diff options
| author | Edward Cree <ecree@solarflare.com> | 2018-08-22 15:02:19 -0400 |
|---|---|---|
| committer | Alexei Starovoitov <ast@kernel.org> | 2018-08-29 21:52:12 -0400 |
| commit | 679c782de14bd48c19dd74cd1af20a2bc05dd936 (patch) | |
| tree | 6e5dc6750d497c1b081e3d347af3ca6e3c045cda /kernel/bpf | |
| parent | 29b5e0f34359f0e1c95aa644bdd92e459c1231ee (diff) | |
bpf/verifier: per-register parent pointers
By giving each register its own liveness chain, we elide the skip_callee()
logic. Instead, each register's parent is the state it inherits from;
both check_func_call() and prepare_func_exit() automatically connect
reg states to the correct chain since when they copy the reg state across
(r1-r5 into the callee as args, and r0 out as the return value) they also
copy the parent pointer.
Signed-off-by: Edward Cree <ecree@solarflare.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Diffstat (limited to 'kernel/bpf')
| -rw-r--r-- | kernel/bpf/verifier.c | 184 |
1 files changed, 44 insertions, 140 deletions
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 92246117d2b0..68568d22d6bd 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c | |||
| @@ -380,9 +380,9 @@ static int copy_stack_state(struct bpf_func_state *dst, | |||
| 380 | /* do_check() starts with zero-sized stack in struct bpf_verifier_state to | 380 | /* do_check() starts with zero-sized stack in struct bpf_verifier_state to |
| 381 | * make it consume minimal amount of memory. check_stack_write() access from | 381 | * make it consume minimal amount of memory. check_stack_write() access from |
| 382 | * the program calls into realloc_func_state() to grow the stack size. | 382 | * the program calls into realloc_func_state() to grow the stack size. |
| 383 | * Note there is a non-zero 'parent' pointer inside bpf_verifier_state | 383 | * Note there is a non-zero parent pointer inside each reg of bpf_verifier_state |
| 384 | * which this function copies over. It points to previous bpf_verifier_state | 384 | * which this function copies over. It points to corresponding reg in previous |
| 385 | * which is never reallocated | 385 | * bpf_verifier_state which is never reallocated |
| 386 | */ | 386 | */ |
| 387 | static int realloc_func_state(struct bpf_func_state *state, int size, | 387 | static int realloc_func_state(struct bpf_func_state *state, int size, |
| 388 | bool copy_old) | 388 | bool copy_old) |
| @@ -466,7 +466,6 @@ static int copy_verifier_state(struct bpf_verifier_state *dst_state, | |||
| 466 | dst_state->frame[i] = NULL; | 466 | dst_state->frame[i] = NULL; |
| 467 | } | 467 | } |
| 468 | dst_state->curframe = src->curframe; | 468 | dst_state->curframe = src->curframe; |
| 469 | dst_state->parent = src->parent; | ||
| 470 | for (i = 0; i <= src->curframe; i++) { | 469 | for (i = 0; i <= src->curframe; i++) { |
| 471 | dst = dst_state->frame[i]; | 470 | dst = dst_state->frame[i]; |
| 472 | if (!dst) { | 471 | if (!dst) { |
| @@ -732,6 +731,7 @@ static void init_reg_state(struct bpf_verifier_env *env, | |||
| 732 | for (i = 0; i < MAX_BPF_REG; i++) { | 731 | for (i = 0; i < MAX_BPF_REG; i++) { |
| 733 | mark_reg_not_init(env, regs, i); | 732 | mark_reg_not_init(env, regs, i); |
| 734 | regs[i].live = REG_LIVE_NONE; | 733 | regs[i].live = REG_LIVE_NONE; |
| 734 | regs[i].parent = NULL; | ||
| 735 | } | 735 | } |
| 736 | 736 | ||
| 737 | /* frame pointer */ | 737 | /* frame pointer */ |
| @@ -876,74 +876,21 @@ next: | |||
| 876 | return 0; | 876 | return 0; |
| 877 | } | 877 | } |
| 878 | 878 | ||
| 879 | static | 879 | /* Parentage chain of this register (or stack slot) should take care of all |
