From nobody Mon Jun 8 09:51:25 2026 Received: from dggsgout11.his.huawei.com (dggsgout11.his.huawei.com [45.249.212.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EAFB52EBBB7; Sat, 30 May 2026 06:18:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.249.212.51 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780121931; cv=none; b=aal6li7emcRwExOygdSccofgVDhFrl3khjIz2SFu7tx2no4p9ueY9o41F3ajxDvSAYeBuFLZfj4siJE8tW1k51vGmnU+Qkq1O/naI3eu+JWqtWjb9skDzRunfTKXwJiraCFZKB4sOX36P7K3VA476pSm0e8ejwqOnul0h0fWbP8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780121931; c=relaxed/simple; bh=+M+i3nOax9RksBPlwsG/TbwU7BRhpckL/nb1vxM5y/E=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=KZDtvUkQqd0k32qXY6deOgKgL79y6NL+zmfYLkBZJMCW8pmVCGbxCFZ06Cz44Q2VYBkkRkQZSuFtcDM6dox5hxVbf9EyTKbf4heuEFAF33IYDvuiP6vHaV22T+DLTViJ3aDn5kW0JmD8yu5cIaawhB4djQKI0sWU29hovQDcUKs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=huaweicloud.com; spf=pass smtp.mailfrom=huaweicloud.com; arc=none smtp.client-ip=45.249.212.51 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=huaweicloud.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huaweicloud.com Received: from mail.maildlp.com (unknown [172.19.163.177]) by dggsgout11.his.huawei.com (SkyGuard) with ESMTPS id 4gS94g6cjszYQtrj; Sat, 30 May 2026 14:17:39 +0800 (CST) Received: from mail02.huawei.com (unknown [10.116.40.128]) by mail.maildlp.com (Postfix) with ESMTP id E5C714058D; Sat, 30 May 2026 14:18:40 +0800 (CST) Received: from localhost.huawei.com (unknown [10.67.174.243]) by APP4 (Coremail) with SMTP id gCh0CgDnr1s8gRpqNcqdEA--.3341S3; Sat, 30 May 2026 14:18:40 +0800 (CST) From: Xu Kuohai To: bpf@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Eduard Zingerman , Kumar Kartikeya Dwivedi , Yonghong Song , Stanislav Fomichev , YiFei Zhu , Matt Bobrowski , Quan Sun <2022090917019@std.uestc.edu.cn> Subject: [PATCH bpf v2 1/3] bpf: Add validation for bpf_set_retval argument Date: Sat, 30 May 2026 05:55:55 +0000 Message-ID: <20260530055557.549474-2-xukuohai@huaweicloud.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260530055557.549474-1-xukuohai@huaweicloud.com> References: <20260530055557.549474-1-xukuohai@huaweicloud.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-CM-TRANSID: gCh0CgDnr1s8gRpqNcqdEA--.3341S3 X-Coremail-Antispam: 1UD129KBjvJXoWxAFW8Xw1kCF45Kw47Jry7KFg_yoWrXF43pr 4fGryqyr1q9r4xWrs3t3WkZF1Fyw40g3ySkr97J34Sya13Kry3Wa4UW3yj9rySyF1kGw10 qF4jvFZ0va4jya7anT9S1TB71UUUUU7qnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUPYb4IE77IF4wAFF20E14v26rWj6s0DM7CY07I20VC2zVCF04k2 6cxKx2IYs7xG6rWj6s0DM7CIcVAFz4kK6r1j6r18M28IrcIa0xkI8VA2jI8067AKxVWUGw A2048vs2IY020Ec7CjxVAFwI0_Gr0_Xr1l8cAvFVAK0II2c7xJM28CjxkF64kEwVA0rcxS w2x7M28EF7xvwVC0I7IYx2IY67AKxVW7JVWDJwA2z4x0Y4vE2Ix0cI8IcVCY1x0267AKxV WxJVW8Jr1l84ACjcxK6I8E87Iv67AKxVW0oVCq3wA2z4x0Y4vEx4A2jsIEc7CjxVAFwI0_ GcCE3s1le2I262IYc4CY6c8Ij28IcVAaY2xG8wAqx4xG64xvF2IEw4CE5I8CrVC2j2WlYx 0E2Ix0cI8IcVAFwI0_Jr0_Jr4lYx0Ex4A2jsIE14v26r1j6r4UMcvjeVCFs4IE7xkEbVWU JVW8JwACjcxG0xvY0x0EwIxGrwACI402YVCY1x02628vn2kIc2xKxwCY1x0262kKe7AKxV WUtVW8ZwCF04k20xvY0x0EwIxGrwCFx2IqxVCFs4IE7xkEbVWUJVW8JwC20s026c02F40E 14v26r1j6r18MI8I3I0E7480Y4vE14v26r106r1rMI8E67AF67kF1VAFwI0_Jw0_GFylIx kGc2Ij64vIr41lIxAIcVC0I7IYx2IY67AKxVWUJVWUCwCI42IY6xIIjxv20xvEc7CjxVAF wI0_Gr0_Cr1lIxAIcVCF04k26cxKx2IYs7xG6r1j6r1xMIIF0xvEx4A2jsIE14v26r1j6r 4UMIIF0xvEx4A2jsIEc7CjxVAFwI0_Gr0_Gr1UYxBIdaVFxhVjvjDU0xZFpf9x07jnpnQU UUUU= X-CM-SenderInfo: 50xn30hkdlqx5xdzvxpfor3voofrz/ Content-Type: text/plain; charset="utf-8" From: Xu Kuohai The bpf_set_retval() helper is used by cgroup BPF programs to set the return value of the target hook. The argument type for this helper is ARG_ANYTHING. This allows setting a positive value, which no cgroup hook expects and can cause issues, such as: - BPF_LSM_CGROUP: a positive value from bpf_lsm_socket_create bypasses the err < 0 check in __sock_create(), leaving the socket object unallocated. The positive return value is then propagated to the syscall entry __sys_socket(), which also bypasses the IS_ERR() guard and ultimately causes a NULL pointer dereference. - BPF_CGROUP_DEVICE: a positive value can be returned through cgroup device bpf prog -> devcgroup_check_permission() -> bdev_permission() -> bdev_file_open_by_dev(), where ERR_PTR(positive) produces a pointer that IS_ERR() does not catch, leading to a wild pointer dereference. - BPF_CGROUP_SOCK: a positive value can be returned through cgroup sock bpf prog -> __cgroup_bpf_run_filter_sk() -> inet_create() -> __sock_create(), where inet_create() frees the newly allocated sk via sk_common_release() and sets sock->sk =3D NULL on the non-zero return, but __sock_create() only checks err < 0 for cleanup, so a positive retval bypasses cleanup and returns a socket with NULL sk to userspace, triggering a NULL pointer dereference on subsequent socket operations. - BPF_CGROUP_SYSCTL: a positive value can be returned through the cgroup bpf prog -> __cgroup_bpf_run_filter_sysctl() -> proc_sys_call_handler(), where a non-zero return bypasses the normal sysctl proc_handler and is returned directly to userspace as the read()/write() syscall return value. So add validation for the argument of the bpf_set_retval() helper. For BPF_LSM_CGROUP, the same validation as BPF_LSM_MAC is enforced, i.e. validate the argument against the LSM hook specific range, which is returned by bpf_lsm_get_retval_range(). For all other cgroup program types, restrict the argument to [-MAX_ERRNO, 0], which matches the kernel convention of 0 for success and negative errno for error. Since the return value type is always int, also restrict the argument type to scalar. Fixes: b44123b4a3dc ("bpf: Add cgroup helpers bpf_{get,set}_retval to get/s= et syscall return value") Fixes: 69fd337a975c ("bpf: per-cgroup lsm flavor") Reported-by: Quan Sun <2022090917019@std.uestc.edu.cn> Closes: https://lore.kernel.org/all/567d3206-74a5-44e5-99c6-779c425f399e@st= d.uestc.edu.cn Signed-off-by: Xu Kuohai --- kernel/bpf/verifier.c | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 7fb88e1cd7c4..e82dedf871e8 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -10460,6 +10460,19 @@ static int check_helper_call(struct bpf_verifier_e= nv *env, struct bpf_insn *insn } break; case BPF_FUNC_set_retval: + { + struct bpf_retval_range range =3D { + .minval =3D -MAX_ERRNO, + .maxval =3D 0, + .return_32bit =3D true + }; + struct bpf_reg_state *r1 =3D ®s[BPF_REG_1]; + + if (r1->type !=3D SCALAR_VALUE) { + verbose(env, "R1 is not a scalar\n"); + return -EINVAL; + } + if (prog_type =3D=3D BPF_PROG_TYPE_LSM && env->prog->expected_attach_type =3D=3D BPF_LSM_CGROUP) { if (!env->prog->aux->attach_func_proto->type) { @@ -10469,8 +10482,16 @@ static int check_helper_call(struct bpf_verifier_e= nv *env, struct bpf_insn *insn verbose(env, "BPF_LSM_CGROUP that attach to void LSM hooks can't modif= y return value!\n"); return -EINVAL; } + bpf_lsm_get_retval_range(env->prog, &range); } + + if (!retval_range_within(range, r1)) { + verbose_invalid_scalar(env, r1, range, "At bpf_set_retval", "R1"); + return -EINVAL; + } + break; + } case BPF_FUNC_dynptr_data: { struct bpf_reg_state *reg; --=20 2.43.0 From nobody Mon Jun 8 09:51:25 2026 Received: from dggsgout11.his.huawei.com (dggsgout11.his.huawei.com [45.249.212.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5B2DA303A07; Sat, 30 May 2026 06:18:49 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.249.212.51 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780121931; cv=none; b=Ym/6xMvhPCqiSOpsKRnsnaIcszytZcYKWvObdi0mOltbSdxE33PIoTmOw1pQ0X5wxMaYpRUXzjjC/Y7tIawIrQlHo9+PwBF2bB5toOztFxf2Drx/mTL5CZbgodJmwxKpTe9Z9lvlXDCPNj8WN0lm/+sexbDSJyClGGSySgcR7tg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780121931; c=relaxed/simple; bh=/Vk4rr1Vwwr9RA0LvbkzxGntrQW9C8p9yq6BjrGt89c=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=hJhc77y//aTvxAWgy3koht2ZUG+H/T8v+g1jaFKkk99+pfDyeIQCSsnv8z9JYDrclvTfxfP8l9nPbliVG2TZS5Vc+2pOEw+9vOXTO5MupFvgMM34skgkaS4FOe3atAqsvUHlikusDXWEXlnhyYa+fQXWsZC8p3ks8ea2nPe2XQQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=huaweicloud.com; spf=pass smtp.mailfrom=huaweicloud.com; arc=none smtp.client-ip=45.249.212.51 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=huaweicloud.