1 // SPDX-License-Identifier: GPL-2.0-only 2 /* Copyright (c) 2025 Meta Platforms, Inc. and affiliates. */ 3 4 #include <linux/bpf_verifier.h> 5 #include <linux/btf.h> 6 #include <linux/hashtable.h> 7 #include <linux/jhash.h> 8 #include <linux/slab.h> 9 #include <linux/sort.h> 10 11 #define verbose(env, fmt, args...) bpf_verifier_log_write(env, fmt, ##args) 12 13 struct per_frame_masks { 14 spis_t may_read; /* stack slots that may be read by this instruction */ 15 spis_t must_write; /* stack slots written by this instruction */ 16 spis_t live_before; /* stack slots that may be read by this insn and its successors */ 17 }; 18 19 /* 20 * A function instance keyed by (callsite, depth). 21 * Encapsulates read and write marks for each instruction in the function. 22 * Marks are tracked for each frame up to @depth. 23 */ 24 struct func_instance { 25 struct hlist_node hl_node; 26 u32 callsite; /* call insn that invoked this subprog (subprog_start for depth 0) */ 27 u32 depth; /* call depth (0 = entry subprog) */ 28 u32 subprog; /* subprog index */ 29 u32 subprog_start; /* cached env->subprog_info[subprog].start */ 30 u32 insn_cnt; /* cached number of insns in the function */ 31 /* Per frame, per instruction masks, frames allocated lazily. */ 32 struct per_frame_masks *frames[MAX_CALL_FRAMES]; 33 bool must_write_initialized; 34 }; 35 36 struct live_stack_query { 37 struct func_instance *instances[MAX_CALL_FRAMES]; /* valid in range [0..curframe] */ 38 u32 callsites[MAX_CALL_FRAMES]; /* callsite[i] = insn calling frame i+1 */ 39 u32 curframe; 40 u32 insn_idx; 41 }; 42 43 struct bpf_liveness { 44 DECLARE_HASHTABLE(func_instances, 8); /* maps (depth, callsite) to func_instance */ 45 struct live_stack_query live_stack_query; /* cache to avoid repetitive ht lookups */ 46 u32 subprog_calls; /* analyze_subprog() invocations */ 47 }; 48 49 /* 50 * Hash/compare key for func_instance: (depth, callsite). 51 * For depth == 0 (entry subprog), @callsite is the subprog start insn. 52 * For depth > 0, @callsite is the call instruction index that invoked the subprog. 53 */ 54 static u32 instance_hash(u32 callsite, u32 depth) 55 { 56 u32 key[2] = { depth, callsite }; 57 58 return jhash2(key, 2, 0); 59 } 60 61 static struct func_instance *find_instance(struct bpf_verifier_env *env, 62 u32 callsite, u32 depth) 63 { 64 struct bpf_liveness *liveness = env->liveness; 65 struct func_instance *f; 66 u32 key = instance_hash(callsite, depth); 67 68 hash_for_each_possible(liveness->func_instances, f, hl_node, key) 69 if (f->depth == depth && f->callsite == callsite) 70 return f; 71 return NULL; 72 } 73 74 static struct func_instance *call_instance(struct bpf_verifier_env *env, 75 struct func_instance *caller, 76 u32 callsite, int subprog) 77 { 78 u32 depth = caller ? caller->depth + 1 : 0; 79 u32 subprog_start = env->subprog_info[subprog].start; 80 u32 lookup_key = depth > 0 ? callsite : subprog_start; 81 struct func_instance *f; 82 u32 hash; 83 84 f = find_instance(env, lookup_key, depth); 85 if (f) 86 return f; 87 88 f = kvzalloc(sizeof(*f), GFP_KERNEL_ACCOUNT); 89 if (!f) 90 return ERR_PTR(-ENOMEM); 91 f->callsite = lookup_key; 92 f->depth = depth; 93 f->subprog = subprog; 94 f->subprog_start = subprog_start; 95 f->insn_cnt = (env->subprog_info + subprog + 1)->start - subprog_start; 96 hash = instance_hash(lookup_key, depth); 97 hash_add(env->liveness->func_instances, &f->hl_node, hash); 98 return f; 99 } 100 101 static struct func_instance *lookup_instance(struct bpf_verifier_env *env, 102 struct bpf_verifier_state *st, 103 u32 frameno) 104 { 105 u32 callsite, subprog_start; 106 struct func_instance *f; 107 u32 key, depth; 108 109 subprog_start = env->subprog_info[st->frame[frameno]->subprogno].start; 110 callsite = frameno > 0 ? st->frame[frameno]->callsite : subprog_start; 111 112 for (depth = frameno; ; depth--) { 113 key = depth > 0 ? callsite : subprog_start; 114 f = find_instance(env, key, depth); 115 if (f || depth == 0) 116 return f; 117 } 118 } 119 120 int bpf_stack_liveness_init(struct bpf_verifier_env *env) 121 { 122 env->liveness = kvzalloc_obj(*env->liveness, GFP_KERNEL_ACCOUNT); 123 if (!env->liveness) 124 return -ENOMEM; 125 hash_init(env->liveness->func_instances); 126 return 0; 127 } 128 129 void bpf_stack_liveness_free(struct bpf_verifier_env *env) 130 { 131 struct func_instance *instance; 132 struct hlist_node *tmp; 133 int bkt, i; 134 135 if (!env->liveness) 136 return; 137 hash_for_each_safe(env->liveness->func_instances, bkt, tmp, instance, hl_node) { 138 for (i = 0; i <= instance->depth; i++) 139 kvfree(instance->frames[i]); 140 kvfree(instance); 141 } 142 kvfree(env->liveness); 143 } 144 145 /* 146 * Convert absolute instruction index @insn_idx to an index relative 147 * to start of the function corresponding to @instance. 148 */ 149 static int relative_idx(struct func_instance *instance, u32 insn_idx) 150 { 151 return insn_idx - instance->subprog_start; 152 } 153 154 static struct per_frame_masks *get_frame_masks(struct func_instance *instance, 155 u32 frame, u32 insn_idx) 156 { 157 if (!instance->frames[frame]) 158 return NULL; 159 160 return &instance->frames[frame][relative_idx(instance, insn_idx)]; 161 } 162 163 static struct per_frame_masks *alloc_frame_masks(struct func_instance *instance, 164 u32 frame, u32 insn_idx) 165 { 166 struct per_frame_masks *arr; 167 168 if (!instance->frames[frame]) { 169 arr = kvzalloc_objs(*arr, instance->insn_cnt, 170 GFP_KERNEL_ACCOUNT); 171 instance->frames[frame] = arr; 172 if (!arr) 173 return ERR_PTR(-ENOMEM); 174 } 175 return get_frame_masks(instance, frame, insn_idx); 176 } 177 178 /* Accumulate may_read masks for @frame at @insn_idx */ 179 static int mark_stack_read(struct func_instance *instance, u32 frame, u32 insn_idx, spis_t mask) 180 { 181 struct per_frame_masks *masks; 182 183 masks = alloc_frame_masks(instance, frame, insn_idx); 184 if (IS_ERR(masks)) 185 return PTR_ERR(masks); 186 masks->may_read = spis_or(masks->may_read, mask); 187 return 0; 188 } 189 190 static int mark_stack_write(struct func_instance *instance, u32 frame, u32 insn_idx, spis_t mask) 191 { 192 struct per_frame_masks *masks; 193 194 masks = alloc_frame_masks(instance, frame, insn_idx); 195 if (IS_ERR(masks)) 196 return PTR_ERR(masks); 197 masks->must_write = spis_or(masks->must_write, mask); 198 return 0; 199 } 200 201 int bpf_jmp_offset(struct bpf_insn *insn) 202 { 203 u8 code = insn->code; 204 205 if (code == (BPF_JMP32 | BPF_JA)) 206 return insn->imm; 207 return insn->off; 208 } 209 210 __diag_push(); 211 __diag_ignore_all("-Woverride-init", "Allow field initialization overrides for opcode_info_tbl"); 212 213 /* 214 * Returns an array of instructions succ, with succ->items[0], ..., 215 * succ->items[n-1] with successor instructions, where n=succ->cnt 216 */ 217 inline struct bpf_iarray * 218 bpf_insn_successors(struct bpf_verifier_env *env, u32 idx) 219 { 220 static const struct opcode_info { 221 bool can_jump; 222 bool can_fallthrough; 223 } opcode_info_tbl[256] = { 224 [0 ... 255] = {.can_jump = false, .can_fallthrough = true}, 225 #define _J(code, ...) \ 226 [BPF_JMP | code] = __VA_ARGS__, \ 227 [BPF_JMP32 | code] = __VA_ARGS__ 228 229 _J(BPF_EXIT, {.can_jump = false, .can_fallthrough = false}), 230 _J(BPF_JA, {.can_jump = true, .can_fallthrough = false}), 231 _J(BPF_JEQ, {.can_jump = true, .can_fallthrough = true}), 232 _J(BPF_JNE, {.can_jump = true, .can_fallthrough = true}), 233 _J(BPF_JLT, {.can_jump = true, .can_fallthrough = true}), 234 _J(BPF_JLE, {.can_jump = true, .can_fallthrough = true}), 235 _J(BPF_JGT, {.can_jump = true, .can_fallthrough = true}), 236 _J(BPF_JGE, {.can_jump = true, .can_fallthrough = true}), 237 _J(BPF_JSGT, {.can_jump = true, .can_fallthrough = true}), 238 _J(BPF_JSGE, {.can_jump = true, .can_fallthrough = true}), 239 _J(BPF_JSLT, {.can_jump = true, .can_fallthrough = true}), 240 _J(BPF_JSLE, {.can_jump = true, .can_fallthrough = true}), 241 _J(BPF_JCOND, {.can_jump = true, .can_fallthrough = true}), 242 _J(BPF_JSET, {.can_jump = true, .can_fallthrough = true}), 243 #undef _J 244 }; 245 struct bpf_prog *prog = env->prog; 246 struct bpf_insn *insn = &prog->insnsi[idx]; 247 const struct opcode_info *opcode_info; 248 struct bpf_iarray *succ, *jt; 249 int insn_sz; 250 251 jt = env->insn_aux_data[idx].jt; 252 if (unlikely(jt)) 253 return jt; 254 255 /* pre-allocated array of size up to 2; reset cnt, as it may have been used already */ 256 succ = env->succ; 257 succ->cnt = 0; 258 259 opcode_info = &opcode_info_tbl[BPF_CLASS(insn->code) | BPF_OP(insn->code)]; 260 insn_sz = bpf_is_ldimm64(insn) ? 