- 26 Mar, 2023 38 commits
-
-
Eduard Zingerman authored
Test verifier/value.c automatically converted to use inline assembly. Signed-off-by:
Eduard Zingerman <eddyz87@gmail.com> Link: https://lore.kernel.org/r/20230325025524.144043-39-eddyz87@gmail.comSigned-off-by:
Alexei Starovoitov <ast@kernel.org>
-
Eduard Zingerman authored
Test verifier/value_adj_spill.c automatically converted to use inline assembly. Signed-off-by:
-
Eduard Zingerman authored
Test verifier/uninit.c automatically converted to use inline assembly. Signed-off-by:
-
Eduard Zingerman authored
Test verifier/stack_ptr.c automatically converted to use inline assembly. Signed-off-by:
-
Eduard Zingerman authored
Test verifier/spill_fill.c automatically converted to use inline assembly. Signed-off-by:
-
Eduard Zingerman authored
Test verifier/ringbuf.c automatically converted to use inline assembly. Signed-off-by:
-
Eduard Zingerman authored
Test verifier/raw_tp_writable.c automatically converted to use inline assembly. Signed-off-by:
-
Eduard Zingerman authored
Test verifier/raw_stack.c automatically converted to use inline assembly. Signed-off-by:
-
Eduard Zingerman authored
Test verifier/meta_access.c automatically converted to use inline assembly. Signed-off-by:
-
Eduard Zingerman authored
Test verifier/masking.c automatically converted to use inline assembly. Signed-off-by:
-
Eduard Zingerman authored
Test verifier/map_ret_val.c automatically converted to use inline assembly. Signed-off-by:
-
Eduard Zingerman authored
Test verifier/map_ptr.c automatically converted to use inline assembly. Signed-off-by:
-
Eduard Zingerman authored
Test verifier/leak_ptr.c automatically converted to use inline assembly. Signed-off-by:
-
Eduard Zingerman authored
Test verifier/ld_ind.c automatically converted to use inline assembly. Signed-off-by:
-
Eduard Zingerman authored
Test verifier/int_ptr.c automatically converted to use inline assembly. Signed-off-by:
-
Eduard Zingerman authored
Test verifier/helper_value_access.c automatically converted to use inline assembly. Signed-off-by:
-
Eduard Zingerman authored
Test verifier/helper_restricted.c automatically converted to use inline assembly. Signed-off-by:
-
Eduard Zingerman authored
Test verifier/helper_packet_access.c automatically converted to use inline assembly. Signed-off-by:
-
Eduard Zingerman authored
Test verifier/helper_access_var_len.c automatically converted to use inline assembly. Signed-off-by:
-
Eduard Zingerman authored
Test verifier/div_overflow.c automatically converted to use inline assembly. Signed-off-by:
-
Eduard Zingerman authored
Test verifier/div0.c automatically converted to use inline assembly. Signed-off-by:
-
Eduard Zingerman authored
Test verifier/direct_stack_access_wraparound.c automatically converted to use inline assembly. Signed-off-by:
-
Eduard Zingerman authored
Test verifier/ctx_sk_msg.c automatically converted to use inline assembly. Signed-off-by:
-
Eduard Zingerman authored
Test verifier/const_or.c automatically converted to use inline assembly. Signed-off-by:
-
Eduard Zingerman authored
Test verifier/cgroup_storage.c automatically converted to use inline assembly. Signed-off-by:
-
Eduard Zingerman authored
Test verifier/cgroup_skb.c automatically converted to use inline assembly. Signed-off-by:
-
Eduard Zingerman authored
Test verifier/cgroup_inv_retcode.c automatically converted to use inline assembly. Signed-off-by:
-
Eduard Zingerman authored
Test verifier/cfg.c automatically converted to use inline assembly. Signed-off-by:
-
Eduard Zingerman authored
Test verifier/bounds_mix_sign_unsign.c automatically converted to use inline assembly. Signed-off-by:
-
Eduard Zingerman authored
Test verifier/bounds_deduction.c automatically converted to use inline assembly. Signed-off-by:
-
Eduard Zingerman authored
Test verifier/basic_stack.c automatically converted to use inline assembly. Signed-off-by:
-
Eduard Zingerman authored
Test verifier/array_access.c automatically converted to use inline assembly. Signed-off-by:
-
Eduard Zingerman authored
Test verifier/and.c automatically converted to use inline assembly. Signed-off-by:
-
Eduard Zingerman authored
prog_tests/verifier.c would be used as a host for verifier/*.c tests migrated to use inline assembly and run from test_progs. The run_test_aux() function mimics the test_verifier behavior dropping CAP_SYS_ADMIN upon entry. Signed-off-by:
-
Eduard Zingerman authored
Extends test_loader.c:test_loader__run_subtests() by allowing to execute BPF_PROG_TEST_RUN bpf command for selected programs. This is similar to functionality provided by test_verifier. Adds the following new attributes controlling test_loader behavior: __retval(...) __retval_unpriv(...) * If any of these attributes is present, the annotated program would be executed using libbpf's bpf_prog_test_run_opts() function. * If __retval is present, the test run would be done for program loaded in privileged mode. * If __retval_unpriv is present, the test run would be done for program loaded in unprivileged mode. * To mimic test_verifier behavior, the actual run is initiated in privileged mode. * The value returned by a test run is compared against retval parameter. The retval attribute takes one of the following parameters: - a decimal number - a hexadecimal number (must start from '0x') - any of a three special literals (provided for compatibility with test_verifier): - INT_MIN - POINTER_VALUE - TEST_DATA_LEN An example of the attribute usage: SEC("socket") __description("return 42") __success __success_unpriv __retval(42) __naked void the_42_test(void) { asm volatile (" \ r0 = 42; \ exit; \ " ::: __clobber_all); } Signed-off-by: -
