tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
bpf: Warn on internal verifier errors
This patch is a follow up to commit 1cb0f56d9618 ("bpf: WARN_ONCE on
verifier bugs"). It generalizes the use of verifier_error throughout
the verifier, in particular for logs previously marked "verifier
internal error". As a consequence, all of those verifier bugs will now
come with a kernel warning (under CONFIG_DBEUG_KERNEL) detectable by
fuzzers.
While at it, some error messages that were too generic (ex., "bpf
verifier is misconfigured") have been reworded.
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Link: https://lore.kernel.org/r/aGQqnzMyeagzgkCK@Tunnel
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
authored by
Paul Chaignon
and committed by
Alexei Starovoitov
0df1a55a
26d0e532
+102
-109
+102
-109
kernel/bpf/verifier.c
+102
-109
kernel/bpf/verifier.c
···
861
861
* dynptr
862
862
*/
863
863
if (state->stack[i].slot_type[0] != STACK_DYNPTR) {
864
-
verbose(env, "verifier internal error: misconfigured ref_obj_id\n");
864
+
verifier_bug(env, "misconfigured ref_obj_id");
865
865
return -EFAULT;
866
866
}
867
867
if (state->stack[i].spilled_ptr.dynptr.first_slot)
···
2030
2030
while (st) {
2031
2031
u32 br = --st->branches;
2032
2032
2033
-
/* WARN_ON(br > 1) technically makes sense here,
2033
+
/* verifier_bug_if(br > 1, ...) technically makes sense here,
2034
2034
* but see comment in push_stack(), hence:
2035
2035
*/
2036
-
WARN_ONCE((int)br < 0,
2037
-
"BUG update_branch_counts:branches_to_explore=%d\n",
2038
-
br);
2036
+
verifier_bug_if((int)br < 0, env, "%s:branches_to_explore=%d", __func__, br);
2039
2037
if (br)
2040
2038
break;
2041
2039
err = maybe_exit_scc(env, st);
···
2679
2681
2680
2682
return 0;
2681
2683
out:
2682
-
verbose(env, "REG INVARIANTS VIOLATION (%s): %s u64=[%#llx, %#llx] "
2683
-
"s64=[%#llx, %#llx] u32=[%#x, %#x] s32=[%#x, %#x] var_off=(%#llx, %#llx)\n",
2684
-
ctx, msg, reg->umin_value, reg->umax_value,
2685
-
reg->smin_value, reg->smax_value,
2686
-
reg->u32_min_value, reg->u32_max_value,
2687
-
reg->s32_min_value, reg->s32_max_value,
2688
-
reg->var_off.value, reg->var_off.mask);
2684
+
verifier_bug(env, "REG INVARIANTS VIOLATION (%s): %s u64=[%#llx, %#llx] "
2685
+
"s64=[%#llx, %#llx] u32=[%#x, %#x] s32=[%#x, %#x] var_off=(%#llx, %#llx)",
2686
+
ctx, msg, reg->umin_value, reg->umax_value,
2687
+
reg->smin_value, reg->smax_value,
2688
+
reg->u32_min_value, reg->u32_max_value,
2689
+
reg->s32_min_value, reg->s32_max_value,
2690
+
reg->var_off.value, reg->var_off.mask);
2689
2691
if (env->test_reg_invariants)
2690
2692
return -EFAULT;
2691
2693
__mark_reg_unbounded(reg);
···
4739
4741
if (regno >= 0) {
4740
4742
reg = &func->regs[regno];
4741
4743
if (reg->type != SCALAR_VALUE) {
4742
-
WARN_ONCE(1, "backtracing misuse");
4744
+
verifier_bug(env, "backtracking misuse");
4743
4745
return -EFAULT;
4744
4746
}
4745
4747
bt_set_reg(bt, regno);
···
7211
7213
7212
7214
if (env->ops->btf_struct_access && !type_is_alloc(reg->type) && atype == BPF_WRITE) {
7213
7215
if (!btf_is_kernel(reg->btf)) {
7214
-
verbose(env, "verifier internal error: reg->btf must be kernel btf\n");
7216
+
verifier_bug(env, "reg->btf must be kernel btf");
7215
7217
return -EFAULT;
7216
7218
}
7217
7219
ret = env->ops->btf_struct_access(&env->log, reg, off, size);
···
7227
7229
7228
7230
if (type_is_alloc(reg->type) && !type_is_non_owning_ref(reg->type) &&
7229
7231
!(reg->type & MEM_RCU) && !reg->ref_obj_id) {
