Merge branch 'Dynptr fixes'

			u32 btf_id;

		};

		u32 mem_size; /* for PTR_TO_MEM | PTR_TO_MEM_OR_NULL */

		struct { /* for PTR_TO_MEM | PTR_TO_MEM_OR_NULL */

			u32 mem_size;

			u32 dynptr_id; /* for dynptr slices */

		};

		/* For dynptr stack slots */

		struct {

	int mem_size;

	u64 msize_max_value;

	int ref_obj_id;

	int dynptr_id;

	int map_uid;

	int func_id;

	struct btf *btf;

		verbose(env, "D");

}

static int get_spi(s32 off)

static int __get_spi(s32 off)

{

	return (-off - 1) / BPF_REG_SIZE;

}

static struct bpf_func_state *func(struct bpf_verifier_env *env,

				   const struct bpf_reg_state *reg)

{

	struct bpf_verifier_state *cur = env->cur_state;

	return cur->frame[reg->frameno];

}

static bool is_spi_bounds_valid(struct bpf_func_state *state, int spi, int nr_slots)

{

       int allocated_slots = state->allocated_stack / BPF_REG_SIZE;

       return spi - nr_slots + 1 >= 0 && spi < allocated_slots;

}

static struct bpf_func_state *func(struct bpf_verifier_env *env,

				   const struct bpf_reg_state *reg)

static int dynptr_get_spi(struct bpf_verifier_env *env, struct bpf_reg_state *reg)

{

	struct bpf_verifier_state *cur = env->cur_state;

	int off, spi;

	return cur->frame[reg->frameno];

	if (!tnum_is_const(reg->var_off)) {

		verbose(env, "dynptr has to be at a constant offset\n");

		return -EINVAL;

	}

	off = reg->off + reg->var_off.value;

	if (off % BPF_REG_SIZE) {

		verbose(env, "cannot pass in dynptr at an offset=%d\n", off);

		return -EINVAL;

	}

	spi = __get_spi(off);

	if (spi < 1) {

		verbose(env, "cannot pass in dynptr at an offset=%d\n", off);

		return -EINVAL;

	}

	if (!is_spi_bounds_valid(func(env, reg), spi, BPF_DYNPTR_NR_SLOTS))

		return -ERANGE;

	return spi;

}

static const char *kernel_type_name(const struct btf* btf, u32 id)

static void __mark_dynptr_reg(struct bpf_reg_state *reg,

			      enum bpf_dynptr_type type,

			      bool first_slot);

			      bool first_slot, int dynptr_id);

static void __mark_reg_not_init(const struct bpf_verifier_env *env,

				struct bpf_reg_state *reg);

static void mark_dynptr_stack_regs(struct bpf_reg_state *sreg1,

static void mark_dynptr_stack_regs(struct bpf_verifier_env *env,

				   struct bpf_reg_state *sreg1,

				   struct bpf_reg_state *sreg2,

				   enum bpf_dynptr_type type)

{

	__mark_dynptr_reg(sreg1, type, true);

	__mark_dynptr_reg(sreg2, type, false);

	int id = ++env->id_gen;

	__mark_dynptr_reg(sreg1, type, true, id);

	__mark_dynptr_reg(sreg2, type, false, id);

}

static void mark_dynptr_cb_reg(struct bpf_reg_state *reg,

static void mark_dynptr_cb_reg(struct bpf_verifier_env *env,

			       struct bpf_reg_state *reg,

			       enum bpf_dynptr_type type)

{

	__mark_dynptr_reg(reg, type, true);

	__mark_dynptr_reg(reg, type, true, ++env->id_gen);

}

static int destroy_if_dynptr_stack_slot(struct bpf_verifier_env *env,

				        struct bpf_func_state *state, int spi);

static int mark_stack_slots_dynptr(struct bpf_verifier_env *env, struct bpf_reg_state *reg,

				   enum bpf_arg_type arg_type, int insn_idx)

