1 /* Copyright (c) 2011-2014 PLUMgrid, http://plumgrid.com
3 * This program is free software; you can redistribute it and/or
4 * modify it under the terms of version 2 of the GNU General Public
5 * License as published by the Free Software Foundation.
7 * This program is distributed in the hope that it will be useful, but
8 * WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
10 * General Public License for more details.
12 #include <linux/bpf.h>
13 #include <linux/bpf_trace.h>
14 #include <linux/btf.h>
15 #include <linux/syscalls.h>
16 #include <linux/slab.h>
17 #include <linux/sched/signal.h>
18 #include <linux/vmalloc.h>
19 #include <linux/mmzone.h>
20 #include <linux/anon_inodes.h>
21 #include <linux/file.h>
22 #include <linux/license.h>
23 #include <linux/filter.h>
24 #include <linux/version.h>
25 #include <linux/kernel.h>
26 #include <linux/idr.h>
27 #include <linux/cred.h>
28 #include <linux/timekeeping.h>
29 #include <linux/ctype.h>
30 #include <linux/btf.h>
31 #include <linux/nospec.h>
33 #define IS_FD_ARRAY(map) ((map)->map_type == BPF_MAP_TYPE_PROG_ARRAY || \
34 (map)->map_type == BPF_MAP_TYPE_PERF_EVENT_ARRAY || \
35 (map)->map_type == BPF_MAP_TYPE_CGROUP_ARRAY || \
36 (map)->map_type == BPF_MAP_TYPE_ARRAY_OF_MAPS)
37 #define IS_FD_HASH(map) ((map)->map_type == BPF_MAP_TYPE_HASH_OF_MAPS)
38 #define IS_FD_MAP(map) (IS_FD_ARRAY(map) || IS_FD_HASH(map))
40 #define BPF_OBJ_FLAG_MASK (BPF_F_RDONLY | BPF_F_WRONLY)
42 DEFINE_PER_CPU(int, bpf_prog_active);
43 static DEFINE_IDR(prog_idr);
44 static DEFINE_SPINLOCK(prog_idr_lock);
45 static DEFINE_IDR(map_idr);
46 static DEFINE_SPINLOCK(map_idr_lock);
48 int sysctl_unprivileged_bpf_disabled __read_mostly;
50 static const struct bpf_map_ops * const bpf_map_types[] = {
51 #define BPF_PROG_TYPE(_id, _ops)
52 #define BPF_MAP_TYPE(_id, _ops) \
54 #include <linux/bpf_types.h>
60 * If we're handed a bigger struct than we know of, ensure all the unknown bits
61 * are 0 - i.e. new user-space does not rely on any kernel feature extensions
62 * we don't know about yet.
64 * There is a ToCToU between this function call and the following
65 * copy_from_user() call. However, this is not a concern since this function is
66 * meant to be a future-proofing of bits.
68 static int check_uarg_tail_zero(void __user *uaddr,
72 unsigned char __user *addr;
73 unsigned char __user *end;
77 if (unlikely(actual_size > PAGE_SIZE)) /* silly large */
80 if (unlikely(!access_ok(VERIFY_READ, uaddr, actual_size)))
83 if (actual_size <= expected_size)
86 addr = uaddr + expected_size;
87 end = uaddr + actual_size;
89 for (; addr < end; addr++) {
90 err = get_user(val, addr);
100 const struct bpf_map_ops bpf_map_offload_ops = {
101 .map_alloc = bpf_map_offload_map_alloc,
102 .map_free = bpf_map_offload_map_free,
105 static struct bpf_map *find_and_alloc_map(union bpf_attr *attr)
107 const struct bpf_map_ops *ops;
108 u32 type = attr->map_type;
112 if (type >= ARRAY_SIZE(bpf_map_types))
113 return ERR_PTR(-EINVAL);
114 type = array_index_nospec(type, ARRAY_SIZE(bpf_map_types));
115 ops = bpf_map_types[type];
117 return ERR_PTR(-EINVAL);
119 if (ops->map_alloc_check) {
120 err = ops->map_alloc_check(attr);
124 if (attr->map_ifindex)
125 ops = &bpf_map_offload_ops;
126 map = ops->map_alloc(attr);
130 map->map_type = type;
134 void *bpf_map_area_alloc(size_t size, int numa_node)
136 /* We definitely need __GFP_NORETRY, so OOM killer doesn't
137 * trigger under memory pressure as we really just want to
140 const gfp_t flags = __GFP_NOWARN | __GFP_NORETRY | __GFP_ZERO;
143 if (size <= (PAGE_SIZE << PAGE_ALLOC_COSTLY_ORDER)) {
144 area = kmalloc_node(size, GFP_USER | flags, numa_node);
149 return __vmalloc_node_flags_caller(size, numa_node, GFP_KERNEL | flags,
150 __builtin_return_address(0));
153 void bpf_map_area_free(void *area)
158 void bpf_map_init_from_attr(struct bpf_map *map, union bpf_attr *attr)
160 map->map_type = attr->map_type;
161 map->key_size = attr->key_size;
162 map->value_size = attr->value_size;
163 map->max_entries = attr->max_entries;
164 map->map_flags = attr->map_flags;
165 map->numa_node = bpf_map_attr_numa_node(attr);
168 int bpf_map_precharge_memlock(u32 pages)
170 struct user_struct *user = get_current_user();
171 unsigned long memlock_limit, cur;
173 memlock_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
174 cur = atomic_long_read(&user->locked_vm);
176 if (cur + pages > memlock_limit)
181 static int bpf_map_charge_memlock(struct bpf_map *map)
183 struct user_struct *user = get_current_user();
184 unsigned long memlock_limit;
186 memlock_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
188 atomic_long_add(map->pages, &user->locked_vm);
190 if (atomic_long_read(&user->locked_vm) > memlock_limit) {
191 atomic_long_sub(map->pages, &user->locked_vm);
199 static void bpf_map_uncharge_memlock(struct bpf_map *map)
201 struct user_struct *user = map->user;
203 atomic_long_sub(map->pages, &user->locked_vm);
207 static int bpf_map_alloc_id(struct bpf_map *map)
211 idr_preload(GFP_KERNEL);
212 spin_lock_bh(&map_idr_lock);
213 id = idr_alloc_cyclic(&map_idr, map, 1, INT_MAX, GFP_ATOMIC);
216 spin_unlock_bh(&map_idr_lock);
219 if (WARN_ON_ONCE(!id))
222 return id > 0 ? 0 : id;
225 void bpf_map_free_id(struct bpf_map *map, bool do_idr_lock)
229 /* Offloaded maps are removed from the IDR store when their device
230 * disappears - even if someone holds an fd to them they are unusable,
231 * the memory is gone, all ops will fail; they are simply waiting for
232 * refcnt to drop to be freed.