7230
-
verbose(env, "verifier internal error: ref_obj_id for allocated object must be non-zero\n");
7232
+
verifier_bug(env, "ref_obj_id for allocated object must be non-zero");
7231
7233
return -EFAULT;
7232
7234
}
7233
7235
···
8595
8597
* ARG_PTR_TO_DYNPTR (or ARG_PTR_TO_DYNPTR | DYNPTR_TYPE_*):
8596
8598
*/
8597
8599
if ((arg_type & (MEM_UNINIT | MEM_RDONLY)) == (MEM_UNINIT | MEM_RDONLY)) {
8598
-
verbose(env, "verifier internal error: misconfigured dynptr helper type flags\n");
8600
+
verifier_bug(env, "misconfigured dynptr helper type flags");
8599
8601
return -EFAULT;
8600
8602
}
8601
8603
···
8961
8963
8962
8964
if (cur_iter->iter.state != BPF_ITER_STATE_ACTIVE &&
8963
8965
cur_iter->iter.state != BPF_ITER_STATE_DRAINED) {
8964
-
verbose(env, "verifier internal error: unexpected iterator state %d (%s)\n",
8965
-
cur_iter->iter.state, iter_state_str(cur_iter->iter.state));
8966
+
verifier_bug(env, "unexpected iterator state %d (%s)",
8967
+
cur_iter->iter.state, iter_state_str(cur_iter->iter.state));
8966
8968
return -EFAULT;
8967
8969
}
8968
8970
···
8972
8974
*/
8973
8975
if (!cur_st->parent || cur_st->parent->insn_idx != insn_idx ||
8974
8976
!same_callsites(cur_st->parent, cur_st)) {
8975
-
verbose(env, "bug: bad parent state for iter next call");
8977
+
verifier_bug(env, "bad parent state for iter next call");
8976
8978
return -EFAULT;
8977
8979
}
8978
8980
/* Note cur_st->parent in the call below, it is necessary to skip
···
9031
9033
{
9032
9034
if (!meta->map_ptr) {
9033
9035
/* kernel subsystem misconfigured verifier */
9034
-
verbose(env, "invalid map_ptr to access map->type\n");
9036
+
verifier_bug(env, "invalid map_ptr to access map->type");
9035
9037
return -EFAULT;
9036
9038
}
9037
9039
···
9178
9180
9179
9181
compatible = compatible_reg_types[base_type(arg_type)];
9180
9182
if (!compatible) {
9181
-
verbose(env, "verifier internal error: unsupported arg type %d\n", arg_type);
9183
+
verifier_bug(env, "unsupported arg type %d", arg_type);
9182
9184
return -EFAULT;
9183
9185
}
9184
9186
···
9260
9262
9261
9263
if (!arg_btf_id) {
9262
9264
if (!compatible->btf_id) {
9263
-
verbose(env, "verifier internal error: missing arg compatible BTF ID\n");
9265
+
verifier_bug(env, "missing arg compatible BTF ID");
9264
9266
return -EFAULT;
9265
9267
}
9266
9268
arg_btf_id = compatible->btf_id;
···
9292
9294
case PTR_TO_BTF_ID | MEM_PERCPU | MEM_ALLOC:
9293
9295
if (meta->func_id != BPF_FUNC_spin_lock && meta->func_id != BPF_FUNC_spin_unlock &&
9294
9296
meta->func_id != BPF_FUNC_kptr_xchg) {
9295
-
verbose(env, "verifier internal error: unimplemented handling of MEM_ALLOC\n");
9297
+
verifier_bug(env, "unimplemented handling of MEM_ALLOC");
9296
9298
return -EFAULT;
9297
9299
}
9298
9300
/* Check if local kptr in src arg matches kptr in dst arg */
···
9307
9309
/* Handled by helper specific checks */
9308
9310
break;
9309
9311
default:
9310
-
verbose(env, "verifier internal error: invalid PTR_TO_BTF_ID register for type match\n");
9312
+
verifier_bug(env, "invalid PTR_TO_BTF_ID register for type match");
9311
9313
return -EFAULT;
9312
9314
}
9313
9315
return 0;
···
9665
9667
return -EINVAL;
9666
9668
}
9667
9669
if (meta->release_regno) {
9668
-
verbose(env, "verifier internal error: more than one release argument\n");
9670
+
verifier_bug(env, "more than one release argument");
9669
9671
return -EFAULT;
9670
9672
}
9671
9673
meta->release_regno = regno;
···
9673
9675
9674
9676
