Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf

	return 0;

}

/* Fix the branch target addresses for subprog calls */

static int bpf_jit_fixup_subprog_calls(struct bpf_prog *fp, u32 *image,

				       struct codegen_context *ctx, u32 *addrs)

{

	const struct bpf_insn *insn = fp->insnsi;

	bool func_addr_fixed;

	u64 func_addr;

	u32 tmp_idx;

	int i, ret;

	for (i = 0; i < fp->len; i++) {

		/*

		 * During the extra pass, only the branch target addresses for

		 * the subprog calls need to be fixed. All other instructions

		 * can left untouched.

		 *

		 * The JITed image length does not change because we already

		 * ensure that the JITed instruction sequence for these calls

		 * are of fixed length by padding them with NOPs.

		 */

		if (insn[i].code == (BPF_JMP | BPF_CALL) &&

		    insn[i].src_reg == BPF_PSEUDO_CALL) {

			ret = bpf_jit_get_func_addr(fp, &insn[i], true,

						    &func_addr,

						    &func_addr_fixed);

			if (ret < 0)

				return ret;

			/*

			 * Save ctx->idx as this would currently point to the

			 * end of the JITed image and set it to the offset of

			 * the instruction sequence corresponding to the

			 * subprog call temporarily.

			 */

			tmp_idx = ctx->idx;

			ctx->idx = addrs[i] / 4;

			bpf_jit_emit_func_call_rel(image, ctx, func_addr);

			/*

			 * Restore ctx->idx here. This is safe as the length

			 * of the JITed sequence remains unchanged.

			 */

			ctx->idx = tmp_idx;

		}

	}

	return 0;

}

struct powerpc64_jit_data {

	struct bpf_binary_header *header;

	u32 *addrs;

skip_init_ctx:

	code_base = (u32 *)(image + FUNCTION_DESCR_SIZE);

	if (extra_pass) {

		/*

		 * Do not touch the prologue and epilogue as they will remain

		 * unchanged. Only fix the branch target address for subprog

		 * calls in the body.

		 *

		 * This does not change the offsets and lengths of the subprog

		 * call instruction sequences and hence, the size of the JITed

		 * image as well.

		 */

		bpf_jit_fixup_subprog_calls(fp, code_base, &cgctx, addrs);

		/* There is no need to perform the usual passes. */

		goto skip_codegen_passes;

	}

	/* Code generation passes 1-2 */

	for (pass = 1; pass < 3; pass++) {

		/* Now build the prologue, body code & epilogue for real. */

				proglen - (cgctx.idx * 4), cgctx.seen);

	}

skip_codegen_passes:

	if (bpf_jit_enable > 1)

		/*

		 * Note that we output the base address of the code_base

	offsetof(TYPE, MEMBER) ... offsetofend(TYPE, MEMBER) - 1

#define bpf_ctx_range_till(TYPE, MEMBER1, MEMBER2)				\

	offsetof(TYPE, MEMBER1) ... offsetofend(TYPE, MEMBER2) - 1

#if BITS_PER_LONG == 64

# define bpf_ctx_range_ptr(TYPE, MEMBER)					\

	offsetof(TYPE, MEMBER) ... offsetofend(TYPE, MEMBER) - 1

#else

# define bpf_ctx_range_ptr(TYPE, MEMBER)					\

	offsetof(TYPE, MEMBER) ... offsetof(TYPE, MEMBER) + 8 - 1

#endif /* BITS_PER_LONG == 64 */

#define bpf_target_off(TYPE, MEMBER, SIZE, PTR_SIZE)				\

	({									\

 *	Return

 *		0 on success, or a negative error in case of failure.

 *

 * struct bpf_sock *bpf_sk_lookup_tcp(void *ctx, struct bpf_sock_tuple *tuple, u32 tuple_size, u32 netns, u64 flags)

 * struct bpf_sock *bpf_sk_lookup_tcp(void *ctx, struct bpf_sock_tuple *tuple, u32 tuple_size, u64 netns, u64 flags)

 *	Description

 *		Look for TCP socket matching *tuple*, optionally in a child

 *		network namespace *netns*. The return value must be checked,

 *		**sizeof**\ (*tuple*\ **->ipv6**)

 *			Look for an IPv6 socket.

