aboutsummaryrefslogtreecommitdiffstats
path: root/kernel
diff options
context:
space:
mode:
Diffstat (limited to 'kernel')
-rw-r--r--kernel/bpf/verifier.c184
1 files changed, 44 insertions, 140 deletions
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 92246117d2b0..68568d22d6bd 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -380,9 +380,9 @@ static int copy_stack_state(struct bpf_func_state *dst,
380/* do_check() starts with zero-sized stack in struct bpf_verifier_state to 380/* do_check() starts with zero-sized stack in struct bpf_verifier_state to
381 * make it consume minimal amount of memory. check_stack_write() access from 381 * make it consume minimal amount of memory. check_stack_write() access from
382 * the program calls into realloc_func_state() to grow the stack size. 382 * the program calls into realloc_func_state() to grow the stack size.
383 * Note there is a non-zero 'parent' pointer inside bpf_verifier_state 383 * Note there is a non-zero parent pointer inside each reg of bpf_verifier_state
384 * which this function copies over. It points to previous bpf_verifier_state 384 * which this function copies over. It points to corresponding reg in previous
385 * which is never reallocated 385 * bpf_verifier_state which is never reallocated
386 */ 386 */
387static int realloc_func_state(struct bpf_func_state *state, int size, 387static int realloc_func_state(struct bpf_func_state *state, int size,
388 bool copy_old) 388 bool copy_old)
@@ -466,7 +466,6 @@ static int copy_verifier_state(struct bpf_verifier_state *dst_state,
466 dst_state->frame[i] = NULL; 466 dst_state->frame[i] = NULL;
467 } 467 }
468 dst_state->curframe = src->curframe; 468 dst_state->curframe = src->curframe;
469 dst_state->parent = src->parent;
470 for (i = 0; i <= src->curframe; i++) { 469 for (i = 0; i <= src->curframe; i++) {
471 dst = dst_state->frame[i]; 470 dst = dst_state->frame[i];
472 if (!dst) { 471 if (!dst) {
@@ -732,6 +731,7 @@ static void init_reg_state(struct bpf_verifier_env *env,
732 for (i = 0; i < MAX_BPF_REG; i++) { 731 for (i = 0; i < MAX_BPF_REG; i++) {
733 mark_reg_not_init(env, regs, i); 732 mark_reg_not_init(env, regs, i);
734 regs[i].live = REG_LIVE_NONE; 733 regs[i].live = REG_LIVE_NONE;
734 regs[i].parent = NULL;
735 } 735 }
736 736
737 /* frame pointer */ 737 /* frame pointer */
@@ -876,74 +876,21 @@ next:
876 return 0; 876 return 0;
877} 877}
878 878
879static 879/* Parentage chain of this register (or stack slot) should take care of all
880struct bpf_verifier_state *skip_callee(struct bpf_verifier_env *env, 880 * issues like callee-saved registers, stack slot allocation time, etc.
881 const struct bpf_verifier_state *state, 881 */
882 struct bpf_verifier_state *parent,
883 u32 regno)
884{
885 struct bpf_verifier_state *tmp = NULL;
886
887 /* 'parent' could be a state of caller and
888 * 'state' could be a state of callee. In such case
889 * parent->curframe < state->curframe
890 * and it's ok for r1 - r5 registers
891 *
892 * 'parent' could be a callee's state after it bpf_exit-ed.