| 880 | struct bpf_verifier_state *skip_callee(struct bpf_verifier_env *env, | 880 | * issues like callee-saved registers, stack slot allocation time, etc. |
| 881 | const struct bpf_verifier_state *state, | 881 | */ |
| 882 | struct bpf_verifier_state *parent, | ||
| 883 | u32 regno) | ||
| 884 | { | ||
| 885 | struct bpf_verifier_state *tmp = NULL; | ||
| 886 | |||
| 887 | /* 'parent' could be a state of caller and | ||
| 888 | * 'state' could be a state of callee. In such case | ||
| 889 | * parent->curframe < state->curframe | ||
| 890 | * and it's ok for r1 - r5 registers | ||
| 891 | * | ||
| 892 | * 'parent' could be a callee's state after it bpf_exit-ed. | ||
| 893 | * In such case parent->curframe > state->curframe | ||
| 894 | * and it's ok for r0 only | ||
| 895 | */ | ||
| 896 | if (parent->curframe == state->curframe || | ||
| 897 | (parent->curframe < state->curframe && | ||
| 898 | regno >= BPF_REG_1 && regno <= BPF_REG_5) || | ||
| 899 | (parent->curframe > state->curframe && | ||
| 900 | regno == BPF_REG_0)) | ||
| 901 | return parent; | ||
| 902 | |||
| 903 | if (parent->curframe > state->curframe && | ||
| 904 | regno >= BPF_REG_6) { | ||
| 905 | /* for callee saved regs we have to skip the whole chain | ||
| 906 | * of states that belong to callee and mark as LIVE_READ | ||
| 907 | * the registers before the call | ||
| 908 | */ | ||
| 909 | tmp = parent; | ||
| 910 | while (tmp && tmp->curframe != state->curframe) { | ||
| 911 | tmp = tmp->parent; | ||
| 912 | } | ||
| 913 | if (!tmp) | ||
| 914 | goto bug; | ||
| 915 | parent = tmp; | ||
| 916 | } else { | ||
| 917 | goto bug; | ||
| 918 | } | ||
| 919 | return parent; | ||
| 920 | bug: | ||
| 921 | verbose(env, "verifier bug regno %d tmp %p\n", regno, tmp); | ||
| 922 | verbose(env, "regno %d parent frame %d current frame %d\n", | ||
| 923 | regno, parent->curframe, state->curframe); | ||
| 924 | return NULL; | ||
| 925 | } | ||
| 926 | |||
| 927 | static int mark_reg_read(struct bpf_verifier_env *env, | 882 | static int mark_reg_read(struct bpf_verifier_env *env, |
| 928 | const struct bpf_verifier_state *state, | 883 | const struct bpf_reg_state *state, |
| 929 | struct bpf_verifier_state *parent, | 884 | struct bpf_reg_state *parent) |
| 930 | u32 regno) | ||
| 931 | { | 885 | { |
| 932 | bool writes = parent == state->parent; /* Observe write marks */ | 886 | bool writes = parent == state->parent; /* Observe write marks */ |
| 933 | 887 | ||
| 934 | if (regno == BPF_REG_FP) | ||
| 935 | /* We don't need to worry about FP liveness because it's read-only */ | ||
| 936 | return 0; | ||
| 937 | |||
| 938 | while (parent) { | 888 | while (parent) { |
| 939 | /* if read wasn't screened by an earlier write ... */ | 889 | /* if read wasn't screened by an earlier write ... */ |
| 940 | if (writes && state->frame[state->curframe]->regs[regno].live & REG_LIVE_WRITTEN) | 890 | if (writes && state->live & REG_LIVE_WRITTEN) |
| 941 | break; | 891 | break; |
| 942 | parent = skip_callee(env, state, parent, regno); | ||
| 943 | if (!parent) | ||
| 944 | return -EFAULT; | ||
| 945 | /* ... then we depend on parent's value */ | 892 | /* ... then we depend on parent's value */ |
| 946 | parent->frame[parent->curframe]->regs[regno].live |= REG_LIVE_READ; | 893 | parent->live |= REG_LIVE_READ; |
| 947 | state = parent; | 894 | state = parent; |
| 948 | parent = state->parent; | 895 | parent = state->parent; |
| 949 | writes = true; | 896 | writes = true; |
| @@ -969,7 +916,10 @@ static int check_reg_arg(struct bpf_verifier_env *env, u32 regno, | |||
| 969 | verbose(env, "R%d !read_ok\n", regno); | 916 | verbose(env, "R%d !read_ok\n", regno); |
| 970 | return -EACCES; | 917 | return -EACCES; |
| 971 | } | 918 | } |
