Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf

	/* call stack tracking */

	struct bpf_func_state *frame[MAX_CALL_FRAMES];

	u32 curframe;

	bool speculative;

};

#define bpf_get_spilled_reg(slot, frame)				\

	struct bpf_verifier_state_list *next;

};

/* Possible states for alu_state member. */

#define BPF_ALU_SANITIZE_SRC		1U

#define BPF_ALU_SANITIZE_DST		2U

#define BPF_ALU_NEG_VALUE		(1U << 2)

#define BPF_ALU_SANITIZE		(BPF_ALU_SANITIZE_SRC | \

					 BPF_ALU_SANITIZE_DST)

struct bpf_insn_aux_data {

	union {

		enum bpf_reg_type ptr_type;	/* pointer type for load/store insns */

		unsigned long map_state;	/* pointer/poison value for maps */

		s32 call_imm;			/* saved imm field of call insn */

		u32 alu_limit;			/* limit for add/sub register with pointer */

	};

	int ctx_field_size; /* the ctx field size for load insn, maybe 0 */

	int sanitize_stack_off; /* stack slot to be cleared */

	bool seen; /* this insn was processed by the verifier */

	u8 alu_state; /* used in combination with alu_limit */

};

#define MAX_USED_MAPS 64 /* max number of maps accessed by one eBPF program */

 * one verifier_env per bpf_check() call

 */

struct bpf_verifier_env {

	u32 insn_idx;

	u32 prev_insn_idx;

	struct bpf_prog *prog;		/* eBPF program being verified */

	const struct bpf_verifier_ops *ops;

	struct bpf_verifier_stack_elem *head; /* stack of verifier states to be processed */

#define BPF_REG_D	BPF_REG_8	/* data, callee-saved */

#define BPF_REG_H	BPF_REG_9	/* hlen, callee-saved */

/* Kernel hidden auxiliary/helper register for hardening step.

 * Only used by eBPF JITs. It's nothing more than a temporary

 * register that JITs use internally, only that here it's part

 * of eBPF instructions that have been rewritten for blinding

 * constants. See JIT pre-step in bpf_jit_blind_constants().

 */

/* Kernel hidden auxiliary/helper register. */

#define BPF_REG_AX		MAX_BPF_REG

#define MAX_BPF_JIT_REG		(MAX_BPF_REG + 1)

#define MAX_BPF_EXT_REG		(MAX_BPF_REG + 1)

#define MAX_BPF_JIT_REG		MAX_BPF_EXT_REG

/* unused opcode to mark special call to bpf_tail_call() helper */

#define BPF_TAIL_CALL	0xf0

#define DST	regs[insn->dst_reg]

#define SRC	regs[insn->src_reg]

#define FP	regs[BPF_REG_FP]

#define AX	regs[BPF_REG_AX]

#define ARG1	regs[BPF_REG_ARG1]

#define CTX	regs[BPF_REG_CTX]

#define IMM	insn->imm

	BUILD_BUG_ON(BPF_REG_AX  + 1 != MAX_BPF_JIT_REG);

	BUILD_BUG_ON(MAX_BPF_REG + 1 != MAX_BPF_JIT_REG);

	/* Constraints on AX register:

	 *

	 * AX register is inaccessible from user space. It is mapped in

	 * all JITs, and used here for constant blinding rewrites. It is

	 * typically "stateless" meaning its contents are only valid within

	 * the executed instruction, but not across several instructions.

	 * There are a few exceptions however which are further detailed

	 * below.

	 *

	 * Constant blinding is only used by JITs, not in the interpreter.

	 * The interpreter uses AX in some occasions as a local temporary

	 * register e.g. in DIV or MOD instructions.

	 *

	 * In restricted circumstances, the verifier can also use the AX

	 * register for rewrites as long as they do not interfere with

	 * the above cases!