238 spin_lock_irqsave(&map_idr_lock, flags);
240 __acquire(&map_idr_lock);
242 idr_remove(&map_idr, map->id);
246 spin_unlock_irqrestore(&map_idr_lock, flags);
248 __release(&map_idr_lock);
251 /* called from workqueue */
252 static void bpf_map_free_deferred(struct work_struct *work)
254 struct bpf_map *map = container_of(work, struct bpf_map, work);
256 bpf_map_uncharge_memlock(map);
257 security_bpf_map_free(map);
258 /* implementation dependent freeing */
259 map->ops->map_free(map);
262 static void bpf_map_put_uref(struct bpf_map *map)
264 if (atomic_dec_and_test(&map->usercnt)) {
265 if (map->ops->map_release_uref)
266 map->ops->map_release_uref(map);
270 /* decrement map refcnt and schedule it for freeing via workqueue
271 * (unrelying map implementation ops->map_free() might sleep)
273 static void __bpf_map_put(struct bpf_map *map, bool do_idr_lock)
275 if (atomic_dec_and_test(&map->refcnt)) {
276 /* bpf_map_free_id() must be called first */
277 bpf_map_free_id(map, do_idr_lock);
279 INIT_WORK(&map->work, bpf_map_free_deferred);
280 schedule_work(&map->work);
284 void bpf_map_put(struct bpf_map *map)
286 __bpf_map_put(map, true);
288 EXPORT_SYMBOL_GPL(bpf_map_put);
290 void bpf_map_put_with_uref(struct bpf_map *map)
292 bpf_map_put_uref(map);
296 static int bpf_map_release(struct inode *inode, struct file *filp)
298 struct bpf_map *map = filp->private_data;
300 if (map->ops->map_release)
301 map->ops->map_release(map, filp);
303 bpf_map_put_with_uref(map);
307 #ifdef CONFIG_PROC_FS
308 static void bpf_map_show_fdinfo(struct seq_file *m, struct file *filp)
310 const struct bpf_map *map = filp->private_data;
311 const struct bpf_array *array;
312 u32 owner_prog_type = 0;
315 if (map->map_type == BPF_MAP_TYPE_PROG_ARRAY) {
316 array = container_of(map, struct bpf_array, map);
317 owner_prog_type = array->owner_prog_type;
318 owner_jited = array->owner_jited;
333 map->pages * 1ULL << PAGE_SHIFT);
335 if (owner_prog_type) {
336 seq_printf(m, "owner_prog_type:\t%u\n",
338 seq_printf(m, "owner_jited:\t%u\n",
344 static ssize_t bpf_dummy_read(struct file *filp, char __user *buf, size_t siz,
347 /* We need this handler such that alloc_file() enables
348 * f_mode with FMODE_CAN_READ.
353 static ssize_t bpf_dummy_write(struct file *filp, const char __user *buf,
354 size_t siz, loff_t *ppos)
356 /* We need this handler such that alloc_file() enables
357 * f_mode with FMODE_CAN_WRITE.
362 const struct file_operations bpf_map_fops = {
363 #ifdef CONFIG_PROC_FS
364 .show_fdinfo = bpf_map_show_fdinfo,
366 .release = bpf_map_release,
367 .read = bpf_dummy_read,
368 .write = bpf_dummy_write,
371 int bpf_map_new_fd(struct bpf_map *map, int flags)
375 ret = security_bpf_map(map, OPEN_FMODE(flags));
379 return anon_inode_getfd("bpf-map", &bpf_map_fops, map,
383 int bpf_get_file_flag(int flags)
385 if ((flags & BPF_F_RDONLY) && (flags & BPF_F_WRONLY))
387 if (flags & BPF_F_RDONLY)
389 if (flags & BPF_F_WRONLY)
394 /* helper macro to check that unused fields 'union bpf_attr' are zero */
395 #define CHECK_ATTR(CMD) \
396 memchr_inv((void *) &attr->CMD##_LAST_FIELD + \
397 sizeof(attr->CMD##_LAST_FIELD), 0, \
399 offsetof(union bpf_attr, CMD##_LAST_FIELD) - \
400 sizeof(attr->CMD##_LAST_FIELD)) != NULL
402 /* dst and src must have at least BPF_OBJ_NAME_LEN number of bytes.
403 * Return 0 on success and < 0 on error.
405 static int bpf_obj_name_cpy(char *dst, const char *src)
407 const char *end = src + BPF_OBJ_NAME_LEN;
409 memset(dst, 0, BPF_OBJ_NAME_LEN);
411 /* Copy all isalnum() and '_' char */
412 while (src < end && *src) {
413 if (!isalnum(*src) && *src != '_')
418 /* No '\0' found in BPF_OBJ_NAME_LEN number of bytes */
425 #define BPF_MAP_CREATE_LAST_FIELD btf_value_id
426 /* called via syscall */
427 static int map_create(union bpf_attr *attr)
429 int numa_node = bpf_map_attr_numa_node(attr);
434 err = CHECK_ATTR(BPF_MAP_CREATE);
438 f_flags = bpf_get_file_flag(attr->map_flags);
442 if (numa_node != NUMA_NO_NODE &&
443 ((unsigned int)numa_node >= nr_node_ids ||
444 !node_online(numa_node)))
447 /* find map type and init map: hashtable vs rbtree vs bloom vs ... */
448 map = find_and_alloc_map(attr);
452 err = bpf_obj_name_cpy(map->name, attr->map_name);
454 goto free_map_nouncharge;
456 atomic_set(&map->refcnt, 1);
457 atomic_set(&map->usercnt, 1);
459 if (bpf_map_support_seq_show(map) &&
460 (attr->btf_key_id || attr->btf_value_id)) {
463 if (!attr->btf_key_id || !attr->btf_value_id) {
465 goto free_map_nouncharge;
468 btf = btf_get_by_fd(attr->btf_fd);
471 goto free_map_nouncharge;
474 err = map->ops->map_check_btf(map, btf, attr->btf_key_id,
478 goto free_map_nouncharge;
482 map->btf_key_id = attr->btf_key_id;
483 map->btf_value_id = attr->btf_value_id;
486 err = security_bpf_map_alloc(map);
488 goto free_map_nouncharge;
490 err = bpf_map_charge_memlock(map);
494 err = bpf_map_alloc_id(map);
498 err = bpf_map_new_fd(map, f_flags);
500 /* failed to allocate fd.
501 * bpf_map_put() is needed because the above
502 * bpf_map_alloc_id() has published the map
503 * to the userspace and the userspace may
504 * have refcnt-ed it through BPF_MAP_GET_FD_BY_ID.
513 bpf_map_uncharge_memlock(map);
515 security_bpf_map_free(map);
518 map->ops->map_free(map);
522 /* if error is returned, fd is released.