2 : 1; 261 if (opcode_info->can_fallthrough) 262 succ->items[succ->cnt++] = idx + insn_sz; 263 264 if (opcode_info->can_jump) 265 succ->items[succ->cnt++] = idx + bpf_jmp_offset(insn) + 1; 266 267 return succ; 268 } 269 270 __diag_pop(); 271 272 273 static inline bool update_insn(struct bpf_verifier_env *env, 274 struct func_instance *instance, u32 frame, u32 insn_idx) 275 { 276 spis_t new_before, new_after; 277 struct per_frame_masks *insn, *succ_insn; 278 struct bpf_iarray *succ; 279 u32 s; 280 bool changed; 281 282 succ = bpf_insn_successors(env, insn_idx); 283 if (succ->cnt == 0) 284 return false; 285 286 changed = false; 287 insn = get_frame_masks(instance, frame, insn_idx); 288 new_before = SPIS_ZERO; 289 new_after = SPIS_ZERO; 290 for (s = 0; s < succ->cnt; ++s) { 291 succ_insn = get_frame_masks(instance, frame, succ->items[s]); 292 new_after = spis_or(new_after, succ_insn->live_before); 293 } 294 /* 295 * New "live_before" is a union of all "live_before" of successors 296 * minus slots written by instruction plus slots read by instruction. 297 * new_before = (new_after & ~insn->must_write) | insn->may_read 298 */ 299 new_before = spis_or(spis_and(new_after, spis_not(insn->must_write)), 300 insn->may_read); 301 changed |= !spis_equal(new_before, insn->live_before); 302 insn->live_before = new_before; 303 return changed; 304 } 305 306 /* Fixed-point computation of @live_before marks */ 307 static void update_instance(struct bpf_verifier_env *env, struct func_instance *instance) 308 { 309 u32 i, frame, po_start, po_end; 310 int *insn_postorder = env->cfg.insn_postorder; 311 struct bpf_subprog_info *subprog; 312 bool changed; 313 314 instance->must_write_initialized = true; 315 subprog = &env->subprog_info[instance->subprog]; 316 po_start = subprog->postorder_start; 317 po_end = (subprog + 1)->postorder_start; 318 /* repeat until fixed point is reached */ 319 do { 320 changed = false; 321 for (frame = 0; frame <= instance->depth; frame++) { 322 if (!instance->frames[frame]) 323 continue; 324 325 for (i = po_start; i < po_end; i++) 326 changed |= update_insn(env, instance, frame, insn_postorder[i]); 327 } 328 } while (changed); 329 } 330 331 static bool is_live_before(struct func_instance *instance, u32 insn_idx, u32 frameno, u32 half_spi) 332 { 333 struct per_frame_masks *masks; 334 335 masks = get_frame_masks(instance, frameno, insn_idx); 336 return masks && spis_test_bit(masks->live_before, half_spi); 337 } 338 339 int bpf_live_stack_query_init(struct bpf_verifier_env *env, struct bpf_verifier_state *st) 340 { 341 struct live_stack_query *q = &env->liveness->live_stack_query; 342 struct func_instance *instance; 343 u32 frame; 344 345 memset(q, 0, sizeof(*q)); 346 for (frame = 0; frame <= st->curframe; frame++) { 347 instance = lookup_instance(env, st, frame); 348 if (IS_ERR_OR_NULL(instance)) 349 q->instances[frame] = NULL; 350 else 351 q->instances[frame] = instance; 352 if (frame < st->curframe) 353 q->callsites[frame] = st->frame[frame + 1]->callsite; 354 } 355 q->curframe = st->curframe; 356 q->insn_idx = st->insn_idx; 357 return 0; 358 } 359 360 bool bpf_stack_slot_alive(struct bpf_verifier_env *env, u32 frameno, u32 half_spi) 361 { 362 /* 363 * Slot is alive if it is read before q->insn_idx in current func instance, 364 * or if for some outer func instance: 365 * - alive before callsite if callsite calls callback, otherwise 366 * - alive after callsite 367 */ 368 struct live_stack_query *q = &env->liveness->live_stack_query; 369 struct func_instance *instance, *curframe_instance; 370 u32 i, callsite, rel; 371 int cur_delta, delta; 372 bool alive = false; 373 374 curframe_instance = q->instances[q->curframe]; 375 if (!curframe_instance) 376 return true; 377 cur_delta = (int)curframe_instance->depth - (int)q->curframe; 378 rel = frameno + cur_delta; 379 if (rel <= curframe_instance->depth) 380 alive = is_live_before(curframe_instance, q->insn_idx, rel, half_spi); 381 382 if (alive) 383 return true; 384 385 for (i = frameno; i < q->curframe; i++) { 386 instance = q->instances[i]; 387 if (!instance) 388 return true; 389 /* Map actual frameno to frame index within this instance */ 390 delta = (int)instance->depth - (int)i; 391 rel = frameno + delta; 392 if (rel > instance->depth) 393 return true; 394 395 /* Get callsite from verifier state, not from instance callchain */ 396 callsite = q->callsites[i]; 397 398 alive = bpf_calls_callback(env, callsite) 399 ? is_live_before(instance, callsite, rel, half_spi) 400 : is_live_before(instance, callsite + 1, rel, half_spi); 401 if (alive) 402 return true; 403 } 404 405 return false; 406 } 407 408 static char *fmt_subprog(struct bpf_verifier_env *env, int subprog) 409 { 410 const char *name = env->subprog_info[subprog].name; 411 412 snprintf(env->tmp_str_buf, sizeof(env->tmp_str_buf), 413 "subprog#%d%s%s", subprog, name ? " " : "", name ? name : ""); 414 return env->tmp_str_buf; 415 } 416 417 static char *fmt_instance(struct bpf_verifier_env *env, struct func_instance *instance) 418 { 419 snprintf(env->tmp_str_buf, sizeof(env->tmp_str_buf), 420 "(d%d,cs%d)", instance->depth, instance->callsite); 421 return env->tmp_str_buf; 422 } 423 424 static int spi_off(int spi) 425 { 426 return -(spi + 1) * BPF_REG_SIZE; 427 } 428 429 /* 430 * When both halves of an 8-byte SPI are set, print as "-8","-16",... 431 * When only one half is set, print as "-4h","-8h",... 432 * Runs of 3+ consecutive fully-set SPIs are collapsed: "fp0-8..-24" 433 */ 434 static char *fmt_spis_mask(struct bpf_verifier_env *env, int frame, bool first, spis_t spis) 435 { 436 int buf_sz = sizeof(env->tmp_str_buf); 437 char *buf = env->tmp_str_buf; 438 int spi, n, run_start; 439 440 buf[0] = '\0'; 441 442 for (spi = 0; spi < STACK_SLOTS / 2 && buf_sz > 0; spi++) { 443 bool lo = spis_test_bit(spis, spi * 2); 444 bool hi = spis_test_bit(spis, spi * 2 + 1); 445 const char *space = first ? "" : " "; 446 447 if (!lo && !hi) 448 continue; 449 450 if (!lo || !hi) { 451 /* half-spi */ 452 n = scnprintf(buf, buf_sz, "%sfp%d%d%s", 453 space, frame, spi_off(spi) + (lo ? STACK_SLOT_SZ : 0), "h"); 454 } else if (spi + 2 < STACK_SLOTS / 2 && 455 spis_test_bit(spis, spi * 2 + 2) && 456 spis_test_bit(spis, spi * 2 + 3) && 457 spis_test_bit(spis, spi * 2 + 4) && 458 spis_test_bit(spis, spi * 2 + 5)) { 459 /* 3+ consecutive full spis */ 460 run_start = spi; 461 while (spi + 1 < STACK_SLOTS / 2 && 462 spis_test_bit(spis, (spi + 1) * 2) && 463 spis_test_bit(spis, (spi + 1) * 2 + 1)) 464 spi++; 465 n = scnprintf(buf, buf_sz, "%sfp%d%d..%d", 466 space, frame, spi_off(run_start), spi_off(spi)); 467 } else { 468 /* just a full spi */ 469 n = scnprintf(buf, buf_sz, "%sfp%d%d", space, frame, spi_off(spi)); 470 } 471 first = false; 472 buf += n; 473 buf_sz -= n; 474 } 475 return env->tmp_str_buf; 476 } 477 478 static void print_instance(struct bpf_verifier_env *env, struct func_instance *instance) 479 { 480 int start = env->subprog_info[instance->subprog].start; 481 struct bpf_insn *insns = env->prog->insnsi; 482 struct per_frame_masks *masks; 483 int len = instance->insn_cnt; 484 int insn_idx, frame, i; 485 bool has_use, has_def; 486 u64 pos, insn_pos; 487 488 if (!(env->log.level & BPF_LOG_LEVEL2)) 489 return; 490 491 verbose(env, "stack use/def %s ", fmt_subprog(env, instance->subprog)); 492 verbose(env, "%s:\n", fmt_instance(env, instance)); 493 for (i = 0; i < len; i++) { 494 insn_idx = start + i; 495 has_use = false; 496 has_def = false; 497 pos = env->log.end_pos; 498 verbose(env, "%3d: ", insn_idx); 499 bpf_verbose_insn(env, &insns[insn_idx]); 500 bpf_vlog_reset(&env->log, env->log.end_pos - 1); /* remove \n */ 501 insn_pos = env->log.end_pos; 502 verbose(env, "%*c;", bpf_vlog_alignment(insn_pos - pos), ' '); 503 pos = env->log.end_pos; 504 verbose(env, " use: "); 505 for (frame = instance->depth; frame >= 0; --frame) { 506 masks = get_frame_masks(instance, frame, insn_idx); 507 if (!masks || spis_is_zero(masks->may_read)) 508 continue; 509 verbose(env, "%s", fmt_spis_mask(env, frame, !has_use, masks->may_read)); 510 has_use = true; 511 } 512 if (!has_use) 513 bpf_vlog_reset(&env->log, pos); 514 pos = env->log.end_pos; 515 verbose(env, " def: "); 516 for (frame = instance->depth; frame >= 0; --frame) { 517 masks = get_frame_masks(instance, frame, insn_idx); 518 if (!masks || spis_is_zero(masks->must_write)) 519 continue; 520 verbose(env, "%s", fmt_spis_mask(env, frame, !has_def, masks->must_write)); 521 has_def = true; 522 } 523 if (!has_def) 524 bpf_vlog_reset(&env->log, has_use ? pos : insn_pos); 525 verbose(env, "\n"); 526 if (bpf_is_ldimm64(&insns[insn_idx])) 527 i++; 528 } 529 } 530 531 static int cmp_instances(const void *pa, const void *pb) 532 { 533 struct func_instance *a = *(struct func_instance **)pa; 534 struct func_instance *b = *(struct func_instance **)pb; 535 int dcallsite = (int)a->callsite - b->callsite; 536 int ddepth = (int)a->depth - b->depth; 537 538 if (dcallsite) 539 return dcallsite; 540 if (ddepth) 541 return ddepth; 542 return 0; 543 } 544 545 /* print use/def slots for all instances ordered by callsite first, then by depth */ 546 static int print_instances(struct bpf_verifier_env *env) 547 { 548 struct func_instance *instance, **sorted_instances; 549 struct bpf_liveness *liveness = env->liveness; 550 int i, bkt, cnt; 551 552 cnt = 0; 553 hash_for_each(liveness->func_instances, bkt, instance, hl_node) 554 cnt++; 555 sorted_instances = kvmalloc_objs(*sorted_instances, cnt, GFP_KERNEL_ACCOUNT); 556 if (!sorted_instances) 557 return -ENOMEM; 558 cnt = 0; 559 hash_for_each(liveness->func_instances, bkt, instance, hl_node) 560 sorted_instances[cnt++] = instance; 561 sort(sorted_instances, cnt, sizeof(*sorted_instances), cmp_instances, NULL); 562 for (i = 0; i < cnt; i++) 563 print_instance(env, sorted_instances[i]); 564 kvfree(sorted_instances); 565 return 0; 566 } 567 568 /* 569 * Per-register tracking state for compute_subprog_args(). 