From 77fb079dedee5c8c2fc0c2e3781769b5978ce4fe Mon Sep 17 00:00:00 2001
From: Paul Chaignon <paul.chaignon@gmail.com>
Date: Mon, 6 Nov 2023 20:21:56 +0100
Subject: sys/linux: describe call to BPF helper bpf_ringbuf_reserve

Describe a full call to bpf_ringbuf_reserve, using the map type created
in the previous commit. The test corresponds to this simple line:

     u64 *e;
     e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0);
     [...]
     return e;

The pointer returned by bpf_ringbuf_reserve is kept in R9. The goal is
to keep it around so we can use it in other instructions later; several
other helpers take a pointer to ringbuf data as argument. There's of
course a risk that some instruction in between will clobber R9, but I
don't know another way. R9 is at least safe for calls (only R1--R5 get
clobbered).

We expect the program loading to fail with EINVAL because we never
release the reference to the ringbuf data. The verifier will therefore
reject the program with:

    0: R1=ctx(off=0,imm=0) R10=fp0
    0: (18) r0 = 0x0                      ; R0_w=0
    2: (18) r1 = 0xffff984e4b55da00       ; R1_w=map_ptr(off=0,ks=0,vs=0,imm=0)
    4: (b7) r2 = 20                       ; R2_w=20
    5: (b7) r3 = 0                        ; R3_w=0
    6: (85) call bpf_ringbuf_reserve#131  ; R0_w=ringbuf_mem_or_null(id=2,ref_obj_id=2,off=0,imm=0) refs=2
    7: (bf) r9 = r0                       ; R0_w=ringbuf_mem_or_null(id=2,ref_obj_id=2,off=0,imm=0)
                                            R9_w=ringbuf_mem_or_null(id=2,ref_obj_id=2,off=0,imm=0) refs=2
    8: (95) exit
    Unreleased reference id=2 alloc_insn=6

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
---
 sys/linux/bpf.txt | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

(limited to 'sys/linux/bpf.txt')

diff --git a/sys/linux/bpf.txt b/sys/linux/bpf.txt
index 974106867..eb1c2761b 100644
--- a/sys/linux/bpf.txt
+++ b/sys/linux/bpf.txt
@@ -387,6 +387,7 @@ bpf_core_relo {
 bpf_instructions [
 	raw	array[bpf_insn]
 	framed	bpf_framed_program
+	ringbuf	bpf_program_ringbuf
 ] [varlen]
 
 bpf_framed_program {
@@ -395,6 +396,13 @@ bpf_framed_program {
 	exit	bpf_insn_exit
 } [packed]
 
+bpf_program_ringbuf {
+	initr0	bpf_insn_init_r0
+	reserve	bpf_insn_ringbuf_reserve
+	body	array[bpf_insn]
+	exit	bpf_insn_exit
+} [packed]
+
 bpf_insn [
 	generic		bpf_insn_generic
 	ldst		bpf_insn_ldst
@@ -593,6 +601,7 @@ type bpf_insn_map_fd_t[DST, MAP_FD] {
 
 type bpf_insn_map_fd bpf_insn_map_fd_t[flags[bpf_reg, int8:4], fd_bpf_map]
 type bpf_insn_tail_call_map_fd[DST] bpf_insn_map_fd_t[const[DST, int8:4], tail_call_map]
+type bpf_insn_ringbuf_fd[DST] bpf_insn_map_fd_t[const[DST, int8:4], ringbuf_map_fd]
 
 bpf_insn_map_idx {
 	code	const[bpf_insn_load_imm_dw, int8]
@@ -727,6 +736,19 @@ bpf_insn_tail_call {
 	insn4	bpf_insn_mov_imm[BPF_REG_0, 0]
 }
 
+# (18) r1 = map[id:16]
+# (b7) r2 = 8
+# (b7) r3 = 0
+# (85) call bpf_ringbuf_reserve#320112
+# (bf) r9 = r0
+bpf_insn_ringbuf_reserve {
+	insn1	bpf_insn_ringbuf_fd[BPF_REG_1]
+	insn2	bpf_insn_mov_imm[BPF_REG_2, 20]
+	insn3	bpf_insn_mov_imm[BPF_REG_3, 0]
+	insn4	bpf_insn_call_helper_t[const[BPF_FUNC_ringbuf_reserve, int32]]
+	insn5	bpf_insn_mov_reg[BPF_REG_0, BPF_REG_9]
+}
+
 define MAX_BPF_REG	__MAX_BPF_REG
 
 bpf_obj_pin_map [
-- 
cgit mrf-deployment