Lines Matching +full:foo +full:- +full:over +full:- +full:udp
32 After kernel function call, R1-R5 are reset to unreadable and
35 Since R6-R9 are callee saved, their state is preserved across the call.
40 bpf_call foo
72 stack bounds, which are [-MAX_BPF_STACK, 0). In this example offset is 8,
78 Classic BPF verifier does similar check with M[0-15] memory slots.
81 bpf_ld R0 = *(u32 *)(R10 - 4)
85 Though R10 is correct read-only register and has type PTR_TO_STACK
86 and R10 - 4 is within stack bounds, there were no stores into that location.
88 Pointer register spill/fill is tracked as well, since four (R6-R9)
91 Allowed function calls are customized with bpf_verifier_ops->get_func_proto()
137 skb->data.
139 skb->data + headlen; arithmetic forbidden.
145 checked != NULL. PTR_TO_SOCKET is reference-counted,
152 offset'. The former is used when an exactly-known value (e.g. an immediate
167 the low 8 are unknown - which is represented as the tnum (0x0; 0xff). If we
185 bounds-checked and found to be less than a PTR_TO_PACKET_END, the register B is
191 checked and found to be non-NULL, all copies can become PTR_TO_MAP_VALUEs.
192 As well as range-checking, the tracked information is also used for enforcing
194 is 2 bytes after a 4-byte alignment. If a program adds 14 bytes to that to jump
195 over the Ethernet header, then reads IHL and adds (IHL * 4), the resulting
197 bytes (NET_IP_ALIGN) gives a 4-byte alignment and so word-sized accesses through
201 behaviour to the handling for PTR_TO_MAP_VALUE_OR_NULL->PTR_TO_MAP_VALUE, but
204 reference is not leaked, it is imperative to NULL-check the reference and in
205 the non-NULL case, and pass the valid reference to the socket release function.
211 data via skb->data and skb->data_end pointers.
214 1: r4 = *(u32 *)(r1 +80) /* load skb->data_end */
215 2: r3 = *(u32 *)(r1 +76) /* load skb->data */
223 did check ``if (skb->data + 14 > skb->data_end) goto err`` at insn #5 which
224 means that in the fall-through case the register R3 (which points to skb->data)
232 it now points to ``skb->data + 14`` and accessible range is [R5, R5 + 14 - 14)
242 9: r3 = *(u32 *)(r1 +76) /* load skb->data */
250 17: r1 = *(u32 *)(r1 +80) /* load skb->data_end */
263 Operation ``r3 += rX`` may overflow and become less than original skb->data,
265 instruction and rX is more than 16-bit value, any subsequent bounds-check of r3
266 against skb->data_end will not give us 'range' information, so attempts to read
273 R4=inv(id=0,umax_value=3570,var_off=(0x0; 0xfffe)), since multiplying an 8-bit
284 void *data = (void *)(long)skb->data;
285 void *data_end = (void *)(long)skb->data_end;
288 struct udphdr *udp = data + sizeof(*eth) + sizeof(*iph);
290 if (data + sizeof(*eth) + sizeof(*iph) + sizeof(*udp) > data_end)
292 if (eth->h_proto != htons(ETH_P_IP))
294 if (iph->protocol != IPPROTO_UDP || iph->ihl != 5)
296 if (udp->dest == 53 || udp->source == 9)
308 subset, the branch is 'pruned' - that is, the fact that the previous state was
310 previous state, r1 held a packet-pointer, and in the current state, r1 holds a
311 packet-pointer with a range as long or longer and at least as strict an
322 --------------------------
335 --- checkpoint ---
389 * ``REG_LIVE_NONE`` is an initial value assigned to ``->live`` fields upon new
402 * ``->live`` field values are formed by combining ``enum bpf_reg_liveness``
410 corresponding register or stack slot in its parent state via a ``->parent``
421 * For the outer stack frames, only callee saved registers (r6-r9) and stack
427 new frame, parent links for r6-r9 and stack slots are set to nil, parent links
428 for r1-r5 are set to match caller r1-r5 parent links.
