bpf: enforce return code for cgroup-bpf programs

with addition of tnum logic the verifier got smart enough and
we can enforce return codes at program load time.
For now do so for cgroup-bpf program types.

Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 72 insertions, 0 deletions

diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c
index 290d5056c165..cc91d0159f43 100644
--- a/tools/testing/selftests/bpf/test_verifier.c
+++ b/tools/testing/selftests/bpf/test_verifier.c
@@ -6892,6 +6892,78 @@ static struct bpf_test tests[] = {
                 .result = ACCEPT,
                 .prog_type = BPF_PROG_TYPE_XDP,
         },
+        {
+                "bpf_exit with invalid return code. test1",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R0 has value (0x0; 0xffffffff)",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
+        },
+        {
+                "bpf_exit with invalid return code. test2",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
+                        BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
+        },
+        {
+                "bpf_exit with invalid return code. test3",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
+                        BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 3),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R0 has value (0x0; 0x3)",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
+        },
+        {
+                "bpf_exit with invalid return code. test4",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_0, 1),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
+        },
+        {
+                "bpf_exit with invalid return code. test5",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_0, 2),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R0 has value (0x2; 0x0)",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
+        },
+        {
+                "bpf_exit with invalid return code. test6",
+                .insns = {
+                        BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R0 is not a known value (ctx)",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
+        },
+        {
+                "bpf_exit with invalid return code. test7",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4),
+                        BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_2),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R0 has unknown scalar value",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
+        },
 };
 
 static int probe_filter_length(const struct bpf_insn *fp)