1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Testsuite for eBPF verifier 4 * 5 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com 6 * Copyright (c) 2017 Facebook 7 * Copyright (c) 2018 Covalent IO, Inc. http://covalent.io 8 */ 9 10 #include <endian.h> 11 #include <asm/types.h> 12 #include <linux/types.h> 13 #include <stdint.h> 14 #include <stdio.h> 15 #include <stdlib.h> 16 #include <unistd.h> 17 #include <errno.h> 18 #include <string.h> 19 #include <stddef.h> 20 #include <stdbool.h> 21 #include <sched.h> 22 #include <limits.h> 23 #include <assert.h> 24 25 #include <sys/capability.h> 26 27 #include <linux/unistd.h> 28 #include <linux/filter.h> 29 #include <linux/bpf_perf_event.h> 30 #include <linux/bpf.h> 31 #include <linux/if_ether.h> 32 #include <linux/btf.h> 33 34 #include <bpf/bpf.h> 35 #include <bpf/libbpf.h> 36 37 #ifdef HAVE_GENHDR 38 # include "autoconf.h" 39 #else 40 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__) 41 # define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1 42 # endif 43 #endif 44 #include "bpf_rlimit.h" 45 #include "bpf_rand.h" 46 #include "bpf_util.h" 47 #include "test_btf.h" 48 #include "../../../include/linux/filter.h" 49 50 #define MAX_INSNS BPF_MAXINSNS 51 #define MAX_TEST_INSNS 1000000 52 #define MAX_FIXUPS 8 53 #define MAX_NR_MAPS 18 54 #define MAX_TEST_RUNS 8 55 #define POINTER_VALUE 0xcafe4all 56 #define TEST_DATA_LEN 64 57 58 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS (1 << 0) 59 #define F_LOAD_WITH_STRICT_ALIGNMENT (1 << 1) 60 61 #define UNPRIV_SYSCTL "kernel/unprivileged_bpf_disabled" 62 static bool unpriv_disabled = false; 63 static int skips; 64 65 struct bpf_test { 66 const char *descr; 67 struct bpf_insn insns[MAX_INSNS]; 68 struct bpf_insn *fill_insns; 69 int fixup_map_hash_8b[MAX_FIXUPS]; 70 int fixup_map_hash_48b[MAX_FIXUPS]; 71 int fixup_map_hash_16b[MAX_FIXUPS]; 72 int fixup_map_array_48b[MAX_FIXUPS]; 73 int fixup_map_sockmap[MAX_FIXUPS]; 74 int fixup_map_sockhash[MAX_FIXUPS]; 75 int fixup_map_xskmap[MAX_FIXUPS]; 76 int fixup_map_stacktrace[MAX_FIXUPS]; 77 int fixup_prog1[MAX_FIXUPS]; 78 int fixup_prog2[MAX_FIXUPS]; 79 int fixup_map_in_map[MAX_FIXUPS]; 80 int fixup_cgroup_storage[MAX_FIXUPS]; 81 int fixup_percpu_cgroup_storage[MAX_FIXUPS]; 82 int fixup_map_spin_lock[MAX_FIXUPS]; 83 int fixup_map_array_ro[MAX_FIXUPS]; 84 int fixup_map_array_wo[MAX_FIXUPS]; 85 int fixup_map_array_small[MAX_FIXUPS]; 86 int fixup_sk_storage_map[MAX_FIXUPS]; 87 const char *errstr; 88 const char *errstr_unpriv; 89 uint32_t retval, retval_unpriv, insn_processed; 90 int prog_len; 91 enum { 92 UNDEF, 93 ACCEPT, 94 REJECT 95 } result, result_unpriv; 96 enum bpf_prog_type prog_type; 97 uint8_t flags; 98 __u8 data[TEST_DATA_LEN]; 99 void (*fill_helper)(struct bpf_test *self); 100 uint8_t runs; 101 struct { 102 uint32_t retval, retval_unpriv; 103 union { 104 __u8 data[TEST_DATA_LEN]; 105 __u64 data64[TEST_DATA_LEN / 8]; 106 }; 107 } retvals[MAX_TEST_RUNS]; 108 }; 109 110 /* Note we want this to be 64 bit aligned so that the end of our array is 111 * actually the end of the structure. 112 */ 113 #define MAX_ENTRIES 11 114 115 struct test_val { 116 unsigned int index; 117 int foo[MAX_ENTRIES]; 118 }; 119 120 struct other_val { 121 long long foo; 122 long long bar; 123 }; 124 125 static void bpf_fill_ld_abs_vlan_push_pop(struct bpf_test *self) 126 { 127 /* test: {skb->data[0], vlan_push} x 51 + {skb->data[0], vlan_pop} x 51 */ 128 #define PUSH_CNT 51 129 /* jump range is limited to 16 bit. PUSH_CNT of ld_abs needs room */ 130 unsigned int len = (1 << 15) - PUSH_CNT * 2 * 5 * 6; 131 struct bpf_insn *insn = self->fill_insns; 132 int i = 0, j, k = 0; 133 134 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1); 135 loop: 136 for (j = 0; j < PUSH_CNT; j++) { 137 insn[i++] = BPF_LD_ABS(BPF_B, 0); 138 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2); 139 i++; 140 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6); 141 insn[i++] = BPF_MOV64_IMM(BPF_REG_2, 1); 