2020-05-15 12:49:04 -07:00
|
|
|
// SPDX-License-Identifier: GPL-2.0
|
|
|
|
|
#include <test_progs.h>
|
2017-05-10 11:43:51 -07:00
|
|
|
|
|
|
|
|
#define MAX_INSNS 512
|
2022-11-04 09:36:49 -07:00
|
|
|
#define MAX_MATCHES 24
|
2017-05-10 11:43:51 -07:00
|
|
|
|
2017-08-07 15:27:34 +01:00
|
|
|
struct bpf_reg_match {
|
|
|
|
|
unsigned int line;
|
2023-10-11 15:37:26 -07:00
|
|
|
const char *reg;
|
2017-08-07 15:27:34 +01:00
|
|
|
const char *match;
|
|
|
|
|
};
|
|
|
|
|
|
2017-05-10 11:43:51 -07:00
|
|
|
struct bpf_align_test {
|
|
|
|
|
const char *descr;
|
|
|
|
|
struct bpf_insn insns[MAX_INSNS];
|
|
|
|
|
enum {
|
|
|
|
|
UNDEF,
|
|
|
|
|
ACCEPT,
|
|
|
|
|
REJECT
|
|
|
|
|
} result;
|
|
|
|
|
enum bpf_prog_type prog_type;
|
2017-08-07 15:27:34 +01:00
|
|
|
/* Matches must be in order of increasing line */
|
|
|
|
|
struct bpf_reg_match matches[MAX_MATCHES];
|
2017-05-10 11:43:51 -07:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static struct bpf_align_test tests[] = {
|
2017-08-07 15:27:34 +01:00
|
|
|
/* Four tests of known constants. These aren't staggeringly
|
|
|
|
|
* interesting since we track exact values now.
|
|
|
|
|
*/
|
2017-05-10 11:43:51 -07:00
|
|
|
{
|
|
|
|
|
.descr = "mov",
|
|
|
|
|
.insns = {
|
|
|
|
|
BPF_MOV64_IMM(BPF_REG_3, 2),
|
|
|
|
|
BPF_MOV64_IMM(BPF_REG_3, 4),
|
|
|
|
|
BPF_MOV64_IMM(BPF_REG_3, 8),
|
|
|
|
|
BPF_MOV64_IMM(BPF_REG_3, 16),
|
|
|
|
|
BPF_MOV64_IMM(BPF_REG_3, 32),
|
|
|
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
|
|
|
BPF_EXIT_INSN(),
|
|
|
|
|
},
|
|
|
|
|
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
|
|
|
|
|
.matches = {
|
2023-11-17 19:46:21 -08:00
|
|
|
{0, "R1", "ctx()"},
|
2023-10-11 15:37:26 -07:00
|
|
|
{0, "R10", "fp0"},
|
|
|
|
|
{0, "R3_w", "2"},
|
|
|
|
|
{1, "R3_w", "4"},
|
|
|
|
|
{2, "R3_w", "8"},
|
|
|
|
|
{3, "R3_w", "16"},
|
|
|
|
|
{4, "R3_w", "32"},
|
2017-05-10 11:43:51 -07:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
.descr = "shift",
|
|
|
|
|
.insns = {
|
|
|
|
|
BPF_MOV64_IMM(BPF_REG_3, 1),
|
|
|
|
|
BPF_ALU64_IMM(BPF_LSH, BPF_REG_3, 1),
|
|
|
|
|
BPF_ALU64_IMM(BPF_LSH, BPF_REG_3, 1),
|
|
|
|
|
BPF_ALU64_IMM(BPF_LSH, BPF_REG_3, 1),
|
|
|
|
|
BPF_ALU64_IMM(BPF_LSH, BPF_REG_3, 1),
|
|
|
|
|
BPF_ALU64_IMM(BPF_RSH, BPF_REG_3, 4),
|
|
|
|
|
BPF_MOV64_IMM(BPF_REG_4, 32),
|
|
|
|
|
BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 1),
|
|
|
|
|
BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 1),
|
|
|
|
|
BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 1),
|
|
|
|
|
BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 1),
|
|
|
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
|
|
|
BPF_EXIT_INSN(),
|
|
|
|
|
},
|
|
|
|
|
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
|
|
|
|
|
.matches = {
|
2023-11-17 19:46:21 -08:00
|
|
|
{0, "R1", "ctx()"},
|
2023-10-11 15:37:26 -07:00
|
|
|
{0, "R10", "fp0"},
|
|
|
|
|
{0, "R3_w", "1"},
|
|
|
|
|
{1, "R3_w", "2"},
|
|
|
|
|
{2, "R3_w", "4"},
|
|
|
|
|
{3, "R3_w", "8"},
|
|
|
|
|
{4, "R3_w", "16"},
|
|
|
|
|
{5, "R3_w", "1"},
|
|
|
|
|
{6, "R4_w", "32"},
|
|
|
|
|
{7, "R4_w", "16"},
|
|
|
|
|
{8, "R4_w", "8"},
|
|
|
|
|
{9, "R4_w", "4"},
|
|
|
|
|
{10, "R4_w", "2"},
|
2017-05-10 11:43:51 -07:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
.descr = "addsub",
|
|
|
|
|
.insns = {
|
|
|
|
|
BPF_MOV64_IMM(BPF_REG_3, 4),
|
|
|
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 4),
|
|
|
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 2),
|
|
|
|
|
BPF_MOV64_IMM(BPF_REG_4, 8),
|
|
|
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
|
|
|
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
|
|
|
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
|
|
|
BPF_EXIT_INSN(),
|
|
|
|
|
},
|
|
|
|
|
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
|
|
|
|
|
.matches = {
|
2023-11-17 19:46:21 -08:00
|
|
|
{0, "R1", "ctx()"},
|
2023-10-11 15:37:26 -07:00
|
|
|
{0, "R10", "fp0"},
|
|
|
|
|
{0, "R3_w", "4"},
|
|
|
|
|
{1, "R3_w", "8"},
|
|
|
|
|
{2, "R3_w", "10"},
|
|
|
|
|
{3, "R4_w", "8"},
|
|
|
|
|
{4, "R4_w", "12"},
|
|
|
|
|
{5, "R4_w", "14"},
|
2017-05-10 11:43:51 -07:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
.descr = "mul",
|
|
|
|
|
.insns = {
|
|
|
|
|
BPF_MOV64_IMM(BPF_REG_3, 7),
|
|
|
|
|
BPF_ALU64_IMM(BPF_MUL, BPF_REG_3, 1),
|
|
|
|
|
BPF_ALU64_IMM(BPF_MUL, BPF_REG_3, 2),
|
|
|
|
|
BPF_ALU64_IMM(BPF_MUL, BPF_REG_3, 4),
|
|
|
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
|
|
|
BPF_EXIT_INSN(),
|
|
|
|
|
},
|
|
|
|
|
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
|
|
|
|
|
.matches = {
|
2023-11-17 19:46:21 -08:00
|
|
|
{0, "R1", "ctx()"},
|
2023-10-11 15:37:26 -07:00
|
|
|
{0, "R10", "fp0"},
|
|
|
|
|
{0, "R3_w", "7"},
|
|
|
|
|
{1, "R3_w", "7"},
|
|
|
|
|
{2, "R3_w", "14"},
|
|
|
|
|
{3, "R3_w", "56"},
|
2017-05-10 11:43:51 -07:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
|
2017-08-07 15:27:34 +01:00
|
|
|
/* Tests using unknown values */
|
2017-05-10 11:43:51 -07:00
|
|
|
#define PREP_PKT_POINTERS \
|
|
|
|
|
BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, \
|
|
|
|
|
offsetof(struct __sk_buff, data)), \
|
|
|
|
|
BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, \
|
|
|
|
|
offsetof(struct __sk_buff, data_end))
|
|
|
|
|
|
|
|
|
|
#define LOAD_UNKNOWN(DST_REG) \
|
|
|
|
|
PREP_PKT_POINTERS, \
|
|
|
|
|
BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), \
|
|
|
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), \
|
|
|
|
|
BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 1), \
|
|
|
|
|
BPF_EXIT_INSN(), \
|
|
|
|
|
BPF_LDX_MEM(BPF_B, DST_REG, BPF_REG_2, 0)
|
|
|
|
|
|
|
|
|
|
{
|
|
|
|
|
.descr = "unknown shift",
|
|
|
|
|
.insns = {
|
|
|
|
|
LOAD_UNKNOWN(BPF_REG_3),
|
|
|
|
|
BPF_ALU64_IMM(BPF_LSH, BPF_REG_3, 1),
|
|
|
|
|
BPF_ALU64_IMM(BPF_LSH, BPF_REG_3, 1),
|
|
|
|
|
BPF_ALU64_IMM(BPF_LSH, BPF_REG_3, 1),
|
|
|
|
|
BPF_ALU64_IMM(BPF_LSH, BPF_REG_3, 1),
|
|
|
|
|
LOAD_UNKNOWN(BPF_REG_4),
|
|
|
|
|
BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 5),
|
|
|
|
|
BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 1),
|
|
|
|
|
BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 1),
|
|
|
|
|
BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 1),
|
|
|
|
|
BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 1),
|
|
|
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
|
|
|
BPF_EXIT_INSN(),
|
|
|
|
|
},
|
|
|
|
|
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
|
|
|
|
|
.matches = {
|
2023-11-17 19:46:21 -08:00
|
|
|
{6, "R0_w", "pkt(off=8,r=8)"},
|
2023-10-11 15:37:26 -07:00
|
