From patchwork Wed Dec 4 02:41:53 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kumar Kartikeya Dwivedi X-Patchwork-Id: 13893152 X-Patchwork-Delegate: bpf@iogearbox.net Received: from mail-wr1-f68.google.com (mail-wr1-f68.google.com [209.85.221.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EF3662A8D0 for ; Wed, 4 Dec 2024 02:41:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.68 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1733280121; cv=none; b=WdtrfG0z408UvSsvPUKkVisCYTN9rq3+edU8JiMAKDu3MdzjF9YV/m0ErhlnpglsDP294Gth2BLRvIsaOgYWPDVMYdFSkeE7eKP8vaQDCCezR2C8Zf8BmrspIwJPtTMpRmb0G2SSVbPHuS/Fmr2y2djgh8l0z/SICWfZ/Ydn1iw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1733280121; c=relaxed/simple; bh=kr8LKcqxg60fcBZt62Nwvk3k3pyftJLPfJKNwyWiICc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=ZAtpqAYEgi3sloAe3h6Hzn6Z9NbGn4/OllIKCDs+OC5AP1rM+SeiYsB48SEhg8eCGCfBRVvdxXMSZkHclltEFYuxE4wR6BkuVmHHV3hoC+135xdRqgnS4yPzix1HsHppLPfuGaL8SCV4qeyR6/+B2s8JiSrfRhWOnCvNyaVxUyY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=jAIYhgWl; arc=none smtp.client-ip=209.85.221.68 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="jAIYhgWl" Received: by mail-wr1-f68.google.com with SMTP id ffacd0b85a97d-385e0e224cbso3090882f8f.2 for ; Tue, 03 Dec 2024 18:41:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1733280117; x=1733884917; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=v6IibgXDbezQ+bSHsgMht2fdqkKOjGq0NApi11zMm0s=; b=jAIYhgWlR7SR9pmChk4cUVQ/ktUjbKNOMcw66yEYNefb6EXgoEru+WoBJO2TKgpChS uWGbcKuTjhXFHVxcvbOBLtl9UUQDjP4tIOrIKl8EGTx+xtdYlv6Wcwq0uDrxAQNrdh4c gfbdIAhLaIEJBcCbQ35DYjeVS+tGyEnVfBqoftLnXgX6GwnWf9BYT7SWbV1DzJTp9AcS nl1o3+YlkwTTsYPDIktQF5Tog4q0cCFygmzu/3x3OFONFK5WhlJW/K+TkKC3gttgIT+6 6OhIWCmdjYIbkVPyFMlZsrmCzjzMRFuA5TCtED1hMQBNFABDTBLPEGk26DUq9mguwywE YcYA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1733280117; x=1733884917; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=v6IibgXDbezQ+bSHsgMht2fdqkKOjGq0NApi11zMm0s=; b=KD9KBTXjqt6e+jZLnHqqC3/YXViQjKJ0kGh5O8Y6Q6ASiNpLpxXOlOHxTZPu2k7Tdh WZoc48QFoEsjdXV0PusFo6+f4KjUSI1cYeWwgYT6ehcmNAlMoNPRceZZLp+lw5CcHZoP Q79mhkUetpAP6xCWh6zu/O9ciiXqEBrEo7iFNme+wevdAM1R4Q30ZRAjVJ6uBjVYFIWv OEdrdn3GHpYq9ikNjqLOo2axk3g0aUb6yThOqoImrKtNE4jkcp0Im5nJF42RinbhSoMA Hki3UhfRCgcUvayRilF+hoI7S+OLeTM7rmhZv/EXU8OtuxGzsfTMzuO/nmpe3JxaLQJ1 8Vhw== X-Gm-Message-State: AOJu0YzWzGVPNP/v0ybH0ViitVDzAXatIcFGOzLQL5eK9Aa2DE/wIULV saUju6G1OQXYFw2JnlsSQMf0SWA+cArRI5kgKYpfOsQvKfnp6jeJUN4dpLiCfyI= X-Gm-Gg: ASbGnctVumdNxfmr8cWeX/DWy+bs/jPcRc/RfI3vZDPrWtoSTHd4ev9Pnsq+npv6wYo g9JYWqX9lokmxikBdAgXZ7smxiGscfaBxxNXVv65n98OFX6Q5Uh9XrxTWdJoVS5Emab+weXDpix P9uYoVxJC4J872207UTq9+znGu1VKm5DH/Za8rSeP06a09mfRx83KhBdiMMLHSaHB50lT6WzAcu 2j0h6j/Ksxhwy1ywsVoTOzs3uVOiZcaV2e0byH0Zq210UFgP9PwMGLz/fwtfm+XmulOh7K0j6ym