

// SPDX-License-Identifier: GPL-2.0
/* Converted from tools/testing/selftests/bpf/verifier/loops1.c */

#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
#include "bpf_misc.h"

/*
 * Baseline bounded loop. r0 starts at 0 and is incremented by one until the
 * unsigned compare "r0 < 4" fails, so the back-edge to l0 is taken three
 * times and r0 is 4 at exit.
 *
 * __success: the program is expected to pass verification.
 * __retval(4): the program is also executed and must return 4.
 */
SEC("xdp")
__description("bounded loop, count to 4")
__success __retval(4)
__naked void bounded_loop_count_to_4(void)
{
	asm volatile ("					\
	r0 = 0;						\
l0_%=:	r0 += 1;					\
	if r0 < 4 goto l0_%=;				\
	exit;						\
"	::: __clobber_all);
}

/*
 * Bounded loop with a step that never lands on the bound. r0 advances by 3
 * (0, 3, ..., 18, 21), so the loop ends on the first value for which the
 * unsigned compare "r0 < 20" is false rather than on equality with 20.
 *
 * __success: only the verification outcome is checked; there is no
 * __retval annotation.
 */
SEC("tracepoint")
__description("bounded loop, count to 20")
__success
__naked void bounded_loop_count_to_20(void)
{
	asm volatile ("					\
	r0 = 0;						\
l0_%=:	r0 += 3;					\
	if r0 < 20 goto l0_%=;				\
	exit;						\
"	::: __clobber_all);
}

/*
 * Bounded loop whose counter starts from a helper return value instead of a
 * constant. r0 is set by bpf_get_prandom_u32(); the signed compare
 * "r0 s< 0" sends negative values straight to the exit at l0, so the loop
 * at l1 is entered only with a non-negative start. The loop then increments
 * r0 until the unsigned compare "r0 < 4" fails.
 *
 * __success: the program must pass verification even though the start
 * value is not known at load time.
 */
SEC("tracepoint")
__description("bounded loop, count from positive unknown to 4")
__success
__naked void from_positive_unknown_to_4(void)
{
	asm volatile ("					\
	call %[bpf_get_prandom_u32];			\
	if r0 s< 0 goto l0_%=;				\
l1_%=:	r0 += 1;					\
	if r0 < 4 goto l1_%=;				\
l0_%=:	exit;						\
"	:
	: __imm(bpf_get_prandom_u32)
	: __clobber_all);
}

/*
 * Same loop as the "positive unknown" case but without the signed pre-check:
 * r0 comes directly from bpf_get_prandom_u32() and is incremented until the
 * unsigned compare "r0 < 4" fails. No range information about r0 is
 * established before the loop is entered.
 *
 * __success: the program must pass verification.
 */
SEC("tracepoint")
__description("bounded loop, count from totally unknown to 4")
__success
__naked void from_totally_unknown_to_4(void)
{
	asm volatile ("					\
	call %[bpf_get_prandom_u32];			\
l0_%=:	r0 += 1;					\
	if r0 < 4 goto l0_%=;				\
	exit;						\
"	:
	: __imm(bpf_get_prandom_u32)
	: __clobber_all);
}

/*
 * Bounded loop terminated by an inequality test instead of a range test.
 * r0 counts 1, 2, 3, 4 from a known start of 0 and the back-edge is taken
 * while "r0 != 4"; the loop ends only because the step of 1 hits 4 exactly.
 *
 * __success: the program must pass verification.
 */
SEC("tracepoint")
__description("bounded loop, count to 4 with equality")
__success
__naked void count_to_4_with_equality(void)
{
	asm volatile ("					\
	r0 = 0;						\
l0_%=:	r0 += 1;					\
	if r0 != 4 goto l0_%=;				\
	exit;						\
"	::: __clobber_all);
}