523 * On success caller should complete fd access with matching fdput()
525 struct bpf_map *__bpf_map_get(struct fd f)
528 return ERR_PTR(-EBADF);
529 if (f.file->f_op != &bpf_map_fops) {
531 return ERR_PTR(-EINVAL);
534 return f.file->private_data;
537 /* prog's and map's refcnt limit */
538 #define BPF_MAX_REFCNT 32768
540 struct bpf_map *bpf_map_inc(struct bpf_map *map, bool uref)
542 if (atomic_inc_return(&map->refcnt) > BPF_MAX_REFCNT) {
543 atomic_dec(&map->refcnt);
544 return ERR_PTR(-EBUSY);
547 atomic_inc(&map->usercnt);
550 EXPORT_SYMBOL_GPL(bpf_map_inc);
552 struct bpf_map *bpf_map_get_with_uref(u32 ufd)
554 struct fd f = fdget(ufd);
557 map = __bpf_map_get(f);
561 map = bpf_map_inc(map, true);
567 /* map_idr_lock should have been held */
568 static struct bpf_map *bpf_map_inc_not_zero(struct bpf_map *map,
573 refold = __atomic_add_unless(&map->refcnt, 1, 0);
575 if (refold >= BPF_MAX_REFCNT) {
576 __bpf_map_put(map, false);
577 return ERR_PTR(-EBUSY);
581 return ERR_PTR(-ENOENT);
584 atomic_inc(&map->usercnt);
589 int __weak bpf_stackmap_copy(struct bpf_map *map, void *key, void *value)
594 /* last field in 'union bpf_attr' used by this command */
595 #define BPF_MAP_LOOKUP_ELEM_LAST_FIELD value
597 static int map_lookup_elem(union bpf_attr *attr)
599 void __user *ukey = u64_to_user_ptr(attr->key);
600 void __user *uvalue = u64_to_user_ptr(attr->value);
601 int ufd = attr->map_fd;
603 void *key, *value, *ptr;
608 if (CHECK_ATTR(BPF_MAP_LOOKUP_ELEM))
612 map = __bpf_map_get(f);
616 if (!(f.file->f_mode & FMODE_CAN_READ)) {
621 key = memdup_user(ukey, map->key_size);
627 if (map->map_type == BPF_MAP_TYPE_PERCPU_HASH ||
628 map->map_type == BPF_MAP_TYPE_LRU_PERCPU_HASH ||
629 map->map_type == BPF_MAP_TYPE_PERCPU_ARRAY)
630 value_size = round_up(map->value_size, 8) * num_possible_cpus();
631 else if (IS_FD_MAP(map))
632 value_size = sizeof(u32);
634 value_size = map->value_size;
637 value = kmalloc(value_size, GFP_USER | __GFP_NOWARN);
641 if (bpf_map_is_dev_bound(map)) {
642 err = bpf_map_offload_lookup_elem(map, key, value);
643 } else if (map->map_type == BPF_MAP_TYPE_PERCPU_HASH ||
644 map->map_type == BPF_MAP_TYPE_LRU_PERCPU_HASH) {
645 err = bpf_percpu_hash_copy(map, key, value);
646 } else if (map->map_type == BPF_MAP_TYPE_PERCPU_ARRAY) {
647 err = bpf_percpu_array_copy(map, key, value);
648 } else if (map->map_type == BPF_MAP_TYPE_STACK_TRACE) {
649 err = bpf_stackmap_copy(map, key, value);
650 } else if (IS_FD_ARRAY(map)) {
651 err = bpf_fd_array_map_lookup_elem(map, key, value);
652 } else if (IS_FD_HASH(map)) {
653 err = bpf_fd_htab_map_lookup_elem(map, key, value);
656 ptr = map->ops->map_lookup_elem(map, key);
658 memcpy(value, ptr, value_size);
660 err = ptr ? 0 : -ENOENT;
667 if (copy_to_user(uvalue, value, value_size) != 0)
681 #define BPF_MAP_UPDATE_ELEM_LAST_FIELD flags
683 static int map_update_elem(union bpf_attr *attr)
685 void __user *ukey = u64_to_user_ptr(attr->key);
686 void __user *uvalue = u64_to_user_ptr(attr->value);
687 int ufd = attr->map_fd;
694 if (CHECK_ATTR(BPF_MAP_UPDATE_ELEM))
698 map = __bpf_map_get(f);
702 if (!(f.file->f_mode & FMODE_CAN_WRITE)) {
707 key = memdup_user(ukey, map->key_size);
713 if (map->map_type == BPF_MAP_TYPE_PERCPU_HASH ||
714 map->map_type == BPF_MAP_TYPE_LRU_PERCPU_HASH ||
715 map->map_type == BPF_MAP_TYPE_PERCPU_ARRAY)
716 value_size = round_up(map->value_size, 8) * num_possible_cpus();
718 value_size = map->value_size;
721 value = kmalloc(value_size, GFP_USER | __GFP_NOWARN);
726 if (copy_from_user(value, uvalue, value_size) != 0)
729 /* Need to create a kthread, thus must support schedule */
730 if (bpf_map_is_dev_bound(map)) {
731 err = bpf_map_offload_update_elem(map, key, value, attr->flags);
733 } else if (map->map_type == BPF_MAP_TYPE_CPUMAP) {
734 err = map->ops->map_update_elem(map, key, value, attr->flags);
738 /* must increment bpf_prog_active to avoid kprobe+bpf triggering from
739 * inside bpf map update or delete otherwise deadlocks are possible
742 __this_cpu_inc(bpf_prog_active);
743 if (map->map_type == BPF_MAP_TYPE_PERCPU_HASH ||
744 map->map_type == BPF_MAP_TYPE_LRU_PERCPU_HASH) {
745 err = bpf_percpu_hash_update(map, key, value, attr->flags);
746 } else if (map->map_type == BPF_MAP_TYPE_PERCPU_ARRAY) {
747 err = bpf_percpu_array_update(map, key, value, attr->flags);
748 } else if (IS_FD_ARRAY(map)) {
750 err = bpf_fd_array_map_update_elem(map, f.file, key, value,
753 } else if (map->map_type == BPF_MAP_TYPE_HASH_OF_MAPS) {
755 err = bpf_fd_htab_map_update_elem(map, f.file, key, value,
760 err = map->ops->map_update_elem(map, key, value, attr->flags);
763 __this_cpu_dec(bpf_prog_active);
775 #define BPF_MAP_DELETE_ELEM_LAST_FIELD key
777 static int map_delete_elem(union bpf_attr *attr)
779 void __user *ukey = u64_to_user_ptr(attr->key);
780 int ufd = attr->map_fd;
786 if (CHECK_ATTR(BPF_MAP_DELETE_ELEM))
790 map = __bpf_map_get(f);
794 if (!(f.file->f_mode & FMODE_CAN_WRITE)) {
799 key = memdup_user(ukey, map->key_size);
805 if (bpf_map_is_dev_bound(map)) {
806 err = bpf_map_offload_delete_elem(map, key);
811 __this_cpu_inc(bpf_prog_active);
813 err = map->ops->map_delete_elem(map, key);
815 __this_cpu_dec(bpf_prog_active);
824 /* last field in 'union bpf_attr' used by this command */
825 #define BPF_MAP_GET_NEXT_KEY_LAST_FIELD next_key
827 static int map_get_next_key(union bpf_attr *attr)
829 void __user *ukey = u64_to_user_ptr(attr->key);
830 void __user *unext_key = u64_to_user_ptr(attr->next_key);
831 int ufd = attr->map_fd;
833 void *key, *next_key;
837 if (CHECK_ATTR(BPF_MAP_GET_NEXT_KEY))
841 map = __bpf_map_get(f);
845 if (!(f.file->f_mode & FMODE_CAN_READ)) {
851 key = memdup_user(ukey, map->key_size);
861 next_key = kmalloc(map->key_size, GFP_USER);
865 if (bpf_map_is_dev_bound(map)) {
866 err = bpf_map_offload_get_next_key(map, key, next_key);
871 err = map->ops->map_get_next_key(map, key, next_key);
878 if (copy_to_user(unext_key, next_key, map->key_size) != 0)
892 static const struct bpf_prog_ops * const bpf_prog_types[] = {
893 #define BPF_PROG_TYPE(_id, _name) \
894 [_id] = & _name ## _prog_ops,
895 #define BPF_MAP_TYPE(_id, _ops)
896 #include <linux/bpf_types.h>
901 static int find_prog_type(enum bpf_prog_type type, struct bpf_prog *prog)
903 const struct bpf_prog_ops *ops;
905 if (type >= ARRAY_SIZE(bpf_prog_types))
907 type = array_index_nospec(type, ARRAY_SIZE(bpf_prog_types));
908 ops = bpf_prog_types[type];
912 if (!bpf_prog_is_dev_bound(prog->aux))
913 prog->aux->ops = ops;
915 prog->aux->ops = &bpf_offload_prog_ops;
920 /* drop refcnt on maps used by eBPF program and free auxilary data */
921 static void free_used_maps(struct bpf_prog_aux *aux)
925 for (i = 0; i < aux->used_map_cnt; i++)
926 bpf_map_put(aux->used_maps[i]);
928 kfree(aux->used_maps);
931 int __bpf_prog_charge(struct user_struct *user, u32 pages)
933 unsigned long memlock_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
934 unsigned long user_bufs;
937 user_bufs = atomic_long_add_return(pages, &user->locked_vm);
938 if (user_bufs > memlock_limit) {
939 atomic_long_sub(pages, &user->locked_vm);
947 void __bpf_prog_uncharge(struct user_struct *user, u32 pages)
950 atomic_long_sub(pages, &user->locked_vm);
953 static int bpf_prog_charge_memlock(struct bpf_prog *prog)
955 struct user_struct *user = get_current_user();
958 ret = __bpf_prog_charge(user, prog->pages);
964 prog->aux->user = user;
968 static void bpf_prog_uncharge_memlock(struct bpf_prog *prog)
970 struct user_struct *user = prog->aux->user;
972 __bpf_prog_uncharge(user, prog->pages);
976 static int bpf_prog_alloc_id(struct bpf_prog *prog)
980 idr_preload(GFP_KERNEL);
981 spin_lock_bh(&prog_idr_lock);
982 id = idr_alloc_cyclic(&prog_idr, prog, 1, INT_MAX, GFP_ATOMIC);
985 spin_unlock_bh(&prog_idr_lock);
988 /* id is in [1, INT_MAX) */
989 if (WARN_ON_ONCE(!id))
992 return id > 0 ? 0 : id;
995 void bpf_prog_free_id(struct bpf_prog *prog, bool do_idr_lock)
997 /* cBPF to eBPF migrations are currently not in the idr store.
