xref: /OK3568_Linux_fs/kernel/tools/testing/selftests/bpf/verifier/runtime_jit.c (revision 4882a59341e53eb6f0b4789bf948001014eff981) 
1*4882a593Smuzhiyun {
2*4882a593Smuzhiyun 	"runtime/jit: tail_call within bounds, prog once",
3*4882a593Smuzhiyun 	.insns = {
4*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_3, 0),
5*4882a593Smuzhiyun 	BPF_LD_MAP_FD(BPF_REG_2, 0),
6*4882a593Smuzhiyun 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_tail_call),
7*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_0, 1),
8*4882a593Smuzhiyun 	BPF_EXIT_INSN(),
9*4882a593Smuzhiyun 	},
10*4882a593Smuzhiyun 	.fixup_prog1 = { 1 },
11*4882a593Smuzhiyun 	.result = ACCEPT,
12*4882a593Smuzhiyun 	.retval = 42,
13*4882a593Smuzhiyun },
14*4882a593Smuzhiyun {
15*4882a593Smuzhiyun 	"runtime/jit: tail_call within bounds, prog loop",
16*4882a593Smuzhiyun 	.insns = {
17*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_3, 1),
18*4882a593Smuzhiyun 	BPF_LD_MAP_FD(BPF_REG_2, 0),
19*4882a593Smuzhiyun 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_tail_call),
20*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_0, 1),
21*4882a593Smuzhiyun 	BPF_EXIT_INSN(),
22*4882a593Smuzhiyun 	},
23*4882a593Smuzhiyun 	.fixup_prog1 = { 1 },
24*4882a593Smuzhiyun 	.result = ACCEPT,
25*4882a593Smuzhiyun 	.retval = 41,
26*4882a593Smuzhiyun },
27*4882a593Smuzhiyun {
28*4882a593Smuzhiyun 	"runtime/jit: tail_call within bounds, no prog",
29*4882a593Smuzhiyun 	.insns = {
30*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_3, 3),
31*4882a593Smuzhiyun 	BPF_LD_MAP_FD(BPF_REG_2, 0),
32*4882a593Smuzhiyun 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_tail_call),
33*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_0, 1),
34*4882a593Smuzhiyun 	BPF_EXIT_INSN(),
35*4882a593Smuzhiyun 	},
36*4882a593Smuzhiyun 	.fixup_prog1 = { 1 },
37*4882a593Smuzhiyun 	.result = ACCEPT,
38*4882a593Smuzhiyun 	.retval = 1,
39*4882a593Smuzhiyun },
40*4882a593Smuzhiyun {
41*4882a593Smuzhiyun 	"runtime/jit: tail_call within bounds, key 2",
42*4882a593Smuzhiyun 	.insns = {
43*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_3, 2),
44*4882a593Smuzhiyun 	BPF_LD_MAP_FD(BPF_REG_2, 0),
45*4882a593Smuzhiyun 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_tail_call),
46*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_0, 1),
47*4882a593Smuzhiyun 	BPF_EXIT_INSN(),
48*4882a593Smuzhiyun 	},
49*4882a593Smuzhiyun 	.fixup_prog1 = { 1 },
50*4882a593Smuzhiyun 	.result = ACCEPT,
51*4882a593Smuzhiyun 	.retval = 24,
52*4882a593Smuzhiyun },
53*4882a593Smuzhiyun {
54*4882a593Smuzhiyun 	"runtime/jit: tail_call within bounds, key 2 / key 2, first branch",
55*4882a593Smuzhiyun 	.insns = {
56*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_0, 13),
57*4882a593Smuzhiyun 	BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
58*4882a593Smuzhiyun 		    offsetof(struct __sk_buff, cb[0])),
59*4882a593Smuzhiyun 	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
60*4882a593Smuzhiyun 		    offsetof(struct __sk_buff, cb[0])),
61*4882a593Smuzhiyun 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 13, 4),
62*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_3, 2),
63*4882a593Smuzhiyun 	BPF_LD_MAP_FD(BPF_REG_2, 0),
64*4882a593Smuzhiyun 	BPF_JMP_IMM(BPF_JA, 0, 0, 3),
65*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_3, 2),
66*4882a593Smuzhiyun 	BPF_LD_MAP_FD(BPF_REG_2, 0),
67*4882a593Smuzhiyun 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_tail_call),
68*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_0, 1),
69*4882a593Smuzhiyun 	BPF_EXIT_INSN(),
70*4882a593Smuzhiyun 	},
71*4882a593Smuzhiyun 	.fixup_prog1 = { 5, 9 },
72*4882a593Smuzhiyun 	.result = ACCEPT,
73*4882a593Smuzhiyun 	.retval = 24,
74*4882a593Smuzhiyun },
75*4882a593Smuzhiyun {
76*4882a593Smuzhiyun 	"runtime/jit: tail_call within bounds, key 2 / key 2, second branch",
77*4882a593Smuzhiyun 	.insns = {
78*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_0, 14),
79*4882a593Smuzhiyun 	BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
