xref: /openbmc/linux/kernel/bpf/btf.c (revision f519cd13)
1 /* SPDX-License-Identifier: GPL-2.0 */
2 /* Copyright (c) 2018 Facebook */
3 
4 #include <uapi/linux/btf.h>
5 #include <uapi/linux/bpf.h>
6 #include <uapi/linux/bpf_perf_event.h>
7 #include <uapi/linux/types.h>
8 #include <linux/seq_file.h>
9 #include <linux/compiler.h>
10 #include <linux/ctype.h>
11 #include <linux/errno.h>
12 #include <linux/slab.h>
13 #include <linux/anon_inodes.h>
14 #include <linux/file.h>
15 #include <linux/uaccess.h>
16 #include <linux/kernel.h>
17 #include <linux/idr.h>
18 #include <linux/sort.h>
19 #include <linux/bpf_verifier.h>
20 #include <linux/btf.h>
21 #include <linux/skmsg.h>
22 #include <linux/perf_event.h>
23 #include <net/sock.h>
24 
25 /* BTF (BPF Type Format) is the meta data format which describes
26  * the data types of BPF program/map.  Hence, it basically focus
27  * on the C programming language which the modern BPF is primary
28  * using.
29  *
30  * ELF Section:
31  * ~~~~~~~~~~~
32  * The BTF data is stored under the ".BTF" ELF section
33  *
34  * struct btf_type:
35  * ~~~~~~~~~~~~~~~
36  * Each 'struct btf_type' object describes a C data type.
37  * Depending on the type it is describing, a 'struct btf_type'
38  * object may be followed by more data.  F.e.
39  * To describe an array, 'struct btf_type' is followed by
40  * 'struct btf_array'.
41  *
42  * 'struct btf_type' and any extra data following it are
43  * 4 bytes aligned.
44  *
45  * Type section:
46  * ~~~~~~~~~~~~~
47  * The BTF type section contains a list of 'struct btf_type' objects.
48  * Each one describes a C type.  Recall from the above section
49  * that a 'struct btf_type' object could be immediately followed by extra
50  * data in order to desribe some particular C types.
51  *
52  * type_id:
53  * ~~~~~~~
54  * Each btf_type object is identified by a type_id.  The type_id
55  * is implicitly implied by the location of the btf_type object in
56  * the BTF type section.  The first one has type_id 1.  The second
57  * one has type_id 2...etc.  Hence, an earlier btf_type has
58  * a smaller type_id.
59  *
60  * A btf_type object may refer to another btf_type object by using
61  * type_id (i.e. the "type" in the "struct btf_type").
62  *
63  * NOTE that we cannot assume any reference-order.
64  * A btf_type object can refer to an earlier btf_type object
65  * but it can also refer to a later btf_type object.
66  *
67  * For example, to describe "const void *".  A btf_type
68  * object describing "const" may refer to another btf_type
69  * object describing "void *".  This type-reference is done
70  * by specifying type_id:
71  *
72  * [1] CONST (anon) type_id=2
73  * [2] PTR (anon) type_id=0
74  *
75  * The above is the btf_verifier debug log:
76  *   - Each line started with "[?]" is a btf_type object
77  *   - [?] is the type_id of the btf_type object.
78  *   - CONST/PTR is the BTF_KIND_XXX
79  *   - "(anon)" is the name of the type.  It just
80  *     happens that CONST and PTR has no name.
81  *   - type_id=XXX is the 'u32 type' in btf_type
82  *
83  * NOTE: "void" has type_id 0
84  *
85  * String section:
86  * ~~~~~~~~~~~~~~
87  * The BTF string section contains the names used by the type section.
88  * Each string is referred by an "offset" from the beginning of the
89  * string section.
90  *
91  * Each string is '\0' terminated.
92  *
93  * The first character in the string section must be '\0'
94  * which is used to mean 'anonymous'. Some btf_type may not
95  * have a name.
96  */
97 
98 /* BTF verification:
99  *
100  * To verify BTF data, two passes are needed.
101  *
102  * Pass #1
103  * ~~~~~~~
104  * The first pass is to collect all btf_type objects to
105  * an array: "btf->types".
106  *
107  * Depending on the C type that a btf_type is describing,
108  * a btf_type may be followed by extra data.  We don't know
109  * how many btf_type is there, and more importantly we don't
110  * know where each btf_type is located in the type section.
111  *
112  * Without knowing the location of each type_id, most verifications
113  * cannot be done.  e.g. an earlier btf_type may refer to a later
114  * btf_type (recall the "const void *" above), so we cannot
115  * check this type-reference in the first pass.
116  *
117  * In the first pass, it still does some verifications (e.g.
118  * checking the name is a valid offset to the string section).
119  *
120  * Pass #2
121  * ~~~~~~~
122  * The main focus is to resolve a btf_type that is referring
123  * to another type.
124  *
125  * We have to ensure the referring type:
126  * 1) does exist in the BTF (i.e. in btf->types[])
127  * 2) does not cause a loop:
128  *	struct A {
129  *		struct B b;
130  *	};
131  *
132  *	struct B {
133  *		struct A a;
134  *	};
135  *
136  * btf_type_needs_resolve() decides if a btf_type needs
137  * to be resolved.
138  *
139  * The needs_resolve type implements the "resolve()" ops which
140  * essentially does a DFS and detects backedge.
141  *
142  * During resolve (or DFS), different C types have different
143  * "RESOLVED" conditions.
144  *
145  * When resolving a BTF_KIND_STRUCT, we need to resolve all its
146  * members because a member is always referring to another
147  * type.  A struct's member can be treated as "RESOLVED" if
148  * it is referring to a BTF_KIND_PTR.  Otherwise, the
149  * following valid C struct would be rejected:
150  *
151  *	struct A {
152  *		int m;
153  *		struct A *a;
154  *	};
155  *
156  * When resolving a BTF_KIND_PTR, it needs to keep resolving if
157  * it is referring to another BTF_KIND_PTR.  Otherwise, we cannot
158  * detect a pointer loop, e.g.:
159  * BTF_KIND_CONST -> BTF_KIND_PTR -> BTF_KIND_CONST -> BTF_KIND_PTR +
160  *                        ^                                         |
161  *                        +-----------------------------------------+
162  *
163  */
164 
165 #define BITS_PER_U128 (sizeof(u64) * BITS_PER_BYTE * 2)
166 #define BITS_PER_BYTE_MASK (BITS_PER_BYTE - 1)
167 #define BITS_PER_BYTE_MASKED(bits) ((bits) & BITS_PER_BYTE_MASK)
168 #define BITS_ROUNDDOWN_BYTES(bits) ((bits) >> 3)
169 #define BITS_ROUNDUP_BYTES(bits) \
170 	(BITS_ROUNDDOWN_BYTES(bits) + !!BITS_PER_BYTE_MASKED(bits))
171 
172 #define BTF_INFO_MASK 0x8f00ffff
173 #define BTF_INT_MASK 0x0fffffff
174 #define BTF_TYPE_ID_VALID(type_id) ((type_id) <= BTF_MAX_TYPE)
175 #define BTF_STR_OFFSET_VALID(name_off) ((name_off) <= BTF_MAX_NAME_OFFSET)
176 
177 /* 16MB for 64k structs and each has 16 members and
178  * a few MB spaces for the string section.
179  * The hard limit is S32_MAX.
180  */
181 #define BTF_MAX_SIZE (16 * 1024 * 1024)
182 
183 #define for_each_member(i, struct_type, member)			\
184 	for (i = 0, member = btf_type_member(struct_type);	\
185 	     i < btf_type_vlen(struct_type);			\
186 	     i++, member++)
187 
188 #define for_each_member_from(i, from, struct_type, member)		\
189 	for (i = from, member = btf_type_member(struct_type) + from;	\
190 	     i < btf_type_vlen(struct_type);				\
191 	     i++, member++)
192 
193 #define for_each_vsi(i, struct_type, member)			\
194 	for (i = 0, member = btf_type_var_secinfo(struct_type);	\
195 	     i < btf_type_vlen(struct_type);			\
196 	     i++, member++)
197 
198 #define for_each_vsi_from(i, from, struct_type, member)				\
199 	for (i = from, member = btf_type_var_secinfo(struct_type) + from;	\
200 	     i < btf_type_vlen(struct_type);					\
201 	     i++, member++)
202 
203 DEFINE_IDR(btf_idr);
204 DEFINE_SPINLOCK(btf_idr_lock);
205 
206 struct btf {
207 	void *data;
208 	struct btf_type **types;
209 	u32 *resolved_ids;
210 	u32 *resolved_sizes;
211 	const char *strings;
212 	void *nohdr_data;
213 	struct btf_header hdr;
214 	u32 nr_types;
215 	u32 types_size;
216 	u32 data_size;
217 	refcount_t refcnt;
218 	u32 id;
219 	struct rcu_head rcu;
220 };
221 
222 enum verifier_phase {
223 	CHECK_META,
224 	CHECK_TYPE,
225 };
226 
227 struct resolve_vertex {
228 	const struct btf_type *t;
229 	u32 type_id;
230 	u16 next_member;
231 };
232 
233 enum visit_state {
234 	NOT_VISITED,
235 	VISITED,
236 	RESOLVED,
237 };
238 
239 enum resolve_mode {
240 	RESOLVE_TBD,	/* To Be Determined */
241 	RESOLVE_PTR,	/* Resolving for Pointer */
242 	RESOLVE_STRUCT_OR_ARRAY,	/* Resolving for struct/union
243 					 * or array
244 					 */
245 };
246 
247 #define MAX_RESOLVE_DEPTH 32
248 
249 struct btf_sec_info {
250 	u32 off;
251 	u32 len;
252 };
253 
254 struct btf_verifier_env {
255 	struct btf *btf;
256 	u8 *visit_states;
257 	struct resolve_vertex stack[MAX_RESOLVE_DEPTH];
258 	struct bpf_verifier_log log;
259 	u32 log_type_id;
260 	u32 top_stack;
261 	enum verifier_phase phase;
262 	enum resolve_mode resolve_mode;
263 };
264 
265 static const char * const btf_kind_str[NR_BTF_KINDS] = {
266 	[BTF_KIND_UNKN]		= "UNKNOWN",
267 	[BTF_KIND_INT]		= "INT",
268 	[BTF_KIND_PTR]		= "PTR",
269 	[BTF_KIND_ARRAY]	= "ARRAY",
270 	[BTF_KIND_STRUCT]	= "STRUCT",
271 	[BTF_KIND_UNION]	= "UNION",
272 	[BTF_KIND_ENUM]		= "ENUM",
273 	[BTF_KIND_FWD]		= "FWD",
274 	[BTF_KIND_TYPEDEF]	= "TYPEDEF",
275 	[BTF_KIND_VOLATILE]	= "VOLATILE",
276 	[BTF_KIND_CONST]	= "CONST",
277 	[BTF_KIND_RESTRICT]	= "RESTRICT",
278 	[BTF_KIND_FUNC]		= "FUNC",
279 	[BTF_KIND_FUNC_PROTO]	= "FUNC_PROTO",
280 	[BTF_KIND_VAR]		= "VAR",
281 	[BTF_KIND_DATASEC]	= "DATASEC",
282 };
283 
284 struct btf_kind_operations {
285 	s32 (*check_meta)(struct btf_verifier_env *env,
286 			  const struct btf_type *t,
287 			  u32 meta_left);
288 	int (*resolve)(struct btf_verifier_env *env,
289 		       const struct resolve_vertex *v);
290 	int (*check_member)(struct btf_verifier_env *env,
291 			    const struct btf_type *struct_type,
292 			    const struct btf_member *member,
293 			    const struct btf_type *member_type);
294 	int (*check_kflag_member)(struct btf_verifier_env *env,
295 				  const struct btf_type *struct_type,
296 				  const struct btf_member *member,
297 				  const struct btf_type *member_type);
298 	void (*log_details)(struct btf_verifier_env *env,
299 			    const struct btf_type *t);
300 	void (*seq_show)(const struct btf *btf, const struct btf_type *t,
301 			 u32 type_id, void *data, u8 bits_offsets,
302 			 struct seq_file *m);
303 };
304 
305 static const struct btf_kind_operations * const kind_ops[NR_BTF_KINDS];
306 static struct btf_type btf_void;
307 
308 static int btf_resolve(struct btf_verifier_env *env,
309 		       const struct btf_type *t, u32 type_id);
310 
311 static bool btf_type_is_modifier(const struct btf_type *t)
312 {
313 	/* Some of them is not strictly a C modifier
314 	 * but they are grouped into the same bucket
315 	 * for BTF concern:
316 	 *   A type (t) that refers to another
317 	 *   type through t->type AND its size cannot
318 	 *   be determined without following the t->type.
319 	 *
320 	 * ptr does not fall into this bucket
321 	 * because its size is always sizeof(void *).
322 	 */
323 	switch (BTF_INFO_KIND(t->info)) {
324 	case BTF_KIND_TYPEDEF:
325 	case BTF_KIND_VOLATILE:
326 	case BTF_KIND_CONST:
327 	case BTF_KIND_RESTRICT:
328 		return true;
329 	}
330 
331 	return false;
332 }
333 
334 bool btf_type_is_void(const struct btf_type *t)
335 {
336 	return t == &btf_void;
337 }
338 
339 static bool btf_type_is_fwd(const struct btf_type *t)
340 {
341 	return BTF_INFO_KIND(t->info) == BTF_KIND_FWD;
342 }
343 
344 static bool btf_type_nosize(const struct btf_type *t)
345 {
346 	return btf_type_is_void(t) || btf_type_is_fwd(t) ||
347 	       btf_type_is_func(t) || btf_type_is_func_proto(t);
348 }
349 
350 static bool btf_type_nosize_or_null(const struct btf_type *t)
351 {
352 	return !t || btf_type_nosize(t);
353 }
354 
355 /* union is only a special case of struct:
356  * all its offsetof(member) == 0
357  */
358 static bool btf_type_is_struct(const struct btf_type *t)
359 {
360 	u8 kind = BTF_INFO_KIND(t->info);
361 
362 	return kind == BTF_KIND_STRUCT || kind == BTF_KIND_UNION;
363 }
364 
365 static bool __btf_type_is_struct(const struct btf_type *t)
366 {
367 	return BTF_INFO_KIND(t->info) == BTF_KIND_STRUCT;
368 }
369 
370 static bool btf_type_is_array(const struct btf_type *t)
371 {
372 	return BTF_INFO_KIND(t->info) == BTF_KIND_ARRAY;
373 }
374 
375 static bool btf_type_is_var(const struct btf_type *t)
376 {
377 	return BTF_INFO_KIND(t->info) == BTF_KIND_VAR;
378 }
379 
380 static bool btf_type_is_datasec(const struct btf_type *t)
381 {
382 	return BTF_INFO_KIND(t->info) == BTF_KIND_DATASEC;
383 }
384 
385 /* Types that act only as a source, not sink or intermediate
386  * type when resolving.
387  */
388 static bool btf_type_is_resolve_source_only(const struct btf_type *t)
389 {
390 	return btf_type_is_var(t) ||
391 	       btf_type_is_datasec(t);
392 }
393 
394 /* What types need to be resolved?
395  *
396  * btf_type_is_modifier() is an obvious one.
397  *
398  * btf_type_is_struct() because its member refers to
399  * another type (through member->type).
400  *
401  * btf_type_is_var() because the variable refers to
402  * another type. btf_type_is_datasec() holds multiple
403  * btf_type_is_var() types that need resolving.
404  *
405  * btf_type_is_array() because its element (array->type)
406  * refers to another type.  Array can be thought of a
407  * special case of struct while array just has the same
408  * member-type repeated by array->nelems of times.
409  */
410 static bool btf_type_needs_resolve(const struct btf_type *t)
411 {
412 	return btf_type_is_modifier(t) ||
413 	       btf_type_is_ptr(t) ||
414 	       btf_type_is_struct(t) ||
415 	       btf_type_is_array(t) ||
416 	       btf_type_is_var(t) ||
417 	       btf_type_is_datasec(t);
418 }
419 
420 /* t->size can be used */
421 static bool btf_type_has_size(const struct btf_type *t)
422 {
423 	switch (BTF_INFO_KIND(t->info)) {
424 	case BTF_KIND_INT:
425 	case BTF_KIND_STRUCT:
426 	case BTF_KIND_UNION:
427 	case BTF_KIND_ENUM:
428 	case BTF_KIND_DATASEC:
429 		return true;
430 	}
431 
432 	return false;
433 }
434 
435 static const char *btf_int_encoding_str(u8 encoding)
436 {
437 	if (encoding == 0)
438 		return "(none)";
439 	else if (encoding == BTF_INT_SIGNED)
440 		return "SIGNED";
441 	else if (encoding == BTF_INT_CHAR)
442 		return "CHAR";
443 	else if (encoding == BTF_INT_BOOL)
444 		return "BOOL";
445 	else
446 		return "UNKN";
447 }
448 
449 static u16 btf_type_vlen(const struct btf_type *t)
450 {
451 	return BTF_INFO_VLEN(t->info);
452 }
453 
454 static bool btf_type_kflag(const struct btf_type *t)
455 {
456 	return BTF_INFO_KFLAG(t->info);
457 }
458 
459 static u32 btf_member_bit_offset(const struct btf_type *struct_type,
460 			     const struct btf_member *member)
461 {
462 	return btf_type_kflag(struct_type) ? BTF_MEMBER_BIT_OFFSET(member->offset)
463 					   : member->offset;
464 }
465 
466 static u32 btf_member_bitfield_size(const struct btf_type *struct_type,
467 				    const struct btf_member *member)
468 {
469 	return btf_type_kflag(struct_type) ? BTF_MEMBER_BITFIELD_SIZE(member->offset)
470 					   : 0;
471 }
472 
473 static u32 btf_type_int(const struct btf_type *t)
474 {
475 	return *(u32 *)(t + 1);
476 }
477 
478 static const struct btf_array *btf_type_array(const struct btf_type *t)
479 {
480 	return (const struct btf_array *)(t + 1);
481 }
482 
483 static const struct btf_member *btf_type_member(const struct btf_type *t)
484 {
485 	return (const struct btf_member *)(t + 1);
486 }
487 
488 static const struct btf_enum *btf_type_enum(const struct btf_type *t)
489 {
490 	return (const struct btf_enum *)(t + 1);
491 }
492 
493 static const struct btf_var *btf_type_var(const struct btf_type *t)
494 {
495 	return (const struct btf_var *)(t + 1);
496 }
497 
498 static const struct btf_var_secinfo *btf_type_var_secinfo(const struct btf_type *t)
499 {
500 	return (const struct btf_var_secinfo *)(t + 1);
501 }
502 
503 static const struct btf_kind_operations *btf_type_ops(const struct btf_type *t)
504 {
505 	return kind_ops[BTF_INFO_KIND(t->info)];
506 }
507 
508 static bool btf_name_offset_valid(const struct btf *btf, u32 offset)
509 {
510 	return BTF_STR_OFFSET_VALID(offset) &&
511 		offset < btf->hdr.str_len;
512 }
513 
514 static bool __btf_name_char_ok(char c, bool first, bool dot_ok)
515 {
516 	if ((first ? !isalpha(c) :
517 		     !isalnum(c)) &&
518 	    c != '_' &&
519 	    ((c == '.' && !dot_ok) ||
520 	      c != '.'))
521 		return false;
522 	return true;
523 }
524 
525 static bool __btf_name_valid(const struct btf *btf, u32 offset, bool dot_ok)
526 {
527 	/* offset must be valid */
528 	const char *src = &btf->strings[offset];
529 	const char *src_limit;
530 
531 	if (!__btf_name_char_ok(*src, true, dot_ok))
532 		return false;
533 
534 	/* set a limit on identifier length */
535 	src_limit = src + KSYM_NAME_LEN;
536 	src++;
537 	while (*src && src < src_limit) {
538 		if (!__btf_name_char_ok(*src, false, dot_ok))
539 			return false;
540 		src++;
541 	}
542 
543 	return !*src;
544 }
545 
546 /* Only C-style identifier is permitted. This can be relaxed if
547  * necessary.
