1 // SPDX-License-Identifier: GPL-2.0
2 /* Copyright (c) 2022 Facebook */
8 #include <bpf/bpf_helpers.h>
9 #include <bpf/bpf_tracing.h>
10 #include <linux/if_ether.h>
12 #include "bpf_kfuncs.h"
14 char _license[] SEC("license") = "GPL";
18 struct bpf_dynptr ptr;
22 __uint(type, BPF_MAP_TYPE_ARRAY);
23 __uint(max_entries, 1);
25 __type(value, struct bpf_dynptr);
26 } array_map1 SEC(".maps");
29 __uint(type, BPF_MAP_TYPE_ARRAY);
30 __uint(max_entries, 1);
32 __type(value, struct test_info);
33 } array_map2 SEC(".maps");
36 __uint(type, BPF_MAP_TYPE_ARRAY);
37 __uint(max_entries, 1);
40 } array_map3 SEC(".maps");
43 __uint(type, BPF_MAP_TYPE_ARRAY);
44 __uint(max_entries, 1);
47 } array_map4 SEC(".maps");
56 __uint(type, BPF_MAP_TYPE_RINGBUF);
57 __uint(max_entries, 4096);
58 } ringbuf SEC(".maps");
62 static int get_map_val_dynptr(struct bpf_dynptr *ptr)
64 __u32 key = 0, *map_val;
66 bpf_map_update_elem(&array_map3, &key, &val, 0);
68 map_val = bpf_map_lookup_elem(&array_map3, &key);
72 bpf_dynptr_from_mem(map_val, sizeof(*map_val), 0, ptr);
77 /* Every bpf_ringbuf_reserve_dynptr call must have a corresponding
78 * bpf_ringbuf_submit/discard_dynptr call
81 __failure __msg("Unreleased reference id=2")
82 int ringbuf_missing_release1(void *ctx)
84 struct bpf_dynptr ptr = {};
86 bpf_ringbuf_reserve_dynptr(&ringbuf, val, 0, &ptr);
88 /* missing a call to bpf_ringbuf_discard/submit_dynptr */
94 __failure __msg("Unreleased reference id=4")
95 int ringbuf_missing_release2(void *ctx)
97 struct bpf_dynptr ptr1, ptr2;
98 struct sample *sample;
100 bpf_ringbuf_reserve_dynptr(&ringbuf, sizeof(*sample), 0, &ptr1);
101 bpf_ringbuf_reserve_dynptr(&ringbuf, sizeof(*sample), 0, &ptr2);
103 sample = bpf_dynptr_data(&ptr1, 0, sizeof(*sample));
105 bpf_ringbuf_discard_dynptr(&ptr1, 0);
106 bpf_ringbuf_discard_dynptr(&ptr2, 0);
110 bpf_ringbuf_submit_dynptr(&ptr1, 0);
112 /* missing a call to bpf_ringbuf_discard/submit_dynptr on ptr2 */
117 static int missing_release_callback_fn(__u32 index, void *data)
119 struct bpf_dynptr ptr;
121 bpf_ringbuf_reserve_dynptr(&ringbuf, val, 0, &ptr);
123 /* missing a call to bpf_ringbuf_discard/submit_dynptr */
128 /* Any dynptr initialized within a callback must have bpf_dynptr_put called */
130 __failure __msg("Unreleased reference id")
131 int ringbuf_missing_release_callback(void *ctx)
133 bpf_loop(10, missing_release_callback_fn, NULL, 0);
137 /* Can't call bpf_ringbuf_submit/discard_dynptr on a non-initialized dynptr */
139 __failure __msg("arg 1 is an unacquired reference")
140 int ringbuf_release_uninit_dynptr(void *ctx)
142 struct bpf_dynptr ptr;
144 /* this should fail */
145 bpf_ringbuf_submit_dynptr(&ptr, 0);
150 /* A dynptr can't be used after it has been invalidated */
152 __failure __msg("Expected an initialized dynptr as arg #2")
153 int use_after_invalid(void *ctx)
155 struct bpf_dynptr ptr;
158 bpf_ringbuf_reserve_dynptr(&ringbuf, sizeof(read_data), 0, &ptr);
160 bpf_dynptr_read(read_data, sizeof(read_data), &ptr, 0, 0);
162 bpf_ringbuf_submit_dynptr(&ptr, 0);
164 /* this should fail */
165 bpf_dynptr_read(read_data, sizeof(read_data), &ptr, 0, 0);
170 /* Can't call non-dynptr ringbuf APIs on a dynptr ringbuf sample */
172 __failure __msg("type=mem expected=ringbuf_mem")
173 int ringbuf_invalid_api(void *ctx)
175 struct bpf_dynptr ptr;
176 struct sample *sample;
178 bpf_ringbuf_reserve_dynptr(&ringbuf, sizeof(*sample), 0, &ptr);
179 sample = bpf_dynptr_data(&ptr, 0, sizeof(*sample));
185 /* invalid API use. need to use dynptr API to submit/discard */
186 bpf_ringbuf_submit(sample, 0);
189 bpf_ringbuf_discard_dynptr(&ptr, 0);
193 /* Can't add a dynptr to a map */
195 __failure __msg("invalid read from stack")
196 int add_dynptr_to_map1(void *ctx)
198 struct bpf_dynptr ptr;
201 bpf_ringbuf_reserve_dynptr(&ringbuf, val, 0, &ptr);
203 /* this should fail */
204 bpf_map_update_elem(&array_map1, &key, &ptr, 0);
206 bpf_ringbuf_submit_dynptr(&ptr, 0);
211 /* Can't add a struct with an embedded dynptr to a map */
213 __failure __msg("invalid read from stack")
214 int add_dynptr_to_map2(void *ctx)