80*4882a593Smuzhiyun 		    offsetof(struct __sk_buff, cb[0])),
81*4882a593Smuzhiyun 	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
82*4882a593Smuzhiyun 		    offsetof(struct __sk_buff, cb[0])),
83*4882a593Smuzhiyun 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 13, 4),
84*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_3, 2),
85*4882a593Smuzhiyun 	BPF_LD_MAP_FD(BPF_REG_2, 0),
86*4882a593Smuzhiyun 	BPF_JMP_IMM(BPF_JA, 0, 0, 3),
87*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_3, 2),
88*4882a593Smuzhiyun 	BPF_LD_MAP_FD(BPF_REG_2, 0),
89*4882a593Smuzhiyun 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_tail_call),
90*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_0, 1),
91*4882a593Smuzhiyun 	BPF_EXIT_INSN(),
92*4882a593Smuzhiyun 	},
93*4882a593Smuzhiyun 	.fixup_prog1 = { 5, 9 },
94*4882a593Smuzhiyun 	.result = ACCEPT,
95*4882a593Smuzhiyun 	.retval = 24,
96*4882a593Smuzhiyun },
97*4882a593Smuzhiyun {
98*4882a593Smuzhiyun 	"runtime/jit: tail_call within bounds, key 0 / key 2, first branch",
99*4882a593Smuzhiyun 	.insns = {
100*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_0, 13),
101*4882a593Smuzhiyun 	BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
102*4882a593Smuzhiyun 		    offsetof(struct __sk_buff, cb[0])),
103*4882a593Smuzhiyun 	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
104*4882a593Smuzhiyun 		    offsetof(struct __sk_buff, cb[0])),
105*4882a593Smuzhiyun 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 13, 4),
106*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_3, 0),
107*4882a593Smuzhiyun 	BPF_LD_MAP_FD(BPF_REG_2, 0),
108*4882a593Smuzhiyun 	BPF_JMP_IMM(BPF_JA, 0, 0, 3),
109*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_3, 2),
110*4882a593Smuzhiyun 	BPF_LD_MAP_FD(BPF_REG_2, 0),
111*4882a593Smuzhiyun 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_tail_call),
112*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_0, 1),
113*4882a593Smuzhiyun 	BPF_EXIT_INSN(),
114*4882a593Smuzhiyun 	},
115*4882a593Smuzhiyun 	.fixup_prog1 = { 5, 9 },
116*4882a593Smuzhiyun 	.result = ACCEPT,
117*4882a593Smuzhiyun 	.retval = 24,
118*4882a593Smuzhiyun },
119*4882a593Smuzhiyun {
120*4882a593Smuzhiyun 	"runtime/jit: tail_call within bounds, key 0 / key 2, second branch",
121*4882a593Smuzhiyun 	.insns = {
122*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_0, 14),
123*4882a593Smuzhiyun 	BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
124*4882a593Smuzhiyun 		    offsetof(struct __sk_buff, cb[0])),
125*4882a593Smuzhiyun 	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
126*4882a593Smuzhiyun 		    offsetof(struct __sk_buff, cb[0])),
127*4882a593Smuzhiyun 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 13, 4),
128*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_3, 0),
129*4882a593Smuzhiyun 	BPF_LD_MAP_FD(BPF_REG_2, 0),
130*4882a593Smuzhiyun 	BPF_JMP_IMM(BPF_JA, 0, 0, 3),
131*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_3, 2),
132*4882a593Smuzhiyun 	BPF_LD_MAP_FD(BPF_REG_2, 0),
133*4882a593Smuzhiyun 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_tail_call),
134*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_0, 1),
135*4882a593Smuzhiyun 	BPF_EXIT_INSN(),
136*4882a593Smuzhiyun 	},
137*4882a593Smuzhiyun 	.fixup_prog1 = { 5, 9 },
138*4882a593Smuzhiyun 	.result = ACCEPT,
139*4882a593Smuzhiyun 	.retval = 42,
140*4882a593Smuzhiyun },
141*4882a593Smuzhiyun {
142*4882a593Smuzhiyun 	"runtime/jit: tail_call within bounds, different maps, first branch",
143*4882a593Smuzhiyun 	.insns = {
144*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_0, 13),
145*4882a593Smuzhiyun 	BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
146*4882a593Smuzhiyun 		    offsetof(struct __sk_buff, cb[0])),
147*4882a593Smuzhiyun 	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
148*4882a593Smuzhiyun 		    offsetof(struct __sk_buff, cb[0])),
149*4882a593Smuzhiyun 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 13, 4),
150*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_3, 0),
151*4882a593Smuzhiyun 	BPF_LD_MAP_FD(BPF_REG_2, 0),
