xref: /linux/tools/testing/selftests/bpf/progs/verifier_map_in_map.c (revision 0a91336e287ca2557fead5221d2c79e0effd034e) 
1 // SPDX-License-Identifier: GPL-2.0
2 /* Converted from tools/testing/selftests/bpf/verifier/map_in_map.c */
3 
4 #include <linux/bpf.h>
5 #include <bpf/bpf_helpers.h>
6 #include "bpf_misc.h"
7 
8 struct {
9 	__uint(type, BPF_MAP_TYPE_ARRAY_OF_MAPS);
10 	__uint(max_entries, 1);
11 	__type(key, int);
12 	__type(value, int);
13 	__array(values, struct {
14 		__uint(type, BPF_MAP_TYPE_ARRAY);
15 		__uint(max_entries, 1);
16 		__type(key, int);
17 		__type(value, int);
18 	});
19 } map_in_map SEC(".maps");
20 
21 SEC("socket")
22 __description("map in map access")
23 __success __success_unpriv __retval(0)
map_in_map_access(void)24 __naked void map_in_map_access(void)
25 {
26 	asm volatile ("					\
27 	r1 = 0;						\
28 	*(u32*)(r10 - 4) = r1;				\
29 	r2 = r10;					\
30 	r2 += -4;					\
31 	r1 = %[map_in_map] ll;				\
32 	call %[bpf_map_lookup_elem];			\
33 	if r0 == 0 goto l0_%=;				\
34 	r1 = 0;						\
35 	*(u32*)(r10 - 4) = r1;				\
36 	r2 = r10;					\
37 	r2 += -4;					\
38 	r1 = r0;					\
39 	call %[bpf_map_lookup_elem];			\
40 l0_%=:	r0 = 0;						\
41 	exit;						\
42 "	:
43 	: __imm(bpf_map_lookup_elem),
44 	  __imm_addr(map_in_map)
45 	: __clobber_all);
46 }
47 
48 SEC("xdp")
49 __description("map in map state pruning")
50 __success __msg("processed 15 insns")
__flag(BPF_F_TEST_STATE_FREQ)51 __log_level(2) __retval(0) __flag(BPF_F_TEST_STATE_FREQ)
52 __naked void map_in_map_state_pruning(void)
53 {
54 	asm volatile ("					\
55 	r1 = 0;						\
56 	*(u32*)(r10 - 4) = r1;				\
57 	r6 = r10;					\
58 	r6 += -4;					\
59 	r2 = r6;					\
60 	r1 = %[map_in_map] ll;				\
61 	call %[bpf_map_lookup_elem];			\
62 	if r0 != 0 goto l0_%=;				\
63 	exit;						\
64 l0_%=:	r2 = r6;					\
65 	r1 = r0;					\
66 	call %[bpf_map_lookup_elem];			\
67 	if r0 != 0 goto l1_%=;				\
68 	r2 = r6;					\
69 	r1 = %[map_in_map] ll;				\
70 	call %[bpf_map_lookup_elem];			\
71 	if r0 != 0 goto l2_%=;				\
72 	exit;						\
73 l2_%=:	r2 = r6;					\
74 	r1 = r0;					\
75 	call %[bpf_map_lookup_elem];			\
76 	if r0 != 0 goto l1_%=;				\
77 	exit;						\
78 l1_%=:	r0 = *(u32*)(r0 + 0);				\
79 	exit;						\
80 "	:
81 	: __imm(bpf_map_lookup_elem),
82 	  __imm_addr(map_in_map)
83 	: __clobber_all);
84 }
85 
86 SEC("socket")
87 __description("invalid inner map pointer")
88 __failure __msg("R1 pointer arithmetic on map_ptr prohibited")
89 __failure_unpriv
invalid_inner_map_pointer(void)90 __naked void invalid_inner_map_pointer(void)
91 {
92 	asm volatile ("					\
93 	r1 = 0;						\
94 	*(u32*)(r10 - 4) = r1;				\
95 	r2 = r10;					\
96 	r2 += -4;					\
97 	r1 = %[map_in_map] ll;				\
98 	call %[bpf_map_lookup_elem];			\
99 	if r0 == 0 goto l0_%=;				\
100 	r1 = 0;						\
101 	*(u32*)(r10 - 4) = r1;				\
102 	r2 = r10;					\
103 	r2 += -4;					\
104 	r1 = r0;					\
105 	r1 += 8;					\
106 	call %[bpf_map_lookup_elem];			\
107 l0_%=:	r0 = 0;						\
108 	exit;						\
109 "	:
110 	: __imm(bpf_map_lookup_elem),
111 	  __imm_addr(map_in_map)
112 	: __clobber_all);
113 }
114 
115 SEC("socket")
116 __description("forgot null checking on the inner map pointer")
117 __failure __msg("R1 type=map_value_or_null expected=map_ptr")
118 __failure_unpriv
on_the_inner_map_pointer(void)119 __naked void on_the_inner_map_pointer(void)
120 {
121 	asm volatile ("					\
122 	r1 = 0;						\
123 	*(u32*)(r10 - 4) = r1;				\
124 	r2 = r10;					\
125 	r2 += -4;					\
126 	r1 = %[map_in_map] ll;				\
