From patchwork Tue Jan 12 09:14:03 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gilad Reti X-Patchwork-Id: 12012835 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id DB974C433E0 for ; Tue, 12 Jan 2021 09:15:30 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id AB21522D58 for ; Tue, 12 Jan 2021 09:15:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389734AbhALJO5 (ORCPT ); Tue, 12 Jan 2021 04:14:57 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53814 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729821AbhALJO5 (ORCPT ); Tue, 12 Jan 2021 04:14:57 -0500 Received: from mail-wr1-x433.google.com (mail-wr1-x433.google.com [IPv6:2a00:1450:4864:20::433]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A6BCCC061794; Tue, 12 Jan 2021 01:14:16 -0800 (PST) Received: by mail-wr1-x433.google.com with SMTP id d26so1612780wrb.12; Tue, 12 Jan 2021 01:14:16 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=aLveLxeFrNvjHmoCR9A2oV0J+t8vyyrnKRnubdghhuU=; b=r2ZJ4ok+qcVmu0I2jzjZu0MSgognlZXsiDDUsoUpv+1D3BJAYs2T5/ZLUOcUkxWsgE eGOhsrXNXqcK2NNQObqqK3PuK/Gc9ptXmTSGsNkAC6LZ3hN65ldOXqBri/TAxN5xy3B/ h8/4GHSJu7p9xOEoZkyqaLKUaSrHkmIlOtkNAmaBLM39TOz6tfoyxbk6d9EZ8NmV0gCe y38QmY6dKD/wQvpI9nDJqRUJQcmFg9lQpSGaKUCRaYRchqHRzZX5RB84YQYpnixKDmuF HDr2uw9847Ky3yKFsKZlQUnXK2nUYJXSu3YKUQ/Mj5wJsNXlgnzFjOU1soU2/EpbuTNe L7VQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=aLveLxeFrNvjHmoCR9A2oV0J+t8vyyrnKRnubdghhuU=; b=lgaXN//BaqHvzMxNXUQOBU4rXZe5cRyTLc+1YX6vrOUsmaPqcjeSwMvBGjuYfPxOE1 ugdpfRoE19cMEOyjoK+GHgpLDiSLIDJEommmsdsswGLqITPhweWh9Vt47UXVKjVNnwvq H3aXCsMYy0iTjUt175N/vS7OueSNVPwStC0oyvyTykei4zqxzLkyIgMqqnKp3v+8CAYP s33YMxefCdzoxOcPDjV7Zqr4JFHV7Yy7ZKrIbE5NsIqlsWSfXEFbOpHpqC2+H5gyvSdq SlPFwRaARELs+A/eeDpBcdCbjhQUq9M78zijuWKWwqS7zVz3UiU+/zvDzSQu3ADKG+4A 61Og== X-Gm-Message-State: AOAM5332ZiOSLm2BOrI0Q0BShraZGE2MvOndwrTGMI6Up/QAnz/seJbT pSmrgZIpdmxcKkeWY+VWJsyF8bn0qcMlLpsu X-Google-Smtp-Source: ABdhPJzm0yhMovj3Ab546X1eJnZs7ddAADGvQziQllXXPgWOqTQca81g/eYkvRZfdq49xeTN3Xm6cw== X-Received: by 2002:a05:6000:18a3:: with SMTP id b3mr234261wri.373.1610442855164; Tue, 12 Jan 2021 01:14:15 -0800 (PST) Received: from ubuntu.localdomain (bzq-233-168-31-62.red.bezeqint.net. [31.168.233.62]) by smtp.googlemail.com with ESMTPSA id b10sm3085995wmj.5.2021.01.12.01.14.13 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 12 Jan 2021 01:14:14 -0800 (PST) From: Gilad Reti To: bpf@vger.kernel.org Cc: gilad.reti@gmail.com, Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Song Liu , Yonghong Song , John Fastabend , KP Singh , netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH bpf 1/2] bpf: support PTR_TO_MEM{,_OR_NULL} register spilling Date: Tue, 12 Jan 2021 11:14:03 +0200 Message-Id: <20210112091403.10458-1-gilad.reti@gmail.com> X-Mailer: git-send-email 2.27.0 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net Add support for pointer to mem register spilling, to allow the verifier to track pointer to valid memory addresses. Such pointers are returned for example by a successful call of the bpf_ringbuf_reserve helper. This patch was suggested as a solution by Yonghong Song. The patch was partially contibuted by CyberArk Software, Inc. Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it") Signed-off-by: Gilad Reti Acked-by: KP Singh --- kernel/bpf/verifier.