{

	struct bpf_func_state *state = func(env, reg);

	enum bpf_dynptr_type type;

	int spi, i, id;

	spi = get_spi(reg->off);

	if (!is_spi_bounds_valid(state, spi, BPF_DYNPTR_NR_SLOTS))

		return -EINVAL;

	int spi, i, id, err;

	spi = dynptr_get_spi(env, reg);

	if (spi < 0)

		return spi;

	/* We cannot assume both spi and spi - 1 belong to the same dynptr,

	 * hence we need to call destroy_if_dynptr_stack_slot twice for both,

	 * to ensure that for the following example:

	 *	[d1][d1][d2][d2]

	 * spi    3   2   1   0

	 * So marking spi = 2 should lead to destruction of both d1 and d2. In

	 * case they do belong to same dynptr, second call won't see slot_type

	 * as STACK_DYNPTR and will simply skip destruction.

	 */

	err = destroy_if_dynptr_stack_slot(env, state, spi);

	if (err)

		return err;

	err = destroy_if_dynptr_stack_slot(env, state, spi - 1);

	if (err)

		return err;

	for (i = 0; i < BPF_REG_SIZE; i++) {

		state->stack[spi].slot_type[i] = STACK_DYNPTR;

	if (type == BPF_DYNPTR_TYPE_INVALID)

		return -EINVAL;

	mark_dynptr_stack_regs(&state->stack[spi].spilled_ptr,

	mark_dynptr_stack_regs(env, &state->stack[spi].spilled_ptr,

			       &state->stack[spi - 1].spilled_ptr, type);

	if (dynptr_type_refcounted(type)) {

		state->stack[spi - 1].spilled_ptr.ref_obj_id = id;

	}

	state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN;

	state->stack[spi - 1].spilled_ptr.live |= REG_LIVE_WRITTEN;

	return 0;

}

	struct bpf_func_state *state = func(env, reg);

	int spi, i;

	spi = get_spi(reg->off);

	if (!is_spi_bounds_valid(state, spi, BPF_DYNPTR_NR_SLOTS))

		return -EINVAL;

	spi = dynptr_get_spi(env, reg);

	if (spi < 0)

		return spi;

	for (i = 0; i < BPF_REG_SIZE; i++) {

		state->stack[spi].slot_type[i] = STACK_INVALID;

	__mark_reg_not_init(env, &state->stack[spi].spilled_ptr);

	__mark_reg_not_init(env, &state->stack[spi - 1].spilled_ptr);

	/* Why do we need to set REG_LIVE_WRITTEN for STACK_INVALID slot?

	 *

	 * While we don't allow reading STACK_INVALID, it is still possible to

	 * do <8 byte writes marking some but not all slots as STACK_MISC. Then,

	 * helpers or insns can do partial read of that part without failing,

	 * but check_stack_range_initialized, check_stack_read_var_off, and

	 * check_stack_read_fixed_off will do mark_reg_read for all 8-bytes of

	 * the slot conservatively. Hence we need to prevent those liveness

	 * marking walks.

	 *

	 * This was not a problem before because STACK_INVALID is only set by

	 * default (where the default reg state has its reg->parent as NULL), or

	 * in clean_live_states after REG_LIVE_DONE (at which point

	 * mark_reg_read won't walk reg->parent chain), but not randomly during

	 * verifier state exploration (like we did above). Hence, for our case

	 * parentage chain will still be live (i.e. reg->parent may be

	 * non-NULL), while earlier reg->parent was NULL, so we need

	 * REG_LIVE_WRITTEN to screen off read marker propagation when it is

	 * done later on reads or by mark_dynptr_read as well to unnecessary

	 * mark registers in verifier state.

