xref: /openbmc/linux/security/apparmor/match.c (revision 8795a739)
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * AppArmor security module
4  *
5  * This file contains AppArmor dfa based regular expression matching engine
6  *
7  * Copyright (C) 1998-2008 Novell/SUSE
8  * Copyright 2009-2012 Canonical Ltd.
9  */
10 
11 #include <linux/errno.h>
12 #include <linux/kernel.h>
13 #include <linux/mm.h>
14 #include <linux/slab.h>
15 #include <linux/vmalloc.h>
16 #include <linux/err.h>
17 #include <linux/kref.h>
18 
19 #include "include/lib.h"
20 #include "include/match.h"
21 
22 #define base_idx(X) ((X) & 0xffffff)
23 
24 static char nulldfa_src[] = {
25 	#include "nulldfa.in"
26 };
27 struct aa_dfa *nulldfa;
28 
29 static char stacksplitdfa_src[] = {
30 	#include "stacksplitdfa.in"
31 };
32 struct aa_dfa *stacksplitdfa;
33 
34 int aa_setup_dfa_engine(void)
35 {
36 	int error;
37 
38 	nulldfa = aa_dfa_unpack(nulldfa_src, sizeof(nulldfa_src),
39 				TO_ACCEPT1_FLAG(YYTD_DATA32) |
40 				TO_ACCEPT2_FLAG(YYTD_DATA32));
41 	if (IS_ERR(nulldfa)) {
42 		error = PTR_ERR(nulldfa);
43 		nulldfa = NULL;
44 		return error;
45 	}
46 
47 	stacksplitdfa = aa_dfa_unpack(stacksplitdfa_src,
48 				      sizeof(stacksplitdfa_src),
49 				      TO_ACCEPT1_FLAG(YYTD_DATA32) |
50 				      TO_ACCEPT2_FLAG(YYTD_DATA32));
51 	if (IS_ERR(stacksplitdfa)) {
52 		aa_put_dfa(nulldfa);
53 		nulldfa = NULL;
54 		error = PTR_ERR(stacksplitdfa);
55 		stacksplitdfa = NULL;
56 		return error;
57 	}
58 
59 	return 0;
60 }
61 
62 void aa_teardown_dfa_engine(void)
63 {
64 	aa_put_dfa(stacksplitdfa);
65 	aa_put_dfa(nulldfa);
66 }
67 
68 /**
69  * unpack_table - unpack a dfa table (one of accept, default, base, next check)
70  * @blob: data to unpack (NOT NULL)
71  * @bsize: size of blob
72  *
73  * Returns: pointer to table else NULL on failure
74  *
75  * NOTE: must be freed by kvfree (not kfree)
76  */
77 static struct table_header *unpack_table(char *blob, size_t bsize)
78 {
79 	struct table_header *table = NULL;
80 	struct table_header th;
81 	size_t tsize;
82 
83 	if (bsize < sizeof(struct table_header))
84 		goto out;
85 
86 	/* loaded td_id's start at 1, subtract 1 now to avoid doing
87 	 * it every time we use td_id as an index
88 	 */
89 	th.td_id = be16_to_cpu(*(__be16 *) (blob)) - 1;
90 	if (th.td_id > YYTD_ID_MAX)
91 		goto out;
92 	th.td_flags = be16_to_cpu(*(__be16 *) (blob + 2));
93 	th.td_lolen = be32_to_cpu(*(__be32 *) (blob + 8));
94 	blob += sizeof(struct table_header);
95 
96 	if (!(th.td_flags == YYTD_DATA16 || th.td_flags == YYTD_DATA32 ||
97 	      th.td_flags == YYTD_DATA8))
98 		goto out;
99 
100 	tsize = table_size(th.td_lolen, th.td_flags);
101 	if (bsize < tsize)
102 		goto out;
103 
104 	table = kvzalloc(tsize, GFP_KERNEL);
105 	if (table) {
106 		table->td_id = th.td_id;
107 		table->td_flags = th.td_flags;
108 		table->td_lolen = th.td_lolen;
109 		if (th.td_flags == YYTD_DATA8)
110 			UNPACK_ARRAY(table->td_data, blob, th.td_lolen,
111 				     u8, u8, byte_to_byte);
112 		else if (th.td_flags == YYTD_DATA16)
113 			UNPACK_ARRAY(table->td_data, blob, th.td_lolen,
114 				     u16, __be16, be16_to_cpu);
115 		else if (th.td_flags == YYTD_DATA32)
116 			UNPACK_ARRAY(table->td_data, blob, th.td_lolen,
117 				     u32, __be32, be32_to_cpu);
118 		else
119 			goto fail;
120 		/* if table was vmalloced make sure the page tables are synced
121 		 * before it is used, as it goes live to all cpus.
