xref: /openbmc/linux/tools/lib/bpf/relo_core.c (revision 4b33b5ff)
1 // SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause)
2 /* Copyright (c) 2019 Facebook */
3 
4 #ifdef __KERNEL__
5 #include <linux/bpf.h>
6 #include <linux/btf.h>
7 #include <linux/string.h>
8 #include <linux/bpf_verifier.h>
9 #include "relo_core.h"
10 
11 static const char *btf_kind_str(const struct btf_type *t)
12 {
13 	return btf_type_str(t);
14 }
15 
16 static bool is_ldimm64_insn(struct bpf_insn *insn)
17 {
18 	return insn->code == (BPF_LD | BPF_IMM | BPF_DW);
19 }
20 
21 static const struct btf_type *
22 skip_mods_and_typedefs(const struct btf *btf, u32 id, u32 *res_id)
23 {
24 	return btf_type_skip_modifiers(btf, id, res_id);
25 }
26 
27 static const char *btf__name_by_offset(const struct btf *btf, u32 offset)
28 {
29 	return btf_name_by_offset(btf, offset);
30 }
31 
32 static s64 btf__resolve_size(const struct btf *btf, u32 type_id)
33 {
34 	const struct btf_type *t;
35 	int size;
36 
37 	t = btf_type_by_id(btf, type_id);
38 	t = btf_resolve_size(btf, t, &size);
39 	if (IS_ERR(t))
40 		return PTR_ERR(t);
41 	return size;
42 }
43 
44 enum libbpf_print_level {
45 	LIBBPF_WARN,
46 	LIBBPF_INFO,
47 	LIBBPF_DEBUG,
48 };
49 
50 #undef pr_warn
51 #undef pr_info
52 #undef pr_debug
53 #define pr_warn(fmt, log, ...)	bpf_log((void *)log, fmt, "", ##__VA_ARGS__)
54 #define pr_info(fmt, log, ...)	bpf_log((void *)log, fmt, "", ##__VA_ARGS__)
55 #define pr_debug(fmt, log, ...)	bpf_log((void *)log, fmt, "", ##__VA_ARGS__)
56 #define libbpf_print(level, fmt, ...)	bpf_log((void *)prog_name, fmt, ##__VA_ARGS__)
57 #else
58 #include <stdio.h>
59 #include <string.h>
60 #include <errno.h>
61 #include <ctype.h>
62 #include <linux/err.h>
63 
64 #include "libbpf.h"
65 #include "bpf.h"
66 #include "btf.h"
67 #include "str_error.h"
68 #include "libbpf_internal.h"
69 #endif
70 
71 static bool is_flex_arr(const struct btf *btf,
72 			const struct bpf_core_accessor *acc,
73 			const struct btf_array *arr)
74 {
75 	const struct btf_type *t;
76 
77 	/* not a flexible array, if not inside a struct or has non-zero size */
78 	if (!acc->name || arr->nelems > 0)
79 		return false;
80 
81 	/* has to be the last member of enclosing struct */
82 	t = btf_type_by_id(btf, acc->type_id);
83 	return acc->idx == btf_vlen(t) - 1;
84 }
85 
86 static const char *core_relo_kind_str(enum bpf_core_relo_kind kind)
87 {
88 	switch (kind) {
89 	case BPF_CORE_FIELD_BYTE_OFFSET: return "byte_off";
90 	case BPF_CORE_FIELD_BYTE_SIZE: return "byte_sz";
91 	case BPF_CORE_FIELD_EXISTS: return "field_exists";
92 	case BPF_CORE_FIELD_SIGNED: return "signed";
93 	case BPF_CORE_FIELD_LSHIFT_U64: return "lshift_u64";
94 	case BPF_CORE_FIELD_RSHIFT_U64: return "rshift_u64";
95 	case BPF_CORE_TYPE_ID_LOCAL: return "local_type_id";
96 	case BPF_CORE_TYPE_ID_TARGET: return "target_type_id";
97 	case BPF_CORE_TYPE_EXISTS: return "type_exists";
98 	case BPF_CORE_TYPE_SIZE: return "type_size";
99 	case BPF_CORE_ENUMVAL_EXISTS: return "enumval_exists";
100 	case BPF_CORE_ENUMVAL_VALUE: return "enumval_value";
101 	default: return "unknown";
102 	}
103 }
104 
105 static bool core_relo_is_field_based(enum bpf_core_relo_kind kind)
106 {
107 	switch (kind) {
108 	case BPF_CORE_FIELD_BYTE_OFFSET:
109 	case BPF_CORE_FIELD_BYTE_SIZE:
110 	case BPF_CORE_FIELD_EXISTS:
111 	case BPF_CORE_FIELD_SIGNED:
112 	case BPF_CORE_FIELD_LSHIFT_U64:
113 	case BPF_CORE_FIELD_RSHIFT_U64:
114 		return true;
115 	default:
116 		return false;
117 	}
118 }
119 
120 static bool core_relo_is_type_based(enum bpf_core_relo_kind kind)
121 {
122 	switch (kind) {
123 	case BPF_CORE_TYPE_ID_LOCAL:
124 	case BPF_CORE_TYPE_ID_TARGET:
125 	case BPF_CORE_TYPE_EXISTS:
126 	case BPF_CORE_TYPE_SIZE:
127 		return true;
128 	default:
129 		return false;
130 	}
131 }
132 
133 static bool core_relo_is_enumval_based(enum bpf_core_relo_kind kind)
134 {
135 	switch (kind) {
136 	case BPF_CORE_ENUMVAL_EXISTS:
137 	case BPF_CORE_ENUMVAL_VALUE:
138 		return true;
139 	default:
140 		return false;
141 	}
142 }
143 
144 /*
145  * Turn bpf_core_relo into a low- and high-level spec representation,
146  * validating correctness along the way, as well as calculating resulting
147  * field bit offset, specified by accessor string. Low-level spec captures
148  * every single level of nestedness, including traversing anonymous
149  * struct/union members. High-level one only captures semantically meaningful
150  * "turning points": named fields and array indicies.
151  * E.g., for this case:
152  *
153  *   struct sample {
154  *       int __unimportant;
155  *       struct {
156  *           int __1;
157  *           int __2;
158  *           int a[7];
159  *       };
160  *   };
161  *
162  *   struct sample *s = ...;
163  *
164  *   int x = &s->a[3]; // access string = '0:1:2:3'
165  *
166  * Low-level spec has 1:1 mapping with each element of access string (it's
167  * just a parsed access string representation): [0, 1, 2, 3].
168  *
169  * High-level spec will capture only 3 points:
170  *   - intial zero-index access by pointer (&s->... is the same as &s[0]...);
171  *   - field 'a' access (corresponds to '2' in low-level spec);
172  *   - array element #3 access (corresponds to '3' in low-level spec).
173  *
174  * Type-based relocations (TYPE_EXISTS/TYPE_SIZE,
175  * TYPE_ID_LOCAL/TYPE_ID_TARGET) don't capture any field information. Their
176  * spec and raw_spec are kept empty.