	 */

	state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN;

	state->stack[spi - 1].spilled_ptr.live |= REG_LIVE_WRITTEN;

	return 0;

}

static bool is_dynptr_reg_valid_uninit(struct bpf_verifier_env *env, struct bpf_reg_state *reg)

static void __mark_reg_unknown(const struct bpf_verifier_env *env,

			       struct bpf_reg_state *reg);

static int destroy_if_dynptr_stack_slot(struct bpf_verifier_env *env,

				        struct bpf_func_state *state, int spi)

{

	struct bpf_func_state *state = func(env, reg);

	int spi, i;

	struct bpf_func_state *fstate;

	struct bpf_reg_state *dreg;

	int i, dynptr_id;

	if (reg->type == CONST_PTR_TO_DYNPTR)

		return false;

	/* We always ensure that STACK_DYNPTR is never set partially,

	 * hence just checking for slot_type[0] is enough. This is

	 * different for STACK_SPILL, where it may be only set for

	 * 1 byte, so code has to use is_spilled_reg.

	 */

	if (state->stack[spi].slot_type[0] != STACK_DYNPTR)

		return 0;

	spi = get_spi(reg->off);

	if (!is_spi_bounds_valid(state, spi, BPF_DYNPTR_NR_SLOTS))

		return true;

	/* Reposition spi to first slot */

	if (!state->stack[spi].spilled_ptr.dynptr.first_slot)

		spi = spi + 1;

	if (dynptr_type_refcounted(state->stack[spi].spilled_ptr.dynptr.type)) {

		verbose(env, "cannot overwrite referenced dynptr\n");

		return -EINVAL;

	}

	mark_stack_slot_scratched(env, spi);

	mark_stack_slot_scratched(env, spi - 1);

	/* Writing partially to one dynptr stack slot destroys both. */

	for (i = 0; i < BPF_REG_SIZE; i++) {

		if (state->stack[spi].slot_type[i] == STACK_DYNPTR ||

		    state->stack[spi - 1].slot_type[i] == STACK_DYNPTR)

			return false;

		state->stack[spi].slot_type[i] = STACK_INVALID;

		state->stack[spi - 1].slot_type[i] = STACK_INVALID;

	}

	dynptr_id = state->stack[spi].spilled_ptr.id;

	/* Invalidate any slices associated with this dynptr */

	bpf_for_each_reg_in_vstate(env->cur_state, fstate, dreg, ({

		/* Dynptr slices are only PTR_TO_MEM_OR_NULL and PTR_TO_MEM */

		if (dreg->type != (PTR_TO_MEM | PTR_MAYBE_NULL) && dreg->type != PTR_TO_MEM)

			continue;

		if (dreg->dynptr_id == dynptr_id) {

			if (!env->allow_ptr_leaks)

				__mark_reg_not_init(env, dreg);

			else

				__mark_reg_unknown(env, dreg);

		}

	}));

	/* Do not release reference state, we are destroying dynptr on stack,

	 * not using some helper to release it. Just reset register.

	 */

	__mark_reg_not_init(env, &state->stack[spi].spilled_ptr);

	__mark_reg_not_init(env, &state->stack[spi - 1].spilled_ptr);

	/* Same reason as unmark_stack_slots_dynptr above */

	state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN;

	state->stack[spi - 1].spilled_ptr.live |= REG_LIVE_WRITTEN;

	return 0;

}

static bool is_dynptr_reg_valid_uninit(struct bpf_verifier_env *env, struct bpf_reg_state *reg,

				       int spi)

{

	if (reg->type == CONST_PTR_TO_DYNPTR)

		return false;

	/* For -ERANGE (i.e. spi not falling into allocated stack slots), we

	 * will do check_mem_access to check and update stack bounds later, so

	 * return true for that case.

	 */

	if (spi < 0)

		return spi == -ERANGE;

	/* We allow overwriting existing unreferenced STACK_DYNPTR slots, see

	 * mark_stack_slots_dynptr which calls destroy_if_dynptr_stack_slot to

	 * ensure dynptr objects at the slots we are touching are completely

	 * destructed before we reinitialize them for a new one. For referenced

	 * ones, destroy_if_dynptr_stack_slot returns an error early instead of

	 * delaying it until the end where the user will get "Unreleased

	 * reference" error.

