proto = {
1409 .func = bpf_kptr_xchg,
1411 .ret_type = RET_PTR_TO_BTF_ID_OR_NULL,
1412 .ret_btf_id = BPF_PTR_POISON,
1413 .arg1_type = ARG_PTR_TO_KPTR,
1414 .arg2_type = ARG_PTR_TO_BTF_ID_OR_NULL | OBJ_RELEASE,
1415 .arg2_btf_id = BPF_PTR_POISON,
1418 /* Since the upper 8 bits of dynptr->size is reserved, the
1419 * maximum supported size is 2^24 - 1.
1421 #define DYNPTR_MAX_SIZE ((1UL << 24) - 1)
1422 #define DYNPTR_TYPE_SHIFT 28
1423 #define DYNPTR_SIZE_MASK 0xFFFFFF
1424 #define DYNPTR_RDONLY_BIT BIT(31)
1426 static bool __bpf_dynptr_is_rdonly(const struct bpf_dynptr_kern *ptr)
1428 return ptr->size & DYNPTR_RDONLY_BIT;
1431 void bpf_dynptr_set_rdonly(struct bpf_dynptr_kern *ptr)
1433 ptr->size |= DYNPTR_RDONLY_BIT;
1436 static void bpf_dynptr_set_type(struct bpf_dynptr_kern *ptr, enum bpf_dynptr_type type)
1438 ptr->size |= type << DYNPTR_TYPE_SHIFT;
1441 static enum bpf_dynptr_type bpf_dynptr_get_type(const struct bpf_dynptr_kern *ptr)
1443 return (ptr->size & ~(DYNPTR_RDONLY_BIT)) >> DYNPTR_TYPE_SHIFT;
1446 u32 __bpf_dynptr_size(const struct bpf_dynptr_kern *ptr)
1448 return ptr->size & DYNPTR_SIZE_MASK;
1451 static void bpf_dynptr_set_size(struct bpf_dynptr_kern *ptr, u32 new_size)
1453 u32 metadata = ptr->size & ~DYNPTR_SIZE_MASK;
1455 ptr->size = new_size | metadata;
1458 int bpf_dynptr_check_size(u32 size)
1460 return size > DYNPTR_MAX_SIZE ? -E2BIG : 0;
1463 void bpf_dynptr_init(struct bpf_dynptr_kern *ptr, void *data,
1464 enum bpf_dynptr_type type, u32 offset, u32 size)
1467 ptr->offset = offset;
1469 bpf_dynptr_set_type(ptr, type);
1472 void bpf_dynptr_set_null(struct bpf_dynptr_kern *ptr)
1474 memset(ptr, 0, sizeof(*ptr));
1477 static int bpf_dynptr_check_off_len(const struct bpf_dynptr_kern *ptr, u32 offset, u32 len)
1479 u32 size = __bpf_dynptr_size(ptr);
1481 if (len > size || offset > size - len)
1487 BPF_CALL_4(bpf_dynptr_from_mem, void *, data, u32, size, u64, flags, struct bpf_dynptr_kern *, ptr)
1491 BTF_TYPE_EMIT(struct bpf_dynptr);
1493 err = bpf_dynptr_check_size(size);
1497 /* flags is currently unsupported */
1503 bpf_dynptr_init(ptr, data, BPF_DYNPTR_TYPE_LOCAL, 0, size);
1508 bpf_dynptr_set_null(ptr);
1512 static const struct bpf_func_proto bpf_dynptr_from_mem_proto = {
1513 .func = bpf_dynptr_from_mem,
1515 .ret_type = RET_INTEGER,
1516 .arg1_type = ARG_PTR_TO_UNINIT_MEM,
1517 .arg2_type = ARG_CONST_SIZE_OR_ZERO,
1518 .arg3_type = ARG_ANYTHING,
1519 .arg4_type = ARG_PTR_TO_DYNPTR | DYNPTR_TYPE_LOCAL | MEM_UNINIT,
1522 BPF_CALL_5(bpf_dynptr_read, void *, dst, u32, len, const struct bpf_dynptr_kern *, src,
1523 u32, offset, u64, flags)
1525 enum bpf_dynptr_type type;
1528 if (!src->data || flags)
1531 err = bpf_dynptr_check_off_len(src, offset, len);
1535 type = bpf_dynptr_get_type(src);
1538 case BPF_DYNPTR_TYPE_LOCAL:
1539 case BPF_DYNPTR_TYPE_RINGBUF:
1540 /* Source and destination may possibly overlap, hence use memmove to
1541 * copy the data. E.g. bpf_dynptr_from_mem may create two dynptr
1542 * pointing to overlapping PTR_TO_MAP_VALUE regions.
