root/kernel/bpf/verifier.c

DEFINITIONS

1. bpf_map_ptr_poisoned
2. bpf_map_ptr_unpriv
3. bpf_map_ptr_store
4. find_linfo
5. bpf_verifier_vlog
6. __printf
7. __printf
8. ltrim
9. __printf
10. type_is_pkt_pointer
11. type_is_sk_pointer
12. reg_type_may_be_null
13. reg_may_point_to_spin_lock
14. reg_type_may_be_refcounted_or_null
15. arg_type_may_be_refcounted
16. is_release_function
17. is_acquire_function
18. is_ptr_cast_function
19. print_liveness
20. print_verifier_state
21. REALLOC_STATE_FN
22. acquire_reference_state
23. release_reference_state
24. transfer_reference_state
25. free_func_state
26. clear_jmp_history
27. free_verifier_state
28. copy_func_state
29. copy_verifier_state
30. update_branch_counts
31. pop_stack
32. push_stack
33. __mark_reg_known
34. __mark_reg_known_zero
35. __mark_reg_const_zero
36. mark_reg_known_zero
37. reg_is_pkt_pointer
38. reg_is_pkt_pointer_any
39. reg_is_init_pkt_pointer
40. __update_reg_bounds
41. __reg_deduce_bounds
42. __reg_bound_offset
43. __mark_reg_unbounded
44. __mark_reg_unknown
45. mark_reg_unknown
46. __mark_reg_not_init
47. mark_reg_not_init
48. init_reg_state
49. init_func_state
50. cmp_subprogs
51. find_subprog
52. add_subprog
53. check_subprogs
54. mark_reg_read
55. is_reg64
56. insn_no_def
57. insn_has_def32
58. mark_insn_zext
59. check_reg_arg
60. push_jmp_history
61. get_prev_insn_idx
62. backtrack_insn
63. mark_all_scalars_precise
64. __mark_chain_precision
65. mark_chain_precision
66. mark_chain_precision_stack
67. is_spillable_regtype
68. register_is_null
69. register_is_const
70. __is_pointer_value
71. save_register_state
72. check_stack_write
73. check_stack_read
74. check_stack_access
75. check_map_access_type
76. __check_map_access
77. check_map_access
78. may_access_direct_pkt_data
79. __check_packet_access
80. check_packet_access
81. check_ctx_access
82. check_flow_keys_access
83. check_sock_access
84. is_pointer_value
85. is_ctx_reg
86. is_sk_reg
87. is_pkt_reg
88. is_flow_key_reg
89. check_pkt_ptr_alignment
90. check_generic_ptr_alignment
91. check_ptr_alignment
92. update_stack_depth
93. check_max_stack_depth
94. get_callee_stack_depth
95. check_ctx_reg
96. check_tp_buffer_access
97. coerce_reg_to_size
98. check_mem_access
99. check_xadd
100. __check_stack_boundary
101. check_stack_boundary
102. check_helper_mem_access
103. process_spin_lock
104. arg_type_is_mem_ptr
105. arg_type_is_mem_size
106. arg_type_is_int_ptr
107. int_ptr_type_to_size
108. check_func_arg
109. check_map_func_compatibility
110. check_raw_mode_ok
111. check_args_pair_invalid
112. check_arg_pair_ok
113. check_refcount_ok
114. check_func_proto
115. __clear_all_pkt_pointers
116. clear_all_pkt_pointers
117. release_reg_references
118. release_reference
119. check_func_call
120. prepare_func_exit
121. do_refine_retval_range
122. record_func_map
123. check_reference_leak
124. check_helper_call
125. signed_add_overflows
126. signed_sub_overflows
127. check_reg_sane_offset
128. cur_aux
129. retrieve_ptr_limit
130. can_skip_alu_sanitation
131. update_alu_sanitation_state
132. sanitize_val_alu
133. sanitize_ptr_alu
134. adjust_ptr_min_max_vals
135. adjust_scalar_min_max_vals
136. adjust_reg_min_max_vals
137. check_alu_op
138. __find_good_pkt_pointers
139. find_good_pkt_pointers
140. is_branch_taken
141. gen_hi_min
142. gen_hi_max
143. cmp_val_with_extended_s64
144. set_upper_bound
145. set_lower_bound
146. reg_set_min_max
147. reg_set_min_max_inv
148. __reg_combine_min_max
149. reg_combine_min_max
150. mark_ptr_or_null_reg
151. __mark_ptr_or_null_regs
152. mark_ptr_or_null_regs
153. try_match_pkt_pointers
154. check_cond_jmp_op
155. check_ld_imm
156. may_access_skb
157. check_ld_abs
158. check_return_code
159. state_htab_size
160. explored_state
161. init_explored_state
162. push_insn
163. check_cfg
164. check_btf_func
165. adjust_btf_func
166. check_btf_line
167. check_btf_info
168. range_within
169. check_ids
170. clean_func_state
171. clean_verifier_state
172. clean_live_states
173. regsafe
174. stacksafe
175. refsafe
176. func_states_equal
177. states_equal
178. propagate_liveness_reg
179. propagate_liveness
180. propagate_precision
181. states_maybe_looping
182. is_state_visited
183. reg_type_mismatch_ok
184. reg_type_mismatch
185. do_check
186. check_map_prealloc
187. is_tracing_prog_type
188. check_map_prog_compatibility
189. bpf_map_is_cgroup_storage
190. replace_map_fd_with_map_ptr
191. release_maps
192. convert_pseudo_ld_imm64
193. adjust_insn_aux_data
194. adjust_subprog_starts
195. bpf_patch_insn_data
196. adjust_subprog_starts_after_remove
197. bpf_adj_linfo_after_remove
198. verifier_remove_insns
199. sanitize_dead_code
200. insn_is_cond_jump
201. opt_hard_wire_dead_code_branches
202. opt_remove_dead_code
203. opt_remove_nops
204. opt_subreg_zext_lo32_rnd_hi32
205. convert_ctx_accesses
206. jit_subprogs
207. fixup_call_args
208. fixup_bpf_calls
209. free_states
210. print_verification_stats
211. bpf_check

   1 // SPDX-License-Identifier: GPL-2.0-only
   2 /* Copyright (c) 2011-2014 PLUMgrid, http://plumgrid.com
   3  * Copyright (c) 2016 Facebook
   4  * Copyright (c) 2018 Covalent IO, Inc. http://covalent.io
   5  */
   6 #include <uapi/linux/btf.h>
   7 #include <linux/kernel.h>
   8 #include <linux/types.h>
   9 #include <linux/slab.h>
  10 #include <linux/bpf.h>
  11 #include <linux/btf.h>
  12 #include <linux/bpf_verifier.h>
  13 #include <linux/filter.h>
  14 #include <net/netlink.h>
  15 #include <linux/file.h>
  16 #include <linux/vmalloc.h>
  17 #include <linux/stringify.h>
  18 #include <linux/bsearch.h>
  19 #include <linux/sort.h>
  20 #include <linux/perf_event.h>
  21 #include <linux/ctype.h>
  22 
  23 #include "disasm.h"
  24 
  25 static const struct bpf_verifier_ops * const bpf_verifier_ops[] = {
  26 #define BPF_PROG_TYPE(_id, _name) \
  27         [_id] = & _name ## _verifier_ops,
  28 #define BPF_MAP_TYPE(_id, _ops)
  29 #include <linux/bpf_types.h>
  30 #undef BPF_PROG_TYPE
  31 #undef BPF_MAP_TYPE
  32 };
  33 
  34 /* bpf_check() is a static code analyzer that walks eBPF program
  35  * instruction by instruction and updates register/stack state.
  36  * All paths of conditional branches are analyzed until 'bpf_exit' insn.
  37  *
  38  * The first pass is depth-first-search to check that the program is a DAG.
  39  * It rejects the following programs:
  40  * - larger than BPF_MAXINSNS insns
  41  * - if loop is present (detected via back-edge)
  42  * - unreachable insns exist (shouldn't be a forest. program = one function)
  43  * - out of bounds or malformed jumps
  44  * The second pass is all possible path descent from the 1st insn.
  45  * Since it's analyzing all pathes through the program, the length of the
  46  * analysis is limited to 64k insn, which may be hit even if total number of
  47  * insn is less then 4K, but there are too many branches that change stack/regs.
  48  * Number of 'branches to be analyzed' is limited to 1k
  49  *
  50  * On entry to each instruction, each register has a type, and the instruction
  51  * changes the types of the registers depending on instruction semantics.
  52  * If instruction is BPF_MOV64_REG(BPF_REG_1, BPF_REG_5), then type of R5 is
  53  * copied to R1.
  54  *
  55  * All registers are 64-bit.
  56  * R0 - return register
  57  * R1-R5 argument passing registers
  58  * R6-R9 callee saved registers
  59  * R10 - frame pointer read-only
  60  *
  61  * At the start of BPF program the register R1 contains a pointer to bpf_context
  62  * and has type PTR_TO_CTX.
  63  *
  64  * Verifier tracks arithmetic operations on pointers in case:
  65  *    BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
  66  *    BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -20),
  67  * 1st insn copies R10 (which has FRAME_PTR) type into R1
  68  * and 2nd arithmetic instruction is pattern matched to recognize
  69  * that it wants to construct a pointer to some element within stack.
  70  * So after 2nd insn, the register R1 has type PTR_TO_STACK
  71  * (and -20 constant is saved for further stack bounds checking).
  72  * Meaning that this reg is a pointer to stack plus known immediate constant.
  73  *
  74  * Most of the time the registers have SCALAR_VALUE type, which
  75  * means the register has some value, but it's not a valid pointer.
  76  * (like pointer plus pointer becomes SCALAR_VALUE type)
  77  *
  78  * When verifier sees load or store instructions the type of base register
  79  * can be: PTR_TO_MAP_VALUE, PTR_TO_CTX, PTR_TO_STACK, PTR_TO_SOCKET. These are
  80  * four pointer types recognized by check_mem_access() function.
  81  *
  82  * PTR_TO_MAP_VALUE means that this register is pointing to 'map element value'
  83  * and the range of [ptr, ptr + map's value_size) is accessible.
  84  *
  85  * registers used to pass values to function calls are checked against
  86  * function argument constraints.
  87  *
  88  * ARG_PTR_TO_MAP_KEY is one of such argument constraints.
  89  * It means that the register type passed to this function must be
  90  * PTR_TO_STACK and it will be used inside the function as
  91  * 'pointer to map element key'
  92  *
  93  * For example the argument constraints for bpf_map_lookup_elem():
  94  *   .ret_type = RET_PTR_TO_MAP_VALUE_OR_NULL,
  95  *   .arg1_type = ARG_CONST_MAP_PTR,
  96  *   .arg2_type = ARG_PTR_TO_MAP_KEY,
  97  *
  98  * ret_type says that this function returns 'pointer to map elem value or null'
  99  * function expects 1st argument to be a const pointer to 'struct bpf_map' and
 100  * 2nd argument should be a pointer to stack, which will be used inside
 101  * the helper function as a pointer to map element key.
 102  *
 103  * On the kernel side the helper function looks like:
 104  * u64 bpf_map_lookup_elem(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5)
 105  * {
 106  *    struct bpf_map *map = (struct bpf_map *) (unsigned long) r1;
 107  *    void *key = (void *) (unsigned long) r2;
 108  *    void *value;
 109  *
 110  *    here kernel can access 'key' and 'map' pointers safely, knowing that
 111  *    [key, key + map->key_size) bytes are valid and were initialized on
 112  *    the stack of eBPF program.
 113  * }
 114  *
 115  * Corresponding eBPF program may look like:
 116  *    BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),  // after this insn R2 type is FRAME_PTR
 117  *    BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), // after this insn R2 type is PTR_TO_STACK
 118  *    BPF_LD_MAP_FD(BPF_REG_1, map_fd),      // after this insn R1 type is CONST_PTR_TO_MAP
 119  *    BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
 120  * here verifier looks at prototype of map_lookup_elem() and sees:
 121  * .arg1_type == ARG_CONST_MAP_PTR and R1->type == CONST_PTR_TO_MAP, which is ok,
 122  * Now verifier knows that this map has key of R1->map_ptr->key_size bytes
 123  *
 124  * Then .arg2_type == ARG_PTR_TO_MAP_KEY and R2->type == PTR_TO_STACK, ok so far,
 125  * Now verifier checks that [R2, R2 + map's key_size) are within stack limits
 126  * and were initialized prior to this call.
 127  * If it's ok, then verifier allows this BPF_CALL insn and looks at
 128  * .ret_type which is RET_PTR_TO_MAP_VALUE_OR_NULL, so it sets
 129  * R0->type = PTR_TO_MAP_VALUE_OR_NULL which means bpf_map_lookup_elem() function
 130  * returns ether pointer to map value or NULL.
 131  *
 132  * When type PTR_TO_MAP_VALUE_OR_NULL passes through 'if (reg != 0) goto +off'
 133  * insn, the register holding that pointer in the true branch changes state to
 134  * PTR_TO_MAP_VALUE and the same register changes state to CONST_IMM in the false
 135  * branch. See check_cond_jmp_op().
 136  *
 137  * After the call R0 is set to return type of the function and registers R1-R5
 138  * are set to NOT_INIT to indicate that they are no longer readable.
 139  *
 140  * The following reference types represent a potential reference to a kernel
 141  * resource which, after first being allocated, must be checked and freed by
 142  * the BPF program:
 143  * - PTR_TO_SOCKET_OR_NULL, PTR_TO_SOCKET
 144  *
 145  * When the verifier sees a helper call return a reference type, it allocates a
 146  * pointer id for the reference and stores it in the current function state.
 147  * Similar to the way that PTR_TO_MAP_VALUE_OR_NULL is converted into
 148  * PTR_TO_MAP_VALUE, PTR_TO_SOCKET_OR_NULL becomes PTR_TO_SOCKET when the type
 149  * passes through a NULL-check conditional. For the branch wherein the state is
 150  * changed to CONST_IMM, the verifier releases the reference.
 151  *
 152  * For each helper function that allocates a reference, such as
 153  * bpf_sk_lookup_tcp(), there is a corresponding release function, such as
 154  * bpf_sk_release(). When a reference type passes into the release function,
 155  * the verifier also releases the reference. If any unchecked or unreleased
 156  * reference remains at the end of the program, the verifier rejects it.
 157  */
 158 
 159 /* verifier_state + insn_idx are pushed to stack when branch is encountered */
 160 struct bpf_verifier_stack_elem {
 161         /* verifer state is 'st'
 162          * before processing instruction 'insn_idx'
 163          * and after processing instruction 'prev_insn_idx'
 164          */
 165         struct bpf_verifier_state st;
 166         int insn_idx;
 167         int prev_insn_idx;
 168         struct bpf_verifier_stack_elem *next;
 169 };
 170 
 171 #define BPF_COMPLEXITY_LIMIT_JMP_SEQ    8192
 172 #define BPF_COMPLEXITY_LIMIT_STATES     64
 173 
 174 #define BPF_MAP_PTR_UNPRIV      1UL
 175 #define BPF_MAP_PTR_POISON      ((void *)((0xeB9FUL << 1) +     \
 176                                           POISON_POINTER_DELTA))
 177 #define BPF_MAP_PTR(X)          ((struct bpf_map *)((X) & ~BPF_MAP_PTR_UNPRIV))
 178 
 179 static bool bpf_map_ptr_poisoned(const struct bpf_insn_aux_data *aux)
 180 {
 181         return BPF_MAP_PTR(aux->map_state) == BPF_MAP_PTR_POISON;
 182 }
 183 
 184 static bool bpf_map_ptr_unpriv(const struct bpf_insn_aux_data *aux)
 185 {
 186         return aux->map_state & BPF_MAP_PTR_UNPRIV;
 187 }
 188 
 189 static void bpf_map_ptr_store(struct bpf_insn_aux_data *aux,
 190                               const struct bpf_map *map, bool unpriv)
 191 {
 192         BUILD_BUG_ON((unsigned long)BPF_MAP_PTR_POISON & BPF_MAP_PTR_UNPRIV);
 193         unpriv |= bpf_map_ptr_unpriv(aux);
 194         aux->map_state = (unsigned long)map |
 195                          (unpriv ? BPF_MAP_PTR_UNPRIV : 0UL);
 196 }
 197 
 198 struct bpf_call_arg_meta {
 199         struct bpf_map *map_ptr;
 200         bool raw_mode;
 201         bool pkt_access;
 202         int regno;
 203         int access_size;
 204         u64 msize_max_value;
 205         int ref_obj_id;
 206         int func_id;
 207 };
 208 
 209 static DEFINE_MUTEX(bpf_verifier_lock);
 210 
 211 static const struct bpf_line_info *
 212 find_linfo(const struct bpf_verifier_env *env, u32 insn_off)
 213 {
 214         const struct bpf_line_info *linfo;
 215         const struct bpf_prog *prog;
 216         u32 i, nr_linfo;
 217 
 218         prog = env->prog;
 219         nr_linfo = prog->aux->nr_linfo;
 220 
 221         if (!nr_linfo || insn_off >= prog->len)
 222                 return NULL;
 223 
 224         linfo = prog->aux->linfo;
 225         for (i = 1; i < nr_linfo; i++)
 226                 if (insn_off < linfo[i].insn_off)
 227                         break;
 228 
 229         return &linfo[i - 1];
 230 }
 231 
 232 void bpf_verifier_vlog(struct bpf_verifier_log *log, const char *fmt,
 233                        va_list args)
 234 {
 235         unsigned int n;
 236 
 237         n = vscnprintf(log->kbuf, BPF_VERIFIER_TMP_LOG_SIZE, fmt, args);
 238 
 239         WARN_ONCE(n >= BPF_VERIFIER_TMP_LOG_SIZE - 1,
 240                   "verifier log line truncated - local buffer too short\n");
 241 
 242         n = min(log->len_total - log->len_used - 1, n);
 243         log->kbuf[n] = '\0';
 244 
 245         if (!copy_to_user(log->ubuf + log->len_used, log->kbuf, n + 1))
 246                 log->len_used += n;
 247         else
 248                 log->ubuf = NULL;
 249 }
 250 
 251 /* log_level controls verbosity level of eBPF verifier.
 252  * bpf_verifier_log_write() is used to dump the verification trace to the log,
 253  * so the user can figure out what's wrong with the program
 254  */
 255 __printf(2, 3) void bpf_verifier_log_write(struct bpf_verifier_env *env,
 256                                            const char *fmt, ...)
 257 {
 258         va_list args;
 259 
 260         if (!bpf_verifier_log_needed(&env->log))
 261                 return;
 262 
 263         va_start(args, fmt);
 264         bpf_verifier_vlog(&env->log, fmt, args);
 265         va_end(args);
 266 }
 267 EXPORT_SYMBOL_GPL(bpf_verifier_log_write);
 268 
 269 __printf(2, 3) static void verbose(void *private_data, const char *fmt, ...)
 270 {
 271         struct bpf_verifier_env *env = private_data;
 272         va_list args;
 273 
 274         if (!bpf_verifier_log_needed(&env->log))
 275                 return;
 276 
 277         va_start(args, fmt);
 278         bpf_verifier_vlog(&env->log, fmt, args);
 279         va_end(args);
 280 }
 281 
 282 static const char *ltrim(const char *s)
 283 {
 284         while (isspace(*s))
 285                 s++;
 286 
 287         return s;
 288 }
 289 
 290 __printf(3, 4) static void verbose_linfo(struct bpf_verifier_env *env,
 291                                          u32 insn_off,
 292                                          const char *prefix_fmt, ...)
 293 {
 294         const struct bpf_line_info *linfo;
 295 
 296         if (!bpf_verifier_log_needed(&env->log))
 297                 return;
 298 
 299         linfo = find_linfo(env, insn_off);
 300         if (!linfo || linfo == env->prev_linfo)
 301                 return;
 302 
 303         if (prefix_fmt) {
 304                 va_list args;
 305 
 306                 va_start(args, prefix_fmt);
 307                 bpf_verifier_vlog(&env->log, prefix_fmt, args);
 308                 va_end(args);
 309         }
 310 
 311         verbose(env, "%s\n",
 312                 ltrim(btf_name_by_offset(env->prog->aux->btf,
 313                                          linfo->line_off)));
 314 
 315         env->prev_linfo = linfo;
 316 }
 317 
 318 static bool type_is_pkt_pointer(enum bpf_reg_type type)
 319 {
 320         return type == PTR_TO_PACKET ||
 321                type == PTR_TO_PACKET_META;
 322 }
 323 
 324 static bool type_is_sk_pointer(enum bpf_reg_type type)
 325 {
 326         return type == PTR_TO_SOCKET ||
 327                 type == PTR_TO_SOCK_COMMON ||
 328                 type == PTR_TO_TCP_SOCK ||
 329                 type == PTR_TO_XDP_SOCK;
 330 }
 331 
 332 static bool reg_type_may_be_null(enum bpf_reg_type type)
 333 {
 334         return type == PTR_TO_MAP_VALUE_OR_NULL ||
 335                type == PTR_TO_SOCKET_OR_NULL ||
 336                type == PTR_TO_SOCK_COMMON_OR_NULL ||
 337                type == PTR_TO_TCP_SOCK_OR_NULL;
 338 }
 339 
 340 static bool reg_may_point_to_spin_lock(const struct bpf_reg_state *reg)
 341 {
 342         return reg->type == PTR_TO_MAP_VALUE &&
 343                 map_value_has_spin_lock(reg->map_ptr);
 344 }
 345 
 346 static bool reg_type_may_be_refcounted_or_null(enum bpf_reg_type type)
 347 {
 348         return type == PTR_TO_SOCKET ||
 349                 type == PTR_TO_SOCKET_OR_NULL ||
 350                 type == PTR_TO_TCP_SOCK ||
 351                 type == PTR_TO_TCP_SOCK_OR_NULL;
 352 }
 353 
 354 static bool arg_type_may_be_refcounted(enum bpf_arg_type type)
 355 {
 356         return type == ARG_PTR_TO_SOCK_COMMON;
 357 }
 358 
 359 /* Determine whether the function releases some resources allocated by another
 360  * function call. The first reference type argument will be assumed to be
 361  * released by release_reference().
 362  */
 363 static bool is_release_function(enum bpf_func_id func_id)
 364 {
 365         return func_id == BPF_FUNC_sk_release;
 366 }
 367 
 368 static bool is_acquire_function(enum bpf_func_id func_id)
 369 {
 370         return func_id == BPF_FUNC_sk_lookup_tcp ||
 371                 func_id == BPF_FUNC_sk_lookup_udp ||
 372                 func_id == BPF_FUNC_skc_lookup_tcp;
 373 }
 374 
 375 static bool is_ptr_cast_function(enum bpf_func_id func_id)
 376 {
 377         return func_id == BPF_FUNC_tcp_sock ||
 378                 func_id == BPF_FUNC_sk_fullsock;
 379 }
 380 
 381 /* string representation of 'enum bpf_reg_type' */
 382 static const char * const reg_type_str[] = {
 383         [NOT_INIT]              = "?",
 384         [SCALAR_VALUE]          = "inv",
 385         [PTR_TO_CTX]            = "ctx",
 386         [CONST_PTR_TO_MAP]      = "map_ptr",
 387         [PTR_TO_MAP_VALUE]      = "map_value",
 388         [PTR_TO_MAP_VALUE_OR_NULL] = "map_value_or_null",
 389         [PTR_TO_STACK]          = "fp",
 390         [PTR_TO_PACKET]         = "pkt",
 391         [PTR_TO_PACKET_META]    = "pkt_meta",
 392         [PTR_TO_PACKET_END]     = "pkt_end",
 393         [PTR_TO_FLOW_KEYS]      = "flow_keys",
 394         [PTR_TO_SOCKET]         = "sock",
 395         [PTR_TO_SOCKET_OR_NULL] = "sock_or_null",
 396         [PTR_TO_SOCK_COMMON]    = "sock_common",
 397         [PTR_TO_SOCK_COMMON_OR_NULL] = "sock_common_or_null",
 398         [PTR_TO_TCP_SOCK]       = "tcp_sock",
 399         [PTR_TO_TCP_SOCK_OR_NULL] = "tcp_sock_or_null",
 400         [PTR_TO_TP_BUFFER]      = "tp_buffer",
 401         [PTR_TO_XDP_SOCK]       = "xdp_sock",
 402 };
 403 
 404 static char slot_type_char[] = {
 405         [STACK_INVALID] = '?',
 406         [STACK_SPILL]   = 'r',
 407         [STACK_MISC]    = 'm',
 408         [STACK_ZERO]    = '0',
 409 };
 410 
 411 static void print_liveness(struct bpf_verifier_env *env,
 412                            enum bpf_reg_liveness live)
 413 {
 414         if (live & (REG_LIVE_READ | REG_LIVE_WRITTEN | REG_LIVE_DONE))
 415             verbose(env, "_");
 416         if (live & REG_LIVE_READ)
 417                 verbose(env, "r");
 418         if (live & REG_LIVE_WRITTEN)
 419                 verbose(env, "w");
 420         if (live & REG_LIVE_DONE)
 421                 verbose(env, "D");
 422 }
 423 
 424 static struct bpf_func_state *func(struct bpf_verifier_env *env,
 425                                    const struct bpf_reg_state *reg)
 426 {
 427         struct bpf_verifier_state *cur = env->cur_state;
 428 
 429         return cur->frame[reg->frameno];
 430 }
 431 
 432 static void print_verifier_state(struct bpf_verifier_env *env,
 433                                  const struct bpf_func_state *state)
 434 {
 435         const struct bpf_reg_state *reg;
 436         enum bpf_reg_type t;
 437         int i;
 438 
 439         if (state->frameno)
 440                 verbose(env, " frame%d:", state->frameno);
 441         for (i = 0; i < MAX_BPF_REG; i++) {
 442                 reg = &state->regs[i];
 443                 t = reg->type;
 444                 if (t == NOT_INIT)
 445                         continue;
 446                 verbose(env, " R%d", i);
 447                 print_liveness(env, reg->live);
 448                 verbose(env, "=%s", reg_type_str[t]);
 449                 if (t == SCALAR_VALUE && reg->precise)
 450                         verbose(env, "P");
 451                 if ((t == SCALAR_VALUE || t == PTR_TO_STACK) &&
 452                     tnum_is_const(reg->var_off)) {
 453                         /* reg->off should be 0 for SCALAR_VALUE */
 454                         verbose(env, "%lld", reg->var_off.value + reg->off);
 455                 } else {
 456                         verbose(env, "(id=%d", reg->id);
 457                         if (reg_type_may_be_refcounted_or_null(t))
 458                                 verbose(env, ",ref_obj_id=%d", reg->ref_obj_id);
 459                         if (t != SCALAR_VALUE)
 460                                 verbose(env, ",off=%d", reg->off);
 461                         if (type_is_pkt_pointer(t))
 462                                 verbose(env, ",r=%d", reg->range);
 463                         else if (t == CONST_PTR_TO_MAP ||
 464                                  t == PTR_TO_MAP_VALUE ||
 465                                  t == PTR_TO_MAP_VALUE_OR_NULL)
 466                                 verbose(env, ",ks=%d,vs=%d",
 467                                         reg->map_ptr->key_size,
 468                                         reg->map_ptr->value_size);
 469                         if (tnum_is_const(reg->var_off)) {
 470                                 /* Typically an immediate SCALAR_VALUE, but
 471                                  * could be a pointer whose offset is too big
 472                                  * for reg->off
 473                                  */
 474                                 verbose(env, ",imm=%llx", reg->var_off.value);
 475                         } else {
 476                                 if (reg->smin_value != reg->umin_value &&
 477                                     reg->smin_value != S64_MIN)
 478                                         verbose(env, ",smin_value=%lld",
 479                                                 (long long)reg->smin_value);
 480                                 if (reg->smax_value != reg->umax_value &&
 481                                     reg->smax_value != S64_MAX)
 482                                         verbose(env, ",smax_value=%lld",
 483                                                 (long long)reg->smax_value);
 484                                 if (reg->umin_value != 0)
 485                                         verbose(env, ",umin_value=%llu",
 486                                                 (unsigned long long)reg->umin_value);
 487                                 if (reg->umax_value != U64_MAX)
 488                                         verbose(env, ",umax_value=%llu",
 489                                                 (unsigned long long)reg->umax_value);
 490                                 if (!tnum_is_unknown(reg->var_off)) {
 491                                         char tn_buf[48];
 492 
 493                                         tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
 494                                         verbose(env, ",var_off=%s", tn_buf);
 495                                 }
 496                         }
 497                         verbose(env, ")");
 498                 }
 499         }
 500         for (i = 0; i < state->allocated_stack / BPF_REG_SIZE; i++) {
 501                 char types_buf[BPF_REG_SIZE + 1];
 502                 bool valid = false;
 503                 int j;
 504 
 505                 for (j = 0; j < BPF_REG_SIZE; j++) {
 506                         if (state->stack[i].slot_type[j] != STACK_INVALID)
 507                                 valid = true;
 508                         types_buf[j] = slot_type_char[
 509                                         state->stack[i].slot_type[j]];
 510                 }
 511                 types_buf[BPF_REG_SIZE] = 0;
 512                 if (!valid)
 513                         continue;
 514                 verbose(env, " fp%d", (-i - 1) * BPF_REG_SIZE);
 515                 print_liveness(env, state->stack[i].spilled_ptr.live);
 516                 if (state->stack[i].slot_type[0] == STACK_SPILL) {
 517                         reg = &state->stack[i].spilled_ptr;
 518                         t = reg->type;
 519                         verbose(env, "=%s", reg_type_str[t]);
 520                         if (t == SCALAR_VALUE && reg->precise)
 521                                 verbose(env, "P");
 522                         if (t == SCALAR_VALUE && tnum_is_const(reg->var_off))
 523                                 verbose(env, "%lld", reg->var_off.value + reg->off);
 524                 } else {
 525                         verbose(env, "=%s", types_buf);
 526                 }
 527         }
 528         if (state->acquired_refs && state->refs[0].id) {
 529                 verbose(env, " refs=%d", state->refs[0].id);
 530                 for (i = 1; i < state->acquired_refs; i++)
 531                         if (state->refs[i].id)
 532                                 verbose(env, ",%d", state->refs[i].id);
 533         }
 534         verbose(env, "\n");
 535 }
 536 
 537 #define COPY_STATE_FN(NAME, COUNT, FIELD, SIZE)                         \
 538 static int copy_##NAME##_state(struct bpf_func_state *dst,              \
 539                                const struct bpf_func_state *src)        \
 540 {                                                                       \
 541         if (!src->FIELD)                                                \
 542                 return 0;                                               \
 543         if (WARN_ON_ONCE(dst->COUNT < src->COUNT)) {                    \
 544                 /* internal bug, make state invalid to reject the program */ \
 545                 memset(dst, 0, sizeof(*dst));                           \
 546                 return -EFAULT;                                         \
 547         }                                                               \
 548         memcpy(dst->FIELD, src->FIELD,                                  \
 549                sizeof(*src->FIELD) * (src->COUNT / SIZE));              \
 550         return 0;                                                       \
 551 }
 552 /* copy_reference_state() */
 553 COPY_STATE_FN(reference, acquired_refs, refs, 1)
 554 /* copy_stack_state() */
 555 COPY_STATE_FN(stack, allocated_stack, stack, BPF_REG_SIZE)
 556 #undef COPY_STATE_FN
 557 
 558 #define REALLOC_STATE_FN(NAME, COUNT, FIELD, SIZE)                      \
 559 static int realloc_##NAME##_state(struct bpf_func_state *state, int size, \
 560                                   bool copy_old)                        \
 561 {                                                                       \
 562         u32 old_size = state->COUNT;                                    \
 563         struct bpf_##NAME##_state *new_##FIELD;                         \
 564         int slot = size / SIZE;                                         \
 565                                                                         \
 566         if (size <= old_size || !size) {                                \
 567                 if (copy_old)                                           \
 568                         return 0;                                       \
 569                 state->COUNT = slot * SIZE;                             \
 570                 if (!size && old_size) {                                \
 571                         kfree(state->FIELD);                            \
 572                         state->FIELD = NULL;                            \
 573                 }                                                       \
 574                 return 0;                                               \
 575         }                                                               \
 576         new_##FIELD = kmalloc_array(slot, sizeof(struct bpf_##NAME##_state), \
 577                                     GFP_KERNEL);                        \
 578         if (!new_##FIELD)                                               \
 579                 return -ENOMEM;                                         \
 580         if (copy_old) {                                                 \
 581                 if (state->FIELD)                                       \
 582                         memcpy(new_##FIELD, state->FIELD,               \
 583                                sizeof(*new_##FIELD) * (old_size / SIZE)); \
 584                 memset(new_##FIELD + old_size / SIZE, 0,                \
 585                        sizeof(*new_##FIELD) * (size - old_size) / SIZE); \
 586         }                                                               \
 587         state->COUNT = slot * SIZE;                                     \
 588         kfree(state->FIELD);                                            \
 589         state->FIELD = new_##FIELD;                                     \
 590         return 0;                                                       \
 591 }
 592 /* realloc_reference_state() */
 593 REALLOC_STATE_FN(reference, acquired_refs, refs, 1)
 594 /* realloc_stack_state() */
 595 REALLOC_STATE_FN(stack, allocated_stack, stack, BPF_REG_SIZE)
 596 #undef REALLOC_STATE_FN
 597 
 598 /* do_check() starts with zero-sized stack in struct bpf_verifier_state to
 599  * make it consume minimal amount of memory. check_stack_write() access from
 600  * the program calls into realloc_func_state() to grow the stack size.
 601  * Note there is a non-zero 'parent' pointer inside bpf_verifier_state
 602  * which realloc_stack_state() copies over. It points to previous
 603  * bpf_verifier_state which is never reallocated.
 604  */
 605 static int realloc_func_state(struct bpf_func_state *state, int stack_size,
 606                               int refs_size, bool copy_old)
 607 {
 608         int err = realloc_reference_state(state, refs_size, copy_old);
 609         if (err)
 610                 return err;
 611         return realloc_stack_state(state, stack_size, copy_old);
 612 }
 613 
 614 /* Acquire a pointer id from the env and update the state->refs to include
 615  * this new pointer reference.
 616  * On success, returns a valid pointer id to associate with the register
 617  * On failure, returns a negative errno.
 618  */
 619 static int acquire_reference_state(struct bpf_verifier_env *env, int insn_idx)
 620 {
 621         struct bpf_func_state *state = cur_func(env);
 622         int new_ofs = state->acquired_refs;
 623         int id, err;
 624 
 625         err = realloc_reference_state(state, state->acquired_refs + 1, true);
 626         if (err)
 627                 return err;
 628         id = ++env->id_gen;
 629         state->refs[new_ofs].id = id;
 630         state->refs[new_ofs].insn_idx = insn_idx;
 631 
 632         return id;
 633 }
 634 
 635 /* release function corresponding to acquire_reference_state(). Idempotent. */
 636 static int release_reference_state(struct bpf_func_state *state, int ptr_id)
 637 {
 638         int i, last_idx;
 639 
 640         last_idx = state->acquired_refs - 1;
 641         for (i = 0; i < state->acquired_refs; i++) {
 642                 if (state->refs[i].id == ptr_id) {
 643                         if (last_idx && i != last_idx)
 644                                 memcpy(&state->refs[i], &state->refs[last_idx],
 645                                        sizeof(*state->refs));
 646                         memset(&state->refs[last_idx], 0, sizeof(*state->refs));
 647                         state->acquired_refs--;
 648                         return 0;
 649                 }
 650         }
 651         return -EINVAL;
 652 }
 653 
 654 static int transfer_reference_state(struct bpf_func_state *dst,
 655                                     struct bpf_func_state *src)
 656 {
 657         int err = realloc_reference_state(dst, src->acquired_refs, false);
 658         if (err)
 659                 return err;
 660         err = copy_reference_state(dst, src);
 661         if (err)
 662                 return err;
 663         return 0;
 664 }
 665 
 666 static void free_func_state(struct bpf_func_state *state)
 667 {
 668         if (!state)
 669                 return;
 670         kfree(state->refs);
 671         kfree(state->stack);
 672         kfree(state);
 673 }
 674 
 675 static void clear_jmp_history(struct bpf_verifier_state *state)
 676 {
 677         kfree(state->jmp_history);
 678         state->jmp_history = NULL;
 679         state->jmp_history_cnt = 0;
 680 }
 681 
 682 static void free_verifier_state(struct bpf_verifier_state *state,
 683                                 bool free_self)
 684 {
 685         int i;
 686 
 687         for (i = 0; i <= state->curframe; i++) {
 688                 free_func_state(state->frame[i]);
 689                 state->frame[i] = NULL;
 690         }
 691         clear_jmp_history(state);
 692         if (free_self)
 693                 kfree(state);
 694 }
 695 
 696 /* copy verifier state from src to dst growing dst stack space
 697  * when necessary to accommodate larger src stack
 698  */
 699 static int copy_func_state(struct bpf_func_state *dst,
 700                            const struct bpf_func_state *src)
 701 {
 702         int err;
 703 
 704         err = realloc_func_state(dst, src->allocated_stack, src->acquired_refs,
 705                                  false);
 706         if (err)
 707                 return err;
 708         memcpy(dst, src, offsetof(struct bpf_func_state, acquired_refs));
 709         err = copy_reference_state(dst, src);
 710         if (err)
 711                 return err;
 712         return copy_stack_state(dst, src);
 713 }
 714 
 715 static int copy_verifier_state(struct bpf_verifier_state *dst_state,
 716                                const struct bpf_verifier_state *src)
 717 {
 718         struct bpf_func_state *dst;
 719         u32 jmp_sz = sizeof(struct bpf_idx_pair) * src->jmp_history_cnt;
 720         int i, err;
 721 
 722         if (dst_state->jmp_history_cnt < src->jmp_history_cnt) {
 723                 kfree(dst_state->jmp_history);
 724                 dst_state->jmp_history = kmalloc(jmp_sz, GFP_USER);
 725                 if (!dst_state->jmp_history)
 726                         return -ENOMEM;
 727         }
 728         memcpy(dst_state->jmp_history, src->jmp_history, jmp_sz);
 729         dst_state->jmp_history_cnt = src->jmp_history_cnt;
 730 
 731         /* if dst has more stack frames then src frame, free them */
 732         for (i = src->curframe + 1; i <= dst_state->curframe; i++) {
 733                 free_func_state(dst_state->frame[i]);
 734                 dst_state->frame[i] = NULL;
 735         }
 736         dst_state->speculative = src->speculative;
 737         dst_state->curframe = src->curframe;
 738         dst_state->active_spin_lock = src->active_spin_lock;
 739         dst_state->branches = src->branches;
 740         dst_state->parent = src->parent;
 741         dst_state->first_insn_idx = src->first_insn_idx;
 742         dst_state->last_insn_idx = src->last_insn_idx;
 743         for (i = 0; i <= src->curframe; i++) {
 744                 dst = dst_state->frame[i];
 745                 if (!dst) {
 746                         dst = kzalloc(sizeof(*dst), GFP_KERNEL);
 747                         if (!dst)
 748                                 return -ENOMEM;
 749                         dst_state->frame[i] = dst;
 750                 }
 751                 err = copy_func_state(dst, src->frame[i]);
 752                 if (err)
 753                         return err;
 754         }
 755         return 0;
 756 }
 757 
 758 static void update_branch_counts(struct bpf_verifier_env *env, struct bpf_verifier_state *st)
 759 {
 760         while (st) {
 761                 u32 br = --st->branches;
 762 
 763                 /* WARN_ON(br > 1) technically makes sense here,
 764                  * but see comment in push_stack(), hence:
 765                  */
 766                 WARN_ONCE((int)br < 0,
 767                           "BUG update_branch_counts:branches_to_explore=%d\n",
 768                           br);
 769                 if (br)
 770                         break;
 771                 st = st->parent;
 772         }
 773 }
 774 
 775 static int pop_stack(struct bpf_verifier_env *env, int *prev_insn_idx,
 776                      int *insn_idx)
 777 {
 778         struct bpf_verifier_state *cur = env->cur_state;
 779         struct bpf_verifier_stack_elem *elem, *head = env->head;
 780         int err;
 781 
 782         if (env->head == NULL)
 783                 return -ENOENT;
 784 
 785         if (cur) {
 786                 err = copy_verifier_state(cur, &head->st);
 787                 if (err)
 788                         return err;
 789         }
 790         if (insn_idx)
 791                 *insn_idx = head->insn_idx;
 792         if (prev_insn_idx)
 793                 *prev_insn_idx = head->prev_insn_idx;
 794         elem = head->next;
 795         free_verifier_state(&head->st, false);
 796         kfree(head);
 797         env->head = elem;
 798         env->stack_size--;
 799         return 0;
 800 }
 801 
 802 static struct bpf_verifier_state *push_stack(struct bpf_verifier_env *env,
 803                                              int insn_idx, int prev_insn_idx,
 804                                              bool speculative)
 805 {
 806         struct bpf_verifier_state *cur = env->cur_state;
 807         struct bpf_verifier_stack_elem *elem;
 808         int err;
 809 
 810         elem = kzalloc(sizeof(struct bpf_verifier_stack_elem), GFP_KERNEL);
 811         if (!elem)
 812                 goto err;
 813 
 814         elem->insn_idx = insn_idx;
 815         elem->prev_insn_idx = prev_insn_idx;
 816         elem->next = env->head;
 817         env->head = elem;
 818         env->stack_size++;
 819         err = copy_verifier_state(&elem->st, cur);
 820         if (err)
 821                 goto err;
 822         elem->st.speculative |= speculative;
 823         if (env->stack_size > BPF_COMPLEXITY_LIMIT_JMP_SEQ) {
 824                 verbose(env, "The sequence of %d jumps is too complex.\n",
 825                         env->stack_size);
 826                 goto err;
 827         }
 828         if (elem->st.parent) {
 829                 ++elem->st.parent->branches;
 830                 /* WARN_ON(branches > 2) technically makes sense here,
 831                  * but
 832                  * 1. speculative states will bump 'branches' for non-branch
 833                  * instructions
 834                  * 2. is_state_visited() heuristics may decide not to create
 835                  * a new state for a sequence of branches and all such current
 836                  * and cloned states will be pointing to a single parent state
 837                  * which might have large 'branches' count.
 838                  */
 839         }
 840         return &elem->st;
 841 err:
 842         free_verifier_state(env->cur_state, true);
 843         env->cur_state = NULL;
 844         /* pop all elements and return */
 845         while (!pop_stack(env, NULL, NULL));
 846         return NULL;
 847 }
 848 
 849 #define CALLER_SAVED_REGS 6
 850 static const int caller_saved[CALLER_SAVED_REGS] = {
 851         BPF_REG_0, BPF_REG_1, BPF_REG_2, BPF_REG_3, BPF_REG_4, BPF_REG_5
 852 };
 853 
 854 static void __mark_reg_not_init(const struct bpf_verifier_env *env,
 855                                 struct bpf_reg_state *reg);
 856 
 857 /* Mark the unknown part of a register (variable offset or scalar value) as
 858  * known to have the value @imm.
 859  */
 860 static void __mark_reg_known(struct bpf_reg_state *reg, u64 imm)
 861 {
 862         /* Clear id, off, and union(map_ptr, range) */
 863         memset(((u8 *)reg) + sizeof(reg->type), 0,
 864                offsetof(struct bpf_reg_state, var_off) - sizeof(reg->type));
 865         reg->var_off = tnum_const(imm);
 866         reg->smin_value = (s64)imm;
 867         reg->smax_value = (s64)imm;
 868         reg->umin_value = imm;
 869         reg->umax_value = imm;
 870 }
 871 
 872 /* Mark the 'variable offset' part of a register as zero.  This should be
 873  * used only on registers holding a pointer type.
 874  */
 875 static void __mark_reg_known_zero(struct bpf_reg_state *reg)
 876 {
 877         __mark_reg_known(reg, 0);
 878 }
 879 
 880 static void __mark_reg_const_zero(struct bpf_reg_state *reg)
 881 {
 882         __mark_reg_known(reg, 0);
 883         reg->type = SCALAR_VALUE;
 884 }
 885 
 886 static void mark_reg_known_zero(struct bpf_verifier_env *env,
 887                                 struct bpf_reg_state *regs, u32 regno)
 888 {
 889         if (WARN_ON(regno >= MAX_BPF_REG)) {
 890                 verbose(env, "mark_reg_known_zero(regs, %u)\n", regno);
 891                 /* Something bad happened, let's kill all regs */
 892                 for (regno = 0; regno < MAX_BPF_REG; regno++)
 893                         __mark_reg_not_init(env, regs + regno);
 894                 return;
 895         }
 896         __mark_reg_known_zero(regs + regno);
 897 }
 898 
 899 static bool reg_is_pkt_pointer(const struct bpf_reg_state *reg)
 900 {
 901         return type_is_pkt_pointer(reg->type);
 902 }
 903 
 904 static bool reg_is_pkt_pointer_any(const struct bpf_reg_state *reg)
 905 {
 906         return reg_is_pkt_pointer(reg) ||
 907                reg->type == PTR_TO_PACKET_END;
 908 }
 909 
 910 /* Unmodified PTR_TO_PACKET[_META,_END] register from ctx access. */
 911 static bool reg_is_init_pkt_pointer(const struct bpf_reg_state *reg,
 912                                     enum bpf_reg_type which)
 913 {
 914         /* The register can already have a range from prior markings.
 915          * This is fine as long as it hasn't been advanced from its
 916          * origin.
 917          */
 918         return reg->type == which &&
 919                reg->id == 0 &&
 920                reg->off == 0 &&
 921                tnum_equals_const(reg->var_off, 0);
 922 }
 923 
 924 /* Attempts to improve min/max values based on var_off information */
 925 static void __update_reg_bounds(struct bpf_reg_state *reg)
 926 {
 927         /* min signed is max(sign bit) | min(other bits) */
 928         reg->smin_value = max_t(s64, reg->smin_value,
 929                                 reg->var_off.value | (reg->var_off.mask & S64_MIN));
 930         /* max signed is min(sign bit) | max(other bits) */
 931         reg->smax_value = min_t(s64, reg->smax_value,
 932                                 reg->var_off.value | (reg->var_off.mask & S64_MAX));
 933         reg->umin_value = max(reg->umin_value, reg->var_off.value);
 934         reg->umax_value = min(reg->umax_value,
 935                               reg->var_off.value | reg->var_off.mask);
 936 }
 937 
 938 /* Uses signed min/max values to inform unsigned, and vice-versa */
 939 static void __reg_deduce_bounds(struct bpf_reg_state *reg)
 940 {
 941         /* Learn sign from signed bounds.
 942          * If we cannot cross the sign boundary, then signed and unsigned bounds
 943          * are the same, so combine.  This works even in the negative case, e.g.
 944          * -3 s<= x s<= -1 implies 0xf...fd u<= x u<= 0xf...ff.
 945          */
 946         if (reg->smin_value >= 0 || reg->smax_value < 0) {
 947                 reg->smin_value = reg->umin_value = max_t(u64, reg->smin_value,
 948                                                           reg->umin_value);
 949                 reg->smax_value = reg->umax_value = min_t(u64, reg->smax_value,
 950                                                           reg->umax_value);
 951                 return;
 952         }
 953         /* Learn sign from unsigned bounds.  Signed bounds cross the sign
 954          * boundary, so we must be careful.
 955          */
 956         if ((s64)reg->umax_value >= 0) {
 957                 /* Positive.  We can't learn anything from the smin, but smax
 958                  * is positive, hence safe.
 959                  */
 960                 reg->smin_value = reg->umin_value;
 961                 reg->smax_value = reg->umax_value = min_t(u64, reg->smax_value,
 962                                                           reg->umax_value);
 963         } else if ((s64)reg->umin_value < 0) {
 964                 /* Negative.  We can't learn anything from the smax, but smin
 965                  * is negative, hence safe.
 966                  */
 967                 reg->smin_value = reg->umin_value = max_t(u64, reg->smin_value,
 968                                                           reg->umin_value);
 969                 reg->smax_value = reg->umax_value;
 970         }
 971 }
 972 
 973 /* Attempts to improve var_off based on unsigned min/max information */
 974 static void __reg_bound_offset(struct bpf_reg_state *reg)
 975 {
 976         reg->var_off = tnum_intersect(reg->var_off,
 977                                       tnum_range(reg->umin_value,
 978                                                  reg->umax_value));
 979 }
 980 
 981 /* Reset the min/max bounds of a register */
 982 static void __mark_reg_unbounded(struct bpf_reg_state *reg)
 983 {
 984         reg->smin_value = S64_MIN;
 985         reg->smax_value = S64_MAX;
 986         reg->umin_value = 0;
 987         reg->umax_value = U64_MAX;
 988 }
 989 
 990 /* Mark a register as having a completely unknown (scalar) value. */
 991 static void __mark_reg_unknown(const struct bpf_verifier_env *env,
 992                                struct bpf_reg_state *reg)
 993 {
 994         /*
 995          * Clear type, id, off, and union(map_ptr, range) and
 996          * padding between 'type' and union
 997          */
 998         memset(reg, 0, offsetof(struct bpf_reg_state, var_off));
 999         reg->type = SCALAR_VALUE;
1000         reg->var_off = tnum_unknown;
1001         reg->frameno = 0;
1002         reg->precise = env->subprog_cnt > 1 || !env->allow_ptr_leaks ?