|
|
{6, "R3_w", "var_off=(0x0; 0xff)"},
|
|
|
|
|
{7, "R3_w", "var_off=(0x0; 0x1fe)"},
|
|
|
|
|
{8, "R3_w", "var_off=(0x0; 0x3fc)"},
|
|
|
|
|
{9, "R3_w", "var_off=(0x0; 0x7f8)"},
|
|
|
|
|
{10, "R3_w", "var_off=(0x0; 0xff0)"},
|
2023-11-17 19:46:21 -08:00
|
|
|
{12, "R3_w", "pkt_end()"},
|
2023-10-11 15:37:26 -07:00
|
|
|
{17, "R4_w", "var_off=(0x0; 0xff)"},
|
|
|
|
|
{18, "R4_w", "var_off=(0x0; 0x1fe0)"},
|
|
|
|
|
{19, "R4_w", "var_off=(0x0; 0xff0)"},
|
|
|
|
|
{20, "R4_w", "var_off=(0x0; 0x7f8)"},
|
|
|
|
|
{21, "R4_w", "var_off=(0x0; 0x3fc)"},
|
|
|
|
|
{22, "R4_w", "var_off=(0x0; 0x1fe)"},
|
2017-05-10 11:43:51 -07:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
.descr = "unknown mul",
|
|
|
|
|
.insns = {
|
|
|
|
|
LOAD_UNKNOWN(BPF_REG_3),
|
|
|
|
|
BPF_MOV64_REG(BPF_REG_4, BPF_REG_3),
|
|
|
|
|
BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 1),
|
|
|
|
|
BPF_MOV64_REG(BPF_REG_4, BPF_REG_3),
|
|
|
|
|
BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 2),
|
|
|
|
|
BPF_MOV64_REG(BPF_REG_4, BPF_REG_3),
|
|
|
|
|
BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 4),
|
|
|
|
|
BPF_MOV64_REG(BPF_REG_4, BPF_REG_3),
|
|
|
|
|
BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 8),
|
|
|
|
|
BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 2),
|
|
|
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
|
|
|
BPF_EXIT_INSN(),
|
|
|
|
|
},
|
|
|
|
|
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
|
|
|
|
|
.matches = {
|
2023-10-11 15:37:26 -07:00
|
|
|
{6, "R3_w", "var_off=(0x0; 0xff)"},
|
|
|
|
|
{7, "R4_w", "var_off=(0x0; 0xff)"},
|
|
|
|
|
{8, "R4_w", "var_off=(0x0; 0xff)"},
|
|
|
|
|
{9, "R4_w", "var_off=(0x0; 0xff)"},
|
|
|
|
|
{10, "R4_w", "var_off=(0x0; 0x1fe)"},
|
|
|
|
|
{11, "R4_w", "var_off=(0x0; 0xff)"},
|
|
|
|
|
{12, "R4_w", "var_off=(0x0; 0x3fc)"},
|
|
|
|
|
{13, "R4_w", "var_off=(0x0; 0xff)"},
|
|
|
|
|
{14, "R4_w", "var_off=(0x0; 0x7f8)"},
|
|
|
|
|
{15, "R4_w", "var_off=(0x0; 0xff0)"},
|
2017-05-10 11:43:51 -07:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
.descr = "packet const offset",
|
|
|
|
|
.insns = {
|
|
|
|
|
PREP_PKT_POINTERS,
|
|
|
|
|
BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
|
|
|
|
|
|
|
|
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
|
|
|
|
|
|
|
|
/* Skip over ethernet header. */
|
|
|
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
|
|
|
|
|
BPF_MOV64_REG(BPF_REG_4, BPF_REG_5),
|
|
|
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
|
|
|
|
|
BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_4, 1),
|
|
|
|
|
BPF_EXIT_INSN(),
|
|
|
|
|
|
|
|
|
|
BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_5, 0),
|
|
|
|
|
BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_5, 1),
|
|
|
|
|
BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_5, 2),
|
|
|
|
|
BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_5, 3),
|
|
|
|
|
BPF_LDX_MEM(BPF_H, BPF_REG_4, BPF_REG_5, 0),
|
|
|
|
|
BPF_LDX_MEM(BPF_H, BPF_REG_4, BPF_REG_5, 2),
|
|
|
|
|
BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_5, 0),
|
|
|
|
|
|
|
|
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
|
|
|
BPF_EXIT_INSN(),
|
|
|
|
|
},
|
|
|
|
|
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
|
|
|
|
|
.matches = {
|
2023-11-17 19:46:21 -08:00
|
|
|
{2, "R5_w", "pkt(r=0)"},
|
|
|
|
|
{4, "R5_w", "pkt(off=14,r=0)"},
|
|
|
|
|
{5, "R4_w", "pkt(off=14,r=0)"},
|
|
|
|
|
{9, "R2", "pkt(r=18)"},
|
|
|
|
|
{10, "R5", "pkt(off=14,r=18)"},
|
2023-10-11 15:37:26 -07:00
|
|
|
{10, "R4_w", "var_off=(0x0; 0xff)"},
|
|
|
|
|
{13, "R4_w", "var_off=(0x0; 0xffff)"},
|
|
|
|
|
{14, "R4_w", "var_off=(0x0; 0xffff)"},
|
2017-05-10 11:43:51 -07:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
.descr = "packet variable offset",
|
|
|
|
|
.insns = {
|
|
|
|
|
LOAD_UNKNOWN(BPF_REG_6),
|
|
|
|
|
BPF_ALU64_IMM(BPF_LSH, BPF_REG_6, 2),
|
|
|
|
|
|
|
|
|
|
/* First, add a constant to the R5 packet pointer,
|
|
|
|
|
* then a variable with a known alignment.
|
|
|
|
|
*/
|
|
|
|
|
BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
|
|
|
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
|
|
|
|
|
BPF_ALU64_REG(BPF_ADD, BPF_REG_5, BPF_REG_6),
|
|
|
|
|
BPF_MOV64_REG(BPF_REG_4, BPF_REG_5),
|
|
|
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
|
|
|
|
|
BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_4, 1),
|
|
|
|
|
BPF_EXIT_INSN(),
|
|
|
|
|
BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_5, 0),
|
|
|
|
|
|
|
|
|
|
/* Now, test in the other direction. Adding first
|
|
|
|
|
* the variable offset to R5, then the constant.
|
|
|
|
|
*/
|
|
|
|
|
BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
|
|
|
|
|
BPF_ALU64_REG(BPF_ADD, BPF_REG_5, BPF_REG_6),
|
2022-11-04 09:36:49 -07:00
|
|
|
BPF_MOV64_REG(BPF_REG_4, BPF_REG_5),
|
2017-05-10 11:43:51 -07:00
|
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
|
|
|
|
|
BPF_MOV64_REG(BPF_REG_4, BPF_REG_5),
|
|
|
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
|
|
|
|
|
BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_4, 1),
|
|
|
|
|
BPF_EXIT_INSN(),
|
|
|
|
|
BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_5, 0),
|
|
|
|
|
|
2017-05-11 19:30:02 -07:00
|
|
|
/* Test multiple accumulations of unknown values
|
|
|
|
|
* into a packet pointer.
|
|
|
|
|
*/
|
|
|
|
|
BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
|
|
|
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
|
|
|
|
|
BPF_ALU64_REG(BPF_ADD, BPF_REG_5, BPF_REG_6),
|
2022-11-04 09:36:49 -07:00
|
|
|
BPF_MOV64_REG(BPF_REG_4, BPF_REG_5),
|
2017-05-11 19:30:02 -07:00
|
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 4),
|
|
|
|
|
BPF_ALU64_REG(BPF_ADD, BPF_REG_5, BPF_REG_6),
|
|
|
|
|
BPF_MOV64_REG(BPF_REG_4, BPF_REG_5),
|
|
|
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
|
|
|
|
|
BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_4, 1),
|
|
|
|
|
BPF_EXIT_INSN(),
|
|
|
|
|
BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_5, 0),
|
|
|
|
|
|
2017-05-10 11:43:51 -07:00
|
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
|
|
|
BPF_EXIT_INSN(),
|
|
|
|
|
},
|
|
|
|
|
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
|
|
|
|
|
.matches = {
|
|
|
|
|
/* Calculated offset in R6 has unknown value, but known
|
|
|
|
|
* alignment of 4.
|
|
|
|
|
*/
|
2023-11-17 19:46:21 -08:00
|
|
|
{6, "R2_w", "pkt(r=8)"},
|
2023-10-11 15:37:26 -07:00
|
|
|
{7, "R6_w", "var_off=(0x0; 0x3fc)"},
|
2017-08-07 15:27:34 +01:00
|
|
|
/* Offset is added to packet pointer R5, resulting in
|
|
|
|
|
* known fixed offset, and variable offset from R6.
