]> git.proxmox.com Git - mirror_ubuntu-hirsute-kernel.git/blame - kernel/bpf/verifier.c
projects / mirror_ubuntu-hirsute-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
bpf: improve verification speed by not remarking live_read
[mirror_ubuntu-hirsute-kernel.git] / kernel / bpf / verifier.c
CommitLineData
51580e79 1/* Copyright (c) 2011-2014 PLUMgrid, http://plumgrid.com
969bf05e 2 * Copyright (c) 2016 Facebook
fd978bf7 3 * Copyright (c) 2018 Covalent IO, Inc. http://covalent.io
51580e79
AS		 4 *
5 * This program is free software; you can redistribute it and/or
6 * modify it under the terms of version 2 of the GNU General Public
7 * License as published by the Free Software Foundation.
8 *
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
12 * General Public License for more details.
13 */
838e9690 14#include <uapi/linux/btf.h>
51580e79
AS		 15#include <linux/kernel.h>
16#include <linux/types.h>
17#include <linux/slab.h>
18#include <linux/bpf.h>
838e9690 19#include <linux/btf.h>
58e2af8b 20#include <linux/bpf_verifier.h>
51580e79
AS		 21#include <linux/filter.h>
22#include <net/netlink.h>
23#include <linux/file.h>
24#include <linux/vmalloc.h>
ebb676da 25#include <linux/stringify.h>
cc8b0b92
AS		 26#include <linux/bsearch.h>
27#include <linux/sort.h>
c195651e 28#include <linux/perf_event.h>
d9762e84 29#include <linux/ctype.h>
51580e79 30
f4ac7e0b
JK		 31#include "disasm.h"
32
00176a34
JK		 33static const struct bpf_verifier_ops * const bpf_verifier_ops[] = {
34#define BPF_PROG_TYPE(_id, _name) \
35 [_id] = & _name ## _verifier_ops,
36#define BPF_MAP_TYPE(_id, _ops)
37#include <linux/bpf_types.h>
38#undef BPF_PROG_TYPE
39#undef BPF_MAP_TYPE
40};
41
51580e79
AS		 42/* bpf_check() is a static code analyzer that walks eBPF program
43 * instruction by instruction and updates register/stack state.
44 * All paths of conditional branches are analyzed until 'bpf_exit' insn.
45 *
46 * The first pass is depth-first-search to check that the program is a DAG.
47 * It rejects the following programs:
48 * - larger than BPF_MAXINSNS insns
49 * - if loop is present (detected via back-edge)
50 * - unreachable insns exist (shouldn't be a forest. program = one function)
51 * - out of bounds or malformed jumps
52 * The second pass is all possible path descent from the 1st insn.
53 * Since it's analyzing all pathes through the program, the length of the
eba38a96 54 * analysis is limited to 64k insn, which may be hit even if total number of
51580e79
AS		 55 * insn is less then 4K, but there are too many branches that change stack/regs.
56 * Number of 'branches to be analyzed' is limited to 1k
57 *
58 * On entry to each instruction, each register has a type, and the instruction
59 * changes the types of the registers depending on instruction semantics.
60 * If instruction is BPF_MOV64_REG(BPF_REG_1, BPF_REG_5), then type of R5 is
61 * copied to R1.
62 *
63 * All registers are 64-bit.
64 * R0 - return register
65 * R1-R5 argument passing registers
66 * R6-R9 callee saved registers
67 * R10 - frame pointer read-only
68 *
69 * At the start of BPF program the register R1 contains a pointer to bpf_context
70 * and has type PTR_TO_CTX.
71 *
72 * Verifier tracks arithmetic operations on pointers in case:
73 * BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
74 * BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -20),
75 * 1st insn copies R10 (which has FRAME_PTR) type into R1
76 * and 2nd arithmetic instruction is pattern matched to recognize
77 * that it wants to construct a pointer to some element within stack.
78 * So after 2nd insn, the register R1 has type PTR_TO_STACK
79 * (and -20 constant is saved for further stack bounds checking).
80 * Meaning that this reg is a pointer to stack plus known immediate constant.
81 *
f1174f77 82 * Most of the time the registers have SCALAR_VALUE type, which
51580e79 83 * means the register has some value, but it's not a valid pointer.
f1174f77 84 * (like pointer plus pointer becomes SCALAR_VALUE type)
51580e79
AS		 85 *
86 * When verifier sees load or store instructions the type of base register
c64b7983
JS		 87 * can be: PTR_TO_MAP_VALUE, PTR_TO_CTX, PTR_TO_STACK, PTR_TO_SOCKET. These are
88 * four pointer types recognized by check_mem_access() function.
51580e79
AS		 89 *
90 * PTR_TO_MAP_VALUE means that this register is pointing to 'map element value'
91 * and the range of [ptr, ptr + map's value_size) is accessible.
92 *
93 * registers used to pass values to function calls are checked against
94 * function argument constraints.
95 *
96 * ARG_PTR_TO_MAP_KEY is one of such argument constraints.
97 * It means that the register type passed to this function must be
98 * PTR_TO_STACK and it will be used inside the function as
99 * 'pointer to map element key'
100 *
101 * For example the argument constraints for bpf_map_lookup_elem():
102 * .ret_type = RET_PTR_TO_MAP_VALUE_OR_NULL,
103 * .arg1_type = ARG_CONST_MAP_PTR,
104 * .arg2_type = ARG_PTR_TO_MAP_KEY,
105 *
106 * ret_type says that this function returns 'pointer to map elem value or null'
107 * function expects 1st argument to be a const pointer to 'struct bpf_map' and
108 * 2nd argument should be a pointer to stack, which will be used inside
109 * the helper function as a pointer to map element key.
110 *
111 * On the kernel side the helper function looks like:
112 * u64 bpf_map_lookup_elem(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5)
113 * {
114 * struct bpf_map *map = (struct bpf_map *) (unsigned long) r1;
115 * void *key = (void *) (unsigned long) r2;
116 * void *value;
117 *
118 * here kernel can access 'key' and 'map' pointers safely, knowing that
119 * [key, key + map->key_size) bytes are valid and were initialized on
120 * the stack of eBPF program.
121 * }
122 *
123 * Corresponding eBPF program may look like:
124 * BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), // after this insn R2 type is FRAME_PTR
125 * BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), // after this insn R2 type is PTR_TO_STACK
126 * BPF_LD_MAP_FD(BPF_REG_1, map_fd), // after this insn R1 type is CONST_PTR_TO_MAP
127 * BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
128 * here verifier looks at prototype of map_lookup_elem() and sees:
129 * .arg1_type == ARG_CONST_MAP_PTR and R1->type == CONST_PTR_TO_MAP, which is ok,
130 * Now verifier knows that this map has key of R1->map_ptr->key_size bytes
131 *
132 * Then .arg2_type == ARG_PTR_TO_MAP_KEY and R2->type == PTR_TO_STACK, ok so far,
133 * Now verifier checks that [R2, R2 + map's key_size) are within stack limits
134 * and were initialized prior to this call.
135 * If it's ok, then verifier allows this BPF_CALL insn and looks at
136 * .ret_type which is RET_PTR_TO_MAP_VALUE_OR_NULL, so it sets
137 * R0->type = PTR_TO_MAP_VALUE_OR_NULL which means bpf_map_lookup_elem() function
138 * returns ether pointer to map value or NULL.
139 *
140 * When type PTR_TO_MAP_VALUE_OR_NULL passes through 'if (reg != 0) goto +off'
141 * insn, the register holding that pointer in the true branch changes state to
142 * PTR_TO_MAP_VALUE and the same register changes state to CONST_IMM in the false
143 * branch. See check_cond_jmp_op().
144 *
145 * After the call R0 is set to return type of the function and registers R1-R5
146 * are set to NOT_INIT to indicate that they are no longer readable.
fd978bf7
JS		 147 *
148 * The following reference types represent a potential reference to a kernel
149 * resource which, after first being allocated, must be checked and freed by
150 * the BPF program:
151 * - PTR_TO_SOCKET_OR_NULL, PTR_TO_SOCKET
152 *
153 * When the verifier sees a helper call return a reference type, it allocates a
154 * pointer id for the reference and stores it in the current function state.
155 * Similar to the way that PTR_TO_MAP_VALUE_OR_NULL is converted into
156 * PTR_TO_MAP_VALUE, PTR_TO_SOCKET_OR_NULL becomes PTR_TO_SOCKET when the type
157 * passes through a NULL-check conditional. For the branch wherein the state is
158 * changed to CONST_IMM, the verifier releases the reference.
6acc9b43
JS		 159 *
160 * For each helper function that allocates a reference, such as
161 * bpf_sk_lookup_tcp(), there is a corresponding release function, such as
162 * bpf_sk_release(). When a reference type passes into the release function,
163 * the verifier also releases the reference. If any unchecked or unreleased
164 * reference remains at the end of the program, the verifier rejects it.
51580e79
AS		 165 */
166
17a52670 167/* verifier_state + insn_idx are pushed to stack when branch is encountered */
58e2af8b 168struct bpf_verifier_stack_elem {
17a52670
AS		 169 /* verifer state is 'st'
170 * before processing instruction 'insn_idx'
171 * and after processing instruction 'prev_insn_idx'
172 */
58e2af8b 173 struct bpf_verifier_state st;
17a52670
AS		 174 int insn_idx;
175 int prev_insn_idx;
58e2af8b 176 struct bpf_verifier_stack_elem *next;
cbd35700
AS		 177};
178
8e17c1b1 179#define BPF_COMPLEXITY_LIMIT_INSNS 131072
07016151 180#define BPF_COMPLEXITY_LIMIT_STACK 1024
ceefbc96 181#define BPF_COMPLEXITY_LIMIT_STATES 64
07016151 182
c93552c4
DB		 183#define BPF_MAP_PTR_UNPRIV 1UL
184#define BPF_MAP_PTR_POISON ((void *)((0xeB9FUL << 1) + \
185 POISON_POINTER_DELTA))
186#define BPF_MAP_PTR(X) ((struct bpf_map *)((X) & ~BPF_MAP_PTR_UNPRIV))
187
188static bool bpf_map_ptr_poisoned(const struct bpf_insn_aux_data *aux)
189{
190 return BPF_MAP_PTR(aux->map_state) == BPF_MAP_PTR_POISON;
191}
192
193static bool bpf_map_ptr_unpriv(const struct bpf_insn_aux_data *aux)
194{
195 return aux->map_state & BPF_MAP_PTR_UNPRIV;
196}
197
198static void bpf_map_ptr_store(struct bpf_insn_aux_data *aux,
199 const struct bpf_map *map, bool unpriv)
200{
201 BUILD_BUG_ON((unsigned long)BPF_MAP_PTR_POISON & BPF_MAP_PTR_UNPRIV);
202 unpriv |= bpf_map_ptr_unpriv(aux);
203 aux->map_state = (unsigned long)map |
204 (unpriv ? BPF_MAP_PTR_UNPRIV : 0UL);
205}
fad73a1a 206
33ff9823
DB		 207struct bpf_call_arg_meta {
208 struct bpf_map *map_ptr;
435faee1 209 bool raw_mode;
36bbef52 210 bool pkt_access;
435faee1
DB		 211 int regno;
212 int access_size;
849fa506
YS		 213 s64 msize_smax_value;
214 u64 msize_umax_value;
1b986589 215 int ref_obj_id;
d83525ca 216 int func_id;
33ff9823
DB		 217};
218
cbd35700
AS		 219static DEFINE_MUTEX(bpf_verifier_lock);
220
d9762e84
MKL		 221static const struct bpf_line_info *
222find_linfo(const struct bpf_verifier_env *env, u32 insn_off)
223{
224 const struct bpf_line_info *linfo;
225 const struct bpf_prog *prog;
226 u32 i, nr_linfo;
227
228 prog = env->prog;
229 nr_linfo = prog->aux->nr_linfo;
230
231 if (!nr_linfo || insn_off >= prog->len)
232 return NULL;
233
234 linfo = prog->aux->linfo;
235 for (i = 1; i < nr_linfo; i++)
236 if (insn_off < linfo[i].insn_off)
237 break;
238
239 return &linfo[i - 1];
240}
241
77d2e05a
MKL		 242void bpf_verifier_vlog(struct bpf_verifier_log *log, const char *fmt,
243 va_list args)
cbd35700 244{
a2a7d570 245 unsigned int n;
cbd35700 246
a2a7d570 247 n = vscnprintf(log->kbuf, BPF_VERIFIER_TMP_LOG_SIZE, fmt, args);
a2a7d570
JK		 248
249 WARN_ONCE(n >= BPF_VERIFIER_TMP_LOG_SIZE - 1,
250 "verifier log line truncated - local buffer too short\n");
251
252 n = min(log->len_total - log->len_used - 1, n);
253 log->kbuf[n] = '\0';
254
255 if (!copy_to_user(log->ubuf + log->len_used, log->kbuf, n + 1))
256 log->len_used += n;
257 else
258 log->ubuf = NULL;
cbd35700 259}
abe08840
JO		 260
261/* log_level controls verbosity level of eBPF verifier.
262 * bpf_verifier_log_write() is used to dump the verification trace to the log,
263 * so the user can figure out what's wrong with the program
430e68d1 264 */
abe08840
JO		 265__printf(2, 3) void bpf_verifier_log_write(struct bpf_verifier_env *env,
266 const char *fmt, ...)
267{
268 va_list args;
269
77d2e05a
MKL		 270 if (!bpf_verifier_log_needed(&env->log))
271 return;
272
abe08840 273 va_start(args, fmt);
77d2e05a 274 bpf_verifier_vlog(&env->log, fmt, args);
abe08840
JO		 275 va_end(args);
276}
277EXPORT_SYMBOL_GPL(bpf_verifier_log_write);
278
279__printf(2, 3) static void verbose(void *private_data, const char *fmt, ...)
280{
77d2e05a 281 struct bpf_verifier_env *env = private_data;
abe08840
JO		 282 va_list args;
283
77d2e05a
MKL		 284 if (!bpf_verifier_log_needed(&env->log))
285 return;
286
abe08840 287 va_start(args, fmt);
77d2e05a 288 bpf_verifier_vlog(&env->log, fmt, args);
abe08840
JO		 289 va_end(args);
290}
cbd35700 291
d9762e84
MKL		 292static const char *ltrim(const char *s)
293{
294 while (isspace(*s))
295 s++;
296
297 return s;
298}
299
300__printf(3, 4) static void verbose_linfo(struct bpf_verifier_env *env,
301 u32 insn_off,
302 const char *prefix_fmt, ...)
303{
304 const struct bpf_line_info *linfo;
305
306 if (!bpf_verifier_log_needed(&env->log))
307 return;
308
309 linfo = find_linfo(env, insn_off);
310 if (!linfo || linfo == env->prev_linfo)
311 return;
312
313 if (prefix_fmt) {
314 va_list args;
315
316 va_start(args, prefix_fmt);
317 bpf_verifier_vlog(&env->log, prefix_fmt, args);
318 va_end(args);
319 }
320
321 verbose(env, "%s\n",
322 ltrim(btf_name_by_offset(env->prog->aux->btf,
323 linfo->line_off)));
324
325 env->prev_linfo = linfo;
326}
327
de8f3a83
DB		 328static bool type_is_pkt_pointer(enum bpf_reg_type type)
329{
330 return type == PTR_TO_PACKET ||
331 type == PTR_TO_PACKET_META;
332}
333
46f8bc92
MKL		 334static bool type_is_sk_pointer(enum bpf_reg_type type)
335{
336 return type == PTR_TO_SOCKET ||
655a51e5
MKL		 337 type == PTR_TO_SOCK_COMMON ||
338 type == PTR_TO_TCP_SOCK;
46f8bc92
MKL		 339}
340
840b9615
JS		 341static bool reg_type_may_be_null(enum bpf_reg_type type)
342{
fd978bf7 343 return type == PTR_TO_MAP_VALUE_OR_NULL ||
46f8bc92 344 type == PTR_TO_SOCKET_OR_NULL ||
655a51e5
MKL		 345 type == PTR_TO_SOCK_COMMON_OR_NULL ||
346 type == PTR_TO_TCP_SOCK_OR_NULL;
fd978bf7
JS		 347}
348
d83525ca
AS		 349static bool reg_may_point_to_spin_lock(const struct bpf_reg_state *reg)
350{
351 return reg->type == PTR_TO_MAP_VALUE &&
352 map_value_has_spin_lock(reg->map_ptr);
353}
354
cba368c1
MKL		 355static bool reg_type_may_be_refcounted_or_null(enum bpf_reg_type type)
356{
357 return type == PTR_TO_SOCKET ||
358 type == PTR_TO_SOCKET_OR_NULL ||
359 type == PTR_TO_TCP_SOCK ||
360 type == PTR_TO_TCP_SOCK_OR_NULL;
361}
362
1b986589 363static bool arg_type_may_be_refcounted(enum bpf_arg_type type)
fd978bf7 364{
1b986589 365 return type == ARG_PTR_TO_SOCK_COMMON;
fd978bf7
JS		 366}
367
368/* Determine whether the function releases some resources allocated by another
369 * function call. The first reference type argument will be assumed to be
370 * released by release_reference().
371 */
372static bool is_release_function(enum bpf_func_id func_id)
373{
6acc9b43 374 return func_id == BPF_FUNC_sk_release;
840b9615
JS		 375}
376
46f8bc92
MKL		 377static bool is_acquire_function(enum bpf_func_id func_id)
378{
379 return func_id == BPF_FUNC_sk_lookup_tcp ||
edbf8c01
LB		 380 func_id == BPF_FUNC_sk_lookup_udp ||
381 func_id == BPF_FUNC_skc_lookup_tcp;
46f8bc92
MKL		 382}
383
1b986589
MKL		 384static bool is_ptr_cast_function(enum bpf_func_id func_id)
385{
386 return func_id == BPF_FUNC_tcp_sock ||
387 func_id == BPF_FUNC_sk_fullsock;
388}
389
17a52670
AS		 390/* string representation of 'enum bpf_reg_type' */
391static const char * const reg_type_str[] = {
392 [NOT_INIT] = "?",
f1174f77 393 [SCALAR_VALUE] = "inv",
17a52670
AS		 394 [PTR_TO_CTX] = "ctx",
395 [CONST_PTR_TO_MAP] = "map_ptr",
396 [PTR_TO_MAP_VALUE] = "map_value",
397 [PTR_TO_MAP_VALUE_OR_NULL] = "map_value_or_null",
17a52670 398 [PTR_TO_STACK] = "fp",
969bf05e 399 [PTR_TO_PACKET] = "pkt",
de8f3a83 400 [PTR_TO_PACKET_META] = "pkt_meta",
969bf05e 401 [PTR_TO_PACKET_END] = "pkt_end",
d58e468b 402 [PTR_TO_FLOW_KEYS] = "flow_keys",
c64b7983
JS		 403 [PTR_TO_SOCKET] = "sock",
404 [PTR_TO_SOCKET_OR_NULL] = "sock_or_null",
46f8bc92
MKL		 405 [PTR_TO_SOCK_COMMON] = "sock_common",
406 [PTR_TO_SOCK_COMMON_OR_NULL] = "sock_common_or_null",
655a51e5
MKL		 407 [PTR_TO_TCP_SOCK] = "tcp_sock",
408 [PTR_TO_TCP_SOCK_OR_NULL] = "tcp_sock_or_null",
17a52670
AS		 409};
410
8efea21d
EC		 411static char slot_type_char[] = {
412 [STACK_INVALID] = '?',
413 [STACK_SPILL] = 'r',
414 [STACK_MISC] = 'm',
415 [STACK_ZERO] = '0',
416};
417
4e92024a
AS		 418static void print_liveness(struct bpf_verifier_env *env,
419 enum bpf_reg_liveness live)
420{
9242b5f5 421 if (live & (REG_LIVE_READ | REG_LIVE_WRITTEN | REG_LIVE_DONE))
4e92024a
AS		 422 verbose(env, "_");
423 if (live & REG_LIVE_READ)
424 verbose(env, "r");
425 if (live & REG_LIVE_WRITTEN)
426 verbose(env, "w");
9242b5f5
AS		 427 if (live & REG_LIVE_DONE)
428 verbose(env, "D");
4e92024a
AS		 429}
430
f4d7e40a
AS		 431static struct bpf_func_state *func(struct bpf_verifier_env *env,
432 const struct bpf_reg_state *reg)
433{
434 struct bpf_verifier_state *cur = env->cur_state;
435
436 return cur->frame[reg->frameno];
437}
438
61bd5218 439static void print_verifier_state(struct bpf_verifier_env *env,
f4d7e40a 440 const struct bpf_func_state *state)
17a52670 441{
f4d7e40a 442 const struct bpf_reg_state *reg;
17a52670
AS		 443 enum bpf_reg_type t;
444 int i;
445
f4d7e40a
AS		 446 if (state->frameno)
447 verbose(env, " frame%d:", state->frameno);
17a52670 448 for (i = 0; i < MAX_BPF_REG; i++) {
1a0dc1ac
AS		 449 reg = &state->regs[i];
450 t = reg->type;
17a52670
AS		 451 if (t == NOT_INIT)
452 continue;
4e92024a
AS		 453 verbose(env, " R%d", i);
454 print_liveness(env, reg->live);
455 verbose(env, "=%s", reg_type_str[t]);
f1174f77
EC		 456 if ((t == SCALAR_VALUE || t == PTR_TO_STACK) &&
457 tnum_is_const(reg->var_off)) {
458 /* reg->off should be 0 for SCALAR_VALUE */
61bd5218 459 verbose(env, "%lld", reg->var_off.value + reg->off);
f4d7e40a
AS		 460 if (t == PTR_TO_STACK)
461 verbose(env, ",call_%d", func(env, reg)->callsite);
f1174f77 462 } else {
cba368c1
MKL		 463 verbose(env, "(id=%d", reg->id);
464 if (reg_type_may_be_refcounted_or_null(t))
465 verbose(env, ",ref_obj_id=%d", reg->ref_obj_id);
f1174f77 466 if (t != SCALAR_VALUE)
61bd5218 467 verbose(env, ",off=%d", reg->off);
de8f3a83 468 if (type_is_pkt_pointer(t))
61bd5218 469 verbose(env, ",r=%d", reg->range);
f1174f77
EC		 470 else if (t == CONST_PTR_TO_MAP ||
471 t == PTR_TO_MAP_VALUE ||
472 t == PTR_TO_MAP_VALUE_OR_NULL)
61bd5218 473 verbose(env, ",ks=%d,vs=%d",
f1174f77
EC		 474 reg->map_ptr->key_size,
475 reg->map_ptr->value_size);
7d1238f2
EC		 476 if (tnum_is_const(reg->var_off)) {
477 /* Typically an immediate SCALAR_VALUE, but
478 * could be a pointer whose offset is too big
479 * for reg->off
480 */
61bd5218 481 verbose(env, ",imm=%llx", reg->var_off.value);
7d1238f2
EC		 482 } else {
483 if (reg->smin_value != reg->umin_value &&
484 reg->smin_value != S64_MIN)
61bd5218 485 verbose(env, ",smin_value=%lld",
7d1238f2
EC		 486 (long long)reg->smin_value);
487 if (reg->smax_value != reg->umax_value &&
488 reg->smax_value != S64_MAX)
61bd5218 489 verbose(env, ",smax_value=%lld",
7d1238f2
EC		 490 (long long)reg->smax_value);
491 if (reg->umin_value != 0)
61bd5218 492 verbose(env, ",umin_value=%llu",
7d1238f2
EC		 493 (unsigned long long)reg->umin_value);
494 if (reg->umax_value != U64_MAX)
61bd5218 495 verbose(env, ",umax_value=%llu",
7d1238f2
EC		 496 (unsigned long long)reg->umax_value);
497 if (!tnum_is_unknown(reg->var_off)) {
498 char tn_buf[48];
f1174f77 499
7d1238f2 500 tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
61bd5218 501 verbose(env, ",var_off=%s", tn_buf);
7d1238f2 502 }
f1174f77 503 }
61bd5218 504 verbose(env, ")");
f1174f77 505 }
17a52670 506 }
638f5b90 507 for (i = 0; i < state->allocated_stack / BPF_REG_SIZE; i++) {
8efea21d
EC		 508 char types_buf[BPF_REG_SIZE + 1];
509 bool valid = false;
510 int j;
511
512 for (j = 0; j < BPF_REG_SIZE; j++) {
513 if (state->stack[i].slot_type[j] != STACK_INVALID)
514 valid = true;
515 types_buf[j] = slot_type_char[
516 state->stack[i].slot_type[j]];
517 }
518 types_buf[BPF_REG_SIZE] = 0;
519 if (!valid)
520 continue;
521 verbose(env, " fp%d", (-i - 1) * BPF_REG_SIZE);
522 print_liveness(env, state->stack[i].spilled_ptr.live);
523 if (state->stack[i].slot_type[0] == STACK_SPILL)
4e92024a 524 verbose(env, "=%s",
638f5b90 525 reg_type_str[state->stack[i].spilled_ptr.type]);
8efea21d
EC		 526 else
527 verbose(env, "=%s", types_buf);
17a52670 528 }
fd978bf7
JS		 529 if (state->acquired_refs && state->refs[0].id) {
530 verbose(env, " refs=%d", state->refs[0].id);
531 for (i = 1; i < state->acquired_refs; i++)
532 if (state->refs[i].id)
533 verbose(env, ",%d", state->refs[i].id);
534 }
61bd5218 535 verbose(env, "\n");
17a52670
AS		 536}
537
84dbf350
JS		 538#define COPY_STATE_FN(NAME, COUNT, FIELD, SIZE) \
539static int copy_##NAME##_state(struct bpf_func_state *dst, \
540 const struct bpf_func_state *src) \
541{ \
542 if (!src->FIELD) \
543 return 0; \
544 if (WARN_ON_ONCE(dst->COUNT < src->COUNT)) { \
545 /* internal bug, make state invalid to reject the program */ \
546 memset(dst, 0, sizeof(*dst)); \
547 return -EFAULT; \
548 } \
549 memcpy(dst->FIELD, src->FIELD, \
550 sizeof(*src->FIELD) * (src->COUNT / SIZE)); \
551 return 0; \
638f5b90 552}
fd978bf7
JS		 553/* copy_reference_state() */
554COPY_STATE_FN(reference, acquired_refs, refs, 1)
84dbf350
JS		 555/* copy_stack_state() */
556COPY_STATE_FN(stack, allocated_stack, stack, BPF_REG_SIZE)
557#undef COPY_STATE_FN
558
559#define REALLOC_STATE_FN(NAME, COUNT, FIELD, SIZE) \
560static int realloc_##NAME##_state(struct bpf_func_state *state, int size, \
561 bool copy_old) \
562{ \
563 u32 old_size = state->COUNT; \
564 struct bpf_##NAME##_state *new_##FIELD; \
565 int slot = size / SIZE; \
566 \
567 if (size <= old_size || !size) { \
568 if (copy_old) \
569 return 0; \
570 state->COUNT = slot * SIZE; \
571 if (!size && old_size) { \
572 kfree(state->FIELD); \
573 state->FIELD = NULL; \
574 } \
575 return 0; \
576 } \
577 new_##FIELD = kmalloc_array(slot, sizeof(struct bpf_##NAME##_state), \
578 GFP_KERNEL); \
579 if (!new_##FIELD) \
580 return -ENOMEM; \
581 if (copy_old) { \
582 if (state->FIELD) \
583 memcpy(new_##FIELD, state->FIELD, \
584 sizeof(*new_##FIELD) * (old_size / SIZE)); \
585 memset(new_##FIELD + old_size / SIZE, 0, \
586 sizeof(*new_##FIELD) * (size - old_size) / SIZE); \
587 } \
588 state->COUNT = slot * SIZE; \
589 kfree(state->FIELD); \
590 state->FIELD = new_##FIELD; \
591 return 0; \
592}
fd978bf7
JS		 593/* realloc_reference_state() */
594REALLOC_STATE_FN(reference, acquired_refs, refs, 1)
84dbf350
JS		 595/* realloc_stack_state() */
596REALLOC_STATE_FN(stack, allocated_stack, stack, BPF_REG_SIZE)
597#undef REALLOC_STATE_FN
638f5b90
AS		 598
599/* do_check() starts with zero-sized stack in struct bpf_verifier_state to
600 * make it consume minimal amount of memory. check_stack_write() access from
f4d7e40a 601 * the program calls into realloc_func_state() to grow the stack size.
84dbf350
JS		 602 * Note there is a non-zero 'parent' pointer inside bpf_verifier_state
603 * which realloc_stack_state() copies over. It points to previous
604 * bpf_verifier_state which is never reallocated.
638f5b90 605 */
fd978bf7
JS		 606static int realloc_func_state(struct bpf_func_state *state, int stack_size,
607 int refs_size, bool copy_old)
638f5b90 608{
fd978bf7
JS		 609 int err = realloc_reference_state(state, refs_size, copy_old);
610 if (err)
611 return err;
612 return realloc_stack_state(state, stack_size, copy_old);
613}
614
615/* Acquire a pointer id from the env and update the state->refs to include
616 * this new pointer reference.
617 * On success, returns a valid pointer id to associate with the register
618 * On failure, returns a negative errno.
638f5b90 619 */
fd978bf7 620static int acquire_reference_state(struct bpf_verifier_env *env, int insn_idx)
638f5b90 621{
fd978bf7
JS		 622 struct bpf_func_state *state = cur_func(env);
623 int new_ofs = state->acquired_refs;
624 int id, err;
625
626 err = realloc_reference_state(state, state->acquired_refs + 1, true);
627 if (err)
628 return err;
629 id = ++env->id_gen;
630 state->refs[new_ofs].id = id;
631 state->refs[new_ofs].insn_idx = insn_idx;
638f5b90 632
fd978bf7
JS		 633 return id;
634}
635
636/* release function corresponding to acquire_reference_state(). Idempotent. */
46f8bc92 637static int release_reference_state(struct bpf_func_state *state, int ptr_id)
fd978bf7
JS		 638{
639 int i, last_idx;
640
fd978bf7
JS		 641 last_idx = state->acquired_refs - 1;
642 for (i = 0; i < state->acquired_refs; i++) {
643 if (state->refs[i].id == ptr_id) {
644 if (last_idx && i != last_idx)
645 memcpy(&state->refs[i], &state->refs[last_idx],
646 sizeof(*state->refs));
647 memset(&state->refs[last_idx], 0, sizeof(*state->refs));
648 state->acquired_refs--;
638f5b90 649 return 0;
638f5b90 650 }
638f5b90 651 }
46f8bc92 652 return -EINVAL;
fd978bf7
JS		 653}
654
655static int transfer_reference_state(struct bpf_func_state *dst,
656 struct bpf_func_state *src)
657{
658 int err = realloc_reference_state(dst, src->acquired_refs, false);
659 if (err)
660 return err;
661 err = copy_reference_state(dst, src);
662 if (err)
663 return err;
638f5b90
AS		 664 return 0;
665}
666
f4d7e40a
AS		 667static void free_func_state(struct bpf_func_state *state)
668{
5896351e
AS		 669 if (!state)
670 return;
fd978bf7 671 kfree(state->refs);
f4d7e40a
AS		 672 kfree(state->stack);
673 kfree(state);
674}
675
1969db47
AS		 676static void free_verifier_state(struct bpf_verifier_state *state,
677 bool free_self)
638f5b90 678{
f4d7e40a
AS		 679 int i;
680
681 for (i = 0; i <= state->curframe; i++) {
682 free_func_state(state->frame[i]);
683 state->frame[i] = NULL;
684 }
1969db47
AS		 685 if (free_self)
686 kfree(state);
638f5b90
AS		 687}
688
689/* copy verifier state from src to dst growing dst stack space
690 * when necessary to accommodate larger src stack
691 */
f4d7e40a
AS		 692static int copy_func_state(struct bpf_func_state *dst,
693 const struct bpf_func_state *src)
638f5b90
AS		 694{
695 int err;
696
fd978bf7
JS		 697 err = realloc_func_state(dst, src->allocated_stack, src->acquired_refs,
698 false);
699 if (err)
700 return err;
701 memcpy(dst, src, offsetof(struct bpf_func_state, acquired_refs));
702 err = copy_reference_state(dst, src);
638f5b90
AS		 703 if (err)
704 return err;
638f5b90
AS		 705 return copy_stack_state(dst, src);
706}
707
f4d7e40a
AS		 708static int copy_verifier_state(struct bpf_verifier_state *dst_state,
709 const struct bpf_verifier_state *src)
710{
711 struct bpf_func_state *dst;
712 int i, err;
713
714 /* if dst has more stack frames then src frame, free them */
715 for (i = src->curframe + 1; i <= dst_state->curframe; i++) {
716 free_func_state(dst_state->frame[i]);
717 dst_state->frame[i] = NULL;
718 }
979d63d5 719 dst_state->speculative = src->speculative;
f4d7e40a 720 dst_state->curframe = src->curframe;
d83525ca 721 dst_state->active_spin_lock = src->active_spin_lock;
f4d7e40a
AS		 722 for (i = 0; i <= src->curframe; i++) {
723 dst = dst_state->frame[i];
724 if (!dst) {
725 dst = kzalloc(sizeof(*dst), GFP_KERNEL);
726 if (!dst)
727 return -ENOMEM;
728 dst_state->frame[i] = dst;
729 }
730 err = copy_func_state(dst, src->frame[i]);
731 if (err)
732 return err;
733 }
734 return 0;
735}
736
638f5b90
AS		 737static int pop_stack(struct bpf_verifier_env *env, int *prev_insn_idx,
738 int *insn_idx)
739{
740 struct bpf_verifier_state *cur = env->cur_state;
741 struct bpf_verifier_stack_elem *elem, *head = env->head;
742 int err;
17a52670
AS		 743
744 if (env->head == NULL)
638f5b90 745 return -ENOENT;
17a52670 746
638f5b90
AS		 747 if (cur) {
748 err = copy_verifier_state(cur, &head->st);
749 if (err)
750 return err;
751 }
752 if (insn_idx)
753 *insn_idx = head->insn_idx;
17a52670 754 if (prev_insn_idx)
638f5b90
AS		 755 *prev_insn_idx = head->prev_insn_idx;
756 elem = head->next;
1969db47 757 free_verifier_state(&head->st, false);
638f5b90 758 kfree(head);
17a52670
AS		 759 env->head = elem;
760 env->stack_size--;
638f5b90 761 return 0;
17a52670
AS		 762}
763
58e2af8b 764static struct bpf_verifier_state *push_stack(struct bpf_verifier_env *env,
979d63d5
DB		 765 int insn_idx, int prev_insn_idx,
766 bool speculative)
17a52670 767{
638f5b90 768 struct bpf_verifier_state *cur = env->cur_state;
58e2af8b 769 struct bpf_verifier_stack_elem *elem;
638f5b90 770 int err;
17a52670 771
638f5b90 772 elem = kzalloc(sizeof(struct bpf_verifier_stack_elem), GFP_KERNEL);
17a52670
AS		 773 if (!elem)
774 goto err;
775
17a52670
AS		 776 elem->insn_idx = insn_idx;
777 elem->prev_insn_idx = prev_insn_idx;
778 elem->next = env->head;
779 env->head = elem;
780 env->stack_size++;
1969db47
AS		 781 err = copy_verifier_state(&elem->st, cur);
782 if (err)
783 goto err;
979d63d5 784 elem->st.speculative |= speculative;
07016151 785 if (env->stack_size > BPF_COMPLEXITY_LIMIT_STACK) {
61bd5218 786 verbose(env, "BPF program is too complex\n");
17a52670
AS		 787 goto err;
788 }
789 return &elem->st;
790err:
5896351e
AS		 791 free_verifier_state(env->cur_state, true);
792 env->cur_state = NULL;
17a52670 793 /* pop all elements and return */
638f5b90 794 while (!pop_stack(env, NULL, NULL));
17a52670
AS		 795 return NULL;
796}
797
798#define CALLER_SAVED_REGS 6
799static const int caller_saved[CALLER_SAVED_REGS] = {
800 BPF_REG_0, BPF_REG_1, BPF_REG_2, BPF_REG_3, BPF_REG_4, BPF_REG_5
801};
802
f1174f77
EC		 803static void __mark_reg_not_init(struct bpf_reg_state *reg);
804
b03c9f9f
EC		 805/* Mark the unknown part of a register (variable offset or scalar value) as
806 * known to have the value @imm.
807 */
808static void __mark_reg_known(struct bpf_reg_state *reg, u64 imm)
809{
a9c676bc
AS		 810 /* Clear id, off, and union(map_ptr, range) */
811 memset(((u8 *)reg) + sizeof(reg->type), 0,
812 offsetof(struct bpf_reg_state, var_off) - sizeof(reg->type));
b03c9f9f
EC		 813 reg->var_off = tnum_const(imm);
814 reg->smin_value = (s64)imm;
815 reg->smax_value = (s64)imm;
816 reg->umin_value = imm;
817 reg->umax_value = imm;
818}
819
f1174f77
EC		 820/* Mark the 'variable offset' part of a register as zero. This should be
821 * used only on registers holding a pointer type.
822 */
823static void __mark_reg_known_zero(struct bpf_reg_state *reg)
a9789ef9 824{
b03c9f9f 825 __mark_reg_known(reg, 0);
f1174f77 826}
a9789ef9 827
cc2b14d5
AS		 828static void __mark_reg_const_zero(struct bpf_reg_state *reg)
829{
830 __mark_reg_known(reg, 0);
cc2b14d5
AS		 831 reg->type = SCALAR_VALUE;
832}
833
61bd5218
JK		 834static void mark_reg_known_zero(struct bpf_verifier_env *env,
835 struct bpf_reg_state *regs, u32 regno)
f1174f77
EC		 836{
837 if (WARN_ON(regno >= MAX_BPF_REG)) {
61bd5218 838 verbose(env, "mark_reg_known_zero(regs, %u)\n", regno);
f1174f77
EC		 839 /* Something bad happened, let's kill all regs */
840 for (regno = 0; regno < MAX_BPF_REG; regno++)
841 __mark_reg_not_init(regs + regno);
842 return;
843 }
844 __mark_reg_known_zero(regs + regno);
845}
846
de8f3a83
DB		 847static bool reg_is_pkt_pointer(const struct bpf_reg_state *reg)
848{
849 return type_is_pkt_pointer(reg->type);
850}
851
852static bool reg_is_pkt_pointer_any(const struct bpf_reg_state *reg)
853{
854 return reg_is_pkt_pointer(reg) ||
855 reg->type == PTR_TO_PACKET_END;
856}
857
858/* Unmodified PTR_TO_PACKET[_META,_END] register from ctx access. */
859static bool reg_is_init_pkt_pointer(const struct bpf_reg_state *reg,
860 enum bpf_reg_type which)
861{
862 /* The register can already have a range from prior markings.
863 * This is fine as long as it hasn't been advanced from its
864 * origin.
865 */
866 return reg->type == which &&
867 reg->id == 0 &&
868 reg->off == 0 &&
869 tnum_equals_const(reg->var_off, 0);
870}
871
b03c9f9f
EC		 872/* Attempts to improve min/max values based on var_off information */
873static void __update_reg_bounds(struct bpf_reg_state *reg)
874{
875 /* min signed is max(sign bit) | min(other bits) */
876 reg->smin_value = max_t(s64, reg->smin_value,
877 reg->var_off.value | (reg->var_off.mask & S64_MIN));
878 /* max signed is min(sign bit) | max(other bits) */
879 reg->smax_value = min_t(s64, reg->smax_value,
880 reg->var_off.value | (reg->var_off.mask & S64_MAX));
881 reg->umin_value = max(reg->umin_value, reg->var_off.value);
882 reg->umax_value = min(reg->umax_value,
883 reg->var_off.value | reg->var_off.mask);
884}
885
886/* Uses signed min/max values to inform unsigned, and vice-versa */
887static void __reg_deduce_bounds(struct bpf_reg_state *reg)
888{
889 /* Learn sign from signed bounds.
890 * If we cannot cross the sign boundary, then signed and unsigned bounds
891 * are the same, so combine. This works even in the negative case, e.g.
892 * -3 s<= x s<= -1 implies 0xf...fd u<= x u<= 0xf...ff.
893 */
894 if (reg->smin_value >= 0 || reg->smax_value < 0) {
895 reg->smin_value = reg->umin_value = max_t(u64, reg->smin_value,
896 reg->umin_value);
897 reg->smax_value = reg->umax_value = min_t(u64, reg->smax_value,
898 reg->umax_value);
899 return;
900 }
901 /* Learn sign from unsigned bounds. Signed bounds cross the sign
902 * boundary, so we must be careful.
903 */
904 if ((s64)reg->umax_value >= 0) {
905 /* Positive. We can't learn anything from the smin, but smax
906 * is positive, hence safe.
907 */
908 reg->smin_value = reg->umin_value;
909 reg->smax_value = reg->umax_value = min_t(u64, reg->smax_value,
910 reg->umax_value);
911 } else if ((s64)reg->umin_value < 0) {
912 /* Negative. We can't learn anything from the smax, but smin
913 * is negative, hence safe.
914 */
915 reg->smin_value = reg->umin_value = max_t(u64, reg->smin_value,
916 reg->umin_value);
917 reg->smax_value = reg->umax_value;
918 }
919}
920
921/* Attempts to improve var_off based on unsigned min/max information */
922static void __reg_bound_offset(struct bpf_reg_state *reg)
923{
924 reg->var_off = tnum_intersect(reg->var_off,
925 tnum_range(reg->umin_value,
926 reg->umax_value));
927}
928
929/* Reset the min/max bounds of a register */
930static void __mark_reg_unbounded(struct bpf_reg_state *reg)
931{
932 reg->smin_value = S64_MIN;
933 reg->smax_value = S64_MAX;
934 reg->umin_value = 0;
935 reg->umax_value = U64_MAX;
936}
937
f1174f77
EC		 938/* Mark a register as having a completely unknown (scalar) value. */
939static void __mark_reg_unknown(struct bpf_reg_state *reg)
940{
a9c676bc
AS		 941 /*
942 * Clear type, id, off, and union(map_ptr, range) and
943 * padding between 'type' and union
944 */
945 memset(reg, 0, offsetof(struct bpf_reg_state, var_off));
f1174f77 946 reg->type = SCALAR_VALUE;
f1174f77 947 reg->var_off = tnum_unknown;
f4d7e40a 948 reg->frameno = 0;
b03c9f9f 949 __mark_reg_unbounded(reg);
f1174f77
EC		 950}
951
61bd5218
JK		 952static void mark_reg_unknown(struct bpf_verifier_env *env,
953 struct bpf_reg_state *regs, u32 regno)
f1174f77
EC		 954{
955 if (WARN_ON(regno >= MAX_BPF_REG)) {
61bd5218 956 verbose(env, "mark_reg_unknown(regs, %u)\n", regno);
19ceb417
AS		 957 /* Something bad happened, let's kill all regs except FP */
958 for (regno = 0; regno < BPF_REG_FP; regno++)
f1174f77
EC		 959 __mark_reg_not_init(regs + regno);
960 return;
961 }
962 __mark_reg_unknown(regs + regno);
963}
964
965static void __mark_reg_not_init(struct bpf_reg_state *reg)
966{
967 __mark_reg_unknown(reg);
968 reg->type = NOT_INIT;
969}
970
61bd5218
JK		 971static void mark_reg_not_init(struct bpf_verifier_env *env,
972 struct bpf_reg_state *regs, u32 regno)
f1174f77
EC		 973{
974 if (WARN_ON(regno >= MAX_BPF_REG)) {
61bd5218 975 verbose(env, "mark_reg_not_init(regs, %u)\n", regno);
19ceb417
AS		 976 /* Something bad happened, let's kill all regs except FP */
977 for (regno = 0; regno < BPF_REG_FP; regno++)
f1174f77
EC		 978 __mark_reg_not_init(regs + regno);
979 return;
980 }
981 __mark_reg_not_init(regs + regno);
a9789ef9
DB		 982}
983
61bd5218 984static void init_reg_state(struct bpf_verifier_env *env,
f4d7e40a 985 struct bpf_func_state *state)
17a52670 986{
f4d7e40a 987 struct bpf_reg_state *regs = state->regs;
17a52670
AS		 988 int i;
989
dc503a8a 990 for (i = 0; i < MAX_BPF_REG; i++) {
61bd5218 991 mark_reg_not_init(env, regs, i);
dc503a8a 992 regs[i].live = REG_LIVE_NONE;
679c782d 993 regs[i].parent = NULL;
dc503a8a 994 }
17a52670
AS		 995
996 /* frame pointer */
f1174f77 997 regs[BPF_REG_FP].type = PTR_TO_STACK;
61bd5218 998 mark_reg_known_zero(env, regs, BPF_REG_FP);
f4d7e40a 999 regs[BPF_REG_FP].frameno = state->frameno;
17a52670
AS		 1000
1001 /* 1st arg to a function */
1002 regs[BPF_REG_1].type = PTR_TO_CTX;
61bd5218 1003 mark_reg_known_zero(env, regs, BPF_REG_1);
6760bf2d
DB		 1004}
1005
f4d7e40a
AS		 1006#define BPF_MAIN_FUNC (-1)
1007static void init_func_state(struct bpf_verifier_env *env,
1008 struct bpf_func_state *state,
1009 int callsite, int frameno, int subprogno)
1010{
1011 state->callsite = callsite;
1012 state->frameno = frameno;
1013 state->subprogno = subprogno;
1014 init_reg_state(env, state);
1015}
1016
17a52670
AS		 1017enum reg_arg_type {
1018 SRC_OP, /* register is used as source operand */
1019 DST_OP, /* register is used as destination operand */
1020 DST_OP_NO_MARK /* same as above, check only, don't mark */
1021};
1022
cc8b0b92
AS		 1023static int cmp_subprogs(const void *a, const void *b)
1024{
9c8105bd
JW		 1025 return ((struct bpf_subprog_info *)a)->start -
1026 ((struct bpf_subprog_info *)b)->start;
cc8b0b92
AS		 1027}
1028
1029static int find_subprog(struct bpf_verifier_env *env, int off)
1030{
9c8105bd 1031 struct bpf_subprog_info *p;
cc8b0b92 1032
9c8105bd
JW		 1033 p = bsearch(&off, env->subprog_info, env->subprog_cnt,
1034 sizeof(env->subprog_info[0]), cmp_subprogs);
cc8b0b92
AS		 1035 if (!p)
1036 return -ENOENT;
9c8105bd 1037 return p - env->subprog_info;
cc8b0b92
AS		 1038
1039}
1040
1041static int add_subprog(struct bpf_verifier_env *env, int off)
1042{
1043 int insn_cnt = env->prog->len;
1044 int ret;
1045
1046 if (off >= insn_cnt || off < 0) {
1047 verbose(env, "call to invalid destination\n");
1048 return -EINVAL;
1049 }
1050 ret = find_subprog(env, off);
1051 if (ret >= 0)
1052 return 0;
4cb3d99c 1053 if (env->subprog_cnt >= BPF_MAX_SUBPROGS) {
cc8b0b92
AS		 1054 verbose(env, "too many subprograms\n");
1055 return -E2BIG;
1056 }
9c8105bd
JW		 1057 env->subprog_info[env->subprog_cnt++].start = off;
1058 sort(env->subprog_info, env->subprog_cnt,
1059 sizeof(env->subprog_info[0]), cmp_subprogs, NULL);
cc8b0b92
AS		 1060 return 0;
1061}
1062
1063static int check_subprogs(struct bpf_verifier_env *env)
1064{
1065 int i, ret, subprog_start, subprog_end, off, cur_subprog = 0;
9c8105bd 1066 struct bpf_subprog_info *subprog = env->subprog_info;
cc8b0b92
AS		 1067 struct bpf_insn *insn = env->prog->insnsi;
1068 int insn_cnt = env->prog->len;
1069
f910cefa
JW		 1070 /* Add entry function. */
1071 ret = add_subprog(env, 0);
1072 if (ret < 0)
1073 return ret;
1074
cc8b0b92
AS		 1075 /* determine subprog starts. The end is one before the next starts */
1076 for (i = 0; i < insn_cnt; i++) {
1077 if (insn[i].code != (BPF_JMP | BPF_CALL))
1078 continue;
1079 if (insn[i].src_reg != BPF_PSEUDO_CALL)
1080 continue;
1081 if (!env->allow_ptr_leaks) {
1082 verbose(env, "function calls to other bpf functions are allowed for root only\n");
1083 return -EPERM;
1084 }
cc8b0b92
AS		 1085 ret = add_subprog(env, i + insn[i].imm + 1);
1086 if (ret < 0)
1087 return ret;
1088 }
1089
4cb3d99c
JW		 1090 /* Add a fake 'exit' subprog which could simplify subprog iteration
1091 * logic. 'subprog_cnt' should not be increased.
