[bpf-next,v6,8/9] selftests/bpf: Add tracing prog private stack tests

Commit Message

Yonghong Song Oct. 20, 2024, 7:14 p.m. UTC

Some private stack tests are added including:
  - prog with stack size greater than BPF_PSTACK_MIN_SUBTREE_SIZE.
  - prog with stack size less than BPF_PSTACK_MIN_SUBTREE_SIZE.
  - prog with one subprog having MAX_BPF_STACK stack size and another
    subprog having non-zero stack size.
  - prog with callback function.
  - prog with exception in main prog or subprog.

Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
---
 .../selftests/bpf/prog_tests/verifier.c       |   2 +
 .../bpf/progs/verifier_private_stack.c        | 216 ++++++++++++++++++
 2 files changed, 218 insertions(+)
 create mode 100644 tools/testing/selftests/bpf/progs/verifier_private_stack.c

Comments

Jiri Olsa Oct. 20, 2024, 9:59 p.m. UTC | #1

On Sun, Oct 20, 2024 at 12:14:31PM -0700, Yonghong Song wrote:

SNIP

> +__naked __noinline __used
> +static unsigned long loop_callback(void)
> +{
> +	asm volatile (
> +	"call %[bpf_get_prandom_u32];"
> +	"r1 = 42;"
> +	"*(u64 *)(r10 - 512) = r1;"
> +	"call cumulative_stack_depth_subprog;"
> +	"r0 = 0;"
> +	"exit;"
> +	:
> +	: __imm(bpf_get_prandom_u32)
> +	: __clobber_common);
> +}
> +
> +SEC("raw_tp")
> +__description("Private stack, callback")
> +__success
> +__arch_x86_64
> +/* for func loop_callback */
> +__jited("func #1")
> +__jited("	endbr64")

this should fail if CONFIG_X86_KERNEL_IBT is not enabled, right?

hm, but I can see that also in other tests, so I guess it's fine,
should we add it to config.x86_64 ?

jirka

Yonghong Song Oct. 21, 2024, 4:32 a.m. UTC | #2

On 10/20/24 2:59 PM, Jiri Olsa wrote:
> On Sun, Oct 20, 2024 at 12:14:31PM -0700, Yonghong Song wrote:
>
> SNIP
>
>> +__naked __noinline __used
>> +static unsigned long loop_callback(void)
>> +{
>> +	asm volatile (
>> +	"call %[bpf_get_prandom_u32];"
>> +	"r1 = 42;"
>> +	"*(u64 *)(r10 - 512) = r1;"
>> +	"call cumulative_stack_depth_subprog;"
>> +	"r0 = 0;"
>> +	"exit;"
>> +	:
>> +	: __imm(bpf_get_prandom_u32)
>> +	: __clobber_common);
>> +}
>> +
>> +SEC("raw_tp")
>> +__description("Private stack, callback")
>> +__success
>> +__arch_x86_64
>> +/* for func loop_callback */
>> +__jited("func #1")
>> +__jited("	endbr64")
> this should fail if CONFIG_X86_KERNEL_IBT is not enabled, right?
>
> hm, but I can see that also in other tests, so I guess it's fine,
> should we add it to config.x86_64 ?

The CI has CONFIG_X86_KERNEL_IBT as well.

I checked x86 kconfig, I see

config CC_HAS_IBT
         # GCC >= 9 and binutils >= 2.29
         # Retpoline check to work around https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93654
         # Clang/LLVM >= 14
         # https://github.com/llvm/llvm-project/commit/e0b89df2e0f0130881bf6c39bf31d7f6aac00e0f
         # https://github.com/llvm/llvm-project/commit/dfcf69770bc522b9e411c66454934a37c1f35332
         def_bool ((CC_IS_GCC && $(cc-option, -fcf-protection=branch -mindirect-branch-register)) || \
                   (CC_IS_CLANG && CLANG_VERSION >= 140000)) && \
                   $(as-instr,endbr64)

