aboutsummaryrefslogtreecommitdiffstats
path: root/kernel/bpf/verifier.c
diff options
context:
space:
mode:
Diffstat (limited to 'kernel/bpf/verifier.c')
-rw-r--r--kernel/bpf/verifier.c491
1 files changed, 480 insertions, 11 deletions
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 870c8f19ce80..709ce4cef8ba 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -455,12 +455,12 @@ static void print_verifier_state(struct bpf_verifier_env *env,
455 verbose(env, " R%d", i); 455 verbose(env, " R%d", i);
456 print_liveness(env, reg->live); 456 print_liveness(env, reg->live);
457 verbose(env, "=%s", reg_type_str[t]); 457 verbose(env, "=%s", reg_type_str[t]);
458 if (t == SCALAR_VALUE && reg->precise)
459 verbose(env, "P");
458 if ((t == SCALAR_VALUE || t == PTR_TO_STACK) && 460 if ((t == SCALAR_VALUE || t == PTR_TO_STACK) &&
459 tnum_is_const(reg->var_off)) { 461 tnum_is_const(reg->var_off)) {
460 /* reg->off should be 0 for SCALAR_VALUE */ 462 /* reg->off should be 0 for SCALAR_VALUE */
461 verbose(env, "%lld", reg->var_off.value + reg->off); 463 verbose(env, "%lld", reg->var_off.value + reg->off);
462 if (t == PTR_TO_STACK)
463 verbose(env, ",call_%d", func(env, reg)->callsite);
464 } else { 464 } else {
465 verbose(env, "(id=%d", reg->id); 465 verbose(env, "(id=%d", reg->id);
466 if (reg_type_may_be_refcounted_or_null(t)) 466 if (reg_type_may_be_refcounted_or_null(t))
@@ -522,11 +522,17 @@ static void print_verifier_state(struct bpf_verifier_env *env,
522 continue; 522 continue;
523 verbose(env, " fp%d", (-i - 1) * BPF_REG_SIZE); 523 verbose(env, " fp%d", (-i - 1) * BPF_REG_SIZE);
524 print_liveness(env, state->stack[i].spilled_ptr.live); 524 print_liveness(env, state->stack[i].spilled_ptr.live);
525 if (state->stack[i].slot_type[0] == STACK_SPILL) 525 if (state->stack[i].slot_type[0] == STACK_SPILL) {
526 verbose(env, "=%s", 526 reg = &state->stack[i].spilled_ptr;
527 reg_type_str[state->stack[i].spilled_ptr.type]); 527 t = reg->type;
528 else 528 verbose(env, "=%s", reg_type_str[t]);
529 if (t == SCALAR_VALUE && reg->precise)
530 verbose(env, "P");
531 if (t == SCALAR_VALUE && tnum_is_const(reg->var_off))
532 verbose(env, "%lld", reg->var_off.value + reg->off);
533 } else {
529 verbose(env, "=%s", types_buf); 534 verbose(env, "=%s", types_buf);
535 }
530 } 536 }
531 if (state->acquired_refs && state->refs[0].id) { 537 if (state->acquired_refs && state->refs[0].id) {
532 verbose(env, " refs=%d", state->refs[0].id); 538 verbose(env, " refs=%d", state->refs[0].id);
@@ -675,6 +681,13 @@ static void free_func_state(struct bpf_func_state *state)
675 kfree(state); 681 kfree(state);
676} 682}
677 683
684static void clear_jmp_history(struct bpf_verifier_state *state)
685{
686 kfree(state->jmp_history);
687 state->jmp_history = NULL;
688 state->jmp_history_cnt = 0;
689}
690
678static void free_verifier_state(struct bpf_verifier_state *state, 691static void free_verifier_state(struct bpf_verifier_state *state,
679 bool free_self) 692 bool free_self)
680{ 693{
@@ -684,6 +697,7 @@ static void free_verifier_state(struct bpf_verifier_state *state,
684 free_func_state(state->frame[i]); 697 free_func_state(state->frame[i]);
685 state->frame[i] = NULL; 698 state->frame[i] = NULL;
686 } 699 }
700 clear_jmp_history(state);
687 if (free_self) 701 if (free_self)
688 kfree(state); 702 kfree(state);
689} 703}
@@ -711,8 +725,18 @@ static int copy_verifier_state(struct bpf_verifier_state *dst_state,
