Linux Audio

Check our new training course

Linux kernel drivers training

May 6-19, 2025
Register
Open Menu / tools / testing / selftests / bpf / progs / verifier_iterating_callbacks.c
Loading...
  1// SPDX-License-Identifier: GPL-2.0
  2#include "bpf_misc.h"
  3#include "bpf_experimental.h"
  4
  5struct {
  6	__uint(type, BPF_MAP_TYPE_ARRAY);
  7	__uint(max_entries, 8);
  8	__type(key, __u32);
  9	__type(value, __u64);
 10} map SEC(".maps");
 11
 12struct {
 13	__uint(type, BPF_MAP_TYPE_USER_RINGBUF);
 14	__uint(max_entries, 8);
 15} ringbuf SEC(".maps");
 16
 17struct vm_area_struct;
 18struct bpf_map;
 19
 20struct buf_context {
 21	char *buf;
 22};
 23
 24struct num_context {
 25	__u64 i;
 26	__u64 j;
 27};
 28
 29__u8 choice_arr[2] = { 0, 1 };
 30
 31static int unsafe_on_2nd_iter_cb(__u32 idx, struct buf_context *ctx)
 32{
 33	if (idx == 0) {
 34		ctx->buf = (char *)(0xDEAD);
 35		return 0;
 36	}
 37
 38	if (bpf_probe_read_user(ctx->buf, 8, (void *)(0xBADC0FFEE)))
 39		return 1;
 40
 41	return 0;
 42}
 43
 44SEC("?raw_tp")
 45__failure __msg("R1 type=scalar expected=fp")
 46int unsafe_on_2nd_iter(void *unused)
 47{
 48	char buf[4];
 49	struct buf_context loop_ctx = { .buf = buf };
 50
 51	bpf_loop(100, unsafe_on_2nd_iter_cb, &loop_ctx, 0);
 52	return 0;
 53}
 54
 55static int unsafe_on_zero_iter_cb(__u32 idx, struct num_context *ctx)
 56{
 57	ctx->i = 0;
 58	return 0;
 59}
 60
 61SEC("?raw_tp")
 62__failure __msg("invalid access to map value, value_size=2 off=32 size=1")
 63int unsafe_on_zero_iter(void *unused)
 64{
 65	struct num_context loop_ctx = { .i = 32 };
 66
 67	bpf_loop(100, unsafe_on_zero_iter_cb, &loop_ctx, 0);
 68	return choice_arr[loop_ctx.i];
 69}
 70
 71static int widening_cb(__u32 idx, struct num_context *ctx)
 72{
 73	++ctx->i;
 74	return 0;
 75}
 76
 77SEC("?raw_tp")
 78__success
 79int widening(void *unused)
 80{
 81	struct num_context loop_ctx = { .i = 0, .j = 1 };
 82
 83	bpf_loop(100, widening_cb, &loop_ctx, 0);
 84	/* loop_ctx.j is not changed during callback iteration,
 85	 * verifier should not apply widening to it.
 86	 */
 87	return choice_arr[loop_ctx.j];
 88}
 89
 90static int loop_detection_cb(__u32 idx, struct num_context *ctx)
 91{
 92	for (;;) {}
 93	return 0;
 94}
 95
 96SEC("?raw_tp")
 97__failure __msg("infinite loop detected")
 98int loop_detection(void *unused)
 99{
100	struct num_context loop_ctx = { .i = 0 };
101
102	bpf_loop(100, loop_detection_cb, &loop_ctx, 0);
103	return 0;
104}
105
106static __always_inline __u64 oob_state_machine(struct num_context *ctx)
107{
108	switch (ctx->i) {
109	case 0:
110		ctx->i = 1;
111		break;
112	case 1:
113		ctx->i = 32;
114		break;
115	}
116	return 0;
117}
118
119static __u64 for_each_map_elem_cb(struct bpf_map *map, __u32 *key, __u64 *val, void *data)
120{
121	return oob_state_machine(data);
122}
123
124SEC("?raw_tp")
125__failure __msg("invalid access to map value, value_size=2 off=32 size=1")
126int unsafe_for_each_map_elem(void *unused)
127{
128	struct num_context loop_ctx = { .i = 0 };
129
130	bpf_for_each_map_elem(&map, for_each_map_elem_cb, &loop_ctx, 0);
131	return choice_arr[loop_ctx.i];
132}
133
134static __u64 ringbuf_drain_cb(struct bpf_dynptr *dynptr, void *data)
