Commit 1624918b authored by Hou Tao's avatar Hou Tao Committed by Alexei Starovoitov

selftests/bpf: Add test cases for inner map



Add test cases to test the race between the destroy of inner map due to
map-in-map update and the access of inner map in bpf program. The
following 4 combinations are added:
(1) array map in map array + bpf program
(2) array map in map array + sleepable bpf program
(3) array map in map htab + bpf program
(4) array map in map htab + sleepable bpf program

Before applying the fixes, when running `./test_progs -a map_in_map`, the
following error was reported:

  ==================================================================
  BUG: KASAN: slab-use-after-free in array_map_update_elem+0x48/0x3e0
  Read of size 4 at addr ffff888114f33824 by task test_progs/1858

  CPU: 1 PID: 1858 Comm: test_progs Tainted: G           O     6.6.0+ #7
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......
  Call Trace:
   <TASK>
   dump_stack_lvl+0x4a/0x90
   print_report+0xd2/0x620
   kasan_report+0xd1/0x110
   __asan_load4+0x81/0xa0
   array_map_update_elem+0x48/0x3e0
   bpf_prog_be94a9f26772f5b7_access_map_in_array+0xe6/0xf6
   trace_call_bpf+0x1aa/0x580
   kprobe_perf_func+0xdd/0x430
   kprobe_dispatcher+0xa0/0xb0
   kprobe_ftrace_handler+0x18b/0x2e0
   0xffffffffc02280f7
  RIP: 0010:__x64_sys_getpgid+0x1/0x30
  ......
   </TASK>

  Allocated by task 1857:
   kasan_save_stack+0x26/0x50
   kasan_set_track+0x25/0x40
   kasan_save_alloc_info+0x1e/0x30
   __kasan_kmalloc+0x98/0xa0
   __kmalloc_node+0x6a/0x150
   __bpf_map_area_alloc+0x141/0x170
   bpf_map_area_alloc+0x10/0x20
   array_map_alloc+0x11f/0x310
   map_create+0x28a/0xb40
   __sys_bpf+0x753/0x37c0
   __x64_sys_bpf+0x44/0x60
   do_syscall_64+0x36/0xb0
   entry_SYSCALL_64_after_hwframe+0x6e/0x76

  Freed by task 11:
   kasan_save_stack+0x26/0x50
   kasan_set_track+0x25/0x40
   kasan_save_free_info+0x2b/0x50
   __kasan_slab_free+0x113/0x190
   slab_free_freelist_hook+0xd7/0x1e0
   __kmem_cache_free+0x170/0x260
   kfree+0x9b/0x160
   kvfree+0x2d/0x40
   bpf_map_area_free+0xe/0x20
   array_map_free+0x120/0x2c0
   bpf_map_free_deferred+0xd7/0x1e0
   process_one_work+0x462/0x990
   worker_thread+0x370/0x670
   kthread+0x1b0/0x200
   ret_from_fork+0x3a/0x70
   ret_from_fork_asm+0x1b/0x30

  Last potentially related work creation:
   kasan_save_stack+0x26/0x50
   __kasan_record_aux_stack+0x94/0xb0
   kasan_record_aux_stack_noalloc+0xb/0x20
   __queue_work+0x331/0x950
   queue_work_on+0x75/0x80
   bpf_map_put+0xfa/0x160
   bpf_map_fd_put_ptr+0xe/0x20
   bpf_fd_array_map_update_elem+0x174/0x1b0
   bpf_map_update_value+0x2b7/0x4a0
   __sys_bpf+0x2551/0x37c0
   __x64_sys_bpf+0x44/0x60
   do_syscall_64+0x36/0xb0
   entry_SYSCALL_64_after_hwframe+0x6e/0x76

Signed-off-by: Hou Tao <houtao1@huawei.com>
Link: https://lore.kernel.org/r/20231204140425.1480317-7-houtao@huaweicloud.com


Signed-off-by: Alexei Starovoitov <ast@kernel.org>
parent af66bfd3
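--- a/PATH-NOT-SHOWN-ON-PAGE-FILE-1
+++ b/PATH-NOT-SHOWN-ON-PAGE-FILE-1
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright (C) 2023. Huawei Technologies Co., Ltd */
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <test_progs.h>
+#include <bpf/btf.h>
+#include "access_map_in_map.skel.h"
+
+struct thread_ctx {
+	pthread_barrier_t barrier;
+	int outer_map_fd;
+	int start, abort;
+	int loop, err;
+};
+
+static int wait_for_start_or_abort(struct thread_ctx *ctx)
+{
+	while (!ctx->start && !ctx->abort)
+		usleep(1);
+	return ctx->abort ? -1 : 0;
+}
+
+static void *update_map_fn(void *data)
+{
+	struct thread_ctx *ctx = data;
+	int loop = ctx->loop, err = 0;
+
+	if (wait_for_start_or_abort(ctx) < 0)
+		return NULL;
+	pthread_barrier_wait(&ctx->barrier);
+
+	while (loop-- > 0) {
+		int fd, zero = 0;
+
+		fd = bpf_map_create(BPF_MAP_TYPE_ARRAY, NULL, 4, 4, 1, NULL);
+		if (fd < 0) {
+			err |= 1;
+			pthread_barrier_wait(&ctx->barrier);
+			continue;
+		}
+
+		/* Remove the old inner map */
+		if (bpf_map_update_elem(ctx->outer_map_fd, &zero, &fd, 0) < 0)
+			err |= 2;
+		close(fd);
+		pthread_barrier_wait(&ctx->barrier);
+	}
+
+	ctx->err = err;
+
+	return NULL;
+}
+
+static void *access_map_fn(void *data)
+{
+	struct thread_ctx *ctx = data;
+	int loop = ctx->loop;
+
+	if (wait_for_start_or_abort(ctx) < 0)
+		return NULL;
+	pthread_barrier_wait(&ctx->barrier);
+
+	while (loop-- > 0) {
+		/* Access the old inner map */
+		syscall(SYS_getpgid);
+		pthread_barrier_wait(&ctx->barrier);
+	}
+
+	return NULL;
+}
+
+static void test_map_in_map_access(const char *prog_name, const char *map_name)
+{
+	struct access_map_in_map *skel;
+	struct bpf_map *outer_map;
+	struct bpf_program *prog;
+	struct thread_ctx ctx;
+	pthread_t tid[2];
+	int err;
+
+	skel = access_map_in_map__open();
+	if (!ASSERT_OK_PTR(skel, "access_map_in_map open"))
+		return;
+
+	prog = bpf_object__find_program_by_name(skel->obj, prog_name);
+	if (!ASSERT_OK_PTR(prog, "find program"))
+		goto out;
+	bpf_program__set_autoload(prog, true);
+
+	outer_map = bpf_object__find_map_by_name(skel->obj, map_name);
+	if (!ASSERT_OK_PTR(outer_map, "find map"))
+		goto out;
+
+	err = access_map_in_map__load(skel);
+	if (!ASSERT_OK(err, "access_map_in_map load"))
+		goto out;
+
+	err = access_map_in_map__attach(skel);
+	if (!ASSERT_OK(err, "access_map_in_map attach"))
+		goto out;
+
+	skel->bss->tgid = getpid();
+
+	memset(&ctx, 0, sizeof(ctx));
+	pthread_barrier_init(&ctx.barrier, NULL, 2);
+	ctx.outer_map_fd = bpf_map__fd(outer_map);
+	ctx.loop = 4;
+
+	err = pthread_create(&tid[0], NULL, update_map_fn, &ctx);
+	if (!ASSERT_OK(err, "close_thread"))
+		goto out;
+
+	err = pthread_create(&tid[1], NULL, access_map_fn, &ctx);
+	if (!ASSERT_OK(err, "read_thread")) {
+		ctx.abort = 1;
+		pthread_join(tid[0], NULL);
+		goto out;
+	}
+
+	ctx.start = 1;
+	pthread_join(tid[0], NULL);
+	pthread_join(tid[1], NULL);
+
+	ASSERT_OK(ctx.err, "err");
+out:
+	access_map_in_map__destroy(skel);
+}
+
+void test_map_in_map(void)
+{
+	if (test__start_subtest("acc_map_in_array"))
+		test_map_in_map_access("access_map_in_array", "outer_array_map");
+	if (test__start_subtest("sleepable_acc_map_in_array"))
+		test_map_in_map_access("sleepable_access_map_in_array", "outer_array_map");
+	if (test__start_subtest("acc_map_in_htab"))
+		test_map_in_map_access("access_map_in_htab", "outer_htab_map");
+	if (test__start_subtest("sleepable_acc_map_in_htab"))
+		test_map_in_map_access("sleepable_access_map_in_htab", "outer_htab_map");
+}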
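Review bot: The `start` and `abort` fields that `wait_for_start_or_abort` spins on are plain `int`s written by the main thread (`ctx.start = 1;`, `ctx.abort = 1;`) while the two workers read them with no atomic access or lock, which is a data race under the C11 memory model even though the `usleep()` call in the loop happens to stop the compiler from hoisting the loads. Reading them as `while (!__atomic_load_n(&ctx->start, __ATOMIC_ACQUIRE) && !__atomic_load_n(&ctx->abort, __ATOMIC_ACQUIRE))` and storing with `__atomic_store_n(&ctx.start, 1, __ATOMIC_RELEASE)` makes the hand-off well-defined (declaring the two fields `_Atomic int` is the stdatomic equivalent). Separately, `pthread_barrier_init(&ctx.barrier, NULL, 2);` in `test_map_in_map_access` has its return value discarded, and nothing calls `pthread_barrier_destroy()` before `out:`, so the barrier is leaked on every subtest; checking the init result and destroying the barrier after the two joins would close that.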
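--- a/PATH-NOT-SHOWN-ON-PAGE-FILE-2
+++ b/PATH-NOT-SHOWN-ON-PAGE-FILE-2
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright (C) 2023. Huawei Technologies Co., Ltd */
+#include <linux/bpf.h>
+#include <time.h>
+#include <bpf/bpf_helpers.h>
+
+#include "bpf_misc.h"
+
+struct inner_map_type {
+	__uint(type, BPF_MAP_TYPE_ARRAY);
+	__uint(key_size, 4);
+	__uint(value_size, 4);
+	__uint(max_entries, 1);
+} inner_map SEC(".maps");
+
+struct {
+	__uint(type, BPF_MAP_TYPE_ARRAY_OF_MAPS);
+	__type(key, int);
+	__type(value, int);
+	__uint(max_entries, 1);
+	__array(values, struct inner_map_type);
+} outer_array_map SEC(".maps") = {
+	.values = {
+		[0] = &inner_map,
+	},
+};
+
+struct {
+	__uint(type, BPF_MAP_TYPE_HASH_OF_MAPS);
+	__type(key, int);
+	__type(value, int);
+	__uint(max_entries, 1);
+	__array(values, struct inner_map_type);
+} outer_htab_map SEC(".maps") = {
+	.values = {
+		[0] = &inner_map,
+	},
+};
+
+char _license[] SEC("license") = "GPL";
+
+int tgid = 0;
+
+static int acc_map_in_map(void *outer_map)
+{
+	int i, key, value = 0xdeadbeef;
+	void *inner_map;
+
+	if ((bpf_get_current_pid_tgid() >> 32) != tgid)
+		return 0;
+
+	/* Find nonexistent inner map */
+	key = 1;
+	inner_map = bpf_map_lookup_elem(outer_map, &key);
+	if (inner_map)
+		return 0;
+
+	/* Find the old inner map */
+	key = 0;
+	inner_map = bpf_map_lookup_elem(outer_map, &key);
+	if (!inner_map)
+		return 0;
+
+	/* Wait for the old inner map to be replaced */
+	for (i = 0; i < 2048; i++)
+		bpf_map_update_elem(inner_map, &key, &value, 0);
+
+	return 0;
+}
+
+SEC("?kprobe/" SYS_PREFIX "sys_getpgid")
+int access_map_in_array(void *ctx)
+{
+	return acc_map_in_map(&outer_array_map);
+}
+
+SEC("?fentry.s/" SYS_PREFIX "sys_getpgid")
+int sleepable_access_map_in_array(void *ctx)
+{
+	return acc_map_in_map(&outer_array_map);
+}
+
+SEC("?kprobe/" SYS_PREFIX "sys_getpgid")
+int access_map_in_htab(void *ctx)
+{
+	return acc_map_in_map(&outer_htab_map);
+}
+
+SEC("?fentry.s/" SYS_PREFIX "sys_getpgid")
+int sleepable_access_map_in_htab(void *ctx)
+{
+	return acc_map_in_map(&outer_htab_map);
+}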
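Review bot: `int i, key, value = 0xdeadbeef;` in `acc_map_in_map` initialises an `int` from a constant that does not fit in it, so the conversion is implementation-defined and noisy under -Wconversion; since the inner map declares `value_size` 4, writing `__u32 value = 0xdeadbeef;` keeps the same 4-byte payload without the narrowing. The function also has no header comment explaining why it hammers `bpf_map_update_elem` 2048 times on a pointer obtained from a single lookup, which is the whole point of the test; something like `/* Keep using the inner_map pointer from the lookup long enough for the concurrent outer-map update in user space to replace and free it; a use-after-free here is the bug under test */` above the loop would make that intent clear. It is worth saying in the same comment that the update return values are deliberately ignored, so a later reader does not "fix" the loop by adding error handling that changes its timing.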