diff mbox series

[bpf-next,v5,3/3] selftests/bpf: Test PTR_MAYBE_NULL arguments of struct_ops operators.

Message ID 20240206063833.2520479-4-thinker.li@gmail.com (mailing list archive)
State Superseded
Delegated to: BPF
Headers show
Series Support PTR_MAYBE_NULL for struct_ops arguments. | expand

Checks

Context Check Description
bpf/vmtest-bpf-next-PR success PR summary
netdev/series_format success Posting correctly formatted
netdev/tree_selection success Clearly marked for bpf-next, async
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 8 this patch: 8
netdev/build_tools success Errors and warnings before: 0 this patch: 0
netdev/cc_maintainers warning 15 maintainers not CCed: jolsa@kernel.org daniel@iogearbox.net john.fastabend@gmail.com mykolal@fb.com yonghong.song@linux.dev shuah@kernel.org alexandre.torgue@foss.st.com sdf@google.com linux-kselftest@vger.kernel.org mcoquelin.stm32@gmail.com linux-arm-kernel@lists.infradead.org linux-stm32@st-md-mailman.stormreply.com eddyz87@gmail.com kpsingh@kernel.org haoluo@google.com
netdev/build_clang success Errors and warnings before: 8 this patch: 8
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 8 this patch: 8
netdev/checkpatch warning WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
bpf/vmtest-bpf-next-VM_Test-1 success Logs for ShellCheck
bpf/vmtest-bpf-next-VM_Test-0 success Logs for Lint
bpf/vmtest-bpf-next-VM_Test-3 success Logs for Validate matrix.py
bpf/vmtest-bpf-next-VM_Test-2 success Logs for Unittests
bpf/vmtest-bpf-next-VM_Test-5 success Logs for aarch64-gcc / build-release
bpf/vmtest-bpf-next-VM_Test-4 success Logs for aarch64-gcc / build / build for aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-10 success Logs for aarch64-gcc / veristat
bpf/vmtest-bpf-next-VM_Test-12 success Logs for s390x-gcc / build-release
bpf/vmtest-bpf-next-VM_Test-9 success Logs for aarch64-gcc / test (test_verifier, false, 360) / test_verifier on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-8 success Logs for aarch64-gcc / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-6 success Logs for aarch64-gcc / test (test_maps, false, 360) / test_maps on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-7 success Logs for aarch64-gcc / test (test_progs, false, 360) / test_progs on aarch64 with gcc
bpf/vmtest-bpf-next-VM_Test-11 success Logs for s390x-gcc / build / build for s390x with gcc
bpf/vmtest-bpf-next-VM_Test-33 success Logs for x86_64-llvm-17 / test (test_verifier, false, 360) / test_verifier on x86_64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-32 success Logs for x86_64-llvm-17 / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on x86_64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-34 success Logs for x86_64-llvm-17 / veristat
bpf/vmtest-bpf-next-VM_Test-36 success Logs for x86_64-llvm-18 / build-release / build for x86_64 with llvm-18 and -O2 optimization
bpf/vmtest-bpf-next-VM_Test-38 success Logs for x86_64-llvm-18 / test (test_progs, false, 360) / test_progs on x86_64 with llvm-18
bpf/vmtest-bpf-next-VM_Test-42 success Logs for x86_64-llvm-18 / veristat
bpf/vmtest-bpf-next-VM_Test-40 success Logs for x86_64-llvm-18 / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on x86_64 with llvm-18
bpf/vmtest-bpf-next-VM_Test-35 success Logs for x86_64-llvm-18 / build / build for x86_64 with llvm-18
bpf/vmtest-bpf-next-VM_Test-41 success Logs for x86_64-llvm-18 / test (test_verifier, false, 360) / test_verifier on x86_64 with llvm-18
bpf/vmtest-bpf-next-VM_Test-37 success Logs for x86_64-llvm-18 / test (test_maps, false, 360) / test_maps on x86_64 with llvm-18
bpf/vmtest-bpf-next-VM_Test-23 success Logs for x86_64-gcc / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-17 success Logs for s390x-gcc / veristat
bpf/vmtest-bpf-next-VM_Test-20 success Logs for x86_64-gcc / build-release
bpf/vmtest-bpf-next-VM_Test-21 success Logs for x86_64-gcc / test (test_maps, false, 360) / test_maps on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-28 success Logs for x86_64-llvm-17 / build / build for x86_64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-18 success Logs for set-matrix
bpf/vmtest-bpf-next-VM_Test-22 success Logs for x86_64-gcc / test (test_progs, false, 360) / test_progs on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-25 success Logs for x86_64-gcc / test (test_progs_parallel, true, 30) / test_progs_parallel on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-29 success Logs for x86_64-llvm-17 / build-release / build for x86_64 with llvm-17 and -O2 optimization
bpf/vmtest-bpf-next-VM_Test-26 success Logs for x86_64-gcc / test (test_verifier, false, 360) / test_verifier on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-31 success Logs for x86_64-llvm-17 / test (test_progs, false, 360) / test_progs on x86_64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-24 success Logs for x86_64-gcc / test (test_progs_no_alu32_parallel, true, 30) / test_progs_no_alu32_parallel on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-27 success Logs for x86_64-gcc / veristat / veristat on x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-19 success Logs for x86_64-gcc / build / build for x86_64 with gcc
bpf/vmtest-bpf-next-VM_Test-30 success Logs for x86_64-llvm-17 / test (test_maps, false, 360) / test_maps on x86_64 with llvm-17
bpf/vmtest-bpf-next-VM_Test-39 success Logs for x86_64-llvm-18 / test (test_progs_cpuv4, false, 360) / test_progs_cpuv4 on x86_64 with llvm-18
bpf/vmtest-bpf-next-VM_Test-16 success Logs for s390x-gcc / test (test_verifier, false, 360) / test_verifier on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-14 success Logs for s390x-gcc / test (test_progs, false, 360) / test_progs on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-15 success Logs for s390x-gcc / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on s390x with gcc
bpf/vmtest-bpf-next-VM_Test-13 success Logs for s390x-gcc / test (test_maps, false, 360) / test_maps on s390x with gcc