122 		 */
123 		if (is_vmalloc_addr(table))
124 			vm_unmap_aliases();
125 	}
126 
127 out:
128 	return table;
129 fail:
130 	kvfree(table);
131 	return NULL;
132 }
133 
134 /**
135  * verify_table_headers - verify that the tables headers are as expected
136  * @tables - array of dfa tables to check (NOT NULL)
137  * @flags: flags controlling what type of accept table are acceptable
138  *
139  * Assumes dfa has gone through the first pass verification done by unpacking
140  * NOTE: this does not valid accept table values
141  *
142  * Returns: %0 else error code on failure to verify
143  */
144 static int verify_table_headers(struct table_header **tables, int flags)
145 {
146 	size_t state_count, trans_count;
147 	int error = -EPROTO;
148 
149 	/* check that required tables exist */
150 	if (!(tables[YYTD_ID_DEF] && tables[YYTD_ID_BASE] &&
151 	      tables[YYTD_ID_NXT] && tables[YYTD_ID_CHK]))
152 		goto out;
153 
154 	/* accept.size == default.size == base.size */
155 	state_count = tables[YYTD_ID_BASE]->td_lolen;
156 	if (ACCEPT1_FLAGS(flags)) {
157 		if (!tables[YYTD_ID_ACCEPT])
158 			goto out;
159 		if (state_count != tables[YYTD_ID_ACCEPT]->td_lolen)
160 			goto out;
161 	}
162 	if (ACCEPT2_FLAGS(flags)) {
163 		if (!tables[YYTD_ID_ACCEPT2])
164 			goto out;
165 		if (state_count != tables[YYTD_ID_ACCEPT2]->td_lolen)
166 			goto out;
167 	}
168 	if (state_count != tables[YYTD_ID_DEF]->td_lolen)
169 		goto out;
170 
171 	/* next.size == chk.size */
172 	trans_count = tables[YYTD_ID_NXT]->td_lolen;
173 	if (trans_count != tables[YYTD_ID_CHK]->td_lolen)
174 		goto out;
175 
176 	/* if equivalence classes then its table size must be 256 */
177 	if (tables[YYTD_ID_EC] && tables[YYTD_ID_EC]->td_lolen != 256)
178 		goto out;
179 
180 	error = 0;
181 out:
182 	return error;
183 }
184 
185 /**
186  * verify_dfa - verify that transitions and states in the tables are in bounds.
