1 // SPDX-License-Identifier: GPL-2.0
2 /* Copyright (c) 2025 Meta Platforms, Inc. and affiliates. */
3
4 #include <vmlinux.h>
5 #include <string.h>
6 #include <stdbool.h>
7 #include <bpf/bpf_helpers.h>
8 #include <bpf/bpf_tracing.h>
9 #include "bpf_misc.h"
10
11 char _license[] SEC("license") = "GPL";
12
13 const void *user_ptr = NULL;
14
15 struct elem {
16 char data[128];
17 struct bpf_task_work tw;
18 };
19
20 struct {
21 __uint(type, BPF_MAP_TYPE_HASH);
22 __uint(map_flags, BPF_F_NO_PREALLOC);
23 __uint(max_entries, 1);
24 __type(key, int);
25 __type(value, struct elem);
26 } hmap SEC(".maps");
27
28 struct {
29 __uint(type, BPF_MAP_TYPE_ARRAY);
30 __uint(max_entries, 1);
31 __type(key, int);
32 __type(value, struct elem);
33 } arrmap SEC(".maps");
34
process_work(struct bpf_map * map,void * key,void * value)35 static int process_work(struct bpf_map *map, void *key, void *value)
36 {
37 struct elem *work = value;
38
39 bpf_copy_from_user_str(work->data, sizeof(work->data), (const void *)user_ptr, 0);
40 return 0;
41 }
42
43 int key = 0;
44
45 SEC("perf_event")
46 __failure __msg("doesn't match map pointer in R3")
mismatch_map(struct pt_regs * args)47 int mismatch_map(struct pt_regs *args)
48 {
49 struct elem *work;
50 struct task_struct *task;
51
52 task = bpf_get_current_task_btf();
53 work = bpf_map_lookup_elem(&arrmap, &key);
54 if (!work)
55 return 0;
56 bpf_task_work_schedule_resume_impl(task, &work->tw, &hmap, process_work, NULL);
57 return 0;
58 }
59
60 SEC("perf_event")
61 __failure __msg("arg#1 doesn't point to a map value")
no_map_task_work(struct pt_regs * args)62 int no_map_task_work(struct pt_regs *args)
63 {
64 struct task_struct *task;
65 struct bpf_task_work tw;
66
67 task = bpf_get_current_task_btf();
68 bpf_task_work_schedule_resume_impl(task, &tw, &hmap, process_work, NULL);
69 return 0;
70 }
71
72 SEC("perf_event")
73 __failure __msg("Possibly NULL pointer passed to trusted arg1")
task_work_null(struct pt_regs * args)74 int task_work_null(struct pt_regs *args)
75 {
76 struct task_struct *task;
77
78 task = bpf_get_current_task_btf();
79 bpf_task_work_schedule_resume_impl(task, NULL, &hmap, process_work, NULL);
80 return 0;
81 }
82
83 SEC("perf_event")
84 __failure __msg("Possibly NULL pointer passed to trusted arg2")
map_null(struct pt_regs * args)85 int map_null(struct pt_regs *args)
86 {
87 struct elem *work;
88 struct task_struct *task;
89
90 task = bpf_get_current_task_btf();
91 work = bpf_map_lookup_elem(&arrmap, &key);
92 if (!work)
93 return 0;
94 bpf_task_work_schedule_resume_impl(task, &work->tw, NULL, process_work, NULL);
95 return 0;
96 }
97