Lines Matching defs:regno
243 int regno;
1055 static void mark_reg_known_zero(struct bpf_verifier_env *env, struct bpf_reg_state *regs, u32 regno)
1057 if (WARN_ON(regno >= MAX_BPF_REG)) {
1058 verbose(env, "mark_reg_known_zero(regs, %u)\n", regno);
1060 for (regno = 0; regno < MAX_BPF_REG; regno++) {
1061 verifier_mark_reg_not_init(env, regs + regno);
1065 verifier_mark_reg_known_zero(regs + regno);
1332 static void mark_reg_unknown(struct bpf_verifier_env *env, struct bpf_reg_state *regs, u32 regno)
1334 if (WARN_ON(regno >= MAX_BPF_REG)) {
1335 verbose(env, "mark_reg_unknown(regs, %u)\n", regno);
1337 for (regno = 0; regno < BPF_REG_FP; regno++) {
1338 verifier_mark_reg_not_init(env, regs + regno);
1342 __mark_reg_unknown(env, regs + regno);
1351 static void mark_reg_not_init(struct bpf_verifier_env *env, struct bpf_reg_state *regs, u32 regno)
1353 if (WARN_ON(regno >= MAX_BPF_REG)) {
1354 verbose(env, "mark_reg_not_init(regs, %u)\n", regno);
1356 for (regno = 0; regno < BPF_REG_FP; regno++) {
1357 verifier_mark_reg_not_init(env, regs + regno);
1361 verifier_mark_reg_not_init(env, regs + regno);
1364 static void mark_btf_ld_reg(struct bpf_verifier_env *env, struct bpf_reg_state *regs, u32 regno,
1368 mark_reg_unknown(env, regs, regno);
1371 mark_reg_known_zero(env, regs, regno);
1372 regs[regno].type = PTR_TO_BTF_ID;
1373 regs[regno].btf_id = btf_id;
1590 static bool is_reg64(struct bpf_verifier_env *env, struct bpf_insn *insn, u32 regno, struct bpf_reg_state *reg,
1663 if (regno == BPF_REG_6) {
1711 static int check_reg_arg(struct bpf_verifier_env *env, u32 regno, enum reg_arg_type t)
1719 if (regno >= MAX_BPF_REG) {
1720 verbose(env, "R%d is invalid\n", regno);
1724 reg = ®s[regno];
1725 rw64 = is_reg64(env, insn, regno, reg, t);
1729 verbose(env, "R%d !read_ok\n", regno);
1733 if (regno == BPF_REG_FP) {
1744 if (regno == BPF_REG_FP) {
1751 mark_reg_unknown(env, regs, regno);
2029 static int __mark_chain_precision(struct bpf_verifier_env *env, int regno, int spi)
2036 u32 reg_mask = regno >= 0 ? 1u << regno : 0;
2047 if (regno >= 0) {
2048 reg = &func->regs[regno];
2204 static int mark_chain_precision(struct bpf_verifier_env *env, int regno)
2206 return __mark_chain_precision(env, regno, -1);
2400 * 'off' includes 'regno->off'.