187  * @dfa: dfa to test  (NOT NULL)
188  *
189  * Assumes dfa has gone through the first pass verification done by unpacking
190  * NOTE: this does not valid accept table values
191  *
192  * Returns: %0 else error code on failure to verify
193  */
194 static int verify_dfa(struct aa_dfa *dfa)
195 {
196 	size_t i, state_count, trans_count;
197 	int error = -EPROTO;
198 
199 	state_count = dfa->tables[YYTD_ID_BASE]->td_lolen;
200 	trans_count = dfa->tables[YYTD_ID_NXT]->td_lolen;
201 	for (i = 0; i < state_count; i++) {
202 		if (!(BASE_TABLE(dfa)[i] & MATCH_FLAG_DIFF_ENCODE) &&
203 		    (DEFAULT_TABLE(dfa)[i] >= state_count))
204 			goto out;
205 		if (base_idx(BASE_TABLE(dfa)[i]) + 255 >= trans_count) {
206 			pr_err("AppArmor DFA next/check upper bounds error\n");
207 			goto out;
208 		}
209 	}
210 
211 	for (i = 0; i < trans_count; i++) {
212 		if (NEXT_TABLE(dfa)[i] >= state_count)
213 			goto out;
214 		if (CHECK_TABLE(dfa)[i] >= state_count)
215 			goto out;
216 	}
217 
218 	/* Now that all the other tables are verified, verify diffencoding */
219 	for (i = 0; i < state_count; i++) {
220 		size_t j, k;
221 
222 		for (j = i;
223 		     (BASE_TABLE(dfa)[j] & MATCH_FLAG_DIFF_ENCODE) &&
224 		     !(BASE_TABLE(dfa)[j] & MARK_DIFF_ENCODE);
225 		     j = k) {
226 			k = DEFAULT_TABLE(dfa)[j];
227 			if (j == k)
228 				goto out;
229 			if (k < j)
230 				break;		/* already verified */
231 			BASE_TABLE(dfa)[j] |= MARK_DIFF_ENCODE;
232 		}
233 	}
234 	error = 0;
235 
236 out:
237 	return error;
238 }
239 
240 /**
241  * dfa_free - free a dfa allocated by aa_dfa_unpack
242  * @dfa: the dfa to free  (MAYBE NULL)
243  *
244  * Requires: reference count to dfa == 0
245  */
246 static void dfa_free(struct aa_dfa *dfa)
247 {
248 	if (dfa) {
249 		int i;
250 
251 		for (i = 0; i < ARRAY_SIZE(dfa->tables); i++) {
252 			kvfree(dfa->tables[i]);
253 			dfa->tables[i] = NULL;
254 		}
255 		kfree(dfa);
256 	}
257 }
258 
259 /**
260  * aa_dfa_free_kref - free aa_dfa by kref (called by aa_put_dfa)
261  * @kr: kref callback for freeing of a dfa  (NOT NULL)
262  */
263 void aa_dfa_free_kref(struct kref *kref)
264 {
265 	struct aa_dfa *dfa = container_of(kref, struct aa_dfa, count);
266 	dfa_free(dfa);
267 }
268 
269 /**
270  * aa_dfa_unpack - unpack the binary tables of a serialized dfa
271  * @blob: aligned serialized stream of data to unpack  (NOT NULL)
272  * @size: size of data to unpack
273  * @flags: flags controlling what type of accept tables are acceptable
274  *
275  * Unpack a dfa that has been serialized.  To find information on the dfa
276  * format look in Documentation/admin-guide/LSM/apparmor.rst
277  * Assumes the dfa @blob stream has been aligned on a 8 byte boundary
278  *
279  * Returns: an unpacked dfa ready for matching or ERR_PTR on failure
280  */
281 struct aa_dfa *aa_dfa_unpack(void *blob, size_t size, int flags)
282 {
283 	int hsize;
284 	int error = -ENOMEM;
285 	char *data = blob;
286 	struct table_header *table = NULL;
