xref: /linux/tools/testing/selftests/bpf/progs/verifier_scalar_ids.c (revision cdd30ebb1b9f36159d66f088b61aee264e649d7a)
1 // SPDX-License-Identifier: GPL-2.0
2 
3 #include <linux/bpf.h>
4 #include <bpf/bpf_helpers.h>
5 #include "bpf_misc.h"
6 
7 /* Check that precision marks propagate through scalar IDs.
8  * Registers r{0,1,2} have the same scalar ID.
9  * Range information is propagated for scalars sharing same ID.
10  * Check that precision mark for r0 causes precision marks for r{1,2}
11  * when range information is propagated for 'if <reg> <op> <const>' insn.
12  */
13 SEC("socket")
14 __success __log_level(2)
15 /* first 'if' branch */
16 __msg("6: (0f) r3 += r0")
17 __msg("frame0: regs=r0 stack= before 4: (25) if r1 > 0x7 goto pc+0")
18 __msg("frame0: parent state regs=r0,r1,r2 stack=:")
19 __msg("frame0: regs=r0,r1,r2 stack= before 3: (bf) r2 = r0")
20 /* second 'if' branch */
21 __msg("from 4 to 5: ")
22 __msg("6: (0f) r3 += r0")
23 __msg("frame0: regs=r0 stack= before 5: (bf) r3 = r10")
24 __msg("frame0: regs=r0 stack= before 4: (25) if r1 > 0x7 goto pc+0")
25 /* parent state already has r{0,1,2} as precise */
26 __msg("frame0: parent state regs= stack=:")
27 __flag(BPF_F_TEST_STATE_FREQ)
28 __naked void linked_regs_bpf_k(void)
29 {
30 	asm volatile (
31 	/* r0 = random number up to 0xff */
32 	"call %[bpf_ktime_get_ns];"
33 	"r0 &= 0xff;"
34 	/* tie r0.id == r1.id == r2.id */
35 	"r1 = r0;"
36 	"r2 = r0;"
37 	"if r1 > 7 goto +0;"
38 	/* force r0 to be precise, this eventually marks r1 and r2 as
39 	 * precise as well because of shared IDs
40 	 */
41 	"r3 = r10;"
42 	"r3 += r0;"
43 	"r0 = 0;"
44 	"exit;"
45 	:
46 	: __imm(bpf_ktime_get_ns)
47 	: __clobber_all);
48 }
49 
50 /* Registers r{0,1,2} share same ID when 'if r1 > ...' insn is processed,
51  * check that verifier marks r{1,2} as precise while backtracking
52  * 'if r1 > ...' with r0 already marked.
53  */
54 SEC("socket")
55 __success __log_level(2)
56 __flag(BPF_F_TEST_STATE_FREQ)
57 __msg("frame0: regs=r0 stack= before 5: (2d) if r1 > r3 goto pc+0")
58 __msg("frame0: parent state regs=r0,r1,r2,r3 stack=:")
59 __msg("frame0: regs=r0,r1,r2,r3 stack= before 4: (b7) r3 = 7")
60 __naked void linked_regs_bpf_x_src(void)
61 {
62 	asm volatile (
63 	/* r0 = random number up to 0xff */
64 	"call %[bpf_ktime_get_ns];"
65 	"r0 &= 0xff;"
66 	/* tie r0.id == r1.id == r2.id */
67 	"r1 = r0;"
68 	"r2 = r0;"
69 	"r3 = 7;"
70 	"if r1 > r3 goto +0;"
71 	/* force r0 to be precise, this eventually marks r1 and r2 as
72 	 * precise as well because of shared IDs
73 	 */
74 	"r4 = r10;"
75 	"r4 += r0;"
76 	"r0 = 0;"
77 	"exit;"
78 	:
79 	: __imm(bpf_ktime_get_ns)
80 	: __clobber_all);
81 }
82 
83 /* Registers r{0,1,2} share same ID when 'if r1 > r3' insn is processed,
84  * check that verifier marks r{0,1,2} as precise while backtracking
85  * 'if r1 > r3' with r3 already marked.
