// SPDX-License-Identifier: GPL-2.0-only
/* Copyright (c) 2011-2014 PLUMgrid, http://plumgrid.com
 */
#include <linux/bpf.h>
#include <linux/rcupdate.h>
#include <linux/random.h>
#include <linux/smp.h>
#include <linux/topology.h>
#include <linux/ktime.h>
#include <linux/sched.h>
#include <linux/uidgid.h>
#include <linux/filter.h>
#include <linux/ctype.h>
#include <linux/jiffies.h>
#include <linux/pid_namespace.h>
#include <linux/proc_ns.h>

#include "../../lib/kstrtox.h"

/* If a kernel subsystem allows eBPF programs to call this function, it
 * should return bpf_map_lookup_elem_proto from its own
 * verifier_ops->get_func_proto() callback, so that the verifier can
 * properly check the arguments.
 *
 * Map implementations rely on RCU in their lookup/update/delete methods,
 * so eBPF programs must run under the RCU read lock if they are allowed
 * to access maps; hence the rcu_read_lock_held() check in all three
 * functions.
 */
BPF_CALL_2(bpf_map_lookup_elem, struct bpf_map *, map, void *, key)
{
	WARN_ON_ONCE(!rcu_read_lock_held());
	return (unsigned long) map->ops->map_lookup_elem(map, key);
}

const struct bpf_func_proto bpf_map_lookup_elem_proto = {
	.func		= bpf_map_lookup_elem,
	.gpl_only	= false,
	.pkt_access	= true,
	.ret_type	= RET_PTR_TO_MAP_VALUE_OR_NULL,
	.arg1_type	= ARG_CONST_MAP_PTR,
	.arg2_type	= ARG_PTR_TO_MAP_KEY,
};

BPF_CALL_4(bpf_map_update_elem, struct bpf_map *, map, void *, key,
	   void *, value, u64, flags)
{
	WARN_ON_ONCE(!rcu_read_lock_held());
	return map->ops->map_update_elem(map, key, value, flags);
}

const struct bpf_func_proto bpf_map_update_elem_proto = {
	.func		= bpf_map_update_elem,
	.gpl_only	= false,
	.pkt_access	= true,
	.ret_type	= RET_INTEGER,
	.arg1_type	= ARG_CONST_MAP_PTR,
	.arg2_type	= ARG_PTR_TO_MAP_KEY,
	.arg3_type	= ARG_PTR_TO_MAP_VALUE,
	.arg4_type	= ARG_ANYTHING,
};

BPF_CALL_2(bpf_map_delete_elem, struct bpf_map *, map, void *, key)
{
	WARN_ON_ONCE(!rcu_read_lock_held());
	return map->ops->map_delete_elem(map, key);
}

const struct bpf_func_proto bpf_map_delete_elem_proto = {
	.func		= bpf_map_delete_elem,
	.gpl_only	= false,
	.pkt_access	= true,
	.ret_type	= RET_INTEGER,
	.arg1_type	= ARG_CONST_MAP_PTR,
	.arg2_type	= ARG_PTR_TO_MAP_KEY,
};

BPF_CALL_3(bpf_map_push_elem, struct bpf_map *, map, void *, value, u64, flags)
{
	return map->ops->map_push_elem(map, value, flags);
}

const struct bpf_func_proto bpf_map_push_elem_proto = {
	.func		= bpf_map_push_elem,
	.gpl_only	= false,
	.pkt_access	= true,
	.ret_type	= RET_INTEGER,
	.arg1_type	= ARG_CONST_MAP_PTR,
	.arg2_type	= ARG_PTR_TO_MAP_VALUE,
	.arg3_type	= ARG_ANYTHING,
};

BPF_CALL_2(bpf_map_pop_elem, struct bpf_map *, map, void *, value)
{
	return map->ops->map_pop_elem(map, value);
}

const struct bpf_func_proto bpf_map_pop_elem_proto = {
	.func		= bpf_map_pop_elem,
	.gpl_only	= false,
	.ret_type	= RET_INTEGER,
	.arg1_type	= ARG_CONST_MAP_PTR,
	.arg2_type	= ARG_PTR_TO_UNINIT_MAP_VALUE,
};

BPF_CALL_2(bpf_map_peek_elem, struct bpf_map *, map, void *, value)
{
	return map->ops->map_peek_elem(map, value);
}

const struct bpf_func_proto bpf_map_peek_elem_proto = {
	.func		= bpf_map_peek_elem,
	.gpl_only	= false,
	.ret_type	= RET_INTEGER,
	.arg1_type	= ARG_CONST_MAP_PTR,
	.arg2_type	= ARG_PTR_TO_UNINIT_MAP_VALUE,
};
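
/* Illustrative sketch, not part of this file: how the map helpers above
 * look from the BPF program side.  Assumes libbpf's <bpf/bpf_helpers.h>
 * BTF map syntax; the map, section and function names are hypothetical.
 *
 *	struct {
 *		__uint(type, BPF_MAP_TYPE_HASH);
 *		__uint(max_entries, 1024);
 *		__type(key, __u32);
 *		__type(value, __u64);
 *	} counters SEC(".maps");
 *
 *	SEC("tracepoint/syscalls/sys_enter_openat")
 *	int count_opens(void *ctx)
 *	{
 *		__u32 key = 0;
 *		__u64 init = 1, *val;
 *
 *		// RET_PTR_TO_MAP_VALUE_OR_NULL: the verifier rejects the
 *		// program unless the NULL case is checked before the deref.
 *		val = bpf_map_lookup_elem(&counters, &key);
 *		if (val)
 *			__sync_fetch_and_add(val, 1);
 *		else
 *			bpf_map_update_elem(&counters, &key, &init, BPF_NOEXIST);
 *		return 0;
 *	}
 */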

const struct bpf_func_proto bpf_get_prandom_u32_proto = {
	.func		= bpf_user_rnd_u32,
	.gpl_only	= false,
	.ret_type	= RET_INTEGER,
};

BPF_CALL_0(bpf_get_smp_processor_id)
{
	return smp_processor_id();
}

const struct bpf_func_proto bpf_get_smp_processor_id_proto = {
	.func		= bpf_get_smp_processor_id,
	.gpl_only	= false,
	.ret_type	= RET_INTEGER,
};

BPF_CALL_0(bpf_get_numa_node_id)
{
	return numa_node_id();
}

const struct bpf_func_proto bpf_get_numa_node_id_proto = {
	.func		= bpf_get_numa_node_id,
	.gpl_only	= false,
	.ret_type	= RET_INTEGER,
};

BPF_CALL_0(bpf_ktime_get_ns)
{
	/* NMI safe access to clock monotonic */
	return ktime_get_mono_fast_ns();
}

const struct bpf_func_proto bpf_ktime_get_ns_proto = {
	.func		= bpf_ktime_get_ns,
	.gpl_only	= true,
	.ret_type	= RET_INTEGER,
};

BPF_CALL_0(bpf_get_current_pid_tgid)
{
	struct task_struct *task = current;

	if (unlikely(!task))
		return -EINVAL;

	return (u64) task->tgid << 32 | task->pid;
}

const struct bpf_func_proto bpf_get_current_pid_tgid_proto = {
	.func		= bpf_get_current_pid_tgid,
	.gpl_only	= false,
	.ret_type	= RET_INTEGER,
};

BPF_CALL_0(bpf_get_current_uid_gid)
{
	struct task_struct *task = current;
	kuid_t uid;
	kgid_t gid;

	if (unlikely(!task))
		return -EINVAL;

	current_uid_gid(&uid, &gid);
	return (u64) from_kgid(&init_user_ns, gid) << 32 |
		     from_kuid(&init_user_ns, uid);
}

const struct bpf_func_proto bpf_get_current_uid_gid_proto = {
	.func		= bpf_get_current_uid_gid,
	.gpl_only	= false,
	.ret_type	= RET_INTEGER,
};
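
/* Illustrative sketch, not part of this file: unpacking the packed 64-bit
 * values returned by the two helpers above on the BPF program side (helper
 * wrappers as declared in libbpf's <bpf/bpf_helpers.h>).
 *
 *	__u64 pid_tgid = bpf_get_current_pid_tgid();
 *	__u32 tgid = pid_tgid >> 32;	// userspace "PID" (thread group id)
 *	__u32 pid  = (__u32)pid_tgid;	// userspace "TID" (kernel pid)
 *
 *	__u64 uid_gid = bpf_get_current_uid_gid();
 *	__u32 gid = uid_gid >> 32;
 *	__u32 uid = (__u32)uid_gid;
 */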

BPF_CALL_2(bpf_get_current_comm, char *, buf, u32, size)
{
	struct task_struct *task = current;

	if (unlikely(!task))
		goto err_clear;

	strncpy(buf, task->comm, size);

	/* Verifier guarantees that size > 0.  If task->comm exceeds
	 * size, guarantee that buf is %NUL-terminated.  This is done
	 * unconditionally here to save the size test.
	 */
	buf[size - 1] = 0;
	return 0;
err_clear:
	memset(buf, 0, size);
	return -EINVAL;
}

const struct bpf_func_proto bpf_get_current_comm_proto = {
	.func		= bpf_get_current_comm,
	.gpl_only	= false,
	.ret_type	= RET_INTEGER,
	.arg1_type	= ARG_PTR_TO_UNINIT_MEM,
	.arg2_type	= ARG_CONST_SIZE,
};

#if defined(CONFIG_QUEUED_SPINLOCKS) || defined(CONFIG_BPF_ARCH_SPINLOCK)

static inline void __bpf_spin_lock(struct bpf_spin_lock *lock)
{
	arch_spinlock_t *l = (void *)lock;
	union {
		__u32 val;
		arch_spinlock_t lock;
	} u = { .lock = __ARCH_SPIN_LOCK_UNLOCKED };

	compiletime_assert(u.val == 0, "__ARCH_SPIN_LOCK_UNLOCKED not 0");
	BUILD_BUG_ON(sizeof(*l) != sizeof(__u32));
	BUILD_BUG_ON(sizeof(*lock) != sizeof(__u32));
	arch_spin_lock(l);
}

static inline void __bpf_spin_unlock(struct bpf_spin_lock *lock)
{
	arch_spinlock_t *l = (void *)lock;

	arch_spin_unlock(l);
}

#else

/* Generic fallback: a minimal test-and-set spinlock on an atomic_t. */
static inline void __bpf_spin_lock(struct bpf_spin_lock *lock)
{
	atomic_t *l = (void *)lock;

	BUILD_BUG_ON(sizeof(*l) != sizeof(*lock));
	do {
		atomic_cond_read_relaxed(l, !VAL);
	} while (atomic_xchg(l, 1));
}

static inline void __bpf_spin_unlock(struct bpf_spin_lock *lock)
{
	atomic_t *l = (void *)lock;

	atomic_set_release(l, 0);
}

#endif

static DEFINE_PER_CPU(unsigned long, irqsave_flags);

notrace BPF_CALL_1(bpf_spin_lock, struct bpf_spin_lock *, lock)
{
	unsigned long flags;

	local_irq_save(flags);
	__bpf_spin_lock(lock);
	__this_cpu_write(irqsave_flags, flags);
	return 0;
}

const struct bpf_func_proto bpf_spin_lock_proto = {
	.func		= bpf_spin_lock,
	.gpl_only	= false,
	.ret_type	= RET_VOID,
	.arg1_type	= ARG_PTR_TO_SPIN_LOCK,
};

notrace BPF_CALL_1(bpf_spin_unlock, struct bpf_spin_lock *, lock)
{
	unsigned long flags;

	flags = __this_cpu_read(irqsave_flags);
	__bpf_spin_unlock(lock);
	local_irq_restore(flags);
	return 0;
}

const struct bpf_func_proto bpf_spin_unlock_proto = {
	.func		= bpf_spin_unlock,
	.gpl_only	= false,
	.ret_type	= RET_VOID,
	.arg1_type	= ARG_PTR_TO_SPIN_LOCK,
};
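
/* Illustrative sketch, not part of this file: bpf_spin_lock() as used
 * from a BPF program.  The verifier only accepts a pointer to a struct
 * bpf_spin_lock embedded in a map value; the struct and map below are
 * hypothetical.
 *
 *	struct val {
 *		struct bpf_spin_lock lock;
 *		__u64 cnt;
 *	};
 *
 *	struct val *v = bpf_map_lookup_elem(&vals, &key);
 *	if (v) {
 *		bpf_spin_lock(&v->lock);
 *		v->cnt++;
 *		bpf_spin_unlock(&v->lock);	// no helper calls in between
 *	}
 */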

void copy_map_value_locked(struct bpf_map *map, void *dst, void *src,
			   bool lock_src)
{
	struct bpf_spin_lock *lock;

	if (lock_src)
		lock = src + map->spin_lock_off;
	else
		lock = dst + map->spin_lock_off;
	preempt_disable();
	/* ____bpf_spin_lock() is the BPF_CALL_1-generated body of
	 * bpf_spin_lock() above; it also disables IRQs around the copy.
	 */
	____bpf_spin_lock(lock);
	copy_map_value(map, dst, src);
	____bpf_spin_unlock(lock);
	preempt_enable();
}

BPF_CALL_0(bpf_jiffies64)
{
	return get_jiffies_64();
}

const struct bpf_func_proto bpf_jiffies64_proto = {
	.func		= bpf_jiffies64,
	.gpl_only	= false,
	.ret_type	= RET_INTEGER,
};

#ifdef CONFIG_CGROUPS
BPF_CALL_0(bpf_get_current_cgroup_id)
{
	struct cgroup *cgrp = task_dfl_cgroup(current);

	return cgroup_id(cgrp);
}

const struct bpf_func_proto bpf_get_current_cgroup_id_proto = {
	.func		= bpf_get_current_cgroup_id,
	.gpl_only	= false,
	.ret_type	= RET_INTEGER,
};

BPF_CALL_1(bpf_get_current_ancestor_cgroup_id, int, ancestor_level)
{
	struct cgroup *cgrp = task_dfl_cgroup(current);
	struct cgroup *ancestor;

	ancestor = cgroup_ancestor(cgrp, ancestor_level);
	if (!ancestor)
		return 0;
	return cgroup_id(ancestor);
}

const struct bpf_func_proto bpf_get_current_ancestor_cgroup_id_proto = {
	.func		= bpf_get_current_ancestor_cgroup_id,
	.gpl_only	= false,
	.ret_type	= RET_INTEGER,
	.arg1_type	= ARG_ANYTHING,
};

#ifdef CONFIG_CGROUP_BPF
DECLARE_PER_CPU(struct bpf_cgroup_storage*,
		bpf_cgroup_storage[MAX_BPF_CGROUP_STORAGE_TYPE]);

BPF_CALL_2(bpf_get_local_storage, struct bpf_map *, map, u64, flags)
{
	/* The flags argument is unused for now, but allows the API to be
	 * extended; the verifier checks that its value is valid.
	 */
	enum bpf_cgroup_storage_type stype = cgroup_storage_type(map);
	struct bpf_cgroup_storage *storage;
	void *ptr;

	storage = this_cpu_read(bpf_cgroup_storage[stype]);

	if (stype == BPF_CGROUP_STORAGE_SHARED)
		ptr = &READ_ONCE(storage->buf)->data[0];
	else
		ptr = this_cpu_ptr(storage->percpu_buf);

	return (unsigned long)ptr;
}

const struct bpf_func_proto bpf_get_local_storage_proto = {
	.func		= bpf_get_local_storage,
	.gpl_only	= false,
	.ret_type	= RET_PTR_TO_MAP_VALUE,
	.arg1_type	= ARG_CONST_MAP_PTR,
	.arg2_type	= ARG_ANYTHING,
};
#endif /* CONFIG_CGROUP_BPF */

#define BPF_STRTOX_BASE_MASK 0x1f

static int __bpf_strtoull(const char *buf, size_t buf_len, u64 flags,
			  unsigned long long *res, bool *is_negative)
{
	unsigned int base = flags & BPF_STRTOX_BASE_MASK;
	const char *cur_buf = buf;
	size_t cur_len = buf_len;
	unsigned int consumed;
	size_t val_len;
	char str[64];

	if (!buf || !buf_len || !res || !is_negative)
		return -EINVAL;

	if (base != 0 && base != 8 && base != 10 && base != 16)
		return -EINVAL;

	if (flags & ~BPF_STRTOX_BASE_MASK)
		return -EINVAL;

	while (cur_buf < buf + buf_len && isspace(*cur_buf))
		++cur_buf;

	*is_negative = (cur_buf < buf + buf_len && *cur_buf == '-');
	if (*is_negative)
		++cur_buf;

	consumed = cur_buf - buf;
	cur_len -= consumed;
	if (!cur_len)
		return -EINVAL;

	cur_len = min(cur_len, sizeof(str) - 1);
	memcpy(str, cur_buf, cur_len);
	str[cur_len] = '\0';
	cur_buf = str;

	cur_buf = _parse_integer_fixup_radix(cur_buf, &base);
	val_len = _parse_integer(cur_buf, base, res);

	if (val_len & KSTRTOX_OVERFLOW)
		return -ERANGE;

	if (val_len == 0)
		return -EINVAL;

	cur_buf += val_len;
	consumed += cur_buf - str;

	return consumed;
}

static int __bpf_strtoll(const char *buf, size_t buf_len, u64 flags,
			 long long *res)
{
	unsigned long long _res;
	bool is_negative;
	int err;

	err = __bpf_strtoull(buf, buf_len, flags, &_res, &is_negative);
	if (err < 0)
		return err;
	if (is_negative) {
		if ((long long)-_res > 0)
			return -ERANGE;
		*res = -_res;
	} else {
		if ((long long)_res < 0)
			return -ERANGE;
		*res = _res;
	}
	return err;
}

BPF_CALL_4(bpf_strtol, const char *, buf, size_t, buf_len, u64, flags,
	   long *, res)
{
	long long _res;
	int err;

	err = __bpf_strtoll(buf, buf_len, flags, &_res);
	if (err < 0)
		return err;
	if (_res != (long)_res)
		return -ERANGE;
	*res = _res;
	return err;
}

const struct bpf_func_proto bpf_strtol_proto = {
	.func		= bpf_strtol,
	.gpl_only	= false,
	.ret_type	= RET_INTEGER,
	.arg1_type	= ARG_PTR_TO_MEM,
	.arg2_type	= ARG_CONST_SIZE,
	.arg3_type	= ARG_ANYTHING,
	.arg4_type	= ARG_PTR_TO_LONG,
};
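
/* Illustrative sketch, not part of this file: bpf_strtol() from the BPF
 * program side, e.g. a BPF_PROG_TYPE_CGROUP_SYSCTL program parsing a
 * value.  The buffer contents are hypothetical.
 *
 *	char buf[] = "  -42";
 *	long val;
 *	int ret;
 *
 *	// the low 5 bits of flags carry the numeric base; 0 = autodetect
 *	ret = bpf_strtol(buf, sizeof(buf) - 1, 0, &val);
 *	if (ret < 0)
 *		return ret;		// -EINVAL or -ERANGE
 *	// on success ret is the number of characters consumed; val == -42
 */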

BPF_CALL_4(bpf_strtoul, const char *, buf, size_t, buf_len, u64, flags,
	   unsigned long *, res)
{
	unsigned long long _res;
	bool is_negative;
	int err;

	err = __bpf_strtoull(buf, buf_len, flags, &_res, &is_negative);
	if (err < 0)
		return err;
	if (is_negative)
		return -EINVAL;
	if (_res != (unsigned long)_res)
		return -ERANGE;
	*res = _res;
	return err;
}

const struct bpf_func_proto bpf_strtoul_proto = {
	.func		= bpf_strtoul,
	.gpl_only	= false,
	.ret_type	= RET_INTEGER,
	.arg1_type	= ARG_PTR_TO_MEM,
	.arg2_type	= ARG_CONST_SIZE,
	.arg3_type	= ARG_ANYTHING,
	.arg4_type	= ARG_PTR_TO_LONG,
};
#endif /* CONFIG_CGROUPS */

BPF_CALL_4(bpf_get_ns_current_pid_tgid, u64, dev, u64, ino,
	   struct bpf_pidns_info *, nsdata, u32, size)
{
	struct task_struct *task = current;
	struct pid_namespace *pidns;
	int err = -EINVAL;

	if (unlikely(size != sizeof(struct bpf_pidns_info)))
		goto clear;

	if (unlikely((u64)(dev_t)dev != dev))
		goto clear;

	if (unlikely(!task))
		goto clear;

	pidns = task_active_pid_ns(task);
	if (unlikely(!pidns)) {
		err = -ENOENT;
		goto clear;
	}

	if (!ns_match(&pidns->ns, (dev_t)dev, ino))
		goto clear;

	nsdata->pid = task_pid_nr_ns(task, pidns);
	nsdata->tgid = task_tgid_nr_ns(task, pidns);
	return 0;
clear:
	memset((void *)nsdata, 0, (size_t) size);
	return err;
}

const struct bpf_func_proto bpf_get_ns_current_pid_tgid_proto = {
	.func		= bpf_get_ns_current_pid_tgid,
	.gpl_only	= false,
	.ret_type	= RET_INTEGER,
	.arg1_type	= ARG_ANYTHING,
	.arg2_type	= ARG_ANYTHING,
	.arg3_type	= ARG_PTR_TO_UNINIT_MEM,
	.arg4_type	= ARG_CONST_SIZE,
};
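
/* Illustrative sketch, not part of this file: bpf_get_ns_current_pid_tgid()
 * from the BPF program side.  The (dev, ino) pair naming the pid namespace
 * is typically obtained in userspace via stat(2) on /proc/self/ns/pid and
 * handed to the program (e.g. through a map); dev and ino below are assumed
 * to arrive that way.
 *
 *	struct bpf_pidns_info ns;
 *
 *	if (bpf_get_ns_current_pid_tgid(dev, ino, &ns, sizeof(ns)))
 *		return 0;	// task not in that namespace, or bad args
 *	// ns.pid and ns.tgid are now relative to the requested namespace
 */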