函数逻辑报告

Linux Kernel

v5.5.9

Brick Technologies Co., Ltd

Source Code:kernel\bpf\verifier.c Create Date:2022-07-27 14:20:24
Last Modify:2022-05-19 20:02:10 Copyright©Brick
首页 函数Tree
注解内核,赢得工具下载SCCTEnglish

函数名称:xup insn->imm field of bpf_call instructions* and inline eligible helpers as explicit sequence of BPF instructions* this function is called after eBPF program passed verification

函数原型:static int fixup_bpf_calls(struct bpf_verifier_env *env)

返回类型:int

参数:

类型参数名称
struct bpf_verifier_env *env
9139  prog等于BPF program being verified
9140  expect_blinding等于bpf_jit_blinding_enabled(prog)
9141  insn等于insnsi
9143  insn_cnt等于 Number of filter blocks
9149  delta等于0
9151 i小于insn_cnt循环
9152  如果 opcode 恒等于alu mode in double word width 按位或BPF_MOD按位或BPF_X的值或 opcode 恒等于alu mode in double word width 按位或BPF_DIV按位或BPF_X的值或 opcode 恒等于BPF_ALU按位或BPF_MOD按位或BPF_X的值或 opcode 恒等于BPF_ALU按位或BPF_DIV按位或BPF_X的值则
9156  is64等于Instruction classes ( opcode )恒等于alu mode in double word width
9157  struct bpf_insn mask_and_div[] = {BPF_MOV32_REG( source register , source register ), Conditional jumps against immediates, if (dst_reg 'op' imm32) goto pc + off16 (jump != , source register , 0, 2), BPF_ALU32_REG(BPF_XOR, dest register , dest register ), Conditional jumps against immediates, if (dst_reg 'op' imm32) goto pc + off16 (BPF_JA, 0, 0, 1), * insn, }
9165  struct bpf_insn mask_and_mod[] = {BPF_MOV32_REG( source register , source register ), Conditional jumps against immediates, if (dst_reg 'op' imm32) goto pc + off16 (BPF_JEQ, source register , 0, 1), * insn, }
9173  如果 opcode 恒等于alu mode in double word width 按位或BPF_DIV按位或BPF_X的值或 opcode 恒等于BPF_ALU按位或BPF_DIV按位或BPF_X的值则
9177  否则
9182  new_prog等于bpf_patch_insn_data(env, i + delta, patchlet, cnt)
9183  如果非new_prog则返回:负ENOMEM
9186  delta加等于cnt减1
9187  BPF program being verified 等于prog等于new_prog
9188  insn等于insnsiidelta
9189  继续下一循环
9192  如果Instruction classes ( opcode )恒等于BPF_LDBPF BPF_DW 0x18 64-bit ( opcode )恒等于BPF_ABSBPF BPF_DW 0x18 64-bit ( opcode )恒等于BPF_IND的值则
9195  cnt等于gen_ld_abs(insn, insn_buf)
9196  如果cnt恒等于0或cnt大于等于ARRAY_SIZE - get the number of elements in array @arr*@arr: array to be sized(insn_buf)则
9197  verbose(env, "bpf verifier is misconfigured\n")
9198  返回:负EINVAL
9201  new_prog等于bpf_patch_insn_data(env, i + delta, insn_buf, cnt)
9202  如果非new_prog则返回:负ENOMEM
9205  delta加等于cnt减1
9206  BPF program being verified 等于prog等于new_prog
9207  insn等于insnsiidelta
9208  继续下一循环
9211  如果 opcode 恒等于alu mode in double word width 按位或BPF_ADD按位或BPF_X的值或 opcode 恒等于alu mode in double word width 按位或BPF_SUB按位或BPF_X的值则
9213  code_add等于alu mode in double word width 按位或BPF_ADD按位或BPF_X
9214  code_sub等于alu mode in double word width 按位或BPF_SUB按位或BPF_X
9216  patch等于insn_buf[0]
9220  aux等于array of per-insn state [i + delta]
9221  如果非 used in combination with alu_limit used in combination with alu_limit 恒等于BPF_ALU_NON_POINTER则继续下一循环
9225  isneg等于 used in combination with alu_limit 按位与BPF_ALU_NEG_VALUE
9226  issrc等于 used in combination with alu_limit 按位与BPF_ALU_SANITIZE的值恒等于Possible states for alu_state member.
9229  off_reg等于如果issrc source register 否则 dest register
9230  如果isnegpatch自加等于ALU ops on immediates, bpf_add|sub|...: dst_reg += imm32 (BPF_MUL, off_reg, - 1)
9232  patch自加等于BPF_MOV32_IMM(Kernel hidden auxiliary/helper register. , limit for add/sub register with pointer - 1)
