bpf, selftests: Update test case for atomic cmpxchg on r0 with pointer

commit e523102cb719cbad1673b6aa2a4d5c1fa6f13799 upstream.

Fix up unprivileged test case results for 'Dest pointer in r0' verifier tests
given they now need to reject R0 containing a pointer value, and add a couple
of new related ones with 32bit cmpxchg as well.

  root@foo:~/bpf/tools/testing/selftests/bpf# ./test_verifier
  #0/u invalid and of negative number OK
  #0/p invalid and of negative number OK
  [...]
  #1268/p XDP pkt read, pkt_meta' <= pkt_data, bad access 1 OK
  #1269/p XDP pkt read, pkt_meta' <= pkt_data, bad access 2 OK
  #1270/p XDP pkt read, pkt_data <= pkt_meta', good access OK
  #1271/p XDP pkt read, pkt_data <= pkt_meta', bad access 1 OK
  #1272/p XDP pkt read, pkt_data <= pkt_meta', bad access 2 OK
  Summary: 1900 PASSED, 0 SKIPPED, 0 FAILED

Acked-by: Brendan Jackman <jackmanb@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/tools/testing/selftests/bpf/verifier/atomic_cmpxchg.c b/tools/testing/selftests/bpf/verifier/atomic_cmpxchg.c
index ad17e382d06e9123cfd304143d7e26e6127c07f7..6fb52d8cfd889a9013a39389f3b0c3a2f10fb007 100644 (file)
--- a/tools/testing/selftests/bpf/verifier/atomic_cmpxchg.c
+++ b/tools/testing/selftests/bpf/verifier/atomic_cmpxchg.c
@@ -71,6 +71,8 @@
                BPF_EXIT_INSN(),
        },
        .result = ACCEPT,
+       .result_unpriv = REJECT,
+       .errstr_unpriv = "R0 leaks addr into mem",
 },
 {
        "Can't use cmpxchg on uninit src reg",
@@ -119,7 +121,7 @@
        },
        .result = ACCEPT,
        .result_unpriv = REJECT,
-       .errstr_unpriv = "leaking pointer from stack off -8",
+       .errstr_unpriv = "R0 leaks addr into mem",
 },
 {
        "Dest pointer in r0 - succeed, check 2",
@@ -140,5 +142,66 @@
        },
        .result = ACCEPT,
        .result_unpriv = REJECT,
-       .errstr_unpriv = "R5 leaks addr into mem",
+       .errstr_unpriv = "R0 leaks addr into mem",
+},
+{
+       "Dest pointer in r0 - succeed, check 3",
+       .insns = {
+               /* r0 = &val */
+               BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
+               /* val = r0; */
+               BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
+               /* r5 = &val */
+               BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
+               /* r0 = atomic_cmpxchg(&val, r0, r5); */
+               BPF_ATOMIC_OP(BPF_W, BPF_CMPXCHG, BPF_REG_10, BPF_REG_5, -8),
+               /* exit(0); */
+               BPF_MOV64_IMM(BPF_REG_0, 0),
+               BPF_EXIT_INSN(),
+       },
+       .result = REJECT,
+       .errstr = "invalid size of register fill",
+       .errstr_unpriv = "R0 leaks addr into mem",
+},
+{
+       "Dest pointer in r0 - succeed, check 4",
+       .insns = {
+               /* r0 = &val */
+               BPF_MOV32_REG(BPF_REG_0, BPF_REG_10),
+               /* val = r0; */
+               BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -8),
+               /* r5 = &val */
+               BPF_MOV32_REG(BPF_REG_5, BPF_REG_10),
+               /* r0 = atomic_cmpxchg(&val, r0, r5); */
+               BPF_ATOMIC_OP(BPF_W, BPF_CMPXCHG, BPF_REG_10, BPF_REG_5, -8),
+               /* r1 = *r10 */
+               BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_10, -8),
+               /* exit(0); */
+               BPF_MOV64_IMM(BPF_REG_0, 0),
+               BPF_EXIT_INSN(),
+       },
+       .result = ACCEPT,
+       .result_unpriv = REJECT,
+       .errstr_unpriv = "R10 partial copy of pointer",
+},
+{
+       "Dest pointer in r0 - succeed, check 5",
+       .insns = {
+               /* r0 = &val */
+               BPF_MOV32_REG(BPF_REG_0, BPF_REG_10),
+               /* val = r0; */
+               BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -8),
+               /* r5 = &val */
+               BPF_MOV32_REG(BPF_REG_5, BPF_REG_10),
+               /* r0 = atomic_cmpxchg(&val, r0, r5); */
+               BPF_ATOMIC_OP(BPF_W, BPF_CMPXCHG, BPF_REG_10, BPF_REG_5, -8),
+               /* r1 = *r0 */
+               BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -8),
+               /* exit(0); */
+               BPF_MOV64_IMM(BPF_REG_0, 0),
+               BPF_EXIT_INSN(),
+       },
+       .result = REJECT,
+       .errstr = "R0 invalid mem access",
+       .errstr_unpriv = "R10 partial copy of pointer",
 },