1 // SPDX-License-Identifier: GPL-2.0-only 2 /* Copyright (c) 2011-2014 PLUMgrid, http://plumgrid.com 3 */ 4 #include <linux/bpf.h> 5 #include <linux/rcupdate.h> 6 #include <linux/random.h> 7 #include <linux/smp.h> 8 #include <linux/topology.h> 9 #include <linux/ktime.h> 10 #include <linux/sched.h> 11 #include <linux/uidgid.h> 12 #include <linux/filter.h> 13 #include <linux/ctype.h> 14 #include <linux/jiffies.h> 15 #include <linux/pid_namespace.h> 16 #include <linux/proc_ns.h> 17 18 #include "../../lib/kstrtox.h" 19 20 /* If kernel subsystem is allowing eBPF programs to call this function, 21 * inside its own verifier_ops->get_func_proto() callback it should return 22 * bpf_map_lookup_elem_proto, so that verifier can properly check the arguments 23 * 24 * Different map implementations will rely on rcu in map methods 25 * lookup/update/delete, therefore eBPF programs must run under rcu lock 26 * if program is allowed to access maps, so check rcu_read_lock_held in 27 * all three functions. 28 */ 29 BPF_CALL_2(bpf_map_lookup_elem, struct bpf_map *, map, void *, key) 30 { 31 WARN_ON_ONCE(!rcu_read_lock_held()); 32 return (unsigned long) map->ops->map_lookup_elem(map, key); 33 } 34 35 const struct bpf_func_proto bpf_map_lookup_elem_proto = { 36 .func = bpf_map_lookup_elem, 37 .gpl_only = false, 38 .pkt_access = true, 39 .ret_type = RET_PTR_TO_MAP_VALUE_OR_NULL, 40 .arg1_type = ARG_CONST_MAP_PTR, 41 .arg2_type = ARG_PTR_TO_MAP_KEY, 42 }; 43 44 BPF_CALL_4(bpf_map_update_elem, struct bpf_map *, map, void *, key, 45 void *, value, u64, flags) 46 { 47 WARN_ON_ONCE(!rcu_read_lock_held()); 48 return map->ops->map_update_elem(map, key, value, flags); 49 } 50 51 const struct bpf_func_proto bpf_map_update_elem_proto = { 52 .func = bpf_map_update_elem, 53 .gpl_only = false, 54 .pkt_access = true, 55 .ret_type = RET_INTEGER, 56 .arg1_type = ARG_CONST_MAP_PTR, 57 .arg2_type = ARG_PTR_TO_MAP_KEY, 58 .arg3_type = ARG_PTR_TO_MAP_VALUE, 59 .arg4_type = ARG_ANYTHING, 60 }; 61 62 BPF_CALL_2(bpf_map_delete_elem, struct bpf_map *, map, void *, key) 63 { 64 WARN_ON_ONCE(!rcu_read_lock_held()); 65 return map->ops->map_delete_elem(map, key); 66 } 67 68 const struct bpf_func_proto bpf_map_delete_elem_proto = { 69 .func = bpf_map_delete_elem, 70 .gpl_only = false, 71 .pkt_access = true, 72 .ret_type = RET_INTEGER, 73 .arg1_type = ARG_CONST_MAP_PTR, 74 .arg2_type = ARG_PTR_TO_MAP_KEY, 75 }; 76 77 BPF_CALL_3(bpf_map_push_elem, struct bpf_map *, map, void *, value, u64, flags) 78 { 79 return map->ops->map_push_elem(map, value, flags); 80 } 81 82 const struct bpf_func_proto bpf_map_push_elem_proto = { 83 .func = bpf_map_push_elem, 84 .gpl_only = false, 85 .pkt_access = true, 86 .ret_type = RET_INTEGER, 87 .arg1_type = ARG_CONST_MAP_PTR, 88 .arg2_type = ARG_PTR_TO_MAP_VALUE, 89 .arg3_type = ARG_ANYTHING, 