86  */
87 SEC("socket")
88 __success __log_level(2)
89 __flag(BPF_F_TEST_STATE_FREQ)
90 __msg("frame0: regs=r3 stack= before 5: (2d) if r1 > r3 goto pc+0")
91 __msg("frame0: parent state regs=r0,r1,r2,r3 stack=:")
92 __msg("frame0: regs=r0,r1,r2,r3 stack= before 4: (b7) r3 = 7")
93 __naked void linked_regs_bpf_x_dst(void)
94 {
95 	asm volatile (
96 	/* r0 = random number up to 0xff */
97 	"call %[bpf_ktime_get_ns];"
98 	"r0 &= 0xff;"
99 	/* tie r0.id == r1.id == r2.id */
100 	"r1 = r0;"
101 	"r2 = r0;"
102 	"r3 = 7;"
103 	"if r1 > r3 goto +0;"
104 	/* force r0 to be precise, this eventually marks r1 and r2 as
105 	 * precise as well because of shared IDs
106 	 */
107 	"r4 = r10;"
108 	"r4 += r3;"
109 	"r0 = 0;"
110 	"exit;"
111 	:
112 	: __imm(bpf_ktime_get_ns)
113 	: __clobber_all);
114 }
115 
116 /* Same as linked_regs_bpf_k, but break one of the
117  * links, note that r1 is absent from regs=... in __msg below.
118  */
119 SEC("socket")
120 __success __log_level(2)
121 __msg("7: (0f) r3 += r0")
122 __msg("frame0: regs=r0 stack= before 6: (bf) r3 = r10")
123 __msg("frame0: parent state regs=r0 stack=:")
124 __msg("frame0: regs=r0 stack= before 5: (25) if r0 > 0x7 goto pc+0")
125 __msg("frame0: parent state regs=r0,r2 stack=:")
126 __flag(BPF_F_TEST_STATE_FREQ)
127 __naked void linked_regs_broken_link(void)
128 {
129 	asm volatile (
130 	/* r0 = random number up to 0xff */
131 	"call %[bpf_ktime_get_ns];"
132 	"r0 &= 0xff;"
133 	/* tie r0.id == r1.id == r2.id */
134 	"r1 = r0;"
135 	"r2 = r0;"
136 	/* break link for r1, this is the only line that differs
137 	 * compared to the previous test
138 	 */
139 	"r1 = 0;"
140 	"if r0 > 7 goto +0;"
141 	/* force r0 to be precise,
142 	 * this eventually marks r2 as precise because of shared IDs
143 	 */
144 	"r3 = r10;"
145 	"r3 += r0;"
146 	"r0 = 0;"
147 	"exit;"
148 	:
149 	: __imm(bpf_ktime_get_ns)
150 	: __clobber_all);
151 }
152 
153 /* Check that precision marks propagate through scalar IDs.
154  * Use the same scalar ID in multiple stack frames, check that
155  * precision information is propagated up the call stack.
156  */
157 SEC("socket")
158 __success __log_level(2)
159 __msg("12: (0f) r2 += r1")
160 /* Current state */
161 __msg("frame2: last_idx 12 first_idx 11 subseq_idx -1 ")
162 __msg("frame2: regs=r1 stack= before 11: (bf) r2 = r10")
163 __msg("frame2: parent state regs=r1 stack=")
164 __msg("frame1: parent state regs= stack=")
165 __msg("frame0: parent state regs= stack=")
166 /* Parent state */
167 __msg("frame2: last_idx 10 first_idx 10 subseq_idx 11 ")
168 __msg("frame2: regs=r1 stack= before 10: (25) if r1 > 0x7 goto pc+0")
169 __msg("frame2: parent state regs=r1 stack=")
170 /* frame1.r{6,7} are marked because mark_precise_scalar_ids()
171  * looks for all registers with frame2.r1.id in the current state
172  */
173 __msg("frame1: parent state regs=r6,r7 stack=")
174 __msg("frame0: parent state regs=r6 stack=")
175 /* Parent state */
176 __msg("frame2: last_idx 8 first_idx 8 subseq_idx 10")
177 __msg("frame2: regs=r1 stack= before 8: (85) call pc+1")
178 /* frame1.r1 is marked because of backtracking of call instruction */
179 __msg("frame1: parent state regs=r1,r6,r7 stack=")
180 __msg("frame0: parent state regs=r6 stack=")
181 /* Parent state */
182 __msg("frame1: last_idx 7 first_idx 6 subseq_idx 8")
183 __msg("frame1: regs=r1,r6,r7 stack= before 7: (bf) r7 = r1")
184 __msg("frame1: regs=r1,r6 stack= before 6: (bf) r6 = r1")
