!14593 CVE-2024-56702

	}

	}

}

}

struct bpf_raw_tp_null_args {

	const char *func;

	u64 mask;

};

static const struct bpf_raw_tp_null_args raw_tp_null_args[] = {

	/* sched */

	{ "sched_pi_setprio", 0x10 },

	/* ... from sched_numa_pair_template event class */

	{ "sched_stick_numa", 0x100 },

	{ "sched_swap_numa", 0x100 },

	/* afs */

	{ "afs_make_fs_call", 0x10 },

	{ "afs_make_fs_calli", 0x10 },

	{ "afs_make_fs_call1", 0x10 },

	{ "afs_make_fs_call2", 0x10 },

	{ "afs_protocol_error", 0x1 },

	{ "afs_flock_ev", 0x10 },

	/* cachefiles */

	{ "cachefiles_lookup", 0x1 | 0x200 },

	{ "cachefiles_unlink", 0x1 },

	{ "cachefiles_rename", 0x1 },

	{ "cachefiles_prep_read", 0x1 },

	{ "cachefiles_mark_active", 0x1 },

	{ "cachefiles_mark_failed", 0x1 },

	{ "cachefiles_mark_inactive", 0x1 },

	{ "cachefiles_vfs_error", 0x1 },

	{ "cachefiles_io_error", 0x1 },

	{ "cachefiles_ondemand_open", 0x1 },

	{ "cachefiles_ondemand_copen", 0x1 },

	{ "cachefiles_ondemand_close", 0x1 },

	{ "cachefiles_ondemand_read", 0x1 },

	{ "cachefiles_ondemand_cread", 0x1 },

	{ "cachefiles_ondemand_fd_write", 0x1 },

	{ "cachefiles_ondemand_fd_release", 0x1 },

	/* ext4, from ext4__mballoc event class */

	{ "ext4_mballoc_discard", 0x10 },

	{ "ext4_mballoc_free", 0x10 },

	/* fib */

	{ "fib_table_lookup", 0x100 },

	/* filelock */

	/* ... from filelock_lock event class */

	{ "posix_lock_inode", 0x10 },

	{ "fcntl_setlk", 0x10 },

	{ "locks_remove_posix", 0x10 },

	{ "flock_lock_inode", 0x10 },

	/* ... from filelock_lease event class */

	{ "break_lease_noblock", 0x10 },

	{ "break_lease_block", 0x10 },

	{ "break_lease_unblock", 0x10 },

	{ "generic_delete_lease", 0x10 },

	{ "time_out_leases", 0x10 },

	/* host1x */

	{ "host1x_cdma_push_gather", 0x10000 },

	/* huge_memory */

	{ "mm_khugepaged_scan_pmd", 0x10 },

	{ "mm_collapse_huge_page_isolate", 0x1 },

	{ "mm_khugepaged_scan_file", 0x10 },

	{ "mm_khugepaged_collapse_file", 0x10 },

	/* kmem */

	{ "mm_page_alloc", 0x1 },

	{ "mm_page_pcpu_drain", 0x1 },

	/* .. from mm_page event class */

	{ "mm_page_alloc_zone_locked", 0x1 },

	/* netfs */

	{ "netfs_failure", 0x10 },

	/* power */

	{ "device_pm_callback_start", 0x10 },

	/* qdisc */

	{ "qdisc_dequeue", 0x1000 },

	/* rxrpc */

	{ "rxrpc_recvdata", 0x1 },

	{ "rxrpc_resend", 0x10 },

	/* sunrpc */

	{ "xs_stream_read_data", 0x1 },

	/* ... from xprt_cong_event event class */

	{ "xprt_reserve_cong", 0x10 },

	{ "xprt_release_cong", 0x10 },

	{ "xprt_get_cong", 0x10 },

	{ "xprt_put_cong", 0x10 },

	/* tcp */

	{ "tcp_send_reset", 0x11 },

	/* tegra_apb_dma */

	{ "tegra_dma_tx_status", 0x100 },

	/* timer_migration */

	{ "tmigr_update_events", 0x1 },

	/* writeback, from writeback_folio_template event class */

	{ "writeback_dirty_folio", 0x10 },

	{ "folio_wait_writeback", 0x10 },

	/* rdma */

	{ "mr_integ_alloc", 0x2000 },

	/* bpf_testmod */

	{ "bpf_testmod_test_read", 0x0 },

};