Commit Message

Kui-Feng Lee Feb. 6, 2024, 6:38 a.m. UTC 
From: Kui-Feng Lee <thinker.li@gmail.com>

Test if the verifier verifies nullable pointer arguments correctly for BPF
struct_ops programs.

"test_maybe_null" in struct bpf_testmod_ops is the operator defined for the
test cases here. It has several pointer arguments to various types. These
pointers are majorly classified to 3 categories; pointers to struct types,
pointers to scalar types, and pointers to array types. They are handled
sightly differently.

A BPF program should check a pointer for NULL beforehand to access the
value pointed by the nullable pointer arguments, or the verifier should
reject the programs. The test here includes two parts; the programs
checking pointers properly and the programs not checking pointers
beforehand. The test checks if the verifier accepts the programs checking
properly and rejects the programs not checking at all.

Signed-off-by: Kui-Feng Lee <thinker.li@gmail.com>
---
 .../selftests/bpf/bpf_testmod/bpf_testmod.c   | 12 ++++-
 .../selftests/bpf/bpf_testmod/bpf_testmod.h   |  7 +++
 .../prog_tests/test_struct_ops_maybe_null.c   | 47 +++++++++++++++++++
 .../bpf/progs/struct_ops_maybe_null.c         | 31 ++++++++++++
 .../bpf/progs/struct_ops_maybe_null_fail.c    | 25 ++++++++++
 5 files changed, 121 insertions(+), 1 deletion(-)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/test_struct_ops_maybe_null.c
 create mode 100644 tools/testing/selftests/bpf/progs/struct_ops_maybe_null.c
 create mode 100644 tools/testing/selftests/bpf/progs/struct_ops_maybe_null_fail.c