1092 */
1093 subprog[env->subprog_cnt].start = insn_cnt;
1094
06ee7115 1095 if (env->log.level & BPF_LOG_LEVEL2)
cc8b0b92 1096 for (i = 0; i < env->subprog_cnt; i++)
9c8105bd 1097 verbose(env, "func#%d @%d\n", i, subprog[i].start);
cc8b0b92
AS		 1098
1099 /* now check that all jumps are within the same subprog */
4cb3d99c
JW		 1100 subprog_start = subprog[cur_subprog].start;
1101 subprog_end = subprog[cur_subprog + 1].start;
cc8b0b92
AS		 1102 for (i = 0; i < insn_cnt; i++) {
1103 u8 code = insn[i].code;
1104
092ed096 1105 if (BPF_CLASS(code) != BPF_JMP && BPF_CLASS(code) != BPF_JMP32)
cc8b0b92
AS		 1106 goto next;
1107 if (BPF_OP(code) == BPF_EXIT || BPF_OP(code) == BPF_CALL)
1108 goto next;
1109 off = i + insn[i].off + 1;
1110 if (off < subprog_start || off >= subprog_end) {
1111 verbose(env, "jump out of range from insn %d to %d\n", i, off);
1112 return -EINVAL;
1113 }
1114next:
1115 if (i == subprog_end - 1) {
1116 /* to avoid fall-through from one subprog into another
1117 * the last insn of the subprog should be either exit
1118 * or unconditional jump back
1119 */
1120 if (code != (BPF_JMP | BPF_EXIT) &&
1121 code != (BPF_JMP | BPF_JA)) {
1122 verbose(env, "last insn is not an exit or jmp\n");
1123 return -EINVAL;
1124 }
1125 subprog_start = subprog_end;
4cb3d99c
JW		 1126 cur_subprog++;
1127 if (cur_subprog < env->subprog_cnt)
9c8105bd 1128 subprog_end = subprog[cur_subprog + 1].start;
cc8b0b92
AS		 1129 }
1130 }
1131 return 0;
1132}
1133
679c782d
EC		 1134/* Parentage chain of this register (or stack slot) should take care of all
1135 * issues like callee-saved registers, stack slot allocation time, etc.
1136 */
f4d7e40a 1137static int mark_reg_read(struct bpf_verifier_env *env,
679c782d
EC		 1138 const struct bpf_reg_state *state,
1139 struct bpf_reg_state *parent)
f4d7e40a
AS		 1140{
1141 bool writes = parent == state->parent; /* Observe write marks */
06ee7115 1142 int cnt = 0;
dc503a8a
EC		 1143
1144 while (parent) {
1145 /* if read wasn't screened by an earlier write ... */
679c782d 1146 if (writes && state->live & REG_LIVE_WRITTEN)
dc503a8a 1147 break;
9242b5f5
AS		 1148 if (parent->live & REG_LIVE_DONE) {
1149 verbose(env, "verifier BUG type %s var_off %lld off %d\n",
1150 reg_type_str[parent->type],
1151 parent->var_off.value, parent->off);
1152 return -EFAULT;
1153 }
25af32da
AS		 1154 if (parent->live & REG_LIVE_READ)
1155 /* The parentage chain never changes and
1156 * this parent was already marked as LIVE_READ.
1157 * There is no need to keep walking the chain again and
1158 * keep re-marking all parents as LIVE_READ.
1159 * This case happens when the same register is read
1160 * multiple times without writes into it in-between.
1161 */
1162 break;
dc503a8a 1163 /* ... then we depend on parent's value */
679c782d 1164 parent->live |= REG_LIVE_READ;
dc503a8a
EC		 1165 state = parent;
1166 parent = state->parent;
f4d7e40a 1167 writes = true;
06ee7115 1168 cnt++;
dc503a8a 1169 }
06ee7115
AS		 1170
1171 if (env->longest_mark_read_walk < cnt)
1172 env->longest_mark_read_walk = cnt;
f4d7e40a 1173 return 0;
dc503a8a
EC		 1174}
1175
1176static int check_reg_arg(struct bpf_verifier_env *env, u32 regno,
17a52670
AS		 1177 enum reg_arg_type t)
1178{
f4d7e40a
AS		 1179 struct bpf_verifier_state *vstate = env->cur_state;
1180 struct bpf_func_state *state = vstate->frame[vstate->curframe];
1181 struct bpf_reg_state *regs = state->regs;
dc503a8a 1182
17a52670 1183 if (regno >= MAX_BPF_REG) {
61bd5218 1184 verbose(env, "R%d is invalid\n", regno);
17a52670
AS		 1185 return -EINVAL;
1186 }
1187
1188 if (t == SRC_OP) {
1189 /* check whether register used as source operand can be read */
1190 if (regs[regno].type == NOT_INIT) {
61bd5218 1191 verbose(env, "R%d !read_ok\n", regno);
17a52670
AS		 1192 return -EACCES;
1193 }
679c782d
EC		 1194 /* We don't need to worry about FP liveness because it's read-only */
1195 if (regno != BPF_REG_FP)
1196 return mark_reg_read(env, &regs[regno],
1197 regs[regno].parent);
17a52670
AS		 1198 } else {
1199 /* check whether register used as dest operand can be written to */
1200 if (regno == BPF_REG_FP) {
61bd5218 1201 verbose(env, "frame pointer is read only\n");
17a52670
AS		 1202 return -EACCES;
1203 }
dc503a8a 1204 regs[regno].live |= REG_LIVE_WRITTEN;
17a52670 1205 if (t == DST_OP)
61bd5218 1206 mark_reg_unknown(env, regs, regno);
17a52670
AS		 1207 }
1208 return 0;
1209}
1210
1be7f75d
AS		 1211static bool is_spillable_regtype(enum bpf_reg_type type)
1212{
1213 switch (type) {
1214 case PTR_TO_MAP_VALUE:
1215 case PTR_TO_MAP_VALUE_OR_NULL:
1216 case PTR_TO_STACK:
1217 case PTR_TO_CTX:
969bf05e 1218 case PTR_TO_PACKET:
de8f3a83 1219 case PTR_TO_PACKET_META:
969bf05e 1220 case PTR_TO_PACKET_END:
d58e468b 1221 case PTR_TO_FLOW_KEYS:
1be7f75d 1222 case CONST_PTR_TO_MAP:
c64b7983
JS		 1223 case PTR_TO_SOCKET:
1224 case PTR_TO_SOCKET_OR_NULL:
46f8bc92
MKL		 1225 case PTR_TO_SOCK_COMMON:
1226 case PTR_TO_SOCK_COMMON_OR_NULL:
655a51e5
MKL		 1227 case PTR_TO_TCP_SOCK:
1228 case PTR_TO_TCP_SOCK_OR_NULL:
1be7f75d
AS		 1229 return true;
1230 default:
1231 return false;
1232 }
1233}
1234
cc2b14d5
AS		 1235/* Does this register contain a constant zero? */
1236static bool register_is_null(struct bpf_reg_state *reg)
1237{
1238 return reg->type == SCALAR_VALUE && tnum_equals_const(reg->var_off, 0);
1239}
1240
17a52670
AS		 1241/* check_stack_read/write functions track spill/fill of registers,
1242 * stack boundary and alignment are checked in check_mem_access()
1243 */
61bd5218 1244static int check_stack_write(struct bpf_verifier_env *env,
f4d7e40a 1245 struct bpf_func_state *state, /* func where register points to */
af86ca4e 1246 int off, int size, int value_regno, int insn_idx)
17a52670 1247{
f4d7e40a 1248 struct bpf_func_state *cur; /* state of the current function */
638f5b90 1249 int i, slot = -off - 1, spi = slot / BPF_REG_SIZE, err;
f4d7e40a 1250 enum bpf_reg_type type;
638f5b90 1251
f4d7e40a 1252 err = realloc_func_state(state, round_up(slot + 1, BPF_REG_SIZE),
fd978bf7 1253 state->acquired_refs, true);
638f5b90
AS		 1254 if (err)
1255 return err;
9c399760
AS		 1256 /* caller checked that off % size == 0 and -MAX_BPF_STACK <= off < 0,
1257 * so it's aligned access and [off, off + size) are within stack limits
1258 */
638f5b90
AS		 1259 if (!env->allow_ptr_leaks &&
1260 state->stack[spi].slot_type[0] == STACK_SPILL &&
1261 size != BPF_REG_SIZE) {
1262 verbose(env, "attempt to corrupt spilled pointer on stack\n");
1263 return -EACCES;
1264 }
17a52670 1265
f4d7e40a 1266 cur = env->cur_state->frame[env->cur_state->curframe];
17a52670 1267 if (value_regno >= 0 &&
f4d7e40a 1268 is_spillable_regtype((type = cur->regs[value_regno].type))) {
17a52670
AS		 1269
1270 /* register containing pointer is being spilled into stack */
9c399760 1271 if (size != BPF_REG_SIZE) {
61bd5218 1272 verbose(env, "invalid size of register spill\n");
17a52670
AS		 1273 return -EACCES;
1274 }
1275
f4d7e40a
AS		 1276 if (state != cur && type == PTR_TO_STACK) {
1277 verbose(env, "cannot spill pointers to stack into stack frame of the caller\n");
1278 return -EINVAL;
1279 }
1280
17a52670 1281 /* save register state */
f4d7e40a 1282 state->stack[spi].spilled_ptr = cur->regs[value_regno];
638f5b90 1283 state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN;
17a52670 1284
af86ca4e
AS		 1285 for (i = 0; i < BPF_REG_SIZE; i++) {
1286 if (state->stack[spi].slot_type[i] == STACK_MISC &&
1287 !env->allow_ptr_leaks) {
1288 int *poff = &env->insn_aux_data[insn_idx].sanitize_stack_off;
1289 int soff = (-spi - 1) * BPF_REG_SIZE;
1290
1291 /* detected reuse of integer stack slot with a pointer
1292 * which means either llvm is reusing stack slot or
1293 * an attacker is trying to exploit CVE-2018-3639
1294 * (speculative store bypass)
1295 * Have to sanitize that slot with preemptive
1296 * store of zero.
1297 */
1298 if (*poff && *poff != soff) {
1299 /* disallow programs where single insn stores
1300 * into two different stack slots, since verifier
1301 * cannot sanitize them
1302 */
1303 verbose(env,
1304 "insn %d cannot access two stack slots fp%d and fp%d",
1305 insn_idx, *poff, soff);
1306 return -EINVAL;
1307 }
1308 *poff = soff;
1309 }
638f5b90 1310 state->stack[spi].slot_type[i] = STACK_SPILL;
af86ca4e 1311 }
9c399760 1312 } else {
cc2b14d5
AS		 1313 u8 type = STACK_MISC;
1314
679c782d
EC		 1315 /* regular write of data into stack destroys any spilled ptr */
1316 state->stack[spi].spilled_ptr.type = NOT_INIT;
0bae2d4d
JW		 1317 /* Mark slots as STACK_MISC if they belonged to spilled ptr. */
1318 if (state->stack[spi].slot_type[0] == STACK_SPILL)
1319 for (i = 0; i < BPF_REG_SIZE; i++)
1320 state->stack[spi].slot_type[i] = STACK_MISC;
9c399760 1321
cc2b14d5
AS		 1322 /* only mark the slot as written if all 8 bytes were written
1323 * otherwise read propagation may incorrectly stop too soon
1324 * when stack slots are partially written.
1325 * This heuristic means that read propagation will be
1326 * conservative, since it will add reg_live_read marks
1327 * to stack slots all the way to first state when programs
1328 * writes+reads less than 8 bytes
1329 */
1330 if (size == BPF_REG_SIZE)
1331 state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN;
1332
1333 /* when we zero initialize stack slots mark them as such */
1334 if (value_regno >= 0 &&
1335 register_is_null(&cur->regs[value_regno]))
1336 type = STACK_ZERO;
1337
0bae2d4d 1338 /* Mark slots affected by this stack write. */
9c399760 1339 for (i = 0; i < size; i++)
638f5b90 1340 state->stack[spi].slot_type[(slot - i) % BPF_REG_SIZE] =
cc2b14d5 1341 type;
17a52670
AS		 1342 }
1343 return 0;
1344}
1345
61bd5218 1346static int check_stack_read(struct bpf_verifier_env *env,
f4d7e40a
AS		 1347 struct bpf_func_state *reg_state /* func where register points to */,
1348 int off, int size, int value_regno)
17a52670 1349{
f4d7e40a
AS		 1350 struct bpf_verifier_state *vstate = env->cur_state;
1351 struct bpf_func_state *state = vstate->frame[vstate->curframe];
638f5b90
AS		 1352 int i, slot = -off - 1, spi = slot / BPF_REG_SIZE;
1353 u8 *stype;
17a52670 1354
f4d7e40a 1355 if (reg_state->allocated_stack <= slot) {
638f5b90
AS		 1356 verbose(env, "invalid read from stack off %d+0 size %d\n",
1357 off, size);
1358 return -EACCES;
1359 }
f4d7e40a 1360 stype = reg_state->stack[spi].slot_type;
17a52670 1361
638f5b90 1362 if (stype[0] == STACK_SPILL) {
9c399760 1363 if (size != BPF_REG_SIZE) {
61bd5218 1364 verbose(env, "invalid size of register spill\n");
17a52670
AS		 1365 return -EACCES;
1366 }
9c399760 1367 for (i = 1; i < BPF_REG_SIZE; i++) {
638f5b90 1368 if (stype[(slot - i) % BPF_REG_SIZE] != STACK_SPILL) {
61bd5218 1369 verbose(env, "corrupted spill memory\n");
17a52670
AS		 1370 return -EACCES;
1371 }
1372 }
1373
dc503a8a 1374 if (value_regno >= 0) {
17a52670 1375 /* restore register state from stack */
f4d7e40a 1376 state->regs[value_regno] = reg_state->stack[spi].spilled_ptr;
2f18f62e
AS		 1377 /* mark reg as written since spilled pointer state likely
1378 * has its liveness marks cleared by is_state_visited()
1379 * which resets stack/reg liveness for state transitions
1380 */
1381 state->regs[value_regno].live |= REG_LIVE_WRITTEN;
dc503a8a 1382 }
679c782d
EC		 1383 mark_reg_read(env, &reg_state->stack[spi].spilled_ptr,
1384 reg_state->stack[spi].spilled_ptr.parent);
17a52670
AS		 1385 return 0;
1386 } else {
cc2b14d5
AS		 1387 int zeros = 0;
1388
17a52670 1389 for (i = 0; i < size; i++) {
cc2b14d5
AS		 1390 if (stype[(slot - i) % BPF_REG_SIZE] == STACK_MISC)
1391 continue;
1392 if (stype[(slot - i) % BPF_REG_SIZE] == STACK_ZERO) {
1393 zeros++;
1394 continue;
17a52670 1395 }
cc2b14d5
AS		 1396 verbose(env, "invalid read from stack off %d+%d size %d\n",
1397 off, i, size);
1398 return -EACCES;
1399 }
679c782d
EC		 1400 mark_reg_read(env, &reg_state->stack[spi].spilled_ptr,
1401 reg_state->stack[spi].spilled_ptr.parent);
cc2b14d5
AS		 1402 if (value_regno >= 0) {
1403 if (zeros == size) {
1404 /* any size read into register is zero extended,
1405 * so the whole register == const_zero
1406 */
1407 __mark_reg_const_zero(&state->regs[value_regno]);
1408 } else {
1409 /* have read misc data from the stack */
1410 mark_reg_unknown(env, state->regs, value_regno);
1411 }
1412 state->regs[value_regno].live |= REG_LIVE_WRITTEN;
17a52670 1413 }
17a52670
AS		 1414 return 0;
1415 }
1416}
1417
e4298d25
DB		 1418static int check_stack_access(struct bpf_verifier_env *env,
1419 const struct bpf_reg_state *reg,
1420 int off, int size)
1421{
1422 /* Stack accesses must be at a fixed offset, so that we
1423 * can determine what type of data were returned. See
1424 * check_stack_read().
1425 */
1426 if (!tnum_is_const(reg->var_off)) {
1427 char tn_buf[48];
1428
1429 tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
1430 verbose(env, "variable stack access var_off=%s off=%d size=%d",
1431 tn_buf, off, size);
1432 return -EACCES;
1433 }
1434
1435 if (off >= 0 || off < -MAX_BPF_STACK) {
1436 verbose(env, "invalid stack off=%d size=%d\n", off, size);
1437 return -EACCES;
1438 }
1439
1440 return 0;
1441}
1442
17a52670 1443/* check read/write into map element returned by bpf_map_lookup_elem() */
f1174f77 1444static int __check_map_access(struct bpf_verifier_env *env, u32 regno, int off,
9fd29c08 1445 int size, bool zero_size_allowed)
17a52670 1446{
638f5b90
AS		 1447 struct bpf_reg_state *regs = cur_regs(env);
1448 struct bpf_map *map = regs[regno].map_ptr;
17a52670 1449
9fd29c08
YS		 1450 if (off < 0 || size < 0 || (size == 0 && !zero_size_allowed) ||
1451 off + size > map->value_size) {
61bd5218 1452 verbose(env, "invalid access to map value, value_size=%d off=%d size=%d\n",
17a52670
AS		 1453 map->value_size, off, size);
1454 return -EACCES;
1455 }
1456 return 0;
1457}
1458
f1174f77
EC		 1459/* check read/write into a map element with possible variable offset */
1460static int check_map_access(struct bpf_verifier_env *env, u32 regno,
9fd29c08 1461 int off, int size, bool zero_size_allowed)
dbcfe5f7 1462{
f4d7e40a
AS		 1463 struct bpf_verifier_state *vstate = env->cur_state;
1464 struct bpf_func_state *state = vstate->frame[vstate->curframe];
dbcfe5f7
GB		 1465 struct bpf_reg_state *reg = &state->regs[regno];
1466 int err;
1467
f1174f77
EC		 1468 /* We may have adjusted the register to this map value, so we
1469 * need to try adding each of min_value and max_value to off
1470 * to make sure our theoretical access will be safe.
dbcfe5f7 1471 */
06ee7115 1472 if (env->log.level & BPF_LOG_LEVEL)
61bd5218 1473 print_verifier_state(env, state);
b7137c4e 1474
dbcfe5f7
GB		 1475 /* The minimum value is only important with signed
1476 * comparisons where we can't assume the floor of a
1477 * value is 0. If we are using signed variables for our
1478 * index'es we need to make sure that whatever we use
1479 * will have a set floor within our range.
1480 */
b7137c4e
DB		 1481 if (reg->smin_value < 0 &&
1482 (reg->smin_value == S64_MIN ||
1483 (off + reg->smin_value != (s64)(s32)(off + reg->smin_value)) ||
1484 reg->smin_value + off < 0)) {
61bd5218 1485 verbose(env, "R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n",
dbcfe5f7
GB		 1486 regno);
1487 return -EACCES;
1488 }
9fd29c08
YS		 1489 err = __check_map_access(env, regno, reg->smin_value + off, size,
1490 zero_size_allowed);
dbcfe5f7 1491 if (err) {
61bd5218
JK		 1492 verbose(env, "R%d min value is outside of the array range\n",
1493 regno);
dbcfe5f7
GB		 1494 return err;
1495 }
1496
b03c9f9f
EC		 1497 /* If we haven't set a max value then we need to bail since we can't be
1498 * sure we won't do bad things.
1499 * If reg->umax_value + off could overflow, treat that as unbounded too.
dbcfe5f7 1500 */
b03c9f9f 1501 if (reg->umax_value >= BPF_MAX_VAR_OFF) {
61bd5218 1502 verbose(env, "R%d unbounded memory access, make sure to bounds check any array access into a map\n",
dbcfe5f7
GB		 1503 regno);
1504 return -EACCES;
1505 }
9fd29c08
YS		 1506 err = __check_map_access(env, regno, reg->umax_value + off, size,
1507 zero_size_allowed);
f1174f77 1508 if (err)
61bd5218
JK		 1509 verbose(env, "R%d max value is outside of the array range\n",
1510 regno);
d83525ca
AS		 1511
1512 if (map_value_has_spin_lock(reg->map_ptr)) {
1513 u32 lock = reg->map_ptr->spin_lock_off;
1514
1515 /* if any part of struct bpf_spin_lock can be touched by
1516 * load/store reject this program.
1517 * To check that [x1, x2) overlaps with [y1, y2)
1518 * it is sufficient to check x1 < y2 && y1 < x2.
1519 */
1520 if (reg->smin_value + off < lock + sizeof(struct bpf_spin_lock) &&
1521 lock < reg->umax_value + off + size) {
1522 verbose(env, "bpf_spin_lock cannot be accessed directly by load/store\n");
1523 return -EACCES;
1524 }
1525 }
f1174f77 1526 return err;
dbcfe5f7
GB		 1527}
1528
969bf05e
AS		 1529#define MAX_PACKET_OFF 0xffff
1530
58e2af8b 1531static bool may_access_direct_pkt_data(struct bpf_verifier_env *env,
3a0af8fd
TG		 1532 const struct bpf_call_arg_meta *meta,
1533 enum bpf_access_type t)
4acf6c0b 1534{
36bbef52 1535 switch (env->prog->type) {
5d66fa7d 1536 /* Program types only with direct read access go here! */
3a0af8fd
TG		 1537 case BPF_PROG_TYPE_LWT_IN:
1538 case BPF_PROG_TYPE_LWT_OUT:
004d4b27 1539 case BPF_PROG_TYPE_LWT_SEG6LOCAL:
2dbb9b9e 1540 case BPF_PROG_TYPE_SK_REUSEPORT:
5d66fa7d 1541 case BPF_PROG_TYPE_FLOW_DISSECTOR:
d5563d36 1542 case BPF_PROG_TYPE_CGROUP_SKB:
3a0af8fd
TG		 1543 if (t == BPF_WRITE)
1544 return false;
7e57fbb2 1545 /* fallthrough */
5d66fa7d
DB		 1546
1547 /* Program types with direct read + write access go here! */
36bbef52
DB		 1548 case BPF_PROG_TYPE_SCHED_CLS:
1549 case BPF_PROG_TYPE_SCHED_ACT:
4acf6c0b 1550 case BPF_PROG_TYPE_XDP:
3a0af8fd 1551 case BPF_PROG_TYPE_LWT_XMIT:
8a31db56 1552 case BPF_PROG_TYPE_SK_SKB:
4f738adb 1553 case BPF_PROG_TYPE_SK_MSG:
36bbef52
DB		 1554 if (meta)
1555 return meta->pkt_access;
1556
1557 env->seen_direct_write = true;
4acf6c0b
BB		 1558 return true;
1559 default:
1560 return false;
1561 }
1562}
1563
f1174f77 1564static int __check_packet_access(struct bpf_verifier_env *env, u32 regno,
9fd29c08 1565 int off, int size, bool zero_size_allowed)
969bf05e 1566{
638f5b90 1567 struct bpf_reg_state *regs = cur_regs(env);
58e2af8b 1568 struct bpf_reg_state *reg = &regs[regno];
969bf05e 1569
9fd29c08
YS		 1570 if (off < 0 || size < 0 || (size == 0 && !zero_size_allowed) ||
1571 (u64)off + size > reg->range) {
61bd5218 1572 verbose(env, "invalid access to packet, off=%d size=%d, R%d(id=%d,off=%d,r=%d)\n",
d91b28ed 1573 off, size, regno, reg->id, reg->off, reg->range);
969bf05e
AS		 1574 return -EACCES;
1575 }
1576 return 0;
1577}
1578
f1174f77 1579static int check_packet_access(struct bpf_verifier_env *env, u32 regno, int off,
9fd29c08 1580 int size, bool zero_size_allowed)
f1174f77 1581{
638f5b90 1582 struct bpf_reg_state *regs = cur_regs(env);
f1174f77
EC		 1583 struct bpf_reg_state *reg = &regs[regno];
1584 int err;
1585
1586 /* We may have added a variable offset to the packet pointer; but any
1587 * reg->range we have comes after that. We are only checking the fixed
1588 * offset.
1589 */
1590
1591 /* We don't allow negative numbers, because we aren't tracking enough
1592 * detail to prove they're safe.
1593 */
b03c9f9f 1594 if (reg->smin_value < 0) {
61bd5218 1595 verbose(env, "R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n",
f1174f77
EC		 1596 regno);
1597 return -EACCES;
1598 }
9fd29c08 1599 err = __check_packet_access(env, regno, off, size, zero_size_allowed);
f1174f77 1600 if (err) {
61bd5218 1601 verbose(env, "R%d offset is outside of the packet\n", regno);
f1174f77
EC		 1602 return err;
1603 }
e647815a
JW		 1604
1605 /* __check_packet_access has made sure "off + size - 1" is within u16.
1606 * reg->umax_value can't be bigger than MAX_PACKET_OFF which is 0xffff,
1607 * otherwise find_good_pkt_pointers would have refused to set range info
1608 * that __check_packet_access would have rejected this pkt access.
1609 * Therefore, "off + reg->umax_value + size - 1" won't overflow u32.
1610 */
1611 env->prog->aux->max_pkt_offset =
1612 max_t(u32, env->prog->aux->max_pkt_offset,
1613 off + reg->umax_value + size - 1);
1614
f1174f77
EC		 1615 return err;
1616}
1617
1618/* check access to 'struct bpf_context' fields. Supports fixed offsets only */
31fd8581 1619static int check_ctx_access(struct bpf_verifier_env *env, int insn_idx, int off, int size,
19de99f7 1620 enum bpf_access_type t, enum bpf_reg_type *reg_type)
17a52670 1621{
f96da094
DB		 1622 struct bpf_insn_access_aux info = {
1623 .reg_type = *reg_type,
1624 };
31fd8581 1625
4f9218aa 1626 if (env->ops->is_valid_access &&
5e43f899 1627 env->ops->is_valid_access(off, size, t, env->prog, &info)) {
f96da094
DB		 1628 /* A non zero info.ctx_field_size indicates that this field is a
1629 * candidate for later verifier transformation to load the whole
1630 * field and then apply a mask when accessed with a narrower
1631 * access than actual ctx access size. A zero info.ctx_field_size
1632 * will only allow for whole field access and rejects any other
1633 * type of narrower access.
31fd8581 1634 */
23994631 1635 *reg_type = info.reg_type;
31fd8581 1636
4f9218aa 1637 env->insn_aux_data[insn_idx].ctx_field_size = info.ctx_field_size;
32bbe007
AS		 1638 /* remember the offset of last byte accessed in ctx */
1639 if (env->prog->aux->max_ctx_offset < off + size)
1640 env->prog->aux->max_ctx_offset = off + size;
17a52670 1641 return 0;
32bbe007 1642 }
17a52670 1643
61bd5218 1644 verbose(env, "invalid bpf_context access off=%d size=%d\n", off, size);
17a52670
AS		 1645 return -EACCES;
1646}
1647
d58e468b
PP		 1648static int check_flow_keys_access(struct bpf_verifier_env *env, int off,
1649 int size)
1650{
1651 if (size < 0 || off < 0 ||
1652 (u64)off + size > sizeof(struct bpf_flow_keys)) {
1653 verbose(env, "invalid access to flow keys off=%d size=%d\n",
1654 off, size);
1655 return -EACCES;
1656 }
1657 return 0;
1658}
1659
5f456649
MKL		 1660static int check_sock_access(struct bpf_verifier_env *env, int insn_idx,
1661 u32 regno, int off, int size,
1662 enum bpf_access_type t)
c64b7983
JS		 1663{
1664 struct bpf_reg_state *regs = cur_regs(env);
1665 struct bpf_reg_state *reg = &regs[regno];
5f456649 1666 struct bpf_insn_access_aux info = {};
46f8bc92 1667 bool valid;
c64b7983
JS		 1668
1669 if (reg->smin_value < 0) {
1670 verbose(env, "R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n",
1671 regno);
1672 return -EACCES;
1673 }
1674
46f8bc92
MKL		 1675 switch (reg->type) {
1676 case PTR_TO_SOCK_COMMON:
1677 valid = bpf_sock_common_is_valid_access(off, size, t, &info);
1678 break;
1679 case PTR_TO_SOCKET:
1680 valid = bpf_sock_is_valid_access(off, size, t, &info);
1681 break;
655a51e5
MKL		 1682 case PTR_TO_TCP_SOCK:
1683 valid = bpf_tcp_sock_is_valid_access(off, size, t, &info);
1684 break;
46f8bc92
MKL		 1685 default:
1686 valid = false;
c64b7983
JS		 1687 }
1688
5f456649 1689
46f8bc92
MKL		 1690 if (valid) {
1691 env->insn_aux_data[insn_idx].ctx_field_size =
1692 info.ctx_field_size;
1693 return 0;
1694 }
1695
1696 verbose(env, "R%d invalid %s access off=%d size=%d\n",
1697 regno, reg_type_str[reg->type], off, size);
1698
1699 return -EACCES;
c64b7983
JS		 1700}
1701
4cabc5b1
DB		 1702static bool __is_pointer_value(bool allow_ptr_leaks,
1703 const struct bpf_reg_state *reg)
1be7f75d 1704{
4cabc5b1 1705 if (allow_ptr_leaks)
1be7f75d
AS		 1706 return false;
1707
f1174f77 1708 return reg->type != SCALAR_VALUE;
1be7f75d
AS		 1709}
1710
2a159c6f
DB		 1711static struct bpf_reg_state *reg_state(struct bpf_verifier_env *env, int regno)
1712{
1713 return cur_regs(env) + regno;
1714}
1715
4cabc5b1
DB		 1716static bool is_pointer_value(struct bpf_verifier_env *env, int regno)
1717{
2a159c6f 1718 return __is_pointer_value(env->allow_ptr_leaks, reg_state(env, regno));
4cabc5b1
DB		 1719}
1720
f37a8cb8
DB		 1721static bool is_ctx_reg(struct bpf_verifier_env *env, int regno)
1722{
2a159c6f 1723 const struct bpf_reg_state *reg = reg_state(env, regno);
f37a8cb8 1724
46f8bc92
MKL		 1725 return reg->type == PTR_TO_CTX;
1726}
1727
1728static bool is_sk_reg(struct bpf_verifier_env *env, int regno)
1729{
1730 const struct bpf_reg_state *reg = reg_state(env, regno);
1731
1732 return type_is_sk_pointer(reg->type);
f37a8cb8
DB		 1733}
1734
ca369602
DB		 1735static bool is_pkt_reg(struct bpf_verifier_env *env, int regno)
1736{
2a159c6f 1737 const struct bpf_reg_state *reg = reg_state(env, regno);
ca369602
DB		 1738
1739 return type_is_pkt_pointer(reg->type);
1740}
1741
4b5defde
DB		 1742static bool is_flow_key_reg(struct bpf_verifier_env *env, int regno)
1743{
1744 const struct bpf_reg_state *reg = reg_state(env, regno);
1745
1746 /* Separate to is_ctx_reg() since we still want to allow BPF_ST here. */
1747 return reg->type == PTR_TO_FLOW_KEYS;
1748}
1749
61bd5218
JK		 1750static int check_pkt_ptr_alignment(struct bpf_verifier_env *env,
1751 const struct bpf_reg_state *reg,
d1174416 1752 int off, int size, bool strict)
969bf05e 1753{
f1174f77 1754 struct tnum reg_off;
e07b98d9 1755 int ip_align;
d1174416
DM		 1756
1757 /* Byte size accesses are always allowed. */
1758 if (!strict || size == 1)
1759 return 0;
1760
e4eda884
DM		 1761 /* For platforms that do not have a Kconfig enabling
1762 * CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS the value of
1763 * NET_IP_ALIGN is universally set to '2'. And on platforms
1764 * that do set CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS, we get
1765 * to this code only in strict mode where we want to emulate
1766 * the NET_IP_ALIGN==2 checking. Therefore use an
1767 * unconditional IP align value of '2'.
e07b98d9 1768 */
e4eda884 1769 ip_align = 2;
f1174f77
EC		 1770
1771 reg_off = tnum_add(reg->var_off, tnum_const(ip_align + reg->off + off));
1772 if (!tnum_is_aligned(reg_off, size)) {
1773 char tn_buf[48];
1774
1775 tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
61bd5218
JK		 1776 verbose(env,
1777 "misaligned packet access off %d+%s+%d+%d size %d\n",
f1174f77 1778 ip_align, tn_buf, reg->off, off, size);
969bf05e
AS		 1779 return -EACCES;
1780 }
79adffcd 1781
969bf05e
AS		 1782 return 0;
1783}
1784
61bd5218
JK		 1785static int check_generic_ptr_alignment(struct bpf_verifier_env *env,
1786 const struct bpf_reg_state *reg,
f1174f77
EC		 1787 const char *pointer_desc,
1788 int off, int size, bool strict)
79adffcd 1789{
f1174f77
EC		 1790 struct tnum reg_off;
1791
1792 /* Byte size accesses are always allowed. */
1793 if (!strict || size == 1)
1794 return 0;
1795
1796 reg_off = tnum_add(reg->var_off, tnum_const(reg->off + off));
1797 if (!tnum_is_aligned(reg_off, size)) {
1798 char tn_buf[48];
1799
1800 tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
61bd5218 1801 verbose(env, "misaligned %saccess off %s+%d+%d size %d\n",
f1174f77 1802 pointer_desc, tn_buf, reg->off, off, size);
79adffcd
DB		 1803 return -EACCES;
1804 }
1805
969bf05e
AS		 1806 return 0;
1807}
1808
e07b98d9 1809static int check_ptr_alignment(struct bpf_verifier_env *env,
ca369602
DB		 1810 const struct bpf_reg_state *reg, int off,
1811 int size, bool strict_alignment_once)
79adffcd 1812{
ca369602 1813 bool strict = env->strict_alignment || strict_alignment_once;
f1174f77 1814 const char *pointer_desc = "";
d1174416 1815
79adffcd
DB		 1816 switch (reg->type) {
1817 case PTR_TO_PACKET:
de8f3a83
DB		 1818 case PTR_TO_PACKET_META:
1819 /* Special case, because of NET_IP_ALIGN. Given metadata sits
1820 * right in front, treat it the very same way.
1821 */
61bd5218 1822 return check_pkt_ptr_alignment(env, reg, off, size, strict);
d58e468b
PP		 1823 case PTR_TO_FLOW_KEYS:
1824 pointer_desc = "flow keys ";
1825 break;
f1174f77
EC		 1826 case PTR_TO_MAP_VALUE:
1827 pointer_desc = "value ";
1828 break;
1829 case PTR_TO_CTX:
1830 pointer_desc = "context ";
1831 break;
1832 case PTR_TO_STACK:
1833 pointer_desc = "stack ";
a5ec6ae1
JH		 1834 /* The stack spill tracking logic in check_stack_write()
1835 * and check_stack_read() relies on stack accesses being
1836 * aligned.
1837 */
1838 strict = true;
f1174f77 1839 break;
c64b7983
JS		 1840 case PTR_TO_SOCKET:
1841 pointer_desc = "sock ";
1842 break;
46f8bc92
MKL		 1843 case PTR_TO_SOCK_COMMON:
1844 pointer_desc = "sock_common ";
1845 break;
655a51e5
MKL		 1846 case PTR_TO_TCP_SOCK:
1847 pointer_desc = "tcp_sock ";
1848 break;
79adffcd 1849 default:
f1174f77 1850 break;
79adffcd 1851 }
61bd5218
JK		 1852 return check_generic_ptr_alignment(env, reg, pointer_desc, off, size,
1853 strict);
79adffcd
DB		 1854}
1855
f4d7e40a
AS		 1856static int update_stack_depth(struct bpf_verifier_env *env,
1857 const struct bpf_func_state *func,
1858 int off)
1859{
9c8105bd 1860 u16 stack = env->subprog_info[func->subprogno].stack_depth;
f4d7e40a
AS		 1861
1862 if (stack >= -off)
1863 return 0;
1864
1865 /* update known max for given subprogram */
9c8105bd 1866 env->subprog_info[func->subprogno].stack_depth = -off;
70a87ffe
AS		 1867 return 0;
1868}
f4d7e40a 1869
70a87ffe
AS		 1870/* starting from main bpf function walk all instructions of the function
1871 * and recursively walk all callees that given function can call.
1872 * Ignore jump and exit insns.
1873 * Since recursion is prevented by check_cfg() this algorithm
1874 * only needs a local stack of MAX_CALL_FRAMES to remember callsites
1875 */
1876static int check_max_stack_depth(struct bpf_verifier_env *env)
1877{
9c8105bd
JW		 1878 int depth = 0, frame = 0, idx = 0, i = 0, subprog_end;
1879 struct bpf_subprog_info *subprog = env->subprog_info;
70a87ffe 1880 struct bpf_insn *insn = env->prog->insnsi;
70a87ffe
AS		 1881 int ret_insn[MAX_CALL_FRAMES];
1882 int ret_prog[MAX_CALL_FRAMES];
f4d7e40a 1883
70a87ffe
AS		 1884process_func:
1885 /* round up to 32-bytes, since this is granularity
1886 * of interpreter stack size
1887 */
9c8105bd 1888 depth += round_up(max_t(u32, subprog[idx].stack_depth, 1), 32);
70a87ffe 1889 if (depth > MAX_BPF_STACK) {
f4d7e40a 1890 verbose(env, "combined stack size of %d calls is %d. Too large\n",
70a87ffe 1891 frame + 1, depth);
f4d7e40a
AS		 1892 return -EACCES;
1893 }
70a87ffe 1894continue_func:
4cb3d99c 1895 subprog_end = subprog[idx + 1].start;
70a87ffe
AS		 1896 for (; i < subprog_end; i++) {
1897 if (insn[i].code != (BPF_JMP | BPF_CALL))
1898 continue;
1899 if (insn[i].src_reg != BPF_PSEUDO_CALL)
1900 continue;
1901 /* remember insn and function to return to */
1902 ret_insn[frame] = i + 1;
9c8105bd 1903 ret_prog[frame] = idx;
70a87ffe
AS		 1904
1905 /* find the callee */
1906 i = i + insn[i].imm + 1;
9c8105bd
JW		 1907 idx = find_subprog(env, i);
1908 if (idx < 0) {
70a87ffe
AS		 1909 WARN_ONCE(1, "verifier bug. No program starts at insn %d\n",
1910 i);
1911 return -EFAULT;
1912 }
70a87ffe
AS		 1913 frame++;
1914 if (frame >= MAX_CALL_FRAMES) {
1915 WARN_ONCE(1, "verifier bug. Call stack is too deep\n");
1916 return -EFAULT;
1917 }
1918 goto process_func;
1919 }
1920 /* end of for() loop means the last insn of the 'subprog'
1921 * was reached. Doesn't matter whether it was JA or EXIT
1922 */
1923 if (frame == 0)
1924 return 0;
9c8105bd 1925 depth -= round_up(max_t(u32, subprog[idx].stack_depth, 1), 32);
70a87ffe
AS		 1926 frame--;
1927 i = ret_insn[frame];
9c8105bd 1928 idx = ret_prog[frame];
70a87ffe 1929 goto continue_func;
f4d7e40a
AS		 1930}
1931
19d28fbd 1932#ifndef CONFIG_BPF_JIT_ALWAYS_ON
1ea47e01
AS		 1933static int get_callee_stack_depth(struct bpf_verifier_env *env,
1934 const struct bpf_insn *insn, int idx)
1935{
1936 int start = idx + insn->imm + 1, subprog;
1937
1938 subprog = find_subprog(env, start);
1939 if (subprog < 0) {
1940 WARN_ONCE(1, "verifier bug. No program starts at insn %d\n",
1941 start);
1942 return -EFAULT;
1943 }
9c8105bd 1944 return env->subprog_info[subprog].stack_depth;
1ea47e01 1945}
19d28fbd 1946#endif
1ea47e01 1947
58990d1f
DB		 1948static int check_ctx_reg(struct bpf_verifier_env *env,
1949 const struct bpf_reg_state *reg, int regno)
1950{
1951 /* Access to ctx or passing it to a helper is only allowed in
1952 * its original, unmodified form.
