+cc Hengqi
On Mon, Jan 24, 2022 at 6:20 AM Kenta Tada <Kenta.Tada@xxxxxxxx> wrote:
>
> Add a selftest to verify the behavior of PT_REGS_xxx
> and the CORE variant.
>
> Signed-off-by: Kenta Tada <Kenta.Tada@xxxxxxxx>
> ---
> .../bpf/prog_tests/test_bpf_syscall_macro.c | 63 ++++++++++++++++++
> .../selftests/bpf/progs/bpf_syscall_macro.c | 64 +++++++++++++++++++
> 2 files changed, 127 insertions(+)
> create mode 100644 tools/testing/selftests/bpf/prog_tests/test_bpf_syscall_macro.c
> create mode 100644 tools/testing/selftests/bpf/progs/bpf_syscall_macro.c
>
[...]
> diff --git a/tools/testing/selftests/bpf/progs/bpf_syscall_macro.c b/tools/testing/selftests/bpf/progs/bpf_syscall_macro.c
> new file mode 100644
> index 000000000000..cfeccd85f40e
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/progs/bpf_syscall_macro.c
> @@ -0,0 +1,64 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/* Copyright 2022 Sony Group Corporation */
> +#include <vmlinux.h>
> +
> +#include <bpf/bpf_core_read.h>
> +#include <bpf/bpf_helpers.h>
> +#include <bpf/bpf_tracing.h>
> +#include "bpf_misc.h"
> +
> +int arg1 = 0;
> +unsigned long arg2 = 0;
> +unsigned long arg3 = 0;
> +unsigned long arg4_cx = 0;
> +unsigned long arg4 = 0;
> +unsigned long arg5 = 0;
> +
> +int arg1_core = 0;
> +unsigned long arg2_core = 0;
> +unsigned long arg3_core = 0;
> +unsigned long arg4_core_cx = 0;
> +unsigned long arg4_core = 0;
> +unsigned long arg5_core = 0;
> +
> +const volatile pid_t filter_pid = 0;
> +
> +SEC("kprobe/" SYS_PREFIX "sys_prctl")
> +int BPF_KPROBE(handle_sys_prctl)
> +{
> + struct pt_regs *real_regs;
> + int orig_arg1;
> + unsigned long orig_arg2, orig_arg3, orig_arg4_cx, orig_arg4, orig_arg5;
> + pid_t pid = bpf_get_current_pid_tgid() >> 32;
> +
> + if (pid != filter_pid)
> + return 0;
> +
> + /* test for PT_REGS_PARM */
> + real_regs = (struct pt_regs *)PT_REGS_PARM1(ctx);
> + bpf_probe_read_kernel(&orig_arg1, sizeof(orig_arg1), &PT_REGS_PARM1_SYSCALL(real_regs));
> + bpf_probe_read_kernel(&orig_arg2, sizeof(orig_arg2), &PT_REGS_PARM2_SYSCALL(real_regs));
> + bpf_probe_read_kernel(&orig_arg3, sizeof(orig_arg3), &PT_REGS_PARM3_SYSCALL(real_regs));
> + bpf_probe_read_kernel(&orig_arg4_cx, sizeof(orig_arg4_cx), &PT_REGS_PARM4(real_regs));
> + bpf_probe_read_kernel(&orig_arg4, sizeof(orig_arg4), &PT_REGS_PARM4_SYSCALL(real_regs));
> + bpf_probe_read_kernel(&orig_arg5, sizeof(orig_arg5), &PT_REGS_PARM5_SYSCALL(real_regs));
> + /* copy all actual args and the wrong arg4 on x86_64 */
> + arg1 = orig_arg1;
> + arg2 = orig_arg2;
> + arg3 = orig_arg3;
> + arg4_cx = orig_arg4_cx;
> + arg4 = orig_arg4;
> + arg5 = orig_arg5;
I don't get why you needed orig_argX variables and then copying them
into argX variables. I changed this to read directly into argX. I
suspect arg1 handling might break on big-endian arches due to int vs
long differences, please check that and send a follow up fix.
Also keep in mind that selftest changes should come with
"selftests/bpf:" subject prefix, not "libbpf:". Fixed that up as well.
Applied to bpf-next, thanks.
Hopefully Hengqi will build his SYSCALL prog wrapper macros on top of
this as a follow up as well.
> +
> + /* test for the CORE variant of PT_REGS_PARM */
> + arg1_core = PT_REGS_PARM1_CORE_SYSCALL(real_regs);
> + arg2_core = PT_REGS_PARM2_CORE_SYSCALL(real_regs);
> + arg3_core = PT_REGS_PARM3_CORE_SYSCALL(real_regs);
> + arg4_core_cx = PT_REGS_PARM4_CORE(real_regs);
> + arg4_core = PT_REGS_PARM4_CORE_SYSCALL(real_regs);
> + arg5_core = PT_REGS_PARM5_CORE_SYSCALL(real_regs);
> +
> + return 0;
> +}
> +
> +char _license[] SEC("license") = "GPL";
> --
> 2.32.0
>