1003                        true : false;
1004         __mark_reg_unbounded(reg);
1005 }
1006 
1007 static void mark_reg_unknown(struct bpf_verifier_env *env,
1008                              struct bpf_reg_state *regs, u32 regno)
1009 {
1010         if (WARN_ON(regno >= MAX_BPF_REG)) {
1011                 verbose(env, "mark_reg_unknown(regs, %u)\n", regno);
1012                 /* Something bad happened, let's kill all regs except FP */
1013                 for (regno = 0; regno < BPF_REG_FP; regno++)
1014                         __mark_reg_not_init(env, regs + regno);
1015                 return;
1016         }
1017         __mark_reg_unknown(env, regs + regno);
1018 }
1019 
1020 static void __mark_reg_not_init(const struct bpf_verifier_env *env,
1021                                 struct bpf_reg_state *reg)
1022 {
1023         __mark_reg_unknown(env, reg);
1024         reg->type = NOT_INIT;
1025 }
1026 
1027 static void mark_reg_not_init(struct bpf_verifier_env *env,
1028                               struct bpf_reg_state *regs, u32 regno)
1029 {
1030         if (WARN_ON(regno >= MAX_BPF_REG)) {
1031                 verbose(env, "mark_reg_not_init(regs, %u)\n", regno);
1032                 /* Something bad happened, let's kill all regs except FP */
1033                 for (regno = 0; regno < BPF_REG_FP; regno++)
1034                         __mark_reg_not_init(env, regs + regno);
1035                 return;
1036         }
1037         __mark_reg_not_init(env, regs + regno);
1038 }
1039 
1040 #define DEF_NOT_SUBREG  (0)
1041 static void init_reg_state(struct bpf_verifier_env *env,
1042                            struct bpf_func_state *state)
1043 {
1044         struct bpf_reg_state *regs = state->regs;
1045         int i;
1046 
1047         for (i = 0; i < MAX_BPF_REG; i++) {
1048                 mark_reg_not_init(env, regs, i);
1049                 regs[i].live = REG_LIVE_NONE;
1050                 regs[i].parent = NULL;
1051                 regs[i].subreg_def = DEF_NOT_SUBREG;
1052         }
1053 
1054         /* frame pointer */
1055         regs[BPF_REG_FP].type = PTR_TO_STACK;
1056         mark_reg_known_zero(env, regs, BPF_REG_FP);
1057         regs[BPF_REG_FP].frameno = state->frameno;
1058 
1059         /* 1st arg to a function */
1060         regs[BPF_REG_1].type = PTR_TO_CTX;
1061         mark_reg_known_zero(env, regs, BPF_REG_1);
1062 }
1063 
1064 #define BPF_MAIN_FUNC (-1)
1065 static void init_func_state(struct bpf_verifier_env *env,
1066                             struct bpf_func_state *state,
1067                             int callsite, int frameno, int subprogno)
1068 {
1069         state->callsite = callsite;
1070         state->frameno = frameno;
1071         state->subprogno = subprogno;
1072         init_reg_state(env, state);
1073 }
1074 
1075 enum reg_arg_type {
1076         SRC_OP,         /* register is used as source operand */
1077         DST_OP,         /* register is used as destination operand */
1078         DST_OP_NO_MARK  /* same as above, check only, don't mark */
1079 };
1080 
1081 static int cmp_subprogs(const void *a, const void *b)
1082 {
1083         return ((struct bpf_subprog_info *)a)->start -
1084                ((struct bpf_subprog_info *)b)->start;
1085 }
1086 
1087 static int find_subprog(struct bpf_verifier_env *env, int off)
1088 {
1089         struct bpf_subprog_info *p;
1090 
1091         p = bsearch(&off, env->subprog_info, env->subprog_cnt,
1092                     sizeof(env->subprog_info[0]), cmp_subprogs);
1093         if (!p)
1094                 return -ENOENT;
1095         return p - env->subprog_info;
1096 
1097 }
1098 
1099 static int add_subprog(struct bpf_verifier_env *env, int off)
1100 {
1101         int insn_cnt = env->prog->len;
1102         int ret;
1103 
1104         if (off >= insn_cnt || off < 0) {
1105                 verbose(env, "call to invalid destination\n");
1106                 return -EINVAL;
1107         }
1108         ret = find_subprog(env, off);
1109         if (ret >= 0)
1110                 return 0;
1111         if (env->subprog_cnt >= BPF_MAX_SUBPROGS) {
1112                 verbose(env, "too many subprograms\n");
1113                 return -E2BIG;
1114         }
1115         env->subprog_info[env->subprog_cnt++].start = off;
1116         sort(env->subprog_info, env->subprog_cnt,
1117              sizeof(env->subprog_info[0]), cmp_subprogs, NULL);
1118         return 0;
1119 }
1120 
1121 static int check_subprogs(struct bpf_verifier_env *env)
1122 {
1123         int i, ret, subprog_start, subprog_end, off, cur_subprog = 0;
1124         struct bpf_subprog_info *subprog = env->subprog_info;
1125         struct bpf_insn *insn = env->prog->insnsi;
1126         int insn_cnt = env->prog->len;
1127 
1128         /* Add entry function. */
1129         ret = add_subprog(env, 0);
1130         if (ret < 0)
1131                 return ret;
1132 
1133         /* determine subprog starts. The end is one before the next starts */
1134         for (i = 0; i < insn_cnt; i++) {
1135                 if (insn[i].code != (BPF_JMP | BPF_CALL))
1136                         continue;
1137                 if (insn[i].src_reg != BPF_PSEUDO_CALL)
1138                         continue;
1139                 if (!env->allow_ptr_leaks) {
1140                         verbose(env, "function calls to other bpf functions are allowed for root only\n");
1141                         return -EPERM;
1142                 }
1143                 ret = add_subprog(env, i + insn[i].imm + 1);
1144                 if (ret < 0)
1145                         return ret;
1146         }
1147 
1148         /* Add a fake 'exit' subprog which could simplify subprog iteration
1149          * logic. 'subprog_cnt' should not be increased.
1150          */
1151         subprog[env->subprog_cnt].start = insn_cnt;
1152 
1153         if (env->log.level & BPF_LOG_LEVEL2)
1154                 for (i = 0; i < env->subprog_cnt; i++)
1155                         verbose(env, "func#%d @%d\n", i, subprog[i].start);
1156 
1157         /* now check that all jumps are within the same subprog */
1158         subprog_start = subprog[cur_subprog].start;
1159         subprog_end = subprog[cur_subprog + 1].start;
1160         for (i = 0; i < insn_cnt; i++) {
1161                 u8 code = insn[i].code;
1162 
1163                 if (BPF_CLASS(code) != BPF_JMP && BPF_CLASS(code) != BPF_JMP32)
1164                         goto next;
1165                 if (BPF_OP(code) == BPF_EXIT || BPF_OP(code) == BPF_CALL)
1166                         goto next;
1167                 off = i + insn[i].off + 1;
1168                 if (off < subprog_start || off >= subprog_end) {
1169                         verbose(env, "jump out of range from insn %d to %d\n", i, off);
1170                         return -EINVAL;
1171                 }
1172 next:
1173                 if (i == subprog_end - 1) {
1174                         /* to avoid fall-through from one subprog into another
1175                          * the last insn of the subprog should be either exit
1176                          * or unconditional jump back
1177                          */
1178                         if (code != (BPF_JMP | BPF_EXIT) &&
1179                             code != (BPF_JMP | BPF_JA)) {
1180                                 verbose(env, "last insn is not an exit or jmp\n");
1181                                 return -EINVAL;
1182                         }
1183                         subprog_start = subprog_end;
1184                         cur_subprog++;
1185                         if (cur_subprog < env->subprog_cnt)
1186                                 subprog_end = subprog[cur_subprog + 1].start;
1187                 }
1188         }
1189         return 0;
1190 }
1191 
1192 /* Parentage chain of this register (or stack slot) should take care of all
1193  * issues like callee-saved registers, stack slot allocation time, etc.
1194  */
1195 static int mark_reg_read(struct bpf_verifier_env *env,
1196                          const struct bpf_reg_state *state,
1197                          struct bpf_reg_state *parent, u8 flag)
1198 {
1199         bool writes = parent == state->parent; /* Observe write marks */
1200         int cnt = 0;
1201 
1202         while (parent) {
1203                 /* if read wasn't screened by an earlier write ... */
1204                 if (writes && state->live & REG_LIVE_WRITTEN)
1205                         break;
1206                 if (parent->live & REG_LIVE_DONE) {
1207                         verbose(env, "verifier BUG type %s var_off %lld off %d\n",
1208                                 reg_type_str[parent->type],
1209                                 parent->var_off.value, parent->off);
1210                         return -EFAULT;
1211                 }
1212                 /* The first condition is more likely to be true than the
1213                  * second, checked it first.
1214                  */
1215                 if ((parent->live & REG_LIVE_READ) == flag ||
1216                     parent->live & REG_LIVE_READ64)
1217                         /* The parentage chain never changes and
1218                          * this parent was already marked as LIVE_READ.
1219                          * There is no need to keep walking the chain again and
1220                          * keep re-marking all parents as LIVE_READ.
1221                          * This case happens when the same register is read
1222                          * multiple times without writes into it in-between.
1223                          * Also, if parent has the stronger REG_LIVE_READ64 set,
1224                          * then no need to set the weak REG_LIVE_READ32.
1225                          */
1226                         break;
1227                 /* ... then we depend on parent's value */
1228                 parent->live |= flag;
1229                 /* REG_LIVE_READ64 overrides REG_LIVE_READ32. */
1230                 if (flag == REG_LIVE_READ64)
1231                         parent->live &= ~REG_LIVE_READ32;
1232                 state = parent;
1233                 parent = state->parent;
1234                 writes = true;
1235                 cnt++;
1236         }
1237 
1238         if (env->longest_mark_read_walk < cnt)
1239                 env->longest_mark_read_walk = cnt;
1240         return 0;
1241 }
1242 
1243 /* This function is supposed to be used by the following 32-bit optimization
1244  * code only. It returns TRUE if the source or destination register operates
1245  * on 64-bit, otherwise return FALSE.
1246  */
1247 static bool is_reg64(struct bpf_verifier_env *env, struct bpf_insn *insn,
1248                      u32 regno, struct bpf_reg_state *reg, enum reg_arg_type t)
1249 {
1250         u8 code, class, op;
1251 
1252         code = insn->code;
1253         class = BPF_CLASS(code);
1254         op = BPF_OP(code);
1255         if (class == BPF_JMP) {
1256                 /* BPF_EXIT for "main" will reach here. Return TRUE
1257                  * conservatively.
1258                  */
1259                 if (op == BPF_EXIT)
1260                         return true;
1261                 if (op == BPF_CALL) {
1262                         /* BPF to BPF call will reach here because of marking
1263                          * caller saved clobber with DST_OP_NO_MARK for which we
1264                          * don't care the register def because they are anyway
1265                          * marked as NOT_INIT already.
1266                          */
1267                         if (insn->src_reg == BPF_PSEUDO_CALL)
1268                                 return false;
1269                         /* Helper call will reach here because of arg type
1270                          * check, conservatively return TRUE.
1271                          */
1272                         if (t == SRC_OP)
1273                                 return true;
1274 
1275                         return false;
1276                 }
1277         }
1278 
1279         if (class == BPF_ALU64 || class == BPF_JMP ||
1280             /* BPF_END always use BPF_ALU class. */
1281             (class == BPF_ALU && op == BPF_END && insn->imm == 64))
1282                 return true;
1283 
1284         if (class == BPF_ALU || class == BPF_JMP32)
1285                 return false;
1286 
1287         if (class == BPF_LDX) {
1288                 if (t != SRC_OP)
1289                         return BPF_SIZE(code) == BPF_DW;
1290                 /* LDX source must be ptr. */
1291                 return true;
1292         }
1293 
1294         if (class == BPF_STX) {
1295                 if (reg->type != SCALAR_VALUE)
1296                         return true;
1297                 return BPF_SIZE(code) == BPF_DW;
1298         }
1299 
1300         if (class == BPF_LD) {
1301                 u8 mode = BPF_MODE(code);
1302 
1303                 /* LD_IMM64 */
1304                 if (mode == BPF_IMM)
1305                         return true;
1306 
1307                 /* Both LD_IND and LD_ABS return 32-bit data. */
1308                 if (t != SRC_OP)
1309                         return  false;
1310 
1311                 /* Implicit ctx ptr. */
1312                 if (regno == BPF_REG_6)
1313                         return true;
1314 
1315                 /* Explicit source could be any width. */
1316                 return true;
1317         }
1318 
1319         if (class == BPF_ST)
1320                 /* The only source register for BPF_ST is a ptr. */
1321                 return true;
1322 
1323         /* Conservatively return true at default. */
1324         return true;
1325 }
1326 
1327 /* Return TRUE if INSN doesn't have explicit value define. */
1328 static bool insn_no_def(struct bpf_insn *insn)
1329 {
1330         u8 class = BPF_CLASS(insn->code);
1331 
1332         return (class == BPF_JMP || class == BPF_JMP32 ||
1333                 class == BPF_STX || class == BPF_ST);
1334 }
1335 
1336 /* Return TRUE if INSN has defined any 32-bit value explicitly. */
1337 static bool insn_has_def32(struct bpf_verifier_env *env, struct bpf_insn *insn)
1338 {
1339         if (insn_no_def(insn))
1340                 return false;
1341 
1342         return !is_reg64(env, insn, insn->dst_reg, NULL, DST_OP);
1343 }
1344 
1345 static void mark_insn_zext(struct bpf_verifier_env *env,
1346                            struct bpf_reg_state *reg)
1347 {
1348         s32 def_idx = reg->subreg_def;
1349 
1350         if (def_idx == DEF_NOT_SUBREG)
1351                 return;
1352 
1353         env->insn_aux_data[def_idx - 1].zext_dst = true;
1354         /* The dst will be zero extended, so won't be sub-register anymore. */
1355         reg->subreg_def = DEF_NOT_SUBREG;
1356 }
1357 
1358 static int check_reg_arg(struct bpf_verifier_env *env, u32 regno,
1359                          enum reg_arg_type t)
1360 {
1361         struct bpf_verifier_state *vstate = env->cur_state;
1362         struct bpf_func_state *state = vstate->frame[vstate->curframe];
1363         struct bpf_insn *insn = env->prog->insnsi + env->insn_idx;
1364         struct bpf_reg_state *reg, *regs = state->regs;
1365         bool rw64;
1366 
1367         if (regno >= MAX_BPF_REG) {
1368                 verbose(env, "R%d is invalid\n", regno);
1369                 return -EINVAL;
1370         }
1371 
1372         reg = &regs[regno];
1373         rw64 = is_reg64(env, insn, regno, reg, t);
1374         if (t == SRC_OP) {
1375                 /* check whether register used as source operand can be read */
1376                 if (reg->type == NOT_INIT) {
1377                         verbose(env, "R%d !read_ok\n", regno);
1378                         return -EACCES;
1379                 }
1380                 /* We don't need to worry about FP liveness because it's read-only */
1381                 if (regno == BPF_REG_FP)
1382                         return 0;
1383 
1384                 if (rw64)
1385                         mark_insn_zext(env, reg);
1386 
1387                 return mark_reg_read(env, reg, reg->parent,
1388                                      rw64 ? REG_LIVE_READ64 : REG_LIVE_READ32);
1389         } else {
1390                 /* check whether register used as dest operand can be written to */
1391                 if (regno == BPF_REG_FP) {
1392                         verbose(env, "frame pointer is read only\n");
1393                         return -EACCES;
1394                 }
1395                 reg->live |= REG_LIVE_WRITTEN;
1396                 reg->subreg_def = rw64 ? DEF_NOT_SUBREG : env->insn_idx + 1;
1397                 if (t == DST_OP)
1398                         mark_reg_unknown(env, regs, regno);
1399         }
1400         return 0;
1401 }
1402 
1403 /* for any branch, call, exit record the history of jmps in the given state */
1404 static int push_jmp_history(struct bpf_verifier_env *env,
1405                             struct bpf_verifier_state *cur)
1406 {
1407         u32 cnt = cur->jmp_history_cnt;
1408         struct bpf_idx_pair *p;
1409 
1410         cnt++;
1411         p = krealloc(cur->jmp_history, cnt * sizeof(*p), GFP_USER);
1412         if (!p)
1413                 return -ENOMEM;
1414         p[cnt - 1].idx = env->insn_idx;
1415         p[cnt - 1].prev_idx = env->prev_insn_idx;
1416         cur->jmp_history = p;
1417         cur->jmp_history_cnt = cnt;
1418         return 0;
1419 }
1420 
1421 /* Backtrack one insn at a time. If idx is not at the top of recorded
1422  * history then previous instruction came from straight line execution.
1423  */
1424 static int get_prev_insn_idx(struct bpf_verifier_state *st, int i,
1425                              u32 *history)
1426 {
1427         u32 cnt = *history;
1428 
1429         if (cnt && st->jmp_history[cnt - 1].idx == i) {
1430                 i = st->jmp_history[cnt - 1].prev_idx;
1431                 (*history)--;
1432         } else {
1433                 i--;
1434         }
1435         return i;
1436 }
1437 
1438 /* For given verifier state backtrack_insn() is called from the last insn to
1439  * the first insn. Its purpose is to compute a bitmask of registers and
1440  * stack slots that needs precision in the parent verifier state.
1441  */
1442 static int backtrack_insn(struct bpf_verifier_env *env, int idx,
1443                           u32 *reg_mask, u64 *stack_mask)
1444 {
1445         const struct bpf_insn_cbs cbs = {
1446                 .cb_print       = verbose,
1447                 .private_data   = env,
1448         };
1449         struct bpf_insn *insn = env->prog->insnsi + idx;
1450         u8 class = BPF_CLASS(insn->code);
1451         u8 opcode = BPF_OP(insn->code);
1452         u8 mode = BPF_MODE(insn->code);
1453         u32 dreg = 1u << insn->dst_reg;
1454         u32 sreg = 1u << insn->src_reg;
1455         u32 spi;
1456 
1457         if (insn->code == 0)
1458                 return 0;
1459         if (env->log.level & BPF_LOG_LEVEL) {
1460                 verbose(env, "regs=%x stack=%llx before ", *reg_mask, *stack_mask);
1461                 verbose(env, "%d: ", idx);
1462                 print_bpf_insn(&cbs, insn, env->allow_ptr_leaks);
1463         }
1464 
1465         if (class == BPF_ALU || class == BPF_ALU64) {
1466                 if (!(*reg_mask & dreg))
1467                         return 0;
1468                 if (opcode == BPF_MOV) {
1469                         if (BPF_SRC(insn->code) == BPF_X) {
1470                                 /* dreg = sreg
1471                                  * dreg needs precision after this insn
1472                                  * sreg needs precision before this insn
1473                                  */
1474                                 *reg_mask &= ~dreg;
1475                                 *reg_mask |= sreg;
1476                         } else {
1477                                 /* dreg = K
1478                                  * dreg needs precision after this insn.
1479                                  * Corresponding register is already marked
1480                                  * as precise=true in this verifier state.
1481                                  * No further markings in parent are necessary
1482                                  */
1483                                 *reg_mask &= ~dreg;
1484                         }
1485                 } else {
1486                         if (BPF_SRC(insn->code) == BPF_X) {
1487                                 /* dreg += sreg
1488                                  * both dreg and sreg need precision
1489                                  * before this insn
1490                                  */
1491                                 *reg_mask |= sreg;
1492                         } /* else dreg += K
1493                            * dreg still needs precision before this insn
1494                            */
1495                 }
1496         } else if (class == BPF_LDX) {
1497                 if (!(*reg_mask & dreg))
1498                         return 0;
1499                 *reg_mask &= ~dreg;
1500 
1501                 /* scalars can only be spilled into stack w/o losing precision.
1502                  * Load from any other memory can be zero extended.
1503                  * The desire to keep that precision is already indicated
1504                  * by 'precise' mark in corresponding register of this state.
1505                  * No further tracking necessary.
1506                  */
1507                 if (insn->src_reg != BPF_REG_FP)
1508                         return 0;
1509                 if (BPF_SIZE(insn->code) != BPF_DW)
1510                         return 0;
1511 
1512                 /* dreg = *(u64 *)[fp - off] was a fill from the stack.
1513                  * that [fp - off] slot contains scalar that needs to be
1514                  * tracked with precision
1515                  */
1516                 spi = (-insn->off - 1) / BPF_REG_SIZE;
1517                 if (spi >= 64) {
1518                         verbose(env, "BUG spi %d\n", spi);
1519                         WARN_ONCE(1, "verifier backtracking bug");
1520                         return -EFAULT;
1521                 }
1522                 *stack_mask |= 1ull << spi;
1523         } else if (class == BPF_STX || class == BPF_ST) {
1524                 if (*reg_mask & dreg)
1525                         /* stx & st shouldn't be using _scalar_ dst_reg
1526                          * to access memory. It means backtracking
1527                          * encountered a case of pointer subtraction.
1528                          */
1529                         return -ENOTSUPP;
1530                 /* scalars can only be spilled into stack */
1531                 if (insn->dst_reg != BPF_REG_FP)
1532                         return 0;
1533                 if (BPF_SIZE(insn->code) != BPF_DW)
1534                         return 0;
1535                 spi = (-insn->off - 1) / BPF_REG_SIZE;
1536                 if (spi >= 64) {
1537                         verbose(env, "BUG spi %d\n", spi);
1538                         WARN_ONCE(1, "verifier backtracking bug");
1539                         return -EFAULT;
1540                 }
1541                 if (!(*stack_mask & (1ull << spi)))
1542                         return 0;
1543                 *stack_mask &= ~(1ull << spi);
1544                 if (class == BPF_STX)
1545                         *reg_mask |= sreg;
1546         } else if (class == BPF_JMP || class == BPF_JMP32) {
1547                 if (opcode == BPF_CALL) {
1548                         if (insn->src_reg == BPF_PSEUDO_CALL)
1549                                 return -ENOTSUPP;
1550                         /* regular helper call sets R0 */
1551                         *reg_mask &= ~1;
1552                         if (*reg_mask & 0x3f) {
1553                                 /* if backtracing was looking for registers R1-R5
1554                                  * they should have been found already.
1555                                  */
1556                                 verbose(env, "BUG regs %x\n", *reg_mask);
1557                                 WARN_ONCE(1, "verifier backtracking bug");
1558                                 return -EFAULT;
1559                         }
1560                 } else if (opcode == BPF_EXIT) {
1561                         return -ENOTSUPP;
1562                 }
1563         } else if (class == BPF_LD) {
1564                 if (!(*reg_mask & dreg))
1565                         return 0;
1566                 *reg_mask &= ~dreg;
1567                 /* It's ld_imm64 or ld_abs or ld_ind.
1568                  * For ld_imm64 no further tracking of precision
1569                  * into parent is necessary
1570                  */
1571                 if (mode == BPF_IND || mode == BPF_ABS)
1572                         /* to be analyzed */
1573                         return -ENOTSUPP;
1574         }
1575         return 0;
1576 }
1577 
1578 /* the scalar precision tracking algorithm:
1579  * . at the start all registers have precise=false.
1580  * . scalar ranges are tracked as normal through alu and jmp insns.
1581  * . once precise value of the scalar register is used in:
1582  *   .  ptr + scalar alu
1583  *   . if (scalar cond K|scalar)
1584  *   .  helper_call(.., scalar, ...) where ARG_CONST is expected
1585  *   backtrack through the verifier states and mark all registers and
1586  *   stack slots with spilled constants that these scalar regisers
1587  *   should be precise.
1588  * . during state pruning two registers (or spilled stack slots)
1589  *   are equivalent if both are not precise.
1590  *
1591  * Note the verifier cannot simply walk register parentage chain,
1592  * since many different registers and stack slots could have been
1593  * used to compute single precise scalar.
1594  *
1595  * The approach of starting with precise=true for all registers and then
1596  * backtrack to mark a register as not precise when the verifier detects
1597  * that program doesn't care about specific value (e.g., when helper
1598  * takes register as ARG_ANYTHING parameter) is not safe.
1599  *
1600  * It's ok to walk single parentage chain of the verifier states.
1601  * It's possible that this backtracking will go all the way till 1st insn.
1602  * All other branches will be explored for needing precision later.
1603  *
1604  * The backtracking needs to deal with cases like:
1605  *   R8=map_value(id=0,off=0,ks=4,vs=1952,imm=0) R9_w=map_value(id=0,off=40,ks=4,vs=1952,imm=0)
1606  * r9 -= r8
1607  * r5 = r9
1608  * if r5 > 0x79f goto pc+7
1609  *    R5_w=inv(id=0,umax_value=1951,var_off=(0x0; 0x7ff))
1610  * r5 += 1
1611  * ...
1612  * call bpf_perf_event_output#25
1613  *   where .arg5_type = ARG_CONST_SIZE_OR_ZERO
1614  *
1615  * and this case:
1616  * r6 = 1
1617  * call foo // uses callee's r6 inside to compute r0
1618  * r0 += r6
1619  * if r0 == 0 goto
1620  *
1621  * to track above reg_mask/stack_mask needs to be independent for each frame.
1622  *
1623  * Also if parent's curframe > frame where backtracking started,
1624  * the verifier need to mark registers in both frames, otherwise callees
1625  * may incorrectly prune callers. This is similar to
1626  * commit 7640ead93924 ("bpf: verifier: make sure callees don't prune with caller differences")
1627  *
1628  * For now backtracking falls back into conservative marking.
1629  */
1630 static void mark_all_scalars_precise(struct bpf_verifier_env *env,
1631                                      struct bpf_verifier_state *st)
1632 {
1633         struct bpf_func_state *func;
1634         struct bpf_reg_state *reg;
1635         int i, j;
1636 
1637         /* big hammer: mark all scalars precise in this path.
1638          * pop_stack may still get !precise scalars.
1639          */
1640         for (; st; st = st->parent)
1641                 for (i = 0; i <= st->curframe; i++) {
1642                         func = st->frame[i];
1643                         for (j = 0; j < BPF_REG_FP; j++) {
1644                                 reg = &func->regs[j];
1645                                 if (reg->type != SCALAR_VALUE)
1646                                         continue;
1647                                 reg->precise = true;
1648                         }
1649                         for (j = 0; j < func->allocated_stack / BPF_REG_SIZE; j++) {
1650                                 if (func->stack[j].slot_type[0] != STACK_SPILL)
1651                                         continue;
1652                                 reg = &func->stack[j].spilled_ptr;
1653                                 if (reg->type != SCALAR_VALUE)
1654                                         continue;
1655                                 reg->precise = true;
1656                         }
1657                 }
1658 }
1659 
1660 static int __mark_chain_precision(struct bpf_verifier_env *env, int regno,
1661                                   int spi)
1662 {
1663         struct bpf_verifier_state *st = env->cur_state;
1664         int first_idx = st->first_insn_idx;
1665         int last_idx = env->insn_idx;
1666         struct bpf_func_state *func;
1667         struct bpf_reg_state *reg;
1668         u32 reg_mask = regno >= 0 ? 1u << regno : 0;
1669         u64 stack_mask = spi >= 0 ? 1ull << spi : 0;
1670         bool skip_first = true;
1671         bool new_marks = false;
1672         int i, err;
1673 
1674         if (!env->allow_ptr_leaks)
1675                 /* backtracking is root only for now */
1676                 return 0;
1677 
1678         func = st->frame[st->curframe];
1679         if (regno >= 0) {
1680                 reg = &func->regs[regno];
1681                 if (reg->type != SCALAR_VALUE) {
1682                         WARN_ONCE(1, "backtracing misuse");
1683                         return -EFAULT;
1684                 }
1685                 if (!reg->precise)
1686                         new_marks = true;
1687                 else
1688                         reg_mask = 0;
1689                 reg->precise = true;
1690         }
1691 
1692         while (spi >= 0) {
1693                 if (func->stack[spi].slot_type[0] != STACK_SPILL) {
1694                         stack_mask = 0;
1695                         break;
1696                 }
1697                 reg = &func->stack[spi].spilled_ptr;
1698                 if (reg->type != SCALAR_VALUE) {
1699                         stack_mask = 0;
1700                         break;
1701                 }
1702                 if (!reg->precise)
1703                         new_marks = true;
1704                 else
1705                         stack_mask = 0;
1706                 reg->precise = true;
1707                 break;
1708         }
1709 
1710         if (!new_marks)
1711                 return 0;
1712         if (!reg_mask && !stack_mask)
1713                 return 0;
1714         for (;;) {
1715                 DECLARE_BITMAP(mask, 64);
1716                 u32 history = st->jmp_history_cnt;
1717 
1718                 if (env->log.level & BPF_LOG_LEVEL)
1719                         verbose(env, "last_idx %d first_idx %d\n", last_idx, first_idx);
1720                 for (i = last_idx;;) {
1721                         if (skip_first) {
1722                                 err = 0;
1723                                 skip_first = false;
1724                         } else {
1725                                 err = backtrack_insn(env, i, &reg_mask, &stack_mask);
1726                         }
1727                         if (err == -ENOTSUPP) {
1728                                 mark_all_scalars_precise(env, st);
1729                                 return 0;
1730                         } else if (err) {
1731                                 return err;
1732                         }
1733                         if (!reg_mask && !stack_mask)
1734                                 /* Found assignment(s) into tracked register in this state.
1735                                  * Since this state is already marked, just return.
1736                                  * Nothing to be tracked further in the parent state.
1737                                  */
1738                                 return 0;
1739                         if (i == first_idx)
1740                                 break;
1741                         i = get_prev_insn_idx(st, i, &history);
1742                         if (i >= env->prog->len) {
1743                                 /* This can happen if backtracking reached insn 0
1744                                  * and there are still reg_mask or stack_mask
1745                                  * to backtrack.
1746                                  * It means the backtracking missed the spot where
1747                                  * particular register was initialized with a constant.
1748                                  */
1749                                 verbose(env, "BUG backtracking idx %d\n", i);
1750                                 WARN_ONCE(1, "verifier backtracking bug");
1751                                 return -EFAULT;
1752                         }
1753                 }
1754                 st = st->parent;
1755                 if (!st)
1756                         break;
1757 
1758                 new_marks = false;
1759                 func = st->frame[st->curframe];
1760                 bitmap_from_u64(mask, reg_mask);
1761                 for_each_set_bit(i, mask, 32) {
1762                         reg = &func->regs[i];
1763                         if (reg->type != SCALAR_VALUE) {
1764                                 reg_mask &= ~(1u << i);
1765                                 continue;
1766                         }
1767                         if (!reg->precise)
1768                                 new_marks = true;
1769                         reg->precise = true;
1770                 }
1771 
1772                 bitmap_from_u64(mask, stack_mask);
1773                 for_each_set_bit(i, mask, 64) {
1774                         if (i >= func->allocated_stack / BPF_REG_SIZE) {
1775                                 /* the sequence of instructions:
1776                                  * 2: (bf) r3 = r10
1777                                  * 3: (7b) *(u64 *)(r3 -8) = r0
1778                                  * 4: (79) r4 = *(u64 *)(r10 -8)
1779                                  * doesn't contain jmps. It's backtracked
1780                                  * as a single block.
1781                                  * During backtracking insn 3 is not recognized as
1782                                  * stack access, so at the end of backtracking
1783                                  * stack slot fp-8 is still marked in stack_mask.
1784                                  * However the parent state may not have accessed
1785                                  * fp-8 and it's "unallocated" stack space.
1786                                  * In such case fallback to conservative.
1787                                  */
1788                                 mark_all_scalars_precise(env, st);
1789                                 return 0;
1790                         }
1791 
1792                         if (func->stack[i].slot_type[0] != STACK_SPILL) {
1793                                 stack_mask &= ~(1ull << i);
1794                                 continue;
1795                         }
1796                         reg = &func->stack[i].spilled_ptr;
1797                         if (reg->type != SCALAR_VALUE) {
1798                                 stack_mask &= ~(1ull << i);
1799                                 continue;
1800                         }
1801                         if (!reg->precise)
1802                                 new_marks = true;
1803                         reg->precise = true;
1804                 }
1805                 if (env->log.level & BPF_LOG_LEVEL) {
1806                         print_verifier_state(env, func);
1807                         verbose(env, "parent %s regs=%x stack=%llx marks\n",
1808                                 new_marks ? "didn't have" : "already had",
1809                                 reg_mask, stack_mask);
1810                 }
1811 
1812                 if (!reg_mask && !stack_mask)
1813                         break;
1814                 if (!new_marks)
1815                         break;
1816 
1817                 last_idx = st->last_insn_idx;
1818                 first_idx = st->first_insn_idx;
1819         }
1820         return 0;
1821 }
1822 
1823 static int mark_chain_precision(struct bpf_verifier_env *env, int regno)
1824 {
1825         return __mark_chain_precision(env, regno, -1);
1826 }
1827 
1828 static int mark_chain_precision_stack(struct bpf_verifier_env *env, int spi)
1829 {
1830         return __mark_chain_precision(env, -1, spi);
1831 }
1832 
1833 static bool is_spillable_regtype(enum bpf_reg_type type)
1834 {
1835         switch (type) {
1836         case PTR_TO_MAP_VALUE:
1837         case PTR_TO_MAP_VALUE_OR_NULL:
1838         case PTR_TO_STACK:
1839         case PTR_TO_CTX:
1840         case PTR_TO_PACKET:
1841         case PTR_TO_PACKET_META:
1842         case PTR_TO_PACKET_END:
1843         case PTR_TO_FLOW_KEYS:
1844         case CONST_PTR_TO_MAP:
1845         case PTR_TO_SOCKET:
1846         case PTR_TO_SOCKET_OR_NULL:
1847         case PTR_TO_SOCK_COMMON:
1848         case PTR_TO_SOCK_COMMON_OR_NULL:
1849         case PTR_TO_TCP_SOCK:
1850         case PTR_TO_TCP_SOCK_OR_NULL:
1851         case PTR_TO_XDP_SOCK:
1852                 return true;
1853         default:
1854                 return false;
1855         }
1856 }
1857 
1858 /* Does this register contain a constant zero? */
1859 static bool register_is_null(struct bpf_reg_state *reg)
1860 {
1861         return reg->type == SCALAR_VALUE && tnum_equals_const(reg->var_off, 0);
1862 }
1863 
1864 static bool register_is_const(struct bpf_reg_state *reg)
1865 {
1866         return reg->type == SCALAR_VALUE && tnum_is_const(reg->var_off);
1867 }
1868 
1869 static bool __is_pointer_value(bool allow_ptr_leaks,
1870                                const struct bpf_reg_state *reg)
1871 {
1872         if (allow_ptr_leaks)
1873                 return false;
1874 
1875         return reg->type != SCALAR_VALUE;
1876 }
1877 
1878 static void save_register_state(struct bpf_func_state *state,
1879                                 int spi, struct bpf_reg_state *reg)
1880 {
1881         int i;
1882 
1883         state->stack[spi].spilled_ptr = *reg;
1884         state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN;
1885 
1886         for (i = 0; i < BPF_REG_SIZE; i++)
1887                 state->stack[spi].slot_type[i] = STACK_SPILL;
1888 }
1889 
1890 /* check_stack_read/write functions track spill/fill of registers,
1891  * stack boundary and alignment are checked in check_mem_access()
1892  */
1893 static int check_stack_write(struct bpf_verifier_env *env,
1894                              struct bpf_func_state *state, /* func where register points to */
1895                              int off, int size, int value_regno, int insn_idx)
1896 {
1897         struct bpf_func_state *cur; /* state of the current function */
1898         int i, slot = -off - 1, spi = slot / BPF_REG_SIZE, err;
1899         u32 dst_reg = env->prog->insnsi[insn_idx].dst_reg;
1900         struct bpf_reg_state *reg = NULL;
1901 
1902         err = realloc_func_state(state, round_up(slot + 1, BPF_REG_SIZE),
1903                                  state->acquired_refs, true);
1904         if (err)
1905                 return err;
1906         /* caller checked that off % size == 0 and -MAX_BPF_STACK <= off < 0,
1907          * so it's aligned access and [off, off + size) are within stack limits
1908          */
1909         if (!env->allow_ptr_leaks &&
1910             state->stack[spi].slot_type[0] == STACK_SPILL &&
1911             size != BPF_REG_SIZE) {
1912                 verbose(env, "attempt to corrupt spilled pointer on stack\n");
1913                 return -EACCES;
1914         }
1915 
1916         cur = env->cur_state->frame[env->cur_state->curframe];
1917         if (value_regno >= 0)
1918                 reg = &cur->regs[value_regno];
1919 
1920         if (reg && size == BPF_REG_SIZE && register_is_const(reg) &&
1921             !register_is_null(reg) && env->allow_ptr_leaks) {
1922                 if (dst_reg != BPF_REG_FP) {
1923                         /* The backtracking logic can only recognize explicit
1924                          * stack slot address like [fp - 8]. Other spill of
1925                          * scalar via different register has to be conervative.
1926                          * Backtrack from here and mark all registers as precise
1927                          * that contributed into 'reg' being a constant.
1928                          */
1929                         err = mark_chain_precision(env, value_regno);
1930                         if (err)
1931                                 return err;
1932                 }
1933                 save_register_state(state, spi, reg);
1934         } else if (reg && is_spillable_regtype(reg->type)) {
1935                 /* register containing pointer is being spilled into stack */
1936                 if (size != BPF_REG_SIZE) {
1937                         verbose_linfo(env, insn_idx, "; ");
1938                         verbose(env, "invalid size of register spill\n");
1939                         return -EACCES;
1940                 }
1941 
1942                 if (state != cur && reg->type == PTR_TO_STACK) {
1943                         verbose(env, "cannot spill pointers to stack into stack frame of the caller\n");
1944                         return -EINVAL;
1945                 }
1946 
1947                 if (!env->allow_ptr_leaks) {
1948                         bool sanitize = false;
1949 
1950                         if (state->stack[spi].slot_type[0] == STACK_SPILL &&
1951                             register_is_const(&state->stack[spi].spilled_ptr))
1952                                 sanitize = true;
1953                         for (i = 0; i < BPF_REG_SIZE; i++)
1954                                 if (state->stack[spi].slot_type[i] == STACK_MISC) {
1955                                         sanitize = true;
1956                                         break;
1957                                 }
1958                         if (sanitize) {
1959                                 int *poff = &env->insn_aux_data[insn_idx].sanitize_stack_off;
1960                                 int soff = (-spi - 1) * BPF_REG_SIZE;
1961 
1962                                 /* detected reuse of integer stack slot with a pointer
1963                                  * which means either llvm is reusing stack slot or
1964                                  * an attacker is trying to exploit CVE-2018-3639
1965                                  * (speculative store bypass)
1966                                  * Have to sanitize that slot with preemptive
1967                                  * store of zero.
1968                                  */
1969                                 if (*poff && *poff != soff) {
1970                                         /* disallow programs where single insn stores
1971                                          * into two different stack slots, since verifier
1972                                          * cannot sanitize them
1973                                          */
1974                                         verbose(env,
1975                                                 "insn %d cannot access two stack slots fp%d and fp%d",
1976                                                 insn_idx, *poff, soff);
1977                                         return -EINVAL;
1978                                 }
1979                                 *poff = soff;
1980                         }
1981                 }
1982                 save_register_state(state, spi, reg);
1983         } else {
1984                 u8 type = STACK_MISC;
1985 
1986                 /* regular write of data into stack destroys any spilled ptr */
1987                 state->stack[spi].spilled_ptr.type = NOT_INIT;
1988                 /* Mark slots as STACK_MISC if they belonged to spilled ptr. */
1989                 if (state->stack[spi].slot_type[0] == STACK_SPILL)
1990                         for (i = 0; i < BPF_REG_SIZE; i++)
1991                                 state->stack[spi].slot_type[i] = STACK_MISC;
1992 
1993                 /* only mark the slot as written if all 8 bytes were written
1994                  * otherwise read propagation may incorrectly stop too soon
1995                  * when stack slots are partially written.
1996                  * This heuristic means that read propagation will be
1997                  * conservative, since it will add reg_live_read marks
1998                  * to stack slots all the way to first state when programs
1999                  * writes+reads less than 8 bytes
2000                  */
2001                 if (size == BPF_REG_SIZE)
2002                         state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN;
2003 
2004                 /* when we zero initialize stack slots mark them as such */
2005                 if (reg && register_is_null(reg)) {
2006                         /* backtracking doesn't work for STACK_ZERO yet. */
2007                         err = mark_chain_precision(env, value_regno);
2008                         if (err)
2009                                 return err;
2010                         type = STACK_ZERO;
2011                 }
2012 
2013                 /* Mark slots affected by this stack write. */
2014                 for (i = 0; i < size; i++)
2015                         state->stack[spi].slot_type[(slot - i) % BPF_REG_SIZE] =
2016                                 type;
2017         }
2018         return 0;
2019 }
2020 
2021 static int check_stack_read(struct bpf_verifier_env *env,
2022                             struct bpf_func_state *reg_state /* func where register points to */,
2023                             int off, int size, int value_regno)
2024 {
2025         struct bpf_verifier_state *vstate = env->cur_state;
2026         struct bpf_func_state *state = vstate->frame[vstate->curframe];
2027         int i, slot = -off - 1, spi = slot / BPF_REG_SIZE;
2028         struct bpf_reg_state *reg;
2029         u8 *stype;
2030 
2031         if (reg_state->allocated_stack <= slot) {
2032                 verbose(env, "invalid read from stack off %d+0 size %d\n",
2033                         off, size);
2034                 return -EACCES;
2035         }
2036         stype = reg_state->stack[spi].slot_type;
2037         reg = &reg_state->stack[spi].spilled_ptr;
2038 
2039         if (stype[0] == STACK_SPILL) {
2040                 if (size != BPF_REG_SIZE) {
2041                         if (reg->type != SCALAR_VALUE) {
2042                                 verbose_linfo(env, env->insn_idx, "; ");
2043                                 verbose(env, "invalid size of register fill\n");
2044                                 return -EACCES;
2045                         }
2046                         if (value_regno >= 0) {
2047                                 mark_reg_unknown(env, state->regs, value_regno);
2048                                 state->regs[value_regno].live |= REG_LIVE_WRITTEN;
2049                         }
2050                         mark_reg_read(env, reg, reg->parent, REG_LIVE_READ64);
2051                         return 0;
2052                 }
2053                 for (i = 1; i < BPF_REG_SIZE; i++) {
2054                         if (stype[(slot - i) % BPF_REG_SIZE] != STACK_SPILL) {
2055                                 verbose(env, "corrupted spill memory\n");
2056                                 return -EACCES;
2057                         }
2058                 }
2059 
2060                 if (value_regno >= 0) {
2061                         /* restore register state from stack */
2062                         state->regs[value_regno] = *reg;
2063                         /* mark reg as written since spilled pointer state likely
2064                          * has its liveness marks cleared by is_state_visited()
2065                          * which resets stack/reg liveness for state transitions
2066                          */
2067                         state->regs[value_regno].live |= REG_LIVE_WRITTEN;
2068                 } else if (__is_pointer_value(env->allow_ptr_leaks, reg)) {
2069                         /* If value_regno==-1, the caller is asking us whether
2070                          * it is acceptable to use this value as a SCALAR_VALUE
2071                          * (e.g. for XADD).
2072                          * We must not allow unprivileged callers to do that
2073                          * with spilled pointers.
2074                          */
2075                         verbose(env, "leaking pointer from stack off %d\n",
2076                                 off);
2077                         return -EACCES;
2078                 }
2079                 mark_reg_read(env, reg, reg->parent, REG_LIVE_READ64);
2080         } else {
2081                 int zeros = 0;
2082 
2083                 for (i = 0; i < size; i++) {
2084                         if (stype[(slot - i) % BPF_REG_SIZE] == STACK_MISC)
2085                                 continue;
2086                         if (stype[(slot - i) % BPF_REG_SIZE] == STACK_ZERO) {
2087                                 zeros++;
2088                                 continue;
2089                         }
2090                         verbose(env, "invalid read from stack off %d+%d size %d\n",
2091                                 off, i, size);
2092                         return -EACCES;
2093                 }
2094                 mark_reg_read(env, reg, reg->parent, REG_LIVE_READ64);
2095                 if (value_regno >= 0) {
2096                         if (zeros == size) {
2097                                 /* any size read into register is zero extended,
2098                                  * so the whole register == const_zero
2099                                  */
2100                                 __mark_reg_const_zero(&state->regs[value_regno]);
2101                                 /* backtracking doesn't support STACK_ZERO yet,
2102                                  * so mark it precise here, so that later
2103                                  * backtracking can stop here.
2104                                  * Backtracking may not need this if this register
2105                                  * doesn't participate in pointer adjustment.
2106                                  * Forward propagation of precise flag is not
2107                                  * necessary either. This mark is only to stop
2108                                  * backtracking. Any register that contributed
2109                                  * to const 0 was marked precise before spill.
2110                                  */
2111                                 state->regs[value_regno].precise = true;
2112                         } else {
2113                                 /* have read misc data from the stack */
2114                                 mark_reg_unknown(env, state->regs, value_regno);
2115                         }
2116                         state->regs[value_regno].live |= REG_LIVE_WRITTEN;
2117                 }
2118         }
2119         return 0;
2120 }
2121 
2122 static int check_stack_access(struct bpf_verifier_env *env,
2123                               const struct bpf_reg_state *reg,
2124                               int off, int size)
2125 {
2126         /* Stack accesses must be at a fixed offset, so that we
2127          * can determine what type of data were returned. See
2128          * check_stack_read().
2129          */
2130         if (!tnum_is_const(reg->var_off)) {
2131                 char tn_buf[48];
2132 
2133                 tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
2134                 verbose(env, "variable stack access var_off=%s off=%d size=%d\n",
2135                         tn_buf, off, size);
2136                 return -EACCES;
2137         }
2138 
2139         if (off >= 0 || off < -MAX_BPF_STACK) {
2140                 verbose(env, "invalid stack off=%d size=%d\n", off, size);
2141                 return -EACCES;
2142         }
2143 
2144         return 0;
2145 }
2146 
2147 static int check_map_access_type(struct bpf_verifier_env *env, u32 regno,
2148                                  int off, int size, enum bpf_access_type type)
2149 {
2150         struct bpf_reg_state *regs = cur_regs(env);
2151         struct bpf_map *map = regs[regno].map_ptr;
2152         u32 cap = bpf_map_flags_to_cap(map);
2153 
2154         if (type == BPF_WRITE && !(cap & BPF_MAP_CAN_WRITE)) {
2155                 verbose(env, "write into map forbidden, value_size=%d off=%d size=%d\n",
2156                         map->value_size, off, size);
2157                 return -EACCES;
2158         }
2159 
2160         if (type == BPF_READ && !(cap & BPF_MAP_CAN_READ)) {
2161                 verbose(env, "read from map forbidden, value_size=%d off=%d size=%d\n",
2162                         map->value_size, off, size);
2163                 return -EACCES;
2164         }
2165 
2166         return 0;
2167 }
2168 
2169 /* check read/write into map element returned by bpf_map_lookup_elem() */
2170 static int __check_map_access(struct bpf_verifier_env *env, u32 regno, int off,
2171                               int size, bool zero_size_allowed)
2172 {
2173         struct bpf_reg_state *regs = cur_regs(env);
2174         struct bpf_map *map = regs[regno].map_ptr;
2175 
2176         if (off < 0 || size < 0 || (size == 0 && !zero_size_allowed) ||
2177             off + size > map->value_size) {
2178                 verbose(env, "invalid access to map value, value_size=%d off=%d size=%d\n",
2179                         map->value_size, off, size);
2180                 return -EACCES;
2181         }
2182         return 0;
2183 }
2184 
2185 /* check read/write into a map element with possible variable offset */
2186 static int check_map_access(struct bpf_verifier_env *env, u32 regno,
2187                             int off, int size, bool zero_size_allowed)
2188 {
2189         struct bpf_verifier_state *vstate = env->cur_state;
2190         struct bpf_func_state *state = vstate->frame[vstate->curframe];
2191         struct bpf_reg_state *reg = &state->regs[regno];
2192         int err;
2193 
2194         /* We may have adjusted the register to this map value, so we
2195          * need to try adding each of min_value and max_value to off
2196          * to make sure our theoretical access will be safe.
2197          */
2198         if (env->log.level & BPF_LOG_LEVEL)
2199                 print_verifier_state(env, state);
2200 
2201         /* The minimum value is only important with signed
2202          * comparisons where we can't assume the floor of a
2203          * value is 0.  If we are using signed variables for our
2204          * index'es we need to make sure that whatever we use
2205          * will have a set floor within our range.
2206          */
2207         if (reg->smin_value < 0 &&
2208             (reg->smin_value == S64_MIN ||
2209              (off + reg->smin_value != (s64)(s32)(off + reg->smin_value)) ||
2210               reg->smin_value + off < 0)) {
2211                 verbose(env, "R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n",
2212                         regno);
2213                 return -EACCES;
2214         }
2215         err = __check_map_access(env, regno, reg->smin_value + off, size,
2216                                  zero_size_allowed);
2217         if (err) {
2218                 verbose(env, "R%d min value is outside of the array range\n",
2219                         regno);
2220                 return err;
2221         }
2222 
2223         /* If we haven't set a max value then we need to bail since we can't be
2224          * sure we won't do bad things.
2225          * If reg->umax_value + off could overflow, treat that as unbounded too.
2226          */
2227         if (reg->umax_value >= BPF_MAX_VAR_OFF) {
2228                 verbose(env, "R%d unbounded memory access, make sure to bounds check any array access into a map\n",
2229                         regno);
2230                 return -EACCES;
2231         }
2232         err = __check_map_access(env, regno, reg->umax_value + off, size,
2233                                  zero_size_allowed);
2234         if (err)
2235                 verbose(env, "R%d max value is outside of the array range\n",
2236                         regno);
2237 
2238         if (map_value_has_spin_lock(reg->map_ptr)) {
2239                 u32 lock = reg->map_ptr->spin_lock_off;
2240 
2241                 /* if any part of struct bpf_spin_lock can be touched by
2242                  * load/store reject this program.
2243                  * To check that [x1, x2) overlaps with [y1, y2)
2244                  * it is sufficient to check x1 < y2 && y1 < x2.
