1 // SPDX-License-Identifier: GPL-2.0
2 /* Copyright (c) 2023 Meta Platforms, Inc. and affiliates. */
6 #include <bpf/bpf_helpers.h>
9 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
11 static volatile int zero = 0;
15 int small_arr[16] SEC(".data.small_arr");
18 __uint(type, BPF_MAP_TYPE_HASH);
19 __uint(max_entries, 10);
25 #define MY_PID_GUARD() if (my_pid != (bpf_get_current_pid_tgid() >> 32)) return 0
27 #define MY_PID_GUARD() ({ })
31 __failure __msg("math between map_value pointer and register with unbounded min value is not allowed")
32 int iter_err_unsafe_c_loop(const void *ctx)
34 struct bpf_iter_num it;
35 int *v, i = zero; /* obscure initial value of i */
39 bpf_iter_num_new(&it, 0, 1000);
40 while ((v = bpf_iter_num_next(&it))) {
43 bpf_iter_num_destroy(&it);
45 small_arr[i] = 123; /* invalid */
51 __failure __msg("unbounded memory access")
52 int iter_err_unsafe_asm_loop(const void *ctx)
54 struct bpf_iter_num it;
59 "r6 = %[zero];" /* iteration counter */
60 "r1 = %[it];" /* iterator state */
64 "call %[bpf_iter_num_new];"
67 "call %[bpf_iter_num_next];"
68 "if r0 == 0 goto out;"
73 "call %[bpf_iter_num_destroy];"
78 "*(u32 *)(r1 + 0) = r6;" /* invalid */
81 [small_arr]"p"(small_arr),
83 __imm(bpf_iter_num_new),
84 __imm(bpf_iter_num_next),
85 __imm(bpf_iter_num_destroy)
86 : __clobber_common, "r6"
94 int iter_while_loop(const void *ctx)
96 struct bpf_iter_num it;
101 bpf_iter_num_new(&it, 0, 3);
102 while ((v = bpf_iter_num_next(&it))) {
103 bpf_printk("ITER_BASIC: E1 VAL: v=%d", *v);
105 bpf_iter_num_destroy(&it);
112 int iter_while_loop_auto_cleanup(const void *ctx)
114 __attribute__((cleanup(bpf_iter_num_destroy))) struct bpf_iter_num it;
119 bpf_iter_num_new(&it, 0, 3);
120 while ((v = bpf_iter_num_next(&it))) {
121 bpf_printk("ITER_BASIC: E1 VAL: v=%d", *v);
123 /* (!) no explicit bpf_iter_num_destroy() */
130 int iter_for_loop(const void *ctx)
132 struct bpf_iter_num it;
137 bpf_iter_num_new(&it, 5, 10);
138 for (v = bpf_iter_num_next(&it); v; v = bpf_iter_num_next(&it)) {
139 bpf_printk("ITER_BASIC: E2 VAL: v=%d", *v);
141 bpf_iter_num_destroy(&it);
148 int iter_bpf_for_each_macro(const void *ctx)
154 bpf_for_each(num, v, 5, 10) {
155 bpf_printk("ITER_BASIC: E2 VAL: v=%d", *v);
163 int iter_bpf_for_macro(const void *ctx)
170 bpf_printk("ITER_BASIC: E2 VAL: v=%d", i);
178 int iter_pragma_unroll_loop(const void *ctx)
180 struct bpf_iter_num it;
185 bpf_iter_num_new(&it, 0, 2);
187 for (i = 0; i < 3; i++) {
188 v = bpf_iter_num_next(&it);
189 bpf_printk("ITER_BASIC: E3 VAL: i=%d v=%d", i, v ? *v : -1);
191 bpf_iter_num_destroy(&it);
