aboutsummaryrefslogtreecommitdiffstats
path: root/kernel/bpf/verifier.c
diff options
context:
space:
mode:
Diffstat (limited to 'kernel/bpf/verifier.c')
-rw-r--r--kernel/bpf/verifier.c397
1 files changed, 345 insertions, 52 deletions
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 95f9354495ad..5c2cb5bd84ce 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -176,7 +176,7 @@ struct bpf_verifier_stack_elem {
176 struct bpf_verifier_stack_elem *next; 176 struct bpf_verifier_stack_elem *next;
177}; 177};
178 178
179#define BPF_COMPLEXITY_LIMIT_STACK 1024 179#define BPF_COMPLEXITY_LIMIT_JMP_SEQ 8192
180#define BPF_COMPLEXITY_LIMIT_STATES 64 180#define BPF_COMPLEXITY_LIMIT_STATES 64
181 181
182#define BPF_MAP_PTR_UNPRIV 1UL 182#define BPF_MAP_PTR_UNPRIV 1UL
@@ -782,8 +782,9 @@ static struct bpf_verifier_state *push_stack(struct bpf_verifier_env *env,
782 if (err) 782 if (err)
783 goto err; 783 goto err;
784 elem->st.speculative |= speculative; 784 elem->st.speculative |= speculative;
785 if (env->stack_size > BPF_COMPLEXITY_LIMIT_STACK) { 785 if (env->stack_size > BPF_COMPLEXITY_LIMIT_JMP_SEQ) {
786 verbose(env, "BPF program is too complex\n"); 786 verbose(env, "The sequence of %d jumps is too complex.\n",
787 env->stack_size);
787 goto err; 788 goto err;
788 } 789 }
789 return &elem->st; 790 return &elem->st;
@@ -981,6 +982,7 @@ static void mark_reg_not_init(struct bpf_verifier_env *env,
981 __mark_reg_not_init(regs + regno); 982 __mark_reg_not_init(regs + regno);
982} 983}
983 984
985#define DEF_NOT_SUBREG (0)
984static void init_reg_state(struct bpf_verifier_env *env, 986static void init_reg_state(struct bpf_verifier_env *env,
985 struct bpf_func_state *state) 987 struct bpf_func_state *state)
986{ 988{
@@ -991,6 +993,7 @@ static void init_reg_state(struct bpf_verifier_env *env,
991 mark_reg_not_init(env, regs, i); 993 mark_reg_not_init(env, regs, i);
992 regs[i].live = REG_LIVE_NONE; 994 regs[i].live = REG_LIVE_NONE;
993 regs[i].parent = NULL; 995 regs[i].parent = NULL;
996 regs[i].subreg_def = DEF_NOT_SUBREG;
994 } 997 }
995 998
996 /* frame pointer */ 999 /* frame pointer */
@@ -1136,7 +1139,7 @@ next:
1136 */ 1139 */
1137static int mark_reg_read(struct bpf_verifier_env *env, 1140static int mark_reg_read(struct bpf_verifier_env *env,
1138 const struct bpf_reg_state *state, 1141 const struct bpf_reg_state *state,
1139 struct bpf_reg_state *parent) 1142 struct bpf_reg_state *parent, u8 flag)
1140{ 1143{
1141 bool writes = parent == state->parent; /* Observe write marks */ 1144 bool writes = parent == state->parent; /* Observe write marks */
1142 int cnt = 0; 1145 int cnt = 0;
@@ -1151,17 +1154,26 @@ static int mark_reg_read(struct bpf_verifier_env *env,
1151 parent->var_off.value, parent->off); 1154 parent->var_off.value, parent->off);
1152 return -EFAULT; 1155 return -EFAULT;
1153 } 1156 }
1154 if (parent->live & REG_LIVE_READ) 1157 /* The first condition is more likely to be true than the
1158 * second, checked it first.
1159 */
1160 if ((parent->live & REG_LIVE_READ) == flag ||
1161 parent->live & REG_LIVE_READ64)
1155 /* The parentage chain never changes and 1162 /* The parentage chain never changes and
1156 * this parent was already marked as LIVE_READ. 1163 * this parent was already marked as LIVE_READ.
1157 * There is no need to keep walking the chain again and 1164 * There is no need to keep walking the chain again and
1158 * keep re-marking all parents as LIVE_READ. 1165 * keep re-marking all parents as LIVE_READ.
1159 * This case happens when the same register is read 1166 * This case happens when the same register is read
1160 * multiple times without writes into it in-between. 1167 * multiple times without writes into it in-between.
1168 * Also, if parent has the stronger REG_LIVE_READ64 set,
1169 * then no need to set the weak REG_LIVE_READ32.
1161 */ 1170 */
1162 break; 1171 break;
1163 /* ... then we depend on parent's value */ 1172 /* ... then we depend on parent's value */
1164 parent->live |= REG_LIVE_READ; 1173 parent->live |= flag;
1174 /* REG_LIVE_READ64 overrides REG_LIVE_READ32. */
1175 if (flag == REG_LIVE_READ64)
1176 parent->live &= ~REG_LIVE_READ32;
1165 state = parent; 1177 state = parent;
1166 parent = state->parent; 1178 parent = state->parent;
1167 writes = true; 1179 writes = true;
@@ -1173,12 +1185,129 @@ static int mark_reg_read(struct bpf_verifier_env *env,
1173 return 0; 1185 return 0;
1174} 1186}
1175 1187
1188/* This function is supposed to be used by the following 32-bit optimization
1189 * code only. It returns TRUE if the source or destination register operates
1190 * on 64-bit, otherwise return FALSE.
