Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

selftests/bpf: Test with a very short loop

The test added is a simplified reproducer from syzbot report [1].
If verifier does not insert checkpoint somewhere inside the loop,
verification of the program would take a very long time.

This would happen because mark_chain_precision() for register r7 would
constantly trace jump history of the loop back, processing many
iterations for each mark_chain_precision() call.

[1] https://lore.kernel.org/bpf/670429f6.050a0220.49194.0517.GAE@google.com/

Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20241029172641.1042523-2-eddyz87@gmail.com

authored by Eduard Zingerman and committed by Andrii Nakryiko
1fb31589 aa30eb32

+24
+23
tools/testing/selftests/bpf/progs/verifier_search_pruning.c
··· 2 2 /* Converted from tools/testing/selftests/bpf/verifier/search_pruning.c */ 3 3 4 4 #include <linux/bpf.h> 5 + #include <../../../include/linux/filter.h> 5 6 #include <bpf/bpf_helpers.h> 6 7 #include "bpf_misc.h" 7 8 ··· 334 333 exit; \ 335 334 " : 336 335 : __imm(bpf_ktime_get_ns) 336 + : __clobber_all); 337 + } 338 + 339 + /* Without checkpoint forcibly inserted at the back-edge a loop this 340 + * test would take a very long time to verify. 341 + */ 342 + SEC("kprobe") 343 + __failure __log_level(4) 344 + __msg("BPF program is too large.") 345 + __naked void short_loop1(void) 346 + { 347 + asm volatile ( 348 + " r7 = *(u16 *)(r1 +0);" 349 + "1: r7 += 0x1ab064b9;" 350 + " .8byte %[jset];" /* same as 'if r7 & 0x702000 goto 1b;' */ 351 + " r7 &= 0x1ee60e;" 352 + " r7 += r1;" 353 + " if r7 s> 0x37d2 goto +0;" 354 + " r0 = 0;" 355 + " exit;" 356 + : 357 + : __imm_insn(jset, BPF_JMP_IMM(BPF_JSET, BPF_REG_7, 0x702000, -2)) 337 358 : __clobber_all); 338 359 } 339 360
+1
tools/testing/selftests/bpf/veristat.cfg
··· 15 15 test_verif_scale* 16 16 test_xdp_noinline* 17 17 xdp_synproxy* 18 + verifier_search_pruning*
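
Review bot: In the first hunk of verifier_search_pruning.c, the added '#include <../../../include/linux/filter.h>' uses a relative path inside angle brackets, so it only resolves if one of the compiler's include directories sits at the right depth relative to include/linux/filter.h. A one-line comment saying the header is pulled in for BPF_JMP_IMM, which the new test passes to __imm_insn(), would make the dependency and the reason for the unusual path clear to the next reader.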
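
Review bot: The comment above short_loop1 does not say why the test is marked __failure with __msg("BPF program is too large."), and it reads "at the back-edge a loop" where "of a loop" is meant. As far as these lines show, the only assertion is that message, so a regression in checkpoint insertion would show up as a long verification time rather than a failed match; the comment should say that the expected outcome is rejection at the verifier's complexity limit and that run time is the thing being guarded. A word on the deliberate 'goto +0' no-op jump and on why the jset is emitted through .8byte instead of assembler syntax would also help anyone who later edits the reproducer.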
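
Review bot: In veristat.cfg, 'verifier_search_pruning*' is appended after 'xdp_synproxy*', while the visible neighbours (test_verif_scale*, test_xdp_noinline*, xdp_synproxy*) are in alphabetical order; if the file is meant to stay sorted, the new entry belongs before 'xdp_synproxy*'. The commit message also does not mention this file, so a sentence on why the whole verifier_search_pruning object is added to the veristat set would be welcome.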