projects / GitHub / LineageOS / android_kernel_motorola_exynos9610.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge tag 'linux-kselftest-4.14-rc7' of git://git.kernel.org/pub/scm/linux/kernel...
[GitHub/LineageOS/android_kernel_motorola_exynos9610.git] / net / core / filter.c
1 /*
2 * Linux Socket Filter - Kernel level socket filtering
3 *
4 * Based on the design of the Berkeley Packet Filter. The new
5 * internal format has been designed by PLUMgrid:
6 *
7 * Copyright (c) 2011 - 2014 PLUMgrid, http://plumgrid.com
8 *
9 * Authors:
10 *
11 * Jay Schulist <jschlst@samba.org>
12 * Alexei Starovoitov <ast@plumgrid.com>
13 * Daniel Borkmann <dborkman@redhat.com>
14 *
15 * This program is free software; you can redistribute it and/or
16 * modify it under the terms of the GNU General Public License
17 * as published by the Free Software Foundation; either version
18 * 2 of the License, or (at your option) any later version.
19 *
20 * Andi Kleen - Fix a few bad bugs and races.
21 * Kris Katterjohn - Added many additional checks in bpf_check_classic()
22 */
23
24 #include <linux/module.h>
25 #include <linux/types.h>
26 #include <linux/mm.h>
27 #include <linux/fcntl.h>
28 #include <linux/socket.h>
29 #include <linux/sock_diag.h>
30 #include <linux/in.h>
31 #include <linux/inet.h>
32 #include <linux/netdevice.h>
33 #include <linux/if_packet.h>
34 #include <linux/if_arp.h>
35 #include <linux/gfp.h>
36 #include <net/ip.h>
37 #include <net/protocol.h>
38 #include <net/netlink.h>
39 #include <linux/skbuff.h>
40 #include <net/sock.h>
41 #include <net/flow_dissector.h>
42 #include <linux/errno.h>
43 #include <linux/timer.h>
44 #include <linux/uaccess.h>
45 #include <asm/unaligned.h>
46 #include <linux/filter.h>
47 #include <linux/ratelimit.h>
48 #include <linux/seccomp.h>
49 #include <linux/if_vlan.h>
50 #include <linux/bpf.h>
51 #include <net/sch_generic.h>
52 #include <net/cls_cgroup.h>
53 #include <net/dst_metadata.h>
54 #include <net/dst.h>
55 #include <net/sock_reuseport.h>
56 #include <net/busy_poll.h>
57 #include <net/tcp.h>
58 #include <linux/bpf_trace.h>
59
60 /**
61 * sk_filter_trim_cap - run a packet through a socket filter
62 * @sk: sock associated with &sk_buff
63 * @skb: buffer to filter
64 * @cap: limit on how short the eBPF program may trim the packet
65 *
66 * Run the eBPF program and then cut skb->data to correct size returned by
67 * the program. If pkt_len is 0 we toss packet. If skb->len is smaller
68 * than pkt_len we keep whole skb->data. This is the socket level
69 * wrapper to BPF_PROG_RUN. It returns 0 if the packet should
70 * be accepted or -EPERM if the packet should be tossed.
71 *
72 */
73 int sk_filter_trim_cap(struct sock *sk, struct sk_buff *skb, unsigned int cap)
74 {
75 int err;
76 struct sk_filter *filter;
77
78 /*
79 * If the skb was allocated from pfmemalloc reserves, only
80 * allow SOCK_MEMALLOC sockets to use it as this socket is
81 * helping free memory
82 */
83 if (skb_pfmemalloc(skb) && !sock_flag(sk, SOCK_MEMALLOC)) {
84 NET_INC_STATS(sock_net(sk), LINUX_MIB_PFMEMALLOCDROP);
85 return -ENOMEM;
86 }
87 err = BPF_CGROUP_RUN_PROG_INET_INGRESS(sk, skb);
88 if (err)
89 return err;
90
91 err = security_sock_rcv_skb(sk, skb);
92 if (err)
93 return err;
94
95 rcu_read_lock();
96 filter = rcu_dereference(sk->sk_filter);
97 if (filter) {
98 struct sock *save_sk = skb->sk;
99 unsigned int pkt_len;
100
101 skb->sk = sk;
102 pkt_len = bpf_prog_run_save_cb(filter->prog, skb);
103 skb->sk = save_sk;
104 err = pkt_len ? pskb_trim(skb, max(cap, pkt_len)) : -EPERM;
105 }
106 rcu_read_unlock();
107
108 return err;
109 }
110 EXPORT_SYMBOL(sk_filter_trim_cap);
111
112 BPF_CALL_1(__skb_get_pay_offset, struct sk_buff *, skb)
113 {
114 return skb_get_poff(skb);
115 }
116
117 BPF_CALL_3(__skb_get_nlattr, struct sk_buff *, skb, u32, a, u32, x)
118 {
119 struct nlattr *nla;
120
121 if (skb_is_nonlinear(skb))
122 return 0;
123
124 if (skb->len < sizeof(struct nlattr))
125 return 0;
126
127 if (a > skb->len - sizeof(struct nlattr))
128 return 0;
129
130 nla = nla_find((struct nlattr *) &skb->data[a], skb->len - a, x);
131 if (nla)
132 return (void *) nla - (void *) skb->data;
133
134 return 0;
135 }
136
137 BPF_CALL_3(__skb_get_nlattr_nest, struct sk_buff *, skb, u32, a, u32, x)
138 {
139 struct nlattr *nla;
140
141 if (skb_is_nonlinear(skb))
142 return 0;
143
144 if (skb->len < sizeof(struct nlattr))
145 return 0;
146
147 if (a > skb->len - sizeof(struct nlattr))
148 return 0;
149
150 nla = (struct nlattr *) &skb->data[a];
151 if (nla->nla_len > skb->len - a)
152 return 0;
153
154 nla = nla_find_nested(nla, x);
155 if (nla)
156 return (void *) nla - (void *) skb->data;
157
158 return 0;
159 }
160
161 BPF_CALL_0(__get_raw_cpu_id)
162 {
163 return raw_smp_processor_id();
164 }
165
166 static const struct bpf_func_proto bpf_get_raw_smp_processor_id_proto = {
167 .func = __get_raw_cpu_id,
168 .gpl_only = false,
169 .ret_type = RET_INTEGER,
170 };
171
172 static u32 convert_skb_access(int skb_field, int dst_reg, int src_reg,
173 struct bpf_insn *insn_buf)
174 {
175 struct bpf_insn *insn = insn_buf;
176
177 switch (skb_field) {
178 case SKF_AD_MARK:
179 BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, mark) != 4);
180
181 *insn++ = BPF_LDX_MEM(BPF_W, dst_reg, src_reg,
182 offsetof(struct sk_buff, mark));
183 break;
184
185 case SKF_AD_PKTTYPE:
186 *insn++ = BPF_LDX_MEM(BPF_B, dst_reg, src_reg, PKT_TYPE_OFFSET());
187 *insn++ = BPF_ALU32_IMM(BPF_AND, dst_reg, PKT_TYPE_MAX);
188 #ifdef __BIG_ENDIAN_BITFIELD
189 *insn++ = BPF_ALU32_IMM(BPF_RSH, dst_reg, 5);
190 #endif
191 break;
192
193 case SKF_AD_QUEUE:
194 BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, queue_mapping) != 2);
195
196 *insn++ = BPF_LDX_MEM(BPF_H, dst_reg, src_reg,
197 offsetof(struct sk_buff, queue_mapping));
198 break;
199
200 case SKF_AD_VLAN_TAG:
201 case SKF_AD_VLAN_TAG_PRESENT:
202 BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, vlan_tci) != 2);
203 BUILD_BUG_ON(VLAN_TAG_PRESENT != 0x1000);
204
205 /* dst_reg = *(u16 *) (src_reg + offsetof(vlan_tci)) */
206 *insn++ = BPF_LDX_MEM(BPF_H, dst_reg, src_reg,
207 offsetof(struct sk_buff, vlan_tci));
208 if (skb_field == SKF_AD_VLAN_TAG) {
209 *insn++ = BPF_ALU32_IMM(BPF_AND, dst_reg,
210 ~VLAN_TAG_PRESENT);
211 } else {
212 /* dst_reg >>= 12 */
213 *insn++ = BPF_ALU32_IMM(BPF_RSH, dst_reg, 12);
214 /* dst_reg &= 1 */
215 *insn++ = BPF_ALU32_IMM(BPF_AND, dst_reg, 1);
216 }
217 break;
218 }
219
220 return insn - insn_buf;
221 }
222
223 static bool convert_bpf_extensions(struct sock_filter *fp,
224 struct bpf_insn **insnp)
225 {
226 struct bpf_insn *insn = *insnp;
227 u32 cnt;
228
229 switch (fp->k) {
230 case SKF_AD_OFF + SKF_AD_PROTOCOL:
231 BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, protocol) != 2);
232
233 /* A = *(u16 *) (CTX + offsetof(protocol)) */
234 *insn++ = BPF_LDX_MEM(BPF_H, BPF_REG_A, BPF_REG_CTX,
235 offsetof(struct sk_buff, protocol));
236 /* A = ntohs(A) [emitting a nop or swap16] */
237 *insn = BPF_ENDIAN(BPF_FROM_BE, BPF_REG_A, 16);
238 break;
239
240 case SKF_AD_OFF + SKF_AD_PKTTYPE:
241 cnt = convert_skb_access(SKF_AD_PKTTYPE, BPF_REG_A, BPF_REG_CTX, insn);
242 insn += cnt - 1;
243 break;
244
245 case SKF_AD_OFF + SKF_AD_IFINDEX:
246 case SKF_AD_OFF + SKF_AD_HATYPE:
247 BUILD_BUG_ON(FIELD_SIZEOF(struct net_device, ifindex) != 4);
248 BUILD_BUG_ON(FIELD_SIZEOF(struct net_device, type) != 2);
249
250 *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct sk_buff, dev),
251 BPF_REG_TMP, BPF_REG_CTX,
252 offsetof(struct sk_buff, dev));
253 /* if (tmp != 0) goto pc + 1 */
254 *insn++ = BPF_JMP_IMM(BPF_JNE, BPF_REG_TMP, 0, 1);
255 *insn++ = BPF_EXIT_INSN();
256 if (fp->k == SKF_AD_OFF + SKF_AD_IFINDEX)
257 *insn = BPF_LDX_MEM(BPF_W, BPF_REG_A, BPF_REG_TMP,
258 offsetof(struct net_device, ifindex));
259 else
260 *insn = BPF_LDX_MEM(BPF_H, BPF_REG_A, BPF_REG_TMP,
261 offsetof(struct net_device, type));
262 break;
263
264 case SKF_AD_OFF + SKF_AD_MARK:
265 cnt = convert_skb_access(SKF_AD_MARK, BPF_REG_A, BPF_REG_CTX, insn);
266 insn += cnt - 1;
267 break;
268
269 case SKF_AD_OFF + SKF_AD_RXHASH:
270 BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, hash) != 4);
271
272 *insn = BPF_LDX_MEM(BPF_W, BPF_REG_A, BPF_REG_CTX,
273 offsetof(struct sk_buff, hash));
274 break;
275
276 case SKF_AD_OFF + SKF_AD_QUEUE:
277 cnt = convert_skb_access(SKF_AD_QUEUE, BPF_REG_A, BPF_REG_CTX, insn);
278 insn += cnt - 1;
279 break;
280
281 case SKF_AD_OFF + SKF_AD_VLAN_TAG:
282 cnt = convert_skb_access(SKF_AD_VLAN_TAG,
283 BPF_REG_A, BPF_REG_CTX, insn);
284 insn += cnt - 1;
285 break;
286
287 case SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT:
288 cnt = convert_skb_access(SKF_AD_VLAN_TAG_PRESENT,
289 BPF_REG_A, BPF_REG_CTX, insn);
290 insn += cnt - 1;
291 break;
292
293 case SKF_AD_OFF + SKF_AD_VLAN_TPID:
294 BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, vlan_proto) != 2);
295
296 /* A = *(u16 *) (CTX + offsetof(vlan_proto)) */
297 *insn++ = BPF_LDX_MEM(BPF_H, BPF_REG_A, BPF_REG_CTX,
298 offsetof(struct sk_buff, vlan_proto));
299 /* A = ntohs(A) [emitting a nop or swap16] */
300 *insn = BPF_ENDIAN(BPF_FROM_BE, BPF_REG_A, 16);
301 break;
302
303 case SKF_AD_OFF + SKF_AD_PAY_OFFSET:
304 case SKF_AD_OFF + SKF_AD_NLATTR:
305 case SKF_AD_OFF + SKF_AD_NLATTR_NEST:
306 case SKF_AD_OFF + SKF_AD_CPU:
307 case SKF_AD_OFF + SKF_AD_RANDOM:
308 /* arg1 = CTX */
309 *insn++ = BPF_MOV64_REG(BPF_REG_ARG1, BPF_REG_CTX);
310 /* arg2 = A */
311 *insn++ = BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_A);
312 /* arg3 = X */
313 *insn++ = BPF_MOV64_REG(BPF_REG_ARG3, BPF_REG_X);
314 /* Emit call(arg1=CTX, arg2=A, arg3=X) */
315 switch (fp->k) {
316 case SKF_AD_OFF + SKF_AD_PAY_OFFSET:
317 *insn = BPF_EMIT_CALL(__skb_get_pay_offset);
318 break;
319 case SKF_AD_OFF + SKF_AD_NLATTR:
320 *insn = BPF_EMIT_CALL(__skb_get_nlattr);
321 break;
322 case SKF_AD_OFF + SKF_AD_NLATTR_NEST:
323 *insn = BPF_EMIT_CALL(__skb_get_nlattr_nest);
324 break;
325 case SKF_AD_OFF + SKF_AD_CPU:
326 *insn = BPF_EMIT_CALL(__get_raw_cpu_id);
327 break;
328 case SKF_AD_OFF + SKF_AD_RANDOM:
329 *insn = BPF_EMIT_CALL(bpf_user_rnd_u32);
330 bpf_user_rnd_init_once();
331 break;
332 }
333 break;
334
335 case SKF_AD_OFF + SKF_AD_ALU_XOR_X:
336 /* A ^= X */
337 *insn = BPF_ALU32_REG(BPF_XOR, BPF_REG_A, BPF_REG_X);
338 break;
339
340 default:
341 /* This is just a dummy call to avoid letting the compiler
342 * evict __bpf_call_base() as an optimization. Placed here
343 * where no-one bothers.
344 */
345 BUG_ON(__bpf_call_base(0, 0, 0, 0, 0) != 0);
346 return false;
347 }
348
349 *insnp = insn;
350 return true;
351 }
352
353 /**
354 * bpf_convert_filter - convert filter program
355 * @prog: the user passed filter program
356 * @len: the length of the user passed filter program
357 * @new_prog: allocated 'struct bpf_prog' or NULL
358 * @new_len: pointer to store length of converted program
359 *
360 * Remap 'sock_filter' style classic BPF (cBPF) instruction set to 'bpf_insn'
361 * style extended BPF (eBPF).
362 * Conversion workflow:
363 *
364 * 1) First pass for calculating the new program length:
365 * bpf_convert_filter(old_prog, old_len, NULL, &new_len)
366 *
367 * 2) 2nd pass to remap in two passes: 1st pass finds new
368 * jump offsets, 2nd pass remapping:
369 * bpf_convert_filter(old_prog, old_len, new_prog, &new_len);
370 */
371 static int bpf_convert_filter(struct sock_filter *prog, int len,
372 struct bpf_prog *new_prog, int *new_len)
373 {
374 int new_flen = 0, pass = 0, target, i, stack_off;
375 struct bpf_insn *new_insn, *first_insn = NULL;
376 struct sock_filter *fp;
377 int *addrs = NULL;
378 u8 bpf_src;
379
380 BUILD_BUG_ON(BPF_MEMWORDS * sizeof(u32) > MAX_BPF_STACK);
381 BUILD_BUG_ON(BPF_REG_FP + 1 != MAX_BPF_REG);
382
383 if (len <= 0 || len > BPF_MAXINSNS)
384 return -EINVAL;
385
386 if (new_prog) {
387 first_insn = new_prog->insnsi;
388 addrs = kcalloc(len, sizeof(*addrs),
389 GFP_KERNEL | __GFP_NOWARN);
390 if (!addrs)
391 return -ENOMEM;
392 }
393
394 do_pass:
395 new_insn = first_insn;
396 fp = prog;
397
398 /* Classic BPF related prologue emission. */
399 if (new_prog) {
400 /* Classic BPF expects A and X to be reset first. These need
401 * to be guaranteed to be the first two instructions.
402 */
403 *new_insn++ = BPF_ALU64_REG(BPF_XOR, BPF_REG_A, BPF_REG_A);
404 *new_insn++ = BPF_ALU64_REG(BPF_XOR, BPF_REG_X, BPF_REG_X);
405
406 /* All programs must keep CTX in callee saved BPF_REG_CTX.
407 * In eBPF case it's done by the compiler, here we need to
408 * do this ourself. Initial CTX is present in BPF_REG_ARG1.
409 */
410 *new_insn++ = BPF_MOV64_REG(BPF_REG_CTX, BPF_REG_ARG1);
411 } else {
412 new_insn += 3;
413 }
414
415 for (i = 0; i < len; fp++, i++) {
416 struct bpf_insn tmp_insns[6] = { };
417 struct bpf_insn *insn = tmp_insns;
418
419 if (addrs)
420 addrs[i] = new_insn - first_insn;
421
422 switch (fp->code) {
423 /* All arithmetic insns and skb loads map as-is. */
424 case BPF_ALU | BPF_ADD | BPF_X:
425 case BPF_ALU | BPF_ADD | BPF_K:
426 case BPF_ALU | BPF_SUB | BPF_X:
427 case BPF_ALU | BPF_SUB | BPF_K:
428 case BPF_ALU | BPF_AND | BPF_X:
429 case BPF_ALU | BPF_AND | BPF_K:
430 case BPF_ALU | BPF_OR | BPF_X:
431 case BPF_ALU | BPF_OR | BPF_K:
432 case BPF_ALU | BPF_LSH | BPF_X:
433 case BPF_ALU | BPF_LSH | BPF_K:
434 case BPF_ALU | BPF_RSH | BPF_X:
435 case BPF_ALU | BPF_RSH | BPF_K:
436 case BPF_ALU | BPF_XOR | BPF_X:
437 case BPF_ALU | BPF_XOR | BPF_K:
438 case BPF_ALU | BPF_MUL | BPF_X:
439 case BPF_ALU | BPF_MUL | BPF_K:
440 case BPF_ALU | BPF_DIV | BPF_X:
441 case BPF_ALU | BPF_DIV | BPF_K:
442 case BPF_ALU | BPF_MOD | BPF_X:
443 case BPF_ALU | BPF_MOD | BPF_K:
444 case BPF_ALU | BPF_NEG:
445 case BPF_LD | BPF_ABS | BPF_W:
446 case BPF_LD | BPF_ABS | BPF_H:
447 case BPF_LD | BPF_ABS | BPF_B:
448 case BPF_LD | BPF_IND | BPF_W:
449 case BPF_LD | BPF_IND | BPF_H:
450 case BPF_LD | BPF_IND | BPF_B:
451 /* Check for overloaded BPF extension and
452 * directly convert it if found, otherwise
453 * just move on with mapping.
454 */
455 if (BPF_CLASS(fp->code) == BPF_LD &&
456 BPF_MODE(fp->code) == BPF_ABS &&
457 convert_bpf_extensions(fp, &insn))
458 break;
459
460 *insn = BPF_RAW_INSN(fp->code, BPF_REG_A, BPF_REG_X, 0, fp->k);
461 break;
462
463 /* Jump transformation cannot use BPF block macros
464 * everywhere as offset calculation and target updates
465 * require a bit more work than the rest, i.e. jump
466 * opcodes map as-is, but offsets need adjustment.
467 */
468
469 #define BPF_EMIT_JMP \
470 do { \
471 if (target >= len || target < 0) \
472 goto err; \
473 insn->off = addrs ? addrs[target] - addrs[i] - 1 : 0; \
474 /* Adjust pc relative offset for 2nd or 3rd insn. */ \
475 insn->off -= insn - tmp_insns; \
476 } while (0)
477
478 case BPF_JMP | BPF_JA:
479 target = i + fp->k + 1;
480 insn->code = fp->code;
481 BPF_EMIT_JMP;
482 break;
483
484 case BPF_JMP | BPF_JEQ | BPF_K:
485 case BPF_JMP | BPF_JEQ | BPF_X:
486 case BPF_JMP | BPF_JSET | BPF_K:
487 case BPF_JMP | BPF_JSET | BPF_X:
488 case BPF_JMP | BPF_JGT | BPF_K:
489 case BPF_JMP | BPF_JGT | BPF_X:
490 case BPF_JMP | BPF_JGE | BPF_K:
491 case BPF_JMP | BPF_JGE | BPF_X:
492 if (BPF_SRC(fp->code) == BPF_K && (int) fp->k < 0) {
493 /* BPF immediates are signed, zero extend
494 * immediate into tmp register and use it
495 * in compare insn.