142 insn[i++] = BPF_MOV64_IMM(BPF_REG_3, 2); 143 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 144 BPF_FUNC_skb_vlan_push), 145 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2); 146 i++; 147 } 148 149 for (j = 0; j < PUSH_CNT; j++) { 150 insn[i++] = BPF_LD_ABS(BPF_B, 0); 151 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2); 152 i++; 153 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6); 154 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 155 BPF_FUNC_skb_vlan_pop), 156 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2); 157 i++; 158 } 159 if (++k < 5) 160 goto loop; 161 162 for (; i < len - 1; i++) 163 insn[i] = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, 0xbef); 164 insn[len - 1] = BPF_EXIT_INSN(); 165 self->prog_len = len; 166 } 167 168 static void bpf_fill_jump_around_ld_abs(struct bpf_test *self) 169 { 170 struct bpf_insn *insn = self->fill_insns; 171 /* jump range is limited to 16 bit. every ld_abs is replaced by 6 insns */ 172 unsigned int len = (1 << 15) / 6; 173 int i = 0; 174 175 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1); 176 insn[i++] = BPF_LD_ABS(BPF_B, 0); 177 insn[i] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 10, len - i - 2); 178 i++; 179 while (i < len - 1) 180 insn[i++] = BPF_LD_ABS(BPF_B, 1); 181 insn[i] = BPF_EXIT_INSN(); 182 self->prog_len = i + 1; 183 } 184 185 static void bpf_fill_rand_ld_dw(struct bpf_test *self) 186 { 187 struct bpf_insn *insn = self->fill_insns; 188 uint64_t res = 0; 189 int i = 0; 190 191 insn[i++] = BPF_MOV32_IMM(BPF_REG_0, 0); 192 while (i < self->retval) { 193 uint64_t val = bpf_semi_rand_get(); 194 struct bpf_insn tmp[2] = { BPF_LD_IMM64(BPF_REG_1, val) }; 195 196 res ^= val; 197 insn[i++] = tmp[0]; 198 insn[i++] = tmp[1]; 199 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1); 200 } 201 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_0); 202 insn[i++] = BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32); 203 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1); 204 insn[i] = BPF_EXIT_INSN(); 205 self->prog_len = i + 1; 206 res ^= (res >> 32); 207 self->retval = (uint32_t)res; 208 } 209 210 /* test the sequence of 1k jumps */ 211 static void bpf_fill_scale1(struct bpf_test *self) 212 { 213 struct bpf_insn *insn = self->fill_insns; 214 int i = 0, k = 0; 215 216 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1); 217 /* test to check that the sequence of 1024 jumps is acceptable */ 218 while (k++ < 1024) { 219 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 220 BPF_FUNC_get_prandom_u32); 221 insn[i++] = BPF_JMP_IMM(BPF_JGT, BPF_REG_0, bpf_semi_rand_get(), 2); 222 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_10); 223 insn[i++] = BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 224 -8 * (k % 64 + 1)); 225 } 226 /* every jump adds 1024 steps to insn_processed, so to stay exactly 227 * within 1m limit add MAX_TEST_INSNS - 1025 MOVs and 1 EXIT 228 */ 229 while (i < MAX_TEST_INSNS - 1025) 230 insn[i++] = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, 42); 231 insn[i] = BPF_EXIT_INSN(); 232 self->prog_len = i + 1; 233 self->retval = 42; 234 } 235 236 /* test the sequence of 1k jumps in inner most function (function depth 8)*/ 237 static void bpf_fill_scale2(struct bpf_test *self) 238 { 239 struct bpf_insn *insn = self->fill_insns; 240 int i = 0, k = 0; 241 242 #define FUNC_NEST 7 243 for (k = 0; k < FUNC_NEST; k++) { 244 insn[i++] = BPF_CALL_REL(1); 245 insn[i++] = BPF_EXIT_INSN(); 246 } 247 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1); 248 /* test to check that the sequence of 1024 jumps is acceptable */ 249 while (k++ < 1024) { 250 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 251 BPF_FUNC_get_prandom_u32); 252 insn[i++] = BPF_JMP_IMM(BPF_JGT, BPF_REG_0, bpf_semi_rand_get(), 2); 253 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_10); 254 insn[i++] = BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 255 -8 * (k % (64 - 4 * FUNC_NEST) + 