1953 */
1954
1955 if (reg->off) {
1956 verbose(env, "dereference of modified ctx ptr R%d off=%d disallowed\n",
1957 regno, reg->off);
1958 return -EACCES;
1959 }
1960
1961 if (!tnum_is_const(reg->var_off) || reg->var_off.value) {
1962 char tn_buf[48];
1963
1964 tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
1965 verbose(env, "variable ctx access var_off=%s disallowed\n", tn_buf);
1966 return -EACCES;
1967 }
1968
1969 return 0;
1970}
1971
0c17d1d2
JH		 1972/* truncate register to smaller size (in bytes)
1973 * must be called with size < BPF_REG_SIZE
1974 */
1975static void coerce_reg_to_size(struct bpf_reg_state *reg, int size)
1976{
1977 u64 mask;
1978
1979 /* clear high bits in bit representation */
1980 reg->var_off = tnum_cast(reg->var_off, size);
1981
1982 /* fix arithmetic bounds */
1983 mask = ((u64)1 << (size * 8)) - 1;
1984 if ((reg->umin_value & ~mask) == (reg->umax_value & ~mask)) {
1985 reg->umin_value &= mask;
1986 reg->umax_value &= mask;
1987 } else {
1988 reg->umin_value = 0;
1989 reg->umax_value = mask;
1990 }
1991 reg->smin_value = reg->umin_value;
1992 reg->smax_value = reg->umax_value;
1993}
1994
17a52670
AS		 1995/* check whether memory at (regno + off) is accessible for t = (read | write)
1996 * if t==write, value_regno is a register which value is stored into memory
1997 * if t==read, value_regno is a register which will receive the value from memory
1998 * if t==write && value_regno==-1, some unknown value is stored into memory
1999 * if t==read && value_regno==-1, don't care what we read from memory
2000 */
ca369602
DB		 2001static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regno,
2002 int off, int bpf_size, enum bpf_access_type t,
2003 int value_regno, bool strict_alignment_once)
17a52670 2004{
638f5b90
AS		 2005 struct bpf_reg_state *regs = cur_regs(env);
2006 struct bpf_reg_state *reg = regs + regno;
f4d7e40a 2007 struct bpf_func_state *state;
17a52670
AS		 2008 int size, err = 0;
2009
2010 size = bpf_size_to_bytes(bpf_size);
2011 if (size < 0)
2012 return size;
2013
f1174f77 2014 /* alignment checks will add in reg->off themselves */
ca369602 2015 err = check_ptr_alignment(env, reg, off, size, strict_alignment_once);
969bf05e
AS		 2016 if (err)
2017 return err;
17a52670 2018
f1174f77
EC		 2019 /* for access checks, reg->off is just part of off */
2020 off += reg->off;
2021
2022 if (reg->type == PTR_TO_MAP_VALUE) {
1be7f75d
AS		 2023 if (t == BPF_WRITE && value_regno >= 0 &&
2024 is_pointer_value(env, value_regno)) {
61bd5218 2025 verbose(env, "R%d leaks addr into map\n", value_regno);
1be7f75d
AS		 2026 return -EACCES;
2027 }
48461135 2028
9fd29c08 2029 err = check_map_access(env, regno, off, size, false);
17a52670 2030 if (!err && t == BPF_READ && value_regno >= 0)
638f5b90 2031 mark_reg_unknown(env, regs, value_regno);
17a52670 2032
1a0dc1ac 2033 } else if (reg->type == PTR_TO_CTX) {
f1174f77 2034 enum bpf_reg_type reg_type = SCALAR_VALUE;
19de99f7 2035
1be7f75d
AS		 2036 if (t == BPF_WRITE && value_regno >= 0 &&
2037 is_pointer_value(env, value_regno)) {
61bd5218 2038 verbose(env, "R%d leaks addr into ctx\n", value_regno);
1be7f75d
AS		 2039 return -EACCES;
2040 }
f1174f77 2041
58990d1f
DB		 2042 err = check_ctx_reg(env, reg, regno);
2043 if (err < 0)
2044 return err;
2045
31fd8581 2046 err = check_ctx_access(env, insn_idx, off, size, t, &reg_type);
969bf05e 2047 if (!err && t == BPF_READ && value_regno >= 0) {
f1174f77 2048 /* ctx access returns either a scalar, or a
de8f3a83
DB		 2049 * PTR_TO_PACKET[_META,_END]. In the latter
2050 * case, we know the offset is zero.
f1174f77 2051 */
46f8bc92 2052 if (reg_type == SCALAR_VALUE) {
638f5b90 2053 mark_reg_unknown(env, regs, value_regno);
46f8bc92 2054 } else {
638f5b90 2055 mark_reg_known_zero(env, regs,
61bd5218 2056 value_regno);
46f8bc92
MKL		 2057 if (reg_type_may_be_null(reg_type))
2058 regs[value_regno].id = ++env->id_gen;
2059 }
638f5b90 2060 regs[value_regno].type = reg_type;
969bf05e 2061 }
17a52670 2062
f1174f77 2063 } else if (reg->type == PTR_TO_STACK) {
f1174f77 2064 off += reg->var_off.value;
e4298d25
DB		 2065 err = check_stack_access(env, reg, off, size);
2066 if (err)
2067 return err;
8726679a 2068
f4d7e40a
AS		 2069 state = func(env, reg);
2070 err = update_stack_depth(env, state, off);
2071 if (err)
2072 return err;
8726679a 2073
638f5b90 2074 if (t == BPF_WRITE)
61bd5218 2075 err = check_stack_write(env, state, off, size,
af86ca4e 2076 value_regno, insn_idx);
638f5b90 2077 else
61bd5218
JK		 2078 err = check_stack_read(env, state, off, size,
2079 value_regno);
de8f3a83 2080 } else if (reg_is_pkt_pointer(reg)) {
3a0af8fd 2081 if (t == BPF_WRITE && !may_access_direct_pkt_data(env, NULL, t)) {
61bd5218 2082 verbose(env, "cannot write into packet\n");
969bf05e
AS		 2083 return -EACCES;
2084 }
4acf6c0b
BB		 2085 if (t == BPF_WRITE && value_regno >= 0 &&
2086 is_pointer_value(env, value_regno)) {
61bd5218
JK		 2087 verbose(env, "R%d leaks addr into packet\n",
2088 value_regno);
4acf6c0b
BB		 2089 return -EACCES;
2090 }
9fd29c08 2091 err = check_packet_access(env, regno, off, size, false);
969bf05e 2092 if (!err && t == BPF_READ && value_regno >= 0)
638f5b90 2093 mark_reg_unknown(env, regs, value_regno);
d58e468b
PP		 2094 } else if (reg->type == PTR_TO_FLOW_KEYS) {
2095 if (t == BPF_WRITE && value_regno >= 0 &&
2096 is_pointer_value(env, value_regno)) {
2097 verbose(env, "R%d leaks addr into flow keys\n",
2098 value_regno);
2099 return -EACCES;
2100 }
2101
2102 err = check_flow_keys_access(env, off, size);
2103 if (!err && t == BPF_READ && value_regno >= 0)
2104 mark_reg_unknown(env, regs, value_regno);
46f8bc92 2105 } else if (type_is_sk_pointer(reg->type)) {
c64b7983 2106 if (t == BPF_WRITE) {
46f8bc92
MKL		 2107 verbose(env, "R%d cannot write into %s\n",
2108 regno, reg_type_str[reg->type]);
c64b7983
JS		 2109 return -EACCES;
2110 }
5f456649 2111 err = check_sock_access(env, insn_idx, regno, off, size, t);
c64b7983
JS		 2112 if (!err && value_regno >= 0)
2113 mark_reg_unknown(env, regs, value_regno);
17a52670 2114 } else {
61bd5218
JK		 2115 verbose(env, "R%d invalid mem access '%s'\n", regno,
2116 reg_type_str[reg->type]);
17a52670
AS		 2117 return -EACCES;
2118 }
969bf05e 2119
f1174f77 2120 if (!err && size < BPF_REG_SIZE && value_regno >= 0 && t == BPF_READ &&
638f5b90 2121 regs[value_regno].type == SCALAR_VALUE) {
f1174f77 2122 /* b/h/w load zero-extends, mark upper bits as known 0 */
0c17d1d2 2123 coerce_reg_to_size(&regs[value_regno], size);
969bf05e 2124 }
17a52670
AS		 2125 return err;
2126}
2127
31fd8581 2128static int check_xadd(struct bpf_verifier_env *env, int insn_idx, struct bpf_insn *insn)
17a52670 2129{
17a52670
AS		 2130 int err;
2131
2132 if ((BPF_SIZE(insn->code) != BPF_W && BPF_SIZE(insn->code) != BPF_DW) ||
2133 insn->imm != 0) {
61bd5218 2134 verbose(env, "BPF_XADD uses reserved fields\n");
17a52670
AS		 2135 return -EINVAL;
2136 }
2137
2138 /* check src1 operand */
dc503a8a 2139 err = check_reg_arg(env, insn->src_reg, SRC_OP);
17a52670
AS		 2140 if (err)
2141 return err;
2142
2143 /* check src2 operand */
dc503a8a 2144 err = check_reg_arg(env, insn->dst_reg, SRC_OP);
17a52670
AS		 2145 if (err)
2146 return err;
2147
6bdf6abc 2148 if (is_pointer_value(env, insn->src_reg)) {
61bd5218 2149 verbose(env, "R%d leaks addr into mem\n", insn->src_reg);
6bdf6abc
DB		 2150 return -EACCES;
2151 }
2152
ca369602 2153 if (is_ctx_reg(env, insn->dst_reg) ||
4b5defde 2154 is_pkt_reg(env, insn->dst_reg) ||
46f8bc92
MKL		 2155 is_flow_key_reg(env, insn->dst_reg) ||
2156 is_sk_reg(env, insn->dst_reg)) {
ca369602 2157 verbose(env, "BPF_XADD stores into R%d %s is not allowed\n",
2a159c6f
DB		 2158 insn->dst_reg,
2159 reg_type_str[reg_state(env, insn->dst_reg)->type]);
f37a8cb8
DB		 2160 return -EACCES;
2161 }
2162
17a52670 2163 /* check whether atomic_add can read the memory */
31fd8581 2164 err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off,
ca369602 2165 BPF_SIZE(insn->code), BPF_READ, -1, true);
17a52670
AS		 2166 if (err)
2167 return err;
2168
2169 /* check whether atomic_add can write into the same memory */
31fd8581 2170 return check_mem_access(env, insn_idx, insn->dst_reg, insn->off,
ca369602 2171 BPF_SIZE(insn->code), BPF_WRITE, -1, true);
17a52670
AS		 2172}
2173
2011fccf
AI		 2174static int __check_stack_boundary(struct bpf_verifier_env *env, u32 regno,
2175 int off, int access_size,
2176 bool zero_size_allowed)
2177{
2178 struct bpf_reg_state *reg = reg_state(env, regno);
2179
2180 if (off >= 0 || off < -MAX_BPF_STACK || off + access_size > 0 ||
2181 access_size < 0 || (access_size == 0 && !zero_size_allowed)) {
2182 if (tnum_is_const(reg->var_off)) {
2183 verbose(env, "invalid stack type R%d off=%d access_size=%d\n",
2184 regno, off, access_size);
2185 } else {
2186 char tn_buf[48];
2187
2188 tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
2189 verbose(env, "invalid stack type R%d var_off=%s access_size=%d\n",
2190 regno, tn_buf, access_size);
2191 }
2192 return -EACCES;
2193 }
2194 return 0;
2195}
2196
17a52670
AS		 2197/* when register 'regno' is passed into function that will read 'access_size'
2198 * bytes from that pointer, make sure that it's within stack boundary
f1174f77
EC		 2199 * and all elements of stack are initialized.
2200 * Unlike most pointer bounds-checking functions, this one doesn't take an
2201 * 'off' argument, so it has to add in reg->off itself.
17a52670 2202 */
58e2af8b 2203static int check_stack_boundary(struct bpf_verifier_env *env, int regno,
435faee1
DB		 2204 int access_size, bool zero_size_allowed,
2205 struct bpf_call_arg_meta *meta)
17a52670 2206{
2a159c6f 2207 struct bpf_reg_state *reg = reg_state(env, regno);
f4d7e40a 2208 struct bpf_func_state *state = func(env, reg);
2011fccf 2209 int err, min_off, max_off, i, slot, spi;
17a52670 2210
914cb781 2211 if (reg->type != PTR_TO_STACK) {
f1174f77 2212 /* Allow zero-byte read from NULL, regardless of pointer type */
8e2fe1d9 2213 if (zero_size_allowed && access_size == 0 &&
914cb781 2214 register_is_null(reg))
8e2fe1d9
DB		 2215 return 0;
2216
61bd5218 2217 verbose(env, "R%d type=%s expected=%s\n", regno,
914cb781 2218 reg_type_str[reg->type],
8e2fe1d9 2219 reg_type_str[PTR_TO_STACK]);
17a52670 2220 return -EACCES;
8e2fe1d9 2221 }
17a52670 2222
2011fccf
AI		 2223 if (tnum_is_const(reg->var_off)) {
2224 min_off = max_off = reg->var_off.value + reg->off;
2225 err = __check_stack_boundary(env, regno, min_off, access_size,
2226 zero_size_allowed);
2227 if (err)
2228 return err;
2229 } else {
2230 min_off = reg->smin_value + reg->off;
2231 max_off = reg->umax_value + reg->off;
2232 err = __check_stack_boundary(env, regno, min_off, access_size,
2233 zero_size_allowed);
2234 if (err)
2235 return err;
2236 err = __check_stack_boundary(env, regno, max_off, access_size,
2237 zero_size_allowed);
2238 if (err)
2239 return err;
17a52670
AS		 2240 }
2241
435faee1
DB		 2242 if (meta && meta->raw_mode) {
2243 meta->access_size = access_size;
2244 meta->regno = regno;
2245 return 0;
2246 }
2247
2011fccf 2248 for (i = min_off; i < max_off + access_size; i++) {
cc2b14d5
AS		 2249 u8 *stype;
2250
2011fccf 2251 slot = -i - 1;
638f5b90 2252 spi = slot / BPF_REG_SIZE;
cc2b14d5
AS		 2253 if (state->allocated_stack <= slot)
2254 goto err;
2255 stype = &state->stack[spi].slot_type[slot % BPF_REG_SIZE];
2256 if (*stype == STACK_MISC)
2257 goto mark;
2258 if (*stype == STACK_ZERO) {
2259 /* helper can write anything into the stack */
2260 *stype = STACK_MISC;
2261 goto mark;
17a52670 2262 }
cc2b14d5 2263err:
2011fccf
AI		 2264 if (tnum_is_const(reg->var_off)) {
2265 verbose(env, "invalid indirect read from stack off %d+%d size %d\n",
2266 min_off, i - min_off, access_size);
2267 } else {
2268 char tn_buf[48];
2269
2270 tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
2271 verbose(env, "invalid indirect read from stack var_off %s+%d size %d\n",
2272 tn_buf, i - min_off, access_size);
2273 }
cc2b14d5
AS		 2274 return -EACCES;
2275mark:
2276 /* reading any byte out of 8-byte 'spill_slot' will cause
2277 * the whole slot to be marked as 'read'
2278 */
679c782d
EC		 2279 mark_reg_read(env, &state->stack[spi].spilled_ptr,
2280 state->stack[spi].spilled_ptr.parent);
17a52670 2281 }
2011fccf 2282 return update_stack_depth(env, state, min_off);
17a52670
AS		 2283}
2284
06c1c049
GB		 2285static int check_helper_mem_access(struct bpf_verifier_env *env, int regno,
2286 int access_size, bool zero_size_allowed,
2287 struct bpf_call_arg_meta *meta)
2288{
638f5b90 2289 struct bpf_reg_state *regs = cur_regs(env), *reg = &regs[regno];
06c1c049 2290
f1174f77 2291 switch (reg->type) {
06c1c049 2292 case PTR_TO_PACKET:
de8f3a83 2293 case PTR_TO_PACKET_META:
9fd29c08
YS		 2294 return check_packet_access(env, regno, reg->off, access_size,
2295 zero_size_allowed);
06c1c049 2296 case PTR_TO_MAP_VALUE:
9fd29c08
YS		 2297 return check_map_access(env, regno, reg->off, access_size,
2298 zero_size_allowed);
f1174f77 2299 default: /* scalar_value|ptr_to_stack or invalid ptr */
06c1c049
GB		 2300 return check_stack_boundary(env, regno, access_size,
2301 zero_size_allowed, meta);
2302 }
2303}
2304
d83525ca
AS		 2305/* Implementation details:
2306 * bpf_map_lookup returns PTR_TO_MAP_VALUE_OR_NULL
2307 * Two bpf_map_lookups (even with the same key) will have different reg->id.
2308 * For traditional PTR_TO_MAP_VALUE the verifier clears reg->id after
2309 * value_or_null->value transition, since the verifier only cares about
2310 * the range of access to valid map value pointer and doesn't care about actual
2311 * address of the map element.
2312 * For maps with 'struct bpf_spin_lock' inside map value the verifier keeps
2313 * reg->id > 0 after value_or_null->value transition. By doing so
2314 * two bpf_map_lookups will be considered two different pointers that
2315 * point to different bpf_spin_locks.
2316 * The verifier allows taking only one bpf_spin_lock at a time to avoid
2317 * dead-locks.
2318 * Since only one bpf_spin_lock is allowed the checks are simpler than
2319 * reg_is_refcounted() logic. The verifier needs to remember only
2320 * one spin_lock instead of array of acquired_refs.
2321 * cur_state->active_spin_lock remembers which map value element got locked
2322 * and clears it after bpf_spin_unlock.
2323 */
2324static int process_spin_lock(struct bpf_verifier_env *env, int regno,
2325 bool is_lock)
2326{
2327 struct bpf_reg_state *regs = cur_regs(env), *reg = &regs[regno];
2328 struct bpf_verifier_state *cur = env->cur_state;
2329 bool is_const = tnum_is_const(reg->var_off);
2330 struct bpf_map *map = reg->map_ptr;
2331 u64 val = reg->var_off.value;
2332
2333 if (reg->type != PTR_TO_MAP_VALUE) {
2334 verbose(env, "R%d is not a pointer to map_value\n", regno);
2335 return -EINVAL;
2336 }
2337 if (!is_const) {
2338 verbose(env,
2339 "R%d doesn't have constant offset. bpf_spin_lock has to be at the constant offset\n",
2340 regno);
2341 return -EINVAL;
2342 }
2343 if (!map->btf) {
2344 verbose(env,
2345 "map '%s' has to have BTF in order to use bpf_spin_lock\n",
2346 map->name);
2347 return -EINVAL;
2348 }
2349 if (!map_value_has_spin_lock(map)) {
2350 if (map->spin_lock_off == -E2BIG)
2351 verbose(env,
2352 "map '%s' has more than one 'struct bpf_spin_lock'\n",
2353 map->name);
2354 else if (map->spin_lock_off == -ENOENT)
2355 verbose(env,
2356 "map '%s' doesn't have 'struct bpf_spin_lock'\n",
2357 map->name);
2358 else
2359 verbose(env,
2360 "map '%s' is not a struct type or bpf_spin_lock is mangled\n",
2361 map->name);
2362 return -EINVAL;
2363 }
2364 if (map->spin_lock_off != val + reg->off) {
2365 verbose(env, "off %lld doesn't point to 'struct bpf_spin_lock'\n",
2366 val + reg->off);
2367 return -EINVAL;
2368 }
2369 if (is_lock) {
2370 if (cur->active_spin_lock) {
2371 verbose(env,
2372 "Locking two bpf_spin_locks are not allowed\n");
2373 return -EINVAL;
2374 }
2375 cur->active_spin_lock = reg->id;
2376 } else {
2377 if (!cur->active_spin_lock) {
2378 verbose(env, "bpf_spin_unlock without taking a lock\n");
2379 return -EINVAL;
2380 }
2381 if (cur->active_spin_lock != reg->id) {
2382 verbose(env, "bpf_spin_unlock of different lock\n");
2383 return -EINVAL;
2384 }
2385 cur->active_spin_lock = 0;
2386 }
2387 return 0;
2388}
2389
90133415
DB		 2390static bool arg_type_is_mem_ptr(enum bpf_arg_type type)
2391{
2392 return type == ARG_PTR_TO_MEM ||
2393 type == ARG_PTR_TO_MEM_OR_NULL ||
2394 type == ARG_PTR_TO_UNINIT_MEM;
2395}
2396
2397static bool arg_type_is_mem_size(enum bpf_arg_type type)
2398{
2399 return type == ARG_CONST_SIZE ||
2400 type == ARG_CONST_SIZE_OR_ZERO;
2401}
2402
58e2af8b 2403static int check_func_arg(struct bpf_verifier_env *env, u32 regno,
33ff9823
DB		 2404 enum bpf_arg_type arg_type,
2405 struct bpf_call_arg_meta *meta)
17a52670 2406{
638f5b90 2407 struct bpf_reg_state *regs = cur_regs(env), *reg = &regs[regno];
6841de8b 2408 enum bpf_reg_type expected_type, type = reg->type;
17a52670
AS		 2409 int err = 0;
2410
80f1d68c 2411 if (arg_type == ARG_DONTCARE)
17a52670
AS		 2412 return 0;
2413
dc503a8a
EC		 2414 err = check_reg_arg(env, regno, SRC_OP);
2415 if (err)
2416 return err;
17a52670 2417
1be7f75d
AS		 2418 if (arg_type == ARG_ANYTHING) {
2419 if (is_pointer_value(env, regno)) {
61bd5218
JK		 2420 verbose(env, "R%d leaks addr into helper function\n",
2421 regno);
1be7f75d
AS		 2422 return -EACCES;
2423 }
80f1d68c 2424 return 0;
1be7f75d 2425 }
80f1d68c 2426
de8f3a83 2427 if (type_is_pkt_pointer(type) &&
3a0af8fd 2428 !may_access_direct_pkt_data(env, meta, BPF_READ)) {
61bd5218 2429 verbose(env, "helper access to the packet is not allowed\n");
6841de8b
AS		 2430 return -EACCES;
2431 }
2432
8e2fe1d9 2433 if (arg_type == ARG_PTR_TO_MAP_KEY ||
2ea864c5
MV		 2434 arg_type == ARG_PTR_TO_MAP_VALUE ||
2435 arg_type == ARG_PTR_TO_UNINIT_MAP_VALUE) {
17a52670 2436 expected_type = PTR_TO_STACK;
d71962f3 2437 if (!type_is_pkt_pointer(type) && type != PTR_TO_MAP_VALUE &&
de8f3a83 2438 type != expected_type)
6841de8b 2439 goto err_type;
39f19ebb
AS		 2440 } else if (arg_type == ARG_CONST_SIZE ||
2441 arg_type == ARG_CONST_SIZE_OR_ZERO) {
f1174f77
EC		 2442 expected_type = SCALAR_VALUE;
2443 if (type != expected_type)
6841de8b 2444 goto err_type;
17a52670
AS		 2445 } else if (arg_type == ARG_CONST_MAP_PTR) {
2446 expected_type = CONST_PTR_TO_MAP;
6841de8b
AS		 2447 if (type != expected_type)
2448 goto err_type;
608cd71a
AS		 2449 } else if (arg_type == ARG_PTR_TO_CTX) {
2450 expected_type = PTR_TO_CTX;
6841de8b
AS		 2451 if (type != expected_type)
2452 goto err_type;
58990d1f
DB		 2453 err = check_ctx_reg(env, reg, regno);
2454 if (err < 0)
2455 return err;
46f8bc92
MKL		 2456 } else if (arg_type == ARG_PTR_TO_SOCK_COMMON) {
2457 expected_type = PTR_TO_SOCK_COMMON;
2458 /* Any sk pointer can be ARG_PTR_TO_SOCK_COMMON */
2459 if (!type_is_sk_pointer(type))
2460 goto err_type;
1b986589
MKL		 2461 if (reg->ref_obj_id) {
2462 if (meta->ref_obj_id) {
2463 verbose(env, "verifier internal error: more than one arg with ref_obj_id R%d %u %u\n",
2464 regno, reg->ref_obj_id,
2465 meta->ref_obj_id);
2466 return -EFAULT;
2467 }
2468 meta->ref_obj_id = reg->ref_obj_id;
fd978bf7 2469 }
d83525ca
AS		 2470 } else if (arg_type == ARG_PTR_TO_SPIN_LOCK) {
2471 if (meta->func_id == BPF_FUNC_spin_lock) {
2472 if (process_spin_lock(env, regno, true))
2473 return -EACCES;
2474 } else if (meta->func_id == BPF_FUNC_spin_unlock) {
2475 if (process_spin_lock(env, regno, false))
2476 return -EACCES;
2477 } else {
2478 verbose(env, "verifier internal error\n");
2479 return -EFAULT;
2480 }
90133415 2481 } else if (arg_type_is_mem_ptr(arg_type)) {
8e2fe1d9
DB		 2482 expected_type = PTR_TO_STACK;
2483 /* One exception here. In case function allows for NULL to be
f1174f77 2484 * passed in as argument, it's a SCALAR_VALUE type. Final test
8e2fe1d9
DB		 2485 * happens during stack boundary checking.
2486 */
914cb781 2487 if (register_is_null(reg) &&
db1ac496 2488 arg_type == ARG_PTR_TO_MEM_OR_NULL)
6841de8b 2489 /* final test in check_stack_boundary() */;
de8f3a83
DB		 2490 else if (!type_is_pkt_pointer(type) &&
2491 type != PTR_TO_MAP_VALUE &&
f1174f77 2492 type != expected_type)
6841de8b 2493 goto err_type;
39f19ebb 2494 meta->raw_mode = arg_type == ARG_PTR_TO_UNINIT_MEM;
17a52670 2495 } else {
61bd5218 2496 verbose(env, "unsupported arg_type %d\n", arg_type);
17a52670
AS		 2497 return -EFAULT;
2498 }
2499
17a52670
AS		 2500 if (arg_type == ARG_CONST_MAP_PTR) {
2501 /* bpf_map_xxx(map_ptr) call: remember that map_ptr */
33ff9823 2502 meta->map_ptr = reg->map_ptr;
17a52670
AS		 2503 } else if (arg_type == ARG_PTR_TO_MAP_KEY) {
2504 /* bpf_map_xxx(..., map_ptr, ..., key) call:
2505 * check that [key, key + map->key_size) are within
2506 * stack limits and initialized
2507 */
33ff9823 2508 if (!meta->map_ptr) {
17a52670
AS		 2509 /* in function declaration map_ptr must come before
2510 * map_key, so that it's verified and known before
2511 * we have to check map_key here. Otherwise it means
2512 * that kernel subsystem misconfigured verifier
2513 */
61bd5218 2514 verbose(env, "invalid map_ptr to access map->key\n");
17a52670
AS		 2515 return -EACCES;
2516 }
d71962f3
PC		 2517 err = check_helper_mem_access(env, regno,
2518 meta->map_ptr->key_size, false,
2519 NULL);
2ea864c5
MV		 2520 } else if (arg_type == ARG_PTR_TO_MAP_VALUE ||
2521 arg_type == ARG_PTR_TO_UNINIT_MAP_VALUE) {
17a52670
AS		 2522 /* bpf_map_xxx(..., map_ptr, ..., value) call:
2523 * check [value, value + map->value_size) validity
2524 */
33ff9823 2525 if (!meta->map_ptr) {
17a52670 2526 /* kernel subsystem misconfigured verifier */
61bd5218 2527 verbose(env, "invalid map_ptr to access map->value\n");
17a52670
AS		 2528 return -EACCES;
2529 }
2ea864c5 2530 meta->raw_mode = (arg_type == ARG_PTR_TO_UNINIT_MAP_VALUE);
d71962f3
PC		 2531 err = check_helper_mem_access(env, regno,
2532 meta->map_ptr->value_size, false,
2ea864c5 2533 meta);
90133415 2534 } else if (arg_type_is_mem_size(arg_type)) {
39f19ebb 2535 bool zero_size_allowed = (arg_type == ARG_CONST_SIZE_OR_ZERO);
17a52670 2536
849fa506
YS		 2537 /* remember the mem_size which may be used later
2538 * to refine return values.
2539 */
2540 meta->msize_smax_value = reg->smax_value;
2541 meta->msize_umax_value = reg->umax_value;
2542
f1174f77
EC		 2543 /* The register is SCALAR_VALUE; the access check
2544 * happens using its boundaries.
06c1c049 2545 */
f1174f77 2546 if (!tnum_is_const(reg->var_off))
06c1c049
GB		 2547 /* For unprivileged variable accesses, disable raw
2548 * mode so that the program is required to
2549 * initialize all the memory that the helper could
2550 * just partially fill up.
2551 */
2552 meta = NULL;
2553
b03c9f9f 2554 if (reg->smin_value < 0) {
61bd5218 2555 verbose(env, "R%d min value is negative, either use unsigned or 'var &= const'\n",
f1174f77
EC		 2556 regno);
2557 return -EACCES;
2558 }
06c1c049 2559
b03c9f9f 2560 if (reg->umin_value == 0) {
f1174f77
EC		 2561 err = check_helper_mem_access(env, regno - 1, 0,
2562 zero_size_allowed,
2563 meta);
06c1c049
GB		 2564 if (err)
2565 return err;
06c1c049 2566 }
f1174f77 2567
b03c9f9f 2568 if (reg->umax_value >= BPF_MAX_VAR_SIZ) {
61bd5218 2569 verbose(env, "R%d unbounded memory access, use 'var &= const' or 'if (var < const)'\n",
f1174f77
EC		 2570 regno);
2571 return -EACCES;
2572 }
2573 err = check_helper_mem_access(env, regno - 1,
b03c9f9f 2574 reg->umax_value,
f1174f77 2575 zero_size_allowed, meta);
17a52670
AS		 2576 }
2577
2578 return err;
6841de8b 2579err_type:
61bd5218 2580 verbose(env, "R%d type=%s expected=%s\n", regno,
6841de8b
AS		 2581 reg_type_str[type], reg_type_str[expected_type]);
2582 return -EACCES;
17a52670
AS		 2583}
2584
61bd5218
JK		 2585static int check_map_func_compatibility(struct bpf_verifier_env *env,
2586 struct bpf_map *map, int func_id)
35578d79 2587{
35578d79
KX		 2588 if (!map)
2589 return 0;
2590
6aff67c8
AS		 2591 /* We need a two way check, first is from map perspective ... */
2592 switch (map->map_type) {
2593 case BPF_MAP_TYPE_PROG_ARRAY:
2594 if (func_id != BPF_FUNC_tail_call)
2595 goto error;
2596 break;
2597 case BPF_MAP_TYPE_PERF_EVENT_ARRAY:
2598 if (func_id != BPF_FUNC_perf_event_read &&
908432ca
YS		 2599 func_id != BPF_FUNC_perf_event_output &&
2600 func_id != BPF_FUNC_perf_event_read_value)
6aff67c8
AS		 2601 goto error;
2602 break;
2603 case BPF_MAP_TYPE_STACK_TRACE:
2604 if (func_id != BPF_FUNC_get_stackid)
2605 goto error;
2606 break;
4ed8ec52 2607 case BPF_MAP_TYPE_CGROUP_ARRAY:
60747ef4 2608 if (func_id != BPF_FUNC_skb_under_cgroup &&
60d20f91 2609 func_id != BPF_FUNC_current_task_under_cgroup)
4a482f34
MKL		 2610 goto error;
2611 break;
cd339431 2612 case BPF_MAP_TYPE_CGROUP_STORAGE:
b741f163 2613 case BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE:
cd339431
RG		 2614 if (func_id != BPF_FUNC_get_local_storage)
2615 goto error;
2616 break;
546ac1ff
JF		 2617 /* devmap returns a pointer to a live net_device ifindex that we cannot
2618 * allow to be modified from bpf side. So do not allow lookup elements
2619 * for now.
2620 */
2621 case BPF_MAP_TYPE_DEVMAP:
2ddf71e2 2622 if (func_id != BPF_FUNC_redirect_map)
546ac1ff
JF		 2623 goto error;
2624 break;
fbfc504a
BT		 2625 /* Restrict bpf side of cpumap and xskmap, open when use-cases
2626 * appear.
2627 */
6710e112 2628 case BPF_MAP_TYPE_CPUMAP:
fbfc504a 2629 case BPF_MAP_TYPE_XSKMAP:
6710e112
JDB		 2630 if (func_id != BPF_FUNC_redirect_map)
2631 goto error;
2632 break;
56f668df 2633 case BPF_MAP_TYPE_ARRAY_OF_MAPS:
bcc6b1b7 2634 case BPF_MAP_TYPE_HASH_OF_MAPS:
56f668df
MKL		 2635 if (func_id != BPF_FUNC_map_lookup_elem)
2636 goto error;
16a43625 2637 break;
174a79ff
JF		 2638 case BPF_MAP_TYPE_SOCKMAP:
2639 if (func_id != BPF_FUNC_sk_redirect_map &&
2640 func_id != BPF_FUNC_sock_map_update &&
4f738adb
JF		 2641 func_id != BPF_FUNC_map_delete_elem &&
2642 func_id != BPF_FUNC_msg_redirect_map)
174a79ff
JF		 2643 goto error;
2644 break;
81110384
JF		 2645 case BPF_MAP_TYPE_SOCKHASH:
2646 if (func_id != BPF_FUNC_sk_redirect_hash &&
2647 func_id != BPF_FUNC_sock_hash_update &&
2648 func_id != BPF_FUNC_map_delete_elem &&
2649 func_id != BPF_FUNC_msg_redirect_hash)
2650 goto error;
2651 break;
2dbb9b9e
MKL		 2652 case BPF_MAP_TYPE_REUSEPORT_SOCKARRAY:
2653 if (func_id != BPF_FUNC_sk_select_reuseport)
2654 goto error;
2655 break;
f1a2e44a
MV		 2656 case BPF_MAP_TYPE_QUEUE:
2657 case BPF_MAP_TYPE_STACK:
2658 if (func_id != BPF_FUNC_map_peek_elem &&
2659 func_id != BPF_FUNC_map_pop_elem &&
2660 func_id != BPF_FUNC_map_push_elem)
2661 goto error;
2662 break;
6aff67c8
AS		 2663 default:
2664 break;
2665 }
2666
2667 /* ... and second from the function itself. */
2668 switch (func_id) {
2669 case BPF_FUNC_tail_call:
2670 if (map->map_type != BPF_MAP_TYPE_PROG_ARRAY)
2671 goto error;
f910cefa 2672 if (env->subprog_cnt > 1) {
f4d7e40a
AS		 2673 verbose(env, "tail_calls are not allowed in programs with bpf-to-bpf calls\n");
2674 return -EINVAL;
2675 }
6aff67c8
AS		 2676 break;
2677 case BPF_FUNC_perf_event_read:
2678 case BPF_FUNC_perf_event_output:
908432ca 2679 case BPF_FUNC_perf_event_read_value:
6aff67c8
AS		 2680 if (map->map_type != BPF_MAP_TYPE_PERF_EVENT_ARRAY)
2681 goto error;
2682 break;
2683 case BPF_FUNC_get_stackid:
2684 if (map->map_type != BPF_MAP_TYPE_STACK_TRACE)
2685 goto error;
2686 break;
60d20f91 2687 case BPF_FUNC_current_task_under_cgroup:
747ea55e 2688 case BPF_FUNC_skb_under_cgroup:
4a482f34
MKL		 2689 if (map->map_type != BPF_MAP_TYPE_CGROUP_ARRAY)
2690 goto error;
2691 break;
97f91a7c 2692 case BPF_FUNC_redirect_map:
9c270af3 2693 if (map->map_type != BPF_MAP_TYPE_DEVMAP &&
fbfc504a
BT		 2694 map->map_type != BPF_MAP_TYPE_CPUMAP &&
2695 map->map_type != BPF_MAP_TYPE_XSKMAP)
97f91a7c
JF		 2696 goto error;
2697 break;
174a79ff 2698 case BPF_FUNC_sk_redirect_map:
4f738adb 2699 case BPF_FUNC_msg_redirect_map:
81110384 2700 case BPF_FUNC_sock_map_update:
174a79ff
JF		 2701 if (map->map_type != BPF_MAP_TYPE_SOCKMAP)
2702 goto error;
2703 break;
81110384
JF		 2704 case BPF_FUNC_sk_redirect_hash:
2705 case BPF_FUNC_msg_redirect_hash:
2706 case BPF_FUNC_sock_hash_update:
2707 if (map->map_type != BPF_MAP_TYPE_SOCKHASH)
174a79ff
JF		 2708 goto error;
2709 break;
cd339431 2710 case BPF_FUNC_get_local_storage:
b741f163
RG		 2711 if (map->map_type != BPF_MAP_TYPE_CGROUP_STORAGE &&
2712 map->map_type != BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE)
cd339431
RG		 2713 goto error;
2714 break;
2dbb9b9e
MKL		 2715 case BPF_FUNC_sk_select_reuseport:
2716 if (map->map_type != BPF_MAP_TYPE_REUSEPORT_SOCKARRAY)
2717 goto error;
2718 break;
f1a2e44a
MV		 2719 case BPF_FUNC_map_peek_elem:
2720 case BPF_FUNC_map_pop_elem:
2721 case BPF_FUNC_map_push_elem:
2722 if (map->map_type != BPF_MAP_TYPE_QUEUE &&
2723 map->map_type != BPF_MAP_TYPE_STACK)
2724 goto error;
2725 break;
6aff67c8
AS		 2726 default:
2727 break;
35578d79
KX		 2728 }
2729
2730 return 0;
6aff67c8 2731error:
61bd5218 2732 verbose(env, "cannot pass map_type %d into func %s#%d\n",
ebb676da 2733 map->map_type, func_id_name(func_id), func_id);
6aff67c8 2734 return -EINVAL;
35578d79
KX		 2735}
2736
90133415 2737static bool check_raw_mode_ok(const struct bpf_func_proto *fn)
435faee1
DB		 2738{
2739 int count = 0;
2740
39f19ebb 2741 if (fn->arg1_type == ARG_PTR_TO_UNINIT_MEM)
435faee1 2742 count++;
39f19ebb 2743 if (fn->arg2_type == ARG_PTR_TO_UNINIT_MEM)
435faee1 2744 count++;
39f19ebb 2745 if (fn->arg3_type == ARG_PTR_TO_UNINIT_MEM)
435faee1 2746 count++;
39f19ebb 2747 if (fn->arg4_type == ARG_PTR_TO_UNINIT_MEM)
435faee1 2748 count++;
39f19ebb 2749 if (fn->arg5_type == ARG_PTR_TO_UNINIT_MEM)
435faee1
DB		 2750 count++;
2751
90133415
DB		 2752 /* We only support one arg being in raw mode at the moment,
2753 * which is sufficient for the helper functions we have
2754 * right now.
2755 */
2756 return count <= 1;
2757}
2758
2759static bool check_args_pair_invalid(enum bpf_arg_type arg_curr,
2760 enum bpf_arg_type arg_next)
2761{
2762 return (arg_type_is_mem_ptr(arg_curr) &&
2763 !arg_type_is_mem_size(arg_next)) ||
2764 (!arg_type_is_mem_ptr(arg_curr) &&
2765 arg_type_is_mem_size(arg_next));
2766}
2767
2768static bool check_arg_pair_ok(const struct bpf_func_proto *fn)
2769{
2770 /* bpf_xxx(..., buf, len) call will access 'len'
2771 * bytes from memory 'buf'. Both arg types need
2772 * to be paired, so make sure there's no buggy
2773 * helper function specification.
2774 */
2775 if (arg_type_is_mem_size(fn->arg1_type) ||
2776 arg_type_is_mem_ptr(fn->arg5_type) ||
2777 check_args_pair_invalid(fn->arg1_type, fn->arg2_type) ||
2778 check_args_pair_invalid(fn->arg2_type, fn->arg3_type) ||
2779 check_args_pair_invalid(fn->arg3_type, fn->arg4_type) ||
2780 check_args_pair_invalid(fn->arg4_type, fn->arg5_type))
2781 return false;
2782
2783 return true;
2784}
2785
1b986589 2786static bool check_refcount_ok(const struct bpf_func_proto *fn, int func_id)
fd978bf7
JS		 2787{
2788 int count = 0;
2789
1b986589 2790 if (arg_type_may_be_refcounted(fn->arg1_type))
fd978bf7 2791 count++;
1b986589 2792 if (arg_type_may_be_refcounted(fn->arg2_type))
fd978bf7 2793 count++;
1b986589 2794 if (arg_type_may_be_refcounted(fn->arg3_type))
fd978bf7 2795 count++;
1b986589 2796 if (arg_type_may_be_refcounted(fn->arg4_type))
fd978bf7 2797 count++;
1b986589 2798 if (arg_type_may_be_refcounted(fn->arg5_type))
fd978bf7
JS		 2799 count++;
2800
1b986589
MKL		 2801 /* A reference acquiring function cannot acquire
2802 * another refcounted ptr.
2803 */
2804 if (is_acquire_function(func_id) && count)
2805 return false;
2806
fd978bf7
JS		 2807 /* We only support one arg being unreferenced at the moment,
2808 * which is sufficient for the helper functions we have right now.
2809 */
2810 return count <= 1;
2811}
2812
1b986589 2813static int check_func_proto(const struct bpf_func_proto *fn, int func_id)
90133415
DB		 2814{
2815 return check_raw_mode_ok(fn) &&
fd978bf7 2816 check_arg_pair_ok(fn) &&
1b986589 2817 check_refcount_ok(fn, func_id) ? 0 : -EINVAL;
435faee1
DB		 2818}
2819
de8f3a83
DB		 2820/* Packet data might have moved, any old PTR_TO_PACKET[_META,_END]
2821 * are now invalid, so turn them into unknown SCALAR_VALUE.
f1174f77 2822 */
f4d7e40a
AS		 2823static void __clear_all_pkt_pointers(struct bpf_verifier_env *env,
2824 struct bpf_func_state *state)
969bf05e 2825{
58e2af8b 2826 struct bpf_reg_state *regs = state->regs, *reg;
969bf05e
AS		 2827 int i;
2828
2829 for (i = 0; i < MAX_BPF_REG; i++)
de8f3a83 2830 if (reg_is_pkt_pointer_any(&regs[i]))
61bd5218 2831 mark_reg_unknown(env, regs, i);
969bf05e 2832
f3709f69
JS		 2833 bpf_for_each_spilled_reg(i, state, reg) {
2834 if (!reg)
969bf05e 2835 continue;
de8f3a83
DB		 2836 if (reg_is_pkt_pointer_any(reg))
2837 __mark_reg_unknown(reg);
969bf05e
AS		 2838 }
2839}
2840
f4d7e40a
AS		 2841static void clear_all_pkt_pointers(struct bpf_verifier_env *env)
2842{
2843 struct bpf_verifier_state *vstate = env->cur_state;
2844 int i;
2845
2846 for (i = 0; i <= vstate->curframe; i++)
2847 __clear_all_pkt_pointers(env, vstate->frame[i]);
2848}
2849
fd978bf7 2850static void release_reg_references(struct bpf_verifier_env *env,
1b986589
MKL		 2851 struct bpf_func_state *state,
2852 int ref_obj_id)
fd978bf7
JS		 2853{
2854 struct bpf_reg_state *regs = state->regs, *reg;
2855 int i;
2856
2857 for (i = 0; i < MAX_BPF_REG; i++)
1b986589 2858 if (regs[i].ref_obj_id == ref_obj_id)
fd978bf7
JS		 2859 mark_reg_unknown(env, regs, i);
2860
2861 bpf_for_each_spilled_reg(i, state, reg) {
2862 if (!reg)
2863 continue;
1b986589 2864 if (reg->ref_obj_id == ref_obj_id)
fd978bf7
JS		 2865 __mark_reg_unknown(reg);
2866 }
2867}
2868
2869/* The pointer with the specified id has released its reference to kernel
2870 * resources. Identify all copies of the same pointer and clear the reference.
2871 */
2872static int release_reference(struct bpf_verifier_env *env,
1b986589 2873 int ref_obj_id)
fd978bf7
JS		 2874{
2875 struct bpf_verifier_state *vstate = env->cur_state;
1b986589 2876 int err;
fd978bf7
JS		 2877 int i;
2878
1b986589
MKL		 2879 err = release_reference_state(cur_func(env), ref_obj_id);
2880 if (err)
2881 return err;
2882
fd978bf7 2883 for (i = 0; i <= vstate->curframe; i++)
1b986589 2884 release_reg_references(env, vstate->frame[i], ref_obj_id);
fd978bf7 2885
1b986589 2886 return 0;
fd978bf7
JS		 2887}
2888
f4d7e40a
AS		 2889static int check_func_call(struct bpf_verifier_env *env, struct bpf_insn *insn,
2890 int *insn_idx)
2891{
2892 struct bpf_verifier_state *state = env->cur_state;
2893 struct bpf_func_state *caller, *callee;
fd978bf7 2894 int i, err, subprog, target_insn;
f4d7e40a 2895
aada9ce6 2896 if (state->curframe + 1 >= MAX_CALL_FRAMES) {
f4d7e40a 2897 verbose(env, "the call stack of %d frames is too deep\n",
aada9ce6 2898 state->curframe + 2);
f4d7e40a
AS		 2899 return -E2BIG;
2900 }
2901
2902 target_insn = *insn_idx + insn->imm;
2903 subprog = find_subprog(env, target_insn + 1);
2904 if (subprog < 0) {
2905 verbose(env, "verifier bug. No program starts at insn %d\n",
2906 target_insn + 1);
2907 return -EFAULT;
2908 }
2909
2910 caller = state->frame[state->curframe];
2911 if (state->frame[state->curframe + 1]) {
2912 verbose(env, "verifier bug. Frame %d already allocated\n",
2913 state->curframe + 1);
2914 return -EFAULT;
2915 }
2916
2917 callee = kzalloc(sizeof(*callee), GFP_KERNEL);
2918 if (!callee)
2919 return -ENOMEM;
2920 state->frame[state->curframe + 1] = callee;
2921
2922 /* callee cannot access r0, r6 - r9 for reading and has to write
2923 * into its own stack before reading from it.