185 __msg("frame1: parent state regs=r1 stack=")
186 __msg("frame0: parent state regs=r6 stack=")
187 /* Parent state */
188 __msg("frame1: last_idx 4 first_idx 4 subseq_idx 6")
189 __msg("frame1: regs=r1 stack= before 4: (85) call pc+1")
190 __msg("frame0: parent state regs=r1,r6 stack=")
191 /* Parent state */
192 __msg("frame0: last_idx 3 first_idx 1 subseq_idx 4")
193 __msg("frame0: regs=r1,r6 stack= before 3: (bf) r6 = r0")
194 __msg("frame0: regs=r0,r1 stack= before 2: (bf) r1 = r0")
195 __msg("frame0: regs=r0 stack= before 1: (57) r0 &= 255")
196 __flag(BPF_F_TEST_STATE_FREQ)
197 __naked void precision_many_frames(void)
198 {
199 	asm volatile (
200 	/* r0 = random number up to 0xff */
201 	"call %[bpf_ktime_get_ns];"
202 	"r0 &= 0xff;"
203 	/* tie r0.id == r1.id == r6.id */
204 	"r1 = r0;"
205 	"r6 = r0;"
206 	"call precision_many_frames__foo;"
207 	"exit;"
208 	:
209 	: __imm(bpf_ktime_get_ns)
210 	: __clobber_all);
211 }
212 
213 static __naked __noinline __used
214 void precision_many_frames__foo(void)
215 {
216 	asm volatile (
217 	/* conflate one of the register numbers (r6) with outer frame,
218 	 * to verify that those are tracked independently
219 	 */
220 	"r6 = r1;"
221 	"r7 = r1;"
222 	"call precision_many_frames__bar;"
223 	"exit"
224 	::: __clobber_all);
225 }
226 
227 static __naked __noinline __used
228 void precision_many_frames__bar(void)
229 {
230 	asm volatile (
231 	"if r1 > 7 goto +0;"
232 	/* force r1 to be precise, this eventually marks:
233 	 * - bar frame r1
234 	 * - foo frame r{1,6,7}
235 	 * - main frame r{1,6}
236 	 */
237 	"r2 = r10;"
238 	"r2 += r1;"
239 	"r0 = 0;"
240 	"exit;"
241 	::: __clobber_all);
242 }
243 
244 /* Check that scalars with the same IDs are marked precise on stack as
245  * well as in registers.
246  */
247 SEC("socket")
248 __success __log_level(2)
249 __msg("11: (0f) r2 += r1")
250 /* foo frame */
251 __msg("frame1: regs=r1 stack= before 10: (bf) r2 = r10")
252 __msg("frame1: regs=r1 stack= before 9: (25) if r1 > 0x7 goto pc+0")
253 __msg("frame1: regs=r1 stack=-8,-16 before 8: (7b) *(u64 *)(r10 -16) = r1")
254 __msg("frame1: regs=r1 stack=-8 before 7: (7b) *(u64 *)(r10 -8) = r1")
255 __msg("frame1: regs=r1 stack= before 4: (85) call pc+2")
256 /* main frame */
257 __msg("frame0: regs=r1 stack=-8 before 3: (7b) *(u64 *)(r10 -8) = r1")
258 __msg("frame0: regs=r1 stack= before 2: (bf) r1 = r0")
259 __msg("frame0: regs=r0 stack= before 1: (57) r0 &= 255")
260 __flag(BPF_F_TEST_STATE_FREQ)
261 __naked void precision_stack(void)
262 {
263 	asm volatile (
264 	/* r0 = random number up to 0xff */
265 	"call %[bpf_ktime_get_ns];"
266 	"r0 &= 0xff;"
267 	/* tie r0.id == r1.id == fp[-8].id */
268 	"r1 = r0;"
269 	"*(u64*)(r10 - 8) = r1;"
270 	"call precision_stack__foo;"
271 	"r0 = 0;"
272 	"exit;"
273 	:
274 	: __imm(bpf_ktime_get_ns)
275 	: __clobber_all);
276 }
277 
278 static __naked __noinline __used
279 void precision_stack__foo(void)
280 {
281 	asm volatile (
282 	/* conflate one of the register numbers (r6) with outer frame,
283 	 * to verify that those are tracked independently
284 	 */
285 	"*(u64*)(r10 - 8) = r1;"
286 	"*(u64*)(r10 - 16) = r1;"
287 	"if r1 > 7 goto +0;"
288 	/* force r1 to be precise, this eventually marks:
289 	 * - foo frame r1,fp{-8,-16}
290 	 * - main frame r1,fp{-8}
291 	 */
292 	"r2 = r10;"
293 	"r2 += r1;"
294 	"exit"
295 	::: __clobber_all);
296 }
297 
298 /* Use two separate scalar IDs to check that these are propagated
299  * independently.
