aboutsummaryrefslogtreecommitdiffstats
path: root/kernel/bpf
diff options
context:
space:
mode:
authorAlexei Starovoitov <ast@kernel.org>2019-06-15 15:12:25 -0400
committerDaniel Borkmann <daniel@iogearbox.net>2019-06-18 20:22:52 -0400
commitb5dc0163d8fd78e64a7e21f309cf932fda34353e (patch)
tree2901e802c5161bb29dc5882fa14043f46de96cd0 /kernel/bpf
parentb061017f8b4d0e05d4c11486581a702fb2a975b2 (diff)
bpf: precise scalar_value tracking
Introduce precision tracking logic that helps cilium programs the most: old clang old clang new clang new clang with all patches with all patches bpf_lb-DLB_L3.o 1838 2283 1923 1863 bpf_lb-DLB_L4.o 3218 2657 3077 2468 bpf_lb-DUNKNOWN.o 1064 545 1062 544 bpf_lxc-DDROP_ALL.o 26935 23045 166729 22629 bpf_lxc-DUNKNOWN.o 34439 35240 174607 28805 bpf_netdev.o 9721 8753 8407 6801 bpf_overlay.o 6184 7901 5420 4754 bpf_lxc_jit.o 39389 50925 39389 50925 Consider code: 654: (85) call bpf_get_hash_recalc#34 655: (bf) r7 = r0 656: (15) if r8 == 0x0 goto pc+29 657: (bf) r2 = r10 658: (07) r2 += -48 659: (18) r1 = 0xffff8881e41e1b00 661: (85) call bpf_map_lookup_elem#1 662: (15) if r0 == 0x0 goto pc+23 663: (69) r1 = *(u16 *)(r0 +0) 664: (15) if r1 == 0x0 goto pc+21 665: (bf) r8 = r7 666: (57) r8 &= 65535 667: (bf) r2 = r8 668: (3f) r2 /= r1 669: (2f) r2 *= r1 670: (bf) r1 = r8 671: (1f) r1 -= r2 672: (57) r1 &= 255 673: (25) if r1 > 0x1e goto pc+12 R0=map_value(id=0,off=0,ks=20,vs=64,imm=0) R1_w=inv(id=0,umax_value=30,var_off=(0x0; 0x1f)) 674: (67) r1 <<= 1 675: (0f) r0 += r1 At this point the verifier will notice that scalar R1 is used in map pointer adjustment. R1 has to be precise for later operations on R0 to be validated properly. The verifier will backtrack the above code in the following way: last_idx 675 first_idx 664 regs=2 stack=0 before 675: (0f) r0 += r1 // started backtracking R1 regs=2 is a bitmask regs=2 stack=0 before 674: (67) r1 <<= 1 regs=2 stack=0 before 673: (25) if r1 > 0x1e goto pc+12 regs=2 stack=0 before 672: (57) r1 &= 255 regs=2 stack=0 before 671: (1f) r1 -= r2 // now both R1 and R2 has to be precise -> regs=6 mask regs=6 stack=0 before 670: (bf) r1 = r8 // after this insn R8 and R2 has to be precise regs=104 stack=0 before 669: (2f) r2 *= r1 // after this one R8, R2, and R1 regs=106 stack=0 before 668: (3f) r2 /= r1 regs=106 stack=0 before 667: (bf) r2 = r8 regs=102 stack=0 before 666: (57) r8 &= 65535 regs=102 stack=0 before 665: (bf) r8 = r7 regs=82 stack=0 before 664: (15) if r1 == 0x0 goto pc+21 // this is the end of verifier state. The following regs will be marked precised: R1_rw=invP(id=0,umax_value=65535,var_off=(0x0; 0xffff)) R7_rw=invP(id=0) parent didn't have regs=82 stack=0 marks // so backtracking continues into parent state last_idx 663 first_idx 655 regs=82 stack=0 before 663: (69) r1 = *(u16 *)(r0 +0) // R1 was assigned no need to track it further regs=80 stack=0 before 662: (15) if r0 == 0x0 goto pc+23 // keep tracking R7 regs=80 stack=0 before 661: (85) call bpf_map_lookup_elem#1 // keep tracking R7 regs=80 stack=0 before 659: (18) r1 = 0xffff8881e41e1b00 regs=80 stack=0 before 658: (07) r2 += -48 regs=80 stack=0 before 657: (bf) r2 = r10 regs=80 stack=0 before 656: (15) if r8 == 0x0 goto pc+29 regs=80 stack=0 before 655: (bf) r7 = r0 // here the assignment into R7 // mark R0 to be precise: R0_rw=invP(id=0) parent didn't have regs=1 stack=0 marks // regs=1 -> tracking R0 last_idx 654 first_idx 644 regs=1 stack=0 before 654: (85) call bpf_get_hash_recalc#34 // and in the parent frame it was a return value // nothing further to backtrack Two scalar registers not marked precise are equivalent from state pruning point of view. More details in the patch comments. It doesn't support bpf2bpf calls yet and enabled for root only. Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Andrii Nakryiko <andriin@fb.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Diffstat (limited to 'kernel/bpf')
-rw-r--r--kernel/bpf/verifier.c491
1 files changed, 480 insertions, 11 deletions
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 870c8f19ce80..709ce4cef8ba 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -455,12 +455,12 @@ static void print_verifier_state(struct bpf_verifier_env *env,
