projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
net: filter: simplify label names from jump-table
[deliverable/linux.git] / net / core / filter.c
CommitLineData
1da177e4
LT		 1/*
2 * Linux Socket Filter - Kernel level socket filtering
3 *
bd4cf0ed
AS		 4 * Based on the design of the Berkeley Packet Filter. The new
5 * internal format has been designed by PLUMgrid:
1da177e4 6 *
bd4cf0ed
AS		 7 * Copyright (c) 2011 - 2014 PLUMgrid, http://plumgrid.com
8 *
9 * Authors:
10 *
11 * Jay Schulist <jschlst@samba.org>
12 * Alexei Starovoitov <ast@plumgrid.com>
13 * Daniel Borkmann <dborkman@redhat.com>
1da177e4
LT		 14 *
15 * This program is free software; you can redistribute it and/or
16 * modify it under the terms of the GNU General Public License
17 * as published by the Free Software Foundation; either version
18 * 2 of the License, or (at your option) any later version.
19 *
20 * Andi Kleen - Fix a few bad bugs and races.
93699863 21 * Kris Katterjohn - Added many additional checks in sk_chk_filter()
1da177e4
LT		 22 */
23
24#include <linux/module.h>
25#include <linux/types.h>
1da177e4
LT		 26#include <linux/mm.h>
27#include <linux/fcntl.h>
28#include <linux/socket.h>
29#include <linux/in.h>
30#include <linux/inet.h>
31#include <linux/netdevice.h>
32#include <linux/if_packet.h>
5a0e3ad6 33#include <linux/gfp.h>
1da177e4
LT		 34#include <net/ip.h>
35#include <net/protocol.h>
4738c1db 36#include <net/netlink.h>
1da177e4
LT		 37#include <linux/skbuff.h>
38#include <net/sock.h>
39#include <linux/errno.h>
40#include <linux/timer.h>
1da177e4 41#include <asm/uaccess.h>
40daafc8 42#include <asm/unaligned.h>
1da177e4 43#include <linux/filter.h>
86e4ca66 44#include <linux/ratelimit.h>
46b325c7 45#include <linux/seccomp.h>
f3335031 46#include <linux/if_vlan.h>
1da177e4 47
f03fb3f4
JS		 48/* No hurry in this branch
49 *
50 * Exported for the bpf jit load helper.
51 */
52void *bpf_internal_load_pointer_neg_helper(const struct sk_buff *skb, int k, unsigned int size)
1da177e4
LT		 53{
54 u8 *ptr = NULL;
55
56 if (k >= SKF_NET_OFF)
d56f90a7 57 ptr = skb_network_header(skb) + k - SKF_NET_OFF;
1da177e4 58 else if (k >= SKF_LL_OFF)
98e399f8 59 ptr = skb_mac_header(skb) + k - SKF_LL_OFF;
1da177e4 60
4bc65dd8 61 if (ptr >= skb->head && ptr + size <= skb_tail_pointer(skb))
1da177e4
LT		 62 return ptr;
63 return NULL;
64}
65
62ab0812 66static inline void *load_pointer(const struct sk_buff *skb, int k,
4ec93edb 67 unsigned int size, void *buffer)
0b05b2a4
PM		 68{
69 if (k >= 0)
70 return skb_header_pointer(skb, k, size, buffer);
f03fb3f4 71 return bpf_internal_load_pointer_neg_helper(skb, k, size);
0b05b2a4
PM		 72}
73
43db6d65
SH		 74/**
75 * sk_filter - run a packet through a socket filter
76 * @sk: sock associated with &sk_buff
77 * @skb: buffer to filter
43db6d65
SH		 78 *
79 * Run the filter code and then cut skb->data to correct size returned by
80 * sk_run_filter. If pkt_len is 0 we toss packet. If skb->len is smaller
81 * than pkt_len we keep whole skb->data. This is the socket level
82 * wrapper to sk_run_filter. It returns 0 if the packet should
83 * be accepted or -EPERM if the packet should be tossed.