177  *
178  * Enum value-based relocations (ENUMVAL_EXISTS/ENUMVAL_VALUE) use access
179  * string to specify enumerator's value index that need to be relocated.
180  */
181 static int bpf_core_parse_spec(const char *prog_name, const struct btf *btf,
182 			       __u32 type_id,
183 			       const char *spec_str,
184 			       enum bpf_core_relo_kind relo_kind,
185 			       struct bpf_core_spec *spec)
186 {
187 	int access_idx, parsed_len, i;
188 	struct bpf_core_accessor *acc;
189 	const struct btf_type *t;
190 	const char *name;
191 	__u32 id;
192 	__s64 sz;
193 
194 	if (str_is_empty(spec_str) || *spec_str == ':')
195 		return -EINVAL;
196 
197 	memset(spec, 0, sizeof(*spec));
198 	spec->btf = btf;
199 	spec->root_type_id = type_id;
200 	spec->relo_kind = relo_kind;
201 
202 	/* type-based relocations don't have a field access string */
203 	if (core_relo_is_type_based(relo_kind)) {
204 		if (strcmp(spec_str, "0"))
205 			return -EINVAL;
206 		return 0;
207 	}
208 
209 	/* parse spec_str="0:1:2:3:4" into array raw_spec=[0, 1, 2, 3, 4] */
210 	while (*spec_str) {
211 		if (*spec_str == ':')
212 			++spec_str;
213 		if (sscanf(spec_str, "%d%n", &access_idx, &parsed_len) != 1)
214 			return -EINVAL;
215 		if (spec->raw_len == BPF_CORE_SPEC_MAX_LEN)
216 			return -E2BIG;
217 		spec_str += parsed_len;
218 		spec->raw_spec[spec->raw_len++] = access_idx;
219 	}
220 
221 	if (spec->raw_len == 0)
222 		return -EINVAL;
223 
224 	t = skip_mods_and_typedefs(btf, type_id, &id);
225 	if (!t)
226 		return -EINVAL;
227 
228 	access_idx = spec->raw_spec[0];
229 	acc = &spec->spec[0];
230 	acc->type_id = id;
231 	acc->idx = access_idx;
232 	spec->len++;
233 
234 	if (core_relo_is_enumval_based(relo_kind)) {
235 		if (!btf_is_enum(t) || spec->raw_len > 1 || access_idx >= btf_vlen(t))
236 			return -EINVAL;
237 
238 		/* record enumerator name in a first accessor */
239 		acc->name = btf__name_by_offset(btf, btf_enum(t)[access_idx].name_off);
240 		return 0;
241 	}
242 
243 	if (!core_relo_is_field_based(relo_kind))
244 		return -EINVAL;
245 
246 	sz = btf__resolve_size(btf, id);
247 	if (sz < 0)
248 		return sz;
249 	spec->bit_offset = access_idx * sz * 8;
250 
251 	for (i = 1; i < spec->raw_len; i++) {
252 		t = skip_mods_and_typedefs(btf, id, &id);
253 		if (!t)
254 			return -EINVAL;
255 
256 		access_idx = spec->raw_spec[i];
257 		acc = &spec->spec[spec->len];
258 
259 		if (btf_is_composite(t)) {
260 			const struct btf_member *m;
261 			__u32 bit_offset;
262 
263 			if (access_idx >= btf_vlen(t))
264 				return -EINVAL;
265 
266 			bit_offset = btf_member_bit_offset(t, access_idx);
267 			spec->bit_offset += bit_offset;
268 
269 			m = btf_members(t) + access_idx;
270 			if (m->name_off) {
271 				name = btf__name_by_offset(btf, m->name_off);
272 				if (str_is_empty(name))
273 					return -EINVAL;
274 
275 				acc->type_id = id;
276 				acc->idx = access_idx;
277 				acc->name = name;
278 				spec->len++;
279 			}
280 
281 			id = m->type;
282 		} else if (btf_is_array(t)) {
283 			const struct btf_array *a = btf_array(t);
284 			bool flex;
285 
286 			t = skip_mods_and_typedefs(btf, a->type, &id);
287 			if (!t)
288 				return -EINVAL;
289 
290 			flex = is_flex_arr(btf, acc - 1, a);
291 			if (!flex && access_idx >= a->nelems)
292 				return -EINVAL;
293 
294 			spec->spec[spec->len].type_id = id;
295 			spec->spec[spec->len].idx = access_idx;
296 			spec->len++;
297 
298 			sz = btf__resolve_size(btf, id);
299 			if (sz < 0)
300 				return sz;
301 			spec->bit_offset += access_idx * sz * 8;
302 		} else {
303 			pr_warn("prog '%s': relo for [%u] %s (at idx %d) captures type [%d] of unexpected kind %s\n",
304 				prog_name, type_id, spec_str, i, id, btf_kind_str(t));
305 			return -EINVAL;
306 		}
307 	}
308 
309 	return 0;
310 }
311 
312 /* Check two types for compatibility for the purpose of field access
313  * relocation. const/volatile/restrict and typedefs are skipped to ensure we
314  * are relocating semantically compatible entities:
315  *   - any two STRUCTs/UNIONs are compatible and can be mixed;
316  *   - any two FWDs are compatible, if their names match (modulo flavor suffix);
317  *   - any two PTRs are always compatible;
318  *   - for ENUMs, names should be the same (ignoring flavor suffix) or at
319  *     least one of enums should be anonymous;
320  *   - for ENUMs, check sizes, names are ignored;
321  *   - for INT, size and signedness are ignored;
322  *   - any two FLOATs are always compatible;
323  *   - for ARRAY, dimensionality is ignored, element types are checked for
324  *     compatibility recursively;
325  *   - everything else shouldn't be ever a target of relocation.
326  * These rules are not set in stone and probably will be adjusted as we get
327  * more experience with using BPF CO-RE relocations.