2924 * callee can read/write into caller's stack
2925 */
2926 init_func_state(env, callee,
2927 /* remember the callsite, it will be used by bpf_exit */
2928 *insn_idx /* callsite */,
2929 state->curframe + 1 /* frameno within this callchain */,
f910cefa 2930 subprog /* subprog number within this prog */);
f4d7e40a 2931
fd978bf7
JS		 2932 /* Transfer references to the callee */
2933 err = transfer_reference_state(callee, caller);
2934 if (err)
2935 return err;
2936
679c782d
EC		 2937 /* copy r1 - r5 args that callee can access. The copy includes parent
2938 * pointers, which connects us up to the liveness chain
2939 */
f4d7e40a
AS		 2940 for (i = BPF_REG_1; i <= BPF_REG_5; i++)
2941 callee->regs[i] = caller->regs[i];
2942
679c782d 2943 /* after the call registers r0 - r5 were scratched */
f4d7e40a
AS		 2944 for (i = 0; i < CALLER_SAVED_REGS; i++) {
2945 mark_reg_not_init(env, caller->regs, caller_saved[i]);
2946 check_reg_arg(env, caller_saved[i], DST_OP_NO_MARK);
2947 }
2948
2949 /* only increment it after check_reg_arg() finished */
2950 state->curframe++;
2951
2952 /* and go analyze first insn of the callee */
2953 *insn_idx = target_insn;
2954
06ee7115 2955 if (env->log.level & BPF_LOG_LEVEL) {
f4d7e40a
AS		 2956 verbose(env, "caller:\n");
2957 print_verifier_state(env, caller);
2958 verbose(env, "callee:\n");
2959 print_verifier_state(env, callee);
2960 }
2961 return 0;
2962}
2963
2964static int prepare_func_exit(struct bpf_verifier_env *env, int *insn_idx)
2965{
2966 struct bpf_verifier_state *state = env->cur_state;
2967 struct bpf_func_state *caller, *callee;
2968 struct bpf_reg_state *r0;
fd978bf7 2969 int err;
f4d7e40a
AS		 2970
2971 callee = state->frame[state->curframe];
2972 r0 = &callee->regs[BPF_REG_0];
2973 if (r0->type == PTR_TO_STACK) {
2974 /* technically it's ok to return caller's stack pointer
2975 * (or caller's caller's pointer) back to the caller,
2976 * since these pointers are valid. Only current stack
2977 * pointer will be invalid as soon as function exits,
2978 * but let's be conservative
2979 */
2980 verbose(env, "cannot return stack pointer to the caller\n");
2981 return -EINVAL;
2982 }
2983
2984 state->curframe--;
2985 caller = state->frame[state->curframe];
2986 /* return to the caller whatever r0 had in the callee */
2987 caller->regs[BPF_REG_0] = *r0;
2988
fd978bf7
JS		 2989 /* Transfer references to the caller */
2990 err = transfer_reference_state(caller, callee);
2991 if (err)
2992 return err;
2993
f4d7e40a 2994 *insn_idx = callee->callsite + 1;
06ee7115 2995 if (env->log.level & BPF_LOG_LEVEL) {
f4d7e40a
AS		 2996 verbose(env, "returning from callee:\n");
2997 print_verifier_state(env, callee);
2998 verbose(env, "to caller at %d:\n", *insn_idx);
2999 print_verifier_state(env, caller);
3000 }
3001 /* clear everything in the callee */
3002 free_func_state(callee);
3003 state->frame[state->curframe + 1] = NULL;
3004 return 0;
3005}
3006
849fa506
YS		 3007static void do_refine_retval_range(struct bpf_reg_state *regs, int ret_type,
3008 int func_id,
3009 struct bpf_call_arg_meta *meta)
3010{
3011 struct bpf_reg_state *ret_reg = &regs[BPF_REG_0];
3012
3013 if (ret_type != RET_INTEGER ||
3014 (func_id != BPF_FUNC_get_stack &&
3015 func_id != BPF_FUNC_probe_read_str))
3016 return;
3017
3018 ret_reg->smax_value = meta->msize_smax_value;
3019 ret_reg->umax_value = meta->msize_umax_value;
3020 __reg_deduce_bounds(ret_reg);
3021 __reg_bound_offset(ret_reg);
3022}
3023
c93552c4
DB		 3024static int
3025record_func_map(struct bpf_verifier_env *env, struct bpf_call_arg_meta *meta,
3026 int func_id, int insn_idx)
3027{
3028 struct bpf_insn_aux_data *aux = &env->insn_aux_data[insn_idx];
3029
3030 if (func_id != BPF_FUNC_tail_call &&
09772d92
DB		 3031 func_id != BPF_FUNC_map_lookup_elem &&
3032 func_id != BPF_FUNC_map_update_elem &&
f1a2e44a
MV		 3033 func_id != BPF_FUNC_map_delete_elem &&
3034 func_id != BPF_FUNC_map_push_elem &&
3035 func_id != BPF_FUNC_map_pop_elem &&
3036 func_id != BPF_FUNC_map_peek_elem)
c93552c4 3037 return 0;
09772d92 3038
c93552c4
DB		 3039 if (meta->map_ptr == NULL) {
3040 verbose(env, "kernel subsystem misconfigured verifier\n");
3041 return -EINVAL;
3042 }
3043
3044 if (!BPF_MAP_PTR(aux->map_state))
3045 bpf_map_ptr_store(aux, meta->map_ptr,
3046 meta->map_ptr->unpriv_array);
3047 else if (BPF_MAP_PTR(aux->map_state) != meta->map_ptr)
3048 bpf_map_ptr_store(aux, BPF_MAP_PTR_POISON,
3049 meta->map_ptr->unpriv_array);
3050 return 0;
3051}
3052
fd978bf7
JS		 3053static int check_reference_leak(struct bpf_verifier_env *env)
3054{
3055 struct bpf_func_state *state = cur_func(env);
3056 int i;
3057
3058 for (i = 0; i < state->acquired_refs; i++) {
3059 verbose(env, "Unreleased reference id=%d alloc_insn=%d\n",
3060 state->refs[i].id, state->refs[i].insn_idx);
3061 }
3062 return state->acquired_refs ? -EINVAL : 0;
3063}
3064
f4d7e40a 3065static int check_helper_call(struct bpf_verifier_env *env, int func_id, int insn_idx)
17a52670 3066{
17a52670 3067 const struct bpf_func_proto *fn = NULL;
638f5b90 3068 struct bpf_reg_state *regs;
33ff9823 3069 struct bpf_call_arg_meta meta;
969bf05e 3070 bool changes_data;
17a52670
AS		 3071 int i, err;
3072
3073 /* find function prototype */
3074 if (func_id < 0 || func_id >= __BPF_FUNC_MAX_ID) {
61bd5218
JK		 3075 verbose(env, "invalid func %s#%d\n", func_id_name(func_id),
3076 func_id);
17a52670
AS		 3077 return -EINVAL;
3078 }
3079
00176a34 3080 if (env->ops->get_func_proto)
5e43f899 3081 fn = env->ops->get_func_proto(func_id, env->prog);
17a52670 3082 if (!fn) {
61bd5218
JK		 3083 verbose(env, "unknown func %s#%d\n", func_id_name(func_id),
3084 func_id);
17a52670
AS		 3085 return -EINVAL;
3086 }
3087
3088 /* eBPF programs must be GPL compatible to use GPL-ed functions */
24701ece 3089 if (!env->prog->gpl_compatible && fn->gpl_only) {
3fe2867c 3090 verbose(env, "cannot call GPL-restricted function from non-GPL compatible program\n");
17a52670
AS		 3091 return -EINVAL;
3092 }
3093
04514d13 3094 /* With LD_ABS/IND some JITs save/restore skb from r1. */
17bedab2 3095 changes_data = bpf_helper_changes_pkt_data(fn->func);
04514d13
DB		 3096 if (changes_data && fn->arg1_type != ARG_PTR_TO_CTX) {
3097 verbose(env, "kernel subsystem misconfigured func %s#%d: r1 != ctx\n",
3098 func_id_name(func_id), func_id);
3099 return -EINVAL;
3100 }
969bf05e 3101
33ff9823 3102 memset(&meta, 0, sizeof(meta));
36bbef52 3103 meta.pkt_access = fn->pkt_access;
33ff9823 3104
1b986589 3105 err = check_func_proto(fn, func_id);
435faee1 3106 if (err) {
61bd5218 3107 verbose(env, "kernel subsystem misconfigured func %s#%d\n",
ebb676da 3108 func_id_name(func_id), func_id);
435faee1
DB		 3109 return err;
3110 }
3111
d83525ca 3112 meta.func_id = func_id;
17a52670 3113 /* check args */
33ff9823 3114 err = check_func_arg(env, BPF_REG_1, fn->arg1_type, &meta);
17a52670
AS		 3115 if (err)
3116 return err;
33ff9823 3117 err = check_func_arg(env, BPF_REG_2, fn->arg2_type, &meta);
17a52670
AS		 3118 if (err)
3119 return err;
33ff9823 3120 err = check_func_arg(env, BPF_REG_3, fn->arg3_type, &meta);
17a52670
AS		 3121 if (err)
3122 return err;
33ff9823 3123 err = check_func_arg(env, BPF_REG_4, fn->arg4_type, &meta);
17a52670
AS		 3124 if (err)
3125 return err;
33ff9823 3126 err = check_func_arg(env, BPF_REG_5, fn->arg5_type, &meta);
17a52670
AS		 3127 if (err)
3128 return err;
3129
c93552c4
DB		 3130 err = record_func_map(env, &meta, func_id, insn_idx);
3131 if (err)
3132 return err;
3133
435faee1
DB		 3134 /* Mark slots with STACK_MISC in case of raw mode, stack offset
3135 * is inferred from register state.
3136 */
3137 for (i = 0; i < meta.access_size; i++) {
ca369602
DB		 3138 err = check_mem_access(env, insn_idx, meta.regno, i, BPF_B,
3139 BPF_WRITE, -1, false);
435faee1
DB		 3140 if (err)
3141 return err;
3142 }
3143
fd978bf7
JS		 3144 if (func_id == BPF_FUNC_tail_call) {
3145 err = check_reference_leak(env);
3146 if (err) {
3147 verbose(env, "tail_call would lead to reference leak\n");
3148 return err;
3149 }
3150 } else if (is_release_function(func_id)) {
1b986589 3151 err = release_reference(env, meta.ref_obj_id);
46f8bc92
MKL		 3152 if (err) {
3153 verbose(env, "func %s#%d reference has not been acquired before\n",
3154 func_id_name(func_id), func_id);
fd978bf7 3155 return err;
46f8bc92 3156 }
fd978bf7
JS		 3157 }
3158
638f5b90 3159 regs = cur_regs(env);
cd339431
RG		 3160
3161 /* check that flags argument in get_local_storage(map, flags) is 0,
3162 * this is required because get_local_storage() can't return an error.
3163 */
3164 if (func_id == BPF_FUNC_get_local_storage &&
3165 !register_is_null(&regs[BPF_REG_2])) {
3166 verbose(env, "get_local_storage() doesn't support non-zero flags\n");
3167 return -EINVAL;
3168 }
3169
17a52670 3170 /* reset caller saved regs */
dc503a8a 3171 for (i = 0; i < CALLER_SAVED_REGS; i++) {
61bd5218 3172 mark_reg_not_init(env, regs, caller_saved[i]);
dc503a8a
EC		 3173 check_reg_arg(env, caller_saved[i], DST_OP_NO_MARK);
3174 }
17a52670 3175
dc503a8a 3176 /* update return register (already marked as written above) */
17a52670 3177 if (fn->ret_type == RET_INTEGER) {
f1174f77 3178 /* sets type to SCALAR_VALUE */
61bd5218 3179 mark_reg_unknown(env, regs, BPF_REG_0);
17a52670
AS		 3180 } else if (fn->ret_type == RET_VOID) {
3181 regs[BPF_REG_0].type = NOT_INIT;
3e6a4b3e
RG		 3182 } else if (fn->ret_type == RET_PTR_TO_MAP_VALUE_OR_NULL ||
3183 fn->ret_type == RET_PTR_TO_MAP_VALUE) {
f1174f77 3184 /* There is no offset yet applied, variable or fixed */
61bd5218 3185 mark_reg_known_zero(env, regs, BPF_REG_0);
17a52670
AS		 3186 /* remember map_ptr, so that check_map_access()
3187 * can check 'value_size' boundary of memory access
3188 * to map element returned from bpf_map_lookup_elem()
3189 */
33ff9823 3190 if (meta.map_ptr == NULL) {
61bd5218
JK		 3191 verbose(env,
3192 "kernel subsystem misconfigured verifier\n");
17a52670
AS		 3193 return -EINVAL;
3194 }
33ff9823 3195 regs[BPF_REG_0].map_ptr = meta.map_ptr;
4d31f301
DB		 3196 if (fn->ret_type == RET_PTR_TO_MAP_VALUE) {
3197 regs[BPF_REG_0].type = PTR_TO_MAP_VALUE;
e16d2f1a
AS		 3198 if (map_value_has_spin_lock(meta.map_ptr))
3199 regs[BPF_REG_0].id = ++env->id_gen;
4d31f301
DB		 3200 } else {
3201 regs[BPF_REG_0].type = PTR_TO_MAP_VALUE_OR_NULL;
3202 regs[BPF_REG_0].id = ++env->id_gen;
3203 }
c64b7983
JS		 3204 } else if (fn->ret_type == RET_PTR_TO_SOCKET_OR_NULL) {
3205 mark_reg_known_zero(env, regs, BPF_REG_0);
3206 regs[BPF_REG_0].type = PTR_TO_SOCKET_OR_NULL;
0f3adc28 3207 regs[BPF_REG_0].id = ++env->id_gen;
85a51f8c
LB		 3208 } else if (fn->ret_type == RET_PTR_TO_SOCK_COMMON_OR_NULL) {
3209 mark_reg_known_zero(env, regs, BPF_REG_0);
3210 regs[BPF_REG_0].type = PTR_TO_SOCK_COMMON_OR_NULL;
3211 regs[BPF_REG_0].id = ++env->id_gen;
655a51e5
MKL		 3212 } else if (fn->ret_type == RET_PTR_TO_TCP_SOCK_OR_NULL) {
3213 mark_reg_known_zero(env, regs, BPF_REG_0);
3214 regs[BPF_REG_0].type = PTR_TO_TCP_SOCK_OR_NULL;
3215 regs[BPF_REG_0].id = ++env->id_gen;
17a52670 3216 } else {
61bd5218 3217 verbose(env, "unknown return type %d of func %s#%d\n",
ebb676da 3218 fn->ret_type, func_id_name(func_id), func_id);
17a52670
AS		 3219 return -EINVAL;
3220 }
04fd61ab 3221
0f3adc28 3222 if (is_ptr_cast_function(func_id)) {
1b986589
MKL		 3223 /* For release_reference() */
3224 regs[BPF_REG_0].ref_obj_id = meta.ref_obj_id;
0f3adc28
LB		 3225 } else if (is_acquire_function(func_id)) {
3226 int id = acquire_reference_state(env, insn_idx);
3227
3228 if (id < 0)
3229 return id;
3230 /* For mark_ptr_or_null_reg() */
3231 regs[BPF_REG_0].id = id;
3232 /* For release_reference() */
3233 regs[BPF_REG_0].ref_obj_id = id;
3234 }
1b986589 3235
849fa506
YS		 3236 do_refine_retval_range(regs, fn->ret_type, func_id, &meta);
3237
61bd5218 3238 err = check_map_func_compatibility(env, meta.map_ptr, func_id);
35578d79
KX		 3239 if (err)
3240 return err;
04fd61ab 3241
c195651e
YS		 3242 if (func_id == BPF_FUNC_get_stack && !env->prog->has_callchain_buf) {
3243 const char *err_str;
3244
3245#ifdef CONFIG_PERF_EVENTS
3246 err = get_callchain_buffers(sysctl_perf_event_max_stack);
3247 err_str = "cannot get callchain buffer for func %s#%d\n";
3248#else
3249 err = -ENOTSUPP;
3250 err_str = "func %s#%d not supported without CONFIG_PERF_EVENTS\n";
3251#endif
3252 if (err) {
3253 verbose(env, err_str, func_id_name(func_id), func_id);
3254 return err;
3255 }
3256
3257 env->prog->has_callchain_buf = true;
3258 }
3259
969bf05e
AS		 3260 if (changes_data)
3261 clear_all_pkt_pointers(env);
3262 return 0;
3263}
3264
b03c9f9f
EC		 3265static bool signed_add_overflows(s64 a, s64 b)
3266{
3267 /* Do the add in u64, where overflow is well-defined */
3268 s64 res = (s64)((u64)a + (u64)b);
3269
3270 if (b < 0)
3271 return res > a;
3272 return res < a;
3273}
3274
3275static bool signed_sub_overflows(s64 a, s64 b)
3276{
3277 /* Do the sub in u64, where overflow is well-defined */
3278 s64 res = (s64)((u64)a - (u64)b);
3279
3280 if (b < 0)
3281 return res < a;
3282 return res > a;
969bf05e
AS		 3283}
3284
bb7f0f98
AS		 3285static bool check_reg_sane_offset(struct bpf_verifier_env *env,
3286 const struct bpf_reg_state *reg,
3287 enum bpf_reg_type type)
3288{
3289 bool known = tnum_is_const(reg->var_off);
3290 s64 val = reg->var_off.value;
3291 s64 smin = reg->smin_value;
3292
3293 if (known && (val >= BPF_MAX_VAR_OFF || val <= -BPF_MAX_VAR_OFF)) {
3294 verbose(env, "math between %s pointer and %lld is not allowed\n",
3295 reg_type_str[type], val);
3296 return false;
3297 }
3298
3299 if (reg->off >= BPF_MAX_VAR_OFF || reg->off <= -BPF_MAX_VAR_OFF) {
3300 verbose(env, "%s pointer offset %d is not allowed\n",
3301 reg_type_str[type], reg->off);
3302 return false;
3303 }
3304
3305 if (smin == S64_MIN) {
3306 verbose(env, "math between %s pointer and register with unbounded min value is not allowed\n",
3307 reg_type_str[type]);
3308 return false;
3309 }
3310
3311 if (smin >= BPF_MAX_VAR_OFF || smin <= -BPF_MAX_VAR_OFF) {
3312 verbose(env, "value %lld makes %s pointer be out of bounds\n",
3313 smin, reg_type_str[type]);
3314 return false;
3315 }
3316
3317 return true;
3318}
3319
979d63d5
DB		 3320static struct bpf_insn_aux_data *cur_aux(struct bpf_verifier_env *env)
3321{
3322 return &env->insn_aux_data[env->insn_idx];
3323}
3324
3325static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg,
3326 u32 *ptr_limit, u8 opcode, bool off_is_neg)
3327{
3328 bool mask_to_left = (opcode == BPF_ADD && off_is_neg) ||
3329 (opcode == BPF_SUB && !off_is_neg);
3330 u32 off;
3331
3332 switch (ptr_reg->type) {
3333 case PTR_TO_STACK:
3334 off = ptr_reg->off + ptr_reg->var_off.value;
3335 if (mask_to_left)
3336 *ptr_limit = MAX_BPF_STACK + off;
3337 else
3338 *ptr_limit = -off;
3339 return 0;
3340 case PTR_TO_MAP_VALUE:
3341 if (mask_to_left) {
3342 *ptr_limit = ptr_reg->umax_value + ptr_reg->off;
3343 } else {
3344 off = ptr_reg->smin_value + ptr_reg->off;
3345 *ptr_limit = ptr_reg->map_ptr->value_size - off;
3346 }
3347 return 0;
3348 default:
3349 return -EINVAL;
3350 }
3351}
3352
d3bd7413
DB		 3353static bool can_skip_alu_sanitation(const struct bpf_verifier_env *env,
3354 const struct bpf_insn *insn)
3355{
3356 return env->allow_ptr_leaks || BPF_SRC(insn->code) == BPF_K;
3357}
3358
3359static int update_alu_sanitation_state(struct bpf_insn_aux_data *aux,
3360 u32 alu_state, u32 alu_limit)
3361{
3362 /* If we arrived here from different branches with different
3363 * state or limits to sanitize, then this won't work.
3364 */
3365 if (aux->alu_state &&
3366 (aux->alu_state != alu_state ||
3367 aux->alu_limit != alu_limit))
3368 return -EACCES;
3369
3370 /* Corresponding fixup done in fixup_bpf_calls(). */
3371 aux->alu_state = alu_state;
3372 aux->alu_limit = alu_limit;
3373 return 0;
3374}
3375
3376static int sanitize_val_alu(struct bpf_verifier_env *env,
3377 struct bpf_insn *insn)
3378{
3379 struct bpf_insn_aux_data *aux = cur_aux(env);
3380
3381 if (can_skip_alu_sanitation(env, insn))
3382 return 0;
3383
3384 return update_alu_sanitation_state(aux, BPF_ALU_NON_POINTER, 0);
3385}
3386
979d63d5
DB		 3387static int sanitize_ptr_alu(struct bpf_verifier_env *env,
3388 struct bpf_insn *insn,
3389 const struct bpf_reg_state *ptr_reg,
3390 struct bpf_reg_state *dst_reg,
3391 bool off_is_neg)
3392{
3393 struct bpf_verifier_state *vstate = env->cur_state;
3394 struct bpf_insn_aux_data *aux = cur_aux(env);
3395 bool ptr_is_dst_reg = ptr_reg == dst_reg;
3396 u8 opcode = BPF_OP(insn->code);
3397 u32 alu_state, alu_limit;
3398 struct bpf_reg_state tmp;
3399 bool ret;
3400
d3bd7413 3401 if (can_skip_alu_sanitation(env, insn))
979d63d5
DB		 3402 return 0;
3403
3404 /* We already marked aux for masking from non-speculative
3405 * paths, thus we got here in the first place. We only care
3406 * to explore bad access from here.
3407 */
3408 if (vstate->speculative)
3409 goto do_sim;
3410
3411 alu_state = off_is_neg ? BPF_ALU_NEG_VALUE : 0;
3412 alu_state |= ptr_is_dst_reg ?
3413 BPF_ALU_SANITIZE_SRC : BPF_ALU_SANITIZE_DST;
3414
3415 if (retrieve_ptr_limit(ptr_reg, &alu_limit, opcode, off_is_neg))
3416 return 0;
d3bd7413 3417 if (update_alu_sanitation_state(aux, alu_state, alu_limit))
979d63d5 3418 return -EACCES;
979d63d5
DB		 3419do_sim:
3420 /* Simulate and find potential out-of-bounds access under
3421 * speculative execution from truncation as a result of
3422 * masking when off was not within expected range. If off
3423 * sits in dst, then we temporarily need to move ptr there
3424 * to simulate dst (== 0) +/-= ptr. Needed, for example,
3425 * for cases where we use K-based arithmetic in one direction
3426 * and truncated reg-based in the other in order to explore
3427 * bad access.
3428 */
3429 if (!ptr_is_dst_reg) {
3430 tmp = *dst_reg;
3431 *dst_reg = *ptr_reg;
3432 }
3433 ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true);
0803278b 3434 if (!ptr_is_dst_reg && ret)
979d63d5
DB		 3435 *dst_reg = tmp;
3436 return !ret ? -EFAULT : 0;
3437}
3438
f1174f77 3439/* Handles arithmetic on a pointer and a scalar: computes new min/max and var_off.
f1174f77
EC		 3440 * Caller should also handle BPF_MOV case separately.
3441 * If we return -EACCES, caller may want to try again treating pointer as a
3442 * scalar. So we only emit a diagnostic if !env->allow_ptr_leaks.
3443 */
3444static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
3445 struct bpf_insn *insn,
3446 const struct bpf_reg_state *ptr_reg,
3447 const struct bpf_reg_state *off_reg)
969bf05e 3448{
f4d7e40a
AS		 3449 struct bpf_verifier_state *vstate = env->cur_state;
3450 struct bpf_func_state *state = vstate->frame[vstate->curframe];
3451 struct bpf_reg_state *regs = state->regs, *dst_reg;
f1174f77 3452 bool known = tnum_is_const(off_reg->var_off);
b03c9f9f
EC		 3453 s64 smin_val = off_reg->smin_value, smax_val = off_reg->smax_value,
3454 smin_ptr = ptr_reg->smin_value, smax_ptr = ptr_reg->smax_value;
3455 u64 umin_val = off_reg->umin_value, umax_val = off_reg->umax_value,
3456 umin_ptr = ptr_reg->umin_value, umax_ptr = ptr_reg->umax_value;
9d7eceed 3457 u32 dst = insn->dst_reg, src = insn->src_reg;
969bf05e 3458 u8 opcode = BPF_OP(insn->code);
979d63d5 3459 int ret;
969bf05e 3460
f1174f77 3461 dst_reg = &regs[dst];
969bf05e 3462
6f16101e
DB		 3463 if ((known && (smin_val != smax_val || umin_val != umax_val)) ||
3464 smin_val > smax_val || umin_val > umax_val) {
3465 /* Taint dst register if offset had invalid bounds derived from
3466 * e.g. dead branches.
3467 */
3468 __mark_reg_unknown(dst_reg);
3469 return 0;
f1174f77
EC		 3470 }
3471
3472 if (BPF_CLASS(insn->code) != BPF_ALU64) {
3473 /* 32-bit ALU ops on pointers produce (meaningless) scalars */
82abbf8d
AS		 3474 verbose(env,
3475 "R%d 32-bit pointer arithmetic prohibited\n",
3476 dst);
f1174f77 3477 return -EACCES;
969bf05e
AS		 3478 }
3479
aad2eeaf
JS		 3480 switch (ptr_reg->type) {
3481 case PTR_TO_MAP_VALUE_OR_NULL:
3482 verbose(env, "R%d pointer arithmetic on %s prohibited, null-check it first\n",
3483 dst, reg_type_str[ptr_reg->type]);
f1174f77 3484 return -EACCES;
aad2eeaf
JS		 3485 case CONST_PTR_TO_MAP:
3486 case PTR_TO_PACKET_END:
c64b7983
JS		 3487 case PTR_TO_SOCKET:
3488 case PTR_TO_SOCKET_OR_NULL:
46f8bc92
MKL		 3489 case PTR_TO_SOCK_COMMON:
3490 case PTR_TO_SOCK_COMMON_OR_NULL:
655a51e5
MKL		 3491 case PTR_TO_TCP_SOCK:
3492 case PTR_TO_TCP_SOCK_OR_NULL:
aad2eeaf
JS		 3493 verbose(env, "R%d pointer arithmetic on %s prohibited\n",
3494 dst, reg_type_str[ptr_reg->type]);
f1174f77 3495 return -EACCES;
9d7eceed
DB		 3496 case PTR_TO_MAP_VALUE:
3497 if (!env->allow_ptr_leaks && !known && (smin_val < 0) != (smax_val < 0)) {
3498 verbose(env, "R%d has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root\n",
3499 off_reg == dst_reg ? dst : src);
3500 return -EACCES;
3501 }
3502 /* fall-through */
aad2eeaf
JS		 3503 default:
3504 break;
f1174f77
EC		 3505 }
3506
3507 /* In case of 'scalar += pointer', dst_reg inherits pointer type and id.
3508 * The id may be overwritten later if we create a new variable offset.
969bf05e 3509 */
f1174f77
EC		 3510 dst_reg->type = ptr_reg->type;
3511 dst_reg->id = ptr_reg->id;
969bf05e 3512
bb7f0f98
AS		 3513 if (!check_reg_sane_offset(env, off_reg, ptr_reg->type) ||
3514 !check_reg_sane_offset(env, ptr_reg, ptr_reg->type))
3515 return -EINVAL;
3516
f1174f77
EC		 3517 switch (opcode) {
3518 case BPF_ADD:
979d63d5
DB		 3519 ret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0);
3520 if (ret < 0) {
3521 verbose(env, "R%d tried to add from different maps or paths\n", dst);
3522 return ret;
3523 }
f1174f77
EC		 3524 /* We can take a fixed offset as long as it doesn't overflow
3525 * the s32 'off' field
969bf05e 3526 */
b03c9f9f
EC		 3527 if (known && (ptr_reg->off + smin_val ==
3528 (s64)(s32)(ptr_reg->off + smin_val))) {
f1174f77 3529 /* pointer += K. Accumulate it into fixed offset */
b03c9f9f
EC		 3530 dst_reg->smin_value = smin_ptr;
3531 dst_reg->smax_value = smax_ptr;
3532 dst_reg->umin_value = umin_ptr;
3533 dst_reg->umax_value = umax_ptr;
f1174f77 3534 dst_reg->var_off = ptr_reg->var_off;
b03c9f9f 3535 dst_reg->off = ptr_reg->off + smin_val;
0962590e 3536 dst_reg->raw = ptr_reg->raw;
f1174f77
EC		 3537 break;
3538 }
f1174f77
EC		 3539 /* A new variable offset is created. Note that off_reg->off
3540 * == 0, since it's a scalar.
3541 * dst_reg gets the pointer type and since some positive
3542 * integer value was added to the pointer, give it a new 'id'
3543 * if it's a PTR_TO_PACKET.
3544 * this creates a new 'base' pointer, off_reg (variable) gets
3545 * added into the variable offset, and we copy the fixed offset
3546 * from ptr_reg.
969bf05e 3547 */
b03c9f9f
EC		 3548 if (signed_add_overflows(smin_ptr, smin_val) ||
3549 signed_add_overflows(smax_ptr, smax_val)) {
3550 dst_reg->smin_value = S64_MIN;
3551 dst_reg->smax_value = S64_MAX;
3552 } else {
3553 dst_reg->smin_value = smin_ptr + smin_val;
3554 dst_reg->smax_value = smax_ptr + smax_val;
3555 }
3556 if (umin_ptr + umin_val < umin_ptr ||
3557 umax_ptr + umax_val < umax_ptr) {
3558 dst_reg->umin_value = 0;
3559 dst_reg->umax_value = U64_MAX;
3560 } else {
3561 dst_reg->umin_value = umin_ptr + umin_val;
3562 dst_reg->umax_value = umax_ptr + umax_val;
3563 }
f1174f77
EC		 3564 dst_reg->var_off = tnum_add(ptr_reg->var_off, off_reg->var_off);
3565 dst_reg->off = ptr_reg->off;
0962590e 3566 dst_reg->raw = ptr_reg->raw;
de8f3a83 3567 if (reg_is_pkt_pointer(ptr_reg)) {
f1174f77
EC		 3568 dst_reg->id = ++env->id_gen;
3569 /* something was added to pkt_ptr, set range to zero */
0962590e 3570 dst_reg->raw = 0;
f1174f77
EC		 3571 }
3572 break;
3573 case BPF_SUB:
979d63d5
DB		 3574 ret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0);
3575 if (ret < 0) {
3576 verbose(env, "R%d tried to sub from different maps or paths\n", dst);
3577 return ret;
3578 }
f1174f77
EC		 3579 if (dst_reg == off_reg) {
3580 /* scalar -= pointer. Creates an unknown scalar */
82abbf8d
AS		 3581 verbose(env, "R%d tried to subtract pointer from scalar\n",
3582 dst);
f1174f77
EC		 3583 return -EACCES;
3584 }
3585 /* We don't allow subtraction from FP, because (according to
3586 * test_verifier.c test "invalid fp arithmetic", JITs might not
3587 * be able to deal with it.
969bf05e 3588 */
f1174f77 3589 if (ptr_reg->type == PTR_TO_STACK) {
82abbf8d
AS		 3590 verbose(env, "R%d subtraction from stack pointer prohibited\n",
3591 dst);
f1174f77
EC		 3592 return -EACCES;
3593 }
b03c9f9f
EC		 3594 if (known && (ptr_reg->off - smin_val ==
3595 (s64)(s32)(ptr_reg->off - smin_val))) {
f1174f77 3596 /* pointer -= K. Subtract it from fixed offset */
b03c9f9f
EC		 3597 dst_reg->smin_value = smin_ptr;
3598 dst_reg->smax_value = smax_ptr;
3599 dst_reg->umin_value = umin_ptr;
3600 dst_reg->umax_value = umax_ptr;
f1174f77
EC		 3601 dst_reg->var_off = ptr_reg->var_off;
3602 dst_reg->id = ptr_reg->id;
b03c9f9f 3603 dst_reg->off = ptr_reg->off - smin_val;
0962590e 3604 dst_reg->raw = ptr_reg->raw;
f1174f77
EC		 3605 break;
3606 }
f1174f77
EC		 3607 /* A new variable offset is created. If the subtrahend is known
3608 * nonnegative, then any reg->range we had before is still good.
969bf05e 3609 */
b03c9f9f
EC		 3610 if (signed_sub_overflows(smin_ptr, smax_val) ||
3611 signed_sub_overflows(smax_ptr, smin_val)) {
3612 /* Overflow possible, we know nothing */
3613 dst_reg->smin_value = S64_MIN;
3614 dst_reg->smax_value = S64_MAX;
3615 } else {
3616 dst_reg->smin_value = smin_ptr - smax_val;
3617 dst_reg->smax_value = smax_ptr - smin_val;
3618 }
3619 if (umin_ptr < umax_val) {
3620 /* Overflow possible, we know nothing */
3621 dst_reg->umin_value = 0;
3622 dst_reg->umax_value = U64_MAX;
3623 } else {
3624 /* Cannot overflow (as long as bounds are consistent) */
3625 dst_reg->umin_value = umin_ptr - umax_val;
3626 dst_reg->umax_value = umax_ptr - umin_val;
3627 }
f1174f77
EC		 3628 dst_reg->var_off = tnum_sub(ptr_reg->var_off, off_reg->var_off);
3629 dst_reg->off = ptr_reg->off;
0962590e 3630 dst_reg->raw = ptr_reg->raw;
de8f3a83 3631 if (reg_is_pkt_pointer(ptr_reg)) {
f1174f77
EC		 3632 dst_reg->id = ++env->id_gen;
3633 /* something was added to pkt_ptr, set range to zero */
b03c9f9f 3634 if (smin_val < 0)
0962590e 3635 dst_reg->raw = 0;
43188702 3636 }
f1174f77
EC		 3637 break;
3638 case BPF_AND:
3639 case BPF_OR:
3640 case BPF_XOR:
82abbf8d
AS		 3641 /* bitwise ops on pointers are troublesome, prohibit. */
3642 verbose(env, "R%d bitwise operator %s on pointer prohibited\n",
3643 dst, bpf_alu_string[opcode >> 4]);
f1174f77
EC		 3644 return -EACCES;
3645 default:
3646 /* other operators (e.g. MUL,LSH) produce non-pointer results */
82abbf8d
AS		 3647 verbose(env, "R%d pointer arithmetic with %s operator prohibited\n",
3648 dst, bpf_alu_string[opcode >> 4]);
f1174f77 3649 return -EACCES;
43188702
JF		 3650 }
3651
bb7f0f98
AS		 3652 if (!check_reg_sane_offset(env, dst_reg, ptr_reg->type))
3653 return -EINVAL;
3654
b03c9f9f
EC		 3655 __update_reg_bounds(dst_reg);
3656 __reg_deduce_bounds(dst_reg);
3657 __reg_bound_offset(dst_reg);
0d6303db
DB		 3658
3659 /* For unprivileged we require that resulting offset must be in bounds
3660 * in order to be able to sanitize access later on.
3661 */
e4298d25
DB		 3662 if (!env->allow_ptr_leaks) {
3663 if (dst_reg->type == PTR_TO_MAP_VALUE &&
3664 check_map_access(env, dst, dst_reg->off, 1, false)) {
3665 verbose(env, "R%d pointer arithmetic of map value goes out of range, "
3666 "prohibited for !root\n", dst);
3667 return -EACCES;
3668 } else if (dst_reg->type == PTR_TO_STACK &&
3669 check_stack_access(env, dst_reg, dst_reg->off +
3670 dst_reg->var_off.value, 1)) {
3671 verbose(env, "R%d stack pointer arithmetic goes out of range, "
3672 "prohibited for !root\n", dst);
3673 return -EACCES;
3674 }
0d6303db
DB		 3675 }
3676
43188702
JF		 3677 return 0;
3678}
3679
468f6eaf
JH		 3680/* WARNING: This function does calculations on 64-bit values, but the actual
3681 * execution may occur on 32-bit values. Therefore, things like bitshifts
3682 * need extra checks in the 32-bit case.
3683 */
f1174f77
EC		 3684static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
3685 struct bpf_insn *insn,
3686 struct bpf_reg_state *dst_reg,
3687 struct bpf_reg_state src_reg)
969bf05e 3688{
638f5b90 3689 struct bpf_reg_state *regs = cur_regs(env);
48461135 3690 u8 opcode = BPF_OP(insn->code);
f1174f77 3691 bool src_known, dst_known;
b03c9f9f
EC		 3692 s64 smin_val, smax_val;
3693 u64 umin_val, umax_val;
468f6eaf 3694 u64 insn_bitness = (BPF_CLASS(insn->code) == BPF_ALU64) ? 64 : 32;
d3bd7413
DB		 3695 u32 dst = insn->dst_reg;
3696 int ret;
48461135 3697
b799207e
JH		 3698 if (insn_bitness == 32) {
3699 /* Relevant for 32-bit RSH: Information can propagate towards
3700 * LSB, so it isn't sufficient to only truncate the output to
3701 * 32 bits.
3702 */
3703 coerce_reg_to_size(dst_reg, 4);
3704 coerce_reg_to_size(&src_reg, 4);
3705 }
3706
b03c9f9f
EC		 3707 smin_val = src_reg.smin_value;
3708 smax_val = src_reg.smax_value;
3709 umin_val = src_reg.umin_value;
3710 umax_val = src_reg.umax_value;
f1174f77
EC		 3711 src_known = tnum_is_const(src_reg.var_off);
3712 dst_known = tnum_is_const(dst_reg->var_off);
f23cc643 3713
6f16101e
DB		 3714 if ((src_known && (smin_val != smax_val || umin_val != umax_val)) ||
3715 smin_val > smax_val || umin_val > umax_val) {
3716 /* Taint dst register if offset had invalid bounds derived from
3717 * e.g. dead branches.
3718 */
3719 __mark_reg_unknown(dst_reg);
3720 return 0;
3721 }
3722
bb7f0f98
AS		 3723 if (!src_known &&
3724 opcode != BPF_ADD && opcode != BPF_SUB && opcode != BPF_AND) {
3725 __mark_reg_unknown(dst_reg);
3726 return 0;
3727 }
3728
48461135
JB		 3729 switch (opcode) {
3730 case BPF_ADD:
d3bd7413
DB		 3731 ret = sanitize_val_alu(env, insn);
3732 if (ret < 0) {
3733 verbose(env, "R%d tried to add from different pointers or scalars\n", dst);
3734 return ret;
3735 }
b03c9f9f
EC		 3736 if (signed_add_overflows(dst_reg->smin_value, smin_val) ||
3737 signed_add_overflows(dst_reg->smax_value, smax_val)) {
3738 dst_reg->smin_value = S64_MIN;
3739 dst_reg->smax_value = S64_MAX;
3740 } else {
3741 dst_reg->smin_value += smin_val;
3742 dst_reg->smax_value += smax_val;
3743 }
3744 if (dst_reg->umin_value + umin_val < umin_val ||
3745 dst_reg->umax_value + umax_val < umax_val) {
3746 dst_reg->umin_value = 0;
3747 dst_reg->umax_value = U64_MAX;
3748 } else {
3749 dst_reg->umin_value += umin_val;
3750 dst_reg->umax_value += umax_val;
3751 }
f1174f77 3752 dst_reg->var_off = tnum_add(dst_reg->var_off, src_reg.var_off);
48461135
JB		 3753 break;
3754 case BPF_SUB:
d3bd7413
DB		 3755 ret = sanitize_val_alu(env, insn);
3756 if (ret < 0) {
3757 verbose(env, "R%d tried to sub from different pointers or scalars\n", dst);
3758 return ret;
3759 }
b03c9f9f
EC		 3760 if (signed_sub_overflows(dst_reg->smin_value, smax_val) ||
3761 signed_sub_overflows(dst_reg->smax_value, smin_val)) {
3762 /* Overflow possible, we know nothing */
3763 dst_reg->smin_value = S64_MIN;
3764 dst_reg->smax_value = S64_MAX;
3765 } else {
3766 dst_reg->smin_value -= smax_val;
3767 dst_reg->smax_value -= smin_val;
3768 }
3769 if (dst_reg->umin_value < umax_val) {
3770 /* Overflow possible, we know nothing */
3771 dst_reg->umin_value = 0;
3772 dst_reg->umax_value = U64_MAX;
3773 } else {
3774 /* Cannot overflow (as long as bounds are consistent) */
3775 dst_reg->umin_value -= umax_val;
3776 dst_reg->umax_value -= umin_val;
3777 }
f1174f77 3778 dst_reg->var_off = tnum_sub(dst_reg->var_off, src_reg.var_off);
48461135
JB		 3779 break;
3780 case BPF_MUL:
b03c9f9f
EC		 3781 dst_reg->var_off = tnum_mul(dst_reg->var_off, src_reg.var_off);
3782 if (smin_val < 0 || dst_reg->smin_value < 0) {
f1174f77 3783 /* Ain't nobody got time to multiply that sign */
b03c9f9f
EC		 3784 __mark_reg_unbounded(dst_reg);
3785 __update_reg_bounds(dst_reg);
f1174f77
EC		 3786 break;
3787 }
b03c9f9f
EC		 3788 /* Both values are positive, so we can work with unsigned and
3789 * copy the result to signed (unless it exceeds S64_MAX).
f1174f77 3790 */
b03c9f9f
EC		 3791 if (umax_val > U32_MAX || dst_reg->umax_value > U32_MAX) {
3792 /* Potential overflow, we know nothing */
3793 __mark_reg_unbounded(dst_reg);
3794 /* (except what we can learn from the var_off) */
3795 __update_reg_bounds(dst_reg);
3796 break;
3797 }
3798 dst_reg->umin_value *= umin_val;
3799 dst_reg->umax_value *= umax_val;
3800 if (dst_reg->umax_value > S64_MAX) {
3801 /* Overflow possible, we know nothing */
3802 dst_reg->smin_value = S64_MIN;
3803 dst_reg->smax_value = S64_MAX;
3804 } else {
3805 dst_reg->smin_value = dst_reg->umin_value;
3806 dst_reg->smax_value = dst_reg->umax_value;
3807 }
48461135
JB		 3808 break;
3809 case BPF_AND:
f1174f77 3810 if (src_known && dst_known) {
b03c9f9f
EC		 3811 __mark_reg_known(dst_reg, dst_reg->var_off.value &
3812 src_reg.var_off.value);
f1174f77
EC		 3813 break;
3814 }
b03c9f9f
EC		 3815 /* We get our minimum from the var_off, since that's inherently
3816 * bitwise. Our maximum is the minimum of the operands' maxima.
f23cc643 3817 */
f1174f77 3818 dst_reg->var_off = tnum_and(dst_reg->var_off, src_reg.var_off);
b03c9f9f
EC		 3819 dst_reg->umin_value = dst_reg->var_off.value;
3820 dst_reg->umax_value = min(dst_reg->umax_value, umax_val);
3821 if (dst_reg->smin_value < 0 || smin_val < 0) {
3822 /* Lose signed bounds when ANDing negative numbers,
3823 * ain't nobody got time for that.
3824 */
3825 dst_reg->smin_value = S64_MIN;
3826 dst_reg->smax_value = S64_MAX;
3827 } else {
3828 /* ANDing two positives gives a positive, so safe to
3829 * cast result into s64.
3830 */
3831 dst_reg->smin_value = dst_reg->umin_value;
3832 dst_reg->smax_value = dst_reg->umax_value;
3833 }
3834 /* We may learn something more from the var_off */
3835 __update_reg_bounds(dst_reg);
f1174f77
EC		 3836 break;
3837 case BPF_OR:
3838 if (src_known && dst_known) {
b03c9f9f
EC		 3839 __mark_reg_known(dst_reg, dst_reg->var_off.value |
3840 src_reg.var_off.value);
f1174f77
EC		 3841 break;
3842 }
b03c9f9f
EC		 3843 /* We get our maximum from the var_off, and our minimum is the
3844 * maximum of the operands' minima
f1174f77
EC		 3845 */
3846 dst_reg->var_off = tnum_or(dst_reg->var_off, src_reg.var_off);
b03c9f9f
EC		 3847 dst_reg->umin_value = max(dst_reg->umin_value, umin_val);
3848 dst_reg->umax_value = dst_reg->var_off.value |
3849 dst_reg->var_off.mask;
3850 if (dst_reg->smin_value < 0 || smin_val < 0) {
3851 /* Lose signed bounds when ORing negative numbers,
3852 * ain't nobody got time for that.
3853 */
3854 dst_reg->smin_value = S64_MIN;
3855 dst_reg->smax_value = S64_MAX;
f1174f77 3856 } else {
b03c9f9f
EC		 3857 /* ORing two positives gives a positive, so safe to
3858 * cast result into s64.
3859 */
3860 dst_reg->smin_value = dst_reg->umin_value;
3861 dst_reg->smax_value = dst_reg->umax_value;
f1174f77 3862 }
b03c9f9f
EC		 3863 /* We may learn something more from the var_off */
3864 __update_reg_bounds(dst_reg);
48461135
JB		 3865 break;
3866 case BPF_LSH:
468f6eaf
JH		 3867 if (umax_val >= insn_bitness) {
3868 /* Shifts greater than 31 or 63 are undefined.
3869 * This includes shifts by a negative number.
b03c9f9f 3870 */
61bd5218 3871 mark_reg_unknown(env, regs, insn->dst_reg);
f1174f77
EC		 3872 break;
3873 }
b03c9f9f
EC		 3874 /* We lose all sign bit information (except what we can pick
3875 * up from var_off)
48461135 3876 */
b03c9f9f
EC		 3877 dst_reg->smin_value = S64_MIN;
3878 dst_reg->smax_value = S64_MAX;
3879 /* If we might shift our top bit out, then we know nothing */
3880 if (dst_reg->umax_value > 1ULL << (63 - umax_val)) {
3881 dst_reg->umin_value = 0;
3882 dst_reg->umax_value = U64_MAX;
d1174416 3883 } else {
b03c9f9f
EC		 3884 dst_reg->umin_value <<= umin_val;
3885 dst_reg->umax_value <<= umax_val;
d1174416 3886 }
afbe1a5b 3887 dst_reg->var_off = tnum_lshift(dst_reg->var_off, umin_val);
b03c9f9f
EC		 3888 /* We may learn something more from the var_off */
3889 __update_reg_bounds(dst_reg);
48461135
JB		 3890 break;
3891 case BPF_RSH:
468f6eaf
JH		 3892 if (umax_val >= insn_bitness) {
3893 /* Shifts greater than 31 or 63 are undefined.
3894 * This includes shifts by a negative number.
b03c9f9f 3895 */
61bd5218 3896 mark_reg_unknown(env, regs, insn->dst_reg);
f1174f77
EC		 3897 break;
3898 }
4374f256
EC		 3899 /* BPF_RSH is an unsigned shift. If the value in dst_reg might
3900 * be negative, then either:
3901 * 1) src_reg might be zero, so the sign bit of the result is
3902 * unknown, so we lose our signed bounds
3903 * 2) it's known negative, thus the unsigned bounds capture the
3904 * signed bounds
3905 * 3) the signed bounds cross zero, so they tell us nothing
3906 * about the result
3907 * If the value in dst_reg is known nonnegative, then again the
3908 * unsigned bounts capture the signed bounds.
3909 * Thus, in all cases it suffices to blow away our signed bounds
3910 * and rely on inferring new ones from the unsigned bounds and
3911 * var_off of the result.
3912 */
3913 dst_reg->smin_value = S64_MIN;
3914 dst_reg->smax_value = S64_MAX;
afbe1a5b 3915 dst_reg->var_off = tnum_rshift(dst_reg->var_off, umin_val);
b03c9f9f
EC		 3916 dst_reg->umin_value >>= umax_val;
3917 dst_reg->umax_value >>= umin_val;
3918 /* We may learn something more from the var_off */
3919 __update_reg_bounds(dst_reg);
48461135 3920 break;
9cbe1f5a
YS		 3921 case BPF_ARSH:
3922 if (umax_val >= insn_bitness) {
3923 /* Shifts greater than 31 or 63 are undefined.
3924 * This includes shifts by a negative number.
3925 */
3926 mark_reg_unknown(env, regs, insn->dst_reg);
3927 break;
3928 }
3929
3930 /* Upon reaching here, src_known is true and
3931 * umax_val is equal to umin_val.
3932 */
3933 dst_reg->smin_value >>= umin_val;
3934 dst_reg->smax_value >>= umin_val;
3935 dst_reg->var_off = tnum_arshift(dst_reg->var_off, umin_val);
3936
3937 /* blow away the dst_reg umin_value/umax_value and rely on
3938 * dst_reg var_off to refine the result.
3939 */
3940 dst_reg->umin_value = 0;
3941 dst_reg->umax_value = U64_MAX;
3942 __update_reg_bounds(dst_reg);
3943 break;
48461135 3944 default:
61bd5218 3945 mark_reg_unknown(env, regs, insn->dst_reg);
48461135
JB		 3946 break;
3947 }
3948
468f6eaf
JH		 3949 if (BPF_CLASS(insn->code) != BPF_ALU64) {
3950 /* 32-bit ALU ops are (32,32)->32 */
3951 coerce_reg_to_size(dst_reg, 4);
468f6eaf
JH		 3952 }
3953
b03c9f9f
EC		 3954 __reg_deduce_bounds(dst_reg);
3955 __reg_bound_offset(dst_reg);
f1174f77
EC		 3956 return 0;
3957}
3958
3959/* Handles ALU ops other than BPF_END, BPF_NEG and BPF_MOV: computes new min/max
3960 * and var_off.
