[bpf-next,v1,5/8] selftests/bpf: Add dynptr pruning tests

Message ID	20230101083403.332783-6-memxor@gmail.com (mailing list archive)
State	Changes Requested
Delegated to:	BPF
Headers	show Return-Path: <bpf-owner@vger.kernel.org> From: Kumar Kartikeya Dwivedi <memxor@gmail.com> To: bpf@vger.kernel.org Cc: Alexei Starovoitov <ast@kernel.org>, Andrii Nakryiko <andrii@kernel.org>, Daniel Borkmann <daniel@iogearbox.net>, Martin KaFai Lau <martin.lau@kernel.org>, Joanne Koong <joannelkoong@gmail.com>, David Vernet <void@manifault.com>, Eduard Zingerman <eddyz87@gmail.com> Subject: [PATCH bpf-next v1 5/8] selftests/bpf: Add dynptr pruning tests Date: Sun, 1 Jan 2023 14:03:59 +0530 Message-Id: <20230101083403.332783-6-memxor@gmail.com> In-Reply-To: <20230101083403.332783-1-memxor@gmail.com> References: <20230101083403.332783-1-memxor@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	Dynptr fixes \| expand [bpf-next,v1,0/8] Dynptr fixes [bpf-next,v1,1/8] bpf: Fix state pruning for STACK_DYNPTR stack slots [bpf-next,v1,2/8] bpf: Fix missing var_off check for ARG_PTR_TO_DYNPTR [bpf-next,v1,3/8] bpf: Fix partial dynptr stack slot reads/writes [bpf-next,v1,4/8] bpf: Allow reinitializing unreferenced dynptr stack slots [bpf-next,v1,5/8] selftests/bpf: Add dynptr pruning tests [bpf-next,v1,6/8] selftests/bpf: Add dynptr var_off tests [bpf-next,v1,7/8] selftests/bpf: Add dynptr partial slot overwrite tests [bpf-next,v1,8/8] selftests/bpf: Add dynptr helper tests

Message ID

20230101083403.332783-6-memxor@gmail.com (mailing list archive)

State

Changes Requested

Delegated to:

BPF

Headers

From: Kumar Kartikeya Dwivedi <memxor@gmail.com>
To: bpf@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>,
        Andrii Nakryiko <andrii@kernel.org>,
        Daniel Borkmann <daniel@iogearbox.net>,
        Martin KaFai Lau <martin.lau@kernel.org>,
        Joanne Koong <joannelkoong@gmail.com>,
        David Vernet <void@manifault.com>,
        Eduard Zingerman <eddyz87@gmail.com>
Subject: [PATCH bpf-next v1 5/8] selftests/bpf: Add dynptr pruning tests
Date: Sun,  1 Jan 2023 14:03:59 +0530
Message-Id: <20230101083403.332783-6-memxor@gmail.com>
In-Reply-To: <20230101083403.332783-1-memxor@gmail.com>
References: <20230101083403.332783-1-memxor@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

