memcg: Fix possible use-after-free in memcg_write_event_control()
[platform/kernel/linux-starfive.git] / kernel / bpf / map_in_map.c
1 // SPDX-License-Identifier: GPL-2.0-only
2 /* Copyright (c) 2017 Facebook
3  */
4 #include <linux/slab.h>
5 #include <linux/bpf.h>
6 #include <linux/btf.h>
7
8 #include "map_in_map.h"
9
10 struct bpf_map *bpf_map_meta_alloc(int inner_map_ufd)
11 {
12         struct bpf_map *inner_map, *inner_map_meta;
13         u32 inner_map_meta_size;
14         struct fd f;
15
16         f = fdget(inner_map_ufd);
17         inner_map = __bpf_map_get(f);
18         if (IS_ERR(inner_map))
19                 return inner_map;
20
21         /* Does not support >1 level map-in-map */
22         if (inner_map->inner_map_meta) {
23                 fdput(f);
24                 return ERR_PTR(-EINVAL);
25         }
26
27         if (!inner_map->ops->map_meta_equal) {
28                 fdput(f);
29                 return ERR_PTR(-ENOTSUPP);
30         }
31
32         if (map_value_has_spin_lock(inner_map)) {
33                 fdput(f);
34                 return ERR_PTR(-ENOTSUPP);
35         }
36
37         inner_map_meta_size = sizeof(*inner_map_meta);
38         /* In some cases verifier needs to access beyond just base map. */
39         if (inner_map->ops == &array_map_ops)
40                 inner_map_meta_size = sizeof(struct bpf_array);
41
42         inner_map_meta = kzalloc(inner_map_meta_size, GFP_USER);
43         if (!inner_map_meta) {
44                 fdput(f);
45                 return ERR_PTR(-ENOMEM);
46         }
47
48         inner_map_meta->map_type = inner_map->map_type;
49         inner_map_meta->key_size = inner_map->key_size;
50         inner_map_meta->value_size = inner_map->value_size;
51         inner_map_meta->map_flags = inner_map->map_flags;
52         inner_map_meta->max_entries = inner_map->max_entries;
53         inner_map_meta->spin_lock_off = inner_map->spin_lock_off;
54         inner_map_meta->timer_off = inner_map->timer_off;
55         inner_map_meta->kptr_off_tab = bpf_map_copy_kptr_off_tab(inner_map);
56         if (inner_map->btf) {
57                 btf_get(inner_map->btf);
58                 inner_map_meta->btf = inner_map->btf;
59         }
60
61         /* Misc members not needed in bpf_map_meta_equal() check. */
62         inner_map_meta->ops = inner_map->ops;
63         if (inner_map->ops == &array_map_ops) {
64                 inner_map_meta->bypass_spec_v1 = inner_map->bypass_spec_v1;
65                 container_of(inner_map_meta, struct bpf_array, map)->index_mask =
66                      container_of(inner_map, struct bpf_array, map)->index_mask;
67         }
68
69         fdput(f);
70         return inner_map_meta;
71 }
72
73 void bpf_map_meta_free(struct bpf_map *map_meta)
74 {
75         bpf_map_free_kptr_off_tab(map_meta);
76         btf_put(map_meta->btf);
77         kfree(map_meta);
78 }
79
80 bool bpf_map_meta_equal(const struct bpf_map *meta0,
81                         const struct bpf_map *meta1)
82 {
83         /* No need to compare ops because it is covered by map_type */
84         return meta0->map_type == meta1->map_type &&
85                 meta0->key_size == meta1->key_size &&
86                 meta0->value_size == meta1->value_size &&
87                 meta0->timer_off == meta1->timer_off &&
88                 meta0->map_flags == meta1->map_flags &&
89                 bpf_map_equal_kptr_off_tab(meta0, meta1);
90 }
91
92 void *bpf_map_fd_get_ptr(struct bpf_map *map,
93                          struct file *map_file /* not used */,
94                          int ufd)
95 {
96         struct bpf_map *inner_map, *inner_map_meta;
97         struct fd f;
98
99         f = fdget(ufd);
100         inner_map = __bpf_map_get(f);
101         if (IS_ERR(inner_map))
102                 return inner_map;
103
104         inner_map_meta = map->inner_map_meta;
105         if (inner_map_meta->ops->map_meta_equal(inner_map_meta, inner_map))
106                 bpf_map_inc(inner_map);
107         else
108                 inner_map = ERR_PTR(-EINVAL);
109
110         fdput(f);
111         return inner_map;
112 }
113
114 void bpf_map_fd_put_ptr(void *ptr)
115 {
116         /* ptr->ops->map_free() has to go through one
117          * rcu grace period by itself.
118          */
119         bpf_map_put(ptr);
120 }
121
122 u32 bpf_map_fd_sys_lookup_elem(void *ptr)
123 {
124         return ((struct bpf_map *)ptr)->id;
125 }