LXR linux/kernel/bpf/stackmap.c

   1/* Copyright (c) 2016 Facebook
   2 *
   3 * This program is free software; you can redistribute it and/or
   4 * modify it under the terms of version 2 of the GNU General Public
   5 * License as published by the Free Software Foundation.
   6 */
   7#include <linux/bpf.h>
   8#include <linux/jhash.h>
   9#include <linux/filter.h>
  10#include <linux/stacktrace.h>
  11#include <linux/perf_event.h>
  12#include <linux/elf.h>
  13#include <linux/pagemap.h>
  14#include "percpu_freelist.h"
  15
  16#define STACK_CREATE_FLAG_MASK                                  \
  17        (BPF_F_NUMA_NODE | BPF_F_RDONLY | BPF_F_WRONLY |        \
  18         BPF_F_STACK_BUILD_ID)
  19
  20struct stack_map_bucket {
  21        struct pcpu_freelist_node fnode;
  22        u32 hash;
  23        u32 nr;
  24        u64 data[];
  25};
  26
  27struct bpf_stack_map {
  28        struct bpf_map map;
  29        void *elems;
  30        struct pcpu_freelist freelist;
  31        u32 n_buckets;
  32        struct stack_map_bucket *buckets[];
  33};
  34
  35static inline bool stack_map_use_build_id(struct bpf_map *map)
  36{
  37        return (map->map_flags & BPF_F_STACK_BUILD_ID);
  38}
  39
  40static inline int stack_map_data_size(struct bpf_map *map)
  41{
  42        return stack_map_use_build_id(map) ?
  43                sizeof(struct bpf_stack_build_id) : sizeof(u64);
  44}
  45
  46static int prealloc_elems_and_freelist(struct bpf_stack_map *smap)
  47{
  48        u32 elem_size = sizeof(struct stack_map_bucket) + smap->map.value_size;
  49        int err;
  50
  51        smap->elems = bpf_map_area_alloc(elem_size * smap->map.max_entries,
  52                                         smap->map.numa_node);
  53        if (!smap->elems)
  54                return -ENOMEM;
  55
  56        err = pcpu_freelist_init(&smap->freelist);
  57        if (err)
  58                goto free_elems;
  59
  60        pcpu_freelist_populate(&smap->freelist, smap->elems, elem_size,
  61                               smap->map.max_entries);
  62        return 0;
  63
  64free_elems:
  65        bpf_map_area_free(smap->elems);
  66        return err;
  67}
  68
  69/* Called from syscall */
  70static struct bpf_map *stack_map_alloc(union bpf_attr *attr)
  71{
  72        u32 value_size = attr->value_size;
  73        struct bpf_stack_map *smap;
  74        u64 cost, n_buckets;
  75        int err;
  76
  77        if (!capable(CAP_SYS_ADMIN))
  78                return ERR_PTR(-EPERM);
  79
  80        if (attr->map_flags & ~STACK_CREATE_FLAG_MASK)
  81                return ERR_PTR(-EINVAL);
  82
  83        /* check sanity of attributes */
  84        if (attr->max_entries == 0 || attr->key_size != 4 ||
  85            value_size < 8 || value_size % 8)
  86                return ERR_PTR(-EINVAL);
  87
  88        BUILD_BUG_ON(sizeof(struct bpf_stack_build_id) % sizeof(u64));
  89        if (attr->map_flags & BPF_F_STACK_BUILD_ID) {
  90                if (value_size % sizeof(struct bpf_stack_build_id) ||
  91                    value_size / sizeof(struct bpf_stack_build_id)
  92                    > PERF_MAX_STACK_DEPTH)
  93                        return ERR_PTR(-EINVAL);
  94        } else if (value_size / 8 > PERF_MAX_STACK_DEPTH)
  95                return ERR_PTR(-EINVAL);
  96
  97        /* hash table size must be power of 2 */
  98        n_buckets = roundup_pow_of_two(attr->max_entries);
  99
 100        cost = n_buckets * sizeof(struct stack_map_bucket *) + sizeof(*smap);