135{
136	return oob_state_machine(data);
137}
138
139SEC("?raw_tp")
140__failure __msg("invalid access to map value, value_size=2 off=32 size=1")
141int unsafe_ringbuf_drain(void *unused)
142{
143	struct num_context loop_ctx = { .i = 0 };
144
145	bpf_user_ringbuf_drain(&ringbuf, ringbuf_drain_cb, &loop_ctx, 0);
146	return choice_arr[loop_ctx.i];
147}
148
149static __u64 find_vma_cb(struct task_struct *task, struct vm_area_struct *vma, void *data)
150{
151	return oob_state_machine(data);
152}
153
154SEC("?raw_tp")
155__failure __msg("invalid access to map value, value_size=2 off=32 size=1")
156int unsafe_find_vma(void *unused)
157{
158	struct task_struct *task = bpf_get_current_task_btf();
159	struct num_context loop_ctx = { .i = 0 };
160
161	bpf_find_vma(task, 0, find_vma_cb, &loop_ctx, 0);
162	return choice_arr[loop_ctx.i];
163}
164
165static int iter_limit_cb(__u32 idx, struct num_context *ctx)
166{
167	ctx->i++;
168	return 0;
169}
170
171SEC("?raw_tp")
172__success
173int bpf_loop_iter_limit_ok(void *unused)
174{
175	struct num_context ctx = { .i = 0 };
176
177	bpf_loop(1, iter_limit_cb, &ctx, 0);
178	return choice_arr[ctx.i];
179}
180
181SEC("?raw_tp")
182__failure __msg("invalid access to map value, value_size=2 off=2 size=1")
183int bpf_loop_iter_limit_overflow(void *unused)
184{
185	struct num_context ctx = { .i = 0 };
186
187	bpf_loop(2, iter_limit_cb, &ctx, 0);
188	return choice_arr[ctx.i];
189}
190
191static int iter_limit_level2a_cb(__u32 idx, struct num_context *ctx)
192{
193	ctx->i += 100;
194	return 0;
195}
196
197static int iter_limit_level2b_cb(__u32 idx, struct num_context *ctx)
198{
199	ctx->i += 10;
200	return 0;
201}
202
203static int iter_limit_level1_cb(__u32 idx, struct num_context *ctx)
204{
205	ctx->i += 1;
206	bpf_loop(1, iter_limit_level2a_cb, ctx, 0);
207	bpf_loop(1, iter_limit_level2b_cb, ctx, 0);
208	return 0;
209}
210
211/* Check that path visiting every callback function once had been
212 * reached by verifier. Variables 'ctx{1,2}i' below serve as flags,
213 * with each decimal digit corresponding to a callback visit marker.
214 */
215SEC("socket")
216__success __retval(111111)
217int bpf_loop_iter_limit_nested(void *unused)
218{
219	struct num_context ctx1 = { .i = 0 };
220	struct num_context ctx2 = { .i = 0 };
221	__u64 a, b, c;
222
223	bpf_loop(1, iter_limit_level1_cb, &ctx1, 0);
224	bpf_loop(1, iter_limit_level1_cb, &ctx2, 0);
225	a = ctx1.i;
226	b = ctx2.i;
227	/* Force 'ctx1.i' and 'ctx2.i' precise. */
228	c = choice_arr[(a + b) % 2];
229	/* This makes 'c' zero, but neither clang nor verifier know it. */
230	c /= 10;
231	/* Make sure that verifier does not visit 'impossible' states:
232	 * enumerate all possible callback visit masks.
233	 */
234	if (a != 0 && a != 1 && a != 11 && a != 101 && a != 111 &&
235	    b != 0 && b != 1 && b != 11 && b != 101 && b != 111)
236		asm volatile ("r0 /= 0;" ::: "r0");
237	return 1000 * a + b + c;
238}
239
240struct iter_limit_bug_ctx {
241	__u64 a;
242	__u64 b;
243	__u64 c;
244};
245
246static __naked void iter_limit_bug_cb(void)
247{
248	/* This is the same as C code below, but written
249	 * in assembly to control which branches are fall-through.