711 const struct bpf_verifier_state *src) 725 const struct bpf_verifier_state *src)
712{ 726{
713 struct bpf_func_state *dst; 727 struct bpf_func_state *dst;
728 u32 jmp_sz = sizeof(struct bpf_idx_pair) * src->jmp_history_cnt;
714 int i, err; 729 int i, err;
715 730
731 if (dst_state->jmp_history_cnt < src->jmp_history_cnt) {
732 kfree(dst_state->jmp_history);
733 dst_state->jmp_history = kmalloc(jmp_sz, GFP_USER);
734 if (!dst_state->jmp_history)
735 return -ENOMEM;
736 }
737 memcpy(dst_state->jmp_history, src->jmp_history, jmp_sz);
738 dst_state->jmp_history_cnt = src->jmp_history_cnt;
739
716 /* if dst has more stack frames then src frame, free them */ 740 /* if dst has more stack frames then src frame, free them */
717 for (i = src->curframe + 1; i <= dst_state->curframe; i++) { 741 for (i = src->curframe + 1; i <= dst_state->curframe; i++) {
718 free_func_state(dst_state->frame[i]); 742 free_func_state(dst_state->frame[i]);
@@ -723,6 +747,8 @@ static int copy_verifier_state(struct bpf_verifier_state *dst_state,
723 dst_state->active_spin_lock = src->active_spin_lock; 747 dst_state->active_spin_lock = src->active_spin_lock;
724 dst_state->branches = src->branches; 748 dst_state->branches = src->branches;
725 dst_state->parent = src->parent; 749 dst_state->parent = src->parent;
750 dst_state->first_insn_idx = src->first_insn_idx;
751 dst_state->last_insn_idx = src->last_insn_idx;
726 for (i = 0; i <= src->curframe; i++) { 752 for (i = 0; i <= src->curframe; i++) {
727 dst = dst_state->frame[i]; 753 dst = dst_state->frame[i];
728 if (!dst) { 754 if (!dst) {
@@ -967,6 +993,9 @@ static void __mark_reg_unbounded(struct bpf_reg_state *reg)
967 reg->smax_value = S64_MAX; 993 reg->smax_value = S64_MAX;
968 reg->umin_value = 0; 994 reg->umin_value = 0;
969 reg->umax_value = U64_MAX; 995 reg->umax_value = U64_MAX;
996
997 /* constant backtracking is enabled for root only for now */
998 reg->precise = capable(CAP_SYS_ADMIN) ? false : true;
970} 999}
971 1000
972/* Mark a register as having a completely unknown (scalar) value. */ 1001/* Mark a register as having a completely unknown (scalar) value. */
@@ -1378,6 +1407,389 @@ static int check_reg_arg(struct bpf_verifier_env *env, u32 regno,
1378 return 0; 1407 return 0;
1379} 1408}
1380 1409
1410/* for any branch, call, exit record the history of jmps in the given state */
1411static int push_jmp_history(struct bpf_verifier_env *env,
1412 struct bpf_verifier_state *cur)
1413{
1414 u32 cnt = cur->jmp_history_cnt;
1415 struct bpf_idx_pair *p;
1416
1417 cnt++;
1418 p = krealloc(cur->jmp_history, cnt * sizeof(*p), GFP_USER);
1419 if (!p)
1420 return -ENOMEM;
1421 p[cnt - 1].idx = env->insn_idx;
1422 p[cnt - 1].prev_idx = env->prev_insn_idx;
1423 cur->jmp_history = p;
1424 cur->jmp_history_cnt = cnt;
1425 return 0;
1426}
1427
1428/* Backtrack one insn at a time. If idx is not at the top of recorded
1429 * history then previous instruction came from straight line execution.
1430 */
1431static int get_prev_insn_idx(struct bpf_verifier_state *st, int i,
1432 u32 *history)
1433{
1434 u32 cnt = *history;
1435
1436 if (cnt && st->jmp_history[cnt - 1].idx == i) {
1437 i = st->jmp_history[cnt - 1].prev_idx;
1438 (*history)--;
1439 } else {
1440 i--;
1441 }
1442 return i;
1443}
1444
1445/* For given verifier state backtrack_insn() is called from the last insn to
1446 * the first insn. Its purpose is to compute a bitmask of registers and
1447 * stack slots that needs precision in the parent verifier state.
