bpf: Add verifier tests for the bpf_sk_storage
authorMartin KaFai Lau <kafai@fb.com>
Fri, 26 Apr 2019 23:39:49 +0000 (16:39 -0700)
committerAlexei Starovoitov <ast@kernel.org>
Sat, 27 Apr 2019 16:07:05 +0000 (09:07 -0700)
This patch adds verifier tests for the bpf_sk_storage:
1. ARG_PTR_TO_MAP_VALUE_OR_NULL
2. Map and helper compatibility (e.g. disallow bpf_map_loookup_elem)

It also takes this chance to remove the unused struct btf_raw_data
and uses the BTF encoding macros from "test_btf.h".

Acked-by: Yonghong Song <yhs@fb.com>
Signed-off-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
tools/testing/selftests/bpf/test_verifier.c
tools/testing/selftests/bpf/verifier/sock.c

index ed9e894afef3c1034961e84fc78dcb64f18b5d44..ccd896b98cacc56be75be3e9e4053a590cd14121 100644 (file)
 #include "bpf_rlimit.h"
 #include "bpf_rand.h"
 #include "bpf_util.h"
+#include "test_btf.h"
 #include "../../../include/linux/filter.h"
 
 #define MAX_INSNS      BPF_MAXINSNS
 #define MAX_TEST_INSNS 1000000
 #define MAX_FIXUPS     8
-#define MAX_NR_MAPS    17
+#define MAX_NR_MAPS    18
 #define MAX_TEST_RUNS  8
 #define POINTER_VALUE  0xcafe4all
 #define TEST_DATA_LEN  64
@@ -85,6 +86,7 @@ struct bpf_test {
        int fixup_map_array_ro[MAX_FIXUPS];
        int fixup_map_array_wo[MAX_FIXUPS];
        int fixup_map_array_small[MAX_FIXUPS];
+       int fixup_sk_storage_map[MAX_FIXUPS];
        const char *errstr;
        const char *errstr_unpriv;
        uint32_t retval, retval_unpriv, insn_processed;
@@ -497,24 +499,6 @@ static int create_cgroup_storage(bool percpu)
        return fd;
 }
 
-#define BTF_INFO_ENC(kind, kind_flag, vlen) \
-       ((!!(kind_flag) << 31) | ((kind) << 24) | ((vlen) & BTF_MAX_VLEN))
-#define BTF_TYPE_ENC(name, info, size_or_type) \
-       (name), (info), (size_or_type)
-#define BTF_INT_ENC(encoding, bits_offset, nr_bits) \
-       ((encoding) << 24 | (bits_offset) << 16 | (nr_bits))
-#define BTF_TYPE_INT_ENC(name, encoding, bits_offset, bits, sz) \
-       BTF_TYPE_ENC(name, BTF_INFO_ENC(BTF_KIND_INT, 0, 0), sz), \
-       BTF_INT_ENC(encoding, bits_offset, bits)
-#define BTF_MEMBER_ENC(name, type, bits_offset) \
-       (name), (type), (bits_offset)
-
-struct btf_raw_data {
-       __u32 raw_types[64];
-       const char *str_sec;
-       __u32 str_sec_size;
-};
-
 /* struct bpf_spin_lock {
  *   int val;
  * };
@@ -589,6 +573,31 @@ static int create_map_spin_lock(void)
        return fd;
 }
 
+static int create_sk_storage_map(void)
+{
+       struct bpf_create_map_attr attr = {
+               .name = "test_map",
+               .map_type = BPF_MAP_TYPE_SK_STORAGE,
+               .key_size = 4,
+               .value_size = 8,
+               .max_entries = 0,
+               .map_flags = BPF_F_NO_PREALLOC,
+               .btf_key_type_id = 1,
+               .btf_value_type_id = 3,
+       };
+       int fd, btf_fd;
+
+       btf_fd = load_btf();
+       if (btf_fd < 0)
+               return -1;
+       attr.btf_fd = btf_fd;
+       fd = bpf_create_map_xattr(&attr);
+       close(attr.btf_fd);
+       if (fd < 0)
+               printf("Failed to create sk_storage_map\n");
+       return fd;
+}
+
 static char bpf_vlog[UINT_MAX >> 8];
 
 static void do_test_fixup(struct bpf_test *test, enum bpf_prog_type prog_type,
@@ -611,6 +620,7 @@ static void do_test_fixup(struct bpf_test *test, enum bpf_prog_type prog_type,
        int *fixup_map_array_ro = test->fixup_map_array_ro;
        int *fixup_map_array_wo = test->fixup_map_array_wo;
        int *fixup_map_array_small = test->fixup_map_array_small;
+       int *fixup_sk_storage_map = test->fixup_sk_storage_map;
 