496 */
497 *insn++ = BPF_MOV32_IMM(BPF_REG_TMP, fp->k);
498
499 insn->dst_reg = BPF_REG_A;
500 insn->src_reg = BPF_REG_TMP;
501 bpf_src = BPF_X;
502 } else {
503 insn->dst_reg = BPF_REG_A;
504 insn->imm = fp->k;
505 bpf_src = BPF_SRC(fp->code);
506 insn->src_reg = bpf_src == BPF_X ? BPF_REG_X : 0;
507 }
508
509 /* Common case where 'jump_false' is next insn. */
510 if (fp->jf == 0) {
511 insn->code = BPF_JMP | BPF_OP(fp->code) | bpf_src;
512 target = i + fp->jt + 1;
513 BPF_EMIT_JMP;
514 break;
515 }
516
517 /* Convert some jumps when 'jump_true' is next insn. */
518 if (fp->jt == 0) {
519 switch (BPF_OP(fp->code)) {
520 case BPF_JEQ:
521 insn->code = BPF_JMP | BPF_JNE | bpf_src;
522 break;
523 case BPF_JGT:
524 insn->code = BPF_JMP | BPF_JLE | bpf_src;
525 break;
526 case BPF_JGE:
527 insn->code = BPF_JMP | BPF_JLT | bpf_src;
528 break;
529 default:
530 goto jmp_rest;
531 }
532
533 target = i + fp->jf + 1;
534 BPF_EMIT_JMP;
535 break;
536 }
537 jmp_rest:
538 /* Other jumps are mapped into two insns: Jxx and JA. */
539 target = i + fp->jt + 1;
540 insn->code = BPF_JMP | BPF_OP(fp->code) | bpf_src;
541 BPF_EMIT_JMP;
542 insn++;
543
544 insn->code = BPF_JMP | BPF_JA;
545 target = i + fp->jf + 1;
546 BPF_EMIT_JMP;
547 break;
548
549 /* ldxb 4 * ([14] & 0xf) is remaped into 6 insns. */
550 case BPF_LDX | BPF_MSH | BPF_B:
551 /* tmp = A */
552 *insn++ = BPF_MOV64_REG(BPF_REG_TMP, BPF_REG_A);
553 /* A = BPF_R0 = *(u8 *) (skb->data + K) */
554 *insn++ = BPF_LD_ABS(BPF_B, fp->k);
555 /* A &= 0xf */
556 *insn++ = BPF_ALU32_IMM(BPF_AND, BPF_REG_A, 0xf);
557 /* A <<= 2 */
558 *insn++ = BPF_ALU32_IMM(BPF_LSH, BPF_REG_A, 2);
559 /* X = A */
560 *insn++ = BPF_MOV64_REG(BPF_REG_X, BPF_REG_A);
561 /* A = tmp */
562 *insn = BPF_MOV64_REG(BPF_REG_A, BPF_REG_TMP);
563 break;
564
565 /* RET_K is remaped into 2 insns. RET_A case doesn't need an
566 * extra mov as BPF_REG_0 is already mapped into BPF_REG_A.
567 */
568 case BPF_RET | BPF_A:
569 case BPF_RET | BPF_K:
570 if (BPF_RVAL(fp->code) == BPF_K)
571 *insn++ = BPF_MOV32_RAW(BPF_K, BPF_REG_0,
572 0, fp->k);
573 *insn = BPF_EXIT_INSN();
574 break;
575
576 /* Store to stack. */
577 case BPF_ST:
578 case BPF_STX:
579 stack_off = fp->k * 4 + 4;
580 *insn = BPF_STX_MEM(BPF_W, BPF_REG_FP, BPF_CLASS(fp->code) ==
581 BPF_ST ? BPF_REG_A : BPF_REG_X,
582 -stack_off);
583 /* check_load_and_stores() verifies that classic BPF can
584 * load from stack only after write, so tracking
585 * stack_depth for ST|STX insns is enough
586 */
587 if (new_prog && new_prog->aux->stack_depth < stack_off)
588 new_prog->aux->stack_depth = stack_off;
589 break;
590
591 /* Load from stack. */
592 case BPF_LD | BPF_MEM:
593 case BPF_LDX | BPF_MEM:
594 stack_off = fp->k * 4 + 4;
595 *insn = BPF_LDX_MEM(BPF_W, BPF_CLASS(fp->code) == BPF_LD ?
596 BPF_REG_A : BPF_REG_X, BPF_REG_FP,
597 -stack_off);
598 break;
599
600 /* A = K or X = K */
601 case BPF_LD | BPF_IMM:
602 case BPF_LDX | BPF_IMM:
603 *insn = BPF_MOV32_IMM(BPF_CLASS(fp->code) == BPF_LD ?
604 BPF_REG_A : BPF_REG_X, fp->k);
605 break;
606
607 /* X = A */
608 case BPF_MISC | BPF_TAX:
609 *insn = BPF_MOV64_REG(BPF_REG_X, BPF_REG_A);
610 break;
611
612 /* A = X */
613 case BPF_MISC | BPF_TXA:
614 *insn = BPF_MOV64_REG(BPF_REG_A, BPF_REG_X);
615 break;
616
617 /* A = skb->len or X = skb->len */
618 case BPF_LD | BPF_W | BPF_LEN:
619 case BPF_LDX | BPF_W | BPF_LEN:
620 *insn = BPF_LDX_MEM(BPF_W, BPF_CLASS(fp->code) == BPF_LD ?
621 BPF_REG_A : BPF_REG_X, BPF_REG_CTX,
622 offsetof(struct sk_buff, len));
623 break;
624
625 /* Access seccomp_data fields. */
626 case BPF_LDX | BPF_ABS | BPF_W:
627 /* A = *(u32 *) (ctx + K) */
628 *insn = BPF_LDX_MEM(BPF_W, BPF_REG_A, BPF_REG_CTX, fp->k);
629 break;
630
631 /* Unknown instruction. */
632 default:
633 goto err;
634 }
635
636 insn++;
637 if (new_prog)
638 memcpy(new_insn, tmp_insns,
639 sizeof(*insn) * (insn - tmp_insns));
640 new_insn += insn - tmp_insns;
641 }
642
643 if (!new_prog) {
644 /* Only calculating new length. */
645 *new_len = new_insn - first_insn;
646 return 0;
647 }
648
649 pass++;
650 if (new_flen != new_insn - first_insn) {
651 new_flen = new_insn - first_insn;
652 if (pass > 2)
653 goto err;
654 goto do_pass;
655 }
656
657 kfree(addrs);
658 BUG_ON(*new_len != new_flen);
659 return 0;
660 err:
661 kfree(addrs);
662 return -EINVAL;
663 }
664
665 /* Security:
666 *
667 * As we dont want to clear mem[] array for each packet going through
668 * __bpf_prog_run(), we check that filter loaded by user never try to read
669 * a cell if not previously written, and we check all branches to be sure
670 * a malicious user doesn't try to abuse us.
671 */
672 static int check_load_and_stores(const struct sock_filter *filter, int flen)
673 {
674 u16 *masks, memvalid = 0; /* One bit per cell, 16 cells */
675 int pc, ret = 0;
676
677 BUILD_BUG_ON(BPF_MEMWORDS > 16);
678
679 masks = kmalloc_array(flen, sizeof(*masks), GFP_KERNEL);
680 if (!masks)
681 return -ENOMEM;
682
683 memset(masks, 0xff, flen * sizeof(*masks));
684
685 for (pc = 0; pc < flen; pc++) {
686 memvalid &= masks[pc];
687
688 switch (filter[pc].code) {
689 case BPF_ST:
690 case BPF_STX:
691 memvalid |= (1 << filter[pc].k);
692 break;
693 case BPF_LD | BPF_MEM:
694 case BPF_LDX | BPF_MEM:
695 if (!(memvalid & (1 << filter[pc].k))) {
696 ret = -EINVAL;
697 goto error;
698 }
699 break;
700 case BPF_JMP | BPF_JA:
701 /* A jump must set masks on target */
702 masks[pc + 1 + filter[pc].k] &= memvalid;
703 memvalid = ~0;
704 break;
705 case BPF_JMP | BPF_JEQ | BPF_K:
706 case BPF_JMP | BPF_JEQ | BPF_X:
707 case BPF_JMP | BPF_JGE | BPF_K:
708 case BPF_JMP | BPF_JGE | BPF_X:
709 case BPF_JMP | BPF_JGT | BPF_K:
710 case BPF_JMP | BPF_JGT | BPF_X:
711 case BPF_JMP | BPF_JSET | BPF_K:
712 case BPF_JMP | BPF_JSET | BPF_X:
713 /* A jump must set masks on targets */
714 masks[pc + 1 + filter[pc].jt] &= memvalid;
715 masks[pc + 1 + filter[pc].jf] &= memvalid;
716 memvalid = ~0;
717 break;
718 }
719 }
720 error:
721 kfree(masks);
722 return ret;
723 }
724
725 static bool chk_code_allowed(u16 code_to_probe)
726 {
727 static const bool codes[] = {
728 /* 32 bit ALU operations */
729 [BPF_ALU | BPF_ADD | BPF_K] = true,
730 [BPF_ALU | BPF_ADD | BPF_X] = true,
731 [BPF_ALU | BPF_SUB | BPF_K] = true,
732 [BPF_ALU | BPF_SUB | BPF_X] = true,
733 [BPF_ALU | BPF_MUL | BPF_K] = true,
734 [BPF_ALU | BPF_MUL | BPF_X] = true,
735 [BPF_ALU | BPF_DIV | BPF_K] = true,
736 [BPF_ALU | BPF_DIV | BPF_X] = true,
737 [BPF_ALU | BPF_MOD | BPF_K] = true,
738 [BPF_ALU | BPF_MOD | BPF_X] = true,
739 [BPF_ALU | BPF_AND | BPF_K] = true,
740 [BPF_ALU | BPF_AND | BPF_X] = true,
741 [BPF_ALU | BPF_OR | BPF_K] = true,
742 [BPF_ALU | BPF_OR | BPF_X] = true,
743 [BPF_ALU | BPF_XOR | BPF_K] = true,
744 [BPF_ALU | BPF_XOR | BPF_X] = true,
745 [BPF_ALU | BPF_LSH | BPF_K] = true,
746 [BPF_ALU | BPF_LSH | BPF_X] = true,
747 [BPF_ALU | BPF_RSH | BPF_K] = true,
748 [BPF_ALU | BPF_RSH | BPF_X] = true,
749 [BPF_ALU | BPF_NEG] = true,
750 /* Load instructions */
751 [BPF_LD | BPF_W | BPF_ABS] = true,
752 [BPF_LD | BPF_H | BPF_ABS] = true,
753 [BPF_LD | BPF_B | BPF_ABS] = true,
754 [BPF_LD | BPF_W | BPF_LEN] = true,
755 [BPF_LD | BPF_W | BPF_IND] = true,
756 [BPF_LD | BPF_H | BPF_IND] = true,
757 [BPF_LD | BPF_B | BPF_IND] = true,
758 [BPF_LD | BPF_IMM] = true,
759 [BPF_LD | BPF_MEM] = true,
760 [BPF_LDX | BPF_W | BPF_LEN] = true,
761 [BPF_LDX | BPF_B | BPF_MSH] = true,
762 [BPF_LDX | BPF_IMM] = true,
763 [BPF_LDX | BPF_MEM] = true,
764 /* Store instructions */
765 [BPF_ST] = true,
766 [BPF_STX] = true,
767 /* Misc instructions */
768 [BPF_MISC | BPF_TAX] = true,
769 [BPF_MISC | BPF_TXA] = true,
770 /* Return instructions */
771 [BPF_RET | BPF_K] = true,
772 [BPF_RET | BPF_A] = true,
773 /* Jump instructions */
774 [BPF_JMP | BPF_JA] = true,
775 [BPF_JMP | BPF_JEQ | BPF_K] = true,
776 [BPF_JMP | BPF_JEQ | BPF_X] = true,
777 [BPF_JMP | BPF_JGE | BPF_K] = true,
778 [BPF_JMP | BPF_JGE | BPF_X] = true,
779 [BPF_JMP | BPF_JGT | BPF_K] = true,
780 [BPF_JMP | BPF_JGT | BPF_X] = true,
781 [BPF_JMP | BPF_JSET | BPF_K] = true,
782 [BPF_JMP | BPF_JSET | BPF_X] = true,
783 };
784
785 if (code_to_probe >= ARRAY_SIZE(codes))
786 return false;
787
788 return codes[code_to_probe];
789 }
790
791 static bool bpf_check_basics_ok(const struct sock_filter *filter,
792 unsigned int flen)
793 {
794 if (filter == NULL)
795 return false;
796 if (flen == 0 || flen > BPF_MAXINSNS)
797 return false;
798
799 return true;
800 }
801
802 /**
803 * bpf_check_classic - verify socket filter code
804 * @filter: filter to verify
805 * @flen: length of filter
806 *
807 * Check the user's filter code. If we let some ugly
808 * filter code slip through kaboom! The filter must contain
809 * no references or jumps that are out of range, no illegal
810 * instructions, and must end with a RET instruction.
811 *
812 * All jumps are forward as they are not signed.
813 *
814 * Returns 0 if the rule set is legal or -EINVAL if not.
815 */
816 static int bpf_check_classic(const struct sock_filter *filter,
817 unsigned int flen)
818 {
819 bool anc_found;
820 int pc;
821
822 /* Check the filter code now */
823 for (pc = 0; pc < flen; pc++) {
824 const struct sock_filter *ftest = &filter[pc];
825
826 /* May we actually operate on this code? */
827 if (!chk_code_allowed(ftest->code))
828 return -EINVAL;
829
830 /* Some instructions need special checks */
831 switch (ftest->code) {
832 case BPF_ALU | BPF_DIV | BPF_K:
833 case BPF_ALU | BPF_MOD | BPF_K:
834 /* Check for division by zero */
835 if (ftest->k == 0)
836 return -EINVAL;
837 break;
838 case BPF_ALU | BPF_LSH | BPF_K:
839 case BPF_ALU | BPF_RSH | BPF_K:
840 if (ftest->k >= 32)
841 return -EINVAL;
842 break;
843 case BPF_LD | BPF_MEM:
844 case BPF_LDX | BPF_MEM:
845 case BPF_ST:
846 case BPF_STX:
847 /* Check for invalid memory addresses */
848 if (ftest->k >= BPF_MEMWORDS)
849 return -EINVAL;
850 break;
851 case BPF_JMP | BPF_JA:
852 /* Note, the large ftest->k might cause loops.
853 * Compare this with conditional jumps below,
854 * where offsets are limited. --ANK (981016)
855 */
856 if (ftest->k >= (unsigned int)(flen - pc - 1))
857 return -EINVAL;
858 break;
859 case BPF_JMP | BPF_JEQ | BPF_K:
860 case BPF_JMP | BPF_JEQ | BPF_X:
861 case BPF_JMP | BPF_JGE | BPF_K:
862 case BPF_JMP | BPF_JGE | BPF_X:
863 case BPF_JMP | BPF_JGT | BPF_K:
864 case BPF_JMP | BPF_JGT | BPF_X:
865 case BPF_JMP | BPF_JSET | BPF_K:
866 case BPF_JMP | BPF_JSET | BPF_X:
867 /* Both conditionals must be safe */
868 if (pc + ftest->jt + 1 >= flen ||
869 pc + ftest->jf + 1 >= flen)
870 return -EINVAL;
871 break;
872 case BPF_LD | BPF_W | BPF_ABS:
873 case BPF_LD | BPF_H | BPF_ABS:
874 case BPF_LD | BPF_B | BPF_ABS:
875 anc_found = false;
876 if (bpf_anc_helper(ftest) & BPF_ANC)
877 anc_found = true;
878 /* Ancillary operation unknown or unsupported */
879 if (anc_found == false && ftest->k >= SKF_AD_OFF)
880 return -EINVAL;
881 }
882 }
883
884 /* Last instruction must be a RET code */
885 switch (filter[flen - 1].code) {
886 case BPF_RET | BPF_K:
887 case BPF_RET | BPF_A:
888 return check_load_and_stores(filter, flen);
889 }
890
891 return -EINVAL;
892 }
893
894 static int bpf_prog_store_orig_filter(struct bpf_prog *fp,
895 const struct sock_fprog *fprog)
896 {
897 unsigned int fsize = bpf_classic_proglen(fprog);
898 struct sock_fprog_kern *fkprog;
899
900 fp->orig_prog = kmalloc(sizeof(*fkprog), GFP_KERNEL);
901 if (!fp->orig_prog)
902 return -ENOMEM;
903
904 fkprog = fp->orig_prog;
905 fkprog->len = fprog->len;
906
907 fkprog->filter = kmemdup(fp->insns, fsize,
908 GFP_KERNEL | __GFP_NOWARN);
909 if (!fkprog->filter) {
910 kfree(fp->orig_prog);
911 return -ENOMEM;
912 }
913
914 return 0;
915 }
916
917 static void bpf_release_orig_filter(struct bpf_prog *fp)
918 {
919 struct sock_fprog_kern *fprog = fp->orig_prog;
920
921 if (fprog) {
922 kfree(fprog->filter);
923 kfree(fprog);
924 }
925 }
926
927 static void __bpf_prog_release(struct bpf_prog *prog)
928 {
929 if (prog->type == BPF_PROG_TYPE_SOCKET_FILTER) {
930 bpf_prog_put(prog);
931 } else {
932 bpf_release_orig_filter(prog);
933 bpf_prog_free(prog);
934 }
935 }
936
937 static void __sk_filter_release(struct sk_filter *fp)
938 {
939 __bpf_prog_release(fp->prog);
940 kfree(fp);
941 }
942
943 /**
944 * sk_filter_release_rcu - Release a socket filter by rcu_head
945 * @rcu: rcu_head that contains the sk_filter to free
946 */
947 static void sk_filter_release_rcu(struct rcu_head *rcu)
948 {
949 struct sk_filter *fp = container_of(rcu, struct sk_filter, rcu);
950
951 __sk_filter_release(fp);
952 }
953
954 /**
955 * sk_filter_release - release a socket filter
956 * @fp: filter to remove
957 *
958 * Remove a filter from a socket and release its resources.
959 */
960 static void sk_filter_release(struct sk_filter *fp)
961 {
962 if (refcount_dec_and_test(&fp->refcnt))
963 call_rcu(&fp->rcu, sk_filter_release_rcu);
964 }
965
966 void sk_filter_uncharge(struct sock *sk, struct sk_filter *fp)
967 {
968 u32 filter_size = bpf_prog_size(fp->prog->len);
969
970 atomic_sub(filter_size, &sk->sk_omem_alloc);
971 sk_filter_release(fp);
972 }
973
974 /* try to charge the socket memory if there is space available
975 * return true on success
976 */
977 static bool __sk_filter_charge(struct sock *sk, struct sk_filter *fp)
978 {
979 u32 filter_size = bpf_prog_size(fp->prog->len);
980
981 /* same check as in sock_kmalloc() */
982 if (filter_size <= sysctl_optmem_max &&
983 atomic_read(&sk->sk_omem_alloc) + filter_size < sysctl_optmem_max) {
984 atomic_add(filter_size, &sk->sk_omem_alloc);
985 return true;
986 }
987 return false;
988 }
989
990 bool sk_filter_charge(struct sock *sk, struct sk_filter *fp)
991 {
992 if (!refcount_inc_not_zero(&fp->refcnt))
993 return false;
994
995 if (!__sk_filter_charge(sk, fp)) {
996 sk_filter_release(fp);
997 return false;
998 }
999 return true;
1000 }
1001
1002 static struct bpf_prog *bpf_migrate_filter(struct bpf_prog *fp)
1003 {
1004 struct sock_filter *old_prog;
1005 struct bpf_prog *old_fp;
1006 int err, new_len, old_len = fp->len;
1007
1008 /* We are free to overwrite insns et al right here as it
1009 * won't be used at this point in time anymore internally
1010 * after the migration to the internal BPF instruction
1011 * representation.
1012 */
1013 BUILD_BUG_ON(sizeof(struct sock_filter) !=
1014 sizeof(struct bpf_insn));
1015
1016 /* Conversion cannot happen on overlapping memory areas,
1017 * so we need to keep the user BPF around until the 2nd
1018 * pass. At this time, the user BPF is stored in fp->insns.
1019 */
1020 old_prog = kmemdup(fp->insns, old_len * sizeof(struct sock_filter),
1021 GFP_KERNEL | __GFP_NOWARN);
1022 if (!old_prog) {
1023 err = -ENOMEM;
1024 goto out_err;
1025 }
1026
1027 /* 1st pass: calculate the new program length. */
1028 err = bpf_convert_filter(old_prog, old_len, NULL, &new_len);
1029 if (err)
1030 goto out_err_free;
1031
1032 /* Expand fp for appending the new filter representation. */
1033 old_fp = fp;
1034 fp = bpf_prog_realloc(old_fp, bpf_prog_size(new_len), 0);
1035 if (!fp) {
1036 /* The old_fp is still around in case we couldn't
1037 * allocate new memory, so uncharge on that one.
1038 */
1039 fp = old_fp;
1040 err = -ENOMEM;
1041 goto out_err_free;
1042 }
1043
1044 fp->len = new_len;
1045
1046 /* 2nd pass: remap sock_filter insns into bpf_insn insns. */
1047 err = bpf_convert_filter(old_prog, old_len, fp, &new_len);
1048 if (err)
1049 /* 2nd bpf_convert_filter() can fail only if it fails
1050 * to allocate memory, remapping must succeed. Note,
1051 * that at this time old_fp has already been released
1052 * by krealloc().
1053 */
1054 goto out_err_free;
1055
1056 /* We are guaranteed to never error here with cBPF to eBPF
1057 * transitions, since there's no issue with type compatibility
1058 * checks on program arrays.
1059 */
1060 fp = bpf_prog_select_runtime(fp, &err);
1061
1062 kfree(old_prog);
1063 return fp;
1064
1065 out_err_free:
1066 kfree(old_prog);
1067 out_err:
1068 __bpf_prog_release(fp);
1069 return ERR_PTR(err);
1070 }
1071
1072 static struct bpf_prog *bpf_prepare_filter(struct bpf_prog *fp,
1073 bpf_aux_classic_check_t trans)
1074 {
1075 int err;
1076
1077 fp->bpf_func = NULL;
1078 fp->jited = 0;
1079
1080 err = bpf_check_classic(fp->insns, fp->len);
1081 if (err) {
1082 __bpf_prog_release(fp);
1083 return ERR_PTR(err);
1084 }
1085
1086 /* There might be additional checks and transformations
1087 * needed on classic filters, f.e. in case of seccomp.
1088 */
1089 if (trans) {
1090 err = trans(fp->insns, fp->len);
1091 if (err) {
1092 __bpf_prog_release(fp);
1093 return ERR_PTR(err);
1094 }
1095 }
1096
1097 /* Probe if we can JIT compile the filter and if so, do
1098 * the compilation of the filter.
1099 */
1100 bpf_jit_compile(fp);
1101
1102 /* JIT compiler couldn't process this filter, so do the
1103 * internal BPF translation for the optimized interpreter.
