release/5.2.42/bpf-Test_progs-add-test-to-catch-retval-refine-error.patch - pub/scm/linux/kernel/git/paulg/longterm-queue-5.2 - Git at Google

 From 2e7b822217cf08620397bb067083d14e328c171d Mon Sep 17 00:00:00 2001
 From: John Fastabend <john.fastabend@gmail.com>
 Date: Mon, 30 Mar 2020 14:37:19 -0700
 Subject: [PATCH] bpf: Test_progs, add test to catch retval refine error
  handling

 commit d2db08c7a14e0b5eed6132baf258b80622e041a9 upstream.

 Before this series the verifier would clamp return bounds of
 bpf_get_stack() to [0, X] and this led the verifier to believe
 that a JMP_JSLT 0 would be false and so would prune that path.

 The result is anything hidden behind that JSLT would be unverified.
 Add a test to catch this case by hiding an goto pc-1 behind the
 check which will cause an infinite loop if not rejected.

 Signed-off-by: John Fastabend <john.fastabend@gmail.com>
 Signed-off-by: Alexei Starovoitov <ast@kernel.org>
 Link: https://lore.kernel.org/bpf/158560423908.10843.11783152347709008373.stgit@john-Precision-5820-Tower
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

 diff --git a/tools/testing/selftests/bpf/prog_tests/get_stack_raw_tp.c b/tools/testing/selftests/bpf/prog_tests/get_stack_raw_tp.c
 index c2a0a9d5591b..1b46764265f6 100644
 --- a/tools/testing/selftests/bpf/prog_tests/get_stack_raw_tp.c
 +++ b/tools/testing/selftests/bpf/prog_tests/get_stack_raw_tp.c
 @@ -77,12 +77,17 @@ static int get_stack_print_output(void *data, int size)
  void test_get_stack_raw_tp(void)
  {
  	const char *file = "./test_get_stack_rawtp.o";
 +	const char *file_err = "./test_get_stack_rawtp_err.o";
  	int i, efd, err, prog_fd, pmu_fd, perfmap_fd;
  	struct perf_event_attr attr = {};
  	struct timespec tv = {0, 10};
  	__u32 key = 0, duration = 0;
  	struct bpf_object *obj;

 +	err = bpf_prog_load(file_err, BPF_PROG_TYPE_RAW_TRACEPOINT, &obj, &prog_fd);
 +	if (CHECK(err >= 0, "prog_load raw tp", "err %d errno %d\n", err, errno))
 +		return;
 +
  	err = bpf_prog_load(file, BPF_PROG_TYPE_RAW_TRACEPOINT, &obj, &prog_fd);
  	if (CHECK(err, "prog_load raw tp", "err %d errno %d\n", err, errno))
  		return;
 diff --git a/tools/testing/selftests/bpf/progs/test_get_stack_rawtp_err.c b/tools/testing/selftests/bpf/progs/test_get_stack_rawtp_err.c
 new file mode 100644
 index 000000000000..8941a41c2a55
 --- /dev/null
 +++ b/tools/testing/selftests/bpf/progs/test_get_stack_rawtp_err.c
 @@ -0,0 +1,26 @@
 +// SPDX-License-Identifier: GPL-2.0
 +
 +#include <linux/bpf.h>
 +#include <bpf/bpf_helpers.h>
 +
 +#define MAX_STACK_RAWTP 10
 +
 +SEC("raw_tracepoint/sys_enter")
 +int bpf_prog2(void *ctx)
 +{
 +	__u64 stack[MAX_STACK_RAWTP];
 +	int error;
 +
 +	/* set all the flags which should return -EINVAL */
 +	error = bpf_get_stack(ctx, stack, 0, -1);
 +	if (error < 0)
 +		goto loop;
 +
 +	return error;
 +loop:
 +	while (1) {
 +		error++;
 +	}
 +}
 +
 +char _license[] SEC("license") = "GPL";
 --
 2.7.4
	From 2e7b822217cf08620397bb067083d14e328c171d Mon Sep 17 00:00:00 2001
	From: John Fastabend <john.fastabend@gmail.com>
	Date: Mon, 30 Mar 2020 14:37:19 -0700
	Subject: [PATCH] bpf: Test_progs, add test to catch retval refine error
	handling

	commit d2db08c7a14e0b5eed6132baf258b80622e041a9 upstream.

	Before this series the verifier would clamp return bounds of
	bpf_get_stack() to [0, X] and this led the verifier to believe
	that a JMP_JSLT 0 would be false and so would prune that path.

	The result is anything hidden behind that JSLT would be unverified.
	Add a test to catch this case by hiding an goto pc-1 behind the
	check which will cause an infinite loop if not rejected.

	Signed-off-by: John Fastabend <john.fastabend@gmail.com>
	Signed-off-by: Alexei Starovoitov <ast@kernel.org>
	Link: https://lore.kernel.org/bpf/158560423908.10843.11783152347709008373.stgit@john-Precision-5820-Tower
	Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

	diff --git a/tools/testing/selftests/bpf/prog_tests/get_stack_raw_tp.c b/tools/testing/selftests/bpf/prog_tests/get_stack_raw_tp.c
	index c2a0a9d5591b..1b46764265f6 100644
	--- a/tools/testing/selftests/bpf/prog_tests/get_stack_raw_tp.c
	+++ b/tools/testing/selftests/bpf/prog_tests/get_stack_raw_tp.c
	@@ -77,12 +77,17 @@ static int get_stack_print_output(void *data, int size)
	void test_get_stack_raw_tp(void)
	{
	const char *file = "./test_get_stack_rawtp.o";
	+ const char *file_err = "./test_get_stack_rawtp_err.o";
	int i, efd, err, prog_fd, pmu_fd, perfmap_fd;
	struct perf_event_attr attr = {};
	struct timespec tv = {0, 10};
	__u32 key = 0, duration = 0;
	struct bpf_object *obj;

	+ err = bpf_prog_load(file_err, BPF_PROG_TYPE_RAW_TRACEPOINT, &obj, &prog_fd);
	+ if (CHECK(err >= 0, "prog_load raw tp", "err %d errno %d\n", err, errno))
	+ return;
	+
	err = bpf_prog_load(file, BPF_PROG_TYPE_RAW_TRACEPOINT, &obj, &prog_fd);
	if (CHECK(err, "prog_load raw tp", "err %d errno %d\n", err, errno))
	return;
	diff --git a/tools/testing/selftests/bpf/progs/test_get_stack_rawtp_err.c b/tools/testing/selftests/bpf/progs/test_get_stack_rawtp_err.c
	new file mode 100644
	index 000000000000..8941a41c2a55
	--- /dev/null
	+++ b/tools/testing/selftests/bpf/progs/test_get_stack_rawtp_err.c
	@@ -0,0 +1,26 @@
	+// SPDX-License-Identifier: GPL-2.0
	+
	+#include <linux/bpf.h>
	+#include <bpf/bpf_helpers.h>
	+
	+#define MAX_STACK_RAWTP 10
	+
	+SEC("raw_tracepoint/sys_enter")
	+int bpf_prog2(void *ctx)
	+{
	+ __u64 stack[MAX_STACK_RAWTP];
	+ int error;
	+
	+ /* set all the flags which should return -EINVAL */
	+ error = bpf_get_stack(ctx, stack, 0, -1);
	+ if (error < 0)
	+ goto loop;
	+
	+ return error;
	+loop:
	+ while (1) {
	+ error++;
	+ }
	+}
	+
	+char _license[] SEC("license") = "GPL";
	--
	2.7.4