Dynptr fixes | expand

Context	Check	Description
bpf/vmtest-bpf-next-PR	success	PR summary
bpf/vmtest-bpf-next-VM_Test-1	success	Logs for ShellCheck
bpf/vmtest-bpf-next-VM_Test-2	success	Logs for build for aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-5	success	Logs for build for x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-7	success	Logs for llvm-toolchain
bpf/vmtest-bpf-next-VM_Test-8	success	Logs for set-matrix
bpf/vmtest-bpf-next-VM_Test-3	success	Logs for build for aarch64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-6	success	Logs for build for x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-4	success	Logs for build for s390x with gcc
bpf/vmtest-bpf-next-VM_Test-9	success	Logs for test_maps on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-10	success	Logs for test_maps on aarch64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-12	success	Logs for test_maps on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-13	success	Logs for test_maps on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-14	fail	Logs for test_progs on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-15	success	Logs for test_progs on aarch64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-17	success	Logs for test_progs on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-18	success	Logs for test_progs on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-19	fail	Logs for test_progs_no_alu32 on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-20	success	Logs for test_progs_no_alu32 on aarch64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-22	success	Logs for test_progs_no_alu32 on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-23	success	Logs for test_progs_no_alu32 on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-24	success	Logs for test_progs_no_alu32_parallel on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-25	success	Logs for test_progs_no_alu32_parallel on aarch64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-27	success	Logs for test_progs_no_alu32_parallel on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-28	success	Logs for test_progs_no_alu32_parallel on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-29	success	Logs for test_progs_parallel on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-30	success	Logs for test_progs_parallel on aarch64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-32	success	Logs for test_progs_parallel on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-33	success	Logs for test_progs_parallel on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-34	success	Logs for test_verifier on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-35	success	Logs for test_verifier on aarch64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-36	success	Logs for test_verifier on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-37	success	Logs for test_verifier on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-38	success	Logs for test_verifier on x86_64 with llvm-16
bpf/vmtest-bpf-next-VM_Test-21	success	Logs for test_progs_no_alu32 on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-26	success	Logs for test_progs_no_alu32_parallel on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-31	success	Logs for test_progs_parallel on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-16	success	Logs for test_progs on s390x with gcc
netdev/tree_selection	success	Clearly marked for bpf-next
netdev/fixes_present	success	Fixes tag not required for -next series
netdev/subject_prefix	success	Link
netdev/cover_letter	success	Series has a cover letter
netdev/patch_count	success	Link
netdev/header_inline	success	No static functions without inline keyword in header files
netdev/build_32bit	success	Errors and warnings before: 0 this patch: 0
netdev/cc_maintainers	warning	11 maintainers not CCed: linux-kselftest@vger.kernel.org kpsingh@kernel.org haoluo@google.com song@kernel.org yhs@fb.com martin.lau@linux.dev sdf@google.com john.fastabend@gmail.com shuah@kernel.org jolsa@kernel.org mykolal@fb.com
netdev/build_clang	success	Errors and warnings before: 0 this patch: 0
netdev/module_param	success	Was 0 now: 0
netdev/verify_signedoff	success	Signed-off-by tag matches author and committer
netdev/check_selftest	success	No net selftest shell script
netdev/verify_fixes	success	No Fixes tag
netdev/build_allmodconfig_warn	success	Errors and warnings before: 0 this patch: 0
netdev/checkpatch	fail	ERROR: code indent should use tabs where possible WARNING: Missing or malformed SPDX-License-Identifier tag in line 1 WARNING: added, moved or deleted file(s), does MAINTAINERS need updating? WARNING: line length of 82 exceeds 80 columns WARNING: line length of 83 exceeds 80 columns WARNING: line length of 85 exceeds 80 columns WARNING: please, no spaces at the start of a line
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/source_inline	success	Was 0 now: 0
bpf/vmtest-bpf-next-VM_Test-11	success	Logs for test_maps on s390x with gcc