1544 memmove(dst, src->data + src->offset + offset, len);
1546 case BPF_DYNPTR_TYPE_SKB:
1547 return __bpf_skb_load_bytes(src->data, src->offset + offset, dst, len);
1548 case BPF_DYNPTR_TYPE_XDP:
1549 return __bpf_xdp_load_bytes(src->data, src->offset + offset, dst, len);
1551 WARN_ONCE(true, "bpf_dynptr_read: unknown dynptr type %d\n", type);
1556 static const struct bpf_func_proto bpf_dynptr_read_proto = {
1557 .func = bpf_dynptr_read,
1559 .ret_type = RET_INTEGER,
1560 .arg1_type = ARG_PTR_TO_UNINIT_MEM,
1561 .arg2_type = ARG_CONST_SIZE_OR_ZERO,
1562 .arg3_type = ARG_PTR_TO_DYNPTR | MEM_RDONLY,
1563 .arg4_type = ARG_ANYTHING,
1564 .arg5_type = ARG_ANYTHING,
1567 BPF_CALL_5(bpf_dynptr_write, const struct bpf_dynptr_kern *, dst, u32, offset, void *, src,
1568 u32, len, u64, flags)
1570 enum bpf_dynptr_type type;
1573 if (!dst->data || __bpf_dynptr_is_rdonly(dst))
1576 err = bpf_dynptr_check_off_len(dst, offset, len);
1580 type = bpf_dynptr_get_type(dst);
1583 case BPF_DYNPTR_TYPE_LOCAL:
1584 case BPF_DYNPTR_TYPE_RINGBUF:
1587 /* Source and destination may possibly overlap, hence use memmove to
1588 * copy the data. E.g. bpf_dynptr_from_mem may create two dynptr
1589 * pointing to overlapping PTR_TO_MAP_VALUE regions.
1591 memmove(dst->data + dst->offset + offset, src, len);
1593 case BPF_DYNPTR_TYPE_SKB:
1594 return __bpf_skb_store_bytes(dst->data, dst->offset + offset, src, len,
1596 case BPF_DYNPTR_TYPE_XDP:
1599 return __bpf_xdp_store_bytes(dst->data, dst->offset + offset, src, len);
1601 WARN_ONCE(true, "bpf_dynptr_write: unknown dynptr type %d\n", type);
1606 static const struct bpf_func_proto bpf_dynptr_write_proto = {
1607 .func = bpf_dynptr_write,
1609 .ret_type = RET_INTEGER,
1610 .arg1_type = ARG_PTR_TO_DYNPTR | MEM_RDONLY,
1611 .arg2_type = ARG_ANYTHING,
1612 .arg3_type = ARG_PTR_TO_MEM | MEM_RDONLY,
1613 .arg4_type = ARG_CONST_SIZE_OR_ZERO,
1614 .arg5_type = ARG_ANYTHING,
1617 BPF_CALL_3(bpf_dynptr_data, const struct bpf_dynptr_kern *, ptr, u32, offset, u32, len)
1619 enum bpf_dynptr_type type;
1625 err = bpf_dynptr_check_off_len(ptr, offset, len);
1629 if (__bpf_dynptr_is_rdonly(ptr))
1632 type = bpf_dynptr_get_type(ptr);
1635 case BPF_DYNPTR_TYPE_LOCAL:
1636 case BPF_DYNPTR_TYPE_RINGBUF:
1637 return (unsigned long)(ptr->data + ptr->offset + offset);
1638 case BPF_DYNPTR_TYPE_SKB:
1639 case BPF_DYNPTR_TYPE_XDP:
1640 /* skb and xdp dynptrs should use bpf_dynptr_slice / bpf_dynptr_slice_rdwr */
1643 WARN_ONCE(true, "bpf_dynptr_data: unknown dynptr type %d\n", type);
1648 static const struct bpf_func_proto bpf_dynptr_data_proto = {
1649 .func = bpf_dynptr_data,
1651 .ret_type = RET_PTR_TO_DYNPTR_MEM_OR_NULL,
1652 .arg1_type = ARG_PTR_TO_DYNPTR | MEM_RDONLY,
1653 .arg2_type = ARG_ANYTHING,
1654 .arg3_type = ARG_CONST_ALLOC_SIZE_OR_ZERO,
1657 const struct bpf_func_proto bpf_get_current_task_proto __weak;
1658 const struct bpf_func_proto bpf_get_current_task_btf_proto __weak;
1659 const struct bpf_func_proto bpf_probe_read_user_proto __weak;
1660 const struct bpf_func_proto bpf_probe_read_user_str_proto __weak;
1661 const struct bpf_func_proto bpf_probe_read_kernel_proto __weak;
1662 const struct bpf_func_proto bpf_probe_read_kernel_str_proto __weak;
1663 const struct bpf_func_proto bpf_task_pt_regs_proto __weak;
1665 const struct bpf_func_proto *
1666 bpf_base_func_proto(enum bpf_func_id func_id)
1669 case BPF_FUNC_map_lookup_elem:
1670 return &bpf_map_lookup_elem_proto;
1671 case BPF_FUNC_map_update_elem:
1672 return &bpf_map_update_elem_proto;
1673 case BPF_FUNC_map_delete_elem:
1674 return &bpf_map_delete_elem_proto;
1675 case BPF_FUNC_map_push_elem:
1676 return &bpf_map_push_elem_proto;
1677 case BPF_FUNC_map_pop_elem:
1678 return &bpf_map_pop_elem_proto;
