| Author | Tokens | Token Proportion | Commits | Commit Proportion |
|---|---|---|---|---|
| Alexei Starovoitov | 529 | 100.00% | 1 | 100.00% |
| Total | 529 | 1 |
// SPDX-License-Identifier: GPL-2.0 /* Copyright (c) 2026 Meta Platforms, Inc. and affiliates. */ #define _GNU_SOURCE #include <sched.h> #include <pthread.h> #include <test_progs.h> #include "timer_start_delete_race.skel.h" /* * Test for race between bpf_timer_start() and map element deletion. * * The race scenario: * - CPU 1: bpf_timer_start() proceeds to bpf_async_process() and is about * to call hrtimer_start() but hasn't yet * - CPU 2: map_delete_elem() calls __bpf_async_cancel_and_free(), since * timer is not scheduled yet hrtimer_try_to_cancel() is a nop, * then calls bpf_async_refcount_put() dropping refcnt to zero * and scheduling call_rcu_tasks_trace() * - CPU 1: continues and calls hrtimer_start() * - After RCU tasks trace grace period: memory is freed * - Timer callback fires on freed memory: UAF! * * This test stresses this race by having two threads: * - Thread 1: repeatedly starts timers * - Thread 2: repeatedly deletes map elements * * KASAN should detect use-after-free. */ #define ITERATIONS 1000 struct ctx { struct timer_start_delete_race *skel; volatile bool start; volatile bool stop; int errors; }; static void *start_timer_thread(void *arg) { struct ctx *ctx = arg; cpu_set_t cpuset; int fd, i; CPU_ZERO(&cpuset); CPU_SET(0, &cpuset); pthread_setaffinity_np(pthread_self(), sizeof(cpuset), &cpuset); while (!ctx->start && !ctx->stop) usleep(1); if (ctx->stop) return NULL; fd = bpf_program__fd(ctx->skel->progs.start_timer); for (i = 0; i < ITERATIONS && !ctx->stop; i++) { LIBBPF_OPTS(bpf_test_run_opts, opts); int err; err = bpf_prog_test_run_opts(fd, &opts); if (err || opts.retval) { ctx->errors++; break; } } return NULL; } static void *delete_elem_thread(void *arg) { struct ctx *ctx = arg; cpu_set_t cpuset; int fd, i; CPU_ZERO(&cpuset); CPU_SET(1, &cpuset); pthread_setaffinity_np(pthread_self(), sizeof(cpuset), &cpuset); while (!ctx->start && !ctx->stop) usleep(1); if (ctx->stop) return NULL; fd = bpf_program__fd(ctx->skel->progs.delete_elem); for (i = 0; i < ITERATIONS && !ctx->stop; i++) { LIBBPF_OPTS(bpf_test_run_opts, opts); int err; err = bpf_prog_test_run_opts(fd, &opts); if (err || opts.retval) { ctx->errors++; break; } } return NULL; } void test_timer_start_delete_race(void) { struct timer_start_delete_race *skel; pthread_t threads[2]; struct ctx ctx = {}; int err; skel = timer_start_delete_race__open_and_load(); if (!ASSERT_OK_PTR(skel, "skel_open_and_load")) return; ctx.skel = skel; err = pthread_create(&threads[0], NULL, start_timer_thread, &ctx); if (!ASSERT_OK(err, "create start_timer_thread")) { ctx.stop = true; goto cleanup; } err = pthread_create(&threads[1], NULL, delete_elem_thread, &ctx); if (!ASSERT_OK(err, "create delete_elem_thread")) { ctx.stop = true; pthread_join(threads[0], NULL); goto cleanup; } ctx.start = true; pthread_join(threads[0], NULL); pthread_join(threads[1], NULL); ASSERT_EQ(ctx.errors, 0, "thread_errors"); /* Either KASAN will catch UAF or kernel will crash or nothing happens */ cleanup: timer_start_delete_race__destroy(skel); }
Information contained on this website is for historical information purposes only and does not indicate or represent copyright ownership.
Created with Cregit http://github.com/cregit/cregit
Version 2.0-RC1