219 bpf_ringbuf_reserve_dynptr(&ringbuf, val, 0, &x.ptr);
221 /* this should fail */
222 bpf_map_update_elem(&array_map2, &key, &x, 0);
224 bpf_ringbuf_submit_dynptr(&x.ptr, 0);
229 /* A data slice can't be accessed out of bounds */
231 __failure __msg("value is outside of the allowed memory range")
232 int data_slice_out_of_bounds_ringbuf(void *ctx)
234 struct bpf_dynptr ptr;
237 bpf_ringbuf_reserve_dynptr(&ringbuf, 8, 0, &ptr);
239 data = bpf_dynptr_data(&ptr, 0, 8);
243 /* can't index out of bounds of the data slice */
244 val = *((char *)data + 8);
247 bpf_ringbuf_submit_dynptr(&ptr, 0);
251 /* A data slice can't be accessed out of bounds */
253 __failure __msg("value is outside of the allowed memory range")
254 int data_slice_out_of_bounds_skb(struct __sk_buff *skb)
256 struct bpf_dynptr ptr;
258 char buffer[sizeof(*hdr)] = {};
260 bpf_dynptr_from_skb(skb, 0, &ptr);
262 hdr = bpf_dynptr_slice_rdwr(&ptr, 0, buffer, sizeof(buffer));
266 /* this should fail */
267 *(__u8*)(hdr + 1) = 1;
273 __failure __msg("value is outside of the allowed memory range")
274 int data_slice_out_of_bounds_map_value(void *ctx)
277 struct bpf_dynptr ptr;
280 get_map_val_dynptr(&ptr);
282 data = bpf_dynptr_data(&ptr, 0, sizeof(map_val));
286 /* can't index out of bounds of the data slice */
287 val = *((char *)data + (sizeof(map_val) + 1));
292 /* A data slice can't be used after it has been released */
294 __failure __msg("invalid mem access 'scalar'")
295 int data_slice_use_after_release1(void *ctx)
297 struct bpf_dynptr ptr;
298 struct sample *sample;
300 bpf_ringbuf_reserve_dynptr(&ringbuf, sizeof(*sample), 0, &ptr);
301 sample = bpf_dynptr_data(&ptr, 0, sizeof(*sample));
307 bpf_ringbuf_submit_dynptr(&ptr, 0);
309 /* this should fail */
315 bpf_ringbuf_discard_dynptr(&ptr, 0);
319 /* A data slice can't be used after it has been released.
321 * This tests the case where the data slice tracks a dynptr (ptr2)
322 * that is at a non-zero offset from the frame pointer (ptr1 is at fp,
323 * ptr2 is at fp - 16).
326 __failure __msg("invalid mem access 'scalar'")
327 int data_slice_use_after_release2(void *ctx)
329 struct bpf_dynptr ptr1, ptr2;
330 struct sample *sample;
332 bpf_ringbuf_reserve_dynptr(&ringbuf, 64, 0, &ptr1);
333 bpf_ringbuf_reserve_dynptr(&ringbuf, sizeof(*sample), 0, &ptr2);
335 sample = bpf_dynptr_data(&ptr2, 0, sizeof(*sample));
341 bpf_ringbuf_submit_dynptr(&ptr2, 0);
343 /* this should fail */
346 bpf_ringbuf_submit_dynptr(&ptr1, 0);
351 bpf_ringbuf_discard_dynptr(&ptr2, 0);
352 bpf_ringbuf_discard_dynptr(&ptr1, 0);
356 /* A data slice must be first checked for NULL */
358 __failure __msg("invalid mem access 'mem_or_null'")
359 int data_slice_missing_null_check1(void *ctx)
361 struct bpf_dynptr ptr;
364 bpf_ringbuf_reserve_dynptr(&ringbuf, 8, 0, &ptr);
366 data = bpf_dynptr_data(&ptr, 0, 8);
368 /* missing if (!data) check */
370 /* this should fail */
373 bpf_ringbuf_submit_dynptr(&ptr, 0);
377 /* A data slice can't be dereferenced if it wasn't checked for null */
379 __failure __msg("invalid mem access 'mem_or_null'")
380 int data_slice_missing_null_check2(void *ctx)
382 struct bpf_dynptr ptr;
383 __u64 *data1, *data2;
385 bpf_ringbuf_reserve_dynptr(&ringbuf, 16, 0, &ptr);
387 data1 = bpf_dynptr_data(&ptr, 0, 8);
388 data2 = bpf_dynptr_data(&ptr, 0, 8);
390 /* this should fail */
393 bpf_ringbuf_discard_dynptr(&ptr, 0);
397 /* Can't pass in a dynptr as an arg to a helper function that doesn't take in a
401 __failure __msg("invalid read from stack")
402 int invalid_helper1(void *ctx)
404 struct bpf_dynptr ptr;
406 get_map_val_dynptr(&ptr);
408 /* this should fail */
409 bpf_strncmp((const char *)&ptr, sizeof(ptr), "hello!");
414 /* A dynptr can't be passed into a helper function at a non-zero offset */
416 __failure __msg("cannot pass in dynptr at an offset=-8")
417 int invalid_helper2(void *ctx)
419 struct bpf_dynptr ptr;
422 get_map_val_dynptr(&ptr);
424 /* this should fail */
425 bpf_dynptr_read(read_data, sizeof(read_data), (void *)&ptr + 8, 0, 0);
429 /* A bpf_dynptr is invalidated if it's been written into */
431 __failure __msg("Expected an initialized dynptr as arg #0")