84 *
85 */
86int sk_filter(struct sock *sk, struct sk_buff *skb)
87{
88 int err;
89 struct sk_filter *filter;
90
c93bdd0e
MG		 91 /*
92 * If the skb was allocated from pfmemalloc reserves, only
93 * allow SOCK_MEMALLOC sockets to use it as this socket is
94 * helping free memory
95 */
96 if (skb_pfmemalloc(skb) && !sock_flag(sk, SOCK_MEMALLOC))
97 return -ENOMEM;
98
43db6d65
SH		 99 err = security_sock_rcv_skb(sk, skb);
100 if (err)
101 return err;
102
80f8f102
ED		 103 rcu_read_lock();
104 filter = rcu_dereference(sk->sk_filter);
43db6d65 105 if (filter) {
0a14842f 106 unsigned int pkt_len = SK_RUN_FILTER(filter, skb);
0d7da9dd 107
43db6d65
SH		 108 err = pkt_len ? pskb_trim(skb, pkt_len) : -EPERM;
109 }
80f8f102 110 rcu_read_unlock();
43db6d65
SH		 111
112 return err;
113}
114EXPORT_SYMBOL(sk_filter);
115
bd4cf0ed
AS		 116/* Base function for offset calculation. Needs to go into .text section,
117 * therefore keeping it non-static as well; will also be used by JITs
118 * anyway later on, so do not let the compiler omit it.
119 */
120noinline u64 __bpf_call_base(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5)
121{
122 return 0;
123}
124
83d5b7ef
AS		 125/* Register mappings for user programs. */
126#define A_REG 0
127#define X_REG 7
128#define TMP_REG 8
129#define ARG2_REG 2
130#define ARG3_REG 3
131
1da177e4 132/**
bd4cf0ed
AS		 133 * __sk_run_filter - run a filter on a given context
134 * @ctx: buffer to run the filter on
01d32f6e 135 * @insn: filter to apply
1da177e4 136 *
bd4cf0ed 137 * Decode and apply filter instructions to the skb->data. Return length to
01d32f6e 138 * keep, 0 for none. @ctx is the data we are operating on, @insn is the
bd4cf0ed 139 * array of filter instructions.
1da177e4 140 */
bd4cf0ed 141unsigned int __sk_run_filter(void *ctx, const struct sock_filter_int *insn)
1da177e4 142{
bd4cf0ed
AS		 143 u64 stack[MAX_BPF_STACK / sizeof(u64)];
144 u64 regs[MAX_BPF_REG], tmp;
0b05b2a4 145 void *ptr;
bd4cf0ed
AS		 146 int off;
147
148#define K insn->imm
149#define A regs[insn->a_reg]
150#define X regs[insn->x_reg]
151#define R0 regs[0]
152
153#define CONT ({insn++; goto select_insn; })
154#define CONT_JMP ({insn++; goto select_insn; })
155
156 static const void *jumptable[256] = {
157 [0 ... 255] = &&default_label,
158 /* Now overwrite non-defaults ... */
5bcfedf0
DB		 159#define DL(A, B, C) [BPF_##A|BPF_##B|BPF_##C] = &&A##_##B##_##C
160 DL(ALU, ADD, X),
161 DL(ALU, ADD, K),
162 DL(ALU, SUB, X),
163 DL(ALU, SUB, K),
164 DL(ALU, AND, X),
165 DL(ALU, AND, K),
166 DL(ALU, OR, X),
167 DL(ALU, OR, K),
168 DL(ALU, LSH, X),
169 DL(ALU, LSH, K),
170 DL(ALU, RSH, X),
171 DL(ALU, RSH, K),