2245                  */
2246                 if (reg->smin_value + off < lock + sizeof(struct bpf_spin_lock) &&
2247                      lock < reg->umax_value + off + size) {
2248                         verbose(env, "bpf_spin_lock cannot be accessed directly by load/store\n");
2249                         return -EACCES;
2250                 }
2251         }
2252         return err;
2253 }
2254 
2255 #define MAX_PACKET_OFF 0xffff
2256 
2257 static bool may_access_direct_pkt_data(struct bpf_verifier_env *env,
2258                                        const struct bpf_call_arg_meta *meta,
2259                                        enum bpf_access_type t)
2260 {
2261         switch (env->prog->type) {
2262         /* Program types only with direct read access go here! */
2263         case BPF_PROG_TYPE_LWT_IN:
2264         case BPF_PROG_TYPE_LWT_OUT:
2265         case BPF_PROG_TYPE_LWT_SEG6LOCAL:
2266         case BPF_PROG_TYPE_SK_REUSEPORT:
2267         case BPF_PROG_TYPE_FLOW_DISSECTOR:
2268         case BPF_PROG_TYPE_CGROUP_SKB:
2269                 if (t == BPF_WRITE)
2270                         return false;
2271                 /* fallthrough */
2272 
2273         /* Program types with direct read + write access go here! */
2274         case BPF_PROG_TYPE_SCHED_CLS:
2275         case BPF_PROG_TYPE_SCHED_ACT:
2276         case BPF_PROG_TYPE_XDP:
2277         case BPF_PROG_TYPE_LWT_XMIT:
2278         case BPF_PROG_TYPE_SK_SKB:
2279         case BPF_PROG_TYPE_SK_MSG:
2280                 if (meta)
2281                         return meta->pkt_access;
2282 
2283                 env->seen_direct_write = true;
2284                 return true;
2285 
2286         case BPF_PROG_TYPE_CGROUP_SOCKOPT:
2287                 if (t == BPF_WRITE)
2288                         env->seen_direct_write = true;
2289 
2290                 return true;
2291 
2292         default:
2293                 return false;
2294         }
2295 }
2296 
2297 static int __check_packet_access(struct bpf_verifier_env *env, u32 regno,
2298                                  int off, int size, bool zero_size_allowed)
2299 {
2300         struct bpf_reg_state *regs = cur_regs(env);
2301         struct bpf_reg_state *reg = &regs[regno];
2302 
2303         if (off < 0 || size < 0 || (size == 0 && !zero_size_allowed) ||
2304             (u64)off + size > reg->range) {
2305                 verbose(env, "invalid access to packet, off=%d size=%d, R%d(id=%d,off=%d,r=%d)\n",
2306                         off, size, regno, reg->id, reg->off, reg->range);
2307                 return -EACCES;
2308         }
2309         return 0;
2310 }
2311 
2312 static int check_packet_access(struct bpf_verifier_env *env, u32 regno, int off,
2313                                int size, bool zero_size_allowed)
2314 {
2315         struct bpf_reg_state *regs = cur_regs(env);
2316         struct bpf_reg_state *reg = &regs[regno];
2317         int err;
2318 
2319         /* We may have added a variable offset to the packet pointer; but any
2320          * reg->range we have comes after that.  We are only checking the fixed
2321          * offset.
2322          */
2323 
2324         /* We don't allow negative numbers, because we aren't tracking enough
2325          * detail to prove they're safe.
2326          */
2327         if (reg->smin_value < 0) {
2328                 verbose(env, "R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n",
2329                         regno);
2330                 return -EACCES;
2331         }
2332         err = __check_packet_access(env, regno, off, size, zero_size_allowed);
2333         if (err) {
2334                 verbose(env, "R%d offset is outside of the packet\n", regno);
2335                 return err;
2336         }
2337 
2338         /* __check_packet_access has made sure "off + size - 1" is within u16.
2339          * reg->umax_value can't be bigger than MAX_PACKET_OFF which is 0xffff,
2340          * otherwise find_good_pkt_pointers would have refused to set range info
2341          * that __check_packet_access would have rejected this pkt access.
2342          * Therefore, "off + reg->umax_value + size - 1" won't overflow u32.
2343          */
2344         env->prog->aux->max_pkt_offset =
2345                 max_t(u32, env->prog->aux->max_pkt_offset,
2346                       off + reg->umax_value + size - 1);
2347 
2348         return err;
2349 }
2350 
2351 /* check access to 'struct bpf_context' fields.  Supports fixed offsets only */
2352 static int check_ctx_access(struct bpf_verifier_env *env, int insn_idx, int off, int size,
2353                             enum bpf_access_type t, enum bpf_reg_type *reg_type)
2354 {
2355         struct bpf_insn_access_aux info = {
2356                 .reg_type = *reg_type,
2357         };
2358 
2359         if (env->ops->is_valid_access &&
2360             env->ops->is_valid_access(off, size, t, env->prog, &info)) {
2361                 /* A non zero info.ctx_field_size indicates that this field is a
2362                  * candidate for later verifier transformation to load the whole
2363                  * field and then apply a mask when accessed with a narrower
2364                  * access than actual ctx access size. A zero info.ctx_field_size
2365                  * will only allow for whole field access and rejects any other
2366                  * type of narrower access.
2367                  */
2368                 *reg_type = info.reg_type;
2369 
2370                 env->insn_aux_data[insn_idx].ctx_field_size = info.ctx_field_size;
2371                 /* remember the offset of last byte accessed in ctx */
2372                 if (env->prog->aux->max_ctx_offset < off + size)
2373                         env->prog->aux->max_ctx_offset = off + size;
2374                 return 0;
2375         }
2376 
2377         verbose(env, "invalid bpf_context access off=%d size=%d\n", off, size);
2378         return -EACCES;
2379 }
2380 
2381 static int check_flow_keys_access(struct bpf_verifier_env *env, int off,
2382                                   int size)
2383 {
2384         if (size < 0 || off < 0 ||
2385             (u64)off + size > sizeof(struct bpf_flow_keys)) {
2386                 verbose(env, "invalid access to flow keys off=%d size=%d\n",
2387                         off, size);
2388                 return -EACCES;
2389         }
2390         return 0;
2391 }
2392 
2393 static int check_sock_access(struct bpf_verifier_env *env, int insn_idx,
2394                              u32 regno, int off, int size,
2395                              enum bpf_access_type t)
2396 {
2397         struct bpf_reg_state *regs = cur_regs(env);
2398         struct bpf_reg_state *reg = &regs[regno];
2399         struct bpf_insn_access_aux info = {};
2400         bool valid;
2401 
2402         if (reg->smin_value < 0) {
2403                 verbose(env, "R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n",
2404                         regno);
2405                 return -EACCES;
2406         }
2407 
2408         switch (reg->type) {
2409         case PTR_TO_SOCK_COMMON:
2410                 valid = bpf_sock_common_is_valid_access(off, size, t, &info);
2411                 break;
2412         case PTR_TO_SOCKET:
2413                 valid = bpf_sock_is_valid_access(off, size, t, &info);
2414                 break;
2415         case PTR_TO_TCP_SOCK:
2416                 valid = bpf_tcp_sock_is_valid_access(off, size, t, &info);
2417                 break;
2418         case PTR_TO_XDP_SOCK:
2419                 valid = bpf_xdp_sock_is_valid_access(off, size, t, &info);
2420                 break;
2421         default:
2422                 valid = false;
2423         }
2424 
2425 
2426         if (valid) {
2427                 env->insn_aux_data[insn_idx].ctx_field_size =
2428                         info.ctx_field_size;
2429                 return 0;
2430         }
2431 
2432         verbose(env, "R%d invalid %s access off=%d size=%d\n",
2433                 regno, reg_type_str[reg->type], off, size);
2434 
2435         return -EACCES;
2436 }
2437 
2438 static struct bpf_reg_state *reg_state(struct bpf_verifier_env *env, int regno)
2439 {
2440         return cur_regs(env) + regno;
2441 }
2442 
2443 static bool is_pointer_value(struct bpf_verifier_env *env, int regno)
2444 {
2445         return __is_pointer_value(env->allow_ptr_leaks, reg_state(env, regno));
2446 }
2447 
2448 static bool is_ctx_reg(struct bpf_verifier_env *env, int regno)
2449 {
2450         const struct bpf_reg_state *reg = reg_state(env, regno);
2451 
2452         return reg->type == PTR_TO_CTX;
2453 }
2454 
2455 static bool is_sk_reg(struct bpf_verifier_env *env, int regno)
2456 {
2457         const struct bpf_reg_state *reg = reg_state(env, regno);
2458 
2459         return type_is_sk_pointer(reg->type);
2460 }
2461 
2462 static bool is_pkt_reg(struct bpf_verifier_env *env, int regno)
2463 {
2464         const struct bpf_reg_state *reg = reg_state(env, regno);
2465 
2466         return type_is_pkt_pointer(reg->type);
2467 }
2468 
2469 static bool is_flow_key_reg(struct bpf_verifier_env *env, int regno)
2470 {
2471         const struct bpf_reg_state *reg = reg_state(env, regno);
2472 
2473         /* Separate to is_ctx_reg() since we still want to allow BPF_ST here. */
2474         return reg->type == PTR_TO_FLOW_KEYS;
2475 }
2476 
2477 static int check_pkt_ptr_alignment(struct bpf_verifier_env *env,
2478                                    const struct bpf_reg_state *reg,
2479                                    int off, int size, bool strict)
2480 {
2481         struct tnum reg_off;
2482         int ip_align;
2483 
2484         /* Byte size accesses are always allowed. */
2485         if (!strict || size == 1)
2486                 return 0;
2487 
2488         /* For platforms that do not have a Kconfig enabling
2489          * CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS the value of
2490          * NET_IP_ALIGN is universally set to '2'.  And on platforms
2491          * that do set CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS, we get
2492          * to this code only in strict mode where we want to emulate
2493          * the NET_IP_ALIGN==2 checking.  Therefore use an
2494          * unconditional IP align value of '2'.
2495          */
2496         ip_align = 2;
2497 
2498         reg_off = tnum_add(reg->var_off, tnum_const(ip_align + reg->off + off));
2499         if (!tnum_is_aligned(reg_off, size)) {
2500                 char tn_buf[48];
2501 
2502                 tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
2503                 verbose(env,
2504                         "misaligned packet access off %d+%s+%d+%d size %d\n",
2505                         ip_align, tn_buf, reg->off, off, size);
2506                 return -EACCES;
2507         }
2508 
2509         return 0;
2510 }
2511 
2512 static int check_generic_ptr_alignment(struct bpf_verifier_env *env,
2513                                        const struct bpf_reg_state *reg,
2514                                        const char *pointer_desc,
2515                                        int off, int size, bool strict)
2516 {
2517         struct tnum reg_off;
2518 
2519         /* Byte size accesses are always allowed. */
2520         if (!strict || size == 1)
2521                 return 0;
2522 
2523         reg_off = tnum_add(reg->var_off, tnum_const(reg->off + off));
2524         if (!tnum_is_aligned(reg_off, size)) {
2525                 char tn_buf[48];
2526 
2527                 tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
2528                 verbose(env, "misaligned %saccess off %s+%d+%d size %d\n",
2529                         pointer_desc, tn_buf, reg->off, off, size);
2530                 return -EACCES;
2531         }
2532 
2533         return 0;
2534 }
2535 
2536 static int check_ptr_alignment(struct bpf_verifier_env *env,
2537                                const struct bpf_reg_state *reg, int off,
2538                                int size, bool strict_alignment_once)
2539 {
2540         bool strict = env->strict_alignment || strict_alignment_once;
2541         const char *pointer_desc = "";
2542 
2543         switch (reg->type) {
2544         case PTR_TO_PACKET:
2545         case PTR_TO_PACKET_META:
2546                 /* Special case, because of NET_IP_ALIGN. Given metadata sits
2547                  * right in front, treat it the very same way.
2548                  */
2549                 return check_pkt_ptr_alignment(env, reg, off, size, strict);
2550         case PTR_TO_FLOW_KEYS:
2551                 pointer_desc = "flow keys ";
2552                 break;
2553         case PTR_TO_MAP_VALUE:
2554                 pointer_desc = "value ";
2555                 break;
2556         case PTR_TO_CTX:
2557                 pointer_desc = "context ";
2558                 break;
2559         case PTR_TO_STACK:
2560                 pointer_desc = "stack ";
2561                 /* The stack spill tracking logic in check_stack_write()
2562                  * and check_stack_read() relies on stack accesses being
2563                  * aligned.
2564                  */
2565                 strict = true;
2566                 break;
2567         case PTR_TO_SOCKET:
2568                 pointer_desc = "sock ";
2569                 break;
2570         case PTR_TO_SOCK_COMMON:
2571                 pointer_desc = "sock_common ";
2572                 break;
2573         case PTR_TO_TCP_SOCK:
2574                 pointer_desc = "tcp_sock ";
2575                 break;
2576         case PTR_TO_XDP_SOCK:
2577                 pointer_desc = "xdp_sock ";
2578                 break;
2579         default:
2580                 break;
2581         }
2582         return check_generic_ptr_alignment(env, reg, pointer_desc, off, size,
2583                                            strict);
2584 }
2585 
2586 static int update_stack_depth(struct bpf_verifier_env *env,
2587                               const struct bpf_func_state *func,
2588                               int off)
2589 {
2590         u16 stack = env->subprog_info[func->subprogno].stack_depth;
2591 
2592         if (stack >= -off)
2593                 return 0;
2594 
2595         /* update known max for given subprogram */
2596         env->subprog_info[func->subprogno].stack_depth = -off;
2597         return 0;
2598 }
2599 
2600 /* starting from main bpf function walk all instructions of the function
2601  * and recursively walk all callees that given function can call.
2602  * Ignore jump and exit insns.
2603  * Since recursion is prevented by check_cfg() this algorithm
2604  * only needs a local stack of MAX_CALL_FRAMES to remember callsites
2605  */
2606 static int check_max_stack_depth(struct bpf_verifier_env *env)
2607 {
2608         int depth = 0, frame = 0, idx = 0, i = 0, subprog_end;
2609         struct bpf_subprog_info *subprog = env->subprog_info;
2610         struct bpf_insn *insn = env->prog->insnsi;
2611         int ret_insn[MAX_CALL_FRAMES];
2612         int ret_prog[MAX_CALL_FRAMES];
2613 
2614 process_func:
2615         /* round up to 32-bytes, since this is granularity
2616          * of interpreter stack size
2617          */
2618         depth += round_up(max_t(u32, subprog[idx].stack_depth, 1), 32);
2619         if (depth > MAX_BPF_STACK) {
2620                 verbose(env, "combined stack size of %d calls is %d. Too large\n",
2621                         frame + 1, depth);
2622                 return -EACCES;
2623         }
2624 continue_func:
2625         subprog_end = subprog[idx + 1].start;
2626         for (; i < subprog_end; i++) {
2627                 if (insn[i].code != (BPF_JMP | BPF_CALL))
2628                         continue;
2629                 if (insn[i].src_reg != BPF_PSEUDO_CALL)
2630                         continue;
2631                 /* remember insn and function to return to */
2632                 ret_insn[frame] = i + 1;
2633                 ret_prog[frame] = idx;
2634 
2635                 /* find the callee */
2636                 i = i + insn[i].imm + 1;
2637                 idx = find_subprog(env, i);
2638                 if (idx < 0) {
2639                         WARN_ONCE(1, "verifier bug. No program starts at insn %d\n",
2640                                   i);
2641                         return -EFAULT;
2642                 }
2643                 frame++;
2644                 if (frame >= MAX_CALL_FRAMES) {
2645                         verbose(env, "the call stack of %d frames is too deep !\n",
2646                                 frame);
2647                         return -E2BIG;
2648                 }
2649                 goto process_func;
2650         }
2651         /* end of for() loop means the last insn of the 'subprog'
2652          * was reached. Doesn't matter whether it was JA or EXIT
2653          */
2654         if (frame == 0)
2655                 return 0;
2656         depth -= round_up(max_t(u32, subprog[idx].stack_depth, 1), 32);
2657         frame--;
2658         i = ret_insn[frame];
2659         idx = ret_prog[frame];
2660         goto continue_func;
2661 }
2662 
2663 #ifndef CONFIG_BPF_JIT_ALWAYS_ON
2664 static int get_callee_stack_depth(struct bpf_verifier_env *env,
2665                                   const struct bpf_insn *insn, int idx)
2666 {
2667         int start = idx + insn->imm + 1, subprog;
2668 
2669         subprog = find_subprog(env, start);
2670         if (subprog < 0) {
2671                 WARN_ONCE(1, "verifier bug. No program starts at insn %d\n",
2672                           start);
2673                 return -EFAULT;
2674         }
2675         return env->subprog_info[subprog].stack_depth;
2676 }
2677 #endif
2678 
2679 static int check_ctx_reg(struct bpf_verifier_env *env,
2680                          const struct bpf_reg_state *reg, int regno)
2681 {
2682         /* Access to ctx or passing it to a helper is only allowed in
2683          * its original, unmodified form.
2684          */
2685 
2686         if (reg->off) {
2687                 verbose(env, "dereference of modified ctx ptr R%d off=%d disallowed\n",
2688                         regno, reg->off);
2689                 return -EACCES;
2690         }
2691 
2692         if (!tnum_is_const(reg->var_off) || reg->var_off.value) {
2693                 char tn_buf[48];
2694 
2695                 tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
2696                 verbose(env, "variable ctx access var_off=%s disallowed\n", tn_buf);
2697                 return -EACCES;
2698         }
2699 
2700         return 0;
2701 }
2702 
2703 static int check_tp_buffer_access(struct bpf_verifier_env *env,
2704                                   const struct bpf_reg_state *reg,
2705                                   int regno, int off, int size)
2706 {
2707         if (off < 0) {
2708                 verbose(env,
2709                         "R%d invalid tracepoint buffer access: off=%d, size=%d",
2710                         regno, off, size);
2711                 return -EACCES;
2712         }
2713         if (!tnum_is_const(reg->var_off) || reg->var_off.value) {
2714                 char tn_buf[48];
2715 
2716                 tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
2717                 verbose(env,
2718                         "R%d invalid variable buffer offset: off=%d, var_off=%s",
2719                         regno, off, tn_buf);
2720                 return -EACCES;
2721         }
2722         if (off + size > env->prog->aux->max_tp_access)
2723                 env->prog->aux->max_tp_access = off + size;
2724 
2725         return 0;
2726 }
2727 
2728 
2729 /* truncate register to smaller size (in bytes)
2730  * must be called with size < BPF_REG_SIZE
2731  */
2732 static void coerce_reg_to_size(struct bpf_reg_state *reg, int size)
2733 {
2734         u64 mask;
2735 
2736         /* clear high bits in bit representation */
2737         reg->var_off = tnum_cast(reg->var_off, size);
2738 
2739         /* fix arithmetic bounds */
2740         mask = ((u64)1 << (size * 8)) - 1;
2741         if ((reg->umin_value & ~mask) == (reg->umax_value & ~mask)) {
2742                 reg->umin_value &= mask;
2743                 reg->umax_value &= mask;
2744         } else {
2745                 reg->umin_value = 0;
2746                 reg->umax_value = mask;
2747         }
2748         reg->smin_value = reg->umin_value;
2749         reg->smax_value = reg->umax_value;
2750 }
2751 
2752 /* check whether memory at (regno + off) is accessible for t = (read | write)
2753  * if t==write, value_regno is a register which value is stored into memory
2754  * if t==read, value_regno is a register which will receive the value from memory
2755  * if t==write && value_regno==-1, some unknown value is stored into memory
2756  * if t==read && value_regno==-1, don't care what we read from memory
2757  */
2758 static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regno,
2759                             int off, int bpf_size, enum bpf_access_type t,
2760                             int value_regno, bool strict_alignment_once)
2761 {
2762         struct bpf_reg_state *regs = cur_regs(env);
2763         struct bpf_reg_state *reg = regs + regno;
2764         struct bpf_func_state *state;
2765         int size, err = 0;
2766 
2767         size = bpf_size_to_bytes(bpf_size);
2768         if (size < 0)
2769                 return size;
2770 
2771         /* alignment checks will add in reg->off themselves */
2772         err = check_ptr_alignment(env, reg, off, size, strict_alignment_once);
2773         if (err)
2774                 return err;
2775 
2776         /* for access checks, reg->off is just part of off */
2777         off += reg->off;
2778 
2779         if (reg->type == PTR_TO_MAP_VALUE) {
2780                 if (t == BPF_WRITE && value_regno >= 0 &&
2781                     is_pointer_value(env, value_regno)) {
2782                         verbose(env, "R%d leaks addr into map\n", value_regno);
2783                         return -EACCES;
2784                 }
2785                 err = check_map_access_type(env, regno, off, size, t);
2786                 if (err)
2787                         return err;
2788                 err = check_map_access(env, regno, off, size, false);
2789                 if (!err && t == BPF_READ && value_regno >= 0)
2790                         mark_reg_unknown(env, regs, value_regno);
2791 
2792         } else if (reg->type == PTR_TO_CTX) {
2793                 enum bpf_reg_type reg_type = SCALAR_VALUE;
2794 
2795                 if (t == BPF_WRITE && value_regno >= 0 &&
2796                     is_pointer_value(env, value_regno)) {
2797                         verbose(env, "R%d leaks addr into ctx\n", value_regno);
2798                         return -EACCES;
2799                 }
2800 
2801                 err = check_ctx_reg(env, reg, regno);
2802                 if (err < 0)
2803                         return err;
2804 
2805                 err = check_ctx_access(env, insn_idx, off, size, t, &reg_type);
2806                 if (!err && t == BPF_READ && value_regno >= 0) {
2807                         /* ctx access returns either a scalar, or a
2808                          * PTR_TO_PACKET[_META,_END]. In the latter
2809                          * case, we know the offset is zero.
2810                          */
2811                         if (reg_type == SCALAR_VALUE) {
2812                                 mark_reg_unknown(env, regs, value_regno);
2813                         } else {
2814                                 mark_reg_known_zero(env, regs,
2815                                                     value_regno);
2816                                 if (reg_type_may_be_null(reg_type))
2817                                         regs[value_regno].id = ++env->id_gen;
2818                                 /* A load of ctx field could have different
2819                                  * actual load size with the one encoded in the
2820                                  * insn. When the dst is PTR, it is for sure not
2821                                  * a sub-register.
2822                                  */
2823                                 regs[value_regno].subreg_def = DEF_NOT_SUBREG;
2824                         }
2825                         regs[value_regno].type = reg_type;
2826                 }
2827 
2828         } else if (reg->type == PTR_TO_STACK) {
2829                 off += reg->var_off.value;
2830                 err = check_stack_access(env, reg, off, size);
2831                 if (err)
2832                         return err;
2833 
2834                 state = func(env, reg);
2835                 err = update_stack_depth(env, state, off);
2836                 if (err)
2837                         return err;
2838 
2839                 if (t == BPF_WRITE)
2840                         err = check_stack_write(env, state, off, size,
2841                                                 value_regno, insn_idx);
2842                 else
2843                         err = check_stack_read(env, state, off, size,
2844                                                value_regno);
2845         } else if (reg_is_pkt_pointer(reg)) {
2846                 if (t == BPF_WRITE && !may_access_direct_pkt_data(env, NULL, t)) {
2847                         verbose(env, "cannot write into packet\n");
2848                         return -EACCES;
2849                 }
2850                 if (t == BPF_WRITE && value_regno >= 0 &&
2851                     is_pointer_value(env, value_regno)) {
2852                         verbose(env, "R%d leaks addr into packet\n",
2853                                 value_regno);
2854                         return -EACCES;
2855                 }
2856                 err = check_packet_access(env, regno, off, size, false);
2857                 if (!err && t == BPF_READ && value_regno >= 0)
2858                         mark_reg_unknown(env, regs, value_regno);
2859         } else if (reg->type == PTR_TO_FLOW_KEYS) {
2860                 if (t == BPF_WRITE && value_regno >= 0 &&
2861                     is_pointer_value(env, value_regno)) {
2862                         verbose(env, "R%d leaks addr into flow keys\n",
2863                                 value_regno);
2864                         return -EACCES;
2865                 }
2866 
2867                 err = check_flow_keys_access(env, off, size);
2868                 if (!err && t == BPF_READ && value_regno >= 0)
2869                         mark_reg_unknown(env, regs, value_regno);
2870         } else if (type_is_sk_pointer(reg->type)) {
2871                 if (t == BPF_WRITE) {
2872                         verbose(env, "R%d cannot write into %s\n",
2873                                 regno, reg_type_str[reg->type]);
2874                         return -EACCES;
2875                 }
2876                 err = check_sock_access(env, insn_idx, regno, off, size, t);
2877                 if (!err && value_regno >= 0)
2878                         mark_reg_unknown(env, regs, value_regno);
2879         } else if (reg->type == PTR_TO_TP_BUFFER) {
2880                 err = check_tp_buffer_access(env, reg, regno, off, size);
2881                 if (!err && t == BPF_READ && value_regno >= 0)
2882                         mark_reg_unknown(env, regs, value_regno);
2883         } else {
2884                 verbose(env, "R%d invalid mem access '%s'\n", regno,
2885                         reg_type_str[reg->type]);
2886                 return -EACCES;
2887         }
2888 
2889         if (!err && size < BPF_REG_SIZE && value_regno >= 0 && t == BPF_READ &&
2890             regs[value_regno].type == SCALAR_VALUE) {
2891                 /* b/h/w load zero-extends, mark upper bits as known 0 */
2892                 coerce_reg_to_size(&regs[value_regno], size);
2893         }
2894         return err;
2895 }
2896 
2897 static int check_xadd(struct bpf_verifier_env *env, int insn_idx, struct bpf_insn *insn)
2898 {
2899         int err;
2900 
2901         if ((BPF_SIZE(insn->code) != BPF_W && BPF_SIZE(insn->code) != BPF_DW) ||
2902             insn->imm != 0) {
2903                 verbose(env, "BPF_XADD uses reserved fields\n");
2904                 return -EINVAL;
2905         }
2906 
2907         /* check src1 operand */
2908         err = check_reg_arg(env, insn->src_reg, SRC_OP);
2909         if (err)
2910                 return err;
2911 
2912         /* check src2 operand */
2913         err = check_reg_arg(env, insn->dst_reg, SRC_OP);
2914         if (err)
2915                 return err;
2916 
2917         if (is_pointer_value(env, insn->src_reg)) {
2918                 verbose(env, "R%d leaks addr into mem\n", insn->src_reg);
2919                 return -EACCES;
2920         }
2921 
2922         if (is_ctx_reg(env, insn->dst_reg) ||
2923             is_pkt_reg(env, insn->dst_reg) ||
2924             is_flow_key_reg(env, insn->dst_reg) ||
2925             is_sk_reg(env, insn->dst_reg)) {
2926                 verbose(env, "BPF_XADD stores into R%d %s is not allowed\n",
2927                         insn->dst_reg,
2928                         reg_type_str[reg_state(env, insn->dst_reg)->type]);
2929                 return -EACCES;
2930         }
2931 
2932         /* check whether atomic_add can read the memory */
2933         err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off,
2934                                BPF_SIZE(insn->code), BPF_READ, -1, true);
2935         if (err)
2936                 return err;
2937 
2938         /* check whether atomic_add can write into the same memory */
2939         return check_mem_access(env, insn_idx, insn->dst_reg, insn->off,
2940                                 BPF_SIZE(insn->code), BPF_WRITE, -1, true);
2941 }
2942 
2943 static int __check_stack_boundary(struct bpf_verifier_env *env, u32 regno,
2944                                   int off, int access_size,
2945                                   bool zero_size_allowed)
2946 {
2947         struct bpf_reg_state *reg = reg_state(env, regno);
2948 
2949         if (off >= 0 || off < -MAX_BPF_STACK || off + access_size > 0 ||
2950             access_size < 0 || (access_size == 0 && !zero_size_allowed)) {
2951                 if (tnum_is_const(reg->var_off)) {
2952                         verbose(env, "invalid stack type R%d off=%d access_size=%d\n",
2953                                 regno, off, access_size);
2954                 } else {
2955                         char tn_buf[48];
2956 
2957                         tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
2958                         verbose(env, "invalid stack type R%d var_off=%s access_size=%d\n",
2959                                 regno, tn_buf, access_size);
2960                 }
2961                 return -EACCES;
2962         }
2963         return 0;
2964 }
2965 
2966 /* when register 'regno' is passed into function that will read 'access_size'
2967  * bytes from that pointer, make sure that it's within stack boundary
2968  * and all elements of stack are initialized.
2969  * Unlike most pointer bounds-checking functions, this one doesn't take an
2970  * 'off' argument, so it has to add in reg->off itself.
2971  */
2972 static int check_stack_boundary(struct bpf_verifier_env *env, int regno,
2973                                 int access_size, bool zero_size_allowed,
2974                                 struct bpf_call_arg_meta *meta)
2975 {
2976         struct bpf_reg_state *reg = reg_state(env, regno);
2977         struct bpf_func_state *state = func(env, reg);
2978         int err, min_off, max_off, i, j, slot, spi;
2979 
2980         if (reg->type != PTR_TO_STACK) {
2981                 /* Allow zero-byte read from NULL, regardless of pointer type */
2982                 if (zero_size_allowed && access_size == 0 &&
2983                     register_is_null(reg))
2984                         return 0;
2985 
2986                 verbose(env, "R%d type=%s expected=%s\n", regno,
2987                         reg_type_str[reg->type],
2988                         reg_type_str[PTR_TO_STACK]);
2989                 return -EACCES;
2990         }
2991 
2992         if (tnum_is_const(reg->var_off)) {
2993                 min_off = max_off = reg->var_off.value + reg->off;
2994                 err = __check_stack_boundary(env, regno, min_off, access_size,
2995                                              zero_size_allowed);
2996                 if (err)
2997                         return err;
2998         } else {
2999                 /* Variable offset is prohibited for unprivileged mode for
3000                  * simplicity since it requires corresponding support in
3001                  * Spectre masking for stack ALU.
3002                  * See also retrieve_ptr_limit().
3003                  */
3004                 if (!env->allow_ptr_leaks) {
3005                         char tn_buf[48];
3006 
3007                         tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
3008                         verbose(env, "R%d indirect variable offset stack access prohibited for !root, var_off=%s\n",
3009                                 regno, tn_buf);
3010                         return -EACCES;
3011                 }
3012                 /* Only initialized buffer on stack is allowed to be accessed
3013                  * with variable offset. With uninitialized buffer it's hard to
3014                  * guarantee that whole memory is marked as initialized on
3015                  * helper return since specific bounds are unknown what may
3016                  * cause uninitialized stack leaking.
3017                  */
3018                 if (meta && meta->raw_mode)
3019                         meta = NULL;
3020 
3021                 if (reg->smax_value >= BPF_MAX_VAR_OFF ||
3022                     reg->smax_value <= -BPF_MAX_VAR_OFF) {
3023                         verbose(env, "R%d unbounded indirect variable offset stack access\n",
3024                                 regno);
3025                         return -EACCES;
3026                 }
3027                 min_off = reg->smin_value + reg->off;
3028                 max_off = reg->smax_value + reg->off;
3029                 err = __check_stack_boundary(env, regno, min_off, access_size,
3030                                              zero_size_allowed);
3031                 if (err) {
3032                         verbose(env, "R%d min value is outside of stack bound\n",
3033                                 regno);
3034                         return err;
3035                 }
3036                 err = __check_stack_boundary(env, regno, max_off, access_size,
3037                                              zero_size_allowed);
3038                 if (err) {
3039                         verbose(env, "R%d max value is outside of stack bound\n",
3040                                 regno);
3041                         return err;
3042                 }
3043         }
3044 
3045         if (meta && meta->raw_mode) {
3046                 meta->access_size = access_size;
3047                 meta->regno = regno;
3048                 return 0;
3049         }
3050 
3051         for (i = min_off; i < max_off + access_size; i++) {
3052                 u8 *stype;
3053 
3054                 slot = -i - 1;
3055                 spi = slot / BPF_REG_SIZE;
3056                 if (state->allocated_stack <= slot)
3057                         goto err;
3058                 stype = &state->stack[spi].slot_type[slot % BPF_REG_SIZE];
3059                 if (*stype == STACK_MISC)
3060                         goto mark;
3061                 if (*stype == STACK_ZERO) {
3062                         /* helper can write anything into the stack */
3063                         *stype = STACK_MISC;
3064                         goto mark;
3065                 }
3066                 if (state->stack[spi].slot_type[0] == STACK_SPILL &&
3067                     state->stack[spi].spilled_ptr.type == SCALAR_VALUE) {
3068                         __mark_reg_unknown(env, &state->stack[spi].spilled_ptr);
3069                         for (j = 0; j < BPF_REG_SIZE; j++)
3070                                 state->stack[spi].slot_type[j] = STACK_MISC;
3071                         goto mark;
3072                 }
3073 
3074 err:
3075                 if (tnum_is_const(reg->var_off)) {
3076                         verbose(env, "invalid indirect read from stack off %d+%d size %d\n",
3077                                 min_off, i - min_off, access_size);
3078                 } else {
3079                         char tn_buf[48];
3080 
3081                         tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
3082                         verbose(env, "invalid indirect read from stack var_off %s+%d size %d\n",
3083                                 tn_buf, i - min_off, access_size);
3084                 }
3085                 return -EACCES;
3086 mark:
3087                 /* reading any byte out of 8-byte 'spill_slot' will cause
3088                  * the whole slot to be marked as 'read'
3089                  */
3090                 mark_reg_read(env, &state->stack[spi].spilled_ptr,
3091                               state->stack[spi].spilled_ptr.parent,
3092                               REG_LIVE_READ64);
3093         }
3094         return update_stack_depth(env, state, min_off);
3095 }
3096 
3097 static int check_helper_mem_access(struct bpf_verifier_env *env, int regno,
3098                                    int access_size, bool zero_size_allowed,
3099                                    struct bpf_call_arg_meta *meta)
3100 {
3101         struct bpf_reg_state *regs = cur_regs(env), *reg = &regs[regno];
3102 
3103         switch (reg->type) {
3104         case PTR_TO_PACKET:
3105         case PTR_TO_PACKET_META:
3106                 return check_packet_access(env, regno, reg->off, access_size,
3107                                            zero_size_allowed);
3108         case PTR_TO_MAP_VALUE:
3109                 if (check_map_access_type(env, regno, reg->off, access_size,
3110                                           meta && meta->raw_mode ? BPF_WRITE :
3111                                           BPF_READ))
3112                         return -EACCES;
3113                 return check_map_access(env, regno, reg->off, access_size,
3114                                         zero_size_allowed);
3115         default: /* scalar_value|ptr_to_stack or invalid ptr */
3116                 return check_stack_boundary(env, regno, access_size,
3117                                             zero_size_allowed, meta);
3118         }
3119 }
3120 
3121 /* Implementation details:
3122  * bpf_map_lookup returns PTR_TO_MAP_VALUE_OR_NULL
3123  * Two bpf_map_lookups (even with the same key) will have different reg->id.
3124  * For traditional PTR_TO_MAP_VALUE the verifier clears reg->id after
3125  * value_or_null->value transition, since the verifier only cares about
3126  * the range of access to valid map value pointer and doesn't care about actual
3127  * address of the map element.
3128  * For maps with 'struct bpf_spin_lock' inside map value the verifier keeps
3129  * reg->id > 0 after value_or_null->value transition. By doing so
3130  * two bpf_map_lookups will be considered two different pointers that
3131  * point to different bpf_spin_locks.
3132  * The verifier allows taking only one bpf_spin_lock at a time to avoid
3133  * dead-locks.
3134  * Since only one bpf_spin_lock is allowed the checks are simpler than
3135  * reg_is_refcounted() logic. The verifier needs to remember only
3136  * one spin_lock instead of array of acquired_refs.
3137  * cur_state->active_spin_lock remembers which map value element got locked
3138  * and clears it after bpf_spin_unlock.
3139  */
3140 static int process_spin_lock(struct bpf_verifier_env *env, int regno,
3141                              bool is_lock)
3142 {
3143         struct bpf_reg_state *regs = cur_regs(env), *reg = &regs[regno];
3144         struct bpf_verifier_state *cur = env->cur_state;
3145         bool is_const = tnum_is_const(reg->var_off);
3146         struct bpf_map *map = reg->map_ptr;
3147         u64 val = reg->var_off.value;
3148 
3149         if (reg->type != PTR_TO_MAP_VALUE) {
3150                 verbose(env, "R%d is not a pointer to map_value\n", regno);
3151                 return -EINVAL;
3152         }
3153         if (!is_const) {
3154                 verbose(env,
3155                         "R%d doesn't have constant offset. bpf_spin_lock has to be at the constant offset\n",
3156                         regno);
3157                 return -EINVAL;
3158         }
3159         if (!map->btf) {
3160                 verbose(env,
3161                         "map '%s' has to have BTF in order to use bpf_spin_lock\n",
3162                         map->name);
3163                 return -EINVAL;
3164         }
3165         if (!map_value_has_spin_lock(map)) {
3166                 if (map->spin_lock_off == -E2BIG)
3167                         verbose(env,
3168                                 "map '%s' has more than one 'struct bpf_spin_lock'\n",
3169                                 map->name);
3170                 else if (map->spin_lock_off == -ENOENT)
3171                         verbose(env,
3172                                 "map '%s' doesn't have 'struct bpf_spin_lock'\n",
3173                                 map->name);
3174                 else
3175                         verbose(env,
3176                                 "map '%s' is not a struct type or bpf_spin_lock is mangled\n",
3177                                 map->name);
3178                 return -EINVAL;
3179         }
3180         if (map->spin_lock_off != val + reg->off) {
3181                 verbose(env, "off %lld doesn't point to 'struct bpf_spin_lock'\n",
3182                         val + reg->off);
3183                 return -EINVAL;
3184         }
3185         if (is_lock) {
3186                 if (cur->active_spin_lock) {
3187                         verbose(env,
3188                                 "Locking two bpf_spin_locks are not allowed\n");
3189                         return -EINVAL;
3190                 }
3191                 cur->active_spin_lock = reg->id;
3192         } else {
3193                 if (!cur->active_spin_lock) {
3194                         verbose(env, "bpf_spin_unlock without taking a lock\n");
3195                         return -EINVAL;
3196                 }
3197                 if (cur->active_spin_lock != reg->id) {
3198                         verbose(env, "bpf_spin_unlock of different lock\n");
3199                         return -EINVAL;
3200                 }
3201                 cur->active_spin_lock = 0;
3202         }
3203         return 0;
3204 }
3205 
3206 static bool arg_type_is_mem_ptr(enum bpf_arg_type type)
3207 {
3208         return type == ARG_PTR_TO_MEM ||
3209                type == ARG_PTR_TO_MEM_OR_NULL ||
3210                type == ARG_PTR_TO_UNINIT_MEM;
3211 }
3212 
3213 static bool arg_type_is_mem_size(enum bpf_arg_type type)
3214 {
3215         return type == ARG_CONST_SIZE ||
3216                type == ARG_CONST_SIZE_OR_ZERO;
3217 }
3218 
3219 static bool arg_type_is_int_ptr(enum bpf_arg_type type)
3220 {
3221         return type == ARG_PTR_TO_INT ||
3222                type == ARG_PTR_TO_LONG;
3223 }
3224 
3225 static int int_ptr_type_to_size(enum bpf_arg_type type)
3226 {
3227         if (type == ARG_PTR_TO_INT)
3228                 return sizeof(u32);
3229         else if (type == ARG_PTR_TO_LONG)
3230                 return sizeof(u64);
3231 
3232         return -EINVAL;
3233 }
3234 
3235 static int check_func_arg(struct bpf_verifier_env *env, u32 regno,
3236                           enum bpf_arg_type arg_type,
3237                           struct bpf_call_arg_meta *meta)
3238 {
3239         struct bpf_reg_state *regs = cur_regs(env), *reg = &regs[regno];
3240         enum bpf_reg_type expected_type, type = reg->type;
3241         int err = 0;
3242 
3243         if (arg_type == ARG_DONTCARE)
3244                 return 0;
3245 
3246         err = check_reg_arg(env, regno, SRC_OP);
3247         if (err)
3248                 return err;
3249 
3250         if (arg_type == ARG_ANYTHING) {
3251                 if (is_pointer_value(env, regno)) {
3252                         verbose(env, "R%d leaks addr into helper function\n",
3253                                 regno);
3254                         return -EACCES;
3255                 }
3256                 return 0;
3257         }
3258 
3259         if (type_is_pkt_pointer(type) &&
3260             !may_access_direct_pkt_data(env, meta, BPF_READ)) {
3261                 verbose(env, "helper access to the packet is not allowed\n");
3262                 return -EACCES;
3263         }
3264 
3265         if (arg_type == ARG_PTR_TO_MAP_KEY ||
3266             arg_type == ARG_PTR_TO_MAP_VALUE ||
3267             arg_type == ARG_PTR_TO_UNINIT_MAP_VALUE ||
3268             arg_type == ARG_PTR_TO_MAP_VALUE_OR_NULL) {
3269                 expected_type = PTR_TO_STACK;
3270                 if (register_is_null(reg) &&
3271                     arg_type == ARG_PTR_TO_MAP_VALUE_OR_NULL)
3272                         /* final test in check_stack_boundary() */;
3273                 else if (!type_is_pkt_pointer(type) &&
3274                          type != PTR_TO_MAP_VALUE &&
3275                          type != expected_type)
3276                         goto err_type;
3277         } else if (arg_type == ARG_CONST_SIZE ||
3278                    arg_type == ARG_CONST_SIZE_OR_ZERO) {
3279                 expected_type = SCALAR_VALUE;
3280                 if (type != expected_type)
3281                         goto err_type;
3282         } else if (arg_type == ARG_CONST_MAP_PTR) {
3283                 expected_type = CONST_PTR_TO_MAP;
3284                 if (type != expected_type)
3285                         goto err_type;
3286         } else if (arg_type == ARG_PTR_TO_CTX) {
3287                 expected_type = PTR_TO_CTX;
3288                 if (type != expected_type)
3289                         goto err_type;
3290                 err = check_ctx_reg(env, reg, regno);
3291                 if (err < 0)
3292                         return err;
3293         } else if (arg_type == ARG_PTR_TO_SOCK_COMMON) {
3294                 expected_type = PTR_TO_SOCK_COMMON;
3295                 /* Any sk pointer can be ARG_PTR_TO_SOCK_COMMON */
3296                 if (!type_is_sk_pointer(type))
3297                         goto err_type;
3298                 if (reg->ref_obj_id) {
3299                         if (meta->ref_obj_id) {
3300                                 verbose(env, "verifier internal error: more than one arg with ref_obj_id R%d %u %u\n",
3301                                         regno, reg->ref_obj_id,
3302                                         meta->ref_obj_id);
3303                                 return -EFAULT;
3304                         }
3305                         meta->ref_obj_id = reg->ref_obj_id;
3306                 }
3307         } else if (arg_type == ARG_PTR_TO_SOCKET) {
3308                 expected_type = PTR_TO_SOCKET;
3309                 if (type != expected_type)
3310                         goto err_type;
3311         } else if (arg_type == ARG_PTR_TO_SPIN_LOCK) {
3312                 if (meta->func_id == BPF_FUNC_spin_lock) {
3313                         if (process_spin_lock(env, regno, true))
3314                                 return -EACCES;
3315                 } else if (meta->func_id == BPF_FUNC_spin_unlock) {
3316                         if (process_spin_lock(env, regno, false))
3317                                 return -EACCES;
3318                 } else {
3319                         verbose(env, "verifier internal error\n");
3320                         return -EFAULT;
3321                 }
3322         } else if (arg_type_is_mem_ptr(arg_type)) {
3323                 expected_type = PTR_TO_STACK;
3324                 /* One exception here. In case function allows for NULL to be
3325                  * passed in as argument, it's a SCALAR_VALUE type. Final test
3326                  * happens during stack boundary checking.
3327                  */
3328                 if (register_is_null(reg) &&
3329                     arg_type == ARG_PTR_TO_MEM_OR_NULL)
3330                         /* final test in check_stack_boundary() */;
3331                 else if (!type_is_pkt_pointer(type) &&
3332                          type != PTR_TO_MAP_VALUE &&
3333                          type != expected_type)
3334                         goto err_type;
3335                 meta->raw_mode = arg_type == ARG_PTR_TO_UNINIT_MEM;
3336         } else if (arg_type_is_int_ptr(arg_type)) {
3337                 expected_type = PTR_TO_STACK;
3338                 if (!type_is_pkt_pointer(type) &&
3339                     type != PTR_TO_MAP_VALUE &&
3340                     type != expected_type)
3341                         goto err_type;
3342         } else {
3343                 verbose(env, "unsupported arg_type %d\n", arg_type);
3344                 return -EFAULT;
3345         }
3346 
3347         if (arg_type == ARG_CONST_MAP_PTR) {
3348                 /* bpf_map_xxx(map_ptr) call: remember that map_ptr */
3349                 meta->map_ptr = reg->map_ptr;
3350         } else if (arg_type == ARG_PTR_TO_MAP_KEY) {
3351                 /* bpf_map_xxx(..., map_ptr, ..., key) call:
3352                  * check that [key, key + map->key_size) are within
3353                  * stack limits and initialized
3354                  */
3355                 if (!meta->map_ptr) {
3356                         /* in function declaration map_ptr must come before
3357                          * map_key, so that it's verified and known before
3358                          * we have to check map_key here. Otherwise it means
3359                          * that kernel subsystem misconfigured verifier
3360                          */
3361                         verbose(env, "invalid map_ptr to access map->key\n");
3362                         return -EACCES;
3363                 }
3364                 err = check_helper_mem_access(env, regno,
3365                                               meta->map_ptr->key_size, false,
3366                                               NULL);
3367         } else if (arg_type == ARG_PTR_TO_MAP_VALUE ||
3368                    (arg_type == ARG_PTR_TO_MAP_VALUE_OR_NULL &&
3369                     !register_is_null(reg)) ||
3370                    arg_type == ARG_PTR_TO_UNINIT_MAP_VALUE) {
3371                 /* bpf_map_xxx(..., map_ptr, ..., value) call:
3372                  * check [value, value + map->value_size) validity
3373                  */
3374                 if (!meta->map_ptr) {
3375                         /* kernel subsystem misconfigured verifier */
3376                         verbose(env, "invalid map_ptr to access map->value\n");
3377                         return -EACCES;
3378                 }
3379                 meta->raw_mode = (arg_type == ARG_PTR_TO_UNINIT_MAP_VALUE);
3380                 err = check_helper_mem_access(env, regno,
3381                                               meta->map_ptr->value_size, false,
3382                                               meta);
3383         } else if (arg_type_is_mem_size(arg_type)) {
3384                 bool zero_size_allowed = (arg_type == ARG_CONST_SIZE_OR_ZERO);
3385 
3386                 /* remember the mem_size which may be used later
3387                  * to refine return values.
3388                  */
3389                 meta->msize_max_value = reg->umax_value;
3390 
3391                 /* The register is SCALAR_VALUE; the access check
3392                  * happens using its boundaries.
3393                  */
3394                 if (!tnum_is_const(reg->var_off))
3395                         /* For unprivileged variable accesses, disable raw
3396                          * mode so that the program is required to
3397                          * initialize all the memory that the helper could
3398                          * just partially fill up.
3399                          */
3400                         meta = NULL;
3401 
3402                 if (reg->smin_value < 0) {
3403                         verbose(env, "R%d min value is negative, either use unsigned or 'var &= const'\n",
3404                                 regno);
3405                         return -EACCES;
3406                 }
3407 
3408                 if (reg->umin_value == 0) {
3409                         err = check_helper_mem_access(env, regno - 1, 0,
3410                                                       zero_size_allowed,
3411                                                       meta);
3412                         if (err)
3413                                 return err;
3414                 }
3415 
3416                 if (reg->umax_value >= BPF_MAX_VAR_SIZ) {
3417                         verbose(env, "R%d unbounded memory access, use 'var &= const' or 'if (var < const)'\n",
3418                                 regno);
3419                         return -EACCES;
3420                 }
3421                 err = check_helper_mem_access(env, regno - 1,
3422                                               reg->umax_value,
3423                                               zero_size_allowed, meta);
3424                 if (!err)
3425                         err = mark_chain_precision(env, regno);
3426         } else if (arg_type_is_int_ptr(arg_type)) {
3427                 int size = int_ptr_type_to_size(arg_type);
3428 
3429                 err = check_helper_mem_access(env, regno, size, false, meta);
3430                 if (err)
3431                         return err;
3432                 err = check_ptr_alignment(env, reg, 0, size, true);
3433         }
3434 
3435         return err;
3436 err_type:
3437         verbose(env, "R%d type=%s expected=%s\n", regno,
3438                 reg_type_str[type], reg_type_str[expected_type]);
3439         return -EACCES;
3440 }
3441 
3442 static int check_map_func_compatibility(struct bpf_verifier_env *env,
3443                                         struct bpf_map *map, int func_id)
3444 {
3445         if (!map)
3446                 return 0;
3447 
3448         /* We need a two way check, first is from map perspective ... */
3449         switch (map->map_type) {
3450         case BPF_MAP_TYPE_PROG_ARRAY:
3451                 if (func_id != BPF_FUNC_tail_call)
3452                         goto error;
3453                 break;
3454         case BPF_MAP_TYPE_PERF_EVENT_ARRAY:
3455                 if (func_id != BPF_FUNC_perf_event_read &&
3456                     func_id != BPF_FUNC_perf_event_output &&
3457                     func_id != BPF_FUNC_perf_event_read_value)
3458                         goto error;
3459                 break;
3460         case BPF_MAP_TYPE_STACK_TRACE:
3461                 if (func_id != BPF_FUNC_get_stackid)
3462                         goto error;
3463                 break;
3464         case BPF_MAP_TYPE_CGROUP_ARRAY:
3465                 if (func_id != BPF_FUNC_skb_under_cgroup &&
3466                     func_id != BPF_FUNC_current_task_under_cgroup)
3467                         goto error;
3468                 break;
3469         case BPF_MAP_TYPE_CGROUP_STORAGE:
3470         case BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE:
3471                 if (func_id != BPF_FUNC_get_local_storage)
3472                         goto error;
3473                 break;
3474         case BPF_MAP_TYPE_DEVMAP:
3475         case BPF_MAP_TYPE_DEVMAP_HASH:
3476                 if (func_id != BPF_FUNC_redirect_map &&
3477                     func_id != BPF_FUNC_map_lookup_elem)
3478                         goto error;
3479                 break;
3480         /* Restrict bpf side of cpumap and xskmap, open when use-cases
3481          * appear.
