1 // SPDX-License-Identifier: GPL-2.0-only
2 /* Copyright (c) 2011-2014 PLUMgrid, http://plumgrid.com
5 #include <linux/bpf-cgroup.h>
6 #include <linux/bpf_trace.h>
7 #include <linux/bpf_lirc.h>
8 #include <linux/bpf_verifier.h>
9 #include <linux/bsearch.h>
10 #include <linux/btf.h>
11 #include <linux/syscalls.h>
12 #include <linux/slab.h>
13 #include <linux/sched/signal.h>
14 #include <linux/vmalloc.h>
15 #include <linux/mmzone.h>
16 #include <linux/anon_inodes.h>
17 #include <linux/fdtable.h>
18 #include <linux/file.h>
20 #include <linux/license.h>
21 #include <linux/filter.h>
22 #include <linux/kernel.h>
23 #include <linux/idr.h>
24 #include <linux/cred.h>
25 #include <linux/timekeeping.h>
26 #include <linux/ctype.h>
27 #include <linux/nospec.h>
28 #include <linux/audit.h>
29 #include <uapi/linux/btf.h>
30 #include <linux/pgtable.h>
31 #include <linux/bpf_lsm.h>
32 #include <linux/poll.h>
33 #include <linux/sort.h>
34 #include <linux/bpf-netns.h>
35 #include <linux/rcupdate_trace.h>
36 #include <linux/memcontrol.h>
37 #include <linux/trace_events.h>
39 #define IS_FD_ARRAY(map) ((map)->map_type == BPF_MAP_TYPE_PERF_EVENT_ARRAY || \
40 (map)->map_type == BPF_MAP_TYPE_CGROUP_ARRAY || \
41 (map)->map_type == BPF_MAP_TYPE_ARRAY_OF_MAPS)
42 #define IS_FD_PROG_ARRAY(map) ((map)->map_type == BPF_MAP_TYPE_PROG_ARRAY)
43 #define IS_FD_HASH(map) ((map)->map_type == BPF_MAP_TYPE_HASH_OF_MAPS)
44 #define IS_FD_MAP(map) (IS_FD_ARRAY(map) || IS_FD_PROG_ARRAY(map) || \
47 #define BPF_OBJ_FLAG_MASK (BPF_F_RDONLY | BPF_F_WRONLY)
49 DEFINE_PER_CPU(int, bpf_prog_active);
50 static DEFINE_IDR(prog_idr);
51 static DEFINE_SPINLOCK(prog_idr_lock);
52 static DEFINE_IDR(map_idr);
53 static DEFINE_SPINLOCK(map_idr_lock);
54 static DEFINE_IDR(link_idr);
55 static DEFINE_SPINLOCK(link_idr_lock);
57 int sysctl_unprivileged_bpf_disabled __read_mostly =
58 IS_BUILTIN(CONFIG_BPF_UNPRIV_DEFAULT_OFF) ? 2 : 0;
60 static const struct bpf_map_ops * const bpf_map_types[] = {
61 #define BPF_PROG_TYPE(_id, _name, prog_ctx_type, kern_ctx_type)
62 #define BPF_MAP_TYPE(_id, _ops) \
64 #define BPF_LINK_TYPE(_id, _name)
65 #include <linux/bpf_types.h>
72 * If we're handed a bigger struct than we know of, ensure all the unknown bits
73 * are 0 - i.e. new user-space does not rely on any kernel feature extensions
74 * we don't know about yet.
76 * There is a ToCToU between this function call and the following
77 * copy_from_user() call. However, this is not a concern since this function is
78 * meant to be a future-proofing of bits.
80 int bpf_check_uarg_tail_zero(bpfptr_t uaddr,
86 if (unlikely(actual_size > PAGE_SIZE)) /* silly large */
89 if (actual_size <= expected_size)
93 res = memchr_inv(uaddr.kernel + expected_size, 0,
94 actual_size - expected_size) == NULL;
96 res = check_zeroed_user(uaddr.user + expected_size,
97 actual_size - expected_size);
100 return res ? 0 : -E2BIG;
103 const struct bpf_map_ops bpf_map_offload_ops = {
104 .map_meta_equal = bpf_map_meta_equal,
105 .map_alloc = bpf_map_offload_map_alloc,
106 .map_free = bpf_map_offload_map_free,
107 .map_check_btf = map_check_no_btf,
110 static struct bpf_map *find_and_alloc_map(union bpf_attr *attr)
112 const struct bpf_map_ops *ops;
113 u32 type = attr->map_type;
117 if (type >= ARRAY_SIZE(bpf_map_types))
118 return ERR_PTR(-EINVAL);
119 type = array_index_nospec(type, ARRAY_SIZE(bpf_map_types));
120 ops = bpf_map_types[type];
122 return ERR_PTR(-EINVAL);
124 if (ops->map_alloc_check) {
125 err = ops->map_alloc_check(attr);
129 if (attr->map_ifindex)
130 ops = &bpf_map_offload_ops;
131 map = ops->map_alloc(attr);
135 map->map_type = type;
139 static void bpf_map_write_active_inc(struct bpf_map *map)
141 atomic64_inc(&map->writecnt);
144 static void bpf_map_write_active_dec(struct bpf_map *map)
146 atomic64_dec(&map->writecnt);
149 bool bpf_map_write_active(const struct bpf_map *map)
151 return atomic64_read(&map->writecnt) != 0;
154 static u32 bpf_map_value_size(const struct bpf_map *map)
156 if (map->map_type == BPF_MAP_TYPE_PERCPU_HASH ||
157 map->map_type == BPF_MAP_TYPE_LRU_PERCPU_HASH ||
158 map->map_type == BPF_MAP_TYPE_PERCPU_ARRAY ||
159 map->map_type == BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE)
160 return round_up(map->value_size, 8) * num_possible_cpus();
161 else if (IS_FD_MAP(map))
164 return map->value_size;
167 static void maybe_wait_bpf_programs(struct bpf_map *map)
169 /* Wait for any running BPF programs to complete so that
170 * userspace, when we return to it, knows that all programs
171 * that could be running use the new map value.
173 if (map->map_type == BPF_MAP_TYPE_HASH_OF_MAPS ||
174 map->map_type == BPF_MAP_TYPE_ARRAY_OF_MAPS)
178 static int bpf_map_update_value(struct bpf_map *map, struct file *map_file,
179 void *key, void *value, __u64 flags)
183 /* Need to create a kthread, thus must support schedule */
184 if (bpf_map_is_dev_bound(map)) {
185 return bpf_map_offload_update_elem(map, key, value, flags);
186 } else if (map->map_type == BPF_MAP_TYPE_CPUMAP ||
187 map->map_type == BPF_MAP_TYPE_STRUCT_OPS) {
188 return map->ops->map_update_elem(map, key, value, flags);
189 } else if (map->map_type == BPF_MAP_TYPE_SOCKHASH ||
190 map->map_type == BPF_MAP_TYPE_SOCKMAP) {
191 return sock_map_update_elem_sys(map, key, value, flags);
192 } else if (IS_FD_PROG_ARRAY(map)) {
193 return bpf_fd_array_map_update_elem(map, map_file, key, value,
197 bpf_disable_instrumentation();
198 if (map->map_type == BPF_MAP_TYPE_PERCPU_HASH ||
199 map->map_type == BPF_MAP_TYPE_LRU_PERCPU_HASH) {
200 err = bpf_percpu_hash_update(map, key, value, flags);
201 } else if (map->map_type == BPF_MAP_TYPE_PERCPU_ARRAY) {
202 err = bpf_percpu_array_update(map, key, value, flags);
203 } else if (map->map_type == BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE) {
204 err = bpf_percpu_cgroup_storage_update(map, key, value,
206 } else if (IS_FD_ARRAY(map)) {
208 err = bpf_fd_array_map_update_elem(map, map_file, key, value,
211 } else if (map->map_type == BPF_MAP_TYPE_HASH_OF_MAPS) {
213 err = bpf_fd_htab_map_update_elem(map, map_file, key, value,
216 } else if (map->map_type == BPF_MAP_TYPE_REUSEPORT_SOCKARRAY) {
217 /* rcu_read_lock() is not needed */
218 err = bpf_fd_reuseport_array_update_elem(map, key, value,
220 } else if (map->map_type == BPF_MAP_TYPE_QUEUE ||
221 map->map_type == BPF_MAP_TYPE_STACK ||
222 map->map_type == BPF_MAP_TYPE_BLOOM_FILTER) {
223 err = map->ops->map_push_elem(map, value, flags);
226 err = map->ops->map_update_elem(map, key, value, flags);
229 bpf_enable_instrumentation();
230 maybe_wait_bpf_programs(map);
235 static int bpf_map_copy_value(struct bpf_map *map, void *key, void *value,
241 if (bpf_map_is_dev_bound(map))
242 return bpf_map_offload_lookup_elem(map, key, value);
244 bpf_disable_instrumentation();
245 if (map->map_type == BPF_MAP_TYPE_PERCPU_HASH ||
246 map->map_type == BPF_MAP_TYPE_LRU_PERCPU_HASH) {
247 err = bpf_percpu_hash_copy(map, key, value);
248 } else if (map->map_type == BPF_MAP_TYPE_PERCPU_ARRAY) {
249 err = bpf_percpu_array_copy(map, key, value);
250 } else if (map->map_type == BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE) {
251 err = bpf_percpu_cgroup_storage_copy(map, key, value);
252 } else if (map->map_type == BPF_MAP_TYPE_STACK_TRACE) {
253 err = bpf_stackmap_copy(map, key, value);
254 } else if (IS_FD_ARRAY(map) || IS_FD_PROG_ARRAY(map)) {
255 err = bpf_fd_array_map_lookup_elem(map, key, value);
256 } else if (IS_FD_HASH(map)) {
257 err = bpf_fd_htab_map_lookup_elem(map, key, value);
258 } else if (map->map_type == BPF_MAP_TYPE_REUSEPORT_SOCKARRAY) {
259 err = bpf_fd_reuseport_array_lookup_elem(map, key, value);
260 } else if (map->map_type == BPF_MAP_TYPE_QUEUE ||
261 map->map_type == BPF_MAP_TYPE_STACK ||
262 map->map_type == BPF_MAP_TYPE_BLOOM_FILTER) {
263 err = map->ops->map_peek_elem(map, value);
264 } else if (map->map_type == BPF_MAP_TYPE_STRUCT_OPS) {
265 /* struct_ops map requires directly updating "value" */
266 err = bpf_struct_ops_map_sys_lookup_elem(map, key, value);
269 if (map->ops->map_lookup_elem_sys_only)
270 ptr = map->ops->map_lookup_elem_sys_only(map, key);
272 ptr = map->ops->map_lookup_elem(map, key);
279 if (flags & BPF_F_LOCK)
280 /* lock 'ptr' and copy everything but lock */
281 copy_map_value_locked(map, value, ptr, true);
283 copy_map_value(map, value, ptr);
284 /* mask lock and timer, since value wasn't zero inited */
285 check_and_init_map_value(map, value);
290 bpf_enable_instrumentation();
291 maybe_wait_bpf_programs(map);
296 /* Please, do not use this function outside from the map creation path
297 * (e.g. in map update path) without taking care of setting the active
298 * memory cgroup (see at bpf_map_kmalloc_node() for example).
300 static void *__bpf_map_area_alloc(u64 size, int numa_node, bool mmapable)
302 /* We really just want to fail instead of triggering OOM killer
303 * under memory pressure, therefore we set __GFP_NORETRY to kmalloc,
304 * which is used for lower order allocation requests.
306 * It has been observed that higher order allocation requests done by
307 * vmalloc with __GFP_NORETRY being set might fail due to not trying
308 * to reclaim memory from the page cache, thus we set
309 * __GFP_RETRY_MAYFAIL to avoid such situations.
312 const gfp_t gfp = __GFP_NOWARN | __GFP_ZERO | __GFP_ACCOUNT;
313 unsigned int flags = 0;
314 unsigned long align = 1;
317 if (size >= SIZE_MAX)
320 /* kmalloc()'ed memory can't be mmap()'ed */
322 BUG_ON(!PAGE_ALIGNED(size));
325 } else if (size <= (PAGE_SIZE << PAGE_ALLOC_COSTLY_ORDER)) {
326 area = kmalloc_node(size, gfp | GFP_USER | __GFP_NORETRY,
332 return __vmalloc_node_range(size, align, VMALLOC_START, VMALLOC_END,
333 gfp | GFP_KERNEL | __GFP_RETRY_MAYFAIL, PAGE_KERNEL,
334 flags, numa_node, __builtin_return_address(0));
337 void *bpf_map_area_alloc(u64 size, int numa_node)
339 return __bpf_map_area_alloc(size, numa_node, false);
342 void *bpf_map_area_mmapable_alloc(u64 size, int numa_node)
344 return __bpf_map_area_alloc(size, numa_node, true);
347 void bpf_map_area_free(void *area)
352 static u32 bpf_map_flags_retain_permanent(u32 flags)
354 /* Some map creation flags are not tied to the map object but
355 * rather to the map fd instead, so they have no meaning upon
356 * map object inspection since multiple file descriptors with
357 * different (access) properties can exist here. Thus, given
358 * this has zero meaning for the map itself, lets clear these
361 return flags & ~(BPF_F_RDONLY | BPF_F_WRONLY);
364 void bpf_map_init_from_attr(struct bpf_map *map, union bpf_attr *attr)
366 map->map_type = attr->map_type;
367 map->key_size = attr->key_size;
368 map->value_size = attr->value_size;
369 map->max_entries = attr->max_entries;
370 map->map_flags = bpf_map_flags_retain_permanent(attr->map_flags);
371 map->numa_node = bpf_map_attr_numa_node(attr);
372 map->map_extra = attr->map_extra;
375 static int bpf_map_alloc_id(struct bpf_map *map)
379 idr_preload(GFP_KERNEL);
380 spin_lock_bh(&map_idr_lock);
381 id = idr_alloc_cyclic(&map_idr, map, 1, INT_MAX, GFP_ATOMIC);
384 spin_unlock_bh(&map_idr_lock);
387 if (WARN_ON_ONCE(!id))
390 return id > 0 ? 0 : id;
393 void bpf_map_free_id(struct bpf_map *map, bool do_idr_lock)
397 /* Offloaded maps are removed from the IDR store when their device
398 * disappears - even if someone holds an fd to them they are unusable,
399 * the memory is gone, all ops will fail; they are simply waiting for
400 * refcnt to drop to be freed.
406 spin_lock_irqsave(&map_idr_lock, flags);
408 __acquire(&map_idr_lock);
410 idr_remove(&map_idr, map->id);
414 spin_unlock_irqrestore(&map_idr_lock, flags);
416 __release(&map_idr_lock);
419 #ifdef CONFIG_MEMCG_KMEM
420 static void bpf_map_save_memcg(struct bpf_map *map)
422 /* Currently if a map is created by a process belonging to the root
423 * memory cgroup, get_obj_cgroup_from_current() will return NULL.
424 * So we have to check map->objcg for being NULL each time it's
427 map->objcg = get_obj_cgroup_from_current();
430 static void bpf_map_release_memcg(struct bpf_map *map)
433 obj_cgroup_put(map->objcg);
436 static struct mem_cgroup *bpf_map_get_memcg(const struct bpf_map *map)
439 return get_mem_cgroup_from_objcg(map->objcg);
441 return root_mem_cgroup;
444 void *bpf_map_kmalloc_node(const struct bpf_map *map, size_t size, gfp_t flags,
447 struct mem_cgroup *memcg, *old_memcg;
450 memcg = bpf_map_get_memcg(map);
451 old_memcg = set_active_memcg(memcg);
452 ptr = kmalloc_node(size, flags | __GFP_ACCOUNT, node);
453 set_active_memcg(old_memcg);
454 mem_cgroup_put(memcg);
459 void *bpf_map_kzalloc(const struct bpf_map *map, size_t size, gfp_t flags)
461 struct mem_cgroup *memcg, *old_memcg;
464 memcg = bpf_map_get_memcg(map);
465 old_memcg = set_active_memcg(memcg);
466 ptr = kzalloc(size, flags | __GFP_ACCOUNT);
467 set_active_memcg(old_memcg);
468 mem_cgroup_put(memcg);
473 void __percpu *bpf_map_alloc_percpu(const struct bpf_map *map, size_t size,
474 size_t align, gfp_t flags)
476 struct mem_cgroup *memcg, *old_memcg;
479 memcg = bpf_map_get_memcg(map);
480 old_memcg = set_active_memcg(memcg);
481 ptr = __alloc_percpu_gfp(size, align, flags | __GFP_ACCOUNT);
482 set_active_memcg(old_memcg);
483 mem_cgroup_put(memcg);
489 static void bpf_map_save_memcg(struct bpf_map *map)
493 static void bpf_map_release_memcg(struct bpf_map *map)
498 static int btf_field_cmp(const void *a, const void *b)
500 const struct btf_field *f1 = a, *f2 = b;
502 if (f1->offset < f2->offset)
504 else if (f1->offset > f2->offset)
509 struct btf_field *btf_record_find(const struct btf_record *rec, u32 offset,
510 enum btf_field_type type)
512 struct btf_field *field;
514 if (IS_ERR_OR_NULL(rec) || !(rec->field_mask & type))
516 field = bsearch(&offset, rec->fields, rec->cnt, sizeof(rec->fields[0]), btf_field_cmp);
517 if (!field || !(field->type & type))
522 void btf_record_free(struct btf_record *rec)
526 if (IS_ERR_OR_NULL(rec))
528 for (i = 0; i < rec->cnt; i++) {
529 switch (rec->fields[i].type) {
535 if (rec->fields[i].kptr.module)
536 module_put(rec->fields[i].kptr.module);
537 btf_put(rec->fields[i].kptr.btf);
541 /* Nothing to release for bpf_list_head */
551 void bpf_map_free_record(struct bpf_map *map)
553 btf_record_free(map->record);
557 struct btf_record *btf_record_dup(const struct btf_record *rec)
559 const struct btf_field *fields;
560 struct btf_record *new_rec;
563 if (IS_ERR_OR_NULL(rec))
565 size = offsetof(struct btf_record, fields[rec->cnt]);
566 new_rec = kmemdup(rec, size, GFP_KERNEL | __GFP_NOWARN);
568 return ERR_PTR(-ENOMEM);
569 /* Do a deep copy of the btf_record */
570 fields = rec->fields;
572 for (i = 0; i < rec->cnt; i++) {
573 switch (fields[i].type) {
579 btf_get(fields[i].kptr.btf);
580 if (fields[i].kptr.module && !try_module_get(fields[i].kptr.module)) {
587 /* Nothing to acquire for bpf_list_head */
598 btf_record_free(new_rec);
602 bool btf_record_equal(const struct btf_record *rec_a, const struct btf_record *rec_b)
604 bool a_has_fields = !IS_ERR_OR_NULL(rec_a), b_has_fields = !IS_ERR_OR_NULL(rec_b);
607 if (!a_has_fields && !b_has_fields)
609 if (a_has_fields != b_has_fields)
611 if (rec_a->cnt != rec_b->cnt)
613 size = offsetof(struct btf_record, fields[rec_a->cnt]);
614 /* btf_parse_fields uses kzalloc to allocate a btf_record, so unused
615 * members are zeroed out. So memcmp is safe to do without worrying
616 * about padding/unused fields.
