From patchwork Fri Dec 9 13:57:27 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eduard Zingerman X-Patchwork-Id: 13069579 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 157ECC4167B for ; Fri, 9 Dec 2022 13:58:53 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229568AbiLIN6v (ORCPT ); Fri, 9 Dec 2022 08:58:51 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58684 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229470AbiLIN6u (ORCPT ); Fri, 9 Dec 2022 08:58:50 -0500 Received: from mail-ej1-x629.google.com (mail-ej1-x629.google.com [IPv6:2a00:1450:4864:20::629]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1BBA575BCC for ; Fri, 9 Dec 2022 05:58:49 -0800 (PST) Received: by mail-ej1-x629.google.com with SMTP id t17so11732070eju.1 for ; Fri, 09 Dec 2022 05:58:49 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=6yJ7ZyFEyQN7jPS3YYUIZ0tR6YmAAhUd4UH8MqxA4G0=; b=AR9GjI0oKD8HRn0iDZs/AcO8tzXXwBHw/mgAXBxvblOm46X8q8zjn+BuOcTrSrAwYb 8Cy4d7dr/s8/WtCK52tTfRmlgCgFw+q9ireSCGskGr7T8PtrWrtxYSCQgqM8B7kR3+8E WbRLKmPQ2Av2qzOvP4mfE7fAIM/FyV7HS2npvYbce9C39Uc1dY9qVxy6KhH/EFBJ+exH NSZWkohPqEJNCYi5vxTEcdxnNELa5gxUjRcu/IaAyvliUGWrbVExYOmE1+5bSCi8PU5i 7H1Ttb4HbegWsHNTLMGSa2vKyzWzv71EKWEJisO1e1tId0GI9DwSgk6DT5WMyABvWf22 Zqwg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=6yJ7ZyFEyQN7jPS3YYUIZ0tR6YmAAhUd4UH8MqxA4G0=; b=o2o5U08I+FxRaxoA+DFbNs+1+leZqPENZ2U5KMQ3ISmXJ9ni9Mia3NszMRXsVU8wsf F+svPbjVeW9TC08L7lExUGRncekyRbPjKrPGMO2+AgsyTTbPo7acV4ltZZFFwcMW4XWw B6BrIDaEDy9lcnfo0DxLnRPPDnq3+C0aIcD8veuGgBQp+p1hGRhCBu3U/TPxcmMNdstX B5az+Or1PSjKE+bDhsXz5jWIjNZYP31VfqdHK73xuzIN6psSQVfPEN8HNMS89xdqzo/v 8Z0KKczxnqLbtiWAcyww4ggCS2aiB4hbaW0gEFvgtJqbrg/NDIgQcASovGJoq3K8nCOU IoVQ== X-Gm-Message-State: ANoB5pleUeIK/bYpCShd/2y7FfN9y+8Ish7HjovHc3nB9/wHNMc7JGOq Z6CdAJC6ySyNA0MQyn17xkTn7IEUJt2XqA== X-Google-Smtp-Source: AA0mqf5X2F8HBDwp7PJSOYwkF03hMXtw1U1Aat5ltlu1b32PUtu5ga+7sYG1CwfCb2VtN8LgQ9C/AA== X-Received: by 2002:a17:906:850d:b0:7c0:d886:b9ff with SMTP id i13-20020a170906850d00b007c0d886b9ffmr7756678ejx.16.1670594327348; Fri, 09 Dec 2022 05:58:47 -0800 (PST) Received: from pluto.. (178-133-28-80.mobile.vf-ua.net. [178.133.28.80]) by smtp.gmail.com with ESMTPSA id j6-20020a170906830600b007c10fe64c5dsm589028ejx.86.2022.12.09.05.58.46 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 09 Dec 2022 05:58:47 -0800 (PST) From: Eduard Zingerman To: bpf@vger.kernel.org, ast@kernel.org Cc: andrii@kernel.org, daniel@iogearbox.net, kernel-team@fb.com, yhs@fb.com, memxor@gmail.com, ecree.xilinx@gmail.com, Eduard Zingerman Subject: [PATCH bpf-next 1/7] bpf: regsafe() must not skip check_ids() Date: Fri, 9 Dec 2022 15:57:27 +0200 Message-Id: <20221209135733.28851-2-eddyz87@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20221209135733.28851-1-eddyz87@gmail.com> References: <20221209135733.28851-1-eddyz87@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net The verifier.c:regsafe() has the following shortcut: equal = memcmp(rold, rcur, offsetof(struct bpf_reg_state, parent)) == 0; ... if (equal) return true; Which is executed regardless old register type. This is incorrect for register types that might have an ID checked by check_ids(), namely: - PTR_TO_MAP_KEY - PTR_TO_MAP_VALUE - PTR_TO_PACKET_META - PTR_TO_PACKET The following pattern could be used to exploit this: 0: r9 = map_lookup_elem(...) ; Returns PTR_TO_MAP_VALUE_OR_NULL id=1. 1: r8 = map_lookup_elem(...) ; Returns PTR_TO_MAP_VALUE_OR_NULL id=2. 2: r7 = ktime_get_ns() ; Unbound SCALAR_VALUE. 3: r6 = ktime_get_ns() ; Unbound SCALAR_VALUE. 4: if r6 > r7 goto +1 ; No new information about the state ; is derived from this check, thus ; produced verifier states differ only ; in 'insn_idx'. 5: r9 = r8 ; Optionally make r9.id == r8.id. --- checkpoint --- ; Assume is_state_visisted() creates a ; checkpoint here. 6: if r9 == 0 goto ; Nullness info is propagated to all ; registers with matching ID. 7: r1 = *(u64 *) r8 ; Not always safe. Verifier first visits path 1-7 where r8 is verified to be not null at (6). Later the jump from 4 to 6 is examined. The checkpoint for (6) looks as follows: R8_rD=map_value_or_null(id=2,off=0,ks=4,vs=8,imm=0) R9_rwD=map_value_or_null(id=2,off=0,ks=4,vs=8,imm=0) R10=fp0 The current state is: R0=... R6=... R7=... fp-8=... R8=map_value_or_null(id=2,off=0,ks=4,vs=8,imm=0) R9=map_value_or_null(id=1,off=0,ks=4,vs=8,imm=0) R10=fp0 Note that R8 states are byte-to-byte identical, so regsafe() would exit early and skip call to check_ids(), thus ID mapping 2->2 will not be added to 'idmap'. Next, states for R9 are compared: these are not identical and check_ids() is executed, but 'idmap' is empty, so check_ids() adds mapping 2->1 to 'idmap' and returns success. This commit pushes the 'equal' down to register types that don't need check_ids(). Signed-off-by: Eduard Zingerman --- kernel/bpf/verifier.c | 29 ++++++++--------------------- 1 file changed, 8 insertions(+), 21 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 3194e9d9e4e4..d05c5d0344c6 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -12926,15 +12926,6 @@ static bool regsafe(struct bpf_verifier_env *env, struct bpf_reg_state *rold, equal = memcmp(rold, rcur, offsetof(struct bpf_reg_state, parent)) == 0; - if (rold->type == PTR_TO_STACK) - /* two stack pointers are equal only if they're pointing to - * the same stack frame, since fp-8 in foo != fp-8 in bar - */ - return equal && rold->frameno == rcur->frameno; - - if (equal) - return true; - if (rold->type == NOT_INIT) /* explored state can't have used this */ return true; @@ -12942,6 +12933,8 @@ static bool regsafe(struct bpf_verifier_env *env, struct bpf_reg_state *rold, return false; switch (base_type(rold->type)) { case SCALAR_VALUE: + if (equal) + return true; if (env->explore_alu_limits) return false; if (rcur->type == SCALAR_VALUE) { @@ -13012,20 +13005,14 @@ static bool regsafe(struct bpf_verifier_env *env, struct bpf_reg_state *rold, /* new val must satisfy old val knowledge */ return range_within(rold, rcur) && tnum_in(rold->var_off, rcur->var_off); - case PTR_TO_CTX: - case CONST_PTR_TO_MAP: - case PTR_TO_PACKET_END: - case PTR_TO_FLOW_KEYS: - case PTR_TO_SOCKET: - case PTR_TO_SOCK_COMMON: - case PTR_TO_TCP_SOCK: - case PTR_TO_XDP_SOCK: - /* Only valid matches are exact, which memcmp() above - * would have accepted + case PTR_TO_STACK: + /* two stack pointers are equal only if they're pointing to + * the same stack frame, since fp-8 in foo != fp-8 in bar */ + return equal && rold->frameno == rcur->frameno; default: - /* Don't know what's going on, just say it's not safe */ - return false; + /* Only valid matches are exact, which memcmp() */ + return equal; } /* Shouldn't get here; if we do, say it's not safe */ From patchwork Fri Dec 9 13:57:28 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eduard Zingerman X-Patchwork-Id: 13069580 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 72798C4332F for ; Fri, 9 Dec 2022 13:58:55 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229759AbiLIN6y (ORCPT ); Fri, 9 Dec 2022 08:58:54 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58694 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229470AbiLIN6w (ORCPT ); Fri, 9 Dec 2022 08:58:52 -0500 Received: from mail-lj1-x234.google.com (mail-lj1-x234.google.com [IPv6:2a00:1450:4864:20::234]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 37E5754778 for ; Fri, 9 Dec 2022 05:58:51 -0800 (PST) Received: by mail-lj1-x234.google.com with SMTP id f20so5008809lja.4 for ; Fri, 09 Dec 2022 05:58:51 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=wkY/XWvbmBpF+aPRF1XnMxkztdOLE18mROLE5X78M7s=; b=XDxUAvMl/KgQEqiojkdpFcefu/4S0dTZ0wKasRJw0hlx24MwCtBEA4S5ySkU8dFNrz o7QKSwDOY1SqNqJ1E9nQzMQjJRiwmLP/8DBxdVXFynJqu/9Ao+klWECBgv9Qi89X20yu vbuufYbsrrt5X2zBEDrrnSItW+HpbCCrpKNpVzzlD0xdMoyneypwxKP3n8dOgenc/sxR blhvi8AOXKS2ezlMLsnThsMbcuiKtntcX6rrlpliFV34J6jWbKvMUDJ5DlvO/xMxIbhm lk9ksTk+erR2gQLbS/n3++YN3faP3RXokjTlcBYZhmFFpCNLQbs53EpiDsBP64mkWJx5 sD7g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=wkY/XWvbmBpF+aPRF1XnMxkztdOLE18mROLE5X78M7s=; b=eJMJ13+olghiHLuixpw2NdyKKaEf/1Fsay89P3j5rH3XxFwnEa5ejlR/HTpwgfFkUg OpT8XZWVwAabg5ZOD0co1Paei51r+ZnfqKU6b3ScBglpHtfo51VJ0f/irC0B384KmJc0 rsksLgk0oC2OdmUcJT7IY0Tg9UgbmNHz5EQryc0cUAvHxjeL13sTJebYLxOmLJ0dy1Yj lJthxIFyKejP53ZEBYPX5hm2ID3uyotuoSJHQfMSL9qXXBoBleIMZhYtIukLWXJMhSR7 AEac50VSDrT7pACYEpcru64fFfMCMUuwWmvTMy/qUKMtR6FGPnQgsnyebggLKXmGbmHY H4og== X-Gm-Message-State: ANoB5plj3V6dBi53ylgcvtR7ZCX79Scn+uU9BSOj+EtTiJLiwohvdAlI q/RKz3NipTZ4R300vkDZf+2Jv6Pkbre2AA== X-Google-Smtp-Source: AA0mqf5HOE7ZtgjZdiX6Xx2mUHG3e/Lub7/IukXh/gQMPW2QHaqYmdfWJ1/63/ETB55Jpgm3eqOBcA== X-Received: by 2002:a2e:b74e:0:b0:27a:3a56:3e29 with SMTP id k14-20020a2eb74e000000b0027a3a563e29mr444475ljo.45.1670594328588; Fri, 09 Dec 2022 05:58:48 -0800 (PST) Received: from pluto.. (178-133-28-80.mobile.vf-ua.net. [178.133.28.80]) by smtp.gmail.com with ESMTPSA id j6-20020a170906830600b007c10fe64c5dsm589028ejx.86.2022.12.09.05.58.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 09 Dec 2022 05:58:48 -0800 (PST) From: Eduard Zingerman To: bpf@vger.kernel.org, ast@kernel.org Cc: andrii@kernel.org, daniel@iogearbox.net, kernel-team@fb.com, yhs@fb.com, memxor@gmail.com, ecree.xilinx@gmail.com, Eduard Zingerman Subject: [PATCH bpf-next 2/7] selftests/bpf: test cases for regsafe() bug skipping check_id() Date: Fri, 9 Dec 2022 15:57:28 +0200 Message-Id: <20221209135733.28851-3-eddyz87@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20221209135733.28851-1-eddyz87@gmail.com> References: <20221209135733.28851-1-eddyz87@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net Under certain conditions it was possible for verifier.c:regsafe() to skip check_id() call. This commit adds negative test cases previously errorneously accepted as safe. Signed-off-by: Eduard Zingerman --- .../bpf/verifier/direct_packet_access.c | 54 +++++++++++++++++++ .../selftests/bpf/verifier/value_or_null.c | 49 +++++++++++++++++ 2 files changed, 103 insertions(+) diff --git a/tools/testing/selftests/bpf/verifier/direct_packet_access.c b/tools/testing/selftests/bpf/verifier/direct_packet_access.c index 11acd1855acf..dce2e28aeb43 100644 --- a/tools/testing/selftests/bpf/verifier/direct_packet_access.c +++ b/tools/testing/selftests/bpf/verifier/direct_packet_access.c @@ -654,3 +654,57 @@ .result = ACCEPT, .prog_type = BPF_PROG_TYPE_SCHED_CLS, }, +{ + "direct packet access: test30 (check_id() in regsafe(), bad access)", + .insns = { + /* r9 = ctx */ + BPF_MOV64_REG(BPF_REG_9, BPF_REG_1), + /* r7 = ktime_get_ns() */ + BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns), + BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), + /* r6 = ktime_get_ns() */ + BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns), + BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), + /* r2 = ctx->data + * r3 = ctx->data + * r4 = ctx->data_end + */ + BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_9, offsetof(struct __sk_buff, data)), + BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_9, offsetof(struct __sk_buff, data)), + BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_9, offsetof(struct __sk_buff, data_end)), + /* if r6 > 100 goto exit + * if r7 > 100 goto exit + */ + BPF_JMP_IMM(BPF_JGT, BPF_REG_6, 100, 9), + BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 100, 8), + /* r2 += r6 ; this forces assignment of ID to r2 + * r2 += 1 ; get some fixed off for r2 + * r3 += r7 ; this forces assignment of ID to r3 + * r3 += 1 ; get some fixed off for r3 + */ + BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_6), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), + BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_7), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 1), + /* if r6 > r7 goto +1 ; no new information about the state is derived from + * ; this check, thus produced verifier states differ + * ; only in 'insn_idx' + * r2 = r3 ; optionally share ID between r2 and r3 + */ + BPF_JMP_REG(BPF_JNE, BPF_REG_6, BPF_REG_7, 1), + BPF_MOV64_REG(BPF_REG_2, BPF_REG_3), + /* if r3 > ctx->data_end goto exit */ + BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 1), + /* r5 = *(u8 *) (r2 - 1) ; access packet memory using r2, + * ; this is not always safe + */ + BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, -1), + /* exit(0) */ + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .flags = BPF_F_TEST_STATE_FREQ, + .result = REJECT, + .errstr = "invalid access to packet, off=0 size=1, R2", + .prog_type = BPF_PROG_TYPE_SCHED_CLS, +}, diff --git a/tools/testing/selftests/bpf/verifier/value_or_null.c b/tools/testing/selftests/bpf/verifier/value_or_null.c index 3ecb70a3d939..52a8bca14f03 100644 --- a/tools/testing/selftests/bpf/verifier/value_or_null.c +++ b/tools/testing/selftests/bpf/verifier/value_or_null.c @@ -169,3 +169,52 @@ .prog_type = BPF_PROG_TYPE_SCHED_CLS, .result = ACCEPT, }, +{ + "MAP_VALUE_OR_NULL check_ids() in regsafe()", + .insns = { + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), + /* r9 = map_lookup_elem(...) */ + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), + BPF_LD_MAP_FD(BPF_REG_1, + 0), + BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), + BPF_MOV64_REG(BPF_REG_9, BPF_REG_0), + /* r8 = map_lookup_elem(...) */ + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), + BPF_LD_MAP_FD(BPF_REG_1, + 0), + BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), + BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), + /* r7 = ktime_get_ns() */ + BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns), + BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), + /* r6 = ktime_get_ns() */ + BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns), + BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), + /* if r6 > r7 goto +1 ; no new information about the state is derived from + * ; this check, thus produced verifier states differ + * ; only in 'insn_idx' + * r9 = r8 ; optionally share ID between r9 and r8 + */ + BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 1), + BPF_MOV64_REG(BPF_REG_9, BPF_REG_8), + /* if r9 == 0 goto */ + BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 0, 1), + /* read map value via r8, this is not always + * safe because r8 might be not equal to r9. + */ + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_8, 0), + /* exit 0 */ + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .flags = BPF_F_TEST_STATE_FREQ, + .fixup_map_hash_8b = { 3, 9 }, + .result = REJECT, + .errstr = "R8 invalid mem access 'map_value_or_null'", + .result_unpriv = REJECT, + .errstr_unpriv = "", + .prog_type = BPF_PROG_TYPE_CGROUP_SKB, +}, From patchwork Fri Dec 9 13:57:29 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eduard Zingerman X-Patchwork-Id: 13069581 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0D208C04FDE for ; Fri, 9 Dec 2022 13:58:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229750AbiLIN6y (ORCPT ); Fri, 9 Dec 2022 08:58:54 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58696 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229605AbiLIN6w (ORCPT ); Fri, 9 Dec 2022 08:58:52 -0500 Received: from mail-ej1-x632.google.com (mail-ej1-x632.google.com [IPv6:2a00:1450:4864:20::632]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B2FEA75BC5 for ; Fri, 9 Dec 2022 05:58:51 -0800 (PST) Received: by mail-ej1-x632.google.com with SMTP id m18so11670943eji.5 for ; Fri, 09 Dec 2022 05:58:51 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=Ce9H78b0mHZuBP5UqB+KrWENWxRYvJN1Jl8hGp9aoGk=; b=YKbofFhgDO6g4RIYE+ShezvPmu0plzOwfj8/RI7daypdBflwjDdKRVHF+eUXFPuq2h LXbcTOypyDRm/SD38yTjgLZ7qFWMEiz02cQPLQo4EJijfsLdjKlQamSYsdDfeWFa+H0T ebpFq7cX4fwNq634/fNlbE8C/Wvkwyk60Mj8kn9BfmdbuPJXSCJESnw+oFJ/js3pOc5l tBd6gSfgQl6xnw+rbrfHmrKztQQ9KZ1JHHARVx7fFSR5bsdcF55pIlBAqhVukcPRESc5 s8WU1/d4omswzp36O+oB3qyl6tV3DsBoQLM9hOldpngGE7+p1FMXPycMVGao3FI2TlSD i68A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Ce9H78b0mHZuBP5UqB+KrWENWxRYvJN1Jl8hGp9aoGk=; b=UG1fszRQtfdi/swNueAVpssBNu28AhJIWHQvP5ccXV06Lwxf8KhvkJgl1wkT/XpLiY vnJyr+kI09AIrAFEbjuk41hKde8mSZXE0L5MIAUN72viDvwNa8QcVfp9bDyFILyPg1r/ vxFArfoouVXEfTi9Fq8artAgR/Zh8llKUHfIqYykdXhDld56FvLKpQJwGrEeQHD5f0NW d2TLzL/iIdlTq8r8y/ByMtAdffOHSPTKsC0W95mII8l6g6gdfmMKdp50EIb7Qc6GlF9J T4qKqK3SrFHucKAUqbbe9JyFjSpJ6nsm8HWOIt48wusdEh8cfazbr1X+bMpn4SKypv5g FTWw== X-Gm-Message-State: ANoB5pl8lKiRMtKiYdM17R1QA5U3wv0B81iRypuwvJopOm3uY02wHCJh 05YtOlgFginm92CaKh5IHDXnyNp86VDv0g== X-Google-Smtp-Source: AA0mqf4BZ6XjyD3koqjoGD1mk4cCV5U9PZF+ZEN9Q50brFV+wWHZLtLA4i8arTVAWiwGTKmU+T2VoA== X-Received: by 2002:a17:906:3702:b0:7ad:a797:5bbb with SMTP id d2-20020a170906370200b007ada7975bbbmr4780238ejc.63.1670594330063; Fri, 09 Dec 2022 05:58:50 -0800 (PST) Received: from pluto.. (178-133-28-80.mobile.vf-ua.net. [178.133.28.80]) by smtp.gmail.com with ESMTPSA id j6-20020a170906830600b007c10fe64c5dsm589028ejx.86.2022.12.09.05.58.