548  */
549 static bool btf_name_valid_identifier(const struct btf *btf, u32 offset)
550 {
551 	return __btf_name_valid(btf, offset, false);
552 }
553 
554 static bool btf_name_valid_section(const struct btf *btf, u32 offset)
555 {
556 	return __btf_name_valid(btf, offset, true);
557 }
558 
559 static const char *__btf_name_by_offset(const struct btf *btf, u32 offset)
560 {
561 	if (!offset)
562 		return "(anon)";
563 	else if (offset < btf->hdr.str_len)
564 		return &btf->strings[offset];
565 	else
566 		return "(invalid-name-offset)";
567 }
568 
569 const char *btf_name_by_offset(const struct btf *btf, u32 offset)
570 {
571 	if (offset < btf->hdr.str_len)
572 		return &btf->strings[offset];
573 
574 	return NULL;
575 }
576 
577 const struct btf_type *btf_type_by_id(const struct btf *btf, u32 type_id)
578 {
579 	if (type_id > btf->nr_types)
580 		return NULL;
581 
582 	return btf->types[type_id];
583 }
584 
585 /*
586  * Regular int is not a bit field and it must be either
587  * u8/u16/u32/u64 or __int128.
588  */
589 static bool btf_type_int_is_regular(const struct btf_type *t)
590 {
591 	u8 nr_bits, nr_bytes;
592 	u32 int_data;
593 
594 	int_data = btf_type_int(t);
595 	nr_bits = BTF_INT_BITS(int_data);
596 	nr_bytes = BITS_ROUNDUP_BYTES(nr_bits);
597 	if (BITS_PER_BYTE_MASKED(nr_bits) ||
598 	    BTF_INT_OFFSET(int_data) ||
599 	    (nr_bytes != sizeof(u8) && nr_bytes != sizeof(u16) &&
600 	     nr_bytes != sizeof(u32) && nr_bytes != sizeof(u64) &&
601 	     nr_bytes != (2 * sizeof(u64)))) {
602 		return false;
603 	}
604 
605 	return true;
606 }
607 
608 /*
609  * Check that given struct member is a regular int with expected
610  * offset and size.
611  */
612 bool btf_member_is_reg_int(const struct btf *btf, const struct btf_type *s,
613 			   const struct btf_member *m,
614 			   u32 expected_offset, u32 expected_size)
615 {
616 	const struct btf_type *t;
617 	u32 id, int_data;
618 	u8 nr_bits;
619 
620 	id = m->type;
621 	t = btf_type_id_size(btf, &id, NULL);
622 	if (!t || !btf_type_is_int(t))
623 		return false;
624 
625 	int_data = btf_type_int(t);
626 	nr_bits = BTF_INT_BITS(int_data);
627 	if (btf_type_kflag(s)) {
628 		u32 bitfield_size = BTF_MEMBER_BITFIELD_SIZE(m->offset);
629 		u32 bit_offset = BTF_MEMBER_BIT_OFFSET(m->offset);
630 
631 		/* if kflag set, int should be a regular int and
632 		 * bit offset should be at byte boundary.
633 		 */
634 		return !bitfield_size &&
635 		       BITS_ROUNDUP_BYTES(bit_offset) == expected_offset &&
636 		       BITS_ROUNDUP_BYTES(nr_bits) == expected_size;
637 	}
638 
639 	if (BTF_INT_OFFSET(int_data) ||
640 	    BITS_PER_BYTE_MASKED(m->offset) ||
641 	    BITS_ROUNDUP_BYTES(m->offset) != expected_offset ||
642 	    BITS_PER_BYTE_MASKED(nr_bits) ||
643 	    BITS_ROUNDUP_BYTES(nr_bits) != expected_size)
644 		return false;
645 
646 	return true;
647 }
648 
649 __printf(2, 3) static void __btf_verifier_log(struct bpf_verifier_log *log,
650 					      const char *fmt, ...)
651 {
652 	va_list args;
653 
654 	va_start(args, fmt);
655 	bpf_verifier_vlog(log, fmt, args);
656 	va_end(args);
657 }
658 
659 __printf(2, 3) static void btf_verifier_log(struct btf_verifier_env *env,
660 					    const char *fmt, ...)
661 {
662 	struct bpf_verifier_log *log = &env->log;
663 	va_list args;
664 
665 	if (!bpf_verifier_log_needed(log))
666 		return;
667 
668 	va_start(args, fmt);
669 	bpf_verifier_vlog(log, fmt, args);
670 	va_end(args);
671 }
672 
673 __printf(4, 5) static void __btf_verifier_log_type(struct btf_verifier_env *env,
674 						   const struct btf_type *t,
675 						   bool log_details,
676 						   const char *fmt, ...)
677 {
678 	struct bpf_verifier_log *log = &env->log;
679 	u8 kind = BTF_INFO_KIND(t->info);
680 	struct btf *btf = env->btf;
681 	va_list args;
682 
683 	if (!bpf_verifier_log_needed(log))
684 		return;
685 
686 	/* btf verifier prints all types it is processing via
687 	 * btf_verifier_log_type(..., fmt = NULL).
688 	 * Skip those prints for in-kernel BTF verification.
689 	 */
690 	if (log->level == BPF_LOG_KERNEL && !fmt)
691 		return;
692 
693 	__btf_verifier_log(log, "[%u] %s %s%s",
694 			   env->log_type_id,
695 			   btf_kind_str[kind],
696 			   __btf_name_by_offset(btf, t->name_off),
697 			   log_details ? " " : "");
698 
699 	if (log_details)
700 		btf_type_ops(t)->log_details(env, t);
701 
702 	if (fmt && *fmt) {
703 		__btf_verifier_log(log, " ");
704 		va_start(args, fmt);
705 		bpf_verifier_vlog(log, fmt, args);
706 		va_end(args);
707 	}
708 
709 	__btf_verifier_log(log, "\n");
710 }
711 
712 #define btf_verifier_log_type(env, t, ...) \
713 	__btf_verifier_log_type((env), (t), true, __VA_ARGS__)
714 #define btf_verifier_log_basic(env, t, ...) \
715 	__btf_verifier_log_type((env), (t), false, __VA_ARGS__)
716 
717 __printf(4, 5)
718 static void btf_verifier_log_member(struct btf_verifier_env *env,
719 				    const struct btf_type *struct_type,
720 				    const struct btf_member *member,
721 				    const char *fmt, ...)
722 {
723 	struct bpf_verifier_log *log = &env->log;
724 	struct btf *btf = env->btf;
725 	va_list args;
726 
727 	if (!bpf_verifier_log_needed(log))
728 		return;
729 
730 	if (log->level == BPF_LOG_KERNEL && !fmt)
731 		return;
732 	/* The CHECK_META phase already did a btf dump.
733 	 *
734 	 * If member is logged again, it must hit an error in
735 	 * parsing this member.  It is useful to print out which
736 	 * struct this member belongs to.
737 	 */
738 	if (env->phase != CHECK_META)
739 		btf_verifier_log_type(env, struct_type, NULL);
740 
741 	if (btf_type_kflag(struct_type))
742 		__btf_verifier_log(log,
743 				   "\t%s type_id=%u bitfield_size=%u bits_offset=%u",
744 				   __btf_name_by_offset(btf, member->name_off),
745 				   member->type,
746 				   BTF_MEMBER_BITFIELD_SIZE(member->offset),
747 				   BTF_MEMBER_BIT_OFFSET(member->offset));
748 	else
749 		__btf_verifier_log(log, "\t%s type_id=%u bits_offset=%u",
750 				   __btf_name_by_offset(btf, member->name_off),
751 				   member->type, member->offset);
752 
753 	if (fmt && *fmt) {
754 		__btf_verifier_log(log, " ");
755 		va_start(args, fmt);
756 		bpf_verifier_vlog(log, fmt, args);
757 		va_end(args);
758 	}
759 
760 	__btf_verifier_log(log, "\n");
761 }
762 
763 __printf(4, 5)
764 static void btf_verifier_log_vsi(struct btf_verifier_env *env,
765 				 const struct btf_type *datasec_type,
766 				 const struct btf_var_secinfo *vsi,
767 				 const char *fmt, ...)
768 {
769 	struct bpf_verifier_log *log = &env->log;
770 	va_list args;
771 
772 	if (!bpf_verifier_log_needed(log))
773 		return;
774 	if (log->level == BPF_LOG_KERNEL && !fmt)
775 		return;
776 	if (env->phase != CHECK_META)
777 		btf_verifier_log_type(env, datasec_type, NULL);
778 
779 	__btf_verifier_log(log, "\t type_id=%u offset=%u size=%u",
780 			   vsi->type, vsi->offset, vsi->size);
781 	if (fmt && *fmt) {
782 		__btf_verifier_log(log, " ");
783 		va_start(args, fmt);
784 		bpf_verifier_vlog(log, fmt, args);
785 		va_end(args);
786 	}
787 
788 	__btf_verifier_log(log, "\n");
789 }
790 
791 static void btf_verifier_log_hdr(struct btf_verifier_env *env,
792 				 u32 btf_data_size)
793 {
794 	struct bpf_verifier_log *log = &env->log;
795 	const struct btf *btf = env->btf;
796 	const struct btf_header *hdr;
797 
798 	if (!bpf_verifier_log_needed(log))
799 		return;
800 
801 	if (log->level == BPF_LOG_KERNEL)
802 		return;
803 	hdr = &btf->hdr;
804 	__btf_verifier_log(log, "magic: 0x%x\n", hdr->magic);
805 	__btf_verifier_log(log, "version: %u\n", hdr->version);
806 	__btf_verifier_log(log, "flags: 0x%x\n", hdr->flags);
807 	__btf_verifier_log(log, "hdr_len: %u\n", hdr->hdr_len);
808 	__btf_verifier_log(log, "type_off: %u\n", hdr->type_off);
809 	__btf_verifier_log(log, "type_len: %u\n", hdr->type_len);
810 	__btf_verifier_log(log, "str_off: %u\n", hdr->str_off);
811 	__btf_verifier_log(log, "str_len: %u\n", hdr->str_len);
812 	__btf_verifier_log(log, "btf_total_size: %u\n", btf_data_size);
813 }
814 
815 static int btf_add_type(struct btf_verifier_env *env, struct btf_type *t)
816 {
817 	struct btf *btf = env->btf;
818 
819 	/* < 2 because +1 for btf_void which is always in btf->types[0].
820 	 * btf_void is not accounted in btf->nr_types because btf_void
821 	 * does not come from the BTF file.
822 	 */
823 	if (btf->types_size - btf->nr_types < 2) {
824 		/* Expand 'types' array */
825 
826 		struct btf_type **new_types;
827 		u32 expand_by, new_size;
828 
829 		if (btf->types_size == BTF_MAX_TYPE) {
830 			btf_verifier_log(env, "Exceeded max num of types");
831 			return -E2BIG;
832 		}
833 
834 		expand_by = max_t(u32, btf->types_size >> 2, 16);
835 		new_size = min_t(u32, BTF_MAX_TYPE,
836 				 btf->types_size + expand_by);
837 
838 		new_types = kvcalloc(new_size, sizeof(*new_types),
839 				     GFP_KERNEL | __GFP_NOWARN);
840 		if (!new_types)
841 			return -ENOMEM;
842 
843 		if (btf->nr_types == 0)
844 			new_types[0] = &btf_void;
845 		else
846 			memcpy(new_types, btf->types,
847 			       sizeof(*btf->types) * (btf->nr_types + 1));
848 
849 		kvfree(btf->types);
850 		btf->types = new_types;
851 		btf->types_size = new_size;
852 	}
853 
854 	btf->types[++(btf->nr_types)] = t;
855 
856 	return 0;
857 }
858 
859 static int btf_alloc_id(struct btf *btf)
860 {
861 	int id;
862 
863 	idr_preload(GFP_KERNEL);
864 	spin_lock_bh(&btf_idr_lock);
865 	id = idr_alloc_cyclic(&btf_idr, btf, 1, INT_MAX, GFP_ATOMIC);
866 	if (id > 0)
867 		btf->id = id;
868 	spin_unlock_bh(&btf_idr_lock);
869 	idr_preload_end();
870 
871 	if (WARN_ON_ONCE(!id))
872 		return -ENOSPC;
873 
874 	return id > 0 ? 0 : id;
875 }
876 
877 static void btf_free_id(struct btf *btf)
878 {
879 	unsigned long flags;
880 
881 	/*
882 	 * In map-in-map, calling map_delete_elem() on outer
883 	 * map will call bpf_map_put on the inner map.
884 	 * It will then eventually call btf_free_id()
885 	 * on the inner map.  Some of the map_delete_elem()
886 	 * implementation may have irq disabled, so
887 	 * we need to use the _irqsave() version instead
888 	 * of the _bh() version.
889 	 */
890 	spin_lock_irqsave(&btf_idr_lock, flags);
891 	idr_remove(&btf_idr, btf->id);
892 	spin_unlock_irqrestore(&btf_idr_lock, flags);
893 }
894 
895 static void btf_free(struct btf *btf)
896 {
897 	kvfree(btf->types);
898 	kvfree(btf->resolved_sizes);
899 	kvfree(btf->resolved_ids);
900 	kvfree(btf->data);
901 	kfree(btf);
902 }
903 
904 static void btf_free_rcu(struct rcu_head *rcu)
905 {
906 	struct btf *btf = container_of(rcu, struct btf, rcu);
907 
908 	btf_free(btf);
909 }
910 
911 void btf_put(struct btf *btf)
912 {
913 	if (btf && refcount_dec_and_test(&btf->refcnt)) {
914 		btf_free_id(btf);
915 		call_rcu(&btf->rcu, btf_free_rcu);
916 	}
917 }
918 
919 static int env_resolve_init(struct btf_verifier_env *env)
920 {
921 	struct btf *btf = env->btf;
922 	u32 nr_types = btf->nr_types;
923 	u32 *resolved_sizes = NULL;
924 	u32 *resolved_ids = NULL;
925 	u8 *visit_states = NULL;
926 
927 	/* +1 for btf_void */
928 	resolved_sizes = kvcalloc(nr_types + 1, sizeof(*resolved_sizes),
929 				  GFP_KERNEL | __GFP_NOWARN);
930 	if (!resolved_sizes)
931 		goto nomem;
932 
933 	resolved_ids = kvcalloc(nr_types + 1, sizeof(*resolved_ids),
934 				GFP_KERNEL | __GFP_NOWARN);
935 	if (!resolved_ids)
936 		goto nomem;
937 
938 	visit_states = kvcalloc(nr_types + 1, sizeof(*visit_states),
939 				GFP_KERNEL | __GFP_NOWARN);
940 	if (!visit_states)
941 		goto nomem;
942 
943 	btf->resolved_sizes = resolved_sizes;
944 	btf->resolved_ids = resolved_ids;
945 	env->visit_states = visit_states;
946 
947 	return 0;
948 
949 nomem:
950 	kvfree(resolved_sizes);
951 	kvfree(resolved_ids);
952 	kvfree(visit_states);
953 	return -ENOMEM;
954 }
955 
956 static void btf_verifier_env_free(struct btf_verifier_env *env)
957 {
958 	kvfree(env->visit_states);
959 	kfree(env);
960 }
961 
962 static bool env_type_is_resolve_sink(const struct btf_verifier_env *env,
963 				     const struct btf_type *next_type)
964 {
965 	switch (env->resolve_mode) {
966 	case RESOLVE_TBD:
967 		/* int, enum or void is a sink */
968 		return !btf_type_needs_resolve(next_type);
969 	case RESOLVE_PTR:
970 		/* int, enum, void, struct, array, func or func_proto is a sink
971 		 * for ptr
972 		 */
973 		return !btf_type_is_modifier(next_type) &&
974 			!btf_type_is_ptr(next_type);
975 	case RESOLVE_STRUCT_OR_ARRAY:
976 		/* int, enum, void, ptr, func or func_proto is a sink
977 		 * for struct and array
978 		 */
979 		return !btf_type_is_modifier(next_type) &&
980 			!btf_type_is_array(next_type) &&
981 			!btf_type_is_struct(next_type);
982 	default:
983 		BUG();
984 	}
985 }
986 
987 static bool env_type_is_resolved(const struct btf_verifier_env *env,
988 				 u32 type_id)
989 {
990 	return env->visit_states[type_id] == RESOLVED;
991 }
992 
993 static int env_stack_push(struct btf_verifier_env *env,
994 			  const struct btf_type *t, u32 type_id)
995 {
996 	struct resolve_vertex *v;
997 
998 	if (env->top_stack == MAX_RESOLVE_DEPTH)
999 		return -E2BIG;
1000 
1001 	if (env->visit_states[type_id] != NOT_VISITED)
1002 		return -EEXIST;
1003 
1004 	env->visit_states[type_id] = VISITED;
1005 
1006 	v = &env->stack[env->top_stack++];
1007 	v->t = t;
1008 	v->type_id = type_id;
1009 	v->next_member = 0;
1010 
1011 	if (env->resolve_mode == RESOLVE_TBD) {
1012 		if (btf_type_is_ptr(t))
1013 			env->resolve_mode = RESOLVE_PTR;
1014 		else if (btf_type_is_struct(t) || btf_type_is_array(t))
1015 			env->resolve_mode = RESOLVE_STRUCT_OR_ARRAY;
1016 	}
1017 
1018 	return 0;
1019 }
1020 
1021 static void env_stack_set_next_member(struct btf_verifier_env *env,
1022 				      u16 next_member)
1023 {
1024 	env->stack[env->top_stack - 1].next_member = next_member;
1025 }
1026 
1027 static void env_stack_pop_resolved(struct btf_verifier_env *env,
1028 				   u32 resolved_type_id,
1029 				   u32 resolved_size)
1030 {
1031 	u32 type_id = env->stack[--(env->top_stack)].type_id;
1032 	struct btf *btf = env->btf;
1033 
1034 	btf->resolved_sizes[type_id] = resolved_size;
1035 	btf->resolved_ids[type_id] = resolved_type_id;
1036 	env->visit_states[type_id] = RESOLVED;
1037 }
1038 
1039 static const struct resolve_vertex *env_stack_peak(struct btf_verifier_env *env)
1040 {
1041 	return env->top_stack ? &env->stack[env->top_stack - 1] : NULL;
1042 }
1043 
1044 /* Resolve the size of a passed-in "type"
1045  *
1046  * type: is an array (e.g. u32 array[x][y])
1047  * return type: type "u32[x][y]", i.e. BTF_KIND_ARRAY,
1048  * *type_size: (x * y * sizeof(u32)).  Hence, *type_size always
1049  *             corresponds to the return type.
