1 files changed, 227 insertions, 59 deletions
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index c97bce6a0e0e..c14003840bc5 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -186,6 +186,14 @@ struct verifier_stack_elem {
        struct verifier_stack_elem *next;
 };
+struct bpf_insn_aux_data {
+        union {
+                enum bpf_reg_type ptr_type;     /* pointer type for load/store insns */
+                struct bpf_map *map_ptr;        /* pointer for call insn into lookup_elem */
+        };
+        bool seen; /* this insn was processed by the verifier */
+};
 #define MAX_USED_MAPS 64 /* max number of maps accessed by one eBPF program */
 /* single container for all structs
@@ -200,6 +208,7 @@ struct verifier_env {
        struct bpf_map *used_maps[MAX_USED_MAPS]; /* array of map's used by eBPF program */
        u32 used_map_cnt;               /* number of used maps */
        bool allow_ptr_leaks;
+        struct bpf_insn_aux_data *insn_aux_data; /* array of per-insn state */
 };
 /* verbose verifier prints what it's seeing
@@ -674,6 +683,13 @@ static bool is_pointer_value(struct verifier_env *env, int regno)
        }
 }
+static bool is_ctx_reg(struct verifier_env *env, int regno)
+{
+        const struct reg_state *reg = &env->cur_state.regs[regno];
+        return reg->type == PTR_TO_CTX;
+}
 /* check whether memory at (regno + off) is accessible for t = (read | write)
 * if t==write, value_regno is a register which value is stored into memory
 * if t==read, value_regno is a register which will receive the value from memory
@@ -770,6 +786,12 @@ static int check_xadd(struct verifier_env *env, struct bpf_insn *insn)
                return -EACCES;
        }
+        if (is_ctx_reg(env, insn->dst_reg)) {
+                verbose("BPF_XADD stores into R%d context is not allowed\n",
+                        insn->dst_reg);
+                return -EACCES;
+        }
        /* check whether atomic_add can read the memory */
        err = check_mem_access(env, insn->dst_reg, insn->off,
                               BPF_SIZE(insn->code), BPF_READ, -1);
@@ -945,7 +967,7 @@ error:
        return -EINVAL;
 }
-static int check_call(struct verifier_env *env, int func_id)
+static int check_call(struct verifier_env *env, int func_id, int insn_idx)
 {
        struct verifier_state *state = &env->cur_state;
        const struct bpf_func_proto *fn = NULL;
@@ -981,6 +1003,13 @@ static int check_call(struct verifier_env *env, int func_id)
        err = check_func_arg(env, BPF_REG_2, fn->arg2_type, &map);
        if (err)
                return err;
+        if (func_id == BPF_FUNC_tail_call) {
+                if (map == NULL) {
+                        verbose("verifier bug\n");
+                        return -EINVAL;
+                }
+                env->insn_aux_data[insn_idx].map_ptr = map;
+        }
        err = check_func_arg(env, BPF_REG_3, fn->arg3_type, &map);
        if (err)
                return err;
@@ -1044,7 +1073,8 @@ static int check_alu_op(struct verifier_env *env, struct bpf_insn *insn)
                        }
                } else {
                        if (insn->src_reg != BPF_REG_0 || insn->off != 0 ||
-                            (insn->imm != 16 && insn->imm != 32 && insn->imm != 64)) {
+                            (insn->imm != 16 && insn->imm != 32 && insn->imm != 64) ||
+                            BPF_CLASS(insn->code) == BPF_ALU64) {
                                verbose("BPF_END uses reserved fields\n");
                                return -EINVAL;
                        }
@@ -1148,6 +1178,11 @@ static int check_alu_op(struct verifier_env *env, struct bpf_insn *insn)
                        return -EINVAL;
                }
+                if (opcode == BPF_ARSH && BPF_CLASS(insn->code) != BPF_ALU64) {
+                        verbose("BPF_ARSH not supported for 32 bit ALU\n");
+                        return -EINVAL;
+                }
                if ((opcode == BPF_LSH || opcode == BPF_RSH ||
                     opcode == BPF_ARSH) && BPF_SRC(insn->code) == BPF_K) {
                        int size = BPF_CLASS(insn->code) == BPF_ALU64 ? 64 : 32;
@@ -1777,13 +1812,14 @@ static int do_check(struct verifier_env *env)
                        print_bpf_insn(env, insn);
                }
+                env->insn_aux_data[insn_idx].seen = true;
                if (class == BPF_ALU || class == BPF_ALU64) {
                        err = check_alu_op(env, insn);
                        if (err)
                                return err;
                } else if (class == BPF_LDX) {
-                        enum bpf_reg_type src_reg_type;
+                        enum bpf_reg_type *prev_src_type, src_reg_type;
                        /* check for reserved fields is already done */
@@ -1812,16 +1848,18 @@ static int do_check(struct verifier_env *env)
                                continue;
                        }
-                        if (insn->imm == 0) {
+                        prev_src_type = &env->insn_aux_data[insn_idx].ptr_type;
+                        if (*prev_src_type == NOT_INIT) {
                                /* saw a valid insn
                                 * dst_reg = *(u32 *)(src_reg + off)
-                                 * use reserved 'imm' field to mark this insn
+                                 * save type to validate intersecting paths
                                 */
-                                insn->imm = src_reg_type;
+                                *prev_src_type = src_reg_type;
-                        } else if (src_reg_type != insn->imm &&
+                        } else if (src_reg_type != *prev_src_type &&
