Lines Matching defs:stack
39 * instruction by instruction and updates register/stack state.
51 * insn is less then 4K, but there are too many branches that change stack/regs.
73 * that it wants to construct a pointer to some element within stack.
75 * (and -20 constant is saved for further stack bounds checking).
76 * Meaning that this reg is a pointer to stack plus known immediate constant.
104 * 2nd argument should be a pointer to stack, which will be used inside
116 * the stack of eBPF program.
129 * Now verifier checks that [R2, R2 + map's key_size) are within stack limits
163 /* verifier_state + insn_idx are pushed to stack when branch is encountered */
173 /* length of verifier log at the time this state was pushed on stack */
647 if (state->stack[i].slot_type[j] != STACK_INVALID) {
650 types_buf[j] = slot_type_char[state->stack[i].slot_type[j]];
657 print_liveness(env, state->stack[i].spilled_ptr.live);
658 if (state->stack[i].slot_type[0] == STACK_SPILL) {
659 reg = &state->stack[i].spilled_ptr;
699 COPY_STATE_FN(stack, allocated_stack, stack, BPF_REG_SIZE)
735 REALLOC_STATE_FN(stack, allocated_stack, stack, BPF_REG_SIZE)
738 /* do_check() starts with zero-sized stack in struct bpf_verifier_state to
740 * the program calls into realloc_func_state() to grow the stack size.
814 kfree(state->stack);
839 /* copy verifier state from src to dst growing dst stack space
840 * when necessary to accommodate larger src stack
874 /* if dst has more stack frames then src frame, free them */
1534 /* Parentage chain of this register (or stack slot) should take care of all
1535 * issues like callee-saved registers, stack slot allocation time, etc.
1793 * stack slots that needs precision in the parent verifier state.
1813 verbose(env, "regs=%x stack=%llx before ", *reg_mask, *stack_mask);
1857 /* scalars can only be spilled into stack w/o losing precision.
1870 /* dreg = *(u64 *)[fp - off] was a fill from the stack.
1889 /* scalars can only be spilled into stack */
1952 * stack slots with spilled constants that these scalar regisers
1954 * . during state pruning two registers (or spilled stack slots)
1958 * since many different registers and stack slots could have been
2016 if (func->stack[j].slot_type[0] != STACK_SPILL) {
2019 reg = &func->stack[j].spilled_ptr;
2062 if (func->stack[spi].slot_type[0] != STACK_SPILL) {
2066 reg = &func->stack[spi].spilled_ptr;
2161 * stack access, so at the end of backtracking
2162 * stack slot fp-8 is still marked in stack_mask.
2164 * fp-8 and it's "unallocated" stack space.
2171 if (func->stack[i].slot_type[0] != STACK_SPILL) {
2175 reg = &func->stack[i].spilled_ptr;
2187 verbose(env, "parent %s regs=%x stack=%llx marks\n", new_marks ? "didn't have" : "already had", reg_mask,
2275 state->stack[spi].spilled_ptr = *reg;
2276 state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN;
2279 state->stack[spi].slot_type[i] = STACK_SPILL;
2284 * stack boundary and alignment are checked in check_mem_access()
2287 /* stack frame we're writing to */
2300 * so it's aligned access and [off, off + size) are within stack limits
2302 if (!env->allow_ptr_leaks && state->stack[spi].slot_type[0] == STACK_SPILL && size != BPF_REG_SIZE) {
2303 verbose(env, "attempt to corrupt spilled pointer on stack\n");
2315 if (state->stack[spi].slot_type[i] == STACK_INVALID) {
2329 * stack slot address like [fp - 8]. Other spill of
2341 /* register containing pointer is being spilled into stack */
2348 verbose(env, "cannot spill pointers to stack into stack frame of the caller\n");
2355 /* regular write of data into stack destroys any spilled ptr */
2356 state->stack[spi].spilled_ptr.type = NOT_INIT;
2358 if (state->stack[spi].slot_type[0] == STACK_SPILL) {
2360 state->stack[spi].slot_type[i] = STACK_MISC;
2366 * when stack slots are partially written.
2369 * to stack slots all the way to first state when programs
2373 state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN;
2376 /* when we zero initialize stack slots mark them as such */
2386 /* Mark slots affected by this stack write. */
2388 state->stack[spi].slot_type[(slot - i) % BPF_REG_SIZE] = type;
2394 /* Write the stack: 'stack[ptr_regno + off] = value_regno'. 'ptr_regno' is
2397 * tracks the effects of the write, considering that each stack slot in the
2402 * the stack.
