Function report

Linux Kernel

v5.5.9

Brick Technologies Co., Ltd

Source Code:kernel\bpf\verifier.c Create Date:2022-07-28 12:59:13
Last Modify:2022-05-19 20:02:10 Copyright©Brick
home page Tree
Annotation kernel can get tool activityDownload SCCTChinese

Name:check_func_arg

Proto:static int check_func_arg(struct bpf_verifier_env *env, u32 regno, enum bpf_arg_type arg_type, struct bpf_call_arg_meta *meta)

Type:int

Parameter:

TypeParameterName
struct bpf_verifier_env *env
u32regno
enum bpf_arg_typearg_type
struct bpf_call_arg_meta *meta
3409  regs = cur_regs(env) , reg = regs
3410  type = Ordering of fields matters. See states_equal()
3411  err = 0
3413  If arg_type == unused argument in helper function Then Return 0
3416  err = check_reg_arg(env, regno, register is used as source operand )
3417  If err Then Return err
3420  If arg_type == any (initialized) argument is ok Then
3421  If is_pointer_value(env, regno) Then
3422  verbose(env, "R%d leaks addr into helper function\n", regno)
3424  Return -EACCES
3426  Return 0
3429  If type_is_pkt_pointer(type) && Not may_access_direct_pkt_data(env, meta, BPF_READ) Then
3431  verbose(env, "helper access to the packet is not allowed\n")
3432  Return -EACCES
3435  If arg_type == pointer to stack used as map key || arg_type == pointer to stack used as map value || arg_type == pointer to valid memory used to store a map value || arg_type == pointer to stack used as map value or NULL Then
3439  expected_type = g == frame_pointer + offset
3440  If Does this register contain a constant zero? && arg_type == pointer to stack used as map value or NULL Then Else if Not type_is_pkt_pointer(type) && type != g points to map element value && type != expected_type Then
3446  Go to err_type
3447  Else if arg_type == umber of bytes accessed from memory || arg_type == umber of bytes accessed from memory or 0 Then
3449  expected_type = g doesn't contain a valid pointer
3450  If type != expected_type Then Go to err_type
3452  Else if arg_type == const argument used as pointer to bpf_map Then
3453  expected_type = g points to struct bpf_map
3454  If type != expected_type Then Go to err_type
3456  Else if arg_type == pointer to context Then
3457  expected_type = g points to bpf_context
3458  If type != expected_type Then Go to err_type
3460  err = check_ctx_reg(env, reg, regno)
3461  If err < 0 Then Return err
3463  Else if arg_type == pointer to sock_common Then
3464  expected_type = g points to sock_common
3466  If Not type_is_sk_pointer(type) Then Go to err_type
3468  If PTR_TO_SOCKET and PTR_TO_TCP_SOCK could be a ptr returned * from a pointer-cast helper, bpf_sk_fullsock() and * bpf_tcp_sock(). * Consider the following where "sk" is a reference counted * pointer returned from "sk = bpf_sk_lookup_tcp();": * 1: sk = bpf_s Then
3469  If ref_obj_id Then
3475  ref_obj_id = PTR_TO_SOCKET and PTR_TO_TCP_SOCK could be a ptr returned * from a pointer-cast helper, bpf_sk_fullsock() and * bpf_tcp_sock(). * Consider the following where "sk" is a reference counted * pointer returned from "sk = bpf_sk_lookup_tcp();": * 1: sk = bpf_s
3477  Else if arg_type == pointer to bpf_sock (fullsock) Then
3478  expected_type = g points to struct bpf_sock
3479  If type != expected_type Then Go to err_type
3481  Else if arg_type == pointer to in-kernel struct Then
3482  expected_type = g points to kernel struct
3483  If type != expected_type Then Go to err_type
3485  If for PTR_TO_BTF_ID != btf_id Then
3486  verbose(env, "Helper has type %s got %s in R%d\n", kernel_type_name(btf_id), kernel_type_name( for PTR_TO_BTF_ID ), regno)
3490  Return -EACCES
3492  If Not Returns true if @a is a known constant || value || Fixed part of pointer offset, pointer types only Then
3493  verbose(env, "R%d is a pointer to in-kernel struct with non-zero offset\n", regno)
3495  Return -EACCES
3497  Else if arg_type == pointer to bpf_spin_lock Then
3498  If func_id == BPF_FUNC_spin_lock Then