 *

 *		If the *netns* is zero, then the socket lookup table in the

 *		netns associated with the *ctx* will be used. For the TC hooks,

 *		this in the netns of the device in the skb. For socket hooks,

 *		this in the netns of the socket. If *netns* is non-zero, then

 *		it specifies the ID of the netns relative to the netns

 *		associated with the *ctx*.

 *		If the *netns* is a negative signed 32-bit integer, then the

 *		socket lookup table in the netns associated with the *ctx* will

 *		will be used. For the TC hooks, this is the netns of the device

 *		in the skb. For socket hooks, this is the netns of the socket.

 *		If *netns* is any other signed 32-bit value greater than or

 *		equal to zero then it specifies the ID of the netns relative to

 *		the netns associated with the *ctx*. *netns* values beyond the

 *		range of 32-bit integers are reserved for future use.

 *

 *		All values for *flags* are reserved for future usage, and must

 *		be left at zero.

 *		**CONFIG_NET** configuration option.

 *	Return

 *		Pointer to *struct bpf_sock*, or NULL in case of failure.

 *		For sockets with reuseport option, the *struct bpf_sock*

 *		result is from reuse->socks[] using the hash of the tuple.

 *

 * struct bpf_sock *bpf_sk_lookup_udp(void *ctx, struct bpf_sock_tuple *tuple, u32 tuple_size, u32 netns, u64 flags)

 * struct bpf_sock *bpf_sk_lookup_udp(void *ctx, struct bpf_sock_tuple *tuple, u32 tuple_size, u64 netns, u64 flags)

 *	Description

 *		Look for UDP socket matching *tuple*, optionally in a child

 *		network namespace *netns*. The return value must be checked,

 *		**sizeof**\ (*tuple*\ **->ipv6**)

 *			Look for an IPv6 socket.

 *

 *		If the *netns* is zero, then the socket lookup table in the

 *		netns associated with the *ctx* will be used. For the TC hooks,

 *		this in the netns of the device in the skb. For socket hooks,

 *		this in the netns of the socket. If *netns* is non-zero, then

 *		it specifies the ID of the netns relative to the netns

 *		associated with the *ctx*.

 *		If the *netns* is a negative signed 32-bit integer, then the

 *		socket lookup table in the netns associated with the *ctx* will

 *		will be used. For the TC hooks, this is the netns of the device

 *		in the skb. For socket hooks, this is the netns of the socket.

 *		If *netns* is any other signed 32-bit value greater than or

 *		equal to zero then it specifies the ID of the netns relative to

 *		the netns associated with the *ctx*. *netns* values beyond the

 *		range of 32-bit integers are reserved for future use.

 *

 *		All values for *flags* are reserved for future usage, and must

 *		be left at zero.

 *		**CONFIG_NET** configuration option.

 *	Return

 *		Pointer to *struct bpf_sock*, or NULL in case of failure.

 *		For sockets with reuseport option, the *struct bpf_sock*

 *		result is from reuse->socks[] using the hash of the tuple.

 *

 * int bpf_sk_release(struct bpf_sock *sk)

 *	Description

/* BPF_FUNC_perf_event_output for sk_buff input context. */

#define BPF_F_CTXLEN_MASK		(0xfffffULL << 32)

/* Current network namespace */

#define BPF_F_CURRENT_NETNS		(-1L)

/* Mode for BPF_FUNC_skb_adjust_room helper. */

enum bpf_adj_room_mode {

	BPF_ADJ_ROOM_NET,

	BPF_LWT_ENCAP_SEG6_INLINE

};

#define __bpf_md_ptr(type, name)	\

union {					\

	type name;			\

	__u64 :64;			\

} __attribute__((aligned(8)))

/* user accessible mirror of in-kernel sk_buff.

 * new fields can only be added to the end of this structure

 */

	/* ... here. */

	__u32 data_meta;

	struct bpf_flow_keys *flow_keys;

	__bpf_md_ptr(struct bpf_flow_keys *, flow_keys);

};

struct bpf_tunnel_key {

 * be added to the end of this structure

 */

struct sk_msg_md {

	void *data;

	void *data_end;

	__bpf_md_ptr(void *, data);

	__bpf_md_ptr(void *, data_end);

	__u32 family;

	__u32 remote_ip4;	/* Stored in network byte order */

	 * Start of directly accessible data. It begins from

	 * the tcp/udp header.