455 verbose(env, " R%d", i); 455 verbose(env, " R%d", i);
456 print_liveness(env, reg->live); 456 print_liveness(env, reg->live);
457 verbose(env, "=%s", reg_type_str[t]); 457 verbose(env, "=%s", reg_type_str[t]);
458 if (t == SCALAR_VALUE && reg->precise)
459 verbose(env, "P");
458 if ((t == SCALAR_VALUE || t == PTR_TO_STACK) && 460 if ((t == SCALAR_VALUE || t == PTR_TO_STACK) &&
459 tnum_is_const(reg->var_off)) { 461 tnum_is_const(reg->var_off)) {
460 /* reg->off should be 0 for SCALAR_VALUE */ 462 /* reg->off should be 0 for SCALAR_VALUE */
461 verbose(env, "%lld", reg->var_off.value + reg->off); 463 verbose(env, "%lld", reg->var_off.value + reg->off);
462 if (t == PTR_TO_STACK)
463 verbose(env, ",call_%d", func(env, reg)->callsite);
464 } else { 464 } else {
465 verbose(env, "(id=%d", reg->id); 465 verbose(env, "(id=%d", reg->id);
466 if (reg_type_may_be_refcounted_or_null(t)) 466 if (reg_type_may_be_refcounted_or_null(t))
@@ -522,11 +522,17 @@ static void print_verifier_state(struct bpf_verifier_env *env,
522 continue; 522 continue;
523 verbose(env, " fp%d", (-i - 1) * BPF_REG_SIZE); 523 verbose(env, " fp%d", (-i - 1) * BPF_REG_SIZE);
524 print_liveness(env, state->stack[i].spilled_ptr.live); 524 print_liveness(env, state->stack[i].spilled_ptr.live);
525 if (state->stack[i].slot_type[0] == STACK_SPILL) 525 if (state->stack[i].slot_type[0] == STACK_SPILL) {
526 verbose(env, "=%s", 526 reg = &state->stack[i].spilled_ptr;
527 reg_type_str[state->stack[i].spilled_ptr.type]); 527 t = reg->type;
528 else 528 verbose(env, "=%s", reg_type_str[t]);
529 if (t == SCALAR_VALUE && reg->precise)
530 verbose(env, "P");
531 if (t == SCALAR_VALUE && tnum_is_const(reg->var_off))
532 verbose(env, "%lld", reg->var_off.value + reg->off);
533 } else {
529 verbose(env, "=%s", types_buf); 534 verbose(env, "=%s", types_buf);
535 }
530 } 536 }
531 if (state->acquired_refs && state->refs[0].id) { 537 if (state->acquired_refs && state->refs[0].id) {
532 verbose(env, " refs=%d", state->refs[0].id); 538 verbose(env, " refs=%d", state->refs[0].id);
@@ -675,6 +681,13 @@ static void free_func_state(struct bpf_func_state *state)
675 kfree(state); 681 kfree(state);
676} 682}
677 683
684static void clear_jmp_history(struct bpf_verifier_state *state)
685{
686 kfree(state->jmp_history);
687 state->jmp_history = NULL;
688 state->jmp_history_cnt = 0;
689}
690
678static void free_verifier_state(struct bpf_verifier_state *state, 691static void free_verifier_state(struct bpf_verifier_state *state,
679 bool free_self) 692 bool free_self)
680{ 693{
@@ -684,6 +697,7 @@ static void free_verifier_state(struct bpf_verifier_state *state,
684 free_func_state(state->frame[i]); 697 free_func_state(state->frame[i]);
685 state->frame[i] = NULL; 698 state->frame[i] = NULL;
686 } 699 }
700 clear_jmp_history(state);
687 if (free_self) 701 if (free_self)
688 kfree(state); 702 kfree(state);
689} 703}
@@ -711,8 +725,18 @@ static int copy_verifier_state(struct bpf_verifier_state *dst_state,
711 const struct bpf_verifier_state *src) 725 const struct bpf_verifier_state *src)
712{ 726{
713 struct bpf_func_state *dst; 727 struct bpf_func_state *dst;
728 u32 jmp_sz = sizeof(struct bpf_idx_pair) * src->jmp_history_cnt;
714 int i, err; 729 int i, err;
715 730
731 if (dst_state->jmp_history_cnt < src->jmp_history_cnt) {
732 kfree(dst_state->jmp_history);
733 dst_state->jmp_history = kmalloc(jmp_sz, GFP_USER);
734 if (!dst_state->jmp_history)
735 return -ENOMEM;
736 }
737 memcpy(dst_state->jmp_history, src->jmp_history, jmp_sz);
738 dst_state->jmp_history_cnt = src->jmp_history_cnt;
739
716 /* if dst has more stack frames then src frame, free them */ 740 /* if dst has more stack frames then src frame, free them */
717 for (i = src->curframe + 1; i <= dst_state->curframe; i++) { 741 for (i = src->curframe + 1; i <= dst_state->curframe; i++) {
718 free_func_state(dst_state->frame[i]); 742 free_func_state(dst_state->frame[i]);
@@ -723,6 +747,8 @@ static int copy_verifier_state(struct bpf_verifier_state *dst_state,
723 dst_state->active_spin_lock = src->active_spin_lock; 747 dst_state->active_spin_lock = src->active_spin_lock;
