When a user program updates a map value, every uptr will be pinned and
translated to an address in the kernel. This process is initiated by
calling bpf_map_update_elem() from user programs.
Currently, uptr is only supported by task storage maps and can only be set
by user programs through syscalls.
When the value of an uptr is overwritten or destroyed, the memory pointed
to by the old value must be unpinned. This is ensured by calling
bpf_obj_uptrcpy() and copy_map_uptr_locked() when updating map value and by
bpf_obj_free_fields() when destroying map value.
Signed-off-by: Kui-Feng Lee <thinker.li@xxxxxxxxx>
---
kernel/bpf/bpf_local_storage.c | 23 ++++++++++++++-----
kernel/bpf/syscall.c | 40 +++++++++++++++++++++++++++++++---
2 files changed, 55 insertions(+), 8 deletions(-)
diff --git a/kernel/bpf/bpf_local_storage.c b/kernel/bpf/bpf_local_storage.c
index c938dea5ddbf..2fafad53b9d9 100644
--- a/kernel/bpf/bpf_local_storage.c
+++ b/kernel/bpf/bpf_local_storage.c
@@ -99,8 +99,11 @@ bpf_selem_alloc(struct bpf_local_storage_map *smap, void *owner,
}
if (selem) {
- if (value)
+ if (value) {
copy_map_value(&smap->map, SDATA(selem)->data, value);
+ if (smap->map.map_type == BPF_MAP_TYPE_TASK_STORAGE)
+ bpf_obj_uptrcpy(smap->map.record, SDATA(selem)->data, value);
+ }
/* No need to call check_and_init_map_value as memory is zero init */
return selem;
}
@@ -575,8 +578,13 @@ bpf_local_storage_update(void *owner, struct bpf_local_storage_map *smap,
if (err)
return ERR_PTR(err);
if (old_sdata && selem_linked_to_storage_lockless(SELEM(old_sdata))) {
- copy_map_value_locked(&smap->map, old_sdata->data,
- value, false);
+ if (smap->map.map_type == BPF_MAP_TYPE_TASK_STORAGE &&
+ btf_record_has_field(smap->map.record, BPF_UPTR))
+ copy_map_uptr_locked(&smap->map, old_sdata->data,
+ value, false);
+ else
+ copy_map_value_locked(&smap->map, old_sdata->data,
+ value, false);
return old_sdata;
}
}
@@ -607,8 +615,13 @@ bpf_local_storage_update(void *owner, struct bpf_local_storage_map *smap,
goto unlock;
if (old_sdata && (map_flags & BPF_F_LOCK)) {
- copy_map_value_locked(&smap->map, old_sdata->data, value,
- false);
+ if (smap->map.map_type == BPF_MAP_TYPE_TASK_STORAGE &&
+ btf_record_has_field(smap->map.record, BPF_UPTR))
+ copy_map_uptr_locked(&smap->map, old_sdata->data,
+ value, false);
+ else
+ copy_map_value_locked(&smap->map, old_sdata->data,
+ value, false);
selem = SELEM(old_sdata);
goto unlock;
}
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index d504f5eb955a..1854aeb13ff7 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -287,8 +287,8 @@ static void bpf_obj_unpin_uptrs(struct btf_record *rec, void *src)
bpf_obj_unpin_uptrs_cnt(rec, rec->cnt, src);
}
-static int bpf_map_update_value(struct bpf_map *map, struct file *map_file,
- void *key, void *value, __u64 flags)
+static int bpf_map_update_value_inner(struct bpf_map *map, struct file *map_file,
+ void *key, void *value, __u64 flags)
{
int err;
@@ -340,6 +340,29 @@ static int bpf_map_update_value(struct bpf_map *map, struct file *map_file,
return err;
}
+static int bpf_map_update_value(struct bpf_map *map, struct file *map_file,
+ void *key, void *value, __u64 flags)
+{
+ int err;
+
+ if (map->map_type == BPF_MAP_TYPE_TASK_STORAGE) {
+ /* Pin user memory can lead to context switch, so we need
+ * to do it before potential RCU lock.
+ */
+ err = bpf_obj_trans_pin_uptrs(map->record, value,
+ bpf_map_value_size(map));
+ if (err)
+ return err;
+ }
+
+ err = bpf_map_update_value_inner(map, map_file, key, value, flags);
+
+ if (err && map->map_type == BPF_MAP_TYPE_TASK_STORAGE)
+ bpf_obj_unpin_uptrs(map->record, value);
+
+ return err;
+}
+
static int bpf_map_copy_value(struct bpf_map *map, void *key, void *value,
__u64 flags)
{
@@ -846,6 +869,11 @@ void bpf_obj_free_fields(const struct btf_record *rec, void *obj)
field->kptr.dtor(xchgd_field);
}
break;
+ case BPF_UPTR:
+ if (*(void **)field_ptr)
+ bpf_obj_unpin_uptr(field, *(void **)field_ptr);
+ *(void **)field_ptr = NULL;
+ break;
case BPF_LIST_HEAD:
if (WARN_ON_ONCE(rec->spin_lock_off < 0))
continue;
@@ -1231,7 +1259,7 @@ static int map_check_btf(struct bpf_map *map, struct bpf_token *token,
map->record = btf_parse_fields(btf, value_type,
BPF_SPIN_LOCK | BPF_TIMER | BPF_KPTR | BPF_LIST_HEAD |
- BPF_RB_ROOT | BPF_REFCOUNT | BPF_WORKQUEUE,
+ BPF_RB_ROOT | BPF_REFCOUNT | BPF_WORKQUEUE | BPF_UPTR,
map->value_size);
if (!IS_ERR_OR_NULL(map->record)) {
int i;
@@ -1287,6 +1315,12 @@ static int map_check_btf(struct bpf_map *map, struct bpf_token *token,
goto free_map_tab;
}
break;
+ case BPF_UPTR:
+ if (map->map_type != BPF_MAP_TYPE_TASK_STORAGE) {
+ ret = -EOPNOTSUPP;
+ goto free_map_tab;
+ }
+ break;
case BPF_LIST_HEAD:
case BPF_RB_ROOT:
if (map->map_type != BPF_MAP_TYPE_HASH &&
--
2.34.1