287 	struct aa_dfa *dfa = kzalloc(sizeof(struct aa_dfa), GFP_KERNEL);
288 	if (!dfa)
289 		goto fail;
290 
291 	kref_init(&dfa->count);
292 
293 	error = -EPROTO;
294 
295 	/* get dfa table set header */
296 	if (size < sizeof(struct table_set_header))
297 		goto fail;
298 
299 	if (ntohl(*(__be32 *) data) != YYTH_MAGIC)
300 		goto fail;
301 
302 	hsize = ntohl(*(__be32 *) (data + 4));
303 	if (size < hsize)
304 		goto fail;
305 
306 	dfa->flags = ntohs(*(__be16 *) (data + 12));
307 	if (dfa->flags != 0 && dfa->flags != YYTH_FLAG_DIFF_ENCODE)
308 		goto fail;
309 
310 	data += hsize;
311 	size -= hsize;
312 
313 	while (size > 0) {
314 		table = unpack_table(data, size);
315 		if (!table)
316 			goto fail;
317 
318 		switch (table->td_id) {
319 		case YYTD_ID_ACCEPT:
320 			if (!(table->td_flags & ACCEPT1_FLAGS(flags)))
321 				goto fail;
322 			break;
323 		case YYTD_ID_ACCEPT2:
324 			if (!(table->td_flags & ACCEPT2_FLAGS(flags)))
325 				goto fail;
326 			break;
327 		case YYTD_ID_BASE:
328 			if (table->td_flags != YYTD_DATA32)
329 				goto fail;
330 			break;
331 		case YYTD_ID_DEF:
332 		case YYTD_ID_NXT:
333 		case YYTD_ID_CHK:
334 			if (table->td_flags != YYTD_DATA16)
335 				goto fail;
336 			break;
337 		case YYTD_ID_EC:
338 			if (table->td_flags != YYTD_DATA8)
339 				goto fail;
340 			break;
341 		default:
342 			goto fail;
343 		}
344 		/* check for duplicate table entry */
345 		if (dfa->tables[table->td_id])
346 			goto fail;
347 		dfa->tables[table->td_id] = table;
348 		data += table_size(table->td_lolen, table->td_flags);
349 		size -= table_size(table->td_lolen, table->td_flags);
350 		table = NULL;
351 	}
352 	error = verify_table_headers(dfa->tables, flags);
353 	if (error)
354 		goto fail;
355 
356 	if (flags & DFA_FLAG_VERIFY_STATES) {
357 		error = verify_dfa(dfa);
358 		if (error)
359 			goto fail;
360 	}
361 
362 	return dfa;
363 
364 fail:
365 	kvfree(table);
366 	dfa_free(dfa);
367 	return ERR_PTR(error);
368 }
369 
370 #define match_char(state, def, base, next, check, C)	\
371 do {							\
372 	u32 b = (base)[(state)];			\
373 	unsigned int pos = base_idx(b) + (C);		\
374 	if ((check)[pos] != (state)) {			\
375 		(state) = (def)[(state)];		\
376 		if (b & MATCH_FLAG_DIFF_ENCODE)		\
377 			continue;			\
378 		break;					\
379 	}						\
380 	(state) = (next)[pos];				\
381 	break;						\
382 } while (1)
383 
384 /**
385  * aa_dfa_match_len - traverse @dfa to find state @str stops at
386  * @dfa: the dfa to match @str against  (NOT NULL)
387  * @start: the state of the dfa to start matching in
388  * @str: the string of bytes to match against the dfa  (NOT NULL)
389  * @len: length of the string of bytes to match
390  *
391  * aa_dfa_match_len will match @str against the dfa and return the state it
392  * finished matching in. The final state can be used to look up the accepting
393  * label, or as the start state of a continuing match.
394  *
395  * This function will happily match again the 0 byte and only finishes
396  * when @len input is consumed.