                                   (src_reg_type == PTR_TO_CTX ||
-                                    insn->imm == PTR_TO_CTX)) {
+                                    *prev_src_type == PTR_TO_CTX)) {
                                /* ABuser program is trying to use the same insn
                                 * dst_reg = *(u32*) (src_reg + off)
                                 * with different pointer types:
@@ -1834,7 +1872,7 @@ static int do_check(struct verifier_env *env)
                        }
                } else if (class == BPF_STX) {
-                        enum bpf_reg_type dst_reg_type;
+                        enum bpf_reg_type *prev_dst_type, dst_reg_type;
                        if (BPF_MODE(insn->code) == BPF_XADD) {
                                err = check_xadd(env, insn);
@@ -1862,11 +1900,13 @@ static int do_check(struct verifier_env *env)
                        if (err)
                                return err;
-                        if (insn->imm == 0) {
+                        prev_dst_type = &env->insn_aux_data[insn_idx].ptr_type;
-                                insn->imm = dst_reg_type;
-                        } else if (dst_reg_type != insn->imm &&
+                        if (*prev_dst_type == NOT_INIT) {
+                                *prev_dst_type = dst_reg_type;
+                        } else if (dst_reg_type != *prev_dst_type &&
                                   (dst_reg_type == PTR_TO_CTX ||
-                                    insn->imm == PTR_TO_CTX)) {
+                                    *prev_dst_type == PTR_TO_CTX)) {
                                verbose("same insn cannot be used with different pointers\n");
                                return -EINVAL;
                        }
@@ -1882,6 +1922,12 @@ static int do_check(struct verifier_env *env)
                        if (err)
                                return err;
+                        if (is_ctx_reg(env, insn->dst_reg)) {
+                                verbose("BPF_ST stores into R%d context is not allowed\n",
+                                        insn->dst_reg);
+                                return -EACCES;
+                        }
                        /* check that memory (dst_reg + off) is writeable */
                        err = check_mem_access(env, insn->dst_reg, insn->off,
                                               BPF_SIZE(insn->code), BPF_WRITE,
@@ -1901,7 +1947,7 @@ static int do_check(struct verifier_env *env)
                                        return -EINVAL;
                                }
-                                err = check_call(env, insn->imm);
+                                err = check_call(env, insn->imm, insn_idx);
                                if (err)
                                        return err;
@@ -1968,6 +2014,7 @@ process_bpf_exit:
                                        return err;
                                insn_idx++;
+                                env->insn_aux_data[insn_idx].seen = true;
                        } else {
                                verbose("invalid BPF_LD mode\n");
                                return -EINVAL;
@@ -2097,23 +2144,60 @@ static void convert_pseudo_ld_imm64(struct verifier_env *env)
                        insn->src_reg = 0;
 }
-static void adjust_branches(struct bpf_prog *prog, int pos, int delta)
+/* single env->prog->insni[off] instruction was replaced with the range
+ * insni[off, off + cnt).  Adjust corresponding insn_aux_data by copying
+ * [0, off) and [off, end) to new locations, so the patched range stays zero
+ */
+static int adjust_insn_aux_data(struct verifier_env *env, u32 prog_len,
+                                u32 off, u32 cnt)
 {
-        struct bpf_insn *insn = prog->insnsi;
+        struct bpf_insn_aux_data *new_data, *old_data = env->insn_aux_data;
-        int insn_cnt = prog->len;
        int i;
-        for (i = 0; i < insn_cnt; i++, insn++) {
+        if (cnt == 1)
-                if (BPF_CLASS(insn->code) != BPF_JMP ||
+                return 0;
-                    BPF_OP(insn->code) == BPF_CALL ||
+        new_data = vzalloc(sizeof(struct bpf_insn_aux_data) * prog_len);
-                    BPF_OP(insn->code) == BPF_EXIT)
+        if (!new_data)
-                        continue;
+                return -ENOMEM;
+        memcpy(new_data, old_data, sizeof(struct bpf_insn_aux_data) * off);
+        memcpy(new_data + off + cnt - 1, old_data + off,
+               sizeof(struct bpf_insn_aux_data) * (prog_len - off - cnt + 1));
+        for (i = off; i < off + cnt - 1; i++)
+                new_data[i].seen = true;
+        env->insn_aux_data = new_data;
+        vfree(old_data);
+        return 0;
+}
+static struct bpf_prog *bpf_patch_insn_data(struct verifier_env *env, u32 off,
+                                            const struct bpf_insn *patch, u32 len)
+{
+        struct bpf_prog *new_prog;
-                /* adjust offset of jmps if necessary */
+        new_prog = bpf_patch_insn_single(env->prog, off, patch, len);
-                if (i < pos && i + insn->off + 1 > pos)
+        if (!new_prog)
-                        insn->off += delta;
+                return NULL;
-                else if (i > pos + delta && i + insn->off + 1 <= pos + delta)
+        if (adjust_insn_aux_data(env, new_prog->len, off, len))
-                        insn->off -= delta;
+                return NULL;
+        return new_prog;
+}
+/* The verifier does more data flow analysis than llvm and will not explore
+ * branches that are dead at run time. Malicious programs can have dead code
+ * too. Therefore replace all dead at-run-time code with nops.