1)); 256 } 257 /* every jump adds 1024 steps to insn_processed, so to stay exactly 258 * within 1m limit add MAX_TEST_INSNS - 1025 MOVs and 1 EXIT 259 */ 260 while (i < MAX_TEST_INSNS - 1025) 261 insn[i++] = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, 42); 262 insn[i] = BPF_EXIT_INSN(); 263 self->prog_len = i + 1; 264 self->retval = 42; 265 } 266 267 static void bpf_fill_scale(struct bpf_test *self) 268 { 269 switch (self->retval) { 270 case 1: 271 return bpf_fill_scale1(self); 272 case 2: 273 return bpf_fill_scale2(self); 274 default: 275 self->prog_len = 0; 276 break; 277 } 278 } 279 280 /* BPF_SK_LOOKUP contains 13 instructions, if you need to fix up maps */ 281 #define BPF_SK_LOOKUP(func) \ 282 /* struct bpf_sock_tuple tuple = {} */ \ 283 BPF_MOV64_IMM(BPF_REG_2, 0), \ 284 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_2, -8), \ 285 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -16), \ 286 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -24), \ 287 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -32), \ 288 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -40), \ 289 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -48), \ 290 /* sk = func(ctx, &tuple, sizeof tuple, 0, 0) */ \ 291 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), \ 292 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48), \ 293 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct bpf_sock_tuple)), \ 294 BPF_MOV64_IMM(BPF_REG_4, 0), \ 295 BPF_MOV64_IMM(BPF_REG_5, 0), \ 296 BPF_EMIT_CALL(BPF_FUNC_ ## func) 297 298 /* BPF_DIRECT_PKT_R2 contains 7 instructions, it initializes default return 299 * value into 0 and does necessary preparation for direct packet access 300 * through r2. The allowed access range is 8 bytes. 301 */ 302 #define BPF_DIRECT_PKT_R2 \ 303 BPF_MOV64_IMM(BPF_REG_0, 0), \ 304 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, \ 305 offsetof(struct __sk_buff, data)), \ 306 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, \ 307 offsetof(struct __sk_buff, data_end)), \ 308 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), \ 309 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8), \ 310 BPF_JMP_REG(BPF_JLE, BPF_REG_4, BPF_REG_3, 1), \ 311 BPF_EXIT_INSN() 312 313 /* BPF_RAND_UEXT_R7 contains 4 instructions, it initializes R7 into a random 314 * positive u32, and zero-extend it into 64-bit. 315 */ 316 #define BPF_RAND_UEXT_R7 \ 317 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, \ 318 BPF_FUNC_get_prandom_u32), \ 319 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), \ 320 BPF_ALU64_IMM(BPF_LSH, BPF_REG_7, 33), \ 321 BPF_ALU64_IMM(BPF_RSH, BPF_REG_7, 33) 322 323 /* BPF_RAND_SEXT_R7 contains 5 instructions, it initializes R7 into a random 324 * negative u32, and sign-extend it into 64-bit. 325 */ 326 #define BPF_RAND_SEXT_R7 \ 327 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, \ 328 BPF_FUNC_get_prandom_u32), \ 329 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), \ 330 BPF_ALU64_IMM(BPF_OR, BPF_REG_7, 0x80000000), \ 331 BPF_ALU64_IMM(BPF_LSH, BPF_REG_7, 32), \ 332 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_7, 32) 333 334 static struct bpf_test tests[] = { 335 #define FILL_ARRAY 336 #include <verifier/tests.h> 337 #undef FILL_ARRAY 338 }; 339 340 static int probe_filter_length(const struct bpf_insn *fp) 341 { 342 int len; 343 344 for (len = MAX_INSNS - 1; len > 0; --len) 345 if (fp[len].code != 0 || fp[len].imm != 0) 346 break; 347 return len + 1; 348 } 349 350 static bool skip_unsupported_map(enum bpf_map_type map_type) 351 { 352 if (!bpf_probe_map_type(map_type, 0)) { 353 printf("SKIP (unsupported map type %d)\n", map_type); 354 skips++; 355 return true; 356 } 357 return false; 358 } 359 360 static int __create_map(uint32_t type, uint32_t size_key, 361 uint32_t size_value, uint32_t max_elem, 362 uint32_t extra_flags) 363 { 364 int fd; 365 366 fd = bpf_create_map(type, size_key, size_value, max_elem, 367 (type == BPF_MAP_TYPE_HASH ? 