// SPDX-License-Identifier: GPL-2.0-only1/* Copyright (c) 2026 Meta Platforms, Inc. and affiliates. */2#include <linux/bpf.h>3#include <linux/bpf_verifier.h>4#include <linux/filter.h>5#include <linux/bitmap.h>67#define verbose(env, fmt, args...) bpf_verifier_log_write(env, fmt, ##args)89/* for any branch, call, exit record the history of jmps in the given state */10int bpf_push_jmp_history(struct bpf_verifier_env *env, struct bpf_verifier_state *cur,11int insn_flags, u64 linked_regs)12{13u32 cnt = cur->jmp_history_cnt;14struct bpf_jmp_history_entry *p;15size_t alloc_size;1617/* combine instruction flags if we already recorded this instruction */18if (env->cur_hist_ent) {19/* atomic instructions push insn_flags twice, for READ and20* WRITE sides, but they should agree on stack slot21*/22verifier_bug_if((env->cur_hist_ent->flags & insn_flags) &&23(env->cur_hist_ent->flags & insn_flags) != insn_flags,24env, "insn history: insn_idx %d cur flags %x new flags %x",25env->insn_idx, env->cur_hist_ent->flags, insn_flags);26env->cur_hist_ent->flags |= insn_flags;27verifier_bug_if(env->cur_hist_ent->linked_regs != 0, env,28"insn history: insn_idx %d linked_regs: %#llx",29env->insn_idx, env->cur_hist_ent->linked_regs);30env->cur_hist_ent->linked_regs = linked_regs;31return 0;32}3334cnt++;35alloc_size = kmalloc_size_roundup(size_mul(cnt, sizeof(*p)));36p = krealloc(cur->jmp_history, alloc_size, GFP_KERNEL_ACCOUNT);37if (!p)38return -ENOMEM;39cur->jmp_history = p;4041p = &cur->jmp_history[cnt - 1];42p->idx = env->insn_idx;43p->prev_idx = env->prev_insn_idx;44p->flags = insn_flags;45p->linked_regs = linked_regs;46cur->jmp_history_cnt = cnt;47env->cur_hist_ent = p;4849return 0;50}5152static bool is_atomic_load_insn(const struct bpf_insn *insn)53{54return BPF_CLASS(insn->code) == BPF_STX &&55BPF_MODE(insn->code) == BPF_ATOMIC &&56insn->imm == BPF_LOAD_ACQ;57}5859static bool is_atomic_fetch_insn(const struct bpf_insn *insn)60{61return BPF_CLASS(insn->code) == BPF_STX &&62BPF_MODE(insn->code) == BPF_ATOMIC &&63(insn->imm & BPF_FETCH);64}6566static int insn_stack_access_spi(int insn_flags)67{68return (insn_flags >> INSN_F_SPI_SHIFT) & INSN_F_SPI_MASK;69}7071static int insn_stack_access_frameno(int insn_flags)72{73return insn_flags & INSN_F_FRAMENO_MASK;74}7576/* Backtrack one insn at a time. If idx is not at the top of recorded77* history then previous instruction came from straight line execution.78* Return -ENOENT if we exhausted all instructions within given state.79*80* It's legal to have a bit of a looping with the same starting and ending81* insn index within the same state, e.g.: 3->4->5->3, so just because current82* instruction index is the same as state's first_idx doesn't mean we are83* done. If there is still some jump history left, we should keep going. We84* need to take into account that we might have a jump history between given85* state's parent and itself, due to checkpointing. In this case, we'll have86* history entry recording a jump from last instruction of parent state and87* first instruction of given state.88*/89static int get_prev_insn_idx(struct bpf_verifier_state *st, int i,90u32 *history)91{92u32 cnt = *history;9394if (i == st->first_insn_idx) {95if (cnt == 0)96return -ENOENT;97if (cnt == 1 && st->jmp_history[0].idx == i)98return -ENOENT;99}100101if (cnt && st->jmp_history[cnt - 1].idx == i) {102i = st->jmp_history[cnt - 1].prev_idx;103(*history)--;104} else {105i--;106}107return i;108}109110static struct bpf_jmp_history_entry *get_jmp_hist_entry(struct bpf_verifier_state *st,111u32 hist_end, int insn_idx)112{113if (hist_end > 0 && st->jmp_history[hist_end - 1].idx == insn_idx)114return &st->jmp_history[hist_end - 1];115return NULL;116}117118static inline void bt_init(struct backtrack_state *bt, u32 frame)119{120bt->frame = frame;121}122123static inline void bt_reset(struct backtrack_state *bt)124{125struct