2408 * For privileged programs, uninitialized stack slots are considered
2424 * stack slots remain STACK_ZERO
2451 stype = &state->stack[spi].slot_type[slot % BPF_REG_SIZE];
2460 verbose(env, "spilled ptr in range of var-offset stack write; insn %d, ptr off: %d", insn_idx, i);
2465 state->stack[spi].spilled_ptr.type = NOT_INIT;
2482 verbose(env, "uninit stack in range of var-offset write prohibited for !root; insn %d, off: %d", insn_idx,
2498 /* When register 'dst_regno' is assigned some values from stack[min_off,
2500 * respective stack slots. If all the stack values are known to be zeros, then
2503 * ensure that all spilled registers in the stack range have been marked as
2519 stype = ptr_state->stack[spi].slot_type;
2542 /* have read misc data from the stack */
2548 /* Read the stack at 'off' and put the results into the register indicated by
2549 * 'dst_regno'. It handles reg filling if the addressed stack slot is a
2555 * The access is assumed to be within the current stack bounds.
2567 stype = reg_state->stack[spi].slot_type;
2568 reg = ®_state->stack[spi].spilled_ptr;
2592 /* restore register state from stack */
2596 * which resets stack/reg liveness for state transitions
2606 verbose(env, "leaking pointer from stack off %d\n", off);
2621 verbose(env, "invalid read from stack off %d+%d size %d\n", off, i, size);
2646 /* Read the stack at 'ptr_regno + off' and put the result into the register
2683 * The caller must ensure that the offset falls within the allocated stack
2686 * 'dst_regno' is a register which will receive the value from the stack. It
2704 verbose(env, "variable offset stack pointer cannot be passed into helper function; var_off=%s off=%d size=%d\n",
2709 * since it requires corresponding support in Spectre masking for stack
2716 verbose(env, "R%d variable offset stack access prohibited for !root, var_off=%s\n", ptr_regno, tn_buf);
2724 /* Variable offset stack reads need more conservative handling
2736 * 'ptr_regno' is the register used as a pointer into the stack.
2738 * 'value_regno' is the register whose value we're writing to the stack. It can
2741 * The caller must ensure that the offset falls within the maximum stack size.
2754 /* Variable offset stack reads need more conservative handling
3173 pointer_desc = "stack ";
3174 /* The stack spill tracking logic in check_stack_write_fixed_off()
3175 * and check_stack_read_fixed_off() relies on stack accesses being
3200 u16 stack = env->subprog_info[func->subprogno].stack_depth;
3202 if (stack >= -off) {
3215 * only needs a local stack of MAX_CALL_FRAMES to remember callsites
3231 /* protect against potential stack overflow that might happen when
3232 * bpf2bpf calls get combined with tailcalls. Limit the caller's stack
3234 * would result in 8k stack size (32 which is tailcall limit * 256 =
3241 * func2 -> sub rsp, 192 (total stack size = 128 + 192 = 320)
3245 * func3 -> sub rsp, 32 (total stack size 128 + 192 + 64 + 32 = 416)
3247 * tailcall will unwind the current stack frame but it will not get rid
3248 * of caller's stack as shown on the example above.
3251 verbose(env, "tail_calls are not allowed when call stack of previous frames is %d bytes. Too large\n",
3256 * of interpreter stack size
3260 verbose(env, "combined stack size of %d calls is %d. Too large\n", frame + 1, depth);
3292 verbose(env, "the call stack of %d frames is too deep !\n", frame);
3598 /* Check that the stack access at the given offset is within bounds. The
3620 /* Check that the stack access at 'regno + off' falls within the maximum stack
3653 verbose(env, "invalid unbounded variable-offset%s stack R%d\n", err_extra, regno);
3671 verbose(env, "invalid%s stack R%d off=%d size=%d\n", err_extra, regno, off, access_size);
3676 verbose(env, "invalid variable-offset%s stack R%d var_off=%s size=%d\n", err_extra, regno, tn_buf,
3938 /* When register 'regno' is used to read the stack (either directly or through
3939 * a helper function) make sure that it's within stack boundary and, depending
3940 * on the access type, that all elements of the stack are initialized.
3944 * All registers that have been spilled on the stack in the slots within the
3956 /* Some accesses can write anything into the stack, others are
3986 * Spectre masking for stack ALU.
3993 verbose(env, "R%d%s variable offset stack access prohibited for !root, var_off=%s\n", regno, err_extra,
3997 /* Only initialized buffer on stack is allowed to be accessed
4001 * cause uninitialized stack leaking.