config X86_KERNEL_IBT
         prompt "Indirect Branch Tracking"
         def_bool y
         depends on X86_64 && CC_HAS_IBT && HAVE_OBJTOOL
         # https://github.com/llvm/llvm-project/commit/9d7001eba9c4cb311e03cd8cdc231f9e579f2d0f
         depends on !LD_IS_LLD || LLD_VERSION >= 140000
         select OBJTOOL
         select X86_CET
         help
           Build the kernel with support for Indirect Branch Tracking, a
           hardware support course-grain forward-edge Control Flow Integrity
           protection. It enforces that all indirect calls must land on
           an ENDBR instruction, as such, the compiler will instrument the
           code with them to make this happen.
         
           In addition to building the kernel with IBT, seal all functions that
           are not indirect call targets, avoiding them ever becoming one.
           
           This requires LTO like objtool runs and will slow down the build. It
           does significantly reduce the number of ENDBR instructions in the
           kernel image.

So CONFIG_X86_KERNEL_IBT will be enabled if clang >= version_14 or newer gcc.
In my system, the gcc version is 13.1. So there is no need to explicitly add
CONFIG_X86_KERNEL_IBT to the selftests/bpf/config.x86_64 file.



>
> jirka

Jiri Olsa Oct. 21, 2024, 10:40 a.m. UTC | #3

On Sun, Oct 20, 2024 at 09:32:38PM -0700, Yonghong Song wrote:
> 
> On 10/20/24 2:59 PM, Jiri Olsa wrote:
> > On Sun, Oct 20, 2024 at 12:14:31PM -0700, Yonghong Song wrote:
> > 
> > SNIP
> > 
> > > +__naked __noinline __used
> > > +static unsigned long loop_callback(void)
> > > +{
> > > +	asm volatile (
> > > +	"call %[bpf_get_prandom_u32];"
> > > +	"r1 = 42;"
> > > +	"*(u64 *)(r10 - 512) = r1;"
> > > +	"call cumulative_stack_depth_subprog;"
> > > +	"r0 = 0;"
> > > +	"exit;"
> > > +	:
> > > +	: __imm(bpf_get_prandom_u32)
> > > +	: __clobber_common);
> > > +}
> > > +
> > > +SEC("raw_tp")
> > > +__description("Private stack, callback")
> > > +__success
> > > +__arch_x86_64
> > > +/* for func loop_callback */
> > > +__jited("func #1")
> > > +__jited("	endbr64")
> > this should fail if CONFIG_X86_KERNEL_IBT is not enabled, right?
> > 
> > hm, but I can see that also in other tests, so I guess it's fine,
> > should we add it to config.x86_64 ?
> 
> The CI has CONFIG_X86_KERNEL_IBT as well.
> 
> I checked x86 kconfig, I see
> 
> config CC_HAS_IBT
>         # GCC >= 9 and binutils >= 2.29
>         # Retpoline check to work around https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93654
>         # Clang/LLVM >= 14
>         # https://github.com/llvm/llvm-project/commit/e0b89df2e0f0130881bf6c39bf31d7f6aac00e0f
>         # https://github.com/llvm/llvm-project/commit/dfcf69770bc522b9e411c66454934a37c1f35332
>         def_bool ((CC_IS_GCC && $(cc-option, -fcf-protection=branch -mindirect-branch-register)) || \
>                   (CC_IS_CLANG && CLANG_VERSION >= 140000)) && \
>                   $(as-instr,endbr64)
> 
> config X86_KERNEL_IBT
>         prompt "Indirect Branch Tracking"
>         def_bool y
>         depends on X86_64 && CC_HAS_IBT && HAVE_OBJTOOL
>         # https://github.com/llvm/llvm-project/commit/9d7001eba9c4cb311e03cd8cdc231f9e579f2d0f
>         depends on !LD_IS_LLD || LLD_VERSION >= 140000
>         select OBJTOOL
>         select X86_CET
>         help
>           Build the kernel with support for Indirect Branch Tracking, a
>           hardware support course-grain forward-edge Control Flow Integrity
>           protection. It enforces that all indirect calls must land on
>           an ENDBR instruction, as such, the compiler will instrument the
>           code with them to make this happen.
>           In addition to building the kernel with IBT, seal all functions that
>           are not indirect call targets, avoiding them ever becoming one.
>           This requires LTO like objtool runs and will slow down the build. It
>           does significantly reduce the number of ENDBR instructions in the
>           kernel image.
> 
> So CONFIG_X86_KERNEL_IBT will be enabled if clang >= version_14 or newer gcc.