if (reg->ref_obj_id && base_type(arg_type) != ARG_KPTR_XCHG_DEST) {
9675
9677
if (meta->ref_obj_id) {
9676
-
verbose(env, "verifier internal error: more than one arg with ref_obj_id R%d %u %u\n",
9677
-
regno, reg->ref_obj_id,
9678
-
meta->ref_obj_id);
9678
+
verifier_bug(env, "more than one arg with ref_obj_id R%d %u %u",
9679
+
regno, reg->ref_obj_id,
9680
+
meta->ref_obj_id);
9679
9681
return -EFAULT;
9680
9682
}
9681
9683
meta->ref_obj_id = reg->ref_obj_id;
···
9719
9721
* we have to check map_key here. Otherwise it means
9720
9722
* that kernel subsystem misconfigured verifier
9721
9723
*/
9722
-
verbose(env, "invalid map_ptr to access map->key\n");
9724
+
verifier_bug(env, "invalid map_ptr to access map->key");
9723
9725
return -EFAULT;
9724
9726
}
9725
9727
key_size = meta->map_ptr->key_size;
···
9746
9748
*/
9747
9749
if (!meta->map_ptr) {
9748
9750
/* kernel subsystem misconfigured verifier */
9749
-
verbose(env, "invalid map_ptr to access map->value\n");
9751
+
verifier_bug(env, "invalid map_ptr to access map->value");
9750
9752
return -EFAULT;
9751
9753
}
9752
9754
meta->raw_mode = arg_type & MEM_UNINIT;
···
9776
9778
if (err)
9777
9779
return err;
9778
9780
} else {
9779
-
verbose(env, "verifier internal error\n");
9781
+
verifier_bug(env, "spin lock arg on unexpected helper");
9780
9782
return -EFAULT;
9781
9783
}
9782
9784
break;
···
10934
10936
return -EINVAL;
10935
10937
}
10936
10938
if (!calls_callback(env, callee->callsite)) {
10937
-
verbose(env, "BUG: in callback at %d, callsite %d !calls_callback\n",
10938
-
*insn_idx, callee->callsite);
10939
+
verifier_bug(env, "in callback at %d, callsite %d !calls_callback",
10940
+
*insn_idx, callee->callsite);
10939
10941
return -EFAULT;
10940
10942
}
10941
10943
} else {
···
11042
11044
return 0;
11043
11045
11044
11046
if (map == NULL) {
11045
-
verbose(env, "kernel subsystem misconfigured verifier\n");
11047
+
verifier_bug(env, "expected map for helper call");
11046
11048
return -EFAULT;
11047
11049
}
11048
11050
···
11081
11083
if (func_id != BPF_FUNC_tail_call)
11082
11084
return 0;
11083
11085
if (!map || map->map_type != BPF_MAP_TYPE_PROG_ARRAY) {
11084
-
verbose(env, "kernel subsystem misconfigured verifier\n");
11086
+
verifier_bug(env, "expected array map for tail call");
11085
11087
return -EFAULT;
11086
11088
}
11087
11089
···
11334
11336
/* With LD_ABS/IND some JITs save/restore skb from r1. */
11335
11337
changes_data = bpf_helper_changes_pkt_data(func_id);
11336
11338
if (changes_data && fn->arg1_type != ARG_PTR_TO_CTX) {
11337
-
verbose(env, "kernel subsystem misconfigured func %s#%d: r1 != ctx\n",
11338
-
func_id_name(func_id), func_id);
11339
+
verifier_bug(env, "func %s#%d: r1 != ctx", func_id_name(func_id), func_id);
11339
11340
return -EFAULT;
11340
11341
}
11341
11342
···
11343
11346
11344
11347
err = check_func_proto(fn, func_id);
11345
11348
if (err) {
11346
-
verbose(env, "kernel subsystem misconfigured func %s#%d\n",
11347
-
func_id_name(func_id), func_id);
11349
+
verifier_bug(env, "incorrect func proto %s#%d", func_id_name(func_id), func_id);
11348
11350
return err;
11349
11351
}
11350
11352
···
11416
11420
*/
11417
11421
if (arg_type_is_dynptr(fn->arg_type[meta.release_regno - BPF_REG_1])) {
11418
11422
if (regs[meta.release_regno].type == CONST_PTR_TO_DYNPTR) {
11419
-
verbose(env, "verifier internal error: CONST_PTR_TO_DYNPTR cannot be released\n");
11423
+
verifier_bug(env, "CONST_PTR_TO_DYNPTR cannot be released");
11420
