// SPDX-License-Identifier: GPL-2.0-only
/* Copyright (c) 2011-2014 PLUMgrid, http://plumgrid.com
 * Copyright (c) 2016 Facebook
 * Copyright (c) 2018 Covalent IO, Inc. http://covalent.io
 */
#include <uapi/linux/btf.h>
#include <linux/kernel.h>
#include <linux/types.h>
#include <linux/slab.h>
#include <linux/bpf.h>
#include <linux/btf.h>
#include <linux/bpf_verifier.h>
#include <linux/filter.h>
#include <net/netlink.h>
#include <linux/file.h>
#include <linux/vmalloc.h>
#include <linux/stringify.h>
#include <linux/bsearch.h>
#include <linux/sort.h>
#include <linux/perf_event.h>
#include <linux/ctype.h>
#include <linux/error-injection.h>
#include <linux/bpf_lsm.h>
#include <linux/btf_ids.h>

#include "disasm.h"

static const struct bpf_verifier_ops * const bpf_verifier_ops[] = {
#define BPF_PROG_TYPE(_id, _name, prog_ctx_type, kern_ctx_type) \
        [_id] = & _name ## _verifier_ops,
#define BPF_MAP_TYPE(_id, _ops)
#define BPF_LINK_TYPE(_id, _name)
#include <linux/bpf_types.h>
#undef BPF_PROG_TYPE
#undef BPF_MAP_TYPE
#undef BPF_LINK_TYPE
};

/* bpf_check() is a static code analyzer that walks eBPF program
 * instruction by instruction and updates register/stack state.
 * All paths of conditional branches are analyzed until 'bpf_exit' insn.
 *
 * The first pass is depth-first-search to check that the program is a DAG.
 * It rejects the following programs:
 * - larger than BPF_MAXINSNS insns
 * - if loop is present (detected via back-edge)
 * - unreachable insns exist (shouldn't be a forest. program = one function)
 * - out of bounds or malformed jumps
 * The second pass is all possible path descent from the 1st insn.
 * Since it's analyzing all paths through the program, the length of the
 * analysis is limited to 64k insn, which may be hit even if total number of
 * insn is less then 4K, but there are too many branches that change stack/regs.
 * Number of 'branches to be analyzed' is limited to 1k
 *
 * On entry to each instruction, each register has a type, and the instruction
 * changes the types of the registers depending on instruction semantics.
 * If instruction is BPF_MOV64_REG(BPF_REG_1, BPF_REG_5), then type of R5 is
 * copied to R1.
 *
 * All registers are 64-bit.
 * R0 - return register
 * R1-R5 argument passing registers
 * R6-R9 callee saved registers
 * R10 - frame pointer read-only
 *
 * At the start of BPF program the register R1 contains a pointer to bpf_context
 * and has type PTR_TO_CTX.
 *
 * Verifier tracks arithmetic operations on pointers in case:
 *    BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
 *    BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -20),
 * 1st insn copies R10 (which has FRAME_PTR) type into R1
 * and 2nd arithmetic instruction is pattern matched to recognize
 * that it wants to construct a pointer to some element within stack.
 * So after 2nd insn, the register R1 has type PTR_TO_STACK
 * (and -20 constant is saved for further stack bounds checking).
 * Meaning that this reg is a pointer to stack plus known immediate constant.
 *
 * Most of the time the registers have SCALAR_VALUE type, which
 * means the register has some value, but it's not a valid pointer.
 * (like pointer plus pointer becomes SCALAR_VALUE type)
 *
 * When verifier sees load or store instructions the type of base register
 * can be: PTR_TO_MAP_VALUE, PTR_TO_CTX, PTR_TO_STACK, PTR_TO_SOCKET. These are
 * four pointer types recognized by check_mem_access() function.
 *
 * PTR_TO_MAP_VALUE means that this register is pointing to 'map element value'
 * and the range of [ptr, ptr + map's value_size) is accessible.
 *
 * registers used to pass values to function calls are checked against
 * function argument constraints.
 *
 * ARG_PTR_TO_MAP_KEY is one of such argument constraints.
 * It means that the register type passed to this function must be
 * PTR_TO_STACK and it will be used inside the function as
 * 'pointer to map element key'
 *
 * For example the argument constraints for bpf_map_lookup_elem():
 *   .ret_type = RET_PTR_TO_MAP_VALUE_OR_NULL,
 *   .arg1_type = ARG_CONST_MAP_PTR,
 *   .arg2_type = ARG_PTR_TO_MAP_KEY,
 *
 * ret_type says that this function returns 'pointer to map elem value or null'
 * function expects 1st argument to be a const pointer to 'struct bpf_map' and
 * 2nd argument should be a pointer to stack, which will be used inside
 * the helper function as a pointer to map element key.
 *
 * On the kernel side the helper function looks like:
 * u64 bpf_map_lookup_elem(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5)
 * {
 *    struct bpf_map *map = (struct bpf_map *) (unsigned long) r1;
 *    void *key = (void *) (unsigned long) r2;
 *    void *value;
 *
 *    here kernel can access 'key' and 'map' pointers safely, knowing that
 *    [key, key + map->key_size) bytes are valid and were initialized on
 *    the stack of eBPF program.
 * }
 *
 * Corresponding eBPF program may look like:
 *    BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),  // after this insn R2 type is FRAME_PTR
 *    BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), // after this insn R2 type is PTR_TO_STACK
 *    BPF_LD_MAP_FD(BPF_REG_1, map_fd),      // after this insn R1 type is CONST_PTR_TO_MAP
 *    BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
 * here verifier looks at prototype of map_lookup_elem() and sees:
 * .arg1_type == ARG_CONST_MAP_PTR and R1->type == CONST_PTR_TO_MAP, which is ok,
 * Now verifier knows that this map has key of R1->map_ptr->key_size bytes
 *
 * Then .arg2_type == ARG_PTR_TO_MAP_KEY and R2->type == PTR_TO_STACK, ok so far,
 * Now verifier checks that [R2, R2 + map's key_size) are within stack limits
 * and were initialized prior to this call.
 * If it's ok, then verifier allows this BPF_CALL insn and looks at
 * .ret_type which is RET_PTR_TO_MAP_VALUE_OR_NULL, so it sets
 * R0->type = PTR_TO_MAP_VALUE_OR_NULL which means bpf_map_lookup_elem() function
 * returns either pointer to map value or NULL.
 *
 * When type PTR_TO_MAP_VALUE_OR_NULL passes through 'if (reg != 0) goto +off'
 * insn, the register holding that pointer in the true branch changes state to
 * PTR_TO_MAP_VALUE and the same register changes state to CONST_IMM in the false
 * branch. See check_cond_jmp_op().
 *
 * After the call R0 is set to return type of the function and registers R1-R5
 * are set to NOT_INIT to indicate that they are no longer readable.
 *
 * The following reference types represent a potential reference to a kernel
 * resource which, after first being allocated, must be checked and freed by
 * the BPF program:
 * - PTR_TO_SOCKET_OR_NULL, PTR_TO_SOCKET
 *
 * When the verifier sees a helper call return a reference type, it allocates a
 * pointer id for the reference and stores it in the current function state.
 * Similar to the way that PTR_TO_MAP_VALUE_OR_NULL is converted into
 * PTR_TO_MAP_VALUE, PTR_TO_SOCKET_OR_NULL becomes PTR_TO_SOCKET when the type
 * passes through a NULL-check conditional. For the branch wherein the state is
 * changed to CONST_IMM, the verifier releases the reference.
 *
 * For each helper function that allocates a reference, such as
 * bpf_sk_lookup_tcp(), there is a corresponding release function, such as
 * bpf_sk_release(). When a reference type passes into the release function,
 * the verifier also releases the reference. If any unchecked or unreleased
 * reference remains at the end of the program, the verifier rejects it.
 */

/* verifier_state + insn_idx are pushed to stack when branch is encountered */
struct bpf_verifier_stack_elem {
        /* verifer state is 'st'
         * before processing instruction 'insn_idx'
         * and after processing instruction 'prev_insn_idx'
         */
        struct bpf_verifier_state st;
        int insn_idx;
        int prev_insn_idx;
        struct bpf_verifier_stack_elem *next;
        /* length of verifier log at the time this state was pushed on stack */
        u32 log_pos;
};

#define BPF_COMPLEXITY_LIMIT_JMP_SEQ    8192
#define BPF_COMPLEXITY_LIMIT_STATES     64

#define BPF_MAP_KEY_POISON      (1ULL << 63)
#define BPF_MAP_KEY_SEEN        (1ULL << 62)

#define BPF_MAP_PTR_UNPRIV      1UL
#define BPF_MAP_PTR_POISON      ((void *)((0xeB9FUL << 1) +     \
                                          POISON_POINTER_DELTA))
#define BPF_MAP_PTR(X)          ((struct bpf_map *)((X) & ~BPF_MAP_PTR_UNPRIV))

static bool bpf_map_ptr_poisoned(const struct bpf_insn_aux_data *aux)
{
        return BPF_MAP_PTR(aux->map_ptr_state) == BPF_MAP_PTR_POISON;
}

static bool bpf_map_ptr_unpriv(const struct bpf_insn_aux_data *aux)
{
        return aux->map_ptr_state & BPF_MAP_PTR_UNPRIV;
}

static void bpf_map_ptr_store(struct bpf_insn_aux_data *aux,
                              const struct bpf_map *map, bool unpriv)
{
        BUILD_BUG_ON((unsigned long)BPF_MAP_PTR_POISON & BPF_MAP_PTR_UNPRIV);
        unpriv |= bpf_map_ptr_unpriv(aux);
        aux->map_ptr_state = (unsigned long)map |
                             (unpriv ? BPF_MAP_PTR_UNPRIV : 0UL);
}

static bool bpf_map_key_poisoned(const struct bpf_insn_aux_data *aux)
{
        return aux->map_key_state & BPF_MAP_KEY_POISON;
}

static bool bpf_map_key_unseen(const struct bpf_insn_aux_data *aux)
{
        return !(aux->map_key_state & BPF_MAP_KEY_SEEN);
}

static u64 bpf_map_key_immediate(const struct bpf_insn_aux_data *aux)
{
        return aux->map_key_state & ~(BPF_MAP_KEY_SEEN | BPF_MAP_KEY_POISON);
}

static void bpf_map_key_store(struct bpf_insn_aux_data *aux, u64 state)
{
        bool poisoned = bpf_map_key_poisoned(aux);

        aux->map_key_state = state | BPF_MAP_KEY_SEEN |
                             (poisoned ? BPF_MAP_KEY_POISON : 0ULL);
}

static bool bpf_pseudo_call(const struct bpf_insn *insn)
{
        return insn->code == (BPF_JMP | BPF_CALL) &&
               insn->src_reg == BPF_PSEUDO_CALL;
}

static bool bpf_pseudo_kfunc_call(const struct bpf_insn *insn)
{
        return insn->code == (BPF_JMP | BPF_CALL) &&
               insn->src_reg == BPF_PSEUDO_KFUNC_CALL;
}

static bool bpf_pseudo_func(const struct bpf_insn *insn)
{
        return insn->code == (BPF_LD | BPF_IMM | BPF_DW) &&
               insn->src_reg == BPF_PSEUDO_FUNC;
}

struct bpf_call_arg_meta {
        struct bpf_map *map_ptr;
        bool raw_mode;
        bool pkt_access;
        int regno;
        int access_size;
        int mem_size;
        u64 msize_max_value;
        int ref_obj_id;
        int func_id;
        struct btf *btf;
        u32 btf_id;
        struct btf *ret_btf;
        u32 ret_btf_id;
        u32 subprogno;
};

struct btf *btf_vmlinux;

static DEFINE_MUTEX(bpf_verifier_lock);

static const struct bpf_line_info *
find_linfo(const struct bpf_verifier_env *env, u32 insn_off)
{
        const struct bpf_line_info *linfo;
        const struct bpf_prog *prog;
        u32 i, nr_linfo;

        prog = env->prog;
        nr_linfo = prog->aux->nr_linfo;

        if (!nr_linfo || insn_off >= prog->len)
                return NULL;

        linfo = prog->aux->linfo;
        for (i = 1; i < nr_linfo; i++)
                if (insn_off < linfo[i].insn_off)
                        break;

        return &linfo[i - 1];
}

void bpf_verifier_vlog(struct bpf_verifier_log *log, const char *fmt,
                       va_list args)
{
        unsigned int n;

        n = vscnprintf(log->kbuf, BPF_VERIFIER_TMP_LOG_SIZE, fmt, args);

        WARN_ONCE(n >= BPF_VERIFIER_TMP_LOG_SIZE - 1,
                  "verifier log line truncated - local buffer too short\n");

        n = min(log->len_total - log->len_used - 1, n);
        log->kbuf[n] = '\0';

        if (log->level == BPF_LOG_KERNEL) {
                pr_err("BPF:%s\n", log->kbuf);
                return;
        }
        if (!copy_to_user(log->ubuf + log->len_used, log->kbuf, n + 1))
                log->len_used += n;
        else
                log->ubuf = NULL;
}

static void bpf_vlog_reset(struct bpf_verifier_log *log, u32 new_pos)
{
        char zero = 0;

        if (!bpf_verifier_log_needed(log))
                return;

        log->len_used = new_pos;
        if (put_user(zero, log->ubuf + new_pos))
                log->ubuf = NULL;
}