1050  * *elem_type: u32
1051  * *total_nelems: (x * y).  Hence, individual elem size is
1052  *                (*type_size / *total_nelems)
1053  *
1054  * type: is not an array (e.g. const struct X)
1055  * return type: type "struct X"
1056  * *type_size: sizeof(struct X)
1057  * *elem_type: same as return type ("struct X")
1058  * *total_nelems: 1
1059  */
1060 static const struct btf_type *
1061 btf_resolve_size(const struct btf *btf, const struct btf_type *type,
1062 		 u32 *type_size, const struct btf_type **elem_type,
1063 		 u32 *total_nelems)
1064 {
1065 	const struct btf_type *array_type = NULL;
1066 	const struct btf_array *array;
1067 	u32 i, size, nelems = 1;
1068 
1069 	for (i = 0; i < MAX_RESOLVE_DEPTH; i++) {
1070 		switch (BTF_INFO_KIND(type->info)) {
1071 		/* type->size can be used */
1072 		case BTF_KIND_INT:
1073 		case BTF_KIND_STRUCT:
1074 		case BTF_KIND_UNION:
1075 		case BTF_KIND_ENUM:
1076 			size = type->size;
1077 			goto resolved;
1078 
1079 		case BTF_KIND_PTR:
1080 			size = sizeof(void *);
1081 			goto resolved;
1082 
1083 		/* Modifiers */
1084 		case BTF_KIND_TYPEDEF:
1085 		case BTF_KIND_VOLATILE:
1086 		case BTF_KIND_CONST:
1087 		case BTF_KIND_RESTRICT:
1088 			type = btf_type_by_id(btf, type->type);
1089 			break;
1090 
1091 		case BTF_KIND_ARRAY:
1092 			if (!array_type)
1093 				array_type = type;
1094 			array = btf_type_array(type);
1095 			if (nelems && array->nelems > U32_MAX / nelems)
1096 				return ERR_PTR(-EINVAL);
1097 			nelems *= array->nelems;
1098 			type = btf_type_by_id(btf, array->type);
1099 			break;
1100 
1101 		/* type without size */
1102 		default:
1103 			return ERR_PTR(-EINVAL);
1104 		}
1105 	}
1106 
1107 	return ERR_PTR(-EINVAL);
1108 
1109 resolved:
1110 	if (nelems && size > U32_MAX / nelems)
1111 		return ERR_PTR(-EINVAL);
1112 
1113 	*type_size = nelems * size;
1114 	*total_nelems = nelems;
1115 	*elem_type = type;
1116 
1117 	return array_type ? : type;
1118 }
1119 
1120 /* The input param "type_id" must point to a needs_resolve type */
1121 static const struct btf_type *btf_type_id_resolve(const struct btf *btf,
1122 						  u32 *type_id)
1123 {
1124 	*type_id = btf->resolved_ids[*type_id];
1125 	return btf_type_by_id(btf, *type_id);
1126 }
1127 
1128 const struct btf_type *btf_type_id_size(const struct btf *btf,
1129 					u32 *type_id, u32 *ret_size)
1130 {
1131 	const struct btf_type *size_type;
1132 	u32 size_type_id = *type_id;
1133 	u32 size = 0;
1134 
1135 	size_type = btf_type_by_id(btf, size_type_id);
1136 	if (btf_type_nosize_or_null(size_type))
1137 		return NULL;
1138 
1139 	if (btf_type_has_size(size_type)) {
1140 		size = size_type->size;
1141 	} else if (btf_type_is_array(size_type)) {
1142 		size = btf->resolved_sizes[size_type_id];
1143 	} else if (btf_type_is_ptr(size_type)) {
1144 		size = sizeof(void *);
1145 	} else {
1146 		if (WARN_ON_ONCE(!btf_type_is_modifier(size_type) &&
1147 				 !btf_type_is_var(size_type)))
1148 			return NULL;
1149 
1150 		size_type_id = btf->resolved_ids[size_type_id];
1151 		size_type = btf_type_by_id(btf, size_type_id);
1152 		if (btf_type_nosize_or_null(size_type))
1153 			return NULL;
1154 		else if (btf_type_has_size(size_type))
1155 			size = size_type->size;
1156 		else if (btf_type_is_array(size_type))
1157 			size = btf->resolved_sizes[size_type_id];
1158 		else if (btf_type_is_ptr(size_type))
1159 			size = sizeof(void *);
1160 		else
1161 			return NULL;
1162 	}
1163 
1164 	*type_id = size_type_id;
1165 	if (ret_size)
1166 		*ret_size = size;
1167 
1168 	return size_type;
1169 }
1170 
1171 static int btf_df_check_member(struct btf_verifier_env *env,
1172 			       const struct btf_type *struct_type,
1173 			       const struct btf_member *member,
1174 			       const struct btf_type *member_type)
1175 {
1176 	btf_verifier_log_basic(env, struct_type,
1177 			       "Unsupported check_member");
1178 	return -EINVAL;
1179 }
1180 
1181 static int btf_df_check_kflag_member(struct btf_verifier_env *env,
1182 				     const struct btf_type *struct_type,
1183 				     const struct btf_member *member,
1184 				     const struct btf_type *member_type)
1185 {
1186 	btf_verifier_log_basic(env, struct_type,
1187 			       "Unsupported check_kflag_member");
1188 	return -EINVAL;
1189 }
1190 
1191 /* Used for ptr, array and struct/union type members.
1192  * int, enum and modifier types have their specific callback functions.
1193  */
1194 static int btf_generic_check_kflag_member(struct btf_verifier_env *env,
1195 					  const struct btf_type *struct_type,
1196 					  const struct btf_member *member,
1197 					  const struct btf_type *member_type)
1198 {
1199 	if (BTF_MEMBER_BITFIELD_SIZE(member->offset)) {
1200 		btf_verifier_log_member(env, struct_type, member,
1201 					"Invalid member bitfield_size");
1202 		return -EINVAL;
1203 	}
1204 
1205 	/* bitfield size is 0, so member->offset represents bit offset only.
1206 	 * It is safe to call non kflag check_member variants.
1207 	 */
1208 	return btf_type_ops(member_type)->check_member(env, struct_type,
1209 						       member,
1210 						       member_type);
1211 }
1212 
1213 static int btf_df_resolve(struct btf_verifier_env *env,
1214 			  const struct resolve_vertex *v)
1215 {
1216 	btf_verifier_log_basic(env, v->t, "Unsupported resolve");
1217 	return -EINVAL;
1218 }
1219 
1220 static void btf_df_seq_show(const struct btf *btf, const struct btf_type *t,
1221 			    u32 type_id, void *data, u8 bits_offsets,
1222 			    struct seq_file *m)
1223 {
1224 	seq_printf(m, "<unsupported kind:%u>", BTF_INFO_KIND(t->info));
1225 }
1226 
1227 static int btf_int_check_member(struct btf_verifier_env *env,
1228 				const struct btf_type *struct_type,
1229 				const struct btf_member *member,
1230 				const struct btf_type *member_type)
1231 {
1232 	u32 int_data = btf_type_int(member_type);
1233 	u32 struct_bits_off = member->offset;
1234 	u32 struct_size = struct_type->size;
1235 	u32 nr_copy_bits;
1236 	u32 bytes_offset;
1237 
1238 	if (U32_MAX - struct_bits_off < BTF_INT_OFFSET(int_data)) {
1239 		btf_verifier_log_member(env, struct_type, member,
1240 					"bits_offset exceeds U32_MAX");
1241 		return -EINVAL;
1242 	}
1243 
1244 	struct_bits_off += BTF_INT_OFFSET(int_data);
1245 	bytes_offset = BITS_ROUNDDOWN_BYTES(struct_bits_off);
1246 	nr_copy_bits = BTF_INT_BITS(int_data) +
1247 		BITS_PER_BYTE_MASKED(struct_bits_off);
1248 
1249 	if (nr_copy_bits > BITS_PER_U128) {
1250 		btf_verifier_log_member(env, struct_type, member,
1251 					"nr_copy_bits exceeds 128");
1252 		return -EINVAL;
1253 	}
1254 
1255 	if (struct_size < bytes_offset ||
1256 	    struct_size - bytes_offset < BITS_ROUNDUP_BYTES(nr_copy_bits)) {
1257 		btf_verifier_log_member(env, struct_type, member,
1258 					"Member exceeds struct_size");
1259 		return -EINVAL;
1260 	}
1261 
1262 	return 0;
1263 }
1264 
1265 static int btf_int_check_kflag_member(struct btf_verifier_env *env,
1266 				      const struct btf_type *struct_type,
1267 				      const struct btf_member *member,
1268 				      const struct btf_type *member_type)
1269 {
1270 	u32 struct_bits_off, nr_bits, nr_int_data_bits, bytes_offset;
1271 	u32 int_data = btf_type_int(member_type);
1272 	u32 struct_size = struct_type->size;
1273 	u32 nr_copy_bits;
1274 
1275 	/* a regular int type is required for the kflag int member */
1276 	if (!btf_type_int_is_regular(member_type)) {
1277 		btf_verifier_log_member(env, struct_type, member,
1278 					"Invalid member base type");
1279 		return -EINVAL;
1280 	}
1281 
1282 	/* check sanity of bitfield size */
1283 	nr_bits = BTF_MEMBER_BITFIELD_SIZE(member->offset);
1284 	struct_bits_off = BTF_MEMBER_BIT_OFFSET(member->offset);
1285 	nr_int_data_bits = BTF_INT_BITS(int_data);
1286 	if (!nr_bits) {
1287 		/* Not a bitfield member, member offset must be at byte
1288 		 * boundary.
1289 		 */
1290 		if (BITS_PER_BYTE_MASKED(struct_bits_off)) {
1291 			btf_verifier_log_member(env, struct_type, member,
1292 						"Invalid member offset");
1293 			return -EINVAL;
1294 		}
1295 
1296 		nr_bits = nr_int_data_bits;
1297 	} else if (nr_bits > nr_int_data_bits) {
1298 		btf_verifier_log_member(env, struct_type, member,
1299 					"Invalid member bitfield_size");
1300 		return -EINVAL;
1301 	}
1302 
1303 	bytes_offset = BITS_ROUNDDOWN_BYTES(struct_bits_off);
1304 	nr_copy_bits = nr_bits + BITS_PER_BYTE_MASKED(struct_bits_off);
1305 	if (nr_copy_bits > BITS_PER_U128) {
1306 		btf_verifier_log_member(env, struct_type, member,
1307 					"nr_copy_bits exceeds 128");
1308 		return -EINVAL;
1309 	}
1310 
1311 	if (struct_size < bytes_offset ||
1312 	    struct_size - bytes_offset < BITS_ROUNDUP_BYTES(nr_copy_bits)) {
1313 		btf_verifier_log_member(env, struct_type, member,
1314 					"Member exceeds struct_size");
1315 		return -EINVAL;
1316 	}
1317 
1318 	return 0;
1319 }
1320 
1321 static s32 btf_int_check_meta(struct btf_verifier_env *env,
1322 			      const struct btf_type *t,
1323 			      u32 meta_left)
1324 {
1325 	u32 int_data, nr_bits, meta_needed = sizeof(int_data);
1326 	u16 encoding;
1327 
1328 	if (meta_left < meta_needed) {
1329 		btf_verifier_log_basic(env, t,
1330 				       "meta_left:%u meta_needed:%u",
1331 				       meta_left, meta_needed);
1332 		return -EINVAL;
1333 	}
1334 
1335 	if (btf_type_vlen(t)) {
1336 		btf_verifier_log_type(env, t, "vlen != 0");
1337 		return -EINVAL;
1338 	}
1339 
1340 	if (btf_type_kflag(t)) {
1341 		btf_verifier_log_type(env, t, "Invalid btf_info kind_flag");
1342 		return -EINVAL;
1343 	}
1344 
1345 	int_data = btf_type_int(t);
1346 	if (int_data & ~BTF_INT_MASK) {
1347 		btf_verifier_log_basic(env, t, "Invalid int_data:%x",
1348 				       int_data);
1349 		return -EINVAL;
1350 	}
1351 
1352 	nr_bits = BTF_INT_BITS(int_data) + BTF_INT_OFFSET(int_data);
1353 
1354 	if (nr_bits > BITS_PER_U128) {
1355 		btf_verifier_log_type(env, t, "nr_bits exceeds %zu",
1356 				      BITS_PER_U128);
1357 		return -EINVAL;
1358 	}
1359 
1360 	if (BITS_ROUNDUP_BYTES(nr_bits) > t->size) {
1361 		btf_verifier_log_type(env, t, "nr_bits exceeds type_size");
1362 		return -EINVAL;
1363 	}
1364 
1365 	/*
1366 	 * Only one of the encoding bits is allowed and it
1367 	 * should be sufficient for the pretty print purpose (i.e. decoding).
1368 	 * Multiple bits can be allowed later if it is found
1369 	 * to be insufficient.
1370 	 */
1371 	encoding = BTF_INT_ENCODING(int_data);
1372 	if (encoding &&
1373 	    encoding != BTF_INT_SIGNED &&
1374 	    encoding != BTF_INT_CHAR &&
1375 	    encoding != BTF_INT_BOOL) {
1376 		btf_verifier_log_type(env, t, "Unsupported encoding");
1377 		return -ENOTSUPP;
1378 	}
1379 
1380 	btf_verifier_log_type(env, t, NULL);
1381 
1382 	return meta_needed;
1383 }
1384 
1385 static void btf_int_log(struct btf_verifier_env *env,
1386 			const struct btf_type *t)
1387 {
1388 	int int_data = btf_type_int(t);
1389 
1390 	btf_verifier_log(env,
1391 			 "size=%u bits_offset=%u nr_bits=%u encoding=%s",
1392 			 t->size, BTF_INT_OFFSET(int_data),
1393 			 BTF_INT_BITS(int_data),
1394 			 btf_int_encoding_str(BTF_INT_ENCODING(int_data)));
1395 }
1396 
1397 static void btf_int128_print(struct seq_file *m, void *data)
1398 {
1399 	/* data points to a __int128 number.
1400 	 * Suppose
1401 	 *     int128_num = *(__int128 *)data;
1402 	 * The below formulas shows what upper_num and lower_num represents:
1403 	 *     upper_num = int128_num >> 64;
1404 	 *     lower_num = int128_num & 0xffffffffFFFFFFFFULL;
1405 	 */
1406 	u64 upper_num, lower_num;
1407 
1408 #ifdef __BIG_ENDIAN_BITFIELD
1409 	upper_num = *(u64 *)data;
1410 	lower_num = *(u64 *)(data + 8);
1411 #else
1412 	upper_num = *(u64 *)(data + 8);
1413 	lower_num = *(u64 *)data;
1414 #endif
1415 	if (upper_num == 0)
1416 		seq_printf(m, "0x%llx", lower_num);
1417 	else
1418 		seq_printf(m, "0x%llx%016llx", upper_num, lower_num);
1419 }
1420 
1421 static void btf_int128_shift(u64 *print_num, u16 left_shift_bits,
1422 			     u16 right_shift_bits)
1423 {
1424 	u64 upper_num, lower_num;
1425 
1426 #ifdef __BIG_ENDIAN_BITFIELD
1427 	upper_num = print_num[0];
1428 	lower_num = print_num[1];
1429 #else
1430 	upper_num = print_num[1];
1431 	lower_num = print_num[0];
1432 #endif
1433 
1434 	/* shake out un-needed bits by shift/or operations */
1435 	if (left_shift_bits >= 64) {
1436 		upper_num = lower_num << (left_shift_bits - 64);
1437 		lower_num = 0;
1438 	} else {
1439 		upper_num = (upper_num << left_shift_bits) |
1440 			    (lower_num >> (64 - left_shift_bits));
1441 		lower_num = lower_num << left_shift_bits;
1442 	}
1443 
1444 	if (right_shift_bits >= 64) {
1445 		lower_num = upper_num >> (right_shift_bits - 64);
1446 		upper_num = 0;
1447 	} else {
1448 		lower_num = (lower_num >> right_shift_bits) |
1449 			    (upper_num << (64 - right_shift_bits));
1450 		upper_num = upper_num >> right_shift_bits;
1451 	}
1452 
1453 #ifdef __BIG_ENDIAN_BITFIELD
1454 	print_num[0] = upper_num;
1455 	print_num[1] = lower_num;
1456 #else
1457 	print_num[0] = lower_num;
1458 	print_num[1] = upper_num;
1459 #endif
1460 }
1461 
1462 static void btf_bitfield_seq_show(void *data, u8 bits_offset,
1463 				  u8 nr_bits, struct seq_file *m)
1464 {
1465 	u16 left_shift_bits, right_shift_bits;
1466 	u8 nr_copy_bytes;
1467 	u8 nr_copy_bits;
1468 	u64 print_num[2] = {};
1469 
1470 	nr_copy_bits = nr_bits + bits_offset;
1471 	nr_copy_bytes = BITS_ROUNDUP_BYTES(nr_copy_bits);
1472 
1473 	memcpy(print_num, data, nr_copy_bytes);
1474 
1475 #ifdef __BIG_ENDIAN_BITFIELD
1476 	left_shift_bits = bits_offset;
1477 #else
1478 	left_shift_bits = BITS_PER_U128 - nr_copy_bits;
1479 #endif
1480 	right_shift_bits = BITS_PER_U128 - nr_bits;
1481 
1482 	btf_int128_shift(print_num, left_shift_bits, right_shift_bits);
1483 	btf_int128_print(m, print_num);
1484 }
1485 
1486 
1487 static void btf_int_bits_seq_show(const struct btf *btf,
1488 				  const struct btf_type *t,
1489 				  void *data, u8 bits_offset,
1490 				  struct seq_file *m)
1491 {
1492 	u32 int_data = btf_type_int(t);
1493 	u8 nr_bits = BTF_INT_BITS(int_data);
1494 	u8 total_bits_offset;
1495 
1496 	/*
1497 	 * bits_offset is at most 7.
1498 	 * BTF_INT_OFFSET() cannot exceed 128 bits.
1499 	 */
1500 	total_bits_offset = bits_offset + BTF_INT_OFFSET(int_data);
1501 	data += BITS_ROUNDDOWN_BYTES(total_bits_offset);
1502 	bits_offset = BITS_PER_BYTE_MASKED(total_bits_offset);
1503 	btf_bitfield_seq_show(data, bits_offset, nr_bits, m);
1504 }
1505 
1506 static void btf_int_seq_show(const struct btf *btf, const struct btf_type *t,
1507 			     u32 type_id, void *data, u8 bits_offset,
1508 			     struct seq_file *m)
1509 {
1510 	u32 int_data = btf_type_int(t);
1511 	u8 encoding = BTF_INT_ENCODING(int_data);
1512 	bool sign = encoding & BTF_INT_SIGNED;
1513 	u8 nr_bits = BTF_INT_BITS(int_data);
1514 
1515 	if (bits_offset || BTF_INT_OFFSET(int_data) ||
1516 	    BITS_PER_BYTE_MASKED(nr_bits)) {
1517 		btf_int_bits_seq_show(btf, t, data, bits_offset, m);
1518 		return;
1519 	}
1520 
1521 	switch (nr_bits) {
1522 	case 128:
1523 		btf_int128_print(m, data);
1524 		break;
1525 	case 64:
1526 		if (sign)
1527 			seq_printf(m, "%lld", *(s64 *)data);
1528 		else
1529 			seq_printf(m, "%llu", *(u64 *)data);
1530 		break;
1531 	case 32:
1532 		if (sign)
1533 			seq_printf(m, "%d", *(s32 *)data);
1534 		else
1535 			seq_printf(m, "%u", *(u32 *)data);
1536 		break;
1537 	case 16:
1538 		if (sign)
1539 			seq_printf(m, "%d", *(s16 *)data);
1540 		else
1541 			seq_printf(m, "%u", *(u16 *)data);
1542 		break;
1543 	case 8:
1544 		if (sign)
1545 			seq_printf(m, "%d", *(s8 *)data);
1546 		else
1547 			seq_printf(m, "%u", *(u8 *)data);
1548 		break;
1549 	default:
1550 		btf_int_bits_seq_show(btf, t, data, bits_offset, m);
1551 	}
1552 }
1553 
1554 static const struct btf_kind_operations int_ops = {
1555 	.check_meta = btf_int_check_meta,
1556 	.resolve = btf_df_resolve,
1557 	.check_member = btf_int_check_member,
1558 	.check_kflag_member = btf_int_check_kflag_member,
1559 	.log_details = btf_int_log,
1560 	.seq_show = btf_int_seq_show,
1561 };
1562 
1563 static int btf_modifier_check_member(struct btf_verifier_env *env,
1564 				     const struct btf_type *struct_type,
1565 				     const struct btf_member *member,
1566 				     const struct btf_type *member_type)
1567 {
1568 	const struct btf_type *resolved_type;
1569 	u32 resolved_type_id = member->type;
1570 	struct btf_member resolved_member;
1571 	struct btf *btf = env->btf;
1572 
1573 	resolved_type = btf_type_id_size(btf, &resolved_type_id, NULL);
1574 	if (!resolved_type) {
1575 		btf_verifier_log_member(env, struct_type, member,
1576 					"Invalid member");
1577 		return -EINVAL;
1578 	}
1579 
1580 	resolved_member = *member;
1581 	resolved_member.type = resolved_type_id;
1582 
1583 	return btf_type_ops(resolved_type)->check_member(env, struct_type,
1584 							 &resolved_member,
1585 							 resolved_type);
1586 }
1587 
1588 static int btf_modifier_check_kflag_member(struct btf_verifier_env *env,
1589 					   const struct btf_type *struct_type,
1590 					   const struct btf_member *member,
1591 					   const struct btf_type *member_type)
1592 {
1593 	const struct btf_type *resolved_type;
1594 	u32 resolved_type_id = member->type;
1595 	struct btf_member resolved_member;
1596 	struct btf *btf = env->btf;
1597 
1598 	resolved_type = btf_type_id_size(btf, &resolved_type_id, NULL);
1599 	if (!resolved_type) {
1600 		btf_verifier_log_member(env, struct_type, member,
1601 					"Invalid member");
1602 		return -EINVAL;
1603 	}
1604 
1605 	resolved_member = *member;
1606 	resolved_member.type = resolved_type_id;
1607 
1608 	return btf_type_ops(resolved_type)->check_kflag_member(env, struct_type,
1609 							       &resolved_member,
1610 							       resolved_type);
1611 }
1612 
1613 static int btf_ptr_check_member(struct btf_verifier_env *env,
1614 				const struct btf_type *struct_type,
1615 				const struct btf_member *member,
1616 				const struct btf_type *member_type)
1617 {
1618 	u32 struct_size, struct_bits_off, bytes_offset;
1619 
1620 	struct_size = struct_type->size;
1621 	struct_bits_off = member->offset;
1622 	bytes_offset = BITS_ROUNDDOWN_BYTES(struct_bits_off);
1623 
1624 	if (BITS_PER_BYTE_MASKED(struct_bits_off)) {
1625 		btf_verifier_log_member(env, struct_type, member,
1626 					"Member is not byte aligned");
1627 		return -EINVAL;
1628 	}
1629 
1630 	if (struct_size - bytes_offset < sizeof(void *)) {
1631 		btf_verifier_log_member(env, struct_type, member,
1632 					"Member exceeds struct_size");
1633 		return -EINVAL;
1634 	}
1635 
1636 	return 0;
1637 }
1638 
1639 static int btf_ref_type_check_meta(struct btf_verifier_env *env,
1640 				   const struct btf_type *t,
1641 				   u32 meta_left)
1642 {
1643 	if (btf_type_vlen(t)) {
1644 		btf_verifier_log_type(env, t, "vlen != 0");
1645 		return -EINVAL;
1646 	}
1647 
1648 	if (btf_type_kflag(t)) {
1649 		btf_verifier_log_type(env, t, "Invalid btf_info kind_flag");
1650 		return -EINVAL;
1651 	}
1652 
1653 	if (!BTF_TYPE_ID_VALID(t->type)) {
1654 		btf_verifier_log_type(env, t, "Invalid type_id");
1655 		return -EINVAL;
1656 	}
1657 
1658 	/* typedef type must have a valid name, and other ref types,
1659 	 * volatile, const, restrict, should have a null name.