	 */

	if (from->dst_reg == BPF_REG_AX || from->src_reg == BPF_REG_AX)

		goto out;

	if (from->imm == 0 &&

	    (from->code == (BPF_ALU   | BPF_MOV | BPF_K) ||

	     from->code == (BPF_ALU64 | BPF_MOV | BPF_K))) {

 */

static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn, u64 *stack)

{

	u64 tmp;

#define BPF_INSN_2_LBL(x, y)    [BPF_##x | BPF_##y] = &&x##_##y

#define BPF_INSN_3_LBL(x, y, z) [BPF_##x | BPF_##y | BPF_##z] = &&x##_##y##_##z

	static const void *jumptable[256] = {

		(*(s64 *) &DST) >>= IMM;

		CONT;

	ALU64_MOD_X:

		div64_u64_rem(DST, SRC, &tmp);

		DST = tmp;

		div64_u64_rem(DST, SRC, &AX);

		DST = AX;

		CONT;

	ALU_MOD_X:

		tmp = (u32) DST;

		DST = do_div(tmp, (u32) SRC);

		AX = (u32) DST;

		DST = do_div(AX, (u32) SRC);

		CONT;

	ALU64_MOD_K:

		div64_u64_rem(DST, IMM, &tmp);

		DST = tmp;

		div64_u64_rem(DST, IMM, &AX);

		DST = AX;

		CONT;

	ALU_MOD_K:

		tmp = (u32) DST;

		DST = do_div(tmp, (u32) IMM);

		AX = (u32) DST;

		DST = do_div(AX, (u32) IMM);

		CONT;

	ALU64_DIV_X:

		DST = div64_u64(DST, SRC);

		CONT;

	ALU_DIV_X:

		tmp = (u32) DST;

		do_div(tmp, (u32) SRC);

		DST = (u32) tmp;

		AX = (u32) DST;

		do_div(AX, (u32) SRC);

		DST = (u32) AX;

		CONT;

	ALU64_DIV_K:

		DST = div64_u64(DST, IMM);

		CONT;

	ALU_DIV_K:

		tmp = (u32) DST;

		do_div(tmp, (u32) IMM);

		DST = (u32) tmp;

		AX = (u32) DST;

		do_div(AX, (u32) IMM);

		DST = (u32) AX;

		CONT;

	ALU_END_TO_BE:

		switch (IMM) {

static unsigned int PROG_NAME(stack_size)(const void *ctx, const struct bpf_insn *insn) \

{ \

	u64 stack[stack_size / sizeof(u64)]; \

	u64 regs[MAX_BPF_REG]; \

	u64 regs[MAX_BPF_EXT_REG]; \

\

	FP = (u64) (unsigned long) &stack[ARRAY_SIZE(stack)]; \

	ARG1 = (u64) (unsigned long) ctx; \

				      const struct bpf_insn *insn) \

{ \

	u64 stack[stack_size / sizeof(u64)]; \

	u64 regs[MAX_BPF_REG]; \

	u64 regs[MAX_BPF_EXT_REG]; \

\

	FP = (u64) (unsigned long) &stack[ARRAY_SIZE(stack)]; \

	BPF_R1 = r1; \

		free_func_state(dst_state->frame[i]);

		dst_state->frame[i] = NULL;

	}

	dst_state->speculative = src->speculative;

	dst_state->curframe = src->curframe;

	for (i = 0; i <= src->curframe; i++) {

		dst = dst_state->frame[i];

}

static struct bpf_verifier_state *push_stack(struct bpf_verifier_env *env,

					     int insn_idx, int prev_insn_idx)

					     int insn_idx, int prev_insn_idx,

					     bool speculative)

{

	struct bpf_verifier_state *cur = env->cur_state;

	struct bpf_verifier_stack_elem *elem;

	err = copy_verifier_state(&elem->st, cur);

	if (err)

		goto err;

	elem->st.speculative |= speculative;

	if (env->stack_size > BPF_COMPLEXITY_LIMIT_STACK) {

		verbose(env, "BPF program is too complex\n");

		goto err;

	}

}

static int check_stack_access(struct bpf_verifier_env *env,

			      const struct bpf_reg_state *reg,

			      int off, int size)

{

	/* Stack accesses must be at a fixed offset, so that we

	 * can determine what type of data were returned. See

	 * check_stack_read().

	 */

	if (!tnum_is_const(reg->var_off)) {

		char tn_buf[48];

		tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);

		verbose(env, "variable stack access var_off=%s off=%d size=%d",

			tn_buf, off, size);

		return -EACCES;

	}

	if (off >= 0 || off < -MAX_BPF_STACK) {

		verbose(env, "invalid stack off=%d size=%d\n", off, size);

		return -EACCES;

	}

	return 0;

}

/* check read/write into map element returned by bpf_map_lookup_elem() */

static int __check_map_access(struct bpf_verifier_env *env, u32 regno, int off,

			      int size, bool zero_size_allowed)

	 */

	if (env->log.level)

		print_verifier_state(env, state);

	/* The minimum value is only important with signed

	 * comparisons where we can't assume the floor of a

	 * value is 0.  If we are using signed variables for our

	 * index'es we need to make sure that whatever we use

	 * will have a set floor within our range.

