tools/testing/selftests/bpf/prog_tests/bpf_mod_race.c

root/tools/testing/selftests/bpf/prog_tests/bpf_mod_race.c
// SPDX-License-Identifier: GPL-2.0
#include <unistd.h>
#include <pthread.h>
#include <sys/mman.h>
#include <stdatomic.h>
#include <test_progs.h>
#include <sys/syscall.h>
#include <linux/module.h>
#include <linux/userfaultfd.h>

#include "ksym_race.skel.h"
#include "bpf_mod_race.skel.h"
#include "kfunc_call_race.skel.h"
#include "testing_helpers.h"

/* This test crafts a race between btf_try_get_module and do_init_module, and
 * checks whether btf_try_get_module handles the invocation for a well-formed
 * but uninitialized module correctly. Unless the module has completed its
 * initcalls, the verifier should fail the program load and return ENXIO.
 *
 * userfaultfd is used to trigger a fault in an fmod_ret program, and make it
 * sleep, then the BPF program is loaded and the return value from verifier is
 * inspected. After this, the userfaultfd is closed so that the module loading
 * thread makes forward progress, and fmod_ret injects an error so that the
 * module load fails and it is freed.
 *
 * If the verifier succeeded in loading the supplied program, it will end up
 * taking reference to freed module, and trigger a crash when the program fd
 * is closed later. This is true for both kfuncs and ksyms. In both cases,
 * the crash is triggered inside bpf_prog_free_deferred, when module reference
 * is finally released.
 */

struct test_config {
        const char *str_open;
        void *(*bpf_open_and_load)();
        void (*bpf_destroy)(void *);
};

enum bpf_test_state {
        _TS_INVALID,
        TS_MODULE_LOAD,
        TS_MODULE_LOAD_FAIL,
};

static _Atomic enum bpf_test_state state = _TS_INVALID;

static void *load_module_thread(void *p)
{

        if (!ASSERT_NEQ(load_bpf_testmod(false), 0, "load_module_thread must fail"))
                atomic_store(&state, TS_MODULE_LOAD);
        else
                atomic_store(&state, TS_MODULE_LOAD_FAIL);
        return p;
}

static int sys_userfaultfd(int flags)
{
        return syscall(__NR_userfaultfd, flags);
}

static int test_setup_uffd(void *fault_addr)
{
        struct uffdio_register uffd_register = {};
        struct uffdio_api uffd_api = {};
        int uffd;

        uffd = sys_userfaultfd(O_CLOEXEC);
        if (uffd < 0)
                return -errno;

        uffd_api.api = UFFD_API;
        uffd_api.features = 0;
        if (ioctl(uffd, UFFDIO_API, &uffd_api)) {
                close(uffd);
                return -1;
        }

        uffd_register.range.start = (unsigned long)fault_addr;
        uffd_register.range.len = getpagesize();
        uffd_register.mode = UFFDIO_REGISTER_MODE_MISSING;
        if (ioctl(uffd, UFFDIO_REGISTER, &uffd_register)) {
                close(uffd);
                return -1;
        }
        return uffd;
}

static void test_bpf_mod_race_config(const struct test_config *config)
{
        void *fault_addr, *skel_fail;
        struct bpf_mod_race *skel;
        struct uffd_msg uffd_msg;
        pthread_t load_mod_thrd;
        _Atomic int *blockingp;
        int uffd, ret;

        fault_addr = mmap(0, 4096, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (!ASSERT_NEQ(fault_addr, MAP_FAILED, "mmap for uffd registration"))
                return;

        if (!ASSERT_OK(unload_bpf_testmod(false), "unload bpf_testmod"))
                goto end_mmap;

        skel = bpf_mod_race__open();
        if (!ASSERT_OK_PTR(skel, "bpf_mod_kfunc_race__open"))
                goto end_module;

        skel->rodata->bpf_mod_race_config.tgid = getpid();
        skel->rodata->bpf_mod_race_config.inject_error = -4242;
        skel->rodata->bpf_mod_race_config.fault_addr = fault_addr;
        if (!ASSERT_OK(bpf_mod_race__load(skel), "bpf_mod___load"))
                goto end_destroy;
        blockingp = (_Atomic int *)&skel->bss->bpf_blocking;

