linux/tools/testing/selftests/bpf/progs/cb_refs.c
Eduard Zingerman ab5cfac139 bpf: verify callbacks as if they are called unknown number of times
Prior to this patch callbacks were handled as regular function calls,
execution of callback body was modeled exactly once.
This patch updates callbacks handling logic as follows:
- introduces a function push_callback_call() that schedules callback
  body verification in env->head stack;
- updates prepare_func_exit() to reschedule callback body verification
  upon BPF_EXIT;
- as calls to bpf_*_iter_next(), calls to callback invoking functions
  are marked as checkpoints;
- is_state_visited() is updated to stop callback based iteration when
  some identical parent state is found.

Paths with callback function invoked zero times are now verified first,
which makes it necessary to modify some selftests:
- the following negative tests required adding release/unlock/drop
  calls to avoid previously masked unrelated error reports:
  - cb_refs.c:underflow_prog
  - exceptions_fail.c:reject_rbtree_add_throw
  - exceptions_fail.c:reject_with_cp_reference
- the following precision tracking selftests needed change in expected
  log trace:
  - verifier_subprog_precision.c:callback_result_precise
    (note: r0 precision is no longer propagated inside callback and
           I think this is a correct behavior)
  - verifier_subprog_precision.c:parent_callee_saved_reg_precise_with_callback
  - verifier_subprog_precision.c:parent_stack_slot_precise_with_callback

Reported-by: Andrew Werner <awerner32@gmail.com>
Closes: https://lore.kernel.org/bpf/CA+vRuzPChFNXmouzGG+wsy=6eMcfr1mFG0F3g7rbg-sedGKW3w@mail.gmail.com/
Acked-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20231121020701.26440-7-eddyz87@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2023-11-20 18:35:44 -08:00