198 int iter_manual_unroll_loop(const void *ctx)
200 struct bpf_iter_num it;
205 bpf_iter_num_new(&it, 100, 200);
206 v = bpf_iter_num_next(&it);
207 bpf_printk("ITER_BASIC: E4 VAL: v=%d", v ? *v : -1);
208 v = bpf_iter_num_next(&it);
209 bpf_printk("ITER_BASIC: E4 VAL: v=%d", v ? *v : -1);
210 v = bpf_iter_num_next(&it);
211 bpf_printk("ITER_BASIC: E4 VAL: v=%d", v ? *v : -1);
212 v = bpf_iter_num_next(&it);
213 bpf_printk("ITER_BASIC: E4 VAL: v=%d\n", v ? *v : -1);
214 bpf_iter_num_destroy(&it);
221 int iter_multiple_sequential_loops(const void *ctx)
223 struct bpf_iter_num it;
228 bpf_iter_num_new(&it, 0, 3);
229 while ((v = bpf_iter_num_next(&it))) {
230 bpf_printk("ITER_BASIC: E1 VAL: v=%d", *v);
232 bpf_iter_num_destroy(&it);
234 bpf_iter_num_new(&it, 5, 10);
235 for (v = bpf_iter_num_next(&it); v; v = bpf_iter_num_next(&it)) {
236 bpf_printk("ITER_BASIC: E2 VAL: v=%d", *v);
238 bpf_iter_num_destroy(&it);
240 bpf_iter_num_new(&it, 0, 2);
242 for (i = 0; i < 3; i++) {
243 v = bpf_iter_num_next(&it);
244 bpf_printk("ITER_BASIC: E3 VAL: i=%d v=%d", i, v ? *v : -1);
246 bpf_iter_num_destroy(&it);
248 bpf_iter_num_new(&it, 100, 200);
249 v = bpf_iter_num_next(&it);
250 bpf_printk("ITER_BASIC: E4 VAL: v=%d", v ? *v : -1);
251 v = bpf_iter_num_next(&it);
252 bpf_printk("ITER_BASIC: E4 VAL: v=%d", v ? *v : -1);
253 v = bpf_iter_num_next(&it);
254 bpf_printk("ITER_BASIC: E4 VAL: v=%d", v ? *v : -1);
255 v = bpf_iter_num_next(&it);
256 bpf_printk("ITER_BASIC: E4 VAL: v=%d\n", v ? *v : -1);
257 bpf_iter_num_destroy(&it);
264 int iter_limit_cond_break_loop(const void *ctx)
266 struct bpf_iter_num it;
267 int *v, i = 0, sum = 0;
271 bpf_iter_num_new(&it, 0, 10);
272 while ((v = bpf_iter_num_next(&it))) {
273 bpf_printk("ITER_SIMPLE: i=%d v=%d", i, *v);
280 bpf_iter_num_destroy(&it);
282 bpf_printk("ITER_SIMPLE: sum=%d\n", sum);
289 int iter_obfuscate_counter(const void *ctx)
291 struct bpf_iter_num it;
293 /* Make i's initial value unknowable for verifier to prevent it from
294 * pruning if/else branch inside the loop body and marking i as precise.
300 bpf_iter_num_new(&it, 0, 10);
301 while ((v = bpf_iter_num_next(&it))) {
306 /* If we initialized i as `int i = 0;` above, verifier would
307 * track that i becomes 1 on first iteration after increment
308 * above, and here verifier would eagerly prune else branch
309 * and mark i as precise, ruining open-coded iterator logic
310 * completely, as each next iteration would have a different
311 * *precise* value of i, and thus there would be no
312 * convergence of state. This would result in reaching maximum
313 * instruction limit, no matter what the limit is.