300  */
301 SEC("socket")
302 __success __log_level(2)
303 /* r{6,7} */
304 __msg("12: (0f) r3 += r7")
305 __msg("frame0: regs=r7 stack= before 11: (bf) r3 = r10")
306 __msg("frame0: regs=r7 stack= before 9: (25) if r7 > 0x7 goto pc+0")
307 /* ... skip some insns ... */
308 __msg("frame0: regs=r6,r7 stack= before 3: (bf) r7 = r0")
309 __msg("frame0: regs=r0,r6 stack= before 2: (bf) r6 = r0")
310 /* r{8,9} */
311 __msg("13: (0f) r3 += r9")
312 __msg("frame0: regs=r9 stack= before 12: (0f) r3 += r7")
313 /* ... skip some insns ... */
314 __msg("frame0: regs=r9 stack= before 10: (25) if r9 > 0x7 goto pc+0")
315 __msg("frame0: regs=r8,r9 stack= before 7: (bf) r9 = r0")
316 __msg("frame0: regs=r0,r8 stack= before 6: (bf) r8 = r0")
317 __flag(BPF_F_TEST_STATE_FREQ)
318 __naked void precision_two_ids(void)
319 {
320 	asm volatile (
321 	/* r6 = random number up to 0xff
322 	 * r6.id == r7.id
323 	 */
324 	"call %[bpf_ktime_get_ns];"
325 	"r0 &= 0xff;"
326 	"r6 = r0;"
327 	"r7 = r0;"
328 	/* same, but for r{8,9} */
329 	"call %[bpf_ktime_get_ns];"
330 	"r0 &= 0xff;"
331 	"r8 = r0;"
332 	"r9 = r0;"
333 	/* clear r0 id */
334 	"r0 = 0;"
335 	/* propagate equal scalars precision */
336 	"if r7 > 7 goto +0;"
337 	"if r9 > 7 goto +0;"
338 	"r3 = r10;"
339 	/* force r7 to be precise, this also marks r6 */
340 	"r3 += r7;"
341 	/* force r9 to be precise, this also marks r8 */
342 	"r3 += r9;"
343 	"exit;"
344 	:
345 	: __imm(bpf_ktime_get_ns)
346 	: __clobber_all);
347 }
348 
349 SEC("socket")
350 __success __log_level(2)
351 __flag(BPF_F_TEST_STATE_FREQ)
352 /* check thar r0 and r6 have different IDs after 'if',
353  * collect_linked_regs() can't tie more than 6 registers for a single insn.
354  */
355 __msg("8: (25) if r0 > 0x7 goto pc+0         ; R0=scalar(id=1")
356 __msg("9: (bf) r6 = r6                       ; R6_w=scalar(id=2")
357 /* check that r{0-5} are marked precise after 'if' */
358 __msg("frame0: regs=r0 stack= before 8: (25) if r0 > 0x7 goto pc+0")
359 __msg("frame0: parent state regs=r0,r1,r2,r3,r4,r5 stack=:")
360 __naked void linked_regs_too_many_regs(void)
361 {
362 	asm volatile (
363 	/* r0 = random number up to 0xff */
364 	"call %[bpf_ktime_get_ns];"
365 	"r0 &= 0xff;"
366 	/* tie r{0-6} IDs */
367 	"r1 = r0;"
368 	"r2 = r0;"
369 	"r3 = r0;"
370 	"r4 = r0;"
371 	"r5 = r0;"
372 	"r6 = r0;"
373 	/* propagate range for r{0-6} */
374 	"if r0 > 7 goto +0;"
375 	/* make r6 appear in the log */
376 	"r6 = r6;"
377 	/* force r0 to be precise,
378 	 * this would cause r{0-4} to be precise because of shared IDs
379 	 */
380 	"r7 = r10;"
381 	"r7 += r0;"
382 	"r0 = 0;"
383 	"exit;"
384 	:
385 	: __imm(bpf_ktime_get_ns)
386 	: __clobber_all);
387 }
388 
389 SEC("socket")
390 __failure __log_level(2)
391 __flag(BPF_F_TEST_STATE_FREQ)
392 __msg("regs=r7 stack= before 5: (3d) if r8 >= r0")
393 __msg("parent state regs=r0,r7,r8")
394 __msg("regs=r0,r7,r8 stack= before 4: (25) if r0 > 0x1")
395 __msg("div by zero")
396 __naked void linked_regs_broken_link_2(void)
397 {
398 	asm volatile (
399 	"call %[bpf_get_prandom_u32];"
400 	"r7 = r0;"
401 	"r8 = r0;"
402 	"call %[bpf_get_prandom_u32];"
403 	"if r0 > 1 goto +0;"
404 	/* r7.id == r8.id,
405 	 * thus r7 precision implies r8 precision,
406 	 * which implies r0 precision because of the conditional below.
