1 /* 2 * Testsuite for eBPF verifier 3 * 4 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com 5 * Copyright (c) 2017 Facebook 6 * Copyright (c) 2018 Covalent IO, Inc. http://covalent.io 7 * 8 * This program is free software; you can redistribute it and/or 9 * modify it under the terms of version 2 of the GNU General Public 10 * License as published by the Free Software Foundation. 11 */ 12 13 #include <endian.h> 14 #include <asm/types.h> 15 #include <linux/types.h> 16 #include <stdint.h> 17 #include <stdio.h> 18 #include <stdlib.h> 19 #include <unistd.h> 20 #include <errno.h> 21 #include <string.h> 22 #include <stddef.h> 23 #include <stdbool.h> 24 #include <sched.h> 25 #include <limits.h> 26 #include <assert.h> 27 28 #include <sys/capability.h> 29 30 #include <linux/unistd.h> 31 #include <linux/filter.h> 32 #include <linux/bpf_perf_event.h> 33 #include <linux/bpf.h> 34 #include <linux/if_ether.h> 35 #include <linux/btf.h> 36 37 #include <bpf/bpf.h> 38 #include <bpf/libbpf.h> 39 40 #ifdef HAVE_GENHDR 41 # include "autoconf.h" 42 #else 43 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__) 44 # define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1 45 # endif 46 #endif 47 #include "bpf_rlimit.h" 48 #include "bpf_rand.h" 49 #include "bpf_util.h" 50 #include "../../../include/linux/filter.h" 51 52 #define MAX_INSNS BPF_MAXINSNS 53 #define MAX_TEST_INSNS 1000000 54 #define MAX_FIXUPS 8 55 #define MAX_NR_MAPS 17 56 #define MAX_TEST_RUNS 8 57 #define POINTER_VALUE 0xcafe4all 58 #define TEST_DATA_LEN 64 59 60 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS (1 << 0) 61 #define F_LOAD_WITH_STRICT_ALIGNMENT (1 << 1) 62 63 #define UNPRIV_SYSCTL "kernel/unprivileged_bpf_disabled" 64 static bool unpriv_disabled = false; 65 static int skips; 66 67 struct bpf_test { 68 const char *descr; 69 struct bpf_insn insns[MAX_INSNS]; 70 struct bpf_insn *fill_insns; 71 int fixup_map_hash_8b[MAX_FIXUPS]; 72 int fixup_map_hash_48b[MAX_FIXUPS]; 73 int fixup_map_hash_16b[MAX_FIXUPS]; 74 int fixup_map_array_48b[MAX_FIXUPS]; 75 int fixup_map_sockmap[MAX_FIXUPS]; 76 int fixup_map_sockhash[MAX_FIXUPS]; 77 int fixup_map_xskmap[MAX_FIXUPS]; 78 int fixup_map_stacktrace[MAX_FIXUPS]; 79 int fixup_prog1[MAX_FIXUPS]; 80 int fixup_prog2[MAX_FIXUPS]; 81 int fixup_map_in_map[MAX_FIXUPS]; 82 int fixup_cgroup_storage[MAX_FIXUPS]; 83 int fixup_percpu_cgroup_storage[MAX_FIXUPS]; 84 int fixup_map_spin_lock[MAX_FIXUPS]; 85 int fixup_map_array_ro[MAX_FIXUPS]; 86 int fixup_map_array_wo[MAX_FIXUPS]; 87 int fixup_map_array_small[MAX_FIXUPS]; 88 const char *errstr; 89 const char *errstr_unpriv; 90 uint32_t retval, retval_unpriv, insn_processed; 91 int prog_len; 92 enum { 93 UNDEF, 94 ACCEPT, 95 REJECT 96 } result, result_unpriv; 97 enum bpf_prog_type prog_type; 98 uint8_t flags; 99 __u8 data[TEST_DATA_LEN]; 100 void (*fill_helper)(struct bpf_test *self); 101 uint8_t runs; 102 struct { 103 uint32_t retval, retval_unpriv; 104 union { 105 __u8 data[TEST_DATA_LEN]; 106 __u64 data64[TEST_DATA_LEN / 8]; 107 }; 108 } retvals[MAX_TEST_RUNS]; 109 }; 110 111 /* Note we want this to be 64 bit aligned so that the end of our array is 112 * actually the end of the structure. 113 */ 114 #define MAX_ENTRIES 11 115 116 struct test_val { 117 unsigned int index; 118 int foo[MAX_ENTRIES]; 119 }; 120 121 struct other_val { 122 long long foo; 123 long long bar; 124 }; 125 126 static void bpf_fill_ld_abs_vlan_push_pop(struct bpf_test *self) 127 { 128 /* test: {skb->data[0], vlan_push} x 51 + {skb->data[0], vlan_pop} x 51 */ 129 #define PUSH_CNT 51 130 /* jump range is limited to 16 bit. PUSH_CNT of ld_abs needs room */ 131 unsigned int len = (1 << 15) - PUSH_CNT * 2 * 5 * 6; 132 struct bpf_insn *insn = self->fill_insns; 133 int i = 0, j, k = 0; 134 135 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1); 136 loop: 137 for (j = 0; j < PUSH_CNT; j++) { 138 insn[i++] = BPF_LD_ABS(BPF_B, 0); 139 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2); 140 i++; 141 