127 	call %[bpf_map_lookup_elem];			\
128 	r1 = 0;						\
129 	*(u32*)(r10 - 4) = r1;				\
130 	r2 = r10;					\
131 	r2 += -4;					\
132 	r1 = r0;					\
133 	call %[bpf_map_lookup_elem];			\
134 	r0 = 0;						\
135 	exit;						\
136 "	:
137 	: __imm(bpf_map_lookup_elem),
138 	  __imm_addr(map_in_map)
139 	: __clobber_all);
140 }
141 
142 SEC("socket")
143 __description("map_ptr is never null")
144 __success
map_ptr_is_never_null(void)145 __naked void map_ptr_is_never_null(void)
146 {
147 	asm volatile ("					\
148 	r0 = 0;						\
149 	r1 = %[map_in_map] ll;				\
150 	if r1 != 0 goto l0_%=;				\
151 	r10 = 42;					\
152 l0_%=:	exit;						\
153 "	:
154 	: __imm(bpf_map_lookup_elem),
155 	  __imm_addr(map_in_map)
156 	: __clobber_all);
157 }
158 
159 SEC("socket")
160 __description("map_ptr is never null inner")
161 __success
map_ptr_is_never_null_inner(void)162 __naked void map_ptr_is_never_null_inner(void)
163 {
164 	asm volatile ("					\
165 	r1 = 0;						\
166 	*(u32*)(r10 - 4) = r1;				\
167 	r2 = r10;					\
168 	r2 += -4;					\
169 	r1 = %[map_in_map] ll;				\
170 	call %[bpf_map_lookup_elem];			\
171 	if r0 == 0 goto l0_%=;				\
172 	if r0 != 0 goto l0_%=;				\
173 	r10 = 42;					\
174 l0_%=:  exit;						\
175 "	:
176 	: __imm(bpf_map_lookup_elem),
177 	  __imm_addr(map_in_map)
178 	: __clobber_all);
179 }
180 
181 SEC("socket")
182 __description("map_ptr is never null inner spill fill")
183 __success
map_ptr_is_never_null_inner_spill_fill(void)184 __naked void map_ptr_is_never_null_inner_spill_fill(void)
185 {
186 	asm volatile ("					\
187 	r1 = 0;						\
188 	*(u32*)(r10 - 4) = r1;				\
189 	r2 = r10;					\
190 	r2 += -4;					\
191 	r1 = %[map_in_map] ll;				\
192 	call %[bpf_map_lookup_elem];			\
193 	if r0 != 0 goto l0_%=;				\
194 	exit;						\
195 l0_%=:	*(u64 *)(r10 -16) = r0;				\
196 	r1 = *(u64 *)(r10 -16);				\
197 	if r1 == 0 goto l1_%=;				\
198 	exit;						\
199 l1_%=:	r10 = 42;					\
200 	exit;						\
201 "	:
202 	: __imm(bpf_map_lookup_elem),
203 	  __imm_addr(map_in_map)
204 	: __clobber_all);
205 }
206 
207 struct {
208 	__uint(type, BPF_MAP_TYPE_ARRAY_OF_MAPS);
209 	__uint(max_entries, 1);
210 	__type(key, int);
211 	__type(value, int);
212 	__array(values, struct {
213 		__uint(type, BPF_MAP_TYPE_RINGBUF);
214 		__uint(max_entries, 64 * 1024);
215 	});
216 } rb_in_map SEC(".maps");
217 
218 struct rb_ctx {
219 	void *rb;
220 	struct bpf_dynptr dptr;
221 };
222 
__rb_event_reserve(__u32 sz)223 static __always_inline struct rb_ctx __rb_event_reserve(__u32 sz)
224 {
225 	struct rb_ctx rb_ctx = {};
226 	void *rb;
227 	__u32 cpu = bpf_get_smp_processor_id();
228 	__u32 rb_slot = cpu & 1;
229 
230 	rb = bpf_map_lookup_elem(&rb_in_map, &rb_slot);
231 	if (!rb)
232 		return rb_ctx;
233 
234 	rb_ctx.rb = rb;
235 	bpf_ringbuf_reserve_dynptr(rb, sz, 0, &rb_ctx.dptr);
236 
237 	return rb_ctx;
238 }
239 
__rb_event_submit(struct rb_ctx * ctx)240 static __noinline void __rb_event_submit(struct rb_ctx *ctx)
241 {
242 	if (!ctx->rb)
243 		return;
244 
245 	/* If the verifier (incorrectly) concludes that ctx->rb can be
246 	 * NULL at this point, we'll get "BPF_EXIT instruction in main
247 	 * prog would lead to reference leak" error
248 	 */
249 	bpf_ringbuf_submit_dynptr(&ctx->dptr, 0);
250 }
251 
252 SEC("socket")
map_ptr_is_never_null_rb(void * ctx)253 int map_ptr_is_never_null_rb(void *ctx)
254 {
255 	struct rb_ctx event_ctx = __rb_event_reserve(256);
256 	__rb_event_submit(&event_ctx);
257 	return 0;
258 }
259 
260 char _license[] SEC("license") = "GPL";
261