bpf: split explored_states

split explored_states into prune_point boolean mark
and link list of explored states.
This removes STATE_LIST_MARK hack and allows marks to be separate from states.

Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>

diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
index 1305ccb..02bba09 100644 (file)
--- a/include/linux/bpf_verifier.h
+++ b/include/linux/bpf_verifier.h
@@ -233,6 +233,7 @@ struct bpf_insn_aux_data {
        int sanitize_stack_off; /* stack slot to be cleared */
        bool seen; /* this insn was processed by the verifier */
        u8 alu_state; /* used in combination with alu_limit */
+       bool prune_point;
        unsigned int orig_idx; /* original instruction index */
 };
 

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 736b5a0..6a3e69b 100644 (file)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -5436,7 +5436,6 @@ enum {
        BRANCH = 2,
 };
 
-#define STATE_LIST_MARK ((struct bpf_verifier_state_list *) -1L)
 static struct bpf_verifier_state_list **explored_state(
                                        struct bpf_verifier_env *env,
                                        int idx)
@@ -5446,7 +5445,7 @@ static struct bpf_verifier_state_list **explored_state(
 
 static void init_explored_state(struct bpf_verifier_env *env, int idx)
 {
-       env->explored_states[idx] = STATE_LIST_MARK;
+       env->insn_aux_data[idx].prune_point = true;
 }
 
 /* t, w, e - match pseudo-code above:
@@ -6018,10 +6017,7 @@ static void clean_live_states(struct bpf_verifier_env *env, int insn,
        int i;
 
        sl = *explored_state(env, insn);
-       if (!sl)
-               return;
-
-       while (sl != STATE_LIST_MARK) {
+       while (sl) {
                if (sl->state.curframe != cur->curframe)
                        goto next;
                for (i = 0; i <= cur->curframe; i++)
@@ -6376,18 +6372,18 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx)
        struct bpf_verifier_state *cur = env->cur_state, *new;
        int i, j, err, states_cnt = 0;
 
-       pprev = explored_state(env, insn_idx);
-       sl = *pprev;
-
-       if (!sl)
+       if (!env->insn_aux_data[insn_idx].prune_point)
                /* this 'insn_idx' instruction wasn't marked, so we will not
                 * be doing state search here
                 */
                return 0;
 
+       pprev = explored_state(env, insn_idx);
+       sl = *pprev;
+
        clean_live_states(env, insn_idx, cur);
 
-       while (sl != STATE_LIST_MARK) {
+       while (sl) {
                if (states_equal(env, &sl->state, cur)) {
                        sl->hit_cnt++;
                        /* reached equivalent register/stack state,
@@ -8145,13 +8141,12 @@ static void free_states(struct bpf_verifier_env *env)
        for (i = 0; i < env->prog->len; i++) {
                sl = env->explored_states[i];
 
-               if (sl)
-                       while (sl != STATE_LIST_MARK) {
-                               sln = sl->next;
-                               free_verifier_state(&sl->state, false);
-                               kfree(sl);
-                               sl = sln;
-                       }
+               while (sl) {
+                       sln = sl->next;
+                       free_verifier_state(&sl->state, false);
+                       kfree(sl);
+                       sl = sln;
+               }
        }
 
        kvfree(env->explored_states);