1 // SPDX-License-Identifier: GPL-2.0
3 #include <bpf/bpf_tracing.h>
4 #include <bpf/bpf_helpers.h>
5 #include <bpf/bpf_core_read.h>
7 #include "../bpf_testmod/bpf_testmod_kfunc.h"
11 struct prog_test_ref_kfunc __kptr_untrusted *unref_ptr;
12 struct prog_test_ref_kfunc __kptr *ref_ptr;
13 struct prog_test_member __kptr *ref_memb_ptr;
17 __uint(type, BPF_MAP_TYPE_ARRAY);
19 __type(value, struct map_value);
20 __uint(max_entries, 1);
21 } array_map SEC(".maps");
24 __failure __msg("kptr access size must be BPF_DW")
25 int size_not_bpf_dw(struct __sk_buff *ctx)
30 v = bpf_map_lookup_elem(&array_map, &key);
34 *(u32 *)&v->unref_ptr = 0;
39 __failure __msg("kptr access cannot have variable offset")
40 int non_const_var_off(struct __sk_buff *ctx)
45 v = bpf_map_lookup_elem(&array_map, &key);
50 if (id < 4 || id > 12)
52 *(u64 *)((void *)v + id) = 0;
58 __failure __msg("R1 doesn't have constant offset. kptr has to be")
59 int non_const_var_off_kptr_xchg(struct __sk_buff *ctx)
64 v = bpf_map_lookup_elem(&array_map, &key);
69 if (id < 4 || id > 12)
71 bpf_kptr_xchg((void *)v + id, NULL);
77 __failure __msg("kptr access misaligned expected=8 off=7")
78 int misaligned_access_write(struct __sk_buff *ctx)
83 v = bpf_map_lookup_elem(&array_map, &key);
87 *(void **)((void *)v + 7) = NULL;
93 __failure __msg("kptr access misaligned expected=8 off=1")
94 int misaligned_access_read(struct __sk_buff *ctx)
99 v = bpf_map_lookup_elem(&array_map, &key);
103 return *(u64 *)((void *)v + 1);
107 __failure __msg("variable untrusted_ptr_ access var_off=(0x0; 0x1e0)")
108 int reject_var_off_store(struct __sk_buff *ctx)
110 struct prog_test_ref_kfunc *unref_ptr;
114 v = bpf_map_lookup_elem(&array_map, &key);
118 unref_ptr = v->unref_ptr;
122 if (id < 4 || id > 12)
125 v->unref_ptr = unref_ptr;
131 __failure __msg("invalid kptr access, R1 type=untrusted_ptr_prog_test_ref_kfunc")
132 int reject_bad_type_match(struct __sk_buff *ctx)
134 struct prog_test_ref_kfunc *unref_ptr;
138 v = bpf_map_lookup_elem(&array_map, &key);
142 unref_ptr = v->unref_ptr;
145 unref_ptr = (void *)unref_ptr + 4;
146 v->unref_ptr = unref_ptr;
152 __failure __msg("R1 type=untrusted_ptr_or_null_ expected=percpu_ptr_")
153 int marked_as_untrusted_or_null(struct __sk_buff *ctx)
158 v = bpf_map_lookup_elem(&array_map, &key);
162 bpf_this_cpu_ptr(v->unref_ptr);
167 __failure __msg("access beyond struct prog_test_ref_kfunc at off 32 size 4")
168 int correct_btf_id_check_size(struct __sk_buff *ctx)
170 struct prog_test_ref_kfunc *p;
174 v = bpf_map_lookup_elem(&array_map, &key);
181 return *(int *)((void *)p + bpf_core_type_size(struct prog_test_ref_kfunc));
185 __failure __msg("R1 type=untrusted_ptr_ expected=percpu_ptr_")
186 int inherit_untrusted_on_walk(struct __sk_buff *ctx)
188 struct prog_test_ref_kfunc *unref_ptr;
192 v = bpf_map_lookup_elem(&array_map, &key);
196 unref_ptr = v->unref_ptr;
