Message ID | 20221111202719.982118-3-memxor@gmail.com (mailing list archive) |
---|---|
State | Changes Requested |
Delegated to: | BPF |
Series | Fix map value pruning check | expand |
On 11/12, Kumar Kartikeya Dwivedi wrote: > Test that when reg->id is not same for the same register of type > PTR_TO_MAP_VALUE between current and old explored state, we currently > return false from regsafe and continue exploring. > Without the fix in prior commit, the test case fails. > Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com> Acked-by: Stanislav Fomichev <sdf@google.com> > --- > .../selftests/bpf/verifier/spin_lock.c | 39 +++++++++++++++++++ > 1 file changed, 39 insertions(+) > diff --git a/tools/testing/selftests/bpf/verifier/spin_lock.c > b/tools/testing/selftests/bpf/verifier/spin_lock.c > index 781621facae4..0a8dcfc37fc6 100644 > --- a/tools/testing/selftests/bpf/verifier/spin_lock.c > +++ b/tools/testing/selftests/bpf/verifier/spin_lock.c 
> @@ -331,3 +331,42 @@ > .errstr = "inside bpf_spin_lock", > .prog_type = BPF_PROG_TYPE_SCHED_CLS, > }, > +{ > + "spin_lock: regsafe compare reg->id for map value", > + .insns = { > + BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), > + BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_6, offsetof(struct __sk_buff, > mark)), > + BPF_LD_MAP_FD(BPF_REG_1, 0), > + BPF_MOV64_REG(BPF_REG_9, BPF_REG_1), > + BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0), > + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), > + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), > + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), > + BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), > + BPF_EXIT_INSN(), > + BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), > + BPF_MOV64_REG(BPF_REG_1, BPF_REG_9), > + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), > + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), > + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), > + BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), > + BPF_EXIT_INSN(), > + BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), > + BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), > + BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 4), > + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_spin_lock), > + BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 1), > + BPF_JMP_IMM(BPF_JA, 0, 0, 1), > + BPF_MOV64_REG(BPF_REG_7, BPF_REG_8), > + BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), > + BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 4), > + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_spin_unlock), > + BPF_MOV64_IMM(BPF_REG_0, 0), > + BPF_EXIT_INSN(), > + }, > + .fixup_map_spin_lock = { 2 }, > + .result = REJECT, > + .errstr = "bpf_spin_unlock of different lock", > + .prog_type = BPF_PROG_TYPE_SCHED_CLS, > + .flags = BPF_F_TEST_STATE_FREQ, > +}, > -- > 2.38.1
diff --git a/tools/testing/selftests/bpf/verifier/spin_lock.c b/tools/testing/selftests/bpf/verifier/spin_lock.c
index 781621facae4..0a8dcfc37fc6 100644
--- a/tools/testing/selftests/bpf/verifier/spin_lock.c
+++ b/tools/testing/selftests/bpf/verifier/spin_lock.c
@@ -331,3 +331,42 @@
 .errstr = "inside bpf_spin_lock",
 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
 },
+{
+ "spin_lock: regsafe compare reg->id for map value",
+ .insns = {
+ BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
+ BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_6, offsetof(struct __sk_buff, mark)),
+ BPF_LD_MAP_FD(BPF_REG_1, 0),
+ BPF_MOV64_REG(BPF_REG_9, BPF_REG_1),
+ BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0),
+ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
+ BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
+ BPF_EXIT_INSN(),
+ BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
+ BPF_MOV64_REG(BPF_REG_1, BPF_REG_9),
+ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
+ BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
+ BPF_EXIT_INSN(),
+ BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
+ BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 4),
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_spin_lock),
+ BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 1),
+ BPF_JMP_IMM(BPF_JA, 0, 0, 1),
+ BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
+ BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 4),
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_spin_unlock),
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_EXIT_INSN(),
+ },
+ .fixup_map_spin_lock = { 2 },
+ .result = REJECT,
+ .errstr = "bpf_spin_unlock of different lock",
+ .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+ .flags = BPF_F_TEST_STATE_FREQ,
+},
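Review bot: The branch pair `BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 1)` / `BPF_JMP_IMM(BPF_JA, 0, 0, 1)` is what this test hinges on, and it carries no comment, so a later edit to the instruction list could shift the jump offsets and leave the test rejecting for an unrelated reason or no longer reaching the pruning point. Both lookups use the same map (R9) and the same key at `r10 - 4`, so R7 and R8 differ only in the id the verifier assigns them; only the `r6 == 0` path executes `BPF_MOV64_REG(BPF_REG_7, BPF_REG_8)` and then unlocks through a value that was not the one locked. I would add `/* r6 == 0: unlock via the second lookup's value; regsafe must see the differing reg->id and not prune */` above that move. A one-line comment on `.flags` would also help, stating that the test presumably relies on `BPF_F_TEST_STATE_FREQ` to have a stored state to compare against where the two paths join.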
Test that when reg->id is not same for the same register of type PTR_TO_MAP_VALUE between current and old explored state, we currently return false from regsafe and continue exploring. Without the fix in prior commit, the test case fails. Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com> --- .../selftests/bpf/verifier/spin_lock.c | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+)