path: root/tools/testing/selftests/bpf/verifier/atomic_fetch_add.c
blob: a91de8cd9defb0c64f9411a5371e45aaa0fd4041 (plain)
/* Positive case: a 64-bit atomic fetch-add on an initialised stack slot is
 * expected to pass the verifier. The program leaves R0 == 0 when both the
 * fetched (old) value and the stored sum are correct, R0 == 1 when the
 * fetched value is wrong and R0 == 2 when the stored sum is wrong.
 */
{
	"BPF_ATOMIC_FETCH_ADD smoketest - 64bit",
	.insns = {
		/* R0 = 0: return value if every check below passes */
		BPF_MOV64_IMM(BPF_REG_0, 0),
		/* Write 3 to the 8-byte stack slot at R10 - 8 */
		BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 3),
		/* Put a 1 in R1, add it to the 3 on the stack, and load the
		 * previous stack value back into R1 (BPF_FETCH).
		 */
		BPF_MOV64_IMM(BPF_REG_1, 1),
		BPF_ATOMIC_OP(BPF_DW, BPF_ADD | BPF_FETCH, BPF_REG_10, BPF_REG_1, -8),
		/* Check the value we loaded back was 3; on match skip the two
		 * instructions of the failure path below.
		 */
		BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
		/* Failure path: fetched value was not 3, exit with R0 = 1 */
		BPF_MOV64_IMM(BPF_REG_0, 1),
		BPF_EXIT_INSN(),
		/* Load value from stack */
		BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -8),
		/* Check value loaded from stack was 4 (3 + 1); on match skip
		 * the single instruction that sets the failure code.
		 */
		BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
		/* Failure path: stored sum was not 4, R0 = 2 */
		BPF_MOV64_IMM(BPF_REG_0, 2),
		BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
},
/* Positive case: same program shape as the 64-bit smoke test, but the store,
 * the atomic op and the reload all use a 4-byte (BPF_W) access at R10 - 4.
 * R0 ends up 0 on success, 1 if the fetched value is wrong, 2 if the stored
 * sum is wrong.
 */
{
	"BPF_ATOMIC_FETCH_ADD smoketest - 32bit",
	.insns = {
		/* R0 = 0: return value if every check below passes */
		BPF_MOV64_IMM(BPF_REG_0, 0),
		/* Write 3 to the 4-byte stack slot at R10 - 4 */
		BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 3),
		/* Put a 1 in R1, add it to the 3 on the stack, and load the
		 * previous stack value back into R1 (BPF_FETCH).
		 */
		BPF_MOV32_IMM(BPF_REG_1, 1),
		BPF_ATOMIC_OP(BPF_W, BPF_ADD | BPF_FETCH, BPF_REG_10, BPF_REG_1, -4),
		/* Check the value we loaded back was 3; on match skip the two
		 * instructions of the failure path below.
		 */
		BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
		/* Failure path: fetched value was not 3, exit with R0 = 1 */
		BPF_MOV64_IMM(BPF_REG_0, 1),
		BPF_EXIT_INSN(),
		/* Load value from stack */
		BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_10, -4),
		/* Check value loaded from stack was 4 (3 + 1); on match skip
		 * the single instruction that sets the failure code.
		 */
		BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
		/* Failure path: stored sum was not 4, R0 = 2 */
		BPF_MOV64_IMM(BPF_REG_0, 2),
		BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
},
/* Negative case: R10 (the frame pointer) is used both as the memory base and
 * as the value/fetch register of the atomic op. With BPF_FETCH the old memory
 * value would be written into that register, i.e. into R10, so the program
 * must be rejected.
 */
{
	"Can't use ATM_FETCH_ADD on frame pointer",
	.insns = {
		BPF_MOV64_IMM(BPF_REG_0, 0),
		/* Initialise the stack slot so the rejection is not caused by
		 * reading uninitialised stack.