1679 case BPF_FUNC_map_peek_elem:
1680 return &bpf_map_peek_elem_proto;
1681 case BPF_FUNC_map_lookup_percpu_elem:
1682 return &bpf_map_lookup_percpu_elem_proto;
1683 case BPF_FUNC_get_prandom_u32:
1684 return &bpf_get_prandom_u32_proto;
1685 case BPF_FUNC_get_smp_processor_id:
1686 return &bpf_get_raw_smp_processor_id_proto;
1687 case BPF_FUNC_get_numa_node_id:
1688 return &bpf_get_numa_node_id_proto;
1689 case BPF_FUNC_tail_call:
1690 return &bpf_tail_call_proto;
1691 case BPF_FUNC_ktime_get_ns:
1692 return &bpf_ktime_get_ns_proto;
1693 case BPF_FUNC_ktime_get_boot_ns:
1694 return &bpf_ktime_get_boot_ns_proto;
1695 case BPF_FUNC_ktime_get_tai_ns:
1696 return &bpf_ktime_get_tai_ns_proto;
1697 case BPF_FUNC_ringbuf_output:
1698 return &bpf_ringbuf_output_proto;
1699 case BPF_FUNC_ringbuf_reserve:
1700 return &bpf_ringbuf_reserve_proto;
1701 case BPF_FUNC_ringbuf_submit:
1702 return &bpf_ringbuf_submit_proto;
1703 case BPF_FUNC_ringbuf_discard:
1704 return &bpf_ringbuf_discard_proto;
1705 case BPF_FUNC_ringbuf_query:
1706 return &bpf_ringbuf_query_proto;
1707 case BPF_FUNC_strncmp:
1708 return &bpf_strncmp_proto;
1709 case BPF_FUNC_strtol:
1710 return &bpf_strtol_proto;
1711 case BPF_FUNC_strtoul:
1712 return &bpf_strtoul_proto;
1721 case BPF_FUNC_spin_lock:
1722 return &bpf_spin_lock_proto;
1723 case BPF_FUNC_spin_unlock:
1724 return &bpf_spin_unlock_proto;
1725 case BPF_FUNC_jiffies64:
1726 return &bpf_jiffies64_proto;
1727 case BPF_FUNC_per_cpu_ptr:
1728 return &bpf_per_cpu_ptr_proto;
1729 case BPF_FUNC_this_cpu_ptr:
1730 return &bpf_this_cpu_ptr_proto;
1731 case BPF_FUNC_timer_init:
1732 return &bpf_timer_init_proto;
1733 case BPF_FUNC_timer_set_callback:
1734 return &bpf_timer_set_callback_proto;
1735 case BPF_FUNC_timer_start:
1736 return &bpf_timer_start_proto;
1737 case BPF_FUNC_timer_cancel:
1738 return &bpf_timer_cancel_proto;
1739 case BPF_FUNC_kptr_xchg:
1740 return &bpf_kptr_xchg_proto;
1741 case BPF_FUNC_for_each_map_elem:
1742 return &bpf_for_each_map_elem_proto;
1744 return &bpf_loop_proto;
1745 case BPF_FUNC_user_ringbuf_drain:
1746 return &bpf_user_ringbuf_drain_proto;
1747 case BPF_FUNC_ringbuf_reserve_dynptr:
1748 return &bpf_ringbuf_reserve_dynptr_proto;
1749 case BPF_FUNC_ringbuf_submit_dynptr:
1750 return &bpf_ringbuf_submit_dynptr_proto;
1751 case BPF_FUNC_ringbuf_discard_dynptr:
1752 return &bpf_ringbuf_discard_dynptr_proto;
1753 case BPF_FUNC_dynptr_from_mem:
1754 return &bpf_dynptr_from_mem_proto;
1755 case BPF_FUNC_dynptr_read:
1756 return &bpf_dynptr_read_proto;
1757 case BPF_FUNC_dynptr_write:
1758 return &bpf_dynptr_write_proto;
1759 case BPF_FUNC_dynptr_data:
1760 return &bpf_dynptr_data_proto;
1761 #ifdef CONFIG_CGROUPS
1762 case BPF_FUNC_cgrp_storage_get:
1763 return &bpf_cgrp_storage_get_proto;
1764 case BPF_FUNC_cgrp_storage_delete:
1765 return &bpf_cgrp_storage_delete_proto;
1766 case BPF_FUNC_get_current_cgroup_id:
1767 return &bpf_get_current_cgroup_id_proto;
1768 case BPF_FUNC_get_current_ancestor_cgroup_id:
1769 return &bpf_get_current_ancestor_cgroup_id_proto;
1775 if (!perfmon_capable())
1779 case BPF_FUNC_trace_printk:
1780 return bpf_get_trace_printk_proto();
1781 case BPF_FUNC_get_current_task:
1782 return &bpf_get_current_task_proto;
1783 case BPF_FUNC_get_current_task_btf:
1784 return &bpf_get_current_task_btf_proto;
1785 case BPF_FUNC_probe_read_user:
1786 return &bpf_probe_read_user_proto;
1787 case BPF_FUNC_probe_read_kernel:
1788 return security_locked_down(LOCKDOWN_BPF_READ_KERNEL) < 0 ?
1789 NULL : &bpf_probe_read_kernel_proto;
1790 case BPF_FUNC_probe_read_user_str:
1791 return &bpf_probe_read_user_str_proto;
1792 case BPF_FUNC_probe_read_kernel_str:
1793 return security_locked_down(LOCKDOWN_BPF_READ_KERNEL) < 0 ?