3961 */
3962static int adjust_reg_min_max_vals(struct bpf_verifier_env *env,
3963 struct bpf_insn *insn)
3964{
f4d7e40a
AS		 3965 struct bpf_verifier_state *vstate = env->cur_state;
3966 struct bpf_func_state *state = vstate->frame[vstate->curframe];
3967 struct bpf_reg_state *regs = state->regs, *dst_reg, *src_reg;
f1174f77
EC		 3968 struct bpf_reg_state *ptr_reg = NULL, off_reg = {0};
3969 u8 opcode = BPF_OP(insn->code);
f1174f77
EC		 3970
3971 dst_reg = &regs[insn->dst_reg];
f1174f77
EC		 3972 src_reg = NULL;
3973 if (dst_reg->type != SCALAR_VALUE)
3974 ptr_reg = dst_reg;
3975 if (BPF_SRC(insn->code) == BPF_X) {
3976 src_reg = &regs[insn->src_reg];
f1174f77
EC		 3977 if (src_reg->type != SCALAR_VALUE) {
3978 if (dst_reg->type != SCALAR_VALUE) {
3979 /* Combining two pointers by any ALU op yields
82abbf8d
AS		 3980 * an arbitrary scalar. Disallow all math except
3981 * pointer subtraction
f1174f77 3982 */
dd066823 3983 if (opcode == BPF_SUB && env->allow_ptr_leaks) {
82abbf8d
AS		 3984 mark_reg_unknown(env, regs, insn->dst_reg);
3985 return 0;
f1174f77 3986 }
82abbf8d
AS		 3987 verbose(env, "R%d pointer %s pointer prohibited\n",
3988 insn->dst_reg,
3989 bpf_alu_string[opcode >> 4]);
3990 return -EACCES;
f1174f77
EC		 3991 } else {
3992 /* scalar += pointer
3993 * This is legal, but we have to reverse our
3994 * src/dest handling in computing the range
3995 */
82abbf8d
AS		 3996 return adjust_ptr_min_max_vals(env, insn,
3997 src_reg, dst_reg);
f1174f77
EC		 3998 }
3999 } else if (ptr_reg) {
4000 /* pointer += scalar */
82abbf8d
AS		 4001 return adjust_ptr_min_max_vals(env, insn,
4002 dst_reg, src_reg);
f1174f77
EC		 4003 }
4004 } else {
4005 /* Pretend the src is a reg with a known value, since we only
4006 * need to be able to read from this state.
4007 */
4008 off_reg.type = SCALAR_VALUE;
b03c9f9f 4009 __mark_reg_known(&off_reg, insn->imm);
f1174f77 4010 src_reg = &off_reg;
82abbf8d
AS		 4011 if (ptr_reg) /* pointer += K */
4012 return adjust_ptr_min_max_vals(env, insn,
4013 ptr_reg, src_reg);
f1174f77
EC		 4014 }
4015
4016 /* Got here implies adding two SCALAR_VALUEs */
4017 if (WARN_ON_ONCE(ptr_reg)) {
f4d7e40a 4018 print_verifier_state(env, state);
61bd5218 4019 verbose(env, "verifier internal error: unexpected ptr_reg\n");
f1174f77
EC		 4020 return -EINVAL;
4021 }
4022 if (WARN_ON(!src_reg)) {
f4d7e40a 4023 print_verifier_state(env, state);
61bd5218 4024 verbose(env, "verifier internal error: no src_reg\n");
f1174f77
EC		 4025 return -EINVAL;
4026 }
4027 return adjust_scalar_min_max_vals(env, insn, dst_reg, *src_reg);
48461135
JB		 4028}
4029
17a52670 4030/* check validity of 32-bit and 64-bit arithmetic operations */
58e2af8b 4031static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
17a52670 4032{
638f5b90 4033 struct bpf_reg_state *regs = cur_regs(env);
17a52670
AS		 4034 u8 opcode = BPF_OP(insn->code);
4035 int err;
4036
4037 if (opcode == BPF_END || opcode == BPF_NEG) {
4038 if (opcode == BPF_NEG) {
4039 if (BPF_SRC(insn->code) != 0 ||
4040 insn->src_reg != BPF_REG_0 ||
4041 insn->off != 0 || insn->imm != 0) {
61bd5218 4042 verbose(env, "BPF_NEG uses reserved fields\n");
17a52670
AS		 4043 return -EINVAL;
4044 }
4045 } else {
4046 if (insn->src_reg != BPF_REG_0 || insn->off != 0 ||
e67b8a68
EC		 4047 (insn->imm != 16 && insn->imm != 32 && insn->imm != 64) ||
4048 BPF_CLASS(insn->code) == BPF_ALU64) {
61bd5218 4049 verbose(env, "BPF_END uses reserved fields\n");
17a52670
AS		 4050 return -EINVAL;
4051 }
4052 }
4053
4054 /* check src operand */
dc503a8a 4055 err = check_reg_arg(env, insn->dst_reg, SRC_OP);
17a52670
AS		 4056 if (err)
4057 return err;
4058
1be7f75d 4059 if (is_pointer_value(env, insn->dst_reg)) {
61bd5218 4060 verbose(env, "R%d pointer arithmetic prohibited\n",
1be7f75d
AS		 4061 insn->dst_reg);
4062 return -EACCES;
4063 }
4064
17a52670 4065 /* check dest operand */
dc503a8a 4066 err = check_reg_arg(env, insn->dst_reg, DST_OP);
17a52670
AS		 4067 if (err)
4068 return err;
4069
4070 } else if (opcode == BPF_MOV) {
4071
4072 if (BPF_SRC(insn->code) == BPF_X) {
4073 if (insn->imm != 0 || insn->off != 0) {
61bd5218 4074 verbose(env, "BPF_MOV uses reserved fields\n");
17a52670
AS		 4075 return -EINVAL;
4076 }
4077
4078 /* check src operand */
dc503a8a 4079 err = check_reg_arg(env, insn->src_reg, SRC_OP);
17a52670
AS		 4080 if (err)
4081 return err;
4082 } else {
4083 if (insn->src_reg != BPF_REG_0 || insn->off != 0) {
61bd5218 4084 verbose(env, "BPF_MOV uses reserved fields\n");
17a52670
AS		 4085 return -EINVAL;
4086 }
4087 }
4088
fbeb1603
AF		 4089 /* check dest operand, mark as required later */
4090 err = check_reg_arg(env, insn->dst_reg, DST_OP_NO_MARK);
17a52670
AS		 4091 if (err)
4092 return err;
4093
4094 if (BPF_SRC(insn->code) == BPF_X) {
e434b8cd
JW		 4095 struct bpf_reg_state *src_reg = regs + insn->src_reg;
4096 struct bpf_reg_state *dst_reg = regs + insn->dst_reg;
4097
17a52670
AS		 4098 if (BPF_CLASS(insn->code) == BPF_ALU64) {
4099 /* case: R1 = R2
4100 * copy register state to dest reg
4101 */
e434b8cd
JW		 4102 *dst_reg = *src_reg;
4103 dst_reg->live |= REG_LIVE_WRITTEN;
17a52670 4104 } else {
f1174f77 4105 /* R1 = (u32) R2 */
1be7f75d 4106 if (is_pointer_value(env, insn->src_reg)) {
61bd5218
JK		 4107 verbose(env,
4108 "R%d partial copy of pointer\n",
1be7f75d
AS		 4109 insn->src_reg);
4110 return -EACCES;
e434b8cd
JW		 4111 } else if (src_reg->type == SCALAR_VALUE) {
4112 *dst_reg = *src_reg;
4113 dst_reg->live |= REG_LIVE_WRITTEN;
4114 } else {
4115 mark_reg_unknown(env, regs,
4116 insn->dst_reg);
1be7f75d 4117 }
e434b8cd 4118 coerce_reg_to_size(dst_reg, 4);
17a52670
AS		 4119 }
4120 } else {
4121 /* case: R = imm
4122 * remember the value we stored into this reg
4123 */
fbeb1603
AF		 4124 /* clear any state __mark_reg_known doesn't set */
4125 mark_reg_unknown(env, regs, insn->dst_reg);
f1174f77 4126 regs[insn->dst_reg].type = SCALAR_VALUE;
95a762e2
JH		 4127 if (BPF_CLASS(insn->code) == BPF_ALU64) {
4128 __mark_reg_known(regs + insn->dst_reg,
4129 insn->imm);
4130 } else {
4131 __mark_reg_known(regs + insn->dst_reg,
4132 (u32)insn->imm);
4133 }
17a52670
AS		 4134 }
4135
4136 } else if (opcode > BPF_END) {
61bd5218 4137 verbose(env, "invalid BPF_ALU opcode %x\n", opcode);
17a52670
AS		 4138 return -EINVAL;
4139
4140 } else { /* all other ALU ops: and, sub, xor, add, ... */
4141
17a52670
AS		 4142 if (BPF_SRC(insn->code) == BPF_X) {
4143 if (insn->imm != 0 || insn->off != 0) {
61bd5218 4144 verbose(env, "BPF_ALU uses reserved fields\n");
17a52670
AS		 4145 return -EINVAL;
4146 }
4147 /* check src1 operand */
dc503a8a 4148 err = check_reg_arg(env, insn->src_reg, SRC_OP);
17a52670
AS		 4149 if (err)
4150 return err;
4151 } else {
4152 if (insn->src_reg != BPF_REG_0 || insn->off != 0) {
61bd5218 4153 verbose(env, "BPF_ALU uses reserved fields\n");
17a52670
AS		 4154 return -EINVAL;
4155 }
4156 }
4157
4158 /* check src2 operand */
dc503a8a 4159 err = check_reg_arg(env, insn->dst_reg, SRC_OP);
17a52670
AS		 4160 if (err)
4161 return err;
4162
4163 if ((opcode == BPF_MOD || opcode == BPF_DIV) &&
4164 BPF_SRC(insn->code) == BPF_K && insn->imm == 0) {
61bd5218 4165 verbose(env, "div by zero\n");
17a52670
AS		 4166 return -EINVAL;
4167 }
4168
229394e8
RV		 4169 if ((opcode == BPF_LSH || opcode == BPF_RSH ||
4170 opcode == BPF_ARSH) && BPF_SRC(insn->code) == BPF_K) {
4171 int size = BPF_CLASS(insn->code) == BPF_ALU64 ? 64 : 32;
4172
4173 if (insn->imm < 0 || insn->imm >= size) {
61bd5218 4174 verbose(env, "invalid shift %d\n", insn->imm);
229394e8
RV		 4175 return -EINVAL;
4176 }
4177 }
4178
1a0dc1ac 4179 /* check dest operand */
dc503a8a 4180 err = check_reg_arg(env, insn->dst_reg, DST_OP_NO_MARK);
1a0dc1ac
AS		 4181 if (err)
4182 return err;
4183
f1174f77 4184 return adjust_reg_min_max_vals(env, insn);
17a52670
AS		 4185 }
4186
4187 return 0;
4188}
4189
f4d7e40a 4190static void find_good_pkt_pointers(struct bpf_verifier_state *vstate,
de8f3a83 4191 struct bpf_reg_state *dst_reg,
f8ddadc4 4192 enum bpf_reg_type type,
fb2a311a 4193 bool range_right_open)
969bf05e 4194{
f4d7e40a 4195 struct bpf_func_state *state = vstate->frame[vstate->curframe];
58e2af8b 4196 struct bpf_reg_state *regs = state->regs, *reg;
fb2a311a 4197 u16 new_range;
f4d7e40a 4198 int i, j;
2d2be8ca 4199
fb2a311a
DB		 4200 if (dst_reg->off < 0 ||
4201 (dst_reg->off == 0 && range_right_open))
f1174f77
EC		 4202 /* This doesn't give us any range */
4203 return;
4204
b03c9f9f
EC		 4205 if (dst_reg->umax_value > MAX_PACKET_OFF ||
4206 dst_reg->umax_value + dst_reg->off > MAX_PACKET_OFF)
f1174f77
EC		 4207 /* Risk of overflow. For instance, ptr + (1<<63) may be less
4208 * than pkt_end, but that's because it's also less than pkt.
4209 */
4210 return;
4211
fb2a311a
DB		 4212 new_range = dst_reg->off;
4213 if (range_right_open)
4214 new_range--;
4215
4216 /* Examples for register markings:
2d2be8ca 4217 *
fb2a311a 4218 * pkt_data in dst register:
2d2be8ca
DB		 4219 *
4220 * r2 = r3;
4221 * r2 += 8;
4222 * if (r2 > pkt_end) goto <handle exception>
4223 * <access okay>
4224 *
b4e432f1
DB		 4225 * r2 = r3;
4226 * r2 += 8;
4227 * if (r2 < pkt_end) goto <access okay>
4228 * <handle exception>
4229 *
2d2be8ca
DB		 4230 * Where:
4231 * r2 == dst_reg, pkt_end == src_reg
4232 * r2=pkt(id=n,off=8,r=0)
4233 * r3=pkt(id=n,off=0,r=0)
4234 *
fb2a311a 4235 * pkt_data in src register:
2d2be8ca
DB		 4236 *
4237 * r2 = r3;
4238 * r2 += 8;
4239 * if (pkt_end >= r2) goto <access okay>
4240 * <handle exception>
4241 *
b4e432f1
DB		 4242 * r2 = r3;
4243 * r2 += 8;
4244 * if (pkt_end <= r2) goto <handle exception>
4245 * <access okay>
4246 *
2d2be8ca
DB		 4247 * Where:
4248 * pkt_end == dst_reg, r2 == src_reg
4249 * r2=pkt(id=n,off=8,r=0)
4250 * r3=pkt(id=n,off=0,r=0)
4251 *
4252 * Find register r3 and mark its range as r3=pkt(id=n,off=0,r=8)
fb2a311a
DB		 4253 * or r3=pkt(id=n,off=0,r=8-1), so that range of bytes [r3, r3 + 8)
4254 * and [r3, r3 + 8-1) respectively is safe to access depending on
4255 * the check.
969bf05e 4256 */
2d2be8ca 4257
f1174f77
EC		 4258 /* If our ids match, then we must have the same max_value. And we
4259 * don't care about the other reg's fixed offset, since if it's too big
4260 * the range won't allow anything.
4261 * dst_reg->off is known < MAX_PACKET_OFF, therefore it fits in a u16.
4262 */
969bf05e 4263 for (i = 0; i < MAX_BPF_REG; i++)
de8f3a83 4264 if (regs[i].type == type && regs[i].id == dst_reg->id)
b1977682 4265 /* keep the maximum range already checked */
fb2a311a 4266 regs[i].range = max(regs[i].range, new_range);
969bf05e 4267
f4d7e40a
AS		 4268 for (j = 0; j <= vstate->curframe; j++) {
4269 state = vstate->frame[j];
f3709f69
JS		 4270 bpf_for_each_spilled_reg(i, state, reg) {
4271 if (!reg)
f4d7e40a 4272 continue;
f4d7e40a
AS		 4273 if (reg->type == type && reg->id == dst_reg->id)
4274 reg->range = max(reg->range, new_range);
4275 }
969bf05e
AS		 4276 }
4277}
4278
4f7b3e82
AS		 4279/* compute branch direction of the expression "if (reg opcode val) goto target;"
4280 * and return:
4281 * 1 - branch will be taken and "goto target" will be executed
4282 * 0 - branch will not be taken and fall-through to next insn
4283 * -1 - unknown. Example: "if (reg < 5)" is unknown when register value range [0,10]
4284 */
092ed096
JW		 4285static int is_branch_taken(struct bpf_reg_state *reg, u64 val, u8 opcode,
4286 bool is_jmp32)
4f7b3e82 4287{
092ed096 4288 struct bpf_reg_state reg_lo;
a72dafaf
JW		 4289 s64 sval;
4290
4f7b3e82
AS		 4291 if (__is_pointer_value(false, reg))
4292 return -1;
4293
092ed096
JW		 4294 if (is_jmp32) {
4295 reg_lo = *reg;
4296 reg = &reg_lo;
4297 /* For JMP32, only low 32 bits are compared, coerce_reg_to_size
4298 * could truncate high bits and update umin/umax according to
4299 * information of low bits.
4300 */
4301 coerce_reg_to_size(reg, 4);
4302 /* smin/smax need special handling. For example, after coerce,
4303 * if smin_value is 0x00000000ffffffffLL, the value is -1 when
4304 * used as operand to JMP32. It is a negative number from s32's
4305 * point of view, while it is a positive number when seen as
4306 * s64. The smin/smax are kept as s64, therefore, when used with
4307 * JMP32, they need to be transformed into s32, then sign
4308 * extended back to s64.
4309 *
4310 * Also, smin/smax were copied from umin/umax. If umin/umax has
4311 * different sign bit, then min/max relationship doesn't
4312 * maintain after casting into s32, for this case, set smin/smax
4313 * to safest range.
4314 */
4315 if ((reg->umax_value ^ reg->umin_value) &
4316 (1ULL << 31)) {
4317 reg->smin_value = S32_MIN;
4318 reg->smax_value = S32_MAX;
4319 }
4320 reg->smin_value = (s64)(s32)reg->smin_value;
4321 reg->smax_value = (s64)(s32)reg->smax_value;
4322
4323 val = (u32)val;
4324 sval = (s64)(s32)val;
4325 } else {
4326 sval = (s64)val;
4327 }
a72dafaf 4328
4f7b3e82
AS		 4329 switch (opcode) {
4330 case BPF_JEQ:
4331 if (tnum_is_const(reg->var_off))
4332 return !!tnum_equals_const(reg->var_off, val);
4333 break;
4334 case BPF_JNE:
4335 if (tnum_is_const(reg->var_off))
4336 return !tnum_equals_const(reg->var_off, val);
4337 break;
960ea056
JK		 4338 case BPF_JSET:
4339 if ((~reg->var_off.mask & reg->var_off.value) & val)
4340 return 1;
4341 if (!((reg->var_off.mask | reg->var_off.value) & val))
4342 return 0;
4343 break;
4f7b3e82
AS		 4344 case BPF_JGT:
4345 if (reg->umin_value > val)
4346 return 1;
4347 else if (reg->umax_value <= val)
4348 return 0;
4349 break;
4350 case BPF_JSGT:
a72dafaf 4351 if (reg->smin_value > sval)
4f7b3e82 4352 return 1;
a72dafaf 4353 else if (reg->smax_value < sval)
4f7b3e82
AS		 4354 return 0;
4355 break;
4356 case BPF_JLT:
4357 if (reg->umax_value < val)
4358 return 1;
4359 else if (reg->umin_value >= val)
4360 return 0;
4361 break;
4362 case BPF_JSLT:
a72dafaf 4363 if (reg->smax_value < sval)
4f7b3e82 4364 return 1;
a72dafaf 4365 else if (reg->smin_value >= sval)
4f7b3e82
AS		 4366 return 0;
4367 break;
4368 case BPF_JGE:
4369 if (reg->umin_value >= val)
4370 return 1;
4371 else if (reg->umax_value < val)
4372 return 0;
4373 break;
4374 case BPF_JSGE:
a72dafaf 4375 if (reg->smin_value >= sval)
4f7b3e82 4376 return 1;
a72dafaf 4377 else if (reg->smax_value < sval)
4f7b3e82
AS		 4378 return 0;
4379 break;
4380 case BPF_JLE:
4381 if (reg->umax_value <= val)
4382 return 1;
4383 else if (reg->umin_value > val)
4384 return 0;
4385 break;
4386 case BPF_JSLE:
a72dafaf 4387 if (reg->smax_value <= sval)
4f7b3e82 4388 return 1;
a72dafaf 4389 else if (reg->smin_value > sval)
4f7b3e82
AS		 4390 return 0;
4391 break;
4392 }
4393
4394 return -1;
4395}
4396
092ed096
JW		 4397/* Generate min value of the high 32-bit from TNUM info. */
4398static u64 gen_hi_min(struct tnum var)
4399{
4400 return var.value & ~0xffffffffULL;
4401}
4402
4403/* Generate max value of the high 32-bit from TNUM info. */
4404static u64 gen_hi_max(struct tnum var)
4405{
4406 return (var.value | var.mask) & ~0xffffffffULL;
4407}
4408
4409/* Return true if VAL is compared with a s64 sign extended from s32, and they
4410 * are with the same signedness.
4411 */
4412static bool cmp_val_with_extended_s64(s64 sval, struct bpf_reg_state *reg)
4413{
4414 return ((s32)sval >= 0 &&
4415 reg->smin_value >= 0 && reg->smax_value <= S32_MAX) ||
4416 ((s32)sval < 0 &&
4417 reg->smax_value <= 0 && reg->smin_value >= S32_MIN);
4418}
4419
48461135
JB		 4420/* Adjusts the register min/max values in the case that the dst_reg is the
4421 * variable register that we are working on, and src_reg is a constant or we're
4422 * simply doing a BPF_K check.
f1174f77 4423 * In JEQ/JNE cases we also adjust the var_off values.
48461135
JB		 4424 */
4425static void reg_set_min_max(struct bpf_reg_state *true_reg,
4426 struct bpf_reg_state *false_reg, u64 val,
092ed096 4427 u8 opcode, bool is_jmp32)
48461135 4428{
a72dafaf
JW		 4429 s64 sval;
4430
f1174f77
EC		 4431 /* If the dst_reg is a pointer, we can't learn anything about its
4432 * variable offset from the compare (unless src_reg were a pointer into
4433 * the same object, but we don't bother with that.
4434 * Since false_reg and true_reg have the same type by construction, we
4435 * only need to check one of them for pointerness.
4436 */
4437 if (__is_pointer_value(false, false_reg))
4438 return;
4cabc5b1 4439
092ed096
JW		 4440 val = is_jmp32 ? (u32)val : val;
4441 sval = is_jmp32 ? (s64)(s32)val : (s64)val;
a72dafaf 4442
48461135
JB		 4443 switch (opcode) {
4444 case BPF_JEQ:
48461135 4445 case BPF_JNE:
a72dafaf
JW		 4446 {
4447 struct bpf_reg_state *reg =
4448 opcode == BPF_JEQ ? true_reg : false_reg;
4449
4450 /* For BPF_JEQ, if this is false we know nothing Jon Snow, but
4451 * if it is true we know the value for sure. Likewise for
4452 * BPF_JNE.
48461135 4453 */
092ed096
JW		 4454 if (is_jmp32) {
4455 u64 old_v = reg->var_off.value;
4456 u64 hi_mask = ~0xffffffffULL;
4457
4458 reg->var_off.value = (old_v & hi_mask) | val;
4459 reg->var_off.mask &= hi_mask;
4460 } else {
4461 __mark_reg_known(reg, val);
4462 }
48461135 4463 break;
a72dafaf 4464 }
960ea056
JK		 4465 case BPF_JSET:
4466 false_reg->var_off = tnum_and(false_reg->var_off,
4467 tnum_const(~val));
4468 if (is_power_of_2(val))
4469 true_reg->var_off = tnum_or(true_reg->var_off,
4470 tnum_const(val));
4471 break;
48461135 4472 case BPF_JGE:
a72dafaf
JW		 4473 case BPF_JGT:
4474 {
4475 u64 false_umax = opcode == BPF_JGT ? val : val - 1;
4476 u64 true_umin = opcode == BPF_JGT ? val + 1 : val;
4477
092ed096
JW		 4478 if (is_jmp32) {
4479 false_umax += gen_hi_max(false_reg->var_off);
4480 true_umin += gen_hi_min(true_reg->var_off);
4481 }
a72dafaf
JW		 4482 false_reg->umax_value = min(false_reg->umax_value, false_umax);
4483 true_reg->umin_value = max(true_reg->umin_value, true_umin);
b03c9f9f 4484 break;
a72dafaf 4485 }
48461135 4486 case BPF_JSGE:
a72dafaf
JW		 4487 case BPF_JSGT:
4488 {
4489 s64 false_smax = opcode == BPF_JSGT ? sval : sval - 1;
4490 s64 true_smin = opcode == BPF_JSGT ? sval + 1 : sval;
4491
092ed096
JW		 4492 /* If the full s64 was not sign-extended from s32 then don't
4493 * deduct further info.
4494 */
4495 if (is_jmp32 && !cmp_val_with_extended_s64(sval, false_reg))
4496 break;
a72dafaf
JW		 4497 false_reg->smax_value = min(false_reg->smax_value, false_smax);
4498 true_reg->smin_value = max(true_reg->smin_value, true_smin);
48461135 4499 break;
a72dafaf 4500 }
b4e432f1 4501 case BPF_JLE:
a72dafaf
JW		 4502 case BPF_JLT:
4503 {
4504 u64 false_umin = opcode == BPF_JLT ? val : val + 1;
4505 u64 true_umax = opcode == BPF_JLT ? val - 1 : val;
4506
092ed096
JW		 4507 if (is_jmp32) {
4508 false_umin += gen_hi_min(false_reg->var_off);
4509 true_umax += gen_hi_max(true_reg->var_off);
4510 }
a72dafaf
JW		 4511 false_reg->umin_value = max(false_reg->umin_value, false_umin);
4512 true_reg->umax_value = min(true_reg->umax_value, true_umax);
b4e432f1 4513 break;
a72dafaf 4514 }
b4e432f1 4515 case BPF_JSLE:
a72dafaf
JW		 4516 case BPF_JSLT:
4517 {
4518 s64 false_smin = opcode == BPF_JSLT ? sval : sval + 1;
4519 s64 true_smax = opcode == BPF_JSLT ? sval - 1 : sval;
4520
092ed096
JW		 4521 if (is_jmp32 && !cmp_val_with_extended_s64(sval, false_reg))
4522 break;
a72dafaf
JW		 4523 false_reg->smin_value = max(false_reg->smin_value, false_smin);
4524 true_reg->smax_value = min(true_reg->smax_value, true_smax);
b4e432f1 4525 break;
a72dafaf 4526 }
48461135
JB		 4527 default:
4528 break;
4529 }
4530
b03c9f9f
EC		 4531 __reg_deduce_bounds(false_reg);
4532 __reg_deduce_bounds(true_reg);
4533 /* We might have learned some bits from the bounds. */
4534 __reg_bound_offset(false_reg);
4535 __reg_bound_offset(true_reg);
4536 /* Intersecting with the old var_off might have improved our bounds
4537 * slightly. e.g. if umax was 0x7f...f and var_off was (0; 0xf...fc),
4538 * then new var_off is (0; 0x7f...fc) which improves our umax.
4539 */
4540 __update_reg_bounds(false_reg);
4541 __update_reg_bounds(true_reg);
48461135
JB		 4542}
4543
f1174f77
EC		 4544/* Same as above, but for the case that dst_reg holds a constant and src_reg is
4545 * the variable reg.
48461135
JB		 4546 */
4547static void reg_set_min_max_inv(struct bpf_reg_state *true_reg,
4548 struct bpf_reg_state *false_reg, u64 val,
092ed096 4549 u8 opcode, bool is_jmp32)
48461135 4550{
a72dafaf
JW		 4551 s64 sval;
4552
f1174f77
EC		 4553 if (__is_pointer_value(false, false_reg))
4554 return;
4cabc5b1 4555
092ed096
JW		 4556 val = is_jmp32 ? (u32)val : val;
4557 sval = is_jmp32 ? (s64)(s32)val : (s64)val;
a72dafaf 4558
48461135
JB		 4559 switch (opcode) {
4560 case BPF_JEQ:
48461135 4561 case BPF_JNE:
a72dafaf
JW		 4562 {
4563 struct bpf_reg_state *reg =
4564 opcode == BPF_JEQ ? true_reg : false_reg;
4565
092ed096
JW		 4566 if (is_jmp32) {
4567 u64 old_v = reg->var_off.value;
4568 u64 hi_mask = ~0xffffffffULL;
4569
4570 reg->var_off.value = (old_v & hi_mask) | val;
4571 reg->var_off.mask &= hi_mask;
4572 } else {
4573 __mark_reg_known(reg, val);
4574 }
48461135 4575 break;
a72dafaf 4576 }
960ea056
JK		 4577 case BPF_JSET:
4578 false_reg->var_off = tnum_and(false_reg->var_off,
4579 tnum_const(~val));
4580 if (is_power_of_2(val))
4581 true_reg->var_off = tnum_or(true_reg->var_off,
4582 tnum_const(val));
4583 break;
48461135 4584 case BPF_JGE:
a72dafaf
JW		 4585 case BPF_JGT:
4586 {
4587 u64 false_umin = opcode == BPF_JGT ? val : val + 1;
4588 u64 true_umax = opcode == BPF_JGT ? val - 1 : val;
4589
092ed096
JW		 4590 if (is_jmp32) {
4591 false_umin += gen_hi_min(false_reg->var_off);
4592 true_umax += gen_hi_max(true_reg->var_off);
4593 }
a72dafaf
JW		 4594 false_reg->umin_value = max(false_reg->umin_value, false_umin);
4595 true_reg->umax_value = min(true_reg->umax_value, true_umax);
b03c9f9f 4596 break;
a72dafaf 4597 }
48461135 4598 case BPF_JSGE:
a72dafaf
JW		 4599 case BPF_JSGT:
4600 {
4601 s64 false_smin = opcode == BPF_JSGT ? sval : sval + 1;
4602 s64 true_smax = opcode == BPF_JSGT ? sval - 1 : sval;
4603
092ed096
JW		 4604 if (is_jmp32 && !cmp_val_with_extended_s64(sval, false_reg))
4605 break;
a72dafaf
JW		 4606 false_reg->smin_value = max(false_reg->smin_value, false_smin);
4607 true_reg->smax_value = min(true_reg->smax_value, true_smax);
48461135 4608 break;
a72dafaf 4609 }
b4e432f1 4610 case BPF_JLE:
a72dafaf
JW		 4611 case BPF_JLT:
4612 {
4613 u64 false_umax = opcode == BPF_JLT ? val : val - 1;
4614 u64 true_umin = opcode == BPF_JLT ? val + 1 : val;
4615
092ed096
JW		 4616 if (is_jmp32) {
4617 false_umax += gen_hi_max(false_reg->var_off);
4618 true_umin += gen_hi_min(true_reg->var_off);
4619 }
a72dafaf
JW		 4620 false_reg->umax_value = min(false_reg->umax_value, false_umax);
4621 true_reg->umin_value = max(true_reg->umin_value, true_umin);
b4e432f1 4622 break;
a72dafaf 4623 }
b4e432f1 4624 case BPF_JSLE:
a72dafaf
JW		 4625 case BPF_JSLT:
4626 {
4627 s64 false_smax = opcode == BPF_JSLT ? sval : sval - 1;
4628 s64 true_smin = opcode == BPF_JSLT ? sval + 1 : sval;
4629
092ed096
JW		 4630 if (is_jmp32 && !cmp_val_with_extended_s64(sval, false_reg))
4631 break;
a72dafaf
JW		 4632 false_reg->smax_value = min(false_reg->smax_value, false_smax);
4633 true_reg->smin_value = max(true_reg->smin_value, true_smin);
b4e432f1 4634 break;
a72dafaf 4635 }
48461135
JB		 4636 default:
4637 break;
4638 }
4639
b03c9f9f
EC		 4640 __reg_deduce_bounds(false_reg);
4641 __reg_deduce_bounds(true_reg);
4642 /* We might have learned some bits from the bounds. */
4643 __reg_bound_offset(false_reg);
4644 __reg_bound_offset(true_reg);
4645 /* Intersecting with the old var_off might have improved our bounds
4646 * slightly. e.g. if umax was 0x7f...f and var_off was (0; 0xf...fc),
4647 * then new var_off is (0; 0x7f...fc) which improves our umax.
4648 */
4649 __update_reg_bounds(false_reg);
4650 __update_reg_bounds(true_reg);
f1174f77
EC		 4651}
4652
4653/* Regs are known to be equal, so intersect their min/max/var_off */
4654static void __reg_combine_min_max(struct bpf_reg_state *src_reg,
4655 struct bpf_reg_state *dst_reg)
4656{
b03c9f9f
EC		 4657 src_reg->umin_value = dst_reg->umin_value = max(src_reg->umin_value,
4658 dst_reg->umin_value);
4659 src_reg->umax_value = dst_reg->umax_value = min(src_reg->umax_value,
4660 dst_reg->umax_value);
4661 src_reg->smin_value = dst_reg->smin_value = max(src_reg->smin_value,
4662 dst_reg->smin_value);
4663 src_reg->smax_value = dst_reg->smax_value = min(src_reg->smax_value,
4664 dst_reg->smax_value);
f1174f77
EC		 4665 src_reg->var_off = dst_reg->var_off = tnum_intersect(src_reg->var_off,
4666 dst_reg->var_off);
b03c9f9f
EC		 4667 /* We might have learned new bounds from the var_off. */
4668 __update_reg_bounds(src_reg);
4669 __update_reg_bounds(dst_reg);
4670 /* We might have learned something about the sign bit. */
4671 __reg_deduce_bounds(src_reg);
4672 __reg_deduce_bounds(dst_reg);
4673 /* We might have learned some bits from the bounds. */
4674 __reg_bound_offset(src_reg);
4675 __reg_bound_offset(dst_reg);
4676 /* Intersecting with the old var_off might have improved our bounds
4677 * slightly. e.g. if umax was 0x7f...f and var_off was (0; 0xf...fc),
4678 * then new var_off is (0; 0x7f...fc) which improves our umax.
4679 */
4680 __update_reg_bounds(src_reg);
4681 __update_reg_bounds(dst_reg);
f1174f77
EC		 4682}
4683
4684static void reg_combine_min_max(struct bpf_reg_state *true_src,
4685 struct bpf_reg_state *true_dst,
4686 struct bpf_reg_state *false_src,
4687 struct bpf_reg_state *false_dst,
4688 u8 opcode)
4689{
4690 switch (opcode) {
4691 case BPF_JEQ:
4692 __reg_combine_min_max(true_src, true_dst);
4693 break;
4694 case BPF_JNE:
4695 __reg_combine_min_max(false_src, false_dst);
b03c9f9f 4696 break;
4cabc5b1 4697 }
48461135
JB		 4698}
4699
fd978bf7
JS		 4700static void mark_ptr_or_null_reg(struct bpf_func_state *state,
4701 struct bpf_reg_state *reg, u32 id,
840b9615 4702 bool is_null)
57a09bf0 4703{
840b9615 4704 if (reg_type_may_be_null(reg->type) && reg->id == id) {
f1174f77
EC		 4705 /* Old offset (both fixed and variable parts) should
4706 * have been known-zero, because we don't allow pointer
4707 * arithmetic on pointers that might be NULL.
4708 */
b03c9f9f
EC		 4709 if (WARN_ON_ONCE(reg->smin_value || reg->smax_value ||
4710 !tnum_equals_const(reg->var_off, 0) ||
f1174f77 4711 reg->off)) {
b03c9f9f
EC		 4712 __mark_reg_known_zero(reg);
4713 reg->off = 0;
f1174f77
EC		 4714 }
4715 if (is_null) {
4716 reg->type = SCALAR_VALUE;
840b9615
JS		 4717 } else if (reg->type == PTR_TO_MAP_VALUE_OR_NULL) {
4718 if (reg->map_ptr->inner_map_meta) {
4719 reg->type = CONST_PTR_TO_MAP;
4720 reg->map_ptr = reg->map_ptr->inner_map_meta;
4721 } else {
4722 reg->type = PTR_TO_MAP_VALUE;
4723 }
c64b7983
JS		 4724 } else if (reg->type == PTR_TO_SOCKET_OR_NULL) {
4725 reg->type = PTR_TO_SOCKET;
46f8bc92
MKL		 4726 } else if (reg->type == PTR_TO_SOCK_COMMON_OR_NULL) {
4727 reg->type = PTR_TO_SOCK_COMMON;
655a51e5
MKL		 4728 } else if (reg->type == PTR_TO_TCP_SOCK_OR_NULL) {
4729 reg->type = PTR_TO_TCP_SOCK;
56f668df 4730 }
1b986589
MKL		 4731 if (is_null) {
4732 /* We don't need id and ref_obj_id from this point
4733 * onwards anymore, thus we should better reset it,
4734 * so that state pruning has chances to take effect.
4735 */
4736 reg->id = 0;
4737 reg->ref_obj_id = 0;
4738 } else if (!reg_may_point_to_spin_lock(reg)) {
4739 /* For not-NULL ptr, reg->ref_obj_id will be reset
4740 * in release_reg_references().
4741 *
4742 * reg->id is still used by spin_lock ptr. Other
4743 * than spin_lock ptr type, reg->id can be reset.
fd978bf7
JS		 4744 */
4745 reg->id = 0;
56f668df 4746 }
57a09bf0
TG		 4747 }
4748}
4749
4750/* The logic is similar to find_good_pkt_pointers(), both could eventually
4751 * be folded together at some point.
4752 */
840b9615
JS		 4753static void mark_ptr_or_null_regs(struct bpf_verifier_state *vstate, u32 regno,
4754 bool is_null)
57a09bf0 4755{
f4d7e40a 4756 struct bpf_func_state *state = vstate->frame[vstate->curframe];
f3709f69 4757 struct bpf_reg_state *reg, *regs = state->regs;
1b986589 4758 u32 ref_obj_id = regs[regno].ref_obj_id;
a08dd0da 4759 u32 id = regs[regno].id;
f4d7e40a 4760 int i, j;
57a09bf0 4761
1b986589
MKL		 4762 if (ref_obj_id && ref_obj_id == id && is_null)
4763 /* regs[regno] is in the " == NULL" branch.
4764 * No one could have freed the reference state before
4765 * doing the NULL check.
4766 */
4767 WARN_ON_ONCE(release_reference_state(state, id));
fd978bf7 4768
57a09bf0 4769 for (i = 0; i < MAX_BPF_REG; i++)
fd978bf7 4770 mark_ptr_or_null_reg(state, &regs[i], id, is_null);
57a09bf0 4771
f4d7e40a
AS		 4772 for (j = 0; j <= vstate->curframe; j++) {
4773 state = vstate->frame[j];
f3709f69
JS		 4774 bpf_for_each_spilled_reg(i, state, reg) {
4775 if (!reg)
f4d7e40a 4776 continue;
fd978bf7 4777 mark_ptr_or_null_reg(state, reg, id, is_null);
f4d7e40a 4778 }
57a09bf0
TG		 4779 }
4780}
4781
5beca081
DB		 4782static bool try_match_pkt_pointers(const struct bpf_insn *insn,
4783 struct bpf_reg_state *dst_reg,
4784 struct bpf_reg_state *src_reg,
4785 struct bpf_verifier_state *this_branch,
4786 struct bpf_verifier_state *other_branch)
4787{
4788 if (BPF_SRC(insn->code) != BPF_X)
4789 return false;
4790
092ed096
JW		 4791 /* Pointers are always 64-bit. */
4792 if (BPF_CLASS(insn->code) == BPF_JMP32)
4793 return false;
4794
5beca081
DB		 4795 switch (BPF_OP(insn->code)) {
4796 case BPF_JGT:
4797 if ((dst_reg->type == PTR_TO_PACKET &&
4798 src_reg->type == PTR_TO_PACKET_END) ||
4799 (dst_reg->type == PTR_TO_PACKET_META &&
4800 reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) {
4801 /* pkt_data' > pkt_end, pkt_meta' > pkt_data */
4802 find_good_pkt_pointers(this_branch, dst_reg,
4803 dst_reg->type, false);
4804 } else if ((dst_reg->type == PTR_TO_PACKET_END &&
4805 src_reg->type == PTR_TO_PACKET) ||
4806 (reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) &&
4807 src_reg->type == PTR_TO_PACKET_META)) {
4808 /* pkt_end > pkt_data', pkt_data > pkt_meta' */
4809 find_good_pkt_pointers(other_branch, src_reg,
4810 src_reg->type, true);
4811 } else {
4812 return false;
4813 }
4814 break;
4815 case BPF_JLT:
4816 if ((dst_reg->type == PTR_TO_PACKET &&
4817 src_reg->type == PTR_TO_PACKET_END) ||
4818 (dst_reg->type == PTR_TO_PACKET_META &&
4819 reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) {
4820 /* pkt_data' < pkt_end, pkt_meta' < pkt_data */
4821 find_good_pkt_pointers(other_branch, dst_reg,
4822 dst_reg->type, true);
4823 } else if ((dst_reg->type == PTR_TO_PACKET_END &&
4824 src_reg->type == PTR_TO_PACKET) ||
4825 (reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) &&
4826 src_reg->type == PTR_TO_PACKET_META)) {
4827 /* pkt_end < pkt_data', pkt_data > pkt_meta' */
4828 find_good_pkt_pointers(this_branch, src_reg,
4829 src_reg->type, false);
4830 } else {
4831 return false;
4832 }
4833 break;
4834 case BPF_JGE:
4835 if ((dst_reg->type == PTR_TO_PACKET &&
4836 src_reg->type == PTR_TO_PACKET_END) ||
4837 (dst_reg->type == PTR_TO_PACKET_META &&
4838 reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) {
4839 /* pkt_data' >= pkt_end, pkt_meta' >= pkt_data */
4840 find_good_pkt_pointers(this_branch, dst_reg,
4841 dst_reg->type, true);
4842 } else if ((dst_reg->type == PTR_TO_PACKET_END &&
4843 src_reg->type == PTR_TO_PACKET) ||
4844 (reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) &&
4845 src_reg->type == PTR_TO_PACKET_META)) {
4846 /* pkt_end >= pkt_data', pkt_data >= pkt_meta' */
4847 find_good_pkt_pointers(other_branch, src_reg,
4848 src_reg->type, false);
4849 } else {
4850 return false;
4851 }
4852 break;
4853 case BPF_JLE:
4854 if ((dst_reg->type == PTR_TO_PACKET &&
4855 src_reg->type == PTR_TO_PACKET_END) ||
4856 (dst_reg->type == PTR_TO_PACKET_META &&
4857 reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) {
4858 /* pkt_data' <= pkt_end, pkt_meta' <= pkt_data */
4859 find_good_pkt_pointers(other_branch, dst_reg,
4860 dst_reg->type, false);
4861 } else if ((dst_reg->type == PTR_TO_PACKET_END &&
4862 src_reg->type == PTR_TO_PACKET) ||
4863 (reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) &&
4864 src_reg->type == PTR_TO_PACKET_META)) {
4865 /* pkt_end <= pkt_data', pkt_data <= pkt_meta' */
4866 find_good_pkt_pointers(this_branch, src_reg,
4867 src_reg->type, true);
4868 } else {
4869 return false;
4870 }
4871 break;
4872 default:
4873 return false;
4874 }
4875
4876 return true;
4877}
4878
58e2af8b 4879static int check_cond_jmp_op(struct bpf_verifier_env *env,
17a52670
AS		 4880 struct bpf_insn *insn, int *insn_idx)
4881{
f4d7e40a
AS		 4882 struct bpf_verifier_state *this_branch = env->cur_state;
4883 struct bpf_verifier_state *other_branch;
4884 struct bpf_reg_state *regs = this_branch->frame[this_branch->curframe]->regs;
4885 struct bpf_reg_state *dst_reg, *other_branch_regs;
17a52670 4886 u8 opcode = BPF_OP(insn->code);
092ed096 4887 bool is_jmp32;
17a52670
AS		 4888 int err;
4889
092ed096
JW		 4890 /* Only conditional jumps are expected to reach here. */
4891 if (opcode == BPF_JA || opcode > BPF_JSLE) {
4892 verbose(env, "invalid BPF_JMP/JMP32 opcode %x\n", opcode);
17a52670
AS		 4893 return -EINVAL;
4894 }
4895
4896 if (BPF_SRC(insn->code) == BPF_X) {
4897 if (insn->imm != 0) {
092ed096 4898 verbose(env, "BPF_JMP/JMP32 uses reserved fields\n");
17a52670
AS		 4899 return -EINVAL;
4900 }
4901
4902 /* check src1 operand */
dc503a8a 4903 err = check_reg_arg(env, insn->src_reg, SRC_OP);
17a52670
AS		 4904 if (err)
4905 return err;
1be7f75d
AS		 4906
4907 if (is_pointer_value(env, insn->src_reg)) {
61bd5218 4908 verbose(env, "R%d pointer comparison prohibited\n",
1be7f75d
AS		 4909 insn->src_reg);
4910 return -EACCES;
4911 }
17a52670
AS		 4912 } else {
4913 if (insn->src_reg != BPF_REG_0) {
092ed096 4914 verbose(env, "BPF_JMP/JMP32 uses reserved fields\n");
17a52670
AS		 4915 return -EINVAL;
4916 }
4917 }
4918
4919 /* check src2 operand */
dc503a8a 4920 err = check_reg_arg(env, insn->dst_reg, SRC_OP);
17a52670
AS		 4921 if (err)
4922 return err;
4923
1a0dc1ac 4924 dst_reg = &regs[insn->dst_reg];
092ed096 4925 is_jmp32 = BPF_CLASS(insn->code) == BPF_JMP32;
1a0dc1ac 4926
4f7b3e82 4927 if (BPF_SRC(insn->code) == BPF_K) {
092ed096
JW		 4928 int pred = is_branch_taken(dst_reg, insn->imm, opcode,
4929 is_jmp32);
4f7b3e82
AS		 4930
4931 if (pred == 1) {
4932 /* only follow the goto, ignore fall-through */
17a52670
AS		 4933 *insn_idx += insn->off;
4934 return 0;
4f7b3e82
AS		 4935 } else if (pred == 0) {
4936 /* only follow fall-through branch, since
17a52670
AS		 4937 * that's where the program will go
4938 */
4939 return 0;
4940 }
4941 }
4942
979d63d5
DB		 4943 other_branch = push_stack(env, *insn_idx + insn->off + 1, *insn_idx,
4944 false);
17a52670
AS		 4945 if (!other_branch)
4946 return -EFAULT;
f4d7e40a 4947 other_branch_regs = other_branch->frame[other_branch->curframe]->regs;
17a52670 4948
48461135
JB		 4949 /* detect if we are comparing against a constant value so we can adjust
4950 * our min/max values for our dst register.
f1174f77
EC		 4951 * this is only legit if both are scalars (or pointers to the same
4952 * object, I suppose, but we don't support that right now), because
4953 * otherwise the different base pointers mean the offsets aren't
4954 * comparable.
48461135
JB		 4955 */
4956 if (BPF_SRC(insn->code) == BPF_X) {
092ed096
JW		 4957 struct bpf_reg_state *src_reg = &regs[insn->src_reg];
4958 struct bpf_reg_state lo_reg0 = *dst_reg;
4959 struct bpf_reg_state lo_reg1 = *src_reg;
4960 struct bpf_reg_state *src_lo, *dst_lo;
4961
4962 dst_lo = &lo_reg0;
4963 src_lo = &lo_reg1;
4964 coerce_reg_to_size(dst_lo, 4);
4965 coerce_reg_to_size(src_lo, 4);
4966
f1174f77 4967 if (dst_reg->type == SCALAR_VALUE &&
092ed096
JW		 4968 src_reg->type == SCALAR_VALUE) {
4969 if (tnum_is_const(src_reg->var_off) ||
4970 (is_jmp32 && tnum_is_const(src_lo->var_off)))
f4d7e40a 4971 reg_set_min_max(&other_branch_regs[insn->dst_reg],
092ed096
JW		 4972 dst_reg,
4973 is_jmp32
4974 ? src_lo->var_off.value
4975 : src_reg->var_off.value,
4976 opcode, is_jmp32);
4977 else if (tnum_is_const(dst_reg->var_off) ||
4978 (is_jmp32 && tnum_is_const(dst_lo->var_off)))
f4d7e40a 4979 reg_set_min_max_inv(&other_branch_regs[insn->src_reg],
092ed096
JW		 4980 src_reg,
4981 is_jmp32
4982 ? dst_lo->var_off.value
4983 : dst_reg->var_off.value,
4984 opcode, is_jmp32);
4985 else if (!is_jmp32 &&
4986 (opcode == BPF_JEQ || opcode == BPF_JNE))
f1174f77 4987 /* Comparing for equality, we can combine knowledge */
f4d7e40a
AS		 4988 reg_combine_min_max(&other_branch_regs[insn->src_reg],
4989 &other_branch_regs[insn->dst_reg],
092ed096 4990 src_reg, dst_reg, opcode);
f1174f77
EC		 4991 }
4992 } else if (dst_reg->type == SCALAR_VALUE) {
f4d7e40a 4993 reg_set_min_max(&other_branch_regs[insn->dst_reg],
092ed096 4994 dst_reg, insn->imm, opcode, is_jmp32);
48461135
JB		 4995 }
4996
092ed096
JW		 4997 /* detect if R == 0 where R is returned from bpf_map_lookup_elem().
