tools/testing/selftests/bpf/progs/verifier_loops1.c

root/tools/testing/selftests/bpf/progs/verifier_loops1.c
// SPDX-License-Identifier: GPL-2.0
/* Converted from tools/testing/selftests/bpf/verifier/loops1.c */

#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
#include "bpf_misc.h"

SEC("xdp")
__description("bounded loop, count to 4")
__success __retval(4)
__naked void bounded_loop_count_to_4(void)
{
        asm volatile ("                                 \
        r0 = 0;                                         \
l0_%=:  r0 += 1;                                        \
        if r0 < 4 goto l0_%=;                           \
        exit;                                           \
"       ::: __clobber_all);
}

SEC("tracepoint")
__description("bounded loop, count to 20")
__success
__naked void bounded_loop_count_to_20(void)
{
        asm volatile ("                                 \
        r0 = 0;                                         \
l0_%=:  r0 += 3;                                        \
        if r0 < 20 goto l0_%=;                          \
        exit;                                           \
"       ::: __clobber_all);
}

SEC("tracepoint")
__description("bounded loop, count from positive unknown to 4")
__success
__naked void from_positive_unknown_to_4(void)
{
        asm volatile ("                                 \
        call %[bpf_get_prandom_u32];                    \
        if r0 s< 0 goto l0_%=;                          \
l1_%=:  r0 += 1;                                        \
        if r0 < 4 goto l1_%=;                           \
l0_%=:  exit;                                           \
"       :
        : __imm(bpf_get_prandom_u32)
        : __clobber_all);
}

SEC("tracepoint")
__description("bounded loop, count from totally unknown to 4")
__success
__naked void from_totally_unknown_to_4(void)
{
        asm volatile ("                                 \
        call %[bpf_get_prandom_u32];                    \
l0_%=:  r0 += 1;                                        \
        if r0 < 4 goto l0_%=;                           \
        exit;                                           \
"       :
        : __imm(bpf_get_prandom_u32)
        : __clobber_all);
}

SEC("tracepoint")
__description("bounded loop, count to 4 with equality")
__success
__naked void count_to_4_with_equality(void)
{
        asm volatile ("                                 \
        r0 = 0;                                         \
l0_%=:  r0 += 1;                                        \
        if r0 != 4 goto l0_%=;                          \
        exit;                                           \
"       ::: __clobber_all);
}

SEC("socket")
__description("bounded loop, start in the middle")
__success
__failure_unpriv __msg_unpriv("back-edge")
__naked void loop_start_in_the_middle(void)
{
        asm volatile ("                                 \
        r0 = 0;                                         \
        goto l0_%=;                                     \
l1_%=:  r0 += 1;                                        \
l0_%=:  if r0 < 4 goto l1_%=;                           \
        exit;                                           \
"       ::: __clobber_all);
}

SEC("xdp")
__description("bounded loop containing a forward jump")
__success __retval(4)
__naked void loop_containing_a_forward_jump(void)
{
        asm volatile ("                                 \
        r0 = 0;                                         \
l1_%=:  r0 += 1;                                        \
        if r0 == r0 goto l0_%=;                         \
l0_%=:  if r0 < 4 goto l1_%=;                           \
        exit;                                           \
"       ::: __clobber_all);
}

SEC("tracepoint")
__description("bounded loop that jumps out rather than in")
__success
__naked void jumps_out_rather_than_in(void)
{
        asm volatile ("                                 \
        r6 = 0;                                         \
l1_%=:  r6 += 1;                                        \
        if r6 > 10000 goto l0_%=;                       \
        call %[bpf_get_prandom_u32];                    \
        goto l1_%=;                                     \
l0_%=:  exit;                                           \
"       :
        : __imm(bpf_get_prandom_u32)
        : __clobber_all);
}

SEC("tracepoint")
__description("infinite loop after a conditional jump")
__failure __msg("program is too large")
__naked void loop_after_a_conditional_jump(void)
{
        asm volatile ("                                 \
        r0 = 5;                                         \
        if r0 < 4 goto l0_%=;                           \
l1_%=:  r0 += 1;                                        \
        goto l1_%=;                                     \
l0_%=:  exit;                                           \
"       ::: __clobber_all);
}

SEC("tracepoint")
__description("bounded recursion")
__failure
/* verifier limitation in detecting max stack depth */
__msg("the call stack of 8 frames is too deep !")
__naked void bounded_recursion(void)
{
        asm volatile ("                                 \
        r1 = 0;                                         \
        call bounded_recursion__1;                      \
        exit;                                           \
"       ::: __clobber_all);
}

static __naked __noinline __attribute__((used))
void bounded_recursion__1(void)
{
        asm volatile ("                                 \
        r1 += 1;                                        \
        r0 = r1;                                        \
        if r1 < 4 goto l0_%=;                           \
        exit;                                           \
l0_%=:  call bounded_recursion__1;                      \
        exit;                                           \
"       ::: __clobber_all);
}