3482          */
3483         case BPF_MAP_TYPE_CPUMAP:
3484                 if (func_id != BPF_FUNC_redirect_map)
3485                         goto error;
3486                 break;
3487         case BPF_MAP_TYPE_XSKMAP:
3488                 if (func_id != BPF_FUNC_redirect_map &&
3489                     func_id != BPF_FUNC_map_lookup_elem)
3490                         goto error;
3491                 break;
3492         case BPF_MAP_TYPE_ARRAY_OF_MAPS:
3493         case BPF_MAP_TYPE_HASH_OF_MAPS:
3494                 if (func_id != BPF_FUNC_map_lookup_elem)
3495                         goto error;
3496                 break;
3497         case BPF_MAP_TYPE_SOCKMAP:
3498                 if (func_id != BPF_FUNC_sk_redirect_map &&
3499                     func_id != BPF_FUNC_sock_map_update &&
3500                     func_id != BPF_FUNC_map_delete_elem &&
3501                     func_id != BPF_FUNC_msg_redirect_map)
3502                         goto error;
3503                 break;
3504         case BPF_MAP_TYPE_SOCKHASH:
3505                 if (func_id != BPF_FUNC_sk_redirect_hash &&
3506                     func_id != BPF_FUNC_sock_hash_update &&
3507                     func_id != BPF_FUNC_map_delete_elem &&
3508                     func_id != BPF_FUNC_msg_redirect_hash)
3509                         goto error;
3510                 break;
3511         case BPF_MAP_TYPE_REUSEPORT_SOCKARRAY:
3512                 if (func_id != BPF_FUNC_sk_select_reuseport)
3513                         goto error;
3514                 break;
3515         case BPF_MAP_TYPE_QUEUE:
3516         case BPF_MAP_TYPE_STACK:
3517                 if (func_id != BPF_FUNC_map_peek_elem &&
3518                     func_id != BPF_FUNC_map_pop_elem &&
3519                     func_id != BPF_FUNC_map_push_elem)
3520                         goto error;
3521                 break;
3522         case BPF_MAP_TYPE_SK_STORAGE:
3523                 if (func_id != BPF_FUNC_sk_storage_get &&
3524                     func_id != BPF_FUNC_sk_storage_delete)
3525                         goto error;
3526                 break;
3527         default:
3528                 break;
3529         }
3530 
3531         /* ... and second from the function itself. */
3532         switch (func_id) {
3533         case BPF_FUNC_tail_call:
3534                 if (map->map_type != BPF_MAP_TYPE_PROG_ARRAY)
3535                         goto error;
3536                 if (env->subprog_cnt > 1) {
3537                         verbose(env, "tail_calls are not allowed in programs with bpf-to-bpf calls\n");
3538                         return -EINVAL;
3539                 }
3540                 break;
3541         case BPF_FUNC_perf_event_read:
3542         case BPF_FUNC_perf_event_output:
3543         case BPF_FUNC_perf_event_read_value:
3544                 if (map->map_type != BPF_MAP_TYPE_PERF_EVENT_ARRAY)
3545                         goto error;
3546                 break;
3547         case BPF_FUNC_get_stackid:
3548                 if (map->map_type != BPF_MAP_TYPE_STACK_TRACE)
3549                         goto error;
3550                 break;
3551         case BPF_FUNC_current_task_under_cgroup:
3552         case BPF_FUNC_skb_under_cgroup:
3553                 if (map->map_type != BPF_MAP_TYPE_CGROUP_ARRAY)
3554                         goto error;
3555                 break;
3556         case BPF_FUNC_redirect_map:
3557                 if (map->map_type != BPF_MAP_TYPE_DEVMAP &&
3558                     map->map_type != BPF_MAP_TYPE_DEVMAP_HASH &&
3559                     map->map_type != BPF_MAP_TYPE_CPUMAP &&
3560                     map->map_type != BPF_MAP_TYPE_XSKMAP)
3561                         goto error;
3562                 break;
3563         case BPF_FUNC_sk_redirect_map:
3564         case BPF_FUNC_msg_redirect_map:
3565         case BPF_FUNC_sock_map_update:
3566                 if (map->map_type != BPF_MAP_TYPE_SOCKMAP)
3567                         goto error;
3568                 break;
3569         case BPF_FUNC_sk_redirect_hash:
3570         case BPF_FUNC_msg_redirect_hash:
3571         case BPF_FUNC_sock_hash_update:
3572                 if (map->map_type != BPF_MAP_TYPE_SOCKHASH)
3573                         goto error;
3574                 break;
3575         case BPF_FUNC_get_local_storage:
3576                 if (map->map_type != BPF_MAP_TYPE_CGROUP_STORAGE &&
3577                     map->map_type != BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE)
3578                         goto error;
3579                 break;
3580         case BPF_FUNC_sk_select_reuseport:
3581                 if (map->map_type != BPF_MAP_TYPE_REUSEPORT_SOCKARRAY)
3582                         goto error;
3583                 break;
3584         case BPF_FUNC_map_peek_elem:
3585         case BPF_FUNC_map_pop_elem:
3586         case BPF_FUNC_map_push_elem:
3587                 if (map->map_type != BPF_MAP_TYPE_QUEUE &&
3588                     map->map_type != BPF_MAP_TYPE_STACK)
3589                         goto error;
3590                 break;
3591         case BPF_FUNC_sk_storage_get:
3592         case BPF_FUNC_sk_storage_delete:
3593                 if (map->map_type != BPF_MAP_TYPE_SK_STORAGE)
3594                         goto error;
3595                 break;
3596         default:
3597                 break;
3598         }
3599 
3600         return 0;
3601 error:
3602         verbose(env, "cannot pass map_type %d into func %s#%d\n",
3603                 map->map_type, func_id_name(func_id), func_id);
3604         return -EINVAL;
3605 }
3606 
3607 static bool check_raw_mode_ok(const struct bpf_func_proto *fn)
3608 {
3609         int count = 0;
3610 
3611         if (fn->arg1_type == ARG_PTR_TO_UNINIT_MEM)
3612                 count++;
3613         if (fn->arg2_type == ARG_PTR_TO_UNINIT_MEM)
3614                 count++;
3615         if (fn->arg3_type == ARG_PTR_TO_UNINIT_MEM)
3616                 count++;
3617         if (fn->arg4_type == ARG_PTR_TO_UNINIT_MEM)
3618                 count++;
3619         if (fn->arg5_type == ARG_PTR_TO_UNINIT_MEM)
3620                 count++;
3621 
3622         /* We only support one arg being in raw mode at the moment,
3623          * which is sufficient for the helper functions we have
3624          * right now.
3625          */
3626         return count <= 1;
3627 }
3628 
3629 static bool check_args_pair_invalid(enum bpf_arg_type arg_curr,
3630                                     enum bpf_arg_type arg_next)
3631 {
3632         return (arg_type_is_mem_ptr(arg_curr) &&
3633                 !arg_type_is_mem_size(arg_next)) ||
3634                (!arg_type_is_mem_ptr(arg_curr) &&
3635                 arg_type_is_mem_size(arg_next));
3636 }
3637 
3638 static bool check_arg_pair_ok(const struct bpf_func_proto *fn)
3639 {
3640         /* bpf_xxx(..., buf, len) call will access 'len'
3641          * bytes from memory 'buf'. Both arg types need
3642          * to be paired, so make sure there's no buggy
3643          * helper function specification.
3644          */
3645         if (arg_type_is_mem_size(fn->arg1_type) ||
3646             arg_type_is_mem_ptr(fn->arg5_type)  ||
3647             check_args_pair_invalid(fn->arg1_type, fn->arg2_type) ||
3648             check_args_pair_invalid(fn->arg2_type, fn->arg3_type) ||
3649             check_args_pair_invalid(fn->arg3_type, fn->arg4_type) ||
3650             check_args_pair_invalid(fn->arg4_type, fn->arg5_type))
3651                 return false;
3652 
3653         return true;
3654 }
3655 
3656 static bool check_refcount_ok(const struct bpf_func_proto *fn, int func_id)
3657 {
3658         int count = 0;
3659 
3660         if (arg_type_may_be_refcounted(fn->arg1_type))
3661                 count++;
3662         if (arg_type_may_be_refcounted(fn->arg2_type))
3663                 count++;
3664         if (arg_type_may_be_refcounted(fn->arg3_type))
3665                 count++;
3666         if (arg_type_may_be_refcounted(fn->arg4_type))
3667                 count++;
3668         if (arg_type_may_be_refcounted(fn->arg5_type))
3669                 count++;
3670 
3671         /* A reference acquiring function cannot acquire
3672          * another refcounted ptr.
3673          */
3674         if (is_acquire_function(func_id) && count)
3675                 return false;
3676 
3677         /* We only support one arg being unreferenced at the moment,
3678          * which is sufficient for the helper functions we have right now.
3679          */
3680         return count <= 1;
3681 }
3682 
3683 static int check_func_proto(const struct bpf_func_proto *fn, int func_id)
3684 {
3685         return check_raw_mode_ok(fn) &&
3686                check_arg_pair_ok(fn) &&
3687                check_refcount_ok(fn, func_id) ? 0 : -EINVAL;
3688 }
3689 
3690 /* Packet data might have moved, any old PTR_TO_PACKET[_META,_END]
3691  * are now invalid, so turn them into unknown SCALAR_VALUE.
3692  */
3693 static void __clear_all_pkt_pointers(struct bpf_verifier_env *env,
3694                                      struct bpf_func_state *state)
3695 {
3696         struct bpf_reg_state *regs = state->regs, *reg;
3697         int i;
3698 
3699         for (i = 0; i < MAX_BPF_REG; i++)
3700                 if (reg_is_pkt_pointer_any(&regs[i]))
3701                         mark_reg_unknown(env, regs, i);
3702 
3703         bpf_for_each_spilled_reg(i, state, reg) {
3704                 if (!reg)
3705                         continue;
3706                 if (reg_is_pkt_pointer_any(reg))
3707                         __mark_reg_unknown(env, reg);
3708         }
3709 }
3710 
3711 static void clear_all_pkt_pointers(struct bpf_verifier_env *env)
3712 {
3713         struct bpf_verifier_state *vstate = env->cur_state;
3714         int i;
3715 
3716         for (i = 0; i <= vstate->curframe; i++)
3717                 __clear_all_pkt_pointers(env, vstate->frame[i]);
3718 }
3719 
3720 static void release_reg_references(struct bpf_verifier_env *env,
3721                                    struct bpf_func_state *state,
3722                                    int ref_obj_id)
3723 {
3724         struct bpf_reg_state *regs = state->regs, *reg;
3725         int i;
3726 
3727         for (i = 0; i < MAX_BPF_REG; i++)
3728                 if (regs[i].ref_obj_id == ref_obj_id)
3729                         mark_reg_unknown(env, regs, i);
3730 
3731         bpf_for_each_spilled_reg(i, state, reg) {
3732                 if (!reg)
3733                         continue;
3734                 if (reg->ref_obj_id == ref_obj_id)
3735                         __mark_reg_unknown(env, reg);
3736         }
3737 }
3738 
3739 /* The pointer with the specified id has released its reference to kernel
3740  * resources. Identify all copies of the same pointer and clear the reference.
3741  */
3742 static int release_reference(struct bpf_verifier_env *env,
3743                              int ref_obj_id)
3744 {
3745         struct bpf_verifier_state *vstate = env->cur_state;
3746         int err;
3747         int i;
3748 
3749         err = release_reference_state(cur_func(env), ref_obj_id);
3750         if (err)
3751                 return err;
3752 
3753         for (i = 0; i <= vstate->curframe; i++)
3754                 release_reg_references(env, vstate->frame[i], ref_obj_id);
3755 
3756         return 0;
3757 }
3758 
3759 static int check_func_call(struct bpf_verifier_env *env, struct bpf_insn *insn,
3760                            int *insn_idx)
3761 {
3762         struct bpf_verifier_state *state = env->cur_state;
3763         struct bpf_func_state *caller, *callee;
3764         int i, err, subprog, target_insn;
3765 
3766         if (state->curframe + 1 >= MAX_CALL_FRAMES) {
3767                 verbose(env, "the call stack of %d frames is too deep\n",
3768                         state->curframe + 2);
3769                 return -E2BIG;
3770         }
3771 
3772         target_insn = *insn_idx + insn->imm;
3773         subprog = find_subprog(env, target_insn + 1);
3774         if (subprog < 0) {
3775                 verbose(env, "verifier bug. No program starts at insn %d\n",
3776                         target_insn + 1);
3777                 return -EFAULT;
3778         }
3779 
3780         caller = state->frame[state->curframe];
3781         if (state->frame[state->curframe + 1]) {
3782                 verbose(env, "verifier bug. Frame %d already allocated\n",
3783                         state->curframe + 1);
3784                 return -EFAULT;
3785         }
3786 
3787         callee = kzalloc(sizeof(*callee), GFP_KERNEL);
3788         if (!callee)
3789                 return -ENOMEM;
3790         state->frame[state->curframe + 1] = callee;
3791 
3792         /* callee cannot access r0, r6 - r9 for reading and has to write
3793          * into its own stack before reading from it.
3794          * callee can read/write into caller's stack
3795          */
3796         init_func_state(env, callee,
3797                         /* remember the callsite, it will be used by bpf_exit */
3798                         *insn_idx /* callsite */,
3799                         state->curframe + 1 /* frameno within this callchain */,
3800                         subprog /* subprog number within this prog */);
3801 
3802         /* Transfer references to the callee */
3803         err = transfer_reference_state(callee, caller);
3804         if (err)
3805                 return err;
3806 
3807         /* copy r1 - r5 args that callee can access.  The copy includes parent
3808          * pointers, which connects us up to the liveness chain
3809          */
3810         for (i = BPF_REG_1; i <= BPF_REG_5; i++)
3811                 callee->regs[i] = caller->regs[i];
3812 
3813         /* after the call registers r0 - r5 were scratched */
3814         for (i = 0; i < CALLER_SAVED_REGS; i++) {
3815                 mark_reg_not_init(env, caller->regs, caller_saved[i]);
3816                 check_reg_arg(env, caller_saved[i], DST_OP_NO_MARK);
3817         }
3818 
3819         /* only increment it after check_reg_arg() finished */
3820         state->curframe++;
3821 
3822         /* and go analyze first insn of the callee */
3823         *insn_idx = target_insn;
3824 
3825         if (env->log.level & BPF_LOG_LEVEL) {
3826                 verbose(env, "caller:\n");
3827                 print_verifier_state(env, caller);
3828                 verbose(env, "callee:\n");
3829                 print_verifier_state(env, callee);
3830         }
3831         return 0;
3832 }
3833 
3834 static int prepare_func_exit(struct bpf_verifier_env *env, int *insn_idx)
3835 {
3836         struct bpf_verifier_state *state = env->cur_state;
3837         struct bpf_func_state *caller, *callee;
3838         struct bpf_reg_state *r0;
3839         int err;
3840 
3841         callee = state->frame[state->curframe];
3842         r0 = &callee->regs[BPF_REG_0];
3843         if (r0->type == PTR_TO_STACK) {
3844                 /* technically it's ok to return caller's stack pointer
3845                  * (or caller's caller's pointer) back to the caller,
3846                  * since these pointers are valid. Only current stack
3847                  * pointer will be invalid as soon as function exits,
3848                  * but let's be conservative
3849                  */
3850                 verbose(env, "cannot return stack pointer to the caller\n");
3851                 return -EINVAL;
3852         }
3853 
3854         state->curframe--;
3855         caller = state->frame[state->curframe];
3856         /* return to the caller whatever r0 had in the callee */
3857         caller->regs[BPF_REG_0] = *r0;
3858 
3859         /* Transfer references to the caller */
3860         err = transfer_reference_state(caller, callee);
3861         if (err)
3862                 return err;
3863 
3864         *insn_idx = callee->callsite + 1;
3865         if (env->log.level & BPF_LOG_LEVEL) {
3866                 verbose(env, "returning from callee:\n");
3867                 print_verifier_state(env, callee);
3868                 verbose(env, "to caller at %d:\n", *insn_idx);
3869                 print_verifier_state(env, caller);
3870         }
3871         /* clear everything in the callee */
3872         free_func_state(callee);
3873         state->frame[state->curframe + 1] = NULL;
3874         return 0;
3875 }
3876 
3877 static int do_refine_retval_range(struct bpf_verifier_env *env,
3878                                   struct bpf_reg_state *regs, int ret_type,
3879                                   int func_id, struct bpf_call_arg_meta *meta)
3880 {
3881         struct bpf_reg_state *ret_reg = &regs[BPF_REG_0];
3882         struct bpf_reg_state tmp_reg = *ret_reg;
3883         bool ret;
3884 
3885         if (ret_type != RET_INTEGER ||
3886             (func_id != BPF_FUNC_get_stack &&
3887              func_id != BPF_FUNC_probe_read_str))
3888                 return 0;
3889 
3890         /* Error case where ret is in interval [S32MIN, -1]. */
3891         ret_reg->smin_value = S32_MIN;
3892         ret_reg->smax_value = -1;
3893 
3894         __reg_deduce_bounds(ret_reg);
3895         __reg_bound_offset(ret_reg);
3896         __update_reg_bounds(ret_reg);
3897 
3898         ret = push_stack(env, env->insn_idx + 1, env->insn_idx, false);
3899         if (!ret)
3900                 return -EFAULT;
3901 
3902         *ret_reg = tmp_reg;
3903 
3904         /* Success case where ret is in range [0, msize_max_value]. */
3905         ret_reg->smin_value = 0;
3906         ret_reg->smax_value = meta->msize_max_value;
3907         ret_reg->umin_value = ret_reg->smin_value;
3908         ret_reg->umax_value = ret_reg->smax_value;
3909 
3910         __reg_deduce_bounds(ret_reg);
3911         __reg_bound_offset(ret_reg);
3912         __update_reg_bounds(ret_reg);
3913 
3914         return 0;
3915 }
3916 
3917 static int
3918 record_func_map(struct bpf_verifier_env *env, struct bpf_call_arg_meta *meta,
3919                 int func_id, int insn_idx)
3920 {
3921         struct bpf_insn_aux_data *aux = &env->insn_aux_data[insn_idx];
3922         struct bpf_map *map = meta->map_ptr;
3923 
3924         if (func_id != BPF_FUNC_tail_call &&
3925             func_id != BPF_FUNC_map_lookup_elem &&
3926             func_id != BPF_FUNC_map_update_elem &&
3927             func_id != BPF_FUNC_map_delete_elem &&
3928             func_id != BPF_FUNC_map_push_elem &&
3929             func_id != BPF_FUNC_map_pop_elem &&
3930             func_id != BPF_FUNC_map_peek_elem)
3931                 return 0;
3932 
3933         if (map == NULL) {
3934                 verbose(env, "kernel subsystem misconfigured verifier\n");
3935                 return -EINVAL;
3936         }
3937 
3938         /* In case of read-only, some additional restrictions
3939          * need to be applied in order to prevent altering the
3940          * state of the map from program side.
3941          */
3942         if ((map->map_flags & BPF_F_RDONLY_PROG) &&
3943             (func_id == BPF_FUNC_map_delete_elem ||
3944              func_id == BPF_FUNC_map_update_elem ||
3945              func_id == BPF_FUNC_map_push_elem ||
3946              func_id == BPF_FUNC_map_pop_elem)) {
3947                 verbose(env, "write into map forbidden\n");
3948                 return -EACCES;
3949         }
3950 
3951         if (!BPF_MAP_PTR(aux->map_state))
3952                 bpf_map_ptr_store(aux, meta->map_ptr,
3953                                   meta->map_ptr->unpriv_array);
3954         else if (BPF_MAP_PTR(aux->map_state) != meta->map_ptr)
3955                 bpf_map_ptr_store(aux, BPF_MAP_PTR_POISON,
3956                                   meta->map_ptr->unpriv_array);
3957         return 0;
3958 }
3959 
3960 static int check_reference_leak(struct bpf_verifier_env *env)
3961 {
3962         struct bpf_func_state *state = cur_func(env);
3963         int i;
3964 
3965         for (i = 0; i < state->acquired_refs; i++) {
3966                 verbose(env, "Unreleased reference id=%d alloc_insn=%d\n",
3967                         state->refs[i].id, state->refs[i].insn_idx);
3968         }
3969         return state->acquired_refs ? -EINVAL : 0;
3970 }
3971 
3972 static int check_helper_call(struct bpf_verifier_env *env, int func_id, int insn_idx)
3973 {
3974         const struct bpf_func_proto *fn = NULL;
3975         struct bpf_reg_state *regs;
3976         struct bpf_call_arg_meta meta;
3977         bool changes_data;
3978         int i, err;
3979 
3980         /* find function prototype */
3981         if (func_id < 0 || func_id >= __BPF_FUNC_MAX_ID) {
3982                 verbose(env, "invalid func %s#%d\n", func_id_name(func_id),
3983                         func_id);
3984                 return -EINVAL;
3985         }
3986 
3987         if (env->ops->get_func_proto)
3988                 fn = env->ops->get_func_proto(func_id, env->prog);
3989         if (!fn) {
3990                 verbose(env, "unknown func %s#%d\n", func_id_name(func_id),
3991                         func_id);
3992                 return -EINVAL;
3993         }
3994 
3995         /* eBPF programs must be GPL compatible to use GPL-ed functions */
3996         if (!env->prog->gpl_compatible && fn->gpl_only) {
3997                 verbose(env, "cannot call GPL-restricted function from non-GPL compatible program\n");
3998                 return -EINVAL;
3999         }
4000 
4001         /* With LD_ABS/IND some JITs save/restore skb from r1. */
4002         changes_data = bpf_helper_changes_pkt_data(fn->func);
4003         if (changes_data && fn->arg1_type != ARG_PTR_TO_CTX) {
4004                 verbose(env, "kernel subsystem misconfigured func %s#%d: r1 != ctx\n",
4005                         func_id_name(func_id), func_id);
4006                 return -EINVAL;
4007         }
4008 
4009         memset(&meta, 0, sizeof(meta));
4010         meta.pkt_access = fn->pkt_access;
4011 
4012         err = check_func_proto(fn, func_id);
4013         if (err) {
4014                 verbose(env, "kernel subsystem misconfigured func %s#%d\n",
4015                         func_id_name(func_id), func_id);
4016                 return err;
4017         }
4018 
4019         meta.func_id = func_id;
4020         /* check args */
4021         err = check_func_arg(env, BPF_REG_1, fn->arg1_type, &meta);
4022         if (err)
4023                 return err;
4024         err = check_func_arg(env, BPF_REG_2, fn->arg2_type, &meta);
4025         if (err)
4026                 return err;
4027         err = check_func_arg(env, BPF_REG_3, fn->arg3_type, &meta);
4028         if (err)
4029                 return err;
4030         err = check_func_arg(env, BPF_REG_4, fn->arg4_type, &meta);
4031         if (err)
4032                 return err;
4033         err = check_func_arg(env, BPF_REG_5, fn->arg5_type, &meta);
4034         if (err)
4035                 return err;
4036 
4037         err = record_func_map(env, &meta, func_id, insn_idx);
4038         if (err)
4039                 return err;
4040 
4041         /* Mark slots with STACK_MISC in case of raw mode, stack offset
4042          * is inferred from register state.
4043          */
4044         for (i = 0; i < meta.access_size; i++) {
4045                 err = check_mem_access(env, insn_idx, meta.regno, i, BPF_B,
4046                                        BPF_WRITE, -1, false);
4047                 if (err)
4048                         return err;
4049         }
4050 
4051         if (func_id == BPF_FUNC_tail_call) {
4052                 err = check_reference_leak(env);
4053                 if (err) {
4054                         verbose(env, "tail_call would lead to reference leak\n");
4055                         return err;
4056                 }
4057         } else if (is_release_function(func_id)) {
4058                 err = release_reference(env, meta.ref_obj_id);
4059                 if (err) {
4060                         verbose(env, "func %s#%d reference has not been acquired before\n",
4061                                 func_id_name(func_id), func_id);
4062                         return err;
4063                 }
4064         }
4065 
4066         regs = cur_regs(env);
4067 
4068         /* check that flags argument in get_local_storage(map, flags) is 0,
4069          * this is required because get_local_storage() can't return an error.
4070          */
4071         if (func_id == BPF_FUNC_get_local_storage &&
4072             !register_is_null(&regs[BPF_REG_2])) {
4073                 verbose(env, "get_local_storage() doesn't support non-zero flags\n");
4074                 return -EINVAL;
4075         }
4076 
4077         /* reset caller saved regs */
4078         for (i = 0; i < CALLER_SAVED_REGS; i++) {
4079                 mark_reg_not_init(env, regs, caller_saved[i]);
4080                 check_reg_arg(env, caller_saved[i], DST_OP_NO_MARK);
4081         }
4082 
4083         /* helper call returns 64-bit value. */
4084         regs[BPF_REG_0].subreg_def = DEF_NOT_SUBREG;
4085 
4086         /* update return register (already marked as written above) */
4087         if (fn->ret_type == RET_INTEGER) {
4088                 /* sets type to SCALAR_VALUE */
4089                 mark_reg_unknown(env, regs, BPF_REG_0);
4090         } else if (fn->ret_type == RET_VOID) {
4091                 regs[BPF_REG_0].type = NOT_INIT;
4092         } else if (fn->ret_type == RET_PTR_TO_MAP_VALUE_OR_NULL ||
4093                    fn->ret_type == RET_PTR_TO_MAP_VALUE) {
4094                 /* There is no offset yet applied, variable or fixed */
4095                 mark_reg_known_zero(env, regs, BPF_REG_0);
4096                 /* remember map_ptr, so that check_map_access()
4097                  * can check 'value_size' boundary of memory access
4098                  * to map element returned from bpf_map_lookup_elem()
4099                  */
4100                 if (meta.map_ptr == NULL) {
4101                         verbose(env,
4102                                 "kernel subsystem misconfigured verifier\n");
4103                         return -EINVAL;
4104                 }
4105                 regs[BPF_REG_0].map_ptr = meta.map_ptr;
4106                 if (fn->ret_type == RET_PTR_TO_MAP_VALUE) {
4107                         regs[BPF_REG_0].type = PTR_TO_MAP_VALUE;
4108                         if (map_value_has_spin_lock(meta.map_ptr))
4109                                 regs[BPF_REG_0].id = ++env->id_gen;
4110                 } else {
4111                         regs[BPF_REG_0].type = PTR_TO_MAP_VALUE_OR_NULL;
4112                         regs[BPF_REG_0].id = ++env->id_gen;
4113                 }
4114         } else if (fn->ret_type == RET_PTR_TO_SOCKET_OR_NULL) {
4115                 mark_reg_known_zero(env, regs, BPF_REG_0);
4116                 regs[BPF_REG_0].type = PTR_TO_SOCKET_OR_NULL;
4117                 regs[BPF_REG_0].id = ++env->id_gen;
4118         } else if (fn->ret_type == RET_PTR_TO_SOCK_COMMON_OR_NULL) {
4119                 mark_reg_known_zero(env, regs, BPF_REG_0);
4120                 regs[BPF_REG_0].type = PTR_TO_SOCK_COMMON_OR_NULL;
4121                 regs[BPF_REG_0].id = ++env->id_gen;
4122         } else if (fn->ret_type == RET_PTR_TO_TCP_SOCK_OR_NULL) {
4123                 mark_reg_known_zero(env, regs, BPF_REG_0);
4124                 regs[BPF_REG_0].type = PTR_TO_TCP_SOCK_OR_NULL;
4125                 regs[BPF_REG_0].id = ++env->id_gen;
4126         } else {
4127                 verbose(env, "unknown return type %d of func %s#%d\n",
4128                         fn->ret_type, func_id_name(func_id), func_id);
4129                 return -EINVAL;
4130         }
4131 
4132         if (is_ptr_cast_function(func_id)) {
4133                 /* For release_reference() */
4134                 regs[BPF_REG_0].ref_obj_id = meta.ref_obj_id;
4135         } else if (is_acquire_function(func_id)) {
4136                 int id = acquire_reference_state(env, insn_idx);
4137 
4138                 if (id < 0)
4139                         return id;
4140                 /* For mark_ptr_or_null_reg() */
4141                 regs[BPF_REG_0].id = id;
4142                 /* For release_reference() */
4143                 regs[BPF_REG_0].ref_obj_id = id;
4144         }
4145 
4146         err = do_refine_retval_range(env, regs, fn->ret_type, func_id, &meta);
4147         if (err)
4148                 return err;
4149 
4150         err = check_map_func_compatibility(env, meta.map_ptr, func_id);
4151         if (err)
4152                 return err;
4153 
4154         if (func_id == BPF_FUNC_get_stack && !env->prog->has_callchain_buf) {
4155                 const char *err_str;
4156 
4157 #ifdef CONFIG_PERF_EVENTS
4158                 err = get_callchain_buffers(sysctl_perf_event_max_stack);
4159                 err_str = "cannot get callchain buffer for func %s#%d\n";
4160 #else
4161                 err = -ENOTSUPP;
4162                 err_str = "func %s#%d not supported without CONFIG_PERF_EVENTS\n";
4163 #endif
4164                 if (err) {
4165                         verbose(env, err_str, func_id_name(func_id), func_id);
4166                         return err;
4167                 }
4168 
4169                 env->prog->has_callchain_buf = true;
4170         }
4171 
4172         if (changes_data)
4173                 clear_all_pkt_pointers(env);
4174         return 0;
4175 }
4176 
4177 static bool signed_add_overflows(s64 a, s64 b)
4178 {
4179         /* Do the add in u64, where overflow is well-defined */
4180         s64 res = (s64)((u64)a + (u64)b);
4181 
4182         if (b < 0)
4183                 return res > a;
4184         return res < a;
4185 }
4186 
4187 static bool signed_sub_overflows(s64 a, s64 b)
4188 {
4189         /* Do the sub in u64, where overflow is well-defined */
4190         s64 res = (s64)((u64)a - (u64)b);
4191 
4192         if (b < 0)
4193                 return res < a;
4194         return res > a;
4195 }
4196 
4197 static bool check_reg_sane_offset(struct bpf_verifier_env *env,
4198                                   const struct bpf_reg_state *reg,
4199                                   enum bpf_reg_type type)
4200 {
4201         bool known = tnum_is_const(reg->var_off);
4202         s64 val = reg->var_off.value;
4203         s64 smin = reg->smin_value;
4204 
4205         if (known && (val >= BPF_MAX_VAR_OFF || val <= -BPF_MAX_VAR_OFF)) {
4206                 verbose(env, "math between %s pointer and %lld is not allowed\n",
4207                         reg_type_str[type], val);
4208                 return false;
4209         }
4210 
4211         if (reg->off >= BPF_MAX_VAR_OFF || reg->off <= -BPF_MAX_VAR_OFF) {
4212                 verbose(env, "%s pointer offset %d is not allowed\n",
4213                         reg_type_str[type], reg->off);
4214                 return false;
4215         }
4216 
4217         if (smin == S64_MIN) {
4218                 verbose(env, "math between %s pointer and register with unbounded min value is not allowed\n",
4219                         reg_type_str[type]);
4220                 return false;
4221         }
4222 
4223         if (smin >= BPF_MAX_VAR_OFF || smin <= -BPF_MAX_VAR_OFF) {
4224                 verbose(env, "value %lld makes %s pointer be out of bounds\n",
4225                         smin, reg_type_str[type]);
4226                 return false;
4227         }
4228 
4229         return true;
4230 }
4231 
4232 static struct bpf_insn_aux_data *cur_aux(struct bpf_verifier_env *env)
4233 {
4234         return &env->insn_aux_data[env->insn_idx];
4235 }
4236 
4237 static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg,
4238                               u32 *ptr_limit, u8 opcode, bool off_is_neg)
4239 {
4240         bool mask_to_left = (opcode == BPF_ADD &&  off_is_neg) ||
4241                             (opcode == BPF_SUB && !off_is_neg);
4242         u32 off;
4243 
4244         switch (ptr_reg->type) {
4245         case PTR_TO_STACK:
4246                 /* Indirect variable offset stack access is prohibited in
4247                  * unprivileged mode so it's not handled here.
4248                  */
4249                 off = ptr_reg->off + ptr_reg->var_off.value;
4250                 if (mask_to_left)
4251                         *ptr_limit = MAX_BPF_STACK + off;
4252                 else
4253                         *ptr_limit = -off;
4254                 return 0;
4255         case PTR_TO_MAP_VALUE:
4256                 if (mask_to_left) {
4257                         *ptr_limit = ptr_reg->umax_value + ptr_reg->off;
4258                 } else {
4259                         off = ptr_reg->smin_value + ptr_reg->off;
4260                         *ptr_limit = ptr_reg->map_ptr->value_size - off;
4261                 }
4262                 return 0;
4263         default:
4264                 return -EINVAL;
4265         }
4266 }
4267 
4268 static bool can_skip_alu_sanitation(const struct bpf_verifier_env *env,
4269                                     const struct bpf_insn *insn)
4270 {
4271         return env->allow_ptr_leaks || BPF_SRC(insn->code) == BPF_K;
4272 }
4273 
4274 static int update_alu_sanitation_state(struct bpf_insn_aux_data *aux,
4275                                        u32 alu_state, u32 alu_limit)
4276 {
4277         /* If we arrived here from different branches with different
4278          * state or limits to sanitize, then this won't work.
4279          */
4280         if (aux->alu_state &&
4281             (aux->alu_state != alu_state ||
4282              aux->alu_limit != alu_limit))
4283                 return -EACCES;
4284 
4285         /* Corresponding fixup done in fixup_bpf_calls(). */
4286         aux->alu_state = alu_state;
4287         aux->alu_limit = alu_limit;
4288         return 0;
4289 }
4290 
4291 static int sanitize_val_alu(struct bpf_verifier_env *env,
4292                             struct bpf_insn *insn)
4293 {
4294         struct bpf_insn_aux_data *aux = cur_aux(env);
4295 
4296         if (can_skip_alu_sanitation(env, insn))
4297                 return 0;
4298 
4299         return update_alu_sanitation_state(aux, BPF_ALU_NON_POINTER, 0);
4300 }
4301 
4302 static int sanitize_ptr_alu(struct bpf_verifier_env *env,
4303                             struct bpf_insn *insn,
4304                             const struct bpf_reg_state *ptr_reg,
4305                             struct bpf_reg_state *dst_reg,
4306                             bool off_is_neg)
4307 {
4308         struct bpf_verifier_state *vstate = env->cur_state;
4309         struct bpf_insn_aux_data *aux = cur_aux(env);
4310         bool ptr_is_dst_reg = ptr_reg == dst_reg;
4311         u8 opcode = BPF_OP(insn->code);
4312         u32 alu_state, alu_limit;
4313         struct bpf_reg_state tmp;
4314         bool ret;
4315 
4316         if (can_skip_alu_sanitation(env, insn))
4317                 return 0;
4318 
4319         /* We already marked aux for masking from non-speculative
4320          * paths, thus we got here in the first place. We only care
4321          * to explore bad access from here.
4322          */
4323         if (vstate->speculative)
4324                 goto do_sim;
4325 
4326         alu_state  = off_is_neg ? BPF_ALU_NEG_VALUE : 0;
4327         alu_state |= ptr_is_dst_reg ?
4328                      BPF_ALU_SANITIZE_SRC : BPF_ALU_SANITIZE_DST;
4329 
4330         if (retrieve_ptr_limit(ptr_reg, &alu_limit, opcode, off_is_neg))
4331                 return 0;
4332         if (update_alu_sanitation_state(aux, alu_state, alu_limit))
4333                 return -EACCES;
4334 do_sim:
4335         /* Simulate and find potential out-of-bounds access under
4336          * speculative execution from truncation as a result of
4337          * masking when off was not within expected range. If off
4338          * sits in dst, then we temporarily need to move ptr there
4339          * to simulate dst (== 0) +/-= ptr. Needed, for example,
4340          * for cases where we use K-based arithmetic in one direction
4341          * and truncated reg-based in the other in order to explore
4342          * bad access.
4343          */
4344         if (!ptr_is_dst_reg) {
4345                 tmp = *dst_reg;
4346                 *dst_reg = *ptr_reg;
4347         }
4348         ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true);
4349         if (!ptr_is_dst_reg && ret)
4350                 *dst_reg = tmp;
4351         return !ret ? -EFAULT : 0;
4352 }
4353 
4354 /* Handles arithmetic on a pointer and a scalar: computes new min/max and var_off.
4355  * Caller should also handle BPF_MOV case separately.
4356  * If we return -EACCES, caller may want to try again treating pointer as a
4357  * scalar.  So we only emit a diagnostic if !env->allow_ptr_leaks.
4358  */
4359 static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
4360                                    struct bpf_insn *insn,
4361                                    const struct bpf_reg_state *ptr_reg,
4362                                    const struct bpf_reg_state *off_reg)
4363 {
4364         struct bpf_verifier_state *vstate = env->cur_state;
4365         struct bpf_func_state *state = vstate->frame[vstate->curframe];
4366         struct bpf_reg_state *regs = state->regs, *dst_reg;
4367         bool known = tnum_is_const(off_reg->var_off);
4368         s64 smin_val = off_reg->smin_value, smax_val = off_reg->smax_value,
4369             smin_ptr = ptr_reg->smin_value, smax_ptr = ptr_reg->smax_value;
4370         u64 umin_val = off_reg->umin_value, umax_val = off_reg->umax_value,
4371             umin_ptr = ptr_reg->umin_value, umax_ptr = ptr_reg->umax_value;
4372         u32 dst = insn->dst_reg, src = insn->src_reg;
4373         u8 opcode = BPF_OP(insn->code);
4374         int ret;
4375 
4376         dst_reg = &regs[dst];
4377 
4378         if ((known && (smin_val != smax_val || umin_val != umax_val)) ||
4379             smin_val > smax_val || umin_val > umax_val) {
4380                 /* Taint dst register if offset had invalid bounds derived from
4381                  * e.g. dead branches.
4382                  */
4383                 __mark_reg_unknown(env, dst_reg);
4384                 return 0;
4385         }
4386 
4387         if (BPF_CLASS(insn->code) != BPF_ALU64) {
4388                 /* 32-bit ALU ops on pointers produce (meaningless) scalars */
4389                 verbose(env,
4390                         "R%d 32-bit pointer arithmetic prohibited\n",
4391                         dst);
4392                 return -EACCES;
4393         }
4394 
4395         switch (ptr_reg->type) {
4396         case PTR_TO_MAP_VALUE_OR_NULL:
4397                 verbose(env, "R%d pointer arithmetic on %s prohibited, null-check it first\n",
4398                         dst, reg_type_str[ptr_reg->type]);
4399                 return -EACCES;
4400         case CONST_PTR_TO_MAP:
4401         case PTR_TO_PACKET_END:
4402         case PTR_TO_SOCKET:
4403         case PTR_TO_SOCKET_OR_NULL:
4404         case PTR_TO_SOCK_COMMON:
4405         case PTR_TO_SOCK_COMMON_OR_NULL:
4406         case PTR_TO_TCP_SOCK:
4407         case PTR_TO_TCP_SOCK_OR_NULL:
4408         case PTR_TO_XDP_SOCK:
4409                 verbose(env, "R%d pointer arithmetic on %s prohibited\n",
4410                         dst, reg_type_str[ptr_reg->type]);
4411                 return -EACCES;
4412         case PTR_TO_MAP_VALUE:
4413                 if (!env->allow_ptr_leaks && !known && (smin_val < 0) != (smax_val < 0)) {
4414                         verbose(env, "R%d has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root\n",
4415                                 off_reg == dst_reg ? dst : src);
4416                         return -EACCES;
4417                 }
4418                 /* fall-through */
4419         default:
4420                 break;
4421         }
4422 
4423         /* In case of 'scalar += pointer', dst_reg inherits pointer type and id.
4424          * The id may be overwritten later if we create a new variable offset.
4425          */
4426         dst_reg->type = ptr_reg->type;
4427         dst_reg->id = ptr_reg->id;
4428 
4429         if (!check_reg_sane_offset(env, off_reg, ptr_reg->type) ||
4430             !check_reg_sane_offset(env, ptr_reg, ptr_reg->type))
4431                 return -EINVAL;
4432 
4433         switch (opcode) {
4434         case BPF_ADD:
4435                 ret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0);
4436                 if (ret < 0) {
4437                         verbose(env, "R%d tried to add from different maps or paths\n", dst);
4438                         return ret;
4439                 }
4440                 /* We can take a fixed offset as long as it doesn't overflow
4441                  * the s32 'off' field
4442                  */
4443                 if (known && (ptr_reg->off + smin_val ==
4444                               (s64)(s32)(ptr_reg->off + smin_val))) {
4445                         /* pointer += K.  Accumulate it into fixed offset */
4446                         dst_reg->smin_value = smin_ptr;
4447                         dst_reg->smax_value = smax_ptr;
4448                         dst_reg->umin_value = umin_ptr;
4449                         dst_reg->umax_value = umax_ptr;
4450                         dst_reg->var_off = ptr_reg->var_off;
4451                         dst_reg->off = ptr_reg->off + smin_val;
4452                         dst_reg->raw = ptr_reg->raw;
4453                         break;
4454                 }
4455                 /* A new variable offset is created.  Note that off_reg->off
4456                  * == 0, since it's a scalar.
4457                  * dst_reg gets the pointer type and since some positive
4458                  * integer value was added to the pointer, give it a new 'id'
4459                  * if it's a PTR_TO_PACKET.
4460                  * this creates a new 'base' pointer, off_reg (variable) gets
4461                  * added into the variable offset, and we copy the fixed offset
4462                  * from ptr_reg.
4463                  */
4464                 if (signed_add_overflows(smin_ptr, smin_val) ||
4465                     signed_add_overflows(smax_ptr, smax_val)) {
4466                         dst_reg->smin_value = S64_MIN;
4467                         dst_reg->smax_value = S64_MAX;
4468                 } else {
4469                         dst_reg->smin_value = smin_ptr + smin_val;
4470                         dst_reg->smax_value = smax_ptr + smax_val;
4471                 }
4472                 if (umin_ptr + umin_val < umin_ptr ||
4473                     umax_ptr + umax_val < umax_ptr) {
4474                         dst_reg->umin_value = 0;
4475                         dst_reg->umax_value = U64_MAX;
4476                 } else {
4477                         dst_reg->umin_value = umin_ptr + umin_val;
4478                         dst_reg->umax_value = umax_ptr + umax_val;
4479                 }
4480                 dst_reg->var_off = tnum_add(ptr_reg->var_off, off_reg->var_off);
4481                 dst_reg->off = ptr_reg->off;
4482                 dst_reg->raw = ptr_reg->raw;
4483                 if (reg_is_pkt_pointer(ptr_reg)) {
4484                         dst_reg->id = ++env->id_gen;
4485                         /* something was added to pkt_ptr, set range to zero */
4486                         dst_reg->raw = 0;
4487                 }
4488                 break;
4489         case BPF_SUB:
4490                 ret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0);
4491                 if (ret < 0) {
4492                         verbose(env, "R%d tried to sub from different maps or paths\n", dst);
4493                         return ret;
4494                 }
4495                 if (dst_reg == off_reg) {
4496                         /* scalar -= pointer.  Creates an unknown scalar */
4497                         verbose(env, "R%d tried to subtract pointer from scalar\n",
4498                                 dst);
4499                         return -EACCES;
4500                 }
4501                 /* We don't allow subtraction from FP, because (according to
4502                  * test_verifier.c test "invalid fp arithmetic", JITs might not
4503                  * be able to deal with it.
4504                  */
4505                 if (ptr_reg->type == PTR_TO_STACK) {
4506                         verbose(env, "R%d subtraction from stack pointer prohibited\n",
4507                                 dst);
4508                         return -EACCES;
4509                 }
4510                 if (known && (ptr_reg->off - smin_val ==
4511                               (s64)(s32)(ptr_reg->off - smin_val))) {
4512                         /* pointer -= K.  Subtract it from fixed offset */
4513                         dst_reg->smin_value = smin_ptr;
4514                         dst_reg->smax_value = smax_ptr;
4515                         dst_reg->umin_value = umin_ptr;
4516                         dst_reg->umax_value = umax_ptr;
4517                         dst_reg->var_off = ptr_reg->var_off;
4518                         dst_reg->id = ptr_reg->id;
4519                         dst_reg->off = ptr_reg->off - smin_val;
4520                         dst_reg->raw = ptr_reg->raw;
4521                         break;
4522                 }
4523                 /* A new variable offset is created.  If the subtrahend is known
4524                  * nonnegative, then any reg->range we had before is still good.
4525                  */
4526                 if (signed_sub_overflows(smin_ptr, smax_val) ||
4527                     signed_sub_overflows(smax_ptr, smin_val)) {
4528                         /* Overflow possible, we know nothing */
4529                         dst_reg->smin_value = S64_MIN;
4530                         dst_reg->smax_value = S64_MAX;
4531                 } else {
4532                         dst_reg->smin_value = smin_ptr - smax_val;
4533                         dst_reg->smax_value = smax_ptr - smin_val;
4534                 }
4535                 if (umin_ptr < umax_val) {
4536                         /* Overflow possible, we know nothing */
4537                         dst_reg->umin_value = 0;
4538                         dst_reg->umax_value = U64_MAX;
4539                 } else {
4540                         /* Cannot overflow (as long as bounds are consistent) */
4541                         dst_reg->umin_value = umin_ptr - umax_val;
4542                         dst_reg->umax_value = umax_ptr - umin_val;
4543                 }
4544                 dst_reg->var_off = tnum_sub(ptr_reg->var_off, off_reg->var_off);
4545                 dst_reg->off = ptr_reg->off;
4546                 dst_reg->raw = ptr_reg->raw;
4547                 if (reg_is_pkt_pointer(ptr_reg)) {
4548                         dst_reg->id = ++env->id_gen;
4549                         /* something was added to pkt_ptr, set range to zero */
4550                         if (smin_val < 0)
4551                                 dst_reg->raw = 0;
4552                 }
4553                 break;
4554         case BPF_AND:
4555         case BPF_OR:
4556         case BPF_XOR:
4557                 /* bitwise ops on pointers are troublesome, prohibit. */
4558                 verbose(env, "R%d bitwise operator %s on pointer prohibited\n",
4559                         dst, bpf_alu_string[opcode >> 4]);
4560                 return -EACCES;
4561         default:
4562                 /* other operators (e.g. MUL,LSH) produce non-pointer results */
4563                 verbose(env, "R%d pointer arithmetic with %s operator prohibited\n",
4564                         dst, bpf_alu_string[opcode >> 4]);
4565                 return -EACCES;
4566         }
4567 
4568         if (!check_reg_sane_offset(env, dst_reg, ptr_reg->type))
4569                 return -EINVAL;
4570 
4571         __update_reg_bounds(dst_reg);
4572         __reg_deduce_bounds(dst_reg);
4573         __reg_bound_offset(dst_reg);
4574 
4575         /* For unprivileged we require that resulting offset must be in bounds
4576          * in order to be able to sanitize access later on.
4577          */
4578         if (!env->allow_ptr_leaks) {
4579                 if (dst_reg->type == PTR_TO_MAP_VALUE &&
4580                     check_map_access(env, dst, dst_reg->off, 1, false)) {
4581                         verbose(env, "R%d pointer arithmetic of map value goes out of range, "
4582                                 "prohibited for !root\n", dst);
4583                         return -EACCES;
4584                 } else if (dst_reg->type == PTR_TO_STACK &&
4585                            check_stack_access(env, dst_reg, dst_reg->off +
4586                                               dst_reg->var_off.value, 1)) {
4587                         verbose(env, "R%d stack pointer arithmetic goes out of range, "
4588                                 "prohibited for !root\n", dst);
4589                         return -EACCES;
4590                 }
4591         }
4592 
4593         return 0;
4594 }
4595 
4596 /* WARNING: This function does calculations on 64-bit values, but the actual
4597  * execution may occur on 32-bit values. Therefore, things like bitshifts
4598  * need extra checks in the 32-bit case.
4599  */
4600 static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
4601                                       struct bpf_insn *insn,
4602                                       struct bpf_reg_state *dst_reg,
4603                                       struct bpf_reg_state src_reg)
4604 {
4605         struct bpf_reg_state *regs = cur_regs(env);
4606         u8 opcode = BPF_OP(insn->code);
4607         bool src_known, dst_known;
4608         s64 smin_val, smax_val;
4609         u64 umin_val, umax_val;
4610         u64 insn_bitness = (BPF_CLASS(insn->code) == BPF_ALU64) ? 64 : 32;
4611         u32 dst = insn->dst_reg;
4612         int ret;
4613 
4614         if (insn_bitness == 32) {
4615                 /* Relevant for 32-bit RSH: Information can propagate towards
4616                  * LSB, so it isn't sufficient to only truncate the output to
4617                  * 32 bits.
4618                  */
4619                 coerce_reg_to_size(dst_reg, 4);
4620                 coerce_reg_to_size(&src_reg, 4);
4621         }
4622 
4623         smin_val = src_reg.smin_value;
4624         smax_val = src_reg.smax_value;
4625         umin_val = src_reg.umin_value;
4626         umax_val = src_reg.umax_value;
4627         src_known = tnum_is_const(src_reg.var_off);
4628         dst_known = tnum_is_const(dst_reg->var_off);
4629 
4630         if ((src_known && (smin_val != smax_val || umin_val != umax_val)) ||
4631             smin_val > smax_val || umin_val > umax_val) {
4632                 /* Taint dst register if offset had invalid bounds derived from
4633                  * e.g. dead branches.