/*
 * Loop entered at its condition check: the program first jumps forward to
 * l0 (the "r0 < 4" test), and the loop body at l1 is reached only through
 * the back-edge from that test.
 *
 * Two outcomes are pinned, and the difference between them is the
 * security-relevant part of this test:
 *   __success                    - a privileged load must accept the loop;
 *   __failure_unpriv +
 *   __msg_unpriv("back-edge")    - an unprivileged load must be rejected,
 *                                  with "back-edge" in the verifier log.
 * A verifier change that let this program load unprivileged would make the
 * test fail.
 */
SEC("socket")
__description("bounded loop, start in the middle")
__success
__failure_unpriv __msg_unpriv("back-edge")
__naked void loop_start_in_the_middle(void)
{
	asm volatile ("					\
	r0 = 0;						\
	goto l0_%=;					\
l1_%=:	r0 += 1;					\
l0_%=:	if r0 < 4 goto l1_%=;				\
	exit;						\
"	::: __clobber_all);
}

/*
 * Bounded loop with a conditional forward jump inside the body. The jump
 * "if r0 == r0 goto l0" targets the instruction that immediately follows
 * it, so both the taken and the fall-through path arrive at l0, where the
 * usual "r0 < 4" back-edge test runs.
 *
 * __success __retval(4): the program must pass verification and return 4
 * when executed.
 */
SEC("xdp")
__description("bounded loop containing a forward jump")
__success __retval(4)
__naked void loop_containing_a_forward_jump(void)
{
	asm volatile ("					\
	r0 = 0;						\
l1_%=:	r0 += 1;					\
	if r0 == r0 goto l0_%=;				\
l0_%=:	if r0 < 4 goto l1_%=;				\
	exit;						\
"	::: __clobber_all);
}

/*
 * Bounded loop whose exit is a forward conditional jump and whose back-edge
 * is an unconditional "goto l1". The counter is kept in r6 and the loop
 * leaves through l0 once r6 is greater than 10000. Each iteration calls
 * bpf_get_prandom_u32(); the counter is never derived from the helper's
 * result.
 *
 * __success: the program must pass verification.
 * NOTE(review): r6 is presumably used because it is preserved across the
 * helper call, unlike r0 - confirm against the BPF calling convention.
 */
SEC("tracepoint")
__description("bounded loop that jumps out rather than in")
__success
__naked void jumps_out_rather_than_in(void)
{
	asm volatile ("					\
	r6 = 0;						\
l1_%=:	r6 += 1;					\
	if r6 > 10000 goto l0_%=;			\
	call %[bpf_get_prandom_u32];			\
	goto l1_%=;					\
l0_%=:	exit;						\
"	:
	: __imm(bpf_get_prandom_u32)
	: __clobber_all);
}

/*
 * Unbounded loop that must be rejected. r0 is the constant 5, so the jump
 * "if r0 < 4 goto l0" is never taken and execution falls into l1, which
 * increments r0 and jumps back unconditionally. The loop body contains no
 * exit.
 *
 * __failure + __msg("program is too large"): the load must fail and the
 * verifier log must contain that text.
 * NOTE(review): unlike the "loop detected" cases in this file, r0 differs
 * on every iteration here, so presumably the verifier never sees a repeated
 * state and stops on its size limit instead - confirm.
 */
SEC("tracepoint")
__description("infinite loop after a conditional jump")
__failure __msg("program is too large")
__naked void loop_after_a_conditional_jump(void)
{
	asm volatile ("					\
	r0 = 5;						\
	if r0 < 4 goto l0_%=;				\
l1_%=:	r0 += 1;					\
	goto l1_%=;					\
l0_%=:	exit;						\
"	::: __clobber_all);
}

/*
 * Entry point of the recursion test: sets r1 to 0 and calls
 * bounded_recursion__1, which calls itself while its r1 counter is below 4.
 *
 * __failure + __msg(...): the load must be rejected with the call-stack
 * depth message below, even though the counter bounds the recursion at run
 * time. The test pins rejection as the expected outcome.
 */
SEC("tracepoint")
__description("bounded recursion")
__failure
/* verifier limitation in detecting max stack depth */
__msg("the call stack of 8 frames is too deep !")
__naked void bounded_recursion(void)
{
	asm volatile ("					\
	r1 = 0;						\
	call bounded_recursion__1;			\
	exit;						\
"	::: __clobber_all);
}