/* log_level controls verbosity level of eBPF verifier.
 * bpf_verifier_log_write() is used to dump the verification trace to the log,
 * so the user can figure out what's wrong with the program
 */
__printf(2, 3) void bpf_verifier_log_write(struct bpf_verifier_env *env,
                                           const char *fmt, ...)
{
        va_list args;

        if (!bpf_verifier_log_needed(&env->log))
                return;

        va_start(args, fmt);
        bpf_verifier_vlog(&env->log, fmt, args);
        va_end(args);
}
EXPORT_SYMBOL_GPL(bpf_verifier_log_write);

__printf(2, 3) static void verbose(void *private_data, const char *fmt, ...)
{
        struct bpf_verifier_env *env = private_data;
        va_list args;

        if (!bpf_verifier_log_needed(&env->log))
                return;

        va_start(args, fmt);
        bpf_verifier_vlog(&env->log, fmt, args);
        va_end(args);
}

__printf(2, 3) void bpf_log(struct bpf_verifier_log *log,
                            const char *fmt, ...)
{
        va_list args;

        if (!bpf_verifier_log_needed(log))
                return;

        va_start(args, fmt);
        bpf_verifier_vlog(log, fmt, args);
        va_end(args);
}

static const char *ltrim(const char *s)
{
        while (isspace(*s))
                s++;

        return s;
}

__printf(3, 4) static void verbose_linfo(struct bpf_verifier_env *env,
                                         u32 insn_off,
                                         const char *prefix_fmt, ...)
{
        const struct bpf_line_info *linfo;

        if (!bpf_verifier_log_needed(&env->log))
                return;

        linfo = find_linfo(env, insn_off);
        if (!linfo || linfo == env->prev_linfo)
                return;

        if (prefix_fmt) {
                va_list args;

                va_start(args, prefix_fmt);
                bpf_verifier_vlog(&env->log, prefix_fmt, args);
                va_end(args);
        }

        verbose(env, "%s\n",
                ltrim(btf_name_by_offset(env->prog->aux->btf,
                                         linfo->line_off)));

        env->prev_linfo = linfo;
}

static void verbose_invalid_scalar(struct bpf_verifier_env *env,
                                   struct bpf_reg_state *reg,
                                   struct tnum *range, const char *ctx,
                                   const char *reg_name)
{
        char tn_buf[48];

        verbose(env, "At %s the register %s ", ctx, reg_name);
        if (!tnum_is_unknown(reg->var_off)) {
                tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
                verbose(env, "has value %s", tn_buf);
        } else {
                verbose(env, "has unknown scalar value");
        }
        tnum_strn(tn_buf, sizeof(tn_buf), *range);
        verbose(env, " should have been in %s\n", tn_buf);
}

static bool type_is_pkt_pointer(enum bpf_reg_type type)
{
        return type == PTR_TO_PACKET ||
               type == PTR_TO_PACKET_META;
}

static bool type_is_sk_pointer(enum bpf_reg_type type)
{
        return type == PTR_TO_SOCKET ||
                type == PTR_TO_SOCK_COMMON ||
                type == PTR_TO_TCP_SOCK ||
                type == PTR_TO_XDP_SOCK;
}

static bool reg_type_not_null(enum bpf_reg_type type)
{
        return type == PTR_TO_SOCKET ||
                type == PTR_TO_TCP_SOCK ||
                type == PTR_TO_MAP_VALUE ||
                type == PTR_TO_MAP_KEY ||
                type == PTR_TO_SOCK_COMMON;
}

static bool reg_type_may_be_null(enum bpf_reg_type type)
{
        return type == PTR_TO_MAP_VALUE_OR_NULL ||
               type == PTR_TO_SOCKET_OR_NULL ||
               type == PTR_TO_SOCK_COMMON_OR_NULL ||
               type == PTR_TO_TCP_SOCK_OR_NULL ||
               type == PTR_TO_BTF_ID_OR_NULL ||
               type == PTR_TO_MEM_OR_NULL ||
               type == PTR_TO_RDONLY_BUF_OR_NULL ||
               type == PTR_TO_RDWR_BUF_OR_NULL;
}

static bool reg_may_point_to_spin_lock(const struct bpf_reg_state *reg)
{
        return reg->type == PTR_TO_MAP_VALUE &&
                map_value_has_spin_lock(reg->map_ptr);
}

static bool reg_type_may_be_refcounted_or_null(enum bpf_reg_type type)
{
        return type == PTR_TO_SOCKET ||
                type == PTR_TO_SOCKET_OR_NULL ||
                type == PTR_TO_TCP_SOCK ||
                type == PTR_TO_TCP_SOCK_OR_NULL ||
                type == PTR_TO_MEM ||
                type == PTR_TO_MEM_OR_NULL;
}

static bool arg_type_may_be_refcounted(enum bpf_arg_type type)
{
        return type == ARG_PTR_TO_SOCK_COMMON;
}

static bool arg_type_may_be_null(enum bpf_arg_type type)
{
        return type == ARG_PTR_TO_MAP_VALUE_OR_NULL ||
               type == ARG_PTR_TO_MEM_OR_NULL ||
               type == ARG_PTR_TO_CTX_OR_NULL ||
               type == ARG_PTR_TO_SOCKET_OR_NULL ||
               type == ARG_PTR_TO_ALLOC_MEM_OR_NULL ||
               type == ARG_PTR_TO_STACK_OR_NULL;
}

/* Determine whether the function releases some resources allocated by another
 * function call. The first reference type argument will be assumed to be
 * released by release_reference().
 */
static bool is_release_function(enum bpf_func_id func_id)
{
        return func_id == BPF_FUNC_sk_release ||
               func_id == BPF_FUNC_ringbuf_submit ||
               func_id == BPF_FUNC_ringbuf_discard;
}

static bool may_be_acquire_function(enum bpf_func_id func_id)
{
        return func_id == BPF_FUNC_sk_lookup_tcp ||
                func_id == BPF_FUNC_sk_lookup_udp ||
                func_id == BPF_FUNC_skc_lookup_tcp ||
                func_id == BPF_FUNC_map_lookup_elem ||
                func_id == BPF_FUNC_ringbuf_reserve;
}

static bool is_acquire_function(enum bpf_func_id func_id,
                                const struct bpf_map *map)
{
        enum bpf_map_type map_type = map ? map->map_type : BPF_MAP_TYPE_UNSPEC;

        if (func_id == BPF_FUNC_sk_lookup_tcp ||
            func_id == BPF_FUNC_sk_lookup_udp ||
            func_id == BPF_FUNC_skc_lookup_tcp ||
            func_id == BPF_FUNC_ringbuf_reserve)
                return true;

        if (func_id == BPF_FUNC_map_lookup_elem &&
            (map_type == BPF_MAP_TYPE_SOCKMAP ||
             map_type == BPF_MAP_TYPE_SOCKHASH))
                return true;

        return false;
}

static bool is_ptr_cast_function(enum bpf_func_id func_id)
{
        return func_id == BPF_FUNC_tcp_sock ||
                func_id == BPF_FUNC_sk_fullsock ||
                func_id == BPF_FUNC_skc_to_tcp_sock ||
                func_id == BPF_FUNC_skc_to_tcp6_sock ||
                func_id == BPF_FUNC_skc_to_udp6_sock ||
                func_id == BPF_FUNC_skc_to_tcp_timewait_sock ||
                func_id == BPF_FUNC_skc_to_tcp_request_sock;
}

static bool is_cmpxchg_insn(const struct bpf_insn *insn)
{
        return BPF_CLASS(insn->code) == BPF_STX &&
               BPF_MODE(insn->code) == BPF_ATOMIC &&
               insn->imm == BPF_CMPXCHG;
}

/* string representation of 'enum bpf_reg_type' */
static const char * const reg_type_str[] = {
        [NOT_INIT]              = "?",
        [SCALAR_VALUE]          = "inv",
        [PTR_TO_CTX]            = "ctx",
        [CONST_PTR_TO_MAP]      = "map_ptr",
        [PTR_TO_MAP_VALUE]      = "map_value",
        [PTR_TO_MAP_VALUE_OR_NULL] = "map_value_or_null",
        [PTR_TO_STACK]          = "fp",
        [PTR_TO_PACKET]         = "pkt",
        [PTR_TO_PACKET_META]    = "pkt_meta",
        [PTR_TO_PACKET_END]     = "pkt_end",
        [PTR_TO_FLOW_KEYS]      = "flow_keys",
        [PTR_TO_SOCKET]         = "sock",
        [PTR_TO_SOCKET_OR_NULL] = "sock_or_null",
        [PTR_TO_SOCK_COMMON]    = "sock_common",
        [PTR_TO_SOCK_COMMON_OR_NULL] = "sock_common_or_null",
        [PTR_TO_TCP_SOCK]       = "tcp_sock",
        [PTR_TO_TCP_SOCK_OR_NULL] = "tcp_sock_or_null",
        [PTR_TO_TP_BUFFER]      = "tp_buffer",
        [PTR_TO_XDP_SOCK]       = "xdp_sock",
        [PTR_TO_BTF_ID]         = "ptr_",
        [PTR_TO_BTF_ID_OR_NULL] = "ptr_or_null_",
        [PTR_TO_PERCPU_BTF_ID]  = "percpu_ptr_",
        [PTR_TO_MEM]            = "mem",
        [PTR_TO_MEM_OR_NULL]    = "mem_or_null",
        [PTR_TO_RDONLY_BUF]     = "rdonly_buf",
        [PTR_TO_RDONLY_BUF_OR_NULL] = "rdonly_buf_or_null",
        [PTR_TO_RDWR_BUF]       = "rdwr_buf",
        [PTR_TO_RDWR_BUF_OR_NULL] = "rdwr_buf_or_null",
        [PTR_TO_FUNC]           = "func",
        [PTR_TO_MAP_KEY]        = "map_key",
};

static char slot_type_char[] = {
        [STACK_INVALID] = '?',
        [STACK_SPILL]   = 'r',
        [STACK_MISC]    = 'm',
        [STACK_ZERO]    = '0',
};

static void print_liveness(struct bpf_verifier_env *env,
                           enum bpf_reg_liveness live)
{
        if (live & (REG_LIVE_READ | REG_LIVE_WRITTEN | REG_LIVE_DONE))
            verbose(env, "_");
        if (live & REG_LIVE_READ)
                verbose(env, "r");
        if (live & REG_LIVE_WRITTEN)
                verbose(env, "w");
        if (live & REG_LIVE_DONE)
                verbose(env, "D");
}

static struct bpf_func_state *func(struct bpf_verifier_env *env,
                                   const struct bpf_reg_state *reg)
{
        struct bpf_verifier_state *cur = env->cur_state;

        return cur->frame[reg->frameno];
}

static const char *kernel_type_name(const struct btf* btf, u32 id)
{
        return btf_name_by_offset(btf, btf_type_by_id(btf, id)->name_off);
}

static void print_verifier_state(struct bpf_verifier_env *env,
                                 const struct bpf_func_state *state)
{
        const struct bpf_reg_state *reg;
        enum bpf_reg_type t;
        int i;

        if (state->frameno)
                verbose(env, " frame%d:", state->frameno);
        for (i = 0; i < MAX_BPF_REG; i++) {
                reg = &state->regs[i];
                t = reg->type;
                if (t == NOT_INIT)
                        continue;
                verbose(env, " R%d", i);
                print_liveness(env, reg->live);
                verbose(env, "=%s", reg_type_str[t]);
                if (t == SCALAR_VALUE && reg->precise)
                        verbose(env, "P");
                if ((t == SCALAR_VALUE || t == PTR_TO_STACK) &&
                    tnum_is_const(reg->var_off)) {
                        /* reg->off should be 0 for SCALAR_VALUE */
                        verbose(env, "%lld", reg->var_off.value + reg->off);
                } else {
                        if (t == PTR_TO_BTF_ID ||
                            t == PTR_TO_BTF_ID_OR_NULL ||
                            t == PTR_TO_PERCPU_BTF_ID)
                                verbose(env, "%s", kernel_type_name(reg->btf, reg->btf_id));
                        verbose(env, "(id=%d", reg->id);
                        if (reg_type_may_be_refcounted_or_null(t))
                                verbose(env, ",ref_obj_id=%d", reg->ref_obj_id);
                        if (t != SCALAR_VALUE)
                                verbose(env, ",off=%d", reg->off);
                        if (type_is_pkt_pointer(t))
                                verbose(env, ",r=%d", reg->range);
                        else if (t == CONST_PTR_TO_MAP ||
                                 t == PTR_TO_MAP_KEY ||
                                 t == PTR_TO_MAP_VALUE ||
                                 t == PTR_TO_MAP_VALUE_OR_NULL)
                                verbose(env, ",ks=%d,vs=%d",
                                        reg->map_ptr->key_size,
                                        reg->map_ptr->value_size);
                        if (tnum_is_const(reg->var_off)) {
                                /* Typically an immediate SCALAR_VALUE, but
                                 * could be a pointer whose offset is too big
                                 * for reg->off
                                 */
                                verbose(env, ",imm=%llx", reg->var_off.value);
                        } else {
                                if (reg->smin_value != reg->umin_value &&
                                    reg->smin_value != S64_MIN)
                                        verbose(env, ",smin_value=%lld",
                                                (long long)reg->smin_value);
                                if (reg->smax_value != reg->umax_value &&
                                    reg->smax_value != S64_MAX)
                                        verbose(env, ",smax_value=%lld",
                                                (long long)reg->smax_value);
                                if (reg->umin_value != 0)
                                        verbose(env, ",umin_value=%llu",
                                                (unsigned long long)reg->umin_value);
                                if (reg->umax_value != U64_MAX)
                                        verbose(env, ",umax_value=%llu",
                                                (unsigned long long)reg->umax_value);
                                if (!tnum_is_unknown(reg->var_off)) {
                                        char tn_buf[48];