172 DL(ALU, XOR, X),
173 DL(ALU, XOR, K),
174 DL(ALU, MUL, X),
175 DL(ALU, MUL, K),
176 DL(ALU, MOV, X),
177 DL(ALU, MOV, K),
178 DL(ALU, DIV, X),
179 DL(ALU, DIV, K),
180 DL(ALU, MOD, X),
181 DL(ALU, MOD, K),
182 DL(ALU, NEG, 0),
183 DL(ALU, END, TO_BE),
184 DL(ALU, END, TO_LE),
185 DL(ALU64, ADD, X),
186 DL(ALU64, ADD, K),
187 DL(ALU64, SUB, X),
188 DL(ALU64, SUB, K),
189 DL(ALU64, AND, X),
190 DL(ALU64, AND, K),
191 DL(ALU64, OR, X),
192 DL(ALU64, OR, K),
193 DL(ALU64, LSH, X),
194 DL(ALU64, LSH, K),
195 DL(ALU64, RSH, X),
196 DL(ALU64, RSH, K),
197 DL(ALU64, XOR, X),
198 DL(ALU64, XOR, K),
199 DL(ALU64, MUL, X),
200 DL(ALU64, MUL, K),
201 DL(ALU64, MOV, X),
202 DL(ALU64, MOV, K),
203 DL(ALU64, ARSH, X),
204 DL(ALU64, ARSH, K),
205 DL(ALU64, DIV, X),
206 DL(ALU64, DIV, K),
207 DL(ALU64, MOD, X),
208 DL(ALU64, MOD, K),
209 DL(ALU64, NEG, 0),
210 DL(JMP, CALL, 0),
211 DL(JMP, JA, 0),
212 DL(JMP, JEQ, X),
213 DL(JMP, JEQ, K),
214 DL(JMP, JNE, X),
215 DL(JMP, JNE, K),
216 DL(JMP, JGT, X),
217 DL(JMP, JGT, K),
218 DL(JMP, JGE, X),
219 DL(JMP, JGE, K),
220 DL(JMP, JSGT, X),
221 DL(JMP, JSGT, K),
222 DL(JMP, JSGE, X),
223 DL(JMP, JSGE, K),
224 DL(JMP, JSET, X),
225 DL(JMP, JSET, K),
226 DL(JMP, EXIT, 0),
227 DL(STX, MEM, B),
228 DL(STX, MEM, H),
229 DL(STX, MEM, W),
230 DL(STX, MEM, DW),
231 DL(STX, XADD, W),
232 DL(STX, XADD, DW),
233 DL(ST, MEM, B),
234 DL(ST, MEM, H),
235 DL(ST, MEM, W),
236 DL(ST, MEM, DW),
237 DL(LDX, MEM, B),
238 DL(LDX, MEM, H),
239 DL(LDX, MEM, W),
240 DL(LDX, MEM, DW),
241 DL(LD, ABS, W),
242 DL(LD, ABS, H),
243 DL(LD, ABS, B),
244 DL(LD, IND, W),
245 DL(LD, IND, H),
246 DL(LD, IND, B),
bd4cf0ed
AS		 247#undef DL
248 };
1da177e4 249
bd4cf0ed
AS		 250 regs[FP_REG] = (u64) (unsigned long) &stack[ARRAY_SIZE(stack)];
251 regs[ARG1_REG] = (u64) (unsigned long) ctx;
83d5b7ef
AS		 252 regs[A_REG] = 0;
253 regs[X_REG] = 0;
bd4cf0ed
AS		 254
255select_insn:
256 goto *jumptable[insn->code];
257
258 /* ALU */
259#define ALU(OPCODE, OP) \
5bcfedf0 260 ALU64_##OPCODE##_X: \
bd4cf0ed
AS		 261 A = A OP X; \
262 CONT; \
5bcfedf0 263 ALU_##OPCODE##_X: \
bd4cf0ed
AS		 264 A = (u32) A OP (u32) X; \
265 CONT; \
5bcfedf0 266 ALU64_##OPCODE##_K: \
bd4cf0ed
AS		 267 A = A OP K; \
268 CONT; \
5bcfedf0 269 ALU_##OPCODE##_K: \
bd4cf0ed
AS		 270 A = (u32) A OP (u32) K; \
271 CONT;
272
5bcfedf0
DB		 273 ALU(ADD, +)
274 ALU(SUB, -)
275 ALU(AND, &)
276 ALU(OR, |)
277 ALU(LSH, <<)
278 ALU(RSH, >>)
279 ALU(XOR, ^)
280 ALU(MUL, *)
bd4cf0ed 281#undef ALU
5bcfedf0 282 ALU_NEG_0:
bd4cf0ed
AS		 283 A = (u32) -A;
284 CONT;
5bcfedf0 285 ALU64_NEG_0:
bd4cf0ed
AS		 286 A = -A;
287 CONT;
5bcfedf0 288 ALU_MOV_X:
bd4cf0ed