	 */

	return true;

}

static bool is_dynptr_reg_valid_init(struct bpf_verifier_env *env, struct bpf_reg_state *reg)

static bool is_dynptr_reg_valid_init(struct bpf_verifier_env *env, struct bpf_reg_state *reg,

				     int spi)

{

	struct bpf_func_state *state = func(env, reg);

	int spi;

	int i;

	/* This already represents first slot of initialized bpf_dynptr */

	if (reg->type == CONST_PTR_TO_DYNPTR)

		return true;

	spi = get_spi(reg->off);

	if (!is_spi_bounds_valid(state, spi, BPF_DYNPTR_NR_SLOTS) ||

	    !state->stack[spi].spilled_ptr.dynptr.first_slot)

	if (spi < 0)

		return false;

	if (!state->stack[spi].spilled_ptr.dynptr.first_slot)

		return false;

	for (i = 0; i < BPF_REG_SIZE; i++) {

	if (reg->type == CONST_PTR_TO_DYNPTR) {

		return reg->dynptr.type == dynptr_type;

	} else {

		spi = get_spi(reg->off);

		spi = dynptr_get_spi(env, reg);

		if (spi < 0)

			return false;

		return state->stack[spi].spilled_ptr.dynptr.type == dynptr_type;

	}

}

}

static void __mark_dynptr_reg(struct bpf_reg_state *reg, enum bpf_dynptr_type type,

			      bool first_slot)

			      bool first_slot, int dynptr_id)

{

	/* reg->type has no meaning for STACK_DYNPTR, but when we set reg for

	 * callback arguments, it does need to be CONST_PTR_TO_DYNPTR, so simply

	 */

	__mark_reg_known_zero(reg);

	reg->type = CONST_PTR_TO_DYNPTR;

	/* Give each dynptr a unique id to uniquely associate slices to it. */

	reg->id = dynptr_id;

	reg->dynptr.type = type;

	reg->dynptr.first_slot = first_slot;

}

	return 0;

}

static int mark_dynptr_read(struct bpf_verifier_env *env, struct bpf_reg_state *reg)

{

	struct bpf_func_state *state = func(env, reg);

	int spi, ret;

	/* For CONST_PTR_TO_DYNPTR, it must have already been done by

	 * check_reg_arg in check_helper_call and mark_btf_func_reg_size in

	 * check_kfunc_call.

	 */

	if (reg->type == CONST_PTR_TO_DYNPTR)

		return 0;

	spi = dynptr_get_spi(env, reg);

	if (spi < 0)

		return spi;

	/* Caller ensures dynptr is valid and initialized, which means spi is in

	 * bounds and spi is the first dynptr slot. Simply mark stack slot as

	 * read.

	 */

	ret = mark_reg_read(env, &state->stack[spi].spilled_ptr,

			    state->stack[spi].spilled_ptr.parent, REG_LIVE_READ64);

	if (ret)

		return ret;

	return mark_reg_read(env, &state->stack[spi - 1].spilled_ptr,

			     state->stack[spi - 1].spilled_ptr.parent, REG_LIVE_READ64);

}

/* This function is supposed to be used by the following 32-bit optimization

 * code only. It returns TRUE if the source or destination register operates

 * on 64-bit, otherwise return FALSE.

			env->insn_aux_data[insn_idx].sanitize_stack_spill = true;

	}

	err = destroy_if_dynptr_stack_slot(env, state, spi);

	if (err)

		return err;

	mark_stack_slot_scratched(env, spi);

	if (reg && !(off % BPF_REG_SIZE) && register_is_bounded(reg) &&

	    !register_is_null(reg) && env->bpf_capable) {

	if (err)

		return err;

	for (i = min_off; i < max_off; i++) {

		int spi;

		spi = __get_spi(i);

		err = destroy_if_dynptr_stack_slot(env, state, spi);

		if (err)

			return err;

	}

	/* Variable offset writes destroy any spilled pointers in range. */

	for (i = min_off; i < max_off; i++) {

	}

	if (meta && meta->raw_mode) {

		/* Ensure we won't be overwriting dynptrs when simulating byte

		 * by byte access in check_helper_call using meta.access_size.