1104 */
1105 if (!fp->jited)
1106 fp = bpf_migrate_filter(fp);
1107
1108 return fp;
1109 }
1110
1111 /**
1112 * bpf_prog_create - create an unattached filter
1113 * @pfp: the unattached filter that is created
1114 * @fprog: the filter program
1115 *
1116 * Create a filter independent of any socket. We first run some
1117 * sanity checks on it to make sure it does not explode on us later.
1118 * If an error occurs or there is insufficient memory for the filter
1119 * a negative errno code is returned. On success the return is zero.
1120 */
1121 int bpf_prog_create(struct bpf_prog **pfp, struct sock_fprog_kern *fprog)
1122 {
1123 unsigned int fsize = bpf_classic_proglen(fprog);
1124 struct bpf_prog *fp;
1125
1126 /* Make sure new filter is there and in the right amounts. */
1127 if (!bpf_check_basics_ok(fprog->filter, fprog->len))
1128 return -EINVAL;
1129
1130 fp = bpf_prog_alloc(bpf_prog_size(fprog->len), 0);
1131 if (!fp)
1132 return -ENOMEM;
1133
1134 memcpy(fp->insns, fprog->filter, fsize);
1135
1136 fp->len = fprog->len;
1137 /* Since unattached filters are not copied back to user
1138 * space through sk_get_filter(), we do not need to hold
1139 * a copy here, and can spare us the work.
1140 */
1141 fp->orig_prog = NULL;
1142
1143 /* bpf_prepare_filter() already takes care of freeing
1144 * memory in case something goes wrong.
1145 */
1146 fp = bpf_prepare_filter(fp, NULL);
1147 if (IS_ERR(fp))
1148 return PTR_ERR(fp);
1149
1150 *pfp = fp;
1151 return 0;
1152 }
1153 EXPORT_SYMBOL_GPL(bpf_prog_create);
1154
1155 /**
1156 * bpf_prog_create_from_user - create an unattached filter from user buffer
1157 * @pfp: the unattached filter that is created
1158 * @fprog: the filter program
1159 * @trans: post-classic verifier transformation handler
1160 * @save_orig: save classic BPF program
1161 *
1162 * This function effectively does the same as bpf_prog_create(), only
1163 * that it builds up its insns buffer from user space provided buffer.
1164 * It also allows for passing a bpf_aux_classic_check_t handler.
1165 */
1166 int bpf_prog_create_from_user(struct bpf_prog **pfp, struct sock_fprog *fprog,
1167 bpf_aux_classic_check_t trans, bool save_orig)
1168 {
1169 unsigned int fsize = bpf_classic_proglen(fprog);
1170 struct bpf_prog *fp;
1171 int err;
1172
1173 /* Make sure new filter is there and in the right amounts. */
1174 if (!bpf_check_basics_ok(fprog->filter, fprog->len))
1175 return -EINVAL;
1176
1177 fp = bpf_prog_alloc(bpf_prog_size(fprog->len), 0);
1178 if (!fp)
1179 return -ENOMEM;
1180
1181 if (copy_from_user(fp->insns, fprog->filter, fsize)) {
1182 __bpf_prog_free(fp);
1183 return -EFAULT;
1184 }
1185
1186 fp->len = fprog->len;
1187 fp->orig_prog = NULL;
1188
1189 if (save_orig) {
1190 err = bpf_prog_store_orig_filter(fp, fprog);
1191 if (err) {
1192 __bpf_prog_free(fp);
1193 return -ENOMEM;
1194 }
1195 }
1196
1197 /* bpf_prepare_filter() already takes care of freeing
1198 * memory in case something goes wrong.
1199 */
1200 fp = bpf_prepare_filter(fp, trans);
1201 if (IS_ERR(fp))
1202 return PTR_ERR(fp);
1203
1204 *pfp = fp;
1205 return 0;
1206 }
1207 EXPORT_SYMBOL_GPL(bpf_prog_create_from_user);
1208
1209 void bpf_prog_destroy(struct bpf_prog *fp)
1210 {
1211 __bpf_prog_release(fp);
1212 }
1213 EXPORT_SYMBOL_GPL(bpf_prog_destroy);
1214
1215 static int __sk_attach_prog(struct bpf_prog *prog, struct sock *sk)
1216 {
1217 struct sk_filter *fp, *old_fp;
1218
1219 fp = kmalloc(sizeof(*fp), GFP_KERNEL);
1220 if (!fp)
1221 return -ENOMEM;
1222
1223 fp->prog = prog;
1224
1225 if (!__sk_filter_charge(sk, fp)) {
1226 kfree(fp);
1227 return -ENOMEM;
1228 }
1229 refcount_set(&fp->refcnt, 1);
1230
1231 old_fp = rcu_dereference_protected(sk->sk_filter,
1232 lockdep_sock_is_held(sk));
1233 rcu_assign_pointer(sk->sk_filter, fp);
1234
1235 if (old_fp)
1236 sk_filter_uncharge(sk, old_fp);
1237
1238 return 0;
1239 }
1240
1241 static int __reuseport_attach_prog(struct bpf_prog *prog, struct sock *sk)
1242 {
1243 struct bpf_prog *old_prog;
1244 int err;
1245
1246 if (bpf_prog_size(prog->len) > sysctl_optmem_max)
1247 return -ENOMEM;
1248
1249 if (sk_unhashed(sk) && sk->sk_reuseport) {
1250 err = reuseport_alloc(sk);
1251 if (err)
1252 return err;
1253 } else if (!rcu_access_pointer(sk->sk_reuseport_cb)) {
1254 /* The socket wasn't bound with SO_REUSEPORT */
1255 return -EINVAL;
1256 }
1257
1258 old_prog = reuseport_attach_prog(sk, prog);
1259 if (old_prog)
1260 bpf_prog_destroy(old_prog);
1261
1262 return 0;
1263 }
1264
1265 static
1266 struct bpf_prog *__get_filter(struct sock_fprog *fprog, struct sock *sk)
1267 {
1268 unsigned int fsize = bpf_classic_proglen(fprog);
1269 struct bpf_prog *prog;
1270 int err;
1271
1272 if (sock_flag(sk, SOCK_FILTER_LOCKED))
1273 return ERR_PTR(-EPERM);
1274
1275 /* Make sure new filter is there and in the right amounts. */
1276 if (!bpf_check_basics_ok(fprog->filter, fprog->len))
1277 return ERR_PTR(-EINVAL);
1278
1279 prog = bpf_prog_alloc(bpf_prog_size(fprog->len), 0);
1280 if (!prog)
1281 return ERR_PTR(-ENOMEM);
1282
1283 if (copy_from_user(prog->insns, fprog->filter, fsize)) {
1284 __bpf_prog_free(prog);
1285 return ERR_PTR(-EFAULT);
1286 }
1287
1288 prog->len = fprog->len;
1289
1290 err = bpf_prog_store_orig_filter(prog, fprog);
1291 if (err) {
1292 __bpf_prog_free(prog);
1293 return ERR_PTR(-ENOMEM);
1294 }
1295
1296 /* bpf_prepare_filter() already takes care of freeing
1297 * memory in case something goes wrong.
1298 */
1299 return bpf_prepare_filter(prog, NULL);
1300 }
1301
1302 /**
1303 * sk_attach_filter - attach a socket filter
1304 * @fprog: the filter program
1305 * @sk: the socket to use
1306 *
1307 * Attach the user's filter code. We first run some sanity checks on
1308 * it to make sure it does not explode on us later. If an error
1309 * occurs or there is insufficient memory for the filter a negative
1310 * errno code is returned. On success the return is zero.
1311 */
1312 int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk)
1313 {
1314 struct bpf_prog *prog = __get_filter(fprog, sk);
1315 int err;
1316
1317 if (IS_ERR(prog))
1318 return PTR_ERR(prog);
1319
1320 err = __sk_attach_prog(prog, sk);
1321 if (err < 0) {
1322 __bpf_prog_release(prog);
1323 return err;
1324 }
1325
1326 return 0;
1327 }
1328 EXPORT_SYMBOL_GPL(sk_attach_filter);
1329
1330 int sk_reuseport_attach_filter(struct sock_fprog *fprog, struct sock *sk)
1331 {
1332 struct bpf_prog *prog = __get_filter(fprog, sk);
1333 int err;
1334
1335 if (IS_ERR(prog))
1336 return PTR_ERR(prog);
1337
1338 err = __reuseport_attach_prog(prog, sk);
1339 if (err < 0) {
1340 __bpf_prog_release(prog);
1341 return err;
1342 }
1343
1344 return 0;
1345 }
1346
1347 static struct bpf_prog *__get_bpf(u32 ufd, struct sock *sk)
1348 {
1349 if (sock_flag(sk, SOCK_FILTER_LOCKED))
1350 return ERR_PTR(-EPERM);
1351
1352 return bpf_prog_get_type(ufd, BPF_PROG_TYPE_SOCKET_FILTER);
1353 }
1354
1355 int sk_attach_bpf(u32 ufd, struct sock *sk)
1356 {
1357 struct bpf_prog *prog = __get_bpf(ufd, sk);
1358 int err;
1359
1360 if (IS_ERR(prog))
1361 return PTR_ERR(prog);
1362
1363 err = __sk_attach_prog(prog, sk);
1364 if (err < 0) {
1365 bpf_prog_put(prog);
1366 return err;
1367 }
1368
1369 return 0;
1370 }
1371
1372 int sk_reuseport_attach_bpf(u32 ufd, struct sock *sk)
1373 {
1374 struct bpf_prog *prog = __get_bpf(ufd, sk);
1375 int err;
1376
1377 if (IS_ERR(prog))
1378 return PTR_ERR(prog);
1379
1380 err = __reuseport_attach_prog(prog, sk);
1381 if (err < 0) {
1382 bpf_prog_put(prog);
1383 return err;
1384 }
1385
1386 return 0;
1387 }
1388
1389 struct bpf_scratchpad {
1390 union {
1391 __be32 diff[MAX_BPF_STACK / sizeof(__be32)];
1392 u8 buff[MAX_BPF_STACK];
1393 };
1394 };
1395
1396 static DEFINE_PER_CPU(struct bpf_scratchpad, bpf_sp);
1397
1398 static inline int __bpf_try_make_writable(struct sk_buff *skb,
1399 unsigned int write_len)
1400 {
1401 return skb_ensure_writable(skb, write_len);
1402 }
1403
1404 static inline int bpf_try_make_writable(struct sk_buff *skb,
1405 unsigned int write_len)
1406 {
1407 int err = __bpf_try_make_writable(skb, write_len);
1408
1409 bpf_compute_data_end(skb);
1410 return err;
1411 }
1412
1413 static int bpf_try_make_head_writable(struct sk_buff *skb)
1414 {
1415 return bpf_try_make_writable(skb, skb_headlen(skb));
1416 }
1417
1418 static inline void bpf_push_mac_rcsum(struct sk_buff *skb)
1419 {
1420 if (skb_at_tc_ingress(skb))
1421 skb_postpush_rcsum(skb, skb_mac_header(skb), skb->mac_len);
1422 }
1423
1424 static inline void bpf_pull_mac_rcsum(struct sk_buff *skb)
1425 {
1426 if (skb_at_tc_ingress(skb))
1427 skb_postpull_rcsum(skb, skb_mac_header(skb), skb->mac_len);
1428 }
1429
1430 BPF_CALL_5(bpf_skb_store_bytes, struct sk_buff *, skb, u32, offset,
1431 const void *, from, u32, len, u64, flags)
1432 {
1433 void *ptr;
1434
1435 if (unlikely(flags & ~(BPF_F_RECOMPUTE_CSUM | BPF_F_INVALIDATE_HASH)))
1436 return -EINVAL;
1437 if (unlikely(offset > 0xffff))
1438 return -EFAULT;
1439 if (unlikely(bpf_try_make_writable(skb, offset + len)))
1440 return -EFAULT;
1441
1442 ptr = skb->data + offset;
1443 if (flags & BPF_F_RECOMPUTE_CSUM)
1444 __skb_postpull_rcsum(skb, ptr, len, offset);
1445
1446 memcpy(ptr, from, len);
1447
1448 if (flags & BPF_F_RECOMPUTE_CSUM)
1449 __skb_postpush_rcsum(skb, ptr, len, offset);
1450 if (flags & BPF_F_INVALIDATE_HASH)
1451 skb_clear_hash(skb);
1452
1453 return 0;
1454 }
1455
1456 static const struct bpf_func_proto bpf_skb_store_bytes_proto = {
1457 .func = bpf_skb_store_bytes,
1458 .gpl_only = false,
1459 .ret_type = RET_INTEGER,
1460 .arg1_type = ARG_PTR_TO_CTX,
1461 .arg2_type = ARG_ANYTHING,
1462 .arg3_type = ARG_PTR_TO_MEM,
1463 .arg4_type = ARG_CONST_SIZE,
1464 .arg5_type = ARG_ANYTHING,
1465 };
1466
1467 BPF_CALL_4(bpf_skb_load_bytes, const struct sk_buff *, skb, u32, offset,
1468 void *, to, u32, len)
1469 {
1470 void *ptr;
1471
1472 if (unlikely(offset > 0xffff))
1473 goto err_clear;
1474
1475 ptr = skb_header_pointer(skb, offset, len, to);
1476 if (unlikely(!ptr))
1477 goto err_clear;
1478 if (ptr != to)
1479 memcpy(to, ptr, len);
1480
1481 return 0;
1482 err_clear:
1483 memset(to, 0, len);
1484 return -EFAULT;
1485 }
1486
1487 static const struct bpf_func_proto bpf_skb_load_bytes_proto = {
1488 .func = bpf_skb_load_bytes,
1489 .gpl_only = false,
1490 .ret_type = RET_INTEGER,
1491 .arg1_type = ARG_PTR_TO_CTX,
1492 .arg2_type = ARG_ANYTHING,
1493 .arg3_type = ARG_PTR_TO_UNINIT_MEM,
1494 .arg4_type = ARG_CONST_SIZE,
1495 };
1496
1497 BPF_CALL_2(bpf_skb_pull_data, struct sk_buff *, skb, u32, len)
1498 {
1499 /* Idea is the following: should the needed direct read/write
1500 * test fail during runtime, we can pull in more data and redo
1501 * again, since implicitly, we invalidate previous checks here.
1502 *
1503 * Or, since we know how much we need to make read/writeable,
1504 * this can be done once at the program beginning for direct
1505 * access case. By this we overcome limitations of only current
1506 * headroom being accessible.
1507 */
1508 return bpf_try_make_writable(skb, len ? : skb_headlen(skb));
1509 }
1510
1511 static const struct bpf_func_proto bpf_skb_pull_data_proto = {
1512 .func = bpf_skb_pull_data,
1513 .gpl_only = false,
1514 .ret_type = RET_INTEGER,
1515 .arg1_type = ARG_PTR_TO_CTX,
1516 .arg2_type = ARG_ANYTHING,
1517 };
1518
1519 BPF_CALL_5(bpf_l3_csum_replace, struct sk_buff *, skb, u32, offset,
1520 u64, from, u64, to, u64, flags)
1521 {
1522 __sum16 *ptr;
1523
1524 if (unlikely(flags & ~(BPF_F_HDR_FIELD_MASK)))
1525 return -EINVAL;
1526 if (unlikely(offset > 0xffff || offset & 1))
1527 return -EFAULT;
1528 if (unlikely(bpf_try_make_writable(skb, offset + sizeof(*ptr))))
1529 return -EFAULT;
1530
1531 ptr = (__sum16 *)(skb->data + offset);
1532 switch (flags & BPF_F_HDR_FIELD_MASK) {
1533 case 0:
1534 if (unlikely(from != 0))
1535 return -EINVAL;
1536
1537 csum_replace_by_diff(ptr, to);
1538 break;
1539 case 2:
1540 csum_replace2(ptr, from, to);
1541 break;
1542 case 4:
1543 csum_replace4(ptr, from, to);
1544 break;
1545 default:
1546 return -EINVAL;
1547 }
1548
1549 return 0;
1550 }
1551
1552 static const struct bpf_func_proto bpf_l3_csum_replace_proto = {
1553 .func = bpf_l3_csum_replace,
1554 .gpl_only = false,
1555 .ret_type = RET_INTEGER,
1556 .arg1_type = ARG_PTR_TO_CTX,
1557 .arg2_type = ARG_ANYTHING,
1558 .arg3_type = ARG_ANYTHING,
1559 .arg4_type = ARG_ANYTHING,
1560 .arg5_type = ARG_ANYTHING,
1561 };
1562
1563 BPF_CALL_5(bpf_l4_csum_replace, struct sk_buff *, skb, u32, offset,
1564 u64, from, u64, to, u64, flags)
1565 {
1566 bool is_pseudo = flags & BPF_F_PSEUDO_HDR;
1567 bool is_mmzero = flags & BPF_F_MARK_MANGLED_0;
1568 bool do_mforce = flags & BPF_F_MARK_ENFORCE;
1569 __sum16 *ptr;
1570
1571 if (unlikely(flags & ~(BPF_F_MARK_MANGLED_0 | BPF_F_MARK_ENFORCE |
1572 BPF_F_PSEUDO_HDR | BPF_F_HDR_FIELD_MASK)))
1573 return -EINVAL;
1574 if (unlikely(offset > 0xffff || offset & 1))
1575 return -EFAULT;
1576 if (unlikely(bpf_try_make_writable(skb, offset + sizeof(*ptr))))
1577 return -EFAULT;
1578
1579 ptr = (__sum16 *)(skb->data + offset);
1580 if (is_mmzero && !do_mforce && !*ptr)
1581 return 0;
1582
1583 switch (flags & BPF_F_HDR_FIELD_MASK) {
1584 case 0:
1585 if (unlikely(from != 0))
1586 return -EINVAL;
1587
1588 inet_proto_csum_replace_by_diff(ptr, skb, to, is_pseudo);
1589 break;
1590 case 2:
1591 inet_proto_csum_replace2(ptr, skb, from, to, is_pseudo);
1592 break;
1593 case 4:
1594 inet_proto_csum_replace4(ptr, skb, from, to, is_pseudo);
1595 break;
1596 default:
1597 return -EINVAL;
1598 }
1599
1600 if (is_mmzero && !*ptr)
1601 *ptr = CSUM_MANGLED_0;
1602 return 0;
1603 }
1604
1605 static const struct bpf_func_proto bpf_l4_csum_replace_proto = {
1606 .func = bpf_l4_csum_replace,
1607 .gpl_only = false,
1608 .ret_type = RET_INTEGER,
1609 .arg1_type = ARG_PTR_TO_CTX,
1610 .arg2_type = ARG_ANYTHING,
1611 .arg3_type = ARG_ANYTHING,
1612 .arg4_type = ARG_ANYTHING,
1613 .arg5_type = ARG_ANYTHING,
1614 };
1615
1616 BPF_CALL_5(bpf_csum_diff, __be32 *, from, u32, from_size,
1617 __be32 *, to, u32, to_size, __wsum, seed)
1618 {
1619 struct bpf_scratchpad *sp = this_cpu_ptr(&bpf_sp);
1620 u32 diff_size = from_size + to_size;
1621 int i, j = 0;
1622
1623 /* This is quite flexible, some examples:
1624 *
1625 * from_size == 0, to_size > 0, seed := csum --> pushing data
1626 * from_size > 0, to_size == 0, seed := csum --> pulling data
1627 * from_size > 0, to_size > 0, seed := 0 --> diffing data
1628 *
1629 * Even for diffing, from_size and to_size don't need to be equal.
1630 */
1631 if (unlikely(((from_size | to_size) & (sizeof(__be32) - 1)) ||
1632 diff_size > sizeof(sp->diff)))
1633 return -EINVAL;
1634
1635 for (i = 0; i < from_size / sizeof(__be32); i++, j++)
1636 sp->diff[j] = ~from[i];
1637 for (i = 0; i < to_size / sizeof(__be32); i++, j++)
1638 sp->diff[j] = to[i];
1639
1640 return csum_partial(sp->diff, diff_size, seed);
1641 }
1642
1643 static const struct bpf_func_proto bpf_csum_diff_proto = {
1644 .func = bpf_csum_diff,
1645 .gpl_only = false,
1646 .pkt_access = true,
1647 .ret_type = RET_INTEGER,
1648 .arg1_type = ARG_PTR_TO_MEM,
1649 .arg2_type = ARG_CONST_SIZE_OR_ZERO,
1650 .arg3_type = ARG_PTR_TO_MEM,
1651 .arg4_type = ARG_CONST_SIZE_OR_ZERO,
1652 .arg5_type = ARG_ANYTHING,
1653 };
1654
1655 BPF_CALL_2(bpf_csum_update, struct sk_buff *, skb, __wsum, csum)
1656 {
1657 /* The interface is to be used in combination with bpf_csum_diff()
1658 * for direct packet writes. csum rotation for alignment as well
1659 * as emulating csum_sub() can be done from the eBPF program.
1660 */
1661 if (skb->ip_summed == CHECKSUM_COMPLETE)
1662 return (skb->csum = csum_add(skb->csum, csum));
1663
1664 return -ENOTSUPP;
1665 }
1666
1667 static const struct bpf_func_proto bpf_csum_update_proto = {
1668 .func = bpf_csum_update,
1669 .gpl_only = false,
1670 .ret_type = RET_INTEGER,
1671 .arg1_type = ARG_PTR_TO_CTX,
1672 .arg2_type = ARG_ANYTHING,
1673 };
1674
1675 static inline int __bpf_rx_skb(struct net_device *dev, struct sk_buff *skb)
1676 {
1677 return dev_forward_skb(dev, skb);
1678 }
1679
1680 static inline int __bpf_rx_skb_no_mac(struct net_device *dev,
1681 struct sk_buff *skb)
1682 {
1683 int ret = ____dev_forward_skb(dev, skb);
1684
1685 if (likely(!ret)) {
1686 skb->dev = dev;
1687 ret = netif_rx(skb);
1688 }
1689
1690 return ret;
1691 }
1692
1693 static inline int __bpf_tx_skb(struct net_device *dev, struct sk_buff *skb)
1694 {
1695 int ret;
1696
1697 if (unlikely(__this_cpu_read(xmit_recursion) > XMIT_RECURSION_LIMIT)) {
1698 net_crit_ratelimited("bpf: recursion limit reached on datapath, buggy bpf program?\n");
1699 kfree_skb(skb);
1700 return -ENETDOWN;
1701 }
1702
1703 skb->dev = dev;
1704
1705 __this_cpu_inc(xmit_recursion);
1706 ret = dev_queue_xmit(skb);
1707 __this_cpu_dec(xmit_recursion);
1708
1709 return ret;
1710 }
1711
1712 static int __bpf_redirect_no_mac(struct sk_buff *skb, struct net_device *dev,
1713 u32 flags)
1714 {
1715 /* skb->mac_len is not set on normal egress */
1716 unsigned int mlen = skb->network_header - skb->mac_header;
1717
1718 __skb_pull(skb, mlen);
1719
1720 /* At ingress, the mac header has already been pulled once.