/*
 * Self-recursive subprogram called by bounded_recursion. Each invocation
 * increments r1 and copies it to r0; while "r1 < 4" holds it jumps to l0
 * and calls itself again, otherwise it exits directly.
 *
 * NOTE(review): __noinline and __attribute__((used)) presumably keep the
 * function as a separate, non-discarded subprogram, since it is referenced
 * only from inline asm - confirm.
 */
static __naked __noinline __attribute__((used))
void bounded_recursion__1(void)
{
	asm volatile ("					\
	r1 += 1;					\
	r0 = r1;					\
	if r1 < 4 goto l0_%=;				\
	exit;						\
l0_%=:	call bounded_recursion__1;			\
	exit;						\
"	::: __clobber_all);
}

/*
 * Infinite loop built from two jumps. r0 is set to 0 and never modified
 * again: l1 jumps forward to l0, and l0 jumps back to l1 while "r0 < 4",
 * which is always true for r0 == 0. The trailing exit is never reached.
 *
 * __failure + __msg("loop detected"): the load must be rejected and the
 * verifier log must contain "loop detected".
 */
SEC("tracepoint")
__description("infinite loop in two jumps")
__failure __msg("loop detected")
__naked void infinite_loop_in_two_jumps(void)
{
	asm volatile ("					\
	r0 = 0;						\
l1_%=:	goto l0_%=;					\
l0_%=:	if r0 < 4 goto l1_%=;				\
	exit;						\
"	::: __clobber_all);
}

/*
 * Infinite loop spread over three stages (l2 -> l0 -> l1 -> l2). Every
 * stage increments r0 and masks it with 1, so r0 is always 0 or 1 and the
 * test "r0 < 2" that leads to the next stage is always true. Each stage is
 * followed by an exit on the fall-through path, so the program has exits
 * in its text, but none of them is reached when the program runs.
 *
 * __failure + __msg("loop detected"): the load must be rejected and the
 * verifier log must contain "loop detected".
 */
SEC("tracepoint")
__description("infinite loop: three-jump trick")
__failure __msg("loop detected")
__naked void infinite_loop_three_jump_trick(void)
{
	asm volatile ("					\
	r0 = 0;						\
l2_%=:	r0 += 1;					\
	r0 &= 1;					\
	if r0 < 2 goto l0_%=;				\
	exit;						\
l0_%=:	r0 += 1;					\
	r0 &= 1;					\
	if r0 < 2 goto l1_%=;				\
	exit;						\
l1_%=:	r0 += 1;					\
	r0 &= 1;					\
	if r0 < 2 goto l2_%=;				\
	exit;						\
"	::: __clobber_all);
}

/*
 * Back-edge whose target is the first instruction of the program. l0 is
 * the "r0 = 123" at the very start; the jump back to it is guarded by
 * "r0 == 4", which is false for the constant 123, so the back-edge is
 * never taken.
 *
 * __success __retval(123): the program must pass verification and return
 * 123 when executed.
 */
SEC("xdp")
__description("not-taken loop with back jump to 1st insn")
__success __retval(123)
__naked void back_jump_to_1st_insn_1(void)
{
	asm volatile ("					\
l0_%=:	r0 = 123;					\
	if r0 == 4 goto l0_%=;				\
	exit;						\
"	::: __clobber_all);
}

/*
 * Entry point for the "taken back jump to 1st insn" test. Passes r1 = 10
 * (counter) and r2 = 0 (accumulator) to back_jump_to_1st_insn_2__1 and
 * returns whatever that subprogram leaves in r0.
 *
 * __success __retval(55): the program must pass verification and return
 * 55, i.e. 10 + 9 + ... + 1, when executed.
 */
SEC("xdp")
__description("taken loop with back jump to 1st insn")
__success __retval(55)
__naked void back_jump_to_1st_insn_2(void)
{
	asm volatile ("					\
	r1 = 10;					\
	r2 = 0;						\
	call back_jump_to_1st_insn_2__1;		\
	exit;						\
"	::: __clobber_all);
}