bw== X-Google-Smtp-Source: AGHT+IGhVC42yoECG0uqtF5SGUNluQCYdIn35tmQDJjTHXd1EAAyOzzGjFYrEYIWibTXe0cel+liug== X-Received: by 2002:a5d:5f45:0:b0:385:e4a7:def9 with SMTP id ffacd0b85a97d-385fd532811mr3442206f8f.50.1733280117428; Tue, 03 Dec 2024 18:41:57 -0800 (PST) Received: from localhost (fwdproxy-cln-020.fbsv.net. [2a03:2880:31ff:14::face:b00c]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-385f10a12dbsm7896468f8f.105.2024.12.03.18.41.56 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 03 Dec 2024 18:41:56 -0800 (PST) From: Kumar Kartikeya Dwivedi To: bpf@vger.kernel.org Cc: kkd@meta.com, Manu Bretelle , Alexei Starovoitov , Andrii Nakryiko , Daniel Borkmann , Martin KaFai Lau , Eduard Zingerman , kernel-team@fb.com Subject: [PATCH bpf v1 1/2] bpf: Suppress warning for non-zero off raw_tp arg NULL check Date: Tue, 3 Dec 2024 18:41:53 -0800 Message-ID: <20241204024154.21386-2-memxor@gmail.com> X-Mailer: git-send-email 2.43.5 In-Reply-To: <20241204024154.21386-1-memxor@gmail.com> References: <20241204024154.21386-1-memxor@gmail.com> Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=6311; h=from:subject; bh=kr8LKcqxg60fcBZt62Nwvk3k3pyftJLPfJKNwyWiICc=; b=owEBbQKS/ZANAwAIAUzgyIZIvxHKAcsmYgBnT8CAFZYji05D7JQsUu8CC191JRFpTWUCy2XNeqP0 3j9Md3aJAjMEAAEIAB0WIQRLvip+Buz51YI8YRFM4MiGSL8RygUCZ0/AgAAKCRBM4MiGSL8RyiwYD/ 9BvkJHn0/1z7j9otzZccpPOLMo2oRFlTaPvzOpLBKLRcRmTg8jCNTU2u5u7fVcbgcz3iBMwqFMl4gr GjmKfjc2QvXX6KA3MMuYOyL6ERVP2sJdK7eC4fkW1YCkPfax2BqLefa2Bdqp81dYuxfCAxlueyx7A/ 1ERFjoU23BytaPaGvVwGbKF29TYGWmXvX+bu78h/D8teW64B6uhbJeMY+WRwrnnt6ipJGRPeU2jNhv rkaKfaonCIx/ljYzbMRwVOZtb21er9r3wIxCAChOkTRUN7Ho8SbJdXobW4CIMHUFmR2ajW1iP5Uc8l YB8XdBGY6OU76Bdu0HZLR31IiZpJQnvXsYk/Z8QvOs/+IkONOiApj1d5l0nnHVoZ8n/M1M2Ba5Eo61 J6lDqQVEVCb2Taf+640h7n+4XtSuQflCGD69QrtLj6Kgi70h04BGxUMQrGUEJ+XZcwc6vbjpi1wlh6 cqrEedVtJKQph5UcjTmafnBXdoX2oYq0siSUv23cZq6P5CB2X336ORCMdLxVfDDdxnpwRPJQUaJiqs KBxYcvKXcX6MJ1plancfgYaArXMK6JN08agtC2Q6j9YdXzca5eFfYCkFvEWqeidBHDezY65vIzpXIp KuajIcdra3+7Fyyjqngaecw4/ahH3RfXhcqP9ebK2tQVe1pJTyUFjrRPF5Vw== X-Developer-Key: i=memxor@gmail.com; a=openpgp; fpr=4BBE2A7E06ECF9D5823C61114CE0C88648BF11CA X-Patchwork-Delegate: bpf@iogearbox.net The fixed commit began marking raw_tp arguments as PTR_MAYBE_NULL to avoid dead code elimination in the verifier, since raw_tp arguments may actually be NULL at runtime. However, to preserve compatibility, it simulated the raw_tp accesses as if the NULL marking was not present. One of the behaviors permitted by this simulation is offset modification for NULL pointers. Typically, this pattern is rejected by the verifier, and users make workarounds to prevent the compiler from producing such patterns. However, now that it is allowed, when the compiler emits such code, the offset