1191 */
1192static bool is_reg64(struct bpf_verifier_env *env, struct bpf_insn *insn,
1193 u32 regno, struct bpf_reg_state *reg, enum reg_arg_type t)
1194{
1195 u8 code, class, op;
1196
1197 code = insn->code;
1198 class = BPF_CLASS(code);
1199 op = BPF_OP(code);
1200 if (class == BPF_JMP) {
1201 /* BPF_EXIT for "main" will reach here. Return TRUE
1202 * conservatively.
1203 */
1204 if (op == BPF_EXIT)
1205 return true;
1206 if (op == BPF_CALL) {
1207 /* BPF to BPF call will reach here because of marking
1208 * caller saved clobber with DST_OP_NO_MARK for which we
1209 * don't care the register def because they are anyway
1210 * marked as NOT_INIT already.
1211 */
1212 if (insn->src_reg == BPF_PSEUDO_CALL)
1213 return false;
1214 /* Helper call will reach here because of arg type
1215 * check, conservatively return TRUE.
1216 */
1217 if (t == SRC_OP)
1218 return true;
1219
1220 return false;
1221 }
1222 }
1223
1224 if (class == BPF_ALU64 || class == BPF_JMP ||
1225 /* BPF_END always use BPF_ALU class. */
1226 (class == BPF_ALU && op == BPF_END && insn->imm == 64))
1227 return true;
1228
1229 if (class == BPF_ALU || class == BPF_JMP32)
1230 return false;
1231
1232 if (class == BPF_LDX) {
1233 if (t != SRC_OP)
1234 return BPF_SIZE(code) == BPF_DW;
1235 /* LDX source must be ptr. */
1236 return true;
1237 }
1238
1239 if (class == BPF_STX) {
1240 if (reg->type != SCALAR_VALUE)
1241 return true;
1242 return BPF_SIZE(code) == BPF_DW;
1243 }
1244
1245 if (class == BPF_LD) {
1246 u8 mode = BPF_MODE(code);
1247
1248 /* LD_IMM64 */
1249 if (mode == BPF_IMM)
1250 return true;
1251
1252 /* Both LD_IND and LD_ABS return 32-bit data. */
1253 if (t != SRC_OP)
1254 return false;
1255
1256 /* Implicit ctx ptr. */
1257 if (regno == BPF_REG_6)
1258 return true;
1259
1260 /* Explicit source could be any width. */
1261 return true;
1262 }
1263
1264 if (class == BPF_ST)
1265 /* The only source register for BPF_ST is a ptr. */
1266 return true;
1267
1268 /* Conservatively return true at default. */
1269 return true;
1270}
1271
1272/* Return TRUE if INSN doesn't have explicit value define. */
1273static bool insn_no_def(struct bpf_insn *insn)
1274{
1275 u8 class = BPF_CLASS(insn->code);
1276
1277 return (class == BPF_JMP || class == BPF_JMP32 ||
1278 class == BPF_STX || class == BPF_ST);
1279}
1280
1281/* Return TRUE if INSN has defined any 32-bit value explicitly. */
1282static bool insn_has_def32(struct bpf_verifier_env *env, struct bpf_insn *insn)
1283{
1284 if (insn_no_def(insn))
1285 return false;
1286
1287 return !is_reg64(env, insn, insn->dst_reg, NULL, DST_OP);
1288}
1289
1290static void mark_insn_zext(struct bpf_verifier_env *env,
1291 struct bpf_reg_state *reg)
1292{
1293 s32 def_idx = reg->subreg_def;
1294
1295 if (def_idx == DEF_NOT_SUBREG)
1296 return;
1297
1298 env->insn_aux_data[def_idx - 1].zext_dst = true;
1299 /* The dst will be zero extended, so won't be sub-register anymore. */
1300 reg->subreg_def = DEF_NOT_SUBREG;
1301}
1302
1176static int check_reg_arg(struct bpf_verifier_env *env, u32 regno, 1303static int check_reg_arg(struct bpf_verifier_env *env, u32 regno,
1177 enum reg_arg_type t) 1304 enum reg_arg_type t)
1178{ 1305{
1179 struct bpf_verifier_state *vstate = env->cur_state; 1306 struct bpf_verifier_state *vstate = env->cur_state;
1180 struct bpf_func_state *state = vstate->frame[vstate->curframe]; 1307 struct bpf_func_state *state = vstate->frame[vstate->curframe];
