1 // SPDX-License-Identifier: GPL-2.0 2 3 #include <linux/bpf.h> 4 #include <bpf/bpf_helpers.h> 5 #include "bpf_misc.h" 6 7 /* Check that precision marks propagate through scalar IDs. 8 * Registers r{0,1,2} have the same scalar ID at the moment when r0 is 9 * marked to be precise, this mark is immediately propagated to r{1,2}. 10 */ 11 SEC("socket") 12 __success __log_level(2) 13 __msg("frame0: regs=r0,r1,r2 stack= before 4: (bf) r3 = r10") 14 __msg("frame0: regs=r0,r1,r2 stack= before 3: (bf) r2 = r0") 15 __msg("frame0: regs=r0,r1 stack= before 2: (bf) r1 = r0") 16 __msg("frame0: regs=r0 stack= before 1: (57) r0 &= 255") 17 __msg("frame0: regs=r0 stack= before 0: (85) call bpf_ktime_get_ns") 18 __flag(BPF_F_TEST_STATE_FREQ) 19 __naked void precision_same_state(void) 20 { 21 asm volatile ( 22 /* r0 = random number up to 0xff */ 23 "call %[bpf_ktime_get_ns];" 24 "r0 &= 0xff;" 25 /* tie r0.id == r1.id == r2.id */ 26 "r1 = r0;" 27 "r2 = r0;" 28 /* force r0 to be precise, this immediately marks r1 and r2 as 29 * precise as well because of shared IDs 30 */ 31 "r3 = r10;" 32 "r3 += r0;" 33 "r0 = 0;" 34 "exit;" 35 : 36 : __imm(bpf_ktime_get_ns) 37 : __clobber_all); 38 } 39 40 /* Same as precision_same_state, but mark propagates through state / 41 * parent state boundary. 42 */ 43 SEC("socket") 44 __success __log_level(2) 45 __msg("frame0: last_idx 6 first_idx 5 subseq_idx -1") 46 __msg("frame0: regs=r0,r1,r2 stack= before 5: (bf) r3 = r10") 47 __msg("frame0: parent state regs=r0,r1,r2 stack=:") 48 __msg("frame0: regs=r0,r1,r2 stack= before 4: (05) goto pc+0") 49 __msg("frame0: regs=r0,r1,r2 stack= before 3: (bf) r2 = r0") 50 __msg("frame0: regs=r0,r1 stack= before 2: (bf) r1 = r0") 51 __msg("frame0: regs=r0 stack= before 1: (57) r0 &= 255") 52 __msg("frame0: parent state regs=r0 stack=:") 53 __msg("frame0: regs=r0 stack= before 0: (85) call bpf_ktime_get_ns") 54 __flag(BPF_F_TEST_STATE_FREQ) 55 __naked void precision_cross_state(void) 56 { 57 asm volatile ( 58 /* r0 = random number up to 0xff */ 59 "call %[bpf_ktime_get_ns];" 60 "r0 &= 0xff;" 61 /* tie r0.id == r1.id == r2.id */ 62 "r1 = r0;" 63 "r2 = r0;" 64 /* force checkpoint */ 65 "goto +0;" 66 /* force r0 to be precise, this immediately marks r1 and r2 as 67 * precise as well because of shared IDs 68 */ 69 "r3 = r10;" 70 "r3 += r0;" 71 "r0 = 0;" 72 "exit;" 73 : 74 : __imm(bpf_ktime_get_ns) 75 : __clobber_all); 76 } 77 78 /* Same as precision_same_state, but break one of the 79 * links, note that r1 is absent from regs=... in __msg below. 80 */ 81 SEC("socket") 82 __success __log_level(2) 83 __msg("frame0: regs=r0,r2 stack= before 5: (bf) r3 = r10") 84 __msg("frame0: regs=r0,r2 stack= before 4: (b7) r1 = 0") 85 __msg("frame0: regs=r0,r2 stack= before 3: (bf) r2 = r0") 86 __msg("frame0: regs=r0 stack= before 2: (bf) r1 = r0") 87 __msg("frame0: regs=r0 stack= before 1: (57) r0 &= 255") 88 __msg("frame0: regs=r0 stack= before 0: (85) call bpf_ktime_get_ns") 89 __flag(BPF_F_TEST_STATE_FREQ) 90 __naked void precision_same_state_broken_link(void) 91 { 92 asm volatile ( 93 /* r0 = random number up to 