| // SPDX-License-Identifier: GPL-2.0 |
| |
| #include <vmlinux.h> |
| #include <bpf/bpf_tracing.h> |
| #include <bpf/bpf_helpers.h> |
| |
| struct map_elem { |
| struct bpf_timer timer; |
| struct bpf_spin_lock lock; |
| }; |
| |
| struct { |
| __uint(type, BPF_MAP_TYPE_ARRAY); |
| __uint(max_entries, 1); |
| __type(key, int); |
| __type(value, struct map_elem); |
| } amap SEC(".maps"); |
| |
| struct { |
| __uint(type, BPF_MAP_TYPE_HASH); |
| __uint(max_entries, 1); |
| __type(key, int); |
| __type(value, struct map_elem); |
| } hmap SEC(".maps"); |
| |
| int pid = 0; |
| int crash_map = 0; /* 0 for amap, 1 for hmap */ |
| |
| SEC("fentry/do_nanosleep") |
| int sys_enter(void *ctx) |
| { |
| struct map_elem *e, value = {}; |
| void *map = crash_map ? (void *)&hmap : (void *)&amap; |
| |
| if (bpf_get_current_task_btf()->tgid != pid) |
| return 0; |
| |
| *(void **)&value = (void *)0xdeadcaf3; |
| |
| bpf_map_update_elem(map, &(int){0}, &value, 0); |
| /* For array map, doing bpf_map_update_elem will do a |
| * check_and_free_timer_in_array, which will trigger the crash if timer |
| * pointer was overwritten, for hmap we need to use bpf_timer_cancel. |
| */ |
| if (crash_map == 1) { |
| e = bpf_map_lookup_elem(map, &(int){0}); |
| if (!e) |
| return 0; |
| bpf_timer_cancel(&e->timer); |
| } |
| return 0; |
| } |
| |
| char _license[] SEC("license") = "GPL"; |
