linux-zen-server/tools/testing/selftests/bpf/verifier/atomic_fetch_add.c

107 lines
3.2 KiB
C

{
"BPF_ATOMIC_FETCH_ADD smoketest - 64bit",
.insns = {
BPF_MOV64_IMM(BPF_REG_0, 0),
/* Write 3 to stack */
BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 3),
/* Put a 1 in R1, add it to the 3 on the stack, and load the value back into R1 */
BPF_MOV64_IMM(BPF_REG_1, 1),
BPF_ATOMIC_OP(BPF_DW, BPF_ADD | BPF_FETCH, BPF_REG_10, BPF_REG_1, -8),
/* Check the value we loaded back was 3 */
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
BPF_MOV64_IMM(BPF_REG_0, 1),
BPF_EXIT_INSN(),
/* Load value from stack */
BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -8),
/* Check value loaded from stack was 4 */
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
BPF_MOV64_IMM(BPF_REG_0, 2),
BPF_EXIT_INSN(),
},
.result = ACCEPT,
},
{
"BPF_ATOMIC_FETCH_ADD smoketest - 32bit",
.insns = {
BPF_MOV64_IMM(BPF_REG_0, 0),
/* Write 3 to stack */
BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 3),
/* Put a 1 in R1, add it to the 3 on the stack, and load the value back into R1 */
BPF_MOV32_IMM(BPF_REG_1, 1),
BPF_ATOMIC_OP(BPF_W, BPF_ADD | BPF_FETCH, BPF_REG_10, BPF_REG_1, -4),
/* Check the value we loaded back was 3 */
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
BPF_MOV64_IMM(BPF_REG_0, 1),
BPF_EXIT_INSN(),
/* Load value from stack */
BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_10, -4),
/* Check value loaded from stack was 4 */
BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
BPF_MOV64_IMM(BPF_REG_0, 2),
BPF_EXIT_INSN(),
},
.result = ACCEPT,
},
{
"Can't use ATM_FETCH_ADD on frame pointer",
.insns = {
BPF_MOV64_IMM(BPF_REG_0, 0),
BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 3),
BPF_ATOMIC_OP(BPF_DW, BPF_ADD | BPF_FETCH, BPF_REG_10, BPF_REG_10, -8),
BPF_EXIT_INSN(),
},
.result = REJECT,
.errstr_unpriv = "R10 leaks addr into mem",
.errstr = "frame pointer is read only",
},
{
"Can't use ATM_FETCH_ADD on uninit src reg",
.insns = {
BPF_MOV64_IMM(BPF_REG_0, 0),
BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 3),
BPF_ATOMIC_OP(BPF_DW, BPF_ADD | BPF_FETCH, BPF_REG_10, BPF_REG_2, -8),
BPF_EXIT_INSN(),
},
.result = REJECT,
/* It happens that the address leak check is first, but it would also be
* complain about the fact that we're trying to modify R10.
*/
.errstr = "!read_ok",
},
{
"Can't use ATM_FETCH_ADD on uninit dst reg",
.insns = {
BPF_MOV64_IMM(BPF_REG_0, 0),
BPF_ATOMIC_OP(BPF_DW, BPF_ADD | BPF_FETCH, BPF_REG_2, BPF_REG_0, -8),
BPF_EXIT_INSN(),
},
.result = REJECT,
/* It happens that the address leak check is first, but it would also be
* complain about the fact that we're trying to modify R10.
*/
.errstr = "!read_ok",
},
{
"Can't use ATM_FETCH_ADD on kernel memory",
.insns = {
/* This is an fentry prog, context is array of the args of the
* kernel function being called. Load first arg into R2.
*/
BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 0),
/* First arg of bpf_fentry_test7 is a pointer to a struct.
* Attempt to modify that struct. Verifier shouldn't let us
* because it's kernel memory.
*/
BPF_MOV64_IMM(BPF_REG_3, 1),
BPF_ATOMIC_OP(BPF_DW, BPF_ADD | BPF_FETCH, BPF_REG_2, BPF_REG_3, 0),
/* Done */
BPF_MOV64_IMM(BPF_REG_0, 0),
BPF_EXIT_INSN(),
},
.prog_type = BPF_PROG_TYPE_TRACING,
.expected_attach_type = BPF_TRACE_FENTRY,
.kfunc = "bpf_fentry_test7",
.result = REJECT,
.errstr = "only read is supported",
},