724 dst_state->branches = src->branches; 748 dst_state->branches = src->branches;
725 dst_state->parent = src->parent; 749 dst_state->parent = src->parent;
750 dst_state->first_insn_idx = src->first_insn_idx;
751 dst_state->last_insn_idx = src->last_insn_idx;
726 for (i = 0; i <= src->curframe; i++) { 752 for (i = 0; i <= src->curframe; i++) {
727 dst = dst_state->frame[i]; 753 dst = dst_state->frame[i];
728 if (!dst) { 754 if (!dst) {
@@ -967,6 +993,9 @@ static void __mark_reg_unbounded(struct bpf_reg_state *reg)
967 reg->smax_value = S64_MAX; 993 reg->smax_value = S64_MAX;
968 reg->umin_value = 0; 994 reg->umin_value = 0;
969 reg->umax_value = U64_MAX; 995 reg->umax_value = U64_MAX;
996
997 /* constant backtracking is enabled for root only for now */
998 reg->precise = capable(CAP_SYS_ADMIN) ? false : true;
970} 999}
971 1000
972/* Mark a register as having a completely unknown (scalar) value. */ 1001/* Mark a register as having a completely unknown (scalar) value. */
@@ -1378,6 +1407,389 @@ static int check_reg_arg(struct bpf_verifier_env *env, u32 regno,
1378 return 0; 1407 return 0;
1379} 1408}
1380 1409
1410/* for any branch, call, exit record the history of jmps in the given state */
1411static int push_jmp_history(struct bpf_verifier_env *env,
1412 struct bpf_verifier_state *cur)
1413{
1414 u32 cnt = cur->jmp_history_cnt;
1415 struct bpf_idx_pair *p;
1416
1417 cnt++;
1418 p = krealloc(cur->jmp_history, cnt * sizeof(*p), GFP_USER);
1419 if (!p)
1420 return -ENOMEM;
1421 p[cnt - 1].idx = env->insn_idx;
1422 p[cnt - 1].prev_idx = env->prev_insn_idx;
1423 cur->jmp_history = p;
1424 cur->jmp_history_cnt = cnt;
1425 return 0;
1426}
1427
1428/* Backtrack one insn at a time. If idx is not at the top of recorded
1429 * history then previous instruction came from straight line execution.
1430 */
1431static int get_prev_insn_idx(struct bpf_verifier_state *st, int i,
1432 u32 *history)
1433{
1434 u32 cnt = *history;
1435
1436 if (cnt && st->jmp_history[cnt - 1].idx == i) {
1437 i = st->jmp_history[cnt - 1].prev_idx;
1438 (*history)--;
1439 } else {
1440 i--;
1441 }
1442 return i;
1443}
1444
1445/* For given verifier state backtrack_insn() is called from the last insn to
1446 * the first insn. Its purpose is to compute a bitmask of registers and
1447 * stack slots that needs precision in the parent verifier state.
1448 */
1449static int backtrack_insn(struct bpf_verifier_env *env, int idx,
1450 u32 *reg_mask, u64 *stack_mask)
1451{
1452 const struct bpf_insn_cbs cbs = {
1453 .cb_print = verbose,
1454 .private_data = env,
1455 };
1456 struct bpf_insn *insn = env->prog->insnsi + idx;
1457 u8 class = BPF_CLASS(insn->code);
1458 u8 opcode = BPF_OP(insn->code);
1459 u8 mode = BPF_MODE(insn->code);
1460 u32 dreg = 1u << insn->dst_reg;
1461 u32 sreg = 1u << insn->src_reg;
1462 u32 spi;
1463
1464 if (insn->code == 0)
1465 return 0;
1466 if (env->log.level & BPF_LOG_LEVEL) {
1467 verbose(env, "regs=%x stack=%llx before ", *reg_mask, *stack_mask);
1468 verbose(env, "%d: ", idx);
1469 print_bpf_insn(&cbs, insn, env->allow_ptr_leaks);
1470 }
1471
1472 if (class == BPF_ALU || class == BPF_ALU64) {
1473 if (!(*reg_mask & dreg))
1474 return 0;
1475 if (opcode == BPF_MOV) {
1476 if (BPF_SRC(insn->code) == BPF_X) {
1477 /* dreg = sreg
1478 * dreg needs precision after this insn
1479 * sreg needs precision before this insn
1480 */
1481 *reg_mask &= ~dreg;
1482 *reg_mask |= sreg;
1483 } else {
1484 /* dreg = K
1485 * dreg needs precision after this insn.
1486 * Corresponding register is already marked
1487 * as precise=true in this verifier state.
1488 * No further markings in parent are necessary
1489 */
1490 *reg_mask &= ~dreg;
1491 }
1492 } else {
1493 if (BPF_SRC(insn->code) == BPF_X) {
1494 /* dreg += sreg
1495 * both dreg and sreg need precision
1496 * before this insn
1497 */
1498 *reg_mask |= sreg;
1499 } /* else dreg += K
1500 * dreg still needs precision before this insn
1501 */
1502 }
1503 } else if (class == BPF_LDX) {
1504 if (!(*reg_mask & dreg))
1505 return 0;
1506 *reg_mask &= ~dreg;
1507
1508 /* scalars can only be spilled into stack w/o losing precision.