328  */
329 static int bpf_core_fields_are_compat(const struct btf *local_btf,
330 				      __u32 local_id,
331 				      const struct btf *targ_btf,
332 				      __u32 targ_id)
333 {
334 	const struct btf_type *local_type, *targ_type;
335 
336 recur:
337 	local_type = skip_mods_and_typedefs(local_btf, local_id, &local_id);
338 	targ_type = skip_mods_and_typedefs(targ_btf, targ_id, &targ_id);
339 	if (!local_type || !targ_type)
340 		return -EINVAL;
341 
342 	if (btf_is_composite(local_type) && btf_is_composite(targ_type))
343 		return 1;
344 	if (btf_kind(local_type) != btf_kind(targ_type))
345 		return 0;
346 
347 	switch (btf_kind(local_type)) {
348 	case BTF_KIND_PTR:
349 	case BTF_KIND_FLOAT:
350 		return 1;
351 	case BTF_KIND_FWD:
352 	case BTF_KIND_ENUM: {
353 		const char *local_name, *targ_name;
354 		size_t local_len, targ_len;
355 
356 		local_name = btf__name_by_offset(local_btf,
357 						 local_type->name_off);
358 		targ_name = btf__name_by_offset(targ_btf, targ_type->name_off);
359 		local_len = bpf_core_essential_name_len(local_name);
360 		targ_len = bpf_core_essential_name_len(targ_name);
361 		/* one of them is anonymous or both w/ same flavor-less names */
362 		return local_len == 0 || targ_len == 0 ||
363 		       (local_len == targ_len &&
364 			strncmp(local_name, targ_name, local_len) == 0);
365 	}
366 	case BTF_KIND_INT:
367 		/* just reject deprecated bitfield-like integers; all other
368 		 * integers are by default compatible between each other
369 		 */
370 		return btf_int_offset(local_type) == 0 &&
371 		       btf_int_offset(targ_type) == 0;
372 	case BTF_KIND_ARRAY:
373 		local_id = btf_array(local_type)->type;
374 		targ_id = btf_array(targ_type)->type;
375 		goto recur;
376 	default:
377 		return 0;
378 	}
379 }
380 
381 /*
382  * Given single high-level named field accessor in local type, find
383  * corresponding high-level accessor for a target type. Along the way,
384  * maintain low-level spec for target as well. Also keep updating target
385  * bit offset.
386  *
387  * Searching is performed through recursive exhaustive enumeration of all
388  * fields of a struct/union. If there are any anonymous (embedded)
389  * structs/unions, they are recursively searched as well. If field with
390  * desired name is found, check compatibility between local and target types,
391  * before returning result.
392  *
393  * 1 is returned, if field is found.
394  * 0 is returned if no compatible field is found.
395  * <0 is returned on error.
396  */
397 static int bpf_core_match_member(const struct btf *local_btf,
398 				 const struct bpf_core_accessor *local_acc,
399 				 const struct btf *targ_btf,
400 				 __u32 targ_id,
401 				 struct bpf_core_spec *spec,
402 				 __u32 *next_targ_id)
403 {
404 	const struct btf_type *local_type, *targ_type;
405 	const struct btf_member *local_member, *m;
406 	const char *local_name, *targ_name;
407 	__u32 local_id;
408 	int i, n, found;
409 
410 	targ_type = skip_mods_and_typedefs(targ_btf, targ_id, &targ_id);
411 	if (!targ_type)
412 		return -EINVAL;
413 	if (!btf_is_composite(targ_type))
414 		return 0;
415 
416 	local_id = local_acc->type_id;
417 	local_type = btf_type_by_id(local_btf, local_id);
418 	local_member = btf_members(local_type) + local_acc->idx;
419 	local_name = btf__name_by_offset(local_btf, local_member->name_off);
420 
421 	n = btf_vlen(targ_type);
422 	m = btf_members(targ_type);
423 	for (i = 0; i < n; i++, m++) {
424 		__u32 bit_offset;
425 
426 		bit_offset = btf_member_bit_offset(targ_type, i);
427 
428 		/* too deep struct/union/array nesting */
429 		if (spec->raw_len == BPF_CORE_SPEC_MAX_LEN)
430 			return -E2BIG;
431 
432 		/* speculate this member will be the good one */
433 		spec->bit_offset += bit_offset;
434 		spec->raw_spec[spec->raw_len++] = i;
435 
436 		targ_name = btf__name_by_offset(targ_btf, m->name_off);
437 		if (str_is_empty(targ_name)) {
438 			/* embedded struct/union, we need to go deeper */
439 			found = bpf_core_match_member(local_btf, local_acc,
440 						      targ_btf, m->type,
441 						      spec, next_targ_id);
442 			if (found) /* either found or error */
443 				return found;
444 		} else if (strcmp(local_name, targ_name) == 0) {
445 			/* matching named field */
446 			struct bpf_core_accessor *targ_acc;
447 
448 			targ_acc = &spec->spec[spec->len++];
449 			targ_acc->type_id = targ_id;
450 			targ_acc->idx = i;
451 			targ_acc->name = targ_name;
452 
453 			*next_targ_id = m->type;
454 			found = bpf_core_fields_are_compat(local_btf,
455 							   local_member->type,
456 							   targ_btf, m->type);
457 			if (!found)
458 				spec->len--; /* pop accessor */
459 			return found;
460 		}
461 		/* member turned out not to be what we looked for */
462 		spec->bit_offset -= bit_offset;
463 		spec->raw_len--;
464 	}
465 
466 	return 0;
467 }
468 
469 /*
470  * Try to match local spec to a target type and, if successful, produce full
471  * target spec (high-level, low-level + bit offset).
472  */
473 static int bpf_core_spec_match(struct bpf_core_spec *local_spec,
474 			       const struct btf *targ_btf, __u32 targ_id,
475 			       struct bpf_core_spec *targ_spec)
476 {
477 	const struct btf_type *targ_type;
478 	const struct bpf_core_accessor *local_acc;
479 	struct bpf_core_accessor *targ_acc;
480 	int i, sz, matched;
481 
482 	memset(targ_spec, 0, sizeof(*targ_spec));
483 	targ_spec->btf = targ_btf;
484 	targ_spec->root_type_id = targ_id;
485 	targ_spec->relo_kind = local_spec->relo_kind;
486 
487 	if (core_relo_is_type_based(local_spec->relo_kind)) {
488 		return bpf_core_types_are_compat(local_spec->btf,
489 						 local_spec->root_type_id,
490 						 targ_btf, targ_id);
491 	}
492 
493 	local_acc = &local_spec->spec[0];
494 	targ_acc = &targ_spec->spec[0];
495 
496 	if (core_relo_is_enumval_based(local_spec->relo_kind)) {
497 		size_t local_essent_len, targ_essent_len;
498 		const struct btf_enum *e;
499 		const char *targ_name;
500 
501 		/* has to resolve to an enum */