IIUC it's just dependency, no? doesn't mean it'll get enabled automatically

> In my system, the gcc version is 13.1. So there is no need to explicitly add
> CONFIG_X86_KERNEL_IBT to the selftests/bpf/config.x86_64 file.

I had to enable it manualy for gcc 13.3.1

jirka

Yonghong Song Oct. 21, 2024, 4:19 p.m. UTC | #4

On 10/21/24 3:40 AM, Jiri Olsa wrote:
> On Sun, Oct 20, 2024 at 09:32:38PM -0700, Yonghong Song wrote:
>> On 10/20/24 2:59 PM, Jiri Olsa wrote:
>>> On Sun, Oct 20, 2024 at 12:14:31PM -0700, Yonghong Song wrote:
>>>
>>> SNIP
>>>
>>>> +__naked __noinline __used
>>>> +static unsigned long loop_callback(void)
>>>> +{
>>>> +	asm volatile (
>>>> +	"call %[bpf_get_prandom_u32];"
>>>> +	"r1 = 42;"
>>>> +	"*(u64 *)(r10 - 512) = r1;"
>>>> +	"call cumulative_stack_depth_subprog;"
>>>> +	"r0 = 0;"
>>>> +	"exit;"
>>>> +	:
>>>> +	: __imm(bpf_get_prandom_u32)
>>>> +	: __clobber_common);
>>>> +}
>>>> +
>>>> +SEC("raw_tp")
>>>> +__description("Private stack, callback")
>>>> +__success
>>>> +__arch_x86_64
>>>> +/* for func loop_callback */
>>>> +__jited("func #1")
>>>> +__jited("	endbr64")
>>> this should fail if CONFIG_X86_KERNEL_IBT is not enabled, right?
>>>
>>> hm, but I can see that also in other tests, so I guess it's fine,
>>> should we add it to config.x86_64 ?
>> The CI has CONFIG_X86_KERNEL_IBT as well.
>>
>> I checked x86 kconfig, I see
>>
>> config CC_HAS_IBT
>>          # GCC >= 9 and binutils >= 2.29
>>          # Retpoline check to work around https://gcc.gnu.org/bugzilla/show_bug.cgi?id=93654
>>          # Clang/LLVM >= 14
>>          # https://github.com/llvm/llvm-project/commit/e0b89df2e0f0130881bf6c39bf31d7f6aac00e0f
>>          # https://github.com/llvm/llvm-project/commit/dfcf69770bc522b9e411c66454934a37c1f35332
>>          def_bool ((CC_IS_GCC && $(cc-option, -fcf-protection=branch -mindirect-branch-register)) || \
>>                    (CC_IS_CLANG && CLANG_VERSION >= 140000)) && \
>>                    $(as-instr,endbr64)
>>
>> config X86_KERNEL_IBT
>>          prompt "Indirect Branch Tracking"
>>          def_bool y
>>          depends on X86_64 && CC_HAS_IBT && HAVE_OBJTOOL
>>          # https://github.com/llvm/llvm-project/commit/9d7001eba9c4cb311e03cd8cdc231f9e579f2d0f
>>          depends on !LD_IS_LLD || LLD_VERSION >= 140000
>>          select OBJTOOL
>>          select X86_CET
>>          help
>>            Build the kernel with support for Indirect Branch Tracking, a
>>            hardware support course-grain forward-edge Control Flow Integrity
>>            protection. It enforces that all indirect calls must land on
>>            an ENDBR instruction, as such, the compiler will instrument the
>>            code with them to make this happen.
>>            In addition to building the kernel with IBT, seal all functions that
>>            are not indirect call targets, avoiding them ever becoming one.
>>            This requires LTO like objtool runs and will slow down the build. It
>>            does significantly reduce the number of ENDBR instructions in the
>>            kernel image.
>>
>> So CONFIG_X86_KERNEL_IBT will be enabled if clang >= version_14 or newer gcc.
> IIUC it's just dependency, no? doesn't mean it'll get enabled automatically
>
>> In my system, the gcc version is 13.1. So there is no need to explicitly add
>> CONFIG_X86_KERNEL_IBT to the selftests/bpf/config.x86_64 file.
> I had to enable it manualy for gcc 13.3.1

