1 /* 2 * Testsuite for eBPF verifier 3 * 4 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com 5 * Copyright (c) 2017 Facebook 6 * Copyright (c) 2018 Covalent IO, Inc. http://covalent.io 7 * 8 * This program is free software; you can redistribute it and/or 9 * modify it under the terms of version 2 of the GNU General Public 10 * License as published by the Free Software Foundation. 11 */ 12 13 #include <endian.h> 14 #include <asm/types.h> 15 #include <linux/types.h> 16 #include <stdint.h> 17 #include <stdio.h> 18 #include <stdlib.h> 19 #include <unistd.h> 20 #include <errno.h> 21 #include <string.h> 22 #include <stddef.h> 23 #include <stdbool.h> 24 #include <sched.h> 25 #include <limits.h> 26 #include <assert.h> 27 28 #include <sys/capability.h> 29 30 #include <linux/unistd.h> 31 #include <linux/filter.h> 32 #include <linux/bpf_perf_event.h> 33 #include <linux/bpf.h> 34 #include <linux/if_ether.h> 35 #include <linux/btf.h> 36 37 #include <bpf/bpf.h> 38 #include <bpf/libbpf.h> 39 40 #ifdef HAVE_GENHDR 41 # include "autoconf.h" 42 #else 43 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__) 44 # define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1 45 # endif 46 #endif 47 #include "bpf_rlimit.h" 48 #include "bpf_rand.h" 49 #include "bpf_util.h" 50 #include "test_btf.h" 51 #include "../../../include/linux/filter.h" 52 53 #define MAX_INSNS BPF_MAXINSNS 54 #define MAX_TEST_INSNS 1000000 55 #define MAX_FIXUPS 8 56 #define MAX_NR_MAPS 18 57 #define MAX_TEST_RUNS 8 58 #define POINTER_VALUE 0xcafe4all 59 #define TEST_DATA_LEN 64 60 61 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS (1 << 0) 62 #define F_LOAD_WITH_STRICT_ALIGNMENT (1 << 1) 63 64 #define UNPRIV_SYSCTL "kernel/unprivileged_bpf_disabled" 65 static bool unpriv_disabled = false; 66 static int skips; 67 68 struct bpf_test { 69 const char *descr; 70 struct bpf_insn insns[MAX_INSNS]; 71 struct bpf_insn *fill_insns; 72 int fixup_map_hash_8b[MAX_FIXUPS]; 73 int fixup_map_hash_48b[MAX_FIXUPS]; 74 int fixup_map_hash_16b[MAX_FIXUPS]; 75 int fixup_map_array_48b[MAX_FIXUPS]; 76 int fixup_map_sockmap[MAX_FIXUPS]; 77 int fixup_map_sockhash[MAX_FIXUPS]; 78 int fixup_map_xskmap[MAX_FIXUPS]; 79 int fixup_map_stacktrace[MAX_FIXUPS]; 80 int fixup_prog1[MAX_FIXUPS]; 81 int fixup_prog2[MAX_FIXUPS]; 82 int fixup_map_in_map[MAX_FIXUPS]; 83 int fixup_cgroup_storage[MAX_FIXUPS]; 84 int fixup_percpu_cgroup_storage[MAX_FIXUPS]; 85 int fixup_map_spin_lock[MAX_FIXUPS]; 86 int fixup_map_array_ro[MAX_FIXUPS]; 87 int fixup_map_array_wo[MAX_FIXUPS]; 88 int fixup_map_array_small[MAX_FIXUPS]; 89 int fixup_sk_storage_map[MAX_FIXUPS]; 90 const char *errstr; 91 const char *errstr_unpriv; 92 uint32_t retval, retval_unpriv, insn_processed; 93 int prog_len; 94 enum { 95 UNDEF, 96 ACCEPT, 97 REJECT 98 } result, result_unpriv; 99 enum bpf_prog_type prog_type; 100 uint8_t flags; 101 __u8 data[TEST_DATA_LEN]; 102 void (*fill_helper)(struct bpf_test *self); 103 uint8_t runs; 104 struct { 105 uint32_t retval, retval_unpriv; 106 union { 107 __u8 data[TEST_DATA_LEN]; 108 __u64 data64[TEST_DATA_LEN / 8]; 109 }; 110 } retvals[MAX_TEST_RUNS]; 111 }; 112 113 /* Note we want this to be 64 bit aligned so that the end of our array is 114 * actually the end of the structure. 115 */ 116 #define MAX_ENTRIES 11 117 118 struct test_val { 119 unsigned int index; 120 int foo[MAX_ENTRIES]; 121 }; 122 123 struct other_val { 124 long long foo; 125 long long bar; 126 }; 127 128 static void bpf_fill_ld_abs_vlan_push_pop(struct bpf_test *self) 129 { 130 /* test: {skb->data[0], vlan_push} x 51 + {skb->data[0], vlan_pop} x 51 */ 131 #define PUSH_CNT 51 132 /* jump range is limited to 16 bit. PUSH_CNT of ld_abs needs room */ 133 unsigned int len = (1 << 15) - PUSH_CNT * 2 * 5 * 6; 134 struct bpf_insn *insn = self->fill_insns; 135 int i = 0, j, k = 0; 136 137 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1); 138 loop: 139 for (j = 0; j < PUSH_CNT; j++) { 140 insn[i++] = BPF_LD_ABS(BPF_B, 0); 141 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2); 