kernel/tools/testing/selftests/bpf/verifier, branch linux-5.1.y

bpf: fix div64 overflow tests to properly detect errors

2019-07-14T06:09:41Z

[ Upstream commit 3e0682695199bad51dd898fe064d1564637ff77a ] If the result of the division is LLONG_MIN, current tests do not detect the error since the return value is truncated to a 32-bit value and ends up being 0. Signed-off-by: Naveen N. Rao Signed-off-by: Daniel Borkmann Signed-off-by: Sasha Levin

selftests/bpf: test cases for pkt/null checks in subprogs

2019-04-26T00:20:06Z

The first test case, for pointer null checks, is equivalent to the following pseudo-code. It checks that the verifier does not complain on line 6 and recognizes that ptr isn't null. 1: ptr = bpf_map_lookup_elem(map, &key); 2: ret = subprog(ptr) { 3: return ptr != NULL; 4: } 5: if (ret) 6: value = *ptr; The second test case, for packet bound checks, is equivalent to the following pseudo-code. It checks that the verifier does not complain on line 7 and recognizes that the packet is at least 1 byte long. 1: pkt_end = ctx.pkt_end; 2: ptr = ctx.pkt + 8; 3: ret = subprog(ptr, pkt_end) { 4: return ptr <= pkt_end; 5: } 6: if (ret) 7: value = *(u8 *)ctx.pkt; Signed-off-by: Paul Chaignon Signed-off-by: Alexei Starovoitov

selftests/bpf: test case for invalid call stack in dead code

2019-03-26T20:02:16Z

This patch adds a test case with an excessive number of call stack frames in dead code. Signed-off-by: Paul Chaignon Tested-by: Xiao Han Signed-off-by: Alexei Starovoitov

bpf: verifier: propagate liveness on all frames

2019-03-22T02:57:02Z

Commit 7640ead93924 ("bpf: verifier: make sure callees don't prune with caller differences") connected up parentage chains of all frames of the stack. It didn't, however, ensure propagate_liveness() propagates all liveness information along those chains. This means pruning happening in the callee may generate explored states with incomplete liveness for the chains in lower frames of the stack. The included selftest is similar to the prior one from commit 7640ead93924 ("bpf: verifier: make sure callees don't prune with caller differences"), where callee would prune regardless of the difference in r8 state. Now we also initialize r9 to 0 or 1 based on a result from get_random(). r9 is never read so the walk with r9 = 0 gets pruned (correctly) after the walk with r9 = 1 completes. The selftest is so arranged that the pruning will happen in the callee. Since callee does not propagate read marks of r8, the explored state at the pruning point prior to the callee will now ignore r8. Propagate liveness on all frames of the stack when pruning. Fixes: f4d7e40a5b71 ("bpf: introduce function calls (verification)") Signed-off-by: Jakub Kicinski Signed-off-by: Alexei Starovoitov

bpf: Test ref release issue in bpf_tcp_sock and bpf_sk_fullsock

2019-03-13T19:04:35Z

Adding verifier tests to ensure the ptr returned from bpf_tcp_sock() and bpf_sk_fullsock() cannot be accessed after bpf_sk_release() is called. A few of the tests are derived from a reproducer test by Lorenz Bauer. Signed-off-by: Martin KaFai Lau Signed-off-by: Alexei Starovoitov

bpf: fix replace_map_fd_with_map_ptr's ldimm64 second imm field

2019-03-07T16:47:13Z

Non-zero imm value in the second part of the ldimm64 instruction for BPF_PSEUDO_MAP_FD is invalid, and thus must be rejected. The map fd only ever sits in the first instructions' imm field. None of the BPF loaders known to us are using it, so risk of regression is minimal. For clarity and consistency, the few insn->{src_reg,imm} occurrences are rewritten into insn[0].{src_reg,imm}. Add a test case to the BPF selftest suite as well. Fixes: 0246e64d9a5f ("bpf: handle pseudo BPF_LD_IMM64 insn") Signed-off-by: Daniel Borkmann Acked-by: Song Liu Signed-off-by: Alexei Starovoitov

bpf: add test cases for non-pointer sanitiation logic

2019-03-04T09:54:20Z

Add two additional tests for further asserting the BPF_ALU_NON_POINTER logic with cases that were missed previously. Cc: Marek Majkowski Cc: Arthur Fabre Acked-by: Song Liu Signed-off-by: Daniel Borkmann

bpf: Add skb->sk, bpf_sk_fullsock and bpf_tcp_sock tests to test_verifer

2019-02-11T03:46:17Z

This patch tests accessing the skb->sk and the new helpers, bpf_sk_fullsock and bpf_tcp_sock. The errstr of some existing "reference tracking" tests is changed with s/bpf_sock/sock/ and s/socket/sock/ where "sock" is from the verifier's reg_type_str[]. Acked-by: Alexei Starovoitov Signed-off-by: Martin KaFai Lau Signed-off-by: Alexei Starovoitov

selftests/bpf: add "any alignment" annotation for some tests

2019-02-05T15:56:10Z

RISC-V does, in-general, not have "efficient unaligned access". When testing the RISC-V BPF JIT, some selftests failed in the verification due to misaligned access. Annotate these tests with the F_NEEDS_EFFICIENT_UNALIGNED_ACCESS flag. Signed-off-by: Björn Töpel Signed-off-by: Daniel Borkmann

selftests/bpf: add bpf_spin_lock verifier tests

2019-02-01T19:55:39Z

add bpf_spin_lock tests to test_verifier.c that don't require latest llvm with BTF support Signed-off-by: Alexei Starovoitov Signed-off-by: Daniel Borkmann