|
2017-05-10 11:43:51 -07:00
|
|
|
*/
|
2023-10-11 15:37:26 -07:00
|
|
|
{11, "R5_w", "pkt(id=1,off=14,"},
|
2017-05-10 11:43:51 -07:00
|
|
|
/* At the time the word size load is performed from R5,
|
|
|
|
|
* it's total offset is NET_IP_ALIGN + reg->off (0) +
|
|
|
|
|
* reg->aux_off (14) which is 16. Then the variable
|
|
|
|
|
* offset is considered using reg->aux_off_align which
|
|
|
|
|
* is 4 and meets the load's requirements.
|
|
|
|
|
*/
|
2023-10-11 15:37:26 -07:00
|
|
|
{15, "R4", "var_off=(0x0; 0x3fc)"},
|
|
|
|
|
{15, "R5", "var_off=(0x0; 0x3fc)"},
|
2017-05-10 11:43:51 -07:00
|
|
|
/* Variable offset is added to R5 packet pointer,
|
2022-11-04 09:36:49 -07:00
|
|
|
* resulting in auxiliary alignment of 4. To avoid BPF
|
|
|
|
|
* verifier's precision backtracking logging
|
|
|
|
|
* interfering we also have a no-op R4 = R5
|
|
|
|
|
* instruction to validate R5 state. We also check
|
|
|
|
|
* that R4 is what it should be in such case.
|
2017-05-10 11:43:51 -07:00
|
|
|
*/
|
2023-10-11 15:37:26 -07:00
|
|
|
{18, "R4_w", "var_off=(0x0; 0x3fc)"},
|
|
|
|
|
{18, "R5_w", "var_off=(0x0; 0x3fc)"},
|
2017-05-10 11:43:51 -07:00
|
|
|
/* Constant offset is added to R5, resulting in
|
|
|
|
|
* reg->off of 14.
|
|
|
|
|
*/
|
2023-10-11 15:37:26 -07:00
|
|
|
{19, "R5_w", "pkt(id=2,off=14,"},
|
2017-05-10 11:43:51 -07:00
|
|
|
/* At the time the word size load is performed from R5,
|
2017-08-07 15:27:34 +01:00
|
|
|
* its total fixed offset is NET_IP_ALIGN + reg->off
|
|
|
|
|
* (14) which is 16. Then the variable offset is 4-byte
|
|
|
|
|
* aligned, so the total offset is 4-byte aligned and
|
|
|
|
|
* meets the load's requirements.
|
2017-05-10 11:43:51 -07:00
|
|
|
*/
|
2023-10-11 15:37:26 -07:00
|
|
|
{24, "R4", "var_off=(0x0; 0x3fc)"},
|
|
|
|
|
{24, "R5", "var_off=(0x0; 0x3fc)"},
|
2017-05-11 19:30:02 -07:00
|
|
|
/* Constant offset is added to R5 packet pointer,
|
|
|
|
|
* resulting in reg->off value of 14.
|
|
|
|
|
*/
|
2023-11-17 19:46:21 -08:00
|
|
|
{26, "R5_w", "pkt(off=14,r=8)"},
|
2017-08-07 15:27:34 +01:00
|
|
|
/* Variable offset is added to R5, resulting in a
|
2022-11-04 09:36:49 -07:00
|
|
|
* variable offset of (4n). See comment for insn #18
|
|
|
|
|
* for R4 = R5 trick.
|
2017-05-11 19:30:02 -07:00
|
|
|
*/
|
2023-10-11 15:37:26 -07:00
|
|
|
{28, "R4_w", "var_off=(0x0; 0x3fc)"},
|
|
|
|
|
{28, "R5_w", "var_off=(0x0; 0x3fc)"},
|
2017-08-07 15:27:34 +01:00
|
|
|
/* Constant is added to R5 again, setting reg->off to 18. */
|
2023-10-11 15:37:26 -07:00
|
|
|
{29, "R5_w", "pkt(id=3,off=18,"},
|
2017-08-07 15:27:34 +01:00
|
|
|
/* And once more we add a variable; resulting var_off
|
|
|
|
|
* is still (4n), fixed offset is not changed.
|
|
|
|
|
* Also, we create a new reg->id.
|
2017-05-11 19:30:02 -07:00
|
|
|
*/
|
2023-10-11 15:37:26 -07:00
|
|
|
{31, "R4_w", "var_off=(0x0; 0x7fc)"},
|
|
|
|
|
{31, "R5_w", "var_off=(0x0; 0x7fc)"},
|
2017-05-11 19:30:02 -07:00
|
|
|
/* At the time the word size load is performed from R5,
|
2017-08-07 15:27:34 +01:00
|
|
|
* its total fixed offset is NET_IP_ALIGN + reg->off (18)
|
|
|
|
|
* which is 20. Then the variable offset is (4n), so
|
|
|
|
|
* the total offset is 4-byte aligned and meets the
|
|
|
|
|
* load's requirements.
|
2017-05-11 19:30:02 -07:00
|
|
|
*/
|
2023-10-11 15:37:26 -07:00
|
|
|
{35, "R4", "var_off=(0x0; 0x7fc)"},
|
|
|
|
|
{35, "R5", "var_off=(0x0; 0x7fc)"},
|
2017-05-10 11:43:51 -07:00
|
|
|
},
|
|
|
|
|
},
|
2017-08-07 15:28:00 +01:00
|
|
|
{
|
|
|
|
|
.descr = "packet variable offset 2",
|
|
|
|
|
.insns = {
|
|
|
|
|
/* Create an unknown offset, (4n+2)-aligned */
|
|
|
|
|
LOAD_UNKNOWN(BPF_REG_6),
|
|
|
|
|
BPF_ALU64_IMM(BPF_LSH, BPF_REG_6, 2),
|
|
|
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 14),
|
|
|
|
|
/* Add it to the packet pointer */
|
|
|
|
|
BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
|
|
|
|
|
BPF_ALU64_REG(BPF_ADD, BPF_REG_5, BPF_REG_6),
|
|
|
|
|
/* Check bounds and perform a read */
|
|
|
|
|
BPF_MOV64_REG(BPF_REG_4, BPF_REG_5),
|
|
|
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
|
|
|
|
|
BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_4, 1),
|
|
|
|
|
BPF_EXIT_INSN(),
|
|
|
|
|
BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_5, 0),
|
|
|
|
|
/* Make a (4n) offset from the value we just read */
|
|
|
|
|
BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 0xff),
|
|
|
|
|
BPF_ALU64_IMM(BPF_LSH, BPF_REG_6, 2),
|
|
|
|
|
/* Add it to the packet pointer */
|
|
|
|
|
BPF_ALU64_REG(BPF_ADD, BPF_REG_5, BPF_REG_6),
|
|
|
|
|
/* Check bounds and perform a read */
|
|
|
|
|
BPF_MOV64_REG(BPF_REG_4, BPF_REG_5),
|
|
|
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
|
|
|
|
|
BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_4, 1),
|
|
|
|
|
BPF_EXIT_INSN(),
|
|
|
|
|
BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_5, 0),
|
|
|
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
|
|
|
|
BPF_EXIT_INSN(),
|
|
|
|
|
},
|
|
|
|
|
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
|
|
|
|
|
.matches = {
|
|
|
|
|
/* Calculated offset in R6 has unknown value, but known
|
|
|
|
|
* alignment of 4.
|
|
|
|
|
*/
|
2023-11-17 19:46:21 -08:00
|
|
|
{6, "R2_w", "pkt(r=8)"},
|
2023-10-11 15:37:26 -07:00
|
|
|
{7, "R6_w", "var_off=(0x0; 0x3fc)"},
|
2017-08-07 15:28:00 +01:00
|
|
|
/* Adding 14 makes R6 be (4n+2) */
|
2023-10-11 15:37:26 -07:00
|
|
|
{8, "R6_w", "var_off=(0x2; 0x7fc)"},
|
2017-08-07 15:28:00 +01:00
|
|
|
/* Packet pointer has (4n+2) offset */
|
2023-10-11 15:37:26 -07:00
|
|
|
{11, "R5_w", "var_off=(0x2; 0x7fc)"},
|
|
|
|
|
{12, "R4", "var_off=(0x2; 0x7fc)"},
|
2017-08-07 15:28:00 +01:00
|
|
|
/* At the time the word size load is performed from R5,
|
|
|
|
|
* its total fixed offset is NET_IP_ALIGN + reg->off (0)
|
|
|
|
|
* which is 2. Then the variable offset is (4n+2), so
|
|
|
|
|
* the total offset is 4-byte aligned and meets the
|
|
|
|
|
* load's requirements.
|
|
|
|
|
*/
|
2023-10-11 15:37:26 -07:00
|
|
|
{15, "R5", "var_off=(0x2; 0x7fc)"},
|
2017-08-07 15:28:00 +01:00
|
|
|
/* Newly read value in R6 was shifted left by 2, so has
|
|
|
|
|
* known alignment of 4.