1794 NULL : &bpf_probe_read_kernel_str_proto;
1795 case BPF_FUNC_snprintf_btf:
1796 return &bpf_snprintf_btf_proto;
1797 case BPF_FUNC_snprintf:
1798 return &bpf_snprintf_proto;
1799 case BPF_FUNC_task_pt_regs:
1800 return &bpf_task_pt_regs_proto;
1801 case BPF_FUNC_trace_vprintk:
1802 return bpf_get_trace_vprintk_proto();
1808 void __bpf_obj_drop_impl(void *p, const struct btf_record *rec);
1810 void bpf_list_head_free(const struct btf_field *field, void *list_head,
1811 struct bpf_spin_lock *spin_lock)
1813 struct list_head *head = list_head, *orig_head = list_head;
1815 BUILD_BUG_ON(sizeof(struct list_head) > sizeof(struct bpf_list_head));
1816 BUILD_BUG_ON(__alignof__(struct list_head) > __alignof__(struct bpf_list_head));
1818 /* Do the actual list draining outside the lock to not hold the lock for
1819 * too long, and also prevent deadlocks if tracing programs end up
1820 * executing on entry/exit of functions called inside the critical
1821 * section, and end up doing map ops that call bpf_list_head_free for
1822 * the same map value again.
1824 __bpf_spin_lock_irqsave(spin_lock);
1825 if (!head->next || list_empty(head))
1829 INIT_LIST_HEAD(orig_head);
1830 __bpf_spin_unlock_irqrestore(spin_lock);
1832 while (head != orig_head) {
1835 obj -= field->graph_root.node_offset;
1837 /* The contained type can also have resources, including a
1838 * bpf_list_head which needs to be freed.
1841 __bpf_obj_drop_impl(obj, field->graph_root.value_rec);
1846 /* Like rbtree_postorder_for_each_entry_safe, but 'pos' and 'n' are
1847 * 'rb_node *', so field name of rb_node within containing struct is not
1850 * Since bpf_rb_tree's node type has a corresponding struct btf_field with
1851 * graph_root.node_offset, it's not necessary to know field name
1852 * or type of node struct
1854 #define bpf_rbtree_postorder_for_each_entry_safe(pos, n, root) \
1855 for (pos = rb_first_postorder(root); \
1856 pos && ({ n = rb_next_postorder(pos); 1; }); \
1859 void bpf_rb_root_free(const struct btf_field *field, void *rb_root,
1860 struct bpf_spin_lock *spin_lock)
1862 struct rb_root_cached orig_root, *root = rb_root;
1863 struct rb_node *pos, *n;
1866 BUILD_BUG_ON(sizeof(struct rb_root_cached) > sizeof(struct bpf_rb_root));
1867 BUILD_BUG_ON(__alignof__(struct rb_root_cached) > __alignof__(struct bpf_rb_root));
1869 __bpf_spin_lock_irqsave(spin_lock);
1871 *root = RB_ROOT_CACHED;
1872 __bpf_spin_unlock_irqrestore(spin_lock);
1874 bpf_rbtree_postorder_for_each_entry_safe(pos, n, &orig_root.rb_root) {
1876 obj -= field->graph_root.node_offset;
1880 __bpf_obj_drop_impl(obj, field->graph_root.value_rec);
1886 __diag_ignore_all("-Wmissing-prototypes",
1887 "Global functions as their definitions will be in vmlinux BTF");
1889 __bpf_kfunc void *bpf_obj_new_impl(u64 local_type_id__k, void *meta__ign)
1891 struct btf_struct_meta *meta = meta__ign;
1892 u64 size = local_type_id__k;
1895 p = bpf_mem_alloc(&bpf_global_ma, size);
1899 bpf_obj_init(meta->record, p);
1903 /* Must be called under migrate_disable(), as required by bpf_mem_free */
1904 void __bpf_obj_drop_impl(void *p, const struct btf_record *rec)
1906 if (rec && rec->refcount_off >= 0 &&
1907 !refcount_dec_and_test((refcount_t *)(p + rec->refcount_off))) {
1908 /* Object is refcounted and refcount_dec didn't result in 0
1909 * refcount. Return without freeing the object
1915 bpf_obj_free_fields(rec, p);
1917 if (rec && rec->refcount_off >= 0)
1918 bpf_mem_free_rcu(&bpf_global_ma, p);
1920 bpf_mem_free(&bpf_global_ma, p);
1923 __bpf_kfunc void bpf_obj_drop_impl(void *p__alloc, void *meta__ign)
1925 struct btf_struct_meta *meta = meta__ign;
1928 __bpf_obj_drop_impl(p, meta ? meta->record : NULL);
1931 __bpf_kfunc void *bpf_refcount_acquire_impl(void *p__refcounted_kptr, void *meta__ign)
1933 struct btf_struct_meta *meta = meta__ign;
1934 struct bpf_refcount *ref;
1936 /* Could just cast directly to refcount_t *, but need some code using
1937 * bpf_refcount type so that it is emitted in vmlinux BTF
1939 ref = (struct bpf_refcount *)(p__refcounted_kptr + meta->record->refcount_off);
1940 if (!refcount_inc_not_zero((refcount_t *)ref))
1943 /* Verifier strips KF_RET_NULL if input is owned ref, see is_kfunc_ret_null
1946 return (void *)p__refcounted_kptr;
1949 static int __bpf_list_add(struct bpf_list_node_kern *node,
1950 struct bpf_list_head *head,
1951 bool tail, struct btf_record *rec, u64 off)
1953 struct list_head *n = &node->list_head, *h = (void *)head;
1955 /* If list_head was 0-initialized by map, bpf_obj_init_field wasn't
1956 * called on its fields, so init here
1958 if (unlikely(!h->next))
1961 /* node->owner != NULL implies !list_empty(n), no need to separately