998 * Offloaded programs are removed from the store when their device
999 * disappears - even if someone grabs an fd to them they are unusable,
1000 * simply waiting for refcnt to drop to be freed.
1006 spin_lock_bh(&prog_idr_lock);
1008 __acquire(&prog_idr_lock);
1010 idr_remove(&prog_idr, prog->aux->id);
1014 spin_unlock_bh(&prog_idr_lock);
1016 __release(&prog_idr_lock);
1019 static void __bpf_prog_put_rcu(struct rcu_head *rcu)
1021 struct bpf_prog_aux *aux = container_of(rcu, struct bpf_prog_aux, rcu);
1023 free_used_maps(aux);
1024 bpf_prog_uncharge_memlock(aux->prog);
1025 security_bpf_prog_free(aux);
1026 bpf_prog_free(aux->prog);
1029 static void __bpf_prog_put(struct bpf_prog *prog, bool do_idr_lock)
1031 if (atomic_dec_and_test(&prog->aux->refcnt)) {
1034 /* bpf_prog_free_id() must be called first */
1035 bpf_prog_free_id(prog, do_idr_lock);
1037 for (i = 0; i < prog->aux->func_cnt; i++)
1038 bpf_prog_kallsyms_del(prog->aux->func[i]);
1039 bpf_prog_kallsyms_del(prog);
1041 call_rcu(&prog->aux->rcu, __bpf_prog_put_rcu);
1045 void bpf_prog_put(struct bpf_prog *prog)
1047 __bpf_prog_put(prog, true);
1049 EXPORT_SYMBOL_GPL(bpf_prog_put);
1051 static int bpf_prog_release(struct inode *inode, struct file *filp)
1053 struct bpf_prog *prog = filp->private_data;
1059 #ifdef CONFIG_PROC_FS
1060 static void bpf_prog_show_fdinfo(struct seq_file *m, struct file *filp)
1062 const struct bpf_prog *prog = filp->private_data;
1063 char prog_tag[sizeof(prog->tag) * 2 + 1] = { };
1065 bin2hex(prog_tag, prog->tag, sizeof(prog->tag));
1074 prog->pages * 1ULL << PAGE_SHIFT);
1078 const struct file_operations bpf_prog_fops = {
1079 #ifdef CONFIG_PROC_FS
1080 .show_fdinfo = bpf_prog_show_fdinfo,
1082 .release = bpf_prog_release,
1083 .read = bpf_dummy_read,
1084 .write = bpf_dummy_write,
1087 int bpf_prog_new_fd(struct bpf_prog *prog)
1091 ret = security_bpf_prog(prog);
1095 return anon_inode_getfd("bpf-prog", &bpf_prog_fops, prog,
1096 O_RDWR | O_CLOEXEC);
1099 static struct bpf_prog *____bpf_prog_get(struct fd f)
1102 return ERR_PTR(-EBADF);
1103 if (f.file->f_op != &bpf_prog_fops) {
1105 return ERR_PTR(-EINVAL);
1108 return f.file->private_data;
1111 struct bpf_prog *bpf_prog_add(struct bpf_prog *prog, int i)
1113 if (atomic_add_return(i, &prog->aux->refcnt) > BPF_MAX_REFCNT) {
1114 atomic_sub(i, &prog->aux->refcnt);
1115 return ERR_PTR(-EBUSY);
1119 EXPORT_SYMBOL_GPL(bpf_prog_add);
1121 void bpf_prog_sub(struct bpf_prog *prog, int i)
1123 /* Only to be used for undoing previous bpf_prog_add() in some
1124 * error path. We still know that another entity in our call
1125 * path holds a reference to the program, thus atomic_sub() can
1126 * be safely used in such cases!
1128 WARN_ON(atomic_sub_return(i, &prog->aux->refcnt) == 0);
1130 EXPORT_SYMBOL_GPL(bpf_prog_sub);
1132 struct bpf_prog *bpf_prog_inc(struct bpf_prog *prog)
1134 return bpf_prog_add(prog, 1);
1136 EXPORT_SYMBOL_GPL(bpf_prog_inc);
1138 /* prog_idr_lock should have been held */
1139 struct bpf_prog *bpf_prog_inc_not_zero(struct bpf_prog *prog)
1143 refold = __atomic_add_unless(&prog->aux->refcnt, 1, 0);
1145 if (refold >= BPF_MAX_REFCNT) {
1146 __bpf_prog_put(prog, false);
1147 return ERR_PTR(-EBUSY);
1151 return ERR_PTR(-ENOENT);
1155 EXPORT_SYMBOL_GPL(bpf_prog_inc_not_zero);
1157 bool bpf_prog_get_ok(struct bpf_prog *prog,
1158 enum bpf_prog_type *attach_type, bool attach_drv)
1160 /* not an attachment, just a refcount inc, always allow */
1164 if (prog->type != *attach_type)
1166 if (bpf_prog_is_dev_bound(prog->aux) && !attach_drv)
1172 static struct bpf_prog *__bpf_prog_get(u32 ufd, enum bpf_prog_type *attach_type,
1175 struct fd f = fdget(ufd);
1176 struct bpf_prog *prog;
1178 prog = ____bpf_prog_get(f);
1181 if (!bpf_prog_get_ok(prog, attach_type, attach_drv)) {
1182 prog = ERR_PTR(-EINVAL);
1186 prog = bpf_prog_inc(prog);
1192 struct bpf_prog *bpf_prog_get(u32 ufd)
1194 return __bpf_prog_get(ufd, NULL, false);
1197 struct bpf_prog *bpf_prog_get_type_dev(u32 ufd, enum bpf_prog_type type,
1200 return __bpf_prog_get(ufd, &type, attach_drv);
1202 EXPORT_SYMBOL_GPL(bpf_prog_get_type_dev);
1204 /* Initially all BPF programs could be loaded w/o specifying
1205 * expected_attach_type. Later for some of them specifying expected_attach_type
1206 * at load time became required so that program could be validated properly.