                                        tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
                                        verbose(env, ",var_off=%s", tn_buf);
                                }
                                if (reg->s32_min_value != reg->smin_value &&
                                    reg->s32_min_value != S32_MIN)
                                        verbose(env, ",s32_min_value=%d",
                                                (int)(reg->s32_min_value));
                                if (reg->s32_max_value != reg->smax_value &&
                                    reg->s32_max_value != S32_MAX)
                                        verbose(env, ",s32_max_value=%d",
                                                (int)(reg->s32_max_value));
                                if (reg->u32_min_value != reg->umin_value &&
                                    reg->u32_min_value != U32_MIN)
                                        verbose(env, ",u32_min_value=%d",
                                                (int)(reg->u32_min_value));
                                if (reg->u32_max_value != reg->umax_value &&
                                    reg->u32_max_value != U32_MAX)
                                        verbose(env, ",u32_max_value=%d",
                                                (int)(reg->u32_max_value));
                        }
                        verbose(env, ")");
                }
        }
        for (i = 0; i < state->allocated_stack / BPF_REG_SIZE; i++) {
                char types_buf[BPF_REG_SIZE + 1];
                bool valid = false;
                int j;

                for (j = 0; j < BPF_REG_SIZE; j++) {
                        if (state->stack[i].slot_type[j] != STACK_INVALID)
                                valid = true;
                        types_buf[j] = slot_type_char[
                                        state->stack[i].slot_type[j]];
                }
                types_buf[BPF_REG_SIZE] = 0;
                if (!valid)
                        continue;
                verbose(env, " fp%d", (-i - 1) * BPF_REG_SIZE);
                print_liveness(env, state->stack[i].spilled_ptr.live);
                if (state->stack[i].slot_type[0] == STACK_SPILL) {
                        reg = &state->stack[i].spilled_ptr;
                        t = reg->type;
                        verbose(env, "=%s", reg_type_str[t]);
                        if (t == SCALAR_VALUE && reg->precise)
                                verbose(env, "P");
                        if (t == SCALAR_VALUE && tnum_is_const(reg->var_off))
                                verbose(env, "%lld", reg->var_off.value + reg->off);
                } else {
                        verbose(env, "=%s", types_buf);
                }
        }
        if (state->acquired_refs && state->refs[0].id) {
                verbose(env, " refs=%d", state->refs[0].id);
                for (i = 1; i < state->acquired_refs; i++)
                        if (state->refs[i].id)
                                verbose(env, ",%d", state->refs[i].id);
        }
        verbose(env, "\n");
}

/* copy array src of length n * size bytes to dst. dst is reallocated if it's too
 * small to hold src. This is different from krealloc since we don't want to preserve
 * the contents of dst.
 *
 * Leaves dst untouched if src is NULL or length is zero. Returns NULL if memory could
 * not be allocated.
 */
static void *copy_array(void *dst, const void *src, size_t n, size_t size, gfp_t flags)
{
        size_t bytes;

        if (ZERO_OR_NULL_PTR(src))
                goto out;

        if (unlikely(check_mul_overflow(n, size, &bytes)))
                return NULL;

        if (ksize(dst) < bytes) {
                kfree(dst);
                dst = kmalloc_track_caller(bytes, flags);
                if (!dst)
                        return NULL;
        }

        memcpy(dst, src, bytes);
out:
        return dst ? dst : ZERO_SIZE_PTR;
}

/* resize an array from old_n items to new_n items. the array is reallocated if it's too
 * small to hold new_n items. new items are zeroed out if the array grows.
 *
 * Contrary to krealloc_array, does not free arr if new_n is zero.
 */
static void *realloc_array(void *arr, size_t old_n, size_t new_n, size_t size)
{
        if (!new_n || old_n == new_n)
                goto out;

        arr = krealloc_array(arr, new_n, size, GFP_KERNEL);
        if (!arr)
                return NULL;

        if (new_n > old_n)
                memset(arr + old_n * size, 0, (new_n - old_n) * size);

out:
        return arr ? arr : ZERO_SIZE_PTR;
}

static int copy_reference_state(struct bpf_func_state *dst, const struct bpf_func_state *src)
{
        dst->refs = copy_array(dst->refs, src->refs, src->acquired_refs,
                               sizeof(struct bpf_reference_state), GFP_KERNEL);
        if (!dst->refs)
                return -ENOMEM;

        dst->acquired_refs = src->acquired_refs;
        return 0;
}

static int copy_stack_state(struct bpf_func_state *dst, const struct bpf_func_state *src)
{
        size_t n = src->allocated_stack / BPF_REG_SIZE;

        dst->stack = copy_array(dst->stack, src->stack, n, sizeof(struct bpf_stack_state),
                                GFP_KERNEL);
        if (!dst->stack)
                return -ENOMEM;

        dst->allocated_stack = src->allocated_stack;
        return 0;
}

static int resize_reference_state(struct bpf_func_state *state, size_t n)
{
        state->refs = realloc_array(state->refs, state->acquired_refs, n,
                                    sizeof(struct bpf_reference_state));
        if (!state->refs)
                return -ENOMEM;

        state->acquired_refs = n;
        return 0;
}

static int grow_stack_state(struct bpf_func_state *state, int size)
{
        size_t old_n = state->allocated_stack / BPF_REG_SIZE, n = size / BPF_REG_SIZE;

        if (old_n >= n)
                return 0;

        state->stack = realloc_array(state->stack, old_n, n, sizeof(struct bpf_stack_state));
        if (!state->stack)
                return -ENOMEM;

        state->allocated_stack = size;
        return 0;
}

/* Acquire a pointer id from the env and update the state->refs to include
 * this new pointer reference.
 * On success, returns a valid pointer id to associate with the register
 * On failure, returns a negative errno.
 */
static int acquire_reference_state(struct bpf_verifier_env *env, int insn_idx)
{
        struct bpf_func_state *state = cur_func(env);
        int new_ofs = state->acquired_refs;
        int id, err;

        err = resize_reference_state(state, state->acquired_refs + 1);
        if (err)
                return err;
        id = ++env->id_gen;
        state->refs[new_ofs].id = id;
        state->refs[new_ofs].insn_idx = insn_idx;

        return id;
}

/* release function corresponding to acquire_reference_state(). Idempotent. */
static int release_reference_state(struct bpf_func_state *state, int ptr_id)
{
        int i, last_idx;

        last_idx = state->acquired_refs - 1;
        for (i = 0; i < state->acquired_refs; i++) {
                if (state->refs[i].id == ptr_id) {
                        if (last_idx && i != last_idx)
                                memcpy(&state->refs[i], &state->refs[last_idx],
                                       sizeof(*state->refs));
                        memset(&state->refs[last_idx], 0, sizeof(*state->refs));
                        state->acquired_refs--;
                        return 0;
                }
        }
        return -EINVAL;
}

static void free_func_state(struct bpf_func_state *state)
{
        if (!state)
                return;
        kfree(state->refs);
        kfree(state->stack);
        kfree(state);
}

static void clear_jmp_history(struct bpf_verifier_state *state)
{
        kfree(state->jmp_history);
        state->jmp_history = NULL;
        state->jmp_history_cnt = 0;
}

static void free_verifier_state(struct bpf_verifier_state *state,
                                bool free_self)
{
        int i;

        for (i = 0; i <= state->curframe; i++) {
                free_func_state(state->frame[i]);
                state->frame[i] = NULL;
        }
        clear_jmp_history(state);
        if (free_self)
                kfree(state);
}

/* copy verifier state from src to dst growing dst stack space
 * when necessary to accommodate larger src stack
 */
static int copy_func_state(struct bpf_func_state *dst,
                           const struct bpf_func_state *src)
{
        int err;

        memcpy(dst, src, offsetof(struct bpf_func_state, acquired_refs));
        err = copy_reference_state(dst, src);
        if (err)
                return err;
        return copy_stack_state(dst, src);
}

static int copy_verifier_state(struct bpf_verifier_state *dst_state,
                               const struct bpf_verifier_state *src)
{
        struct bpf_func_state *dst;
        int i, err;

        dst_state->jmp_history = copy_array(dst_state->jmp_history, src->jmp_history,
                                            src->jmp_history_cnt, sizeof(struct bpf_idx_pair),
                                            GFP_USER);
        if (!dst_state->jmp_history)
                return -ENOMEM;
        dst_state->jmp_history_cnt = src->jmp_history_cnt;

        /* if dst has more stack frames then src frame, free them */
        for (i = src->curframe + 1; i <= dst_state->curframe; i++) {
                free_func_state(dst_state->frame[i]);
                dst_state->frame[i] = NULL;
        }
        dst_state->speculative = src->speculative;
        dst_state->curframe = src->curframe;
        dst_state->active_spin_lock = src->active_spin_lock;
        dst_state->branches = src->branches;
        dst_state->parent = src->parent;
        dst_state->first_insn_idx = src->first_insn_idx;
        dst_state->last_insn_idx = src->last_insn_idx;
        for (i = 0; i <= src->curframe; i++) {
                dst = dst_state->frame[i];
                if (!dst) {
                        dst = kzalloc(sizeof(*dst), GFP_KERNEL);
                        if (!dst)
                                return -ENOMEM;
                        dst_state->frame[i] = dst;
                }
                err = copy_func_state(dst, src->frame[i]);
                if (err)
                        return err;
        }
        return 0;
}

static void update_branch_counts(struct bpf_verifier_env *env, struct bpf_verifier_state *st)
{
        while (st) {
                u32 br = --st->branches;

                /* WARN_ON(br > 1) technically makes sense here,
                 * but see comment in push_stack(), hence:
                 */
                WARN_ONCE((int)br < 0,
                          "BUG update_branch_counts:branches_to_explore=%d\n",
                          br);
                if (br)
                        break;
                st = st->parent;
        }
}

static int pop_stack(struct bpf_verifier_env *env, int *prev_insn_idx,
                     int *insn_idx, bool pop_log)
{
        struct bpf_verifier_state *cur = env->cur_state;
        struct bpf_verifier_stack_elem *elem, *head = env->head;
        int err;

        if (env->head == NULL)
                return -ENOENT;

        if (cur) {
                err = copy_verifier_state(cur, &head->st);
                if (err)
                        return err;
        }
        if (pop_log)
                bpf_vlog_reset(&env->log, head->log_pos);
        if (insn_idx)
                *insn_idx = head->insn_idx;

        if (prev_insn_idx)
                *prev_insn_idx = head->prev_insn_idx;
        elem = head->next;
        free_verifier_state(&head->st, false);
        kfree(head);
        env->head = elem;
        env->stack_size--;
        return 0;
}

static struct bpf_verifier_state *push_stack(struct bpf_verifier_env *env,
                                             int insn_idx, int prev_insn_idx,
                                             bool speculative)
{
        struct bpf_verifier_state *cur = env->cur_state;
        struct bpf_verifier_stack_elem *elem;
        int err;

        elem = kzalloc(sizeof(struct bpf_verifier_stack_elem), GFP_KERNEL);
        if (!elem)
                goto err;

        elem->insn_idx = insn_idx;
        elem->prev_insn_idx = prev_insn_idx;
        elem->next = env->head;
        elem->log_pos = env->log.len_used;
        env->head = elem;
        env->stack_size++;
        err = copy_verifier_state(&elem->st, cur);
        if (err)
                goto err;
        elem->st.speculative |= speculative;
        if (env->stack_size > BPF_COMPLEXITY_LIMIT_JMP_SEQ) {
                verbose(env, "The sequence of %d jumps is too complex.\n",
                        env->stack_size);
                goto err;
        }
        if (elem->st.parent) {
                ++elem->st.parent->branches;
                /* WARN_ON(branches > 2) technically makes sense here,
                 * but
                 * 1. speculative states will bump 'branches' for non-branch
                 * instructions
                 * 2. is_state_visited() heuristics may decide not to create
                 * a new state for a sequence of branches and all such current
                 * and cloned states will be pointing to a single parent state
                 * which might have large 'branches' count.
                 */
        }
        return &elem->st;
err:
        free_verifier_state(env->cur_state, true);
        env->cur_state = NULL;
        /* pop all elements and return */
        while (!pop_stack(env, NULL, NULL, false));
        return NULL;
}

#define CALLER_SAVED_REGS 6
static const int caller_saved[CALLER_SAVED_REGS] = {
        BPF_REG_0, BPF_REG_1, BPF_REG_2, BPF_REG_3, BPF_REG_4, BPF_REG_5
};

static void __mark_reg_not_init(const struct bpf_verifier_env *env,
                                struct bpf_reg_state *reg);

/* This helper doesn't clear reg->id */
static void ___mark_reg_known(struct bpf_reg_state *reg, u64 imm)
{
        reg->var_off = tnum_const(imm);
        reg->smin_value = (s64)imm;
        reg->smax_value = (s64)imm;
        reg->umin_value = imm;
        reg->umax_value = imm;

        reg->s32_min_value = (s32)imm;
        reg->s32_max_value = (s32)imm;
        reg->u32_min_value = (u32)imm;
        reg->u32_max_value = (u32)imm;
}

/* Mark the unknown part of a register (variable offset or scalar value) as
 * known to have the value @imm.
 */
static void __mark_reg_known(struct bpf_reg_state *reg, u64 imm)
{
        /* Clear id, off, and union(map_ptr, range) */
        memset(((u8 *)reg) + sizeof(reg->type), 0,
               offsetof(struct bpf_reg_state, var_off) - sizeof(reg->type));
        ___mark_reg_known(reg, imm);
}

static void __mark_reg32_known(struct bpf_reg_state *reg, u64 imm)
{
        reg->var_off = tnum_const_subreg(reg->var_off, imm);
        reg->s32_min_value = (s32)imm;
        reg->s32_max_value = (s32)imm;
        reg->u32_min_value = (u32)imm;
        reg->u32_max_value = (u32)imm;
}

