selftests/bpf: Add tests with stack ptr register in conditional jmp

commit 5ffb537e416ee22dbfb3d552102e50da33fec7f6 upstream.

Add two tests:
  - one test has 'rX <op> r10' where rX is not r10, and
  - another test has 'rX <op> rY' where rX and rY are not r10
    but there is an early insn 'rX = r10'.

Without previous verifier change, both tests will fail.

Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20250524041340.4046304-1-yonghong.song@linux.dev
[ shung-hsi.yu: contains additional hunks for kernel/bpf/verifier.c that
  should be part of the previous patch in the series, commit
  e2d2115e56c4 "bpf: Do not include stack ptr register in precision
  backtracking bookkeeping", which already incorporated. ]
Link: https://lore.kernel.org/all/9b41f9f5-396f-47e0-9a12-46c52087df6c@linux.dev/
Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index efa701411712903087f84b9711469dc7d92bc0ab..c12dfbeb78a744dc560d98f75e64cfc83d7e2ef0 100644 (file)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -16441,6 +16441,8 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
 
                if (src_reg->type == PTR_TO_STACK)
                        insn_flags |= INSN_F_SRC_REG_STACK;
+               if (dst_reg->type == PTR_TO_STACK)
+                       insn_flags |= INSN_F_DST_REG_STACK;
        } else {
                if (insn->src_reg != BPF_REG_0) {
                        verbose(env, "BPF_JMP/JMP32 uses reserved fields\n");
@@ -16450,10 +16452,11 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
                memset(src_reg, 0, sizeof(*src_reg));
                src_reg->type = SCALAR_VALUE;
                __mark_reg_known(src_reg, insn->imm);
+
+               if (dst_reg->type == PTR_TO_STACK)
+                       insn_flags |= INSN_F_DST_REG_STACK;
        }
 
-       if (dst_reg->type == PTR_TO_STACK)
-               insn_flags |= INSN_F_DST_REG_STACK;
        if (insn_flags) {
                err = push_insn_history(env, this_branch, insn_flags, 0);
                if (err)

diff --git a/tools/testing/selftests/bpf/progs/verifier_precision.c b/tools/testing/selftests/bpf/progs/verifier_precision.c
index 6662d4b39969a0c0a54eb9cc011f52a4848bd0a4..c65d03782822318ead92df7bf1aff324a575f261 100644 (file)
--- a/tools/testing/selftests/bpf/progs/verifier_precision.c
+++ b/tools/testing/selftests/bpf/progs/verifier_precision.c
@@ -179,4 +179,57 @@ __naked int state_loop_first_last_equal(void)
        );
 }
 
+__used __naked static void __bpf_cond_op_r10(void)
+{
+       asm volatile (
+       "r2 = 2314885393468386424 ll;"
+       "goto +0;"
+       "if r2 <= r10 goto +3;"
+       "if r1 >= -1835016 goto +0;"
+       "if r2 <= 8 goto +0;"
+       "if r3 <= 0 goto +0;"
+       "exit;"
+       ::: __clobber_all);
+}
+
+SEC("?raw_tp")
+__success __log_level(2)
+__msg("8: (bd) if r2 <= r10 goto pc+3")
+__msg("9: (35) if r1 >= 0xffe3fff8 goto pc+0")
+__msg("10: (b5) if r2 <= 0x8 goto pc+0")
+__msg("mark_precise: frame1: last_idx 10 first_idx 0 subseq_idx -1")
+__msg("mark_precise: frame1: regs=r2 stack= before 9: (35) if r1 >= 0xffe3fff8 goto pc+0")
+__msg("mark_precise: frame1: regs=r2 stack= before 8: (bd) if r2 <= r10 goto pc+3")
+__msg("mark_precise: frame1: regs=r2 stack= before 7: (05) goto pc+0")
+__naked void bpf_cond_op_r10(void)
+{
+       asm volatile (
+       "r3 = 0 ll;"
+       "call __bpf_cond_op_r10;"
+       "r0 = 0;"
+       "exit;"
+       ::: __clobber_all);
+}
+
+SEC("?raw_tp")
+__success __log_level(2)
+__msg("3: (bf) r3 = r10")
+__msg("4: (bd) if r3 <= r2 goto pc+1")
+__msg("5: (b5) if r2 <= 0x8 goto pc+2")
+__msg("mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1")
+__msg("mark_precise: frame0: regs=r2 stack= before 4: (bd) if r3 <= r2 goto pc+1")
+__msg("mark_precise: frame0: regs=r2 stack= before 3: (bf) r3 = r10")
+__naked void bpf_cond_op_not_r10(void)
+{
+       asm volatile (
+       "r0 = 0;"
+       "r2 = 2314885393468386424 ll;"
+       "r3 = r10;"
+       "if r3 <= r2 goto +1;"
+       "if r2 <= 8 goto +2;"
+       "r0 = 2 ll;"
+       "exit;"
+       ::: __clobber_all);
+}
+
 char _license[] SEC("license") = "GPL";