1 // SPDX-License-Identifier: GPL-2.0-only
2 /* Copyright (c) 2011-2014 PLUMgrid, http://plumgrid.com
5 #include <linux/bpf_trace.h>
6 #include <linux/bpf_lirc.h>
8 #include <linux/syscalls.h>
9 #include <linux/slab.h>
10 #include <linux/sched/signal.h>
11 #include <linux/vmalloc.h>
12 #include <linux/mmzone.h>
13 #include <linux/anon_inodes.h>
14 #include <linux/fdtable.h>
15 #include <linux/file.h>
17 #include <linux/license.h>
18 #include <linux/filter.h>
19 #include <linux/version.h>
20 #include <linux/kernel.h>
21 #include <linux/idr.h>
22 #include <linux/cred.h>
23 #include <linux/timekeeping.h>
24 #include <linux/ctype.h>
25 #include <linux/nospec.h>
26 #include <linux/audit.h>
27 #include <uapi/linux/btf.h>
28 #include <linux/bpf_lsm.h>
30 #define IS_FD_ARRAY(map) ((map)->map_type == BPF_MAP_TYPE_PERF_EVENT_ARRAY || \
31 (map)->map_type == BPF_MAP_TYPE_CGROUP_ARRAY || \
32 (map)->map_type == BPF_MAP_TYPE_ARRAY_OF_MAPS)
33 #define IS_FD_PROG_ARRAY(map) ((map)->map_type == BPF_MAP_TYPE_PROG_ARRAY)
34 #define IS_FD_HASH(map) ((map)->map_type == BPF_MAP_TYPE_HASH_OF_MAPS)
35 #define IS_FD_MAP(map) (IS_FD_ARRAY(map) || IS_FD_PROG_ARRAY(map) || \
38 #define BPF_OBJ_FLAG_MASK (BPF_F_RDONLY | BPF_F_WRONLY)
40 DEFINE_PER_CPU(int, bpf_prog_active);
41 static DEFINE_IDR(prog_idr);
42 static DEFINE_SPINLOCK(prog_idr_lock);
43 static DEFINE_IDR(map_idr);
44 static DEFINE_SPINLOCK(map_idr_lock);
46 int sysctl_unprivileged_bpf_disabled __read_mostly;
48 static const struct bpf_map_ops * const bpf_map_types[] = {
49 #define BPF_PROG_TYPE(_id, _name, prog_ctx_type, kern_ctx_type)
50 #define BPF_MAP_TYPE(_id, _ops) \
52 #include <linux/bpf_types.h>
58 * If we're handed a bigger struct than we know of, ensure all the unknown bits
59 * are 0 - i.e. new user-space does not rely on any kernel feature extensions
60 * we don't know about yet.
62 * There is a ToCToU between this function call and the following
63 * copy_from_user() call. However, this is not a concern since this function is
64 * meant to be a future-proofing of bits.
66 int bpf_check_uarg_tail_zero(void __user *uaddr,
70 unsigned char __user *addr;
71 unsigned char __user *end;
75 if (unlikely(actual_size > PAGE_SIZE)) /* silly large */
78 if (unlikely(!access_ok(uaddr, actual_size)))
81 if (actual_size <= expected_size)
84 addr = uaddr + expected_size;
85 end = uaddr + actual_size;
87 for (; addr < end; addr++) {
88 err = get_user(val, addr);
98 const struct bpf_map_ops bpf_map_offload_ops = {
99 .map_alloc = bpf_map_offload_map_alloc,
100 .map_free = bpf_map_offload_map_free,
101 .map_check_btf = map_check_no_btf,
104 static struct bpf_map *find_and_alloc_map(union bpf_attr *attr)
106 const struct bpf_map_ops *ops;
107 u32 type = attr->map_type;
111 if (type >= ARRAY_SIZE(bpf_map_types))
112 return ERR_PTR(-EINVAL);
113 type = array_index_nospec(type, ARRAY_SIZE(bpf_map_types));
114 ops = bpf_map_types[type];
116 return ERR_PTR(-EINVAL);
118 if (ops->map_alloc_check) {
119 err = ops->map_alloc_check(attr);
123 if (attr->map_ifindex)
124 ops = &bpf_map_offload_ops;
125 map = ops->map_alloc(attr);
129 map->map_type = type;
133 static u32 bpf_map_value_size(struct bpf_map *map)
135 if (map->map_type == BPF_MAP_TYPE_PERCPU_HASH ||
136 map->map_type == BPF_MAP_TYPE_LRU_PERCPU_HASH ||
137 map->map_type == BPF_MAP_TYPE_PERCPU_ARRAY ||
138 map->map_type == BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE)
139 return round_up(map->value_size, 8) * num_possible_cpus();
140 else if (IS_FD_MAP(map))
143 return map->value_size;
146 static void maybe_wait_bpf_programs(struct bpf_map *map)
148 /* Wait for any running BPF programs to complete so that
149 * userspace, when we return to it, knows that all programs
150 * that could be running use the new map value.
152 if (map->map_type == BPF_MAP_TYPE_HASH_OF_MAPS ||
153 map->map_type == BPF_MAP_TYPE_ARRAY_OF_MAPS)
157 static int bpf_map_update_value(struct bpf_map *map, struct fd f, void *key,
158 void *value, __u64 flags)
162 /* Need to create a kthread, thus must support schedule */
163 if (bpf_map_is_dev_bound(map)) {
164 return bpf_map_offload_update_elem(map, key, value, flags);
165 } else if (map->map_type == BPF_MAP_TYPE_CPUMAP ||
166 map->map_type == BPF_MAP_TYPE_SOCKHASH ||
167 map->map_type == BPF_MAP_TYPE_SOCKMAP ||
168 map->map_type == BPF_MAP_TYPE_STRUCT_OPS) {
169 return map->ops->map_update_elem(map, key, value, flags);
170 } else if (IS_FD_PROG_ARRAY(map)) {
171 return bpf_fd_array_map_update_elem(map, f.file, key, value,
175 bpf_disable_instrumentation();
176 if (map->map_type == BPF_MAP_TYPE_PERCPU_HASH ||
177 map->map_type == BPF_MAP_TYPE_LRU_PERCPU_HASH) {
178 err = bpf_percpu_hash_update(map, key, value, flags);
179 } else if (map->map_type == BPF_MAP_TYPE_PERCPU_ARRAY) {
180 err = bpf_percpu_array_update(map, key, value, flags);
181 } else if (map->map_type == BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE) {
182 err = bpf_percpu_cgroup_storage_update(map, key, value,
184 } else if (IS_FD_ARRAY(map)) {
186 err = bpf_fd_array_map_update_elem(map, f.file, key, value,
189 } else if (map->map_type == BPF_MAP_TYPE_HASH_OF_MAPS) {
191 err = bpf_fd_htab_map_update_elem(map, f.file, key, value,
194 } else if (map->map_type == BPF_MAP_TYPE_REUSEPORT_SOCKARRAY) {
195 /* rcu_read_lock() is not needed */
196 err = bpf_fd_reuseport_array_update_elem(map, key, value,
198 } else if (map->map_type == BPF_MAP_TYPE_QUEUE ||
199 map->map_type == BPF_MAP_TYPE_STACK) {
200 err = map->ops->map_push_elem(map, value, flags);
203 err = map->ops->map_update_elem(map, key, value, flags);
206 bpf_enable_instrumentation();
207 maybe_wait_bpf_programs(map);
212 static int bpf_map_copy_value(struct bpf_map *map, void *key, void *value,
218 if (bpf_map_is_dev_bound(map))
219 return bpf_map_offload_lookup_elem(map, key, value);
221 bpf_disable_instrumentation();
222 if (map->map_type == BPF_MAP_TYPE_PERCPU_HASH ||
223 map->map_type == BPF_MAP_TYPE_LRU_PERCPU_HASH) {
224 err = bpf_percpu_hash_copy(map, key, value);
225 } else if (map->map_type == BPF_MAP_TYPE_PERCPU_ARRAY) {
226 err = bpf_percpu_array_copy(map, key, value);
227 } else if (map->map_type == BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE) {
228 err = bpf_percpu_cgroup_storage_copy(map, key, value);
229 } else if (map->map_type == BPF_MAP_TYPE_STACK_TRACE) {
230 err = bpf_stackmap_copy(map, key, value);
231 } else if (IS_FD_ARRAY(map) || IS_FD_PROG_ARRAY(map)) {
232 err = bpf_fd_array_map_lookup_elem(map, key, value);
233 } else if (IS_FD_HASH(map)) {
234 err = bpf_fd_htab_map_lookup_elem(map, key, value);
235 } else if (map->map_type == BPF_MAP_TYPE_REUSEPORT_SOCKARRAY) {
236 err = bpf_fd_reuseport_array_lookup_elem(map, key, value);
237 } else if (map->map_type == BPF_MAP_TYPE_QUEUE ||
238 map->map_type == BPF_MAP_TYPE_STACK) {
239 err = map->ops->map_peek_elem(map, value);
240 } else if (map->map_type == BPF_MAP_TYPE_STRUCT_OPS) {
241 /* struct_ops map requires directly updating "value" */
242 err = bpf_struct_ops_map_sys_lookup_elem(map, key, value);
245 if (map->ops->map_lookup_elem_sys_only)
246 ptr = map->ops->map_lookup_elem_sys_only(map, key);
248 ptr = map->ops->map_lookup_elem(map, key);
255 if (flags & BPF_F_LOCK)
256 /* lock 'ptr' and copy everything but lock */
257 copy_map_value_locked(map, value, ptr, true);
259 copy_map_value(map, value, ptr);
260 /* mask lock, since value wasn't zero inited */
261 check_and_init_map_lock(map, value);
266 bpf_enable_instrumentation();
267 maybe_wait_bpf_programs(map);
272 static void *__bpf_map_area_alloc(u64 size, int numa_node, bool mmapable)
274 /* We really just want to fail instead of triggering OOM killer
275 * under memory pressure, therefore we set __GFP_NORETRY to kmalloc,
276 * which is used for lower order allocation requests.
278 * It has been observed that higher order allocation requests done by
279 * vmalloc with __GFP_NORETRY being set might fail due to not trying
280 * to reclaim memory from the page cache, thus we set
281 * __GFP_RETRY_MAYFAIL to avoid such situations.
284 const gfp_t flags = __GFP_NOWARN | __GFP_ZERO;
287 if (size >= SIZE_MAX)
290 /* kmalloc()'ed memory can't be mmap()'ed */
291 if (!mmapable && size <= (PAGE_SIZE << PAGE_ALLOC_COSTLY_ORDER)) {
292 area = kmalloc_node(size, GFP_USER | __GFP_NORETRY | flags,
298 BUG_ON(!PAGE_ALIGNED(size));
299 return vmalloc_user_node_flags(size, numa_node, GFP_KERNEL |
300 __GFP_RETRY_MAYFAIL | flags);
302 return __vmalloc_node_flags_caller(size, numa_node,
303 GFP_KERNEL | __GFP_RETRY_MAYFAIL |
304 flags, __builtin_return_address(0));
307 void *bpf_map_area_alloc(u64 size, int numa_node)
309 return __bpf_map_area_alloc(size, numa_node, false);
312 void *bpf_map_area_mmapable_alloc(u64 size, int numa_node)
314 return __bpf_map_area_alloc(size, numa_node, true);
317 void bpf_map_area_free(void *area)
322 static u32 bpf_map_flags_retain_permanent(u32 flags)
324 /* Some map creation flags are not tied to the map object but
325 * rather to the map fd instead, so they have no meaning upon
326 * map object inspection since multiple file descriptors with
327 * different (access) properties can exist here. Thus, given
328 * this has zero meaning for the map itself, lets clear these
331 return flags & ~(BPF_F_RDONLY | BPF_F_WRONLY);
334 void bpf_map_init_from_attr(struct bpf_map *map, union bpf_attr *attr)
336 map->map_type = attr->map_type;
337 map->key_size = attr->key_size;
338 map->value_size = attr->value_size;
339 map->max_entries = attr->max_entries;
340 map->map_flags = bpf_map_flags_retain_permanent(attr->map_flags);
341 map->numa_node = bpf_map_attr_numa_node(attr);
344 static int bpf_charge_memlock(struct user_struct *user, u32 pages)
346 unsigned long memlock_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
348 if (atomic_long_add_return(pages, &user->locked_vm) > memlock_limit) {
349 atomic_long_sub(pages, &user->locked_vm);
355 static void bpf_uncharge_memlock(struct user_struct *user, u32 pages)
358 atomic_long_sub(pages, &user->locked_vm);
361 int bpf_map_charge_init(struct bpf_map_memory *mem, u64 size)
363 u32 pages = round_up(size, PAGE_SIZE) >> PAGE_SHIFT;
364 struct user_struct *user;
367 if (size >= U32_MAX - PAGE_SIZE)
370 user = get_current_user();
371 ret = bpf_charge_memlock(user, pages);
383 void bpf_map_charge_finish(struct bpf_map_memory *mem)
385 bpf_uncharge_memlock(mem->user, mem->pages);
389 void bpf_map_charge_move(struct bpf_map_memory *dst,
390 struct bpf_map_memory *src)
394 /* Make sure src will not be used for the redundant uncharging. */
395 memset(src, 0, sizeof(struct bpf_map_memory));
398 int bpf_map_charge_memlock(struct bpf_map *map, u32 pages)
402 ret = bpf_charge_memlock(map->memory.user, pages);
405 map->memory.pages += pages;
409 void bpf_map_uncharge_memlock(struct bpf_map *map, u32 pages)
411 bpf_uncharge_memlock(map->memory.user, pages);
412 map->memory.pages -= pages;
415 static int bpf_map_alloc_id(struct bpf_map *map)
419 idr_preload(GFP_KERNEL);
420 spin_lock_bh(&map_idr_lock);
421 id = idr_alloc_cyclic(&map_idr, map, 1, INT_MAX, GFP_ATOMIC);
424 spin_unlock_bh(&map_idr_lock);
427 if (WARN_ON_ONCE(!id))
430 return id > 0 ? 0 : id;
433 void bpf_map_free_id(struct bpf_map *map, bool do_idr_lock)
437 /* Offloaded maps are removed from the IDR store when their device
438 * disappears - even if someone holds an fd to them they are unusable,
439 * the memory is gone, all ops will fail; they are simply waiting for
440 * refcnt to drop to be freed.