+ */
+static void sanitize_dead_code(struct verifier_env *env)
+{
+        struct bpf_insn_aux_data *aux_data = env->insn_aux_data;
+        struct bpf_insn nop = BPF_MOV64_REG(BPF_REG_0, BPF_REG_0);
+        struct bpf_insn *insn = env->prog->insnsi;
+        const int insn_cnt = env->prog->len;
+        int i;
+        for (i = 0; i < insn_cnt; i++) {
+                if (aux_data[i].seen)
+                        continue;
+                memcpy(insn + i, &nop, sizeof(nop));
        }
 }
@@ -2123,17 +2207,18 @@ static void adjust_branches(struct bpf_prog *prog, int pos, int delta)
 static int convert_ctx_accesses(struct verifier_env *env)
 {
        struct bpf_insn *insn = env->prog->insnsi;
-        int insn_cnt = env->prog->len;
+        const int insn_cnt = env->prog->len;
        struct bpf_insn insn_buf[16];
        struct bpf_prog *new_prog;
-        u32 cnt;
-        int i;
        enum bpf_access_type type;
+        int i, delta = 0;
        if (!env->prog->aux->ops->convert_ctx_access)
                return 0;
        for (i = 0; i < insn_cnt; i++, insn++) {
+                u32 cnt;
                if (insn->code == (BPF_LDX | BPF_MEM | BPF_W))
                        type = BPF_READ;
                else if (insn->code == (BPF_STX | BPF_MEM | BPF_W))
@@ -2141,11 +2226,8 @@ static int convert_ctx_accesses(struct verifier_env *env)
                else
                        continue;
-                if (insn->imm != PTR_TO_CTX) {
+                if (env->insn_aux_data[i + delta].ptr_type != PTR_TO_CTX)
-                        /* clear internal mark */
-                        insn->imm = 0;
                        continue;
-                }
                cnt = env->prog->aux->ops->
                        convert_ctx_access(type, insn->dst_reg, insn->src_reg,
@@ -2155,34 +2237,107 @@ static int convert_ctx_accesses(struct verifier_env *env)
                        return -EINVAL;
                }
-                if (cnt == 1) {
+                new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
-                        memcpy(insn, insn_buf, sizeof(*insn));
-                        continue;
-                }
-                /* several new insns need to be inserted. Make room for them */
-                insn_cnt += cnt - 1;
-                new_prog = bpf_prog_realloc(env->prog,
-                                            bpf_prog_size(insn_cnt),
-                                            GFP_USER);
                if (!new_prog)
                        return -ENOMEM;
-                new_prog->len = insn_cnt;
+                delta += cnt - 1;
-                memmove(new_prog->insnsi + i + cnt, new_prog->insns + i + 1,
+                /* keep walking new program and skip insns we just inserted */
-                        sizeof(*insn) * (insn_cnt - i - cnt));
+                env->prog = new_prog;
+                insn      = new_prog->insnsi + i + delta;
+        }
-                /* copy substitute insns in place of load instruction */
+        return 0;
-                memcpy(new_prog->insnsi + i, insn_buf, sizeof(*insn) * cnt);
+}
-                /* adjust branches in the whole program */
+/* fixup insn->imm field of bpf_call instructions
-                adjust_branches(new_prog, i, cnt - 1);
+ *
+ * this function is called after eBPF program passed verification
+ */
+static int fixup_bpf_calls(struct verifier_env *env)
+{
+        struct bpf_prog *prog = env->prog;
+        struct bpf_insn *insn = prog->insnsi;
+        const struct bpf_func_proto *fn;
+        const int insn_cnt = prog->len;
+        struct bpf_insn insn_buf[16];
+        struct bpf_prog *new_prog;
+        struct bpf_map *map_ptr;
+        int i, cnt, delta = 0;
-                /* keep walking new program and skip insns we just inserted */
+        for (i = 0; i < insn_cnt; i++, insn++) {
-                env->prog = new_prog;
+                if (insn->code == (BPF_ALU | BPF_MOD | BPF_X) ||
-                insn = new_prog->insnsi + i + cnt - 1;
+                    insn->code == (BPF_ALU | BPF_DIV | BPF_X)) {
-                i += cnt - 1;
+                        /* due to JIT bugs clear upper 32-bits of src register
+                         * before div/mod operation
+                         */
+                        insn_buf[0] = BPF_MOV32_REG(insn->src_reg, insn->src_reg);
+                        insn_buf[1] = *insn;
+                        cnt = 2;
+                        new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
+                        if (!new_prog)
+                                return -ENOMEM;
+                        delta    += cnt - 1;
+                        env->prog = prog = new_prog;
+                        insn      = new_prog->insnsi + i + delta;
+                        continue;
+                }
+                if (insn->code != (BPF_JMP | BPF_CALL))
+                        continue;
+                if (insn->imm == BPF_FUNC_get_route_realm)
+                        prog->dst_needed = 1;
+                if (insn->imm == BPF_FUNC_get_prandom_u32)
+                        bpf_user_rnd_init_once();
+                if (insn->imm == BPF_FUNC_tail_call) {
+                        /* mark bpf_tail_call as different opcode to avoid
+                         * conditional branch in the interpeter for every normal
+                         * call and to prevent accidental JITing by JIT compiler
+                         * that doesn't support bpf_tail_call yet
+                         */
+                        insn->imm = 0;
+                        insn->code |= BPF_X;
+                        /* instead of changing every JIT dealing with tail_call
+                         * emit two extra insns:
+                         * if (index >= max_entries) goto out;
+                         * index &= array->index_mask;
+                         * to avoid out-of-bounds cpu speculation
+                         */
+                        map_ptr = env->insn_aux_data[i + delta].map_ptr;
+                        if (!map_ptr->unpriv_array)
+                                continue;
+                        insn_buf[0] = BPF_JMP_IMM(BPF_JGE, BPF_REG_3,
+                                                  map_ptr->max_entries, 2);
+                        insn_buf[1] = BPF_ALU32_IMM(BPF_AND, BPF_REG_3,
+                                                    container_of(map_ptr,
+                                                                 struct bpf_array,
+                                                                 map)->index_mask);
+                        insn_buf[2] = *insn;
+                        cnt = 3;
+                        new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
+                        if (!new_prog)
+                                return -ENOMEM;
+                        delta    += cnt - 1;
+                        env->prog = prog = new_prog;
+                        insn      = new_prog->insnsi + i + delta;
+                        continue;
+                }
+                fn = prog->aux->ops->get_func_proto(insn->imm);
+                /* all functions that have prototype and verifier allowed
+                 * programs to call them, must be real in-kernel functions
+                 */
+                if (!fn->func) {
+                        verbose("kernel subsystem misconfigured func %d\n",
+                                insn->imm);
+                        return -EFAULT;
+                }
+                insn->imm = fn->func - __bpf_call_base;
        }
        return 0;
@@ -2226,6 +2381,11 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr *attr)
        if (!env)
                return -ENOMEM;
+        env->insn_aux_data = vzalloc(sizeof(struct bpf_insn_aux_data) *
+                                     (*prog)->len);
+        ret = -ENOMEM;
+        if (!env->insn_aux_data)
+                goto err_free_env;
        env->prog = *prog;
        /* grab the mutex to protect few globals used by verifier */
@@ -2244,12 +2404,12 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr *attr)
                /* log_* values have to be sane */
                if (log_size < 128 || log_size > UINT_MAX >> 8 ||
                    log_level == 0 || log_ubuf == NULL)
-                        goto free_env;
+                        goto err_unlock;
                ret = -ENOMEM;
                log_buf = vmalloc(log_size);
                if (!log_buf)
-                        goto free_env;
+                        goto err_unlock;
        } else {
                log_level = 0;
        }
@@ -2278,9 +2438,15 @@ skip_full_check:
        free_states(env);
        if (ret == 0)
+                sanitize_dead_code(env);
+        if (ret == 0)
                /* program is valid, convert *(u32*)(ctx + off) accesses */
                ret = convert_ctx_accesses(env);
+        if (ret == 0)
+                ret = fixup_bpf_calls(env);
        if (log_level && log_len >= log_size - 1) {
                BUG_ON(log_len >= log_size);
                /* verifier log exceeded user supplied buffer */
@@ -2318,14 +2484,16 @@ skip_full_check:
 free_log_buf:
        if (log_level)
                vfree(log_buf);
-free_env:
        if (!env->prog->aux->used_maps)
                /* if we didn't copy map pointers into bpf_prog_info, release
                 * them now. Otherwise free_bpf_prog_info() will release them.