Comments

Kui-Feng Lee Feb. 7, 2024, 7:35 p.m. UTC | #1 
On 2/5/24 22:38, thinker.li@gmail.com wrote:
> From: Kui-Feng Lee <thinker.li@gmail.com>
> 
> Test if the verifier verifies nullable pointer arguments correctly for BPF
> struct_ops programs.
> 
> "test_maybe_null" in struct bpf_testmod_ops is the operator defined for the
> test cases here. It has several pointer arguments to various types. These
> pointers are majorly classified to 3 categories; pointers to struct types,
> pointers to scalar types, and pointers to array types. They are handled
> sightly differently.
> 
> A BPF program should check a pointer for NULL beforehand to access the
> value pointed by the nullable pointer arguments, or the verifier should
> reject the programs. The test here includes two parts; the programs
> checking pointers properly and the programs not checking pointers
> beforehand. The test checks if the verifier accepts the programs checking
> properly and rejects the programs not checking at all.
> 
> Signed-off-by: Kui-Feng Lee <thinker.li@gmail.com>
> ---
>   .../selftests/bpf/bpf_testmod/bpf_testmod.c   | 12 ++++-
>   .../selftests/bpf/bpf_testmod/bpf_testmod.h   |  7 +++
>   .../prog_tests/test_struct_ops_maybe_null.c   | 47 +++++++++++++++++++
>   .../bpf/progs/struct_ops_maybe_null.c         | 31 ++++++++++++
>   .../bpf/progs/struct_ops_maybe_null_fail.c    | 25 ++++++++++
>   5 files changed, 121 insertions(+), 1 deletion(-)
>   create mode 100644 tools/testing/selftests/bpf/prog_tests/test_struct_ops_maybe_null.c
>   create mode 100644 tools/testing/selftests/bpf/progs/struct_ops_maybe_null.c
>   create mode 100644 tools/testing/selftests/bpf/progs/struct_ops_maybe_null_fail.c
> 
> diff --git a/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.c b/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.c
> index a06daebc75c9..891a2b5f422c 100644
> --- a/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.c
> +++ b/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.c
> @@ -555,7 +555,10 @@ static int bpf_dummy_reg(void *kdata)
>   {
>   	struct bpf_testmod_ops *ops = kdata;
>   
> -	ops->test_2(4, 3);
> +	if (ops->test_maybe_null)
> +		ops->test_maybe_null(0, NULL);
> +	else
> +		ops->test_2(4, 3);
>   
>   	return 0;
>   }
> @@ -573,9 +576,16 @@ static void bpf_testmod_test_2(int a, int b)
>   {
>   }
>   
> +static int bpf_testmod_ops__test_maybe_null(int dummy,
> +					    struct task_struct *task__nullable)
> +{
> +	return 0;
> +}
> +
>   static struct bpf_testmod_ops __bpf_testmod_ops = {
>   	.test_1 = bpf_testmod_test_1,
>   	.test_2 = bpf_testmod_test_2,
> +	.test_maybe_null = bpf_testmod_ops__test_maybe_null,
>   };
>   
>   struct bpf_struct_ops bpf_bpf_testmod_ops = {
> diff --git a/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.h b/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.h
> index 537beca42896..c51580c9119d 100644
> --- a/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.h
> +++ b/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.h
> @@ -5,6 +5,8 @@
>   
>   #include <linux/types.h>
>   
> +struct task_struct;
> +
>   struct bpf_testmod_test_read_ctx {
>   	char *buf;
>   	loff_t off;
> @@ -28,9 +30,14 @@ struct bpf_iter_testmod_seq {
>   	int cnt;
>   };
>   
> +typedef u32 (*ar_t)[2];
> +typedef u32 (*ar2_t)[];
> +
>   struct bpf_testmod_ops {
>   	int (*test_1)(void);
>   	void (*test_2)(int a, int b);
> +	/* Used to test nullable arguments. */
> +	int (*test_maybe_null)(int dummy, struct task_struct *task);
>   };
>   
>   #endif /* _BPF_TESTMOD_H */
> diff --git a/tools/testing/selftests/bpf/prog_tests/test_struct_ops_maybe_null.c b/tools/testing/selftests/bpf/prog_tests/test_struct_ops_maybe_null.c
> new file mode 100644
> index 000000000000..1c057c62d893
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/prog_tests/test_struct_ops_maybe_null.c
> @@ -0,0 +1,47 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/* Copyright (c) 2024 Meta Platforms, Inc. and affiliates. */
> +#include <test_progs.h>
> +#include <time.h>
> +
> +#include "struct_ops_maybe_null.skel.h"
> +#include "struct_ops_maybe_null_fail.skel.h"
> +
> +/* Test that the verifier accepts a program that access a nullable pointer
> + * with a proper check.
> + */
> +static void maybe_null(void)
> +{
> +	struct struct_ops_maybe_null *skel;
> +
> +	skel = struct_ops_maybe_null__open_and_load();
> +	if (!ASSERT_OK_PTR(skel, "struct_ops_module_open_and_load"))
> +		return;
> +
> +	struct_ops_maybe_null__destroy(skel);
> +}
> +
> +/* Test that the verifier rejects a program that access a nullable pointer
> + * without a check beforehand.
> + */
> +static void maybe_null_fail(void)
> +{
> +	struct struct_ops_maybe_null_fail *skel;
> +
> +	skel = struct_ops_maybe_null_fail__open_and_load();
> +	if (ASSERT_ERR_PTR(skel, "struct_ops_module_fail__open_and_load"))
> +		return;
> +
> +	struct_ops_maybe_null_fail__destroy(skel);
> +}
> +
> +void test_struct_ops_maybe_null(void)
> +{
> +	/* The verifier verifies the programs at load time, so testing both
> +	 * programs in the same compile-unit is complicated. We run them in
> +	 * separate objects to simplify the testing.
> +	 */
> +	if (test__start_subtest("maybe_null"))
> +		maybe_null();
> +	if (test__start_subtest("maybe_null_fail"))
> +		maybe_null_fail();
> +}
> diff --git a/tools/testing/selftests/bpf/progs/struct_ops_maybe_null.c b/tools/testing/selftests/bpf/progs/struct_ops_maybe_null.c
> new file mode 100644
> index 000000000000..c5769c742900
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/progs/struct_ops_maybe_null.c
> @@ -0,0 +1,31 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/* Copyright (c) 2024 Meta Platforms, Inc. and affiliates. */
> +#include <vmlinux.h>
> +#include <bpf/bpf_helpers.h>
> +#include <bpf/bpf_tracing.h>
> +#include "../bpf_testmod/bpf_testmod.h"
> +
> +char _license[] SEC("license") = "GPL";
> +
> +u64 tgid = 0;
> +
> +/* This is a test BPF program that uses struct_ops to access an argument
> + * that may be NULL. This is a test for the verifier to ensure that it can
> + * rip PTR_MAYBE_NULL correctly. There are tree pointers; task, scalar, and
> + * ar. They are used to test the cases of PTR_TO_BTF_ID, PTR_TO_BUF, and array.

Just found I didn't remove this comment.  I will remove the last two
sentences from the next version.