1660 	 */
1661 	if (BTF_INFO_KIND(t->info) == BTF_KIND_TYPEDEF) {
1662 		if (!t->name_off ||
1663 		    !btf_name_valid_identifier(env->btf, t->name_off)) {
1664 			btf_verifier_log_type(env, t, "Invalid name");
1665 			return -EINVAL;
1666 		}
1667 	} else {
1668 		if (t->name_off) {
1669 			btf_verifier_log_type(env, t, "Invalid name");
1670 			return -EINVAL;
1671 		}
1672 	}
1673 
1674 	btf_verifier_log_type(env, t, NULL);
1675 
1676 	return 0;
1677 }
1678 
1679 static int btf_modifier_resolve(struct btf_verifier_env *env,
1680 				const struct resolve_vertex *v)
1681 {
1682 	const struct btf_type *t = v->t;
1683 	const struct btf_type *next_type;
1684 	u32 next_type_id = t->type;
1685 	struct btf *btf = env->btf;
1686 
1687 	next_type = btf_type_by_id(btf, next_type_id);
1688 	if (!next_type || btf_type_is_resolve_source_only(next_type)) {
1689 		btf_verifier_log_type(env, v->t, "Invalid type_id");
1690 		return -EINVAL;
1691 	}
1692 
1693 	if (!env_type_is_resolve_sink(env, next_type) &&
1694 	    !env_type_is_resolved(env, next_type_id))
1695 		return env_stack_push(env, next_type, next_type_id);
1696 
1697 	/* Figure out the resolved next_type_id with size.
1698 	 * They will be stored in the current modifier's
1699 	 * resolved_ids and resolved_sizes such that it can
1700 	 * save us a few type-following when we use it later (e.g. in
1701 	 * pretty print).
1702 	 */
1703 	if (!btf_type_id_size(btf, &next_type_id, NULL)) {
1704 		if (env_type_is_resolved(env, next_type_id))
1705 			next_type = btf_type_id_resolve(btf, &next_type_id);
1706 
1707 		/* "typedef void new_void", "const void"...etc */
1708 		if (!btf_type_is_void(next_type) &&
1709 		    !btf_type_is_fwd(next_type) &&
1710 		    !btf_type_is_func_proto(next_type)) {
1711 			btf_verifier_log_type(env, v->t, "Invalid type_id");
1712 			return -EINVAL;
1713 		}
1714 	}
1715 
1716 	env_stack_pop_resolved(env, next_type_id, 0);
1717 
1718 	return 0;
1719 }
1720 
1721 static int btf_var_resolve(struct btf_verifier_env *env,
1722 			   const struct resolve_vertex *v)
1723 {
1724 	const struct btf_type *next_type;
1725 	const struct btf_type *t = v->t;
1726 	u32 next_type_id = t->type;
1727 	struct btf *btf = env->btf;
1728 
1729 	next_type = btf_type_by_id(btf, next_type_id);
1730 	if (!next_type || btf_type_is_resolve_source_only(next_type)) {
1731 		btf_verifier_log_type(env, v->t, "Invalid type_id");
1732 		return -EINVAL;
1733 	}
1734 
1735 	if (!env_type_is_resolve_sink(env, next_type) &&
1736 	    !env_type_is_resolved(env, next_type_id))
1737 		return env_stack_push(env, next_type, next_type_id);
1738 
1739 	if (btf_type_is_modifier(next_type)) {
1740 		const struct btf_type *resolved_type;
1741 		u32 resolved_type_id;
1742 
1743 		resolved_type_id = next_type_id;
1744 		resolved_type = btf_type_id_resolve(btf, &resolved_type_id);
1745 
1746 		if (btf_type_is_ptr(resolved_type) &&
1747 		    !env_type_is_resolve_sink(env, resolved_type) &&
1748 		    !env_type_is_resolved(env, resolved_type_id))
1749 			return env_stack_push(env, resolved_type,
1750 					      resolved_type_id);
1751 	}
1752 
1753 	/* We must resolve to something concrete at this point, no
1754 	 * forward types or similar that would resolve to size of
1755 	 * zero is allowed.
1756 	 */
1757 	if (!btf_type_id_size(btf, &next_type_id, NULL)) {
1758 		btf_verifier_log_type(env, v->t, "Invalid type_id");
1759 		return -EINVAL;
1760 	}
1761 
1762 	env_stack_pop_resolved(env, next_type_id, 0);
1763 
1764 	return 0;
1765 }
1766 
1767 static int btf_ptr_resolve(struct btf_verifier_env *env,
1768 			   const struct resolve_vertex *v)
1769 {
1770 	const struct btf_type *next_type;
1771 	const struct btf_type *t = v->t;
1772 	u32 next_type_id = t->type;
1773 	struct btf *btf = env->btf;
1774 
1775 	next_type = btf_type_by_id(btf, next_type_id);
1776 	if (!next_type || btf_type_is_resolve_source_only(next_type)) {
1777 		btf_verifier_log_type(env, v->t, "Invalid type_id");
1778 		return -EINVAL;
1779 	}
1780 
1781 	if (!env_type_is_resolve_sink(env, next_type) &&
1782 	    !env_type_is_resolved(env, next_type_id))
1783 		return env_stack_push(env, next_type, next_type_id);
1784 
1785 	/* If the modifier was RESOLVED during RESOLVE_STRUCT_OR_ARRAY,
1786 	 * the modifier may have stopped resolving when it was resolved
1787 	 * to a ptr (last-resolved-ptr).
1788 	 *
1789 	 * We now need to continue from the last-resolved-ptr to
1790 	 * ensure the last-resolved-ptr will not referring back to
1791 	 * the currenct ptr (t).
1792 	 */
1793 	if (btf_type_is_modifier(next_type)) {
1794 		const struct btf_type *resolved_type;
1795 		u32 resolved_type_id;
1796 
1797 		resolved_type_id = next_type_id;
1798 		resolved_type = btf_type_id_resolve(btf, &resolved_type_id);
1799 
1800 		if (btf_type_is_ptr(resolved_type) &&
1801 		    !env_type_is_resolve_sink(env, resolved_type) &&
1802 		    !env_type_is_resolved(env, resolved_type_id))
1803 			return env_stack_push(env, resolved_type,
1804 					      resolved_type_id);
1805 	}
1806 
1807 	if (!btf_type_id_size(btf, &next_type_id, NULL)) {
1808 		if (env_type_is_resolved(env, next_type_id))
1809 			next_type = btf_type_id_resolve(btf, &next_type_id);
1810 
1811 		if (!btf_type_is_void(next_type) &&
1812 		    !btf_type_is_fwd(next_type) &&
1813 		    !btf_type_is_func_proto(next_type)) {
1814 			btf_verifier_log_type(env, v->t, "Invalid type_id");
1815 			return -EINVAL;
1816 		}
1817 	}
1818 
1819 	env_stack_pop_resolved(env, next_type_id, 0);
1820 
1821 	return 0;
1822 }
1823 
1824 static void btf_modifier_seq_show(const struct btf *btf,
1825 				  const struct btf_type *t,
1826 				  u32 type_id, void *data,
1827 				  u8 bits_offset, struct seq_file *m)
1828 {
1829 	t = btf_type_id_resolve(btf, &type_id);
1830 
1831 	btf_type_ops(t)->seq_show(btf, t, type_id, data, bits_offset, m);
1832 }
1833 
1834 static void btf_var_seq_show(const struct btf *btf, const struct btf_type *t,
1835 			     u32 type_id, void *data, u8 bits_offset,
1836 			     struct seq_file *m)
1837 {
1838 	t = btf_type_id_resolve(btf, &type_id);
1839 
1840 	btf_type_ops(t)->seq_show(btf, t, type_id, data, bits_offset, m);
1841 }
1842 
1843 static void btf_ptr_seq_show(const struct btf *btf, const struct btf_type *t,
1844 			     u32 type_id, void *data, u8 bits_offset,
1845 			     struct seq_file *m)
1846 {
1847 	/* It is a hashed value */
1848 	seq_printf(m, "%p", *(void **)data);
1849 }
1850 
1851 static void btf_ref_type_log(struct btf_verifier_env *env,
1852 			     const struct btf_type *t)
1853 {
1854 	btf_verifier_log(env, "type_id=%u", t->type);
1855 }
1856 
1857 static struct btf_kind_operations modifier_ops = {
1858 	.check_meta = btf_ref_type_check_meta,
1859 	.resolve = btf_modifier_resolve,
1860 	.check_member = btf_modifier_check_member,
1861 	.check_kflag_member = btf_modifier_check_kflag_member,
1862 	.log_details = btf_ref_type_log,
1863 	.seq_show = btf_modifier_seq_show,
1864 };
1865 
1866 static struct btf_kind_operations ptr_ops = {
1867 	.check_meta = btf_ref_type_check_meta,
1868 	.resolve = btf_ptr_resolve,
1869 	.check_member = btf_ptr_check_member,
1870 	.check_kflag_member = btf_generic_check_kflag_member,
1871 	.log_details = btf_ref_type_log,
1872 	.seq_show = btf_ptr_seq_show,
1873 };
1874 
1875 static s32 btf_fwd_check_meta(struct btf_verifier_env *env,
1876 			      const struct btf_type *t,
1877 			      u32 meta_left)
1878 {
1879 	if (btf_type_vlen(t)) {
1880 		btf_verifier_log_type(env, t, "vlen != 0");
1881 		return -EINVAL;
1882 	}
1883 
1884 	if (t->type) {
1885 		btf_verifier_log_type(env, t, "type != 0");
1886 		return -EINVAL;
1887 	}
1888 
1889 	/* fwd type must have a valid name */
1890 	if (!t->name_off ||
1891 	    !btf_name_valid_identifier(env->btf, t->name_off)) {
1892 		btf_verifier_log_type(env, t, "Invalid name");
1893 		return -EINVAL;
1894 	}
1895 
1896 	btf_verifier_log_type(env, t, NULL);
1897 
1898 	return 0;
1899 }
1900 
1901 static void btf_fwd_type_log(struct btf_verifier_env *env,
1902 			     const struct btf_type *t)
1903 {
1904 	btf_verifier_log(env, "%s", btf_type_kflag(t) ? "union" : "struct");
1905 }
1906 
1907 static struct btf_kind_operations fwd_ops = {
1908 	.check_meta = btf_fwd_check_meta,
1909 	.resolve = btf_df_resolve,
1910 	.check_member = btf_df_check_member,
1911 	.check_kflag_member = btf_df_check_kflag_member,
1912 	.log_details = btf_fwd_type_log,
1913 	.seq_show = btf_df_seq_show,
1914 };
1915 
1916 static int btf_array_check_member(struct btf_verifier_env *env,
1917 				  const struct btf_type *struct_type,
1918 				  const struct btf_member *member,
1919 				  const struct btf_type *member_type)
1920 {
1921 	u32 struct_bits_off = member->offset;
1922 	u32 struct_size, bytes_offset;
1923 	u32 array_type_id, array_size;
1924 	struct btf *btf = env->btf;
1925 
1926 	if (BITS_PER_BYTE_MASKED(struct_bits_off)) {
1927 		btf_verifier_log_member(env, struct_type, member,
1928 					"Member is not byte aligned");
1929 		return -EINVAL;
1930 	}
1931 
1932 	array_type_id = member->type;
1933 	btf_type_id_size(btf, &array_type_id, &array_size);
1934 	struct_size = struct_type->size;
1935 	bytes_offset = BITS_ROUNDDOWN_BYTES(struct_bits_off);
1936 	if (struct_size - bytes_offset < array_size) {
1937 		btf_verifier_log_member(env, struct_type, member,
1938 					"Member exceeds struct_size");
1939 		return -EINVAL;
1940 	}
1941 
1942 	return 0;
1943 }
1944 
1945 static s32 btf_array_check_meta(struct btf_verifier_env *env,
1946 				const struct btf_type *t,
1947 				u32 meta_left)
1948 {
1949 	const struct btf_array *array = btf_type_array(t);
1950 	u32 meta_needed = sizeof(*array);
1951 
1952 	if (meta_left < meta_needed) {
1953 		btf_verifier_log_basic(env, t,
1954 				       "meta_left:%u meta_needed:%u",
1955 				       meta_left, meta_needed);
1956 		return -EINVAL;
1957 	}
1958 
1959 	/* array type should not have a name */
1960 	if (t->name_off) {
1961 		btf_verifier_log_type(env, t, "Invalid name");
1962 		return -EINVAL;
1963 	}
1964 
1965 	if (btf_type_vlen(t)) {
1966 		btf_verifier_log_type(env, t, "vlen != 0");
1967 		return -EINVAL;
1968 	}
1969 
1970 	if (btf_type_kflag(t)) {
1971 		btf_verifier_log_type(env, t, "Invalid btf_info kind_flag");
1972 		return -EINVAL;
1973 	}
1974 
1975 	if (t->size) {
1976 		btf_verifier_log_type(env, t, "size != 0");
1977 		return -EINVAL;
1978 	}
1979 
1980 	/* Array elem type and index type cannot be in type void,
1981 	 * so !array->type and !array->index_type are not allowed.
1982 	 */
1983 	if (!array->type || !BTF_TYPE_ID_VALID(array->type)) {
1984 		btf_verifier_log_type(env, t, "Invalid elem");
1985 		return -EINVAL;
1986 	}
1987 
1988 	if (!array->index_type || !BTF_TYPE_ID_VALID(array->index_type)) {
1989 		btf_verifier_log_type(env, t, "Invalid index");
1990 		return -EINVAL;
1991 	}
1992 
1993 	btf_verifier_log_type(env, t, NULL);
1994 
1995 	return meta_needed;
1996 }
1997 
1998 static int btf_array_resolve(struct btf_verifier_env *env,
1999 			     const struct resolve_vertex *v)
2000 {
2001 	const struct btf_array *array = btf_type_array(v->t);
2002 	const struct btf_type *elem_type, *index_type;
2003 	u32 elem_type_id, index_type_id;
2004 	struct btf *btf = env->btf;
2005 	u32 elem_size;
2006 
2007 	/* Check array->index_type */
2008 	index_type_id = array->index_type;
2009 	index_type = btf_type_by_id(btf, index_type_id);
2010 	if (btf_type_nosize_or_null(index_type) ||
2011 	    btf_type_is_resolve_source_only(index_type)) {
2012 		btf_verifier_log_type(env, v->t, "Invalid index");
2013 		return -EINVAL;
2014 	}
2015 
2016 	if (!env_type_is_resolve_sink(env, index_type) &&
2017 	    !env_type_is_resolved(env, index_type_id))
2018 		return env_stack_push(env, index_type, index_type_id);
2019 
2020 	index_type = btf_type_id_size(btf, &index_type_id, NULL);
2021 	if (!index_type || !btf_type_is_int(index_type) ||
2022 	    !btf_type_int_is_regular(index_type)) {
2023 		btf_verifier_log_type(env, v->t, "Invalid index");
2024 		return -EINVAL;
2025 	}
2026 
2027 	/* Check array->type */
2028 	elem_type_id = array->type;
2029 	elem_type = btf_type_by_id(btf, elem_type_id);
2030 	if (btf_type_nosize_or_null(elem_type) ||
2031 	    btf_type_is_resolve_source_only(elem_type)) {
2032 		btf_verifier_log_type(env, v->t,
2033 				      "Invalid elem");
2034 		return -EINVAL;
2035 	}
2036 
2037 	if (!env_type_is_resolve_sink(env, elem_type) &&
2038 	    !env_type_is_resolved(env, elem_type_id))
2039 		return env_stack_push(env, elem_type, elem_type_id);
2040 
2041 	elem_type = btf_type_id_size(btf, &elem_type_id, &elem_size);
2042 	if (!elem_type) {
2043 		btf_verifier_log_type(env, v->t, "Invalid elem");
2044 		return -EINVAL;
2045 	}
2046 
2047 	if (btf_type_is_int(elem_type) && !btf_type_int_is_regular(elem_type)) {
2048 		btf_verifier_log_type(env, v->t, "Invalid array of int");
2049 		return -EINVAL;
2050 	}
2051 
2052 	if (array->nelems && elem_size > U32_MAX / array->nelems) {
2053 		btf_verifier_log_type(env, v->t,
2054 				      "Array size overflows U32_MAX");
2055 		return -EINVAL;
2056 	}
2057 
2058 	env_stack_pop_resolved(env, elem_type_id, elem_size * array->nelems);
2059 
2060 	return 0;
2061 }
2062 
2063 static void btf_array_log(struct btf_verifier_env *env,
2064 			  const struct btf_type *t)
2065 {
2066 	const struct btf_array *array = btf_type_array(t);
2067 
2068 	btf_verifier_log(env, "type_id=%u index_type_id=%u nr_elems=%u",
2069 			 array->type, array->index_type, array->nelems);
2070 }
2071 
2072 static void btf_array_seq_show(const struct btf *btf, const struct btf_type *t,
2073 			       u32 type_id, void *data, u8 bits_offset,
2074 			       struct seq_file *m)
2075 {
2076 	const struct btf_array *array = btf_type_array(t);
2077 	const struct btf_kind_operations *elem_ops;
2078 	const struct btf_type *elem_type;
2079 	u32 i, elem_size, elem_type_id;
2080 
2081 	elem_type_id = array->type;
2082 	elem_type = btf_type_id_size(btf, &elem_type_id, &elem_size);
2083 	elem_ops = btf_type_ops(elem_type);
2084 	seq_puts(m, "[");
2085 	for (i = 0; i < array->nelems; i++) {
2086 		if (i)
2087 			seq_puts(m, ",");
2088 
2089 		elem_ops->seq_show(btf, elem_type, elem_type_id, data,
2090 				   bits_offset, m);
2091 		data += elem_size;
2092 	}
2093 	seq_puts(m, "]");
2094 }
2095 
2096 static struct btf_kind_operations array_ops = {
2097 	.check_meta = btf_array_check_meta,
2098 	.resolve = btf_array_resolve,
2099 	.check_member = btf_array_check_member,
2100 	.check_kflag_member = btf_generic_check_kflag_member,
2101 	.log_details = btf_array_log,
2102 	.seq_show = btf_array_seq_show,
2103 };
2104 
2105 static int btf_struct_check_member(struct btf_verifier_env *env,
2106 				   const struct btf_type *struct_type,
2107 				   const struct btf_member *member,
2108 				   const struct btf_type *member_type)
2109 {
2110 	u32 struct_bits_off = member->offset;
2111 	u32 struct_size, bytes_offset;
2112 
2113 	if (BITS_PER_BYTE_MASKED(struct_bits_off)) {
2114 		btf_verifier_log_member(env, struct_type, member,
2115 					"Member is not byte aligned");
2116 		return -EINVAL;
2117 	}
2118 
2119 	struct_size = struct_type->size;
2120 	bytes_offset = BITS_ROUNDDOWN_BYTES(struct_bits_off);
2121 	if (struct_size - bytes_offset < member_type->size) {
2122 		btf_verifier_log_member(env, struct_type, member,
2123 					"Member exceeds struct_size");
2124 		return -EINVAL;
2125 	}
2126 
2127 	return 0;
2128 }
2129 
2130 static s32 btf_struct_check_meta(struct btf_verifier_env *env,
2131 				 const struct btf_type *t,
2132 				 u32 meta_left)
2133 {
2134 	bool is_union = BTF_INFO_KIND(t->info) == BTF_KIND_UNION;
2135 	const struct btf_member *member;
2136 	u32 meta_needed, last_offset;
2137 	struct btf *btf = env->btf;
2138 	u32 struct_size = t->size;
2139 	u32 offset;
2140 	u16 i;
2141 
2142 	meta_needed = btf_type_vlen(t) * sizeof(*member);
2143 	if (meta_left < meta_needed) {
2144 		btf_verifier_log_basic(env, t,
2145 				       "meta_left:%u meta_needed:%u",
2146 				       meta_left, meta_needed);
2147 		return -EINVAL;
2148 	}
2149 
2150 	/* struct type either no name or a valid one */
2151 	if (t->name_off &&
2152 	    !btf_name_valid_identifier(env->btf, t->name_off)) {
2153 		btf_verifier_log_type(env, t, "Invalid name");
2154 		return -EINVAL;
2155 	}
2156 
2157 	btf_verifier_log_type(env, t, NULL);
2158 
2159 	last_offset = 0;
2160 	for_each_member(i, t, member) {
2161 		if (!btf_name_offset_valid(btf, member->name_off)) {
2162 			btf_verifier_log_member(env, t, member,
2163 						"Invalid member name_offset:%u",
2164 						member->name_off);
2165 			return -EINVAL;
2166 		}
2167 
2168 		/* struct member either no name or a valid one */
2169 		if (member->name_off &&
2170 		    !btf_name_valid_identifier(btf, member->name_off)) {
2171 			btf_verifier_log_member(env, t, member, "Invalid name");
2172 			return -EINVAL;
2173 		}
2174 		/* A member cannot be in type void */
2175 		if (!member->type || !BTF_TYPE_ID_VALID(member->type)) {
2176 			btf_verifier_log_member(env, t, member,
2177 						"Invalid type_id");
2178 			return -EINVAL;
2179 		}
2180 
2181 		offset = btf_member_bit_offset(t, member);
2182 		if (is_union && offset) {
2183 			btf_verifier_log_member(env, t, member,
2184 						"Invalid member bits_offset");
2185 			return -EINVAL;
2186 		}
2187 
2188 		/*
2189 		 * ">" instead of ">=" because the last member could be
2190 		 * "char a[0];"
2191 		 */
2192 		if (last_offset > offset) {
2193 			btf_verifier_log_member(env, t, member,
2194 						"Invalid member bits_offset");
2195 			return -EINVAL;
2196 		}
2197 
2198 		if (BITS_ROUNDUP_BYTES(offset) > struct_size) {
2199 			btf_verifier_log_member(env, t, member,
2200 						"Member bits_offset exceeds its struct size");
2201 			return -EINVAL;
2202 		}
2203 
2204 		btf_verifier_log_member(env, t, member, NULL);
2205 		last_offset = offset;
2206 	}
2207 
2208 	return meta_needed;
2209 }
2210 
2211 static int btf_struct_resolve(struct btf_verifier_env *env,
2212 			      const struct resolve_vertex *v)
2213 {
2214 	const struct btf_member *member;
2215 	int err;
2216 	u16 i;
2217 
2218 	/* Before continue resolving the next_member,
2219 	 * ensure the last member is indeed resolved to a
2220 	 * type with size info.