250	 *
251	 *   switch (bpf_get_prandom_u32()) {
252	 *   case 1:  ctx->a = 42; break;
253	 *   case 2:  ctx->b = 42; break;
254	 *   default: ctx->c = 42; break;
255	 *   }
256	 */
257	asm volatile (
258	"r9 = r2;"
259	"call %[bpf_get_prandom_u32];"
260	"r1 = r0;"
261	"r2 = 42;"
262	"r0 = 0;"
263	"if r1 == 0x1 goto 1f;"
264	"if r1 == 0x2 goto 2f;"
265	"*(u64 *)(r9 + 16) = r2;"
266	"exit;"
267	"1: *(u64 *)(r9 + 0) = r2;"
268	"exit;"
269	"2: *(u64 *)(r9 + 8) = r2;"
270	"exit;"
271	:
272	: __imm(bpf_get_prandom_u32)
273	: __clobber_all
274	);
275}
276
277SEC("tc")
278__failure
279__flag(BPF_F_TEST_STATE_FREQ)
280int iter_limit_bug(struct __sk_buff *skb)
281{
282	struct iter_limit_bug_ctx ctx = { 7, 7, 7 };
283
284	bpf_loop(2, iter_limit_bug_cb, &ctx, 0);
285
286	/* This is the same as C code below,
287	 * written in assembly to guarantee checks order.
288	 *
289	 *   if (ctx.a == 42 && ctx.b == 42 && ctx.c == 7)
290	 *     asm volatile("r1 /= 0;":::"r1");
291	 */
292	asm volatile (
293	"r1 = *(u64 *)%[ctx_a];"
294	"if r1 != 42 goto 1f;"
295	"r1 = *(u64 *)%[ctx_b];"
296	"if r1 != 42 goto 1f;"
297	"r1 = *(u64 *)%[ctx_c];"
298	"if r1 != 7 goto 1f;"
299	"r1 /= 0;"
300	"1:"
301	:
302	: [ctx_a]"m"(ctx.a),
303	  [ctx_b]"m"(ctx.b),
304	  [ctx_c]"m"(ctx.c)
305	: "r1"
306	);
307	return 0;
308}
309
310#define ARR_SZ 1000000
311int zero;
312char arr[ARR_SZ];
313
314SEC("socket")
315__success __retval(0xd495cdc0)
316int cond_break1(const void *ctx)
317{
318	unsigned long i;
319	unsigned int sum = 0;
320
321	for (i = zero; i < ARR_SZ; cond_break, i++)
322		sum += i;
323	for (i = zero; i < ARR_SZ; i++) {
324		barrier_var(i);
325		sum += i + arr[i];
326		cond_break;
327	}
328
329	return sum;
330}
331
332SEC("socket")
333__success __retval(999000000)
334int cond_break2(const void *ctx)
335{
336	int i, j;
337	int sum = 0;
338
339	for (i = zero; i < 1000; cond_break, i++)
340		for (j = zero; j < 1000; j++) {
341			sum += i + j;
342			cond_break;
343		}
344
345	return sum;
346}
347
348static __noinline int loop(void)
349{
350	int i, sum = 0;
351
352	for (i = zero; i <= 1000000; i++, cond_break)
353		sum += i;
354
355	return sum;
356}
357
358SEC("socket")
359__success __retval(0x6a5a2920)
360int cond_break3(const void *ctx)
361{
362	return loop();
363}
364
365SEC("socket")
366__success __retval(1)
367int cond_break4(const void *ctx)
368{
369	int cnt = zero;
370
371	for (;;) {
372		/* should eventually break out of the loop */
373		cond_break;
374		cnt++;
375	}
376	/* if we looped a bit, it's a success */
377	return cnt > 1 ? 1 : 0;
378}
379
380static __noinline int static_subprog(void)
381{
382	int cnt = zero;
383
384	for (;;) {
385		cond_break;
386		cnt++;
387	}
388
389	return cnt;
390}
391
392SEC("socket")
393__success __retval(1)
394int cond_break5(const void *ctx)
395{
396	int cnt1 = zero, cnt2;
397
398	for (;;) {
399		cond_break;
400		cnt1++;
401	}
402
403	cnt2 = static_subprog();
404
405	/* main and subprog have to loop a bit */
406	return cnt1 > 1 && cnt2 > 1 ? 1 : 0;
407}
408
409char _license[] SEC("license") = "GPL";

1