                 */
                release_maps(env);
        *prog = env->prog;
-        kfree(env);
+err_unlock:
        mutex_unlock(&bpf_verifier_lock);
+        vfree(env->insn_aux_data);
+err_free_env:
+        kfree(env);
        return ret;
 }

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index c97bce6a0e0e..c14003840bc5 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c
@@ -186,6 +186,14 @@ struct verifier_stack_elem {
186	struct verifier_stack_elem *next;	186	struct verifier_stack_elem *next;
187	};	187	};
188		188
		189	struct bpf_insn_aux_data {
		190	union {
		191	enum bpf_reg_type ptr_type; /* pointer type for load/store insns */
		192	struct bpf_map map_ptr; / pointer for call insn into lookup_elem */
		193	};
		194	bool seen; /* this insn was processed by the verifier */
		195	};
		196
189	#define MAX_USED_MAPS 64 /* max number of maps accessed by one eBPF program */	197	#define MAX_USED_MAPS 64 /* max number of maps accessed by one eBPF program */
190		198
191	/* single container for all structs	199	/* single container for all structs
@@ -200,6 +208,7 @@ struct verifier_env {
200	struct bpf_map used_maps[MAX_USED_MAPS]; / array of map's used by eBPF program */	208	struct bpf_map used_maps[MAX_USED_MAPS]; / array of map's used by eBPF program */
201	u32 used_map_cnt; /* number of used maps */	209	u32 used_map_cnt; /* number of used maps */
202	bool allow_ptr_leaks;	210	bool allow_ptr_leaks;
		211	struct bpf_insn_aux_data insn_aux_data; / array of per-insn state */
203	};	212	};
204		213
205	/* verbose verifier prints what it's seeing	214	/* verbose verifier prints what it's seeing
@@ -674,6 +683,13 @@ static bool is_pointer_value(struct verifier_env *env, int regno)
674	}	683	}
675	}	684	}
676		685
		686	static bool is_ctx_reg(struct verifier_env *env, int regno)
		687	{
		688	const struct reg_state *reg = &env->cur_state.regs[regno];
		689
		690	return reg->type == PTR_TO_CTX;
		691	}
		692
677	/* check whether memory at (regno + off) is accessible for t = (read \| write)	693	/* check whether memory at (regno + off) is accessible for t = (read \| write)
678	* if t==write, value_regno is a register which value is stored into memory	694	* if t==write, value_regno is a register which value is stored into memory
679	* if t==read, value_regno is a register which will receive the value from memory	695	* if t==read, value_regno is a register which will receive the value from memory
@@ -770,6 +786,12 @@ static int check_xadd(struct verifier_env env, struct bpf_insn insn)
770	return -EACCES;	786	return -EACCES;
771	}	787	}
772		788
		789	if (is_ctx_reg(env, insn->dst_reg)) {
		790	verbose("BPF_XADD stores into R%d context is not allowed\n",
		791	insn->dst_reg);
		792	return -EACCES;
		793	}
		794
773	/* check whether atomic_add can read the memory */	795	/* check whether atomic_add can read the memory */
774	err = check_mem_access(env, insn->dst_reg, insn->off,	796	err = check_mem_access(env, insn->dst_reg, insn->off,
775	BPF_SIZE(insn->code), BPF_READ, -1);	797	BPF_SIZE(insn->code), BPF_READ, -1);
@@ -945,7 +967,7 @@ error:
945	return -EINVAL;	967	return -EINVAL;
946	}	968	}
947		969
948	static int check_call(struct verifier_env *env, int func_id)	970	static int check_call(struct verifier_env *env, int func_id, int insn_idx)
949	{	971	{
950	struct verifier_state *state = &env->cur_state;	972	struct verifier_state *state = &env->cur_state;
951	const struct bpf_func_proto *fn = NULL;	973	const struct bpf_func_proto *fn = NULL;
@@ -981,6 +1003,13 @@ static int check_call(struct verifier_env *env, int func_id)
981	err = check_func_arg(env, BPF_REG_2, fn->arg2_type, &map);	1003	err = check_func_arg(env, BPF_REG_2, fn->arg2_type, &map);
982	if (err)	1004	if (err)
983	return err;	1005	return err;
		1006	if (func_id == BPF_FUNC_tail_call) {
		1007	if (map == NULL) {
		1008	verbose("verifier bug\n");
		1009	return -EINVAL;
		1010	}
		1011	env->insn_aux_data[insn_idx].map_ptr = map;
		1012	}