0xff */ 94 "call %[bpf_ktime_get_ns];" 95 "r0 &= 0xff;" 96 /* tie r0.id == r1.id == r2.id */ 97 "r1 = r0;" 98 "r2 = r0;" 99 /* break link for r1, this is the only line that differs 100 * compared to the previous test 101 */ 102 "r1 = 0;" 103 /* force r0 to be precise, this immediately marks r1 and r2 as 104 * precise as well because of shared IDs 105 */ 106 "r3 = r10;" 107 "r3 += r0;" 108 "r0 = 0;" 109 "exit;" 110 : 111 : __imm(bpf_ktime_get_ns) 112 : __clobber_all); 113 } 114 115 /* Same as precision_same_state_broken_link, but with state / 116 * parent state boundary. 117 */ 118 SEC("socket") 119 __success __log_level(2) 120 __msg("frame0: regs=r0,r2 stack= before 6: (bf) r3 = r10") 121 __msg("frame0: regs=r0,r2 stack= before 5: (b7) r1 = 0") 122 __msg("frame0: parent state regs=r0,r2 stack=:") 123 __msg("frame0: regs=r0,r1,r2 stack= before 4: (05) goto pc+0") 124 __msg("frame0: regs=r0,r1,r2 stack= before 3: (bf) r2 = r0") 125 __msg("frame0: regs=r0,r1 stack= before 2: (bf) r1 = r0") 126 __msg("frame0: regs=r0 stack= before 1: (57) r0 &= 255") 127 __msg("frame0: parent state regs=r0 stack=:") 128 __msg("frame0: regs=r0 stack= before 0: (85) call bpf_ktime_get_ns") 129 __flag(BPF_F_TEST_STATE_FREQ) 130 __naked void precision_cross_state_broken_link(void) 131 { 132 asm volatile ( 133 /* r0 = random number up to 0xff */ 134 "call %[bpf_ktime_get_ns];" 135 "r0 &= 0xff;" 136 /* tie r0.id == r1.id == r2.id */ 137 "r1 = r0;" 138 "r2 = r0;" 139 /* force checkpoint, although link between r1 and r{0,2} is 140 * broken by the next statement current precision tracking 141 * algorithm can't react to it and propagates mark for r1 to 142 * the parent state. 143 */ 144 "goto +0;" 145 /* break link for r1, this is the only line that differs 146 * compared to precision_cross_state() 147 */ 148 "r1 = 0;" 149 /* force r0 to be precise, this immediately marks r1 and r2 as 150 * precise as well because of shared IDs 151 */ 152 "r3 = r10;" 153 "r3 += r0;" 154 "r0 = 0;" 155 "exit;" 156 : 157 : __imm(bpf_ktime_get_ns) 158 : __clobber_all); 159 } 160 161 /* Check that precision marks propagate through scalar IDs. 162 * Use the same scalar ID in multiple stack frames, check that 163 * precision information is propagated up the call stack. 164 */ 165 SEC("socket") 166 __success __log_level(2) 167 __msg("11: (0f) r2 += r1") 168 /* Current state */ 169 __msg("frame2: last_idx 11 first_idx 10 subseq_idx -1") 170 __msg("frame2: regs=r1 stack= before 10: (bf) r2 = r10") 171 __msg("frame2: parent state regs=r1 stack=") 172 /* frame1.r{6,7} are marked because mark_precise_scalar_ids() 173 * looks for all registers with frame2.r1.id in the current state 174 */ 175 __msg("frame1: parent state regs=r6,r7 stack=") 176 __msg("frame0: parent state regs=r6 stack=") 177 /* Parent state */ 178 __msg("frame2: last_idx 8 first_idx 8 subseq_idx 10") 179 __msg("frame2: regs=r1 stack= before 8: (85) call pc+1") 180 /* frame1.r1 is marked because of backtracking of call instruction */ 181 __msg("frame1: parent state regs=r1,r6,r7 stack=") 182 __msg("frame0: parent state regs=r6 stack=") 