142 i++; 143 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6); 144 insn[i++] = BPF_MOV64_IMM(BPF_REG_2, 1); 145 insn[i++] = BPF_MOV64_IMM(BPF_REG_3, 2); 146 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 147 BPF_FUNC_skb_vlan_push), 148 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2); 149 i++; 150 } 151 152 for (j = 0; j < PUSH_CNT; j++) { 153 insn[i++] = BPF_LD_ABS(BPF_B, 0); 154 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2); 155 i++; 156 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6); 157 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 158 BPF_FUNC_skb_vlan_pop), 159 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2); 160 i++; 161 } 162 if (++k < 5) 163 goto loop; 164 165 for (; i < len - 1; i++) 166 insn[i] = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, 0xbef); 167 insn[len - 1] = BPF_EXIT_INSN(); 168 self->prog_len = len; 169 } 170 171 static void bpf_fill_jump_around_ld_abs(struct bpf_test *self) 172 { 173 struct bpf_insn *insn = self->fill_insns; 174 /* jump range is limited to 16 bit. every ld_abs is replaced by 6 insns */ 175 unsigned int len = (1 << 15) / 6; 176 int i = 0; 177 178 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1); 179 insn[i++] = BPF_LD_ABS(BPF_B, 0); 180 insn[i] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 10, len - i - 2); 181 i++; 182 while (i < len - 1) 183 insn[i++] = BPF_LD_ABS(BPF_B, 1); 184 insn[i] = BPF_EXIT_INSN(); 185 self->prog_len = i + 1; 186 } 187 188 static void bpf_fill_rand_ld_dw(struct bpf_test *self) 189 { 190 struct bpf_insn *insn = self->fill_insns; 191 uint64_t res = 0; 192 int i = 0; 193 194 insn[i++] = BPF_MOV32_IMM(BPF_REG_0, 0); 195 while (i < self->retval) { 196 uint64_t val = bpf_semi_rand_get(); 197 struct bpf_insn tmp[2] = { BPF_LD_IMM64(BPF_REG_1, val) }; 198 199 res ^= val; 200 insn[i++] = tmp[0]; 201 insn[i++] = tmp[1]; 202 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1); 203 } 204 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_0); 205 insn[i++] = BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32); 206 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1); 207 insn[i] = BPF_EXIT_INSN(); 208 self->prog_len = i + 1; 209 res ^= (res >> 32); 210 self->retval = (uint32_t)res; 211 } 212 213 #define MAX_JMP_SEQ 8192 214 215 /* test the sequence of 8k jumps */ 216 static void bpf_fill_scale1(struct bpf_test *self) 217 { 218 struct bpf_insn *insn = self->fill_insns; 219 int i = 0, k = 0; 220 221 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1); 222 /* test to check that the long sequence of jumps is acceptable */ 223 while (k++ < MAX_JMP_SEQ) { 224 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 225 BPF_FUNC_get_prandom_u32); 226 insn[i++] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, bpf_semi_rand_get(), 2); 227 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_10); 228 insn[i++] = BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 229 -8 * (k % 64 + 1)); 230 } 231 /* every jump adds 1 step to insn_processed, so to stay exactly 232 * within 1m limit add MAX_TEST_INSNS - MAX_JMP_SEQ - 1 MOVs and 1 EXIT 233 */ 234 while (i < MAX_TEST_INSNS - MAX_JMP_SEQ - 1) 235 insn[i++] = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, 42); 236 insn[i] = BPF_EXIT_INSN(); 237 self->prog_len = i + 1; 238 self->retval = 42; 239 } 240 241 /* test the sequence of 8k jumps in inner most function (function depth 8)*/ 242 static void bpf_fill_scale2(struct bpf_test *self) 243 { 244 struct bpf_insn *insn = self->fill_insns; 245 int i = 0, k = 0; 246 247 #define FUNC_NEST 7 248 for (k = 0; k < FUNC_NEST; k++) { 249 insn[i++] = BPF_CALL_REL(1); 250 insn[i++] = BPF_EXIT_INSN(); 251 } 252 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1); 253 /* test to check that the long sequence of jumps is acceptable */ 254 k = 0; 255 while (k++ < MAX_JMP_SEQ) { 256 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 257 BPF_FUNC_get_prandom_u32); 258 insn[i++] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, bpf_semi_rand_get(), 