199 unref_ptr = unref_ptr->next;
200 bpf_this_cpu_ptr(unref_ptr);
205 __failure __msg("off=8 kptr isn't referenced kptr")
206 int reject_kptr_xchg_on_unref(struct __sk_buff *ctx)
211 v = bpf_map_lookup_elem(&array_map, &key);
215 bpf_kptr_xchg(&v->unref_ptr, NULL);
220 __failure __msg("R1 type=rcu_ptr_or_null_ expected=percpu_ptr_")
221 int mark_ref_as_untrusted_or_null(struct __sk_buff *ctx)
226 v = bpf_map_lookup_elem(&array_map, &key);
230 bpf_this_cpu_ptr(v->ref_ptr);
235 __failure __msg("store to referenced kptr disallowed")
236 int reject_untrusted_store_to_ref(struct __sk_buff *ctx)
238 struct prog_test_ref_kfunc *p;
242 v = bpf_map_lookup_elem(&array_map, &key);
249 /* Checkmate, clang */
250 *(struct prog_test_ref_kfunc * volatile *)&v->ref_ptr = p;
255 __failure __msg("R2 must be referenced")
256 int reject_untrusted_xchg(struct __sk_buff *ctx)
258 struct prog_test_ref_kfunc *p;
262 v = bpf_map_lookup_elem(&array_map, &key);
269 bpf_kptr_xchg(&v->ref_ptr, p);
275 __msg("invalid kptr access, R2 type=ptr_prog_test_ref_kfunc expected=ptr_prog_test_member")
276 int reject_bad_type_xchg(struct __sk_buff *ctx)
278 struct prog_test_ref_kfunc *ref_ptr;
282 v = bpf_map_lookup_elem(&array_map, &key);
286 ref_ptr = bpf_kfunc_call_test_acquire(&(unsigned long){0});
289 bpf_kptr_xchg(&v->ref_memb_ptr, ref_ptr);
294 __failure __msg("invalid kptr access, R2 type=ptr_prog_test_ref_kfunc")
295 int reject_member_of_ref_xchg(struct __sk_buff *ctx)
297 struct prog_test_ref_kfunc *ref_ptr;
301 v = bpf_map_lookup_elem(&array_map, &key);
305 ref_ptr = bpf_kfunc_call_test_acquire(&(unsigned long){0});
308 bpf_kptr_xchg(&v->ref_memb_ptr, &ref_ptr->memb);
313 __failure __msg("kptr cannot be accessed indirectly by helper")
314 int reject_indirect_helper_access(struct __sk_buff *ctx)
319 v = bpf_map_lookup_elem(&array_map, &key);
323 bpf_get_current_comm(v, sizeof(v->buf) + 1);
328 int write_func(int *p)
330 return p ? *p = 42 : 0;
334 __failure __msg("kptr cannot be accessed indirectly by helper")
335 int reject_indirect_global_func_access(struct __sk_buff *ctx)
340 v = bpf_map_lookup_elem(&array_map, &key);
344 return write_func((void *)v + 5);
348 __failure __msg("Unreleased reference id=5 alloc_insn=")
349 int kptr_xchg_ref_state(struct __sk_buff *ctx)
351 struct prog_test_ref_kfunc *p;
355 v = bpf_map_lookup_elem(&array_map, &key);
359 p = bpf_kfunc_call_test_acquire(&(unsigned long){0});
362 bpf_kptr_xchg(&v->ref_ptr, p);
367 __failure __msg("Possibly NULL pointer passed to helper arg2")
368 int kptr_xchg_possibly_null(struct __sk_buff *ctx)
370 struct prog_test_ref_kfunc *p;
374 v = bpf_map_lookup_elem(&array_map, &key);
378 p = bpf_kfunc_call_test_acquire(&(unsigned long){0});
380 /* PTR_TO_BTF_ID | PTR_MAYBE_NULL passed to bpf_kptr_xchg() */
381 p = bpf_kptr_xchg(&v->ref_ptr, p);
383 bpf_kfunc_call_test_release(p);
388 char _license[] SEC("license") = "GPL";