984	err = check_func_arg(env, BPF_REG_3, fn->arg3_type, &map);	1013	err = check_func_arg(env, BPF_REG_3, fn->arg3_type, &map);
985	if (err)	1014	if (err)
986	return err;	1015	return err;
@@ -1044,7 +1073,8 @@ static int check_alu_op(struct verifier_env env, struct bpf_insn insn)
1044	}	1073	}
1045	} else {	1074	} else {
1046	if (insn->src_reg != BPF_REG_0 \|\| insn->off != 0 \|\|	1075	if (insn->src_reg != BPF_REG_0 \|\| insn->off != 0 \|\|
1047	(insn->imm != 16 && insn->imm != 32 && insn->imm != 64)) {	1076	(insn->imm != 16 && insn->imm != 32 && insn->imm != 64) \|\|
		1077	BPF_CLASS(insn->code) == BPF_ALU64) {
1048	verbose("BPF_END uses reserved fields\n");	1078	verbose("BPF_END uses reserved fields\n");
1049	return -EINVAL;	1079	return -EINVAL;
1050	}	1080	}
@@ -1148,6 +1178,11 @@ static int check_alu_op(struct verifier_env env, struct bpf_insn insn)
1148	return -EINVAL;	1178	return -EINVAL;
1149	}	1179	}
1150		1180
		1181	if (opcode == BPF_ARSH && BPF_CLASS(insn->code) != BPF_ALU64) {
		1182	verbose("BPF_ARSH not supported for 32 bit ALU\n");
		1183	return -EINVAL;
		1184	}
		1185
1151	if ((opcode == BPF_LSH \|\| opcode == BPF_RSH \|\|	1186	if ((opcode == BPF_LSH \|\| opcode == BPF_RSH \|\|
1152	opcode == BPF_ARSH) && BPF_SRC(insn->code) == BPF_K) {	1187	opcode == BPF_ARSH) && BPF_SRC(insn->code) == BPF_K) {
1153	int size = BPF_CLASS(insn->code) == BPF_ALU64 ? 64 : 32;	1188	int size = BPF_CLASS(insn->code) == BPF_ALU64 ? 64 : 32;
@@ -1777,13 +1812,14 @@ static int do_check(struct verifier_env *env)
1777	print_bpf_insn(env, insn);	1812	print_bpf_insn(env, insn);
1778	}	1813	}
1779		1814
		1815	env->insn_aux_data[insn_idx].seen = true;
1780	if (class == BPF_ALU \|\| class == BPF_ALU64) {	1816	if (class == BPF_ALU \|\| class == BPF_ALU64) {
1781	err = check_alu_op(env, insn);	1817	err = check_alu_op(env, insn);
1782	if (err)	1818	if (err)
1783	return err;	1819	return err;
1784		1820
1785	} else if (class == BPF_LDX) {	1821	} else if (class == BPF_LDX) {
1786	enum bpf_reg_type src_reg_type;	1822	enum bpf_reg_type *prev_src_type, src_reg_type;
1787		1823
1788	/* check for reserved fields is already done */	1824	/* check for reserved fields is already done */
1789		1825
@@ -1812,16 +1848,18 @@ static int do_check(struct verifier_env *env)
1812	continue;	1848	continue;
1813	}	1849	}
1814		1850
1815	if (insn->imm == 0) {	1851	prev_src_type = &env->insn_aux_data[insn_idx].ptr_type;
		1852
		1853	if (*prev_src_type == NOT_INIT) {
1816	/* saw a valid insn	1854	/* saw a valid insn
1817	* dst_reg = (u32 )(src_reg + off)	1855	* dst_reg = (u32 )(src_reg + off)
1818	* use reserved 'imm' field to mark this insn	1856	* save type to validate intersecting paths
1819	*/	1857	*/
1820	insn->imm = src_reg_type;	1858	*prev_src_type = src_reg_type;
1821		1859
1822	} else if (src_reg_type != insn->imm &&	1860	} else if (src_reg_type != *prev_src_type &&
1823	(src_reg_type == PTR_TO_CTX \|\|	1861	(src_reg_type == PTR_TO_CTX \|\|
1824	insn->imm == PTR_TO_CTX)) {	1862	*prev_src_type == PTR_TO_CTX)) {
1825	/* ABuser program is trying to use the same insn	1863	/* ABuser program is trying to use the same insn
1826	* dst_reg = (u32) (src_reg + off)	1864	* dst_reg = (u32) (src_reg + off)
1827	* with different pointer types:	1865	* with different pointer types:
@@ -1834,7 +1872,7 @@ static int do_check(struct verifier_env *env)
1834	}	1872	}
1835		1873
1836	} else if (class == BPF_STX) {	1874	} else if (class == BPF_STX) {
1837	enum bpf_reg_type dst_reg_type;	1875	enum bpf_reg_type *prev_dst_type, dst_reg_type;
1838		1876
1839	if (BPF_MODE(insn->code) == BPF_XADD) {	1877	if (BPF_MODE(insn->code) == BPF_XADD) {
1840	err = check_xadd(env, insn);	1878	err = check_xadd(env, insn);
@@ -1862,11 +1900,13 @@ static int do_check(struct verifier_env *env)
1862	if (err)	1900	if (err)
1863	return err;	1901	return err;
1864		1902
1865	if (insn->imm == 0) {	1903	prev_dst_type = &env->insn_aux_data[insn_idx].ptr_type;
1866	insn->imm = dst_reg_type;	1904
1867	} else if (dst_reg_type != insn->imm &&	1905	if (*prev_dst_type == NOT_INIT) {