3499  If Implementation details:* bpf_map_lookup returns PTR_TO_MAP_VALUE_OR_NULL* Two bpf_map_lookups (even with the same key) will have different reg->id Then Return -EACCES
3501  Else if func_id == BPF_FUNC_spin_unlock Then
3502  If Implementation details:* bpf_map_lookup returns PTR_TO_MAP_VALUE_OR_NULL* Two bpf_map_lookups (even with the same key) will have different reg->id Then Return -EACCES
3504  Else
3505  verbose(env, "verifier internal error\n")
3506  Return -EFAULT
3508  Else if arg_type_is_mem_ptr(arg_type) Then
3509  expected_type = g == frame_pointer + offset
3514  If Does this register contain a constant zero? && arg_type == pointer to valid memory or NULL Then Else if Not type_is_pkt_pointer(type) && type != g points to map element value && type != expected_type Then
3520  Go to err_type
3521  raw_mode = arg_type == pointer to memory does not need to be initialized,* helper function must fill all bytes or clear* them in error case.
3522  Else if arg_type_is_int_ptr(arg_type) Then
3523  expected_type = g == frame_pointer + offset
3524  If Not type_is_pkt_pointer(type) && type != g points to map element value && type != expected_type Then Go to err_type
3528  Else
3529  verbose(env, "unsupported arg_type %d\n", arg_type)
3530  Return -EFAULT
3533  If arg_type == const argument used as pointer to bpf_map Then
3535  map_ptr = valid when type == CONST_PTR_TO_MAP | PTR_TO_MAP_VALUE | * PTR_TO_MAP_VALUE_OR_NULL
3536  Else if arg_type == pointer to stack used as map key Then
3541  If Not map_ptr Then
3547  verbose(env, "invalid map_ptr to access map->key\n")
3548  Return -EACCES
3550  err = check_helper_mem_access(env, regno, key_size, TSC's on different sockets may be reset asynchronously.* This may cause the TSC ADJUST value on socket 0 to be NOT 0., NULL)
3553  Else if arg_type == pointer to stack used as map value || arg_type == pointer to stack used as map value or NULL && Not Does this register contain a constant zero? || arg_type == pointer to valid memory used to store a map value Then
3560  If Not map_ptr Then
3562  verbose(env, "invalid map_ptr to access map->value\n")
3563  Return -EACCES
3565  raw_mode = arg_type == pointer to valid memory used to store a map value
3566  err = check_helper_mem_access(env, regno, value_size, TSC's on different sockets may be reset asynchronously.* This may cause the TSC ADJUST value on socket 0 to be NOT 0., meta)
3569  Else if arg_type_is_mem_size(arg_type) Then
3570  zero_size_allowed = arg_type == umber of bytes accessed from memory or 0
3575  msize_smax_value = maximum possible (s64)value
3576  msize_umax_value = maximum possible (u64)value
3581  If Not Returns true if @a is a known constant Then meta = NULL
3589  If minimum possible (s64)value < 0 Then
3590  verbose(env, "R%d min value is negative, either use unsigned or 'var &= const'\n", regno)
3592  Return -EACCES
3595  If minimum possible (u64)value == 0 Then
3596  err = check_helper_mem_access(env, regno - 1, 0, zero_size_allowed, meta)
3599  If err Then Return err
3603  If maximum possible (u64)value >= Maximum variable size permitted for ARG_CONST_SIZE[_OR_ZERO]. This ensures* that converting umax_value to int cannot overflow. Then
3604  verbose(env, "R%d unbounded memory access, use 'var &= const' or 'if (var < const)'\n", regno)
3606  Return -EACCES
3608  err = check_helper_mem_access(env, regno - 1, maximum possible (u64)value , zero_size_allowed, meta)
3611  If Not err Then err = mark_chain_precision(env, regno)
3613  Else if arg_type_is_int_ptr(arg_type) Then
3614  size = int_ptr_type_to_size(arg_type)
3616  err = check_helper_mem_access(env, regno, size, TSC's on different sockets may be reset asynchronously.* This may cause the TSC ADJUST value on socket 0 to be NOT 0., meta)
3617  If err Then Return err
3619  err = check_ptr_alignment(env, reg, 0, size, true)
3622  Return err
3623  err_type :
3624  verbose(env, "R%d type=%s expected=%s\n", regno, string representation of 'enum bpf_reg_type' [type], string representation of 'enum bpf_reg_type' [expected_type])
3626  Return -EACCES
Caller
NameDescribe
check_helper_call