502 		targ_type = skip_mods_and_typedefs(targ_spec->btf, targ_id, &targ_id);
503 		if (!btf_is_enum(targ_type))
504 			return 0;
505 
506 		local_essent_len = bpf_core_essential_name_len(local_acc->name);
507 
508 		for (i = 0, e = btf_enum(targ_type); i < btf_vlen(targ_type); i++, e++) {
509 			targ_name = btf__name_by_offset(targ_spec->btf, e->name_off);
510 			targ_essent_len = bpf_core_essential_name_len(targ_name);
511 			if (targ_essent_len != local_essent_len)
512 				continue;
513 			if (strncmp(local_acc->name, targ_name, local_essent_len) == 0) {
514 				targ_acc->type_id = targ_id;
515 				targ_acc->idx = i;
516 				targ_acc->name = targ_name;
517 				targ_spec->len++;
518 				targ_spec->raw_spec[targ_spec->raw_len] = targ_acc->idx;
519 				targ_spec->raw_len++;
520 				return 1;
521 			}
522 		}
523 		return 0;
524 	}
525 
526 	if (!core_relo_is_field_based(local_spec->relo_kind))
527 		return -EINVAL;
528 
529 	for (i = 0; i < local_spec->len; i++, local_acc++, targ_acc++) {
530 		targ_type = skip_mods_and_typedefs(targ_spec->btf, targ_id,
531 						   &targ_id);
532 		if (!targ_type)
533 			return -EINVAL;
534 
535 		if (local_acc->name) {
536 			matched = bpf_core_match_member(local_spec->btf,
537 							local_acc,
538 							targ_btf, targ_id,
539 							targ_spec, &targ_id);
540 			if (matched <= 0)
541 				return matched;
542 		} else {
543 			/* for i=0, targ_id is already treated as array element
544 			 * type (because it's the original struct), for others
545 			 * we should find array element type first
546 			 */
547 			if (i > 0) {
548 				const struct btf_array *a;
549 				bool flex;
550 
551 				if (!btf_is_array(targ_type))
552 					return 0;
553 
554 				a = btf_array(targ_type);
555 				flex = is_flex_arr(targ_btf, targ_acc - 1, a);
556 				if (!flex && local_acc->idx >= a->nelems)
557 					return 0;
558 				if (!skip_mods_and_typedefs(targ_btf, a->type,
559 							    &targ_id))
560 					return -EINVAL;
561 			}
562 
563 			/* too deep struct/union/array nesting */
564 			if (targ_spec->raw_len == BPF_CORE_SPEC_MAX_LEN)
565 				return -E2BIG;
566 
567 			targ_acc->type_id = targ_id;
568 			targ_acc->idx = local_acc->idx;
569 			targ_acc->name = NULL;
570 			targ_spec->len++;
571 			targ_spec->raw_spec[targ_spec->raw_len] = targ_acc->idx;
572 			targ_spec->raw_len++;
573 
574 			sz = btf__resolve_size(targ_btf, targ_id);
575 			if (sz < 0)
576 				return sz;
577 			targ_spec->bit_offset += local_acc->idx * sz * 8;
578 		}
579 	}
580 
581 	return 1;
582 }
583 
584 static int bpf_core_calc_field_relo(const char *prog_name,
585 				    const struct bpf_core_relo *relo,
586 				    const struct bpf_core_spec *spec,
587 				    __u32 *val, __u32 *field_sz, __u32 *type_id,
588 				    bool *validate)
589 {
590 	const struct bpf_core_accessor *acc;
591 	const struct btf_type *t;
592 	__u32 byte_off, byte_sz, bit_off, bit_sz, field_type_id;
593 	const struct btf_member *m;
594 	const struct btf_type *mt;
595 	bool bitfield;
596 	__s64 sz;
597 
598 	*field_sz = 0;
599 
600 	if (relo->kind == BPF_CORE_FIELD_EXISTS) {
601 		*val = spec ? 1 : 0;
602 		return 0;
603 	}
604 
605 	if (!spec)
606 		return -EUCLEAN; /* request instruction poisoning */
607 
608 	acc = &spec->spec[spec->len - 1];
609 	t = btf_type_by_id(spec->btf, acc->type_id);
610 
611 	/* a[n] accessor needs special handling */
612 	if (!acc->name) {
613 		if (relo->kind == BPF_CORE_FIELD_BYTE_OFFSET) {
614 			*val = spec->bit_offset / 8;
615 			/* remember field size for load/store mem size */
616 			sz = btf__resolve_size(spec->btf, acc->type_id);
617 			if (sz < 0)
618 				return -EINVAL;
619 			*field_sz = sz;
620 			*type_id = acc->type_id;
621 		} else if (relo->kind == BPF_CORE_FIELD_BYTE_SIZE) {
622 			sz = btf__resolve_size(spec->btf, acc->type_id);
623 			if (sz < 0)
624 				return -EINVAL;
625 			*val = sz;
626 		} else {
627 			pr_warn("prog '%s': relo %d at insn #%d can't be applied to array access\n",
628 				prog_name, relo->kind, relo->insn_off / 8);
629 			return -EINVAL;
630 		}
631 		if (validate)
632 			*validate = true;
633 		return 0;
634 	}
635 
636 	m = btf_members(t) + acc->idx;
637 	mt = skip_mods_and_typedefs(spec->btf, m->type, &field_type_id);
638 	bit_off = spec->bit_offset;
639 	bit_sz = btf_member_bitfield_size(t, acc->idx);
640 
641 	bitfield = bit_sz > 0;
642 	if (bitfield) {
643 		byte_sz = mt->size;
644 		byte_off = bit_off / 8 / byte_sz * byte_sz;
645 		/* figure out smallest int size necessary for bitfield load */
646 		while (bit_off + bit_sz - byte_off * 8 > byte_sz * 8) {
647 			if (byte_sz >= 8) {
648 				/* bitfield can't be read with 64-bit read */
649 				pr_warn("prog '%s': relo %d at insn #%d can't be satisfied for bitfield\n",
650 					prog_name, relo->kind, relo->insn_off / 8);
651 				return -E2BIG;
652 			}
653 			byte_sz *= 2;
654 			byte_off = bit_off / 8 / byte_sz * byte_sz;
655 		}
656 	} else {
657 		sz = btf__resolve_size(spec->btf, field_type_id);
658 		if (sz < 0)
659 			return -EINVAL;
660 		byte_sz = sz;
661 		byte_off = spec->bit_offset / 8;
662 		bit_sz = byte_sz * 8;
663 	}
664 
665 	/* for bitfields, all the relocatable aspects are ambiguous and we
666 	 * might disagree with compiler, so turn off validation of expected
667 	 * value, except for signedness
668 	 */
669 	if (validate)
670 		*validate = !bitfield;
671 
672 	switch (relo->kind) {
673 	case BPF_CORE_FIELD_BYTE_OFFSET:
674 		*val = byte_off;
675 		if (!bitfield) {
676 			*field_sz = byte_sz;
677 			*type_id = field_type_id;
678 		}
679 		break;
680 	case BPF_CORE_FIELD_BYTE_SIZE:
681 		*val = byte_sz;
682 		break;
683 	case BPF_CORE_FIELD_SIGNED:
684 		/* enums will be assumed unsigned */
685 		*val = btf_is_enum(mt) ||
686 		       (btf_int_encoding(mt) & BTF_INT_SIGNED);
687 		if (validate)
688 			*validate = true; /* signedness is never ambiguous */
689 		break;
690 	case BPF_CORE_FIELD_LSHIFT_U64:
691 #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
692 		*val = 64 - (bit_off + bit_sz - byte_off  * 8);
693 #else