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6); 142 insn[i++] = BPF_MOV64_IMM(BPF_REG_2, 1); 143 insn[i++] = BPF_MOV64_IMM(BPF_REG_3, 2); 144 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 145 BPF_FUNC_skb_vlan_push), 146 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2); 147 i++; 148 } 149 150 for (j = 0; j < PUSH_CNT; j++) { 151 insn[i++] = BPF_LD_ABS(BPF_B, 0); 152 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2); 153 i++; 154 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6); 155 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 156 BPF_FUNC_skb_vlan_pop), 157 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2); 158 i++; 159 } 160 if (++k < 5) 161 goto loop; 162 163 for (; i < len - 1; i++) 164 insn[i] = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, 0xbef); 165 insn[len - 1] = BPF_EXIT_INSN(); 166 self->prog_len = len; 167 } 168 169 static void bpf_fill_jump_around_ld_abs(struct bpf_test *self) 170 { 171 struct bpf_insn *insn = self->fill_insns; 172 /* jump range is limited to 16 bit. every ld_abs is replaced by 6 insns */ 173 unsigned int len = (1 << 15) / 6; 174 int i = 0; 175 176 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1); 177 insn[i++] = BPF_LD_ABS(BPF_B, 0); 178 insn[i] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 10, len - i - 2); 179 i++; 180 while (i < len - 1) 181 insn[i++] = BPF_LD_ABS(BPF_B, 1); 182 insn[i] = BPF_EXIT_INSN(); 183 self->prog_len = i + 1; 184 } 185 186 static void bpf_fill_rand_ld_dw(struct bpf_test *self) 187 { 188 struct bpf_insn *insn = self->fill_insns; 189 uint64_t res = 0; 190 int i = 0; 191 192 insn[i++] = BPF_MOV32_IMM(BPF_REG_0, 0); 193 while (i < self->retval) { 194 uint64_t val = bpf_semi_rand_get(); 195 struct bpf_insn tmp[2] = { BPF_LD_IMM64(BPF_REG_1, val) }; 196 197 res ^= val; 198 insn[i++] = tmp[0]; 199 insn[i++] = tmp[1]; 200 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1); 201 } 202 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_0); 203 insn[i++] = BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32); 204 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1); 205 insn[i] = BPF_EXIT_INSN(); 206 self->prog_len = i + 1; 207 res ^= (res >> 32); 208 self->retval = (uint32_t)res; 209 } 210 211 /* test the sequence of 1k jumps */ 212 static void bpf_fill_scale1(struct bpf_test *self) 213 { 214 struct bpf_insn *insn = self->fill_insns; 215 int i = 0, k = 0; 216 217 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1); 218 /* test to check that the sequence of 1024 jumps is acceptable */ 219 while (k++ < 1024) { 220 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 221 BPF_FUNC_get_prandom_u32); 222 insn[i++] = BPF_JMP_IMM(BPF_JGT, BPF_REG_0, bpf_semi_rand_get(), 2); 223 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_10); 224 insn[i++] = BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 225 -8 * (k % 64 + 1)); 226 } 227 /* every jump adds 1024 steps to insn_processed, so to stay exactly 228 * within 1m limit add MAX_TEST_INSNS - 1025 MOVs and 1 EXIT 229 */ 230 while (i < MAX_TEST_INSNS - 1025) 231 insn[i++] = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, 42); 232 insn[i] = BPF_EXIT_INSN(); 233 self->prog_len = i + 1; 234 self->retval = 42; 235 } 236 237 /* test the sequence of 1k jumps in inner most function (function depth 8)*/ 238 static void bpf_fill_scale2(struct bpf_test *self) 239 { 240 struct bpf_insn *insn = self->fill_insns; 241 int i = 0, k = 0; 242 243 #define FUNC_NEST 7 244 for (k = 0; k < FUNC_NEST; k++) { 245 insn[i++] = BPF_CALL_REL(1); 246 insn[i++] = BPF_EXIT_INSN(); 247 } 248 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1); 249 /* test to check that the sequence of 1024 jumps is acceptable */ 250 while (k++ < 1024) { 251 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 252 BPF_FUNC_get_prandom_u32); 253 insn[i++] = BPF_JMP_IMM(BPF_JGT, BPF_REG_0, bpf_semi_rand_get(), 2); 254 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_10); 