432 int invalid_write1(void *ctx)
434 struct bpf_dynptr ptr;
438 get_map_val_dynptr(&ptr);
440 memcpy(&ptr, &x, sizeof(x));
442 /* this should fail */
443 data = bpf_dynptr_data(&ptr, 0, 1);
450 * A bpf_dynptr can't be used as a dynptr if it has been written into at a fixed
454 __failure __msg("cannot overwrite referenced dynptr")
455 int invalid_write2(void *ctx)
457 struct bpf_dynptr ptr;
461 bpf_ringbuf_reserve_dynptr(&ringbuf, 64, 0, &ptr);
463 memcpy((void *)&ptr + 8, &x, sizeof(x));
465 /* this should fail */
466 bpf_dynptr_read(read_data, sizeof(read_data), &ptr, 0, 0);
468 bpf_ringbuf_submit_dynptr(&ptr, 0);
474 * A bpf_dynptr can't be used as a dynptr if it has been written into at a
478 __failure __msg("cannot overwrite referenced dynptr")
479 int invalid_write3(void *ctx)
481 struct bpf_dynptr ptr;
486 bpf_ringbuf_reserve_dynptr(&ringbuf, 8, 0, &ptr);
488 memcpy(stack_buf, &val, sizeof(val));
489 len = stack_buf[0] & 0xf;
491 memcpy((void *)&ptr + len, &x, sizeof(x));
493 /* this should fail */
494 bpf_ringbuf_submit_dynptr(&ptr, 0);
499 static int invalid_write4_callback(__u32 index, void *data)
501 *(__u32 *)data = 123;
506 /* If the dynptr is written into in a callback function, it should
507 * be invalidated as a dynptr
510 __failure __msg("cannot overwrite referenced dynptr")
511 int invalid_write4(void *ctx)
513 struct bpf_dynptr ptr;
515 bpf_ringbuf_reserve_dynptr(&ringbuf, 64, 0, &ptr);
517 bpf_loop(10, invalid_write4_callback, &ptr, 0);
519 /* this should fail */
520 bpf_ringbuf_submit_dynptr(&ptr, 0);
525 /* A globally-defined bpf_dynptr can't be used (it must reside as a stack frame) */
526 struct bpf_dynptr global_dynptr;
529 __failure __msg("type=map_value expected=fp")
530 int global(void *ctx)
532 /* this should fail */
533 bpf_ringbuf_reserve_dynptr(&ringbuf, 16, 0, &global_dynptr);
535 bpf_ringbuf_discard_dynptr(&global_dynptr, 0);
540 /* A direct read should fail */
542 __failure __msg("invalid read from stack")
543 int invalid_read1(void *ctx)
545 struct bpf_dynptr ptr;
547 bpf_ringbuf_reserve_dynptr(&ringbuf, 64, 0, &ptr);
549 /* this should fail */
552 bpf_ringbuf_discard_dynptr(&ptr, 0);
557 /* A direct read at an offset should fail */
559 __failure __msg("cannot pass in dynptr at an offset")
560 int invalid_read2(void *ctx)
562 struct bpf_dynptr ptr;
565 get_map_val_dynptr(&ptr);
567 /* this should fail */
568 bpf_dynptr_read(read_data, sizeof(read_data), (void *)&ptr + 1, 0, 0);
573 /* A direct read at an offset into the lower stack slot should fail */
575 __failure __msg("invalid read from stack")
576 int invalid_read3(void *ctx)
578 struct bpf_dynptr ptr1, ptr2;
580 bpf_ringbuf_reserve_dynptr(&ringbuf, 16, 0, &ptr1);
581 bpf_ringbuf_reserve_dynptr(&ringbuf, 16, 0, &ptr2);
583 /* this should fail */
584 memcpy(&val, (void *)&ptr1 + 8, sizeof(val));
586 bpf_ringbuf_discard_dynptr(&ptr1, 0);
587 bpf_ringbuf_discard_dynptr(&ptr2, 0);
592 static int invalid_read4_callback(__u32 index, void *data)
594 /* this should fail */
595 val = *(__u32 *)data;
600 /* A direct read within a callback function should fail */
602 __failure __msg("invalid read from stack")
603 int invalid_read4(void *ctx)
605 struct bpf_dynptr ptr;
607 bpf_ringbuf_reserve_dynptr(&ringbuf, 64, 0, &ptr);
609 bpf_loop(10, invalid_read4_callback, &ptr, 0);
611 bpf_ringbuf_submit_dynptr(&ptr, 0);
616 /* Initializing a dynptr on an offset should fail */
618 __failure __msg("cannot pass in dynptr at an offset=0")
619 int invalid_offset(void *ctx)
621 struct bpf_dynptr ptr;
623 /* this should fail */
624 bpf_ringbuf_reserve_dynptr(&ringbuf, 64, 0, &ptr + 1);
626 bpf_ringbuf_discard_dynptr(&ptr, 0);
631 /* Can't release a dynptr twice */
633 __failure __msg("arg 1 is an unacquired reference")
634 int release_twice(void *ctx)
636 struct bpf_dynptr ptr;
638 bpf_ringbuf_reserve_dynptr(&ringbuf, 16, 0, &ptr);
640 bpf_ringbuf_discard_dynptr(&ptr, 0);
642 /* this second release should fail */
643 bpf_ringbuf_discard_dynptr(&ptr, 0);
648 static int release_twice_callback_fn(__u32 index, void *data)
650 /* this should fail */
651 bpf_ringbuf_discard_dynptr(data, 0);