694 		*val = (8 - byte_sz) * 8 + (bit_off - byte_off * 8);
695 #endif
696 		break;
697 	case BPF_CORE_FIELD_RSHIFT_U64:
698 		*val = 64 - bit_sz;
699 		if (validate)
700 			*validate = true; /* right shift is never ambiguous */
701 		break;
702 	case BPF_CORE_FIELD_EXISTS:
703 	default:
704 		return -EOPNOTSUPP;
705 	}
706 
707 	return 0;
708 }
709 
710 static int bpf_core_calc_type_relo(const struct bpf_core_relo *relo,
711 				   const struct bpf_core_spec *spec,
712 				   __u32 *val, bool *validate)
713 {
714 	__s64 sz;
715 
716 	/* by default, always check expected value in bpf_insn */
717 	if (validate)
718 		*validate = true;
719 
720 	/* type-based relos return zero when target type is not found */
721 	if (!spec) {
722 		*val = 0;
723 		return 0;
724 	}
725 
726 	switch (relo->kind) {
727 	case BPF_CORE_TYPE_ID_TARGET:
728 		*val = spec->root_type_id;
729 		/* type ID, embedded in bpf_insn, might change during linking,
730 		 * so enforcing it is pointless
731 		 */
732 		if (validate)
733 			*validate = false;
734 		break;
735 	case BPF_CORE_TYPE_EXISTS:
736 		*val = 1;
737 		break;
738 	case BPF_CORE_TYPE_SIZE:
739 		sz = btf__resolve_size(spec->btf, spec->root_type_id);
740 		if (sz < 0)
741 			return -EINVAL;
742 		*val = sz;
743 		break;
744 	case BPF_CORE_TYPE_ID_LOCAL:
745 	/* BPF_CORE_TYPE_ID_LOCAL is handled specially and shouldn't get here */
746 	default:
747 		return -EOPNOTSUPP;
748 	}
749 
750 	return 0;
751 }
752 
753 static int bpf_core_calc_enumval_relo(const struct bpf_core_relo *relo,
754 				      const struct bpf_core_spec *spec,
755 				      __u32 *val)
756 {
757 	const struct btf_type *t;
758 	const struct btf_enum *e;
759 
760 	switch (relo->kind) {
761 	case BPF_CORE_ENUMVAL_EXISTS:
762 		*val = spec ? 1 : 0;
763 		break;
764 	case BPF_CORE_ENUMVAL_VALUE:
765 		if (!spec)
766 			return -EUCLEAN; /* request instruction poisoning */
767 		t = btf_type_by_id(spec->btf, spec->spec[0].type_id);
768 		e = btf_enum(t) + spec->spec[0].idx;
769 		*val = e->val;
770 		break;
771 	default:
772 		return -EOPNOTSUPP;
773 	}
774 
775 	return 0;
776 }
777 
778 /* Calculate original and target relocation values, given local and target
779  * specs and relocation kind. These values are calculated for each candidate.
780  * If there are multiple candidates, resulting values should all be consistent
781  * with each other. Otherwise, libbpf will refuse to proceed due to ambiguity.
782  * If instruction has to be poisoned, *poison will be set to true.
783  */
784 static int bpf_core_calc_relo(const char *prog_name,
785 			      const struct bpf_core_relo *relo,
786 			      int relo_idx,
787 			      const struct bpf_core_spec *local_spec,
788 			      const struct bpf_core_spec *targ_spec,
789 			      struct bpf_core_relo_res *res)
790 {
791 	int err = -EOPNOTSUPP;
792 
793 	res->orig_val = 0;
794 	res->new_val = 0;
795 	res->poison = false;
796 	res->validate = true;
797 	res->fail_memsz_adjust = false;
798 	res->orig_sz = res->new_sz = 0;
799 	res->orig_type_id = res->new_type_id = 0;
800 
801 	if (core_relo_is_field_based(relo->kind)) {
802 		err = bpf_core_calc_field_relo(prog_name, relo, local_spec,
803 					       &res->orig_val, &res->orig_sz,
804 					       &res->orig_type_id, &res->validate);
805 		err = err ?: bpf_core_calc_field_relo(prog_name, relo, targ_spec,
806 						      &res->new_val, &res->new_sz,
807 						      &res->new_type_id, NULL);
808 		if (err)
809 			goto done;
810 		/* Validate if it's safe to adjust load/store memory size.
811 		 * Adjustments are performed only if original and new memory
812 		 * sizes differ.
813 		 */
814 		res->fail_memsz_adjust = false;
815 		if (res->orig_sz != res->new_sz) {
816 			const struct btf_type *orig_t, *new_t;
817 
818 			orig_t = btf_type_by_id(local_spec->btf, res->orig_type_id);
819 			new_t = btf_type_by_id(targ_spec->btf, res->new_type_id);
820 
821 			/* There are two use cases in which it's safe to
822 			 * adjust load/store's mem size:
823 			 *   - reading a 32-bit kernel pointer, while on BPF
824 			 *   size pointers are always 64-bit; in this case
825 			 *   it's safe to "downsize" instruction size due to
826 			 *   pointer being treated as unsigned integer with
827 			 *   zero-extended upper 32-bits;
828 			 *   - reading unsigned integers, again due to
829 			 *   zero-extension is preserving the value correctly.
830 			 *
831 			 * In all other cases it's incorrect to attempt to
832 			 * load/store field because read value will be
833 			 * incorrect, so we poison relocated instruction.
834 			 */
835 			if (btf_is_ptr(orig_t) && btf_is_ptr(new_t))
836 				goto done;
837 			if (btf_is_int(orig_t) && btf_is_int(new_t) &&
838 			    btf_int_encoding(orig_t) != BTF_INT_SIGNED &&
839 			    btf_int_encoding(new_t) != BTF_INT_SIGNED)
840 				goto done;
841 
842 			/* mark as invalid mem size adjustment, but this will
843 			 * only be checked for LDX/STX/ST insns
844 			 */
845 			res->fail_memsz_adjust = true;
846 		}
847 	} else if (core_relo_is_type_based(relo->kind)) {
848 		err = bpf_core_calc_type_relo(relo, local_spec, &res->orig_val, &res->validate);
849 		err = err ?: bpf_core_calc_type_relo(relo, targ_spec, &res->new_val, NULL);
850 	} else if (core_relo_is_enumval_based(relo->kind)) {
851 		err = bpf_core_calc_enumval_relo(relo, local_spec, &res->orig_val);
852 		err = err ?: bpf_core_calc_enumval_relo(relo, targ_spec, &res->new_val);
853 	}
854 
855 done:
856 	if (err == -EUCLEAN) {
857 		/* EUCLEAN is used to signal instruction poisoning request */
858 		res->poison = true;
859 		err = 0;
860 	} else if (err == -EOPNOTSUPP) {
861 		/* EOPNOTSUPP means unknown/unsupported relocation */
862 		pr_warn("prog '%s': relo #%d: unrecognized CO-RE relocation %s (%d) at insn #%d\n",
863 			prog_name, relo_idx, core_relo_kind_str(relo->kind),
864 			relo->kind, relo->insn_off / 8);
865 	}
866 
867 	return err;
868 }
869 
870 /*
871  * Turn instruction for which CO_RE relocation failed into invalid one with
872  * distinct signature.