446 spin_lock_irqsave(&map_idr_lock, flags);
448 __acquire(&map_idr_lock);
450 idr_remove(&map_idr, map->id);
454 spin_unlock_irqrestore(&map_idr_lock, flags);
456 __release(&map_idr_lock);
459 /* called from workqueue */
460 static void bpf_map_free_deferred(struct work_struct *work)
462 struct bpf_map *map = container_of(work, struct bpf_map, work);
463 struct bpf_map_memory mem;
465 bpf_map_charge_move(&mem, &map->memory);
466 security_bpf_map_free(map);
467 /* implementation dependent freeing */
468 map->ops->map_free(map);
469 bpf_map_charge_finish(&mem);
472 static void bpf_map_put_uref(struct bpf_map *map)
474 if (atomic64_dec_and_test(&map->usercnt)) {
475 if (map->ops->map_release_uref)
476 map->ops->map_release_uref(map);
480 /* decrement map refcnt and schedule it for freeing via workqueue
481 * (unrelying map implementation ops->map_free() might sleep)
483 static void __bpf_map_put(struct bpf_map *map, bool do_idr_lock)
485 if (atomic64_dec_and_test(&map->refcnt)) {
486 /* bpf_map_free_id() must be called first */
487 bpf_map_free_id(map, do_idr_lock);
489 INIT_WORK(&map->work, bpf_map_free_deferred);
490 schedule_work(&map->work);
494 void bpf_map_put(struct bpf_map *map)
496 __bpf_map_put(map, true);
498 EXPORT_SYMBOL_GPL(bpf_map_put);
500 void bpf_map_put_with_uref(struct bpf_map *map)
502 bpf_map_put_uref(map);
506 static int bpf_map_release(struct inode *inode, struct file *filp)
508 struct bpf_map *map = filp->private_data;
510 if (map->ops->map_release)
511 map->ops->map_release(map, filp);
513 bpf_map_put_with_uref(map);
517 static fmode_t map_get_sys_perms(struct bpf_map *map, struct fd f)
519 fmode_t mode = f.file->f_mode;
521 /* Our file permissions may have been overridden by global
522 * map permissions facing syscall side.
524 if (READ_ONCE(map->frozen))
525 mode &= ~FMODE_CAN_WRITE;
529 #ifdef CONFIG_PROC_FS
530 static void bpf_map_show_fdinfo(struct seq_file *m, struct file *filp)
532 const struct bpf_map *map = filp->private_data;
533 const struct bpf_array *array;
534 u32 type = 0, jited = 0;
536 if (map->map_type == BPF_MAP_TYPE_PROG_ARRAY) {
537 array = container_of(map, struct bpf_array, map);
538 type = array->aux->type;
539 jited = array->aux->jited;
556 map->memory.pages * 1ULL << PAGE_SHIFT,
558 READ_ONCE(map->frozen));
560 seq_printf(m, "owner_prog_type:\t%u\n", type);
561 seq_printf(m, "owner_jited:\t%u\n", jited);
566 static ssize_t bpf_dummy_read(struct file *filp, char __user *buf, size_t siz,
569 /* We need this handler such that alloc_file() enables
570 * f_mode with FMODE_CAN_READ.
575 static ssize_t bpf_dummy_write(struct file *filp, const char __user *buf,
576 size_t siz, loff_t *ppos)
578 /* We need this handler such that alloc_file() enables
579 * f_mode with FMODE_CAN_WRITE.
584 /* called for any extra memory-mapped regions (except initial) */
585 static void bpf_map_mmap_open(struct vm_area_struct *vma)
587 struct bpf_map *map = vma->vm_file->private_data;
589 if (vma->vm_flags & VM_MAYWRITE) {
590 mutex_lock(&map->freeze_mutex);
592 mutex_unlock(&map->freeze_mutex);
596 /* called for all unmapped memory region (including initial) */
597 static void bpf_map_mmap_close(struct vm_area_struct *vma)
599 struct bpf_map *map = vma->vm_file->private_data;
601 if (vma->vm_flags & VM_MAYWRITE) {
602 mutex_lock(&map->freeze_mutex);
604 mutex_unlock(&map->freeze_mutex);
608 static const struct vm_operations_struct bpf_map_default_vmops = {
609 .open = bpf_map_mmap_open,
610 .close = bpf_map_mmap_close,
613 static int bpf_map_mmap(struct file *filp, struct vm_area_struct *vma)
615 struct bpf_map *map = filp->private_data;
618 if (!map->ops->map_mmap || map_value_has_spin_lock(map))
621 if (!(vma->vm_flags & VM_SHARED))
624 mutex_lock(&map->freeze_mutex);
626 if (vma->vm_flags & VM_WRITE) {
631 /* map is meant to be read-only, so do not allow mapping as
632 * writable, because it's possible to leak a writable page
633 * reference and allows user-space to still modify it after
634 * freezing, while verifier will assume contents do not change
636 if (map->map_flags & BPF_F_RDONLY_PROG) {
642 /* set default open/close callbacks */
643 vma->vm_ops = &bpf_map_default_vmops;
644 vma->vm_private_data = map;
645 vma->vm_flags &= ~VM_MAYEXEC;
646 if (!(vma->vm_flags & VM_WRITE))
647 /* disallow re-mapping with PROT_WRITE */
648 vma->vm_flags &= ~VM_MAYWRITE;
650 err = map->ops->map_mmap(map, vma);
654 if (vma->vm_flags & VM_MAYWRITE)
657 mutex_unlock(&map->freeze_mutex);
661 const struct file_operations bpf_map_fops = {
662 #ifdef CONFIG_PROC_FS
663 .show_fdinfo = bpf_map_show_fdinfo,
665 .release = bpf_map_release,
666 .read = bpf_dummy_read,
667 .write = bpf_dummy_write,
668 .mmap = bpf_map_mmap,
671 int bpf_map_new_fd(struct bpf_map *map, int flags)
675 ret = security_bpf_map(map, OPEN_FMODE(flags));
679 return anon_inode_getfd("bpf-map", &bpf_map_fops, map,
683 int bpf_get_file_flag(int flags)
685 if ((flags & BPF_F_RDONLY) && (flags & BPF_F_WRONLY))
687 if (flags & BPF_F_RDONLY)
689 if (flags & BPF_F_WRONLY)
694 /* helper macro to check that unused fields 'union bpf_attr' are zero */
695 #define CHECK_ATTR(CMD) \
696 memchr_inv((void *) &attr->CMD##_LAST_FIELD + \
697 sizeof(attr->CMD##_LAST_FIELD), 0, \
699 offsetof(union bpf_attr, CMD##_LAST_FIELD) - \
700 sizeof(attr->CMD##_LAST_FIELD)) != NULL
702 /* dst and src must have at least "size" number of bytes.
703 * Return strlen on success and < 0 on error.
705 int bpf_obj_name_cpy(char *dst, const char *src, unsigned int size)
707 const char *end = src + size;
708 const char *orig_src = src;
710 memset(dst, 0, size);
711 /* Copy all isalnum(), '_' and '.' chars. */
712 while (src < end && *src) {
713 if (!isalnum(*src) &&
714 *src != '_' && *src != '.')
719 /* No '\0' found in "size" number of bytes */
723 return src - orig_src;
726 int map_check_no_btf(const struct bpf_map *map,
727 const struct btf *btf,
728 const struct btf_type *key_type,
729 const struct btf_type *value_type)
734 static int map_check_btf(struct bpf_map *map, const struct btf *btf,
735 u32 btf_key_id, u32 btf_value_id)
737 const struct btf_type *key_type, *value_type;
738 u32 key_size, value_size;
741 /* Some maps allow key to be unspecified. */
743 key_type = btf_type_id_size(btf, &btf_key_id, &key_size);
744 if (!key_type || key_size != map->key_size)
747 key_type = btf_type_by_id(btf, 0);
748 if (!map->ops->map_check_btf)
752 value_type = btf_type_id_size(btf, &btf_value_id, &value_size);
753 if (!value_type || value_size != map->value_size)
756 map->spin_lock_off = btf_find_spin_lock(btf, value_type);
758 if (map_value_has_spin_lock(map)) {
759 if (map->map_flags & BPF_F_RDONLY_PROG)
761 if (map->map_type != BPF_MAP_TYPE_HASH &&
762 map->map_type != BPF_MAP_TYPE_ARRAY &&
763 map->map_type != BPF_MAP_TYPE_CGROUP_STORAGE &&
764 map->map_type != BPF_MAP_TYPE_SK_STORAGE)
766 if (map->spin_lock_off + sizeof(struct bpf_spin_lock) >
769 "verifier bug spin_lock_off %d value_size %d\n",
770 map->spin_lock_off, map->value_size);
775 if (map->ops->map_check_btf)
776 ret = map->ops->map_check_btf(map, btf, key_type, value_type);
781 #define BPF_MAP_CREATE_LAST_FIELD btf_vmlinux_value_type_id
782 /* called via syscall */
783 static int map_create(union bpf_attr *attr)
785 int numa_node = bpf_map_attr_numa_node(attr);
786 struct bpf_map_memory mem;
791 err = CHECK_ATTR(BPF_MAP_CREATE);
795 if (attr->btf_vmlinux_value_type_id) {
796 if (attr->map_type != BPF_MAP_TYPE_STRUCT_OPS ||
797 attr->btf_key_type_id || attr->btf_value_type_id)
799 } else if (attr->btf_key_type_id && !attr->btf_value_type_id) {
803 f_flags = bpf_get_file_flag(attr->map_flags);
807 if (numa_node != NUMA_NO_NODE &&
808 ((unsigned int)numa_node >= nr_node_ids ||
809 !node_online(numa_node)))
812 /* find map type and init map: hashtable vs rbtree vs bloom vs ... */
813 map = find_and_alloc_map(attr);
817 err = bpf_obj_name_cpy(map->name, attr->map_name,
818 sizeof(attr->map_name));
822 atomic64_set(&map->refcnt, 1);
823 atomic64_set(&map->usercnt, 1);
824 mutex_init(&map->freeze_mutex);
826 map->spin_lock_off = -EINVAL;
827 if (attr->btf_key_type_id || attr->btf_value_type_id ||
828 /* Even the map's value is a kernel's struct,
829 * the bpf_prog.o must have BTF to begin with
830 * to figure out the corresponding kernel's
831 * counter part. Thus, attr->btf_fd has
834 attr->btf_vmlinux_value_type_id) {
837 btf = btf_get_by_fd(attr->btf_fd);
844 if (attr->btf_value_type_id) {
845 err = map_check_btf(map, btf, attr->btf_key_type_id,
846 attr->btf_value_type_id);
851 map->btf_key_type_id = attr->btf_key_type_id;
852 map->btf_value_type_id = attr->btf_value_type_id;
853 map->btf_vmlinux_value_type_id =
854 attr->btf_vmlinux_value_type_id;
857 err = security_bpf_map_alloc(map);
861 err = bpf_map_alloc_id(map);
865 err = bpf_map_new_fd(map, f_flags);
867 /* failed to allocate fd.
868 * bpf_map_put_with_uref() is needed because the above
869 * bpf_map_alloc_id() has published the map
870 * to the userspace and the userspace may
871 * have refcnt-ed it through BPF_MAP_GET_FD_BY_ID.
873 bpf_map_put_with_uref(map);
880 security_bpf_map_free(map);
883 bpf_map_charge_move(&mem, &map->memory);
884 map->ops->map_free(map);
885 bpf_map_charge_finish(&mem);
889 /* if error is returned, fd is released.