397  *
398  * Returns: final state reached after input is consumed
399  */
400 unsigned int aa_dfa_match_len(struct aa_dfa *dfa, unsigned int start,
401 			      const char *str, int len)
402 {
403 	u16 *def = DEFAULT_TABLE(dfa);
404 	u32 *base = BASE_TABLE(dfa);
405 	u16 *next = NEXT_TABLE(dfa);
406 	u16 *check = CHECK_TABLE(dfa);
407 	unsigned int state = start;
408 
409 	if (state == 0)
410 		return 0;
411 
412 	/* current state is <state>, matching character *str */
413 	if (dfa->tables[YYTD_ID_EC]) {
414 		/* Equivalence class table defined */
415 		u8 *equiv = EQUIV_TABLE(dfa);
416 		for (; len; len--)
417 			match_char(state, def, base, next, check,
418 				   equiv[(u8) *str++]);
419 	} else {
420 		/* default is direct to next state */
421 		for (; len; len--)
422 			match_char(state, def, base, next, check, (u8) *str++);
423 	}
424 
425 	return state;
426 }
427 
428 /**
429  * aa_dfa_match - traverse @dfa to find state @str stops at
430  * @dfa: the dfa to match @str against  (NOT NULL)
431  * @start: the state of the dfa to start matching in
432  * @str: the null terminated string of bytes to match against the dfa (NOT NULL)
433  *
434  * aa_dfa_match will match @str against the dfa and return the state it
435  * finished matching in. The final state can be used to look up the accepting
436  * label, or as the start state of a continuing match.
437  *
438  * Returns: final state reached after input is consumed
439  */
440 unsigned int aa_dfa_match(struct aa_dfa *dfa, unsigned int start,
441 			  const char *str)
442 {
443 	u16 *def = DEFAULT_TABLE(dfa);
444 	u32 *base = BASE_TABLE(dfa);
445 	u16 *next = NEXT_TABLE(dfa);
446 	u16 *check = CHECK_TABLE(dfa);
447 	unsigned int state = start;
448 
449 	if (state == 0)
450 		return 0;
451 
452 	/* current state is <state>, matching character *str */
453 	if (dfa->tables[YYTD_ID_EC]) {
454 		/* Equivalence class table defined */
455 		u8 *equiv = EQUIV_TABLE(dfa);
456 		/* default is direct to next state */
457 		while (*str)
458 			match_char(state, def, base, next, check,
459 				   equiv[(u8) *str++]);
460 	} else {
461 		/* default is direct to next state */
462 		while (*str)
463 			match_char(state, def, base, next, check, (u8) *str++);
464 	}
465 
466 	return state;
467 }
468 
469 /**
470  * aa_dfa_next - step one character to the next state in the dfa
471  * @dfa: the dfa to traverse (NOT NULL)
472  * @state: the state to start in
473  * @c: the input character to transition on
474  *
475  * aa_dfa_match will step through the dfa by one input character @c
476  *
477  * Returns: state reach after input @c
478  */
479 unsigned int aa_dfa_next(struct aa_dfa *dfa, unsigned int state,
480 			  const char c)
481 {
482 	u16 *def = DEFAULT_TABLE(dfa);
483 	u32 *base = BASE_TABLE(dfa);
484 	u16 *next = NEXT_TABLE(dfa);
485 	u16 *check = CHECK_TABLE(dfa);
486 
487 	/* current state is <state>, matching character *str */
488 	if (dfa->tables[YYTD_ID_EC]) {
489 		/* Equivalence class table defined */
490 		u8 *equiv = EQUIV_TABLE(dfa);
491 		match_char(state, def, base, next, check, equiv[(u8) c]);
492 	} else
493 		match_char(state, def, base, next, check, (u8) c);
494 
495 	return state;
496 }
497 
498 /**
499  * aa_dfa_match_until - traverse @dfa until accept state or end of input
500  * @dfa: the dfa to match @str against  (NOT NULL)
501  * @start: the state of the dfa to start matching in
502  * @str: the null terminated string of bytes to match against the dfa (NOT NULL)
503  * @retpos: first character in str after match OR end of string
504  *
505  * aa_dfa_match will match @str against the dfa and return the state it
506  * finished matching in. The final state can be used to look up the accepting
507  * label, or as the start state of a continuing match.