1964 if (cmpxchg(&node->owner, NULL, BPF_PTR_POISON)) {
1965 /* Only called from BPF prog, no need to migrate_disable */
1966 __bpf_obj_drop_impl((void *)n - off, rec);
1970 tail ? list_add_tail(n, h) : list_add(n, h);
1971 WRITE_ONCE(node->owner, head);
1976 __bpf_kfunc int bpf_list_push_front_impl(struct bpf_list_head *head,
1977 struct bpf_list_node *node,
1978 void *meta__ign, u64 off)
1980 struct bpf_list_node_kern *n = (void *)node;
1981 struct btf_struct_meta *meta = meta__ign;
1983 return __bpf_list_add(n, head, false, meta ? meta->record : NULL, off);
1986 __bpf_kfunc int bpf_list_push_back_impl(struct bpf_list_head *head,
1987 struct bpf_list_node *node,
1988 void *meta__ign, u64 off)
1990 struct bpf_list_node_kern *n = (void *)node;
1991 struct btf_struct_meta *meta = meta__ign;
1993 return __bpf_list_add(n, head, true, meta ? meta->record : NULL, off);
1996 static struct bpf_list_node *__bpf_list_del(struct bpf_list_head *head, bool tail)
1998 struct list_head *n, *h = (void *)head;
1999 struct bpf_list_node_kern *node;
2001 /* If list_head was 0-initialized by map, bpf_obj_init_field wasn't
2002 * called on its fields, so init here
2004 if (unlikely(!h->next))
2009 n = tail ? h->prev : h->next;
2010 node = container_of(n, struct bpf_list_node_kern, list_head);
2011 if (WARN_ON_ONCE(READ_ONCE(node->owner) != head))
2015 WRITE_ONCE(node->owner, NULL);
2016 return (struct bpf_list_node *)n;
2019 __bpf_kfunc struct bpf_list_node *bpf_list_pop_front(struct bpf_list_head *head)
2021 return __bpf_list_del(head, false);
2024 __bpf_kfunc struct bpf_list_node *bpf_list_pop_back(struct bpf_list_head *head)
2026 return __bpf_list_del(head, true);
2029 __bpf_kfunc struct bpf_rb_node *bpf_rbtree_remove(struct bpf_rb_root *root,
2030 struct bpf_rb_node *node)
2032 struct bpf_rb_node_kern *node_internal = (struct bpf_rb_node_kern *)node;
2033 struct rb_root_cached *r = (struct rb_root_cached *)root;
2034 struct rb_node *n = &node_internal->rb_node;
2036 /* node_internal->owner != root implies either RB_EMPTY_NODE(n) or
2037 * n is owned by some other tree. No need to check RB_EMPTY_NODE(n)
2039 if (READ_ONCE(node_internal->owner) != root)
2042 rb_erase_cached(n, r);
2044 WRITE_ONCE(node_internal->owner, NULL);
2045 return (struct bpf_rb_node *)n;
2048 /* Need to copy rbtree_add_cached's logic here because our 'less' is a BPF
2051 static int __bpf_rbtree_add(struct bpf_rb_root *root,
2052 struct bpf_rb_node_kern *node,
2053 void *less, struct btf_record *rec, u64 off)
2055 struct rb_node **link = &((struct rb_root_cached *)root)->rb_root.rb_node;
2056 struct rb_node *parent = NULL, *n = &node->rb_node;
2057 bpf_callback_t cb = (bpf_callback_t)less;
2058 bool leftmost = true;
2060 /* node->owner != NULL implies !RB_EMPTY_NODE(n), no need to separately
2063 if (cmpxchg(&node->owner, NULL, BPF_PTR_POISON)) {
2064 /* Only called from BPF prog, no need to migrate_disable */
2065 __bpf_obj_drop_impl((void *)n - off, rec);
2071 if (cb((uintptr_t)node, (uintptr_t)parent, 0, 0, 0)) {
2072 link = &parent->rb_left;
2074 link = &parent->rb_right;
2079 rb_link_node(n, parent, link);
2080 rb_insert_color_cached(n, (struct rb_root_cached *)root, leftmost);
2081 WRITE_ONCE(node->owner, root);
2085 __bpf_kfunc int bpf_rbtree_add_impl(struct bpf_rb_root *root, struct bpf_rb_node *node,
2086 bool (less)(struct bpf_rb_node *a, const struct bpf_rb_node *b),
2087 void *meta__ign, u64 off)
2089 struct btf_struct_meta *meta = meta__ign;
2090 struct bpf_rb_node_kern *n = (void *)node;
2092 return __bpf_rbtree_add(root, n, (void *)less, meta ? meta->record : NULL, off);
2095 __bpf_kfunc struct bpf_rb_node *bpf_rbtree_first(struct bpf_rb_root *root)
2097 struct rb_root_cached *r = (struct rb_root_cached *)root;
2099 return (struct bpf_rb_node *)rb_first_cached(r);
2103 * bpf_task_acquire - Acquire a reference to a task. A task acquired by this
2104 * kfunc which is not stored in a map as a kptr, must be released by calling
2105 * bpf_task_release().
2106 * @p: The task on which a reference is being acquired.
2108 __bpf_kfunc struct task_struct *bpf_task_acquire(struct task_struct *p)
2110 if (refcount_inc_not_zero(&p->rcu_users))
2116 * bpf_task_release - Release the reference acquired on a task.
2117 * @p: The task on which a reference is being released.
2119 __bpf_kfunc void bpf_task_release(struct task_struct *p)
2121 put_task_struct_rcu_user(p);
2124 #ifdef CONFIG_CGROUPS
2126 * bpf_cgroup_acquire - Acquire a reference to a cgroup. A cgroup acquired by
2127 * this kfunc which is not stored in a map as a kptr, must be released by
2128 * calling bpf_cgroup_release().