2637 static int check_stack_range_initialized(struct bpf_verifier_env *env, int regno, int off, int access_size,
2641 static struct bpf_reg_state *reg_state(struct bpf_verifier_env *env, int regno)
2643 return cur_regs(env) + regno;
2762 static int check_map_access_type(struct bpf_verifier_env *env, u32 regno, int off, int size, enum bpf_access_type type)
2765 struct bpf_map *map = regs[regno].map_ptr;
2780 static int __check_mem_access(struct bpf_verifier_env *env, int regno, int off, int size, u32 mem_size,
2790 reg = &cur_regs(env)[regno];
2798 verbose(env, "invalid access to packet, off=%d size=%d, R%d(id=%d,off=%d,r=%d)\n", off, size, regno,
2810 static int check_mem_region_access(struct bpf_verifier_env *env, u32 regno, int off, int size, u32 mem_size,
2815 struct bpf_reg_state *reg = &state->regs[regno];
2835 verbose(env, "R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n", regno);
2838 err = __check_mem_access(env, regno, reg->smin_value + off, size, mem_size, zero_size_allowed);
2840 verbose(env, "R%d min value is outside of the allowed memory range\n", regno);
2849 verbose(env, "R%d unbounded memory access, make sure to bounds check any such access\n", regno);
2852 err = __check_mem_access(env, regno, reg->umax_value + off, size, mem_size, zero_size_allowed);
2854 verbose(env, "R%d max value is outside of the allowed memory range\n", regno);
2862 static int check_map_access(struct bpf_verifier_env *env, u32 regno, int off, int size, bool zero_size_allowed)
2866 struct bpf_reg_state *reg = &state->regs[regno];
2870 err = check_mem_region_access(env, regno, off, size, map->value_size, zero_size_allowed);
2942 static int check_packet_access(struct bpf_verifier_env *env, u32 regno, int off, int size, bool zero_size_allowed)
2945 struct bpf_reg_state *reg = ®s[regno];
2957 verbose(env, "R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n", regno);
2960 err = __check_mem_access(env, regno, off, size, reg->range, zero_size_allowed);
2962 verbose(env, "R%d offset is outside of the packet\n", regno);
3021 static int check_sock_access(struct bpf_verifier_env *env, int insn_idx, u32 regno, int off, int size,
3025 struct bpf_reg_state *reg = ®s[regno];
3030 verbose(env, "R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n", regno);
3056 verbose(env, "R%d invalid %s access off=%d size=%d\n", regno, reg_type_str(env, reg->type), off, size);
3061 static bool is_pointer_value(struct bpf_verifier_env *env, int regno)
3063 return __is_pointer_value(env->allow_ptr_leaks, reg_state(env, regno));
3066 static bool is_ctx_reg(struct bpf_verifier_env *env, int regno)
3068 const struct bpf_reg_state *reg = reg_state(env, regno);
3073 static bool is_sk_reg(struct bpf_verifier_env *env, int regno)
3075 const struct bpf_reg_state *reg = reg_state(env, regno);
3080 static bool is_pkt_reg(struct bpf_verifier_env *env, int regno)
3082 const struct bpf_reg_state *reg = reg_state(env, regno);
3087 static bool is_flow_key_reg(struct bpf_verifier_env *env, int regno)
3089 const struct bpf_reg_state *reg = reg_state(env, regno);
3349 static int __check_ptr_off_reg(struct bpf_verifier_env *env, const struct bpf_reg_state *reg, int regno,
3357 verbose(env, "dereference of modified %s ptr R%d off=%d disallowed\n", reg_type_str(env, reg->type), regno,
3373 int check_ptr_off_reg(struct bpf_verifier_env *env, const struct bpf_reg_state *reg, int regno)
3375 return __check_ptr_off_reg(env, reg, regno, false);
3379 int regno, int off, int size)
3382 verbose(env, "R%d invalid %s buffer access: off=%d, size=%d\n", regno, buf_info, off, size);
3389 verbose(env, "R%d invalid variable buffer offset: off=%d, var_off=%s\n", regno, off, tn_buf);
3396 static int check_tp_buffer_access(struct bpf_verifier_env *env, const struct bpf_reg_state *reg, int regno, int off,
3401 err = __check_buffer_access(env, "tracepoint", reg, regno, off, size);
3413 static int check_buffer_access(struct bpf_verifier_env *env, const struct bpf_reg_state *reg, int regno, int off,
3418 err = __check_buffer_access(env, buf_info, reg, regno, off, size);
3505 static int check_ptr_to_btf_access(struct bpf_verifier_env *env, struct bpf_reg_state *regs, int regno, int off,
3508 struct bpf_reg_state *reg = regs + regno;
3515 verbose(env, "R%d is ptr_%s invalid negative access: off=%d\n", regno, tname, off);
3522 verbose(env, "R%d is ptr_%s invalid variable offset: off=%d, var_off=%s\n", regno, tname, off, tn_buf);
3548 static int check_ptr_to_map_access(struct bpf_verifier_env *env, struct bpf_reg_state *regs, int regno, int off,
3551 struct bpf_reg_state *reg = regs + regno;
3577 verbose(env, "R%d is %s invalid negative access: off=%d\n", regno, tname, off);
3620 /* Check that the stack access at 'regno + off' falls within the maximum stack
3623 * 'off' includes `regno->offset`, but not its dynamic part (if any).