1509 * Load from any other memory can be zero extended.
1510 * The desire to keep that precision is already indicated
1511 * by 'precise' mark in corresponding register of this state.
1512 * No further tracking necessary.
1513 */
1514 if (insn->src_reg != BPF_REG_FP)
1515 return 0;
1516 if (BPF_SIZE(insn->code) != BPF_DW)
1517 return 0;
1518
1519 /* dreg = *(u64 *)[fp - off] was a fill from the stack.
1520 * that [fp - off] slot contains scalar that needs to be
1521 * tracked with precision
1522 */
1523 spi = (-insn->off - 1) / BPF_REG_SIZE;
1524 if (spi >= 64) {
1525 verbose(env, "BUG spi %d\n", spi);
1526 WARN_ONCE(1, "verifier backtracking bug");
1527 return -EFAULT;
1528 }
1529 *stack_mask |= 1ull << spi;
1530 } else if (class == BPF_STX) {
1531 if (*reg_mask & dreg)
1532 /* stx shouldn't be using _scalar_ dst_reg
1533 * to access memory. It means backtracking
1534 * encountered a case of pointer subtraction.
1535 */
1536 return -ENOTSUPP;
1537 /* scalars can only be spilled into stack */
1538 if (insn->dst_reg != BPF_REG_FP)
1539 return 0;
1540 if (BPF_SIZE(insn->code) != BPF_DW)
1541 return 0;
1542 spi = (-insn->off - 1) / BPF_REG_SIZE;
1543 if (spi >= 64) {
1544 verbose(env, "BUG spi %d\n", spi);
1545 WARN_ONCE(1, "verifier backtracking bug");
1546 return -EFAULT;
1547 }
1548 if (!(*stack_mask & (1ull << spi)))
1549 return 0;
1550 *stack_mask &= ~(1ull << spi);
1551 *reg_mask |= sreg;
1552 } else if (class == BPF_JMP || class == BPF_JMP32) {
1553 if (opcode == BPF_CALL) {
1554 if (insn->src_reg == BPF_PSEUDO_CALL)
1555 return -ENOTSUPP;
1556 /* regular helper call sets R0 */
1557 *reg_mask &= ~1;
1558 if (*reg_mask & 0x3f) {
1559 /* if backtracing was looking for registers R1-R5
1560 * they should have been found already.
1561 */
1562 verbose(env, "BUG regs %x\n", *reg_mask);
1563 WARN_ONCE(1, "verifier backtracking bug");
1564 return -EFAULT;
1565 }
1566 } else if (opcode == BPF_EXIT) {
1567 return -ENOTSUPP;
1568 }
1569 } else if (class == BPF_LD) {
1570 if (!(*reg_mask & dreg))
1571 return 0;
1572 *reg_mask &= ~dreg;
1573 /* It's ld_imm64 or ld_abs or ld_ind.
1574 * For ld_imm64 no further tracking of precision
1575 * into parent is necessary
1576 */
1577 if (mode == BPF_IND || mode == BPF_ABS)
1578 /* to be analyzed */
1579 return -ENOTSUPP;
1580 } else if (class == BPF_ST) {
1581 if (*reg_mask & dreg)
1582 /* likely pointer subtraction */
1583 return -ENOTSUPP;
1584 }
1585 return 0;
1586}
1587
1588/* the scalar precision tracking algorithm:
1589 * . at the start all registers have precise=false.
1590 * . scalar ranges are tracked as normal through alu and jmp insns.
1591 * . once precise value of the scalar register is used in:
1592 * . ptr + scalar alu
1593 * . if (scalar cond K|scalar)
1594 * . helper_call(.., scalar, ...) where ARG_CONST is expected
1595 * backtrack through the verifier states and mark all registers and
1596 * stack slots with spilled constants that these scalar regisers
1597 * should be precise.
1598 * . during state pruning two registers (or spilled stack slots)
1599 * are equivalent if both are not precise.
1600 *
1601 * Note the verifier cannot simply walk register parentage chain,
1602 * since many different registers and stack slots could have been
1603 * used to compute single precise scalar.
1604 *
1605 * The approach of starting with precise=true for all registers and then
1606 * backtrack to mark a register as not precise when the verifier detects
1607 * that program doesn't care about specific value (e.g., when helper
1608 * takes register as ARG_ANYTHING parameter) is not safe.
1609 *
1610 * It's ok to walk single parentage chain of the verifier states.
1611 * It's possible that this backtracking will go all the way till 1st insn.
1612 * All other branches will be explored for needing precision later.
1613 *
1614 * The backtracking needs to deal with cases like:
1615 * R8=map_value(id=0,off=0,ks=4,vs=1952,imm=0) R9_w=map_value(id=0,off=40,ks=4,vs=1952,imm=0)
1616 * r9 -= r8
1617 * r5 = r9
1618 * if r5 > 0x79f goto pc+7
1619 * R5_w=inv(id=0,umax_value=1951,var_off=(0x0; 0x7ff))
1620 * r5 += 1
1621 * ...