IIUC, the ci config is generated based on config + config.x86_64 + config.vm
in tools/testing/selftests/bpf directory.

In my case .config is generated from config + config.x86_64 + config.vm
With my local gcc 11.5, I did
    make olddefconfig
and I see CONFIG_X86_KERNEL_IBT=y is set.

Maybe your base config is a little bit different from what ci used.
My local config is based on ci config + some more e.g. enabling KASAN etc.

Could you debug a little more on why CONFIG_X86_KERNEL_IBT not enabled
by default in your case? For

config X86_KERNEL_IBT
         prompt "Indirect Branch Tracking"
         def_bool y
         depends on X86_64 && CC_HAS_IBT && HAVE_OBJTOOL
         # https://github.com/llvm/llvm-project/commit/9d7001eba9c4cb311e03cd8cdc231f9e579f2d0f
         depends on !LD_IS_LLD || LLD_VERSION >= 140000
         select OBJTOOL
         select X86_CET

default is 'y' so if all dependencies are met, CONFIG_X86_KERNEL_IBT
is supposed to be on by default.

>
> jirka

Jiri Olsa Oct. 21, 2024, 9:13 p.m. UTC | #5

On Mon, Oct 21, 2024 at 09:19:57AM -0700, Yonghong Song wrote:

SNIP

> > > In my system, the gcc version is 13.1. So there is no need to explicitly add
> > > CONFIG_X86_KERNEL_IBT to the selftests/bpf/config.x86_64 file.
> > I had to enable it manualy for gcc 13.3.1
> 
> IIUC, the ci config is generated based on config + config.x86_64 + config.vm
> in tools/testing/selftests/bpf directory.
> 
> In my case .config is generated from config + config.x86_64 + config.vm
> With my local gcc 11.5, I did
>    make olddefconfig
> and I see CONFIG_X86_KERNEL_IBT=y is set.
> 
> Maybe your base config is a little bit different from what ci used.
> My local config is based on ci config + some more e.g. enabling KASAN etc.
> 
> Could you debug a little more on why CONFIG_X86_KERNEL_IBT not enabled
> by default in your case? For

ok, I think I disabled that manually

> 
> config X86_KERNEL_IBT
>         prompt "Indirect Branch Tracking"
>         def_bool y
>         depends on X86_64 && CC_HAS_IBT && HAVE_OBJTOOL
>         # https://github.com/llvm/llvm-project/commit/9d7001eba9c4cb311e03cd8cdc231f9e579f2d0f
>         depends on !LD_IS_LLD || LLD_VERSION >= 140000
>         select OBJTOOL
>         select X86_CET
> 
> default is 'y' so if all dependencies are met, CONFIG_X86_KERNEL_IBT
> is supposed to be on by default.

