1 /* SPDX-License-Identifier: GPL-2.0-only */
2 /* Copyright (c) 2011-2014 PLUMgrid, http://plumgrid.com
14  * ensures that umax_value + (int)off + (int)size cannot overflow a u64.
17 /* Maximum variable size permitted for ARG_CONST_SIZE[_OR_ZERO].  This ensures
21 /* size of tmp_str_buf in bpf_verifier.
23  * (in the "-8,-16,...,-512" form)
27 /* Liveness marks, used for registers and spilled-regs (in stack slots).
32  * straight-line code that reached this state (from its parent) wrote this reg"
43 	REG_LIVE_READ64 = 0x2, /* likewise, but full 64-bit content matters */
55 	/* This can either be reg->map_ptr or reg->btf. If ptr is NULL,
57 	 * meaning. If non-NULL, it indicates that a lock is held and
58 	 * id member has the reg->id of the register which can be >= 0.
61 	/* This will be reg->id */
68 	BPF_ITER_STATE_INVALID, /* for non-first slot */
88 			 * the map_uid is non-zero for registers
129 		/* Max size from any of the above. */
140 	 * from the pointed-to object, and is shared with all bpf_reg_states
172 	 * from a pointer-cast helper, bpf_sk_fullsock() and
185 	 * 8: snd_cwnd = tp->snd_cwnd;  // verifier will complain
190 	 * the original refcounted ptr id (i.e. sk_reg->id) in ref_obj_id
192 	 * ref_obj_id matching the sk_reg->id.
194 	 * sk_reg->ref_obj_id is set to sk_reg->id at line 1.
195 	 * sk_reg->id will stay as NULL-marking purpose only.
196 	 * After NULL-marking is done, sk_reg->id can be reset to 0.
199 	 * fullsock_reg->ref_obj_id is set to sk_reg->ref_obj_id.
202 	 * tp_reg->ref_obj_id is set to fullsock_reg->ref_obj_id
203 	 * which is the same as sk_reg->ref_obj_id.
207 	 * reg->type.  In particular, bpf_sk_release(tp) is also
214 	 * R1=fp-8 and R2=fp-8, but one of them points to this function stack
216 	 * is used which is an index in bpf_verifier_state->frame[] array
226 	/* if (!precise && SCALAR_VALUE) min/max/tnum don't affect safety */
236 	 * is stored in bpf_stack_state->spilled_ptr.dynptr.type
242 #define BPF_REG_SIZE 8	/* size of eBPF register in bytes */
266 	 * main (frame 0)
267 	 *  cb (frame 1)
268 	 *   func (frame 3)
269 	 *    cb (frame 4)
270 	 * Hence for frame 4, if callback_ref just stored boolean, it would be
290 	/* stack frame number of this function state from pov of
312 	 * Value in frame N refers to number of times callback with frame
315 	 *   bpf_loop(..., fn, ...); | suppose current frame is N
316 	 *                           | fn would be simulated in frame N+1
317 	 *                           | number of simulations is tracked in frame N
326 	 * stack[0] represents bytes [*(r10-8)..*(r10-1)]
327 	 * stack[1] represents bytes [*(r10-16)..*(r10-9)]
329 	 * stack[allocated_stack/8 - 1] represents [*(r10-allocated_stack)..*(r10-allocated_stack+7)]
332 	/* Size of the current stack, in bytes. The stack state is tracked below, in
343 	 * we also store stack's frame number in lower 3 bits (MAX_CALL_FRAMES is 8)
370 	struct bpf_func_state *frame[MAX_CALL_FRAMES];  member
374 	 * 0 - all possible paths from this state reached bpf_exit or
376 	 * 1 - at least one path is being explored.
378 	 * 2 - at least two paths are being explored.
386 	 * 2 -> 1 (first 'if' pushed into stack)
388 	 * 2 -> 1 (second 'if' pushed into stack)
397 	 * 2 -> 1 (first 'if' pushed into stack)
399 	 * 1 -> 1 (second 'if' pushed into stack)
410 	 * states_maybe_looping() function. It's a stronger pre-check and
424 	/* If this state was ever pointed-to by other state's loop_entry field
435 	 * - it is also a member of the same states loop;
436 	 * - DFS states traversal starting from initial state visits loop_entry
445 	 * For most states jmp_history_cnt is [0-3].