1622 * call bpf_perf_event_output#25
1623 * where .arg5_type = ARG_CONST_SIZE_OR_ZERO
1624 *
1625 * and this case:
1626 * r6 = 1
1627 * call foo // uses callee's r6 inside to compute r0
1628 * r0 += r6
1629 * if r0 == 0 goto
1630 *
1631 * to track above reg_mask/stack_mask needs to be independent for each frame.
1632 *
1633 * Also if parent's curframe > frame where backtracking started,
1634 * the verifier need to mark registers in both frames, otherwise callees
1635 * may incorrectly prune callers. This is similar to
1636 * commit 7640ead93924 ("bpf: verifier: make sure callees don't prune with caller differences")
1637 *
1638 * For now backtracking falls back into conservative marking.
1639 */
1640static void mark_all_scalars_precise(struct bpf_verifier_env *env,
1641 struct bpf_verifier_state *st)
1642{
1643 struct bpf_func_state *func;
1644 struct bpf_reg_state *reg;
1645 int i, j;
1646
1647 /* big hammer: mark all scalars precise in this path.
1648 * pop_stack may still get !precise scalars.
1649 */
1650 for (; st; st = st->parent)
1651 for (i = 0; i <= st->curframe; i++) {
1652 func = st->frame[i];
1653 for (j = 0; j < BPF_REG_FP; j++) {
1654 reg = &func->regs[j];
1655 if (reg->type != SCALAR_VALUE)
1656 continue;
1657 reg->precise = true;
1658 }
1659 for (j = 0; j < func->allocated_stack / BPF_REG_SIZE; j++) {
1660 if (func->stack[j].slot_type[0] != STACK_SPILL)
1661 continue;
1662 reg = &func->stack[j].spilled_ptr;
1663 if (reg->type != SCALAR_VALUE)
1664 continue;
1665 reg->precise = true;
1666 }
1667 }
1668}
1669
1670static int mark_chain_precision(struct bpf_verifier_env *env, int regno)
1671{
1672 struct bpf_verifier_state *st = env->cur_state;
1673 int first_idx = st->first_insn_idx;
1674 int last_idx = env->insn_idx;
1675 struct bpf_func_state *func;
1676 struct bpf_reg_state *reg;
1677 u32 reg_mask = 1u << regno;
1678 u64 stack_mask = 0;
1679 bool skip_first = true;
1680 int i, err;
1681
1682 if (!env->allow_ptr_leaks)
1683 /* backtracking is root only for now */
1684 return 0;
1685
1686 func = st->frame[st->curframe];
1687 reg = &func->regs[regno];
1688 if (reg->type != SCALAR_VALUE) {
1689 WARN_ONCE(1, "backtracing misuse");
1690 return -EFAULT;
1691 }
1692 if (reg->precise)
1693 return 0;
1694 func->regs[regno].precise = true;
1695
1696 for (;;) {
1697 DECLARE_BITMAP(mask, 64);
1698 bool new_marks = false;
1699 u32 history = st->jmp_history_cnt;
1700
1701 if (env->log.level & BPF_LOG_LEVEL)
1702 verbose(env, "last_idx %d first_idx %d\n", last_idx, first_idx);
1703 for (i = last_idx;;) {
1704 if (skip_first) {
1705 err = 0;
1706 skip_first = false;
1707 } else {
1708 err = backtrack_insn(env, i, &reg_mask, &stack_mask);
1709 }
1710 if (err == -ENOTSUPP) {
1711 mark_all_scalars_precise(env, st);
1712 return 0;
1713 } else if (err) {
1714 return err;
1715 }
1716 if (!reg_mask && !stack_mask)
1717 /* Found assignment(s) into tracked register in this state.
1718 * Since this state is already marked, just return.
1719 * Nothing to be tracked further in the parent state.
1720 */
1721 return 0;
1722 if (i == first_idx)
1723 break;
1724 i = get_prev_insn_idx(st, i, &history);
1725 if (i >= env->prog->len) {
1726 /* This can happen if backtracking reached insn 0
1727 * and there are still reg_mask or stack_mask
1728 * to backtrack.
1729 * It means the backtracking missed the spot where
1730 * particular register was initialized with a constant.
1731 */
1732 verbose(env, "BUG backtracking idx %d\n", i);
1733 WARN_ONCE(1, "verifier backtracking bug");
1734 return -EFAULT;
1735 }
1736 }
1737 st = st->parent;
1738 if (!st)
1739 break;
1740
1741 func = st->frame[st->curframe];
1742 bitmap_from_u64(mask, reg_mask);
1743 for_each_set_bit(i, mask, 32) {
1744 reg = &func->regs[i];
1745 if (reg->type != SCALAR_VALUE)
1746 continue;
1747 if (!reg->precise)
1748 new_marks = true;
1749 reg->precise = true;
1750 }
1751
1752 bitmap_from_u64(mask, stack_mask);
1753 for_each_set_bit(i, mask, 64) {
1754 if (i >= func->allocated_stack / BPF_REG_SIZE) {
1755 /* This can happen if backtracking
1756 * is propagating stack precision where
1757 * caller has larger stack frame
1758 * than callee, but backtrack_insn() should
1759 * have returned -ENOTSUPP.