Context

Check

Description

bpf/vmtest-bpf-next-PR

success

PR summary

bpf/vmtest-bpf-next-VM_Test-1

success

Logs for ShellCheck

bpf/vmtest-bpf-next-VM_Test-2

success

Logs for build for aarch64 with gcc

bpf/vmtest-bpf-next-VM_Test-5

success

Logs for build for x86_64 with gcc

bpf/vmtest-bpf-next-VM_Test-7

success

Logs for llvm-toolchain

bpf/vmtest-bpf-next-VM_Test-8

success

Logs for set-matrix

bpf/vmtest-bpf-next-VM_Test-3

success

Logs for build for aarch64 with llvm-16

bpf/vmtest-bpf-next-VM_Test-6

success

Logs for build for x86_64 with llvm-16

bpf/vmtest-bpf-next-VM_Test-4

success

Logs for build for s390x with gcc

bpf/vmtest-bpf-next-VM_Test-9

success

Logs for test_maps on aarch64 with gcc

bpf/vmtest-bpf-next-VM_Test-10

success

Logs for test_maps on aarch64 with llvm-16

bpf/vmtest-bpf-next-VM_Test-12

success

Logs for test_maps on x86_64 with gcc

bpf/vmtest-bpf-next-VM_Test-13

success

Logs for test_maps on x86_64 with llvm-16

bpf/vmtest-bpf-next-VM_Test-14

fail

Logs for test_progs on aarch64 with gcc

bpf/vmtest-bpf-next-VM_Test-15

success

Logs for test_progs on aarch64 with llvm-16

bpf/vmtest-bpf-next-VM_Test-17

success

Logs for test_progs on x86_64 with gcc

bpf/vmtest-bpf-next-VM_Test-18

success

Logs for test_progs on x86_64 with llvm-16

bpf/vmtest-bpf-next-VM_Test-19

fail

Logs for test_progs_no_alu32 on aarch64 with gcc

bpf/vmtest-bpf-next-VM_Test-20

success

Logs for test_progs_no_alu32 on aarch64 with llvm-16

bpf/vmtest-bpf-next-VM_Test-22

success

Logs for test_progs_no_alu32 on x86_64 with gcc

bpf/vmtest-bpf-next-VM_Test-23

success

Logs for test_progs_no_alu32 on x86_64 with llvm-16

bpf/vmtest-bpf-next-VM_Test-24

success

Logs for test_progs_no_alu32_parallel on aarch64 with gcc

bpf/vmtest-bpf-next-VM_Test-25

success

Logs for test_progs_no_alu32_parallel on aarch64 with llvm-16

bpf/vmtest-bpf-next-VM_Test-27

success

Logs for test_progs_no_alu32_parallel on x86_64 with gcc

bpf/vmtest-bpf-next-VM_Test-28

success

Logs for test_progs_no_alu32_parallel on x86_64 with llvm-16

bpf/vmtest-bpf-next-VM_Test-29

success

Logs for test_progs_parallel on aarch64 with gcc

bpf/vmtest-bpf-next-VM_Test-30

success

Logs for test_progs_parallel on aarch64 with llvm-16

bpf/vmtest-bpf-next-VM_Test-32

success

Logs for test_progs_parallel on x86_64 with gcc

bpf/vmtest-bpf-next-VM_Test-33

success

Logs for test_progs_parallel on x86_64 with llvm-16

bpf/vmtest-bpf-next-VM_Test-34

success

Logs for test_verifier on aarch64 with gcc

bpf/vmtest-bpf-next-VM_Test-35

success

Logs for test_verifier on aarch64 with llvm-16

bpf/vmtest-bpf-next-VM_Test-36

success

Logs for test_verifier on s390x with gcc

bpf/vmtest-bpf-next-VM_Test-37

success

Logs for test_verifier on x86_64 with gcc

bpf/vmtest-bpf-next-VM_Test-38

success

Logs for test_verifier on x86_64 with llvm-16

bpf/vmtest-bpf-next-VM_Test-21

success

Logs for test_progs_no_alu32 on s390x with gcc

bpf/vmtest-bpf-next-VM_Test-26

success

Logs for test_progs_no_alu32_parallel on s390x with gcc

bpf/vmtest-bpf-next-VM_Test-31

success

Logs for test_progs_parallel on s390x with gcc

bpf/vmtest-bpf-next-VM_Test-16

success

Logs for test_progs on s390x with gcc

netdev/tree_selection

success

Clearly marked for bpf-next

netdev/fixes_present

success

Fixes tag not required for -next series

netdev/subject_prefix

success

Link

netdev/cover_letter

success

Series has a cover letter

netdev/patch_count

success

Link

netdev/header_inline

success

No static functions without inline keyword in header files

netdev/build_32bit

success

Errors and warnings before: 0 this patch: 0

netdev/cc_maintainers

warning

11 maintainers not CCed: linux-kselftest@vger.kernel.org kpsingh@kernel.org haoluo@google.com song@kernel.org yhs@fb.com martin.lau@linux.dev sdf@google.com john.fastabend@gmail.com shuah@kernel.org jolsa@kernel.org mykolal@fb.com

netdev/build_clang

success

Errors and warnings before: 0 this patch: 0

netdev/module_param

success

Was 0 now: 0

netdev/verify_signedoff

success

Signed-off-by tag matches author and committer

netdev/check_selftest

success

No net selftest shell script

netdev/verify_fixes

success

No Fixes tag

netdev/build_allmodconfig_warn

success

Errors and warnings before: 0 this patch: 0

netdev/checkpatch

fail

ERROR: code indent should use tabs where possible WARNING: Missing or malformed SPDX-License-Identifier tag in line 1 WARNING: added, moved or deleted file(s), does MAINTAINERS need updating? WARNING: line length of 82 exceeds 80 columns WARNING: line length of 83 exceeds 80 columns WARNING: line length of 85 exceeds 80 columns WARNING: please, no spaces at the start of a line