570 * Tracks which frame's FP a value is derived from 571 * and the byte offset from that frame's FP. 572 * 573 * The .frame field forms a lattice with three levels of precision: 574 * 575 * precise {frame=N, off=V} -- known absolute frame index and byte offset 576 * | 577 * offset-imprecise {frame=N, cnt=0} 578 * | -- known frame identity, unknown offset 579 * fully-imprecise {frame=ARG_IMPRECISE, mask=bitmask} 580 * -- unknown frame identity; .mask is a 581 * bitmask of which frame indices might be 582 * involved 583 * 584 * At CFG merge points, arg_track_join() moves down the lattice: 585 * - same frame + same offset -> precise 586 * - same frame + different offset -> offset-imprecise 587 * - different frames -> fully-imprecise (bitmask OR) 588 * 589 * At memory access sites (LDX/STX/ST), offset-imprecise marks only 590 * the known frame's access mask as SPIS_ALL, while fully-imprecise 591 * iterates bits in the bitmask and routes each frame to its target. 592 */ 593 #define MAX_ARG_OFFSETS 4 594 595 struct arg_track { 596 union { 597 s16 off[MAX_ARG_OFFSETS]; /* byte offsets; off_cnt says how many */ 598 u16 mask; /* arg bitmask when arg == ARG_IMPRECISE */ 599 }; 600 s8 frame; /* absolute frame index, or enum arg_track_state */ 601 s8 off_cnt; /* 0 = offset-imprecise, 1-4 = # of precise offsets */ 602 }; 603 604 enum arg_track_state { 605 ARG_NONE = -1, /* not derived from any argument */ 606 ARG_UNVISITED = -2, /* not yet reached by dataflow */ 607 ARG_IMPRECISE = -3, /* lost identity; .mask is arg bitmask */ 608 }; 609 610 /* Track callee stack slots fp-8 through fp-512 (64 slots of 8 bytes each) */ 611 #define MAX_ARG_SPILL_SLOTS 64 612 613 /* 614 * Combined register + stack arg tracking: R0-R10 at indices 0-10, 615 * outgoing stack arg slots at indices MAX_BPF_REG..MAX_BPF_REG+6. 616 */ 617 #define MAX_AT_TRACK_REGS (MAX_BPF_REG + MAX_STACK_ARG_SLOTS) 618 619 static int stack_arg_off_to_slot(s16 off) 620 { 621 int aoff = off < 0 ? -off : off; 622 623 if (aoff / 8 > MAX_STACK_ARG_SLOTS) 624 return -1; 625 return aoff / 8 - 1; 626 } 627 628 static bool arg_is_visited(const struct arg_track *at) 629 { 630 return at->frame != ARG_UNVISITED; 631 } 632 633 static bool arg_is_fp(const struct arg_track *at) 634 { 635 return at->frame >= 0 || at->frame == ARG_IMPRECISE; 636 } 637 638 static void verbose_arg_track(struct bpf_verifier_env *env, struct arg_track *at) 639 { 640 int i; 641 642 switch (at->frame) { 643 case ARG_NONE: verbose(env, "_"); break; 644 case ARG_UNVISITED: verbose(env, "?"); break; 645 case ARG_IMPRECISE: verbose(env, "IMP%x", at->mask); break; 646 default: 647 /* frame >= 0: absolute frame index */ 648 if (at->off_cnt == 0) { 649 verbose(env, "fp%d ?", at->frame); 650 } else { 651 for (i = 0; i < at->off_cnt; i++) { 652 if (i) 653 verbose(env, "|"); 654 verbose(env, "fp%d%+d", at->frame, at->off[i]); 655 } 656 } 657 break; 658 } 659 } 660 661 static bool arg_track_eq(const struct arg_track *a, const struct arg_track *b) 662 { 663 int i; 664 665 if (a->frame != b->frame) 666 return false; 667 if (a->frame == ARG_IMPRECISE) 668 return a->mask == b->mask; 669 if (a->frame < 0) 670 return true; 671 if (a->off_cnt != b->off_cnt) 672 return false; 673 for (i = 0; i < a->off_cnt; i++) 674 if (a->off[i] != b->off[i]) 675 return false; 676 return true; 677 } 678 679 static struct arg_track arg_single(s8 arg, s16 off) 680 { 681 struct arg_track at = {}; 682 683 at.frame = arg; 684 at.off[0] = off; 685 at.off_cnt = 1; 686 return at; 687 } 688 689 /* 690 * Merge two sorted offset arrays, deduplicate. 691 * Returns off_cnt=0 if the result exceeds MAX_ARG_OFFSETS. 692 * Both args must have the same frame and off_cnt > 0. 693 */ 694 static struct arg_track arg_merge_offsets(struct arg_track a, struct arg_track b) 695 { 696 struct arg_track result = { .frame = a.frame }; 697 struct arg_track imp = { .frame = a.frame }; 698 int i = 0, j = 0, k = 0; 699 700 while (i < a.off_cnt && j < b.off_cnt) { 701 s16 v; 702 703 if (a.off[i] <= b.off[j]) { 704 v = a.off[i++]; 705 if (v == b.off[j]) 706 j++; 707 } else { 708 v = b.off[j++]; 709 } 710 if (k > 0 && result.off[k - 1] == v) 711 continue; 712 if (k >= MAX_ARG_OFFSETS) 713 return imp; 714 result.off[k++] = v; 715 } 716 while (i < a.off_cnt) { 717 if (k >= MAX_ARG_OFFSETS) 718 return imp; 719 result.off[k++] = a.off[i++]; 720 } 721 while (j < b.off_cnt) { 722 if (k >= MAX_ARG_OFFSETS) 723 return imp; 724 result.off[k++] = b.off[j++]; 725 } 726 result.off_cnt = k; 727 return result; 728 } 729 730 /* 731 * Merge two arg_tracks into ARG_IMPRECISE, collecting the frame 732 * bits from both operands. Precise frame indices (frame >= 0) 733 * contribute a single bit; existing ARG_IMPRECISE values 734 * contribute their full bitmask. 735 */ 736 static struct arg_track arg_join_imprecise(struct arg_track a, struct arg_track b) 737 { 738 u32 m = 0; 739 740 if (a.frame >= 0) 741 m |= BIT(a.frame); 742 else if (a.frame == ARG_IMPRECISE) 743 m |= a.mask; 744 745 if (b.frame >= 0) 746 m |= BIT(b.frame); 747 else if (b.frame == ARG_IMPRECISE) 748 m |= b.mask; 749 750 return (struct arg_track){ .mask = m, .frame = ARG_IMPRECISE }; 751 } 752 753 /* Join two arg_track values at merge points */ 754 static struct arg_track __arg_track_join(struct arg_track a, struct arg_track b) 755 { 756 if (!arg_is_visited(&b)) 757 return a; 758 if (!arg_is_visited(&a)) 759 return b; 760 if (a.frame == b.frame && a.frame >= 0) { 761 /* Both offset-imprecise: stay imprecise */ 762 if (a.off_cnt == 0 || b.off_cnt == 0) 763 return (struct arg_track){ .frame = a.frame }; 764 /* Merge offset sets; falls back to off_cnt=0 if >4 */ 765 return arg_merge_offsets(a, b); 766 } 767 768 /* 769 * args are different, but one of them is known 770 * arg + none -> arg 771 * none + arg -> arg 772 * 773 * none + none -> none 774 */ 775 if (a.frame == ARG_NONE && b.frame == ARG_NONE) 776 return a; 777 if (a.frame >= 0 && b.frame == ARG_NONE) { 778 /* 779 * When joining single fp-N add fake fp+0 to 780 * keep stack_use and prevent stack_def 781 */ 782 if (a.off_cnt == 1) 783 return arg_merge_offsets(a, arg_single(a.frame, 0)); 784 return a; 785 } 786 if (b.frame >= 0 && a.frame == ARG_NONE) { 787 if (b.off_cnt == 1) 788 return arg_merge_offsets(b, arg_single(b.frame, 0)); 789 return b; 790 } 791 792 return arg_join_imprecise(a, b); 793 } 794 795 static bool arg_track_join(struct bpf_verifier_env *env, int idx, int target, int r, 796 struct arg_track *in, struct arg_track out) 797 { 798 struct arg_track old = *in; 799 struct arg_track new_val = __arg_track_join(old, out); 800 801 if (arg_track_eq(&new_val, &old)) 802 return false; 803 804 *in = new_val; 805 if (!(env->log.level & BPF_LOG_LEVEL2) || !arg_is_visited(&old)) 806 return true; 807 808 verbose(env, "arg JOIN insn %d -> %d ", idx, target); 809 if (r >= MAX_BPF_REG) 810 verbose(env, "sa%d: ", r - MAX_BPF_REG); 811 else if (r >= 0) 812 verbose(env, "r%d: ", r); 813 else 814 verbose(env, "fp%+d: ", r * 8); 815 verbose_arg_track(env, &old); 816 verbose(env, " + "); 817 verbose_arg_track(env, &out); 818 verbose(env, " => "); 819 verbose_arg_track(env, &new_val); 820 verbose(env, "\n"); 821 return true; 822 } 823 824 /* 825 * Compute the result when an ALU op destroys offset precision. 826 * If a single arg is identifiable, preserve it with OFF_IMPRECISE. 827 * If two different args are involved or one is already ARG_IMPRECISE, 828 * the result is fully ARG_IMPRECISE. 829 */ 830 static void arg_track_alu64(struct arg_track *dst, const struct arg_track *src) 831 { 832 WARN_ON_ONCE(!arg_is_visited(dst)); 833 WARN_ON_ONCE(!arg_is_visited(src)); 834 835 if (dst->frame >= 0 && (src->frame == ARG_NONE || src->frame == dst->frame)) { 836 /* 837 * rX += rY where rY is not arg derived 838 * rX += rX 839 */ 840 dst->off_cnt = 0; 841 return; 842 } 843 if (src->frame >= 0 && dst->frame == ARG_NONE) { 844 /* 845 * rX += rY where rX is not arg derived 846 * rY identity leaks into rX 847 */ 848 dst->off_cnt = 0; 849 dst->frame = src->frame; 850 return; 851 } 852 853 if (dst->frame == ARG_NONE && src->frame == ARG_NONE) 854 return; 855 856 *dst = arg_join_imprecise(*dst, *src); 857 } 858 859 static bool arg_add(s16 off, s64 delta, s16 *out) 860 { 861 s16 d = delta; 862 863 if (d != delta) 864 return true; 865 return check_add_overflow(off, d, out); 866 } 867 868 static void arg_padd(struct arg_track *at, s64 delta) 869 { 870 int i; 871 872 if (at->off_cnt == 0) 873 return; 874 for (i = 0; i < at->off_cnt; i++) { 875 s16 new_off; 876 877 if (arg_add(at->off[i], delta, &new_off)) { 878 at->off_cnt = 0; 879 return; 880 } 881 at->off[i] = new_off; 882 } 883 } 884 885 /* 886 * Convert a byte offset from FP to a callee stack slot index. 