4998 * NOTE: these optimizations below are related with pointer comparison
4999 * which will never be JMP32.
5000 */
5001 if (!is_jmp32 && BPF_SRC(insn->code) == BPF_K &&
1a0dc1ac 5002 insn->imm == 0 && (opcode == BPF_JEQ || opcode == BPF_JNE) &&
840b9615
JS		 5003 reg_type_may_be_null(dst_reg->type)) {
5004 /* Mark all identical registers in each branch as either
57a09bf0
TG		 5005 * safe or unknown depending R == 0 or R != 0 conditional.
5006 */
840b9615
JS		 5007 mark_ptr_or_null_regs(this_branch, insn->dst_reg,
5008 opcode == BPF_JNE);
5009 mark_ptr_or_null_regs(other_branch, insn->dst_reg,
5010 opcode == BPF_JEQ);
5beca081
DB		 5011 } else if (!try_match_pkt_pointers(insn, dst_reg, &regs[insn->src_reg],
5012 this_branch, other_branch) &&
5013 is_pointer_value(env, insn->dst_reg)) {
61bd5218
JK		 5014 verbose(env, "R%d pointer comparison prohibited\n",
5015 insn->dst_reg);
1be7f75d 5016 return -EACCES;
17a52670 5017 }
06ee7115 5018 if (env->log.level & BPF_LOG_LEVEL)
f4d7e40a 5019 print_verifier_state(env, this_branch->frame[this_branch->curframe]);
17a52670
AS		 5020 return 0;
5021}
5022
0246e64d
AS		 5023/* return the map pointer stored inside BPF_LD_IMM64 instruction */
5024static struct bpf_map *ld_imm64_to_map_ptr(struct bpf_insn *insn)
5025{
5026 u64 imm64 = ((u64) (u32) insn[0].imm) | ((u64) (u32) insn[1].imm) << 32;
5027
5028 return (struct bpf_map *) (unsigned long) imm64;
5029}
5030
17a52670 5031/* verify BPF_LD_IMM64 instruction */
58e2af8b 5032static int check_ld_imm(struct bpf_verifier_env *env, struct bpf_insn *insn)
17a52670 5033{
638f5b90 5034 struct bpf_reg_state *regs = cur_regs(env);
17a52670
AS		 5035 int err;
5036
5037 if (BPF_SIZE(insn->code) != BPF_DW) {
61bd5218 5038 verbose(env, "invalid BPF_LD_IMM insn\n");
17a52670
AS		 5039 return -EINVAL;
5040 }
5041 if (insn->off != 0) {
61bd5218 5042 verbose(env, "BPF_LD_IMM64 uses reserved fields\n");
17a52670
AS		 5043 return -EINVAL;
5044 }
5045
dc503a8a 5046 err = check_reg_arg(env, insn->dst_reg, DST_OP);
17a52670
AS		 5047 if (err)
5048 return err;
5049
6b173873 5050 if (insn->src_reg == 0) {
6b173873
JK		 5051 u64 imm = ((u64)(insn + 1)->imm << 32) | (u32)insn->imm;
5052
f1174f77 5053 regs[insn->dst_reg].type = SCALAR_VALUE;
b03c9f9f 5054 __mark_reg_known(&regs[insn->dst_reg], imm);
17a52670 5055 return 0;
6b173873 5056 }
17a52670
AS		 5057
5058 /* replace_map_fd_with_map_ptr() should have caught bad ld_imm64 */
5059 BUG_ON(insn->src_reg != BPF_PSEUDO_MAP_FD);
5060
5061 regs[insn->dst_reg].type = CONST_PTR_TO_MAP;
5062 regs[insn->dst_reg].map_ptr = ld_imm64_to_map_ptr(insn);
5063 return 0;
5064}
5065
96be4325
DB		 5066static bool may_access_skb(enum bpf_prog_type type)
5067{
5068 switch (type) {
5069 case BPF_PROG_TYPE_SOCKET_FILTER:
5070 case BPF_PROG_TYPE_SCHED_CLS:
94caee8c 5071 case BPF_PROG_TYPE_SCHED_ACT:
96be4325
DB		 5072 return true;
5073 default:
5074 return false;
5075 }
5076}
5077
ddd872bc
AS		 5078/* verify safety of LD_ABS|LD_IND instructions:
5079 * - they can only appear in the programs where ctx == skb
5080 * - since they are wrappers of function calls, they scratch R1-R5 registers,
5081 * preserve R6-R9, and store return value into R0
5082 *
5083 * Implicit input:
5084 * ctx == skb == R6 == CTX
5085 *
5086 * Explicit input:
5087 * SRC == any register
5088 * IMM == 32-bit immediate
5089 *
5090 * Output:
5091 * R0 - 8/16/32-bit skb data converted to cpu endianness
5092 */
58e2af8b 5093static int check_ld_abs(struct bpf_verifier_env *env, struct bpf_insn *insn)
ddd872bc 5094{
638f5b90 5095 struct bpf_reg_state *regs = cur_regs(env);
ddd872bc 5096 u8 mode = BPF_MODE(insn->code);
ddd872bc
AS		 5097 int i, err;
5098
24701ece 5099 if (!may_access_skb(env->prog->type)) {
61bd5218 5100 verbose(env, "BPF_LD_[ABS|IND] instructions not allowed for this program type\n");
ddd872bc
AS		 5101 return -EINVAL;
5102 }
5103
e0cea7ce
DB		 5104 if (!env->ops->gen_ld_abs) {
5105 verbose(env, "bpf verifier is misconfigured\n");
5106 return -EINVAL;
5107 }
5108
f910cefa 5109 if (env->subprog_cnt > 1) {
f4d7e40a
AS		 5110 /* when program has LD_ABS insn JITs and interpreter assume
5111 * that r1 == ctx == skb which is not the case for callees
5112 * that can have arbitrary arguments. It's problematic
5113 * for main prog as well since JITs would need to analyze
5114 * all functions in order to make proper register save/restore
5115 * decisions in the main prog. Hence disallow LD_ABS with calls
5116 */
5117 verbose(env, "BPF_LD_[ABS|IND] instructions cannot be mixed with bpf-to-bpf calls\n");
5118 return -EINVAL;
5119 }
5120
ddd872bc 5121 if (insn->dst_reg != BPF_REG_0 || insn->off != 0 ||
d82bccc6 5122 BPF_SIZE(insn->code) == BPF_DW ||
ddd872bc 5123 (mode == BPF_ABS && insn->src_reg != BPF_REG_0)) {
61bd5218 5124 verbose(env, "BPF_LD_[ABS|IND] uses reserved fields\n");
ddd872bc
AS		 5125 return -EINVAL;
5126 }
5127
5128 /* check whether implicit source operand (register R6) is readable */
dc503a8a 5129 err = check_reg_arg(env, BPF_REG_6, SRC_OP);
ddd872bc
AS		 5130 if (err)
5131 return err;
5132
fd978bf7
JS		 5133 /* Disallow usage of BPF_LD_[ABS|IND] with reference tracking, as
5134 * gen_ld_abs() may terminate the program at runtime, leading to
5135 * reference leak.
5136 */
5137 err = check_reference_leak(env);
5138 if (err) {
5139 verbose(env, "BPF_LD_[ABS|IND] cannot be mixed with socket references\n");
5140 return err;
5141 }
5142
d83525ca
AS		 5143 if (env->cur_state->active_spin_lock) {
5144 verbose(env, "BPF_LD_[ABS|IND] cannot be used inside bpf_spin_lock-ed region\n");
5145 return -EINVAL;
5146 }
5147
ddd872bc 5148 if (regs[BPF_REG_6].type != PTR_TO_CTX) {
61bd5218
JK		 5149 verbose(env,
5150 "at the time of BPF_LD_ABS|IND R6 != pointer to skb\n");
ddd872bc
AS		 5151 return -EINVAL;
5152 }
5153
5154 if (mode == BPF_IND) {
5155 /* check explicit source operand */
dc503a8a 5156 err = check_reg_arg(env, insn->src_reg, SRC_OP);
ddd872bc
AS		 5157 if (err)
5158 return err;
5159 }
5160
5161 /* reset caller saved regs to unreadable */
dc503a8a 5162 for (i = 0; i < CALLER_SAVED_REGS; i++) {
61bd5218 5163 mark_reg_not_init(env, regs, caller_saved[i]);
dc503a8a
EC		 5164 check_reg_arg(env, caller_saved[i], DST_OP_NO_MARK);
5165 }
ddd872bc
AS		 5166
5167 /* mark destination R0 register as readable, since it contains
dc503a8a
EC		 5168 * the value fetched from the packet.
5169 * Already marked as written above.
ddd872bc 5170 */
61bd5218 5171 mark_reg_unknown(env, regs, BPF_REG_0);
ddd872bc
AS		 5172 return 0;
5173}
5174
390ee7e2
AS		 5175static int check_return_code(struct bpf_verifier_env *env)
5176{
5177 struct bpf_reg_state *reg;
5178 struct tnum range = tnum_range(0, 1);
5179
5180 switch (env->prog->type) {
5181 case BPF_PROG_TYPE_CGROUP_SKB:
5182 case BPF_PROG_TYPE_CGROUP_SOCK:
4fbac77d 5183 case BPF_PROG_TYPE_CGROUP_SOCK_ADDR:
390ee7e2 5184 case BPF_PROG_TYPE_SOCK_OPS:
ebc614f6 5185 case BPF_PROG_TYPE_CGROUP_DEVICE:
390ee7e2
AS		 5186 break;
5187 default:
5188 return 0;
5189 }
5190
638f5b90 5191 reg = cur_regs(env) + BPF_REG_0;
390ee7e2 5192 if (reg->type != SCALAR_VALUE) {
61bd5218 5193 verbose(env, "At program exit the register R0 is not a known value (%s)\n",
390ee7e2
AS		 5194 reg_type_str[reg->type]);
5195 return -EINVAL;
5196 }
5197
5198 if (!tnum_in(range, reg->var_off)) {
61bd5218 5199 verbose(env, "At program exit the register R0 ");
390ee7e2
AS		 5200 if (!tnum_is_unknown(reg->var_off)) {
5201 char tn_buf[48];
5202
5203 tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
61bd5218 5204 verbose(env, "has value %s", tn_buf);
390ee7e2 5205 } else {
61bd5218 5206 verbose(env, "has unknown scalar value");
390ee7e2 5207 }
61bd5218 5208 verbose(env, " should have been 0 or 1\n");
390ee7e2
AS		 5209 return -EINVAL;
5210 }
5211 return 0;
5212}
5213
475fb78f
AS		 5214/* non-recursive DFS pseudo code
5215 * 1 procedure DFS-iterative(G,v):
5216 * 2 label v as discovered
5217 * 3 let S be a stack
5218 * 4 S.push(v)
5219 * 5 while S is not empty
5220 * 6 t <- S.pop()
5221 * 7 if t is what we're looking for:
5222 * 8 return t
5223 * 9 for all edges e in G.adjacentEdges(t) do
5224 * 10 if edge e is already labelled
5225 * 11 continue with the next edge
5226 * 12 w <- G.adjacentVertex(t,e)
5227 * 13 if vertex w is not discovered and not explored
5228 * 14 label e as tree-edge
5229 * 15 label w as discovered
5230 * 16 S.push(w)
5231 * 17 continue at 5
5232 * 18 else if vertex w is discovered
5233 * 19 label e as back-edge
5234 * 20 else
5235 * 21 // vertex w is explored
5236 * 22 label e as forward- or cross-edge
5237 * 23 label t as explored
5238 * 24 S.pop()
5239 *
5240 * convention:
5241 * 0x10 - discovered
5242 * 0x11 - discovered and fall-through edge labelled
5243 * 0x12 - discovered and fall-through and branch edges labelled
5244 * 0x20 - explored
5245 */
5246
5247enum {
5248 DISCOVERED = 0x10,
5249 EXPLORED = 0x20,
5250 FALLTHROUGH = 1,
5251 BRANCH = 2,
5252};
5253
58e2af8b 5254#define STATE_LIST_MARK ((struct bpf_verifier_state_list *) -1L)
f1bca824 5255
475fb78f
AS		 5256static int *insn_stack; /* stack of insns to process */
5257static int cur_stack; /* current stack index */
5258static int *insn_state;
5259
5260/* t, w, e - match pseudo-code above:
5261 * t - index of current instruction
5262 * w - next instruction
5263 * e - edge
5264 */
58e2af8b 5265static int push_insn(int t, int w, int e, struct bpf_verifier_env *env)
475fb78f
AS		 5266{
5267 if (e == FALLTHROUGH && insn_state[t] >= (DISCOVERED | FALLTHROUGH))
5268 return 0;
5269
5270 if (e == BRANCH && insn_state[t] >= (DISCOVERED | BRANCH))
5271 return 0;
5272
5273 if (w < 0 || w >= env->prog->len) {
d9762e84 5274 verbose_linfo(env, t, "%d: ", t);
61bd5218 5275 verbose(env, "jump out of range from insn %d to %d\n", t, w);
475fb78f
AS		 5276 return -EINVAL;
5277 }
5278
f1bca824
AS		 5279 if (e == BRANCH)
5280 /* mark branch target for state pruning */
5281 env->explored_states[w] = STATE_LIST_MARK;
5282
475fb78f
AS		 5283 if (insn_state[w] == 0) {
5284 /* tree-edge */
5285 insn_state[t] = DISCOVERED | e;
5286 insn_state[w] = DISCOVERED;
5287 if (cur_stack >= env->prog->len)
5288 return -E2BIG;
5289 insn_stack[cur_stack++] = w;
5290 return 1;
5291 } else if ((insn_state[w] & 0xF0) == DISCOVERED) {
d9762e84
MKL		 5292 verbose_linfo(env, t, "%d: ", t);
5293 verbose_linfo(env, w, "%d: ", w);
61bd5218 5294 verbose(env, "back-edge from insn %d to %d\n", t, w);
475fb78f
AS		 5295 return -EINVAL;
5296 } else if (insn_state[w] == EXPLORED) {
5297 /* forward- or cross-edge */
5298 insn_state[t] = DISCOVERED | e;
5299 } else {
61bd5218 5300 verbose(env, "insn state internal bug\n");
475fb78f
AS		 5301 return -EFAULT;
5302 }
5303 return 0;
5304}
5305
5306/* non-recursive depth-first-search to detect loops in BPF program
5307 * loop == back-edge in directed graph
5308 */
58e2af8b 5309static int check_cfg(struct bpf_verifier_env *env)
475fb78f
AS		 5310{
5311 struct bpf_insn *insns = env->prog->insnsi;
5312 int insn_cnt = env->prog->len;
5313 int ret = 0;
5314 int i, t;
5315
5316 insn_state = kcalloc(insn_cnt, sizeof(int), GFP_KERNEL);
5317 if (!insn_state)
5318 return -ENOMEM;
5319
5320 insn_stack = kcalloc(insn_cnt, sizeof(int), GFP_KERNEL);
5321 if (!insn_stack) {
5322 kfree(insn_state);
5323 return -ENOMEM;
5324 }
5325
5326 insn_state[0] = DISCOVERED; /* mark 1st insn as discovered */
5327 insn_stack[0] = 0; /* 0 is the first instruction */
5328 cur_stack = 1;
5329
5330peek_stack:
5331 if (cur_stack == 0)
5332 goto check_state;
5333 t = insn_stack[cur_stack - 1];
5334
092ed096
JW		 5335 if (BPF_CLASS(insns[t].code) == BPF_JMP ||
5336 BPF_CLASS(insns[t].code) == BPF_JMP32) {
475fb78f
AS		 5337 u8 opcode = BPF_OP(insns[t].code);
5338
5339 if (opcode == BPF_EXIT) {
5340 goto mark_explored;
5341 } else if (opcode == BPF_CALL) {
5342 ret = push_insn(t, t + 1, FALLTHROUGH, env);
5343 if (ret == 1)
5344 goto peek_stack;
5345 else if (ret < 0)
5346 goto err_free;
07016151
DB		 5347 if (t + 1 < insn_cnt)
5348 env->explored_states[t + 1] = STATE_LIST_MARK;
cc8b0b92
AS		 5349 if (insns[t].src_reg == BPF_PSEUDO_CALL) {
5350 env->explored_states[t] = STATE_LIST_MARK;
5351 ret = push_insn(t, t + insns[t].imm + 1, BRANCH, env);
5352 if (ret == 1)
5353 goto peek_stack;
5354 else if (ret < 0)
5355 goto err_free;
5356 }
475fb78f
AS		 5357 } else if (opcode == BPF_JA) {
5358 if (BPF_SRC(insns[t].code) != BPF_K) {
5359 ret = -EINVAL;
5360 goto err_free;
5361 }
5362 /* unconditional jump with single edge */
5363 ret = push_insn(t, t + insns[t].off + 1,
5364 FALLTHROUGH, env);
5365 if (ret == 1)
5366 goto peek_stack;
5367 else if (ret < 0)
5368 goto err_free;
f1bca824
AS		 5369 /* tell verifier to check for equivalent states
5370 * after every call and jump
5371 */
c3de6317
AS		 5372 if (t + 1 < insn_cnt)
5373 env->explored_states[t + 1] = STATE_LIST_MARK;
475fb78f
AS		 5374 } else {
5375 /* conditional jump with two edges */
3c2ce60b 5376 env->explored_states[t] = STATE_LIST_MARK;
475fb78f
AS		 5377 ret = push_insn(t, t + 1, FALLTHROUGH, env);
5378 if (ret == 1)
5379 goto peek_stack;
5380 else if (ret < 0)
5381 goto err_free;
5382
5383 ret = push_insn(t, t + insns[t].off + 1, BRANCH, env);
5384 if (ret == 1)
5385 goto peek_stack;
5386 else if (ret < 0)
5387 goto err_free;
5388 }
5389 } else {
5390 /* all other non-branch instructions with single
5391 * fall-through edge
5392 */
5393 ret = push_insn(t, t + 1, FALLTHROUGH, env);
5394 if (ret == 1)
5395 goto peek_stack;
5396 else if (ret < 0)
5397 goto err_free;
5398 }
5399
5400mark_explored:
5401 insn_state[t] = EXPLORED;
5402 if (cur_stack-- <= 0) {
61bd5218 5403 verbose(env, "pop stack internal bug\n");
475fb78f
AS		 5404 ret = -EFAULT;
5405 goto err_free;
5406 }
5407 goto peek_stack;
5408
5409check_state:
5410 for (i = 0; i < insn_cnt; i++) {
5411 if (insn_state[i] != EXPLORED) {
61bd5218 5412 verbose(env, "unreachable insn %d\n", i);
475fb78f
AS		 5413 ret = -EINVAL;
5414 goto err_free;
5415 }
5416 }
5417 ret = 0; /* cfg looks good */
5418
5419err_free:
5420 kfree(insn_state);
5421 kfree(insn_stack);
5422 return ret;
5423}
5424
838e9690
YS		 5425/* The minimum supported BTF func info size */
5426#define MIN_BPF_FUNCINFO_SIZE 8
5427#define MAX_FUNCINFO_REC_SIZE 252
5428
c454a46b
MKL		 5429static int check_btf_func(struct bpf_verifier_env *env,
5430 const union bpf_attr *attr,
5431 union bpf_attr __user *uattr)
838e9690 5432{
d0b2818e 5433 u32 i, nfuncs, urec_size, min_size;
838e9690 5434 u32 krec_size = sizeof(struct bpf_func_info);
c454a46b 5435 struct bpf_func_info *krecord;
838e9690 5436 const struct btf_type *type;
c454a46b
MKL		 5437 struct bpf_prog *prog;
5438 const struct btf *btf;
838e9690 5439 void __user *urecord;
d0b2818e 5440 u32 prev_offset = 0;
838e9690
YS		 5441 int ret = 0;
5442
5443 nfuncs = attr->func_info_cnt;
5444 if (!nfuncs)
5445 return 0;
5446
5447 if (nfuncs != env->subprog_cnt) {
5448 verbose(env, "number of funcs in func_info doesn't match number of subprogs\n");
5449 return -EINVAL;
5450 }
5451
5452 urec_size = attr->func_info_rec_size;
5453 if (urec_size < MIN_BPF_FUNCINFO_SIZE ||
5454 urec_size > MAX_FUNCINFO_REC_SIZE ||
5455 urec_size % sizeof(u32)) {
5456 verbose(env, "invalid func info rec size %u\n", urec_size);
5457 return -EINVAL;
5458 }
5459
c454a46b
MKL		 5460 prog = env->prog;
5461 btf = prog->aux->btf;
838e9690
YS		 5462
5463 urecord = u64_to_user_ptr(attr->func_info);
5464 min_size = min_t(u32, krec_size, urec_size);
5465
ba64e7d8 5466 krecord = kvcalloc(nfuncs, krec_size, GFP_KERNEL | __GFP_NOWARN);
c454a46b
MKL		 5467 if (!krecord)
5468 return -ENOMEM;
ba64e7d8 5469
838e9690
YS		 5470 for (i = 0; i < nfuncs; i++) {
5471 ret = bpf_check_uarg_tail_zero(urecord, krec_size, urec_size);
5472 if (ret) {
5473 if (ret == -E2BIG) {
5474 verbose(env, "nonzero tailing record in func info");
5475 /* set the size kernel expects so loader can zero
5476 * out the rest of the record.
5477 */
5478 if (put_user(min_size, &uattr->func_info_rec_size))
5479 ret = -EFAULT;
5480 }
c454a46b 5481 goto err_free;
838e9690
YS		 5482 }
5483
ba64e7d8 5484 if (copy_from_user(&krecord[i], urecord, min_size)) {
838e9690 5485 ret = -EFAULT;
c454a46b 5486 goto err_free;
838e9690
YS		 5487 }
5488
d30d42e0 5489 /* check insn_off */
838e9690 5490 if (i == 0) {
d30d42e0 5491 if (krecord[i].insn_off) {
838e9690 5492 verbose(env,
d30d42e0
MKL		 5493 "nonzero insn_off %u for the first func info record",
5494 krecord[i].insn_off);
838e9690 5495 ret = -EINVAL;
c454a46b 5496 goto err_free;
838e9690 5497 }
d30d42e0 5498 } else if (krecord[i].insn_off <= prev_offset) {
838e9690
YS		 5499 verbose(env,
5500 "same or smaller insn offset (%u) than previous func info record (%u)",
d30d42e0 5501 krecord[i].insn_off, prev_offset);
838e9690 5502 ret = -EINVAL;
c454a46b 5503 goto err_free;
838e9690
YS		 5504 }
5505
d30d42e0 5506 if (env->subprog_info[i].start != krecord[i].insn_off) {
838e9690
YS		 5507 verbose(env, "func_info BTF section doesn't match subprog layout in BPF program\n");
5508 ret = -EINVAL;
c454a46b 5509 goto err_free;
838e9690
YS		 5510 }
5511
5512 /* check type_id */
ba64e7d8 5513 type = btf_type_by_id(btf, krecord[i].type_id);
838e9690
YS		 5514 if (!type || BTF_INFO_KIND(type->info) != BTF_KIND_FUNC) {
5515 verbose(env, "invalid type id %d in func info",
ba64e7d8 5516 krecord[i].type_id);
838e9690 5517 ret = -EINVAL;
c454a46b 5518 goto err_free;
838e9690
YS		 5519 }
5520
d30d42e0 5521 prev_offset = krecord[i].insn_off;
838e9690
YS		 5522 urecord += urec_size;
5523 }
5524
ba64e7d8
YS		 5525 prog->aux->func_info = krecord;
5526 prog->aux->func_info_cnt = nfuncs;
838e9690
YS		 5527 return 0;
5528
c454a46b 5529err_free:
ba64e7d8 5530 kvfree(krecord);
838e9690
YS		 5531 return ret;
5532}
5533
ba64e7d8
YS		 5534static void adjust_btf_func(struct bpf_verifier_env *env)
5535{
5536 int i;
5537
5538 if (!env->prog->aux->func_info)
5539 return;
5540
5541 for (i = 0; i < env->subprog_cnt; i++)
d30d42e0 5542 env->prog->aux->func_info[i].insn_off = env->subprog_info[i].start;
ba64e7d8
YS		 5543}
5544
c454a46b
MKL		 5545#define MIN_BPF_LINEINFO_SIZE (offsetof(struct bpf_line_info, line_col) + \
5546 sizeof(((struct bpf_line_info *)(0))->line_col))
5547#define MAX_LINEINFO_REC_SIZE MAX_FUNCINFO_REC_SIZE
5548
5549static int check_btf_line(struct bpf_verifier_env *env,
5550 const union bpf_attr *attr,
5551 union bpf_attr __user *uattr)
5552{
5553 u32 i, s, nr_linfo, ncopy, expected_size, rec_size, prev_offset = 0;
5554 struct bpf_subprog_info *sub;
5555 struct bpf_line_info *linfo;
5556 struct bpf_prog *prog;
5557 const struct btf *btf;
5558 void __user *ulinfo;
5559 int err;
5560
5561 nr_linfo = attr->line_info_cnt;
5562 if (!nr_linfo)
5563 return 0;
5564
5565 rec_size = attr->line_info_rec_size;
5566 if (rec_size < MIN_BPF_LINEINFO_SIZE ||
5567 rec_size > MAX_LINEINFO_REC_SIZE ||
5568 rec_size & (sizeof(u32) - 1))
5569 return -EINVAL;
5570
5571 /* Need to zero it in case the userspace may
5572 * pass in a smaller bpf_line_info object.
5573 */
5574 linfo = kvcalloc(nr_linfo, sizeof(struct bpf_line_info),
5575 GFP_KERNEL | __GFP_NOWARN);
5576 if (!linfo)
5577 return -ENOMEM;
5578
5579 prog = env->prog;
5580 btf = prog->aux->btf;
5581
5582 s = 0;
5583 sub = env->subprog_info;
5584 ulinfo = u64_to_user_ptr(attr->line_info);
5585 expected_size = sizeof(struct bpf_line_info);
5586 ncopy = min_t(u32, expected_size, rec_size);
5587 for (i = 0; i < nr_linfo; i++) {
5588 err = bpf_check_uarg_tail_zero(ulinfo, expected_size, rec_size);
5589 if (err) {
5590 if (err == -E2BIG) {
5591 verbose(env, "nonzero tailing record in line_info");
5592 if (put_user(expected_size,
5593 &uattr->line_info_rec_size))
5594 err = -EFAULT;
5595 }
5596 goto err_free;
5597 }
5598
5599 if (copy_from_user(&linfo[i], ulinfo, ncopy)) {
5600 err = -EFAULT;
5601 goto err_free;
5602 }
5603
5604 /*
5605 * Check insn_off to ensure
5606 * 1) strictly increasing AND
5607 * 2) bounded by prog->len
5608 *
5609 * The linfo[0].insn_off == 0 check logically falls into
5610 * the later "missing bpf_line_info for func..." case
5611 * because the first linfo[0].insn_off must be the
5612 * first sub also and the first sub must have
5613 * subprog_info[0].start == 0.
5614 */
5615 if ((i && linfo[i].insn_off <= prev_offset) ||
5616 linfo[i].insn_off >= prog->len) {
5617 verbose(env, "Invalid line_info[%u].insn_off:%u (prev_offset:%u prog->len:%u)\n",
5618 i, linfo[i].insn_off, prev_offset,
5619 prog->len);
5620 err = -EINVAL;
5621 goto err_free;
5622 }
5623
fdbaa0be
MKL		 5624 if (!prog->insnsi[linfo[i].insn_off].code) {
5625 verbose(env,
5626 "Invalid insn code at line_info[%u].insn_off\n",
5627 i);
5628 err = -EINVAL;
5629 goto err_free;
5630 }
5631
23127b33
MKL		 5632 if (!btf_name_by_offset(btf, linfo[i].line_off) ||
5633 !btf_name_by_offset(btf, linfo[i].file_name_off)) {
c454a46b
MKL		 5634 verbose(env, "Invalid line_info[%u].line_off or .file_name_off\n", i);
5635 err = -EINVAL;
5636 goto err_free;
5637 }
5638
5639 if (s != env->subprog_cnt) {
5640 if (linfo[i].insn_off == sub[s].start) {
5641 sub[s].linfo_idx = i;
5642 s++;
5643 } else if (sub[s].start < linfo[i].insn_off) {
5644 verbose(env, "missing bpf_line_info for func#%u\n", s);
5645 err = -EINVAL;
5646 goto err_free;
5647 }
5648 }
5649
5650 prev_offset = linfo[i].insn_off;
5651 ulinfo += rec_size;
5652 }
5653
5654 if (s != env->subprog_cnt) {
5655 verbose(env, "missing bpf_line_info for %u funcs starting from func#%u\n",
5656 env->subprog_cnt - s, s);
5657 err = -EINVAL;
5658 goto err_free;
5659 }
5660
5661 prog->aux->linfo = linfo;
5662 prog->aux->nr_linfo = nr_linfo;
5663
5664 return 0;
5665
5666err_free:
5667 kvfree(linfo);
5668 return err;
5669}
5670
5671static int check_btf_info(struct bpf_verifier_env *env,
5672 const union bpf_attr *attr,
5673 union bpf_attr __user *uattr)
5674{
5675 struct btf *btf;
5676 int err;
5677
5678 if (!attr->func_info_cnt && !attr->line_info_cnt)
5679 return 0;
5680
5681 btf = btf_get_by_fd(attr->prog_btf_fd);
5682 if (IS_ERR(btf))
5683 return PTR_ERR(btf);
5684 env->prog->aux->btf = btf;
5685
5686 err = check_btf_func(env, attr, uattr);
5687 if (err)
5688 return err;
5689
5690 err = check_btf_line(env, attr, uattr);
5691 if (err)
5692 return err;
5693
5694 return 0;
ba64e7d8
YS		 5695}
5696
f1174f77
EC		 5697/* check %cur's range satisfies %old's */
5698static bool range_within(struct bpf_reg_state *old,
5699 struct bpf_reg_state *cur)
5700{
b03c9f9f
EC		 5701 return old->umin_value <= cur->umin_value &&
5702 old->umax_value >= cur->umax_value &&
5703 old->smin_value <= cur->smin_value &&
5704 old->smax_value >= cur->smax_value;
f1174f77
EC		 5705}
5706
5707/* Maximum number of register states that can exist at once */
5708#define ID_MAP_SIZE (MAX_BPF_REG + MAX_BPF_STACK / BPF_REG_SIZE)
5709struct idpair {
5710 u32 old;
5711 u32 cur;
5712};
5713
5714/* If in the old state two registers had the same id, then they need to have
5715 * the same id in the new state as well. But that id could be different from
5716 * the old state, so we need to track the mapping from old to new ids.
5717 * Once we have seen that, say, a reg with old id 5 had new id 9, any subsequent
5718 * regs with old id 5 must also have new id 9 for the new state to be safe. But
5719 * regs with a different old id could still have new id 9, we don't care about
5720 * that.
5721 * So we look through our idmap to see if this old id has been seen before. If
5722 * so, we require the new id to match; otherwise, we add the id pair to the map.
969bf05e 5723 */
f1174f77 5724static bool check_ids(u32 old_id, u32 cur_id, struct idpair *idmap)
969bf05e 5725{
f1174f77 5726 unsigned int i;
969bf05e 5727
f1174f77
EC		 5728 for (i = 0; i < ID_MAP_SIZE; i++) {
5729 if (!idmap[i].old) {
5730 /* Reached an empty slot; haven't seen this id before */
5731 idmap[i].old = old_id;
5732 idmap[i].cur = cur_id;
5733 return true;
5734 }
5735 if (idmap[i].old == old_id)
5736 return idmap[i].cur == cur_id;
5737 }
5738 /* We ran out of idmap slots, which should be impossible */
5739 WARN_ON_ONCE(1);
5740 return false;
5741}
5742
9242b5f5
AS		 5743static void clean_func_state(struct bpf_verifier_env *env,
5744 struct bpf_func_state *st)
5745{
5746 enum bpf_reg_liveness live;
5747 int i, j;
5748
5749 for (i = 0; i < BPF_REG_FP; i++) {
5750 live = st->regs[i].live;
5751 /* liveness must not touch this register anymore */
5752 st->regs[i].live |= REG_LIVE_DONE;
5753 if (!(live & REG_LIVE_READ))
5754 /* since the register is unused, clear its state
5755 * to make further comparison simpler
5756 */
5757 __mark_reg_not_init(&st->regs[i]);
5758 }
5759
5760 for (i = 0; i < st->allocated_stack / BPF_REG_SIZE; i++) {
5761 live = st->stack[i].spilled_ptr.live;
5762 /* liveness must not touch this stack slot anymore */
5763 st->stack[i].spilled_ptr.live |= REG_LIVE_DONE;
5764 if (!(live & REG_LIVE_READ)) {
5765 __mark_reg_not_init(&st->stack[i].spilled_ptr);
5766 for (j = 0; j < BPF_REG_SIZE; j++)
5767 st->stack[i].slot_type[j] = STACK_INVALID;
5768 }
5769 }
5770}
5771
5772static void clean_verifier_state(struct bpf_verifier_env *env,
5773 struct bpf_verifier_state *st)
5774{
5775 int i;
5776
5777 if (st->frame[0]->regs[0].live & REG_LIVE_DONE)
5778 /* all regs in this state in all frames were already marked */
5779 return;
5780
5781 for (i = 0; i <= st->curframe; i++)
5782 clean_func_state(env, st->frame[i]);
5783}
5784
5785/* the parentage chains form a tree.
5786 * the verifier states are added to state lists at given insn and
5787 * pushed into state stack for future exploration.
5788 * when the verifier reaches bpf_exit insn some of the verifer states
5789 * stored in the state lists have their final liveness state already,
5790 * but a lot of states will get revised from liveness point of view when
5791 * the verifier explores other branches.
5792 * Example:
5793 * 1: r0 = 1
5794 * 2: if r1 == 100 goto pc+1
5795 * 3: r0 = 2
5796 * 4: exit
5797 * when the verifier reaches exit insn the register r0 in the state list of
5798 * insn 2 will be seen as !REG_LIVE_READ. Then the verifier pops the other_branch
5799 * of insn 2 and goes exploring further. At the insn 4 it will walk the
5800 * parentage chain from insn 4 into insn 2 and will mark r0 as REG_LIVE_READ.
5801 *
5802 * Since the verifier pushes the branch states as it sees them while exploring
5803 * the program the condition of walking the branch instruction for the second
5804 * time means that all states below this branch were already explored and
5805 * their final liveness markes are already propagated.
5806 * Hence when the verifier completes the search of state list in is_state_visited()
5807 * we can call this clean_live_states() function to mark all liveness states
5808 * as REG_LIVE_DONE to indicate that 'parent' pointers of 'struct bpf_reg_state'
5809 * will not be used.
5810 * This function also clears the registers and stack for states that !READ
5811 * to simplify state merging.
5812 *
5813 * Important note here that walking the same branch instruction in the callee
5814 * doesn't meant that the states are DONE. The verifier has to compare
5815 * the callsites
5816 */
5817static void clean_live_states(struct bpf_verifier_env *env, int insn,
5818 struct bpf_verifier_state *cur)
5819{
5820 struct bpf_verifier_state_list *sl;
5821 int i;
5822
5823 sl = env->explored_states[insn];
5824 if (!sl)
5825 return;
5826
5827 while (sl != STATE_LIST_MARK) {
5828 if (sl->state.curframe != cur->curframe)
5829 goto next;
5830 for (i = 0; i <= cur->curframe; i++)
5831 if (sl->state.frame[i]->callsite != cur->frame[i]->callsite)
5832 goto next;
5833 clean_verifier_state(env, &sl->state);
5834next:
5835 sl = sl->next;
5836 }
5837}
5838
f1174f77 5839/* Returns true if (rold safe implies rcur safe) */
1b688a19
EC		 5840static bool regsafe(struct bpf_reg_state *rold, struct bpf_reg_state *rcur,
5841 struct idpair *idmap)
f1174f77 5842{
f4d7e40a
AS		 5843 bool equal;
5844
dc503a8a
EC		 5845 if (!(rold->live & REG_LIVE_READ))
5846 /* explored state didn't use this */
5847 return true;
5848
679c782d 5849 equal = memcmp(rold, rcur, offsetof(struct bpf_reg_state, parent)) == 0;
f4d7e40a
AS		 5850
5851 if (rold->type == PTR_TO_STACK)
5852 /* two stack pointers are equal only if they're pointing to
5853 * the same stack frame, since fp-8 in foo != fp-8 in bar
5854 */
5855 return equal && rold->frameno == rcur->frameno;
5856
5857 if (equal)
969bf05e
AS		 5858 return true;
5859
f1174f77
EC		 5860 if (rold->type == NOT_INIT)
5861 /* explored state can't have used this */
969bf05e 5862 return true;
f1174f77
EC		 5863 if (rcur->type == NOT_INIT)
5864 return false;
5865 switch (rold->type) {
5866 case SCALAR_VALUE:
5867 if (rcur->type == SCALAR_VALUE) {
5868 /* new val must satisfy old val knowledge */
5869 return range_within(rold, rcur) &&
5870 tnum_in(rold->var_off, rcur->var_off);
5871 } else {
179d1c56
JH		 5872 /* We're trying to use a pointer in place of a scalar.
5873 * Even if the scalar was unbounded, this could lead to
5874 * pointer leaks because scalars are allowed to leak
5875 * while pointers are not. We could make this safe in
5876 * special cases if root is calling us, but it's
5877 * probably not worth the hassle.
f1174f77 5878 */
179d1c56 5879 return false;
f1174f77
EC		 5880 }
5881 case PTR_TO_MAP_VALUE:
1b688a19
EC		 5882 /* If the new min/max/var_off satisfy the old ones and
5883 * everything else matches, we are OK.
d83525ca
AS		 5884 * 'id' is not compared, since it's only used for maps with
5885 * bpf_spin_lock inside map element and in such cases if
5886 * the rest of the prog is valid for one map element then
5887 * it's valid for all map elements regardless of the key
5888 * used in bpf_map_lookup()
1b688a19
EC		 5889 */
5890 return memcmp(rold, rcur, offsetof(struct bpf_reg_state, id)) == 0 &&
5891 range_within(rold, rcur) &&
5892 tnum_in(rold->var_off, rcur->var_off);
f1174f77
EC		 5893 case PTR_TO_MAP_VALUE_OR_NULL:
5894 /* a PTR_TO_MAP_VALUE could be safe to use as a
5895 * PTR_TO_MAP_VALUE_OR_NULL into the same map.
5896 * However, if the old PTR_TO_MAP_VALUE_OR_NULL then got NULL-
5897 * checked, doing so could have affected others with the same
5898 * id, and we can't check for that because we lost the id when
5899 * we converted to a PTR_TO_MAP_VALUE.
5900 */
5901 if (rcur->type != PTR_TO_MAP_VALUE_OR_NULL)
5902 return false;
5903 if (memcmp(rold, rcur, offsetof(struct bpf_reg_state, id)))
5904 return false;
5905 /* Check our ids match any regs they're supposed to */
5906 return check_ids(rold->id, rcur->id, idmap);
de8f3a83 5907 case PTR_TO_PACKET_META:
f1174f77 5908 case PTR_TO_PACKET:
de8f3a83 5909 if (rcur->type != rold->type)
f1174f77
EC		 5910 return false;
5911 /* We must have at least as much range as the old ptr
5912 * did, so that any accesses which were safe before are
5913 * still safe. This is true even if old range < old off,
5914 * since someone could have accessed through (ptr - k), or
5915 * even done ptr -= k in a register, to get a safe access.
5916 */
5917 if (rold->range > rcur->range)
5918 return false;
5919 /* If the offsets don't match, we can't trust our alignment;
5920 * nor can we be sure that we won't fall out of range.
5921 */
5922 if (rold->off != rcur->off)
5923 return false;
5924 /* id relations must be preserved */
5925 if (rold->id && !check_ids(rold->id, rcur->id, idmap))
5926 return false;
5927 /* new val must satisfy old val knowledge */
5928 return range_within(rold, rcur) &&
5929 tnum_in(rold->var_off, rcur->var_off);
5930 case PTR_TO_CTX:
5931 case CONST_PTR_TO_MAP:
f1174f77 5932 case PTR_TO_PACKET_END:
d58e468b 5933 case PTR_TO_FLOW_KEYS:
c64b7983
JS		 5934 case PTR_TO_SOCKET:
5935 case PTR_TO_SOCKET_OR_NULL:
46f8bc92
MKL		 5936 case PTR_TO_SOCK_COMMON:
5937 case PTR_TO_SOCK_COMMON_OR_NULL:
655a51e5
MKL		 5938 case PTR_TO_TCP_SOCK:
5939 case PTR_TO_TCP_SOCK_OR_NULL:
f1174f77
EC		 5940 /* Only valid matches are exact, which memcmp() above
5941 * would have accepted
5942 */
5943 default:
5944 /* Don't know what's going on, just say it's not safe */
5945 return false;
5946 }
969bf05e 5947
f1174f77
EC		 5948 /* Shouldn't get here; if we do, say it's not safe */
5949 WARN_ON_ONCE(1);
969bf05e
AS		 5950 return false;
5951}
5952
f4d7e40a
AS		 5953static bool stacksafe(struct bpf_func_state *old,
5954 struct bpf_func_state *cur,
638f5b90
AS		 5955 struct idpair *idmap)
5956{
5957 int i, spi;
5958
638f5b90
AS		 5959 /* walk slots of the explored stack and ignore any additional
5960 * slots in the current stack, since explored(safe) state
5961 * didn't use them
5962 */
5963 for (i = 0; i < old->allocated_stack; i++) {
5964 spi = i / BPF_REG_SIZE;
5965
b233920c
AS		 5966 if (!(old->stack[spi].spilled_ptr.live & REG_LIVE_READ)) {
5967 i += BPF_REG_SIZE - 1;
cc2b14d5 5968 /* explored state didn't use this */
fd05e57b 5969 continue;
b233920c 5970 }
cc2b14d5 5971
638f5b90
AS		 5972 if (old->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_INVALID)
5973 continue;
19e2dbb7
AS		 5974
5975 /* explored stack has more populated slots than current stack
5976 * and these slots were used
5977 */
5978 if (i >= cur->allocated_stack)
5979 return false;
5980
cc2b14d5
AS		 5981 /* if old state was safe with misc data in the stack
5982 * it will be safe with zero-initialized stack.
5983 * The opposite is not true
5984 */
5985 if (old->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_MISC &&
5986 cur->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_ZERO)
5987 continue;
638f5b90
AS		 5988 if (old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
5989 cur->stack[spi].slot_type[i % BPF_REG_SIZE])
5990 /* Ex: old explored (safe) state has STACK_SPILL in
5991 * this stack slot, but current has has STACK_MISC ->
5992 * this verifier states are not equivalent,
5993 * return false to continue verification of this path
5994 */
5995 return false;
5996 if (i % BPF_REG_SIZE)
5997 continue;
5998 if (old->stack[spi].slot_type[0] != STACK_SPILL)
5999 continue;
6000 if (!regsafe(&old->stack[spi].spilled_ptr,
6001 &cur->stack[spi].spilled_ptr,
6002 idmap))
6003 /* when explored and current stack slot are both storing
6004 * spilled registers, check that stored pointers types
6005 * are the same as well.
6006 * Ex: explored safe path could have stored
6007 * (bpf_reg_state) {.type = PTR_TO_STACK, .off = -8}
6008 * but current path has stored:
6009 * (bpf_reg_state) {.type = PTR_TO_STACK, .off = -16}
6010 * such verifier states are not equivalent.
6011 * return false to continue verification of this path
6012 */
6013 return false;
6014 }
6015 return true;
6016}
6017
fd978bf7
JS		 6018static bool refsafe(struct bpf_func_state *old, struct bpf_func_state *cur)
6019{
6020 if (old->acquired_refs != cur->acquired_refs)
6021 return false;
6022 return !memcmp(old->refs, cur->refs,
6023 sizeof(*old->refs) * old->acquired_refs);
6024}
6025
f1bca824
AS		 6026/* compare two verifier states
6027 *
6028 * all states stored in state_list are known to be valid, since
6029 * verifier reached 'bpf_exit' instruction through them
6030 *
6031 * this function is called when verifier exploring different branches of
6032 * execution popped from the state stack. If it sees an old state that has
6033 * more strict register state and more strict stack state then this execution
6034 * branch doesn't need to be explored further, since verifier already
6035 * concluded that more strict state leads to valid finish.
6036 *
6037 * Therefore two states are equivalent if register state is more conservative
6038 * and explored stack state is more conservative than the current one.