90 }; 91 92 BPF_CALL_2(bpf_map_pop_elem, struct bpf_map *, map, void *, value) 93 { 94 return map->ops->map_pop_elem(map, value); 95 } 96 97 const struct bpf_func_proto bpf_map_pop_elem_proto = { 98 .func = bpf_map_pop_elem, 99 .gpl_only = false, 100 .ret_type = RET_INTEGER, 101 .arg1_type = ARG_CONST_MAP_PTR, 102 .arg2_type = ARG_PTR_TO_UNINIT_MAP_VALUE, 103 }; 104 105 BPF_CALL_2(bpf_map_peek_elem, struct bpf_map *, map, void *, value) 106 { 107 return map->ops->map_peek_elem(map, value); 108 } 109 110 const struct bpf_func_proto bpf_map_peek_elem_proto = { 111 .func = bpf_map_pop_elem, 112 .gpl_only = false, 113 .ret_type = RET_INTEGER, 114 .arg1_type = ARG_CONST_MAP_PTR, 115 .arg2_type = ARG_PTR_TO_UNINIT_MAP_VALUE, 116 }; 117 118 const struct bpf_func_proto bpf_get_prandom_u32_proto = { 119 .func = bpf_user_rnd_u32, 120 .gpl_only = false, 121 .ret_type = RET_INTEGER, 122 }; 123 124 BPF_CALL_0(bpf_get_smp_processor_id) 125 { 126 return smp_processor_id(); 127 } 128 129 const struct bpf_func_proto bpf_get_smp_processor_id_proto = { 130 .func = bpf_get_smp_processor_id, 131 .gpl_only = false, 132 .ret_type = RET_INTEGER, 133 }; 134 135 BPF_CALL_0(bpf_get_numa_node_id) 136 { 137 return numa_node_id(); 138 } 139 140 const struct bpf_func_proto bpf_get_numa_node_id_proto = { 141 .func = bpf_get_numa_node_id, 142 .gpl_only = false, 143 .ret_type = RET_INTEGER, 144 }; 145 146 BPF_CALL_0(bpf_ktime_get_ns) 147 { 148 /* NMI safe access to clock monotonic */ 149 return ktime_get_mono_fast_ns(); 150 } 151 152 const struct bpf_func_proto bpf_ktime_get_ns_proto = { 153 .func = bpf_ktime_get_ns, 154 .gpl_only = true, 155 .ret_type = RET_INTEGER, 156 }; 157 158 BPF_CALL_0(bpf_get_current_pid_tgid) 159 { 160 struct task_struct *task = current; 161 162 if (unlikely(!task)) 163 return -EINVAL; 164 165 return (u64) task->tgid << 32 | task->pid; 166 } 167 168 const struct bpf_func_proto bpf_get_current_pid_tgid_proto = { 169 .func = bpf_get_current_pid_tgid, 170 .gpl_only = false, 171 .ret_type = RET_INTEGER, 172 }; 173 174 BPF_CALL_0(bpf_get_current_uid_gid) 175 { 176 struct task_struct *task = current; 177 kuid_t uid; 178 kgid_t gid; 179 180 if (unlikely(!task)) 181 return -EINVAL; 182 183 current_uid_gid(&uid, &gid); 184 return (u64) from_kgid(&init_user_ns, gid) << 32 | 185 from_kuid(&init_user_ns, uid); 186 } 187 188 const struct bpf_func_proto bpf_get_current_uid_gid_proto = { 189 .func = bpf_get_current_uid_gid, 190 .gpl_only = false, 191 .ret_type = RET_INTEGER, 192 }; 193 194 BPF_CALL_2(bpf_get_current_comm, char *, buf, u32, size) 195 { 196 struct task_struct *task = current; 197 198 if (unlikely(!task)) 199 goto err_clear; 200 201 strncpy(buf, task->comm, size); 202 203 /* Verifier guarantees that size > 0. For task->comm exceeding 204 * size, guarantee that buf is %NUL-terminated. Unconditionally 205 * done here to save the size test. 206 */ 207 buf[size - 1] = 0; 208 return 0; 209 err_clear: 210 memset(buf, 0, size); 211 return -EINVAL; 212 } 213 214 const struct bpf_func_proto bpf_get_current_comm_proto = { 215 .func = bpf_get_current_comm, 216 .gpl_only = false, 217 .ret_type = RET_INTEGER, 218 .arg1_type = ARG_PTR_TO_UNINIT_MEM, 219 .arg2_type = ARG_CONST_SIZE, 220 }; 221 222 #if defined(CONFIG_QUEUED_SPINLOCKS) || defined(CONFIG_BPF_ARCH_SPINLOCK) 223 224 static inline void __bpf_spin_lock(struct bpf_spin_lock *lock) 225 { 226 arch_spinlock_t *l = (void *)lock; 227 union { 228 __u32 val; 229 arch_spinlock_t lock; 230 } u = { .lock = __ARCH_SPIN_LOCK_UNLOCKED }; 231 232 compiletime_assert(u.val == 0, "__ARCH_SPIN_LOCK_UNLOCKED not 0"); 233 BUILD_BUG_ON(sizeof(*l) != sizeof(__u32)); 234 BUILD_BUG_ON(sizeof(*lock) != sizeof(__u32)); 235 arch_spin_lock(l); 236 } 237 238 static inline void __bpf_spin_unlock(struct bpf_spin_lock *lock) 239 { 240 arch_spinlock_t *l = (void *)lock; 241 242 arch_spin_unlock(l); 243 } 244 245 #else 246 247 static inline void __bpf_spin_lock(struct bpf_spin_lock *lock) 248 { 249 atomic_t *l = (void *)lock; 250 251 BUILD_BUG_ON(sizeof(*l) != sizeof(*lock)); 252 do { 253 atomic_cond_read_relaxed(l, !VAL); 254 } while (atomic_xchg(l, 1)); 255 } 256 257 static inline void __bpf_spin_unlock(struct bpf_spin_lock *lock) 258 { 259 atomic_t *l = (void *)lock; 260 261 atomic_set_release(l, 0); 262 } 263 264 #endif 265 266 static DEFINE_PER_CPU(unsigned long, irqsave_flags); 267 268 notrace BPF_CALL_1(bpf_spin_lock, struct bpf_spin_lock *, lock) 269 { 270 unsigned long flags; 271 272 local_irq_save(flags); 273 __bpf_spin_lock(lock); 274 __this_cpu_write(irqsave_flags, flags); 275 return 0; 276 } 277 278 const struct bpf_func_proto bpf_spin_lock_proto = { 279 .func = bpf_spin_lock, 280 .gpl_only = false, 281 .ret_type = RET_VOID, 282 .arg1_type = ARG_PTR_TO_SPIN_LOCK, 283 }; 284 285 notrace BPF_CALL_1(bpf_spin_unlock, struct bpf_spin_lock *, lock) 286 { 287 unsigned long flags; 288 289 flags = __this_cpu_read(irqsave_flags); 290 __bpf_spin_unlock(lock); 291 local_irq_restore(flags); 292 return 0; 293 } 294 295 const struct bpf_func_proto bpf_spin_unlock_proto = { 296 .func = bpf_spin_unlock, 297 .gpl_only = false, 298 .ret_type = RET_VOID, 299 .arg1_type = ARG_PTR_TO_SPIN_LOCK, 300 }; 301 302 void copy_map_value_locked(struct bpf_map *map, void *dst, void *src, 303 bool lock_src) 304 { 305 struct bpf_spin_lock *lock; 306 307 if (lock_src) 308 lock = src + map->spin_lock_off; 309 else 310 lock = dst + map->spin_lock_off; 311 preempt_disable(); 312 ____bpf_spin_lock(lock); 313 copy_map_value(map, dst, src); 314 ____bpf_spin_unlock(lock); 315 preempt_enable(); 316 } 317 318 BPF_CALL_0(bpf_jiffies64) 319 { 320 