1448 */
1449static int backtrack_insn(struct bpf_verifier_env *env, int idx,
1450 u32 *reg_mask, u64 *stack_mask)
1451{
1452 const struct bpf_insn_cbs cbs = {
1453 .cb_print = verbose,
1454 .private_data = env,
1455 };
1456 struct bpf_insn *insn = env->prog->insnsi + idx;
1457 u8 class = BPF_CLASS(insn->code);
1458 u8 opcode = BPF_OP(insn->code);
1459 u8 mode = BPF_MODE(insn->code);
1460 u32 dreg = 1u << insn->dst_reg;
1461 u32 sreg = 1u << insn->src_reg;
1462 u32 spi;
1463
1464 if (insn->code == 0)
1465 return 0;
1466 if (env->log.level & BPF_LOG_LEVEL) {
1467 verbose(env, "regs=%x stack=%llx before ", *reg_mask, *stack_mask);
1468 verbose(env, "%d: ", idx);
1469 print_bpf_insn(&cbs, insn, env->allow_ptr_leaks);
1470 }
1471
1472 if (class == BPF_ALU || class == BPF_ALU64) {
1473 if (!(*reg_mask & dreg))
1474 return 0;
1475 if (opcode == BPF_MOV) {
1476 if (BPF_SRC(insn->code) == BPF_X) {
1477 /* dreg = sreg
1478 * dreg needs precision after this insn
1479 * sreg needs precision before this insn
1480 */
1481 *reg_mask &= ~dreg;
1482 *reg_mask |= sreg;
1483 } else {
1484 /* dreg = K
1485 * dreg needs precision after this insn.
1486 * Corresponding register is already marked
1487 * as precise=true in this verifier state.
1488 * No further markings in parent are necessary
1489 */
1490 *reg_mask &= ~dreg;
1491 }
1492 } else {
1493 if (BPF_SRC(insn->code) == BPF_X) {
1494 /* dreg += sreg
1495 * both dreg and sreg need precision
1496 * before this insn
1497 */
1498 *reg_mask |= sreg;
1499 } /* else dreg += K
1500 * dreg still needs precision before this insn
1501 */
1502 }
1503 } else if (class == BPF_LDX) {
1504 if (!(*reg_mask & dreg))
1505 return 0;
1506 *reg_mask &= ~dreg;
1507
1508 /* scalars can only be spilled into stack w/o losing precision.
1509 * Load from any other memory can be zero extended.
1510 * The desire to keep that precision is already indicated
1511 * by 'precise' mark in corresponding register of this state.
1512 * No further tracking necessary.
1513 */
1514 if (insn->src_reg != BPF_REG_FP)
1515 return 0;
1516 if (BPF_SIZE(insn->code) != BPF_DW)
1517 return 0;
1518
1519 /* dreg = *(u64 *)[fp - off] was a fill from the stack.
1520 * that [fp - off] slot contains scalar that needs to be
1521 * tracked with precision
1522 */
1523 spi = (-insn->off - 1) / BPF_REG_SIZE;
1524 if (spi >= 64) {
1525 verbose(env, "BUG spi %d\n", spi);
1526 WARN_ONCE(1, "verifier backtracking bug");
1527 return -EFAULT;
1528 }
1529 *stack_mask |= 1ull << spi;
1530 } else if (class == BPF_STX) {
1531 if (*reg_mask & dreg)
1532 /* stx shouldn't be using _scalar_ dst_reg
1533 * to access memory. It means backtracking
1534 * encountered a case of pointer subtraction.
1535 */
1536 return -ENOTSUPP;
1537 /* scalars can only be spilled into stack */
1538 if (insn->dst_reg != BPF_REG_FP)
1539 return 0;
1540 if (BPF_SIZE(insn->code) != BPF_DW)
1541 return 0;
1542 spi = (-insn->off - 1) / BPF_REG_SIZE;
1543 if (spi >= 64) {
1544 verbose(env, "BUG spi %d\n", spi);
1545 WARN_ONCE(1, "verifier backtracking bug");
1546 return -EFAULT;
1547 }
1548 if (!(*stack_mask & (1ull << spi)))
1549 return 0;
1550 *stack_mask &= ~(1ull << spi);
1551 *reg_mask |= sreg;
1552 } else if (class == BPF_JMP || class == BPF_JMP32) {
1553 if (opcode == BPF_CALL) {
1554 if (insn->src_reg == BPF_PSEUDO_CALL)
1555 return -ENOTSUPP;
1556 /* regular helper call sets R0 */
1557 *reg_mask &= ~1;
1558 if (*reg_mask & 0x3f) {
1559 /* if backtracing was looking for registers R1-R5
1560 * they should have been found already.
1561 */
1562 verbose(env, "BUG regs %x\n", *reg_mask);
1563 WARN_ONCE(1, "verifier backtracking bug");
1564 return -EFAULT;
1565 }
1566 } else if (opcode == BPF_EXIT) {
1567 return -ENOTSUPP;
1568 }
1569 } else if (class == BPF_LD) {
1570 if (!(*reg_mask & dreg))
1571 return 0;
1572 *reg_mask &= ~dreg;
1573 /* It's ld_imm64 or ld_abs or ld_ind.