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 09 Dec 2022 05:58:49 -0800 (PST) From: Eduard Zingerman To: bpf@vger.kernel.org, ast@kernel.org Cc: andrii@kernel.org, daniel@iogearbox.net, kernel-team@fb.com, yhs@fb.com, memxor@gmail.com, ecree.xilinx@gmail.com, Eduard Zingerman , Andrii Nakryiko Subject: [PATCH bpf-next 3/7] bpf: states_equal() must build idmap for all function frames Date: Fri, 9 Dec 2022 15:57:29 +0200 Message-Id: <20221209135733.28851-4-eddyz87@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20221209135733.28851-1-eddyz87@gmail.com> References: <20221209135733.28851-1-eddyz87@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net verifier.c:states_equal() must maintain register ID mapping across all function frames. Otherwise the following example might be erroneously marked as safe: main: fp[-24] = map_lookup_elem(...) ; frame[0].fp[-24].id == 1 fp[-32] = map_lookup_elem(...) ; frame[0].fp[-32].id == 2 r1 = &fp[-24] r2 = &fp[-32] call foo() r0 = 0 exit foo: 0: r9 = r1 1: r8 = r2 2: r7 = ktime_get_ns() 3: r6 = ktime_get_ns() 4: if (r6 > r7) goto skip_assign 5: r9 = r8 skip_assign: ; <--- checkpoint 6: r9 = *r9 ; (a) frame[1].r9.id == 2 ; (b) frame[1].r9.id == 1 7: if r9 == 0 goto exit: ; mark_ptr_or_null_regs() transfers != 0 info ; for all regs sharing ID: ; (a) r9 != 0 => &frame[0].fp[-32] != 0 ; (b) r9 != 0 => &frame[0].fp[-24] != 0 8: r8 = *r8 ; (a) r8 == &frame[0].fp[-32] ; (b) r8 == &frame[0].fp[-32] 9: r0 = *r8 ; (a) safe ; (b) unsafe exit: 10: exit While processing call to foo() verifier considers the following execution paths: (a) 0-10 (b) 0-4,6-10 (There is also path 0-7,10 but it is not interesting for the issue at hand. (a) is verified first.) Suppose that checkpoint is created at (6) when path (a) is verified, next path (b) is verified and (6) is reached. If states_equal() maintains separate 'idmap' for each frame the mapping at (6) for frame[1] would be empty and regsafe(r9)::check_ids() would add a pair 2->1 and return true, which is an error. If states_equal() maintains single 'idmap' for all frames the mapping at (6) would be { 1->1, 2->2 } and regsafe(r9)::check_ids() would return false when trying to add a pair 2->1. This issue was suggested in the following discussion: https://lore.kernel.org/bpf/CAEf4BzbFB5g4oUfyxk9rHy-PJSLQ3h8q9mV=rVoXfr_JVm8+1Q@mail.gmail.com/ Suggested-by: Andrii Nakryiko Signed-off-by: Eduard Zingerman --- include/linux/bpf_verifier.h | 4 ++-- kernel/bpf/verifier.c | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h index 70d06a99f0b8..c1f769515beb 100644 --- a/include/linux/bpf_verifier.h +++ b/include/linux/bpf_verifier.h @@ -273,9 +273,9 @@ struct bpf_id_pair { u32 cur; }; -/* Maximum number of register states that can exist at once */ -#define BPF_ID_MAP_SIZE (MAX_BPF_REG + MAX_BPF_STACK / BPF_REG_SIZE) #define MAX_CALL_FRAMES 8 +/* Maximum number of register states that can exist at once */ +#define BPF_ID_MAP_SIZE ((MAX_BPF_REG + MAX_BPF_STACK / BPF_REG_SIZE) * MAX_CALL_FRAMES) struct bpf_verifier_state { /* call stack tracking */ struct bpf_func_state *frame[MAX_CALL_FRAMES]; diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index d05c5d0344c6..9188370a7ebe 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -13122,7 +13122,6 @@ static bool func_states_equal(struct bpf_verifier_env *env, struct bpf_func_stat { int i; - memset(env->idmap_scratch, 0, sizeof(env->idmap_scratch)); for (i = 0; i < MAX_BPF_REG; i++) if (!regsafe(env, &old->regs[i], &cur->regs[i], env->idmap_scratch)) @@ -13146,6 +13145,8 @@ static bool states_equal(struct bpf_verifier_env *env, if (old->curframe != cur->curframe) return false; + memset(env->idmap_scratch, 0, sizeof(env->idmap_scratch)); + /* Verification state from speculative execution simulation * must never prune a non-speculative execution one. */ From patchwork Fri Dec 9 13:57:30 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eduard Zingerman X-Patchwork-Id: 13069582 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A8A5EC4332F for ; Fri, 9 Dec 2022 13:58:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229864AbiLIN64 (ORCPT ); Fri, 9 Dec 2022 08:58:56 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58714 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229470AbiLIN6y (ORCPT ); Fri, 9 Dec 2022 08:58:54 -0500 Received: from mail-ej1-x636.google.com (mail-ej1-x636.google.com [IPv6:2a00:1450:4864:20::636]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F1E3D75BFC for ; Fri, 9 Dec 2022 05:58:52 -0800 (PST) Received: by mail-ej1-x636.google.com with SMTP id gh17so11688744ejb.6 for ; Fri, 09 Dec 2022 05:58:52 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=V0UShcuPPltA7nazPprqf2YmrY0QD6ji20xhTJBARHA=; b=mQfCHVjFgfDF63Pbvf9P3Bo8peSrUeiEfrN1p9JHDkh9zllQtf/Q//qnL1es2hoeyC EP2ZV/Wu9QqGMrgoaWh/3SRJMuRVYXa7EG3NRJ77m9MharvWRQm/BsHbT2+NUfqp12D9 tbjXHQ0eHObz0hIhSQhPTt7NgrC0c50TJNprTdTOaSQ4bv7TYfSqGAJdblxrxcwLv/2M aNImIwyUVtfzaCYC4oLEN9wLsfyxZg2SExsy+ipDQuU9KG/iQPa44gd7JKHr1K2uDlOS GaNmUB2c/JLqF6buKNAWcIenkBAB7DmUR3hifegmOQUsIpHtGJJJcc5JwHZoW2JqNbXk Bu5Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=V0UShcuPPltA7nazPprqf2YmrY0QD6ji20xhTJBARHA=; b=PsHXfOJAWokmA8iH41iin/aQrZxE1Yy+iGkjnDxZ+Tsxnoe5QiMUoSqKTDrIEa8s7t