|
|
|
|
|
*/
|
2023-10-11 15:37:26 -07:00
|
|
|
{17, "R6_w", "var_off=(0x0; 0x3fc)"},
|
2017-08-07 15:28:00 +01:00
|
|
|
/* Added (4n) to packet pointer's (4n+2) var_off, giving
|
|
|
|
|
* another (4n+2).
|
|
|
|
|
*/
|
2023-10-11 15:37:26 -07:00
|
|
|
{19, "R5_w", "var_off=(0x2; 0xffc)"},
|
|
|
|
|
{20, "R4", "var_off=(0x2; 0xffc)"},
|
2017-08-07 15:28:00 +01:00
|
|
|
/* At the time the word size load is performed from R5,
|
|
|
|
|
* its total fixed offset is NET_IP_ALIGN + reg->off (0)
|
|
|
|
|
* which is 2. Then the variable offset is (4n+2), so
|
|
|
|
|
* the total offset is 4-byte aligned and meets the
|
|
|
|
|
* load's requirements.
|
|
|
|
|
*/
|
2023-10-11 15:37:26 -07:00
|
|
|
{23, "R5", "var_off=(0x2; 0xffc)"},
|
2017-08-07 15:28:00 +01:00
|
|
|
},
|
|
|
|
|
},
|
2017-08-07 15:28:45 +01:00
|
|
|
{
|
|
|
|
|
.descr = "dubious pointer arithmetic",
|
|
|
|
|
.insns = {
|
|
|
|
|
PREP_PKT_POINTERS,
|
|
|
|
|
BPF_MOV64_IMM(BPF_REG_0, 0),
|
2018-01-23 20:05:51 -08:00
|
|
|
/* (ptr - ptr) << 2 */
|
|
|
|
|
BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
|
|
|
|
|
BPF_ALU64_REG(BPF_SUB, BPF_REG_5, BPF_REG_2),
|
2017-08-07 15:28:45 +01:00
|
|
|
BPF_ALU64_IMM(BPF_LSH, BPF_REG_5, 2),
|
|
|
|
|
/* We have a (4n) value. Let's make a packet offset
|
|
|
|
|
* out of it. First add 14, to make it a (4n+2)
|
|
|
|
|
*/
|
|
|
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
|
|
|
|
|
/* Then make sure it's nonnegative */
|
|
|
|
|
BPF_JMP_IMM(BPF_JSGE, BPF_REG_5, 0, 1),
|
|
|
|
|
BPF_EXIT_INSN(),
|
|
|
|
|
/* Add it to packet pointer */
|
|
|
|
|
BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
|
|
|
|
|
BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
|
|
|
|
|
/* Check bounds and perform a read */
|
|
|
|
|
BPF_MOV64_REG(BPF_REG_4, BPF_REG_6),
|
|
|
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
|
|
|
|
|
BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_4, 1),
|
|
|
|
|
BPF_EXIT_INSN(),
|
|
|
|
|
BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_6, 0),
|
|
|
|
|
BPF_EXIT_INSN(),
|
|
|
|
|
},
|
|
|
|
|
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
|
|
|
|
|
.result = REJECT,
|
|
|
|
|
.matches = {
|
2023-11-17 19:46:21 -08:00
|
|
|
{3, "R5_w", "pkt_end()"},
|
2018-01-23 20:05:51 -08:00
|
|
|
/* (ptr - ptr) << 2 == unknown, (4n) */
|
2023-10-11 15:37:26 -07:00
|
|
|
{5, "R5_w", "var_off=(0x0; 0xfffffffffffffffc)"},
|
2018-01-23 20:05:51 -08:00
|
|
|
/* (4n) + 14 == (4n+2). We blow our bounds, because
|
|
|
|
|
* the add could overflow.
|
|
|
|
|
*/
|
2023-10-11 15:37:26 -07:00
|
|
|
{6, "R5_w", "var_off=(0x2; 0xfffffffffffffffc)"},
|
2018-01-23 20:05:51 -08:00
|
|
|
/* Checked s>=0 */
|
2023-10-11 15:37:26 -07:00
|
|
|
{9, "R5", "var_off=(0x2; 0x7ffffffffffffffc)"},
|
2018-01-23 20:05:51 -08:00
|
|
|
/* packet pointer + nonnegative (4n+2) */
|
2023-10-11 15:37:26 -07:00
|
|
|
{11, "R6_w", "var_off=(0x2; 0x7ffffffffffffffc)"},
|
|
|
|
|
{12, "R4_w", "var_off=(0x2; 0x7ffffffffffffffc)"},
|
2018-01-23 20:05:51 -08:00
|
|
|
/* NET_IP_ALIGN + (4n+2) == (4n), alignment is fine.
|
|
|
|
|
* We checked the bounds, but it might have been able
|
|
|
|
|
* to overflow if the packet pointer started in the
|
|
|
|
|
* upper half of the address space.
|
|
|
|
|
* So we did not get a 'range' on R6, and the access
|
|
|
|
|
* attempt will fail.
|
|
|
|
|
*/
|
2023-10-11 15:37:26 -07:00
|
|
|
{15, "R6_w", "var_off=(0x2; 0x7ffffffffffffffc)"},
|
2017-08-07 15:28:45 +01:00
|
|
|
}
|
|
|
|
|
},
|
2017-08-07 15:29:34 +01:00
|
|
|
{
|
|
|
|
|
.descr = "variable subtraction",
|
|
|
|
|
.insns = {
|
|
|
|
|
/* Create an unknown offset, (4n+2)-aligned */
|
|
|
|
|
LOAD_UNKNOWN(BPF_REG_6),
|
|
|
|
|
BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
|
|
|
|
|
BPF_ALU64_IMM(BPF_LSH, BPF_REG_6, 2),
|
|
|
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 14),
|
|
|
|
|
/* Create another unknown, (4n)-aligned, and subtract
|
|
|
|
|
* it from the first one
|
|
|
|
|
*/
|
|
|
|
|
BPF_ALU64_IMM(BPF_LSH, BPF_REG_7, 2),
|
|
|
|
|
BPF_ALU64_REG(BPF_SUB, BPF_REG_6, BPF_REG_7),
|
|
|
|
|
/* Bounds-check the result */
|
|
|
|
|
BPF_JMP_IMM(BPF_JSGE, BPF_REG_6, 0, 1),
|
|
|
|
|
BPF_EXIT_INSN(),
|
|
|
|
|
/* Add it to the packet pointer */
|
|
|
|
|
BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
|
|
|
|
|
BPF_ALU64_REG(BPF_ADD, BPF_REG_5, BPF_REG_6),
|
|
|
|
|
/* Check bounds and perform a read */
|
|
|
|
|
BPF_MOV64_REG(BPF_REG_4, BPF_REG_5),
|
|
|
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
|
|
|
|
|
BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_4, 1),
|
|
|
|
|
BPF_EXIT_INSN(),
|
|
|
|
|
BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_5, 0),
|
|
|
|
|
BPF_EXIT_INSN(),
|
|
|
|
|
},
|
|
|
|
|
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
|
|
|
|
|
.matches = {
|
|
|
|
|
/* Calculated offset in R6 has unknown value, but known
|
|
|
|
|
* alignment of 4.
|
|
|
|
|
*/
|
2023-11-17 19:46:21 -08:00
|
|
|
{6, "R2_w", "pkt(r=8)"},
|
2023-10-11 15:37:26 -07:00
|
|
|
{8, "R6_w", "var_off=(0x0; 0x3fc)"},
|
2017-08-07 15:29:34 +01:00
|
|
|
/* Adding 14 makes R6 be (4n+2) */
|
2023-10-11 15:37:26 -07:00
|
|
|
{9, "R6_w", "var_off=(0x2; 0x7fc)"},
|
2017-08-07 15:29:34 +01:00
|
|
|
/* New unknown value in R7 is (4n) */
|
2023-10-11 15:37:26 -07:00
|
|
|
{10, "R7_w", "var_off=(0x0; 0x3fc)"},
|
2017-08-07 15:29:34 +01:00
|
|
|
/* Subtracting it from R6 blows our unsigned bounds */
|
2023-10-11 15:37:26 -07:00
|
|
|
{11, "R6", "var_off=(0x2; 0xfffffffffffffffc)"},
|
2017-08-07 15:29:34 +01:00
|
|
|
/* Checked s>= 0 */
|
2023-10-11 15:37:26 -07:00
|
|
|
{14, "R6", "var_off=(0x2; 0x7fc)"},
|
2017-08-07 15:29:34 +01:00
|
|
|
/* At the time the word size load is performed from R5,
|
|
|
|
|
* its total fixed offset is NET_IP_ALIGN + reg->off (0)
|
|
|
|
|
* which is 2. Then the variable offset is (4n+2), so
|
|
|
|
|
* the total offset is 4-byte aligned and meets the
|
|
|
|
|
* load's requirements.