bpf_verifier_env *env = bt->env;126127memset(bt, 0, sizeof(*bt));128bt->env = env;129}130131static inline u32 bt_empty(struct backtrack_state *bt)132{133u64 mask = 0;134int i;135136for (i = 0; i <= bt->frame; i++)137mask |= bt->reg_masks[i] | bt->stack_masks[i];138139return mask == 0;140}141142static inline int bt_subprog_enter(struct backtrack_state *bt)143{144if (bt->frame == MAX_CALL_FRAMES - 1) {145verifier_bug(bt->env, "subprog enter from frame %d", bt->frame);146return -EFAULT;147}148bt->frame++;149return 0;150}151152static inline int bt_subprog_exit(struct backtrack_state *bt)153{154if (bt->frame == 0) {155verifier_bug(bt->env, "subprog exit from frame 0");156return -EFAULT;157}158bt->frame--;159return 0;160}161162static inline void bt_clear_frame_reg(struct backtrack_state *bt, u32 frame, u32 reg)163{164bt->reg_masks[frame] &= ~(1 << reg);165}166167static inline void bt_set_reg(struct backtrack_state *bt, u32 reg)168{169bpf_bt_set_frame_reg(bt, bt->frame, reg);170}171172static inline void bt_clear_reg(struct backtrack_state *bt, u32 reg)173{174bt_clear_frame_reg(bt, bt->frame, reg);175}176177static inline void bt_clear_frame_slot(struct backtrack_state *bt, u32 frame, u32 slot)178{179bt->stack_masks[frame] &= ~(1ull << slot);180}181182static inline u32 bt_frame_reg_mask(struct backtrack_state *bt, u32 frame)183{184return bt->reg_masks[frame];185}186187static inline u32 bt_reg_mask(struct backtrack_state *bt)188{189return bt->reg_masks[bt->frame];190}191192static inline u64 bt_frame_stack_mask(struct backtrack_state *bt, u32 frame)193{194return bt->stack_masks[frame];195}196197static inline u64 bt_stack_mask(struct backtrack_state *bt)198{199return bt->stack_masks[bt->frame];200}201202static inline bool bt_is_reg_set(struct backtrack_state *bt, u32 reg)203{204return bt->reg_masks[bt->frame] & (1 << reg);205}206207208/* format registers bitmask, e.g., "r0,r2,r4" for 0x15 mask */209static void fmt_reg_mask(char *buf, ssize_t buf_sz, u32 reg_mask)210{211DECLARE_BITMAP(mask, 64);212bool first = true;213int i, n;214215buf[0] = '\0';216217bitmap_from_u64(mask, reg_mask);218for_each_set_bit(i, mask, 32) {219n = snprintf(buf, buf_sz, "%sr%d", first ? "" : ",", i);220first = false;221buf += n;222buf_sz -= n;223if (buf_sz < 0)224break;225}226}227/* format stack slots bitmask, e.g., "-8,-24,-40" for 0x15 mask */228void bpf_fmt_stack_mask(char *buf, ssize_t buf_sz, u64 stack_mask)229{230DECLARE_BITMAP(mask, 64);231bool first = true;232int i, n;233234buf[0] = '\0';235236bitmap_from_u64(mask, stack_mask);237for_each_set_bit(i, mask, 64) {238n = snprintf(buf, buf_sz, "%s%d", first ? "" : ",", -(i + 1) * 8);239first = false;240buf += n;241buf_sz -= n;242if (buf_sz < 0)243break;244}245}246247248/* For given verifier state backtrack_insn() is called from the last insn to249* the first insn. Its purpose is to compute a bitmask of registers and250* stack slots that needs precision in the parent verifier state.251*252* @idx is an index of the instruction we are currently processing;253* @subseq_idx is an index of the subsequent instruction that:254* - *would be* executed next, if jump history is viewed in forward order;255* - *was* processed previously during backtracking.256*/257static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx,258struct bpf_jmp_history_entry *hist, struct backtrack_state *bt)259{260struct bpf_insn *insn = env->prog->insnsi + idx;261u8 class = BPF_CLASS(insn->code);262u8 opcode = BPF_OP(insn->code);263u8 mode = BPF_MODE(insn->code);264u32 dreg = insn->dst_reg;265u32 sreg = insn->src_reg;266u32 spi, i, fr;267268if (insn->code == 0)269return 0;270if (env->log.level & BPF_LOG_LEVEL2) {271fmt_reg_mask(env->tmp_str_buf, TMP_STR_BUF_LEN, bt_reg_mask(bt));272verbose(env, "mark_precise: frame%d: regs=%s ",273bt->frame, env->tmp_str_buf);274bpf_fmt_stack_mask(env->tmp_str_buf, TMP_STR_BUF_LEN, bt_stack_mask(bt));275verbose(env, "stack=%s