forked from STMicroelectronics/linux
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
selftests/bpf: Add test for bpf_timer overwriting crash
[ Upstream commit a7e7501 ] Add a test that validates that timer value is not overwritten when doing a copy_map_value call in the kernel. Without the prior fix, this test triggers a crash. Signed-off-by: Kumar Kartikeya Dwivedi <[email protected]> Signed-off-by: Alexei Starovoitov <[email protected]> Link: https://lore.kernel.org/bpf/[email protected] Signed-off-by: Sasha Levin <[email protected]>
- Loading branch information
Showing
2 changed files
with
86 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| // SPDX-License-Identifier: GPL-2.0 | ||
| #include <test_progs.h> | ||
| #include "timer_crash.skel.h" | ||
|
|
||
| enum { | ||
| MODE_ARRAY, | ||
| MODE_HASH, | ||
| }; | ||
|
|
||
| static void test_timer_crash_mode(int mode) | ||
| { | ||
| struct timer_crash *skel; | ||
|
|
||
| skel = timer_crash__open_and_load(); | ||
| if (!ASSERT_OK_PTR(skel, "timer_crash__open_and_load")) | ||
| return; | ||
| skel->bss->pid = getpid(); | ||
| skel->bss->crash_map = mode; | ||
| if (!ASSERT_OK(timer_crash__attach(skel), "timer_crash__attach")) | ||
| goto end; | ||
| usleep(1); | ||
| end: | ||
| timer_crash__destroy(skel); | ||
| } | ||
|
|
||
| void test_timer_crash(void) | ||
| { | ||
| if (test__start_subtest("array")) | ||
| test_timer_crash_mode(MODE_ARRAY); | ||
| if (test__start_subtest("hash")) | ||
| test_timer_crash_mode(MODE_HASH); | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| // SPDX-License-Identifier: GPL-2.0 | ||
|
|
||
| #include <vmlinux.h> | ||
| #include <bpf/bpf_tracing.h> | ||
| #include <bpf/bpf_helpers.h> | ||
|
|
||
| struct map_elem { | ||
| struct bpf_timer timer; | ||
| struct bpf_spin_lock lock; | ||
| }; | ||
|
|
||
| struct { | ||
| __uint(type, BPF_MAP_TYPE_ARRAY); | ||
| __uint(max_entries, 1); | ||
| __type(key, int); | ||
| __type(value, struct map_elem); | ||
| } amap SEC(".maps"); | ||
|
|
||
| struct { | ||
| __uint(type, BPF_MAP_TYPE_HASH); | ||
| __uint(max_entries, 1); | ||
| __type(key, int); | ||
| __type(value, struct map_elem); | ||
| } hmap SEC(".maps"); | ||
|
|
||
| int pid = 0; | ||
| int crash_map = 0; /* 0 for amap, 1 for hmap */ | ||
|
|
||
| SEC("fentry/do_nanosleep") | ||
| int sys_enter(void *ctx) | ||
| { | ||
| struct map_elem *e, value = {}; | ||
| void *map = crash_map ? (void *)&hmap : (void *)&amap; | ||
|
|
||
| if (bpf_get_current_task_btf()->tgid != pid) | ||
| return 0; | ||
|
|
||
| *(void **)&value = (void *)0xdeadcaf3; | ||
|
|
||
| bpf_map_update_elem(map, &(int){0}, &value, 0); | ||
| /* For array map, doing bpf_map_update_elem will do a | ||
| * check_and_free_timer_in_array, which will trigger the crash if timer | ||
| * pointer was overwritten, for hmap we need to use bpf_timer_cancel. | ||
| */ | ||
| if (crash_map == 1) { | ||
| e = bpf_map_lookup_elem(map, &(int){0}); | ||
| if (!e) | ||
| return 0; | ||
| bpf_timer_cancel(&e->timer); | ||
| } | ||
| return 0; | ||
| } | ||
|
|
||
| char _license[] SEC("license") = "GPL"; |