1721 * At egress, skb_pospull_rcsum has to be done in case that
1722 * the skb is originated from ingress (i.e. a forwarded skb)
1723 * to ensure that rcsum starts at net header.
1724 */
1725 if (!skb_at_tc_ingress(skb))
1726 skb_postpull_rcsum(skb, skb_mac_header(skb), mlen);
1727 skb_pop_mac_header(skb);
1728 skb_reset_mac_len(skb);
1729 return flags & BPF_F_INGRESS ?
1730 __bpf_rx_skb_no_mac(dev, skb) : __bpf_tx_skb(dev, skb);
1731 }
1732
1733 static int __bpf_redirect_common(struct sk_buff *skb, struct net_device *dev,
1734 u32 flags)
1735 {
1736 /* Verify that a link layer header is carried */
1737 if (unlikely(skb->mac_header >= skb->network_header)) {
1738 kfree_skb(skb);
1739 return -ERANGE;
1740 }
1741
1742 bpf_push_mac_rcsum(skb);
1743 return flags & BPF_F_INGRESS ?
1744 __bpf_rx_skb(dev, skb) : __bpf_tx_skb(dev, skb);
1745 }
1746
1747 static int __bpf_redirect(struct sk_buff *skb, struct net_device *dev,
1748 u32 flags)
1749 {
1750 if (dev_is_mac_header_xmit(dev))
1751 return __bpf_redirect_common(skb, dev, flags);
1752 else
1753 return __bpf_redirect_no_mac(skb, dev, flags);
1754 }
1755
1756 BPF_CALL_3(bpf_clone_redirect, struct sk_buff *, skb, u32, ifindex, u64, flags)
1757 {
1758 struct net_device *dev;
1759 struct sk_buff *clone;
1760 int ret;
1761
1762 if (unlikely(flags & ~(BPF_F_INGRESS)))
1763 return -EINVAL;
1764
1765 dev = dev_get_by_index_rcu(dev_net(skb->dev), ifindex);
1766 if (unlikely(!dev))
1767 return -EINVAL;
1768
1769 clone = skb_clone(skb, GFP_ATOMIC);
1770 if (unlikely(!clone))
1771 return -ENOMEM;
1772
1773 /* For direct write, we need to keep the invariant that the skbs
1774 * we're dealing with need to be uncloned. Should uncloning fail
1775 * here, we need to free the just generated clone to unclone once
1776 * again.
1777 */
1778 ret = bpf_try_make_head_writable(skb);
1779 if (unlikely(ret)) {
1780 kfree_skb(clone);
1781 return -ENOMEM;
1782 }
1783
1784 return __bpf_redirect(clone, dev, flags);
1785 }
1786
1787 static const struct bpf_func_proto bpf_clone_redirect_proto = {
1788 .func = bpf_clone_redirect,
1789 .gpl_only = false,
1790 .ret_type = RET_INTEGER,
1791 .arg1_type = ARG_PTR_TO_CTX,
1792 .arg2_type = ARG_ANYTHING,
1793 .arg3_type = ARG_ANYTHING,
1794 };
1795
1796 struct redirect_info {
1797 u32 ifindex;
1798 u32 flags;
1799 struct bpf_map *map;
1800 struct bpf_map *map_to_flush;
1801 unsigned long map_owner;
1802 };
1803
1804 static DEFINE_PER_CPU(struct redirect_info, redirect_info);
1805
1806 BPF_CALL_2(bpf_redirect, u32, ifindex, u64, flags)
1807 {
1808 struct redirect_info *ri = this_cpu_ptr(&redirect_info);
1809
1810 if (unlikely(flags & ~(BPF_F_INGRESS)))
1811 return TC_ACT_SHOT;
1812
1813 ri->ifindex = ifindex;
1814 ri->flags = flags;
1815
1816 return TC_ACT_REDIRECT;
1817 }
1818
1819 int skb_do_redirect(struct sk_buff *skb)
1820 {
1821 struct redirect_info *ri = this_cpu_ptr(&redirect_info);
1822 struct net_device *dev;
1823
1824 dev = dev_get_by_index_rcu(dev_net(skb->dev), ri->ifindex);
1825 ri->ifindex = 0;
1826 if (unlikely(!dev)) {
1827 kfree_skb(skb);
1828 return -EINVAL;
1829 }
1830
1831 return __bpf_redirect(skb, dev, ri->flags);
1832 }
1833
1834 static const struct bpf_func_proto bpf_redirect_proto = {
1835 .func = bpf_redirect,
1836 .gpl_only = false,
1837 .ret_type = RET_INTEGER,
1838 .arg1_type = ARG_ANYTHING,
1839 .arg2_type = ARG_ANYTHING,
1840 };
1841
1842 BPF_CALL_4(bpf_sk_redirect_map, struct sk_buff *, skb,
1843 struct bpf_map *, map, u32, key, u64, flags)
1844 {
1845 struct tcp_skb_cb *tcb = TCP_SKB_CB(skb);
1846
1847 /* If user passes invalid input drop the packet. */
1848 if (unlikely(flags))
1849 return SK_DROP;
1850
1851 tcb->bpf.key = key;
1852 tcb->bpf.flags = flags;
1853 tcb->bpf.map = map;
1854
1855 return SK_PASS;
1856 }
1857
1858 struct sock *do_sk_redirect_map(struct sk_buff *skb)
1859 {
1860 struct tcp_skb_cb *tcb = TCP_SKB_CB(skb);
1861 struct sock *sk = NULL;
1862
1863 if (tcb->bpf.map) {
1864 sk = __sock_map_lookup_elem(tcb->bpf.map, tcb->bpf.key);
1865
1866 tcb->bpf.key = 0;
1867 tcb->bpf.map = NULL;
1868 }
1869
1870 return sk;
1871 }
1872
1873 static const struct bpf_func_proto bpf_sk_redirect_map_proto = {
1874 .func = bpf_sk_redirect_map,
1875 .gpl_only = false,
1876 .ret_type = RET_INTEGER,
1877 .arg1_type = ARG_PTR_TO_CTX,
1878 .arg2_type = ARG_CONST_MAP_PTR,
1879 .arg3_type = ARG_ANYTHING,
1880 .arg4_type = ARG_ANYTHING,
1881 };
1882
1883 BPF_CALL_1(bpf_get_cgroup_classid, const struct sk_buff *, skb)
1884 {
1885 return task_get_classid(skb);
1886 }
1887
1888 static const struct bpf_func_proto bpf_get_cgroup_classid_proto = {
1889 .func = bpf_get_cgroup_classid,
1890 .gpl_only = false,
1891 .ret_type = RET_INTEGER,
1892 .arg1_type = ARG_PTR_TO_CTX,
1893 };
1894
1895 BPF_CALL_1(bpf_get_route_realm, const struct sk_buff *, skb)
1896 {
1897 return dst_tclassid(skb);
1898 }
1899
1900 static const struct bpf_func_proto bpf_get_route_realm_proto = {
1901 .func = bpf_get_route_realm,
1902 .gpl_only = false,
1903 .ret_type = RET_INTEGER,
1904 .arg1_type = ARG_PTR_TO_CTX,
1905 };
1906
1907 BPF_CALL_1(bpf_get_hash_recalc, struct sk_buff *, skb)
1908 {
1909 /* If skb_clear_hash() was called due to mangling, we can
1910 * trigger SW recalculation here. Later access to hash
1911 * can then use the inline skb->hash via context directly
1912 * instead of calling this helper again.
1913 */
1914 return skb_get_hash(skb);
1915 }
1916
1917 static const struct bpf_func_proto bpf_get_hash_recalc_proto = {
1918 .func = bpf_get_hash_recalc,
1919 .gpl_only = false,
1920 .ret_type = RET_INTEGER,
1921 .arg1_type = ARG_PTR_TO_CTX,
1922 };
1923
1924 BPF_CALL_1(bpf_set_hash_invalid, struct sk_buff *, skb)
1925 {
1926 /* After all direct packet write, this can be used once for
1927 * triggering a lazy recalc on next skb_get_hash() invocation.
1928 */
1929 skb_clear_hash(skb);
1930 return 0;
1931 }
1932
1933 static const struct bpf_func_proto bpf_set_hash_invalid_proto = {
1934 .func = bpf_set_hash_invalid,
1935 .gpl_only = false,
1936 .ret_type = RET_INTEGER,
1937 .arg1_type = ARG_PTR_TO_CTX,
1938 };
1939
1940 BPF_CALL_2(bpf_set_hash, struct sk_buff *, skb, u32, hash)
1941 {
1942 /* Set user specified hash as L4(+), so that it gets returned
1943 * on skb_get_hash() call unless BPF prog later on triggers a
1944 * skb_clear_hash().
1945 */
1946 __skb_set_sw_hash(skb, hash, true);
1947 return 0;
1948 }
1949
1950 static const struct bpf_func_proto bpf_set_hash_proto = {
1951 .func = bpf_set_hash,
1952 .gpl_only = false,
1953 .ret_type = RET_INTEGER,
1954 .arg1_type = ARG_PTR_TO_CTX,
1955 .arg2_type = ARG_ANYTHING,
1956 };
1957
1958 BPF_CALL_3(bpf_skb_vlan_push, struct sk_buff *, skb, __be16, vlan_proto,
1959 u16, vlan_tci)
1960 {
1961 int ret;
1962
1963 if (unlikely(vlan_proto != htons(ETH_P_8021Q) &&
1964 vlan_proto != htons(ETH_P_8021AD)))
1965 vlan_proto = htons(ETH_P_8021Q);
1966
1967 bpf_push_mac_rcsum(skb);
1968 ret = skb_vlan_push(skb, vlan_proto, vlan_tci);
1969 bpf_pull_mac_rcsum(skb);
1970
1971 bpf_compute_data_end(skb);
1972 return ret;
1973 }
1974
1975 const struct bpf_func_proto bpf_skb_vlan_push_proto = {
1976 .func = bpf_skb_vlan_push,
1977 .gpl_only = false,
1978 .ret_type = RET_INTEGER,
1979 .arg1_type = ARG_PTR_TO_CTX,
1980 .arg2_type = ARG_ANYTHING,
1981 .arg3_type = ARG_ANYTHING,
1982 };
1983 EXPORT_SYMBOL_GPL(bpf_skb_vlan_push_proto);
1984
1985 BPF_CALL_1(bpf_skb_vlan_pop, struct sk_buff *, skb)
1986 {
1987 int ret;
1988
1989 bpf_push_mac_rcsum(skb);
1990 ret = skb_vlan_pop(skb);
1991 bpf_pull_mac_rcsum(skb);
1992
1993 bpf_compute_data_end(skb);
1994 return ret;
1995 }
1996
1997 const struct bpf_func_proto bpf_skb_vlan_pop_proto = {
1998 .func = bpf_skb_vlan_pop,
1999 .gpl_only = false,
2000 .ret_type = RET_INTEGER,
2001 .arg1_type = ARG_PTR_TO_CTX,
2002 };
2003 EXPORT_SYMBOL_GPL(bpf_skb_vlan_pop_proto);
2004
2005 static int bpf_skb_generic_push(struct sk_buff *skb, u32 off, u32 len)
2006 {
2007 /* Caller already did skb_cow() with len as headroom,
2008 * so no need to do it here.
2009 */
2010 skb_push(skb, len);
2011 memmove(skb->data, skb->data + len, off);
2012 memset(skb->data + off, 0, len);
2013
2014 /* No skb_postpush_rcsum(skb, skb->data + off, len)
2015 * needed here as it does not change the skb->csum
2016 * result for checksum complete when summing over
2017 * zeroed blocks.
2018 */
2019 return 0;
2020 }
2021
2022 static int bpf_skb_generic_pop(struct sk_buff *skb, u32 off, u32 len)
2023 {
2024 /* skb_ensure_writable() is not needed here, as we're
2025 * already working on an uncloned skb.
2026 */
2027 if (unlikely(!pskb_may_pull(skb, off + len)))
2028 return -ENOMEM;
2029
2030 skb_postpull_rcsum(skb, skb->data + off, len);
2031 memmove(skb->data + len, skb->data, off);
2032 __skb_pull(skb, len);
2033
2034 return 0;
2035 }
2036
2037 static int bpf_skb_net_hdr_push(struct sk_buff *skb, u32 off, u32 len)
2038 {
2039 bool trans_same = skb->transport_header == skb->network_header;
2040 int ret;
2041
2042 /* There's no need for __skb_push()/__skb_pull() pair to
2043 * get to the start of the mac header as we're guaranteed
2044 * to always start from here under eBPF.
2045 */
2046 ret = bpf_skb_generic_push(skb, off, len);
2047 if (likely(!ret)) {
2048 skb->mac_header -= len;
2049 skb->network_header -= len;
2050 if (trans_same)
2051 skb->transport_header = skb->network_header;
2052 }
2053
2054 return ret;
2055 }
2056
2057 static int bpf_skb_net_hdr_pop(struct sk_buff *skb, u32 off, u32 len)
2058 {
2059 bool trans_same = skb->transport_header == skb->network_header;
2060 int ret;
2061
2062 /* Same here, __skb_push()/__skb_pull() pair not needed. */
2063 ret = bpf_skb_generic_pop(skb, off, len);
2064 if (likely(!ret)) {
2065 skb->mac_header += len;
2066 skb->network_header += len;
2067 if (trans_same)
2068 skb->transport_header = skb->network_header;
2069 }
2070
2071 return ret;
2072 }
2073
2074 static int bpf_skb_proto_4_to_6(struct sk_buff *skb)
2075 {
2076 const u32 len_diff = sizeof(struct ipv6hdr) - sizeof(struct iphdr);
2077 u32 off = skb_mac_header_len(skb);
2078 int ret;
2079
2080 ret = skb_cow(skb, len_diff);
2081 if (unlikely(ret < 0))
2082 return ret;
2083
2084 ret = bpf_skb_net_hdr_push(skb, off, len_diff);
2085 if (unlikely(ret < 0))
2086 return ret;
2087
2088 if (skb_is_gso(skb)) {
2089 /* SKB_GSO_TCPV4 needs to be changed into
2090 * SKB_GSO_TCPV6.
2091 */
2092 if (skb_shinfo(skb)->gso_type & SKB_GSO_TCPV4) {
2093 skb_shinfo(skb)->gso_type &= ~SKB_GSO_TCPV4;
2094 skb_shinfo(skb)->gso_type |= SKB_GSO_TCPV6;
2095 }
2096
2097 /* Due to IPv6 header, MSS needs to be downgraded. */
2098 skb_shinfo(skb)->gso_size -= len_diff;
2099 /* Header must be checked, and gso_segs recomputed. */
2100 skb_shinfo(skb)->gso_type |= SKB_GSO_DODGY;
2101 skb_shinfo(skb)->gso_segs = 0;
2102 }
2103
2104 skb->protocol = htons(ETH_P_IPV6);
2105 skb_clear_hash(skb);
2106
2107 return 0;
2108 }
2109
2110 static int bpf_skb_proto_6_to_4(struct sk_buff *skb)
2111 {
2112 const u32 len_diff = sizeof(struct ipv6hdr) - sizeof(struct iphdr);
2113 u32 off = skb_mac_header_len(skb);
2114 int ret;
2115
2116 ret = skb_unclone(skb, GFP_ATOMIC);
2117 if (unlikely(ret < 0))
2118 return ret;
2119
2120 ret = bpf_skb_net_hdr_pop(skb, off, len_diff);
2121 if (unlikely(ret < 0))
2122 return ret;
2123
2124 if (skb_is_gso(skb)) {
2125 /* SKB_GSO_TCPV6 needs to be changed into
2126 * SKB_GSO_TCPV4.
2127 */
2128 if (skb_shinfo(skb)->gso_type & SKB_GSO_TCPV6) {
2129 skb_shinfo(skb)->gso_type &= ~SKB_GSO_TCPV6;
2130 skb_shinfo(skb)->gso_type |= SKB_GSO_TCPV4;
2131 }
2132
2133 /* Due to IPv4 header, MSS can be upgraded. */
2134 skb_shinfo(skb)->gso_size += len_diff;
2135 /* Header must be checked, and gso_segs recomputed. */
2136 skb_shinfo(skb)->gso_type |= SKB_GSO_DODGY;
2137 skb_shinfo(skb)->gso_segs = 0;
2138 }
2139
2140 skb->protocol = htons(ETH_P_IP);
2141 skb_clear_hash(skb);
2142
2143 return 0;
2144 }
2145
2146 static int bpf_skb_proto_xlat(struct sk_buff *skb, __be16 to_proto)
2147 {
2148 __be16 from_proto = skb->protocol;
2149
2150 if (from_proto == htons(ETH_P_IP) &&
2151 to_proto == htons(ETH_P_IPV6))
2152 return bpf_skb_proto_4_to_6(skb);
2153
2154 if (from_proto == htons(ETH_P_IPV6) &&
2155 to_proto == htons(ETH_P_IP))
2156 return bpf_skb_proto_6_to_4(skb);
2157
2158 return -ENOTSUPP;
2159 }
2160
2161 BPF_CALL_3(bpf_skb_change_proto, struct sk_buff *, skb, __be16, proto,
2162 u64, flags)
2163 {
2164 int ret;
2165
2166 if (unlikely(flags))
2167 return -EINVAL;
2168
2169 /* General idea is that this helper does the basic groundwork
2170 * needed for changing the protocol, and eBPF program fills the
2171 * rest through bpf_skb_store_bytes(), bpf_lX_csum_replace()
2172 * and other helpers, rather than passing a raw buffer here.
2173 *
2174 * The rationale is to keep this minimal and without a need to
2175 * deal with raw packet data. F.e. even if we would pass buffers
2176 * here, the program still needs to call the bpf_lX_csum_replace()
2177 * helpers anyway. Plus, this way we keep also separation of
2178 * concerns, since f.e. bpf_skb_store_bytes() should only take
2179 * care of stores.
2180 *
2181 * Currently, additional options and extension header space are
2182 * not supported, but flags register is reserved so we can adapt
2183 * that. For offloads, we mark packet as dodgy, so that headers
2184 * need to be verified first.