407 	 */
408 	"if r8 >= r0 goto 1f;"
409 	/* break id relation between r7 and r8 */
410 	"r8 += r8;"
411 	/* make r7 precise */
412 	"if r7 == 0 goto 1f;"
413 	"r0 /= 0;"
414 "1:"
415 	"r0 = 42;"
416 	"exit;"
417 	:
418 	: __imm(bpf_get_prandom_u32)
419 	: __clobber_all);
420 }
421 
422 /* Check that mark_chain_precision() for one of the conditional jump
423  * operands does not trigger equal scalars precision propagation.
424  */
425 SEC("socket")
426 __success __log_level(2)
427 __msg("3: (25) if r1 > 0x100 goto pc+0")
428 __msg("frame0: regs=r1 stack= before 2: (bf) r1 = r0")
429 __naked void cjmp_no_linked_regs_trigger(void)
430 {
431 	asm volatile (
432 	/* r0 = random number up to 0xff */
433 	"call %[bpf_ktime_get_ns];"
434 	"r0 &= 0xff;"
435 	/* tie r0.id == r1.id */
436 	"r1 = r0;"
437 	/* the jump below would be predicted, thus r1 would be marked precise,
438 	 * this should not imply precision mark for r0
439 	 */
440 	"if r1 > 256 goto +0;"
441 	"r0 = 0;"
442 	"exit;"
443 	:
444 	: __imm(bpf_ktime_get_ns)
445 	: __clobber_all);
446 }
447 
448 /* Verify that check_ids() is used by regsafe() for scalars.
449  *
450  * r9 = ... some pointer with range X ...
451  * r6 = ... unbound scalar ID=a ...
452  * r7 = ... unbound scalar ID=b ...
453  * if (r6 > r7) goto +1
454  * r7 = r6
455  * if (r7 > X) goto exit
456  * r9 += r6
457  * ... access memory using r9 ...
458  *
459  * The memory access is safe only if r7 is bounded,
460  * which is true for one branch and not true for another.
461  */
462 SEC("socket")
463 __failure __msg("register with unbounded min value")
464 __flag(BPF_F_TEST_STATE_FREQ)
465 __naked void check_ids_in_regsafe(void)
466 {
467 	asm volatile (
468 	/* Bump allocated stack */
469 	"r1 = 0;"
470 	"*(u64*)(r10 - 8) = r1;"
471 	/* r9 = pointer to stack */
472 	"r9 = r10;"
473 	"r9 += -8;"
474 	/* r7 = ktime_get_ns() */
475 	"call %[bpf_ktime_get_ns];"
476 	"r7 = r0;"
477 	/* r6 = ktime_get_ns() */
478 	"call %[bpf_ktime_get_ns];"
479 	"r6 = r0;"
480 	/* if r6 > r7 is an unpredictable jump */
481 	"if r6 > r7 goto l1_%=;"
482 	"r7 = r6;"
483 "l1_%=:"
484 	/* if r7 > 4 ...; transfers range to r6 on one execution path
485 	 * but does not transfer on another
486 	 */
487 	"if r7 > 4 goto l2_%=;"
488 	/* Access memory at r9[r6], r6 is not always bounded */
489 	"r9 += r6;"
490 	"r0 = *(u8*)(r9 + 0);"
491 "l2_%=:"
492 	"r0 = 0;"
493 	"exit;"
494 	:
495 	: __imm(bpf_ktime_get_ns)
496 	: __clobber_all);
497 }
498 
499 /* Similar to check_ids_in_regsafe.