508  *
509  * Returns: final state reached after input is consumed
510  */
511 unsigned int aa_dfa_match_until(struct aa_dfa *dfa, unsigned int start,
512 				const char *str, const char **retpos)
513 {
514 	u16 *def = DEFAULT_TABLE(dfa);
515 	u32 *base = BASE_TABLE(dfa);
516 	u16 *next = NEXT_TABLE(dfa);
517 	u16 *check = CHECK_TABLE(dfa);
518 	u32 *accept = ACCEPT_TABLE(dfa);
519 	unsigned int state = start, pos;
520 
521 	if (state == 0)
522 		return 0;
523 
524 	/* current state is <state>, matching character *str */
525 	if (dfa->tables[YYTD_ID_EC]) {
526 		/* Equivalence class table defined */
527 		u8 *equiv = EQUIV_TABLE(dfa);
528 		/* default is direct to next state */
529 		while (*str) {
530 			pos = base_idx(base[state]) + equiv[(u8) *str++];
531 			if (check[pos] == state)
532 				state = next[pos];
533 			else
534 				state = def[state];
535 			if (accept[state])
536 				break;
537 		}
538 	} else {
539 		/* default is direct to next state */
540 		while (*str) {
541 			pos = base_idx(base[state]) + (u8) *str++;
542 			if (check[pos] == state)
543 				state = next[pos];
544 			else
545 				state = def[state];
546 			if (accept[state])
547 				break;
548 		}
549 	}
550 
551 	*retpos = str;
552 	return state;
553 }
554 
555 /**
556  * aa_dfa_matchn_until - traverse @dfa until accept or @n bytes consumed
557  * @dfa: the dfa to match @str against  (NOT NULL)
558  * @start: the state of the dfa to start matching in
559  * @str: the string of bytes to match against the dfa  (NOT NULL)
560  * @n: length of the string of bytes to match
561  * @retpos: first character in str after match OR str + n
562  *
563  * aa_dfa_match_len will match @str against the dfa and return the state it
564  * finished matching in. The final state can be used to look up the accepting
565  * label, or as the start state of a continuing match.
566  *
567  * This function will happily match again the 0 byte and only finishes
568  * when @n input is consumed.
569  *
570  * Returns: final state reached after input is consumed
571  */
572 unsigned int aa_dfa_matchn_until(struct aa_dfa *dfa, unsigned int start,
573 				 const char *str, int n, const char **retpos)
574 {
575 	u16 *def = DEFAULT_TABLE(dfa);
576 	u32 *base = BASE_TABLE(dfa);
577 	u16 *next = NEXT_TABLE(dfa);
578 	u16 *check = CHECK_TABLE(dfa);
579 	u32 *accept = ACCEPT_TABLE(dfa);
580 	unsigned int state = start, pos;
581 
582 	*retpos = NULL;
583 	if (state == 0)
584 		return 0;
585 
586 	/* current state is <state>, matching character *str */
587 	if (dfa->tables[YYTD_ID_EC]) {
588 		/* Equivalence class table defined */
589 		u8 *equiv = EQUIV_TABLE(dfa);
590 		/* default is direct to next state */
591 		for (; n; n--) {
592 			pos = base_idx(base[state]) + equiv[(u8) *str++];
593 			if (check[pos] == state)
594 				state = next[pos];
595 			else
596 				state = def[state];
597 			if (accept[state])
598 				break;
599 		}
600 	} else {
601 		/* default is direct to next state */
602 		for (; n; n--) {
603 			pos = base_idx(base[state]) + (u8) *str++;
604 			if (check[pos] == state)
605 				state = next[pos];
606 			else
607 				state = def[state];
608 			if (accept[state])
609 				break;
610 		}
611 	}
612 
613 	*retpos = str;
614 	return state;
615 }
616 
617 #define inc_wb_pos(wb)						\
