
Commit 116e30b

kkdwivediNobody
authored andcommitted
selftests/bpf: Add tests for kfunc register offset checks
Include a few verifier selftests that test against the problems being fixed by previous commits, i.e. release kfunc always require PTR_TO_BTF_ID fixed and var_off to be 0, and negative offset is not permitted and returns a helpful error message. Signed-off-by: Kumar Kartikeya Dwivedi <[email protected]> Reported-by: kernel test robot <[email protected]>
1 parent 5fe2f33 commit 116e30b


2 files changed

+93
-0
lines changed


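--- a/net/bpf/test_run.c
+++ b/net/bpf/test_run.c
@@ -270,9 +270,14 @@ struct sock * noinline bpf_kfunc_call_test3(struct sock *sk)
 return sk;
 }
 
+struct prog_test_member {
+unsigned long c;
+};
+
 struct prog_test_ref_kfunc {
 int a;
 int b;
+struct prog_test_member memb;
 struct prog_test_ref_kfunc *next;
 };
 
@@ -295,6 +300,10 @@ noinline void bpf_kfunc_call_test_release(struct prog_test_ref_kfunc *p)
 {
 }
 
+noinline void bpf_kfunc_call_memb_release(struct prog_test_member *p)
+{
+}
+
 struct prog_test_pass1 {
 int x0;
 struct {
@@ -379,6 +388,7 @@ BTF_ID(func, bpf_kfunc_call_test2)
 BTF_ID(func, bpf_kfunc_call_test3)
 BTF_ID(func, bpf_kfunc_call_test_acquire)
 BTF_ID(func, bpf_kfunc_call_test_release)
+BTF_ID(func, bpf_kfunc_call_memb_release)
 BTF_ID(func, bpf_kfunc_call_test_pass_ctx)
 BTF_ID(func, bpf_kfunc_call_test_pass1)
 BTF_ID(func, bpf_kfunc_call_test_pass2)
@@ -396,6 +406,7 @@ BTF_SET_END(test_sk_acquire_kfunc_ids)
 
 BTF_SET_START(test_sk_release_kfunc_ids)
 BTF_ID(func, bpf_kfunc_call_test_release)
+BTF_ID(func, bpf_kfunc_call_memb_release)
 BTF_SET_END(test_sk_release_kfunc_ids)
 
 BTF_SET_START(test_sk_ret_null_kfunc_ids)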
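Review bot: `bpf_kfunc_call_memb_release` (second hunk) is registered in `test_sk_release_kfunc_ids` with an empty body and no comment explaining why a release kfunc for `struct prog_test_member` exists when nothing on this page acquires one. Judging from the commit message and the selftest, it seems to exist only so a program can pass the embedded `memb` pointer (a referenced `prog_test_ref_kfunc` at a non-zero offset) and be rejected by the verifier. I would add a comment above it along the lines of `/* Test-only release kfunc: only reachable via &ref->memb, which the verifier must reject; body stays empty on purpose. */` so that nobody later gives it a real body that would act on an interior pointer if the offset check ever regressed.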

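--- a/tools/testing/selftests/bpf/verifier/calls.c
+++ b/tools/testing/selftests/bpf/verifier/calls.c
@@ -115,6 +115,88 @@
 { "bpf_kfunc_call_test_release", 5 },
 },
 },
+{
+"calls: invalid kfunc call: reg->off must be zero when passed to release kfunc",
+.insns = {
+BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
+BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
+BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
+BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
+BPF_EXIT_INSN(),
+BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
+BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
+BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
+BPF_MOV64_IMM(BPF_REG_0, 0),
+BPF_EXIT_INSN(),
+},
+.prog_type = BPF_PROG_TYPE_SCHED_CLS,
+.result = REJECT,
+.errstr = "R1 with ref_obj_id=2 must have zero offset when passed to release kfunc",
+.fixup_kfunc_btf_id = {
+{ "bpf_kfunc_call_test_acquire", 3 },
+{ "bpf_kfunc_call_memb_release", 8 },
+},
+},
+{
+"calls: invalid kfunc call: PTR_TO_BTF_ID with negative offset",
+.insns = {
+BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
+BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
+BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
+BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
+BPF_EXIT_INSN(),
+BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
+BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -4),
+BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
+BPF_MOV64_IMM(BPF_REG_0, 0),
+BPF_EXIT_INSN(),
+},
+.prog_type = BPF_PROG_TYPE_SCHED_CLS,
+.fixup_kfunc_btf_id = {
+{ "bpf_kfunc_call_test_acquire", 3 },
+{ "bpf_kfunc_call_test_release", 8 },
+},
+.result_unpriv = REJECT,
+.result = REJECT,
+.errstr = "negative offset ptr_ ptr R1 off=-4 disallowed",
+},
+{
+"calls: invalid kfunc call: PTR_TO_BTF_ID with variable offset",
+.insns = {
+BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
+BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
+BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
+BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
+BPF_EXIT_INSN(),
+BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
+BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_0, 4),
+BPF_JMP_IMM(BPF_JLE, BPF_REG_2, 4, 3),
+BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
+BPF_MOV64_IMM(BPF_REG_0, 0),
+BPF_EXIT_INSN(),
+BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 3),
+BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
+BPF_MOV64_IMM(BPF_REG_0, 0),
+BPF_EXIT_INSN(),
+BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
+BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
+BPF_MOV64_IMM(BPF_REG_0, 0),
+BPF_EXIT_INSN(),
+},
+.prog_type = BPF_PROG_TYPE_SCHED_CLS,
+.fixup_kfunc_btf_id = {
+{ "bpf_kfunc_call_test_acquire", 3 },
+{ "bpf_kfunc_call_test_release", 9 },
+{ "bpf_kfunc_call_test_release", 13 },
+{ "bpf_kfunc_call_test_release", 17 },
+},
+.result_unpriv = REJECT,
+.result = REJECT,
+.errstr = "variable ptr_ access var_off=(0x0; 0x7) disallowed",
+},
 {
 "calls: basic sanity",
 .insns = {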
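Review bot: In the first new case the offset in `BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8)` is a bare constant that has to match where `memb` sits in `struct prog_test_ref_kfunc` (after `int a; int b;` in net/bpf/test_run.c), and the test does not say so. A trailing comment such as `/* 8 == offsetof(struct prog_test_ref_kfunc, memb) */` would tie the two files together; the same applies to the `4` in `BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_0, 4)` in the variable-offset case. That first case also omits `.result_unpriv = REJECT`, which the other two set, so the three should be made consistent one way or the other. The expected strings pin verifier state (`ref_obj_id=2`, `var_off=(0x0; 0x7)`); if the harness matches substrings, which I believe it does, matching only the stable part of each message would make these regression tests less brittle.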