4025 stype = &state->stack[spi].slot_type[slot % BPF_REG_SIZE];
4031 /* helper can write anything into the stack */
4037 if (state->stack[spi].slot_type[0] == STACK_SPILL && state->stack[spi].spilled_ptr.type == PTR_TO_BTF_ID) {
4041 if (state->stack[spi].slot_type[0] == STACK_SPILL &&
4042 (state->stack[spi].spilled_ptr.type == SCALAR_VALUE || env->allow_ptr_leaks)) {
4044 __mark_reg_unknown(env, &state->stack[spi].spilled_ptr);
4046 state->stack[spi].slot_type[j] = STACK_MISC;
4054 verbose(env, "invalid%s read from stack R%d off %d+%d size %d\n", err_extra, regno, min_off, i - min_off,
4060 verbose(env, "invalid%s read from stack R%d var_off %s+%d size %d\n", err_extra, regno, tn_buf, i - min_off,
4068 mark_reg_read(env, &state->stack[spi].spilled_ptr, state->stack[spi].spilled_ptr.parent, REG_LIVE_READ64);
4504 * stack limits and initialized
5071 verbose(env, "the call stack of %d frames is too deep\n", state->curframe + 2);
5122 * into its own stack before reading from it.
5123 * callee can read/write into caller's stack
5170 /* technically it's ok to return caller's stack pointer
5172 * since these pointers are valid. Only current stack
5176 verbose(env, "cannot return stack pointer to the caller\n");
5376 /* Mark slots with STACK_MISC in case of raw mode, stack offset
5796 * stack.
5871 /* check that stack access falls within stack limits and that 'reg' doesn't
5875 * requires corresponding support in Spectre masking for stack ALU. See also
5888 verbose(env, "R%d variable stack access prohibited for !root, var_off=%s off=%d\n", regno, tn_buf, off);
5894 "R%d stack pointer arithmetic goes out of range, "
6086 verbose(env, "R%d subtraction from stack pointer prohibited\n", dst);
8286 * 3 let S be a stack
8507 verbose(env, "pop stack internal bug\n");
8900 live = st->stack[i].spilled_ptr.live;
8901 /* liveness must not touch this stack slot anymore */
8902 st->stack[i].spilled_ptr.live |= REG_LIVE_DONE;
8904 verifier_mark_reg_not_init(env, &st->stack[i].spilled_ptr);
8906 st->stack[i].slot_type[j] = STACK_INVALID;
8928 * pushed into state stack for future exploration.
8950 * This function also clears the registers and stack for states that !READ
8995 /* two stack pointers are equal only if they're pointing to
8996 * the same stack frame, since fp-8 in foo != fp-8 in bar
9114 /* walk slots of the explored stack and ignore any additional
9115 * slots in the current stack, since explored(safe) state
9121 if (!(old->stack[spi].spilled_ptr.live & REG_LIVE_READ)) {
9127 if (old->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_INVALID) {
9131 /* explored stack has more populated slots than current stack
9138 /* if old state was safe with misc data in the stack
9139 * it will be safe with zero-initialized stack.
9142 if (old->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_MISC &&
9143 cur->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_ZERO) {
9146 if (old->stack[spi].slot_type[i % BPF_REG_SIZE] != cur->stack[spi].slot_type[i % BPF_REG_SIZE]) {
9148 * this stack slot, but current has STACK_MISC ->
9157 if (old->stack[spi].slot_type[0] != STACK_SPILL) {
9160 if (!regsafe(env, &old->stack[spi].spilled_ptr, &cur->stack[spi].spilled_ptr, idmap)) {
9161 /* when explored and current stack slot are both storing
9191 * execution popped from the state stack. If it sees an old state that has
9192 * more strict register state and more strict stack state then this execution
9197 * and explored stack state is more conservative than the current one.
9203 * In other words if current stack state (one being explored) has more
9332 /* Propagate stack slots. */
9334 parent_reg = &parent->stack[i].spilled_ptr;
9335 state_reg = &state->stack[i].spilled_ptr;
9370 if (state->stack[i].slot_type[0] != STACK_SPILL) {
9373 state_reg = &state->stack[i].spilled_ptr;
9471 /* reached equivalent register/stack state,
9586 * to the stack implicitly by JITs) so in callers' frames connect just
9606 /* all stack frames are accessible from callee, clear them all */
9612 frame->stack[i].spilled_ptr.live = REG_LIVE_NONE;
9613 frame->stack[i].spilled_ptr.parent = &newframe->stack[i].spilled_ptr;
9784 * src_reg == stack|map in some other branch.
11050 /* Use bpf_prog_F_tag to indicate functions in stack traces.
11722 verbose(env, "stack depth ");
11912 * reasonable stack size. Hence extending fentry is not