	 */

	if (reg->smin_value < 0) {

	if (reg->smin_value < 0 &&

	    (reg->smin_value == S64_MIN ||

	     (off + reg->smin_value != (s64)(s32)(off + reg->smin_value)) ||

	      reg->smin_value + off < 0)) {

		verbose(env, "R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n",

			regno);

		return -EACCES;

		}

	} else if (reg->type == PTR_TO_STACK) {

		/* stack accesses must be at a fixed offset, so that we can

		 * determine what type of data were returned.

		 * See check_stack_read().

		 */

		if (!tnum_is_const(reg->var_off)) {

			char tn_buf[48];

			tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);

			verbose(env, "variable stack access var_off=%s off=%d size=%d",

				tn_buf, off, size);

			return -EACCES;

		}

		off += reg->var_off.value;

		if (off >= 0 || off < -MAX_BPF_STACK) {

			verbose(env, "invalid stack off=%d size=%d\n", off,

				size);

			return -EACCES;

		}

		err = check_stack_access(env, reg, off, size);

		if (err)

			return err;

		state = func(env, reg);

		err = update_stack_depth(env, state, off);

	return true;

}

static struct bpf_insn_aux_data *cur_aux(struct bpf_verifier_env *env)

{

	return &env->insn_aux_data[env->insn_idx];

}

static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg,

			      u32 *ptr_limit, u8 opcode, bool off_is_neg)

{

	bool mask_to_left = (opcode == BPF_ADD &&  off_is_neg) ||

			    (opcode == BPF_SUB && !off_is_neg);

	u32 off;

	switch (ptr_reg->type) {

	case PTR_TO_STACK:

		off = ptr_reg->off + ptr_reg->var_off.value;

		if (mask_to_left)

			*ptr_limit = MAX_BPF_STACK + off;

		else

			*ptr_limit = -off;

		return 0;

	case PTR_TO_MAP_VALUE:

		if (mask_to_left) {

			*ptr_limit = ptr_reg->umax_value + ptr_reg->off;

		} else {

			off = ptr_reg->smin_value + ptr_reg->off;

			*ptr_limit = ptr_reg->map_ptr->value_size - off;

		}

		return 0;

	default:

		return -EINVAL;

	}

}

static int sanitize_ptr_alu(struct bpf_verifier_env *env,

			    struct bpf_insn *insn,

			    const struct bpf_reg_state *ptr_reg,

			    struct bpf_reg_state *dst_reg,

			    bool off_is_neg)

{

	struct bpf_verifier_state *vstate = env->cur_state;

	struct bpf_insn_aux_data *aux = cur_aux(env);

	bool ptr_is_dst_reg = ptr_reg == dst_reg;

	u8 opcode = BPF_OP(insn->code);

	u32 alu_state, alu_limit;

	struct bpf_reg_state tmp;

	bool ret;

	if (env->allow_ptr_leaks || BPF_SRC(insn->code) == BPF_K)

		return 0;

	/* We already marked aux for masking from non-speculative

	 * paths, thus we got here in the first place. We only care

	 * to explore bad access from here.

	 */

	if (vstate->speculative)

		goto do_sim;

	alu_state  = off_is_neg ? BPF_ALU_NEG_VALUE : 0;

	alu_state |= ptr_is_dst_reg ?

		     BPF_ALU_SANITIZE_SRC : BPF_ALU_SANITIZE_DST;

	if (retrieve_ptr_limit(ptr_reg, &alu_limit, opcode, off_is_neg))

		return 0;

	/* If we arrived here from different branches with different

	 * limits to sanitize, then this won't work.

	 */

	if (aux->alu_state &&

	    (aux->alu_state != alu_state ||

	     aux->alu_limit != alu_limit))

		return -EACCES;

	/* Corresponding fixup done in fixup_bpf_calls(). */

	aux->alu_state = alu_state;

	aux->alu_limit = alu_limit;

do_sim:

	/* Simulate and find potential out-of-bounds access under

	 * speculative execution from truncation as a result of

	 * masking when off was not within expected range. If off

	 * sits in dst, then we temporarily need to move ptr there

	 * to simulate dst (== 0) +/-= ptr. Needed, for example,

	 * for cases where we use K-based arithmetic in one direction

	 * and truncated reg-based in the other in order to explore

	 * bad access.