656 /* Test that releasing a dynptr twice, where one of the releases happens
657 * within a callback function, fails
660 __failure __msg("arg 1 is an unacquired reference")
661 int release_twice_callback(void *ctx)
663 struct bpf_dynptr ptr;
665 bpf_ringbuf_reserve_dynptr(&ringbuf, 32, 0, &ptr);
667 bpf_ringbuf_discard_dynptr(&ptr, 0);
669 bpf_loop(10, release_twice_callback_fn, &ptr, 0);
674 /* Reject unsupported local mem types for dynptr_from_mem API */
676 __failure __msg("Unsupported reg type fp for bpf_dynptr_from_mem data")
677 int dynptr_from_mem_invalid_api(void *ctx)
679 struct bpf_dynptr ptr;
682 /* this should fail */
683 bpf_dynptr_from_mem(&x, sizeof(x), 0, &ptr);
689 __failure __msg("cannot overwrite referenced dynptr") __log_level(2)
690 int dynptr_pruning_overwrite(struct __sk_buff *ctx)
694 r6 = %[ringbuf] ll; \
700 call %[bpf_ringbuf_reserve_dynptr]; \
701 if r0 == 0 goto pjmp1; \
704 *(u64 *)(r10 - 16) = r9; \
709 call %[bpf_ringbuf_discard_dynptr]; "
711 : __imm(bpf_ringbuf_reserve_dynptr),
712 __imm(bpf_ringbuf_discard_dynptr),
720 __success __msg("12: safe") __log_level(2)
721 int dynptr_pruning_stacksafe(struct __sk_buff *ctx)
725 r6 = %[ringbuf] ll; \
731 call %[bpf_ringbuf_reserve_dynptr]; \
732 if r0 == 0 goto stjmp1; \
740 call %[bpf_ringbuf_discard_dynptr]; "
742 : __imm(bpf_ringbuf_reserve_dynptr),
743 __imm(bpf_ringbuf_discard_dynptr),
751 __failure __msg("cannot overwrite referenced dynptr") __log_level(2)
752 int dynptr_pruning_type_confusion(struct __sk_buff *ctx)
755 "r6 = %[array_map4] ll; \
756 r7 = %[ringbuf] ll; \
761 *(u64 *)(r2 + 0) = r9; \
765 *(u64 *)(r10 - 16) = r9; \
766 *(u64 *)(r10 - 24) = r9; \
770 call %[bpf_map_update_elem]; \
773 call %[bpf_map_lookup_elem]; \
774 if r0 != 0 goto tjmp1; \
783 r0 = *(u64 *)(r0 + 0); \
784 call %[bpf_ringbuf_reserve_dynptr]; \
785 if r0 == 0 goto tjmp2; \
795 *(u64 *)(r10 - 8) = r9; \
796 *(u64 *)(r10 - 16) = r9; \
803 call %[bpf_dynptr_from_mem]; \
808 call %[bpf_ringbuf_discard_dynptr]; "
810 : __imm(bpf_map_update_elem),
811 __imm(bpf_map_lookup_elem),
812 __imm(bpf_ringbuf_reserve_dynptr),
813 __imm(bpf_dynptr_from_mem),
814 __imm(bpf_ringbuf_discard_dynptr),
815 __imm_addr(array_map4),
823 __failure __msg("dynptr has to be at a constant offset") __log_level(2)
824 int dynptr_var_off_overwrite(struct __sk_buff *ctx)
828 *(u32 *)(r10 - 4) = r9; \
829 r8 = *(u32 *)(r10 - 4); \
830 if r8 >= 0 goto vjmp1; \
834 if r8 <= 16 goto vjmp2; \
839 r1 = %[ringbuf] ll; \
845 call %[bpf_ringbuf_reserve_dynptr]; \
847 *(u64 *)(r10 - 16) = r9; \
852 call %[bpf_ringbuf_discard_dynptr]; "
854 : __imm(bpf_ringbuf_reserve_dynptr),
855 __imm(bpf_ringbuf_discard_dynptr),
863 __failure __msg("cannot overwrite referenced dynptr") __log_level(2)
864 int dynptr_partial_slot_invalidate(struct __sk_buff *ctx)
867 "r6 = %[ringbuf] ll; \
868 r7 = %[array_map4] ll; \
873 *(u64 *)(r2 + 0) = r9; \
877 call %[bpf_map_update_elem]; \
880 call %[bpf_map_lookup_elem]; \
881 if r0 != 0 goto sjmp1; \
890 call %[bpf_ringbuf_reserve_dynptr]; \
891 *(u64 *)(r10 - 16) = r9; \
897 call %[bpf_dynptr_from_mem]; \
905 call %[bpf_dynptr_read]; \
907 if r0 != 0 goto sjmp2; \
913 call %[bpf_ringbuf_discard_dynptr]; "
915 : __imm(bpf_map_update_elem),
916 __imm(bpf_map_lookup_elem),
917 __imm(bpf_ringbuf_reserve_dynptr),
918 __imm(bpf_ringbuf_discard_dynptr),
919 __imm(bpf_dynptr_from_mem),
920 __imm(bpf_dynptr_read),
922 __imm_addr(array_map4)
928 /* Test that it is allowed to overwrite unreferenced dynptr. */
931 int dynptr_overwrite_unref(void *ctx)
933 struct bpf_dynptr ptr;
935 if (get_map_val_dynptr(&ptr))
937 if (get_map_val_dynptr(&ptr))
939 if (get_map_val_dynptr(&ptr))
945 /* Test that slices are invalidated on reinitializing a dynptr. */
947 __failure __msg("invalid mem access 'scalar'")
948 int dynptr_invalidate_slice_reinit(void *ctx)
950 struct bpf_dynptr ptr;
953 if (get_map_val_dynptr(&ptr))
955 p = bpf_dynptr_data(&ptr, 0, 1);
958 if (get_map_val_dynptr(&ptr))
960 /* this should fail */
964 /* Invalidation of dynptr slices on destruction of dynptr should not miss
965 * mem_or_null pointers.
