函数逻辑报告

Linux Kernel

v5.5.9

Brick Technologies Co., Ltd

Source Code:kernel\bpf\verifier.c Create Date:2022-07-27 14:14:01
Last Modify:2022-05-19 20:02:10 Copyright©Brick
首页 函数Tree
注解内核,赢得工具下载SCCTEnglish

函数名称:check_helper_call

函数原型:static int check_helper_call(struct bpf_verifier_env *env, int func_id, int insn_idx)

返回类型:int

参数:

类型参数名称
struct bpf_verifier_env *env
intfunc_id
intinsn_idx
4182  const struct bpf_func_proto * fn = NULL
4189  如果func_id小于0或func_id大于等于__BPF_FUNC_MAX_ID
4190  verbose(env, "invalid func %s#%d\n", func_id_name(func_id), func_id)
4192  返回:负EINVAL
4195  如果get_func_protofn等于get_func_proto(func_id, BPF program being verified )
4197  如果非fn
4198  verbose(env, "unknown func %s#%d\n", func_id_name(func_id), func_id)
4200  返回:负EINVAL
4204  如果非 Is filter GPL compatible? gpl_only
4205  verbose(env, "cannot call GPL-restricted function from non-GPL compatible program\n")
4206  返回:负EINVAL
4210  changes_data等于bpf_helper_changes_pkt_data(func)
4211  如果changes_dataarg1_type不等于pointer to context
4212  verbose(env, "kernel subsystem misconfigured func %s#%d: r1 != ctx\n", func_id_name(func_id), func_id)
4214  返回:负EINVAL
4217  memset( & meta, 0, meta的长度)
4218  pkt_access等于pkt_access
4220  err等于check_func_proto(fn, func_id)
4221  如果err
4222  verbose(env, "kernel subsystem misconfigured func %s#%d\n", func_id_name(func_id), func_id)
4224  返回:err
4227  func_id等于func_id
4229 i小于5循环
4230  err等于btf_resolve_helper_id( & log, fn, i)
4231  如果err大于0则btf_id等于err
4233  err等于check_func_arg(env, BPF_REG_1 + i, arg_type[i], & meta)
4234  如果err则返回:err
4238  err等于record_func_map(env, & meta, func_id, insn_idx)
4239  如果err则返回:err
4242  err等于record_func_key(env, & meta, func_id, insn_idx)
4243  如果err则返回:err
4249 i小于access_size循环
4250  err等于heck whether memory at (regno + off) is accessible for t = (read | write)* if t==write, value_regno is a register which value is stored into memory* if t==read, value_regno is a register which will receive the value from memory* if t==write &&
4252  如果err则返回:err
4256  如果func_id恒等于BPF_FUNC_tail_call
4257  err等于check_reference_leak(env)
4258  如果err
4259  verbose(env, "tail_call would lead to reference leak\n")
4260  返回:err
4262  否则如果Determine whether the function releases some resources allocated by another* function call. The first reference type argument will be assumed to be* released by release_reference().
4263  err等于The pointer with the specified id has released its reference to kernel* resources. Identify all copies of the same pointer and clear the reference.
4264  如果err
4265  verbose(env, "func %s#%d reference has not been acquired before\n", func_id_name(func_id), func_id)
4267  返回:err
4271  regs等于cur_regs(env)
4276  如果func_id恒等于BPF_FUNC_get_local_storage且非Does this register contain a constant zero?
4278  verbose(env, "get_local_storage() doesn't support non-zero flags\n")
4279  返回:负EINVAL
4283 i小于CALLER_SAVED_REGS循环
4284  mark_reg_not_init(env, regs, caller_saved[i])
4285  check_reg_arg(env, caller_saved[i], DST_OP_NO_MARK)
4289  Tracks subreg definition. The stored value is the insn_idx of the * writing insn. This is safe because subreg_def is used before any insn * patching which only happens after main verification finished.等于DEF_NOT_SUBREG
4292  如果ret_type恒等于RET_INTEGER
4294  mark_reg_unknown(env, regs, BPF_REG_0)
4295  否则如果ret_type恒等于RET_VOID
4296  Ordering of fields matters. See states_equal() 等于hing was written into register
4297  否则如果ret_type恒等于RET_PTR_TO_MAP_VALUE_OR_NULLret_type恒等于RET_PTR_TO_MAP_VALUE
4300  mark_reg_known_zero(env, regs, BPF_REG_0)
4305  如果(map_ptr == NULL)则
4306  verbose(env, "kernel subsystem misconfigured verifier\n")
4308  返回:负EINVAL
4310  valid when type == CONST_PTR_TO_MAP | PTR_TO_MAP_VALUE | * PTR_TO_MAP_VALUE_OR_NULL等于map_ptr
4311  如果ret_type恒等于RET_PTR_TO_MAP_VALUE
4312  Ordering of fields matters. See states_equal() 等于g points to map element value
