1 // SPDX-License-Identifier: GPL-2.0-or-later
3 * Linux Socket Filter - Kernel level socket filtering
5 * Based on the design of the Berkeley Packet Filter. The new
6 * internal format has been designed by PLUMgrid:
8 * Copyright (c) 2011 - 2014 PLUMgrid, http://plumgrid.com
12 * Jay Schulist <jschlst@samba.org>
13 * Alexei Starovoitov <ast@plumgrid.com>
14 * Daniel Borkmann <dborkman@redhat.com>
16 * Andi Kleen - Fix a few bad bugs and races.
17 * Kris Katterjohn - Added many additional checks in bpf_check_classic()
20 #include <uapi/linux/btf.h>
21 #include <linux/filter.h>
22 #include <linux/skbuff.h>
23 #include <linux/vmalloc.h>
24 #include <linux/random.h>
25 #include <linux/moduleloader.h>
26 #include <linux/bpf.h>
27 #include <linux/btf.h>
28 #include <linux/frame.h>
29 #include <linux/rbtree_latch.h>
30 #include <linux/kallsyms.h>
31 #include <linux/rcupdate.h>
32 #include <linux/perf_event.h>
34 #include <asm/barrier.h>
35 #include <asm/unaligned.h>
38 #define BPF_R0 regs[BPF_REG_0]
39 #define BPF_R1 regs[BPF_REG_1]
40 #define BPF_R2 regs[BPF_REG_2]
41 #define BPF_R3 regs[BPF_REG_3]
42 #define BPF_R4 regs[BPF_REG_4]
43 #define BPF_R5 regs[BPF_REG_5]
44 #define BPF_R6 regs[BPF_REG_6]
45 #define BPF_R7 regs[BPF_REG_7]
46 #define BPF_R8 regs[BPF_REG_8]
47 #define BPF_R9 regs[BPF_REG_9]
48 #define BPF_R10 regs[BPF_REG_10]
51 #define DST regs[insn->dst_reg]
52 #define SRC regs[insn->src_reg]
53 #define FP regs[BPF_REG_FP]
54 #define AX regs[BPF_REG_AX]
55 #define ARG1 regs[BPF_REG_ARG1]
56 #define CTX regs[BPF_REG_CTX]
59 /* No hurry in this branch
61 * Exported for the bpf jit load helper.
63 void *bpf_internal_load_pointer_neg_helper(const struct sk_buff *skb, int k, unsigned int size)
68 ptr = skb_network_header(skb) + k - SKF_NET_OFF;
69 else if (k >= SKF_LL_OFF)
70 ptr = skb_mac_header(skb) + k - SKF_LL_OFF;
72 if (ptr >= skb->head && ptr + size <= skb_tail_pointer(skb))
78 struct bpf_prog *bpf_prog_alloc_no_stats(unsigned int size, gfp_t gfp_extra_flags)
80 gfp_t gfp_flags = GFP_KERNEL | __GFP_ZERO | gfp_extra_flags;
81 struct bpf_prog_aux *aux;
84 size = round_up(size, PAGE_SIZE);
85 fp = __vmalloc(size, gfp_flags, PAGE_KERNEL);
89 aux = kzalloc(sizeof(*aux), GFP_KERNEL | gfp_extra_flags);
95 fp->pages = size / PAGE_SIZE;
98 fp->jit_requested = ebpf_jit_enabled();
100 INIT_LIST_HEAD_RCU(&fp->aux->ksym_lnode);
105 struct bpf_prog *bpf_prog_alloc(unsigned int size, gfp_t gfp_extra_flags)
107 gfp_t gfp_flags = GFP_KERNEL | __GFP_ZERO | gfp_extra_flags;
108 struct bpf_prog *prog;
111 prog = bpf_prog_alloc_no_stats(size, gfp_extra_flags);
115 prog->aux->stats = alloc_percpu_gfp(struct bpf_prog_stats, gfp_flags);
116 if (!prog->aux->stats) {
122 for_each_possible_cpu(cpu) {
123 struct bpf_prog_stats *pstats;
125 pstats = per_cpu_ptr(prog->aux->stats, cpu);
126 u64_stats_init(&pstats->syncp);
130 EXPORT_SYMBOL_GPL(bpf_prog_alloc);
132 int bpf_prog_alloc_jited_linfo(struct bpf_prog *prog)
134 if (!prog->aux->nr_linfo || !prog->jit_requested)
137 prog->aux->jited_linfo = kcalloc(prog->aux->nr_linfo,
138 sizeof(*prog->aux->jited_linfo),
139 GFP_KERNEL | __GFP_NOWARN);
140 if (!prog->aux->jited_linfo)
146 void bpf_prog_free_jited_linfo(struct bpf_prog *prog)
148 kfree(prog->aux->jited_linfo);
149 prog->aux->jited_linfo = NULL;
152 void bpf_prog_free_unused_jited_linfo(struct bpf_prog *prog)
154 if (prog->aux->jited_linfo && !prog->aux->jited_linfo[0])
155 bpf_prog_free_jited_linfo(prog);
158 /* The jit engine is responsible to provide an array
159 * for insn_off to the jited_off mapping (insn_to_jit_off).
161 * The idx to this array is the insn_off. Hence, the insn_off
162 * here is relative to the prog itself instead of the main prog.
163 * This array has one entry for each xlated bpf insn.
165 * jited_off is the byte off to the last byte of the jited insn.
169 * The first bpf insn off of the prog. The insn off
170 * here is relative to the main prog.
171 * e.g. if prog is a subprog, insn_start > 0
173 * The prog's idx to prog->aux->linfo and jited_linfo
175 * jited_linfo[linfo_idx] = prog->bpf_func
179 * jited_linfo[i] = prog->bpf_func +
180 * insn_to_jit_off[linfo[i].insn_off - insn_start - 1]
182 void bpf_prog_fill_jited_linfo(struct bpf_prog *prog,
183 const u32 *insn_to_jit_off)
185 u32 linfo_idx, insn_start, insn_end, nr_linfo, i;
186 const struct bpf_line_info *linfo;
189 if (!prog->aux->jited_linfo)
190 /* Userspace did not provide linfo */
193 linfo_idx = prog->aux->linfo_idx;
194 linfo = &prog->aux->linfo[linfo_idx];
195 insn_start = linfo[0].insn_off;
196 insn_end = insn_start + prog->len;
198 jited_linfo = &prog->aux->jited_linfo[linfo_idx];
199 jited_linfo[0] = prog->bpf_func;
201 nr_linfo = prog->aux->nr_linfo - linfo_idx;
203 for (i = 1; i < nr_linfo && linfo[i].insn_off < insn_end; i++)
204 /* The verifier ensures that linfo[i].insn_off is
205 * strictly increasing
207 jited_linfo[i] = prog->bpf_func +
208 insn_to_jit_off[linfo[i].insn_off - insn_start - 1];
211 void bpf_prog_free_linfo(struct bpf_prog *prog)
213 bpf_prog_free_jited_linfo(prog);
214 kvfree(prog->aux->linfo);
217 struct bpf_prog *bpf_prog_realloc(struct bpf_prog *fp_old, unsigned int size,
218 gfp_t gfp_extra_flags)
220 gfp_t gfp_flags = GFP_KERNEL | __GFP_ZERO | gfp_extra_flags;
225 BUG_ON(fp_old == NULL);
227 size = round_up(size, PAGE_SIZE);
228 pages = size / PAGE_SIZE;
229 if (pages <= fp_old->pages)
232 delta = pages - fp_old->pages;
233 ret = __bpf_prog_charge(fp_old->aux->user, delta);
237 fp = __vmalloc(size, gfp_flags, PAGE_KERNEL);
239 __bpf_prog_uncharge(fp_old->aux->user, delta);
241 memcpy(fp, fp_old, fp_old->pages * PAGE_SIZE);
245 /* We keep fp->aux from fp_old around in the new
246 * reallocated structure.
249 __bpf_prog_free(fp_old);
255 void __bpf_prog_free(struct bpf_prog *fp)
258 free_percpu(fp->aux->stats);
264 int bpf_prog_calc_tag(struct bpf_prog *fp)
266 const u32 bits_offset = SHA_MESSAGE_BYTES - sizeof(__be64);
267 u32 raw_size = bpf_prog_tag_scratch_size(fp);
268 u32 digest[SHA_DIGEST_WORDS];
269 u32 ws[SHA_WORKSPACE_WORDS];
270 u32 i, bsize, psize, blocks;
271 struct bpf_insn *dst;
277 raw = vmalloc(raw_size);
282 memset(ws, 0, sizeof(ws));
284 /* We need to take out the map fd for the digest calculation
285 * since they are unstable from user space side.