2); 259 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_10); 260 insn[i++] = BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 261 -8 * (k % (64 - 4 * FUNC_NEST) + 1)); 262 } 263 /* every jump adds 1 step to insn_processed, so to stay exactly 264 * within 1m limit add MAX_TEST_INSNS - MAX_JMP_SEQ - 1 MOVs and 1 EXIT 265 */ 266 while (i < MAX_TEST_INSNS - MAX_JMP_SEQ - 1) 267 insn[i++] = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, 42); 268 insn[i] = BPF_EXIT_INSN(); 269 self->prog_len = i + 1; 270 self->retval = 42; 271 } 272 273 static void bpf_fill_scale(struct bpf_test *self) 274 { 275 switch (self->retval) { 276 case 1: 277 return bpf_fill_scale1(self); 278 case 2: 279 return bpf_fill_scale2(self); 280 default: 281 self->prog_len = 0; 282 break; 283 } 284 } 285 286 /* BPF_SK_LOOKUP contains 13 instructions, if you need to fix up maps */ 287 #define BPF_SK_LOOKUP(func) \ 288 /* struct bpf_sock_tuple tuple = {} */ \ 289 BPF_MOV64_IMM(BPF_REG_2, 0), \ 290 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_2, -8), \ 291 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -16), \ 292 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -24), \ 293 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -32), \ 294 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -40), \ 295 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -48), \ 296 /* sk = func(ctx, &tuple, sizeof tuple, 0, 0) */ \ 297 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), \ 298 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48), \ 299 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct bpf_sock_tuple)), \ 300 BPF_MOV64_IMM(BPF_REG_4, 0), \ 301 BPF_MOV64_IMM(BPF_REG_5, 0), \ 302 BPF_EMIT_CALL(BPF_FUNC_ ## func) 303 304 /* BPF_DIRECT_PKT_R2 contains 7 instructions, it initializes default return 305 * value into 0 and does necessary preparation for direct packet access 306 * through r2. The allowed access range is 8 bytes. 307 */ 308 #define BPF_DIRECT_PKT_R2 \ 309 BPF_MOV64_IMM(BPF_REG_0, 0), \ 310 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, \ 311 offsetof(struct __sk_buff, data)), \ 312 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, \ 313 offsetof(struct __sk_buff, data_end)), \ 314 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), \ 315 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8), \ 316 BPF_JMP_REG(BPF_JLE, BPF_REG_4, BPF_REG_3, 1), \ 317 BPF_EXIT_INSN() 318 319 /* BPF_RAND_UEXT_R7 contains 4 instructions, it initializes R7 into a random 320 * positive u32, and zero-extend it into 64-bit. 321 */ 322 #define BPF_RAND_UEXT_R7 \ 323 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, \ 324 BPF_FUNC_get_prandom_u32), \ 325 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), \ 326 BPF_ALU64_IMM(BPF_LSH, BPF_REG_7, 33), \ 327 BPF_ALU64_IMM(BPF_RSH, BPF_REG_7, 33) 328 329 /* BPF_RAND_SEXT_R7 contains 5 instructions, it initializes R7 into a random 330 * negative u32, and sign-extend it into 64-bit. 331 */ 332 #define BPF_RAND_SEXT_R7 \ 333 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, \ 334 BPF_FUNC_get_prandom_u32), \ 335 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), \ 336 BPF_ALU64_IMM(BPF_OR, BPF_REG_7, 0x80000000), \ 337 BPF_ALU64_IMM(BPF_LSH, BPF_REG_7, 32), \ 338 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_7, 32) 339 340 static struct bpf_test tests[] = { 341 #define FILL_ARRAY 342 #include <verifier/tests.h> 343 #undef FILL_ARRAY 344 }; 345 346 static int probe_filter_length(const struct bpf_insn *fp) 347 { 348 int len; 349 350 for (len = MAX_INSNS - 1; len > 0; --len) 351 if (fp[len].code != 0 || fp[len].imm != 0) 352 break; 353 return len + 1; 354 } 355 356 static bool skip_unsupported_map(enum bpf_map_type map_type) 357 { 358 if (!bpf_probe_map_type(map_type, 0)) { 359 printf("SKIP (unsupported map type %d)\n", map_type); 360 skips++; 361 return true; 362 } 363 return false; 364 } 365 366 static int __create_map(uint32_t type, uint32_t size_key, 367 uint32_t size_value, uint32_t max_elem, 368 uint32_t extra_flags) 369 { 370 int fd; 371 372 fd = bpf_create_map(type, size_key, size_value, max_elem, 373 (type == BPF_MAP_TYPE_HASH ? 