1760 */
1761 verbose(env, "BUG spi %d stack_size %d\n",
1762 i, func->allocated_stack);
1763 WARN_ONCE(1, "verifier backtracking bug");
1764 return -EFAULT;
1765 }
1766
1767 if (func->stack[i].slot_type[0] != STACK_SPILL)
1768 continue;
1769 reg = &func->stack[i].spilled_ptr;
1770 if (reg->type != SCALAR_VALUE)
1771 continue;
1772 if (!reg->precise)
1773 new_marks = true;
1774 reg->precise = true;
1775 }
1776 if (env->log.level & BPF_LOG_LEVEL) {
1777 print_verifier_state(env, func);
1778 verbose(env, "parent %s regs=%x stack=%llx marks\n",
1779 new_marks ? "didn't have" : "already had",
1780 reg_mask, stack_mask);
1781 }
1782
1783 if (!new_marks)
1784 break;
1785
1786 last_idx = st->last_insn_idx;
1787 first_idx = st->first_insn_idx;
1788 }
1789 return 0;
1790}
1791
1792
1381static bool is_spillable_regtype(enum bpf_reg_type type) 1793static bool is_spillable_regtype(enum bpf_reg_type type)
1382{ 1794{
1383 switch (type) { 1795 switch (type) {
@@ -1435,6 +1847,7 @@ static int check_stack_write(struct bpf_verifier_env *env,
1435{ 1847{
1436 struct bpf_func_state *cur; /* state of the current function */ 1848 struct bpf_func_state *cur; /* state of the current function */
1437 int i, slot = -off - 1, spi = slot / BPF_REG_SIZE, err; 1849 int i, slot = -off - 1, spi = slot / BPF_REG_SIZE, err;
1850 u32 dst_reg = env->prog->insnsi[insn_idx].dst_reg;
1438 struct bpf_reg_state *reg = NULL; 1851 struct bpf_reg_state *reg = NULL;
1439 1852
1440 err = realloc_func_state(state, round_up(slot + 1, BPF_REG_SIZE), 1853 err = realloc_func_state(state, round_up(slot + 1, BPF_REG_SIZE),
@@ -1457,6 +1870,17 @@ static int check_stack_write(struct bpf_verifier_env *env,
1457 1870
1458 if (reg && size == BPF_REG_SIZE && register_is_const(reg) && 1871 if (reg && size == BPF_REG_SIZE && register_is_const(reg) &&
1459 !register_is_null(reg) && env->allow_ptr_leaks) { 1872 !register_is_null(reg) && env->allow_ptr_leaks) {
1873 if (dst_reg != BPF_REG_FP) {
1874 /* The backtracking logic can only recognize explicit
1875 * stack slot address like [fp - 8]. Other spill of
1876 * scalar via different register has to be conervative.
1877 * Backtrack from here and mark all registers as precise
1878 * that contributed into 'reg' being a constant.
1879 */
1880 err = mark_chain_precision(env, value_regno);
1881 if (err)
1882 return err;
1883 }
1460 save_register_state(state, spi, reg); 1884 save_register_state(state, spi, reg);
1461 } else if (reg && is_spillable_regtype(reg->type)) { 1885 } else if (reg && is_spillable_regtype(reg->type)) {
1462 /* register containing pointer is being spilled into stack */ 1886 /* register containing pointer is being spilled into stack */
@@ -1529,8 +1953,13 @@ static int check_stack_write(struct bpf_verifier_env *env,
1529 state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN; 1953 state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN;
1530 1954
1531 /* when we zero initialize stack slots mark them as such */ 1955 /* when we zero initialize stack slots mark them as such */
1532 if (reg && register_is_null(reg)) 1956 if (reg && register_is_null(reg)) {
1957 /* backtracking doesn't work for STACK_ZERO yet. */
1958 err = mark_chain_precision(env, value_regno);
1959 if (err)
1960 return err;
1533 type = STACK_ZERO; 1961 type = STACK_ZERO;
1962 }
1534 1963
1535 /* Mark slots affected by this stack write. */ 1964 /* Mark slots affected by this stack write. */
1536 for (i = 0; i < size; i++) 1965 for (i = 0; i < size; i++)
@@ -1610,6 +2039,17 @@ static int check_stack_read(struct bpf_verifier_env *env,
1610 * so the whole register == const_zero 2039 * so the whole register == const_zero
1611 */ 2040 */
1612 __mark_reg_const_zero(&state->regs[value_regno]); 2041 __mark_reg_const_zero(&state->regs[value_regno]);
2042 /* backtracking doesn't support STACK_ZERO yet,
2043 * so mark it precise here, so that later
2044 * backtracking can stop here.
2045 * Backtracking may not need this if this register
2046 * doesn't participate in pointer adjustment.
2047 * Forward propagation of precise flag is not
2048 * necessary either. This mark is only to stop
2049 * backtracking. Any register that contributed
2050 * to const 0 was marked precise before spill.