> + */
> +SEC("struct_ops/test_maybe_null")
> +int BPF_PROG(test_maybe_null, int dummy,
> +	     struct task_struct *task)
> +{
> +	if (task)
> +		tgid = task->tgid;
> +
> +	return 0;
> +}
> +
> +SEC(".struct_ops.link")
> +struct bpf_testmod_ops testmod_1 = {
> +	.test_maybe_null = (void *)test_maybe_null,
> +};
> +
> diff --git a/tools/testing/selftests/bpf/progs/struct_ops_maybe_null_fail.c b/tools/testing/selftests/bpf/progs/struct_ops_maybe_null_fail.c
> new file mode 100644
> index 000000000000..566be47fb40b
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/progs/struct_ops_maybe_null_fail.c
> @@ -0,0 +1,25 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/* Copyright (c) 2024 Meta Platforms, Inc. and affiliates. */
> +#include <vmlinux.h>
> +#include <bpf/bpf_helpers.h>
> +#include <bpf/bpf_tracing.h>
> +#include "../bpf_testmod/bpf_testmod.h"
> +
> +char _license[] SEC("license") = "GPL";
> +
> +int tgid = 0;
> +
> +SEC("struct_ops/test_maybe_null_struct_ptr")
> +int BPF_PROG(test_maybe_null_struct_ptr, int dummy,
> +	     struct task_struct *task)
> +{
> +	tgid = task->tgid;
> +
> +	return 0;
> +}
> +
> +SEC(".struct_ops.link")
> +struct bpf_testmod_ops testmod_struct_ptr = {
> +	.test_maybe_null = (void *)test_maybe_null_struct_ptr,
> +};
> +
Martin KaFai Lau Feb. 7, 2024, 10:38 p.m. UTC | #2 
On 2/5/24 10:38 PM, thinker.li@gmail.com wrote:
> From: Kui-Feng Lee <thinker.li@gmail.com>
> 
> Test if the verifier verifies nullable pointer arguments correctly for BPF
> struct_ops programs.
> 
> "test_maybe_null" in struct bpf_testmod_ops is the operator defined for the
> test cases here. It has several pointer arguments to various types. These
> pointers are majorly classified to 3 categories; pointers to struct types,
> pointers to scalar types, and pointers to array types. They are handled
> sightly differently.

The commit message needs an update. probably make sense to skip what pointer 
type is supported because this patch set does not change that.

> 
> A BPF program should check a pointer for NULL beforehand to access the
> value pointed by the nullable pointer arguments, or the verifier should
> reject the programs. The test here includes two parts; the programs
> checking pointers properly and the programs not checking pointers
> beforehand. The test checks if the verifier accepts the programs checking
> properly and rejects the programs not checking at all.
> 
> Signed-off-by: Kui-Feng Lee <thinker.li@gmail.com>
> ---
>   .../selftests/bpf/bpf_testmod/bpf_testmod.c   | 12 ++++-
>   .../selftests/bpf/bpf_testmod/bpf_testmod.h   |  7 +++
>   .../prog_tests/test_struct_ops_maybe_null.c   | 47 +++++++++++++++++++
>   .../bpf/progs/struct_ops_maybe_null.c         | 31 ++++++++++++
>   .../bpf/progs/struct_ops_maybe_null_fail.c    | 25 ++++++++++
>   5 files changed, 121 insertions(+), 1 deletion(-)
>   create mode 100644 tools/testing/selftests/bpf/prog_tests/test_struct_ops_maybe_null.c
>   create mode 100644 tools/testing/selftests/bpf/progs/struct_ops_maybe_null.c
>   create mode 100644 tools/testing/selftests/bpf/progs/struct_ops_maybe_null_fail.c
> 
> diff --git a/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.c b/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.c
> index a06daebc75c9..891a2b5f422c 100644
> --- a/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.c
> +++ b/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.c
> @@ -555,7 +555,10 @@ static int bpf_dummy_reg(void *kdata)
>   {
>   	struct bpf_testmod_ops *ops = kdata;
>   
> -	ops->test_2(4, 3);
> +	if (ops->test_maybe_null)
> +		ops->test_maybe_null(0, NULL);

afaict, the "static void maybe_null(void)" test below does not exercise this 
line of change.

> +	else
> +		ops->test_2(4, 3);
>   
>   	return 0;
>   }
> @@ -573,9 +576,16 @@ static void bpf_testmod_test_2(int a, int b)
>   {
>   }
>   
> +static int bpf_testmod_ops__test_maybe_null(int dummy,
> +					    struct task_struct *task__nullable)
> +{
> +	return 0;
> +}
> +
>   static struct bpf_testmod_ops __bpf_testmod_ops = {
>   	.test_1 = bpf_testmod_test_1,
>   	.test_2 = bpf_testmod_test_2,
> +	.test_maybe_null = bpf_testmod_ops__test_maybe_null,
>   };
>   
>   struct bpf_struct_ops bpf_bpf_testmod_ops = {
> diff --git a/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.h b/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.h
> index 537beca42896..c51580c9119d 100644
> --- a/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.h
> +++ b/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.h
> @@ -5,6 +5,8 @@
>   
>   #include <linux/types.h>
>   
> +struct task_struct;
> +
>   struct bpf_testmod_test_read_ctx {
>   	char *buf;
>   	loff_t off;
> @@ -28,9 +30,14 @@ struct bpf_iter_testmod_seq {
>   	int cnt;
>   };
>   
> +typedef u32 (*ar_t)[2];
> +typedef u32 (*ar2_t)[];

They are not needed in v5.

> +
>   struct bpf_testmod_ops {
>   	int (*test_1)(void);
>   	void (*test_2)(int a, int b);
> +	/* Used to test nullable arguments. */
> +	int (*test_maybe_null)(int dummy, struct task_struct *task);
>   };
>   
>   #endif /* _BPF_TESTMOD_H */
> diff --git a/tools/testing/selftests/bpf/prog_tests/test_struct_ops_maybe_null.c b/tools/testing/selftests/bpf/prog_tests/test_struct_ops_maybe_null.c
> new file mode 100644
> index 000000000000..1c057c62d893
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/prog_tests/test_struct_ops_maybe_null.c
> @@ -0,0 +1,47 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/* Copyright (c) 2024 Meta Platforms, Inc. and affiliates. */
> +#include <test_progs.h>
> +#include <time.h>

Why time.h?