ah right, that should work then.. thanks for the details

jirka

Patch

diff --git a/tools/testing/selftests/bpf/prog_tests/verifier.c b/tools/testing/selftests/bpf/prog_tests/verifier.c
index e26b5150fc43..635ff3509403 100644
--- a/tools/testing/selftests/bpf/prog_tests/verifier.c
+++ b/tools/testing/selftests/bpf/prog_tests/verifier.c
@@ -59,6 +59,7 @@ 
 #include "verifier_or_jmp32_k.skel.h"
 #include "verifier_precision.skel.h"
 #include "verifier_prevent_map_lookup.skel.h"
+#include "verifier_private_stack.skel.h"
 #include "verifier_raw_stack.skel.h"
 #include "verifier_raw_tp_writable.skel.h"
 #include "verifier_reg_equal.skel.h"
@@ -185,6 +186,7 @@  void test_verifier_bpf_fastcall(void)         { RUN(verifier_bpf_fastcall); }
 void test_verifier_or_jmp32_k(void)           { RUN(verifier_or_jmp32_k); }
 void test_verifier_precision(void)            { RUN(verifier_precision); }
 void test_verifier_prevent_map_lookup(void)   { RUN(verifier_prevent_map_lookup); }
+void test_verifier_private_stack(void)        { RUN(verifier_private_stack); }
 void test_verifier_raw_stack(void)            { RUN(verifier_raw_stack); }
 void test_verifier_raw_tp_writable(void)      { RUN(verifier_raw_tp_writable); }
 void test_verifier_reg_equal(void)            { RUN(verifier_reg_equal); }
diff --git a/tools/testing/selftests/bpf/progs/verifier_private_stack.c b/tools/testing/selftests/bpf/progs/verifier_private_stack.c
new file mode 100644
index 000000000000..e8de565f8b34
--- /dev/null
+++ b/tools/testing/selftests/bpf/progs/verifier_private_stack.c
@@ -0,0 +1,216 @@ 
+// SPDX-License-Identifier: GPL-2.0
+
+#include <vmlinux.h>
+#include <bpf/bpf_helpers.h>
+#include "bpf_misc.h"
+#include "bpf_experimental.h"
+
+/* From include/linux/filter.h */
+#define MAX_BPF_STACK    512
+
+#if defined(__TARGET_ARCH_x86)
+
+SEC("kprobe")
+__description("Private stack, single prog")
+__success
+__arch_x86_64
+__jited("	movabsq	$0x{{.*}}, %r9")
+__jited("	addq	%gs:0x{{.*}}, %r9")
+__jited("	movl	$0x2a, %edi")
+__jited("	movq	%rdi, -0x100(%r9)")
+__naked void private_stack_single_prog(void)
+{
+	asm volatile (
+	"r1 = 42;"
+	"*(u64 *)(r10 - 256) = r1;"
+	"r0 = 0;"
+	"exit;"
+	:
+	:
+	: __clobber_all);
+}
+
+__used
+__naked static void cumulative_stack_depth_subprog(void)
+{
+        asm volatile (
+	"r1 = 41;"
+        "*(u64 *)(r10 - 32) = r1;"
+        "call %[bpf_get_smp_processor_id];"
+        "exit;"
+        :: __imm(bpf_get_smp_processor_id)
+	: __clobber_all);
+}
+
+SEC("kprobe")
+__description("Private stack, subtree > MAX_BPF_STACK")
+__success
+__arch_x86_64
+/* private stack fp for the main prog */
+__jited("	movabsq	$0x{{.*}}, %r9")
+__jited("	addq	%gs:0x{{.*}}, %r9")
+__jited("	movl	$0x2a, %edi")
+__jited("	movq	%rdi, -0x200(%r9)")
+__jited("	pushq	%r9")
+__jited("	callq	0x{{.*}}")
+__jited("	popq	%r9")
+__jited("	xorl	%eax, %eax")
+__naked void private_stack_nested_1(void)
+{
+	asm volatile (
+	"r1 = 42;"
+	"*(u64 *)(r10 - %[max_bpf_stack]) = r1;"
