From patchwork Mon Apr 30 17:15:05 2018
X-Patchwork-Submitter: William Tu
X-Patchwork-Id: 906794
X-Patchwork-Delegate: bpf@iogearbox.net
From: William Tu
To: netdev@vger.kernel.org
Cc: Yonghong Song, Yifeng Sun
Subject: [PATCH bpf-next] bpf/verifier: enable ctx + const + 0.
Date: Mon, 30 Apr 2018 10:15:05 -0700
Message-Id: <1525108505-21175-1-git-send-email-u9012063@gmail.com>

Existing verifier does not allow 'ctx + const + const'. However, due to
compiler optimization, there is a case where BPF compiler generates
'ctx + const + 0', as shown below:

  599: (1d) if r2 == r4 goto pc+2
   R0=inv(id=0) R1=ctx(id=0,off=40,imm=0)
   R2=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff))
   R3=inv(id=0,umax_value=65535,var_off=(0x0; 0xffff)) R4=inv0
   R6=ctx(id=0,off=0,imm=0) R7=inv2
  600: (bf) r1 = r6 // r1 is ctx
  601: (07) r1 += 36 // r1 has offset 36
  602: (61) r4 = *(u32 *)(r1 +0) // r1 + 0
  dereference of modified ctx ptr R1 off=36+0, ctx+const is allowed,
  ctx+const+const is not

The reason for BPF backend generating this code is due to optimization
like this, explained by Yonghong:

    if (...)
        *(ctx + 60)
    else
        *(ctx + 56)

The compiler translates it to

    if (...)
        ptr = ctx + 60
    else
        ptr = ctx + 56
    *(ptr + 0)

So load ptr memory becomes an example of 'ctx + const + 0'. This patch
enables support for this case.

Fixes: f8ddadc4db6c7 ("Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net")
Cc: Yonghong Song
Signed-off-by: Yifeng Sun
Signed-off-by: William Tu
---
 kernel/bpf/verifier.c                       |  2 +-
 tools/testing/selftests/bpf/test_verifier.c | 13 +++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 712d8655e916..c9a791b9cf2a 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c
@@ -1638,7 +1638,7 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn /* ctx accesses must be at a fixed offset, so that we can * determine what type of data were returned. */ - if (reg->off) { + if (reg->off && off != reg->off) { verbose(env, "dereference of modified ctx ptr R%d off=%d+%d, ctx+const is allowed, ctx+const+const is not\n", regno, reg->off, off - reg->off); diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c index 1acafe26498b..95ad5d5723ae 100644 --- a/tools/testing/selftests/bpf/test_verifier.c +++ b/tools/testing/selftests/bpf/test_verifier.c @@ -8452,6 +8452,19 @@ static struct bpf_test tests[] = { .prog_type = BPF_PROG_TYPE_SCHED_CLS, }, { + "arithmetic ops make PTR_TO_CTX + const + 0 valid", + .insns = { + BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, + offsetof(struct __sk_buff, data) - + offsetof(struct __sk_buff, mark)), + BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + .prog_type = BPF_PROG_TYPE_SCHED_CLS, + }, + { "pkt_end - pkt_start is allowed", .insns = { BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
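
Review bot: In the kernel/bpf/verifier.c hunk, the new test 'if (reg->off && off != reg->off)' lets a ctx load through whenever the instruction's own offset is zero (judging by the 'off - reg->off' argument passed to verbose()), yet the diffstat shows this one line as the only verifier change, so nothing visible in the patch makes the later handling of the ctx access take reg->off into account. In the commit message's example a single '*(ptr + 0)' load is reached with ptr = ctx + 60 on one path and ptr = ctx + 56 on the other; please show that the field actually read is resolved correctly on both paths, or keep rejecting the case where one instruction is reached with different register offsets. The comment above the test ("ctx accesses must be at a fixed offset") and the verbose() text ("ctx+const is allowed, ctx+const+const is not") should also be updated to state that a zero instruction offset on top of a modified ctx pointer is now accepted.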
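
Review bot: In the tools/testing/selftests/bpf/test_verifier.c hunk, the new test "arithmetic ops make PTR_TO_CTX + const + 0 valid" covers only a straight-line add followed by a load, not the shape the commit message gives as the motivation, where one load at offset 0 is reached from two branches with different ctx offsets (ctx + 60 and ctx + 56); please add a test with that shape and check the value it reads on each path. The constant added to BPF_REG_1 is the difference 'offsetof(struct __sk_buff, data) - offsetof(struct __sk_buff, mark)', and since no other instruction in the test adjusts R1, it is not clear which __sk_buff field the load is meant to hit; using offsetof() of the intended field directly would make the test self-explanatory. If it is not already covered elsewhere in the file, a companion case with a non-zero instruction offset on the modified pointer and .result = REJECT would pin down the other side of the new condition.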