255 insn[i++] = BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 256 -8 * (k % (64 - 4 * FUNC_NEST) + 1)); 257 } 258 /* every jump adds 1024 steps to insn_processed, so to stay exactly 259 * within 1m limit add MAX_TEST_INSNS - 1025 MOVs and 1 EXIT 260 */ 261 while (i < MAX_TEST_INSNS - 1025) 262 insn[i++] = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, 42); 263 insn[i] = BPF_EXIT_INSN(); 264 self->prog_len = i + 1; 265 self->retval = 42; 266 } 267 268 static void bpf_fill_scale(struct bpf_test *self) 269 { 270 switch (self->retval) { 271 case 1: 272 return bpf_fill_scale1(self); 273 case 2: 274 return bpf_fill_scale2(self); 275 default: 276 self->prog_len = 0; 277 break; 278 } 279 } 280 281 /* BPF_SK_LOOKUP contains 13 instructions, if you need to fix up maps */ 282 #define BPF_SK_LOOKUP(func) \ 283 /* struct bpf_sock_tuple tuple = {} */ \ 284 BPF_MOV64_IMM(BPF_REG_2, 0), \ 285 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_2, -8), \ 286 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -16), \ 287 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -24), \ 288 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -32), \ 289 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -40), \ 290 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -48), \ 291 /* sk = func(ctx, &tuple, sizeof tuple, 0, 0) */ \ 292 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), \ 293 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48), \ 294 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct bpf_sock_tuple)), \ 295 BPF_MOV64_IMM(BPF_REG_4, 0), \ 296 BPF_MOV64_IMM(BPF_REG_5, 0), \ 297 BPF_EMIT_CALL(BPF_FUNC_ ## func) 298 299 /* BPF_DIRECT_PKT_R2 contains 7 instructions, it initializes default return 300 * value into 0 and does necessary preparation for direct packet access 301 * through r2. The allowed access range is 8 bytes. 302 */ 303 #define BPF_DIRECT_PKT_R2 \ 304 BPF_MOV64_IMM(BPF_REG_0, 0), \ 305 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, \ 306 offsetof(struct __sk_buff, data)), \ 307 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, \ 308 offsetof(struct __sk_buff, data_end)), \ 309 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), \ 310 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8), \ 311 BPF_JMP_REG(BPF_JLE, BPF_REG_4, BPF_REG_3, 1), \ 312 BPF_EXIT_INSN() 313 314 /* BPF_RAND_UEXT_R7 contains 4 instructions, it initializes R7 into a random 315 * positive u32, and zero-extend it into 64-bit. 316 */ 317 #define BPF_RAND_UEXT_R7 \ 318 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, \ 319 BPF_FUNC_get_prandom_u32), \ 320 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), \ 321 BPF_ALU64_IMM(BPF_LSH, BPF_REG_7, 33), \ 322 BPF_ALU64_IMM(BPF_RSH, BPF_REG_7, 33) 323 324 /* BPF_RAND_SEXT_R7 contains 5 instructions, it initializes R7 into a random 325 * negative u32, and sign-extend it into 64-bit. 326 */ 327 #define BPF_RAND_SEXT_R7 \ 328 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, \ 329 BPF_FUNC_get_prandom_u32), \ 330 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), \ 331 BPF_ALU64_IMM(BPF_OR, BPF_REG_7, 0x80000000), \ 332 BPF_ALU64_IMM(BPF_LSH, BPF_REG_7, 32), \ 333 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_7, 32) 334 335 static struct bpf_test tests[] = { 336 #define FILL_ARRAY 337 #include <verifier/tests.h> 338 #undef FILL_ARRAY 339 }; 340 341 static int probe_filter_length(const struct bpf_insn *fp) 342 { 343 int len; 344 345 for (len = MAX_INSNS - 1; len > 0; --len) 346 if (fp[len].code != 0 || fp[len].imm != 0) 347 break; 348 return len + 1; 349 } 350 351 static bool skip_unsupported_map(enum bpf_map_type map_type) 352 { 353 if (!bpf_probe_map_type(map_type, 0)) { 354 printf("SKIP (unsupported map type %d)\n", map_type); 355 skips++; 356 return true; 357 } 358 return false; 359 } 360 361 static int __create_map(uint32_t type, uint32_t size_key, 362 uint32_t size_value, uint32_t max_elem, 363 uint32_t extra_flags) 364 { 365 int fd; 366 367 fd = bpf_create_map(type, size_key, size_value, max_elem, 368 (type == BPF_MAP_TYPE_HASH ? 