873  */
874 static void bpf_core_poison_insn(const char *prog_name, int relo_idx,
875 				 int insn_idx, struct bpf_insn *insn)
876 {
877 	pr_debug("prog '%s': relo #%d: substituting insn #%d w/ invalid insn\n",
878 		 prog_name, relo_idx, insn_idx);
879 	insn->code = BPF_JMP | BPF_CALL;
880 	insn->dst_reg = 0;
881 	insn->src_reg = 0;
882 	insn->off = 0;
883 	/* if this instruction is reachable (not a dead code),
884 	 * verifier will complain with the following message:
885 	 * invalid func unknown#195896080
886 	 */
887 	insn->imm = 195896080; /* => 0xbad2310 => "bad relo" */
888 }
889 
890 static int insn_bpf_size_to_bytes(struct bpf_insn *insn)
891 {
892 	switch (BPF_SIZE(insn->code)) {
893 	case BPF_DW: return 8;
894 	case BPF_W: return 4;
895 	case BPF_H: return 2;
896 	case BPF_B: return 1;
897 	default: return -1;
898 	}
899 }
900 
901 static int insn_bytes_to_bpf_size(__u32 sz)
902 {
903 	switch (sz) {
904 	case 8: return BPF_DW;
905 	case 4: return BPF_W;
906 	case 2: return BPF_H;
907 	case 1: return BPF_B;
908 	default: return -1;
909 	}
910 }
911 
912 /*
913  * Patch relocatable BPF instruction.
914  *
915  * Patched value is determined by relocation kind and target specification.
916  * For existence relocations target spec will be NULL if field/type is not found.
917  * Expected insn->imm value is determined using relocation kind and local
918  * spec, and is checked before patching instruction. If actual insn->imm value
919  * is wrong, bail out with error.
920  *
921  * Currently supported classes of BPF instruction are:
922  * 1. rX = <imm> (assignment with immediate operand);
923  * 2. rX += <imm> (arithmetic operations with immediate operand);
924  * 3. rX = <imm64> (load with 64-bit immediate value);
925  * 4. rX = *(T *)(rY + <off>), where T is one of {u8, u16, u32, u64};
926  * 5. *(T *)(rX + <off>) = rY, where T is one of {u8, u16, u32, u64};
927  * 6. *(T *)(rX + <off>) = <imm>, where T is one of {u8, u16, u32, u64}.
928  */
929 int bpf_core_patch_insn(const char *prog_name, struct bpf_insn *insn,
930 			int insn_idx, const struct bpf_core_relo *relo,
931 			int relo_idx, const struct bpf_core_relo_res *res)
932 {
933 	__u32 orig_val, new_val;
934 	__u8 class;
935 
936 	class = BPF_CLASS(insn->code);
937 
938 	if (res->poison) {
939 poison:
940 		/* poison second part of ldimm64 to avoid confusing error from
941 		 * verifier about "unknown opcode 00"
942 		 */
943 		if (is_ldimm64_insn(insn))
944 			bpf_core_poison_insn(prog_name, relo_idx, insn_idx + 1, insn + 1);
945 		bpf_core_poison_insn(prog_name, relo_idx, insn_idx, insn);
946 		return 0;
947 	}
948 
949 	orig_val = res->orig_val;
950 	new_val = res->new_val;
951 
952 	switch (class) {
953 	case BPF_ALU:
954 	case BPF_ALU64:
955 		if (BPF_SRC(insn->code) != BPF_K)
956 			return -EINVAL;
957 		if (res->validate && insn->imm != orig_val) {
958 			pr_warn("prog '%s': relo #%d: unexpected insn #%d (ALU/ALU64) value: got %u, exp %u -> %u\n",
959 				prog_name, relo_idx,
960 				insn_idx, insn->imm, orig_val, new_val);
961 			return -EINVAL;
962 		}
963 		orig_val = insn->imm;
964 		insn->imm = new_val;
965 		pr_debug("prog '%s': relo #%d: patched insn #%d (ALU/ALU64) imm %u -> %u\n",
966 			 prog_name, relo_idx, insn_idx,
967 			 orig_val, new_val);
968 		break;
969 	case BPF_LDX:
970 	case BPF_ST:
971 	case BPF_STX:
972 		if (res->validate && insn->off != orig_val) {
973 			pr_warn("prog '%s': relo #%d: unexpected insn #%d (LDX/ST/STX) value: got %u, exp %u -> %u\n",
974 				prog_name, relo_idx, insn_idx, insn->off, orig_val, new_val);
975 			return -EINVAL;
976 		}
977 		if (new_val > SHRT_MAX) {
978 			pr_warn("prog '%s': relo #%d: insn #%d (LDX/ST/STX) value too big: %u\n",
979 				prog_name, relo_idx, insn_idx, new_val);
980 			return -ERANGE;
981 		}
982 		if (res->fail_memsz_adjust) {
983 			pr_warn("prog '%s': relo #%d: insn #%d (LDX/ST/STX) accesses field incorrectly. "
984 				"Make sure you are accessing pointers, unsigned integers, or fields of matching type and size.\n",
985 				prog_name, relo_idx, insn_idx);
986 			goto poison;
987 		}
988 
989 		orig_val = insn->off;
990 		insn->off = new_val;
991 		pr_debug("prog '%s': relo #%d: patched insn #%d (LDX/ST/STX) off %u -> %u\n",
992 			 prog_name, relo_idx, insn_idx, orig_val, new_val);
993 
994 		if (res->new_sz != res->orig_sz) {
995 			int insn_bytes_sz, insn_bpf_sz;
996 
997 			insn_bytes_sz = insn_bpf_size_to_bytes(insn);
998 			if (insn_bytes_sz != res->orig_sz) {
999 				pr_warn("prog '%s': relo #%d: insn #%d (LDX/ST/STX) unexpected mem size: got %d, exp %u\n",
1000 					prog_name, relo_idx, insn_idx, insn_bytes_sz, res->orig_sz);
1001 				return -EINVAL;
1002 			}
1003 
1004 			insn_bpf_sz = insn_bytes_to_bpf_size(res->new_sz);
1005 			if (insn_bpf_sz < 0) {
1006 				pr_warn("prog '%s': relo #%d: insn #%d (LDX/ST/STX) invalid new mem size: %u\n",
1007 					prog_name, relo_idx, insn_idx, res->new_sz);
1008 				return -EINVAL;
1009 			}
1010 
1011 			insn->code = BPF_MODE(insn->code) | insn_bpf_sz | BPF_CLASS(insn->code);
1012 			pr_debug("prog '%s': relo #%d: patched insn #%d (LDX/ST/STX) mem_sz %u -> %u\n",
1013 				 prog_name, relo_idx, insn_idx, res->orig_sz, res->new_sz);
1014 		}
1015 		break;
1016 	case BPF_LD: {
1017 		__u64 imm;
1018 
1019 		if (!is_ldimm64_insn(insn) ||
1020 		    insn[0].src_reg != 0 || insn[0].off != 0 ||
1021 		    insn[1].code != 0 || insn[1].dst_reg != 0 ||
1022 		    insn[1].src_reg != 0 || insn[1].off != 0) {
1023 			pr_warn("prog '%s': relo #%d: insn #%d (LDIMM64) has unexpected form\n",
1024 				prog_name, relo_idx, insn_idx);
1025 			return -EINVAL;
1026 		}
1027 
1028 		imm = insn[0].imm + ((__u64)insn[1].imm << 32);
1029 		if (res->validate && imm != orig_val) {
1030 			pr_warn("prog '%s': relo #%d: unexpected insn #%d (LDIMM64) value: got %llu, exp %u -> %u\n",
1031 				prog_name, relo_idx,
1032 				insn_idx, (unsigned long long)imm,
