tools/testing/selftests/bpf/progs/verifier_map_in_map.c

root/tools/testing/selftests/bpf/progs/verifier_map_in_map.c
// SPDX-License-Identifier: GPL-2.0
/* Converted from tools/testing/selftests/bpf/verifier/map_in_map.c */

#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
#include "bpf_misc.h"

struct {
        __uint(type, BPF_MAP_TYPE_ARRAY_OF_MAPS);
        __uint(max_entries, 1);
        __type(key, int);
        __type(value, int);
        __array(values, struct {
                __uint(type, BPF_MAP_TYPE_ARRAY);
                __uint(max_entries, 1);
                __type(key, int);
                __type(value, int);
        });
} map_in_map SEC(".maps");

SEC("socket")
__description("map in map access")
__success __success_unpriv __retval(0)
__naked void map_in_map_access(void)
{
        asm volatile ("                                 \
        r1 = 0;                                         \
        *(u32*)(r10 - 4) = r1;                          \
        r2 = r10;                                       \
        r2 += -4;                                       \
        r1 = %[map_in_map] ll;                          \
        call %[bpf_map_lookup_elem];                    \
        if r0 == 0 goto l0_%=;                          \
        r1 = 0;                                         \
        *(u32*)(r10 - 4) = r1;                          \
        r2 = r10;                                       \
        r2 += -4;                                       \
        r1 = r0;                                        \
        call %[bpf_map_lookup_elem];                    \
l0_%=:  r0 = 0;                                         \
        exit;                                           \
"       :
        : __imm(bpf_map_lookup_elem),
          __imm_addr(map_in_map)
        : __clobber_all);
}

SEC("xdp")
__description("map in map state pruning")
__success __msg("processed 15 insns")
__log_level(2) __retval(0) __flag(BPF_F_TEST_STATE_FREQ)
__naked void map_in_map_state_pruning(void)
{
        asm volatile ("                                 \
        r1 = 0;                                         \
        *(u32*)(r10 - 4) = r1;                          \
        r6 = r10;                                       \
        r6 += -4;                                       \
        r2 = r6;                                        \
        r1 = %[map_in_map] ll;                          \
        call %[bpf_map_lookup_elem];                    \
        if r0 != 0 goto l0_%=;                          \
        exit;                                           \
l0_%=:  r2 = r6;                                        \
        r1 = r0;                                        \
        call %[bpf_map_lookup_elem];                    \
        if r0 != 0 goto l1_%=;                          \
        r2 = r6;                                        \
        r1 = %[map_in_map] ll;                          \
        call %[bpf_map_lookup_elem];                    \
        if r0 != 0 goto l2_%=;                          \
        exit;                                           \
l2_%=:  r2 = r6;                                        \
        r1 = r0;                                        \
        call %[bpf_map_lookup_elem];                    \
        if r0 != 0 goto l1_%=;                          \
        exit;                                           \
l1_%=:  r0 = *(u32*)(r0 + 0);                           \
        exit;                                           \
"       :
        : __imm(bpf_map_lookup_elem),
          __imm_addr(map_in_map)
        : __clobber_all);
}

SEC("socket")
__description("invalid inner map pointer")
__failure __msg("R1 pointer arithmetic on map_ptr prohibited")
__failure_unpriv
__naked void invalid_inner_map_pointer(void)
{
        asm volatile ("                                 \
        r1 = 0;                                         \
        *(u32*)(r10 - 4) = r1;                          \
        r2 = r10;                                       \
        r2 += -4;                                       \
        r1 = %[map_in_map] ll;                          \
        call %[bpf_map_lookup_elem];                    \
        if r0 == 0 goto l0_%=;                          \
        r1 = 0;                                         \
        *(u32*)(r10 - 4) = r1;                          \
        r2 = r10;                                       \
        r2 += -4;                                       \
        r1 = r0;                                        \
        r1 += 8;                                        \
        call %[bpf_map_lookup_elem];                    \
l0_%=:  r0 = 0;                                         \
        exit;                                           \
"       :
        : __imm(bpf_map_lookup_elem),
          __imm_addr(map_in_map)
        : __clobber_all);
}