 101        if (cost >= U32_MAX - PAGE_SIZE)
 102                return ERR_PTR(-E2BIG);
 103
 104        smap = bpf_map_area_alloc(cost, bpf_map_attr_numa_node(attr));
 105        if (!smap)
 106                return ERR_PTR(-ENOMEM);
 107
 108        err = -E2BIG;
 109        cost += n_buckets * (value_size + sizeof(struct stack_map_bucket));
 110        if (cost >= U32_MAX - PAGE_SIZE)
 111                goto free_smap;
 112
 113        bpf_map_init_from_attr(&smap->map, attr);
 114        smap->map.value_size = value_size;
 115        smap->n_buckets = n_buckets;
 116        smap->map.pages = round_up(cost, PAGE_SIZE) >> PAGE_SHIFT;
 117
 118        err = bpf_map_precharge_memlock(smap->map.pages);
 119        if (err)
 120                goto free_smap;
 121
 122        err = get_callchain_buffers();
 123        if (err)
 124                goto free_smap;
 125
 126        err = prealloc_elems_and_freelist(smap);
 127        if (err)
 128                goto put_buffers;
 129
 130        return &smap->map;
 131
 132put_buffers:
 133        put_callchain_buffers();
 134free_smap:
 135        bpf_map_area_free(smap);
 136        return ERR_PTR(err);
 137}
 138
 139#define BPF_BUILD_ID 3
 140/*
 141 * Parse build id from the note segment. This logic can be shared between
 142 * 32-bit and 64-bit system, because Elf32_Nhdr and Elf64_Nhdr are
 143 * identical.
 144 */
 145static inline int stack_map_parse_build_id(void *page_addr,
 146                                           unsigned char *build_id,
 147                                           void *note_start,
 148                                           Elf32_Word note_size)
 149{
 150        Elf32_Word note_offs = 0, new_offs;
 151
 152        /* check for overflow */
 153        if (note_start < page_addr || note_start + note_size < note_start)
 154                return -EINVAL;
 155
 156        /* only supports note that fits in the first page */
 157        if (note_start + note_size > page_addr + PAGE_SIZE)
 158                return -EINVAL;
 159
 160        while (note_offs + sizeof(Elf32_Nhdr) < note_size) {
 161                Elf32_Nhdr *nhdr = (Elf32_Nhdr *)(note_start + note_offs);
 162
 163                if (nhdr->n_type == BPF_BUILD_ID &&
 164                    nhdr->n_namesz == sizeof("GNU") &&
 165                    nhdr->n_descsz == BPF_BUILD_ID_SIZE) {
 166                        memcpy(build_id,
 167                               note_start + note_offs +
 168                               ALIGN(sizeof("GNU"), 4) + sizeof(Elf32_Nhdr),
 169                               BPF_BUILD_ID_SIZE);
 170                        return 0;
 171                }
 172                new_offs = note_offs + sizeof(Elf32_Nhdr) +
 173                        ALIGN(nhdr->n_namesz, 4) + ALIGN(nhdr->n_descsz, 4);
 174                if (new_offs <= note_offs)  /* overflow */
 175                        break;
 176                note_offs = new_offs;
 177        }
 178        return -EINVAL;
 179}
 180
 181/* Parse build ID from 32-bit ELF */
 182static int stack_map_get_build_id_32(void *page_addr,
 183                                     unsigned char *build_id)
 184{
 185        Elf32_Ehdr *ehdr = (Elf32_Ehdr *)page_addr;
 186        Elf32_Phdr *phdr;
 187        int i;
 188
 189        /* only supports phdr that fits in one page */
 190        if (ehdr->e_phnum >
 191            (PAGE_SIZE - sizeof(Elf32_Ehdr)) / sizeof(Elf32_Phdr))
 192                return -EINVAL;
 193