1207 * Programs of types that are allowed to be loaded both w/ and w/o (for
1208 * backward compatibility) expected_attach_type, should have the default attach
1209 * type assigned to expected_attach_type for the latter case, so that it can be
1210 * validated later at attach time.
1212 * bpf_prog_load_fixup_attach_type() sets expected_attach_type in @attr if
1213 * prog type requires it but has some attach types that have to be backward
1216 static void bpf_prog_load_fixup_attach_type(union bpf_attr *attr)
1218 switch (attr->prog_type) {
1219 case BPF_PROG_TYPE_CGROUP_SOCK:
1220 /* Unfortunately BPF_ATTACH_TYPE_UNSPEC enumeration doesn't
1221 * exist so checking for non-zero is the way to go here.
1223 if (!attr->expected_attach_type)
1224 attr->expected_attach_type =
1225 BPF_CGROUP_INET_SOCK_CREATE;
1231 bpf_prog_load_check_attach_type(enum bpf_prog_type prog_type,
1232 enum bpf_attach_type expected_attach_type)
1234 switch (prog_type) {
1235 case BPF_PROG_TYPE_CGROUP_SOCK:
1236 switch (expected_attach_type) {
1237 case BPF_CGROUP_INET_SOCK_CREATE:
1238 case BPF_CGROUP_INET4_POST_BIND:
1239 case BPF_CGROUP_INET6_POST_BIND:
1244 case BPF_PROG_TYPE_CGROUP_SOCK_ADDR:
1245 switch (expected_attach_type) {
1246 case BPF_CGROUP_INET4_BIND:
1247 case BPF_CGROUP_INET6_BIND:
1248 case BPF_CGROUP_INET4_CONNECT:
1249 case BPF_CGROUP_INET6_CONNECT:
1259 /* last field in 'union bpf_attr' used by this command */
1260 #define BPF_PROG_LOAD_LAST_FIELD expected_attach_type
1262 static int bpf_prog_load(union bpf_attr *attr)
1264 enum bpf_prog_type type = attr->prog_type;
1265 struct bpf_prog *prog;
1270 if (CHECK_ATTR(BPF_PROG_LOAD))
1273 if (attr->prog_flags & ~BPF_F_STRICT_ALIGNMENT)
1276 /* copy eBPF program license from user space */
1277 if (strncpy_from_user(license, u64_to_user_ptr(attr->license),
1278 sizeof(license) - 1) < 0)
1280 license[sizeof(license) - 1] = 0;
1282 /* eBPF programs must be GPL compatible to use GPL-ed functions */
1283 is_gpl = license_is_gpl_compatible(license);
1285 if (attr->insn_cnt == 0 || attr->insn_cnt > BPF_MAXINSNS)
1288 if (type == BPF_PROG_TYPE_KPROBE &&
1289 attr->kern_version != LINUX_VERSION_CODE)
1292 if (type != BPF_PROG_TYPE_SOCKET_FILTER &&
1293 type != BPF_PROG_TYPE_CGROUP_SKB &&
1294 !capable(CAP_SYS_ADMIN))
1297 bpf_prog_load_fixup_attach_type(attr);
1298 if (bpf_prog_load_check_attach_type(type, attr->expected_attach_type))
1301 /* plain bpf_prog allocation */
1302 prog = bpf_prog_alloc(bpf_prog_size(attr->insn_cnt), GFP_USER);
1306 prog->expected_attach_type = attr->expected_attach_type;
1308 prog->aux->offload_requested = !!attr->prog_ifindex;
1310 err = security_bpf_prog_alloc(prog->aux);
1312 goto free_prog_nouncharge;
1314 err = bpf_prog_charge_memlock(prog);
1318 prog->len = attr->insn_cnt;
1321 if (copy_from_user(prog->insns, u64_to_user_ptr(attr->insns),
1322 bpf_prog_insn_size(prog)) != 0)
1325 prog->orig_prog = NULL;
1328 atomic_set(&prog->aux->refcnt, 1);
1329 prog->gpl_compatible = is_gpl ? 1 : 0;
1331 if (bpf_prog_is_dev_bound(prog->aux)) {
1332 err = bpf_prog_offload_init(prog, attr);
1337 /* find program type: socket_filter vs tracing_filter */
1338 err = find_prog_type(type, prog);
1342 prog->aux->load_time = ktime_get_boot_ns();
1343 err = bpf_obj_name_cpy(prog->aux->name, attr->prog_name);
1347 /* run eBPF verifier */
1348 err = bpf_check(&prog, attr);
1350 goto free_used_maps;
1352 /* eBPF program is ready to be JITed */
1353 if (!prog->bpf_func)
1354 prog = bpf_prog_select_runtime(prog, &err);
1356 goto free_used_maps;
1358 err = bpf_prog_alloc_id(prog);
1360 goto free_used_maps;
1362 err = bpf_prog_new_fd(prog);
1364 /* failed to allocate fd.
1365 * bpf_prog_put() is needed because the above
1366 * bpf_prog_alloc_id() has published the prog
1367 * to the userspace and the userspace may
1368 * have refcnt-ed it through BPF_PROG_GET_FD_BY_ID.