		 */
		BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 3),
		/* Offending instruction: source register is R10 itself */
		BPF_ATOMIC_OP(BPF_DW, BPF_ADD | BPF_FETCH, BPF_REG_10, BPF_REG_10, -8),
		BPF_EXIT_INSN(),
	},
	.result = REJECT,
	/* Two different messages are expected depending on privilege. The
	 * unprivileged one is about the pointer value in R10 being written to
	 * memory (an address leak); the privileged one is about R10 being
	 * read-only. Presumably the leak check only applies to unprivileged
	 * loads and runs first there - confirm against the verifier.
	 */
	.errstr_unpriv = "R10 leaks addr into mem",
	.errstr = "frame pointer is read only",
},
/* Negative case: the source register of the atomic op (R2) is never written
 * before it is used, so the verifier must refuse to read it.
 */
{
	"Can't use ATM_FETCH_ADD on uninit src reg",
	.insns = {
		BPF_MOV64_IMM(BPF_REG_0, 0),
		/* The stack slot itself is initialised; only R2 is not */
		BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 3),
		/* Offending instruction: R2 is used as the value to add */
		BPF_ATOMIC_OP(BPF_DW, BPF_ADD | BPF_FETCH, BPF_REG_10, BPF_REG_2, -8),
		BPF_EXIT_INSN(),
	},
	.result = REJECT,
	/* The expected message is the uninitialised-register read error.
	 * NOTE(review): this comment used to say that the address leak check
	 * comes first and that the verifier would also complain about
	 * modifying R10. That does not match this program, where R10 is only
	 * the memory base; it looks copied from the frame-pointer case -
	 * confirm.
	 */
	.errstr = "!read_ok",
},
/* Negative case: the register used as the memory base of the atomic op (R2)
 * is never written before it is used, so there is no valid pointer to
 * operate on and the verifier must refuse to read it.
 */
{
	"Can't use ATM_FETCH_ADD on uninit dst reg",
	.insns = {
		/* R0 = 0 is a valid, initialised source operand */
		BPF_MOV64_IMM(BPF_REG_0, 0),
		/* Offending instruction: R2 is used as the base address */
		BPF_ATOMIC_OP(BPF_DW, BPF_ADD | BPF_FETCH, BPF_REG_2, BPF_REG_0, -8),
		BPF_EXIT_INSN(),
	},
	.result = REJECT,
	/* The expected message is the uninitialised-register read error.
	 * NOTE(review): this comment used to say that the address leak check
	 * comes first and that the verifier would also complain about
	 * modifying R10. R10 does not appear in this program at all; the text
	 * looks copied from the frame-pointer case - confirm.
	 */
	.errstr = "!read_ok",
},
/* Negative case: a tracing (fentry) program must not be able to modify kernel
 * memory through a pointer it obtained from the traced function's arguments.
 * An atomic fetch-add is a write as well as a read, so it must be rejected
 * here.
 */
{
	"Can't use ATM_FETCH_ADD on kernel memory",
	.insns = {
		/* This is an fentry prog, context is array of the args of the
		 * kernel function being called. Load first arg into R2.
		 */
		BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 0),
		/* First arg of bpf_fentry_test7 is a pointer to a struct.
		 * Attempt to modify that struct. Verifier shouldn't let us
		 * because it's kernel memory.
		 */
		BPF_MOV64_IMM(BPF_REG_3, 1),
		BPF_ATOMIC_OP(BPF_DW, BPF_ADD | BPF_FETCH, BPF_REG_2, BPF_REG_3, 0),
		/* Done: only reached if the verifier wrongly accepted the
		 * atomic op above.
		 */
		BPF_MOV64_IMM(BPF_REG_0, 0),
		BPF_EXIT_INSN(),
	},
	/* Load as an fentry tracing program attached to bpf_fentry_test7 */
	.prog_type = BPF_PROG_TYPE_TRACING,
	.expected_attach_type = BPF_TRACE_FENTRY,
	.kfunc = "bpf_fentry_test7",
	.result = REJECT,
	/* Expected message: access through this pointer is read-only */
	.errstr = "only read is supported",
},