		1906	*prev_dst_type = dst_reg_type;
		1907	} else if (dst_reg_type != *prev_dst_type &&
1868	(dst_reg_type == PTR_TO_CTX \|\|	1908	(dst_reg_type == PTR_TO_CTX \|\|
1869	insn->imm == PTR_TO_CTX)) {	1909	*prev_dst_type == PTR_TO_CTX)) {
1870	verbose("same insn cannot be used with different pointers\n");	1910	verbose("same insn cannot be used with different pointers\n");
1871	return -EINVAL;	1911	return -EINVAL;
1872	}	1912	}
@@ -1882,6 +1922,12 @@ static int do_check(struct verifier_env *env)
1882	if (err)	1922	if (err)
1883	return err;	1923	return err;
1884		1924
		1925	if (is_ctx_reg(env, insn->dst_reg)) {
		1926	verbose("BPF_ST stores into R%d context is not allowed\n",
		1927	insn->dst_reg);
		1928	return -EACCES;
		1929	}
		1930
1885	/* check that memory (dst_reg + off) is writeable */	1931	/* check that memory (dst_reg + off) is writeable */
1886	err = check_mem_access(env, insn->dst_reg, insn->off,	1932	err = check_mem_access(env, insn->dst_reg, insn->off,
1887	BPF_SIZE(insn->code), BPF_WRITE,	1933	BPF_SIZE(insn->code), BPF_WRITE,
@@ -1901,7 +1947,7 @@ static int do_check(struct verifier_env *env)
1901	return -EINVAL;	1947	return -EINVAL;
1902	}	1948	}
1903		1949
1904	err = check_call(env, insn->imm);	1950	err = check_call(env, insn->imm, insn_idx);
1905	if (err)	1951	if (err)
1906	return err;	1952	return err;
1907		1953
@@ -1968,6 +2014,7 @@ process_bpf_exit:
1968	return err;	2014	return err;
1969		2015
1970	insn_idx++;	2016	insn_idx++;
		2017	env->insn_aux_data[insn_idx].seen = true;
1971	} else {	2018	} else {
1972	verbose("invalid BPF_LD mode\n");	2019	verbose("invalid BPF_LD mode\n");
1973	return -EINVAL;	2020	return -EINVAL;
@@ -2097,23 +2144,60 @@ static void convert_pseudo_ld_imm64(struct verifier_env *env)
2097	insn->src_reg = 0;	2144	insn->src_reg = 0;
2098	}	2145	}
2099		2146
2100	static void adjust_branches(struct bpf_prog *prog, int pos, int delta)	2147	/* single env->prog->insni[off] instruction was replaced with the range
		2148	* insni[off, off + cnt). Adjust corresponding insn_aux_data by copying
		2149	* [0, off) and [off, end) to new locations, so the patched range stays zero
		2150	*/
		2151	static int adjust_insn_aux_data(struct verifier_env *env, u32 prog_len,
		2152	u32 off, u32 cnt)
2101	{	2153	{
2102	struct bpf_insn *insn = prog->insnsi;	2154	struct bpf_insn_aux_data new_data, old_data = env->insn_aux_data;
2103	int insn_cnt = prog->len;
2104	int i;	2155	int i;
2105		2156
2106	for (i = 0; i < insn_cnt; i++, insn++) {	2157	if (cnt == 1)
2107	if (BPF_CLASS(insn->code) != BPF_JMP \|\|	2158	return 0;
2108	BPF_OP(insn->code) == BPF_CALL \|\|	2159	new_data = vzalloc(sizeof(struct bpf_insn_aux_data) * prog_len);
2109	BPF_OP(insn->code) == BPF_EXIT)	2160	if (!new_data)
2110	continue;	2161	return -ENOMEM;
		2162	memcpy(new_data, old_data, sizeof(struct bpf_insn_aux_data) * off);
		2163	memcpy(new_data + off + cnt - 1, old_data + off,
		2164	sizeof(struct bpf_insn_aux_data) * (prog_len - off - cnt + 1));
		2165	for (i = off; i < off + cnt - 1; i++)
		2166	new_data[i].seen = true;
		2167	env->insn_aux_data = new_data;
		2168	vfree(old_data);
		2169	return 0;
		2170	}
		2171
		2172	static struct bpf_prog bpf_patch_insn_data(struct verifier_env env, u32 off,
		2173	const struct bpf_insn *patch, u32 len)
		2174	{
		2175	struct bpf_prog *new_prog;
2111		2176
2112	/* adjust offset of jmps if necessary */	2177	new_prog = bpf_patch_insn_single(env->prog, off, patch, len);
2113	if (i < pos && i + insn->off + 1 > pos)	2178	if (!new_prog)
2114	insn->off += delta;	2179	return NULL;
2115	else if (i > pos + delta && i + insn->off + 1 <= pos + delta)	2180	if (adjust_insn_aux_data(env, new_prog->len, off, len))
2116	insn->off -= delta;	2181	return NULL;
		2182	return new_prog;
		2183	}
		2184
		2185	/* The verifier does more data flow analysis than llvm and will not explore
		2186	* branches that are dead at run time. Malicious programs can have dead code
		2187	* too. Therefore replace all dead at-run-time code with nops.