|
|
|
|
|
*/
|
2023-10-11 15:37:26 -07:00
|
|
|
{20, "R5", "var_off=(0x2; 0x7fc)"},
|
2017-08-07 15:29:34 +01:00
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
{
|
|
|
|
|
.descr = "pointer variable subtraction",
|
|
|
|
|
.insns = {
|
|
|
|
|
/* Create an unknown offset, (4n+2)-aligned and bounded
|
|
|
|
|
* to [14,74]
|
|
|
|
|
*/
|
|
|
|
|
LOAD_UNKNOWN(BPF_REG_6),
|
|
|
|
|
BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
|
|
|
|
|
BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 0xf),
|
|
|
|
|
BPF_ALU64_IMM(BPF_LSH, BPF_REG_6, 2),
|
|
|
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 14),
|
|
|
|
|
/* Subtract it from the packet pointer */
|
|
|
|
|
BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
|
|
|
|
|
BPF_ALU64_REG(BPF_SUB, BPF_REG_5, BPF_REG_6),
|
|
|
|
|
/* Create another unknown, (4n)-aligned and >= 74.
|
|
|
|
|
* That in fact means >= 76, since 74 % 4 == 2
|
|
|
|
|
*/
|
|
|
|
|
BPF_ALU64_IMM(BPF_LSH, BPF_REG_7, 2),
|
|
|
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 76),
|
|
|
|
|
/* Add it to the packet pointer */
|
|
|
|
|
BPF_ALU64_REG(BPF_ADD, BPF_REG_5, BPF_REG_7),
|
|
|
|
|
/* Check bounds and perform a read */
|
|
|
|
|
BPF_MOV64_REG(BPF_REG_4, BPF_REG_5),
|
|
|
|
|
BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
|
|
|
|
|
BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_4, 1),
|
|
|
|
|
BPF_EXIT_INSN(),
|
|
|
|
|
BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_5, 0),
|
|
|
|
|
BPF_EXIT_INSN(),
|
|
|
|
|
},
|
|
|
|
|
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
|
|
|
|
|
.matches = {
|
|
|
|
|
/* Calculated offset in R6 has unknown value, but known
|
|
|
|
|
* alignment of 4.
|
|
|
|
|
*/
|
2023-11-17 19:46:21 -08:00
|
|
|
{6, "R2_w", "pkt(r=8)"},
|
2023-10-11 15:37:26 -07:00
|
|
|
{9, "R6_w", "var_off=(0x0; 0x3c)"},
|
2017-08-07 15:29:34 +01:00
|
|
|
/* Adding 14 makes R6 be (4n+2) */
|
2023-10-11 15:37:26 -07:00
|
|
|
{10, "R6_w", "var_off=(0x2; 0x7c)"},
|
2017-08-07 15:29:34 +01:00
|
|
|
/* Subtracting from packet pointer overflows ubounds */
|
2023-10-11 15:37:26 -07:00
|
|
|
{13, "R5_w", "var_off=(0xffffffffffffff82; 0x7c)"},
|
2017-08-07 15:29:34 +01:00
|
|
|
/* New unknown value in R7 is (4n), >= 76 */
|
2023-10-11 15:37:26 -07:00
|
|
|
{14, "R7_w", "var_off=(0x0; 0x7fc)"},
|
2017-08-07 15:29:34 +01:00
|
|
|
/* Adding it to packet pointer gives nice bounds again */
|
2023-10-11 15:37:26 -07:00
|
|
|
{16, "R5_w", "var_off=(0x2; 0x7fc)"},
|
2017-08-07 15:29:34 +01:00
|
|
|
/* At the time the word size load is performed from R5,
|
|
|
|
|
* its total fixed offset is NET_IP_ALIGN + reg->off (0)
|
|
|
|
|
* which is 2. Then the variable offset is (4n+2), so
|
|
|
|
|
* the total offset is 4-byte aligned and meets the
|
|
|
|
|
* load's requirements.
|
|
|
|
|
*/
|
2023-10-11 15:37:26 -07:00
|
|
|
{20, "R5", "var_off=(0x2; 0x7fc)"},
|
2017-08-07 15:29:34 +01:00
|
|
|
},
|
|
|
|
|
},
|
2017-05-10 11:43:51 -07:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static int probe_filter_length(const struct bpf_insn *fp)
|
|
|
|
|
{
|
|
|
|
|
int len;
|
|
|
|
|
|
|
|
|
|
for (len = MAX_INSNS - 1; len > 0; --len)
|
|
|
|
|
if (fp[len].code != 0 || fp[len].imm != 0)
|
|
|
|
|
break;
|
|
|
|
|
return len + 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static char bpf_vlog[32768];
|
|
|
|
|
|
|
|
|
|
static int do_test_single(struct bpf_align_test *test)
|
|
|
|
|
{
|
|
|
|
|
struct bpf_insn *prog = test->insns;
|
|
|
|
|
int prog_type = test->prog_type;
|
2017-08-07 15:27:34 +01:00
|
|
|
char bpf_vlog_copy[32768];
|
2021-11-03 15:08:42 -07:00
|
|
|
LIBBPF_OPTS(bpf_prog_load_opts, opts,
|
|
|
|
|
.prog_flags = BPF_F_STRICT_ALIGNMENT,
|
|
|
|
|
.log_buf = bpf_vlog,
|
|
|
|
|
.log_size = sizeof(bpf_vlog),
|
|
|
|
|
.log_level = 2,
|
|
|
|
|
);
|
bpf: simple DFA-based live registers analysis
Compute may-live registers before each instruction in the program.
The register is live before the instruction I if it is read by I or
some instruction S following I during program execution and is not
overwritten between I and S.
This information would be used in the next patch as a hint in
func_states_equal().
Use a simple algorithm described in [1] to compute this information:
- define the following:
- I.use : a set of all registers read by instruction I;
- I.def : a set of all registers written by instruction I;
- I.in : a set of all registers that may be alive before I execution;
- I.out : a set of all registers that may be alive after I execution;
- I.successors : a set of instructions S that might immediately
follow I for some program execution;
- associate separate empty sets 'I.in' and 'I.out' with each instruction;
- visit each instruction in a postorder and update corresponding
'I.in' and 'I.out' sets as follows:
I.out = U [S.in for S in I.successors]
I.in = (I.out / I.def) U I.use
(where U stands for set union, / stands for set difference)
- repeat the computation while I.{in,out} changes for any instruction.
On implementation side keep things as simple, as possible:
- check_cfg() already marks instructions EXPLORED in post-order,
modify it to save the index of each EXPLORED instruction in a vector;
- represent I.{in,out,use,def} as bitmasks;
- don't split the program into basic blocks and don't maintain the
work queue, instead:
- do fixed-point computation by visiting each instruction;
- maintain a simple 'changed' flag if I.{in,out} for any instruction
change;
Measurements show that even such simplistic implementation does not
add measurable verification time overhead (for selftests, at-least).
Note on check_cfg() ex_insn_beg/ex_done change:
To avoid out of bounds access to env->cfg.insn_postorder array,
it should be guaranteed that instruction transitions to EXPLORED state
only once. Previously this was not the fact for incorrect programs
with direct calls to exception callbacks.
The 'align' selftest needs adjustment to skip computed insn/live
registers printout. Otherwise it matches lines from the live registers
printout.
[1] https://en.wikipedia.org/wiki/Live-variable_analysis
Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20250304195024.2478889-4-eddyz87@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2025-03-04 11:50:22 -08:00
|
|
|
const char *main_pass_start = "0: R1=ctx() R10=fp0";
|
2017-08-07 15:27:34 +01:00
|
|
|
const char *line_ptr;
|
|
|
|
|
int cur_line = -1;
|
2017-05-10 11:43:51 -07:00
|
|
|
int prog_len, i;
|
bpf: simple DFA-based live registers analysis
Compute may-live registers before each instruction in the program.
The register is live before the instruction I if it is read by I or
some instruction S following I during program execution and is not
overwritten between I and S.
This information would be used in the next patch as a hint in
func_states_equal().
Use a simple algorithm described in [1] to compute this information:
- define the following:
- I.use : a set of all registers read by instruction I;
- I.def : a set of all registers written by instruction I;
- I.in : a set of all registers that may be alive before I execution;
- I.out : a set of all registers that may be alive after I execution;
- I.successors : a set of instructions S that might immediately
follow I for some program execution;
- associate separate empty sets 'I.in' and 'I.out' with each instruction;
- visit each instruction in a postorder and update corresponding
'I.in' and 'I.out' sets as follows:
I.out = U [S.in for S in I.successors]
I.in = (I.out / I.def) U I.use
(where U stands for set union, / stands for set difference)
- repeat the computation while I.{in,out} changes for any instruction.
On implementation side keep things as simple, as possible:
- check_cfg() already marks instructions EXPLORED in post-order,
modify it to save the index of each EXPLORED instruction in a vector;
- represent I.{in,out,use,def} as bitmasks;
- don't split the program into basic blocks and don't maintain the
work queue, instead:
- do fixed-point computation by visiting each instruction;
- maintain a simple 'changed' flag if I.{in,out} for any instruction
change;
Measurements show that even such simplistic implementation does not
add measurable verification time overhead (for selftests, at-least).