374 BPF_F_NO_PREALLOC : 0) | extra_flags); 375 if (fd < 0) { 376 if (skip_unsupported_map(type)) 377 return -1; 378 printf("Failed to create hash map '%s'!\n", strerror(errno)); 379 } 380 381 return fd; 382 } 383 384 static int create_map(uint32_t type, uint32_t size_key, 385 uint32_t size_value, uint32_t max_elem) 386 { 387 return __create_map(type, size_key, size_value, max_elem, 0); 388 } 389 390 static void update_map(int fd, int index) 391 { 392 struct test_val value = { 393 .index = (6 + 1) * sizeof(int), 394 .foo[6] = 0xabcdef12, 395 }; 396 397 assert(!bpf_map_update_elem(fd, &index, &value, 0)); 398 } 399 400 static int create_prog_dummy1(enum bpf_prog_type prog_type) 401 { 402 struct bpf_insn prog[] = { 403 BPF_MOV64_IMM(BPF_REG_0, 42), 404 BPF_EXIT_INSN(), 405 }; 406 407 return bpf_load_program(prog_type, prog, 408 ARRAY_SIZE(prog), "GPL", 0, NULL, 0); 409 } 410 411 static int create_prog_dummy2(enum bpf_prog_type prog_type, int mfd, int idx) 412 { 413 struct bpf_insn prog[] = { 414 BPF_MOV64_IMM(BPF_REG_3, idx), 415 BPF_LD_MAP_FD(BPF_REG_2, mfd), 416 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 417 BPF_FUNC_tail_call), 418 BPF_MOV64_IMM(BPF_REG_0, 41), 419 BPF_EXIT_INSN(), 420 }; 421 422 return bpf_load_program(prog_type, prog, 423 ARRAY_SIZE(prog), "GPL", 0, NULL, 0); 424 } 425 426 static int create_prog_array(enum bpf_prog_type prog_type, uint32_t max_elem, 427 int p1key) 428 { 429 int p2key = 1; 430 int mfd, p1fd, p2fd; 431 432 mfd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int), 433 sizeof(int), max_elem, 0); 434 if (mfd < 0) { 435 if (skip_unsupported_map(BPF_MAP_TYPE_PROG_ARRAY)) 436 return -1; 437 printf("Failed to create prog array '%s'!\n", strerror(errno)); 438 return -1; 439 } 440 441 p1fd = create_prog_dummy1(prog_type); 442 p2fd = create_prog_dummy2(prog_type, mfd, p2key); 443 if (p1fd < 0 || p2fd < 0) 444 goto out; 445 if (bpf_map_update_elem(mfd, &p1key, &p1fd, BPF_ANY) < 0) 446 goto out; 447 if (bpf_map_update_elem(mfd, &p2key, &p2fd, BPF_ANY) < 0) 448 goto out; 449 close(p2fd); 450 close(p1fd); 451 452 return mfd; 453 out: 454 close(p2fd); 455 close(p1fd); 456 close(mfd); 457 return -1; 458 } 459 460 static int create_map_in_map(void) 461 { 462 int inner_map_fd, outer_map_fd; 463 464 inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int), 465 sizeof(int), 1, 0); 466 if (inner_map_fd < 0) { 467 if (skip_unsupported_map(BPF_MAP_TYPE_ARRAY)) 468 return -1; 469 printf("Failed to create array '%s'!\n", strerror(errno)); 470 return inner_map_fd; 471 } 472 473 outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL, 474 sizeof(int), inner_map_fd, 1, 0); 475 if (outer_map_fd < 0) { 476 if (skip_unsupported_map(BPF_MAP_TYPE_ARRAY_OF_MAPS)) 477 return -1; 478 printf("Failed to create array of maps '%s'!\n", 479 strerror(errno)); 480 } 481 482 close(inner_map_fd); 483 484 return outer_map_fd; 485 } 486 487 static int create_cgroup_storage(bool percpu) 488 { 489 enum bpf_map_type type = percpu ? BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE : 490 BPF_MAP_TYPE_CGROUP_STORAGE; 491 int fd; 492 493 fd = bpf_create_map(type, sizeof(struct bpf_cgroup_storage_key), 494 TEST_DATA_LEN, 0, 0); 495 if (fd < 0) { 496 if (skip_unsupported_map(type)) 497 return -1; 498 printf("Failed to create cgroup storage '%s'!