Skip to content

Commit b6ff639

Browse files
yonghong-songdavem330
yonghong-song
authored and
davem330
committed
bpf: fix and add test cases for ARG_CONST_SIZE_OR_ZERO semantics change
Fix a few test cases to allow non-NULL map/packet/stack pointer with size = 0. Change a few tests using bpf_probe_read to use bpf_probe_write_user so ARG_CONST_SIZE arg can still be properly tested. One existing test case already covers size = 0 with non-NULL packet pointer, so add additional tests so all cases of size = 0 and 0 <= size <= legal_upper_bound with non-NULL map/packet/stack pointer are covered. Signed-off-by: Yonghong Song <yhs@fb.com> Acked-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent 9c019e2 commit b6ff639

File tree

1 file changed

+112
-19
lines changed

1 file changed

+112
-19
lines changed

tools/testing/selftests/bpf/test_verifier.c

Lines changed: 112 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -3579,7 +3579,7 @@ static struct bpf_test tests[] = {
35793579
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
35803580
},
35813581
{
3582-
"helper access to packet: test19, cls helper fail range zero",
3582+
"helper access to packet: test19, cls helper range zero",
35833583
.insns = {
35843584
BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
35853585
offsetof(struct __sk_buff, data)),
@@ -3599,8 +3599,7 @@ static struct bpf_test tests[] = {
35993599
BPF_MOV64_IMM(BPF_REG_0, 0),
36003600
BPF_EXIT_INSN(),
36013601
},
3602-
.result = REJECT,
3603-
.errstr = "invalid access to packet",
3602+
.result = ACCEPT,
36043603
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
36053604
},
36063605
{
@@ -4379,10 +4378,10 @@ static struct bpf_test tests[] = {
43794378
BPF_LD_MAP_FD(BPF_REG_1, 0),
43804379
BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
43814380
BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4382-
BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4383-
BPF_MOV64_IMM(BPF_REG_2, 0),
4381+
BPF_MOV64_IMM(BPF_REG_1, 0),
4382+
BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
43844383
BPF_MOV64_IMM(BPF_REG_3, 0),
4385-
BPF_EMIT_CALL(BPF_FUNC_probe_read),
4384+
BPF_EMIT_CALL(BPF_FUNC_probe_write_user),
43864385
BPF_EXIT_INSN(),
43874386
},
43884387
.fixup_map2 = { 3 },
@@ -4486,9 +4485,10 @@ static struct bpf_test tests[] = {
44864485
BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
44874486
BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
44884487
offsetof(struct test_val, foo)),
4489-
BPF_MOV64_IMM(BPF_REG_2, 0),
4488+
BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
4489+
BPF_MOV64_IMM(BPF_REG_1, 0),
44904490
BPF_MOV64_IMM(BPF_REG_3, 0),
4491-
BPF_EMIT_CALL(BPF_FUNC_probe_read),
4491+
BPF_EMIT_CALL(BPF_FUNC_probe_write_user),
44924492
BPF_EXIT_INSN(),
44934493
},
44944494
.fixup_map2 = { 3 },
@@ -4622,13 +4622,14 @@ static struct bpf_test tests[] = {
46224622
BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
46234623
BPF_MOV64_IMM(BPF_REG_3, 0),
46244624
BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4625-
BPF_MOV64_IMM(BPF_REG_2, 0),
4625+
BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
4626+
BPF_MOV64_IMM(BPF_REG_1, 0),
46264627
BPF_MOV64_IMM(BPF_REG_3, 0),
4627-
BPF_EMIT_CALL(BPF_FUNC_probe_read),
4628+
BPF_EMIT_CALL(BPF_FUNC_probe_write_user),
46284629
BPF_EXIT_INSN(),
46294630
},
46304631
.fixup_map2 = { 3 },
4631-
.errstr = "R1 min value is outside of the array range",
4632+
.errstr = "R2 min value is outside of the array range",
46324633
.result = REJECT,
46334634
.prog_type = BPF_PROG_TYPE_TRACEPOINT,
46344635
},
@@ -4765,13 +4766,14 @@ static struct bpf_test tests[] = {
47654766
BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
47664767
offsetof(struct test_val, foo), 4),
47674768
BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4768-
BPF_MOV64_IMM(BPF_REG_2, 0),
4769+
BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
4770+
BPF_MOV64_IMM(BPF_REG_1, 0),
47694771
BPF_MOV64_IMM(BPF_REG_3, 0),
4770-
BPF_EMIT_CALL(BPF_FUNC_probe_read),
4772+
BPF_EMIT_CALL(BPF_FUNC_probe_write_user),
47714773
BPF_EXIT_INSN(),
47724774
},
47734775
.fixup_map2 = { 3 },
4774-
.errstr = "R1 min value is outside of the array range",
4776+
.errstr = "R2 min value is outside of the array range",
47754777
.result = REJECT,
47764778
.prog_type = BPF_PROG_TYPE_TRACEPOINT,
47774779
},
@@ -5350,7 +5352,7 @@ static struct bpf_test tests[] = {
53505352
BPF_EMIT_CALL(BPF_FUNC_probe_read),
53515353
BPF_EXIT_INSN(),
53525354
},
5353-
.errstr = "invalid stack type R1 off=-64 access_size=0",
5355+
.errstr = "invalid indirect read from stack off -64+0 size 64",
53545356
.result = REJECT,
53555357
.prog_type = BPF_PROG_TYPE_TRACEPOINT,
53565358
},
@@ -5505,7 +5507,7 @@ static struct bpf_test tests[] = {
55055507
BPF_MOV64_IMM(BPF_REG_0, 0),
55065508
BPF_EXIT_INSN(),
55075509
},
5508-
.errstr = "invalid stack type R1 off=-64 access_size=0",
5510+