2185 */
2186 ret = bpf_skb_proto_xlat(skb, proto);
2187 bpf_compute_data_end(skb);
2188 return ret;
2189 }
2190
2191 static const struct bpf_func_proto bpf_skb_change_proto_proto = {
2192 .func = bpf_skb_change_proto,
2193 .gpl_only = false,
2194 .ret_type = RET_INTEGER,
2195 .arg1_type = ARG_PTR_TO_CTX,
2196 .arg2_type = ARG_ANYTHING,
2197 .arg3_type = ARG_ANYTHING,
2198 };
2199
2200 BPF_CALL_2(bpf_skb_change_type, struct sk_buff *, skb, u32, pkt_type)
2201 {
2202 /* We only allow a restricted subset to be changed for now. */
2203 if (unlikely(!skb_pkt_type_ok(skb->pkt_type) ||
2204 !skb_pkt_type_ok(pkt_type)))
2205 return -EINVAL;
2206
2207 skb->pkt_type = pkt_type;
2208 return 0;
2209 }
2210
2211 static const struct bpf_func_proto bpf_skb_change_type_proto = {
2212 .func = bpf_skb_change_type,
2213 .gpl_only = false,
2214 .ret_type = RET_INTEGER,
2215 .arg1_type = ARG_PTR_TO_CTX,
2216 .arg2_type = ARG_ANYTHING,
2217 };
2218
2219 static u32 bpf_skb_net_base_len(const struct sk_buff *skb)
2220 {
2221 switch (skb->protocol) {
2222 case htons(ETH_P_IP):
2223 return sizeof(struct iphdr);
2224 case htons(ETH_P_IPV6):
2225 return sizeof(struct ipv6hdr);
2226 default:
2227 return ~0U;
2228 }
2229 }
2230
2231 static int bpf_skb_net_grow(struct sk_buff *skb, u32 len_diff)
2232 {
2233 u32 off = skb_mac_header_len(skb) + bpf_skb_net_base_len(skb);
2234 int ret;
2235
2236 ret = skb_cow(skb, len_diff);
2237 if (unlikely(ret < 0))
2238 return ret;
2239
2240 ret = bpf_skb_net_hdr_push(skb, off, len_diff);
2241 if (unlikely(ret < 0))
2242 return ret;
2243
2244 if (skb_is_gso(skb)) {
2245 /* Due to header grow, MSS needs to be downgraded. */
2246 skb_shinfo(skb)->gso_size -= len_diff;
2247 /* Header must be checked, and gso_segs recomputed. */
2248 skb_shinfo(skb)->gso_type |= SKB_GSO_DODGY;
2249 skb_shinfo(skb)->gso_segs = 0;
2250 }
2251
2252 return 0;
2253 }
2254
2255 static int bpf_skb_net_shrink(struct sk_buff *skb, u32 len_diff)
2256 {
2257 u32 off = skb_mac_header_len(skb) + bpf_skb_net_base_len(skb);
2258 int ret;
2259
2260 ret = skb_unclone(skb, GFP_ATOMIC);
2261 if (unlikely(ret < 0))
2262 return ret;
2263
2264 ret = bpf_skb_net_hdr_pop(skb, off, len_diff);
2265 if (unlikely(ret < 0))
2266 return ret;
2267
2268 if (skb_is_gso(skb)) {
2269 /* Due to header shrink, MSS can be upgraded. */
2270 skb_shinfo(skb)->gso_size += len_diff;
2271 /* Header must be checked, and gso_segs recomputed. */
2272 skb_shinfo(skb)->gso_type |= SKB_GSO_DODGY;
2273 skb_shinfo(skb)->gso_segs = 0;
2274 }
2275
2276 return 0;
2277 }
2278
2279 static u32 __bpf_skb_max_len(const struct sk_buff *skb)
2280 {
2281 return skb->dev->mtu + skb->dev->hard_header_len;
2282 }
2283
2284 static int bpf_skb_adjust_net(struct sk_buff *skb, s32 len_diff)
2285 {
2286 bool trans_same = skb->transport_header == skb->network_header;
2287 u32 len_cur, len_diff_abs = abs(len_diff);
2288 u32 len_min = bpf_skb_net_base_len(skb);
2289 u32 len_max = __bpf_skb_max_len(skb);
2290 __be16 proto = skb->protocol;
2291 bool shrink = len_diff < 0;
2292 int ret;
2293
2294 if (unlikely(len_diff_abs > 0xfffU))
2295 return -EFAULT;
2296 if (unlikely(proto != htons(ETH_P_IP) &&
2297 proto != htons(ETH_P_IPV6)))
2298 return -ENOTSUPP;
2299
2300 len_cur = skb->len - skb_network_offset(skb);
2301 if (skb_transport_header_was_set(skb) && !trans_same)
2302 len_cur = skb_network_header_len(skb);
2303 if ((shrink && (len_diff_abs >= len_cur ||
2304 len_cur - len_diff_abs < len_min)) ||
2305 (!shrink && (skb->len + len_diff_abs > len_max &&
2306 !skb_is_gso(skb))))
2307 return -ENOTSUPP;
2308
2309 ret = shrink ? bpf_skb_net_shrink(skb, len_diff_abs) :
2310 bpf_skb_net_grow(skb, len_diff_abs);
2311
2312 bpf_compute_data_end(skb);
2313 return ret;
2314 }
2315
2316 BPF_CALL_4(bpf_skb_adjust_room, struct sk_buff *, skb, s32, len_diff,
2317 u32, mode, u64, flags)
2318 {
2319 if (unlikely(flags))
2320 return -EINVAL;
2321 if (likely(mode == BPF_ADJ_ROOM_NET))
2322 return bpf_skb_adjust_net(skb, len_diff);
2323
2324 return -ENOTSUPP;
2325 }
2326
2327 static const struct bpf_func_proto bpf_skb_adjust_room_proto = {
2328 .func = bpf_skb_adjust_room,
2329 .gpl_only = false,
2330 .ret_type = RET_INTEGER,
2331 .arg1_type = ARG_PTR_TO_CTX,
2332 .arg2_type = ARG_ANYTHING,
2333 .arg3_type = ARG_ANYTHING,
2334 .arg4_type = ARG_ANYTHING,
2335 };
2336
2337 static u32 __bpf_skb_min_len(const struct sk_buff *skb)
2338 {
2339 u32 min_len = skb_network_offset(skb);
2340
2341 if (skb_transport_header_was_set(skb))
2342 min_len = skb_transport_offset(skb);
2343 if (skb->ip_summed == CHECKSUM_PARTIAL)
2344 min_len = skb_checksum_start_offset(skb) +
2345 skb->csum_offset + sizeof(__sum16);
2346 return min_len;
2347 }
2348
2349 static int bpf_skb_grow_rcsum(struct sk_buff *skb, unsigned int new_len)
2350 {
2351 unsigned int old_len = skb->len;
2352 int ret;
2353
2354 ret = __skb_grow_rcsum(skb, new_len);
2355 if (!ret)
2356 memset(skb->data + old_len, 0, new_len - old_len);
2357 return ret;
2358 }
2359
2360 static int bpf_skb_trim_rcsum(struct sk_buff *skb, unsigned int new_len)
2361 {
2362 return __skb_trim_rcsum(skb, new_len);
2363 }
2364
2365 BPF_CALL_3(bpf_skb_change_tail, struct sk_buff *, skb, u32, new_len,
2366 u64, flags)
2367 {
2368 u32 max_len = __bpf_skb_max_len(skb);
2369 u32 min_len = __bpf_skb_min_len(skb);
2370 int ret;
2371
2372 if (unlikely(flags || new_len > max_len || new_len < min_len))
2373 return -EINVAL;
2374 if (skb->encapsulation)
2375 return -ENOTSUPP;
2376
2377 /* The basic idea of this helper is that it's performing the
2378 * needed work to either grow or trim an skb, and eBPF program
2379 * rewrites the rest via helpers like bpf_skb_store_bytes(),
2380 * bpf_lX_csum_replace() and others rather than passing a raw
2381 * buffer here. This one is a slow path helper and intended
2382 * for replies with control messages.
2383 *
2384 * Like in bpf_skb_change_proto(), we want to keep this rather
2385 * minimal and without protocol specifics so that we are able
2386 * to separate concerns as in bpf_skb_store_bytes() should only
2387 * be the one responsible for writing buffers.
2388 *
2389 * It's really expected to be a slow path operation here for
2390 * control message replies, so we're implicitly linearizing,
2391 * uncloning and drop offloads from the skb by this.
2392 */
2393 ret = __bpf_try_make_writable(skb, skb->len);
2394 if (!ret) {
2395 if (new_len > skb->len)
2396 ret = bpf_skb_grow_rcsum(skb, new_len);
2397 else if (new_len < skb->len)
2398 ret = bpf_skb_trim_rcsum(skb, new_len);
2399 if (!ret && skb_is_gso(skb))
2400 skb_gso_reset(skb);
2401 }
2402
2403 bpf_compute_data_end(skb);
2404 return ret;
2405 }
2406
2407 static const struct bpf_func_proto bpf_skb_change_tail_proto = {
2408 .func = bpf_skb_change_tail,
2409 .gpl_only = false,
2410 .ret_type = RET_INTEGER,
2411 .arg1_type = ARG_PTR_TO_CTX,
2412 .arg2_type = ARG_ANYTHING,
2413 .arg3_type = ARG_ANYTHING,
2414 };
2415
2416 BPF_CALL_3(bpf_skb_change_head, struct sk_buff *, skb, u32, head_room,
2417 u64, flags)
2418 {
2419 u32 max_len = __bpf_skb_max_len(skb);
2420 u32 new_len = skb->len + head_room;
2421 int ret;
2422
2423 if (unlikely(flags || (!skb_is_gso(skb) && new_len > max_len) ||
2424 new_len < skb->len))
2425 return -EINVAL;
2426
2427 ret = skb_cow(skb, head_room);
2428 if (likely(!ret)) {
2429 /* Idea for this helper is that we currently only
2430 * allow to expand on mac header. This means that
2431 * skb->protocol network header, etc, stay as is.
2432 * Compared to bpf_skb_change_tail(), we're more
2433 * flexible due to not needing to linearize or
2434 * reset GSO. Intention for this helper is to be
2435 * used by an L3 skb that needs to push mac header
2436 * for redirection into L2 device.
2437 */
2438 __skb_push(skb, head_room);
2439 memset(skb->data, 0, head_room);
2440 skb_reset_mac_header(skb);
2441 }
2442
2443 bpf_compute_data_end(skb);
2444 return 0;
2445 }
2446
2447 static const struct bpf_func_proto bpf_skb_change_head_proto = {
2448 .func = bpf_skb_change_head,
2449 .gpl_only = false,
2450 .ret_type = RET_INTEGER,
2451 .arg1_type = ARG_PTR_TO_CTX,
2452 .arg2_type = ARG_ANYTHING,
2453 .arg3_type = ARG_ANYTHING,
2454 };
2455
2456 BPF_CALL_2(bpf_xdp_adjust_head, struct xdp_buff *, xdp, int, offset)
2457 {
2458 void *data = xdp->data + offset;
2459
2460 if (unlikely(data < xdp->data_hard_start ||
2461 data > xdp->data_end - ETH_HLEN))
2462 return -EINVAL;
2463
2464 xdp->data = data;
2465
2466 return 0;
2467 }
2468
2469 static const struct bpf_func_proto bpf_xdp_adjust_head_proto = {
2470 .func = bpf_xdp_adjust_head,
2471 .gpl_only = false,
2472 .ret_type = RET_INTEGER,
2473 .arg1_type = ARG_PTR_TO_CTX,
2474 .arg2_type = ARG_ANYTHING,
2475 };
2476
2477 static int __bpf_tx_xdp(struct net_device *dev,
2478 struct bpf_map *map,
2479 struct xdp_buff *xdp,
2480 u32 index)
2481 {
2482 int err;
2483
2484 if (!dev->netdev_ops->ndo_xdp_xmit) {
2485 return -EOPNOTSUPP;
2486 }
2487
2488 err = dev->netdev_ops->ndo_xdp_xmit(dev, xdp);
2489 if (err)
2490 return err;
2491 if (map)
2492 __dev_map_insert_ctx(map, index);
2493 else
2494 dev->netdev_ops->ndo_xdp_flush(dev);
2495 return 0;
2496 }
2497
2498 void xdp_do_flush_map(void)
2499 {
2500 struct redirect_info *ri = this_cpu_ptr(&redirect_info);
2501 struct bpf_map *map = ri->map_to_flush;
2502
2503 ri->map_to_flush = NULL;
2504 if (map)
2505 __dev_map_flush(map);
2506 }
2507 EXPORT_SYMBOL_GPL(xdp_do_flush_map);
2508
2509 static inline bool xdp_map_invalid(const struct bpf_prog *xdp_prog,
2510 unsigned long aux)
2511 {
2512 return (unsigned long)xdp_prog->aux != aux;
2513 }
2514
2515 static int xdp_do_redirect_map(struct net_device *dev, struct xdp_buff *xdp,
2516 struct bpf_prog *xdp_prog)
2517 {
2518 struct redirect_info *ri = this_cpu_ptr(&redirect_info);
2519 unsigned long map_owner = ri->map_owner;
2520 struct bpf_map *map = ri->map;
2521 struct net_device *fwd = NULL;
2522 u32 index = ri->ifindex;
2523 int err;
2524
2525 ri->ifindex = 0;
2526 ri->map = NULL;
2527 ri->map_owner = 0;
2528
2529 if (unlikely(xdp_map_invalid(xdp_prog, map_owner))) {
2530 err = -EFAULT;
2531 map = NULL;
2532 goto err;
2533 }
2534
2535 fwd = __dev_map_lookup_elem(map, index);
2536 if (!fwd) {
2537 err = -EINVAL;
2538 goto err;
2539 }
2540 if (ri->map_to_flush && ri->map_to_flush != map)
2541 xdp_do_flush_map();
2542
2543 err = __bpf_tx_xdp(fwd, map, xdp, index);
2544 if (unlikely(err))
2545 goto err;
2546
2547 ri->map_to_flush = map;
2548 _trace_xdp_redirect_map(dev, xdp_prog, fwd, map, index);
2549 return 0;
2550 err:
2551 _trace_xdp_redirect_map_err(dev, xdp_prog, fwd, map, index, err);
2552 return err;
2553 }
2554
2555 int xdp_do_redirect(struct net_device *dev, struct xdp_buff *xdp,
2556 struct bpf_prog *xdp_prog)
2557 {
2558 struct redirect_info *ri = this_cpu_ptr(&redirect_info);
2559 struct net_device *fwd;
2560 u32 index = ri->ifindex;
2561 int err;
2562
2563 if (ri->map)
2564 return xdp_do_redirect_map(dev, xdp, xdp_prog);
2565
2566 fwd = dev_get_by_index_rcu(dev_net(dev), index);
2567 ri->ifindex = 0;
2568 if (unlikely(!fwd)) {
2569 err = -EINVAL;
2570 goto err;
2571 }
2572
2573 err = __bpf_tx_xdp(fwd, NULL, xdp, 0);
2574 if (unlikely(err))
2575 goto err;
2576
2577 _trace_xdp_redirect(dev, xdp_prog, index);
2578 return 0;
2579 err:
2580 _trace_xdp_redirect_err(dev, xdp_prog, index, err);
2581 return err;
2582 }
2583 EXPORT_SYMBOL_GPL(xdp_do_redirect);
2584
2585 int xdp_do_generic_redirect(struct net_device *dev, struct sk_buff *skb,
2586 struct bpf_prog *xdp_prog)
2587 {
2588 struct redirect_info *ri = this_cpu_ptr(&redirect_info);
2589 unsigned long map_owner = ri->map_owner;
2590 struct bpf_map *map = ri->map;
2591 struct net_device *fwd = NULL;
2592 u32 index = ri->ifindex;
2593 unsigned int len;
2594 int err = 0;
2595
2596 ri->ifindex = 0;
2597 ri->map = NULL;
2598 ri->map_owner = 0;
2599
2600 if (map) {
2601 if (unlikely(xdp_map_invalid(xdp_prog, map_owner))) {
2602 err = -EFAULT;
2603 map = NULL;
2604 goto err;
2605 }
2606 fwd = __dev_map_lookup_elem(map, index);
2607 } else {
2608 fwd = dev_get_by_index_rcu(dev_net(dev), index);
2609 }
2610 if (unlikely(!fwd)) {
2611 err = -EINVAL;
2612 goto err;
2613 }
2614
2615 if (unlikely(!(fwd->flags & IFF_UP))) {
2616 err = -ENETDOWN;
2617 goto err;
2618 }
2619
2620 len = fwd->mtu + fwd->hard_header_len + VLAN_HLEN;
2621 if (skb->len > len) {
2622 err = -EMSGSIZE;
2623 goto err;
2624 }
2625
2626 skb->dev = fwd;
2627 map ? _trace_xdp_redirect_map(dev, xdp_prog, fwd, map, index)
2628 : _trace_xdp_redirect(dev, xdp_prog, index);
2629 return 0;
2630 err:
2631 map ? _trace_xdp_redirect_map_err(dev, xdp_prog, fwd, map, index, err)
2632 : _trace_xdp_redirect_err(dev, xdp_prog, index, err);
2633 return err;
2634 }
2635 EXPORT_SYMBOL_GPL(xdp_do_generic_redirect);
2636
2637 BPF_CALL_2(bpf_xdp_redirect, u32, ifindex, u64, flags)
2638 {
2639 struct redirect_info *ri = this_cpu_ptr(&redirect_info);
2640
2641 if (unlikely(flags))
2642 return XDP_ABORTED;
2643
2644 ri->ifindex = ifindex;
2645 ri->flags = flags;
2646 ri->map = NULL;
2647 ri->map_owner = 0;
2648
2649 return XDP_REDIRECT;
2650 }
2651
2652 static const struct bpf_func_proto bpf_xdp_redirect_proto = {
2653 .func = bpf_xdp_redirect,
2654 .gpl_only = false,
2655 .ret_type = RET_INTEGER,
2656 .arg1_type = ARG_ANYTHING,
2657 .arg2_type = ARG_ANYTHING,
2658 };
2659
2660 BPF_CALL_4(bpf_xdp_redirect_map, struct bpf_map *, map, u32, ifindex, u64, flags,
2661 unsigned long, map_owner)
2662 {
2663 struct redirect_info *ri = this_cpu_ptr(&redirect_info);
2664
2665 if (unlikely(flags))
2666 return XDP_ABORTED;
2667
2668 ri->ifindex = ifindex;
2669 ri->flags = flags;
2670 ri->map = map;
2671 ri->map_owner = map_owner;
2672
2673 return XDP_REDIRECT;
2674 }
2675
2676 /* Note, arg4 is hidden from users and populated by the verifier
2677 * with the right pointer.
2678 */
2679 static const struct bpf_func_proto bpf_xdp_redirect_map_proto = {
2680 .func = bpf_xdp_redirect_map,
2681 .gpl_only = false,
2682 .ret_type = RET_INTEGER,
2683 .arg1_type = ARG_CONST_MAP_PTR,
2684 .arg2_type = ARG_ANYTHING,
2685 .arg3_type = ARG_ANYTHING,
2686 };
2687
2688 bool bpf_helper_changes_pkt_data(void *func)
2689 {
2690 if (func == bpf_skb_vlan_push ||
2691 func == bpf_skb_vlan_pop ||
2692 func == bpf_skb_store_bytes ||
2693 func == bpf_skb_change_proto ||
2694 func == bpf_skb_change_head ||
2695 func == bpf_skb_change_tail ||
2696 func == bpf_skb_adjust_room ||
2697 func == bpf_skb_pull_data ||
2698 func == bpf_clone_redirect ||
2699 func == bpf_l3_csum_replace ||
2700 func == bpf_l4_csum_replace ||
2701 func == bpf_xdp_adjust_head)
2702 return true;
2703
2704 return false;
2705 }
2706
2707 static unsigned long bpf_skb_copy(void *dst_buff, const void *skb,
2708 unsigned long off, unsigned long len)
2709 {
2710 void *ptr = skb_header_pointer(skb, off, len, dst_buff);
2711
2712 if (unlikely(!ptr))
2713 return len;
2714 if (ptr != dst_buff)
2715 memcpy(dst_buff, ptr, len);
2716
2717 return 0;
2718 }
2719
2720 BPF_CALL_5(bpf_skb_event_output, struct sk_buff *, skb, struct bpf_map *, map,
2721 u64, flags, void *, meta, u64, meta_size)
2722 {
2723 u64 skb_size = (flags & BPF_F_CTXLEN_MASK) >> 32;
2724
2725 if (unlikely(flags & ~(BPF_F_CTXLEN_MASK | BPF_F_INDEX_MASK)))
2726 return -EINVAL;
2727 if (unlikely(skb_size > skb->len))
2728 return -EFAULT;
2729
2730 return bpf_event_output(map, flags, meta, meta_size, skb, skb_size,
2731 bpf_skb_copy);
2732 }
2733
2734 static const struct bpf_func_proto bpf_skb_event_output_proto = {
2735 .func = bpf_skb_event_output,
2736 .gpl_only = true,
2737 .ret_type = RET_INTEGER,
2738 .arg1_type = ARG_PTR_TO_CTX,
2739 .arg2_type = ARG_CONST_MAP_PTR,
2740 .arg3_type = ARG_ANYTHING,
2741 .arg4_type = ARG_PTR_TO_MEM,
2742 .arg5_type = ARG_CONST_SIZE,
2743 };
2744
2745 static unsigned short bpf_tunnel_key_af(u64 flags)
2746 {
2747 return flags & BPF_F_TUNINFO_IPV6 ? AF_INET6 : AF_INET;
2748 }
2749
2750 BPF_CALL_4(bpf_skb_get_tunnel_key, struct sk_buff *, skb, struct bpf_tunnel_key *, to,
2751 u32, size, u64, flags)
2752 {
2753 const struct ip_tunnel_info *info = skb_tunnel_info(skb);
2754 u8 compat[sizeof(struct bpf_tunnel_key)];
2755 void *to_orig = to;
2756 int err;
2757
2758 if (unlikely(!info || (flags & ~(BPF_F_TUNINFO_IPV6)))) {
2759 err = -EINVAL;
2760 goto err_clear;
2761 }
2762 if (ip_tunnel_info_af(info) != bpf_tunnel_key_af(flags)) {
2763 err = -EPROTO;
2764 goto err_clear;
2765 }
2766 if (unlikely(size != sizeof(struct bpf_tunnel_key))) {
2767 err = -EINVAL;
2768 switch (size) {
2769 case offsetof(struct bpf_tunnel_key, tunnel_label):
2770 case offsetof(struct bpf_tunnel_key, tunnel_ext):
2771 goto set_compat;
2772 case offsetof(struct bpf_tunnel_key, remote_ipv6[1]):
2773 /* Fixup deprecated structure layouts here, so we have
2774 * a common path later on.
2775 */
2776 if (ip_tunnel_info_af(info) != AF_INET)
2777 goto err_clear;
2778 set_compat:
2779 to = (struct bpf_tunnel_key *)compat;
2780 break;
2781 default:
2782 goto err_clear;
2783 }
2784 }
2785
2786 to->tunnel_id = be64_to_cpu(info->key.tun_id);
2787 to->tunnel_tos = info->key.tos;
2788 to->tunnel_ttl = info->key.ttl;
2789
2790 if (flags & BPF_F_TUNINFO_IPV6) {
2791 memcpy(to->remote_ipv6, &info->key.u.ipv6.src,
2792 sizeof(to->remote_ipv6));
2793 to->tunnel_label = be32_to_cpu(info->key.label);
2794 } else {
2795 to->remote_ipv4 = be32_to_cpu(info->key.u.ipv4.src);
2796 }
2797
2798 if (unlikely(size != sizeof(struct bpf_tunnel_key)))
2799 memcpy(to_orig, to, size);
2800
2801 return 0;
2802 err_clear:
2803 memset(to_orig, 0, size);
2804 return err;
2805 }
2806
2807 static const struct bpf_func_proto bpf_skb_get_tunnel_key_proto = {
2808 .func = bpf_skb_get_tunnel_key,
2809 .gpl_only = false,
2810 .ret_type = RET_INTEGER,
2811 .arg1_type = ARG_PTR_TO_CTX,
2812 .arg2_type = ARG_PTR_TO_UNINIT_MEM,
2813 .arg3_type = ARG_CONST_SIZE,
2814 .arg4_type = ARG_ANYTHING,
2815 };
2816
2817 BPF_CALL_3(bpf_skb_get_tunnel_opt, struct sk_buff *, skb, u8 *, to, u32, size)
2818 {
2819 const struct ip_tunnel_info *info = skb_tunnel_info(skb);
2820 int err;
2821
2822 if (unlikely(!info ||
2823 !(info->key.tun_flags & TUNNEL_OPTIONS_PRESENT))) {
2824 err = -ENOENT;
2825 goto err_clear;
2826 }
2827 if (unlikely(size < info->options_len)) {
2828 err = -ENOMEM;
2829 goto err_clear;
2830 }
2831
2832 ip_tunnel_info_opts_get(to, info);
2833 if (size > info->options_len)
2834 memset(to + info->options_len, 0, size - info->options_len);
2835
2836 return info->options_len;
2837 err_clear:
2838 memset(to, 0, size);
2839 return err;
2840 }
2841
2842 static const struct bpf_func_proto bpf_skb_get_tunnel_opt_proto = {
2843 .func = bpf_skb_get_tunnel_opt,
2844 .gpl_only = false,
2845 .ret_type = RET_INTEGER,
2846 .arg1_type = ARG_PTR_TO_CTX,
2847 .arg2_type = ARG_PTR_TO_UNINIT_MEM,
2848 .arg3_type = ARG_CONST_SIZE,
2849 };
2850
2851 static struct metadata_dst __percpu *md_dst;
2852
2853 BPF_CALL_4(bpf_skb_set_tunnel_key, struct sk_buff *, skb,
2854 const struct bpf_tunnel_key *, from, u32, size, u64, flags)
2855 {
2856 struct metadata_dst *md = this_cpu_ptr(md_dst);
2857 u8 compat[sizeof(struct bpf_tunnel_key)];
2858 struct ip_tunnel_info *info;
2859
2860 if (unlikely(flags & ~(BPF_F_TUNINFO_IPV6 | BPF_F_ZERO_CSUM_TX |
2861 BPF_F_DONT_FRAGMENT)))
2862 return -EINVAL;
2863 if (unlikely(size != sizeof(struct bpf_tunnel_key))) {
2864 switch (size) {
2865 case offsetof(struct bpf_tunnel_key, tunnel_label):
2866 case offsetof(struct bpf_tunnel_key, tunnel_ext):
2867 case offsetof(struct bpf_tunnel_key, remote_ipv6[1]):
2868 /* Fixup deprecated structure layouts here, so we have
2869 * a common path later on.
