1 /* Copyright (c) 2011-2014 PLUMgrid, http://plumgrid.com
3 * This program is free software; you can redistribute it and/or
4 * modify it under the terms of version 2 of the GNU General Public
5 * License as published by the Free Software Foundation.
7 * This program is distributed in the hope that it will be useful, but
8 * WITHOUT ANY WARRANTY; without even the implied warranty of
9 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
10 * General Public License for more details.
12 #include <linux/bpf.h>
13 #include <linux/syscalls.h>
14 #include <linux/slab.h>
15 #include <linux/anon_inodes.h>
16 #include <linux/file.h>
17 #include <linux/license.h>
18 #include <linux/filter.h>
19 #include <linux/version.h>
21 int sysctl_unprivileged_bpf_disabled __read_mostly;
23 static LIST_HEAD(bpf_map_types);
25 static struct bpf_map *find_and_alloc_map(union bpf_attr *attr)
27 struct bpf_map_type_list *tl;
30 list_for_each_entry(tl, &bpf_map_types, list_node) {
31 if (tl->type == attr->map_type) {
32 map = tl->ops->map_alloc(attr);
36 map->map_type = attr->map_type;
40 return ERR_PTR(-EINVAL);
43 /* boot time registration of different map implementations */
44 void bpf_register_map_type(struct bpf_map_type_list *tl)
46 list_add(&tl->list_node, &bpf_map_types);
49 /* called from workqueue */
50 static void bpf_map_free_deferred(struct work_struct *work)
52 struct bpf_map *map = container_of(work, struct bpf_map, work);
54 /* implementation dependent freeing */
55 map->ops->map_free(map);
58 /* decrement map refcnt and schedule it for freeing via workqueue
59 * (unrelying map implementation ops->map_free() might sleep)
61 void bpf_map_put(struct bpf_map *map)
63 if (atomic_dec_and_test(&map->refcnt)) {
64 INIT_WORK(&map->work, bpf_map_free_deferred);
65 schedule_work(&map->work);
69 static int bpf_map_release(struct inode *inode, struct file *filp)
71 struct bpf_map *map = filp->private_data;
73 if (map->map_type == BPF_MAP_TYPE_PROG_ARRAY)
74 /* prog_array stores refcnt-ed bpf_prog pointers
75 * release them all when user space closes prog_array_fd
77 bpf_fd_array_map_clear(map);
83 static const struct file_operations bpf_map_fops = {
84 .release = bpf_map_release,
87 /* helper macro to check that unused fields 'union bpf_attr' are zero */
88 #define CHECK_ATTR(CMD) \
89 memchr_inv((void *) &attr->CMD##_LAST_FIELD + \
90 sizeof(attr->CMD##_LAST_FIELD), 0, \
92 offsetof(union bpf_attr, CMD##_LAST_FIELD) - \
93 sizeof(attr->CMD##_LAST_FIELD)) != NULL
95 #define BPF_MAP_CREATE_LAST_FIELD max_entries
96 /* called via syscall */
97 static int map_create(union bpf_attr *attr)
102 err = CHECK_ATTR(BPF_MAP_CREATE);
106 /* find map type and init map: hashtable vs rbtree vs bloom vs ... */
107 map = find_and_alloc_map(attr);
111 atomic_set(&map->refcnt, 1);
113 err = anon_inode_getfd("bpf-map", &bpf_map_fops, map, O_RDWR | O_CLOEXEC);
116 /* failed to allocate fd */
122 map->ops->map_free(map);
126 /* if error is returned, fd is released.
