Merge branch 'bpf-verifier-improvements'

	/* the following constraints used to prototype bpf_memcmp() and other

	 * functions that access data on eBPF program stack

	 */

	ARG_PTR_TO_STACK,	/* any pointer to eBPF program stack */

	ARG_PTR_TO_RAW_STACK,	/* any pointer to eBPF program stack, area does not

				 * need to be initialized, helper function must fill

				 * all bytes or clear them in error case.

	ARG_PTR_TO_MEM,		/* pointer to valid memory (stack, packet, map value) */

	ARG_PTR_TO_UNINIT_MEM,	/* pointer to memory does not need to be initialized,

				 * helper function must fill all bytes or clear

				 * them in error case.

				 */

	ARG_CONST_STACK_SIZE,	/* number of bytes accessed from stack */

	ARG_CONST_STACK_SIZE_OR_ZERO, /* number of bytes accessed from stack or 0 */

	ARG_CONST_SIZE,		/* number of bytes accessed from memory */

	ARG_CONST_SIZE_OR_ZERO,	/* number of bytes accessed from memory or 0 */

	ARG_PTR_TO_CTX,		/* pointer to context */

	ARG_ANYTHING,		/* any (initialized) argument is ok */

	.func		= bpf_get_current_comm,

	.gpl_only	= false,

	.ret_type	= RET_INTEGER,

	.arg1_type	= ARG_PTR_TO_RAW_STACK,

	.arg2_type	= ARG_CONST_STACK_SIZE,

	.arg1_type	= ARG_PTR_TO_UNINIT_MEM,

	.arg2_type	= ARG_CONST_SIZE,

};

	regs[regno].max_value = BPF_REGISTER_MAX_RANGE;

}

static void mark_reg_unknown_value_and_range(struct bpf_reg_state *regs,

					     u32 regno)

{

	mark_reg_unknown_value(regs, regno);

	reset_reg_range_values(regs, regno);

}

enum reg_arg_type {

	SRC_OP,		/* register is used as source operand */

	DST_OP,		/* register is used as destination operand */

	switch (type) {

	case PTR_TO_MAP_VALUE:

	case PTR_TO_MAP_VALUE_OR_NULL:

	case PTR_TO_MAP_VALUE_ADJ:

	case PTR_TO_STACK:

	case PTR_TO_CTX:

	case PTR_TO_PACKET:

		}

		if (value_regno >= 0)

			/* have read misc data from the stack */

			mark_reg_unknown_value(state->regs, value_regno);

			mark_reg_unknown_value_and_range(state->regs,

							 value_regno);

		return 0;

	}

}

{

	struct bpf_map *map = env->cur_state.regs[regno].map_ptr;

	if (off < 0 || off + size > map->value_size) {

	if (off < 0 || size <= 0 || off + size > map->value_size) {

		verbose("invalid access to map value, value_size=%d off=%d size=%d\n",

			map->value_size, off, size);

		return -EACCES;

	return 0;

}

/* check read/write into an adjusted map element */

static int check_map_access_adj(struct bpf_verifier_env *env, u32 regno,

				int off, int size)

{

	struct bpf_verifier_state *state = &env->cur_state;

	struct bpf_reg_state *reg = &state->regs[regno];

	int err;

	/* We adjusted the register to this map value, so we

	 * need to change off and size to min_value and max_value

	 * respectively to make sure our theoretical access will be

	 * safe.

	 */

	if (log_level)

		print_verifier_state(state);

	env->varlen_map_value_access = true;

	/* The minimum value is only important with signed

	 * comparisons where we can't assume the floor of a

	 * value is 0.  If we are using signed variables for our

	 * index'es we need to make sure that whatever we use

	 * will have a set floor within our range.

	 */

	if (reg->min_value < 0) {

		verbose("R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n",

			regno);

		return -EACCES;

	}

	err = check_map_access(env, regno, reg->min_value + off, size);

	if (err) {

		verbose("R%d min value is outside of the array range\n",

			regno);

		return err;

	}

	/* If we haven't set a max value then we need to bail

	 * since we can't be sure we won't do bad things.