2221 	 */
2222 	if (v->next_member) {
2223 		const struct btf_type *last_member_type;
2224 		const struct btf_member *last_member;
2225 		u16 last_member_type_id;
2226 
2227 		last_member = btf_type_member(v->t) + v->next_member - 1;
2228 		last_member_type_id = last_member->type;
2229 		if (WARN_ON_ONCE(!env_type_is_resolved(env,
2230 						       last_member_type_id)))
2231 			return -EINVAL;
2232 
2233 		last_member_type = btf_type_by_id(env->btf,
2234 						  last_member_type_id);
2235 		if (btf_type_kflag(v->t))
2236 			err = btf_type_ops(last_member_type)->check_kflag_member(env, v->t,
2237 								last_member,
2238 								last_member_type);
2239 		else
2240 			err = btf_type_ops(last_member_type)->check_member(env, v->t,
2241 								last_member,
2242 								last_member_type);
2243 		if (err)
2244 			return err;
2245 	}
2246 
2247 	for_each_member_from(i, v->next_member, v->t, member) {
2248 		u32 member_type_id = member->type;
2249 		const struct btf_type *member_type = btf_type_by_id(env->btf,
2250 								member_type_id);
2251 
2252 		if (btf_type_nosize_or_null(member_type) ||
2253 		    btf_type_is_resolve_source_only(member_type)) {
2254 			btf_verifier_log_member(env, v->t, member,
2255 						"Invalid member");
2256 			return -EINVAL;
2257 		}
2258 
2259 		if (!env_type_is_resolve_sink(env, member_type) &&
2260 		    !env_type_is_resolved(env, member_type_id)) {
2261 			env_stack_set_next_member(env, i + 1);
2262 			return env_stack_push(env, member_type, member_type_id);
2263 		}
2264 
2265 		if (btf_type_kflag(v->t))
2266 			err = btf_type_ops(member_type)->check_kflag_member(env, v->t,
2267 									    member,
2268 									    member_type);
2269 		else
2270 			err = btf_type_ops(member_type)->check_member(env, v->t,
2271 								      member,
2272 								      member_type);
2273 		if (err)
2274 			return err;
2275 	}
2276 
2277 	env_stack_pop_resolved(env, 0, 0);
2278 
2279 	return 0;
2280 }
2281 
2282 static void btf_struct_log(struct btf_verifier_env *env,
2283 			   const struct btf_type *t)
2284 {
2285 	btf_verifier_log(env, "size=%u vlen=%u", t->size, btf_type_vlen(t));
2286 }
2287 
2288 /* find 'struct bpf_spin_lock' in map value.
2289  * return >= 0 offset if found
2290  * and < 0 in case of error
2291  */
2292 int btf_find_spin_lock(const struct btf *btf, const struct btf_type *t)
2293 {
2294 	const struct btf_member *member;
2295 	u32 i, off = -ENOENT;
2296 
2297 	if (!__btf_type_is_struct(t))
2298 		return -EINVAL;
2299 
2300 	for_each_member(i, t, member) {
2301 		const struct btf_type *member_type = btf_type_by_id(btf,
2302 								    member->type);
2303 		if (!__btf_type_is_struct(member_type))
2304 			continue;
2305 		if (member_type->size != sizeof(struct bpf_spin_lock))
2306 			continue;
2307 		if (strcmp(__btf_name_by_offset(btf, member_type->name_off),
2308 			   "bpf_spin_lock"))
2309 			continue;
2310 		if (off != -ENOENT)
2311 			/* only one 'struct bpf_spin_lock' is allowed */
2312 			return -E2BIG;
2313 		off = btf_member_bit_offset(t, member);
2314 		if (off % 8)
2315 			/* valid C code cannot generate such BTF */
2316 			return -EINVAL;
2317 		off /= 8;
2318 		if (off % __alignof__(struct bpf_spin_lock))
2319 			/* valid struct bpf_spin_lock will be 4 byte aligned */
2320 			return -EINVAL;
2321 	}
2322 	return off;
2323 }
2324 
2325 static void btf_struct_seq_show(const struct btf *btf, const struct btf_type *t,
2326 				u32 type_id, void *data, u8 bits_offset,
2327 				struct seq_file *m)
2328 {
2329 	const char *seq = BTF_INFO_KIND(t->info) == BTF_KIND_UNION ? "|" : ",";
2330 	const struct btf_member *member;
2331 	u32 i;
2332 
2333 	seq_puts(m, "{");
2334 	for_each_member(i, t, member) {
2335 		const struct btf_type *member_type = btf_type_by_id(btf,
2336 								member->type);
2337 		const struct btf_kind_operations *ops;
2338 		u32 member_offset, bitfield_size;
2339 		u32 bytes_offset;
2340 		u8 bits8_offset;
2341 
2342 		if (i)
2343 			seq_puts(m, seq);
2344 
2345 		member_offset = btf_member_bit_offset(t, member);
2346 		bitfield_size = btf_member_bitfield_size(t, member);
2347 		bytes_offset = BITS_ROUNDDOWN_BYTES(member_offset);
2348 		bits8_offset = BITS_PER_BYTE_MASKED(member_offset);
2349 		if (bitfield_size) {
2350 			btf_bitfield_seq_show(data + bytes_offset, bits8_offset,
2351 					      bitfield_size, m);
2352 		} else {
2353 			ops = btf_type_ops(member_type);
2354 			ops->seq_show(btf, member_type, member->type,
2355 				      data + bytes_offset, bits8_offset, m);
2356 		}
2357 	}
2358 	seq_puts(m, "}");
2359 }
2360 
2361 static struct btf_kind_operations struct_ops = {
2362 	.check_meta = btf_struct_check_meta,
2363 	.resolve = btf_struct_resolve,
2364 	.check_member = btf_struct_check_member,
2365 	.check_kflag_member = btf_generic_check_kflag_member,
2366 	.log_details = btf_struct_log,
2367 	.seq_show = btf_struct_seq_show,
2368 };
2369 
2370 static int btf_enum_check_member(struct btf_verifier_env *env,
2371 				 const struct btf_type *struct_type,
2372 				 const struct btf_member *member,
2373 				 const struct btf_type *member_type)
2374 {
2375 	u32 struct_bits_off = member->offset;
2376 	u32 struct_size, bytes_offset;
2377 
2378 	if (BITS_PER_BYTE_MASKED(struct_bits_off)) {
2379 		btf_verifier_log_member(env, struct_type, member,
2380 					"Member is not byte aligned");
2381 		return -EINVAL;
2382 	}
2383 
2384 	struct_size = struct_type->size;
2385 	bytes_offset = BITS_ROUNDDOWN_BYTES(struct_bits_off);
2386 	if (struct_size - bytes_offset < sizeof(int)) {
2387 		btf_verifier_log_member(env, struct_type, member,
2388 					"Member exceeds struct_size");
2389 		return -EINVAL;
2390 	}
2391 
2392 	return 0;
2393 }
2394 
2395 static int btf_enum_check_kflag_member(struct btf_verifier_env *env,
2396 				       const struct btf_type *struct_type,
2397 				       const struct btf_member *member,
2398 				       const struct btf_type *member_type)
2399 {
2400 	u32 struct_bits_off, nr_bits, bytes_end, struct_size;
2401 	u32 int_bitsize = sizeof(int) * BITS_PER_BYTE;
2402 
2403 	struct_bits_off = BTF_MEMBER_BIT_OFFSET(member->offset);
2404 	nr_bits = BTF_MEMBER_BITFIELD_SIZE(member->offset);
2405 	if (!nr_bits) {
2406 		if (BITS_PER_BYTE_MASKED(struct_bits_off)) {
2407 			btf_verifier_log_member(env, struct_type, member,
2408 						"Member is not byte aligned");
2409 			return -EINVAL;
2410 		}
2411 
2412 		nr_bits = int_bitsize;
2413 	} else if (nr_bits > int_bitsize) {
2414 		btf_verifier_log_member(env, struct_type, member,
2415 					"Invalid member bitfield_size");
2416 		return -EINVAL;
2417 	}
2418 
2419 	struct_size = struct_type->size;
2420 	bytes_end = BITS_ROUNDUP_BYTES(struct_bits_off + nr_bits);
2421 	if (struct_size < bytes_end) {
2422 		btf_verifier_log_member(env, struct_type, member,
2423 					"Member exceeds struct_size");
2424 		return -EINVAL;
2425 	}
2426 
2427 	return 0;
2428 }
2429 
2430 static s32 btf_enum_check_meta(struct btf_verifier_env *env,
2431 			       const struct btf_type *t,
2432 			       u32 meta_left)
2433 {
2434 	const struct btf_enum *enums = btf_type_enum(t);
2435 	struct btf *btf = env->btf;
2436 	u16 i, nr_enums;
2437 	u32 meta_needed;
2438 
2439 	nr_enums = btf_type_vlen(t);
2440 	meta_needed = nr_enums * sizeof(*enums);
2441 
2442 	if (meta_left < meta_needed) {
2443 		btf_verifier_log_basic(env, t,
2444 				       "meta_left:%u meta_needed:%u",
2445 				       meta_left, meta_needed);
2446 		return -EINVAL;
2447 	}
2448 
2449 	if (btf_type_kflag(t)) {
2450 		btf_verifier_log_type(env, t, "Invalid btf_info kind_flag");
2451 		return -EINVAL;
2452 	}
2453 
2454 	if (t->size > 8 || !is_power_of_2(t->size)) {
2455 		btf_verifier_log_type(env, t, "Unexpected size");
2456 		return -EINVAL;
2457 	}
2458 
2459 	/* enum type either no name or a valid one */
2460 	if (t->name_off &&
2461 	    !btf_name_valid_identifier(env->btf, t->name_off)) {
2462 		btf_verifier_log_type(env, t, "Invalid name");
2463 		return -EINVAL;
2464 	}
2465 
2466 	btf_verifier_log_type(env, t, NULL);
2467 
2468 	for (i = 0; i < nr_enums; i++) {
2469 		if (!btf_name_offset_valid(btf, enums[i].name_off)) {
2470 			btf_verifier_log(env, "\tInvalid name_offset:%u",
2471 					 enums[i].name_off);
2472 			return -EINVAL;
2473 		}
2474 
2475 		/* enum member must have a valid name */
2476 		if (!enums[i].name_off ||
2477 		    !btf_name_valid_identifier(btf, enums[i].name_off)) {
2478 			btf_verifier_log_type(env, t, "Invalid name");
2479 			return -EINVAL;
2480 		}
2481 
2482 		if (env->log.level == BPF_LOG_KERNEL)
2483 			continue;
2484 		btf_verifier_log(env, "\t%s val=%d\n",
2485 				 __btf_name_by_offset(btf, enums[i].name_off),
2486 				 enums[i].val);
2487 	}
2488 
2489 	return meta_needed;
2490 }
2491 
2492 static void btf_enum_log(struct btf_verifier_env *env,
2493 			 const struct btf_type *t)
2494 {
2495 	btf_verifier_log(env, "size=%u vlen=%u", t->size, btf_type_vlen(t));
2496 }
2497 
2498 static void btf_enum_seq_show(const struct btf *btf, const struct btf_type *t,
2499 			      u32 type_id, void *data, u8 bits_offset,
2500 			      struct seq_file *m)
2501 {
2502 	const struct btf_enum *enums = btf_type_enum(t);
2503 	u32 i, nr_enums = btf_type_vlen(t);
2504 	int v = *(int *)data;
2505 
2506 	for (i = 0; i < nr_enums; i++) {
2507 		if (v == enums[i].val) {
2508 			seq_printf(m, "%s",
2509 				   __btf_name_by_offset(btf,
2510 							enums[i].name_off));
2511 			return;
2512 		}
2513 	}
2514 
2515 	seq_printf(m, "%d", v);
2516 }
2517 
2518 static struct btf_kind_operations enum_ops = {
2519 	.check_meta = btf_enum_check_meta,
2520 	.resolve = btf_df_resolve,
2521 	.check_member = btf_enum_check_member,
2522 	.check_kflag_member = btf_enum_check_kflag_member,
2523 	.log_details = btf_enum_log,
2524 	.seq_show = btf_enum_seq_show,
2525 };
2526 
2527 static s32 btf_func_proto_check_meta(struct btf_verifier_env *env,
2528 				     const struct btf_type *t,
2529 				     u32 meta_left)
2530 {
2531 	u32 meta_needed = btf_type_vlen(t) * sizeof(struct btf_param);
2532 
2533 	if (meta_left < meta_needed) {
2534 		btf_verifier_log_basic(env, t,
2535 				       "meta_left:%u meta_needed:%u",
2536 				       meta_left, meta_needed);
2537 		return -EINVAL;
2538 	}
2539 
2540 	if (t->name_off) {
2541 		btf_verifier_log_type(env, t, "Invalid name");
2542 		return -EINVAL;
2543 	}
2544 
2545 	if (btf_type_kflag(t)) {
2546 		btf_verifier_log_type(env, t, "Invalid btf_info kind_flag");
2547 		return -EINVAL;
2548 	}
2549 
2550 	btf_verifier_log_type(env, t, NULL);
2551 
2552 	return meta_needed;
2553 }
2554 
2555 static void btf_func_proto_log(struct btf_verifier_env *env,
2556 			       const struct btf_type *t)
2557 {
2558 	const struct btf_param *args = (const struct btf_param *)(t + 1);
2559 	u16 nr_args = btf_type_vlen(t), i;
2560 
2561 	btf_verifier_log(env, "return=%u args=(", t->type);
2562 	if (!nr_args) {
2563 		btf_verifier_log(env, "void");
2564 		goto done;
2565 	}
2566 
2567 	if (nr_args == 1 && !args[0].type) {
2568 		/* Only one vararg */
2569 		btf_verifier_log(env, "vararg");
2570 		goto done;
2571 	}
2572 
2573 	btf_verifier_log(env, "%u %s", args[0].type,
2574 			 __btf_name_by_offset(env->btf,
2575 					      args[0].name_off));
2576 	for (i = 1; i < nr_args - 1; i++)
2577 		btf_verifier_log(env, ", %u %s", args[i].type,
2578 				 __btf_name_by_offset(env->btf,
2579 						      args[i].name_off));
2580 
2581 	if (nr_args > 1) {
2582 		const struct btf_param *last_arg = &args[nr_args - 1];
2583 
2584 		if (last_arg->type)
2585 			btf_verifier_log(env, ", %u %s", last_arg->type,
2586 					 __btf_name_by_offset(env->btf,
2587 							      last_arg->name_off));
2588 		else
2589 			btf_verifier_log(env, ", vararg");
2590 	}
2591 
2592 done:
2593 	btf_verifier_log(env, ")");
2594 }
2595 
2596 static struct btf_kind_operations func_proto_ops = {
2597 	.check_meta = btf_func_proto_check_meta,
2598 	.resolve = btf_df_resolve,
2599 	/*
2600 	 * BTF_KIND_FUNC_PROTO cannot be directly referred by
2601 	 * a struct's member.
2602 	 *
2603 	 * It should be a funciton pointer instead.
2604 	 * (i.e. struct's member -> BTF_KIND_PTR -> BTF_KIND_FUNC_PROTO)
2605 	 *
2606 	 * Hence, there is no btf_func_check_member().