/* Mark the 'variable offset' part of a register as zero.  This should be
 * used only on registers holding a pointer type.
 */
static void __mark_reg_known_zero(struct bpf_reg_state *reg)
{
        __mark_reg_known(reg, 0);
}

static void __mark_reg_const_zero(struct bpf_reg_state *reg)
{
        __mark_reg_known(reg, 0);
        reg->type = SCALAR_VALUE;
}

static void mark_reg_known_zero(struct bpf_verifier_env *env,
                                struct bpf_reg_state *regs, u32 regno)
{
        if (WARN_ON(regno >= MAX_BPF_REG)) {
                verbose(env, "mark_reg_known_zero(regs, %u)\n", regno);
                /* Something bad happened, let's kill all regs */
                for (regno = 0; regno < MAX_BPF_REG; regno++)
                        __mark_reg_not_init(env, regs + regno);
                return;
        }
        __mark_reg_known_zero(regs + regno);
}

static void mark_ptr_not_null_reg(struct bpf_reg_state *reg)
{
        switch (reg->type) {
        case PTR_TO_MAP_VALUE_OR_NULL: {
                const struct bpf_map *map = reg->map_ptr;

                if (map->inner_map_meta) {
                        reg->type = CONST_PTR_TO_MAP;
                        reg->map_ptr = map->inner_map_meta;
                } else if (map->map_type == BPF_MAP_TYPE_XSKMAP) {
                        reg->type = PTR_TO_XDP_SOCK;
                } else if (map->map_type == BPF_MAP_TYPE_SOCKMAP ||
                           map->map_type == BPF_MAP_TYPE_SOCKHASH) {
                        reg->type = PTR_TO_SOCKET;
                } else {
                        reg->type = PTR_TO_MAP_VALUE;
                }
                break;
        }
        case PTR_TO_SOCKET_OR_NULL:
                reg->type = PTR_TO_SOCKET;
                break;
        case PTR_TO_SOCK_COMMON_OR_NULL:
                reg->type = PTR_TO_SOCK_COMMON;
                break;
        case PTR_TO_TCP_SOCK_OR_NULL:
                reg->type = PTR_TO_TCP_SOCK;
                break;
        case PTR_TO_BTF_ID_OR_NULL:
                reg->type = PTR_TO_BTF_ID;
                break;
        case PTR_TO_MEM_OR_NULL:
                reg->type = PTR_TO_MEM;
                break;
        case PTR_TO_RDONLY_BUF_OR_NULL:
                reg->type = PTR_TO_RDONLY_BUF;
                break;
        case PTR_TO_RDWR_BUF_OR_NULL:
                reg->type = PTR_TO_RDWR_BUF;
                break;
        default:
                WARN_ONCE(1, "unknown nullable register type");
        }
}

static bool reg_is_pkt_pointer(const struct bpf_reg_state *reg)
{
        return type_is_pkt_pointer(reg->type);
}

static bool reg_is_pkt_pointer_any(const struct bpf_reg_state *reg)
{
        return reg_is_pkt_pointer(reg) ||
               reg->type == PTR_TO_PACKET_END;
}

/* Unmodified PTR_TO_PACKET[_META,_END] register from ctx access. */
static bool reg_is_init_pkt_pointer(const struct bpf_reg_state *reg,
                                    enum bpf_reg_type which)
{
        /* The register can already have a range from prior markings.
         * This is fine as long as it hasn't been advanced from its
         * origin.
         */
        return reg->type == which &&
               reg->id == 0 &&
               reg->off == 0 &&
               tnum_equals_const(reg->var_off, 0);
}

/* Reset the min/max bounds of a register */
static void __mark_reg_unbounded(struct bpf_reg_state *reg)
{
        reg->smin_value = S64_MIN;
        reg->smax_value = S64_MAX;
        reg->umin_value = 0;
        reg->umax_value = U64_MAX;

        reg->s32_min_value = S32_MIN;
        reg->s32_max_value = S32_MAX;
        reg->u32_min_value = 0;
        reg->u32_max_value = U32_MAX;
}

static void __mark_reg64_unbounded(struct bpf_reg_state *reg)
{
        reg->smin_value = S64_MIN;
        reg->smax_value = S64_MAX;
        reg->umin_value = 0;
        reg->umax_value = U64_MAX;
}

static void __mark_reg32_unbounded(struct bpf_reg_state *reg)
{
        reg->s32_min_value = S32_MIN;
        reg->s32_max_value = S32_MAX;
        reg->u32_min_value = 0;
        reg->u32_max_value = U32_MAX;
}

static void __update_reg32_bounds(struct bpf_reg_state *reg)
{
        struct tnum var32_off = tnum_subreg(reg->var_off);

        /* min signed is max(sign bit) | min(other bits) */
        reg->s32_min_value = max_t(s32, reg->s32_min_value,
                        var32_off.value | (var32_off.mask & S32_MIN));
        /* max signed is min(sign bit) | max(other bits) */
        reg->s32_max_value = min_t(s32, reg->s32_max_value,
                        var32_off.value | (var32_off.mask & S32_MAX));
        reg->u32_min_value = max_t(u32, reg->u32_min_value, (u32)var32_off.value);
        reg->u32_max_value = min(reg->u32_max_value,
                                 (u32)(var32_off.value | var32_off.mask));
}

static void __update_reg64_bounds(struct bpf_reg_state *reg)
{
        /* min signed is max(sign bit) | min(other bits) */
        reg->smin_value = max_t(s64, reg->smin_value,
                                reg->var_off.value | (reg->var_off.mask & S64_MIN));
        /* max signed is min(sign bit) | max(other bits) */
        reg->smax_value = min_t(s64, reg->smax_value,
                                reg->var_off.value | (reg->var_off.mask & S64_MAX));
        reg->umin_value = max(reg->umin_value, reg->var_off.value);
        reg->umax_value = min(reg->umax_value,
                              reg->var_off.value | reg->var_off.mask);
}

static void __update_reg_bounds(struct bpf_reg_state *reg)
{
        __update_reg32_bounds(reg);
        __update_reg64_bounds(reg);
}

/* Uses signed min/max values to inform unsigned, and vice-versa */
static void __reg32_deduce_bounds(struct bpf_reg_state *reg)
{
        /* Learn sign from signed bounds.
         * If we cannot cross the sign boundary, then signed and unsigned bounds
         * are the same, so combine.  This works even in the negative case, e.g.
         * -3 s<= x s<= -1 implies 0xf...fd u<= x u<= 0xf...ff.
         */
        if (reg->s32_min_value >= 0 || reg->s32_max_value < 0) {
                reg->s32_min_value = reg->u32_min_value =
                        max_t(u32, reg->s32_min_value, reg->u32_min_value);
                reg->s32_max_value = reg->u32_max_value =
                        min_t(u32, reg->s32_max_value, reg->u32_max_value);
                return;
        }
        /* Learn sign from unsigned bounds.  Signed bounds cross the sign
         * boundary, so we must be careful.
         */
        if ((s32)reg->u32_max_value >= 0) {
                /* Positive.  We can't learn anything from the smin, but smax
                 * is positive, hence safe.
                 */
                reg->s32_min_value = reg->u32_min_value;
                reg->s32_max_value = reg->u32_max_value =
                        min_t(u32, reg->s32_max_value, reg->u32_max_value);
        } else if ((s32)reg->u32_min_value < 0) {
                /* Negative.  We can't learn anything from the smax, but smin
                 * is negative, hence safe.
                 */
                reg->s32_min_value = reg->u32_min_value =
                        max_t(u32, reg->s32_min_value, reg->u32_min_value);
                reg->s32_max_value = reg->u32_max_value;
        }
}

static void __reg64_deduce_bounds(struct bpf_reg_state *reg)
{
        /* Learn sign from signed bounds.
         * If we cannot cross the sign boundary, then signed and unsigned bounds
         * are the same, so combine.  This works even in the negative case, e.g.
         * -3 s<= x s<= -1 implies 0xf...fd u<= x u<= 0xf...ff.
         */
        if (reg->smin_value >= 0 || reg->smax_value < 0) {
                reg->smin_value = reg->umin_value = max_t(u64, reg->smin_value,
                                                          reg->umin_value);
                reg->smax_value = reg->umax_value = min_t(u64, reg->smax_value,
                                                          reg->umax_value);
                return;
        }
        /* Learn sign from unsigned bounds.  Signed bounds cross the sign
         * boundary, so we must be careful.
         */
        if ((s64)reg->umax_value >= 0) {
                /* Positive.  We can't learn anything from the smin, but smax
                 * is positive, hence safe.
                 */
                reg->smin_value = reg->umin_value;
                reg->smax_value = reg->umax_value = min_t(u64, reg->smax_value,
                                                          reg->umax_value);
        } else if ((s64)reg->umin_value < 0) {
                /* Negative.  We can't learn anything from the smax, but smin
                 * is negative, hence safe.
                 */
                reg->smin_value = reg->umin_value = max_t(u64, reg->smin_value,
                                                          reg->umin_value);
                reg->smax_value = reg->umax_value;
        }
}

static void __reg_deduce_bounds(struct bpf_reg_state *reg)
{
        __reg32_deduce_bounds(reg);
        __reg64_deduce_bounds(reg);
}

/* Attempts to improve var_off based on unsigned min/max information */
static void __reg_bound_offset(struct bpf_reg_state *reg)
{
        struct tnum var64_off = tnum_intersect(reg->var_off,
                                               tnum_range(reg->umin_value,
                                                          reg->umax_value));
        struct tnum var32_off = tnum_intersect(tnum_subreg(reg->var_off),
                                                tnum_range(reg->u32_min_value,
                                                           reg->u32_max_value));

        reg->var_off = tnum_or(tnum_clear_subreg(var64_off), var32_off);
}

static void __reg_assign_32_into_64(struct bpf_reg_state *reg)
{
        reg->umin_value = reg->u32_min_value;
        reg->umax_value = reg->u32_max_value;
        /* Attempt to pull 32-bit signed bounds into 64-bit bounds
         * but must be positive otherwise set to worse case bounds
         * and refine later from tnum.
         */
        if (reg->s32_min_value >= 0 && reg->s32_max_value >= 0)
                reg->smax_value = reg->s32_max_value;
        else
                reg->smax_value = U32_MAX;
        if (reg->s32_min_value >= 0)
                reg->smin_value = reg->s32_min_value;
        else
                reg->smin_value = 0;
}

static void __reg_combine_32_into_64(struct bpf_reg_state *reg)
{
        /* special case when 64-bit register has upper 32-bit register
         * zeroed. Typically happens after zext or <<32, >>32 sequence
         * allowing us to use 32-bit bounds directly,
         */
        if (tnum_equals_const(tnum_clear_subreg(reg->var_off), 0)) {
                __reg_assign_32_into_64(reg);
        } else {
                /* Otherwise the best we can do is push lower 32bit known and
                 * unknown bits into register (var_off set from jmp logic)
                 * then learn as much as possible from the 64-bit tnum
                 * known and unknown bits. The previous smin/smax bounds are
                 * invalid here because of jmp32 compare so mark them unknown
                 * so they do not impact tnum bounds calculation.
                 */
                __mark_reg64_unbounded(reg);
                __update_reg_bounds(reg);
        }

        /* Intersecting with the old var_off might have improved our bounds
         * slightly.  e.g. if umax was 0x7f...f and var_off was (0; 0xf...fc),
         * then new var_off is (0; 0x7f...fc) which improves our umax.
         */
        __reg_deduce_bounds(reg);
        __reg_bound_offset(reg);
        __update_reg_bounds(reg);
}

static bool __reg64_bound_s32(s64 a)
{
        return a > S32_MIN && a < S32_MAX;
}

static bool __reg64_bound_u32(u64 a)
{
        return a > U32_MIN && a < U32_MAX;
}

static void __reg_combine_64_into_32(struct bpf_reg_state *reg)
{
        __mark_reg32_unbounded(reg);

        if (__reg64_bound_s32(reg->smin_value) && __reg64_bound_s32(reg->smax_value)) {
                reg->s32_min_value = (s32)reg->smin_value;
                reg->s32_max_value = (s32)reg->smax_value;
        }
        if (__reg64_bound_u32(reg->umin_value) && __reg64_bound_u32(reg->umax_value)) {
                reg->u32_min_value = (u32)reg->umin_value;
                reg->u32_max_value = (u32)reg->umax_value;
        }

        /* Intersecting with the old var_off might have improved our bounds
         * slightly.  e.g. if umax was 0x7f...f and var_off was (0; 0xf...fc),
         * then new var_off is (0; 0x7f...fc) which improves our umax.
         */
        __reg_deduce_bounds(reg);
        __reg_bound_offset(reg);
        __update_reg_bounds(reg);
}