\n", 499 strerror(errno)); 500 } 501 502 return fd; 503 } 504 505 /* struct bpf_spin_lock { 506 * int val; 507 * }; 508 * struct val { 509 * int cnt; 510 * struct bpf_spin_lock l; 511 * }; 512 */ 513 static const char btf_str_sec[] = "\0bpf_spin_lock\0val\0cnt\0l"; 514 static __u32 btf_raw_types[] = { 515 /* int */ 516 BTF_TYPE_INT_ENC(0, BTF_INT_SIGNED, 0, 32, 4), /* [1] */ 517 /* struct bpf_spin_lock */ /* [2] */ 518 BTF_TYPE_ENC(1, BTF_INFO_ENC(BTF_KIND_STRUCT, 0, 1), 4), 519 BTF_MEMBER_ENC(15, 1, 0), /* int val; */ 520 /* struct val */ /* [3] */ 521 BTF_TYPE_ENC(15, BTF_INFO_ENC(BTF_KIND_STRUCT, 0, 2), 8), 522 BTF_MEMBER_ENC(19, 1, 0), /* int cnt; */ 523 BTF_MEMBER_ENC(23, 2, 32),/* struct bpf_spin_lock l; */ 524 }; 525 526 static int load_btf(void) 527 { 528 struct btf_header hdr = { 529 .magic = BTF_MAGIC, 530 .version = BTF_VERSION, 531 .hdr_len = sizeof(struct btf_header), 532 .type_len = sizeof(btf_raw_types), 533 .str_off = sizeof(btf_raw_types), 534 .str_len = sizeof(btf_str_sec), 535 }; 536 void *ptr, *raw_btf; 537 int btf_fd; 538 539 ptr = raw_btf = malloc(sizeof(hdr) + sizeof(btf_raw_types) + 540 sizeof(btf_str_sec)); 541 542 memcpy(ptr, &hdr, sizeof(hdr)); 543 ptr += sizeof(hdr); 544 memcpy(ptr, btf_raw_types, hdr.type_len); 545 ptr += hdr.type_len; 546 memcpy(ptr, btf_str_sec, hdr.str_len); 547 ptr += hdr.str_len; 548 549 btf_fd = bpf_load_btf(raw_btf, ptr - raw_btf, 0, 0, 0); 550 free(raw_btf); 551 if (btf_fd < 0) 552 return -1; 553 return btf_fd; 554 } 555 556 static int create_map_spin_lock(void) 557 { 558 struct bpf_create_map_attr attr = { 559 .name = "test_map", 560 .map_type = BPF_MAP_TYPE_ARRAY, 561 .key_size = 4, 562 .value_size = 8, 563 .max_entries = 1, 564 .btf_key_type_id = 1, 565 .btf_value_type_id = 3, 566 }; 567 int fd, btf_fd; 568 569 btf_fd = load_btf(); 570 if (btf_fd < 0) 571 return -1; 572 attr.btf_fd = btf_fd; 573 fd = bpf_create_map_xattr(&attr); 574 if (fd < 0) 575 printf("Failed to create map with spin_lock\n"); 576 return fd; 577 } 578 579 static int create_sk_storage_map(void) 580 { 581 struct bpf_create_map_attr attr = { 582 .name = "test_map", 583 .map_type = BPF_MAP_TYPE_SK_STORAGE, 584 .key_size = 4, 585 .value_size = 8, 586 .max_entries = 0, 587 .map_flags = BPF_F_NO_PREALLOC, 588 .btf_key_type_id = 1, 589 .btf_value_type_id = 3, 590 }; 591 int fd, btf_fd; 592 593 btf_fd = load_btf(); 594 if (btf_fd < 0) 595 return -1; 596 attr.btf_fd = btf_fd; 597 fd = bpf_create_map_xattr(&attr); 598 close(attr.btf_fd); 599 if (fd < 0) 600 printf("Failed to create sk_storage_map\n"); 601 return fd; 602 } 603 604 static char bpf_vlog[UINT_MAX >> 8]; 605 606 static void do_test_fixup(struct bpf_test *test, enum bpf_prog_type prog_type, 607 struct bpf_insn *prog, int *map_fds) 608 { 609 int *fixup_map_hash_8b = test->fixup_map_hash_8b; 610 int *fixup_map_hash_48b = test->fixup_map_hash_48b; 611 int *fixup_map_hash_16b = test->fixup_map_hash_16b; 612 int *fixup_map_array_48b = test->fixup_map_array_48b; 613 int *fixup_map_sockmap = test->fixup_map_sockmap; 614 int *fixup_map_sockhash = test->fixup_map_sockhash; 615 int *fixup_map_xskmap = test->fixup_map_xskmap; 616 int *fixup_map_stacktrace = test->fixup_map_stacktrace; 617 int *fixup_prog1 = test->fixup_prog1; 618 int *fixup_prog2 = test->fixup_prog2; 619 int *fixup_map_in_map = test->fixup_map_in_map; 620 int *fixup_cgroup_storage = test->fixup_cgroup_storage; 621 int *fixup_percpu_cgroup_storage = test->fixup_percpu_cgroup_storage; 622 int *fixup_map_spin_lock = test->fixup_map_spin_lock; 623 int *fixup_map_array_ro = test->fixup_map_array_ro; 624 int *fixup_map_array_wo = test->fixup_map_array_wo; 625 int *fixup_map_array_small = test->fixup_map_array_small; 626 int *fixup_sk_storage_map = test->fixup_sk_storage_map; 627 628 if (test->fill_helper) { 629 test->fill_insns = calloc(MAX_TEST_INSNS, sizeof(struct bpf_insn)); 630 test->fill_helper(test); 631 } 632 633 /* Allocating HTs with 1 elem is fine here, since we only test 634 * for verifier and not do a runtime lookup, so the only thing 635 * that really matters is value size in this case. 636 */ 637 if (*fixup_map_hash_8b) { 638 map_fds[0] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long), 639 sizeof(long long), 1); 640 do { 641 prog[*fixup_map_hash_8b].imm = map_fds[0]; 642 fixup_map_hash_8b++; 643 } while (*fixup_map_hash_8b); 644 } 645 646 if (*fixup_map_hash_48b) { 647 map_fds[1] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long), 648 sizeof(struct test_val), 1); 649 do { 650 prog[*fixup_map_hash_48b].imm = map_fds[1]; 651 fixup_map_hash_48b++; 