Note on check_cfg() ex_insn_beg/ex_done change:
To avoid out of bounds access to env->cfg.insn_postorder array,
it should be guaranteed that instruction transitions to EXPLORED state
only once. Previously this was not the fact for incorrect programs
with direct calls to exception callbacks.
The 'align' selftest needs adjustment to skip computed insn/live
registers printout. Otherwise it matches lines from the live registers
printout.
[1] https://en.wikipedia.org/wiki/Live-variable_analysis
Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20250304195024.2478889-4-eddyz87@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2025-03-04 11:50:22 -08:00
|
|
|
char *start;
|
2017-05-10 11:43:51 -07:00
|
|
|
int fd_prog;
|
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
|
|
prog_len = probe_filter_length(prog);
|
2021-11-03 15:08:42 -07:00
|
|
|
fd_prog = bpf_prog_load(prog_type ? : BPF_PROG_TYPE_SOCKET_FILTER, NULL, "GPL",
|
|
|
|
|
prog, prog_len, &opts);
|
2017-08-07 15:28:45 +01:00
|
|
|
if (fd_prog < 0 && test->result != REJECT) {
|
2017-05-10 11:43:51 -07:00
|
|
|
printf("Failed to load program.\n");
|
|
|
|
|
printf("%s", bpf_vlog);
|
|
|
|
|
ret = 1;
|
2017-08-07 15:28:45 +01:00
|
|
|
} else if (fd_prog >= 0 && test->result == REJECT) {
|
|
|
|
|
printf("Unexpected success to load!\n");
|
|
|
|
|
printf("%s", bpf_vlog);
|
|
|
|
|
ret = 1;
|
|
|
|
|
close(fd_prog);
|
2017-05-10 11:43:51 -07:00
|
|
|
} else {
|
|
|
|
|
ret = 0;
|
2017-08-07 15:27:34 +01:00
|
|
|
/* We make a local copy so that we can strtok() it */
|
|
|
|
|
strncpy(bpf_vlog_copy, bpf_vlog, sizeof(bpf_vlog_copy));
|
bpf: simple DFA-based live registers analysis
Compute may-live registers before each instruction in the program.
The register is live before the instruction I if it is read by I or
some instruction S following I during program execution and is not
overwritten between I and S.
This information would be used in the next patch as a hint in
func_states_equal().
Use a simple algorithm described in [1] to compute this information:
- define the following:
- I.use : a set of all registers read by instruction I;
- I.def : a set of all registers written by instruction I;
- I.in : a set of all registers that may be alive before I execution;
- I.out : a set of all registers that may be alive after I execution;
- I.successors : a set of instructions S that might immediately
follow I for some program execution;
- associate separate empty sets 'I.in' and 'I.out' with each instruction;
- visit each instruction in a postorder and update corresponding
'I.in' and 'I.out' sets as follows:
I.out = U [S.in for S in I.successors]
I.in = (I.out / I.def) U I.use
(where U stands for set union, / stands for set difference)
- repeat the computation while I.{in,out} changes for any instruction.
On implementation side keep things as simple, as possible:
- check_cfg() already marks instructions EXPLORED in post-order,
modify it to save the index of each EXPLORED instruction in a vector;
- represent I.{in,out,use,def} as bitmasks;
- don't split the program into basic blocks and don't maintain the
work queue, instead:
- do fixed-point computation by visiting each instruction;
- maintain a simple 'changed' flag if I.{in,out} for any instruction
change;
Measurements show that even such simplistic implementation does not
add measurable verification time overhead (for selftests, at-least).
Note on check_cfg() ex_insn_beg/ex_done change:
To avoid out of bounds access to env->cfg.insn_postorder array,
it should be guaranteed that instruction transitions to EXPLORED state
only once. Previously this was not the fact for incorrect programs
with direct calls to exception callbacks.
The 'align' selftest needs adjustment to skip computed insn/live
registers printout. Otherwise it matches lines from the live registers
printout.
[1] https://en.wikipedia.org/wiki/Live-variable_analysis
Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20250304195024.2478889-4-eddyz87@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2025-03-04 11:50:22 -08:00
|
|
|
start = strstr(bpf_vlog_copy, main_pass_start);
|
|
|
|
|
if (!start) {
|
|
|
|
|
ret = 1;
|
|
|
|
|
printf("Can't find initial line '%s'\n", main_pass_start);
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
line_ptr = strtok(start, "\n");
|
2017-05-10 11:43:51 -07:00
|
|
|
for (i = 0; i < MAX_MATCHES; i++) {
|
2017-08-07 15:27:34 +01:00
|
|
|
struct bpf_reg_match m = test->matches[i];
|
2023-10-11 15:37:26 -07:00
|
|
|
const char *p;
|
bpf: Right align verifier states in verifier logs.
Make the verifier logs more readable, print the verifier states
on the corresponding instruction line. If the previous line was
not a bpf instruction, then print the verifier states on its own
line.
Before:
Validating test_pkt_access_subprog3() func#3...
86: R1=invP(id=0) R2=ctx(id=0,off=0,imm=0) R10=fp0
; int test_pkt_access_subprog3(int val, struct __sk_buff *skb)
86: (bf) r6 = r2
87: R2=ctx(id=0,off=0,imm=0) R6_w=ctx(id=0,off=0,imm=0)
87: (bc) w7 = w1
88: R1=invP(id=0) R7_w=invP(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff))
; return get_skb_len(skb) * get_skb_ifindex(val, skb, get_constant(123));
88: (bf) r1 = r6
89: R1_w=ctx(id=0,off=0,imm=0) R6_w=ctx(id=0,off=0,imm=0)
89: (85) call pc+9
Func#4 is global and valid. Skipping.
90: R0_w=invP(id=0)
90: (bc) w8 = w0
91: R0_w=invP(id=0) R8_w=invP(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff))
; return get_skb_len(skb) * get_skb_ifindex(val, skb, get_constant(123));
91: (b7) r1 = 123
92: R1_w=invP123
92: (85) call pc+65
Func#5 is global and valid. Skipping.
93: R0=invP(id=0)
After:
86: R1=invP(id=0) R2=ctx(id=0,off=0,imm=0) R10=fp0
; int test_pkt_access_subprog3(int val, struct __sk_buff *skb)
86: (bf) r6 = r2 ; R2=ctx(id=0,off=0,imm=0) R6_w=ctx(id=0,off=0,imm=0)
87: (bc) w7 = w1 ; R1=invP(id=0) R7_w=invP(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff))
; return get_skb_len(skb) * get_skb_ifindex(val, skb, get_constant(123));
88: (bf) r1 = r6 ; R1_w=ctx(id=0,off=0,imm=0) R6_w=ctx(id=0,off=0,imm=0)
89: (85) call pc+9
Func#4 is global and valid. Skipping.
90: R0_w=invP(id=0)
90: (bc) w8 = w0 ; R0_w=invP(id=0) R8_w=invP(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff))
; return get_skb_len(skb) * get_skb_ifindex(val, skb, get_constant(123));
91: (b7) r1 = 123 ; R1_w=invP123
92: (85) call pc+65
Func#5 is global and valid. Skipping.
93: R0=invP(id=0)
Signed-off-by: Christy Lee <christylee@fb.com>
Acked-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2021-12-16 19:42:45 -08:00
|
|
|
int tmp;
|
2017-05-10 11:43:51 -07:00
|
|
|
|
2017-08-07 15:27:34 +01:00
|
|
|
if (!m.match)
|
2017-05-10 11:43:51 -07:00
|
|
|
break;
|
2017-08-07 15:27:34 +01:00
|
|
|
while (line_ptr) {
|
|
|
|
|
cur_line = -1;
|
|
|
|
|
sscanf(line_ptr, "%u: ", &cur_line);
|
bpf: Right align verifier states in verifier logs.
Make the verifier logs more readable, print the verifier states
on the corresponding instruction line. If the previous line was
not a bpf instruction, then print the verifier states on its own
line.
Before:
Validating test_pkt_access_subprog3() func#3...
86: R1=invP(id=0) R2=ctx(id=0,off=0,imm=0) R10=fp0
; int test_pkt_access_subprog3(int val, struct __sk_buff *skb)
86: (bf) r6 = r2
87: R2=ctx(id=0,off=0,imm=0) R6_w=ctx(id=0,off=0,imm=0)
87: (bc) w7 = w1
88: R1=invP(id=0) R7_w=invP(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff))
; return get_skb_len(skb) * get_skb_ifindex(val, skb, get_constant(123));
88: (bf) r1 = r6
89: R1_w=ctx(id=0,off=0,imm=0) R6_w=ctx(id=0,off=0,imm=0)
89: (85) call pc+9
Func#4 is global and valid. Skipping.
90: R0_w=invP(id=0)
90: (bc) w8 = w0
91: R0_w=invP(id=0) R8_w=invP(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff))
; return get_skb_len(skb) * get_skb_ifindex(val, skb, get_constant(123));
91: (b7) r1 = 123
92: R1_w=invP123
92: (85) call pc+65
Func#5 is global and valid. Skipping.