368 BPF_F_NO_PREALLOC : 0) | extra_flags); 369 if (fd < 0) { 370 if (skip_unsupported_map(type)) 371 return -1; 372 printf("Failed to create hash map '%s'!\n", strerror(errno)); 373 } 374 375 return fd; 376 } 377 378 static int create_map(uint32_t type, uint32_t size_key, 379 uint32_t size_value, uint32_t max_elem) 380 { 381 return __create_map(type, size_key, size_value, max_elem, 0); 382 } 383 384 static void update_map(int fd, int index) 385 { 386 struct test_val value = { 387 .index = (6 + 1) * sizeof(int), 388 .foo[6] = 0xabcdef12, 389 }; 390 391 assert(!bpf_map_update_elem(fd, &index, &value, 0)); 392 } 393 394 static int create_prog_dummy1(enum bpf_prog_type prog_type) 395 { 396 struct bpf_insn prog[] = { 397 BPF_MOV64_IMM(BPF_REG_0, 42), 398 BPF_EXIT_INSN(), 399 }; 400 401 return bpf_load_program(prog_type, prog, 402 ARRAY_SIZE(prog), "GPL", 0, NULL, 0); 403 } 404 405 static int create_prog_dummy2(enum bpf_prog_type prog_type, int mfd, int idx) 406 { 407 struct bpf_insn prog[] = { 408 BPF_MOV64_IMM(BPF_REG_3, idx), 409 BPF_LD_MAP_FD(BPF_REG_2, mfd), 410 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 411 BPF_FUNC_tail_call), 412 BPF_MOV64_IMM(BPF_REG_0, 41), 413 BPF_EXIT_INSN(), 414 }; 415 416 return bpf_load_program(prog_type, prog, 417 ARRAY_SIZE(prog), "GPL", 0, NULL, 0); 418 } 419 420 static int create_prog_array(enum bpf_prog_type prog_type, uint32_t max_elem, 421 int p1key) 422 { 423 int p2key = 1; 424 int mfd, p1fd, p2fd; 425 426 mfd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int), 427 sizeof(int), max_elem, 0); 428 if (mfd < 0) { 429 if (skip_unsupported_map(BPF_MAP_TYPE_PROG_ARRAY)) 430 return -1; 431 printf("Failed to create prog array '%s'!\n", strerror(errno)); 432 return -1; 433 } 434 435 p1fd = create_prog_dummy1(prog_type); 436 p2fd = create_prog_dummy2(prog_type, mfd, p2key); 437 if (p1fd < 0 || p2fd < 0) 438 goto out; 439 if (bpf_map_update_elem(mfd, &p1key, &p1fd, BPF_ANY) < 0) 440 goto out; 441 if (bpf_map_update_elem(mfd, &p2key, &p2fd, BPF_ANY) < 0) 442 goto out; 443 close(p2fd); 444 close(p1fd); 445 446 return mfd; 447 out: 448 close(p2fd); 449 close(p1fd); 450 close(mfd); 451 return -1; 452 } 453 454 static int create_map_in_map(void) 455 { 456 int inner_map_fd, outer_map_fd; 457 458 inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int), 459 sizeof(int), 1, 0); 460 if (inner_map_fd < 0) { 461 if (skip_unsupported_map(BPF_MAP_TYPE_ARRAY)) 462 return -1; 463 printf("Failed to create array '%s'!\n", strerror(errno)); 464 return inner_map_fd; 465 } 466 467 outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL, 468 sizeof(int), inner_map_fd, 1, 0); 469 if (outer_map_fd < 0) { 470 if (skip_unsupported_map(BPF_MAP_TYPE_ARRAY_OF_MAPS)) 471 return -1; 472 printf("Failed to create array of maps '%s'!\n", 473 strerror(errno)); 474 } 475 476 close(inner_map_fd); 477 478 return outer_map_fd; 479 } 480 481 static int create_cgroup_storage(bool percpu) 482 { 483 enum bpf_map_type type = percpu ? BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE : 484 BPF_MAP_TYPE_CGROUP_STORAGE; 485 int fd; 486 487 fd = bpf_create_map(type, sizeof(struct bpf_cgroup_storage_key), 488 TEST_DATA_LEN, 0, 0); 489 if (fd < 0) { 490 if (skip_unsupported_map(type)) 491 return -1; 492 printf("Failed to create cgroup storage '%s'!\n", 493 strerror(errno)); 494 } 495 496 return fd; 497 } 498 499 /* struct bpf_spin_lock { 500 * int val; 501 * }; 502 * struct val { 503 * int cnt; 504 * struct bpf_spin_lock l; 505 * }; 506 */ 507 static const char btf_str_sec[] = "\0bpf_spin_lock\0val\0cnt\0l"; 508 static __u32 btf_raw_types[] = { 509 /* int */ 510 BTF_TYPE_INT_ENC(0, BTF_INT_SIGNED, 0, 32, 4), /* [1] */ 511 /* struct bpf_spin_lock */ /* [2] */ 512 BTF_TYPE_ENC(1, BTF_INFO_ENC(BTF_KIND_STRUCT, 0, 1), 4), 513 BTF_MEMBER_ENC(15, 1, 0), /* int val; */ 514 /* struct val */ /* [3] */ 515 BTF_TYPE_ENC(15, BTF_INFO_ENC(BTF_KIND_STRUCT, 0, 2), 8), 516 BTF_MEMBER_ENC(19, 1, 0), /* int cnt; */ 517 BTF_MEMBER_ENC(23, 