369 BPF_F_NO_PREALLOC : 0) | extra_flags); 370 if (fd < 0) { 371 if (skip_unsupported_map(type)) 372 return -1; 373 printf("Failed to create hash map '%s'!\n", strerror(errno)); 374 } 375 376 return fd; 377 } 378 379 static int create_map(uint32_t type, uint32_t size_key, 380 uint32_t size_value, uint32_t max_elem) 381 { 382 return __create_map(type, size_key, size_value, max_elem, 0); 383 } 384 385 static void update_map(int fd, int index) 386 { 387 struct test_val value = { 388 .index = (6 + 1) * sizeof(int), 389 .foo[6] = 0xabcdef12, 390 }; 391 392 assert(!bpf_map_update_elem(fd, &index, &value, 0)); 393 } 394 395 static int create_prog_dummy1(enum bpf_prog_type prog_type) 396 { 397 struct bpf_insn prog[] = { 398 BPF_MOV64_IMM(BPF_REG_0, 42), 399 BPF_EXIT_INSN(), 400 }; 401 402 return bpf_load_program(prog_type, prog, 403 ARRAY_SIZE(prog), "GPL", 0, NULL, 0); 404 } 405 406 static int create_prog_dummy2(enum bpf_prog_type prog_type, int mfd, int idx) 407 { 408 struct bpf_insn prog[] = { 409 BPF_MOV64_IMM(BPF_REG_3, idx), 410 BPF_LD_MAP_FD(BPF_REG_2, mfd), 411 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 412 BPF_FUNC_tail_call), 413 BPF_MOV64_IMM(BPF_REG_0, 41), 414 BPF_EXIT_INSN(), 415 }; 416 417 return bpf_load_program(prog_type, prog, 418 ARRAY_SIZE(prog), "GPL", 0, NULL, 0); 419 } 420 421 static int create_prog_array(enum bpf_prog_type prog_type, uint32_t max_elem, 422 int p1key) 423 { 424 int p2key = 1; 425 int mfd, p1fd, p2fd; 426 427 mfd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int), 428 sizeof(int), max_elem, 0); 429 if (mfd < 0) { 430 if (skip_unsupported_map(BPF_MAP_TYPE_PROG_ARRAY)) 431 return -1; 432 printf("Failed to create prog array '%s'!\n", strerror(errno)); 433 return -1; 434 } 435 436 p1fd = create_prog_dummy1(prog_type); 437 p2fd = create_prog_dummy2(prog_type, mfd, p2key); 438 if (p1fd < 0 || p2fd < 0) 439 goto out; 440 if (bpf_map_update_elem(mfd, &p1key, &p1fd, BPF_ANY) < 0) 441 goto out; 442 if (bpf_map_update_elem(mfd, &p2key, &p2fd, BPF_ANY) < 0) 443 goto out; 444 close(p2fd); 445 close(p1fd); 446 447 return mfd; 448 out: 449 close(p2fd); 450 close(p1fd); 451 close(mfd); 452 return -1; 453 } 454 455 static int create_map_in_map(void) 456 { 457 int inner_map_fd, outer_map_fd; 458 459 inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int), 460 sizeof(int), 1, 0); 461 if (inner_map_fd < 0) { 462 if (skip_unsupported_map(BPF_MAP_TYPE_ARRAY)) 463 return -1; 464 printf("Failed to create array '%s'!\n", strerror(errno)); 465 return inner_map_fd; 466 } 467 468 outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL, 469 sizeof(int), inner_map_fd, 1, 0); 470 if (outer_map_fd < 0) { 471 if (skip_unsupported_map(BPF_MAP_TYPE_ARRAY_OF_MAPS)) 472 return -1; 473 printf("Failed to create array of maps '%s'!\n", 474 strerror(errno)); 475 } 476 477 close(inner_map_fd); 478 479 return outer_map_fd; 480 } 481 482 static int create_cgroup_storage(bool percpu) 483 { 484 enum bpf_map_type type = percpu ? BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE : 485 BPF_MAP_TYPE_CGROUP_STORAGE; 486 int fd; 487 488 fd = bpf_create_map(type, sizeof(struct bpf_cgroup_storage_key), 489 TEST_DATA_LEN, 0, 0); 490 if (fd < 0) { 491 if (skip_unsupported_map(type)) 492 return -1; 493 printf("Failed to create cgroup storage '%s'!\n", 494 strerror(errno)); 495 } 496 497 return fd; 498 } 499 500 #define BTF_INFO_ENC(kind, kind_flag, vlen) \ 501 ((!!