| 972 | return mark_reg_read(env, vstate, vstate->parent, regno); | 919 | /* We don't need to worry about FP liveness because it's read-only */ |
| 920 | if (regno != BPF_REG_FP) | ||
| 921 | return mark_reg_read(env, ®s[regno], | ||
| 922 | regs[regno].parent); | ||
| 973 | } else { | 923 | } else { |
| 974 | /* check whether register used as dest operand can be written to */ | 924 | /* check whether register used as dest operand can be written to */ |
| 975 | if (regno == BPF_REG_FP) { | 925 | if (regno == BPF_REG_FP) { |
| @@ -1080,8 +1030,8 @@ static int check_stack_write(struct bpf_verifier_env *env, | |||
| 1080 | } else { | 1030 | } else { |
| 1081 | u8 type = STACK_MISC; | 1031 | u8 type = STACK_MISC; |
| 1082 | 1032 | ||
| 1083 | /* regular write of data into stack */ | 1033 | /* regular write of data into stack destroys any spilled ptr */ |
| 1084 | state->stack[spi].spilled_ptr = (struct bpf_reg_state) {}; | 1034 | state->stack[spi].spilled_ptr.type = NOT_INIT; |
| 1085 | 1035 | ||
| 1086 | /* only mark the slot as written if all 8 bytes were written | 1036 | /* only mark the slot as written if all 8 bytes were written |
| 1087 | * otherwise read propagation may incorrectly stop too soon | 1037 | * otherwise read propagation may incorrectly stop too soon |
| @@ -1106,61 +1056,6 @@ static int check_stack_write(struct bpf_verifier_env *env, | |||
| 1106 | return 0; | 1056 | return 0; |
| 1107 | } | 1057 | } |
| 1108 | 1058 | ||
| 1109 | /* registers of every function are unique and mark_reg_read() propagates | ||
| 1110 | * the liveness in the following cases: | ||
| 1111 | * - from callee into caller for R1 - R5 that were used as arguments | ||
| 1112 | * - from caller into callee for R0 that used as result of the call | ||
| 1113 | * - from caller to the same caller skipping states of the callee for R6 - R9, | ||
| 1114 | * since R6 - R9 are callee saved by implicit function prologue and | ||
| 1115 | * caller's R6 != callee's R6, so when we propagate liveness up to | ||
| 1116 | * parent states we need to skip callee states for R6 - R9. | ||
| 1117 | * | ||
| 1118 | * stack slot marking is different, since stacks of caller and callee are | ||
| 1119 | * accessible in both (since caller can pass a pointer to caller's stack to | ||
| 1120 | * callee which can pass it to another function), hence mark_stack_slot_read() | ||
| 1121 | * has to propagate the stack liveness to all parent states at given frame number. | ||
| 1122 | * Consider code: | ||
| 1123 | * f1() { | ||
| 1124 | * ptr = fp - 8; | ||
| 1125 | * *ptr = ctx; | ||
| 1126 | * call f2 { | ||
| 1127 | * .. = *ptr; | ||
| 1128 | * } | ||
| 1129 | * .. = *ptr; | ||
| 1130 | * } | ||
| 1131 | * First *ptr is reading from f1's stack and mark_stack_slot_read() has | ||
| 1132 | * to mark liveness at the f1's frame and not f2's frame. | ||
| 1133 | * Second *ptr is also reading from f1's stack and mark_stack_slot_read() has | ||
| 1134 | * to propagate liveness to f2 states at f1's frame level and further into | ||
| 1135 | * f1 states at f1's frame level until write into that stack slot | ||
| 1136 | */ | ||
| 1137 | static void mark_stack_slot_read(struct bpf_verifier_env *env, | ||
| 1138 | const struct bpf_verifier_state *state, | ||
| 1139 | struct bpf_verifier_state *parent, | ||
| 1140 | int slot, int frameno) | ||
| 1141 | { | ||
| 1142 | bool writes = parent == state->parent; /* Observe write marks */ | ||
| 1143 | |||
| 1144 | while (parent) { | ||
| 1145 | if (parent->frame[frameno]->allocated_stack <= slot * BPF_REG_SIZE) | ||
| 1146 | /* since LIVE_WRITTEN mark is only done for full 8-byte | ||
| 1147 | * write the read marks are conservative and parent | ||