1308 struct bpf_insn *insn = env->prog->insnsi + env->insn_idx;
1181 struct bpf_reg_state *reg, *regs = state->regs; 1309 struct bpf_reg_state *reg, *regs = state->regs;
1310 bool rw64;
1182 1311
1183 if (regno >= MAX_BPF_REG) { 1312 if (regno >= MAX_BPF_REG) {
1184 verbose(env, "R%d is invalid\n", regno); 1313 verbose(env, "R%d is invalid\n", regno);
@@ -1186,6 +1315,7 @@ static int check_reg_arg(struct bpf_verifier_env *env, u32 regno,
1186 } 1315 }
1187 1316
1188 reg = &regs[regno]; 1317 reg = &regs[regno];
1318 rw64 = is_reg64(env, insn, regno, reg, t);
1189 if (t == SRC_OP) { 1319 if (t == SRC_OP) {
1190 /* check whether register used as source operand can be read */ 1320 /* check whether register used as source operand can be read */
1191 if (reg->type == NOT_INIT) { 1321 if (reg->type == NOT_INIT) {
@@ -1196,7 +1326,11 @@ static int check_reg_arg(struct bpf_verifier_env *env, u32 regno,
1196 if (regno == BPF_REG_FP) 1326 if (regno == BPF_REG_FP)
1197 return 0; 1327 return 0;
1198 1328
1199 return mark_reg_read(env, reg, reg->parent); 1329 if (rw64)
1330 mark_insn_zext(env, reg);
1331
1332 return mark_reg_read(env, reg, reg->parent,
1333 rw64 ? REG_LIVE_READ64 : REG_LIVE_READ32);
1200 } else { 1334 } else {
1201 /* check whether register used as dest operand can be written to */ 1335 /* check whether register used as dest operand can be written to */
1202 if (regno == BPF_REG_FP) { 1336 if (regno == BPF_REG_FP) {
@@ -1204,6 +1338,7 @@ static int check_reg_arg(struct bpf_verifier_env *env, u32 regno,
1204 return -EACCES; 1338 return -EACCES;
1205 } 1339 }
1206 reg->live |= REG_LIVE_WRITTEN; 1340 reg->live |= REG_LIVE_WRITTEN;
1341 reg->subreg_def = rw64 ? DEF_NOT_SUBREG : env->insn_idx + 1;
1207 if (t == DST_OP) 1342 if (t == DST_OP)
1208 mark_reg_unknown(env, regs, regno); 1343 mark_reg_unknown(env, regs, regno);
1209 } 1344 }
@@ -1383,7 +1518,8 @@ static int check_stack_read(struct bpf_verifier_env *env,
1383 state->regs[value_regno].live |= REG_LIVE_WRITTEN; 1518 state->regs[value_regno].live |= REG_LIVE_WRITTEN;
1384 } 1519 }
1385 mark_reg_read(env, &reg_state->stack[spi].spilled_ptr, 1520 mark_reg_read(env, &reg_state->stack[spi].spilled_ptr,
1386 reg_state->stack[spi].spilled_ptr.parent); 1521 reg_state->stack[spi].spilled_ptr.parent,
1522 REG_LIVE_READ64);
1387 return 0; 1523 return 0;
1388 } else { 1524 } else {
1389 int zeros = 0; 1525 int zeros = 0;
@@ -1400,7 +1536,8 @@ static int check_stack_read(struct bpf_verifier_env *env,
1400 return -EACCES; 1536 return -EACCES;
1401 } 1537 }
1402 mark_reg_read(env, &reg_state->stack[spi].spilled_ptr, 1538 mark_reg_read(env, &reg_state->stack[spi].spilled_ptr,
1403 reg_state->stack[spi].spilled_ptr.parent); 1539 reg_state->stack[spi].spilled_ptr.parent,
1540 REG_LIVE_READ64);
1404 if (value_regno >= 0) { 1541 if (value_regno >= 0) {
1405 if (zeros == size) { 1542 if (zeros == size) {
1406 /* any size read into register is zero extended, 1543 /* any size read into register is zero extended,
@@ -2109,6 +2246,12 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
2109 value_regno); 2246 value_regno);
2110 if (reg_type_may_be_null(reg_type)) 2247 if (reg_type_may_be_null(reg_type))
2111 regs[value_regno].id = ++env->id_gen; 2248 regs[value_regno].id = ++env->id_gen;
2249 /* A load of ctx field could have different
2250 * actual load size with the one encoded in the
2251 * insn. When the dst is PTR, it is for sure not
2252 * a sub-register.