	 */

	if (reg->max_value == BPF_REGISTER_MAX_RANGE) {

		verbose("R%d unbounded memory access, make sure to bounds check any array access into a map\n",

			regno);

		return -EACCES;

	}

	return check_map_access(env, regno, reg->max_value + off, size);

}

#define MAX_PACKET_OFF 0xffff

static bool may_access_direct_pkt_data(struct bpf_verifier_env *env,

			return -EACCES;

		}

		/* If we adjusted the register to this map value at all then we

		 * need to change off and size to min_value and max_value

		 * respectively to make sure our theoretical access will be

		 * safe.

		 */

		if (reg->type == PTR_TO_MAP_VALUE_ADJ) {

			if (log_level)

				print_verifier_state(state);

			env->varlen_map_value_access = true;

			/* The minimum value is only important with signed

			 * comparisons where we can't assume the floor of a

			 * value is 0.  If we are using signed variables for our

			 * index'es we need to make sure that whatever we use

			 * will have a set floor within our range.

			 */

			if (reg->min_value < 0) {

				verbose("R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n",

					regno);

				return -EACCES;

			}

			err = check_map_access(env, regno, reg->min_value + off,

					       size);

			if (err) {

				verbose("R%d min value is outside of the array range\n",

					regno);

				return err;

			}

			/* If we haven't set a max value then we need to bail

			 * since we can't be sure we won't do bad things.

			 */

			if (reg->max_value == BPF_REGISTER_MAX_RANGE) {

				verbose("R%d unbounded memory access, make sure to bounds check any array access into a map\n",

					regno);

				return -EACCES;

			}

			off += reg->max_value;

		}

		if (reg->type == PTR_TO_MAP_VALUE_ADJ)

			err = check_map_access_adj(env, regno, off, size);

		else

			err = check_map_access(env, regno, off, size);

		if (!err && t == BPF_READ && value_regno >= 0)

			mark_reg_unknown_value(state->regs, value_regno);

			mark_reg_unknown_value_and_range(state->regs,

							 value_regno);

	} else if (reg->type == PTR_TO_CTX) {

		enum bpf_reg_type reg_type = UNKNOWN_VALUE;

		}

		err = check_ctx_access(env, off, size, t, &reg_type);

		if (!err && t == BPF_READ && value_regno >= 0) {

			mark_reg_unknown_value(state->regs, value_regno);

			mark_reg_unknown_value_and_range(state->regs,

							 value_regno);

			/* note that reg.[id|off|range] == 0 */

			state->regs[value_regno].type = reg_type;

		}

		}

		err = check_packet_access(env, regno, off, size);

		if (!err && t == BPF_READ && value_regno >= 0)

			mark_reg_unknown_value(state->regs, value_regno);

			mark_reg_unknown_value_and_range(state->regs,

							 value_regno);

	} else {

		verbose("R%d invalid mem access '%s'\n",

			regno, reg_type_str[reg->type]);

	return 0;

}

static int check_helper_mem_access(struct bpf_verifier_env *env, int regno,

				   int access_size, bool zero_size_allowed,

				   struct bpf_call_arg_meta *meta)

{

	struct bpf_reg_state *regs = env->cur_state.regs;

	switch (regs[regno].type) {

	case PTR_TO_PACKET:

		return check_packet_access(env, regno, 0, access_size);

	case PTR_TO_MAP_VALUE:

		return check_map_access(env, regno, 0, access_size);

	case PTR_TO_MAP_VALUE_ADJ:

		return check_map_access_adj(env, regno, 0, access_size);

	default: /* const_imm|ptr_to_stack or invalid ptr */

		return check_stack_boundary(env, regno, access_size,

					    zero_size_allowed, meta);

	}

}

static int check_func_arg(struct bpf_verifier_env *env, u32 regno,

			  enum bpf_arg_type arg_type,

			  struct bpf_call_arg_meta *meta)

		expected_type = PTR_TO_STACK;

		if (type != PTR_TO_PACKET && type != expected_type)

			goto err_type;