11424
return -EFAULT;
11421
11425
}
11422
11426
err = unmark_stack_slots_dynptr(env, ®s[meta.release_regno]);
···
11533
11537
11534
11538
11535
11539
if (meta.dynptr_id) {
11536
-
verbose(env, "verifier internal error: meta.dynptr_id already set\n");
11540
+
verifier_bug(env, "meta.dynptr_id already set");
11537
11541
return -EFAULT;
11538
11542
}
11539
11543
if (meta.ref_obj_id) {
11540
-
verbose(env, "verifier internal error: meta.ref_obj_id already set\n");
11544
+
verifier_bug(env, "meta.ref_obj_id already set");
11541
11545
return -EFAULT;
11542
11546
}
11543
11547
11544
11548
id = dynptr_id(env, reg);
11545
11549
if (id < 0) {
11546
-
verbose(env, "verifier internal error: failed to obtain dynptr id\n");
11550
+
verifier_bug(env, "failed to obtain dynptr id");
11547
11551
return id;
11548
11552
}
11549
11553
11550
11554
ref_obj_id = dynptr_ref_obj_id(env, reg);
11551
11555
if (ref_obj_id < 0) {
11552
-
verbose(env, "verifier internal error: failed to obtain dynptr ref_obj_id\n");
11556
+
verifier_bug(env, "failed to obtain dynptr ref_obj_id");
11553
11557
return ref_obj_id;
11554
11558
}
11555
11559
···
11634
11638
* to map element returned from bpf_map_lookup_elem()
11635
11639
*/
11636
11640
if (meta.map_ptr == NULL) {
11637
-
verbose(env,
11638
-
"kernel subsystem misconfigured verifier\n");
11641
+
verifier_bug(env, "unexpected null map_ptr");
11639
11642
return -EFAULT;
11640
11643
}
11641
11644
···
11725
11730
}
11726
11731
} else {
11727
11732
if (fn->ret_btf_id == BPF_PTR_POISON) {
11728
-
verbose(env, "verifier internal error:");
11729
-
verbose(env, "func %s has non-overwritten BPF_PTR_POISON return type\n",
11730
-
func_id_name(func_id));
11733
+
verifier_bug(env, "func %s has non-overwritten BPF_PTR_POISON return type",
11734
+
func_id_name(func_id));
11731
11735
return -EFAULT;
11732
11736
}
11733
11737
ret_btf = btf_vmlinux;
···
11752
11758
regs[BPF_REG_0].id = ++env->id_gen;
11753
11759
11754
11760
if (helper_multiple_ref_obj_use(func_id, meta.map_ptr)) {
11755
-
verbose(env, "verifier internal error: func %s#%d sets ref_obj_id more than once\n",
11756
-
func_id_name(func_id), func_id);
11761
+
verifier_bug(env, "func %s#%d sets ref_obj_id more than once",
11762
+
func_id_name(func_id), func_id);
11757
11763
return -EFAULT;
11758
11764
}
11759
11765
···
12465
12471
if (meta->func_id == special_kfunc_list[KF_bpf_res_spin_unlock_irqrestore])
12466
12472
kfunc_class = IRQ_LOCK_KFUNC;
12467
12473
} else {
12468
-
verbose(env, "verifier internal error: unknown irq flags kfunc\n");
12474
+
verifier_bug(env, "unknown irq flags kfunc");
12469
12475
return -EFAULT;
12470
12476
}
12471
12477
···
12506
12512
struct btf_record *rec = reg_btf_record(reg);
12507
12513
12508
12514
if (!env->cur_state->active_locks) {
12509
-
verbose(env, "verifier internal error: ref_set_non_owning w/o active lock\n");
12515
+
verifier_bug(env, "%s w/o active lock", __func__);
12510
12516
return -EFAULT;
12511
12517
}
12512
12518
12513
12519
if (type_flag(reg->type) & NON_OWN_REF) {
12514
-
verbose(env, "verifier internal error: NON_OWN_REF already set\n");
12520
+
verifier_bug(env, "NON_OWN_REF already set");
12515
12521
return -EFAULT;
12516
12522
}
12517
12523
···
12530
12536
int i;
12531
12537
12532
12538
if (!ref_obj_id) {
12533
-
verbose(env, "verifier internal error: ref_obj_id is zero for "
12534
-
"owning -> non-owning conversion\n");
12539
+
verifier_bug(env, "ref_obj_id is zero for owning -> non-owning conversion");
