Function report

Linux Kernel

v5.5.9

Brick Technologies Co., Ltd

Source Code:kernel\bpf\verifier.c Create Date:2022-07-28 13:00:03
Last Modify:2022-05-19 20:02:10 Copyright©Brick
home page Tree
Annotation kernel can get tool activityDownload SCCTChinese

Name:check_helper_call

Proto:static int check_helper_call(struct bpf_verifier_env *env, int func_id, int insn_idx)

Type:int

Parameter:

TypeParameterName
struct bpf_verifier_env *env
intfunc_id
intinsn_idx
4182  const struct bpf_func_proto * fn = NULL
4189  If func_id < 0 || func_id >= __BPF_FUNC_MAX_ID Then
4190  verbose(env, "invalid func %s#%d\n", func_id_name(func_id), func_id)
4192  Return -EINVAL
4195  If get_func_proto Then fn = get_func_proto(func_id, BPF program being verified )
4197  If Not fn Then
4198  verbose(env, "unknown func %s#%d\n", func_id_name(func_id), func_id)
4200  Return -EINVAL
4204  If Not Is filter GPL compatible? && gpl_only Then
4205  verbose(env, "cannot call GPL-restricted function from non-GPL compatible program\n")
4206  Return -EINVAL
4210  changes_data = bpf_helper_changes_pkt_data(func)
4211  If changes_data && arg1_type != pointer to context Then
4212  verbose(env, "kernel subsystem misconfigured func %s#%d: r1 != ctx\n", func_id_name(func_id), func_id)
4214  Return -EINVAL
4217  memset( & meta, 0, size of meta )
4218  pkt_access = pkt_access
4220  err = check_func_proto(fn, func_id)
4221  If err Then
4222  verbose(env, "kernel subsystem misconfigured func %s#%d\n", func_id_name(func_id), func_id)
4224  Return err
4227  func_id = func_id
4229  When i < 5 cycle
4230  err = btf_resolve_helper_id( & log, fn, i)
4231  If err > 0 Then btf_id = err
4233  err = check_func_arg(env, BPF_REG_1 + i, arg_type[i], & meta)
4234  If err Then Return err
4238  err = record_func_map(env, & meta, func_id, insn_idx)
4239  If err Then Return err
4242  err = record_func_key(env, & meta, func_id, insn_idx)
4243  If err Then Return err
4249  When i < access_size cycle
4250  err = heck whether memory at (regno + off) is accessible for t = (read | write)* if t==write, value_regno is a register which value is stored into memory* if t==read, value_regno is a register which will receive the value from memory* if t==write &&
4252  If err Then Return err
4256  If func_id == BPF_FUNC_tail_call Then
4257  err = check_reference_leak(env)
4258  If err Then
4259  verbose(env, "tail_call would lead to reference leak\n")
4260  Return err
4262  Else if Determine whether the function releases some resources allocated by another* function call. The first reference type argument will be assumed to be* released by release_reference(). Then
4263  err = The pointer with the specified id has released its reference to kernel* resources. Identify all copies of the same pointer and clear the reference.
4264  If err Then
4265  verbose(env, "func %s#%d reference has not been acquired before\n", func_id_name(func_id), func_id)
4267  Return err
4271  regs = cur_regs(env)
4276  If func_id == BPF_FUNC_get_local_storage && Not Does this register contain a constant zero? Then
4278  verbose(env, "get_local_storage() doesn't support non-zero flags\n")
4279  Return -EINVAL
4283  When i < CALLER_SAVED_REGS cycle
4284  mark_reg_not_init(env, regs, caller_saved[i])
4285  check_reg_arg(env, caller_saved[i], DST_OP_NO_MARK)
4289  Tracks subreg definition. The stored value is the insn_idx of the * writing insn. This is safe because subreg_def is used before any insn * patching which only happens after main verification finished. = DEF_NOT_SUBREG
4292  If ret_type == RET_INTEGER Then
4294  mark_reg_unknown(env, regs, BPF_REG_0)
4295  Else if ret_type == RET_VOID Then
4296  Ordering of fields matters. See states_equal() = hing was written into register
4297  Else if ret_type == RET_PTR_TO_MAP_VALUE_OR_NULL || ret_type == RET_PTR_TO_MAP_VALUE Then
4300  mark_reg_known_zero(env, regs, BPF_REG_0)
4305  If (map_ptr == NULL) Then
4306  verbose(env, "kernel subsystem misconfigured verifier\n")
4308  Return -EINVAL
4310  valid when type == CONST_PTR_TO_MAP | PTR_TO_MAP_VALUE | * PTR_TO_MAP_VALUE_OR_NULL = map_ptr
4311  If ret_type == RET_PTR_TO_MAP_VALUE Then