4634                  */
4635                 __mark_reg_unknown(env, dst_reg);
4636                 return 0;
4637         }
4638 
4639         if (!src_known &&
4640             opcode != BPF_ADD && opcode != BPF_SUB && opcode != BPF_AND) {
4641                 __mark_reg_unknown(env, dst_reg);
4642                 return 0;
4643         }
4644 
4645         switch (opcode) {
4646         case BPF_ADD:
4647                 ret = sanitize_val_alu(env, insn);
4648                 if (ret < 0) {
4649                         verbose(env, "R%d tried to add from different pointers or scalars\n", dst);
4650                         return ret;
4651                 }
4652                 if (signed_add_overflows(dst_reg->smin_value, smin_val) ||
4653                     signed_add_overflows(dst_reg->smax_value, smax_val)) {
4654                         dst_reg->smin_value = S64_MIN;
4655                         dst_reg->smax_value = S64_MAX;
4656                 } else {
4657                         dst_reg->smin_value += smin_val;
4658                         dst_reg->smax_value += smax_val;
4659                 }
4660                 if (dst_reg->umin_value + umin_val < umin_val ||
4661                     dst_reg->umax_value + umax_val < umax_val) {
4662                         dst_reg->umin_value = 0;
4663                         dst_reg->umax_value = U64_MAX;
4664                 } else {
4665                         dst_reg->umin_value += umin_val;
4666                         dst_reg->umax_value += umax_val;
4667                 }
4668                 dst_reg->var_off = tnum_add(dst_reg->var_off, src_reg.var_off);
4669                 break;
4670         case BPF_SUB:
4671                 ret = sanitize_val_alu(env, insn);
4672                 if (ret < 0) {
4673                         verbose(env, "R%d tried to sub from different pointers or scalars\n", dst);
4674                         return ret;
4675                 }
4676                 if (signed_sub_overflows(dst_reg->smin_value, smax_val) ||
4677                     signed_sub_overflows(dst_reg->smax_value, smin_val)) {
4678                         /* Overflow possible, we know nothing */
4679                         dst_reg->smin_value = S64_MIN;
4680                         dst_reg->smax_value = S64_MAX;
4681                 } else {
4682                         dst_reg->smin_value -= smax_val;
4683                         dst_reg->smax_value -= smin_val;
4684                 }
4685                 if (dst_reg->umin_value < umax_val) {
4686                         /* Overflow possible, we know nothing */
4687                         dst_reg->umin_value = 0;
4688                         dst_reg->umax_value = U64_MAX;
4689                 } else {
4690                         /* Cannot overflow (as long as bounds are consistent) */
4691                         dst_reg->umin_value -= umax_val;
4692                         dst_reg->umax_value -= umin_val;
4693                 }
4694                 dst_reg->var_off = tnum_sub(dst_reg->var_off, src_reg.var_off);
4695                 break;
4696         case BPF_MUL:
4697                 dst_reg->var_off = tnum_mul(dst_reg->var_off, src_reg.var_off);
4698                 if (smin_val < 0 || dst_reg->smin_value < 0) {
4699                         /* Ain't nobody got time to multiply that sign */
4700                         __mark_reg_unbounded(dst_reg);
4701                         __update_reg_bounds(dst_reg);
4702                         break;
4703                 }
4704                 /* Both values are positive, so we can work with unsigned and
4705                  * copy the result to signed (unless it exceeds S64_MAX).
4706                  */
4707                 if (umax_val > U32_MAX || dst_reg->umax_value > U32_MAX) {
4708                         /* Potential overflow, we know nothing */
4709                         __mark_reg_unbounded(dst_reg);
4710                         /* (except what we can learn from the var_off) */
4711                         __update_reg_bounds(dst_reg);
4712                         break;
4713                 }
4714                 dst_reg->umin_value *= umin_val;
4715                 dst_reg->umax_value *= umax_val;
4716                 if (dst_reg->umax_value > S64_MAX) {
4717                         /* Overflow possible, we know nothing */
4718                         dst_reg->smin_value = S64_MIN;
4719                         dst_reg->smax_value = S64_MAX;
4720                 } else {
4721                         dst_reg->smin_value = dst_reg->umin_value;
4722                         dst_reg->smax_value = dst_reg->umax_value;
4723                 }
4724                 break;
4725         case BPF_AND:
4726                 if (src_known && dst_known) {
4727                         __mark_reg_known(dst_reg, dst_reg->var_off.value &
4728                                                   src_reg.var_off.value);
4729                         break;
4730                 }
4731                 /* We get our minimum from the var_off, since that's inherently
4732                  * bitwise.  Our maximum is the minimum of the operands' maxima.
4733                  */
4734                 dst_reg->var_off = tnum_and(dst_reg->var_off, src_reg.var_off);
4735                 dst_reg->umin_value = dst_reg->var_off.value;
4736                 dst_reg->umax_value = min(dst_reg->umax_value, umax_val);
4737                 if (dst_reg->smin_value < 0 || smin_val < 0) {
4738                         /* Lose signed bounds when ANDing negative numbers,
4739                          * ain't nobody got time for that.
4740                          */
4741                         dst_reg->smin_value = S64_MIN;
4742                         dst_reg->smax_value = S64_MAX;
4743                 } else {
4744                         /* ANDing two positives gives a positive, so safe to
4745                          * cast result into s64.
4746                          */
4747                         dst_reg->smin_value = dst_reg->umin_value;
4748                         dst_reg->smax_value = dst_reg->umax_value;
4749                 }
4750                 /* We may learn something more from the var_off */
4751                 __update_reg_bounds(dst_reg);
4752                 break;
4753         case BPF_OR:
4754                 if (src_known && dst_known) {
4755                         __mark_reg_known(dst_reg, dst_reg->var_off.value |
4756                                                   src_reg.var_off.value);
4757                         break;
4758                 }
4759                 /* We get our maximum from the var_off, and our minimum is the
4760                  * maximum of the operands' minima
4761                  */
4762                 dst_reg->var_off = tnum_or(dst_reg->var_off, src_reg.var_off);
4763                 dst_reg->umin_value = max(dst_reg->umin_value, umin_val);
4764                 dst_reg->umax_value = dst_reg->var_off.value |
4765                                       dst_reg->var_off.mask;
4766                 if (dst_reg->smin_value < 0 || smin_val < 0) {
4767                         /* Lose signed bounds when ORing negative numbers,
4768                          * ain't nobody got time for that.
4769                          */
4770                         dst_reg->smin_value = S64_MIN;
4771                         dst_reg->smax_value = S64_MAX;
4772                 } else {
4773                         /* ORing two positives gives a positive, so safe to
4774                          * cast result into s64.
4775                          */
4776                         dst_reg->smin_value = dst_reg->umin_value;
4777                         dst_reg->smax_value = dst_reg->umax_value;
4778                 }
4779                 /* We may learn something more from the var_off */
4780                 __update_reg_bounds(dst_reg);
4781                 break;
4782         case BPF_LSH:
4783                 if (umax_val >= insn_bitness) {
4784                         /* Shifts greater than 31 or 63 are undefined.
4785                          * This includes shifts by a negative number.
4786                          */
4787                         mark_reg_unknown(env, regs, insn->dst_reg);
4788                         break;
4789                 }
4790                 /* We lose all sign bit information (except what we can pick
4791                  * up from var_off)
4792                  */
4793                 dst_reg->smin_value = S64_MIN;
4794                 dst_reg->smax_value = S64_MAX;
4795                 /* If we might shift our top bit out, then we know nothing */
4796                 if (dst_reg->umax_value > 1ULL << (63 - umax_val)) {
4797                         dst_reg->umin_value = 0;
4798                         dst_reg->umax_value = U64_MAX;
4799                 } else {
4800                         dst_reg->umin_value <<= umin_val;
4801                         dst_reg->umax_value <<= umax_val;
4802                 }
4803                 dst_reg->var_off = tnum_lshift(dst_reg->var_off, umin_val);
4804                 /* We may learn something more from the var_off */
4805                 __update_reg_bounds(dst_reg);
4806                 break;
4807         case BPF_RSH:
4808                 if (umax_val >= insn_bitness) {
4809                         /* Shifts greater than 31 or 63 are undefined.
4810                          * This includes shifts by a negative number.
4811                          */
4812                         mark_reg_unknown(env, regs, insn->dst_reg);
4813                         break;
4814                 }
4815                 /* BPF_RSH is an unsigned shift.  If the value in dst_reg might
4816                  * be negative, then either:
4817                  * 1) src_reg might be zero, so the sign bit of the result is
4818                  *    unknown, so we lose our signed bounds
4819                  * 2) it's known negative, thus the unsigned bounds capture the
4820                  *    signed bounds
4821                  * 3) the signed bounds cross zero, so they tell us nothing
4822                  *    about the result
4823                  * If the value in dst_reg is known nonnegative, then again the
4824                  * unsigned bounts capture the signed bounds.
4825                  * Thus, in all cases it suffices to blow away our signed bounds
4826                  * and rely on inferring new ones from the unsigned bounds and
4827                  * var_off of the result.
4828                  */
4829                 dst_reg->smin_value = S64_MIN;
4830                 dst_reg->smax_value = S64_MAX;
4831                 dst_reg->var_off = tnum_rshift(dst_reg->var_off, umin_val);
4832                 dst_reg->umin_value >>= umax_val;
4833                 dst_reg->umax_value >>= umin_val;
4834                 /* We may learn something more from the var_off */
4835                 __update_reg_bounds(dst_reg);
4836                 break;
4837         case BPF_ARSH:
4838                 if (umax_val >= insn_bitness) {
4839                         /* Shifts greater than 31 or 63 are undefined.
4840                          * This includes shifts by a negative number.
4841                          */
4842                         mark_reg_unknown(env, regs, insn->dst_reg);
4843                         break;
4844                 }
4845 
4846                 /* Upon reaching here, src_known is true and
4847                  * umax_val is equal to umin_val.
4848                  */
4849                 if (insn_bitness == 32) {
4850                         dst_reg->smin_value = (u32)(((s32)dst_reg->smin_value) >> umin_val);
4851                         dst_reg->smax_value = (u32)(((s32)dst_reg->smax_value) >> umin_val);
4852                 } else {
4853                         dst_reg->smin_value >>= umin_val;
4854                         dst_reg->smax_value >>= umin_val;
4855                 }
4856 
4857                 dst_reg->var_off = tnum_arshift(dst_reg->var_off, umin_val,
4858                                                 insn_bitness);
4859 
4860                 /* blow away the dst_reg umin_value/umax_value and rely on
4861                  * dst_reg var_off to refine the result.
4862                  */
4863                 dst_reg->umin_value = 0;
4864                 dst_reg->umax_value = U64_MAX;
4865                 __update_reg_bounds(dst_reg);
4866                 break;
4867         default:
4868                 mark_reg_unknown(env, regs, insn->dst_reg);
4869                 break;
4870         }
4871 
4872         if (BPF_CLASS(insn->code) != BPF_ALU64) {
4873                 /* 32-bit ALU ops are (32,32)->32 */
4874                 coerce_reg_to_size(dst_reg, 4);
4875         }
4876 
4877         __reg_deduce_bounds(dst_reg);
4878         __reg_bound_offset(dst_reg);
4879         return 0;
4880 }
4881 
4882 /* Handles ALU ops other than BPF_END, BPF_NEG and BPF_MOV: computes new min/max
4883  * and var_off.
4884  */
4885 static int adjust_reg_min_max_vals(struct bpf_verifier_env *env,
4886                                    struct bpf_insn *insn)
4887 {
4888         struct bpf_verifier_state *vstate = env->cur_state;
4889         struct bpf_func_state *state = vstate->frame[vstate->curframe];
4890         struct bpf_reg_state *regs = state->regs, *dst_reg, *src_reg;
4891         struct bpf_reg_state *ptr_reg = NULL, off_reg = {0};
4892         u8 opcode = BPF_OP(insn->code);
4893         int err;
4894 
4895         dst_reg = &regs[insn->dst_reg];
4896         src_reg = NULL;
4897         if (dst_reg->type != SCALAR_VALUE)
4898                 ptr_reg = dst_reg;
4899         if (BPF_SRC(insn->code) == BPF_X) {
4900                 src_reg = &regs[insn->src_reg];
4901                 if (src_reg->type != SCALAR_VALUE) {
4902                         if (dst_reg->type != SCALAR_VALUE) {
4903                                 /* Combining two pointers by any ALU op yields
4904                                  * an arbitrary scalar. Disallow all math except
4905                                  * pointer subtraction
4906                                  */
4907                                 if (opcode == BPF_SUB && env->allow_ptr_leaks) {
4908                                         mark_reg_unknown(env, regs, insn->dst_reg);
4909                                         return 0;
4910                                 }
4911                                 verbose(env, "R%d pointer %s pointer prohibited\n",
4912                                         insn->dst_reg,
4913                                         bpf_alu_string[opcode >> 4]);
4914                                 return -EACCES;
4915                         } else {
4916                                 /* scalar += pointer
4917                                  * This is legal, but we have to reverse our
4918                                  * src/dest handling in computing the range
4919                                  */
4920                                 err = mark_chain_precision(env, insn->dst_reg);
4921                                 if (err)
4922                                         return err;
4923                                 return adjust_ptr_min_max_vals(env, insn,
4924                                                                src_reg, dst_reg);
4925                         }
4926                 } else if (ptr_reg) {
4927                         /* pointer += scalar */
4928                         err = mark_chain_precision(env, insn->src_reg);
4929                         if (err)
4930                                 return err;
4931                         return adjust_ptr_min_max_vals(env, insn,
4932                                                        dst_reg, src_reg);
4933                 }
4934         } else {
4935                 /* Pretend the src is a reg with a known value, since we only
4936                  * need to be able to read from this state.
4937                  */
4938                 off_reg.type = SCALAR_VALUE;
4939                 __mark_reg_known(&off_reg, insn->imm);
4940                 src_reg = &off_reg;
4941                 if (ptr_reg) /* pointer += K */
4942                         return adjust_ptr_min_max_vals(env, insn,
4943                                                        ptr_reg, src_reg);
4944         }
4945 
4946         /* Got here implies adding two SCALAR_VALUEs */
4947         if (WARN_ON_ONCE(ptr_reg)) {
4948                 print_verifier_state(env, state);
4949                 verbose(env, "verifier internal error: unexpected ptr_reg\n");
4950                 return -EINVAL;
4951         }
4952         if (WARN_ON(!src_reg)) {
4953                 print_verifier_state(env, state);
4954                 verbose(env, "verifier internal error: no src_reg\n");
4955                 return -EINVAL;
4956         }
4957         return adjust_scalar_min_max_vals(env, insn, dst_reg, *src_reg);
4958 }
4959 
4960 /* check validity of 32-bit and 64-bit arithmetic operations */
4961 static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
4962 {
4963         struct bpf_reg_state *regs = cur_regs(env);
4964         u8 opcode = BPF_OP(insn->code);
4965         int err;
4966 
4967         if (opcode == BPF_END || opcode == BPF_NEG) {
4968                 if (opcode == BPF_NEG) {
4969                         if (BPF_SRC(insn->code) != 0 ||
4970                             insn->src_reg != BPF_REG_0 ||
4971                             insn->off != 0 || insn->imm != 0) {
4972                                 verbose(env, "BPF_NEG uses reserved fields\n");
4973                                 return -EINVAL;
4974                         }
4975                 } else {
4976                         if (insn->src_reg != BPF_REG_0 || insn->off != 0 ||
4977                             (insn->imm != 16 && insn->imm != 32 && insn->imm != 64) ||
4978                             BPF_CLASS(insn->code) == BPF_ALU64) {
4979                                 verbose(env, "BPF_END uses reserved fields\n");
4980                                 return -EINVAL;
4981                         }
4982                 }
4983 
4984                 /* check src operand */
4985                 err = check_reg_arg(env, insn->dst_reg, SRC_OP);
4986                 if (err)
4987                         return err;
4988 
4989                 if (is_pointer_value(env, insn->dst_reg)) {
4990                         verbose(env, "R%d pointer arithmetic prohibited\n",
4991                                 insn->dst_reg);
4992                         return -EACCES;
4993                 }
4994 
4995                 /* check dest operand */
4996                 err = check_reg_arg(env, insn->dst_reg, DST_OP);
4997                 if (err)
4998                         return err;
4999 
5000         } else if (opcode == BPF_MOV) {
5001 
5002                 if (BPF_SRC(insn->code) == BPF_X) {
5003                         if (insn->imm != 0 || insn->off != 0) {
5004                                 verbose(env, "BPF_MOV uses reserved fields\n");
5005                                 return -EINVAL;
5006                         }
5007 
5008                         /* check src operand */
5009                         err = check_reg_arg(env, insn->src_reg, SRC_OP);
5010                         if (err)
5011                                 return err;
5012                 } else {
5013                         if (insn->src_reg != BPF_REG_0 || insn->off != 0) {
5014                                 verbose(env, "BPF_MOV uses reserved fields\n");
5015                                 return -EINVAL;
5016                         }
5017                 }
5018 
5019                 /* check dest operand, mark as required later */
5020                 err = check_reg_arg(env, insn->dst_reg, DST_OP_NO_MARK);
5021                 if (err)
5022                         return err;
5023 
5024                 if (BPF_SRC(insn->code) == BPF_X) {
5025                         struct bpf_reg_state *src_reg = regs + insn->src_reg;
5026                         struct bpf_reg_state *dst_reg = regs + insn->dst_reg;
5027 
5028                         if (BPF_CLASS(insn->code) == BPF_ALU64) {
5029                                 /* case: R1 = R2
5030                                  * copy register state to dest reg
5031                                  */
5032                                 *dst_reg = *src_reg;
5033                                 dst_reg->live |= REG_LIVE_WRITTEN;
5034                                 dst_reg->subreg_def = DEF_NOT_SUBREG;
5035                         } else {
5036                                 /* R1 = (u32) R2 */
5037                                 if (is_pointer_value(env, insn->src_reg)) {
5038                                         verbose(env,
5039                                                 "R%d partial copy of pointer\n",
5040                                                 insn->src_reg);
5041                                         return -EACCES;
5042                                 } else if (src_reg->type == SCALAR_VALUE) {
5043                                         *dst_reg = *src_reg;
5044                                         dst_reg->live |= REG_LIVE_WRITTEN;
5045                                         dst_reg->subreg_def = env->insn_idx + 1;
5046                                 } else {
5047                                         mark_reg_unknown(env, regs,
5048                                                          insn->dst_reg);
5049                                 }
5050                                 coerce_reg_to_size(dst_reg, 4);
5051                         }
5052                 } else {
5053                         /* case: R = imm
5054                          * remember the value we stored into this reg
5055                          */
5056                         /* clear any state __mark_reg_known doesn't set */
5057                         mark_reg_unknown(env, regs, insn->dst_reg);
5058                         regs[insn->dst_reg].type = SCALAR_VALUE;
5059                         if (BPF_CLASS(insn->code) == BPF_ALU64) {
5060                                 __mark_reg_known(regs + insn->dst_reg,
5061                                                  insn->imm);
5062                         } else {
5063                                 __mark_reg_known(regs + insn->dst_reg,
5064                                                  (u32)insn->imm);
5065                         }
5066                 }
5067 
5068         } else if (opcode > BPF_END) {
5069                 verbose(env, "invalid BPF_ALU opcode %x\n", opcode);
5070                 return -EINVAL;
5071 
5072         } else {        /* all other ALU ops: and, sub, xor, add, ... */
5073 
5074                 if (BPF_SRC(insn->code) == BPF_X) {
5075                         if (insn->imm != 0 || insn->off != 0) {
5076                                 verbose(env, "BPF_ALU uses reserved fields\n");
5077                                 return -EINVAL;
5078                         }
5079                         /* check src1 operand */
5080                         err = check_reg_arg(env, insn->src_reg, SRC_OP);
5081                         if (err)
5082                                 return err;
5083                 } else {
5084                         if (insn->src_reg != BPF_REG_0 || insn->off != 0) {
5085                                 verbose(env, "BPF_ALU uses reserved fields\n");
5086                                 return -EINVAL;
5087                         }
5088                 }
5089 
5090                 /* check src2 operand */
5091                 err = check_reg_arg(env, insn->dst_reg, SRC_OP);
5092                 if (err)
5093                         return err;
5094 
5095                 if ((opcode == BPF_MOD || opcode == BPF_DIV) &&
5096                     BPF_SRC(insn->code) == BPF_K && insn->imm == 0) {
5097                         verbose(env, "div by zero\n");
5098                         return -EINVAL;
5099                 }
5100 
5101                 if ((opcode == BPF_LSH || opcode == BPF_RSH ||
5102                      opcode == BPF_ARSH) && BPF_SRC(insn->code) == BPF_K) {
5103                         int size = BPF_CLASS(insn->code) == BPF_ALU64 ? 64 : 32;
5104 
5105                         if (insn->imm < 0 || insn->imm >= size) {
5106                                 verbose(env, "invalid shift %d\n", insn->imm);
5107                                 return -EINVAL;
5108                         }
5109                 }
5110 
5111                 /* check dest operand */
5112                 err = check_reg_arg(env, insn->dst_reg, DST_OP_NO_MARK);
5113                 if (err)
5114                         return err;
5115 
5116                 return adjust_reg_min_max_vals(env, insn);
5117         }
5118 
5119         return 0;
5120 }
5121 
5122 static void __find_good_pkt_pointers(struct bpf_func_state *state,
5123                                      struct bpf_reg_state *dst_reg,
5124                                      enum bpf_reg_type type, u16 new_range)
5125 {
5126         struct bpf_reg_state *reg;
5127         int i;
5128 
5129         for (i = 0; i < MAX_BPF_REG; i++) {
5130                 reg = &state->regs[i];
5131                 if (reg->type == type && reg->id == dst_reg->id)
5132                         /* keep the maximum range already checked */
5133                         reg->range = max(reg->range, new_range);
5134         }
5135 
5136         bpf_for_each_spilled_reg(i, state, reg) {
5137                 if (!reg)
5138                         continue;
5139                 if (reg->type == type && reg->id == dst_reg->id)
5140                         reg->range = max(reg->range, new_range);
5141         }
5142 }
5143 
5144 static void find_good_pkt_pointers(struct bpf_verifier_state *vstate,
5145                                    struct bpf_reg_state *dst_reg,
5146                                    enum bpf_reg_type type,
5147                                    bool range_right_open)
5148 {
5149         u16 new_range;
5150         int i;
5151 
5152         if (dst_reg->off < 0 ||
5153             (dst_reg->off == 0 && range_right_open))
5154                 /* This doesn't give us any range */
5155                 return;
5156 
5157         if (dst_reg->umax_value > MAX_PACKET_OFF ||
5158             dst_reg->umax_value + dst_reg->off > MAX_PACKET_OFF)
5159                 /* Risk of overflow.  For instance, ptr + (1<<63) may be less
5160                  * than pkt_end, but that's because it's also less than pkt.
5161                  */
5162                 return;
5163 
5164         new_range = dst_reg->off;
5165         if (range_right_open)
5166                 new_range--;
5167 
5168         /* Examples for register markings:
5169          *
5170          * pkt_data in dst register:
5171          *
5172          *   r2 = r3;
5173          *   r2 += 8;
5174          *   if (r2 > pkt_end) goto <handle exception>
5175          *   <access okay>
5176          *
5177          *   r2 = r3;
5178          *   r2 += 8;
5179          *   if (r2 < pkt_end) goto <access okay>
5180          *   <handle exception>
5181          *
5182          *   Where:
5183          *     r2 == dst_reg, pkt_end == src_reg
5184          *     r2=pkt(id=n,off=8,r=0)
5185          *     r3=pkt(id=n,off=0,r=0)
5186          *
5187          * pkt_data in src register:
5188          *
5189          *   r2 = r3;
5190          *   r2 += 8;
5191          *   if (pkt_end >= r2) goto <access okay>
5192          *   <handle exception>
5193          *
5194          *   r2 = r3;
5195          *   r2 += 8;
5196          *   if (pkt_end <= r2) goto <handle exception>
5197          *   <access okay>
5198          *
5199          *   Where:
5200          *     pkt_end == dst_reg, r2 == src_reg
5201          *     r2=pkt(id=n,off=8,r=0)
5202          *     r3=pkt(id=n,off=0,r=0)
5203          *
5204          * Find register r3 and mark its range as r3=pkt(id=n,off=0,r=8)
5205          * or r3=pkt(id=n,off=0,r=8-1), so that range of bytes [r3, r3 + 8)
5206          * and [r3, r3 + 8-1) respectively is safe to access depending on
5207          * the check.
5208          */
5209 
5210         /* If our ids match, then we must have the same max_value.  And we
5211          * don't care about the other reg's fixed offset, since if it's too big
5212          * the range won't allow anything.
5213          * dst_reg->off is known < MAX_PACKET_OFF, therefore it fits in a u16.
5214          */
5215         for (i = 0; i <= vstate->curframe; i++)
5216                 __find_good_pkt_pointers(vstate->frame[i], dst_reg, type,
5217                                          new_range);
5218 }
5219 
5220 /* compute branch direction of the expression "if (reg opcode val) goto target;"
5221  * and return:
5222  *  1 - branch will be taken and "goto target" will be executed
5223  *  0 - branch will not be taken and fall-through to next insn
5224  * -1 - unknown. Example: "if (reg < 5)" is unknown when register value range [0,10]
5225  */
5226 static int is_branch_taken(struct bpf_reg_state *reg, u64 val, u8 opcode,
5227                            bool is_jmp32)
5228 {
5229         struct bpf_reg_state reg_lo;
5230         s64 sval;
5231 
5232         if (__is_pointer_value(false, reg))
5233                 return -1;
5234 
5235         if (is_jmp32) {
5236                 reg_lo = *reg;
5237                 reg = &reg_lo;
5238                 /* For JMP32, only low 32 bits are compared, coerce_reg_to_size
5239                  * could truncate high bits and update umin/umax according to
5240                  * information of low bits.
5241                  */
5242                 coerce_reg_to_size(reg, 4);
5243                 /* smin/smax need special handling. For example, after coerce,
5244                  * if smin_value is 0x00000000ffffffffLL, the value is -1 when
5245                  * used as operand to JMP32. It is a negative number from s32's
5246                  * point of view, while it is a positive number when seen as
5247                  * s64. The smin/smax are kept as s64, therefore, when used with
5248                  * JMP32, they need to be transformed into s32, then sign
5249                  * extended back to s64.
5250                  *
5251                  * Also, smin/smax were copied from umin/umax. If umin/umax has
5252                  * different sign bit, then min/max relationship doesn't
5253                  * maintain after casting into s32, for this case, set smin/smax
5254                  * to safest range.
5255                  */
5256                 if ((reg->umax_value ^ reg->umin_value) &
5257                     (1ULL << 31)) {
5258                         reg->smin_value = S32_MIN;
5259                         reg->smax_value = S32_MAX;
5260                 }
5261                 reg->smin_value = (s64)(s32)reg->smin_value;
5262                 reg->smax_value = (s64)(s32)reg->smax_value;
5263 
5264                 val = (u32)val;
5265                 sval = (s64)(s32)val;
5266         } else {
5267                 sval = (s64)val;
5268         }
5269 
5270         switch (opcode) {
5271         case BPF_JEQ:
5272                 if (tnum_is_const(reg->var_off))
5273                         return !!tnum_equals_const(reg->var_off, val);
5274                 break;
5275         case BPF_JNE:
5276                 if (tnum_is_const(reg->var_off))
5277                         return !tnum_equals_const(reg->var_off, val);
5278                 break;
5279         case BPF_JSET:
5280                 if ((~reg->var_off.mask & reg->var_off.value) & val)
5281                         return 1;
5282                 if (!((reg->var_off.mask | reg->var_off.value) & val))
5283                         return 0;
5284                 break;
5285         case BPF_JGT:
5286                 if (reg->umin_value > val)
5287                         return 1;
5288                 else if (reg->umax_value <= val)
5289                         return 0;
5290                 break;
5291         case BPF_JSGT:
5292                 if (reg->smin_value > sval)
5293                         return 1;
5294                 else if (reg->smax_value < sval)
5295                         return 0;
5296                 break;
5297         case BPF_JLT:
5298                 if (reg->umax_value < val)
5299                         return 1;
5300                 else if (reg->umin_value >= val)
5301                         return 0;
5302                 break;
5303         case BPF_JSLT:
5304                 if (reg->smax_value < sval)
5305                         return 1;
5306                 else if (reg->smin_value >= sval)
5307                         return 0;
5308                 break;
5309         case BPF_JGE:
5310                 if (reg->umin_value >= val)
5311                         return 1;
5312                 else if (reg->umax_value < val)
5313                         return 0;
5314                 break;
5315         case BPF_JSGE:
5316                 if (reg->smin_value >= sval)
5317                         return 1;
5318                 else if (reg->smax_value < sval)
5319                         return 0;
5320                 break;
5321         case BPF_JLE:
5322                 if (reg->umax_value <= val)
5323                         return 1;
5324                 else if (reg->umin_value > val)
5325                         return 0;
5326                 break;
5327         case BPF_JSLE:
5328                 if (reg->smax_value <= sval)
5329                         return 1;
5330                 else if (reg->smin_value > sval)
5331                         return 0;
5332                 break;
5333         }
5334 
5335         return -1;
5336 }
5337 
5338 /* Generate min value of the high 32-bit from TNUM info. */
5339 static u64 gen_hi_min(struct tnum var)
5340 {
5341         return var.value & ~0xffffffffULL;
5342 }
5343 
5344 /* Generate max value of the high 32-bit from TNUM info. */
5345 static u64 gen_hi_max(struct tnum var)
5346 {
5347         return (var.value | var.mask) & ~0xffffffffULL;
5348 }
5349 
5350 /* Return true if VAL is compared with a s64 sign extended from s32, and they
5351  * are with the same signedness.
5352  */
5353 static bool cmp_val_with_extended_s64(s64 sval, struct bpf_reg_state *reg)
5354 {
5355         return ((s32)sval >= 0 &&
5356                 reg->smin_value >= 0 && reg->smax_value <= S32_MAX) ||
5357                ((s32)sval < 0 &&
5358                 reg->smax_value <= 0 && reg->smin_value >= S32_MIN);
5359 }
5360 
5361 /* Constrain the possible values of @reg with unsigned upper bound @bound.
5362  * If @is_exclusive, @bound is an exclusive limit, otherwise it is inclusive.
5363  * If @is_jmp32, @bound is a 32-bit value that only constrains the low 32 bits
5364  * of @reg.
5365  */
5366 static void set_upper_bound(struct bpf_reg_state *reg, u64 bound, bool is_jmp32,
5367                             bool is_exclusive)
5368 {
5369         if (is_exclusive) {
5370                 /* There are no values for `reg` that make `reg<0` true. */
5371                 if (bound == 0)
5372                         return;
5373                 bound--;
5374         }
5375         if (is_jmp32) {
5376                 /* Constrain the register's value in the tnum representation.
5377                  * For 64-bit comparisons this happens later in
5378                  * __reg_bound_offset(), but for 32-bit comparisons, we can be
5379                  * more precise than what can be derived from the updated
5380                  * numeric bounds.
5381                  */
5382                 struct tnum t = tnum_range(0, bound);
5383 
5384                 t.mask |= ~0xffffffffULL; /* upper half is unknown */
5385                 reg->var_off = tnum_intersect(reg->var_off, t);
5386 
5387                 /* Compute the 64-bit bound from the 32-bit bound. */
5388                 bound += gen_hi_max(reg->var_off);
5389         }
5390         reg->umax_value = min(reg->umax_value, bound);
5391 }
5392 
5393 /* Constrain the possible values of @reg with unsigned lower bound @bound.
5394  * If @is_exclusive, @bound is an exclusive limit, otherwise it is inclusive.
5395  * If @is_jmp32, @bound is a 32-bit value that only constrains the low 32 bits
5396  * of @reg.
5397  */
5398 static void set_lower_bound(struct bpf_reg_state *reg, u64 bound, bool is_jmp32,
5399                             bool is_exclusive)
5400 {
5401         if (is_exclusive) {
5402                 /* There are no values for `reg` that make `reg>MAX` true. */
5403                 if (bound == (is_jmp32 ? U32_MAX : U64_MAX))
5404                         return;
5405                 bound++;
5406         }
5407         if (is_jmp32) {
5408                 /* Constrain the register's value in the tnum representation.
5409                  * For 64-bit comparisons this happens later in
5410                  * __reg_bound_offset(), but for 32-bit comparisons, we can be
5411                  * more precise than what can be derived from the updated
5412                  * numeric bounds.
5413                  */
5414                 struct tnum t = tnum_range(bound, U32_MAX);
5415 
5416                 t.mask |= ~0xffffffffULL; /* upper half is unknown */
5417                 reg->var_off = tnum_intersect(reg->var_off, t);
5418 
5419                 /* Compute the 64-bit bound from the 32-bit bound. */
5420                 bound += gen_hi_min(reg->var_off);
5421         }
5422         reg->umin_value = max(reg->umin_value, bound);
5423 }
5424 
5425 /* Adjusts the register min/max values in the case that the dst_reg is the
5426  * variable register that we are working on, and src_reg is a constant or we're
5427  * simply doing a BPF_K check.
5428  * In JEQ/JNE cases we also adjust the var_off values.
5429  */
5430 static void reg_set_min_max(struct bpf_reg_state *true_reg,
5431                             struct bpf_reg_state *false_reg, u64 val,
5432                             u8 opcode, bool is_jmp32)
5433 {
5434         s64 sval;
5435 
5436         /* If the dst_reg is a pointer, we can't learn anything about its
5437          * variable offset from the compare (unless src_reg were a pointer into
5438          * the same object, but we don't bother with that.
5439          * Since false_reg and true_reg have the same type by construction, we
5440          * only need to check one of them for pointerness.
5441          */
5442         if (__is_pointer_value(false, false_reg))
5443                 return;
5444 
5445         val = is_jmp32 ? (u32)val : val;
5446         sval = is_jmp32 ? (s64)(s32)val : (s64)val;
5447 
5448         switch (opcode) {
5449         case BPF_JEQ:
5450         case BPF_JNE:
5451         {
5452                 struct bpf_reg_state *reg =
5453                         opcode == BPF_JEQ ? true_reg : false_reg;
5454 
5455                 /* For BPF_JEQ, if this is false we know nothing Jon Snow, but
5456                  * if it is true we know the value for sure. Likewise for
5457                  * BPF_JNE.
5458                  */
5459                 if (is_jmp32) {
5460                         u64 old_v = reg->var_off.value;
5461                         u64 hi_mask = ~0xffffffffULL;
5462 
5463                         reg->var_off.value = (old_v & hi_mask) | val;
5464                         reg->var_off.mask &= hi_mask;
5465                 } else {
5466                         __mark_reg_known(reg, val);
5467                 }
5468                 break;
5469         }
5470         case BPF_JSET:
5471                 false_reg->var_off = tnum_and(false_reg->var_off,
5472                                               tnum_const(~val));
5473                 if (is_power_of_2(val))
5474                         true_reg->var_off = tnum_or(true_reg->var_off,
5475                                                     tnum_const(val));
5476                 break;
5477         case BPF_JGE:
5478         case BPF_JGT:
5479         {
5480                 set_upper_bound(false_reg, val, is_jmp32, opcode == BPF_JGE);
5481                 set_lower_bound(true_reg, val, is_jmp32, opcode == BPF_JGT);
5482                 break;
5483         }
5484         case BPF_JSGE:
5485         case BPF_JSGT:
5486         {
5487                 s64 false_smax = opcode == BPF_JSGT ? sval    : sval - 1;
5488                 s64 true_smin = opcode == BPF_JSGT ? sval + 1 : sval;
5489 
5490                 /* If the full s64 was not sign-extended from s32 then don't
5491                  * deduct further info.
5492                  */
5493                 if (is_jmp32 && !cmp_val_with_extended_s64(sval, false_reg))
5494                         break;
5495                 false_reg->smax_value = min(false_reg->smax_value, false_smax);
5496                 true_reg->smin_value = max(true_reg->smin_value, true_smin);
5497                 break;
5498         }
5499         case BPF_JLE:
5500         case BPF_JLT:
5501         {
5502                 set_lower_bound(false_reg, val, is_jmp32, opcode == BPF_JLE);
5503                 set_upper_bound(true_reg, val, is_jmp32, opcode == BPF_JLT);
5504                 break;
5505         }
5506         case BPF_JSLE:
5507         case BPF_JSLT:
5508         {
5509                 s64 false_smin = opcode == BPF_JSLT ? sval    : sval + 1;
5510                 s64 true_smax = opcode == BPF_JSLT ? sval - 1 : sval;
5511 
5512                 if (is_jmp32 && !cmp_val_with_extended_s64(sval, false_reg))
5513                         break;
5514                 false_reg->smin_value = max(false_reg->smin_value, false_smin);
5515                 true_reg->smax_value = min(true_reg->smax_value, true_smax);
5516                 break;
5517         }
5518         default:
5519                 break;
5520         }
5521 
5522         __reg_deduce_bounds(false_reg);
5523         __reg_deduce_bounds(true_reg);
5524         /* We might have learned some bits from the bounds. */
5525         __reg_bound_offset(false_reg);
5526         __reg_bound_offset(true_reg);
5527         /* Intersecting with the old var_off might have improved our bounds
5528          * slightly.  e.g. if umax was 0x7f...f and var_off was (0; 0xf...fc),
5529          * then new var_off is (0; 0x7f...fc) which improves our umax.
5530          */
5531         __update_reg_bounds(false_reg);
5532         __update_reg_bounds(true_reg);
5533 }
5534 
5535 /* Same as above, but for the case that dst_reg holds a constant and src_reg is
5536  * the variable reg.
5537  */
5538 static void reg_set_min_max_inv(struct bpf_reg_state *true_reg,
5539                                 struct bpf_reg_state *false_reg, u64 val,
5540                                 u8 opcode, bool is_jmp32)
5541 {
5542         s64 sval;
5543 
5544         if (__is_pointer_value(false, false_reg))
5545                 return;
5546 
5547         val = is_jmp32 ? (u32)val : val;
5548         sval = is_jmp32 ? (s64)(s32)val : (s64)val;
5549 
5550         switch (opcode) {
5551         case BPF_JEQ:
5552         case BPF_JNE:
5553         {
5554                 struct bpf_reg_state *reg =
5555                         opcode == BPF_JEQ ? true_reg : false_reg;
5556 
5557                 if (is_jmp32) {
5558                         u64 old_v = reg->var_off.value;
5559                         u64 hi_mask = ~0xffffffffULL;
5560 
5561                         reg->var_off.value = (old_v & hi_mask) | val;
5562                         reg->var_off.mask &= hi_mask;
5563                 } else {
5564                         __mark_reg_known(reg, val);
5565                 }
5566                 break;
5567         }
5568         case BPF_JSET:
5569                 false_reg->var_off = tnum_and(false_reg->var_off,
5570                                               tnum_const(~val));
5571                 if (is_power_of_2(val))
5572                         true_reg->var_off = tnum_or(true_reg->var_off,
5573                                                     tnum_const(val));
5574                 break;
5575         case BPF_JGE:
5576         case BPF_JGT:
5577         {
5578                 set_lower_bound(false_reg, val, is_jmp32, opcode == BPF_JGE);
5579                 set_upper_bound(true_reg, val, is_jmp32, opcode == BPF_JGT);
5580                 break;
5581         }
5582         case BPF_JSGE:
5583         case BPF_JSGT:
5584         {
5585                 s64 false_smin = opcode == BPF_JSGT ? sval    : sval + 1;
5586                 s64 true_smax = opcode == BPF_JSGT ? sval - 1 : sval;
5587 
5588                 if (is_jmp32 && !cmp_val_with_extended_s64(sval, false_reg))
5589                         break;
5590                 false_reg->smin_value = max(false_reg->smin_value, false_smin);
5591                 true_reg->smax_value = min(true_reg->smax_value, true_smax);
5592                 break;
5593         }
5594         case BPF_JLE:
5595         case BPF_JLT:
5596         {
5597                 set_upper_bound(false_reg, val, is_jmp32, opcode == BPF_JLE);
5598                 set_lower_bound(true_reg, val, is_jmp32, opcode == BPF_JLT);
5599                 break;
5600         }
5601         case BPF_JSLE:
5602         case BPF_JSLT:
5603         {
5604                 s64 false_smax = opcode == BPF_JSLT ? sval    : sval - 1;
5605                 s64 true_smin = opcode == BPF_JSLT ? sval + 1 : sval;
5606 
5607                 if (is_jmp32 && !cmp_val_with_extended_s64(sval, false_reg))
5608                         break;
5609                 false_reg->smax_value = min(false_reg->smax_value, false_smax);
5610                 true_reg->smin_value = max(true_reg->smin_value, true_smin);
5611                 break;
5612         }
5613         default:
5614                 break;
5615         }
5616 
5617         __reg_deduce_bounds(false_reg);
5618         __reg_deduce_bounds(true_reg);
5619         /* We might have learned some bits from the bounds. */
5620         __reg_bound_offset(false_reg);
5621         __reg_bound_offset(true_reg);
5622         /* Intersecting with the old var_off might have improved our bounds
5623          * slightly.  e.g. if umax was 0x7f...f and var_off was (0; 0xf...fc),
5624          * then new var_off is (0; 0x7f...fc) which improves our umax.
5625          */
5626         __update_reg_bounds(false_reg);
5627         __update_reg_bounds(true_reg);
5628 }
5629 
5630 /* Regs are known to be equal, so intersect their min/max/var_off */
5631 static void __reg_combine_min_max(struct bpf_reg_state *src_reg,
5632                                   struct bpf_reg_state *dst_reg)
5633 {
5634         src_reg->umin_value = dst_reg->umin_value = max(src_reg->umin_value,
5635                                                         dst_reg->umin_value);
5636         src_reg->umax_value = dst_reg->umax_value = min(src_reg->umax_value,
5637                                                         dst_reg->umax_value);
5638         src_reg->smin_value = dst_reg->smin_value = max(src_reg->smin_value,
5639                                                         dst_reg->smin_value);
5640         src_reg->smax_value = dst_reg->smax_value = min(src_reg->smax_value,
5641                                                         dst_reg->smax_value);
5642         src_reg->var_off = dst_reg->var_off = tnum_intersect(src_reg->var_off,
5643                                                              dst_reg->var_off);
5644         /* We might have learned new bounds from the var_off. */
5645         __update_reg_bounds(src_reg);
5646         __update_reg_bounds(dst_reg);
5647         /* We might have learned something about the sign bit. */
5648         __reg_deduce_bounds(src_reg);
5649         __reg_deduce_bounds(dst_reg);
5650         /* We might have learned some bits from the bounds. */
5651         __reg_bound_offset(src_reg);
5652         __reg_bound_offset(dst_reg);
5653         /* Intersecting with the old var_off might have improved our bounds
5654          * slightly.  e.g. if umax was 0x7f...f and var_off was (0; 0xf...fc),
5655          * then new var_off is (0; 0x7f...fc) which improves our umax.
5656          */
5657         __update_reg_bounds(src_reg);
5658         __update_reg_bounds(dst_reg);
5659 }
5660 
5661 static void reg_combine_min_max(struct bpf_reg_state *true_src,
5662                                 struct bpf_reg_state *true_dst,
5663                                 struct bpf_reg_state *false_src,
5664                                 struct bpf_reg_state *false_dst,
5665                                 u8 opcode)
5666 {
5667         switch (opcode) {
5668         case BPF_JEQ:
5669                 __reg_combine_min_max(true_src, true_dst);
5670                 break;
5671         case BPF_JNE:
5672                 __reg_combine_min_max(false_src, false_dst);
5673                 break;
5674         }
5675 }
5676 
5677 static void mark_ptr_or_null_reg(struct bpf_func_state *state,
5678                                  struct bpf_reg_state *reg, u32 id,
5679                                  bool is_null)
5680 {
5681         if (reg_type_may_be_null(reg->type) && reg->id == id) {
5682                 /* Old offset (both fixed and variable parts) should
5683                  * have been known-zero, because we don't allow pointer
5684                  * arithmetic on pointers that might be NULL.
5685                  */
5686                 if (WARN_ON_ONCE(reg->smin_value || reg->smax_value ||
5687                                  !tnum_equals_const(reg->var_off, 0) ||
5688                                  reg->off)) {
5689                         __mark_reg_known_zero(reg);
5690                         reg->off = 0;
5691                 }
5692                 if (is_null) {
5693                         reg->type = SCALAR_VALUE;
5694                 } else if (reg->type == PTR_TO_MAP_VALUE_OR_NULL) {
5695                         if (reg->map_ptr->inner_map_meta) {
5696                                 reg->type = CONST_PTR_TO_MAP;
5697                                 reg->map_ptr = reg->map_ptr->inner_map_meta;
5698                         } else if (reg->map_ptr->map_type ==
5699                                    BPF_MAP_TYPE_XSKMAP) {
5700                                 reg->type = PTR_TO_XDP_SOCK;
5701                         } else {
5702                                 reg->type = PTR_TO_MAP_VALUE;
5703                         }
5704                 } else if (reg->type == PTR_TO_SOCKET_OR_NULL) {
5705                         reg->type = PTR_TO_SOCKET;
5706                 } else if (reg->type == PTR_TO_SOCK_COMMON_OR_NULL) {
5707                         reg->type = PTR_TO_SOCK_COMMON;
5708                 } else if (reg->type == PTR_TO_TCP_SOCK_OR_NULL) {
5709                         reg->type = PTR_TO_TCP_SOCK;
5710                 }
5711                 if (is_null) {
5712                         /* We don't need id and ref_obj_id from this point
5713                          * onwards anymore, thus we should better reset it,
5714                          * so that state pruning has chances to take effect.
5715                          */
5716                         reg->id = 0;
5717                         reg->ref_obj_id = 0;
5718                 } else if (!reg_may_point_to_spin_lock(reg)) {
5719                         /* For not-NULL ptr, reg->ref_obj_id will be reset
5720                          * in release_reg_references().
5721                          *
5722                          * reg->id is still used by spin_lock ptr. Other
5723                          * than spin_lock ptr type, reg->id can be reset.
5724                          */
5725                         reg->id = 0;
5726                 }
5727         }
5728 }
5729 
5730 static void __mark_ptr_or_null_regs(struct bpf_func_state *state, u32 id,
5731                                     bool is_null)
5732 {
5733         struct bpf_reg_state *reg;
5734         int i;
5735 
5736         for (i = 0; i < MAX_BPF_REG; i++)
5737                 mark_ptr_or_null_reg(state, &state->regs[i], id, is_null);
5738 
5739         bpf_for_each_spilled_reg(i, state, reg) {
5740                 if (!reg)
5741                         continue;
5742                 mark_ptr_or_null_reg(state, reg, id, is_null);
5743         }
5744 }
5745 
5746 /* The logic is similar to find_good_pkt_pointers(), both could eventually
5747  * be folded together at some point.
5748  */
5749 static void mark_ptr_or_null_regs(struct bpf_verifier_state *vstate, u32 regno,
5750                                   bool is_null)
5751 {
5752         struct bpf_func_state *state = vstate->frame[vstate->curframe];
5753         struct bpf_reg_state *regs = state->regs;
5754         u32 ref_obj_id = regs[regno].ref_obj_id;
5755         u32 id = regs[regno].id;
5756         int i;
5757 
5758         if (ref_obj_id && ref_obj_id == id && is_null)
5759                 /* regs[regno] is in the " == NULL" branch.
5760                  * No one could have freed the reference state before
5761                  * doing the NULL check.