	} else if (arg_type == ARG_CONST_STACK_SIZE ||

		   arg_type == ARG_CONST_STACK_SIZE_OR_ZERO) {

	} else if (arg_type == ARG_CONST_SIZE ||

		   arg_type == ARG_CONST_SIZE_OR_ZERO) {

		expected_type = CONST_IMM;

		if (type != expected_type)

		/* One exception. Allow UNKNOWN_VALUE registers when the

		 * boundaries are known and don't cause unsafe memory accesses

		 */

		if (type != UNKNOWN_VALUE && type != expected_type)

			goto err_type;

	} else if (arg_type == ARG_CONST_MAP_PTR) {

		expected_type = CONST_PTR_TO_MAP;

		expected_type = PTR_TO_CTX;

		if (type != expected_type)

			goto err_type;

	} else if (arg_type == ARG_PTR_TO_STACK ||

		   arg_type == ARG_PTR_TO_RAW_STACK) {

	} else if (arg_type == ARG_PTR_TO_MEM ||

		   arg_type == ARG_PTR_TO_UNINIT_MEM) {

		expected_type = PTR_TO_STACK;

		/* One exception here. In case function allows for NULL to be

		 * passed in as argument, it's a CONST_IMM type. Final test

		 */

		if (type == CONST_IMM && reg->imm == 0)

			/* final test in check_stack_boundary() */;

		else if (type != PTR_TO_PACKET && type != expected_type)

		else if (type != PTR_TO_PACKET && type != PTR_TO_MAP_VALUE &&

			 type != PTR_TO_MAP_VALUE_ADJ && type != expected_type)

			goto err_type;

		meta->raw_mode = arg_type == ARG_PTR_TO_RAW_STACK;

		meta->raw_mode = arg_type == ARG_PTR_TO_UNINIT_MEM;

	} else {

		verbose("unsupported arg_type %d\n", arg_type);

		return -EFAULT;

			err = check_stack_boundary(env, regno,

						   meta->map_ptr->value_size,

						   false, NULL);

	} else if (arg_type == ARG_CONST_STACK_SIZE ||

		   arg_type == ARG_CONST_STACK_SIZE_OR_ZERO) {

		bool zero_size_allowed = (arg_type == ARG_CONST_STACK_SIZE_OR_ZERO);

	} else if (arg_type == ARG_CONST_SIZE ||

		   arg_type == ARG_CONST_SIZE_OR_ZERO) {

		bool zero_size_allowed = (arg_type == ARG_CONST_SIZE_OR_ZERO);

		/* bpf_xxx(..., buf, len) call will access 'len' bytes

		 * from stack pointer 'buf'. Check it

		 */

		if (regno == 0) {

			/* kernel subsystem misconfigured verifier */

			verbose("ARG_CONST_STACK_SIZE cannot be first argument\n");

			verbose("ARG_CONST_SIZE cannot be first argument\n");

			return -EACCES;

		}

		if (regs[regno - 1].type == PTR_TO_PACKET)

			err = check_packet_access(env, regno - 1, 0, reg->imm);

		else

			err = check_stack_boundary(env, regno - 1, reg->imm,

		/* If the register is UNKNOWN_VALUE, the access check happens

		 * using its boundaries. Otherwise, just use its imm

		 */

		if (type == UNKNOWN_VALUE) {

			/* For unprivileged variable accesses, disable raw

			 * mode so that the program is required to

			 * initialize all the memory that the helper could

			 * just partially fill up.

			 */

			meta = NULL;

			if (reg->min_value < 0) {

				verbose("R%d min value is negative, either use unsigned or 'var &= const'\n",

					regno);

				return -EACCES;

			}

			if (reg->min_value == 0) {

				err = check_helper_mem_access(env, regno - 1, 0,

							      zero_size_allowed,

							      meta);

				if (err)

					return err;

			}

			if (reg->max_value == BPF_REGISTER_MAX_RANGE) {

				verbose("R%d unbounded memory access, use 'var &= const' or 'if (var < const)'\n",

					regno);

				return -EACCES;

			}

			err = check_helper_mem_access(env, regno - 1,

						      reg->max_value,

						      zero_size_allowed, meta);

			if (err)

				return err;

		} else {

			/* register is CONST_IMM */

			err = check_helper_mem_access(env, regno - 1, reg->imm,

						      zero_size_allowed, meta);