		 * This would be a problem if we have a helper in the future

		 * which takes:

		 *

		 *	helper(uninit_mem, len, dynptr)

		 *

		 * Now, uninint_mem may overlap with dynptr pointer. Hence, it

		 * may end up writing to dynptr itself when touching memory from

		 * arg 1. This can be relaxed on a case by case basis for known

		 * safe cases, but reject due to the possibilitiy of aliasing by

		 * default.

		 */

		for (i = min_off; i < max_off + access_size; i++) {

			int stack_off = -i - 1;

			spi = __get_spi(i);

			/* raw_mode may write past allocated_stack */

			if (state->allocated_stack <= stack_off)

				continue;

			if (state->stack[spi].slot_type[stack_off % BPF_REG_SIZE] == STACK_DYNPTR) {

				verbose(env, "potential write to dynptr at off=%d disallowed\n", i);

				return -EACCES;

			}

		}

		meta->access_size = access_size;

		meta->regno = regno;

		return 0;

			enum bpf_arg_type arg_type, struct bpf_call_arg_meta *meta)

{

	struct bpf_reg_state *regs = cur_regs(env), *reg = &regs[regno];

	int spi = 0;

	/* MEM_UNINIT and MEM_RDONLY are exclusive, when applied to an

	 * ARG_PTR_TO_DYNPTR (or ARG_PTR_TO_DYNPTR | DYNPTR_TYPE_*):

	}

	/* CONST_PTR_TO_DYNPTR already has fixed and var_off as 0 due to

	 * check_func_arg_reg_off's logic. We only need to check offset

	 * alignment for PTR_TO_STACK.

	 * and its alignment for PTR_TO_STACK.

	 */

	if (reg->type == PTR_TO_STACK && (reg->off % BPF_REG_SIZE)) {

		verbose(env, "cannot pass in dynptr at an offset=%d\n", reg->off);

		return -EINVAL;

	if (reg->type == PTR_TO_STACK) {

		spi = dynptr_get_spi(env, reg);

		if (spi < 0 && spi != -ERANGE)

			return spi;

	}

	/*  MEM_UNINIT - Points to memory that is an appropriate candidate for

	 *		 constructing a mutable bpf_dynptr object.

	 *

	 *		 to.

	 */

	if (arg_type & MEM_UNINIT) {

		if (!is_dynptr_reg_valid_uninit(env, reg)) {

		if (!is_dynptr_reg_valid_uninit(env, reg, spi)) {

			verbose(env, "Dynptr has to be an uninitialized dynptr\n");

			return -EINVAL;

		}

		meta->uninit_dynptr_regno = regno;

	} else /* MEM_RDONLY and None case from above */ {

		int err;

		/* For the reg->type == PTR_TO_STACK case, bpf_dynptr is never const */

		if (reg->type == CONST_PTR_TO_DYNPTR && !(arg_type & MEM_RDONLY)) {

			verbose(env, "cannot pass pointer to const bpf_dynptr, the helper mutates it\n");

			return -EINVAL;

		}

		if (!is_dynptr_reg_valid_init(env, reg)) {

		if (!is_dynptr_reg_valid_init(env, reg, spi)) {

			verbose(env,

				"Expected an initialized dynptr as arg #%d\n",

				regno);

				err_extra, regno);

			return -EINVAL;

		}

		err = mark_dynptr_read(env, reg);

		if (err)

			return err;

	}

	return 0;

}

	}

}

static u32 dynptr_ref_obj_id(struct bpf_verifier_env *env, struct bpf_reg_state *reg)

static int dynptr_id(struct bpf_verifier_env *env, struct bpf_reg_state *reg)