618 * While spin_lock, timer, and kptr have no relation to map BTF,
619 * list_head metadata is specific to map BTF, the btf and value_rec
620 * members in particular. btf is the map BTF, while value_rec points to
621 * btf_record in that map BTF.
623 * So while by default, we don't rely on the map BTF (which the records
624 * were parsed from) matching for both records, which is not backwards
625 * compatible, in case list_head is part of it, we implicitly rely on
626 * that by way of depending on memcmp succeeding for it.
628 return !memcmp(rec_a, rec_b, size);
631 void bpf_obj_free_timer(const struct btf_record *rec, void *obj)
633 if (WARN_ON_ONCE(!btf_record_has_field(rec, BPF_TIMER)))
635 bpf_timer_cancel_and_free(obj + rec->timer_off);
638 void bpf_obj_free_fields(const struct btf_record *rec, void *obj)
640 const struct btf_field *fields;
643 if (IS_ERR_OR_NULL(rec))
645 fields = rec->fields;
646 for (i = 0; i < rec->cnt; i++) {
647 const struct btf_field *field = &fields[i];
648 void *field_ptr = obj + field->offset;
650 switch (fields[i].type) {
654 bpf_timer_cancel_and_free(field_ptr);
657 WRITE_ONCE(*(u64 *)field_ptr, 0);
660 field->kptr.dtor((void *)xchg((unsigned long *)field_ptr, 0));
663 if (WARN_ON_ONCE(rec->spin_lock_off < 0))
665 bpf_list_head_free(field, field_ptr, obj + rec->spin_lock_off);
676 /* called from workqueue */
677 static void bpf_map_free_deferred(struct work_struct *work)
679 struct bpf_map *map = container_of(work, struct bpf_map, work);
680 struct btf_field_offs *foffs = map->field_offs;
681 struct btf_record *rec = map->record;
683 security_bpf_map_free(map);
684 bpf_map_release_memcg(map);
685 /* implementation dependent freeing */
686 map->ops->map_free(map);
687 /* Delay freeing of field_offs and btf_record for maps, as map_free
688 * callback usually needs access to them. It is better to do it here
689 * than require each callback to do the free itself manually.
691 * Note that the btf_record stashed in map->inner_map_meta->record was
692 * already freed using the map_free callback for map in map case which
693 * eventually calls bpf_map_free_meta, since inner_map_meta is only a
694 * template bpf_map struct used during verification.
697 btf_record_free(rec);
700 static void bpf_map_put_uref(struct bpf_map *map)
702 if (atomic64_dec_and_test(&map->usercnt)) {
703 if (map->ops->map_release_uref)
704 map->ops->map_release_uref(map);
708 /* decrement map refcnt and schedule it for freeing via workqueue
709 * (unrelying map implementation ops->map_free() might sleep)
711 static void __bpf_map_put(struct bpf_map *map, bool do_idr_lock)
713 if (atomic64_dec_and_test(&map->refcnt)) {
714 /* bpf_map_free_id() must be called first */
715 bpf_map_free_id(map, do_idr_lock);
717 INIT_WORK(&map->work, bpf_map_free_deferred);
718 /* Avoid spawning kworkers, since they all might contend
719 * for the same mutex like slab_mutex.
721 queue_work(system_unbound_wq, &map->work);
725 void bpf_map_put(struct bpf_map *map)
727 __bpf_map_put(map, true);
729 EXPORT_SYMBOL_GPL(bpf_map_put);
731 void bpf_map_put_with_uref(struct bpf_map *map)
733 bpf_map_put_uref(map);
737 static int bpf_map_release(struct inode *inode, struct file *filp)
739 struct bpf_map *map = filp->private_data;
741 if (map->ops->map_release)
742 map->ops->map_release(map, filp);
744 bpf_map_put_with_uref(map);
748 static fmode_t map_get_sys_perms(struct bpf_map *map, struct fd f)
750 fmode_t mode = f.file->f_mode;
752 /* Our file permissions may have been overridden by global
753 * map permissions facing syscall side.
755 if (READ_ONCE(map->frozen))
756 mode &= ~FMODE_CAN_WRITE;
760 #ifdef CONFIG_PROC_FS
761 /* Provides an approximation of the map's memory footprint.
762 * Used only to provide a backward compatibility and display
763 * a reasonable "memlock" info.
765 static unsigned long bpf_map_memory_footprint(const struct bpf_map *map)
769 size = round_up(map->key_size + bpf_map_value_size(map), 8);
771 return round_up(map->max_entries * size, PAGE_SIZE);
774 static void bpf_map_show_fdinfo(struct seq_file *m, struct file *filp)
776 struct bpf_map *map = filp->private_data;
777 u32 type = 0, jited = 0;
779 if (map_type_contains_progs(map)) {
780 spin_lock(&map->owner.lock);
781 type = map->owner.type;
782 jited = map->owner.jited;
783 spin_unlock(&map->owner.lock);
792 "map_extra:\t%#llx\n"
801 (unsigned long long)map->map_extra,
802 bpf_map_memory_footprint(map),
804 READ_ONCE(map->frozen));
806 seq_printf(m, "owner_prog_type:\t%u\n", type);
807 seq_printf(m, "owner_jited:\t%u\n", jited);
812 static ssize_t bpf_dummy_read(struct file *filp, char __user *buf, size_t siz,
815 /* We need this handler such that alloc_file() enables
816 * f_mode with FMODE_CAN_READ.
821 static ssize_t bpf_dummy_write(struct file *filp, const char __user *buf,
822 size_t siz, loff_t *ppos)
824 /* We need this handler such that alloc_file() enables
825 * f_mode with FMODE_CAN_WRITE.
830 /* called for any extra memory-mapped regions (except initial) */
831 static void bpf_map_mmap_open(struct vm_area_struct *vma)
833 struct bpf_map *map = vma->vm_file->private_data;
835 if (vma->vm_flags & VM_MAYWRITE)
836 bpf_map_write_active_inc(map);
839 /* called for all unmapped memory region (including initial) */
840 static void bpf_map_mmap_close(struct vm_area_struct *vma)
842 struct bpf_map *map = vma->vm_file->private_data;
844 if (vma->vm_flags & VM_MAYWRITE)
845 bpf_map_write_active_dec(map);
848 static const struct vm_operations_struct bpf_map_default_vmops = {
849 .open = bpf_map_mmap_open,
850 .close = bpf_map_mmap_close,
853 static int bpf_map_mmap(struct file *filp, struct vm_area_struct *vma)
855 struct bpf_map *map = filp->private_data;
858 if (!map->ops->map_mmap || !IS_ERR_OR_NULL(map->record))
861 if (!(vma->vm_flags & VM_SHARED))
864 mutex_lock(&map->freeze_mutex);
866 if (vma->vm_flags & VM_WRITE) {
871 /* map is meant to be read-only, so do not allow mapping as
872 * writable, because it's possible to leak a writable page
873 * reference and allows user-space to still modify it after
874 * freezing, while verifier will assume contents do not change
876 if (map->map_flags & BPF_F_RDONLY_PROG) {
882 /* set default open/close callbacks */
883 vma->vm_ops = &bpf_map_default_vmops;
884 vma->vm_private_data = map;
885 vma->vm_flags &= ~VM_MAYEXEC;
886 if (!(vma->vm_flags & VM_WRITE))
887 /* disallow re-mapping with PROT_WRITE */
888 vma->vm_flags &= ~VM_MAYWRITE;
890 err = map->ops->map_mmap(map, vma);
894 if (vma->vm_flags & VM_MAYWRITE)
895 bpf_map_write_active_inc(map);
897 mutex_unlock(&map->freeze_mutex);
901 static __poll_t bpf_map_poll(struct file *filp, struct poll_table_struct *pts)
903 struct bpf_map *map = filp->private_data;
905 if (map->ops->map_poll)
906 return map->ops->map_poll(map, filp, pts);
911 const struct file_operations bpf_map_fops = {
912 #ifdef CONFIG_PROC_FS
913 .show_fdinfo = bpf_map_show_fdinfo,
915 .release = bpf_map_release,
916 .read = bpf_dummy_read,
917 .write = bpf_dummy_write,
918 .mmap = bpf_map_mmap,
919 .poll = bpf_map_poll,
922 int bpf_map_new_fd(struct bpf_map *map, int flags)
926 ret = security_bpf_map(map, OPEN_FMODE(flags));
930 return anon_inode_getfd("bpf-map", &bpf_map_fops, map,
934 int bpf_get_file_flag(int flags)
936 if ((flags & BPF_F_RDONLY) && (flags & BPF_F_WRONLY))
938 if (flags & BPF_F_RDONLY)
940 if (flags & BPF_F_WRONLY)
945 /* helper macro to check that unused fields 'union bpf_attr' are zero */
946 #define CHECK_ATTR(CMD) \
947 memchr_inv((void *) &attr->CMD##_LAST_FIELD + \
948 sizeof(attr->CMD##_LAST_FIELD), 0, \
950 offsetof(union bpf_attr, CMD##_LAST_FIELD) - \
951 sizeof(attr->CMD##_LAST_FIELD)) != NULL
953 /* dst and src must have at least "size" number of bytes.
954 * Return strlen on success and < 0 on error.
956 int bpf_obj_name_cpy(char *dst, const char *src, unsigned int size)
958 const char *end = src + size;
959 const char *orig_src = src;
961 memset(dst, 0, size);
962 /* Copy all isalnum(), '_' and '.' chars. */
963 while (src < end && *src) {
964 if (!isalnum(*src) &&
965 *src != '_' && *src != '.')
970 /* No '\0' found in "size" number of bytes */
974 return src - orig_src;
977 int map_check_no_btf(const struct bpf_map *map,
978 const struct btf *btf,
979 const struct btf_type *key_type,
980 const struct btf_type *value_type)
985 static int map_check_btf(struct bpf_map *map, const struct btf *btf,
986 u32 btf_key_id, u32 btf_value_id)
988 const struct btf_type *key_type, *value_type;
989 u32 key_size, value_size;
992 /* Some maps allow key to be unspecified. */
994 key_type = btf_type_id_size(btf, &btf_key_id, &key_size);
995 if (!key_type || key_size != map->key_size)
998 key_type = btf_type_by_id(btf, 0);
999 if (!map->ops->map_check_btf)
1003 value_type = btf_type_id_size(btf, &btf_value_id, &value_size);
1004 if (!value_type || value_size != map->value_size)
1007 map->record = btf_parse_fields(btf, value_type,
1008 BPF_SPIN_LOCK | BPF_TIMER | BPF_KPTR | BPF_LIST_HEAD,
1010 if (!IS_ERR_OR_NULL(map->record)) {
1013 if (!bpf_capable()) {
1017 if (map->map_flags & (BPF_F_RDONLY_PROG | BPF_F_WRONLY_PROG)) {
1021 for (i = 0; i < sizeof(map->record->field_mask) * 8; i++) {
1022 switch (map->record->field_mask & (1 << i)) {
1026 if (map->map_type != BPF_MAP_TYPE_HASH &&
1027 map->map_type != BPF_MAP_TYPE_ARRAY &&
1028 map->map_type != BPF_MAP_TYPE_CGROUP_STORAGE &&
1029 map->map_type != BPF_MAP_TYPE_SK_STORAGE &&
1030 map->map_type != BPF_MAP_TYPE_INODE_STORAGE &&
1031 map->map_type != BPF_MAP_TYPE_TASK_STORAGE &&
1032 map->map_type != BPF_MAP_TYPE_CGRP_STORAGE) {
1038 if (map->map_type != BPF_MAP_TYPE_HASH &&
1039 map->map_type != BPF_MAP_TYPE_LRU_HASH &&
1040 map->map_type != BPF_MAP_TYPE_ARRAY) {
1045 case BPF_KPTR_UNREF:
1047 if (map->map_type != BPF_MAP_TYPE_HASH &&
1048 map->map_type != BPF_MAP_TYPE_LRU_HASH &&
1049 map->map_type != BPF_MAP_TYPE_ARRAY &&
1050 map->map_type != BPF_MAP_TYPE_PERCPU_ARRAY) {
1056 if (map->map_type != BPF_MAP_TYPE_HASH &&
1057 map->map_type != BPF_MAP_TYPE_LRU_HASH &&
1058 map->map_type != BPF_MAP_TYPE_ARRAY) {
1064 /* Fail if map_type checks are missing for a field type */
1071 ret = btf_check_and_fixup_fields(btf, map->record);
1075 if (map->ops->map_check_btf) {
1076 ret = map->ops->map_check_btf(map, btf, key_type, value_type);
1083 bpf_map_free_record(map);
1087 #define BPF_MAP_CREATE_LAST_FIELD map_extra
1088 /* called via syscall */
1089 static int map_create(union bpf_attr *attr)
1091 int numa_node = bpf_map_attr_numa_node(attr);
1092 struct btf_field_offs *foffs;
1093 struct bpf_map *map;
1097 err = CHECK_ATTR(BPF_MAP_CREATE);
1101 if (attr->btf_vmlinux_value_type_id) {
1102 if (attr->map_type != BPF_MAP_TYPE_STRUCT_OPS ||
1103 attr->btf_key_type_id || attr->btf_value_type_id)
1105 } else if (attr->btf_key_type_id && !attr->btf_value_type_id) {
1109 if (attr->map_type != BPF_MAP_TYPE_BLOOM_FILTER &&
1110 attr->map_extra != 0)
1113 f_flags = bpf_get_file_flag(attr->map_flags);
1117 if (numa_node != NUMA_NO_NODE &&
1118 ((unsigned int)numa_node >= nr_node_ids ||
1119 !node_online(numa_node)))
1122 /* find map type and init map: hashtable vs rbtree vs bloom vs ... */
1123 map = find_and_alloc_map(attr);
1125 return PTR_ERR(map);
1127 err = bpf_obj_name_cpy(map->name, attr->map_name,
1128 sizeof(attr->map_name));
1132 atomic64_set(&map->refcnt, 1);
1133 atomic64_set(&map->usercnt, 1);
1134 mutex_init(&map->freeze_mutex);
1135 spin_lock_init(&map->owner.lock);
1137 if (attr->btf_key_type_id || attr->btf_value_type_id ||
1138 /* Even the map's value is a kernel's struct,
1139 * the bpf_prog.o must have BTF to begin with
1140 * to figure out the corresponding kernel's
1141 * counter part. Thus, attr->btf_fd has
1144 attr->btf_vmlinux_value_type_id) {
1147 btf = btf_get_by_fd(attr->btf_fd);
1152 if (btf_is_kernel(btf)) {
1159 if (attr->btf_value_type_id) {
1160 err = map_check_btf(map, btf, attr->btf_key_type_id,
1161 attr->btf_value_type_id);
1166 map->btf_key_type_id = attr->btf_key_type_id;
1167 map->btf_value_type_id = attr->btf_value_type_id;
1168 map->btf_vmlinux_value_type_id =
1169 attr->btf_vmlinux_value_type_id;
1173 foffs = btf_parse_field_offs(map->record);
1174 if (IS_ERR(foffs)) {
1175 err = PTR_ERR(foffs);
1178 map->field_offs = foffs;
1180 err = security_bpf_map_alloc(map);
1182 goto free_map_field_offs;
1184 err = bpf_map_alloc_id(map);
1188 bpf_map_save_memcg(map);
1190 err = bpf_map_new_fd(map, f_flags);
1192 /* failed to allocate fd.
1193 * bpf_map_put_with_uref() is needed because the above
1194 * bpf_map_alloc_id() has published the map
1195 * to the userspace and the userspace may
1196 * have refcnt-ed it through BPF_MAP_GET_FD_BY_ID.
1198 bpf_map_put_with_uref(map);
1205 security_bpf_map_free(map);
1206 free_map_field_offs:
1207 kfree(map->field_offs);
1210 map->ops->map_free(map);
1214 /* if error is returned, fd is released.