AS		 289 A = (u32) X;
290 CONT;
5bcfedf0 291 ALU_MOV_K:
bd4cf0ed
AS		 292 A = (u32) K;
293 CONT;
5bcfedf0 294 ALU64_MOV_X:
bd4cf0ed
AS		 295 A = X;
296 CONT;
5bcfedf0 297 ALU64_MOV_K:
bd4cf0ed
AS		 298 A = K;
299 CONT;
5bcfedf0 300 ALU64_ARSH_X:
bd4cf0ed
AS		 301 (*(s64 *) &A) >>= X;
302 CONT;
5bcfedf0 303 ALU64_ARSH_K:
bd4cf0ed
AS		 304 (*(s64 *) &A) >>= K;
305 CONT;
5bcfedf0 306 ALU64_MOD_X:
5f9fde5f
DB		 307 if (unlikely(X == 0))
308 return 0;
bd4cf0ed 309 tmp = A;
5f9fde5f 310 A = do_div(tmp, X);
bd4cf0ed 311 CONT;
5bcfedf0 312 ALU_MOD_X:
5f9fde5f
DB		 313 if (unlikely(X == 0))
314 return 0;
bd4cf0ed 315 tmp = (u32) A;
5f9fde5f 316 A = do_div(tmp, (u32) X);
bd4cf0ed 317 CONT;
5bcfedf0 318 ALU64_MOD_K:
bd4cf0ed 319 tmp = A;
5f9fde5f 320 A = do_div(tmp, K);
bd4cf0ed 321 CONT;
5bcfedf0 322 ALU_MOD_K:
bd4cf0ed 323 tmp = (u32) A;
5f9fde5f 324 A = do_div(tmp, (u32) K);
bd4cf0ed 325 CONT;
5bcfedf0 326 ALU64_DIV_X:
5f9fde5f
DB		 327 if (unlikely(X == 0))
328 return 0;
329 do_div(A, X);
bd4cf0ed 330 CONT;
5bcfedf0 331 ALU_DIV_X:
5f9fde5f
DB		 332 if (unlikely(X == 0))
333 return 0;
bd4cf0ed 334 tmp = (u32) A;
5f9fde5f 335 do_div(tmp, (u32) X);
bd4cf0ed
AS		 336 A = (u32) tmp;
337 CONT;
5bcfedf0 338 ALU64_DIV_K:
5f9fde5f 339 do_div(A, K);
bd4cf0ed 340 CONT;
5bcfedf0 341 ALU_DIV_K:
bd4cf0ed 342 tmp = (u32) A;
5f9fde5f 343 do_div(tmp, (u32) K);
bd4cf0ed
AS		 344 A = (u32) tmp;
345 CONT;
5bcfedf0 346 ALU_END_TO_BE:
bd4cf0ed
AS		 347 switch (K) {
348 case 16:
349 A = (__force u16) cpu_to_be16(A);
350 break;
351 case 32:
352 A = (__force u32) cpu_to_be32(A);
353 break;
354 case 64:
355 A = (__force u64) cpu_to_be64(A);
356 break;
357 }
358 CONT;
5bcfedf0 359 ALU_END_TO_LE:
bd4cf0ed
AS		 360 switch (K) {
361 case 16:
362 A = (__force u16) cpu_to_le16(A);
363 break;
364 case 32:
365 A = (__force u32) cpu_to_le32(A);
366 break;
367 case 64:
368 A = (__force u64) cpu_to_le64(A);
369 break;
370 }
371 CONT;
372
373 /* CALL */
5bcfedf0 374 JMP_CALL_0:
bd4cf0ed
AS		 375 /* Function call scratches R1-R5 registers, preserves R6-R9,
376 * and stores return value into R0.
377 */
378 R0 = (__bpf_call_base + insn->imm)(regs[1], regs[2], regs[3],
379 regs[4], regs[5]);
380 CONT;
381
382 /* JMP */
5bcfedf0 383 JMP_JA_0:
bd4cf0ed
AS		 384 insn += insn->off;
385 CONT;
5bcfedf0 386 JMP_JEQ_X:
bd4cf0ed
AS		 387 if (A == X) {
388 insn += insn->off;
389 CONT_JMP;
390 }
391 CONT;
5bcfedf0 392 JMP_JEQ_K:
bd4cf0ed
AS		 393 if (A == K) {
394 insn += insn->off;
395 CONT_JMP;
396 }
397 CONT;
5bcfedf0 398 JMP_JNE_X:
bd4cf0ed
AS		 399 if (A != X) {
400 insn += insn->off;
401 CONT_JMP;
402 }
403 CONT;
5bcfedf0 404 JMP_JNE_K:
bd4cf0ed
AS		 405 if (A != K) {