127 * On success caller should complete fd access with matching fdput()
129 struct bpf_map *bpf_map_get(struct fd f)
134 return ERR_PTR(-EBADF);
136 if (f.file->f_op != &bpf_map_fops) {
138 return ERR_PTR(-EINVAL);
141 map = f.file->private_data;
146 /* helper to convert user pointers passed inside __aligned_u64 fields */
147 static void __user *u64_to_ptr(__u64 val)
149 return (void __user *) (unsigned long) val;
152 /* last field in 'union bpf_attr' used by this command */
153 #define BPF_MAP_LOOKUP_ELEM_LAST_FIELD value
155 static int map_lookup_elem(union bpf_attr *attr)
157 void __user *ukey = u64_to_ptr(attr->key);
158 void __user *uvalue = u64_to_ptr(attr->value);
159 int ufd = attr->map_fd;
161 void *key, *value, *ptr;
165 if (CHECK_ATTR(BPF_MAP_LOOKUP_ELEM))
169 map = bpf_map_get(f);
174 key = kmalloc(map->key_size, GFP_USER);
179 if (copy_from_user(key, ukey, map->key_size) != 0)
183 value = kmalloc(map->value_size, GFP_USER);
188 ptr = map->ops->map_lookup_elem(map, key);
190 memcpy(value, ptr, map->value_size);
198 if (copy_to_user(uvalue, value, map->value_size) != 0)
212 #define BPF_MAP_UPDATE_ELEM_LAST_FIELD flags
214 static int map_update_elem(union bpf_attr *attr)
216 void __user *ukey = u64_to_ptr(attr->key);
217 void __user *uvalue = u64_to_ptr(attr->value);
218 int ufd = attr->map_fd;
224 if (CHECK_ATTR(BPF_MAP_UPDATE_ELEM))
228 map = bpf_map_get(f);
233 key = kmalloc(map->key_size, GFP_USER);
238 if (copy_from_user(key, ukey, map->key_size) != 0)
242 value = kmalloc(map->value_size, GFP_USER);
247 if (copy_from_user(value, uvalue, map->value_size) != 0)
250 /* eBPF program that use maps are running under rcu_read_lock(),
251 * therefore all map accessors rely on this fact, so do the same here
254 err = map->ops->map_update_elem(map, key, value, attr->flags);
266 #define BPF_MAP_DELETE_ELEM_LAST_FIELD key
268 static int map_delete_elem(union bpf_attr *attr)
270 void __user *ukey = u64_to_ptr(attr->key);
271 int ufd = attr->map_fd;
277 if (CHECK_ATTR(BPF_MAP_DELETE_ELEM))
281 map = bpf_map_get(f);
286 key = kmalloc(map->key_size, GFP_USER);
291 if (copy_from_user(key, ukey, map->key_size) != 0)
295 err = map->ops->map_delete_elem(map, key);
305 /* last field in 'union bpf_attr' used by this command */
306 #define BPF_MAP_GET_NEXT_KEY_LAST_FIELD next_key
308 static int map_get_next_key(union bpf_attr *attr)
310 void __user *ukey = u64_to_ptr(attr->key);
311 void __user *unext_key = u64_to_ptr(attr->next_key);
312 int ufd = attr->map_fd;
314 void *key, *next_key;
318 if (CHECK_ATTR(BPF_MAP_GET_NEXT_KEY))
322 map = bpf_map_get(f);
327 key = kmalloc(map->key_size, GFP_USER);
332 if (copy_from_user(key, ukey, map->key_size) != 0)
336 next_key = kmalloc(map->key_size, GFP_USER);
341 err = map->ops->map_get_next_key(map, key, next_key);
347 if (copy_to_user(unext_key, next_key, map->key_size) != 0)
361 static LIST_HEAD(bpf_prog_types);
363 static int find_prog_type(enum bpf_prog_type type, struct bpf_prog *prog)
365 struct bpf_prog_type_list *tl;
367 list_for_each_entry(tl, &bpf_prog_types, list_node) {
368 if (tl->type == type) {
369 prog->aux->ops = tl->ops;
378 void bpf_register_prog_type(struct bpf_prog_type_list *tl)
380 list_add(&tl->list_node, &bpf_prog_types);
383 /* fixup insn->imm field of bpf_call instructions:
384 * if (insn->imm == BPF_FUNC_map_lookup_elem)
385 * insn->imm = bpf_map_lookup_elem - __bpf_call_base;
386 * else if (insn->imm == BPF_FUNC_map_update_elem)
387 * insn->imm = bpf_map_update_elem - __bpf_call_base;
390 * this function is called after eBPF program passed verification
392 static void fixup_bpf_calls(struct bpf_prog *prog)
394 const struct bpf_func_proto *fn;
397 for (i = 0; i < prog->len; i++) {
398 struct bpf_insn *insn = &prog->insnsi[i];
400 if (insn->code == (BPF_JMP | BPF_CALL)) {
401 /* we reach here when program has bpf_call instructions
402 * and it passed bpf_check(), means that
403 * ops->get_func_proto must have been supplied, check it
405 BUG_ON(!prog->aux->ops->get_func_proto);
407 if (insn->imm == BPF_FUNC_get_route_realm)
408 prog->dst_needed = 1;
409 if (insn->imm == BPF_FUNC_get_prandom_u32)
410 bpf_user_rnd_init_once();
411 if (insn->imm == BPF_FUNC_tail_call) {
412 /* mark bpf_tail_call as different opcode
413 * to avoid conditional branch in
414 * interpeter for every normal call
415 * and to prevent accidental JITing by
416 * JIT compiler that doesn't support
424 fn = prog->aux->ops->get_func_proto(insn->imm);
