static void nfp_record_adjust_head(struct nfp_app_bpf *bpf, struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta, const struct bpf_reg_state *reg2) { unsigned int location = UINT_MAX; int imm; /* Datapath usually can give us guarantees on how much adjust head * can be done without the need for any checks. Optimize the simple * case where there is only one adjust head by a constant. */ if (reg2->type != SCALAR_VALUE || !tnum_is_const(reg2->var_off)) goto exit_set_location; imm = reg2->var_off.value; /* Translator will skip all checks, we need to guarantee min pkt len */ if (imm > ETH_ZLEN - ETH_HLEN) goto exit_set_location; if (imm > (int)bpf->adjust_head.guaranteed_add || imm < -bpf->adjust_head.guaranteed_sub) goto exit_set_location; if (nfp_prog->adjust_head_location) { /* Only one call per program allowed */ if (nfp_prog->adjust_head_location != meta->n) goto exit_set_location; if (meta->arg2.reg.var_off.value != imm) goto exit_set_location; } location = meta->n; exit_set_location: nfp_prog->adjust_head_location = location; }
static int nfp_bpf_map_mark_used(struct bpf_verifier_env *env, struct nfp_insn_meta *meta, const struct bpf_reg_state *reg, enum nfp_bpf_map_use use) { struct bpf_offloaded_map *offmap; struct nfp_bpf_map *nfp_map; unsigned int size, off; int i, err; if (!tnum_is_const(reg->var_off)) { pr_vlog(env, "map value offset is variable\n"); return -EOPNOTSUPP; } off = reg->var_off.value + meta->insn.off + reg->off; size = BPF_LDST_BYTES(&meta->insn); offmap = map_to_offmap(reg->map_ptr); nfp_map = offmap->dev_priv; if (off + size > offmap->map.value_size) { pr_vlog(env, "map value access out-of-bounds\n"); return -EINVAL; } for (i = 0; i < size; i += 4 - (off + i) % 4) { err = nfp_bpf_map_mark_used_one(env, nfp_map, off + i, use); if (err) return err; } return 0; }
static int nfp_bpf_check_stack_access(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta, const struct bpf_reg_state *reg, struct bpf_verifier_env *env) { s32 old_off, new_off; if (!tnum_is_const(reg->var_off)) { pr_vlog(env, "variable ptr stack access\n"); return -EINVAL; } if (meta->ptr.type == NOT_INIT) return 0; old_off = meta->ptr.off + meta->ptr.var_off.value; new_off = reg->off + reg->var_off.value; meta->ptr_not_const |= old_off != new_off; if (!meta->ptr_not_const) return 0; if (old_off % 4 == new_off % 4) return 0; pr_vlog(env, "stack access changed location was:%d is:%d\n", old_off, new_off); return -EINVAL; }
static int nfp_bpf_check_exit(struct nfp_prog *nfp_prog, struct bpf_verifier_env *env) { const struct bpf_reg_state *reg0 = cur_regs(env) + BPF_REG_0; u64 imm; if (nfp_prog->type == BPF_PROG_TYPE_XDP) return 0; if (!(reg0->type == SCALAR_VALUE && tnum_is_const(reg0->var_off))) { char tn_buf[48]; tnum_strn(tn_buf, sizeof(tn_buf), reg0->var_off); pr_vlog(env, "unsupported exit state: %d, var_off: %s\n", reg0->type, tn_buf); return -EINVAL; } imm = reg0->var_off.value; if (nfp_prog->type == BPF_PROG_TYPE_SCHED_CLS && imm <= TC_ACT_REDIRECT && imm != TC_ACT_SHOT && imm != TC_ACT_STOLEN && imm != TC_ACT_QUEUED) { pr_vlog(env, "unsupported exit state: %d, imm: %llx\n", reg0->type, imm); return -EINVAL; } return 0; }
static int nfp_bpf_stack_arg_ok(const char *fname, struct bpf_verifier_env *env, const struct bpf_reg_state *reg, struct nfp_bpf_reg_state *old_arg) { s64 off, old_off; if (reg->type != PTR_TO_STACK) { pr_vlog(env, "%s: unsupported ptr type %d\n", fname, reg->type); return false; } if (!tnum_is_const(reg->var_off)) { pr_vlog(env, "%s: variable pointer\n", fname); return false; } off = reg->var_off.value + reg->off; if (-off % 4) { pr_vlog(env, "%s: unaligned stack pointer %lld\n", fname, -off); return false; } /* Rest of the checks is only if we re-parse the same insn */ if (!old_arg) return true; old_off = old_arg->reg.var_off.value + old_arg->reg.off; old_arg->var_off |= off != old_off; return true; }
static int nfp_bpf_check_call(struct nfp_prog *nfp_prog, struct bpf_verifier_env *env, struct nfp_insn_meta *meta) { const struct bpf_reg_state *reg1 = cur_regs(env) + BPF_REG_1; const struct bpf_reg_state *reg2 = cur_regs(env) + BPF_REG_2; struct nfp_app_bpf *bpf = nfp_prog->bpf; u32 func_id = meta->insn.imm; s64 off, old_off; switch (func_id) { case BPF_FUNC_xdp_adjust_head: if (!bpf->adjust_head.off_max) { pr_vlog(env, "adjust_head not supported by FW\n"); return -EOPNOTSUPP; } if (!(bpf->adjust_head.flags & NFP_BPF_ADJUST_HEAD_NO_META)) { pr_vlog(env, "adjust_head: FW requires shifting metadata, not supported by the driver\n"); return -EOPNOTSUPP; } nfp_record_adjust_head(bpf, nfp_prog, meta, reg2); break; case BPF_FUNC_map_lookup_elem: if (!bpf->helpers.map_lookup) { pr_vlog(env, "map_lookup: not supported by FW\n"); return -EOPNOTSUPP; } if (reg2->type != PTR_TO_STACK) { pr_vlog(env, "map_lookup: unsupported key ptr type %d\n", reg2->type); return -EOPNOTSUPP; } if (!tnum_is_const(reg2->var_off)) { pr_vlog(env, "map_lookup: variable key pointer\n"); return -EOPNOTSUPP; } off = reg2->var_off.value + reg2->off; if (-off % 4) { pr_vlog(env, "map_lookup: unaligned stack pointer %lld\n", -off); return -EOPNOTSUPP; } /* Rest of the checks is only if we re-parse the same insn */ if (!meta->func_id) break; old_off = meta->arg2.var_off.value + meta->arg2.off; meta->arg2_var_off |= off != old_off; if (meta->arg1.map_ptr != reg1->map_ptr) { pr_vlog(env, "map_lookup: called for different map\n"); return -EOPNOTSUPP; } break; default: pr_vlog(env, "unsupported function id: %d\n", func_id); return -EOPNOTSUPP; } meta->func_id = func_id; meta->arg1 = *reg1; meta->arg2 = *reg2; return 0; }