modification is allowed and a PTR_MAYBE_NULL raw_tp arg with non-zero off can be formed. The failing example program had the following pseudo-code: r0 = 1024; r1 = ...; // r1 = trusted_or_null_(id=1) r3 = r1; // r3 = trusted_or_null_(id=1) r1 = trusted_or_null_(id=1) r3 += r0; // r3 = trusted_or_null_(id=1, off=1024) if r1 == 0 goto pc+X; At this point, while mark_ptr_or_null_reg will see PTR_MAYBE_NULL and off == 0 for r1, it will notice non-zero off for r3, and the WARN_ON_ONCE will fire, as the condition checks excluding register types do not include raw_tp argument type. This is a pattern produced by LLVM, therefore it is hard to suppress it everywhere in BPF programs. The right "generic" fix for this issue in general, will be permitting offset modification for PTR_MAYBE_NULL pointers everywhere, and enforcing that the instruction operand of a conditional jump has the offset as zero. It's other copies may still have non-zero offset, and that is fine. But this is more involved and will take longer to integrate. Hence, for now, when we notice raw_tp args with off != 0 when unmarking NULL modifier, simply allocate such pointer a fresh id and remove them from the "id" set being currently operated on, and leave them as is without removing PTR_MAYBE_NULL marking. Dereferencing such pointers will still work as the fixed commit allowed it for raw_tp args. This will mean that still, all registers with a given id and off = 0 will be unmarked, even if a register with off != 0 is NULL checked, but this shouldn't introducing any incorrectness. Just that any register with off != 0 excludes itself from the marking exercise by reassigning itself a new id. Fixes: cb4158ce8ec8 ("bpf: Mark raw_tp arguments with PTR_MAYBE_NULL") Reported-by: Manu Bretelle Signed-off-by: Kumar Kartikeya Dwivedi --- kernel/bpf/verifier.c | 44 ++++++++++++++++++++++++++++++++++++++----- 1 file changed, 39 insertions(+), 5 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 1c4ebb326785..37504095a0bc 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -15335,7 +15335,8 @@ static int reg_set_min_max(struct bpf_verifier_env *env, return err; } -static void mark_ptr_or_null_reg(struct bpf_func_state *state, +static void mark_ptr_or_null_reg(struct bpf_verifier_env *env, + struct bpf_func_state *state, struct bpf_reg_state *reg, u32 id, bool is_null) { @@ -15352,6 +15353,38 @@ static void mark_ptr_or_null_reg(struct bpf_func_state *state, */ if (WARN_ON_ONCE(reg->smin_value || reg->smax_value || !tnum_equals_const(reg->var_off, 0))) return; + /* Unlike the MEM_ALLOC and NON_OWN_REF cases explicitly tested + * below, where verifier will set off != 0, we allow users to + * modify offset of PTR_MAYBE_NULL raw_tp args to preserve + * compatibility since they were not