9e5bd1f763
The current assumption is that the lifetime of a cgroup storage is tied to the program's attachment. The storage is created in cgroup_bpf_attach, and released upon cgroup_bpf_detach and cgroup_bpf_release. Because the current semantics is that each attachment gets a completely independent cgroup storage, and you can have multiple programs attached to the same (cgroup, attach type) pair, the key of the CGROUP_STORAGE map, looking up the map with this pair could yield multiple storages, and that is not permitted. Therefore, the kernel verifier checks that two programs cannot share the same CGROUP_STORAGE map, even if they have different expected attach types, considering that the actual attach type does not always have to be equal to the expected attach type. The test creates a CGROUP_STORAGE map and make it shared across two different programs, one cgroup_skb/egress and one /ingress. It asserts that the two programs cannot be both loaded, due to verifier failure from the above reason. Signed-off-by: YiFei Zhu <zhuyifei@google.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Link: https://lore.kernel.org/bpf/30a6b0da67ae6b0296c4d511bfb19c5f3d035916.1595565795.git.zhuyifei@google.com |
||
|---|---|---|
| .. | ||
| benchs | ||
| gnu | ||
| map_tests | ||
| prog_tests | ||
| progs | ||
| verifier | ||
| .gitignore | ||
| bench.c | ||
| bench.h | ||
| bpf_legacy.h | ||
| bpf_rand.h | ||
| bpf_rlimit.h | ||
| bpf_tcp_helpers.h | ||
| bpf_util.h | ||
| cgroup_helpers.c | ||
| cgroup_helpers.h | ||
| config | ||
| flow_dissector_load.c | ||
| flow_dissector_load.h | ||
| get_cgroup_id_user.c | ||
| Makefile | ||
| netcnt_common.h | ||
| network_helpers.c | ||
| network_helpers.h | ||
| README.rst | ||
| tcp_client.py | ||
| tcp_server.py | ||
| test_bpftool_build.sh | ||
| test_bpftool.py | ||
| test_bpftool.sh | ||
| test_btf.c | ||
| test_btf.h | ||
| test_cgroup_storage.c | ||
| test_cpp.cpp | ||
| test_current_pid_tgid_new_ns.c | ||
| test_dev_cgroup.c | ||
| test_flow_dissector.c | ||
| test_flow_dissector.sh | ||
| test_ftrace.sh | ||
| test_iptunnel_common.h | ||
| test_kmod.sh | ||
| test_lirc_mode2_user.c | ||
| test_lirc_mode2.sh | ||
| test_lpm_map.c | ||
| test_lru_map.c | ||
| test_lwt_ip_encap.sh | ||
| test_lwt_seg6local.sh | ||
| test_maps.c | ||
| test_maps.h | ||
| test_netcnt.c | ||
| test_offload.py | ||
| test_progs.c | ||
| test_progs.h | ||
| test_select_reuseport_common.h | ||
| test_skb_cgroup_id_user.c | ||
| test_skb_cgroup_id.sh | ||
| test_sock_addr.c | ||
| test_sock_addr.sh | ||
| test_sock_fields.c | ||
| test_sock.c | ||
| test_socket_cookie.c | ||
| test_sockmap.c | ||
| test_stub.c | ||
| test_sysctl.c | ||
| test_tag.c | ||
| test_tc_edt.sh | ||
| test_tc_tunnel.sh | ||
| test_tcp_check_syncookie_user.c | ||
| test_tcp_check_syncookie.sh | ||
| test_tcpbpf_user.c | ||
| test_tcpbpf.h | ||
| test_tcpnotify_user.c | ||
| test_tcpnotify.h | ||
| test_tunnel.sh | ||
| test_verifier_log.c | ||
| test_verifier.c | ||
| test_xdp_meta.sh | ||
| test_xdp_redirect.sh | ||
| test_xdp_veth.sh | ||
| test_xdp_vlan_mode_generic.sh | ||
| test_xdp_vlan_mode_native.sh | ||
| test_xdp_vlan.sh | ||
| test_xdping.sh | ||
| testing_helpers.c | ||
| testing_helpers.h | ||
| trace_helpers.c | ||
| trace_helpers.h | ||
| urandom_read.c | ||
| with_addr.sh | ||
| with_tunnels.sh | ||
| xdping.c | ||
| xdping.h | ||
================== BPF Selftest Notes ================== General instructions on running selftests can be found in `Documentation/bpf/bpf_devel_QA.rst`_. Additional information about selftest failures are documented here. bpf_iter test failures with clang/llvm 10.0.0 ============================================= With clang/llvm 10.0.0, the following two bpf_iter tests failed: * ``bpf_iter/ipv6_route`` * ``bpf_iter/netlink`` The symptom for ``bpf_iter/ipv6_route`` looks like .. code-block:: c 2: (79) r8 = *(u64 *)(r1 +8) ... 14: (bf) r2 = r8 15: (0f) r2 += r1 ; BPF_SEQ_PRINTF(seq, "%pi6 %02x ", &rt->fib6_dst.addr, rt->fib6_dst.plen); 16: (7b) *(u64 *)(r8 +64) = r2 only read is supported The symptom for ``bpf_iter/netlink`` looks like .. code-block:: c ; struct netlink_sock *nlk = ctx->sk; 2: (79) r7 = *(u64 *)(r1 +8) ... 15: (bf) r2 = r7 16: (0f) r2 += r1 ; BPF_SEQ_PRINTF(seq, "%pK %-3d ", s, s->sk_protocol); 17: (7b) *(u64 *)(r7 +0) = r2 only read is supported This is due to a llvm BPF backend bug. The fix https://reviews.llvm.org/D78466 has been pushed to llvm 10.x release branch and will be available in 10.0.1. The fix is available in llvm 11.0.0 trunk.