93: R0=invP(id=0)
After:
86: R1=invP(id=0) R2=ctx(id=0,off=0,imm=0) R10=fp0
; int test_pkt_access_subprog3(int val, struct __sk_buff *skb)
86: (bf) r6 = r2 ; R2=ctx(id=0,off=0,imm=0) R6_w=ctx(id=0,off=0,imm=0)
87: (bc) w7 = w1 ; R1=invP(id=0) R7_w=invP(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff))
; return get_skb_len(skb) * get_skb_ifindex(val, skb, get_constant(123));
88: (bf) r1 = r6 ; R1_w=ctx(id=0,off=0,imm=0) R6_w=ctx(id=0,off=0,imm=0)
89: (85) call pc+9
Func#4 is global and valid. Skipping.
90: R0_w=invP(id=0)
90: (bc) w8 = w0 ; R0_w=invP(id=0) R8_w=invP(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff))
; return get_skb_len(skb) * get_skb_ifindex(val, skb, get_constant(123));
91: (b7) r1 = 123 ; R1_w=invP123
92: (85) call pc+65
Func#5 is global and valid. Skipping.
93: R0=invP(id=0)
Signed-off-by: Christy Lee <christylee@fb.com>
Acked-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2021-12-16 19:42:45 -08:00
|
|
|
if (cur_line == -1)
|
|
|
|
|
sscanf(line_ptr, "from %u to %u: ", &tmp, &cur_line);
|
2017-08-07 15:27:34 +01:00
|
|
|
if (cur_line == m.line)
|
|
|
|
|
break;
|
|
|
|
|
line_ptr = strtok(NULL, "\n");
|
|
|
|
|
}
|
|
|
|
|
if (!line_ptr) {
|
2023-10-11 15:37:26 -07:00
|
|
|
printf("Failed to find line %u for match: %s=%s\n",
|
|
|
|
|
m.line, m.reg, m.match);
|
2017-08-07 15:27:34 +01:00
|
|
|
ret = 1;
|
|
|
|
|
printf("%s", bpf_vlog);
|
|
|
|
|
break;
|
|
|
|
|
}
|
bpf: Right align verifier states in verifier logs.
Make the verifier logs more readable, print the verifier states
on the corresponding instruction line. If the previous line was
not a bpf instruction, then print the verifier states on its own
line.
Before:
Validating test_pkt_access_subprog3() func#3...
86: R1=invP(id=0) R2=ctx(id=0,off=0,imm=0) R10=fp0
; int test_pkt_access_subprog3(int val, struct __sk_buff *skb)
86: (bf) r6 = r2
87: R2=ctx(id=0,off=0,imm=0) R6_w=ctx(id=0,off=0,imm=0)
87: (bc) w7 = w1
88: R1=invP(id=0) R7_w=invP(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff))
; return get_skb_len(skb) * get_skb_ifindex(val, skb, get_constant(123));
88: (bf) r1 = r6
89: R1_w=ctx(id=0,off=0,imm=0) R6_w=ctx(id=0,off=0,imm=0)
89: (85) call pc+9
Func#4 is global and valid. Skipping.
90: R0_w=invP(id=0)
90: (bc) w8 = w0
91: R0_w=invP(id=0) R8_w=invP(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff))
; return get_skb_len(skb) * get_skb_ifindex(val, skb, get_constant(123));
91: (b7) r1 = 123
92: R1_w=invP123
92: (85) call pc+65
Func#5 is global and valid. Skipping.
93: R0=invP(id=0)
After:
86: R1=invP(id=0) R2=ctx(id=0,off=0,imm=0) R10=fp0
; int test_pkt_access_subprog3(int val, struct __sk_buff *skb)
86: (bf) r6 = r2 ; R2=ctx(id=0,off=0,imm=0) R6_w=ctx(id=0,off=0,imm=0)
87: (bc) w7 = w1 ; R1=invP(id=0) R7_w=invP(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff))
; return get_skb_len(skb) * get_skb_ifindex(val, skb, get_constant(123));
88: (bf) r1 = r6 ; R1_w=ctx(id=0,off=0,imm=0) R6_w=ctx(id=0,off=0,imm=0)
89: (85) call pc+9
Func#4 is global and valid. Skipping.
90: R0_w=invP(id=0)
90: (bc) w8 = w0 ; R0_w=invP(id=0) R8_w=invP(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff))
; return get_skb_len(skb) * get_skb_ifindex(val, skb, get_constant(123));
91: (b7) r1 = 123 ; R1_w=invP123
92: (85) call pc+65
Func#5 is global and valid. Skipping.
93: R0=invP(id=0)
Signed-off-by: Christy Lee <christylee@fb.com>
Acked-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2021-12-16 19:42:45 -08:00
|
|
|
/* Check the next line as well in case the previous line
|
|
|
|
|
* did not have a corresponding bpf insn. Example:
|
|
|
|
|
* func#0 @0
|
2023-11-17 19:46:21 -08:00
|
|
|
* 0: R1=ctx() R10=fp0
|
2022-03-01 14:27:45 -08:00
|
|
|
* 0: (b7) r3 = 2 ; R3_w=2
|
2023-03-02 15:50:01 -08:00
|
|
|
*
|
|
|
|
|
* Sometimes it's actually two lines below, e.g. when
|
|
|
|
|
* searching for "6: R3_w=scalar(umax=255,var_off=(0x0; 0xff))":
|
2023-11-17 19:46:21 -08:00
|
|
|
* from 4 to 6: R0_w=pkt(off=8,r=8) R1=ctx() R2_w=pkt(r=8) R3_w=pkt_end() R10=fp0
|
|
|
|
|
* 6: R0_w=pkt(off=8,r=8) R1=ctx() R2_w=pkt(r=8) R3_w=pkt_end() R10=fp0
|
|
|
|
|
* 6: (71) r3 = *(u8 *)(r2 +0) ; R2_w=pkt(r=8) R3_w=scalar(umax=255,var_off=(0x0; 0xff))
|
bpf: Right align verifier states in verifier logs.
Make the verifier logs more readable, print the verifier states
on the corresponding instruction line. If the previous line was
not a bpf instruction, then print the verifier states on its own
line.
Before:
Validating test_pkt_access_subprog3() func#3...
86: R1=invP(id=0) R2=ctx(id=0,off=0,imm=0) R10=fp0
; int test_pkt_access_subprog3(int val, struct __sk_buff *skb)
86: (bf) r6 = r2
87: R2=ctx(id=0,off=0,imm=0) R6_w=ctx(id=0,off=0,imm=0)
87: (bc) w7 = w1
88: R1=invP(id=0) R7_w=invP(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff))
; return get_skb_len(skb) * get_skb_ifindex(val, skb, get_constant(123));
88: (bf) r1 = r6
89: R1_w=ctx(id=0,off=0,imm=0) R6_w=ctx(id=0,off=0,imm=0)
89: (85) call pc+9
Func#4 is global and valid. Skipping.
90: R0_w=invP(id=0)
90: (bc) w8 = w0
91: R0_w=invP(id=0) R8_w=invP(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff))
; return get_skb_len(skb) * get_skb_ifindex(val, skb, get_constant(123));
91: (b7) r1 = 123
92: R1_w=invP123
92: (85) call pc+65
Func#5 is global and valid. Skipping.
93: R0=invP(id=0)
After:
86: R1=invP(id=0) R2=ctx(id=0,off=0,imm=0) R10=fp0
; int test_pkt_access_subprog3(int val, struct __sk_buff *skb)
86: (bf) r6 = r2 ; R2=ctx(id=0,off=0,imm=0) R6_w=ctx(id=0,off=0,imm=0)
87: (bc) w7 = w1 ; R1=invP(id=0) R7_w=invP(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff))
; return get_skb_len(skb) * get_skb_ifindex(val, skb, get_constant(123));
88: (bf) r1 = r6 ; R1_w=ctx(id=0,off=0,imm=0) R6_w=ctx(id=0,off=0,imm=0)
89: (85) call pc+9
Func#4 is global and valid. Skipping.
90: R0_w=invP(id=0)
90: (bc) w8 = w0 ; R0_w=invP(id=0) R8_w=invP(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff))
; return get_skb_len(skb) * get_skb_ifindex(val, skb, get_constant(123));
91: (b7) r1 = 123 ; R1_w=invP123
92: (85) call pc+65
Func#5 is global and valid. Skipping.
93: R0=invP(id=0)
Signed-off-by: Christy Lee <christylee@fb.com>
Acked-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2021-12-16 19:42:45 -08:00
|
|
|
*/
|
2023-10-11 15:37:26 -07:00
|
|
|
while (!(p = strstr(line_ptr, m.reg)) || !strstr(p, m.match)) {
|
bpf: Right align verifier states in verifier logs.
Make the verifier logs more readable, print the verifier states
on the corresponding instruction line. If the previous line was
not a bpf instruction, then print the verifier states on its own
line.