288 for (i = 0, was_ld_map = false; i < fp->len; i++) {
289 dst[i] = fp->insnsi[i];
291 dst[i].code == (BPF_LD | BPF_IMM | BPF_DW) &&
292 (dst[i].src_reg == BPF_PSEUDO_MAP_FD ||
293 dst[i].src_reg == BPF_PSEUDO_MAP_VALUE)) {
296 } else if (was_ld_map &&
298 dst[i].dst_reg == 0 &&
299 dst[i].src_reg == 0 &&
308 psize = bpf_prog_insn_size(fp);
309 memset(&raw[psize], 0, raw_size - psize);
312 bsize = round_up(psize, SHA_MESSAGE_BYTES);
313 blocks = bsize / SHA_MESSAGE_BYTES;
315 if (bsize - psize >= sizeof(__be64)) {
316 bits = (__be64 *)(todo + bsize - sizeof(__be64));
318 bits = (__be64 *)(todo + bsize + bits_offset);
321 *bits = cpu_to_be64((psize - 1) << 3);
324 sha_transform(digest, todo, ws);
325 todo += SHA_MESSAGE_BYTES;
328 result = (__force __be32 *)digest;
329 for (i = 0; i < SHA_DIGEST_WORDS; i++)
330 result[i] = cpu_to_be32(digest[i]);
331 memcpy(fp->tag, result, sizeof(fp->tag));
337 static int bpf_adj_delta_to_imm(struct bpf_insn *insn, u32 pos, s32 end_old,
338 s32 end_new, s32 curr, const bool probe_pass)
340 const s64 imm_min = S32_MIN, imm_max = S32_MAX;
341 s32 delta = end_new - end_old;
344 if (curr < pos && curr + imm + 1 >= end_old)
346 else if (curr >= end_new && curr + imm + 1 < end_new)
348 if (imm < imm_min || imm > imm_max)
355 static int bpf_adj_delta_to_off(struct bpf_insn *insn, u32 pos, s32 end_old,
356 s32 end_new, s32 curr, const bool probe_pass)
358 const s32 off_min = S16_MIN, off_max = S16_MAX;
359 s32 delta = end_new - end_old;
362 if (curr < pos && curr + off + 1 >= end_old)
364 else if (curr >= end_new && curr + off + 1 < end_new)
366 if (off < off_min || off > off_max)
373 static int bpf_adj_branches(struct bpf_prog *prog, u32 pos, s32 end_old,
374 s32 end_new, const bool probe_pass)
376 u32 i, insn_cnt = prog->len + (probe_pass ? end_new - end_old : 0);
377 struct bpf_insn *insn = prog->insnsi;
380 for (i = 0; i < insn_cnt; i++, insn++) {
383 /* In the probing pass we still operate on the original,
384 * unpatched image in order to check overflows before we
385 * do any other adjustments. Therefore skip the patchlet.
387 if (probe_pass && i == pos) {
389 insn = prog->insnsi + end_old;
392 if ((BPF_CLASS(code) != BPF_JMP &&
393 BPF_CLASS(code) != BPF_JMP32) ||
394 BPF_OP(code) == BPF_EXIT)
396 /* Adjust offset of jmps if we cross patch boundaries. */
397 if (BPF_OP(code) == BPF_CALL) {
398 if (insn->src_reg != BPF_PSEUDO_CALL)
400 ret = bpf_adj_delta_to_imm(insn, pos, end_old,
401 end_new, i, probe_pass);
403 ret = bpf_adj_delta_to_off(insn, pos, end_old,
404 end_new, i, probe_pass);
413 static void bpf_adj_linfo(struct bpf_prog *prog, u32 off, u32 delta)
415 struct bpf_line_info *linfo;
418 nr_linfo = prog->aux->nr_linfo;
419 if (!nr_linfo || !delta)
422 linfo = prog->aux->linfo;
424 for (i = 0; i < nr_linfo; i++)
425 if (off < linfo[i].insn_off)
428 /* Push all off < linfo[i].insn_off by delta */
429 for (; i < nr_linfo; i++)
430 linfo[i].insn_off += delta;
433 struct bpf_prog *bpf_patch_insn_single(struct bpf_prog *prog, u32 off,
434 const struct bpf_insn *patch, u32 len)
436 u32 insn_adj_cnt, insn_rest, insn_delta = len - 1;
437 const u32 cnt_max = S16_MAX;
438 struct bpf_prog *prog_adj;
441 /* Since our patchlet doesn't expand the image, we're done. */
442 if (insn_delta == 0) {
443 memcpy(prog->insnsi + off, patch, sizeof(*patch));
447 insn_adj_cnt = prog->len + insn_delta;
449 /* Reject anything that would potentially let the insn->off
450 * target overflow when we have excessive program expansions.
451 * We need to probe here before we do any reallocation where
452 * we afterwards may not fail anymore.
454 if (insn_adj_cnt > cnt_max &&
455 (err = bpf_adj_branches(prog, off, off + 1, off + len, true)))
458 /* Several new instructions need to be inserted. Make room
459 * for them. Likely, there's no need for a new allocation as
460 * last page could have large enough tailroom.
462 prog_adj = bpf_prog_realloc(prog, bpf_prog_size(insn_adj_cnt),
465 return ERR_PTR(-ENOMEM);
467 prog_adj->len = insn_adj_cnt;
469 /* Patching happens in 3 steps:
471 * 1) Move over tail of insnsi from next instruction onwards,
472 * so we can patch the single target insn with one or more
473 * new ones (patching is always from 1 to n insns, n > 0).
474 * 2) Inject new instructions at the target location.
475 * 3) Adjust branch offsets if necessary.
477 insn_rest = insn_adj_cnt - off - len;
479 memmove(prog_adj->insnsi + off + len, prog_adj->insnsi + off + 1,
480 sizeof(*patch) * insn_rest);
481 memcpy(prog_adj->insnsi + off, patch, sizeof(*patch) * len);
483 /* We are guaranteed to not fail at this point, otherwise
484 * the ship has sailed to reverse to the original state. An
485 * overflow cannot happen at this point.
487 BUG_ON(bpf_adj_branches(prog_adj, off, off + 1, off + len, false));
489 bpf_adj_linfo(prog_adj, off, insn_delta);
494 int bpf_remove_insns(struct bpf_prog *prog, u32 off, u32 cnt)
496 /* Branch offsets can't overflow when program is shrinking, no need
497 * to call bpf_adj_branches(..., true) here
499 memmove(prog->insnsi + off, prog->insnsi + off + cnt,
500 sizeof(struct bpf_insn) * (prog->len - off - cnt));
503 return WARN_ON_ONCE(bpf_adj_branches(prog, off, off + cnt, off, false));
506 static void bpf_prog_kallsyms_del_subprogs(struct bpf_prog *fp)
510 for (i = 0; i < fp->aux->func_cnt; i++)
511 bpf_prog_kallsyms_del(fp->aux->func[i]);
514 void bpf_prog_kallsyms_del_all(struct bpf_prog *fp)
516 bpf_prog_kallsyms_del_subprogs(fp);
517 bpf_prog_kallsyms_del(fp);
520 #ifdef CONFIG_BPF_JIT
521 /* All BPF JIT sysctl knobs here. */
522 int bpf_jit_enable __read_mostly = IS_BUILTIN(CONFIG_BPF_JIT_ALWAYS_ON);
523 int bpf_jit_harden __read_mostly;
524 int bpf_jit_kallsyms __read_mostly;
525 long bpf_jit_limit __read_mostly;
526 long bpf_jit_limit_max __read_mostly;
528 static __always_inline void
529 bpf_get_prog_addr_region(const struct bpf_prog *prog,
530 unsigned long *symbol_start,
531 unsigned long *symbol_end)
533 const struct bpf_binary_header *hdr = bpf_jit_binary_hdr(prog);
534 unsigned long addr = (unsigned long)hdr;
536 WARN_ON_ONCE(!bpf_prog_ebpf_jited(prog));
538 *symbol_start = addr;
539 *symbol_end = addr + hdr->pages * PAGE_SIZE;
542 void bpf_get_prog_name(const struct bpf_prog *prog, char *sym)
544 const char *end = sym + KSYM_NAME_LEN;
545 const struct btf_type *type;
546 const char *func_name;
548 BUILD_BUG_ON(sizeof("bpf_prog_") +
549 sizeof(prog->tag) * 2 +
550 /* name has been null terminated.