marked NULL in older + * kernels. This however means we may see a non-zero offset + * register when marking them non-NULL in verifier state. + * This can happen for the operand of the instruction: + * + * r1 = trusted_or_null_(id=1); + * if r1 == 0 goto X; + * + * or a copy when LLVM produces code like below: + * + * r1 = trusted_or_null_(id=1); + * r3 = r1; // r3 = trusted_or_null(id=1) + * r3 += K; // r3 = trusted_or_null_(id=1, off=K) + * if r1 == 0 goto X; // see r3.off != 0 when unmarking _or_null + * + * The right fix would be more generic: lift the restriction on + * modifying reg->off for PTR_MAYBE_NULL pointers, and only + * enforce it for the instruction operand of a NULL check, while + * allowing non-zero off for other registers, but this is future + * work. + */ + if (mask_raw_tp_reg_cond(env, reg) && reg->off) { + /* We don't reset reg->id back to 0, as it's unexpected + * when PTR_MAYBE_NULL is set. Simply give this reg a + * new id in case user decides to NULL check it again. + */ + reg->id = ++env->id_gen; + return; + } if (!(type_is_ptr_alloc_obj(reg->type) || type_is_non_owning_ref(reg->type)) && WARN_ON_ONCE(reg->off)) return; @@ -15385,7 +15418,8 @@ static void mark_ptr_or_null_reg(struct bpf_func_state *state, /* The logic is similar to find_good_pkt_pointers(), both could eventually * be folded together at some point. */ -static void mark_ptr_or_null_regs(struct bpf_verifier_state *vstate, u32 regno, +static void mark_ptr_or_null_regs(struct bpf_verifier_env *env, + struct bpf_verifier_state *vstate, u32 regno, bool is_null) { struct bpf_func_state *state = vstate->frame[vstate->curframe]; @@ -15401,7 +15435,7 @@ static void mark_ptr_or_null_regs(struct bpf_verifier_state *vstate, u32 regno, WARN_ON_ONCE(release_reference_state(state, id)); bpf_for_each_reg_in_vstate(vstate, state, reg, ({ - mark_ptr_or_null_reg(state, reg, id, is_null); + mark_ptr_or_null_reg(env, state, reg, id, is_null); })); } @@ -15827,9 +15861,9 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env, /* Mark all identical registers in each branch as either * safe or unknown depending R == 0 or R != 0 conditional. */ - mark_ptr_or_null_regs(this_branch, insn->dst_reg, + mark_ptr_or_null_regs(env, this_branch, insn->dst_reg, opcode == BPF_JNE); - mark_ptr_or_null_regs(other_branch, insn->dst_reg, + mark_ptr_or_null_regs(env, other_branch, insn->dst_reg, opcode == BPF_JEQ); } else if (!try_match_pkt_pointers(insn, dst_reg, ®s[insn->src_reg], this_branch, other_branch) && From patchwork Wed Dec 4 02:41:54 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kumar Kartikeya Dwivedi X-Patchwork-Id: 13893153 X-Patchwork-Delegate: bpf@iogearbox.net Received: from mail-wm1-f65.google.com (mail-wm1-f65.google.com [209.85.128.