1574 * For ld_imm64 no further tracking of precision
1575 * into parent is necessary
1576 */
1577 if (mode == BPF_IND || mode == BPF_ABS)
1578 /* to be analyzed */
1579 return -ENOTSUPP;
1580 } else if (class == BPF_ST) {
1581 if (*reg_mask & dreg)
1582 /* likely pointer subtraction */
1583 return -ENOTSUPP;
1584 }
1585 return 0;
1586}
1587
1588/* the scalar precision tracking algorithm:
1589 * . at the start all registers have precise=false.
1590 * . scalar ranges are tracked as normal through alu and jmp insns.
1591 * . once precise value of the scalar register is used in:
1592 * . ptr + scalar alu
1593 * . if (scalar cond K|scalar)
1594 * . helper_call(.., scalar, ...) where ARG_CONST is expected
1595 * backtrack through the verifier states and mark all registers and
1596 * stack slots with spilled constants that these scalar regisers
1597 * should be precise.
1598 * . during state pruning two registers (or spilled stack slots)
1599 * are equivalent if both are not precise.
1600 *
1601 * Note the verifier cannot simply walk register parentage chain,
1602 * since many different registers and stack slots could have been
1603 * used to compute single precise scalar.
1604 *
1605 * The approach of starting with precise=true for all registers and then
1606 * backtrack to mark a register as not precise when the verifier detects
1607 * that program doesn't care about specific value (e.g., when helper
1608 * takes register as ARG_ANYTHING parameter) is not safe.
1609 *
1610 * It's ok to walk single parentage chain of the verifier states.
1611 * It's possible that this backtracking will go all the way till 1st insn.
1612 * All other branches will be explored for needing precision later.
1613 *
1614 * The backtracking needs to deal with cases like:
1615 * R8=map_value(id=0,off=0,ks=4,vs=1952,imm=0) R9_w=map_value(id=0,off=40,ks=4,vs=1952,imm=0)
1616 * r9 -= r8
1617 * r5 = r9
1618 * if r5 > 0x79f goto pc+7
1619 * R5_w=inv(id=0,umax_value=1951,var_off=(0x0; 0x7ff))
1620 * r5 += 1
1621 * ...
1622 * call bpf_perf_event_output#25
1623 * where .arg5_type = ARG_CONST_SIZE_OR_ZERO
1624 *
1625 * and this case:
1626 * r6 = 1
1627 * call foo // uses callee's r6 inside to compute r0
1628 * r0 += r6
1629 * if r0 == 0 goto
1630 *
1631 * to track above reg_mask/stack_mask needs to be independent for each frame.
1632 *
1633 * Also if parent's curframe > frame where backtracking started,
1634 * the verifier need to mark registers in both frames, otherwise callees
1635 * may incorrectly prune callers. This is similar to
1636 * commit 7640ead93924 ("bpf: verifier: make sure callees don't prune with caller differences")
1637 *
1638 * For now backtracking falls back into conservative marking.
1639 */
1640static void mark_all_scalars_precise(struct bpf_verifier_env *env,
1641 struct bpf_verifier_state *st)
1642{
1643 struct bpf_func_state *func;
1644 struct bpf_reg_state *reg;
1645 int i, j;
1646
1647 /* big hammer: mark all scalars precise in this path.
1648 * pop_stack may still get !precise scalars.
1649 */
1650 for (; st; st = st->parent)
1651 for (i = 0; i <= st->curframe; i++) {
1652 func = st->frame[i];
1653 for (j = 0; j < BPF_REG_FP; j++) {
1654 reg = &func->regs[j];
1655 if (reg->type != SCALAR_VALUE)
1656 continue;
1657 reg->precise = true;
1658 }
1659 for (j = 0; j < func->allocated_stack / BPF_REG_SIZE; j++) {
1660 if (func->stack[j].slot_type[0] != STACK_SPILL)
1661 continue;
1662 reg = &func->stack[j].spilled_ptr;
1663 if (reg->type != SCALAR_VALUE)
1664 continue;
1665 reg->precise = true;
1666 }
1667 }
1668}
1669
1670static int mark_chain_precision(struct bpf_verifier_env *env, int regno)
1671{
1672 struct bpf_verifier_state *st = env->cur_state;
1673 int first_idx = st->first_insn_idx;
1674 int last_idx = env->insn_idx;
1675 struct bpf_func_state *func;
1676 struct bpf_reg_state *reg;
1677 u32 reg_mask = 1u << regno;
1678 u64 stack_mask = 0;
1679 bool skip_first = true;
1680 int i, err;
1681
1682 if (!env->allow_ptr_leaks)
1683 /* backtracking is root only for now */
1684 return 0;
1685
1686 func = st->frame[st->curframe];
1687 reg = &func->regs[regno];
1688 if (reg->type != SCALAR_VALUE) {
1689 WARN_ONCE(1, "backtracing misuse");
1690 return -EFAULT;
1691 }
1692 if (reg->precise)
1693 return 0;
1694 func->regs[regno].precise = true;
1695
1696 for (;;) {
1697 DECLARE_BITMAP(mask, 64);
1698 bool new_marks = false;
1699 u32 history = st->jmp_history_cnt;
1700
1701 if (env->log.level & BPF_LOG_LEVEL)
1702 verbose(env, "last_idx %d first_idx %d\n", last_idx, first_idx);
1703 for (i = last_idx;;) {
1704 if (skip_first) {
1705 err = 0;
1706 skip_first = false;
1707 } else {
1708 err = backtrack_insn(env, i, &reg_mask, &stack_mask);
1709 }
1710 if (err == -ENOTSUPP) {
1711 mark_all_scalars_precise(env, st);
1712 return 0;
1713 } else if (err) {
1714 return err;
1715 }
1716 if (!reg_mask && !stack_mask)
1717 /* Found assignment(s) into tracked register in this state.