/*
 * Subprogram whose loop jumps back to its own first instruction. Adds r1
 * to r2, decrements r1, and repeats from l0 while the 64-bit compare
 * "r1 != 0" holds; the accumulated sum in r2 is then returned in r0.
 * The loop ends only because the caller's r1 is a positive count that
 * reaches 0 exactly.
 */
static __naked __noinline __attribute__((used))
void back_jump_to_1st_insn_2__1(void)
{
	asm volatile ("					\
l0_%=:	r2 += r1;					\
	r1 -= 1;					\
	if r1 != 0 goto l0_%=;				\
	r0 = r2;					\
	exit;						\
"	::: __clobber_all);
}

/*
 * Entry point for the second "taken back jump to 1st insn" test. Identical
 * to back_jump_to_1st_insn_2 except for the subprogram it calls:
 * jump_to_1st_insn_2__1 tests the 32-bit register w1 in its loop condition.
 *
 * __success __retval(55): the program must pass verification and return
 * 55 when executed.
 */
SEC("xdp")
__description("taken loop with back jump to 1st insn, 2")
__success __retval(55)
__naked void jump_to_1st_insn_2(void)
{
	asm volatile ("					\
	r1 = 10;					\
	r2 = 0;						\
	call jump_to_1st_insn_2__1;			\
	exit;						\
"	::: __clobber_all);
}

/*
 * Subprogram whose loop jumps back to its own first instruction, with a
 * mixed-width counter: the decrement is done on the 64-bit register r1
 * while the loop condition "w1 != 0" looks only at its 32-bit half. Adds
 * r1 to r2 on each pass and returns the sum in r0.
 */
static __naked __noinline __attribute__((used))
void jump_to_1st_insn_2__1(void)
{
	asm volatile ("					\
l0_%=:	r2 += r1;					\
	r1 -= 1;					\
	if w1 != 0 goto l0_%=;				\
	r0 = r2;					\
	exit;						\
"	::: __clobber_all);
}

/*
 * Bounded loop whose counter lives on the stack instead of in a register.
 * A helper return value masked to 0..255 is stored at r10 - 8. Each
 * iteration reloads it, leaves through exit_ once it is greater than 10,
 * and otherwise stores the incremented value back. r0 is reset to 0 before
 * the back-edge, so r0 holds the same value every time loop_ is reached
 * and only the stack slot changes between iterations.
 *
 * __success: the program must pass verification; no __description is set.
 * NOTE(review): going by the function name, the point is that the verifier
 * must not mistake this for an infinite loop when the registers look
 * unchanged - confirm against the commit that added the test.
 */
SEC("xdp")
__success
__naked void not_an_inifinite_loop(void)
{
	asm volatile ("					\
	call %[bpf_get_prandom_u32];			\
	r0 &= 0xff;					\
	*(u64 *)(r10 - 8) = r0;				\
	r0 = 0;						\
loop_%=:						\
	r0 = *(u64 *)(r10 - 8);				\
	if r0 > 10 goto exit_%=;			\
	r0 += 1;					\
	*(u64 *)(r10 - 8) = r0;				\
	r0 = 0;						\
	goto loop_%=;					\
exit_%=:						\
	r0 = 0;						\
	exit;						\
"	:
	: __imm(bpf_get_prandom_u32)
	: __clobber_all);
}

/*
 * Regression test: this program triggered a bug in
 * verifier.c:maybe_exit_scc(). A speculative execution path reaches the
 * stack access instruction and stops there, which triggered
 * maybe_exit_scc() without an accompanying maybe_enter_scc() call.
 *
 * __arch_x86_64 restricts the test to x86-64, and __caps_unpriv(CAP_BPF)
 * sets the capabilities used for the unprivileged run.
 * NOTE(review): no __success/__failure annotation is present, so the
 * expected load outcome depends on the test loader's default - confirm.
 */
SEC("socket")
__arch_x86_64
__caps_unpriv(CAP_BPF)
__naked void maybe_exit_scc_bug1(void)
{
	asm volatile (
	/* r0 is the constant 100 and is not modified afterwards. */
	"r0 = 100;"
"1:"
	/* Speculative execution path reaches and stops here. */
	"*(u64 *)(r10 - 512) = r0;"
	/* Condition is always false, but verifier speculatively executes the true branch. */
	"if r0 <= 0x0 goto 1b;"
	"exit;"
	::: __clobber_all);
}

/* License string placed in the "license" section of the object file. */
char _license[] SEC("license") = "GPL";