(poisoned ? BPF_MAP_KEY_POISON : 0ULL);
}
+static void update_ref_obj(struct ref_obj_desc *ref_obj, struct bpf_reg_state *reg)
+{
+ ref_obj->id = reg->id;
+ ref_obj->parent_id = reg->parent_id;
+ ref_obj->cnt++;
+}
+
+static int validate_ref_obj(struct bpf_verifier_env *env, struct ref_obj_desc *ref_obj)
+{
+ if (ref_obj->cnt > 1) {
+ verifier_bug(env, "function expects only one referenced object but got %d\n",
+ ref_obj->cnt);
+ return -EFAULT;
+ }
+
+ return 0;
+}
+
struct bpf_call_arg_meta {
struct bpf_map_desc map;
struct bpf_dynptr_desc dynptr;
+ struct ref_obj_desc ref_obj;
bool raw_mode;
bool pkt_access;
u8 release_regno;
int access_size;
int mem_size;
u64 msize_max_value;
- u32 id;
int func_id;
struct btf *btf;
u32 btf_id;
return insn->code == (BPF_JMP | BPF_JCOND) && insn->src_reg == BPF_MAY_GOTO;
}
-static bool helper_multiple_ref_obj_use(enum bpf_func_id func_id,
- const struct bpf_map *map)
-{
- int ref_obj_uses = 0;
-
- if (is_ptr_cast_function(func_id))
- ref_obj_uses++;
- if (is_acquire_function(func_id, map))
- ref_obj_uses++;
-
- return ref_obj_uses > 1;
-}
-
-
static bool is_spi_bounds_valid(struct bpf_func_state *state, int spi, int nr_slots)
{
int allocated_slots = state->allocated_stack / BPF_REG_SIZE;
struct bpf_func_state *state, int spi);
static int mark_stack_slots_dynptr(struct bpf_verifier_env *env, struct bpf_reg_state *reg,
- enum bpf_arg_type arg_type, int insn_idx, int parent_id,
- struct bpf_dynptr_desc *dynptr)
+ enum bpf_arg_type arg_type, int insn_idx,
+ struct ref_obj_desc *ref_obj, struct bpf_dynptr_desc *dynptr)
{
struct bpf_func_state *state = bpf_func(env, reg);
- int spi, i, err;
+ int spi, i, err, parent_id = 0;
enum bpf_dynptr_type type;
spi = dynptr_get_spi(env, reg);
return -EINVAL;
if (dynptr->type == BPF_DYNPTR_TYPE_INVALID) { /* dynptr constructors */
+ err = validate_ref_obj(env, ref_obj);
+ if (err)
+ return err;
+
+ /* Track parent's id if the parent is a referenced object */
+ parent_id = ref_obj->id;
+
if (dynptr_type_referenced(type)) {
int id;
*/
static int process_dynptr_func(struct bpf_verifier_env *env, struct bpf_reg_state *reg,
argno_t argno, int insn_idx, enum bpf_arg_type arg_type,
- int parent_id, struct bpf_dynptr_desc *dynptr)
+ struct ref_obj_desc *ref_obj, struct bpf_dynptr_desc *dynptr)
{
int spi, err = 0;
return err;
}
- err = mark_stack_slots_dynptr(env, reg, arg_type, insn_idx, parent_id, dynptr);
+ err = mark_stack_slots_dynptr(env, reg, arg_type, insn_idx, ref_obj, dynptr);
} else /* OBJ_RELEASE and None case from above */ {
/* For the reg->type == PTR_TO_STACK case, bpf_dynptr is never const */
if (reg->type == CONST_PTR_TO_DYNPTR && (arg_type & OBJ_RELEASE)) {
return err;
}
-static u32 iter_ref_id(struct bpf_verifier_env *env, struct bpf_reg_state *reg, int spi)
-{
- struct bpf_func_state *state = bpf_func(env, reg);
-
- return state->stack[spi].spilled_ptr.id;
-}
-
static bool is_iter_kfunc(struct bpf_kfunc_call_arg_meta *meta)
{
return meta->kfunc_flags & (KF_ITER_NEW | KF_ITER_NEXT | KF_ITER_DESTROY);
static int process_iter_arg(struct bpf_verifier_env *env, struct bpf_reg_state *reg, argno_t argno, int insn_idx,
struct bpf_kfunc_call_arg_meta *meta)
{
+ struct bpf_func_state *state = bpf_func(env, reg);
const struct btf_type *t;
u32 arg_idx = arg_idx_from_argno(argno);
int spi, err, i, nr_slots, btf_id;
/* remember meta->iter info for process_iter_next_call() */
meta->iter.spi = spi;
meta->iter.frameno = reg->frameno;
- meta->id = iter_ref_id(env, reg, spi);
+ update_ref_obj(&meta->ref_obj, &state->stack[spi].spilled_ptr);
if (is_iter_destroy_kfunc(meta)) {
err = unmark_stack_slots_iter(env, reg, nr_slots);
u32 regno = BPF_REG_1 + arg;
struct bpf_reg_state *reg = reg_state(env, regno);
enum bpf_arg_type arg_type = fn->arg_type[arg];
+ argno_t argno = argno_from_arg(arg + 1);
enum bpf_reg_type type = reg->type;
u32 *arg_btf_id = NULL;
u32 key_size;
meta->release_regno = regno;
}