3625 static int check_stack_access_within_bounds(struct bpf_verifier_env *env, int regno, int off, int access_size,
3629 struct bpf_reg_state *reg = regs + regno;
3653 verbose(env, "invalid unbounded variable-offset%s stack R%d\n", err_extra, regno);
3671 verbose(env, "invalid%s stack R%d off=%d size=%d\n", err_extra, regno, off, access_size);
3676 verbose(env, "invalid variable-offset%s stack R%d var_off=%s size=%d\n", err_extra, regno, tn_buf,
3683 /* check whether memory at (regno + off) is accessible for t = (read | write)
3689 static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regno, int off, int bpf_size,
3693 struct bpf_reg_state *reg = regs + regno;
3716 err = check_map_access_type(env, regno, off, size, t);
3720 err = check_map_access(env, regno, off, size, false);
3744 verbose(env, "R%d invalid mem access '%s'\n", regno, reg_type_str(env, reg->type));
3749 verbose(env, "R%d cannot write into %s\n", regno, reg_type_str(env, reg->type));
3758 err = check_mem_region_access(env, regno, off, size, reg->mem_size, false);
3771 err = check_ptr_off_reg(env, reg, regno);
3806 err = check_stack_access_within_bounds(env, regno, off, size, ACCESS_DIRECT, t);
3817 err = check_stack_read(env, regno, off, size, value_regno);
3819 err = check_stack_write(env, regno, off, size, value_regno, insn_idx);
3830 err = check_packet_access(env, regno, off, size, false);
3846 verbose(env, "R%d cannot write into %s\n", regno, reg_type_str(env, reg->type));
3849 err = check_sock_access(env, insn_idx, regno, off, size, t);
3854 err = check_tp_buffer_access(env, reg, regno, off, size);
3859 err = check_ptr_to_btf_access(env, regs, regno, off, size, t, value_regno);
3861 err = check_ptr_to_map_access(env, regs, regno, off, size, t, value_regno);
3869 verbose(env, "R%d cannot write into %s\n", regno, reg_type_str(env, reg->type));
3879 err = check_buffer_access(env, reg, regno, off, size, false, buf_info, max_access);
3884 verbose(env, "R%d invalid mem access '%s'\n", regno, reg_type_str(env, reg->type));
3938 /* When register 'regno' is used to read the stack (either directly or through
3942 * 'off' includes 'regno->off', but not its dynamic part (if any).