1033 				orig_val, new_val);
1034 			return -EINVAL;
1035 		}
1036 
1037 		insn[0].imm = new_val;
1038 		insn[1].imm = 0; /* currently only 32-bit values are supported */
1039 		pr_debug("prog '%s': relo #%d: patched insn #%d (LDIMM64) imm64 %llu -> %u\n",
1040 			 prog_name, relo_idx, insn_idx,
1041 			 (unsigned long long)imm, new_val);
1042 		break;
1043 	}
1044 	default:
1045 		pr_warn("prog '%s': relo #%d: trying to relocate unrecognized insn #%d, code:0x%x, src:0x%x, dst:0x%x, off:0x%x, imm:0x%x\n",
1046 			prog_name, relo_idx, insn_idx, insn->code,
1047 			insn->src_reg, insn->dst_reg, insn->off, insn->imm);
1048 		return -EINVAL;
1049 	}
1050 
1051 	return 0;
1052 }
1053 
1054 /* Output spec definition in the format:
1055  * [<type-id>] (<type-name>) + <raw-spec> => <offset>@<spec>,
1056  * where <spec> is a C-syntax view of recorded field access, e.g.: x.a[3].b
1057  */
1058 static void bpf_core_dump_spec(const char *prog_name, int level, const struct bpf_core_spec *spec)
1059 {
1060 	const struct btf_type *t;
1061 	const struct btf_enum *e;
1062 	const char *s;
1063 	__u32 type_id;
1064 	int i;
1065 
1066 	type_id = spec->root_type_id;
1067 	t = btf_type_by_id(spec->btf, type_id);
1068 	s = btf__name_by_offset(spec->btf, t->name_off);
1069 
1070 	libbpf_print(level, "[%u] %s %s", type_id, btf_kind_str(t), str_is_empty(s) ? "<anon>" : s);
1071 
1072 	if (core_relo_is_type_based(spec->relo_kind))
1073 		return;
1074 
1075 	if (core_relo_is_enumval_based(spec->relo_kind)) {
1076 		t = skip_mods_and_typedefs(spec->btf, type_id, NULL);
1077 		e = btf_enum(t) + spec->raw_spec[0];
1078 		s = btf__name_by_offset(spec->btf, e->name_off);
1079 
1080 		libbpf_print(level, "::%s = %u", s, e->val);
1081 		return;
1082 	}
1083 
1084 	if (core_relo_is_field_based(spec->relo_kind)) {
1085 		for (i = 0; i < spec->len; i++) {
1086 			if (spec->spec[i].name)
1087 				libbpf_print(level, ".%s", spec->spec[i].name);
1088 			else if (i > 0 || spec->spec[i].idx > 0)
1089 				libbpf_print(level, "[%u]", spec->spec[i].idx);
1090 		}
1091 
1092 		libbpf_print(level, " (");
1093 		for (i = 0; i < spec->raw_len; i++)
1094 			libbpf_print(level, "%s%d", i == 0 ? "" : ":", spec->raw_spec[i]);
1095 
1096 		if (spec->bit_offset % 8)
1097 			libbpf_print(level, " @ offset %u.%u)",
1098 				     spec->bit_offset / 8, spec->bit_offset % 8);
1099 		else
1100 			libbpf_print(level, " @ offset %u)", spec->bit_offset / 8);
1101 		return;
1102 	}
1103 }
1104 
1105 /*
1106  * Calculate CO-RE relocation target result.
1107  *
1108  * The outline and important points of the algorithm:
1109  * 1. For given local type, find corresponding candidate target types.
1110  *    Candidate type is a type with the same "essential" name, ignoring
1111  *    everything after last triple underscore (___). E.g., `sample`,
1112  *    `sample___flavor_one`, `sample___flavor_another_one`, are all candidates
1113  *    for each other. Names with triple underscore are referred to as
1114  *    "flavors" and are useful, among other things, to allow to
1115  *    specify/support incompatible variations of the same kernel struct, which
1116  *    might differ between different kernel versions and/or build
1117  *    configurations.
1118  *
1119  *    N.B. Struct "flavors" could be generated by bpftool's BTF-to-C
1120  *    converter, when deduplicated BTF of a kernel still contains more than
1121  *    one different types with the same name. In that case, ___2, ___3, etc
1122  *    are appended starting from second name conflict. But start flavors are
1123  *    also useful to be defined "locally", in BPF program, to extract same
1124  *    data from incompatible changes between different kernel
1125  *    versions/configurations. For instance, to handle field renames between
1126  *    kernel versions, one can use two flavors of the struct name with the
1127  *    same common name and use conditional relocations to extract that field,
1128  *    depending on target kernel version.
1129  * 2. For each candidate type, try to match local specification to this
1130  *    candidate target type. Matching involves finding corresponding
1131  *    high-level spec accessors, meaning that all named fields should match,
1132  *    as well as all array accesses should be within the actual bounds. Also,
1133  *    types should be compatible (see bpf_core_fields_are_compat for details).
1134  * 3. It is supported and expected that there might be multiple flavors
1135  *    matching the spec. As long as all the specs resolve to the same set of
1136  *    offsets across all candidates, there is no error. If there is any
1137  *    ambiguity, CO-RE relocation will fail. This is necessary to accomodate
1138  *    imprefection of BTF deduplication, which can cause slight duplication of
1139  *    the same BTF type, if some directly or indirectly referenced (by
1140  *    pointer) type gets resolved to different actual types in different
1141  *    object files. If such situation occurs, deduplicated BTF will end up
1142  *    with two (or more) structurally identical types, which differ only in
1143  *    types they refer to through pointer. This should be OK in most cases and
1144  *    is not an error.
1145  * 4. Candidate types search is performed by linearly scanning through all
1146  *    types in target BTF. It is anticipated that this is overall more
1147  *    efficient memory-wise and not significantly worse (if not better)
1148  *    CPU-wise compared to prebuilding a map from all local type names to
1149  *    a list of candidate type names. It's also sped up by caching resolved
1150  *    list of matching candidates per each local "root" type ID, that has at
1151  *    least one bpf_core_relo associated with it. This list is shared
1152  *    between multiple relocations for the same type ID and is updated as some
1153  *    of the candidates are pruned due to structural incompatibility.