2129 * @cgrp: The cgroup on which a reference is being acquired.
2131 __bpf_kfunc struct cgroup *bpf_cgroup_acquire(struct cgroup *cgrp)
2133 return cgroup_tryget(cgrp) ? cgrp : NULL;
2137 * bpf_cgroup_release - Release the reference acquired on a cgroup.
2138 * If this kfunc is invoked in an RCU read region, the cgroup is guaranteed to
2139 * not be freed until the current grace period has ended, even if its refcount
2141 * @cgrp: The cgroup on which a reference is being released.
2143 __bpf_kfunc void bpf_cgroup_release(struct cgroup *cgrp)
2149 * bpf_cgroup_ancestor - Perform a lookup on an entry in a cgroup's ancestor
2150 * array. A cgroup returned by this kfunc which is not subsequently stored in a
2151 * map, must be released by calling bpf_cgroup_release().
2152 * @cgrp: The cgroup for which we're performing a lookup.
2153 * @level: The level of ancestor to look up.
2155 __bpf_kfunc struct cgroup *bpf_cgroup_ancestor(struct cgroup *cgrp, int level)
2157 struct cgroup *ancestor;
2159 if (level > cgrp->level || level < 0)
2162 /* cgrp's refcnt could be 0 here, but ancestors can still be accessed */
2163 ancestor = cgrp->ancestors[level];
2164 if (!cgroup_tryget(ancestor))
2170 * bpf_cgroup_from_id - Find a cgroup from its ID. A cgroup returned by this
2171 * kfunc which is not subsequently stored in a map, must be released by calling
2172 * bpf_cgroup_release().
2175 __bpf_kfunc struct cgroup *bpf_cgroup_from_id(u64 cgid)
2177 struct cgroup *cgrp;
2179 cgrp = cgroup_get_from_id(cgid);
2186 * bpf_task_under_cgroup - wrap task_under_cgroup_hierarchy() as a kfunc, test
2187 * task's membership of cgroup ancestry.
2188 * @task: the task to be tested
2189 * @ancestor: possible ancestor of @task's cgroup
2191 * Tests whether @task's default cgroup hierarchy is a descendant of @ancestor.
2192 * It follows all the same rules as cgroup_is_descendant, and only applies
2193 * to the default hierarchy.
2195 __bpf_kfunc long bpf_task_under_cgroup(struct task_struct *task,
2196 struct cgroup *ancestor)
2198 return task_under_cgroup_hierarchy(task, ancestor);
2200 #endif /* CONFIG_CGROUPS */
2203 * bpf_task_from_pid - Find a struct task_struct from its pid by looking it up
2204 * in the root pid namespace idr. If a task is returned, it must either be
2205 * stored in a map, or released with bpf_task_release().
2206 * @pid: The pid of the task being looked up.
2208 __bpf_kfunc struct task_struct *bpf_task_from_pid(s32 pid)
2210 struct task_struct *p;
2213 p = find_task_by_pid_ns(pid, &init_pid_ns);
2215 p = bpf_task_acquire(p);
2222 * bpf_dynptr_slice() - Obtain a read-only pointer to the dynptr data.
2223 * @ptr: The dynptr whose data slice to retrieve
2224 * @offset: Offset into the dynptr
2225 * @buffer__opt: User-provided buffer to copy contents into. May be NULL
2226 * @buffer__szk: Size (in bytes) of the buffer if present. This is the
2227 * length of the requested slice. This must be a constant.
2229 * For non-skb and non-xdp type dynptrs, there is no difference between
2230 * bpf_dynptr_slice and bpf_dynptr_data.
2232 * If buffer__opt is NULL, the call will fail if buffer_opt was needed.
2234 * If the intention is to write to the data slice, please use
2235 * bpf_dynptr_slice_rdwr.
2237 * The user must check that the returned pointer is not null before using it.
2239 * Please note that in the case of skb and xdp dynptrs, bpf_dynptr_slice
2240 * does not change the underlying packet data pointers, so a call to
2241 * bpf_dynptr_slice will not invalidate any ctx->data/data_end pointers in
2244 * Return: NULL if the call failed (eg invalid dynptr), pointer to a read-only
2245 * data slice (can be either direct pointer to the data or a pointer to the user
2246 * provided buffer, with its contents containing the data, if unable to obtain
2249 __bpf_kfunc void *bpf_dynptr_slice(const struct bpf_dynptr_kern *ptr, u32 offset,
2250 void *buffer__opt, u32 buffer__szk)
2252 enum bpf_dynptr_type type;
2253 u32 len = buffer__szk;
2259 err = bpf_dynptr_check_off_len(ptr, offset, len);
2263 type = bpf_dynptr_get_type(ptr);
2266 case BPF_DYNPTR_TYPE_LOCAL:
2267 case BPF_DYNPTR_TYPE_RINGBUF:
2268 return ptr->data + ptr->offset + offset;
2269 case BPF_DYNPTR_TYPE_SKB:
2271 return skb_header_pointer(ptr->data, ptr->offset + offset, len, buffer__opt);
2273 return skb_pointer_if_linear(ptr->data, ptr->offset + offset, len);
2274 case BPF_DYNPTR_TYPE_XDP:
2276 void *xdp_ptr = bpf_xdp_pointer(ptr->data, ptr->offset + offset, len);
2277 if (!IS_ERR_OR_NULL(xdp_ptr))
2282 bpf_xdp_copy_buf(ptr->data, ptr->offset + offset, buffer__opt, len, false);
2286 WARN_ONCE(true, "unknown dynptr type %d\n", type);
2292 * bpf_dynptr_slice_rdwr() - Obtain a writable pointer to the dynptr data.