before ", env->tmp_str_buf);276verbose(env, "%d: ", idx);277bpf_verbose_insn(env, insn);278}279280/* If there is a history record that some registers gained range at this insn,281* propagate precision marks to those registers, so that bt_is_reg_set()282* accounts for these registers.283*/284bpf_bt_sync_linked_regs(bt, hist);285286if (class == BPF_ALU || class == BPF_ALU64) {287if (!bt_is_reg_set(bt, dreg))288return 0;289if (opcode == BPF_END || opcode == BPF_NEG) {290/* sreg is reserved and unused291* dreg still need precision before this insn292*/293return 0;294} else if (opcode == BPF_MOV) {295if (BPF_SRC(insn->code) == BPF_X) {296/* dreg = sreg or dreg = (s8, s16, s32)sreg297* dreg needs precision after this insn298* sreg needs precision before this insn299*/300bt_clear_reg(bt, dreg);301if (sreg != BPF_REG_FP)302bt_set_reg(bt, sreg);303} else {304/* dreg = K305* dreg needs precision after this insn.306* Corresponding register is already marked307* as precise=true in this verifier state.308* No further markings in parent are necessary309*/310bt_clear_reg(bt, dreg);311}312} else {313if (BPF_SRC(insn->code) == BPF_X) {314/* dreg += sreg315* both dreg and sreg need precision316* before this insn317*/318if (sreg != BPF_REG_FP)319bt_set_reg(bt, sreg);320} /* else dreg += K321* dreg still needs precision before this insn322*/323}324} else if (class == BPF_LDX ||325is_atomic_load_insn(insn) ||326is_atomic_fetch_insn(insn)) {327u32 load_reg = dreg;328329/*330* Atomic fetch operation writes the old value into331* a register (sreg or r0) and if it was tracked for332* precision, propagate to the stack slot like we do333* in regular ldx.334*/335if (is_atomic_fetch_insn(insn))336load_reg = insn->imm == BPF_CMPXCHG ?337BPF_REG_0 : sreg;338339if (!bt_is_reg_set(bt, load_reg))340return 0;341bt_clear_reg(bt, load_reg);342343/* scalars can only be spilled into stack w/o losing precision.344* Load from any other memory can be zero extended.345* The desire to keep that precision is already indicated346* by 'precise' mark in corresponding register of this state.347* No further tracking necessary.348*/349if (!hist || !(hist->flags & INSN_F_STACK_ACCESS))350return 0;351/* dreg = *(u64 *)[fp - off] was a fill from the stack.352* that [fp - off] slot contains scalar that needs to be353* tracked with precision354*/355spi = insn_stack_access_spi(hist->flags);356fr = insn_stack_access_frameno(hist->flags);357bpf_bt_set_frame_slot(bt, fr, spi);358} else if (class == BPF_STX || class == BPF_ST) {359if (bt_is_reg_set(bt, dreg))360/* stx & st shouldn't be using _scalar_ dst_reg361* to access memory. It means backtracking362* encountered a case of pointer subtraction.363*/364return -ENOTSUPP;365/* scalars can only be spilled into stack */366if (!hist || !(hist->flags & INSN_F_STACK_ACCESS))367return 0;368spi = insn_stack_access_spi(hist->flags);369fr = insn_stack_access_frameno(hist->flags);370if (!bt_is_frame_slot_set(bt, fr, spi))371return 0;372bt_clear_frame_slot(bt, fr, spi);373if (class == BPF_STX)374bt_set_reg(bt, sreg);375} else if (class == BPF_JMP || class == BPF_JMP32) {376if (bpf_pseudo_call(insn)) {377int subprog_insn_idx, subprog;378379subprog_insn_idx = idx + insn->imm + 1;380subprog = bpf_find_subprog(env, subprog_insn_idx);381if (subprog < 0)382return -EFAULT;383384if (bpf_subprog_is_global(env, subprog)) {385/* check that jump history doesn't have any386* extra instructions from subprog; the next387* instruction after call to global subprog388* should be literally next instruction in389* caller program390*/391verifier_bug_if(idx + 1 != subseq_idx, env,392"extra insn from subprog");393/* r1-r5 are invalidated after subprog call,394* so for global func call it shouldn't be set395* anymore396*/397if (bt_reg_mask(bt) & BPF_REGMASK_ARGS) {398verifier_bug(env, "global subprog unexpected regs %x",399bt_reg_mask(bt));400return -EFAULT;401}402/* global subprog always sets R0 */403bt_clear_reg(bt, BPF_REG_0);404return 0;405} else {406/* static subprog call instruction, which407* means that we are exiting current subprog,408* so only r1-r5 could be still requested as409* precise, r0 and r6-r10 or any stack slot in410* the current frame should be zero by now411*/412if (bt_reg_mask(bt) & ~BPF_REGMASK_ARGS) {413verifier_bug(env, "static subprog unexpected regs %x",414bt_reg_mask(bt));415return -EFAULT;416}417/* we are now tracking register spills correctly,418* so any instance of leftover slots is a bug419*/420if (bt_stack_mask(bt) != 0) {421verifier_bug(env,422"static subprog leftover stack slots %llx",423bt_stack_mask(bt));424return -EFAULT;425}426/* propagate r1-r5 to the caller */427for (i = BPF_REG_1; i <= BPF_REG_5; i++) {428if (bt_is_reg_set(bt, i)) {429bt_clear_reg(bt, i);430bpf_bt_set_frame_reg(bt, bt->frame - 1, i);431}432}433if (bt_subprog_exit(bt))434return -EFAULT;435return 0;436}437} else if (bpf_is_sync_callback_calling_insn(insn) && idx != subseq_idx - 1) {438/* exit from callback subprog to callback-calling helper or439* kfunc call. Use idx/subseq_idx check to discern it from440* straight line code backtracking.441* Unlike the subprog call handling above, we shouldn't442* propagate precision of r1-r5 (if any requested), as they are443* not actually arguments passed directly to callback subprogs444*/445if (bt_reg_mask(bt) & ~BPF_REGMASK_ARGS) {446verifier_bug(env, "callback unexpected regs %x",447bt_reg_mask(bt));448return -EFAULT;449}450if (bt_stack_mask(bt) != 0) {451verifier_bug(env, "callback leftover stack slots %llx",452bt_stack_mask(bt));453return -EFAULT;454}455/* clear r1-r5 in callback subprog's mask */456for (i = BPF_REG_1; i <= BPF_REG_5; i++)457bt_clear_reg(bt, i);458if (bt_subprog_exit(bt))459return -EFAULT;460return 0;461} else if (opcode == BPF_CALL) {462/* kfunc with imm==0 is invalid and fixup_kfunc_call will463* catch this error later. Make backtracking conservative464* with ENOTSUPP.465*/466if (insn->src_reg == BPF_PSEUDO_KFUNC_CALL && insn->imm == 0)467return -ENOTSUPP;468/* regular helper call sets R0 */469bt_clear_reg(bt, BPF_REG_0);470if (bt_reg_mask(bt) & BPF_REGMASK_ARGS) {471/* if backtracking was looking for registers R1-R5472* they should have been found already.473*/474verifier_bug(env, "backtracking call unexpected regs %x",475bt_reg_mask(bt));476return -EFAULT;477}478if (insn->src_reg == BPF_REG_0 && insn->imm == BPF_FUNC_tail_call479&& subseq_idx - idx != 1) {480if (bt_subprog_enter(bt))481return -EFAULT;482}483} else if (opcode == BPF_EXIT) {484bool r0_precise;485486/* Backtracking to a nested function call, 'idx' is a part of487* the inner frame 'subseq_idx' is a part of the outer frame.488* In case of a regular function call, instructions giving489* precision to registers R1-R5 should have been found already.490* In case of a callback, it is ok to have R1-R5 marked for491* backtracking, as these registers are set by the function492* invoking callback.493*/494if (subseq_idx >= 0 && bpf_calls_callback(env, subseq_idx))495for (i = BPF_REG_1; i <= BPF_REG_5; i++)496bt_clear_reg(bt, i);497if (bt_reg_mask(bt) & BPF_REGMASK_ARGS) {498verifier_bug(env, "backtracking exit unexpected regs %x",499bt_reg_mask(bt));500return -EFAULT;501}502503/* BPF_EXIT in subprog or callback always returns504* right after the call instruction, so by checking505* whether the instruction at subseq_idx-1 is subprog506* call or not we can distinguish actual exit from507* *subprog* from exit from *callback*. In the former508* case, we need to propagate r0 precision, if509* necessary. In the former we never do that.510*/511r0_precise = subseq_idx - 1 >= 0 &&512bpf_pseudo_call(&env->prog->insnsi[subseq_idx - 1]) &&513bt_is_reg_set(bt, BPF_REG_0);514515bt_clear_reg(bt, BPF_REG_0);516if (bt_subprog_enter(bt))517return -EFAULT;518519if (r0_precise)520bt_set_reg(bt, BPF_REG_0);521/* r6-r9 and stack slots will stay set in caller frame522* bitmasks until we return back from callee(s)523*/524return 0;525} else if (BPF_SRC(insn->code) == BPF_X) {526if (!bt_is_reg_set(bt, dreg) && !bt_is_reg_set(bt, sreg))527return 0;528/* dreg <cond> sreg529* Both dreg and sreg need precision before530* this insn. If only sreg was marked precise531* before it would be equally necessary to532* propagate it to dreg.533*/534if (!hist || !