1215 * On success caller should complete fd access with matching fdput()
1217 struct bpf_map *__bpf_map_get(struct fd f)
1220 return ERR_PTR(-EBADF);
1221 if (f.file->f_op != &bpf_map_fops) {
1223 return ERR_PTR(-EINVAL);
1226 return f.file->private_data;
1229 void bpf_map_inc(struct bpf_map *map)
1231 atomic64_inc(&map->refcnt);
1233 EXPORT_SYMBOL_GPL(bpf_map_inc);
1235 void bpf_map_inc_with_uref(struct bpf_map *map)
1237 atomic64_inc(&map->refcnt);
1238 atomic64_inc(&map->usercnt);
1240 EXPORT_SYMBOL_GPL(bpf_map_inc_with_uref);
1242 struct bpf_map *bpf_map_get(u32 ufd)
1244 struct fd f = fdget(ufd);
1245 struct bpf_map *map;
1247 map = __bpf_map_get(f);
1256 EXPORT_SYMBOL(bpf_map_get);
1258 struct bpf_map *bpf_map_get_with_uref(u32 ufd)
1260 struct fd f = fdget(ufd);
1261 struct bpf_map *map;
1263 map = __bpf_map_get(f);
1267 bpf_map_inc_with_uref(map);
1273 /* map_idr_lock should have been held */
1274 static struct bpf_map *__bpf_map_inc_not_zero(struct bpf_map *map, bool uref)
1278 refold = atomic64_fetch_add_unless(&map->refcnt, 1, 0);
1280 return ERR_PTR(-ENOENT);
1282 atomic64_inc(&map->usercnt);
1287 struct bpf_map *bpf_map_inc_not_zero(struct bpf_map *map)
1289 spin_lock_bh(&map_idr_lock);
1290 map = __bpf_map_inc_not_zero(map, false);
1291 spin_unlock_bh(&map_idr_lock);
1295 EXPORT_SYMBOL_GPL(bpf_map_inc_not_zero);
1297 int __weak bpf_stackmap_copy(struct bpf_map *map, void *key, void *value)
1302 static void *__bpf_copy_key(void __user *ukey, u64 key_size)
1305 return vmemdup_user(ukey, key_size);
1308 return ERR_PTR(-EINVAL);
1313 static void *___bpf_copy_key(bpfptr_t ukey, u64 key_size)
1316 return kvmemdup_bpfptr(ukey, key_size);
1318 if (!bpfptr_is_null(ukey))
1319 return ERR_PTR(-EINVAL);
1324 /* last field in 'union bpf_attr' used by this command */
1325 #define BPF_MAP_LOOKUP_ELEM_LAST_FIELD flags
1327 static int map_lookup_elem(union bpf_attr *attr)
1329 void __user *ukey = u64_to_user_ptr(attr->key);
1330 void __user *uvalue = u64_to_user_ptr(attr->value);
1331 int ufd = attr->map_fd;
1332 struct bpf_map *map;
1338 if (CHECK_ATTR(BPF_MAP_LOOKUP_ELEM))
1341 if (attr->flags & ~BPF_F_LOCK)
1345 map = __bpf_map_get(f);
1347 return PTR_ERR(map);
1348 if (!(map_get_sys_perms(map, f) & FMODE_CAN_READ)) {
1353 if ((attr->flags & BPF_F_LOCK) &&
1354 !btf_record_has_field(map->record, BPF_SPIN_LOCK)) {
1359 key = __bpf_copy_key(ukey, map->key_size);
1365 value_size = bpf_map_value_size(map);
1368 value = kvmalloc(value_size, GFP_USER | __GFP_NOWARN);
1372 if (map->map_type == BPF_MAP_TYPE_BLOOM_FILTER) {
1373 if (copy_from_user(value, uvalue, value_size))
1376 err = bpf_map_copy_value(map, key, value, attr->flags);
1380 err = bpf_map_copy_value(map, key, value, attr->flags);
1385 if (copy_to_user(uvalue, value, value_size) != 0)
1400 #define BPF_MAP_UPDATE_ELEM_LAST_FIELD flags
1402 static int map_update_elem(union bpf_attr *attr, bpfptr_t uattr)
1404 bpfptr_t ukey = make_bpfptr(attr->key, uattr.is_kernel);
1405 bpfptr_t uvalue = make_bpfptr(attr->value, uattr.is_kernel);
1406 int ufd = attr->map_fd;
1407 struct bpf_map *map;
1413 if (CHECK_ATTR(BPF_MAP_UPDATE_ELEM))
1417 map = __bpf_map_get(f);
1419 return PTR_ERR(map);
1420 bpf_map_write_active_inc(map);
1421 if (!(map_get_sys_perms(map, f) & FMODE_CAN_WRITE)) {
1426 if ((attr->flags & BPF_F_LOCK) &&
1427 !btf_record_has_field(map->record, BPF_SPIN_LOCK)) {
1432 key = ___bpf_copy_key(ukey, map->key_size);
1438 value_size = bpf_map_value_size(map);
1439 value = kvmemdup_bpfptr(uvalue, value_size);
1440 if (IS_ERR(value)) {
1441 err = PTR_ERR(value);
1445 err = bpf_map_update_value(map, f.file, key, value, attr->flags);
1451 bpf_map_write_active_dec(map);
1456 #define BPF_MAP_DELETE_ELEM_LAST_FIELD key
1458 static int map_delete_elem(union bpf_attr *attr, bpfptr_t uattr)
1460 bpfptr_t ukey = make_bpfptr(attr->key, uattr.is_kernel);
1461 int ufd = attr->map_fd;
1462 struct bpf_map *map;
1467 if (CHECK_ATTR(BPF_MAP_DELETE_ELEM))
1471 map = __bpf_map_get(f);
1473 return PTR_ERR(map);
1474 bpf_map_write_active_inc(map);
1475 if (!(map_get_sys_perms(map, f) & FMODE_CAN_WRITE)) {
1480 key = ___bpf_copy_key(ukey, map->key_size);
1486 if (bpf_map_is_dev_bound(map)) {
1487 err = bpf_map_offload_delete_elem(map, key);
1489 } else if (IS_FD_PROG_ARRAY(map) ||
1490 map->map_type == BPF_MAP_TYPE_STRUCT_OPS) {
1491 /* These maps require sleepable context */
1492 err = map->ops->map_delete_elem(map, key);
1496 bpf_disable_instrumentation();
1498 err = map->ops->map_delete_elem(map, key);
1500 bpf_enable_instrumentation();
1501 maybe_wait_bpf_programs(map);
1505 bpf_map_write_active_dec(map);
1510 /* last field in 'union bpf_attr' used by this command */
1511 #define BPF_MAP_GET_NEXT_KEY_LAST_FIELD next_key
1513 static int map_get_next_key(union bpf_attr *attr)
1515 void __user *ukey = u64_to_user_ptr(attr->key);
1516 void __user *unext_key = u64_to_user_ptr(attr->next_key);
1517 int ufd = attr->map_fd;
1518 struct bpf_map *map;
1519 void *key, *next_key;
1523 if (CHECK_ATTR(BPF_MAP_GET_NEXT_KEY))
1527 map = __bpf_map_get(f);
1529 return PTR_ERR(map);
1530 if (!(map_get_sys_perms(map, f) & FMODE_CAN_READ)) {
1536 key = __bpf_copy_key(ukey, map->key_size);
1546 next_key = kvmalloc(map->key_size, GFP_USER);
1550 if (bpf_map_is_dev_bound(map)) {
1551 err = bpf_map_offload_get_next_key(map, key, next_key);
1556 err = map->ops->map_get_next_key(map, key, next_key);
1563 if (copy_to_user(unext_key, next_key, map->key_size) != 0)
1577 int generic_map_delete_batch(struct bpf_map *map,
1578 const union bpf_attr *attr,
1579 union bpf_attr __user *uattr)
1581 void __user *keys = u64_to_user_ptr(attr->batch.keys);
1586 if (attr->batch.elem_flags & ~BPF_F_LOCK)
1589 if ((attr->batch.elem_flags & BPF_F_LOCK) &&
1590 !btf_record_has_field(map->record, BPF_SPIN_LOCK)) {
1594 max_count = attr->batch.count;
1598 key = kvmalloc(map->key_size, GFP_USER | __GFP_NOWARN);
1602 for (cp = 0; cp < max_count; cp++) {
1604 if (copy_from_user(key, keys + cp * map->key_size,
1608 if (bpf_map_is_dev_bound(map)) {
1609 err = bpf_map_offload_delete_elem(map, key);
1613 bpf_disable_instrumentation();
1615 err = map->ops->map_delete_elem(map, key);
1617 bpf_enable_instrumentation();
1622 if (copy_to_user(&uattr->batch.count, &cp, sizeof(cp)))
1627 maybe_wait_bpf_programs(map);
1631 int generic_map_update_batch(struct bpf_map *map, struct file *map_file,
1632 const union bpf_attr *attr,
1633 union bpf_attr __user *uattr)
1635 void __user *values = u64_to_user_ptr(attr->batch.values);
1636 void __user *keys = u64_to_user_ptr(attr->batch.keys);
1637 u32 value_size, cp, max_count;
1641 if (attr->batch.elem_flags & ~BPF_F_LOCK)
1644 if ((attr->batch.elem_flags & BPF_F_LOCK) &&
1645 !btf_record_has_field(map->record, BPF_SPIN_LOCK)) {
1649 value_size = bpf_map_value_size(map);
1651 max_count = attr->batch.count;
1655 key = kvmalloc(map->key_size, GFP_USER | __GFP_NOWARN);
1659 value = kvmalloc(value_size, GFP_USER | __GFP_NOWARN);
1665 for (cp = 0; cp < max_count; cp++) {
1667 if (copy_from_user(key, keys + cp * map->key_size,
1669 copy_from_user(value, values + cp * value_size, value_size))
1672 err = bpf_map_update_value(map, map_file, key, value,
1673 attr->batch.elem_flags);
1680 if (copy_to_user(&uattr->batch.count, &cp, sizeof(cp)))
1688 #define MAP_LOOKUP_RETRIES 3
1690 int generic_map_lookup_batch(struct bpf_map *map,
1691 const union bpf_attr *attr,
1692 union bpf_attr __user *uattr)
1694 void __user *uobatch = u64_to_user_ptr(attr->batch.out_batch);
1695 void __user *ubatch = u64_to_user_ptr(attr->batch.in_batch);
1696 void __user *values = u64_to_user_ptr(attr->batch.values);
1697 void __user *keys = u64_to_user_ptr(attr->batch.keys);
1698 void *buf, *buf_prevkey, *prev_key, *key, *value;
1699 int err, retry = MAP_LOOKUP_RETRIES;
1700 u32 value_size, cp, max_count;
1702 if (attr->batch.elem_flags & ~BPF_F_LOCK)
1705 if ((attr->batch.elem_flags & BPF_F_LOCK) &&
1706 !btf_record_has_field(map->record, BPF_SPIN_LOCK))
1709 value_size = bpf_map_value_size(map);
1711 max_count = attr->batch.count;
1715 if (put_user(0, &uattr->batch.count))
1718 buf_prevkey = kvmalloc(map->key_size, GFP_USER | __GFP_NOWARN);
1722 buf = kvmalloc(map->key_size + value_size, GFP_USER | __GFP_NOWARN);
1724 kvfree(buf_prevkey);
1730 if (ubatch && copy_from_user(buf_prevkey, ubatch, map->key_size))
1733 value = key + map->key_size;
1735 prev_key = buf_prevkey;
1737 for (cp = 0; cp < max_count;) {
1739 err = map->ops->map_get_next_key(map, prev_key, key);
1743 err = bpf_map_copy_value(map, key, value,
1744 attr->batch.elem_flags);
1746 if (err == -ENOENT) {
1758 if (copy_to_user(keys + cp * map->key_size, key,
1763 if (copy_to_user(values + cp * value_size, value, value_size)) {
1769 prev_key = buf_prevkey;
1771 swap(prev_key, key);
1772 retry = MAP_LOOKUP_RETRIES;
1780 if ((copy_to_user(&uattr->batch.count, &cp, sizeof(cp)) ||
1781 (cp && copy_to_user(uobatch, prev_key, map->key_size))))
1785 kvfree(buf_prevkey);
1790 #define BPF_MAP_LOOKUP_AND_DELETE_ELEM_LAST_FIELD flags
1792 static int map_lookup_and_delete_elem(union bpf_attr *attr)
1794 void __user *ukey = u64_to_user_ptr(attr->key);
1795 void __user *uvalue = u64_to_user_ptr(attr->value);
1796 int ufd = attr->map_fd;
1797 struct bpf_map *map;
1803 if (CHECK_ATTR(BPF_MAP_LOOKUP_AND_DELETE_ELEM))
1806 if (attr->flags & ~BPF_F_LOCK)
1810 map = __bpf_map_get(f);
1812 return PTR_ERR(map);
1813 bpf_map_write_active_inc(map);
1814 if (!(map_get_sys_perms(map, f) & FMODE_CAN_READ) ||
1815 !(map_get_sys_perms(map, f) & FMODE_CAN_WRITE)) {
1821 (map->map_type == BPF_MAP_TYPE_QUEUE ||
1822 map->map_type == BPF_MAP_TYPE_STACK)) {
1827 if ((attr->flags & BPF_F_LOCK) &&
1828 !btf_record_has_field(map->record, BPF_SPIN_LOCK)) {
1833 key = __bpf_copy_key(ukey, map->key_size);
1839 value_size = bpf_map_value_size(map);
1842 value = kvmalloc(value_size, GFP_USER | __GFP_NOWARN);
1847 if (map->map_type == BPF_MAP_TYPE_QUEUE ||
1848 map->map_type == BPF_MAP_TYPE_STACK) {
1849 err = map->ops->map_pop_elem(map, value);
1850 } else if (map->map_type == BPF_MAP_TYPE_HASH ||
1851 map->map_type == BPF_MAP_TYPE_PERCPU_HASH ||
1852 map->map_type == BPF_MAP_TYPE_LRU_HASH ||
1853 map->map_type == BPF_MAP_TYPE_LRU_PERCPU_HASH) {
1854 if (!bpf_map_is_dev_bound(map)) {
1855 bpf_disable_instrumentation();
1857 err = map->ops->map_lookup_and_delete_elem(map, key, value, attr->flags);
1859 bpf_enable_instrumentation();
1866 if (copy_to_user(uvalue, value, value_size) != 0) {
1878 bpf_map_write_active_dec(map);
1883 #define BPF_MAP_FREEZE_LAST_FIELD map_fd
1885 static int map_freeze(const union bpf_attr *attr)
1887 int err = 0, ufd = attr->map_fd;
1888 struct bpf_map *map;
1891 if (CHECK_ATTR(BPF_MAP_FREEZE))
1895 map = __bpf_map_get(f);
1897 return PTR_ERR(map);
1899 if (map->map_type == BPF_MAP_TYPE_STRUCT_OPS || !IS_ERR_OR_NULL(map->record)) {
1904 mutex_lock(&map->freeze_mutex);
1905 if (bpf_map_write_active(map)) {
1909 if (READ_ONCE(map->frozen)) {
1913 if (!bpf_capable()) {
1918 WRITE_ONCE(map->frozen, true);
1920 mutex_unlock(&map->freeze_mutex);
1925 static const struct bpf_prog_ops * const bpf_prog_types[] = {
1926 #define BPF_PROG_TYPE(_id, _name, prog_ctx_type, kern_ctx_type) \
1927 [_id] = & _name ## _prog_ops,
1928 #define BPF_MAP_TYPE(_id, _ops)
1929 #define BPF_LINK_TYPE(_id, _name)
1930 #include <linux/bpf_types.h>
1931 #undef BPF_PROG_TYPE
1933 #undef BPF_LINK_TYPE
1936 static int find_prog_type(enum bpf_prog_type type, struct bpf_prog *prog)
1938 const struct bpf_prog_ops *ops;
1940 if (type >= ARRAY_SIZE(bpf_prog_types))
1942 type = array_index_nospec(type, ARRAY_SIZE(bpf_prog_types));
1943 ops = bpf_prog_types[type];
1947 if (!bpf_prog_is_dev_bound(prog->aux))
1948 prog->aux->ops = ops;
1950 prog->aux->ops = &bpf_offload_prog_ops;
1961 static const char * const bpf_audit_str[BPF_AUDIT_MAX] = {
1962 [BPF_AUDIT_LOAD] = "LOAD",
1963 [BPF_AUDIT_UNLOAD] = "UNLOAD",
1966 static void bpf_audit_prog(const struct bpf_prog *prog, unsigned int op)
1968 struct audit_context *ctx = NULL;
1969 struct audit_buffer *ab;
1971 if (WARN_ON_ONCE(op >= BPF_AUDIT_MAX))
1973 if (audit_enabled == AUDIT_OFF)
1975 if (op == BPF_AUDIT_LOAD)
1976 ctx = audit_context();
1977 ab = audit_log_start(ctx, GFP_ATOMIC, AUDIT_BPF);
1980 audit_log_format(ab, "prog-id=%u op=%s",
1981 prog->aux->id, bpf_audit_str[op]);
1985 static int bpf_prog_alloc_id(struct bpf_prog *prog)
1989 idr_preload(GFP_KERNEL);
1990 spin_lock_bh(&prog_idr_lock);
1991 id = idr_alloc_cyclic(&prog_idr, prog, 1, INT_MAX, GFP_ATOMIC);
1994 spin_unlock_bh(&prog_idr_lock);
1997 /* id is in [1, INT_MAX) */
1998 if (WARN_ON_ONCE(!id))
2001 return id > 0 ? 0 : id;
2004 void bpf_prog_free_id(struct bpf_prog *prog, bool do_idr_lock)
2006 unsigned long flags;
2008 /* cBPF to eBPF migrations are currently not in the idr store.
2009 * Offloaded programs are removed from the store when their device
2010 * disappears - even if someone grabs an fd to them they are unusable,
2011 * simply waiting for refcnt to drop to be freed.
2017 spin_lock_irqsave(&prog_idr_lock, flags);
2019 __acquire(&prog_idr_lock);
2021 idr_remove(&prog_idr, prog->aux->id);
2025 spin_unlock_irqrestore(&prog_idr_lock, flags);
2027 __release(&prog_idr_lock);
2030 static void __bpf_prog_put_rcu(struct rcu_head *rcu)
2032 struct bpf_prog_aux *aux = container_of(rcu, struct bpf_prog_aux, rcu);
2034 kvfree(aux->func_info);
2035 kfree(aux->func_info_aux);
2036 free_uid(aux->user);
2037 security_bpf_prog_free(aux);
2038 bpf_prog_free(aux->prog);
2041 static void __bpf_prog_put_noref(struct bpf_prog *prog, bool deferred)
2043 bpf_prog_kallsyms_del_all(prog);
2044 btf_put(prog->aux->btf);
2045 kvfree(prog->aux->jited_linfo);
2046 kvfree(prog->aux->linfo);
2047 kfree(prog->aux->kfunc_tab);
2048 if (prog->aux->attach_btf)
2049 btf_put(prog->aux->attach_btf);
2052 if (prog->aux->sleepable)
2053 call_rcu_tasks_trace(&prog->aux->rcu, __bpf_prog_put_rcu);
2055 call_rcu(&prog->aux->rcu, __bpf_prog_put_rcu);
2057 __bpf_prog_put_rcu(&prog->aux->rcu);
2061 static void bpf_prog_put_deferred(struct work_struct *work)
2063 struct bpf_prog_aux *aux;
2064 struct bpf_prog *prog;
2066 aux = container_of(work, struct bpf_prog_aux, work);
2068 perf_event_bpf_event(prog, PERF_BPF_EVENT_PROG_UNLOAD, 0);
2069 bpf_audit_prog(prog, BPF_AUDIT_UNLOAD);
2070 __bpf_prog_put_noref(prog, true);
2073 static void __bpf_prog_put(struct bpf_prog *prog, bool do_idr_lock)
2075 struct bpf_prog_aux *aux = prog->aux;
2077 if (atomic64_dec_and_test(&aux->refcnt)) {
2078 /* bpf_prog_free_id() must be called first */
2079 bpf_prog_free_id(prog, do_idr_lock);
2081 if (in_irq() || irqs_disabled()) {
2082 INIT_WORK(&aux->work, bpf_prog_put_deferred);
2083 schedule_work(&aux->work);
2085 bpf_prog_put_deferred(&aux->work);
2090 void bpf_prog_put(struct bpf_prog *prog)
2092 __bpf_prog_put(prog, true);
2094 EXPORT_SYMBOL_GPL(bpf_prog_put);
2096 static int bpf_prog_release(struct inode *inode, struct file *filp)
2098 struct bpf_prog *prog = filp->private_data;
2104 struct bpf_prog_kstats {
2110 void notrace bpf_prog_inc_misses_counter(struct bpf_prog *prog)
2112 struct bpf_prog_stats *stats;
2115 stats = this_cpu_ptr(prog->stats);
2116 flags = u64_stats_update_begin_irqsave(&stats->syncp);
2117 u64_stats_inc(&stats->misses);
2118 u64_stats_update_end_irqrestore(&stats->syncp, flags);
2121 static void bpf_prog_get_stats(const struct bpf_prog *prog,
2122 struct bpf_prog_kstats *stats)
2124 u64 nsecs = 0, cnt = 0, misses = 0;
2127 for_each_possible_cpu(cpu) {
2128 const struct bpf_prog_stats *st;
2130 u64 tnsecs, tcnt, tmisses;
2132 st = per_cpu_ptr(prog->stats, cpu);
2134 start = u64_stats_fetch_begin(&st->syncp);
2135 tnsecs = u64_stats_read(&st->nsecs);
2136 tcnt = u64_stats_read(&st->cnt);
2137 tmisses = u64_stats_read(&st->misses);
2138 } while (u64_stats_fetch_retry(&st->syncp, start));
2143 stats->nsecs = nsecs;
2145 stats->misses = misses;
2148 #ifdef CONFIG_PROC_FS
2149 static void bpf_prog_show_fdinfo(struct seq_file *m, struct file *filp)
2151 const struct bpf_prog *prog = filp->private_data;
2152 char prog_tag[sizeof(prog->tag) * 2 + 1] = { };
2153 struct bpf_prog_kstats stats;
2155 bpf_prog_get_stats(prog, &stats);
2156 bin2hex(prog_tag, prog->tag, sizeof(prog->tag));
2163 "run_time_ns:\t%llu\n"
2165 "recursion_misses:\t%llu\n"
2166 "verified_insns:\t%u\n",
2170 prog->pages * 1ULL << PAGE_SHIFT,
2175 prog->aux->verified_insns);
2179 const struct file_operations bpf_prog_fops = {
2180 #ifdef CONFIG_PROC_FS
2181 .show_fdinfo = bpf_prog_show_fdinfo,
2183 .release = bpf_prog_release,
2184 .read = bpf_dummy_read,
2185 .write = bpf_dummy_write,
2188 int bpf_prog_new_fd(struct bpf_prog *prog)
2192 ret = security_bpf_prog(prog);
2196 return anon_inode_getfd("bpf-prog", &bpf_prog_fops, prog,
2197 O_RDWR | O_CLOEXEC);
2200 static struct bpf_prog *____bpf_prog_get(struct fd f)
2203 return ERR_PTR(-EBADF);
2204 if (f.file->f_op != &bpf_prog_fops) {
2206 return ERR_PTR(-EINVAL);
2209 return f.file->private_data;
2212 void bpf_prog_add(struct bpf_prog *prog, int i)
2214 atomic64_add(i, &prog->aux->refcnt);
2216 EXPORT_SYMBOL_GPL(bpf_prog_add);
2218 void bpf_prog_sub(struct bpf_prog *prog, int i)
2220 /* Only to be used for undoing previous bpf_prog_add() in some
2221 * error path. We still know that another entity in our call
2222 * path holds a reference to the program, thus atomic_sub() can
2223 * be safely used in such cases!