2253 */
2254 regs[value_regno].subreg_def = DEF_NOT_SUBREG;
2112 } 2255 }
2113 regs[value_regno].type = reg_type; 2256 regs[value_regno].type = reg_type;
2114 } 2257 }
@@ -2368,7 +2511,8 @@ mark:
2368 * the whole slot to be marked as 'read' 2511 * the whole slot to be marked as 'read'
2369 */ 2512 */
2370 mark_reg_read(env, &state->stack[spi].spilled_ptr, 2513 mark_reg_read(env, &state->stack[spi].spilled_ptr,
2371 state->stack[spi].spilled_ptr.parent); 2514 state->stack[spi].spilled_ptr.parent,
2515 REG_LIVE_READ64);
2372 } 2516 }
2373 return update_stack_depth(env, state, min_off); 2517 return update_stack_depth(env, state, min_off);
2374} 2518}
@@ -3332,6 +3476,9 @@ static int check_helper_call(struct bpf_verifier_env *env, int func_id, int insn
3332 check_reg_arg(env, caller_saved[i], DST_OP_NO_MARK); 3476 check_reg_arg(env, caller_saved[i], DST_OP_NO_MARK);
3333 } 3477 }
3334 3478
3479 /* helper call returns 64-bit value. */
3480 regs[BPF_REG_0].subreg_def = DEF_NOT_SUBREG;
3481
3335 /* update return register (already marked as written above) */ 3482 /* update return register (already marked as written above) */
3336 if (fn->ret_type == RET_INTEGER) { 3483 if (fn->ret_type == RET_INTEGER) {
3337 /* sets type to SCALAR_VALUE */ 3484 /* sets type to SCALAR_VALUE */
@@ -4263,6 +4410,7 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
4263 */ 4410 */
4264 *dst_reg = *src_reg; 4411 *dst_reg = *src_reg;
4265 dst_reg->live |= REG_LIVE_WRITTEN; 4412 dst_reg->live |= REG_LIVE_WRITTEN;
4413 dst_reg->subreg_def = DEF_NOT_SUBREG;
4266 } else { 4414 } else {
4267 /* R1 = (u32) R2 */ 4415 /* R1 = (u32) R2 */
4268 if (is_pointer_value(env, insn->src_reg)) { 4416 if (is_pointer_value(env, insn->src_reg)) {
@@ -4273,6 +4421,7 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
4273 } else if (src_reg->type == SCALAR_VALUE) { 4421 } else if (src_reg->type == SCALAR_VALUE) {
4274 *dst_reg = *src_reg; 4422 *dst_reg = *src_reg;
4275 dst_reg->live |= REG_LIVE_WRITTEN; 4423 dst_reg->live |= REG_LIVE_WRITTEN;
4424 dst_reg->subreg_def = env->insn_idx + 1;
4276 } else { 4425 } else {
4277 mark_reg_unknown(env, regs, 4426 mark_reg_unknown(env, regs,
4278 insn->dst_reg); 4427 insn->dst_reg);
@@ -5352,16 +5501,23 @@ static int check_ld_abs(struct bpf_verifier_env *env, struct bpf_insn *insn)
5352 * Already marked as written above. 5501 * Already marked as written above.
5353 */ 5502 */
5354 mark_reg_unknown(env, regs, BPF_REG_0); 5503 mark_reg_unknown(env, regs, BPF_REG_0);
5504 /* ld_abs load up to 32-bit skb data. */
5505 regs[BPF_REG_0].subreg_def = env->insn_idx + 1;
5355 return 0; 5506 return 0;
5356} 5507}
5357 5508
5358static int check_return_code(struct bpf_verifier_env *env) 5509static int check_return_code(struct bpf_verifier_env *env)
5359{ 5510{
5511 struct tnum enforce_attach_type_range = tnum_unknown;
5360 struct bpf_reg_state *reg; 5512 struct bpf_reg_state *reg;
5361 struct tnum range = tnum_range(0, 1); 5513 struct tnum range = tnum_range(0, 1);
5362 5514
5363 switch (env->prog->type) { 5515 switch (env->prog->type) {
5364 case BPF_PROG_TYPE_CGROUP_SKB: 5516 case BPF_PROG_TYPE_CGROUP_SKB:
5517 if (env->prog->expected_attach_type == BPF_CGROUP_INET_EGRESS) {
5518 range = tnum_range(0, 3);
5519 enforce_attach_type_range = tnum_range(2, 3);
5520 }
5365 case BPF_PROG_TYPE_CGROUP_SOCK: 5521 case BPF_PROG_TYPE_CGROUP_SOCK:
5366 case BPF_PROG_TYPE_CGROUP_SOCK_ADDR: 5522 case BPF_PROG_TYPE_CGROUP_SOCK_ADDR:
5367 case BPF_PROG_TYPE_SOCK_OPS: 5523 case BPF_PROG_TYPE_SOCK_OPS:
@@ -5380,18 +5536,23 @@ static int check_return_code(struct bpf_verifier_env *env)
5380 } 5536 }
5381 5537
5382 if (!tnum_in(range, reg->var_off)) { 5538 if (!tnum_in(range, reg->var_off)) {
5539 char tn_buf[48];
5540
5383 verbose(env, "At program exit the register R0 "); 5541 verbose(env, "At program exit the register R0 ");
5384 if (!tnum_is_unknown(reg->var_off)) { 5542 if (!tnum_is_unknown(reg->var_off)) {
5385 char tn_buf[48];
5386
5387 tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); 5543 tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
5388 verbose(env, "has value %s", tn_buf); 5544 verbose(env, "has value %s", tn_buf);
5389 } else { 5545 } else {
5390 verbose(env, "has unknown scalar value"); 5546 verbose(env, "has unknown scalar value");
5391 } 5547 }
5392 verbose(env, " should have been 0 or 1\n"); 5548 tnum_strn(tn_buf, sizeof(tn_buf), range);
5549 verbose(env, " should have been %s\n", tn_buf);
5393 return -EINVAL; 5550 return -EINVAL;
5394 } 5551 }
5552
5553 if (!tnum_is_unknown(enforce_attach_type_range) &&