431 ``->parent`` pointers)::
434 --- checkpoint #0 ---
436 --- checkpoint #1 ---
437 2 : call foo() ; Frame #0
438 ... ; Frame #1, instructions from foo()
439 --- checkpoint #2 ---
440 ... ; Frame #1, instructions from foo()
441 --- checkpoint #3 ---
442 exit ; Frame #1, return from foo()
443 3 : r1 = r6 ; Frame #0 <- current state
445 +-------------------------------+-------------------------------+
447 Checkpoint +-------------------------------+-------------------------------+
448 #0 | r0 | r1-r5 | r6-r9 | fp-8 ... |
449 +-------------------------------+
452 Checkpoint +-------------------------------+
453 #1 | r0 | r1-r5 | r6-r9 | fp-8 ... |
454 +-------------------------------+
460 Checkpoint +-------------------------------+-------------------------------+
461 #2 | r0 | r1-r5 | r6-r9 | fp-8 ... | r0 | r1-r5 | r6-r9 | fp-8 ... |
462 +-------------------------------+-------------------------------+
466 Checkpoint +-------------------------------+-------------------------------+
467 #3 | r0 | r1-r5 | r6-r9 | fp-8 ... | r0 | r1-r5 | r6-r9 | fp-8 ... |
468 +-------------------------------+-------------------------------+
472 Current +-------------------------------+
473 state | r0 | r1-r5 | r6-r9 | fp-8 ... |
474 +-------------------------------+
492 parent = state->parent
494 if state->live & REG_LIVE_WRITTEN:
496 if parent->live & REG_LIVE_READ64:
498 parent->live |= REG_LIVE_READ64
500 parent = state->parent
506 means that it is updated by some instruction in the straight-line code leading
522 0: (*u64)(r10 - 8) = 0 ; define 8 bytes of fp-8
523 --- checkpoint #0 ---
524 1: (*u32)(r10 - 8) = 1 ; redefine lower 4 bytes
525 2: r1 = (*u32)(r10 - 8) ; read lower 4 bytes defined at (1)
526 3: r2 = (*u32)(r10 - 4) ; read upper 4 bytes defined at (0)
533 called to update the ``->branches`` counter for each verifier state in a chain
534 of parent verifier states. When the ``->branches`` counter reaches zero the
537 Each entry of the verifier states cache is post-processed by a function
551 --- checkpoint[0] ---
582 propagated over the parentage chain of the current state. Example below shows
585 Consider the following state parentage chain (S is a starting state, A-E are
586 derived states, -> arrows show which state is derived from which)::
589 <------------- A[r1] == 0
591 S ---> A ---> B ---> exit E[r1] == 1
593 ` ---> C ---> D
595 ` ---> E ^
602 * Chain of states ``S -> A -> B -> exit`` is verified first.
604 * While ``B -> exit`` is verified, register ``r1`` is read and this read mark is
607 * When chain of states ``C -> D`` is verified the state ``D`` turns out to be
665 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
673 1: (07) r2 += -8
676 invalid indirect read from stack off -8+0 size 8
680 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
682 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
689 0: (7a) *(u64 *)(r10 -8) = 0
691 2: (07) r2 += -8
699 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
701 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
709 0: (7a) *(u64 *)(r10 -8) = 0
711 2: (07) r2 += -8
720 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
722 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
731 0: (7a) *(u64 *)(r10 -8) = 0
733 2: (07) r2 += -8
745 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
747 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
758 0: (7a) *(u64 *)(r10 -8) = 0
760 2: (07) r2 += -8
776 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_2, -8),
778 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
789 1: (63) *(u32 *)(r10 -8) = r2
791 3: (07) r2 += -8
800 Program that performs a socket lookup but does not NULL-check the returned
804 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_2, -8),
806 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
816 1: (63) *(u32 *)(r10 -8) = r2
818 3: (07) r2 += -8