12535
12540
return -EFAULT;
12536
12541
}
12537
12542
···
12550
12557
return 0;
12551
12558
}
12552
12559
12553
-
verbose(env, "verifier internal error: ref state missing for ref_obj_id\n");
12560
+
verifier_bug(env, "ref state missing for ref_obj_id");
12554
12561
return -EFAULT;
12555
12562
}
12556
12563
···
12612
12619
ptr = reg->btf;
12613
12620
break;
12614
12621
default:
12615
-
verbose(env, "verifier internal error: unknown reg type for lock check\n");
12622
+
verifier_bug(env, "unknown reg type for lock check");
12616
12623
return -EFAULT;
12617
12624
}
12618
12625
id = reg->id;
···
12773
12780
u32 head_off;
12774
12781
12775
12782
if (meta->btf != btf_vmlinux) {
12776
-
verbose(env, "verifier internal error: unexpected btf mismatch in kfunc call\n");
12783
+
verifier_bug(env, "unexpected btf mismatch in kfunc call");
12777
12784
return -EFAULT;
12778
12785
}
12779
12786
···
12804
12811
}
12805
12812
12806
12813
if (*head_field) {
12807
-
verbose(env, "verifier internal error: repeating %s arg\n", head_type_name);
12814
+
verifier_bug(env, "repeating %s arg", head_type_name);
12808
12815
return -EFAULT;
12809
12816
}
12810
12817
*head_field = field;
···
12841
12848
u32 node_off;
12842
12849
12843
12850
if (meta->btf != btf_vmlinux) {
12844
-
verbose(env, "verifier internal error: unexpected btf mismatch in kfunc call\n");
12851
+
verifier_bug(env, "unexpected btf mismatch in kfunc call");
12845
12852
return -EFAULT;
12846
12853
}
12847
12854
···
12969
12976
if (is_kfunc_arg_prog(btf, &args[i])) {
12970
12977
/* Used to reject repeated use of __prog. */
12971
12978
if (meta->arg_prog) {
12972
-
verbose(env, "Only 1 prog->aux argument supported per-kfunc\n");
12979
+
verifier_bug(env, "Only 1 prog->aux argument supported per-kfunc");
12973
12980
return -EFAULT;
12974
12981
}
12975
12982
meta->arg_prog = true;
···
12985
12992
12986
12993
if (is_kfunc_arg_constant(meta->btf, &args[i])) {
12987
12994
if (meta->arg_constant.found) {
12988
-
verbose(env, "verifier internal error: only one constant argument permitted\n");
12995
+
verifier_bug(env, "only one constant argument permitted");
12989
12996
return -EFAULT;
12990
12997
}
12991
12998
if (!tnum_is_const(reg->var_off)) {
···
13037
13044
13038
13045
if (reg->ref_obj_id) {
13039
13046
if (is_kfunc_release(meta) && meta->ref_obj_id) {
13040
-
verbose(env, "verifier internal error: more than one arg with ref_obj_id R%d %u %u\n",
13041
-
regno, reg->ref_obj_id,
13042
-
meta->ref_obj_id);
13047
+
verifier_bug(env, "more than one arg with ref_obj_id R%d %u %u",
13048
+
regno, reg->ref_obj_id,
13049
+
meta->ref_obj_id);
13043
13050
return -EFAULT;
13044
13051
}
13045
13052
meta->ref_obj_id = reg->ref_obj_id;
···
13119
13126
case KF_ARG_PTR_TO_RES_SPIN_LOCK:
13120
13127
break;
13121
13128
default:
13122
-
WARN_ON_ONCE(1);
13129
+
verifier_bug(env, "unknown kfunc arg type %d", kf_arg_type);
13123
13130
return -EFAULT;
13124
13131
}
13125
13132
···
13188
13195
enum bpf_dynptr_type parent_type = meta->initialized_dynptr.type;
13189
13196
13190
13197
if (parent_type == BPF_DYNPTR_TYPE_INVALID) {
13191
-
verbose(env, "verifier internal error: no dynptr type for parent of clone\n");
13198
+
verifier_bug(env, "no dynptr type for parent of clone");
13192
13199
return -EFAULT;
13193
13200
}
13194
13201
13195
13202
dynptr_arg_type |= (unsigned int)get_dynptr_type_flag(parent_type);
13196
13203
clone_ref_obj_id = meta->initialized_dynptr.ref_obj_id;
13197