4313  如果map_value_has_spin_lock(map_ptr)则 For PTR_TO_PACKET, used to find other pointers with the same variable * offset, so they can share range knowledge. * For PTR_TO_MAP_VALUE_OR_NULL this is used to share which map value we * came from, when one is tested for != NULL. * For PTR_TO_SOCKET thi等于used to generate unique reg IDs 先自加
4315  否则
4316  Ordering of fields matters. See states_equal() 等于points to map elem value or NULL
4317  For PTR_TO_PACKET, used to find other pointers with the same variable * offset, so they can share range knowledge. * For PTR_TO_MAP_VALUE_OR_NULL this is used to share which map value we * came from, when one is tested for != NULL. * For PTR_TO_SOCKET thi等于used to generate unique reg IDs 先自加
4319  否则如果ret_type恒等于RET_PTR_TO_SOCKET_OR_NULL
4320  mark_reg_known_zero(env, regs, BPF_REG_0)
4321  Ordering of fields matters. See states_equal() 等于g points to struct bpf_sock or NULL
4322  For PTR_TO_PACKET, used to find other pointers with the same variable * offset, so they can share range knowledge. * For PTR_TO_MAP_VALUE_OR_NULL this is used to share which map value we * came from, when one is tested for != NULL. * For PTR_TO_SOCKET thi等于used to generate unique reg IDs 先自加
4323  否则如果ret_type恒等于RET_PTR_TO_SOCK_COMMON_OR_NULL
4324  mark_reg_known_zero(env, regs, BPF_REG_0)
4325  Ordering of fields matters. See states_equal() 等于g points to sock_common or NULL
4326  For PTR_TO_PACKET, used to find other pointers with the same variable * offset, so they can share range knowledge. * For PTR_TO_MAP_VALUE_OR_NULL this is used to share which map value we * came from, when one is tested for != NULL. * For PTR_TO_SOCKET thi等于used to generate unique reg IDs 先自加
4327  否则如果ret_type恒等于RET_PTR_TO_TCP_SOCK_OR_NULL
4328  mark_reg_known_zero(env, regs, BPF_REG_0)
4329  Ordering of fields matters. See states_equal() 等于g points to struct tcp_sock or NULL
4330  For PTR_TO_PACKET, used to find other pointers with the same variable * offset, so they can share range knowledge. * For PTR_TO_MAP_VALUE_OR_NULL this is used to share which map value we * came from, when one is tested for != NULL. * For PTR_TO_SOCKET thi等于used to generate unique reg IDs 先自加
4331  否则
4332  verbose(env, "unknown return type %d of func %s#%d\n", ret_type, func_id_name(func_id), func_id)
4334  返回:负EINVAL
4337  如果is_ptr_cast_function(func_id)则
4339  PTR_TO_SOCKET and PTR_TO_TCP_SOCK could be a ptr returned * from a pointer-cast helper, bpf_sk_fullsock() and * bpf_tcp_sock(). * Consider the following where "sk" is a reference counted * pointer returned from "sk = bpf_sk_lookup_tcp();": * 1: sk = bpf_s等于ref_obj_id
4340  否则如果is_acquire_function(func_id)则
4341  id等于Acquire a pointer id from the env and update the state->refs to include* this new pointer reference.* On success, returns a valid pointer id to associate with the register* On failure, returns a negative errno.
4343  如果id小于0则返回:id
4346  For PTR_TO_PACKET, used to find other pointers with the same variable * offset, so they can share range knowledge. * For PTR_TO_MAP_VALUE_OR_NULL this is used to share which map value we * came from, when one is tested for != NULL. * For PTR_TO_SOCKET thi等于id
4348  PTR_TO_SOCKET and PTR_TO_TCP_SOCK could be a ptr returned * from a pointer-cast helper, bpf_sk_fullsock() and * bpf_tcp_sock(). * Consider the following where "sk" is a reference counted * pointer returned from "sk = bpf_sk_lookup_tcp();": * 1: sk = bpf_s等于id
4351  do_refine_retval_range(regs, ret_type, func_id, & meta)
4353  err等于check_map_func_compatibility(env, map_ptr, func_id)
4354  如果err则返回:err
4357  如果func_id恒等于BPF_FUNC_get_stack且非 callchain buffer allocated?
4364  err等于负Operation is not supported
4365  err_str等于"func %s#%d not supported without CONFIG_PERF_EVENTS\n"
4367  如果err
4368  verbose(env, err_str, func_id_name(func_id), func_id)
4369  返回:err
4372  callchain buffer allocated? = true
4375  如果changes_dataclear_all_pkt_pointers(env)
4377  返回:0
调用者
名称描述
do_check