2607 	 */
2608 	.check_member = btf_df_check_member,
2609 	.check_kflag_member = btf_df_check_kflag_member,
2610 	.log_details = btf_func_proto_log,
2611 	.seq_show = btf_df_seq_show,
2612 };
2613 
2614 static s32 btf_func_check_meta(struct btf_verifier_env *env,
2615 			       const struct btf_type *t,
2616 			       u32 meta_left)
2617 {
2618 	if (!t->name_off ||
2619 	    !btf_name_valid_identifier(env->btf, t->name_off)) {
2620 		btf_verifier_log_type(env, t, "Invalid name");
2621 		return -EINVAL;
2622 	}
2623 
2624 	if (btf_type_vlen(t)) {
2625 		btf_verifier_log_type(env, t, "vlen != 0");
2626 		return -EINVAL;
2627 	}
2628 
2629 	if (btf_type_kflag(t)) {
2630 		btf_verifier_log_type(env, t, "Invalid btf_info kind_flag");
2631 		return -EINVAL;
2632 	}
2633 
2634 	btf_verifier_log_type(env, t, NULL);
2635 
2636 	return 0;
2637 }
2638 
2639 static struct btf_kind_operations func_ops = {
2640 	.check_meta = btf_func_check_meta,
2641 	.resolve = btf_df_resolve,
2642 	.check_member = btf_df_check_member,
2643 	.check_kflag_member = btf_df_check_kflag_member,
2644 	.log_details = btf_ref_type_log,
2645 	.seq_show = btf_df_seq_show,
2646 };
2647 
2648 static s32 btf_var_check_meta(struct btf_verifier_env *env,
2649 			      const struct btf_type *t,
2650 			      u32 meta_left)
2651 {
2652 	const struct btf_var *var;
2653 	u32 meta_needed = sizeof(*var);
2654 
2655 	if (meta_left < meta_needed) {
2656 		btf_verifier_log_basic(env, t,
2657 				       "meta_left:%u meta_needed:%u",
2658 				       meta_left, meta_needed);
2659 		return -EINVAL;
2660 	}
2661 
2662 	if (btf_type_vlen(t)) {
2663 		btf_verifier_log_type(env, t, "vlen != 0");
2664 		return -EINVAL;
2665 	}
2666 
2667 	if (btf_type_kflag(t)) {
2668 		btf_verifier_log_type(env, t, "Invalid btf_info kind_flag");
2669 		return -EINVAL;
2670 	}
2671 
2672 	if (!t->name_off ||
2673 	    !__btf_name_valid(env->btf, t->name_off, true)) {
2674 		btf_verifier_log_type(env, t, "Invalid name");
2675 		return -EINVAL;
2676 	}
2677 
2678 	/* A var cannot be in type void */
2679 	if (!t->type || !BTF_TYPE_ID_VALID(t->type)) {
2680 		btf_verifier_log_type(env, t, "Invalid type_id");
2681 		return -EINVAL;
2682 	}
2683 
2684 	var = btf_type_var(t);
2685 	if (var->linkage != BTF_VAR_STATIC &&
2686 	    var->linkage != BTF_VAR_GLOBAL_ALLOCATED) {
2687 		btf_verifier_log_type(env, t, "Linkage not supported");
2688 		return -EINVAL;
2689 	}
2690 
2691 	btf_verifier_log_type(env, t, NULL);
2692 
2693 	return meta_needed;
2694 }
2695 
2696 static void btf_var_log(struct btf_verifier_env *env, const struct btf_type *t)
2697 {
2698 	const struct btf_var *var = btf_type_var(t);
2699 
2700 	btf_verifier_log(env, "type_id=%u linkage=%u", t->type, var->linkage);
2701 }
2702 
2703 static const struct btf_kind_operations var_ops = {
2704 	.check_meta		= btf_var_check_meta,
2705 	.resolve		= btf_var_resolve,
2706 	.check_member		= btf_df_check_member,
2707 	.check_kflag_member	= btf_df_check_kflag_member,
2708 	.log_details		= btf_var_log,
2709 	.seq_show		= btf_var_seq_show,
2710 };
2711 
2712 static s32 btf_datasec_check_meta(struct btf_verifier_env *env,
2713 				  const struct btf_type *t,
2714 				  u32 meta_left)
2715 {
2716 	const struct btf_var_secinfo *vsi;
2717 	u64 last_vsi_end_off = 0, sum = 0;
2718 	u32 i, meta_needed;
2719 
2720 	meta_needed = btf_type_vlen(t) * sizeof(*vsi);
2721 	if (meta_left < meta_needed) {
2722 		btf_verifier_log_basic(env, t,
2723 				       "meta_left:%u meta_needed:%u",
2724 				       meta_left, meta_needed);
2725 		return -EINVAL;
2726 	}
2727 
2728 	if (!btf_type_vlen(t)) {
2729 		btf_verifier_log_type(env, t, "vlen == 0");
2730 		return -EINVAL;
2731 	}
2732 
2733 	if (!t->size) {
2734 		btf_verifier_log_type(env, t, "size == 0");
2735 		return -EINVAL;
2736 	}
2737 
2738 	if (btf_type_kflag(t)) {
2739 		btf_verifier_log_type(env, t, "Invalid btf_info kind_flag");
2740 		return -EINVAL;
2741 	}
2742 
2743 	if (!t->name_off ||
2744 	    !btf_name_valid_section(env->btf, t->name_off)) {
2745 		btf_verifier_log_type(env, t, "Invalid name");
2746 		return -EINVAL;
2747 	}
2748 
2749 	btf_verifier_log_type(env, t, NULL);
2750 
2751 	for_each_vsi(i, t, vsi) {
2752 		/* A var cannot be in type void */
2753 		if (!vsi->type || !BTF_TYPE_ID_VALID(vsi->type)) {
2754 			btf_verifier_log_vsi(env, t, vsi,
2755 					     "Invalid type_id");
2756 			return -EINVAL;
2757 		}
2758 
2759 		if (vsi->offset < last_vsi_end_off || vsi->offset >= t->size) {
2760 			btf_verifier_log_vsi(env, t, vsi,
2761 					     "Invalid offset");
2762 			return -EINVAL;
2763 		}
2764 
2765 		if (!vsi->size || vsi->size > t->size) {
2766 			btf_verifier_log_vsi(env, t, vsi,
2767 					     "Invalid size");
2768 			return -EINVAL;
2769 		}
2770 
2771 		last_vsi_end_off = vsi->offset + vsi->size;
2772 		if (last_vsi_end_off > t->size) {
2773 			btf_verifier_log_vsi(env, t, vsi,
2774 					     "Invalid offset+size");
2775 			return -EINVAL;
2776 		}
2777 
2778 		btf_verifier_log_vsi(env, t, vsi, NULL);
2779 		sum += vsi->size;
2780 	}
2781 
2782 	if (t->size < sum) {
2783 		btf_verifier_log_type(env, t, "Invalid btf_info size");
2784 		return -EINVAL;
2785 	}
2786 
2787 	return meta_needed;
2788 }
2789 
2790 static int btf_datasec_resolve(struct btf_verifier_env *env,
2791 			       const struct resolve_vertex *v)
2792 {
2793 	const struct btf_var_secinfo *vsi;
2794 	struct btf *btf = env->btf;
2795 	u16 i;
2796 
2797 	for_each_vsi_from(i, v->next_member, v->t, vsi) {
2798 		u32 var_type_id = vsi->type, type_id, type_size = 0;
2799 		const struct btf_type *var_type = btf_type_by_id(env->btf,
2800 								 var_type_id);
2801 		if (!var_type || !btf_type_is_var(var_type)) {
2802 			btf_verifier_log_vsi(env, v->t, vsi,
2803 					     "Not a VAR kind member");
2804 			return -EINVAL;
2805 		}
2806 
2807 		if (!env_type_is_resolve_sink(env, var_type) &&
2808 		    !env_type_is_resolved(env, var_type_id)) {
2809 			env_stack_set_next_member(env, i + 1);
2810 			return env_stack_push(env, var_type, var_type_id);
2811 		}
2812 
2813 		type_id = var_type->type;
2814 		if (!btf_type_id_size(btf, &type_id, &type_size)) {
2815 			btf_verifier_log_vsi(env, v->t, vsi, "Invalid type");
2816 			return -EINVAL;
2817 		}
2818 
2819 		if (vsi->size < type_size) {
2820 			btf_verifier_log_vsi(env, v->t, vsi, "Invalid size");
2821 			return -EINVAL;
2822 		}
2823 	}
2824 
2825 	env_stack_pop_resolved(env, 0, 0);
2826 	return 0;
2827 }
2828 
2829 static void btf_datasec_log(struct btf_verifier_env *env,
2830 			    const struct btf_type *t)
2831 {
2832 	btf_verifier_log(env, "size=%u vlen=%u", t->size, btf_type_vlen(t));
2833 }
2834 
2835 static void btf_datasec_seq_show(const struct btf *btf,
2836 				 const struct btf_type *t, u32 type_id,
2837 				 void *data, u8 bits_offset,
2838 				 struct seq_file *m)
2839 {
2840 	const struct btf_var_secinfo *vsi;
2841 	const struct btf_type *var;
2842 	u32 i;
2843 
2844 	seq_printf(m, "section (\"%s\") = {", __btf_name_by_offset(btf, t->name_off));
2845 	for_each_vsi(i, t, vsi) {
2846 		var = btf_type_by_id(btf, vsi->type);
2847 		if (i)
2848 			seq_puts(m, ",");
2849 		btf_type_ops(var)->seq_show(btf, var, vsi->type,
2850 					    data + vsi->offset, bits_offset, m);
2851 	}
2852 	seq_puts(m, "}");
2853 }
2854 
2855 static const struct btf_kind_operations datasec_ops = {
2856 	.check_meta		= btf_datasec_check_meta,
2857 	.resolve		= btf_datasec_resolve,
2858 	.check_member		= btf_df_check_member,
2859 	.check_kflag_member	= btf_df_check_kflag_member,
2860 	.log_details		= btf_datasec_log,
2861 	.seq_show		= btf_datasec_seq_show,
2862 };
2863 
2864 static int btf_func_proto_check(struct btf_verifier_env *env,
2865 				const struct btf_type *t)
2866 {
2867 	const struct btf_type *ret_type;
2868 	const struct btf_param *args;
2869 	const struct btf *btf;
2870 	u16 nr_args, i;
2871 	int err;
2872 
2873 	btf = env->btf;
2874 	args = (const struct btf_param *)(t + 1);
2875 	nr_args = btf_type_vlen(t);
2876 
2877 	/* Check func return type which could be "void" (t->type == 0) */
2878 	if (t->type) {
2879 		u32 ret_type_id = t->type;
2880 
2881 		ret_type = btf_type_by_id(btf, ret_type_id);
2882 		if (!ret_type) {
2883 			btf_verifier_log_type(env, t, "Invalid return type");
2884 			return -EINVAL;
2885 		}
2886 
2887 		if (btf_type_needs_resolve(ret_type) &&
2888 		    !env_type_is_resolved(env, ret_type_id)) {
2889 			err = btf_resolve(env, ret_type, ret_type_id);
2890 			if (err)
2891 				return err;
2892 		}
2893 
2894 		/* Ensure the return type is a type that has a size */
2895 		if (!btf_type_id_size(btf, &ret_type_id, NULL)) {
2896 			btf_verifier_log_type(env, t, "Invalid return type");
2897 			return -EINVAL;
2898 		}
2899 	}
2900 
2901 	if (!nr_args)
2902 		return 0;
2903 
2904 	/* Last func arg type_id could be 0 if it is a vararg */
2905 	if (!args[nr_args - 1].type) {
2906 		if (args[nr_args - 1].name_off) {
2907 			btf_verifier_log_type(env, t, "Invalid arg#%u",
2908 					      nr_args);
2909 			return -EINVAL;
2910 		}
2911 		nr_args--;
2912 	}
2913 
2914 	err = 0;
2915 	for (i = 0; i < nr_args; i++) {
2916 		const struct btf_type *arg_type;
2917 		u32 arg_type_id;
2918 
2919 		arg_type_id = args[i].type;
2920 		arg_type = btf_type_by_id(btf, arg_type_id);
2921 		if (!arg_type) {
2922 			btf_verifier_log_type(env, t, "Invalid arg#%u", i + 1);
2923 			err = -EINVAL;
2924 			break;
2925 		}
2926 
2927 		if (args[i].name_off &&
2928 		    (!btf_name_offset_valid(btf, args[i].name_off) ||
2929 		     !btf_name_valid_identifier(btf, args[i].name_off))) {
2930 			btf_verifier_log_type(env, t,
2931 					      "Invalid arg#%u", i + 1);
2932 			err = -EINVAL;
2933 			break;
2934 		}
2935 
2936 		if (btf_type_needs_resolve(arg_type) &&
2937 		    !env_type_is_resolved(env, arg_type_id)) {
2938 			err = btf_resolve(env, arg_type, arg_type_id);
2939 			if (err)
2940 				break;
2941 		}
2942 
2943 		if (!btf_type_id_size(btf, &arg_type_id, NULL)) {
2944 			btf_verifier_log_type(env, t, "Invalid arg#%u", i + 1);
2945 			err = -EINVAL;
2946 			break;
2947 		}
2948 	}
2949 
2950 	return err;
2951 }
2952 
2953 static int btf_func_check(struct btf_verifier_env *env,
2954 			  const struct btf_type *t)
2955 {
2956 	const struct btf_type *proto_type;
2957 	const struct btf_param *args;
2958 	const struct btf *btf;
2959 	u16 nr_args, i;
2960 
2961 	btf = env->btf;
2962 	proto_type = btf_type_by_id(btf, t->type);
2963 
2964 	if (!proto_type || !btf_type_is_func_proto(proto_type)) {
2965 		btf_verifier_log_type(env, t, "Invalid type_id");
2966 		return -EINVAL;
2967 	}
2968 
2969 	args = (const struct btf_param *)(proto_type + 1);
2970 	nr_args = btf_type_vlen(proto_type);
2971 	for (i = 0; i < nr_args; i++) {
2972 		if (!args[i].name_off && args[i].type) {
2973 			btf_verifier_log_type(env, t, "Invalid arg#%u", i + 1);
2974 			return -EINVAL;
2975 		}
2976 	}
2977 
2978 	return 0;
2979 }
2980 
2981 static const struct btf_kind_operations * const kind_ops[NR_BTF_KINDS] = {
2982 	[BTF_KIND_INT] = &int_ops,
2983 	[BTF_KIND_PTR] = &ptr_ops,
2984 	[BTF_KIND_ARRAY] = &array_ops,
2985 	[BTF_KIND_STRUCT] = &struct_ops,
2986 	[BTF_KIND_UNION] = &struct_ops,
2987 	[BTF_KIND_ENUM] = &enum_ops,
2988 	[BTF_KIND_FWD] = &fwd_ops,
2989 	[BTF_KIND_TYPEDEF] = &modifier_ops,
2990 	[BTF_KIND_VOLATILE] = &modifier_ops,
2991 	[BTF_KIND_CONST] = &modifier_ops,
2992 	[BTF_KIND_RESTRICT] = &modifier_ops,
2993 	[BTF_KIND_FUNC] = &func_ops,
2994 	[BTF_KIND_FUNC_PROTO] = &func_proto_ops,
2995 	[BTF_KIND_VAR] = &var_ops,
2996 	[BTF_KIND_DATASEC] = &datasec_ops,
2997 };
2998 
2999 static s32 btf_check_meta(struct btf_verifier_env *env,
3000 			  const struct btf_type *t,
3001 			  u32 meta_left)
3002 {
3003 	u32 saved_meta_left = meta_left;
3004 	s32 var_meta_size;
3005 
3006 	if (meta_left < sizeof(*t)) {
3007 		btf_verifier_log(env, "[%u] meta_left:%u meta_needed:%zu",
3008 				 env->log_type_id, meta_left, sizeof(*t));
3009 		return -EINVAL;
3010 	}
3011 	meta_left -= sizeof(*t);
3012 
3013 	if (t->info & ~BTF_INFO_MASK) {
3014 		btf_verifier_log(env, "[%u] Invalid btf_info:%x",
3015 				 env->log_type_id, t->info);
3016 		return -EINVAL;
3017 	}
3018 
3019 	if (BTF_INFO_KIND(t->info) > BTF_KIND_MAX ||
3020 	    BTF_INFO_KIND(t->info) == BTF_KIND_UNKN) {
3021 		btf_verifier_log(env, "[%u] Invalid kind:%u",
3022 				 env->log_type_id, BTF_INFO_KIND(t->info));
3023 		return -EINVAL;
3024 	}
3025 
3026 	if (!btf_name_offset_valid(env->btf, t->name_off)) {
3027 		btf_verifier_log(env, "[%u] Invalid name_offset:%u",
3028 				 env->log_type_id, t->name_off);
3029 		return -EINVAL;
3030 	}
3031 
3032 	var_meta_size = btf_type_ops(t)->check_meta(env, t, meta_left);
3033 	if (var_meta_size < 0)
3034 		return var_meta_size;
3035 
3036 	meta_left -= var_meta_size;
3037 
3038 	return saved_meta_left - meta_left;
3039 }
3040 
3041 static int btf_check_all_metas(struct btf_verifier_env *env)
3042 {
3043 	struct btf *btf = env->btf;
3044 	struct btf_header *hdr;
3045 	void *cur, *end;
3046 
3047 	hdr = &btf->hdr;
3048 	cur = btf->nohdr_data + hdr->type_off;
3049 	end = cur + hdr->type_len;
3050 
3051 	env->log_type_id = 1;
3052 	while (cur < end) {
3053 		struct btf_type *t = cur;
3054 		s32 meta_size;
3055 
3056 		meta_size = btf_check_meta(env, t, end - cur);
3057 		if (meta_size < 0)
3058 			return meta_size;
3059 
3060 		btf_add_type(env, t);
3061 		cur += meta_size;
3062 		env->log_type_id++;
3063 	}
3064 
3065 	return 0;
3066 }
3067 
3068 static bool btf_resolve_valid(struct btf_verifier_env *env,
3069 			      const struct btf_type *t,
3070 			      u32 type_id)
3071 {
3072 	struct btf *btf = env->btf;
3073 
3074 	if (!env_type_is_resolved(env, type_id))
3075 		return false;
3076 
3077 	if (btf_type_is_struct(t) || btf_type_is_datasec(t))
3078 		return !btf->resolved_ids[type_id] &&
3079 		       !btf->resolved_sizes[type_id];
3080 
3081 	if (btf_type_is_modifier(t) || btf_type_is_ptr(t) ||
3082 	    btf_type_is_var(t)) {
3083 		t = btf_type_id_resolve(btf, &type_id);
3084 		return t &&
3085 		       !btf_type_is_modifier(t) &&
3086 		       !btf_type_is_var(t) &&
3087 		       !btf_type_is_datasec(t);
3088 	}
3089 
3090 	if (btf_type_is_array(t)) {
3091 		const struct btf_array *array = btf_type_array(t);
3092 		const struct btf_type *elem_type;
3093 		u32 elem_type_id = array->type;
3094 		u32 elem_size;
3095 
3096 		elem_type = btf_type_id_size(btf, &elem_type_id, &elem_size);
3097 		return elem_type && !btf_type_is_modifier(elem_type) &&
3098 			(array->nelems * elem_size ==
3099 			 btf->resolved_sizes[type_id]);
3100 	}
3101 
3102 	return false;
3103 }
3104 
3105 static int btf_resolve(struct btf_verifier_env *env,
3106 		       const struct btf_type *t, u32 type_id)
3107 {
3108 	u32 save_log_type_id = env->log_type_id;
3109 	const struct resolve_vertex *v;
3110 	int err = 0;
3111 
3112 	env->resolve_mode = RESOLVE_TBD;
3113 	env_stack_push(env, t, type_id);
3114 	while (!err && (v = env_stack_peak(env))) {
3115 		env->log_type_id = v->type_id;
3116 		err = btf_type_ops(v->t)->resolve(env, v);
3117 	}
3118 
3119 	env->log_type_id = type_id;
3120 	if (err == -E2BIG) {
3121 		btf_verifier_log_type(env, t,
3122 				      "Exceeded max resolving depth:%u",
3123 				      MAX_RESOLVE_DEPTH);
3124 	} else if (err == -EEXIST) {
3125 		btf_verifier_log_type(env, t, "Loop detected");
3126 	}
3127 
3128 	/* Final sanity check */
3129 	if (!err && !btf_resolve_valid(env, t, type_id)) {
3130 		btf_verifier_log_type(env, t, "Invalid resolve state");
3131 		err = -EINVAL;
3132 	}
3133 
3134 	env->log_type_id = save_log_type_id;
3135 	return err;
3136 }
3137 
3138 static int btf_check_all_types(struct btf_verifier_env *env)
3139 {
3140 	struct btf *btf = env->btf;
3141 	u32 type_id;
3142 	int err;
3143 
3144 	err = env_resolve_init(env);
3145 	if (err)
3146 		return err;