return get_jiffies_64(); 321 } 322 323 const struct bpf_func_proto bpf_jiffies64_proto = { 324 .func = bpf_jiffies64, 325 .gpl_only = false, 326 .ret_type = RET_INTEGER, 327 }; 328 329 #ifdef CONFIG_CGROUPS 330 BPF_CALL_0(bpf_get_current_cgroup_id) 331 { 332 struct cgroup *cgrp = task_dfl_cgroup(current); 333 334 return cgroup_id(cgrp); 335 } 336 337 const struct bpf_func_proto bpf_get_current_cgroup_id_proto = { 338 .func = bpf_get_current_cgroup_id, 339 .gpl_only = false, 340 .ret_type = RET_INTEGER, 341 }; 342 343 #ifdef CONFIG_CGROUP_BPF 344 DECLARE_PER_CPU(struct bpf_cgroup_storage*, 345 bpf_cgroup_storage[MAX_BPF_CGROUP_STORAGE_TYPE]); 346 347 BPF_CALL_2(bpf_get_local_storage, struct bpf_map *, map, u64, flags) 348 { 349 /* flags argument is not used now, 350 * but provides an ability to extend the API. 351 * verifier checks that its value is correct. 352 */ 353 enum bpf_cgroup_storage_type stype = cgroup_storage_type(map); 354 struct bpf_cgroup_storage *storage; 355 void *ptr; 356 357 storage = this_cpu_read(bpf_cgroup_storage[stype]); 358 359 if (stype == BPF_CGROUP_STORAGE_SHARED) 360 ptr = &READ_ONCE(storage->buf)->data[0]; 361 else 362 ptr = this_cpu_ptr(storage->percpu_buf); 363 364 return (unsigned long)ptr; 365 } 366 367 const struct bpf_func_proto bpf_get_local_storage_proto = { 368 .func = bpf_get_local_storage, 369 .gpl_only = false, 370 .ret_type = RET_PTR_TO_MAP_VALUE, 371 .arg1_type = ARG_CONST_MAP_PTR, 372 .arg2_type = ARG_ANYTHING, 373 }; 374 #endif 375 376 #define BPF_STRTOX_BASE_MASK 0x1F 377 378 static int __bpf_strtoull(const char *buf, size_t buf_len, u64 flags, 379 unsigned long long *res, bool *is_negative) 380 { 381 unsigned int base = flags & BPF_STRTOX_BASE_MASK; 382 const char *cur_buf = buf; 383 size_t cur_len = buf_len; 384 unsigned int consumed; 385 size_t val_len; 386 char str[64]; 387 388 if (!buf || !buf_len || !res || !is_negative) 389 return -EINVAL; 390 391 if (base != 0 && base != 8 && base != 10 && base != 16) 392 return -EINVAL; 393 394 if (flags & ~BPF_STRTOX_BASE_MASK) 395 return -EINVAL; 396 397 while (cur_buf < buf + buf_len && isspace(*cur_buf)) 398 ++cur_buf; 399 400 *is_negative = (cur_buf < buf + buf_len && *cur_buf == '-'); 401 if (*is_negative) 402 ++cur_buf; 403 404 consumed = cur_buf - buf; 405 cur_len -= consumed; 406 if (!cur_len) 407 return -EINVAL; 408 409 cur_len = min(cur_len, sizeof(str) - 1); 410 memcpy(str, cur_buf, cur_len); 411 str[cur_len] = '\0'; 412 cur_buf = str; 413 414 cur_buf = _parse_integer_fixup_radix(cur_buf, &base); 415 val_len = _parse_integer(cur_buf, base, res); 416 417 if (val_len & KSTRTOX_OVERFLOW) 418 return -ERANGE; 419 420 if (val_len == 0) 421 return -EINVAL; 422 423 cur_buf += val_len; 424 consumed += cur_buf - str; 425 426 return consumed; 427 } 428 429 static int __bpf_strtoll(const char *buf, size_t buf_len, u64 flags, 430 long long *res) 431 { 432 unsigned long long _res; 433 bool is_negative; 434 int err; 435 436 err = __bpf_strtoull(buf, buf_len, flags, &_res, &is_negative); 437 if (err < 0) 438 return err; 439 if (is_negative) { 440 if ((long long)-_res > 0) 441 return -ERANGE; 442 *res = -_res; 443 } else { 444 if ((long long)_res < 0) 445 return -ERANGE; 446 *res = _res; 447 } 448 return err; 449 } 450 451 BPF_CALL_4(bpf_strtol, const char *, buf, size_t, buf_len, u64, flags, 452 long *, res) 453 { 454 long long _res; 455 int err; 456 457 err = __bpf_strtoll(buf, buf_len, flags, &_res); 458 if (err < 0) 459 return err; 460 if (_res != (long)_res) 461 return -ERANGE; 462 *res = _res; 463 return err; 464 } 465 466 const struct bpf_func_proto bpf_strtol_proto = { 467 .func = bpf_strtol, 468 .gpl_only = false, 469 .ret_type = RET_INTEGER, 470 .arg1_type = ARG_PTR_TO_MEM, 471 .arg2_type = ARG_CONST_SIZE, 472 .arg3_type = ARG_ANYTHING, 473 .arg4_type = ARG_PTR_TO_LONG, 474 }; 475 476 BPF_CALL_4(bpf_strtoul, const char *, buf, size_t, buf_len, u64, flags, 477 unsigned long *, res) 478 { 479 unsigned long long _res; 480 bool is_negative; 481 int err; 482 483 err = __bpf_strtoull(buf, buf_len, flags, &_res, &is_negative); 484 if (err < 0) 485 return err; 486 if (is_negative) 487 return -EINVAL; 488 if (_res != (unsigned long)_res) 489 return -ERANGE; 490 *res = _res; 491 return err; 492 } 493 494 const struct bpf_func_proto bpf_strtoul_proto = { 495 .func = bpf_strtoul, 496 .gpl_only = false, 497 .ret_type = RET_INTEGER, 498 .arg1_type = ARG_PTR_TO_MEM, 499 .arg2_type = ARG_CONST_SIZE, 500 .arg3_type = ARG_ANYTHING, 501 .arg4_type = ARG_PTR_TO_LONG, 502 }; 503 #endif 504 505 BPF_CALL_4(bpf_get_ns_current_pid_tgid, u64, dev, u64, ino, 506 struct bpf_pidns_info *, nsdata, u32, size) 507 { 508 struct task_struct *task = current; 509 struct pid_namespace *pidns; 510 int err = -EINVAL; 511 512 if (unlikely(size != sizeof(struct bpf_pidns_info))) 513 goto clear; 514 515 if (unlikely((u64)(dev_t)dev != dev)) 516 goto clear; 517 518 if (unlikely(!task)) 519 goto clear; 520 521 pidns = task_active_pid_ns(task); 522 if (unlikely(!pidns)) { 523 err = -ENOENT; 524 goto clear; 525 } 526 527 if (!ns_match(&pidns->ns, (dev_t)dev, ino)) 528 goto clear; 529 530 nsdata->pid = task_pid_nr_ns(task, pidns); 531 nsdata->tgid = task_tgid_nr_ns(task, pidns); 532 return 0; 533 clear: 534 memset((void *)nsdata, 0, (size_t) size); 535 return err; 536 } 537 538 const struct bpf_func_proto bpf_get_ns_current_pid_tgid_proto = { 539 .func = bpf_get_ns_current_pid_tgid, 540 .gpl_only = false, 541 .ret_type = RET_INTEGER, 542 .arg1_type = ARG_ANYTHING, 543 .arg2_type = ARG_ANYTHING, 544 .arg3_type = ARG_PTR_TO_UNINIT_MEM, 545 .arg4_type = ARG_CONST_SIZE, 546 }; 547