zghyjjZtfuqMLomtaKtTzL/t9Nb8GukS3aJ0nef3uOHiKQV143uVoXzwhLuq6N4JAXUA hFMnD7ybiYH3ZHuQ3Buc2r+nh7dhu+bIXTBqu5JUwOAZ4jwQxC3Gjg+LGD+ERprV0vp9 LRYcgCO4Z2HUxeJSrzxP32bLxUjYMWIFA5JuuHeEqDrqo11BT6qlsQMOdlJZDjAMMx2t 0gBwoDiaWxk7epU6F0dCojDMs+NBvTWPOF82iiVY3yUvgDTYnN5/rqDrj1fH9OPVpDTq 1W0A== X-Gm-Message-State: ANoB5pmUu1rVgZYDTwRlH6NkTQfQ/YeC8hI4HqJ4k7peFH+RuBDsn2Ev y5oDsDlfLbZH38GkmkkdNCK0w5BipcGWOA== X-Google-Smtp-Source: AA0mqf5m62txyql80Vgxnc/qSPLKhJD6/ajPiJalzM7ZewiwtKZ1T1KjQ4vyr6I7YbWpoMoqlhcU/g== X-Received: by 2002:a17:906:a050:b0:7a4:bbce:ddae with SMTP id bg16-20020a170906a05000b007a4bbceddaemr5307348ejb.59.1670594331362; Fri, 09 Dec 2022 05:58:51 -0800 (PST) Received: from pluto.. (178-133-28-80.mobile.vf-ua.net. [178.133.28.80]) by smtp.gmail.com with ESMTPSA id j6-20020a170906830600b007c10fe64c5dsm589028ejx.86.2022.12.09.05.58.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 09 Dec 2022 05:58:51 -0800 (PST) From: Eduard Zingerman To: bpf@vger.kernel.org, ast@kernel.org Cc: andrii@kernel.org, daniel@iogearbox.net, kernel-team@fb.com, yhs@fb.com, memxor@gmail.com, ecree.xilinx@gmail.com, Eduard Zingerman Subject: [PATCH bpf-next 4/7] selftests/bpf: verify states_equal() maintains idmap across all frames Date: Fri, 9 Dec 2022 15:57:30 +0200 Message-Id: <20221209135733.28851-5-eddyz87@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20221209135733.28851-1-eddyz87@gmail.com> References: <20221209135733.28851-1-eddyz87@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net A test case that would erroneously pass verification if verifier.c:states_equal() maintains separate register ID mappings for call frames. Signed-off-by: Eduard Zingerman --- tools/testing/selftests/bpf/verifier/calls.c | 82 ++++++++++++++++++++ 1 file changed, 82 insertions(+) diff --git a/tools/testing/selftests/bpf/verifier/calls.c b/tools/testing/selftests/bpf/verifier/calls.c index 3193915c5ee6..bcd15b26dcee 100644 --- a/tools/testing/selftests/bpf/verifier/calls.c +++ b/tools/testing/selftests/bpf/verifier/calls.c @@ -2305,3 +2305,85 @@ .errstr = "!read_ok", .result = REJECT, }, +/* Make sure that verifier.c:states_equal() considers IDs from all + * frames when building 'idmap' for check_ids(). + */ +{ + "calls: check_ids() across call boundary", + .insns = { + /* Function main() */ + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), + /* fp[-24] = map_lookup_elem(...) ; get a MAP_VALUE_PTR_OR_NULL with some ID */ + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), + BPF_LD_MAP_FD(BPF_REG_1, + 0), + BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), + BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_0, -24), + /* fp[-32] = map_lookup_elem(...) ; get a MAP_VALUE_PTR_OR_NULL with some ID */ + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), + BPF_LD_MAP_FD(BPF_REG_1, + 0), + BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), + BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_0, -32), + /* call foo(&fp[-24], &fp[-32]) ; both arguments have IDs in the current + * ; stack frame + */ + BPF_MOV64_REG(BPF_REG_1, BPF_REG_FP), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -24), + BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32), + BPF_CALL_REL(2), + /* exit 0 */ + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + /* Function foo() + * + * r9 = &frame[0].fp[-24] ; save arguments in the callee saved registers, + * r8 = &frame[0].fp[-32] ; arguments are pointers to pointers to map value + */ + BPF_MOV64_REG(BPF_REG_9, BPF_REG_1), + BPF_MOV64_REG(BPF_REG_8, BPF_REG_2), + /* r7 = ktime_get_ns() */ + BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns), + BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), + /* r6 = ktime_get_ns() */ + BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns), + BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), + /* if r6 > r7 goto +1 ; no new information about the state is derived from + * ; this check, thus produced verifier states differ + * ; only in 'insn_idx' + * r9 = r8 + */ + BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 1), + BPF_MOV64_REG(BPF_REG_9, BPF_REG_8), + /* r9 = *r9 ; verifier get's to this point via two paths: + * ; (I) one including r9 = r8, verified first; + * ; (II) one excluding r9 = r8, verified next. + * ; After load of *r9 to r9 the frame[0].fp[-24].id == r9.id. + * ; Suppose that checkpoint is created here via path (I). + * ; When verifying via (II) the r9.id must be compared against + * ; frame[0].fp[-24].id, otherwise (I) and (II) would be + * ; incorrectly deemed equivalent. + * if r9 == 0 goto + */ + BPF_LDX_MEM(BPF_DW, BPF_REG_9, BPF_REG_9, 0), + BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 0, 1), + /* r8 = *r8 ; read map value via r8, this is not safe + * r0 = *r8 ; because r8 might be not equal to r9. + */ + BPF_LDX_MEM(BPF_DW, BPF_REG_8, BPF_REG_8, 0), + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_8, 0), + /* exit 0 */ + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .flags = BPF_F_TEST_STATE_FREQ, + .fixup_map_hash_8b = { 3, 9 }, + .result = REJECT, + .errstr = "R8 invalid mem access 'map_value_or_null'", + .result_unpriv = REJECT, + .errstr_unpriv = "", + .prog_type = BPF_PROG_TYPE_CGROUP_SKB, +}, From patchwork Fri Dec 9 13:57:31 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eduard Zingerman X-Patchwork-Id: 13069584 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7236FC4332F for ; Fri, 9 Dec 2022 13:59:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229809AbiLIN67 (ORCPT ); Fri, 9 Dec 2022 08:58:59 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58748 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229840AbiLIN6z (ORCPT ); Fri, 9 Dec 2022 08:58:55 -0500 Received: from mail-ej1-x635.google.com (mail-ej1-x635.google.com [IPv6:2a00:1450:4864:20::635]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3A75675BCC for ; Fri, 9 Dec 2022 05:58:54 -0800 (PST) Received: by mail-ej1-x635.google.com with SMTP id b2so11663522eja.7 for ; Fri, 09 Dec 2022 05:58:54 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=abgGM9CUNndqrEA1w+pChD0KCjzJooML7RT1geS+xYQ=; b=VcqW1lfHmpWiDG3Bwhfkor4jx4FT+jvCSMBU8zoKfOkwIE4RtD076wS4ZWopaMtL+V f1MHCyRyfjd18s1QaNkMAqwVqvHkGCzleaoSB3LgumozUxB3AeINNtnVHPzhyWgxHi2s YzRZuEW1z/662635Wz6TPLBTu85RypGmTwC7afpxLzx/32qwVIq8wq1mGO/QargEPFIM 763Omdp7epNNNxt7CHmcxcACgpzpWwHMewHbNVzw0rQxeonVGKyJwE2+kILf+wN1k8YA bVQQrCmJGdBxZBc1Vdn5WpVqMUDm0RhTGBw+9JlMwG//ThOjUgZfItgY7zI662YTmR1o g2eA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=abgGM9CUNndqrEA1w+pChD0KCjzJooML7RT1geS+xYQ=; b=dS+HLbCaIIDfsOc5AusEGM9nlIiKfmNzQpwYLqByDkMH9tzN/9QZ391fWwS7PUP+2k qB0Sax+w3Fxbdr7CuPX5js1tqdVuyy2r+qWJzWdkKqA4cxne5Uq9CiMKClkDzWZmUvy3 VGCTRcMwWPlXScIGuXb0ZiHNjc0SCxzASHvc9r6gPsSWTKtmvbarE1eN7ikyTF97AGuE RgNarjVOWukiqBvAlQ0oLaNvfHYv2D7YKtW+s7Pa/gGmhrrbGfGGLRTm1AGNHa1k6jpd 83NTt/c/wPWPlxHTJwJa9DtwKV1UOfLParlA0O6E7ZSV2LPItUUUQK4+kjhGqpfziTz6 PEcA== X-Gm-Message-State: ANoB5pn7ac0gAcLdvWp1eYhVnOFYeCizc9e3d9rtX9DCANv9PzQX144R dAtX8tZgoLjVlo4gWZCPDnUluU6JeOMhwg== X-Google-Smtp-Source: AA0mqf5MZ+LnJWJEyy9N4h0OupkaJcKMqmRNUs46Sv4pr9+jbF0uelk4vgECRD9uozvF2zfe1O1uAg== X-Received: by 2002:a17:906:1685:b0:7c1:458b:a947 with SMTP id s5-20020a170906168500b007c1458ba947mr1911436ejd.26.1670594332472; Fri, 09 Dec 2022 05:58:52 -0800 (PST) Received: from pluto.. (178-133-28-80.mobile.vf-ua.net. [178.133.28.80]) by smtp.gmail.com with ESMTPSA id j6-20020a170906830600b007c10fe64c5dsm589028ejx.86.2022.12.09.05.58.51 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 09 Dec 2022 05:58:52 -0800 (PST) From: Eduard Zingerman To: bpf@vger.kernel.org, ast@kernel.org Cc: andrii@kernel.org, daniel@iogearbox.net, kernel-team@fb.com, yhs@fb.com, memxor@gmail.com, ecree.xilinx@gmail.com, Eduard Zingerman Subject: [PATCH bpf-next 5/7] bpf: use check_ids() for active_lock comparison Date: Fri, 9 Dec 2022 15:57:31 +0200 Message-Id: <20221209135733.28851-6-eddyz87@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20221209135733.28851-1-eddyz87@gmail.com> References: <20221209135733.28851-1-eddyz87@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net An update for verifier.c:states_equal()/regsafe() to use check_ids() for active spin lock comparisons. This fixes the issue reported by Kumar Kartikeya Dwivedi in [1] using technique suggested by Edward Cree. W/o this commit the verifier might be tricked to accept the following program working with a map containing spin locks: 0: r9 = map_lookup_elem(...) ; Returns PTR_TO_MAP_VALUE_OR_NULL id=1. 1: r8 = map_lookup_elem(...) ; Returns PTR_TO_MAP_VALUE_OR_NULL id=2. 2: if r9 == 0 goto exit ; r9 -> PTR_TO_MAP_VALUE. 3: if r8 == 0 goto exit ; r8 -> PTR_TO_MAP_VALUE. 4: r7 = ktime_get_ns() ; Unbound SCALAR_VALUE. 5: r6 = ktime_get_ns() ; Unbound SCALAR_VALUE. 6: bpf_spin_lock(r8) ; active_lock.id == 2. 7: if r6 > r7 goto +1 ; No new information about the state ; is derived from this check, thus ; produced verifier states differ only ; in 'insn_idx'. 8: r9 = r8 ; Optionally make r9.id == r8.id. --- checkpoint --- ; Assume is_state_visisted() creates a ; checkpoint here. 9: bpf_spin_unlock(r9) ; (a,b) active_lock.id == 2. ; (a) r9.id == 2, (b) r9.id == 1. 10: exit(0) Consider two verification paths: (a) 0-10 (b) 0-7,9-10 The path (a) is verified first. If checkpoint is created at (8) the (b) would assume that (8) is safe because regsafe() does not compare register ids for registers of type PTR_TO_MAP_VALUE. [1] https://lore.kernel.org/bpf/20221111202719.982118-1-memxor@gmail.com/ Reported-by: Kumar Kartikeya Dwivedi Suggested-by: Edward Cree Signed-off-by: Eduard Zingerman --- kernel/bpf/verifier.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 9188370a7ebe..27caea773491 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -12981,7 +12981,8 @@ static bool regsafe(struct bpf_verifier_env *env, struct bpf_reg_state *rold, */ return memcmp(rold, rcur, offsetof(struct bpf_reg_state, id)) == 0 && range_within(rold, rcur) && - tnum_in(rold->var_off, rcur->var_off); + tnum_in(rold->var_off, rcur->var_off) && + check_ids(rold->id, rcur->id, idmap); case PTR_TO_PACKET_META: case PTR_TO_PACKET: if (rcur->type != rold->type) @@ -13153,8 +13154,17 @@ static bool states_equal(struct bpf_verifier_env *env, if (old->speculative && !cur->speculative) return false; - if (old->active_lock.ptr != cur->active_lock.ptr || - old->active_lock.id != cur->active_lock.id) + if (old->active_lock.ptr != cur->active_lock.ptr) + return false; + + /* Old and cur active_lock's have to be either both present + * or both absent. + */ + if (!!old->active_lock.id != !!cur->active_lock.id) + return false; + + if (old->active_lock.id && + !check_ids(old->active_lock.id, cur->active_lock.id, env->idmap_scratch)) return false; if (old->active_rcu_lock != cur->active_rcu_lock) From patchwork Fri Dec 9 13:57:32 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eduard Zingerman X-Patchwork-Id: 13069583 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id A5044C04FDE for ; Fri, 9 Dec 