551 * We should need +1 for the '_' preceding
552 * the name. However, the null character
553 * is double counted between the name and the
554 * sizeof("bpf_prog_") above, so we omit
557 sizeof(prog->aux->name) > KSYM_NAME_LEN);
559 sym += snprintf(sym, KSYM_NAME_LEN, "bpf_prog_");
560 sym = bin2hex(sym, prog->tag, sizeof(prog->tag));
562 /* prog->aux->name will be ignored if full btf name is available */
563 if (prog->aux->func_info_cnt) {
564 type = btf_type_by_id(prog->aux->btf,
565 prog->aux->func_info[prog->aux->func_idx].type_id);
566 func_name = btf_name_by_offset(prog->aux->btf, type->name_off);
567 snprintf(sym, (size_t)(end - sym), "_%s", func_name);
571 if (prog->aux->name[0])
572 snprintf(sym, (size_t)(end - sym), "_%s", prog->aux->name);
577 static __always_inline unsigned long
578 bpf_get_prog_addr_start(struct latch_tree_node *n)
580 unsigned long symbol_start, symbol_end;
581 const struct bpf_prog_aux *aux;
583 aux = container_of(n, struct bpf_prog_aux, ksym_tnode);
584 bpf_get_prog_addr_region(aux->prog, &symbol_start, &symbol_end);
589 static __always_inline bool bpf_tree_less(struct latch_tree_node *a,
590 struct latch_tree_node *b)
592 return bpf_get_prog_addr_start(a) < bpf_get_prog_addr_start(b);
595 static __always_inline int bpf_tree_comp(void *key, struct latch_tree_node *n)
597 unsigned long val = (unsigned long)key;
598 unsigned long symbol_start, symbol_end;
599 const struct bpf_prog_aux *aux;
601 aux = container_of(n, struct bpf_prog_aux, ksym_tnode);
602 bpf_get_prog_addr_region(aux->prog, &symbol_start, &symbol_end);
604 if (val < symbol_start)
606 if (val >= symbol_end)
612 static const struct latch_tree_ops bpf_tree_ops = {
613 .less = bpf_tree_less,
614 .comp = bpf_tree_comp,
617 static DEFINE_SPINLOCK(bpf_lock);
618 static LIST_HEAD(bpf_kallsyms);
619 static struct latch_tree_root bpf_tree __cacheline_aligned;
621 static void bpf_prog_ksym_node_add(struct bpf_prog_aux *aux)
623 WARN_ON_ONCE(!list_empty(&aux->ksym_lnode));
624 list_add_tail_rcu(&aux->ksym_lnode, &bpf_kallsyms);
625 latch_tree_insert(&aux->ksym_tnode, &bpf_tree, &bpf_tree_ops);
628 static void bpf_prog_ksym_node_del(struct bpf_prog_aux *aux)
630 if (list_empty(&aux->ksym_lnode))
633 latch_tree_erase(&aux->ksym_tnode, &bpf_tree, &bpf_tree_ops);
634 list_del_rcu(&aux->ksym_lnode);
637 static bool bpf_prog_kallsyms_candidate(const struct bpf_prog *fp)
639 return fp->jited && !bpf_prog_was_classic(fp);
642 static bool bpf_prog_kallsyms_verify_off(const struct bpf_prog *fp)
644 return list_empty(&fp->aux->ksym_lnode) ||
645 fp->aux->ksym_lnode.prev == LIST_POISON2;
648 void bpf_prog_kallsyms_add(struct bpf_prog *fp)
650 if (!bpf_prog_kallsyms_candidate(fp) ||
651 !capable(CAP_SYS_ADMIN))
654 spin_lock_bh(&bpf_lock);
655 bpf_prog_ksym_node_add(fp->aux);
656 spin_unlock_bh(&bpf_lock);
659 void bpf_prog_kallsyms_del(struct bpf_prog *fp)
661 if (!bpf_prog_kallsyms_candidate(fp))
664 spin_lock_bh(&bpf_lock);
665 bpf_prog_ksym_node_del(fp->aux);
666 spin_unlock_bh(&bpf_lock);
669 static struct bpf_prog *bpf_prog_kallsyms_find(unsigned long addr)
671 struct latch_tree_node *n;
673 if (!bpf_jit_kallsyms_enabled())
676 n = latch_tree_find((void *)addr, &bpf_tree, &bpf_tree_ops);
678 container_of(n, struct bpf_prog_aux, ksym_tnode)->prog :
682 const char *__bpf_address_lookup(unsigned long addr, unsigned long *size,
683 unsigned long *off, char *sym)
685 unsigned long symbol_start, symbol_end;
686 struct bpf_prog *prog;
690 prog = bpf_prog_kallsyms_find(addr);
692 bpf_get_prog_addr_region(prog, &symbol_start, &symbol_end);
693 bpf_get_prog_name(prog, sym);
697 *size = symbol_end - symbol_start;
699 *off = addr - symbol_start;
706 bool is_bpf_text_address(unsigned long addr)
711 ret = bpf_prog_kallsyms_find(addr) != NULL;
717 int bpf_get_kallsym(unsigned int symnum, unsigned long *value, char *type,
720 struct bpf_prog_aux *aux;
724 if (!bpf_jit_kallsyms_enabled())
728 list_for_each_entry_rcu(aux, &bpf_kallsyms, ksym_lnode) {
732 bpf_get_prog_name(aux->prog, sym);
734 *value = (unsigned long)aux->prog->bpf_func;
735 *type = BPF_SYM_ELF_TYPE;
745 static atomic_long_t bpf_jit_current;
747 /* Can be overridden by an arch's JIT compiler if it has a custom,
748 * dedicated BPF backend memory area, or if neither of the two
751 u64 __weak bpf_jit_alloc_exec_limit(void)
753 #if defined(MODULES_VADDR)
754 return MODULES_END - MODULES_VADDR;
756 return VMALLOC_END - VMALLOC_START;
760 static int __init bpf_jit_charge_init(void)
762 /* Only used as heuristic here to derive limit. */
763 bpf_jit_limit_max = bpf_jit_alloc_exec_limit();
764 bpf_jit_limit = min_t(u64, round_up(bpf_jit_limit_max >> 2,
765 PAGE_SIZE), LONG_MAX);
768 pure_initcall(bpf_jit_charge_init);
770 static int bpf_jit_charge_modmem(u32 pages)
772 if (atomic_long_add_return(pages, &bpf_jit_current) >
773 (bpf_jit_limit >> PAGE_SHIFT)) {
774 if (!capable(CAP_SYS_ADMIN)) {
775 atomic_long_sub(pages, &bpf_jit_current);
783 static void bpf_jit_uncharge_modmem(u32 pages)
785 atomic_long_sub(pages, &bpf_jit_current);
788 void *__weak bpf_jit_alloc_exec(unsigned long size)
790 return module_alloc(size);
793 void __weak bpf_jit_free_exec(void *addr)
795 module_memfree(addr);
798 struct bpf_binary_header *
799 bpf_jit_binary_alloc(unsigned int proglen, u8 **image_ptr,
800 unsigned int alignment,
801 bpf_jit_fill_hole_t bpf_fill_ill_insns)
803 struct bpf_binary_header *hdr;
804 u32 size, hole, start, pages;
806 /* Most of BPF filters are really small, but if some of them
807 * fill a page, allow at least 128 extra bytes to insert a
808 * random section of illegal instructions.
810 size = round_up(proglen + sizeof(*hdr) + 128, PAGE_SIZE);
811 pages = size / PAGE_SIZE;
813 if (bpf_jit_charge_modmem(pages))
815 hdr = bpf_jit_alloc_exec(size);
817 bpf_jit_uncharge_modmem(pages);
821 /* Fill space with illegal/arch-dep instructions. */
822 bpf_fill_ill_insns(hdr, size);
825 hole = min_t(unsigned int, size - (proglen + sizeof(*hdr)),
826 PAGE_SIZE - sizeof(*hdr));
827 start = (get_random_int() % hole) & ~(alignment - 1);
829 /* Leave a random number of instructions before BPF code. */
830 *image_ptr = &hdr->image[start];
835 void bpf_jit_binary_free(struct bpf_binary_header *hdr)
837 u32 pages = hdr->pages;
839 bpf_jit_free_exec(hdr);
840 bpf_jit_uncharge_modmem(pages);
843 /* This symbol is only overridden by archs that have different
844 * requirements than the usual eBPF JITs, f.e. when they only
845 * implement cBPF JIT, do not set images read-only, etc.
847 void __weak bpf_jit_free(struct bpf_prog *fp)
850 struct bpf_binary_header *hdr = bpf_jit_binary_hdr(fp);
852 bpf_jit_binary_free(hdr);
854 WARN_ON_ONCE(!bpf_prog_kallsyms_verify_off(fp));
857 bpf_prog_unlock_free(fp);
860 int bpf_jit_get_func_addr(const struct bpf_prog *prog,
861 const struct bpf_insn *insn, bool extra_pass,
862 u64 *func_addr, bool *func_addr_fixed)
868 *func_addr_fixed = insn->src_reg != BPF_PSEUDO_CALL;
869 if (!*func_addr_fixed) {
870 /* Place-holder address till the last pass has collected
871 * all addresses for JITed subprograms in which case we
872 * can pick them up from prog->aux.