887 * Returns -1 if out of range or not 8-byte aligned. 888 * Slot 0 = fp-8, slot 1 = fp-16, ..., slot 7 = fp-64, .... 889 */ 890 static int fp_off_to_slot(s16 off) 891 { 892 if (off >= 0 || off < -(int)(MAX_ARG_SPILL_SLOTS * 8)) 893 return -1; 894 if (off % 8) 895 return -1; 896 return (-off) / 8 - 1; 897 } 898 899 static struct arg_track fill_from_stack(struct bpf_insn *insn, 900 struct arg_track *at_out, int reg, 901 struct arg_track *at_stack_out, 902 int depth) 903 { 904 struct arg_track imp = { 905 .mask = (1u << (depth + 1)) - 1, 906 .frame = ARG_IMPRECISE 907 }; 908 struct arg_track result = { .frame = ARG_NONE }; 909 int cnt, i; 910 911 if (reg == BPF_REG_FP) { 912 int slot = fp_off_to_slot(insn->off); 913 914 return slot >= 0 ? at_stack_out[slot] : imp; 915 } 916 cnt = at_out[reg].off_cnt; 917 if (cnt == 0) 918 return imp; 919 920 for (i = 0; i < cnt; i++) { 921 s16 fp_off, slot; 922 923 if (arg_add(at_out[reg].off[i], insn->off, &fp_off)) 924 return imp; 925 slot = fp_off_to_slot(fp_off); 926 if (slot < 0) 927 return imp; 928 result = __arg_track_join(result, at_stack_out[slot]); 929 } 930 return result; 931 } 932 933 /* 934 * Spill @val to all possible stack slots indicated by the FP offsets in @reg. 935 * For an 8-byte store, single candidate slot gets @val. multi-slots are joined. 936 * sub-8-byte store joins with ARG_NONE. 937 * When exact offset is unknown conservatively add reg values to all slots in at_stack_out. 938 */ 939 static void spill_to_stack(struct bpf_insn *insn, struct arg_track *at_out, 940 int reg, struct arg_track *at_stack_out, 941 struct arg_track *val, u32 sz) 942 { 943 struct arg_track none = { .frame = ARG_NONE }; 944 struct arg_track new_val = sz == 8 ? *val : none; 945 int cnt, i; 946 947 if (reg == BPF_REG_FP) { 948 int slot = fp_off_to_slot(insn->off); 949 950 if (slot >= 0) 951 at_stack_out[slot] = new_val; 952 return; 953 } 954 cnt = at_out[reg].off_cnt; 955 if (cnt == 0) { 956 for (int slot = 0; slot < MAX_ARG_SPILL_SLOTS; slot++) 957 at_stack_out[slot] = __arg_track_join(at_stack_out[slot], new_val); 958 return; 959 } 960 for (i = 0; i < cnt; i++) { 961 s16 fp_off; 962 int slot; 963 964 if (arg_add(at_out[reg].off[i], insn->off, &fp_off)) 965 continue; 966 slot = fp_off_to_slot(fp_off); 967 if (slot < 0) 968 continue; 969 if (cnt == 1) 970 at_stack_out[slot] = new_val; 971 else 972 at_stack_out[slot] = __arg_track_join(at_stack_out[slot], new_val); 973 } 974 } 975 976 /* 977 * Clear all tracked callee stack slots overlapping the byte range 978 * [off, off+sz-1] where off is a negative FP-relative offset. 979 */ 980 static void clear_overlapping_stack_slots(struct arg_track *at_stack, s16 off, u32 sz, int cnt) 981 { 982 struct arg_track none = { .frame = ARG_NONE }; 983 984 if (cnt == 0) { 985 for (int i = 0; i < MAX_ARG_SPILL_SLOTS; i++) 986 at_stack[i] = __arg_track_join(at_stack[i], none); 987 return; 988 } 989 for (int i = 0; i < MAX_ARG_SPILL_SLOTS; i++) { 990 int slot_start = -((i + 1) * 8); 991 int slot_end = slot_start + 8; 992 993 if (slot_start < off + (int)sz && slot_end > off) { 994 if (cnt == 1) 995 at_stack[i] = none; 996 else 997 at_stack[i] = __arg_track_join(at_stack[i], none); 998 } 999 } 1000 } 1001 1002 /* 1003 * Clear stack slots overlapping all possible FP offsets in @reg. 1004 */ 1005 static void clear_stack_for_all_offs(struct bpf_insn *insn, 1006 struct arg_track *at_out, int reg, 1007 struct arg_track *at_stack_out, u32 sz) 1008 { 1009 int cnt, i; 1010 1011 if (reg == BPF_REG_FP) { 1012 clear_overlapping_stack_slots(at_stack_out, insn->off, sz, 1); 1013 return; 1014 } 1015 cnt = at_out[reg].off_cnt; 1016 if (cnt == 0) { 1017 clear_overlapping_stack_slots(at_stack_out, 0, sz, cnt); 1018 return; 1019 } 1020 for (i = 0; i < cnt; i++) { 1021 s16 fp_off; 1022 1023 if (arg_add(at_out[reg].off[i], insn->off, &fp_off)) { 1024 clear_overlapping_stack_slots(at_stack_out, 0, sz, 0); 1025 break; 1026 } 1027 clear_overlapping_stack_slots(at_stack_out, fp_off, sz, cnt); 1028 } 1029 } 1030 1031 static void arg_track_log(struct bpf_verifier_env *env, struct bpf_insn *insn, int idx, 1032 struct arg_track *at_in, struct arg_track *at_stack_in, 1033 struct arg_track *at_out, struct arg_track *at_stack_out) 1034 { 1035 bool printed = false; 1036 int i; 1037 1038 if (!(env->log.level & BPF_LOG_LEVEL2)) 1039 return; 1040 for (i = 0; i < MAX_BPF_REG; i++) { 1041 if (arg_track_eq(&at_out[i], &at_in[i])) 1042 continue; 1043 if (!printed) { 1044 verbose(env, "%3d: ", idx); 1045 bpf_verbose_insn(env, insn); 1046 bpf_vlog_reset(&env->log, env->log.end_pos - 1); 1047 printed = true; 1048 } 1049 verbose(env, "\tr%d: ", i); verbose_arg_track(env, &at_in[i]); 1050 verbose(env, " -> "); verbose_arg_track(env, &at_out[i]); 1051 } 1052 /* Log outgoing stack arg slot transitions at indices MAX_BPF_REG..MAX_AT_TRACK_REGS-1 */ 1053 for (i = 0; i < MAX_STACK_ARG_SLOTS; i++) { 1054 int ai = MAX_BPF_REG + i; 1055 1056 if (arg_track_eq(&at_out[ai], &at_in[ai])) 1057 continue; 1058 if (!printed) { 1059 verbose(env, "%3d: ", idx); 1060 bpf_verbose_insn(env, insn); 1061 bpf_vlog_reset(&env->log, env->log.end_pos - 1); 1062 printed = true; 1063 } 1064 verbose(env, "\tsa%d: ", i); verbose_arg_track(env, &at_in[ai]); 1065 verbose(env, " -> "); verbose_arg_track(env, &at_out[ai]); 1066 } 1067 for (i = 0; i < MAX_ARG_SPILL_SLOTS; i++) { 1068 if (arg_track_eq(&at_stack_out[i], &at_stack_in[i])) 1069 continue; 1070 if (!printed) { 1071 verbose(env, "%3d: ", idx); 1072 bpf_verbose_insn(env, insn); 1073 bpf_vlog_reset(&env->log, env->log.end_pos - 1); 1074 printed = true; 1075 } 1076 verbose(env, "\tfp%+d: ", -(i + 1) * 8); verbose_arg_track(env, &at_stack_in[i]); 1077 verbose(env, " -> "); verbose_arg_track(env, &at_stack_out[i]); 1078 } 1079 if (printed) 1080 verbose(env, "\n"); 1081 } 1082 1083 static bool can_be_local_fp(int depth, int regno, struct arg_track *at) 1084 { 1085 return regno == BPF_REG_FP || at->frame == depth || 1086 (at->frame == ARG_IMPRECISE && (at->mask & BIT(depth))); 1087 } 1088 1089 /* 1090 * Pure dataflow transfer function for arg_track state. 1091 * Updates at_out[] based on how the instruction modifies registers. 1092 * Tracks spill/fill, but not other memory accesses. 1093 */ 1094 static void arg_track_xfer(struct bpf_verifier_env *env, struct bpf_insn *insn, 1095 int insn_idx, 1096 struct arg_track *at_out, struct arg_track *at_stack_out, 1097 const struct arg_track *at_stack_arg_entry, 1098 struct func_instance *instance, 1099 u32 *callsites) 1100 { 1101 int depth = instance->depth; 1102 u8 class = BPF_CLASS(insn->code); 1103 u8 code = BPF_OP(insn->code); 1104 struct arg_track *dst = &at_out[insn->dst_reg]; 1105 struct arg_track *src = &at_out[insn->src_reg]; 1106 struct arg_track none = { .frame = ARG_NONE }; 1107 int r, slot; 1108 1109 /* Handle stack arg stores and loads. */ 1110 if (is_stack_arg_st(insn) || is_stack_arg_stx(insn)) { 1111 slot = stack_arg_off_to_slot(insn->off); 1112 if (slot >= 0) { 1113 if (is_stack_arg_stx(insn)) 1114 at_out[MAX_BPF_REG + slot] = at_out[insn->src_reg]; 1115 else 1116 at_out[MAX_BPF_REG + slot] = none; 1117 } 1118 } else if (is_stack_arg_ldx(insn)) { 1119 slot = stack_arg_off_to_slot(insn->off); 1120 at_out[insn->dst_reg] = (slot >= 0) ? at_stack_arg_entry[slot] : none; 1121 } else if (class == BPF_ALU64 && BPF_SRC(insn->code) == BPF_K) { 1122 if (code == BPF_MOV) { 1123 *dst = none; 1124 } else if (dst->frame >= 0) { 1125 if (code == BPF_ADD) 1126 arg_padd(dst, insn->imm); 1127 else if (code == BPF_SUB) 1128 arg_padd(dst, -(s64)insn->imm); 1129 else 1130 /* Any other 64-bit alu on the pointer makes it imprecise */ 1131 dst->off_cnt = 0; 1132 } /* else if dst->frame is imprecise it stays so */ 1133 } else if (class == BPF_ALU64 && BPF_SRC(insn->code) == BPF_X) { 1134 if (code == BPF_MOV) { 1135 if (insn->off == 0) { 1136 *dst = *src; 1137 } else { 1138 /* addr_space_cast destroys a pointer */ 1139 *dst = none; 1140 } 1141 } else { 1142 arg_track_alu64(dst, src); 1143 } 1144 } else if (class == BPF_ALU) { 1145 /* 1146 * 32-bit alu destroys the pointer. 1147 * If src was a pointer it cannot leak into dst 1148 */ 1149 *dst = none; 1150 } else if (class == BPF_JMP && code == BPF_CALL) { 1151 /* 1152 * at_stack_out[slot] is not cleared by the helper and subprog calls. 