From ce85d4183896b735669c38b5f6c441d4f31db1ca Mon Sep 17 00:00:00 2001
From: Paul Chaignon <paul.chaignon@gmail.com>
Date: Mon, 6 Nov 2023 23:02:24 +0100
Subject: sys/linux: describe call to BPF helper bpf_ringbuf_submit

This helper has the verifier prototype:

    .ret_type       = RET_VOID,
    .arg1_type      = ARG_PTR_TO_RINGBUF_MEM | OBJ_RELEASE,
    .arg2_type      = ARG_ANYTHING,

We therefore need to pass the pointer retrieved with bpf_ringbuf_reserve
via R2. We saved that pointer to R9 so we can retrieve it from there.

Since bpf_ringbuf_submit doesn't return anything, we need to write
something in R0 before we exit the program.

Our BPF program now looks like:

    u64 *e;
    e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0);
    [...]
    bpf_ringbuf_submit(e, 0);
    return 0;

It will still fail, but with EACCES instead of EINVAL, due to the
following verifier error:

    0: R1=ctx(off=0,imm=0) R10=fp0
    0: (18) r0 = 0x0                      ; R0_w=0
    2: (18) r1 = 0xffff984f66f93600       ; R1_w=map_ptr(off=0,ks=0,vs=0,imm=0)
    4: (b7) r2 = 20                       ; R2_w=20
    5: (b7) r3 = 0                        ; R3_w=0
    6: (85) call bpf_ringbuf_reserve#131  ; R0_w=ringbuf_mem_or_null(id=2,ref_obj_id=2,off=0,imm=0) refs=2
    7: (bf) r9 = r0                       ; R0_w=ringbuf_mem_or_null(id=2,ref_obj_id=2,off=0,imm=0)
                                            R9_w=ringbuf_mem_or_null(id=2,ref_obj_id=2,off=0,imm=0) refs=2
    8: (bf) r1 = r9                       ; R1_w=ringbuf_mem_or_null(id=2,ref_obj_id=2,off=0,imm=0)
                                            R9_w=ringbuf_mem_or_null(id=2,ref_obj_id=2,off=0,imm=0) refs=2
    9: (b7) r2 = 0                        ; R2_w=0 refs=2
    10: (85) call bpf_ringbuf_submit#132
    R1 type=ringbuf_mem_or_null expected=ringbuf_mem

In short, we didn't check that the pointer returned by
bpf_ringbug_reserve isn't null.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
---
 sys/linux/test/bpf_helpers | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'sys/linux/test/bpf_helpers')

diff --git a/sys/linux/test/bpf_helpers b/sys/linux/test/bpf_helpers
index 0bc1ce513..598395ac2 100644
--- a/sys/linux/test/bpf_helpers
+++ b/sys/linux/test/bpf_helpers
@@ -25,4 +25,4 @@ r4 = bpf$PROG_LOAD(AUTO, &AUTO={0x3, AUTO, &AUTO=@framed={{AUTO, AUTO, AUTO, AUT
 
 r1 = bpf$MAP_CREATE_RINGBUF(AUTO, &AUTO={AUTO, AUTO, AUTO, 0x40000, AUTO, 0x0, 0x0, "00000000000000000000000000000000", 0x0, 0x0, 0x0, 0x0, 0x0, AUTO}, 0x48)
 
-r2 = bpf$PROG_LOAD(AUTO, &AUTO={0x3, AUTO, &AUTO=@ringbuf={{AUTO, AUTO, AUTO, AUTO, 0x0, AUTO, AUTO, AUTO, 0x0}, {{AUTO, AUTO, AUTO, AUTO, r1, AUTO, AUTO, AUTO, AUTO}, {AUTO, AUTO, AUTO, AUTO, AUTO, AUTO, AUTO}, {AUTO, AUTO, AUTO, AUTO, AUTO, AUTO, AUTO}, {AUTO, AUTO, AUTO, AUTO}, {AUTO, AUTO, AUTO, AUTO, AUTO, AUTO, AUTO}}, [], {AUTO, AUTO, AUTO, AUTO}}, &AUTO='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "00000000000000000000000000000000", 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0xa0) # EINVAL
+r2 = bpf$PROG_LOAD(AUTO, &AUTO={0x3, AUTO, &AUTO=@ringbuf={{AUTO, AUTO, AUTO, AUTO, 0x0, AUTO, AUTO, AUTO, 0x0}, {{AUTO, AUTO, AUTO, AUTO, r1, AUTO, AUTO, AUTO, AUTO}, {AUTO, AUTO, AUTO, AUTO, AUTO, AUTO, AUTO}, {AUTO, AUTO, AUTO, AUTO, AUTO, AUTO, AUTO}, {AUTO, AUTO, AUTO, AUTO}, {AUTO, AUTO, AUTO, AUTO, AUTO, AUTO, AUTO}}, [], {{AUTO, AUTO, AUTO, AUTO, AUTO, AUTO, AUTO}, {AUTO, AUTO, AUTO, AUTO, AUTO, AUTO, AUTO}, {AUTO, AUTO, AUTO, AUTO}, {AUTO, AUTO, AUTO, AUTO, AUTO, AUTO, AUTO}}, {AUTO, AUTO, AUTO, AUTO}}, &AUTO='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, "00000000000000000000000000000000", 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0xa0)
-- 
cgit mrf-deployment