876 else if (prog->aux->func &&
877 off >= 0 && off < prog->aux->func_cnt)
878 addr = (u8 *)prog->aux->func[off]->bpf_func;
882 /* Address of a BPF helper call. Since part of the core
883 * kernel, it's always at a fixed location. __bpf_call_base
884 * and the helper with imm relative to it are both in core
887 addr = (u8 *)__bpf_call_base + imm;
890 *func_addr = (unsigned long)addr;
894 static int bpf_jit_blind_insn(const struct bpf_insn *from,
895 const struct bpf_insn *aux,
896 struct bpf_insn *to_buff,
899 struct bpf_insn *to = to_buff;
900 u32 imm_rnd = get_random_int();
903 BUILD_BUG_ON(BPF_REG_AX + 1 != MAX_BPF_JIT_REG);
904 BUILD_BUG_ON(MAX_BPF_REG + 1 != MAX_BPF_JIT_REG);
906 /* Constraints on AX register:
908 * AX register is inaccessible from user space. It is mapped in
909 * all JITs, and used here for constant blinding rewrites. It is
910 * typically "stateless" meaning its contents are only valid within
911 * the executed instruction, but not across several instructions.
912 * There are a few exceptions however which are further detailed
915 * Constant blinding is only used by JITs, not in the interpreter.
916 * The interpreter uses AX in some occasions as a local temporary
917 * register e.g. in DIV or MOD instructions.
919 * In restricted circumstances, the verifier can also use the AX
920 * register for rewrites as long as they do not interfere with
923 if (from->dst_reg == BPF_REG_AX || from->src_reg == BPF_REG_AX)
926 if (from->imm == 0 &&
927 (from->code == (BPF_ALU | BPF_MOV | BPF_K) ||
928 from->code == (BPF_ALU64 | BPF_MOV | BPF_K))) {
929 *to++ = BPF_ALU64_REG(BPF_XOR, from->dst_reg, from->dst_reg);
933 switch (from->code) {
934 case BPF_ALU | BPF_ADD | BPF_K:
935 case BPF_ALU | BPF_SUB | BPF_K:
936 case BPF_ALU | BPF_AND | BPF_K:
937 case BPF_ALU | BPF_OR | BPF_K:
938 case BPF_ALU | BPF_XOR | BPF_K:
939 case BPF_ALU | BPF_MUL | BPF_K:
940 case BPF_ALU | BPF_MOV | BPF_K:
941 case BPF_ALU | BPF_DIV | BPF_K:
942 case BPF_ALU | BPF_MOD | BPF_K:
943 *to++ = BPF_ALU32_IMM(BPF_MOV, BPF_REG_AX, imm_rnd ^ from->imm);
944 *to++ = BPF_ALU32_IMM(BPF_XOR, BPF_REG_AX, imm_rnd);
945 *to++ = BPF_ALU32_REG(from->code, from->dst_reg, BPF_REG_AX);
948 case BPF_ALU64 | BPF_ADD | BPF_K:
949 case BPF_ALU64 | BPF_SUB | BPF_K:
950 case BPF_ALU64 | BPF_AND | BPF_K:
951 case BPF_ALU64 | BPF_OR | BPF_K:
952 case BPF_ALU64 | BPF_XOR | BPF_K:
953 case BPF_ALU64 | BPF_MUL | BPF_K:
954 case BPF_ALU64 | BPF_MOV | BPF_K:
955 case BPF_ALU64 | BPF_DIV | BPF_K:
956 case BPF_ALU64 | BPF_MOD | BPF_K:
957 *to++ = BPF_ALU64_IMM(BPF_MOV, BPF_REG_AX, imm_rnd ^ from->imm);
958 *to++ = BPF_ALU64_IMM(BPF_XOR, BPF_REG_AX, imm_rnd);
959 *to++ = BPF_ALU64_REG(from->code, from->dst_reg, BPF_REG_AX);
962 case BPF_JMP | BPF_JEQ | BPF_K:
963 case BPF_JMP | BPF_JNE | BPF_K:
964 case BPF_JMP | BPF_JGT | BPF_K:
965 case BPF_JMP | BPF_JLT | BPF_K:
966 case BPF_JMP | BPF_JGE | BPF_K:
967 case BPF_JMP | BPF_JLE | BPF_K:
968 case BPF_JMP | BPF_JSGT | BPF_K:
969 case BPF_JMP | BPF_JSLT | BPF_K:
970 case BPF_JMP | BPF_JSGE | BPF_K:
971 case BPF_JMP | BPF_JSLE | BPF_K:
972 case BPF_JMP | BPF_JSET | BPF_K:
973 /* Accommodate for extra offset in case of a backjump. */
977 *to++ = BPF_ALU64_IMM(BPF_MOV, BPF_REG_AX, imm_rnd ^ from->imm);
978 *to++ = BPF_ALU64_IMM(BPF_XOR, BPF_REG_AX, imm_rnd);
979 *to++ = BPF_JMP_REG(from->code, from->dst_reg, BPF_REG_AX, off);
982 case BPF_JMP32 | BPF_JEQ | BPF_K:
983 case BPF_JMP32 | BPF_JNE | BPF_K:
984 case BPF_JMP32 | BPF_JGT | BPF_K:
985 case BPF_JMP32 | BPF_JLT | BPF_K:
986 case BPF_JMP32 | BPF_JGE | BPF_K:
987 case BPF_JMP32 | BPF_JLE | BPF_K:
988 case BPF_JMP32 | BPF_JSGT | BPF_K:
989 case BPF_JMP32 | BPF_JSLT | BPF_K:
990 case BPF_JMP32 | BPF_JSGE | BPF_K:
991 case BPF_JMP32 | BPF_JSLE | BPF_K:
992 case BPF_JMP32 | BPF_JSET | BPF_K:
993 /* Accommodate for extra offset in case of a backjump. */
997 *to++ = BPF_ALU32_IMM(BPF_MOV, BPF_REG_AX, imm_rnd ^ from->imm);
998 *to++ = BPF_ALU32_IMM(BPF_XOR, BPF_REG_AX, imm_rnd);
999 *to++ = BPF_JMP32_REG(from->code, from->dst_reg, BPF_REG_AX,
1003 case BPF_LD | BPF_IMM | BPF_DW:
1004 *to++ = BPF_ALU64_IMM(BPF_MOV, BPF_REG_AX, imm_rnd ^ aux[1].imm);
1005 *to++ = BPF_ALU64_IMM(BPF_XOR, BPF_REG_AX, imm_rnd);
1006 *to++ = BPF_ALU64_IMM(BPF_LSH, BPF_REG_AX, 32);
1007 *to++ = BPF_ALU64_REG(BPF_MOV, aux[0].dst_reg, BPF_REG_AX);
1009 case 0: /* Part 2 of BPF_LD | BPF_IMM | BPF_DW. */
1010 *to++ = BPF_ALU32_IMM(BPF_MOV, BPF_REG_AX, imm_rnd ^ aux[0].imm);
1011 *to++ = BPF_ALU32_IMM(BPF_XOR, BPF_REG_AX, imm_rnd);
1013 *to++ = BPF_ZEXT_REG(BPF_REG_AX);
1014 *to++ = BPF_ALU64_REG(BPF_OR, aux[0].dst_reg, BPF_REG_AX);
1017 case BPF_ST | BPF_MEM | BPF_DW:
1018 case BPF_ST | BPF_MEM | BPF_W:
1019 case BPF_ST | BPF_MEM | BPF_H:
1020 case BPF_ST | BPF_MEM | BPF_B:
1021 *to++ = BPF_ALU64_IMM(BPF_MOV, BPF_REG_AX, imm_rnd ^ from->imm);
1022 *to++ = BPF_ALU64_IMM(BPF_XOR, BPF_REG_AX, imm_rnd);
1023 *to++ = BPF_STX_MEM(from->code, from->dst_reg, BPF_REG_AX, from->off);
1027 return to - to_buff;
1030 static struct bpf_prog *bpf_prog_clone_create(struct bpf_prog *fp_other,
1031 gfp_t gfp_extra_flags)
1033 gfp_t gfp_flags = GFP_KERNEL | __GFP_ZERO | gfp_extra_flags;
1034 struct bpf_prog *fp;
1036 fp = __vmalloc(fp_other->pages * PAGE_SIZE, gfp_flags, PAGE_KERNEL);
1038 /* aux->prog still points to the fp_other one, so
1039 * when promoting the clone to the real program,
1040 * this still needs to be adapted.
1042 memcpy(fp, fp_other, fp_other->pages * PAGE_SIZE);
1048 static void bpf_prog_clone_free(struct bpf_prog *fp)
1050 /* aux was stolen by the other clone, so we cannot free
1051 * it from this path! It will be freed eventually by the
1052 * other program on release.
1054 * At this point, we don't need a deferred release since
1055 * clone is guaranteed to not be locked.
1058 __bpf_prog_free(fp);
1061 void bpf_jit_prog_release_other(struct bpf_prog *fp, struct bpf_prog *fp_other)
1063 /* We have to repoint aux->prog to self, as we don't
1064 * know whether fp here is the clone or the original.