(kind_flag) << 31) | ((kind) << 24) | ((vlen) & BTF_MAX_VLEN)) 502 #define BTF_TYPE_ENC(name, info, size_or_type) \ 503 (name), (info), (size_or_type) 504 #define BTF_INT_ENC(encoding, bits_offset, nr_bits) \ 505 ((encoding) << 24 | (bits_offset) << 16 | (nr_bits)) 506 #define BTF_TYPE_INT_ENC(name, encoding, bits_offset, bits, sz) \ 507 BTF_TYPE_ENC(name, BTF_INFO_ENC(BTF_KIND_INT, 0, 0), sz), \ 508 BTF_INT_ENC(encoding, bits_offset, bits) 509 #define BTF_MEMBER_ENC(name, type, bits_offset) \ 510 (name), (type), (bits_offset) 511 512 struct btf_raw_data { 513 __u32 raw_types[64]; 514 const char *str_sec; 515 __u32 str_sec_size; 516 }; 517 518 /* struct bpf_spin_lock { 519 * int val; 520 * }; 521 * struct val { 522 * int cnt; 523 * struct bpf_spin_lock l; 524 * }; 525 */ 526 static const char btf_str_sec[] = "\0bpf_spin_lock\0val\0cnt\0l"; 527 static __u32 btf_raw_types[] = { 528 /* int */ 529 BTF_TYPE_INT_ENC(0, BTF_INT_SIGNED, 0, 32, 4), /* [1] */ 530 /* struct bpf_spin_lock */ /* [2] */ 531 BTF_TYPE_ENC(1, BTF_INFO_ENC(BTF_KIND_STRUCT, 0, 1), 4), 532 BTF_MEMBER_ENC(15, 1, 0), /* int val; */ 533 /* struct val */ /* [3] */ 534 BTF_TYPE_ENC(15, BTF_INFO_ENC(BTF_KIND_STRUCT, 0, 2), 8), 535 BTF_MEMBER_ENC(19, 1, 0), /* int cnt; */ 536 BTF_MEMBER_ENC(23, 2, 32),/* struct bpf_spin_lock l; */ 537 }; 538 539 static int load_btf(void) 540 { 541 struct btf_header hdr = { 542 .magic = BTF_MAGIC, 543 .version = BTF_VERSION, 544 .hdr_len = sizeof(struct btf_header), 545 .type_len = sizeof(btf_raw_types), 546 .str_off = sizeof(btf_raw_types), 547 .str_len = sizeof(btf_str_sec), 548 }; 549 void *ptr, *raw_btf; 550 int btf_fd; 551 552 ptr = raw_btf = malloc(sizeof(hdr) + sizeof(btf_raw_types) + 553 sizeof(btf_str_sec)); 554 555 memcpy(ptr, &hdr, sizeof(hdr)); 556 ptr += sizeof(hdr); 557 memcpy(ptr, btf_raw_types, hdr.type_len); 558 ptr += hdr.type_len; 559 memcpy(ptr, btf_str_sec, hdr.str_len); 560 ptr += hdr.str_len; 561 562 btf_fd = bpf_load_btf(raw_btf, ptr - raw_btf, 0, 0, 0); 563 free(raw_btf); 564 if (btf_fd < 0) 565 return -1; 566 return btf_fd; 567 } 568 569 static int create_map_spin_lock(void) 570 { 571 struct bpf_create_map_attr attr = { 572 .name = "test_map", 573 .map_type = BPF_MAP_TYPE_ARRAY, 574 .key_size = 4, 575 .value_size = 8, 576 .max_entries = 1, 577 .btf_key_type_id = 1, 578 .btf_value_type_id = 3, 579 }; 580 int fd, btf_fd; 581 582 btf_fd = load_btf(); 583 if (btf_fd < 0) 584 return -1; 585 attr.btf_fd = btf_fd; 586 fd = bpf_create_map_xattr(&attr); 587 if (fd < 0) 588 printf("Failed to create map with spin_lock\n"); 589 return fd; 590 } 591 592 static char bpf_vlog[UINT_MAX >> 8]; 593 594 static void do_test_fixup(struct bpf_test *test, enum bpf_prog_type prog_type, 595 struct bpf_insn *prog, int *map_fds) 596 { 597 int *fixup_map_hash_8b = test->fixup_map_hash_8b; 598 int *fixup_map_hash_48b = test->fixup_map_hash_48b; 599 int *fixup_map_hash_16b = test->fixup_map_hash_16b; 600 int *fixup_map_array_48b = test->fixup_map_array_48b; 601 int *fixup_map_sockmap = test->fixup_map_sockmap; 602 int *fixup_map_sockhash = test->fixup_map_sockhash; 603 int *fixup_map_xskmap = test->fixup_map_xskmap; 604 int *fixup_map_stacktrace = test->fixup_map_stacktrace; 605 int *fixup_prog1 = test->fixup_prog1; 606 int *fixup_prog2 = test->fixup_prog2; 607 int *fixup_map_in_map = test->fixup_map_in_map; 608 int *fixup_cgroup_storage = test->fixup_cgroup_storage; 609 int *fixup_percpu_cgroup_storage = test->fixup_percpu_cgroup_storage; 610 int *fixup_map_spin_lock = test->fixup_map_spin_lock; 611 int *fixup_map_array_ro = test->fixup_map_array_ro; 612 int *fixup_map_array_wo = test->fixup_map_array_wo; 613 int *fixup_map_array_small = test->fixup_map_array_small; 614 615 if (test->fill_helper) { 616 test->fill_insns = calloc(MAX_TEST_INSNS, sizeof(struct bpf_insn)); 617 test->fill_helper(test); 618 } 619 620 /* Allocating HTs with 1 elem is fine here, since we only test 621 * for verifier and not do a runtime lookup, so the only thing 622 * that really matters is value size in this case. 623 */ 624 if (*fixup_map_hash_8b) { 625 map_fds[0] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long), 626 sizeof(long long), 1); 627 do { 628 prog[*fixup_map_hash_8b].imm = map_fds[0]; 629 fixup_map_hash_8b++; 630 } while (*fixup_map_hash_8b); 631 } 632 633 if (*fixup_map_hash_48b) { 634 map_fds[1] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long), 635 sizeof(struct