	 */

	void *data;

	void *data_end;		/* End of directly accessible data */

	__bpf_md_ptr(void *, data);

	/* End of directly accessible data */

	__bpf_md_ptr(void *, data_end);

	/*

	 * Total length of packet (starting from the tcp/udp header).

	 * Note that the directly accessible bytes (data_end - data)

#include <uapi/linux/types.h>

#include <linux/seq_file.h>

#include <linux/compiler.h>

#include <linux/ctype.h>

#include <linux/errno.h>

#include <linux/slab.h>

#include <linux/anon_inodes.h>

		offset < btf->hdr.str_len;

}

/* Only C-style identifier is permitted. This can be relaxed if

 * necessary.

 */

static bool btf_name_valid_identifier(const struct btf *btf, u32 offset)

{

	/* offset must be valid */

	const char *src = &btf->strings[offset];

	const char *src_limit;

	if (!isalpha(*src) && *src != '_')

		return false;

	/* set a limit on identifier length */

	src_limit = src + KSYM_NAME_LEN;

	src++;

	while (*src && src < src_limit) {

		if (!isalnum(*src) && *src != '_')

			return false;

		src++;

	}

	return !*src;

}

static const char *btf_name_by_offset(const struct btf *btf, u32 offset)

{

	if (!offset)

		return -EINVAL;

	}

	/* typedef type must have a valid name, and other ref types,

	 * volatile, const, restrict, should have a null name.

	 */

	if (BTF_INFO_KIND(t->info) == BTF_KIND_TYPEDEF) {

		if (!t->name_off ||

		    !btf_name_valid_identifier(env->btf, t->name_off)) {

			btf_verifier_log_type(env, t, "Invalid name");

			return -EINVAL;

		}

	} else {

		if (t->name_off) {

			btf_verifier_log_type(env, t, "Invalid name");

			return -EINVAL;

		}

	}

	btf_verifier_log_type(env, t, NULL);

	return 0;

		return -EINVAL;

	}

	/* fwd type must have a valid name */

	if (!t->name_off ||

	    !btf_name_valid_identifier(env->btf, t->name_off)) {

		btf_verifier_log_type(env, t, "Invalid name");

		return -EINVAL;

	}

	btf_verifier_log_type(env, t, NULL);

	return 0;

		return -EINVAL;

	}

	/* array type should not have a name */

	if (t->name_off) {

		btf_verifier_log_type(env, t, "Invalid name");

		return -EINVAL;

	}

	if (btf_type_vlen(t)) {

		btf_verifier_log_type(env, t, "vlen != 0");

		return -EINVAL;

		return -EINVAL;

	}

	/* struct type either no name or a valid one */

	if (t->name_off &&

	    !btf_name_valid_identifier(env->btf, t->name_off)) {

		btf_verifier_log_type(env, t, "Invalid name");

		return -EINVAL;

	}

	btf_verifier_log_type(env, t, NULL);

	last_offset = 0;

			return -EINVAL;

		}

		/* struct member either no name or a valid one */

		if (member->name_off &&

		    !btf_name_valid_identifier(btf, member->name_off)) {

			btf_verifier_log_member(env, t, member, "Invalid name");

			return -EINVAL;

		}

		/* A member cannot be in type void */

		if (!member->type || !BTF_TYPE_ID_VALID(member->type)) {

			btf_verifier_log_member(env, t, member,

		return -EINVAL;

	}

	/* enum type either no name or a valid one */

	if (t->name_off &&

	    !btf_name_valid_identifier(env->btf, t->name_off)) {

		btf_verifier_log_type(env, t, "Invalid name");

		return -EINVAL;

	}

	btf_verifier_log_type(env, t, NULL);

	for (i = 0; i < nr_enums; i++) {

			return -EINVAL;

		}

		/* enum member must have a valid name */

		if (!enums[i].name_off ||

		    !btf_name_valid_identifier(btf, enums[i].name_off)) {

			btf_verifier_log_type(env, t, "Invalid name");

			return -EINVAL;

		}

		btf_verifier_log(env, "\t%s val=%d\n",

				 btf_name_by_offset(btf, enums[i].name_off),

				 enums[i].val);