652 } while (*fixup_map_hash_48b); 653 } 654 655 if (*fixup_map_hash_16b) { 656 map_fds[2] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long), 657 sizeof(struct other_val), 1); 658 do { 659 prog[*fixup_map_hash_16b].imm = map_fds[2]; 660 fixup_map_hash_16b++; 661 } while (*fixup_map_hash_16b); 662 } 663 664 if (*fixup_map_array_48b) { 665 map_fds[3] = create_map(BPF_MAP_TYPE_ARRAY, sizeof(int), 666 sizeof(struct test_val), 1); 667 update_map(map_fds[3], 0); 668 do { 669 prog[*fixup_map_array_48b].imm = map_fds[3]; 670 fixup_map_array_48b++; 671 } while (*fixup_map_array_48b); 672 } 673 674 if (*fixup_prog1) { 675 map_fds[4] = create_prog_array(prog_type, 4, 0); 676 do { 677 prog[*fixup_prog1].imm = map_fds[4]; 678 fixup_prog1++; 679 } while (*fixup_prog1); 680 } 681 682 if (*fixup_prog2) { 683 map_fds[5] = create_prog_array(prog_type, 8, 7); 684 do { 685 prog[*fixup_prog2].imm = map_fds[5]; 686 fixup_prog2++; 687 } while (*fixup_prog2); 688 } 689 690 if (*fixup_map_in_map) { 691 map_fds[6] = create_map_in_map(); 692 do { 693 prog[*fixup_map_in_map].imm = map_fds[6]; 694 fixup_map_in_map++; 695 } while (*fixup_map_in_map); 696 } 697 698 if (*fixup_cgroup_storage) { 699 map_fds[7] = create_cgroup_storage(false); 700 do { 701 prog[*fixup_cgroup_storage].imm = map_fds[7]; 702 fixup_cgroup_storage++; 703 } while (*fixup_cgroup_storage); 704 } 705 706 if (*fixup_percpu_cgroup_storage) { 707 map_fds[8] = create_cgroup_storage(true); 708 do { 709 prog[*fixup_percpu_cgroup_storage].imm = map_fds[8]; 710 fixup_percpu_cgroup_storage++; 711 } while (*fixup_percpu_cgroup_storage); 712 } 713 if (*fixup_map_sockmap) { 714 map_fds[9] = create_map(BPF_MAP_TYPE_SOCKMAP, sizeof(int), 715 sizeof(int), 1); 716 do { 717 prog[*fixup_map_sockmap].imm = map_fds[9]; 718 fixup_map_sockmap++; 719 } while (*fixup_map_sockmap); 720 } 721 if (*fixup_map_sockhash) { 722 map_fds[10] = create_map(BPF_MAP_TYPE_SOCKHASH, sizeof(int), 723 sizeof(int), 1); 724 do { 725 prog[*fixup_map_sockhash].imm = map_fds[10]; 726 fixup_map_sockhash++; 727 } while (*fixup_map_sockhash); 728 } 729 if (*fixup_map_xskmap) { 730 map_fds[11] = create_map(BPF_MAP_TYPE_XSKMAP, sizeof(int), 731 sizeof(int), 1); 732 do { 733 prog[*fixup_map_xskmap].imm = map_fds[11]; 734 fixup_map_xskmap++; 735 } while (*fixup_map_xskmap); 736 } 737 if (*fixup_map_stacktrace) { 738 map_fds[12] = create_map(BPF_MAP_TYPE_STACK_TRACE, sizeof(u32), 739 sizeof(u64), 1); 740 do { 741 prog[*fixup_map_stacktrace].imm = map_fds[12]; 742 fixup_map_stacktrace++; 743 } while (*fixup_map_stacktrace); 744 } 745 if (*fixup_map_spin_lock) { 746 map_fds[13] = create_map_spin_lock(); 747 do { 748 prog[*fixup_map_spin_lock].imm = map_fds[13]; 749 fixup_map_spin_lock++; 750 } while (*fixup_map_spin_lock); 751 } 752 if (*fixup_map_array_ro) { 753 map_fds[14] = __create_map(BPF_MAP_TYPE_ARRAY, sizeof(int), 754 sizeof(struct test_val), 1, 755 BPF_F_RDONLY_PROG); 756 update_map(map_fds[14], 0); 757 do { 758 prog[*fixup_map_array_ro].imm = map_fds[14]; 759 fixup_map_array_ro++; 760 } while (*fixup_map_array_ro); 761 } 762 if (*fixup_map_array_wo) { 763 map_fds[15] = __create_map(BPF_MAP_TYPE_ARRAY, sizeof(int), 764 sizeof(struct test_val), 1, 765 BPF_F_WRONLY_PROG); 766 update_map(map_fds[15], 0); 767 do { 768 prog[*fixup_map_array_wo].imm = map_fds[15]; 769 fixup_map_array_wo++; 770 } while (*fixup_map_array_wo); 771 } 772 if (*fixup_map_array_small) { 773 map_fds[16] = __create_map(BPF_MAP_TYPE_ARRAY, sizeof(int), 774 1, 1, 0); 775 update_map(map_fds[16], 0); 776 do { 777 prog[*fixup_map_array_small].imm = map_fds[16]; 778 fixup_map_array_small++; 779 } while (*fixup_map_array_small); 780 } 781 if (*fixup_sk_storage_map) { 782 map_fds[17] = create_sk_storage_map(); 783 do { 784 prog[*fixup_sk_storage_map].imm = map_fds[17]; 785 fixup_sk_storage_map++; 786 } while (*fixup_sk_storage_map); 787 } 788 } 789 790 static int set_admin(bool admin) 791 { 792 cap_t caps; 793 const cap_value_t cap_val = CAP_SYS_ADMIN; 794 int ret = -1; 795 796 caps = cap_get_proc(); 797 if (!caps) { 798 perror("cap_get_proc"); 799 return -1; 800 } 801 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val, 802 admin ? CAP_SET : CAP_CLEAR)) { 803 perror("cap_set_flag"); 804 goto out; 805 } 806 if (cap_set_proc(caps)) { 807 perror("cap_set_proc"); 808 goto out; 809 } 810 ret = 0; 811 out: 812 if (cap_free(caps)) 813 perror("cap_free"); 814 return ret; 815 } 816 817 static int do_prog_test_run(int fd_prog, bool unpriv, uint32_t expected_val, 818 void *data, size_t size_data) 819 { 820 __u8 tmp[TEST_DATA_LEN << 2]; 821 __u32 size_tmp = sizeof(tmp); 822 uint32_t retval; 823 int err; 824 825 if (unpriv) 826 set_admin(true); 827 err = bpf_prog_test_run(fd_prog, 1, data, size_data, 828 tmp, &size_tmp, &retval, NULL); 829 if (unpriv) 830 set_admin(false); 831 if (err && errno != 524/*ENOTSUPP*/ && errno != EPERM) { 832 printf("Unexpected bpf_prog_test_run error "); 833 return err; 834 } 835 if (!err && retval != expected_val && 836 expected_val != POINTER_VALUE) { 837 printf("FAIL retval %d != %d ", retval, expected_val); 838 return 1; 839 } 840 841 return 0; 842 } 843 844 static void do_test_single(struct bpf_test *test, bool unpriv, 845 int *passes, int *errors) 846 { 847 int fd_prog, expected_ret, alignment_prevented_execution; 848 int prog_len, prog_type = test->prog_type; 849 struct bpf_insn *prog = test->insns; 850 int run_errs, run_successes; 851 int map_fds[MAX_NR_MAPS]; 852 const char *expected_err; 853 int fixup_skips; 854 __u32 pflags; 855 int i, err; 856 857 for (i = 0; i < MAX_NR_MAPS; i++) 858 map_fds[i] = -1; 859 860 if (!prog_type) 861 prog_type = BPF_PROG_TYPE_SOCKET_FILTER; 862 fixup_skips = skips; 863 do_test_fixup(test, prog_type, prog, map_fds); 864 if (test->fill_insns) { 865 prog = test->fill_insns; 866 prog_len = test->prog_len; 867 } else { 868 prog_len = probe_filter_length(prog); 869 } 870 /* If there were some map skips during fixup due to missing bpf 871 * features, skip this test. 872 */ 873 if (fixup_skips != skips) 874 return; 875 876 pflags = 0; 877 if (test->flags & F_LOAD_WITH_STRICT_ALIGNMENT) 878 pflags |= BPF_F_STRICT_ALIGNMENT; 879 if (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) 880 pflags |= BPF_F_ANY_ALIGNMENT; 881 fd_prog = bpf_verify_program(prog_type, prog, prog_len, pflags, 882 "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 4); 883 if (fd_prog < 0 && !bpf_probe_prog_type(prog_type, 0)) { 884 printf("SKIP (unsupported program type %d)\n", prog_type); 885 skips++; 886 goto close_fds; 887 } 888 889 expected_ret = unpriv && test->result_unpriv != UNDEF ? 890 test->result_unpriv : test->result; 891 expected_err = unpriv && test->errstr_unpriv ? 892 test->errstr_unpriv : test->errstr; 893 894 alignment_prevented_execution = 0; 895 896 if (expected_ret == ACCEPT) { 897 if (fd_prog < 0) { 898 printf("FAIL\nFailed to load prog '%s'!\n", 899 strerror(errno)); 900 goto fail_log; 901 } 902 #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 903 if (fd_prog >= 0 && 904 (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS)) 905 alignment_prevented_execution = 1; 906 #endif 907 } else { 908 if (fd_prog >= 0) { 909 printf("FAIL\nUnexpected success to load!\n"); 910 goto fail_log; 911 } 912 if (!strstr(bpf_vlog, expected_err)) { 913 printf("FAIL\nUnexpected error message!\n\tEXP: %s\n\tRES: %s\n", 914 expected_err, bpf_vlog); 915 goto fail_log; 916 } 917 } 918 919 if (test->insn_processed) { 920 uint32_t insn_processed; 921 char *proc; 922 923 proc = strstr(bpf_vlog, "processed "); 924 insn_processed = atoi(proc + 10); 925 if (test->insn_processed != insn_processed) { 926 printf("FAIL\nUnexpected insn_processed %u vs %u\n", 927 insn_processed, test->insn_processed); 928 goto fail_log; 929 } 930 } 931 932 run_errs = 0; 933 run_successes = 0; 934 if (!alignment_prevented_execution && fd_prog >= 0) { 935 uint32_t expected_val; 936 int i; 937 938 if (!test->runs) { 939 expected_val = unpriv && test->retval_unpriv ? 