500  * The l0 could be reached in two states:
501  *
502  *   (1) r6{.id=A}, r7{.id=A}, r8{.id=B}
503  *   (2) r6{.id=B}, r7{.id=A}, r8{.id=B}
504  *
505  * Where (2) is not safe, as "r7 > 4" check won't propagate range for it.
506  * This example would be considered safe without changes to
507  * mark_chain_precision() to track scalar values with equal IDs.
508  */
509 SEC("socket")
510 __failure __msg("register with unbounded min value")
511 __flag(BPF_F_TEST_STATE_FREQ)
512 __naked void check_ids_in_regsafe_2(void)
513 {
514 	asm volatile (
515 	/* Bump allocated stack */
516 	"r1 = 0;"
517 	"*(u64*)(r10 - 8) = r1;"
518 	/* r9 = pointer to stack */
519 	"r9 = r10;"
520 	"r9 += -8;"
521 	/* r8 = ktime_get_ns() */
522 	"call %[bpf_ktime_get_ns];"
523 	"r8 = r0;"
524 	/* r7 = ktime_get_ns() */
525 	"call %[bpf_ktime_get_ns];"
526 	"r7 = r0;"
527 	/* r6 = ktime_get_ns() */
528 	"call %[bpf_ktime_get_ns];"
529 	"r6 = r0;"
530 	/* scratch .id from r0 */
531 	"r0 = 0;"
532 	/* if r6 > r7 is an unpredictable jump */
533 	"if r6 > r7 goto l1_%=;"
534 	/* tie r6 and r7 .id */
535 	"r6 = r7;"
536 "l0_%=:"
537 	/* if r7 > 4 exit(0) */
538 	"if r7 > 4 goto l2_%=;"
539 	/* Access memory at r9[r6] */
540 	"r9 += r6;"
541 	"r0 = *(u8*)(r9 + 0);"
542 "l2_%=:"
543 	"r0 = 0;"
544 	"exit;"
545 "l1_%=:"
546 	/* tie r6 and r8 .id */
547 	"r6 = r8;"
548 	"goto l0_%=;"
549 	:
550 	: __imm(bpf_ktime_get_ns)
551 	: __clobber_all);
552 }
553 
554 /* Check that scalar IDs *are not* generated on register to register
555  * assignments if source register is a constant.
556  *
557  * If such IDs *are* generated the 'l1' below would be reached in
558  * two states:
559  *
560  *   (1) r1{.id=A}, r2{.id=A}
561  *   (2) r1{.id=C}, r2{.id=C}
562  *
563  * Thus forcing 'if r1 == r2' verification twice.
564  */
565 SEC("socket")
566 __success __log_level(2)
567 __msg("11: (1d) if r3 == r4 goto pc+0")
568 __msg("frame 0: propagating r3,r4")
569 __msg("11: safe")
570 __msg("processed 15 insns")
571 __flag(BPF_F_TEST_STATE_FREQ)
572 __naked void no_scalar_id_for_const(void)
573 {
574 	asm volatile (
575 	"call %[bpf_ktime_get_ns];"
576 	/* unpredictable jump */
577 	"if r0 > 7 goto l0_%=;"
578 	/* possibly generate same scalar ids for r3 and r4 */
579 	"r1 = 0;"
580 	"r1 = r1;"
581 	"r3 = r1;"
582 	"r4 = r1;"
583 	"goto l1_%=;"
584 "l0_%=:"
585 	/* possibly generate different scalar ids for r3 and r4 */
586 	"r1 = 0;"
587 	"r2 = 0;"
588 	"r3 = r1;"
589 	"r4 = r2;"
590 "l1_%=:"
591 	/* predictable jump, marks r3 and r4 precise */
592 	"if r3 == r4 goto +0;"
593 	"r0 = 0;"
594 	"exit;"
595 	:
596 	: __imm(bpf_ktime_get_ns)
597 	: __clobber_all);
598 }
599 
600 /* Same as no_scalar_id_for_const() but for 32-bit values */
601 SEC("socket")
602 __success __log_level(2)
603 __msg("11: (1e) if w3 == w4 goto pc+0")
604 __msg("frame 0: propagating r3,r4")
605 __msg("11: safe")
606 __msg("processed 15 insns")
607 __flag(BPF_F_TEST_STATE_FREQ)
608 __naked void no_scalar_id_for_const32(void)
609 {
610 	asm volatile (
611 	"call %[bpf_ktime_get_ns];"
612 	/* unpredictable jump */