/* Mark a register as having a completely unknown (scalar) value. */
static void __mark_reg_unknown(const struct bpf_verifier_env *env,
                               struct bpf_reg_state *reg)
{
        /*
         * Clear type, id, off, and union(map_ptr, range) and
         * padding between 'type' and union
         */
        memset(reg, 0, offsetof(struct bpf_reg_state, var_off));
        reg->type = SCALAR_VALUE;
        reg->var_off = tnum_unknown;
        reg->frameno = 0;
        reg->precise = env->subprog_cnt > 1 || !env->bpf_capable;
        __mark_reg_unbounded(reg);
}

static void mark_reg_unknown(struct bpf_verifier_env *env,
                             struct bpf_reg_state *regs, u32 regno)
{
        if (WARN_ON(regno >= MAX_BPF_REG)) {
                verbose(env, "mark_reg_unknown(regs, %u)\n", regno);
                /* Something bad happened, let's kill all regs except FP */
                for (regno = 0; regno < BPF_REG_FP; regno++)
                        __mark_reg_not_init(env, regs + regno);
                return;
        }
        __mark_reg_unknown(env, regs + regno);
}

static void __mark_reg_not_init(const struct bpf_verifier_env *env,
                                struct bpf_reg_state *reg)
{
        __mark_reg_unknown(env, reg);
        reg->type = NOT_INIT;
}

static void mark_reg_not_init(struct bpf_verifier_env *env,
                              struct bpf_reg_state *regs, u32 regno)
{
        if (WARN_ON(regno >= MAX_BPF_REG)) {
                verbose(env, "mark_reg_not_init(regs, %u)\n", regno);
                /* Something bad happened, let's kill all regs except FP */
                for (regno = 0; regno < BPF_REG_FP; regno++)
                        __mark_reg_not_init(env, regs + regno);
                return;
        }
        __mark_reg_not_init(env, regs + regno);
}

static void mark_btf_ld_reg(struct bpf_verifier_env *env,
                            struct bpf_reg_state *regs, u32 regno,
                            enum bpf_reg_type reg_type,
                            struct btf *btf, u32 btf_id)
{
        if (reg_type == SCALAR_VALUE) {
                mark_reg_unknown(env, regs, regno);
                return;
        }
        mark_reg_known_zero(env, regs, regno);
        regs[regno].type = PTR_TO_BTF_ID;
        regs[regno].btf = btf;
        regs[regno].btf_id = btf_id;
}

#define DEF_NOT_SUBREG  (0)
static void init_reg_state(struct bpf_verifier_env *env,
                           struct bpf_func_state *state)
{
        struct bpf_reg_state *regs = state->regs;
        int i;

        for (i = 0; i < MAX_BPF_REG; i++) {
                mark_reg_not_init(env, regs, i);
                regs[i].live = REG_LIVE_NONE;
                regs[i].parent = NULL;
                regs[i].subreg_def = DEF_NOT_SUBREG;
        }

        /* frame pointer */
        regs[BPF_REG_FP].type = PTR_TO_STACK;
        mark_reg_known_zero(env, regs, BPF_REG_FP);
        regs[BPF_REG_FP].frameno = state->frameno;
}

#define BPF_MAIN_FUNC (-1)
static void init_func_state(struct bpf_verifier_env *env,
                            struct bpf_func_state *state,
                            int callsite, int frameno, int subprogno)
{
        state->callsite = callsite;
        state->frameno = frameno;
        state->subprogno = subprogno;
        init_reg_state(env, state);
}

enum reg_arg_type {
        SRC_OP,         /* register is used as source operand */
        DST_OP,         /* register is used as destination operand */
        DST_OP_NO_MARK  /* same as above, check only, don't mark */
};

static int cmp_subprogs(const void *a, const void *b)
{
        return ((struct bpf_subprog_info *)a)->start -
               ((struct bpf_subprog_info *)b)->start;
}

static int find_subprog(struct bpf_verifier_env *env, int off)
{
        struct bpf_subprog_info *p;

        p = bsearch(&off, env->subprog_info, env->subprog_cnt,
                    sizeof(env->subprog_info[0]), cmp_subprogs);
        if (!p)
                return -ENOENT;
        return p - env->subprog_info;

}

static int add_subprog(struct bpf_verifier_env *env, int off)
{
        int insn_cnt = env->prog->len;
        int ret;

        if (off >= insn_cnt || off < 0) {
                verbose(env, "call to invalid destination\n");
                return -EINVAL;
        }
        ret = find_subprog(env, off);
        if (ret >= 0)
                return ret;
        if (env->subprog_cnt >= BPF_MAX_SUBPROGS) {
                verbose(env, "too many subprograms\n");
                return -E2BIG;
        }
        /* determine subprog starts. The end is one before the next starts */
        env->subprog_info[env->subprog_cnt++].start = off;
        sort(env->subprog_info, env->subprog_cnt,
             sizeof(env->subprog_info[0]), cmp_subprogs, NULL);
        return env->subprog_cnt - 1;
}

struct bpf_kfunc_desc {
        struct btf_func_model func_model;
        u32 func_id;
        s32 imm;
};

#define MAX_KFUNC_DESCS 256
struct bpf_kfunc_desc_tab {
        struct bpf_kfunc_desc descs[MAX_KFUNC_DESCS];
        u32 nr_descs;
};

static int kfunc_desc_cmp_by_id(const void *a, const void *b)
{
        const struct bpf_kfunc_desc *d0 = a;
        const struct bpf_kfunc_desc *d1 = b;

        /* func_id is not greater than BTF_MAX_TYPE */
        return d0->func_id - d1->func_id;
}

static const struct bpf_kfunc_desc *
find_kfunc_desc(const struct bpf_prog *prog, u32 func_id)
{
        struct bpf_kfunc_desc desc = {
                .func_id = func_id,
        };
        struct bpf_kfunc_desc_tab *tab;

        tab = prog->aux->kfunc_tab;
        return bsearch(&desc, tab->descs, tab->nr_descs,
                       sizeof(tab->descs[0]), kfunc_desc_cmp_by_id);
}

static int add_kfunc_call(struct bpf_verifier_env *env, u32 func_id)
{
        const struct btf_type *func, *func_proto;
        struct bpf_kfunc_desc_tab *tab;
        struct bpf_prog_aux *prog_aux;
        struct bpf_kfunc_desc *desc;
        const char *func_name;
        unsigned long addr;
        int err;

        prog_aux = env->prog->aux;
        tab = prog_aux->kfunc_tab;
        if (!tab) {
                if (!btf_vmlinux) {
                        verbose(env, "calling kernel function is not supported without CONFIG_DEBUG_INFO_BTF\n");
                        return -ENOTSUPP;
                }

                if (!env->prog->jit_requested) {
                        verbose(env, "JIT is required for calling kernel function\n");
                        return -ENOTSUPP;
                }

                if (!bpf_jit_supports_kfunc_call()) {
                        verbose(env, "JIT does not support calling kernel function\n");
                        return -ENOTSUPP;
                }

                if (!env->prog->gpl_compatible) {
                        verbose(env, "cannot call kernel function from non-GPL compatible program\n");
                        return -EINVAL;
                }

                tab = kzalloc(sizeof(*tab), GFP_KERNEL);
                if (!tab)
                        return -ENOMEM;
                prog_aux->kfunc_tab = tab;
        }

        if (find_kfunc_desc(env->prog, func_id))
                return 0;

        if (tab->nr_descs == MAX_KFUNC_DESCS) {
                verbose(env, "too many different kernel function calls\n");
                return -E2BIG;
        }

        func = btf_type_by_id(btf_vmlinux, func_id);
        if (!func || !btf_type_is_func(func)) {
                verbose(env, "kernel btf_id %u is not a function\n",
                        func_id);
                return -EINVAL;
        }
        func_proto = btf_type_by_id(btf_vmlinux, func->type);
        if (!func_proto || !btf_type_is_func_proto(func_proto)) {
                verbose(env, "kernel function btf_id %u does not have a valid func_proto\n",
                        func_id);
                return -EINVAL;
        }

        func_name = btf_name_by_offset(btf_vmlinux, func->name_off);
        addr = kallsyms_lookup_name(func_name);
        if (!addr) {
                verbose(env, "cannot find address for kernel function %s\n",
                        func_name);
                return -EINVAL;
        }

        desc = &tab->descs[tab->nr_descs++];
        desc->func_id = func_id;
        desc->imm = BPF_CAST_CALL(addr) - __bpf_call_base;
        err = btf_distill_func_proto(&env->log, btf_vmlinux,
                                     func_proto, func_name,
                                     &desc->func_model);
        if (!err)
                sort(tab->descs, tab->nr_descs, sizeof(tab->descs[0]),
                     kfunc_desc_cmp_by_id, NULL);
        return err;
}

static int kfunc_desc_cmp_by_imm(const void *a, const void *b)
{
        const struct bpf_kfunc_desc *d0 = a;
        const struct bpf_kfunc_desc *d1 = b;

        if (d0->imm > d1->imm)
                return 1;
        else if (d0->imm < d1->imm)
                return -1;
        return 0;
}

static void sort_kfunc_descs_by_imm(struct bpf_prog *prog)
{
        struct bpf_kfunc_desc_tab *tab;

        tab = prog->aux->kfunc_tab;
        if (!tab)
                return;

        sort(tab->descs, tab->nr_descs, sizeof(tab->descs[0]),
             kfunc_desc_cmp_by_imm, NULL);
}

bool bpf_prog_has_kfunc_call(const struct bpf_prog *prog)
{
        return !!prog->aux->kfunc_tab;
}

const struct btf_func_model *
bpf_jit_find_kfunc_model(const struct bpf_prog *prog,
                         const struct bpf_insn *insn)
{
        const struct bpf_kfunc_desc desc = {
                .imm = insn->imm,
        };
        const struct bpf_kfunc_desc *res;
        struct bpf_kfunc_desc_tab *tab;

        tab = prog->aux->kfunc_tab;
        res = bsearch(&desc, tab->descs, tab->nr_descs,
                      sizeof(tab->descs[0]), kfunc_desc_cmp_by_imm);

        return res ? &res->func_model : NULL;
}

static int add_subprog_and_kfunc(struct bpf_verifier_env *env)
{
        struct bpf_subprog_info *subprog = env->subprog_info;
        struct bpf_insn *insn = env->prog->insnsi;
        int i, ret, insn_cnt = env->prog->len;

        /* Add entry function. */
        ret = add_subprog(env, 0);
        if (ret)
                return ret;

        for (i = 0; i < insn_cnt; i++, insn++) {
                if (!bpf_pseudo_func(insn) && !bpf_pseudo_call(insn) &&
                    !bpf_pseudo_kfunc_call(insn))
                        continue;

                if (!env->bpf_capable) {
                        verbose(env, "loading/calling other bpf or kernel functions are allowed for CAP_BPF and CAP_SYS_ADMIN\n");
                        return -EPERM;
                }

                if (bpf_pseudo_func(insn)) {
                        ret = add_subprog(env, i + insn->imm + 1);
                        if (ret >= 0)
                                /* remember subprog */
                                insn[1].imm = ret;
                } else if (bpf_pseudo_call(insn)) {
                        ret = add_subprog(env, i + insn->imm + 1);
                } else {
                        ret = add_kfunc_call(env, insn->imm);
                }

                if (ret < 0)
                        return ret;
        }

        /* Add a fake 'exit' subprog which could simplify subprog iteration
         * logic. 'subprog_cnt' should not be increased.
         */
        subprog[env->subprog_cnt].start = insn_cnt;

        if (env->log.level & BPF_LOG_LEVEL2)
                for (i = 0; i < env->subprog_cnt; i++)
                        verbose(env, "func#%d @%d\n", i, subprog[i].start);

        return 0;
}

static int check_subprogs(struct bpf_verifier_env *env)
{
        int i, subprog_start, subprog_end, off, cur_subprog = 0;
        struct bpf_subprog_info *subprog = env->subprog_info;
        struct bpf_insn *insn = env->prog->insnsi;
        int insn_cnt = env->prog->len;

        /* now check that all jumps are within the same subprog */
        subprog_start = subprog[cur_subprog].start;
        subprog_end = subprog[cur_subprog + 1].start;
        for (i = 0; i < insn_cnt; i++) {
                u8 code = insn[i].code;

                if (code == (BPF_JMP | BPF_CALL) &&
                    insn[i].imm == BPF_FUNC_tail_call &&
                    insn[i].src_reg != BPF_PSEUDO_CALL)
                        subprog[cur_subprog].has_tail_call = true;
                if (BPF_CLASS(code) == BPF_LD &&
                    (BPF_MODE(code) == BPF_ABS || BPF_MODE(code) == BPF_IND))
                        subprog[cur_subprog].has_ld_abs = true;
                if (BPF_CLASS(code) != BPF_JMP && BPF_CLASS(code) != BPF_JMP32)
                        goto next;
                if (BPF_OP(code) == BPF_EXIT || BPF_OP(code) == BPF_CALL)
                        goto next;
                off = i + insn[i].off + 1;
                if (off < subprog_start || off >= subprog_end) {
                        verbose(env, "jump out of range from insn %d to %d\n", i, off);
                        return -EINVAL;
                }
next:
                if (i == subprog_end - 1) {
                        /* to avoid fall-through from one subprog into another
                         * the last insn of the subprog should be either exit
                         * or unconditional jump back
                         */
                        if (code != (BPF_JMP | BPF_EXIT) &&
                            code != (BPF_JMP | BPF_JA)) {
                                verbose(env, "last insn is not an exit or jmp\n");
                                return -EINVAL;
                        }
                        subprog_start = subprog_end;
                        cur_subprog++;
                        if (cur_subprog < env->subprog_cnt)
                                subprog_end = subprog[cur_subprog + 1].start;
                }
        }
        return 0;
}