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 17270b8404f1..36af69fac591 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -2217,6 +2217,8 @@ static bool is_spillable_regtype(enum bpf_reg_type type) case PTR_TO_RDWR_BUF: case PTR_TO_RDWR_BUF_OR_NULL: case PTR_TO_PERCPU_BTF_ID: + case PTR_TO_MEM: + case PTR_TO_MEM_OR_NULL: return true; default: return false; From patchwork Tue Jan 12 09:15:43 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gilad Reti X-Patchwork-Id: 12012837 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id DCA83C433E0 for ; Tue, 12 Jan 2021 09:17:23 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 8EDCF23103 for ; Tue, 12 Jan 2021 09:17:23 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389865AbhALJQx (ORCPT ); Tue, 12 Jan 2021 04:16:53 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54226 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2389835AbhALJQw (ORCPT ); Tue, 12 Jan 2021 04:16:52 -0500 Received: from mail-wr1-x42f.google.com (mail-wr1-x42f.google.com [IPv6:2a00:1450:4864:20::42f]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5A050C061575; Tue, 12 Jan 2021 01:16:12 -0800 (PST) Received: by mail-wr1-x42f.google.com with SMTP id r7so1655513wrc.5; Tue, 12 Jan 2021 01:16:12 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=VVyAtsTvxNsSXVa73xPOsWxQKIdaXYh6NzoQWrP8iMU=; b=a5sC/Xt7w+Nen9ksD27vQHXFW2cCb6lihxiRy/Wk1tC/8hmD+8lbFalxfapKGXvIIm s96ZufOi7ikg6vBJpco6seDgpovZk/AVr5RbbcWa8rUXplgFgajJ7V+za6WlffcwFE6h bIpV/7UsrTul0r5v4ELEFT3WYGf6Jl0ARBHrDdqm2pyV4ROMSHFOrN7l8pg/ZJYmqIFl 7dfovF7qSZIPfpRLhWo2HwngPNv5yaVE3vPJ7XgmWwBQTce68hSoAAhYKU8DMAOd/SXh pm9ACui8oSOij3DogAZRQv94sbEz+wmJmfh8JRoe+6JQUR2kd39CsxUQMwZ2UhFWWW3T jZCg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=VVyAtsTvxNsSXVa73xPOsWxQKIdaXYh6NzoQWrP8iMU=; b=tJfGbE4jhcLX+Q+IToy4ooZKImLm255jNUK3iMnRrVr/r676hscwA8yl2/qAGWs5sG 5V7XetUjw2hdfJmY5wKTnC35Ye80u+sgvJ/gTYnv9+8przoWPIFW3hgeqNGjBSXk0v/7 M4ueJSAVwxIzfXWkyDz9wUhgIHvZO+HFJFYxuKPaVMrVilPAx/dH5C3RR8/mF2qb15YJ 5FsP+sLTG9d/+e2G+imAP7kMArSvbHDcR7W3BCx2l6v3LGjUkhL1nTUOge6xcIDZmrly N3Ff7Z6teMi3FOwqpFpHjDxnFRwJOmhwOCaLTvQuU+6bz+VoDIxxpBngC7OSpO/oc9Ou OsRQ== X-Gm-Message-State: AOAM533KHat8Tdl8AK8/MfqOlPqKaagM5KRNIBXei2w9T4aV/oRGSnUi fr6zk00bU49bXRjfVzB3I9iq/S1obnGlG5u6 X-Google-Smtp-Source: ABdhPJyrbGVcaz+PXfql2/+s1kp6/CEJrYmqnU5p9MiAxAepQEQjmXm2Ii68yMygXKf18KElmCgaMQ== X-Received: by 2002:a5d:4682:: with SMTP id u2mr3163175wrq.265.1610442970895; Tue, 12 Jan 2021 01:16:10 -0800 (PST) Received: from ubuntu.localdomain (bzq-233-168-31-62.red.bezeqint.net. [31.168.233.62]) by smtp.googlemail.com with ESMTPSA id r82sm3073978wma.18.2021.01.12.01.16.09 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 12 Jan 2021 01:16:10 -0800 (PST) From: Gilad Reti To: bpf@vger.kernel.org Cc: gilad.reti@gmail.com, Shuah Khan , Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Song Liu , Yonghong Song , John Fastabend , KP Singh , linux-kselftest@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH 2/2] selftests/bpf: add verifier test for PTR_TO_MEM spill Date: Tue, 12 Jan 2021 11:15:43 +0200 Message-Id: <20210112091545.10535-1-gilad.reti@gmail.com> X-Mailer: git-send-email 2.27.0 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net Add test to check that the verifier is able to recognize spilling of PTR_TO_MEM