test_val), 1); 636 do { 637 prog[*fixup_map_hash_48b].imm = map_fds[1]; 638 fixup_map_hash_48b++; 639 } while (*fixup_map_hash_48b); 640 } 641 642 if (*fixup_map_hash_16b) { 643 map_fds[2] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long), 644 sizeof(struct other_val), 1); 645 do { 646 prog[*fixup_map_hash_16b].imm = map_fds[2]; 647 fixup_map_hash_16b++; 648 } while (*fixup_map_hash_16b); 649 } 650 651 if (*fixup_map_array_48b) { 652 map_fds[3] = create_map(BPF_MAP_TYPE_ARRAY, sizeof(int), 653 sizeof(struct test_val), 1); 654 update_map(map_fds[3], 0); 655 do { 656 prog[*fixup_map_array_48b].imm = map_fds[3]; 657 fixup_map_array_48b++; 658 } while (*fixup_map_array_48b); 659 } 660 661 if (*fixup_prog1) { 662 map_fds[4] = create_prog_array(prog_type, 4, 0); 663 do { 664 prog[*fixup_prog1].imm = map_fds[4]; 665 fixup_prog1++; 666 } while (*fixup_prog1); 667 } 668 669 if (*fixup_prog2) { 670 map_fds[5] = create_prog_array(prog_type, 8, 7); 671 do { 672 prog[*fixup_prog2].imm = map_fds[5]; 673 fixup_prog2++; 674 } while (*fixup_prog2); 675 } 676 677 if (*fixup_map_in_map) { 678 map_fds[6] = create_map_in_map(); 679 do { 680 prog[*fixup_map_in_map].imm = map_fds[6]; 681 fixup_map_in_map++; 682 } while (*fixup_map_in_map); 683 } 684 685 if (*fixup_cgroup_storage) { 686 map_fds[7] = create_cgroup_storage(false); 687 do { 688 prog[*fixup_cgroup_storage].imm = map_fds[7]; 689 fixup_cgroup_storage++; 690 } while (*fixup_cgroup_storage); 691 } 692 693 if (*fixup_percpu_cgroup_storage) { 694 map_fds[8] = create_cgroup_storage(true); 695 do { 696 prog[*fixup_percpu_cgroup_storage].imm = map_fds[8]; 697 fixup_percpu_cgroup_storage++; 698 } while (*fixup_percpu_cgroup_storage); 699 } 700 if (*fixup_map_sockmap) { 701 map_fds[9] = create_map(BPF_MAP_TYPE_SOCKMAP, sizeof(int), 702 sizeof(int), 1); 703 do { 704 prog[*fixup_map_sockmap].imm = map_fds[9]; 705 fixup_map_sockmap++; 706 } while (*fixup_map_sockmap); 707 } 708 if (*fixup_map_sockhash) { 709 map_fds[10] = create_map(BPF_MAP_TYPE_SOCKHASH, sizeof(int), 710 sizeof(int), 1); 711 do { 712 prog[*fixup_map_sockhash].imm = map_fds[10]; 713 fixup_map_sockhash++; 714 } while (*fixup_map_sockhash); 715 } 716 if (*fixup_map_xskmap) { 717 map_fds[11] = create_map(BPF_MAP_TYPE_XSKMAP, sizeof(int), 718 sizeof(int), 1); 719 do { 720 prog[*fixup_map_xskmap].imm = map_fds[11]; 721 fixup_map_xskmap++; 722 } while (*fixup_map_xskmap); 723 } 724 if (*fixup_map_stacktrace) { 725 map_fds[12] = create_map(BPF_MAP_TYPE_STACK_TRACE, sizeof(u32), 726 sizeof(u64), 1); 727 do { 728 prog[*fixup_map_stacktrace].imm = map_fds[12]; 729 fixup_map_stacktrace++; 730 } while (*fixup_map_stacktrace); 731 } 732 if (*fixup_map_spin_lock) { 733 map_fds[13] = create_map_spin_lock(); 734 do { 735 prog[*fixup_map_spin_lock].imm = map_fds[13]; 736 fixup_map_spin_lock++; 737 } while (*fixup_map_spin_lock); 738 } 739 if (*fixup_map_array_ro) { 740 map_fds[14] = __create_map(BPF_MAP_TYPE_ARRAY, sizeof(int), 741 sizeof(struct test_val), 1, 742 BPF_F_RDONLY_PROG); 743 update_map(map_fds[14], 0); 744 do { 745 prog[*fixup_map_array_ro].imm = map_fds[14]; 746 fixup_map_array_ro++; 747 } while (*fixup_map_array_ro); 748 } 749 if (*fixup_map_array_wo) { 750 map_fds[15] = __create_map(BPF_MAP_TYPE_ARRAY, sizeof(int), 751 sizeof(struct test_val), 1, 752 BPF_F_WRONLY_PROG); 753 update_map(map_fds[15], 0); 754 do { 755 prog[*fixup_map_array_wo].imm = map_fds[15]; 756 fixup_map_array_wo++; 757 } while (*fixup_map_array_wo); 758 } 759 if (*fixup_map_array_small) { 760 map_fds[16] = __create_map(BPF_MAP_TYPE_ARRAY, sizeof(int), 761 1, 1, 0); 762 update_map(map_fds[16], 0); 763 do { 764 prog[*fixup_map_array_small].imm = map_fds[16]; 765 fixup_map_array_small++; 766 } while (*fixup_map_array_small); 767 } 768 } 769 770 static int set_admin(bool admin) 771 { 772 cap_t caps; 773 const cap_value_t cap_val = CAP_SYS_ADMIN; 774 int ret = -1; 775 776 caps = cap_get_proc(); 777 if (!caps) { 778 perror("cap_get_proc"); 779 return -1; 