618 do {								\
619 	wb->pos = (wb->pos + 1) & (wb->size - 1);		\
620 	wb->len = (wb->len + 1) & (wb->size - 1);		\
621 } while (0)
622 
623 /* For DFAs that don't support extended tagging of states */
624 static bool is_loop(struct match_workbuf *wb, unsigned int state,
625 		    unsigned int *adjust)
626 {
627 	unsigned int pos = wb->pos;
628 	unsigned int i;
629 
630 	if (wb->history[pos] < state)
631 		return false;
632 
633 	for (i = 0; i <= wb->len; i++) {
634 		if (wb->history[pos] == state) {
635 			*adjust = i;
636 			return true;
637 		}
638 		if (pos == 0)
639 			pos = wb->size;
640 		pos--;
641 	}
642 
643 	*adjust = i;
644 	return true;
645 }
646 
647 static unsigned int leftmatch_fb(struct aa_dfa *dfa, unsigned int start,
648 				 const char *str, struct match_workbuf *wb,
649 				 unsigned int *count)
650 {
651 	u16 *def = DEFAULT_TABLE(dfa);
652 	u32 *base = BASE_TABLE(dfa);
653 	u16 *next = NEXT_TABLE(dfa);
654 	u16 *check = CHECK_TABLE(dfa);
655 	unsigned int state = start, pos;
656 
657 	AA_BUG(!dfa);
658 	AA_BUG(!str);
659 	AA_BUG(!wb);
660 	AA_BUG(!count);
661 
662 	*count = 0;
663 	if (state == 0)
664 		return 0;
665 
666 	/* current state is <state>, matching character *str */
667 	if (dfa->tables[YYTD_ID_EC]) {
668 		/* Equivalence class table defined */
669 		u8 *equiv = EQUIV_TABLE(dfa);
670 		/* default is direct to next state */
671 		while (*str) {
672 			unsigned int adjust;
673 
674 			wb->history[wb->pos] = state;
675 			pos = base_idx(base[state]) + equiv[(u8) *str++];
676 			if (check[pos] == state)
677 				state = next[pos];
678 			else
679 				state = def[state];
680 			if (is_loop(wb, state, &adjust)) {
681 				state = aa_dfa_match(dfa, state, str);
682 				*count -= adjust;
683 				goto out;
684 			}
685 			inc_wb_pos(wb);
686 			(*count)++;
687 		}
688 	} else {
689 		/* default is direct to next state */
690 		while (*str) {
691 			unsigned int adjust;
692 
693 			wb->history[wb->pos] = state;
694 			pos = base_idx(base[state]) + (u8) *str++;
695 			if (check[pos] == state)
696 				state = next[pos];
697 			else
698 				state = def[state];
699 			if (is_loop(wb, state, &adjust)) {
700 				state = aa_dfa_match(dfa, state, str);
701 				*count -= adjust;
702 				goto out;
703 			}
704 			inc_wb_pos(wb);
705 			(*count)++;
706 		}
707 	}
708 
709 out:
710 	if (!state)
711 		*count = 0;
712 	return state;
713 }
714 
715 /**
716  * aa_dfa_leftmatch - traverse @dfa to find state @str stops at
717  * @dfa: the dfa to match @str against  (NOT NULL)
718  * @start: the state of the dfa to start matching in
719  * @str: the null terminated string of bytes to match against the dfa (NOT NULL)
720  * @count: current count of longest left.
721  *
722  * aa_dfa_match will match @str against the dfa and return the state it
723  * finished matching in. The final state can be used to look up the accepting
724  * label, or as the start state of a continuing match.
725  *
726  * Returns: final state reached after input is consumed
727  */
728 unsigned int aa_dfa_leftmatch(struct aa_dfa *dfa, unsigned int start,
729 			      const char *str, unsigned int *count)
730 {
731 	DEFINE_MATCH_WB(wb);
732 
733 	/* TODO: match for extended state dfas */
734 
735 	return leftmatch_fb(dfa, start, str, &wb, count);
736 }
737