 194        phdr = (Elf32_Phdr *)(page_addr + sizeof(Elf32_Ehdr));
 195
 196        for (i = 0; i < ehdr->e_phnum; ++i)
 197                if (phdr[i].p_type == PT_NOTE)
 198                        return stack_map_parse_build_id(page_addr, build_id,
 199                                        page_addr + phdr[i].p_offset,
 200                                        phdr[i].p_filesz);
 201        return -EINVAL;
 202}
 203
 204/* Parse build ID from 64-bit ELF */
 205static int stack_map_get_build_id_64(void *page_addr,
 206                                     unsigned char *build_id)
 207{
 208        Elf64_Ehdr *ehdr = (Elf64_Ehdr *)page_addr;
 209        Elf64_Phdr *phdr;
 210        int i;
 211
 212        /* only supports phdr that fits in one page */
 213        if (ehdr->e_phnum >
 214            (PAGE_SIZE - sizeof(Elf64_Ehdr)) / sizeof(Elf64_Phdr))
 215                return -EINVAL;
 216
 217        phdr = (Elf64_Phdr *)(page_addr + sizeof(Elf64_Ehdr));
 218
 219        for (i = 0; i < ehdr->e_phnum; ++i)
 220                if (phdr[i].p_type == PT_NOTE)
 221                        return stack_map_parse_build_id(page_addr, build_id,
 222                                        page_addr + phdr[i].p_offset,
 223                                        phdr[i].p_filesz);
 224        return -EINVAL;
 225}
 226
 227/* Parse build ID of ELF file mapped to vma */
 228static int stack_map_get_build_id(struct vm_area_struct *vma,
 229                                  unsigned char *build_id)
 230{
 231        Elf32_Ehdr *ehdr;
 232        struct page *page;
 233        void *page_addr;
 234        int ret;
 235
 236        /* only works for page backed storage  */
 237        if (!vma->vm_file)
 238                return -EINVAL;
 239
 240        page = find_get_page(vma->vm_file->f_mapping, 0);
 241        if (!page)
 242                return -EFAULT; /* page not mapped */
 243
 244        ret = -EINVAL;
 245        page_addr = page_address(page);
 246        ehdr = (Elf32_Ehdr *)page_addr;
 247
 248        /* compare magic x7f "ELF" */
 249        if (memcmp(ehdr->e_ident, ELFMAG, SELFMAG) != 0)
 250                goto out;
 251
 252        /* only support executable file and shared object file */
 253        if (ehdr->e_type != ET_EXEC && ehdr->e_type != ET_DYN)
 254                goto out;
 255
 256        if (ehdr->e_ident[EI_CLASS] == ELFCLASS32)
 257                ret = stack_map_get_build_id_32(page_addr, build_id);
 258        else if (ehdr->e_ident[EI_CLASS] == ELFCLASS64)
 259                ret = stack_map_get_build_id_64(page_addr, build_id);
 260out:
 261        put_page(page);
 262        return ret;
 263}
 264
 265static void stack_map_get_build_id_offset(struct bpf_map *map,
 266                                          struct stack_map_bucket *bucket,
 267                                          u64 *ips, u32 trace_nr, bool user)
 268{
 269        int i;
 270        struct vm_area_struct *vma;
 271        struct bpf_stack_build_id *id_offs;
 272
 273        bucket->nr = trace_nr;
 274        id_offs = (struct bpf_stack_build_id *)bucket->data;
 275
 276        /*
 277         * We cannot do up_read() in nmi context, so build_id lookup is
 278         * only supported for non-nmi events. If at some point, it is
 279         * possible to run find_vma() without taking the semaphore, we
 280         * would like to allow build_id lookup in nmi context.
 281         *
 282         * Same fallback is used for kernel stack (!user) on a stackmap
 283         * with build_id.