893 * In such case parent->curframe > state->curframe
894 * and it's ok for r0 only
895 */
896 if (parent->curframe == state->curframe ||
897 (parent->curframe < state->curframe &&
898 regno >= BPF_REG_1 && regno <= BPF_REG_5) ||
899 (parent->curframe > state->curframe &&
900 regno == BPF_REG_0))
901 return parent;
902
903 if (parent->curframe > state->curframe &&
904 regno >= BPF_REG_6) {
905 /* for callee saved regs we have to skip the whole chain
906 * of states that belong to callee and mark as LIVE_READ
907 * the registers before the call
908 */
909 tmp = parent;
910 while (tmp && tmp->curframe != state->curframe) {
911 tmp = tmp->parent;
912 }
913 if (!tmp)
914 goto bug;
915 parent = tmp;
916 } else {
917 goto bug;
918 }
919 return parent;
920bug:
921 verbose(env, "verifier bug regno %d tmp %p\n", regno, tmp);
922 verbose(env, "regno %d parent frame %d current frame %d\n",
923 regno, parent->curframe, state->curframe);
924 return NULL;
925}
926
927static int mark_reg_read(struct bpf_verifier_env *env, 882static int mark_reg_read(struct bpf_verifier_env *env,
928 const struct bpf_verifier_state *state, 883 const struct bpf_reg_state *state,
929 struct bpf_verifier_state *parent, 884 struct bpf_reg_state *parent)
930 u32 regno)
931{ 885{
932 bool writes = parent == state->parent; /* Observe write marks */ 886 bool writes = parent == state->parent; /* Observe write marks */
933 887
934 if (regno == BPF_REG_FP)
935 /* We don't need to worry about FP liveness because it's read-only */
936 return 0;
937
938 while (parent) { 888 while (parent) {
939 /* if read wasn't screened by an earlier write ... */ 889 /* if read wasn't screened by an earlier write ... */
940 if (writes && state->frame[state->curframe]->regs[regno].live & REG_LIVE_WRITTEN) 890 if (writes && state->live & REG_LIVE_WRITTEN)
941 break; 891 break;
942 parent = skip_callee(env, state, parent, regno);
943 if (!parent)
944 return -EFAULT;
945 /* ... then we depend on parent's value */ 892 /* ... then we depend on parent's value */
946 parent->frame[parent->curframe]->regs[regno].live |= REG_LIVE_READ; 893 parent->live |= REG_LIVE_READ;
947 state = parent; 894 state = parent;
948 parent = state->parent; 895 parent = state->parent;
949 writes = true; 896 writes = true;
@@ -969,7 +916,10 @@ static int check_reg_arg(struct bpf_verifier_env *env, u32 regno,
969 verbose(env, "R%d !read_ok\n", regno); 916 verbose(env, "R%d !read_ok\n", regno);
970 return -EACCES; 917 return -EACCES;
971 } 918 }
972 return mark_reg_read(env, vstate, vstate->parent, regno); 919 /* We don't need to worry about FP liveness because it's read-only */
920 if (regno != BPF_REG_FP)
921 return mark_reg_read(env, &regs[regno],
922 regs[regno].parent);
973 } else { 923 } else {
974 /* check whether register used as dest operand can be written to */ 924 /* check whether register used as dest operand can be written to */
975 if (regno == BPF_REG_FP) { 925 if (regno == BPF_REG_FP) {
@@ -1080,8 +1030,8 @@ static int check_stack_write(struct bpf_verifier_env *env,
1080 } else { 1030 } else {
1081 u8 type = STACK_MISC; 1031 u8 type = STACK_MISC;
1082 1032
1083 /* regular write of data into stack */ 1033 /* regular write of data into stack destroys any spilled ptr */
1084 state->stack[spi].spilled_ptr = (struct bpf_reg_state) {}; 1034 state->stack[spi].spilled_ptr.type = NOT_INIT;
1085 1035
1086 /* only mark the slot as written if all 8 bytes were written 1036 /* only mark the slot as written if all 8 bytes were written
1087 * otherwise read propagation may incorrectly stop too soon 1037 * otherwise read propagation may incorrectly stop too soon
@@ -1106,61 +1056,6 @@ static int check_stack_write(struct bpf_verifier_env *env,
1106 return 0; 1056 return 0;
1107} 1057}
1108 1058
1109/* registers of every function are unique and mark_reg_read() propagates
1110 * the liveness in the following cases:
1111 * - from callee into caller for R1 - R5 that were used as arguments
1112 * - from caller into callee for R0 that used as result of the call
1113 * - from caller to the same caller skipping states of the callee for R6 - R9,
1114 * since R6 - R9 are callee saved by implicit function prologue and
1115 * caller's R6 != callee's R6, so when we propagate liveness up to
1116 * parent states we need to skip callee states for R6 - R9.
1117 *
1118 * stack slot marking is different, since stacks of caller and callee are
1119 * accessible in both (since caller can pass a pointer to caller's stack to
1120 * callee which can pass it to another function), hence mark_stack_slot_read()
1121 * has to propagate the stack liveness to all parent states at given frame number.