(hist->flags & INSN_F_SRC_REG_STACK))535bt_set_reg(bt, sreg);536if (!hist || !(hist->flags & INSN_F_DST_REG_STACK))537bt_set_reg(bt, dreg);538} else if (BPF_SRC(insn->code) == BPF_K) {539/* dreg <cond> K540* Only dreg still needs precision before541* this insn, so for the K-based conditional542* there is nothing new to be marked.543*/544}545} else if (class == BPF_LD) {546if (!bt_is_reg_set(bt, dreg))547return 0;548bt_clear_reg(bt, dreg);549/* It's ld_imm64 or ld_abs or ld_ind.550* For ld_imm64 no further tracking of precision551* into parent is necessary552*/553if (mode == BPF_IND || mode == BPF_ABS)554/* to be analyzed */555return -ENOTSUPP;556}557/* Propagate precision marks to linked registers, to account for558* registers marked as precise in this function.559*/560bpf_bt_sync_linked_regs(bt, hist);561return 0;562}563564/* the scalar precision tracking algorithm:565* . at the start all registers have precise=false.566* . scalar ranges are tracked as normal through alu and jmp insns.567* . once precise value of the scalar register is used in:568* . ptr + scalar alu569* . if (scalar cond K|scalar)570* . helper_call(.., scalar, ...) where ARG_CONST is expected571* backtrack through the verifier states and mark all registers and572* stack slots with spilled constants that these scalar registers573* should be precise.574* . during state pruning two registers (or spilled stack slots)575* are equivalent if both are not precise.576*577* Note the verifier cannot simply walk register parentage chain,578* since many different registers and stack slots could have been579* used to compute single precise scalar.580*581* The approach of starting with precise=true for all registers and then582* backtrack to mark a register as not precise when the verifier detects583* that program doesn't care about specific value (e.g., when helper584* takes register as ARG_ANYTHING parameter) is not safe.585*586* It's ok to walk single parentage chain of the verifier states.587* It's possible that this backtracking will go all the way till 1st insn.588* All other branches will be explored for needing precision later.589*590* The backtracking needs to deal with cases like:591* R8=map_value(id=0,off=0,ks=4,vs=1952,imm=0) R9_w=map_value(id=0,off=40,ks=4,vs=1952,imm=0)592* r9 -= r8593* r5 = r9594* if r5 > 0x79f goto pc+7595* R5_w=inv(id=0,umax_value=1951,var_off=(0x0; 0x7ff))596* r5 += 1597* ...598* call bpf_perf_event_output#25599* where .arg5_type = ARG_CONST_SIZE_OR_ZERO600*601* and this case:602* r6 = 1603* call foo // uses callee's r6 inside to compute r0604* r0 += r6605* if r0 == 0 goto606*607* to track above reg_mask/stack_mask needs to be independent for each frame.608*609* Also if parent's curframe > frame where backtracking started,610* the verifier need to mark registers in both frames, otherwise callees611* may incorrectly prune callers. This is similar to612* commit 7640ead93924 ("bpf: verifier: make sure callees don't prune with caller differences")613*614* For now backtracking falls back into conservative marking.615*/616void bpf_mark_all_scalars_precise(struct bpf_verifier_env *env,617struct bpf_verifier_state *st)618{619struct bpf_func_state *func;620struct bpf_reg_state *reg;621int i, j;622623if (env->log.level & BPF_LOG_LEVEL2) {624verbose(env, "mark_precise: frame%d: falling back to forcing all scalars precise\n",625st->curframe);626}627628/* big