1 | // SPDX-License-Identifier: GPL-2.0 |
2 | /* Copyright (c) 2023 Meta Platforms, Inc. and affiliates. */ |
3 | |
4 | #include <vmlinux.h> |
5 | #include <bpf/bpf_tracing.h> |
6 | #include <bpf/bpf_helpers.h> |
7 | #include "bpf_misc.h" |
8 | |
9 | #include "cpumask_common.h" |
10 | |
11 | char _license[] SEC("license" ) = "GPL" ; |
12 | |
13 | /* Prototype for all of the program trace events below: |
14 | * |
15 | * TRACE_EVENT(task_newtask, |
16 | * TP_PROTO(struct task_struct *p, u64 clone_flags) |
17 | */ |
18 | |
19 | SEC("tp_btf/task_newtask" ) |
20 | __failure __msg("Unreleased reference" ) |
21 | int BPF_PROG(test_alloc_no_release, struct task_struct *task, u64 clone_flags) |
22 | { |
23 | struct bpf_cpumask *cpumask; |
24 | |
25 | cpumask = create_cpumask(); |
26 | __sink(cpumask); |
27 | |
28 | /* cpumask is never released. */ |
29 | return 0; |
30 | } |
31 | |
32 | SEC("tp_btf/task_newtask" ) |
33 | __failure __msg("NULL pointer passed to trusted arg0" ) |
34 | int BPF_PROG(test_alloc_double_release, struct task_struct *task, u64 clone_flags) |
35 | { |
36 | struct bpf_cpumask *cpumask; |
37 | |
38 | cpumask = create_cpumask(); |
39 | |
40 | /* cpumask is released twice. */ |
41 | bpf_cpumask_release(cpumask); |
42 | bpf_cpumask_release(cpumask); |
43 | |
44 | return 0; |
45 | } |
46 | |
47 | SEC("tp_btf/task_newtask" ) |
48 | __failure __msg("must be referenced" ) |
49 | int BPF_PROG(test_acquire_wrong_cpumask, struct task_struct *task, u64 clone_flags) |
50 | { |
51 | struct bpf_cpumask *cpumask; |
52 | |
53 | /* Can't acquire a non-struct bpf_cpumask. */ |
54 | cpumask = bpf_cpumask_acquire((struct bpf_cpumask *)task->cpus_ptr); |
55 | __sink(cpumask); |
56 | |
57 | return 0; |
58 | } |
59 | |
60 | SEC("tp_btf/task_newtask" ) |
61 | __failure __msg("bpf_cpumask_set_cpu args#1 expected pointer to STRUCT bpf_cpumask" ) |
62 | int BPF_PROG(test_mutate_cpumask, struct task_struct *task, u64 clone_flags) |
63 | { |
64 | struct bpf_cpumask *cpumask; |
65 | |
66 | /* Can't set the CPU of a non-struct bpf_cpumask. */ |
67 | bpf_cpumask_set_cpu(0, (struct bpf_cpumask *)task->cpus_ptr); |
68 | __sink(cpumask); |
69 | |
70 | return 0; |
71 | } |
72 | |
73 | SEC("tp_btf/task_newtask" ) |
74 | __failure __msg("Unreleased reference" ) |
75 | int BPF_PROG(test_insert_remove_no_release, struct task_struct *task, u64 clone_flags) |
76 | { |
77 | struct bpf_cpumask *cpumask; |
78 | struct __cpumask_map_value *v; |
79 | |
80 | cpumask = create_cpumask(); |
81 | if (!cpumask) |
82 | return 0; |
83 | |
84 | if (cpumask_map_insert(mask: cpumask)) |
85 | return 0; |
86 | |
87 | v = cpumask_map_value_lookup(); |
88 | if (!v) |
89 | return 0; |
90 | |
91 | cpumask = bpf_kptr_xchg(&v->cpumask, NULL); |
92 | |
93 | /* cpumask is never released. */ |
94 | return 0; |
95 | } |
96 | |
97 | SEC("tp_btf/task_newtask" ) |
98 | __failure __msg("NULL pointer passed to trusted arg0" ) |
99 | int BPF_PROG(test_cpumask_null, struct task_struct *task, u64 clone_flags) |
100 | { |
101 | /* NULL passed to KF_TRUSTED_ARGS kfunc. */ |
102 | bpf_cpumask_empty(NULL); |
103 | |
104 | return 0; |
105 | } |
106 | |
107 | SEC("tp_btf/task_newtask" ) |
108 | __failure __msg("R2 must be a rcu pointer" ) |
109 | int BPF_PROG(test_global_mask_out_of_rcu, struct task_struct *task, u64 clone_flags) |
110 | { |
111 | struct bpf_cpumask *local, *prev; |
112 | |
113 | local = create_cpumask(); |
114 | if (!local) |
115 | return 0; |
116 | |
117 | prev = bpf_kptr_xchg(&global_mask, local); |
118 | if (prev) { |
119 | bpf_cpumask_release(prev); |
120 | err = 3; |
121 | return 0; |
122 | } |
123 | |
124 | bpf_rcu_read_lock(); |
125 | local = global_mask; |
126 | if (!local) { |
127 | err = 4; |
128 | bpf_rcu_read_unlock(); |
129 | return 0; |
130 | } |
131 | |
132 | bpf_rcu_read_unlock(); |
133 | |
134 | /* RCU region is exited before calling KF_RCU kfunc. */ |
135 | |
136 | bpf_cpumask_test_cpu(0, (const struct cpumask *)local); |
137 | |
138 | return 0; |
139 | } |
140 | |
141 | SEC("tp_btf/task_newtask" ) |
142 | __failure __msg("NULL pointer passed to trusted arg1" ) |
143 | int BPF_PROG(test_global_mask_no_null_check, struct task_struct *task, u64 clone_flags) |
144 | { |
145 | struct bpf_cpumask *local, *prev; |
146 | |
147 | local = create_cpumask(); |
148 | if (!local) |
149 | return 0; |
150 | |
151 | prev = bpf_kptr_xchg(&global_mask, local); |
152 | if (prev) { |
153 | bpf_cpumask_release(prev); |
154 | err = 3; |
155 | return 0; |
156 | } |
157 | |
158 | bpf_rcu_read_lock(); |
159 | local = global_mask; |
160 | |
161 | /* No NULL check is performed on global cpumask kptr. */ |
162 | bpf_cpumask_test_cpu(0, (const struct cpumask *)local); |
163 | |
164 | bpf_rcu_read_unlock(); |
165 | |
166 | return 0; |
167 | } |
168 | |
169 | SEC("tp_btf/task_newtask" ) |
170 | __failure __msg("Possibly NULL pointer passed to helper arg2" ) |
171 | int BPF_PROG(test_global_mask_rcu_no_null_check, struct task_struct *task, u64 clone_flags) |
172 | { |
173 | struct bpf_cpumask *prev, *curr; |
174 | |
175 | curr = bpf_cpumask_create(); |
176 | if (!curr) |
177 | return 0; |
178 | |
179 | prev = bpf_kptr_xchg(&global_mask, curr); |
180 | if (prev) |
181 | bpf_cpumask_release(prev); |
182 | |
183 | bpf_rcu_read_lock(); |
184 | curr = global_mask; |
185 | /* PTR_TO_BTF_ID | PTR_MAYBE_NULL | MEM_RCU passed to bpf_kptr_xchg() */ |
186 | prev = bpf_kptr_xchg(&global_mask, curr); |
187 | bpf_rcu_read_unlock(); |
188 | if (prev) |
189 | bpf_cpumask_release(prev); |
190 | |
191 | return 0; |
192 | } |
193 | |