2225 WARN_ON(atomic64_sub_return(i, &prog->aux->refcnt) == 0);
2227 EXPORT_SYMBOL_GPL(bpf_prog_sub);
2229 void bpf_prog_inc(struct bpf_prog *prog)
2231 atomic64_inc(&prog->aux->refcnt);
2233 EXPORT_SYMBOL_GPL(bpf_prog_inc);
2235 /* prog_idr_lock should have been held */
2236 struct bpf_prog *bpf_prog_inc_not_zero(struct bpf_prog *prog)
2240 refold = atomic64_fetch_add_unless(&prog->aux->refcnt, 1, 0);
2243 return ERR_PTR(-ENOENT);
2247 EXPORT_SYMBOL_GPL(bpf_prog_inc_not_zero);
2249 bool bpf_prog_get_ok(struct bpf_prog *prog,
2250 enum bpf_prog_type *attach_type, bool attach_drv)
2252 /* not an attachment, just a refcount inc, always allow */
2256 if (prog->type != *attach_type)
2258 if (bpf_prog_is_dev_bound(prog->aux) && !attach_drv)
2264 static struct bpf_prog *__bpf_prog_get(u32 ufd, enum bpf_prog_type *attach_type,
2267 struct fd f = fdget(ufd);
2268 struct bpf_prog *prog;
2270 prog = ____bpf_prog_get(f);
2273 if (!bpf_prog_get_ok(prog, attach_type, attach_drv)) {
2274 prog = ERR_PTR(-EINVAL);
2284 struct bpf_prog *bpf_prog_get(u32 ufd)
2286 return __bpf_prog_get(ufd, NULL, false);
2289 struct bpf_prog *bpf_prog_get_type_dev(u32 ufd, enum bpf_prog_type type,
2292 return __bpf_prog_get(ufd, &type, attach_drv);
2294 EXPORT_SYMBOL_GPL(bpf_prog_get_type_dev);
2296 /* Initially all BPF programs could be loaded w/o specifying
2297 * expected_attach_type. Later for some of them specifying expected_attach_type
2298 * at load time became required so that program could be validated properly.
2299 * Programs of types that are allowed to be loaded both w/ and w/o (for
2300 * backward compatibility) expected_attach_type, should have the default attach
2301 * type assigned to expected_attach_type for the latter case, so that it can be
2302 * validated later at attach time.
2304 * bpf_prog_load_fixup_attach_type() sets expected_attach_type in @attr if
2305 * prog type requires it but has some attach types that have to be backward
2308 static void bpf_prog_load_fixup_attach_type(union bpf_attr *attr)
2310 switch (attr->prog_type) {
2311 case BPF_PROG_TYPE_CGROUP_SOCK:
2312 /* Unfortunately BPF_ATTACH_TYPE_UNSPEC enumeration doesn't
2313 * exist so checking for non-zero is the way to go here.
2315 if (!attr->expected_attach_type)
2316 attr->expected_attach_type =
2317 BPF_CGROUP_INET_SOCK_CREATE;
2319 case BPF_PROG_TYPE_SK_REUSEPORT:
2320 if (!attr->expected_attach_type)
2321 attr->expected_attach_type =
2322 BPF_SK_REUSEPORT_SELECT;
2328 bpf_prog_load_check_attach(enum bpf_prog_type prog_type,
2329 enum bpf_attach_type expected_attach_type,
2330 struct btf *attach_btf, u32 btf_id,
2331 struct bpf_prog *dst_prog)
2334 if (btf_id > BTF_MAX_TYPE)
2337 if (!attach_btf && !dst_prog)
2340 switch (prog_type) {
2341 case BPF_PROG_TYPE_TRACING:
2342 case BPF_PROG_TYPE_LSM:
2343 case BPF_PROG_TYPE_STRUCT_OPS:
2344 case BPF_PROG_TYPE_EXT:
2351 if (attach_btf && (!btf_id || dst_prog))
2354 if (dst_prog && prog_type != BPF_PROG_TYPE_TRACING &&
2355 prog_type != BPF_PROG_TYPE_EXT)
2358 switch (prog_type) {
2359 case BPF_PROG_TYPE_CGROUP_SOCK:
2360 switch (expected_attach_type) {
2361 case BPF_CGROUP_INET_SOCK_CREATE:
2362 case BPF_CGROUP_INET_SOCK_RELEASE:
2363 case BPF_CGROUP_INET4_POST_BIND:
2364 case BPF_CGROUP_INET6_POST_BIND:
2369 case BPF_PROG_TYPE_CGROUP_SOCK_ADDR:
2370 switch (expected_attach_type) {
2371 case BPF_CGROUP_INET4_BIND:
2372 case BPF_CGROUP_INET6_BIND:
2373 case BPF_CGROUP_INET4_CONNECT:
2374 case BPF_CGROUP_INET6_CONNECT:
2375 case BPF_CGROUP_INET4_GETPEERNAME:
2376 case BPF_CGROUP_INET6_GETPEERNAME:
2377 case BPF_CGROUP_INET4_GETSOCKNAME:
2378 case BPF_CGROUP_INET6_GETSOCKNAME:
2379 case BPF_CGROUP_UDP4_SENDMSG:
2380 case BPF_CGROUP_UDP6_SENDMSG:
2381 case BPF_CGROUP_UDP4_RECVMSG:
2382 case BPF_CGROUP_UDP6_RECVMSG:
2387 case BPF_PROG_TYPE_CGROUP_SKB:
2388 switch (expected_attach_type) {
2389 case BPF_CGROUP_INET_INGRESS:
2390 case BPF_CGROUP_INET_EGRESS:
2395 case BPF_PROG_TYPE_CGROUP_SOCKOPT:
2396 switch (expected_attach_type) {
2397 case BPF_CGROUP_SETSOCKOPT:
2398 case BPF_CGROUP_GETSOCKOPT:
2403 case BPF_PROG_TYPE_SK_LOOKUP:
2404 if (expected_attach_type == BPF_SK_LOOKUP)
2407 case BPF_PROG_TYPE_SK_REUSEPORT:
2408 switch (expected_attach_type) {
2409 case BPF_SK_REUSEPORT_SELECT:
2410 case BPF_SK_REUSEPORT_SELECT_OR_MIGRATE:
2415 case BPF_PROG_TYPE_SYSCALL:
2416 case BPF_PROG_TYPE_EXT:
2417 if (expected_attach_type)
2425 static bool is_net_admin_prog_type(enum bpf_prog_type prog_type)
2427 switch (prog_type) {
2428 case BPF_PROG_TYPE_SCHED_CLS:
2429 case BPF_PROG_TYPE_SCHED_ACT:
2430 case BPF_PROG_TYPE_XDP:
2431 case BPF_PROG_TYPE_LWT_IN:
2432 case BPF_PROG_TYPE_LWT_OUT:
2433 case BPF_PROG_TYPE_LWT_XMIT:
2434 case BPF_PROG_TYPE_LWT_SEG6LOCAL:
2435 case BPF_PROG_TYPE_SK_SKB:
2436 case BPF_PROG_TYPE_SK_MSG:
2437 case BPF_PROG_TYPE_LIRC_MODE2:
2438 case BPF_PROG_TYPE_FLOW_DISSECTOR:
2439 case BPF_PROG_TYPE_CGROUP_DEVICE:
2440 case BPF_PROG_TYPE_CGROUP_SOCK:
2441 case BPF_PROG_TYPE_CGROUP_SOCK_ADDR:
2442 case BPF_PROG_TYPE_CGROUP_SOCKOPT:
2443 case BPF_PROG_TYPE_CGROUP_SYSCTL:
2444 case BPF_PROG_TYPE_SOCK_OPS:
2445 case BPF_PROG_TYPE_EXT: /* extends any prog */
2447 case BPF_PROG_TYPE_CGROUP_SKB:
2449 case BPF_PROG_TYPE_SK_REUSEPORT:
2450 /* equivalent to SOCKET_FILTER. need CAP_BPF only */
2456 static bool is_perfmon_prog_type(enum bpf_prog_type prog_type)
2458 switch (prog_type) {
2459 case BPF_PROG_TYPE_KPROBE:
2460 case BPF_PROG_TYPE_TRACEPOINT:
2461 case BPF_PROG_TYPE_PERF_EVENT:
2462 case BPF_PROG_TYPE_RAW_TRACEPOINT:
2463 case BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE:
2464 case BPF_PROG_TYPE_TRACING:
2465 case BPF_PROG_TYPE_LSM:
2466 case BPF_PROG_TYPE_STRUCT_OPS: /* has access to struct sock */
2467 case BPF_PROG_TYPE_EXT: /* extends any prog */
2474 /* last field in 'union bpf_attr' used by this command */
2475 #define BPF_PROG_LOAD_LAST_FIELD core_relo_rec_size
2477 static int bpf_prog_load(union bpf_attr *attr, bpfptr_t uattr)
2479 enum bpf_prog_type type = attr->prog_type;
2480 struct bpf_prog *prog, *dst_prog = NULL;
2481 struct btf *attach_btf = NULL;
2486 if (CHECK_ATTR(BPF_PROG_LOAD))
2489 if (attr->prog_flags & ~(BPF_F_STRICT_ALIGNMENT |
2490 BPF_F_ANY_ALIGNMENT |
2491 BPF_F_TEST_STATE_FREQ |
2493 BPF_F_TEST_RND_HI32 |
2494 BPF_F_XDP_HAS_FRAGS))
2497 if (!IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) &&
2498 (attr->prog_flags & BPF_F_ANY_ALIGNMENT) &&
2502 /* copy eBPF program license from user space */
2503 if (strncpy_from_bpfptr(license,
2504 make_bpfptr(attr->license, uattr.is_kernel),
2505 sizeof(license) - 1) < 0)
2507 license[sizeof(license) - 1] = 0;
2509 /* eBPF programs must be GPL compatible to use GPL-ed functions */
2510 is_gpl = license_is_gpl_compatible(license);
2512 if (attr->insn_cnt == 0 ||
2513 attr->insn_cnt > (bpf_capable() ? BPF_COMPLEXITY_LIMIT_INSNS : BPF_MAXINSNS))
2515 if (type != BPF_PROG_TYPE_SOCKET_FILTER &&
2516 type != BPF_PROG_TYPE_CGROUP_SKB &&
2520 if (is_net_admin_prog_type(type) && !capable(CAP_NET_ADMIN) && !capable(CAP_SYS_ADMIN))
2522 if (is_perfmon_prog_type(type) && !perfmon_capable())
2525 /* attach_prog_fd/attach_btf_obj_fd can specify fd of either bpf_prog
2526 * or btf, we need to check which one it is
2528 if (attr->attach_prog_fd) {
2529 dst_prog = bpf_prog_get(attr->attach_prog_fd);
2530 if (IS_ERR(dst_prog)) {
2532 attach_btf = btf_get_by_fd(attr->attach_btf_obj_fd);
2533 if (IS_ERR(attach_btf))
2535 if (!btf_is_kernel(attach_btf)) {
2536 /* attaching through specifying bpf_prog's BTF
2537 * objects directly might be supported eventually
2539 btf_put(attach_btf);
2543 } else if (attr->attach_btf_id) {
2544 /* fall back to vmlinux BTF, if BTF type ID is specified */
2545 attach_btf = bpf_get_btf_vmlinux();
2546 if (IS_ERR(attach_btf))
2547 return PTR_ERR(attach_btf);
2550 btf_get(attach_btf);
2553 bpf_prog_load_fixup_attach_type(attr);
2554 if (bpf_prog_load_check_attach(type, attr->expected_attach_type,
2555 attach_btf, attr->attach_btf_id,
2558 bpf_prog_put(dst_prog);
2560 btf_put(attach_btf);
2564 /* plain bpf_prog allocation */
2565 prog = bpf_prog_alloc(bpf_prog_size(attr->insn_cnt), GFP_USER);
2568 bpf_prog_put(dst_prog);
2570 btf_put(attach_btf);
2574 prog->expected_attach_type = attr->expected_attach_type;
2575 prog->aux->attach_btf = attach_btf;
2576 prog->aux->attach_btf_id = attr->attach_btf_id;
2577 prog->aux->dst_prog = dst_prog;
2578 prog->aux->offload_requested = !!attr->prog_ifindex;
2579 prog->aux->sleepable = attr->prog_flags & BPF_F_SLEEPABLE;
2580 prog->aux->xdp_has_frags = attr->prog_flags & BPF_F_XDP_HAS_FRAGS;
2582 err = security_bpf_prog_alloc(prog->aux);
2586 prog->aux->user = get_current_user();
2587 prog->len = attr->insn_cnt;
2590 if (copy_from_bpfptr(prog->insns,
2591 make_bpfptr(attr->insns, uattr.is_kernel),
2592 bpf_prog_insn_size(prog)) != 0)
2595 prog->orig_prog = NULL;
2598 atomic64_set(&prog->aux->refcnt, 1);
2599 prog->gpl_compatible = is_gpl ? 1 : 0;
2601 if (bpf_prog_is_dev_bound(prog->aux)) {
2602 err = bpf_prog_offload_init(prog, attr);
2607 /* find program type: socket_filter vs tracing_filter */
2608 err = find_prog_type(type, prog);
2612 prog->aux->load_time = ktime_get_boottime_ns();
2613 err = bpf_obj_name_cpy(prog->aux->name, attr->prog_name,
2614 sizeof(attr->prog_name));
2618 /* run eBPF verifier */
2619 err = bpf_check(&prog, attr, uattr);
2621 goto free_used_maps;
2623 prog = bpf_prog_select_runtime(prog, &err);
2625 goto free_used_maps;
2627 err = bpf_prog_alloc_id(prog);
2629 goto free_used_maps;
2631 /* Upon success of bpf_prog_alloc_id(), the BPF prog is
2632 * effectively publicly exposed. However, retrieving via
2633 * bpf_prog_get_fd_by_id() will take another reference,
2634 * therefore it cannot be gone underneath us.
2636 * Only for the time /after/ successful bpf_prog_new_fd()
2637 * and before returning to userspace, we might just hold
2638 * one reference and any parallel close on that fd could
2639 * rip everything out. Hence, below notifications must
2640 * happen before bpf_prog_new_fd().
2642 * Also, any failure handling from this point onwards must
2643 * be using bpf_prog_put() given the program is exposed.
2645 bpf_prog_kallsyms_add(prog);
2646 perf_event_bpf_event(prog, PERF_BPF_EVENT_PROG_LOAD, 0);
2647 bpf_audit_prog(prog, BPF_AUDIT_LOAD);
2649 err = bpf_prog_new_fd(prog);
2655 /* In case we have subprogs, we need to wait for a grace
2656 * period before we can tear down JIT memory since symbols
2657 * are already exposed under kallsyms.
2659 __bpf_prog_put_noref(prog, prog->aux->func_cnt);
2662 free_uid(prog->aux->user);
2663 security_bpf_prog_free(prog->aux);
2665 if (prog->aux->attach_btf)
2666 btf_put(prog->aux->attach_btf);
2667 bpf_prog_free(prog);
2671 #define BPF_OBJ_LAST_FIELD file_flags
2673 static int bpf_obj_pin(const union bpf_attr *attr)
2675 if (CHECK_ATTR(BPF_OBJ) || attr->file_flags != 0)
2678 return bpf_obj_pin_user(attr->bpf_fd, u64_to_user_ptr(attr->pathname));
2681 static int bpf_obj_get(const union bpf_attr *attr)
2683 if (CHECK_ATTR(BPF_OBJ) || attr->bpf_fd != 0 ||
2684 attr->file_flags & ~BPF_OBJ_FLAG_MASK)
2687 return bpf_obj_get_user(u64_to_user_ptr(attr->pathname),
2691 void bpf_link_init(struct bpf_link *link, enum bpf_link_type type,
2692 const struct bpf_link_ops *ops, struct bpf_prog *prog)
2694 atomic64_set(&link->refcnt, 1);
2701 static void bpf_link_free_id(int id)
2706 spin_lock_bh(&link_idr_lock);
2707 idr_remove(&link_idr, id);
2708 spin_unlock_bh(&link_idr_lock);
2711 /* Clean up bpf_link and corresponding anon_inode file and FD. After
2712 * anon_inode is created, bpf_link can't be just kfree()'d due to deferred
2713 * anon_inode's release() call. This helper marksbpf_link as
2714 * defunct, releases anon_inode file and puts reserved FD. bpf_prog's refcnt
2715 * is not decremented, it's the responsibility of a calling code that failed
2716 * to complete bpf_link initialization.