1122 * Consider code:
1123 * f1() {
1124 * ptr = fp - 8;
1125 * *ptr = ctx;
1126 * call f2 {
1127 * .. = *ptr;
1128 * }
1129 * .. = *ptr;
1130 * }
1131 * First *ptr is reading from f1's stack and mark_stack_slot_read() has
1132 * to mark liveness at the f1's frame and not f2's frame.
1133 * Second *ptr is also reading from f1's stack and mark_stack_slot_read() has
1134 * to propagate liveness to f2 states at f1's frame level and further into
1135 * f1 states at f1's frame level until write into that stack slot
1136 */
1137static void mark_stack_slot_read(struct bpf_verifier_env *env,
1138 const struct bpf_verifier_state *state,
1139 struct bpf_verifier_state *parent,
1140 int slot, int frameno)
1141{
1142 bool writes = parent == state->parent; /* Observe write marks */
1143
1144 while (parent) {
1145 if (parent->frame[frameno]->allocated_stack <= slot * BPF_REG_SIZE)
1146 /* since LIVE_WRITTEN mark is only done for full 8-byte
1147 * write the read marks are conservative and parent
1148 * state may not even have the stack allocated. In such case
1149 * end the propagation, since the loop reached beginning
1150 * of the function
1151 */
1152 break;
1153 /* if read wasn't screened by an earlier write ... */
1154 if (writes && state->frame[frameno]->stack[slot].spilled_ptr.live & REG_LIVE_WRITTEN)
1155 break;
1156 /* ... then we depend on parent's value */
1157 parent->frame[frameno]->stack[slot].spilled_ptr.live |= REG_LIVE_READ;
1158 state = parent;
1159 parent = state->parent;
1160 writes = true;
1161 }
1162}
1163
1164static int check_stack_read(struct bpf_verifier_env *env, 1059static int check_stack_read(struct bpf_verifier_env *env,
1165 struct bpf_func_state *reg_state /* func where register points to */, 1060 struct bpf_func_state *reg_state /* func where register points to */,
1166 int off, int size, int value_regno) 1061 int off, int size, int value_regno)
@@ -1198,8 +1093,8 @@ static int check_stack_read(struct bpf_verifier_env *env,
1198 */ 1093 */
1199 state->regs[value_regno].live |= REG_LIVE_WRITTEN; 1094 state->regs[value_regno].live |= REG_LIVE_WRITTEN;
1200 } 1095 }
1201 mark_stack_slot_read(env, vstate, vstate->parent, spi, 1096 mark_reg_read(env, &reg_state->stack[spi].spilled_ptr,
1202 reg_state->frameno); 1097 reg_state->stack[spi].spilled_ptr.parent);
1203 return 0; 1098 return 0;
1204 } else { 1099 } else {
1205 int zeros = 0; 1100 int zeros = 0;
@@ -1215,8 +1110,8 @@ static int check_stack_read(struct bpf_verifier_env *env,
1215 off, i, size); 1110 off, i, size);
1216 return -EACCES; 1111 return -EACCES;
1217 } 1112 }
1218 mark_stack_slot_read(env, vstate, vstate->parent, spi, 1113 mark_reg_read(env, &reg_state->stack[spi].spilled_ptr,
1219 reg_state->frameno); 1114 reg_state->stack[spi].spilled_ptr.parent);
1220 if (value_regno >= 0) { 1115 if (value_regno >= 0) {
1221 if (zeros == size) { 1116 if (zeros == size) {
1222 /* any size read into register is zero extended, 1117 /* any size read into register is zero extended,
@@ -1908,8 +1803,8 @@ mark:
1908 /* reading any byte out of 8-byte 'spill_slot' will cause 1803 /* reading any byte out of 8-byte 'spill_slot' will cause
1909 * the whole slot to be marked as 'read' 1804 * the whole slot to be marked as 'read'
1910 */ 1805 */
1911 mark_stack_slot_read(env, env->cur_state, env->cur_state->parent, 1806 mark_reg_read(env, &state->stack[spi].spilled_ptr,
1912 spi, state->frameno); 1807 state->stack[spi].spilled_ptr.parent);
1913 } 1808 }
1914 return update_stack_depth(env, state, off); 1809 return update_stack_depth(env, state, off);
1915} 1810}