        if (test->fill_helper) {
                test->fill_insns = calloc(MAX_TEST_INSNS, sizeof(struct bpf_insn));
@@ -765,6 +775,13 @@ static void do_test_fixup(struct bpf_test *test, enum bpf_prog_type prog_type,
                        fixup_map_array_small++;
                } while (*fixup_map_array_small);
        }
+       if (*fixup_sk_storage_map) {
+               map_fds[17] = create_sk_storage_map();
+               do {
+                       prog[*fixup_sk_storage_map].imm = map_fds[17];
+                       fixup_sk_storage_map++;
+               } while (*fixup_sk_storage_map);
+       }
 }
 
 static int set_admin(bool admin)
index 416436231fab011aeebfbed0f0f253ad25bef912..b31cd2cf50d0fab72ba38e08877e4b1471cd407d 100644 (file)
        .result = REJECT,
        .errstr = "reference has not been acquired before",
 },
+{
+       "sk_storage_get(map, skb->sk, NULL, 0): value == NULL",
+       .insns = {
+       BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
+       BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
+       BPF_MOV64_IMM(BPF_REG_0, 0),
+       BPF_EXIT_INSN(),
+       BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
+       BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
+       BPF_MOV64_IMM(BPF_REG_0, 0),
+       BPF_EXIT_INSN(),
+       BPF_MOV64_IMM(BPF_REG_4, 0),
+       BPF_MOV64_IMM(BPF_REG_3, 0),
+       BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
+       BPF_LD_MAP_FD(BPF_REG_1, 0),
+       BPF_EMIT_CALL(BPF_FUNC_sk_storage_get),
+       BPF_MOV64_IMM(BPF_REG_0, 0),
+       BPF_EXIT_INSN(),
+       },
+       .fixup_sk_storage_map = { 11 },
+       .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+       .result = ACCEPT,
+},
+{
+       "sk_storage_get(map, skb->sk, 1, 1): value == 1",
+       .insns = {
+       BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
+       BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
+       BPF_MOV64_IMM(BPF_REG_0, 0),
+       BPF_EXIT_INSN(),
+       BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
+       BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
+       BPF_MOV64_IMM(BPF_REG_0, 0),
+       BPF_EXIT_INSN(),
+       BPF_MOV64_IMM(BPF_REG_4, 1),
+       BPF_MOV64_IMM(BPF_REG_3, 1),
+       BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
+       BPF_LD_MAP_FD(BPF_REG_1, 0),
+       BPF_EMIT_CALL(BPF_FUNC_sk_storage_get),
+       BPF_MOV64_IMM(BPF_REG_0, 0),
+       BPF_EXIT_INSN(),
+       },
+       .fixup_sk_storage_map = { 11 },
+       .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+       .result = REJECT,
+       .errstr = "R3 type=inv expected=fp",
+},
+{
+       "sk_storage_get(map, skb->sk, &stack_value, 1): stack_value",
+       .insns = {
+       BPF_MOV64_IMM(BPF_REG_2, 0),
+       BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
+       BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
+       BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
+       BPF_MOV64_IMM(BPF_REG_0, 0),
+       BPF_EXIT_INSN(),
+       BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
+       BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
+       BPF_MOV64_IMM(BPF_REG_0, 0),
+       BPF_EXIT_INSN(),
+       BPF_MOV64_IMM(BPF_REG_4, 1),
+       BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
+       BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -8),
+       BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
+       BPF_LD_MAP_FD(BPF_REG_1, 0),
+       BPF_EMIT_CALL(BPF_FUNC_sk_storage_get),
+       BPF_MOV64_IMM(BPF_REG_0, 0),
+       BPF_EXIT_INSN(),
+       },
+       .fixup_sk_storage_map = { 14 },
+       .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+       .result = ACCEPT,
+},
+{
+       "sk_storage_get(map, skb->sk, &stack_value, 1): partially init stack_value",
+       .insns = {
+       BPF_MOV64_IMM(BPF_REG_2, 0),
+       BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_2, -8),
+       BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
+       BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
+       BPF_MOV64_IMM(BPF_REG_0, 0),
+       BPF_EXIT_INSN(),
+       BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
+       BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
+       BPF_MOV64_IMM(BPF_REG_0, 0),
+       BPF_EXIT_INSN(),
+       BPF_MOV64_IMM(BPF_REG_4, 1),
+       BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
+       BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -8),
+       BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
+       BPF_LD_MAP_FD(BPF_REG_1, 0),
+       BPF_EMIT_CALL(BPF_FUNC_sk_storage_get),
+       BPF_MOV64_IMM(BPF_REG_0, 0),
+       BPF_EXIT_INSN(),
+       },
+       .fixup_sk_storage_map = { 14 },
+       .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+       .result = REJECT,
+       .errstr = "invalid indirect read from stack",
+},
+{
+       "bpf_map_lookup_elem(smap, &key)",
+       .insns = {
+       BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0),
+       BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+       BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
+       BPF_LD_MAP_FD(BPF_REG_1, 0),
+       BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
+       BPF_MOV64_IMM(BPF_REG_0, 0),
+       BPF_EXIT_INSN(),
+       },
+       .fixup_sk_storage_map = { 3 },
+       .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+       .result = REJECT,
+       .errstr = "cannot pass map_type 24 into func bpf_map_lookup_elem",
+},