netdev/kdoc

success

Errors and warnings before: 0 this patch: 0

netdev/source_inline

success

Was 0 now: 0

bpf/vmtest-bpf-next-VM_Test-11

success

Logs for test_maps on s390x with gcc

Commit Message

Kumar Kartikeya Dwivedi Jan. 1, 2023, 8:33 a.m. UTC

Add verifier tests that verify the new pruning behavior for STACK_DYNPTR
slots, and ensure that state equivalence takes into account changes to
the old and current verifier state correctly.

Without the prior fixes, both of these bugs trigger with unprivileged
BPF mode.

Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
---
 tools/testing/selftests/bpf/verifier/dynptr.c | 90 +++++++++++++++++++
 1 file changed, 90 insertions(+)
 create mode 100644 tools/testing/selftests/bpf/verifier/dynptr.c

Comments

Andrii Nakryiko Jan. 4, 2023, 10:49 p.m. UTC | #1

On Sun, Jan 1, 2023 at 12:34 AM Kumar Kartikeya Dwivedi
<memxor@gmail.com> wrote:
>
> Add verifier tests that verify the new pruning behavior for STACK_DYNPTR
> slots, and ensure that state equivalence takes into account changes to
> the old and current verifier state correctly.
>
> Without the prior fixes, both of these bugs trigger with unprivileged
> BPF mode.
>
> Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
> ---
>  tools/testing/selftests/bpf/verifier/dynptr.c | 90 +++++++++++++++++++
>  1 file changed, 90 insertions(+)
>  create mode 100644 tools/testing/selftests/bpf/verifier/dynptr.c
>
> diff --git a/tools/testing/selftests/bpf/verifier/dynptr.c b/tools/testing/selftests/bpf/verifier/dynptr.c
> new file mode 100644
> index 000000000000..798f4f7e0c57
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/verifier/dynptr.c
> @@ -0,0 +1,90 @@
> +{
> +       "dynptr: rewrite dynptr slot",
> +        .insns = {
> +        BPF_MOV64_IMM(BPF_REG_0, 0),
> +        BPF_LD_MAP_FD(BPF_REG_6, 0),
> +        BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
> +        BPF_MOV64_IMM(BPF_REG_2, 8),
> +        BPF_MOV64_IMM(BPF_REG_3, 0),
> +        BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
> +        BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -16),
> +        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_reserve_dynptr),
> +        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
> +        BPF_JMP_IMM(BPF_JA, 0, 0, 1),
> +        BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0xeB9F),
> +        BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
> +        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -16),
> +        BPF_MOV64_IMM(BPF_REG_2, 0),
> +        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_discard_dynptr),
> +        BPF_MOV64_IMM(BPF_REG_0, 0),
> +        BPF_EXIT_INSN(),
> +        },
> +       .fixup_map_ringbuf = { 1 },
> +       .result_unpriv = REJECT,
> +       .errstr_unpriv = "unknown func bpf_ringbuf_reserve_dynptr#198",
> +       .result = REJECT,
> +       .errstr = "arg 1 is an unacquired reference",
> +},
> +{
> +       "dynptr: type confusion",
> +       .insns = {
> +       BPF_MOV64_IMM(BPF_REG_0, 0),
> +       BPF_LD_MAP_FD(BPF_REG_6, 0),
> +       BPF_LD_MAP_FD(BPF_REG_7, 0),
> +       BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
> +       BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
> +       BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
> +       BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
> +       BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
> +       BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -24),
> +       BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0xeB9FeB9F),
> +       BPF_ST_MEM(BPF_DW, BPF_REG_10, -24, 0xeB9FeB9F),
> +       BPF_MOV64_IMM(BPF_REG_4, 0),
> +       BPF_MOV64_REG(BPF_REG_8, BPF_REG_2),
> +       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_update_elem),
> +       BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
> +       BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
> +       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
> +       BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
> +       BPF_EXIT_INSN(),
> +       BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
> +       BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
> +       BPF_MOV64_IMM(BPF_REG_2, 8),
> +       BPF_MOV64_IMM(BPF_REG_3, 0),
> +       BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
> +       BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -16),
> +       BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
> +       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_reserve_dynptr),
> +       BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
> +       /* pad with insns to trigger add_new_state heuristic for straight line path */
> +       BPF_MOV64_REG(BPF_REG_8, BPF_REG_8),
> +       BPF_MOV64_REG(BPF_REG_8, BPF_REG_8),
> +       BPF_MOV64_REG(BPF_REG_8, BPF_REG_8),
> +       BPF_MOV64_REG(BPF_REG_8, BPF_REG_8),
> +       BPF_MOV64_REG(BPF_REG_8, BPF_REG_8),
> +       BPF_MOV64_REG(BPF_REG_8, BPF_REG_8),
> +       BPF_MOV64_REG(BPF_REG_8, BPF_REG_8),
> +       BPF_JMP_IMM(BPF_JA, 0, 0, 9),
> +       BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
> +       BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
> +       BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
> +       BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
> +       BPF_MOV64_IMM(BPF_REG_2, 0),
> +       BPF_MOV64_IMM(BPF_REG_3, 0),
> +       BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
> +       BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -16),
> +       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_dynptr_from_mem),
> +       BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
> +       BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -16),
> +       BPF_MOV64_IMM(BPF_REG_2, 0),
> +       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_discard_dynptr),
> +       BPF_MOV64_IMM(BPF_REG_0, 0),
> +       BPF_EXIT_INSN(),
> +       },
> +       .fixup_map_hash_16b = { 1 },
> +       .fixup_map_ringbuf = { 3 },
> +       .result_unpriv = REJECT,
> +       .errstr_unpriv = "unknown func bpf_ringbuf_reserve_dynptr#198",
> +       .result = REJECT,
> +       .errstr = "arg 1 is an unacquired reference",
> +},

