This patch randomizes high 32-bit of a definition when BPF_F_TEST_RND_HI32
is set.
It does this once the flag set no matter there is hardware zero extension
support or not. Because this is a test feature and we want to deliver the
most stressful test.
Suggested-by: Alexei Starovoitov <a...@kernel.org>
Signed-off-by: Jiong Wang <jiong.w...@netronome.com>
---
kernel/bpf/verifier.c | 85 ++++++++++++++++++++++++++++++++++++++++-----------
1 file changed, 68 insertions(+), 17 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 9141a9a..33407c5 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -7520,24 +7520,70 @@ static int opt_remove_nops(struct bpf_verifier_env *env)
return 0;
}
-static int opt_subreg_zext_lo32(struct bpf_verifier_env *env)
+static int opt_subreg_zext_lo32_rnd_hi32(struct bpf_verifier_env *env,
+ const union bpf_attr *attr)
{
struct bpf_insn_aux_data orig_aux, *aux = env->insn_aux_data;
+ struct bpf_insn *patch, zext_patch[3], rnd_hi32_patch[4];
+ int i, patch_len, delta = 0, len = env->prog->len;
struct bpf_insn *insns = env->prog->insnsi;
- int i, delta = 0, len = env->prog->len;
- struct bpf_insn zext_patch[3];
struct bpf_prog *new_prog;
+ bool rnd_hi32;
+
+ rnd_hi32 = attr->prog_flags & BPF_F_TEST_RND_HI32;
zext_patch[1] = BPF_ALU64_IMM(BPF_LSH, 0, 32);
zext_patch[2] = BPF_ALU64_IMM(BPF_RSH, 0, 32);
+ rnd_hi32_patch[1] = BPF_ALU64_IMM(BPF_MOV, BPF_REG_AX, 0);
+ rnd_hi32_patch[2] = BPF_ALU64_IMM(BPF_LSH, BPF_REG_AX, 32);
+ rnd_hi32_patch[3] = BPF_ALU64_REG(BPF_OR, 0, BPF_REG_AX);
for (i = 0; i < len; i++) {
int adj_idx = i + delta;
struct bpf_insn insn;
- if (!aux[adj_idx].zext_dst)
+ insn = insns[adj_idx];
+ if (!aux[adj_idx].zext_dst) {
+ u8 code, class;
+ u32 imm_rnd;
+
+ if (!rnd_hi32)
+ continue;
+
+ code = insn.code;
+ class = BPF_CLASS(code);
+ /* Insns doesn't define any value. */
+ if (class == BPF_JMP || class == BPF_JMP32 ||
+ class == BPF_STX || class == BPF_ST)
+ continue;
+
+ /* NOTE: arg "reg" is only used for BPF_STX, as it has
+ * been ruled out in above check, it is safe to
+ * pass NULL here.
+ */
+ if (is_reg64(env, &insn, insn.dst_reg, NULL, DST_OP)) {
+ if (class == BPF_LD &&
+ BPF_MODE(code) == BPF_IMM)
+ i++;
+ continue;
+ }
+
+ /* ctx load could be transformed into wider load. */
+ if (class == BPF_LDX &&
+ aux[adj_idx].ptr_type == PTR_TO_CTX)
+ continue;
+
+ imm_rnd = get_random_int();
+ rnd_hi32_patch[0] = insns[adj_idx];
+ rnd_hi32_patch[1].imm = imm_rnd;
+ rnd_hi32_patch[3].dst_reg = insn.dst_reg;
+ patch = rnd_hi32_patch;
+ patch_len = 4;
+ goto apply_patch_buffer;
+ }
+
+ if (bpf_jit_hardware_zext())
continue;
- insn = insns[adj_idx];
/* "adjust_insn_aux_data" only retains the original insn aux
* data if insn at patched offset is at the end of the patch
* buffer. That is to say, given the following insn sequence:
@@ -7580,15 +7626,18 @@ static int opt_subreg_zext_lo32(struct bpf_verifier_env
*env)
zext_patch[0] = insns[adj_idx];
zext_patch[1].dst_reg = insn.dst_reg;
zext_patch[2].dst_reg = insn.dst_reg;
+ patch = zext_patch;
+ patch_len = 3;
+apply_patch_buffer:
memcpy(&orig_aux, &aux[adj_idx], sizeof(orig_aux));
- new_prog = bpf_patch_insn_data(env, adj_idx, zext_patch, 3);
+ new_prog = bpf_patch_insn_data(env, adj_idx, patch, patch_len);
if (!new_prog)
return -ENOMEM;
env->prog = new_prog;
insns = new_prog->insnsi;
aux = env->insn_aux_data;
memcpy(&aux[adj_idx], &orig_aux, sizeof(orig_aux));
- delta += 2;
+ delta += patch_len - 1;
}
return 0;
@@ -8425,16 +8474,18 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr
*attr,
if (ret == 0)
ret = check_max_stack_depth(env);
- /* Instruction rewrites happen after this point.
- * For offload target, finalize hook has all aux insn info, do any
- * customized work there.
- */
- if (ret == 0 && !bpf_jit_hardware_zext() &&
- !bpf_prog_is_dev_bound(env->prog->aux)) {
- ret = opt_subreg_zext_lo32(env);
- env->prog->aux->no_verifier_zext = !!ret;
- } else {
- env->prog->aux->no_verifier_zext = true;
+ /* Instruction rewrites happen after this point. */
+ if (ret == 0) {
+ if (bpf_prog_is_dev_bound(env->prog->aux)) {
+ /* For offload target, finalize hook has all aux insn
+ * info, copy the analysis result at there.
+ */
+ env->prog->aux->no_verifier_zext = true;
+ } else {
+ ret = opt_subreg_zext_lo32_rnd_hi32(env, attr);
+ env->prog->aux->no_verifier_zext =
+ bpf_jit_hardware_zext() ? true : !!ret;
+ }
}
if (is_priv) {
--
2.7.4