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 716E527715 for ; Wed, 4 Dec 2024 02:42:01 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.65 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1733280123; cv=none; b=SrVQ1syMx2qVghq7vbk6RVEMc7b48URALGIhzXuZLtMtFLOkSVCnWYEKhVo2vMV+ipqG1gKSzDKw6LBS2n6DR5wIKKn2j5bYYQqojOBYGLP6KrtdHMMAfdyufQj7k43nA7+UpczsXq+UfydSsWwTKjyZW/6oRJ23fUVlIL0+QYo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1733280123; c=relaxed/simple; bh=GR4SqSfDa0L/6ZPFyKuaEdnvN+gm4aY9iaeV6W4XSDo=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=jbRoBtC0QREtPrknFDbG4nBDfHq/WsQ7+rqoiaBtf8ojz5kruxdVmtRAGQOP5R8yNSpJdwL80IJc+oXF+48eKaJukQFaOAXeKMUDFyOstJSRdHABcsI3d/R8N1yWuMG8jWIWRpazkwzS8oPpDKhdRaWhkIT7t0RKe0iatU/L34U= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=mdbszBNP; arc=none smtp.client-ip=209.85.128.65 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="mdbszBNP" Received: by mail-wm1-f65.google.com with SMTP id 5b1f17b1804b1-434a1fe2b43so56375485e9.2 for ; Tue, 03 Dec 2024 18:42:01 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1733280119; x=1733884919; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=o4d3mN0BuOSsoMkdYNxjchoayjyUz4nDXno21TpF1rY=; b=mdbszBNPCCQbr/vf+ft/obkiRzzfDvxfD48v1PWuOJUEjtcVk41BwXETaR/6MJmHFd 2ArzjX6146X+75pQfu7qVntaTtGYVbbPfqTq/JDRu2IG+nQCtaaA5mytKZow0duwouK5 rgs4gyoqE21tW2TXeDzZl/IQGt35jWO6oOAEGX4a85VLJWpKKUFNqimAwqgooStSPTA1 sMWyj5Yj7GX7C0oP48csZf+5nHqBFbae4CvsPBLCtLYV0iHfz+hCVdt8qUV6ea5WTOsP ooFGmEPzaiZv0yzoURCVcVzY8pYjlF1zYgDGbPGFvju6ZJAMjorP6ormavSSNSHN4X8C nTwQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1733280119; x=1733884919; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=o4d3mN0BuOSsoMkdYNxjchoayjyUz4nDXno21TpF1rY=; b=KdBdU5XoIWwEcGKtGPRYJY1msmlsTM4BMdFqVYWqhDQ7jX6YCkfejwm4Y0hdIyWiJG 05L29y9sfve+4oPkmy8+TzDj/snuDswVonV2wR2pOGpzm5ei86Cz+GPV0de9Sa6lqK/h QUKIgdenMdjsBdrdFgZYfEtQHRphDhCR9w6YsvubZDpq+akSpSRB93xRHC0gQ5Yb7WXo /0vMAUsCm0fsMp5dV6mvKuRBvN3POadTQNM3mEFjIQbnYpmUrjy0sx4uDb2T1FNJdACv KBphK9q70m8wKPkQkwD6ffxMNzzLsKljPLW2xfqjW1UZT/UCWoYN2SDvkjWwyliPzhFO 4FZw== X-Gm-Message-State: AOJu0YxuzrXgFnn9ZfEe9XcIIEoYrncy5xq6cphzOTDjcF/GJucnVOQp 5svobmRsTxF5xizNU6MOSHW/RKeVwUiGCVnGqsuAW3+O0xd7nquEHXsLhFwkPJw= X-Gm-Gg: ASbGnctBolIJuCUMbUqU7XEr0+UF3d3prh3epNYahDd7cpnh8/jwFlFkbVyLbHw8yiq WResmDGleIVFSm+wXHnoUNe7iTecl0XF6Zr4w4+7wlFBgUGsflBRyE6OIwUVsInmokKzQKCfFAn L11xYGh5oJ/G3GVlisgcaxLnCQO+oB6XXFnNTqhf+SpnetYvhlwCCo1F60TTr/5tP7GCf94hcKH iMf2I4Gn6CBDlrVfdaIQE+3PItbU3QRRrY83uhdXZiZqjjd//U70B7BFaqJvUWZzu/xbyqgjPdJ X-Google-Smtp-Source: AGHT+IGlIRD4EHevk9oopnW6Nt9t75Ei7CXGkyELI1JLobfFYrA9GNPAmZGEHwUK8bFWaWR4DN4keg== X-Received: by 2002:a05:600c:4ecf:b0:426:647b:1bfc with SMTP id 5b1f17b1804b1-434d0a14eb7mr47317085e9.30.1733280118866; Tue, 03 Dec 2024 18:41:58 -0800 (PST) Received: from localhost (fwdproxy-cln-003.fbsv.net. [2a03:2880:31ff:3::face:b00c]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-434d5273440sm7350535e9.18.2024.12.03.18.41.