613 	"if r0 > 7 goto l0_%=;"
614 	/* possibly generate same scalar ids for r3 and r4 */
615 	"w1 = 0;"
616 	"w1 = w1;"
617 	"w3 = w1;"
618 	"w4 = w1;"
619 	"goto l1_%=;"
620 "l0_%=:"
621 	/* possibly generate different scalar ids for r3 and r4 */
622 	"w1 = 0;"
623 	"w2 = 0;"
624 	"w3 = w1;"
625 	"w4 = w2;"
626 "l1_%=:"
627 	/* predictable jump, marks r1 and r2 precise */
628 	"if w3 == w4 goto +0;"
629 	"r0 = 0;"
630 	"exit;"
631 	:
632 	: __imm(bpf_ktime_get_ns)
633 	: __clobber_all);
634 }
635 
636 /* Check that unique scalar IDs are ignored when new verifier state is
637  * compared to cached verifier state. For this test:
638  * - cached state has no id on r1
639  * - new state has a unique id on r1
640  */
641 SEC("socket")
642 __success __log_level(2)
643 __msg("6: (25) if r6 > 0x7 goto pc+1")
644 __msg("7: (57) r1 &= 255")
645 __msg("8: (bf) r2 = r10")
646 __msg("from 6 to 8: safe")
647 __msg("processed 12 insns")
648 __flag(BPF_F_TEST_STATE_FREQ)
649 __naked void ignore_unique_scalar_ids_cur(void)
650 {
651 	asm volatile (
652 	"call %[bpf_ktime_get_ns];"
653 	"r6 = r0;"
654 	"call %[bpf_ktime_get_ns];"
655 	"r0 &= 0xff;"
656 	/* r1.id == r0.id */
657 	"r1 = r0;"
658 	/* make r1.id unique */
659 	"r0 = 0;"
660 	"if r6 > 7 goto l0_%=;"
661 	/* clear r1 id, but keep the range compatible */
662 	"r1 &= 0xff;"
663 "l0_%=:"
664 	/* get here in two states:
665 	 * - first: r1 has no id (cached state)
666 	 * - second: r1 has a unique id (should be considered equivalent)
667 	 */
668 	"r2 = r10;"
669 	"r2 += r1;"
670 	"exit;"
671 	:
672 	: __imm(bpf_ktime_get_ns)
673 	: __clobber_all);
674 }
675 
676 /* Check that unique scalar IDs are ignored when new verifier state is
677  * compared to cached verifier state. For this test:
678  * - cached state has a unique id on r1
679  * - new state has no id on r1
680  */
681 SEC("socket")
682 __success __log_level(2)
683 __msg("6: (25) if r6 > 0x7 goto pc+1")
684 __msg("7: (05) goto pc+1")
685 __msg("9: (bf) r2 = r10")
686 __msg("9: safe")
687 __msg("processed 13 insns")
688 __flag(BPF_F_TEST_STATE_FREQ)
689 __naked void ignore_unique_scalar_ids_old(void)
690 {
691 	asm volatile (
692 	"call %[bpf_ktime_get_ns];"
693 	"r6 = r0;"
694 	"call %[bpf_ktime_get_ns];"
695 	"r0 &= 0xff;"
696 	/* r1.id == r0.id */
697 	"r1 = r0;"
698 	/* make r1.id unique */
699 	"r0 = 0;"
700 	"if r6 > 7 goto l1_%=;"
701 	"goto l0_%=;"
702 "l1_%=:"
703 	/* clear r1 id, but keep the range compatible */
704 	"r1 &= 0xff;"
705 "l0_%=:"
706 	/* get here in two states:
707 	 * - first: r1 has a unique id (cached state)
708 	 * - second: r1 has no id (should be considered equivalent)
709 	 */
710 	"r2 = r10;"
711 	"r2 += r1;"
712 	"exit;"
713 	:
714 	: __imm(bpf_ktime_get_ns)
715 	: __clobber_all);
716 }
717 
718 /* Check that two different scalar IDs in a verified state can't be
719  * mapped to the same scalar ID in current state.
720  */
721 SEC("socket")
722 __success __log_level(2)
723 /* The exit instruction should be reachable from two states,
724  * use two matches and "processed .. insns" to ensure this.