425 /* all functions that have prototype and verifier allowed
426 * programs to call them, must be real in-kernel functions
429 insn->imm = fn->func - __bpf_call_base;
434 /* drop refcnt on maps used by eBPF program and free auxilary data */
435 static void free_used_maps(struct bpf_prog_aux *aux)
439 for (i = 0; i < aux->used_map_cnt; i++)
440 bpf_map_put(aux->used_maps[i]);
442 kfree(aux->used_maps);
445 static void __prog_put_rcu(struct rcu_head *rcu)
447 struct bpf_prog_aux *aux = container_of(rcu, struct bpf_prog_aux, rcu);
450 bpf_prog_free(aux->prog);
453 /* version of bpf_prog_put() that is called after a grace period */
454 void bpf_prog_put_rcu(struct bpf_prog *prog)
456 if (atomic_dec_and_test(&prog->aux->refcnt)) {
457 prog->aux->prog = prog;
458 call_rcu(&prog->aux->rcu, __prog_put_rcu);
462 void bpf_prog_put(struct bpf_prog *prog)
464 if (atomic_dec_and_test(&prog->aux->refcnt)) {
465 free_used_maps(prog->aux);
469 EXPORT_SYMBOL_GPL(bpf_prog_put);
471 static int bpf_prog_release(struct inode *inode, struct file *filp)
473 struct bpf_prog *prog = filp->private_data;
475 bpf_prog_put_rcu(prog);
479 static const struct file_operations bpf_prog_fops = {
480 .release = bpf_prog_release,
483 static struct bpf_prog *get_prog(struct fd f)
485 struct bpf_prog *prog;
488 return ERR_PTR(-EBADF);
490 if (f.file->f_op != &bpf_prog_fops) {
492 return ERR_PTR(-EINVAL);
495 prog = f.file->private_data;
500 /* called by sockets/tracing/seccomp before attaching program to an event
501 * pairs with bpf_prog_put()
503 struct bpf_prog *bpf_prog_get(u32 ufd)
505 struct fd f = fdget(ufd);
506 struct bpf_prog *prog;
513 atomic_inc(&prog->aux->refcnt);
517 EXPORT_SYMBOL_GPL(bpf_prog_get);
519 /* last field in 'union bpf_attr' used by this command */
520 #define BPF_PROG_LOAD_LAST_FIELD kern_version
522 static int bpf_prog_load(union bpf_attr *attr)
524 enum bpf_prog_type type = attr->prog_type;
525 struct bpf_prog *prog;
530 if (CHECK_ATTR(BPF_PROG_LOAD))
533 /* copy eBPF program license from user space */
534 if (strncpy_from_user(license, u64_to_ptr(attr->license),
535 sizeof(license) - 1) < 0)
537 license[sizeof(license) - 1] = 0;
539 /* eBPF programs must be GPL compatible to use GPL-ed functions */
540 is_gpl = license_is_gpl_compatible(license);
542 if (attr->insn_cnt >= BPF_MAXINSNS)
545 if (type == BPF_PROG_TYPE_KPROBE &&
546 attr->kern_version != LINUX_VERSION_CODE)
549 if (type != BPF_PROG_TYPE_SOCKET_FILTER && !capable(CAP_SYS_ADMIN))
552 /* plain bpf_prog allocation */
553 prog = bpf_prog_alloc(bpf_prog_size(attr->insn_cnt), GFP_USER);
557 prog->len = attr->insn_cnt;
560 if (copy_from_user(prog->insns, u64_to_ptr(attr->insns),
561 prog->len * sizeof(struct bpf_insn)) != 0)
564 prog->orig_prog = NULL;
567 atomic_set(&prog->aux->refcnt, 1);
568 prog->gpl_compatible = is_gpl ? 1 : 0;
570 /* find program type: socket_filter vs tracing_filter */
571 err = find_prog_type(type, prog);
575 /* run eBPF verifier */
576 err = bpf_check(&prog, attr);
580 /* fixup BPF_CALL->imm field */
581 fixup_bpf_calls(prog);
583 /* eBPF program is ready to be JITed */
584 err = bpf_prog_select_runtime(prog);
588 err = anon_inode_getfd("bpf-prog", &bpf_prog_fops, prog, O_RDWR | O_CLOEXEC);
590 /* failed to allocate fd */
596 free_used_maps(prog->aux);
602 SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, size)
604 union bpf_attr attr = {};
607 if (!capable(CAP_SYS_ADMIN) && sysctl_unprivileged_bpf_disabled)
610 if (!access_ok(VERIFY_READ, uattr, 1))
613 if (size > PAGE_SIZE) /* silly large */
616 /* If we're handed a bigger struct than we know of,
617 * ensure all the unknown bits are 0 - i.e. new
618 * user-space does not rely on any kernel feature
619 * extensions we dont know about yet.
621 if (size > sizeof(attr)) {
622 unsigned char __user *addr;
623 unsigned char __user *end;
626 addr = (void __user *)uattr + sizeof(attr);
627 end = (void __user *)uattr + size;
629 for (; addr < end; addr++) {
630 err = get_user(val, addr);
639 /* copy attributes from user space, may be less than sizeof(bpf_attr) */
640 if (copy_from_user(&attr, uattr, size) != 0)
645 err = map_create(&attr);
647 case BPF_MAP_LOOKUP_ELEM:
648 err = map_lookup_elem(&attr);
650 case BPF_MAP_UPDATE_ELEM:
651 err = map_update_elem(&attr);
653 case BPF_MAP_DELETE_ELEM:
654 err = map_delete_elem(&attr);
656 case BPF_MAP_GET_NEXT_KEY:
657 err = map_get_next_key(&attr);
660 err = bpf_prog_load(&attr);
projects / firefly-linux-kernel-4.4.55.git / blob