2870 */
2871 memcpy(compat, from, size);
2872 memset(compat + size, 0, sizeof(compat) - size);
2873 from = (const struct bpf_tunnel_key *) compat;
2874 break;
2875 default:
2876 return -EINVAL;
2877 }
2878 }
2879 if (unlikely((!(flags & BPF_F_TUNINFO_IPV6) && from->tunnel_label) ||
2880 from->tunnel_ext))
2881 return -EINVAL;
2882
2883 skb_dst_drop(skb);
2884 dst_hold((struct dst_entry *) md);
2885 skb_dst_set(skb, (struct dst_entry *) md);
2886
2887 info = &md->u.tun_info;
2888 info->mode = IP_TUNNEL_INFO_TX;
2889
2890 info->key.tun_flags = TUNNEL_KEY | TUNNEL_CSUM | TUNNEL_NOCACHE;
2891 if (flags & BPF_F_DONT_FRAGMENT)
2892 info->key.tun_flags |= TUNNEL_DONT_FRAGMENT;
2893
2894 info->key.tun_id = cpu_to_be64(from->tunnel_id);
2895 info->key.tos = from->tunnel_tos;
2896 info->key.ttl = from->tunnel_ttl;
2897
2898 if (flags & BPF_F_TUNINFO_IPV6) {
2899 info->mode |= IP_TUNNEL_INFO_IPV6;
2900 memcpy(&info->key.u.ipv6.dst, from->remote_ipv6,
2901 sizeof(from->remote_ipv6));
2902 info->key.label = cpu_to_be32(from->tunnel_label) &
2903 IPV6_FLOWLABEL_MASK;
2904 } else {
2905 info->key.u.ipv4.dst = cpu_to_be32(from->remote_ipv4);
2906 if (flags & BPF_F_ZERO_CSUM_TX)
2907 info->key.tun_flags &= ~TUNNEL_CSUM;
2908 }
2909
2910 return 0;
2911 }
2912
2913 static const struct bpf_func_proto bpf_skb_set_tunnel_key_proto = {
2914 .func = bpf_skb_set_tunnel_key,
2915 .gpl_only = false,
2916 .ret_type = RET_INTEGER,
2917 .arg1_type = ARG_PTR_TO_CTX,
2918 .arg2_type = ARG_PTR_TO_MEM,
2919 .arg3_type = ARG_CONST_SIZE,
2920 .arg4_type = ARG_ANYTHING,
2921 };
2922
2923 BPF_CALL_3(bpf_skb_set_tunnel_opt, struct sk_buff *, skb,
2924 const u8 *, from, u32, size)
2925 {
2926 struct ip_tunnel_info *info = skb_tunnel_info(skb);
2927 const struct metadata_dst *md = this_cpu_ptr(md_dst);
2928
2929 if (unlikely(info != &md->u.tun_info || (size & (sizeof(u32) - 1))))
2930 return -EINVAL;
2931 if (unlikely(size > IP_TUNNEL_OPTS_MAX))
2932 return -ENOMEM;
2933
2934 ip_tunnel_info_opts_set(info, from, size);
2935
2936 return 0;
2937 }
2938
2939 static const struct bpf_func_proto bpf_skb_set_tunnel_opt_proto = {
2940 .func = bpf_skb_set_tunnel_opt,
2941 .gpl_only = false,
2942 .ret_type = RET_INTEGER,
2943 .arg1_type = ARG_PTR_TO_CTX,
2944 .arg2_type = ARG_PTR_TO_MEM,
2945 .arg3_type = ARG_CONST_SIZE,
2946 };
2947
2948 static const struct bpf_func_proto *
2949 bpf_get_skb_set_tunnel_proto(enum bpf_func_id which)
2950 {
2951 if (!md_dst) {
2952 /* Race is not possible, since it's called from verifier
2953 * that is holding verifier mutex.
2954 */
2955 md_dst = metadata_dst_alloc_percpu(IP_TUNNEL_OPTS_MAX,
2956 METADATA_IP_TUNNEL,
2957 GFP_KERNEL);
2958 if (!md_dst)
2959 return NULL;
2960 }
2961
2962 switch (which) {
2963 case BPF_FUNC_skb_set_tunnel_key:
2964 return &bpf_skb_set_tunnel_key_proto;
2965 case BPF_FUNC_skb_set_tunnel_opt:
2966 return &bpf_skb_set_tunnel_opt_proto;
2967 default:
2968 return NULL;
2969 }
2970 }
2971
2972 BPF_CALL_3(bpf_skb_under_cgroup, struct sk_buff *, skb, struct bpf_map *, map,
2973 u32, idx)
2974 {
2975 struct bpf_array *array = container_of(map, struct bpf_array, map);
2976 struct cgroup *cgrp;
2977 struct sock *sk;
2978
2979 sk = skb_to_full_sk(skb);
2980 if (!sk || !sk_fullsock(sk))
2981 return -ENOENT;
2982 if (unlikely(idx >= array->map.max_entries))
2983 return -E2BIG;
2984
2985 cgrp = READ_ONCE(array->ptrs[idx]);
2986 if (unlikely(!cgrp))
2987 return -EAGAIN;
2988
2989 return sk_under_cgroup_hierarchy(sk, cgrp);
2990 }
2991
2992 static const struct bpf_func_proto bpf_skb_under_cgroup_proto = {
2993 .func = bpf_skb_under_cgroup,
2994 .gpl_only = false,
2995 .ret_type = RET_INTEGER,
2996 .arg1_type = ARG_PTR_TO_CTX,
2997 .arg2_type = ARG_CONST_MAP_PTR,
2998 .arg3_type = ARG_ANYTHING,
2999 };
3000
3001 static unsigned long bpf_xdp_copy(void *dst_buff, const void *src_buff,
3002 unsigned long off, unsigned long len)
3003 {
3004 memcpy(dst_buff, src_buff + off, len);
3005 return 0;
3006 }
3007
3008 BPF_CALL_5(bpf_xdp_event_output, struct xdp_buff *, xdp, struct bpf_map *, map,
3009 u64, flags, void *, meta, u64, meta_size)
3010 {
3011 u64 xdp_size = (flags & BPF_F_CTXLEN_MASK) >> 32;
3012
3013 if (unlikely(flags & ~(BPF_F_CTXLEN_MASK | BPF_F_INDEX_MASK)))
3014 return -EINVAL;
3015 if (unlikely(xdp_size > (unsigned long)(xdp->data_end - xdp->data)))
3016 return -EFAULT;
3017
3018 return bpf_event_output(map, flags, meta, meta_size, xdp->data,
3019 xdp_size, bpf_xdp_copy);
3020 }
3021
3022 static const struct bpf_func_proto bpf_xdp_event_output_proto = {
3023 .func = bpf_xdp_event_output,
3024 .gpl_only = true,
3025 .ret_type = RET_INTEGER,
3026 .arg1_type = ARG_PTR_TO_CTX,
3027 .arg2_type = ARG_CONST_MAP_PTR,
3028 .arg3_type = ARG_ANYTHING,
3029 .arg4_type = ARG_PTR_TO_MEM,
3030 .arg5_type = ARG_CONST_SIZE,
3031 };
3032
3033 BPF_CALL_1(bpf_get_socket_cookie, struct sk_buff *, skb)
3034 {
3035 return skb->sk ? sock_gen_cookie(skb->sk) : 0;
3036 }
3037
3038 static const struct bpf_func_proto bpf_get_socket_cookie_proto = {
3039 .func = bpf_get_socket_cookie,
3040 .gpl_only = false,
3041 .ret_type = RET_INTEGER,
3042 .arg1_type = ARG_PTR_TO_CTX,
3043 };
3044
3045 BPF_CALL_1(bpf_get_socket_uid, struct sk_buff *, skb)
3046 {
3047 struct sock *sk = sk_to_full_sk(skb->sk);
3048 kuid_t kuid;
3049
3050 if (!sk || !sk_fullsock(sk))
3051 return overflowuid;
3052 kuid = sock_net_uid(sock_net(sk), sk);
3053 return from_kuid_munged(sock_net(sk)->user_ns, kuid);
3054 }
3055
3056 static const struct bpf_func_proto bpf_get_socket_uid_proto = {
3057 .func = bpf_get_socket_uid,
3058 .gpl_only = false,
3059 .ret_type = RET_INTEGER,
3060 .arg1_type = ARG_PTR_TO_CTX,
3061 };
3062
3063 BPF_CALL_5(bpf_setsockopt, struct bpf_sock_ops_kern *, bpf_sock,
3064 int, level, int, optname, char *, optval, int, optlen)
3065 {
3066 struct sock *sk = bpf_sock->sk;
3067 int ret = 0;
3068 int val;
3069
3070 if (!sk_fullsock(sk))
3071 return -EINVAL;
3072
3073 if (level == SOL_SOCKET) {
3074 if (optlen != sizeof(int))
3075 return -EINVAL;
3076 val = *((int *)optval);
3077
3078 /* Only some socketops are supported */
3079 switch (optname) {
3080 case SO_RCVBUF:
3081 sk->sk_userlocks |= SOCK_RCVBUF_LOCK;
3082 sk->sk_rcvbuf = max_t(int, val * 2, SOCK_MIN_RCVBUF);
3083 break;
3084 case SO_SNDBUF:
3085 sk->sk_userlocks |= SOCK_SNDBUF_LOCK;
3086 sk->sk_sndbuf = max_t(int, val * 2, SOCK_MIN_SNDBUF);
3087 break;
3088 case SO_MAX_PACING_RATE:
3089 sk->sk_max_pacing_rate = val;
3090 sk->sk_pacing_rate = min(sk->sk_pacing_rate,
3091 sk->sk_max_pacing_rate);
3092 break;
3093 case SO_PRIORITY:
3094 sk->sk_priority = val;
3095 break;
3096 case SO_RCVLOWAT:
3097 if (val < 0)
3098 val = INT_MAX;
3099 sk->sk_rcvlowat = val ? : 1;
3100 break;
3101 case SO_MARK:
3102 sk->sk_mark = val;
3103 break;
3104 default:
3105 ret = -EINVAL;
3106 }
3107 #ifdef CONFIG_INET
3108 } else if (level == SOL_TCP &&
3109 sk->sk_prot->setsockopt == tcp_setsockopt) {
3110 if (optname == TCP_CONGESTION) {
3111 char name[TCP_CA_NAME_MAX];
3112 bool reinit = bpf_sock->op > BPF_SOCK_OPS_NEEDS_ECN;
3113
3114 strncpy(name, optval, min_t(long, optlen,
3115 TCP_CA_NAME_MAX-1));
3116 name[TCP_CA_NAME_MAX-1] = 0;
3117 ret = tcp_set_congestion_control(sk, name, false, reinit);
3118 } else {
3119 struct tcp_sock *tp = tcp_sk(sk);
3120
3121 if (optlen != sizeof(int))
3122 return -EINVAL;
3123
3124 val = *((int *)optval);
3125 /* Only some options are supported */
3126 switch (optname) {
3127 case TCP_BPF_IW:
3128 if (val <= 0 || tp->data_segs_out > 0)
3129 ret = -EINVAL;
3130 else
3131 tp->snd_cwnd = val;
3132 break;
3133 case TCP_BPF_SNDCWND_CLAMP:
3134 if (val <= 0) {
3135 ret = -EINVAL;
3136 } else {
3137 tp->snd_cwnd_clamp = val;
3138 tp->snd_ssthresh = val;
3139 }
3140 break;
3141 default:
3142 ret = -EINVAL;
3143 }
3144 }
3145 #endif
3146 } else {
3147 ret = -EINVAL;
3148 }
3149 return ret;
3150 }
3151
3152 static const struct bpf_func_proto bpf_setsockopt_proto = {
3153 .func = bpf_setsockopt,
3154 .gpl_only = true,
3155 .ret_type = RET_INTEGER,
3156 .arg1_type = ARG_PTR_TO_CTX,
3157 .arg2_type = ARG_ANYTHING,
3158 .arg3_type = ARG_ANYTHING,
3159 .arg4_type = ARG_PTR_TO_MEM,
3160 .arg5_type = ARG_CONST_SIZE,
3161 };
3162
3163 static const struct bpf_func_proto *
3164 bpf_base_func_proto(enum bpf_func_id func_id)
3165 {
3166 switch (func_id) {
3167 case BPF_FUNC_map_lookup_elem:
3168 return &bpf_map_lookup_elem_proto;
3169 case BPF_FUNC_map_update_elem:
3170 return &bpf_map_update_elem_proto;
3171 case BPF_FUNC_map_delete_elem:
3172 return &bpf_map_delete_elem_proto;
3173 case BPF_FUNC_get_prandom_u32:
3174 return &bpf_get_prandom_u32_proto;
3175 case BPF_FUNC_get_smp_processor_id:
3176 return &bpf_get_raw_smp_processor_id_proto;
3177 case BPF_FUNC_get_numa_node_id:
3178 return &bpf_get_numa_node_id_proto;
3179 case BPF_FUNC_tail_call:
3180 return &bpf_tail_call_proto;
3181 case BPF_FUNC_ktime_get_ns:
3182 return &bpf_ktime_get_ns_proto;
3183 case BPF_FUNC_trace_printk:
3184 if (capable(CAP_SYS_ADMIN))
3185 return bpf_get_trace_printk_proto();
3186 default:
3187 return NULL;
3188 }
3189 }
3190
3191 static const struct bpf_func_proto *
3192 sock_filter_func_proto(enum bpf_func_id func_id)
3193 {
3194 switch (func_id) {
3195 /* inet and inet6 sockets are created in a process
3196 * context so there is always a valid uid/gid
3197 */
3198 case BPF_FUNC_get_current_uid_gid:
3199 return &bpf_get_current_uid_gid_proto;
3200 default:
3201 return bpf_base_func_proto(func_id);
3202 }
3203 }
3204
3205 static const struct bpf_func_proto *
3206 sk_filter_func_proto(enum bpf_func_id func_id)
3207 {
3208 switch (func_id) {
3209 case BPF_FUNC_skb_load_bytes:
3210 return &bpf_skb_load_bytes_proto;
3211 case BPF_FUNC_get_socket_cookie:
3212 return &bpf_get_socket_cookie_proto;
3213 case BPF_FUNC_get_socket_uid:
3214 return &bpf_get_socket_uid_proto;
3215 default:
3216 return bpf_base_func_proto(func_id);
3217 }
3218 }
3219
3220 static const struct bpf_func_proto *
3221 tc_cls_act_func_proto(enum bpf_func_id func_id)
3222 {
3223 switch (func_id) {
3224 case BPF_FUNC_skb_store_bytes:
3225 return &bpf_skb_store_bytes_proto;
3226 case BPF_FUNC_skb_load_bytes:
3227 return &bpf_skb_load_bytes_proto;
3228 case BPF_FUNC_skb_pull_data:
3229 return &bpf_skb_pull_data_proto;
3230 case BPF_FUNC_csum_diff:
3231 return &bpf_csum_diff_proto;
3232 case BPF_FUNC_csum_update:
3233 return &bpf_csum_update_proto;
3234 case BPF_FUNC_l3_csum_replace:
3235 return &bpf_l3_csum_replace_proto;
3236 case BPF_FUNC_l4_csum_replace:
3237 return &bpf_l4_csum_replace_proto;
3238 case BPF_FUNC_clone_redirect:
3239 return &bpf_clone_redirect_proto;
3240 case BPF_FUNC_get_cgroup_classid:
3241 return &bpf_get_cgroup_classid_proto;
3242 case BPF_FUNC_skb_vlan_push:
3243 return &bpf_skb_vlan_push_proto;
3244 case BPF_FUNC_skb_vlan_pop:
3245 return &bpf_skb_vlan_pop_proto;
3246 case BPF_FUNC_skb_change_proto:
3247 return &bpf_skb_change_proto_proto;
3248 case BPF_FUNC_skb_change_type:
3249 return &bpf_skb_change_type_proto;
3250 case BPF_FUNC_skb_adjust_room:
3251 return &bpf_skb_adjust_room_proto;
3252 case BPF_FUNC_skb_change_tail:
3253 return &bpf_skb_change_tail_proto;
3254 case BPF_FUNC_skb_get_tunnel_key:
3255 return &bpf_skb_get_tunnel_key_proto;
3256 case BPF_FUNC_skb_set_tunnel_key:
3257 return bpf_get_skb_set_tunnel_proto(func_id);
3258 case BPF_FUNC_skb_get_tunnel_opt:
3259 return &bpf_skb_get_tunnel_opt_proto;
3260 case BPF_FUNC_skb_set_tunnel_opt:
3261 return bpf_get_skb_set_tunnel_proto(func_id);
3262 case BPF_FUNC_redirect:
3263 return &bpf_redirect_proto;
3264 case BPF_FUNC_get_route_realm:
3265 return &bpf_get_route_realm_proto;
3266 case BPF_FUNC_get_hash_recalc:
3267 return &bpf_get_hash_recalc_proto;
3268 case BPF_FUNC_set_hash_invalid:
3269 return &bpf_set_hash_invalid_proto;
3270 case BPF_FUNC_set_hash:
3271 return &bpf_set_hash_proto;
3272 case BPF_FUNC_perf_event_output:
3273 return &bpf_skb_event_output_proto;
3274 case BPF_FUNC_get_smp_processor_id:
3275 return &bpf_get_smp_processor_id_proto;
3276 case BPF_FUNC_skb_under_cgroup:
3277 return &bpf_skb_under_cgroup_proto;
3278 case BPF_FUNC_get_socket_cookie:
3279 return &bpf_get_socket_cookie_proto;
3280 case BPF_FUNC_get_socket_uid:
3281 return &bpf_get_socket_uid_proto;
3282 default:
3283 return bpf_base_func_proto(func_id);
3284 }
3285 }
3286
3287 static const struct bpf_func_proto *
3288 xdp_func_proto(enum bpf_func_id func_id)
3289 {
3290 switch (func_id) {
3291 case BPF_FUNC_perf_event_output:
3292 return &bpf_xdp_event_output_proto;
3293 case BPF_FUNC_get_smp_processor_id:
3294 return &bpf_get_smp_processor_id_proto;
3295 case BPF_FUNC_xdp_adjust_head:
3296 return &bpf_xdp_adjust_head_proto;
3297 case BPF_FUNC_redirect:
3298 return &bpf_xdp_redirect_proto;
3299 case BPF_FUNC_redirect_map:
3300 return &bpf_xdp_redirect_map_proto;
3301 default:
3302 return bpf_base_func_proto(func_id);
3303 }
3304 }
3305
3306 static const struct bpf_func_proto *
3307 lwt_inout_func_proto(enum bpf_func_id func_id)
3308 {
3309 switch (func_id) {
3310 case BPF_FUNC_skb_load_bytes:
3311 return &bpf_skb_load_bytes_proto;
3312 case BPF_FUNC_skb_pull_data:
3313 return &bpf_skb_pull_data_proto;
3314 case BPF_FUNC_csum_diff:
3315 return &bpf_csum_diff_proto;
3316 case BPF_FUNC_get_cgroup_classid:
3317 return &bpf_get_cgroup_classid_proto;
3318 case BPF_FUNC_get_route_realm:
3319 return &bpf_get_route_realm_proto;
3320 case BPF_FUNC_get_hash_recalc:
3321 return &bpf_get_hash_recalc_proto;
3322 case BPF_FUNC_perf_event_output:
3323 return &bpf_skb_event_output_proto;
3324 case BPF_FUNC_get_smp_processor_id:
3325 return &bpf_get_smp_processor_id_proto;
3326 case BPF_FUNC_skb_under_cgroup:
3327 return &bpf_skb_under_cgroup_proto;
3328 default:
3329 return bpf_base_func_proto(func_id);
3330 }
3331 }
3332
3333 static const struct bpf_func_proto *
3334 sock_ops_func_proto(enum bpf_func_id func_id)
3335 {
3336 switch (func_id) {
3337 case BPF_FUNC_setsockopt:
3338 return &bpf_setsockopt_proto;
3339 case BPF_FUNC_sock_map_update:
3340 return &bpf_sock_map_update_proto;
3341 default:
3342 return bpf_base_func_proto(func_id);
3343 }
3344 }
3345
3346 static const struct bpf_func_proto *sk_skb_func_proto(enum bpf_func_id func_id)
3347 {
3348 switch (func_id) {
3349 case BPF_FUNC_skb_store_bytes:
3350 return &bpf_skb_store_bytes_proto;
3351 case BPF_FUNC_skb_load_bytes:
3352 return &bpf_skb_load_bytes_proto;
3353 case BPF_FUNC_skb_pull_data:
3354 return &bpf_skb_pull_data_proto;
3355 case BPF_FUNC_skb_change_tail:
3356 return &bpf_skb_change_tail_proto;
3357 case BPF_FUNC_skb_change_head:
3358 return &bpf_skb_change_head_proto;
3359 case BPF_FUNC_get_socket_cookie:
3360 return &bpf_get_socket_cookie_proto;
3361 case BPF_FUNC_get_socket_uid:
3362 return &bpf_get_socket_uid_proto;
3363 case BPF_FUNC_sk_redirect_map:
3364 return &bpf_sk_redirect_map_proto;
3365 default:
3366 return bpf_base_func_proto(func_id);
3367 }
3368 }
3369
3370 static const struct bpf_func_proto *
3371 lwt_xmit_func_proto(enum bpf_func_id func_id)
3372 {
3373 switch (func_id) {
3374 case BPF_FUNC_skb_get_tunnel_key:
3375 return &bpf_skb_get_tunnel_key_proto;
3376 case BPF_FUNC_skb_set_tunnel_key:
3377 return bpf_get_skb_set_tunnel_proto(func_id);
3378 case BPF_FUNC_skb_get_tunnel_opt:
3379 return &bpf_skb_get_tunnel_opt_proto;
3380 case BPF_FUNC_skb_set_tunnel_opt:
3381 return bpf_get_skb_set_tunnel_proto(func_id);
3382 case BPF_FUNC_redirect:
3383 return &bpf_redirect_proto;
3384 case BPF_FUNC_clone_redirect:
3385 return &bpf_clone_redirect_proto;
3386 case BPF_FUNC_skb_change_tail:
3387 return &bpf_skb_change_tail_proto;
3388 case BPF_FUNC_skb_change_head:
3389 return &bpf_skb_change_head_proto;
3390 case BPF_FUNC_skb_store_bytes:
3391 return &bpf_skb_store_bytes_proto;
3392 case BPF_FUNC_csum_update:
3393 return &bpf_csum_update_proto;
3394 case BPF_FUNC_l3_csum_replace:
3395 return &bpf_l3_csum_replace_proto;
3396 case BPF_FUNC_l4_csum_replace:
3397 return &bpf_l4_csum_replace_proto;
3398 case BPF_FUNC_set_hash_invalid:
3399 return &bpf_set_hash_invalid_proto;
3400 default:
3401 return lwt_inout_func_proto(func_id);
3402 }
3403 }
3404
3405 static bool bpf_skb_is_valid_access(int off, int size, enum bpf_access_type type,
