fixup_bpf

Type	Parameter	Name
struct bpf_verifier_env *	env

9152

If opcode == ( alu mode in double word width | BPF_MOD | BPF_X) || opcode == ( alu mode in double word width | BPF_DIV | BPF_X) || opcode == ( BPF_ALU | BPF_MOD | BPF_X) || opcode == ( BPF_ALU | BPF_DIV | BPF_X) Then

9156

is64 = Instruction classes ( opcode ) == alu mode in double word width

9157

struct bpf_insn mask_and_div[] = {BPF_MOV32_REG( source register , source register ), Conditional jumps against immediates, if (dst_reg 'op' imm32) goto pc + off16 (jump != , source register , 0, 2), BPF_ALU32_REG(BPF_XOR, dest register , dest register ), Conditional jumps against immediates, if (dst_reg 'op' imm32) goto pc + off16 (BPF_JA, 0, 0, 1), * insn, }

9165

struct bpf_insn mask_and_mod[] = {BPF_MOV32_REG( source register , source register ), Conditional jumps against immediates, if (dst_reg 'op' imm32) goto pc + off16 (BPF_JEQ, source register , 0, 1), * insn, }

9173

If opcode == ( alu mode in double word width | BPF_DIV | BPF_X) || opcode == ( BPF_ALU | BPF_DIV | BPF_X) Then

9175

patchlet = mask_and_div + If is64 Then 1 Else 0

9176

cnt = ARRAY_SIZE - get the number of elements in array @arr*@arr: array to be sized(mask_and_div) - If is64 Then 1 Else 0

9177

Else

9178

patchlet = mask_and_mod + If is64 Then 1 Else 0

9179

cnt = ARRAY_SIZE - get the number of elements in array @arr*@arr: array to be sized(mask_and_mod) - If is64 Then 1 Else 0

9182

new_prog = bpf_patch_insn_data(env, i + delta, patchlet, cnt)

9183

If Not new_prog Then Return -ENOMEM

9186

delta += cnt - 1

9187

BPF program being verified = prog = new_prog

9188

insn = insnsi + i + delta

9189

Continue

9192

If Instruction classes ( opcode ) == BPF_LD && ( BPF BPF_DW 0x18 64-bit ( opcode ) == BPF_ABS || BPF BPF_DW 0x18 64-bit ( opcode ) == BPF_IND ) Then

9195

cnt = gen_ld_abs(insn, insn_buf)

9196

If cnt == 0 || cnt >= ARRAY_SIZE - get the number of elements in array @arr*@arr: array to be sized(insn_buf) Then

9197

verbose(env, "bpf verifier is misconfigured\n")

9198

Return -EINVAL

9201

new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt)

9202

If Not new_prog Then Return -ENOMEM

9205

delta += cnt - 1

9206

BPF program being verified = prog = new_prog

9207

insn = insnsi + i + delta

9208

Continue

9211

If opcode == ( alu mode in double word width | BPF_ADD | BPF_X) || opcode == ( alu mode in double word width | BPF_SUB | BPF_X) Then

9213

code_add = alu mode in double word width | BPF_ADD | BPF_X

9214

code_sub = alu mode in double word width | BPF_SUB | BPF_X

9216

patch = insn_buf[0]

9220

aux = array of per-insn state [i + delta]

9221

If Not used in combination with alu_limit || used in combination with alu_limit == BPF_ALU_NON_POINTER Then Continue

9225

isneg = used in combination with alu_limit & BPF_ALU_NEG_VALUE

9226

issrc = ( used in combination with alu_limit & BPF_ALU_SANITIZE) == Possible states for alu_state member.

9229

off_reg = If issrc Then source register Else dest register

9230

If isneg Then patch++ = ALU ops on immediates, bpf_add|sub|...: dst_reg += imm32 (BPF_MUL, off_reg, - 1)

9232

patch++ = BPF_MOV32_IMM(Kernel hidden auxiliary/helper register. , limit for add/sub register with pointer - 1)

9233

patch++ = ALU ops on registers, bpf_add|sub|...: dst_reg += src_reg (BPF_SUB, Kernel hidden auxiliary/helper register. , off_reg)

9234

patch++ = ALU ops on registers, bpf_add|sub|...: dst_reg += src_reg (BPF_OR, Kernel hidden auxiliary/helper register. , off_reg)

9235

patch++ = ALU ops on immediates, bpf_add|sub|...: dst_reg += imm32 (BPF_NEG, Kernel hidden auxiliary/helper register. , 0)

9236

patch++ = ALU ops on immediates, bpf_add|sub|...: dst_reg += imm32 (sign extending arithmetic shift right , Kernel hidden auxiliary/helper register. , 63)

9237

If issrc Then

9238

patch++ = ALU ops on registers, bpf_add|sub|...: dst_reg += src_reg (BPF_AND, Kernel hidden auxiliary/helper register. , off_reg)

9240

source register = Kernel hidden auxiliary/helper register.