968 __failure __msg("R{{[0-9]+}} type=scalar expected=percpu_ptr_")
969 int dynptr_invalidate_slice_or_null(void *ctx)
971 struct bpf_dynptr ptr;
974 if (get_map_val_dynptr(&ptr))
977 p = bpf_dynptr_data(&ptr, 0, 1);
979 /* this should fail */
984 /* Destruction of dynptr should also any slices obtained from it */
986 __failure __msg("R{{[0-9]+}} invalid mem access 'scalar'")
987 int dynptr_invalidate_slice_failure(void *ctx)
989 struct bpf_dynptr ptr1;
990 struct bpf_dynptr ptr2;
993 if (get_map_val_dynptr(&ptr1))
995 if (get_map_val_dynptr(&ptr2))
998 p1 = bpf_dynptr_data(&ptr1, 0, 1);
1001 p2 = bpf_dynptr_data(&ptr2, 0, 1);
1006 /* this should fail */
1010 /* Invalidation of slices should be scoped and should not prevent dereferencing
1011 * slices of another dynptr after destroying unrelated dynptr
1015 int dynptr_invalidate_slice_success(void *ctx)
1017 struct bpf_dynptr ptr1;
1018 struct bpf_dynptr ptr2;
1021 if (get_map_val_dynptr(&ptr1))
1023 if (get_map_val_dynptr(&ptr2))
1026 p1 = bpf_dynptr_data(&ptr1, 0, 1);
1029 p2 = bpf_dynptr_data(&ptr2, 0, 1);
1037 /* Overwriting referenced dynptr should be rejected */
1039 __failure __msg("cannot overwrite referenced dynptr")
1040 int dynptr_overwrite_ref(void *ctx)
1042 struct bpf_dynptr ptr;
1044 bpf_ringbuf_reserve_dynptr(&ringbuf, 64, 0, &ptr);
1045 /* this should fail */
1046 if (get_map_val_dynptr(&ptr))
1047 bpf_ringbuf_discard_dynptr(&ptr, 0);
1051 /* Reject writes to dynptr slot from bpf_dynptr_read */
1053 __failure __msg("potential write to dynptr at off=-16")
1054 int dynptr_read_into_slot(void *ctx)
1059 struct bpf_dynptr ptr;
1064 bpf_ringbuf_reserve_dynptr(&ringbuf, 64, 0, &data.ptr);
1065 /* this should fail */
1066 bpf_dynptr_read(data.buf, sizeof(data.buf), &data.ptr, 0, 0);
1071 /* bpf_dynptr_slice()s are read-only and cannot be written to */
1073 __failure __msg("R{{[0-9]+}} cannot write into rdonly_mem")
1074 int skb_invalid_slice_write(struct __sk_buff *skb)
1076 struct bpf_dynptr ptr;
1078 char buffer[sizeof(*hdr)] = {};
1080 bpf_dynptr_from_skb(skb, 0, &ptr);
1082 hdr = bpf_dynptr_slice(&ptr, 0, buffer, sizeof(buffer));
1086 /* this should fail */
1092 /* The read-only data slice is invalidated whenever a helper changes packet data */
1094 __failure __msg("invalid mem access 'scalar'")
1095 int skb_invalid_data_slice1(struct __sk_buff *skb)
1097 struct bpf_dynptr ptr;
1099 char buffer[sizeof(*hdr)] = {};
1101 bpf_dynptr_from_skb(skb, 0, &ptr);
1103 hdr = bpf_dynptr_slice(&ptr, 0, buffer, sizeof(buffer));
1109 if (bpf_skb_pull_data(skb, skb->len))
1112 /* this should fail */
1118 /* The read-write data slice is invalidated whenever a helper changes packet data */
1120 __failure __msg("invalid mem access 'scalar'")
1121 int skb_invalid_data_slice2(struct __sk_buff *skb)
1123 struct bpf_dynptr ptr;
1125 char buffer[sizeof(*hdr)] = {};
1127 bpf_dynptr_from_skb(skb, 0, &ptr);
1129 hdr = bpf_dynptr_slice_rdwr(&ptr, 0, buffer, sizeof(buffer));
1135 if (bpf_skb_pull_data(skb, skb->len))
1138 /* this should fail */
1144 /* The read-only data slice is invalidated whenever bpf_dynptr_write() is called */
1146 __failure __msg("invalid mem access 'scalar'")
1147 int skb_invalid_data_slice3(struct __sk_buff *skb)
1149 char write_data[64] = "hello there, world!!";
1150 struct bpf_dynptr ptr;
1152 char buffer[sizeof(*hdr)] = {};
1154 bpf_dynptr_from_skb(skb, 0, &ptr);
1156 hdr = bpf_dynptr_slice(&ptr, 0, buffer, sizeof(buffer));
1162 bpf_dynptr_write(&ptr, 0, write_data, sizeof(write_data), 0);
1164 /* this should fail */
1170 /* The read-write data slice is invalidated whenever bpf_dynptr_write() is called */