| 1148 | * state may not even have the stack allocated. In such case | ||
| 1149 | * end the propagation, since the loop reached beginning | ||
| 1150 | * of the function | ||
| 1151 | */ | ||
| 1152 | break; | ||
| 1153 | /* if read wasn't screened by an earlier write ... */ | ||
| 1154 | if (writes && state->frame[frameno]->stack[slot].spilled_ptr.live & REG_LIVE_WRITTEN) | ||
| 1155 | break; | ||
| 1156 | /* ... then we depend on parent's value */ | ||
| 1157 | parent->frame[frameno]->stack[slot].spilled_ptr.live |= REG_LIVE_READ; | ||
| 1158 | state = parent; | ||
| 1159 | parent = state->parent; | ||
| 1160 | writes = true; | ||
| 1161 | } | ||
| 1162 | } | ||
| 1163 | |||
| 1164 | static int check_stack_read(struct bpf_verifier_env *env, | 1059 | static int check_stack_read(struct bpf_verifier_env *env, |
| 1165 | struct bpf_func_state *reg_state /* func where register points to */, | 1060 | struct bpf_func_state *reg_state /* func where register points to */, |
| 1166 | int off, int size, int value_regno) | 1061 | int off, int size, int value_regno) |
| @@ -1198,8 +1093,8 @@ static int check_stack_read(struct bpf_verifier_env *env, | |||
| 1198 | */ | 1093 | */ |
| 1199 | state->regs[value_regno].live |= REG_LIVE_WRITTEN; | 1094 | state->regs[value_regno].live |= REG_LIVE_WRITTEN; |
| 1200 | } | 1095 | } |
| 1201 | mark_stack_slot_read(env, vstate, vstate->parent, spi, | 1096 | mark_reg_read(env, ®_state->stack[spi].spilled_ptr, |
| 1202 | reg_state->frameno); | 1097 | reg_state->stack[spi].spilled_ptr.parent); |
| 1203 | return 0; | 1098 | return 0; |
| 1204 | } else { | 1099 | } else { |
| 1205 | int zeros = 0; | 1100 | int zeros = 0; |
| @@ -1215,8 +1110,8 @@ static int check_stack_read(struct bpf_verifier_env *env, | |||
| 1215 | off, i, size); | 1110 | off, i, size); |
| 1216 | return -EACCES; | 1111 | return -EACCES; |
| 1217 | } | 1112 | } |
| 1218 | mark_stack_slot_read(env, vstate, vstate->parent, spi, | 1113 | mark_reg_read(env, ®_state->stack[spi].spilled_ptr, |
| 1219 | reg_state->frameno); | 1114 | reg_state->stack[spi].spilled_ptr.parent); |
| 1220 | if (value_regno >= 0) { | 1115 | if (value_regno >= 0) { |
| 1221 | if (zeros == size) { | 1116 | if (zeros == size) { |
| 1222 | /* any size read into register is zero extended, | 1117 | /* any size read into register is zero extended, |
| @@ -1908,8 +1803,8 @@ mark: | |||
| 1908 | /* reading any byte out of 8-byte 'spill_slot' will cause | 1803 | /* reading any byte out of 8-byte 'spill_slot' will cause |
| 1909 | * the whole slot to be marked as 'read' | 1804 | * the whole slot to be marked as 'read' |
| 1910 | */ | 1805 | */ |
| 1911 | mark_stack_slot_read(env, env->cur_state, env->cur_state->parent, | 1806 | mark_reg_read(env, &state->stack[spi].spilled_ptr, |
| 1912 | spi, state->frameno); | 1807 | state->stack[spi].spilled_ptr.parent); |
| 1913 | } | 1808 | } |
| 1914 | return update_stack_depth(env, state, off); | 1809 | return update_stack_depth(env, state, off); |
| 1915 | } | 1810 | } |
| @@ -2366,11 +2261,13 @@ static int check_func_call(struct bpf_verifier_env *env, struct bpf_insn *insn, | |||
| 2366 | state->curframe + 1 /* frameno within this callchain */, | 2261 | state->curframe + 1 /* frameno within this callchain */, |
| 2367 | subprog /* subprog number within this prog */); | 2262 | subprog /* subprog number within this prog */); |
| 2368 | 2263 | ||
| 2369 | /* copy r1 - r5 args that callee can access */ | 2264 | /* copy r1 - r5 args that callee can access. The copy includes parent |
| 2265 | * pointers, which connects us up to the liveness chain | ||
| 2266 | */ | ||
| 2370 | for (i = BPF_REG_1; i <= BPF_REG_5; i++) | 2267 | for (i = BPF_REG_1; i <= BPF_REG_5; i++) |