2, 32),/* struct bpf_spin_lock l; */ 518 }; 519 520 static int load_btf(void) 521 { 522 struct btf_header hdr = { 523 .magic = BTF_MAGIC, 524 .version = BTF_VERSION, 525 .hdr_len = sizeof(struct btf_header), 526 .type_len = sizeof(btf_raw_types), 527 .str_off = sizeof(btf_raw_types), 528 .str_len = sizeof(btf_str_sec), 529 }; 530 void *ptr, *raw_btf; 531 int btf_fd; 532 533 ptr = raw_btf = malloc(sizeof(hdr) + sizeof(btf_raw_types) + 534 sizeof(btf_str_sec)); 535 536 memcpy(ptr, &hdr, sizeof(hdr)); 537 ptr += sizeof(hdr); 538 memcpy(ptr, btf_raw_types, hdr.type_len); 539 ptr += hdr.type_len; 540 memcpy(ptr, btf_str_sec, hdr.str_len); 541 ptr += hdr.str_len; 542 543 btf_fd = bpf_load_btf(raw_btf, ptr - raw_btf, 0, 0, 0); 544 free(raw_btf); 545 if (btf_fd < 0) 546 return -1; 547 return btf_fd; 548 } 549 550 static int create_map_spin_lock(void) 551 { 552 struct bpf_create_map_attr attr = { 553 .name = "test_map", 554 .map_type = BPF_MAP_TYPE_ARRAY, 555 .key_size = 4, 556 .value_size = 8, 557 .max_entries = 1, 558 .btf_key_type_id = 1, 559 .btf_value_type_id = 3, 560 }; 561 int fd, btf_fd; 562 563 btf_fd = load_btf(); 564 if (btf_fd < 0) 565 return -1; 566 attr.btf_fd = btf_fd; 567 fd = bpf_create_map_xattr(&attr); 568 if (fd < 0) 569 printf("Failed to create map with spin_lock\n"); 570 return fd; 571 } 572 573 static int create_sk_storage_map(void) 574 { 575 struct bpf_create_map_attr attr = { 576 .name = "test_map", 577 .map_type = BPF_MAP_TYPE_SK_STORAGE, 578 .key_size = 4, 579 .value_size = 8, 580 .max_entries = 0, 581 .map_flags = BPF_F_NO_PREALLOC, 582 .btf_key_type_id = 1, 583 .btf_value_type_id = 3, 584 }; 585 int fd, btf_fd; 586 587 btf_fd = load_btf(); 588 if (btf_fd < 0) 589 return -1; 590 attr.btf_fd = btf_fd; 591 fd = bpf_create_map_xattr(&attr); 592 close(attr.btf_fd); 593 if (fd < 0) 594 printf("Failed to create sk_storage_map\n"); 595 return fd; 596 } 597 598 static char bpf_vlog[UINT_MAX >> 8]; 599 600 static void do_test_fixup(struct bpf_test *test, enum bpf_prog_type prog_type, 601 struct bpf_insn *prog, int *map_fds) 602 { 603 int *fixup_map_hash_8b = test->fixup_map_hash_8b; 604 int *fixup_map_hash_48b = test->fixup_map_hash_48b; 605 int *fixup_map_hash_16b = test->fixup_map_hash_16b; 606 int *fixup_map_array_48b = test->fixup_map_array_48b; 607 int *fixup_map_sockmap = test->fixup_map_sockmap; 608 int *fixup_map_sockhash = test->fixup_map_sockhash; 609 int *fixup_map_xskmap = test->fixup_map_xskmap; 610 int *fixup_map_stacktrace = test->fixup_map_stacktrace; 611 int *fixup_prog1 = test->fixup_prog1; 612 int *fixup_prog2 = test->fixup_prog2; 613 int *fixup_map_in_map = test->fixup_map_in_map; 614 int *fixup_cgroup_storage = test->fixup_cgroup_storage; 615 int *fixup_percpu_cgroup_storage = test->fixup_percpu_cgroup_storage; 616 int *fixup_map_spin_lock = test->fixup_map_spin_lock; 617 int *fixup_map_array_ro = test->fixup_map_array_ro; 618 int *fixup_map_array_wo = test->fixup_map_array_wo; 619 int *fixup_map_array_small = test->fixup_map_array_small; 620 int *fixup_sk_storage_map = test->fixup_sk_storage_map; 621 622 if (test->fill_helper) { 623 test->fill_insns = calloc(MAX_TEST_INSNS, sizeof(struct bpf_insn)); 624 test->fill_helper(test); 625 } 626 627 /* Allocating HTs with 1 elem is fine here, since we only test 628 * for verifier and not do a runtime lookup, so the only thing 629 * that really matters is value size in this case. 630 */ 631 if (*fixup_map_hash_8b) { 632 map_fds[0] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long), 633 sizeof(long long), 1); 634 do { 635 prog[*fixup_map_hash_8b].imm = map_fds[0]; 636 fixup_map_hash_8b++; 637 } while (*fixup_map_hash_8b); 638 } 639 640 if (*fixup_map_hash_48b) { 641 map_fds[1] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long), 642 sizeof(struct test_val), 1); 643 do { 644 prog[*fixup_map_hash_48b].imm = map_fds[1]; 645 fixup_map_hash_48b++; 646 } while (*fixup_map_hash_48b); 647 } 648 649 if (*fixup_map_hash_16b) { 650 