> +
> +#include "struct_ops_maybe_null.skel.h"
> +#include "struct_ops_maybe_null_fail.skel.h"
> +
> +/* Test that the verifier accepts a program that access a nullable pointer
> + * with a proper check.
> + */
> +static void maybe_null(void)
> +{
> +	struct struct_ops_maybe_null *skel;
> +
> +	skel = struct_ops_maybe_null__open_and_load();
> +	if (!ASSERT_OK_PTR(skel, "struct_ops_module_open_and_load"))
> +		return;
> +
> +	struct_ops_maybe_null__destroy(skel);
> +}
> +
> +/* Test that the verifier rejects a program that access a nullable pointer
> + * without a check beforehand.
> + */
> +static void maybe_null_fail(void)
> +{
> +	struct struct_ops_maybe_null_fail *skel;
> +
> +	skel = struct_ops_maybe_null_fail__open_and_load();
> +	if (ASSERT_ERR_PTR(skel, "struct_ops_module_fail__open_and_load"))
> +		return;
> +
> +	struct_ops_maybe_null_fail__destroy(skel);
> +}
> +
> +void test_struct_ops_maybe_null(void)
> +{
> +	/* The verifier verifies the programs at load time, so testing both
> +	 * programs in the same compile-unit is complicated. We run them in
> +	 * separate objects to simplify the testing.
> +	 */
> +	if (test__start_subtest("maybe_null"))
> +		maybe_null();
> +	if (test__start_subtest("maybe_null_fail"))
> +		maybe_null_fail();
> +}
> diff --git a/tools/testing/selftests/bpf/progs/struct_ops_maybe_null.c b/tools/testing/selftests/bpf/progs/struct_ops_maybe_null.c
> new file mode 100644
> index 000000000000..c5769c742900
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/progs/struct_ops_maybe_null.c
> @@ -0,0 +1,31 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/* Copyright (c) 2024 Meta Platforms, Inc. and affiliates. */
> +#include <vmlinux.h>
> +#include <bpf/bpf_helpers.h>
> +#include <bpf/bpf_tracing.h>
> +#include "../bpf_testmod/bpf_testmod.h"
> +
> +char _license[] SEC("license") = "GPL";
> +
> +u64 tgid = 0;

u64 here.

> +
> +/* This is a test BPF program that uses struct_ops to access an argument
> + * that may be NULL. This is a test for the verifier to ensure that it can
> + * rip PTR_MAYBE_NULL correctly. There are tree pointers; task, scalar, and
> + * ar. They are used to test the cases of PTR_TO_BTF_ID, PTR_TO_BUF, and array.
> + */
> +SEC("struct_ops/test_maybe_null")
> +int BPF_PROG(test_maybe_null, int dummy,
> +	     struct task_struct *task)
> +{
> +	if (task)
> +		tgid = task->tgid;
> +
> +	return 0;
> +}
> +
> +SEC(".struct_ops.link")
> +struct bpf_testmod_ops testmod_1 = {
> +	.test_maybe_null = (void *)test_maybe_null,
> +};
> +
> diff --git a/tools/testing/selftests/bpf/progs/struct_ops_maybe_null_fail.c b/tools/testing/selftests/bpf/progs/struct_ops_maybe_null_fail.c
> new file mode 100644
> index 000000000000..566be47fb40b
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/progs/struct_ops_maybe_null_fail.c
> @@ -0,0 +1,25 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/* Copyright (c) 2024 Meta Platforms, Inc. and affiliates. */
> +#include <vmlinux.h>
> +#include <bpf/bpf_helpers.h>
> +#include <bpf/bpf_tracing.h>
> +#include "../bpf_testmod/bpf_testmod.h"
> +
> +char _license[] SEC("license") = "GPL";
> +
> +int tgid = 0;

but int here.

understand that it does not matter and not the focus of this test but still 
better be consistent and use the correct one.

> +
> +SEC("struct_ops/test_maybe_null_struct_ptr")
> +int BPF_PROG(test_maybe_null_struct_ptr, int dummy,
> +	     struct task_struct *task)
> +{
> +	tgid = task->tgid;
> +
> +	return 0;
> +}
> +
> +SEC(".struct_ops.link")
> +struct bpf_testmod_ops testmod_struct_ptr = {
> +	.test_maybe_null = (void *)test_maybe_null_struct_ptr,
> +};
> +
Kui-Feng Lee Feb. 8, 2024, 12:54 a.m. UTC | #3 
On 2/7/24 14:38, Martin KaFai Lau wrote:
> On 2/5/24 10:38 PM, thinker.li@gmail.com wrote:
>> From: Kui-Feng Lee <thinker.li@gmail.com>
>>
>> Test if the verifier verifies nullable pointer arguments correctly for 
>> BPF
>> struct_ops programs.
>>
>> "test_maybe_null" in struct bpf_testmod_ops is the operator defined 
>> for the
>> test cases here. It has several pointer arguments to various types. These
>> pointers are majorly classified to 3 categories; pointers to struct 
>> types,
>> pointers to scalar types, and pointers to array types. They are handled
>> sightly differently.
> 
> The commit message needs an update. probably make sense to skip what 
> pointer type is supported because this patch set does not change that.

Agree!