| 2371 | callee->regs[i] = caller->regs[i]; | 2268 | callee->regs[i] = caller->regs[i]; |
| 2372 | 2269 | ||
| 2373 | /* after the call regsiters r0 - r5 were scratched */ | 2270 | /* after the call registers r0 - r5 were scratched */ |
| 2374 | for (i = 0; i < CALLER_SAVED_REGS; i++) { | 2271 | for (i = 0; i < CALLER_SAVED_REGS; i++) { |
| 2375 | mark_reg_not_init(env, caller->regs, caller_saved[i]); | 2272 | mark_reg_not_init(env, caller->regs, caller_saved[i]); |
| 2376 | check_reg_arg(env, caller_saved[i], DST_OP_NO_MARK); | 2273 | check_reg_arg(env, caller_saved[i], DST_OP_NO_MARK); |
| @@ -4370,7 +4267,7 @@ static bool regsafe(struct bpf_reg_state *rold, struct bpf_reg_state *rcur, | |||
| 4370 | /* explored state didn't use this */ | 4267 | /* explored state didn't use this */ |
| 4371 | return true; | 4268 | return true; |
| 4372 | 4269 | ||
| 4373 | equal = memcmp(rold, rcur, offsetof(struct bpf_reg_state, frameno)) == 0; | 4270 | equal = memcmp(rold, rcur, offsetof(struct bpf_reg_state, parent)) == 0; |
| 4374 | 4271 | ||
| 4375 | if (rold->type == PTR_TO_STACK) | 4272 | if (rold->type == PTR_TO_STACK) |
| 4376 | /* two stack pointers are equal only if they're pointing to | 4273 | /* two stack pointers are equal only if they're pointing to |
| @@ -4603,7 +4500,7 @@ static bool states_equal(struct bpf_verifier_env *env, | |||
| 4603 | * equivalent state (jump target or such) we didn't arrive by the straight-line | 4500 | * equivalent state (jump target or such) we didn't arrive by the straight-line |
| 4604 | * code, so read marks in the state must propagate to the parent regardless | 4501 | * code, so read marks in the state must propagate to the parent regardless |
| 4605 | * of the state's write marks. That's what 'parent == state->parent' comparison | 4502 | * of the state's write marks. That's what 'parent == state->parent' comparison |
| 4606 | * in mark_reg_read() and mark_stack_slot_read() is for. | 4503 | * in mark_reg_read() is for. |
| 4607 | */ | 4504 | */ |
| 4608 | static int propagate_liveness(struct bpf_verifier_env *env, | 4505 | static int propagate_liveness(struct bpf_verifier_env *env, |
| 4609 | const struct bpf_verifier_state *vstate, | 4506 | const struct bpf_verifier_state *vstate, |
| @@ -4624,7 +4521,8 @@ static int propagate_liveness(struct bpf_verifier_env *env, | |||
| 4624 | if (vparent->frame[vparent->curframe]->regs[i].live & REG_LIVE_READ) | 4521 | if (vparent->frame[vparent->curframe]->regs[i].live & REG_LIVE_READ) |
| 4625 | continue; | 4522 | continue; |
| 4626 | if (vstate->frame[vstate->curframe]->regs[i].live & REG_LIVE_READ) { | 4523 | if (vstate->frame[vstate->curframe]->regs[i].live & REG_LIVE_READ) { |
| 4627 | err = mark_reg_read(env, vstate, vparent, i); | 4524 | err = mark_reg_read(env, &vstate->frame[vstate->curframe]->regs[i], |
| 4525 | &vparent->frame[vstate->curframe]->regs[i]); | ||
| 4628 | if (err) | 4526 | if (err) |
| 4629 | return err; | 4527 | return err; |
| 4630 | } | 4528 | } |
| @@ -4639,7 +4537,8 @@ static int propagate_liveness(struct bpf_verifier_env *env, | |||
| 4639 | if (parent->stack[i].spilled_ptr.live & REG_LIVE_READ) | 4537 | if (parent->stack[i].spilled_ptr.live & REG_LIVE_READ) |
| 4640 | continue; | 4538 | continue; |
| 4641 | if (state->stack[i].spilled_ptr.live & REG_LIVE_READ) | 4539 | if (state->stack[i].spilled_ptr.live & REG_LIVE_READ) |
| 4642 | mark_stack_slot_read(env, vstate, vparent, i, frame); | 4540 | mark_reg_read(env, &state->stack[i].spilled_ptr, |
| 4541 | &parent->stack[i].spilled_ptr); | ||
| 4643 | } | 4542 | } |
| 4644 | } | 4543 | } |
| 4645 | return err; | 4544 | return err; |
| @@ -4649,7 +4548,7 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx) | |||