454 #define bpf_get_spilled_reg(slot, frame, mask)				\  argument
455 	(((slot < frame->allocated_stack / BPF_REG_SIZE) &&		\
456 	  ((1 << frame->stack[slot].slot_type[0]) & (mask))) \
457 	 ? &frame->stack[slot].spilled_ptr : NULL)
459 /* Iterate over 'frame', setting 'reg' to either NULL or a spilled register. */
460 #define bpf_for_each_spilled_reg(iter, frame, reg, mask)			\  argument
461 	for (iter = 0, reg = bpf_get_spilled_reg(iter, frame, mask);		\
462 	     iter < frame->allocated_stack / BPF_REG_SIZE;		\
463 	     iter++, reg = bpf_get_spilled_reg(iter, frame, mask))
469 		for (___i = 0; ___i <= ___vstate->curframe; ___i++) {    \
471 			__state = ___vstate->frame[___i];                \
472 			___regs = __state->regs;                         \
530 				u32 mem_size;	/* mem_size for non-struct typed var */
539 		/* remember the size of type passed to bpf_obj_new to rewrite R1 */
546 	int ctx_field_size; /* the ctx field size for load insn, maybe 0 */
547 	u32 seen; /* this insn was processed by the verifier at env->pass_cnt */
569 #define MAX_USED_MAPS 64 /* max number of maps accessed by one eBPF program */
570 #define MAX_USED_BTFS 64 /* max number of BTFs accessed by one BPF program */
578 	 * except during log reset situations, in which (end_pos - start_pos)
580 	 * Generally, (end_pos - start_pos) gives number of useful data in
604 	return log && log->level;  in bpf_verifier_log_needed()
619 	u32 linfo_idx; /* The idx to the main_prog->aux->linfo */
620 	u16 stack_depth; /* max. stack depth used by this function */
637 	u32 frame;  member
692 	struct bpf_insn_aux_data *insn_aux_data; /* array of per-insn state */
695 …struct bpf_subprog_info subprog_info[BPF_MAX_SUBPROGS + 2]; /* max + 2 for the fake and exception …
743 	return &env->prog->aux->func_info_aux[subprog];  in subprog_aux()
748 	return &env->subprog_info[subprog];  in subprog_info()
768 	struct bpf_verifier_state *cur = env->cur_state;  in cur_func()
770 	return cur->frame[cur->curframe];  in cur_func()
775 	return cur_func(env)->regs;  in cur_regs()
793 		return ((u64)tgt_prog->aux->id << 32) | btf_id;  in bpf_trampoline_compute_key()
816 #define BPF_BASE_TYPE_MASK	GENMASK(BPF_BASE_TYPE_BITS - 1, 0)
833 	return prog->type == BPF_PROG_TYPE_EXT ?  in resolve_prog_type()
834 		prog->aux->dst_prog->type : prog->type;  in resolve_prog_type()
841 		return prog->expected_attach_type != BPF_TRACE_ITER;  in bpf_prog_check_recur()
884 	env->scratched_regs |= 1U << regno;  in mark_reg_scratched()
889 	env->scratched_stack_slots |= 1ULL << spi;  in mark_stack_slot_scratched()
894 	return (env->scratched_regs >> regno) & 1;  in reg_scratched()
899 	return (env->scratched_stack_slots >> regno) & 1;  in stack_slot_scratched()
904 	return env->scratched_regs || env->scratched_stack_slots;  in verifier_state_scratched()
909 	env->scratched_regs = 0U;  in mark_verifier_state_clean()
910 	env->scratched_stack_slots = 0ULL;  in mark_verifier_state_clean()
916 	env->scratched_regs = ~0U;  in mark_verifier_state_scratched()
917 	env->scratched_stack_slots = ~0ULL;  in mark_verifier_state_scratched()