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huaweicloud.com Received: from mail.maildlp.com (unknown [172.19.163.177]) by dggsgout11.his.huawei.com (SkyGuard) with ESMTPS id 4gS94h00mHzYQtrj; Sat, 30 May 2026 14:17:39 +0800 (CST) Received: from mail02.huawei.com (unknown [10.116.40.128]) by mail.maildlp.com (Postfix) with ESMTP id 03C7A4058F; Sat, 30 May 2026 14:18:41 +0800 (CST) Received: from localhost.huawei.com (unknown [10.67.174.243]) by APP4 (Coremail) with SMTP id gCh0CgDnr1s8gRpqNcqdEA--.3341S4; Sat, 30 May 2026 14:18:40 +0800 (CST) From: Xu Kuohai To: bpf@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Eduard Zingerman , Kumar Kartikeya Dwivedi , Yonghong Song , Stanislav Fomichev , YiFei Zhu , Matt Bobrowski , Quan Sun <2022090917019@std.uestc.edu.cn> Subject: [PATCH bpf v2 2/3] selftests/bpf: Fix cgroup bpf tests broken by bpf_set_retval validation Date: Sat, 30 May 2026 05:55:56 +0000 Message-ID: <20260530055557.549474-3-xukuohai@huaweicloud.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260530055557.549474-1-xukuohai@huaweicloud.com> References: <20260530055557.549474-1-xukuohai@huaweicloud.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-CM-TRANSID: gCh0CgDnr1s8gRpqNcqdEA--.3341S4 X-Coremail-Antispam: 1UD129KBjvJXoW7uFyxKFWDuF1DZry5uFWruFg_yoW8CFWfp3 Z7AFyqy3s3CF17Ja18GrsF9a1fKwsYqryYyw18XF1UZ3W3J3srXr4xKF45try3trZ3Zwsx uayag3s3ZF48Z3DanT9S1TB71UUUUU7qnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUPYb4IE77IF4wAFF20E14v26rWj6s0DM7CY07I20VC2zVCF04k2 6cxKx2IYs7xG6rWj6s0DM7CIcVAFz4kK6r1j6r18M28IrcIa0xkI8VA2jI8067AKxVWUXw A2048vs2IY020Ec7CjxVAFwI0_Xr0E3s1l8cAvFVAK0II2c7xJM28CjxkF64kEwVA0rcxS w2x7M28EF7xvwVC0I7IYx2IY67AKxVW7JVWDJwA2z4x0Y4vE2Ix0cI8IcVCY1x0267AKxV WxJVW8Jr1l84ACjcxK6I8E87Iv67AKxVW0oVCq3wA2z4x0Y4vEx4A2jsIEc7CjxVAFwI0_ GcCE3s1le2I262IYc4CY6c8Ij28IcVAaY2xG8wAqx4xG64xvF2IEw4CE5I8CrVC2j2WlYx 0E2Ix0cI8IcVAFwI0_Jr0_Jr4lYx0Ex4A2jsIE14v26r1j6r4UMcvjeVCFs4IE7xkEbVWU JVW8JwACjcxG0xvY0x0EwIxGrwACI402YVCY1x02628vn2kIc2xKxwCY1x0262kKe7AKxV WUtVW8ZwCF04k20xvY0x0EwIxGrwCFx2IqxVCFs4IE7xkEbVWUJVW8JwC20s026c02F40E 14v26r1j6r18MI8I3I0E7480Y4vE14v26r106r1rMI8E67AF67kF1VAFwI0_Jw0_GFylIx kGc2Ij64vIr41lIxAIcVC0I7IYx2IY67AKxVWUJVWUCwCI42IY6xIIjxv20xvEc7CjxVAF wI0_Gr0_Cr1lIxAIcVCF04k26cxKx2IYs7xG6r1j6r1xMIIF0xvEx4A2jsIE14v26r1j6r 4UMIIF0xvEx4A2jsIEc7CjxVAFwI0_Gr0_Gr1UYxBIdaVFxhVjvjDU0xZFpf9x07UCZXrU UUUU= X-CM-SenderInfo: 50xn30hkdlqx5xdzvxpfor3voofrz/ Content-Type: text/plain; charset="utf-8" From: Xu Kuohai Add explicit return value checks for cgroup bpf progs rejected by the bpf_set_retval validation. Signed-off-by: Xu Kuohai --- .../selftests/bpf/progs/cgroup_getset_retval_hooks.c | 6 +++++- tools/testing/selftests/bpf/progs/sk_bypass_prot_mem.c | 2 ++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/tools/testing/selftests/bpf/progs/cgroup_getset_retval_hooks.c= b/tools/testing/selftests/bpf/progs/cgroup_getset_retval_hooks.c index 13dfb4bbfd28..c0bfa2d12dc7 100644 --- a/tools/testing/selftests/bpf/progs/cgroup_getset_retval_hooks.c +++ b/tools/testing/selftests/bpf/progs/cgroup_getset_retval_hooks.c @@ -2,12 +2,16 @@ =20 #include #include +#include +#include "err.h" =20 #define BPF_RETVAL_HOOK(name, section, ctx, expected_err) \ __attribute__((__section__("?" section))) \ int name(struct ctx *_ctx) \ { \ - bpf_set_retval(bpf_get_retval()); \ + int val =3D bpf_get_retval(); \ + set_if_not_errno_or_zero(val, -EFAULT); \ + bpf_set_retval(val); \ return 1; \ } =20 diff --git a/tools/testing/selftests/bpf/progs/sk_bypass_prot_mem.c b/tools= /testing/selftests/bpf/progs/sk_bypass_prot_mem.c index 09a00d11ffcc..bae5283fca6b 100644 --- a/tools/testing/selftests/bpf/progs/sk_bypass_prot_mem.c +++ b/tools/testing/selftests/bpf/progs/sk_bypass_prot_mem.c @@ -5,6 +5,7 @@ #include #include #include +#include "err.h" =20 extern int tcp_memory_per_cpu_fw_alloc __ksym; extern int udp_memory_per_cpu_fw_alloc __ksym; @@ -97,6 +98,7 @@ int sock_create(struct bpf_sock *ctx) return 1; =20 err: + set_if_not_errno_or_zero(err, -EFAULT); bpf_set_retval(err); return 0; } --=20 2.43.0 From nobody Mon Jun 8 09:51:25 2026 Received: from dggsgout12.his.huawei.com (dggsgout12.his.huawei.com [45.249.212.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5D5B4272E6D; Sat, 30 May 2026 06:18:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.249.212.56 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780121928; cv=none; b=TyfsFBHVdCDi12UGv3sqEFFwwm0mFcZdZmDkEpvTVgSAHRWaHIlY/NUcNpgbqT9RYrKwbThP7Wpy1Vw2kRvH/DChw+FP55IPEVQWzZH9MwomyZINkGWEwHCc3/7UQ5VibGSejPljEo5TaRPtWN3BIKmRAp9Q57C+/osfc/g5i9M= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780121928; c=relaxed/simple; bh=zgntWj+9/IpmJ1e/RdM8e9a3X3vZqNHP4WxcdAJ3Ne4=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=TRRZ5jnUrzD8d2+WscDJOq03AhUdEYZRsZGnx3eoQt0AFBMMrt0m0SwAOJXYslXXvPByo91Z4Y0yK6gVdsLg1ASp+ZROU4hei3NVz1w1+854NJ0ISwGt2QiVtKNmsemIp8h10JsTRfOVV+jagJIyIRFJ903PsXY3yiMIpZlBcxs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=huaweicloud.com; spf=pass smtp.mailfrom=huaweicloud.com; arc=none smtp.client-ip=45.249.212.56 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=huaweicloud.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=huaweicloud.com Received: from mail.maildlp.com (unknown [172.19.163.198]) by dggsgout12.his.huawei.com (SkyGuard) with ESMTPS id 4gS95V0JPdzKHMSW; Sat, 30 May 2026 14:18:22 +0800 (CST) Received: from mail02.huawei.com (unknown [10.116.40.128]) by mail.maildlp.com (Postfix) with ESMTP id 14C4D40561; Sat, 30 May 2026 14:18:41 +0800 (CST) Received: from localhost.huawei.com (unknown [10.67.174.243]) by APP4 (Coremail) with SMTP id gCh0CgDnr1s8gRpqNcqdEA--.3341S5; Sat, 30 May 2026 14:18:40 +0800 (CST) From: Xu Kuohai To: bpf@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Eduard Zingerman , Kumar Kartikeya Dwivedi , Yonghong Song , Stanislav Fomichev , YiFei Zhu , Matt Bobrowski , Quan Sun <2022090917019@std.uestc.edu.cn> Subject: [PATCH bpf v2 3/3] selftests/bpf: Add tests for bpf_set_retval validation Date: Sat, 30 May 2026 05:55:57 +0000 Message-ID: <20260530055557.549474-4-xukuohai@huaweicloud.