780 } 781 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val, 782 admin ? CAP_SET : CAP_CLEAR)) { 783 perror("cap_set_flag"); 784 goto out; 785 } 786 if (cap_set_proc(caps)) { 787 perror("cap_set_proc"); 788 goto out; 789 } 790 ret = 0; 791 out: 792 if (cap_free(caps)) 793 perror("cap_free"); 794 return ret; 795 } 796 797 static int do_prog_test_run(int fd_prog, bool unpriv, uint32_t expected_val, 798 void *data, size_t size_data) 799 { 800 __u8 tmp[TEST_DATA_LEN << 2]; 801 __u32 size_tmp = sizeof(tmp); 802 uint32_t retval; 803 int err; 804 805 if (unpriv) 806 set_admin(true); 807 err = bpf_prog_test_run(fd_prog, 1, data, size_data, 808 tmp, &size_tmp, &retval, NULL); 809 if (unpriv) 810 set_admin(false); 811 if (err && errno != 524/*ENOTSUPP*/ && errno != EPERM) { 812 printf("Unexpected bpf_prog_test_run error "); 813 return err; 814 } 815 if (!err && retval != expected_val && 816 expected_val != POINTER_VALUE) { 817 printf("FAIL retval %d != %d ", retval, expected_val); 818 return 1; 819 } 820 821 return 0; 822 } 823 824 static void do_test_single(struct bpf_test *test, bool unpriv, 825 int *passes, int *errors) 826 { 827 int fd_prog, expected_ret, alignment_prevented_execution; 828 int prog_len, prog_type = test->prog_type; 829 struct bpf_insn *prog = test->insns; 830 int run_errs, run_successes; 831 int map_fds[MAX_NR_MAPS]; 832 const char *expected_err; 833 int fixup_skips; 834 __u32 pflags; 835 int i, err; 836 837 for (i = 0; i < MAX_NR_MAPS; i++) 838 map_fds[i] = -1; 839 840 if (!prog_type) 841 prog_type = BPF_PROG_TYPE_SOCKET_FILTER; 842 fixup_skips = skips; 843 do_test_fixup(test, prog_type, prog, map_fds); 844 if (test->fill_insns) { 845 prog = test->fill_insns; 846 prog_len = test->prog_len; 847 } else { 848 prog_len = probe_filter_length(prog); 849 } 850 /* If there were some map skips during fixup due to missing bpf 851 * features, skip this test. 852 */ 853 if (fixup_skips != skips) 854 return; 855 856 pflags = 0; 857 if (test->flags & F_LOAD_WITH_STRICT_ALIGNMENT) 858 pflags |= BPF_F_STRICT_ALIGNMENT; 859 if (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) 860 pflags |= BPF_F_ANY_ALIGNMENT; 861 fd_prog = bpf_verify_program(prog_type, prog, prog_len, pflags, 862 "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 4); 863 if (fd_prog < 0 && !bpf_probe_prog_type(prog_type, 0)) { 864 printf("SKIP (unsupported program type %d)\n", prog_type); 865 skips++; 866 goto close_fds; 867 } 868 869 expected_ret = unpriv && test->result_unpriv != UNDEF ? 870 test->result_unpriv : test->result; 871 expected_err = unpriv && test->errstr_unpriv ? 872 test->errstr_unpriv : test->errstr; 873 874 alignment_prevented_execution = 0; 875 876 if (expected_ret == ACCEPT) { 877 if (fd_prog < 0) { 878 printf("FAIL\nFailed to load prog '%s'!\n", 879 strerror(errno)); 880 goto fail_log; 881 } 882 #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 883 if (fd_prog >= 0 && 884 (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS)) 885 alignment_prevented_execution = 1; 886 #endif 887 } else { 888 if (fd_prog >= 0) { 889 printf("FAIL\nUnexpected success to load!\n"); 890 goto fail_log; 891 } 892 if (!strstr(bpf_vlog, expected_err)) { 893 printf("FAIL\nUnexpected error message!\n\tEXP: %s\n\tRES: %s\n", 894 expected_err, bpf_vlog); 895 goto fail_log; 896 } 897 } 898 899 if (test->insn_processed) { 900 uint32_t insn_processed; 901 char *proc; 902 903 proc = strstr(bpf_vlog, "processed "); 904 insn_processed = atoi(proc + 10); 905 if (test->insn_processed != insn_processed) { 906 printf("FAIL\nUnexpected insn_processed %u vs %u\n", 907 insn_processed, test->insn_processed); 908 goto fail_log; 909 } 910 } 911 912 run_errs = 0; 913 run_successes = 0; 914 if (!alignment_prevented_execution && fd_prog >= 0) { 915 uint32_t expected_val; 916 int i; 917 918 if (!test->runs) { 919 expected_val = unpriv && test->retval_unpriv ? 