183 /* Parent state */ 184 __msg("frame1: last_idx 7 first_idx 6 subseq_idx 8") 185 __msg("frame1: regs=r1,r6,r7 stack= before 7: (bf) r7 = r1") 186 __msg("frame1: regs=r1,r6 stack= before 6: (bf) r6 = r1") 187 __msg("frame1: parent state regs=r1 stack=") 188 __msg("frame0: parent state regs=r6 stack=") 189 /* Parent state */ 190 __msg("frame1: last_idx 4 first_idx 4 subseq_idx 6") 191 __msg("frame1: regs=r1 stack= before 4: (85) call pc+1") 192 __msg("frame0: parent state regs=r1,r6 stack=") 193 /* Parent state */ 194 __msg("frame0: last_idx 3 first_idx 1 subseq_idx 4") 195 __msg("frame0: regs=r0,r1,r6 stack= before 3: (bf) r6 = r0") 196 __msg("frame0: regs=r0,r1 stack= before 2: (bf) r1 = r0") 197 __msg("frame0: regs=r0 stack= before 1: (57) r0 &= 255") 198 __flag(BPF_F_TEST_STATE_FREQ) 199 __naked void precision_many_frames(void) 200 { 201 asm volatile ( 202 /* r0 = random number up to 0xff */ 203 "call %[bpf_ktime_get_ns];" 204 "r0 &= 0xff;" 205 /* tie r0.id == r1.id == r6.id */ 206 "r1 = r0;" 207 "r6 = r0;" 208 "call precision_many_frames__foo;" 209 "exit;" 210 : 211 : __imm(bpf_ktime_get_ns) 212 : __clobber_all); 213 } 214 215 static __naked __noinline __used 216 void precision_many_frames__foo(void) 217 { 218 asm volatile ( 219 /* conflate one of the register numbers (r6) with outer frame, 220 * to verify that those are tracked independently 221 */ 222 "r6 = r1;" 223 "r7 = r1;" 224 "call precision_many_frames__bar;" 225 "exit" 226 ::: __clobber_all); 227 } 228 229 static __naked __noinline __used 230 void precision_many_frames__bar(void) 231 { 232 asm volatile ( 233 /* force r1 to be precise, this immediately marks: 234 * - bar frame r1 235 * - foo frame r{1,6,7} 236 * - main frame r{1,6} 237 */ 238 "r2 = r10;" 239 "r2 += r1;" 240 "r0 = 0;" 241 "exit;" 242 ::: __clobber_all); 243 } 244 245 /* Check that scalars with the same IDs are marked precise on stack as 246 * well as in registers. 247 */ 248 SEC("socket") 249 __success __log_level(2) 250 /* foo frame */ 251 __msg("frame1: regs=r1 stack=-8,-16 before 9: (bf) r2 = r10") 252 __msg("frame1: regs=r1 stack=-8,-16 before 8: (7b) *(u64 *)(r10 -16) = r1") 253 __msg("frame1: regs=r1 stack=-8 before 7: (7b) *(u64 *)(r10 -8) = r1") 254 __msg("frame1: regs=r1 stack= before 4: (85) call pc+2") 255 /* main frame */ 256 __msg("frame0: regs=r0,r1 stack=-8 before 3: (7b) *(u64 *)(r10 -8) = r1") 257 __msg("frame0: regs=r0,r1 stack= before 2: (bf) r1 = r0") 258 __msg("frame0: regs=r0 stack= before 1: (57) r0 &= 255") 259 __flag(BPF_F_TEST_STATE_FREQ) 260 __naked void precision_stack(void) 261 { 262 asm volatile ( 263 /* r0 = random number up to 0xff */ 264 "call %[bpf_ktime_get_ns];" 265 "r0 &= 0xff;" 266 /* tie r0.id == r1.id == fp[-8].id */ 267 "r1 = r0;" 268 "*(u64*)(r10 - 8) = r1;" 269 "call precision_stack__foo;" 270 "r0 = 0;" 271 "exit;" 272 : 273 : __imm(bpf_ktime_get_ns) 274 : __clobber_all); 275 } 276 277 static __naked __noinline __used 278 void precision_stack__foo(void) 279 { 280 asm volatile ( 281 /* conflate one of the register numbers (r6) with outer frame, 282 * to verify that those are tracked independently 283 */ 284 "*(u64*)(r10 - 8) = r1;" 285 "*(u64*)(r10 - 16) = r1;" 286 /* force r1 to be precise, this immediately marks: 287 * - foo frame r1,fp{-8,-16} 288 * - main frame r1,fp{-8} 289 */ 290 "r2 = r10;" 291 "r2 += r1;" 292 "exit" 293 ::: __clobber_all); 294 } 295 296 /* Use two separate scalar IDs to check that these are propagated 297 * independently. 