]> git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/blob - kernel/bpf/map_in_map.c
projects / mirror_ubuntu-jammy-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
slip: Fix use-after-free Read in slip_open
[mirror_ubuntu-jammy-kernel.git] / kernel / bpf / map_in_map.c
1 // SPDX-License-Identifier: GPL-2.0-only
2 /* Copyright (c) 2017 Facebook
3 */
4 #include <linux/slab.h>
5 #include <linux/bpf.h>
6
7 #include "map_in_map.h"
8
9 struct bpf_map *bpf_map_meta_alloc(int inner_map_ufd)
10 {
11 struct bpf_map *inner_map, *inner_map_meta;
12 u32 inner_map_meta_size;
13 struct fd f;
14
15 f = fdget(inner_map_ufd);
16 inner_map = __bpf_map_get(f);
17 if (IS_ERR(inner_map))
18 return inner_map;
19
20 /* prog_array->owner_prog_type and owner_jited
21 * is a runtime binding. Doing static check alone
22 * in the verifier is not enough.
23 */
24 if (inner_map->map_type == BPF_MAP_TYPE_PROG_ARRAY ||
25 inner_map->map_type == BPF_MAP_TYPE_CGROUP_STORAGE ||
26 inner_map->map_type == BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE) {
27 fdput(f);
28 return ERR_PTR(-ENOTSUPP);
29 }
30
31 /* Does not support >1 level map-in-map */
32 if (inner_map->inner_map_meta) {
33 fdput(f);
34 return ERR_PTR(-EINVAL);
35 }
36
37 if (map_value_has_spin_lock(inner_map)) {
38 fdput(f);
39 return ERR_PTR(-ENOTSUPP);
40 }
41
42 inner_map_meta_size = sizeof(*inner_map_meta);
43 /* In some cases verifier needs to access beyond just base map. */
44 if (inner_map->ops == &array_map_ops)
45 inner_map_meta_size = sizeof(struct bpf_array);
46
47 inner_map_meta = kzalloc(inner_map_meta_size, GFP_USER);
48 if (!inner_map_meta) {
49 fdput(f);
50 return ERR_PTR(-ENOMEM);
51 }
52
53 inner_map_meta->map_type = inner_map->map_type;
54 inner_map_meta->key_size = inner_map->key_size;
55 inner_map_meta->value_size = inner_map->value_size;
56 inner_map_meta->map_flags = inner_map->map_flags;
57 inner_map_meta->max_entries = inner_map->max_entries;
58 inner_map_meta->spin_lock_off = inner_map->spin_lock_off;
59
60 /* Misc members not needed in bpf_map_meta_equal() check. */
61 inner_map_meta->ops = inner_map->ops;
62 if (inner_map->ops == &array_map_ops) {
63 inner_map_meta->unpriv_array = inner_map->unpriv_array;
64 container_of(inner_map_meta, struct bpf_array, map)->index_mask =
65 container_of(inner_map, struct bpf_array, map)->index_mask;
66 }
67
68 fdput(f);
69 return inner_map_meta;
70 }
71
72 void bpf_map_meta_free(struct bpf_map *map_meta)
73 {
74 kfree(map_meta);
75 }
76
77 bool bpf_map_meta_equal(const struct bpf_map *meta0,
78 const struct bpf_map *meta1)
79 {
80 /* No need to compare ops because it is covered by map_type */
81 return meta0->map_type == meta1->map_type &&
82 meta0->key_size == meta1->key_size &&
83 meta0->value_size == meta1->value_size &&
84 meta0->map_flags == meta1->map_flags &&
85 meta0->max_entries == meta1->max_entries;
86 }
87
88 void *bpf_map_fd_get_ptr(struct bpf_map *map,
89 struct file *map_file /* not used */,
90 int ufd)
91 {
92 struct bpf_map *inner_map;
93 struct fd f;
94
95 f = fdget(ufd);
96 inner_map = __bpf_map_get(f);
97 if (IS_ERR(inner_map))
98 return inner_map;
99
100 if (bpf_map_meta_equal(map->inner_map_meta, inner_map))
101 inner_map = bpf_map_inc(inner_map, false);
102 else
103 inner_map = ERR_PTR(-EINVAL);
104
105 fdput(f);
106 return inner_map;
107 }
108
109 void bpf_map_fd_put_ptr(void *ptr)
110 {
111 /* ptr->ops->map_free() has to go through one
112 * rcu grace period by itself.
113 */
114 bpf_map_put(ptr);
115 }
116
117 u32 bpf_map_fd_sys_lookup_elem(void *ptr)
118 {
119 return ((struct bpf_map *)ptr)->id;
120 }
Ubuntu Jammy Linux kernel mirror