890 * On success caller should complete fd access with matching fdput()
892 struct bpf_map *__bpf_map_get(struct fd f)
895 return ERR_PTR(-EBADF);
896 if (f.file->f_op != &bpf_map_fops) {
898 return ERR_PTR(-EINVAL);
901 return f.file->private_data;
904 void bpf_map_inc(struct bpf_map *map)
906 atomic64_inc(&map->refcnt);
908 EXPORT_SYMBOL_GPL(bpf_map_inc);
910 void bpf_map_inc_with_uref(struct bpf_map *map)
912 atomic64_inc(&map->refcnt);
913 atomic64_inc(&map->usercnt);
915 EXPORT_SYMBOL_GPL(bpf_map_inc_with_uref);
917 struct bpf_map *bpf_map_get(u32 ufd)
919 struct fd f = fdget(ufd);
922 map = __bpf_map_get(f);
932 struct bpf_map *bpf_map_get_with_uref(u32 ufd)
934 struct fd f = fdget(ufd);
937 map = __bpf_map_get(f);
941 bpf_map_inc_with_uref(map);
947 /* map_idr_lock should have been held */
948 static struct bpf_map *__bpf_map_inc_not_zero(struct bpf_map *map, bool uref)
952 refold = atomic64_fetch_add_unless(&map->refcnt, 1, 0);
954 return ERR_PTR(-ENOENT);
956 atomic64_inc(&map->usercnt);
961 struct bpf_map *bpf_map_inc_not_zero(struct bpf_map *map)
963 spin_lock_bh(&map_idr_lock);
964 map = __bpf_map_inc_not_zero(map, false);
965 spin_unlock_bh(&map_idr_lock);
969 EXPORT_SYMBOL_GPL(bpf_map_inc_not_zero);
971 int __weak bpf_stackmap_copy(struct bpf_map *map, void *key, void *value)
976 static void *__bpf_copy_key(void __user *ukey, u64 key_size)
979 return memdup_user(ukey, key_size);
982 return ERR_PTR(-EINVAL);
987 /* last field in 'union bpf_attr' used by this command */
988 #define BPF_MAP_LOOKUP_ELEM_LAST_FIELD flags
990 static int map_lookup_elem(union bpf_attr *attr)
992 void __user *ukey = u64_to_user_ptr(attr->key);
993 void __user *uvalue = u64_to_user_ptr(attr->value);
994 int ufd = attr->map_fd;
1001 if (CHECK_ATTR(BPF_MAP_LOOKUP_ELEM))
1004 if (attr->flags & ~BPF_F_LOCK)
1008 map = __bpf_map_get(f);
1010 return PTR_ERR(map);
1011 if (!(map_get_sys_perms(map, f) & FMODE_CAN_READ)) {
1016 if ((attr->flags & BPF_F_LOCK) &&
1017 !map_value_has_spin_lock(map)) {
1022 key = __bpf_copy_key(ukey, map->key_size);
1028 value_size = bpf_map_value_size(map);
1031 value = kmalloc(value_size, GFP_USER | __GFP_NOWARN);
1035 err = bpf_map_copy_value(map, key, value, attr->flags);
1040 if (copy_to_user(uvalue, value, value_size) != 0)
1055 #define BPF_MAP_UPDATE_ELEM_LAST_FIELD flags
1057 static int map_update_elem(union bpf_attr *attr)
1059 void __user *ukey = u64_to_user_ptr(attr->key);
1060 void __user *uvalue = u64_to_user_ptr(attr->value);
1061 int ufd = attr->map_fd;
1062 struct bpf_map *map;
1068 if (CHECK_ATTR(BPF_MAP_UPDATE_ELEM))
1072 map = __bpf_map_get(f);
1074 return PTR_ERR(map);
1075 if (!(map_get_sys_perms(map, f) & FMODE_CAN_WRITE)) {
1080 if ((attr->flags & BPF_F_LOCK) &&
1081 !map_value_has_spin_lock(map)) {
1086 key = __bpf_copy_key(ukey, map->key_size);
1092 if (map->map_type == BPF_MAP_TYPE_PERCPU_HASH ||
1093 map->map_type == BPF_MAP_TYPE_LRU_PERCPU_HASH ||
1094 map->map_type == BPF_MAP_TYPE_PERCPU_ARRAY ||
1095 map->map_type == BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE)
1096 value_size = round_up(map->value_size, 8) * num_possible_cpus();
1098 value_size = map->value_size;
1101 value = kmalloc(value_size, GFP_USER | __GFP_NOWARN);
1106 if (copy_from_user(value, uvalue, value_size) != 0)
1109 err = bpf_map_update_value(map, f, key, value, attr->flags);
1120 #define BPF_MAP_DELETE_ELEM_LAST_FIELD key
1122 static int map_delete_elem(union bpf_attr *attr)
1124 void __user *ukey = u64_to_user_ptr(attr->key);
1125 int ufd = attr->map_fd;
1126 struct bpf_map *map;
1131 if (CHECK_ATTR(BPF_MAP_DELETE_ELEM))
1135 map = __bpf_map_get(f);
1137 return PTR_ERR(map);
1138 if (!(map_get_sys_perms(map, f) & FMODE_CAN_WRITE)) {
1143 key = __bpf_copy_key(ukey, map->key_size);
1149 if (bpf_map_is_dev_bound(map)) {
1150 err = bpf_map_offload_delete_elem(map, key);
1152 } else if (IS_FD_PROG_ARRAY(map) ||
1153 map->map_type == BPF_MAP_TYPE_STRUCT_OPS) {
1154 /* These maps require sleepable context */
1155 err = map->ops->map_delete_elem(map, key);
1159 bpf_disable_instrumentation();
1161 err = map->ops->map_delete_elem(map, key);
1163 bpf_enable_instrumentation();
1164 maybe_wait_bpf_programs(map);
1172 /* last field in 'union bpf_attr' used by this command */
1173 #define BPF_MAP_GET_NEXT_KEY_LAST_FIELD next_key
1175 static int map_get_next_key(union bpf_attr *attr)
1177 void __user *ukey = u64_to_user_ptr(attr->key);
1178 void __user *unext_key = u64_to_user_ptr(attr->next_key);
1179 int ufd = attr->map_fd;
1180 struct bpf_map *map;
1181 void *key, *next_key;
1185 if (CHECK_ATTR(BPF_MAP_GET_NEXT_KEY))
1189 map = __bpf_map_get(f);
1191 return PTR_ERR(map);
1192 if (!(map_get_sys_perms(map, f) & FMODE_CAN_READ)) {
1198 key = __bpf_copy_key(ukey, map->key_size);
1208 next_key = kmalloc(map->key_size, GFP_USER);
1212 if (bpf_map_is_dev_bound(map)) {
1213 err = bpf_map_offload_get_next_key(map, key, next_key);
1218 err = map->ops->map_get_next_key(map, key, next_key);
1225 if (copy_to_user(unext_key, next_key, map->key_size) != 0)
1239 int generic_map_delete_batch(struct bpf_map *map,
1240 const union bpf_attr *attr,
1241 union bpf_attr __user *uattr)
1243 void __user *keys = u64_to_user_ptr(attr->batch.keys);
1248 if (attr->batch.elem_flags & ~BPF_F_LOCK)
1251 if ((attr->batch.elem_flags & BPF_F_LOCK) &&
1252 !map_value_has_spin_lock(map)) {
1256 max_count = attr->batch.count;
1260 key = kmalloc(map->key_size, GFP_USER | __GFP_NOWARN);
1264 for (cp = 0; cp < max_count; cp++) {
1266 if (copy_from_user(key, keys + cp * map->key_size,
1270 if (bpf_map_is_dev_bound(map)) {
1271 err = bpf_map_offload_delete_elem(map, key);
1275 bpf_disable_instrumentation();
1277 err = map->ops->map_delete_elem(map, key);
1279 bpf_enable_instrumentation();
1280 maybe_wait_bpf_programs(map);
1284 if (copy_to_user(&uattr->batch.count, &cp, sizeof(cp)))
1291 int generic_map_update_batch(struct bpf_map *map,
1292 const union bpf_attr *attr,
1293 union bpf_attr __user *uattr)
1295 void __user *values = u64_to_user_ptr(attr->batch.values);
1296 void __user *keys = u64_to_user_ptr(attr->batch.keys);
1297 u32 value_size, cp, max_count;
1298 int ufd = attr->map_fd;
1304 if (attr->batch.elem_flags & ~BPF_F_LOCK)
1307 if ((attr->batch.elem_flags & BPF_F_LOCK) &&
1308 !map_value_has_spin_lock(map)) {
1312 value_size = bpf_map_value_size(map);
1314 max_count = attr->batch.count;
1318 key = kmalloc(map->key_size, GFP_USER | __GFP_NOWARN);
1322 value = kmalloc(value_size, GFP_USER | __GFP_NOWARN);
1328 for (cp = 0; cp < max_count; cp++) {
1330 if (copy_from_user(key, keys + cp * map->key_size,
1332 copy_from_user(value, values + cp * value_size, value_size))
1335 err = bpf_map_update_value(map, f, key, value,
1336 attr->batch.elem_flags);
1342 if (copy_to_user(&uattr->batch.count, &cp, sizeof(cp)))
1350 #define MAP_LOOKUP_RETRIES 3
1352 int generic_map_lookup_batch(struct bpf_map *map,
1353 const union bpf_attr *attr,
1354 union bpf_attr __user *uattr)
1356 void __user *uobatch = u64_to_user_ptr(attr->batch.out_batch);
1357 void __user *ubatch = u64_to_user_ptr(attr->batch.in_batch);
1358 void __user *values = u64_to_user_ptr(attr->batch.values);
1359 void __user *keys = u64_to_user_ptr(attr->batch.keys);
1360 void *buf, *buf_prevkey, *prev_key, *key, *value;
1361 int err, retry = MAP_LOOKUP_RETRIES;
1362 u32 value_size, cp, max_count;
1364 if (attr->batch.elem_flags & ~BPF_F_LOCK)
1367 if ((attr->batch.elem_flags & BPF_F_LOCK) &&
1368 !map_value_has_spin_lock(map))
1371 value_size = bpf_map_value_size(map);
1373 max_count = attr->batch.count;
1377 if (put_user(0, &uattr->batch.count))
1380 buf_prevkey = kmalloc(map->key_size, GFP_USER | __GFP_NOWARN);
1384 buf = kmalloc(map->key_size + value_size, GFP_USER | __GFP_NOWARN);
1386 kvfree(buf_prevkey);
1392 if (ubatch && copy_from_user(buf_prevkey, ubatch, map->key_size))
1395 value = key + map->key_size;
1397 prev_key = buf_prevkey;
1399 for (cp = 0; cp < max_count;) {
1401 err = map->ops->map_get_next_key(map, prev_key, key);
1405 err = bpf_map_copy_value(map, key, value,
1406 attr->batch.elem_flags);
1408 if (err == -ENOENT) {
1420 if (copy_to_user(keys + cp * map->key_size, key,
1425 if (copy_to_user(values + cp * value_size, value, value_size)) {
1431 prev_key = buf_prevkey;
1433 swap(prev_key, key);
1434 retry = MAP_LOOKUP_RETRIES;
1441 if ((copy_to_user(&uattr->batch.count, &cp, sizeof(cp)) ||
1442 (cp && copy_to_user(uobatch, prev_key, map->key_size))))
1451 #define BPF_MAP_LOOKUP_AND_DELETE_ELEM_LAST_FIELD value
1453 static int map_lookup_and_delete_elem(union bpf_attr *attr)
1455 void __user *ukey = u64_to_user_ptr(attr->key);
1456 void __user *uvalue = u64_to_user_ptr(attr->value);
1457 int ufd = attr->map_fd;
1458 struct bpf_map *map;
1464 if (CHECK_ATTR(BPF_MAP_LOOKUP_AND_DELETE_ELEM))
1468 map = __bpf_map_get(f);
1470 return PTR_ERR(map);
1471 if (!(map_get_sys_perms(map, f) & FMODE_CAN_WRITE)) {
1476 key = __bpf_copy_key(ukey, map->key_size);
1482 value_size = map->value_size;
1485 value = kmalloc(value_size, GFP_USER | __GFP_NOWARN);
1489 if (map->map_type == BPF_MAP_TYPE_QUEUE ||
1490 map->map_type == BPF_MAP_TYPE_STACK) {
1491 err = map->ops->map_pop_elem(map, value);
1499 if (copy_to_user(uvalue, value, value_size) != 0) {
1515 #define BPF_MAP_FREEZE_LAST_FIELD map_fd
1517 static int map_freeze(const union bpf_attr *attr)
1519 int err = 0, ufd = attr->map_fd;
1520 struct bpf_map *map;
1523 if (CHECK_ATTR(BPF_MAP_FREEZE))
1527 map = __bpf_map_get(f);
1529 return PTR_ERR(map);
1531 if (map->map_type == BPF_MAP_TYPE_STRUCT_OPS) {
1536 mutex_lock(&map->freeze_mutex);
1538 if (map->writecnt) {
1542 if (READ_ONCE(map->frozen)) {
1546 if (!capable(CAP_SYS_ADMIN)) {
1551 WRITE_ONCE(map->frozen, true);
1553 mutex_unlock(&map->freeze_mutex);
1558 static const struct bpf_prog_ops * const bpf_prog_types[] = {
1559 #define BPF_PROG_TYPE(_id, _name, prog_ctx_type, kern_ctx_type) \
1560 [_id] = & _name ## _prog_ops,
1561 #define BPF_MAP_TYPE(_id, _ops)
1562 #include <linux/bpf_types.h>
1563 #undef BPF_PROG_TYPE
1567 static int find_prog_type(enum bpf_prog_type type, struct bpf_prog *prog)
1569 const struct bpf_prog_ops *ops;
1571 if (type >= ARRAY_SIZE(bpf_prog_types))
1573 type = array_index_nospec(type, ARRAY_SIZE(bpf_prog_types));
1574 ops = bpf_prog_types[type];
1578 if (!bpf_prog_is_dev_bound(prog->aux))
1579 prog->aux->ops = ops;
1581 prog->aux->ops = &bpf_offload_prog_ops;
1592 static const char * const bpf_audit_str[BPF_AUDIT_MAX] = {
1593 [BPF_AUDIT_LOAD] = "LOAD",
1594 [BPF_AUDIT_UNLOAD] = "UNLOAD",
1597 static void bpf_audit_prog(const struct bpf_prog *prog, unsigned int op)
1599 struct audit_context *ctx = NULL;
1600 struct audit_buffer *ab;
1602 if (WARN_ON_ONCE(op >= BPF_AUDIT_MAX))
1604 if (audit_enabled == AUDIT_OFF)
1606 if (op == BPF_AUDIT_LOAD)
1607 ctx = audit_context();
1608 ab = audit_log_start(ctx, GFP_ATOMIC, AUDIT_BPF);
1611 audit_log_format(ab, "prog-id=%u op=%s",
1612 prog->aux->id, bpf_audit_str[op]);
1616 int __bpf_prog_charge(struct user_struct *user, u32 pages)
1618 unsigned long memlock_limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
1619 unsigned long user_bufs;
1622 user_bufs = atomic_long_add_return(pages, &user->locked_vm);
1623 if (user_bufs > memlock_limit) {
1624 atomic_long_sub(pages, &user->locked_vm);
1632 void __bpf_prog_uncharge(struct user_struct *user, u32 pages)
1635 atomic_long_sub(pages, &user->locked_vm);
1638 static int bpf_prog_charge_memlock(struct bpf_prog *prog)
1640 struct user_struct *user = get_current_user();
1643 ret = __bpf_prog_charge(user, prog->pages);
1649 prog->aux->user = user;
1653 static void bpf_prog_uncharge_memlock(struct bpf_prog *prog)
1655 struct user_struct *user = prog->aux->user;
1657 __bpf_prog_uncharge(user, prog->pages);
1661 static int bpf_prog_alloc_id(struct bpf_prog *prog)
1665 idr_preload(GFP_KERNEL);
1666 spin_lock_bh(&prog_idr_lock);
1667 id = idr_alloc_cyclic(&prog_idr, prog, 1, INT_MAX, GFP_ATOMIC);
1670 spin_unlock_bh(&prog_idr_lock);
1673 /* id is in [1, INT_MAX) */
1674 if (WARN_ON_ONCE(!id))
1677 return id > 0 ? 0 : id;
1680 void bpf_prog_free_id(struct bpf_prog *prog, bool do_idr_lock)
1682 /* cBPF to eBPF migrations are currently not in the idr store.