1067 bpf_prog_clone_free(fp_other);
1070 struct bpf_prog *bpf_jit_blind_constants(struct bpf_prog *prog)
1072 struct bpf_insn insn_buff[16], aux[2];
1073 struct bpf_prog *clone, *tmp;
1074 int insn_delta, insn_cnt;
1075 struct bpf_insn *insn;
1078 if (!bpf_jit_blinding_enabled(prog) || prog->blinded)
1081 clone = bpf_prog_clone_create(prog, GFP_USER);
1083 return ERR_PTR(-ENOMEM);
1085 insn_cnt = clone->len;
1086 insn = clone->insnsi;
1088 for (i = 0; i < insn_cnt; i++, insn++) {
1089 /* We temporarily need to hold the original ld64 insn
1090 * so that we can still access the first part in the
1091 * second blinding run.
1093 if (insn[0].code == (BPF_LD | BPF_IMM | BPF_DW) &&
1095 memcpy(aux, insn, sizeof(aux));
1097 rewritten = bpf_jit_blind_insn(insn, aux, insn_buff,
1098 clone->aux->verifier_zext);
1102 tmp = bpf_patch_insn_single(clone, i, insn_buff, rewritten);
1104 /* Patching may have repointed aux->prog during
1105 * realloc from the original one, so we need to
1106 * fix it up here on error.
1108 bpf_jit_prog_release_other(prog, clone);
1113 insn_delta = rewritten - 1;
1115 /* Walk new program and skip insns we just inserted. */
1116 insn = clone->insnsi + i + insn_delta;
1117 insn_cnt += insn_delta;
1124 #endif /* CONFIG_BPF_JIT */
1126 /* Base function for offset calculation. Needs to go into .text section,
1127 * therefore keeping it non-static as well; will also be used by JITs
1128 * anyway later on, so do not let the compiler omit it. This also needs
1129 * to go into kallsyms for correlation from e.g. bpftool, so naming
1132 noinline u64 __bpf_call_base(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5)
1136 EXPORT_SYMBOL_GPL(__bpf_call_base);
1138 /* All UAPI available opcodes. */
1139 #define BPF_INSN_MAP(INSN_2, INSN_3) \
1140 /* 32 bit ALU operations. */ \
1141 /* Register based. */ \
1142 INSN_3(ALU, ADD, X), \
1143 INSN_3(ALU, SUB, X), \
1144 INSN_3(ALU, AND, X), \
1145 INSN_3(ALU, OR, X), \
1146 INSN_3(ALU, LSH, X), \
1147 INSN_3(ALU, RSH, X), \
1148 INSN_3(ALU, XOR, X), \
1149 INSN_3(ALU, MUL, X), \
1150 INSN_3(ALU, MOV, X), \
1151 INSN_3(ALU, ARSH, X), \
1152 INSN_3(ALU, DIV, X), \
1153 INSN_3(ALU, MOD, X), \
1155 INSN_3(ALU, END, TO_BE), \
1156 INSN_3(ALU, END, TO_LE), \
1157 /* Immediate based. */ \
1158 INSN_3(ALU, ADD, K), \
1159 INSN_3(ALU, SUB, K), \
1160 INSN_3(ALU, AND, K), \
1161 INSN_3(ALU, OR, K), \
1162 INSN_3(ALU, LSH, K), \
1163 INSN_3(ALU, RSH, K), \
1164 INSN_3(ALU, XOR, K), \
1165 INSN_3(ALU, MUL, K), \
1166 INSN_3(ALU, MOV, K), \
1167 INSN_3(ALU, ARSH, K), \
1168 INSN_3(ALU, DIV, K), \
1169 INSN_3(ALU, MOD, K), \
1170 /* 64 bit ALU operations. */ \
1171 /* Register based. */ \
1172 INSN_3(ALU64, ADD, X), \
1173 INSN_3(ALU64, SUB, X), \
1174 INSN_3(ALU64, AND, X), \
1175 INSN_3(ALU64, OR, X), \
1176 INSN_3(ALU64, LSH, X), \
1177 INSN_3(ALU64, RSH, X), \
1178 INSN_3(ALU64, XOR, X), \
1179 INSN_3(ALU64, MUL, X), \
1180 INSN_3(ALU64, MOV, X), \
1181 INSN_3(ALU64, ARSH, X), \
1182 INSN_3(ALU64, DIV, X), \
1183 INSN_3(ALU64, MOD, X), \
1184 INSN_2(ALU64, NEG), \
1185 /* Immediate based. */ \
1186 INSN_3(ALU64, ADD, K), \
1187 INSN_3(ALU64, SUB, K), \
1188 INSN_3(ALU64, AND, K), \
1189 INSN_3(ALU64, OR, K), \
1190 INSN_3(ALU64, LSH, K), \
1191 INSN_3(ALU64, RSH, K), \
1192 INSN_3(ALU64, XOR, K), \
1193 INSN_3(ALU64, MUL, K), \
1194 INSN_3(ALU64, MOV, K), \
1195 INSN_3(ALU64, ARSH, K), \
1196 INSN_3(ALU64, DIV, K), \
1197 INSN_3(ALU64, MOD, K), \
1198 /* Call instruction. */ \
1199 INSN_2(JMP, CALL), \
1200 /* Exit instruction. */ \
1201 INSN_2(JMP, EXIT), \
1202 /* 32-bit Jump instructions. */ \
1203 /* Register based. */ \
1204 INSN_3(JMP32, JEQ, X), \
1205 INSN_3(JMP32, JNE, X), \
1206 INSN_3(JMP32, JGT, X), \
1207 INSN_3(JMP32, JLT, X), \
1208 INSN_3(JMP32, JGE, X), \
1209 INSN_3(JMP32, JLE, X), \
1210 INSN_3(JMP32, JSGT, X), \
1211 INSN_3(JMP32, JSLT, X), \
1212 INSN_3(JMP32, JSGE, X), \
1213 INSN_3(JMP32, JSLE, X), \
1214 INSN_3(JMP32, JSET, X), \
1215 /* Immediate based. */ \
1216 INSN_3(JMP32, JEQ, K), \
1217 INSN_3(JMP32, JNE, K), \
1218 INSN_3(JMP32, JGT, K), \
1219 INSN_3(JMP32, JLT, K), \
1220 INSN_3(JMP32, JGE, K), \
1221 INSN_3(JMP32, JLE, K), \
1222 INSN_3(JMP32, JSGT, K), \
1223 INSN_3(JMP32, JSLT, K), \
1224 INSN_3(JMP32, JSGE, K), \
1225 INSN_3(JMP32, JSLE, K), \
1226 INSN_3(JMP32, JSET, K), \
1227 /* Jump instructions. */ \
1228 /* Register based. */ \
1229 INSN_3(JMP, JEQ, X), \
1230 INSN_3(JMP, JNE, X), \
1231 INSN_3(JMP, JGT, X), \
1232 INSN_3(JMP, JLT, X), \
1233 INSN_3(JMP, JGE, X), \
1234 INSN_3(JMP, JLE, X), \
1235 INSN_3(JMP, JSGT, X), \
1236 INSN_3(JMP, JSLT, X), \
1237 INSN_3(JMP, JSGE, X), \
1238 INSN_3(JMP, JSLE, X), \
1239 INSN_3(JMP, JSET, X), \
1240 /* Immediate based. */ \
1241 INSN_3(JMP, JEQ, K), \
1242 INSN_3(JMP, JNE, K), \
1243 INSN_3(JMP, JGT, K), \
1244 INSN_3(JMP, JLT, K), \
1245 INSN_3(JMP, JGE, K), \
1246 INSN_3(JMP, JLE, K), \
1247 INSN_3(JMP, JSGT, K), \
1248 INSN_3(JMP, JSLT, K), \
1249 INSN_3(JMP, JSGE, K), \
1250 INSN_3(JMP, JSLE, K), \
1251 INSN_3(JMP, JSET, K), \
1253 /* Store instructions. */ \
1254 /* Register based. */ \
1255 INSN_3(STX, MEM, B), \
1256 INSN_3(STX, MEM, H), \
1257 INSN_3(STX, MEM, W), \
1258 INSN_3(STX, MEM, DW), \
1259 INSN_3(STX, XADD, W), \
1260 INSN_3(STX, XADD, DW), \
1261 /* Immediate based. */ \
1262 INSN_3(ST, MEM, B), \
1263 INSN_3(ST, MEM, H), \
1264 INSN_3(ST, MEM, W), \
1265 INSN_3(ST, MEM, DW), \
1266 /* Load instructions. */ \
1267 /* Register based. */ \
1268 INSN_3(LDX, MEM, B), \
1269 INSN_3(LDX, MEM, H), \
1270 INSN_3(LDX, MEM, W), \
1271 INSN_3(LDX, MEM, DW), \
1272 /* Immediate based. */ \
1275 bool bpf_opcode_in_insntable(u8 code)
1277 #define BPF_INSN_2_TBL(x, y) [BPF_##x | BPF_##y] = true
1278 #define BPF_INSN_3_TBL(x, y, z) [BPF_##x | BPF_##y | BPF_##z] = true
1279 static const bool public_insntable[256] = {
1280 [0 ... 255] = false,
1281 /* Now overwrite non-defaults ... */
1282 BPF_INSN_MAP(BPF_INSN_2_TBL, BPF_INSN_3_TBL),
1283 /* UAPI exposed, but rewritten opcodes. cBPF carry-over. */
1284 [BPF_LD | BPF_ABS | BPF_B] = true,
1285 [BPF_LD | BPF_ABS | BPF_H] = true,
1286 [BPF_LD | BPF_ABS | BPF_W] = true,
1287 [BPF_LD | BPF_IND | BPF_B] = true,
1288 [BPF_LD | BPF_IND | BPF_H] = true,
1289 [BPF_LD | BPF_IND | BPF_W] = true,
1291 #undef BPF_INSN_3_TBL
1292 #undef BPF_INSN_2_TBL
1293 return public_insntable[code];
1296 #ifndef CONFIG_BPF_JIT_ALWAYS_ON
1298 * __bpf_prog_run - run eBPF program on a given context
1299 * @regs: is the array of MAX_BPF_EXT_REG eBPF pseudo-registers
1300 * @insn: is the array of eBPF instructions
1301 * @stack: is the eBPF storage stack
1303 * Decode and execute eBPF instructions.