6039 * Example:
6040 * explored current
6041 * (slot1=INV slot2=MISC) == (slot1=MISC slot2=MISC)
6042 * (slot1=MISC slot2=MISC) != (slot1=INV slot2=MISC)
6043 *
6044 * In other words if current stack state (one being explored) has more
6045 * valid slots than old one that already passed validation, it means
6046 * the verifier can stop exploring and conclude that current state is valid too
6047 *
6048 * Similarly with registers. If explored state has register type as invalid
6049 * whereas register type in current state is meaningful, it means that
6050 * the current state will reach 'bpf_exit' instruction safely
6051 */
f4d7e40a
AS		 6052static bool func_states_equal(struct bpf_func_state *old,
6053 struct bpf_func_state *cur)
f1bca824 6054{
f1174f77
EC		 6055 struct idpair *idmap;
6056 bool ret = false;
f1bca824
AS		 6057 int i;
6058
f1174f77
EC		 6059 idmap = kcalloc(ID_MAP_SIZE, sizeof(struct idpair), GFP_KERNEL);
6060 /* If we failed to allocate the idmap, just say it's not safe */
6061 if (!idmap)
1a0dc1ac 6062 return false;
f1174f77
EC		 6063
6064 for (i = 0; i < MAX_BPF_REG; i++) {
1b688a19 6065 if (!regsafe(&old->regs[i], &cur->regs[i], idmap))
f1174f77 6066 goto out_free;
f1bca824
AS		 6067 }
6068
638f5b90
AS		 6069 if (!stacksafe(old, cur, idmap))
6070 goto out_free;
fd978bf7
JS		 6071
6072 if (!refsafe(old, cur))
6073 goto out_free;
f1174f77
EC		 6074 ret = true;
6075out_free:
6076 kfree(idmap);
6077 return ret;
f1bca824
AS		 6078}
6079
f4d7e40a
AS		 6080static bool states_equal(struct bpf_verifier_env *env,
6081 struct bpf_verifier_state *old,
6082 struct bpf_verifier_state *cur)
6083{
6084 int i;
6085
6086 if (old->curframe != cur->curframe)
6087 return false;
6088
979d63d5
DB		 6089 /* Verification state from speculative execution simulation
6090 * must never prune a non-speculative execution one.
6091 */
6092 if (old->speculative && !cur->speculative)
6093 return false;
6094
d83525ca
AS		 6095 if (old->active_spin_lock != cur->active_spin_lock)
6096 return false;
6097
f4d7e40a
AS		 6098 /* for states to be equal callsites have to be the same
6099 * and all frame states need to be equivalent
6100 */
6101 for (i = 0; i <= old->curframe; i++) {
6102 if (old->frame[i]->callsite != cur->frame[i]->callsite)
6103 return false;
6104 if (!func_states_equal(old->frame[i], cur->frame[i]))
6105 return false;
6106 }
6107 return true;
6108}
6109
8e9cd9ce 6110/* A write screens off any subsequent reads; but write marks come from the
f4d7e40a
AS		 6111 * straight-line code between a state and its parent. When we arrive at an
6112 * equivalent state (jump target or such) we didn't arrive by the straight-line
6113 * code, so read marks in the state must propagate to the parent regardless
6114 * of the state's write marks. That's what 'parent == state->parent' comparison
679c782d 6115 * in mark_reg_read() is for.
8e9cd9ce 6116 */
f4d7e40a
AS		 6117static int propagate_liveness(struct bpf_verifier_env *env,
6118 const struct bpf_verifier_state *vstate,
6119 struct bpf_verifier_state *vparent)
dc503a8a 6120{
f4d7e40a
AS		 6121 int i, frame, err = 0;
6122 struct bpf_func_state *state, *parent;
dc503a8a 6123
f4d7e40a
AS		 6124 if (vparent->curframe != vstate->curframe) {
6125 WARN(1, "propagate_live: parent frame %d current frame %d\n",
6126 vparent->curframe, vstate->curframe);
6127 return -EFAULT;
6128 }
dc503a8a
EC		 6129 /* Propagate read liveness of registers... */
6130 BUILD_BUG_ON(BPF_REG_FP + 1 != MAX_BPF_REG);
83d16312
JK		 6131 for (frame = 0; frame <= vstate->curframe; frame++) {
6132 /* We don't need to worry about FP liveness, it's read-only */
6133 for (i = frame < vstate->curframe ? BPF_REG_6 : 0; i < BPF_REG_FP; i++) {
6134 if (vparent->frame[frame]->regs[i].live & REG_LIVE_READ)
6135 continue;
6136 if (vstate->frame[frame]->regs[i].live & REG_LIVE_READ) {
6137 err = mark_reg_read(env, &vstate->frame[frame]->regs[i],
6138 &vparent->frame[frame]->regs[i]);
6139 if (err)
6140 return err;
6141 }
dc503a8a
EC		 6142 }
6143 }
f4d7e40a 6144
dc503a8a 6145 /* ... and stack slots */
f4d7e40a
AS		 6146 for (frame = 0; frame <= vstate->curframe; frame++) {
6147 state = vstate->frame[frame];
6148 parent = vparent->frame[frame];
6149 for (i = 0; i < state->allocated_stack / BPF_REG_SIZE &&
6150 i < parent->allocated_stack / BPF_REG_SIZE; i++) {
f4d7e40a
AS		 6151 if (parent->stack[i].spilled_ptr.live & REG_LIVE_READ)
6152 continue;
6153 if (state->stack[i].spilled_ptr.live & REG_LIVE_READ)
679c782d
EC		 6154 mark_reg_read(env, &state->stack[i].spilled_ptr,
6155 &parent->stack[i].spilled_ptr);
dc503a8a
EC		 6156 }
6157 }
f4d7e40a 6158 return err;
dc503a8a
EC		 6159}
6160
58e2af8b 6161static int is_state_visited(struct bpf_verifier_env *env, int insn_idx)
f1bca824 6162{
58e2af8b 6163 struct bpf_verifier_state_list *new_sl;
9f4686c4 6164 struct bpf_verifier_state_list *sl, **pprev;
679c782d 6165 struct bpf_verifier_state *cur = env->cur_state, *new;
ceefbc96 6166 int i, j, err, states_cnt = 0;
f1bca824 6167
9f4686c4
AS		 6168 pprev = &env->explored_states[insn_idx];
6169 sl = *pprev;
6170
f1bca824
AS		 6171 if (!sl)
6172 /* this 'insn_idx' instruction wasn't marked, so we will not
6173 * be doing state search here
6174 */
6175 return 0;
6176
9242b5f5
AS		 6177 clean_live_states(env, insn_idx, cur);
6178
f1bca824 6179 while (sl != STATE_LIST_MARK) {
638f5b90 6180 if (states_equal(env, &sl->state, cur)) {
9f4686c4 6181 sl->hit_cnt++;
f1bca824 6182 /* reached equivalent register/stack state,
dc503a8a
EC		 6183 * prune the search.
6184 * Registers read by the continuation are read by us.
8e9cd9ce
EC		 6185 * If we have any write marks in env->cur_state, they
6186 * will prevent corresponding reads in the continuation
6187 * from reaching our parent (an explored_state). Our
6188 * own state will get the read marks recorded, but
6189 * they'll be immediately forgotten as we're pruning
6190 * this state and will pop a new one.
f1bca824 6191 */
f4d7e40a
AS		 6192 err = propagate_liveness(env, &sl->state, cur);
6193 if (err)
6194 return err;
f1bca824 6195 return 1;
dc503a8a 6196 }
ceefbc96 6197 states_cnt++;
9f4686c4
AS		 6198 sl->miss_cnt++;
6199 /* heuristic to determine whether this state is beneficial
6200 * to keep checking from state equivalence point of view.
6201 * Higher numbers increase max_states_per_insn and verification time,
6202 * but do not meaningfully decrease insn_processed.
6203 */
6204 if (sl->miss_cnt > sl->hit_cnt * 3 + 3) {
6205 /* the state is unlikely to be useful. Remove it to
6206 * speed up verification
6207 */
6208 *pprev = sl->next;
6209 if (sl->state.frame[0]->regs[0].live & REG_LIVE_DONE) {
6210 free_verifier_state(&sl->state, false);
6211 kfree(sl);
6212 env->peak_states--;
6213 } else {
6214 /* cannot free this state, since parentage chain may
6215 * walk it later. Add it for free_list instead to
6216 * be freed at the end of verification
6217 */
6218 sl->next = env->free_list;
6219 env->free_list = sl;
6220 }
6221 sl = *pprev;
6222 continue;
6223 }
6224 pprev = &sl->next;
6225 sl = *pprev;
f1bca824
AS		 6226 }
6227
06ee7115
AS		 6228 if (env->max_states_per_insn < states_cnt)
6229 env->max_states_per_insn = states_cnt;
6230
ceefbc96
AS		 6231 if (!env->allow_ptr_leaks && states_cnt > BPF_COMPLEXITY_LIMIT_STATES)
6232 return 0;
6233
f1bca824
AS		 6234 /* there were no equivalent states, remember current one.
6235 * technically the current state is not proven to be safe yet,
f4d7e40a
AS		 6236 * but it will either reach outer most bpf_exit (which means it's safe)
6237 * or it will be rejected. Since there are no loops, we won't be
6238 * seeing this tuple (frame[0].callsite, frame[1].callsite, .. insn_idx)
6239 * again on the way to bpf_exit
f1bca824 6240 */
638f5b90 6241 new_sl = kzalloc(sizeof(struct bpf_verifier_state_list), GFP_KERNEL);
f1bca824
AS		 6242 if (!new_sl)
6243 return -ENOMEM;
06ee7115
AS		 6244 env->total_states++;
6245 env->peak_states++;
f1bca824
AS		 6246
6247 /* add new state to the head of linked list */
679c782d
EC		 6248 new = &new_sl->state;
6249 err = copy_verifier_state(new, cur);
1969db47 6250 if (err) {
679c782d 6251 free_verifier_state(new, false);
1969db47
AS		 6252 kfree(new_sl);
6253 return err;
6254 }
f1bca824
AS		 6255 new_sl->next = env->explored_states[insn_idx];
6256 env->explored_states[insn_idx] = new_sl;
7640ead9
JK		 6257 /* connect new state to parentage chain. Current frame needs all
6258 * registers connected. Only r6 - r9 of the callers are alive (pushed
6259 * to the stack implicitly by JITs) so in callers' frames connect just
6260 * r6 - r9 as an optimization. Callers will have r1 - r5 connected to
6261 * the state of the call instruction (with WRITTEN set), and r0 comes
6262 * from callee with its full parentage chain, anyway.
6263 */
6264 for (j = 0; j <= cur->curframe; j++)
6265 for (i = j < cur->curframe ? BPF_REG_6 : 0; i < BPF_REG_FP; i++)
6266 cur->frame[j]->regs[i].parent = &new->frame[j]->regs[i];
8e9cd9ce
EC		 6267 /* clear write marks in current state: the writes we did are not writes
6268 * our child did, so they don't screen off its reads from us.
6269 * (There are no read marks in current state, because reads always mark
6270 * their parent and current state never has children yet. Only
6271 * explored_states can get read marks.)
6272 */
dc503a8a 6273 for (i = 0; i < BPF_REG_FP; i++)
f4d7e40a
AS		 6274 cur->frame[cur->curframe]->regs[i].live = REG_LIVE_NONE;
6275
6276 /* all stack frames are accessible from callee, clear them all */
6277 for (j = 0; j <= cur->curframe; j++) {
6278 struct bpf_func_state *frame = cur->frame[j];
679c782d 6279 struct bpf_func_state *newframe = new->frame[j];
f4d7e40a 6280
679c782d 6281 for (i = 0; i < frame->allocated_stack / BPF_REG_SIZE; i++) {
cc2b14d5 6282 frame->stack[i].spilled_ptr.live = REG_LIVE_NONE;
679c782d
EC		 6283 frame->stack[i].spilled_ptr.parent =
6284 &newframe->stack[i].spilled_ptr;
6285 }
f4d7e40a 6286 }
f1bca824
AS		 6287 return 0;
6288}
6289
c64b7983
JS		 6290/* Return true if it's OK to have the same insn return a different type. */
6291static bool reg_type_mismatch_ok(enum bpf_reg_type type)
6292{
6293 switch (type) {
6294 case PTR_TO_CTX:
6295 case PTR_TO_SOCKET:
6296 case PTR_TO_SOCKET_OR_NULL:
46f8bc92
MKL		 6297 case PTR_TO_SOCK_COMMON:
6298 case PTR_TO_SOCK_COMMON_OR_NULL:
655a51e5
MKL		 6299 case PTR_TO_TCP_SOCK:
6300 case PTR_TO_TCP_SOCK_OR_NULL:
c64b7983
JS		 6301 return false;
6302 default:
6303 return true;
6304 }
6305}
6306
6307/* If an instruction was previously used with particular pointer types, then we
6308 * need to be careful to avoid cases such as the below, where it may be ok
6309 * for one branch accessing the pointer, but not ok for the other branch:
6310 *
6311 * R1 = sock_ptr
6312 * goto X;
6313 * ...
6314 * R1 = some_other_valid_ptr;
6315 * goto X;
6316 * ...
6317 * R2 = *(u32 *)(R1 + 0);
6318 */
6319static bool reg_type_mismatch(enum bpf_reg_type src, enum bpf_reg_type prev)
6320{
6321 return src != prev && (!reg_type_mismatch_ok(src) ||
6322 !reg_type_mismatch_ok(prev));
6323}
6324
58e2af8b 6325static int do_check(struct bpf_verifier_env *env)
17a52670 6326{
638f5b90 6327 struct bpf_verifier_state *state;
17a52670 6328 struct bpf_insn *insns = env->prog->insnsi;
638f5b90 6329 struct bpf_reg_state *regs;
06ee7115 6330 int insn_cnt = env->prog->len;
17a52670
AS		 6331 bool do_print_state = false;
6332
d9762e84
MKL		 6333 env->prev_linfo = NULL;
6334
638f5b90
AS		 6335 state = kzalloc(sizeof(struct bpf_verifier_state), GFP_KERNEL);
6336 if (!state)
6337 return -ENOMEM;
f4d7e40a 6338 state->curframe = 0;
979d63d5 6339 state->speculative = false;
f4d7e40a
AS		 6340 state->frame[0] = kzalloc(sizeof(struct bpf_func_state), GFP_KERNEL);
6341 if (!state->frame[0]) {
6342 kfree(state);
6343 return -ENOMEM;
6344 }
6345 env->cur_state = state;
6346 init_func_state(env, state->frame[0],
6347 BPF_MAIN_FUNC /* callsite */,
6348 0 /* frameno */,
6349 0 /* subprogno, zero == main subprog */);
c08435ec 6350
17a52670
AS		 6351 for (;;) {
6352 struct bpf_insn *insn;
6353 u8 class;
6354 int err;
6355
c08435ec 6356 if (env->insn_idx >= insn_cnt) {
61bd5218 6357 verbose(env, "invalid insn idx %d insn_cnt %d\n",
c08435ec 6358 env->insn_idx, insn_cnt);
17a52670
AS		 6359 return -EFAULT;
6360 }
6361
c08435ec 6362 insn = &insns[env->insn_idx];
17a52670
AS		 6363 class = BPF_CLASS(insn->code);
6364
06ee7115 6365 if (++env->insn_processed > BPF_COMPLEXITY_LIMIT_INSNS) {
61bd5218
JK		 6366 verbose(env,
6367 "BPF program is too large. Processed %d insn\n",
06ee7115 6368 env->insn_processed);
17a52670
AS		 6369 return -E2BIG;
6370 }
6371
c08435ec 6372 err = is_state_visited(env, env->insn_idx);
f1bca824
AS		 6373 if (err < 0)
6374 return err;
6375 if (err == 1) {
6376 /* found equivalent state, can prune the search */
06ee7115 6377 if (env->log.level & BPF_LOG_LEVEL) {
f1bca824 6378 if (do_print_state)
979d63d5
DB		 6379 verbose(env, "\nfrom %d to %d%s: safe\n",
6380 env->prev_insn_idx, env->insn_idx,
6381 env->cur_state->speculative ?
6382 " (speculative execution)" : "");
f1bca824 6383 else
c08435ec 6384 verbose(env, "%d: safe\n", env->insn_idx);
f1bca824
AS		 6385 }
6386 goto process_bpf_exit;
6387 }
6388
c3494801
AS		 6389 if (signal_pending(current))
6390 return -EAGAIN;
6391
3c2ce60b
DB		 6392 if (need_resched())
6393 cond_resched();
6394
06ee7115
AS		 6395 if (env->log.level & BPF_LOG_LEVEL2 ||
6396 (env->log.level & BPF_LOG_LEVEL && do_print_state)) {
6397 if (env->log.level & BPF_LOG_LEVEL2)
c08435ec 6398 verbose(env, "%d:", env->insn_idx);
c5fc9692 6399 else
979d63d5
DB		 6400 verbose(env, "\nfrom %d to %d%s:",
6401 env->prev_insn_idx, env->insn_idx,
6402 env->cur_state->speculative ?
6403 " (speculative execution)" : "");
f4d7e40a 6404 print_verifier_state(env, state->frame[state->curframe]);
17a52670
AS		 6405 do_print_state = false;
6406 }
6407
06ee7115 6408 if (env->log.level & BPF_LOG_LEVEL) {
7105e828
DB		 6409 const struct bpf_insn_cbs cbs = {
6410 .cb_print = verbose,
abe08840 6411 .private_data = env,
7105e828
DB		 6412 };
6413
c08435ec
DB		 6414 verbose_linfo(env, env->insn_idx, "; ");
6415 verbose(env, "%d: ", env->insn_idx);
abe08840 6416 print_bpf_insn(&cbs, insn, env->allow_ptr_leaks);
17a52670
AS		 6417 }
6418
cae1927c 6419 if (bpf_prog_is_dev_bound(env->prog->aux)) {
c08435ec
DB		 6420 err = bpf_prog_offload_verify_insn(env, env->insn_idx,
6421 env->prev_insn_idx);
cae1927c
JK		 6422 if (err)
6423 return err;
6424 }
13a27dfc 6425
638f5b90 6426 regs = cur_regs(env);
c08435ec 6427 env->insn_aux_data[env->insn_idx].seen = true;
fd978bf7 6428
17a52670 6429 if (class == BPF_ALU || class == BPF_ALU64) {
1be7f75d 6430 err = check_alu_op(env, insn);
17a52670
AS		 6431 if (err)
6432 return err;
6433
6434 } else if (class == BPF_LDX) {
3df126f3 6435 enum bpf_reg_type *prev_src_type, src_reg_type;
9bac3d6d
AS		 6436
6437 /* check for reserved fields is already done */
6438
17a52670 6439 /* check src operand */
dc503a8a 6440 err = check_reg_arg(env, insn->src_reg, SRC_OP);
17a52670
AS		 6441 if (err)
6442 return err;
6443
dc503a8a 6444 err = check_reg_arg(env, insn->dst_reg, DST_OP_NO_MARK);
17a52670
AS		 6445 if (err)
6446 return err;
6447
725f9dcd
AS		 6448 src_reg_type = regs[insn->src_reg].type;
6449
17a52670
AS		 6450 /* check that memory (src_reg + off) is readable,
6451 * the state of dst_reg will be updated by this func
6452 */
c08435ec
DB		 6453 err = check_mem_access(env, env->insn_idx, insn->src_reg,
6454 insn->off, BPF_SIZE(insn->code),
6455 BPF_READ, insn->dst_reg, false);
17a52670
AS		 6456 if (err)
6457 return err;
6458
c08435ec 6459 prev_src_type = &env->insn_aux_data[env->insn_idx].ptr_type;
3df126f3
JK		 6460
6461 if (*prev_src_type == NOT_INIT) {
9bac3d6d
AS		 6462 /* saw a valid insn
6463 * dst_reg = *(u32 *)(src_reg + off)
3df126f3 6464 * save type to validate intersecting paths
9bac3d6d 6465 */
3df126f3 6466 *prev_src_type = src_reg_type;
9bac3d6d 6467
c64b7983 6468 } else if (reg_type_mismatch(src_reg_type, *prev_src_type)) {
9bac3d6d
AS		 6469 /* ABuser program is trying to use the same insn
6470 * dst_reg = *(u32*) (src_reg + off)
6471 * with different pointer types:
6472 * src_reg == ctx in one branch and
6473 * src_reg == stack|map in some other branch.
6474 * Reject it.
6475 */
61bd5218 6476 verbose(env, "same insn cannot be used with different pointers\n");
9bac3d6d
AS		 6477 return -EINVAL;
6478 }
6479
17a52670 6480 } else if (class == BPF_STX) {
3df126f3 6481 enum bpf_reg_type *prev_dst_type, dst_reg_type;
d691f9e8 6482
17a52670 6483 if (BPF_MODE(insn->code) == BPF_XADD) {
c08435ec 6484 err = check_xadd(env, env->insn_idx, insn);
17a52670
AS		 6485 if (err)
6486 return err;
c08435ec 6487 env->insn_idx++;
17a52670
AS		 6488 continue;
6489 }
6490
17a52670 6491 /* check src1 operand */
dc503a8a 6492 err = check_reg_arg(env, insn->src_reg, SRC_OP);
17a52670
AS		 6493 if (err)
6494 return err;
6495 /* check src2 operand */
dc503a8a 6496 err = check_reg_arg(env, insn->dst_reg, SRC_OP);
17a52670
AS		 6497 if (err)
6498 return err;
6499
d691f9e8
AS		 6500 dst_reg_type = regs[insn->dst_reg].type;
6501
17a52670 6502 /* check that memory (dst_reg + off) is writeable */
c08435ec
DB		 6503 err = check_mem_access(env, env->insn_idx, insn->dst_reg,
6504 insn->off, BPF_SIZE(insn->code),
6505 BPF_WRITE, insn->src_reg, false);
17a52670
AS		 6506 if (err)
6507 return err;
6508
c08435ec 6509 prev_dst_type = &env->insn_aux_data[env->insn_idx].ptr_type;
3df126f3
JK		 6510
6511 if (*prev_dst_type == NOT_INIT) {
6512 *prev_dst_type = dst_reg_type;
c64b7983 6513 } else if (reg_type_mismatch(dst_reg_type, *prev_dst_type)) {
61bd5218 6514 verbose(env, "same insn cannot be used with different pointers\n");
d691f9e8
AS		 6515 return -EINVAL;
6516 }
6517
17a52670
AS		 6518 } else if (class == BPF_ST) {
6519 if (BPF_MODE(insn->code) != BPF_MEM ||
6520 insn->src_reg != BPF_REG_0) {
61bd5218 6521 verbose(env, "BPF_ST uses reserved fields\n");
17a52670
AS		 6522 return -EINVAL;
6523 }
6524 /* check src operand */
dc503a8a 6525 err = check_reg_arg(env, insn->dst_reg, SRC_OP);
17a52670
AS		 6526 if (err)
6527 return err;
6528
f37a8cb8 6529 if (is_ctx_reg(env, insn->dst_reg)) {
9d2be44a 6530 verbose(env, "BPF_ST stores into R%d %s is not allowed\n",
2a159c6f
DB		 6531 insn->dst_reg,
6532 reg_type_str[reg_state(env, insn->dst_reg)->type]);
f37a8cb8
DB		 6533 return -EACCES;
6534 }
6535
17a52670 6536 /* check that memory (dst_reg + off) is writeable */
c08435ec
DB		 6537 err = check_mem_access(env, env->insn_idx, insn->dst_reg,
6538 insn->off, BPF_SIZE(insn->code),
6539 BPF_WRITE, -1, false);
17a52670
AS		 6540 if (err)
6541 return err;
6542
092ed096 6543 } else if (class == BPF_JMP || class == BPF_JMP32) {
17a52670
AS		 6544 u8 opcode = BPF_OP(insn->code);
6545
6546 if (opcode == BPF_CALL) {
6547 if (BPF_SRC(insn->code) != BPF_K ||
6548 insn->off != 0 ||
f4d7e40a
AS		 6549 (insn->src_reg != BPF_REG_0 &&
6550 insn->src_reg != BPF_PSEUDO_CALL) ||
092ed096
JW		 6551 insn->dst_reg != BPF_REG_0 ||
6552 class == BPF_JMP32) {
61bd5218 6553 verbose(env, "BPF_CALL uses reserved fields\n");
17a52670
AS		 6554 return -EINVAL;
6555 }
6556
d83525ca
AS		 6557 if (env->cur_state->active_spin_lock &&
6558 (insn->src_reg == BPF_PSEUDO_CALL ||
6559 insn->imm != BPF_FUNC_spin_unlock)) {
6560 verbose(env, "function calls are not allowed while holding a lock\n");
6561 return -EINVAL;
6562 }
f4d7e40a 6563 if (insn->src_reg == BPF_PSEUDO_CALL)
c08435ec 6564 err = check_func_call(env, insn, &env->insn_idx);
f4d7e40a 6565 else
c08435ec 6566 err = check_helper_call(env, insn->imm, env->insn_idx);
17a52670
AS		 6567 if (err)
6568 return err;
6569
6570 } else if (opcode == BPF_JA) {
6571 if (BPF_SRC(insn->code) != BPF_K ||
6572 insn->imm != 0 ||
6573 insn->src_reg != BPF_REG_0 ||
092ed096
JW		 6574 insn->dst_reg != BPF_REG_0 ||
6575 class == BPF_JMP32) {
61bd5218 6576 verbose(env, "BPF_JA uses reserved fields\n");
17a52670
AS		 6577 return -EINVAL;
6578 }
6579
c08435ec 6580 env->insn_idx += insn->off + 1;
17a52670
AS		 6581 continue;
6582
6583 } else if (opcode == BPF_EXIT) {
6584 if (BPF_SRC(insn->code) != BPF_K ||
6585 insn->imm != 0 ||
6586 insn->src_reg != BPF_REG_0 ||
092ed096
JW		 6587 insn->dst_reg != BPF_REG_0 ||
6588 class == BPF_JMP32) {
61bd5218 6589 verbose(env, "BPF_EXIT uses reserved fields\n");
17a52670
AS		 6590 return -EINVAL;
6591 }
6592
d83525ca
AS		 6593 if (env->cur_state->active_spin_lock) {
6594 verbose(env, "bpf_spin_unlock is missing\n");
6595 return -EINVAL;
6596 }
6597
f4d7e40a
AS		 6598 if (state->curframe) {
6599 /* exit from nested function */
c08435ec
DB		 6600 env->prev_insn_idx = env->insn_idx;
6601 err = prepare_func_exit(env, &env->insn_idx);
f4d7e40a
AS		 6602 if (err)
6603 return err;
6604 do_print_state = true;
6605 continue;
6606 }
6607
fd978bf7
JS		 6608 err = check_reference_leak(env);
6609 if (err)
6610 return err;
6611
17a52670
AS		 6612 /* eBPF calling convetion is such that R0 is used
6613 * to return the value from eBPF program.
6614 * Make sure that it's readable at this time
6615 * of bpf_exit, which means that program wrote
6616 * something into it earlier
6617 */
dc503a8a 6618 err = check_reg_arg(env, BPF_REG_0, SRC_OP);
17a52670
AS		 6619 if (err)
6620 return err;
6621
1be7f75d 6622 if (is_pointer_value(env, BPF_REG_0)) {
61bd5218 6623 verbose(env, "R0 leaks addr as return value\n");
1be7f75d
AS		 6624 return -EACCES;
6625 }
6626
390ee7e2
AS		 6627 err = check_return_code(env);
6628 if (err)
6629 return err;
f1bca824 6630process_bpf_exit:
c08435ec
DB		 6631 err = pop_stack(env, &env->prev_insn_idx,
6632 &env->insn_idx);
638f5b90
AS		 6633 if (err < 0) {
6634 if (err != -ENOENT)
6635 return err;
17a52670
AS		 6636 break;
6637 } else {
6638 do_print_state = true;
6639 continue;
6640 }
6641 } else {
c08435ec 6642 err = check_cond_jmp_op(env, insn, &env->insn_idx);
17a52670
AS		 6643 if (err)
6644 return err;
6645 }
6646 } else if (class == BPF_LD) {
6647 u8 mode = BPF_MODE(insn->code);
6648
6649 if (mode == BPF_ABS || mode == BPF_IND) {
ddd872bc
AS		 6650 err = check_ld_abs(env, insn);
6651 if (err)
6652 return err;
6653
17a52670
AS		 6654 } else if (mode == BPF_IMM) {
6655 err = check_ld_imm(env, insn);
6656 if (err)
6657 return err;
6658
c08435ec
DB		 6659 env->insn_idx++;
6660 env->insn_aux_data[env->insn_idx].seen = true;
17a52670 6661 } else {
61bd5218 6662 verbose(env, "invalid BPF_LD mode\n");
17a52670
AS		 6663 return -EINVAL;
6664 }
6665 } else {
61bd5218 6666 verbose(env, "unknown insn class %d\n", class);
17a52670
AS		 6667 return -EINVAL;
6668 }
6669
c08435ec 6670 env->insn_idx++;
17a52670
AS		 6671 }
6672
9c8105bd 6673 env->prog->aux->stack_depth = env->subprog_info[0].stack_depth;
17a52670
AS		 6674 return 0;
6675}
6676
56f668df
MKL		 6677static int check_map_prealloc(struct bpf_map *map)
6678{
6679 return (map->map_type != BPF_MAP_TYPE_HASH &&
bcc6b1b7
MKL		 6680 map->map_type != BPF_MAP_TYPE_PERCPU_HASH &&
6681 map->map_type != BPF_MAP_TYPE_HASH_OF_MAPS) ||
56f668df
MKL		 6682 !(map->map_flags & BPF_F_NO_PREALLOC);
6683}
6684
d83525ca
AS		 6685static bool is_tracing_prog_type(enum bpf_prog_type type)
6686{
6687 switch (type) {
6688 case BPF_PROG_TYPE_KPROBE:
6689 case BPF_PROG_TYPE_TRACEPOINT:
6690 case BPF_PROG_TYPE_PERF_EVENT:
6691 case BPF_PROG_TYPE_RAW_TRACEPOINT:
6692 return true;
6693 default:
6694 return false;
6695 }
6696}
6697
61bd5218
JK		 6698static int check_map_prog_compatibility(struct bpf_verifier_env *env,
6699 struct bpf_map *map,
fdc15d38
AS		 6700 struct bpf_prog *prog)
6701
6702{
56f668df
MKL		 6703 /* Make sure that BPF_PROG_TYPE_PERF_EVENT programs only use
6704 * preallocated hash maps, since doing memory allocation
6705 * in overflow_handler can crash depending on where nmi got
6706 * triggered.
6707 */
6708 if (prog->type == BPF_PROG_TYPE_PERF_EVENT) {
6709 if (!check_map_prealloc(map)) {
61bd5218 6710 verbose(env, "perf_event programs can only use preallocated hash map\n");
56f668df
MKL		 6711 return -EINVAL;
6712 }
6713 if (map->inner_map_meta &&
6714 !check_map_prealloc(map->inner_map_meta)) {
61bd5218 6715 verbose(env, "perf_event programs can only use preallocated inner hash map\n");
56f668df
MKL		 6716 return -EINVAL;
6717 }
fdc15d38 6718 }
a3884572 6719
d83525ca
AS		 6720 if ((is_tracing_prog_type(prog->type) ||
6721 prog->type == BPF_PROG_TYPE_SOCKET_FILTER) &&
6722 map_value_has_spin_lock(map)) {
6723 verbose(env, "tracing progs cannot use bpf_spin_lock yet\n");
6724 return -EINVAL;
6725 }
6726
a3884572 6727 if ((bpf_prog_is_dev_bound(prog->aux) || bpf_map_is_dev_bound(map)) &&
09728266 6728 !bpf_offload_prog_map_match(prog, map)) {
a3884572
JK		 6729 verbose(env, "offload device mismatch between prog and map\n");
6730 return -EINVAL;
6731 }
6732
fdc15d38
AS		 6733 return 0;
6734}
6735
b741f163
RG		 6736static bool bpf_map_is_cgroup_storage(struct bpf_map *map)
6737{
6738 return (map->map_type == BPF_MAP_TYPE_CGROUP_STORAGE ||
6739 map->map_type == BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE);
6740}
6741
0246e64d
AS		 6742/* look for pseudo eBPF instructions that access map FDs and
6743 * replace them with actual map pointers
6744 */
58e2af8b 6745static int replace_map_fd_with_map_ptr(struct bpf_verifier_env *env)
0246e64d
AS		 6746{
6747 struct bpf_insn *insn = env->prog->insnsi;
6748 int insn_cnt = env->prog->len;
fdc15d38 6749 int i, j, err;
0246e64d 6750
f1f7714e 6751 err = bpf_prog_calc_tag(env->prog);
aafe6ae9
DB		 6752 if (err)
6753 return err;
6754
0246e64d 6755 for (i = 0; i < insn_cnt; i++, insn++) {
9bac3d6d 6756 if (BPF_CLASS(insn->code) == BPF_LDX &&
d691f9e8 6757 (BPF_MODE(insn->code) != BPF_MEM || insn->imm != 0)) {
61bd5218 6758 verbose(env, "BPF_LDX uses reserved fields\n");
9bac3d6d
AS		 6759 return -EINVAL;
6760 }
6761
d691f9e8
AS		 6762 if (BPF_CLASS(insn->code) == BPF_STX &&
6763 ((BPF_MODE(insn->code) != BPF_MEM &&
6764 BPF_MODE(insn->code) != BPF_XADD) || insn->imm != 0)) {
61bd5218 6765 verbose(env, "BPF_STX uses reserved fields\n");
d691f9e8
AS		 6766 return -EINVAL;
6767 }
6768
0246e64d
AS		 6769 if (insn[0].code == (BPF_LD | BPF_IMM | BPF_DW)) {
6770 struct bpf_map *map;
6771 struct fd f;
6772
6773 if (i == insn_cnt - 1 || insn[1].code != 0 ||
6774 insn[1].dst_reg != 0 || insn[1].src_reg != 0 ||
6775 insn[1].off != 0) {
61bd5218 6776 verbose(env, "invalid bpf_ld_imm64 insn\n");
0246e64d
AS		 6777 return -EINVAL;
6778 }
6779
6780 if (insn->src_reg == 0)
6781 /* valid generic load 64-bit imm */
6782 goto next_insn;
6783
20182390
DB		 6784 if (insn[0].src_reg != BPF_PSEUDO_MAP_FD ||
6785 insn[1].imm != 0) {
6786 verbose(env, "unrecognized bpf_ld_imm64 insn\n");
0246e64d
AS		 6787 return -EINVAL;
6788 }
6789
20182390 6790 f = fdget(insn[0].imm);
c2101297 6791 map = __bpf_map_get(f);
0246e64d 6792 if (IS_ERR(map)) {
61bd5218 6793 verbose(env, "fd %d is not pointing to valid bpf_map\n",
20182390 6794 insn[0].imm);
0246e64d
AS		 6795 return PTR_ERR(map);
6796 }
6797
61bd5218 6798 err = check_map_prog_compatibility(env, map, env->prog);
fdc15d38
AS		 6799 if (err) {
6800 fdput(f);
6801 return err;
6802 }
6803
0246e64d
AS		 6804 /* store map pointer inside BPF_LD_IMM64 instruction */
6805 insn[0].imm = (u32) (unsigned long) map;
6806 insn[1].imm = ((u64) (unsigned long) map) >> 32;
6807
6808 /* check whether we recorded this map already */
6809 for (j = 0; j < env->used_map_cnt; j++)
6810 if (env->used_maps[j] == map) {
6811 fdput(f);
6812 goto next_insn;
6813 }
6814
6815 if (env->used_map_cnt >= MAX_USED_MAPS) {
6816 fdput(f);
6817 return -E2BIG;
6818 }
6819
0246e64d
AS		 6820 /* hold the map. If the program is rejected by verifier,
6821 * the map will be released by release_maps() or it
6822 * will be used by the valid program until it's unloaded
ab7f5bf0 6823 * and all maps are released in free_used_maps()
0246e64d 6824 */
92117d84
AS		 6825 map = bpf_map_inc(map, false);
6826 if (IS_ERR(map)) {
6827 fdput(f);
6828 return PTR_ERR(map);
6829 }
6830 env->used_maps[env->used_map_cnt++] = map;
6831
b741f163 6832 if (bpf_map_is_cgroup_storage(map) &&
de9cbbaa 6833 bpf_cgroup_storage_assign(env->prog, map)) {
b741f163 6834 verbose(env, "only one cgroup storage of each type is allowed\n");
de9cbbaa
RG		 6835 fdput(f);
6836 return -EBUSY;
6837 }
6838
0246e64d
AS		 6839 fdput(f);
6840next_insn:
6841 insn++;
6842 i++;
5e581dad
DB		 6843 continue;
6844 }
6845
6846 /* Basic sanity check before we invest more work here. */
6847 if (!bpf_opcode_in_insntable(insn->code)) {
6848 verbose(env, "unknown opcode %02x\n", insn->code);
6849 return -EINVAL;
0246e64d
AS		 6850 }
6851 }
6852
6853 /* now all pseudo BPF_LD_IMM64 instructions load valid
6854 * 'struct bpf_map *' into a register instead of user map_fd.
6855 * These pointers will be used later by verifier to validate map access.
6856 */
6857 return 0;
6858}
6859
6860/* drop refcnt of maps used by the rejected program */
58e2af8b 6861static void release_maps(struct bpf_verifier_env *env)
0246e64d 6862{
8bad74f9 6863 enum bpf_cgroup_storage_type stype;
0246e64d
AS		 6864 int i;
6865
8bad74f9
RG		 6866 for_each_cgroup_storage_type(stype) {
6867 if (!env->prog->aux->cgroup_storage[stype])
6868 continue;
de9cbbaa 6869 bpf_cgroup_storage_release(env->prog,
8bad74f9
RG		 6870 env->prog->aux->cgroup_storage[stype]);
6871 }
de9cbbaa 6872
0246e64d
AS		 6873 for (i = 0; i < env->used_map_cnt; i++)
6874 bpf_map_put(env->used_maps[i]);
6875}
6876
6877/* convert pseudo BPF_LD_IMM64 into generic BPF_LD_IMM64 */
58e2af8b 6878static void convert_pseudo_ld_imm64(struct bpf_verifier_env *env)
0246e64d
AS		 6879{
6880 struct bpf_insn *insn = env->prog->insnsi;
6881 int insn_cnt = env->prog->len;
6882 int i;
6883
6884 for (i = 0; i < insn_cnt; i++, insn++)
6885 if (insn->code == (BPF_LD | BPF_IMM | BPF_DW))
6886 insn->src_reg = 0;
6887}
6888
8041902d
AS		 6889/* single env->prog->insni[off] instruction was replaced with the range
6890 * insni[off, off + cnt). Adjust corresponding insn_aux_data by copying
6891 * [0, off) and [off, end) to new locations, so the patched range stays zero
6892 */
6893static int adjust_insn_aux_data(struct bpf_verifier_env *env, u32 prog_len,
6894 u32 off, u32 cnt)
6895{
6896 struct bpf_insn_aux_data *new_data, *old_data = env->insn_aux_data;
c131187d 6897 int i;
8041902d
AS		 6898
6899 if (cnt == 1)
6900 return 0;
fad953ce
KC		 6901 new_data = vzalloc(array_size(prog_len,
6902 sizeof(struct bpf_insn_aux_data)));
8041902d
AS		 6903 if (!new_data)
6904 return -ENOMEM;
6905 memcpy(new_data, old_data, sizeof(struct bpf_insn_aux_data) * off);
6906 memcpy(new_data + off + cnt - 1, old_data + off,
6907 sizeof(struct bpf_insn_aux_data) * (prog_len - off - cnt + 1));
c131187d
AS		 6908 for (i = off; i < off + cnt - 1; i++)
6909 new_data[i].seen = true;
8041902d
AS		 6910 env->insn_aux_data = new_data;
6911 vfree(old_data);
6912 return 0;
6913}
6914
cc8b0b92
AS		 6915static void adjust_subprog_starts(struct bpf_verifier_env *env, u32 off, u32 len)
6916{
6917 int i;
6918
6919 if (len == 1)
6920 return;
4cb3d99c
JW		 6921 /* NOTE: fake 'exit' subprog should be updated as well. */
6922 for (i = 0; i <= env->subprog_cnt; i++) {
afd59424 6923 if (env->subprog_info[i].start <= off)
cc8b0b92 6924 continue;
9c8105bd 6925 env->subprog_info[i].start += len - 1;
cc8b0b92
AS		 6926 }
6927}
6928
8041902d
AS		 6929static struct bpf_prog *bpf_patch_insn_data(struct bpf_verifier_env *env, u32 off,
6930 const struct bpf_insn *patch, u32 len)
6931{
6932 struct bpf_prog *new_prog;
6933
6934 new_prog = bpf_patch_insn_single(env->prog, off, patch, len);
6935 if (!new_prog)
6936 return NULL;
6937 if (adjust_insn_aux_data(env, new_prog->len, off, len))
6938 return NULL;
cc8b0b92 6939 adjust_subprog_starts(env, off, len);
8041902d
AS		 6940 return new_prog;
6941}
6942
52875a04
JK		 6943static int adjust_subprog_starts_after_remove(struct bpf_verifier_env *env,
6944 u32 off, u32 cnt)
6945{
6946 int i, j;
6947
6948 /* find first prog starting at or after off (first to remove) */
6949 for (i = 0; i < env->subprog_cnt; i++)
6950 if (env->subprog_info[i].start >= off)
6951 break;
6952 /* find first prog starting at or after off + cnt (first to stay) */
6953 for (j = i; j < env->subprog_cnt; j++)
6954 if (env->subprog_info[j].start >= off + cnt)
6955 break;
6956 /* if j doesn't start exactly at off + cnt, we are just removing
6957 * the front of previous prog
6958 */
6959 if (env->subprog_info[j].start != off + cnt)
6960 j--;
6961
6962 if (j > i) {
6963 struct bpf_prog_aux *aux = env->prog->aux;
6964 int move;
6965
6966 /* move fake 'exit' subprog as well */
6967 move = env->subprog_cnt + 1 - j;
6968
6969 memmove(env->subprog_info + i,
6970 env->subprog_info + j,
6971 sizeof(*env->subprog_info) * move);
6972 env->subprog_cnt -= j - i;
6973
6974 /* remove func_info */
6975 if (aux->func_info) {
6976 move = aux->func_info_cnt - j;
6977
6978 memmove(aux->func_info + i,
6979 aux->func_info + j,
6980 sizeof(*aux->func_info) * move);
6981 aux->func_info_cnt -= j - i;
6982 /* func_info->insn_off is set after all code rewrites,
6983 * in adjust_btf_func() - no need to adjust
6984 */
6985 }
6986 } else {
6987 /* convert i from "first prog to remove" to "first to adjust" */
6988 if (env->subprog_info[i].start == off)
6989 i++;
6990 }
6991
6992 /* update fake 'exit' subprog as well */
6993 for (; i <= env->subprog_cnt; i++)
6994 env->subprog_info[i].start -= cnt;
6995
6996 return 0;
6997}
6998
6999static int bpf_adj_linfo_after_remove(struct bpf_verifier_env *env, u32 off,
7000 u32 cnt)
7001{
7002 struct bpf_prog *prog = env->prog;
7003 u32 i, l_off, l_cnt, nr_linfo;
7004 struct bpf_line_info *linfo;
7005
7006 nr_linfo = prog->aux->nr_linfo;
7007 if (!nr_linfo)
7008 return 0;
7009
7010 linfo = prog->aux->linfo;
7011
7012 /* find first line info to remove, count lines to be removed */
7013 for (i = 0; i < nr_linfo; i++)
7014 if (linfo[i].insn_off >= off)
7015 break;
7016
7017 l_off = i;
7018 l_cnt = 0;
7019 for (; i < nr_linfo; i++)
7020 if (linfo[i].insn_off < off + cnt)
7021 l_cnt++;
7022 else
7023 break;
7024
7025 /* First live insn doesn't match first live linfo, it needs to "inherit"
7026 * last removed linfo. prog is already modified, so prog->len == off
7027 * means no live instructions after (tail of the program was removed).
7028 */
7029 if (prog->len != off && l_cnt &&
7030 (i == nr_linfo || linfo[i].insn_off != off + cnt)) {
7031 l_cnt--;
7032 linfo[--i].insn_off = off + cnt;
7033 }
7034
7035 /* remove the line info which refer to the removed instructions */
7036 if (l_cnt) {
7037 memmove(linfo + l_off, linfo + i,
7038 sizeof(*linfo) * (nr_linfo - i));
7039
7040 prog->aux->nr_linfo -= l_cnt;
7041 nr_linfo = prog->aux->nr_linfo;
7042 }
7043
7044 /* pull all linfo[i].insn_off >= off + cnt in by cnt */
7045 for (i = l_off; i < nr_linfo; i++)
7046 linfo[i].insn_off -= cnt;
7047
7048 /* fix up all subprogs (incl. 'exit') which start >= off */
7049 for (i = 0; i <= env->subprog_cnt; i++)
7050 if (env->subprog_info[i].linfo_idx > l_off) {
7051 /* program may have started in the removed region but
7052 * may not be fully removed
7053 */
7054 if (env->subprog_info[i].linfo_idx >= l_off + l_cnt)
7055 env->subprog_info[i].linfo_idx -= l_cnt;
7056 else
7057 env->subprog_info[i].linfo_idx = l_off;
7058 }
7059
7060 return 0;
7061}
7062
7063static int verifier_remove_insns(struct bpf_verifier_env *env, u32 off, u32 cnt)
7064{
7065 struct bpf_insn_aux_data *aux_data = env->insn_aux_data;
7066 unsigned int orig_prog_len = env->prog->len;
7067 int err;
7068
08ca90af
JK		 7069 if (bpf_prog_is_dev_bound(env->prog->aux))
7070 bpf_prog_offload_remove_insns(env, off, cnt);
7071
52875a04
JK		 7072 err = bpf_remove_insns(env->prog, off, cnt);
7073 if (err)
7074 return err;
7075
7076 err = adjust_subprog_starts_after_remove(env, off, cnt);
7077 if (err)
7078 return err;
7079
7080 err = bpf_adj_linfo_after_remove(env, off, cnt);
7081 if (err)
7082 return err;
7083
7084 memmove(aux_data + off, aux_data + off + cnt,
7085 sizeof(*aux_data) * (orig_prog_len - off - cnt));
7086
7087 return 0;
7088}
7089
2a5418a1
DB		 7090/* The verifier does more data flow analysis than llvm and will not
7091 * explore branches that are dead at run time. Malicious programs can
7092 * have dead code too. Therefore replace all dead at-run-time code
7093 * with 'ja -1'.