// SPDX-License-Identifier: GPL-2.0
#include <vmlinux.h>
#include <bpf/bpf_tracing.h>
#include <bpf/bpf_helpers.h>
#include "../bpf_testmod/bpf_testmod_kfunc.h"
/*
 * Value type stored in array_map.
 *
 * The single field is tagged __kptr, i.e. it is a kernel pointer kept inside
 * a map value. leak_prog moves a pointer into this slot with bpf_kptr_xchg().
 */
struct map_value {
	struct prog_test_ref_kfunc __kptr *ptr;
};
/*
 * Array map with int keys, struct map_value values and 16 entries, placed in
 * the ".maps" section. Every program in this file iterates over it with
 * bpf_for_each_map_elem(); the element contents are only touched by
 * leak_prog.
 */
struct {
	__uint(type, BPF_MAP_TYPE_ARRAY);
	__type(key, int);
	__type(value, struct map_value);
	__uint(max_entries, 16);
} array_map SEC(".maps");
/*
 * Releases a reference that this function did not acquire.
 *
 * ctx points at a pointer slot owned by the caller; the pointer stored there
 * is read and passed to bpf_kfunc_call_test_release(). map, key and value are
 * unused. Always returns 0.
 *
 * Used both as a bpf_for_each_map_elem() callback (underflow_prog) and as a
 * plain direct call (non_cb_transfer_ref). __noinline asks the compiler to
 * keep it as a separate function.
 */
static __noinline int cb1(void *map, void *key, void *value, void *ctx)
{
	void *p = *(void **)ctx;
	bpf_kfunc_call_test_release(p);
	/*
	 * Without the fix this would cause underflow: as a map-iteration
	 * callback this body may run once per element, so a single reference
	 * held by the caller would be released more than once.
	 * NOTE(review): "the fix" is the verifier-side reference tracking for
	 * callbacks; it is not identified in this file.
	 */
	return 0;
}
/*
 * Negative test: a callback must not release a reference owned by its caller.
 *
 * Acquires one reference, hands its address to cb1 through
 * bpf_for_each_map_elem(), and cb1 releases it. The verifier is expected to
 * reject this program; the expected message is checked by the test runner,
 * not here.
 *
 * The "?" in the section name marks the program as not loaded automatically,
 * so the runner can load it on its own and inspect the failure.
 *
 * Returns 0 on every path.
 */
SEC("?tc")
int underflow_prog(void *ctx)
{
	struct prog_test_ref_kfunc *p;
	unsigned long sl = 0;
	p = bpf_kfunc_call_test_acquire(&sl);
	/* Acquire may fail; nothing is held in that case. */
	if (!p)
		return 0;
	/* &p is the callback ctx: cb1 reads p through it and releases it. */
	bpf_for_each_map_elem(&array_map, cb1, &p, 0);
	/*
	 * Balances the acquire on the path where the callback ran zero times.
	 * NOTE(review): presumably needed so that path does not fail with an
	 * unrelated unreleased-reference error and mask the one this test
	 * targets; confirm against the expected message in the runner.
	 */
	bpf_kfunc_call_test_release(p);
	return 0;
}
/*
 * Map-iteration callback that acquires a reference and leaves it held.
 *
 * The pointer returned by bpf_kfunc_call_test_acquire() is written into the
 * caller-owned slot that ctx points at; nothing in this function releases it.
 * map, key and value are unused. Always returns 0.
 */
static __always_inline int cb2(void *map, void *key, void *value, void *ctx)
{
	unsigned long sl = 0;
	*(void **)ctx = bpf_kfunc_call_test_acquire(&sl);
	/*
	 * Without the fix this would leak memory: each invocation overwrites
	 * the slot with a freshly acquired pointer, so all but the last
	 * reference would become unreachable.
	 */
	return 0;
}
/*
 * Negative test: a reference acquired inside a callback must not escape it.
 *
 * Looks up element 0 of array_map, lets cb2 store an acquired pointer into
 * the local p through the callback ctx, then moves p into the map value with
 * bpf_kptr_xchg() and releases whatever pointer was stored there before.
 * The verifier is expected to reject this program; the expected message is
 * checked by the test runner, not here.
 *
 * Returns 0 on every path.
 */
SEC("?tc")
int leak_prog(void *ctx)
{
	struct prog_test_ref_kfunc *p;
	struct map_value *v;
	/* Key 0 is passed as a compound literal. */
	v = bpf_map_lookup_elem(&array_map, &(int){0});
	if (!v)
		return 0;
	/* Start from NULL so p is defined even if the callback never runs. */
	p = NULL;
	bpf_for_each_map_elem(&array_map, cb2, &p, 0);
	/* Store p in the map slot; the previous occupant comes back in p. */
	p = bpf_kptr_xchg(&v->ptr, p);
	if (p)
		bpf_kfunc_call_test_release(p);
	return 0;
}
/*
 * Empty map-iteration callback: ignores all four arguments and returns 0.
 * cb3 uses it as the inner callback of a nested bpf_for_each_map_elem().
 */
static __always_inline int cb(void *map, void *key, void *value, void *ctx)
{
	return 0;
}
/*
 * Outer callback of the nested-callback test.
 *
 * Acquires a reference and discards the returned pointer, so nothing in this
 * function can release it, then runs a second bpf_for_each_map_elem() with
 * the empty callback cb. None of the four arguments are used.
 * Always returns 0.
 */
static __always_inline int cb3(void *map, void *key, void *value, void *ctx)
{
	unsigned long sl = 0;
	/* Never assigned; only its address is passed on as ctx, which cb ignores. */
	void *p;
	/* Return value dropped on purpose: this is the unreleased reference. */
	bpf_kfunc_call_test_acquire(&sl);
	bpf_for_each_map_elem(&array_map, cb, &p, 0);
	/* It should only complain here, not in cb. This is why we need
	 * callback_ref to be set to frameno.
	 */
	return 0;
}
/*
 * Negative test: an unreleased reference in a nested callback must be
 * reported against the callback that acquired it.
 *
 * The program itself is balanced (one acquire, one release of p). The
 * violation is inside cb3, which acquires a reference it never releases and
 * then invokes a further, empty callback. The verifier is expected to reject
 * the program; the expected message is checked by the test runner, not here.
 *
 * Returns 0 on every path.
 */
SEC("?tc")
int nested_cb(void *ctx)
{
	struct prog_test_ref_kfunc *p;
	unsigned long sl = 0;
	int sp = 0;
	p = bpf_kfunc_call_test_acquire(&sl);
	if (!p)
		return 0;
	/* &sp only serves as a ctx argument; cb3 does not read its ctx. */
	bpf_for_each_map_elem(&array_map, cb3, &sp, 0);
	bpf_kfunc_call_test_release(p);
	return 0;
}
/*
 * Negative test: the same helper that is rejected as a callback may release
 * the caller's reference when it is called directly.
 *
 * p is acquired and then released by a plain call to cb1 (map, key and value
 * are passed as NULL; cb1 does not use them). A second acquire follows whose
 * result is discarded, so that reference is still held when the program
 * returns.
 * NOTE(review): presumably the second acquire is the only violation the
 * verifier should report here; confirm against the expected message in the
 * test runner.
 *
 * Returns 0 on every path.
 */
SEC("?tc")
int non_cb_transfer_ref(void *ctx)
{
	struct prog_test_ref_kfunc *p;
	unsigned long sl = 0;
	p = bpf_kfunc_call_test_acquire(&sl);
	if (!p)
		return 0;
	/* Direct call, not a callback: cb1 releases p through &p. */
	cb1(NULL, NULL, NULL, &p);
	/* Return value dropped on purpose: this reference is never released. */
	bpf_kfunc_call_test_acquire(&sl);
	return 0;
}
/* License string for this BPF object, emitted into the "license" section. */
char _license[] SEC("license") = "GPL";