map_fds[2] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long), 651 sizeof(struct other_val), 1); 652 do { 653 prog[*fixup_map_hash_16b].imm = map_fds[2]; 654 fixup_map_hash_16b++; 655 } while (*fixup_map_hash_16b); 656 } 657 658 if (*fixup_map_array_48b) { 659 map_fds[3] = create_map(BPF_MAP_TYPE_ARRAY, sizeof(int), 660 sizeof(struct test_val), 1); 661 update_map(map_fds[3], 0); 662 do { 663 prog[*fixup_map_array_48b].imm = map_fds[3]; 664 fixup_map_array_48b++; 665 } while (*fixup_map_array_48b); 666 } 667 668 if (*fixup_prog1) { 669 map_fds[4] = create_prog_array(prog_type, 4, 0); 670 do { 671 prog[*fixup_prog1].imm = map_fds[4]; 672 fixup_prog1++; 673 } while (*fixup_prog1); 674 } 675 676 if (*fixup_prog2) { 677 map_fds[5] = create_prog_array(prog_type, 8, 7); 678 do { 679 prog[*fixup_prog2].imm = map_fds[5]; 680 fixup_prog2++; 681 } while (*fixup_prog2); 682 } 683 684 if (*fixup_map_in_map) { 685 map_fds[6] = create_map_in_map(); 686 do { 687 prog[*fixup_map_in_map].imm = map_fds[6]; 688 fixup_map_in_map++; 689 } while (*fixup_map_in_map); 690 } 691 692 if (*fixup_cgroup_storage) { 693 map_fds[7] = create_cgroup_storage(false); 694 do { 695 prog[*fixup_cgroup_storage].imm = map_fds[7]; 696 fixup_cgroup_storage++; 697 } while (*fixup_cgroup_storage); 698 } 699 700 if (*fixup_percpu_cgroup_storage) { 701 map_fds[8] = create_cgroup_storage(true); 702 do { 703 prog[*fixup_percpu_cgroup_storage].imm = map_fds[8]; 704 fixup_percpu_cgroup_storage++; 705 } while (*fixup_percpu_cgroup_storage); 706 } 707 if (*fixup_map_sockmap) { 708 map_fds[9] = create_map(BPF_MAP_TYPE_SOCKMAP, sizeof(int), 709 sizeof(int), 1); 710 do { 711 prog[*fixup_map_sockmap].imm = map_fds[9]; 712 fixup_map_sockmap++; 713 } while (*fixup_map_sockmap); 714 } 715 if (*fixup_map_sockhash) { 716 map_fds[10] = create_map(BPF_MAP_TYPE_SOCKHASH, sizeof(int), 717 sizeof(int), 1); 718 do { 719 prog[*fixup_map_sockhash].imm = map_fds[10]; 720 fixup_map_sockhash++; 721 } while (*fixup_map_sockhash); 722 } 723 if (*fixup_map_xskmap) { 724 map_fds[11] = create_map(BPF_MAP_TYPE_XSKMAP, sizeof(int), 725 sizeof(int), 1); 726 do { 727 prog[*fixup_map_xskmap].imm = map_fds[11]; 728 fixup_map_xskmap++; 729 } while (*fixup_map_xskmap); 730 } 731 if (*fixup_map_stacktrace) { 732 map_fds[12] = create_map(BPF_MAP_TYPE_STACK_TRACE, sizeof(u32), 733 sizeof(u64), 1); 734 do { 735 prog[*fixup_map_stacktrace].imm = map_fds[12]; 736 fixup_map_stacktrace++; 737 } while (*fixup_map_stacktrace); 738 } 739 if (*fixup_map_spin_lock) { 740 map_fds[13] = create_map_spin_lock(); 741 do { 742 prog[*fixup_map_spin_lock].imm = map_fds[13]; 743 fixup_map_spin_lock++; 744 } while (*fixup_map_spin_lock); 745 } 746 if (*fixup_map_array_ro) { 747 map_fds[14] = __create_map(BPF_MAP_TYPE_ARRAY, sizeof(int), 748 sizeof(struct test_val), 1, 749 BPF_F_RDONLY_PROG); 750 update_map(map_fds[14], 0); 751 do { 752 prog[*fixup_map_array_ro].imm = map_fds[14]; 753 fixup_map_array_ro++; 754 } while (*fixup_map_array_ro); 755 } 756 if (*fixup_map_array_wo) { 757 map_fds[15] = __create_map(BPF_MAP_TYPE_ARRAY, sizeof(int), 758 sizeof(struct test_val), 1, 759 BPF_F_WRONLY_PROG); 760 update_map(map_fds[15], 0); 761 do { 762 prog[*fixup_map_array_wo].imm = map_fds[15]; 763 fixup_map_array_wo++; 764 } while (*fixup_map_array_wo); 765 } 766 if (*fixup_map_array_small) { 767 map_fds[16] = __create_map(BPF_MAP_TYPE_ARRAY, sizeof(int), 768 1, 1, 0); 769 update_map(map_fds[16], 0); 770 do { 771 prog[*fixup_map_array_small].imm = map_fds[16]; 772 fixup_map_array_small++; 773 } while (*fixup_map_array_small); 774 } 775 if (*fixup_sk_storage_map) { 776 map_fds[17] = create_sk_storage_map(); 777 do { 778 prog[*fixup_sk_storage_map].imm = map_fds[17]; 779 fixup_sk_storage_map++; 780 } while (*fixup_sk_storage_map); 781 } 782 } 783 784 static int set_admin(bool admin) 785 { 786 cap_t caps; 787 const cap_value_t cap_val = CAP_SYS_ADMIN; 788 int ret = -1; 789 790 caps = cap_get_proc(); 791 if (!caps) { 792 perror("cap_get_proc"); 793 return -1; 