SEC("socket")
__description("forgot null checking on the inner map pointer")
__failure __msg("R1 type=map_value_or_null expected=map_ptr")
__failure_unpriv
__naked void on_the_inner_map_pointer(void)
{
        asm volatile ("                                 \
        r1 = 0;                                         \
        *(u32*)(r10 - 4) = r1;                          \
        r2 = r10;                                       \
        r2 += -4;                                       \
        r1 = %[map_in_map] ll;                          \
        call %[bpf_map_lookup_elem];                    \
        r1 = 0;                                         \
        *(u32*)(r10 - 4) = r1;                          \
        r2 = r10;                                       \
        r2 += -4;                                       \
        r1 = r0;                                        \
        call %[bpf_map_lookup_elem];                    \
        r0 = 0;                                         \
        exit;                                           \
"       :
        : __imm(bpf_map_lookup_elem),
          __imm_addr(map_in_map)
        : __clobber_all);
}

SEC("socket")
__description("map_ptr is never null")
__success
__naked void map_ptr_is_never_null(void)
{
        asm volatile ("                                 \
        r0 = 0;                                         \
        r1 = %[map_in_map] ll;                          \
        if r1 != 0 goto l0_%=;                          \
        r10 = 42;                                       \
l0_%=:  exit;                                           \
"       :
        : __imm(bpf_map_lookup_elem),
          __imm_addr(map_in_map)
        : __clobber_all);
}

SEC("socket")
__description("map_ptr is never null inner")
__success
__naked void map_ptr_is_never_null_inner(void)
{
        asm volatile ("                                 \
        r1 = 0;                                         \
        *(u32*)(r10 - 4) = r1;                          \
        r2 = r10;                                       \
        r2 += -4;                                       \
        r1 = %[map_in_map] ll;                          \
        call %[bpf_map_lookup_elem];                    \
        if r0 == 0 goto l0_%=;                          \
        if r0 != 0 goto l0_%=;                          \
        r10 = 42;                                       \
l0_%=:  exit;                                           \
"       :
        : __imm(bpf_map_lookup_elem),
          __imm_addr(map_in_map)
        : __clobber_all);
}

SEC("socket")
__description("map_ptr is never null inner spill fill")
__success
__naked void map_ptr_is_never_null_inner_spill_fill(void)
{
        asm volatile ("                                 \
        r1 = 0;                                         \
        *(u32*)(r10 - 4) = r1;                          \
        r2 = r10;                                       \
        r2 += -4;                                       \
        r1 = %[map_in_map] ll;                          \
        call %[bpf_map_lookup_elem];                    \
        if r0 != 0 goto l0_%=;                          \
        exit;                                           \
l0_%=:  *(u64 *)(r10 -16) = r0;                         \
        r1 = *(u64 *)(r10 -16);                         \
        if r1 == 0 goto l1_%=;                          \
        exit;                                           \
l1_%=:  r10 = 42;                                       \
        exit;                                           \
"       :
        : __imm(bpf_map_lookup_elem),
          __imm_addr(map_in_map)
        : __clobber_all);
}

struct {
        __uint(type, BPF_MAP_TYPE_ARRAY_OF_MAPS);
        __uint(max_entries, 1);
        __type(key, int);
        __type(value, int);
        __array(values, struct {
                __uint(type, BPF_MAP_TYPE_RINGBUF);
                __uint(max_entries, 64 * 1024);
        });
} rb_in_map SEC(".maps");

struct rb_ctx {
        void *rb;
        struct bpf_dynptr dptr;
};

static __always_inline struct rb_ctx __rb_event_reserve(__u32 sz)
{
        struct rb_ctx rb_ctx = {};
        void *rb;
        __u32 cpu = bpf_get_smp_processor_id();
        __u32 rb_slot = cpu & 1;

        rb = bpf_map_lookup_elem(&rb_in_map, &rb_slot);
        if (!rb)
                return rb_ctx;

        rb_ctx.rb = rb;
        bpf_ringbuf_reserve_dynptr(rb, sz, 0, &rb_ctx.dptr);

        return rb_ctx;
}

static __noinline void __rb_event_submit(struct rb_ctx *ctx)
{
        if (!ctx->rb)
                return;

        /* If the verifier (incorrectly) concludes that ctx->rb can be
         * NULL at this point, we'll get "BPF_EXIT instruction in main
         * prog would lead to reference leak" error
         */
        bpf_ringbuf_submit_dynptr(&ctx->dptr, 0);
}

SEC("socket")
int map_ptr_is_never_null_rb(void *ctx)
{
        struct rb_ctx event_ctx = __rb_event_reserve(256);
        __rb_event_submit(&event_ctx);
        return 0;
}

char _license[] SEC("license") = "GPL";
Linux