13204
if (dynptr_type_refcounted(parent_type) && !clone_ref_obj_id) {
13198
-
verbose(env, "verifier internal error: missing ref obj id for parent of clone\n");
13205
+
verifier_bug(env, "missing ref obj id for parent of clone");
13199
13206
return -EFAULT;
13200
13207
}
13201
13208
}
···
13208
13215
int id = dynptr_id(env, reg);
13209
13216
13210
13217
if (id < 0) {
13211
-
verbose(env, "verifier internal error: failed to obtain dynptr id\n");
13218
+
verifier_bug(env, "failed to obtain dynptr id");
13212
13219
return id;
13213
13220
}
13214
13221
meta->initialized_dynptr.id = id;
···
13344
13351
13345
13352
if (is_kfunc_arg_const_mem_size(meta->btf, size_arg, size_reg)) {
13346
13353
if (meta->arg_constant.found) {
13347
-
verbose(env, "verifier internal error: only one constant argument permitted\n");
13354
+
verifier_bug(env, "only one constant argument permitted");
13348
13355
return -EFAULT;
13349
13356
}
13350
13357
if (!tnum_is_const(size_reg->var_off)) {
···
13376
13383
13377
13384
rec = reg_btf_record(reg);
13378
13385
if (!rec) {
13379
-
verbose(env, "verifier internal error: Couldn't find btf_record\n");
13386
+
verifier_bug(env, "Couldn't find btf_record");
13380
13387
return -EFAULT;
13381
13388
}
13382
13389
···
13635
13642
mark_reg_known_zero(env, regs, BPF_REG_0);
13636
13643
13637
13644
if (!meta->arg_constant.found) {
13638
-
verbose(env, "verifier internal error: bpf_dynptr_slice(_rdwr) no constant size\n");
13645
+
verifier_bug(env, "bpf_dynptr_slice(_rdwr) no constant size");
13639
13646
return -EFAULT;
13640
13647
}
13641
13648
···
13655
13662
}
13656
13663
13657
13664
if (!meta->initialized_dynptr.id) {
13658
-
verbose(env, "verifier internal error: no dynptr id\n");
13665
+
verifier_bug(env, "no dynptr id");
13659
13666
return -EFAULT;
13660
13667
}
13661
13668
regs[BPF_REG_0].dynptr_id = meta->initialized_dynptr.id;
···
14299
14306
dst, err);
14300
14307
return -ENOMEM;
14301
14308
default:
14302
-
verbose(env, "verifier internal error: unknown reason (%d)\n",
14303
-
reason);
14309
+
verifier_bug(env, "unknown reason (%d)", reason);
14304
14310
break;
14305
14311
}
14306
14312
···
16834
16842
dst_reg->btf_id = aux->btf_var.btf_id;
16835
16843
break;
16836
16844
default:
16837
-
verbose(env, "bpf verifier is misconfigured\n");
16845
+
verifier_bug(env, "pseudo btf id: unexpected dst reg type");
16838
16846
return -EFAULT;
16839
16847
}
16840
16848
return 0;
···
16876
16884
insn->src_reg == BPF_PSEUDO_MAP_IDX) {
16877
16885
dst_reg->type = CONST_PTR_TO_MAP;
16878
16886
} else {
16879
-
verbose(env, "bpf verifier is misconfigured\n");
16887
+
verifier_bug(env, "unexpected src reg value for ldimm64");
16880
16888
return -EFAULT;
16881
16889
}
16882
16890
···
16923
16931
}
16924
16932
16925
16933
if (!env->ops->gen_ld_abs) {
16926
-
verbose(env, "bpf verifier is misconfigured\n");
16934
+
verifier_bug(env, "gen_ld_abs is null");
16927
16935
return -EFAULT;
16928
16936
}
16929
16937
···
17334
17342
/* forward- or cross-edge */
17335
17343
insn_state[t] = DISCOVERED | e;
17336
17344
} else {
17337
-
verbose(env, "insn state internal bug\n");
17345
+
verifier_bug(env, "insn state internal bug");
17338
17346
return -EFAULT;
17339
17347
}
17340
17348
return DONE_EXPLORING;
···
17795
17803
break;
17796
17804
default:
17797
17805
if (ret > 0) {
17798
-
verbose(env, "visit_insn internal bug\n");
17806
+
verifier_bug(env, "visit_insn internal bug");
17799
17807
ret = -EFAULT;
17800
17808
}
17801