2022 13:59:00 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229605AbiLIN66 (ORCPT ); Fri, 9 Dec 2022 08:58:58 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58716 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229875AbiLIN64 (ORCPT ); Fri, 9 Dec 2022 08:58:56 -0500 Received: from mail-ej1-x636.google.com (mail-ej1-x636.google.com [IPv6:2a00:1450:4864:20::636]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 457B976165 for ; Fri, 9 Dec 2022 05:58:55 -0800 (PST) Received: by mail-ej1-x636.google.com with SMTP id vp12so11664601ejc.8 for ; Fri, 09 Dec 2022 05:58:55 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=DvK1Et8SyzpumnwYURWJzUwXW3OX+TLtUGxkUllETWQ=; b=YHTOw4avlKUA6WG6sPeBZ1upI3LwloFG4A5fipQYAPj2Q9dtlgowv/6F8+MnpHVPMW vgcSMyqFrR7r3voeagbYU+zA1Byzd+9mPj1lufnlQJeXeoRPQ4c3CghZ9QMrbqziTQSi 7Dd3EvvUgq6HAJVfzfKTS36Ur8ROZKR7K3xkqOC+wFmiHL6Uu9NME6dUA0Ah0QxgB4n9 KAzer9/vdJpQzmRhOdvU9+3q7rYhhsRFHBfrMJtkg+XC4wD75xVa2W/W5aOYSlAi3e2/ 4T3gzGjLLBPn7YCrVvCzHXK3v2IKyEdOkvccMk430N+aD8eaqwMfvMYen9wlpR635vBa nvGA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=DvK1Et8SyzpumnwYURWJzUwXW3OX+TLtUGxkUllETWQ=; b=qK30TWo86w/3jCOB+NjKkVv1erIP5gsb/rJXk94MOUARxKRXCMG7ZDwzad9XyJZEpP 7JcTkwlqIKsH4fox55vG42WI4LlE++NwMC/S+bwQX8/63NmXnvbKsu3g1URfTwJCy0O4 BavrG2HaIOC3+IY4b2eD2Cz3DtxzlC1SpDT03uB8TCWFXfEVAH4cUzkTivFAG1ASJTIj Qcm+SdIqEfvB0Z58RKB/86wKacM6DxvJRj3akN87sdhHHAQ1PQqIIwqshDRb9A7plsGp 4LCA/Sefazyn66B5L8qWTivg9zamOW951cBgto+1wKLc9d55dSwK/yRLJjp56R0QJJnb U9DA== X-Gm-Message-State: ANoB5pnP2VwOg+/uJ6YPOIVve8zy4m3UV6pBG1GBRsiUxxevjlubkEyp zEc8zP+yrL1dXgWNqjCoT/aBLNYNvRx3cw== X-Google-Smtp-Source: AA0mqf4gPL2KyA+FxOS005TF3teuGPQpSbTE/1ItRgqZ4MrJ7FX/NQW1zrud7QcG53FANoLpxlIyyA== X-Received: by 2002:a17:907:8746:b0:7bc:1e7e:6b8e with SMTP id qo6-20020a170907874600b007bc1e7e6b8emr5604535ejc.43.1670594333604; Fri, 09 Dec 2022 05:58:53 -0800 (PST) Received: from pluto.. (178-133-28-80.mobile.vf-ua.net. [178.133.28.80]) by smtp.gmail.com with ESMTPSA id j6-20020a170906830600b007c10fe64c5dsm589028ejx.86.2022.12.09.05.58.52 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 09 Dec 2022 05:58:53 -0800 (PST) From: Eduard Zingerman To: bpf@vger.kernel.org, ast@kernel.org Cc: andrii@kernel.org, daniel@iogearbox.net, kernel-team@fb.com, yhs@fb.com, memxor@gmail.com, ecree.xilinx@gmail.com Subject: [PATCH bpf-next 6/7] selftests/bpf: Add pruning test case for bpf_spin_lock Date: Fri, 9 Dec 2022 15:57:32 +0200 Message-Id: <20221209135733.28851-7-eddyz87@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20221209135733.28851-1-eddyz87@gmail.com> References: <20221209135733.28851-1-eddyz87@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net From: Kumar Kartikeya Dwivedi Test that when reg->id is not same for the same register of type PTR_TO_MAP_VALUE between current and old explored state, we currently return false from regsafe and continue exploring. Without the fix in prior commit, the test case fails. Signed-off-by: Kumar Kartikeya Dwivedi --- .../selftests/bpf/verifier/spin_lock.c | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/tools/testing/selftests/bpf/verifier/spin_lock.c b/tools/testing/selftests/bpf/verifier/spin_lock.c index 781621facae4..0a8dcfc37fc6 100644 --- a/tools/testing/selftests/bpf/verifier/spin_lock.c +++ b/tools/testing/selftests/bpf/verifier/spin_lock.c @@ -331,3 +331,42 @@ .errstr = "inside bpf_spin_lock", .prog_type = BPF_PROG_TYPE_SCHED_CLS, }, +{ + "spin_lock: regsafe compare reg->id for map value", + .insns = { + BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), + BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_6, offsetof(struct __sk_buff, mark)), + BPF_LD_MAP_FD(BPF_REG_1, 0), + BPF_MOV64_REG(BPF_REG_9, BPF_REG_1), + BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0), + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), + BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), + BPF_EXIT_INSN(), + BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), + BPF_MOV64_REG(BPF_REG_1, BPF_REG_9), + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), + BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), + BPF_EXIT_INSN(), + BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), + BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 4), + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_spin_lock), + BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 1), + BPF_JMP_IMM(BPF_JA, 0, 0, 1), + BPF_MOV64_REG(BPF_REG_7, BPF_REG_8), + BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 4), + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_spin_unlock), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .fixup_map_spin_lock = { 2 }, + .result = REJECT, + .errstr = "bpf_spin_unlock of different lock", + .prog_type = BPF_PROG_TYPE_SCHED_CLS, + .flags = BPF_F_TEST_STATE_FREQ, +}, From patchwork Fri Dec 9 13:57:33 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eduard Zingerman X-Patchwork-Id: 13069585 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 71CB8C10F31 for ; Fri, 9 Dec 2022 13:59:02 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229751AbiLIN7A (ORCPT ); Fri, 9 Dec 2022 08:59:00 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58750 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229894AbiLIN66 (ORCPT ); Fri, 9 Dec 2022 08:58:58 -0500 Received: from mail-ej1-x636.google.com (mail-ej1-x636.google.com [IPv6:2a00:1450:4864:20::636]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CCF7C54778 for ; Fri, 9 Dec 2022 05:58:56 -0800 (PST) Received: by mail-ej1-x636.google.com with SMTP id n20so11777124ejh.0 for ; Fri, 09 Dec 2022 05:58:56 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=wzjyzNxTIAqPjPKUEr8bfwrktvhNTDX4WTTNouBssS8=; b=lMHI2M6w2HVZot/sx0Llbpqjz41Nl5Omy24J25xLqTygY5cGHlPe5AOuvxYxDSsHYE lmJ+ynwGaeWJjMrt/G1vzWRKuGSDsvQ0hoWUKydPk3h7XQzWDsjh6MKE1sel5eT5gqQZ o1Lllgx2gJw+fWipMQbUjhuAAd311B7iHUTgqQvzekdMJ1KmiwrQCuNBOTq+AQ2I17Bc NpixJsuT0ydWcaHrcCh2zxZw1rgRz2FeL8fLS8v8xU7a2BxOaA5sQ9g0VCklkTg9bB37 Xen35NuSetLx3Mc6I5H/qzJJ0X3k/FItSv4pL25zr7q/DR2k3l1Tzh075sOlTR8RRmBh oLNg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=wzjyzNxTIAqPjPKUEr8bfwrktvhNTDX4WTTNouBssS8=; b=1sousk0c5NYeLurM8Wujc5RmfkHSN4cmj7OUoUN4Q/ptoNYeWoXdE/k+s56c36VZLD X57J+9Fh6rc0vEqw5woX0Ra5Kyzxqf+xYyEf8ph6ecY6fD5mQLhwcf6YPxyfZqlNeW0R +wDEmXm+RkFxSqhVx3Az50yWyF6uZ2vzc9S9w+Dxm2TjTHsM+wLEsl68A699fqnioCas jqJ+j7XjbIFCEkEx9sJH/r/v2u20MQg4z/IIYJUCd9gtzwliSN1emUivwcNP7NPaLsAs fSHRm6M+yFcowzIxUvwwzQslrrI4eY9fnV9E/CWkXfLkKt7/VoKT/JfZO4N+mcx5QPaY YpGg== X-Gm-Message-State: ANoB5pkDcv6mB9pNyPvGNwisSzChwSUqAO4Dcmch6EPOQoi/sOYyoLqs 43aqGDU2y467xt+75RuqjpGLjkdKY47x9g== X-Google-Smtp-Source: AA0mqf4Wm09JtaAmjklB366PY55uNsclwHTlXwbvs6OCIEkqwrZm66tVkhwEPsCn2u1KTxPLXRW9XQ== X-Received: by 2002:a17:906:3ac1:b0:7c0:ba3b:8e04 with SMTP id z1-20020a1709063ac100b007c0ba3b8e04mr4845627ejd.43.1670594334845; Fri, 09 Dec 2022 05:58:54 -0800 (PST) Received: from pluto.. (178-133-28-80.mobile.vf-ua.net. [178.133.28.80]) by smtp.gmail.com with ESMTPSA id j6-20020a170906830600b007c10fe64c5dsm589028ejx.86.2022.12.09.05.58.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 09 Dec 2022 05:58:54 -0800 (PST) From: Eduard Zingerman To: bpf@vger.kernel.org, ast@kernel.org Cc: andrii@kernel.org, daniel@iogearbox.net, kernel-team@fb.com, yhs@fb.com, memxor@gmail.com, ecree.xilinx@gmail.com, Eduard Zingerman Subject: [PATCH bpf-next 7/7] selftests/bpf: test case for relaxed prunning of active_lock.id Date: Fri, 9 Dec 2022 15:57:33 +0200 Message-Id: <20221209135733.28851-8-eddyz87@gmail.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20221209135733.28851-1-eddyz87@gmail.com> References: <20221209135733.28851-1-eddyz87@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net Check that verifier.c:states_equal() uses check_ids() to match consistent active_lock/map_value configurations. This allows to prune states with active spin locks even if numerical values of active_lock ids do not match across compared states. Signed-off-by: Eduard Zingerman --- .../selftests/bpf/verifier/spin_lock.c | 75 +++++++++++++++++++ 1 file changed, 75 insertions(+) diff --git a/tools/testing/selftests/bpf/verifier/spin_lock.c b/tools/testing/selftests/bpf/verifier/spin_lock.c index 0a8dcfc37fc6..eaf114f07e2e 100644 --- a/tools/testing/selftests/bpf/verifier/spin_lock.c +++ b/tools/testing/selftests/bpf/verifier/spin_lock.c @@ -370,3 +370,78 @@ .prog_type = BPF_PROG_TYPE_SCHED_CLS, .flags = BPF_F_TEST_STATE_FREQ, }, +/* Make sure that regsafe() compares ids for spin lock records using + * check_ids(): + * 1: r9 = map_lookup_elem(...) ; r9.id == 1 + * 2: r8 = map_lookup_elem(...) ; r8.id == 2 + * 3: r7 = ktime_get_ns() + * 4: r6 = ktime_get_ns() + * 5: if r6 > r7 goto <9> + * 6: spin_lock(r8) + * 7: r9 = r8 + * 8: goto <10> + * 9: spin_lock(r9) + * 10: spin_unlock(r9) ; r9.id == 1 || r9.id == 2 and lock is active, + * ; second visit to (10) should be considered safe + * ; if check_ids() is used. + * 11: exit(0) + */ +{ + "spin_lock: regsafe() check_ids() similar id mappings", + .insns = { + BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0), + /* r9 = map_lookup_elem(...) */ + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), + BPF_LD_MAP_FD(BPF_REG_1, + 0), + BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), + BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 24), + BPF_MOV64_REG(BPF_REG_9, BPF_REG_0), + /* r8 = map_lookup_elem(...) */ + BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), + BPF_LD_MAP_FD(BPF_REG_1, + 0), + BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), + BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 18), + BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), + /* r7 = ktime_get_ns() */ + BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns), + BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), + /* r6 = ktime_get_ns() */ + BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns), + BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), + /* if r6 > r7 goto +5 ; no new information about the state is derived from + * ; this check, thus produced verifier states differ + * ; only in 'insn_idx' + * spin_lock(r8) + * r9 = r8 + * goto unlock + */ + BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 5), + BPF_MOV64_REG(BPF_REG_1, BPF_REG_8), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 4), + BPF_EMIT_CALL(BPF_FUNC_spin_lock), + BPF_MOV64_REG(BPF_REG_9, BPF_REG_8), + BPF_JMP_A(3), + /* spin_lock(r9) */ + BPF_MOV64_REG(BPF_REG_1, BPF_REG_9), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 4), + BPF_EMIT_CALL(BPF_FUNC_spin_lock), + /* spin_unlock(r9) */ + BPF_MOV64_REG(BPF_REG_1, BPF_REG_9), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 4), + BPF_EMIT_CALL(BPF_FUNC_spin_unlock), + /* exit(0) */ + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .fixup_map_spin_lock = { 3, 10 }, + .result = VERBOSE_ACCEPT, + .errstr = "28: safe", + .result_unpriv = REJECT, + .errstr_unpriv = "", + .prog_type = BPF_PROG_TYPE_CGROUP_SKB, + .flags = BPF_F_TEST_STATE_FREQ, +},