5762                  */
5763                 WARN_ON_ONCE(release_reference_state(state, id));
5764 
5765         for (i = 0; i <= vstate->curframe; i++)
5766                 __mark_ptr_or_null_regs(vstate->frame[i], id, is_null);
5767 }
5768 
5769 static bool try_match_pkt_pointers(const struct bpf_insn *insn,
5770                                    struct bpf_reg_state *dst_reg,
5771                                    struct bpf_reg_state *src_reg,
5772                                    struct bpf_verifier_state *this_branch,
5773                                    struct bpf_verifier_state *other_branch)
5774 {
5775         if (BPF_SRC(insn->code) != BPF_X)
5776                 return false;
5777 
5778         /* Pointers are always 64-bit. */
5779         if (BPF_CLASS(insn->code) == BPF_JMP32)
5780                 return false;
5781 
5782         switch (BPF_OP(insn->code)) {
5783         case BPF_JGT:
5784                 if ((dst_reg->type == PTR_TO_PACKET &&
5785                      src_reg->type == PTR_TO_PACKET_END) ||
5786                     (dst_reg->type == PTR_TO_PACKET_META &&
5787                      reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) {
5788                         /* pkt_data' > pkt_end, pkt_meta' > pkt_data */
5789                         find_good_pkt_pointers(this_branch, dst_reg,
5790                                                dst_reg->type, false);
5791                 } else if ((dst_reg->type == PTR_TO_PACKET_END &&
5792                             src_reg->type == PTR_TO_PACKET) ||
5793                            (reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) &&
5794                             src_reg->type == PTR_TO_PACKET_META)) {
5795                         /* pkt_end > pkt_data', pkt_data > pkt_meta' */
5796                         find_good_pkt_pointers(other_branch, src_reg,
5797                                                src_reg->type, true);
5798                 } else {
5799                         return false;
5800                 }
5801                 break;
5802         case BPF_JLT:
5803                 if ((dst_reg->type == PTR_TO_PACKET &&
5804                      src_reg->type == PTR_TO_PACKET_END) ||
5805                     (dst_reg->type == PTR_TO_PACKET_META &&
5806                      reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) {
5807                         /* pkt_data' < pkt_end, pkt_meta' < pkt_data */
5808                         find_good_pkt_pointers(other_branch, dst_reg,
5809                                                dst_reg->type, true);
5810                 } else if ((dst_reg->type == PTR_TO_PACKET_END &&
5811                             src_reg->type == PTR_TO_PACKET) ||
5812                            (reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) &&
5813                             src_reg->type == PTR_TO_PACKET_META)) {
5814                         /* pkt_end < pkt_data', pkt_data > pkt_meta' */
5815                         find_good_pkt_pointers(this_branch, src_reg,
5816                                                src_reg->type, false);
5817                 } else {
5818                         return false;
5819                 }
5820                 break;
5821         case BPF_JGE:
5822                 if ((dst_reg->type == PTR_TO_PACKET &&
5823                      src_reg->type == PTR_TO_PACKET_END) ||
5824                     (dst_reg->type == PTR_TO_PACKET_META &&
5825                      reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) {
5826                         /* pkt_data' >= pkt_end, pkt_meta' >= pkt_data */
5827                         find_good_pkt_pointers(this_branch, dst_reg,
5828                                                dst_reg->type, true);
5829                 } else if ((dst_reg->type == PTR_TO_PACKET_END &&
5830                             src_reg->type == PTR_TO_PACKET) ||
5831                            (reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) &&
5832                             src_reg->type == PTR_TO_PACKET_META)) {
5833                         /* pkt_end >= pkt_data', pkt_data >= pkt_meta' */
5834                         find_good_pkt_pointers(other_branch, src_reg,
5835                                                src_reg->type, false);
5836                 } else {
5837                         return false;
5838                 }
5839                 break;
5840         case BPF_JLE:
5841                 if ((dst_reg->type == PTR_TO_PACKET &&
5842                      src_reg->type == PTR_TO_PACKET_END) ||
5843                     (dst_reg->type == PTR_TO_PACKET_META &&
5844                      reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) {
5845                         /* pkt_data' <= pkt_end, pkt_meta' <= pkt_data */
5846                         find_good_pkt_pointers(other_branch, dst_reg,
5847                                                dst_reg->type, false);
5848                 } else if ((dst_reg->type == PTR_TO_PACKET_END &&
5849                             src_reg->type == PTR_TO_PACKET) ||
5850                            (reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) &&
5851                             src_reg->type == PTR_TO_PACKET_META)) {
5852                         /* pkt_end <= pkt_data', pkt_data <= pkt_meta' */
5853                         find_good_pkt_pointers(this_branch, src_reg,
5854                                                src_reg->type, true);
5855                 } else {
5856                         return false;
5857                 }
5858                 break;
5859         default:
5860                 return false;
5861         }
5862 
5863         return true;
5864 }
5865 
5866 static int check_cond_jmp_op(struct bpf_verifier_env *env,
5867                              struct bpf_insn *insn, int *insn_idx)
5868 {
5869         struct bpf_verifier_state *this_branch = env->cur_state;
5870         struct bpf_verifier_state *other_branch;
5871         struct bpf_reg_state *regs = this_branch->frame[this_branch->curframe]->regs;
5872         struct bpf_reg_state *dst_reg, *other_branch_regs, *src_reg = NULL;
5873         u8 opcode = BPF_OP(insn->code);
5874         bool is_jmp32;
5875         int pred = -1;
5876         int err;
5877 
5878         /* Only conditional jumps are expected to reach here. */
5879         if (opcode == BPF_JA || opcode > BPF_JSLE) {
5880                 verbose(env, "invalid BPF_JMP/JMP32 opcode %x\n", opcode);
5881                 return -EINVAL;
5882         }
5883 
5884         if (BPF_SRC(insn->code) == BPF_X) {
5885                 if (insn->imm != 0) {
5886                         verbose(env, "BPF_JMP/JMP32 uses reserved fields\n");
5887                         return -EINVAL;
5888                 }
5889 
5890                 /* check src1 operand */
5891                 err = check_reg_arg(env, insn->src_reg, SRC_OP);
5892                 if (err)
5893                         return err;
5894 
5895                 if (is_pointer_value(env, insn->src_reg)) {
5896                         verbose(env, "R%d pointer comparison prohibited\n",
5897                                 insn->src_reg);
5898                         return -EACCES;
5899                 }
5900                 src_reg = &regs[insn->src_reg];
5901         } else {
5902                 if (insn->src_reg != BPF_REG_0) {
5903                         verbose(env, "BPF_JMP/JMP32 uses reserved fields\n");
5904                         return -EINVAL;
5905                 }
5906         }
5907 
5908         /* check src2 operand */
5909         err = check_reg_arg(env, insn->dst_reg, SRC_OP);
5910         if (err)
5911                 return err;
5912 
5913         dst_reg = &regs[insn->dst_reg];
5914         is_jmp32 = BPF_CLASS(insn->code) == BPF_JMP32;
5915 
5916         if (BPF_SRC(insn->code) == BPF_K)
5917                 pred = is_branch_taken(dst_reg, insn->imm,
5918                                        opcode, is_jmp32);
5919         else if (src_reg->type == SCALAR_VALUE &&
5920                  tnum_is_const(src_reg->var_off))
5921                 pred = is_branch_taken(dst_reg, src_reg->var_off.value,
5922                                        opcode, is_jmp32);
5923         if (pred >= 0) {
5924                 err = mark_chain_precision(env, insn->dst_reg);
5925                 if (BPF_SRC(insn->code) == BPF_X && !err)
5926                         err = mark_chain_precision(env, insn->src_reg);
5927                 if (err)
5928                         return err;
5929         }
5930         if (pred == 1) {
5931                 /* only follow the goto, ignore fall-through */
5932                 *insn_idx += insn->off;
5933                 return 0;
5934         } else if (pred == 0) {
5935                 /* only follow fall-through branch, since
5936                  * that's where the program will go
5937                  */
5938                 return 0;
5939         }
5940 
5941         other_branch = push_stack(env, *insn_idx + insn->off + 1, *insn_idx,
5942                                   false);
5943         if (!other_branch)
5944                 return -EFAULT;
5945         other_branch_regs = other_branch->frame[other_branch->curframe]->regs;
5946 
5947         /* detect if we are comparing against a constant value so we can adjust
5948          * our min/max values for our dst register.
5949          * this is only legit if both are scalars (or pointers to the same
5950          * object, I suppose, but we don't support that right now), because
5951          * otherwise the different base pointers mean the offsets aren't
5952          * comparable.
5953          */
5954         if (BPF_SRC(insn->code) == BPF_X) {
5955                 struct bpf_reg_state *src_reg = &regs[insn->src_reg];
5956                 struct bpf_reg_state lo_reg0 = *dst_reg;
5957                 struct bpf_reg_state lo_reg1 = *src_reg;
5958                 struct bpf_reg_state *src_lo, *dst_lo;
5959 
5960                 dst_lo = &lo_reg0;
5961                 src_lo = &lo_reg1;
5962                 coerce_reg_to_size(dst_lo, 4);
5963                 coerce_reg_to_size(src_lo, 4);
5964 
5965                 if (dst_reg->type == SCALAR_VALUE &&
5966                     src_reg->type == SCALAR_VALUE) {
5967                         if (tnum_is_const(src_reg->var_off) ||
5968                             (is_jmp32 && tnum_is_const(src_lo->var_off)))
5969                                 reg_set_min_max(&other_branch_regs[insn->dst_reg],
5970                                                 dst_reg,
5971                                                 is_jmp32
5972                                                 ? src_lo->var_off.value
5973                                                 : src_reg->var_off.value,
5974                                                 opcode, is_jmp32);
5975                         else if (tnum_is_const(dst_reg->var_off) ||
5976                                  (is_jmp32 && tnum_is_const(dst_lo->var_off)))
5977                                 reg_set_min_max_inv(&other_branch_regs[insn->src_reg],
5978                                                     src_reg,
5979                                                     is_jmp32
5980                                                     ? dst_lo->var_off.value
5981                                                     : dst_reg->var_off.value,
5982                                                     opcode, is_jmp32);
5983                         else if (!is_jmp32 &&
5984                                  (opcode == BPF_JEQ || opcode == BPF_JNE))
5985                                 /* Comparing for equality, we can combine knowledge */
5986                                 reg_combine_min_max(&other_branch_regs[insn->src_reg],
5987                                                     &other_branch_regs[insn->dst_reg],
5988                                                     src_reg, dst_reg, opcode);
5989                 }
5990         } else if (dst_reg->type == SCALAR_VALUE) {
5991                 reg_set_min_max(&other_branch_regs[insn->dst_reg],
5992                                         dst_reg, insn->imm, opcode, is_jmp32);
5993         }
5994 
5995         /* detect if R == 0 where R is returned from bpf_map_lookup_elem().
5996          * NOTE: these optimizations below are related with pointer comparison
5997          *       which will never be JMP32.
5998          */
5999         if (!is_jmp32 && BPF_SRC(insn->code) == BPF_K &&
6000             insn->imm == 0 && (opcode == BPF_JEQ || opcode == BPF_JNE) &&
6001             reg_type_may_be_null(dst_reg->type)) {
6002                 /* Mark all identical registers in each branch as either
6003                  * safe or unknown depending R == 0 or R != 0 conditional.
6004                  */
6005                 mark_ptr_or_null_regs(this_branch, insn->dst_reg,
6006                                       opcode == BPF_JNE);
6007                 mark_ptr_or_null_regs(other_branch, insn->dst_reg,
6008                                       opcode == BPF_JEQ);
6009         } else if (!try_match_pkt_pointers(insn, dst_reg, &regs[insn->src_reg],
6010                                            this_branch, other_branch) &&
6011                    is_pointer_value(env, insn->dst_reg)) {
6012                 verbose(env, "R%d pointer comparison prohibited\n",
6013                         insn->dst_reg);
6014                 return -EACCES;
6015         }
6016         if (env->log.level & BPF_LOG_LEVEL)
6017                 print_verifier_state(env, this_branch->frame[this_branch->curframe]);
6018         return 0;
6019 }
6020 
6021 /* verify BPF_LD_IMM64 instruction */
6022 static int check_ld_imm(struct bpf_verifier_env *env, struct bpf_insn *insn)
6023 {
6024         struct bpf_insn_aux_data *aux = cur_aux(env);
6025         struct bpf_reg_state *regs = cur_regs(env);
6026         struct bpf_map *map;
6027         int err;
6028 
6029         if (BPF_SIZE(insn->code) != BPF_DW) {
6030                 verbose(env, "invalid BPF_LD_IMM insn\n");
6031                 return -EINVAL;
6032         }
6033         if (insn->off != 0) {
6034                 verbose(env, "BPF_LD_IMM64 uses reserved fields\n");
6035                 return -EINVAL;
6036         }
6037 
6038         err = check_reg_arg(env, insn->dst_reg, DST_OP);
6039         if (err)
6040                 return err;
6041 
6042         if (insn->src_reg == 0) {
6043                 u64 imm = ((u64)(insn + 1)->imm << 32) | (u32)insn->imm;
6044 
6045                 regs[insn->dst_reg].type = SCALAR_VALUE;
6046                 __mark_reg_known(&regs[insn->dst_reg], imm);
6047                 return 0;
6048         }
6049 
6050         map = env->used_maps[aux->map_index];
6051         mark_reg_known_zero(env, regs, insn->dst_reg);
6052         regs[insn->dst_reg].map_ptr = map;
6053 
6054         if (insn->src_reg == BPF_PSEUDO_MAP_VALUE) {
6055                 regs[insn->dst_reg].type = PTR_TO_MAP_VALUE;
6056                 regs[insn->dst_reg].off = aux->map_off;
6057                 if (map_value_has_spin_lock(map))
6058                         regs[insn->dst_reg].id = ++env->id_gen;
6059         } else if (insn->src_reg == BPF_PSEUDO_MAP_FD) {
6060                 regs[insn->dst_reg].type = CONST_PTR_TO_MAP;
6061         } else {
6062                 verbose(env, "bpf verifier is misconfigured\n");
6063                 return -EINVAL;
6064         }
6065 
6066         return 0;
6067 }
6068 
6069 static bool may_access_skb(enum bpf_prog_type type)
6070 {
6071         switch (type) {
6072         case BPF_PROG_TYPE_SOCKET_FILTER:
6073         case BPF_PROG_TYPE_SCHED_CLS:
6074         case BPF_PROG_TYPE_SCHED_ACT:
6075                 return true;
6076         default:
6077                 return false;
6078         }
6079 }
6080 
6081 /* verify safety of LD_ABS|LD_IND instructions:
6082  * - they can only appear in the programs where ctx == skb
6083  * - since they are wrappers of function calls, they scratch R1-R5 registers,
6084  *   preserve R6-R9, and store return value into R0
6085  *
6086  * Implicit input:
6087  *   ctx == skb == R6 == CTX
6088  *
6089  * Explicit input:
6090  *   SRC == any register
6091  *   IMM == 32-bit immediate
6092  *
6093  * Output:
6094  *   R0 - 8/16/32-bit skb data converted to cpu endianness
6095  */
6096 static int check_ld_abs(struct bpf_verifier_env *env, struct bpf_insn *insn)
6097 {
6098         struct bpf_reg_state *regs = cur_regs(env);
6099         static const int ctx_reg = BPF_REG_6;
6100         u8 mode = BPF_MODE(insn->code);
6101         int i, err;
6102 
6103         if (!may_access_skb(env->prog->type)) {
6104                 verbose(env, "BPF_LD_[ABS|IND] instructions not allowed for this program type\n");
6105                 return -EINVAL;
6106         }
6107 
6108         if (!env->ops->gen_ld_abs) {
6109                 verbose(env, "bpf verifier is misconfigured\n");
6110                 return -EINVAL;
6111         }
6112 
6113         if (env->subprog_cnt > 1) {
6114                 /* when program has LD_ABS insn JITs and interpreter assume
6115                  * that r1 == ctx == skb which is not the case for callees
6116                  * that can have arbitrary arguments. It's problematic
6117                  * for main prog as well since JITs would need to analyze
6118                  * all functions in order to make proper register save/restore
6119                  * decisions in the main prog. Hence disallow LD_ABS with calls
6120                  */
6121                 verbose(env, "BPF_LD_[ABS|IND] instructions cannot be mixed with bpf-to-bpf calls\n");
6122                 return -EINVAL;
6123         }
6124 
6125         if (insn->dst_reg != BPF_REG_0 || insn->off != 0 ||
6126             BPF_SIZE(insn->code) == BPF_DW ||
6127             (mode == BPF_ABS && insn->src_reg != BPF_REG_0)) {
6128                 verbose(env, "BPF_LD_[ABS|IND] uses reserved fields\n");
6129                 return -EINVAL;
6130         }
6131 
6132         /* check whether implicit source operand (register R6) is readable */
6133         err = check_reg_arg(env, ctx_reg, SRC_OP);
6134         if (err)
6135                 return err;
6136 
6137         /* Disallow usage of BPF_LD_[ABS|IND] with reference tracking, as
6138          * gen_ld_abs() may terminate the program at runtime, leading to
6139          * reference leak.
6140          */
6141         err = check_reference_leak(env);
6142         if (err) {
6143                 verbose(env, "BPF_LD_[ABS|IND] cannot be mixed with socket references\n");
6144                 return err;
6145         }
6146 
6147         if (env->cur_state->active_spin_lock) {
6148                 verbose(env, "BPF_LD_[ABS|IND] cannot be used inside bpf_spin_lock-ed region\n");
6149                 return -EINVAL;
6150         }
6151 
6152         if (regs[ctx_reg].type != PTR_TO_CTX) {
6153                 verbose(env,
6154                         "at the time of BPF_LD_ABS|IND R6 != pointer to skb\n");
6155                 return -EINVAL;
6156         }
6157 
6158         if (mode == BPF_IND) {
6159                 /* check explicit source operand */
6160                 err = check_reg_arg(env, insn->src_reg, SRC_OP);
6161                 if (err)
6162                         return err;
6163         }
6164 
6165         err = check_ctx_reg(env, &regs[ctx_reg], ctx_reg);
6166         if (err < 0)
6167                 return err;
6168 
6169         /* reset caller saved regs to unreadable */
6170         for (i = 0; i < CALLER_SAVED_REGS; i++) {
6171                 mark_reg_not_init(env, regs, caller_saved[i]);
6172                 check_reg_arg(env, caller_saved[i], DST_OP_NO_MARK);
6173         }
6174 
6175         /* mark destination R0 register as readable, since it contains
6176          * the value fetched from the packet.
6177          * Already marked as written above.
6178          */
6179         mark_reg_unknown(env, regs, BPF_REG_0);
6180         /* ld_abs load up to 32-bit skb data. */
6181         regs[BPF_REG_0].subreg_def = env->insn_idx + 1;
6182         return 0;
6183 }
6184 
6185 static int check_return_code(struct bpf_verifier_env *env)
6186 {
6187         struct tnum enforce_attach_type_range = tnum_unknown;
6188         struct bpf_reg_state *reg;
6189         struct tnum range = tnum_range(0, 1);
6190 
6191         switch (env->prog->type) {
6192         case BPF_PROG_TYPE_CGROUP_SOCK_ADDR:
6193                 if (env->prog->expected_attach_type == BPF_CGROUP_UDP4_RECVMSG ||
6194                     env->prog->expected_attach_type == BPF_CGROUP_UDP6_RECVMSG)
6195                         range = tnum_range(1, 1);
6196                 break;
6197         case BPF_PROG_TYPE_CGROUP_SKB:
6198                 if (env->prog->expected_attach_type == BPF_CGROUP_INET_EGRESS) {
6199                         range = tnum_range(0, 3);
6200                         enforce_attach_type_range = tnum_range(2, 3);
6201                 }
6202                 break;
6203         case BPF_PROG_TYPE_CGROUP_SOCK:
6204         case BPF_PROG_TYPE_SOCK_OPS:
6205         case BPF_PROG_TYPE_CGROUP_DEVICE:
6206         case BPF_PROG_TYPE_CGROUP_SYSCTL:
6207         case BPF_PROG_TYPE_CGROUP_SOCKOPT:
6208                 break;
6209         default:
6210                 return 0;
6211         }
6212 
6213         reg = cur_regs(env) + BPF_REG_0;
6214         if (reg->type != SCALAR_VALUE) {
6215                 verbose(env, "At program exit the register R0 is not a known value (%s)\n",
6216                         reg_type_str[reg->type]);
6217                 return -EINVAL;
6218         }
6219 
6220         if (!tnum_in(range, reg->var_off)) {
6221                 char tn_buf[48];
6222 
6223                 verbose(env, "At program exit the register R0 ");
6224                 if (!tnum_is_unknown(reg->var_off)) {
6225                         tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
6226                         verbose(env, "has value %s", tn_buf);
6227                 } else {
6228                         verbose(env, "has unknown scalar value");
6229                 }
6230                 tnum_strn(tn_buf, sizeof(tn_buf), range);
6231                 verbose(env, " should have been in %s\n", tn_buf);
6232                 return -EINVAL;
6233         }
6234 
6235         if (!tnum_is_unknown(enforce_attach_type_range) &&
6236             tnum_in(enforce_attach_type_range, reg->var_off))
6237                 env->prog->enforce_expected_attach_type = 1;
6238         return 0;
6239 }
6240 
6241 /* non-recursive DFS pseudo code
6242  * 1  procedure DFS-iterative(G,v):
6243  * 2      label v as discovered
6244  * 3      let S be a stack
6245  * 4      S.push(v)
6246  * 5      while S is not empty
6247  * 6            t <- S.pop()
6248  * 7            if t is what we're looking for:
6249  * 8                return t
6250  * 9            for all edges e in G.adjacentEdges(t) do
6251  * 10               if edge e is already labelled
6252  * 11                   continue with the next edge
6253  * 12               w <- G.adjacentVertex(t,e)
6254  * 13               if vertex w is not discovered and not explored
6255  * 14                   label e as tree-edge
6256  * 15                   label w as discovered
6257  * 16                   S.push(w)
6258  * 17                   continue at 5
6259  * 18               else if vertex w is discovered
6260  * 19                   label e as back-edge
6261  * 20               else
6262  * 21                   // vertex w is explored
6263  * 22                   label e as forward- or cross-edge
6264  * 23           label t as explored
6265  * 24           S.pop()
6266  *
6267  * convention:
6268  * 0x10 - discovered
6269  * 0x11 - discovered and fall-through edge labelled
6270  * 0x12 - discovered and fall-through and branch edges labelled
6271  * 0x20 - explored
6272  */
6273 
6274 enum {
6275         DISCOVERED = 0x10,
6276         EXPLORED = 0x20,
6277         FALLTHROUGH = 1,
6278         BRANCH = 2,
6279 };
6280 
6281 static u32 state_htab_size(struct bpf_verifier_env *env)
6282 {
6283         return env->prog->len;
6284 }
6285 
6286 static struct bpf_verifier_state_list **explored_state(
6287                                         struct bpf_verifier_env *env,
6288                                         int idx)
6289 {
6290         struct bpf_verifier_state *cur = env->cur_state;
6291         struct bpf_func_state *state = cur->frame[cur->curframe];
6292 
6293         return &env->explored_states[(idx ^ state->callsite) % state_htab_size(env)];
6294 }
6295 
6296 static void init_explored_state(struct bpf_verifier_env *env, int idx)
6297 {
6298         env->insn_aux_data[idx].prune_point = true;
6299 }
6300 
6301 /* t, w, e - match pseudo-code above:
6302  * t - index of current instruction
6303  * w - next instruction
6304  * e - edge
6305  */
6306 static int push_insn(int t, int w, int e, struct bpf_verifier_env *env,
6307                      bool loop_ok)
6308 {
6309         int *insn_stack = env->cfg.insn_stack;
6310         int *insn_state = env->cfg.insn_state;
6311 
6312         if (e == FALLTHROUGH && insn_state[t] >= (DISCOVERED | FALLTHROUGH))
6313                 return 0;
6314 
6315         if (e == BRANCH && insn_state[t] >= (DISCOVERED | BRANCH))
6316                 return 0;
6317 
6318         if (w < 0 || w >= env->prog->len) {
6319                 verbose_linfo(env, t, "%d: ", t);
6320                 verbose(env, "jump out of range from insn %d to %d\n", t, w);
6321                 return -EINVAL;
6322         }
6323 
6324         if (e == BRANCH)
6325                 /* mark branch target for state pruning */
6326                 init_explored_state(env, w);
6327 
6328         if (insn_state[w] == 0) {
6329                 /* tree-edge */
6330                 insn_state[t] = DISCOVERED | e;
6331                 insn_state[w] = DISCOVERED;
6332                 if (env->cfg.cur_stack >= env->prog->len)
6333                         return -E2BIG;
6334                 insn_stack[env->cfg.cur_stack++] = w;
6335                 return 1;
6336         } else if ((insn_state[w] & 0xF0) == DISCOVERED) {
6337                 if (loop_ok && env->allow_ptr_leaks)
6338                         return 0;
6339                 verbose_linfo(env, t, "%d: ", t);
6340                 verbose_linfo(env, w, "%d: ", w);
6341                 verbose(env, "back-edge from insn %d to %d\n", t, w);
6342                 return -EINVAL;
6343         } else if (insn_state[w] == EXPLORED) {
6344                 /* forward- or cross-edge */
6345                 insn_state[t] = DISCOVERED | e;
6346         } else {
6347                 verbose(env, "insn state internal bug\n");
6348                 return -EFAULT;
6349         }
6350         return 0;
6351 }
6352 
6353 /* non-recursive depth-first-search to detect loops in BPF program
6354  * loop == back-edge in directed graph
6355  */
6356 static int check_cfg(struct bpf_verifier_env *env)
6357 {
6358         struct bpf_insn *insns = env->prog->insnsi;
6359         int insn_cnt = env->prog->len;
6360         int *insn_stack, *insn_state;
6361         int ret = 0;
6362         int i, t;
6363 
6364         insn_state = env->cfg.insn_state = kvcalloc(insn_cnt, sizeof(int), GFP_KERNEL);
6365         if (!insn_state)
6366                 return -ENOMEM;
6367 
6368         insn_stack = env->cfg.insn_stack = kvcalloc(insn_cnt, sizeof(int), GFP_KERNEL);
6369         if (!insn_stack) {
6370                 kvfree(insn_state);
6371                 return -ENOMEM;
6372         }
6373 
6374         insn_state[0] = DISCOVERED; /* mark 1st insn as discovered */
6375         insn_stack[0] = 0; /* 0 is the first instruction */
6376         env->cfg.cur_stack = 1;
6377 
6378 peek_stack:
6379         if (env->cfg.cur_stack == 0)
6380                 goto check_state;
6381         t = insn_stack[env->cfg.cur_stack - 1];
6382 
6383         if (BPF_CLASS(insns[t].code) == BPF_JMP ||
6384             BPF_CLASS(insns[t].code) == BPF_JMP32) {
6385                 u8 opcode = BPF_OP(insns[t].code);
6386 
6387                 if (opcode == BPF_EXIT) {
6388                         goto mark_explored;
6389                 } else if (opcode == BPF_CALL) {
6390                         ret = push_insn(t, t + 1, FALLTHROUGH, env, false);
6391                         if (ret == 1)
6392                                 goto peek_stack;
6393                         else if (ret < 0)
6394                                 goto err_free;
6395                         if (t + 1 < insn_cnt)
6396                                 init_explored_state(env, t + 1);
6397                         if (insns[t].src_reg == BPF_PSEUDO_CALL) {
6398                                 init_explored_state(env, t);
6399                                 ret = push_insn(t, t + insns[t].imm + 1, BRANCH,
6400                                                 env, false);
6401                                 if (ret == 1)
6402                                         goto peek_stack;
6403                                 else if (ret < 0)
6404                                         goto err_free;
6405                         }
6406                 } else if (opcode == BPF_JA) {
6407                         if (BPF_SRC(insns[t].code) != BPF_K) {
6408                                 ret = -EINVAL;
6409                                 goto err_free;
6410                         }
6411                         /* unconditional jump with single edge */
6412                         ret = push_insn(t, t + insns[t].off + 1,
6413                                         FALLTHROUGH, env, true);
6414                         if (ret == 1)
6415                                 goto peek_stack;
6416                         else if (ret < 0)
6417                                 goto err_free;
6418                         /* unconditional jmp is not a good pruning point,
6419                          * but it's marked, since backtracking needs
6420                          * to record jmp history in is_state_visited().
6421                          */
6422                         init_explored_state(env, t + insns[t].off + 1);
6423                         /* tell verifier to check for equivalent states
6424                          * after every call and jump
6425                          */
6426                         if (t + 1 < insn_cnt)
6427                                 init_explored_state(env, t + 1);
6428                 } else {
6429                         /* conditional jump with two edges */
6430                         init_explored_state(env, t);
6431                         ret = push_insn(t, t + 1, FALLTHROUGH, env, true);
6432                         if (ret == 1)
6433                                 goto peek_stack;
6434                         else if (ret < 0)
6435                                 goto err_free;
6436 
6437                         ret = push_insn(t, t + insns[t].off + 1, BRANCH, env, true);
6438                         if (ret == 1)
6439                                 goto peek_stack;
6440                         else if (ret < 0)
6441                                 goto err_free;
6442                 }
6443         } else {
6444                 /* all other non-branch instructions with single
6445                  * fall-through edge
6446                  */
6447                 ret = push_insn(t, t + 1, FALLTHROUGH, env, false);
6448                 if (ret == 1)
6449                         goto peek_stack;
6450                 else if (ret < 0)
6451                         goto err_free;
6452         }
6453 
6454 mark_explored:
6455         insn_state[t] = EXPLORED;
6456         if (env->cfg.cur_stack-- <= 0) {
6457                 verbose(env, "pop stack internal bug\n");
6458                 ret = -EFAULT;
6459                 goto err_free;
6460         }
6461         goto peek_stack;
6462 
6463 check_state:
6464         for (i = 0; i < insn_cnt; i++) {
6465                 if (insn_state[i] != EXPLORED) {
6466                         verbose(env, "unreachable insn %d\n", i);
6467                         ret = -EINVAL;
6468                         goto err_free;
6469                 }
6470         }
6471         ret = 0; /* cfg looks good */
6472 
6473 err_free:
6474         kvfree(insn_state);
6475         kvfree(insn_stack);
6476         env->cfg.insn_state = env->cfg.insn_stack = NULL;
6477         return ret;
6478 }
6479 
6480 /* The minimum supported BTF func info size */
6481 #define MIN_BPF_FUNCINFO_SIZE   8
6482 #define MAX_FUNCINFO_REC_SIZE   252
6483 
6484 static int check_btf_func(struct bpf_verifier_env *env,
6485                           const union bpf_attr *attr,
6486                           union bpf_attr __user *uattr)
6487 {
6488         u32 i, nfuncs, urec_size, min_size;
6489         u32 krec_size = sizeof(struct bpf_func_info);
6490         struct bpf_func_info *krecord;
6491         const struct btf_type *type;
6492         struct bpf_prog *prog;
6493         const struct btf *btf;
6494         void __user *urecord;
6495         u32 prev_offset = 0;
6496         int ret = 0;
6497 
6498         nfuncs = attr->func_info_cnt;
6499         if (!nfuncs)
6500                 return 0;
6501 
6502         if (nfuncs != env->subprog_cnt) {
6503                 verbose(env, "number of funcs in func_info doesn't match number of subprogs\n");
6504                 return -EINVAL;
6505         }
6506 
6507         urec_size = attr->func_info_rec_size;
6508         if (urec_size < MIN_BPF_FUNCINFO_SIZE ||
6509             urec_size > MAX_FUNCINFO_REC_SIZE ||
6510             urec_size % sizeof(u32)) {
6511                 verbose(env, "invalid func info rec size %u\n", urec_size);
6512                 return -EINVAL;
6513         }
6514 
6515         prog = env->prog;
6516         btf = prog->aux->btf;
6517 
6518         urecord = u64_to_user_ptr(attr->func_info);
6519         min_size = min_t(u32, krec_size, urec_size);
6520 
6521         krecord = kvcalloc(nfuncs, krec_size, GFP_KERNEL | __GFP_NOWARN);
6522         if (!krecord)
6523                 return -ENOMEM;
6524 
6525         for (i = 0; i < nfuncs; i++) {
6526                 ret = bpf_check_uarg_tail_zero(urecord, krec_size, urec_size);
6527                 if (ret) {
6528                         if (ret == -E2BIG) {
6529                                 verbose(env, "nonzero tailing record in func info");
6530                                 /* set the size kernel expects so loader can zero
6531                                  * out the rest of the record.
6532                                  */
6533                                 if (put_user(min_size, &uattr->func_info_rec_size))
6534                                         ret = -EFAULT;
6535                         }
6536                         goto err_free;
6537                 }
6538 
6539                 if (copy_from_user(&krecord[i], urecord, min_size)) {
6540                         ret = -EFAULT;
6541                         goto err_free;
6542                 }
6543 
6544                 /* check insn_off */
6545                 if (i == 0) {
6546                         if (krecord[i].insn_off) {
6547                                 verbose(env,
6548                                         "nonzero insn_off %u for the first func info record",
6549                                         krecord[i].insn_off);
6550                                 ret = -EINVAL;
6551                                 goto err_free;
6552                         }
6553                 } else if (krecord[i].insn_off <= prev_offset) {
6554                         verbose(env,
6555                                 "same or smaller insn offset (%u) than previous func info record (%u)",
6556                                 krecord[i].insn_off, prev_offset);
6557                         ret = -EINVAL;
6558                         goto err_free;
6559                 }
6560 
6561                 if (env->subprog_info[i].start != krecord[i].insn_off) {
6562                         verbose(env, "func_info BTF section doesn't match subprog layout in BPF program\n");
6563                         ret = -EINVAL;
6564                         goto err_free;
6565                 }
6566 
6567                 /* check type_id */
6568                 type = btf_type_by_id(btf, krecord[i].type_id);
6569                 if (!type || BTF_INFO_KIND(type->info) != BTF_KIND_FUNC) {
6570                         verbose(env, "invalid type id %d in func info",
6571                                 krecord[i].type_id);
6572                         ret = -EINVAL;
6573                         goto err_free;
6574                 }
6575 
6576                 prev_offset = krecord[i].insn_off;
6577                 urecord += urec_size;
6578         }
6579 
6580         prog->aux->func_info = krecord;
6581         prog->aux->func_info_cnt = nfuncs;
6582         return 0;
6583 
6584 err_free:
6585         kvfree(krecord);
6586         return ret;
6587 }
6588 
6589 static void adjust_btf_func(struct bpf_verifier_env *env)
6590 {
6591         int i;
6592 
6593         if (!env->prog->aux->func_info)
6594                 return;
6595 
6596         for (i = 0; i < env->subprog_cnt; i++)
6597                 env->prog->aux->func_info[i].insn_off = env->subprog_info[i].start;
6598 }
6599 
6600 #define MIN_BPF_LINEINFO_SIZE   (offsetof(struct bpf_line_info, line_col) + \
6601                 sizeof(((struct bpf_line_info *)(0))->line_col))
6602 #define MAX_LINEINFO_REC_SIZE   MAX_FUNCINFO_REC_SIZE
6603 
6604 static int check_btf_line(struct bpf_verifier_env *env,
6605                           const union bpf_attr *attr,
6606                           union bpf_attr __user *uattr)
6607 {
6608         u32 i, s, nr_linfo, ncopy, expected_size, rec_size, prev_offset = 0;
6609         struct bpf_subprog_info *sub;
6610         struct bpf_line_info *linfo;
6611         struct bpf_prog *prog;
6612         const struct btf *btf;
6613         void __user *ulinfo;
6614         int err;
6615 
6616         nr_linfo = attr->line_info_cnt;
6617         if (!nr_linfo)
6618                 return 0;
6619 
6620         rec_size = attr->line_info_rec_size;
6621         if (rec_size < MIN_BPF_LINEINFO_SIZE ||
6622             rec_size > MAX_LINEINFO_REC_SIZE ||
6623             rec_size & (sizeof(u32) - 1))
6624                 return -EINVAL;
6625 
6626         /* Need to zero it in case the userspace may
6627          * pass in a smaller bpf_line_info object.
6628          */
6629         linfo = kvcalloc(nr_linfo, sizeof(struct bpf_line_info),
6630                          GFP_KERNEL | __GFP_NOWARN);
6631         if (!linfo)
6632                 return -ENOMEM;
6633 
6634         prog = env->prog;
6635         btf = prog->aux->btf;
6636 
6637         s = 0;
6638         sub = env->subprog_info;
6639         ulinfo = u64_to_user_ptr(attr->line_info);
6640         expected_size = sizeof(struct bpf_line_info);
6641         ncopy = min_t(u32, expected_size, rec_size);
6642         for (i = 0; i < nr_linfo; i++) {
6643                 err = bpf_check_uarg_tail_zero(ulinfo, expected_size, rec_size);
6644                 if (err) {
6645                         if (err == -E2BIG) {
6646                                 verbose(env, "nonzero tailing record in line_info");
6647                                 if (put_user(expected_size,
6648                                              &uattr->line_info_rec_size))
6649                                         err = -EFAULT;
6650                         }
6651                         goto err_free;
6652                 }
6653 
6654                 if (copy_from_user(&linfo[i], ulinfo, ncopy)) {
6655                         err = -EFAULT;
6656                         goto err_free;
6657                 }
6658 
6659                 /*
6660                  * Check insn_off to ensure
6661                  * 1) strictly increasing AND
6662                  * 2) bounded by prog->len
6663                  *
6664                  * The linfo[0].insn_off == 0 check logically falls into
6665                  * the later "missing bpf_line_info for func..." case
6666                  * because the first linfo[0].insn_off must be the
6667                  * first sub also and the first sub must have
6668                  * subprog_info[0].start == 0.
6669                  */
6670                 if ((i && linfo[i].insn_off <= prev_offset) ||
6671                     linfo[i].insn_off >= prog->len) {
6672                         verbose(env, "Invalid line_info[%u].insn_off:%u (prev_offset:%u prog->len:%u)\n",
6673                                 i, linfo[i].insn_off, prev_offset,
6674                                 prog->len);
6675                         err = -EINVAL;
6676                         goto err_free;
6677                 }
6678 
6679                 if (!prog->insnsi[linfo[i].insn_off].code) {
6680                         verbose(env,
6681                                 "Invalid insn code at line_info[%u].insn_off\n",
6682                                 i);
6683                         err = -EINVAL;
6684                         goto err_free;
6685                 }
6686 
6687                 if (!btf_name_by_offset(btf, linfo[i].line_off) ||
6688                     !btf_name_by_offset(btf, linfo[i].file_name_off)) {
6689                         verbose(env, "Invalid line_info[%u].line_off or .file_name_off\n", i);
6690                         err = -EINVAL;
6691                         goto err_free;
6692                 }
6693 
6694                 if (s != env->subprog_cnt) {
6695                         if (linfo[i].insn_off == sub[s].start) {
6696                                 sub[s].linfo_idx = i;
6697                                 s++;
6698                         } else if (sub[s].start < linfo[i].insn_off) {
6699                                 verbose(env, "missing bpf_line_info for func#%u\n", s);
6700                                 err = -EINVAL;
6701                                 goto err_free;
6702                         }
6703                 }
6704 
6705                 prev_offset = linfo[i].insn_off;
6706                 ulinfo += rec_size;
6707         }
6708 
6709         if (s != env->subprog_cnt) {
6710                 verbose(env, "missing bpf_line_info for %u funcs starting from func#%u\n",
6711                         env->subprog_cnt - s, s);
6712                 err = -EINVAL;
6713                 goto err_free;
6714         }
6715 
6716         prog->aux->linfo = linfo;
6717         prog->aux->nr_linfo = nr_linfo;
6718 
6719         return 0;
6720 
6721 err_free:
6722         kvfree(linfo);
6723         return err;
6724 }
6725 
6726 static int check_btf_info(struct bpf_verifier_env *env,
6727                           const union bpf_attr *attr,
6728                           union bpf_attr __user *uattr)
6729 {
6730         struct btf *btf;
6731         int err;
6732 
6733         if (!attr->func_info_cnt && !attr->line_info_cnt)
6734                 return 0;
6735 
6736         btf = btf_get_by_fd(attr->prog_btf_fd);
6737         if (IS_ERR(btf))
6738                 return PTR_ERR(btf);
6739         env->prog->aux->btf = btf;
6740 
6741         err = check_btf_func(env, attr, uattr);
6742         if (err)
6743                 return err;
6744 
6745         err = check_btf_line(env, attr, uattr);
6746         if (err)
6747                 return err;
6748 
6749         return 0;
6750 }
6751 
6752 /* check %cur's range satisfies %old's */
6753 static bool range_within(struct bpf_reg_state *old,
6754                          struct bpf_reg_state *cur)
6755 {
6756         return old->umin_value <= cur->umin_value &&
6757                old->umax_value >= cur->umax_value &&
6758                old->smin_value <= cur->smin_value &&
6759                old->smax_value >= cur->smax_value;
6760 }
6761 
6762 /* Maximum number of register states that can exist at once */
6763 #define ID_MAP_SIZE     (MAX_BPF_REG + MAX_BPF_STACK / BPF_REG_SIZE)
6764 struct idpair {
6765         u32 old;
6766         u32 cur;
6767 };
6768 
6769 /* If in the old state two registers had the same id, then they need to have
6770  * the same id in the new state as well.  But that id could be different from
6771  * the old state, so we need to track the mapping from old to new ids.
6772  * Once we have seen that, say, a reg with old id 5 had new id 9, any subsequent
6773  * regs with old id 5 must also have new id 9 for the new state to be safe.  But
6774  * regs with a different old id could still have new id 9, we don't care about
6775  * that.
6776  * So we look through our idmap to see if this old id has been seen before.  If
6777  * so, we require the new id to match; otherwise, we add the id pair to the map.
6778  */
6779 static bool check_ids(u32 old_id, u32 cur_id, struct idpair *idmap)
6780 {
6781         unsigned int i;
6782 
6783         for (i = 0; i < ID_MAP_SIZE; i++) {
6784                 if (!idmap[i].old) {
6785                         /* Reached an empty slot; haven't seen this id before */
6786                         idmap[i].old = old_id;
6787                         idmap[i].cur = cur_id;
6788                         return true;
6789                 }
6790                 if (idmap[i].old == old_id)
6791                         return idmap[i].cur == cur_id;
6792         }
6793         /* We ran out of idmap slots, which should be impossible */
6794         WARN_ON_ONCE(1);
6795         return false;
6796 }
6797 
6798 static void clean_func_state(struct bpf_verifier_env *env,
6799                              struct bpf_func_state *st)
6800 {
6801         enum bpf_reg_liveness live;
6802         int i, j;
6803 
6804         for (i = 0; i < BPF_REG_FP; i++) {
6805                 live = st->regs[i].live;
6806                 /* liveness must not touch this register anymore */
6807                 st->regs[i].live |= REG_LIVE_DONE;
6808                 if (!(live & REG_LIVE_READ))
6809                         /* since the register is unused, clear its state
6810                          * to make further comparison simpler
6811                          */
6812                         __mark_reg_not_init(env, &st->regs[i]);
6813         }
6814 
6815         for (i = 0; i < st->allocated_stack / BPF_REG_SIZE; i++) {
6816                 live = st->stack[i].spilled_ptr.live;
6817                 /* liveness must not touch this stack slot anymore */
6818                 st->stack[i].spilled_ptr.live |= REG_LIVE_DONE;
6819                 if (!(live & REG_LIVE_READ)) {
6820                         __mark_reg_not_init(env, &st->stack[i].spilled_ptr);
6821                         for (j = 0; j < BPF_REG_SIZE; j++)
6822                                 st->stack[i].slot_type[j] = STACK_INVALID;
6823                 }
6824         }
6825 }
6826 
6827 static void clean_verifier_state(struct bpf_verifier_env *env,
6828                                  struct bpf_verifier_state *st)
6829 {
6830         int i;
6831 
6832         if (st->frame[0]->regs[0].live & REG_LIVE_DONE)
6833                 /* all regs in this state in all frames were already marked */
6834                 return;
6835 
6836         for (i = 0; i <= st->curframe; i++)
6837                 clean_func_state(env, st->frame[i]);
6838 }
6839 
6840 /* the parentage chains form a tree.
6841  * the verifier states are added to state lists at given insn and
6842  * pushed into state stack for future exploration.
6843  * when the verifier reaches bpf_exit insn some of the verifer states
6844  * stored in the state lists have their final liveness state already,
6845  * but a lot of states will get revised from liveness point of view when
6846  * the verifier explores other branches.
6847  * Example:
6848  * 1: r0 = 1
6849  * 2: if r1 == 100 goto pc+1
6850  * 3: r0 = 2
6851  * 4: exit
6852  * when the verifier reaches exit insn the register r0 in the state list of
6853  * insn 2 will be seen as !REG_LIVE_READ. Then the verifier pops the other_branch
6854  * of insn 2 and goes exploring further. At the insn 4 it will walk the
6855  * parentage chain from insn 4 into insn 2 and will mark r0 as REG_LIVE_READ.
6856  *
6857  * Since the verifier pushes the branch states as it sees them while exploring
6858  * the program the condition of walking the branch instruction for the second
6859  * time means that all states below this branch were already explored and
6860  * their final liveness markes are already propagated.
6861  * Hence when the verifier completes the search of state list in is_state_visited()
6862  * we can call this clean_live_states() function to mark all liveness states
6863  * as REG_LIVE_DONE to indicate that 'parent' pointers of 'struct bpf_reg_state'
6864  * will not be used.
6865  * This function also clears the registers and stack for states that !READ
6866  * to simplify state merging.
6867  *
6868  * Important note here that walking the same branch instruction in the callee
6869  * doesn't meant that the states are DONE. The verifier has to compare
6870  * the callsites
6871  */
6872 static void clean_live_states(struct bpf_verifier_env *env, int insn,
6873                               struct bpf_verifier_state *cur)
6874 {
6875         struct bpf_verifier_state_list *sl;
6876         int i;
6877 
6878         sl = *explored_state(env, insn);
6879         while (sl) {
6880                 if (sl->state.branches)
6881                         goto next;
6882                 if (sl->state.insn_idx != insn ||
6883                     sl->state.curframe != cur->curframe)
6884                         goto next;
6885                 for (i = 0; i <= cur->curframe; i++)
6886                         if (sl->state.frame[i]->callsite != cur->frame[i]->callsite)
6887                                 goto next;
6888                 clean_verifier_state(env, &sl->state);
6889 next:
6890                 sl = sl->next;
6891         }
6892 }
6893 
6894 /* Returns true if (rold safe implies rcur safe) */
6895 static bool regsafe(struct bpf_reg_state *rold, struct bpf_reg_state *rcur,
6896                     struct idpair *idmap)
6897 {
6898         bool equal;
6899 
6900         if (!(rold->live & REG_LIVE_READ))
6901                 /* explored state didn't use this */
6902                 return true;
6903 
6904         equal = memcmp(rold, rcur, offsetof(struct bpf_reg_state, parent)) == 0;
6905 
6906         if (rold->type == PTR_TO_STACK)
6907                 /* two stack pointers are equal only if they're pointing to
6908                  * the same stack frame, since fp-8 in foo != fp-8 in bar
6909                  */
6910                 return equal && rold->frameno == rcur->frameno;
6911 
6912         if (equal)
6913                 return true;
6914 
6915         if (rold->type == NOT_INIT)
6916                 /* explored state can't have used this */
6917                 return true;
6918         if (rcur->type == NOT_INIT)
6919                 return false;
6920         switch (rold->type) {
6921         case SCALAR_VALUE:
6922                 if (rcur->type == SCALAR_VALUE) {
6923                         if (!rold->precise && !rcur->precise)
6924                                 return true;
6925                         /* new val must satisfy old val knowledge */
6926                         return range_within(rold, rcur) &&
6927                                tnum_in(rold->var_off, rcur->var_off);
6928                 } else {
6929                         /* We're trying to use a pointer in place of a scalar.
6930                          * Even if the scalar was unbounded, this could lead to
6931                          * pointer leaks because scalars are allowed to leak
6932                          * while pointers are not. We could make this safe in
6933                          * special cases if root is calling us, but it's
6934                          * probably not worth the hassle.
6935                          */
6936                         return false;
6937                 }
6938         case PTR_TO_MAP_VALUE:
6939                 /* If the new min/max/var_off satisfy the old ones and
6940                  * everything else matches, we are OK.
6941                  * 'id' is not compared, since it's only used for maps with
6942                  * bpf_spin_lock inside map element and in such cases if
6943                  * the rest of the prog is valid for one map element then
6944                  * it's valid for all map elements regardless of the key
6945                  * used in bpf_map_lookup()
6946                  */
6947                 return memcmp(rold, rcur, offsetof(struct bpf_reg_state, id)) == 0 &&
6948                        range_within(rold, rcur) &&
6949                        tnum_in(rold->var_off, rcur->var_off);
6950         case PTR_TO_MAP_VALUE_OR_NULL:
6951                 /* a PTR_TO_MAP_VALUE could be safe to use as a
6952                  * PTR_TO_MAP_VALUE_OR_NULL into the same map.
6953                  * However, if the old PTR_TO_MAP_VALUE_OR_NULL then got NULL-
6954                  * checked, doing so could have affected others with the same
6955                  * id, and we can't check for that because we lost the id when
6956                  * we converted to a PTR_TO_MAP_VALUE.
6957                  */
6958                 if (rcur->type != PTR_TO_MAP_VALUE_OR_NULL)
6959                         return false;
6960                 if (memcmp(rold, rcur, offsetof(struct bpf_reg_state, id)))
6961                         return false;
6962                 /* Check our ids match any regs they're supposed to */
6963                 return check_ids(rold->id, rcur->id, idmap);
6964         case PTR_TO_PACKET_META:
6965         case PTR_TO_PACKET:
6966                 if (rcur->type != rold->type)
6967                         return false;
6968                 /* We must have at least as much range as the old ptr
6969                  * did, so that any accesses which were safe before are
6970                  * still safe.  This is true even if old range < old off,
6971                  * since someone could have accessed through (ptr - k), or
6972                  * even done ptr -= k in a register, to get a safe access.
6973                  */
6974                 if (rold->range > rcur->range)
6975                         return false;
6976                 /* If the offsets don't match, we can't trust our alignment;
6977                  * nor can we be sure that we won't fall out of range.
6978                  */
6979                 if (rold->off != rcur->off)
6980                         return false;
6981                 /* id relations must be preserved */
6982                 if (rold->id && !check_ids(rold->id, rcur->id, idmap))
6983                         return false;
6984                 /* new val must satisfy old val knowledge */
6985                 return range_within(rold, rcur) &&
6986                        tnum_in(rold->var_off, rcur->var_off);
6987         case PTR_TO_CTX:
6988         case CONST_PTR_TO_MAP:
6989         case PTR_TO_PACKET_END:
6990         case PTR_TO_FLOW_KEYS:
6991         case PTR_TO_SOCKET:
6992         case PTR_TO_SOCKET_OR_NULL:
6993         case PTR_TO_SOCK_COMMON:
6994         case PTR_TO_SOCK_COMMON_OR_NULL:
6995         case PTR_TO_TCP_SOCK:
6996         case PTR_TO_TCP_SOCK_OR_NULL:
6997         case PTR_TO_XDP_SOCK:
6998                 /* Only valid matches are exact, which memcmp() above
6999                  * would have accepted
7000                  */
7001         default:
7002                 /* Don't know what's going on, just say it's not safe */
7003                 return false;
7004         }
7005 
7006         /* Shouldn't get here; if we do, say it's not safe */
7007         WARN_ON_ONCE(1);
7008         return false;
7009 }
7010 
7011 static bool stacksafe(struct bpf_func_state *old,
7012                       struct bpf_func_state *cur,
7013                       struct idpair *idmap)
7014 {
7015         int i, spi;
7016 
7017         /* walk slots of the explored stack and ignore any additional
7018          * slots in the current stack, since explored(safe) state
7019          * didn't use them
7020          */
7021         for (i = 0; i < old->allocated_stack; i++) {
7022                 spi = i / BPF_REG_SIZE;
7023 
7024                 if (!(old->stack[spi].spilled_ptr.live & REG_LIVE_READ)) {
7025                         i += BPF_REG_SIZE - 1;
7026                         /* explored state didn't use this */
7027                         continue;
7028                 }
7029 
7030                 if (old->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_INVALID)
7031                         continue;
7032 
7033                 /* explored stack has more populated slots than current stack
7034                  * and these slots were used
7035                  */
7036                 if (i >= cur->allocated_stack)
7037                         return false;
7038 
7039                 /* if old state was safe with misc data in the stack
7040                  * it will be safe with zero-initialized stack.