17809
goto err_free;
···
17803
17811
}
17804
17812
17805
17813
if (env->cfg.cur_stack < 0) {
17806
-
verbose(env, "pop stack internal bug\n");
17814
+
verifier_bug(env, "pop stack internal bug");
17807
17815
ret = -EFAULT;
17808
17816
goto err_free;
17809
17817
}
···
19556
19564
return err;
19557
19565
}
19558
19566
new->insn_idx = insn_idx;
19559
-
WARN_ONCE(new->branches != 1,
19560
-
"BUG is_state_visited:branches_to_explore=%d insn %d\n", new->branches, insn_idx);
19567
+
verifier_bug_if(new->branches != 1, env,
19568
+
"%s:branches_to_explore=%d insn %d",
19569
+
__func__, new->branches, insn_idx);
19561
19570
err = maybe_enter_scc(env, new);
19562
19571
if (err) {
19563
19572
free_verifier_state(new, false);
···
21129
21136
epilogue_cnt = ops->gen_epilogue(epilogue_buf, env->prog,
21130
21137
-(subprogs[0].stack_depth + 8));
21131
21138
if (epilogue_cnt >= INSN_BUF_SIZE) {
21132
-
verbose(env, "bpf verifier is misconfigured\n");
21139
+
verifier_bug(env, "epilogue is too long");
21133
21140
return -EFAULT;
21134
21141
} else if (epilogue_cnt) {
21135
21142
/* Save the ARG_PTR_TO_CTX for the epilogue to use */
···
21152
21159
21153
21160
if (ops->gen_prologue || env->seen_direct_write) {
21154
21161
if (!ops->gen_prologue) {
21155
-
verbose(env, "bpf verifier is misconfigured\n");
21162
+
verifier_bug(env, "gen_prologue is null");
21156
21163
return -EFAULT;
21157
21164
}
21158
21165
cnt = ops->gen_prologue(insn_buf, env->seen_direct_write,
21159
21166
env->prog);
21160
21167
if (cnt >= INSN_BUF_SIZE) {
21161
-
verbose(env, "bpf verifier is misconfigured\n");
21168
+
verifier_bug(env, "prologue is too long");
21162
21169
return -EFAULT;
21163
21170
} else if (cnt) {
21164
21171
new_prog = bpf_patch_insn_data(env, 0, insn_buf, cnt);
···
21342
21349
u8 size_code;
21343
21350
21344
21351
if (type == BPF_WRITE) {
21345
-
verbose(env, "bpf verifier narrow ctx access misconfigured\n");
21352
+
verifier_bug(env, "narrow ctx access misconfigured");
21346
21353
return -EFAULT;
21347
21354
}
21348
21355
···
21361
21368
&target_size);
21362
21369
if (cnt == 0 || cnt >= INSN_BUF_SIZE ||
21363
21370
(ctx_field_size && !target_size)) {
21364
-
verbose(env, "bpf verifier is misconfigured\n");
21371
+
verifier_bug(env, "error during ctx access conversion");
21365
21372
return -EFAULT;
21366
21373
}
21367
21374
···
21369
21376
u8 shift = bpf_ctx_narrow_access_offset(
21370
21377
off, size, size_default) * 8;
21371
21378
if (shift && cnt + 1 >= INSN_BUF_SIZE) {
21372
-
verbose(env, "bpf verifier narrow ctx load misconfigured\n");
21379
+
verifier_bug(env, "narrow ctx load misconfigured");
21373
21380
return -EFAULT;
21374
21381
}
21375
21382
if (ctx_field_size <= 4) {
···
21800
21807
*/
21801
21808
desc = find_kfunc_desc(env->prog, insn->imm, insn->off);
21802
21809
if (!desc) {
21803
-
verbose(env, "verifier internal error: kernel function descriptor not found for func_id %u\n",
21804
-
insn->imm);
21810
+
verifier_bug(env, "kernel function descriptor not found for func_id %u",
21811
+
insn->imm);
21805
21812
return -EFAULT;
21806
21813
}
21807
21814
···
21816
21823
u64 obj_new_size = env->insn_aux_data[insn_idx].obj_new_size;
21817
21824
21818
21825
if (desc->func_id == special_kfunc_list[KF_bpf_percpu_obj_new_impl] && kptr_struct_meta) {
21819
-
verbose(env, "verifier internal error: NULL kptr_struct_meta expected at insn_idx %d\n",
21820
-
insn_idx);
21826
+
verifier_bug(env, "NULL kptr_struct_meta expected at insn_idx %d",