2718 void bpf_link_cleanup(struct bpf_link_primer *primer)
2720 primer->link->prog = NULL;
2721 bpf_link_free_id(primer->id);
2723 put_unused_fd(primer->fd);
2726 void bpf_link_inc(struct bpf_link *link)
2728 atomic64_inc(&link->refcnt);
2731 /* bpf_link_free is guaranteed to be called from process context */
2732 static void bpf_link_free(struct bpf_link *link)
2734 bpf_link_free_id(link->id);
2736 /* detach BPF program, clean up used resources */
2737 link->ops->release(link);
2738 bpf_prog_put(link->prog);
2740 /* free bpf_link and its containing memory */
2741 link->ops->dealloc(link);
2744 static void bpf_link_put_deferred(struct work_struct *work)
2746 struct bpf_link *link = container_of(work, struct bpf_link, work);
2748 bpf_link_free(link);
2751 /* bpf_link_put can be called from atomic context, but ensures that resources
2752 * are freed from process context
2754 void bpf_link_put(struct bpf_link *link)
2756 if (!atomic64_dec_and_test(&link->refcnt))
2760 INIT_WORK(&link->work, bpf_link_put_deferred);
2761 schedule_work(&link->work);
2763 bpf_link_free(link);
2766 EXPORT_SYMBOL(bpf_link_put);
2768 static int bpf_link_release(struct inode *inode, struct file *filp)
2770 struct bpf_link *link = filp->private_data;
2776 #ifdef CONFIG_PROC_FS
2777 #define BPF_PROG_TYPE(_id, _name, prog_ctx_type, kern_ctx_type)
2778 #define BPF_MAP_TYPE(_id, _ops)
2779 #define BPF_LINK_TYPE(_id, _name) [_id] = #_name,
2780 static const char *bpf_link_type_strs[] = {
2781 [BPF_LINK_TYPE_UNSPEC] = "<invalid>",
2782 #include <linux/bpf_types.h>
2784 #undef BPF_PROG_TYPE
2786 #undef BPF_LINK_TYPE
2788 static void bpf_link_show_fdinfo(struct seq_file *m, struct file *filp)
2790 const struct bpf_link *link = filp->private_data;
2791 const struct bpf_prog *prog = link->prog;
2792 char prog_tag[sizeof(prog->tag) * 2 + 1] = { };
2794 bin2hex(prog_tag, prog->tag, sizeof(prog->tag));
2800 bpf_link_type_strs[link->type],
2804 if (link->ops->show_fdinfo)
2805 link->ops->show_fdinfo(link, m);
2809 static const struct file_operations bpf_link_fops = {
2810 #ifdef CONFIG_PROC_FS
2811 .show_fdinfo = bpf_link_show_fdinfo,
2813 .release = bpf_link_release,
2814 .read = bpf_dummy_read,
2815 .write = bpf_dummy_write,
2818 static int bpf_link_alloc_id(struct bpf_link *link)
2822 idr_preload(GFP_KERNEL);
2823 spin_lock_bh(&link_idr_lock);
2824 id = idr_alloc_cyclic(&link_idr, link, 1, INT_MAX, GFP_ATOMIC);
2825 spin_unlock_bh(&link_idr_lock);
2831 /* Prepare bpf_link to be exposed to user-space by allocating anon_inode file,
2832 * reserving unused FD and allocating ID from link_idr. This is to be paired
2833 * with bpf_link_settle() to install FD and ID and expose bpf_link to
2834 * user-space, if bpf_link is successfully attached. If not, bpf_link and
2835 * pre-allocated resources are to be freed with bpf_cleanup() call. All the
2836 * transient state is passed around in struct bpf_link_primer.
2837 * This is preferred way to create and initialize bpf_link, especially when
2838 * there are complicated and expensive operations in between creating bpf_link
2839 * itself and attaching it to BPF hook. By using bpf_link_prime() and
2840 * bpf_link_settle() kernel code using bpf_link doesn't have to perform
2841 * expensive (and potentially failing) roll back operations in a rare case
2842 * that file, FD, or ID can't be allocated.
2844 int bpf_link_prime(struct bpf_link *link, struct bpf_link_primer *primer)
2849 fd = get_unused_fd_flags(O_CLOEXEC);
2854 id = bpf_link_alloc_id(link);
2860 file = anon_inode_getfile("bpf_link", &bpf_link_fops, link, O_CLOEXEC);
2862 bpf_link_free_id(id);
2864 return PTR_ERR(file);
2867 primer->link = link;
2868 primer->file = file;
2874 int bpf_link_settle(struct bpf_link_primer *primer)
2876 /* make bpf_link fetchable by ID */
2877 spin_lock_bh(&link_idr_lock);
2878 primer->link->id = primer->id;
2879 spin_unlock_bh(&link_idr_lock);
2880 /* make bpf_link fetchable by FD */
2881 fd_install(primer->fd, primer->file);
2882 /* pass through installed FD */
2886 int bpf_link_new_fd(struct bpf_link *link)
2888 return anon_inode_getfd("bpf-link", &bpf_link_fops, link, O_CLOEXEC);
2891 struct bpf_link *bpf_link_get_from_fd(u32 ufd)
2893 struct fd f = fdget(ufd);
2894 struct bpf_link *link;
2897 return ERR_PTR(-EBADF);
2898 if (f.file->f_op != &bpf_link_fops) {
2900 return ERR_PTR(-EINVAL);
2903 link = f.file->private_data;
2909 EXPORT_SYMBOL(bpf_link_get_from_fd);
2911 static void bpf_tracing_link_release(struct bpf_link *link)
2913 struct bpf_tracing_link *tr_link =
2914 container_of(link, struct bpf_tracing_link, link.link);
2916 WARN_ON_ONCE(bpf_trampoline_unlink_prog(&tr_link->link,
2917 tr_link->trampoline));
2919 bpf_trampoline_put(tr_link->trampoline);
2921 /* tgt_prog is NULL if target is a kernel function */
2922 if (tr_link->tgt_prog)
2923 bpf_prog_put(tr_link->tgt_prog);
2926 static void bpf_tracing_link_dealloc(struct bpf_link *link)
2928 struct bpf_tracing_link *tr_link =
2929 container_of(link, struct bpf_tracing_link, link.link);
2934 static void bpf_tracing_link_show_fdinfo(const struct bpf_link *link,
2935 struct seq_file *seq)
2937 struct bpf_tracing_link *tr_link =
2938 container_of(link, struct bpf_tracing_link, link.link);
2941 "attach_type:\t%d\n",
2942 tr_link->attach_type);
2945 static int bpf_tracing_link_fill_link_info(const struct bpf_link *link,
2946 struct bpf_link_info *info)
2948 struct bpf_tracing_link *tr_link =
2949 container_of(link, struct bpf_tracing_link, link.link);
2951 info->tracing.attach_type = tr_link->attach_type;
2952 bpf_trampoline_unpack_key(tr_link->trampoline->key,
2953 &info->tracing.target_obj_id,
2954 &info->tracing.target_btf_id);
2959 static const struct bpf_link_ops bpf_tracing_link_lops = {
2960 .release = bpf_tracing_link_release,
2961 .dealloc = bpf_tracing_link_dealloc,
2962 .show_fdinfo = bpf_tracing_link_show_fdinfo,
2963 .fill_link_info = bpf_tracing_link_fill_link_info,
2966 static int bpf_tracing_prog_attach(struct bpf_prog *prog,
2971 struct bpf_link_primer link_primer;
2972 struct bpf_prog *tgt_prog = NULL;
2973 struct bpf_trampoline *tr = NULL;
2974 struct bpf_tracing_link *link;
2978 switch (prog->type) {
2979 case BPF_PROG_TYPE_TRACING:
2980 if (prog->expected_attach_type != BPF_TRACE_FENTRY &&
2981 prog->expected_attach_type != BPF_TRACE_FEXIT &&
2982 prog->expected_attach_type != BPF_MODIFY_RETURN) {
2987 case BPF_PROG_TYPE_EXT:
2988 if (prog->expected_attach_type != 0) {
2993 case BPF_PROG_TYPE_LSM:
2994 if (prog->expected_attach_type != BPF_LSM_MAC) {
3004 if (!!tgt_prog_fd != !!btf_id) {
3010 /* For now we only allow new targets for BPF_PROG_TYPE_EXT */
3011 if (prog->type != BPF_PROG_TYPE_EXT) {
3016 tgt_prog = bpf_prog_get(tgt_prog_fd);
3017 if (IS_ERR(tgt_prog)) {
3018 err = PTR_ERR(tgt_prog);
3023 key = bpf_trampoline_compute_key(tgt_prog, NULL, btf_id);
3026 link = kzalloc(sizeof(*link), GFP_USER);
3031 bpf_link_init(&link->link.link, BPF_LINK_TYPE_TRACING,
3032 &bpf_tracing_link_lops, prog);
3033 link->attach_type = prog->expected_attach_type;
3034 link->link.cookie = bpf_cookie;
3036 mutex_lock(&prog->aux->dst_mutex);
3038 /* There are a few possible cases here:
3040 * - if prog->aux->dst_trampoline is set, the program was just loaded
3041 * and not yet attached to anything, so we can use the values stored
3044 * - if prog->aux->dst_trampoline is NULL, the program has already been
3045 * attached to a target and its initial target was cleared (below)
3047 * - if tgt_prog != NULL, the caller specified tgt_prog_fd +
3048 * target_btf_id using the link_create API.
3050 * - if tgt_prog == NULL when this function was called using the old
3051 * raw_tracepoint_open API, and we need a target from prog->aux
3053 * - if prog->aux->dst_trampoline and tgt_prog is NULL, the program
3054 * was detached and is going for re-attachment.
3056 if (!prog->aux->dst_trampoline && !tgt_prog) {
3058 * Allow re-attach for TRACING and LSM programs. If it's
3059 * currently linked, bpf_trampoline_link_prog will fail.
3060 * EXT programs need to specify tgt_prog_fd, so they
3061 * re-attach in separate code path.
3063 if (prog->type != BPF_PROG_TYPE_TRACING &&
3064 prog->type != BPF_PROG_TYPE_LSM) {
3068 btf_id = prog->aux->attach_btf_id;
3069 key = bpf_trampoline_compute_key(NULL, prog->aux->attach_btf, btf_id);
3072 if (!prog->aux->dst_trampoline ||
3073 (key && key != prog->aux->dst_trampoline->key)) {
3074 /* If there is no saved target, or the specified target is
3075 * different from the destination specified at load time, we
3076 * need a new trampoline and a check for compatibility
3078 struct bpf_attach_target_info tgt_info = {};
3080 err = bpf_check_attach_target(NULL, prog, tgt_prog, btf_id,
3085 tr = bpf_trampoline_get(key, &tgt_info);
3091 /* The caller didn't specify a target, or the target was the
3092 * same as the destination supplied during program load. This
3093 * means we can reuse the trampoline and reference from program
3094 * load time, and there is no need to allocate a new one. This
3095 * can only happen once for any program, as the saved values in
3096 * prog->aux are cleared below.
3098 tr = prog->aux->dst_trampoline;
3099 tgt_prog = prog->aux->dst_prog;
3102 err = bpf_link_prime(&link->link.link, &link_primer);
3106 err = bpf_trampoline_link_prog(&link->link, tr);
3108 bpf_link_cleanup(&link_primer);
3113 link->tgt_prog = tgt_prog;
3114 link->trampoline = tr;
3116 /* Always clear the trampoline and target prog from prog->aux to make
3117 * sure the original attach destination is not kept alive after a
3118 * program is (re-)attached to another target.
3120 if (prog->aux->dst_prog &&
3121 (tgt_prog_fd || tr != prog->aux->dst_trampoline))
3122 /* got extra prog ref from syscall, or attaching to different prog */
3123 bpf_prog_put(prog->aux->dst_prog);
3124 if (prog->aux->dst_trampoline && tr != prog->aux->dst_trampoline)
3125 /* we allocated a new trampoline, so free the old one */
3126 bpf_trampoline_put(prog->aux->dst_trampoline);
3128 prog->aux->dst_prog = NULL;
3129 prog->aux->dst_trampoline = NULL;
3130 mutex_unlock(&prog->aux->dst_mutex);
3132 return bpf_link_settle(&link_primer);
3134 if (tr && tr != prog->aux->dst_trampoline)
3135 bpf_trampoline_put(tr);
3136 mutex_unlock(&prog->aux->dst_mutex);
3139 if (tgt_prog_fd && tgt_prog)
3140 bpf_prog_put(tgt_prog);
3144 struct bpf_raw_tp_link {
3145 struct bpf_link link;
3146 struct bpf_raw_event_map *btp;
3149 static void bpf_raw_tp_link_release(struct bpf_link *link)
3151 struct bpf_raw_tp_link *raw_tp =
3152 container_of(link, struct bpf_raw_tp_link, link);
3154 bpf_probe_unregister(raw_tp->btp, raw_tp->link.prog);
3155 bpf_put_raw_tracepoint(raw_tp->btp);
3158 static void bpf_raw_tp_link_dealloc(struct bpf_link *link)
3160 struct bpf_raw_tp_link *raw_tp =
3161 container_of(link, struct bpf_raw_tp_link, link);
3166 static void bpf_raw_tp_link_show_fdinfo(const struct bpf_link *link,
3167 struct seq_file *seq)
3169 struct bpf_raw_tp_link *raw_tp_link =
3170 container_of(link, struct bpf_raw_tp_link, link);
3174 raw_tp_link->btp->tp->name);
3177 static int bpf_raw_tp_link_fill_link_info(const struct bpf_link *link,
3178 struct bpf_link_info *info)
3180 struct bpf_raw_tp_link *raw_tp_link =
3181 container_of(link, struct bpf_raw_tp_link, link);
3182 char __user *ubuf = u64_to_user_ptr(info->raw_tracepoint.tp_name);
3183 const char *tp_name = raw_tp_link->btp->tp->name;
3184 u32 ulen = info->raw_tracepoint.tp_name_len;
3185 size_t tp_len = strlen(tp_name);
3190 info->raw_tracepoint.tp_name_len = tp_len + 1;
3195 if (ulen >= tp_len + 1) {
3196 if (copy_to_user(ubuf, tp_name, tp_len + 1))
3201 if (copy_to_user(ubuf, tp_name, ulen - 1))
3203 if (put_user(zero, ubuf + ulen - 1))
3211 static const struct bpf_link_ops bpf_raw_tp_link_lops = {
3212 .release = bpf_raw_tp_link_release,
3213 .dealloc = bpf_raw_tp_link_dealloc,
3214 .show_fdinfo = bpf_raw_tp_link_show_fdinfo,
3215 .fill_link_info = bpf_raw_tp_link_fill_link_info,
3218 #ifdef CONFIG_PERF_EVENTS
3219 struct bpf_perf_link {
3220 struct bpf_link link;
3221 struct file *perf_file;
3224 static void bpf_perf_link_release(struct bpf_link *link)
3226 struct bpf_perf_link *perf_link = container_of(link, struct bpf_perf_link, link);
3227 struct perf_event *event = perf_link->perf_file->private_data;
3229 perf_event_free_bpf_prog(event);
3230 fput(perf_link->perf_file);
3233 static void bpf_perf_link_dealloc(struct bpf_link *link)
3235 struct bpf_perf_link *perf_link = container_of(link, struct bpf_perf_link, link);
3240 static const struct bpf_link_ops bpf_perf_link_lops = {
3241 .release = bpf_perf_link_release,
3242 .dealloc = bpf_perf_link_dealloc,
3245 static int bpf_perf_link_attach(const union bpf_attr *attr, struct bpf_prog *prog)
3247 struct bpf_link_primer link_primer;
3248 struct bpf_perf_link *link;
3249 struct perf_event *event;
3250 struct file *perf_file;
3253 if (attr->link_create.flags)
3256 perf_file = perf_event_get(attr->link_create.target_fd);
3257 if (IS_ERR(perf_file))
3258 return PTR_ERR(perf_file);
3260 link = kzalloc(sizeof(*link), GFP_USER);
3265 bpf_link_init(&link->link, BPF_LINK_TYPE_PERF_EVENT, &bpf_perf_link_lops, prog);
3266 link->perf_file = perf_file;
3268 err = bpf_link_prime(&link->link, &link_primer);
3274 event = perf_file->private_data;
3275 err = perf_event_set_bpf_prog(event, prog, attr->link_create.perf_event.bpf_cookie);
3277 bpf_link_cleanup(&link_primer);
3280 /* perf_event_set_bpf_prog() doesn't take its own refcnt on prog */
3283 return bpf_link_settle(&link_primer);
3290 static int bpf_perf_link_attach(const union bpf_attr *attr, struct bpf_prog *prog)
3294 #endif /* CONFIG_PERF_EVENTS */
3296 static int bpf_raw_tp_link_attach(struct bpf_prog *prog,
3297 const char __user *user_tp_name)
3299 struct bpf_link_primer link_primer;
3300 struct bpf_raw_tp_link *link;
3301 struct bpf_raw_event_map *btp;
3302 const char *tp_name;
3306 switch (prog->type) {
3307 case BPF_PROG_TYPE_TRACING:
3308 case BPF_PROG_TYPE_EXT:
3309 case BPF_PROG_TYPE_LSM:
3311 /* The attach point for this category of programs
3312 * should be specified via btf_id during program load.
3315 if (prog->type == BPF_PROG_TYPE_TRACING &&
3316 prog->expected_attach_type == BPF_TRACE_RAW_TP) {
3317 tp_name = prog->aux->attach_func_name;
3320 return bpf_tracing_prog_attach(prog, 0, 0, 0);
3321 case BPF_PROG_TYPE_RAW_TRACEPOINT:
3322 case BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE:
3323 if (strncpy_from_user(buf, user_tp_name, sizeof(buf) - 1) < 0)
3325 buf[sizeof(buf) - 1] = 0;
3332 btp = bpf_get_raw_tracepoint(tp_name);
3336 link = kzalloc(sizeof(*link), GFP_USER);
3341 bpf_link_init(&link->link, BPF_LINK_TYPE_RAW_TRACEPOINT,
3342 &bpf_raw_tp_link_lops, prog);
3345 err = bpf_link_prime(&link->link, &link_primer);
3351 err = bpf_probe_register(link->btp, prog);
3353 bpf_link_cleanup(&link_primer);
3357 return bpf_link_settle(&link_primer);
3360 bpf_put_raw_tracepoint(btp);
3364 #define BPF_RAW_TRACEPOINT_OPEN_LAST_FIELD raw_tracepoint.prog_fd
3366 static int bpf_raw_tracepoint_open(const union bpf_attr *attr)
3368 struct bpf_prog *prog;
3371 if (CHECK_ATTR(BPF_RAW_TRACEPOINT_OPEN))
3374 prog = bpf_prog_get(attr->raw_tracepoint.prog_fd);
3376 return PTR_ERR(prog);
3378 fd = bpf_raw_tp_link_attach(prog, u64_to_user_ptr(attr->raw_tracepoint.name));
3384 static int bpf_prog_attach_check_attach_type(const struct bpf_prog *prog,
3385 enum bpf_attach_type attach_type)
3387 switch (prog->type) {
3388 case BPF_PROG_TYPE_CGROUP_SOCK:
3389 case BPF_PROG_TYPE_CGROUP_SOCK_ADDR:
3390 case BPF_PROG_TYPE_CGROUP_SOCKOPT:
3391 case BPF_PROG_TYPE_SK_LOOKUP:
3392 return attach_type == prog->expected_attach_type ? 0 : -EINVAL;
3393 case BPF_PROG_TYPE_CGROUP_SKB:
3394 if (!capable(CAP_NET_ADMIN))
3395 /* cg-skb progs can be loaded by unpriv user.
3396 * check permissions at attach time.
3399 return prog->enforce_expected_attach_type &&
3400 prog->expected_attach_type != attach_type ?