> 
>>
>> A BPF program should check a pointer for NULL beforehand to access the
>> value pointed by the nullable pointer arguments, or the verifier should
>> reject the programs. The test here includes two parts; the programs
>> checking pointers properly and the programs not checking pointers
>> beforehand. The test checks if the verifier accepts the programs checking
>> properly and rejects the programs not checking at all.
>>
>> Signed-off-by: Kui-Feng Lee <thinker.li@gmail.com>
>> ---
>>   .../selftests/bpf/bpf_testmod/bpf_testmod.c   | 12 ++++-
>>   .../selftests/bpf/bpf_testmod/bpf_testmod.h   |  7 +++
>>   .../prog_tests/test_struct_ops_maybe_null.c   | 47 +++++++++++++++++++
>>   .../bpf/progs/struct_ops_maybe_null.c         | 31 ++++++++++++
>>   .../bpf/progs/struct_ops_maybe_null_fail.c    | 25 ++++++++++
>>   5 files changed, 121 insertions(+), 1 deletion(-)
>>   create mode 100644 
>> tools/testing/selftests/bpf/prog_tests/test_struct_ops_maybe_null.c
>>   create mode 100644 
>> tools/testing/selftests/bpf/progs/struct_ops_maybe_null.c
>>   create mode 100644 
>> tools/testing/selftests/bpf/progs/struct_ops_maybe_null_fail.c
>>
>> diff --git a/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.c 
>> b/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.c
>> index a06daebc75c9..891a2b5f422c 100644
>> --- a/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.c
>> +++ b/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.c
>> @@ -555,7 +555,10 @@ static int bpf_dummy_reg(void *kdata)
>>   {
>>       struct bpf_testmod_ops *ops = kdata;
>> -    ops->test_2(4, 3);
>> +    if (ops->test_maybe_null)
>> +        ops->test_maybe_null(0, NULL);
> 
> afaict, the "static void maybe_null(void)" test below does not exercise 
> this line of change.

I will remove it.

> 
>> +    else
>> +        ops->test_2(4, 3);
>>       return 0;
>>   }
>> @@ -573,9 +576,16 @@ static void bpf_testmod_test_2(int a, int b)
>>   {
>>   }
>> +static int bpf_testmod_ops__test_maybe_null(int dummy,
>> +                        struct task_struct *task__nullable)
>> +{
>> +    return 0;
>> +}
>> +
>>   static struct bpf_testmod_ops __bpf_testmod_ops = {
>>       .test_1 = bpf_testmod_test_1,
>>       .test_2 = bpf_testmod_test_2,
>> +    .test_maybe_null = bpf_testmod_ops__test_maybe_null,
>>   };
>>   struct bpf_struct_ops bpf_bpf_testmod_ops = {
>> diff --git a/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.h 
>> b/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.h
>> index 537beca42896..c51580c9119d 100644
>> --- a/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.h
>> +++ b/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.h
>> @@ -5,6 +5,8 @@
>>   #include <linux/types.h>
>> +struct task_struct;
>> +
>>   struct bpf_testmod_test_read_ctx {
>>       char *buf;
>>       loff_t off;
>> @@ -28,9 +30,14 @@ struct bpf_iter_testmod_seq {
>>       int cnt;
>>   };
>> +typedef u32 (*ar_t)[2];
>> +typedef u32 (*ar2_t)[];
> 
> They are not needed in v5.

Sure!

> 
>> +
>>   struct bpf_testmod_ops {
>>       int (*test_1)(void);
>>       void (*test_2)(int a, int b);
>> +    /* Used to test nullable arguments. */
>> +    int (*test_maybe_null)(int dummy, struct task_struct *task);
>>   };
>>   #endif /* _BPF_TESTMOD_H */
>> diff --git 
>> a/tools/testing/selftests/bpf/prog_tests/test_struct_ops_maybe_null.c 
>> b/tools/testing/selftests/bpf/prog_tests/test_struct_ops_maybe_null.c
>> new file mode 100644
>> index 000000000000..1c057c62d893
>> --- /dev/null
>> +++ b/tools/testing/selftests/bpf/prog_tests/test_struct_ops_maybe_null.c
>> @@ -0,0 +1,47 @@
>> +// SPDX-License-Identifier: GPL-2.0
>> +/* Copyright (c) 2024 Meta Platforms, Inc. and affiliates. */
>> +#include <test_progs.h>
>> +#include <time.h>
> 
> Why time.h?

It should be removed now.