320 bpf_printk("ITER_OBFUSCATE_COUNTER: i=%d v=%d x=%d", i, *v, x);
324 bpf_iter_num_destroy(&it);
326 bpf_printk("ITER_OBFUSCATE_COUNTER: sum=%d\n", sum);
333 int iter_search_loop(const void *ctx)
335 struct bpf_iter_num it;
336 int *v, *elem = NULL;
341 bpf_iter_num_new(&it, 0, 10);
343 while ((v = bpf_iter_num_next(&it))) {
344 bpf_printk("ITER_SEARCH_LOOP: v=%d", *v);
353 /* should fail to verify if bpf_iter_num_destroy() is here */
356 /* here found element will be wrong, we should have copied
357 * value to a variable, but here we want to make sure we can
358 * access memory after the loop anyways
360 bpf_printk("ITER_SEARCH_LOOP: FOUND IT = %d!\n", *elem);
362 bpf_printk("ITER_SEARCH_LOOP: NOT FOUND IT!\n");
364 bpf_iter_num_destroy(&it);
371 int iter_array_fill(const void *ctx)
377 bpf_for(i, 0, ARRAY_SIZE(arr)) {
382 bpf_for(i, 0, ARRAY_SIZE(arr)) {
386 bpf_printk("ITER_ARRAY_FILL: sum=%d (should be %d)\n", sum, 255 * 256);
391 static int arr2d[4][5];
392 static int arr2d_row_sums[4];
393 static int arr2d_col_sums[5];
397 int iter_nested_iters(const void *ctx)
403 bpf_for(row, 0, ARRAY_SIZE(arr2d)) {
404 bpf_for( col, 0, ARRAY_SIZE(arr2d[0])) {
405 arr2d[row][col] = row * col;
409 /* zero-initialize sums */
411 bpf_for(row, 0, ARRAY_SIZE(arr2d)) {
412 arr2d_row_sums[row] = 0;
414 bpf_for(col, 0, ARRAY_SIZE(arr2d[0])) {
415 arr2d_col_sums[col] = 0;
419 bpf_for(row, 0, ARRAY_SIZE(arr2d)) {
420 bpf_for(col, 0, ARRAY_SIZE(arr2d[0])) {
421 sum += arr2d[row][col];
422 arr2d_row_sums[row] += arr2d[row][col];
423 arr2d_col_sums[col] += arr2d[row][col];
427 bpf_printk("ITER_NESTED_ITERS: total sum=%d", sum);
428 bpf_for(row, 0, ARRAY_SIZE(arr2d)) {
429 bpf_printk("ITER_NESTED_ITERS: row #%d sum=%d", row, arr2d_row_sums[row]);
431 bpf_for(col, 0, ARRAY_SIZE(arr2d[0])) {
432 bpf_printk("ITER_NESTED_ITERS: col #%d sum=%d%s",
433 col, arr2d_col_sums[col],
434 col == ARRAY_SIZE(arr2d[0]) - 1 ? "\n" : "");
442 int iter_nested_deeply_iters(const void *ctx)
458 /* validate that we can break from inside bpf_repeat() */
465 static __noinline void fill_inner_dimension(int row)
469 bpf_for(col, 0, ARRAY_SIZE(arr2d[0])) {
470 arr2d[row][col] = row * col;
474 static __noinline int sum_inner_dimension(int row)
478 bpf_for(col, 0, ARRAY_SIZE(arr2d[0])) {
479 sum += arr2d[row][col];
480 arr2d_row_sums[row] += arr2d[row][col];
481 arr2d_col_sums[col] += arr2d[row][col];
489 int iter_subprog_iters(const void *ctx)
495 bpf_for(row, 0, ARRAY_SIZE(arr2d)) {
496 fill_inner_dimension(row);
499 /* zero-initialize sums */
501 bpf_for(row, 0, ARRAY_SIZE(arr2d)) {
502 arr2d_row_sums[row] = 0;
504 bpf_for(col, 0, ARRAY_SIZE(arr2d[0])) {
505 arr2d_col_sums[col] = 0;
509 bpf_for(row, 0, ARRAY_SIZE(arr2d)) {
510 sum += sum_inner_dimension(row);
513 bpf_printk("ITER_SUBPROG_ITERS: total sum=%d", sum);
514 bpf_for(row, 0, ARRAY_SIZE(arr2d)) {
515 bpf_printk("ITER_SUBPROG_ITERS: row #%d sum=%d",
516 row, arr2d_row_sums[row]);
518 bpf_for(col, 0, ARRAY_SIZE(arr2d[0])) {
519 bpf_printk("ITER_SUBPROG_ITERS: col #%d sum=%d%s",
520 col, arr2d_col_sums[col],
521 col == ARRAY_SIZE(arr2d[0]) - 1 ? "\n" : "");
528 __uint(type, BPF_MAP_TYPE_ARRAY);
531 __uint(max_entries, 1000);
532 } arr_map SEC(".maps");
535 __failure __msg("invalid mem access 'scalar'")
536 int iter_err_too_permissive1(const void *ctx)
543 map_val = bpf_map_lookup_elem(&arr_map, &key);
547 bpf_repeat(1000000) {
557 __failure __msg("invalid mem access 'map_value_or_null'")