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 03 Dec 2024 18:41:58 -0800 (PST) From: Kumar Kartikeya Dwivedi To: bpf@vger.kernel.org Cc: kkd@meta.com, Alexei Starovoitov , Andrii Nakryiko , Daniel Borkmann , Martin KaFai Lau , Eduard Zingerman , Manu Bretelle , kernel-team@fb.com Subject: [PATCH bpf v1 2/2] selftests/bpf: Add raw_tp tests for PTR_MAYBE_NULL marking Date: Tue, 3 Dec 2024 18:41:54 -0800 Message-ID: <20241204024154.21386-3-memxor@gmail.com> X-Mailer: git-send-email 2.43.5 In-Reply-To: <20241204024154.21386-1-memxor@gmail.com> References: <20241204024154.21386-1-memxor@gmail.com> Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=4160; h=from:subject; bh=GR4SqSfDa0L/6ZPFyKuaEdnvN+gm4aY9iaeV6W4XSDo=; b=owEBbQKS/ZANAwAIAUzgyIZIvxHKAcsmYgBnT8CACeAztdDTrIuipP1NQ9au77EqAjkJfWW7NVj4 FnlDHWqJAjMEAAEIAB0WIQRLvip+Buz51YI8YRFM4MiGSL8RygUCZ0/AgAAKCRBM4MiGSL8RykkED/ 4yDbKf7Yht/GgxKa37kSeT+RfQViRXTCPMzAh+mYh56AdPu2yyfy1P9WzBwdj2jmhPvm+PCViRnEHV a+H6yw05SSLuUlvsPvBsAMUUG2mOWEm0XP6wkVTE/MBAcDIUJUWacfVK9IuH2kZOAPR54+zR1OA0Eh wlY42f5I+zxK3BjCCRmDFozpgehwA7eYe3VDsm2UZqgFCqbrvfnSVE9/BLnIwYzknaGAdWakRPahnb YRYfcBTLZTQPDicCA5OLwd/6yfOONYkmiW/stfewNXChmKF6SR/8215SdN24wDsPr1q2ApG5bwuhYP lJDn/qY2bj9JemoJe0Czctb8Z3Y6lvfRfxRSjyVpNsVsqVDp3aJMB/HMuPXR0wuD1o3JH7svy3Mvom xmFSsFBJdTwCOBw3/z7Zm2HtVeShGdpoMuJ393jqQA1oakCoXH1HtQtR1WMJ+7JzbW7spc76s6W3xs yRFTs7e3mLdRTliL3J+H8L+2hqjv2jPZ5oeq5CeHz5WBT0m8hRCaZG0/ea7r5apeGj8EAZxqtUIeUw TZMsg+cb6/tuCXzAt9MKgrvjfTTRLvrLMgtylSQzfoDTQvM7rELJEE7rMwH8SkJJmgqxQGX3kEedi0 tHJ+ptNwP1LVWjZQkIHm2o6avfuUjq+2D+aOk/U0vslZUb0WBLXzCGhPMIUQ== X-Developer-Key: i=memxor@gmail.com; a=openpgp; fpr=4BBE2A7E06ECF9D5823C61114CE0C88648BF11CA X-Patchwork-Delegate: bpf@iogearbox.net Ensure that pointers with off != 0 are never unmarked as PTR_MAYBE_NULL, pointers that have off == 0 continue getting unmarked, and pointers that don't get unmarked acquire a new id instead of resetting it to zero, so as to identify themselves uniquely and not hit other warnings where id == 0 is not expected with PTR_MAYBE_NULL. Signed-off-by: Kumar Kartikeya Dwivedi --- .../selftests/bpf/prog_tests/raw_tp_null.c | 6 ++ .../selftests/bpf/progs/raw_tp_null_fail.c | 81 +++++++++++++++++++ 2 files changed, 87 insertions(+) create mode 100644 tools/testing/selftests/bpf/progs/raw_tp_null_fail.c diff --git a/tools/testing/selftests/bpf/prog_tests/raw_tp_null.c b/tools/testing/selftests/bpf/prog_tests/raw_tp_null.c index 6fa19449297e..13fcd4c31034 100644 --- a/tools/testing/selftests/bpf/prog_tests/raw_tp_null.c +++ b/tools/testing/selftests/bpf/prog_tests/raw_tp_null.c @@ -3,6 +3,12 @@ #include #include "raw_tp_null.skel.h" +#include "raw_tp_null_fail.skel.h" + +void test_raw_tp_null_fail(void) +{ + RUN_TESTS(raw_tp_null_fail); +} void test_raw_tp_null(void) { diff --git a/tools/testing/selftests/bpf/progs/raw_tp_null_fail.c b/tools/testing/selftests/bpf/progs/raw_tp_null_fail.c new file mode 100644 index 000000000000..12096150a48c --- /dev/null +++ b/tools/testing/selftests/bpf/progs/raw_tp_null_fail.c @@ -0,0 +1,81 @@ +// SPDX-License-Identifier: GPL-2.0 +/* Copyright (c) 2024 Meta Platforms, Inc. and affiliates. */ + +#include +#include +#include "bpf_misc.h" + +/* r1 with off = 0 is checked, which marks new id for r0 with off=8 */ +SEC("tp_btf/bpf_testmod_test_raw_tp_null") +__failure +__msg("2: (b7) r2 = 0 ; R2_w=0") +__msg("3: (07) r0 += 8 ; R0_w=trusted_ptr_or_null_sk_buff(id=1,off=8)") +__msg("4: (15) if r1 == 0x0 goto pc+2 ; R1_w=trusted_ptr_sk_buff()") +__msg("5: (bf) r2 = r0 ; R0_w=trusted_ptr_or_null_sk_buff(id=2,off=8)") +int BPF_PROG(test_raw_tp_null_check_zero_off, struct sk_buff *skb) +{ + asm volatile ( + "r1 = *(u64 *)(r1 +0); \ + r0 = r1; \ + r2 = 0; \ + r0 += 8; \ + if r1 == 0 goto jmp; \ + r2 = r0; \ + *(u64 *)(r2 +0) = r2; \ + jmp: " + :: + : __clobber_all + ); + return 0; +} + +/* r2 with offset is checked, which marks r1 with off=0 as non-NULL */ +SEC("tp_btf/bpf_testmod_test_raw_tp_null") +__failure +__msg("3: (07) r2 += 8 ; R2_w=trusted_ptr_or_null_sk_buff(id=1,off=8)") +__msg("4: (15) if r2 == 0x0 goto pc+2 ; R2_w=trusted_ptr_or_null_sk_buff(id=2,off=8)") +__msg("5: (bf) r1 = r1 ; R1_w=trusted_ptr_sk_buff()") +int BPF_PROG(test_raw_tp_null_copy_check_with_off, struct sk_buff *skb) +{ + asm volatile ( + "r1 = *(u64 *)(r1 +0); \ + r2 = r1; \ + r3 = 0; \ + r2 += 8; \ + if r2 == 0 goto jmp2; \ + r1 = r1; \ + *(u64 *)(r3 +0) = r3; \ + jmp2: " + :: + : __clobber_all + ); + return 0; +} + +/* Ensure id's are incremented everytime things are checked.. */ +SEC("tp_btf/bpf_testmod_test_raw_tp_null") +__failure +__msg("2: (07) r0 += 8 ; R0_w=trusted_ptr_or_null_sk_buff(id=1,off=8)") +__msg("3: (15) if r0 == 0x0 goto pc+4 ; R0_w=trusted_ptr_or_null_sk_buff(id=2,off=8)") +__msg("4: (15) if r0 == 0x0 goto pc+3 ; R0_w=trusted_ptr_or_null_sk_buff(id=4,off=8)") +__msg("5: (15) if r0 == 0x0 goto pc+2 ; R0_w=trusted_ptr_or_null_sk_buff(id=6,off=8)") +__msg("6: (bf) r2 = r0 ; R0_w=trusted_ptr_or_null_sk_buff(id=6,off=8)") +int BPF_PROG(test_raw_tp_check_with_off, struct sk_buff *skb) +{ + asm volatile ( + "r1 = *(u64 *)(r1 +0); \ + r0 = r1; \ + r0 += 8; \ + if r0 == 0 goto jmp3; \ + if r0 == 0 goto jmp3; \ + if r0 == 0 goto jmp3; \ + r2 = r0; \ + *(u64 *)(r2 +0) = r2; \ + jmp3: " + :: + : __clobber_all + ); + return 0; +} + +char _license[] SEC("license") = "GPL";