406 insn += insn->off;
407 CONT_JMP;
408 }
409 CONT;
5bcfedf0 410 JMP_JGT_X:
bd4cf0ed
AS		 411 if (A > X) {
412 insn += insn->off;
413 CONT_JMP;
414 }
415 CONT;
5bcfedf0 416 JMP_JGT_K:
bd4cf0ed
AS		 417 if (A > K) {
418 insn += insn->off;
419 CONT_JMP;
420 }
421 CONT;
5bcfedf0 422 JMP_JGE_X:
bd4cf0ed
AS		 423 if (A >= X) {
424 insn += insn->off;
425 CONT_JMP;
426 }
427 CONT;
5bcfedf0 428 JMP_JGE_K:
bd4cf0ed
AS		 429 if (A >= K) {
430 insn += insn->off;
431 CONT_JMP;
432 }
433 CONT;
5bcfedf0
DB		 434 JMP_JSGT_X:
435 if (((s64) A) > ((s64) X)) {
bd4cf0ed
AS		 436 insn += insn->off;
437 CONT_JMP;
438 }
439 CONT;
5bcfedf0
DB		 440 JMP_JSGT_K:
441 if (((s64) A) > ((s64) K)) {
bd4cf0ed
AS		 442 insn += insn->off;
443 CONT_JMP;
444 }
445 CONT;
5bcfedf0
DB		 446 JMP_JSGE_X:
447 if (((s64) A) >= ((s64) X)) {
bd4cf0ed
AS		 448 insn += insn->off;
449 CONT_JMP;
450 }
451 CONT;
5bcfedf0
DB		 452 JMP_JSGE_K:
453 if (((s64) A) >= ((s64) K)) {
bd4cf0ed
AS		 454 insn += insn->off;
455 CONT_JMP;
456 }
457 CONT;
5bcfedf0 458 JMP_JSET_X:
bd4cf0ed
AS		 459 if (A & X) {
460 insn += insn->off;
461 CONT_JMP;
462 }
463 CONT;
5bcfedf0 464 JMP_JSET_K:
bd4cf0ed
AS		 465 if (A & K) {
466 insn += insn->off;
467 CONT_JMP;
468 }
469 CONT;
5bcfedf0 470 JMP_EXIT_0:
bd4cf0ed
AS		 471 return R0;
472
473 /* STX and ST and LDX*/
474#define LDST(SIZEOP, SIZE) \
5bcfedf0 475 STX_MEM_##SIZEOP: \
bd4cf0ed
AS		 476 *(SIZE *)(unsigned long) (A + insn->off) = X; \
477 CONT; \
5bcfedf0 478 ST_MEM_##SIZEOP: \
bd4cf0ed
AS		 479 *(SIZE *)(unsigned long) (A + insn->off) = K; \
480 CONT; \
5bcfedf0 481 LDX_MEM_##SIZEOP: \
bd4cf0ed
AS		 482 A = *(SIZE *)(unsigned long) (X + insn->off); \
483 CONT;
484
5bcfedf0
DB		 485 LDST(B, u8)
486 LDST(H, u16)
487 LDST(W, u32)
488 LDST(DW, u64)
bd4cf0ed 489#undef LDST
5bcfedf0 490 STX_XADD_W: /* lock xadd *(u32 *)(A + insn->off) += X */
bd4cf0ed
AS		 491 atomic_add((u32) X, (atomic_t *)(unsigned long)
492 (A + insn->off));
493 CONT;
5bcfedf0 494 STX_XADD_DW: /* lock xadd *(u64 *)(A + insn->off) += X */
bd4cf0ed
AS		 495 atomic64_add((u64) X, (atomic64_t *)(unsigned long)
496 (A + insn->off));
497 CONT;
5bcfedf0 498 LD_ABS_W: /* R0 = ntohl(*(u32 *) (skb->data + K)) */
bd4cf0ed
AS		 499 off = K;
500load_word:
501 /* BPF_LD + BPD_ABS and BPF_LD + BPF_IND insns are only
502 * appearing in the programs where ctx == skb. All programs
503 * keep 'ctx' in regs[CTX_REG] == R6, sk_convert_filter()
504 * saves it in R6, internal BPF verifier will check that
505 * R6 == ctx.
506 *
507 * BPF_ABS and BPF_IND are wrappers of function calls, so
508 * they scratch R1-R5 registers, preserve R6-R9, and store
509 * return value into R0.