1683 * Offloaded programs are removed from the store when their device
1684 * disappears - even if someone grabs an fd to them they are unusable,
1685 * simply waiting for refcnt to drop to be freed.
1691 spin_lock_bh(&prog_idr_lock);
1693 __acquire(&prog_idr_lock);
1695 idr_remove(&prog_idr, prog->aux->id);
1699 spin_unlock_bh(&prog_idr_lock);
1701 __release(&prog_idr_lock);
1704 static void __bpf_prog_put_rcu(struct rcu_head *rcu)
1706 struct bpf_prog_aux *aux = container_of(rcu, struct bpf_prog_aux, rcu);
1708 kvfree(aux->func_info);
1709 kfree(aux->func_info_aux);
1710 bpf_prog_uncharge_memlock(aux->prog);
1711 security_bpf_prog_free(aux);
1712 bpf_prog_free(aux->prog);
1715 static void __bpf_prog_put_noref(struct bpf_prog *prog, bool deferred)
1717 bpf_prog_kallsyms_del_all(prog);
1718 btf_put(prog->aux->btf);
1719 bpf_prog_free_linfo(prog);
1722 call_rcu(&prog->aux->rcu, __bpf_prog_put_rcu);
1724 __bpf_prog_put_rcu(&prog->aux->rcu);
1727 static void __bpf_prog_put(struct bpf_prog *prog, bool do_idr_lock)
1729 if (atomic64_dec_and_test(&prog->aux->refcnt)) {
1730 perf_event_bpf_event(prog, PERF_BPF_EVENT_PROG_UNLOAD, 0);
1731 bpf_audit_prog(prog, BPF_AUDIT_UNLOAD);
1732 /* bpf_prog_free_id() must be called first */
1733 bpf_prog_free_id(prog, do_idr_lock);
1734 __bpf_prog_put_noref(prog, true);
1738 void bpf_prog_put(struct bpf_prog *prog)
1740 __bpf_prog_put(prog, true);
1742 EXPORT_SYMBOL_GPL(bpf_prog_put);
1744 static int bpf_prog_release(struct inode *inode, struct file *filp)
1746 struct bpf_prog *prog = filp->private_data;
1752 static void bpf_prog_get_stats(const struct bpf_prog *prog,
1753 struct bpf_prog_stats *stats)
1755 u64 nsecs = 0, cnt = 0;
1758 for_each_possible_cpu(cpu) {
1759 const struct bpf_prog_stats *st;
1763 st = per_cpu_ptr(prog->aux->stats, cpu);
1765 start = u64_stats_fetch_begin_irq(&st->syncp);
1768 } while (u64_stats_fetch_retry_irq(&st->syncp, start));
1772 stats->nsecs = nsecs;
1776 #ifdef CONFIG_PROC_FS
1777 static void bpf_prog_show_fdinfo(struct seq_file *m, struct file *filp)
1779 const struct bpf_prog *prog = filp->private_data;
1780 char prog_tag[sizeof(prog->tag) * 2 + 1] = { };
1781 struct bpf_prog_stats stats;
1783 bpf_prog_get_stats(prog, &stats);
1784 bin2hex(prog_tag, prog->tag, sizeof(prog->tag));
1791 "run_time_ns:\t%llu\n"
1796 prog->pages * 1ULL << PAGE_SHIFT,
1803 const struct file_operations bpf_prog_fops = {
1804 #ifdef CONFIG_PROC_FS
1805 .show_fdinfo = bpf_prog_show_fdinfo,
1807 .release = bpf_prog_release,
1808 .read = bpf_dummy_read,
1809 .write = bpf_dummy_write,
1812 int bpf_prog_new_fd(struct bpf_prog *prog)
1816 ret = security_bpf_prog(prog);
1820 return anon_inode_getfd("bpf-prog", &bpf_prog_fops, prog,
1821 O_RDWR | O_CLOEXEC);
1824 static struct bpf_prog *____bpf_prog_get(struct fd f)
1827 return ERR_PTR(-EBADF);
1828 if (f.file->f_op != &bpf_prog_fops) {
1830 return ERR_PTR(-EINVAL);
1833 return f.file->private_data;
1836 void bpf_prog_add(struct bpf_prog *prog, int i)
1838 atomic64_add(i, &prog->aux->refcnt);
1840 EXPORT_SYMBOL_GPL(bpf_prog_add);
1842 void bpf_prog_sub(struct bpf_prog *prog, int i)
1844 /* Only to be used for undoing previous bpf_prog_add() in some
1845 * error path. We still know that another entity in our call
1846 * path holds a reference to the program, thus atomic_sub() can
1847 * be safely used in such cases!
1849 WARN_ON(atomic64_sub_return(i, &prog->aux->refcnt) == 0);
1851 EXPORT_SYMBOL_GPL(bpf_prog_sub);
1853 void bpf_prog_inc(struct bpf_prog *prog)
1855 atomic64_inc(&prog->aux->refcnt);
1857 EXPORT_SYMBOL_GPL(bpf_prog_inc);
1859 /* prog_idr_lock should have been held */
1860 struct bpf_prog *bpf_prog_inc_not_zero(struct bpf_prog *prog)
1864 refold = atomic64_fetch_add_unless(&prog->aux->refcnt, 1, 0);
1867 return ERR_PTR(-ENOENT);
1871 EXPORT_SYMBOL_GPL(bpf_prog_inc_not_zero);
1873 bool bpf_prog_get_ok(struct bpf_prog *prog,
1874 enum bpf_prog_type *attach_type, bool attach_drv)
1876 /* not an attachment, just a refcount inc, always allow */
1880 if (prog->type != *attach_type)
1882 if (bpf_prog_is_dev_bound(prog->aux) && !attach_drv)
1888 static struct bpf_prog *__bpf_prog_get(u32 ufd, enum bpf_prog_type *attach_type,
1891 struct fd f = fdget(ufd);
1892 struct bpf_prog *prog;
1894 prog = ____bpf_prog_get(f);
1897 if (!bpf_prog_get_ok(prog, attach_type, attach_drv)) {
1898 prog = ERR_PTR(-EINVAL);
1908 struct bpf_prog *bpf_prog_get(u32 ufd)
1910 return __bpf_prog_get(ufd, NULL, false);
1913 struct bpf_prog *bpf_prog_get_type_dev(u32 ufd, enum bpf_prog_type type,
1916 return __bpf_prog_get(ufd, &type, attach_drv);
1918 EXPORT_SYMBOL_GPL(bpf_prog_get_type_dev);
1920 /* Initially all BPF programs could be loaded w/o specifying
1921 * expected_attach_type. Later for some of them specifying expected_attach_type
1922 * at load time became required so that program could be validated properly.
1923 * Programs of types that are allowed to be loaded both w/ and w/o (for
1924 * backward compatibility) expected_attach_type, should have the default attach
1925 * type assigned to expected_attach_type for the latter case, so that it can be
1926 * validated later at attach time.
1928 * bpf_prog_load_fixup_attach_type() sets expected_attach_type in @attr if
1929 * prog type requires it but has some attach types that have to be backward
1932 static void bpf_prog_load_fixup_attach_type(union bpf_attr *attr)
1934 switch (attr->prog_type) {
1935 case BPF_PROG_TYPE_CGROUP_SOCK:
1936 /* Unfortunately BPF_ATTACH_TYPE_UNSPEC enumeration doesn't
1937 * exist so checking for non-zero is the way to go here.