298 */ 299 SEC("socket") 300 __success __log_level(2) 301 /* r{6,7} */ 302 __msg("11: (0f) r3 += r7") 303 __msg("frame0: regs=r6,r7 stack= before 10: (bf) r3 = r10") 304 /* ... skip some insns ... */ 305 __msg("frame0: regs=r6,r7 stack= before 3: (bf) r7 = r0") 306 __msg("frame0: regs=r0,r6 stack= before 2: (bf) r6 = r0") 307 /* r{8,9} */ 308 __msg("12: (0f) r3 += r9") 309 __msg("frame0: regs=r8,r9 stack= before 11: (0f) r3 += r7") 310 /* ... skip some insns ... */ 311 __msg("frame0: regs=r8,r9 stack= before 7: (bf) r9 = r0") 312 __msg("frame0: regs=r0,r8 stack= before 6: (bf) r8 = r0") 313 __flag(BPF_F_TEST_STATE_FREQ) 314 __naked void precision_two_ids(void) 315 { 316 asm volatile ( 317 /* r6 = random number up to 0xff 318 * r6.id == r7.id 319 */ 320 "call %[bpf_ktime_get_ns];" 321 "r0 &= 0xff;" 322 "r6 = r0;" 323 "r7 = r0;" 324 /* same, but for r{8,9} */ 325 "call %[bpf_ktime_get_ns];" 326 "r0 &= 0xff;" 327 "r8 = r0;" 328 "r9 = r0;" 329 /* clear r0 id */ 330 "r0 = 0;" 331 /* force checkpoint */ 332 "goto +0;" 333 "r3 = r10;" 334 /* force r7 to be precise, this also marks r6 */ 335 "r3 += r7;" 336 /* force r9 to be precise, this also marks r8 */ 337 "r3 += r9;" 338 "exit;" 339 : 340 : __imm(bpf_ktime_get_ns) 341 : __clobber_all); 342 } 343 344 /* Verify that check_ids() is used by regsafe() for scalars. 345 * 346 * r9 = ... some pointer with range X ... 347 * r6 = ... unbound scalar ID=a ... 348 * r7 = ... unbound scalar ID=b ... 349 * if (r6 > r7) goto +1 350 * r7 = r6 351 * if (r7 > X) goto exit 352 * r9 += r6 353 * ... access memory using r9 ... 354 * 355 * The memory access is safe only if r7 is bounded, 356 * which is true for one branch and not true for another. 357 */ 358 SEC("socket") 359 __failure __msg("register with unbounded min value") 360 __flag(BPF_F_TEST_STATE_FREQ) 361 __naked void check_ids_in_regsafe(void) 362 { 363 asm volatile ( 364 /* Bump allocated stack */ 365 "r1 = 0;" 366 "*(u64*)(r10 - 8) = r1;" 367 /* r9 = pointer to stack */ 368 "r9 = r10;" 369 "r9 += -8;" 370 /* r7 = ktime_get_ns() */ 371 "call %[bpf_ktime_get_ns];" 372 "r7 = r0;" 373 /* r6 = ktime_get_ns() */ 374 "call %[bpf_ktime_get_ns];" 375 "r6 = r0;" 376 /* if r6 > r7 is an unpredictable jump */ 377 "if r6 > r7 goto l1_%=;" 378 "r7 = r6;" 379 "l1_%=:" 380 /* if r7 > 4 ...; transfers range to r6 on one execution path 381 * but does not transfer on another 382 */ 383 "if r7 > 4 goto l2_%=;" 384 /* Access memory at r9[r6], r6 is not always bounded */ 385 "r9 += r6;" 386 "r0 = *(u8*)(r9 + 0);" 387 "l2_%=:" 388 "r0 = 0;" 389 "exit;" 390 : 391 : __imm(bpf_ktime_get_ns) 392 : __clobber_all); 393 } 394 395 /* Similar to check_ids_in_regsafe. 