timer_crash.c (1213B)
1// SPDX-License-Identifier: GPL-2.0 2 3#include <vmlinux.h> 4#include <bpf/bpf_tracing.h> 5#include <bpf/bpf_helpers.h> 6 7struct map_elem { 8 struct bpf_timer timer; 9 struct bpf_spin_lock lock; 10}; 11 12struct { 13 __uint(type, BPF_MAP_TYPE_ARRAY); 14 __uint(max_entries, 1); 15 __type(key, int); 16 __type(value, struct map_elem); 17} amap SEC(".maps"); 18 19struct { 20 __uint(type, BPF_MAP_TYPE_HASH); 21 __uint(max_entries, 1); 22 __type(key, int); 23 __type(value, struct map_elem); 24} hmap SEC(".maps"); 25 26int pid = 0; 27int crash_map = 0; /* 0 for amap, 1 for hmap */ 28 29SEC("fentry/do_nanosleep") 30int sys_enter(void *ctx) 31{ 32 struct map_elem *e, value = {}; 33 void *map = crash_map ? (void *)&hmap : (void *)&amap; 34 35 if (bpf_get_current_task_btf()->tgid != pid) 36 return 0; 37 38 *(void **)&value = (void *)0xdeadcaf3; 39 40 bpf_map_update_elem(map, &(int){0}, &value, 0); 41 /* For array map, doing bpf_map_update_elem will do a 42 * check_and_free_timer_in_array, which will trigger the crash if timer 43 * pointer was overwritten, for hmap we need to use bpf_timer_cancel. 44 */ 45 if (crash_map == 1) { 46 e = bpf_map_lookup_elem(map, &(int){0}); 47 if (!e) 48 return 0; 49 bpf_timer_cancel(&e->timer); 50 } 51 return 0; 52} 53 54char _license[] SEC("license") = "GPL";