have you tried to write these tests as embedded assembly in .bpf.c,
using __attribute__((naked)) and __failure and __msg("")
infrastructure? Eduard is working towards converting test_verifier's
test to this __naked + embed asm approach, so we might want to start
adding new tests in such form anyways? And they will be way more
readable. Defining and passing ringbuf map in C is also much more
obvious and easy.

> --
> 2.39.0
>

Kumar Kartikeya Dwivedi Jan. 9, 2023, 11:44 a.m. UTC | #2

On Thu, Jan 05, 2023 at 04:19:30AM IST, Andrii Nakryiko wrote:
> On Sun, Jan 1, 2023 at 12:34 AM Kumar Kartikeya Dwivedi
> <memxor@gmail.com> wrote:
> >
> > Add verifier tests that verify the new pruning behavior for STACK_DYNPTR
> > slots, and ensure that state equivalence takes into account changes to
> > the old and current verifier state correctly.
> >
> > Without the prior fixes, both of these bugs trigger with unprivileged
> > BPF mode.
> >
> > Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
> > ---
> >  tools/testing/selftests/bpf/verifier/dynptr.c | 90 +++++++++++++++++++
> >  1 file changed, 90 insertions(+)
> >  create mode 100644 tools/testing/selftests/bpf/verifier/dynptr.c
> >
> > diff --git a/tools/testing/selftests/bpf/verifier/dynptr.c b/tools/testing/selftests/bpf/verifier/dynptr.c
> > new file mode 100644
> > index 000000000000..798f4f7e0c57
> > --- /dev/null
> > +++ b/tools/testing/selftests/bpf/verifier/dynptr.c
> > @@ -0,0 +1,90 @@
> > +{
> > +       "dynptr: rewrite dynptr slot",
> > +        .insns = {
> > +        BPF_MOV64_IMM(BPF_REG_0, 0),
> > +        BPF_LD_MAP_FD(BPF_REG_6, 0),
> > +        BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
> > +        BPF_MOV64_IMM(BPF_REG_2, 8),
> > +        BPF_MOV64_IMM(BPF_REG_3, 0),
> > +        BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
> > +        BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -16),
> > +        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_reserve_dynptr),
> > +        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
> > +        BPF_JMP_IMM(BPF_JA, 0, 0, 1),
> > +        BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0xeB9F),
> > +        BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
> > +        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -16),
> > +        BPF_MOV64_IMM(BPF_REG_2, 0),
> > +        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_discard_dynptr),
> > +        BPF_MOV64_IMM(BPF_REG_0, 0),
> > +        BPF_EXIT_INSN(),
> > +        },
> > +       .fixup_map_ringbuf = { 1 },
> > +       .result_unpriv = REJECT,
> > +       .errstr_unpriv = "unknown func bpf_ringbuf_reserve_dynptr#198",
> > +       .result = REJECT,
> > +       .errstr = "arg 1 is an unacquired reference",
> > +},
> > +{
> > +       "dynptr: type confusion",
> > +       .insns = {
> > +       BPF_MOV64_IMM(BPF_REG_0, 0),
> > +       BPF_LD_MAP_FD(BPF_REG_6, 0),
> > +       BPF_LD_MAP_FD(BPF_REG_7, 0),
> > +       BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
> > +       BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
> > +       BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
> > +       BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
> > +       BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
> > +       BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -24),