#define BPF_COMPLEXITY_LIMIT_INSNS	131072

#define BPF_COMPLEXITY_LIMIT_STACK	1024

#define BPF_COMPLEXITY_LIMIT_STATES	64

#define BPF_MAP_PTR_UNPRIV	1UL

#define BPF_MAP_PTR_POISON	((void *)((0xeB9FUL << 1) +	\

	}

}

/* compute branch direction of the expression "if (reg opcode val) goto target;"

 * and return:

 *  1 - branch will be taken and "goto target" will be executed

 *  0 - branch will not be taken and fall-through to next insn

 * -1 - unknown. Example: "if (reg < 5)" is unknown when register value range [0,10]

 */

static int is_branch_taken(struct bpf_reg_state *reg, u64 val, u8 opcode)

{

	if (__is_pointer_value(false, reg))

		return -1;

	switch (opcode) {

	case BPF_JEQ:

		if (tnum_is_const(reg->var_off))

			return !!tnum_equals_const(reg->var_off, val);

		break;

	case BPF_JNE:

		if (tnum_is_const(reg->var_off))

			return !tnum_equals_const(reg->var_off, val);

		break;

	case BPF_JGT:

		if (reg->umin_value > val)

			return 1;

		else if (reg->umax_value <= val)

			return 0;

		break;

	case BPF_JSGT:

		if (reg->smin_value > (s64)val)

			return 1;

		else if (reg->smax_value < (s64)val)

			return 0;

		break;

	case BPF_JLT:

		if (reg->umax_value < val)

			return 1;

		else if (reg->umin_value >= val)

			return 0;

		break;

	case BPF_JSLT:

		if (reg->smax_value < (s64)val)

			return 1;

		else if (reg->smin_value >= (s64)val)

			return 0;

		break;

	case BPF_JGE:

		if (reg->umin_value >= val)

			return 1;

		else if (reg->umax_value < val)

			return 0;

		break;

	case BPF_JSGE:

		if (reg->smin_value >= (s64)val)

			return 1;

		else if (reg->smax_value < (s64)val)

			return 0;

		break;

	case BPF_JLE:

		if (reg->umax_value <= val)

			return 1;

		else if (reg->umin_value > val)

			return 0;

		break;

	case BPF_JSLE:

		if (reg->smax_value <= (s64)val)

			return 1;

		else if (reg->smin_value > (s64)val)

			return 0;

		break;

	}

	return -1;

}

/* Adjusts the register min/max values in the case that the dst_reg is the

 * variable register that we are working on, and src_reg is a constant or we're

 * simply doing a BPF_K check.

	dst_reg = &regs[insn->dst_reg];

	/* detect if R == 0 where R was initialized to zero earlier */

	if (BPF_SRC(insn->code) == BPF_K &&

	    (opcode == BPF_JEQ || opcode == BPF_JNE) &&

	    dst_reg->type == SCALAR_VALUE &&

	    tnum_is_const(dst_reg->var_off)) {

		if ((opcode == BPF_JEQ && dst_reg->var_off.value == insn->imm) ||

		    (opcode == BPF_JNE && dst_reg->var_off.value != insn->imm)) {

			/* if (imm == imm) goto pc+off;

			 * only follow the goto, ignore fall-through

			 */

	if (BPF_SRC(insn->code) == BPF_K) {

		int pred = is_branch_taken(dst_reg, insn->imm, opcode);

		if (pred == 1) {

			 /* only follow the goto, ignore fall-through */

			*insn_idx += insn->off;

			return 0;

		} else {

			/* if (imm != imm) goto pc+off;

			 * only follow fall-through branch, since

		} else if (pred == 0) {

			/* only follow fall-through branch, since

			 * that's where the program will go

			 */

			return 0;

	struct bpf_verifier_state_list *new_sl;

	struct bpf_verifier_state_list *sl;

	struct bpf_verifier_state *cur = env->cur_state, *new;

	int i, j, err;

	int i, j, err, states_cnt = 0;

	sl = env->explored_states[insn_idx];

	if (!sl)

			return 1;

		}

		sl = sl->next;

		states_cnt++;

	}

	if (!env->allow_ptr_leaks && states_cnt > BPF_COMPLEXITY_LIMIT_STATES)

		return 0;

	/* there were no equivalent states, remember current one.

	 * technically the current state is not proven to be safe yet,

	 * but it will either reach outer most bpf_exit (which means it's safe)

			goto process_bpf_exit;

		}

		if (signal_pending(current))

			return -EAGAIN;

		if (need_resched())

			cond_resched();