9233  patch自加等于ALU ops on registers, bpf_add|sub|...: dst_reg += src_reg (BPF_SUB, Kernel hidden auxiliary/helper register. , off_reg)
9234  patch自加等于ALU ops on registers, bpf_add|sub|...: dst_reg += src_reg (BPF_OR, Kernel hidden auxiliary/helper register. , off_reg)
9235  patch自加等于ALU ops on immediates, bpf_add|sub|...: dst_reg += imm32 (BPF_NEG, Kernel hidden auxiliary/helper register. , 0)
9236  patch自加等于ALU ops on immediates, bpf_add|sub|...: dst_reg += imm32 (sign extending arithmetic shift right , Kernel hidden auxiliary/helper register. , 63)
9237  如果issrc
9241  否则
9245  如果isneg opcode 等于如果 opcode 恒等于code_addcode_sub否则code_add
9248  patch自加等于insn
9249  如果issrcisnegpatch自加等于ALU ops on immediates, bpf_add|sub|...: dst_reg += imm32 (BPF_MUL, off_reg, - 1)
9251  cnt等于patchinsn_buf
9253  new_prog等于bpf_patch_insn_data(env, i + delta, insn_buf, cnt)
9254  如果非new_prog则返回:负ENOMEM
9257  delta加等于cnt减1
9258  BPF program being verified 等于prog等于new_prog
9259  insn等于insnsiidelta
9260  继续下一循环
9263  如果 opcode 不等于BPF_JMP按位或unction call 的值则继续下一循环
9265  如果 source register 恒等于when bpf_call->src_reg == BPF_PSEUDO_CALL, bpf_call->imm == pc-relative* offset to another bpf function则继续下一循环
9268  如果 signed immediate constant 恒等于BPF_FUNC_get_route_realm Do we need dst entry? 等于1
9270  如果 signed immediate constant 恒等于BPF_FUNC_get_prandom_u32bpf_user_rnd_init_once()
9272  如果 signed immediate constant 恒等于BPF_FUNC_override_return Do we override a kprobe? 等于1
9274  如果 signed immediate constant 恒等于BPF_FUNC_tail_call
9280  Is control block accessed? 等于1
9281  stack_depth等于BPF program can access up to 512 bytes of stack space.
9282  max_pkt_offset等于MAX_PACKET_OFF
9289  signed immediate constant 等于0
9290  opcode 等于BPF_JMP按位或unused opcode to mark special call to bpf_tail_call() helper
9292  aux等于array of per-insn state [i + delta]
9293  如果allow_ptr_leaks且非expect_blinding archs need to JIT the prog 且非bpf_map_key_poisoned(aux)且非bpf_map_ptr_poisoned(aux)且非bpf_map_ptr_unpriv(aux)则
9298  struct bpf_jit_poke_descriptor desc = {reason = BPF_POKE_REASON_TAIL_CALL, map = BPF_MAP_PTR( pointer/poison value for maps ), key = bpf_map_key_immediate(aux), }
9304  ret等于bpf_jit_add_poke_descriptor(prog, & desc)
9305  如果ret小于0则
9306  verbose(env, "adding tail call poke descriptor failed\n")
9307  返回:ret
9310  signed immediate constant 等于ret加1
9311  继续下一循环
9314  如果非bpf_map_ptr_unpriv(aux)则继续下一循环
9323  如果bpf_map_ptr_poisoned(aux)则
9324  verbose(env, "tail_call abusing map_ptr\n")
9325  返回:负EINVAL
9328  map_ptr等于BPF_MAP_PTR( pointer/poison value for maps )
9329  insn_buf[0]等于Conditional jumps against immediates, if (dst_reg 'op' imm32) goto pc + off16 (BPF_JGE, BPF_REG_3, max_entries, 2)
9331  insn_buf[1]等于BPF_ALU32_IMM(BPF_AND, BPF_REG_3, index_mask)
9335  insn_buf[2]等于insn
9336  cnt等于3
9337  new_prog等于bpf_patch_insn_data(env, i + delta, insn_buf, cnt)
9338  如果非new_prog则返回:负ENOMEM
9341  delta加等于cnt减1
9342  BPF program being verified 等于prog等于new_prog
9343  insn等于insnsiidelta
9344  继续下一循环
9351  如果 archs need to JIT the prog BITS_PER_LONG恒等于64且 signed immediate constant 恒等于BPF_FUNC_map_lookup_elem signed immediate constant 恒等于BPF_FUNC_map_update_elem signed immediate constant 恒等于BPF_FUNC_map_delete_elem signed immediate constant 恒等于BPF_FUNC_map_push_elem signed immediate constant 恒等于BPF_FUNC_map_pop_elem signed immediate constant 恒等于BPF_FUNC_map_peek_elem的值则