558 int iter_err_too_permissive2(const void *ctx)
565 map_val = bpf_map_lookup_elem(&arr_map, &key);
569 bpf_repeat(1000000) {
570 map_val = bpf_map_lookup_elem(&arr_map, &key);
579 __failure __msg("invalid mem access 'map_value_or_null'")
580 int iter_err_too_permissive3(const void *ctx)
588 bpf_repeat(1000000) {
589 map_val = bpf_map_lookup_elem(&arr_map, &key);
601 int iter_tricky_but_fine(const void *ctx)
609 bpf_repeat(1000000) {
610 map_val = bpf_map_lookup_elem(&arr_map, &key);
623 #define __bpf_memzero(p, sz) bpf_probe_read_kernel((p), (sz), 0)
627 int iter_stack_array_loop(const void *ctx)
629 long arr1[16], arr2[16], sum = 0;
634 /* zero-init arr1 and arr2 in such a way that verifier doesn't know
635 * it's all zeros; if we don't do that, we'll make BPF verifier track
636 * all combination of zero/non-zero stack slots for arr1/arr2, which
637 * will lead to O(2^(ARRAY_SIZE(arr1)+ARRAY_SIZE(arr2))) different
640 __bpf_memzero(arr1, sizeof(arr1));
641 __bpf_memzero(arr2, sizeof(arr1));
643 /* validate that we can break and continue when using bpf_for() */
644 bpf_for(i, 0, ARRAY_SIZE(arr1)) {
654 bpf_for(i, 0, ARRAY_SIZE(arr1)) {
655 sum += arr1[i] + arr2[i];
661 static __noinline void fill(struct bpf_iter_num *it, int *arr, __u32 n, int mul)
665 while ((t = bpf_iter_num_next(it))) {
673 static __noinline int sum(struct bpf_iter_num *it, int *arr, __u32 n)
677 while ((t = bpf_iter_num_next(it))) {
689 int iter_pass_iter_ptr_to_subprog(const void *ctx)
691 int arr1[16], arr2[32];
692 struct bpf_iter_num it;
698 n = ARRAY_SIZE(arr1);
699 bpf_iter_num_new(&it, 0, n);
700 fill(&it, arr1, n, 2);
701 bpf_iter_num_destroy(&it);
704 n = ARRAY_SIZE(arr2);
705 bpf_iter_num_new(&it, 0, n);
706 fill(&it, arr2, n, 10);
707 bpf_iter_num_destroy(&it);
710 n = ARRAY_SIZE(arr1);
711 bpf_iter_num_new(&it, 0, n);
712 sum1 = sum(&it, arr1, n);
713 bpf_iter_num_destroy(&it);
716 n = ARRAY_SIZE(arr2);
717 bpf_iter_num_new(&it, 0, n);
718 sum2 = sum(&it, arr2, n);
719 bpf_iter_num_destroy(&it);
721 bpf_printk("sum1=%d, sum2=%d", sum1, sum2);
728 __msg("R1 type=scalar expected=fp")
729 __naked int delayed_read_mark(void)
731 /* This is equivalent to C program below.
732 * The call to bpf_iter_num_next() is reachable with r7 values &fp[-16] and 0xdead.
733 * State with r7=&fp[-16] is visited first and follows r6 != 42 ... continue branch.
734 * At this point iterator next() call is reached with r7 that has no read mark.
735 * Loop body with r7=0xdead would only be visited if verifier would decide to continue
736 * with second loop iteration. Absence of read mark on r7 might affect state
737 * equivalent logic used for iterator convergence tracking.
741 * r6 = bpf_get_prandom_u32()
742 * bpf_iter_num_new(&fp[-8], 0, 10)
743 * while (bpf_iter_num_next(&fp[-8])) {
749 * bpf_probe_read_user(r7, 8, 0xdeadbeef); // this is not safe
751 * bpf_iter_num_destroy(&fp[-8])
758 "*(u64 *)(r7 + 0) = r0;"
759 "call %[bpf_get_prandom_u32];"
765 "call %[bpf_iter_num_new];"
769 "call %[bpf_iter_num_next];"
770 "if r0 == 0 goto 2f;"
772 "if r6 != 42 goto 3f;"
779 "call %[bpf_probe_read_user];"
784 "call %[bpf_iter_num_destroy];"
788 : __imm(bpf_get_prandom_u32),
789 __imm(bpf_iter_num_new),
790 __imm(bpf_iter_num_next),
791 __imm(bpf_iter_num_destroy),
792 __imm(bpf_probe_read_user)
799 __msg("math between fp pointer and register with unbounded")
800 __naked int delayed_precision_mark(void)
802 /* This is equivalent to C program below.