5554 tnum_in(enforce_attach_type_range, reg->var_off))
5555 env->prog->enforce_expected_attach_type = 1;
5395 return 0; 5556 return 0;
5396} 5557}
5397 5558
@@ -5435,7 +5596,25 @@ enum {
5435 BRANCH = 2, 5596 BRANCH = 2,
5436}; 5597};
5437 5598
5438#define STATE_LIST_MARK ((struct bpf_verifier_state_list *) -1L) 5599static u32 state_htab_size(struct bpf_verifier_env *env)
5600{
5601 return env->prog->len;
5602}
5603
5604static struct bpf_verifier_state_list **explored_state(
5605 struct bpf_verifier_env *env,
5606 int idx)
5607{
5608 struct bpf_verifier_state *cur = env->cur_state;
5609 struct bpf_func_state *state = cur->frame[cur->curframe];
5610
5611 return &env->explored_states[(idx ^ state->callsite) % state_htab_size(env)];
5612}
5613
5614static void init_explored_state(struct bpf_verifier_env *env, int idx)
5615{
5616 env->insn_aux_data[idx].prune_point = true;
5617}
5439 5618
5440/* t, w, e - match pseudo-code above: 5619/* t, w, e - match pseudo-code above:
5441 * t - index of current instruction 5620 * t - index of current instruction
@@ -5461,7 +5640,7 @@ static int push_insn(int t, int w, int e, struct bpf_verifier_env *env)
5461 5640
5462 if (e == BRANCH) 5641 if (e == BRANCH)
5463 /* mark branch target for state pruning */ 5642 /* mark branch target for state pruning */
5464 env->explored_states[w] = STATE_LIST_MARK; 5643 init_explored_state(env, w);
5465 5644
5466 if (insn_state[w] == 0) { 5645 if (insn_state[w] == 0) {
5467 /* tree-edge */ 5646 /* tree-edge */
@@ -5529,9 +5708,9 @@ peek_stack:
5529 else if (ret < 0) 5708 else if (ret < 0)
5530 goto err_free; 5709 goto err_free;
5531 if (t + 1 < insn_cnt) 5710 if (t + 1 < insn_cnt)
5532 env->explored_states[t + 1] = STATE_LIST_MARK; 5711 init_explored_state(env, t + 1);
5533 if (insns[t].src_reg == BPF_PSEUDO_CALL) { 5712 if (insns[t].src_reg == BPF_PSEUDO_CALL) {
5534 env->explored_states[t] = STATE_LIST_MARK; 5713 init_explored_state(env, t);
5535 ret = push_insn(t, t + insns[t].imm + 1, BRANCH, env); 5714 ret = push_insn(t, t + insns[t].imm + 1, BRANCH, env);
5536 if (ret == 1) 5715 if (ret == 1)
5537 goto peek_stack; 5716 goto peek_stack;
@@ -5554,10 +5733,10 @@ peek_stack:
5554 * after every call and jump 5733 * after every call and jump
5555 */ 5734 */
5556 if (t + 1 < insn_cnt) 5735 if (t + 1 < insn_cnt)
5557 env->explored_states[t + 1] = STATE_LIST_MARK; 5736 init_explored_state(env, t + 1);
5558 } else { 5737 } else {
5559 /* conditional jump with two edges */ 5738 /* conditional jump with two edges */
5560 env->explored_states[t] = STATE_LIST_MARK; 5739 init_explored_state(env, t);
5561 ret = push_insn(t, t + 1, FALLTHROUGH, env); 5740 ret = push_insn(t, t + 1, FALLTHROUGH, env);
5562 if (ret == 1) 5741 if (ret == 1)
5563 goto peek_stack; 5742 goto peek_stack;
@@ -6005,12 +6184,10 @@ static void clean_live_states(struct bpf_verifier_env *env, int insn,
6005 struct bpf_verifier_state_list *sl; 6184 struct bpf_verifier_state_list *sl;
6006 int i; 6185 int i;
6007 6186
6008 sl = env->explored_states[insn]; 6187 sl = *explored_state(env, insn);
6009 if (!sl) 6188 while (sl) {
6010 return; 6189 if (sl->state.insn_idx != insn ||
6011 6190 sl->state.curframe != cur->curframe)
6012 while (sl != STATE_LIST_MARK) {
6013 if (sl->state.curframe != cur->curframe)
6014 goto next; 6191 goto next;
6015 for (i = 0; i <= cur->curframe; i++) 6192 for (i = 0; i <= cur->curframe; i++)
6016 if (sl->state.frame[i]->callsite != cur->frame[i]->callsite) 6193 if (sl->state.frame[i]->callsite != cur->frame[i]->callsite)
@@ -6292,20 +6469,33 @@ static bool states_equal(struct bpf_verifier_env *env,
6292 return true; 6469 return true;
6293} 6470}
6294 6471
6472/* Return 0 if no propagation happened. Return negative error code if error
6473 * happened. Otherwise, return the propagated bit.
6474 */
6295static int propagate_liveness_reg(struct bpf_verifier_env *env, 6475static int propagate_liveness_reg(struct bpf_verifier_env *env,
6296 struct bpf_reg_state *reg, 6476 struct bpf_reg_state *reg,
6297 struct bpf_reg_state *parent_reg) 6477 struct bpf_reg_state *parent_reg)
6298{ 6478{
6479 u8 parent_flag = parent_reg->live & REG_LIVE_READ;
6480 u8 flag = reg->live & REG_LIVE_READ;
6299 int err; 6481 int err;
6300 6482
6301 if (parent_reg->live & REG_LIVE_READ || !(reg->live & REG_LIVE_READ)) 6483 /* When comes here, read flags of PARENT_REG or REG could be any of
6484 * REG_LIVE_READ64, REG_LIVE_READ32, REG_LIVE_NONE. There is no need
6485 * of propagation if PARENT_REG has strongest REG_LIVE_READ64.