hammer: mark all scalars precise in this path.629* pop_stack may still get !precise scalars.630* We also skip current state and go straight to first parent state,631* because precision markings in current non-checkpointed state are632* not needed. See why in the comment in __mark_chain_precision below.633*/634for (st = st->parent; st; st = st->parent) {635for (i = 0; i <= st->curframe; i++) {636func = st->frame[i];637for (j = 0; j < BPF_REG_FP; j++) {638reg = &func->regs[j];639if (reg->type != SCALAR_VALUE || reg->precise)640continue;641reg->precise = true;642if (env->log.level & BPF_LOG_LEVEL2) {643verbose(env, "force_precise: frame%d: forcing r%d to be precise\n",644i, j);645}646}647for (j = 0; j < func->allocated_stack / BPF_REG_SIZE; j++) {648if (!bpf_is_spilled_reg(&func->stack[j]))649continue;650reg = &func->stack[j].spilled_ptr;651if (reg->type != SCALAR_VALUE || reg->precise)652continue;653reg->precise = true;654if (env->log.level & BPF_LOG_LEVEL2) {655verbose(env, "force_precise: frame%d: forcing fp%d to be precise\n",656i, -(j + 1) * 8);657}658}659}660}661}662663/*664* bpf_mark_chain_precision() backtracks BPF program instruction sequence and665* chain of verifier states making sure that register *regno* (if regno >= 0)666* and/or stack slot *spi* (if spi >= 0) are marked as precisely tracked667* SCALARS, as well as any other registers and slots that contribute to668* a tracked state of given registers/stack slots, depending on specific BPF669* assembly instructions (see backtrack_insns() for exact instruction handling670* logic). This backtracking relies on recorded jmp_history and is able to671* traverse entire chain of parent states. This process ends only when all the672* necessary registers/slots and their transitive dependencies are marked as673* precise.674*675* One important and subtle aspect is that precise marks *do not matter* in676* the currently verified state (current state). It is important to understand677* why this is the case.678*679* First, note that current state is the state that is not yet "checkpointed",680* i.e., it is not yet put into env->explored_states, and it has no children681* states as well. It's ephemeral, and can end up either a) being discarded if682* compatible explored state is found at some point or BPF_EXIT instruction is683* reached or b) checkpointed and put into env->explored_states, branching out684* into one or more children states.685*686* In the former case, precise markings in current state are completely687* ignored by state comparison code (see regsafe() for details). Only688* checkpointed ("old") state precise markings are important, and if old689* state's register/slot is precise, regsafe() assumes current state's690* register/slot as precise and checks value ranges exactly and precisely. If691* states turn out to be compatible, current state's necessary precise692* markings and any required parent states' precise markings are enforced693* after the fact with propagate_precision() logic, after the fact. But it's694* important to realize that in this case, even after marking current state695* registers/slots as precise, we immediately discard current state. So what696* actually matters is any of the precise markings propagated into current697* state's parent states, which are always checkpointed (due to b) case above).698* As such, for scenario a) it doesn't matter if current state has precise699* markings set or not.700*701* Now, for the scenario b), checkpointing and forking into child(ren)702* state(s). Note that before current state gets to checkpointing step, any703* processed instruction always assumes precise SCALAR register/slot704* knowledge: if precise value or range is useful to prune jump branch, BPF705* verifier takes this opportunity enthusiastically. Similarly, when706* register's value is used to calculate offset or memory