803 * The test is similar to delayed_iter_mark but verifies that incomplete
804 * precision don't fool verifier.
805 * The call to bpf_iter_num_next() is reachable with r7 values -16 and -32.
806 * State with r7=-16 is visited first and follows r6 != 42 ... continue branch.
807 * At this point iterator next() call is reached with r7 that has no read
808 * and precision marks.
809 * Loop body with r7=-32 would only be visited if verifier would decide to continue
810 * with second loop iteration. Absence of precision mark on r7 might affect state
811 * equivalent logic used for iterator convergence tracking.
816 * r6 = bpf_get_prandom_u32()
817 * bpf_iter_num_new(&fp[-8], 0, 10)
818 * while (bpf_iter_num_next(&fp[-8])) {
821 * r6 = bpf_get_prandom_u32()
826 * r8 = *(u64 *)(r0 + 0) // this is not safe
827 * r6 = bpf_get_prandom_u32()
829 * bpf_iter_num_destroy(&fp[-8])
834 "*(u64 *)(r10 - 16) = r8;"
836 "call %[bpf_get_prandom_u32];"
842 "call %[bpf_iter_num_new];"
846 "call %[bpf_iter_num_next];"
847 "if r0 == 0 goto 2f;"
848 "if r6 != 42 goto 3f;"
850 "call %[bpf_get_prandom_u32];"
856 "r8 = *(u64 *)(r0 + 0);"
857 "call %[bpf_get_prandom_u32];"
863 "call %[bpf_iter_num_destroy];"
867 : __imm(bpf_get_prandom_u32),
868 __imm(bpf_iter_num_new),
869 __imm(bpf_iter_num_next),
870 __imm(bpf_iter_num_destroy),
871 __imm(bpf_probe_read_user)
878 __msg("math between fp pointer and register with unbounded")
879 __flag(BPF_F_TEST_STATE_FREQ)
880 __naked int loop_state_deps1(void)
882 /* This is equivalent to C program below.
884 * The case turns out to be tricky in a sense that:
885 * - states with c=-25 are explored only on a second iteration
887 * - states with read+precise mark on c are explored only on
888 * second iteration of the inner loop and in a state which
889 * is pushed to states stack first.
891 * Depending on the details of iterator convergence logic
892 * verifier might stop states traversal too early and miss
893 * unsafe c=-25 memory access.
895 * j = iter_new(); // fp[-16]
899 * while (iter_next(j)) {
900 * i = iter_new(); // fp[-8]
903 * while (iter_next(i)) {
907 * } else if (a == 0) {
909 * if (random() == 42)
912 * *(r10 + c) = 7; // this is not safe
932 "call %[bpf_iter_num_new];"
939 "call %[bpf_iter_num_next];"
940 "if r0 == 0 goto j_loop_end_%=;"
945 "call %[bpf_iter_num_new];"
951 "call %[bpf_iter_num_next];"
952 "if r0 == 0 goto i_loop_end_%=;"
954 "if r6 != 1 goto check_zero_r6_%=;"
959 "if r6 != 0 goto i_loop_%=;"
961 "call %[bpf_get_prandom_u32];"
962 "if r0 != 42 goto check_one_r7_%=;"
965 "if r7 != 1 goto i_loop_%=;"
969 "*(u64 *)(r0 + 0) = r1;"
972 "call %[bpf_iter_num_destroy];"
975 "call %[bpf_iter_num_destroy];"
981 "call %[bpf_iter_num_destroy];"
989 "call %[bpf_iter_num_destroy];"
993 : __imm(bpf_get_prandom_u32),
994 __imm(bpf_iter_num_new),
995 __imm(bpf_iter_num_next),
996 __imm(bpf_iter_num_destroy)
1003 __msg("math between fp pointer and register with unbounded")
1004 __flag(BPF_F_TEST_STATE_FREQ)
1005 __naked int loop_state_deps2(void)
1007 /* This is equivalent to C program below.