SEC("tracepoint")
__description("infinite loop in two jumps")
__failure __msg("loop detected")
__naked void infinite_loop_in_two_jumps(void)
{
        asm volatile ("                                 \
        r0 = 0;                                         \
l1_%=:  goto l0_%=;                                     \
l0_%=:  if r0 < 4 goto l1_%=;                           \
        exit;                                           \
"       ::: __clobber_all);
}

SEC("tracepoint")
__description("infinite loop: three-jump trick")
__failure __msg("loop detected")
__naked void infinite_loop_three_jump_trick(void)
{
        asm volatile ("                                 \
        r0 = 0;                                         \
l2_%=:  r0 += 1;                                        \
        r0 &= 1;                                        \
        if r0 < 2 goto l0_%=;                           \
        exit;                                           \
l0_%=:  r0 += 1;                                        \
        r0 &= 1;                                        \
        if r0 < 2 goto l1_%=;                           \
        exit;                                           \
l1_%=:  r0 += 1;                                        \
        r0 &= 1;                                        \
        if r0 < 2 goto l2_%=;                           \
        exit;                                           \
"       ::: __clobber_all);
}

SEC("xdp")
__description("not-taken loop with back jump to 1st insn")
__success __retval(123)
__naked void back_jump_to_1st_insn_1(void)
{
        asm volatile ("                                 \
l0_%=:  r0 = 123;                                       \
        if r0 == 4 goto l0_%=;                          \
        exit;                                           \
"       ::: __clobber_all);
}

SEC("xdp")
__description("taken loop with back jump to 1st insn")
__success __retval(55)
__naked void back_jump_to_1st_insn_2(void)
{
        asm volatile ("                                 \
        r1 = 10;                                        \
        r2 = 0;                                         \
        call back_jump_to_1st_insn_2__1;                \
        exit;                                           \
"       ::: __clobber_all);
}

static __naked __noinline __attribute__((used))
void back_jump_to_1st_insn_2__1(void)
{
        asm volatile ("                                 \
l0_%=:  r2 += r1;                                       \
        r1 -= 1;                                        \
        if r1 != 0 goto l0_%=;                          \
        r0 = r2;                                        \
        exit;                                           \
"       ::: __clobber_all);
}

SEC("xdp")
__description("taken loop with back jump to 1st insn, 2")
__success __retval(55)
__naked void jump_to_1st_insn_2(void)
{
        asm volatile ("                                 \
        r1 = 10;                                        \
        r2 = 0;                                         \
        call jump_to_1st_insn_2__1;                     \
        exit;                                           \
"       ::: __clobber_all);
}

static __naked __noinline __attribute__((used))
void jump_to_1st_insn_2__1(void)
{
        asm volatile ("                                 \
l0_%=:  r2 += r1;                                       \
        r1 -= 1;                                        \
        if w1 != 0 goto l0_%=;                          \
        r0 = r2;                                        \
        exit;                                           \
"       ::: __clobber_all);
}

SEC("xdp")
__success
__naked void not_an_inifinite_loop(void)
{
        asm volatile ("                                 \
        call %[bpf_get_prandom_u32];                    \
        r0 &= 0xff;                                     \
        *(u64 *)(r10 - 8) = r0;                         \
        r0 = 0;                                         \
loop_%=:                                                \
        r0 = *(u64 *)(r10 - 8);                         \
        if r0 > 10 goto exit_%=;                        \
        r0 += 1;                                        \
        *(u64 *)(r10 - 8) = r0;                         \
        r0 = 0;                                         \
        goto loop_%=;                                   \
exit_%=:                                                \
        r0 = 0;                                         \
        exit;                                           \
"       :
        : __imm(bpf_get_prandom_u32)
        : __clobber_all);
}

/*
 * This test case triggered a bug in verifier.c:maybe_exit_scc().
 * Speculative execution path reaches stack access instruction,
 * stops and triggers maybe_exit_scc() w/o accompanying maybe_enter_scc() call.
 */
SEC("socket")
__arch_x86_64
__caps_unpriv(CAP_BPF)
__naked void maybe_exit_scc_bug1(void)
{
        asm volatile (
        "r0 = 100;"
"1:"
        /* Speculative execution path reaches and stops here. */
        "*(u64 *)(r10 - 512) = r0;"
        /* Condition is always false, but verifier speculatively executes the true branch. */
        "if r0 <= 0x0 goto 1b;"
        "exit;"
        ::: __clobber_all);
}

char _license[] SEC("license") = "GPL";
Linux