Before:
Validating test_pkt_access_subprog3() func#3...
86: R1=invP(id=0) R2=ctx(id=0,off=0,imm=0) R10=fp0
; int test_pkt_access_subprog3(int val, struct __sk_buff *skb)
86: (bf) r6 = r2
87: R2=ctx(id=0,off=0,imm=0) R6_w=ctx(id=0,off=0,imm=0)
87: (bc) w7 = w1
88: R1=invP(id=0) R7_w=invP(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff))
; return get_skb_len(skb) * get_skb_ifindex(val, skb, get_constant(123));
88: (bf) r1 = r6
89: R1_w=ctx(id=0,off=0,imm=0) R6_w=ctx(id=0,off=0,imm=0)
89: (85) call pc+9
Func#4 is global and valid. Skipping.
90: R0_w=invP(id=0)
90: (bc) w8 = w0
91: R0_w=invP(id=0) R8_w=invP(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff))
; return get_skb_len(skb) * get_skb_ifindex(val, skb, get_constant(123));
91: (b7) r1 = 123
92: R1_w=invP123
92: (85) call pc+65
Func#5 is global and valid. Skipping.
93: R0=invP(id=0)
After:
86: R1=invP(id=0) R2=ctx(id=0,off=0,imm=0) R10=fp0
; int test_pkt_access_subprog3(int val, struct __sk_buff *skb)
86: (bf) r6 = r2 ; R2=ctx(id=0,off=0,imm=0) R6_w=ctx(id=0,off=0,imm=0)
87: (bc) w7 = w1 ; R1=invP(id=0) R7_w=invP(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff))
; return get_skb_len(skb) * get_skb_ifindex(val, skb, get_constant(123));
88: (bf) r1 = r6 ; R1_w=ctx(id=0,off=0,imm=0) R6_w=ctx(id=0,off=0,imm=0)
89: (85) call pc+9
Func#4 is global and valid. Skipping.
90: R0_w=invP(id=0)
90: (bc) w8 = w0 ; R0_w=invP(id=0) R8_w=invP(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff))
; return get_skb_len(skb) * get_skb_ifindex(val, skb, get_constant(123));
91: (b7) r1 = 123 ; R1_w=invP123
92: (85) call pc+65
Func#5 is global and valid. Skipping.
93: R0=invP(id=0)
Signed-off-by: Christy Lee <christylee@fb.com>
Acked-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2021-12-16 19:42:45 -08:00
|
|
|
cur_line = -1;
|
|
|
|
|
line_ptr = strtok(NULL, "\n");
|
2023-03-02 15:50:01 -08:00
|
|
|
sscanf(line_ptr ?: "", "%u: ", &cur_line);
|
|
|
|
|
if (!line_ptr || cur_line != m.line)
|
|
|
|
|
break;
|
bpf: Right align verifier states in verifier logs.
Make the verifier logs more readable, print the verifier states
on the corresponding instruction line. If the previous line was
not a bpf instruction, then print the verifier states on its own
line.
Before:
Validating test_pkt_access_subprog3() func#3...
86: R1=invP(id=0) R2=ctx(id=0,off=0,imm=0) R10=fp0
; int test_pkt_access_subprog3(int val, struct __sk_buff *skb)
86: (bf) r6 = r2
87: R2=ctx(id=0,off=0,imm=0) R6_w=ctx(id=0,off=0,imm=0)
87: (bc) w7 = w1
88: R1=invP(id=0) R7_w=invP(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff))
; return get_skb_len(skb) * get_skb_ifindex(val, skb, get_constant(123));
88: (bf) r1 = r6
89: R1_w=ctx(id=0,off=0,imm=0) R6_w=ctx(id=0,off=0,imm=0)
89: (85) call pc+9
Func#4 is global and valid. Skipping.
90: R0_w=invP(id=0)
90: (bc) w8 = w0
91: R0_w=invP(id=0) R8_w=invP(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff))
; return get_skb_len(skb) * get_skb_ifindex(val, skb, get_constant(123));
91: (b7) r1 = 123
92: R1_w=invP123
92: (85) call pc+65
Func#5 is global and valid. Skipping.
93: R0=invP(id=0)
After:
86: R1=invP(id=0) R2=ctx(id=0,off=0,imm=0) R10=fp0
; int test_pkt_access_subprog3(int val, struct __sk_buff *skb)
86: (bf) r6 = r2 ; R2=ctx(id=0,off=0,imm=0) R6_w=ctx(id=0,off=0,imm=0)
87: (bc) w7 = w1 ; R1=invP(id=0) R7_w=invP(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff))
; return get_skb_len(skb) * get_skb_ifindex(val, skb, get_constant(123));
88: (bf) r1 = r6 ; R1_w=ctx(id=0,off=0,imm=0) R6_w=ctx(id=0,off=0,imm=0)
89: (85) call pc+9
Func#4 is global and valid. Skipping.
90: R0_w=invP(id=0)
90: (bc) w8 = w0 ; R0_w=invP(id=0) R8_w=invP(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff))
; return get_skb_len(skb) * get_skb_ifindex(val, skb, get_constant(123));
91: (b7) r1 = 123 ; R1_w=invP123
92: (85) call pc+65
Func#5 is global and valid. Skipping.
93: R0=invP(id=0)
Signed-off-by: Christy Lee <christylee@fb.com>
Acked-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2021-12-16 19:42:45 -08:00
|
|
|
}
|
2023-10-11 15:37:26 -07:00
|
|
|
if (cur_line != m.line || !line_ptr || !(p = strstr(line_ptr, m.reg)) || !strstr(p, m.match)) {
|
|
|
|
|
printf("Failed to find match %u: %s=%s\n", m.line, m.reg, m.match);
|
2017-05-10 11:43:51 -07:00
|
|
|
ret = 1;
|
|
|
|
|
printf("%s", bpf_vlog);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
bpf: simple DFA-based live registers analysis
Compute may-live registers before each instruction in the program.
The register is live before the instruction I if it is read by I or
some instruction S following I during program execution and is not
overwritten between I and S.
This information would be used in the next patch as a hint in
func_states_equal().
Use a simple algorithm described in [1] to compute this information:
- define the following:
- I.use : a set of all registers read by instruction I;
- I.def : a set of all registers written by instruction I;
- I.in : a set of all registers that may be alive before I execution;
- I.out : a set of all registers that may be alive after I execution;
- I.successors : a set of instructions S that might immediately
follow I for some program execution;
- associate separate empty sets 'I.in' and 'I.out' with each instruction;
- visit each instruction in a postorder and update corresponding
'I.in' and 'I.out' sets as follows:
I.out = U [S.in for S in I.successors]
I.in = (I.out / I.def) U I.use
(where U stands for set union, / stands for set difference)
- repeat the computation while I.{in,out} changes for any instruction.
On implementation side keep things as simple, as possible:
- check_cfg() already marks instructions EXPLORED in post-order,
modify it to save the index of each EXPLORED instruction in a vector;
- represent I.{in,out,use,def} as bitmasks;
- don't split the program into basic blocks and don't maintain the
work queue, instead:
- do fixed-point computation by visiting each instruction;
- maintain a simple 'changed' flag if I.{in,out} for any instruction
change;
Measurements show that even such simplistic implementation does not
add measurable verification time overhead (for selftests, at-least).
Note on check_cfg() ex_insn_beg/ex_done change:
To avoid out of bounds access to env->cfg.insn_postorder array,
it should be guaranteed that instruction transitions to EXPLORED state
only once. Previously this was not the fact for incorrect programs
with direct calls to exception callbacks.
The 'align' selftest needs adjustment to skip computed insn/live
registers printout. Otherwise it matches lines from the live registers
printout.
[1] https://en.wikipedia.org/wiki/Live-variable_analysis
Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20250304195024.2478889-4-eddyz87@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2025-03-04 11:50:22 -08:00
|
|
|
out:
|
2017-08-07 15:28:45 +01:00
|
|
|
if (fd_prog >= 0)
|
|
|
|
|
close(fd_prog);
|
2017-05-10 11:43:51 -07:00
|
|
|
}
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2020-05-15 12:49:04 -07:00
|
|
|
void test_align(void)
|
2017-05-10 11:43:51 -07:00
|
|
|
{
|
|
|
|
|
unsigned int i;
|
|
|
|
|
|
2020-05-15 12:49:04 -07:00
|
|
|
for (i = 0; i < ARRAY_SIZE(tests); i++) {
|
2017-05-10 11:43:51 -07:00
|
|
|
struct bpf_align_test *test = &tests[i];
|
|
|
|
|
|
2020-05-15 12:49:04 -07:00
|
|
|
if (!test__start_subtest(test->descr))
|
|
|
|
|
continue;
|
2017-05-10 11:43:51 -07:00
|
|
|
|
2022-11-04 09:36:49 -07:00
|
|
|
ASSERT_OK(do_test_single(test), test->descr);
|
2017-05-10 11:43:51 -07:00
|
|
|
}
|
|
|
|
|
}
|