1718 * Since this state is already marked, just return.
1719 * Nothing to be tracked further in the parent state.
1720 */
1721 return 0;
1722 if (i == first_idx)
1723 break;
1724 i = get_prev_insn_idx(st, i, &history);
1725 if (i >= env->prog->len) {
1726 /* This can happen if backtracking reached insn 0
1727 * and there are still reg_mask or stack_mask
1728 * to backtrack.
1729 * It means the backtracking missed the spot where
1730 * particular register was initialized with a constant.
1731 */
1732 verbose(env, "BUG backtracking idx %d\n", i);
1733 WARN_ONCE(1, "verifier backtracking bug");
1734 return -EFAULT;
1735 }
1736 }
1737 st = st->parent;
1738 if (!st)
1739 break;
1740
1741 func = st->frame[st->curframe];
1742 bitmap_from_u64(mask, reg_mask);
1743 for_each_set_bit(i, mask, 32) {
1744 reg = &func->regs[i];
1745 if (reg->type != SCALAR_VALUE)
1746 continue;
1747 if (!reg->precise)
1748 new_marks = true;
1749 reg->precise = true;
1750 }
1751
1752 bitmap_from_u64(mask, stack_mask);
1753 for_each_set_bit(i, mask, 64) {
1754 if (i >= func->allocated_stack / BPF_REG_SIZE) {
1755 /* This can happen if backtracking
1756 * is propagating stack precision where
1757 * caller has larger stack frame
1758 * than callee, but backtrack_insn() should
1759 * have returned -ENOTSUPP.
1760 */
1761 verbose(env, "BUG spi %d stack_size %d\n",
1762 i, func->allocated_stack);
1763 WARN_ONCE(1, "verifier backtracking bug");
1764 return -EFAULT;
1765 }
1766
1767 if (func->stack[i].slot_type[0] != STACK_SPILL)
1768 continue;
1769 reg = &func->stack[i].spilled_ptr;
1770 if (reg->type != SCALAR_VALUE)
1771 continue;
1772 if (!reg->precise)
1773 new_marks = true;
1774 reg->precise = true;
1775 }
1776 if (env->log.level & BPF_LOG_LEVEL) {
1777 print_verifier_state(env, func);
1778 verbose(env, "parent %s regs=%x stack=%llx marks\n",
1779 new_marks ? "didn't have" : "already had",
1780 reg_mask, stack_mask);
1781 }
1782
1783 if (!new_marks)
1784 break;
1785
1786 last_idx = st->last_insn_idx;
1787 first_idx = st->first_insn_idx;
1788 }
1789 return 0;
1790}
1791
1792
1381static bool is_spillable_regtype(enum bpf_reg_type type) 1793static bool is_spillable_regtype(enum bpf_reg_type type)
1382{ 1794{
1383 switch (type) { 1795 switch (type) {
@@ -1435,6 +1847,7 @@ static int check_stack_write(struct bpf_verifier_env *env,
1435{ 1847{
1436 struct bpf_func_state *cur; /* state of the current function */ 1848 struct bpf_func_state *cur; /* state of the current function */
1437 int i, slot = -off - 1, spi = slot / BPF_REG_SIZE, err; 1849 int i, slot = -off - 1, spi = slot / BPF_REG_SIZE, err;
1850 u32 dst_reg = env->prog->insnsi[insn_idx].dst_reg;
1438 struct bpf_reg_state *reg = NULL; 1851 struct bpf_reg_state *reg = NULL;
1439 1852
1440 err = realloc_func_state(state, round_up(slot + 1, BPF_REG_SIZE), 1853 err = realloc_func_state(state, round_up(slot + 1, BPF_REG_SIZE),
@@ -1457,6 +1870,17 @@ static int check_stack_write(struct bpf_verifier_env *env,
1457 1870
1458 if (reg && size == BPF_REG_SIZE && register_is_const(reg) && 1871 if (reg && size == BPF_REG_SIZE && register_is_const(reg) &&
1459 !register_is_null(reg) && env->allow_ptr_leaks) { 1872 !register_is_null(reg) && env->allow_ptr_leaks) {
1873 if (dst_reg != BPF_REG_FP) {
1874 /* The backtracking logic can only recognize explicit
1875 * stack slot address like [fp - 8]. Other spill of
1876 * scalar via different register has to be conervative.