1305 static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn, u64 *stack)
1307 #define BPF_INSN_2_LBL(x, y) [BPF_##x | BPF_##y] = &&x##_##y
1308 #define BPF_INSN_3_LBL(x, y, z) [BPF_##x | BPF_##y | BPF_##z] = &&x##_##y##_##z
1309 static const void * const jumptable[256] __annotate_jump_table = {
1310 [0 ... 255] = &&default_label,
1311 /* Now overwrite non-defaults ... */
1312 BPF_INSN_MAP(BPF_INSN_2_LBL, BPF_INSN_3_LBL),
1313 /* Non-UAPI available opcodes. */
1314 [BPF_JMP | BPF_CALL_ARGS] = &&JMP_CALL_ARGS,
1315 [BPF_JMP | BPF_TAIL_CALL] = &&JMP_TAIL_CALL,
1316 [BPF_ST | BPF_NOSPEC] = &&ST_NOSPEC,
1318 #undef BPF_INSN_3_LBL
1319 #undef BPF_INSN_2_LBL
1320 u32 tail_call_cnt = 0;
1322 #define CONT ({ insn++; goto select_insn; })
1323 #define CONT_JMP ({ insn++; goto select_insn; })
1326 goto *jumptable[insn->code];
1328 /* Explicitly mask the register-based shift amounts with 63 or 31
1329 * to avoid undefined behavior. Normally this won't affect the
1330 * generated code, for example, in case of native 64 bit archs such
1331 * as x86-64 or arm64, the compiler is optimizing the AND away for
1332 * the interpreter. In case of JITs, each of the JIT backends compiles
1333 * the BPF shift operations to machine instructions which produce
1334 * implementation-defined results in such a case; the resulting
1335 * contents of the register may be arbitrary, but program behaviour
1336 * as a whole remains defined. In other words, in case of JIT backends,
1337 * the AND must /not/ be added to the emitted LSH/RSH/ARSH translation.
1340 #define SHT(OPCODE, OP) \
1341 ALU64_##OPCODE##_X: \
1342 DST = DST OP (SRC & 63); \
1345 DST = (u32) DST OP ((u32) SRC & 31); \
1347 ALU64_##OPCODE##_K: \
1351 DST = (u32) DST OP (u32) IMM; \
1354 #define ALU(OPCODE, OP) \
1355 ALU64_##OPCODE##_X: \
1359 DST = (u32) DST OP (u32) SRC; \
1361 ALU64_##OPCODE##_K: \
1365 DST = (u32) DST OP (u32) IMM; \
1396 DST = (u64) (u32) insn[0].imm | ((u64) (u32) insn[1].imm) << 32;
1400 DST = (u64) (u32) (((s32) DST) >> (SRC & 31));
1403 DST = (u64) (u32) (((s32) DST) >> IMM);
1406 (*(s64 *) &DST) >>= (SRC & 63);
1409 (*(s64 *) &DST) >>= IMM;
1412 div64_u64_rem(DST, SRC, &AX);
1417 DST = do_div(AX, (u32) SRC);
1420 div64_u64_rem(DST, IMM, &AX);
1425 DST = do_div(AX, (u32) IMM);
1428 DST = div64_u64(DST, SRC);
1432 do_div(AX, (u32) SRC);
1436 DST = div64_u64(DST, IMM);
1440 do_div(AX, (u32) IMM);
1446 DST = (__force u16) cpu_to_be16(DST);
1449 DST = (__force u32) cpu_to_be32(DST);
1452 DST = (__force u64) cpu_to_be64(DST);
1459 DST = (__force u16) cpu_to_le16(DST);
1462 DST = (__force u32) cpu_to_le32(DST);
1465 DST = (__force u64) cpu_to_le64(DST);
1472 /* Function call scratches BPF_R1-BPF_R5 registers,
1473 * preserves BPF_R6-BPF_R9, and stores return value
1476 BPF_R0 = (__bpf_call_base + insn->imm)(BPF_R1, BPF_R2, BPF_R3,
1481 BPF_R0 = (__bpf_call_base_args + insn->imm)(BPF_R1, BPF_R2,
1484 insn + insn->off + 1);
1488 struct bpf_map *map = (struct bpf_map *) (unsigned long) BPF_R2;
1489 struct bpf_array *array = container_of(map, struct bpf_array, map);
1490 struct bpf_prog *prog;
1493 if (unlikely(index >= array->map.max_entries))
1495 if (unlikely(tail_call_cnt > MAX_TAIL_CALL_CNT))
1500 prog = READ_ONCE(array->ptrs[index]);
1504 /* ARG1 at this point is guaranteed to point to CTX from
1505 * the verifier side due to the fact that the tail call is
1506 * handeled like a helper, that is, bpf_tail_call_proto,
1507 * where arg1_type is ARG_PTR_TO_CTX.
1509 insn = prog->insnsi;
1520 #define COND_JMP(SIGN, OPCODE, CMP_OP) \
1522 if ((SIGN##64) DST CMP_OP (SIGN##64) SRC) { \
1523 insn += insn->off; \
1527 JMP32_##OPCODE##_X: \
1528 if ((SIGN##32) DST CMP_OP (SIGN##32) SRC) { \
1529 insn += insn->off; \
1534 if ((SIGN##64) DST CMP_OP (SIGN##64) IMM) { \
1535 insn += insn->off; \
1539 JMP32_##OPCODE##_K: \
1540 if ((SIGN##32) DST CMP_OP (SIGN##32) IMM) { \
1541 insn += insn->off; \
1545 COND_JMP(u, JEQ, ==)
1546 COND_JMP(u, JNE, !=)
1549 COND_JMP(u, JGE, >=)
1550 COND_JMP(u, JLE, <=)
1551 COND_JMP(u, JSET, &)
1552 COND_JMP(s, JSGT, >)
1553 COND_JMP(s, JSLT, <)
1554 COND_JMP(s, JSGE, >=)
1555 COND_JMP(s, JSLE, <=)
1557 /* ST, STX and LDX*/
1559 /* Speculation barrier for mitigating Speculative Store Bypass.
1560 * In case of arm64, we rely on the firmware mitigation as
1561 * controlled via the ssbd kernel parameter. Whenever the
1562 * mitigation is enabled, it works for all of the kernel code
1563 * with no need to provide any additional instructions here.
1564 * In case of x86, we use 'lfence' insn for mitigation. We
1565 * reuse preexisting logic from Spectre v1 mitigation that
1566 * happens to produce the required code on x86 for v4 as well.
1572 #define LDST(SIZEOP, SIZE) \
1574 *(SIZE *)(unsigned long) (DST + insn->off) = SRC; \
1577 *(SIZE *)(unsigned long) (DST + insn->off) = IMM; \
1580 DST = *(SIZE *)(unsigned long) (SRC + insn->off); \
1588 STX_XADD_W: /* lock xadd *(u32 *)(dst_reg + off16) += src_reg */
1589 atomic_add((u32) SRC, (atomic_t *)(unsigned long)
1592 STX_XADD_DW: /* lock xadd *(u64 *)(dst_reg + off16) += src_reg */
1593 atomic64_add((u64) SRC, (atomic64_t *)(unsigned long)
1598 /* If we ever reach this, we have a bug somewhere. Die hard here
1599 * instead of just returning 0; we could be somewhere in a subprog,
1600 * so execution could continue otherwise which we do /not/ want.
1602 * Note, verifier whitelists all opcodes in bpf_opcode_in_insntable().