		2188	*/
		2189	static void sanitize_dead_code(struct verifier_env *env)
		2190	{
		2191	struct bpf_insn_aux_data *aux_data = env->insn_aux_data;
		2192	struct bpf_insn nop = BPF_MOV64_REG(BPF_REG_0, BPF_REG_0);
		2193	struct bpf_insn *insn = env->prog->insnsi;
		2194	const int insn_cnt = env->prog->len;
		2195	int i;
		2196
		2197	for (i = 0; i < insn_cnt; i++) {
		2198	if (aux_data[i].seen)
		2199	continue;
		2200	memcpy(insn + i, &nop, sizeof(nop));
2117	}	2201	}
2118	}	2202	}
2119		2203
@@ -2123,17 +2207,18 @@ static void adjust_branches(struct bpf_prog *prog, int pos, int delta)
2123	static int convert_ctx_accesses(struct verifier_env *env)	2207	static int convert_ctx_accesses(struct verifier_env *env)
2124	{	2208	{
2125	struct bpf_insn *insn = env->prog->insnsi;	2209	struct bpf_insn *insn = env->prog->insnsi;
2126	int insn_cnt = env->prog->len;	2210	const int insn_cnt = env->prog->len;
2127	struct bpf_insn insn_buf[16];	2211	struct bpf_insn insn_buf[16];
2128	struct bpf_prog *new_prog;	2212	struct bpf_prog *new_prog;
2129	u32 cnt;
2130	int i;
2131	enum bpf_access_type type;	2213	enum bpf_access_type type;
		2214	int i, delta = 0;
2132		2215
2133	if (!env->prog->aux->ops->convert_ctx_access)	2216	if (!env->prog->aux->ops->convert_ctx_access)
2134	return 0;	2217	return 0;
2135		2218
2136	for (i = 0; i < insn_cnt; i++, insn++) {	2219	for (i = 0; i < insn_cnt; i++, insn++) {
		2220	u32 cnt;
		2221
2137	if (insn->code == (BPF_LDX \| BPF_MEM \| BPF_W))	2222	if (insn->code == (BPF_LDX \| BPF_MEM \| BPF_W))
2138	type = BPF_READ;	2223	type = BPF_READ;
2139	else if (insn->code == (BPF_STX \| BPF_MEM \| BPF_W))	2224	else if (insn->code == (BPF_STX \| BPF_MEM \| BPF_W))
@@ -2141,11 +2226,8 @@ static int convert_ctx_accesses(struct verifier_env *env)
2141	else	2226	else
2142	continue;	2227	continue;
2143		2228
2144	if (insn->imm != PTR_TO_CTX) {	2229	if (env->insn_aux_data[i + delta].ptr_type != PTR_TO_CTX)
2145	/* clear internal mark */
2146	insn->imm = 0;
2147	continue;	2230	continue;
2148	}
2149		2231
2150	cnt = env->prog->aux->ops->	2232	cnt = env->prog->aux->ops->
2151	convert_ctx_access(type, insn->dst_reg, insn->src_reg,	2233	convert_ctx_access(type, insn->dst_reg, insn->src_reg,
@@ -2155,34 +2237,107 @@ static int convert_ctx_accesses(struct verifier_env *env)
2155	return -EINVAL;	2237	return -EINVAL;
2156	}	2238	}
2157		2239
2158	if (cnt == 1) {	2240	new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
2159	memcpy(insn, insn_buf, sizeof(*insn));
2160	continue;
2161	}
2162
2163	/* several new insns need to be inserted. Make room for them */
2164	insn_cnt += cnt - 1;
2165	new_prog = bpf_prog_realloc(env->prog,
2166	bpf_prog_size(insn_cnt),
2167	GFP_USER);
2168	if (!new_prog)	2241	if (!new_prog)
2169	return -ENOMEM;	2242	return -ENOMEM;
2170		2243
2171	new_prog->len = insn_cnt;	2244	delta += cnt - 1;
2172		2245
2173	memmove(new_prog->insnsi + i + cnt, new_prog->insns + i + 1,	2246	/* keep walking new program and skip insns we just inserted */
2174	sizeof(insn) (insn_cnt - i - cnt));	2247	env->prog = new_prog;
		2248	insn = new_prog->insnsi + i + delta;
		2249	}
2175		2250
2176	/* copy substitute insns in place of load instruction */	2251	return 0;
2177	memcpy(new_prog->insnsi + i, insn_buf, sizeof(insn) cnt);	2252	}
2178		2253
2179	/* adjust branches in the whole program */	2254	/* fixup insn->imm field of bpf_call instructions
2180	adjust_branches(new_prog, i, cnt - 1);	2255	*
		2256	* this function is called after eBPF program passed verification
		2257	*/
		2258	static int fixup_bpf_calls(struct verifier_env *env)
		2259	{
		2260	struct bpf_prog *prog = env->prog;
		2261	struct bpf_insn *insn = prog->insnsi;
		2262	const struct bpf_func_proto *fn;
		2263	const int insn_cnt = prog->len;
		2264	struct bpf_insn insn_buf[16];
		2265	struct bpf_prog *new_prog;
		2266	struct bpf_map *map_ptr;
		2267	int i, cnt, delta = 0;
2181		2268
2182	/* keep walking new program and skip insns we just inserted */	2269	for (i = 0; i < insn_cnt; i++, insn++) {
2183	env->prog = new_prog;	2270	if (insn->code == (BPF_ALU \| BPF_MOD \| BPF_X) \|\|
2184	insn = new_prog->insnsi + i + cnt - 1;	2271	insn->code == (BPF_ALU \| BPF_DIV \| BPF_X)) {
2185	i += cnt - 1;	2272	/* due to JIT bugs clear upper 32-bits of src register
		2273	* before div/mod operation
		2274	*/
		2275	insn_buf[0] = BPF_MOV32_REG(insn->src_reg, insn->src_reg);
		2276	insn_buf[1] = *insn;
		2277	cnt = 2;
		2278	new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
		2279	if (!new_prog)
		2280	return -ENOMEM;
		2281
		2282	delta += cnt - 1;
		2283	env->prog = prog = new_prog;
		2284	insn = new_prog->insnsi + i + delta;
		2285	continue;
		2286	}
		2287