2051 */
2052 state->regs[value_regno].precise = true;
1613 } else { 2053 } else {
1614 /* have read misc data from the stack */ 2054 /* have read misc data from the stack */
1615 mark_reg_unknown(env, state->regs, value_regno); 2055 mark_reg_unknown(env, state->regs, value_regno);
@@ -2925,6 +3365,8 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 regno,
2925 err = check_helper_mem_access(env, regno - 1, 3365 err = check_helper_mem_access(env, regno - 1,
2926 reg->umax_value, 3366 reg->umax_value,
2927 zero_size_allowed, meta); 3367 zero_size_allowed, meta);
3368 if (!err)
3369 err = mark_chain_precision(env, regno);
2928 } else if (arg_type_is_int_ptr(arg_type)) { 3370 } else if (arg_type_is_int_ptr(arg_type)) {
2929 int size = int_ptr_type_to_size(arg_type); 3371 int size = int_ptr_type_to_size(arg_type);
2930 3372
@@ -4361,6 +4803,7 @@ static int adjust_reg_min_max_vals(struct bpf_verifier_env *env,
4361 struct bpf_reg_state *regs = state->regs, *dst_reg, *src_reg; 4803 struct bpf_reg_state *regs = state->regs, *dst_reg, *src_reg;
4362 struct bpf_reg_state *ptr_reg = NULL, off_reg = {0}; 4804 struct bpf_reg_state *ptr_reg = NULL, off_reg = {0};
4363 u8 opcode = BPF_OP(insn->code); 4805 u8 opcode = BPF_OP(insn->code);
4806 int err;
4364 4807
4365 dst_reg = &regs[insn->dst_reg]; 4808 dst_reg = &regs[insn->dst_reg];
4366 src_reg = NULL; 4809 src_reg = NULL;
@@ -4387,11 +4830,17 @@ static int adjust_reg_min_max_vals(struct bpf_verifier_env *env,
4387 * This is legal, but we have to reverse our 4830 * This is legal, but we have to reverse our
4388 * src/dest handling in computing the range 4831 * src/dest handling in computing the range
4389 */ 4832 */
4833 err = mark_chain_precision(env, insn->dst_reg);
4834 if (err)
4835 return err;
4390 return adjust_ptr_min_max_vals(env, insn, 4836 return adjust_ptr_min_max_vals(env, insn,
4391 src_reg, dst_reg); 4837 src_reg, dst_reg);
4392 } 4838 }
4393 } else if (ptr_reg) { 4839 } else if (ptr_reg) {
4394 /* pointer += scalar */ 4840 /* pointer += scalar */
4841 err = mark_chain_precision(env, insn->src_reg);
4842 if (err)
4843 return err;
4395 return adjust_ptr_min_max_vals(env, insn, 4844 return adjust_ptr_min_max_vals(env, insn,
4396 dst_reg, src_reg); 4845 dst_reg, src_reg);
4397 } 4846 }
@@ -5348,6 +5797,13 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
5348 tnum_is_const(src_reg->var_off)) 5797 tnum_is_const(src_reg->var_off))
5349 pred = is_branch_taken(dst_reg, src_reg->var_off.value, 5798 pred = is_branch_taken(dst_reg, src_reg->var_off.value,
5350 opcode, is_jmp32); 5799 opcode, is_jmp32);
5800 if (pred >= 0) {
5801 err = mark_chain_precision(env, insn->dst_reg);
5802 if (BPF_SRC(insn->code) == BPF_X && !err)
5803 err = mark_chain_precision(env, insn->src_reg);
5804 if (err)
5805 return err;
5806 }
5351 if (pred == 1) { 5807 if (pred == 1) {
5352 /* only follow the goto, ignore fall-through */ 5808 /* only follow the goto, ignore fall-through */
5353 *insn_idx += insn->off; 5809 *insn_idx += insn->off;
@@ -5825,6 +6281,11 @@ peek_stack:
5825 goto peek_stack; 6281 goto peek_stack;
5826 else if (ret < 0) 6282 else if (ret < 0)
5827 goto err_free; 6283 goto err_free;
6284 /* unconditional jmp is not a good pruning point,
6285 * but it's marked, since backtracking needs
6286 * to record jmp history in is_state_visited().
6287 */
6288 init_explored_state(env, t + insns[t].off + 1);
5828 /* tell verifier to check for equivalent states 6289 /* tell verifier to check for equivalent states
5829 * after every call and jump 6290 * after every call and jump
5830 */ 6291 */
@@ -6325,6 +6786,8 @@ static bool regsafe(struct bpf_reg_state *rold, struct bpf_reg_state *rcur,
6325 switch (rold->type) { 6786 switch (rold->type) {
6326 case SCALAR_VALUE: 6787 case SCALAR_VALUE:
6327 if (rcur->type == SCALAR_VALUE) { 6788 if (rcur->type == SCALAR_VALUE) {
6789 if (!rold->precise && !rcur->precise)
6790 return true;
6328 /* new val must satisfy old val knowledge */ 6791 /* new val must satisfy old val knowledge */
6329 return range_within(rold, rcur) && 6792 return range_within(rold, rcur) &&
6330 tnum_in(rold->var_off, rcur->var_off); 6793 tnum_in(rold->var_off, rcur->var_off);
@@ -6675,6 +7138,7 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx)
6675 int i, j, err, states_cnt = 0; 7138 int i, j, err, states_cnt = 0;
6676 bool add_new_state = false; 7139 bool add_new_state = false;
6677 7140
7141 cur->last_insn_idx = env->prev_insn_idx;
6678 if (!env->insn_aux_data[insn_idx].prune_point) 7142 if (!env->insn_aux_data[insn_idx].prune_point)
6679 /* this 'insn_idx' instruction wasn't marked, so we will not 7143 /* this 'insn_idx' instruction wasn't marked, so we will not
6680 * be doing state search here 7144 * be doing state search here
@@ -6791,10 +7255,10 @@ next:
6791 env->max_states_per_insn = states_cnt; 7255 env->max_states_per_insn = states_cnt;
6792 7256
6793 if (!env->allow_ptr_leaks && states_cnt > BPF_COMPLEXITY_LIMIT_STATES) 7257 if (!env->allow_ptr_leaks && states_cnt > BPF_COMPLEXITY_LIMIT_STATES)
6794 return 0; 7258 return push_jmp_history(env, cur);
6795 7259
6796 if (!add_new_state) 7260 if (!add_new_state)
6797 return 0; 7261 return push_jmp_history(env, cur);
6798 7262
6799 /* There were no equivalent states, remember the current one. 7263 /* There were no equivalent states, remember the current one.