1939 if (!attr->expected_attach_type)
1940 attr->expected_attach_type =
1941 BPF_CGROUP_INET_SOCK_CREATE;
1947 bpf_prog_load_check_attach(enum bpf_prog_type prog_type,
1948 enum bpf_attach_type expected_attach_type,
1949 u32 btf_id, u32 prog_fd)
1952 if (btf_id > BTF_MAX_TYPE)
1955 switch (prog_type) {
1956 case BPF_PROG_TYPE_TRACING:
1957 case BPF_PROG_TYPE_LSM:
1958 case BPF_PROG_TYPE_STRUCT_OPS:
1959 case BPF_PROG_TYPE_EXT:
1966 if (prog_fd && prog_type != BPF_PROG_TYPE_TRACING &&
1967 prog_type != BPF_PROG_TYPE_EXT)
1970 switch (prog_type) {
1971 case BPF_PROG_TYPE_CGROUP_SOCK:
1972 switch (expected_attach_type) {
1973 case BPF_CGROUP_INET_SOCK_CREATE:
1974 case BPF_CGROUP_INET4_POST_BIND:
1975 case BPF_CGROUP_INET6_POST_BIND:
1980 case BPF_PROG_TYPE_CGROUP_SOCK_ADDR:
1981 switch (expected_attach_type) {
1982 case BPF_CGROUP_INET4_BIND:
1983 case BPF_CGROUP_INET6_BIND:
1984 case BPF_CGROUP_INET4_CONNECT:
1985 case BPF_CGROUP_INET6_CONNECT:
1986 case BPF_CGROUP_UDP4_SENDMSG:
1987 case BPF_CGROUP_UDP6_SENDMSG:
1988 case BPF_CGROUP_UDP4_RECVMSG:
1989 case BPF_CGROUP_UDP6_RECVMSG:
1994 case BPF_PROG_TYPE_CGROUP_SKB:
1995 switch (expected_attach_type) {
1996 case BPF_CGROUP_INET_INGRESS:
1997 case BPF_CGROUP_INET_EGRESS:
2002 case BPF_PROG_TYPE_CGROUP_SOCKOPT:
2003 switch (expected_attach_type) {
2004 case BPF_CGROUP_SETSOCKOPT:
2005 case BPF_CGROUP_GETSOCKOPT:
2010 case BPF_PROG_TYPE_EXT:
2011 if (expected_attach_type)
2019 /* last field in 'union bpf_attr' used by this command */
2020 #define BPF_PROG_LOAD_LAST_FIELD attach_prog_fd
2022 static int bpf_prog_load(union bpf_attr *attr, union bpf_attr __user *uattr)
2024 enum bpf_prog_type type = attr->prog_type;
2025 struct bpf_prog *prog;
2030 if (CHECK_ATTR(BPF_PROG_LOAD))
2033 if (attr->prog_flags & ~(BPF_F_STRICT_ALIGNMENT |
2034 BPF_F_ANY_ALIGNMENT |
2035 BPF_F_TEST_STATE_FREQ |
2036 BPF_F_TEST_RND_HI32))
2039 if (!IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) &&
2040 (attr->prog_flags & BPF_F_ANY_ALIGNMENT) &&
2041 !capable(CAP_SYS_ADMIN))
2044 /* copy eBPF program license from user space */
2045 if (strncpy_from_user(license, u64_to_user_ptr(attr->license),
2046 sizeof(license) - 1) < 0)
2048 license[sizeof(license) - 1] = 0;
2050 /* eBPF programs must be GPL compatible to use GPL-ed functions */
2051 is_gpl = license_is_gpl_compatible(license);
2053 if (attr->insn_cnt == 0 ||
2054 attr->insn_cnt > (capable(CAP_SYS_ADMIN) ? BPF_COMPLEXITY_LIMIT_INSNS : BPF_MAXINSNS))
2056 if (type != BPF_PROG_TYPE_SOCKET_FILTER &&
2057 type != BPF_PROG_TYPE_CGROUP_SKB &&
2058 !capable(CAP_SYS_ADMIN))
2061 bpf_prog_load_fixup_attach_type(attr);
2062 if (bpf_prog_load_check_attach(type, attr->expected_attach_type,
2063 attr->attach_btf_id,
2064 attr->attach_prog_fd))
2067 /* plain bpf_prog allocation */
2068 prog = bpf_prog_alloc(bpf_prog_size(attr->insn_cnt), GFP_USER);
2072 prog->expected_attach_type = attr->expected_attach_type;
2073 prog->aux->attach_btf_id = attr->attach_btf_id;
2074 if (attr->attach_prog_fd) {
2075 struct bpf_prog *tgt_prog;
2077 tgt_prog = bpf_prog_get(attr->attach_prog_fd);
2078 if (IS_ERR(tgt_prog)) {
2079 err = PTR_ERR(tgt_prog);
2080 goto free_prog_nouncharge;
2082 prog->aux->linked_prog = tgt_prog;
2085 prog->aux->offload_requested = !!attr->prog_ifindex;
2087 err = security_bpf_prog_alloc(prog->aux);
2089 goto free_prog_nouncharge;
2091 err = bpf_prog_charge_memlock(prog);
2095 prog->len = attr->insn_cnt;
2098 if (copy_from_user(prog->insns, u64_to_user_ptr(attr->insns),
2099 bpf_prog_insn_size(prog)) != 0)
2102 prog->orig_prog = NULL;
2105 atomic64_set(&prog->aux->refcnt, 1);
2106 prog->gpl_compatible = is_gpl ? 1 : 0;
2108 if (bpf_prog_is_dev_bound(prog->aux)) {
2109 err = bpf_prog_offload_init(prog, attr);
2114 /* find program type: socket_filter vs tracing_filter */
2115 err = find_prog_type(type, prog);
2119 prog->aux->load_time = ktime_get_boottime_ns();
2120 err = bpf_obj_name_cpy(prog->aux->name, attr->prog_name,
2121 sizeof(attr->prog_name));
2125 /* run eBPF verifier */
2126 err = bpf_check(&prog, attr, uattr);
2128 goto free_used_maps;
2130 prog = bpf_prog_select_runtime(prog, &err);
2132 goto free_used_maps;
2134 err = bpf_prog_alloc_id(prog);
2136 goto free_used_maps;
2138 /* Upon success of bpf_prog_alloc_id(), the BPF prog is
2139 * effectively publicly exposed. However, retrieving via
2140 * bpf_prog_get_fd_by_id() will take another reference,
2141 * therefore it cannot be gone underneath us.
2143 * Only for the time /after/ successful bpf_prog_new_fd()
2144 * and before returning to userspace, we might just hold
2145 * one reference and any parallel close on that fd could
2146 * rip everything out. Hence, below notifications must
2147 * happen before bpf_prog_new_fd().
2149 * Also, any failure handling from this point onwards must
2150 * be using bpf_prog_put() given the program is exposed.
2152 bpf_prog_kallsyms_add(prog);
2153 perf_event_bpf_event(prog, PERF_BPF_EVENT_PROG_LOAD, 0);
2154 bpf_audit_prog(prog, BPF_AUDIT_LOAD);
2156 err = bpf_prog_new_fd(prog);
2162 /* In case we have subprogs, we need to wait for a grace
2163 * period before we can tear down JIT memory since symbols
2164 * are already exposed under kallsyms.
2166 __bpf_prog_put_noref(prog, prog->aux->func_cnt);
2169 bpf_prog_uncharge_memlock(prog);
2171 security_bpf_prog_free(prog->aux);
2172 free_prog_nouncharge:
2173 bpf_prog_free(prog);
2177 #define BPF_OBJ_LAST_FIELD file_flags
2179 static int bpf_obj_pin(const union bpf_attr *attr)
2181 if (CHECK_ATTR(BPF_OBJ) || attr->file_flags != 0)
2184 return bpf_obj_pin_user(attr->bpf_fd, u64_to_user_ptr(attr->pathname));
2187 static int bpf_obj_get(const union bpf_attr *attr)
2189 if (CHECK_ATTR(BPF_OBJ) || attr->bpf_fd != 0 ||
2190 attr->file_flags & ~BPF_OBJ_FLAG_MASK)
2193 return bpf_obj_get_user(u64_to_user_ptr(attr->pathname),
2197 void bpf_link_init(struct bpf_link *link, const struct bpf_link_ops *ops,
2198 struct bpf_prog *prog)
2200 atomic64_set(&link->refcnt, 1);
2205 /* Clean up bpf_link and corresponding anon_inode file and FD. After
2206 * anon_inode is created, bpf_link can't be just kfree()'d due to deferred
2207 * anon_inode's release() call. This helper manages marking bpf_link as
2208 * defunct, releases anon_inode file and puts reserved FD.
2210 void bpf_link_cleanup(struct bpf_link *link, struct file *link_file,
2215 put_unused_fd(link_fd);
2218 void bpf_link_inc(struct bpf_link *link)
2220 atomic64_inc(&link->refcnt);
2223 /* bpf_link_free is guaranteed to be called from process context */
2224 static void bpf_link_free(struct bpf_link *link)
2227 /* detach BPF program, clean up used resources */
2228 link->ops->release(link);
2229 bpf_prog_put(link->prog);
2231 /* free bpf_link and its containing memory */
2232 link->ops->dealloc(link);
2235 static void bpf_link_put_deferred(struct work_struct *work)
2237 struct bpf_link *link = container_of(work, struct bpf_link, work);
2239 bpf_link_free(link);
2242 /* bpf_link_put can be called from atomic context, but ensures that resources
2243 * are freed from process context
2245 void bpf_link_put(struct bpf_link *link)
2247 if (!atomic64_dec_and_test(&link->refcnt))
2251 INIT_WORK(&link->work, bpf_link_put_deferred);
2252 schedule_work(&link->work);
2254 bpf_link_free(link);
2258 static int bpf_link_release(struct inode *inode, struct file *filp)
2260 struct bpf_link *link = filp->private_data;
2266 #ifdef CONFIG_PROC_FS
2267 static const struct bpf_link_ops bpf_raw_tp_lops;
2268 static const struct bpf_link_ops bpf_tracing_link_lops;
2270 static void bpf_link_show_fdinfo(struct seq_file *m, struct file *filp)
2272 const struct bpf_link *link = filp->private_data;
2273 const struct bpf_prog *prog = link->prog;
2274 char prog_tag[sizeof(prog->tag) * 2 + 1] = { };
2275 const char *link_type;
2277 if (link->ops == &bpf_raw_tp_lops)
2278 link_type = "raw_tracepoint";
2279 else if (link->ops == &bpf_tracing_link_lops)
2280 link_type = "tracing";
2281 #ifdef CONFIG_CGROUP_BPF
2282 else if (link->ops == &bpf_cgroup_link_lops)
2283 link_type = "cgroup";
2286 link_type = "unknown";
2288 bin2hex(prog_tag, prog->tag, sizeof(prog->tag));
2299 static const struct file_operations bpf_link_fops = {
2300 #ifdef CONFIG_PROC_FS
2301 .show_fdinfo = bpf_link_show_fdinfo,
2303 .release = bpf_link_release,
2304 .read = bpf_dummy_read,
2305 .write = bpf_dummy_write,
2308 int bpf_link_new_fd(struct bpf_link *link)
2310 return anon_inode_getfd("bpf-link", &bpf_link_fops, link, O_CLOEXEC);
2313 /* Similar to bpf_link_new_fd, create anon_inode for given bpf_link, but
2314 * instead of immediately installing fd in fdtable, just reserve it and
2315 * return. Caller then need to either install it with fd_install(fd, file) or
2316 * release with put_unused_fd(fd).
2317 * This is useful for cases when bpf_link attachment/detachment are
2318 * complicated and expensive operations and should be delayed until all the fd
2319 * reservation and anon_inode creation succeeds.
2321 struct file *bpf_link_new_file(struct bpf_link *link, int *reserved_fd)
2326 fd = get_unused_fd_flags(O_CLOEXEC);
2330 file = anon_inode_getfile("bpf_link", &bpf_link_fops, link, O_CLOEXEC);
2340 struct bpf_link *bpf_link_get_from_fd(u32 ufd)
2342 struct fd f = fdget(ufd);
2343 struct bpf_link *link;
2346 return ERR_PTR(-EBADF);
2347 if (f.file->f_op != &bpf_link_fops) {
2349 return ERR_PTR(-EINVAL);
2352 link = f.file->private_data;
2359 struct bpf_tracing_link {
2360 struct bpf_link link;
2363 static void bpf_tracing_link_release(struct bpf_link *link)
2365 WARN_ON_ONCE(bpf_trampoline_unlink_prog(link->prog));
2368 static void bpf_tracing_link_dealloc(struct bpf_link *link)
2370 struct bpf_tracing_link *tr_link =
2371 container_of(link, struct bpf_tracing_link, link);
2376 static const struct bpf_link_ops bpf_tracing_link_lops = {
2377 .release = bpf_tracing_link_release,
2378 .dealloc = bpf_tracing_link_dealloc,
2381 static int bpf_tracing_prog_attach(struct bpf_prog *prog)
2383 struct bpf_tracing_link *link;
2384 struct file *link_file;
2387 switch (prog->type) {
2388 case BPF_PROG_TYPE_TRACING:
2389 if (prog->expected_attach_type != BPF_TRACE_FENTRY &&
2390 prog->expected_attach_type != BPF_TRACE_FEXIT &&
2391 prog->expected_attach_type != BPF_MODIFY_RETURN) {
2396 case BPF_PROG_TYPE_EXT:
2397 if (prog->expected_attach_type != 0) {
2402 case BPF_PROG_TYPE_LSM:
2403 if (prog->expected_attach_type != BPF_LSM_MAC) {
2413 link = kzalloc(sizeof(*link), GFP_USER);
2418 bpf_link_init(&link->link, &bpf_tracing_link_lops, prog);
2420 link_file = bpf_link_new_file(&link->link, &link_fd);
2421 if (IS_ERR(link_file)) {
2423 err = PTR_ERR(link_file);
2427 err = bpf_trampoline_link_prog(prog);
2429 bpf_link_cleanup(&link->link, link_file, link_fd);
2433 fd_install(link_fd, link_file);
2441 struct bpf_raw_tp_link {
2442 struct bpf_link link;
2443 struct bpf_raw_event_map *btp;
2446 static void bpf_raw_tp_link_release(struct bpf_link *link)
2448 struct bpf_raw_tp_link *raw_tp =
2449 container_of(link, struct bpf_raw_tp_link, link);
2451 bpf_probe_unregister(raw_tp->btp, raw_tp->link.prog);
2452 bpf_put_raw_tracepoint(raw_tp->btp);
2455 static void bpf_raw_tp_link_dealloc(struct bpf_link *link)
2457 struct bpf_raw_tp_link *raw_tp =
2458 container_of(link, struct bpf_raw_tp_link, link);
2463 static const struct bpf_link_ops bpf_raw_tp_lops = {
2464 .release = bpf_raw_tp_link_release,
2465 .dealloc = bpf_raw_tp_link_dealloc,
2468 #define BPF_RAW_TRACEPOINT_OPEN_LAST_FIELD raw_tracepoint.prog_fd
2470 static int bpf_raw_tracepoint_open(const union bpf_attr *attr)
2472 struct bpf_raw_tp_link *link;
2473 struct bpf_raw_event_map *btp;
2474 struct file *link_file;
2475 struct bpf_prog *prog;
2476 const char *tp_name;
2480 if (CHECK_ATTR(BPF_RAW_TRACEPOINT_OPEN))
2483 prog = bpf_prog_get(attr->raw_tracepoint.prog_fd);
2485 return PTR_ERR(prog);
2487 switch (prog->type) {
2488 case BPF_PROG_TYPE_TRACING:
2489 case BPF_PROG_TYPE_EXT:
2490 case BPF_PROG_TYPE_LSM:
2491 if (attr->raw_tracepoint.name) {
2492 /* The attach point for this category of programs
2493 * should be specified via btf_id during program load.