> 
>> +
>> +#include "struct_ops_maybe_null.skel.h"
>> +#include "struct_ops_maybe_null_fail.skel.h"
>> +
>> +/* Test that the verifier accepts a program that access a nullable 
>> pointer
>> + * with a proper check.
>> + */
>> +static void maybe_null(void)
>> +{
>> +    struct struct_ops_maybe_null *skel;
>> +
>> +    skel = struct_ops_maybe_null__open_and_load();
>> +    if (!ASSERT_OK_PTR(skel, "struct_ops_module_open_and_load"))
>> +        return;
>> +
>> +    struct_ops_maybe_null__destroy(skel);
>> +}
>> +
>> +/* Test that the verifier rejects a program that access a nullable 
>> pointer
>> + * without a check beforehand.
>> + */
>> +static void maybe_null_fail(void)
>> +{
>> +    struct struct_ops_maybe_null_fail *skel;
>> +
>> +    skel = struct_ops_maybe_null_fail__open_and_load();
>> +    if (ASSERT_ERR_PTR(skel, "struct_ops_module_fail__open_and_load"))
>> +        return;
>> +
>> +    struct_ops_maybe_null_fail__destroy(skel);
>> +}
>> +
>> +void test_struct_ops_maybe_null(void)
>> +{
>> +    /* The verifier verifies the programs at load time, so testing both
>> +     * programs in the same compile-unit is complicated. We run them in
>> +     * separate objects to simplify the testing.
>> +     */
>> +    if (test__start_subtest("maybe_null"))
>> +        maybe_null();
>> +    if (test__start_subtest("maybe_null_fail"))
>> +        maybe_null_fail();
>> +}
>> diff --git a/tools/testing/selftests/bpf/progs/struct_ops_maybe_null.c 
>> b/tools/testing/selftests/bpf/progs/struct_ops_maybe_null.c
>> new file mode 100644
>> index 000000000000..c5769c742900
>> --- /dev/null
>> +++ b/tools/testing/selftests/bpf/progs/struct_ops_maybe_null.c
>> @@ -0,0 +1,31 @@
>> +// SPDX-License-Identifier: GPL-2.0
>> +/* Copyright (c) 2024 Meta Platforms, Inc. and affiliates. */
>> +#include <vmlinux.h>
>> +#include <bpf/bpf_helpers.h>
>> +#include <bpf/bpf_tracing.h>
>> +#include "../bpf_testmod/bpf_testmod.h"
>> +
>> +char _license[] SEC("license") = "GPL";
>> +
>> +u64 tgid = 0;
> 
> u64 here.
> 
>> +
>> +/* This is a test BPF program that uses struct_ops to access an argument
>> + * that may be NULL. This is a test for the verifier to ensure that 
>> it can
>> + * rip PTR_MAYBE_NULL correctly. There are tree pointers; task, 
>> scalar, and
>> + * ar. They are used to test the cases of PTR_TO_BTF_ID, PTR_TO_BUF, 
>> and array.
>> + */
>> +SEC("struct_ops/test_maybe_null")
>> +int BPF_PROG(test_maybe_null, int dummy,
>> +         struct task_struct *task)
>> +{
>> +    if (task)
>> +        tgid = task->tgid;
>> +
>> +    return 0;
>> +}
>> +
>> +SEC(".struct_ops.link")
>> +struct bpf_testmod_ops testmod_1 = {
>> +    .test_maybe_null = (void *)test_maybe_null,
>> +};
>> +
>> diff --git 
>> a/tools/testing/selftests/bpf/progs/struct_ops_maybe_null_fail.c 
>> b/tools/testing/selftests/bpf/progs/struct_ops_maybe_null_fail.c
>> new file mode 100644
>> index 000000000000..566be47fb40b
>> --- /dev/null
>> +++ b/tools/testing/selftests/bpf/progs/struct_ops_maybe_null_fail.c
>> @@ -0,0 +1,25 @@
>> +// SPDX-License-Identifier: GPL-2.0
>> +/* Copyright (c) 2024 Meta Platforms, Inc. and affiliates. */
>> +#include <vmlinux.h>
>> +#include <bpf/bpf_helpers.h>
>> +#include <bpf/bpf_tracing.h>
>> +#include "../bpf_testmod/bpf_testmod.h"
>> +
>> +char _license[] SEC("license") = "GPL";
>> +
>> +int tgid = 0;
> 
> but int here.
> 
> understand that it does not matter and not the focus of this test but 
> still better be consistent and use the correct one.

I will chnage them to pid_t.

> 
>> +
>> +SEC("struct_ops/test_maybe_null_struct_ptr")
>> +int BPF_PROG(test_maybe_null_struct_ptr, int dummy,
>> +         struct task_struct *task)
>> +{
>> +    tgid = task->tgid;
>> +
>> +    return 0;
>> +}
>> +
>> +SEC(".struct_ops.link")
>> +struct bpf_testmod_ops testmod_struct_ptr = {
>> +    .test_maybe_null = (void *)test_maybe_null_struct_ptr,
>> +};
>> +
>
diff mbox series

Patch

diff --git a/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.c b/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.c
index a06daebc75c9..891a2b5f422c 100644
--- a/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.c
+++ b/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.c
@@ -555,7 +555,10 @@  static int bpf_dummy_reg(void *kdata)
 {
 	struct bpf_testmod_ops *ops = kdata;
 
-	ops->test_2(4, 3);
+	if (ops->test_maybe_null)
+		ops->test_maybe_null(0, NULL);
+	else
+		ops->test_2(4, 3);
 
 	return 0;
 }
@@ -573,9 +576,16 @@  static void bpf_testmod_test_2(int a, int b)
 {
 }
 
+static int bpf_testmod_ops__test_maybe_null(int dummy,
+					    struct task_struct *task__nullable)
+{
+	return 0;
+}
+
 static struct bpf_testmod_ops __bpf_testmod_ops = {
 	.test_1 = bpf_testmod_test_1,
 	.test_2 = bpf_testmod_test_2,
+	.test_maybe_null = bpf_testmod_ops__test_maybe_null,
 };
 
 struct bpf_struct_ops bpf_bpf_testmod_ops = {
diff --git a/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.h b/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.h
index 537beca42896..c51580c9119d 100644
--- a/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.h
+++ b/tools/testing/selftests/bpf/bpf_testmod/bpf_testmod.h
@@ -5,6 +5,8 @@ 
 