        if (!ASSERT_OK(bpf_mod_race__attach(skel), "bpf_mod_kfunc_race__attach"))
                goto end_destroy;

        uffd = test_setup_uffd(fault_addr);
        if (!ASSERT_GE(uffd, 0, "userfaultfd open + register address"))
                goto end_destroy;

        if (!ASSERT_OK(pthread_create(&load_mod_thrd, NULL, load_module_thread, NULL),
                       "load module thread"))
                goto end_uffd;

        /* Now, we either fail loading module, or block in bpf prog, spin to find out */
        while (!atomic_load(&state) && !atomic_load(blockingp))
                ;
        if (!ASSERT_EQ(state, _TS_INVALID, "module load should block"))
                goto end_join;
        if (!ASSERT_EQ(*blockingp, 1, "module load blocked")) {
                pthread_kill(load_mod_thrd, SIGKILL);
                goto end_uffd;
        }

        /* We might have set bpf_blocking to 1, but may have not blocked in
         * bpf_copy_from_user. Read userfaultfd descriptor to verify that.
         */
        if (!ASSERT_EQ(read(uffd, &uffd_msg, sizeof(uffd_msg)), sizeof(uffd_msg),
                       "read uffd block event"))
                goto end_join;
        if (!ASSERT_EQ(uffd_msg.event, UFFD_EVENT_PAGEFAULT, "read uffd event is pagefault"))
                goto end_join;

        /* We know that load_mod_thrd is blocked in the fmod_ret program, the
         * module state is still MODULE_STATE_COMING because mod->init hasn't
         * returned. This is the time we try to load a program calling kfunc and
         * check if we get ENXIO from verifier.
         */
        skel_fail = config->bpf_open_and_load();
        ret = errno;
        if (!ASSERT_EQ(skel_fail, NULL, config->str_open)) {
                /* Close uffd to unblock load_mod_thrd */
                close(uffd);
                uffd = -1;
                while (atomic_load(blockingp) != 2)
                        ;
                ASSERT_OK(kern_sync_rcu(), "kern_sync_rcu");
                config->bpf_destroy(skel_fail);
                goto end_join;

        }
        ASSERT_EQ(ret, ENXIO, "verifier returns ENXIO");
        ASSERT_EQ(skel->data->res_try_get_module, false, "btf_try_get_module == false");

        close(uffd);
        uffd = -1;
end_join:
        pthread_join(load_mod_thrd, NULL);
        if (uffd < 0)
                ASSERT_EQ(atomic_load(&state), TS_MODULE_LOAD_FAIL, "load_mod_thrd success");
end_uffd:
        if (uffd >= 0)
                close(uffd);
end_destroy:
        bpf_mod_race__destroy(skel);
        ASSERT_OK(kern_sync_rcu(), "kern_sync_rcu");
end_module:
        unload_bpf_testmod(false);
        ASSERT_OK(load_bpf_testmod(false), "restore bpf_testmod");
end_mmap:
        munmap(fault_addr, 4096);
        atomic_store(&state, _TS_INVALID);
}

static const struct test_config ksym_config = {
        .str_open = "ksym_race__open_and_load",
        .bpf_open_and_load = (void *)ksym_race__open_and_load,
        .bpf_destroy = (void *)ksym_race__destroy,
};

static const struct test_config kfunc_config = {
        .str_open = "kfunc_call_race__open_and_load",
        .bpf_open_and_load = (void *)kfunc_call_race__open_and_load,
        .bpf_destroy = (void *)kfunc_call_race__destroy,
};

void serial_test_bpf_mod_race(void)
{
        if (test__start_subtest("ksym (used_btfs UAF)"))
                test_bpf_mod_race_config(&ksym_config);
        if (test__start_subtest("kfunc (kfunc_btf_tab UAF)"))
                test_bpf_mod_race_config(&kfunc_config);
}
Linux