794 } 795 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val, 796 admin ? CAP_SET : CAP_CLEAR)) { 797 perror("cap_set_flag"); 798 goto out; 799 } 800 if (cap_set_proc(caps)) { 801 perror("cap_set_proc"); 802 goto out; 803 } 804 ret = 0; 805 out: 806 if (cap_free(caps)) 807 perror("cap_free"); 808 return ret; 809 } 810 811 static int do_prog_test_run(int fd_prog, bool unpriv, uint32_t expected_val, 812 void *data, size_t size_data) 813 { 814 __u8 tmp[TEST_DATA_LEN << 2]; 815 __u32 size_tmp = sizeof(tmp); 816 uint32_t retval; 817 int err; 818 819 if (unpriv) 820 set_admin(true); 821 err = bpf_prog_test_run(fd_prog, 1, data, size_data, 822 tmp, &size_tmp, &retval, NULL); 823 if (unpriv) 824 set_admin(false); 825 if (err && errno != 524/*ENOTSUPP*/ && errno != EPERM) { 826 printf("Unexpected bpf_prog_test_run error "); 827 return err; 828 } 829 if (!err && retval != expected_val && 830 expected_val != POINTER_VALUE) { 831 printf("FAIL retval %d != %d ", retval, expected_val); 832 return 1; 833 } 834 835 return 0; 836 } 837 838 static void do_test_single(struct bpf_test *test, bool unpriv, 839 int *passes, int *errors) 840 { 841 int fd_prog, expected_ret, alignment_prevented_execution; 842 int prog_len, prog_type = test->prog_type; 843 struct bpf_insn *prog = test->insns; 844 int run_errs, run_successes; 845 int map_fds[MAX_NR_MAPS]; 846 const char *expected_err; 847 int fixup_skips; 848 __u32 pflags; 849 int i, err; 850 851 for (i = 0; i < MAX_NR_MAPS; i++) 852 map_fds[i] = -1; 853 854 if (!prog_type) 855 prog_type = BPF_PROG_TYPE_SOCKET_FILTER; 856 fixup_skips = skips; 857 do_test_fixup(test, prog_type, prog, map_fds); 858 if (test->fill_insns) { 859 prog = test->fill_insns; 860 prog_len = test->prog_len; 861 } else { 862 prog_len = probe_filter_length(prog); 863 } 864 /* If there were some map skips during fixup due to missing bpf 865 * features, skip this test. 866 */ 867 if (fixup_skips != skips) 868 return; 869 870 pflags = 0; 871 if (test->flags & F_LOAD_WITH_STRICT_ALIGNMENT) 872 pflags |= BPF_F_STRICT_ALIGNMENT; 873 if (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) 874 pflags |= BPF_F_ANY_ALIGNMENT; 875 fd_prog = bpf_verify_program(prog_type, prog, prog_len, pflags, 876 "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 4); 877 if (fd_prog < 0 && !bpf_probe_prog_type(prog_type, 0)) { 878 printf("SKIP (unsupported program type %d)\n", prog_type); 879 skips++; 880 goto close_fds; 881 } 882 883 expected_ret = unpriv && test->result_unpriv != UNDEF ? 884 test->result_unpriv : test->result; 885 expected_err = unpriv && test->errstr_unpriv ? 886 test->errstr_unpriv : test->errstr; 887 888 alignment_prevented_execution = 0; 889 890 if (expected_ret == ACCEPT) { 891 if (fd_prog < 0) { 892 printf("FAIL\nFailed to load prog '%s'!\n", 893 strerror(errno)); 894 goto fail_log; 895 } 896 #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 897 if (fd_prog >= 0 && 898 (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS)) 899 alignment_prevented_execution = 1; 900 #endif 901 } else { 902 if (fd_prog >= 0) { 903 printf("FAIL\nUnexpected success to load!\n"); 904 goto fail_log; 905 } 906 if (!strstr(bpf_vlog, expected_err)) { 907 printf("FAIL\nUnexpected error message!\n\tEXP: %s\n\tRES: %s\n", 908 expected_err, bpf_vlog); 909 goto fail_log; 910 } 911 } 912 913 if (test->insn_processed) { 914 uint32_t insn_processed; 915 char *proc; 916 917 proc = strstr(bpf_vlog, "processed "); 918 insn_processed = atoi(proc + 10); 919 if (test->insn_processed != insn_processed) { 920 printf("FAIL\nUnexpected insn_processed %u vs %u\n", 921 insn_processed, test->insn_processed); 922 goto fail_log; 923 } 924 } 925 926 run_errs = 0; 927 run_successes = 0; 928 if (!alignment_prevented_execution && fd_prog >= 0) { 929 uint32_t expected_val; 930 int i; 931 932 if (!test->runs) { 933 expected_val = unpriv && test->retval_unpriv ? 