3406 struct bpf_insn_access_aux *info)
3407 {
3408 const int size_default = sizeof(__u32);
3409
3410 if (off < 0 || off >= sizeof(struct __sk_buff))
3411 return false;
3412
3413 /* The verifier guarantees that size > 0. */
3414 if (off % size != 0)
3415 return false;
3416
3417 switch (off) {
3418 case bpf_ctx_range_till(struct __sk_buff, cb[0], cb[4]):
3419 if (off + size > offsetofend(struct __sk_buff, cb[4]))
3420 return false;
3421 break;
3422 case bpf_ctx_range_till(struct __sk_buff, remote_ip6[0], remote_ip6[3]):
3423 case bpf_ctx_range_till(struct __sk_buff, local_ip6[0], local_ip6[3]):
3424 case bpf_ctx_range_till(struct __sk_buff, remote_ip4, remote_ip4):
3425 case bpf_ctx_range_till(struct __sk_buff, local_ip4, local_ip4):
3426 case bpf_ctx_range(struct __sk_buff, data):
3427 case bpf_ctx_range(struct __sk_buff, data_end):
3428 if (size != size_default)
3429 return false;
3430 break;
3431 default:
3432 /* Only narrow read access allowed for now. */
3433 if (type == BPF_WRITE) {
3434 if (size != size_default)
3435 return false;
3436 } else {
3437 bpf_ctx_record_field_size(info, size_default);
3438 if (!bpf_ctx_narrow_access_ok(off, size, size_default))
3439 return false;
3440 }
3441 }
3442
3443 return true;
3444 }
3445
3446 static bool sk_filter_is_valid_access(int off, int size,
3447 enum bpf_access_type type,
3448 struct bpf_insn_access_aux *info)
3449 {
3450 switch (off) {
3451 case bpf_ctx_range(struct __sk_buff, tc_classid):
3452 case bpf_ctx_range(struct __sk_buff, data):
3453 case bpf_ctx_range(struct __sk_buff, data_end):
3454 case bpf_ctx_range_till(struct __sk_buff, family, local_port):
3455 return false;
3456 }
3457
3458 if (type == BPF_WRITE) {
3459 switch (off) {
3460 case bpf_ctx_range_till(struct __sk_buff, cb[0], cb[4]):
3461 break;
3462 default:
3463 return false;
3464 }
3465 }
3466
3467 return bpf_skb_is_valid_access(off, size, type, info);
3468 }
3469
3470 static bool lwt_is_valid_access(int off, int size,
3471 enum bpf_access_type type,
3472 struct bpf_insn_access_aux *info)
3473 {
3474 switch (off) {
3475 case bpf_ctx_range(struct __sk_buff, tc_classid):
3476 case bpf_ctx_range_till(struct __sk_buff, family, local_port):
3477 return false;
3478 }
3479
3480 if (type == BPF_WRITE) {
3481 switch (off) {
3482 case bpf_ctx_range(struct __sk_buff, mark):
3483 case bpf_ctx_range(struct __sk_buff, priority):
3484 case bpf_ctx_range_till(struct __sk_buff, cb[0], cb[4]):
3485 break;
3486 default:
3487 return false;
3488 }
3489 }
3490
3491 switch (off) {
3492 case bpf_ctx_range(struct __sk_buff, data):
3493 info->reg_type = PTR_TO_PACKET;
3494 break;
3495 case bpf_ctx_range(struct __sk_buff, data_end):
3496 info->reg_type = PTR_TO_PACKET_END;
3497 break;
3498 }
3499
3500 return bpf_skb_is_valid_access(off, size, type, info);
3501 }
3502
3503 static bool sock_filter_is_valid_access(int off, int size,
3504 enum bpf_access_type type,
3505 struct bpf_insn_access_aux *info)
3506 {
3507 if (type == BPF_WRITE) {
3508 switch (off) {
3509 case offsetof(struct bpf_sock, bound_dev_if):
3510 case offsetof(struct bpf_sock, mark):
3511 case offsetof(struct bpf_sock, priority):
3512 break;
3513 default:
3514 return false;
3515 }
3516 }
3517
3518 if (off < 0 || off + size > sizeof(struct bpf_sock))
3519 return false;
3520 /* The verifier guarantees that size > 0. */
3521 if (off % size != 0)
3522 return false;
3523 if (size != sizeof(__u32))
3524 return false;
3525
3526 return true;
3527 }
3528
3529 static int bpf_unclone_prologue(struct bpf_insn *insn_buf, bool direct_write,
3530 const struct bpf_prog *prog, int drop_verdict)
3531 {
3532 struct bpf_insn *insn = insn_buf;
3533
3534 if (!direct_write)
3535 return 0;
3536
3537 /* if (!skb->cloned)
3538 * goto start;
3539 *
3540 * (Fast-path, otherwise approximation that we might be
3541 * a clone, do the rest in helper.)
3542 */
3543 *insn++ = BPF_LDX_MEM(BPF_B, BPF_REG_6, BPF_REG_1, CLONED_OFFSET());
3544 *insn++ = BPF_ALU32_IMM(BPF_AND, BPF_REG_6, CLONED_MASK);
3545 *insn++ = BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 7);
3546
3547 /* ret = bpf_skb_pull_data(skb, 0); */
3548 *insn++ = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
3549 *insn++ = BPF_ALU64_REG(BPF_XOR, BPF_REG_2, BPF_REG_2);
3550 *insn++ = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3551 BPF_FUNC_skb_pull_data);
3552 /* if (!ret)
3553 * goto restore;
3554 * return TC_ACT_SHOT;
3555 */
3556 *insn++ = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2);
3557 *insn++ = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, drop_verdict);
3558 *insn++ = BPF_EXIT_INSN();
3559
3560 /* restore: */
3561 *insn++ = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
3562 /* start: */
3563 *insn++ = prog->insnsi[0];
3564
3565 return insn - insn_buf;
3566 }
3567
3568 static int tc_cls_act_prologue(struct bpf_insn *insn_buf, bool direct_write,
3569 const struct bpf_prog *prog)
3570 {
3571 return bpf_unclone_prologue(insn_buf, direct_write, prog, TC_ACT_SHOT);
3572 }
3573
3574 static bool tc_cls_act_is_valid_access(int off, int size,
3575 enum bpf_access_type type,
3576 struct bpf_insn_access_aux *info)
3577 {
3578 if (type == BPF_WRITE) {
3579 switch (off) {
3580 case bpf_ctx_range(struct __sk_buff, mark):
3581 case bpf_ctx_range(struct __sk_buff, tc_index):
3582 case bpf_ctx_range(struct __sk_buff, priority):
3583 case bpf_ctx_range(struct __sk_buff, tc_classid):
3584 case bpf_ctx_range_till(struct __sk_buff, cb[0], cb[4]):
3585 break;
3586 default:
3587 return false;
3588 }
3589 }
3590
3591 switch (off) {
3592 case bpf_ctx_range(struct __sk_buff, data):
3593 info->reg_type = PTR_TO_PACKET;
3594 break;
3595 case bpf_ctx_range(struct __sk_buff, data_end):
3596 info->reg_type = PTR_TO_PACKET_END;
3597 break;
3598 case bpf_ctx_range_till(struct __sk_buff, family, local_port):
3599 return false;
3600 }
3601
3602 return bpf_skb_is_valid_access(off, size, type, info);
3603 }
3604
3605 static bool __is_valid_xdp_access(int off, int size)
3606 {
3607 if (off < 0 || off >= sizeof(struct xdp_md))
3608 return false;
3609 if (off % size != 0)
3610 return false;
3611 if (size != sizeof(__u32))
3612 return false;
3613
3614 return true;
3615 }
3616
3617 static bool xdp_is_valid_access(int off, int size,
3618 enum bpf_access_type type,
3619 struct bpf_insn_access_aux *info)
3620 {
3621 if (type == BPF_WRITE)
3622 return false;
3623
3624 switch (off) {
3625 case offsetof(struct xdp_md, data):
3626 info->reg_type = PTR_TO_PACKET;
3627 break;
3628 case offsetof(struct xdp_md, data_end):
3629 info->reg_type = PTR_TO_PACKET_END;
3630 break;
3631 }
3632
3633 return __is_valid_xdp_access(off, size);
3634 }
3635
3636 void bpf_warn_invalid_xdp_action(u32 act)
3637 {
3638 const u32 act_max = XDP_REDIRECT;
3639
3640 WARN_ONCE(1, "%s XDP return value %u, expect packet loss!\n",
3641 act > act_max ? "Illegal" : "Driver unsupported",
3642 act);
3643 }
3644 EXPORT_SYMBOL_GPL(bpf_warn_invalid_xdp_action);
3645
3646 static bool __is_valid_sock_ops_access(int off, int size)
3647 {
3648 if (off < 0 || off >= sizeof(struct bpf_sock_ops))
3649 return false;
3650 /* The verifier guarantees that size > 0. */
3651 if (off % size != 0)
3652 return false;
3653 if (size != sizeof(__u32))
3654 return false;
3655
3656 return true;
3657 }
3658
3659 static bool sock_ops_is_valid_access(int off, int size,
3660 enum bpf_access_type type,
3661 struct bpf_insn_access_aux *info)
3662 {
3663 if (type == BPF_WRITE) {
3664 switch (off) {
3665 case offsetof(struct bpf_sock_ops, op) ...
3666 offsetof(struct bpf_sock_ops, replylong[3]):
3667 break;
3668 default:
3669 return false;
3670 }
3671 }
3672
3673 return __is_valid_sock_ops_access(off, size);
3674 }
3675
3676 static int sk_skb_prologue(struct bpf_insn *insn_buf, bool direct_write,
3677 const struct bpf_prog *prog)
3678 {
3679 return bpf_unclone_prologue(insn_buf, direct_write, prog, SK_DROP);
3680 }
3681
3682 static bool sk_skb_is_valid_access(int off, int size,
3683 enum bpf_access_type type,
3684 struct bpf_insn_access_aux *info)
3685 {
3686 if (type == BPF_WRITE) {
3687 switch (off) {
3688 case bpf_ctx_range(struct __sk_buff, tc_index):
3689 case bpf_ctx_range(struct __sk_buff, priority):
3690 break;
3691 default:
3692 return false;
3693 }
3694 }
3695
3696 switch (off) {
3697 case bpf_ctx_range(struct __sk_buff, mark):
3698 case bpf_ctx_range(struct __sk_buff, tc_classid):
3699 return false;
3700 case bpf_ctx_range(struct __sk_buff, data):
3701 info->reg_type = PTR_TO_PACKET;
3702 break;
3703 case bpf_ctx_range(struct __sk_buff, data_end):
3704 info->reg_type = PTR_TO_PACKET_END;
3705 break;
3706 }
3707
3708 return bpf_skb_is_valid_access(off, size, type, info);
3709 }
3710
3711 static u32 bpf_convert_ctx_access(enum bpf_access_type type,
3712 const struct bpf_insn *si,
3713 struct bpf_insn *insn_buf,
3714 struct bpf_prog *prog, u32 *target_size)
3715 {
3716 struct bpf_insn *insn = insn_buf;
3717 int off;
3718
3719 switch (si->off) {
3720 case offsetof(struct __sk_buff, len):
3721 *insn++ = BPF_LDX_MEM(BPF_W, si->dst_reg, si->src_reg,
3722 bpf_target_off(struct sk_buff, len, 4,
3723 target_size));
3724 break;
3725
3726 case offsetof(struct __sk_buff, protocol):
3727 *insn++ = BPF_LDX_MEM(BPF_H, si->dst_reg, si->src_reg,
3728 bpf_target_off(struct sk_buff, protocol, 2,
3729 target_size));
3730 break;
3731
3732 case offsetof(struct __sk_buff, vlan_proto):
3733 *insn++ = BPF_LDX_MEM(BPF_H, si->dst_reg, si->src_reg,
3734 bpf_target_off(struct sk_buff, vlan_proto, 2,
3735 target_size));
3736 break;
3737
3738 case offsetof(struct __sk_buff, priority):
3739 if (type == BPF_WRITE)
3740 *insn++ = BPF_STX_MEM(BPF_W, si->dst_reg, si->src_reg,
3741 bpf_target_off(struct sk_buff, priority, 4,
3742 target_size));
3743 else
3744 *insn++ = BPF_LDX_MEM(BPF_W, si->dst_reg, si->src_reg,
3745 bpf_target_off(struct sk_buff, priority, 4,
3746 target_size));
3747 break;
3748
3749 case offsetof(struct __sk_buff, ingress_ifindex):
3750 *insn++ = BPF_LDX_MEM(BPF_W, si->dst_reg, si->src_reg,
3751 bpf_target_off(struct sk_buff, skb_iif, 4,
3752 target_size));
3753 break;
3754
3755 case offsetof(struct __sk_buff, ifindex):
3756 *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct sk_buff, dev),
3757 si->dst_reg, si->src_reg,
3758 offsetof(struct sk_buff, dev));
3759 *insn++ = BPF_JMP_IMM(BPF_JEQ, si->dst_reg, 0, 1);
3760 *insn++ = BPF_LDX_MEM(BPF_W, si->dst_reg, si->dst_reg,
3761 bpf_target_off(struct net_device, ifindex, 4,
3762 target_size));
3763 break;
3764
3765 case offsetof(struct __sk_buff, hash):
3766 *insn++ = BPF_LDX_MEM(BPF_W, si->dst_reg, si->src_reg,
3767 bpf_target_off(struct sk_buff, hash, 4,
3768 target_size));
3769 break;
3770
3771 case offsetof(struct __sk_buff, mark):
3772 if (type == BPF_WRITE)
3773 *insn++ = BPF_STX_MEM(BPF_W, si->dst_reg, si->src_reg,
3774 bpf_target_off(struct sk_buff, mark, 4,
3775 target_size));
3776 else
3777 *insn++ = BPF_LDX_MEM(BPF_W, si->dst_reg, si->src_reg,
3778 bpf_target_off(struct sk_buff, mark, 4,
3779 target_size));
3780 break;
3781
3782 case offsetof(struct __sk_buff, pkt_type):
3783 *target_size = 1;
3784 *insn++ = BPF_LDX_MEM(BPF_B, si->dst_reg, si->src_reg,
3785 PKT_TYPE_OFFSET());
3786 *insn++ = BPF_ALU32_IMM(BPF_AND, si->dst_reg, PKT_TYPE_MAX);
3787 #ifdef __BIG_ENDIAN_BITFIELD
3788 *insn++ = BPF_ALU32_IMM(BPF_RSH, si->dst_reg, 5);
3789 #endif
3790 break;
3791
3792 case offsetof(struct __sk_buff, queue_mapping):
3793 *insn++ = BPF_LDX_MEM(BPF_H, si->dst_reg, si->src_reg,
3794 bpf_target_off(struct sk_buff, queue_mapping, 2,
3795 target_size));
3796 break;
3797
3798 case offsetof(struct __sk_buff, vlan_present):
3799 case offsetof(struct __sk_buff, vlan_tci):
3800 BUILD_BUG_ON(VLAN_TAG_PRESENT != 0x1000);
3801
3802 *insn++ = BPF_LDX_MEM(BPF_H, si->dst_reg, si->src_reg,
3803 bpf_target_off(struct sk_buff, vlan_tci, 2,
3804 target_size));
3805 if (si->off == offsetof(struct __sk_buff, vlan_tci)) {
3806 *insn++ = BPF_ALU32_IMM(BPF_AND, si->dst_reg,
3807 ~VLAN_TAG_PRESENT);
3808 } else {
3809 *insn++ = BPF_ALU32_IMM(BPF_RSH, si->dst_reg, 12);
3810 *insn++ = BPF_ALU32_IMM(BPF_AND, si->dst_reg, 1);
3811 }
3812 break;
3813
3814 case offsetof(struct __sk_buff, cb[0]) ...
3815 offsetofend(struct __sk_buff, cb[4]) - 1:
3816 BUILD_BUG_ON(FIELD_SIZEOF(struct qdisc_skb_cb, data) < 20);
3817 BUILD_BUG_ON((offsetof(struct sk_buff, cb) +
3818 offsetof(struct qdisc_skb_cb, data)) %
3819 sizeof(__u64));
3820
3821 prog->cb_access = 1;
3822 off = si->off;
3823 off -= offsetof(struct __sk_buff, cb[0]);
3824 off += offsetof(struct sk_buff, cb);
3825 off += offsetof(struct qdisc_skb_cb, data);
3826 if (type == BPF_WRITE)
3827 *insn++ = BPF_STX_MEM(BPF_SIZE(si->code), si->dst_reg,
3828 si->src_reg, off);
3829 else
3830 *insn++ = BPF_LDX_MEM(BPF_SIZE(si->code), si->dst_reg,
3831 si->src_reg, off);
3832 break;
3833
3834 case offsetof(struct __sk_buff, tc_classid):
3835 BUILD_BUG_ON(FIELD_SIZEOF(struct qdisc_skb_cb, tc_classid) != 2);
3836
3837 off = si->off;
3838 off -= offsetof(struct __sk_buff, tc_classid);
3839 off += offsetof(struct sk_buff, cb);
3840 off += offsetof(struct qdisc_skb_cb, tc_classid);
3841 *target_size = 2;
3842 if (type == BPF_WRITE)
3843 *insn++ = BPF_STX_MEM(BPF_H, si->dst_reg,
3844 si->src_reg, off);
3845 else
3846 *insn++ = BPF_LDX_MEM(BPF_H, si->dst_reg,
3847 si->src_reg, off);
3848 break;
3849
3850 case offsetof(struct __sk_buff, data):
3851 *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct sk_buff, data),
3852 si->dst_reg, si->src_reg,
3853 offsetof(struct sk_buff, data));
3854 break;
3855
3856 case offsetof(struct __sk_buff, data_end):
3857 off = si->off;
3858 off -= offsetof(struct __sk_buff, data_end);
3859 off += offsetof(struct sk_buff, cb);
3860 off += offsetof(struct bpf_skb_data_end, data_end);
3861 *insn++ = BPF_LDX_MEM(BPF_SIZEOF(void *), si->dst_reg,
3862 si->src_reg, off);
3863 break;
3864
3865 case offsetof(struct __sk_buff, tc_index):
3866 #ifdef CONFIG_NET_SCHED
3867 if (type == BPF_WRITE)
3868 *insn++ = BPF_STX_MEM(BPF_H, si->dst_reg, si->src_reg,
3869 bpf_target_off(struct sk_buff, tc_index, 2,
3870 target_size));
3871 else
3872 *insn++ = BPF_LDX_MEM(BPF_H, si->dst_reg, si->src_reg,
3873 bpf_target_off(struct sk_buff, tc_index, 2,
3874 target_size));
3875 #else
3876 *target_size = 2;
3877 if (type == BPF_WRITE)
3878 *insn++ = BPF_MOV64_REG(si->dst_reg, si->dst_reg);
3879 else
3880 *insn++ = BPF_MOV64_IMM(si->dst_reg, 0);
3881 #endif
3882 break;
3883
3884 case offsetof(struct __sk_buff, napi_id):
3885 #if defined(CONFIG_NET_RX_BUSY_POLL)
3886 *insn++ = BPF_LDX_MEM(BPF_W, si->dst_reg, si->src_reg,
3887 bpf_target_off(struct sk_buff, napi_id, 4,
3888 target_size));
3889 *insn++ = BPF_JMP_IMM(BPF_JGE, si->dst_reg, MIN_NAPI_ID, 1);
3890 *insn++ = BPF_MOV64_IMM(si->dst_reg, 0);
3891 #else
3892 *target_size = 4;
3893 *insn++ = BPF_MOV64_IMM(si->dst_reg, 0);
3894 #endif
3895 break;
3896 case offsetof(struct __sk_buff, family):
3897 BUILD_BUG_ON(FIELD_SIZEOF(struct sock_common, skc_family) != 2);
3898
3899 *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct sk_buff, sk),
3900 si->dst_reg, si->src_reg,
3901 offsetof(struct sk_buff, sk));
3902 *insn++ = BPF_LDX_MEM(BPF_H, si->dst_reg, si->dst_reg,
3903 bpf_target_off(struct sock_common,
3904 skc_family,
3905 2, target_size));
3906 break;
3907 case offsetof(struct __sk_buff, remote_ip4):
3908 BUILD_BUG_ON(FIELD_SIZEOF(struct sock_common, skc_daddr) != 4);
3909
3910 *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct sk_buff, sk),
3911 si->dst_reg, si->src_reg,
3912 offsetof(struct sk_buff, sk));
3913 *insn++ = BPF_LDX_MEM(BPF_W, si->dst_reg, si->dst_reg,
3914 bpf_target_off(struct sock_common,
3915 skc_daddr,
3916 4, target_size));
3917 break;
3918 case offsetof(struct __sk_buff, local_ip4):
3919 BUILD_BUG_ON(FIELD_SIZEOF(struct sock_common,
3920 skc_rcv_saddr) != 4);
3921
3922 *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct sk_buff, sk),
3923 si->dst_reg, si->src_reg,
3924 offsetof(struct sk_buff, sk));
3925 *insn++ = BPF_LDX_MEM(BPF_W, si->dst_reg, si->dst_reg,
3926 bpf_target_off(struct sock_common,
3927 skc_rcv_saddr,
3928 4, target_size));
3929 break;
3930 case offsetof(struct __sk_buff, remote_ip6[0]) ...