2293 * @ptr: The dynptr whose data slice to retrieve
2294 * @offset: Offset into the dynptr
2295 * @buffer__opt: User-provided buffer to copy contents into. May be NULL
2296 * @buffer__szk: Size (in bytes) of the buffer if present. This is the
2297 * length of the requested slice. This must be a constant.
2299 * For non-skb and non-xdp type dynptrs, there is no difference between
2300 * bpf_dynptr_slice and bpf_dynptr_data.
2302 * If buffer__opt is NULL, the call will fail if buffer_opt was needed.
2304 * The returned pointer is writable and may point to either directly the dynptr
2305 * data at the requested offset or to the buffer if unable to obtain a direct
2306 * data pointer to (example: the requested slice is to the paged area of an skb
2307 * packet). In the case where the returned pointer is to the buffer, the user
2308 * is responsible for persisting writes through calling bpf_dynptr_write(). This
2309 * usually looks something like this pattern:
2311 * struct eth_hdr *eth = bpf_dynptr_slice_rdwr(&dynptr, 0, buffer, sizeof(buffer));
2313 * return TC_ACT_SHOT;
2315 * // mutate eth header //
2317 * if (eth == buffer)
2318 * bpf_dynptr_write(&ptr, 0, buffer, sizeof(buffer), 0);
2320 * Please note that, as in the example above, the user must check that the
2321 * returned pointer is not null before using it.
2323 * Please also note that in the case of skb and xdp dynptrs, bpf_dynptr_slice_rdwr
2324 * does not change the underlying packet data pointers, so a call to
2325 * bpf_dynptr_slice_rdwr will not invalidate any ctx->data/data_end pointers in
2328 * Return: NULL if the call failed (eg invalid dynptr), pointer to a
2329 * data slice (can be either direct pointer to the data or a pointer to the user
2330 * provided buffer, with its contents containing the data, if unable to obtain
2333 __bpf_kfunc void *bpf_dynptr_slice_rdwr(const struct bpf_dynptr_kern *ptr, u32 offset,
2334 void *buffer__opt, u32 buffer__szk)
2336 if (!ptr->data || __bpf_dynptr_is_rdonly(ptr))
2339 /* bpf_dynptr_slice_rdwr is the same logic as bpf_dynptr_slice.
2341 * For skb-type dynptrs, it is safe to write into the returned pointer
2342 * if the bpf program allows skb data writes. There are two possiblities
2343 * that may occur when calling bpf_dynptr_slice_rdwr:
2345 * 1) The requested slice is in the head of the skb. In this case, the
2346 * returned pointer is directly to skb data, and if the skb is cloned, the
2347 * verifier will have uncloned it (see bpf_unclone_prologue()) already.
2348 * The pointer can be directly written into.
2350 * 2) Some portion of the requested slice is in the paged buffer area.
2351 * In this case, the requested data will be copied out into the buffer
2352 * and the returned pointer will be a pointer to the buffer. The skb
2353 * will not be pulled. To persist the write, the user will need to call
2354 * bpf_dynptr_write(), which will pull the skb and commit the write.
2356 * Similarly for xdp programs, if the requested slice is not across xdp
2357 * fragments, then a direct pointer will be returned, otherwise the data
2358 * will be copied out into the buffer and the user will need to call
2359 * bpf_dynptr_write() to commit changes.
2361 return bpf_dynptr_slice(ptr, offset, buffer__opt, buffer__szk);
2364 __bpf_kfunc int bpf_dynptr_adjust(struct bpf_dynptr_kern *ptr, u32 start, u32 end)
2368 if (!ptr->data || start > end)
2371 size = __bpf_dynptr_size(ptr);
2373 if (start > size || end > size)
2376 ptr->offset += start;
2377 bpf_dynptr_set_size(ptr, end - start);
2382 __bpf_kfunc bool bpf_dynptr_is_null(struct bpf_dynptr_kern *ptr)
2387 __bpf_kfunc bool bpf_dynptr_is_rdonly(struct bpf_dynptr_kern *ptr)
2392 return __bpf_dynptr_is_rdonly(ptr);
2395 __bpf_kfunc __u32 bpf_dynptr_size(const struct bpf_dynptr_kern *ptr)