| 4649 | { | 4548 | { |
| 4650 | struct bpf_verifier_state_list *new_sl; | 4549 | struct bpf_verifier_state_list *new_sl; |
| 4651 | struct bpf_verifier_state_list *sl; | 4550 | struct bpf_verifier_state_list *sl; |
| 4652 | struct bpf_verifier_state *cur = env->cur_state; | 4551 | struct bpf_verifier_state *cur = env->cur_state, *new; |
| 4653 | int i, j, err; | 4552 | int i, j, err; |
| 4654 | 4553 | ||
| 4655 | sl = env->explored_states[insn_idx]; | 4554 | sl = env->explored_states[insn_idx]; |
| @@ -4691,16 +4590,18 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx) | |||
| 4691 | return -ENOMEM; | 4590 | return -ENOMEM; |
| 4692 | 4591 | ||
| 4693 | /* add new state to the head of linked list */ | 4592 | /* add new state to the head of linked list */ |
| 4694 | err = copy_verifier_state(&new_sl->state, cur); | 4593 | new = &new_sl->state; |
| 4594 | err = copy_verifier_state(new, cur); | ||
| 4695 | if (err) { | 4595 | if (err) { |
| 4696 | free_verifier_state(&new_sl->state, false); | 4596 | free_verifier_state(new, false); |
| 4697 | kfree(new_sl); | 4597 | kfree(new_sl); |
| 4698 | return err; | 4598 | return err; |
| 4699 | } | 4599 | } |
| 4700 | new_sl->next = env->explored_states[insn_idx]; | 4600 | new_sl->next = env->explored_states[insn_idx]; |
| 4701 | env->explored_states[insn_idx] = new_sl; | 4601 | env->explored_states[insn_idx] = new_sl; |
| 4702 | /* connect new state to parentage chain */ | 4602 | /* connect new state to parentage chain */ |
| 4703 | cur->parent = &new_sl->state; | 4603 | for (i = 0; i < BPF_REG_FP; i++) |
| 4604 | cur_regs(env)[i].parent = &new->frame[new->curframe]->regs[i]; | ||
| 4704 | /* clear write marks in current state: the writes we did are not writes | 4605 | /* clear write marks in current state: the writes we did are not writes |
| 4705 | * our child did, so they don't screen off its reads from us. | 4606 | * our child did, so they don't screen off its reads from us. |
| 4706 | * (There are no read marks in current state, because reads always mark | 4607 | * (There are no read marks in current state, because reads always mark |
| @@ -4713,9 +4614,13 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx) | |||
| 4713 | /* all stack frames are accessible from callee, clear them all */ | 4614 | /* all stack frames are accessible from callee, clear them all */ |
| 4714 | for (j = 0; j <= cur->curframe; j++) { | 4615 | for (j = 0; j <= cur->curframe; j++) { |
| 4715 | struct bpf_func_state *frame = cur->frame[j]; | 4616 | struct bpf_func_state *frame = cur->frame[j]; |
| 4617 | struct bpf_func_state *newframe = new->frame[j]; | ||
| 4716 | 4618 | ||
| 4717 | for (i = 0; i < frame->allocated_stack / BPF_REG_SIZE; i++) | 4619 | for (i = 0; i < frame->allocated_stack / BPF_REG_SIZE; i++) { |
| 4718 | frame->stack[i].spilled_ptr.live = REG_LIVE_NONE; | 4620 | frame->stack[i].spilled_ptr.live = REG_LIVE_NONE; |
| 4621 | frame->stack[i].spilled_ptr.parent = | ||
| 4622 | &newframe->stack[i].spilled_ptr; | ||
| 4623 | } | ||
| 4719 | } | 4624 | } |
| 4720 | return 0; | 4625 | return 0; |
| 4721 | } | 4626 | } |
| @@ -4734,7 +4639,6 @@ static int do_check(struct bpf_verifier_env *env) | |||
| 4734 | if (!state) | 4639 | if (!state) |
| 4735 | return -ENOMEM; | 4640 | return -ENOMEM; |
| 4736 | state->curframe = 0; | 4641 | state->curframe = 0; |
| 4737 | state->parent = NULL; | ||
| 4738 | state->frame[0] = kzalloc(sizeof(struct bpf_func_state), GFP_KERNEL); | 4642 | state->frame[0] = kzalloc(sizeof(struct bpf_func_state), GFP_KERNEL); |
| 4739 | if (!state->frame[0]) { | 4643 | if (!state->frame[0]) { |
| 4740 | kfree(state); | 4644 | kfree(state); |