• Alexei Starovoitov's avatar
    bpf: verifier (add ability to receive verification log) · cbd35700
    Alexei Starovoitov authored
    add optional attributes for BPF_PROG_LOAD syscall:
    union bpf_attr {
        struct {
    	...
    	__u32         log_level; /* verbosity level of eBPF verifier */
    	__u32         log_size;  /* size of user buffer */
    	__aligned_u64 log_buf;   /* user supplied 'char *buffer' */
        };
    };
    
    when log_level > 0 the verifier will return its verification log in the user
    supplied buffer 'log_buf' which can be used by program author to analyze why
    verifier rejected given program.
    
    'Understanding eBPF verifier messages' section of Documentation/networking/filter.txt
    provides several examples of these messages, like the program:
    
      BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
      BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
      BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
      BPF_LD_MAP_FD(BPF_REG_1, 0),
      BPF_CALL_FUNC(BPF_FUNC_map_lookup_elem),
      BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
      BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
      BPF_EXIT_INSN(),
    
    will be rejected with the following multi-line message in log_buf:
    
      0: (7a) *(u64 *)(r10 -8) = 0
      1: (bf) r2 = r10
      2: (07) r2 += -8
      3: (b7) r1 = 0
      4: (85) call 1
      5: (15) if r0 == 0x0 goto pc+1
       R0=map_ptr R10=fp
      6: (7a) *(u64 *)(r0 +4) = 0
      misaligned access off 4 size 8
    
    The format of the output can change at any time as verifier evolves.
    Signed-off-by: default avatarAlexei Starovoitov <ast@plumgrid.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    cbd35700
verifier.c 12.2 KB