510 *
511 * Implicit input:
512 * ctx
513 *
514 * Explicit input:
515 * X == any register
516 * K == 32-bit immediate
517 *
518 * Output:
519 * R0 - 8/16/32-bit skb data converted to cpu endianness
520 */
521 ptr = load_pointer((struct sk_buff *) ctx, off, 4, &tmp);
522 if (likely(ptr != NULL)) {
523 R0 = get_unaligned_be32(ptr);
524 CONT;
525 }
526 return 0;
5bcfedf0 527 LD_ABS_H: /* R0 = ntohs(*(u16 *) (skb->data + K)) */
bd4cf0ed
AS		 528 off = K;
529load_half:
530 ptr = load_pointer((struct sk_buff *) ctx, off, 2, &tmp);
531 if (likely(ptr != NULL)) {
532 R0 = get_unaligned_be16(ptr);
533 CONT;
534 }
535 return 0;
5bcfedf0 536 LD_ABS_B: /* R0 = *(u8 *) (ctx + K) */
bd4cf0ed
AS		 537 off = K;
538load_byte:
539 ptr = load_pointer((struct sk_buff *) ctx, off, 1, &tmp);
540 if (likely(ptr != NULL)) {
541 R0 = *(u8 *)ptr;
542 CONT;
543 }
544 return 0;
5bcfedf0 545 LD_IND_W: /* R0 = ntohl(*(u32 *) (skb->data + X + K)) */
bd4cf0ed
AS		 546 off = K + X;
547 goto load_word;
5bcfedf0 548 LD_IND_H: /* R0 = ntohs(*(u16 *) (skb->data + X + K)) */
bd4cf0ed
AS		 549 off = K + X;
550 goto load_half;
5bcfedf0 551 LD_IND_B: /* R0 = *(u8 *) (skb->data + X + K) */
bd4cf0ed
AS		 552 off = K + X;
553 goto load_byte;
554
555 default_label:
556 /* If we ever reach this, we have a bug somewhere. */
557 WARN_RATELIMIT(1, "unknown opcode %02x\n", insn->code);
558 return 0;
559#undef CONT_JMP
560#undef CONT
561
562#undef R0
563#undef X
564#undef A
565#undef K
566}
567
568u32 sk_run_filter_int_seccomp(const struct seccomp_data *ctx,
569 const struct sock_filter_int *insni)
570 __attribute__ ((alias ("__sk_run_filter")));
571
572u32 sk_run_filter_int_skb(const struct sk_buff *ctx,
573 const struct sock_filter_int *insni)
574 __attribute__ ((alias ("__sk_run_filter")));
575EXPORT_SYMBOL_GPL(sk_run_filter_int_skb);
576
577/* Helper to find the offset of pkt_type in sk_buff structure. We want
578 * to make sure its still a 3bit field starting at a byte boundary;
579 * taken from arch/x86/net/bpf_jit_comp.c.
580 */
581#define PKT_TYPE_MAX 7
582static unsigned int pkt_type_offset(void)
583{
584 struct sk_buff skb_probe = { .pkt_type = ~0, };
585 u8 *ct = (u8 *) &skb_probe;
586 unsigned int off;
587
588 for (off = 0; off < sizeof(struct sk_buff); off++) {
589 if (ct[off] == PKT_TYPE_MAX)
590 return off;
591 }
592
593 pr_err_once("Please fix %s, as pkt_type couldn't be found!\n", __func__);
594 return -1;
595}
596
597static u64 __skb_get_pay_offset(u64 ctx, u64 A, u64 X, u64 r4, u64 r5)
598{
599 struct sk_buff *skb = (struct sk_buff *)(long) ctx;
600
601 return __skb_get_poff(skb);
602}
603
604static u64 __skb_get_nlattr(u64 ctx, u64 A, u64 X, u64 r4, u64 r5)
605{
606 struct sk_buff *skb = (struct sk_buff *)(long) ctx;
607 struct nlattr *nla;
608
609 if (skb_is_nonlinear(skb))
610 return 0;
611
05ab8f26
MK		 612 if (skb->len < sizeof(struct nlattr))
613 return 0;
614
bd4cf0ed
AS		 615 if (A > skb->len - sizeof(struct nlattr))
616 return 0;
617
618 nla = nla_find((struct nlattr *) &skb->data[A], skb->len - A, X);
619 if (nla)
620 return (void *) nla - (void *) skb->data;
621
622 return 0;
623}
624
625static u64 __skb_get_nlattr_nest(u64 ctx, u64 A, u64 X, u64 r4, u64 r5)
626{
627 struct sk_buff *skb = (struct sk_buff *)(long) ctx;
628 struct nlattr *nla;
629