+	"call cumulative_stack_depth_subprog;"
+	"r0 = 0;"
+	"exit;"
+	:
+	: __imm_const(max_bpf_stack, MAX_BPF_STACK)
+	: __clobber_all);
+}
+
+SEC("kprobe")
+__description("Private stack, subtree > MAX_BPF_STACK")
+__success
+__arch_x86_64
+/* private stack fp for the subprog */
+__jited("	addq	$0x20, %r9")
+__naked void private_stack_nested_2(void)
+{
+	asm volatile (
+	"r1 = 42;"
+	"*(u64 *)(r10 - %[max_bpf_stack]) = r1;"
+	"call cumulative_stack_depth_subprog;"
+	"r0 = 0;"
+	"exit;"
+	:
+	: __imm_const(max_bpf_stack, MAX_BPF_STACK)
+	: __clobber_all);
+}
+
+SEC("raw_tp")
+__description("No private stack, nested")
+__success
+__arch_x86_64
+__jited("	subq	$0x8, %rsp")
+__naked void no_private_stack_nested(void)
+{
+	asm volatile (
+	"r1 = 42;"
+	"*(u64 *)(r10 - 8) = r1;"
+	"call cumulative_stack_depth_subprog;"
+	"r0 = 0;"
+	"exit;"
+	:
+	:
+	: __clobber_all);
+}
+
+__naked __noinline __used
+static unsigned long loop_callback(void)
+{
+	asm volatile (
+	"call %[bpf_get_prandom_u32];"
+	"r1 = 42;"
+	"*(u64 *)(r10 - 512) = r1;"
+	"call cumulative_stack_depth_subprog;"
+	"r0 = 0;"
+	"exit;"
+	:
+	: __imm(bpf_get_prandom_u32)
+	: __clobber_common);
+}
+
+SEC("raw_tp")
+__description("Private stack, callback")
+__success
+__arch_x86_64
+/* for func loop_callback */
+__jited("func #1")
+__jited("	endbr64")
+__jited("	nopl	(%rax,%rax)")
+__jited("	nopl	(%rax)")
+__jited("	pushq	%rbp")
+__jited("	movq	%rsp, %rbp")
+__jited("	endbr64")
+__jited("	movabsq	$0x{{.*}}, %r9")
+__jited("	addq	%gs:0x{{.*}}, %r9")
+__jited("	pushq	%r9")
+__jited("	callq")
+__jited("	popq	%r9")
+__jited("	movl	$0x2a, %edi")
+__jited("	movq	%rdi, -0x200(%r9)")
+__jited("	pushq	%r9")
+__jited("	callq")
+__jited("	popq	%r9")
+__naked void private_stack_callback(void)
+{
+	asm volatile (
+	"r1 = 1;"
+	"r2 = %[loop_callback];"
+	"r3 = 0;"
+	"r4 = 0;"
+	"call %[bpf_loop];"
+	"r0 = 0;"
+	"exit;"
+	:
+	: __imm_ptr(loop_callback),
+	  __imm(bpf_loop)
+	: __clobber_common);
+}
+
+SEC("fentry/bpf_fentry_test9")
+__description("Private stack, exception in main prog")
+__success __retval(0)
+__arch_x86_64
+__jited("	pushq	%r9")
+__jited("	callq")
+__jited("	popq	%r9")
+int private_stack_exception_main_prog(void)
+{
+	asm volatile (
+	"r1 = 42;"
+	"*(u64 *)(r10 - 512) = r1;"
+	::: __clobber_common);
+
+	bpf_throw(0);
+	return 0;
+}
+
+__used static int subprog_exception(void)
+{
+	bpf_throw(0);
+	return 0;
+}
+
+SEC("fentry/bpf_fentry_test9")
+__description("Private stack, exception in subprog")
+__success __retval(0)
+__arch_x86_64
+__jited("	movq	%rdi, -0x200(%r9)")
+__jited("	pushq	%r9")
+__jited("	callq")
+__jited("	popq	%r9")
+int private_stack_exception_sub_prog(void)
+{
+	asm volatile (
+	"r1 = 42;"
+	"*(u64 *)(r10 - 512) = r1;"
+	"call subprog_exception;"
+	::: __clobber_common);
+
+	return 0;
+}
+
+#else
+
+SEC("kprobe")
+__description("private stack is not supported, use a dummy test")
+__success
+int dummy_test(void)
+{
+        return 0;
+}
+
+#endif
+
+char _license[] SEC("license") = "GPL";