@@ -2366,11 +2261,13 @@ static int check_func_call(struct bpf_verifier_env *env, struct bpf_insn *insn,
2366 state->curframe + 1 /* frameno within this callchain */, 2261 state->curframe + 1 /* frameno within this callchain */,
2367 subprog /* subprog number within this prog */); 2262 subprog /* subprog number within this prog */);
2368 2263
2369 /* copy r1 - r5 args that callee can access */ 2264 /* copy r1 - r5 args that callee can access. The copy includes parent
2265 * pointers, which connects us up to the liveness chain
2266 */
2370 for (i = BPF_REG_1; i <= BPF_REG_5; i++) 2267 for (i = BPF_REG_1; i <= BPF_REG_5; i++)
2371 callee->regs[i] = caller->regs[i]; 2268 callee->regs[i] = caller->regs[i];
2372 2269
2373 /* after the call regsiters r0 - r5 were scratched */ 2270 /* after the call registers r0 - r5 were scratched */
2374 for (i = 0; i < CALLER_SAVED_REGS; i++) { 2271 for (i = 0; i < CALLER_SAVED_REGS; i++) {
2375 mark_reg_not_init(env, caller->regs, caller_saved[i]); 2272 mark_reg_not_init(env, caller->regs, caller_saved[i]);
2376 check_reg_arg(env, caller_saved[i], DST_OP_NO_MARK); 2273 check_reg_arg(env, caller_saved[i], DST_OP_NO_MARK);
@@ -4370,7 +4267,7 @@ static bool regsafe(struct bpf_reg_state *rold, struct bpf_reg_state *rcur,
4370 /* explored state didn't use this */ 4267 /* explored state didn't use this */
4371 return true; 4268 return true;
4372 4269
4373 equal = memcmp(rold, rcur, offsetof(struct bpf_reg_state, frameno)) == 0; 4270 equal = memcmp(rold, rcur, offsetof(struct bpf_reg_state, parent)) == 0;
4374 4271
4375 if (rold->type == PTR_TO_STACK) 4272 if (rold->type == PTR_TO_STACK)
4376 /* two stack pointers are equal only if they're pointing to 4273 /* two stack pointers are equal only if they're pointing to
@@ -4603,7 +4500,7 @@ static bool states_equal(struct bpf_verifier_env *env,
4603 * equivalent state (jump target or such) we didn't arrive by the straight-line 4500 * equivalent state (jump target or such) we didn't arrive by the straight-line
4604 * code, so read marks in the state must propagate to the parent regardless 4501 * code, so read marks in the state must propagate to the parent regardless
4605 * of the state's write marks. That's what 'parent == state->parent' comparison 4502 * of the state's write marks. That's what 'parent == state->parent' comparison
4606 * in mark_reg_read() and mark_stack_slot_read() is for. 4503 * in mark_reg_read() is for.
4607 */ 4504 */
4608static int propagate_liveness(struct bpf_verifier_env *env, 4505static int propagate_liveness(struct bpf_verifier_env *env,
4609 const struct bpf_verifier_state *vstate, 4506 const struct bpf_verifier_state *vstate,
@@ -4624,7 +4521,8 @@ static int propagate_liveness(struct bpf_verifier_env *env,
4624 if (vparent->frame[vparent->curframe]->regs[i].live & REG_LIVE_READ) 4521 if (vparent->frame[vparent->curframe]->regs[i].live & REG_LIVE_READ)
4625 continue; 4522 continue;
4626 if (vstate->frame[vstate->curframe]->regs[i].live & REG_LIVE_READ) { 4523 if (vstate->frame[vstate->curframe]->regs[i].live & REG_LIVE_READ) {
4627 err = mark_reg_read(env, vstate, vparent, i); 4524 err = mark_reg_read(env, &vstate->frame[vstate->curframe]->regs[i],
4525 &vparent->frame[vstate->curframe]->regs[i]);
4628 if (err) 4526 if (err)
4629 return err; 4527 return err;
4630 } 4528 }
@@ -4639,7 +4537,8 @@ static int propagate_liveness(struct bpf_verifier_env *env,
4639 if (parent->stack[i].spilled_ptr.live & REG_LIVE_READ) 4537 if (parent->stack[i].spilled_ptr.live & REG_LIVE_READ)
4640 continue; 4538 continue;
4641 if (state->stack[i].spilled_ptr.live & REG_LIVE_READ) 4539 if (state->stack[i].spilled_ptr.live & REG_LIVE_READ)