2498 if (prog->type == BPF_PROG_TYPE_TRACING &&
2499 prog->expected_attach_type == BPF_TRACE_RAW_TP) {
2500 tp_name = prog->aux->attach_func_name;
2503 return bpf_tracing_prog_attach(prog);
2504 case BPF_PROG_TYPE_RAW_TRACEPOINT:
2505 case BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE:
2506 if (strncpy_from_user(buf,
2507 u64_to_user_ptr(attr->raw_tracepoint.name),
2508 sizeof(buf) - 1) < 0) {
2512 buf[sizeof(buf) - 1] = 0;
2520 btp = bpf_get_raw_tracepoint(tp_name);
2526 link = kzalloc(sizeof(*link), GFP_USER);
2531 bpf_link_init(&link->link, &bpf_raw_tp_lops, prog);
2534 link_file = bpf_link_new_file(&link->link, &link_fd);
2535 if (IS_ERR(link_file)) {
2537 err = PTR_ERR(link_file);
2541 err = bpf_probe_register(link->btp, prog);
2543 bpf_link_cleanup(&link->link, link_file, link_fd);
2547 fd_install(link_fd, link_file);
2551 bpf_put_raw_tracepoint(btp);
2557 static int bpf_prog_attach_check_attach_type(const struct bpf_prog *prog,
2558 enum bpf_attach_type attach_type)
2560 switch (prog->type) {
2561 case BPF_PROG_TYPE_CGROUP_SOCK:
2562 case BPF_PROG_TYPE_CGROUP_SOCK_ADDR:
2563 case BPF_PROG_TYPE_CGROUP_SOCKOPT:
2564 return attach_type == prog->expected_attach_type ? 0 : -EINVAL;
2565 case BPF_PROG_TYPE_CGROUP_SKB:
2566 return prog->enforce_expected_attach_type &&
2567 prog->expected_attach_type != attach_type ?
2574 static enum bpf_prog_type
2575 attach_type_to_prog_type(enum bpf_attach_type attach_type)
2577 switch (attach_type) {
2578 case BPF_CGROUP_INET_INGRESS:
2579 case BPF_CGROUP_INET_EGRESS:
2580 return BPF_PROG_TYPE_CGROUP_SKB;
2582 case BPF_CGROUP_INET_SOCK_CREATE:
2583 case BPF_CGROUP_INET4_POST_BIND:
2584 case BPF_CGROUP_INET6_POST_BIND:
2585 return BPF_PROG_TYPE_CGROUP_SOCK;
2586 case BPF_CGROUP_INET4_BIND:
2587 case BPF_CGROUP_INET6_BIND:
2588 case BPF_CGROUP_INET4_CONNECT:
2589 case BPF_CGROUP_INET6_CONNECT:
2590 case BPF_CGROUP_UDP4_SENDMSG:
2591 case BPF_CGROUP_UDP6_SENDMSG:
2592 case BPF_CGROUP_UDP4_RECVMSG:
2593 case BPF_CGROUP_UDP6_RECVMSG:
2594 return BPF_PROG_TYPE_CGROUP_SOCK_ADDR;
2595 case BPF_CGROUP_SOCK_OPS:
2596 return BPF_PROG_TYPE_SOCK_OPS;
2597 case BPF_CGROUP_DEVICE:
2598 return BPF_PROG_TYPE_CGROUP_DEVICE;
2599 case BPF_SK_MSG_VERDICT:
2600 return BPF_PROG_TYPE_SK_MSG;
2601 case BPF_SK_SKB_STREAM_PARSER:
2602 case BPF_SK_SKB_STREAM_VERDICT:
2603 return BPF_PROG_TYPE_SK_SKB;
2604 case BPF_LIRC_MODE2:
2605 return BPF_PROG_TYPE_LIRC_MODE2;
2606 case BPF_FLOW_DISSECTOR:
2607 return BPF_PROG_TYPE_FLOW_DISSECTOR;
2608 case BPF_CGROUP_SYSCTL:
2609 return BPF_PROG_TYPE_CGROUP_SYSCTL;
2610 case BPF_CGROUP_GETSOCKOPT:
2611 case BPF_CGROUP_SETSOCKOPT:
2612 return BPF_PROG_TYPE_CGROUP_SOCKOPT;
2614 return BPF_PROG_TYPE_UNSPEC;
2618 #define BPF_PROG_ATTACH_LAST_FIELD replace_bpf_fd
2620 #define BPF_F_ATTACH_MASK \
2621 (BPF_F_ALLOW_OVERRIDE | BPF_F_ALLOW_MULTI | BPF_F_REPLACE)
2623 static int bpf_prog_attach(const union bpf_attr *attr)
2625 enum bpf_prog_type ptype;
2626 struct bpf_prog *prog;
2629 if (!capable(CAP_NET_ADMIN))
2632 if (CHECK_ATTR(BPF_PROG_ATTACH))
2635 if (attr->attach_flags & ~BPF_F_ATTACH_MASK)
2638 ptype = attach_type_to_prog_type(attr->attach_type);
2639 if (ptype == BPF_PROG_TYPE_UNSPEC)
2642 prog = bpf_prog_get_type(attr->attach_bpf_fd, ptype);
2644 return PTR_ERR(prog);
2646 if (bpf_prog_attach_check_attach_type(prog, attr->attach_type)) {
2652 case BPF_PROG_TYPE_SK_SKB:
2653 case BPF_PROG_TYPE_SK_MSG:
2654 ret = sock_map_get_from_fd(attr, prog);
2656 case BPF_PROG_TYPE_LIRC_MODE2:
2657 ret = lirc_prog_attach(attr, prog);
2659 case BPF_PROG_TYPE_FLOW_DISSECTOR:
2660 ret = skb_flow_dissector_bpf_prog_attach(attr, prog);
2662 case BPF_PROG_TYPE_CGROUP_DEVICE:
2663 case BPF_PROG_TYPE_CGROUP_SKB:
2664 case BPF_PROG_TYPE_CGROUP_SOCK:
2665 case BPF_PROG_TYPE_CGROUP_SOCK_ADDR:
2666 case BPF_PROG_TYPE_CGROUP_SOCKOPT:
2667 case BPF_PROG_TYPE_CGROUP_SYSCTL:
2668 case BPF_PROG_TYPE_SOCK_OPS:
2669 ret = cgroup_bpf_prog_attach(attr, ptype, prog);
2680 #define BPF_PROG_DETACH_LAST_FIELD attach_type
2682 static int bpf_prog_detach(const union bpf_attr *attr)
2684 enum bpf_prog_type ptype;
2686 if (!capable(CAP_NET_ADMIN))
2689 if (CHECK_ATTR(BPF_PROG_DETACH))
2692 ptype = attach_type_to_prog_type(attr->attach_type);
2695 case BPF_PROG_TYPE_SK_MSG:
2696 case BPF_PROG_TYPE_SK_SKB:
2697 return sock_map_get_from_fd(attr, NULL);
2698 case BPF_PROG_TYPE_LIRC_MODE2:
2699 return lirc_prog_detach(attr);
2700 case BPF_PROG_TYPE_FLOW_DISSECTOR:
2701 return skb_flow_dissector_bpf_prog_detach(attr);
2702 case BPF_PROG_TYPE_CGROUP_DEVICE:
2703 case BPF_PROG_TYPE_CGROUP_SKB:
2704 case BPF_PROG_TYPE_CGROUP_SOCK:
2705 case BPF_PROG_TYPE_CGROUP_SOCK_ADDR:
2706 case BPF_PROG_TYPE_CGROUP_SOCKOPT:
2707 case BPF_PROG_TYPE_CGROUP_SYSCTL:
2708 case BPF_PROG_TYPE_SOCK_OPS:
2709 return cgroup_bpf_prog_detach(attr, ptype);
2715 #define BPF_PROG_QUERY_LAST_FIELD query.prog_cnt
2717 static int bpf_prog_query(const union bpf_attr *attr,
2718 union bpf_attr __user *uattr)
2720 if (!capable(CAP_NET_ADMIN))
2722 if (CHECK_ATTR(BPF_PROG_QUERY))
2724 if (attr->query.query_flags & ~BPF_F_QUERY_EFFECTIVE)
2727 switch (attr->query.attach_type) {
2728 case BPF_CGROUP_INET_INGRESS:
2729 case BPF_CGROUP_INET_EGRESS:
2730 case BPF_CGROUP_INET_SOCK_CREATE:
2731 case BPF_CGROUP_INET4_BIND:
2732 case BPF_CGROUP_INET6_BIND:
2733 case BPF_CGROUP_INET4_POST_BIND:
2734 case BPF_CGROUP_INET6_POST_BIND:
2735 case BPF_CGROUP_INET4_CONNECT:
2736 case BPF_CGROUP_INET6_CONNECT:
2737 case BPF_CGROUP_UDP4_SENDMSG:
2738 case BPF_CGROUP_UDP6_SENDMSG:
2739 case BPF_CGROUP_UDP4_RECVMSG:
2740 case BPF_CGROUP_UDP6_RECVMSG:
2741 case BPF_CGROUP_SOCK_OPS:
2742 case BPF_CGROUP_DEVICE:
2743 case BPF_CGROUP_SYSCTL:
2744 case BPF_CGROUP_GETSOCKOPT:
2745 case BPF_CGROUP_SETSOCKOPT:
2746 return cgroup_bpf_prog_query(attr, uattr);
2747 case BPF_LIRC_MODE2:
2748 return lirc_prog_query(attr, uattr);
2749 case BPF_FLOW_DISSECTOR:
2750 return skb_flow_dissector_prog_query(attr, uattr);
2756 #define BPF_PROG_TEST_RUN_LAST_FIELD test.ctx_out
2758 static int bpf_prog_test_run(const union bpf_attr *attr,
2759 union bpf_attr __user *uattr)
2761 struct bpf_prog *prog;
2762 int ret = -ENOTSUPP;
2764 if (!capable(CAP_SYS_ADMIN))
2766 if (CHECK_ATTR(BPF_PROG_TEST_RUN))
2769 if ((attr->test.ctx_size_in && !attr->test.ctx_in) ||
2770 (!attr->test.ctx_size_in && attr->test.ctx_in))
2773 if ((attr->test.ctx_size_out && !attr->test.ctx_out) ||
2774 (!attr->test.ctx_size_out && attr->test.ctx_out))
2777 prog = bpf_prog_get(attr->test.prog_fd);
2779 return PTR_ERR(prog);
2781 if (prog->aux->ops->test_run)
2782 ret = prog->aux->ops->test_run(prog, attr, uattr);
2788 #define BPF_OBJ_GET_NEXT_ID_LAST_FIELD next_id
2790 static int bpf_obj_get_next_id(const union bpf_attr *attr,
2791 union bpf_attr __user *uattr,
2795 u32 next_id = attr->start_id;
2798 if (CHECK_ATTR(BPF_OBJ_GET_NEXT_ID) || next_id >= INT_MAX)
2801 if (!capable(CAP_SYS_ADMIN))
2806 if (!idr_get_next(idr, &next_id))
2808 spin_unlock_bh(lock);
2811 err = put_user(next_id, &uattr->next_id);
2816 #define BPF_PROG_GET_FD_BY_ID_LAST_FIELD prog_id
2818 struct bpf_prog *bpf_prog_by_id(u32 id)
2820 struct bpf_prog *prog;
2823 return ERR_PTR(-ENOENT);
2825 spin_lock_bh(&prog_idr_lock);
2826 prog = idr_find(&prog_idr, id);
2828 prog = bpf_prog_inc_not_zero(prog);
2830 prog = ERR_PTR(-ENOENT);
2831 spin_unlock_bh(&prog_idr_lock);
2835 static int bpf_prog_get_fd_by_id(const union bpf_attr *attr)
2837 struct bpf_prog *prog;
2838 u32 id = attr->prog_id;
2841 if (CHECK_ATTR(BPF_PROG_GET_FD_BY_ID))
2844 if (!capable(CAP_SYS_ADMIN))
2847 prog = bpf_prog_by_id(id);
2849 return PTR_ERR(prog);
2851 fd = bpf_prog_new_fd(prog);
2858 #define BPF_MAP_GET_FD_BY_ID_LAST_FIELD open_flags
2860 static int bpf_map_get_fd_by_id(const union bpf_attr *attr)
2862 struct bpf_map *map;
2863 u32 id = attr->map_id;
2867 if (CHECK_ATTR(BPF_MAP_GET_FD_BY_ID) ||
2868 attr->open_flags & ~BPF_OBJ_FLAG_MASK)
2871 if (!capable(CAP_SYS_ADMIN))
2874 f_flags = bpf_get_file_flag(attr->open_flags);
2878 spin_lock_bh(&map_idr_lock);
2879 map = idr_find(&map_idr, id);
2881 map = __bpf_map_inc_not_zero(map, true);
2883 map = ERR_PTR(-ENOENT);
2884 spin_unlock_bh(&map_idr_lock);
2887 return PTR_ERR(map);
2889 fd = bpf_map_new_fd(map, f_flags);
2891 bpf_map_put_with_uref(map);
2896 static const struct bpf_map *bpf_map_from_imm(const struct bpf_prog *prog,
2897 unsigned long addr, u32 *off,
2900 const struct bpf_map *map;
2903 for (i = 0, *off = 0; i < prog->aux->used_map_cnt; i++) {
2904 map = prog->aux->used_maps[i];
2905 if (map == (void *)addr) {
2906 *type = BPF_PSEUDO_MAP_FD;
2909 if (!map->ops->map_direct_value_meta)
2911 if (!map->ops->map_direct_value_meta(map, addr, off)) {
2912 *type = BPF_PSEUDO_MAP_VALUE;
2920 static struct bpf_insn *bpf_insn_prepare_dump(const struct bpf_prog *prog)
2922 const struct bpf_map *map;
2923 struct bpf_insn *insns;
2928 insns = kmemdup(prog->insnsi, bpf_prog_insn_size(prog),
2933 for (i = 0; i < prog->len; i++) {
2934 if (insns[i].code == (BPF_JMP | BPF_TAIL_CALL)) {
2935 insns[i].code = BPF_JMP | BPF_CALL;
2936 insns[i].imm = BPF_FUNC_tail_call;
2939 if (insns[i].code == (BPF_JMP | BPF_CALL) ||
2940 insns[i].code == (BPF_JMP | BPF_CALL_ARGS)) {
2941 if (insns[i].code == (BPF_JMP | BPF_CALL_ARGS))
2942 insns[i].code = BPF_JMP | BPF_CALL;
2943 if (!bpf_dump_raw_ok())
2948 if (insns[i].code != (BPF_LD | BPF_IMM | BPF_DW))
2951 imm = ((u64)insns[i + 1].imm << 32) | (u32)insns[i].imm;
2952 map = bpf_map_from_imm(prog, imm, &off, &type);
2954 insns[i].src_reg = type;
2955 insns[i].imm = map->id;
2956 insns[i + 1].imm = off;
2964 static int set_info_rec_size(struct bpf_prog_info *info)
2967 * Ensure info.*_rec_size is the same as kernel expected size
2971 * Only allow zero *_rec_size if both _rec_size and _cnt are
2972 * zero. In this case, the kernel will set the expected
2973 * _rec_size back to the info.