		}

	}

	return err;

{

	int count = 0;

	if (fn->arg1_type == ARG_PTR_TO_RAW_STACK)

	if (fn->arg1_type == ARG_PTR_TO_UNINIT_MEM)

		count++;

	if (fn->arg2_type == ARG_PTR_TO_RAW_STACK)

	if (fn->arg2_type == ARG_PTR_TO_UNINIT_MEM)

		count++;

	if (fn->arg3_type == ARG_PTR_TO_RAW_STACK)

	if (fn->arg3_type == ARG_PTR_TO_UNINIT_MEM)

		count++;

	if (fn->arg4_type == ARG_PTR_TO_RAW_STACK)

	if (fn->arg4_type == ARG_PTR_TO_UNINIT_MEM)

		count++;

	if (fn->arg5_type == ARG_PTR_TO_RAW_STACK)

	if (fn->arg5_type == ARG_PTR_TO_UNINIT_MEM)

		count++;

	return count > 1 ? -EINVAL : 0;

			if (err)

				return err;

			reset_reg_range_values(regs, insn->dst_reg);

			if (BPF_SIZE(insn->code) != BPF_W &&

			    BPF_SIZE(insn->code) != BPF_DW) {

				insn_idx++;

	.func		= bpf_probe_read,

	.gpl_only	= true,

	.ret_type	= RET_INTEGER,

	.arg1_type	= ARG_PTR_TO_RAW_STACK,

	.arg2_type	= ARG_CONST_STACK_SIZE,

	.arg1_type	= ARG_PTR_TO_UNINIT_MEM,

	.arg2_type	= ARG_CONST_SIZE,

	.arg3_type	= ARG_ANYTHING,

};

	.gpl_only	= true,

	.ret_type	= RET_INTEGER,

	.arg1_type	= ARG_ANYTHING,

	.arg2_type	= ARG_PTR_TO_STACK,

	.arg3_type	= ARG_CONST_STACK_SIZE,

	.arg2_type	= ARG_PTR_TO_MEM,

	.arg3_type	= ARG_CONST_SIZE,

};

static const struct bpf_func_proto *bpf_get_probe_write_proto(void)

	.func		= bpf_trace_printk,

	.gpl_only	= true,

	.ret_type	= RET_INTEGER,

	.arg1_type	= ARG_PTR_TO_STACK,

	.arg2_type	= ARG_CONST_STACK_SIZE,

	.arg1_type	= ARG_PTR_TO_MEM,

	.arg2_type	= ARG_CONST_SIZE,

};

const struct bpf_func_proto *bpf_get_trace_printk_proto(void)

	.arg1_type	= ARG_PTR_TO_CTX,

	.arg2_type	= ARG_CONST_MAP_PTR,

	.arg3_type	= ARG_ANYTHING,

	.arg4_type	= ARG_PTR_TO_STACK,

	.arg5_type	= ARG_CONST_STACK_SIZE,

	.arg4_type	= ARG_PTR_TO_MEM,

	.arg5_type	= ARG_CONST_SIZE,

};

static DEFINE_PER_CPU(struct pt_regs, bpf_pt_regs);

	.arg1_type	= ARG_PTR_TO_CTX,

	.arg2_type	= ARG_CONST_MAP_PTR,

	.arg3_type	= ARG_ANYTHING,

	.arg4_type	= ARG_PTR_TO_STACK,

	.arg5_type	= ARG_CONST_STACK_SIZE,

	.arg4_type	= ARG_PTR_TO_MEM,

	.arg5_type	= ARG_CONST_SIZE,

};

BPF_CALL_3(bpf_get_stackid_tp, void *, tp_buff, struct bpf_map *, map,

	.ret_type	= RET_INTEGER,

	.arg1_type	= ARG_PTR_TO_CTX,

	.arg2_type	= ARG_ANYTHING,

	.arg3_type	= ARG_PTR_TO_STACK,

	.arg4_type	= ARG_CONST_STACK_SIZE,

	.arg3_type	= ARG_PTR_TO_MEM,

	.arg4_type	= ARG_CONST_SIZE,

	.arg5_type	= ARG_ANYTHING,

};