.errstr = "invalid indirect read from stack off -64+0 size 64",
55095511
.result = REJECT,
55105512
.prog_type = BPF_PROG_TYPE_TRACEPOINT,
55115513
},
@@ -5668,7 +5670,7 @@ static struct bpf_test tests[] = {
56685670
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
56695671
},
56705672
{
5671-
"helper access to variable memory: size = 0 not allowed on != NULL",
5673+
"helper access to variable memory: size = 0 allowed on != NULL stack pointer",
56725674
.insns = {
56735675
BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
56745676
BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
@@ -5681,8 +5683,99 @@ static struct bpf_test tests[] = {
56815683
BPF_EMIT_CALL(BPF_FUNC_csum_diff),
56825684
BPF_EXIT_INSN(),
56835685
},
5684-
.errstr = "invalid stack type R1 off=-8 access_size=0",
5685-
.result = REJECT,
5686+
.result = ACCEPT,
5687+
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
5688+
},
5689+
{
5690+
"helper access to variable memory: size = 0 allowed on != NULL map pointer",
5691+
.insns = {
5692+
BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5693+
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5694+
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5695+
BPF_LD_MAP_FD(BPF_REG_1, 0),
5696+
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5697+
BPF_FUNC_map_lookup_elem),
5698+
BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5699+
BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5700+
BPF_MOV64_IMM(BPF_REG_2, 0),
5701+
BPF_MOV64_IMM(BPF_REG_3, 0),
5702+
BPF_MOV64_IMM(BPF_REG_4, 0),
5703+
BPF_MOV64_IMM(BPF_REG_5, 0),
5704+
BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5705+
BPF_EXIT_INSN(),
5706+
},
5707+
.fixup_map1 = { 3 },
5708+
.result = ACCEPT,
5709+
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
5710+
},
5711+
{
5712+
"helper access to variable memory: size possible = 0 allowed on != NULL stack pointer",
5713+
.insns = {
5714+
BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5715+
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5716+
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5717+
BPF_LD_MAP_FD(BPF_REG_1, 0),
5718+
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5719+
BPF_FUNC_map_lookup_elem),
5720+
BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
5721+
BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5722+
BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7),
5723+
BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5724+
BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
5725+
BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
5726+
BPF_MOV64_IMM(BPF_REG_3, 0),
5727+
BPF_MOV64_IMM(BPF_REG_4, 0),
5728+
BPF_MOV64_IMM(BPF_REG_5, 0),
5729+
BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5730+
BPF_EXIT_INSN(),
5731+
},
5732+
.fixup_map1 = { 3 },
5733+
.result = ACCEPT,
5734+
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
5735+
},
5736+
{
5737+
"helper access to variable memory: size possible = 0 allowed on != NULL map pointer",
5738+
.insns = {
5739+
BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5740+
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5741+
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5742+
BPF_LD_MAP_FD(BPF_REG_1, 0),
5743+
BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5744+
BPF_FUNC_map_lookup_elem),
5745+
BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5746+
BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5747+
BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5748+
BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
5749+
BPF_MOV64_IMM(BPF_REG_3, 0),
5750+
BPF_MOV64_IMM(BPF_REG_4, 0),
5751+
BPF_MOV64_IMM(BPF_REG_5, 0),
5752+
BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5753+
BPF_EXIT_INSN(),
5754+
},
5755+
.fixup_map1 = { 3 },
5756+
.result = ACCEPT,
5757+
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
5758+
},
5759+
{
5760+
"helper access to variable memory: size possible = 0 allowed on != NULL packet pointer",
5761+
.insns = {
5762+
BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5763+
offsetof(struct __sk_buff, data)),
5764+
BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5765+
offsetof(struct __sk_buff, data_end)),
5766+
BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),
5767+
BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5768+
BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
5769+
BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
5770+
BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0),
5771+
BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
5772+
BPF_MOV64_IMM(BPF_REG_3, 0),
5773+
BPF_MOV64_IMM(BPF_REG_4, 0),
5774+
BPF_MOV64_IMM(BPF_REG_5, 0),
5775+
BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5776+
BPF_EXIT_INSN(),
5777+
},
5778+
.result = ACCEPT,
56865779
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
56875780
},
56885781
{

0 commit comments

Comments
 (0)