2976 if ((info->nr_func_info || info->func_info_rec_size) &&
2977 info->func_info_rec_size != sizeof(struct bpf_func_info))
2980 if ((info->nr_line_info || info->line_info_rec_size) &&
2981 info->line_info_rec_size != sizeof(struct bpf_line_info))
2984 if ((info->nr_jited_line_info || info->jited_line_info_rec_size) &&
2985 info->jited_line_info_rec_size != sizeof(__u64))
2988 info->func_info_rec_size = sizeof(struct bpf_func_info);
2989 info->line_info_rec_size = sizeof(struct bpf_line_info);
2990 info->jited_line_info_rec_size = sizeof(__u64);
2995 static int bpf_prog_get_info_by_fd(struct bpf_prog *prog,
2996 const union bpf_attr *attr,
2997 union bpf_attr __user *uattr)
2999 struct bpf_prog_info __user *uinfo = u64_to_user_ptr(attr->info.info);
3000 struct bpf_prog_info info;
3001 u32 info_len = attr->info.info_len;
3002 struct bpf_prog_stats stats;
3003 char __user *uinsns;
3007 err = bpf_check_uarg_tail_zero(uinfo, sizeof(info), info_len);
3010 info_len = min_t(u32, sizeof(info), info_len);
3012 memset(&info, 0, sizeof(info));
3013 if (copy_from_user(&info, uinfo, info_len))
3016 info.type = prog->type;
3017 info.id = prog->aux->id;
3018 info.load_time = prog->aux->load_time;
3019 info.created_by_uid = from_kuid_munged(current_user_ns(),
3020 prog->aux->user->uid);
3021 info.gpl_compatible = prog->gpl_compatible;
3023 memcpy(info.tag, prog->tag, sizeof(prog->tag));
3024 memcpy(info.name, prog->aux->name, sizeof(prog->aux->name));
3026 ulen = info.nr_map_ids;
3027 info.nr_map_ids = prog->aux->used_map_cnt;
3028 ulen = min_t(u32, info.nr_map_ids, ulen);
3030 u32 __user *user_map_ids = u64_to_user_ptr(info.map_ids);
3033 for (i = 0; i < ulen; i++)
3034 if (put_user(prog->aux->used_maps[i]->id,
3039 err = set_info_rec_size(&info);
3043 bpf_prog_get_stats(prog, &stats);
3044 info.run_time_ns = stats.nsecs;
3045 info.run_cnt = stats.cnt;
3047 if (!capable(CAP_SYS_ADMIN)) {
3048 info.jited_prog_len = 0;
3049 info.xlated_prog_len = 0;
3050 info.nr_jited_ksyms = 0;
3051 info.nr_jited_func_lens = 0;
3052 info.nr_func_info = 0;
3053 info.nr_line_info = 0;
3054 info.nr_jited_line_info = 0;
3058 ulen = info.xlated_prog_len;
3059 info.xlated_prog_len = bpf_prog_insn_size(prog);
3060 if (info.xlated_prog_len && ulen) {
3061 struct bpf_insn *insns_sanitized;
3064 if (prog->blinded && !bpf_dump_raw_ok()) {
3065 info.xlated_prog_insns = 0;
3068 insns_sanitized = bpf_insn_prepare_dump(prog);
3069 if (!insns_sanitized)
3071 uinsns = u64_to_user_ptr(info.xlated_prog_insns);
3072 ulen = min_t(u32, info.xlated_prog_len, ulen);
3073 fault = copy_to_user(uinsns, insns_sanitized, ulen);
3074 kfree(insns_sanitized);
3079 if (bpf_prog_is_dev_bound(prog->aux)) {
3080 err = bpf_prog_offload_info_fill(&info, prog);
3086 /* NOTE: the following code is supposed to be skipped for offload.
3087 * bpf_prog_offload_info_fill() is the place to fill similar fields
3090 ulen = info.jited_prog_len;
3091 if (prog->aux->func_cnt) {
3094 info.jited_prog_len = 0;
3095 for (i = 0; i < prog->aux->func_cnt; i++)
3096 info.jited_prog_len += prog->aux->func[i]->jited_len;
3098 info.jited_prog_len = prog->jited_len;
3101 if (info.jited_prog_len && ulen) {
3102 if (bpf_dump_raw_ok()) {
3103 uinsns = u64_to_user_ptr(info.jited_prog_insns);
3104 ulen = min_t(u32, info.jited_prog_len, ulen);
3106 /* for multi-function programs, copy the JITed
3107 * instructions for all the functions
3109 if (prog->aux->func_cnt) {
3114 for (i = 0; i < prog->aux->func_cnt; i++) {
3115 len = prog->aux->func[i]->jited_len;
3116 len = min_t(u32, len, free);
3117 img = (u8 *) prog->aux->func[i]->bpf_func;
3118 if (copy_to_user(uinsns, img, len))
3126 if (copy_to_user(uinsns, prog->bpf_func, ulen))
3130 info.jited_prog_insns = 0;
3134 ulen = info.nr_jited_ksyms;
3135 info.nr_jited_ksyms = prog->aux->func_cnt ? : 1;
3137 if (bpf_dump_raw_ok()) {
3138 unsigned long ksym_addr;
3139 u64 __user *user_ksyms;
3142 /* copy the address of the kernel symbol
3143 * corresponding to each function
3145 ulen = min_t(u32, info.nr_jited_ksyms, ulen);
3146 user_ksyms = u64_to_user_ptr(info.jited_ksyms);
3147 if (prog->aux->func_cnt) {
3148 for (i = 0; i < ulen; i++) {
3149 ksym_addr = (unsigned long)
3150 prog->aux->func[i]->bpf_func;
3151 if (put_user((u64) ksym_addr,
3156 ksym_addr = (unsigned long) prog->bpf_func;
3157 if (put_user((u64) ksym_addr, &user_ksyms[0]))
3161 info.jited_ksyms = 0;
3165 ulen = info.nr_jited_func_lens;
3166 info.nr_jited_func_lens = prog->aux->func_cnt ? : 1;
3168 if (bpf_dump_raw_ok()) {
3169 u32 __user *user_lens;
3172 /* copy the JITed image lengths for each function */
3173 ulen = min_t(u32, info.nr_jited_func_lens, ulen);
3174 user_lens = u64_to_user_ptr(info.jited_func_lens);
3175 if (prog->aux->func_cnt) {
3176 for (i = 0; i < ulen; i++) {
3178 prog->aux->func[i]->jited_len;
3179 if (put_user(func_len, &user_lens[i]))
3183 func_len = prog->jited_len;
3184 if (put_user(func_len, &user_lens[0]))
3188 info.jited_func_lens = 0;
3193 info.btf_id = btf_id(prog->aux->btf);
3195 ulen = info.nr_func_info;
3196 info.nr_func_info = prog->aux->func_info_cnt;
3197 if (info.nr_func_info && ulen) {
3198 char __user *user_finfo;
3200 user_finfo = u64_to_user_ptr(info.func_info);
3201 ulen = min_t(u32, info.nr_func_info, ulen);
3202 if (copy_to_user(user_finfo, prog->aux->func_info,
3203 info.func_info_rec_size * ulen))
3207 ulen = info.nr_line_info;
3208 info.nr_line_info = prog->aux->nr_linfo;
3209 if (info.nr_line_info && ulen) {
3210 __u8 __user *user_linfo;
3212 user_linfo = u64_to_user_ptr(info.line_info);
3213 ulen = min_t(u32, info.nr_line_info, ulen);
3214 if (copy_to_user(user_linfo, prog->aux->linfo,
3215 info.line_info_rec_size * ulen))
3219 ulen = info.nr_jited_line_info;
3220 if (prog->aux->jited_linfo)
3221 info.nr_jited_line_info = prog->aux->nr_linfo;
3223 info.nr_jited_line_info = 0;
3224 if (info.nr_jited_line_info && ulen) {
3225 if (bpf_dump_raw_ok()) {
3226 __u64 __user *user_linfo;
3229 user_linfo = u64_to_user_ptr(info.jited_line_info);
3230 ulen = min_t(u32, info.nr_jited_line_info, ulen);
3231 for (i = 0; i < ulen; i++) {
3232 if (put_user((__u64)(long)prog->aux->jited_linfo[i],
3237 info.jited_line_info = 0;
3241 ulen = info.nr_prog_tags;
3242 info.nr_prog_tags = prog->aux->func_cnt ? : 1;
3244 __u8 __user (*user_prog_tags)[BPF_TAG_SIZE];
3247 user_prog_tags = u64_to_user_ptr(info.prog_tags);
3248 ulen = min_t(u32, info.nr_prog_tags, ulen);
3249 if (prog->aux->func_cnt) {
3250 for (i = 0; i < ulen; i++) {
3251 if (copy_to_user(user_prog_tags[i],
3252 prog->aux->func[i]->tag,
3257 if (copy_to_user(user_prog_tags[0],
3258 prog->tag, BPF_TAG_SIZE))
3264 if (copy_to_user(uinfo, &info, info_len) ||
3265 put_user(info_len, &uattr->info.info_len))
3271 static int bpf_map_get_info_by_fd(struct bpf_map *map,
3272 const union bpf_attr *attr,
3273 union bpf_attr __user *uattr)
3275 struct bpf_map_info __user *uinfo = u64_to_user_ptr(attr->info.info);
3276 struct bpf_map_info info;
3277 u32 info_len = attr->info.info_len;
3280 err = bpf_check_uarg_tail_zero(uinfo, sizeof(info), info_len);
3283 info_len = min_t(u32, sizeof(info), info_len);
3285 memset(&info, 0, sizeof(info));
3286 info.type = map->map_type;
3288 info.key_size = map->key_size;
3289 info.value_size = map->value_size;
3290 info.max_entries = map->max_entries;
3291 info.map_flags = map->map_flags;
3292 memcpy(info.name, map->name, sizeof(map->name));
3295 info.btf_id = btf_id(map->btf);
3296 info.btf_key_type_id = map->btf_key_type_id;
3297 info.btf_value_type_id = map->btf_value_type_id;
3299 info.btf_vmlinux_value_type_id = map->btf_vmlinux_value_type_id;
3301 if (bpf_map_is_dev_bound(map)) {
3302 err = bpf_map_offload_info_fill(&info, map);
3307 if (copy_to_user(uinfo, &info, info_len) ||
3308 put_user(info_len, &uattr->info.info_len))
3314 static int bpf_btf_get_info_by_fd(struct btf *btf,
3315 const union bpf_attr *attr,
3316 union bpf_attr __user *uattr)
3318 struct bpf_btf_info __user *uinfo = u64_to_user_ptr(attr->info.info);
3319 u32 info_len = attr->info.info_len;
3322 err = bpf_check_uarg_tail_zero(uinfo, sizeof(*uinfo), info_len);
3326 return btf_get_info_by_fd(btf, attr, uattr);
3329 #define BPF_OBJ_GET_INFO_BY_FD_LAST_FIELD info.info
3331 static int bpf_obj_get_info_by_fd(const union bpf_attr *attr,
3332 union bpf_attr __user *uattr)
3334 int ufd = attr->info.bpf_fd;
3338 if (CHECK_ATTR(BPF_OBJ_GET_INFO_BY_FD))
3345 if (f.file->f_op == &bpf_prog_fops)
3346 err = bpf_prog_get_info_by_fd(f.file->private_data, attr,
3348 else if (f.file->f_op == &bpf_map_fops)
3349 err = bpf_map_get_info_by_fd(f.file->private_data, attr,
3351 else if (f.file->f_op == &btf_fops)
3352 err = bpf_btf_get_info_by_fd(f.file->private_data, attr, uattr);
3360 #define BPF_BTF_LOAD_LAST_FIELD btf_log_level
3362 static int bpf_btf_load(const union bpf_attr *attr)
3364 if (CHECK_ATTR(BPF_BTF_LOAD))
3367 if (!capable(CAP_SYS_ADMIN))
3370 return btf_new_fd(attr);
3373 #define BPF_BTF_GET_FD_BY_ID_LAST_FIELD btf_id
3375 static int bpf_btf_get_fd_by_id(const union bpf_attr *attr)
3377 if (CHECK_ATTR(BPF_BTF_GET_FD_BY_ID))
3380 if (!capable(CAP_SYS_ADMIN))
3383 return btf_get_fd_by_id(attr->btf_id);
3386 static int bpf_task_fd_query_copy(const union bpf_attr *attr,
3387 union bpf_attr __user *uattr,
3388 u32 prog_id, u32 fd_type,
3389 const char *buf, u64 probe_offset,
3392 char __user *ubuf = u64_to_user_ptr(attr->task_fd_query.buf);
3393 u32 len = buf ? strlen(buf) : 0, input_len;
3396 if (put_user(len, &uattr->task_fd_query.buf_len))
3398 input_len = attr->task_fd_query.buf_len;
3399 if (input_len && ubuf) {
3401 /* nothing to copy, just make ubuf NULL terminated */
3404 if (put_user(zero, ubuf))
3406 } else if (input_len >= len + 1) {
3407 /* ubuf can hold the string with NULL terminator */
3408 if (copy_to_user(ubuf, buf, len + 1))
3411 /* ubuf cannot hold the string with NULL terminator,
3412 * do a partial copy with NULL terminator.