/* Parentage chain of this register (or stack slot) should take care of all
 * issues like callee-saved registers, stack slot allocation time, etc.
 */
static int mark_reg_read(struct bpf_verifier_env *env,
                         const struct bpf_reg_state *state,
                         struct bpf_reg_state *parent, u8 flag)
{
        bool writes = parent == state->parent; /* Observe write marks */
        int cnt = 0;

        while (parent) {
                /* if read wasn't screened by an earlier write ... */
                if (writes && state->live & REG_LIVE_WRITTEN)
                        break;
                if (parent->live & REG_LIVE_DONE) {
                        verbose(env, "verifier BUG type %s var_off %lld off %d\n",
                                reg_type_str[parent->type],
                                parent->var_off.value, parent->off);
                        return -EFAULT;
                }
                /* The first condition is more likely to be true than the
                 * second, checked it first.
                 */
                if ((parent->live & REG_LIVE_READ) == flag ||
                    parent->live & REG_LIVE_READ64)
                        /* The parentage chain never changes and
                         * this parent was already marked as LIVE_READ.
                         * There is no need to keep walking the chain again and
                         * keep re-marking all parents as LIVE_READ.
                         * This case happens when the same register is read
                         * multiple times without writes into it in-between.
                         * Also, if parent has the stronger REG_LIVE_READ64 set,
                         * then no need to set the weak REG_LIVE_READ32.
                         */
                        break;
                /* ... then we depend on parent's value */
                parent->live |= flag;
                /* REG_LIVE_READ64 overrides REG_LIVE_READ32. */
                if (flag == REG_LIVE_READ64)
                        parent->live &= ~REG_LIVE_READ32;
                state = parent;
                parent = state->parent;
                writes = true;
                cnt++;
        }

        if (env->longest_mark_read_walk < cnt)
                env->longest_mark_read_walk = cnt;
        return 0;
}

/* This function is supposed to be used by the following 32-bit optimization
 * code only. It returns TRUE if the source or destination register operates
 * on 64-bit, otherwise return FALSE.
 */
static bool is_reg64(struct bpf_verifier_env *env, struct bpf_insn *insn,
                     u32 regno, struct bpf_reg_state *reg, enum reg_arg_type t)
{
        u8 code, class, op;

        code = insn->code;
        class = BPF_CLASS(code);
        op = BPF_OP(code);
        if (class == BPF_JMP) {
                /* BPF_EXIT for "main" will reach here. Return TRUE
                 * conservatively.
                 */
                if (op == BPF_EXIT)
                        return true;
                if (op == BPF_CALL) {
                        /* BPF to BPF call will reach here because of marking
                         * caller saved clobber with DST_OP_NO_MARK for which we
                         * don't care the register def because they are anyway
                         * marked as NOT_INIT already.
                         */
                        if (insn->src_reg == BPF_PSEUDO_CALL)
                                return false;
                        /* Helper call will reach here because of arg type
                         * check, conservatively return TRUE.
                         */
                        if (t == SRC_OP)
                                return true;

                        return false;
                }
        }

        if (class == BPF_ALU64 || class == BPF_JMP ||
            /* BPF_END always use BPF_ALU class. */
            (class == BPF_ALU && op == BPF_END && insn->imm == 64))
                return true;

        if (class == BPF_ALU || class == BPF_JMP32)
                return false;

        if (class == BPF_LDX) {
                if (t != SRC_OP)
                        return BPF_SIZE(code) == BPF_DW;
                /* LDX source must be ptr. */
                return true;
        }

        if (class == BPF_STX) {
                /* BPF_STX (including atomic variants) has multiple source
                 * operands, one of which is a ptr. Check whether the caller is
                 * asking about it.
                 */
                if (t == SRC_OP && reg->type != SCALAR_VALUE)
                        return true;
                return BPF_SIZE(code) == BPF_DW;
        }

        if (class == BPF_LD) {
                u8 mode = BPF_MODE(code);

                /* LD_IMM64 */
                if (mode == BPF_IMM)
                        return true;

                /* Both LD_IND and LD_ABS return 32-bit data. */
                if (t != SRC_OP)
                        return  false;

                /* Implicit ctx ptr. */
                if (regno == BPF_REG_6)
                        return true;

                /* Explicit source could be any width. */
                return true;
        }

        if (class == BPF_ST)
                /* The only source register for BPF_ST is a ptr. */
                return true;

        /* Conservatively return true at default. */
        return true;
}

/* Return the regno defined by the insn, or -1. */
static int insn_def_regno(const struct bpf_insn *insn)
{
        switch (BPF_CLASS(insn->code)) {
        case BPF_JMP:
        case BPF_JMP32:
        case BPF_ST:
                return -1;
        case BPF_STX:
                if (BPF_MODE(insn->code) == BPF_ATOMIC &&
                    (insn->imm & BPF_FETCH)) {
                        if (insn->imm == BPF_CMPXCHG)
                                return BPF_REG_0;
                        else
                                return insn->src_reg;
                } else {
                        return -1;
                }
        default:
                return insn->dst_reg;
        }
}

/* Return TRUE if INSN has defined any 32-bit value explicitly. */
static bool insn_has_def32(struct bpf_verifier_env *env, struct bpf_insn *insn)
{
        int dst_reg = insn_def_regno(insn);

        if (dst_reg == -1)
                return false;

        return !is_reg64(env, insn, dst_reg, NULL, DST_OP);
}

static void mark_insn_zext(struct bpf_verifier_env *env,
                           struct bpf_reg_state *reg)
{
        s32 def_idx = reg->subreg_def;

        if (def_idx == DEF_NOT_SUBREG)
                return;

        env->insn_aux_data[def_idx - 1].zext_dst = true;
        /* The dst will be zero extended, so won't be sub-register anymore. */
        reg->subreg_def = DEF_NOT_SUBREG;
}

static int check_reg_arg(struct bpf_verifier_env *env, u32 regno,
                         enum reg_arg_type t)
{
        struct bpf_verifier_state *vstate = env->cur_state;
        struct bpf_func_state *state = vstate->frame[vstate->curframe];
        struct bpf_insn *insn = env->prog->insnsi + env->insn_idx;
        struct bpf_reg_state *reg, *regs = state->regs;
        bool rw64;

        if (regno >= MAX_BPF_REG) {
                verbose(env, "R%d is invalid\n", regno);
                return -EINVAL;
        }

        reg = &regs[regno];
        rw64 = is_reg64(env, insn, regno, reg, t);
        if (t == SRC_OP) {
                /* check whether register used as source operand can be read */
                if (reg->type == NOT_INIT) {
                        verbose(env, "R%d !read_ok\n", regno);
                        return -EACCES;
                }
                /* We don't need to worry about FP liveness because it's read-only */
                if (regno == BPF_REG_FP)
                        return 0;

                if (rw64)
                        mark_insn_zext(env, reg);

                return mark_reg_read(env, reg, reg->parent,
                                     rw64 ? REG_LIVE_READ64 : REG_LIVE_READ32);
        } else {
                /* check whether register used as dest operand can be written to */
                if (regno == BPF_REG_FP) {
                        verbose(env, "frame pointer is read only\n");
                        return -EACCES;
                }
                reg->live |= REG_LIVE_WRITTEN;
                reg->subreg_def = rw64 ? DEF_NOT_SUBREG : env->insn_idx + 1;
                if (t == DST_OP)
                        mark_reg_unknown(env, regs, regno);
        }
        return 0;
}

/* for any branch, call, exit record the history of jmps in the given state */
static int push_jmp_history(struct bpf_verifier_env *env,
                            struct bpf_verifier_state *cur)
{
        u32 cnt = cur->jmp_history_cnt;
        struct bpf_idx_pair *p;

        cnt++;
        p = krealloc(cur->jmp_history, cnt * sizeof(*p), GFP_USER);
        if (!p)
                return -ENOMEM;
        p[cnt - 1].idx = env->insn_idx;
        p[cnt - 1].prev_idx = env->prev_insn_idx;
        cur->jmp_history = p;
        cur->jmp_history_cnt = cnt;
        return 0;
}

/* Backtrack one insn at a time. If idx is not at the top of recorded
 * history then previous instruction came from straight line execution.
 */
static int get_prev_insn_idx(struct bpf_verifier_state *st, int i,
                             u32 *history)
{
        u32 cnt = *history;

        if (cnt && st->jmp_history[cnt - 1].idx == i) {
                i = st->jmp_history[cnt - 1].prev_idx;
                (*history)--;
        } else {
                i--;
        }
        return i;
}

static const char *disasm_kfunc_name(void *data, const struct bpf_insn *insn)
{
        const struct btf_type *func;

        if (insn->src_reg != BPF_PSEUDO_KFUNC_CALL)
                return NULL;

        func = btf_type_by_id(btf_vmlinux, insn->imm);
        return btf_name_by_offset(btf_vmlinux, func->name_off);
}

/* For given verifier state backtrack_insn() is called from the last insn to
 * the first insn. Its purpose is to compute a bitmask of registers and
 * stack slots that needs precision in the parent verifier state.
 */
static int backtrack_insn(struct bpf_verifier_env *env, int idx,
                          u32 *reg_mask, u64 *stack_mask)
{
        const struct bpf_insn_cbs cbs = {
                .cb_call        = disasm_kfunc_name,
                .cb_print       = verbose,
                .private_data   = env,
        };
        struct bpf_insn *insn = env->prog->insnsi + idx;
        u8 class = BPF_CLASS(insn->code);
        u8 opcode = BPF_OP(insn->code);
        u8 mode = BPF_MODE(insn->code);
        u32 dreg = 1u << insn->dst_reg;
        u32 sreg = 1u << insn->src_reg;
        u32 spi;

        if (insn->code == 0)
                return 0;
        if (env->log.level & BPF_LOG_LEVEL) {
                verbose(env, "regs=%x stack=%llx before ", *reg_mask, *stack_mask);
                verbose(env, "%d: ", idx);
                print_bpf_insn(&cbs, insn, env->allow_ptr_leaks);
        }

        if (class == BPF_ALU || class == BPF_ALU64) {
                if (!(*reg_mask & dreg))
                        return 0;
                if (opcode == BPF_MOV) {
                        if (BPF_SRC(insn->code) == BPF_X) {
                                /* dreg = sreg
                                 * dreg needs precision after this insn
                                 * sreg needs precision before this insn
                                 */
                                *reg_mask &= ~dreg;
                                *reg_mask |= sreg;
                        } else {
                                /* dreg = K
                                 * dreg needs precision after this insn.
                                 * Corresponding register is already marked
                                 * as precise=true in this verifier state.
                                 * No further markings in parent are necessary
                                 */
                                *reg_mask &= ~dreg;
                        }
                } else {
                        if (BPF_SRC(insn->code) == BPF_X) {
                                /* dreg += sreg
                                 * both dreg and sreg need precision
                                 * before this insn
                                 */
                                *reg_mask |= sreg;
                        } /* else dreg += K
                           * dreg still needs precision before this insn
                           */
                }
        } else if (class == BPF_LDX) {
                if (!(*reg_mask & dreg))
                        return 0;
                *reg_mask &= ~dreg;

                /* scalars can only be spilled into stack w/o losing precision.
                 * Load from any other memory can be zero extended.
                 * The desire to keep that precision is already indicated
                 * by 'precise' mark in corresponding register of this state.
                 * No further tracking necessary.
                 */
                if (insn->src_reg != BPF_REG_FP)
                        return 0;
                if (BPF_SIZE(insn->code) != BPF_DW)
                        return 0;

                /* dreg = *(u64 *)[fp - off] was a fill from the stack.
                 * that [fp - off] slot contains scalar that needs to be
                 * tracked with precision
                 */
                spi = (-insn->off - 1) / BPF_REG_SIZE;
                if (spi >= 64) {
                        verbose(env, "BUG spi %d\n", spi);
                        WARN_ONCE(1, "verifier backtracking bug");
                        return -EFAULT;
                }
                *stack_mask |= 1ull << spi;
        } else if (class == BPF_STX || class == BPF_ST) {
                if (*reg_mask & dreg)
                        /* stx & st shouldn't be using _scalar_ dst_reg
                         * to access memory. It means backtracking
                         * encountered a case of pointer subtraction.
                         */
                        return -ENOTSUPP;
                /* scalars can only be spilled into stack */
                if (insn->dst_reg != BPF_REG_FP)
                        return 0;
                if (BPF_SIZE(insn->code) != BPF_DW)
                        return 0;
                spi = (-insn->off - 1) / BPF_REG_SIZE;
                if (spi >= 64) {
                        verbose(env, "BUG spi %d\n", spi);
                        WARN_ONCE(1, "verifier backtracking bug");
                        return -EFAULT;
                }
                if (!(*stack_mask & (1ull << spi)))
                        return 0;
                *stack_mask &= ~(1ull << spi);
                if (class == BPF_STX)
                        *reg_mask |= sreg;
        } else if (class == BPF_JMP || class == BPF_JMP32) {
                if (opcode == BPF_CALL) {
                        if (insn->src_reg == BPF_PSEUDO_CALL)
                                return -ENOTSUPP;
                        /* regular helper call sets R0 */
                        *reg_mask &= ~1;
                        if (*reg_mask & 0x3f) {
                                /* if backtracing was looking for registers R1-R5
                                 * they should have been found already.
                                 */
                                verbose(env, "BUG regs %x\n", *reg_mask);
                                WARN_ONCE(1, "verifier backtracking bug");
                                return -EFAULT;
                        }
                } else if (opcode == BPF_EXIT) {
                        return -ENOTSUPP;
                }
        } else if (class == BPF_LD) {
                if (!(*reg_mask & dreg))
                        return 0;
                *reg_mask &= ~dreg;
                /* It's ld_imm64 or ld_abs or ld_ind.
                 * For ld_imm64 no further tracking of precision
                 * into parent is necessary
                 */
                if (mode == BPF_IND || mode == BPF_ABS)
                        /* to be analyzed */
                        return -ENOTSUPP;
        }
        return 0;
}