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260530055557.549474-1-xukuohai@huaweicloud.com> References: <20260530055557.549474-1-xukuohai@huaweicloud.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-CM-TRANSID: gCh0CgDnr1s8gRpqNcqdEA--.3341S5 X-Coremail-Antispam: 1UD129KBjvJXoWxGw4fGF4fZF18JFy7Gr1fCrg_yoWrury3p3 WkCF9rW3sYywsxWFWxGay2vF1rGa1vv3yUZryxXw1jkFn7Jr4DJr1IkF13JasxGFZ8Zw1Y krWa9rWfCr1Ut3DanT9S1TB71UUUUU7qnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUP2b4IE77IF4wAFF20E14v26rWj6s0DM7CY07I20VC2zVCF04k2 6cxKx2IYs7xG6rWj6s0DM7CIcVAFz4kK6r1j6r18M28IrcIa0xkI8VA2jI8067AKxVWUWw A2048vs2IY020Ec7CjxVAFwI0_Xr0E3s1l8cAvFVAK0II2c7xJM28CjxkF64kEwVA0rcxS w2x7M28EF7xvwVC0I7IYx2IY67AKxVW7JVWDJwA2z4x0Y4vE2Ix0cI8IcVCY1x0267AKxV W8Jr0_Cr1UM28EF7xvwVC2z280aVAFwI0_GcCE3s1l84ACjcxK6I8E87Iv6xkF7I0E14v2 6rxl6s0DM2AIxVAIcxkEcVAq07x20xvEncxIr21l5I8CrVACY4xI64kE6c02F40Ex7xfMc Ij6xIIjxv20xvE14v26r1j6r18McIj6I8E87Iv67AKxVWUJVW8JwAm72CE4IkC6x0Yz7v_ Jr0_Gr1lF7xvr2IYc2Ij64vIr41lFIxGxcIEc7CjxVA2Y2ka0xkIwI1lc7CjxVAaw2AFwI 0_Jw0_GFyl42xK82IYc2Ij64vIr41l4I8I3I0E4IkC6x0Yz7v_Jr0_Gr1lx2IqxVAqx4xG 67AKxVWUJVWUGwC20s026x8GjcxK67AKxVWUGVWUWwC2zVAF1VAY17CE14v26r1q6r43MI IYrxkI7VAKI48JMIIF0xvE2Ix0cI8IcVAFwI0_Jr0_JF4lIxAIcVC0I7IYx2IY6xkF7I0E 14v26F4j6r4UJwCI42IY6xAIw20EY4v20xvaj40_Jr0_JF4lIxAIcVC2z280aVAFwI0_Jr 0_Gr1lIxAIcVC2z280aVCY1x0267AKxVW8JVW8JrUvcSsGvfC2KfnxnUUI43ZEXa7IU14x RDUUUUU== X-CM-SenderInfo: 50xn30hkdlqx5xdzvxpfor3voofrz/ Content-Type: text/plain; charset="utf-8" From: Xu Kuohai Add verifier tests to validate bpf_set_retval argument for cgroup program types. Reviewed-by: Emil Tsalapatis #v1 Signed-off-by: Xu Kuohai --- .../selftests/bpf/prog_tests/verifier.c | 2 + .../selftests/bpf/progs/verifier_cgroup.c | 87 +++++++++++++++++++ 2 files changed, 89 insertions(+) create mode 100644 tools/testing/selftests/bpf/progs/verifier_cgroup.c diff --git a/tools/testing/selftests/bpf/prog_tests/verifier.c b/tools/test= ing/selftests/bpf/prog_tests/verifier.c index 06cd24e37b3f..d24d52a44425 100644 --- a/tools/testing/selftests/bpf/prog_tests/verifier.c +++ b/tools/testing/selftests/bpf/prog_tests/verifier.c @@ -115,6 +115,7 @@ #include "verifier_xdp.skel.h" #include "verifier_xdp_direct_packet_access.skel.h" #include "verifier_bits_iter.skel.h" +#include "verifier_cgroup.skel.h" #include "verifier_lsm.skel.h" #include "verifier_jit_inline.skel.h" #include "irq.skel.h" @@ -262,6 +263,7 @@ void test_verifier_xadd(void) { RUN(ver= ifier_xadd); } void test_verifier_xdp(void) { RUN(verifier_xdp); } void test_verifier_xdp_direct_packet_access(void) { RUN(verifier_xdp_direc= t_packet_access); } void