shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-06-05 10:31:46 +09:00
Code Issues Packages Projects Releases Wiki Activity

Revert "bpf: clean up visit_insn()'s instruction processing"

Browse Source 
This reverts commit b1c780ed3c which is
commit 653ae3a874 upstream.

It breaks the Android kernel abi and can be brought back in the future
in an abi-safe way if it is really needed.

Bug: 161946584
Change-Id: I083d407a06bd85594d74aa486969115a74675e1f
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This commit is contained in:
Greg Kroah-Hartman
2024-01-15 11:28:46 +00:00
parent c7b298c1b5
commit 797e6a76ea
1 changed files with 13 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
kernel/bpf/verifier.c
View File

@@ -11132,43 +11132,44 @@ static int visit_func_call_insn(int t, struct bpf_insn *insns,
*/ */
static int visit_insn(int t, struct bpf_verifier_env *env) static int visit_insn(int t, struct bpf_verifier_env *env)
{ {
struct bpf_insn *insns = env->prog->insnsi, *insn = &insns[t]; struct bpf_insn *insns = env->prog->insnsi;
int ret; int ret;
if (bpf_pseudo_func(insn)) if (bpf_pseudo_func(insns + t))
return visit_func_call_insn(t, insns, env, true); return visit_func_call_insn(t, insns, env, true);
/* All non-branch instructions have a single fall-through edge. */ /* All non-branch instructions have a single fall-through edge. */
if (BPF_CLASS(insn->code) != BPF_JMP && if (BPF_CLASS(insns[t].code) != BPF_JMP &&
BPF_CLASS(insn->code) != BPF_JMP32) BPF_CLASS(insns[t].code) != BPF_JMP32)
return push_insn(t, t + 1, FALLTHROUGH, env, false); return push_insn(t, t + 1, FALLTHROUGH, env, false);
switch (BPF_OP(insn->code)) { switch (BPF_OP(insns[t].code)) {
case BPF_EXIT: case BPF_EXIT:
return DONE_EXPLORING; return DONE_EXPLORING;
case BPF_CALL: case BPF_CALL:
if (insn->imm == BPF_FUNC_timer_set_callback) if (insns[t].imm == BPF_FUNC_timer_set_callback)
/* Mark this call insn as a prune point to trigger /* Mark this call insn as a prune point to trigger
* is_state_visited() check before call itself is * is_state_visited() check before call itself is
* processed by __check_func_call(). Otherwise new * processed by __check_func_call(). Otherwise new
* async state will be pushed for further exploration. * async state will be pushed for further exploration.
*/ */
mark_prune_point(env, t); mark_prune_point(env, t);
return visit_func_call_insn(t, insns, env, insn->src_reg == BPF_PSEUDO_CALL); return visit_func_call_insn(t, insns, env,
insns[t].src_reg == BPF_PSEUDO_CALL);
case BPF_JA: case BPF_JA:
if (BPF_SRC(insn->code) != BPF_K) if (BPF_SRC(insns[t].code) != BPF_K)
return -EINVAL; return -EINVAL;
/* unconditional jump with single edge */ /* unconditional jump with single edge */
ret = push_insn(t, t + insn->off + 1, FALLTHROUGH, env, ret = push_insn(t, t + insns[t].off + 1, FALLTHROUGH, env,
true); true);
if (ret) if (ret)
return ret; return ret;
mark_prune_point(env, t + insn->off + 1); mark_prune_point(env, t + insns[t].off + 1);
mark_jmp_point(env, t + insn->off + 1); mark_jmp_point(env, t + insns[t].off + 1);
return ret; return ret;
@@ -11180,7 +11181,7 @@ static int visit_insn(int t, struct bpf_verifier_env *env)
if (ret) if (ret)
return ret; return ret;
return push_insn(t, t + insn->off + 1, BRANCH, env, true); return push_insn(t, t + insns[t].off + 1, BRANCH, env, true);
} }
} }