/* the scalar precision tracking algorithm:
 * . at the start all registers have precise=false.
 * . scalar ranges are tracked as normal through alu and jmp insns.
 * . once precise value of the scalar register is used in:
 *   .  ptr + scalar alu
 *   . if (scalar cond K|scalar)
 *   .  helper_call(.., scalar, ...) where ARG_CONST is expected
 *   backtrack through the verifier states and mark all registers and
 *   stack slots with spilled constants that these scalar regisers
 *   should be precise.
 * . during state pruning two registers (or spilled stack slots)
 *   are equivalent if both are not precise.
 *
 * Note the verifier cannot simply walk register parentage chain,
 * since many different registers and stack slots could have been
 * used to compute single precise scalar.
 *
 * The approach of starting with precise=true for all registers and then
 * backtrack to mark a register as not precise when the verifier detects
 * that program doesn't care about specific value (e.g., when helper
 * takes register as ARG_ANYTHING parameter) is not safe.
 *
 * It's ok to walk single parentage chain of the verifier states.
 * It's possible that this backtracking will go all the way till 1st insn.
 * All other branches will be explored for needing precision later.
 *
 * The backtracking needs to deal with cases like:
 *   R8=map_value(id=0,off=0,ks=4,vs=1952,imm=0) R9_w=map_value(id=0,off=40,ks=4,vs=1952,imm=0)
 * r9 -= r8
 * r5 = r9
 * if r5 > 0x79f goto pc+7
 *    R5_w=inv(id=0,umax_value=1951,var_off=(0x0; 0x7ff))
 * r5 += 1
 * ...
 * call bpf_perf_event_output#25
 *   where .arg5_type = ARG_CONST_SIZE_OR_ZERO
 *
 * and this case:
 * r6 = 1
 * call foo // uses callee's r6 inside to compute r0
 * r0 += r6
 * if r0 == 0 goto
 *
 * to track above reg_mask/stack_mask needs to be independent for each frame.
 *
 * Also if parent's curframe > frame where backtracking started,
 * the verifier need to mark registers in both frames, otherwise callees
 * may incorrectly prune callers. This is similar to
 * commit 7640ead93924 ("bpf: verifier: make sure callees don't prune with caller differences")
 *
 * For now backtracking falls back into conservative marking.
 */
static void mark_all_scalars_precise(struct bpf_verifier_env *env,
                                     struct bpf_verifier_state *st)
{
        struct bpf_func_state *func;
        struct bpf_reg_state *reg;
        int i, j;

        /* big hammer: mark all scalars precise in this path.
         * pop_stack may still get !precise scalars.
         */
        for (; st; st = st->parent)
                for (i = 0; i <= st->curframe; i++) {
                        func = st->frame[i];
                        for (j = 0; j < BPF_REG_FP; j++) {
                                reg = &func->regs[j];
                                if (reg->type != SCALAR_VALUE)
                                        continue;
                                reg->precise = true;
                        }
                        for (j = 0; j < func->allocated_stack / BPF_REG_SIZE; j++) {
                                if (func->stack[j].slot_type[0] != STACK_SPILL)
                                        continue;
                                reg = &func->stack[j].spilled_ptr;
                                if (reg->type != SCALAR_VALUE)
                                        continue;
                                reg->precise = true;
                        }
                }
}

static int __mark_chain_precision(struct bpf_verifier_env *env, int regno,
                                  int spi)
{
        struct bpf_verifier_state *st = env->cur_state;
        int first_idx = st->first_insn_idx;
        int last_idx = env->insn_idx;
        struct bpf_func_state *func;
        struct bpf_reg_state *reg;
        u32 reg_mask = regno >= 0 ? 1u << regno : 0;
        u64 stack_mask = spi >= 0 ? 1ull << spi : 0;
        bool skip_first = true;
        bool new_marks = false;
        int i, err;

        if (!env->bpf_capable)
                return 0;

        func = st->frame[st->curframe];
        if (regno >= 0) {
                reg = &func->regs[regno];
                if (reg->type != SCALAR_VALUE) {
                        WARN_ONCE(1, "backtracing misuse");
                        return -EFAULT;
                }
                if (!reg->precise)
                        new_marks = true;
                else
                        reg_mask = 0;
                reg->precise = true;
        }

        while (spi >= 0) {
                if (func->stack[spi].slot_type[0] != STACK_SPILL) {
                        stack_mask = 0;
                        break;
                }
                reg = &func->stack[spi].spilled_ptr;
                if (reg->type != SCALAR_VALUE) {
                        stack_mask = 0;
                        break;
                }
                if (!reg->precise)
                        new_marks = true;
                else
                        stack_mask = 0;
                reg->precise = true;
                break;
        }

        if (!new_marks)
                return 0;
        if (!reg_mask && !stack_mask)
                return 0;
        for (;;) {
                DECLARE_BITMAP(mask, 64);
                u32 history = st->jmp_history_cnt;

                if (env->log.level & BPF_LOG_LEVEL)
                        verbose(env, "last_idx %d first_idx %d\n", last_idx, first_idx);
                for (i = last_idx;;) {
                        if (skip_first) {
                                err = 0;
                                skip_first = false;
                        } else {
                                err = backtrack_insn(env, i, &reg_mask, &stack_mask);
                        }
                        if (err == -ENOTSUPP) {
                                mark_all_scalars_precise(env, st);
                                return 0;
                        } else if (err) {
                                return err;
                        }
                        if (!reg_mask && !stack_mask)
                                /* Found assignment(s) into tracked register in this state.
                                 * Since this state is already marked, just return.
                                 * Nothing to be tracked further in the parent state.
                                 */
                                return 0;
                        if (i == first_idx)
                                break;
                        i = get_prev_insn_idx(st, i, &history);
                        if (i >= env->prog->len) {
                                /* This can happen if backtracking reached insn 0
                                 * and there are still reg_mask or stack_mask
                                 * to backtrack.
                                 * It means the backtracking missed the spot where
                                 * particular register was initialized with a constant.
                                 */
                                verbose(env, "BUG backtracking idx %d\n", i);
                                WARN_ONCE(1, "verifier backtracking bug");
                                return -EFAULT;
                        }
                }
                st = st->parent;
                if (!st)
                        break;

                new_marks = false;
                func = st->frame[st->curframe];
                bitmap_from_u64(mask, reg_mask);
                for_each_set_bit(i, mask, 32) {
                        reg = &func->regs[i];
                        if (reg->type != SCALAR_VALUE) {
                                reg_mask &= ~(1u << i);
                                continue;
                        }
                        if (!reg->precise)
                                new_marks = true;
                        reg->precise = true;
                }

                bitmap_from_u64(mask, stack_mask);
                for_each_set_bit(i, mask, 64) {
                        if (i >= func->allocated_stack / BPF_REG_SIZE) {
                                /* the sequence of instructions:
                                 * 2: (bf) r3 = r10
                                 * 3: (7b) *(u64 *)(r3 -8) = r0
                                 * 4: (79) r4 = *(u64 *)(r10 -8)
                                 * doesn't contain jmps. It's backtracked
                                 * as a single block.
                                 * During backtracking insn 3 is not recognized as
                                 * stack access, so at the end of backtracking
                                 * stack slot fp-8 is still marked in stack_mask.
                                 * However the parent state may not have accessed
                                 * fp-8 and it's "unallocated" stack space.
                                 * In such case fallback to conservative.
                                 */
                                mark_all_scalars_precise(env, st);
                                return 0;
                        }

                        if (func->stack[i].slot_type[0] != STACK_SPILL) {
                                stack_mask &= ~(1ull << i);
                                continue;
                        }
                        reg = &func->stack[i].spilled_ptr;
                        if (reg->type != SCALAR_VALUE) {
                                stack_mask &= ~(1ull << i);
                                continue;
                        }
                        if (!reg->precise)
                                new_marks = true;
                        reg->precise = true;
                }
                if (env->log.level & BPF_LOG_LEVEL) {
                        print_verifier_state(env, func);
                        verbose(env, "parent %s regs=%x stack=%llx marks\n",
                                new_marks ? "didn't have" : "already had",
                                reg_mask, stack_mask);
                }

                if (!reg_mask && !stack_mask)
                        break;
                if (!new_marks)
                        break;

                last_idx = st->last_insn_idx;
                first_idx = st->first_insn_idx;
        }
        return 0;
}

static int mark_chain_precision(struct bpf_verifier_env *env, int regno)
{
        return __mark_chain_precision(env, regno, -1);
}

static int mark_chain_precision_stack(struct bpf_verifier_env *env, int spi)
{
        return __mark_chain_precision(env, -1, spi);
}

static bool is_spillable_regtype(enum bpf_reg_type type)
{
        switch (type) {
        case PTR_TO_MAP_VALUE:
        case PTR_TO_MAP_VALUE_OR_NULL:
        case PTR_TO_STACK:
        case PTR_TO_CTX:
        case PTR_TO_PACKET:
        case PTR_TO_PACKET_META:
        case PTR_TO_PACKET_END:
        case PTR_TO_FLOW_KEYS:
        case CONST_PTR_TO_MAP:
        case PTR_TO_SOCKET:
        case PTR_TO_SOCKET_OR_NULL:
        case PTR_TO_SOCK_COMMON:
        case PTR_TO_SOCK_COMMON_OR_NULL:
        case PTR_TO_TCP_SOCK:
        case PTR_TO_TCP_SOCK_OR_NULL:
        case PTR_TO_XDP_SOCK:
        case PTR_TO_BTF_ID:
        case PTR_TO_BTF_ID_OR_NULL:
        case PTR_TO_RDONLY_BUF:
        case PTR_TO_RDONLY_BUF_OR_NULL:
        case PTR_TO_RDWR_BUF:
        case PTR_TO_RDWR_BUF_OR_NULL:
        case PTR_TO_PERCPU_BTF_ID:
        case PTR_TO_MEM:
        case PTR_TO_MEM_OR_NULL:
        case PTR_TO_FUNC:
        case PTR_TO_MAP_KEY:
                return true;
        default:
                return false;
        }
}

/* Does this register contain a constant zero? */
static bool register_is_null(struct bpf_reg_state *reg)
{
        return reg->type == SCALAR_VALUE && tnum_equals_const(reg->var_off, 0);
}

static bool register_is_const(struct bpf_reg_state *reg)
{
        return reg->type == SCALAR_VALUE && tnum_is_const(reg->var_off);
}

static bool __is_scalar_unbounded(struct bpf_reg_state *reg)
{
        return tnum_is_unknown(reg->var_off) &&
               reg->smin_value == S64_MIN && reg->smax_value == S64_MAX &&
               reg->umin_value == 0 && reg->umax_value == U64_MAX &&
               reg->s32_min_value == S32_MIN && reg->s32_max_value == S32_MAX &&
               reg->u32_min_value == 0 && reg->u32_max_value == U32_MAX;
}

static bool register_is_bounded(struct bpf_reg_state *reg)
{
        return reg->type == SCALAR_VALUE && !__is_scalar_unbounded(reg);
}

static bool __is_pointer_value(bool allow_ptr_leaks,
                               const struct bpf_reg_state *reg)
{
        if (allow_ptr_leaks)
                return false;

        return reg->type != SCALAR_VALUE;
}

static void save_register_state(struct bpf_func_state *state,
                                int spi, struct bpf_reg_state *reg)
{
        int i;

        state->stack[spi].spilled_ptr = *reg;
        state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN;

        for (i = 0; i < BPF_REG_SIZE; i++)
                state->stack[spi].slot_type[i] = STACK_SPILL;
}

/* check_stack_{read,write}_fixed_off functions track spill/fill of registers,
 * stack boundary and alignment are checked in check_mem_access()
 */
static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
                                       /* stack frame we're writing to */
                                       struct bpf_func_state *state,
                                       int off, int size, int value_regno,
                                       int insn_idx)
{
        struct bpf_func_state *cur; /* state of the current function */
        int i, slot = -off - 1, spi = slot / BPF_REG_SIZE, err;
        u32 dst_reg = env->prog->insnsi[insn_idx].dst_reg;
        struct bpf_reg_state *reg = NULL;

        err = grow_stack_state(state, round_up(slot + 1, BPF_REG_SIZE));
        if (err)
                return err;
        /* caller checked that off % size == 0 and -MAX_BPF_STACK <= off < 0,
         * so it's aligned access and [off, off + size) are within stack limits
         */
        if (!env->allow_ptr_leaks &&
            state->stack[spi].slot_type[0] == STACK_SPILL &&
            size != BPF_REG_SIZE) {
                verbose(env, "attempt to corrupt spilled pointer on stack\n");
                return -EACCES;
        }

        cur = env->cur_state->frame[env->cur_state->curframe];
        if (value_regno >= 0)
                reg = &cur->regs[value_regno];
        if (!env->bypass_spec_v4) {
                bool sanitize = reg && is_spillable_regtype(reg->type);

                for (i = 0; i < size; i++) {
                        if (state->stack[spi].slot_type[i] == STACK_INVALID) {
                                sanitize = true;
                                break;
                        }
                }

                if (sanitize)
                        env->insn_aux_data[insn_idx].sanitize_stack_spill = true;
        }

        if (reg && size == BPF_REG_SIZE && register_is_bounded(reg) &&
            !register_is_null(reg) && env->bpf_capable) {
                if (dst_reg != BPF_REG_FP) {
                        /* The backtracking logic can only recognize explicit
                         * stack slot address like [fp - 8]. Other spill of
                         * scalar via different register has to be conservative.
                         * Backtrack from here and mark all registers as precise
                         * that contributed into 'reg' being a constant.
                         */
                        err = mark_chain_precision(env, value_regno);
                        if (err)
                                return err;
                }
                save_register_state(state, spi, reg);
        } else if (reg && is_spillable_regtype(reg->type)) {
                /* register containing pointer is being spilled into stack */
                if (size != BPF_REG_SIZE) {
                        verbose_linfo(env, insn_idx, "; ");
                        verbose(env, "invalid size of register spill\n");
                        return -EACCES;
                }
                if (state != cur && reg->type == PTR_TO_STACK) {
                        verbose(env, "cannot spill pointers to stack into stack frame of the caller\n");
                        return -EINVAL;
                }
                save_register_state(state, spi, reg);
        } else {
                u8 type = STACK_MISC;

