Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

selftests/bpf: validate async callback return value check correctness

Adjust timer/timer_ret_1 test to validate more carefully verifier logic
of enforcing async callback return value. This test will pass only if
return result is marked precise and read.

Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/r/20231202175705.885270-10-andrii@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

authored by

Andrii Nakryiko and committed by
Alexei Starovoitov
e02dea15 eabe518d

+28 -8
+28 -8
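--- a/tools/testing/selftests/bpf/progs/timer_failure.c
+++ b/tools/testing/selftests/bpf/progs/timer_failure.c
@@ -21,17 +21,37 @@
 	__type(value, struct elem);
 } timer_map SEC(".maps");
 
-static int timer_cb_ret1(void *map, int *key, struct bpf_timer *timer)
+__naked __noinline __used
+static unsigned long timer_cb_ret_bad()
 {
-	if (bpf_get_smp_processor_id() % 2)
-		return 1;
-	else
-		return 0;
+	asm volatile (
+		"call %[bpf_get_prandom_u32];"
+		"if r0 s> 1000 goto 1f;"
+		"r0 = 0;"
+	"1:"
+		"goto +0;" /* checkpoint */
+		/* async callback is expected to return 0, so branch above
+		 * skipping r0 = 0; should lead to a failure, but if exit
+		 * instruction doesn't enforce r0's precision, this callback
+		 * will be successfully verified
+		 */
+		"exit;"
+		:
+		: __imm(bpf_get_prandom_u32)
+		: __clobber_common
+	);
 }
 
 SEC("fentry/bpf_fentry_test1")
-__failure __msg("should have been in [0, 0]")
-int BPF_PROG2(test_ret_1, int, a)
+__log_level(2)
+__flag(BPF_F_TEST_STATE_FREQ)
+__failure
+/* check that fallthrough code path marks r0 as precise */
+__msg("mark_precise: frame0: regs=r0 stack= before 22: (b7) r0 = 0")
+/* check that branch code path marks r0 as precise */
+__msg("mark_precise: frame0: regs=r0 stack= before 24: (85) call bpf_get_prandom_u32#7")
+__msg("should have been in [0, 0]")
+long BPF_PROG2(test_bad_ret, int, a)
 {
 	int key = 0;
 	struct bpf_timer *timer;
@@ -39,7 +59,7 @@
 	timer = bpf_map_lookup_elem(&timer_map, &key);
 	if (timer) {
 		bpf_timer_init(timer, &timer_map, CLOCK_BOOTTIME);
-		bpf_timer_set_callback(timer, timer_cb_ret1);
+		bpf_timer_set_callback(timer, timer_cb_ret_bad);
 		bpf_timer_start(timer, 1000, 0);
 	}
 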
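Review bot: The two `mark_precise` expectations on `test_bad_ret` pin absolute instruction indices (`before 22:`, `before 24:`) and the helper id suffix `#7`, so a change in the generated code of the program or of `timer_cb_ret_bad` will presumably break the match even though the verifier's return-value enforcement has not regressed. Because the test is `__failure`, that drift would surface as a spurious test failure rather than a silently accepted callback, but the dependency deserves a comment next to the annotations, for example `/* insn indices below depend on the compiled layout of test_bad_ret and timer_cb_ret_bad; re-check against the log_level 2 output if either changes */`. The terse `/* checkpoint */` after `"goto +0;"` could likewise say why it matters, e.g. `/* checkpoint: with BPF_F_TEST_STATE_FREQ the verifier saves a state here, so the r0 = 0 path and the skipped path are compared for pruning before exit */`. The body of `test_bad_ret` ends outside this section.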