3407 static enum bpf_prog_type
3408 attach_type_to_prog_type(enum bpf_attach_type attach_type)
3410 switch (attach_type) {
3411 case BPF_CGROUP_INET_INGRESS:
3412 case BPF_CGROUP_INET_EGRESS:
3413 return BPF_PROG_TYPE_CGROUP_SKB;
3414 case BPF_CGROUP_INET_SOCK_CREATE:
3415 case BPF_CGROUP_INET_SOCK_RELEASE:
3416 case BPF_CGROUP_INET4_POST_BIND:
3417 case BPF_CGROUP_INET6_POST_BIND:
3418 return BPF_PROG_TYPE_CGROUP_SOCK;
3419 case BPF_CGROUP_INET4_BIND:
3420 case BPF_CGROUP_INET6_BIND:
3421 case BPF_CGROUP_INET4_CONNECT:
3422 case BPF_CGROUP_INET6_CONNECT:
3423 case BPF_CGROUP_INET4_GETPEERNAME:
3424 case BPF_CGROUP_INET6_GETPEERNAME:
3425 case BPF_CGROUP_INET4_GETSOCKNAME:
3426 case BPF_CGROUP_INET6_GETSOCKNAME:
3427 case BPF_CGROUP_UDP4_SENDMSG:
3428 case BPF_CGROUP_UDP6_SENDMSG:
3429 case BPF_CGROUP_UDP4_RECVMSG:
3430 case BPF_CGROUP_UDP6_RECVMSG:
3431 return BPF_PROG_TYPE_CGROUP_SOCK_ADDR;
3432 case BPF_CGROUP_SOCK_OPS:
3433 return BPF_PROG_TYPE_SOCK_OPS;
3434 case BPF_CGROUP_DEVICE:
3435 return BPF_PROG_TYPE_CGROUP_DEVICE;
3436 case BPF_SK_MSG_VERDICT:
3437 return BPF_PROG_TYPE_SK_MSG;
3438 case BPF_SK_SKB_STREAM_PARSER:
3439 case BPF_SK_SKB_STREAM_VERDICT:
3440 case BPF_SK_SKB_VERDICT:
3441 return BPF_PROG_TYPE_SK_SKB;
3442 case BPF_LIRC_MODE2:
3443 return BPF_PROG_TYPE_LIRC_MODE2;
3444 case BPF_FLOW_DISSECTOR:
3445 return BPF_PROG_TYPE_FLOW_DISSECTOR;
3446 case BPF_CGROUP_SYSCTL:
3447 return BPF_PROG_TYPE_CGROUP_SYSCTL;
3448 case BPF_CGROUP_GETSOCKOPT:
3449 case BPF_CGROUP_SETSOCKOPT:
3450 return BPF_PROG_TYPE_CGROUP_SOCKOPT;
3451 case BPF_TRACE_ITER:
3452 case BPF_TRACE_RAW_TP:
3453 case BPF_TRACE_FENTRY:
3454 case BPF_TRACE_FEXIT:
3455 case BPF_MODIFY_RETURN:
3456 return BPF_PROG_TYPE_TRACING;
3458 return BPF_PROG_TYPE_LSM;
3460 return BPF_PROG_TYPE_SK_LOOKUP;
3462 return BPF_PROG_TYPE_XDP;
3463 case BPF_LSM_CGROUP:
3464 return BPF_PROG_TYPE_LSM;
3466 return BPF_PROG_TYPE_UNSPEC;
3470 #define BPF_PROG_ATTACH_LAST_FIELD replace_bpf_fd
3472 #define BPF_F_ATTACH_MASK \
3473 (BPF_F_ALLOW_OVERRIDE | BPF_F_ALLOW_MULTI | BPF_F_REPLACE)
3475 static int bpf_prog_attach(const union bpf_attr *attr)
3477 enum bpf_prog_type ptype;
3478 struct bpf_prog *prog;
3481 if (CHECK_ATTR(BPF_PROG_ATTACH))
3484 if (attr->attach_flags & ~BPF_F_ATTACH_MASK)
3487 ptype = attach_type_to_prog_type(attr->attach_type);
3488 if (ptype == BPF_PROG_TYPE_UNSPEC)
3491 prog = bpf_prog_get_type(attr->attach_bpf_fd, ptype);
3493 return PTR_ERR(prog);
3495 if (bpf_prog_attach_check_attach_type(prog, attr->attach_type)) {
3501 case BPF_PROG_TYPE_SK_SKB:
3502 case BPF_PROG_TYPE_SK_MSG:
3503 ret = sock_map_get_from_fd(attr, prog);
3505 case BPF_PROG_TYPE_LIRC_MODE2:
3506 ret = lirc_prog_attach(attr, prog);
3508 case BPF_PROG_TYPE_FLOW_DISSECTOR:
3509 ret = netns_bpf_prog_attach(attr, prog);
3511 case BPF_PROG_TYPE_CGROUP_DEVICE:
3512 case BPF_PROG_TYPE_CGROUP_SKB:
3513 case BPF_PROG_TYPE_CGROUP_SOCK:
3514 case BPF_PROG_TYPE_CGROUP_SOCK_ADDR:
3515 case BPF_PROG_TYPE_CGROUP_SOCKOPT:
3516 case BPF_PROG_TYPE_CGROUP_SYSCTL:
3517 case BPF_PROG_TYPE_SOCK_OPS:
3518 case BPF_PROG_TYPE_LSM:
3519 if (ptype == BPF_PROG_TYPE_LSM &&
3520 prog->expected_attach_type != BPF_LSM_CGROUP)
3523 ret = cgroup_bpf_prog_attach(attr, ptype, prog);
3534 #define BPF_PROG_DETACH_LAST_FIELD attach_type
3536 static int bpf_prog_detach(const union bpf_attr *attr)
3538 enum bpf_prog_type ptype;
3540 if (CHECK_ATTR(BPF_PROG_DETACH))
3543 ptype = attach_type_to_prog_type(attr->attach_type);
3546 case BPF_PROG_TYPE_SK_MSG:
3547 case BPF_PROG_TYPE_SK_SKB:
3548 return sock_map_prog_detach(attr, ptype);
3549 case BPF_PROG_TYPE_LIRC_MODE2:
3550 return lirc_prog_detach(attr);
3551 case BPF_PROG_TYPE_FLOW_DISSECTOR:
3552 return netns_bpf_prog_detach(attr, ptype);
3553 case BPF_PROG_TYPE_CGROUP_DEVICE:
3554 case BPF_PROG_TYPE_CGROUP_SKB:
3555 case BPF_PROG_TYPE_CGROUP_SOCK:
3556 case BPF_PROG_TYPE_CGROUP_SOCK_ADDR:
3557 case BPF_PROG_TYPE_CGROUP_SOCKOPT:
3558 case BPF_PROG_TYPE_CGROUP_SYSCTL:
3559 case BPF_PROG_TYPE_SOCK_OPS:
3560 case BPF_PROG_TYPE_LSM:
3561 return cgroup_bpf_prog_detach(attr, ptype);
3567 #define BPF_PROG_QUERY_LAST_FIELD query.prog_attach_flags
3569 static int bpf_prog_query(const union bpf_attr *attr,
3570 union bpf_attr __user *uattr)
3572 if (!capable(CAP_NET_ADMIN))
3574 if (CHECK_ATTR(BPF_PROG_QUERY))
3576 if (attr->query.query_flags & ~BPF_F_QUERY_EFFECTIVE)
3579 switch (attr->query.attach_type) {
3580 case BPF_CGROUP_INET_INGRESS:
3581 case BPF_CGROUP_INET_EGRESS:
3582 case BPF_CGROUP_INET_SOCK_CREATE:
3583 case BPF_CGROUP_INET_SOCK_RELEASE:
3584 case BPF_CGROUP_INET4_BIND:
3585 case BPF_CGROUP_INET6_BIND:
3586 case BPF_CGROUP_INET4_POST_BIND:
3587 case BPF_CGROUP_INET6_POST_BIND:
3588 case BPF_CGROUP_INET4_CONNECT:
3589 case BPF_CGROUP_INET6_CONNECT:
3590 case BPF_CGROUP_INET4_GETPEERNAME:
3591 case BPF_CGROUP_INET6_GETPEERNAME:
3592 case BPF_CGROUP_INET4_GETSOCKNAME:
3593 case BPF_CGROUP_INET6_GETSOCKNAME:
3594 case BPF_CGROUP_UDP4_SENDMSG:
3595 case BPF_CGROUP_UDP6_SENDMSG:
3596 case BPF_CGROUP_UDP4_RECVMSG:
3597 case BPF_CGROUP_UDP6_RECVMSG:
3598 case BPF_CGROUP_SOCK_OPS:
3599 case BPF_CGROUP_DEVICE:
3600 case BPF_CGROUP_SYSCTL:
3601 case BPF_CGROUP_GETSOCKOPT:
3602 case BPF_CGROUP_SETSOCKOPT:
3603 case BPF_LSM_CGROUP:
3604 return cgroup_bpf_prog_query(attr, uattr);
3605 case BPF_LIRC_MODE2:
3606 return lirc_prog_query(attr, uattr);
3607 case BPF_FLOW_DISSECTOR:
3609 return netns_bpf_prog_query(attr, uattr);
3610 case BPF_SK_SKB_STREAM_PARSER:
3611 case BPF_SK_SKB_STREAM_VERDICT:
3612 case BPF_SK_MSG_VERDICT:
3613 case BPF_SK_SKB_VERDICT:
3614 return sock_map_bpf_prog_query(attr, uattr);
3620 #define BPF_PROG_TEST_RUN_LAST_FIELD test.batch_size
3622 static int bpf_prog_test_run(const union bpf_attr *attr,
3623 union bpf_attr __user *uattr)
3625 struct bpf_prog *prog;
3626 int ret = -ENOTSUPP;
3628 if (CHECK_ATTR(BPF_PROG_TEST_RUN))
3631 if ((attr->test.ctx_size_in && !attr->test.ctx_in) ||
3632 (!attr->test.ctx_size_in && attr->test.ctx_in))
3635 if ((attr->test.ctx_size_out && !attr->test.ctx_out) ||
3636 (!attr->test.ctx_size_out && attr->test.ctx_out))
3639 prog = bpf_prog_get(attr->test.prog_fd);
3641 return PTR_ERR(prog);
3643 if (prog->aux->ops->test_run)
3644 ret = prog->aux->ops->test_run(prog, attr, uattr);
3650 #define BPF_OBJ_GET_NEXT_ID_LAST_FIELD next_id
3652 static int bpf_obj_get_next_id(const union bpf_attr *attr,
3653 union bpf_attr __user *uattr,
3657 u32 next_id = attr->start_id;
3660 if (CHECK_ATTR(BPF_OBJ_GET_NEXT_ID) || next_id >= INT_MAX)
3663 if (!capable(CAP_SYS_ADMIN))
3668 if (!idr_get_next(idr, &next_id))
3670 spin_unlock_bh(lock);
3673 err = put_user(next_id, &uattr->next_id);
3678 struct bpf_map *bpf_map_get_curr_or_next(u32 *id)
3680 struct bpf_map *map;
3682 spin_lock_bh(&map_idr_lock);
3684 map = idr_get_next(&map_idr, id);
3686 map = __bpf_map_inc_not_zero(map, false);
3692 spin_unlock_bh(&map_idr_lock);
3697 struct bpf_prog *bpf_prog_get_curr_or_next(u32 *id)
3699 struct bpf_prog *prog;
3701 spin_lock_bh(&prog_idr_lock);
3703 prog = idr_get_next(&prog_idr, id);
3705 prog = bpf_prog_inc_not_zero(prog);
3711 spin_unlock_bh(&prog_idr_lock);
3716 #define BPF_PROG_GET_FD_BY_ID_LAST_FIELD prog_id
3718 struct bpf_prog *bpf_prog_by_id(u32 id)
3720 struct bpf_prog *prog;
3723 return ERR_PTR(-ENOENT);
3725 spin_lock_bh(&prog_idr_lock);
3726 prog = idr_find(&prog_idr, id);
3728 prog = bpf_prog_inc_not_zero(prog);
3730 prog = ERR_PTR(-ENOENT);
3731 spin_unlock_bh(&prog_idr_lock);
3735 static int bpf_prog_get_fd_by_id(const union bpf_attr *attr)
3737 struct bpf_prog *prog;
3738 u32 id = attr->prog_id;
3741 if (CHECK_ATTR(BPF_PROG_GET_FD_BY_ID))
3744 if (!capable(CAP_SYS_ADMIN))
3747 prog = bpf_prog_by_id(id);
3749 return PTR_ERR(prog);
3751 fd = bpf_prog_new_fd(prog);
3758 #define BPF_MAP_GET_FD_BY_ID_LAST_FIELD open_flags
3760 static int bpf_map_get_fd_by_id(const union bpf_attr *attr)
3762 struct bpf_map *map;
3763 u32 id = attr->map_id;
3767 if (CHECK_ATTR(BPF_MAP_GET_FD_BY_ID) ||
3768 attr->open_flags & ~BPF_OBJ_FLAG_MASK)
3771 if (!capable(CAP_SYS_ADMIN))
3774 f_flags = bpf_get_file_flag(attr->open_flags);
3778 spin_lock_bh(&map_idr_lock);
3779 map = idr_find(&map_idr, id);
3781 map = __bpf_map_inc_not_zero(map, true);
3783 map = ERR_PTR(-ENOENT);
3784 spin_unlock_bh(&map_idr_lock);
3787 return PTR_ERR(map);
3789 fd = bpf_map_new_fd(map, f_flags);
3791 bpf_map_put_with_uref(map);
3796 static const struct bpf_map *bpf_map_from_imm(const struct bpf_prog *prog,
3797 unsigned long addr, u32 *off,
3800 const struct bpf_map *map;
3803 mutex_lock(&prog->aux->used_maps_mutex);
3804 for (i = 0, *off = 0; i < prog->aux->used_map_cnt; i++) {
3805 map = prog->aux->used_maps[i];
3806 if (map == (void *)addr) {
3807 *type = BPF_PSEUDO_MAP_FD;
3810 if (!map->ops->map_direct_value_meta)
3812 if (!map->ops->map_direct_value_meta(map, addr, off)) {
3813 *type = BPF_PSEUDO_MAP_VALUE;
3820 mutex_unlock(&prog->aux->used_maps_mutex);
3824 static struct bpf_insn *bpf_insn_prepare_dump(const struct bpf_prog *prog,
3825 const struct cred *f_cred)
3827 const struct bpf_map *map;
3828 struct bpf_insn *insns;
3834 insns = kmemdup(prog->insnsi, bpf_prog_insn_size(prog),
3839 for (i = 0; i < prog->len; i++) {
3840 code = insns[i].code;
3842 if (code == (BPF_JMP | BPF_TAIL_CALL)) {
3843 insns[i].code = BPF_JMP | BPF_CALL;
3844 insns[i].imm = BPF_FUNC_tail_call;
3847 if (code == (BPF_JMP | BPF_CALL) ||
3848 code == (BPF_JMP | BPF_CALL_ARGS)) {
3849 if (code == (BPF_JMP | BPF_CALL_ARGS))
3850 insns[i].code = BPF_JMP | BPF_CALL;
3851 if (!bpf_dump_raw_ok(f_cred))
3855 if (BPF_CLASS(code) == BPF_LDX && BPF_MODE(code) == BPF_PROBE_MEM) {
3856 insns[i].code = BPF_LDX | BPF_SIZE(code) | BPF_MEM;
3860 if (code != (BPF_LD | BPF_IMM | BPF_DW))
3863 imm = ((u64)insns[i + 1].imm << 32) | (u32)insns[i].imm;
3864 map = bpf_map_from_imm(prog, imm, &off, &type);
3866 insns[i].src_reg = type;
3867 insns[i].imm = map->id;
3868 insns[i + 1].imm = off;
3876 static int set_info_rec_size(struct bpf_prog_info *info)
3879 * Ensure info.*_rec_size is the same as kernel expected size
3883 * Only allow zero *_rec_size if both _rec_size and _cnt are
3884 * zero. In this case, the kernel will set the expected
3885 * _rec_size back to the info.
3888 if ((info->nr_func_info || info->func_info_rec_size) &&
3889 info->func_info_rec_size != sizeof(struct bpf_func_info))
3892 if ((info->nr_line_info || info->line_info_rec_size) &&
3893 info->line_info_rec_size != sizeof(struct bpf_line_info))
3896 if ((info->nr_jited_line_info || info->jited_line_info_rec_size) &&
3897 info->jited_line_info_rec_size != sizeof(__u64))
3900 info->func_info_rec_size = sizeof(struct bpf_func_info);
3901 info->line_info_rec_size = sizeof(struct bpf_line_info);
3902 info->jited_line_info_rec_size = sizeof(__u64);
3907 static int bpf_prog_get_info_by_fd(struct file *file,
3908 struct bpf_prog *prog,
3909 const union bpf_attr *attr,
3910 union bpf_attr __user *uattr)
3912 struct bpf_prog_info __user *uinfo = u64_to_user_ptr(attr->info.info);
3913 struct btf *attach_btf = bpf_prog_get_target_btf(prog);
3914 struct bpf_prog_info info;
3915 u32 info_len = attr->info.info_len;
3916 struct bpf_prog_kstats stats;
3917 char __user *uinsns;
3921 err = bpf_check_uarg_tail_zero(USER_BPFPTR(uinfo), sizeof(info), info_len);
3924 info_len = min_t(u32, sizeof(info), info_len);
3926 memset(&info, 0, sizeof(info));
3927 if (copy_from_user(&info, uinfo, info_len))
3930 info.type = prog->type;
3931 info.id = prog->aux->id;
3932 info.load_time = prog->aux->load_time;
3933 info.created_by_uid = from_kuid_munged(current_user_ns(),
3934 prog->aux->user->uid);
3935 info.gpl_compatible = prog->gpl_compatible;
3937 memcpy(info.tag, prog->tag, sizeof(prog->tag));
3938 memcpy(info.name, prog->aux->name, sizeof(prog->aux->name));
3940 mutex_lock(&prog->aux->used_maps_mutex);
3941 ulen = info.nr_map_ids;
3942 info.nr_map_ids = prog->aux->used_map_cnt;
3943 ulen = min_t(u32, info.nr_map_ids, ulen);
3945 u32 __user *user_map_ids = u64_to_user_ptr(info.map_ids);
3948 for (i = 0; i < ulen; i++)
3949 if (put_user(prog->aux->used_maps[i]->id,
3950 &user_map_ids[i])) {
3951 mutex_unlock(&prog->aux->used_maps_mutex);
3955 mutex_unlock(&prog->aux->used_maps_mutex);
3957 err = set_info_rec_size(&info);
3961 bpf_prog_get_stats(prog, &stats);
3962 info.run_time_ns = stats.nsecs;
3963 info.run_cnt = stats.cnt;
3964 info.recursion_misses = stats.misses;
3966 info.verified_insns = prog->aux->verified_insns;
3968 if (!bpf_capable()) {
3969 info.jited_prog_len = 0;
3970 info.xlated_prog_len = 0;
3971 info.nr_jited_ksyms = 0;
3972 info.nr_jited_func_lens = 0;
3973 info.nr_func_info = 0;
3974 info.nr_line_info = 0;
3975 info.nr_jited_line_info = 0;
3979 ulen = info.xlated_prog_len;
3980 info.xlated_prog_len = bpf_prog_insn_size(prog);
3981 if (info.xlated_prog_len && ulen) {
3982 struct bpf_insn *insns_sanitized;
3985 if (prog->blinded && !bpf_dump_raw_ok(file->f_cred)) {
3986 info.xlated_prog_insns = 0;
3989 insns_sanitized = bpf_insn_prepare_dump(prog, file->f_cred);
3990 if (!insns_sanitized)
3992 uinsns = u64_to_user_ptr(info.xlated_prog_insns);
3993 ulen = min_t(u32, info.xlated_prog_len, ulen);
3994 fault = copy_to_user(uinsns, insns_sanitized, ulen);
3995 kfree(insns_sanitized);
4000 if (bpf_prog_is_dev_bound(prog->aux)) {
4001 err = bpf_prog_offload_info_fill(&info, prog);
4007 /* NOTE: the following code is supposed to be skipped for offload.