6800 * Technically the current state is not proven to be safe yet, 7264 * Technically the current state is not proven to be safe yet,
@@ -6824,7 +7288,10 @@ next:
6824 new->insn_idx = insn_idx; 7288 new->insn_idx = insn_idx;
6825 WARN_ONCE(new->branches != 1, 7289 WARN_ONCE(new->branches != 1,
6826 "BUG is_state_visited:branches_to_explore=%d insn %d\n", new->branches, insn_idx); 7290 "BUG is_state_visited:branches_to_explore=%d insn %d\n", new->branches, insn_idx);
7291
6827 cur->parent = new; 7292 cur->parent = new;
7293 cur->first_insn_idx = insn_idx;
7294 clear_jmp_history(cur);
6828 new_sl->next = *explored_state(env, insn_idx); 7295 new_sl->next = *explored_state(env, insn_idx);
6829 *explored_state(env, insn_idx) = new_sl; 7296 *explored_state(env, insn_idx) = new_sl;
6830 /* connect new state to parentage chain. Current frame needs all 7297 /* connect new state to parentage chain. Current frame needs all
@@ -6904,6 +7371,7 @@ static int do_check(struct bpf_verifier_env *env)
6904 struct bpf_reg_state *regs; 7371 struct bpf_reg_state *regs;
6905 int insn_cnt = env->prog->len; 7372 int insn_cnt = env->prog->len;
6906 bool do_print_state = false; 7373 bool do_print_state = false;
7374 int prev_insn_idx = -1;
6907 7375
6908 env->prev_linfo = NULL; 7376 env->prev_linfo = NULL;
6909 7377
@@ -6929,6 +7397,7 @@ static int do_check(struct bpf_verifier_env *env)
6929 u8 class; 7397 u8 class;
6930 int err; 7398 int err;
6931 7399
7400 env->prev_insn_idx = prev_insn_idx;
6932 if (env->insn_idx >= insn_cnt) { 7401 if (env->insn_idx >= insn_cnt) {
6933 verbose(env, "invalid insn idx %d insn_cnt %d\n", 7402 verbose(env, "invalid insn idx %d insn_cnt %d\n",
6934 env->insn_idx, insn_cnt); 7403 env->insn_idx, insn_cnt);
@@ -7001,6 +7470,7 @@ static int do_check(struct bpf_verifier_env *env)
7001 7470
7002 regs = cur_regs(env); 7471 regs = cur_regs(env);
7003 env->insn_aux_data[env->insn_idx].seen = true; 7472 env->insn_aux_data[env->insn_idx].seen = true;
7473 prev_insn_idx = env->insn_idx;
7004 7474
7005 if (class == BPF_ALU || class == BPF_ALU64) { 7475 if (class == BPF_ALU || class == BPF_ALU64) {
7006 err = check_alu_op(env, insn); 7476 err = check_alu_op(env, insn);
@@ -7174,7 +7644,6 @@ static int do_check(struct bpf_verifier_env *env)
7174 7644
7175 if (state->curframe) { 7645 if (state->curframe) {
7176 /* exit from nested function */ 7646 /* exit from nested function */
7177 env->prev_insn_idx = env->insn_idx;
7178 err = prepare_func_exit(env, &env->insn_idx); 7647 err = prepare_func_exit(env, &env->insn_idx);
7179 if (err) 7648 if (err)
7180 return err; 7649 return err;
@@ -7206,7 +7675,7 @@ static int do_check(struct bpf_verifier_env *env)
7206 return err; 7675 return err;
7207process_bpf_exit: 7676process_bpf_exit:
7208 update_branch_counts(env, env->cur_state); 7677 update_branch_counts(env, env->cur_state);
7209 err = pop_stack(env, &env->prev_insn_idx, 7678 err = pop_stack(env, &prev_insn_idx,
7210 &env->insn_idx); 7679 &env->insn_idx);
7211 if (err < 0) { 7680 if (err < 0) {
7212 if (err != -ENOENT) 7681 if (err != -ENOENT)
generated by cgit v1.2.2 (git 2.25.0) at 2026-05-29 21:34:01 -0400