	.ret_type	= RET_INTEGER,

	.arg1_type	= ARG_PTR_TO_CTX,

	.arg2_type	= ARG_ANYTHING,

	.arg3_type	= ARG_PTR_TO_RAW_STACK,

	.arg4_type	= ARG_CONST_STACK_SIZE,

	.arg3_type	= ARG_PTR_TO_UNINIT_MEM,

	.arg4_type	= ARG_CONST_SIZE,

};

BPF_CALL_2(bpf_skb_pull_data, struct sk_buff *, skb, u32, len)

	.gpl_only	= false,

	.pkt_access	= true,

	.ret_type	= RET_INTEGER,

	.arg1_type	= ARG_PTR_TO_STACK,

	.arg2_type	= ARG_CONST_STACK_SIZE_OR_ZERO,

	.arg3_type	= ARG_PTR_TO_STACK,

	.arg4_type	= ARG_CONST_STACK_SIZE_OR_ZERO,

	.arg1_type	= ARG_PTR_TO_MEM,

	.arg2_type	= ARG_CONST_SIZE_OR_ZERO,

	.arg3_type	= ARG_PTR_TO_MEM,

	.arg4_type	= ARG_CONST_SIZE_OR_ZERO,

	.arg5_type	= ARG_ANYTHING,

};

	.arg1_type	= ARG_PTR_TO_CTX,

	.arg2_type	= ARG_CONST_MAP_PTR,

	.arg3_type	= ARG_ANYTHING,

	.arg4_type	= ARG_PTR_TO_STACK,

	.arg5_type	= ARG_CONST_STACK_SIZE,

	.arg4_type	= ARG_PTR_TO_MEM,

	.arg5_type	= ARG_CONST_SIZE,

};

static unsigned short bpf_tunnel_key_af(u64 flags)

	.gpl_only	= false,

	.ret_type	= RET_INTEGER,

	.arg1_type	= ARG_PTR_TO_CTX,

	.arg2_type	= ARG_PTR_TO_RAW_STACK,

	.arg3_type	= ARG_CONST_STACK_SIZE,

	.arg2_type	= ARG_PTR_TO_UNINIT_MEM,

	.arg3_type	= ARG_CONST_SIZE,

	.arg4_type	= ARG_ANYTHING,

};

	.gpl_only	= false,

	.ret_type	= RET_INTEGER,

	.arg1_type	= ARG_PTR_TO_CTX,

	.arg2_type	= ARG_PTR_TO_RAW_STACK,

	.arg3_type	= ARG_CONST_STACK_SIZE,

	.arg2_type	= ARG_PTR_TO_UNINIT_MEM,

	.arg3_type	= ARG_CONST_SIZE,

};

static struct metadata_dst __percpu *md_dst;

	.gpl_only	= false,

	.ret_type	= RET_INTEGER,

	.arg1_type	= ARG_PTR_TO_CTX,

	.arg2_type	= ARG_PTR_TO_STACK,

	.arg3_type	= ARG_CONST_STACK_SIZE,

	.arg2_type	= ARG_PTR_TO_MEM,

	.arg3_type	= ARG_CONST_SIZE,

	.arg4_type	= ARG_ANYTHING,

};

	.gpl_only	= false,

	.ret_type	= RET_INTEGER,

	.arg1_type	= ARG_PTR_TO_CTX,

	.arg2_type	= ARG_PTR_TO_STACK,

	.arg3_type	= ARG_CONST_STACK_SIZE,

	.arg2_type	= ARG_PTR_TO_MEM,

	.arg3_type	= ARG_CONST_SIZE,

};

static const struct bpf_func_proto *

	.arg1_type	= ARG_PTR_TO_CTX,

	.arg2_type	= ARG_CONST_MAP_PTR,

	.arg3_type	= ARG_ANYTHING,

	.arg4_type	= ARG_PTR_TO_STACK,

	.arg5_type	= ARG_CONST_STACK_SIZE,

	.arg4_type	= ARG_PTR_TO_MEM,

	.arg5_type	= ARG_CONST_SIZE,

};

static const struct bpf_func_proto *