From: Jiong Wang <jiong.wang@netronome.com>
To: alexei.starovoitov@gmail.com, daniel@iogearbox.net
Cc: bpf@vger.kernel.org, netdev@vger.kernel.org,
oss-drivers@netronome.com, davem@davemloft.net,
paul.burton@mips.com, udknight@gmail.com, zlim.lnx@gmail.com,
illusionist.neo@gmail.com, naveen.n.rao@linux.ibm.com,
sandipan@linux.ibm.com, schwidefsky@de.ibm.com,
heiko.carstens@de.ibm.com, jakub.kicinski@netronome.com,
Jiong Wang <jiong.wang@netronome.com>
Subject: [PATCH v8 bpf-next 06/16] bpf: verifier: randomize high 32-bit when BPF_F_TEST_RND_HI32 is set
Date: Fri, 24 May 2019 12:35:16 +0100 [thread overview]
Message-ID: <1558697726-4058-7-git-send-email-jiong.wang@netronome.com> (raw)
In-Reply-To: <1558697726-4058-1-git-send-email-jiong.wang@netronome.com>
This patch randomizes high 32-bit of a definition when BPF_F_TEST_RND_HI32
is set.
Suggested-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Jiong Wang <jiong.wang@netronome.com>
---
kernel/bpf/verifier.c | 68 ++++++++++++++++++++++++++++++++++++++++++---------
1 file changed, 57 insertions(+), 11 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index d4394a8..2778417 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -7640,33 +7640,79 @@ static int opt_remove_nops(struct bpf_verifier_env *env)
return 0;
}
-static int opt_subreg_zext_lo32(struct bpf_verifier_env *env)
+static int opt_subreg_zext_lo32_rnd_hi32(struct bpf_verifier_env *env,
+ const union bpf_attr *attr)
{
+ struct bpf_insn *patch, zext_patch[2], rnd_hi32_patch[4];
struct bpf_insn_aux_data *aux = env->insn_aux_data;
+ int i, patch_len, delta = 0, len = env->prog->len;
struct bpf_insn *insns = env->prog->insnsi;
- int i, delta = 0, len = env->prog->len;
- struct bpf_insn zext_patch[2];
struct bpf_prog *new_prog;
+ bool rnd_hi32;
+ rnd_hi32 = attr->prog_flags & BPF_F_TEST_RND_HI32;
zext_patch[1] = BPF_ZEXT_REG(0);
+ rnd_hi32_patch[1] = BPF_ALU64_IMM(BPF_MOV, BPF_REG_AX, 0);
+ rnd_hi32_patch[2] = BPF_ALU64_IMM(BPF_LSH, BPF_REG_AX, 32);
+ rnd_hi32_patch[3] = BPF_ALU64_REG(BPF_OR, 0, BPF_REG_AX);
for (i = 0; i < len; i++) {
int adj_idx = i + delta;
struct bpf_insn insn;
- if (!aux[adj_idx].zext_dst)
+ insn = insns[adj_idx];
+ if (!aux[adj_idx].zext_dst) {
+ u8 code, class;
+ u32 imm_rnd;
+
+ if (!rnd_hi32)
+ continue;
+
+ code = insn.code;
+ class = BPF_CLASS(code);
+ if (insn_no_def(&insn))
+ continue;
+
+ /* NOTE: arg "reg" (the fourth one) is only used for
+ * BPF_STX which has been ruled out in above
+ * check, it is safe to pass NULL here.
+ */
+ if (is_reg64(env, &insn, insn.dst_reg, NULL, DST_OP)) {
+ if (class == BPF_LD &&
+ BPF_MODE(code) == BPF_IMM)
+ i++;
+ continue;
+ }
+
+ /* ctx load could be transformed into wider load. */
+ if (class == BPF_LDX &&
+ aux[adj_idx].ptr_type == PTR_TO_CTX)
+ continue;
+
+ imm_rnd = get_random_int();
+ rnd_hi32_patch[0] = insn;
+ rnd_hi32_patch[1].imm = imm_rnd;
+ rnd_hi32_patch[3].dst_reg = insn.dst_reg;
+ patch = rnd_hi32_patch;
+ patch_len = 4;
+ goto apply_patch_buffer;
+ }
+
+ if (!bpf_jit_needs_zext())
continue;
- insn = insns[adj_idx];
zext_patch[0] = insn;
zext_patch[1].dst_reg = insn.dst_reg;
zext_patch[1].src_reg = insn.dst_reg;
- new_prog = bpf_patch_insn_data(env, adj_idx, zext_patch, 2);
+ patch = zext_patch;
+ patch_len = 2;
+apply_patch_buffer:
+ new_prog = bpf_patch_insn_data(env, adj_idx, patch, patch_len);
if (!new_prog)
return -ENOMEM;
env->prog = new_prog;
insns = new_prog->insnsi;
aux = env->insn_aux_data;
- delta += 2;
+ delta += patch_len - 1;
}
return 0;
@@ -8525,10 +8571,10 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr *attr,
/* do 32-bit optimization after insn patching has done so those patched
* insns could be handled correctly.