{

	struct bpf_func_state *state = func(env, reg);

	int spi;

	if (reg->type == CONST_PTR_TO_DYNPTR)

		return reg->ref_obj_id;

		return reg->id;

	spi = dynptr_get_spi(env, reg);

	if (spi < 0)

		return spi;

	return state->stack[spi].spilled_ptr.id;

}

static int dynptr_ref_obj_id(struct bpf_verifier_env *env, struct bpf_reg_state *reg)

{

	struct bpf_func_state *state = func(env, reg);

	int spi;

	spi = get_spi(reg->off);

	if (reg->type == CONST_PTR_TO_DYNPTR)

		return reg->ref_obj_id;

	spi = dynptr_get_spi(env, reg);

	if (spi < 0)

		return spi;

	return state->stack[spi].spilled_ptr.ref_obj_id;

}

			 * PTR_TO_STACK.

			 */

			if (reg->type == PTR_TO_STACK) {

				spi = get_spi(reg->off);

				if (!is_spi_bounds_valid(state, spi, BPF_DYNPTR_NR_SLOTS) ||

				    !state->stack[spi].spilled_ptr.ref_obj_id) {

				spi = dynptr_get_spi(env, reg);

				if (spi < 0 || !state->stack[spi].spilled_ptr.ref_obj_id) {

					verbose(env, "arg %d is an unacquired reference\n", regno);

					return -EINVAL;

				}

	 * callback_fn(const struct bpf_dynptr_t* dynptr, void *callback_ctx);

	 */

	__mark_reg_not_init(env, &callee->regs[BPF_REG_0]);

	mark_dynptr_cb_reg(&callee->regs[BPF_REG_1], BPF_DYNPTR_TYPE_LOCAL);

	mark_dynptr_cb_reg(env, &callee->regs[BPF_REG_1], BPF_DYNPTR_TYPE_LOCAL);

	callee->regs[BPF_REG_2] = caller->regs[BPF_REG_3];

	/* unused */

		for (i = 0; i < MAX_BPF_FUNC_REG_ARGS; i++) {

			if (arg_type_is_dynptr(fn->arg_type[i])) {

				struct bpf_reg_state *reg = &regs[BPF_REG_1 + i];

				int id, ref_obj_id;

				if (meta.dynptr_id) {

					verbose(env, "verifier internal error: meta.dynptr_id already set\n");

					return -EFAULT;

				}

				if (meta.ref_obj_id) {

					verbose(env, "verifier internal error: meta.ref_obj_id already set\n");

					return -EFAULT;

				}

				meta.ref_obj_id = dynptr_ref_obj_id(env, reg);

				id = dynptr_id(env, reg);

				if (id < 0) {

					verbose(env, "verifier internal error: failed to obtain dynptr id\n");

					return id;

				}

				ref_obj_id = dynptr_ref_obj_id(env, reg);

				if (ref_obj_id < 0) {

					verbose(env, "verifier internal error: failed to obtain dynptr ref_obj_id\n");

					return ref_obj_id;

				}

				meta.dynptr_id = id;

				meta.ref_obj_id = ref_obj_id;

				break;

			}

		}

		return -EFAULT;

	}

	if (is_dynptr_ref_function(func_id))

		regs[BPF_REG_0].dynptr_id = meta.dynptr_id;

	if (is_ptr_cast_function(func_id) || is_dynptr_ref_function(func_id)) {

		/* For release_reference() */

		regs[BPF_REG_0].ref_obj_id = meta.ref_obj_id;

			return false;

		if (i % BPF_REG_SIZE != BPF_REG_SIZE - 1)

			continue;

		if (!is_spilled_reg(&old->stack[spi]))

			continue;

		if (!regsafe(env, &old->stack[spi].spilled_ptr,

			     &cur->stack[spi].spilled_ptr, idmap))

		/* Both old and cur are having same slot_type */

		switch (old->stack[spi].slot_type[BPF_REG_SIZE - 1]) {

		case STACK_SPILL:

			/* when explored and current stack slot are both storing

			 * spilled registers, check that stored pointers types

			 * are the same as well.