3417 if (copy_to_user(ubuf, buf, input_len - 1))
3419 if (put_user(zero, ubuf + input_len - 1))
3424 if (put_user(prog_id, &uattr->task_fd_query.prog_id) ||
3425 put_user(fd_type, &uattr->task_fd_query.fd_type) ||
3426 put_user(probe_offset, &uattr->task_fd_query.probe_offset) ||
3427 put_user(probe_addr, &uattr->task_fd_query.probe_addr))
3433 #define BPF_TASK_FD_QUERY_LAST_FIELD task_fd_query.probe_addr
3435 static int bpf_task_fd_query(const union bpf_attr *attr,
3436 union bpf_attr __user *uattr)
3438 pid_t pid = attr->task_fd_query.pid;
3439 u32 fd = attr->task_fd_query.fd;
3440 const struct perf_event *event;
3441 struct files_struct *files;
3442 struct task_struct *task;
3446 if (CHECK_ATTR(BPF_TASK_FD_QUERY))
3449 if (!capable(CAP_SYS_ADMIN))
3452 if (attr->task_fd_query.flags != 0)
3455 task = get_pid_task(find_vpid(pid), PIDTYPE_PID);
3459 files = get_files_struct(task);
3460 put_task_struct(task);
3465 spin_lock(&files->file_lock);
3466 file = fcheck_files(files, fd);
3471 spin_unlock(&files->file_lock);
3472 put_files_struct(files);
3477 if (file->f_op == &bpf_link_fops) {
3478 struct bpf_link *link = file->private_data;
3480 if (link->ops == &bpf_raw_tp_lops) {
3481 struct bpf_raw_tp_link *raw_tp =
3482 container_of(link, struct bpf_raw_tp_link, link);
3483 struct bpf_raw_event_map *btp = raw_tp->btp;
3485 err = bpf_task_fd_query_copy(attr, uattr,
3486 raw_tp->link.prog->aux->id,
3487 BPF_FD_TYPE_RAW_TRACEPOINT,
3488 btp->tp->name, 0, 0);
3494 event = perf_get_event(file);
3495 if (!IS_ERR(event)) {
3496 u64 probe_offset, probe_addr;
3497 u32 prog_id, fd_type;
3500 err = bpf_get_perf_event_info(event, &prog_id, &fd_type,
3501 &buf, &probe_offset,
3504 err = bpf_task_fd_query_copy(attr, uattr, prog_id,
3519 #define BPF_MAP_BATCH_LAST_FIELD batch.flags
3521 #define BPF_DO_BATCH(fn) \
3527 err = fn(map, attr, uattr); \
3530 static int bpf_map_do_batch(const union bpf_attr *attr,
3531 union bpf_attr __user *uattr,
3534 struct bpf_map *map;
3538 if (CHECK_ATTR(BPF_MAP_BATCH))
3541 ufd = attr->batch.map_fd;
3543 map = __bpf_map_get(f);
3545 return PTR_ERR(map);
3547 if ((cmd == BPF_MAP_LOOKUP_BATCH ||
3548 cmd == BPF_MAP_LOOKUP_AND_DELETE_BATCH) &&
3549 !(map_get_sys_perms(map, f) & FMODE_CAN_READ)) {
3554 if (cmd != BPF_MAP_LOOKUP_BATCH &&
3555 !(map_get_sys_perms(map, f) & FMODE_CAN_WRITE)) {
3560 if (cmd == BPF_MAP_LOOKUP_BATCH)
3561 BPF_DO_BATCH(map->ops->map_lookup_batch);
3562 else if (cmd == BPF_MAP_LOOKUP_AND_DELETE_BATCH)
3563 BPF_DO_BATCH(map->ops->map_lookup_and_delete_batch);
3564 else if (cmd == BPF_MAP_UPDATE_BATCH)
3565 BPF_DO_BATCH(map->ops->map_update_batch);
3567 BPF_DO_BATCH(map->ops->map_delete_batch);
3574 #define BPF_LINK_CREATE_LAST_FIELD link_create.flags
3575 static int link_create(union bpf_attr *attr)
3577 enum bpf_prog_type ptype;
3578 struct bpf_prog *prog;
3581 if (!capable(CAP_NET_ADMIN))
3584 if (CHECK_ATTR(BPF_LINK_CREATE))
3587 ptype = attach_type_to_prog_type(attr->link_create.attach_type);
3588 if (ptype == BPF_PROG_TYPE_UNSPEC)
3591 prog = bpf_prog_get_type(attr->link_create.prog_fd, ptype);
3593 return PTR_ERR(prog);
3595 ret = bpf_prog_attach_check_attach_type(prog,
3596 attr->link_create.attach_type);
3601 case BPF_PROG_TYPE_CGROUP_SKB:
3602 case BPF_PROG_TYPE_CGROUP_SOCK:
3603 case BPF_PROG_TYPE_CGROUP_SOCK_ADDR:
3604 case BPF_PROG_TYPE_SOCK_OPS:
3605 case BPF_PROG_TYPE_CGROUP_DEVICE:
3606 case BPF_PROG_TYPE_CGROUP_SYSCTL:
3607 case BPF_PROG_TYPE_CGROUP_SOCKOPT:
3608 ret = cgroup_bpf_link_attach(attr, prog);
3620 #define BPF_LINK_UPDATE_LAST_FIELD link_update.old_prog_fd
3622 static int link_update(union bpf_attr *attr)
3624 struct bpf_prog *old_prog = NULL, *new_prog;
3625 struct bpf_link *link;
3629 if (!capable(CAP_NET_ADMIN))
3632 if (CHECK_ATTR(BPF_LINK_UPDATE))
3635 flags = attr->link_update.flags;
3636 if (flags & ~BPF_F_REPLACE)
3639 link = bpf_link_get_from_fd(attr->link_update.link_fd);
3641 return PTR_ERR(link);
3643 new_prog = bpf_prog_get(attr->link_update.new_prog_fd);
3644 if (IS_ERR(new_prog)) {
3645 ret = PTR_ERR(new_prog);
3649 if (flags & BPF_F_REPLACE) {
3650 old_prog = bpf_prog_get(attr->link_update.old_prog_fd);
3651 if (IS_ERR(old_prog)) {
3652 ret = PTR_ERR(old_prog);
3656 } else if (attr->link_update.old_prog_fd) {
3661 #ifdef CONFIG_CGROUP_BPF
3662 if (link->ops == &bpf_cgroup_link_lops) {
3663 ret = cgroup_bpf_replace(link, old_prog, new_prog);
3671 bpf_prog_put(old_prog);
3673 bpf_prog_put(new_prog);
3679 SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, size)
3681 union bpf_attr attr;
3684 if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN))
3687 err = bpf_check_uarg_tail_zero(uattr, sizeof(attr), size);
3690 size = min_t(u32, size, sizeof(attr));
3692 /* copy attributes from user space, may be less than sizeof(bpf_attr) */
3693 memset(&attr, 0, sizeof(attr));
3694 if (copy_from_user(&attr, uattr, size) != 0)
3697 err = security_bpf(cmd, &attr, size);
3702 case BPF_MAP_CREATE:
3703 err = map_create(&attr);
3705 case BPF_MAP_LOOKUP_ELEM:
3706 err = map_lookup_elem(&attr);
3708 case BPF_MAP_UPDATE_ELEM:
3709 err = map_update_elem(&attr);
3711 case BPF_MAP_DELETE_ELEM:
3712 err = map_delete_elem(&attr);
3714 case BPF_MAP_GET_NEXT_KEY:
3715 err = map_get_next_key(&attr);
3717 case BPF_MAP_FREEZE:
3718 err = map_freeze(&attr);
3721 err = bpf_prog_load(&attr, uattr);
3724 err = bpf_obj_pin(&attr);
3727 err = bpf_obj_get(&attr);
3729 case BPF_PROG_ATTACH:
3730 err = bpf_prog_attach(&attr);
3732 case BPF_PROG_DETACH:
3733 err = bpf_prog_detach(&attr);
3735 case BPF_PROG_QUERY:
3736 err = bpf_prog_query(&attr, uattr);
3738 case BPF_PROG_TEST_RUN:
3739 err = bpf_prog_test_run(&attr, uattr);
3741 case BPF_PROG_GET_NEXT_ID:
3742 err = bpf_obj_get_next_id(&attr, uattr,
3743 &prog_idr, &prog_idr_lock);
3745 case BPF_MAP_GET_NEXT_ID:
3746 err = bpf_obj_get_next_id(&attr, uattr,
3747 &map_idr, &map_idr_lock);
3749 case BPF_BTF_GET_NEXT_ID:
3750 err = bpf_obj_get_next_id(&attr, uattr,
3751 &btf_idr, &btf_idr_lock);
3753 case BPF_PROG_GET_FD_BY_ID:
3754 err = bpf_prog_get_fd_by_id(&attr);
3756 case BPF_MAP_GET_FD_BY_ID:
3757 err = bpf_map_get_fd_by_id(&attr);
3759 case BPF_OBJ_GET_INFO_BY_FD:
3760 err = bpf_obj_get_info_by_fd(&attr, uattr);
3762 case BPF_RAW_TRACEPOINT_OPEN:
3763 err = bpf_raw_tracepoint_open(&attr);
3766 err = bpf_btf_load(&attr);
3768 case BPF_BTF_GET_FD_BY_ID:
3769 err = bpf_btf_get_fd_by_id(&attr);
3771 case BPF_TASK_FD_QUERY:
3772 err = bpf_task_fd_query(&attr, uattr);
3774 case BPF_MAP_LOOKUP_AND_DELETE_ELEM:
3775 err = map_lookup_and_delete_elem(&attr);
3777 case BPF_MAP_LOOKUP_BATCH:
3778 err = bpf_map_do_batch(&attr, uattr, BPF_MAP_LOOKUP_BATCH);
3780 case BPF_MAP_LOOKUP_AND_DELETE_BATCH:
3781 err = bpf_map_do_batch(&attr, uattr,
3782 BPF_MAP_LOOKUP_AND_DELETE_BATCH);
3784 case BPF_MAP_UPDATE_BATCH:
3785 err = bpf_map_do_batch(&attr, uattr, BPF_MAP_UPDATE_BATCH);
3787 case BPF_MAP_DELETE_BATCH:
3788 err = bpf_map_do_batch(&attr, uattr, BPF_MAP_DELETE_BATCH);
3790 case BPF_LINK_CREATE:
3791 err = link_create(&attr);
3793 case BPF_LINK_UPDATE:
3794 err = link_update(&attr);
projects / linux-2.6-microblaze.git / blob