934 test->retval_unpriv : test->retval; 935 936 err = do_prog_test_run(fd_prog, unpriv, expected_val, 937 test->data, sizeof(test->data)); 938 if (err) 939 run_errs++; 940 else 941 run_successes++; 942 } 943 944 for (i = 0; i < test->runs; i++) { 945 if (unpriv && test->retvals[i].retval_unpriv) 946 expected_val = test->retvals[i].retval_unpriv; 947 else 948 expected_val = test->retvals[i].retval; 949 950 err = do_prog_test_run(fd_prog, unpriv, expected_val, 951 test->retvals[i].data, 952 sizeof(test->retvals[i].data)); 953 if (err) { 954 printf("(run %d/%d) ", i + 1, test->runs); 955 run_errs++; 956 } else { 957 run_successes++; 958 } 959 } 960 } 961 962 if (!run_errs) { 963 (*passes)++; 964 if (run_successes > 1) 965 printf("%d cases ", run_successes); 966 printf("OK"); 967 if (alignment_prevented_execution) 968 printf(" (NOTE: not executed due to unknown alignment)"); 969 printf("\n"); 970 } else { 971 printf("\n"); 972 goto fail_log; 973 } 974 close_fds: 975 if (test->fill_insns) 976 free(test->fill_insns); 977 close(fd_prog); 978 for (i = 0; i < MAX_NR_MAPS; i++) 979 close(map_fds[i]); 980 sched_yield(); 981 return; 982 fail_log: 983 (*errors)++; 984 printf("%s", bpf_vlog); 985 goto close_fds; 986 } 987 988 static bool is_admin(void) 989 { 990 cap_t caps; 991 cap_flag_value_t sysadmin = CAP_CLEAR; 992 const cap_value_t cap_val = CAP_SYS_ADMIN; 993 994 #ifdef CAP_IS_SUPPORTED 995 if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) { 996 perror("cap_get_flag"); 997 return false; 998 } 999 #endif 1000 caps = cap_get_proc(); 1001 if (!caps) { 1002 perror("cap_get_proc"); 1003 return false; 1004 } 1005 if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin)) 1006 perror("cap_get_flag"); 1007 if (cap_free(caps)) 1008 perror("cap_free"); 1009 return (sysadmin == CAP_SET); 1010 } 1011 1012 static void get_unpriv_disabled() 1013 { 1014 char buf[2]; 1015 FILE *fd; 1016 1017 fd = fopen("/proc/sys/"UNPRIV_SYSCTL, "r"); 1018 if (!fd) { 1019 perror("fopen /proc/sys/"UNPRIV_SYSCTL); 1020 unpriv_disabled = true; 1021 return; 1022 } 1023 if (fgets(buf, 2, fd) == buf && atoi(buf)) 1024 unpriv_disabled = true; 1025 fclose(fd); 1026 } 1027 1028 static bool test_as_unpriv(struct bpf_test *test) 1029 { 1030 return !test->prog_type || 1031 test->prog_type == BPF_PROG_TYPE_SOCKET_FILTER || 1032 test->prog_type == BPF_PROG_TYPE_CGROUP_SKB; 1033 } 1034 1035 static int do_test(bool unpriv, unsigned int from, unsigned int to) 1036 { 1037 int i, passes = 0, errors = 0; 1038 1039 for (i = from; i < to; i++) { 1040 struct bpf_test *test = &tests[i]; 1041 1042 /* Program types that are not supported by non-root we 1043 * skip right away. 1044 */ 1045 if (test_as_unpriv(test) && unpriv_disabled) { 1046 printf("#%d/u %s SKIP\n", i, test->descr); 1047 skips++; 1048 } else if (test_as_unpriv(test)) { 1049 if (!unpriv) 1050 set_admin(false); 1051 printf("#%d/u %s ", i, test->descr); 1052 do_test_single(test, true, &passes, &errors); 1053 if (!unpriv) 1054 set_admin(true); 1055 } 1056 1057 if (unpriv) { 1058 printf("#%d/p %s SKIP\n", i, test->descr); 1059 skips++; 1060 } else { 1061 printf("#%d/p %s ", i, test->descr); 1062 do_test_single(test, false, &passes, &errors); 1063 } 1064 } 1065 1066 printf("Summary: %d PASSED, %d SKIPPED, %d FAILED\n", passes, 1067 skips, errors); 1068 return errors ? EXIT_FAILURE : EXIT_SUCCESS; 1069 } 1070 1071 int main(int argc, char **argv) 1072 { 1073 unsigned int from = 0, to = ARRAY_SIZE(tests); 1074 bool unpriv = !is_admin(); 1075 1076 if (argc == 3) { 1077 unsigned int l = atoi(argv[argc - 2]); 1078 unsigned int u = atoi(argv[argc - 1]); 1079 1080 if (l < to && u < to) { 1081 from = l; 1082 to = u + 1; 1083 } 1084 } else if (argc == 2) { 1085 unsigned int t = atoi(argv[argc - 1]); 1086 1087 if (t < to) { 1088 from = t; 1089 to = t + 1; 1090 } 1091 } 1092 1093 get_unpriv_disabled(); 1094 if (unpriv && unpriv_disabled) { 1095 printf("Cannot run as unprivileged user with sysctl %s.\n", 1096 UNPRIV_SYSCTL); 1097 return EXIT_FAILURE; 1098 } 1099 1100 bpf_semi_rand_init(); 1101 return do_test(unpriv, from, to); 1102 } 1103