1172 __failure __msg("invalid mem access 'scalar'")
1173 int skb_invalid_data_slice4(struct __sk_buff *skb)
1175 char write_data[64] = "hello there, world!!";
1176 struct bpf_dynptr ptr;
1178 char buffer[sizeof(*hdr)] = {};
1180 bpf_dynptr_from_skb(skb, 0, &ptr);
1181 hdr = bpf_dynptr_slice_rdwr(&ptr, 0, buffer, sizeof(buffer));
1187 bpf_dynptr_write(&ptr, 0, write_data, sizeof(write_data), 0);
1189 /* this should fail */
1195 /* The read-only data slice is invalidated whenever a helper changes packet data */
1197 __failure __msg("invalid mem access 'scalar'")
1198 int xdp_invalid_data_slice1(struct xdp_md *xdp)
1200 struct bpf_dynptr ptr;
1202 char buffer[sizeof(*hdr)] = {};
1204 bpf_dynptr_from_xdp(xdp, 0, &ptr);
1205 hdr = bpf_dynptr_slice(&ptr, 0, buffer, sizeof(buffer));
1211 if (bpf_xdp_adjust_head(xdp, 0 - (int)sizeof(*hdr)))
1214 /* this should fail */
1220 /* The read-write data slice is invalidated whenever a helper changes packet data */
1222 __failure __msg("invalid mem access 'scalar'")
1223 int xdp_invalid_data_slice2(struct xdp_md *xdp)
1225 struct bpf_dynptr ptr;
1227 char buffer[sizeof(*hdr)] = {};
1229 bpf_dynptr_from_xdp(xdp, 0, &ptr);
1230 hdr = bpf_dynptr_slice_rdwr(&ptr, 0, buffer, sizeof(buffer));
1236 if (bpf_xdp_adjust_head(xdp, 0 - (int)sizeof(*hdr)))
1239 /* this should fail */
1245 /* Only supported prog type can create skb-type dynptrs */
1247 __failure __msg("calling kernel function bpf_dynptr_from_skb is not allowed")
1248 int skb_invalid_ctx(void *ctx)
1250 struct bpf_dynptr ptr;
1252 /* this should fail */
1253 bpf_dynptr_from_skb(ctx, 0, &ptr);
1258 SEC("fentry/skb_tx_error")
1259 __failure __msg("must be referenced or trusted")
1260 int BPF_PROG(skb_invalid_ctx_fentry, void *skb)
1262 struct bpf_dynptr ptr;
1264 /* this should fail */
1265 bpf_dynptr_from_skb(skb, 0, &ptr);
1270 SEC("fexit/skb_tx_error")
1271 __failure __msg("must be referenced or trusted")
1272 int BPF_PROG(skb_invalid_ctx_fexit, void *skb)
1274 struct bpf_dynptr ptr;
1276 /* this should fail */
1277 bpf_dynptr_from_skb(skb, 0, &ptr);
1282 /* Reject writes to dynptr slot for uninit arg */
1284 __failure __msg("potential write to dynptr at off=-16")
1285 int uninit_write_into_slot(void *ctx)
1289 struct bpf_dynptr ptr;
1292 bpf_ringbuf_reserve_dynptr(&ringbuf, 80, 0, &data.ptr);
1293 /* this should fail */
1294 bpf_get_current_comm(data.buf, 80);
1299 /* Only supported prog type can create xdp-type dynptrs */
1301 __failure __msg("calling kernel function bpf_dynptr_from_xdp is not allowed")
1302 int xdp_invalid_ctx(void *ctx)
1304 struct bpf_dynptr ptr;
1306 /* this should fail */
1307 bpf_dynptr_from_xdp(ctx, 0, &ptr);
1312 __u32 hdr_size = sizeof(struct ethhdr);
1313 /* Can't pass in variable-sized len to bpf_dynptr_slice */
1315 __failure __msg("unbounded memory access")
1316 int dynptr_slice_var_len1(struct __sk_buff *skb)
1318 struct bpf_dynptr ptr;
1320 char buffer[sizeof(*hdr)] = {};
1322 bpf_dynptr_from_skb(skb, 0, &ptr);
1324 /* this should fail */
1325 hdr = bpf_dynptr_slice(&ptr, 0, buffer, hdr_size);
1332 /* Can't pass in variable-sized len to bpf_dynptr_slice */
1334 __failure __msg("must be a known constant")
1335 int dynptr_slice_var_len2(struct __sk_buff *skb)
1337 char buffer[sizeof(struct ethhdr)] = {};
1338 struct bpf_dynptr ptr;
1341 bpf_dynptr_from_skb(skb, 0, &ptr);
1343 if (hdr_size <= sizeof(buffer)) {
1344 /* this should fail */
1345 hdr = bpf_dynptr_slice_rdwr(&ptr, 0, buffer, hdr_size);
1354 static int callback(__u32 index, void *data)
1356 *(__u32 *)data = 123;
1361 /* If the dynptr is written into in a callback function, its data
1362 * slices should be invalidated as well.