1374 bpf_prog_kallsyms_add(prog);
1378 free_used_maps(prog->aux);
1380 bpf_prog_uncharge_memlock(prog);
1382 security_bpf_prog_free(prog->aux);
1383 free_prog_nouncharge:
1384 bpf_prog_free(prog);
1388 #define BPF_OBJ_LAST_FIELD file_flags
1390 static int bpf_obj_pin(const union bpf_attr *attr)
1392 if (CHECK_ATTR(BPF_OBJ) || attr->file_flags != 0)
1395 return bpf_obj_pin_user(attr->bpf_fd, u64_to_user_ptr(attr->pathname));
1398 static int bpf_obj_get(const union bpf_attr *attr)
1400 if (CHECK_ATTR(BPF_OBJ) || attr->bpf_fd != 0 ||
1401 attr->file_flags & ~BPF_OBJ_FLAG_MASK)
1404 return bpf_obj_get_user(u64_to_user_ptr(attr->pathname),
1408 struct bpf_raw_tracepoint {
1409 struct bpf_raw_event_map *btp;
1410 struct bpf_prog *prog;
1413 static int bpf_raw_tracepoint_release(struct inode *inode, struct file *filp)
1415 struct bpf_raw_tracepoint *raw_tp = filp->private_data;
1418 bpf_probe_unregister(raw_tp->btp, raw_tp->prog);
1419 bpf_prog_put(raw_tp->prog);
1425 static const struct file_operations bpf_raw_tp_fops = {
1426 .release = bpf_raw_tracepoint_release,
1427 .read = bpf_dummy_read,
1428 .write = bpf_dummy_write,
1431 #define BPF_RAW_TRACEPOINT_OPEN_LAST_FIELD raw_tracepoint.prog_fd
1433 static int bpf_raw_tracepoint_open(const union bpf_attr *attr)
1435 struct bpf_raw_tracepoint *raw_tp;
1436 struct bpf_raw_event_map *btp;
1437 struct bpf_prog *prog;
1441 if (strncpy_from_user(tp_name, u64_to_user_ptr(attr->raw_tracepoint.name),
1442 sizeof(tp_name) - 1) < 0)
1444 tp_name[sizeof(tp_name) - 1] = 0;
1446 btp = bpf_find_raw_tracepoint(tp_name);
1450 raw_tp = kzalloc(sizeof(*raw_tp), GFP_USER);
1455 prog = bpf_prog_get_type(attr->raw_tracepoint.prog_fd,
1456 BPF_PROG_TYPE_RAW_TRACEPOINT);
1458 err = PTR_ERR(prog);
1462 err = bpf_probe_register(raw_tp->btp, prog);
1466 raw_tp->prog = prog;
1467 tp_fd = anon_inode_getfd("bpf-raw-tracepoint", &bpf_raw_tp_fops, raw_tp,
1470 bpf_probe_unregister(raw_tp->btp, prog);
1483 #ifdef CONFIG_CGROUP_BPF
1485 static int bpf_prog_attach_check_attach_type(const struct bpf_prog *prog,
1486 enum bpf_attach_type attach_type)
1488 switch (prog->type) {
1489 case BPF_PROG_TYPE_CGROUP_SOCK:
1490 case BPF_PROG_TYPE_CGROUP_SOCK_ADDR:
1491 return attach_type == prog->expected_attach_type ? 0 : -EINVAL;
1497 #define BPF_PROG_ATTACH_LAST_FIELD attach_flags
1499 static int sockmap_get_from_fd(const union bpf_attr *attr,
1500 int type, bool attach)
1502 struct bpf_prog *prog = NULL;
1503 int ufd = attr->target_fd;
1504 struct bpf_map *map;
1509 map = __bpf_map_get(f);
1511 return PTR_ERR(map);
1514 prog = bpf_prog_get_type(attr->attach_bpf_fd, type);
1517 return PTR_ERR(prog);
1521 err = sock_map_prog(map, prog, attr->attach_type);
1533 #define BPF_F_ATTACH_MASK \
1534 (BPF_F_ALLOW_OVERRIDE | BPF_F_ALLOW_MULTI)
1536 static int bpf_prog_attach(const union bpf_attr *attr)
1538 enum bpf_prog_type ptype;
1539 struct bpf_prog *prog;
1540 struct cgroup *cgrp;
1543 if (!capable(CAP_NET_ADMIN))
1546 if (CHECK_ATTR(BPF_PROG_ATTACH))
1549 if (attr->attach_flags & ~BPF_F_ATTACH_MASK)
1552 switch (attr->attach_type) {
1553 case BPF_CGROUP_INET_INGRESS:
1554 case BPF_CGROUP_INET_EGRESS:
1555 ptype = BPF_PROG_TYPE_CGROUP_SKB;
1557 case BPF_CGROUP_INET_SOCK_CREATE:
1558 case BPF_CGROUP_INET4_POST_BIND:
1559 case BPF_CGROUP_INET6_POST_BIND:
1560 ptype = BPF_PROG_TYPE_CGROUP_SOCK;
1562 case BPF_CGROUP_INET4_BIND:
1563 case BPF_CGROUP_INET6_BIND:
1564 case BPF_CGROUP_INET4_CONNECT:
1565 case BPF_CGROUP_INET6_CONNECT:
1566 ptype = BPF_PROG_TYPE_CGROUP_SOCK_ADDR;
1568 case BPF_CGROUP_SOCK_OPS:
1569 ptype = BPF_PROG_TYPE_SOCK_OPS;
1571 case BPF_CGROUP_DEVICE:
1572 ptype = BPF_PROG_TYPE_CGROUP_DEVICE;
1574 case BPF_SK_MSG_VERDICT:
1575 return sockmap_get_from_fd(attr, BPF_PROG_TYPE_SK_MSG, true);
1576 case BPF_SK_SKB_STREAM_PARSER:
1577 case BPF_SK_SKB_STREAM_VERDICT:
1578 return sockmap_get_from_fd(attr, BPF_PROG_TYPE_SK_SKB, true);
1583 prog = bpf_prog_get_type(attr->attach_bpf_fd, ptype);
1585 return PTR_ERR(prog);
1587 if (bpf_prog_attach_check_attach_type(prog, attr->attach_type)) {
1592 cgrp = cgroup_get_from_fd(attr->target_fd);
1595 return PTR_ERR(cgrp);
1598 ret = cgroup_bpf_attach(cgrp, prog, attr->attach_type,
1599 attr->attach_flags);
1607 #define BPF_PROG_DETACH_LAST_FIELD attach_type
1609 static int bpf_prog_detach(const union bpf_attr *attr)
1611 enum bpf_prog_type ptype;
1612 struct bpf_prog *prog;
1613 struct cgroup *cgrp;
1616 if (!capable(CAP_NET_ADMIN))
1619 if (CHECK_ATTR(BPF_PROG_DETACH))
1622 switch (attr->attach_type) {
1623 case BPF_CGROUP_INET_INGRESS:
1624 case BPF_CGROUP_INET_EGRESS:
1625 ptype = BPF_PROG_TYPE_CGROUP_SKB;
1627 case BPF_CGROUP_INET_SOCK_CREATE:
1628 case BPF_CGROUP_INET4_POST_BIND:
1629 case BPF_CGROUP_INET6_POST_BIND:
1630 ptype = BPF_PROG_TYPE_CGROUP_SOCK;
1632 case BPF_CGROUP_INET4_BIND:
1633 case BPF_CGROUP_INET6_BIND:
1634 case BPF_CGROUP_INET4_CONNECT:
1635 case BPF_CGROUP_INET6_CONNECT:
1636 ptype = BPF_PROG_TYPE_CGROUP_SOCK_ADDR;
1638 case BPF_CGROUP_SOCK_OPS:
1639 ptype = BPF_PROG_TYPE_SOCK_OPS;
1641 case BPF_CGROUP_DEVICE:
1642 ptype = BPF_PROG_TYPE_CGROUP_DEVICE;
1644 case BPF_SK_MSG_VERDICT:
1645 return sockmap_get_from_fd(attr, BPF_PROG_TYPE_SK_MSG, false);
1646 case BPF_SK_SKB_STREAM_PARSER:
1647 case BPF_SK_SKB_STREAM_VERDICT:
1648 return sockmap_get_from_fd(attr, BPF_PROG_TYPE_SK_SKB, false);
1653 cgrp = cgroup_get_from_fd(attr->target_fd);
1655 return PTR_ERR(cgrp);
1657 prog = bpf_prog_get_type(attr->attach_bpf_fd, ptype);
1661 ret = cgroup_bpf_detach(cgrp, prog, attr->attach_type, 0);
1668 #define BPF_PROG_QUERY_LAST_FIELD query.prog_cnt
1670 static int bpf_prog_query(const union bpf_attr *attr,
1671 union bpf_attr __user *uattr)
1673 struct cgroup *cgrp;
