1 files changed, 46 insertions, 17 deletions

diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
index 1632bb13ad8a..6b66cd1aa0b9 100644
--- a/include/linux/bpf_verifier.h
+++ b/include/linux/bpf_verifier.h
@@ -76,6 +76,14 @@ struct bpf_reg_state {
         s64 smax_value; /* maximum possible (s64)value */
         u64 umin_value; /* minimum possible (u64)value */
         u64 umax_value; /* maximum possible (u64)value */
+        /* Inside the callee two registers can be both PTR_TO_STACK like
+         * R1=fp-8 and R2=fp-8, but one of them points to this function stack
+         * while another to the caller's stack. To differentiate them 'frameno'
+         * is used which is an index in bpf_verifier_state->frame[] array
+         * pointing to bpf_func_state.
+         * This field must be second to last, for states_equal() reasons.
+         */
+        u32 frameno;
         /* This field must be last, for states_equal() reasons. */
         enum bpf_reg_liveness live;
 };
@@ -83,7 +91,8 @@ struct bpf_reg_state {
 enum bpf_stack_slot_type {
         STACK_INVALID,    /* nothing was stored in this stack slot */
         STACK_SPILL,      /* register spilled into stack */
-        STACK_MISC        /* BPF program wrote some data into this slot */
+        STACK_MISC,       /* BPF program wrote some data into this slot */
+        STACK_ZERO,       /* BPF program wrote constant zero */
 };
 
 #define BPF_REG_SIZE 8  /* size of eBPF register in bytes */
@@ -96,13 +105,34 @@ struct bpf_stack_state {
 /* state of the program:
  * type of all registers and stack info
  */
-struct bpf_verifier_state {
+struct bpf_func_state {
         struct bpf_reg_state regs[MAX_BPF_REG];
         struct bpf_verifier_state *parent;
+        /* index of call instruction that called into this func */
+        int callsite;
+        /* stack frame number of this function state from pov of
+         * enclosing bpf_verifier_state.
+         * 0 = main function, 1 = first callee.
+         */
+        u32 frameno;
+        /* subprog number == index within subprog_stack_depth
+         * zero == main subprog
+         */
+        u32 subprogno;
+
+        /* should be second to last. See copy_func_state() */
         int allocated_stack;
         struct bpf_stack_state *stack;
 };
 
+#define MAX_CALL_FRAMES 8
+struct bpf_verifier_state {
+        /* call stack tracking */
+        struct bpf_func_state *frame[MAX_CALL_FRAMES];
+        struct bpf_verifier_state *parent;
+        u32 curframe;
+};
+
 /* linked list of verifier states used to prune search */
 struct bpf_verifier_state_list {
         struct bpf_verifier_state state;
@@ -113,6 +143,7 @@ struct bpf_insn_aux_data {
         union {
                 enum bpf_reg_type ptr_type;     /* pointer type for load/store insns */
                 struct bpf_map *map_ptr;        /* pointer for call insn into lookup_elem */
+                s32 call_imm;                   /* saved imm field of call insn */
         };
         int ctx_field_size; /* the ctx field size for load insn, maybe 0 */
         bool seen; /* this insn was processed by the verifier */
@@ -135,11 +166,7 @@ static inline bool bpf_verifier_log_full(const struct bpf_verifer_log *log)
         return log->len_used >= log->len_total - 1;
 }
 
-struct bpf_verifier_env;
-struct bpf_ext_analyzer_ops {
-        int (*insn_hook)(struct bpf_verifier_env *env,
-                         int insn_idx, int prev_insn_idx);
-};
+#define BPF_MAX_SUBPROGS 256
 
 /* single container for all structs
  * one verifier_env per bpf_check() call
@@ -152,29 +179,31 @@ struct bpf_verifier_env {
         bool strict_alignment;          /* perform strict pointer alignment checks */
         struct bpf_verifier_state *cur_state; /* current verifier state */
         struct bpf_verifier_state_list **explored_states; /* search pruning optimization */
-        const struct bpf_ext_analyzer_ops *dev_ops; /* device analyzer ops */
         struct bpf_map *used_maps[MAX_USED_MAPS]; /* array of map's used by eBPF program */
         u32 used_map_cnt;               /* number of used maps */
         u32 id_gen;                     /* used to generate unique reg IDs */
         bool allow_ptr_leaks;
         bool seen_direct_write;
         struct bpf_insn_aux_data *insn_aux_data; /* array of per-insn state */
-
         struct bpf_verifer_log log;
+        u32 subprog_starts[BPF_MAX_SUBPROGS];
+        /* computes the stack depth of each bpf function */
+        u16 subprog_stack_depth[BPF_MAX_SUBPROGS + 1];
+        u32 subprog_cnt;
 };
 
+__printf(2, 3) void bpf_verifier_log_write(struct bpf_verifier_env *env,
+                                           const char *fmt, ...);
+
 static inline struct bpf_reg_state *cur_regs(struct bpf_verifier_env *env)
 {
-        return env->cur_state->regs;
+        struct bpf_verifier_state *cur = env->cur_state;
+
+        return cur->frame[cur->curframe]->regs;
 }
 
-#if defined(CONFIG_NET) && defined(CONFIG_BPF_SYSCALL)
 int bpf_prog_offload_verifier_prep(struct bpf_verifier_env *env);
-#else
-static inline int bpf_prog_offload_verifier_prep(struct bpf_verifier_env *env)
-{
-        return -EOPNOTSUPP;
-}
-#endif
+int bpf_prog_offload_verify_insn(struct bpf_verifier_env *env,
+                                 int insn_idx, int prev_insn_idx);
 
 #endif /* _LINUX_BPF_VERIFIER_H */