9241

Else

9242

patch++ = ALU ops on registers, bpf_add|sub|...: dst_reg += src_reg (BPF_AND, off_reg, Kernel hidden auxiliary/helper register. )

9245

If isneg Then opcode = If opcode == code_add Then code_sub Else code_add

9248

patch++ = insn

9249

If issrc && isneg Then patch++ = ALU ops on immediates, bpf_add|sub|...: dst_reg += imm32 (BPF_MUL, off_reg, - 1)

9251

cnt = patch - insn_buf

9253

new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt)

9254

If Not new_prog Then Return -ENOMEM

9257

delta += cnt - 1

9258

BPF program being verified = prog = new_prog

9259

insn = insnsi + i + delta

9260

Continue

9263

If opcode != (BPF_JMP | unction call ) Then Continue

9265

If source register == when bpf_call->src_reg == BPF_PSEUDO_CALL, bpf_call->imm == pc-relative* offset to another bpf function Then Continue

9268

If signed immediate constant == BPF_FUNC_get_route_realm Then Do we need dst entry? = 1

9270

If signed immediate constant == BPF_FUNC_get_prandom_u32 Then bpf_user_rnd_init_once()

9272

If signed immediate constant == BPF_FUNC_override_return Then Do we override a kprobe? = 1

9274

If signed immediate constant == BPF_FUNC_tail_call Then

9280

Is control block accessed? = 1

9281

stack_depth = BPF program can access up to 512 bytes of stack space.

9282

max_pkt_offset = MAX_PACKET_OFF

9289

signed immediate constant = 0

9290

opcode = BPF_JMP | unused opcode to mark special call to bpf_tail_call() helper

9292

aux = array of per-insn state [i + delta]

9293

If allow_ptr_leaks && Not expect_blinding && archs need to JIT the prog && Not bpf_map_key_poisoned(aux) && Not bpf_map_ptr_poisoned(aux) && Not bpf_map_ptr_unpriv(aux) Then

9298

struct bpf_jit_poke_descriptor desc = {reason = BPF_POKE_REASON_TAIL_CALL, map = BPF_MAP_PTR( pointer/poison value for maps ), key = bpf_map_key_immediate(aux), }

9304

ret = bpf_jit_add_poke_descriptor(prog, & desc)

9305

If ret < 0 Then

9306

verbose(env, "adding tail call poke descriptor failed\n")

9307

Return ret

9310

signed immediate constant = ret + 1

9311

Continue

9314

If Not bpf_map_ptr_unpriv(aux) Then Continue

9323

If bpf_map_ptr_poisoned(aux) Then

9324

verbose(env, "tail_call abusing map_ptr\n")

9325

Return -EINVAL

9328

map_ptr = BPF_MAP_PTR( pointer/poison value for maps )

9329

insn_buf[0] = Conditional jumps against immediates, if (dst_reg 'op' imm32) goto pc + off16 (BPF_JGE, BPF_REG_3, max_entries, 2)

9331

insn_buf[1] = BPF_ALU32_IMM(BPF_AND, BPF_REG_3, index_mask)

9335

insn_buf[2] = insn

9336

cnt = 3

9337

new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt)

9338

If Not new_prog Then Return -ENOMEM

9341

delta += cnt - 1

9342

BPF program being verified = prog = new_prog

9343

insn = insnsi + i + delta

9344

Continue

9351

If archs need to JIT the prog && BITS_PER_LONG == 64 && ( signed immediate constant == BPF_FUNC_map_lookup_elem || signed immediate constant == BPF_FUNC_map_update_elem || signed immediate constant == BPF_FUNC_map_delete_elem || signed immediate constant == BPF_FUNC_map_push_elem || signed immediate constant == BPF_FUNC_map_pop_elem || signed immediate constant == BPF_FUNC_map_peek_elem ) Then

9358

aux = array of per-insn state [i + delta]

9359

If bpf_map_ptr_poisoned(aux) Then Go to patch_call_imm

9362

map_ptr = BPF_MAP_PTR( pointer/poison value for maps )

9363

ops = The first two cachelines with read-mostly members of which some * are also accessed in fast-path (e.g. ops, max_entries).