                /* regular write of data into stack destroys any spilled ptr */
                state->stack[spi].spilled_ptr.type = NOT_INIT;
                /* Mark slots as STACK_MISC if they belonged to spilled ptr. */
                if (state->stack[spi].slot_type[0] == STACK_SPILL)
                        for (i = 0; i < BPF_REG_SIZE; i++)
                                state->stack[spi].slot_type[i] = STACK_MISC;

                /* only mark the slot as written if all 8 bytes were written
                 * otherwise read propagation may incorrectly stop too soon
                 * when stack slots are partially written.
                 * This heuristic means that read propagation will be
                 * conservative, since it will add reg_live_read marks
                 * to stack slots all the way to first state when programs
                 * writes+reads less than 8 bytes
                 */
                if (size == BPF_REG_SIZE)
                        state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN;

                /* when we zero initialize stack slots mark them as such */
                if (reg && register_is_null(reg)) {
                        /* backtracking doesn't work for STACK_ZERO yet. */
                        err = mark_chain_precision(env, value_regno);
                        if (err)
                                return err;
                        type = STACK_ZERO;
                }

                /* Mark slots affected by this stack write. */
                for (i = 0; i < size; i++)
                        state->stack[spi].slot_type[(slot - i) % BPF_REG_SIZE] =
                                type;
        }
        return 0;
}

/* Write the stack: 'stack[ptr_regno + off] = value_regno'. 'ptr_regno' is
 * known to contain a variable offset.
 * This function checks whether the write is permitted and conservatively
 * tracks the effects of the write, considering that each stack slot in the
 * dynamic range is potentially written to.
 *
 * 'off' includes 'regno->off'.
 * 'value_regno' can be -1, meaning that an unknown value is being written to
 * the stack.
 *
 * Spilled pointers in range are not marked as written because we don't know
 * what's going to be actually written. This means that read propagation for
 * future reads cannot be terminated by this write.
 *
 * For privileged programs, uninitialized stack slots are considered
 * initialized by this write (even though we don't know exactly what offsets
 * are going to be written to). The idea is that we don't want the verifier to
 * reject future reads that access slots written to through variable offsets.
 */
static int check_stack_write_var_off(struct bpf_verifier_env *env,
                                     /* func where register points to */
                                     struct bpf_func_state *state,
                                     int ptr_regno, int off, int size,
                                     int value_regno, int insn_idx)
{
        struct bpf_func_state *cur; /* state of the current function */
        int min_off, max_off;
        int i, err;
        struct bpf_reg_state *ptr_reg = NULL, *value_reg = NULL;
        bool writing_zero = false;
        /* set if the fact that we're writing a zero is used to let any
         * stack slots remain STACK_ZERO
         */
        bool zero_used = false;

        cur = env->cur_state->frame[env->cur_state->curframe];
        ptr_reg = &cur->regs[ptr_regno];
        min_off = ptr_reg->smin_value + off;
        max_off = ptr_reg->smax_value + off + size;
        if (value_regno >= 0)
                value_reg = &cur->regs[value_regno];
        if (value_reg && register_is_null(value_reg))
                writing_zero = true;

        err = grow_stack_state(state, round_up(-min_off, BPF_REG_SIZE));
        if (err)
                return err;


        /* Variable offset writes destroy any spilled pointers in range. */
        for (i = min_off; i < max_off; i++) {
                u8 new_type, *stype;
                int slot, spi;

                slot = -i - 1;
                spi = slot / BPF_REG_SIZE;
                stype = &state->stack[spi].slot_type[slot % BPF_REG_SIZE];

                if (!env->allow_ptr_leaks
                                && *stype != NOT_INIT
                                && *stype != SCALAR_VALUE) {
                        /* Reject the write if there's are spilled pointers in
                         * range. If we didn't reject here, the ptr status
                         * would be erased below (even though not all slots are
                         * actually overwritten), possibly opening the door to
                         * leaks.
                         */
                        verbose(env, "spilled ptr in range of var-offset stack write; insn %d, ptr off: %d",
                                insn_idx, i);
                        return -EINVAL;
                }

                /* Erase all spilled pointers. */
                state->stack[spi].spilled_ptr.type = NOT_INIT;

                /* Update the slot type. */
                new_type = STACK_MISC;
                if (writing_zero && *stype == STACK_ZERO) {
                        new_type = STACK_ZERO;
                        zero_used = true;
                }
                /* If the slot is STACK_INVALID, we check whether it's OK to
                 * pretend that it will be initialized by this write. The slot
                 * might not actually be written to, and so if we mark it as
                 * initialized future reads might leak uninitialized memory.
                 * For privileged programs, we will accept such reads to slots
                 * that may or may not be written because, if we're reject
                 * them, the error would be too confusing.
                 */
                if (*stype == STACK_INVALID && !env->allow_uninit_stack) {
                        verbose(env, "uninit stack in range of var-offset write prohibited for !root; insn %d, off: %d",
                                        insn_idx, i);
                        return -EINVAL;
                }
                *stype = new_type;
        }
        if (zero_used) {
                /* backtracking doesn't work for STACK_ZERO yet. */
                err = mark_chain_precision(env, value_regno);
                if (err)
                        return err;
        }
        return 0;
}

/* When register 'dst_regno' is assigned some values from stack[min_off,
 * max_off), we set the register's type according to the types of the
 * respective stack slots. If all the stack values are known to be zeros, then
 * so is the destination reg. Otherwise, the register is considered to be
 * SCALAR. This function does not deal with register filling; the caller must
 * ensure that all spilled registers in the stack range have been marked as
 * read.
 */
static void mark_reg_stack_read(struct bpf_verifier_env *env,
                                /* func where src register points to */
                                struct bpf_func_state *ptr_state,
                                int min_off, int max_off, int dst_regno)
{
        struct bpf_verifier_state *vstate = env->cur_state;
        struct bpf_func_state *state = vstate->frame[vstate->curframe];
        int i, slot, spi;
        u8 *stype;
        int zeros = 0;

        for (i = min_off; i < max_off; i++) {
                slot = -i - 1;
                spi = slot / BPF_REG_SIZE;
                stype = ptr_state->stack[spi].slot_type;
                if (stype[slot % BPF_REG_SIZE] != STACK_ZERO)
                        break;
                zeros++;
        }
        if (zeros == max_off - min_off) {
                /* any access_size read into register is zero extended,
                 * so the whole register == const_zero
                 */
                __mark_reg_const_zero(&state->regs[dst_regno]);
                /* backtracking doesn't support STACK_ZERO yet,
                 * so mark it precise here, so that later
                 * backtracking can stop here.
                 * Backtracking may not need this if this register
                 * doesn't participate in pointer adjustment.
                 * Forward propagation of precise flag is not
                 * necessary either. This mark is only to stop
                 * backtracking. Any register that contributed
                 * to const 0 was marked precise before spill.
                 */
                state->regs[dst_regno].precise = true;
        } else {
                /* have read misc data from the stack */
                mark_reg_unknown(env, state->regs, dst_regno);
        }
        state->regs[dst_regno].live |= REG_LIVE_WRITTEN;
}

/* Read the stack at 'off' and put the results into the register indicated by
 * 'dst_regno'. It handles reg filling if the addressed stack slot is a
 * spilled reg.
 *
 * 'dst_regno' can be -1, meaning that the read value is not going to a
 * register.
 *
 * The access is assumed to be within the current stack bounds.
 */
static int check_stack_read_fixed_off(struct bpf_verifier_env *env,
                                      /* func where src register points to */
                                      struct bpf_func_state *reg_state,
                                      int off, int size, int dst_regno)
{
        struct bpf_verifier_state *vstate = env->cur_state;
        struct bpf_func_state *state = vstate->frame[vstate->curframe];
        int i, slot = -off - 1, spi = slot / BPF_REG_SIZE;
        struct bpf_reg_state *reg;
        u8 *stype;

        stype = reg_state->stack[spi].slot_type;
        reg = &reg_state->stack[spi].spilled_ptr;

        if (stype[0] == STACK_SPILL) {
                if (size != BPF_REG_SIZE) {
                        if (reg->type != SCALAR_VALUE) {
                                verbose_linfo(env, env->insn_idx, "; ");
                                verbose(env, "invalid size of register fill\n");
                                return -EACCES;
                        }
                        if (dst_regno >= 0) {
                                mark_reg_unknown(env, state->regs, dst_regno);
                                state->regs[dst_regno].live |= REG_LIVE_WRITTEN;
                        }
                        mark_reg_read(env, reg, reg->parent, REG_LIVE_READ64);
                        return 0;
                }
                for (i = 1; i < BPF_REG_SIZE; i++) {
                        if (stype[(slot - i) % BPF_REG_SIZE] != STACK_SPILL) {
                                verbose(env, "corrupted spill memory\n");
                                return -EACCES;
                        }
                }

                if (dst_regno >= 0) {
                        /* restore register state from stack */
                        state->regs[dst_regno] = *reg;
                        /* mark reg as written since spilled pointer state likely
                         * has its liveness marks cleared by is_state_visited()
                         * which resets stack/reg liveness for state transitions
                         */
                        state->regs[dst_regno].live |= REG_LIVE_WRITTEN;
                } else if (__is_pointer_value(env->allow_ptr_leaks, reg)) {
                        /* If dst_regno==-1, the caller is asking us whether
                         * it is acceptable to use this value as a SCALAR_VALUE
                         * (e.g. for XADD).
                         * We must not allow unprivileged callers to do that
                         * with spilled pointers.
                         */
                        verbose(env, "leaking pointer from stack off %d\n",
                                off);
                        return -EACCES;
                }
                mark_reg_read(env, reg, reg->parent, REG_LIVE_READ64);
        } else {
                u8 type;

                for (i = 0; i < size; i++) {
                        type = stype[(slot - i) % BPF_REG_SIZE];
                        if (type == STACK_MISC)
                                continue;
                        if (type == STACK_ZERO)
                                continue;
                        verbose(env, "invalid read from stack off %d+%d size %d\n",
                                off, i, size);
                        return -EACCES;
                }
                mark_reg_read(env, reg, reg->parent, REG_LIVE_READ64);
                if (dst_regno >= 0)
                        mark_reg_stack_read(env, reg_state, off, off + size, dst_regno);
        }
        return 0;
}

enum stack_access_src {
        ACCESS_DIRECT = 1,  /* the access is performed by an instruction */
        ACCESS_HELPER = 2,  /* the access is performed by a helper */
};

static int check_stack_range_initialized(struct bpf_verifier_env *env,
                                         int regno, int off, int access_size,
                                         bool zero_size_allowed,
                                         enum stack_access_src type,
                                         struct bpf_call_arg_meta *meta);

static struct bpf_reg_state *reg_state(struct bpf_verifier_env *env, int regno)
{
        return cur_regs(env) + regno;
}

/* Read the stack at 'ptr_regno + off' and put the result into the register
 * 'dst_regno'.
 * 'off' includes the pointer register's fixed offset(i.e. 'ptr_regno.off'),
 * but not its variable offset.
 * 'size' is assumed to be <= reg size and the access is assumed to be aligned.
 *
 * As opposed to check_stack_read_fixed_off, this function doesn't deal with
 * filling registers (i.e. reads of spilled register cannot be detected when
 * the offset is not fixed). We conservatively mark 'dst_regno' as containing
 * SCALAR_VALUE. That's why we assert that the 'ptr_regno' has a variable
 * offset; for a fixed offset check_stack_read_fixed_off should be used
 * instead.
 */
static int check_stack_read_var_off(struct bpf_verifier_env *env,
                                    int ptr_regno, int off, int size, int dst_regno)
{
        /* The state of the source register. */
        struct bpf_reg_state *reg = reg_state(env, ptr_regno);
        struct bpf_func_state *ptr_state = func(env, reg);
        int err;
        int min_off, max_off;

        /* Note that we pass a NULL meta, so raw access will not be permitted.
         */
        err = check_stack_range_initialized(env, ptr_regno, off, size,
                                            false, ACCESS_DIRECT, NULL);
        if (err)
                return err;

        min_off = reg->smin_value + off;
        max_off = reg->smax_value + off;
        mark_reg_stack_read(env, ptr_state, min_off, max_off + size, dst_regno);
        return 0;
}

/* check_stack_read dispatches to check_stack_read_fixed_off or
 * check_stack_read_var_off.
 *
 * The caller must ensure that the offset falls within the allocated stack
 * bounds.
 *
 * 'dst_regno' is a register which will receive the value from the stack. It
 * can be -1, meaning that the read value is not going to a register.
 */
static int check_stack_read(struct bpf_verifier_env *env,
                            int ptr_regno, int off, int size,
                            int dst_regno)
{
        struct bpf_reg_state *reg = reg_state(env, ptr_regno);
        struct bpf_func_state *state = func(env, reg);
        int err;
        /* Some accesses are only permitted with a static offset. */
        bool var_off = !tnum_is_const(reg->var_off);

        /* The offset is required to be static when reads don't go to a