[PATCH bpf v2 0/2] bpf: Fix incorrect immediate spill

2023-11-01 Thread Hao Sun
Immediate is incorrectly cast to u32 before being spilled, losing sign
information. The range information is incorrect after loading again. Fix
immediate spill by removing the cast. The second patch adds a test case
for this.

Signed-off-by: Hao Sun 
---
Changes in v2:
- Add fix and cc tags.
- Link to v1: 
https://lore.kernel.org/r/20231026-fix-check-stack-write-v1-0-6b325ef3c...@gmail.com

---
Hao Sun (2):
  bpf: Fix check_stack_write_fixed_off() to correctly spill imm
  selftests/bpf: Add test for immediate spilled to stack

 kernel/bpf/verifier.c |  2 +-
 tools/testing/selftests/bpf/verifier/bpf_st_mem.c | 32 +++
 2 files changed, 33 insertions(+), 1 deletion(-)
---
base-commit: f1c73396133cb3d913e2075298005644ee8dfade
change-id: 20231026-fix-check-stack-write-c40996694dfa

Best regards,
-- 
Hao Sun 



[PATCH bpf v2 1/2] bpf: Fix check_stack_write_fixed_off() to correctly spill imm

2023-11-01 Thread Hao Sun
In check_stack_write_fixed_off(), imm value is cast to u32 before being
spilled to the stack. Therefore, the sign information is lost, and the
range information is incorrect when loading from the stack again.

For the following prog:
0: r2 = r10
1: *(u64*)(r2 -40) = -44
2: r0 = *(u64*)(r2 - 40)
3: if r0 s<= 0xa goto +2
4: r0 = 1
5: exit
6: r0  = 0
7: exit

The verifier gives:
func#0 @0
0: R1=ctx(off=0,imm=0) R10=fp0
0: (bf) r2 = r10  ; R2_w=fp0 R10=fp0
1: (7a) *(u64 *)(r2 -40) = -44; R2_w=fp0 fp-40_w=4294967252
2: (79) r0 = *(u64 *)(r2 -40) ; R0_w=4294967252 R2_w=fp0
fp-40_w=4294967252
3: (c5) if r0 s< 0xa goto pc+2
mark_precise: frame0: last_idx 3 first_idx 0 subseq_idx -1
mark_precise: frame0: regs=r0 stack= before 2: (79) r0 = *(u64 *)(r2 -40)
3: R0_w=4294967252
4: (b7) r0 = 1; R0_w=1
5: (95) exit
verification time 7971 usec
stack depth 40
processed 6 insns (limit 100) max_states_per_insn 0 total_states 0
peak_states 0 mark_read 0

So remove the incorrect cast, since the imm field is declared as s32, and
__mark_reg_known() takes u64, so imm would be correctly sign extended
by the compiler.

Fixes: ecdf985d7615 ("bpf: track immediate values written to stack by BPF_ST instruction")
Cc: sta...@vger.kernel.org
Signed-off-by: Hao Sun 
---
 kernel/bpf/verifier.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 857d76694517..44af69ce1301 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -4674,7 +4674,7 @@ static int check_stack_write_fixed_off(struct 
bpf_verifier_env *env,
   insn->imm != 0 && env->bpf_capable) {
struct bpf_reg_state fake_reg = {};
 
-   __mark_reg_known(&fake_reg, (u32)insn->imm);
+   __mark_reg_known(&fake_reg, insn->imm);
fake_reg.type = SCALAR_VALUE;
save_register_state(state, spi, &fake_reg, size);
} else if (reg && is_spillable_regtype(reg->type)) {
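
Review bot: the replacement call `__mark_reg_known(&fake_reg, insn->imm);` now relies on an implicit s32 to u64 conversion to sign-extend the immediate, and nothing at the call site says so. A one-line comment there stating that the sign extension is intended would keep a later cleanup from reintroducing a narrowing cast like the `(u32)` removed on the line above.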

-- 
2.34.1
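
Added example (not part of the patch or of the kernel sources): a small C model of the conversion described in the commit message above, showing how the (u32) cast makes the tracked constant disagree with the value stored at run time and flips a signed comparison. The struct and function names are hypothetical, and only a known constant is modelled, not the verifier's range or tnum tracking.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the verifier's state of a known constant
 * scalar (assumption: only the 64-bit constant is modelled). */
struct known_scalar {
	uint64_t value;
};

/* Plays the role of __mark_reg_known(): the constant arrives as u64. */
static void mark_known(struct known_scalar *reg, uint64_t imm)
{
	reg->value = imm;
}

/* Pre-fix behaviour: the s32 immediate is cast to u32 first, so the
 * widening to u64 zero-extends and the sign is lost. */
static struct known_scalar spill_imm_cast_u32(int32_t imm)
{
	struct known_scalar reg = { 0 };

	mark_known(&reg, (uint32_t)imm);
	return reg;
}

/* Post-fix behaviour: s32 converted straight to u64, which sign-extends.
 * The cast is spelled out here; it is the same conversion the compiler
 * performs implicitly when an s32 is passed for a u64 parameter. */
static struct known_scalar spill_imm_sign_extended(int32_t imm)
{
	struct known_scalar reg = { 0 };

	mark_known(&reg, (uint64_t)imm);
	return reg;
}

/* Value a 64-bit BPF_ST store leaves in the stack slot at run time:
 * the 32-bit immediate sign-extended to 64 bits (model assumption,
 * consistent with the post-fix log line "fp-8_w=-44"). */
static uint64_t runtime_slot_value(int32_t imm)
{
	return (uint64_t)(int64_t)imm;
}

/* Outcome of "if r0 s< k" for a known 64-bit register value. */
static int jslt_taken(uint64_t r0, int32_t k)
{
	return (int64_t)r0 < (int64_t)k;
}

/* Returns 1 when the branch followed for the tracked constant is not
 * the branch taken at run time, i.e. the path that was verified is not
 * the path that executes. */
static int paths_diverge(struct known_scalar tracked, int32_t imm, int32_t k)
{
	return jslt_taken(tracked.value, k) !=
	       jslt_taken(runtime_slot_value(imm), k);
}

int main(void)
{
	/* Constructed sample immediates; -44 and 0xa are the values that
	 * appear in the commit message. */
	const int32_t imms[] = { -44, -1, 44, INT32_MIN, INT32_MAX };
	const int32_t k = 0xa;
	size_t i;

	for (i = 0; i < sizeof(imms) / sizeof(imms[0]); i++) {
		struct known_scalar before = spill_imm_cast_u32(imms[i]);
		struct known_scalar after = spill_imm_sign_extended(imms[i]);

		printf("imm=%d: cast tracks %llu (diverges=%d), "
		       "fixed tracks %lld (diverges=%d)\n",
		       (int)imms[i],
		       (unsigned long long)before.value,
		       paths_diverge(before, imms[i], k),
		       (long long)after.value,
		       paths_diverge(after, imms[i], k));
	}
	return 0;
}
```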



[PATCH bpf v2 2/2] selftests/bpf: Add test for immediate spilled to stack

2023-11-01 Thread Hao Sun
Add a test to check if the verifier correctly reasons about the sign
of an immediate spilled to stack by BPF_ST instruction.

Signed-off-by: Hao Sun 
---
 tools/testing/selftests/bpf/verifier/bpf_st_mem.c | 32 +++
 1 file changed, 32 insertions(+)

diff --git a/tools/testing/selftests/bpf/verifier/bpf_st_mem.c 
b/tools/testing/selftests/bpf/verifier/bpf_st_mem.c
index 3af2501082b2..0ba23807c46c 100644
--- a/tools/testing/selftests/bpf/verifier/bpf_st_mem.c
+++ b/tools/testing/selftests/bpf/verifier/bpf_st_mem.c
@@ -65,3 +65,35 @@
.expected_attach_type = BPF_SK_LOOKUP,
.runs = -1,
 },
+{
+   "BPF_ST_MEM stack imm sign",
+   /* Check if verifier correctly reasons about sign of an
+* immediate spilled to stack by BPF_ST instruction.
+*
+*   fp[-8] = -44;
+*   r0 = fp[-8];
+*   if r0 s< 0 goto ret0;
+*   r0 = -1;
+*   exit;
+* ret0:
+*   r0 = 0;
+*   exit;
+*/
+   .insns = {
+   BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, -44),
+   BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
+   BPF_JMP_IMM(BPF_JSLT, BPF_REG_0, 0, 2),
+   BPF_MOV64_IMM(BPF_REG_0, -1),
+   BPF_EXIT_INSN(),
+   BPF_MOV64_IMM(BPF_REG_0, 0),
+   BPF_EXIT_INSN(),
+   },
+   /* Use prog type that requires return value in range [0, 1] */
+   .prog_type = BPF_PROG_TYPE_SK_LOOKUP,
+   .expected_attach_type = BPF_SK_LOOKUP,
+   .result = VERBOSE_ACCEPT,
+   .runs = -1,
+   .errstr = "0: (7a) *(u64 *)(r10 -8) = -44; R10=fp0 fp-8_w=-44\
+   2: (c5) if r0 s< 0x0 goto pc+2\
+   2: R0_w=-44",
+},
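
Review bot: the last expected fragment in `.errstr`, `2: R0_w=-44`, pins the instruction index that the verifier prints in front of the register state after the branch. That prefix is log formatting rather than the property under test, so matching only `R0_w=-44` after the `2: (c5) if r0 s< 0x0 goto pc+2` fragment would make the test less sensitive to changes in how the log is printed.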

-- 
2.34.1



Re: [PATCH bpf v2 1/2] bpf: Fix check_stack_write_fixed_off() to correctly spill imm

2023-11-01 Thread Shung-Hsi Yu
On Wed, Nov 01, 2023 at 08:33:22AM +0100, Hao Sun wrote:
> In check_stack_write_fixed_off(), imm value is cast to u32 before being
> spilled to the stack. Therefore, the sign information is lost, and the
> range information is incorrect when loading from the stack again.
> 
> For the following prog:
> 0: r2 = r10
> 1: *(u64*)(r2 -40) = -44
> 2: r0 = *(u64*)(r2 - 40)
> 3: if r0 s<= 0xa goto +2
> 4: r0 = 1
> 5: exit
> 6: r0  = 0
> 7: exit
> 
> The verifier gives:
> func#0 @0
> 0: R1=ctx(off=0,imm=0) R10=fp0
> 0: (bf) r2 = r10  ; R2_w=fp0 R10=fp0
> 1: (7a) *(u64 *)(r2 -40) = -44; R2_w=fp0 fp-40_w=4294967252
> 2: (79) r0 = *(u64 *)(r2 -40) ; R0_w=4294967252 R2_w=fp0
> fp-40_w=4294967252
> 3: (c5) if r0 s< 0xa goto pc+2
> mark_precise: frame0: last_idx 3 first_idx 0 subseq_idx -1
> mark_precise: frame0: regs=r0 stack= before 2: (79) r0 = *(u64 *)(r2 -40)
> 3: R0_w=4294967252
> 4: (b7) r0 = 1; R0_w=1
> 5: (95) exit
> verification time 7971 usec
> stack depth 40
> processed 6 insns (limit 100) max_states_per_insn 0 total_states 0
> peak_states 0 mark_read 0
> 
> So remove the incorrect cast, since the imm field is declared as s32, and
> __mark_reg_known() takes u64, so imm would be correctly sign extended
> by the compiler.
> 
> Fixes: ecdf985d7615 ("bpf: track immediate values written to stack by BPF_ST instruction")
> Cc: sta...@vger.kernel.org
> Signed-off-by: Hao Sun 

Acked-by: Shung-Hsi Yu 


Re: [RFC] drm/tests: annotate intentional stack trace in drm_test_rect_calc_hscale()

2023-11-01 Thread Dan Carpenter
Let me add Richard to the CC list.  See lore for more details.
https://lore.kernel.org/all/CA+G9fYuA643RHHpPnz9Ww7rr3zV5a0y=7_uFcybBSL=qp_s...@mail.gmail.com/

On Tue, Oct 31, 2023 at 09:57:48PM +0530, Naresh Kamboju wrote:
> On Mon, 30 Oct 2023 at 14:33, Dan Carpenter  wrote:
> >
> > We have started printing more and more intentional stack traces.  Whether
> > it's testing KASAN is able to detect use after frees or it's part of a
> > kunit test.
> >
> > These stack traces can be problematic.  They suddenly show up as a new
> > failure.  Now the test team has to contact the developers.  A bunch of
> > people have to investigate the bug.  We finally decide that it's
> > intentional so now the test team has to update their filter scripts to
> > mark it as intentional.  These filters are ad-hoc because there is no
> > standard format for warnings.
> >
> > A better way would be to mark it as intentional from the start.
> >
> > Here, I have marked the beginning and the end of the trace.  It's more
> > tricky for things like lkdtm_FORTIFY_MEM_MEMBER() where the flow doesn't
> > reach the end of the function.  I guess I would print a different
> > warning for stack traces that can't have a
> > "Intentional warning finished\n" message at the end.
> >
> > I haven't actually tested this patch...  Daniel, do you have a
> > list of intentional stack traces we could annotate?
> 
> [My two cents]
> 
> I have been noticing the following kernel warnings / BUGs

Some are intentional and some are not.  I had a similar thing happen to
me last week where I had too many Smatch false positives in my devel
code so I accidentally sent a patch with a stupid bug.  I've since
updated my QC process to run both the devel and released versions of
Smatch.

But a similar thing is happening here where we have so many bogus
warnings that we missed a real bug.

> These started happening from next-20231009.
> I am not sure which are "Intentional warnings" or real regressions.
> 
> [   37.378220] BUG: KASAN: slab-out-of-bounds in kmalloc_oob_right+0xc4/0x300
> [   37.645506] BUG: KASAN: slab-out-of-bounds in kmalloc_oob_right+0xec/0x300
> ..
> [  632.407425] BUG: KASAN: null-ptr-deref in kobject_namespace+0x3c/0xb0
> 
> 
> Logs: [Sorry for sharing long logs ]

Not your fault.  These long warnings are the issue at hand.

> ==
> 
> [ cut here ]
> [  629.699281] WARNING: CPU: 0 PID: 2834 at
> drivers/gpu/drm/drm_rect.c:138 drm_rect_calc_hscale+0xbc/0xe8

Deliberate.

> [  629.914458] WARNING: CPU: 5 PID: 2836 at
> drivers/gpu/drm/drm_rect.c:138 drm_rect_calc_hscale+0xbc/0xe8
> [drm_kms_helper]

Deliberate.

> [  630.172564] WARNING: CPU: 5 PID: 2846 at
> drivers/gpu/drm/drm_rect.c:138 drm_rect_calc_vscale+0xbc/0xe8
> [drm_kms_helper]

Deliberate.

> [ cut here ]
> [  630.388003] WARNING: CPU: 3 PID: 2848 at
> drivers/gpu/drm/drm_rect.c:138 drm_rect_calc_vscale+0xbc/0xe8
> [drm_kms_helper]

Deliberate.

> [ cut here ]
> [  631.679963] kobject: '(null)' (f512f33b): is not
> initialized, yet kobject_get() is being called.

Not deliberate.  This seems like a straightforward bug to fix.

Failing a kobject_get() seems like it would obviously lead to a
refcounting underflow and a use after free so I suspect some of the
other warnings that follow are caused by this issue.  We should fix it
first and see which warnings disappear.

So testing the Linux Kernel Dump Test Module is always going to create
warnings.  So intentional warnings are a part of life.  We should
annotate them.

But having too many warnings is bad and has caused this kobject_get()
bug.  We should delete the warning in drm_calc_scale() or make it a
WARN_ONCE() and mark it as intentional in the kunit test.

regards,
dan carpenter



Re: [PATCH bpf v2 1/2] bpf: Fix check_stack_write_fixed_off() to correctly spill imm

2023-11-01 Thread Eduard Zingerman
On Wed, 2023-11-01 at 08:33 +0100, Hao Sun wrote:
> In check_stack_write_fixed_off(), imm value is cast to u32 before being
> spilled to the stack. Therefore, the sign information is lost, and the
> range information is incorrect when loading from the stack again.
> 
> For the following prog:
> 0: r2 = r10
> 1: *(u64*)(r2 -40) = -44
> 2: r0 = *(u64*)(r2 - 40)
> 3: if r0 s<= 0xa goto +2
> 4: r0 = 1
> 5: exit
> 6: r0  = 0
> 7: exit
> 
> The verifier gives:
> func#0 @0
> 0: R1=ctx(off=0,imm=0) R10=fp0
> 0: (bf) r2 = r10  ; R2_w=fp0 R10=fp0
> 1: (7a) *(u64 *)(r2 -40) = -44; R2_w=fp0 fp-40_w=4294967252
> 2: (79) r0 = *(u64 *)(r2 -40) ; R0_w=4294967252 R2_w=fp0
> fp-40_w=4294967252
> 3: (c5) if r0 s< 0xa goto pc+2
> mark_precise: frame0: last_idx 3 first_idx 0 subseq_idx -1
> mark_precise: frame0: regs=r0 stack= before 2: (79) r0 = *(u64 *)(r2 -40)
> 3: R0_w=4294967252
> 4: (b7) r0 = 1; R0_w=1
> 5: (95) exit
> verification time 7971 usec
> stack depth 40
> processed 6 insns (limit 100) max_states_per_insn 0 total_states 0
> peak_states 0 mark_read 0
> 
> So remove the incorrect cast, since the imm field is declared as s32, and
> __mark_reg_known() takes u64, so imm would be correctly sign extended
> by the compiler.
> 
> Fixes: ecdf985d7615 ("bpf: track immediate values written to stack by BPF_ST instruction")
> Cc: sta...@vger.kernel.org
> Signed-off-by: Hao Sun 

Acked-by: Eduard Zingerman 

> ---
>  kernel/bpf/verifier.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 857d76694517..44af69ce1301 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -4674,7 +4674,7 @@ static int check_stack_write_fixed_off(struct 
> bpf_verifier_env *env,
>  insn->imm != 0 && env->bpf_capable) {
>   struct bpf_reg_state fake_reg = {};
>  
> - __mark_reg_known(&fake_reg, (u32)insn->imm);
> + __mark_reg_known(&fake_reg, insn->imm);
>   fake_reg.type = SCALAR_VALUE;
>   save_register_state(state, spi, &fake_reg, size);
>   } else if (reg && is_spillable_regtype(reg->type)) {
> 



Re: [PATCH bpf v2 2/2] selftests/bpf: Add test for immediate spilled to stack

2023-11-01 Thread Eduard Zingerman
On Wed, 2023-11-01 at 08:33 +0100, Hao Sun wrote:
> Add a test to check if the verifier correctly reasons about the sign
> of an immediate spilled to stack by BPF_ST instruction.
> 
> Signed-off-by: Hao Sun 
> ---
>  tools/testing/selftests/bpf/verifier/bpf_st_mem.c | 32 
> +++
>  1 file changed, 32 insertions(+)
> 
> diff --git a/tools/testing/selftests/bpf/verifier/bpf_st_mem.c 
> b/tools/testing/selftests/bpf/verifier/bpf_st_mem.c
> index 3af2501082b2..0ba23807c46c 100644
> --- a/tools/testing/selftests/bpf/verifier/bpf_st_mem.c
> +++ b/tools/testing/selftests/bpf/verifier/bpf_st_mem.c
> @@ -65,3 +65,35 @@
>   .expected_attach_type = BPF_SK_LOOKUP,
>   .runs = -1,
>  },
> +{
> + "BPF_ST_MEM stack imm sign",
> + /* Check if verifier correctly reasons about sign of an
> +  * immediate spilled to stack by BPF_ST instruction.
> +  *
> +  *   fp[-8] = -44;
> +  *   r0 = fp[-8];
> +  *   if r0 s< 0 goto ret0;
> +  *   r0 = -1;
> +  *   exit;
> +  * ret0:
> +  *   r0 = 0;
> +  *   exit;
> +  */
> + .insns = {
> + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, -44),
> + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
> + BPF_JMP_IMM(BPF_JSLT, BPF_REG_0, 0, 2),
> + BPF_MOV64_IMM(BPF_REG_0, -1),
> + BPF_EXIT_INSN(),
> + BPF_MOV64_IMM(BPF_REG_0, 0),
> + BPF_EXIT_INSN(),
> + },
> + /* Use prog type that requires return value in range [0, 1] */
> + .prog_type = BPF_PROG_TYPE_SK_LOOKUP,
> + .expected_attach_type = BPF_SK_LOOKUP,
> + .result = VERBOSE_ACCEPT,
> + .runs = -1,
> + .errstr = "0: (7a) *(u64 *)(r10 -8) = -44; R10=fp0 fp-8_w=-44\
> + 2: (c5) if r0 s< 0x0 goto pc+2\
> + 2: R0_w=-44",
> +},
> 

Please note that this test case fails on CI [0], full log below:

2023-11-01T07:49:51.2841702Z #116/p BPF_ST_MEM stack imm sign FAIL
2023-11-01T07:49:51.2843456Z Unexpected verifier log!
2023-11-01T07:49:51.2844968Z EXP: 2: R0_w=-44
2023-11-01T07:49:51.2845583Z RES:
2023-11-01T07:49:51.2846693Z func#0 @0
2023-11-01T07:49:51.2848932Z 0: R1=ctx(off=0,imm=0) R10=fp0
2023-11-01T07:49:51.2853045Z 0: (7a) *(u64 *)(r10 -8) = -44; R10=fp0 
fp-8_w=-44
2023-11-01T07:49:51.2857391Z 1: (79) r0 = *(u64 *)(r10 -8) ; R0_w=-44 
R10=fp0 fp-8_w=-44
2023-11-01T07:49:51.2859127Z 2: (c5) if r0 s< 0x0 goto pc+2
2023-11-01T07:49:51.2862943Z mark_precise: frame0: last_idx 2 first_idx 0 
subseq_idx -1 
2023-11-01T07:49:51.2867511Z mark_precise: frame0: regs=r0 stack= before 1: 
(79) r0 = *(u64 *)(r10 -8)
2023-11-01T07:49:51.2872217Z mark_precise: frame0: regs= stack=-8 before 0: 
(7a) *(u64 *)(r10 -8) = -44
2023-11-01T07:49:51.2872816Z 5: R0_w=-44
2023-11-01T07:49:51.2875653Z 5: (b7) r0 = 0; R0_w=0
2023-11-01T07:49:51.2876493Z 6: (95) exit

I suspect that after recent logging fixes the instruction number printed
after the jump changed and that's why the test case no longer passes.

Note: you can check CI status for submitted patch-sets using link [1].

[0] 
https://github.com/kernel-patches/bpf/actions/runs/6717053909/job/18254330860
[1] https://patchwork.kernel.org/project/netdevbpf/list/


Re: [PATCH bpf v2 2/2] selftests/bpf: Add test for immediate spilled to stack

2023-11-01 Thread Hao Sun
On Wed, Nov 1, 2023 at 12:05 PM Eduard Zingerman  wrote:
>
> On Wed, 2023-11-01 at 08:33 +0100, Hao Sun wrote:
> > Add a test to check if the verifier correctly reasons about the sign
> > of an immediate spilled to stack by BPF_ST instruction.
> >
> > Signed-off-by: Hao Sun 
> > ---
> >  tools/testing/selftests/bpf/verifier/bpf_st_mem.c | 32 
> > +++
> >  1 file changed, 32 insertions(+)
> >
> > diff --git a/tools/testing/selftests/bpf/verifier/bpf_st_mem.c 
> > b/tools/testing/selftests/bpf/verifier/bpf_st_mem.c
> > index 3af2501082b2..0ba23807c46c 100644
> > --- a/tools/testing/selftests/bpf/verifier/bpf_st_mem.c
> > +++ b/tools/testing/selftests/bpf/verifier/bpf_st_mem.c
> > @@ -65,3 +65,35 @@
> >   .expected_attach_type = BPF_SK_LOOKUP,
> >   .runs = -1,
> >  },
> > +{
> > + "BPF_ST_MEM stack imm sign",
> > + /* Check if verifier correctly reasons about sign of an
> > +  * immediate spilled to stack by BPF_ST instruction.
> > +  *
> > +  *   fp[-8] = -44;
> > +  *   r0 = fp[-8];
> > +  *   if r0 s< 0 goto ret0;
> > +  *   r0 = -1;
> > +  *   exit;
> > +  * ret0:
> > +  *   r0 = 0;
> > +  *   exit;
> > +  */
> > + .insns = {
> > + BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, -44),
> > + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
> > + BPF_JMP_IMM(BPF_JSLT, BPF_REG_0, 0, 2),
> > + BPF_MOV64_IMM(BPF_REG_0, -1),
> > + BPF_EXIT_INSN(),
> > + BPF_MOV64_IMM(BPF_REG_0, 0),
> > + BPF_EXIT_INSN(),
> > + },
> > + /* Use prog type that requires return value in range [0, 1] */
> > + .prog_type = BPF_PROG_TYPE_SK_LOOKUP,
> > + .expected_attach_type = BPF_SK_LOOKUP,
> > + .result = VERBOSE_ACCEPT,
> > + .runs = -1,
> > + .errstr = "0: (7a) *(u64 *)(r10 -8) = -44; R10=fp0 fp-8_w=-44\
> > + 2: (c5) if r0 s< 0x0 goto pc+2\
> > + 2: R0_w=-44",
> > +},
> >
>
> Please note that this test case fails on CI [0], full log below:
>
> 2023-11-01T07:49:51.2841702Z #116/p BPF_ST_MEM stack imm sign FAIL
> 2023-11-01T07:49:51.2843456Z Unexpected verifier log!
> 2023-11-01T07:49:51.2844968Z EXP: 2: R0_w=-44
> 2023-11-01T07:49:51.2845583Z RES:
> 2023-11-01T07:49:51.2846693Z func#0 @0
> 2023-11-01T07:49:51.2848932Z 0: R1=ctx(off=0,imm=0) R10=fp0
> 2023-11-01T07:49:51.2853045Z 0: (7a) *(u64 *)(r10 -8) = -44; R10=fp0 
> fp-8_w=-44
> 2023-11-01T07:49:51.2857391Z 1: (79) r0 = *(u64 *)(r10 -8) ; R0_w=-44 
> R10=fp0 fp-8_w=-44
> 2023-11-01T07:49:51.2859127Z 2: (c5) if r0 s< 0x0 goto pc+2
> 2023-11-01T07:49:51.2862943Z mark_precise: frame0: last_idx 2 first_idx 0 
> subseq_idx -1
> 2023-11-01T07:49:51.2867511Z mark_precise: frame0: regs=r0 stack= before 1: 
> (79) r0 = *(u64 *)(r10 -8)
> 2023-11-01T07:49:51.2872217Z mark_precise: frame0: regs= stack=-8 before 0: 
> (7a) *(u64 *)(r10 -8) = -44
> 2023-11-01T07:49:51.2872816Z 5: R0_w=-44
> 2023-11-01T07:49:51.2875653Z 5: (b7) r0 = 0; R0_w=0
> 2023-11-01T07:49:51.2876493Z 6: (95) exit
>
> I suspect that after recent logging fixes the instruction number printed
> after the jump changed and that's why the test case no longer passes.
>

Yes, so I guess we can just drop the line number there, will send patch v3.

> Note: you can check CI status for submitted patch-sets using link [1].
>
> [0] 
> https://github.com/kernel-patches/bpf/actions/runs/6717053909/job/18254330860
> [1] https://patchwork.kernel.org/project/netdevbpf/list/

Thanks.


[PATCH bpf v3 0/2] bpf: Fix incorrect immediate spill

2023-11-01 Thread Hao Sun
Immediate is incorrectly cast to u32 before being spilled, losing sign
information. The range information is incorrect after loading again. Fix
immediate spill by removing the cast. The second patch adds a test case
for this.

Signed-off-by: Hao Sun 
---
Changes in v3:
- Change the expected log to fix the test case
- Link to v2: 
https://lore.kernel.org/r/20231101-fix-check-stack-write-v2-0-cb7c17b86...@gmail.com

Changes in v2:
- Add fix and cc tags.
- Link to v1: 
https://lore.kernel.org/r/20231026-fix-check-stack-write-v1-0-6b325ef3c...@gmail.com

---
Hao Sun (2):
  bpf: Fix check_stack_write_fixed_off() to correctly spill imm
  selftests/bpf: Add test for immediate spilled to stack

 kernel/bpf/verifier.c |  2 +-
 tools/testing/selftests/bpf/verifier/bpf_st_mem.c | 32 +++
 2 files changed, 33 insertions(+), 1 deletion(-)
---
base-commit: f2fbb908112311423b09cd0d2b4978f174b99585
change-id: 20231026-fix-check-stack-write-c40996694dfa

Best regards,
-- 
Hao Sun 



[PATCH bpf v3 2/2] selftests/bpf: Add test for immediate spilled to stack

2023-11-01 Thread Hao Sun
Add a test to check if the verifier correctly reasons about the sign
of an immediate spilled to stack by BPF_ST instruction.

Signed-off-by: Hao Sun 
---
 tools/testing/selftests/bpf/verifier/bpf_st_mem.c | 32 +++
 1 file changed, 32 insertions(+)

diff --git a/tools/testing/selftests/bpf/verifier/bpf_st_mem.c 
b/tools/testing/selftests/bpf/verifier/bpf_st_mem.c
index 3af2501082b2..b616575c3b00 100644
--- a/tools/testing/selftests/bpf/verifier/bpf_st_mem.c
+++ b/tools/testing/selftests/bpf/verifier/bpf_st_mem.c
@@ -65,3 +65,35 @@
.expected_attach_type = BPF_SK_LOOKUP,
.runs = -1,
 },
+{
+   "BPF_ST_MEM stack imm sign",
+   /* Check if verifier correctly reasons about sign of an
+* immediate spilled to stack by BPF_ST instruction.
+*
+*   fp[-8] = -44;
+*   r0 = fp[-8];
+*   if r0 s< 0 goto ret0;
+*   r0 = -1;
+*   exit;
+* ret0:
+*   r0 = 0;
+*   exit;
+*/
+   .insns = {
+   BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, -44),
+   BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
+   BPF_JMP_IMM(BPF_JSLT, BPF_REG_0, 0, 2),
+   BPF_MOV64_IMM(BPF_REG_0, -1),
+   BPF_EXIT_INSN(),
+   BPF_MOV64_IMM(BPF_REG_0, 0),
+   BPF_EXIT_INSN(),
+   },
+   /* Use prog type that requires return value in range [0, 1] */
+   .prog_type = BPF_PROG_TYPE_SK_LOOKUP,
+   .expected_attach_type = BPF_SK_LOOKUP,
+   .result = VERBOSE_ACCEPT,
+   .runs = -1,
+   .errstr = "0: (7a) *(u64 *)(r10 -8) = -44; R10=fp0 fp-8_w=-44\
+   2: (c5) if r0 s< 0x0 goto pc+2\
+   R0_w=-44",
+},
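
Review bot: in the comment block, the fall-through path sets `r0 = -1`, which is outside the [0, 1] return range that the `.prog_type` comment says this program type requires, so the test can only be accepted if the verifier treats that path as unreachable. The comment should say so explicitly (the `if r0 s< 0` branch must be seen as always taken), since that is what ties the `VERBOSE_ACCEPT` result to the sign of the spilled immediate.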

-- 
2.34.1



[PATCH bpf v3 1/2] bpf: Fix check_stack_write_fixed_off() to correctly spill imm

2023-11-01 Thread Hao Sun
In check_stack_write_fixed_off(), imm value is cast to u32 before being
spilled to the stack. Therefore, the sign information is lost, and the
range information is incorrect when loading from the stack again.

For the following prog:
0: r2 = r10
1: *(u64*)(r2 -40) = -44
2: r0 = *(u64*)(r2 - 40)
3: if r0 s<= 0xa goto +2
4: r0 = 1
5: exit
6: r0  = 0
7: exit

The verifier gives:
func#0 @0
0: R1=ctx(off=0,imm=0) R10=fp0
0: (bf) r2 = r10  ; R2_w=fp0 R10=fp0
1: (7a) *(u64 *)(r2 -40) = -44; R2_w=fp0 fp-40_w=4294967252
2: (79) r0 = *(u64 *)(r2 -40) ; R0_w=4294967252 R2_w=fp0
fp-40_w=4294967252
3: (c5) if r0 s< 0xa goto pc+2
mark_precise: frame0: last_idx 3 first_idx 0 subseq_idx -1
mark_precise: frame0: regs=r0 stack= before 2: (79) r0 = *(u64 *)(r2 -40)
3: R0_w=4294967252
4: (b7) r0 = 1; R0_w=1
5: (95) exit
verification time 7971 usec
stack depth 40
processed 6 insns (limit 100) max_states_per_insn 0 total_states 0
peak_states 0 mark_read 0

So remove the incorrect cast, since the imm field is declared as s32, and
__mark_reg_known() takes u64, so imm would be correctly sign extended
by the compiler.

Fixes: ecdf985d7615 ("bpf: track immediate values written to stack by BPF_ST instruction")
Cc: sta...@vger.kernel.org
Signed-off-by: Hao Sun 
Acked-by: Shung-Hsi Yu 
Acked-by: Eduard Zingerman 
---
 kernel/bpf/verifier.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 857d76694517..44af69ce1301 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -4674,7 +4674,7 @@ static int check_stack_write_fixed_off(struct 
bpf_verifier_env *env,
   insn->imm != 0 && env->bpf_capable) {
struct bpf_reg_state fake_reg = {};
 
-   __mark_reg_known(&fake_reg, (u32)insn->imm);
+   __mark_reg_known(&fake_reg, insn->imm);
fake_reg.type = SCALAR_VALUE;
save_register_state(state, spi, &fake_reg, size);
} else if (reg && is_spillable_regtype(reg->type)) {
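
Review bot: `save_register_state(state, spi, &fake_reg, size);` on the context line after the change records the now sign-extended constant for whatever `size` is passed in, while the accompanying selftest only exercises a `BPF_DW` store. A second case that stores a negative immediate with a narrower size and reads it back would document what the verifier is expected to report for that slot.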

-- 
2.34.1



Re: [PATCH v2] selftests/net: synchronize udpgso_bench rx and tx

2023-11-01 Thread Lucas Karpinski
On Tue, Oct 31, 2023 at 05:11:59PM -0400, Willem de Bruijn wrote:
> 
> The patch subject mentions UDP GSO, but the patch fixes the udpgro
> scripts.
>
> There are separate udpgso testcases. So you probably want to s/gso/gro.
> 
The patch synchronizes the connection between the two binaries,
udpgso_bench_rx and udpgso_bench_tx, which are launched by the udpgro
tests. I can remove their names and just specify "synchronize udpgro
tests' tx and rx connection."
> 
> 
> Might a grep be shorter and more readable?
> 
Noted, will change it.

Lucas



[GIT PULL] KUnit next update for Linux 6.7-rc1

2023-11-01 Thread Shuah Khan

Hi Linus,

Please pull the following KUnit next update for Linux 6.7-rc1.

This kunit update for Linux 6.7-rc1 consists of:

-- string-stream testing enhancements
-- several fixes for memory leaks
-- fix to reset status during parameter handling

diff is attached.

thanks,
-- Shuah


The following changes since commit ce9ecca0238b140b88f43859b211c9fdfd8e5b70:

  Linux 6.6-rc2 (2023-09-17 14:40:24 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest 
tags/linux_kselftest-kunit-6.7-rc1

for you to fetch changes up to 8040345fdae4cb256c5d981f91ae0f22bea8adcc:

  kunit: test: Fix the possible memory leak in executor_test (2023-09-28 
08:51:07 -0600)


linux_kselftest-kunit-6.7-rc1

This kunit update for Linux 6.7-rc1 consists of:

-- string-stream testing enhancements
-- several fixes for memory leaks
-- fix to reset status during parameter handling


Jinjie Ruan (4):
  kunit: Fix missed memory release in kunit_free_suite_set()
  kunit: Fix the wrong kfree of copy for kunit_filter_suites()
  kunit: Fix possible memory leak in kunit_filter_suites()
  kunit: test: Fix the possible memory leak in executor_test

Michal Wajdeczko (1):
  kunit: Reset test status on each param iteration

Richard Fitzgerald (10):
  kunit: string-stream: Don't create a fragment for empty strings
  kunit: string-stream: Improve testing of string_stream
  kunit: string-stream: Add option to make all lines end with newline
  kunit: string-stream-test: Add cases for string_stream newline appending
  kunit: Don't use a managed alloc in is_literal()
  kunit: string-stream: Add kunit_alloc_string_stream()
  kunit: string-stream: Decouple string_stream from kunit
  kunit: string-stream: Add tests for freeing resource-managed string_stream
  kunit: Use string_stream for test log
  kunit: string-stream: Test performance of string_stream

 include/kunit/test.h   |  14 +-
 lib/kunit/assert.c |  14 +-
 lib/kunit/debugfs.c|  36 ++-
 lib/kunit/executor.c   |  23 +-
 lib/kunit/executor_test.c  |  36 +--
 lib/kunit/kunit-example-test.c |   5 +-
 lib/kunit/kunit-test.c |  56 -
 lib/kunit/string-stream-test.c | 525 +++--
 lib/kunit/string-stream.c  | 100 ++--
 lib/kunit/string-stream.h  |  16 +-
 lib/kunit/test.c   |  56 +
 11 files changed, 734 insertions(+), 147 deletions(-)
diff --git a/include/kunit/test.h b/include/kunit/test.h
index 68ff01aee244..20ed9f9275c9 100644
--- a/include/kunit/test.h
+++ b/include/kunit/test.h
@@ -33,9 +33,7 @@
 DECLARE_STATIC_KEY_FALSE(kunit_running);
 
 struct kunit;
-
-/* Size of log associated with test. */
-#define KUNIT_LOG_SIZE 2048
+struct string_stream;
 
 /* Maximum size of parameter description string. */
 #define KUNIT_PARAM_DESC_SIZE 128
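
Review bot: dropping `#define KUNIT_LOG_SIZE 2048` removes a macro from a header under include/, and the hunk gives no indication of whether anything else still sizes buffers with it. It would help to state in the commit message that no user remains, and to note next to the new `struct string_stream;` forward declaration where the type is defined.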
@@ -133,7 +131,7 @@ struct kunit_case {
 	/* private: internal use only. */
 	enum kunit_status status;
 	char *module_name;
-	char *log;
+	struct string_stream *log;
 };
 
 static inline char *kunit_status_to_ok_not_ok(enum kunit_status status)
@@ -253,7 +251,7 @@ struct kunit_suite {
 	/* private: internal use only */
 	char status_comment[KUNIT_STATUS_COMMENT_SIZE];
 	struct dentry *debugfs;
-	char *log;
+	struct string_stream *log;
 	int suite_init_err;
 };
 
@@ -279,7 +277,7 @@ struct kunit {
 
 	/* private: internal use only. */
 	const char *name; /* Read only after initialization! */
-	char *log; /* Points at case log after initialization */
+	struct string_stream *log; /* Points at case log after initialization */
 	struct kunit_try_catch try_catch;
 	/* param_value is the current parameter value for a test case. */
 	const void *param_value;
@@ -315,7 +313,7 @@ const char *kunit_filter_glob(void);
 char *kunit_filter(void);
 char *kunit_filter_action(void);
 
-void kunit_init_test(struct kunit *test, const char *name, char *log);
+void kunit_init_test(struct kunit *test, const char *name, struct string_stream *log);
 
 int kunit_run_tests(struct kunit_suite *suite);
 
@@ -473,7 +471,7 @@ static inline void *kunit_kcalloc(struct kunit *test, size_t n, size_t size, gfp
 
 void kunit_cleanup(struct kunit *test);
 
-void __printf(2, 3) kunit_log_append(char *log, const char *fmt, ...);
+void __printf(2, 3) kunit_log_append(struct string_stream *log, const char *fmt, ...);
 
 /**
  * kunit_mark_skipped() - Marks @test_or_suite as skipped
diff --git a/lib/kunit/assert.c b/lib/kunit/assert.c
index 05a09652f5a1..dd1d633d0fe2 100644
--- a/lib/kunit/assert.c
+++ b/lib/kunit/assert.c
@@ -89,8 +89,7 @@ void kunit_ptr_not_err_assert_format(const struct kunit_assert *assert,
 EXPORT_SYMBOL_GPL(k

[RFCv2 bpf-next 0/7] Add bpf_xdp_get_xfrm_state() kfunc

2023-11-01 Thread Daniel Xu
This patchset adds two kfunc helpers, bpf_xdp_get_xfrm_state() and
bpf_xdp_xfrm_state_release() that wrap xfrm_state_lookup() and
xfrm_state_put(). The intent is to support software RSS (via XDP) for
the ongoing/upcoming ipsec pcpu work [0]. Recent experiments performed
on (hopefully) reproducible AWS testbeds indicate that single tunnel
pcpu ipsec can reach line rate on 100G ENA nics.

Note this patchset only tests/shows generic xfrm_state access. The
"secret sauce" (if you can really even call it that) involves accessing
a soon-to-be-upstreamed pcpu_num field in xfrm_state. Early example is
available here [1].

[0]: 
https://datatracker.ietf.org/doc/html/draft-ietf-ipsecme-multi-sa-performance-02
[1]: 
https://github.com/danobi/xdp-tools/blob/e89a1c617aba3b50d990f779357d6ce2863ecb27/xdp-bench/xdp_redirect_cpumap.bpf.c#L385-L406

Changes from RFCv1:
* Add Antony's commit tags
* Add KF_ACQUIRE and KF_RELEASE semantics

Daniel Xu (7):
  bpf: xfrm: Add bpf_xdp_get_xfrm_state() kfunc
  bpf: xfrm: Add bpf_xdp_xfrm_state_release() kfunc
  bpf: selftests: test_tunnel: Use ping -6 over ping6
  bpf: selftests: test_tunnel: Mount bpffs if necessary
  bpf: selftests: test_tunnel: Use vmlinux.h declarations
  bpf: selftests: test_tunnel: Disable CO-RE relocations
  bpf: xfrm: Add selftest for bpf_xdp_get_xfrm_state()

 include/net/xfrm.h|   9 ++
 net/xfrm/Makefile |   1 +
 net/xfrm/xfrm_policy.c|   2 +
 net/xfrm/xfrm_state_bpf.c | 121 ++
 .../selftests/bpf/progs/bpf_tracing_net.h |   1 +
 .../selftests/bpf/progs/test_tunnel_kern.c|  98 --
 tools/testing/selftests/bpf/test_tunnel.sh|  43 +--
 7 files changed, 221 insertions(+), 54 deletions(-)
 create mode 100644 net/xfrm/xfrm_state_bpf.c

-- 
2.42.0



[RFCv2 bpf-next 3/7] bpf: selftests: test_tunnel: Use ping -6 over ping6

2023-11-01 Thread Daniel Xu
The ping6 binary went away over 7 years ago [0].

[0]: 
https://github.com/iputils/iputils/commit/ebad35fee3de851b809c7b72ccc654a72b6af61d

Co-developed-by: Antony Antony 
Signed-off-by: Antony Antony 
Signed-off-by: Daniel Xu 
---
 tools/testing/selftests/bpf/test_tunnel.sh | 18 +-
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/tools/testing/selftests/bpf/test_tunnel.sh 
b/tools/testing/selftests/bpf/test_tunnel.sh
index 2dec7dbf29a2..85ba39992461 100755
--- a/tools/testing/selftests/bpf/test_tunnel.sh
+++ b/tools/testing/selftests/bpf/test_tunnel.sh
@@ -295,13 +295,13 @@ test_ip6gre()
add_ip6gretap_tunnel
attach_bpf $DEV ip6gretap_set_tunnel ip6gretap_get_tunnel
# underlay
-   ping6 $PING_ARG ::11
+   ping -6 $PING_ARG ::11
# overlay: ipv4 over ipv6
ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
ping $PING_ARG 10.1.1.100
check_err $?
# overlay: ipv6 over ipv6
-   ip netns exec at_ns0 ping6 $PING_ARG fc80::200
+   ip netns exec at_ns0 ping -6 $PING_ARG fc80::200
check_err $?
cleanup
 
@@ -324,13 +324,13 @@ test_ip6gretap()
add_ip6gretap_tunnel
attach_bpf $DEV ip6gretap_set_tunnel ip6gretap_get_tunnel
# underlay
-   ping6 $PING_ARG ::11
+   ping -6 $PING_ARG ::11
# overlay: ipv4 over ipv6
ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
ping $PING_ARG 10.1.1.100
check_err $?
# overlay: ipv6 over ipv6
-   ip netns exec at_ns0 ping6 $PING_ARG fc80::200
+   ip netns exec at_ns0 ping -6 $PING_ARG fc80::200
check_err $?
cleanup
 
@@ -376,7 +376,7 @@ test_ip6erspan()
config_device
add_ip6erspan_tunnel $1
attach_bpf $DEV ip4ip6erspan_set_tunnel ip4ip6erspan_get_tunnel
-   ping6 $PING_ARG ::11
+   ping -6 $PING_ARG ::11
ip netns exec at_ns0 ping $PING_ARG 10.1.1.200
check_err $?
cleanup
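
Review bot: in test_ip6erspan() the exit status of the underlay `ping -6 $PING_ARG ::11` is discarded. The only `check_err $?` in this hunk follows the overlay ping run from at_ns0, so an underlay failure goes unreported. Since the line is being touched anyway, add `check_err $?` directly after it; the other underlay pings converted in this patch have the same gap.
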
@@ -474,7 +474,7 @@ test_ipip6()
ip link set dev veth1 mtu 1500
attach_bpf $DEV ipip6_set_tunnel ipip6_get_tunnel
# underlay
-   ping6 $PING_ARG ::11
+   ping -6 $PING_ARG ::11
# ip4 over ip6
ping $PING_ARG 10.1.1.100
check_err $?
@@ -502,11 +502,11 @@ test_ip6ip6()
ip link set dev veth1 mtu 1500
attach_bpf $DEV ip6ip6_set_tunnel ip6ip6_get_tunnel
# underlay
-   ping6 $PING_ARG ::11
+   ping -6 $PING_ARG ::11
# ip6 over ip6
-   ping6 $PING_ARG 1::11
+   ping -6 $PING_ARG 1::11
check_err $?
-   ip netns exec at_ns0 ping6 $PING_ARG 1::22
+   ip netns exec at_ns0 ping -6 $PING_ARG 1::22
check_err $?
cleanup
 
-- 
2.42.0



[RFCv2 bpf-next 4/7] bpf: selftests: test_tunnel: Mount bpffs if necessary

2023-11-01 Thread Daniel Xu
Previously, if bpffs was not already mounted, then the test suite would
fail during object file pinning steps. Fix by mounting bpffs if
necessary.

Co-developed-by: Antony Antony 
Signed-off-by: Antony Antony 
Signed-off-by: Daniel Xu 
---
 tools/testing/selftests/bpf/test_tunnel.sh | 13 -
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/tools/testing/selftests/bpf/test_tunnel.sh 
b/tools/testing/selftests/bpf/test_tunnel.sh
index 85ba39992461..dd3c79129e87 100755
--- a/tools/testing/selftests/bpf/test_tunnel.sh
+++ b/tools/testing/selftests/bpf/test_tunnel.sh
@@ -46,7 +46,8 @@
 # 6) Forward the packet to the overlay tnl dev
 
 BPF_FILE="test_tunnel_kern.bpf.o"
-BPF_PIN_TUNNEL_DIR="/sys/fs/bpf/tc/tunnel"
+BPF_FS="/sys/fs/bpf"
+BPF_PIN_TUNNEL_DIR="${BPF_FS}/tc/tunnel"
 PING_ARG="-c 3 -w 10 -q"
 ret=0
 GREEN='\033[0;92m'
@@ -668,10 +669,20 @@ check_err()
fi
 }
 
+mount_bpffs()
+{
+   if ! mount | grep "bpf on /sys/fs/bpf" &>/dev/null; then
+   mount -t bpf bpf "$BPF_FS"
+   fi
+}
+
 bpf_tunnel_test()
 {
local errors=0
 
+   echo "Mounting bpffs..."
+   mount_bpffs
+
echo "Testing GRE tunnel..."
test_gre
errors=$(( $errors + $? ))
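
Review bot: mount_bpffs() hard-codes the path in `grep "bpf on /sys/fs/bpf"` although this patch introduces BPF_FS for exactly that path, and the result of `mount -t bpf bpf "$BPF_FS"` is never checked, so a failed mount still falls through to the pinning steps that the commit message says fail without bpffs. Build the pattern from "$BPF_FS" (`grep -q` would also replace the `&>/dev/null` redirect) and bail out of bpf_tunnel_test() when the mount fails. If the script mounts bpffs itself, it should also unmount it when the run finishes.
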
-- 
2.42.0



[RFCv2 bpf-next 5/7] bpf: selftests: test_tunnel: Use vmlinux.h declarations

2023-11-01 Thread Daniel Xu
vmlinux.h declarations are more ergonomic, especially when working with
kfuncs. The uapi headers are often incomplete for kfunc definitions.

Co-developed-by: Antony Antony 
Signed-off-by: Antony Antony 
Signed-off-by: Daniel Xu 
---
 .../selftests/bpf/progs/bpf_tracing_net.h |  1 +
 .../selftests/bpf/progs/test_tunnel_kern.c| 48 ---
 2 files changed, 9 insertions(+), 40 deletions(-)

diff --git a/tools/testing/selftests/bpf/progs/bpf_tracing_net.h 
b/tools/testing/selftests/bpf/progs/bpf_tracing_net.h
index 0b793a102791..1bdc680b0e0e 100644
--- a/tools/testing/selftests/bpf/progs/bpf_tracing_net.h
+++ b/tools/testing/selftests/bpf/progs/bpf_tracing_net.h
@@ -26,6 +26,7 @@
 #define IPV6_AUTOFLOWLABEL 70
 
 #define TC_ACT_UNSPEC  (-1)
+#define TC_ACT_OK  0
 #define TC_ACT_SHOT2
 
 #define SOL_TCP6
diff --git a/tools/testing/selftests/bpf/progs/test_tunnel_kern.c 
b/tools/testing/selftests/bpf/progs/test_tunnel_kern.c
index f66af753..3065a716544d 100644
--- a/tools/testing/selftests/bpf/progs/test_tunnel_kern.c
+++ b/tools/testing/selftests/bpf/progs/test_tunnel_kern.c
@@ -6,62 +6,30 @@
  * modify it under the terms of version 2 of the GNU General Public
  * License as published by the Free Software Foundation.
  */
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
-#include 
+#include "vmlinux.h"
 #include 
 #include 
+#include "bpf_kfuncs.h"
+#include "bpf_tracing_net.h"
 
 #define log_err(__ret) bpf_printk("ERROR line:%d ret:%d\n", __LINE__, __ret)
 
-#define VXLAN_UDP_PORT 4789
+#define VXLAN_UDP_PORT 4789
+#define ETH_P_IP   0x0800
+#define PACKET_HOST0
+#define TUNNEL_CSUMbpf_htons(0x01)
+#define TUNNEL_KEY bpf_htons(0x04)
 
 /* Only IPv4 address assigned to veth1.
  * 172.16.1.200
  */
 #define ASSIGNED_ADDR_VETH1 0xac1001c8
 
-struct geneve_opt {
-   __be16  opt_class;
-   __u8type;
-   __u8length:5;
-   __u8r3:1;
-   __u8r2:1;
-   __u8r1:1;
-   __u8opt_data[8]; /* hard-coded to 8 byte */
-};
-
 struct vxlanhdr {
__be32 vx_flags;
__be32 vx_vni;
 } __attribute__((packed));
 
-struct vxlan_metadata {
-   __u32 gbp;
-};
-
-struct bpf_fou_encap {
-   __be16 sport;
-   __be16 dport;
-};
-
-enum bpf_fou_encap_type {
-   FOU_BPF_ENCAP_FOU,
-   FOU_BPF_ENCAP_GUE,
-};
-
 int bpf_skb_set_fou_encap(struct __sk_buff *skb_ctx,
  struct bpf_fou_encap *encap, int type) __ksym;
 int bpf_skb_get_fou_encap(struct __sk_buff *skb_ctx,
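
Review bot: the new ETH_P_IP, PACKET_HOST, TUNNEL_CSUM and TUNNEL_KEY defines in test_tunnel_kern.c are local copies of constants that vmlinux.h does not carry, and nothing ties them to the kernel's values. This patch already adds TC_ACT_OK to bpf_tracing_net.h for the same reason; put these there as well so other programs that switch to vmlinux.h can share them. The VXLAN_UDP_PORT line appears to change whitespace only and could be left out of the patch.
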
-- 
2.42.0



[RFCv2 bpf-next 6/7] bpf: selftests: test_tunnel: Disable CO-RE relocations

2023-11-01 Thread Daniel Xu
Switching to vmlinux.h definitions seems to make the verifier very
unhappy with bitfield accesses. The error is:

; md.u.md2.dir = direction;
33: (69) r1 = *(u16 *)(r2 +11)
misaligned stack access off (0x0; 0x0)+-64+11 size 2

It looks like disabling CO-RE relocations seems to make the error go
away.

Co-developed-by: Antony Antony 
Signed-off-by: Antony Antony 
Signed-off-by: Daniel Xu 
---
 tools/testing/selftests/bpf/progs/test_tunnel_kern.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/testing/selftests/bpf/progs/test_tunnel_kern.c 
b/tools/testing/selftests/bpf/progs/test_tunnel_kern.c
index 3065a716544d..ec7e04e012ae 100644
--- a/tools/testing/selftests/bpf/progs/test_tunnel_kern.c
+++ b/tools/testing/selftests/bpf/progs/test_tunnel_kern.c
@@ -6,6 +6,7 @@
  * modify it under the terms of version 2 of the GNU General Public
  * License as published by the Free Software Foundation.
  */
+#define BPF_NO_PRESERVE_ACCESS_INDEX
 #include "vmlinux.h"
 #include 
 #include 
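
Review bot: `#define BPF_NO_PRESERVE_ACCESS_INDEX` goes in without a comment, and the commit message only says that disabling CO-RE relocations seems to make the `misaligned stack access` error go away. The define turns off preserve_access_index for every vmlinux.h type used in this file, not only the bitfield struct behind `md.u.md2.dir = direction`. Add a comment above it that records the failing access so the workaround can be dropped later, and state in the commit message whether the underlying problem is in the compiler output or in the verifier.
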
-- 
2.42.0



[RFCv2 bpf-next 7/7] bpf: xfrm: Add selftest for bpf_xdp_get_xfrm_state()

2023-11-01 Thread Daniel Xu
This commit extends test_tunnel selftest to test the new XDP xfrm state
lookup kfunc.

Co-developed-by: Antony Antony 
Signed-off-by: Antony Antony 
Signed-off-by: Daniel Xu 
---
 .../selftests/bpf/progs/test_tunnel_kern.c| 49 +++
 tools/testing/selftests/bpf/test_tunnel.sh| 12 +++--
 2 files changed, 57 insertions(+), 4 deletions(-)

diff --git a/tools/testing/selftests/bpf/progs/test_tunnel_kern.c 
b/tools/testing/selftests/bpf/progs/test_tunnel_kern.c
index ec7e04e012ae..17bf9ce28460 100644
--- a/tools/testing/selftests/bpf/progs/test_tunnel_kern.c
+++ b/tools/testing/selftests/bpf/progs/test_tunnel_kern.c
@@ -35,6 +35,10 @@ int bpf_skb_set_fou_encap(struct __sk_buff *skb_ctx,
  struct bpf_fou_encap *encap, int type) __ksym;
 int bpf_skb_get_fou_encap(struct __sk_buff *skb_ctx,
  struct bpf_fou_encap *encap) __ksym;
+struct xfrm_state *
+bpf_xdp_get_xfrm_state(struct xdp_md *ctx, struct bpf_xfrm_state_opts *opts,
+  u32 opts__sz) __ksym;
+void bpf_xdp_xfrm_state_release(struct xfrm_state *x) __ksym;
 
 struct {
__uint(type, BPF_MAP_TYPE_ARRAY);
@@ -948,4 +952,49 @@ int xfrm_get_state(struct __sk_buff *skb)
return TC_ACT_OK;
 }
 
+SEC("xdp")
+int xfrm_get_state_xdp(struct xdp_md *xdp)
+{
+   struct bpf_xfrm_state_opts opts = {};
+   struct xfrm_state *x = NULL;
+   struct ip_esp_hdr *esph;
+   struct bpf_dynptr ptr;
+   u8 esph_buf[8] = {};
+   u8 iph_buf[20] = {};
+   struct iphdr *iph;
+   u32 off;
+
+   if (bpf_dynptr_from_xdp(xdp, 0, &ptr))
+   goto out;
+
+   off = sizeof(struct ethhdr);
+   iph = bpf_dynptr_slice(&ptr, off, iph_buf, sizeof(iph_buf));
+   if (!iph || iph->protocol != IPPROTO_ESP)
+   goto out;
+
+   off += sizeof(struct iphdr);
+   esph = bpf_dynptr_slice(&ptr, off, esph_buf, sizeof(esph_buf));
+   if (!esph)
+   goto out;
+
+   opts.netns_id = BPF_F_CURRENT_NETNS,
+   opts.daddr.a4 = iph->daddr;
+   opts.spi = esph->spi;
+   opts.proto = IPPROTO_ESP;
+   opts.family = AF_INET;
+
+   x = bpf_xdp_get_xfrm_state(xdp, &opts, sizeof(opts));
+   if (!x || opts.error)
+   goto out;
+
+   if (!x->replay_esn)
+   goto out;
+
+   bpf_printk("replay-window %d\n", x->replay_esn->replay_window);
+out:
+   if (x)
+   bpf_xdp_xfrm_state_release(x);
+   return XDP_PASS;
+}
+
 char _license[] SEC("license") = "GPL";
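
Review bot: `opts.netns_id = BPF_F_CURRENT_NETNS,` in xfrm_get_state_xdp() ends in a comma instead of a semicolon. It compiles because the comma operator chains it to the `opts.daddr.a4` assignment, but it should be `;`. Also, `off += sizeof(struct iphdr)` assumes an IPv4 header without options, and the program reads `iph->protocol` without first checking the ethertype. If that is acceptable for the selftest traffic, say so in a comment, and size the buffers with `sizeof(struct iphdr)` and `sizeof(struct ip_esp_hdr)` rather than the literals 20 and 8.
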
diff --git a/tools/testing/selftests/bpf/test_tunnel.sh 
b/tools/testing/selftests/bpf/test_tunnel.sh
index dd3c79129e87..17d263681c71 100755
--- a/tools/testing/selftests/bpf/test_tunnel.sh
+++ b/tools/testing/selftests/bpf/test_tunnel.sh
@@ -528,7 +528,7 @@ setup_xfrm_tunnel()
# at_ns0 -> root
ip netns exec at_ns0 \
ip xfrm state add src 172.16.1.100 dst 172.16.1.200 proto esp \
-   spi $spi_in_to_out reqid 1 mode tunnel \
+   spi $spi_in_to_out reqid 1 mode tunnel replay-window 42 
\
auth-trunc 'hmac(sha1)' $auth 96 enc 'cbc(aes)' $enc
ip netns exec at_ns0 \
ip xfrm policy add src 10.1.1.100/32 dst 10.1.1.200/32 dir out \
@@ -537,7 +537,7 @@ setup_xfrm_tunnel()
# root -> at_ns0
ip netns exec at_ns0 \
ip xfrm state add src 172.16.1.200 dst 172.16.1.100 proto esp \
-   spi $spi_out_to_in reqid 2 mode tunnel \
+   spi $spi_out_to_in reqid 2 mode tunnel replay-window 42 
\
auth-trunc 'hmac(sha1)' $auth 96 enc 'cbc(aes)' $enc
ip netns exec at_ns0 \
ip xfrm policy add src 10.1.1.200/32 dst 10.1.1.100/32 dir in \
@@ -553,14 +553,14 @@ setup_xfrm_tunnel()
# root namespace
# at_ns0 -> root
ip xfrm state add src 172.16.1.100 dst 172.16.1.200 proto esp \
-   spi $spi_in_to_out reqid 1 mode tunnel \
+   spi $spi_in_to_out reqid 1 mode tunnel replay-window 42 \
auth-trunc 'hmac(sha1)' $auth 96  enc 'cbc(aes)' $enc
ip xfrm policy add src 10.1.1.100/32 dst 10.1.1.200/32 dir in \
tmpl src 172.16.1.100 dst 172.16.1.200 proto esp reqid 1 \
mode tunnel
# root -> at_ns0
ip xfrm state add src 172.16.1.200 dst 172.16.1.100 proto esp \
-   spi $spi_out_to_in reqid 2 mode tunnel \
+   spi $spi_out_to_in reqid 2 mode tunnel replay-window 42 \
auth-trunc 'hmac(sha1)' $auth 96  enc 'cbc(aes)' $enc
ip xfrm policy add src 10.1.1.200/32 dst 10.1.1.100/32 dir out \
tmpl src 172.16.1.200 dst 172.16.1.100 proto esp reqid 2 \
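
Review bot: `replay-window 42` is now a literal repeated in all four `ip xfrm state add` commands in setup_xfrm_tunnel(), and its only consumer is the `bpf_printk("replay-window %d\n", ...)` in xfrm_get_state_xdp(). Put the value in one shell variable next to the other xfrm parameters and use that variable wherever the test matches the printed value, so the check cannot drift from the setup.
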
@@ -585,6 +585,8 @@ test_xfrm_tunnel()
tc qdisc add dev veth1 clsact
tc filter add dev veth1 proto ip ingress bpf da object-pinned \
${BPF_PIN_TUNNEL_DIR}/xfrm_get_stat

Re: [GIT PULL] KUnit next update for Linux 6.7-rc1

2023-11-01 Thread pr-tracker-bot
The pull request you sent on Wed, 1 Nov 2023 12:37:36 -0600:

> git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest 
> tags/linux_kselftest-kunit-6.7-rc1

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/5eda8f25377f3d6de697eaa1d9801b9781d09dbc

Thank you!

-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/prtracker.html


Re: [GIT PULL] Kselftest next update for Linux 6.7-rc1

2023-11-01 Thread pr-tracker-bot
The pull request you sent on Wed, 1 Nov 2023 13:11:31 -0600:

> git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest 
> tags/linux_kselftest-next-6.7-rc1

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/7dc0e9c7dda66bd91eeada00d90033e3eb647fc3

Thank you!

-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/prtracker.html


Re: [PATCH bpf v3 0/2] bpf: Fix incorrect immediate spill

2023-11-01 Thread patchwork-bot+netdevbpf
Hello:

This series was applied to bpf/bpf.git (master)
by Alexei Starovoitov :

On Wed, 01 Nov 2023 13:33:50 +0100 you wrote:
> Immediate is incorrectly cast to u32 before being spilled, losing sign
> information. The range information is incorrect after load again. Fix
> immediate spill by remove the cast. The second patch add a test case
> for this.
> 
> Signed-off-by: Hao Sun 
> 
> [...]

Here is the summary with links:
  - [bpf,v3,1/2] bpf: Fix check_stack_write_fixed_off() to correctly spill imm
https://git.kernel.org/bpf/bpf/c/811c363645b3
  - [bpf,v3,2/2] selftests/bpf: Add test for immediate spilled to stack
https://git.kernel.org/bpf/bpf/c/85eb035e6cfd

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html




Re: [PATCH bpf-next v3 1/2] selftests/bpf: Convert CHECK macros to ASSERT_* macros in bpf_iter

2023-11-01 Thread patchwork-bot+netdevbpf
Hello:

This series was applied to bpf/bpf-next.git (master)
by Alexei Starovoitov :

On Sat, 28 Oct 2023 10:54:13 +0530 you wrote:
> As it was pointed out by Yonghong Song [1], in the bpf selftests the use
> of the ASSERT_* series of macros is preferred over the CHECK macro.
> This patch replaces all CHECK calls in bpf_iter with the appropriate
> ASSERT_* macros.
> 
> [1] 
> https://lore.kernel.org/lkml/0a142924-633c-44e6-9a92-2dc019656...@linux.dev
> 
> [...]

Here is the summary with links:
  - [bpf-next,v3,1/2] selftests/bpf: Convert CHECK macros to ASSERT_* macros in 
bpf_iter
https://git.kernel.org/bpf/bpf-next/c/ed47cb27586d
  - [bpf-next,v3,2/2] selftests/bpf: Add malloc failure checks in bpf_iter
https://git.kernel.org/bpf/bpf-next/c/cb3c6a58be50

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html