1154  */
1155 int bpf_core_calc_relo_insn(const char *prog_name,
1156 			    const struct bpf_core_relo *relo,
1157 			    int relo_idx,
1158 			    const struct btf *local_btf,
1159 			    struct bpf_core_cand_list *cands,
1160 			    struct bpf_core_spec *specs_scratch,
1161 			    struct bpf_core_relo_res *targ_res)
1162 {
1163 	struct bpf_core_spec *local_spec = &specs_scratch[0];
1164 	struct bpf_core_spec *cand_spec = &specs_scratch[1];
1165 	struct bpf_core_spec *targ_spec = &specs_scratch[2];
1166 	struct bpf_core_relo_res cand_res;
1167 	const struct btf_type *local_type;
1168 	const char *local_name;
1169 	__u32 local_id;
1170 	const char *spec_str;
1171 	int i, j, err;
1172 
1173 	local_id = relo->type_id;
1174 	local_type = btf_type_by_id(local_btf, local_id);
1175 	local_name = btf__name_by_offset(local_btf, local_type->name_off);
1176 	if (!local_name)
1177 		return -EINVAL;
1178 
1179 	spec_str = btf__name_by_offset(local_btf, relo->access_str_off);
1180 	if (str_is_empty(spec_str))
1181 		return -EINVAL;
1182 
1183 	err = bpf_core_parse_spec(prog_name, local_btf, local_id, spec_str,
1184 				  relo->kind, local_spec);
1185 	if (err) {
1186 		pr_warn("prog '%s': relo #%d: parsing [%d] %s %s + %s failed: %d\n",
1187 			prog_name, relo_idx, local_id, btf_kind_str(local_type),
1188 			str_is_empty(local_name) ? "<anon>" : local_name,
1189 			spec_str, err);
1190 		return -EINVAL;
1191 	}
1192 
1193 	pr_debug("prog '%s': relo #%d: kind <%s> (%d), spec is ", prog_name,
1194 		 relo_idx, core_relo_kind_str(relo->kind), relo->kind);
1195 	bpf_core_dump_spec(prog_name, LIBBPF_DEBUG, local_spec);
1196 	libbpf_print(LIBBPF_DEBUG, "\n");
1197 
1198 	/* TYPE_ID_LOCAL relo is special and doesn't need candidate search */
1199 	if (relo->kind == BPF_CORE_TYPE_ID_LOCAL) {
1200 		/* bpf_insn's imm value could get out of sync during linking */
1201 		memset(targ_res, 0, sizeof(*targ_res));
1202 		targ_res->validate = false;
1203 		targ_res->poison = false;
1204 		targ_res->orig_val = local_spec->root_type_id;
1205 		targ_res->new_val = local_spec->root_type_id;
1206 		return 0;
1207 	}
1208 
1209 	/* libbpf doesn't support candidate search for anonymous types */
1210 	if (str_is_empty(spec_str)) {
1211 		pr_warn("prog '%s': relo #%d: <%s> (%d) relocation doesn't support anonymous types\n",
1212 			prog_name, relo_idx, core_relo_kind_str(relo->kind), relo->kind);
1213 		return -EOPNOTSUPP;
1214 	}
1215 
1216 	for (i = 0, j = 0; i < cands->len; i++) {
1217 		err = bpf_core_spec_match(local_spec, cands->cands[i].btf,
1218 					  cands->cands[i].id, cand_spec);
1219 		if (err < 0) {
1220 			pr_warn("prog '%s': relo #%d: error matching candidate #%d ",
1221 				prog_name, relo_idx, i);
1222 			bpf_core_dump_spec(prog_name, LIBBPF_WARN, cand_spec);
1223 			libbpf_print(LIBBPF_WARN, ": %d\n", err);
1224 			return err;
1225 		}
1226 
1227 		pr_debug("prog '%s': relo #%d: %s candidate #%d ", prog_name,
1228 			 relo_idx, err == 0 ? "non-matching" : "matching", i);
1229 		bpf_core_dump_spec(prog_name, LIBBPF_DEBUG, cand_spec);
1230 		libbpf_print(LIBBPF_DEBUG, "\n");
1231 
1232 		if (err == 0)
1233 			continue;
1234 
1235 		err = bpf_core_calc_relo(prog_name, relo, relo_idx, local_spec, cand_spec, &cand_res);
1236 		if (err)
1237 			return err;
1238 
1239 		if (j == 0) {
1240 			*targ_res = cand_res;
1241 			*targ_spec = *cand_spec;
1242 		} else if (cand_spec->bit_offset != targ_spec->bit_offset) {
1243 			/* if there are many field relo candidates, they
1244 			 * should all resolve to the same bit offset
1245 			 */
1246 			pr_warn("prog '%s': relo #%d: field offset ambiguity: %u != %u\n",
1247 				prog_name, relo_idx, cand_spec->bit_offset,
1248 				targ_spec->bit_offset);
1249 			return -EINVAL;
1250 		} else if (cand_res.poison != targ_res->poison ||
1251 			   cand_res.new_val != targ_res->new_val) {
1252 			/* all candidates should result in the same relocation
1253 			 * decision and value, otherwise it's dangerous to
1254 			 * proceed due to ambiguity
1255 			 */
1256 			pr_warn("prog '%s': relo #%d: relocation decision ambiguity: %s %u != %s %u\n",
1257 				prog_name, relo_idx,
1258 				cand_res.poison ? "failure" : "success", cand_res.new_val,
1259 				targ_res->poison ? "failure" : "success", targ_res->new_val);
1260 			return -EINVAL;
1261 		}
1262 
1263 		cands->cands[j++] = cands->cands[i];
1264 	}
1265 
1266 	/*
1267 	 * For BPF_CORE_FIELD_EXISTS relo or when used BPF program has field
1268 	 * existence checks or kernel version/config checks, it's expected
1269 	 * that we might not find any candidates. In this case, if field
1270 	 * wasn't found in any candidate, the list of candidates shouldn't
1271 	 * change at all, we'll just handle relocating appropriately,
1272 	 * depending on relo's kind.
1273 	 */
1274 	if (j > 0)
1275 		cands->len = j;
1276 
1277 	/*
1278 	 * If no candidates were found, it might be both a programmer error,
1279 	 * as well as expected case, depending whether instruction w/
1280 	 * relocation is guarded in some way that makes it unreachable (dead
1281 	 * code) if relocation can't be resolved. This is handled in
1282 	 * bpf_core_patch_insn() uniformly by replacing that instruction with
1283 	 * BPF helper call insn (using invalid helper ID). If that instruction
1284 	 * is indeed unreachable, then it will be ignored and eliminated by
1285 	 * verifier. If it was an error, then verifier will complain and point
1286 	 * to a specific instruction number in its log.
1287 	 */
1288 	if (j == 0) {
1289 		pr_debug("prog '%s': relo #%d: no matching targets found\n",
1290 			 prog_name, relo_idx);
1291 
1292 		/* calculate single target relo result explicitly */
1293 		err = bpf_core_calc_relo(prog_name, relo, relo_idx, local_spec, NULL, targ_res);
1294 		if (err)
1295 			return err;
1296 	}
1297 
1298 	return 0;
1299 }
1300