 284         */
 285        if (!user || !current || !current->mm || in_nmi() ||
 286            down_read_trylock(&current->mm->mmap_sem) == 0) {
 287                /* cannot access current->mm, fall back to ips */
 288                for (i = 0; i < trace_nr; i++) {
 289                        id_offs[i].status = BPF_STACK_BUILD_ID_IP;
 290                        id_offs[i].ip = ips[i];
 291                }
 292                return;
 293        }
 294
 295        for (i = 0; i < trace_nr; i++) {
 296                vma = find_vma(current->mm, ips[i]);
 297                if (!vma || stack_map_get_build_id(vma, id_offs[i].build_id)) {
 298                        /* per entry fall back to ips */
 299                        id_offs[i].status = BPF_STACK_BUILD_ID_IP;
 300                        id_offs[i].ip = ips[i];
 301                        continue;
 302                }
 303                id_offs[i].offset = (vma->vm_pgoff << PAGE_SHIFT) + ips[i]
 304                        - vma->vm_start;
 305                id_offs[i].status = BPF_STACK_BUILD_ID_VALID;
 306        }
 307        up_read(&current->mm->mmap_sem);
 308}
 309
 310BPF_CALL_3(bpf_get_stackid, struct pt_regs *, regs, struct bpf_map *, map,
 311           u64, flags)
 312{
 313        struct bpf_stack_map *smap = container_of(map, struct bpf_stack_map, map);
 314        struct perf_callchain_entry *trace;
 315        struct stack_map_bucket *bucket, *new_bucket, *old_bucket;
 316        u32 max_depth = map->value_size / stack_map_data_size(map);
 317        /* stack_map_alloc() checks that max_depth <= PERF_MAX_STACK_DEPTH */
 318        u32 init_nr = PERF_MAX_STACK_DEPTH - max_depth;
 319        u32 skip = flags & BPF_F_SKIP_FIELD_MASK;
 320        u32 hash, id, trace_nr, trace_len;
 321        bool user = flags & BPF_F_USER_STACK;
 322        bool kernel = !user;
 323        u64 *ips;
 324        bool hash_matches;
 325
 326        if (unlikely(flags & ~(BPF_F_SKIP_FIELD_MASK | BPF_F_USER_STACK |
 327                               BPF_F_FAST_STACK_CMP | BPF_F_REUSE_STACKID)))
 328                return -EINVAL;
 329
 330        trace = get_perf_callchain(regs, init_nr, kernel, user, false, false);
 331
 332        if (unlikely(!trace))
 333                /* couldn't fetch the stack trace */
 334                return -EFAULT;
 335
 336        /* get_perf_callchain() guarantees that trace->nr >= init_nr
 337         * and trace-nr <= PERF_MAX_STACK_DEPTH, so trace_nr <= max_depth
 338         */
 339        trace_nr = trace->nr - init_nr;
 340
 341        if (trace_nr <= skip)
 342                /* skipping more than usable stack trace */
 343                return -EFAULT;
 344
 345        trace_nr -= skip;
 346        trace_len = trace_nr * sizeof(u64);
 347        ips = trace->ip + skip + init_nr;
 348        hash = jhash2((u32 *)ips, trace_len / sizeof(u32), 0);
 349        id = hash & (smap->n_buckets - 1);
 350        bucket = READ_ONCE(smap->buckets[id]);
 351
 352        hash_matches = bucket && bucket->hash == hash;
 353        /* fast cmp */
 354        if (hash_matches && flags & BPF_F_FAST_STACK_CMP)
 355                return id;
 356
 357        if (stack_map_use_build_id(map)) {
 358                /* for build_id+offset, pop a bucket before slow cmp */
 359                new_bucket = (struct stack_map_bucket *)
 360                        pcpu_freelist_pop(&smap->freelist);
 361                if (unlikely(!new_bucket))
 362                        return -ENOMEM;
 363                stack_map_get_build_id_offset(map, new_bucket, ips,
 364                                              trace_nr, user);
 365                trace_len = trace_nr * sizeof(struct bpf_stack_build_id);
 366                if (hash_matches && bucket->nr == trace_nr &&
 367                    memcmp(bucket->data, new_bucket->data, trace_len) == 0) {
 368                        pcpu_freelist_push(&smap->freelist, &new_bucket->fnode);
 369                        return id;
 370                }
 371                if (bucket && !(flags & BPF_F_REUSE_STACKID)) {
 372                        pcpu_freelist_push(&smap->freelist, &new_bucket->fnode);
 373                        return -EEXIST;
 374                }
 375        } else {
 376                if (hash_matches && bucket->nr == trace_nr &&
 377                    memcmp(bucket->data, ips, trace_len) == 0)
 378                        return id;
 379                if (bucket && !(flags & BPF_F_REUSE_STACKID))
 380                        return -EEXIST;
 381