4008 * bpf_prog_offload_info_fill() is the place to fill similar fields
4011 ulen = info.jited_prog_len;
4012 if (prog->aux->func_cnt) {
4015 info.jited_prog_len = 0;
4016 for (i = 0; i < prog->aux->func_cnt; i++)
4017 info.jited_prog_len += prog->aux->func[i]->jited_len;
4019 info.jited_prog_len = prog->jited_len;
4022 if (info.jited_prog_len && ulen) {
4023 if (bpf_dump_raw_ok(file->f_cred)) {
4024 uinsns = u64_to_user_ptr(info.jited_prog_insns);
4025 ulen = min_t(u32, info.jited_prog_len, ulen);
4027 /* for multi-function programs, copy the JITed
4028 * instructions for all the functions
4030 if (prog->aux->func_cnt) {
4035 for (i = 0; i < prog->aux->func_cnt; i++) {
4036 len = prog->aux->func[i]->jited_len;
4037 len = min_t(u32, len, free);
4038 img = (u8 *) prog->aux->func[i]->bpf_func;
4039 if (copy_to_user(uinsns, img, len))
4047 if (copy_to_user(uinsns, prog->bpf_func, ulen))
4051 info.jited_prog_insns = 0;
4055 ulen = info.nr_jited_ksyms;
4056 info.nr_jited_ksyms = prog->aux->func_cnt ? : 1;
4058 if (bpf_dump_raw_ok(file->f_cred)) {
4059 unsigned long ksym_addr;
4060 u64 __user *user_ksyms;
4063 /* copy the address of the kernel symbol
4064 * corresponding to each function
4066 ulen = min_t(u32, info.nr_jited_ksyms, ulen);
4067 user_ksyms = u64_to_user_ptr(info.jited_ksyms);
4068 if (prog->aux->func_cnt) {
4069 for (i = 0; i < ulen; i++) {
4070 ksym_addr = (unsigned long)
4071 prog->aux->func[i]->bpf_func;
4072 if (put_user((u64) ksym_addr,
4077 ksym_addr = (unsigned long) prog->bpf_func;
4078 if (put_user((u64) ksym_addr, &user_ksyms[0]))
4082 info.jited_ksyms = 0;
4086 ulen = info.nr_jited_func_lens;
4087 info.nr_jited_func_lens = prog->aux->func_cnt ? : 1;
4089 if (bpf_dump_raw_ok(file->f_cred)) {
4090 u32 __user *user_lens;
4093 /* copy the JITed image lengths for each function */
4094 ulen = min_t(u32, info.nr_jited_func_lens, ulen);
4095 user_lens = u64_to_user_ptr(info.jited_func_lens);
4096 if (prog->aux->func_cnt) {
4097 for (i = 0; i < ulen; i++) {
4099 prog->aux->func[i]->jited_len;
4100 if (put_user(func_len, &user_lens[i]))
4104 func_len = prog->jited_len;
4105 if (put_user(func_len, &user_lens[0]))
4109 info.jited_func_lens = 0;
4114 info.btf_id = btf_obj_id(prog->aux->btf);
4115 info.attach_btf_id = prog->aux->attach_btf_id;
4117 info.attach_btf_obj_id = btf_obj_id(attach_btf);
4119 ulen = info.nr_func_info;
4120 info.nr_func_info = prog->aux->func_info_cnt;
4121 if (info.nr_func_info && ulen) {
4122 char __user *user_finfo;
4124 user_finfo = u64_to_user_ptr(info.func_info);
4125 ulen = min_t(u32, info.nr_func_info, ulen);
4126 if (copy_to_user(user_finfo, prog->aux->func_info,
4127 info.func_info_rec_size * ulen))
4131 ulen = info.nr_line_info;
4132 info.nr_line_info = prog->aux->nr_linfo;
4133 if (info.nr_line_info && ulen) {
4134 __u8 __user *user_linfo;
4136 user_linfo = u64_to_user_ptr(info.line_info);
4137 ulen = min_t(u32, info.nr_line_info, ulen);
4138 if (copy_to_user(user_linfo, prog->aux->linfo,
4139 info.line_info_rec_size * ulen))
4143 ulen = info.nr_jited_line_info;
4144 if (prog->aux->jited_linfo)
4145 info.nr_jited_line_info = prog->aux->nr_linfo;
4147 info.nr_jited_line_info = 0;
4148 if (info.nr_jited_line_info && ulen) {
4149 if (bpf_dump_raw_ok(file->f_cred)) {
4150 unsigned long line_addr;
4151 __u64 __user *user_linfo;
4154 user_linfo = u64_to_user_ptr(info.jited_line_info);
4155 ulen = min_t(u32, info.nr_jited_line_info, ulen);
4156 for (i = 0; i < ulen; i++) {
4157 line_addr = (unsigned long)prog->aux->jited_linfo[i];
4158 if (put_user((__u64)line_addr, &user_linfo[i]))
4162 info.jited_line_info = 0;
4166 ulen = info.nr_prog_tags;
4167 info.nr_prog_tags = prog->aux->func_cnt ? : 1;
4169 __u8 __user (*user_prog_tags)[BPF_TAG_SIZE];
4172 user_prog_tags = u64_to_user_ptr(info.prog_tags);
4173 ulen = min_t(u32, info.nr_prog_tags, ulen);
4174 if (prog->aux->func_cnt) {
4175 for (i = 0; i < ulen; i++) {
4176 if (copy_to_user(user_prog_tags[i],
4177 prog->aux->func[i]->tag,
4182 if (copy_to_user(user_prog_tags[0],
4183 prog->tag, BPF_TAG_SIZE))
4189 if (copy_to_user(uinfo, &info, info_len) ||
4190 put_user(info_len, &uattr->info.info_len))
4196 static int bpf_map_get_info_by_fd(struct file *file,
4197 struct bpf_map *map,
4198 const union bpf_attr *attr,
4199 union bpf_attr __user *uattr)
4201 struct bpf_map_info __user *uinfo = u64_to_user_ptr(attr->info.info);
4202 struct bpf_map_info info;
4203 u32 info_len = attr->info.info_len;
4206 err = bpf_check_uarg_tail_zero(USER_BPFPTR(uinfo), sizeof(info), info_len);
4209 info_len = min_t(u32, sizeof(info), info_len);
4211 memset(&info, 0, sizeof(info));
4212 info.type = map->map_type;
4214 info.key_size = map->key_size;
4215 info.value_size = map->value_size;
4216 info.max_entries = map->max_entries;
4217 info.map_flags = map->map_flags;
4218 info.map_extra = map->map_extra;
4219 memcpy(info.name, map->name, sizeof(map->name));
4222 info.btf_id = btf_obj_id(map->btf);
4223 info.btf_key_type_id = map->btf_key_type_id;
4224 info.btf_value_type_id = map->btf_value_type_id;
4226 info.btf_vmlinux_value_type_id = map->btf_vmlinux_value_type_id;
4228 if (bpf_map_is_dev_bound(map)) {
4229 err = bpf_map_offload_info_fill(&info, map);
4234 if (copy_to_user(uinfo, &info, info_len) ||
4235 put_user(info_len, &uattr->info.info_len))
4241 static int bpf_btf_get_info_by_fd(struct file *file,
4243 const union bpf_attr *attr,
4244 union bpf_attr __user *uattr)
4246 struct bpf_btf_info __user *uinfo = u64_to_user_ptr(attr->info.info);
4247 u32 info_len = attr->info.info_len;
4250 err = bpf_check_uarg_tail_zero(USER_BPFPTR(uinfo), sizeof(*uinfo), info_len);
4254 return btf_get_info_by_fd(btf, attr, uattr);
4257 static int bpf_link_get_info_by_fd(struct file *file,
4258 struct bpf_link *link,
4259 const union bpf_attr *attr,
4260 union bpf_attr __user *uattr)
4262 struct bpf_link_info __user *uinfo = u64_to_user_ptr(attr->info.info);
4263 struct bpf_link_info info;
4264 u32 info_len = attr->info.info_len;
4267 err = bpf_check_uarg_tail_zero(USER_BPFPTR(uinfo), sizeof(info), info_len);
4270 info_len = min_t(u32, sizeof(info), info_len);
4272 memset(&info, 0, sizeof(info));
4273 if (copy_from_user(&info, uinfo, info_len))
4276 info.type = link->type;
4278 info.prog_id = link->prog->aux->id;
4280 if (link->ops->fill_link_info) {
4281 err = link->ops->fill_link_info(link, &info);
4286 if (copy_to_user(uinfo, &info, info_len) ||
4287 put_user(info_len, &uattr->info.info_len))
4294 #define BPF_OBJ_GET_INFO_BY_FD_LAST_FIELD info.info
4296 static int bpf_obj_get_info_by_fd(const union bpf_attr *attr,
4297 union bpf_attr __user *uattr)
4299 int ufd = attr->info.bpf_fd;
4303 if (CHECK_ATTR(BPF_OBJ_GET_INFO_BY_FD))
4310 if (f.file->f_op == &bpf_prog_fops)
4311 err = bpf_prog_get_info_by_fd(f.file, f.file->private_data, attr,
4313 else if (f.file->f_op == &bpf_map_fops)
4314 err = bpf_map_get_info_by_fd(f.file, f.file->private_data, attr,
4316 else if (f.file->f_op == &btf_fops)
4317 err = bpf_btf_get_info_by_fd(f.file, f.file->private_data, attr, uattr);
4318 else if (f.file->f_op == &bpf_link_fops)
4319 err = bpf_link_get_info_by_fd(f.file, f.file->private_data,
4328 #define BPF_BTF_LOAD_LAST_FIELD btf_log_level
4330 static int bpf_btf_load(const union bpf_attr *attr, bpfptr_t uattr)
4332 if (CHECK_ATTR(BPF_BTF_LOAD))
4338 return btf_new_fd(attr, uattr);
4341 #define BPF_BTF_GET_FD_BY_ID_LAST_FIELD btf_id
4343 static int bpf_btf_get_fd_by_id(const union bpf_attr *attr)
4345 if (CHECK_ATTR(BPF_BTF_GET_FD_BY_ID))
4348 if (!capable(CAP_SYS_ADMIN))
4351 return btf_get_fd_by_id(attr->btf_id);
4354 static int bpf_task_fd_query_copy(const union bpf_attr *attr,
4355 union bpf_attr __user *uattr,
4356 u32 prog_id, u32 fd_type,
4357 const char *buf, u64 probe_offset,
4360 char __user *ubuf = u64_to_user_ptr(attr->task_fd_query.buf);
4361 u32 len = buf ? strlen(buf) : 0, input_len;
4364 if (put_user(len, &uattr->task_fd_query.buf_len))
4366 input_len = attr->task_fd_query.buf_len;
4367 if (input_len && ubuf) {
4369 /* nothing to copy, just make ubuf NULL terminated */
4372 if (put_user(zero, ubuf))
4374 } else if (input_len >= len + 1) {
4375 /* ubuf can hold the string with NULL terminator */
4376 if (copy_to_user(ubuf, buf, len + 1))
4379 /* ubuf cannot hold the string with NULL terminator,
4380 * do a partial copy with NULL terminator.
4385 if (copy_to_user(ubuf, buf, input_len - 1))
4387 if (put_user(zero, ubuf + input_len - 1))
4392 if (put_user(prog_id, &uattr->task_fd_query.prog_id) ||
4393 put_user(fd_type, &uattr->task_fd_query.fd_type) ||
4394 put_user(probe_offset, &uattr->task_fd_query.probe_offset) ||
4395 put_user(probe_addr, &uattr->task_fd_query.probe_addr))
4401 #define BPF_TASK_FD_QUERY_LAST_FIELD task_fd_query.probe_addr
4403 static int bpf_task_fd_query(const union bpf_attr *attr,
4404 union bpf_attr __user *uattr)
4406 pid_t pid = attr->task_fd_query.pid;
4407 u32 fd = attr->task_fd_query.fd;
4408 const struct perf_event *event;
4409 struct task_struct *task;
4413 if (CHECK_ATTR(BPF_TASK_FD_QUERY))
4416 if (!capable(CAP_SYS_ADMIN))
4419 if (attr->task_fd_query.flags != 0)
4423 task = get_pid_task(find_vpid(pid), PIDTYPE_PID);
4429 file = fget_task(task, fd);
4430 put_task_struct(task);
4434 if (file->f_op == &bpf_link_fops) {
4435 struct bpf_link *link = file->private_data;
4437 if (link->ops == &bpf_raw_tp_link_lops) {
4438 struct bpf_raw_tp_link *raw_tp =
4439 container_of(link, struct bpf_raw_tp_link, link);
4440 struct bpf_raw_event_map *btp = raw_tp->btp;
4442 err = bpf_task_fd_query_copy(attr, uattr,
4443 raw_tp->link.prog->aux->id,
4444 BPF_FD_TYPE_RAW_TRACEPOINT,
4445 btp->tp->name, 0, 0);
4451 event = perf_get_event(file);
4452 if (!IS_ERR(event)) {
4453 u64 probe_offset, probe_addr;
4454 u32 prog_id, fd_type;
4457 err = bpf_get_perf_event_info(event, &prog_id, &fd_type,
4458 &buf, &probe_offset,
4461 err = bpf_task_fd_query_copy(attr, uattr, prog_id,
4475 #define BPF_MAP_BATCH_LAST_FIELD batch.flags
4477 #define BPF_DO_BATCH(fn, ...) \
4483 err = fn(__VA_ARGS__); \
4486 static int bpf_map_do_batch(const union bpf_attr *attr,
4487 union bpf_attr __user *uattr,
4490 bool has_read = cmd == BPF_MAP_LOOKUP_BATCH ||
4491 cmd == BPF_MAP_LOOKUP_AND_DELETE_BATCH;
4492 bool has_write = cmd != BPF_MAP_LOOKUP_BATCH;
4493 struct bpf_map *map;
4497 if (CHECK_ATTR(BPF_MAP_BATCH))
4500 ufd = attr->batch.map_fd;
4502 map = __bpf_map_get(f);
4504 return PTR_ERR(map);
4506 bpf_map_write_active_inc(map);
4507 if (has_read && !(map_get_sys_perms(map, f) & FMODE_CAN_READ)) {
4511 if (has_write && !(map_get_sys_perms(map, f) & FMODE_CAN_WRITE)) {
4516 if (cmd == BPF_MAP_LOOKUP_BATCH)
4517 BPF_DO_BATCH(map->ops->map_lookup_batch, map, attr, uattr);
4518 else if (cmd == BPF_MAP_LOOKUP_AND_DELETE_BATCH)
4519 BPF_DO_BATCH(map->ops->map_lookup_and_delete_batch, map, attr, uattr);
4520 else if (cmd == BPF_MAP_UPDATE_BATCH)
4521 BPF_DO_BATCH(map->ops->map_update_batch, map, f.file, attr, uattr);
4523 BPF_DO_BATCH(map->ops->map_delete_batch, map, attr, uattr);
4526 bpf_map_write_active_dec(map);
4531 #define BPF_LINK_CREATE_LAST_FIELD link_create.kprobe_multi.cookies
4532 static int link_create(union bpf_attr *attr, bpfptr_t uattr)
4534 enum bpf_prog_type ptype;
4535 struct bpf_prog *prog;
4538 if (CHECK_ATTR(BPF_LINK_CREATE))
4541 prog = bpf_prog_get(attr->link_create.prog_fd);
4543 return PTR_ERR(prog);
4545 ret = bpf_prog_attach_check_attach_type(prog,
4546 attr->link_create.attach_type);
4550 switch (prog->type) {
4551 case BPF_PROG_TYPE_EXT:
4553 case BPF_PROG_TYPE_PERF_EVENT:
4554 case BPF_PROG_TYPE_TRACEPOINT:
4555 if (attr->link_create.attach_type != BPF_PERF_EVENT) {
4560 case BPF_PROG_TYPE_KPROBE:
4561 if (attr->link_create.attach_type != BPF_PERF_EVENT &&
4562 attr->link_create.attach_type != BPF_TRACE_KPROBE_MULTI) {
4568 ptype = attach_type_to_prog_type(attr->link_create.attach_type);
4569 if (ptype == BPF_PROG_TYPE_UNSPEC || ptype != prog->type) {
4576 switch (prog->type) {
4577 case BPF_PROG_TYPE_CGROUP_SKB:
4578 case BPF_PROG_TYPE_CGROUP_SOCK:
4579 case BPF_PROG_TYPE_CGROUP_SOCK_ADDR:
4580 case BPF_PROG_TYPE_SOCK_OPS:
4581 case BPF_PROG_TYPE_CGROUP_DEVICE:
4582 case BPF_PROG_TYPE_CGROUP_SYSCTL:
4583 case BPF_PROG_TYPE_CGROUP_SOCKOPT:
4584 ret = cgroup_bpf_link_attach(attr, prog);
4586 case BPF_PROG_TYPE_EXT:
4587 ret = bpf_tracing_prog_attach(prog,
4588 attr->link_create.target_fd,
4589 attr->link_create.target_btf_id,
4590 attr->link_create.tracing.cookie);
4592 case BPF_PROG_TYPE_LSM:
4593 case BPF_PROG_TYPE_TRACING:
4594 if (attr->link_create.attach_type != prog->expected_attach_type) {
4598 if (prog->expected_attach_type == BPF_TRACE_RAW_TP)
4599 ret = bpf_raw_tp_link_attach(prog, NULL);
4600 else if (prog->expected_attach_type == BPF_TRACE_ITER)
4601 ret = bpf_iter_link_attach(attr, uattr, prog);
4602 else if (prog->expected_attach_type == BPF_LSM_CGROUP)
4603 ret = cgroup_bpf_link_attach(attr, prog);
4605 ret = bpf_tracing_prog_attach(prog,
4606 attr->link_create.target_fd,
4607 attr->link_create.target_btf_id,
4608 attr->link_create.tracing.cookie);
4610 case BPF_PROG_TYPE_FLOW_DISSECTOR:
4611 case BPF_PROG_TYPE_SK_LOOKUP:
4612 ret = netns_bpf_link_create(attr, prog);
4615 case BPF_PROG_TYPE_XDP:
4616 ret = bpf_xdp_link_attach(attr, prog);
4619 case BPF_PROG_TYPE_PERF_EVENT:
4620 case BPF_PROG_TYPE_TRACEPOINT:
4621 ret = bpf_perf_link_attach(attr, prog);
4623 case BPF_PROG_TYPE_KPROBE:
4624 if (attr->link_create.attach_type == BPF_PERF_EVENT)
4625 ret = bpf_perf_link_attach(attr, prog);
4627 ret = bpf_kprobe_multi_link_attach(attr, prog);
4639 #define BPF_LINK_UPDATE_LAST_FIELD link_update.old_prog_fd
4641 static int link_update(union bpf_attr *attr)
4643 struct bpf_prog *old_prog = NULL, *new_prog;
4644 struct bpf_link *link;
4648 if (CHECK_ATTR(BPF_LINK_UPDATE))
4651 flags = attr->link_update.flags;
4652 if (flags & ~BPF_F_REPLACE)
4655 link = bpf_link_get_from_fd(attr->link_update.link_fd);
4657 return PTR_ERR(link);
4659 new_prog = bpf_prog_get(attr->link_update.new_prog_fd);
4660 if (IS_ERR(new_prog)) {
