2024-01-15 07:00:34

by Tiezhu Yang

Subject: [PATCH bpf-next v3 0/2] Skip callback tests if jit is disabled in test_verifier

v3:
-- Rebase on the latest bpf-next tree.
-- Address the review comments by Hou Tao,
remove the second argument "0" of open(),
check only once whether jit is disabled,
check fd_prog, saved_errno and jit_disabled to skip.

Tiezhu Yang (2):
selftests/bpf: Move is_jit_enabled() to testing_helpers
selftests/bpf: Skip callback tests if jit is disabled in test_verifier

tools/testing/selftests/bpf/test_progs.c | 18 ---------------
tools/testing/selftests/bpf/test_verifier.c | 23 +++++++++++++++++++
tools/testing/selftests/bpf/testing_helpers.c | 18 +++++++++++++++
tools/testing/selftests/bpf/testing_helpers.h | 1 +
4 files changed, 42 insertions(+), 18 deletions(-)

--
2.42.0



2024-01-15 07:00:50

by Tiezhu Yang

Subject: [PATCH bpf-next v3 2/2] selftests/bpf: Skip callback tests if jit is disabled in test_verifier

If CONFIG_BPF_JIT_ALWAYS_ON is not set and bpf_jit_enable is 0, there
exist 6 failed tests.

[root@linux bpf]# echo 0 > /proc/sys/net/core/bpf_jit_enable
[root@linux bpf]# echo 0 > /proc/sys/kernel/unprivileged_bpf_disabled
[root@linux bpf]# ./test_verifier | grep FAIL
#106/p inline simple bpf_loop call FAIL
#107/p don't inline bpf_loop call, flags non-zero FAIL
#108/p don't inline bpf_loop call, callback non-constant FAIL
#109/p bpf_loop_inline and a dead func FAIL
#110/p bpf_loop_inline stack locations for loop vars FAIL
#111/p inline bpf_loop call in a big program FAIL
Summary: 768 PASSED, 15 SKIPPED, 6 FAILED

The test log shows that callbacks are not allowed in non-JITed programs;
the interpreter doesn't support them yet, so these tests should be skipped
if jit is disabled. Copy some check functions from other places under the
tools directory, and then handle this case in do_test_single().

With this patch:

[root@linux bpf]# echo 0 > /proc/sys/net/core/bpf_jit_enable
[root@linux bpf]# echo 0 > /proc/sys/kernel/unprivileged_bpf_disabled
[root@linux bpf]# ./test_verifier | grep FAIL
Summary: 768 PASSED, 21 SKIPPED, 0 FAILED

Signed-off-by: Tiezhu Yang <[email protected]>
---
tools/testing/selftests/bpf/test_verifier.c | 23 +++++++++++++++++++++
1 file changed, 23 insertions(+)

diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c
index 1a09fc34d093..70f903e869b7 100644
--- a/tools/testing/selftests/bpf/test_verifier.c
+++ b/tools/testing/selftests/bpf/test_verifier.c
@@ -74,6 +74,7 @@
1ULL << CAP_BPF)
#define UNPRIV_SYSCTL "kernel/unprivileged_bpf_disabled"
static bool unpriv_disabled = false;
+static bool jit_disabled;
static int skips;
static bool verbose = false;
static int verif_log_level = 0;
@@ -1355,6 +1356,16 @@ static bool is_skip_insn(struct bpf_insn *insn)
return memcmp(insn, &skip_insn, sizeof(skip_insn)) == 0;
}

+static bool is_ldimm64_insn(struct bpf_insn *insn)
+{
+ return insn->code == (BPF_LD | BPF_IMM | BPF_DW);
+}
+
+static bool insn_is_pseudo_func(struct bpf_insn *insn)
+{
+ return is_ldimm64_insn(insn) && insn->src_reg == BPF_PSEUDO_FUNC;
+}
+
static int null_terminated_insn_len(struct bpf_insn *seq, int max_len)
{
int i;
@@ -1619,6 +1630,16 @@ static void do_test_single(struct bpf_test *test, bool unpriv,
goto close_fds;
}

+ if (fd_prog < 0 && saved_errno == EINVAL && jit_disabled) {
+ for (i = 0; i < prog_len; i++, prog++) {
+ if (insn_is_pseudo_func(prog)) {
+ printf("SKIP (callbacks are not allowed in non-JITed programs)\n");
+ skips++;
+ goto close_fds;
+ }
+ }
+ }
+
alignment_prevented_execution = 0;

if (expected_ret == ACCEPT || expected_ret == VERBOSE_ACCEPT) {
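Review bot: The new skip condition in do_test_single() keys on `saved_errno == EINVAL` plus the mere presence of a `BPF_PSEUDO_FUNC` load, and EINVAL is a generic load-failure code, so with JIT off any other rejection of a callback-using program would be counted as SKIP rather than FAIL. Because these selftests are the regression net for the verifier, it would be safer to confirm the cause before skipping, for example by checking that the verifier log holds the "callbacks are not allowed in non-JITed programs" message the commit description cites. Separately, the scan advances `prog` itself (`i++, prog++`), leaving it past the last instruction when nothing matches; whether `prog` is read again cannot be seen because the function continues outside the hunk, but indexing avoids the question: `if (insn_is_pseudo_func(&prog[i])) {`.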
@@ -1844,6 +1865,8 @@ int main(int argc, char **argv)
return EXIT_FAILURE;
}

+ jit_disabled = !is_jit_enabled();
+
/* Use libbpf 1.0 API mode */
libbpf_set_strict_mode(LIBBPF_STRICT_ALL);

--
2.42.0


2024-01-15 07:00:58

by Tiezhu Yang

Subject: [PATCH bpf-next v3 1/2] selftests/bpf: Move is_jit_enabled() to testing_helpers

Currently, is_jit_enabled() is only used in test_progs, move it to
testing_helpers so that it can be used in test_verifier. While at
it, remove the second argument "0" of open() as Hou Tao suggested.

Signed-off-by: Tiezhu Yang <[email protected]>
---
tools/testing/selftests/bpf/test_progs.c | 18 ------------------
tools/testing/selftests/bpf/testing_helpers.c | 18 ++++++++++++++++++
tools/testing/selftests/bpf/testing_helpers.h | 1 +
3 files changed, 19 insertions(+), 18 deletions(-)

diff --git a/tools/testing/selftests/bpf/test_progs.c b/tools/testing/selftests/bpf/test_progs.c
index 1b9387890148..808550986f30 100644
--- a/tools/testing/selftests/bpf/test_progs.c
+++ b/tools/testing/selftests/bpf/test_progs.c
@@ -547,24 +547,6 @@ int bpf_find_map(const char *test, struct bpf_object *obj, const char *name)
return bpf_map__fd(map);
}

-static bool is_jit_enabled(void)
-{
- const char *jit_sysctl = "/proc/sys/net/core/bpf_jit_enable";
- bool enabled = false;
- int sysctl_fd;
-
- sysctl_fd = open(jit_sysctl, 0, O_RDONLY);
- if (sysctl_fd != -1) {
- char tmpc;
-
- if (read(sysctl_fd, &tmpc, sizeof(tmpc)) == 1)
- enabled = (tmpc != '0');
- close(sysctl_fd);
- }
-
- return enabled;
-}
-
int compare_map_keys(int map1_fd, int map2_fd)
{
__u32 key, next_key;
diff --git a/tools/testing/selftests/bpf/testing_helpers.c b/tools/testing/selftests/bpf/testing_helpers.c
index 106ef05586b8..a59e56d804ee 100644
--- a/tools/testing/selftests/bpf/testing_helpers.c
+++ b/tools/testing/selftests/bpf/testing_helpers.c
@@ -457,3 +457,21 @@ int get_xlated_program(int fd_prog, struct bpf_insn **buf, __u32 *cnt)
*buf = NULL;
return -1;
}
+
+bool is_jit_enabled(void)
+{
+ const char *jit_sysctl = "/proc/sys/net/core/bpf_jit_enable";
+ bool enabled = false;
+ int sysctl_fd;
+
+ sysctl_fd = open(jit_sysctl, O_RDONLY);
+ if (sysctl_fd != -1) {
+ char tmpc;
+
+ if (read(sysctl_fd, &tmpc, sizeof(tmpc)) == 1)
+ enabled = (tmpc != '0');
+ close(sysctl_fd);
+ }
+
+ return enabled;
+}
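Review bot: is_jit_enabled() becomes a shared helper with external linkage here but has no comment describing its failure behaviour: `enabled` starts as false and is only set when exactly one byte is read, so a sysctl file that cannot be opened or read is reported as "JIT disabled". Since the other patch in this series uses the result to decide whether tests are skipped, that fallback is worth stating above the definition, e.g. `/* Returns false if the bpf_jit_enable sysctl cannot be opened or read, or if its first byte is '0'. */`. With a bool return, callers cannot tell "disabled" from "could not determine".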
diff --git a/tools/testing/selftests/bpf/testing_helpers.h b/tools/testing/selftests/bpf/testing_helpers.h
index e099aa4da611..d14de81727e6 100644
--- a/tools/testing/selftests/bpf/testing_helpers.h
+++ b/tools/testing/selftests/bpf/testing_helpers.h
@@ -52,5 +52,6 @@ struct bpf_insn;
*/
int get_xlated_program(int fd_prog, struct bpf_insn **buf, __u32 *cnt);
int testing_prog_flags(void);
+bool is_jit_enabled(void);

#endif /* __TESTING_HELPERS_H */
--
2.42.0


2024-01-15 14:00:07

by Hou Tao

Subject: Re: [PATCH bpf-next v3 1/2] selftests/bpf: Move is_jit_enabled() to testing_helpers



On 1/15/2024 3:00 PM, Tiezhu Yang wrote:
> Currently, is_jit_enabled() is only used in test_progs, move it to
> testing_helpers so that it can be used in test_verifier. While at
> it, remove the second argument "0" of open() as Hou Tao suggested.
>
> Signed-off-by: Tiezhu Yang <[email protected]>

Acked-by: Hou Tao <[email protected]>


2024-01-15 14:00:56

by Hou Tao

Subject: Re: [PATCH bpf-next v3 2/2] selftests/bpf: Skip callback tests if jit is disabled in test_verifier

Hi,

On 1/15/2024 3:00 PM, Tiezhu Yang wrote:
> If CONFIG_BPF_JIT_ALWAYS_ON is not set and bpf_jit_enable is 0, there
> exist 6 failed tests.
>
> [root@linux bpf]# echo 0 > /proc/sys/net/core/bpf_jit_enable
> [root@linux bpf]# echo 0 > /proc/sys/kernel/unprivileged_bpf_disabled
> [root@linux bpf]# ./test_verifier | grep FAIL
> #106/p inline simple bpf_loop call FAIL
> #107/p don't inline bpf_loop call, flags non-zero FAIL
> #108/p don't inline bpf_loop call, callback non-constant FAIL
> #109/p bpf_loop_inline and a dead func FAIL
> #110/p bpf_loop_inline stack locations for loop vars FAIL
> #111/p inline bpf_loop call in a big program FAIL
> Summary: 768 PASSED, 15 SKIPPED, 6 FAILED
>
> The test log shows that callbacks are not allowed in non-JITed programs,
> interpreter doesn't support them yet, thus these tests should be skipped
> if jit is disabled, copy some check functions from the other places under
> tools directory, and then handle this case in do_test_single().
>
> With this patch:
>
> [root@linux bpf]# echo 0 > /proc/sys/net/core/bpf_jit_enable
> [root@linux bpf]# echo 0 > /proc/sys/kernel/unprivileged_bpf_disabled
> [root@linux bpf]# ./test_verifier | grep FAIL
> Summary: 768 PASSED, 21 SKIPPED, 0 FAILED
>
> Signed-off-by: Tiezhu Yang <[email protected]>
> ---
> tools/testing/selftests/bpf/test_verifier.c | 23 +++++++++++++++++++++
> 1 file changed, 23 insertions(+)
>
> diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c
> index 1a09fc34d093..70f903e869b7 100644
> --- a/tools/testing/selftests/bpf/test_verifier.c
> +++ b/tools/testing/selftests/bpf/test_verifier.c
> @@ -74,6 +74,7 @@
> 1ULL << CAP_BPF)
> #define UNPRIV_SYSCTL "kernel/unprivileged_bpf_disabled"
> static bool unpriv_disabled = false;
> +static bool jit_disabled;
> static int skips;
> static bool verbose = false;
> static int verif_log_level = 0;
> @@ -1355,6 +1356,16 @@ static bool is_skip_insn(struct bpf_insn *insn)
> return memcmp(insn, &skip_insn, sizeof(skip_insn)) == 0;
> }
>
> +static bool is_ldimm64_insn(struct bpf_insn *insn)
> +{
> + return insn->code == (BPF_LD | BPF_IMM | BPF_DW);
> +}
> +
> +static bool insn_is_pseudo_func(struct bpf_insn *insn)
> +{
> + return is_ldimm64_insn(insn) && insn->src_reg == BPF_PSEUDO_FUNC;
> +}
> +
> static int null_terminated_insn_len(struct bpf_insn *seq, int max_len)
> {
> int i;
> @@ -1619,6 +1630,16 @@ static void do_test_single(struct bpf_test *test, bool unpriv,
> goto close_fds;
> }
>
> + if (fd_prog < 0 && saved_errno == EINVAL && jit_disabled) {
> + for (i = 0; i < prog_len; i++, prog++) {
> + if (insn_is_pseudo_func(prog)) {
> + printf("SKIP (callbacks are not allowed in non-JITed programs)\n");
> + skips++;
> + goto close_fds;
> + }
> + }
> + }

I ran test_verifier before applying the patch set, and it seems the
expected_ret for all of these failed programs is ACCEPT, so I think it would
be better to move the not-allowed check into the "if (expected_ret ==
ACCEPT || expected_ret == VERBOSE_ACCEPT)" block. I should have suggested this
modification in v2, sorry about that.
> +
> alignment_prevented_execution = 0;
>
> if (expected_ret == ACCEPT || expected_ret == VERBOSE_ACCEPT) {
> @@ -1844,6 +1865,8 @@ int main(int argc, char **argv)
> return EXIT_FAILURE;
> }
>
> + jit_disabled = !is_jit_enabled();
> +
> /* Use libbpf 1.0 API mode */
> libbpf_set_strict_mode(LIBBPF_STRICT_ALL);
>