- if (reg_is_referenced(env, reg) && base_type(arg_type) != ARG_KPTR_XCHG_DEST) {
- if (meta->id) {
- verbose(env, "more than one arg with referenced id R%d %u %u",
- regno, reg->id,
- meta->id);
- return -EACCES;
- }
- meta->id = reg->id;
- }
+ if (reg_is_referenced(env, reg))
+ update_ref_obj(&meta->ref_obj, reg);
switch (base_type(arg_type)) {
case ARG_CONST_MAP_PTR:
true, meta);
break;
case ARG_PTR_TO_DYNPTR:
- err = process_dynptr_func(env, reg, argno_from_reg(regno), insn_idx, arg_type, 0,
+ err = process_dynptr_func(env, reg, argno_from_reg(regno), insn_idx, arg_type, &meta->ref_obj,
&meta->dynptr);
if (err)
return err;
struct bpf_subprog_info *sub = subprog_info(env, subprog);
struct bpf_func_state *caller = cur_func(env);
struct bpf_verifier_log *log = &env->log;
+ struct ref_obj_desc ref_obj = {};
u32 i;
int ret, err;
if (ret)
return ret;
- ret = process_dynptr_func(env, reg, argno, -1, arg->arg_type, 0, NULL);
+ ret = process_dynptr_func(env, reg, argno, -1, arg->arg_type, &ref_obj, NULL);
if (ret)
return ret;
} else if (base_type(arg->arg_type) == ARG_PTR_TO_BTF_ID) {
err = -EINVAL;
if (arg_type_is_dynptr(fn->arg_type[meta.release_regno - BPF_REG_1])) {
err = unmark_stack_slots_dynptr(env, ®s[meta.release_regno]);
- } else if (func_id == BPF_FUNC_kptr_xchg && meta.id) {
- u32 id = meta.id;
+ } else if (func_id == BPF_FUNC_kptr_xchg && meta.ref_obj.id) {
+ u32 id = meta.ref_obj.id;
bool in_rcu = in_rcu_cs(env);
struct bpf_func_state *state;
struct bpf_reg_state *reg;
}
}));
}
- } else if (meta.id) {
- err = release_reference(env, meta.id);
+ } else if (meta.ref_obj.id) {
+ err = release_reference(env, meta.ref_obj.id);
} else if (bpf_register_is_null(®s[meta.release_regno])) {
- /* meta.id can only be 0 if register that is meant to be
+ /* meta.ref_obj.id can only be 0 if register that is meant to be
* released is NULL, which must be > R0.
*/
err = 0;
if (type_may_be_null(regs[BPF_REG_0].type))
regs[BPF_REG_0].id = ++env->id_gen;
- if (helper_multiple_ref_obj_use(func_id, meta.map.ptr)) {
- verifier_bug(env, "func %s#%d sets ref_obj_id more than once",
- func_id_name(func_id), func_id);
- return -EFAULT;
- }
-
if (is_ptr_cast_function(func_id) &&
- find_reference_state(env->cur_state, meta.id)) {
+ find_reference_state(env->cur_state, meta.ref_obj.id)) {
struct bpf_verifier_state *branch;
struct bpf_reg_state *r0;
+ err = validate_ref_obj(env, &meta.ref_obj);
+ if (err)
+ return err;
+
/*
* In order for a release of any of the original or cast pointers
* to invalidate all other pointers, reuse the same reference id for
r0->type = SCALAR_VALUE;
regs[BPF_REG_0].type &= ~PTR_MAYBE_NULL;
- regs[BPF_REG_0].id = meta.id;
+ regs[BPF_REG_0].id = meta.ref_obj.id;
} else if (is_acquire_function(func_id, meta.map.ptr)) {
int id = acquire_reference(env, insn_idx, 0);
}
if (reg_is_referenced(env, reg)) {
- if (is_kfunc_release(meta) && meta->id) {
- verifier_bug(env, "more than one arg with referenced id %s %u %u",
- reg_arg_name(env, argno), reg->id,
- meta->id);
+ if (is_kfunc_release(meta) && meta->ref_obj.cnt) {
+ verbose(env, "more than one arg with referenced id %s %u %u",
+ reg_arg_name(env, argno), reg->id,
+ meta->ref_obj.id);
return -EFAULT;
}
- meta->id = reg->id;
+ update_ref_obj(&meta->ref_obj, reg);
if (is_kfunc_release(meta)) {
if (regno < 0) {
verbose(env, "%s release arg cannot be a stack argument\n",
}
ret = process_dynptr_func(env, reg, argno, insn_idx, dynptr_arg_type,
- meta->id, &meta->dynptr);
+ &meta->ref_obj, &meta->dynptr);
if (ret < 0)
return ret;
break;
regs[BPF_REG_0].type |= MEM_RDONLY;
/* Ensures we don't access the memory after a release_reference() */
- if (meta.id)
- regs[BPF_REG_0].parent_id = meta.id;
+ if (meta.ref_obj.id) {
+ err = validate_ref_obj(env, &meta.ref_obj);
+ if (err)
+ return err;
+ regs[BPF_REG_0].parent_id = meta.ref_obj.id;
+ }
if (is_kfunc_rcu_protected(&meta))
regs[BPF_REG_0].type |= MEM_RCU;
projects / thirdparty / linux.git / commitdiff