6486 */
6487 if (parent_flag == REG_LIVE_READ64 ||
6488 /* Or if there is no read flag from REG. */
6489 !flag ||
6490 /* Or if the read flag from REG is the same as PARENT_REG. */
6491 parent_flag == flag)
6302 return 0; 6492 return 0;
6303 6493
6304 err = mark_reg_read(env, reg, parent_reg); 6494 err = mark_reg_read(env, reg, parent_reg, flag);
6305 if (err) 6495 if (err)
6306 return err; 6496 return err;
6307 6497
6308 return 0; 6498 return flag;
6309} 6499}
6310 6500
6311/* A write screens off any subsequent reads; but write marks come from the 6501/* A write screens off any subsequent reads; but write marks come from the
@@ -6339,8 +6529,10 @@ static int propagate_liveness(struct bpf_verifier_env *env,
6339 for (i = frame < vstate->curframe ? BPF_REG_6 : 0; i < BPF_REG_FP; i++) { 6529 for (i = frame < vstate->curframe ? BPF_REG_6 : 0; i < BPF_REG_FP; i++) {
6340 err = propagate_liveness_reg(env, &state_reg[i], 6530 err = propagate_liveness_reg(env, &state_reg[i],
6341 &parent_reg[i]); 6531 &parent_reg[i]);
6342 if (err) 6532 if (err < 0)
6343 return err; 6533 return err;
6534 if (err == REG_LIVE_READ64)
6535 mark_insn_zext(env, &parent_reg[i]);
6344 } 6536 }
6345 6537
6346 /* Propagate stack slots. */ 6538 /* Propagate stack slots. */
@@ -6350,11 +6542,11 @@ static int propagate_liveness(struct bpf_verifier_env *env,
6350 state_reg = &state->stack[i].spilled_ptr; 6542 state_reg = &state->stack[i].spilled_ptr;
6351 err = propagate_liveness_reg(env, state_reg, 6543 err = propagate_liveness_reg(env, state_reg,
6352 parent_reg); 6544 parent_reg);
6353 if (err) 6545 if (err < 0)
6354 return err; 6546 return err;
6355 } 6547 }
6356 } 6548 }
6357 return err; 6549 return 0;
6358} 6550}
6359 6551
6360static int is_state_visited(struct bpf_verifier_env *env, int insn_idx) 6552static int is_state_visited(struct bpf_verifier_env *env, int insn_idx)
@@ -6364,18 +6556,21 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx)
6364 struct bpf_verifier_state *cur = env->cur_state, *new; 6556 struct bpf_verifier_state *cur = env->cur_state, *new;
6365 int i, j, err, states_cnt = 0; 6557 int i, j, err, states_cnt = 0;
6366 6558
6367 pprev = &env->explored_states[insn_idx]; 6559 if (!env->insn_aux_data[insn_idx].prune_point)
6368 sl = *pprev;
6369
6370 if (!sl)
6371 /* this 'insn_idx' instruction wasn't marked, so we will not 6560 /* this 'insn_idx' instruction wasn't marked, so we will not
6372 * be doing state search here 6561 * be doing state search here
6373 */ 6562 */
6374 return 0; 6563 return 0;
6375 6564
6565 pprev = explored_state(env, insn_idx);
6566 sl = *pprev;
6567
6376 clean_live_states(env, insn_idx, cur); 6568 clean_live_states(env, insn_idx, cur);
6377 6569
6378 while (sl != STATE_LIST_MARK) { 6570 while (sl) {
6571 states_cnt++;
6572 if (sl->state.insn_idx != insn_idx)
6573 goto next;
6379 if (states_equal(env, &sl->state, cur)) { 6574 if (states_equal(env, &sl->state, cur)) {
6380 sl->hit_cnt++; 6575 sl->hit_cnt++;
6381 /* reached equivalent register/stack state, 6576 /* reached equivalent register/stack state,
@@ -6393,7 +6588,6 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx)
6393 return err; 6588 return err;
6394 return 1; 6589 return 1;
6395 } 6590 }
6396 states_cnt++;
6397 sl->miss_cnt++; 6591 sl->miss_cnt++;
6398 /* heuristic to determine whether this state is beneficial 6592 /* heuristic to determine whether this state is beneficial
6399 * to keep checking from state equivalence point of view. 6593 * to keep checking from state equivalence point of view.