7094 *
7095 * Just nops are not optimal, e.g. if they would sit at the end of the
7096 * program and through another bug we would manage to jump there, then
7097 * we'd execute beyond program memory otherwise. Returning exception
7098 * code also wouldn't work since we can have subprogs where the dead
7099 * code could be located.
c131187d
AS		 7100 */
7101static void sanitize_dead_code(struct bpf_verifier_env *env)
7102{
7103 struct bpf_insn_aux_data *aux_data = env->insn_aux_data;
2a5418a1 7104 struct bpf_insn trap = BPF_JMP_IMM(BPF_JA, 0, 0, -1);
c131187d
AS		 7105 struct bpf_insn *insn = env->prog->insnsi;
7106 const int insn_cnt = env->prog->len;
7107 int i;
7108
7109 for (i = 0; i < insn_cnt; i++) {
7110 if (aux_data[i].seen)
7111 continue;
2a5418a1 7112 memcpy(insn + i, &trap, sizeof(trap));
c131187d
AS		 7113 }
7114}
7115
e2ae4ca2
JK		 7116static bool insn_is_cond_jump(u8 code)
7117{
7118 u8 op;
7119
092ed096
JW		 7120 if (BPF_CLASS(code) == BPF_JMP32)
7121 return true;
7122
e2ae4ca2
JK		 7123 if (BPF_CLASS(code) != BPF_JMP)
7124 return false;
7125
7126 op = BPF_OP(code);
7127 return op != BPF_JA && op != BPF_EXIT && op != BPF_CALL;
7128}
7129
7130static void opt_hard_wire_dead_code_branches(struct bpf_verifier_env *env)
7131{
7132 struct bpf_insn_aux_data *aux_data = env->insn_aux_data;
7133 struct bpf_insn ja = BPF_JMP_IMM(BPF_JA, 0, 0, 0);
7134 struct bpf_insn *insn = env->prog->insnsi;
7135 const int insn_cnt = env->prog->len;
7136 int i;
7137
7138 for (i = 0; i < insn_cnt; i++, insn++) {
7139 if (!insn_is_cond_jump(insn->code))
7140 continue;
7141
7142 if (!aux_data[i + 1].seen)
7143 ja.off = insn->off;
7144 else if (!aux_data[i + 1 + insn->off].seen)
7145 ja.off = 0;
7146 else
7147 continue;
7148
08ca90af
JK		 7149 if (bpf_prog_is_dev_bound(env->prog->aux))
7150 bpf_prog_offload_replace_insn(env, i, &ja);
7151
e2ae4ca2
JK		 7152 memcpy(insn, &ja, sizeof(ja));
7153 }
7154}
7155
52875a04
JK		 7156static int opt_remove_dead_code(struct bpf_verifier_env *env)
7157{
7158 struct bpf_insn_aux_data *aux_data = env->insn_aux_data;
7159 int insn_cnt = env->prog->len;
7160 int i, err;
7161
7162 for (i = 0; i < insn_cnt; i++) {
7163 int j;
7164
7165 j = 0;
7166 while (i + j < insn_cnt && !aux_data[i + j].seen)
7167 j++;
7168 if (!j)
7169 continue;
7170
7171 err = verifier_remove_insns(env, i, j);
7172 if (err)
7173 return err;
7174 insn_cnt = env->prog->len;
7175 }
7176
7177 return 0;
7178}
7179
a1b14abc
JK		 7180static int opt_remove_nops(struct bpf_verifier_env *env)
7181{
7182 const struct bpf_insn ja = BPF_JMP_IMM(BPF_JA, 0, 0, 0);
7183 struct bpf_insn *insn = env->prog->insnsi;
7184 int insn_cnt = env->prog->len;
7185 int i, err;
7186
7187 for (i = 0; i < insn_cnt; i++) {
7188 if (memcmp(&insn[i], &ja, sizeof(ja)))
7189 continue;
7190
7191 err = verifier_remove_insns(env, i, 1);
7192 if (err)
7193 return err;
7194 insn_cnt--;
7195 i--;
7196 }
7197
7198 return 0;
7199}
7200
c64b7983
JS		 7201/* convert load instructions that access fields of a context type into a
7202 * sequence of instructions that access fields of the underlying structure:
7203 * struct __sk_buff -> struct sk_buff
7204 * struct bpf_sock_ops -> struct sock
9bac3d6d 7205 */
58e2af8b 7206static int convert_ctx_accesses(struct bpf_verifier_env *env)
9bac3d6d 7207{
00176a34 7208 const struct bpf_verifier_ops *ops = env->ops;
f96da094 7209 int i, cnt, size, ctx_field_size, delta = 0;
3df126f3 7210 const int insn_cnt = env->prog->len;
36bbef52 7211 struct bpf_insn insn_buf[16], *insn;
46f53a65 7212 u32 target_size, size_default, off;
9bac3d6d 7213 struct bpf_prog *new_prog;
d691f9e8 7214 enum bpf_access_type type;
f96da094 7215 bool is_narrower_load;
9bac3d6d 7216
b09928b9
DB		 7217 if (ops->gen_prologue || env->seen_direct_write) {
7218 if (!ops->gen_prologue) {
7219 verbose(env, "bpf verifier is misconfigured\n");
7220 return -EINVAL;
7221 }
36bbef52
DB		 7222 cnt = ops->gen_prologue(insn_buf, env->seen_direct_write,
7223 env->prog);
7224 if (cnt >= ARRAY_SIZE(insn_buf)) {
61bd5218 7225 verbose(env, "bpf verifier is misconfigured\n");
36bbef52
DB		 7226 return -EINVAL;
7227 } else if (cnt) {
8041902d 7228 new_prog = bpf_patch_insn_data(env, 0, insn_buf, cnt);
36bbef52
DB		 7229 if (!new_prog)
7230 return -ENOMEM;
8041902d 7231
36bbef52 7232 env->prog = new_prog;
3df126f3 7233 delta += cnt - 1;
36bbef52
DB		 7234 }
7235 }
7236
c64b7983 7237 if (bpf_prog_is_dev_bound(env->prog->aux))
9bac3d6d
AS		 7238 return 0;
7239
3df126f3 7240 insn = env->prog->insnsi + delta;
36bbef52 7241
9bac3d6d 7242 for (i = 0; i < insn_cnt; i++, insn++) {
c64b7983
JS		 7243 bpf_convert_ctx_access_t convert_ctx_access;
7244
62c7989b
DB		 7245 if (insn->code == (BPF_LDX | BPF_MEM | BPF_B) ||
7246 insn->code == (BPF_LDX | BPF_MEM | BPF_H) ||
7247 insn->code == (BPF_LDX | BPF_MEM | BPF_W) ||
ea2e7ce5 7248 insn->code == (BPF_LDX | BPF_MEM | BPF_DW))
d691f9e8 7249 type = BPF_READ;
62c7989b
DB		 7250 else if (insn->code == (BPF_STX | BPF_MEM | BPF_B) ||
7251 insn->code == (BPF_STX | BPF_MEM | BPF_H) ||
7252 insn->code == (BPF_STX | BPF_MEM | BPF_W) ||
ea2e7ce5 7253 insn->code == (BPF_STX | BPF_MEM | BPF_DW))
d691f9e8
AS		 7254 type = BPF_WRITE;
7255 else
9bac3d6d
AS		 7256 continue;
7257
af86ca4e
AS		 7258 if (type == BPF_WRITE &&
7259 env->insn_aux_data[i + delta].sanitize_stack_off) {
7260 struct bpf_insn patch[] = {
7261 /* Sanitize suspicious stack slot with zero.
7262 * There are no memory dependencies for this store,
7263 * since it's only using frame pointer and immediate
7264 * constant of zero
7265 */
7266 BPF_ST_MEM(BPF_DW, BPF_REG_FP,
7267 env->insn_aux_data[i + delta].sanitize_stack_off,
7268 0),
7269 /* the original STX instruction will immediately
7270 * overwrite the same stack slot with appropriate value
7271 */
7272 *insn,
7273 };
7274
7275 cnt = ARRAY_SIZE(patch);
7276 new_prog = bpf_patch_insn_data(env, i + delta, patch, cnt);
7277 if (!new_prog)
7278 return -ENOMEM;
7279
7280 delta += cnt - 1;
7281 env->prog = new_prog;
7282 insn = new_prog->insnsi + i + delta;
7283 continue;
7284 }
7285
c64b7983
JS		 7286 switch (env->insn_aux_data[i + delta].ptr_type) {
7287 case PTR_TO_CTX:
7288 if (!ops->convert_ctx_access)
7289 continue;
7290 convert_ctx_access = ops->convert_ctx_access;
7291 break;
7292 case PTR_TO_SOCKET:
46f8bc92 7293 case PTR_TO_SOCK_COMMON:
c64b7983
JS		 7294 convert_ctx_access = bpf_sock_convert_ctx_access;
7295 break;
655a51e5
MKL		 7296 case PTR_TO_TCP_SOCK:
7297 convert_ctx_access = bpf_tcp_sock_convert_ctx_access;
7298 break;
c64b7983 7299 default:
9bac3d6d 7300 continue;
c64b7983 7301 }
9bac3d6d 7302
31fd8581 7303 ctx_field_size = env->insn_aux_data[i + delta].ctx_field_size;
f96da094 7304 size = BPF_LDST_BYTES(insn);
31fd8581
YS		 7305
7306 /* If the read access is a narrower load of the field,
7307 * convert to a 4/8-byte load, to minimum program type specific
7308 * convert_ctx_access changes. If conversion is successful,
7309 * we will apply proper mask to the result.
7310 */
f96da094 7311 is_narrower_load = size < ctx_field_size;
46f53a65
AI		 7312 size_default = bpf_ctx_off_adjust_machine(ctx_field_size);
7313 off = insn->off;
31fd8581 7314 if (is_narrower_load) {
f96da094
DB		 7315 u8 size_code;
7316
7317 if (type == BPF_WRITE) {
61bd5218 7318 verbose(env, "bpf verifier narrow ctx access misconfigured\n");
f96da094
DB		 7319 return -EINVAL;
7320 }
31fd8581 7321
f96da094 7322 size_code = BPF_H;
31fd8581
YS		 7323 if (ctx_field_size == 4)
7324 size_code = BPF_W;
7325 else if (ctx_field_size == 8)
7326 size_code = BPF_DW;
f96da094 7327
bc23105c 7328 insn->off = off & ~(size_default - 1);
31fd8581
YS		 7329 insn->code = BPF_LDX | BPF_MEM | size_code;
7330 }
f96da094
DB		 7331
7332 target_size = 0;
c64b7983
JS		 7333 cnt = convert_ctx_access(type, insn, insn_buf, env->prog,
7334 &target_size);
f96da094
DB		 7335 if (cnt == 0 || cnt >= ARRAY_SIZE(insn_buf) ||
7336 (ctx_field_size && !target_size)) {
61bd5218 7337 verbose(env, "bpf verifier is misconfigured\n");
9bac3d6d
AS		 7338 return -EINVAL;
7339 }
f96da094
DB		 7340
7341 if (is_narrower_load && size < target_size) {
46f53a65
AI		 7342 u8 shift = (off & (size_default - 1)) * 8;
7343
7344 if (ctx_field_size <= 4) {
7345 if (shift)
7346 insn_buf[cnt++] = BPF_ALU32_IMM(BPF_RSH,
7347 insn->dst_reg,
7348 shift);
31fd8581 7349 insn_buf[cnt++] = BPF_ALU32_IMM(BPF_AND, insn->dst_reg,
f96da094 7350 (1 << size * 8) - 1);
46f53a65
AI		 7351 } else {
7352 if (shift)
7353 insn_buf[cnt++] = BPF_ALU64_IMM(BPF_RSH,
7354 insn->dst_reg,
7355 shift);
31fd8581 7356 insn_buf[cnt++] = BPF_ALU64_IMM(BPF_AND, insn->dst_reg,
f96da094 7357 (1 << size * 8) - 1);
46f53a65 7358 }
31fd8581 7359 }
9bac3d6d 7360
8041902d 7361 new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
9bac3d6d
AS		 7362 if (!new_prog)
7363 return -ENOMEM;
7364
3df126f3 7365 delta += cnt - 1;
9bac3d6d
AS		 7366
7367 /* keep walking new program and skip insns we just inserted */
7368 env->prog = new_prog;
3df126f3 7369 insn = new_prog->insnsi + i + delta;
9bac3d6d
AS		 7370 }
7371
7372 return 0;
7373}
7374
1c2a088a
AS		 7375static int jit_subprogs(struct bpf_verifier_env *env)
7376{
7377 struct bpf_prog *prog = env->prog, **func, *tmp;
7378 int i, j, subprog_start, subprog_end = 0, len, subprog;
7105e828 7379 struct bpf_insn *insn;
1c2a088a 7380 void *old_bpf_func;
c454a46b 7381 int err;
1c2a088a 7382
f910cefa 7383 if (env->subprog_cnt <= 1)
1c2a088a
AS		 7384 return 0;
7385
7105e828 7386 for (i = 0, insn = prog->insnsi; i < prog->len; i++, insn++) {
1c2a088a
AS		 7387 if (insn->code != (BPF_JMP | BPF_CALL) ||
7388 insn->src_reg != BPF_PSEUDO_CALL)
7389 continue;
c7a89784
DB		 7390 /* Upon error here we cannot fall back to interpreter but
7391 * need a hard reject of the program. Thus -EFAULT is
7392 * propagated in any case.
7393 */
1c2a088a
AS		 7394 subprog = find_subprog(env, i + insn->imm + 1);
7395 if (subprog < 0) {
7396 WARN_ONCE(1, "verifier bug. No program starts at insn %d\n",
7397 i + insn->imm + 1);
7398 return -EFAULT;
7399 }
7400 /* temporarily remember subprog id inside insn instead of
7401 * aux_data, since next loop will split up all insns into funcs
7402 */
f910cefa 7403 insn->off = subprog;
1c2a088a
AS		 7404 /* remember original imm in case JIT fails and fallback
7405 * to interpreter will be needed
7406 */
7407 env->insn_aux_data[i].call_imm = insn->imm;
7408 /* point imm to __bpf_call_base+1 from JITs point of view */
7409 insn->imm = 1;
7410 }
7411
c454a46b
MKL		 7412 err = bpf_prog_alloc_jited_linfo(prog);
7413 if (err)
7414 goto out_undo_insn;
7415
7416 err = -ENOMEM;
6396bb22 7417 func = kcalloc(env->subprog_cnt, sizeof(prog), GFP_KERNEL);
1c2a088a 7418 if (!func)
c7a89784 7419 goto out_undo_insn;
1c2a088a 7420
f910cefa 7421 for (i = 0; i < env->subprog_cnt; i++) {
1c2a088a 7422 subprog_start = subprog_end;
4cb3d99c 7423 subprog_end = env->subprog_info[i + 1].start;
1c2a088a
AS		 7424
7425 len = subprog_end - subprog_start;
492ecee8
AS		 7426 /* BPF_PROG_RUN doesn't call subprogs directly,
7427 * hence main prog stats include the runtime of subprogs.
7428 * subprogs don't have IDs and not reachable via prog_get_next_id
7429 * func[i]->aux->stats will never be accessed and stays NULL
7430 */
7431 func[i] = bpf_prog_alloc_no_stats(bpf_prog_size(len), GFP_USER);
1c2a088a
AS		 7432 if (!func[i])
7433 goto out_free;
7434 memcpy(func[i]->insnsi, &prog->insnsi[subprog_start],
7435 len * sizeof(struct bpf_insn));
4f74d809 7436 func[i]->type = prog->type;
1c2a088a 7437 func[i]->len = len;
4f74d809
DB		 7438 if (bpf_prog_calc_tag(func[i]))
7439 goto out_free;
1c2a088a 7440 func[i]->is_func = 1;
ba64e7d8
YS		 7441 func[i]->aux->func_idx = i;
7442 /* the btf and func_info will be freed only at prog->aux */
7443 func[i]->aux->btf = prog->aux->btf;
7444 func[i]->aux->func_info = prog->aux->func_info;
7445
1c2a088a
AS		 7446 /* Use bpf_prog_F_tag to indicate functions in stack traces.
7447 * Long term would need debug info to populate names
7448 */
7449 func[i]->aux->name[0] = 'F';
9c8105bd 7450 func[i]->aux->stack_depth = env->subprog_info[i].stack_depth;
1c2a088a 7451 func[i]->jit_requested = 1;
c454a46b
MKL		 7452 func[i]->aux->linfo = prog->aux->linfo;
7453 func[i]->aux->nr_linfo = prog->aux->nr_linfo;
7454 func[i]->aux->jited_linfo = prog->aux->jited_linfo;
7455 func[i]->aux->linfo_idx = env->subprog_info[i].linfo_idx;
1c2a088a
AS		 7456 func[i] = bpf_int_jit_compile(func[i]);
7457 if (!func[i]->jited) {
7458 err = -ENOTSUPP;
7459 goto out_free;
7460 }
7461 cond_resched();
7462 }
7463 /* at this point all bpf functions were successfully JITed
7464 * now populate all bpf_calls with correct addresses and
7465 * run last pass of JIT
7466 */
f910cefa 7467 for (i = 0; i < env->subprog_cnt; i++) {
1c2a088a
AS		 7468 insn = func[i]->insnsi;
7469 for (j = 0; j < func[i]->len; j++, insn++) {
7470 if (insn->code != (BPF_JMP | BPF_CALL) ||
7471 insn->src_reg != BPF_PSEUDO_CALL)
7472 continue;
7473 subprog = insn->off;
1c2a088a
AS		 7474 insn->imm = (u64 (*)(u64, u64, u64, u64, u64))
7475 func[subprog]->bpf_func -
7476 __bpf_call_base;
7477 }
2162fed4
SD		 7478
7479 /* we use the aux data to keep a list of the start addresses
7480 * of the JITed images for each function in the program
7481 *
7482 * for some architectures, such as powerpc64, the imm field
7483 * might not be large enough to hold the offset of the start
7484 * address of the callee's JITed image from __bpf_call_base
7485 *
7486 * in such cases, we can lookup the start address of a callee
7487 * by using its subprog id, available from the off field of
7488 * the call instruction, as an index for this list
7489 */
7490 func[i]->aux->func = func;
7491 func[i]->aux->func_cnt = env->subprog_cnt;
1c2a088a 7492 }
f910cefa 7493 for (i = 0; i < env->subprog_cnt; i++) {
1c2a088a
AS		 7494 old_bpf_func = func[i]->bpf_func;
7495 tmp = bpf_int_jit_compile(func[i]);
7496 if (tmp != func[i] || func[i]->bpf_func != old_bpf_func) {
7497 verbose(env, "JIT doesn't support bpf-to-bpf calls\n");
c7a89784 7498 err = -ENOTSUPP;
1c2a088a
AS		 7499 goto out_free;
7500 }
7501 cond_resched();
7502 }
7503
7504 /* finally lock prog and jit images for all functions and
7505 * populate kallsysm
7506 */
f910cefa 7507 for (i = 0; i < env->subprog_cnt; i++) {
1c2a088a
AS		 7508 bpf_prog_lock_ro(func[i]);
7509 bpf_prog_kallsyms_add(func[i]);
7510 }
7105e828
DB		 7511
7512 /* Last step: make now unused interpreter insns from main
7513 * prog consistent for later dump requests, so they can
7514 * later look the same as if they were interpreted only.
7515 */
7516 for (i = 0, insn = prog->insnsi; i < prog->len; i++, insn++) {
7105e828
DB		 7517 if (insn->code != (BPF_JMP | BPF_CALL) ||
7518 insn->src_reg != BPF_PSEUDO_CALL)
7519 continue;
7520 insn->off = env->insn_aux_data[i].call_imm;
7521 subprog = find_subprog(env, i + insn->off + 1);
dbecd738 7522 insn->imm = subprog;
7105e828
DB		 7523 }
7524
1c2a088a
AS		 7525 prog->jited = 1;
7526 prog->bpf_func = func[0]->bpf_func;
7527 prog->aux->func = func;
f910cefa 7528 prog->aux->func_cnt = env->subprog_cnt;
c454a46b 7529 bpf_prog_free_unused_jited_linfo(prog);
1c2a088a
AS		 7530 return 0;
7531out_free:
f910cefa 7532 for (i = 0; i < env->subprog_cnt; i++)
1c2a088a
AS		 7533 if (func[i])
7534 bpf_jit_free(func[i]);
7535 kfree(func);
c7a89784 7536out_undo_insn:
1c2a088a
AS		 7537 /* cleanup main prog to be interpreted */
7538 prog->jit_requested = 0;
7539 for (i = 0, insn = prog->insnsi; i < prog->len; i++, insn++) {
7540 if (insn->code != (BPF_JMP | BPF_CALL) ||
7541 insn->src_reg != BPF_PSEUDO_CALL)
7542 continue;
7543 insn->off = 0;
7544 insn->imm = env->insn_aux_data[i].call_imm;
7545 }
c454a46b 7546 bpf_prog_free_jited_linfo(prog);
1c2a088a
AS		 7547 return err;
7548}
7549
1ea47e01
AS		 7550static int fixup_call_args(struct bpf_verifier_env *env)
7551{
19d28fbd 7552#ifndef CONFIG_BPF_JIT_ALWAYS_ON
1ea47e01
AS		 7553 struct bpf_prog *prog = env->prog;
7554 struct bpf_insn *insn = prog->insnsi;
7555 int i, depth;
19d28fbd 7556#endif
e4052d06 7557 int err = 0;
1ea47e01 7558
e4052d06
QM		 7559 if (env->prog->jit_requested &&
7560 !bpf_prog_is_dev_bound(env->prog->aux)) {
19d28fbd
DM		 7561 err = jit_subprogs(env);
7562 if (err == 0)
1c2a088a 7563 return 0;
c7a89784
DB		 7564 if (err == -EFAULT)
7565 return err;
19d28fbd
DM		 7566 }
7567#ifndef CONFIG_BPF_JIT_ALWAYS_ON
1ea47e01
AS		 7568 for (i = 0; i < prog->len; i++, insn++) {
7569 if (insn->code != (BPF_JMP | BPF_CALL) ||
7570 insn->src_reg != BPF_PSEUDO_CALL)
7571 continue;
7572 depth = get_callee_stack_depth(env, insn, i);
7573 if (depth < 0)
7574 return depth;
7575 bpf_patch_call_args(insn, depth);
7576 }
19d28fbd
DM		 7577 err = 0;
7578#endif
7579 return err;
1ea47e01
AS		 7580}
7581
79741b3b 7582/* fixup insn->imm field of bpf_call instructions
81ed18ab 7583 * and inline eligible helpers as explicit sequence of BPF instructions
e245c5c6
AS		 7584 *
7585 * this function is called after eBPF program passed verification
7586 */
79741b3b 7587static int fixup_bpf_calls(struct bpf_verifier_env *env)
e245c5c6 7588{
79741b3b
AS		 7589 struct bpf_prog *prog = env->prog;
7590 struct bpf_insn *insn = prog->insnsi;
e245c5c6 7591 const struct bpf_func_proto *fn;
79741b3b 7592 const int insn_cnt = prog->len;
09772d92 7593 const struct bpf_map_ops *ops;
c93552c4 7594 struct bpf_insn_aux_data *aux;
81ed18ab
AS		 7595 struct bpf_insn insn_buf[16];
7596 struct bpf_prog *new_prog;
7597 struct bpf_map *map_ptr;
7598 int i, cnt, delta = 0;
e245c5c6 7599
79741b3b 7600 for (i = 0; i < insn_cnt; i++, insn++) {
f6b1b3bf
DB		 7601 if (insn->code == (BPF_ALU64 | BPF_MOD | BPF_X) ||
7602 insn->code == (BPF_ALU64 | BPF_DIV | BPF_X) ||
7603 insn->code == (BPF_ALU | BPF_MOD | BPF_X) ||
68fda450 7604 insn->code == (BPF_ALU | BPF_DIV | BPF_X)) {
f6b1b3bf
DB		 7605 bool is64 = BPF_CLASS(insn->code) == BPF_ALU64;
7606 struct bpf_insn mask_and_div[] = {
7607 BPF_MOV32_REG(insn->src_reg, insn->src_reg),
7608 /* Rx div 0 -> 0 */
7609 BPF_JMP_IMM(BPF_JNE, insn->src_reg, 0, 2),
7610 BPF_ALU32_REG(BPF_XOR, insn->dst_reg, insn->dst_reg),
7611 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7612 *insn,
7613 };
7614 struct bpf_insn mask_and_mod[] = {
7615 BPF_MOV32_REG(insn->src_reg, insn->src_reg),
7616 /* Rx mod 0 -> Rx */
7617 BPF_JMP_IMM(BPF_JEQ, insn->src_reg, 0, 1),
7618 *insn,
7619 };
7620 struct bpf_insn *patchlet;
7621
7622 if (insn->code == (BPF_ALU64 | BPF_DIV | BPF_X) ||
7623 insn->code == (BPF_ALU | BPF_DIV | BPF_X)) {
7624 patchlet = mask_and_div + (is64 ? 1 : 0);
7625 cnt = ARRAY_SIZE(mask_and_div) - (is64 ? 1 : 0);
7626 } else {
7627 patchlet = mask_and_mod + (is64 ? 1 : 0);
7628 cnt = ARRAY_SIZE(mask_and_mod) - (is64 ? 1 : 0);
7629 }
7630
7631 new_prog = bpf_patch_insn_data(env, i + delta, patchlet, cnt);
68fda450
AS		 7632 if (!new_prog)
7633 return -ENOMEM;
7634
7635 delta += cnt - 1;
7636 env->prog = prog = new_prog;
7637 insn = new_prog->insnsi + i + delta;
7638 continue;
7639 }
7640
e0cea7ce
DB		 7641 if (BPF_CLASS(insn->code) == BPF_LD &&
7642 (BPF_MODE(insn->code) == BPF_ABS ||
7643 BPF_MODE(insn->code) == BPF_IND)) {
7644 cnt = env->ops->gen_ld_abs(insn, insn_buf);
7645 if (cnt == 0 || cnt >= ARRAY_SIZE(insn_buf)) {
7646 verbose(env, "bpf verifier is misconfigured\n");
7647 return -EINVAL;
7648 }
7649
7650 new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
7651 if (!new_prog)
7652 return -ENOMEM;
7653
7654 delta += cnt - 1;
7655 env->prog = prog = new_prog;
7656 insn = new_prog->insnsi + i + delta;
7657 continue;
7658 }
7659
979d63d5
DB		 7660 if (insn->code == (BPF_ALU64 | BPF_ADD | BPF_X) ||
7661 insn->code == (BPF_ALU64 | BPF_SUB | BPF_X)) {
7662 const u8 code_add = BPF_ALU64 | BPF_ADD | BPF_X;
7663 const u8 code_sub = BPF_ALU64 | BPF_SUB | BPF_X;
7664 struct bpf_insn insn_buf[16];
7665 struct bpf_insn *patch = &insn_buf[0];
7666 bool issrc, isneg;
7667 u32 off_reg;
7668
7669 aux = &env->insn_aux_data[i + delta];
3612af78
DB		 7670 if (!aux->alu_state ||
7671 aux->alu_state == BPF_ALU_NON_POINTER)
979d63d5
DB		 7672 continue;
7673
7674 isneg = aux->alu_state & BPF_ALU_NEG_VALUE;
7675 issrc = (aux->alu_state & BPF_ALU_SANITIZE) ==
7676 BPF_ALU_SANITIZE_SRC;
7677
7678 off_reg = issrc ? insn->src_reg : insn->dst_reg;
7679 if (isneg)
7680 *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1);
7681 *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit - 1);
7682 *patch++ = BPF_ALU64_REG(BPF_SUB, BPF_REG_AX, off_reg);
7683 *patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg);
7684 *patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0);
7685 *patch++ = BPF_ALU64_IMM(BPF_ARSH, BPF_REG_AX, 63);
7686 if (issrc) {
7687 *patch++ = BPF_ALU64_REG(BPF_AND, BPF_REG_AX,
7688 off_reg);
7689 insn->src_reg = BPF_REG_AX;
7690 } else {
7691 *patch++ = BPF_ALU64_REG(BPF_AND, off_reg,
7692 BPF_REG_AX);
7693 }
7694 if (isneg)
7695 insn->code = insn->code == code_add ?
7696 code_sub : code_add;
7697 *patch++ = *insn;
7698 if (issrc && isneg)
7699 *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1);
7700 cnt = patch - insn_buf;
7701
7702 new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
7703 if (!new_prog)
7704 return -ENOMEM;
7705
7706 delta += cnt - 1;
7707 env->prog = prog = new_prog;
7708 insn = new_prog->insnsi + i + delta;
7709 continue;
7710 }
7711
79741b3b
AS		 7712 if (insn->code != (BPF_JMP | BPF_CALL))
7713 continue;
cc8b0b92
AS		 7714 if (insn->src_reg == BPF_PSEUDO_CALL)
7715 continue;
e245c5c6 7716
79741b3b
AS		 7717 if (insn->imm == BPF_FUNC_get_route_realm)
7718 prog->dst_needed = 1;
7719 if (insn->imm == BPF_FUNC_get_prandom_u32)
7720 bpf_user_rnd_init_once();
9802d865
JB		 7721 if (insn->imm == BPF_FUNC_override_return)
7722 prog->kprobe_override = 1;
79741b3b 7723 if (insn->imm == BPF_FUNC_tail_call) {
7b9f6da1
DM		 7724 /* If we tail call into other programs, we
7725 * cannot make any assumptions since they can
7726 * be replaced dynamically during runtime in
7727 * the program array.
7728 */
7729 prog->cb_access = 1;
80a58d02 7730 env->prog->aux->stack_depth = MAX_BPF_STACK;
e647815a 7731 env->prog->aux->max_pkt_offset = MAX_PACKET_OFF;
7b9f6da1 7732
79741b3b
AS		 7733 /* mark bpf_tail_call as different opcode to avoid
7734 * conditional branch in the interpeter for every normal
7735 * call and to prevent accidental JITing by JIT compiler
7736 * that doesn't support bpf_tail_call yet
e245c5c6 7737 */
79741b3b 7738 insn->imm = 0;
71189fa9 7739 insn->code = BPF_JMP | BPF_TAIL_CALL;
b2157399 7740
c93552c4
DB		 7741 aux = &env->insn_aux_data[i + delta];
7742 if (!bpf_map_ptr_unpriv(aux))
7743 continue;
7744
b2157399
AS		 7745 /* instead of changing every JIT dealing with tail_call
7746 * emit two extra insns:
7747 * if (index >= max_entries) goto out;
7748 * index &= array->index_mask;
7749 * to avoid out-of-bounds cpu speculation
7750 */
c93552c4 7751 if (bpf_map_ptr_poisoned(aux)) {
40950343 7752 verbose(env, "tail_call abusing map_ptr\n");
b2157399
AS		 7753 return -EINVAL;
7754 }
c93552c4
DB		 7755
7756 map_ptr = BPF_MAP_PTR(aux->map_state);
b2157399
AS		 7757 insn_buf[0] = BPF_JMP_IMM(BPF_JGE, BPF_REG_3,
7758 map_ptr->max_entries, 2);
7759 insn_buf[1] = BPF_ALU32_IMM(BPF_AND, BPF_REG_3,
7760 container_of(map_ptr,
7761 struct bpf_array,
7762 map)->index_mask);
7763 insn_buf[2] = *insn;
7764 cnt = 3;
7765 new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
7766 if (!new_prog)
7767 return -ENOMEM;
7768
7769 delta += cnt - 1;
7770 env->prog = prog = new_prog;
7771 insn = new_prog->insnsi + i + delta;
79741b3b
AS		 7772 continue;
7773 }
e245c5c6 7774
89c63074 7775 /* BPF_EMIT_CALL() assumptions in some of the map_gen_lookup
09772d92
DB		 7776 * and other inlining handlers are currently limited to 64 bit
7777 * only.
89c63074 7778 */
60b58afc 7779 if (prog->jit_requested && BITS_PER_LONG == 64 &&
09772d92
DB		 7780 (insn->imm == BPF_FUNC_map_lookup_elem ||
7781 insn->imm == BPF_FUNC_map_update_elem ||
84430d42
DB		 7782 insn->imm == BPF_FUNC_map_delete_elem ||
7783 insn->imm == BPF_FUNC_map_push_elem ||
7784 insn->imm == BPF_FUNC_map_pop_elem ||
7785 insn->imm == BPF_FUNC_map_peek_elem)) {
c93552c4
DB		 7786 aux = &env->insn_aux_data[i + delta];
7787 if (bpf_map_ptr_poisoned(aux))
7788 goto patch_call_imm;
7789
7790 map_ptr = BPF_MAP_PTR(aux->map_state);
09772d92
DB		 7791 ops = map_ptr->ops;
7792 if (insn->imm == BPF_FUNC_map_lookup_elem &&
7793 ops->map_gen_lookup) {
7794 cnt = ops->map_gen_lookup(map_ptr, insn_buf);
7795 if (cnt == 0 || cnt >= ARRAY_SIZE(insn_buf)) {
7796 verbose(env, "bpf verifier is misconfigured\n");
7797 return -EINVAL;
7798 }
81ed18ab 7799
09772d92
DB		 7800 new_prog = bpf_patch_insn_data(env, i + delta,
7801 insn_buf, cnt);
7802 if (!new_prog)
7803 return -ENOMEM;
81ed18ab 7804
09772d92
DB		 7805 delta += cnt - 1;
7806 env->prog = prog = new_prog;
7807 insn = new_prog->insnsi + i + delta;
7808 continue;
7809 }
81ed18ab 7810
09772d92
DB		 7811 BUILD_BUG_ON(!__same_type(ops->map_lookup_elem,
7812 (void *(*)(struct bpf_map *map, void *key))NULL));
7813 BUILD_BUG_ON(!__same_type(ops->map_delete_elem,
7814 (int (*)(struct bpf_map *map, void *key))NULL));
7815 BUILD_BUG_ON(!__same_type(ops->map_update_elem,
7816 (int (*)(struct bpf_map *map, void *key, void *value,
7817 u64 flags))NULL));
84430d42
DB		 7818 BUILD_BUG_ON(!__same_type(ops->map_push_elem,
7819 (int (*)(struct bpf_map *map, void *value,
7820 u64 flags))NULL));
7821 BUILD_BUG_ON(!__same_type(ops->map_pop_elem,
7822 (int (*)(struct bpf_map *map, void *value))NULL));
7823 BUILD_BUG_ON(!__same_type(ops->map_peek_elem,
7824 (int (*)(struct bpf_map *map, void *value))NULL));
7825
09772d92
DB		 7826 switch (insn->imm) {
7827 case BPF_FUNC_map_lookup_elem:
7828 insn->imm = BPF_CAST_CALL(ops->map_lookup_elem) -
7829 __bpf_call_base;
7830 continue;
7831 case BPF_FUNC_map_update_elem:
7832 insn->imm = BPF_CAST_CALL(ops->map_update_elem) -
7833 __bpf_call_base;
7834 continue;
7835 case BPF_FUNC_map_delete_elem:
7836 insn->imm = BPF_CAST_CALL(ops->map_delete_elem) -
7837 __bpf_call_base;
7838 continue;
84430d42
DB		 7839 case BPF_FUNC_map_push_elem:
7840 insn->imm = BPF_CAST_CALL(ops->map_push_elem) -
7841 __bpf_call_base;
7842 continue;
7843 case BPF_FUNC_map_pop_elem:
7844 insn->imm = BPF_CAST_CALL(ops->map_pop_elem) -
7845 __bpf_call_base;
7846 continue;
7847 case BPF_FUNC_map_peek_elem:
7848 insn->imm = BPF_CAST_CALL(ops->map_peek_elem) -
7849 __bpf_call_base;
7850 continue;
09772d92 7851 }
81ed18ab 7852
09772d92 7853 goto patch_call_imm;
81ed18ab
AS		 7854 }
7855
7856patch_call_imm:
5e43f899 7857 fn = env->ops->get_func_proto(insn->imm, env->prog);
79741b3b
AS		 7858 /* all functions that have prototype and verifier allowed
7859 * programs to call them, must be real in-kernel functions
7860 */
7861 if (!fn->func) {
61bd5218
JK		 7862 verbose(env,
7863 "kernel subsystem misconfigured func %s#%d\n",
79741b3b
AS		 7864 func_id_name(insn->imm), insn->imm);
7865 return -EFAULT;
e245c5c6 7866 }
79741b3b 7867 insn->imm = fn->func - __bpf_call_base;
e245c5c6 7868 }
e245c5c6 7869
79741b3b
AS		 7870 return 0;
7871}
e245c5c6 7872
58e2af8b 7873static void free_states(struct bpf_verifier_env *env)
f1bca824 7874{
58e2af8b 7875 struct bpf_verifier_state_list *sl, *sln;
f1bca824
AS		 7876 int i;
7877
9f4686c4
AS		 7878 sl = env->free_list;
7879 while (sl) {
7880 sln = sl->next;
7881 free_verifier_state(&sl->state, false);
7882 kfree(sl);
7883 sl = sln;
7884 }
7885
f1bca824
AS		 7886 if (!env->explored_states)
7887 return;
7888
7889 for (i = 0; i < env->prog->len; i++) {
7890 sl = env->explored_states[i];
7891
7892 if (sl)
7893 while (sl != STATE_LIST_MARK) {
7894 sln = sl->next;
1969db47 7895 free_verifier_state(&sl->state, false);
f1bca824
AS		 7896 kfree(sl);
7897 sl = sln;
7898 }
7899 }
7900
7901 kfree(env->explored_states);
7902}
7903
06ee7115
AS		 7904static void print_verification_stats(struct bpf_verifier_env *env)
7905{
7906 int i;
7907
7908 if (env->log.level & BPF_LOG_STATS) {
7909 verbose(env, "verification time %lld usec\n",
7910 div_u64(env->verification_time, 1000));
7911 verbose(env, "stack depth ");
7912 for (i = 0; i < env->subprog_cnt; i++) {
7913 u32 depth = env->subprog_info[i].stack_depth;
7914
7915 verbose(env, "%d", depth);
7916 if (i + 1 < env->subprog_cnt)
7917 verbose(env, "+");
7918 }
7919 verbose(env, "\n");
7920 }
7921 verbose(env, "processed %d insns (limit %d) max_states_per_insn %d "
7922 "total_states %d peak_states %d mark_read %d\n",
7923 env->insn_processed, BPF_COMPLEXITY_LIMIT_INSNS,
7924 env->max_states_per_insn, env->total_states,
7925 env->peak_states, env->longest_mark_read_walk);
7926}
7927
838e9690
YS		 7928int bpf_check(struct bpf_prog **prog, union bpf_attr *attr,
7929 union bpf_attr __user *uattr)
51580e79 7930{
06ee7115 7931 u64 start_time = ktime_get_ns();
58e2af8b 7932 struct bpf_verifier_env *env;
b9193c1b 7933 struct bpf_verifier_log *log;
9e4c24e7 7934 int i, len, ret = -EINVAL;
e2ae4ca2 7935 bool is_priv;
51580e79 7936
eba0c929
AB		 7937 /* no program is valid */
7938 if (ARRAY_SIZE(bpf_verifier_ops) == 0)
7939 return -EINVAL;
7940
58e2af8b 7941 /* 'struct bpf_verifier_env' can be global, but since it's not small,
cbd35700
AS		 7942 * allocate/free it every time bpf_check() is called
7943 */
58e2af8b 7944 env = kzalloc(sizeof(struct bpf_verifier_env), GFP_KERNEL);
cbd35700
AS		 7945 if (!env)
7946 return -ENOMEM;
61bd5218 7947 log = &env->log;
cbd35700 7948
9e4c24e7 7949 len = (*prog)->len;
fad953ce 7950 env->insn_aux_data =
9e4c24e7 7951 vzalloc(array_size(sizeof(struct bpf_insn_aux_data), len));
3df126f3
JK		 7952 ret = -ENOMEM;
7953 if (!env->insn_aux_data)
7954 goto err_free_env;
9e4c24e7
JK		 7955 for (i = 0; i < len; i++)
7956 env->insn_aux_data[i].orig_idx = i;
9bac3d6d 7957 env->prog = *prog;
00176a34 7958 env->ops = bpf_verifier_ops[env->prog->type];
0246e64d 7959
cbd35700
AS		 7960 /* grab the mutex to protect few globals used by verifier */
7961 mutex_lock(&bpf_verifier_lock);
7962
7963 if (attr->log_level || attr->log_buf || attr->log_size) {
7964 /* user requested verbose verifier output
7965 * and supplied buffer to store the verification trace
7966 */
e7bf8249
JK		 7967 log->level = attr->log_level;
7968 log->ubuf = (char __user *) (unsigned long) attr->log_buf;
7969 log->len_total = attr->log_size;
cbd35700
AS		 7970
7971 ret = -EINVAL;
e7bf8249
JK		 7972 /* log attributes have to be sane */
7973 if (log->len_total < 128 || log->len_total > UINT_MAX >> 8 ||
06ee7115 7974 !log->level || !log->ubuf || log->level & ~BPF_LOG_MASK)
3df126f3 7975 goto err_unlock;
cbd35700 7976 }
1ad2f583
DB		 7977
7978 env->strict_alignment = !!(attr->prog_flags & BPF_F_STRICT_ALIGNMENT);
7979 if (!IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS))
e07b98d9 7980 env->strict_alignment = true;
e9ee9efc
DM		 7981 if (attr->prog_flags & BPF_F_ANY_ALIGNMENT)
7982 env->strict_alignment = false;
cbd35700 7983
e2ae4ca2
JK		 7984 is_priv = capable(CAP_SYS_ADMIN);
7985 env->allow_ptr_leaks = is_priv;
7986
f4e3ec0d
JK		 7987 ret = replace_map_fd_with_map_ptr(env);
7988 if (ret < 0)
7989 goto skip_full_check;
7990
cae1927c 7991 if (bpf_prog_is_dev_bound(env->prog->aux)) {
a40a2632 7992 ret = bpf_prog_offload_verifier_prep(env->prog);
ab3f0063 7993 if (ret)
f4e3ec0d 7994 goto skip_full_check;
ab3f0063
JK		 7995 }
7996
9bac3d6d 7997 env->explored_states = kcalloc(env->prog->len,
58e2af8b 7998 sizeof(struct bpf_verifier_state_list *),
f1bca824
AS		 7999 GFP_USER);
8000 ret = -ENOMEM;
8001 if (!env->explored_states)
8002 goto skip_full_check;
8003
d9762e84 8004 ret = check_subprogs(env);
475fb78f
AS		 8005 if (ret < 0)
8006 goto skip_full_check;
8007
c454a46b 8008 ret = check_btf_info(env, attr, uattr);
838e9690
YS		 8009 if (ret < 0)
8010 goto skip_full_check;
8011
d9762e84
MKL		 8012 ret = check_cfg(env);
8013 if (ret < 0)
8014 goto skip_full_check;
8015
17a52670 8016 ret = do_check(env);
8c01c4f8
CG		 8017 if (env->cur_state) {
8018 free_verifier_state(env->cur_state, true);
8019 env->cur_state = NULL;
8020 }
cbd35700 8021
c941ce9c
QM		 8022 if (ret == 0 && bpf_prog_is_dev_bound(env->prog->aux))
8023 ret = bpf_prog_offload_finalize(env);
8024
0246e64d 8025skip_full_check:
638f5b90 8026 while (!pop_stack(env, NULL, NULL));
f1bca824 8027 free_states(env);
0246e64d 8028
c131187d 8029 if (ret == 0)
9b38c405 8030 ret = check_max_stack_depth(env);
c131187d 8031
9b38c405 8032 /* instruction rewrites happen after this point */
e2ae4ca2
JK		 8033 if (is_priv) {
8034 if (ret == 0)
8035 opt_hard_wire_dead_code_branches(env);
52875a04
JK		 8036 if (ret == 0)
8037 ret = opt_remove_dead_code(env);
a1b14abc
JK		 8038 if (ret == 0)
8039 ret = opt_remove_nops(env);
52875a04
JK		 8040 } else {
8041 if (ret == 0)
8042 sanitize_dead_code(env);
e2ae4ca2
JK		 8043 }
8044
9bac3d6d
AS		 8045 if (ret == 0)
8046 /* program is valid, convert *(u32*)(ctx + off) accesses */
8047 ret = convert_ctx_accesses(env);
8048
e245c5c6 8049 if (ret == 0)
79741b3b 8050 ret = fixup_bpf_calls(env);
e245c5c6 8051
1ea47e01
AS		 8052 if (ret == 0)
8053 ret = fixup_call_args(env);
8054
06ee7115
AS		 8055 env->verification_time = ktime_get_ns() - start_time;
8056 print_verification_stats(env);
8057
a2a7d570 8058 if (log->level && bpf_verifier_log_full(log))
cbd35700 8059 ret = -ENOSPC;
a2a7d570 8060 if (log->level && !log->ubuf) {
cbd35700 8061 ret = -EFAULT;
a2a7d570 8062 goto err_release_maps;
cbd35700
AS		 8063 }
8064
0246e64d
AS		 8065 if (ret == 0 && env->used_map_cnt) {
8066 /* if program passed verifier, update used_maps in bpf_prog_info */
9bac3d6d
AS		 8067 env->prog->aux->used_maps = kmalloc_array(env->used_map_cnt,
8068 sizeof(env->used_maps[0]),
8069 GFP_KERNEL);
0246e64d 8070
9bac3d6d 8071 if (!env->prog->aux->used_maps) {
0246e64d 8072 ret = -ENOMEM;
a2a7d570 8073 goto err_release_maps;
0246e64d
AS		 8074 }
8075
9bac3d6d 8076 memcpy(env->prog->aux->used_maps, env->used_maps,
0246e64d 8077 sizeof(env->used_maps[0]) * env->used_map_cnt);
9bac3d6d 8078 env->prog->aux->used_map_cnt = env->used_map_cnt;
0246e64d
AS		 8079
8080 /* program is valid. Convert pseudo bpf_ld_imm64 into generic
8081 * bpf_ld_imm64 instructions
8082 */
8083 convert_pseudo_ld_imm64(env);
8084 }
cbd35700 8085
ba64e7d8
YS		 8086 if (ret == 0)
8087 adjust_btf_func(env);
8088
a2a7d570 8089err_release_maps:
9bac3d6d 8090 if (!env->prog->aux->used_maps)
0246e64d 8091 /* if we didn't copy map pointers into bpf_prog_info, release
ab7f5bf0 8092 * them now. Otherwise free_used_maps() will release them.
0246e64d
AS		 8093 */
8094 release_maps(env);
9bac3d6d 8095 *prog = env->prog;
3df126f3 8096err_unlock:
cbd35700 8097 mutex_unlock(&bpf_verifier_lock);
3df126f3
JK		 8098 vfree(env->insn_aux_data);
8099err_free_env:
8100 kfree(env);
51580e79
AS		 8101 return ret;
8102}
Ubuntu Hirsute Linux kernel mirror