1604 pr_warn("BPF interpreter: unknown opcode %02x\n", insn->code);
1609 #define PROG_NAME(stack_size) __bpf_prog_run##stack_size
1610 #define DEFINE_BPF_PROG_RUN(stack_size) \
1611 static unsigned int PROG_NAME(stack_size)(const void *ctx, const struct bpf_insn *insn) \
1613 u64 stack[stack_size / sizeof(u64)]; \
1614 u64 regs[MAX_BPF_EXT_REG]; \
1616 FP = (u64) (unsigned long) &stack[ARRAY_SIZE(stack)]; \
1617 ARG1 = (u64) (unsigned long) ctx; \
1618 return ___bpf_prog_run(regs, insn, stack); \
1621 #define PROG_NAME_ARGS(stack_size) __bpf_prog_run_args##stack_size
1622 #define DEFINE_BPF_PROG_RUN_ARGS(stack_size) \
1623 static u64 PROG_NAME_ARGS(stack_size)(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5, \
1624 const struct bpf_insn *insn) \
1626 u64 stack[stack_size / sizeof(u64)]; \
1627 u64 regs[MAX_BPF_EXT_REG]; \
1629 FP = (u64) (unsigned long) &stack[ARRAY_SIZE(stack)]; \
1635 return ___bpf_prog_run(regs, insn, stack); \
1638 #define EVAL1(FN, X) FN(X)
1639 #define EVAL2(FN, X, Y...) FN(X) EVAL1(FN, Y)
1640 #define EVAL3(FN, X, Y...) FN(X) EVAL2(FN, Y)
1641 #define EVAL4(FN, X, Y...) FN(X) EVAL3(FN, Y)
1642 #define EVAL5(FN, X, Y...) FN(X) EVAL4(FN, Y)
1643 #define EVAL6(FN, X, Y...) FN(X) EVAL5(FN, Y)
1645 EVAL6(DEFINE_BPF_PROG_RUN, 32, 64, 96, 128, 160, 192);
1646 EVAL6(DEFINE_BPF_PROG_RUN, 224, 256, 288, 320, 352, 384);
1647 EVAL4(DEFINE_BPF_PROG_RUN, 416, 448, 480, 512);
1649 EVAL6(DEFINE_BPF_PROG_RUN_ARGS, 32, 64, 96, 128, 160, 192);
1650 EVAL6(DEFINE_BPF_PROG_RUN_ARGS, 224, 256, 288, 320, 352, 384);
1651 EVAL4(DEFINE_BPF_PROG_RUN_ARGS, 416, 448, 480, 512);
1653 #define PROG_NAME_LIST(stack_size) PROG_NAME(stack_size),
1655 static unsigned int (*interpreters[])(const void *ctx,
1656 const struct bpf_insn *insn) = {
1657 EVAL6(PROG_NAME_LIST, 32, 64, 96, 128, 160, 192)
1658 EVAL6(PROG_NAME_LIST, 224, 256, 288, 320, 352, 384)
1659 EVAL4(PROG_NAME_LIST, 416, 448, 480, 512)
1661 #undef PROG_NAME_LIST
1662 #define PROG_NAME_LIST(stack_size) PROG_NAME_ARGS(stack_size),
1663 static u64 (*interpreters_args[])(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5,
1664 const struct bpf_insn *insn) = {
1665 EVAL6(PROG_NAME_LIST, 32, 64, 96, 128, 160, 192)
1666 EVAL6(PROG_NAME_LIST, 224, 256, 288, 320, 352, 384)
1667 EVAL4(PROG_NAME_LIST, 416, 448, 480, 512)
1669 #undef PROG_NAME_LIST
1671 void bpf_patch_call_args(struct bpf_insn *insn, u32 stack_depth)
1673 stack_depth = max_t(u32, stack_depth, 1);
1674 insn->off = (s16) insn->imm;
1675 insn->imm = interpreters_args[(round_up(stack_depth, 32) / 32) - 1] -
1676 __bpf_call_base_args;
1677 insn->code = BPF_JMP | BPF_CALL_ARGS;
1681 static unsigned int __bpf_prog_ret0_warn(const void *ctx,
1682 const struct bpf_insn *insn)
1684 /* If this handler ever gets executed, then BPF_JIT_ALWAYS_ON
1685 * is not working properly, so warn about it!
1692 bool bpf_prog_array_compatible(struct bpf_array *array,
1693 const struct bpf_prog *fp)
1695 if (fp->kprobe_override)
1698 if (!array->owner_prog_type) {
1699 /* There's no owner yet where we could check for
1702 array->owner_prog_type = fp->type;
1703 array->owner_jited = fp->jited;
1708 return array->owner_prog_type == fp->type &&
1709 array->owner_jited == fp->jited;
1712 static int bpf_check_tail_call(const struct bpf_prog *fp)
1714 struct bpf_prog_aux *aux = fp->aux;
1717 for (i = 0; i < aux->used_map_cnt; i++) {
1718 struct bpf_map *map = aux->used_maps[i];
1719 struct bpf_array *array;
1721 if (map->map_type != BPF_MAP_TYPE_PROG_ARRAY)
1724 array = container_of(map, struct bpf_array, map);
1725 if (!bpf_prog_array_compatible(array, fp))
1732 static void bpf_prog_select_func(struct bpf_prog *fp)
1734 #ifndef CONFIG_BPF_JIT_ALWAYS_ON
1735 u32 stack_depth = max_t(u32, fp->aux->stack_depth, 1);
1737 fp->bpf_func = interpreters[(round_up(stack_depth, 32) / 32) - 1];
1739 fp->bpf_func = __bpf_prog_ret0_warn;
1744 * bpf_prog_select_runtime - select exec runtime for BPF program
1745 * @fp: bpf_prog populated with internal BPF program
1746 * @err: pointer to error variable
1748 * Try to JIT eBPF program, if JIT is not available, use interpreter.
1749 * The BPF program will be executed via BPF_PROG_RUN() macro.
1751 struct bpf_prog *bpf_prog_select_runtime(struct bpf_prog *fp, int *err)
1753 /* In case of BPF to BPF calls, verifier did all the prep
1754 * work with regards to JITing, etc.
1759 bpf_prog_select_func(fp);
1761 /* eBPF JITs can rewrite the program in case constant
1762 * blinding is active. However, in case of error during
1763 * blinding, bpf_int_jit_compile() must always return a
1764 * valid program, which in this case would simply not
1765 * be JITed, but falls back to the interpreter.
1767 if (!bpf_prog_is_dev_bound(fp->aux)) {
1768 *err = bpf_prog_alloc_jited_linfo(fp);
1772 fp = bpf_int_jit_compile(fp);
1774 bpf_prog_free_jited_linfo(fp);
1775 #ifdef CONFIG_BPF_JIT_ALWAYS_ON
1780 bpf_prog_free_unused_jited_linfo(fp);
1783 *err = bpf_prog_offload_compile(fp);
1789 bpf_prog_lock_ro(fp);
1791 /* The tail call compatibility check can only be done at
1792 * this late stage as we need to determine, if we deal
1793 * with JITed or non JITed program concatenations and not
1794 * all eBPF JITs might immediately support all features.
1796 *err = bpf_check_tail_call(fp);
1800 EXPORT_SYMBOL_GPL(bpf_prog_select_runtime);
1802 static unsigned int __bpf_prog_ret1(const void *ctx,
1803 const struct bpf_insn *insn)
1808 static struct bpf_prog_dummy {
1809 struct bpf_prog prog;
1810 } dummy_bpf_prog = {
1812 .bpf_func = __bpf_prog_ret1,
1816 /* to avoid allocating empty bpf_prog_array for cgroups that
1817 * don't have bpf program attached use one global 'empty_prog_array'
1818 * It will not be modified the caller of bpf_prog_array_alloc()
1819 * (since caller requested prog_cnt == 0)
1820 * that pointer should be 'freed' by bpf_prog_array_free()
1823 struct bpf_prog_array hdr;
1824 struct bpf_prog *null_prog;
1825 } empty_prog_array = {
1829 struct bpf_prog_array *bpf_prog_array_alloc(u32 prog_cnt, gfp_t flags)
1832 return kzalloc(sizeof(struct bpf_prog_array) +
1833 sizeof(struct bpf_prog_array_item) *
1837 return &empty_prog_array.hdr;
1840 void bpf_prog_array_free(struct bpf_prog_array *progs)
1842 if (!progs || progs == &empty_prog_array.hdr)
1844 kfree_rcu(progs, rcu);
1847 int bpf_prog_array_length(struct bpf_prog_array *array)
1849 struct bpf_prog_array_item *item;
1852 for (item = array->items; item->prog; item++)
1853 if (item->prog != &dummy_bpf_prog.prog)
1858 bool bpf_prog_array_is_empty(struct bpf_prog_array *array)
1860 struct bpf_prog_array_item *item;
1862 for (item = array->items; item->prog; item++)
1863 if (item->prog != &dummy_bpf_prog.prog)
1868 static bool bpf_prog_array_copy_core(struct bpf_prog_array *array,
1872 struct bpf_prog_array_item *item;
1875 for (item = array->items; item->prog; item++) {
1876 if (item->prog == &dummy_bpf_prog.prog)
1878 prog_ids[i] = item->prog->aux->id;
1879 if (++i == request_cnt) {
1885 return !!(item->prog);
1888 int bpf_prog_array_copy_to_user(struct bpf_prog_array *array,
1889 __u32 __user *prog_ids, u32 cnt)
1891 unsigned long err = 0;
1895 /* users of this function are doing:
1896 * cnt = bpf_prog_array_length();
1898 * bpf_prog_array_copy_to_user(..., cnt);
1899 * so below kcalloc doesn't need extra cnt > 0 check.