@@ -6420,6 +6614,7 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx)
6420 sl = *pprev; 6614 sl = *pprev;
6421 continue; 6615 continue;
6422 } 6616 }
6617next:
6423 pprev = &sl->next; 6618 pprev = &sl->next;
6424 sl = *pprev; 6619 sl = *pprev;
6425 } 6620 }
@@ -6451,8 +6646,9 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx)
6451 kfree(new_sl); 6646 kfree(new_sl);
6452 return err; 6647 return err;
6453 } 6648 }
6454 new_sl->next = env->explored_states[insn_idx]; 6649 new->insn_idx = insn_idx;
6455 env->explored_states[insn_idx] = new_sl; 6650 new_sl->next = *explored_state(env, insn_idx);
6651 *explored_state(env, insn_idx) = new_sl;
6456 /* connect new state to parentage chain. Current frame needs all 6652 /* connect new state to parentage chain. Current frame needs all
6457 * registers connected. Only r6 - r9 of the callers are alive (pushed 6653 * registers connected. Only r6 - r9 of the callers are alive (pushed
6458 * to the stack implicitly by JITs) so in callers' frames connect just 6654 * to the stack implicitly by JITs) so in callers' frames connect just
@@ -7130,14 +7326,23 @@ static void convert_pseudo_ld_imm64(struct bpf_verifier_env *env)
7130 * insni[off, off + cnt). Adjust corresponding insn_aux_data by copying 7326 * insni[off, off + cnt). Adjust corresponding insn_aux_data by copying
7131 * [0, off) and [off, end) to new locations, so the patched range stays zero 7327 * [0, off) and [off, end) to new locations, so the patched range stays zero
7132 */ 7328 */
7133static int adjust_insn_aux_data(struct bpf_verifier_env *env, u32 prog_len, 7329static int adjust_insn_aux_data(struct bpf_verifier_env *env,
7134 u32 off, u32 cnt) 7330 struct bpf_prog *new_prog, u32 off, u32 cnt)
7135{ 7331{
7136 struct bpf_insn_aux_data *new_data, *old_data = env->insn_aux_data; 7332 struct bpf_insn_aux_data *new_data, *old_data = env->insn_aux_data;
7333 struct bpf_insn *insn = new_prog->insnsi;
7334 u32 prog_len;
7137 int i; 7335 int i;
7138 7336
7337 /* aux info at OFF always needs adjustment, no matter fast path
7338 * (cnt == 1) is taken or not. There is no guarantee INSN at OFF is the
7339 * original insn at old prog.
7340 */
7341 old_data[off].zext_dst = insn_has_def32(env, insn + off + cnt - 1);
7342
7139 if (cnt == 1) 7343 if (cnt == 1)
7140 return 0; 7344 return 0;
7345 prog_len = new_prog->len;
7141 new_data = vzalloc(array_size(prog_len, 7346 new_data = vzalloc(array_size(prog_len,
7142 sizeof(struct bpf_insn_aux_data))); 7347 sizeof(struct bpf_insn_aux_data)));
7143 if (!new_data) 7348 if (!new_data)
@@ -7145,8 +7350,10 @@ static int adjust_insn_aux_data(struct bpf_verifier_env *env, u32 prog_len,
7145 memcpy(new_data, old_data, sizeof(struct bpf_insn_aux_data) * off); 7350 memcpy(new_data, old_data, sizeof(struct bpf_insn_aux_data) * off);
7146 memcpy(new_data + off + cnt - 1, old_data + off, 7351 memcpy(new_data + off + cnt - 1, old_data + off,
7147 sizeof(struct bpf_insn_aux_data) * (prog_len - off - cnt + 1)); 7352 sizeof(struct bpf_insn_aux_data) * (prog_len - off - cnt + 1));
7148 for (i = off; i < off + cnt - 1; i++) 7353 for (i = off; i < off + cnt - 1; i++) {
7149 new_data[i].seen = true; 7354 new_data[i].seen = true;
7355 new_data[i].zext_dst = insn_has_def32(env, insn + i);
7356 }
7150 env->insn_aux_data = new_data; 7357 env->insn_aux_data = new_data;
7151 vfree(old_data); 7358 vfree(old_data);
7152 return 0; 7359 return 0;
@@ -7179,7 +7386,7 @@ static struct bpf_prog *bpf_patch_insn_data(struct bpf_verifier_env *env, u32 of
7179 env->insn_aux_data[off].orig_idx); 7386 env->insn_aux_data[off].orig_idx);
7180 return NULL; 7387 return NULL;
7181 } 7388 }
7182 if (adjust_insn_aux_data(env, new_prog->len, off, len)) 7389 if (adjust_insn_aux_data(env, new_prog, off, len))
7183 return NULL; 7390 return NULL;
7184 adjust_subprog_starts(env, off, len); 7391 adjust_subprog_starts(env, off, len);
7185 return new_prog; 7392 return new_prog;
@@ -7443,6 +7650,84 @@ static int opt_remove_nops(struct bpf_verifier_env *env)
7443 return 0; 7650 return 0;
7444} 7651}
7445 7652
7653static int opt_subreg_zext_lo32_rnd_hi32(struct bpf_verifier_env *env,
7654 const union bpf_attr *attr)
7655{
7656 struct bpf_insn *patch, zext_patch[2], rnd_hi32_patch[4];
7657 struct bpf_insn_aux_data *aux = env->insn_aux_data;
7658 int i, patch_len, delta = 0, len = env->prog->len;
7659 struct bpf_insn *insns = env->prog->insnsi;
7660 struct bpf_prog *new_prog;
7661 bool rnd_hi32;
7662
7663 rnd_hi32 = attr->prog_flags & BPF_F_TEST_RND_HI32;
7664 zext_patch[1] = BPF_ZEXT_REG(0);
7665 rnd_hi32_patch[1] = BPF_ALU64_IMM(BPF_MOV, BPF_REG_AX, 0);
7666 rnd_hi32_patch[2] = BPF_ALU64_IMM(BPF_LSH, BPF_REG_AX, 32);
7667 rnd_hi32_patch[3] = BPF_ALU64_REG(BPF_OR, 0, BPF_REG_AX);
7668 for (i = 0; i < len; i++) {
7669 int adj_idx = i + delta;
7670 struct bpf_insn insn;
7671
7672 insn = insns[adj_idx];
7673 if (!aux[adj_idx].zext_dst) {
7674 u8 code, class;
7675 u32 imm_rnd;
7676
7677 if (!rnd_hi32)
7678 continue;
7679
7680 code = insn.code;
7681 class = BPF_CLASS(code);
7682 if (insn_no_def(&insn))
7683 continue;
7684
7685 /* NOTE: arg "reg" (the fourth one) is only used for
7686 * BPF_STX which has been ruled out in above
7687 * check, it is safe to pass NULL here.