1153 * The fill_from_stack() may return the stale spill — which is an FP-derived arg_track 1154 * (the value that was originally spilled there). The loaded register then carries 1155 * a phantom FP-derived identity that doesn't correspond to what's actually in the slot. 1156 * This phantom FP pointer propagates forward, and wherever it's subsequently used 1157 * (as a helper argument, another store, etc.), it sets stack liveness bits. 1158 * Those bits correspond to stack accesses that don't actually happen. 1159 * So the effect is over-reporting stack liveness — marking slots as live that aren't 1160 * actually accessed. The verifier preserves more state than necessary across calls, 1161 * which is conservative. 1162 * 1163 * helpers can scratch stack slots, but they won't make a valid pointer out of it. 1164 * subprogs are allowed to write into parent slots, but they cannot write 1165 * _any_ FP-derived pointer into it (either their own or parent's FP). 1166 */ 1167 for (r = BPF_REG_0; r <= BPF_REG_5; r++) 1168 at_out[r] = none; 1169 } else if (class == BPF_LDX) { 1170 u32 sz = bpf_size_to_bytes(BPF_SIZE(insn->code)); 1171 bool src_is_local_fp = can_be_local_fp(depth, insn->src_reg, src); 1172 1173 /* 1174 * Reload from callee stack: if src is current-frame FP-derived 1175 * and the load is an 8-byte BPF_MEM, try to restore the spill 1176 * identity. For imprecise sources fill_from_stack() returns 1177 * ARG_IMPRECISE (off_cnt == 0). 1178 */ 1179 if (src_is_local_fp && BPF_MODE(insn->code) == BPF_MEM && sz == 8) { 1180 *dst = fill_from_stack(insn, at_out, insn->src_reg, at_stack_out, depth); 1181 } else if (src->frame >= 0 && src->frame < depth && 1182 BPF_MODE(insn->code) == BPF_MEM && sz == 8) { 1183 struct arg_track *parent_stack = 1184 env->callsite_at_stack[callsites[src->frame]]; 1185 1186 *dst = fill_from_stack(insn, at_out, insn->src_reg, 1187 parent_stack, src->frame); 1188 } else if (src->frame == ARG_IMPRECISE && 1189 !(src->mask & BIT(depth)) && src->mask && 1190 BPF_MODE(insn->code) == BPF_MEM && sz == 8) { 1191 /* 1192 * Imprecise src with only parent-frame bits: 1193 * conservative fallback. 1194 */ 1195 *dst = *src; 1196 } else { 1197 *dst = none; 1198 } 1199 } else if (class == BPF_LD && BPF_MODE(insn->code) == BPF_IMM) { 1200 *dst = none; 1201 } else if (class == BPF_STX) { 1202 u32 sz = bpf_size_to_bytes(BPF_SIZE(insn->code)); 1203 bool dst_is_local_fp; 1204 1205 /* Track spills to current-frame FP-derived callee stack */ 1206 dst_is_local_fp = can_be_local_fp(depth, insn->dst_reg, dst); 1207 if (dst_is_local_fp && BPF_MODE(insn->code) == BPF_MEM) 1208 spill_to_stack(insn, at_out, insn->dst_reg, 1209 at_stack_out, src, sz); 1210 1211 if (BPF_MODE(insn->code) == BPF_ATOMIC) { 1212 if (dst_is_local_fp && insn->imm != BPF_LOAD_ACQ) 1213 clear_stack_for_all_offs(insn, at_out, insn->dst_reg, 1214 at_stack_out, sz); 1215 1216 if (insn->imm == BPF_CMPXCHG) 1217 at_out[BPF_REG_0] = none; 1218 else if (insn->imm == BPF_LOAD_ACQ) 1219 *dst = none; 1220 else if (insn->imm & BPF_FETCH) 1221 *src = none; 1222 } 1223 } else if (class == BPF_ST && BPF_MODE(insn->code) == BPF_MEM) { 1224 u32 sz = bpf_size_to_bytes(BPF_SIZE(insn->code)); 1225 bool dst_is_local_fp = can_be_local_fp(depth, insn->dst_reg, dst); 1226 1227 /* BPF_ST to FP-derived dst: clear overlapping stack slots */ 1228 if (dst_is_local_fp) 1229 clear_stack_for_all_offs(insn, at_out, insn->dst_reg, 1230 at_stack_out, sz); 1231 } 1232 } 1233 1234 /* 1235 * Record access_bytes from helper/kfunc or load/store insn. 1236 * access_bytes > 0: stack read 1237 * access_bytes < 0: stack write 1238 * access_bytes == S64_MIN: unknown — conservative, mark [0..slot] as read 1239 * access_bytes == 0: no access 1240 * 1241 */ 1242 static int record_stack_access_off(struct func_instance *instance, s64 fp_off, 1243 s64 access_bytes, u32 frame, u32 insn_idx) 1244 { 1245 s32 slot_hi, slot_lo; 1246 spis_t mask; 1247 1248 if (fp_off >= 0) 1249 /* 1250 * out of bounds stack access doesn't contribute 1251 * into actual stack liveness. It will be rejected 1252 * by the main verifier pass later. 1253 */ 1254 return 0; 1255 if (access_bytes == S64_MIN) { 1256 /* helper/kfunc read unknown amount of bytes from fp_off until fp+0 */ 1257 slot_hi = (-fp_off - 1) / STACK_SLOT_SZ; 1258 mask = SPIS_ZERO; 1259 spis_or_range(&mask, 0, slot_hi); 1260 return mark_stack_read(instance, frame, insn_idx, mask); 1261 } 1262 if (access_bytes > 0) { 1263 /* Mark any touched slot as use */ 1264 slot_hi = (-fp_off - 1) / STACK_SLOT_SZ; 1265 slot_lo = max_t(s32, (-fp_off - access_bytes) / STACK_SLOT_SZ, 0); 1266 mask = SPIS_ZERO; 1267 spis_or_range(&mask, slot_lo, slot_hi); 1268 return mark_stack_read(instance, frame, insn_idx, mask); 1269 } else if (access_bytes < 0) { 1270 /* Mark only fully covered slots as def */ 1271 access_bytes = -access_bytes; 1272 slot_hi = (-fp_off) / STACK_SLOT_SZ - 1; 1273 slot_lo = max_t(s32, (-fp_off - access_bytes + STACK_SLOT_SZ - 1) / STACK_SLOT_SZ, 0); 1274 if (slot_lo <= slot_hi) { 1275 mask = SPIS_ZERO; 1276 spis_or_range(&mask, slot_lo, slot_hi); 1277 return mark_stack_write(instance, frame, insn_idx, mask); 1278 } 1279 } 1280 return 0; 1281 } 1282 1283 /* 1284 * 'arg' is FP-derived argument to helper/kfunc or load/store that 1285 * reads (positive) or writes (negative) 'access_bytes' into 'use' or 'def'. 1286 */ 1287 static int record_stack_access(struct func_instance *instance, 1288 const struct arg_track *arg, 1289 s64 access_bytes, u32 frame, u32 insn_idx) 1290 { 1291 int i, err; 1292 1293 if (access_bytes == 0) 1294 return 0; 1295 if (arg->off_cnt == 0) { 1296 if (access_bytes > 0 || access_bytes == S64_MIN) 1297 return mark_stack_read(instance, frame, insn_idx, SPIS_ALL); 1298 return 0; 1299 } 1300 if (access_bytes != S64_MIN && access_bytes < 0 && arg->off_cnt != 1) 1301 /* multi-offset write cannot set stack_def */ 1302 return 0; 1303 1304 for (i = 0; i < arg->off_cnt; i++) { 1305 err = record_stack_access_off(instance, arg->off[i], access_bytes, frame, insn_idx); 1306 if (err) 1307 return err; 1308 } 1309 return 0; 1310 } 1311 1312 /* 1313 * When a pointer is ARG_IMPRECISE, conservatively mark every frame in 1314 * the bitmask as fully used. 1315 */ 1316 static int record_imprecise(struct func_instance *instance, u32 mask, u32 insn_idx) 1317 { 1318 int depth = instance->depth; 1319 int f, err; 1320 1321 for (f = 0; mask; f++, mask >>= 1) { 1322 if (!(mask & 1)) 1323 continue; 1324 if (f <= depth) { 1325 err = mark_stack_read(instance, f, insn_idx, SPIS_ALL); 1326 if (err) 1327 return err; 1328 } 1329 } 1330 return 0; 1331 } 1332 1333 /* Record load/store access for a given 'at' state of 'insn'. */ 1334 static int record_load_store_access(struct bpf_verifier_env *env, 1335 struct func_instance *instance, 1336 struct arg_track *at, int insn_idx) 1337 { 1338 struct bpf_insn *insn = &env->prog->insnsi[insn_idx]; 1339 int depth = instance->depth; 1340 s32 sz = bpf_size_to_bytes(BPF_SIZE(insn->code)); 1341 u8 class = BPF_CLASS(insn->code); 1342 struct arg_track resolved, *ptr; 1343 int oi; 1344 1345 /* 1346 * Stack arg insns use dst_reg/src_reg=BPF_REG_PARAMS(11). Since at[] 1347 * is extended to MAX_AT_TRACK_REGS, at[11] holds the arg_track for 1348 * outgoing stack arg slot 0 — not the pointer used for the memory 1349 * access. Skip so the slot's tracked value isn't confused with the 1350 * base register that record_stack_access() expects. 1351 */ 1352 if (is_stack_arg_stx(insn) || is_stack_arg_st(insn) || is_stack_arg_ldx(insn)) 1353 return 0; 1354 1355 switch (class) { 1356 case BPF_LDX: 1357 ptr = &at[insn->src_reg]; 1358 break; 1359 case BPF_STX: 1360 if (BPF_MODE(insn->code) == BPF_ATOMIC) { 1361 if (insn->imm == BPF_STORE_REL) 1362 sz = -sz; 1363 if (insn->imm == BPF_LOAD_ACQ) 1364 ptr = &at[insn->src_reg]; 1365 else 1366 ptr = &at[insn->dst_reg]; 1367 } else { 1368 ptr = &at[insn->dst_reg]; 1369 sz = -sz; 1370 } 1371 break; 1372 case BPF_ST: 1373 ptr = &at[insn->dst_reg]; 1374 sz = -sz; 1375 break; 1376 default: 1377 return 0; 1378 } 1379 1380 /* Resolve offsets: fold insn->off into arg_track */ 1381 if (ptr->off_cnt > 0) { 1382 resolved.off_cnt = ptr->off_cnt; 1383 resolved.frame = ptr->frame; 1384 for (oi = 0; oi < ptr->off_cnt; oi++) { 1385 if (arg_add(ptr->off[oi], insn->off, &resolved.off[oi])) { 1386 resolved.off_cnt = 0; 1387 break; 1388 } 1389 } 1390 ptr = &resolved; 1391 } 1392 1393 if (ptr->frame >= 0 && ptr->frame <= depth) 1394 return record_stack_access(instance, ptr, sz, ptr->frame, insn_idx); 1395 if (ptr->frame == ARG_IMPRECISE) 1396 return record_imprecise(instance, ptr->mask, insn_idx); 1397 /* ARG_NONE: not derived from any frame pointer, skip */ 1398 return 0; 1399 } 1400 1401 static int record_arg_access(struct bpf_verifier_env *env, 1402 struct func_instance *instance, 1403 struct bpf_insn *insn, 1404 struct arg_track *at, int arg_idx, 1405 int insn_idx) 1406 { 1407 int depth = instance->depth; 1408 int frame = at->frame; 1409 int err = 0; 1410 s64 bytes; 1411 1412 if (!arg_is_fp(at)) 1413 return 0; 1414 1415 if (bpf_helper_call(insn)) { 1416 bytes = bpf_helper_stack_access_bytes(env, insn, arg_idx, insn_idx); 1417 } else if (bpf_pseudo_kfunc_call(insn)) { 1418 bytes = bpf_kfunc_stack_access_bytes(env, insn, arg_idx, insn_idx); 1419 } else { 1420 for (int f = 0; f <= depth; f++) { 1421 err = mark_stack_read(instance, f, insn_idx, SPIS_ALL); 1422 if (err) 1423 return err; 1424 } 1425 return 0; 1426 } 1427 if (bytes == 0) 1428 return 0; 1429 1430 if (frame >= 0 && frame <= depth) 1431 err = record_stack_access(instance, at, bytes, frame, insn_idx); 1432 else if (frame == ARG_IMPRECISE) 1433 err = record_imprecise(instance, at->mask, insn_idx); 1434 return err; 1435 } 1436 1437 /* Record stack access for a given 'at' state of helper/kfunc 'insn' */ 1438 static int record_call_access(struct bpf_verifier_env *env, 1439 struct func_instance *instance, 1440 struct arg_track *at, 1441 int insn_idx) 1442 { 1443 struct bpf_insn *insn = &env->prog->insnsi[insn_idx]; 1444 struct bpf_call_summary cs; 1445 int r, err, num_params = 5; 1446 1447 if (bpf_pseudo_call(insn)) 1448 return 0; 1449 1450 if (bpf_get_call_summary(env, insn, &cs)) 1451 num_params = cs.num_params; 1452 1453 for (r = BPF_REG_1; r < BPF_REG_1 + min(num_params, MAX_BPF_FUNC_REG_ARGS); r++) { 1454 err = record_arg_access(env, instance, insn, &at[r], r - 1, insn_idx); 1455 if (err) 1456 return err; 1457 } 1458 1459 for (r = 0; r < MAX_STACK_ARG_SLOTS && r < num_params - MAX_BPF_FUNC_REG_ARGS; r++) { 1460 err = record_arg_access(env, instance, insn, &at[MAX_BPF_REG + r], 1461 r + MAX_BPF_FUNC_REG_ARGS, insn_idx); 1462 if (err) 1463 return err; 1464 } 1465 return 0; 1466 } 1467 1468 /* 1469 * For a calls_callback helper, find the callback subprog and determine 1470 * which caller register maps to which callback register for FP passthrough. 1471 */ 1472 static int find_callback_subprog(struct bpf_verifier_env *env, 1473 struct bpf_insn *insn, int insn_idx, 1474 int *caller_reg, int *callee_reg) 1475 { 1476 struct bpf_insn_aux_data *aux = &env->insn_aux_data[insn_idx]; 1477 int cb_reg = -1; 1478 1479 *caller_reg = -1; 1480 *callee_reg = -1; 1481 1482 if (!bpf_helper_call(insn)) 1483 return -1; 1484 switch (insn->imm) { 1485 case BPF_FUNC_loop: 1486 /* bpf_loop(nr, cb, ctx, flags): cb=R2, R3->cb R2 */ 1487 cb_reg = BPF_REG_2; 1488 *caller_reg = BPF_REG_3; 1489 *callee_reg = BPF_REG_2; 1490 break; 1491 case BPF_FUNC_for_each_map_elem: 1492 /* for_each_map_elem(map, cb, ctx, flags): cb=R2, R3->cb R4 */ 1493 cb_reg = BPF_REG_2; 1494 *caller_reg = BPF_REG_3; 1495 *callee_reg = BPF_REG_4; 1496 break; 1497 case BPF_FUNC_find_vma: 1498 /* find_vma(task, addr, cb, ctx, flags): cb=R3, R4->cb R3 */ 1499 cb_reg = BPF_REG_3; 1500 *caller_reg = BPF_REG_4; 1501 *callee_reg = BPF_REG_3; 1502 break; 1503 case BPF_FUNC_user_ringbuf_drain: 1504 /* user_ringbuf_drain(map, cb, ctx, flags): cb=R2, R3->cb R2 */ 1505 cb_reg = BPF_REG_2; 1506 *caller_reg = BPF_REG_3; 1507 *callee_reg = BPF_REG_2; 1508 break; 1509 default: 1510 return -1; 1511 } 1512 1513 if (!(aux->const_reg_subprog_mask & BIT(cb_reg))) 1514 return -2; 1515 1516 return aux->const_reg_vals[cb_reg]; 1517 } 1518 1519 /* Per-subprog intermediate state kept alive across analysis phases */ 1520 struct subprog_at_info { 1521 struct arg_track (*at_in)[MAX_AT_TRACK_REGS]; 1522 int len; 1523 }; 1524 1525 static void print_subprog_arg_access(struct bpf_verifier_env *env, 1526 int subprog, 1527 struct subprog_at_info *info, 1528 struct arg_track (*at_stack_in)[MAX_ARG_SPILL_SLOTS]) 1529 { 1530 struct bpf_insn *insns = env->prog->insnsi; 1531 int start = env->subprog_info[subprog].start; 1532 int len = info->len; 1533 int i, r; 1534 1535 if (!(env->log.level & BPF_LOG_LEVEL2)) 1536 return; 1537 1538 verbose(env, "%s:\n", fmt_subprog(env, subprog)); 1539 for (i = 0; i < len; i++) { 1540 int idx = start + i; 1541 bool has_extra = false; 1542 u8 cls = BPF_CLASS(insns[idx].code); 1543 bool is_ldx_stx_call = cls == BPF_LDX || cls == BPF_STX || 1544 insns[idx].code == (BPF_JMP | BPF_CALL); 1545 1546 verbose(env, "%3d: ", idx); 1547 bpf_verbose_insn(env, &insns[idx]); 1548 1549 /* Collect what needs printing */ 1550 if (is_ldx_stx_call && 1551 arg_is_visited(&info->at_in[i][0])) { 1552 for (r = 0; r < MAX_BPF_REG - 1; r++) 1553 if (arg_is_fp(&info->at_in[i][r])) 1554 has_extra = true; 1555 for (r = 0; r < MAX_STACK_ARG_SLOTS; r++) 1556 if (arg_is_fp(&info->at_in[i][MAX_BPF_REG + r])) 1557 has_extra = true; 1558 } 1559 if (is_ldx_stx_call) { 1560 for (r = 0; r < MAX_ARG_SPILL_SLOTS; r++) 1561 if (arg_is_fp(&at_stack_in[i][r])) 1562 has_extra = true; 1563 } 1564 1565 if (!has_extra) { 1566 if (bpf_is_ldimm64(&insns[idx])) 1567 i++; 1568 continue; 1569 } 1570 1571 bpf_vlog_reset(&env->log, env->log.end_pos - 1); 1572 verbose(env, " //"); 1573 1574 if (is_ldx_stx_call && info->at_in && 1575 arg_is_visited(&info->at_in[i][0])) { 1576 for (r = 0; r < MAX_BPF_REG - 1; r++) { 1577 if (!arg_is_fp(&info->at_in[i][r])) 1578 continue; 1579 verbose(env, " r%d=", r); 1580 verbose_arg_track(env, &info->at_in[i][r]); 1581 } 1582 for (r = 0; r < MAX_STACK_ARG_SLOTS; r++) { 1583 if (!arg_is_fp(&info->at_in[i][MAX_BPF_REG + r])) 1584 continue; 1585 verbose(env, " sa%d=", r); 1586 verbose_arg_track(env, &info->at_in[i][MAX_BPF_REG + r]); 1587 } 1588 } 1589 1590 if (is_ldx_stx_call) { 1591 for (r = 0; r < MAX_ARG_SPILL_SLOTS; r++) { 1592 if (!arg_is_fp(&at_stack_in[i][r])) 1593 continue; 1594 verbose(env, " fp%+d=", -(r + 1) * 8); 1595 verbose_arg_track(env, &at_stack_in[i][r]); 1596 } 1597 } 1598 1599 verbose(env, "\n"); 1600 if (bpf_is_ldimm64(&insns[idx])) 1601 i++; 1602 } 1603 } 1604 1605 /* 1606 * Compute arg tracking dataflow for a single subprog. 1607 * Runs forward fixed-point with arg_track_xfer(), then records 1608 * memory accesses in a single linear pass over converged state. 1609 * 1610 * @callee_entry: pre-populated entry state for R1-R5 and stack args 1611 * NULL for main (subprog 0). 1612 * @info: stores at_in, len for debug printing. 1613 */ 1614 static int compute_subprog_args(struct bpf_verifier_env *env, 1615 struct subprog_at_info *info, 1616 struct arg_track *callee_entry, 1617 struct func_instance *instance, 1618 u32 *callsites) 1619 { 1620 int subprog = instance->subprog; 1621 struct bpf_insn *insns = env->prog->insnsi; 1622 int depth = instance->depth; 1623 int start = env->subprog_info[subprog].start; 1624 int po_start = env->subprog_info[subprog].postorder_start; 1625 int end = env->subprog_info[subprog + 1].start; 1626 int po_end = env->subprog_info[subprog + 1].postorder_start; 1627 int len = end - start; 1628 struct arg_track (*at_in)[MAX_AT_TRACK_REGS] = NULL; 1629 struct arg_track at_out[MAX_AT_TRACK_REGS]; 1630 struct arg_track (*at_stack_in)[MAX_ARG_SPILL_SLOTS] = NULL; 1631 struct arg_track *at_stack_out = NULL; 1632 struct arg_track at_stack_arg_entry[MAX_STACK_ARG_SLOTS]; 1633 struct arg_track unvisited = { .frame = ARG_UNVISITED }; 1634 struct arg_track none = { .frame = ARG_NONE }; 1635 bool changed; 1636 int i, p, r, err = -ENOMEM; 1637 1638 at_in = kvmalloc_objs(*at_in, len, GFP_KERNEL_ACCOUNT); 1639 if (!at_in) 1640 goto err_free; 1641 1642 at_stack_in = kvmalloc_objs(*at_stack_in, len, GFP_KERNEL_ACCOUNT); 1643 if (!at_stack_in) 1644 goto err_free; 1645 1646 at_stack_out = kvmalloc_objs(*at_stack_out, MAX_ARG_SPILL_SLOTS, GFP_KERNEL_ACCOUNT); 1647 if (!at_stack_out) 1648 goto err_free; 1649 1650 for (i = 0; i < len; i++) { 1651 for (r = 0; r < MAX_AT_TRACK_REGS; r++) 1652 at_in[i][r] = unvisited; 1653 for (r = 0; r < MAX_ARG_SPILL_SLOTS; r++) 1654 at_stack_in[i][r] = unvisited; 1655 } 1656 1657 for (r = 0; r < MAX_AT_TRACK_REGS; r++) 1658 at_in[0][r] = none; 1659 1660 /* Entry: R10 is always precisely the current frame's FP */ 1661 at_in[0][BPF_REG_FP] = arg_single(depth, 0); 1662 1663 /* R1-R5: from caller or ARG_NONE for main */ 1664 if (callee_entry) { 1665 for (r = BPF_REG_1; r <= BPF_REG_5; r++) 1666 at_in[0][r] = callee_entry[r]; 1667 } 1668 1669 /* Entry: all stack slots are ARG_NONE */ 1670 for (r = 0; r < MAX_ARG_SPILL_SLOTS; r++) 1671 at_stack_in[0][r] = none; 1672 1673 /* Entry: incoming stack args from caller, or ARG_NONE for main */ 1674 for (r = 0; r < MAX_STACK_ARG_SLOTS; r++) 1675 at_stack_arg_entry[r] = callee_entry ? callee_entry[MAX_BPF_REG + r] : none; 1676 1677 if (env->log.level & BPF_LOG_LEVEL2) 1678 verbose(env, "subprog#%d: analyzing (depth %d)...