1365 __failure __msg("invalid mem access 'scalar'")
1366 int invalid_data_slices(void *ctx)
1368 struct bpf_dynptr ptr;
1371 if (get_map_val_dynptr(&ptr))
1374 slice = bpf_dynptr_data(&ptr, 0, sizeof(__u32));
1378 bpf_loop(10, callback, &ptr, 0);
1380 /* this should fail */
1386 /* Program types that don't allow writes to packet data should fail if
1387 * bpf_dynptr_slice_rdwr is called
1389 SEC("cgroup_skb/ingress")
1390 __failure __msg("the prog does not allow writes to packet data")
1391 int invalid_slice_rdwr_rdonly(struct __sk_buff *skb)
1393 char buffer[sizeof(struct ethhdr)] = {};
1394 struct bpf_dynptr ptr;
1397 bpf_dynptr_from_skb(skb, 0, &ptr);
1399 /* this should fail since cgroup_skb doesn't allow
1400 * changing packet data
1402 hdr = bpf_dynptr_slice_rdwr(&ptr, 0, buffer, sizeof(buffer));
1408 /* bpf_dynptr_adjust can only be called on initialized dynptrs */
1410 __failure __msg("Expected an initialized dynptr as arg #0")
1411 int dynptr_adjust_invalid(void *ctx)
1413 struct bpf_dynptr ptr = {};
1415 /* this should fail */
1416 bpf_dynptr_adjust(&ptr, 1, 2);
1421 /* bpf_dynptr_is_null can only be called on initialized dynptrs */
1423 __failure __msg("Expected an initialized dynptr as arg #0")
1424 int dynptr_is_null_invalid(void *ctx)
1426 struct bpf_dynptr ptr = {};
1428 /* this should fail */
1429 bpf_dynptr_is_null(&ptr);
1434 /* bpf_dynptr_is_rdonly can only be called on initialized dynptrs */
1436 __failure __msg("Expected an initialized dynptr as arg #0")
1437 int dynptr_is_rdonly_invalid(void *ctx)
1439 struct bpf_dynptr ptr = {};
1441 /* this should fail */
1442 bpf_dynptr_is_rdonly(&ptr);
1447 /* bpf_dynptr_size can only be called on initialized dynptrs */
1449 __failure __msg("Expected an initialized dynptr as arg #0")
1450 int dynptr_size_invalid(void *ctx)
1452 struct bpf_dynptr ptr = {};
1454 /* this should fail */
1455 bpf_dynptr_size(&ptr);
1460 /* Only initialized dynptrs can be cloned */
1462 __failure __msg("Expected an initialized dynptr as arg #0")
1463 int clone_invalid1(void *ctx)
1465 struct bpf_dynptr ptr1 = {};
1466 struct bpf_dynptr ptr2;
1468 /* this should fail */
1469 bpf_dynptr_clone(&ptr1, &ptr2);
1474 /* Can't overwrite an existing dynptr when cloning */
1476 __failure __msg("cannot overwrite referenced dynptr")
1477 int clone_invalid2(struct xdp_md *xdp)
1479 struct bpf_dynptr ptr1;
1480 struct bpf_dynptr clone;
1482 bpf_dynptr_from_xdp(xdp, 0, &ptr1);
1484 bpf_ringbuf_reserve_dynptr(&ringbuf, 64, 0, &clone);
1486 /* this should fail */
1487 bpf_dynptr_clone(&ptr1, &clone);
1489 bpf_ringbuf_submit_dynptr(&clone, 0);
1494 /* Invalidating a dynptr should invalidate its clones */
1496 __failure __msg("Expected an initialized dynptr as arg #2")
1497 int clone_invalidate1(void *ctx)
1499 struct bpf_dynptr clone;
1500 struct bpf_dynptr ptr;
1503 bpf_ringbuf_reserve_dynptr(&ringbuf, val, 0, &ptr);
1505 bpf_dynptr_clone(&ptr, &clone);
1507 bpf_ringbuf_submit_dynptr(&ptr, 0);
1509 /* this should fail */
1510 bpf_dynptr_read(read_data, sizeof(read_data), &clone, 0, 0);
1515 /* Invalidating a dynptr should invalidate its parent */
1517 __failure __msg("Expected an initialized dynptr as arg #2")
1518 int clone_invalidate2(void *ctx)
1520 struct bpf_dynptr ptr;
1521 struct bpf_dynptr clone;
1524 bpf_ringbuf_reserve_dynptr(&ringbuf, val, 0, &ptr);
1526 bpf_dynptr_clone(&ptr, &clone);
1528 bpf_ringbuf_submit_dynptr(&clone, 0);
1530 /* this should fail */
1531 bpf_dynptr_read(read_data, sizeof(read_data), &ptr, 0, 0);
1536 /* Invalidating a dynptr should invalidate its siblings */
1538 __failure __msg("Expected an initialized dynptr as arg #2")
1539 int clone_invalidate3(void *ctx)
1541 struct bpf_dynptr ptr;
1542 struct bpf_dynptr clone1;