4661 ret = PTR_ERR(new_prog);
4665 if (flags & BPF_F_REPLACE) {
4666 old_prog = bpf_prog_get(attr->link_update.old_prog_fd);
4667 if (IS_ERR(old_prog)) {
4668 ret = PTR_ERR(old_prog);
4672 } else if (attr->link_update.old_prog_fd) {
4677 if (link->ops->update_prog)
4678 ret = link->ops->update_prog(link, new_prog, old_prog);
4684 bpf_prog_put(old_prog);
4686 bpf_prog_put(new_prog);
4692 #define BPF_LINK_DETACH_LAST_FIELD link_detach.link_fd
4694 static int link_detach(union bpf_attr *attr)
4696 struct bpf_link *link;
4699 if (CHECK_ATTR(BPF_LINK_DETACH))
4702 link = bpf_link_get_from_fd(attr->link_detach.link_fd);
4704 return PTR_ERR(link);
4706 if (link->ops->detach)
4707 ret = link->ops->detach(link);
4715 static struct bpf_link *bpf_link_inc_not_zero(struct bpf_link *link)
4717 return atomic64_fetch_add_unless(&link->refcnt, 1, 0) ? link : ERR_PTR(-ENOENT);
4720 struct bpf_link *bpf_link_by_id(u32 id)
4722 struct bpf_link *link;
4725 return ERR_PTR(-ENOENT);
4727 spin_lock_bh(&link_idr_lock);
4728 /* before link is "settled", ID is 0, pretend it doesn't exist yet */
4729 link = idr_find(&link_idr, id);
4732 link = bpf_link_inc_not_zero(link);
4734 link = ERR_PTR(-EAGAIN);
4736 link = ERR_PTR(-ENOENT);
4738 spin_unlock_bh(&link_idr_lock);
4742 struct bpf_link *bpf_link_get_curr_or_next(u32 *id)
4744 struct bpf_link *link;
4746 spin_lock_bh(&link_idr_lock);
4748 link = idr_get_next(&link_idr, id);
4750 link = bpf_link_inc_not_zero(link);
4756 spin_unlock_bh(&link_idr_lock);
4761 #define BPF_LINK_GET_FD_BY_ID_LAST_FIELD link_id
4763 static int bpf_link_get_fd_by_id(const union bpf_attr *attr)
4765 struct bpf_link *link;
4766 u32 id = attr->link_id;
4769 if (CHECK_ATTR(BPF_LINK_GET_FD_BY_ID))
4772 if (!capable(CAP_SYS_ADMIN))
4775 link = bpf_link_by_id(id);
4777 return PTR_ERR(link);
4779 fd = bpf_link_new_fd(link);
4786 DEFINE_MUTEX(bpf_stats_enabled_mutex);
4788 static int bpf_stats_release(struct inode *inode, struct file *file)
4790 mutex_lock(&bpf_stats_enabled_mutex);
4791 static_key_slow_dec(&bpf_stats_enabled_key.key);
4792 mutex_unlock(&bpf_stats_enabled_mutex);
4796 static const struct file_operations bpf_stats_fops = {
4797 .release = bpf_stats_release,
4800 static int bpf_enable_runtime_stats(void)
4804 mutex_lock(&bpf_stats_enabled_mutex);
4806 /* Set a very high limit to avoid overflow */
4807 if (static_key_count(&bpf_stats_enabled_key.key) > INT_MAX / 2) {
4808 mutex_unlock(&bpf_stats_enabled_mutex);
4812 fd = anon_inode_getfd("bpf-stats", &bpf_stats_fops, NULL, O_CLOEXEC);
4814 static_key_slow_inc(&bpf_stats_enabled_key.key);
4816 mutex_unlock(&bpf_stats_enabled_mutex);
4820 #define BPF_ENABLE_STATS_LAST_FIELD enable_stats.type
4822 static int bpf_enable_stats(union bpf_attr *attr)
4825 if (CHECK_ATTR(BPF_ENABLE_STATS))
4828 if (!capable(CAP_SYS_ADMIN))
4831 switch (attr->enable_stats.type) {
4832 case BPF_STATS_RUN_TIME:
4833 return bpf_enable_runtime_stats();
4840 #define BPF_ITER_CREATE_LAST_FIELD iter_create.flags
4842 static int bpf_iter_create(union bpf_attr *attr)
4844 struct bpf_link *link;
4847 if (CHECK_ATTR(BPF_ITER_CREATE))
4850 if (attr->iter_create.flags)
4853 link = bpf_link_get_from_fd(attr->iter_create.link_fd);
4855 return PTR_ERR(link);
4857 err = bpf_iter_new_fd(link);
4863 #define BPF_PROG_BIND_MAP_LAST_FIELD prog_bind_map.flags
4865 static int bpf_prog_bind_map(union bpf_attr *attr)
4867 struct bpf_prog *prog;
4868 struct bpf_map *map;
4869 struct bpf_map **used_maps_old, **used_maps_new;
4872 if (CHECK_ATTR(BPF_PROG_BIND_MAP))
4875 if (attr->prog_bind_map.flags)
4878 prog = bpf_prog_get(attr->prog_bind_map.prog_fd);
4880 return PTR_ERR(prog);
4882 map = bpf_map_get(attr->prog_bind_map.map_fd);
4888 mutex_lock(&prog->aux->used_maps_mutex);
4890 used_maps_old = prog->aux->used_maps;
4892 for (i = 0; i < prog->aux->used_map_cnt; i++)
4893 if (used_maps_old[i] == map) {
4898 used_maps_new = kmalloc_array(prog->aux->used_map_cnt + 1,
4899 sizeof(used_maps_new[0]),
4901 if (!used_maps_new) {
4906 memcpy(used_maps_new, used_maps_old,
4907 sizeof(used_maps_old[0]) * prog->aux->used_map_cnt);
4908 used_maps_new[prog->aux->used_map_cnt] = map;
4910 prog->aux->used_map_cnt++;
4911 prog->aux->used_maps = used_maps_new;
4913 kfree(used_maps_old);
4916 mutex_unlock(&prog->aux->used_maps_mutex);
4925 static int __sys_bpf(int cmd, bpfptr_t uattr, unsigned int size)
4927 union bpf_attr attr;
4931 capable = bpf_capable() || !sysctl_unprivileged_bpf_disabled;
4933 /* Intent here is for unprivileged_bpf_disabled to block key object
4934 * creation commands for unprivileged users; other actions depend
4935 * of fd availability and access to bpffs, so are dependent on
4936 * object creation success. Capabilities are later verified for
4937 * operations such as load and map create, so even with unprivileged
4938 * BPF disabled, capability checks are still carried out for these
4939 * and other operations.
4942 (cmd == BPF_MAP_CREATE || cmd == BPF_PROG_LOAD))
4945 err = bpf_check_uarg_tail_zero(uattr, sizeof(attr), size);
4948 size = min_t(u32, size, sizeof(attr));
4950 /* copy attributes from user space, may be less than sizeof(bpf_attr) */
4951 memset(&attr, 0, sizeof(attr));
4952 if (copy_from_bpfptr(&attr, uattr, size) != 0)
4955 err = security_bpf(cmd, &attr, size);
4960 case BPF_MAP_CREATE:
4961 err = map_create(&attr);
4963 case BPF_MAP_LOOKUP_ELEM:
4964 err = map_lookup_elem(&attr);
4966 case BPF_MAP_UPDATE_ELEM:
4967 err = map_update_elem(&attr, uattr);
4969 case BPF_MAP_DELETE_ELEM:
4970 err = map_delete_elem(&attr, uattr);
4972 case BPF_MAP_GET_NEXT_KEY:
4973 err = map_get_next_key(&attr);
4975 case BPF_MAP_FREEZE:
4976 err = map_freeze(&attr);
4979 err = bpf_prog_load(&attr, uattr);
4982 err = bpf_obj_pin(&attr);
4985 err = bpf_obj_get(&attr);
4987 case BPF_PROG_ATTACH:
4988 err = bpf_prog_attach(&attr);
4990 case BPF_PROG_DETACH:
4991 err = bpf_prog_detach(&attr);
4993 case BPF_PROG_QUERY:
4994 err = bpf_prog_query(&attr, uattr.user);
4996 case BPF_PROG_TEST_RUN:
4997 err = bpf_prog_test_run(&attr, uattr.user);
4999 case BPF_PROG_GET_NEXT_ID:
5000 err = bpf_obj_get_next_id(&attr, uattr.user,
5001 &prog_idr, &prog_idr_lock);
5003 case BPF_MAP_GET_NEXT_ID:
5004 err = bpf_obj_get_next_id(&attr, uattr.user,
5005 &map_idr, &map_idr_lock);
5007 case BPF_BTF_GET_NEXT_ID:
5008 err = bpf_obj_get_next_id(&attr, uattr.user,
5009 &btf_idr, &btf_idr_lock);
5011 case BPF_PROG_GET_FD_BY_ID:
5012 err = bpf_prog_get_fd_by_id(&attr);
5014 case BPF_MAP_GET_FD_BY_ID:
5015 err = bpf_map_get_fd_by_id(&attr);
5017 case BPF_OBJ_GET_INFO_BY_FD:
5018 err = bpf_obj_get_info_by_fd(&attr, uattr.user);
5020 case BPF_RAW_TRACEPOINT_OPEN:
5021 err = bpf_raw_tracepoint_open(&attr);
5024 err = bpf_btf_load(&attr, uattr);
5026 case BPF_BTF_GET_FD_BY_ID:
5027 err = bpf_btf_get_fd_by_id(&attr);
5029 case BPF_TASK_FD_QUERY:
5030 err = bpf_task_fd_query(&attr, uattr.user);
5032 case BPF_MAP_LOOKUP_AND_DELETE_ELEM:
5033 err = map_lookup_and_delete_elem(&attr);
5035 case BPF_MAP_LOOKUP_BATCH:
5036 err = bpf_map_do_batch(&attr, uattr.user, BPF_MAP_LOOKUP_BATCH);
5038 case BPF_MAP_LOOKUP_AND_DELETE_BATCH:
5039 err = bpf_map_do_batch(&attr, uattr.user,
5040 BPF_MAP_LOOKUP_AND_DELETE_BATCH);
5042 case BPF_MAP_UPDATE_BATCH:
5043 err = bpf_map_do_batch(&attr, uattr.user, BPF_MAP_UPDATE_BATCH);
5045 case BPF_MAP_DELETE_BATCH:
5046 err = bpf_map_do_batch(&attr, uattr.user, BPF_MAP_DELETE_BATCH);
5048 case BPF_LINK_CREATE:
5049 err = link_create(&attr, uattr);
5051 case BPF_LINK_UPDATE:
5052 err = link_update(&attr);
5054 case BPF_LINK_GET_FD_BY_ID:
5055 err = bpf_link_get_fd_by_id(&attr);
5057 case BPF_LINK_GET_NEXT_ID:
5058 err = bpf_obj_get_next_id(&attr, uattr.user,
5059 &link_idr, &link_idr_lock);
5061 case BPF_ENABLE_STATS:
5062 err = bpf_enable_stats(&attr);
5064 case BPF_ITER_CREATE:
5065 err = bpf_iter_create(&attr);
5067 case BPF_LINK_DETACH:
5068 err = link_detach(&attr);
5070 case BPF_PROG_BIND_MAP:
5071 err = bpf_prog_bind_map(&attr);
5081 SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, size)
5083 return __sys_bpf(cmd, USER_BPFPTR(uattr), size);
5086 static bool syscall_prog_is_valid_access(int off, int size,
5087 enum bpf_access_type type,
5088 const struct bpf_prog *prog,
5089 struct bpf_insn_access_aux *info)
5091 if (off < 0 || off >= U16_MAX)
5093 if (off % size != 0)
5098 BPF_CALL_3(bpf_sys_bpf, int, cmd, union bpf_attr *, attr, u32, attr_size)
5101 case BPF_MAP_CREATE:
5102 case BPF_MAP_DELETE_ELEM:
5103 case BPF_MAP_UPDATE_ELEM:
5104 case BPF_MAP_FREEZE:
5105 case BPF_MAP_GET_FD_BY_ID:
5108 case BPF_LINK_CREATE:
5109 case BPF_RAW_TRACEPOINT_OPEN:
5114 return __sys_bpf(cmd, KERNEL_BPFPTR(attr), attr_size);
5118 /* To shut up -Wmissing-prototypes.
5119 * This function is used by the kernel light skeleton
5120 * to load bpf programs when modules are loaded or during kernel boot.
5121 * See tools/lib/bpf/skel_internal.h
5123 int kern_sys_bpf(int cmd, union bpf_attr *attr, unsigned int size);
5125 int kern_sys_bpf(int cmd, union bpf_attr *attr, unsigned int size)
5127 struct bpf_prog * __maybe_unused prog;
5128 struct bpf_tramp_run_ctx __maybe_unused run_ctx;
5131 #ifdef CONFIG_BPF_JIT /* __bpf_prog_enter_sleepable used by trampoline and JIT */
5132 case BPF_PROG_TEST_RUN:
5133 if (attr->test.data_in || attr->test.data_out ||
5134 attr->test.ctx_out || attr->test.duration ||
5135 attr->test.repeat || attr->test.flags)
5138 prog = bpf_prog_get_type(attr->test.prog_fd, BPF_PROG_TYPE_SYSCALL);
5140 return PTR_ERR(prog);
5142 if (attr->test.ctx_size_in < prog->aux->max_ctx_offset ||
5143 attr->test.ctx_size_in > U16_MAX) {
5148 run_ctx.bpf_cookie = 0;
5149 run_ctx.saved_run_ctx = NULL;
5150 if (!__bpf_prog_enter_sleepable_recur(prog, &run_ctx)) {
5151 /* recursion detected */
5155 attr->test.retval = bpf_prog_run(prog, (void *) (long) attr->test.ctx_in);
5156 __bpf_prog_exit_sleepable_recur(prog, 0 /* bpf_prog_run does runtime stats */,
5162 return ____bpf_sys_bpf(cmd, attr, size);
5165 EXPORT_SYMBOL(kern_sys_bpf);
5167 static const struct bpf_func_proto bpf_sys_bpf_proto = {
5168 .func = bpf_sys_bpf,
5170 .ret_type = RET_INTEGER,
5171 .arg1_type = ARG_ANYTHING,
5172 .arg2_type = ARG_PTR_TO_MEM | MEM_RDONLY,
5173 .arg3_type = ARG_CONST_SIZE,
5176 const struct bpf_func_proto * __weak
5177 tracing_prog_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
5179 return bpf_base_func_proto(func_id);
5182 BPF_CALL_1(bpf_sys_close, u32, fd)
5184 /* When bpf program calls this helper there should not be
5185 * an fdget() without matching completed fdput().
5186 * This helper is allowed in the following callchain only:
5187 * sys_bpf->prog_test_run->bpf_prog->bpf_sys_close
5189 return close_fd(fd);
5192 static const struct bpf_func_proto bpf_sys_close_proto = {
5193 .func = bpf_sys_close,
5195 .ret_type = RET_INTEGER,
5196 .arg1_type = ARG_ANYTHING,
5199 BPF_CALL_4(bpf_kallsyms_lookup_name, const char *, name, int, name_sz, int, flags, u64 *, res)
5204 if (name_sz <= 1 || name[name_sz - 1])
5207 if (!bpf_dump_raw_ok(current_cred()))
5210 *res = kallsyms_lookup_name(name);
5211 return *res ? 0 : -ENOENT;
5214 static const struct bpf_func_proto bpf_kallsyms_lookup_name_proto = {
5215 .func = bpf_kallsyms_lookup_name,
5217 .ret_type = RET_INTEGER,
5218 .arg1_type = ARG_PTR_TO_MEM,
5219 .arg2_type = ARG_CONST_SIZE_OR_ZERO,
5220 .arg3_type = ARG_ANYTHING,
5221 .arg4_type = ARG_PTR_TO_LONG,
5224 static const struct bpf_func_proto *
5225 syscall_prog_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
5228 case BPF_FUNC_sys_bpf:
5229 return !perfmon_capable() ? NULL : &bpf_sys_bpf_proto;
5230 case BPF_FUNC_btf_find_by_name_kind:
5231 return &bpf_btf_find_by_name_kind_proto;
5232 case BPF_FUNC_sys_close:
5233 return &bpf_sys_close_proto;
5234 case BPF_FUNC_kallsyms_lookup_name:
5235 return &bpf_kallsyms_lookup_name_proto;
5237 return tracing_prog_func_proto(func_id, prog);
5241 const struct bpf_verifier_ops bpf_syscall_verifier_ops = {
5242 .get_func_proto = syscall_prog_func_proto,
5243 .is_valid_access = syscall_prog_is_valid_access,
5246 const struct bpf_prog_ops bpf_syscall_prog_ops = {
5247 .test_run = bpf_prog_test_run_syscall,
5250 #ifdef CONFIG_SYSCTL
5251 static int bpf_stats_handler(struct ctl_table *table, int write,
5252 void *buffer, size_t *lenp, loff_t *ppos)
5254 struct static_key *key = (struct static_key *)table->data;
5255 static int saved_val;
5257 struct ctl_table tmp = {
5259 .maxlen = sizeof(val),
5260 .mode = table->mode,
5261 .extra1 = SYSCTL_ZERO,
5262 .extra2 = SYSCTL_ONE,
5265 if (write && !capable(CAP_SYS_ADMIN))
5268 mutex_lock(&bpf_stats_enabled_mutex);
5270 ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos);
5271 if (write && !ret && val != saved_val) {
5273 static_key_slow_inc(key);
5275 static_key_slow_dec(key);
5278 mutex_unlock(&bpf_stats_enabled_mutex);
5282 void __weak unpriv_ebpf_notify(int new_state)
5286 static int bpf_unpriv_handler(struct ctl_table *table, int write,
5287 void *buffer, size_t *lenp, loff_t *ppos)
5289 int ret, unpriv_enable = *(int *)table->data;
5290 bool locked_state = unpriv_enable == 1;
5291 struct ctl_table tmp = *table;
5293 if (write && !capable(CAP_SYS_ADMIN))
5296 tmp.data = &unpriv_enable;
5297 ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos);
5298 if (write && !ret) {
5299 if (locked_state && unpriv_enable != 1)
5301 *(int *)table->data = unpriv_enable;
5304 unpriv_ebpf_notify(unpriv_enable);
5309 static struct ctl_table bpf_syscall_table[] = {
5311 .procname = "unprivileged_bpf_disabled",
5312 .data = &sysctl_unprivileged_bpf_disabled,
5313 .maxlen = sizeof(sysctl_unprivileged_bpf_disabled),
5315 .proc_handler = bpf_unpriv_handler,
5316 .extra1 = SYSCTL_ZERO,
5317 .extra2 = SYSCTL_TWO,
5320 .procname = "bpf_stats_enabled",
5321 .data = &bpf_stats_enabled_key.key,
5323 .proc_handler = bpf_stats_handler,
5328 static int __init bpf_syscall_sysctl_init(void)
5330 register_sysctl_init("kernel", bpf_syscall_table);
5333 late_initcall(bpf_syscall_sysctl_init);
5334 #endif /* CONFIG_SYSCTL */