3931 offsetof(struct __sk_buff, remote_ip6[3]):
3932 #if IS_ENABLED(CONFIG_IPV6)
3933 BUILD_BUG_ON(FIELD_SIZEOF(struct sock_common,
3934 skc_v6_daddr.s6_addr32[0]) != 4);
3935
3936 off = si->off;
3937 off -= offsetof(struct __sk_buff, remote_ip6[0]);
3938
3939 *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct sk_buff, sk),
3940 si->dst_reg, si->src_reg,
3941 offsetof(struct sk_buff, sk));
3942 *insn++ = BPF_LDX_MEM(BPF_W, si->dst_reg, si->dst_reg,
3943 offsetof(struct sock_common,
3944 skc_v6_daddr.s6_addr32[0]) +
3945 off);
3946 #else
3947 *insn++ = BPF_MOV32_IMM(si->dst_reg, 0);
3948 #endif
3949 break;
3950 case offsetof(struct __sk_buff, local_ip6[0]) ...
3951 offsetof(struct __sk_buff, local_ip6[3]):
3952 #if IS_ENABLED(CONFIG_IPV6)
3953 BUILD_BUG_ON(FIELD_SIZEOF(struct sock_common,
3954 skc_v6_rcv_saddr.s6_addr32[0]) != 4);
3955
3956 off = si->off;
3957 off -= offsetof(struct __sk_buff, local_ip6[0]);
3958
3959 *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct sk_buff, sk),
3960 si->dst_reg, si->src_reg,
3961 offsetof(struct sk_buff, sk));
3962 *insn++ = BPF_LDX_MEM(BPF_W, si->dst_reg, si->dst_reg,
3963 offsetof(struct sock_common,
3964 skc_v6_rcv_saddr.s6_addr32[0]) +
3965 off);
3966 #else
3967 *insn++ = BPF_MOV32_IMM(si->dst_reg, 0);
3968 #endif
3969 break;
3970
3971 case offsetof(struct __sk_buff, remote_port):
3972 BUILD_BUG_ON(FIELD_SIZEOF(struct sock_common, skc_dport) != 2);
3973
3974 *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct sk_buff, sk),
3975 si->dst_reg, si->src_reg,
3976 offsetof(struct sk_buff, sk));
3977 *insn++ = BPF_LDX_MEM(BPF_H, si->dst_reg, si->dst_reg,
3978 bpf_target_off(struct sock_common,
3979 skc_dport,
3980 2, target_size));
3981 #ifndef __BIG_ENDIAN_BITFIELD
3982 *insn++ = BPF_ALU32_IMM(BPF_LSH, si->dst_reg, 16);
3983 #endif
3984 break;
3985
3986 case offsetof(struct __sk_buff, local_port):
3987 BUILD_BUG_ON(FIELD_SIZEOF(struct sock_common, skc_num) != 2);
3988
3989 *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct sk_buff, sk),
3990 si->dst_reg, si->src_reg,
3991 offsetof(struct sk_buff, sk));
3992 *insn++ = BPF_LDX_MEM(BPF_H, si->dst_reg, si->dst_reg,
3993 bpf_target_off(struct sock_common,
3994 skc_num, 2, target_size));
3995 break;
3996 }
3997
3998 return insn - insn_buf;
3999 }
4000
4001 static u32 sock_filter_convert_ctx_access(enum bpf_access_type type,
4002 const struct bpf_insn *si,
4003 struct bpf_insn *insn_buf,
4004 struct bpf_prog *prog, u32 *target_size)
4005 {
4006 struct bpf_insn *insn = insn_buf;
4007
4008 switch (si->off) {
4009 case offsetof(struct bpf_sock, bound_dev_if):
4010 BUILD_BUG_ON(FIELD_SIZEOF(struct sock, sk_bound_dev_if) != 4);
4011
4012 if (type == BPF_WRITE)
4013 *insn++ = BPF_STX_MEM(BPF_W, si->dst_reg, si->src_reg,
4014 offsetof(struct sock, sk_bound_dev_if));
4015 else
4016 *insn++ = BPF_LDX_MEM(BPF_W, si->dst_reg, si->src_reg,
4017 offsetof(struct sock, sk_bound_dev_if));
4018 break;
4019
4020 case offsetof(struct bpf_sock, mark):
4021 BUILD_BUG_ON(FIELD_SIZEOF(struct sock, sk_mark) != 4);
4022
4023 if (type == BPF_WRITE)
4024 *insn++ = BPF_STX_MEM(BPF_W, si->dst_reg, si->src_reg,
4025 offsetof(struct sock, sk_mark));
4026 else
4027 *insn++ = BPF_LDX_MEM(BPF_W, si->dst_reg, si->src_reg,
4028 offsetof(struct sock, sk_mark));
4029 break;
4030
4031 case offsetof(struct bpf_sock, priority):
4032 BUILD_BUG_ON(FIELD_SIZEOF(struct sock, sk_priority) != 4);
4033
4034 if (type == BPF_WRITE)
4035 *insn++ = BPF_STX_MEM(BPF_W, si->dst_reg, si->src_reg,
4036 offsetof(struct sock, sk_priority));
4037 else
4038 *insn++ = BPF_LDX_MEM(BPF_W, si->dst_reg, si->src_reg,
4039 offsetof(struct sock, sk_priority));
4040 break;
4041
4042 case offsetof(struct bpf_sock, family):
4043 BUILD_BUG_ON(FIELD_SIZEOF(struct sock, sk_family) != 2);
4044
4045 *insn++ = BPF_LDX_MEM(BPF_H, si->dst_reg, si->src_reg,
4046 offsetof(struct sock, sk_family));
4047 break;
4048
4049 case offsetof(struct bpf_sock, type):
4050 *insn++ = BPF_LDX_MEM(BPF_W, si->dst_reg, si->src_reg,
4051 offsetof(struct sock, __sk_flags_offset));
4052 *insn++ = BPF_ALU32_IMM(BPF_AND, si->dst_reg, SK_FL_TYPE_MASK);
4053 *insn++ = BPF_ALU32_IMM(BPF_RSH, si->dst_reg, SK_FL_TYPE_SHIFT);
4054 break;
4055
4056 case offsetof(struct bpf_sock, protocol):
4057 *insn++ = BPF_LDX_MEM(BPF_W, si->dst_reg, si->src_reg,
4058 offsetof(struct sock, __sk_flags_offset));
4059 *insn++ = BPF_ALU32_IMM(BPF_AND, si->dst_reg, SK_FL_PROTO_MASK);
4060 *insn++ = BPF_ALU32_IMM(BPF_RSH, si->dst_reg, SK_FL_PROTO_SHIFT);
4061 break;
4062 }
4063
4064 return insn - insn_buf;
4065 }
4066
4067 static u32 tc_cls_act_convert_ctx_access(enum bpf_access_type type,
4068 const struct bpf_insn *si,
4069 struct bpf_insn *insn_buf,
4070 struct bpf_prog *prog, u32 *target_size)
4071 {
4072 struct bpf_insn *insn = insn_buf;
4073
4074 switch (si->off) {
4075 case offsetof(struct __sk_buff, ifindex):
4076 *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct sk_buff, dev),
4077 si->dst_reg, si->src_reg,
4078 offsetof(struct sk_buff, dev));
4079 *insn++ = BPF_LDX_MEM(BPF_W, si->dst_reg, si->dst_reg,
4080 bpf_target_off(struct net_device, ifindex, 4,
4081 target_size));
4082 break;
4083 default:
4084 return bpf_convert_ctx_access(type, si, insn_buf, prog,
4085 target_size);
4086 }
4087
4088 return insn - insn_buf;
4089 }
4090
4091 static u32 xdp_convert_ctx_access(enum bpf_access_type type,
4092 const struct bpf_insn *si,
4093 struct bpf_insn *insn_buf,
4094 struct bpf_prog *prog, u32 *target_size)
4095 {
4096 struct bpf_insn *insn = insn_buf;
4097
4098 switch (si->off) {
4099 case offsetof(struct xdp_md, data):
4100 *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct xdp_buff, data),
4101 si->dst_reg, si->src_reg,
4102 offsetof(struct xdp_buff, data));
4103 break;
4104 case offsetof(struct xdp_md, data_end):
4105 *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(struct xdp_buff, data_end),
4106 si->dst_reg, si->src_reg,
4107 offsetof(struct xdp_buff, data_end));
4108 break;
4109 }
4110
4111 return insn - insn_buf;
4112 }
4113
4114 static u32 sock_ops_convert_ctx_access(enum bpf_access_type type,
4115 const struct bpf_insn *si,
4116 struct bpf_insn *insn_buf,
4117 struct bpf_prog *prog,
4118 u32 *target_size)
4119 {
4120 struct bpf_insn *insn = insn_buf;
4121 int off;
4122
4123 switch (si->off) {
4124 case offsetof(struct bpf_sock_ops, op) ...
4125 offsetof(struct bpf_sock_ops, replylong[3]):
4126 BUILD_BUG_ON(FIELD_SIZEOF(struct bpf_sock_ops, op) !=
4127 FIELD_SIZEOF(struct bpf_sock_ops_kern, op));
4128 BUILD_BUG_ON(FIELD_SIZEOF(struct bpf_sock_ops, reply) !=
4129 FIELD_SIZEOF(struct bpf_sock_ops_kern, reply));
4130 BUILD_BUG_ON(FIELD_SIZEOF(struct bpf_sock_ops, replylong) !=
4131 FIELD_SIZEOF(struct bpf_sock_ops_kern, replylong));
4132 off = si->off;
4133 off -= offsetof(struct bpf_sock_ops, op);
4134 off += offsetof(struct bpf_sock_ops_kern, op);
4135 if (type == BPF_WRITE)
4136 *insn++ = BPF_STX_MEM(BPF_W, si->dst_reg, si->src_reg,
4137 off);
4138 else
4139 *insn++ = BPF_LDX_MEM(BPF_W, si->dst_reg, si->src_reg,
4140 off);
4141 break;
4142
4143 case offsetof(struct bpf_sock_ops, family):
4144 BUILD_BUG_ON(FIELD_SIZEOF(struct sock_common, skc_family) != 2);
4145
4146 *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(
4147 struct bpf_sock_ops_kern, sk),
4148 si->dst_reg, si->src_reg,
4149 offsetof(struct bpf_sock_ops_kern, sk));
4150 *insn++ = BPF_LDX_MEM(BPF_H, si->dst_reg, si->dst_reg,
4151 offsetof(struct sock_common, skc_family));
4152 break;
4153
4154 case offsetof(struct bpf_sock_ops, remote_ip4):
4155 BUILD_BUG_ON(FIELD_SIZEOF(struct sock_common, skc_daddr) != 4);
4156
4157 *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(
4158 struct bpf_sock_ops_kern, sk),
4159 si->dst_reg, si->src_reg,
4160 offsetof(struct bpf_sock_ops_kern, sk));
4161 *insn++ = BPF_LDX_MEM(BPF_W, si->dst_reg, si->dst_reg,
4162 offsetof(struct sock_common, skc_daddr));
4163 break;
4164
4165 case offsetof(struct bpf_sock_ops, local_ip4):
4166 BUILD_BUG_ON(FIELD_SIZEOF(struct sock_common, skc_rcv_saddr) != 4);
4167
4168 *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(
4169 struct bpf_sock_ops_kern, sk),
4170 si->dst_reg, si->src_reg,
4171 offsetof(struct bpf_sock_ops_kern, sk));
4172 *insn++ = BPF_LDX_MEM(BPF_W, si->dst_reg, si->dst_reg,
4173 offsetof(struct sock_common,
4174 skc_rcv_saddr));
4175 break;
4176
4177 case offsetof(struct bpf_sock_ops, remote_ip6[0]) ...
4178 offsetof(struct bpf_sock_ops, remote_ip6[3]):
4179 #if IS_ENABLED(CONFIG_IPV6)
4180 BUILD_BUG_ON(FIELD_SIZEOF(struct sock_common,
4181 skc_v6_daddr.s6_addr32[0]) != 4);
4182
4183 off = si->off;
4184 off -= offsetof(struct bpf_sock_ops, remote_ip6[0]);
4185 *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(
4186 struct bpf_sock_ops_kern, sk),
4187 si->dst_reg, si->src_reg,
4188 offsetof(struct bpf_sock_ops_kern, sk));
4189 *insn++ = BPF_LDX_MEM(BPF_W, si->dst_reg, si->dst_reg,
4190 offsetof(struct sock_common,
4191 skc_v6_daddr.s6_addr32[0]) +
4192 off);
4193 #else
4194 *insn++ = BPF_MOV32_IMM(si->dst_reg, 0);
4195 #endif
4196 break;
4197
4198 case offsetof(struct bpf_sock_ops, local_ip6[0]) ...
4199 offsetof(struct bpf_sock_ops, local_ip6[3]):
4200 #if IS_ENABLED(CONFIG_IPV6)
4201 BUILD_BUG_ON(FIELD_SIZEOF(struct sock_common,
4202 skc_v6_rcv_saddr.s6_addr32[0]) != 4);
4203
4204 off = si->off;
4205 off -= offsetof(struct bpf_sock_ops, local_ip6[0]);
4206 *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(
4207 struct bpf_sock_ops_kern, sk),
4208 si->dst_reg, si->src_reg,
4209 offsetof(struct bpf_sock_ops_kern, sk));
4210 *insn++ = BPF_LDX_MEM(BPF_W, si->dst_reg, si->dst_reg,
4211 offsetof(struct sock_common,
4212 skc_v6_rcv_saddr.s6_addr32[0]) +
4213 off);
4214 #else
4215 *insn++ = BPF_MOV32_IMM(si->dst_reg, 0);
4216 #endif
4217 break;
4218
4219 case offsetof(struct bpf_sock_ops, remote_port):
4220 BUILD_BUG_ON(FIELD_SIZEOF(struct sock_common, skc_dport) != 2);
4221
4222 *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(
4223 struct bpf_sock_ops_kern, sk),
4224 si->dst_reg, si->src_reg,
4225 offsetof(struct bpf_sock_ops_kern, sk));
4226 *insn++ = BPF_LDX_MEM(BPF_H, si->dst_reg, si->dst_reg,
4227 offsetof(struct sock_common, skc_dport));
4228 #ifndef __BIG_ENDIAN_BITFIELD
4229 *insn++ = BPF_ALU32_IMM(BPF_LSH, si->dst_reg, 16);
4230 #endif
4231 break;
4232
4233 case offsetof(struct bpf_sock_ops, local_port):
4234 BUILD_BUG_ON(FIELD_SIZEOF(struct sock_common, skc_num) != 2);
4235
4236 *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(
4237 struct bpf_sock_ops_kern, sk),
4238 si->dst_reg, si->src_reg,
4239 offsetof(struct bpf_sock_ops_kern, sk));
4240 *insn++ = BPF_LDX_MEM(BPF_H, si->dst_reg, si->dst_reg,
4241 offsetof(struct sock_common, skc_num));
4242 break;
4243 }
4244 return insn - insn_buf;
4245 }
4246
4247 static u32 sk_skb_convert_ctx_access(enum bpf_access_type type,
4248 const struct bpf_insn *si,
4249 struct bpf_insn *insn_buf,
4250 struct bpf_prog *prog, u32 *target_size)
4251 {
4252 struct bpf_insn *insn = insn_buf;
4253 int off;
4254
4255 switch (si->off) {
4256 case offsetof(struct __sk_buff, data_end):
4257 off = si->off;
4258 off -= offsetof(struct __sk_buff, data_end);
4259 off += offsetof(struct sk_buff, cb);
4260 off += offsetof(struct tcp_skb_cb, bpf.data_end);
4261 *insn++ = BPF_LDX_MEM(BPF_SIZEOF(void *), si->dst_reg,
4262 si->src_reg, off);
4263 break;
4264 default:
4265 return bpf_convert_ctx_access(type, si, insn_buf, prog,
4266 target_size);
4267 }
4268
4269 return insn - insn_buf;
4270 }
4271
4272 const struct bpf_verifier_ops sk_filter_prog_ops = {
4273 .get_func_proto = sk_filter_func_proto,
4274 .is_valid_access = sk_filter_is_valid_access,
4275 .convert_ctx_access = bpf_convert_ctx_access,
4276 };
4277
4278 const struct bpf_verifier_ops tc_cls_act_prog_ops = {
4279 .get_func_proto = tc_cls_act_func_proto,
4280 .is_valid_access = tc_cls_act_is_valid_access,
4281 .convert_ctx_access = tc_cls_act_convert_ctx_access,
4282 .gen_prologue = tc_cls_act_prologue,
4283 .test_run = bpf_prog_test_run_skb,
4284 };
4285
4286 const struct bpf_verifier_ops xdp_prog_ops = {
4287 .get_func_proto = xdp_func_proto,
4288 .is_valid_access = xdp_is_valid_access,
4289 .convert_ctx_access = xdp_convert_ctx_access,
4290 .test_run = bpf_prog_test_run_xdp,
4291 };
4292
4293 const struct bpf_verifier_ops cg_skb_prog_ops = {
4294 .get_func_proto = sk_filter_func_proto,
4295 .is_valid_access = sk_filter_is_valid_access,
4296 .convert_ctx_access = bpf_convert_ctx_access,
4297 .test_run = bpf_prog_test_run_skb,
4298 };
4299
4300 const struct bpf_verifier_ops lwt_inout_prog_ops = {
4301 .get_func_proto = lwt_inout_func_proto,
4302 .is_valid_access = lwt_is_valid_access,
4303 .convert_ctx_access = bpf_convert_ctx_access,
4304 .test_run = bpf_prog_test_run_skb,
4305 };
4306
4307 const struct bpf_verifier_ops lwt_xmit_prog_ops = {
4308 .get_func_proto = lwt_xmit_func_proto,
4309 .is_valid_access = lwt_is_valid_access,
4310 .convert_ctx_access = bpf_convert_ctx_access,
4311 .gen_prologue = tc_cls_act_prologue,
4312 .test_run = bpf_prog_test_run_skb,
4313 };
4314
4315 const struct bpf_verifier_ops cg_sock_prog_ops = {
4316 .get_func_proto = sock_filter_func_proto,
4317 .is_valid_access = sock_filter_is_valid_access,
4318 .convert_ctx_access = sock_filter_convert_ctx_access,
4319 };
4320
4321 const struct bpf_verifier_ops sock_ops_prog_ops = {
4322 .get_func_proto = sock_ops_func_proto,
4323 .is_valid_access = sock_ops_is_valid_access,
4324 .convert_ctx_access = sock_ops_convert_ctx_access,
4325 };
4326
4327 const struct bpf_verifier_ops sk_skb_prog_ops = {
4328 .get_func_proto = sk_skb_func_proto,
4329 .is_valid_access = sk_skb_is_valid_access,
4330 .convert_ctx_access = sk_skb_convert_ctx_access,
4331 .gen_prologue = sk_skb_prologue,
4332 };
4333
4334 int sk_detach_filter(struct sock *sk)
4335 {
4336 int ret = -ENOENT;
4337 struct sk_filter *filter;
4338
4339 if (sock_flag(sk, SOCK_FILTER_LOCKED))
4340 return -EPERM;
4341
4342 filter = rcu_dereference_protected(sk->sk_filter,
4343 lockdep_sock_is_held(sk));
4344 if (filter) {
4345 RCU_INIT_POINTER(sk->sk_filter, NULL);
4346 sk_filter_uncharge(sk, filter);
4347 ret = 0;
4348 }
4349
4350 return ret;
4351 }
4352 EXPORT_SYMBOL_GPL(sk_detach_filter);
4353
4354 int sk_get_filter(struct sock *sk, struct sock_filter __user *ubuf,
4355 unsigned int len)
4356 {
4357 struct sock_fprog_kern *fprog;
4358 struct sk_filter *filter;
4359 int ret = 0;
4360
4361 lock_sock(sk);
4362 filter = rcu_dereference_protected(sk->sk_filter,
4363 lockdep_sock_is_held(sk));
4364 if (!filter)
4365 goto out;
4366
4367 /* We're copying the filter that has been originally attached,
4368 * so no conversion/decode needed anymore. eBPF programs that
4369 * have no original program cannot be dumped through this.
4370 */
4371 ret = -EACCES;
4372 fprog = filter->prog->orig_prog;
4373 if (!fprog)
4374 goto out;
4375
4376 ret = fprog->len;
4377 if (!len)
4378 /* User space only enquires number of filter blocks. */
4379 goto out;
4380
4381 ret = -EINVAL;
4382 if (len < fprog->len)
4383 goto out;
4384
4385 ret = -EFAULT;
4386 if (copy_to_user(ubuf, fprog->filter, bpf_classic_proglen(fprog)))
4387 goto out;
4388
4389 /* Instead of bytes, the API requests to return the number
4390 * of filter blocks.
4391 */
4392 ret = fprog->len;
4393 out:
4394 release_sock(sk);
4395 return ret;
4396 }