2400 return __bpf_dynptr_size(ptr);
2403 __bpf_kfunc int bpf_dynptr_clone(struct bpf_dynptr_kern *ptr,
2404 struct bpf_dynptr_kern *clone__uninit)
2407 bpf_dynptr_set_null(clone__uninit);
2411 *clone__uninit = *ptr;
2416 __bpf_kfunc void *bpf_cast_to_kern_ctx(void *obj)
2421 __bpf_kfunc void *bpf_rdonly_cast(void *obj__ign, u32 btf_id__k)
2426 __bpf_kfunc void bpf_rcu_read_lock(void)
2431 __bpf_kfunc void bpf_rcu_read_unlock(void)
2438 BTF_SET8_START(generic_btf_ids)
2439 #ifdef CONFIG_KEXEC_CORE
2440 BTF_ID_FLAGS(func, crash_kexec, KF_DESTRUCTIVE)
2442 BTF_ID_FLAGS(func, bpf_obj_new_impl, KF_ACQUIRE | KF_RET_NULL)
2443 BTF_ID_FLAGS(func, bpf_obj_drop_impl, KF_RELEASE)
2444 BTF_ID_FLAGS(func, bpf_refcount_acquire_impl, KF_ACQUIRE | KF_RET_NULL)
2445 BTF_ID_FLAGS(func, bpf_list_push_front_impl)
2446 BTF_ID_FLAGS(func, bpf_list_push_back_impl)
2447 BTF_ID_FLAGS(func, bpf_list_pop_front, KF_ACQUIRE | KF_RET_NULL)
2448 BTF_ID_FLAGS(func, bpf_list_pop_back, KF_ACQUIRE | KF_RET_NULL)
2449 BTF_ID_FLAGS(func, bpf_task_acquire, KF_ACQUIRE | KF_RCU | KF_RET_NULL)
2450 BTF_ID_FLAGS(func, bpf_task_release, KF_RELEASE)
2451 BTF_ID_FLAGS(func, bpf_rbtree_remove, KF_ACQUIRE | KF_RET_NULL)
2452 BTF_ID_FLAGS(func, bpf_rbtree_add_impl)
2453 BTF_ID_FLAGS(func, bpf_rbtree_first, KF_RET_NULL)
2455 #ifdef CONFIG_CGROUPS
2456 BTF_ID_FLAGS(func, bpf_cgroup_acquire, KF_ACQUIRE | KF_RCU | KF_RET_NULL)
2457 BTF_ID_FLAGS(func, bpf_cgroup_release, KF_RELEASE)
2458 BTF_ID_FLAGS(func, bpf_cgroup_ancestor, KF_ACQUIRE | KF_RCU | KF_RET_NULL)
2459 BTF_ID_FLAGS(func, bpf_cgroup_from_id, KF_ACQUIRE | KF_RET_NULL)
2460 BTF_ID_FLAGS(func, bpf_task_under_cgroup, KF_RCU)
2462 BTF_ID_FLAGS(func, bpf_task_from_pid, KF_ACQUIRE | KF_RET_NULL)
2463 BTF_SET8_END(generic_btf_ids)
2465 static const struct btf_kfunc_id_set generic_kfunc_set = {
2466 .owner = THIS_MODULE,
2467 .set = &generic_btf_ids,
2471 BTF_ID_LIST(generic_dtor_ids)
2472 BTF_ID(struct, task_struct)
2473 BTF_ID(func, bpf_task_release)
2474 #ifdef CONFIG_CGROUPS
2475 BTF_ID(struct, cgroup)
2476 BTF_ID(func, bpf_cgroup_release)
2479 BTF_SET8_START(common_btf_ids)
2480 BTF_ID_FLAGS(func, bpf_cast_to_kern_ctx)
2481 BTF_ID_FLAGS(func, bpf_rdonly_cast)
2482 BTF_ID_FLAGS(func, bpf_rcu_read_lock)
2483 BTF_ID_FLAGS(func, bpf_rcu_read_unlock)
2484 BTF_ID_FLAGS(func, bpf_dynptr_slice, KF_RET_NULL)
2485 BTF_ID_FLAGS(func, bpf_dynptr_slice_rdwr, KF_RET_NULL)
2486 BTF_ID_FLAGS(func, bpf_iter_num_new, KF_ITER_NEW)
2487 BTF_ID_FLAGS(func, bpf_iter_num_next, KF_ITER_NEXT | KF_RET_NULL)
2488 BTF_ID_FLAGS(func, bpf_iter_num_destroy, KF_ITER_DESTROY)
2489 BTF_ID_FLAGS(func, bpf_dynptr_adjust)
2490 BTF_ID_FLAGS(func, bpf_dynptr_is_null)
2491 BTF_ID_FLAGS(func, bpf_dynptr_is_rdonly)
2492 BTF_ID_FLAGS(func, bpf_dynptr_size)
2493 BTF_ID_FLAGS(func, bpf_dynptr_clone)
2494 BTF_SET8_END(common_btf_ids)
2496 static const struct btf_kfunc_id_set common_kfunc_set = {
2497 .owner = THIS_MODULE,
2498 .set = &common_btf_ids,
2501 static int __init kfunc_init(void)
2504 const struct btf_id_dtor_kfunc generic_dtors[] = {
2506 .btf_id = generic_dtor_ids[0],
2507 .kfunc_btf_id = generic_dtor_ids[1]
2509 #ifdef CONFIG_CGROUPS
2511 .btf_id = generic_dtor_ids[2],
2512 .kfunc_btf_id = generic_dtor_ids[3]
2517 ret = register_btf_kfunc_id_set(BPF_PROG_TYPE_TRACING, &generic_kfunc_set);
2518 ret = ret ?: register_btf_kfunc_id_set(BPF_PROG_TYPE_SCHED_CLS, &generic_kfunc_set);
2519 ret = ret ?: register_btf_kfunc_id_set(BPF_PROG_TYPE_STRUCT_OPS, &generic_kfunc_set);
2520 ret = ret ?: register_btf_id_dtor_kfuncs(generic_dtors,
2521 ARRAY_SIZE(generic_dtors),
2523 return ret ?: register_btf_kfunc_id_set(BPF_PROG_TYPE_UNSPEC, &common_kfunc_set);
2526 late_initcall(kfunc_init);
projects / platform / kernel / linux-rpi.git / blob