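Lines Matching refs:regno

Each entry gives the source line number and the matching line, followed where applicable by the enclosing function (`in f()`) and, on a line that declares `regno`, its role (`argument`, `local` or `member`). Entries are single matching lines, not complete definitions.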

280 	int regno;  member
2216 struct bpf_reg_state *regs, u32 regno) in mark_reg_known_zero() argument
2218 if (WARN_ON(regno >= MAX_BPF_REG)) { in mark_reg_known_zero()
2219 verbose(env, "mark_reg_known_zero(regs, %u)\n", regno); in mark_reg_known_zero()
2221 for (regno = 0; regno < MAX_BPF_REG; regno++) in mark_reg_known_zero()
2222 __mark_reg_not_init(env, regs + regno); in mark_reg_known_zero()
2225 __mark_reg_known_zero(regs + regno); in mark_reg_known_zero()
2272 static void mark_reg_graph_node(struct bpf_reg_state *regs, u32 regno, in mark_reg_graph_node() argument
2275 __mark_reg_known_zero(&regs[regno]); in mark_reg_graph_node()
2276 regs[regno].type = PTR_TO_BTF_ID | MEM_ALLOC; in mark_reg_graph_node()
2277 regs[regno].btf = ds_head->btf; in mark_reg_graph_node()
2278 regs[regno].btf_id = ds_head->value_btf_id; in mark_reg_graph_node()
2279 regs[regno].off = ds_head->node_offset; in mark_reg_graph_node()
2807 struct bpf_reg_state *regs, u32 regno) in mark_reg_unknown() argument
2809 if (WARN_ON(regno >= MAX_BPF_REG)) { in mark_reg_unknown()
2810 verbose(env, "mark_reg_unknown(regs, %u)\n", regno); in mark_reg_unknown()
2812 for (regno = 0; regno < BPF_REG_FP; regno++) in mark_reg_unknown()
2813 __mark_reg_not_init(env, regs + regno); in mark_reg_unknown()
2816 __mark_reg_unknown(env, regs + regno); in mark_reg_unknown()
2821 u32 regno, in __mark_reg_s32_range() argument
2825 struct bpf_reg_state *reg = regs + regno; in __mark_reg_s32_range()
2846 struct bpf_reg_state *regs, u32 regno) in mark_reg_not_init() argument
2848 if (WARN_ON(regno >= MAX_BPF_REG)) { in mark_reg_not_init()
2849 verbose(env, "mark_reg_not_init(regs, %u)\n", regno); in mark_reg_not_init()
2851 for (regno = 0; regno < BPF_REG_FP; regno++) in mark_reg_not_init()
2852 __mark_reg_not_init(env, regs + regno); in mark_reg_not_init()
2855 __mark_reg_not_init(env, regs + regno); in mark_reg_not_init()
2859 struct bpf_reg_state *regs, u32 regno, in mark_btf_ld_reg() argument
2866 mark_reg_unknown(env, regs, regno); in mark_btf_ld_reg()
2869 mark_reg_known_zero(env, regs, regno); in mark_btf_ld_reg()
2870 regs[regno].type = PTR_TO_BTF_ID | flag; in mark_btf_ld_reg()
2871 regs[regno].btf = btf; in mark_btf_ld_reg()
2872 regs[regno].btf_id = btf_id; in mark_btf_ld_reg()
2874 regs[regno].id = ++env->id_gen; in mark_btf_ld_reg()
2877 mark_reg_known_zero(env, regs, regno); in mark_btf_ld_reg()
2878 regs[regno].type = PTR_TO_MEM | flag; in mark_btf_ld_reg()
2879 regs[regno].mem_size = 0; in mark_btf_ld_reg()
3645 u32 regno, struct bpf_reg_state *reg, enum reg_arg_type t) in is_reg64() argument
3715 if (regno == BPF_REG_6) in is_reg64()
3778 static int __check_reg_arg(struct bpf_verifier_env *env, struct bpf_reg_state *regs, u32 regno, in __check_reg_arg() argument
3785 if (regno >= MAX_BPF_REG) { in __check_reg_arg()
3786 verbose(env, "R%d is invalid\n", regno); in __check_reg_arg()
3790 mark_reg_scratched(env, regno); in __check_reg_arg()
3792 reg = &regs[regno]; in __check_reg_arg()
3793 rw64 = is_reg64(insn, regno, reg, t); in __check_reg_arg()
3797 verbose(env, "R%d !read_ok\n", regno); in __check_reg_arg()
3801 if (regno == BPF_REG_FP) in __check_reg_arg()
3810 if (regno == BPF_REG_FP) { in __check_reg_arg()
3816 mark_reg_unknown(env, regs, regno); in __check_reg_arg()
3821 static int check_reg_arg(struct bpf_verifier_env *env, u32 regno, in check_reg_arg() argument
3827 return __check_reg_arg(env, state->regs, regno, t); in check_reg_arg()
3870 u8 regno; member
4209 if ((e->is_reg && bt_is_frame_reg_set(bt, e->frameno, e->regno)) || in bt_sync_linked_regs()
4223 bt_set_frame_reg(bt, e->frameno, e->regno); in bt_sync_linked_regs()
4744 int regno, in __mark_chain_precision() argument
4769 if (regno >= 0) { in __mark_chain_precision()
4770 reg = &func->regs[regno]; in __mark_chain_precision()
4775 bt_set_reg(bt, regno); in __mark_chain_precision()
4927 int mark_chain_precision(struct bpf_verifier_env *env, int regno) in mark_chain_precision() argument
4929 return __mark_chain_precision(env, env->cur_state, regno, NULL); in mark_chain_precision()
5519 int regno, int off, int access_size,
5524 static struct bpf_reg_state *reg_state(struct bpf_verifier_env *env, int regno) in reg_state() argument
5526 return cur_regs(env) + regno; in reg_state()
5654 static int check_map_access_type(struct bpf_verifier_env *env, u32 regno, in check_map_access_type() argument
5658 struct bpf_map *map = regs[regno].map_ptr; in check_map_access_type()
5677 static int __check_mem_access(struct bpf_verifier_env *env, int regno, in __check_mem_access() argument
5687 reg = &cur_regs(env)[regno]; in __check_mem_access()
5701 off, size, regno, reg->id, off, mem_size); in __check_mem_access()
5713 static int check_mem_region_access(struct bpf_verifier_env *env, u32 regno, in check_mem_region_access() argument
5719 struct bpf_reg_state *reg = &state->regs[regno]; in check_mem_region_access()
5737 regno); in check_mem_region_access()
5740 err = __check_mem_access(env, regno, reg->smin_value + off, size, in check_mem_region_access()
5744 regno); in check_mem_region_access()
5754 regno); in check_mem_region_access()
5757 err = __check_mem_access(env, regno, reg->umax_value + off, size, in check_mem_region_access()
5761 regno); in check_mem_region_access()
5769 const struct bpf_reg_state *reg, int regno, in __check_ptr_off_reg() argument
5778 reg_type_str(env, reg->type), regno, reg->off); in __check_ptr_off_reg()
5784 reg_type_str(env, reg->type), regno, reg->off); in __check_ptr_off_reg()
5801 const struct bpf_reg_state *reg, int regno) in check_ptr_off_reg() argument
5803 return __check_ptr_off_reg(env, reg, regno, false); in check_ptr_off_reg()
5808 struct bpf_reg_state *reg, u32 regno) in map_kptr_match_type() argument
5838 if (__check_ptr_off_reg(env, reg, regno, true)) in map_kptr_match_type()
5871 verbose(env, "invalid kptr access, R%d type=%s%s ", regno, in map_kptr_match_type()
5965 static int mark_uptr_ld_reg(struct bpf_verifier_env *env, u32 regno, in mark_uptr_ld_reg() argument
5972 mark_reg_known_zero(env, cur_regs(env), regno); in mark_uptr_ld_reg()
5973 reg = reg_state(env, regno); in mark_uptr_ld_reg()
5981 static int check_map_kptr_access(struct bpf_verifier_env *env, u32 regno, in check_map_kptr_access() argument
6058 static int check_map_access(struct bpf_verifier_env *env, u32 regno, in check_map_access() argument
6064 struct bpf_reg_state *reg = &state->regs[regno]; in check_map_access()
6070 err = check_mem_region_access(env, regno, off, size, mem_size, zero_size_allowed); in check_map_access()
6168 static int check_packet_access(struct bpf_verifier_env *env, u32 regno, int off, in check_packet_access() argument
6172 struct bpf_reg_state *reg = &regs[regno]; in check_packet_access()
6185 regno); in check_packet_access()
6190 __check_mem_access(env, regno, off, size, reg->range, in check_packet_access()
6193 verbose(env, "R%d offset is outside of the packet\n", regno); in check_packet_access()
6256 u32 regno, int off, int size, in check_sock_access() argument
6260 struct bpf_reg_state *reg = &regs[regno]; in check_sock_access()
6266 regno); in check_sock_access()
6295 regno, reg_type_str(env, reg->type), off, size); in check_sock_access()
6300 static bool is_pointer_value(struct bpf_verifier_env *env, int regno) in is_pointer_value() argument
6302 return __is_pointer_value(env->allow_ptr_leaks, reg_state(env, regno)); in is_pointer_value()
6305 static bool is_ctx_reg(struct bpf_verifier_env *env, int regno) in is_ctx_reg() argument
6307 const struct bpf_reg_state *reg = reg_state(env, regno); in is_ctx_reg()
6312 static bool is_sk_reg(struct bpf_verifier_env *env, int regno) in is_sk_reg() argument
6314 const struct bpf_reg_state *reg = reg_state(env, regno); in is_sk_reg()
6319 static bool is_pkt_reg(struct bpf_verifier_env *env, int regno) in is_pkt_reg() argument
6321 const struct bpf_reg_state *reg = reg_state(env, regno); in is_pkt_reg()
6326 static bool is_flow_key_reg(struct bpf_verifier_env *env, int regno) in is_flow_key_reg() argument
6328 const struct bpf_reg_state *reg = reg_state(env, regno); in is_flow_key_reg()
6334 static bool is_arena_reg(struct bpf_verifier_env *env, int regno) in is_arena_reg() argument
6336 const struct bpf_reg_state *reg = reg_state(env, regno); in is_arena_reg()
6344 static bool atomic_ptr_type_ok(struct bpf_verifier_env *env, int regno, in atomic_ptr_type_ok() argument
6347 if (is_ctx_reg(env, regno)) in atomic_ptr_type_ok()
6349 if (is_pkt_reg(env, regno)) in atomic_ptr_type_ok()
6351 if (is_flow_key_reg(env, regno)) in atomic_ptr_type_ok()
6353 if (is_sk_reg(env, regno)) in atomic_ptr_type_ok()
6355 if (is_arena_reg(env, regno)) in atomic_ptr_type_ok()
6786 int regno, int off, int size) in __check_buffer_access() argument
6791 regno, buf_info, off, size); in __check_buffer_access()
6800 regno, off, tn_buf); in __check_buffer_access()
6809 int regno, int off, int size) in check_tp_buffer_access() argument
6813 err = __check_buffer_access(env, "tracepoint", reg, regno, off, size); in check_tp_buffer_access()
6825 int regno, int off, int size, in check_buffer_access() argument
6832 err = __check_buffer_access(env, buf_info, reg, regno, off, size); in check_buffer_access()
7206 int regno, int off, int size, in check_ptr_to_btf_access() argument
7210 struct bpf_reg_state *reg = regs + regno; in check_ptr_to_btf_access()
7233 regno, tname, off); in check_ptr_to_btf_access()
7242 regno, tname, off, tn_buf); in check_ptr_to_btf_access()
7249 regno, tname, off); in check_ptr_to_btf_access()
7256 regno, tname, off); in check_ptr_to_btf_access()
7359 int regno, int off, int size, in check_ptr_to_map_access() argument
7363 struct bpf_reg_state *reg = regs + regno; in check_ptr_to_map_access()
7395 regno, tname, off); in check_ptr_to_map_access()
7453 int regno, int off, int access_size, in check_stack_access_within_bounds() argument
7457 struct bpf_reg_state *reg = regs + regno; in check_stack_access_within_bounds()
7475 err_extra, regno); in check_stack_access_within_bounds()
7494 err_extra, regno, off, access_size); in check_stack_access_within_bounds()
7500 err_extra, regno, tn_buf, off, access_size); in check_stack_access_within_bounds()
7528 static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regno, in check_mem_access() argument
7533 struct bpf_reg_state *reg = regs + regno; in check_mem_access()
7550 verbose(env, "write to change key R%d not allowed\n", regno); in check_mem_access()
7554 err = check_mem_region_access(env, regno, off, size, in check_mem_access()
7568 err = check_map_access_type(env, regno, off, size, t); in check_mem_access()
7571 err = check_map_access(env, regno, off, size, false, ACCESS_DIRECT); in check_mem_access()
7578 err = check_map_kptr_access(env, regno, value_regno, insn_idx, kptr_field); in check_mem_access()
7617 verbose(env, "R%d invalid mem access '%s'\n", regno, in check_mem_access()
7624 regno, reg_type_str(env, reg->type)); in check_mem_access()
7639 err = check_mem_region_access(env, regno, off, size, in check_mem_access()
7657 err = check_ptr_off_reg(env, reg, regno); in check_mem_access()
7700 err = check_stack_access_within_bounds(env, regno, off, size, t); in check_mem_access()
7705 err = check_stack_read(env, regno, off, size, in check_mem_access()
7708 err = check_stack_write(env, regno, off, size, in check_mem_access()
7721 err = check_packet_access(env, regno, off, size, false); in check_mem_access()
7738 regno, reg_type_str(env, reg->type)); in check_mem_access()
7741 err = check_sock_access(env, insn_idx, regno, off, size, t); in check_mem_access()
7745 err = check_tp_buffer_access(env, reg, regno, off, size); in check_mem_access()
7750 err = check_ptr_to_btf_access(env, regs, regno, off, size, t, in check_mem_access()
7753 err = check_ptr_to_map_access(env, regs, regno, off, size, t, in check_mem_access()
7762 regno, reg_type_str(env, reg->type)); in check_mem_access()
7770 err = check_buffer_access(env, reg, regno, off, size, false, in check_mem_access()
7779 verbose(env, "R%d invalid mem access '%s'\n", regno, in check_mem_access()
8032 struct bpf_verifier_env *env, int regno, int off, in check_stack_range_initialized() argument
8036 struct bpf_reg_state *reg = reg_state(env, regno); in check_stack_range_initialized()
8052 err = check_stack_access_within_bounds(env, regno, off, access_size, type); in check_stack_range_initialized()
8070 regno, tn_buf); in check_stack_range_initialized()
8113 meta->regno = regno; in check_stack_range_initialized()
8152 regno, min_off, i - min_off, access_size); in check_stack_range_initialized()
8158 regno, tn_buf, i - min_off, access_size); in check_stack_range_initialized()
8177 static int check_helper_mem_access(struct bpf_verifier_env *env, int regno, in check_helper_mem_access() argument
8182 struct bpf_reg_state *regs = cur_regs(env), *reg = &regs[regno]; in check_helper_mem_access()
8188 return check_packet_access(env, regno, reg->off, access_size, in check_helper_mem_access()
8192 verbose(env, "R%d cannot write into %s\n", regno, in check_helper_mem_access()
8196 return check_mem_region_access(env, regno, reg->off, access_size, in check_helper_mem_access()
8199 if (check_map_access_type(env, regno, reg->off, access_size, access_type)) in check_helper_mem_access()
8201 return check_map_access(env, regno, reg->off, access_size, in check_helper_mem_access()
8206 verbose(env, "R%d cannot write into %s\n", regno, in check_helper_mem_access()
8211 return check_mem_region_access(env, regno, reg->off, in check_helper_mem_access()
8217 verbose(env, "R%d cannot write into %s\n", regno, in check_helper_mem_access()
8226 return check_buffer_access(env, reg, regno, reg->off, in check_helper_mem_access()
8232 regno, reg->off, access_size, in check_helper_mem_access()
8235 return check_ptr_to_btf_access(env, regs, regno, reg->off, in check_helper_mem_access()
8250 return check_mem_access(env, env->insn_idx, regno, offset, BPF_B, in check_helper_mem_access()
8261 verbose(env, "R%d type=%s ", regno, in check_helper_mem_access()
8275 struct bpf_reg_state *reg, u32 regno, in check_mem_size_reg() argument
8302 regno); in check_mem_size_reg()
8308 regno, reg->umin_value, reg->umax_value); in check_mem_size_reg()
8314 regno); in check_mem_size_reg()
8317 err = check_helper_mem_access(env, regno - 1, reg->umax_value, in check_mem_size_reg()
8320 err = mark_chain_precision(env, regno); in check_mem_size_reg()
8325 u32 regno, u32 mem_size) in check_mem_reg() argument
8343 err = check_helper_mem_access(env, regno, mem_size, BPF_READ, true, NULL); in check_mem_reg()
8344 err = err ?: check_helper_mem_access(env, regno, mem_size, BPF_WRITE, true, NULL); in check_mem_reg()
8353 u32 regno) in check_kfunc_mem_size_reg() argument
8355 struct bpf_reg_state *mem_reg = &cur_regs(env)[regno - 1]; in check_kfunc_mem_size_reg()
8361 WARN_ON_ONCE(regno < BPF_REG_2 || regno > BPF_REG_5); in check_kfunc_mem_size_reg()
8370 err = check_mem_size_reg(env, reg, regno, BPF_READ, true, &meta); in check_kfunc_mem_size_reg()
8371 err = err ?: check_mem_size_reg(env, reg, regno, BPF_WRITE, true, &meta); in check_kfunc_mem_size_reg()
8407 static int process_spin_lock(struct bpf_verifier_env *env, int regno, int flags) in process_spin_lock() argument
8411 struct bpf_reg_state *regs = cur_regs(env), *reg = &regs[regno]; in process_spin_lock()
8425 regno, lock_str); in process_spin_lock()
8524 static int check_map_field_pointer(struct bpf_verifier_env *env, u32 regno, in check_map_field_pointer() argument
8527 struct bpf_reg_state *regs = cur_regs(env), *reg = &regs[regno]; in check_map_field_pointer()
8537 regno, struct_name); in check_map_field_pointer()
8571 static int process_timer_func(struct bpf_verifier_env *env, int regno, in process_timer_func() argument
8574 struct bpf_reg_state *regs = cur_regs(env), *reg = &regs[regno]; in process_timer_func()
8578 err = check_map_field_pointer(env, regno, BPF_TIMER); in process_timer_func()
8595 static int process_wq_func(struct bpf_verifier_env *env, int regno, in process_wq_func() argument
8598 struct bpf_reg_state *regs = cur_regs(env), *reg = &regs[regno]; in process_wq_func()
8602 err = check_map_field_pointer(env, regno, BPF_WORKQUEUE); in process_wq_func()
8616 static int process_task_work_func(struct bpf_verifier_env *env, int regno, in process_task_work_func() argument
8619 struct bpf_reg_state *regs = cur_regs(env), *reg = &regs[regno]; in process_task_work_func()
8623 err = check_map_field_pointer(env, regno, BPF_TASK_WORK); in process_task_work_func()
8636 static int process_kptr_func(struct bpf_verifier_env *env, int regno, in process_kptr_func() argument
8639 struct bpf_reg_state *regs = cur_regs(env), *reg = &regs[regno]; in process_kptr_func()
8661 regno); in process_kptr_func()
8666 verbose(env, "R%d has no valid kptr\n", regno); in process_kptr_func()
8709 static int process_dynptr_func(struct bpf_verifier_env *env, int regno, int insn_idx, in process_dynptr_func() argument
8712 struct bpf_reg_state *regs = cur_regs(env), *reg = &regs[regno]; in process_dynptr_func()
8718 regno - 1); in process_dynptr_func()
8755 err = check_mem_access(env, insn_idx, regno, in process_dynptr_func()
8772 regno - 1); in process_dynptr_func()
8780 dynptr_type_str(arg_to_dynptr_type(arg_type)), regno - 1); in process_dynptr_func()
8829 static int process_iter_arg(struct bpf_verifier_env *env, int regno, int insn_idx, in process_iter_arg() argument
8832 struct bpf_reg_state *regs = cur_regs(env), *reg = &regs[regno]; in process_iter_arg()
8837 verbose(env, "arg#%d expected pointer to an iterator on stack\n", regno - 1); in process_iter_arg()
8847 btf_id = btf_check_iter_arg(meta->btf, meta->func_proto, regno - 1); in process_iter_arg()
8849 verbose(env, "expected valid iter pointer as arg #%d\n", regno - 1); in process_iter_arg()
8859 iter_type_str(meta->btf, btf_id), regno - 1); in process_iter_arg()
8864 err = check_mem_access(env, insn_idx, regno, in process_iter_arg()
8883 iter_type_str(meta->btf, btf_id), regno - 1); in process_iter_arg()
9299 static int check_reg_type(struct bpf_verifier_env *env, u32 regno, in check_reg_type() argument
9304 struct bpf_reg_state *regs = cur_regs(env), *reg = &regs[regno]; in check_reg_type()
9335 if (meta->func_id == BPF_FUNC_kptr_xchg && type_is_alloc(type) && regno == BPF_REG_2) { in check_reg_type()
9349 verbose(env, "R%d type=%s expected=", regno, reg_type_str(env, reg->type)); in check_reg_type()
9364 regno, reg_type_str(env, reg->type)); in check_reg_type()
9387 verbose(env, "Possibly NULL pointer passed to helper arg%d\n", regno); in check_reg_type()
9400 if (map_kptr_match_type(env, meta->kptr_field, reg, regno)) in check_reg_type()
9406 regno); in check_reg_type()
9414 regno, btf_type_name(reg->btf, reg->btf_id), in check_reg_type()
9429 if (meta->func_id == BPF_FUNC_kptr_xchg && regno == BPF_REG_2) { in check_reg_type()
9430 if (map_kptr_match_type(env, meta->kptr_field, reg, regno)) in check_reg_type()
9464 const struct bpf_reg_state *reg, int regno, in check_func_arg_reg_off() argument
9491 regno); in check_func_arg_reg_off()
9494 return __check_ptr_off_reg(env, reg, regno, false); in check_func_arg_reg_off()
9528 return __check_ptr_off_reg(env, reg, regno, true); in check_func_arg_reg_off()
9530 return __check_ptr_off_reg(env, reg, regno, false); in check_func_arg_reg_off()
9601 struct bpf_reg_state *reg, u32 regno) in check_reg_const_str() argument
9613 verbose(env, "R%d does not point to a readonly map'\n", regno); in check_reg_const_str()
9618 verbose(env, "R%d is not a constant address'\n", regno); in check_reg_const_str()
9627 err = check_map_access(env, regno, reg->off, in check_reg_const_str()
9716 u32 regno = BPF_REG_1 + arg; in check_func_arg() local
9717 struct bpf_reg_state *regs = cur_regs(env), *reg = &regs[regno]; in check_func_arg()
9727 err = check_reg_arg(env, regno, SRC_OP); in check_func_arg()
9732 if (is_pointer_value(env, regno)) { in check_func_arg()
9734 regno); in check_func_arg()
9763 err = check_reg_type(env, regno, arg_type, arg_btf_id, meta); in check_func_arg()
9767 err = check_func_arg_reg_off(env, reg, regno, arg_type); in check_func_arg()
9785 verbose(env, "arg %d is an unacquired reference\n", regno); in check_func_arg()
9794 regno); in check_func_arg()
9801 meta->release_regno = regno; in check_func_arg()
9807 regno, reg->ref_obj_id, in check_func_arg()
9856 err = check_helper_mem_access(env, regno, key_size, BPF_READ, false, NULL); in check_func_arg()
9883 err = check_helper_mem_access(env, regno, meta->map_ptr->value_size, in check_func_arg()
9889 verbose(env, "Helper has invalid btf_id in R%d\n", regno); in check_func_arg()
9901 err = process_spin_lock(env, regno, PROCESS_SPIN_LOCK); in check_func_arg()
9905 err = process_spin_lock(env, regno, 0); in check_func_arg()
9914 err = process_timer_func(env, regno, meta); in check_func_arg()
9927 err = check_helper_mem_access(env, regno, fn->arg_size[arg], in check_func_arg()
9937 err = check_mem_size_reg(env, reg, regno, in check_func_arg()
9943 err = check_mem_size_reg(env, reg, regno, in check_func_arg()
9949 err = process_dynptr_func(env, regno, insn_idx, arg_type, 0); in check_func_arg()
9956 regno); in check_func_arg()
9960 err = mark_chain_precision(env, regno); in check_func_arg()
9966 err = check_reg_const_str(env, reg, regno); in check_func_arg()
9972 err = process_kptr_func(env, regno, meta); in check_func_arg()
10538 u32 regno = i + 1; in btf_check_func_arg_match() local
10539 struct bpf_reg_state *reg = &regs[regno]; in btf_check_func_arg_match()
10544 bpf_log(log, "R%d is not a scalar\n", regno); in btf_check_func_arg_match()
10554 ret = check_func_arg_reg_off(env, reg, regno, ARG_DONTCARE); in btf_check_func_arg_match()
10565 ret = check_func_arg_reg_off(env, reg, regno, ARG_DONTCARE); in btf_check_func_arg_match()
10568 if (check_mem_reg(env, reg, regno, arg->mem_size)) in btf_check_func_arg_match()
10583 bpf_log(log, "R%d is not a pointer to arena or scalar.\n", regno); in btf_check_func_arg_match()
10587 ret = check_func_arg_reg_off(env, reg, regno, ARG_PTR_TO_DYNPTR); in btf_check_func_arg_match()
10591 ret = process_dynptr_func(env, regno, -1, arg->arg_type, 0); in btf_check_func_arg_match()
10602 err = check_reg_type(env, regno, arg->arg_type, &arg->btf_id, &meta); in btf_check_func_arg_match()
10603 err = err ?: check_func_arg_reg_off(env, reg, regno, arg->arg_type); in btf_check_func_arg_match()
11581 err = check_mem_access(env, insn_idx, meta.regno, i, BPF_B, in check_helper_call()
12013 u32 regno, size_t reg_size) in __mark_btf_func_reg_size() argument
12015 struct bpf_reg_state *reg = &regs[regno]; in __mark_btf_func_reg_size()
12017 if (regno == BPF_REG_0) { in __mark_btf_func_reg_size()
12027 static void mark_btf_func_reg_size(struct bpf_verifier_env *env, u32 regno, in mark_btf_func_reg_size() argument
12030 return __mark_btf_func_reg_size(env, cur_regs(env), regno, reg_size); in mark_btf_func_reg_size()
12506 u32 regno = argno + 1; in get_kfunc_ptr_arg_type() local
12508 struct bpf_reg_state *reg = &regs[regno]; in get_kfunc_ptr_arg_type()
12580 (is_kfunc_arg_mem_size(meta->btf, &args[argno + 1], &regs[regno + 1]) || in get_kfunc_ptr_arg_type()
12581 is_kfunc_arg_const_mem_size(meta->btf, &args[argno + 1], &regs[regno + 1]))) in get_kfunc_ptr_arg_type()
12670 static int process_irq_flag(struct bpf_verifier_env *env, int regno, in process_irq_flag() argument
12673 struct bpf_reg_state *regs = cur_regs(env), *reg = &regs[regno]; in process_irq_flag()
12694 verbose(env, "expected uninitialized irq flag as arg#%d\n", regno - 1); in process_irq_flag()
12698 err = check_mem_access(env, env->insn_idx, regno, 0, BPF_DW, BPF_WRITE, -1, false, false); in process_irq_flag()
12708 verbose(env, "expected an initialized irq flag as arg#%d\n", regno - 1); in process_irq_flag()
12986 struct bpf_reg_state *reg, u32 regno, in __process_kf_arg_ptr_to_graph_root() argument
13008 regno, head_type_name); in __process_kf_arg_ptr_to_graph_root()
13036 struct bpf_reg_state *reg, u32 regno, in process_kf_arg_ptr_to_list_head() argument
13039 return __process_kf_arg_ptr_to_graph_root(env, reg, regno, meta, BPF_LIST_HEAD, in process_kf_arg_ptr_to_list_head()
13044 struct bpf_reg_state *reg, u32 regno, in process_kf_arg_ptr_to_rbtree_root() argument
13047 return __process_kf_arg_ptr_to_graph_root(env, reg, regno, meta, BPF_RB_ROOT, in process_kf_arg_ptr_to_rbtree_root()
13053 struct bpf_reg_state *reg, u32 regno, in __process_kf_arg_ptr_to_graph_node() argument
13076 regno, node_type_name); in __process_kf_arg_ptr_to_graph_node()
13117 struct bpf_reg_state *reg, u32 regno, in process_kf_arg_ptr_to_list_node() argument
13120 return __process_kf_arg_ptr_to_graph_node(env, reg, regno, meta, in process_kf_arg_ptr_to_list_node()
13126 struct bpf_reg_state *reg, u32 regno, in process_kf_arg_ptr_to_rbtree_node() argument
13129 return __process_kf_arg_ptr_to_graph_node(env, reg, regno, meta, in process_kf_arg_ptr_to_rbtree_node()
13181 u32 regno = i + 1, ref_id, type_size; in check_kfunc_args() local
13197 cur_aux(env)->arg_prog = regno; in check_kfunc_args()
13203 verbose(env, "R%d is not a scalar\n", regno); in check_kfunc_args()
13213 verbose(env, "R%d must be a known constant\n", regno); in check_kfunc_args()
13216 ret = mark_chain_precision(env, regno); in check_kfunc_args()
13235 verbose(env, "R%d is not a const\n", regno); in check_kfunc_args()
13240 ret = mark_chain_precision(env, regno); in check_kfunc_args()
13262 regno, reg->ref_obj_id, in check_kfunc_args()
13268 meta->release_regno = regno; in check_kfunc_args()
13283 verbose(env, "pointer in R%d isn't map pointer\n", regno); in check_kfunc_args()
13324 verbose(env, "R%d must be referenced or trusted\n", regno); in check_kfunc_args()
13328 verbose(env, "R%d must be a rcu pointer\n", regno); in check_kfunc_args()
13357 ret = check_func_arg_reg_off(env, reg, regno, arg_type); in check_kfunc_args()
13421 meta->release_regno = regno; in check_kfunc_args()
13439 ret = process_dynptr_func(env, regno, insn_idx, dynptr_arg_type, clone_ref_obj_id); in check_kfunc_args()
13464 ret = process_iter_arg(env, regno, insn_idx, meta); in check_kfunc_args()
13478 ret = process_kf_arg_ptr_to_list_head(env, reg, regno, meta); in check_kfunc_args()
13492 ret = process_kf_arg_ptr_to_rbtree_root(env, reg, regno, meta); in check_kfunc_args()
13505 ret = process_kf_arg_ptr_to_list_node(env, reg, regno, meta); in check_kfunc_args()
13530 ret = process_kf_arg_ptr_to_rbtree_node(env, reg, regno, meta); in check_kfunc_args()
13562 ret = check_mem_reg(env, reg, regno, type_size); in check_kfunc_args()
13568 struct bpf_reg_state *buff_reg = &regs[regno]; in check_kfunc_args()
13570 struct bpf_reg_state *size_reg = &regs[regno + 1]; in check_kfunc_args()
13574 ret = check_kfunc_mem_size_reg(env, size_reg, regno + 1); in check_kfunc_args()
13587 verbose(env, "R%d must be a known constant\n", regno + 1); in check_kfunc_args()
13632 ret = check_reg_const_str(env, reg, regno); in check_kfunc_args()
13641 ret = process_wq_func(env, regno, meta); in check_kfunc_args()
13650 ret = process_task_work_func(env, regno, meta); in check_kfunc_args()
13659 ret = process_irq_flag(env, regno, meta); in check_kfunc_args()
13680 ret = process_spin_lock(env, regno, flags); in check_kfunc_args()
13919 static int check_return_code(struct bpf_verifier_env *env, int regno, const char *reg_name);
14277 u32 regno = i + 1; in check_kfunc_call() local
14281 mark_btf_func_reg_size(env, regno, sizeof(void *)); in check_kfunc_call()
14284 mark_btf_func_reg_size(env, regno, t->size); in check_kfunc_call()
14595 int regno, in check_stack_access_for_ptr_arithmetic() argument
14604 regno, tn_buf, off); in check_stack_access_for_ptr_arithmetic()
14610 "prohibited for !root; off=%d\n", regno, off); in check_stack_access_for_ptr_arithmetic()
16627 static void mark_ptr_or_null_regs(struct bpf_verifier_state *vstate, u32 regno, in mark_ptr_or_null_regs() argument
16632 u32 ref_obj_id = regs[regno].ref_obj_id; in mark_ptr_or_null_regs()
16633 u32 id = regs[regno].id; in mark_ptr_or_null_regs()
16764 e->regno = spi_or_reg; in __collect_linked_regs()
16810 reg = e->is_reg ? &vstate->frame[e->frameno]->regs[e->regno] in sync_linked_regs()
17295 static int check_return_code(struct bpf_verifier_env *env, int regno, const char *reg_name) in check_return_code() argument
17300 struct bpf_reg_state *reg = reg_state(env, regno); in check_return_code()
17335 return __check_ptr_off_reg(env, reg, regno, false); in check_return_code()
17348 err = check_reg_arg(env, regno, SRC_OP); in check_return_code()
17352 if (is_pointer_value(env, regno)) { in check_return_code()
17353 verbose(env, "R%d leaks addr as return value\n", regno); in check_return_code()
17366 regno, reg_type_str(env, reg->type)); in check_return_code()
17470 exit_ctx, regno, reg_type_str(env, reg->type)); in check_return_code()
17474 err = mark_chain_precision(env, regno); in check_return_code()
20213 int regno, in indirect_jump_min_max_index() argument
20217 struct bpf_reg_state *reg = reg_state(env, regno); in indirect_jump_min_max_index()
20224 regno, reg->umin_value, reg->off); in indirect_jump_min_max_index()
20230 regno, reg->umax_value, reg->off); in indirect_jump_min_max_index()
20239 regno, min_index, max_index, map->max_entries); in indirect_jump_min_max_index()
22566 u32 regno = env->insn_aux_data[insn_idx].arg_prog; in fixup_kfunc_call() local
22567 struct bpf_insn ld_addrs[2] = { BPF_LD_IMM64(regno, (long)env->prog->aux) }; in fixup_kfunc_call()