> > +       BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0xeB9FeB9F),
> > +       BPF_ST_MEM(BPF_DW, BPF_REG_10, -24, 0xeB9FeB9F),
> > +       BPF_MOV64_IMM(BPF_REG_4, 0),
> > +       BPF_MOV64_REG(BPF_REG_8, BPF_REG_2),
> > +       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_update_elem),
> > +       BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
> > +       BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
> > +       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
> > +       BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
> > +       BPF_EXIT_INSN(),
> > +       BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
> > +       BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
> > +       BPF_MOV64_IMM(BPF_REG_2, 8),
> > +       BPF_MOV64_IMM(BPF_REG_3, 0),
> > +       BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
> > +       BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -16),
> > +       BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
> > +       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_reserve_dynptr),
> > +       BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
> > +       /* pad with insns to trigger add_new_state heuristic for straight line path */
> > +       BPF_MOV64_REG(BPF_REG_8, BPF_REG_8),
> > +       BPF_MOV64_REG(BPF_REG_8, BPF_REG_8),
> > +       BPF_MOV64_REG(BPF_REG_8, BPF_REG_8),
> > +       BPF_MOV64_REG(BPF_REG_8, BPF_REG_8),
> > +       BPF_MOV64_REG(BPF_REG_8, BPF_REG_8),
> > +       BPF_MOV64_REG(BPF_REG_8, BPF_REG_8),
> > +       BPF_MOV64_REG(BPF_REG_8, BPF_REG_8),
> > +       BPF_JMP_IMM(BPF_JA, 0, 0, 9),
> > +       BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
> > +       BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
> > +       BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
> > +       BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
> > +       BPF_MOV64_IMM(BPF_REG_2, 0),
> > +       BPF_MOV64_IMM(BPF_REG_3, 0),
> > +       BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
> > +       BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -16),
> > +       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_dynptr_from_mem),
> > +       BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
> > +       BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -16),
> > +       BPF_MOV64_IMM(BPF_REG_2, 0),
> > +       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_discard_dynptr),
> > +       BPF_MOV64_IMM(BPF_REG_0, 0),
> > +       BPF_EXIT_INSN(),
> > +       },
> > +       .fixup_map_hash_16b = { 1 },
> > +       .fixup_map_ringbuf = { 3 },
> > +       .result_unpriv = REJECT,
> > +       .errstr_unpriv = "unknown func bpf_ringbuf_reserve_dynptr#198",
> > +       .result = REJECT,
> > +       .errstr = "arg 1 is an unacquired reference",
> > +},
>
> have you tried to write these tests as embedded assembly in .bpf.c,
> using __attribute__((naked)) and __failure and __msg("")
> infrastructure? Eduard is working towards converting test_verifier's
> test to this __naked + embed asm approach, so we might want to start
> adding new tests in such form anyways? And they will be way more
> readable. Defining and passing ringbuf map in C is also much more
> obvious and easy.
>

I have been away for a while and missed that discussion, I just saw it. I'll try
writing the tests like that. It does look much better. Thanks for the suggestion!