*/
- if (ret == 0 && bpf_jit_needs_zext() &&
- !bpf_prog_is_dev_bound(env->prog->aux)) {
- ret = opt_subreg_zext_lo32(env);
- env->prog->aux->verifier_zext = !ret;
+ if (ret == 0 && !bpf_prog_is_dev_bound(env->prog->aux)) {
+ ret = opt_subreg_zext_lo32_rnd_hi32(env, attr);
+ env->prog->aux->verifier_zext = bpf_jit_needs_zext() ? !ret
+ : false;
}
if (ret == 0)
--
2.7.4
next prev parent reply other threads:[~2019-05-24 11:35 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-24 11:35 [PATCH v8 bpf-next 00/16] bpf: eliminate zero extensions for sub-register writes Jiong Wang
2019-05-24 11:35 ` [PATCH v8 bpf-next 01/16] bpf: verifier: mark verified-insn with sub-register zext flag Jiong Wang
2019-05-24 11:35 ` [PATCH v8 bpf-next 02/16] bpf: verifier: mark patched-insn " Jiong Wang
2019-05-24 11:35 ` [PATCH v8 bpf-next 03/16] bpf: introduce new mov32 variant for doing explicit zero extension Jiong Wang
2019-05-24 11:35 ` [PATCH v8 bpf-next 04/16] bpf: verifier: insert zero extension according to analysis result Jiong Wang
2019-05-24 11:35 ` [PATCH v8 bpf-next 05/16] bpf: introduce new bpf prog load flags "BPF_F_TEST_RND_HI32" Jiong Wang
2019-05-24 20:43 ` Alexei Starovoitov
2019-05-24 21:37 ` Jiong Wang
2019-05-24 11:35 ` Jiong Wang [this message]
2019-05-24 11:35 ` [PATCH v8 bpf-next 07/16] libbpf: add "prog_flags" to bpf_program/bpf_prog_load_attr/bpf_load_program_attr Jiong Wang
2019-05-24 11:35 ` [PATCH v8 bpf-next 08/16] selftests: bpf: adjust several test_verifier helpers for insn insertion Jiong Wang
2019-05-24 11:35 ` [PATCH v8 bpf-next 09/16] selftests: bpf: enable hi32 randomization for all tests Jiong Wang
2019-05-24 11:35 ` [PATCH v8 bpf-next 10/16] arm: bpf: eliminate zero extension code-gen Jiong Wang
2019-05-24 11:35 ` [PATCH v8 bpf-next 11/16] powerpc: " Jiong Wang
2019-05-24 11:35 ` [PATCH v8 bpf-next 12/16] s390: " Jiong Wang
2019-05-24 11:35 ` [PATCH v8 bpf-next 13/16] sparc: " Jiong Wang
2019-05-24 11:35 ` [PATCH v8 bpf-next 14/16] x32: " Jiong Wang
2019-05-24 11:35 ` [PATCH v8 bpf-next 15/16] riscv: " Jiong Wang
2019-05-24 16:25 ` Björn Töpel
2019-05-24 16:36 ` Jiong Wang
2019-05-24 17:16 ` Björn Töpel
2019-05-24 11:35 ` [PATCH v8 bpf-next 16/16] nfp: " Jiong Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1558697726-4058-7-git-send-email-jiong.wang@netronome.com \
--to=jiong.wang@netronome.com \
--cc=alexei.starovoitov@gmail.com \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=heiko.carstens@de.ibm.com \
--cc=illusionist.neo@gmail.com \
--cc=jakub.kicinski@netronome.com \
--cc=naveen.n.rao@linux.ibm.com \
--cc=netdev@vger.kernel.org \
--cc=oss-drivers@netronome.com \
--cc=paul.burton@mips.com \
--cc=sandipan@linux.ibm.com \
--cc=schwidefsky@de.ibm.com \
--cc=udknight@gmail.com \
--cc=zlim.lnx@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.