	 */

	if (!ptr_is_dst_reg) {

		tmp = *dst_reg;

		*dst_reg = *ptr_reg;

	}

	ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true);

	if (!ptr_is_dst_reg)

		*dst_reg = tmp;

	return !ret ? -EFAULT : 0;

}

/* Handles arithmetic on a pointer and a scalar: computes new min/max and var_off.

 * Caller should also handle BPF_MOV case separately.

 * If we return -EACCES, caller may want to try again treating pointer as a

	    smin_ptr = ptr_reg->smin_value, smax_ptr = ptr_reg->smax_value;

	u64 umin_val = off_reg->umin_value, umax_val = off_reg->umax_value,

	    umin_ptr = ptr_reg->umin_value, umax_ptr = ptr_reg->umax_value;

	u32 dst = insn->dst_reg, src = insn->src_reg;

	u8 opcode = BPF_OP(insn->code);

	u32 dst = insn->dst_reg;

	int ret;

	dst_reg = &regs[dst];

		verbose(env, "R%d pointer arithmetic on %s prohibited\n",

			dst, reg_type_str[ptr_reg->type]);

		return -EACCES;

	case PTR_TO_MAP_VALUE:

		if (!env->allow_ptr_leaks && !known && (smin_val < 0) != (smax_val < 0)) {

			verbose(env, "R%d has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root\n",

				off_reg == dst_reg ? dst : src);

			return -EACCES;

		}

		/* fall-through */

	default:

		break;

	}

	switch (opcode) {

	case BPF_ADD:

		ret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0);

		if (ret < 0) {

			verbose(env, "R%d tried to add from different maps or paths\n", dst);

			return ret;

		}

		/* We can take a fixed offset as long as it doesn't overflow

		 * the s32 'off' field

		 */

		}

		break;

	case BPF_SUB:

		ret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0);

		if (ret < 0) {

			verbose(env, "R%d tried to sub from different maps or paths\n", dst);

			return ret;

		}

		if (dst_reg == off_reg) {

			/* scalar -= pointer.  Creates an unknown scalar */

			verbose(env, "R%d tried to subtract pointer from scalar\n",

	__update_reg_bounds(dst_reg);

	__reg_deduce_bounds(dst_reg);

	__reg_bound_offset(dst_reg);

	/* For unprivileged we require that resulting offset must be in bounds

	 * in order to be able to sanitize access later on.

	 */

	if (!env->allow_ptr_leaks) {

		if (dst_reg->type == PTR_TO_MAP_VALUE &&

		    check_map_access(env, dst, dst_reg->off, 1, false)) {

			verbose(env, "R%d pointer arithmetic of map value goes out of range, "

				"prohibited for !root\n", dst);

			return -EACCES;

		} else if (dst_reg->type == PTR_TO_STACK &&

			   check_stack_access(env, dst_reg, dst_reg->off +

					      dst_reg->var_off.value, 1)) {

			verbose(env, "R%d stack pointer arithmetic goes out of range, "

				"prohibited for !root\n", dst);

			return -EACCES;

		}

	}

	return 0;

}

		}

	}

	other_branch = push_stack(env, *insn_idx + insn->off + 1, *insn_idx);

	other_branch = push_stack(env, *insn_idx + insn->off + 1, *insn_idx,

				  false);

	if (!other_branch)

		return -EFAULT;

	other_branch_regs = other_branch->frame[other_branch->curframe]->regs;

	if (old->curframe != cur->curframe)

		return false;

	/* Verification state from speculative execution simulation

	 * must never prune a non-speculative execution one.

	 */

	if (old->speculative && !cur->speculative)

		return false;

	/* for states to be equal callsites have to be the same

	 * and all frame states need to be equivalent

	 */

	struct bpf_insn *insns = env->prog->insnsi;

	struct bpf_reg_state *regs;

	int insn_cnt = env->prog->len, i;

	int insn_idx, prev_insn_idx = 0;

	int insn_processed = 0;

	bool do_print_state = false;

	if (!state)

		return -ENOMEM;

	state->curframe = 0;

	state->speculative = false;

	state->frame[0] = kzalloc(sizeof(struct bpf_func_state), GFP_KERNEL);

	if (!state->frame[0]) {

		kfree(state);