920 test->retval_unpriv : test->retval; 921 922 err = do_prog_test_run(fd_prog, unpriv, expected_val, 923 test->data, sizeof(test->data)); 924 if (err) 925 run_errs++; 926 else 927 run_successes++; 928 } 929 930 for (i = 0; i < test->runs; i++) { 931 if (unpriv && test->retvals[i].retval_unpriv) 932 expected_val = test->retvals[i].retval_unpriv; 933 else 934 expected_val = test->retvals[i].retval; 935 936 err = do_prog_test_run(fd_prog, unpriv, expected_val, 937 test->retvals[i].data, 938 sizeof(test->retvals[i].data)); 939 if (err) { 940 printf("(run %d/%d) ", i + 1, test->runs); 941 run_errs++; 942 } else { 943 run_successes++; 944 } 945 } 946 } 947 948 if (!run_errs) { 949 (*passes)++; 950 if (run_successes > 1) 951 printf("%d cases ", run_successes); 952 printf("OK"); 953 if (alignment_prevented_execution) 954 printf(" (NOTE: not executed due to unknown alignment)"); 955 printf("\n"); 956 } else { 957 printf("\n"); 958 goto fail_log; 959 } 960 close_fds: 961 if (test->fill_insns) 962 free(test->fill_insns); 963 close(fd_prog); 964 for (i = 0; i < MAX_NR_MAPS; i++) 965 close(map_fds[i]); 966 sched_yield(); 967 return; 968 fail_log: 969 (*errors)++; 970 printf("%s", bpf_vlog); 971 goto close_fds; 972 } 973 974 static bool is_admin(void) 975 { 976 cap_t caps; 977 cap_flag_value_t sysadmin = CAP_CLEAR; 978 const cap_value_t cap_val = CAP_SYS_ADMIN; 979 980 #ifdef CAP_IS_SUPPORTED 981 if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) { 982 perror("cap_get_flag"); 983 return false; 984 } 985 #endif 986 caps = cap_get_proc(); 987 if (!caps) { 988 perror("cap_get_proc"); 989 return false; 990 } 991 if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin)) 992 perror("cap_get_flag"); 993 if (cap_free(caps)) 994 perror("cap_free"); 995 return (sysadmin == CAP_SET); 996 } 997 998 static void get_unpriv_disabled() 999 { 1000 char buf[2]; 1001 FILE *fd; 1002 1003 fd = fopen("/proc/sys/"UNPRIV_SYSCTL, "r"); 1004 if (!fd) { 1005 perror("fopen /proc/sys/"UNPRIV_SYSCTL); 1006 unpriv_disabled = true; 1007 return; 1008 } 1009 if (fgets(buf, 2, fd) == buf && atoi(buf)) 1010 unpriv_disabled = true; 1011 fclose(fd); 1012 } 1013 1014 static bool test_as_unpriv(struct bpf_test *test) 1015 { 1016 return !test->prog_type || 1017 test->prog_type == BPF_PROG_TYPE_SOCKET_FILTER || 1018 test->prog_type == BPF_PROG_TYPE_CGROUP_SKB; 1019 } 1020 1021 static int do_test(bool unpriv, unsigned int from, unsigned int to) 1022 { 1023 int i, passes = 0, errors = 0; 1024 1025 for (i = from; i < to; i++) { 1026 struct bpf_test *test = &tests[i]; 1027 1028 /* Program types that are not supported by non-root we 1029 * skip right away. 1030 */ 1031 if (test_as_unpriv(test) && unpriv_disabled) { 1032 printf("#%d/u %s SKIP\n", i, test->descr); 1033 skips++; 1034 } else if (test_as_unpriv(test)) { 1035 if (!unpriv) 1036 set_admin(false); 1037 printf("#%d/u %s ", i, test->descr); 1038 do_test_single(test, true, &passes, &errors); 1039 if (!unpriv) 1040 set_admin(true); 1041 } 1042 1043 if (unpriv) { 1044 printf("#%d/p %s SKIP\n", i, test->descr); 1045 skips++; 1046 } else { 1047 printf("#%d/p %s ", i, test->descr); 1048 do_test_single(test, false, &passes, &errors); 1049 } 1050 } 1051 1052 printf("Summary: %d PASSED, %d SKIPPED, %d FAILED\n", passes, 1053 skips, errors); 1054 return errors ? EXIT_FAILURE : EXIT_SUCCESS; 1055 } 1056 1057 int main(int argc, char **argv) 1058 { 1059 unsigned int from = 0, to = ARRAY_SIZE(tests); 1060 bool unpriv = !is_admin(); 1061 1062 if (argc == 3) { 1063 unsigned int l = atoi(argv[argc - 2]); 1064 unsigned int u = atoi(argv[argc - 1]); 1065 1066 if (l < to && u < to) { 1067 from = l; 1068 to = u + 1; 1069 } 1070 } else if (argc == 2) { 1071 unsigned int t = atoi(argv[argc - 1]); 1072 1073 if (t < to) { 1074 from = t; 1075 to = t + 1; 1076 } 1077 } 1078 1079 get_unpriv_disabled(); 1080 if (unpriv && unpriv_disabled) { 1081 printf("Cannot run as unprivileged user with sysctl %s.\n", 1082 UNPRIV_SYSCTL); 1083 return EXIT_FAILURE; 1084 } 1085 1086 bpf_semi_rand_init(); 1087 return do_test(unpriv, from, to); 1088 } 1089