1676 if (!capable(CAP_NET_ADMIN))
1678 if (CHECK_ATTR(BPF_PROG_QUERY))
1680 if (attr->query.query_flags & ~BPF_F_QUERY_EFFECTIVE)
1683 switch (attr->query.attach_type) {
1684 case BPF_CGROUP_INET_INGRESS:
1685 case BPF_CGROUP_INET_EGRESS:
1686 case BPF_CGROUP_INET_SOCK_CREATE:
1687 case BPF_CGROUP_INET4_BIND:
1688 case BPF_CGROUP_INET6_BIND:
1689 case BPF_CGROUP_INET4_POST_BIND:
1690 case BPF_CGROUP_INET6_POST_BIND:
1691 case BPF_CGROUP_INET4_CONNECT:
1692 case BPF_CGROUP_INET6_CONNECT:
1693 case BPF_CGROUP_SOCK_OPS:
1694 case BPF_CGROUP_DEVICE:
1699 cgrp = cgroup_get_from_fd(attr->query.target_fd);
1701 return PTR_ERR(cgrp);
1702 ret = cgroup_bpf_query(cgrp, attr, uattr);
1706 #endif /* CONFIG_CGROUP_BPF */
1708 #define BPF_PROG_TEST_RUN_LAST_FIELD test.duration
1710 static int bpf_prog_test_run(const union bpf_attr *attr,
1711 union bpf_attr __user *uattr)
1713 struct bpf_prog *prog;
1714 int ret = -ENOTSUPP;
1716 if (!capable(CAP_SYS_ADMIN))
1718 if (CHECK_ATTR(BPF_PROG_TEST_RUN))
1721 prog = bpf_prog_get(attr->test.prog_fd);
1723 return PTR_ERR(prog);
1725 if (prog->aux->ops->test_run)
1726 ret = prog->aux->ops->test_run(prog, attr, uattr);
1732 #define BPF_OBJ_GET_NEXT_ID_LAST_FIELD next_id
1734 static int bpf_obj_get_next_id(const union bpf_attr *attr,
1735 union bpf_attr __user *uattr,
1739 u32 next_id = attr->start_id;
1742 if (CHECK_ATTR(BPF_OBJ_GET_NEXT_ID) || next_id >= INT_MAX)
1745 if (!capable(CAP_SYS_ADMIN))
1750 if (!idr_get_next(idr, &next_id))
1752 spin_unlock_bh(lock);
1755 err = put_user(next_id, &uattr->next_id);
1760 #define BPF_PROG_GET_FD_BY_ID_LAST_FIELD prog_id
1762 static int bpf_prog_get_fd_by_id(const union bpf_attr *attr)
1764 struct bpf_prog *prog;
1765 u32 id = attr->prog_id;
1768 if (CHECK_ATTR(BPF_PROG_GET_FD_BY_ID))
1771 if (!capable(CAP_SYS_ADMIN))
1774 spin_lock_bh(&prog_idr_lock);
1775 prog = idr_find(&prog_idr, id);
1777 prog = bpf_prog_inc_not_zero(prog);
1779 prog = ERR_PTR(-ENOENT);
1780 spin_unlock_bh(&prog_idr_lock);
1783 return PTR_ERR(prog);
1785 fd = bpf_prog_new_fd(prog);
1792 #define BPF_MAP_GET_FD_BY_ID_LAST_FIELD open_flags
1794 static int bpf_map_get_fd_by_id(const union bpf_attr *attr)
1796 struct bpf_map *map;
1797 u32 id = attr->map_id;
1801 if (CHECK_ATTR(BPF_MAP_GET_FD_BY_ID) ||
1802 attr->open_flags & ~BPF_OBJ_FLAG_MASK)
1805 if (!capable(CAP_SYS_ADMIN))
1808 f_flags = bpf_get_file_flag(attr->open_flags);
1812 spin_lock_bh(&map_idr_lock);
1813 map = idr_find(&map_idr, id);
1815 map = bpf_map_inc_not_zero(map, true);
1817 map = ERR_PTR(-ENOENT);
1818 spin_unlock_bh(&map_idr_lock);
1821 return PTR_ERR(map);
1823 fd = bpf_map_new_fd(map, f_flags);
1830 static const struct bpf_map *bpf_map_from_imm(const struct bpf_prog *prog,
1835 for (i = 0; i < prog->aux->used_map_cnt; i++)
1836 if (prog->aux->used_maps[i] == (void *)addr)
1837 return prog->aux->used_maps[i];
1841 static struct bpf_insn *bpf_insn_prepare_dump(const struct bpf_prog *prog)
1843 const struct bpf_map *map;
1844 struct bpf_insn *insns;
1848 insns = kmemdup(prog->insnsi, bpf_prog_insn_size(prog),
1853 for (i = 0; i < prog->len; i++) {
1854 if (insns[i].code == (BPF_JMP | BPF_TAIL_CALL)) {
1855 insns[i].code = BPF_JMP | BPF_CALL;
1856 insns[i].imm = BPF_FUNC_tail_call;
1859 if (insns[i].code == (BPF_JMP | BPF_CALL) ||
1860 insns[i].code == (BPF_JMP | BPF_CALL_ARGS)) {
1861 if (insns[i].code == (BPF_JMP | BPF_CALL_ARGS))
1862 insns[i].code = BPF_JMP | BPF_CALL;
1863 if (!bpf_dump_raw_ok())
1868 if (insns[i].code != (BPF_LD | BPF_IMM | BPF_DW))
1871 imm = ((u64)insns[i + 1].imm << 32) | (u32)insns[i].imm;
1872 map = bpf_map_from_imm(prog, imm);
1874 insns[i].src_reg = BPF_PSEUDO_MAP_FD;
1875 insns[i].imm = map->id;
1876 insns[i + 1].imm = 0;
1880 if (!bpf_dump_raw_ok() &&
1881 imm == (unsigned long)prog->aux) {
1883 insns[i + 1].imm = 0;
1891 static int bpf_prog_get_info_by_fd(struct bpf_prog *prog,
1892 const union bpf_attr *attr,
1893 union bpf_attr __user *uattr)
1895 struct bpf_prog_info __user *uinfo = u64_to_user_ptr(attr->info.info);
1896 struct bpf_prog_info info = {};
1897 u32 info_len = attr->info.info_len;
1898 char __user *uinsns;
1902 err = check_uarg_tail_zero(uinfo, sizeof(info), info_len);
1905 info_len = min_t(u32, sizeof(info), info_len);
1907 if (copy_from_user(&info, uinfo, info_len))
1910 info.type = prog->type;
1911 info.id = prog->aux->id;
1912 info.load_time = prog->aux->load_time;
1913 info.created_by_uid = from_kuid_munged(current_user_ns(),
1914 prog->aux->user->uid);
1915 info.gpl_compatible = prog->gpl_compatible;
1917 memcpy(info.tag, prog->tag, sizeof(prog->tag));
1918 memcpy(info.name, prog->aux->name, sizeof(prog->aux->name));
1920 ulen = info.nr_map_ids;
1921 info.nr_map_ids = prog->aux->used_map_cnt;
1922 ulen = min_t(u32, info.nr_map_ids, ulen);
1924 u32 __user *user_map_ids = u64_to_user_ptr(info.map_ids);
1927 for (i = 0; i < ulen; i++)
1928 if (put_user(prog->aux->used_maps[i]->id,
1933 if (!capable(CAP_SYS_ADMIN)) {
1934 info.jited_prog_len = 0;
1935 info.xlated_prog_len = 0;
1939 ulen = info.xlated_prog_len;
1940 info.xlated_prog_len = bpf_prog_insn_size(prog);
1941 if (info.xlated_prog_len && ulen) {
1942 struct bpf_insn *insns_sanitized;
1945 if (prog->blinded && !bpf_dump_raw_ok()) {
1946 info.xlated_prog_insns = 0;
1949 insns_sanitized = bpf_insn_prepare_dump(prog);
1950 if (!insns_sanitized)
1952 uinsns = u64_to_user_ptr(info.xlated_prog_insns);
1953 ulen = min_t(u32, info.xlated_prog_len, ulen);
1954 fault = copy_to_user(uinsns, insns_sanitized, ulen);
1955 kfree(insns_sanitized);
1960 if (bpf_prog_is_dev_bound(prog->aux)) {
1961 err = bpf_prog_offload_info_fill(&info, prog);
1967 /* NOTE: the following code is supposed to be skipped for offload.