 382                new_bucket = (struct stack_map_bucket *)
 383                        pcpu_freelist_pop(&smap->freelist);
 384                if (unlikely(!new_bucket))
 385                        return -ENOMEM;
 386                memcpy(new_bucket->data, ips, trace_len);
 387        }
 388
 389        new_bucket->hash = hash;
 390        new_bucket->nr = trace_nr;
 391
 392        old_bucket = xchg(&smap->buckets[id], new_bucket);
 393        if (old_bucket)
 394                pcpu_freelist_push(&smap->freelist, &old_bucket->fnode);
 395        return id;
 396}
 397
 398const struct bpf_func_proto bpf_get_stackid_proto = {
 399        .func           = bpf_get_stackid,
 400        .gpl_only       = true,
 401        .ret_type       = RET_INTEGER,
 402        .arg1_type      = ARG_PTR_TO_CTX,
 403        .arg2_type      = ARG_CONST_MAP_PTR,
 404        .arg3_type      = ARG_ANYTHING,
 405};
 406
 407/* Called from eBPF program */
 408static void *stack_map_lookup_elem(struct bpf_map *map, void *key)
 409{
 410        return NULL;
 411}
 412
 413/* Called from syscall */
 414int bpf_stackmap_copy(struct bpf_map *map, void *key, void *value)
 415{
 416        struct bpf_stack_map *smap = container_of(map, struct bpf_stack_map, map);
 417        struct stack_map_bucket *bucket, *old_bucket;
 418        u32 id = *(u32 *)key, trace_len;
 419
 420        if (unlikely(id >= smap->n_buckets))
 421                return -ENOENT;
 422
 423        bucket = xchg(&smap->buckets[id], NULL);
 424        if (!bucket)
 425                return -ENOENT;
 426
 427        trace_len = bucket->nr * stack_map_data_size(map);
 428        memcpy(value, bucket->data, trace_len);
 429        memset(value + trace_len, 0, map->value_size - trace_len);
 430
 431        old_bucket = xchg(&smap->buckets[id], bucket);
 432        if (old_bucket)
 433                pcpu_freelist_push(&smap->freelist, &old_bucket->fnode);
 434        return 0;
 435}
 436
 437static int stack_map_get_next_key(struct bpf_map *map, void *key,
 438                                  void *next_key)
 439{
 440        struct bpf_stack_map *smap = container_of(map,
 441                                                  struct bpf_stack_map, map);
 442        u32 id;
 443
 444        WARN_ON_ONCE(!rcu_read_lock_held());
 445
 446        if (!key) {
 447                id = 0;
 448        } else {
 449                id = *(u32 *)key;
 450                if (id >= smap->n_buckets || !smap->buckets[id])
 451                        id = 0;
 452                else
 453                        id++;
 454        }
 455
 456        while (id < smap->n_buckets && !smap->buckets[id])
 457                id++;
 458
 459        if (id >= smap->n_buckets)
 460                return -ENOENT;
 461
 462        *(u32 *)next_key = id;
 463        return 0;
 464}
 465
 466static int stack_map_update_elem(struct bpf_map *map, void *key, void *value,
 467                                 u64 map_flags)
 468{
 469        return -EINVAL;
 470}
 471
 472/* Called from syscall or from eBPF program */
 473static int stack_map_delete_elem(struct bpf_map *map, void *key)
 474{
 475        struct bpf_stack_map *smap = container_of(map, struct bpf_stack_map, map);
 476        struct stack_map_bucket *old_bucket;
 477        u32 id = *(u32 *)key;
 478
 479        if (unlikely(id >= smap->n_buckets))
 480                return -E2BIG;
 481
 482        old_bucket = xchg(&smap->buckets[id], NULL);
 483        if (old_bucket) {
 484                pcpu_freelist_push(&smap->freelist, &old_bucket->fnode);
 485                return 0;
 486        } else {
 487                return -ENOENT;
 488        }
 489}
 490
 491/* Called when map->refcnt goes to zero, either from workqueue or from syscall */
 492static void stack_map_free(struct bpf_map *map)
 493{
 494        struct bpf_stack_map *smap = container_of(map, struct bpf_stack_map, map);
 495
 496        /* wait for bpf programs to complete before freeing stack map */
 497        synchronize_rcu();
 498
 499        bpf_map_area_free(smap->elems);
 500        pcpu_freelist_destroy(&smap->freelist);
 501        bpf_map_area_free(smap);
 502        put_callchain_buffers();
 503}
 504
 505const struct bpf_map_ops stack_map_ops = {
 506        .map_alloc = stack_map_alloc,
 507        .map_free = stack_map_free,
 508        .map_get_next_key = stack_map_get_next_key,
 509        .map_lookup_elem = stack_map_lookup_elem,
 510        .map_update_elem = stack_map_update_elem,
 511        .map_delete_elem = stack_map_delete_elem,
 512};
 513