940 test->retval_unpriv : test->retval; 941 942 err = do_prog_test_run(fd_prog, unpriv, expected_val, 943 test->data, sizeof(test->data)); 944 if (err) 945 run_errs++; 946 else 947 run_successes++; 948 } 949 950 for (i = 0; i < test->runs; i++) { 951 if (unpriv && test->retvals[i].retval_unpriv) 952 expected_val = test->retvals[i].retval_unpriv; 953 else 954 expected_val = test->retvals[i].retval; 955 956 err = do_prog_test_run(fd_prog, unpriv, expected_val, 957 test->retvals[i].data, 958 sizeof(test->retvals[i].data)); 959 if (err) { 960 printf("(run %d/%d) ", i + 1, test->runs); 961 run_errs++; 962 } else { 963 run_successes++; 964 } 965 } 966 } 967 968 if (!run_errs) { 969 (*passes)++; 970 if (run_successes > 1) 971 printf("%d cases ", run_successes); 972 printf("OK"); 973 if (alignment_prevented_execution) 974 printf(" (NOTE: not executed due to unknown alignment)"); 975 printf("\n"); 976 } else { 977 printf("\n"); 978 goto fail_log; 979 } 980 close_fds: 981 if (test->fill_insns) 982 free(test->fill_insns); 983 close(fd_prog); 984 for (i = 0; i < MAX_NR_MAPS; i++) 985 close(map_fds[i]); 986 sched_yield(); 987 return; 988 fail_log: 989 (*errors)++; 990 printf("%s", bpf_vlog); 991 goto close_fds; 992 } 993 994 static bool is_admin(void) 995 { 996 cap_t caps; 997 cap_flag_value_t sysadmin = CAP_CLEAR; 998 const cap_value_t cap_val = CAP_SYS_ADMIN; 999 1000 #ifdef CAP_IS_SUPPORTED 1001 if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) { 1002 perror("cap_get_flag"); 1003 return false; 1004 } 1005 #endif 1006 caps = cap_get_proc(); 1007 if (!caps) { 1008 perror("cap_get_proc"); 1009 return false; 1010 } 1011 if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin)) 1012 perror("cap_get_flag"); 1013 if (cap_free(caps)) 1014 perror("cap_free"); 1015 return (sysadmin == CAP_SET); 1016 } 1017 1018 static void get_unpriv_disabled() 1019 { 1020 char buf[2]; 1021 FILE *fd; 1022 1023 fd = fopen("/proc/sys/"UNPRIV_SYSCTL, "r"); 1024 if (!fd) { 1025 perror("fopen /proc/sys/"UNPRIV_SYSCTL); 1026 unpriv_disabled = true; 1027 return; 1028 } 1029 if (fgets(buf, 2, fd) == buf && atoi(buf)) 1030 unpriv_disabled = true; 1031 fclose(fd); 1032 } 1033 1034 static bool test_as_unpriv(struct bpf_test *test) 1035 { 1036 return !test->prog_type || 1037 test->prog_type == BPF_PROG_TYPE_SOCKET_FILTER || 1038 test->prog_type == BPF_PROG_TYPE_CGROUP_SKB; 1039 } 1040 1041 static int do_test(bool unpriv, unsigned int from, unsigned int to) 1042 { 1043 int i, passes = 0, errors = 0; 1044 1045 for (i = from; i < to; i++) { 1046 struct bpf_test *test = &tests[i]; 1047 1048 /* Program types that are not supported by non-root we 1049 * skip right away. 1050 */ 1051 if (test_as_unpriv(test) && unpriv_disabled) { 1052 printf("#%d/u %s SKIP\n", i, test->descr); 1053 skips++; 1054 } else if (test_as_unpriv(test)) { 1055 if (!unpriv) 1056 set_admin(false); 1057 printf("#%d/u %s ", i, test->descr); 1058 do_test_single(test, true, &passes, &errors); 1059 if (!unpriv) 1060 set_admin(true); 1061 } 1062 1063 if (unpriv) { 1064 printf("#%d/p %s SKIP\n", i, test->descr); 1065 skips++; 1066 } else { 1067 printf("#%d/p %s ", i, test->descr); 1068 do_test_single(test, false, &passes, &errors); 1069 } 1070 } 1071 1072 printf("Summary: %d PASSED, %d SKIPPED, %d FAILED\n", passes, 1073 skips, errors); 1074 return errors ? EXIT_FAILURE : EXIT_SUCCESS; 1075 } 1076 1077 int main(int argc, char **argv) 1078 { 1079 unsigned int from = 0, to = ARRAY_SIZE(tests); 1080 bool unpriv = !is_admin(); 1081 1082 if (argc == 3) { 1083 unsigned int l = atoi(argv[argc - 2]); 1084 unsigned int u = atoi(argv[argc - 1]); 1085 1086 if (l < to && u < to) { 1087 from = l; 1088 to = u + 1; 1089 } 1090 } else if (argc == 2) { 1091 unsigned int t = atoi(argv[argc - 1]); 1092 1093 if (t < to) { 1094 from = t; 1095 to = t + 1; 1096 } 1097 } 1098 1099 get_unpriv_disabled(); 1100 if (unpriv && unpriv_disabled) { 1101 printf("Cannot run as unprivileged user with sysctl %s.\n", 1102 UNPRIV_SYSCTL); 1103 return EXIT_FAILURE; 1104 } 1105 1106 bpf_semi_rand_init(); 1107 return do_test(unpriv, from, to); 1108 } 1109