registers. The patch was partially contibuted by CyberArk Software, Inc. Signed-off-by: Gilad Reti --- tools/testing/selftests/bpf/test_verifier.c | 12 +++++++- .../selftests/bpf/verifier/spill_fill.c | 30 +++++++++++++++++++ 2 files changed, 41 insertions(+), 1 deletion(-) diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c index 777a81404fdb..f8569f04064b 100644 --- a/tools/testing/selftests/bpf/test_verifier.c +++ b/tools/testing/selftests/bpf/test_verifier.c @@ -50,7 +50,7 @@ #define MAX_INSNS BPF_MAXINSNS #define MAX_TEST_INSNS 1000000 #define MAX_FIXUPS 8 -#define MAX_NR_MAPS 20 +#define MAX_NR_MAPS 21 #define MAX_TEST_RUNS 8 #define POINTER_VALUE 0xcafe4all #define TEST_DATA_LEN 64 @@ -87,6 +87,7 @@ struct bpf_test { int fixup_sk_storage_map[MAX_FIXUPS]; int fixup_map_event_output[MAX_FIXUPS]; int fixup_map_reuseport_array[MAX_FIXUPS]; + int fixup_map_ringbuf[MAX_FIXUPS]; const char *errstr; const char *errstr_unpriv; uint32_t insn_processed; @@ -640,6 +641,7 @@ static void do_test_fixup(struct bpf_test *test, enum bpf_prog_type prog_type, int *fixup_sk_storage_map = test->fixup_sk_storage_map; int *fixup_map_event_output = test->fixup_map_event_output; int *fixup_map_reuseport_array = test->fixup_map_reuseport_array; + int *fixup_map_ringbuf = test->fixup_map_ringbuf; if (test->fill_helper) { test->fill_insns = calloc(MAX_TEST_INSNS, sizeof(struct bpf_insn)); @@ -817,6 +819,14 @@ static void do_test_fixup(struct bpf_test *test, enum bpf_prog_type prog_type, fixup_map_reuseport_array++; } while (*fixup_map_reuseport_array); } + if (*fixup_map_ringbuf) { + map_fds[20] = create_map(BPF_MAP_TYPE_RINGBUF, 0, + 0, 4096); + do { + prog[*fixup_map_ringbuf].imm = map_fds[20]; + fixup_map_ringbuf++; + } while (*fixup_map_ringbuf); + } } struct libcap { diff --git a/tools/testing/selftests/bpf/verifier/spill_fill.c b/tools/testing/selftests/bpf/verifier/spill_fill.c index 45d43bf82f26..1833b6c730dd 100644 --- a/tools/testing/selftests/bpf/verifier/spill_fill.c +++ b/tools/testing/selftests/bpf/verifier/spill_fill.c @@ -28,6 +28,36 @@ .result = ACCEPT, .result_unpriv = ACCEPT, }, +{ + "check valid spill/fill, ptr to mem", + .insns = { + /* reserve 8 byte ringbuf memory */ + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), + BPF_LD_MAP_FD(BPF_REG_1, 0), + BPF_MOV64_IMM(BPF_REG_2, 8), + BPF_MOV64_IMM(BPF_REG_3, 0), + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_reserve), + /* store a pointer to the reserved memory in R6 */ + BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), + /* check whether the reservation was successful */ + BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), + /* spill R6(mem) into the stack */ + BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8), + /* fill it back in R7 */ + BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_10, -8), + /* should be able to access *(R7) = 0 */ + BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 0), + /* submit the reserved rungbuf memory */ + BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), + BPF_MOV64_IMM(BPF_REG_2, 0), + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_submit), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .fixup_map_ringbuf = { 1 }, + .result = ACCEPT, + .result_unpriv = ACCEPT, +}, { "check corrupted spill/fill", .insns = {