1968 * bpf_prog_offload_info_fill() is the place to fill similar fields
1971 ulen = info.jited_prog_len;
1972 info.jited_prog_len = prog->jited_len;
1973 if (info.jited_prog_len && ulen) {
1974 if (bpf_dump_raw_ok()) {
1975 uinsns = u64_to_user_ptr(info.jited_prog_insns);
1976 ulen = min_t(u32, info.jited_prog_len, ulen);
1977 if (copy_to_user(uinsns, prog->bpf_func, ulen))
1980 info.jited_prog_insns = 0;
1985 if (copy_to_user(uinfo, &info, info_len) ||
1986 put_user(info_len, &uattr->info.info_len))
1992 static int bpf_map_get_info_by_fd(struct bpf_map *map,
1993 const union bpf_attr *attr,
1994 union bpf_attr __user *uattr)
1996 struct bpf_map_info __user *uinfo = u64_to_user_ptr(attr->info.info);
1997 struct bpf_map_info info = {};
1998 u32 info_len = attr->info.info_len;
2001 err = check_uarg_tail_zero(uinfo, sizeof(info), info_len);
2004 info_len = min_t(u32, sizeof(info), info_len);
2006 info.type = map->map_type;
2008 info.key_size = map->key_size;
2009 info.value_size = map->value_size;
2010 info.max_entries = map->max_entries;
2011 info.map_flags = map->map_flags;
2012 memcpy(info.name, map->name, sizeof(map->name));
2015 info.btf_id = btf_id(map->btf);
2016 info.btf_key_id = map->btf_key_id;
2017 info.btf_value_id = map->btf_value_id;
2020 if (bpf_map_is_dev_bound(map)) {
2021 err = bpf_map_offload_info_fill(&info, map);
2026 if (copy_to_user(uinfo, &info, info_len) ||
2027 put_user(info_len, &uattr->info.info_len))
2033 static int bpf_btf_get_info_by_fd(struct btf *btf,
2034 const union bpf_attr *attr,
2035 union bpf_attr __user *uattr)
2037 struct bpf_btf_info __user *uinfo = u64_to_user_ptr(attr->info.info);
2038 u32 info_len = attr->info.info_len;
2041 err = check_uarg_tail_zero(uinfo, sizeof(*uinfo), info_len);
2045 return btf_get_info_by_fd(btf, attr, uattr);
2048 #define BPF_OBJ_GET_INFO_BY_FD_LAST_FIELD info.info
2050 static int bpf_obj_get_info_by_fd(const union bpf_attr *attr,
2051 union bpf_attr __user *uattr)
2053 int ufd = attr->info.bpf_fd;
2057 if (CHECK_ATTR(BPF_OBJ_GET_INFO_BY_FD))
2064 if (f.file->f_op == &bpf_prog_fops)
2065 err = bpf_prog_get_info_by_fd(f.file->private_data, attr,
2067 else if (f.file->f_op == &bpf_map_fops)
2068 err = bpf_map_get_info_by_fd(f.file->private_data, attr,
2070 else if (f.file->f_op == &btf_fops)
2071 err = bpf_btf_get_info_by_fd(f.file->private_data, attr, uattr);
2079 #define BPF_BTF_LOAD_LAST_FIELD btf_log_level
2081 static int bpf_btf_load(const union bpf_attr *attr)
2083 if (CHECK_ATTR(BPF_BTF_LOAD))
2086 if (!capable(CAP_SYS_ADMIN))
2089 return btf_new_fd(attr);
2092 #define BPF_BTF_GET_FD_BY_ID_LAST_FIELD btf_id
2094 static int bpf_btf_get_fd_by_id(const union bpf_attr *attr)
2096 if (CHECK_ATTR(BPF_BTF_GET_FD_BY_ID))
2099 if (!capable(CAP_SYS_ADMIN))
2102 return btf_get_fd_by_id(attr->btf_id);
2105 SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, size)
2107 union bpf_attr attr = {};
2110 if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN))
2113 err = check_uarg_tail_zero(uattr, sizeof(attr), size);
2116 size = min_t(u32, size, sizeof(attr));
2118 /* copy attributes from user space, may be less than sizeof(bpf_attr) */
2119 if (copy_from_user(&attr, uattr, size) != 0)
2122 err = security_bpf(cmd, &attr, size);
2127 case BPF_MAP_CREATE:
2128 err = map_create(&attr);
2130 case BPF_MAP_LOOKUP_ELEM:
2131 err = map_lookup_elem(&attr);
2133 case BPF_MAP_UPDATE_ELEM:
2134 err = map_update_elem(&attr);
2136 case BPF_MAP_DELETE_ELEM:
2137 err = map_delete_elem(&attr);
2139 case BPF_MAP_GET_NEXT_KEY:
2140 err = map_get_next_key(&attr);
2143 err = bpf_prog_load(&attr);
2146 err = bpf_obj_pin(&attr);
2149 err = bpf_obj_get(&attr);
2151 #ifdef CONFIG_CGROUP_BPF
2152 case BPF_PROG_ATTACH:
2153 err = bpf_prog_attach(&attr);
2155 case BPF_PROG_DETACH:
2156 err = bpf_prog_detach(&attr);
2158 case BPF_PROG_QUERY:
2159 err = bpf_prog_query(&attr, uattr);
2162 case BPF_PROG_TEST_RUN:
2163 err = bpf_prog_test_run(&attr, uattr);
2165 case BPF_PROG_GET_NEXT_ID:
2166 err = bpf_obj_get_next_id(&attr, uattr,
2167 &prog_idr, &prog_idr_lock);
2169 case BPF_MAP_GET_NEXT_ID:
2170 err = bpf_obj_get_next_id(&attr, uattr,
2171 &map_idr, &map_idr_lock);
2173 case BPF_PROG_GET_FD_BY_ID:
2174 err = bpf_prog_get_fd_by_id(&attr);
2176 case BPF_MAP_GET_FD_BY_ID:
2177 err = bpf_map_get_fd_by_id(&attr);
2179 case BPF_OBJ_GET_INFO_BY_FD:
2180 err = bpf_obj_get_info_by_fd(&attr, uattr);
2182 case BPF_RAW_TRACEPOINT_OPEN:
2183 err = bpf_raw_tracepoint_open(&attr);
2186 err = bpf_btf_load(&attr);
2188 case BPF_BTF_GET_FD_BY_ID:
2189 err = bpf_btf_get_fd_by_id(&attr);