396 * The l0 could be reached in two states: 397 * 398 * (1) r6{.id=A}, r7{.id=A}, r8{.id=B} 399 * (2) r6{.id=B}, r7{.id=A}, r8{.id=B} 400 * 401 * Where (2) is not safe, as "r7 > 4" check won't propagate range for it. 402 * This example would be considered safe without changes to 403 * mark_chain_precision() to track scalar values with equal IDs. 404 */ 405 SEC("socket") 406 __failure __msg("register with unbounded min value") 407 __flag(BPF_F_TEST_STATE_FREQ) 408 __naked void check_ids_in_regsafe_2(void) 409 { 410 asm volatile ( 411 /* Bump allocated stack */ 412 "r1 = 0;" 413 "*(u64*)(r10 - 8) = r1;" 414 /* r9 = pointer to stack */ 415 "r9 = r10;" 416 "r9 += -8;" 417 /* r8 = ktime_get_ns() */ 418 "call %[bpf_ktime_get_ns];" 419 "r8 = r0;" 420 /* r7 = ktime_get_ns() */ 421 "call %[bpf_ktime_get_ns];" 422 "r7 = r0;" 423 /* r6 = ktime_get_ns() */ 424 "call %[bpf_ktime_get_ns];" 425 "r6 = r0;" 426 /* scratch .id from r0 */ 427 "r0 = 0;" 428 /* if r6 > r7 is an unpredictable jump */ 429 "if r6 > r7 goto l1_%=;" 430 /* tie r6 and r7 .id */ 431 "r6 = r7;" 432 "l0_%=:" 433 /* if r7 > 4 exit(0) */ 434 "if r7 > 4 goto l2_%=;" 435 /* Access memory at r9[r6] */ 436 "r9 += r6;" 437 "r0 = *(u8*)(r9 + 0);" 438 "l2_%=:" 439 "r0 = 0;" 440 "exit;" 441 "l1_%=:" 442 /* tie r6 and r8 .id */ 443 "r6 = r8;" 444 "goto l0_%=;" 445 : 446 : __imm(bpf_ktime_get_ns) 447 : __clobber_all); 448 } 449 450 /* Check that scalar IDs *are not* generated on register to register 451 * assignments if source register is a constant. 452 * 453 * If such IDs *are* generated the 'l1' below would be reached in 454 * two states: 455 * 456 * (1) r1{.id=A}, r2{.id=A} 457 * (2) r1{.id=C}, r2{.id=C} 458 * 459 * Thus forcing 'if r1 == r2' verification twice. 460 */ 461 SEC("socket") 462 __success __log_level(2) 463 __msg("11: (1d) if r3 == r4 goto pc+0") 464 __msg("frame 0: propagating r3,r4") 465 __msg("11: safe") 466 __msg("processed 15 insns") 467 __flag(BPF_F_TEST_STATE_FREQ) 468 __naked void no_scalar_id_for_const(void) 469 { 470 asm volatile ( 471 "call %[bpf_ktime_get_ns];" 472 /* unpredictable jump */ 473 "if r0 > 7 goto l0_%=;" 474 /* possibly generate same scalar ids for r3 and r4 */ 475 "r1 = 0;" 476 "r1 = r1;" 477 "r3 = r1;" 478 "r4 = r1;" 479 "goto l1_%=;" 480 "l0_%=:" 481 /* possibly generate different scalar ids for r3 and r4 */ 482 "r1 = 0;" 483 "r2 = 0;" 484 "r3 = r1;" 485 "r4 = r2;" 486 "l1_%=:" 487 /* predictable jump, marks r3 and r4 precise */ 488 "if r3 == r4 goto +0;" 489 "r0 = 0;" 490 "exit;" 491 : 492 : __imm(bpf_ktime_get_ns) 493 : __clobber_all); 494 } 495 496 /* Same as no_scalar_id_for_const() but for 32-bit values */ 497 SEC("socket") 498 __success __log_level(2) 499 __msg("11: (1e) if w3 == w4 goto pc+0") 500 __msg("frame 0: propagating r3,r4") 501 __msg("11: safe") 502 __msg("processed 15 insns") 503 __flag(BPF_F_TEST_STATE_FREQ) 504 __naked void no_scalar_id_for_const32(void) 505 { 506 asm volatile ( 507 "call %[bpf_ktime_get_ns];" 508 /* unpredictable jump */ 509 "if r0 > 7 goto l0_%=;" 510 /* possibly generate same scalar ids for r3 and r4 */ 511 "w1 = 0;" 512 "w1 = w1;" 513 "w3 = w1;" 514 "w4 = w1;" 515 "goto l1_%=;" 516 "l0_%=:" 517 /* possibly generate different scalar ids for r3 and r4 */ 518 "w1 = 0;" 519 "w2 = 0;" 520 "w3 = w1;" 521 "w4 = w2;" 522 "l1_%=:" 523 /* predictable jump, marks r1 and r2 precise */ 524 "if w3 == w4 goto +0;" 525 "r0 = 0;" 526 "exit;" 527 : 528 : __imm(bpf_ktime_get_ns) 529 : __clobber_all); 530 } 531 532 /* Check that unique scalar IDs are ignored when new verifier state is 533 * compared to cached verifier state. For this test: 534 * - cached state has no id on r1 535 * - new state has a unique id on r1 536 */ 537 SEC("socket") 538 __success __log_level(2) 539 __msg("6: (25) if r6 > 0x7 goto pc+1") 540 __msg("7: (57) r1 &= 255") 541 __msg("8: (bf) r2 = r10") 542 __msg("from 6 to 8: safe") 543 __msg("processed 12 insns") 544 __flag(BPF_F_TEST_STATE_FREQ) 545 __naked void ignore_unique_scalar_ids_cur(void) 546 { 547 asm volatile ( 548 "call %[bpf_ktime_get_ns];" 549 "r6 = r0;" 550 "call %[bpf_ktime_get_ns];" 551 "r0 &= 0xff;" 552 /* r1.id == r0.id */ 553 "r1 = r0;" 554 /* make r1.id unique */ 555 "r0 = 0;" 556 "if r6 > 7 goto l0_%=;" 557 /* clear r1 id, but keep the range compatible */ 558 "r1 &= 0xff;" 559 "l0_%=:" 560 /* get here in two states: 561 * - first: r1 has no id (cached state) 562 * - second: r1 has a unique id (should be considered equivalent) 563 */ 564 "r2 = r10;" 565 "r2 += r1;" 566 "exit;" 567 : 568 : __imm(bpf_ktime_get_ns) 569 : __clobber_all); 570 } 571 572 /* Check that unique scalar IDs are ignored when new verifier state is 573 * compared to cached verifier state. For this test: 574 * - cached state has a unique id on r1 575 * - new state has no id on r1 576 */ 577 SEC("socket") 578 __success __log_level(2) 579 __msg("6: (25) if r6 > 0x7 goto pc+1") 580 __msg("7: (05) goto pc+1") 581 __msg("9: (bf) r2 = r10") 582 __msg("9: safe") 583 __msg("processed 13 insns") 584 __flag(BPF_F_TEST_STATE_FREQ) 585 __naked void ignore_unique_scalar_ids_old(void) 586 { 587 asm volatile ( 588 "call %[bpf_ktime_get_ns];" 589 "r6 = r0;" 590 "call %[bpf_ktime_get_ns];" 591 "r0 &= 0xff;" 592 /* r1.id == r0.id */ 593 "r1 = r0;" 594 /* make r1.id unique */ 595 "r0 = 0;" 596 "if r6 > 7 goto l1_%=;" 597 "goto l0_%=;" 598 "l1_%=:" 599 /* clear r1 id, but keep the range compatible */ 600 "r1 &= 0xff;" 601 "l0_%=:" 602 /* get here in two states: 603 * - first: r1 has a unique id (cached state) 604 * - second: r1 has no id (should be considered equivalent) 605 */ 606 "r2 = r10;" 607 "r2 += r1;" 608 "exit;" 609 : 610 : __imm(bpf_ktime_get_ns) 611 : __clobber_all); 612 } 613 614 /* Check that two different scalar IDs in a verified state can't be 615 * mapped to the same scalar ID in current state. 616 */ 617 SEC("socket") 618 __success __log_level(2) 619 /* The exit instruction should be reachable from two states, 620 * use two matches and "processed .. insns" to ensure this. 621 */ 622 __msg("13: (95) exit") 623 __msg("13: (95) exit") 624 __msg("processed 18 insns") 625 __flag(BPF_F_TEST_STATE_FREQ) 626 __naked void two_old_ids_one_cur_id(void) 627 { 628 asm volatile ( 629 /* Give unique scalar IDs to r{6,7} */ 630 "call %[bpf_ktime_get_ns];" 631 "r0 &= 0xff;" 632 "r6 = r0;" 633 "call %[bpf_ktime_get_ns];" 634 "r0 &= 0xff;" 635 "r7 = r0;" 636 "r0 = 0;" 637 /* Maybe make r{6,7} IDs identical */ 638 "if r6 > r7 goto l0_%=;" 639 "goto l1_%=;" 640 "l0_%=:" 641 "r6 = r7;" 642 "l1_%=:" 643 /* Mark r{6,7} precise. 