1877 * Backtrack from here and mark all registers as precise
1878 * that contributed into 'reg' being a constant.
1879 */
1880 err = mark_chain_precision(env, value_regno);
1881 if (err)
1882 return err;
1883 }
1460 save_register_state(state, spi, reg); 1884 save_register_state(state, spi, reg);
1461 } else if (reg && is_spillable_regtype(reg->type)) { 1885 } else if (reg && is_spillable_regtype(reg->type)) {
1462 /* register containing pointer is being spilled into stack */ 1886 /* register containing pointer is being spilled into stack */
@@ -1529,8 +1953,13 @@ static int check_stack_write(struct bpf_verifier_env *env,
1529 state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN; 1953 state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN;
1530 1954
1531 /* when we zero initialize stack slots mark them as such */ 1955 /* when we zero initialize stack slots mark them as such */
1532 if (reg && register_is_null(reg)) 1956 if (reg && register_is_null(reg)) {
1957 /* backtracking doesn't work for STACK_ZERO yet. */
1958 err = mark_chain_precision(env, value_regno);
1959 if (err)
1960 return err;
1533 type = STACK_ZERO; 1961 type = STACK_ZERO;
1962 }
1534 1963
1535 /* Mark slots affected by this stack write. */ 1964 /* Mark slots affected by this stack write. */
1536 for (i = 0; i < size; i++) 1965 for (i = 0; i < size; i++)
@@ -1610,6 +2039,17 @@ static int check_stack_read(struct bpf_verifier_env *env,
1610 * so the whole register == const_zero 2039 * so the whole register == const_zero
1611 */ 2040 */
1612 __mark_reg_const_zero(&state->regs[value_regno]); 2041 __mark_reg_const_zero(&state->regs[value_regno]);
2042 /* backtracking doesn't support STACK_ZERO yet,
2043 * so mark it precise here, so that later
2044 * backtracking can stop here.
2045 * Backtracking may not need this if this register
2046 * doesn't participate in pointer adjustment.
2047 * Forward propagation of precise flag is not
2048 * necessary either. This mark is only to stop
2049 * backtracking. Any register that contributed
2050 * to const 0 was marked precise before spill.
2051 */
2052 state->regs[value_regno].precise = true;
1613 } else { 2053 } else {
1614 /* have read misc data from the stack */ 2054 /* have read misc data from the stack */
1615 mark_reg_unknown(env, state->regs, value_regno); 2055 mark_reg_unknown(env, state->regs, value_regno);
@@ -2925,6 +3365,8 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 regno,
2925 err = check_helper_mem_access(env, regno - 1, 3365 err = check_helper_mem_access(env, regno - 1,
2926 reg->umax_value, 3366 reg->umax_value,
2927 zero_size_allowed, meta); 3367 zero_size_allowed, meta);
3368 if (!err)
3369 err = mark_chain_precision(env, regno);
2928 } else if (arg_type_is_int_ptr(arg_type)) { 3370 } else if (arg_type_is_int_ptr(arg_type)) {
2929 int size = int_ptr_type_to_size(arg_type); 3371 int size = int_ptr_type_to_size(arg_type);
2930 3372
@@ -4361,6 +4803,7 @@ static int adjust_reg_min_max_vals(struct bpf_verifier_env *env,
4361 struct bpf_reg_state *regs = state->regs, *dst_reg, *src_reg; 4803 struct bpf_reg_state *regs = state->regs, *dst_reg, *src_reg;
4362 struct bpf_reg_state *ptr_reg = NULL, off_reg = {0}; 4804 struct bpf_reg_state *ptr_reg = NULL, off_reg = {0};
4363 u8 opcode = BPF_OP(insn->code); 4805 u8 opcode = BPF_OP(insn->code);
4806 int err;
4364 4807
4365 dst_reg = &regs[insn->dst_reg]; 4808 dst_reg = &regs[insn->dst_reg];
4366 src_reg = NULL; 4809 src_reg = NULL;
@@ -4387,11 +4830,17 @@ static int adjust_reg_min_max_vals(struct bpf_verifier_env *env,
4387 * This is legal, but we have to reverse our 4830 * This is legal, but we have to reverse our
4388 * src/dest handling in computing the range 4831 * src/dest handling in computing the range