21827
+
insn_idx);
21821
21828
return -EFAULT;
21822
21829
}
21823
21830
···
21833
21840
struct bpf_insn addr[2] = { BPF_LD_IMM64(BPF_REG_2, (long)kptr_struct_meta) };
21834
21841
21835
21842
if (desc->func_id == special_kfunc_list[KF_bpf_percpu_obj_drop_impl] && kptr_struct_meta) {
21836
-
verbose(env, "verifier internal error: NULL kptr_struct_meta expected at insn_idx %d\n",
21837
-
insn_idx);
21843
+
verifier_bug(env, "NULL kptr_struct_meta expected at insn_idx %d",
21844
+
insn_idx);
21838
21845
return -EFAULT;
21839
21846
}
21840
21847
21841
21848
if (desc->func_id == special_kfunc_list[KF_bpf_refcount_acquire_impl] &&
21842
21849
!kptr_struct_meta) {
21843
-
verbose(env, "verifier internal error: kptr_struct_meta expected at insn_idx %d\n",
21844
-
insn_idx);
21850
+
verifier_bug(env, "kptr_struct_meta expected at insn_idx %d",
21851
+
insn_idx);
21845
21852
return -EFAULT;
21846
21853
}
21847
21854
···
21863
21870
}
21864
21871
21865
21872
if (!kptr_struct_meta) {
21866
-
verbose(env, "verifier internal error: kptr_struct_meta expected at insn_idx %d\n",
21867
-
insn_idx);
21873
+
verifier_bug(env, "kptr_struct_meta expected at insn_idx %d",
21874
+
insn_idx);
21868
21875
return -EFAULT;
21869
21876
}
21870
21877
···
21898
21905
21899
21906
/* We only reserve one slot for hidden subprogs in subprog_info. */
21900
21907
if (env->hidden_subprog_cnt) {
21901
-
verbose(env, "verifier internal error: only one hidden subprog supported\n");
21908
+
verifier_bug(env, "only one hidden subprog supported");
21902
21909
return -EFAULT;
21903
21910
}
21904
21911
/* We're not patching any existing instruction, just appending the new
···
22134
22141
BPF_MODE(insn->code) == BPF_IND)) {
22135
22142
cnt = env->ops->gen_ld_abs(insn, insn_buf);
22136
22143
if (cnt == 0 || cnt >= INSN_BUF_SIZE) {
22137
-
verbose(env, "bpf verifier is misconfigured\n");
22144
+
verifier_bug(env, "%d insns generated for ld_abs", cnt);
22138
22145
return -EFAULT;
22139
22146
}
22140
22147
···
22470
22477
if (cnt == -EOPNOTSUPP)
22471
22478
goto patch_map_ops_generic;
22472
22479
if (cnt <= 0 || cnt >= INSN_BUF_SIZE) {
22473
-
verbose(env, "bpf verifier is misconfigured\n");
22480
+
verifier_bug(env, "%d insns generated for map lookup", cnt);
22474
22481
return -EFAULT;
22475
22482
}
22476
22483
···
22758
22765
* programs to call them, must be real in-kernel functions
22759
22766
*/
22760
22767
if (!fn->func) {
22761
-
verbose(env,
22762
-
"kernel subsystem misconfigured func %s#%d\n",
22763
-
func_id_name(insn->imm), insn->imm);
22768
+
verifier_bug(env,
22769
+
"not inlined functions %s#%d is missing func",
22770
+
func_id_name(insn->imm), insn->imm);
22764
22771
return -EFAULT;
22765
22772
}
22766
22773
insn->imm = fn->func - __bpf_call_base;
···
22830
22837
if (!map_ptr->ops->map_poke_track ||
22831
22838
!map_ptr->ops->map_poke_untrack ||
22832
22839
!map_ptr->ops->map_poke_run) {
22833
-
verbose(env, "bpf verifier is misconfigured\n");
22840
+
verifier_bug(env, "poke tab is misconfigured");
22834
22841
return -EFAULT;
22835
22842
}
22836
22843
···
23148
23155
/* caller can pass either PTR_TO_ARENA or SCALAR */
23149
23156
mark_reg_unknown(env, regs, i);
23150
23157
} else {
23151
-
WARN_ONCE(1, "BUG: unhandled arg#%d type %d\n",
23152
-
i - BPF_REG_1, arg->arg_type);
23158
+
verifier_bug(env, "unhandled arg#%d type %d",
23159
+
i - BPF_REG_1, arg->arg_type);
23153
23160
ret = -EFAULT;
23154
23161
goto out;
23155
23162
}