		2288	if (insn->code != (BPF_JMP \| BPF_CALL))
		2289	continue;
		2290
		2291	if (insn->imm == BPF_FUNC_get_route_realm)
		2292	prog->dst_needed = 1;
		2293	if (insn->imm == BPF_FUNC_get_prandom_u32)
		2294	bpf_user_rnd_init_once();
		2295	if (insn->imm == BPF_FUNC_tail_call) {
		2296	/* mark bpf_tail_call as different opcode to avoid
		2297	* conditional branch in the interpeter for every normal
		2298	* call and to prevent accidental JITing by JIT compiler
		2299	* that doesn't support bpf_tail_call yet
		2300	*/
		2301	insn->imm = 0;
		2302	insn->code \|= BPF_X;
		2303
		2304	/* instead of changing every JIT dealing with tail_call
		2305	* emit two extra insns:
		2306	* if (index >= max_entries) goto out;
		2307	* index &= array->index_mask;
		2308	* to avoid out-of-bounds cpu speculation
		2309	*/
		2310	map_ptr = env->insn_aux_data[i + delta].map_ptr;
		2311	if (!map_ptr->unpriv_array)
		2312	continue;
		2313	insn_buf[0] = BPF_JMP_IMM(BPF_JGE, BPF_REG_3,
		2314	map_ptr->max_entries, 2);
		2315	insn_buf[1] = BPF_ALU32_IMM(BPF_AND, BPF_REG_3,
		2316	container_of(map_ptr,
		2317	struct bpf_array,
		2318	map)->index_mask);
		2319	insn_buf[2] = *insn;
		2320	cnt = 3;
		2321	new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
		2322	if (!new_prog)
		2323	return -ENOMEM;
		2324
		2325	delta += cnt - 1;
		2326	env->prog = prog = new_prog;
		2327	insn = new_prog->insnsi + i + delta;
		2328	continue;
		2329	}
		2330
		2331	fn = prog->aux->ops->get_func_proto(insn->imm);
		2332	/* all functions that have prototype and verifier allowed
		2333	* programs to call them, must be real in-kernel functions
		2334	*/
		2335	if (!fn->func) {
		2336	verbose("kernel subsystem misconfigured func %d\n",
		2337	insn->imm);
		2338	return -EFAULT;
		2339	}
		2340	insn->imm = fn->func - __bpf_call_base;
2186	}	2341	}
2187		2342
2188	return 0;	2343	return 0;
@@ -2226,6 +2381,11 @@ int bpf_check(struct bpf_prog *prog, union bpf_attr attr)
2226	if (!env)	2381	if (!env)
2227	return -ENOMEM;	2382	return -ENOMEM;
2228		2383
		2384	env->insn_aux_data = vzalloc(sizeof(struct bpf_insn_aux_data) *
		2385	(*prog)->len);
		2386	ret = -ENOMEM;
		2387	if (!env->insn_aux_data)
		2388	goto err_free_env;
2229	env->prog = *prog;	2389	env->prog = *prog;
2230		2390
2231	/* grab the mutex to protect few globals used by verifier */	2391	/* grab the mutex to protect few globals used by verifier */
@@ -2244,12 +2404,12 @@ int bpf_check(struct bpf_prog *prog, union bpf_attr attr)
2244	/* log_* values have to be sane */	2404	/* log_* values have to be sane */
2245	if (log_size < 128 \|\| log_size > UINT_MAX >> 8 \|\|	2405	if (log_size < 128 \|\| log_size > UINT_MAX >> 8 \|\|
2246	log_level == 0 \|\| log_ubuf == NULL)	2406	log_level == 0 \|\| log_ubuf == NULL)
2247	goto free_env;	2407	goto err_unlock;
2248		2408
2249	ret = -ENOMEM;	2409	ret = -ENOMEM;
2250	log_buf = vmalloc(log_size);	2410	log_buf = vmalloc(log_size);
2251	if (!log_buf)	2411	if (!log_buf)
2252	goto free_env;	2412	goto err_unlock;
2253	} else {	2413	} else {
2254	log_level = 0;	2414	log_level = 0;
2255	}	2415	}
@@ -2278,9 +2438,15 @@ skip_full_check:
2278	free_states(env);	2438	free_states(env);
2279		2439
2280	if (ret == 0)	2440	if (ret == 0)
		2441	sanitize_dead_code(env);
		2442
		2443	if (ret == 0)
2281	/* program is valid, convert (u32)(ctx + off) accesses */	2444	/* program is valid, convert (u32)(ctx + off) accesses */
2282	ret = convert_ctx_accesses(env);	2445	ret = convert_ctx_accesses(env);
2283		2446
		2447	if (ret == 0)
		2448	ret = fixup_bpf_calls(env);
		2449
2284	if (log_level && log_len >= log_size - 1) {	2450	if (log_level && log_len >= log_size - 1) {
2285	BUG_ON(log_len >= log_size);	2451	BUG_ON(log_len >= log_size);
2286	/* verifier log exceeded user supplied buffer */	2452	/* verifier log exceeded user supplied buffer */
@@ -2318,14 +2484,16 @@ skip_full_check:
2318	free_log_buf:	2484	free_log_buf:
2319	if (log_level)	2485	if (log_level)
2320	vfree(log_buf);	2486	vfree(log_buf);
2321	free_env:
2322	if (!env->prog->aux->used_maps)	2487	if (!env->prog->aux->used_maps)
2323	/* if we didn't copy map pointers into bpf_prog_info, release	2488	/* if we didn't copy map pointers into bpf_prog_info, release
2324	* them now. Otherwise free_bpf_prog_info() will release them.	2489	* them now. Otherwise free_bpf_prog_info() will release them.
2325	*/	2490	*/
2326	release_maps(env);	2491	release_maps(env);
2327	*prog = env->prog;	2492	*prog = env->prog;
2328	kfree(env);	2493	err_unlock:
2329	mutex_unlock(&bpf_verifier_lock);	2494	mutex_unlock(&bpf_verifier_lock);
		2495	vfree(env->insn_aux_data);
		2496	err_free_env:
		2497	kfree(env);
2330	return ret;	2498	return ret;
2331	}	2499	}