address, exact707* knowledge of SCALAR range is assumed, checked, and enforced. So, similar to708* what we mentioned above about state comparison ignoring precise markings709* during state comparison, BPF verifier ignores and also assumes precise710* markings *at will* during instruction verification process. But as verifier711* assumes precision, it also propagates any precision dependencies across712* parent states, which are not yet finalized, so can be further restricted713* based on new knowledge gained from restrictions enforced by their children714* states. This is so that once those parent states are finalized, i.e., when715* they have no more active children state, state comparison logic in716* is_state_visited() would enforce strict and precise SCALAR ranges, if717* required for correctness.718*719* To build a bit more intuition, note also that once a state is checkpointed,720* the path we took to get to that state is not important. This is crucial721* property for state pruning. When state is checkpointed and finalized at722* some instruction index, it can be correctly and safely used to "short723* circuit" any *compatible* state that reaches exactly the same instruction724* index. I.e., if we jumped to that instruction from a completely different725* code path than original finalized state was derived from, it doesn't726* matter, current state can be discarded because from that instruction727* forward having a compatible state will ensure we will safely reach the728* exit. States describe preconditions for further exploration, but completely729* forget the history of how we got here.730*731* This also means that even if we needed precise SCALAR range to get to732* finalized state, but from that point forward *that same* SCALAR register is733* never used in a precise context (i.e., it's precise value is not needed for734* correctness), it's correct and safe to mark such register as "imprecise"735* (i.e., precise marking set to false). This is what we rely on when we do736* not set precise marking in current state. If no child state requires737* precision for any given SCALAR register, it's safe to dictate that it can738* be imprecise. If any child state does require this register to be precise,739* we'll mark it precise later retroactively during precise markings740* propagation from child state to parent states.741*742* Skipping precise marking setting in current state is a mild version of743* relying on the above observation. But we can utilize this property even744* more aggressively by proactively forgetting any precise marking in the745* current state (which we inherited from the parent state), right before we746* checkpoint it and branch off into new child state. This is done by747* mark_all_scalars_imprecise() to hopefully get more permissive and generic748* finalized states which help in short circuiting more future states.749*/750int bpf_mark_chain_precision(struct bpf_verifier_env *env,751struct bpf_verifier_state *starting_state,752int regno,753bool *changed)754{755struct bpf_verifier_state *st = starting_state;756struct backtrack_state *bt = &env->bt;757int first_idx = st->first_insn_idx;758int last_idx = starting_state->insn_idx;759int subseq_idx = -1;760struct bpf_func_state *func;761bool tmp, skip_first = true;762struct bpf_reg_state *reg;763int i, fr, err;764765if (!env->bpf_capable)766return 0;767768changed = changed ?: &tmp;769/* set frame number from which we are starting to backtrack */770bt_init(bt, starting_state->curframe);771772/* Do sanity checks against current state of register and/or stack773* slot, but don't set precise flag in current state, as precision774* tracking in the current state is unnecessary.775*/776func = st->frame[bt->frame];777if (regno >= 0) {778reg = &func->regs[regno];779if (reg->type != SCALAR_VALUE) {780verifier_bug(env, "backtracking misuse");781return -EFAULT;782}783bt_set_reg(bt, regno);784}785786if (bt_empty(bt))787return 0;788789for (;;) {790DECLARE_BITMAP(mask, 64);791u32 history = st->jmp_history_cnt;792struct bpf_jmp_history_entry *hist;793794if (env->log.level & BPF_LOG_LEVEL2) {795verbose(env, "mark_precise: frame%d: last_idx %d first_idx %d subseq_idx %d \n",796bt->frame, last_idx, first_idx, subseq_idx);797}798799if (last_idx < 0) {800/* we are at the entry into subprog, which801* is expected for global funcs, but only if802* requested precise registers are R1-R5803* (which are global func's input arguments)804*/805if (st->curframe == 0 &&806st->frame[0]->subprogno > 0 &&807st->frame[0]->callsite == BPF_MAIN_FUNC &&808bt_stack_mask(bt) == 0 &&809(bt_reg_mask(bt) & ~BPF_REGMASK_ARGS) == 0) {810bitmap_from_u64(mask, bt_reg_mask(bt));811for_each_set_bit(i, mask, 32) {812reg = &st->frame[0]->regs[i];813bt_clear_reg(bt, i);814if (reg->type == SCALAR_VALUE) {815reg->precise = true;816*changed = true;817}818}819return 0;820}821822verifier_bug(env, "backtracking func entry subprog %d reg_mask %x stack_mask %llx",823st->frame[0]->subprogno, bt_reg_mask(bt), bt_stack_mask(bt));824return -EFAULT;825}826827for (i = last_idx;;) {828if (skip_first) {829err = 0;830skip_first = false;831} else {832hist = get_jmp_hist_entry(st, history, i);833err = backtrack_insn(env, i, subseq_idx, hist, bt);834}835if (err == -ENOTSUPP) {836bpf_mark_all_scalars_precise(env, starting_state);837bt_reset(bt);838return 0;839} else if (err) {840return err;841}842if (bt_empty(bt))843/* Found assignment(s) into tracked register in this state.844* Since this state is already marked, just return.845* Nothing to be tracked further in the parent state.846*/847return 0;848subseq_idx = i;849i = get_prev_insn_idx(st, i, &history);850if (i == -ENOENT)851break;852if (i >= env->prog->len) {853/* This can happen if backtracking reached insn 0854* and there are still reg_mask or stack_mask855* to backtrack.856* It means the backtracking missed the spot where857* particular register was initialized with a constant.858*/859verifier_bug(env, "backtracking idx %d", i);860return -EFAULT;861}862}863st = st->parent;864if (!st)865break;866867for (fr = bt->frame; fr >= 0; fr--) {868func = st->frame[fr];869bitmap_from_u64(mask, bt_frame_reg_mask(bt, fr));870for_each_set_bit(i, mask, 32) {871reg = &func->regs[i];872if (reg->type != SCALAR_VALUE) {873bt_clear_frame_reg(bt, fr, i);874continue;875}876if (reg->precise) {877bt_clear_frame_reg(bt, fr, i);878} else {879reg->precise = true;880*changed = true;881}882}883884bitmap_from_u64(mask, bt_frame_stack_mask(bt, fr));885for_each_set_bit(i, mask, 64) {886if (verifier_bug_if(i >= func->allocated_stack / BPF_REG_SIZE,887env, "stack slot %d, total slots %d",888i, func->allocated_stack / BPF_REG_SIZE))889return -EFAULT;890891if (!bpf_is_spilled_scalar_reg(&func->stack[i])) {892bt_clear_frame_slot(bt, fr, i);893continue;894}895reg = &func->stack[i].spilled_ptr;896if (reg->precise) {897bt_clear_frame_slot(bt, fr, i);898} else {899reg->precise = true;900*changed = true;901}902}903if (env->log.level & BPF_LOG_LEVEL2) {904fmt_reg_mask(env->tmp_str_buf, TMP_STR_BUF_LEN,905bt_frame_reg_mask(bt, fr));906verbose(env, "mark_precise: frame%d: parent state regs=%s ",907fr, env->tmp_str_buf);908bpf_fmt_stack_mask(env->tmp_str_buf, TMP_STR_BUF_LEN,909bt_frame_stack_mask(bt, fr));910verbose(env, "stack=%s: ", env->tmp_str_buf);911print_verifier_state(env, st, fr, true);912}913}914915if (bt_empty(bt))916return 0;917918subseq_idx = first_idx;919last_idx = st->last_insn_idx;920first_idx = st->first_insn_idx;921}922923/* if we still have requested precise regs or slots, we missed924* something (e.g., stack access through non-r10 register), so925* fallback to marking all precise926*/927if (!bt_empty(bt)) {928bpf_mark_all_scalars_precise(env, starting_state);929bt_reset(bt);930}931932return 0;933}934935936