1009 * The case turns out to be tricky in a sense that:
1010 * - states with read+precise mark on c are explored only on a second
1011 * iteration of the first inner loop and in a state which is pushed to
1012 * states stack first.
1013 * - states with c=-25 are explored only on a second iteration of the
1014 * second inner loop and in a state which is pushed to states stack
1017 * Depending on the details of iterator convergence logic
1018 * verifier might stop states traversal too early and miss
1019 * unsafe c=-25 memory access.
1021 * j = iter_new(); // fp[-16]
1025 * while (iter_next(j)) {
1026 * i = iter_new(); // fp[-8]
1029 * while (iter_next(i)) {
1033 * } else if (a == 0) {
1035 * if (random() == 42)
1038 * *(r10 + c) = 7; // this is not safe
1046 * i = iter_new(); // fp[-8]
1049 * while (iter_next(i)) {
1053 * } else if (a == 0) {
1055 * if (random() == 42)
1073 "call %[bpf_iter_num_new];"
1080 "call %[bpf_iter_num_next];"
1081 "if r0 == 0 goto j_loop_end_%=;"
1083 /* first inner loop */
1088 "call %[bpf_iter_num_new];"
1094 "call %[bpf_iter_num_next];"
1095 "if r0 == 0 goto i_loop_end_%=;"
1097 "if r6 != 1 goto check_zero_r6_%=;"
1102 "if r6 != 0 goto i_loop_%=;"
1104 "call %[bpf_get_prandom_u32];"
1105 "if r0 != 42 goto check_one_r7_%=;"
1108 "if r7 != 1 goto i_loop_%=;"
1112 "*(u64 *)(r0 + 0) = r1;"
1115 "call %[bpf_iter_num_destroy];"
1118 "call %[bpf_iter_num_destroy];"
1124 "call %[bpf_iter_num_destroy];"
1126 /* second inner loop */
1131 "call %[bpf_iter_num_new];"
1137 "call %[bpf_iter_num_next];"
1138 "if r0 == 0 goto i2_loop_end_%=;"
1140 "if r6 != 1 goto check2_zero_r6_%=;"
1144 "check2_zero_r6_%=:"
1145 "if r6 != 0 goto i2_loop_%=;"
1147 "call %[bpf_get_prandom_u32];"
1148 "if r0 != 42 goto check2_one_r7_%=;"
1151 "if r7 != 1 goto i2_loop_%=;"
1158 "call %[bpf_iter_num_destroy];"
1166 "call %[bpf_iter_num_destroy];"
1170 : __imm(bpf_get_prandom_u32),
1171 __imm(bpf_iter_num_new),
1172 __imm(bpf_iter_num_next),
1173 __imm(bpf_iter_num_destroy)
1180 __naked int triple_continue(void)
1182 /* This is equivalent to C program below.
1183 * High branching factor of the loop body turned out to be
1184 * problematic for one of the iterator convergence tracking
1185 * algorithms explored.
1187 * r6 = bpf_get_prandom_u32()
1188 * bpf_iter_num_new(&fp[-8], 0, 10)
1189 * while (bpf_iter_num_next(&fp[-8])) {
1190 * if (bpf_get_prandom_u32() != 42)
1192 * if (bpf_get_prandom_u32() != 42)
1194 * if (bpf_get_prandom_u32() != 42)
1198 * bpf_iter_num_destroy(&fp[-8])
1206 "call %[bpf_iter_num_new];"
1210 "call %[bpf_iter_num_next];"
1211 "if r0 == 0 goto loop_end_%=;"
1212 "call %[bpf_get_prandom_u32];"
1213 "if r0 != 42 goto loop_%=;"
1214 "call %[bpf_get_prandom_u32];"
1215 "if r0 != 42 goto loop_%=;"
1216 "call %[bpf_get_prandom_u32];"
1217 "if r0 != 42 goto loop_%=;"
1223 "call %[bpf_iter_num_destroy];"
1227 : __imm(bpf_get_prandom_u32),
1228 __imm(bpf_iter_num_new),
1229 __imm(bpf_iter_num_next),
1230 __imm(bpf_iter_num_destroy)
1237 __naked int widen_spill(void)
1239 /* This is equivalent to C program below.