644 * Get here in two states: 645 * - first: r6{.id=A}, r7{.id=B} (cached state) 646 * - second: r6{.id=A}, r7{.id=A} 647 * Currently we don't want to consider such states equivalent. 648 * Thus "exit;" would be verified twice. 649 */ 650 "r2 = r10;" 651 "r2 += r6;" 652 "r2 += r7;" 653 "exit;" 654 : 655 : __imm(bpf_ktime_get_ns) 656 : __clobber_all); 657 } 658 659 SEC("socket") 660 /* Note the flag, see verifier.c:opt_subreg_zext_lo32_rnd_hi32() */ 661 __flag(BPF_F_TEST_RND_HI32) 662 __success 663 /* This test was added because of a bug in verifier.c:sync_linked_regs(), 664 * upon range propagation it destroyed subreg_def marks for registers. 665 * The subreg_def mark is used to decide whether zero extension instructions 666 * are needed when register is read. When BPF_F_TEST_RND_HI32 is set it 667 * also causes generation of statements to randomize upper halves of 668 * read registers. 669 * 670 * The test is written in a way to return an upper half of a register 671 * that is affected by range propagation and must have it's subreg_def 672 * preserved. This gives a return value of 0 and leads to undefined 673 * return value if subreg_def mark is not preserved. 674 */ 675 __retval(0) 676 /* Check that verifier believes r1/r0 are zero at exit */ 677 __log_level(2) 678 __msg("4: (77) r1 >>= 32 ; R1_w=0") 679 __msg("5: (bf) r0 = r1 ; R0_w=0 R1_w=0") 680 __msg("6: (95) exit") 681 __msg("from 3 to 4") 682 __msg("4: (77) r1 >>= 32 ; R1_w=0") 683 __msg("5: (bf) r0 = r1 ; R0_w=0 R1_w=0") 684 __msg("6: (95) exit") 685 /* Verify that statements to randomize upper half of r1 had not been 686 * generated. 687 */ 688 __xlated("call unknown") 689 __xlated("r0 &= 2147483647") 690 __xlated("w1 = w0") 691 /* This is how disasm.c prints BPF_ZEXT_REG at the moment, x86 and arm 692 * are the only CI archs that do not need zero extension for subregs. 693 */ 694 #if !defined(__TARGET_ARCH_x86) && !defined(__TARGET_ARCH_arm64) 695 __xlated("w1 = w1") 696 #endif 697 __xlated("if w0 < 0xa goto pc+0") 698 __xlated("r1 >>= 32") 699 __xlated("r0 = r1") 700 __xlated("exit") 701 __naked void linked_regs_and_subreg_def(void) 702 { 703 asm volatile ( 704 "call %[bpf_ktime_get_ns];" 705 /* make sure r0 is in 32-bit range, otherwise w1 = w0 won't 706 * assign same IDs to registers. 707 */ 708 "r0 &= 0x7fffffff;" 709 /* link w1 and w0 via ID */ 710 "w1 = w0;" 711 /* 'if' statement propagates range info from w0 to w1, 712 * but should not affect w1->subreg_def property. 713 */ 714 "if w0 < 10 goto +0;" 715 /* r1 is read here, on archs that require subreg zero 716 * extension this would cause zext patch generation. 717 */ 718 "r1 >>= 32;" 719 "r0 = r1;" 720 "exit;" 721 : 722 : __imm(bpf_ktime_get_ns) 723 : __clobber_all); 724 } 725 726 char _license[] SEC("license") = "GPL"; 727