\n", subprog, depth); 1679 1680 /* Forward fixed-point iteration in reverse post order */ 1681 redo: 1682 changed = false; 1683 for (p = po_end - 1; p >= po_start; p--) { 1684 int idx = env->cfg.insn_postorder[p]; 1685 int i = idx - start; 1686 struct bpf_insn *insn = &insns[idx]; 1687 struct bpf_iarray *succ; 1688 1689 if (!arg_is_visited(&at_in[i][0]) && !arg_is_visited(&at_in[i][1])) 1690 continue; 1691 1692 memcpy(at_out, at_in[i], sizeof(at_out)); 1693 memcpy(at_stack_out, at_stack_in[i], MAX_ARG_SPILL_SLOTS * sizeof(*at_stack_out)); 1694 1695 arg_track_xfer(env, insn, idx, at_out, at_stack_out, 1696 at_stack_arg_entry, instance, callsites); 1697 arg_track_log(env, insn, idx, at_in[i], at_stack_in[i], at_out, at_stack_out); 1698 1699 /* Propagate to successors within this subprogram */ 1700 succ = bpf_insn_successors(env, idx); 1701 for (int s = 0; s < succ->cnt; s++) { 1702 int target = succ->items[s]; 1703 int ti; 1704 1705 /* Filter: stay within the subprogram's range */ 1706 if (target < start || target >= end) 1707 continue; 1708 ti = target - start; 1709 1710 for (r = 0; r < MAX_AT_TRACK_REGS; r++) 1711 changed |= arg_track_join(env, idx, target, r, 1712 &at_in[ti][r], at_out[r]); 1713 1714 for (r = 0; r < MAX_ARG_SPILL_SLOTS; r++) 1715 changed |= arg_track_join(env, idx, target, -r - 1, 1716 &at_stack_in[ti][r], at_stack_out[r]); 1717 } 1718 } 1719 if (changed) 1720 goto redo; 1721 1722 /* Record memory accesses using converged at_in (RPO skips dead code) */ 1723 for (p = po_end - 1; p >= po_start; p--) { 1724 int idx = env->cfg.insn_postorder[p]; 1725 int i = idx - start; 1726 struct bpf_insn *insn = &insns[idx]; 1727 1728 err = record_load_store_access(env, instance, at_in[i], idx); 1729 if (err) 1730 goto err_free; 1731 1732 if (insn->code == (BPF_JMP | BPF_CALL)) { 1733 err = record_call_access(env, instance, at_in[i], idx); 1734 if (err) 1735 goto err_free; 1736 } 1737 1738 if (bpf_pseudo_call(insn) || bpf_calls_callback(env, idx)) { 1739 kvfree(env->callsite_at_stack[idx]); 1740 env->callsite_at_stack[idx] = 1741 kvmalloc_objs(*env->callsite_at_stack[idx], 1742 MAX_ARG_SPILL_SLOTS, GFP_KERNEL_ACCOUNT); 1743 if (!env->callsite_at_stack[idx]) { 1744 err = -ENOMEM; 1745 goto err_free; 1746 } 1747 memcpy(env->callsite_at_stack[idx], 1748 at_stack_in[i], sizeof(struct arg_track) * MAX_ARG_SPILL_SLOTS); 1749 } 1750 } 1751 1752 info->at_in = at_in; 1753 at_in = NULL; 1754 info->len = len; 1755 print_subprog_arg_access(env, subprog, info, at_stack_in); 1756 err = 0; 1757 1758 err_free: 1759 kvfree(at_stack_out); 1760 kvfree(at_stack_in); 1761 kvfree(at_in); 1762 return err; 1763 } 1764 1765 /* Return true if any of R1-R5 or stack args is derived from a frame pointer. */ 1766 static bool has_fp_args(struct arg_track *args) 1767 { 1768 for (int r = BPF_REG_1; r <= BPF_REG_5; r++) 1769 if (arg_is_fp(&args[r])) 1770 return true; 1771 for (int r = 0; r < MAX_STACK_ARG_SLOTS; r++) 1772 if (arg_is_fp(&args[MAX_BPF_REG + r])) 1773 return true; 1774 return false; 1775 } 1776 1777 /* 1778 * Merge a freshly analyzed instance into the original. 1779 * may_read: union (any pass might read the slot). 1780 * must_write: intersection (only slots written on ALL passes are guaranteed). 1781 * live_before is recomputed by a subsequent update_instance() on @dst. 1782 */ 1783 static void merge_instances(struct func_instance *dst, struct func_instance *src) 1784 { 1785 int f, i; 1786 1787 for (f = 0; f <= dst->depth; f++) { 1788 if (!src->frames[f]) { 1789 /* This pass didn't touch frame f — must_write intersects with empty. */ 1790 if (dst->frames[f]) 1791 for (i = 0; i < dst->insn_cnt; i++) 1792 dst->frames[f][i].must_write = SPIS_ZERO; 1793 continue; 1794 } 1795 if (!dst->frames[f]) { 1796 /* Previous pass didn't touch frame f — take src, zero must_write. */ 1797 dst->frames[f] = src->frames[f]; 1798 src->frames[f] = NULL; 1799 for (i = 0; i < dst->insn_cnt; i++) 1800 dst->frames[f][i].must_write = SPIS_ZERO; 1801 continue; 1802 } 1803 for (i = 0; i < dst->insn_cnt; i++) { 1804 dst->frames[f][i].may_read = 1805 spis_or(dst->frames[f][i].may_read, 1806 src->frames[f][i].may_read); 1807 dst->frames[f][i].must_write = 1808 spis_and(dst->frames[f][i].must_write, 1809 src->frames[f][i].must_write); 1810 } 1811 } 1812 } 1813 1814 static struct func_instance *fresh_instance(struct func_instance *src) 1815 { 1816 struct func_instance *f; 1817 1818 f = kvzalloc_obj(*f, GFP_KERNEL_ACCOUNT); 1819 if (!f) 1820 return ERR_PTR(-ENOMEM); 1821 f->callsite = src->callsite; 1822 f->depth = src->depth; 1823 f->subprog = src->subprog; 1824 f->subprog_start = src->subprog_start; 1825 f->insn_cnt = src->insn_cnt; 1826 return f; 1827 } 1828 1829 static void free_instance(struct func_instance *instance) 1830 { 1831 int i; 1832 1833 for (i = 0; i <= instance->depth; i++) 1834 kvfree(instance->frames[i]); 1835 kvfree(instance); 1836 } 1837 1838 /* 1839 * Recursively analyze a subprog with specific 'entry_args'. 1840 * Each callee is analyzed with the exact args from its call site. 1841 * 1842 * Args are recomputed for each call because the dataflow result at_in[] 1843 * depends on the entry args and frame depth. Consider: A->C->D and B->C->D 1844 * Callsites in A and B pass different args into C, so C is recomputed. 1845 * Then within C the same callsite passes different args into D. 1846 */ 1847 static int analyze_subprog(struct bpf_verifier_env *env, 1848 struct arg_track *entry_args, 1849 struct subprog_at_info *info, 1850 struct func_instance *instance, 1851 u32 *callsites) 1852 { 1853 int subprog = instance->subprog; 1854 int depth = instance->depth; 1855 struct bpf_insn *insns = env->prog->insnsi; 1856 int start = env->subprog_info[subprog].start; 1857 int po_start = env->subprog_info[subprog].postorder_start; 1858 int po_end = env->subprog_info[subprog + 1].postorder_start; 1859 struct func_instance *prev_instance = NULL; 1860 int j, err; 1861 1862 if (++env->liveness->subprog_calls > 10000) { 1863 verbose(env, "liveness analysis exceeded complexity limit (%d calls)\n", 1864 env->liveness->subprog_calls); 1865 return -E2BIG; 1866 } 1867 1868 if (need_resched()) 1869 cond_resched(); 1870 1871 1872 /* 1873 * When an instance is reused (must_write_initialized == true), 1874 * record into a fresh instance and merge afterward. This avoids 1875 * stale must_write marks for instructions not reached in this pass. 1876 */ 1877 if (instance->must_write_initialized) { 1878 struct func_instance *fresh = fresh_instance(instance); 1879 1880 if (IS_ERR(fresh)) 1881 return PTR_ERR(fresh); 1882 prev_instance = instance; 1883 instance = fresh; 1884 } 1885 1886 /* Free prior analysis if this subprog was already visited */ 1887 kvfree(info[subprog].at_in); 1888 info[subprog].at_in = NULL; 1889 1890 err = compute_subprog_args(env, &info[subprog], entry_args, instance, callsites); 1891 if (err) 1892 goto out_free; 1893 1894 /* For each reachable call site in the subprog, recurse into callees */ 1895 for (int p = po_start; p < po_end; p++) { 1896 int idx = env->cfg.insn_postorder[p]; 1897 struct arg_track callee_args[MAX_AT_TRACK_REGS] = {}; 1898 struct arg_track none = { .frame = ARG_NONE }; 1899 struct bpf_insn *insn = &insns[idx]; 1900 struct func_instance *callee_instance; 1901 int callee, target; 1902 int caller_reg, cb_callee_reg; 1903 1904 j = idx - start; /* relative index within this subprog */ 1905 1906 if (bpf_pseudo_call(insn)) { 1907 target = idx + insn->imm + 1; 1908 callee = bpf_find_subprog(env, target); 1909 if (callee < 0) 1910 continue; 1911 1912 /* Build entry args: R1-R5 and stack args from at_in at call site */ 1913 for (int r = BPF_REG_1; r <= BPF_REG_5; r++) 1914 callee_args[r] = info[subprog].at_in[j][r]; 1915 for (int r = 0; r < MAX_STACK_ARG_SLOTS; r++) 1916 callee_args[MAX_BPF_REG + r] = info[subprog].at_in[j][MAX_BPF_REG + r]; 1917 } else if (bpf_calls_callback(env, idx)) { 1918 callee = find_callback_subprog(env, insn, idx, &caller_reg, &cb_callee_reg); 1919 if (callee == -2) { 1920 /* 1921 * same bpf_loop() calls two different callbacks and passes 1922 * stack pointer to them 1923 */ 1924 if (info[subprog].at_in[j][caller_reg].frame == ARG_NONE) 1925 continue; 1926 for (int f = 0; f <= depth; f++) { 1927 err = mark_stack_read(instance, f, idx, SPIS_ALL); 1928 if (err) 1929 goto out_free; 1930 } 1931 continue; 1932 } 1933 if (callee < 0) 1934 continue; 1935 1936 for (int r = BPF_REG_1; r <= BPF_REG_5; r++) 1937 callee_args[r] = none; 1938 for (int r = 0; r < MAX_STACK_ARG_SLOTS; r++) 1939 callee_args[MAX_BPF_REG + r] = none; 1940 callee_args[cb_callee_reg] = info[subprog].at_in[j][caller_reg]; 1941 } else { 1942 continue; 1943 } 1944 1945 if (!has_fp_args(callee_args)) 1946 continue; 1947 1948 if (depth == MAX_CALL_FRAMES - 1) { 1949 err = -EINVAL; 1950 goto out_free; 1951 } 1952 1953 callee_instance = call_instance(env, instance, idx, callee); 1954 if (IS_ERR(callee_instance)) { 1955 err = PTR_ERR(callee_instance); 1956 goto out_free; 1957 } 1958 callsites[depth] = idx; 1959 err = analyze_subprog(env, callee_args, info, callee_instance, callsites); 1960 if (err) 1961 goto out_free; 1962 1963 /* Pull callee's entry liveness back to caller's callsite */ 1964 { 1965 u32 callee_start = callee_instance->subprog_start; 