 #include <linux/types.h>
 
+struct task_struct;
+
 struct bpf_testmod_test_read_ctx {
 	char *buf;
 	loff_t off;
@@ -28,9 +30,14 @@  struct bpf_iter_testmod_seq {
 	int cnt;
 };
 
+typedef u32 (*ar_t)[2];
+typedef u32 (*ar2_t)[];
+
 struct bpf_testmod_ops {
 	int (*test_1)(void);
 	void (*test_2)(int a, int b);
+	/* Used to test nullable arguments. */
+	int (*test_maybe_null)(int dummy, struct task_struct *task);
 };
 
 #endif /* _BPF_TESTMOD_H */
diff --git a/tools/testing/selftests/bpf/prog_tests/test_struct_ops_maybe_null.c b/tools/testing/selftests/bpf/prog_tests/test_struct_ops_maybe_null.c
new file mode 100644
index 000000000000..1c057c62d893
--- /dev/null
+++ b/tools/testing/selftests/bpf/prog_tests/test_struct_ops_maybe_null.c
@@ -0,0 +1,47 @@ 
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright (c) 2024 Meta Platforms, Inc. and affiliates. */
+#include <test_progs.h>
+#include <time.h>
+
+#include "struct_ops_maybe_null.skel.h"
+#include "struct_ops_maybe_null_fail.skel.h"
+
+/* Test that the verifier accepts a program that access a nullable pointer
+ * with a proper check.
+ */
+static void maybe_null(void)
+{
+	struct struct_ops_maybe_null *skel;
+
+	skel = struct_ops_maybe_null__open_and_load();
+	if (!ASSERT_OK_PTR(skel, "struct_ops_module_open_and_load"))
+		return;
+
+	struct_ops_maybe_null__destroy(skel);
+}
+
+/* Test that the verifier rejects a program that access a nullable pointer
+ * without a check beforehand.
+ */
+static void maybe_null_fail(void)
+{
+	struct struct_ops_maybe_null_fail *skel;
+
+	skel = struct_ops_maybe_null_fail__open_and_load();
+	if (ASSERT_ERR_PTR(skel, "struct_ops_module_fail__open_and_load"))
+		return;
+
+	struct_ops_maybe_null_fail__destroy(skel);
+}
+
+void test_struct_ops_maybe_null(void)
+{
+	/* The verifier verifies the programs at load time, so testing both
+	 * programs in the same compile-unit is complicated. We run them in
+	 * separate objects to simplify the testing.
+	 */
+	if (test__start_subtest("maybe_null"))
+		maybe_null();
+	if (test__start_subtest("maybe_null_fail"))
+		maybe_null_fail();
+}
diff --git a/tools/testing/selftests/bpf/progs/struct_ops_maybe_null.c b/tools/testing/selftests/bpf/progs/struct_ops_maybe_null.c
new file mode 100644
index 000000000000..c5769c742900
--- /dev/null
+++ b/tools/testing/selftests/bpf/progs/struct_ops_maybe_null.c
@@ -0,0 +1,31 @@ 
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright (c) 2024 Meta Platforms, Inc. and affiliates. */
+#include <vmlinux.h>
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+#include "../bpf_testmod/bpf_testmod.h"
+
+char _license[] SEC("license") = "GPL";
+
+u64 tgid = 0;
+
+/* This is a test BPF program that uses struct_ops to access an argument
+ * that may be NULL. This is a test for the verifier to ensure that it can
+ * rip PTR_MAYBE_NULL correctly. There are tree pointers; task, scalar, and
+ * ar. They are used to test the cases of PTR_TO_BTF_ID, PTR_TO_BUF, and array.
+ */
+SEC("struct_ops/test_maybe_null")
+int BPF_PROG(test_maybe_null, int dummy,
+	     struct task_struct *task)
+{
+	if (task)
+		tgid = task->tgid;
+
+	return 0;
+}
+
+SEC(".struct_ops.link")
+struct bpf_testmod_ops testmod_1 = {
+	.test_maybe_null = (void *)test_maybe_null,
+};
+
diff --git a/tools/testing/selftests/bpf/progs/struct_ops_maybe_null_fail.c b/tools/testing/selftests/bpf/progs/struct_ops_maybe_null_fail.c
new file mode 100644
index 000000000000..566be47fb40b
--- /dev/null
+++ b/tools/testing/selftests/bpf/progs/struct_ops_maybe_null_fail.c
@@ -0,0 +1,25 @@ 
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright (c) 2024 Meta Platforms, Inc. and affiliates. */
+#include <vmlinux.h>
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+#include "../bpf_testmod/bpf_testmod.h"
+
+char _license[] SEC("license") = "GPL";
+
+int tgid = 0;
+
+SEC("struct_ops/test_maybe_null_struct_ptr")
+int BPF_PROG(test_maybe_null_struct_ptr, int dummy,
+	     struct task_struct *task)
+{
+	tgid = task->tgid;
+
+	return 0;
+}
+
+SEC(".struct_ops.link")
+struct bpf_testmod_ops testmod_struct_ptr = {
+	.test_maybe_null = (void *)test_maybe_null_struct_ptr,
+};
+