3947 static int check_stack_range_initialized(struct bpf_verifier_env *env, int regno, int off, int access_size,
3951 struct bpf_reg_state *reg = reg_state(env, regno);
3976 err = check_stack_access_within_bounds(env, regno, off, access_size, type, bounds_check_type);
3993 verbose(env, "R%d%s variable offset stack access prohibited for !root, var_off=%s\n", regno, err_extra,
4013 meta->regno = regno;
4054 verbose(env, "invalid%s read from stack R%d off %d+%d size %d\n", err_extra, regno, min_off, i - min_off,
4060 verbose(env, "invalid%s read from stack R%d var_off %s+%d size %d\n", err_extra, regno, tn_buf, i - min_off,
4073 static int check_helper_mem_access(struct bpf_verifier_env *env, int regno, int access_size, bool zero_size_allowed,
4076 struct bpf_reg_state *regs = cur_regs(env), *reg = ®s[regno];
4083 return check_packet_access(env, regno, reg->off, access_size, zero_size_allowed);
4085 if (check_map_access_type(env, regno, reg->off, access_size,
4089 return check_map_access(env, regno, reg->off, access_size, zero_size_allowed);
4091 return check_mem_region_access(env, regno, reg->off, access_size, reg->mem_size, zero_size_allowed);
4104 return check_buffer_access(env, reg, regno, reg->off, access_size, zero_size_allowed, buf_info, max_access);
4106 return check_stack_range_initialized(env, regno, reg->off, access_size, zero_size_allowed, ACCESS_HELPER,
4114 verbose(env, "R%d type=%s ", regno, reg_type_str(env, reg->type));
4139 static int process_spin_lock(struct bpf_verifier_env *env, int regno, bool is_lock)
4141 struct bpf_reg_state *regs = cur_regs(env), *reg = ®s[regno];
4148 verbose(env, "R%d doesn't have constant offset. bpf_spin_lock has to be at the constant offset\n", regno);
4341 static int check_reg_type(struct bpf_verifier_env *env, u32 regno, enum bpf_arg_type arg_type, const u32 *arg_btf_id)
4343 struct bpf_reg_state *regs = cur_regs(env), *reg = ®s[regno];
4382 verbose(env, "R%d type=%s expected=", regno, reg_type_str(env, reg->type));
4400 verbose(env, "R%d is of type %s but %s is expected\n", regno, kernel_type_name(reg->btf_id),
4412 u32 regno = BPF_REG_1 + arg;
4413 struct bpf_reg_state *regs = cur_regs(env), *reg = ®s[regno];
4422 err = check_reg_arg(env, regno, SRC_OP);
4428 if (is_pointer_value(env, regno)) {
4429 verbose(env, "R%d leaks addr into helper function\n", regno);
4454 err = check_reg_type(env, regno, arg_type, fn->arg_btf_id[arg]);
4481 err = __check_ptr_off_reg(env, reg, regno, type == PTR_TO_BTF_ID);
4491 verbose(env, "verifier internal error: more than one arg with ref_obj_id R%d %u %u\n", regno,
4515 err = check_helper_mem_access(env, regno, meta->map_ptr->key_size, false, NULL);
4530 err = check_helper_mem_access(env, regno, meta->map_ptr->value_size, false, meta);
4533 verbose(env, "Helper has invalid btf_id in R%d\n", regno);
4539 if (process_spin_lock(env, regno, true)) {
4543 if (process_spin_lock(env, regno, false)) {
4581 verbose(env, "R%d min value is negative, either use unsigned or 'var &= const'\n", regno);
4586 err = check_helper_mem_access(env, regno - 1, 0, zero_size_allowed, meta);
4593 verbose(env, "R%d unbounded memory access, use 'var &= const' or 'if (var < const)'\n", regno);
4596 err = check_helper_mem_access(env, regno - 1, reg->umax_value, zero_size_allowed, meta);
4598 err = mark_chain_precision(env, regno);
4602 verbose(env, "R%d unbounded size, use 'var &= const' or 'if (var < const)'\n", regno);
4609 err = check_helper_mem_access(env, regno, size, false, meta);
5380 err = check_mem_access(env, insn_idx, meta.regno, i, BPF_B, BPF_WRITE, -1, false);
5881 static int check_stack_access_for_ptr_arithmetic(struct bpf_verifier_env *env, int regno,
5888 verbose(env, "R%d variable stack access prohibited for !root, var_off=%s off=%d\n", regno, tn_buf, off);
5896 regno, off);
7701 static void mark_ptr_or_null_regs(struct bpf_verifier_state *vstate, u32 regno, bool is_null)
7705 u32 ref_obj_id = regs[regno].ref_obj_id;
7706 u32 id = regs[regno].id;
7710 /* regs[regno] is in the " == NULL" branch.