9364

If signed immediate constant == BPF_FUNC_map_lookup_elem && map_gen_lookup Then

9366

cnt = map_gen_lookup(map_ptr, insn_buf)

9367

If cnt == 0 || cnt >= ARRAY_SIZE - get the number of elements in array @arr*@arr: array to be sized(insn_buf) Then

9368

verbose(env, "bpf verifier is misconfigured\n")

9369

Return -EINVAL

9372

new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt)

9374

If Not new_prog Then Return -ENOMEM

9377

delta += cnt - 1

9378

BPF program being verified = prog = new_prog

9379

insn = insnsi + i + delta

9380

Continue

9383

BUILD_BUG_ON - break compile if a condition is true(!Are two types/vars the same type (ignoring qualifiers)? (map_lookup_elem, (void * ( * )(structbpf_map * map, void * key))NULL))

9385

BUILD_BUG_ON - break compile if a condition is true(!Are two types/vars the same type (ignoring qualifiers)? (map_delete_elem, (int( * )(structbpf_map * map, void * key))NULL))

9387

BUILD_BUG_ON - break compile if a condition is true(!Are two types/vars the same type (ignoring qualifiers)? (map_update_elem, (int( * )(structbpf_map * map, void * key, void * value, u64 prefix, newline flags ))NULL))

9390

BUILD_BUG_ON - break compile if a condition is true(!Are two types/vars the same type (ignoring qualifiers)? (map_push_elem, (int( * )(structbpf_map * map, void * value, u64 prefix, newline flags ))NULL))

9393

BUILD_BUG_ON - break compile if a condition is true(!Are two types/vars the same type (ignoring qualifiers)? (map_pop_elem, (int( * )(structbpf_map * map, void * value))NULL))

9395

BUILD_BUG_ON - break compile if a condition is true(!Are two types/vars the same type (ignoring qualifiers)? (map_peek_elem, (int( * )(structbpf_map * map, void * value))NULL))

9399

Case signed immediate constant == BPF_FUNC_map_lookup_elem

9400

signed immediate constant = Function call (map_lookup_elem) - Base function for offset calculation. Needs to go into .text section,* therefore keeping it non-static as well; will also be used by JITs* anyway later on, so do not let the compiler omit it. This also needs* to go into kallsyms for correlation from e

9402

Continue

9403

Case signed immediate constant == BPF_FUNC_map_update_elem

9404

signed immediate constant = Function call (map_update_elem) - Base function for offset calculation. Needs to go into .text section,* therefore keeping it non-static as well; will also be used by JITs* anyway later on, so do not let the compiler omit it. This also needs* to go into kallsyms for correlation from e

9406

Continue

9407

Case signed immediate constant == BPF_FUNC_map_delete_elem

9408

signed immediate constant = Function call (map_delete_elem) - Base function for offset calculation. Needs to go into .text section,* therefore keeping it non-static as well; will also be used by JITs* anyway later on, so do not let the compiler omit it. This also needs* to go into kallsyms for correlation from e

9410

Continue

9411

Case signed immediate constant == BPF_FUNC_map_push_elem

9412

signed immediate constant = Function call (map_push_elem) - Base function for offset calculation. Needs to go into .text section,* therefore keeping it non-static as well; will also be used by JITs* anyway later on, so do not let the compiler omit it. This also needs* to go into kallsyms for correlation from e

9414

Continue

9415

Case signed immediate constant == BPF_FUNC_map_pop_elem

9416

signed immediate constant = Function call (map_pop_elem) - Base function for offset calculation. Needs to go into .text section,* therefore keeping it non-static as well; will also be used by JITs* anyway later on, so do not let the compiler omit it. This also needs* to go into kallsyms for correlation from e

9418

Continue

9419

Case signed immediate constant == BPF_FUNC_map_peek_elem

9420

signed immediate constant = Function call (map_peek_elem) - Base function for offset calculation. Needs to go into .text section,* therefore keeping it non-static as well; will also be used by JITs* anyway later on, so do not let the compiler omit it. This also needs* to go into kallsyms for correlation from e

9422

Continue

9425

Go to patch_call_imm

9428

patch_call_imm :

9429

fn = get_func_proto( signed immediate constant , BPF program being verified )

9433

If Not func Then

9434

verbose(env, "kernel subsystem misconfigured func %s#%d\n", func_id_name( signed immediate constant ), signed immediate constant )

9437

Return -EFAULT

9439

signed immediate constant = func - Base function for offset calculation. Needs to go into .text section,* therefore keeping it non-static as well; will also be used by JITs* anyway later on, so do not let the compiler omit it. This also needs* to go into kallsyms for correlation from e

Function report