1543 struct bpf_dynptr clone2;
1546 bpf_ringbuf_reserve_dynptr(&ringbuf, val, 0, &ptr);
1548 bpf_dynptr_clone(&ptr, &clone1);
1550 bpf_dynptr_clone(&ptr, &clone2);
1552 bpf_ringbuf_submit_dynptr(&clone2, 0);
1554 /* this should fail */
1555 bpf_dynptr_read(read_data, sizeof(read_data), &clone1, 0, 0);
1560 /* Invalidating a dynptr should invalidate any data slices
1564 __failure __msg("invalid mem access 'scalar'")
1565 int clone_invalidate4(void *ctx)
1567 struct bpf_dynptr ptr;
1568 struct bpf_dynptr clone;
1571 bpf_ringbuf_reserve_dynptr(&ringbuf, val, 0, &ptr);
1573 bpf_dynptr_clone(&ptr, &clone);
1574 data = bpf_dynptr_data(&clone, 0, sizeof(val));
1578 bpf_ringbuf_submit_dynptr(&ptr, 0);
1580 /* this should fail */
1586 /* Invalidating a dynptr should invalidate any data slices
1590 __failure __msg("invalid mem access 'scalar'")
1591 int clone_invalidate5(void *ctx)
1593 struct bpf_dynptr ptr;
1594 struct bpf_dynptr clone;
1597 bpf_ringbuf_reserve_dynptr(&ringbuf, val, 0, &ptr);
1598 data = bpf_dynptr_data(&ptr, 0, sizeof(val));
1602 bpf_dynptr_clone(&ptr, &clone);
1604 bpf_ringbuf_submit_dynptr(&clone, 0);
1606 /* this should fail */
1612 /* Invalidating a dynptr should invalidate any data slices
1616 __failure __msg("invalid mem access 'scalar'")
1617 int clone_invalidate6(void *ctx)
1619 struct bpf_dynptr ptr;
1620 struct bpf_dynptr clone1;
1621 struct bpf_dynptr clone2;
1624 bpf_ringbuf_reserve_dynptr(&ringbuf, val, 0, &ptr);
1626 bpf_dynptr_clone(&ptr, &clone1);
1628 bpf_dynptr_clone(&ptr, &clone2);
1630 data = bpf_dynptr_data(&clone1, 0, sizeof(val));
1634 bpf_ringbuf_submit_dynptr(&clone2, 0);
1636 /* this should fail */
1642 /* A skb clone's data slices should be invalid anytime packet data changes */
1644 __failure __msg("invalid mem access 'scalar'")
1645 int clone_skb_packet_data(struct __sk_buff *skb)
1647 char buffer[sizeof(__u32)] = {};
1648 struct bpf_dynptr clone;
1649 struct bpf_dynptr ptr;
1652 bpf_dynptr_from_skb(skb, 0, &ptr);
1654 bpf_dynptr_clone(&ptr, &clone);
1655 data = bpf_dynptr_slice_rdwr(&clone, 0, buffer, sizeof(buffer));
1659 if (bpf_skb_pull_data(skb, skb->len))
1662 /* this should fail */
1668 /* A xdp clone's data slices should be invalid anytime packet data changes */
1670 __failure __msg("invalid mem access 'scalar'")
1671 int clone_xdp_packet_data(struct xdp_md *xdp)
1673 char buffer[sizeof(__u32)] = {};
1674 struct bpf_dynptr clone;
1675 struct bpf_dynptr ptr;
1679 bpf_dynptr_from_xdp(xdp, 0, &ptr);
1681 bpf_dynptr_clone(&ptr, &clone);
1682 data = bpf_dynptr_slice_rdwr(&clone, 0, buffer, sizeof(buffer));
1686 if (bpf_xdp_adjust_head(xdp, 0 - (int)sizeof(*hdr)))
1689 /* this should fail */
1695 /* Buffers that are provided must be sufficiently long */
1696 SEC("?cgroup_skb/egress")
1697 __failure __msg("memory, len pair leads to invalid memory access")
1698 int test_dynptr_skb_small_buff(struct __sk_buff *skb)
1700 struct bpf_dynptr ptr;
1701 char buffer[8] = {};
1704 if (bpf_dynptr_from_skb(skb, 0, &ptr)) {
1709 /* This may return NULL. SKB may require a buffer */
1710 data = bpf_dynptr_slice(&ptr, 0, buffer, 9);
1715 __noinline long global_call_bpf_dynptr(const struct bpf_dynptr *dynptr)
1718 /* Avoid leaving this global function empty to avoid having the compiler
1719 * optimize away the call to this global function.
1726 __failure __msg("arg#0 expected pointer to stack or const struct bpf_dynptr")
1727 int test_dynptr_reg_type(void *ctx)
1729 struct task_struct *current = NULL;
1730 /* R1 should be holding a PTR_TO_BTF_ID, so this shouldn't be a
1731 * reg->type that can be passed to a function accepting a
1732 * ARG_PTR_TO_DYNPTR | MEM_RDONLY. process_dynptr_func() should catch
1735 global_call_bpf_dynptr((const struct bpf_dynptr *)current);