bpf: Support variable offset stack access from helpers

				BPF_SIZE(insn->code), BPF_WRITE, -1, true);

				BPF_SIZE(insn->code), BPF_WRITE, -1, true);

}

}

static int __check_stack_boundary(struct bpf_verifier_env *env, u32 regno,

				  int off, int access_size,

				  bool zero_size_allowed)

{

	struct bpf_reg_state *reg = reg_state(env, regno);

	if (off >= 0 || off < -MAX_BPF_STACK || off + access_size > 0 ||

	    access_size < 0 || (access_size == 0 && !zero_size_allowed)) {

		if (tnum_is_const(reg->var_off)) {

			verbose(env, "invalid stack type R%d off=%d access_size=%d\n",

				regno, off, access_size);

		} else {

			char tn_buf[48];

			tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);

			verbose(env, "invalid stack type R%d var_off=%s access_size=%d\n",

				regno, tn_buf, access_size);

		}

		return -EACCES;

	}

	return 0;

}

/* when register 'regno' is passed into function that will read 'access_size'

/* when register 'regno' is passed into function that will read 'access_size'

 * bytes from that pointer, make sure that it's within stack boundary

 * bytes from that pointer, make sure that it's within stack boundary

 * and all elements of stack are initialized.

 * and all elements of stack are initialized.

{

{

	struct bpf_reg_state *reg = reg_state(env, regno);

	struct bpf_reg_state *reg = reg_state(env, regno);

	struct bpf_func_state *state = func(env, reg);

	struct bpf_func_state *state = func(env, reg);

	int off, i, slot, spi;

	int err, min_off, max_off, i, slot, spi;

	if (reg->type != PTR_TO_STACK) {

	if (reg->type != PTR_TO_STACK) {

		/* Allow zero-byte read from NULL, regardless of pointer type */

		/* Allow zero-byte read from NULL, regardless of pointer type */

		return -EACCES;

		return -EACCES;

	}

	}

	/* Only allow fixed-offset stack reads */

	if (tnum_is_const(reg->var_off)) {

	if (!tnum_is_const(reg->var_off)) {

		min_off = max_off = reg->var_off.value + reg->off;

		char tn_buf[48];

		err = __check_stack_boundary(env, regno, min_off, access_size,

					     zero_size_allowed);

		tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);

		if (err)

		verbose(env, "invalid variable stack read R%d var_off=%s\n",

			return err;

			regno, tn_buf);

	} else {

		return -EACCES;

		min_off = reg->smin_value + reg->off;

	}

		max_off = reg->umax_value + reg->off;

	off = reg->off + reg->var_off.value;

		err = __check_stack_boundary(env, regno, min_off, access_size,

	if (off >= 0 || off < -MAX_BPF_STACK || off + access_size > 0 ||

					     zero_size_allowed);

	    access_size < 0 || (access_size == 0 && !zero_size_allowed)) {

		if (err)

		verbose(env, "invalid stack type R%d off=%d access_size=%d\n",

			return err;

			regno, off, access_size);

		err = __check_stack_boundary(env, regno, max_off, access_size,

		return -EACCES;

					     zero_size_allowed);

		if (err)

			return err;

	}

	}

	if (meta && meta->raw_mode) {

	if (meta && meta->raw_mode) {

		return 0;

		return 0;

	}

	}

	for (i = 0; i < access_size; i++) {

	for (i = min_off; i < max_off + access_size; i++) {

		u8 *stype;

		u8 *stype;

		slot = -(off + i) - 1;

		slot = -i - 1;

		spi = slot / BPF_REG_SIZE;

		spi = slot / BPF_REG_SIZE;

		if (state->allocated_stack <= slot)

		if (state->allocated_stack <= slot)

			goto err;

			goto err;

			goto mark;

			goto mark;

		}

		}

err:

err:

		if (tnum_is_const(reg->var_off)) {

			verbose(env, "invalid indirect read from stack off %d+%d size %d\n",

			verbose(env, "invalid indirect read from stack off %d+%d size %d\n",

			off, i, access_size);

				min_off, i - min_off, access_size);

		} else {

			char tn_buf[48];

			tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);

			verbose(env, "invalid indirect read from stack var_off %s+%d size %d\n",

				tn_buf, i - min_off, access_size);

		}

		return -EACCES;

		return -EACCES;

mark:

mark:

		/* reading any byte out of 8-byte 'spill_slot' will cause

		/* reading any byte out of 8-byte 'spill_slot' will cause

		mark_reg_read(env, &state->stack[spi].spilled_ptr,

		mark_reg_read(env, &state->stack[spi].spilled_ptr,

			      state->stack[spi].spilled_ptr.parent);

			      state->stack[spi].spilled_ptr.parent);

	}

	}

	return update_stack_depth(env, state, off);

	return update_stack_depth(env, state, min_off);

}

}

static int check_helper_mem_access(struct bpf_verifier_env *env, int regno,

static int check_helper_mem_access(struct bpf_verifier_env *env, int regno,