4312  Ordering of fields matters. See states_equal() = g points to map element value
4313  If map_value_has_spin_lock(map_ptr) Then For PTR_TO_PACKET, used to find other pointers with the same variable * offset, so they can share range knowledge. * For PTR_TO_MAP_VALUE_OR_NULL this is used to share which map value we * came from, when one is tested for != NULL. * For PTR_TO_SOCKET thi = ++used to generate unique reg IDs
4315  Else
4316  Ordering of fields matters. See states_equal() = points to map elem value or NULL
4317  For PTR_TO_PACKET, used to find other pointers with the same variable * offset, so they can share range knowledge. * For PTR_TO_MAP_VALUE_OR_NULL this is used to share which map value we * came from, when one is tested for != NULL. * For PTR_TO_SOCKET thi = ++used to generate unique reg IDs
4319  Else if ret_type == RET_PTR_TO_SOCKET_OR_NULL Then
4320  mark_reg_known_zero(env, regs, BPF_REG_0)
4321  Ordering of fields matters. See states_equal() = g points to struct bpf_sock or NULL
4322  For PTR_TO_PACKET, used to find other pointers with the same variable * offset, so they can share range knowledge. * For PTR_TO_MAP_VALUE_OR_NULL this is used to share which map value we * came from, when one is tested for != NULL. * For PTR_TO_SOCKET thi = ++used to generate unique reg IDs
4323  Else if ret_type == RET_PTR_TO_SOCK_COMMON_OR_NULL Then
4324  mark_reg_known_zero(env, regs, BPF_REG_0)
4325  Ordering of fields matters. See states_equal() = g points to sock_common or NULL
4326  For PTR_TO_PACKET, used to find other pointers with the same variable * offset, so they can share range knowledge. * For PTR_TO_MAP_VALUE_OR_NULL this is used to share which map value we * came from, when one is tested for != NULL. * For PTR_TO_SOCKET thi = ++used to generate unique reg IDs
4327  Else if ret_type == RET_PTR_TO_TCP_SOCK_OR_NULL Then
4328  mark_reg_known_zero(env, regs, BPF_REG_0)
4329  Ordering of fields matters. See states_equal() = g points to struct tcp_sock or NULL
4330  For PTR_TO_PACKET, used to find other pointers with the same variable * offset, so they can share range knowledge. * For PTR_TO_MAP_VALUE_OR_NULL this is used to share which map value we * came from, when one is tested for != NULL. * For PTR_TO_SOCKET thi = ++used to generate unique reg IDs
4331  Else
4332  verbose(env, "unknown return type %d of func %s#%d\n", ret_type, func_id_name(func_id), func_id)
4334  Return -EINVAL
4337  If is_ptr_cast_function(func_id) Then
4339  PTR_TO_SOCKET and PTR_TO_TCP_SOCK could be a ptr returned * from a pointer-cast helper, bpf_sk_fullsock() and * bpf_tcp_sock(). * Consider the following where "sk" is a reference counted * pointer returned from "sk = bpf_sk_lookup_tcp();": * 1: sk = bpf_s = ref_obj_id
4340  Else if is_acquire_function(func_id) Then
4341  id = Acquire a pointer id from the env and update the state->refs to include* this new pointer reference.* On success, returns a valid pointer id to associate with the register* On failure, returns a negative errno.
4343  If id < 0 Then Return id
4346  For PTR_TO_PACKET, used to find other pointers with the same variable * offset, so they can share range knowledge. * For PTR_TO_MAP_VALUE_OR_NULL this is used to share which map value we * came from, when one is tested for != NULL. * For PTR_TO_SOCKET thi = id
4348  PTR_TO_SOCKET and PTR_TO_TCP_SOCK could be a ptr returned * from a pointer-cast helper, bpf_sk_fullsock() and * bpf_tcp_sock(). * Consider the following where "sk" is a reference counted * pointer returned from "sk = bpf_sk_lookup_tcp();": * 1: sk = bpf_s = id
4351  do_refine_retval_range(regs, ret_type, func_id, & meta)
4353  err = check_map_func_compatibility(env, map_ptr, func_id)
4354  If err Then Return err
4357  If func_id == BPF_FUNC_get_stack && Not callchain buffer allocated? Then
4364  err = -Operation is not supported
4365  err_str = "func %s#%d not supported without CONFIG_PERF_EVENTS\n"
4367  If err Then
4368  verbose(env, err_str, func_id_name(func_id), func_id)
4369  Return err
4372  callchain buffer allocated? = true
4375  If changes_data Then clear_all_pkt_pointers(env)
4377  Return 0
Caller
NameDescribe
do_check