4642 mark_stack_slot_read(env, vstate, vparent, i, frame); 4540 mark_reg_read(env, &state->stack[i].spilled_ptr,
4541 &parent->stack[i].spilled_ptr);
4643 } 4542 }
4644 } 4543 }
4645 return err; 4544 return err;
@@ -4649,7 +4548,7 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx)
4649{ 4548{
4650 struct bpf_verifier_state_list *new_sl; 4549 struct bpf_verifier_state_list *new_sl;
4651 struct bpf_verifier_state_list *sl; 4550 struct bpf_verifier_state_list *sl;
4652 struct bpf_verifier_state *cur = env->cur_state; 4551 struct bpf_verifier_state *cur = env->cur_state, *new;
4653 int i, j, err; 4552 int i, j, err;
4654 4553
4655 sl = env->explored_states[insn_idx]; 4554 sl = env->explored_states[insn_idx];
@@ -4691,16 +4590,18 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx)
4691 return -ENOMEM; 4590 return -ENOMEM;
4692 4591
4693 /* add new state to the head of linked list */ 4592 /* add new state to the head of linked list */
4694 err = copy_verifier_state(&new_sl->state, cur); 4593 new = &new_sl->state;
4594 err = copy_verifier_state(new, cur);
4695 if (err) { 4595 if (err) {
4696 free_verifier_state(&new_sl->state, false); 4596 free_verifier_state(new, false);
4697 kfree(new_sl); 4597 kfree(new_sl);
4698 return err; 4598 return err;
4699 } 4599 }
4700 new_sl->next = env->explored_states[insn_idx]; 4600 new_sl->next = env->explored_states[insn_idx];
4701 env->explored_states[insn_idx] = new_sl; 4601 env->explored_states[insn_idx] = new_sl;
4702 /* connect new state to parentage chain */ 4602 /* connect new state to parentage chain */
4703 cur->parent = &new_sl->state; 4603 for (i = 0; i < BPF_REG_FP; i++)
4604 cur_regs(env)[i].parent = &new->frame[new->curframe]->regs[i];
4704 /* clear write marks in current state: the writes we did are not writes 4605 /* clear write marks in current state: the writes we did are not writes
4705 * our child did, so they don't screen off its reads from us. 4606 * our child did, so they don't screen off its reads from us.
4706 * (There are no read marks in current state, because reads always mark 4607 * (There are no read marks in current state, because reads always mark
@@ -4713,9 +4614,13 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx)
4713 /* all stack frames are accessible from callee, clear them all */ 4614 /* all stack frames are accessible from callee, clear them all */
4714 for (j = 0; j <= cur->curframe; j++) { 4615 for (j = 0; j <= cur->curframe; j++) {
4715 struct bpf_func_state *frame = cur->frame[j]; 4616 struct bpf_func_state *frame = cur->frame[j];
4617 struct bpf_func_state *newframe = new->frame[j];
4716 4618
4717 for (i = 0; i < frame->allocated_stack / BPF_REG_SIZE; i++) 4619 for (i = 0; i < frame->allocated_stack / BPF_REG_SIZE; i++) {
4718 frame->stack[i].spilled_ptr.live = REG_LIVE_NONE; 4620 frame->stack[i].spilled_ptr.live = REG_LIVE_NONE;
4621 frame->stack[i].spilled_ptr.parent =
4622 &newframe->stack[i].spilled_ptr;
4623 }
4719 } 4624 }
4720 return 0; 4625 return 0;
4721} 4626}
@@ -4734,7 +4639,6 @@ static int do_check(struct bpf_verifier_env *env)
4734 if (!state) 4639 if (!state)
4735 return -ENOMEM; 4640 return -ENOMEM;
4736 state->curframe = 0; 4641 state->curframe = 0;
4737 state->parent = NULL;
4738 state->frame[0] = kzalloc(sizeof(struct bpf_func_state), GFP_KERNEL); 4642 state->frame[0] = kzalloc(sizeof(struct bpf_func_state), GFP_KERNEL);
4739 if (!state->frame[0]) { 4643 if (!state->frame[0]) {
4740 kfree(state); 4644 kfree(state);
generated by cgit v1.2.2 (git 2.25.0) at 2025-08-30 22:06:16 -0400