9358  aux等于array of per-insn state [i + delta]
9359  如果bpf_map_ptr_poisoned(aux)则转到:patch_call_imm
9362  map_ptr等于BPF_MAP_PTR( pointer/poison value for maps )
9363  ops等于 The first two cachelines with read-mostly members of which some * are also accessed in fast-path (e.g. ops, max_entries).
9364  如果 signed immediate constant 恒等于BPF_FUNC_map_lookup_elemmap_gen_lookup
9366  cnt等于map_gen_lookup(map_ptr, insn_buf)
9367  如果cnt恒等于0或cnt大于等于ARRAY_SIZE - get the number of elements in array @arr*@arr: array to be sized(insn_buf)则
9368  verbose(env, "bpf verifier is misconfigured\n")
9369  返回:负EINVAL
9372  new_prog等于bpf_patch_insn_data(env, i + delta, insn_buf, cnt)
9374  如果非new_prog则返回:负ENOMEM
9377  delta加等于cnt减1
9378  BPF program being verified 等于prog等于new_prog
9379  insn等于insnsiidelta
9380  继续下一循环
9383  BUILD_BUG_ON - break compile if a condition is true(!Are two types/vars the same type (ignoring qualifiers)? (map_lookup_elem, (void * ( * )(structbpf_map * map, void * key))NULL))
9385  BUILD_BUG_ON - break compile if a condition is true(!Are two types/vars the same type (ignoring qualifiers)? (map_delete_elem, (int( * )(structbpf_map * map, void * key))NULL))
9387  BUILD_BUG_ON - break compile if a condition is true(!Are two types/vars the same type (ignoring qualifiers)? (map_update_elem, (int( * )(structbpf_map * map, void * key, void * value, u64prefix, newline flags ))NULL))
9390  BUILD_BUG_ON - break compile if a condition is true(!Are two types/vars the same type (ignoring qualifiers)? (map_push_elem, (int( * )(structbpf_map * map, void * value, u64prefix, newline flags ))NULL))
9393  BUILD_BUG_ON - break compile if a condition is true(!Are two types/vars the same type (ignoring qualifiers)? (map_pop_elem, (int( * )(structbpf_map * map, void * value))NULL))
9395  BUILD_BUG_ON - break compile if a condition is true(!Are two types/vars the same type (ignoring qualifiers)? (map_peek_elem, (int( * )(structbpf_map * map, void * value))NULL))
9399  : signed immediate constant 恒等于BPF_FUNC_map_lookup_elem
9403  : signed immediate constant 恒等于BPF_FUNC_map_update_elem
9407  : signed immediate constant 恒等于BPF_FUNC_map_delete_elem
9411  : signed immediate constant 恒等于BPF_FUNC_map_push_elem
9415  : signed immediate constant 恒等于BPF_FUNC_map_pop_elem
9419  : signed immediate constant 恒等于BPF_FUNC_map_peek_elem
9425  转到:patch_call_imm
9428  patch_call_imm :
9429  fn等于get_func_proto( signed immediate constant , BPF program being verified )
9433  如果非func
9434  verbose(env, "kernel subsystem misconfigured func %s#%d\n", func_id_name( signed immediate constant ), signed immediate constant )
9437  返回:负EFAULT
9439  signed immediate constant 等于funcBase function for offset calculation. Needs to go into .text section,* therefore keeping it non-static as well; will also be used by JITs* anyway later on, so do not let the compiler omit it. This also needs* to go into kallsyms for correlation from e
9443 i小于size_poke_tab循环
9444  map_ptr等于map
9445  如果非map_poke_track或非map_poke_untrack或非map_poke_run
9448  verbose(env, "bpf verifier is misconfigured\n")
9449  返回:负EINVAL
9452  ret等于map_poke_track(map_ptr, Auxiliary fields )
9453  如果ret小于0则
9454  verbose(env, "tracking tail call prog failed\n")
9455  返回:ret
9459  返回:0
调用者
名称描述
bpf_check