4389 */ 4832 */
4833 err = mark_chain_precision(env, insn->dst_reg);
4834 if (err)
4835 return err;
4390 return adjust_ptr_min_max_vals(env, insn, 4836 return adjust_ptr_min_max_vals(env, insn,
4391 src_reg, dst_reg); 4837 src_reg, dst_reg);
4392 } 4838 }
4393 } else if (ptr_reg) { 4839 } else if (ptr_reg) {
4394 /* pointer += scalar */ 4840 /* pointer += scalar */
4841 err = mark_chain_precision(env, insn->src_reg);
4842 if (err)
4843 return err;
4395 return adjust_ptr_min_max_vals(env, insn, 4844 return adjust_ptr_min_max_vals(env, insn,
4396 dst_reg, src_reg); 4845 dst_reg, src_reg);
4397 } 4846 }
@@ -5348,6 +5797,13 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
5348 tnum_is_const(src_reg->var_off)) 5797 tnum_is_const(src_reg->var_off))
5349 pred = is_branch_taken(dst_reg, src_reg->var_off.value, 5798 pred = is_branch_taken(dst_reg, src_reg->var_off.value,
5350 opcode, is_jmp32); 5799 opcode, is_jmp32);
5800 if (pred >= 0) {
5801 err = mark_chain_precision(env, insn->dst_reg);
5802 if (BPF_SRC(insn->code) == BPF_X && !err)
5803 err = mark_chain_precision(env, insn->src_reg);
5804 if (err)
5805 return err;
5806 }
5351 if (pred == 1) { 5807 if (pred == 1) {
5352 /* only follow the goto, ignore fall-through */ 5808 /* only follow the goto, ignore fall-through */
5353 *insn_idx += insn->off; 5809 *insn_idx += insn->off;
@@ -5825,6 +6281,11 @@ peek_stack:
5825 goto peek_stack; 6281 goto peek_stack;
5826 else if (ret < 0) 6282 else if (ret < 0)
5827 goto err_free; 6283 goto err_free;
6284 /* unconditional jmp is not a good pruning point,
6285 * but it's marked, since backtracking needs
6286 * to record jmp history in is_state_visited().
6287 */
6288 init_explored_state(env, t + insns[t].off + 1);
5828 /* tell verifier to check for equivalent states 6289 /* tell verifier to check for equivalent states
5829 * after every call and jump 6290 * after every call and jump
5830 */ 6291 */
@@ -6325,6 +6786,8 @@ static bool regsafe(struct bpf_reg_state *rold, struct bpf_reg_state *rcur,
6325 switch (rold->type) { 6786 switch (rold->type) {
6326 case SCALAR_VALUE: 6787 case SCALAR_VALUE:
6327 if (rcur->type == SCALAR_VALUE) { 6788 if (rcur->type == SCALAR_VALUE) {
6789 if (!rold->precise && !rcur->precise)
6790 return true;
6328 /* new val must satisfy old val knowledge */ 6791 /* new val must satisfy old val knowledge */
6329 return range_within(rold, rcur) && 6792 return range_within(rold, rcur) &&
6330 tnum_in(rold->var_off, rcur->var_off); 6793 tnum_in(rold->var_off, rcur->var_off);
@@ -6675,6 +7138,7 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx)
6675 int i, j, err, states_cnt = 0; 7138 int i, j, err, states_cnt = 0;
6676 bool add_new_state = false; 7139 bool add_new_state = false;
6677 7140
7141 cur->last_insn_idx = env->prev_insn_idx;
6678 if (!env->insn_aux_data[insn_idx].prune_point) 7142 if (!env->insn_aux_data[insn_idx].prune_point)
6679 /* this 'insn_idx' instruction wasn't marked, so we will not 7143 /* this 'insn_idx' instruction wasn't marked, so we will not
6680 * be doing state search here 7144 * be doing state search here
@@ -6791,10 +7255,10 @@ next:
6791 env->max_states_per_insn = states_cnt; 7255 env->max_states_per_insn = states_cnt;
6792 7256
6793 if (!env->allow_ptr_leaks && states_cnt > BPF_COMPLEXITY_LIMIT_STATES) 7257 if (!env->allow_ptr_leaks && states_cnt > BPF_COMPLEXITY_LIMIT_STATES)
6794 return 0; 7258 return push_jmp_history(env, cur);
6795 7259
6796 if (!add_new_state) 7260 if (!add_new_state)
6797 return 0; 7261 return push_jmp_history(env, cur);
6798 7262
6799 /* There were no equivalent states, remember the current one. 7263 /* There were no equivalent states, remember the current one.