test_verifier_bits_iter(void) { RUN(verifier_bits_iter); } +void test_verifier_cgroup(void) { RUN(verifier_cgroup); } void test_verifier_lsm(void) { RUN(verifier_lsm); } void test_irq(void) { RUN(irq); } void test_verifier_mtu(void) { RUN(verifier_mtu); } diff --git a/tools/testing/selftests/bpf/progs/verifier_cgroup.c b/tools/te= sting/selftests/bpf/progs/verifier_cgroup.c new file mode 100644 index 000000000000..cc95e066bf61 --- /dev/null +++ b/tools/testing/selftests/bpf/progs/verifier_cgroup.c @@ -0,0 +1,87 @@ +// SPDX-License-Identifier: GPL-2.0 + +#include +#include +#include +#include +#include "bpf_misc.h" + +/* + * Cgroup programs set return values via bpf_set_retval() helper. + * The helper argument must be 0 (success) or negative errno. + * Positive values bypass IS_ERR() check and can cause kernel issues. + */ + +SEC("lsm_cgroup/socket_create") +__description("lsm_cgroup bpf_set_retval success") +__success +int BPF_PROG(lsm_cgroup_set_retval_zero_valid, int family, int type, int p= rotocol, int kern) +{ + bpf_set_retval(0); + return 0; +} + +SEC("lsm_cgroup/socket_create") +__description("lsm_cgroup bpf_set_retval valid errno") +__success +int BPF_PROG(lsm_cgroup_set_retval_negative_valid, int family, int type, i= nt protocol, int kern) +{ + bpf_set_retval(-12); + return 0; +} + +SEC("lsm_cgroup/socket_create") +__description("lsm_cgroup bpf_set_retval invalid negative value") +__failure __msg("should have been in [-4095, 0]") +int BPF_PROG(lsm_cgroup_set_retval_negative_invalid, int family, int type,= int protocol, int kern) +{ + bpf_set_retval(-4096); + return 0; +} + +SEC("lsm_cgroup/socket_create") +__description("lsm_cgroup bpf_set_retval invalid positive value") +__failure __msg("should have been in [-4095, 0]") +int BPF_PROG(lsm_cgroup_set_retval_positive_invalid, int family, int type,= int protocol, int kern) +{ + bpf_set_retval(1); + return 0; +} + +SEC("cgroup/dev") +__description("cgroup_device bpf_set_retval success") +__success +int cgroup_dev_set_retval_0(struct bpf_cgroup_dev_ctx *ctx) +{ + bpf_set_retval(0); + return 1; +} + +SEC("cgroup/dev") +__description("cgroup_device bpf_set_retval valid errno") +__success +int cgroup_dev_set_retval_neg_maxerrno(struct bpf_cgroup_dev_ctx *ctx) +{ + bpf_set_retval(-4095); + return 1; +} + +SEC("cgroup/dev") +__description("cgroup_device bpf_set_retval invalid positive value") +__failure __msg("should have been in [-4095, 0]") +int cgroup_dev_set_retval_1(struct bpf_cgroup_dev_ctx *ctx) +{ + bpf_set_retval(1); + return 1; +} + +SEC("cgroup/dev") +__description("cgroup_device bpf_set_retval invalid negative value") +__failure __msg("should have been in [-4095, 0]") +int cgroup_dev_set_retval_neg_4096(struct bpf_cgroup_dev_ctx *ctx) +{ + bpf_set_retval(-4096); + return 1; +} + +char _license[] SEC("license") =3D "GPL"; --=20 2.43.0