7688 */
7689 if (is_reg64(env, &insn, insn.dst_reg, NULL, DST_OP)) {
7690 if (class == BPF_LD &&
7691 BPF_MODE(code) == BPF_IMM)
7692 i++;
7693 continue;
7694 }
7695
7696 /* ctx load could be transformed into wider load. */
7697 if (class == BPF_LDX &&
7698 aux[adj_idx].ptr_type == PTR_TO_CTX)
7699 continue;
7700
7701 imm_rnd = get_random_int();
7702 rnd_hi32_patch[0] = insn;
7703 rnd_hi32_patch[1].imm = imm_rnd;
7704 rnd_hi32_patch[3].dst_reg = insn.dst_reg;
7705 patch = rnd_hi32_patch;
7706 patch_len = 4;
7707 goto apply_patch_buffer;
7708 }
7709
7710 if (!bpf_jit_needs_zext())
7711 continue;
7712
7713 zext_patch[0] = insn;
7714 zext_patch[1].dst_reg = insn.dst_reg;
7715 zext_patch[1].src_reg = insn.dst_reg;
7716 patch = zext_patch;
7717 patch_len = 2;
7718apply_patch_buffer:
7719 new_prog = bpf_patch_insn_data(env, adj_idx, patch, patch_len);
7720 if (!new_prog)
7721 return -ENOMEM;
7722 env->prog = new_prog;
7723 insns = new_prog->insnsi;
7724 aux = env->insn_aux_data;
7725 delta += patch_len - 1;
7726 }
7727
7728 return 0;
7729}
7730
7446/* convert load instructions that access fields of a context type into a 7731/* convert load instructions that access fields of a context type into a
7447 * sequence of instructions that access fields of the underlying structure: 7732 * sequence of instructions that access fields of the underlying structure:
7448 * struct __sk_buff -> struct sk_buff 7733 * struct __sk_buff -> struct sk_buff
@@ -8130,16 +8415,15 @@ static void free_states(struct bpf_verifier_env *env)
8130 if (!env->explored_states) 8415 if (!env->explored_states)
8131 return; 8416 return;
8132 8417
8133 for (i = 0; i < env->prog->len; i++) { 8418 for (i = 0; i < state_htab_size(env); i++) {
8134 sl = env->explored_states[i]; 8419 sl = env->explored_states[i];
8135 8420
8136 if (sl) 8421 while (sl) {
8137 while (sl != STATE_LIST_MARK) { 8422 sln = sl->next;
8138 sln = sl->next; 8423 free_verifier_state(&sl->state, false);
8139 free_verifier_state(&sl->state, false); 8424 kfree(sl);
8140 kfree(sl); 8425 sl = sln;
8141 sl = sln; 8426 }
8142 }
8143 } 8427 }
8144 8428
8145 kvfree(env->explored_states); 8429 kvfree(env->explored_states);
@@ -8239,7 +8523,7 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr *attr,
8239 goto skip_full_check; 8523 goto skip_full_check;
8240 } 8524 }
8241 8525
8242 env->explored_states = kvcalloc(env->prog->len, 8526 env->explored_states = kvcalloc(state_htab_size(env),
8243 sizeof(struct bpf_verifier_state_list *), 8527 sizeof(struct bpf_verifier_state_list *),
8244 GFP_USER); 8528 GFP_USER);
8245 ret = -ENOMEM; 8529 ret = -ENOMEM;
@@ -8294,6 +8578,15 @@ skip_full_check:
8294 if (ret == 0) 8578 if (ret == 0)
8295 ret = fixup_bpf_calls(env); 8579 ret = fixup_bpf_calls(env);
8296 8580
8581 /* do 32-bit optimization after insn patching has done so those patched
8582 * insns could be handled correctly.
8583 */
8584 if (ret == 0 && !bpf_prog_is_dev_bound(env->prog->aux)) {
8585 ret = opt_subreg_zext_lo32_rnd_hi32(env, attr);
8586 env->prog->aux->verifier_zext = bpf_jit_needs_zext() ? !ret
8587 : false;
8588 }
8589
8297 if (ret == 0) 8590 if (ret == 0)
8298 ret = fixup_call_args(env); 8591 ret = fixup_call_args(env);
8299 8592
generated by cgit v1.2.2 (git 2.25.0) at 2025-09-02 23:02:26 -0400