725  */
726 __msg("13: (95) exit")
727 __msg("13: (95) exit")
728 __msg("processed 18 insns")
729 __flag(BPF_F_TEST_STATE_FREQ)
730 __naked void two_old_ids_one_cur_id(void)
731 {
732 	asm volatile (
733 	/* Give unique scalar IDs to r{6,7} */
734 	"call %[bpf_ktime_get_ns];"
735 	"r0 &= 0xff;"
736 	"r6 = r0;"
737 	"call %[bpf_ktime_get_ns];"
738 	"r0 &= 0xff;"
739 	"r7 = r0;"
740 	"r0 = 0;"
741 	/* Maybe make r{6,7} IDs identical */
742 	"if r6 > r7 goto l0_%=;"
743 	"goto l1_%=;"
744 "l0_%=:"
745 	"r6 = r7;"
746 "l1_%=:"
747 	/* Mark r{6,7} precise.
748 	 * Get here in two states:
749 	 * - first:  r6{.id=A}, r7{.id=B} (cached state)
750 	 * - second: r6{.id=A}, r7{.id=A}
751 	 * Currently we don't want to consider such states equivalent.
752 	 * Thus "exit;" would be verified twice.
753 	 */
754 	"r2 = r10;"
755 	"r2 += r6;"
756 	"r2 += r7;"
757 	"exit;"
758 	:
759 	: __imm(bpf_ktime_get_ns)
760 	: __clobber_all);
761 }
762 
763 SEC("socket")
764 /* Note the flag, see verifier.c:opt_subreg_zext_lo32_rnd_hi32() */
765 __flag(BPF_F_TEST_RND_HI32)
766 __success
767 /* This test was added because of a bug in verifier.c:sync_linked_regs(),
768  * upon range propagation it destroyed subreg_def marks for registers.
769  * The subreg_def mark is used to decide whether zero extension instructions
770  * are needed when register is read. When BPF_F_TEST_RND_HI32 is set it
771  * also causes generation of statements to randomize upper halves of
772  * read registers.
773  *
774  * The test is written in a way to return an upper half of a register
775  * that is affected by range propagation and must have it's subreg_def
776  * preserved. This gives a return value of 0 and leads to undefined
777  * return value if subreg_def mark is not preserved.
778  */
779 __retval(0)
780 /* Check that verifier believes r1/r0 are zero at exit */
781 __log_level(2)
782 __msg("4: (77) r1 >>= 32                     ; R1_w=0")
783 __msg("5: (bf) r0 = r1                       ; R0_w=0 R1_w=0")
784 __msg("6: (95) exit")
785 __msg("from 3 to 4")
786 __msg("4: (77) r1 >>= 32                     ; R1_w=0")
787 __msg("5: (bf) r0 = r1                       ; R0_w=0 R1_w=0")
788 __msg("6: (95) exit")
789 /* Verify that statements to randomize upper half of r1 had not been
790  * generated.
791  */
792 __xlated("call unknown")
793 __xlated("r0 &= 2147483647")
794 __xlated("w1 = w0")
795 /* This is how disasm.c prints BPF_ZEXT_REG at the moment, x86 and arm
796  * are the only CI archs that do not need zero extension for subregs.
797  */
798 #if !defined(__TARGET_ARCH_x86) && !defined(__TARGET_ARCH_arm64)
799 __xlated("w1 = w1")
800 #endif
801 __xlated("if w0 < 0xa goto pc+0")
802 __xlated("r1 >>= 32")
803 __xlated("r0 = r1")
804 __xlated("exit")
805 __naked void linked_regs_and_subreg_def(void)
806 {
807 	asm volatile (
808 	"call %[bpf_ktime_get_ns];"
809 	/* make sure r0 is in 32-bit range, otherwise w1 = w0 won't
810 	 * assign same IDs to registers.
811 	 */
812 	"r0 &= 0x7fffffff;"
813 	/* link w1 and w0 via ID */
814 	"w1 = w0;"
815 	/* 'if' statement propagates range info from w0 to w1,
816 	 * but should not affect w1->subreg_def property.
817 	 */
818 	"if w0 < 10 goto +0;"
819 	/* r1 is read here, on archs that require subreg zero
820 	 * extension this would cause zext patch generation.
821 	 */
822 	"r1 >>= 32;"
823 	"r0 = r1;"
824 	"exit;"
825 	:
826 	: __imm(bpf_ktime_get_ns)
827 	: __clobber_all);
828 }
829 
830 char _license[] SEC("license") = "GPL";
831