			BPF_MAIN_FUNC /* callsite */,

			0 /* frameno */,

			0 /* subprogno, zero == main subprog */);

	insn_idx = 0;

	for (;;) {

		struct bpf_insn *insn;

		u8 class;

		int err;

		if (insn_idx >= insn_cnt) {

		if (env->insn_idx >= insn_cnt) {

			verbose(env, "invalid insn idx %d insn_cnt %d\n",

				insn_idx, insn_cnt);

				env->insn_idx, insn_cnt);

			return -EFAULT;

		}

		insn = &insns[insn_idx];

		insn = &insns[env->insn_idx];

		class = BPF_CLASS(insn->code);

		if (++insn_processed > BPF_COMPLEXITY_LIMIT_INSNS) {

			return -E2BIG;

		}

		err = is_state_visited(env, insn_idx);

		err = is_state_visited(env, env->insn_idx);

		if (err < 0)

			return err;

		if (err == 1) {

			/* found equivalent state, can prune the search */

			if (env->log.level) {

				if (do_print_state)

					verbose(env, "\nfrom %d to %d: safe\n",

						prev_insn_idx, insn_idx);

					verbose(env, "\nfrom %d to %d%s: safe\n",

						env->prev_insn_idx, env->insn_idx,

						env->cur_state->speculative ?

						" (speculative execution)" : "");

				else

					verbose(env, "%d: safe\n", insn_idx);

					verbose(env, "%d: safe\n", env->insn_idx);

			}

			goto process_bpf_exit;

		}

		if (env->log.level > 1 || (env->log.level && do_print_state)) {

			if (env->log.level > 1)

				verbose(env, "%d:", insn_idx);

				verbose(env, "%d:", env->insn_idx);

			else

				verbose(env, "\nfrom %d to %d:",

					prev_insn_idx, insn_idx);

				verbose(env, "\nfrom %d to %d%s:",

					env->prev_insn_idx, env->insn_idx,

					env->cur_state->speculative ?

					" (speculative execution)" : "");

			print_verifier_state(env, state->frame[state->curframe]);

			do_print_state = false;

		}

				.private_data	= env,

			};

			verbose_linfo(env, insn_idx, "; ");

			verbose(env, "%d: ", insn_idx);

			verbose_linfo(env, env->insn_idx, "; ");

			verbose(env, "%d: ", env->insn_idx);

			print_bpf_insn(&cbs, insn, env->allow_ptr_leaks);

		}

		if (bpf_prog_is_dev_bound(env->prog->aux)) {

			err = bpf_prog_offload_verify_insn(env, insn_idx,

							   prev_insn_idx);

			err = bpf_prog_offload_verify_insn(env, env->insn_idx,

							   env->prev_insn_idx);

			if (err)

				return err;

		}

		regs = cur_regs(env);

		env->insn_aux_data[insn_idx].seen = true;

		env->insn_aux_data[env->insn_idx].seen = true;

		if (class == BPF_ALU || class == BPF_ALU64) {

			err = check_alu_op(env, insn);

			/* check that memory (src_reg + off) is readable,

			 * the state of dst_reg will be updated by this func

			 */

			err = check_mem_access(env, insn_idx, insn->src_reg, insn->off,

					       BPF_SIZE(insn->code), BPF_READ,

					       insn->dst_reg, false);

			err = check_mem_access(env, env->insn_idx, insn->src_reg,

					       insn->off, BPF_SIZE(insn->code),

					       BPF_READ, insn->dst_reg, false);

			if (err)

				return err;

			prev_src_type = &env->insn_aux_data[insn_idx].ptr_type;

			prev_src_type = &env->insn_aux_data[env->insn_idx].ptr_type;

			if (*prev_src_type == NOT_INIT) {

				/* saw a valid insn

			enum bpf_reg_type *prev_dst_type, dst_reg_type;

			if (BPF_MODE(insn->code) == BPF_XADD) {

				err = check_xadd(env, insn_idx, insn);

				err = check_xadd(env, env->insn_idx, insn);

				if (err)

					return err;

				insn_idx++;

				env->insn_idx++;

				continue;

			}

			dst_reg_type = regs[insn->dst_reg].type;

			/* check that memory (dst_reg + off) is writeable */

			err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off,

					       BPF_SIZE(insn->code), BPF_WRITE,

					       insn->src_reg, false);

			err = check_mem_access(env, env->insn_idx, insn->dst_reg,

					       insn->off, BPF_SIZE(insn->code),

					       BPF_WRITE, insn->src_reg, false);

			if (err)