3147 
3148 	env->phase++;
3149 	for (type_id = 1; type_id <= btf->nr_types; type_id++) {
3150 		const struct btf_type *t = btf_type_by_id(btf, type_id);
3151 
3152 		env->log_type_id = type_id;
3153 		if (btf_type_needs_resolve(t) &&
3154 		    !env_type_is_resolved(env, type_id)) {
3155 			err = btf_resolve(env, t, type_id);
3156 			if (err)
3157 				return err;
3158 		}
3159 
3160 		if (btf_type_is_func_proto(t)) {
3161 			err = btf_func_proto_check(env, t);
3162 			if (err)
3163 				return err;
3164 		}
3165 
3166 		if (btf_type_is_func(t)) {
3167 			err = btf_func_check(env, t);
3168 			if (err)
3169 				return err;
3170 		}
3171 	}
3172 
3173 	return 0;
3174 }
3175 
3176 static int btf_parse_type_sec(struct btf_verifier_env *env)
3177 {
3178 	const struct btf_header *hdr = &env->btf->hdr;
3179 	int err;
3180 
3181 	/* Type section must align to 4 bytes */
3182 	if (hdr->type_off & (sizeof(u32) - 1)) {
3183 		btf_verifier_log(env, "Unaligned type_off");
3184 		return -EINVAL;
3185 	}
3186 
3187 	if (!hdr->type_len) {
3188 		btf_verifier_log(env, "No type found");
3189 		return -EINVAL;
3190 	}
3191 
3192 	err = btf_check_all_metas(env);
3193 	if (err)
3194 		return err;
3195 
3196 	return btf_check_all_types(env);
3197 }
3198 
3199 static int btf_parse_str_sec(struct btf_verifier_env *env)
3200 {
3201 	const struct btf_header *hdr;
3202 	struct btf *btf = env->btf;
3203 	const char *start, *end;
3204 
3205 	hdr = &btf->hdr;
3206 	start = btf->nohdr_data + hdr->str_off;
3207 	end = start + hdr->str_len;
3208 
3209 	if (end != btf->data + btf->data_size) {
3210 		btf_verifier_log(env, "String section is not at the end");
3211 		return -EINVAL;
3212 	}
3213 
3214 	if (!hdr->str_len || hdr->str_len - 1 > BTF_MAX_NAME_OFFSET ||
3215 	    start[0] || end[-1]) {
3216 		btf_verifier_log(env, "Invalid string section");
3217 		return -EINVAL;
3218 	}
3219 
3220 	btf->strings = start;
3221 
3222 	return 0;
3223 }
3224 
3225 static const size_t btf_sec_info_offset[] = {
3226 	offsetof(struct btf_header, type_off),
3227 	offsetof(struct btf_header, str_off),
3228 };
3229 
3230 static int btf_sec_info_cmp(const void *a, const void *b)
3231 {
3232 	const struct btf_sec_info *x = a;
3233 	const struct btf_sec_info *y = b;
3234 
3235 	return (int)(x->off - y->off) ? : (int)(x->len - y->len);
3236 }
3237 
3238 static int btf_check_sec_info(struct btf_verifier_env *env,
3239 			      u32 btf_data_size)
3240 {
3241 	struct btf_sec_info secs[ARRAY_SIZE(btf_sec_info_offset)];
3242 	u32 total, expected_total, i;
3243 	const struct btf_header *hdr;
3244 	const struct btf *btf;
3245 
3246 	btf = env->btf;
3247 	hdr = &btf->hdr;
3248 
3249 	/* Populate the secs from hdr */
3250 	for (i = 0; i < ARRAY_SIZE(btf_sec_info_offset); i++)
3251 		secs[i] = *(struct btf_sec_info *)((void *)hdr +
3252 						   btf_sec_info_offset[i]);
3253 
3254 	sort(secs, ARRAY_SIZE(btf_sec_info_offset),
3255 	     sizeof(struct btf_sec_info), btf_sec_info_cmp, NULL);
3256 
3257 	/* Check for gaps and overlap among sections */
3258 	total = 0;
3259 	expected_total = btf_data_size - hdr->hdr_len;
3260 	for (i = 0; i < ARRAY_SIZE(btf_sec_info_offset); i++) {
3261 		if (expected_total < secs[i].off) {
3262 			btf_verifier_log(env, "Invalid section offset");
3263 			return -EINVAL;
3264 		}
3265 		if (total < secs[i].off) {
3266 			/* gap */
3267 			btf_verifier_log(env, "Unsupported section found");
3268 			return -EINVAL;
3269 		}
3270 		if (total > secs[i].off) {
3271 			btf_verifier_log(env, "Section overlap found");
3272 			return -EINVAL;
3273 		}
3274 		if (expected_total - total < secs[i].len) {
3275 			btf_verifier_log(env,
3276 					 "Total section length too long");
3277 			return -EINVAL;
3278 		}
3279 		total += secs[i].len;
3280 	}
3281 
3282 	/* There is data other than hdr and known sections */
3283 	if (expected_total != total) {
3284 		btf_verifier_log(env, "Unsupported section found");
3285 		return -EINVAL;
3286 	}
3287 
3288 	return 0;
3289 }
3290 
3291 static int btf_parse_hdr(struct btf_verifier_env *env)
3292 {
3293 	u32 hdr_len, hdr_copy, btf_data_size;
3294 	const struct btf_header *hdr;
3295 	struct btf *btf;
3296 	int err;
3297 
3298 	btf = env->btf;
3299 	btf_data_size = btf->data_size;
3300 
3301 	if (btf_data_size <
3302 	    offsetof(struct btf_header, hdr_len) + sizeof(hdr->hdr_len)) {
3303 		btf_verifier_log(env, "hdr_len not found");
3304 		return -EINVAL;
3305 	}
3306 
3307 	hdr = btf->data;
3308 	hdr_len = hdr->hdr_len;
3309 	if (btf_data_size < hdr_len) {
3310 		btf_verifier_log(env, "btf_header not found");
3311 		return -EINVAL;
3312 	}
3313 
3314 	/* Ensure the unsupported header fields are zero */
3315 	if (hdr_len > sizeof(btf->hdr)) {
3316 		u8 *expected_zero = btf->data + sizeof(btf->hdr);
3317 		u8 *end = btf->data + hdr_len;
3318 
3319 		for (; expected_zero < end; expected_zero++) {
3320 			if (*expected_zero) {
3321 				btf_verifier_log(env, "Unsupported btf_header");
3322 				return -E2BIG;
3323 			}
3324 		}
3325 	}
3326 
3327 	hdr_copy = min_t(u32, hdr_len, sizeof(btf->hdr));
3328 	memcpy(&btf->hdr, btf->data, hdr_copy);
3329 
3330 	hdr = &btf->hdr;
3331 
3332 	btf_verifier_log_hdr(env, btf_data_size);
3333 
3334 	if (hdr->magic != BTF_MAGIC) {
3335 		btf_verifier_log(env, "Invalid magic");
3336 		return -EINVAL;
3337 	}
3338 
3339 	if (hdr->version != BTF_VERSION) {
3340 		btf_verifier_log(env, "Unsupported version");
3341 		return -ENOTSUPP;
3342 	}
3343 
3344 	if (hdr->flags) {
3345 		btf_verifier_log(env, "Unsupported flags");
3346 		return -ENOTSUPP;
3347 	}
3348 
3349 	if (btf_data_size == hdr->hdr_len) {
3350 		btf_verifier_log(env, "No data");
3351 		return -EINVAL;
3352 	}
3353 
3354 	err = btf_check_sec_info(env, btf_data_size);
3355 	if (err)
3356 		return err;
3357 
3358 	return 0;
3359 }
3360 
3361 static struct btf *btf_parse(void __user *btf_data, u32 btf_data_size,
3362 			     u32 log_level, char __user *log_ubuf, u32 log_size)
3363 {
3364 	struct btf_verifier_env *env = NULL;
3365 	struct bpf_verifier_log *log;
3366 	struct btf *btf = NULL;
3367 	u8 *data;
3368 	int err;
3369 
3370 	if (btf_data_size > BTF_MAX_SIZE)
3371 		return ERR_PTR(-E2BIG);
3372 
3373 	env = kzalloc(sizeof(*env), GFP_KERNEL | __GFP_NOWARN);
3374 	if (!env)
3375 		return ERR_PTR(-ENOMEM);
3376 
3377 	log = &env->log;
3378 	if (log_level || log_ubuf || log_size) {
3379 		/* user requested verbose verifier output
3380 		 * and supplied buffer to store the verification trace
3381 		 */
3382 		log->level = log_level;
3383 		log->ubuf = log_ubuf;
3384 		log->len_total = log_size;
3385 
3386 		/* log attributes have to be sane */
3387 		if (log->len_total < 128 || log->len_total > UINT_MAX >> 8 ||
3388 		    !log->level || !log->ubuf) {
3389 			err = -EINVAL;
3390 			goto errout;
3391 		}
3392 	}
3393 
3394 	btf = kzalloc(sizeof(*btf), GFP_KERNEL | __GFP_NOWARN);
3395 	if (!btf) {
3396 		err = -ENOMEM;
3397 		goto errout;
3398 	}
3399 	env->btf = btf;
3400 
3401 	data = kvmalloc(btf_data_size, GFP_KERNEL | __GFP_NOWARN);
3402 	if (!data) {
3403 		err = -ENOMEM;
3404 		goto errout;
3405 	}
3406 
3407 	btf->data = data;
3408 	btf->data_size = btf_data_size;
3409 
3410 	if (copy_from_user(data, btf_data, btf_data_size)) {
3411 		err = -EFAULT;
3412 		goto errout;
3413 	}
3414 
3415 	err = btf_parse_hdr(env);
3416 	if (err)
3417 		goto errout;
3418 
3419 	btf->nohdr_data = btf->data + btf->hdr.hdr_len;
3420 
3421 	err = btf_parse_str_sec(env);
3422 	if (err)
3423 		goto errout;
3424 
3425 	err = btf_parse_type_sec(env);
3426 	if (err)
3427 		goto errout;
3428 
3429 	if (log->level && bpf_verifier_log_full(log)) {
3430 		err = -ENOSPC;
3431 		goto errout;
3432 	}
3433 
3434 	btf_verifier_env_free(env);
3435 	refcount_set(&btf->refcnt, 1);
3436 	return btf;
3437 
3438 errout:
3439 	btf_verifier_env_free(env);
3440 	if (btf)
3441 		btf_free(btf);
3442 	return ERR_PTR(err);
3443 }
3444 
3445 extern char __weak _binary__btf_vmlinux_bin_start[];
3446 extern char __weak _binary__btf_vmlinux_bin_end[];
3447 extern struct btf *btf_vmlinux;
3448 
3449 #define BPF_MAP_TYPE(_id, _ops)
3450 static union {
3451 	struct bpf_ctx_convert {
3452 #define BPF_PROG_TYPE(_id, _name, prog_ctx_type, kern_ctx_type) \
3453 	prog_ctx_type _id##_prog; \
3454 	kern_ctx_type _id##_kern;
3455 #include <linux/bpf_types.h>
3456 #undef BPF_PROG_TYPE
3457 	} *__t;
3458 	/* 't' is written once under lock. Read many times. */
3459 	const struct btf_type *t;
3460 } bpf_ctx_convert;
3461 enum {
3462 #define BPF_PROG_TYPE(_id, _name, prog_ctx_type, kern_ctx_type) \
3463 	__ctx_convert##_id,
3464 #include <linux/bpf_types.h>
3465 #undef BPF_PROG_TYPE
3466 	__ctx_convert_unused, /* to avoid empty enum in extreme .config */
3467 };
3468 static u8 bpf_ctx_convert_map[] = {
3469 #define BPF_PROG_TYPE(_id, _name, prog_ctx_type, kern_ctx_type) \
3470 	[_id] = __ctx_convert##_id,
3471 #include <linux/bpf_types.h>
3472 #undef BPF_PROG_TYPE
3473 	0, /* avoid empty array */
3474 };
3475 #undef BPF_MAP_TYPE
3476 
3477 static const struct btf_member *
3478 btf_get_prog_ctx_type(struct bpf_verifier_log *log, struct btf *btf,
3479 		      const struct btf_type *t, enum bpf_prog_type prog_type)
3480 {
3481 	const struct btf_type *conv_struct;
3482 	const struct btf_type *ctx_struct;
3483 	const struct btf_member *ctx_type;
3484 	const char *tname, *ctx_tname;
3485 
3486 	conv_struct = bpf_ctx_convert.t;
3487 	if (!conv_struct) {
3488 		bpf_log(log, "btf_vmlinux is malformed\n");
3489 		return NULL;
3490 	}
3491 	t = btf_type_by_id(btf, t->type);
3492 	while (btf_type_is_modifier(t))
3493 		t = btf_type_by_id(btf, t->type);
3494 	if (!btf_type_is_struct(t)) {
3495 		/* Only pointer to struct is supported for now.
3496 		 * That means that BPF_PROG_TYPE_TRACEPOINT with BTF
3497 		 * is not supported yet.
3498 		 * BPF_PROG_TYPE_RAW_TRACEPOINT is fine.
3499 		 */
3500 		bpf_log(log, "BPF program ctx type is not a struct\n");
3501 		return NULL;
3502 	}
3503 	tname = btf_name_by_offset(btf, t->name_off);
3504 	if (!tname) {
3505 		bpf_log(log, "BPF program ctx struct doesn't have a name\n");
3506 		return NULL;
3507 	}
3508 	/* prog_type is valid bpf program type. No need for bounds check. */
3509 	ctx_type = btf_type_member(conv_struct) + bpf_ctx_convert_map[prog_type] * 2;
3510 	/* ctx_struct is a pointer to prog_ctx_type in vmlinux.
3511 	 * Like 'struct __sk_buff'
3512 	 */
3513 	ctx_struct = btf_type_by_id(btf_vmlinux, ctx_type->type);
3514 	if (!ctx_struct)
3515 		/* should not happen */
3516 		return NULL;
3517 	ctx_tname = btf_name_by_offset(btf_vmlinux, ctx_struct->name_off);
3518 	if (!ctx_tname) {
3519 		/* should not happen */
3520 		bpf_log(log, "Please fix kernel include/linux/bpf_types.h\n");
3521 		return NULL;
3522 	}
3523 	/* only compare that prog's ctx type name is the same as
3524 	 * kernel expects. No need to compare field by field.
3525 	 * It's ok for bpf prog to do:
3526 	 * struct __sk_buff {};
3527 	 * int socket_filter_bpf_prog(struct __sk_buff *skb)
3528 	 * { // no fields of skb are ever used }
3529 	 */
3530 	if (strcmp(ctx_tname, tname))
3531 		return NULL;
3532 	return ctx_type;
3533 }
3534 
3535 static int btf_translate_to_vmlinux(struct bpf_verifier_log *log,
3536 				     struct btf *btf,
3537 				     const struct btf_type *t,
3538 				     enum bpf_prog_type prog_type)
3539 {
3540 	const struct btf_member *prog_ctx_type, *kern_ctx_type;
3541 
3542 	prog_ctx_type = btf_get_prog_ctx_type(log, btf, t, prog_type);
3543 	if (!prog_ctx_type)
3544 		return -ENOENT;
3545 	kern_ctx_type = prog_ctx_type + 1;
3546 	return kern_ctx_type->type;
3547 }
3548 
3549 struct btf *btf_parse_vmlinux(void)
3550 {
3551 	struct btf_verifier_env *env = NULL;
3552 	struct bpf_verifier_log *log;
3553 	struct btf *btf = NULL;
3554 	int err, i;
3555 
3556 	env = kzalloc(sizeof(*env), GFP_KERNEL | __GFP_NOWARN);
3557 	if (!env)
3558 		return ERR_PTR(-ENOMEM);
3559 
3560 	log = &env->log;
3561 	log->level = BPF_LOG_KERNEL;
3562 
3563 	btf = kzalloc(sizeof(*btf), GFP_KERNEL | __GFP_NOWARN);
3564 	if (!btf) {
3565 		err = -ENOMEM;
3566 		goto errout;
3567 	}
3568 	env->btf = btf;
3569 
3570 	btf->data = _binary__btf_vmlinux_bin_start;
3571 	btf->data_size = _binary__btf_vmlinux_bin_end -
3572 		_binary__btf_vmlinux_bin_start;
3573 
3574 	err = btf_parse_hdr(env);
3575 	if (err)
3576 		goto errout;
3577 
3578 	btf->nohdr_data = btf->data + btf->hdr.hdr_len;
3579 
3580 	err = btf_parse_str_sec(env);
3581 	if (err)
3582 		goto errout;
3583 
3584 	err = btf_check_all_metas(env);
3585 	if (err)
3586 		goto errout;
3587 
3588 	/* find struct bpf_ctx_convert for type checking later */
3589 	for (i = 1; i <= btf->nr_types; i++) {
3590 		const struct btf_type *t;
3591 		const char *tname;
3592 
3593 		t = btf_type_by_id(btf, i);
3594 		if (!__btf_type_is_struct(t))
3595 			continue;
3596 		tname = __btf_name_by_offset(btf, t->name_off);
3597 		if (!strcmp(tname, "bpf_ctx_convert")) {
3598 			/* btf_parse_vmlinux() runs under bpf_verifier_lock */
3599 			bpf_ctx_convert.t = t;
3600 			break;
3601 		}
3602 	}
3603 	if (i > btf->nr_types) {
3604 		err = -ENOENT;
3605 		goto errout;
3606 	}
3607 
3608 	btf_verifier_env_free(env);
3609 	refcount_set(&btf->refcnt, 1);
3610 	return btf;
3611 
3612 errout:
3613 	btf_verifier_env_free(env);
3614 	if (btf) {
3615 		kvfree(btf->types);
3616 		kfree(btf);
3617 	}
3618 	return ERR_PTR(err);
3619 }
3620 
3621 struct btf *bpf_prog_get_target_btf(const struct bpf_prog *prog)
3622 {
3623 	struct bpf_prog *tgt_prog = prog->aux->linked_prog;
3624 
3625 	if (tgt_prog) {
3626 		return tgt_prog->aux->btf;
3627 	} else {
3628 		return btf_vmlinux;
3629 	}
3630 }
3631 
3632 bool btf_ctx_access(int off, int size, enum bpf_access_type type,
3633 		    const struct bpf_prog *prog,
3634 		    struct bpf_insn_access_aux *info)
3635 {
3636 	const struct btf_type *t = prog->aux->attach_func_proto;
3637 	struct bpf_prog *tgt_prog = prog->aux->linked_prog;
3638 	struct btf *btf = bpf_prog_get_target_btf(prog);
3639 	const char *tname = prog->aux->attach_func_name;
3640 	struct bpf_verifier_log *log = info->log;
3641 	const struct btf_param *args;
3642 	u32 nr_args, arg;
3643 	int ret;
3644 
3645 	if (off % 8) {
3646 		bpf_log(log, "func '%s' offset %d is not multiple of 8\n",
3647 			tname, off);
3648 		return false;
3649 	}
3650 	arg = off / 8;
3651 	args = (const struct btf_param *)(t + 1);
3652 	/* if (t == NULL) Fall back to default BPF prog with 5 u64 arguments */
3653 	nr_args = t ? btf_type_vlen(t) : 5;
3654 	if (prog->aux->attach_btf_trace) {
3655 		/* skip first 'void *__data' argument in btf_trace_##name typedef */
3656 		args++;
3657 		nr_args--;
3658 	}
3659 
3660 	if (prog->expected_attach_type == BPF_TRACE_FEXIT &&
3661 	    arg == nr_args) {
3662 		if (!t)
3663 			/* Default prog with 5 args. 6th arg is retval. */
3664 			return true;
3665 		/* function return type */
3666 		t = btf_type_by_id(btf, t->type);
3667 	} else if (arg >= nr_args) {
3668 		bpf_log(log, "func '%s' doesn't have %d-th argument\n",
3669 			tname, arg + 1);
3670 		return false;
3671 	} else {
3672 		if (!t)
3673 			/* Default prog with 5 args */
3674 			return true;
3675 		t = btf_type_by_id(btf, args[arg].type);
3676 	}
3677 	/* skip modifiers */
3678 	while (btf_type_is_modifier(t))
3679 		t = btf_type_by_id(btf, t->type);
3680 	if (btf_type_is_int(t))
3681 		/* accessing a scalar */
3682 		return true;
3683 	if (!btf_type_is_ptr(t)) {
3684 		bpf_log(log,
3685 			"func '%s' arg%d '%s' has type %s. Only pointer access is allowed\n",
3686 			tname, arg,
3687 			__btf_name_by_offset(btf, t->name_off),
3688 			btf_kind_str[BTF_INFO_KIND(t->info)]);
3689 		return false;
3690 	}
3691 	if (t->type == 0)
3692 		/* This is a pointer to void.
3693 		 * It is the same as scalar from the verifier safety pov.
3694 		 * No further pointer walking is allowed.