Eduard Zingerman authored
Extends test_loader.c:test_loader__run_subtests() by allowing to execute tests in unprivileged mode, similar to test_verifier.c. Adds the following new attributes controlling test_loader behavior: __msg_unpriv __success_unpriv __failure_unpriv * If any of these attributes is present the test would be loaded in unprivileged mode. * If only "privileged" attributes are present the test would be loaded only in privileged mode. * If both "privileged" and "unprivileged" attributes are present the test would be loaded in both modes. * If test has to be executed in both modes, __msg(text) is specified and __msg_unpriv is not specified the behavior is the same as if __msg_unpriv(text) is specified. * For test filtering purposes the name of the program loaded in unprivileged mode is derived from the usual program name by adding `@unpriv' suffix. Also adds attribute '__description'. This attribute specifies text to be used instead of a program name for display and filtering purposes. Signed-off-by:
-
Eduard Zingerman authored
Add two convenience macro for BPF test cases, allowing the following usage: #include <linux/filter.h> ... asm volatile ( ... ".8byte %[raw_insn];" ... "r1 += %[st_foo_offset];" ... : : __imm_insn(raw_insn, BPF_RAW_INSN(...)), __imm_const(st_foo_offset, offsetof(struct st, foo)) : __clobber_all); Signed-off-by: -
Eduard Zingerman authored
Change test_loader.c:run_subtest() behavior to show BPF program name when test spec for that program can't be parsed. Signed-off-by:
-
- 25 Mar, 2023 2 commits
-
-
Alexei Starovoitov authored
David Vernet says: ==================== When a map value is being freed, we loop over all of the fields of the corresponding BPF object and issue the appropriate cleanup calls corresponding to the field's type. If the field is a referenced kptr, we atomically xchg the value out of the map, and invoke the kptr's destructor on whatever was there before. Currently, we always invoke the destructor (or bpf_obj_drop() for a local kptr) on any kptr, including if no value was xchg'd out of the map. This means that any function serving as the kptr's KF_RELEASE destructor must always treat the argument as possibly NULL, and we invoke unnecessary (and seemingly unsafe) cleanup logic for the local kptr path as well. This is an odd requirement -- KF_RELEASE kfuncs that are invoked by BPF programs do not have this restriction, and the verifier will fail to load the program if the register containing the to-be-released type has any untrusted modifiers (e.g. PTR_UNTRUSTED or PTR_MAYBE_NULL). So as to simplify the expectations required for a KF_RELEASE kfunc, this patch set updates the KPTR_REF destructor logic to only be invoked when a non-NULL value is xchg'd out of the map. Additionally, the patch removes now-unnecessary KF_RELEASE calls from several kfuncs, and finally, updates the verifier to have KF_RELEASE automatically imply KF_TRUSTED_ARGS. This restriction was already implicitly happening because of the aforementioned logic in the verifier to reject any regs with untrusted modifiers, and to enforce that KF_RELEASE args are passed with a 0 offset. This change just updates the behavior to match that of other trusted args. This patch is left to the end of the series in case it happens to be controversial, as it arguably is slightly orthogonal to the purpose of the rest of the series. ==================== Signed-off-by: -
David Vernet authored
KF_RELEASE kfuncs are not currently treated as having KF_TRUSTED_ARGS, even though they have a superset of the requirements of KF_TRUSTED_ARGS. Like KF_TRUSTED_ARGS, KF_RELEASE kfuncs require a 0-offset argument, and don't allow NULL-able arguments. Unlike KF_TRUSTED_ARGS which require _either_ an argument with ref_obj_id > 0, _or_ (ref->type & BPF_REG_TRUSTED_MODIFIERS) (and no unsafe modifiers allowed), KF_RELEASE only allows for ref_obj_id > 0. Because KF_RELEASE today doesn't automatically imply KF_TRUSTED_ARGS, some of these requirements are enforced in different ways that can make the behavior of the verifier feel unpredictable. For example, a KF_RELEASE kfunc with a NULL-able argument will currently fail in the verifier with a message like, "arg#0 is ptr_or_null_ expected ptr_ or socket" rather than "Possibly NULL pointer passed to trusted arg0". Our intention is the same, but the semantics are different due to implemenetation details that kfunc authors and BPF program writers should not need to care about. Let's make the behavior of the verifier more consistent and intuitive by having KF_RELEASE kfuncs imply the presence of KF_TRUSTED_ARGS. Our eventual goal is to have all kfuncs assume KF_TRUSTED_ARGS by default anyways, so this takes us a step in that direction. Note that it does not make sense to assume KF_TRUSTED_ARGS for all KF_ACQUIRE kfuncs. KF_ACQUIRE kfuncs can have looser semantics than KF_RELEASE, with e.g. KF_RCU | KF_RET_NULL. We may want to have KF_ACQUIRE imply KF_TRUSTED_ARGS _unless_ KF_RCU is specified, but that can be left to another patch set, and there are no such subtleties to address for KF_RELEASE. Signed-off-by:
David Vernet <void@manifault.com> Link: https://lore.kernel.org/r/20230325213144.486885-4-void@manifault.comSigned-off-by:
-