152*4882a593Smuzhiyun 	BPF_JMP_IMM(BPF_JA, 0, 0, 3),
153*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_3, 0),
154*4882a593Smuzhiyun 	BPF_LD_MAP_FD(BPF_REG_2, 0),
155*4882a593Smuzhiyun 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_tail_call),
156*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_0, 1),
157*4882a593Smuzhiyun 	BPF_EXIT_INSN(),
158*4882a593Smuzhiyun 	},
159*4882a593Smuzhiyun 	.fixup_prog1 = { 5 },
160*4882a593Smuzhiyun 	.fixup_prog2 = { 9 },
161*4882a593Smuzhiyun 	.result_unpriv = REJECT,
162*4882a593Smuzhiyun 	.errstr_unpriv = "tail_call abusing map_ptr",
163*4882a593Smuzhiyun 	.result = ACCEPT,
164*4882a593Smuzhiyun 	.retval = 1,
165*4882a593Smuzhiyun },
166*4882a593Smuzhiyun {
167*4882a593Smuzhiyun 	"runtime/jit: tail_call within bounds, different maps, second branch",
168*4882a593Smuzhiyun 	.insns = {
169*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_0, 14),
170*4882a593Smuzhiyun 	BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
171*4882a593Smuzhiyun 		    offsetof(struct __sk_buff, cb[0])),
172*4882a593Smuzhiyun 	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
173*4882a593Smuzhiyun 		    offsetof(struct __sk_buff, cb[0])),
174*4882a593Smuzhiyun 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 13, 4),
175*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_3, 0),
176*4882a593Smuzhiyun 	BPF_LD_MAP_FD(BPF_REG_2, 0),
177*4882a593Smuzhiyun 	BPF_JMP_IMM(BPF_JA, 0, 0, 3),
178*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_3, 0),
179*4882a593Smuzhiyun 	BPF_LD_MAP_FD(BPF_REG_2, 0),
180*4882a593Smuzhiyun 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_tail_call),
181*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_0, 1),
182*4882a593Smuzhiyun 	BPF_EXIT_INSN(),
183*4882a593Smuzhiyun 	},
184*4882a593Smuzhiyun 	.fixup_prog1 = { 5 },
185*4882a593Smuzhiyun 	.fixup_prog2 = { 9 },
186*4882a593Smuzhiyun 	.result_unpriv = REJECT,
187*4882a593Smuzhiyun 	.errstr_unpriv = "tail_call abusing map_ptr",
188*4882a593Smuzhiyun 	.result = ACCEPT,
189*4882a593Smuzhiyun 	.retval = 42,
190*4882a593Smuzhiyun },
191*4882a593Smuzhiyun {
192*4882a593Smuzhiyun 	"runtime/jit: tail_call out of bounds",
193*4882a593Smuzhiyun 	.insns = {
194*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_3, 256),
195*4882a593Smuzhiyun 	BPF_LD_MAP_FD(BPF_REG_2, 0),
196*4882a593Smuzhiyun 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_tail_call),
197*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_0, 2),
198*4882a593Smuzhiyun 	BPF_EXIT_INSN(),
199*4882a593Smuzhiyun 	},
200*4882a593Smuzhiyun 	.fixup_prog1 = { 1 },
201*4882a593Smuzhiyun 	.result = ACCEPT,
202*4882a593Smuzhiyun 	.retval = 2,
203*4882a593Smuzhiyun },
204*4882a593Smuzhiyun {
205*4882a593Smuzhiyun 	"runtime/jit: pass negative index to tail_call",
206*4882a593Smuzhiyun 	.insns = {
207*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_3, -1),
208*4882a593Smuzhiyun 	BPF_LD_MAP_FD(BPF_REG_2, 0),
209*4882a593Smuzhiyun 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_tail_call),
210*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_0, 2),
211*4882a593Smuzhiyun 	BPF_EXIT_INSN(),
212*4882a593Smuzhiyun 	},
213*4882a593Smuzhiyun 	.fixup_prog1 = { 1 },
214*4882a593Smuzhiyun 	.result = ACCEPT,
215*4882a593Smuzhiyun 	.retval = 2,
216*4882a593Smuzhiyun },
217*4882a593Smuzhiyun {
218*4882a593Smuzhiyun 	"runtime/jit: pass > 32bit index to tail_call",
219*4882a593Smuzhiyun 	.insns = {
220*4882a593Smuzhiyun 	BPF_LD_IMM64(BPF_REG_3, 0x100000000ULL),
221*4882a593Smuzhiyun 	BPF_LD_MAP_FD(BPF_REG_2, 0),
222*4882a593Smuzhiyun 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_tail_call),
223*4882a593Smuzhiyun 	BPF_MOV64_IMM(BPF_REG_0, 2),
224*4882a593Smuzhiyun 	BPF_EXIT_INSN(),
225*4882a593Smuzhiyun 	},
226*4882a593Smuzhiyun 	.fixup_prog1 = { 2 },
227*4882a593Smuzhiyun 	.result = ACCEPT,
228*4882a593Smuzhiyun 	.retval = 42,
229*4882a593Smuzhiyun 	/* Verifier rewrite for unpriv skips tail call here. */
230*4882a593Smuzhiyun 	.retval_unpriv = 2,
231*4882a593Smuzhiyun },
232