1966 struct per_frame_masks *entry; 1967 1968 for (int f = 0; f < callee_instance->depth; f++) { 1969 entry = get_frame_masks(callee_instance, f, callee_start); 1970 if (!entry) 1971 continue; 1972 err = mark_stack_read(instance, f, idx, entry->live_before); 1973 if (err) 1974 goto out_free; 1975 } 1976 } 1977 } 1978 1979 if (prev_instance) { 1980 merge_instances(prev_instance, instance); 1981 free_instance(instance); 1982 instance = prev_instance; 1983 } 1984 update_instance(env, instance); 1985 return 0; 1986 1987 out_free: 1988 if (prev_instance) 1989 free_instance(instance); 1990 return err; 1991 } 1992 1993 int bpf_compute_subprog_arg_access(struct bpf_verifier_env *env) 1994 { 1995 u32 callsites[MAX_CALL_FRAMES] = {}; 1996 int insn_cnt = env->prog->len; 1997 struct func_instance *instance; 1998 struct subprog_at_info *info; 1999 int k, err = 0; 2000 2001 info = kvzalloc_objs(*info, env->subprog_cnt, GFP_KERNEL_ACCOUNT); 2002 if (!info) 2003 return -ENOMEM; 2004 2005 env->callsite_at_stack = kvzalloc_objs(*env->callsite_at_stack, insn_cnt, 2006 GFP_KERNEL_ACCOUNT); 2007 if (!env->callsite_at_stack) { 2008 kvfree(info); 2009 return -ENOMEM; 2010 } 2011 2012 /* 2013 * Analyze every subprog in reverse topological order (callers 2014 * before callees) so that each subprog is analyzed before its 2015 * callees, allowing the recursive walk inside analyze_subprog() 2016 * to naturally reach callees that receive FP-derived args. 2017 * 2018 * Subprogs and callbacks that don't receive FP-derived arguments 2019 * cannot access ancestor stack frames are analyzed independently. 2020 * Async callbacks (timer, workqueue) are handled the same way. 2021 */ 2022 for (k = env->subprog_cnt - 1; k >= 0; k--) { 2023 int sub = env->subprog_topo_order[k]; 2024 2025 if (info[sub].at_in && !bpf_subprog_is_global(env, sub)) 2026 continue; 2027 instance = call_instance(env, NULL, 0, sub); 2028 if (IS_ERR(instance)) { 2029 err = PTR_ERR(instance); 2030 goto out; 2031 } 2032 err = analyze_subprog(env, NULL, info, instance, callsites); 2033 if (err) 2034 goto out; 2035 } 2036 2037 if (env->log.level & BPF_LOG_LEVEL2) 2038 err = print_instances(env); 2039 2040 out: 2041 for (k = 0; k < insn_cnt; k++) 2042 kvfree(env->callsite_at_stack[k]); 2043 kvfree(env->callsite_at_stack); 2044 env->callsite_at_stack = NULL; 2045 for (k = 0; k < env->subprog_cnt; k++) 2046 kvfree(info[k].at_in); 2047 kvfree(info); 2048 return err; 2049 } 2050 2051 /* Each field is a register bitmask */ 2052 struct insn_live_regs { 2053 u16 use; /* registers read by instruction */ 2054 u16 def; /* registers written by instruction */ 2055 u16 in; /* registers that may be alive before instruction */ 2056 u16 out; /* registers that may be alive after instruction */ 2057 }; 2058 2059 /* Bitmask with 1s for all caller saved registers */ 2060 #define ALL_CALLER_SAVED_REGS ((1u << CALLER_SAVED_REGS) - 1) 2061 2062 /* Compute info->{use,def} fields for the instruction */ 2063 static void compute_insn_live_regs(struct bpf_verifier_env *env, 2064 struct bpf_insn *insn, 2065 struct insn_live_regs *info) 2066 { 2067 struct bpf_call_summary cs; 2068 u8 class = BPF_CLASS(insn->code); 2069 u8 code = BPF_OP(insn->code); 2070 u8 mode = BPF_MODE(insn->code); 2071 u16 src = BIT(insn->src_reg); 2072 u16 dst = BIT(insn->dst_reg); 2073 u16 r0 = BIT(0); 2074 u16 def = 0; 2075 u16 use = 0xffff; 2076 2077 switch (class) { 2078 case BPF_LD: 2079 switch (mode) { 2080 case BPF_IMM: 2081 if (BPF_SIZE(insn->code) == BPF_DW) { 2082 def = dst; 2083 use = 0; 2084 } 2085 break; 2086 case BPF_LD | BPF_ABS: 2087 case BPF_LD | BPF_IND: 2088 /* stick with defaults */ 2089 break; 2090 } 2091 break; 2092 case BPF_LDX: 2093 switch (mode) { 2094 case BPF_MEM: 2095 case BPF_MEMSX: 2096 def = dst; 2097 use = src; 2098 break; 2099 } 2100 break; 2101 case BPF_ST: 2102 switch (mode) { 2103 case BPF_MEM: 2104 def = 0; 2105 use = dst; 2106 break; 2107 } 2108 break; 2109 case BPF_STX: 2110 switch (mode) { 2111 case BPF_MEM: 2112 def = 0; 2113 use = dst | src; 2114 break; 2115 case BPF_ATOMIC: 2116 switch (insn->imm) { 2117 case BPF_CMPXCHG: 2118 use = r0 | dst | src; 2119 def = r0; 2120 break; 2121 case BPF_LOAD_ACQ: 2122 def = dst; 2123 use = src; 2124 break; 2125 case BPF_STORE_REL: 2126 def = 0; 2127 use = dst | src; 2128 break; 2129 default: 2130 use = dst | src; 2131 if (insn->imm & BPF_FETCH) 2132 def = src; 2133 else 2134 def = 0; 2135 } 2136 break; 2137 } 2138 break; 2139 case BPF_ALU: 2140 case BPF_ALU64: 2141 switch (code) { 2142 case BPF_END: 2143 use = dst; 2144 def = dst; 2145 break; 2146 case BPF_MOV: 2147 def = dst; 2148 if (BPF_SRC(insn->code) == BPF_K) 2149 use = 0; 2150 else 2151 use = src; 2152 break; 2153 default: 2154 def = dst; 2155 if (BPF_SRC(insn->code) == BPF_K) 2156 use = dst; 2157 else 2158 use = dst | src; 2159 } 2160 break; 2161 case BPF_JMP: 2162 case BPF_JMP32: 2163 switch (code) { 2164 case BPF_JA: 2165 def = 0; 2166 if (BPF_SRC(insn->code) == BPF_X) 2167 use = dst; 2168 else 2169 use = 0; 2170 break; 2171 case BPF_JCOND: 2172 def = 0; 2173 use = 0; 2174 break; 2175 case BPF_EXIT: 2176 def = 0; 2177 use = r0; 2178 break; 2179 case BPF_CALL: 2180 def = ALL_CALLER_SAVED_REGS; 2181 use = def & ~BIT(BPF_REG_0); 2182 if (bpf_get_call_summary(env, insn, &cs)) 2183 use = GENMASK(min_t(u8, cs.num_params, MAX_BPF_FUNC_REG_ARGS), 1); 2184 break; 2185 default: 2186 def = 0; 2187 if (BPF_SRC(insn->code) == BPF_K) 2188 use = dst; 2189 else 2190 use = dst | src; 2191 } 2192 break; 2193 } 2194 2195 info->def = def; 2196 info->use = use; 2197 } 2198 2199 /* Compute may-live registers after each instruction in the program. 2200 * The register is live after the instruction I if it is read by some 2201 * instruction S following I during program execution and is not 2202 * overwritten between I and S. 2203 * 2204 * Store result in env->insn_aux_data[i].live_regs. 2205 */ 2206 int bpf_compute_live_registers(struct bpf_verifier_env *env) 2207 { 2208 struct bpf_insn_aux_data *insn_aux = env->insn_aux_data; 2209 struct bpf_insn *insns = env->prog->insnsi; 2210 struct insn_live_regs *state; 2211 int insn_cnt = env->prog->len; 2212 int err = 0, i, j; 2213 bool changed; 2214 2215 /* Use the following algorithm: 2216 * - define the following: 2217 * - I.use : a set of all registers read by instruction I; 2218 * - I.def : a set of all registers written by instruction I; 2219 * - I.in : a set of all registers that may be alive before I execution; 2220 * - I.out : a set of all registers that may be alive after I execution; 2221 * - insn_successors(I): a set of instructions S that might immediately 2222 * follow I for some program execution; 2223 * - associate separate empty sets 'I.in' and 'I.out' with each instruction; 2224 * - visit each instruction in a postorder and update 2225 * state[i].in, state[i].out as follows: 2226 * 2227 * state[i].out = U [state[s].in for S in insn_successors(i)] 2228 * state[i].in = (state[i].out / state[i].def) U state[i].use 2229 * 2230 * (where U stands for set union, / stands for set difference) 2231 * - repeat the computation while {in,out} fields changes for 2232 * any instruction. 2233 */ 2234 state = kvzalloc_objs(*state, insn_cnt, GFP_KERNEL_ACCOUNT); 2235 if (!state) { 2236 err = -ENOMEM; 2237 goto out; 2238 } 2239 2240 for (i = 0; i < insn_cnt; ++i) 2241 compute_insn_live_regs(env, &insns[i], &state[i]); 2242 2243 /* Forward pass: resolve stack access through FP-derived pointers */ 2244 err = bpf_compute_subprog_arg_access(env); 2245 if (err) 2246 goto out; 2247 2248 changed = true; 2249 while (changed) { 2250 changed = false; 2251 for (i = 0; i < env->cfg.cur_postorder; ++i) { 2252 int insn_idx = env->cfg.insn_postorder[i]; 2253 struct insn_live_regs *live = &state[insn_idx]; 2254 struct bpf_iarray *succ; 2255 u16 new_out = 0; 2256 u16 new_in = 0; 2257 2258 succ = bpf_insn_successors(env, insn_idx); 2259 for (int s = 0; s < succ->cnt; ++s) 2260 new_out |= state[succ->items[s]].in; 2261 new_in = (new_out & ~live->def) | live->use; 2262 if (new_out != live->out || new_in != live->in) { 2263 live->in = new_in; 2264 live->out = new_out; 2265 changed = true; 2266 } 2267 } 2268 } 2269 2270 for (i = 0; i < insn_cnt; ++i) 2271 insn_aux[i].live_regs_before = state[i].in; 2272 2273 if (env->log.level & BPF_LOG_LEVEL2) { 2274 verbose(env, "Live regs before insn:\n"); 2275 for (i = 0; i < insn_cnt; ++i) { 2276 if (env->insn_aux_data[i].scc) 2277 verbose(env, "%3d ", env->insn_aux_data[i].scc); 2278 else 2279 verbose(env, " "); 2280 verbose(env, "%3d: ", i); 2281 for (j = BPF_REG_0; j < BPF_REG_10; ++j) 2282 if (insn_aux[i].live_regs_before & BIT(j)) 2283 verbose(env, "%d", j); 2284 else 2285 verbose(env, "."); 2286 verbose(env, " "); 2287 bpf_verbose_insn(env, &insns[i]); 2288 if (bpf_is_ldimm64(&insns[i])) 2289 i++; 2290 } 2291 } 2292 2293 out: 2294 kvfree(state); 2295 return err; 2296 } 2297