1901 ids = kcalloc(cnt, sizeof(u32), GFP_USER | __GFP_NOWARN);
1904 nospc = bpf_prog_array_copy_core(array, ids, cnt);
1905 err = copy_to_user(prog_ids, ids, cnt * sizeof(u32));
1914 void bpf_prog_array_delete_safe(struct bpf_prog_array *array,
1915 struct bpf_prog *old_prog)
1917 struct bpf_prog_array_item *item;
1919 for (item = array->items; item->prog; item++)
1920 if (item->prog == old_prog) {
1921 WRITE_ONCE(item->prog, &dummy_bpf_prog.prog);
1926 int bpf_prog_array_copy(struct bpf_prog_array *old_array,
1927 struct bpf_prog *exclude_prog,
1928 struct bpf_prog *include_prog,
1929 struct bpf_prog_array **new_array)
1931 int new_prog_cnt, carry_prog_cnt = 0;
1932 struct bpf_prog_array_item *existing;
1933 struct bpf_prog_array *array;
1934 bool found_exclude = false;
1935 int new_prog_idx = 0;
1937 /* Figure out how many existing progs we need to carry over to
1941 existing = old_array->items;
1942 for (; existing->prog; existing++) {
1943 if (existing->prog == exclude_prog) {
1944 found_exclude = true;
1947 if (existing->prog != &dummy_bpf_prog.prog)
1949 if (existing->prog == include_prog)
1954 if (exclude_prog && !found_exclude)
1957 /* How many progs (not NULL) will be in the new array? */
1958 new_prog_cnt = carry_prog_cnt;
1962 /* Do we have any prog (not NULL) in the new array? */
1963 if (!new_prog_cnt) {
1968 /* +1 as the end of prog_array is marked with NULL */
1969 array = bpf_prog_array_alloc(new_prog_cnt + 1, GFP_KERNEL);
1973 /* Fill in the new prog array */
1974 if (carry_prog_cnt) {
1975 existing = old_array->items;
1976 for (; existing->prog; existing++)
1977 if (existing->prog != exclude_prog &&
1978 existing->prog != &dummy_bpf_prog.prog) {
1979 array->items[new_prog_idx++].prog =
1984 array->items[new_prog_idx++].prog = include_prog;
1985 array->items[new_prog_idx].prog = NULL;
1990 int bpf_prog_array_copy_info(struct bpf_prog_array *array,
1991 u32 *prog_ids, u32 request_cnt,
1997 cnt = bpf_prog_array_length(array);
2001 /* return early if user requested only program count or nothing to copy */
2002 if (!request_cnt || !cnt)
2005 /* this function is called under trace/bpf_trace.c: bpf_event_mutex */
2006 return bpf_prog_array_copy_core(array, prog_ids, request_cnt) ? -ENOSPC
2010 static void bpf_prog_free_deferred(struct work_struct *work)
2012 struct bpf_prog_aux *aux;
2015 aux = container_of(work, struct bpf_prog_aux, work);
2016 if (bpf_prog_is_dev_bound(aux))
2017 bpf_prog_offload_destroy(aux->prog);
2018 #ifdef CONFIG_PERF_EVENTS
2019 if (aux->prog->has_callchain_buf)
2020 put_callchain_buffers();
2022 for (i = 0; i < aux->func_cnt; i++)
2023 bpf_jit_free(aux->func[i]);
2024 if (aux->func_cnt) {
2026 bpf_prog_unlock_free(aux->prog);
2028 bpf_jit_free(aux->prog);
2032 /* Free internal BPF program */
2033 void bpf_prog_free(struct bpf_prog *fp)
2035 struct bpf_prog_aux *aux = fp->aux;
2037 INIT_WORK(&aux->work, bpf_prog_free_deferred);
2038 schedule_work(&aux->work);
2040 EXPORT_SYMBOL_GPL(bpf_prog_free);
2042 /* RNG for unpriviledged user space with separated state from prandom_u32(). */
2043 static DEFINE_PER_CPU(struct rnd_state, bpf_user_rnd_state);
2045 void bpf_user_rnd_init_once(void)
2047 prandom_init_once(&bpf_user_rnd_state);
2050 BPF_CALL_0(bpf_user_rnd_u32)
2052 /* Should someone ever have the rather unwise idea to use some
2053 * of the registers passed into this function, then note that
2054 * this function is called from native eBPF and classic-to-eBPF
2055 * transformations. Register assignments from both sides are
2056 * different, f.e. classic always sets fn(ctx, A, X) here.
2058 struct rnd_state *state;
2061 state = &get_cpu_var(bpf_user_rnd_state);
2062 res = prandom_u32_state(state);
2063 put_cpu_var(bpf_user_rnd_state);
2068 /* Weak definitions of helper functions in case we don't have bpf syscall. */
2069 const struct bpf_func_proto bpf_map_lookup_elem_proto __weak;
2070 const struct bpf_func_proto bpf_map_update_elem_proto __weak;
2071 const struct bpf_func_proto bpf_map_delete_elem_proto __weak;
2072 const struct bpf_func_proto bpf_map_push_elem_proto __weak;
2073 const struct bpf_func_proto bpf_map_pop_elem_proto __weak;
2074 const struct bpf_func_proto bpf_map_peek_elem_proto __weak;
2075 const struct bpf_func_proto bpf_spin_lock_proto __weak;
2076 const struct bpf_func_proto bpf_spin_unlock_proto __weak;
2078 const struct bpf_func_proto bpf_get_prandom_u32_proto __weak;
2079 const struct bpf_func_proto bpf_get_smp_processor_id_proto __weak;
2080 const struct bpf_func_proto bpf_get_numa_node_id_proto __weak;
2081 const struct bpf_func_proto bpf_ktime_get_ns_proto __weak;
2083 const struct bpf_func_proto bpf_get_current_pid_tgid_proto __weak;
2084 const struct bpf_func_proto bpf_get_current_uid_gid_proto __weak;
2085 const struct bpf_func_proto bpf_get_current_comm_proto __weak;
2086 const struct bpf_func_proto bpf_get_current_cgroup_id_proto __weak;
2087 const struct bpf_func_proto bpf_get_local_storage_proto __weak;
2089 const struct bpf_func_proto * __weak bpf_get_trace_printk_proto(void)
2095 bpf_event_output(struct bpf_map *map, u64 flags, void *meta, u64 meta_size,
2096 void *ctx, u64 ctx_size, bpf_ctx_copy_t ctx_copy)
2100 EXPORT_SYMBOL_GPL(bpf_event_output);
2102 /* Always built-in helper functions. */
2103 const struct bpf_func_proto bpf_tail_call_proto = {
2106 .ret_type = RET_VOID,
2107 .arg1_type = ARG_PTR_TO_CTX,
2108 .arg2_type = ARG_CONST_MAP_PTR,
2109 .arg3_type = ARG_ANYTHING,
2112 /* Stub for JITs that only support cBPF. eBPF programs are interpreted.
2113 * It is encouraged to implement bpf_int_jit_compile() instead, so that
2114 * eBPF and implicitly also cBPF can get JITed!
2116 struct bpf_prog * __weak bpf_int_jit_compile(struct bpf_prog *prog)
2121 /* Stub for JITs that support eBPF. All cBPF code gets transformed into
2122 * eBPF by the kernel and is later compiled by bpf_int_jit_compile().
2124 void __weak bpf_jit_compile(struct bpf_prog *prog)
2128 bool __weak bpf_helper_changes_pkt_data(void *func)
2133 /* Return TRUE if the JIT backend wants verifier to enable sub-register usage
2134 * analysis code and wants explicit zero extension inserted by verifier.
2135 * Otherwise, return FALSE.
2137 bool __weak bpf_jit_needs_zext(void)
2142 /* To execute LD_ABS/LD_IND instructions __bpf_prog_run() may call
2143 * skb_copy_bits(), so provide a weak definition of it for NET-less config.
2145 int __weak skb_copy_bits(const struct sk_buff *skb, int offset, void *to,
2151 DEFINE_STATIC_KEY_FALSE(bpf_stats_enabled_key);
2152 EXPORT_SYMBOL(bpf_stats_enabled_key);
2154 /* All definitions of tracepoints related to BPF. */
2155 #define CREATE_TRACE_POINTS
2156 #include <linux/bpf_trace.h>
2158 EXPORT_TRACEPOINT_SYMBOL_GPL(xdp_exception);
2159 EXPORT_TRACEPOINT_SYMBOL_GPL(xdp_bulk_tx);
projects / releases.git / blob