6800 * Technically the current state is not proven to be safe yet, 7264 * Technically the current state is not proven to be safe yet,
@@ -6824,7 +7288,10 @@ next:
6824 new->insn_idx = insn_idx; 7288 new->insn_idx = insn_idx;
6825 WARN_ONCE(new->branches != 1, 7289 WARN_ONCE(new->branches != 1,
6826 "BUG is_state_visited:branches_to_explore=%d insn %d\n", new->branches, insn_idx); 7290 "BUG is_state_visited:branches_to_explore=%d insn %d\n", new->branches, insn_idx);
7291
6827 cur->parent = new; 7292 cur->parent = new;
7293 cur->first_insn_idx = insn_idx;
7294 clear_jmp_history(cur);
6828 new_sl->next = *explored_state(env, insn_idx); 7295 new_sl->next = *explored_state(env, insn_idx);
6829 *explored_state(env, insn_idx) = new_sl; 7296 *explored_state(env, insn_idx) = new_sl;
6830 /* connect new state to parentage chain. Current frame needs all 7297 /* connect new state to parentage chain. Current frame needs all
@@ -6904,6 +7371,7 @@ static int do_check(struct bpf_verifier_env *env)
6904 struct bpf_reg_state *regs; 7371 struct bpf_reg_state *regs;
6905 int insn_cnt = env->prog->len; 7372 int insn_cnt = env->prog->len;
6906 bool do_print_state = false; 7373 bool do_print_state = false;
7374 int prev_insn_idx = -1;
6907 7375
6908 env->prev_linfo = NULL; 7376 env->prev_linfo = NULL;
6909 7377
@@ -6929,6 +7397,7 @@ static int do_check(struct bpf_verifier_env *env)
6929 u8 class; 7397 u8 class;
6930 int err; 7398 int err;
6931 7399
7400 env->prev_insn_idx = prev_insn_idx;
6932 if (env->insn_idx >= insn_cnt) { 7401 if (env->insn_idx >= insn_cnt) {
6933 verbose(env, "invalid insn idx %d insn_cnt %d\n", 7402 verbose(env, "invalid insn idx %d insn_cnt %d\n",
6934 env->insn_idx, insn_cnt); 7403 env->insn_idx, insn_cnt);
@@ -7001,6 +7470,7 @@ static int do_check(struct bpf_verifier_env *env)
7001 7470
7002 regs = cur_regs(env); 7471 regs = cur_regs(env);
7003 env->insn_aux_data[env->insn_idx].seen = true; 7472 env->insn_aux_data[env->insn_idx].seen = true;
7473 prev_insn_idx = env->insn_idx;
7004 7474
7005 if (class == BPF_ALU || class == BPF_ALU64) { 7475 if (class == BPF_ALU || class == BPF_ALU64) {
7006 err = check_alu_op(env, insn); 7476 err = check_alu_op(env, insn);
@@ -7174,7 +7644,6 @@ static int do_check(struct bpf_verifier_env *env)
7174 7644
7175 if (state->curframe) { 7645 if (state->curframe) {
7176 /* exit from nested function */ 7646 /* exit from nested function */
7177 env->prev_insn_idx = env->insn_idx;
7178 err = prepare_func_exit(env, &env->insn_idx); 7647 err = prepare_func_exit(env, &env->insn_idx);
7179 if (err) 7648 if (err)
7180 return err; 7649 return err;
@@ -7206,7 +7675,7 @@ static int do_check(struct bpf_verifier_env *env)
7206 return err; 7675 return err;
7207process_bpf_exit: 7676process_bpf_exit:
7208 update_branch_counts(env, env->cur_state); 7677 update_branch_counts(env, env->cur_state);
7209 err = pop_stack(env, &env->prev_insn_idx, 7678 err = pop_stack(env, &prev_insn_idx,
7210 &env->insn_idx); 7679 &env->insn_idx);
7211 if (err < 0) { 7680 if (err < 0) {
7212 if (err != -ENOENT) 7681 if (err != -ENOENT)
generated by cgit v1.2.2 (git 2.25.0) at 2026-05-27 14:42:16 -0400