7041                  * The opposite is not true
7042                  */
7043                 if (old->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_MISC &&
7044                     cur->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_ZERO)
7045                         continue;
7046                 if (old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
7047                     cur->stack[spi].slot_type[i % BPF_REG_SIZE])
7048                         /* Ex: old explored (safe) state has STACK_SPILL in
7049                          * this stack slot, but current has has STACK_MISC ->
7050                          * this verifier states are not equivalent,
7051                          * return false to continue verification of this path
7052                          */
7053                         return false;
7054                 if (i % BPF_REG_SIZE)
7055                         continue;
7056                 if (old->stack[spi].slot_type[0] != STACK_SPILL)
7057                         continue;
7058                 if (!regsafe(&old->stack[spi].spilled_ptr,
7059                              &cur->stack[spi].spilled_ptr,
7060                              idmap))
7061                         /* when explored and current stack slot are both storing
7062                          * spilled registers, check that stored pointers types
7063                          * are the same as well.
7064                          * Ex: explored safe path could have stored
7065                          * (bpf_reg_state) {.type = PTR_TO_STACK, .off = -8}
7066                          * but current path has stored:
7067                          * (bpf_reg_state) {.type = PTR_TO_STACK, .off = -16}
7068                          * such verifier states are not equivalent.
7069                          * return false to continue verification of this path
7070                          */
7071                         return false;
7072         }
7073         return true;
7074 }
7075 
7076 static bool refsafe(struct bpf_func_state *old, struct bpf_func_state *cur)
7077 {
7078         if (old->acquired_refs != cur->acquired_refs)
7079                 return false;
7080         return !memcmp(old->refs, cur->refs,
7081                        sizeof(*old->refs) * old->acquired_refs);
7082 }
7083 
7084 /* compare two verifier states
7085  *
7086  * all states stored in state_list are known to be valid, since
7087  * verifier reached 'bpf_exit' instruction through them
7088  *
7089  * this function is called when verifier exploring different branches of
7090  * execution popped from the state stack. If it sees an old state that has
7091  * more strict register state and more strict stack state then this execution
7092  * branch doesn't need to be explored further, since verifier already
7093  * concluded that more strict state leads to valid finish.
7094  *
7095  * Therefore two states are equivalent if register state is more conservative
7096  * and explored stack state is more conservative than the current one.
7097  * Example:
7098  *       explored                   current
7099  * (slot1=INV slot2=MISC) == (slot1=MISC slot2=MISC)
7100  * (slot1=MISC slot2=MISC) != (slot1=INV slot2=MISC)
7101  *
7102  * In other words if current stack state (one being explored) has more
7103  * valid slots than old one that already passed validation, it means
7104  * the verifier can stop exploring and conclude that current state is valid too
7105  *
7106  * Similarly with registers. If explored state has register type as invalid
7107  * whereas register type in current state is meaningful, it means that
7108  * the current state will reach 'bpf_exit' instruction safely
7109  */
7110 static bool func_states_equal(struct bpf_func_state *old,
7111                               struct bpf_func_state *cur)
7112 {
7113         struct idpair *idmap;
7114         bool ret = false;
7115         int i;
7116 
7117         idmap = kcalloc(ID_MAP_SIZE, sizeof(struct idpair), GFP_KERNEL);
7118         /* If we failed to allocate the idmap, just say it's not safe */
7119         if (!idmap)
7120                 return false;
7121 
7122         for (i = 0; i < MAX_BPF_REG; i++) {
7123                 if (!regsafe(&old->regs[i], &cur->regs[i], idmap))
7124                         goto out_free;
7125         }
7126 
7127         if (!stacksafe(old, cur, idmap))
7128                 goto out_free;
7129 
7130         if (!refsafe(old, cur))
7131                 goto out_free;
7132         ret = true;
7133 out_free:
7134         kfree(idmap);
7135         return ret;
7136 }
7137 
7138 static bool states_equal(struct bpf_verifier_env *env,
7139                          struct bpf_verifier_state *old,
7140                          struct bpf_verifier_state *cur)
7141 {
7142         int i;
7143 
7144         if (old->curframe != cur->curframe)
7145                 return false;
7146 
7147         /* Verification state from speculative execution simulation
7148          * must never prune a non-speculative execution one.
7149          */
7150         if (old->speculative && !cur->speculative)
7151                 return false;
7152 
7153         if (old->active_spin_lock != cur->active_spin_lock)
7154                 return false;
7155 
7156         /* for states to be equal callsites have to be the same
7157          * and all frame states need to be equivalent
7158          */
7159         for (i = 0; i <= old->curframe; i++) {
7160                 if (old->frame[i]->callsite != cur->frame[i]->callsite)
7161                         return false;
7162                 if (!func_states_equal(old->frame[i], cur->frame[i]))
7163                         return false;
7164         }
7165         return true;
7166 }
7167 
7168 /* Return 0 if no propagation happened. Return negative error code if error
7169  * happened. Otherwise, return the propagated bit.
7170  */
7171 static int propagate_liveness_reg(struct bpf_verifier_env *env,
7172                                   struct bpf_reg_state *reg,
7173                                   struct bpf_reg_state *parent_reg)
7174 {
7175         u8 parent_flag = parent_reg->live & REG_LIVE_READ;
7176         u8 flag = reg->live & REG_LIVE_READ;
7177         int err;
7178 
7179         /* When comes here, read flags of PARENT_REG or REG could be any of
7180          * REG_LIVE_READ64, REG_LIVE_READ32, REG_LIVE_NONE. There is no need
7181          * of propagation if PARENT_REG has strongest REG_LIVE_READ64.
7182          */
7183         if (parent_flag == REG_LIVE_READ64 ||
7184             /* Or if there is no read flag from REG. */
7185             !flag ||
7186             /* Or if the read flag from REG is the same as PARENT_REG. */
7187             parent_flag == flag)
7188                 return 0;
7189 
7190         err = mark_reg_read(env, reg, parent_reg, flag);
7191         if (err)
7192                 return err;
7193 
7194         return flag;
7195 }
7196 
7197 /* A write screens off any subsequent reads; but write marks come from the
7198  * straight-line code between a state and its parent.  When we arrive at an
7199  * equivalent state (jump target or such) we didn't arrive by the straight-line
7200  * code, so read marks in the state must propagate to the parent regardless
7201  * of the state's write marks. That's what 'parent == state->parent' comparison
7202  * in mark_reg_read() is for.
7203  */
7204 static int propagate_liveness(struct bpf_verifier_env *env,
7205                               const struct bpf_verifier_state *vstate,
7206                               struct bpf_verifier_state *vparent)
7207 {
7208         struct bpf_reg_state *state_reg, *parent_reg;
7209         struct bpf_func_state *state, *parent;
7210         int i, frame, err = 0;
7211 
7212         if (vparent->curframe != vstate->curframe) {
7213                 WARN(1, "propagate_live: parent frame %d current frame %d\n",
7214                      vparent->curframe, vstate->curframe);
7215                 return -EFAULT;
7216         }
7217         /* Propagate read liveness of registers... */
7218         BUILD_BUG_ON(BPF_REG_FP + 1 != MAX_BPF_REG);
7219         for (frame = 0; frame <= vstate->curframe; frame++) {
7220                 parent = vparent->frame[frame];
7221                 state = vstate->frame[frame];
7222                 parent_reg = parent->regs;
7223                 state_reg = state->regs;
7224                 /* We don't need to worry about FP liveness, it's read-only */
7225                 for (i = frame < vstate->curframe ? BPF_REG_6 : 0; i < BPF_REG_FP; i++) {
7226                         err = propagate_liveness_reg(env, &state_reg[i],
7227                                                      &parent_reg[i]);
7228                         if (err < 0)
7229                                 return err;
7230                         if (err == REG_LIVE_READ64)
7231                                 mark_insn_zext(env, &parent_reg[i]);
7232                 }
7233 
7234                 /* Propagate stack slots. */
7235                 for (i = 0; i < state->allocated_stack / BPF_REG_SIZE &&
7236                             i < parent->allocated_stack / BPF_REG_SIZE; i++) {
7237                         parent_reg = &parent->stack[i].spilled_ptr;
7238                         state_reg = &state->stack[i].spilled_ptr;
7239                         err = propagate_liveness_reg(env, state_reg,
7240                                                      parent_reg);
7241                         if (err < 0)
7242                                 return err;
7243                 }
7244         }
7245         return 0;
7246 }
7247 
7248 /* find precise scalars in the previous equivalent state and
7249  * propagate them into the current state
7250  */
7251 static int propagate_precision(struct bpf_verifier_env *env,
7252                                const struct bpf_verifier_state *old)
7253 {
7254         struct bpf_reg_state *state_reg;
7255         struct bpf_func_state *state;
7256         int i, err = 0;
7257 
7258         state = old->frame[old->curframe];
7259         state_reg = state->regs;
7260         for (i = 0; i < BPF_REG_FP; i++, state_reg++) {
7261                 if (state_reg->type != SCALAR_VALUE ||
7262                     !state_reg->precise)
7263                         continue;
7264                 if (env->log.level & BPF_LOG_LEVEL2)
7265                         verbose(env, "propagating r%d\n", i);
7266                 err = mark_chain_precision(env, i);
7267                 if (err < 0)
7268                         return err;
7269         }
7270 
7271         for (i = 0; i < state->allocated_stack / BPF_REG_SIZE; i++) {
7272                 if (state->stack[i].slot_type[0] != STACK_SPILL)
7273                         continue;
7274                 state_reg = &state->stack[i].spilled_ptr;
7275                 if (state_reg->type != SCALAR_VALUE ||
7276                     !state_reg->precise)
7277                         continue;
7278                 if (env->log.level & BPF_LOG_LEVEL2)
7279                         verbose(env, "propagating fp%d\n",
7280                                 (-i - 1) * BPF_REG_SIZE);
7281                 err = mark_chain_precision_stack(env, i);
7282                 if (err < 0)
7283                         return err;
7284         }
7285         return 0;
7286 }
7287 
7288 static bool states_maybe_looping(struct bpf_verifier_state *old,
7289                                  struct bpf_verifier_state *cur)
7290 {
7291         struct bpf_func_state *fold, *fcur;
7292         int i, fr = cur->curframe;
7293 
7294         if (old->curframe != fr)
7295                 return false;
7296 
7297         fold = old->frame[fr];
7298         fcur = cur->frame[fr];
7299         for (i = 0; i < MAX_BPF_REG; i++)
7300                 if (memcmp(&fold->regs[i], &fcur->regs[i],
7301                            offsetof(struct bpf_reg_state, parent)))
7302                         return false;
7303         return true;
7304 }
7305 
7306 
7307 static int is_state_visited(struct bpf_verifier_env *env, int insn_idx)
7308 {
7309         struct bpf_verifier_state_list *new_sl;
7310         struct bpf_verifier_state_list *sl, **pprev;
7311         struct bpf_verifier_state *cur = env->cur_state, *new;
7312         int i, j, err, states_cnt = 0;
7313         bool add_new_state = env->test_state_freq ? true : false;
7314 
7315         cur->last_insn_idx = env->prev_insn_idx;
7316         if (!env->insn_aux_data[insn_idx].prune_point)
7317                 /* this 'insn_idx' instruction wasn't marked, so we will not
7318                  * be doing state search here
7319                  */
7320                 return 0;
7321 
7322         /* bpf progs typically have pruning point every 4 instructions
7323          * http://vger.kernel.org/bpfconf2019.html#session-1
7324          * Do not add new state for future pruning if the verifier hasn't seen
7325          * at least 2 jumps and at least 8 instructions.
7326          * This heuristics helps decrease 'total_states' and 'peak_states' metric.
7327          * In tests that amounts to up to 50% reduction into total verifier
7328          * memory consumption and 20% verifier time speedup.
7329          */
7330         if (env->jmps_processed - env->prev_jmps_processed >= 2 &&
7331             env->insn_processed - env->prev_insn_processed >= 8)
7332                 add_new_state = true;
7333 
7334         pprev = explored_state(env, insn_idx);
7335         sl = *pprev;
7336 
7337         clean_live_states(env, insn_idx, cur);
7338 
7339         while (sl) {
7340                 states_cnt++;
7341                 if (sl->state.insn_idx != insn_idx)
7342                         goto next;
7343                 if (sl->state.branches) {
7344                         if (states_maybe_looping(&sl->state, cur) &&
7345                             states_equal(env, &sl->state, cur)) {
7346                                 verbose_linfo(env, insn_idx, "; ");
7347                                 verbose(env, "infinite loop detected at insn %d\n", insn_idx);
7348                                 return -EINVAL;
7349                         }
7350                         /* if the verifier is processing a loop, avoid adding new state
7351                          * too often, since different loop iterations have distinct
7352                          * states and may not help future pruning.
7353                          * This threshold shouldn't be too low to make sure that
7354                          * a loop with large bound will be rejected quickly.
7355                          * The most abusive loop will be:
7356                          * r1 += 1
7357                          * if r1 < 1000000 goto pc-2
7358                          * 1M insn_procssed limit / 100 == 10k peak states.
7359                          * This threshold shouldn't be too high either, since states
7360                          * at the end of the loop are likely to be useful in pruning.
7361                          */
7362                         if (env->jmps_processed - env->prev_jmps_processed < 20 &&
7363                             env->insn_processed - env->prev_insn_processed < 100)
7364                                 add_new_state = false;
7365                         goto miss;
7366                 }
7367                 if (states_equal(env, &sl->state, cur)) {
7368                         sl->hit_cnt++;
7369                         /* reached equivalent register/stack state,
7370                          * prune the search.
7371                          * Registers read by the continuation are read by us.
7372                          * If we have any write marks in env->cur_state, they
7373                          * will prevent corresponding reads in the continuation
7374                          * from reaching our parent (an explored_state).  Our
7375                          * own state will get the read marks recorded, but
7376                          * they'll be immediately forgotten as we're pruning
7377                          * this state and will pop a new one.
7378                          */
7379                         err = propagate_liveness(env, &sl->state, cur);
7380 
7381                         /* if previous state reached the exit with precision and
7382                          * current state is equivalent to it (except precsion marks)
7383                          * the precision needs to be propagated back in
7384                          * the current state.
7385                          */
7386                         err = err ? : push_jmp_history(env, cur);
7387                         err = err ? : propagate_precision(env, &sl->state);
7388                         if (err)
7389                                 return err;
7390                         return 1;
7391                 }
7392 miss:
7393                 /* when new state is not going to be added do not increase miss count.
7394                  * Otherwise several loop iterations will remove the state
7395                  * recorded earlier. The goal of these heuristics is to have
7396                  * states from some iterations of the loop (some in the beginning
7397                  * and some at the end) to help pruning.
7398                  */
7399                 if (add_new_state)
7400                         sl->miss_cnt++;
7401                 /* heuristic to determine whether this state is beneficial
7402                  * to keep checking from state equivalence point of view.
7403                  * Higher numbers increase max_states_per_insn and verification time,
7404                  * but do not meaningfully decrease insn_processed.
7405                  */
7406                 if (sl->miss_cnt > sl->hit_cnt * 3 + 3) {
7407                         /* the state is unlikely to be useful. Remove it to
7408                          * speed up verification
7409                          */
7410                         *pprev = sl->next;
7411                         if (sl->state.frame[0]->regs[0].live & REG_LIVE_DONE) {
7412                                 u32 br = sl->state.branches;
7413 
7414                                 WARN_ONCE(br,
7415                                           "BUG live_done but branches_to_explore %d\n",
7416                                           br);
7417                                 free_verifier_state(&sl->state, false);
7418                                 kfree(sl);
7419                                 env->peak_states--;
7420                         } else {
7421                                 /* cannot free this state, since parentage chain may
7422                                  * walk it later. Add it for free_list instead to
7423                                  * be freed at the end of verification
7424                                  */
7425                                 sl->next = env->free_list;
7426                                 env->free_list = sl;
7427                         }
7428                         sl = *pprev;
7429                         continue;
7430                 }
7431 next:
7432                 pprev = &sl->next;
7433                 sl = *pprev;
7434         }
7435 
7436         if (env->max_states_per_insn < states_cnt)
7437                 env->max_states_per_insn = states_cnt;
7438 
7439         if (!env->allow_ptr_leaks && states_cnt > BPF_COMPLEXITY_LIMIT_STATES)
7440                 return push_jmp_history(env, cur);
7441 
7442         if (!add_new_state)
7443                 return push_jmp_history(env, cur);
7444 
7445         /* There were no equivalent states, remember the current one.
7446          * Technically the current state is not proven to be safe yet,
7447          * but it will either reach outer most bpf_exit (which means it's safe)
7448          * or it will be rejected. When there are no loops the verifier won't be
7449          * seeing this tuple (frame[0].callsite, frame[1].callsite, .. insn_idx)
7450          * again on the way to bpf_exit.
7451          * When looping the sl->state.branches will be > 0 and this state
7452          * will not be considered for equivalence until branches == 0.
7453          */
7454         new_sl = kzalloc(sizeof(struct bpf_verifier_state_list), GFP_KERNEL);
7455         if (!new_sl)
7456                 return -ENOMEM;
7457         env->total_states++;
7458         env->peak_states++;
7459         env->prev_jmps_processed = env->jmps_processed;
7460         env->prev_insn_processed = env->insn_processed;
7461 
7462         /* add new state to the head of linked list */
7463         new = &new_sl->state;
7464         err = copy_verifier_state(new, cur);
7465         if (err) {
7466                 free_verifier_state(new, false);
7467                 kfree(new_sl);
7468                 return err;
7469         }
7470         new->insn_idx = insn_idx;
7471         WARN_ONCE(new->branches != 1,
7472                   "BUG is_state_visited:branches_to_explore=%d insn %d\n", new->branches, insn_idx);
7473 
7474         cur->parent = new;
7475         cur->first_insn_idx = insn_idx;
7476         clear_jmp_history(cur);
7477         new_sl->next = *explored_state(env, insn_idx);
7478         *explored_state(env, insn_idx) = new_sl;
7479         /* connect new state to parentage chain. Current frame needs all
7480          * registers connected. Only r6 - r9 of the callers are alive (pushed
7481          * to the stack implicitly by JITs) so in callers' frames connect just
7482          * r6 - r9 as an optimization. Callers will have r1 - r5 connected to
7483          * the state of the call instruction (with WRITTEN set), and r0 comes
7484          * from callee with its full parentage chain, anyway.
7485          */
7486         /* clear write marks in current state: the writes we did are not writes
7487          * our child did, so they don't screen off its reads from us.
7488          * (There are no read marks in current state, because reads always mark
7489          * their parent and current state never has children yet.  Only
7490          * explored_states can get read marks.)
7491          */
7492         for (j = 0; j <= cur->curframe; j++) {
7493                 for (i = j < cur->curframe ? BPF_REG_6 : 0; i < BPF_REG_FP; i++)
7494                         cur->frame[j]->regs[i].parent = &new->frame[j]->regs[i];
7495                 for (i = 0; i < BPF_REG_FP; i++)
7496                         cur->frame[j]->regs[i].live = REG_LIVE_NONE;
7497         }
7498 
7499         /* all stack frames are accessible from callee, clear them all */
7500         for (j = 0; j <= cur->curframe; j++) {
7501                 struct bpf_func_state *frame = cur->frame[j];
7502                 struct bpf_func_state *newframe = new->frame[j];
7503 
7504                 for (i = 0; i < frame->allocated_stack / BPF_REG_SIZE; i++) {
7505                         frame->stack[i].spilled_ptr.live = REG_LIVE_NONE;
7506                         frame->stack[i].spilled_ptr.parent =
7507                                                 &newframe->stack[i].spilled_ptr;
7508                 }
7509         }
7510         return 0;
7511 }
7512 
7513 /* Return true if it's OK to have the same insn return a different type. */
7514 static bool reg_type_mismatch_ok(enum bpf_reg_type type)
7515 {
7516         switch (type) {
7517         case PTR_TO_CTX:
7518         case PTR_TO_SOCKET:
7519         case PTR_TO_SOCKET_OR_NULL:
7520         case PTR_TO_SOCK_COMMON:
7521         case PTR_TO_SOCK_COMMON_OR_NULL:
7522         case PTR_TO_TCP_SOCK:
7523         case PTR_TO_TCP_SOCK_OR_NULL:
7524         case PTR_TO_XDP_SOCK:
7525                 return false;
7526         default:
7527                 return true;
7528         }
7529 }
7530 
7531 /* If an instruction was previously used with particular pointer types, then we
7532  * need to be careful to avoid cases such as the below, where it may be ok
7533  * for one branch accessing the pointer, but not ok for the other branch:
7534  *
7535  * R1 = sock_ptr
7536  * goto X;
7537  * ...
7538  * R1 = some_other_valid_ptr;
7539  * goto X;
7540  * ...
7541  * R2 = *(u32 *)(R1 + 0);
7542  */
7543 static bool reg_type_mismatch(enum bpf_reg_type src, enum bpf_reg_type prev)
7544 {
7545         return src != prev && (!reg_type_mismatch_ok(src) ||
7546                                !reg_type_mismatch_ok(prev));
7547 }
7548 
7549 static int do_check(struct bpf_verifier_env *env)
7550 {
7551         struct bpf_verifier_state *state;
7552         struct bpf_insn *insns = env->prog->insnsi;
7553         struct bpf_reg_state *regs;
7554         int insn_cnt = env->prog->len;
7555         bool do_print_state = false;
7556         int prev_insn_idx = -1;
7557 
7558         env->prev_linfo = NULL;
7559 
7560         state = kzalloc(sizeof(struct bpf_verifier_state), GFP_KERNEL);
7561         if (!state)
7562                 return -ENOMEM;
7563         state->curframe = 0;
7564         state->speculative = false;
7565         state->branches = 1;
7566         state->frame[0] = kzalloc(sizeof(struct bpf_func_state), GFP_KERNEL);
7567         if (!state->frame[0]) {
7568                 kfree(state);
7569                 return -ENOMEM;
7570         }
7571         env->cur_state = state;
7572         init_func_state(env, state->frame[0],
7573                         BPF_MAIN_FUNC /* callsite */,
7574                         0 /* frameno */,
7575                         0 /* subprogno, zero == main subprog */);
7576 
7577         for (;;) {
7578                 struct bpf_insn *insn;
7579                 u8 class;
7580                 int err;
7581 
7582                 env->prev_insn_idx = prev_insn_idx;
7583                 if (env->insn_idx >= insn_cnt) {
7584                         verbose(env, "invalid insn idx %d insn_cnt %d\n",
7585                                 env->insn_idx, insn_cnt);
7586                         return -EFAULT;
7587                 }
7588 
7589                 insn = &insns[env->insn_idx];
7590                 class = BPF_CLASS(insn->code);
7591 
7592                 if (++env->insn_processed > BPF_COMPLEXITY_LIMIT_INSNS) {
7593                         verbose(env,
7594                                 "BPF program is too large. Processed %d insn\n",
7595                                 env->insn_processed);
7596                         return -E2BIG;
7597                 }
7598 
7599                 err = is_state_visited(env, env->insn_idx);
7600                 if (err < 0)
7601                         return err;
7602                 if (err == 1) {
7603                         /* found equivalent state, can prune the search */
7604                         if (env->log.level & BPF_LOG_LEVEL) {
7605                                 if (do_print_state)
7606                                         verbose(env, "\nfrom %d to %d%s: safe\n",
7607                                                 env->prev_insn_idx, env->insn_idx,
7608                                                 env->cur_state->speculative ?
7609                                                 " (speculative execution)" : "");
7610                                 else
7611                                         verbose(env, "%d: safe\n", env->insn_idx);
7612                         }
7613                         goto process_bpf_exit;
7614                 }
7615 
7616                 if (signal_pending(current))
7617                         return -EAGAIN;
7618 
7619                 if (need_resched())
7620                         cond_resched();
7621 
7622                 if (env->log.level & BPF_LOG_LEVEL2 ||
7623                     (env->log.level & BPF_LOG_LEVEL && do_print_state)) {
7624                         if (env->log.level & BPF_LOG_LEVEL2)
7625                                 verbose(env, "%d:", env->insn_idx);
7626                         else
7627                                 verbose(env, "\nfrom %d to %d%s:",
7628                                         env->prev_insn_idx, env->insn_idx,
7629                                         env->cur_state->speculative ?
7630                                         " (speculative execution)" : "");
7631                         print_verifier_state(env, state->frame[state->curframe]);
7632                         do_print_state = false;
7633                 }
7634 
7635                 if (env->log.level & BPF_LOG_LEVEL) {
7636                         const struct bpf_insn_cbs cbs = {
7637                                 .cb_print       = verbose,
7638                                 .private_data   = env,
7639                         };
7640 
7641                         verbose_linfo(env, env->insn_idx, "; ");
7642                         verbose(env, "%d: ", env->insn_idx);
7643                         print_bpf_insn(&cbs, insn, env->allow_ptr_leaks);
7644                 }
7645 
7646                 if (bpf_prog_is_dev_bound(env->prog->aux)) {
7647                         err = bpf_prog_offload_verify_insn(env, env->insn_idx,
7648                                                            env->prev_insn_idx);
7649                         if (err)
7650                                 return err;
7651                 }
7652 
7653                 regs = cur_regs(env);
7654                 env->insn_aux_data[env->insn_idx].seen = true;
7655                 prev_insn_idx = env->insn_idx;
7656 
7657                 if (class == BPF_ALU || class == BPF_ALU64) {
7658                         err = check_alu_op(env, insn);
7659                         if (err)
7660                                 return err;
7661 
7662                 } else if (class == BPF_LDX) {
7663                         enum bpf_reg_type *prev_src_type, src_reg_type;
7664 
7665                         /* check for reserved fields is already done */
7666 
7667                         /* check src operand */
7668                         err = check_reg_arg(env, insn->src_reg, SRC_OP);
7669                         if (err)
7670                                 return err;
7671 
7672                         err = check_reg_arg(env, insn->dst_reg, DST_OP_NO_MARK);
7673                         if (err)
7674                                 return err;
7675 
7676                         src_reg_type = regs[insn->src_reg].type;
7677 
7678                         /* check that memory (src_reg + off) is readable,
7679                          * the state of dst_reg will be updated by this func
7680                          */
7681                         err = check_mem_access(env, env->insn_idx, insn->src_reg,
7682                                                insn->off, BPF_SIZE(insn->code),
7683                                                BPF_READ, insn->dst_reg, false);
7684                         if (err)
7685                                 return err;
7686 
7687                         prev_src_type = &env->insn_aux_data[env->insn_idx].ptr_type;
7688 
7689                         if (*prev_src_type == NOT_INIT) {
7690                                 /* saw a valid insn
7691                                  * dst_reg = *(u32 *)(src_reg + off)
7692                                  * save type to validate intersecting paths
7693                                  */
7694                                 *prev_src_type = src_reg_type;
7695 
7696                         } else if (reg_type_mismatch(src_reg_type, *prev_src_type)) {
7697                                 /* ABuser program is trying to use the same insn
7698                                  * dst_reg = *(u32*) (src_reg + off)
7699                                  * with different pointer types:
7700                                  * src_reg == ctx in one branch and
7701                                  * src_reg == stack|map in some other branch.
7702                                  * Reject it.
7703                                  */
7704                                 verbose(env, "same insn cannot be used with different pointers\n");
7705                                 return -EINVAL;
7706                         }
7707 
7708                 } else if (class == BPF_STX) {
7709                         enum bpf_reg_type *prev_dst_type, dst_reg_type;
7710 
7711                         if (BPF_MODE(insn->code) == BPF_XADD) {
7712                                 err = check_xadd(env, env->insn_idx, insn);
7713                                 if (err)
7714                                         return err;
7715                                 env->insn_idx++;
7716                                 continue;
7717                         }
7718 
7719                         /* check src1 operand */
7720                         err = check_reg_arg(env, insn->src_reg, SRC_OP);
7721                         if (err)
7722                                 return err;
7723                         /* check src2 operand */
7724                         err = check_reg_arg(env, insn->dst_reg, SRC_OP);
7725                         if (err)
7726                                 return err;
7727 
7728                         dst_reg_type = regs[insn->dst_reg].type;
7729 
7730                         /* check that memory (dst_reg + off) is writeable */
7731                         err = check_mem_access(env, env->insn_idx, insn->dst_reg,
7732                                                insn->off, BPF_SIZE(insn->code),
7733                                                BPF_WRITE, insn->src_reg, false);
7734                         if (err)
7735                                 return err;
7736 
7737                         prev_dst_type = &env->insn_aux_data[env->insn_idx].ptr_type;
7738 
7739                         if (*prev_dst_type == NOT_INIT) {
7740                                 *prev_dst_type = dst_reg_type;
7741                         } else if (reg_type_mismatch(dst_reg_type, *prev_dst_type)) {
7742                                 verbose(env, "same insn cannot be used with different pointers\n");
7743                                 return -EINVAL;
7744                         }
7745 
7746                 } else if (class == BPF_ST) {
7747                         if (BPF_MODE(insn->code) != BPF_MEM ||
7748                             insn->src_reg != BPF_REG_0) {
7749                                 verbose(env, "BPF_ST uses reserved fields\n");
7750                                 return -EINVAL;
7751                         }
7752                         /* check src operand */
7753                         err = check_reg_arg(env, insn->dst_reg, SRC_OP);
7754                         if (err)
7755                                 return err;
7756 
7757                         if (is_ctx_reg(env, insn->dst_reg)) {
7758                                 verbose(env, "BPF_ST stores into R%d %s is not allowed\n",
7759                                         insn->dst_reg,
7760                                         reg_type_str[reg_state(env, insn->dst_reg)->type]);
7761                                 return -EACCES;
7762                         }
7763 
7764                         /* check that memory (dst_reg + off) is writeable */
7765                         err = check_mem_access(env, env->insn_idx, insn->dst_reg,
7766                                                insn->off, BPF_SIZE(insn->code),
7767                                                BPF_WRITE, -1, false);
7768                         if (err)
7769                                 return err;
7770 
7771                 } else if (class == BPF_JMP || class == BPF_JMP32) {
7772                         u8 opcode = BPF_OP(insn->code);
7773 
7774                         env->jmps_processed++;
7775                         if (opcode == BPF_CALL) {
7776                                 if (BPF_SRC(insn->code) != BPF_K ||
7777                                     insn->off != 0 ||
7778                                     (insn->src_reg != BPF_REG_0 &&
7779                                      insn->src_reg != BPF_PSEUDO_CALL) ||
7780                                     insn->dst_reg != BPF_REG_0 ||
7781                                     class == BPF_JMP32) {
7782                                         verbose(env, "BPF_CALL uses reserved fields\n");
7783                                         return -EINVAL;
7784                                 }
7785 
7786                                 if (env->cur_state->active_spin_lock &&
7787                                     (insn->src_reg == BPF_PSEUDO_CALL ||
7788                                      insn->imm != BPF_FUNC_spin_unlock)) {
7789                                         verbose(env, "function calls are not allowed while holding a lock\n");
7790                                         return -EINVAL;
7791                                 }
7792                                 if (insn->src_reg == BPF_PSEUDO_CALL)
7793                                         err = check_func_call(env, insn, &env->insn_idx);
7794                                 else
7795                                         err = check_helper_call(env, insn->imm, env->insn_idx);
7796                                 if (err)
7797                                         return err;
7798 
7799                         } else if (opcode == BPF_JA) {
7800                                 if (BPF_SRC(insn->code) != BPF_K ||
7801                                     insn->imm != 0 ||
7802                                     insn->src_reg != BPF_REG_0 ||
7803                                     insn->dst_reg != BPF_REG_0 ||
7804                                     class == BPF_JMP32) {
7805                                         verbose(env, "BPF_JA uses reserved fields\n");
7806                                         return -EINVAL;
7807                                 }
7808 
7809                                 env->insn_idx += insn->off + 1;
7810                                 continue;
7811 
7812                         } else if (opcode == BPF_EXIT) {
7813                                 if (BPF_SRC(insn->code) != BPF_K ||
7814                                     insn->imm != 0 ||
7815                                     insn->src_reg != BPF_REG_0 ||
7816                                     insn->dst_reg != BPF_REG_0 ||
7817                                     class == BPF_JMP32) {
7818                                         verbose(env, "BPF_EXIT uses reserved fields\n");
7819                                         return -EINVAL;
7820                                 }
7821 
7822                                 if (env->cur_state->active_spin_lock) {
7823                                         verbose(env, "bpf_spin_unlock is missing\n");
7824                                         return -EINVAL;
7825                                 }
7826 
7827                                 if (state->curframe) {
7828                                         /* exit from nested function */
7829                                         err = prepare_func_exit(env, &env->insn_idx);
7830                                         if (err)
7831                                                 return err;
7832                                         do_print_state = true;
7833                                         continue;
7834                                 }
7835 
7836                                 err = check_reference_leak(env);
7837                                 if (err)
7838                                         return err;
7839 
7840                                 /* eBPF calling convetion is such that R0 is used
7841                                  * to return the value from eBPF program.
7842                                  * Make sure that it's readable at this time
7843                                  * of bpf_exit, which means that program wrote
7844                                  * something into it earlier
7845                                  */
7846                                 err = check_reg_arg(env, BPF_REG_0, SRC_OP);
7847                                 if (err)
7848                                         return err;
7849 
7850                                 if (is_pointer_value(env, BPF_REG_0)) {
7851                                         verbose(env, "R0 leaks addr as return value\n");
7852                                         return -EACCES;
7853                                 }
7854 
7855                                 err = check_return_code(env);
7856                                 if (err)
7857                                         return err;
7858 process_bpf_exit:
7859                                 update_branch_counts(env, env->cur_state);
7860                                 err = pop_stack(env, &prev_insn_idx,
7861                                                 &env->insn_idx);
7862                                 if (err < 0) {
7863                                         if (err != -ENOENT)
7864                                                 return err;
7865                                         break;
7866                                 } else {
7867                                         do_print_state = true;
7868                                         continue;
7869                                 }
7870                         } else {
7871                                 err = check_cond_jmp_op(env, insn, &env->insn_idx);
7872                                 if (err)
7873                                         return err;
7874                         }
7875                 } else if (class == BPF_LD) {
7876                         u8 mode = BPF_MODE(insn->code);
7877 
7878                         if (mode == BPF_ABS || mode == BPF_IND) {
7879                                 err = check_ld_abs(env, insn);
7880                                 if (err)
7881                                         return err;
7882 
7883                         } else if (mode == BPF_IMM) {
7884                                 err = check_ld_imm(env, insn);
7885                                 if (err)
7886                                         return err;
7887 
7888                                 env->insn_idx++;
7889                                 env->insn_aux_data[env->insn_idx].seen = true;
7890                         } else {
7891                                 verbose(env, "invalid BPF_LD mode\n");
7892                                 return -EINVAL;
7893                         }
7894                 } else {
7895                         verbose(env, "unknown insn class %d\n", class);
7896                         return -EINVAL;
7897                 }
7898 
7899                 env->insn_idx++;
7900         }
7901 
7902         env->prog->aux->stack_depth = env->subprog_info[0].stack_depth;
7903         return 0;
7904 }
7905 
7906 static int check_map_prealloc(struct bpf_map *map)
7907 {
7908         return (map->map_type != BPF_MAP_TYPE_HASH &&
7909                 map->map_type != BPF_MAP_TYPE_PERCPU_HASH &&
7910                 map->map_type != BPF_MAP_TYPE_HASH_OF_MAPS) ||
7911                 !(map->map_flags & BPF_F_NO_PREALLOC);
7912 }
7913 
7914 static bool is_tracing_prog_type(enum bpf_prog_type type)
7915 {
7916         switch (type) {
7917         case BPF_PROG_TYPE_KPROBE:
7918         case BPF_PROG_TYPE_TRACEPOINT:
7919         case BPF_PROG_TYPE_PERF_EVENT:
7920         case BPF_PROG_TYPE_RAW_TRACEPOINT:
7921                 return true;
7922         default:
7923                 return false;
7924         }
7925 }
7926 
7927 static int check_map_prog_compatibility(struct bpf_verifier_env *env,
7928                                         struct bpf_map *map,
7929                                         struct bpf_prog *prog)
7930 
7931 {
7932         /* Make sure that BPF_PROG_TYPE_PERF_EVENT programs only use
7933          * preallocated hash maps, since doing memory allocation
7934          * in overflow_handler can crash depending on where nmi got
7935          * triggered.
7936          */
7937         if (prog->type == BPF_PROG_TYPE_PERF_EVENT) {
7938                 if (!check_map_prealloc(map)) {
7939                         verbose(env, "perf_event programs can only use preallocated hash map\n");
7940                         return -EINVAL;
7941                 }
7942                 if (map->inner_map_meta &&
7943                     !check_map_prealloc(map->inner_map_meta)) {
7944                         verbose(env, "perf_event programs can only use preallocated inner hash map\n");
7945                         return -EINVAL;
7946                 }
7947         }
7948 
7949         if ((is_tracing_prog_type(prog->type) ||
7950              prog->type == BPF_PROG_TYPE_SOCKET_FILTER) &&
7951             map_value_has_spin_lock(map)) {
7952                 verbose(env, "tracing progs cannot use bpf_spin_lock yet\n");
7953                 return -EINVAL;
7954         }
7955 
7956         if ((bpf_prog_is_dev_bound(prog->aux) || bpf_map_is_dev_bound(map)) &&
7957             !bpf_offload_prog_map_match(prog, map)) {
7958                 verbose(env, "offload device mismatch between prog and map\n");
7959                 return -EINVAL;
7960         }
7961 
7962         return 0;
7963 }
7964 
7965 static bool bpf_map_is_cgroup_storage(struct bpf_map *map)
7966 {
7967         return (map->map_type == BPF_MAP_TYPE_CGROUP_STORAGE ||
7968                 map->map_type == BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE);
7969 }
7970 
7971 /* look for pseudo eBPF instructions that access map FDs and
7972  * replace them with actual map pointers
7973  */
7974 static int replace_map_fd_with_map_ptr(struct bpf_verifier_env *env)
7975 {
7976         struct bpf_insn *insn = env->prog->insnsi;
7977         int insn_cnt = env->prog->len;
7978         int i, j, err;
7979 
7980         err = bpf_prog_calc_tag(env->prog);
7981         if (err)
7982                 return err;
7983 
7984         for (i = 0; i < insn_cnt; i++, insn++) {
7985                 if (BPF_CLASS(insn->code) == BPF_LDX &&
7986                     (BPF_MODE(insn->code) != BPF_MEM || insn->imm != 0)) {
7987                         verbose(env, "BPF_LDX uses reserved fields\n");
7988                         return -EINVAL;
7989                 }
7990 
7991                 if (BPF_CLASS(insn->code) == BPF_STX &&
7992                     ((BPF_MODE(insn->code) != BPF_MEM &&
7993                       BPF_MODE(insn->code) != BPF_XADD) || insn->imm != 0)) {
7994                         verbose(env, "BPF_STX uses reserved fields\n");
7995                         return -EINVAL;
7996                 }
7997 
7998                 if (insn[0].code == (BPF_LD | BPF_IMM | BPF_DW)) {
7999                         struct bpf_insn_aux_data *aux;
8000                         struct bpf_map *map;
8001                         struct fd f;
8002                         u64 addr;
8003 
8004                         if (i == insn_cnt - 1 || insn[1].code != 0 ||
8005                             insn[1].dst_reg != 0 || insn[1].src_reg != 0 ||
8006                             insn[1].off != 0) {
8007                                 verbose(env, "invalid bpf_ld_imm64 insn\n");
8008                                 return -EINVAL;
8009                         }
8010 
8011                         if (insn[0].src_reg == 0)
8012                                 /* valid generic load 64-bit imm */
8013                                 goto next_insn;
8014 
8015                         /* In final convert_pseudo_ld_imm64() step, this is
8016                          * converted into regular 64-bit imm load insn.
8017                          */
8018                         if ((insn[0].src_reg != BPF_PSEUDO_MAP_FD &&
8019                              insn[0].src_reg != BPF_PSEUDO_MAP_VALUE) ||
8020                             (insn[0].src_reg == BPF_PSEUDO_MAP_FD &&
8021                              insn[1].imm != 0)) {
8022                                 verbose(env,
8023                                         "unrecognized bpf_ld_imm64 insn\n");
8024                                 return -EINVAL;
8025                         }
8026 
8027                         f = fdget(insn[0].imm);
8028                         map = __bpf_map_get(f);
8029                         if (IS_ERR(map)) {
8030                                 verbose(env, "fd %d is not pointing to valid bpf_map\n",
8031                                         insn[0].imm);
8032                                 return PTR_ERR(map);
8033                         }
8034 
8035                         err = check_map_prog_compatibility(env, map, env->prog);
8036                         if (err) {
8037                                 fdput(f);
8038                                 return err;
8039                         }
8040 
8041                         aux = &env->insn_aux_data[i];
8042                         if (insn->src_reg == BPF_PSEUDO_MAP_FD) {
8043                                 addr = (unsigned long)map;
8044                         } else {
8045                                 u32 off = insn[1].imm;
8046 
8047                                 if (off >= BPF_MAX_VAR_OFF) {
8048                                         verbose(env, "direct value offset of %u is not allowed\n", off);
8049                                         fdput(f);
8050                                         return -EINVAL;
8051                                 }
8052 
8053                                 if (!map->ops->map_direct_value_addr) {
8054                                         verbose(env, "no direct value access support for this map type\n");
8055                                         fdput(f);
8056                                         return -EINVAL;
8057                                 }
8058 
8059                                 err = map->ops->map_direct_value_addr(map, &addr, off);
8060                                 if (err) {
8061                                         verbose(env, "invalid access to map value pointer, value_size=%u off=%u\n",
8062                                                 map->value_size, off);
8063                                         fdput(f);
8064                                         return err;
8065                                 }
8066 
8067                                 aux->map_off = off;
8068                                 addr += off;
8069                         }
8070 
8071                         insn[0].imm = (u32)addr;
8072                         insn[1].imm = addr >> 32;
8073 
8074                         /* check whether we recorded this map already */
8075                         for (j = 0; j < env->used_map_cnt; j++) {
8076                                 if (env->used_maps[j] == map) {
8077                                         aux->map_index = j;
8078                                         fdput(f);
8079                                         goto next_insn;
8080                                 }
8081                         }
8082 
8083                         if (env->used_map_cnt >= MAX_USED_MAPS) {
8084                                 fdput(f);
8085                                 return -E2BIG;
8086                         }
8087 
8088                         /* hold the map. If the program is rejected by verifier,
8089                          * the map will be released by release_maps() or it
8090                          * will be used by the valid program until it's unloaded
8091                          * and all maps are released in free_used_maps()
8092                          */
8093                         map = bpf_map_inc(map, false);
8094                         if (IS_ERR(map)) {
8095                                 fdput(f);
8096                                 return PTR_ERR(map);
8097                         }
8098 
8099                         aux->map_index = env->used_map_cnt;
8100                         env->used_maps[env->used_map_cnt++] = map;
8101 
8102                         if (bpf_map_is_cgroup_storage(map) &&
8103                             bpf_cgroup_storage_assign(env->prog, map)) {
8104                                 verbose(env, "only one cgroup storage of each type is allowed\n");
8105                                 fdput(f);
8106                                 return -EBUSY;
8107                         }
8108 
8109                         fdput(f);
8110 next_insn:
8111                         insn++;
8112                         i++;
8113                         continue;
8114                 }
8115 
8116                 /* Basic sanity check before we invest more work here. */
8117                 if (!bpf_opcode_in_insntable(insn->code)) {
8118                         verbose(env, "unknown opcode %02x\n", insn->code);
8119                         return -EINVAL;
8120                 }
8121         }
8122 
8123         /* now all pseudo BPF_LD_IMM64 instructions load valid
8124          * 'struct bpf_map *' into a register instead of user map_fd.
8125          * These pointers will be used later by verifier to validate map access.
8126          */
8127         return 0;
8128 }
8129 
8130 /* drop refcnt of maps used by the rejected program */
8131 static void release_maps(struct bpf_verifier_env *env)
8132 {
8133         enum bpf_cgroup_storage_type stype;
8134         int i;
8135 
8136         for_each_cgroup_storage_type(stype) {
8137                 if (!env->prog->aux->cgroup_storage[stype])
8138                         continue;
8139                 bpf_cgroup_storage_release(env->prog,
8140                         env->prog->aux->cgroup_storage[stype]);
8141         }
8142 
8143         for (i = 0; i < env->used_map_cnt; i++)
8144                 bpf_map_put(env->used_maps[i]);
8145 }
8146 
8147 /* convert pseudo BPF_LD_IMM64 into generic BPF_LD_IMM64 */
8148 static void convert_pseudo_ld_imm64(struct bpf_verifier_env *env)
8149 {
8150         struct bpf_insn *insn = env->prog->insnsi;
8151         int insn_cnt = env->prog->len;
8152         int i;
8153 
8154         for (i = 0; i < insn_cnt; i++, insn++)
8155                 if (insn->code == (BPF_LD | BPF_IMM | BPF_DW))
8156                         insn->src_reg = 0;
8157 }
8158 
8159 /* single env->prog->insni[off] instruction was replaced with the range
8160  * insni[off, off + cnt).  Adjust corresponding insn_aux_data by copying
8161  * [0, off) and [off, end) to new locations, so the patched range stays zero
8162  */
8163 static int adjust_insn_aux_data(struct bpf_verifier_env *env,
8164                                 struct bpf_prog *new_prog, u32 off, u32 cnt)
8165 {
8166         struct bpf_insn_aux_data *new_data, *old_data = env->insn_aux_data;
8167         struct bpf_insn *insn = new_prog->insnsi;
8168         u32 prog_len;
8169         int i;
8170 
8171         /* aux info at OFF always needs adjustment, no matter fast path
8172          * (cnt == 1) is taken or not. There is no guarantee INSN at OFF is the
8173          * original insn at old prog.
8174          */
8175         old_data[off].zext_dst = insn_has_def32(env, insn + off + cnt - 1);
8176 
8177         if (cnt == 1)
8178                 return 0;
8179         prog_len = new_prog->len;
8180         new_data = vzalloc(array_size(prog_len,
8181                                       sizeof(struct bpf_insn_aux_data)));
8182         if (!new_data)
8183                 return -ENOMEM;
8184         memcpy(new_data, old_data, sizeof(struct bpf_insn_aux_data) * off);
8185         memcpy(new_data + off + cnt - 1, old_data + off,
8186                sizeof(struct bpf_insn_aux_data) * (prog_len - off - cnt + 1));
8187         for (i = off; i < off + cnt - 1; i++) {
8188                 new_data[i].seen = true;
8189                 new_data[i].zext_dst = insn_has_def32(env, insn + i);
8190         }
8191         env->insn_aux_data = new_data;
8192         vfree(old_data);
8193         return 0;
8194 }
8195 
8196 static void adjust_subprog_starts(struct bpf_verifier_env *env, u32 off, u32 len)
8197 {
8198         int i;
8199 
8200         if (len == 1)
8201                 return;
8202         /* NOTE: fake 'exit' subprog should be updated as well. */
8203         for (i = 0; i <= env->subprog_cnt; i++) {
8204                 if (env->subprog_info[i].start <= off)
8205                         continue;
8206                 env->subprog_info[i].start += len - 1;
8207         }
8208 }
8209 
8210 static struct bpf_prog *bpf_patch_insn_data(struct bpf_verifier_env *env, u32 off,
8211                                             const struct bpf_insn *patch, u32 len)
8212 {
8213         struct bpf_prog *new_prog;
8214 
8215         new_prog = bpf_patch_insn_single(env->prog, off, patch, len);
8216         if (IS_ERR(new_prog)) {
8217                 if (PTR_ERR(new_prog) == -ERANGE)
8218                         verbose(env,
8219                                 "insn %d cannot be patched due to 16-bit range\n",
8220                                 env->insn_aux_data[off].orig_idx);
8221                 return NULL;
8222         }
8223         if (adjust_insn_aux_data(env, new_prog, off, len))
8224                 return NULL;
8225         adjust_subprog_starts(env, off, len);
8226         return new_prog;
8227 }
8228 
8229 static int adjust_subprog_starts_after_remove(struct bpf_verifier_env *env,
8230                                               u32 off, u32 cnt)
8231 {
8232         int i, j;
8233 
8234         /* find first prog starting at or after off (first to remove) */
8235         for (i = 0; i < env->subprog_cnt; i++)
8236                 if (env->subprog_info[i].start >= off)
8237                         break;
8238         /* find first prog starting at or after off + cnt (first to stay) */
8239         for (j = i; j < env->subprog_cnt; j++)
8240                 if (env->subprog_info[j].start >= off + cnt)
8241                         break;
8242         /* if j doesn't start exactly at off + cnt, we are just removing
8243          * the front of previous prog
8244          */
8245         if (env->subprog_info[j].start != off + cnt)
8246                 j--;
8247 
8248         if (j > i) {
8249                 struct bpf_prog_aux *aux = env->prog->aux;
8250                 int move;
8251 
8252                 /* move fake 'exit' subprog as well */
8253                 move = env->subprog_cnt + 1 - j;
8254 
8255                 memmove(env->subprog_info + i,
8256                         env->subprog_info + j,
8257                         sizeof(*env->subprog_info) * move);
8258                 env->subprog_cnt -= j - i;
8259 
8260                 /* remove func_info */
8261                 if (aux->func_info) {
8262                         move = aux->func_info_cnt - j;
8263 
8264                         memmove(aux->func_info + i,
8265                                 aux->func_info + j,
8266                                 sizeof(*aux->func_info) * move);
8267                         aux->func_info_cnt -= j - i;
8268                         /* func_info->insn_off is set after all code rewrites,
8269                          * in adjust_btf_func() - no need to adjust
8270                          */
8271                 }
8272         } else {
8273                 /* convert i from "first prog to remove" to "first to adjust" */
8274                 if (env->subprog_info[i].start == off)
8275                         i++;
8276         }
8277 
8278         /* update fake 'exit' subprog as well */
8279         for (; i <= env->subprog_cnt; i++)
8280                 env->subprog_info[i].start -= cnt;
8281 
8282         return 0;
8283 }
8284 
8285 static int bpf_adj_linfo_after_remove(struct bpf_verifier_env *env, u32 off,
8286                                       u32 cnt)
8287 {
8288         struct bpf_prog *prog = env->prog;
8289         u32 i, l_off, l_cnt, nr_linfo;
8290         struct bpf_line_info *linfo;
8291 
8292         nr_linfo = prog->aux->nr_linfo;
8293         if (!nr_linfo)
8294                 return 0;
8295 
8296         linfo = prog->aux->linfo;
8297 
8298         /* find first line info to remove, count lines to be removed */
8299         for (i = 0; i < nr_linfo; i++)
8300                 if (linfo[i].insn_off >= off)
8301                         break;
8302 
8303         l_off = i;
8304         l_cnt = 0;
8305         for (; i < nr_linfo; i++)
8306                 if (linfo[i].insn_off < off + cnt)
8307                         l_cnt++;
8308                 else
8309                         break;
8310 
8311         /* First live insn doesn't match first live linfo, it needs to "inherit"
8312          * last removed linfo.  prog is already modified, so prog->len == off
8313          * means no live instructions after (tail of the program was removed).