1240 * The counter is stored in fp[-16], if this counter is not widened
1241 * verifier states representing loop iterations would never converge.
1244 * bpf_iter_num_new(&fp[-8], 0, 10)
1245 * while (bpf_iter_num_next(&fp[-8])) {
1250 * bpf_iter_num_destroy(&fp[-8])
1255 "*(u64 *)(r10 - 16) = r0;"
1260 "call %[bpf_iter_num_new];"
1264 "call %[bpf_iter_num_next];"
1265 "if r0 == 0 goto loop_end_%=;"
1266 "r0 = *(u64 *)(r10 - 16);"
1268 "*(u64 *)(r10 - 16) = r0;"
1273 "call %[bpf_iter_num_destroy];"
1277 : __imm(bpf_iter_num_new),
1278 __imm(bpf_iter_num_next),
1279 __imm(bpf_iter_num_destroy)
1286 __naked int checkpoint_states_deletion(void)
1288 /* This is equivalent to C program below.
1290 * int *a, *b, *c, *d, *e, *f;
1292 * bpf_for(i, 0, 10) {
1293 * a = bpf_map_lookup_elem(&amap, &i);
1294 * b = bpf_map_lookup_elem(&amap, &i);
1295 * c = bpf_map_lookup_elem(&amap, &i);
1296 * d = bpf_map_lookup_elem(&amap, &i);
1297 * e = bpf_map_lookup_elem(&amap, &i);
1298 * f = bpf_map_lookup_elem(&amap, &i);
1308 * The body of the loop spawns multiple simulation paths
1309 * with different combination of NULL/non-NULL information for a/b/c/d/e/f.
1310 * Each combination is unique from states_equal() point of view.
1311 * Explored states checkpoint is created after each iterator next call.
1312 * Iterator convergence logic expects that eventually current state
1313 * would get equal to one of the explored states and thus loop
1314 * exploration would be finished (at-least for a specific path).
1315 * Verifier evicts explored states with high miss to hit ratio
1316 * to to avoid comparing current state with too many explored
1317 * states per instruction.
1318 * This test is designed to "stress test" eviction policy defined using formula:
1320 * sl->miss_cnt > sl->hit_cnt * N + N // if true sl->state is evicted
1322 * Currently N is set to 64, which allows for 6 variables in this test.
1328 "*(u64 *)(r10 - 24) = r6;" /* d */
1329 "*(u64 *)(r10 - 32) = r6;" /* e */
1330 "*(u64 *)(r10 - 40) = r6;" /* f */
1336 "call %[bpf_iter_num_new];"
1340 "call %[bpf_iter_num_next];"
1341 "if r0 == 0 goto loop_end_%=;"
1343 "*(u64 *)(r10 - 16) = r0;"
1348 "call %[bpf_map_lookup_elem];"
1354 "call %[bpf_map_lookup_elem];"
1360 "call %[bpf_map_lookup_elem];"
1366 "call %[bpf_map_lookup_elem];"
1367 "*(u64 *)(r10 - 24) = r0;"
1372 "call %[bpf_map_lookup_elem];"
1373 "*(u64 *)(r10 - 32) = r0;"
1378 "call %[bpf_map_lookup_elem];"
1379 "*(u64 *)(r10 - 40) = r0;"
1381 "if r6 == 0 goto +1;"
1383 "if r7 == 0 goto +1;"
1385 "if r8 == 0 goto +1;"
1387 "r0 = *(u64 *)(r10 - 24);"
1388 "if r0 == 0 goto +1;"
1390 "r0 = *(u64 *)(r10 - 32);"
1391 "if r0 == 0 goto +1;"
1393 "r0 = *(u64 *)(r10 - 40);"
1394 "if r0 == 0 goto +1;"
1401 "call %[bpf_iter_num_destroy];"
1405 : __imm(bpf_map_lookup_elem),
1406 __imm(bpf_iter_num_new),
1407 __imm(bpf_iter_num_next),
1408 __imm(bpf_iter_num_destroy),
1414 char _license[] SEC("license") = "GPL";
projects / platform / kernel / linux-rpi.git / blob