> > --
> > 2.39.0
> >

diff --git a/tools/testing/selftests/bpf/verifier/dynptr.c b/tools/testing/selftests/bpf/verifier/dynptr.c
new file mode 100644
index 000000000000..798f4f7e0c57
--- /dev/null
+++ b/tools/testing/selftests/bpf/verifier/dynptr.c
@@ -0,0 +1,90 @@ 
+{
+       "dynptr: rewrite dynptr slot",
+        .insns = {
+        BPF_MOV64_IMM(BPF_REG_0, 0),
+        BPF_LD_MAP_FD(BPF_REG_6, 0),
+        BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
+        BPF_MOV64_IMM(BPF_REG_2, 8),
+        BPF_MOV64_IMM(BPF_REG_3, 0),
+        BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
+        BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -16),
+        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_reserve_dynptr),
+        BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
+        BPF_JMP_IMM(BPF_JA, 0, 0, 1),
+        BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0xeB9F),
+        BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -16),
+        BPF_MOV64_IMM(BPF_REG_2, 0),
+        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_discard_dynptr),
+        BPF_MOV64_IMM(BPF_REG_0, 0),
+        BPF_EXIT_INSN(),
+        },
+	.fixup_map_ringbuf = { 1 },
+	.result_unpriv = REJECT,
+	.errstr_unpriv = "unknown func bpf_ringbuf_reserve_dynptr#198",
+	.result = REJECT,
+	.errstr = "arg 1 is an unacquired reference",
+},
+{
+       "dynptr: type confusion",
+       .insns = {
+       BPF_MOV64_IMM(BPF_REG_0, 0),
+       BPF_LD_MAP_FD(BPF_REG_6, 0),
+       BPF_LD_MAP_FD(BPF_REG_7, 0),
+       BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
+       BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+       BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+       BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
+       BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
+       BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -24),
+       BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0xeB9FeB9F),
+       BPF_ST_MEM(BPF_DW, BPF_REG_10, -24, 0xeB9FeB9F),
+       BPF_MOV64_IMM(BPF_REG_4, 0),
+       BPF_MOV64_REG(BPF_REG_8, BPF_REG_2),
+       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_update_elem),
+       BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
+       BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
+       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
+       BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
+       BPF_EXIT_INSN(),
+       BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
+       BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
+       BPF_MOV64_IMM(BPF_REG_2, 8),
+       BPF_MOV64_IMM(BPF_REG_3, 0),
+       BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
+       BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -16),
+       BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
+       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_reserve_dynptr),
+       BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
+       /* pad with insns to trigger add_new_state heuristic for straight line path */
+       BPF_MOV64_REG(BPF_REG_8, BPF_REG_8),
+       BPF_MOV64_REG(BPF_REG_8, BPF_REG_8),
+       BPF_MOV64_REG(BPF_REG_8, BPF_REG_8),
+       BPF_MOV64_REG(BPF_REG_8, BPF_REG_8),
+       BPF_MOV64_REG(BPF_REG_8, BPF_REG_8),
+       BPF_MOV64_REG(BPF_REG_8, BPF_REG_8),
+       BPF_MOV64_REG(BPF_REG_8, BPF_REG_8),
+       BPF_JMP_IMM(BPF_JA, 0, 0, 9),
+       BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+       BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
+       BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
+       BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+       BPF_MOV64_IMM(BPF_REG_2, 0),
+       BPF_MOV64_IMM(BPF_REG_3, 0),
+       BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
+       BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -16),
+       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_dynptr_from_mem),
+       BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
+       BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -16),
+       BPF_MOV64_IMM(BPF_REG_2, 0),
+       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_discard_dynptr),
+       BPF_MOV64_IMM(BPF_REG_0, 0),
+       BPF_EXIT_INSN(),
+       },
+       .fixup_map_hash_16b = { 1 },
+       .fixup_map_ringbuf = { 3 },
+       .result_unpriv = REJECT,
+       .errstr_unpriv = "unknown func bpf_ringbuf_reserve_dynptr#198",
+       .result = REJECT,
+       .errstr = "arg 1 is an unacquired reference",
+},

[bpf-next,v1,5/8] selftests/bpf: Add dynptr pruning tests

Checks

Commit Message

Comments

Patch