8314          */
8315         if (prog->len != off && l_cnt &&
8316             (i == nr_linfo || linfo[i].insn_off != off + cnt)) {
8317                 l_cnt--;
8318                 linfo[--i].insn_off = off + cnt;
8319         }
8320 
8321         /* remove the line info which refer to the removed instructions */
8322         if (l_cnt) {
8323                 memmove(linfo + l_off, linfo + i,
8324                         sizeof(*linfo) * (nr_linfo - i));
8325 
8326                 prog->aux->nr_linfo -= l_cnt;
8327                 nr_linfo = prog->aux->nr_linfo;
8328         }
8329 
8330         /* pull all linfo[i].insn_off >= off + cnt in by cnt */
8331         for (i = l_off; i < nr_linfo; i++)
8332                 linfo[i].insn_off -= cnt;
8333 
8334         /* fix up all subprogs (incl. 'exit') which start >= off */
8335         for (i = 0; i <= env->subprog_cnt; i++)
8336                 if (env->subprog_info[i].linfo_idx > l_off) {
8337                         /* program may have started in the removed region but
8338                          * may not be fully removed
8339                          */
8340                         if (env->subprog_info[i].linfo_idx >= l_off + l_cnt)
8341                                 env->subprog_info[i].linfo_idx -= l_cnt;
8342                         else
8343                                 env->subprog_info[i].linfo_idx = l_off;
8344                 }
8345 
8346         return 0;
8347 }
8348 
8349 static int verifier_remove_insns(struct bpf_verifier_env *env, u32 off, u32 cnt)
8350 {
8351         struct bpf_insn_aux_data *aux_data = env->insn_aux_data;
8352         unsigned int orig_prog_len = env->prog->len;
8353         int err;
8354 
8355         if (bpf_prog_is_dev_bound(env->prog->aux))
8356                 bpf_prog_offload_remove_insns(env, off, cnt);
8357 
8358         err = bpf_remove_insns(env->prog, off, cnt);
8359         if (err)
8360                 return err;
8361 
8362         err = adjust_subprog_starts_after_remove(env, off, cnt);
8363         if (err)
8364                 return err;
8365 
8366         err = bpf_adj_linfo_after_remove(env, off, cnt);
8367         if (err)
8368                 return err;
8369 
8370         memmove(aux_data + off, aux_data + off + cnt,
8371                 sizeof(*aux_data) * (orig_prog_len - off - cnt));
8372 
8373         return 0;
8374 }
8375 
8376 /* The verifier does more data flow analysis than llvm and will not
8377  * explore branches that are dead at run time. Malicious programs can
8378  * have dead code too. Therefore replace all dead at-run-time code
8379  * with 'ja -1'.
8380  *
8381  * Just nops are not optimal, e.g. if they would sit at the end of the
8382  * program and through another bug we would manage to jump there, then
8383  * we'd execute beyond program memory otherwise. Returning exception
8384  * code also wouldn't work since we can have subprogs where the dead
8385  * code could be located.
8386  */
8387 static void sanitize_dead_code(struct bpf_verifier_env *env)
8388 {
8389         struct bpf_insn_aux_data *aux_data = env->insn_aux_data;
8390         struct bpf_insn trap = BPF_JMP_IMM(BPF_JA, 0, 0, -1);
8391         struct bpf_insn *insn = env->prog->insnsi;
8392         const int insn_cnt = env->prog->len;
8393         int i;
8394 
8395         for (i = 0; i < insn_cnt; i++) {
8396                 if (aux_data[i].seen)
8397                         continue;
8398                 memcpy(insn + i, &trap, sizeof(trap));
8399         }
8400 }
8401 
8402 static bool insn_is_cond_jump(u8 code)
8403 {
8404         u8 op;
8405 
8406         if (BPF_CLASS(code) == BPF_JMP32)
8407                 return true;
8408 
8409         if (BPF_CLASS(code) != BPF_JMP)
8410                 return false;
8411 
8412         op = BPF_OP(code);
8413         return op != BPF_JA && op != BPF_EXIT && op != BPF_CALL;
8414 }
8415 
8416 static void opt_hard_wire_dead_code_branches(struct bpf_verifier_env *env)
8417 {
8418         struct bpf_insn_aux_data *aux_data = env->insn_aux_data;
8419         struct bpf_insn ja = BPF_JMP_IMM(BPF_JA, 0, 0, 0);
8420         struct bpf_insn *insn = env->prog->insnsi;
8421         const int insn_cnt = env->prog->len;
8422         int i;
8423 
8424         for (i = 0; i < insn_cnt; i++, insn++) {
8425                 if (!insn_is_cond_jump(insn->code))
8426                         continue;
8427 
8428                 if (!aux_data[i + 1].seen)
8429                         ja.off = insn->off;
8430                 else if (!aux_data[i + 1 + insn->off].seen)
8431                         ja.off = 0;
8432                 else
8433                         continue;
8434 
8435                 if (bpf_prog_is_dev_bound(env->prog->aux))
8436                         bpf_prog_offload_replace_insn(env, i, &ja);
8437 
8438                 memcpy(insn, &ja, sizeof(ja));
8439         }
8440 }
8441 
8442 static int opt_remove_dead_code(struct bpf_verifier_env *env)
8443 {
8444         struct bpf_insn_aux_data *aux_data = env->insn_aux_data;
8445         int insn_cnt = env->prog->len;
8446         int i, err;
8447 
8448         for (i = 0; i < insn_cnt; i++) {
8449                 int j;
8450 
8451                 j = 0;
8452                 while (i + j < insn_cnt && !aux_data[i + j].seen)
8453                         j++;
8454                 if (!j)
8455                         continue;
8456 
8457                 err = verifier_remove_insns(env, i, j);
8458                 if (err)
8459                         return err;
8460                 insn_cnt = env->prog->len;
8461         }
8462 
8463         return 0;
8464 }
8465 
8466 static int opt_remove_nops(struct bpf_verifier_env *env)
8467 {
8468         const struct bpf_insn ja = BPF_JMP_IMM(BPF_JA, 0, 0, 0);
8469         struct bpf_insn *insn = env->prog->insnsi;
8470         int insn_cnt = env->prog->len;
8471         int i, err;
8472 
8473         for (i = 0; i < insn_cnt; i++) {
8474                 if (memcmp(&insn[i], &ja, sizeof(ja)))
8475                         continue;
8476 
8477                 err = verifier_remove_insns(env, i, 1);
8478                 if (err)
8479                         return err;
8480                 insn_cnt--;
8481                 i--;
8482         }
8483 
8484         return 0;
8485 }
8486 
8487 static int opt_subreg_zext_lo32_rnd_hi32(struct bpf_verifier_env *env,
8488                                          const union bpf_attr *attr)
8489 {
8490         struct bpf_insn *patch, zext_patch[2], rnd_hi32_patch[4];
8491         struct bpf_insn_aux_data *aux = env->insn_aux_data;
8492         int i, patch_len, delta = 0, len = env->prog->len;
8493         struct bpf_insn *insns = env->prog->insnsi;
8494         struct bpf_prog *new_prog;
8495         bool rnd_hi32;
8496 
8497         rnd_hi32 = attr->prog_flags & BPF_F_TEST_RND_HI32;
8498         zext_patch[1] = BPF_ZEXT_REG(0);
8499         rnd_hi32_patch[1] = BPF_ALU64_IMM(BPF_MOV, BPF_REG_AX, 0);
8500         rnd_hi32_patch[2] = BPF_ALU64_IMM(BPF_LSH, BPF_REG_AX, 32);
8501         rnd_hi32_patch[3] = BPF_ALU64_REG(BPF_OR, 0, BPF_REG_AX);
8502         for (i = 0; i < len; i++) {
8503                 int adj_idx = i + delta;
8504                 struct bpf_insn insn;
8505 
8506                 insn = insns[adj_idx];
8507                 if (!aux[adj_idx].zext_dst) {
8508                         u8 code, class;
8509                         u32 imm_rnd;
8510 
8511                         if (!rnd_hi32)
8512                                 continue;
8513 
8514                         code = insn.code;
8515                         class = BPF_CLASS(code);
8516                         if (insn_no_def(&insn))
8517                                 continue;
8518 
8519                         /* NOTE: arg "reg" (the fourth one) is only used for
8520                          *       BPF_STX which has been ruled out in above
8521                          *       check, it is safe to pass NULL here.
8522                          */
8523                         if (is_reg64(env, &insn, insn.dst_reg, NULL, DST_OP)) {
8524                                 if (class == BPF_LD &&
8525                                     BPF_MODE(code) == BPF_IMM)
8526                                         i++;
8527                                 continue;
8528                         }
8529 
8530                         /* ctx load could be transformed into wider load. */
8531                         if (class == BPF_LDX &&
8532                             aux[adj_idx].ptr_type == PTR_TO_CTX)
8533                                 continue;
8534 
8535                         imm_rnd = get_random_int();
8536                         rnd_hi32_patch[0] = insn;
8537                         rnd_hi32_patch[1].imm = imm_rnd;
8538                         rnd_hi32_patch[3].dst_reg = insn.dst_reg;
8539                         patch = rnd_hi32_patch;
8540                         patch_len = 4;
8541                         goto apply_patch_buffer;
8542                 }
8543 
8544                 if (!bpf_jit_needs_zext())
8545                         continue;
8546 
8547                 zext_patch[0] = insn;
8548                 zext_patch[1].dst_reg = insn.dst_reg;
8549                 zext_patch[1].src_reg = insn.dst_reg;
8550                 patch = zext_patch;
8551                 patch_len = 2;
8552 apply_patch_buffer:
8553                 new_prog = bpf_patch_insn_data(env, adj_idx, patch, patch_len);
8554                 if (!new_prog)
8555                         return -ENOMEM;
8556                 env->prog = new_prog;
8557                 insns = new_prog->insnsi;
8558                 aux = env->insn_aux_data;
8559                 delta += patch_len - 1;
8560         }
8561 
8562         return 0;
8563 }
8564 
8565 /* convert load instructions that access fields of a context type into a
8566  * sequence of instructions that access fields of the underlying structure:
8567  *     struct __sk_buff    -> struct sk_buff
8568  *     struct bpf_sock_ops -> struct sock
8569  */
8570 static int convert_ctx_accesses(struct bpf_verifier_env *env)
8571 {
8572         const struct bpf_verifier_ops *ops = env->ops;
8573         int i, cnt, size, ctx_field_size, delta = 0;
8574         const int insn_cnt = env->prog->len;
8575         struct bpf_insn insn_buf[16], *insn;
8576         u32 target_size, size_default, off;
8577         struct bpf_prog *new_prog;
8578         enum bpf_access_type type;
8579         bool is_narrower_load;
8580 
8581         if (ops->gen_prologue || env->seen_direct_write) {
8582                 if (!ops->gen_prologue) {
8583                         verbose(env, "bpf verifier is misconfigured\n");
8584                         return -EINVAL;
8585                 }
8586                 cnt = ops->gen_prologue(insn_buf, env->seen_direct_write,
8587                                         env->prog);
8588                 if (cnt >= ARRAY_SIZE(insn_buf)) {
8589                         verbose(env, "bpf verifier is misconfigured\n");
8590                         return -EINVAL;
8591                 } else if (cnt) {
8592                         new_prog = bpf_patch_insn_data(env, 0, insn_buf, cnt);
8593                         if (!new_prog)
8594                                 return -ENOMEM;
8595 
8596                         env->prog = new_prog;
8597                         delta += cnt - 1;
8598                 }
8599         }
8600 
8601         if (bpf_prog_is_dev_bound(env->prog->aux))
8602                 return 0;
8603 
8604         insn = env->prog->insnsi + delta;
8605 
8606         for (i = 0; i < insn_cnt; i++, insn++) {
8607                 bpf_convert_ctx_access_t convert_ctx_access;
8608 
8609                 if (insn->code == (BPF_LDX | BPF_MEM | BPF_B) ||
8610                     insn->code == (BPF_LDX | BPF_MEM | BPF_H) ||
8611                     insn->code == (BPF_LDX | BPF_MEM | BPF_W) ||
8612                     insn->code == (BPF_LDX | BPF_MEM | BPF_DW))
8613                         type = BPF_READ;
8614                 else if (insn->code == (BPF_STX | BPF_MEM | BPF_B) ||
8615                          insn->code == (BPF_STX | BPF_MEM | BPF_H) ||
8616                          insn->code == (BPF_STX | BPF_MEM | BPF_W) ||
8617                          insn->code == (BPF_STX | BPF_MEM | BPF_DW))
8618                         type = BPF_WRITE;
8619                 else
8620                         continue;
8621 
8622                 if (type == BPF_WRITE &&
8623                     env->insn_aux_data[i + delta].sanitize_stack_off) {
8624                         struct bpf_insn patch[] = {
8625                                 /* Sanitize suspicious stack slot with zero.
8626                                  * There are no memory dependencies for this store,
8627                                  * since it's only using frame pointer and immediate
8628                                  * constant of zero
8629                                  */
8630                                 BPF_ST_MEM(BPF_DW, BPF_REG_FP,
8631                                            env->insn_aux_data[i + delta].sanitize_stack_off,
8632                                            0),
8633                                 /* the original STX instruction will immediately
8634                                  * overwrite the same stack slot with appropriate value
8635                                  */
8636                                 *insn,
8637                         };
8638 
8639                         cnt = ARRAY_SIZE(patch);
8640                         new_prog = bpf_patch_insn_data(env, i + delta, patch, cnt);
8641                         if (!new_prog)
8642                                 return -ENOMEM;
8643 
8644                         delta    += cnt - 1;
8645                         env->prog = new_prog;
8646                         insn      = new_prog->insnsi + i + delta;
8647                         continue;
8648                 }
8649 
8650                 switch (env->insn_aux_data[i + delta].ptr_type) {
8651                 case PTR_TO_CTX:
8652                         if (!ops->convert_ctx_access)
8653                                 continue;
8654                         convert_ctx_access = ops->convert_ctx_access;
8655                         break;
8656                 case PTR_TO_SOCKET:
8657                 case PTR_TO_SOCK_COMMON:
8658                         convert_ctx_access = bpf_sock_convert_ctx_access;
8659                         break;
8660                 case PTR_TO_TCP_SOCK:
8661                         convert_ctx_access = bpf_tcp_sock_convert_ctx_access;
8662                         break;
8663                 case PTR_TO_XDP_SOCK:
8664                         convert_ctx_access = bpf_xdp_sock_convert_ctx_access;
8665                         break;
8666                 default:
8667                         continue;
8668                 }
8669 
8670                 ctx_field_size = env->insn_aux_data[i + delta].ctx_field_size;
8671                 size = BPF_LDST_BYTES(insn);
8672 
8673                 /* If the read access is a narrower load of the field,
8674                  * convert to a 4/8-byte load, to minimum program type specific
8675                  * convert_ctx_access changes. If conversion is successful,
8676                  * we will apply proper mask to the result.
8677                  */
8678                 is_narrower_load = size < ctx_field_size;
8679                 size_default = bpf_ctx_off_adjust_machine(ctx_field_size);
8680                 off = insn->off;
8681                 if (is_narrower_load) {
8682                         u8 size_code;
8683 
8684                         if (type == BPF_WRITE) {
8685                                 verbose(env, "bpf verifier narrow ctx access misconfigured\n");
8686                                 return -EINVAL;
8687                         }
8688 
8689                         size_code = BPF_H;
8690                         if (ctx_field_size == 4)
8691                                 size_code = BPF_W;
8692                         else if (ctx_field_size == 8)
8693                                 size_code = BPF_DW;
8694 
8695                         insn->off = off & ~(size_default - 1);
8696                         insn->code = BPF_LDX | BPF_MEM | size_code;
8697                 }
8698 
8699                 target_size = 0;
8700                 cnt = convert_ctx_access(type, insn, insn_buf, env->prog,
8701                                          &target_size);
8702                 if (cnt == 0 || cnt >= ARRAY_SIZE(insn_buf) ||
8703                     (ctx_field_size && !target_size)) {
8704                         verbose(env, "bpf verifier is misconfigured\n");
8705                         return -EINVAL;
8706                 }
8707 
8708                 if (is_narrower_load && size < target_size) {
8709                         u8 shift = bpf_ctx_narrow_access_offset(
8710                                 off, size, size_default) * 8;
8711                         if (ctx_field_size <= 4) {
8712                                 if (shift)
8713                                         insn_buf[cnt++] = BPF_ALU32_IMM(BPF_RSH,
8714                                                                         insn->dst_reg,
8715                                                                         shift);
8716                                 insn_buf[cnt++] = BPF_ALU32_IMM(BPF_AND, insn->dst_reg,
8717                                                                 (1 << size * 8) - 1);
8718                         } else {
8719                                 if (shift)
8720                                         insn_buf[cnt++] = BPF_ALU64_IMM(BPF_RSH,
8721                                                                         insn->dst_reg,
8722                                                                         shift);
8723                                 insn_buf[cnt++] = BPF_ALU64_IMM(BPF_AND, insn->dst_reg,
8724                                                                 (1ULL << size * 8) - 1);
8725                         }
8726                 }
8727 
8728                 new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
8729                 if (!new_prog)
8730                         return -ENOMEM;
8731 
8732                 delta += cnt - 1;
8733 
8734                 /* keep walking new program and skip insns we just inserted */
8735                 env->prog = new_prog;
8736                 insn      = new_prog->insnsi + i + delta;
8737         }
8738 
8739         return 0;
8740 }
8741 
8742 static int jit_subprogs(struct bpf_verifier_env *env)
8743 {
8744         struct bpf_prog *prog = env->prog, **func, *tmp;
8745         int i, j, subprog_start, subprog_end = 0, len, subprog;
8746         struct bpf_insn *insn;
8747         void *old_bpf_func;
8748         int err;
8749 
8750         if (env->subprog_cnt <= 1)
8751                 return 0;
8752 
8753         for (i = 0, insn = prog->insnsi; i < prog->len; i++, insn++) {
8754                 if (insn->code != (BPF_JMP | BPF_CALL) ||
8755                     insn->src_reg != BPF_PSEUDO_CALL)
8756                         continue;
8757                 /* Upon error here we cannot fall back to interpreter but
8758                  * need a hard reject of the program. Thus -EFAULT is
8759                  * propagated in any case.
8760                  */
8761                 subprog = find_subprog(env, i + insn->imm + 1);
8762                 if (subprog < 0) {
8763                         WARN_ONCE(1, "verifier bug. No program starts at insn %d\n",
8764                                   i + insn->imm + 1);
8765                         return -EFAULT;
8766                 }
8767                 /* temporarily remember subprog id inside insn instead of
8768                  * aux_data, since next loop will split up all insns into funcs
8769                  */
8770                 insn->off = subprog;
8771                 /* remember original imm in case JIT fails and fallback
8772                  * to interpreter will be needed
8773                  */
8774                 env->insn_aux_data[i].call_imm = insn->imm;
8775                 /* point imm to __bpf_call_base+1 from JITs point of view */
8776                 insn->imm = 1;
8777         }
8778 
8779         err = bpf_prog_alloc_jited_linfo(prog);
8780         if (err)
8781                 goto out_undo_insn;
8782 
8783         err = -ENOMEM;
8784         func = kcalloc(env->subprog_cnt, sizeof(prog), GFP_KERNEL);
8785         if (!func)
8786                 goto out_undo_insn;
8787 
8788         for (i = 0; i < env->subprog_cnt; i++) {
8789                 subprog_start = subprog_end;
8790                 subprog_end = env->subprog_info[i + 1].start;
8791 
8792                 len = subprog_end - subprog_start;
8793                 /* BPF_PROG_RUN doesn't call subprogs directly,
8794                  * hence main prog stats include the runtime of subprogs.
8795                  * subprogs don't have IDs and not reachable via prog_get_next_id
8796                  * func[i]->aux->stats will never be accessed and stays NULL
8797                  */
8798                 func[i] = bpf_prog_alloc_no_stats(bpf_prog_size(len), GFP_USER);
8799                 if (!func[i])
8800                         goto out_free;
8801                 memcpy(func[i]->insnsi, &prog->insnsi[subprog_start],
8802                        len * sizeof(struct bpf_insn));
8803                 func[i]->type = prog->type;
8804                 func[i]->len = len;
8805                 if (bpf_prog_calc_tag(func[i]))
8806                         goto out_free;
8807                 func[i]->is_func = 1;
8808                 func[i]->aux->func_idx = i;
8809                 /* the btf and func_info will be freed only at prog->aux */
8810                 func[i]->aux->btf = prog->aux->btf;
8811                 func[i]->aux->func_info = prog->aux->func_info;
8812 
8813                 /* Use bpf_prog_F_tag to indicate functions in stack traces.
8814                  * Long term would need debug info to populate names
8815                  */
8816                 func[i]->aux->name[0] = 'F';
8817                 func[i]->aux->stack_depth = env->subprog_info[i].stack_depth;
8818                 func[i]->jit_requested = 1;
8819                 func[i]->aux->linfo = prog->aux->linfo;
8820                 func[i]->aux->nr_linfo = prog->aux->nr_linfo;
8821                 func[i]->aux->jited_linfo = prog->aux->jited_linfo;
8822                 func[i]->aux->linfo_idx = env->subprog_info[i].linfo_idx;
8823                 func[i] = bpf_int_jit_compile(func[i]);
8824                 if (!func[i]->jited) {
8825                         err = -ENOTSUPP;
8826                         goto out_free;
8827                 }
8828                 cond_resched();
8829         }
8830         /* at this point all bpf functions were successfully JITed
8831          * now populate all bpf_calls with correct addresses and
8832          * run last pass of JIT
8833          */
8834         for (i = 0; i < env->subprog_cnt; i++) {
8835                 insn = func[i]->insnsi;
8836                 for (j = 0; j < func[i]->len; j++, insn++) {
8837                         if (insn->code != (BPF_JMP | BPF_CALL) ||
8838                             insn->src_reg != BPF_PSEUDO_CALL)
8839                                 continue;
8840                         subprog = insn->off;
8841                         insn->imm = BPF_CAST_CALL(func[subprog]->bpf_func) -
8842                                     __bpf_call_base;
8843                 }
8844 
8845                 /* we use the aux data to keep a list of the start addresses
8846                  * of the JITed images for each function in the program
8847                  *
8848                  * for some architectures, such as powerpc64, the imm field
8849                  * might not be large enough to hold the offset of the start
8850                  * address of the callee's JITed image from __bpf_call_base
8851                  *
8852                  * in such cases, we can lookup the start address of a callee
8853                  * by using its subprog id, available from the off field of
8854                  * the call instruction, as an index for this list
8855                  */
8856                 func[i]->aux->func = func;
8857                 func[i]->aux->func_cnt = env->subprog_cnt;
8858         }
8859         for (i = 0; i < env->subprog_cnt; i++) {
8860                 old_bpf_func = func[i]->bpf_func;
8861                 tmp = bpf_int_jit_compile(func[i]);
8862                 if (tmp != func[i] || func[i]->bpf_func != old_bpf_func) {
8863                         verbose(env, "JIT doesn't support bpf-to-bpf calls\n");
8864                         err = -ENOTSUPP;
8865                         goto out_free;
8866                 }
8867                 cond_resched();
8868         }
8869 
8870         /* finally lock prog and jit images for all functions and
8871          * populate kallsysm
8872          */
8873         for (i = 0; i < env->subprog_cnt; i++) {
8874                 bpf_prog_lock_ro(func[i]);
8875                 bpf_prog_kallsyms_add(func[i]);
8876         }
8877 
8878         /* Last step: make now unused interpreter insns from main
8879          * prog consistent for later dump requests, so they can
8880          * later look the same as if they were interpreted only.
8881          */
8882         for (i = 0, insn = prog->insnsi; i < prog->len; i++, insn++) {
8883                 if (insn->code != (BPF_JMP | BPF_CALL) ||
8884                     insn->src_reg != BPF_PSEUDO_CALL)
8885                         continue;
8886                 insn->off = env->insn_aux_data[i].call_imm;
8887                 subprog = find_subprog(env, i + insn->off + 1);
8888                 insn->imm = subprog;
8889         }
8890 
8891         prog->jited = 1;
8892         prog->bpf_func = func[0]->bpf_func;
8893         prog->aux->func = func;
8894         prog->aux->func_cnt = env->subprog_cnt;
8895         bpf_prog_free_unused_jited_linfo(prog);
8896         return 0;
8897 out_free:
8898         for (i = 0; i < env->subprog_cnt; i++)
8899                 if (func[i])
8900                         bpf_jit_free(func[i]);
8901         kfree(func);
8902 out_undo_insn:
8903         /* cleanup main prog to be interpreted */
8904         prog->jit_requested = 0;
8905         for (i = 0, insn = prog->insnsi; i < prog->len; i++, insn++) {
8906                 if (insn->code != (BPF_JMP | BPF_CALL) ||
8907                     insn->src_reg != BPF_PSEUDO_CALL)
8908                         continue;
8909                 insn->off = 0;
8910                 insn->imm = env->insn_aux_data[i].call_imm;
8911         }
8912         bpf_prog_free_jited_linfo(prog);
8913         return err;
8914 }
8915 
8916 static int fixup_call_args(struct bpf_verifier_env *env)
8917 {
8918 #ifndef CONFIG_BPF_JIT_ALWAYS_ON
8919         struct bpf_prog *prog = env->prog;
8920         struct bpf_insn *insn = prog->insnsi;
8921         int i, depth;
8922 #endif
8923         int err = 0;
8924 
8925         if (env->prog->jit_requested &&
8926             !bpf_prog_is_dev_bound(env->prog->aux)) {
8927                 err = jit_subprogs(env);
8928                 if (err == 0)
8929                         return 0;
8930                 if (err == -EFAULT)
8931                         return err;
8932         }
8933 #ifndef CONFIG_BPF_JIT_ALWAYS_ON
8934         for (i = 0; i < prog->len; i++, insn++) {
8935                 if (insn->code != (BPF_JMP | BPF_CALL) ||
8936                     insn->src_reg != BPF_PSEUDO_CALL)
8937                         continue;
8938                 depth = get_callee_stack_depth(env, insn, i);
8939                 if (depth < 0)
8940                         return depth;
8941                 bpf_patch_call_args(insn, depth);
8942         }
8943         err = 0;
8944 #endif
8945         return err;
8946 }
8947 
8948 /* fixup insn->imm field of bpf_call instructions
8949  * and inline eligible helpers as explicit sequence of BPF instructions
8950  *
8951  * this function is called after eBPF program passed verification
8952  */
8953 static int fixup_bpf_calls(struct bpf_verifier_env *env)
8954 {
8955         struct bpf_prog *prog = env->prog;
8956         struct bpf_insn *insn = prog->insnsi;
8957         const struct bpf_func_proto *fn;
8958         const int insn_cnt = prog->len;
8959         const struct bpf_map_ops *ops;
8960         struct bpf_insn_aux_data *aux;
8961         struct bpf_insn insn_buf[16];
8962         struct bpf_prog *new_prog;
8963         struct bpf_map *map_ptr;
8964         int i, cnt, delta = 0;
8965 
8966         for (i = 0; i < insn_cnt; i++, insn++) {
8967                 if (insn->code == (BPF_ALU64 | BPF_MOD | BPF_X) ||
8968                     insn->code == (BPF_ALU64 | BPF_DIV | BPF_X) ||
8969                     insn->code == (BPF_ALU | BPF_MOD | BPF_X) ||
8970                     insn->code == (BPF_ALU | BPF_DIV | BPF_X)) {
8971                         bool is64 = BPF_CLASS(insn->code) == BPF_ALU64;
8972                         struct bpf_insn mask_and_div[] = {
8973                                 BPF_MOV32_REG(insn->src_reg, insn->src_reg),
8974                                 /* Rx div 0 -> 0 */
8975                                 BPF_JMP_IMM(BPF_JNE, insn->src_reg, 0, 2),
8976                                 BPF_ALU32_REG(BPF_XOR, insn->dst_reg, insn->dst_reg),
8977                                 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8978                                 *insn,
8979                         };
8980                         struct bpf_insn mask_and_mod[] = {
8981                                 BPF_MOV32_REG(insn->src_reg, insn->src_reg),
8982                                 /* Rx mod 0 -> Rx */
8983                                 BPF_JMP_IMM(BPF_JEQ, insn->src_reg, 0, 1),
8984                                 *insn,
8985                         };
8986                         struct bpf_insn *patchlet;
8987 
8988                         if (insn->code == (BPF_ALU64 | BPF_DIV | BPF_X) ||
8989                             insn->code == (BPF_ALU | BPF_DIV | BPF_X)) {
8990                                 patchlet = mask_and_div + (is64 ? 1 : 0);
8991                                 cnt = ARRAY_SIZE(mask_and_div) - (is64 ? 1 : 0);
8992                         } else {
8993                                 patchlet = mask_and_mod + (is64 ? 1 : 0);
8994                                 cnt = ARRAY_SIZE(mask_and_mod) - (is64 ? 1 : 0);
8995                         }
8996 
8997                         new_prog = bpf_patch_insn_data(env, i + delta, patchlet, cnt);
8998                         if (!new_prog)
8999                                 return -ENOMEM;
9000 
9001                         delta    += cnt - 1;
9002                         env->prog = prog = new_prog;
9003                         insn      = new_prog->insnsi + i + delta;
9004                         continue;
9005                 }
9006 
9007                 if (BPF_CLASS(insn->code) == BPF_LD &&
9008                     (BPF_MODE(insn->code) == BPF_ABS ||
9009                      BPF_MODE(insn->code) == BPF_IND)) {
9010                         cnt = env->ops->gen_ld_abs(insn, insn_buf);
9011                         if (cnt == 0 || cnt >= ARRAY_SIZE(insn_buf)) {
9012                                 verbose(env, "bpf verifier is misconfigured\n");
9013                                 return -EINVAL;
9014                         }
9015 
9016                         new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
9017                         if (!new_prog)
9018                                 return -ENOMEM;
9019 
9020                         delta    += cnt - 1;
9021                         env->prog = prog = new_prog;
9022                         insn      = new_prog->insnsi + i + delta;
9023                         continue;
9024                 }
9025 
9026                 if (insn->code == (BPF_ALU64 | BPF_ADD | BPF_X) ||
9027                     insn->code == (BPF_ALU64 | BPF_SUB | BPF_X)) {
9028                         const u8 code_add = BPF_ALU64 | BPF_ADD | BPF_X;
9029                         const u8 code_sub = BPF_ALU64 | BPF_SUB | BPF_X;
9030                         struct bpf_insn insn_buf[16];
9031                         struct bpf_insn *patch = &insn_buf[0];
9032                         bool issrc, isneg;
9033                         u32 off_reg;
9034 
9035                         aux = &env->insn_aux_data[i + delta];
9036                         if (!aux->alu_state ||
9037                             aux->alu_state == BPF_ALU_NON_POINTER)
9038                                 continue;
9039 
9040                         isneg = aux->alu_state & BPF_ALU_NEG_VALUE;
9041                         issrc = (aux->alu_state & BPF_ALU_SANITIZE) ==
9042                                 BPF_ALU_SANITIZE_SRC;
9043 
9044                         off_reg = issrc ? insn->src_reg : insn->dst_reg;
9045                         if (isneg)
9046                                 *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1);
9047                         *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit - 1);
9048                         *patch++ = BPF_ALU64_REG(BPF_SUB, BPF_REG_AX, off_reg);
9049                         *patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg);
9050                         *patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0);
9051                         *patch++ = BPF_ALU64_IMM(BPF_ARSH, BPF_REG_AX, 63);
9052                         if (issrc) {
9053                                 *patch++ = BPF_ALU64_REG(BPF_AND, BPF_REG_AX,
9054                                                          off_reg);
9055                                 insn->src_reg = BPF_REG_AX;
9056                         } else {
9057                                 *patch++ = BPF_ALU64_REG(BPF_AND, off_reg,
9058                                                          BPF_REG_AX);
9059                         }
9060                         if (isneg)
9061                                 insn->code = insn->code == code_add ?
9062                                              code_sub : code_add;
9063                         *patch++ = *insn;
9064                         if (issrc && isneg)
9065                                 *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1);
9066                         cnt = patch - insn_buf;
9067 
9068                         new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
9069                         if (!new_prog)
9070                                 return -ENOMEM;
9071 
9072                         delta    += cnt - 1;
9073                         env->prog = prog = new_prog;
9074                         insn      = new_prog->insnsi + i + delta;
9075                         continue;
9076                 }
9077 
9078                 if (insn->code != (BPF_JMP | BPF_CALL))
9079                         continue;
9080                 if (insn->src_reg == BPF_PSEUDO_CALL)
9081                         continue;
9082 
9083                 if (insn->imm == BPF_FUNC_get_route_realm)
9084                         prog->dst_needed = 1;
9085                 if (insn->imm == BPF_FUNC_get_prandom_u32)
9086                         bpf_user_rnd_init_once();
9087                 if (insn->imm == BPF_FUNC_override_return)
9088                         prog->kprobe_override = 1;
9089                 if (insn->imm == BPF_FUNC_tail_call) {
9090                         /* If we tail call into other programs, we
9091                          * cannot make any assumptions since they can
9092                          * be replaced dynamically during runtime in
9093                          * the program array.
9094                          */
9095                         prog->cb_access = 1;
9096                         env->prog->aux->stack_depth = MAX_BPF_STACK;
9097                         env->prog->aux->max_pkt_offset = MAX_PACKET_OFF;
9098 
9099                         /* mark bpf_tail_call as different opcode to avoid
9100                          * conditional branch in the interpeter for every normal
9101                          * call and to prevent accidental JITing by JIT compiler
9102                          * that doesn't support bpf_tail_call yet
9103                          */
9104                         insn->imm = 0;
9105                         insn->code = BPF_JMP | BPF_TAIL_CALL;
9106 
9107                         aux = &env->insn_aux_data[i + delta];
9108                         if (!bpf_map_ptr_unpriv(aux))
9109                                 continue;
9110 
9111                         /* instead of changing every JIT dealing with tail_call
9112                          * emit two extra insns:
9113                          * if (index >= max_entries) goto out;
9114                          * index &= array->index_mask;
9115                          * to avoid out-of-bounds cpu speculation
9116                          */
9117                         if (bpf_map_ptr_poisoned(aux)) {
9118                                 verbose(env, "tail_call abusing map_ptr\n");
9119                                 return -EINVAL;
9120                         }
9121 
9122                         map_ptr = BPF_MAP_PTR(aux->map_state);
9123                         insn_buf[0] = BPF_JMP_IMM(BPF_JGE, BPF_REG_3,
9124                                                   map_ptr->max_entries, 2);
9125                         insn_buf[1] = BPF_ALU32_IMM(BPF_AND, BPF_REG_3,
9126                                                     container_of(map_ptr,
9127                                                                  struct bpf_array,
9128                                                                  map)->index_mask);
9129                         insn_buf[2] = *insn;
9130                         cnt = 3;
9131                         new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
9132                         if (!new_prog)
9133                                 return -ENOMEM;
9134 
9135                         delta    += cnt - 1;
9136                         env->prog = prog = new_prog;
9137                         insn      = new_prog->insnsi + i + delta;
9138                         continue;
9139                 }
9140 
9141                 /* BPF_EMIT_CALL() assumptions in some of the map_gen_lookup
9142                  * and other inlining handlers are currently limited to 64 bit
9143                  * only.
9144                  */
9145                 if (prog->jit_requested && BITS_PER_LONG == 64 &&
9146                     (insn->imm == BPF_FUNC_map_lookup_elem ||
9147                      insn->imm == BPF_FUNC_map_update_elem ||
9148                      insn->imm == BPF_FUNC_map_delete_elem ||
9149                      insn->imm == BPF_FUNC_map_push_elem   ||
9150                      insn->imm == BPF_FUNC_map_pop_elem    ||
9151                      insn->imm == BPF_FUNC_map_peek_elem)) {
9152                         aux = &env->insn_aux_data[i + delta];
9153                         if (bpf_map_ptr_poisoned(aux))
9154                                 goto patch_call_imm;
9155 
9156                         map_ptr = BPF_MAP_PTR(aux->map_state);
9157                         ops = map_ptr->ops;
9158                         if (insn->imm == BPF_FUNC_map_lookup_elem &&
9159                             ops->map_gen_lookup) {
9160                                 cnt = ops->map_gen_lookup(map_ptr, insn_buf);
9161                                 if (cnt == 0 || cnt >= ARRAY_SIZE(insn_buf)) {
9162                                         verbose(env, "bpf verifier is misconfigured\n");
9163                                         return -EINVAL;
9164                                 }
9165 
9166                                 new_prog = bpf_patch_insn_data(env, i + delta,
9167                                                                insn_buf, cnt);
9168                                 if (!new_prog)
9169                                         return -ENOMEM;
9170 
9171                                 delta    += cnt - 1;
9172                                 env->prog = prog = new_prog;
9173                                 insn      = new_prog->insnsi + i + delta;
9174                                 continue;
9175                         }
9176 
9177                         BUILD_BUG_ON(!__same_type(ops->map_lookup_elem,
9178                                      (void *(*)(struct bpf_map *map, void *key))NULL));
9179                         BUILD_BUG_ON(!__same_type(ops->map_delete_elem,
9180                                      (int (*)(struct bpf_map *map, void *key))NULL));
9181                         BUILD_BUG_ON(!__same_type(ops->map_update_elem,
9182                                      (int (*)(struct bpf_map *map, void *key, void *value,
9183                                               u64 flags))NULL));
9184                         BUILD_BUG_ON(!__same_type(ops->map_push_elem,
9185                                      (int (*)(struct bpf_map *map, void *value,
9186                                               u64 flags))NULL));
9187                         BUILD_BUG_ON(!__same_type(ops->map_pop_elem,
9188                                      (int (*)(struct bpf_map *map, void *value))NULL));
9189                         BUILD_BUG_ON(!__same_type(ops->map_peek_elem,
9190                                      (int (*)(struct bpf_map *map, void *value))NULL));
9191 
9192                         switch (insn->imm) {
9193                         case BPF_FUNC_map_lookup_elem:
9194                                 insn->imm = BPF_CAST_CALL(ops->map_lookup_elem) -
9195                                             __bpf_call_base;
9196                                 continue;
9197                         case BPF_FUNC_map_update_elem:
9198                                 insn->imm = BPF_CAST_CALL(ops->map_update_elem) -
9199                                             __bpf_call_base;
9200                                 continue;
9201                         case BPF_FUNC_map_delete_elem:
9202                                 insn->imm = BPF_CAST_CALL(ops->map_delete_elem) -
9203                                             __bpf_call_base;
9204                                 continue;
9205                         case BPF_FUNC_map_push_elem:
9206                                 insn->imm = BPF_CAST_CALL(ops->map_push_elem) -
9207                                             __bpf_call_base;
9208                                 continue;
9209                         case BPF_FUNC_map_pop_elem:
9210                                 insn->imm = BPF_CAST_CALL(ops->map_pop_elem) -
9211                                             __bpf_call_base;
9212                                 continue;
9213                         case BPF_FUNC_map_peek_elem:
9214                                 insn->imm = BPF_CAST_CALL(ops->map_peek_elem) -
9215                                             __bpf_call_base;
9216                                 continue;
9217                         }
9218 
9219                         goto patch_call_imm;
9220                 }
9221 
9222 patch_call_imm:
9223                 fn = env->ops->get_func_proto(insn->imm, env->prog);
9224                 /* all functions that have prototype and verifier allowed
9225                  * programs to call them, must be real in-kernel functions
9226                  */
9227                 if (!fn->func) {
9228                         verbose(env,
9229                                 "kernel subsystem misconfigured func %s#%d\n",
9230                                 func_id_name(insn->imm), insn->imm);
9231                         return -EFAULT;
9232                 }
9233                 insn->imm = fn->func - __bpf_call_base;
9234         }
9235 
9236         return 0;
9237 }
9238 
9239 static void free_states(struct bpf_verifier_env *env)
9240 {
9241         struct bpf_verifier_state_list *sl, *sln;
9242         int i;
9243 
9244         sl = env->free_list;
9245         while (sl) {
9246                 sln = sl->next;
9247                 free_verifier_state(&sl->state, false);
9248                 kfree(sl);
9249                 sl = sln;
9250         }
9251 
9252         if (!env->explored_states)
9253                 return;
9254 
9255         for (i = 0; i < state_htab_size(env); i++) {
9256                 sl = env->explored_states[i];
9257 
9258                 while (sl) {
9259                         sln = sl->next;
9260                         free_verifier_state(&sl->state, false);
9261                         kfree(sl);
9262                         sl = sln;
9263                 }
9264         }
9265 
9266         kvfree(env->explored_states);
9267 }
9268 
9269 static void print_verification_stats(struct bpf_verifier_env *env)
9270 {
9271         int i;
9272 
9273         if (env->log.level & BPF_LOG_STATS) {
9274                 verbose(env, "verification time %lld usec\n",
9275                         div_u64(env->verification_time, 1000));
9276                 verbose(env, "stack depth ");
9277                 for (i = 0; i < env->subprog_cnt; i++) {
9278                         u32 depth = env->subprog_info[i].stack_depth;
9279 
9280                         verbose(env, "%d", depth);
9281                         if (i + 1 < env->subprog_cnt)
9282                                 verbose(env, "+");
9283                 }
9284                 verbose(env, "\n");
9285         }
9286         verbose(env, "processed %d insns (limit %d) max_states_per_insn %d "
9287                 "total_states %d peak_states %d mark_read %d\n",
9288                 env->insn_processed, BPF_COMPLEXITY_LIMIT_INSNS,
9289                 env->max_states_per_insn, env->total_states,
9290                 env->peak_states, env->longest_mark_read_walk);
9291 }
9292 
9293 int bpf_check(struct bpf_prog **prog, union bpf_attr *attr,
9294               union bpf_attr __user *uattr)
9295 {
9296         u64 start_time = ktime_get_ns();
9297         struct bpf_verifier_env *env;
9298         struct bpf_verifier_log *log;
9299         int i, len, ret = -EINVAL;
9300         bool is_priv;
9301 
9302         /* no program is valid */
9303         if (ARRAY_SIZE(bpf_verifier_ops) == 0)
9304                 return -EINVAL;
9305 
9306         /* 'struct bpf_verifier_env' can be global, but since it's not small,
9307          * allocate/free it every time bpf_check() is called
9308          */
9309         env = kzalloc(sizeof(struct bpf_verifier_env), GFP_KERNEL);
9310         if (!env)
9311                 return -ENOMEM;
9312         log = &env->log;
9313 
9314         len = (*prog)->len;
9315         env->insn_aux_data =
9316                 vzalloc(array_size(sizeof(struct bpf_insn_aux_data), len));
9317         ret = -ENOMEM;
9318         if (!env->insn_aux_data)
9319                 goto err_free_env;
9320         for (i = 0; i < len; i++)
9321                 env->insn_aux_data[i].orig_idx = i;
9322         env->prog = *prog;
9323         env->ops = bpf_verifier_ops[env->prog->type];
9324         is_priv = capable(CAP_SYS_ADMIN);
9325 
9326         /* grab the mutex to protect few globals used by verifier */
9327         if (!is_priv)
9328                 mutex_lock(&bpf_verifier_lock);
9329 
9330         if (attr->log_level || attr->log_buf || attr->log_size) {
9331                 /* user requested verbose verifier output
9332                  * and supplied buffer to store the verification trace
9333                  */
9334                 log->level = attr->log_level;
9335                 log->ubuf = (char __user *) (unsigned long) attr->log_buf;
9336                 log->len_total = attr->log_size;
9337 
9338                 ret = -EINVAL;
9339                 /* log attributes have to be sane */
9340                 if (log->len_total < 128 || log->len_total > UINT_MAX >> 2 ||
9341                     !log->level || !log->ubuf || log->level & ~BPF_LOG_MASK)
9342                         goto err_unlock;
9343         }
9344 
9345         env->strict_alignment = !!(attr->prog_flags & BPF_F_STRICT_ALIGNMENT);
9346         if (!IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS))
9347                 env->strict_alignment = true;
9348         if (attr->prog_flags & BPF_F_ANY_ALIGNMENT)
9349                 env->strict_alignment = false;
9350 
9351         env->allow_ptr_leaks = is_priv;
9352 
9353         if (is_priv)
9354                 env->test_state_freq = attr->prog_flags & BPF_F_TEST_STATE_FREQ;
9355 
9356         ret = replace_map_fd_with_map_ptr(env);
9357         if (ret < 0)
9358                 goto skip_full_check;
9359 
9360         if (bpf_prog_is_dev_bound(env->prog->aux)) {
9361                 ret = bpf_prog_offload_verifier_prep(env->prog);
9362                 if (ret)
9363                         goto skip_full_check;
9364         }
9365 
9366         env->explored_states = kvcalloc(state_htab_size(env),
9367                                        sizeof(struct bpf_verifier_state_list *),
9368                                        GFP_USER);
9369         ret = -ENOMEM;
9370         if (!env->explored_states)
9371                 goto skip_full_check;
9372 
9373         ret = check_subprogs(env);
9374         if (ret < 0)
9375                 goto skip_full_check;
9376 
9377         ret = check_btf_info(env, attr, uattr);
9378         if (ret < 0)
9379                 goto skip_full_check;
9380 
9381         ret = check_cfg(env);
9382         if (ret < 0)
9383                 goto skip_full_check;
9384 
9385         ret = do_check(env);
9386         if (env->cur_state) {
9387                 free_verifier_state(env->cur_state, true);
9388                 env->cur_state = NULL;
9389         }
9390 
9391         if (ret == 0 && bpf_prog_is_dev_bound(env->prog->aux))
9392                 ret = bpf_prog_offload_finalize(env);
9393 
9394 skip_full_check:
9395         while (!pop_stack(env, NULL, NULL));
9396         free_states(env);
9397 
9398         if (ret == 0)
9399                 ret = check_max_stack_depth(env);
9400 
9401         /* instruction rewrites happen after this point */
9402         if (is_priv) {
9403                 if (ret == 0)
9404                         opt_hard_wire_dead_code_branches(env);
9405                 if (ret == 0)
9406                         ret = opt_remove_dead_code(env);
9407                 if (ret == 0)
9408                         ret = opt_remove_nops(env);
9409         } else {
9410                 if (ret == 0)
9411                         sanitize_dead_code(env);
9412         }
9413 
9414         if (ret == 0)
9415                 /* program is valid, convert *(u32*)(ctx + off) accesses */
9416                 ret = convert_ctx_accesses(env);
9417 
9418         if (ret == 0)
9419                 ret = fixup_bpf_calls(env);
9420 
9421         /* do 32-bit optimization after insn patching has done so those patched
9422          * insns could be handled correctly.
9423          */
9424         if (ret == 0 && !bpf_prog_is_dev_bound(env->prog->aux)) {
9425                 ret = opt_subreg_zext_lo32_rnd_hi32(env, attr);
9426                 env->prog->aux->verifier_zext = bpf_jit_needs_zext() ? !ret
9427                                                                      : false;
9428         }
9429 
9430         if (ret == 0)
9431                 ret = fixup_call_args(env);
9432 
9433         env->verification_time = ktime_get_ns() - start_time;
9434         print_verification_stats(env);
9435 
9436         if (log->level && bpf_verifier_log_full(log))
9437                 ret = -ENOSPC;
9438         if (log->level && !log->ubuf) {
9439                 ret = -EFAULT;
9440                 goto err_release_maps;
9441         }
9442 
9443         if (ret == 0 && env->used_map_cnt) {
9444                 /* if program passed verifier, update used_maps in bpf_prog_info */
9445                 env->prog->aux->used_maps = kmalloc_array(env->used_map_cnt,
9446                                                           sizeof(env->used_maps[0]),
9447                                                           GFP_KERNEL);
9448 
9449                 if (!env->prog->aux->used_maps) {
9450                         ret = -ENOMEM;
9451                         goto err_release_maps;
9452                 }
9453 
9454                 memcpy(env->prog->aux->used_maps, env->used_maps,
9455                        sizeof(env->used_maps[0]) * env->used_map_cnt);
9456                 env->prog->aux->used_map_cnt = env->used_map_cnt;
9457 
9458                 /* program is valid. Convert pseudo bpf_ld_imm64 into generic
9459                  * bpf_ld_imm64 instructions
9460                  */
9461                 convert_pseudo_ld_imm64(env);
9462         }
9463 
9464         if (ret == 0)
9465                 adjust_btf_func(env);
9466 
9467 err_release_maps:
9468         if (!env->prog->aux->used_maps)
9469                 /* if we didn't copy map pointers into bpf_prog_info, release
9470                  * them now. Otherwise free_used_maps() will release them.
9471                  */
9472                 release_maps(env);
9473         *prog = env->prog;
9474 err_unlock:
9475         if (!is_priv)
9476                 mutex_unlock(&bpf_verifier_lock);
9477         vfree(env->insn_aux_data);
9478 err_free_env:
9479         kfree(env);
9480         return ret;
9481 }