Commit 5ffb537e authored by Yonghong Song's avatar Yonghong Song Committed by Andrii Nakryiko
Browse files

selftests/bpf: Add tests with stack ptr register in conditional jmp 



Add two tests:
  - one test has 'rX <op> r10' where rX is not r10, and
  - another test has 'rX <op> rY' where rX and rY are not r10
    but there is an early insn 'rX = r10'.

Without previous verifier change, both tests will fail.

Signed-off-by: default avatarYonghong Song <yonghong.song@linux.dev>
Signed-off-by: default avatarAndrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20250524041340.4046304-1-yonghong.song@linux.dev
parent e2d2115e

kernel/bpf/verifier.c

+5 −2
Original line number Diff line number Diff line
@@ -16456,6 +16456,8 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env, 








		if (src_reg->type == PTR_TO_STACK)









			insn_flags |= INSN_F_SRC_REG_STACK;









		if (dst_reg->type == PTR_TO_STACK)









			insn_flags |= INSN_F_DST_REG_STACK;









	} else {









		if (insn->src_reg != BPF_REG_0) {









			verbose(env, "BPF_JMP/JMP32 uses reserved fields\n");








@@ -16465,10 +16467,11 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,







		memset(src_reg, 0, sizeof(*src_reg));









		src_reg->type = SCALAR_VALUE;









		__mark_reg_known(src_reg, insn->imm);









	}

















		if (dst_reg->type == PTR_TO_STACK)









			insn_flags |= INSN_F_DST_REG_STACK;









	}

















	if (insn_flags) {









		err = push_insn_history(env, this_branch, insn_flags, 0);









		if (err)
































tools/testing/selftests/bpf/progs/verifier_precision.c



+53
−0






























Original line number
Diff line number
Diff line







@@ -178,4 +178,57 @@ __naked int state_loop_first_last_equal(void)







	);









}



















__used __naked static void __bpf_cond_op_r10(void)









{









	asm volatile (









	"r2 = 2314885393468386424 ll;"









	"goto +0;"









	"if r2 <= r10 goto +3;"









	"if r1 >= -1835016 goto +0;"









	"if r2 <= 8 goto +0;"









	"if r3 <= 0 goto +0;"









	"exit;"









	::: __clobber_all);









}



















SEC("?raw_tp")









__success __log_level(2)









__msg("8: (bd) if r2 <= r10 goto pc+3")









__msg("9: (35) if r1 >= 0xffe3fff8 goto pc+0")









__msg("10: (b5) if r2 <= 0x8 goto pc+0")









__msg("mark_precise: frame1: last_idx 10 first_idx 0 subseq_idx -1")









__msg("mark_precise: frame1: regs=r2 stack= before 9: (35) if r1 >= 0xffe3fff8 goto pc+0")









__msg("mark_precise: frame1: regs=r2 stack= before 8: (bd) if r2 <= r10 goto pc+3")









__msg("mark_precise: frame1: regs=r2 stack= before 7: (05) goto pc+0")









__naked void bpf_cond_op_r10(void)









{









	asm volatile (









	"r3 = 0 ll;"









	"call __bpf_cond_op_r10;"









	"r0 = 0;"









	"exit;"









	::: __clobber_all);









}



















SEC("?raw_tp")









__success __log_level(2)









__msg("3: (bf) r3 = r10")









__msg("4: (bd) if r3 <= r2 goto pc+1")









__msg("5: (b5) if r2 <= 0x8 goto pc+2")









__msg("mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1")









__msg("mark_precise: frame0: regs=r2 stack= before 4: (bd) if r3 <= r2 goto pc+1")









__msg("mark_precise: frame0: regs=r2 stack= before 3: (bf) r3 = r10")









__naked void bpf_cond_op_not_r10(void)









{









	asm volatile (









	"r0 = 0;"









	"r2 = 2314885393468386424 ll;"









	"r3 = r10;"









	"if r3 <= r2 goto +1;"









	"if r2 <= 8 goto +2;"









	"r0 = 2 ll;"









	"exit;"









	::: __clobber_all);









}



















char _license[] SEC("license") = "GPL";