3695 		 */
3696 		return true;
3697 
3698 	/* this is a pointer to another type */
3699 	info->reg_type = PTR_TO_BTF_ID;
3700 	info->btf_id = t->type;
3701 
3702 	if (tgt_prog) {
3703 		ret = btf_translate_to_vmlinux(log, btf, t, tgt_prog->type);
3704 		if (ret > 0) {
3705 			info->btf_id = ret;
3706 			return true;
3707 		} else {
3708 			return false;
3709 		}
3710 	}
3711 	t = btf_type_by_id(btf, t->type);
3712 	/* skip modifiers */
3713 	while (btf_type_is_modifier(t))
3714 		t = btf_type_by_id(btf, t->type);
3715 	if (!btf_type_is_struct(t)) {
3716 		bpf_log(log,
3717 			"func '%s' arg%d type %s is not a struct\n",
3718 			tname, arg, btf_kind_str[BTF_INFO_KIND(t->info)]);
3719 		return false;
3720 	}
3721 	bpf_log(log, "func '%s' arg%d has btf_id %d type %s '%s'\n",
3722 		tname, arg, info->btf_id, btf_kind_str[BTF_INFO_KIND(t->info)],
3723 		__btf_name_by_offset(btf, t->name_off));
3724 	return true;
3725 }
3726 
3727 int btf_struct_access(struct bpf_verifier_log *log,
3728 		      const struct btf_type *t, int off, int size,
3729 		      enum bpf_access_type atype,
3730 		      u32 *next_btf_id)
3731 {
3732 	u32 i, moff, mtrue_end, msize = 0, total_nelems = 0;
3733 	const struct btf_type *mtype, *elem_type = NULL;
3734 	const struct btf_member *member;
3735 	const char *tname, *mname;
3736 
3737 again:
3738 	tname = __btf_name_by_offset(btf_vmlinux, t->name_off);
3739 	if (!btf_type_is_struct(t)) {
3740 		bpf_log(log, "Type '%s' is not a struct", tname);
3741 		return -EINVAL;
3742 	}
3743 
3744 	for_each_member(i, t, member) {
3745 		if (btf_member_bitfield_size(t, member))
3746 			/* bitfields are not supported yet */
3747 			continue;
3748 
3749 		/* offset of the field in bytes */
3750 		moff = btf_member_bit_offset(t, member) / 8;
3751 		if (off + size <= moff)
3752 			/* won't find anything, field is already too far */
3753 			break;
3754 		/* In case of "off" is pointing to holes of a struct */
3755 		if (off < moff)
3756 			continue;
3757 
3758 		/* type of the field */
3759 		mtype = btf_type_by_id(btf_vmlinux, member->type);
3760 		mname = __btf_name_by_offset(btf_vmlinux, member->name_off);
3761 
3762 		mtype = btf_resolve_size(btf_vmlinux, mtype, &msize,
3763 					 &elem_type, &total_nelems);
3764 		if (IS_ERR(mtype)) {
3765 			bpf_log(log, "field %s doesn't have size\n", mname);
3766 			return -EFAULT;
3767 		}
3768 
3769 		mtrue_end = moff + msize;
3770 		if (off >= mtrue_end)
3771 			/* no overlap with member, keep iterating */
3772 			continue;
3773 
3774 		if (btf_type_is_array(mtype)) {
3775 			u32 elem_idx;
3776 
3777 			/* btf_resolve_size() above helps to
3778 			 * linearize a multi-dimensional array.
3779 			 *
3780 			 * The logic here is treating an array
3781 			 * in a struct as the following way:
3782 			 *
3783 			 * struct outer {
3784 			 *	struct inner array[2][2];
3785 			 * };
3786 			 *
3787 			 * looks like:
3788 			 *
3789 			 * struct outer {
3790 			 *	struct inner array_elem0;
3791 			 *	struct inner array_elem1;
3792 			 *	struct inner array_elem2;
3793 			 *	struct inner array_elem3;
3794 			 * };
3795 			 *
3796 			 * When accessing outer->array[1][0], it moves
3797 			 * moff to "array_elem2", set mtype to
3798 			 * "struct inner", and msize also becomes
3799 			 * sizeof(struct inner).  Then most of the
3800 			 * remaining logic will fall through without
3801 			 * caring the current member is an array or
3802 			 * not.
3803 			 *
3804 			 * Unlike mtype/msize/moff, mtrue_end does not
3805 			 * change.  The naming difference ("_true") tells
3806 			 * that it is not always corresponding to
3807 			 * the current mtype/msize/moff.
3808 			 * It is the true end of the current
3809 			 * member (i.e. array in this case).  That
3810 			 * will allow an int array to be accessed like
3811 			 * a scratch space,
3812 			 * i.e. allow access beyond the size of
3813 			 *      the array's element as long as it is
3814 			 *      within the mtrue_end boundary.
3815 			 */
3816 
3817 			/* skip empty array */
3818 			if (moff == mtrue_end)
3819 				continue;
3820 
3821 			msize /= total_nelems;
3822 			elem_idx = (off - moff) / msize;
3823 			moff += elem_idx * msize;
3824 			mtype = elem_type;
3825 		}
3826 
3827 		/* the 'off' we're looking for is either equal to start
3828 		 * of this field or inside of this struct
3829 		 */
3830 		if (btf_type_is_struct(mtype)) {
3831 			/* our field must be inside that union or struct */
3832 			t = mtype;
3833 
3834 			/* adjust offset we're looking for */
3835 			off -= moff;
3836 			goto again;
3837 		}
3838 
3839 		if (btf_type_is_ptr(mtype)) {
3840 			const struct btf_type *stype;
3841 
3842 			if (msize != size || off != moff) {
3843 				bpf_log(log,
3844 					"cannot access ptr member %s with moff %u in struct %s with off %u size %u\n",
3845 					mname, moff, tname, off, size);
3846 				return -EACCES;
3847 			}
3848 
3849 			stype = btf_type_by_id(btf_vmlinux, mtype->type);
3850 			/* skip modifiers */
3851 			while (btf_type_is_modifier(stype))
3852 				stype = btf_type_by_id(btf_vmlinux, stype->type);
3853 			if (btf_type_is_struct(stype)) {
3854 				*next_btf_id = mtype->type;
3855 				return PTR_TO_BTF_ID;
3856 			}
3857 		}
3858 
3859 		/* Allow more flexible access within an int as long as
3860 		 * it is within mtrue_end.
3861 		 * Since mtrue_end could be the end of an array,
3862 		 * that also allows using an array of int as a scratch
3863 		 * space. e.g. skb->cb[].
3864 		 */
3865 		if (off + size > mtrue_end) {
3866 			bpf_log(log,
3867 				"access beyond the end of member %s (mend:%u) in struct %s with off %u size %u\n",
3868 				mname, mtrue_end, tname, off, size);
3869 			return -EACCES;
3870 		}
3871 
3872 		return SCALAR_VALUE;
3873 	}
3874 	bpf_log(log, "struct %s doesn't have field at offset %d\n", tname, off);
3875 	return -EINVAL;
3876 }
3877 
3878 static int __btf_resolve_helper_id(struct bpf_verifier_log *log, void *fn,
3879 				   int arg)
3880 {
3881 	char fnname[KSYM_SYMBOL_LEN + 4] = "btf_";
3882 	const struct btf_param *args;
3883 	const struct btf_type *t;
3884 	const char *tname, *sym;
3885 	u32 btf_id, i;
3886 
3887 	if (IS_ERR(btf_vmlinux)) {
3888 		bpf_log(log, "btf_vmlinux is malformed\n");
3889 		return -EINVAL;
3890 	}
3891 
3892 	sym = kallsyms_lookup((long)fn, NULL, NULL, NULL, fnname + 4);
3893 	if (!sym) {
3894 		bpf_log(log, "kernel doesn't have kallsyms\n");
3895 		return -EFAULT;
3896 	}
3897 
3898 	for (i = 1; i <= btf_vmlinux->nr_types; i++) {
3899 		t = btf_type_by_id(btf_vmlinux, i);
3900 		if (BTF_INFO_KIND(t->info) != BTF_KIND_TYPEDEF)
3901 			continue;
3902 		tname = __btf_name_by_offset(btf_vmlinux, t->name_off);
3903 		if (!strcmp(tname, fnname))
3904 			break;
3905 	}
3906 	if (i > btf_vmlinux->nr_types) {
3907 		bpf_log(log, "helper %s type is not found\n", fnname);
3908 		return -ENOENT;
3909 	}
3910 
3911 	t = btf_type_by_id(btf_vmlinux, t->type);
3912 	if (!btf_type_is_ptr(t))
3913 		return -EFAULT;
3914 	t = btf_type_by_id(btf_vmlinux, t->type);
3915 	if (!btf_type_is_func_proto(t))
3916 		return -EFAULT;
3917 
3918 	args = (const struct btf_param *)(t + 1);
3919 	if (arg >= btf_type_vlen(t)) {
3920 		bpf_log(log, "bpf helper %s doesn't have %d-th argument\n",
3921 			fnname, arg);
3922 		return -EINVAL;
3923 	}
3924 
3925 	t = btf_type_by_id(btf_vmlinux, args[arg].type);
3926 	if (!btf_type_is_ptr(t) || !t->type) {
3927 		/* anything but the pointer to struct is a helper config bug */
3928 		bpf_log(log, "ARG_PTR_TO_BTF is misconfigured\n");
3929 		return -EFAULT;
3930 	}
3931 	btf_id = t->type;
3932 	t = btf_type_by_id(btf_vmlinux, t->type);
3933 	/* skip modifiers */
3934 	while (btf_type_is_modifier(t)) {
3935 		btf_id = t->type;
3936 		t = btf_type_by_id(btf_vmlinux, t->type);
3937 	}
3938 	if (!btf_type_is_struct(t)) {
3939 		bpf_log(log, "ARG_PTR_TO_BTF is not a struct\n");
3940 		return -EFAULT;
3941 	}
3942 	bpf_log(log, "helper %s arg%d has btf_id %d struct %s\n", fnname + 4,
3943 		arg, btf_id, __btf_name_by_offset(btf_vmlinux, t->name_off));
3944 	return btf_id;
3945 }
3946 
3947 int btf_resolve_helper_id(struct bpf_verifier_log *log,
3948 			  const struct bpf_func_proto *fn, int arg)
3949 {
3950 	int *btf_id = &fn->btf_id[arg];
3951 	int ret;
3952 
3953 	if (fn->arg_type[arg] != ARG_PTR_TO_BTF_ID)
3954 		return -EINVAL;
3955 
3956 	ret = READ_ONCE(*btf_id);
3957 	if (ret)
3958 		return ret;
3959 	/* ok to race the search. The result is the same */
3960 	ret = __btf_resolve_helper_id(log, fn->func, arg);
3961 	if (!ret) {
3962 		/* Function argument cannot be type 'void' */
3963 		bpf_log(log, "BTF resolution bug\n");
3964 		return -EFAULT;
3965 	}
3966 	WRITE_ONCE(*btf_id, ret);
3967 	return ret;
3968 }
3969 
3970 static int __get_type_size(struct btf *btf, u32 btf_id,
3971 			   const struct btf_type **bad_type)
3972 {
3973 	const struct btf_type *t;
3974 
3975 	if (!btf_id)
3976 		/* void */
3977 		return 0;
3978 	t = btf_type_by_id(btf, btf_id);
3979 	while (t && btf_type_is_modifier(t))
3980 		t = btf_type_by_id(btf, t->type);
3981 	if (!t) {
3982 		*bad_type = btf->types[0];
3983 		return -EINVAL;
3984 	}
3985 	if (btf_type_is_ptr(t))
3986 		/* kernel size of pointer. Not BPF's size of pointer*/
3987 		return sizeof(void *);
3988 	if (btf_type_is_int(t) || btf_type_is_enum(t))
3989 		return t->size;
3990 	*bad_type = t;
3991 	return -EINVAL;
3992 }
3993 
3994 int btf_distill_func_proto(struct bpf_verifier_log *log,
3995 			   struct btf *btf,
3996 			   const struct btf_type *func,
3997 			   const char *tname,
3998 			   struct btf_func_model *m)
3999 {
4000 	const struct btf_param *args;
4001 	const struct btf_type *t;
4002 	u32 i, nargs;
4003 	int ret;
4004 
4005 	if (!func) {
4006 		/* BTF function prototype doesn't match the verifier types.
4007 		 * Fall back to 5 u64 args.
4008 		 */
4009 		for (i = 0; i < 5; i++)
4010 			m->arg_size[i] = 8;
4011 		m->ret_size = 8;
4012 		m->nr_args = 5;
4013 		return 0;
4014 	}
4015 	args = (const struct btf_param *)(func + 1);
4016 	nargs = btf_type_vlen(func);
4017 	if (nargs >= MAX_BPF_FUNC_ARGS) {
4018 		bpf_log(log,
4019 			"The function %s has %d arguments. Too many.\n",
4020 			tname, nargs);
4021 		return -EINVAL;
4022 	}
4023 	ret = __get_type_size(btf, func->type, &t);
4024 	if (ret < 0) {
4025 		bpf_log(log,
4026 			"The function %s return type %s is unsupported.\n",
4027 			tname, btf_kind_str[BTF_INFO_KIND(t->info)]);
4028 		return -EINVAL;
4029 	}
4030 	m->ret_size = ret;
4031 
4032 	for (i = 0; i < nargs; i++) {
4033 		ret = __get_type_size(btf, args[i].type, &t);
4034 		if (ret < 0) {
4035 			bpf_log(log,
4036 				"The function %s arg%d type %s is unsupported.\n",
4037 				tname, i, btf_kind_str[BTF_INFO_KIND(t->info)]);
4038 			return -EINVAL;
4039 		}
4040 		m->arg_size[i] = ret;
4041 	}
4042 	m->nr_args = nargs;
4043 	return 0;
4044 }
4045 
4046 int btf_check_func_arg_match(struct bpf_verifier_env *env, int subprog)
4047 {
4048 	struct bpf_verifier_state *st = env->cur_state;
4049 	struct bpf_func_state *func = st->frame[st->curframe];
4050 	struct bpf_reg_state *reg = func->regs;
4051 	struct bpf_verifier_log *log = &env->log;
4052 	struct bpf_prog *prog = env->prog;
4053 	struct btf *btf = prog->aux->btf;
4054 	const struct btf_param *args;
4055 	const struct btf_type *t;
4056 	u32 i, nargs, btf_id;
4057 	const char *tname;
4058 
4059 	if (!prog->aux->func_info)
4060 		return 0;
4061 
4062 	btf_id = prog->aux->func_info[subprog].type_id;
4063 	if (!btf_id)
4064 		return 0;
4065 
4066 	if (prog->aux->func_info_aux[subprog].unreliable)
4067 		return 0;
4068 
4069 	t = btf_type_by_id(btf, btf_id);
4070 	if (!t || !btf_type_is_func(t)) {
4071 		bpf_log(log, "BTF of subprog %d doesn't point to KIND_FUNC\n",
4072 			subprog);
4073 		return -EINVAL;
4074 	}
4075 	tname = btf_name_by_offset(btf, t->name_off);
4076 
4077 	t = btf_type_by_id(btf, t->type);
4078 	if (!t || !btf_type_is_func_proto(t)) {
4079 		bpf_log(log, "Invalid type of func %s\n", tname);
4080 		return -EINVAL;
4081 	}
4082 	args = (const struct btf_param *)(t + 1);
4083 	nargs = btf_type_vlen(t);
4084 	if (nargs > 5) {
4085 		bpf_log(log, "Function %s has %d > 5 args\n", tname, nargs);
4086 		goto out;
4087 	}
4088 	/* check that BTF function arguments match actual types that the
4089 	 * verifier sees.
4090 	 */
4091 	for (i = 0; i < nargs; i++) {
4092 		t = btf_type_by_id(btf, args[i].type);
4093 		while (btf_type_is_modifier(t))
4094 			t = btf_type_by_id(btf, t->type);
4095 		if (btf_type_is_int(t) || btf_type_is_enum(t)) {
4096 			if (reg[i + 1].type == SCALAR_VALUE)
4097 				continue;
4098 			bpf_log(log, "R%d is not a scalar\n", i + 1);
4099 			goto out;
4100 		}
4101 		if (btf_type_is_ptr(t)) {
4102 			if (reg[i + 1].type == SCALAR_VALUE) {
4103 				bpf_log(log, "R%d is not a pointer\n", i + 1);
4104 				goto out;
4105 			}
4106 			/* If program is passing PTR_TO_CTX into subprogram
4107 			 * check that BTF type matches.
4108 			 */
4109 			if (reg[i + 1].type == PTR_TO_CTX &&
4110 			    !btf_get_prog_ctx_type(log, btf, t, prog->type))
4111 				goto out;
4112 			/* All other pointers are ok */
4113 			continue;
4114 		}
4115 		bpf_log(log, "Unrecognized argument type %s\n",
4116 			btf_kind_str[BTF_INFO_KIND(t->info)]);
4117 		goto out;
4118 	}
4119 	return 0;
4120 out:
4121 	/* LLVM optimizations can remove arguments from static functions. */
4122 	bpf_log(log,
4123 		"Type info disagrees with actual arguments due to compiler optimizations\n");
4124 	prog->aux->func_info_aux[subprog].unreliable = true;
4125 	return 0;
4126 }
4127 
4128 void btf_type_seq_show(const struct btf *btf, u32 type_id, void *obj,
4129 		       struct seq_file *m)
4130 {
4131 	const struct btf_type *t = btf_type_by_id(btf, type_id);
4132 
4133 	btf_type_ops(t)->seq_show(btf, t, type_id, obj, 0, m);
4134 }
4135 
4136 #ifdef CONFIG_PROC_FS
4137 static void bpf_btf_show_fdinfo(struct seq_file *m, struct file *filp)
4138 {
4139 	const struct btf *btf = filp->private_data;
4140 
4141 	seq_printf(m, "btf_id:\t%u\n", btf->id);
4142 }
4143 #endif
4144 
4145 static int btf_release(struct inode *inode, struct file *filp)
4146 {
4147 	btf_put(filp->private_data);
4148 	return 0;
4149 }
4150 
4151 const struct file_operations btf_fops = {
4152 #ifdef CONFIG_PROC_FS
4153 	.show_fdinfo	= bpf_btf_show_fdinfo,
4154 #endif
4155 	.release	= btf_release,
4156 };
4157 
4158 static int __btf_new_fd(struct btf *btf)
4159 {
4160 	return anon_inode_getfd("btf", &btf_fops, btf, O_RDONLY | O_CLOEXEC);
4161 }
4162 
4163 int btf_new_fd(const union bpf_attr *attr)
4164 {
4165 	struct btf *btf;
4166 	int ret;
4167 
4168 	btf = btf_parse(u64_to_user_ptr(attr->btf),
4169 			attr->btf_size, attr->btf_log_level,
4170 			u64_to_user_ptr(attr->btf_log_buf),
4171 			attr->btf_log_size);
4172 	if (IS_ERR(btf))
4173 		return PTR_ERR(btf);
4174 
4175 	ret = btf_alloc_id(btf);
4176 	if (ret) {
4177 		btf_free(btf);
4178 		return ret;
4179 	}
4180 
4181 	/*
4182 	 * The BTF ID is published to the userspace.
4183 	 * All BTF free must go through call_rcu() from
4184 	 * now on (i.e. free by calling btf_put()).
4185 	 */
4186 
4187 	ret = __btf_new_fd(btf);
4188 	if (ret < 0)
4189 		btf_put(btf);
4190 
4191 	return ret;
4192 }
4193 
4194 struct btf *btf_get_by_fd(int fd)
4195 {
4196 	struct btf *btf;
4197 	struct fd f;
4198 
4199 	f = fdget(fd);
4200 
4201 	if (!f.file)
4202 		return ERR_PTR(-EBADF);
4203 
4204 	if (f.file->f_op != &btf_fops) {
4205 		fdput(f);
4206 		return ERR_PTR(-EINVAL);
4207 	}
4208 
4209 	btf = f.file->private_data;
4210 	refcount_inc(&btf->refcnt);
4211 	fdput(f);
4212 
4213 	return btf;
4214 }
4215 
4216 int btf_get_info_by_fd(const struct btf *btf,
4217 		       const union bpf_attr *attr,
4218 		       union bpf_attr __user *uattr)
4219 {
4220 	struct bpf_btf_info __user *uinfo;
4221 	struct bpf_btf_info info = {};
4222 	u32 info_copy, btf_copy;
4223 	void __user *ubtf;
4224 	u32 uinfo_len;
4225 
4226 	uinfo = u64_to_user_ptr(attr->info.info);
4227 	uinfo_len = attr->info.info_len;
4228 
4229 	info_copy = min_t(u32, uinfo_len, sizeof(info));
4230 	if (copy_from_user(&info, uinfo, info_copy))
4231 		return -EFAULT;
4232 
4233 	info.id = btf->id;
4234 	ubtf = u64_to_user_ptr(info.btf);
4235 	btf_copy = min_t(u32, btf->data_size, info.btf_size);
4236 	if (copy_to_user(ubtf, btf->data, btf_copy))
4237 		return -EFAULT;
4238 	info.btf_size = btf->data_size;
4239 
4240 	if (copy_to_user(uinfo, &info, info_copy) ||
4241 	    put_user(info_copy, &uattr->info.info_len))
4242 		return -EFAULT;
4243 
4244 	return 0;
4245 }
4246 
4247 int btf_get_fd_by_id(u32 id)
4248 {
4249 	struct btf *btf;
4250 	int fd;
4251 
4252 	rcu_read_lock();
4253 	btf = idr_find(&btf_idr, id);
4254 	if (!btf || !refcount_inc_not_zero(&btf->refcnt))
4255 		btf = ERR_PTR(-ENOENT);
4256 	rcu_read_unlock();
4257 
4258 	if (IS_ERR(btf))
4259 		return PTR_ERR(btf);
4260 
4261 	fd = __btf_new_fd(btf);
4262 	if (fd < 0)
4263 		btf_put(btf);
4264 
4265 	return fd;
4266 }
4267 
4268 u32 btf_id(const struct btf *btf)
4269 {
4270 	return btf->id;
4271 }
4272