bool btf_ctx_access(int off, int size, enum bpf_access_type type,

bool btf_ctx_access(int off, int size, enum bpf_access_type type,

		    const struct bpf_prog *prog,

		    const struct bpf_prog *prog,

		    struct bpf_insn_access_aux *info)

		    struct bpf_insn_access_aux *info)

	const char *tname = prog->aux->attach_func_name;

	const char *tname = prog->aux->attach_func_name;

	struct bpf_verifier_log *log = info->log;

	struct bpf_verifier_log *log = info->log;

	const struct btf_param *args;

	const struct btf_param *args;

	bool ptr_err_raw_tp = false;

	const char *tag_value;

	const char *tag_value;

	u32 nr_args, arg;

	u32 nr_args, arg;

	int i, ret;

	int i, ret;

	if (prog_args_trusted(prog))

	if (prog_args_trusted(prog))

		info->reg_type |= PTR_TRUSTED;

		info->reg_type |= PTR_TRUSTED;

	if (prog->expected_attach_type == BPF_TRACE_RAW_TP) {

		struct btf *btf = prog->aux->attach_btf;

		const struct btf_type *t;

		const char *tname;

		/* BTF lookups cannot fail, return false on error */

		t = btf_type_by_id(btf, prog->aux->attach_btf_id);

		if (!t)

			return false;

		tname = btf_name_by_offset(btf, t->name_off);

		if (!tname)

			return false;

		/* Checked by bpf_check_attach_target */

		tname += sizeof("btf_trace_") - 1;

		for (i = 0; i < ARRAY_SIZE(raw_tp_null_args); i++) {

			/* Is this a func with potential NULL args? */

			if (strcmp(tname, raw_tp_null_args[i].func))

				continue;

			if (raw_tp_null_args[i].mask & (0x1 << (arg * 4)))

				info->reg_type |= PTR_MAYBE_NULL;

			/* Is the current arg IS_ERR? */

			if (raw_tp_null_args[i].mask & (0x2 << (arg * 4)))

				ptr_err_raw_tp = true;

			break;

		}

		/* If we don't know NULL-ness specification and the tracepoint

		 * is coming from a loadable module, be conservative and mark

		 * argument as PTR_MAYBE_NULL.

		 */

		if (i == ARRAY_SIZE(raw_tp_null_args) && btf_is_module(btf))

			info->reg_type |= PTR_MAYBE_NULL;

	}

	if (tgt_prog) {

	if (tgt_prog) {

		enum bpf_prog_type tgt_type;

		enum bpf_prog_type tgt_type;

	bpf_log(log, "func '%s' arg%d has btf_id %d type %s '%s'\n",

	bpf_log(log, "func '%s' arg%d has btf_id %d type %s '%s'\n",

		tname, arg, info->btf_id, btf_type_str(t),

		tname, arg, info->btf_id, btf_type_str(t),

		__btf_name_by_offset(btf, t->name_off));

		__btf_name_by_offset(btf, t->name_off));

	/* Perform all checks on the validity of type for this argument, but if

	 * we know it can be IS_ERR at runtime, scrub pointer type and mark as

	 * scalar.

	 */

	if (ptr_err_raw_tp) {

		bpf_log(log, "marking pointer arg%d as scalar as it may encode error", arg);

		info->reg_type = SCALAR_VALUE;

	}

	return true;

	return true;

}

}