630 if (skb_is_nonlinear(skb))
631 return 0;
632
05ab8f26
MK		 633 if (skb->len < sizeof(struct nlattr))
634 return 0;
635
bd4cf0ed
AS		 636 if (A > skb->len - sizeof(struct nlattr))
637 return 0;
638
639 nla = (struct nlattr *) &skb->data[A];
05ab8f26 640 if (nla->nla_len > skb->len - A)
bd4cf0ed
AS		 641 return 0;
642
643 nla = nla_find_nested(nla, X);
644 if (nla)
645 return (void *) nla - (void *) skb->data;
646
647 return 0;
648}
649
650static u64 __get_raw_cpu_id(u64 ctx, u64 A, u64 X, u64 r4, u64 r5)
651{
652 return raw_smp_processor_id();
653}
654
4cd3675e
CG		 655/* note that this only generates 32-bit random numbers */
656static u64 __get_random_u32(u64 ctx, u64 A, u64 X, u64 r4, u64 r5)
657{
658 return (u64)prandom_u32();
659}
660
bd4cf0ed
AS		 661static bool convert_bpf_extensions(struct sock_filter *fp,
662 struct sock_filter_int **insnp)
663{
664 struct sock_filter_int *insn = *insnp;
665
666 switch (fp->k) {
667 case SKF_AD_OFF + SKF_AD_PROTOCOL:
668 BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, protocol) != 2);
669
670 insn->code = BPF_LDX | BPF_MEM | BPF_H;
671 insn->a_reg = A_REG;
672 insn->x_reg = CTX_REG;
673 insn->off = offsetof(struct sk_buff, protocol);
674 insn++;
675
676 /* A = ntohs(A) [emitting a nop or swap16] */
677 insn->code = BPF_ALU | BPF_END | BPF_FROM_BE;
678 insn->a_reg = A_REG;
679 insn->imm = 16;
680 break;
681
682 case SKF_AD_OFF + SKF_AD_PKTTYPE:
683 insn->code = BPF_LDX | BPF_MEM | BPF_B;
684 insn->a_reg = A_REG;
685 insn->x_reg = CTX_REG;
686 insn->off = pkt_type_offset();
687 if (insn->off < 0)
688 return false;
689 insn++;
690
691 insn->code = BPF_ALU | BPF_AND | BPF_K;
692 insn->a_reg = A_REG;
693 insn->imm = PKT_TYPE_MAX;
694 break;
695
696 case SKF_AD_OFF + SKF_AD_IFINDEX:
697 case SKF_AD_OFF + SKF_AD_HATYPE:
698 if (FIELD_SIZEOF(struct sk_buff, dev) == 8)
699 insn->code = BPF_LDX | BPF_MEM | BPF_DW;
700 else
701 insn->code = BPF_LDX | BPF_MEM | BPF_W;
702 insn->a_reg = TMP_REG;
703 insn->x_reg = CTX_REG;
704 insn->off = offsetof(struct sk_buff, dev);
705 insn++;
706
707 insn->code = BPF_JMP | BPF_JNE | BPF_K;
708 insn->a_reg = TMP_REG;
709 insn->imm = 0;
710 insn->off = 1;
711 insn++;
712
713 insn->code = BPF_JMP | BPF_EXIT;
714 insn++;
715
716 BUILD_BUG_ON(FIELD_SIZEOF(struct net_device, ifindex) != 4);
717 BUILD_BUG_ON(FIELD_SIZEOF(struct net_device, type) != 2);
718
719 insn->a_reg = A_REG;
720 insn->x_reg = TMP_REG;
721
722 if (fp->k == SKF_AD_OFF + SKF_AD_IFINDEX) {
723 insn->code = BPF_LDX | BPF_MEM | BPF_W;
724 insn->off = offsetof(struct net_device, ifindex);
725 } else {
726 insn->code = BPF_LDX | BPF_MEM | BPF_H;
727 insn->off = offsetof(struct net_device, type);
728 }
729 break;
730
731 case SKF_AD_OFF + SKF_AD_MARK:
732 BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, mark) != 4);
733
734 insn->code = BPF_LDX | BPF_MEM | BPF_W;
735 insn->a_reg = A_REG;
736 insn->x_reg = CTX_REG;
737 insn->off = offsetof(struct sk_buff, mark);
738 break;
739
740 case SKF_AD_OFF + SKF_AD_RXHASH:
741 BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, hash) != 4);
742
743 insn->code = BPF_LDX | BPF_MEM | BPF_W;
744 insn->a_reg = A_REG;
745 insn->x_reg = CTX_REG;
746 insn->off = offsetof(struct sk_buff, hash);
747 break;
748
749 case SKF_AD_OFF + SKF_AD_QUEUE:
750 BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, queue_mapping) != 2);
751
752 insn->code = BPF_LDX | BPF_MEM | BPF_H;
753 insn->a_reg = A_REG;
754 insn->x_reg = CTX_REG;
755 insn->off = offsetof(struct sk_buff, queue_mapping);
756 break;
757
758 case SKF_AD_OFF + SKF_AD_VLAN_TAG:
759 case SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT:
760 BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, vlan_tci) != 2);
761
762 insn->code = BPF_LDX | BPF_MEM | BPF_H;
763 insn->a_reg = A_REG;
764 insn->x_reg = CTX_REG;
765 insn->off = offsetof(struct sk_buff, vlan_tci);
766 insn++;
767
768 BUILD_BUG_ON(VLAN_TAG_PRESENT != 0x1000);
769
770 if (fp->k == SKF_AD_OFF + SKF_AD_VLAN_TAG) {
771 insn->code = BPF_ALU | BPF_AND | BPF_K;
772 insn->a_reg = A_REG;
773 insn->imm = ~VLAN_TAG_PRESENT;
774 } else {
775 insn->code = BPF_ALU | BPF_RSH | BPF_K;
776 insn->a_reg = A_REG;
777 insn->imm = 12;
778 insn++;
779
780 insn->code = BPF_ALU | BPF_AND | BPF_K;
781 insn->a_reg = A_REG;
782 insn->imm = 1;
783 }
784 break;
785
786 case SKF_AD_OFF + SKF_AD_PAY_OFFSET:
787 case SKF_AD_OFF + SKF_AD_NLATTR:
788 case SKF_AD_OFF + SKF_AD_NLATTR_NEST:
789 case SKF_AD_OFF + SKF_AD_CPU:
4cd3675e 790 case SKF_AD_OFF + SKF_AD_RANDOM:
bd4cf0ed
AS		 791 /* arg1 = ctx */
792 insn->code = BPF_ALU64 | BPF_MOV | BPF_X;
793 insn->a_reg = ARG1_REG;
794 insn->x_reg = CTX_REG;
795 insn++;
796
797 /* arg2 = A */
798 insn->code = BPF_ALU64 | BPF_MOV | BPF_X;
799 insn->a_reg = ARG2_REG;
800 insn->x_reg = A_REG;
801 insn++;
802
803 /* arg3 = X */
804 insn->code = BPF_ALU64 | BPF_MOV | BPF_X;
805 insn->a_reg = ARG3_REG;
806 insn->x_reg = X_REG;
807 insn++;
808
809 /* Emit call(ctx, arg2=A, arg3=X) */
810 insn->code = BPF_JMP | BPF_CALL;
811 switch (fp->k) {
812 case SKF_AD_OFF + SKF_AD_PAY_OFFSET:
813 insn->imm = __skb_get_pay_offset - __bpf_call_base;
814 break;
815 case SKF_AD_OFF + SKF_AD_NLATTR:
816 insn->imm = __skb_get_nlattr - __bpf_call_base;
817 break;
818 case SKF_AD_OFF + SKF_AD_NLATTR_NEST:
819 insn->imm = __skb_get_nlattr_nest - __bpf_call_base;
820 break;
821 case SKF_AD_OFF + SKF_AD_CPU:
822 insn->imm = __get_raw_cpu_id - __bpf_call_base;
823 break;
4cd3675e
CG		 824 case SKF_AD_OFF + SKF_AD_RANDOM:
825 insn->imm = __get_random_u32 - __bpf_call_base;
826 break;
bd4cf0ed
AS		 827 }
828 break;
829
830 case SKF_AD_OFF + SKF_AD_ALU_XOR_X:
831 insn->code = BPF_ALU | BPF_XOR | BPF_X;
832 insn->a_reg = A_REG;
833 insn->x_reg = X_REG;
834 break;
835
836 default:
837 /* This is just a dummy call to avoid letting the compiler
838 * evict __bpf_call_base() as an optimization. Placed here
839 * where no-one bothers.
840 */
841 BUG_ON(__bpf_call_base(0, 0, 0, 0, 0) != 0);
842 return false;
843 }
844
845 *insnp = insn;
846 return true;
847}
848
849/**
850 * sk_convert_filter - convert filter program
851 * @prog: the user passed filter program
852 * @len: the length of the user passed filter program
853 * @new_prog: buffer where converted program will be stored
854 * @new_len: pointer to store length of converted program
855 *
856 * Remap 'sock_filter' style BPF instruction set to 'sock_filter_ext' style.
857 * Conversion workflow:
858 *
859 * 1) First pass for calculating the new program length:
860 * sk_convert_filter(old_prog, old_len, NULL, &new_len)
861 *
862 * 2) 2nd pass to remap in two passes: 1st pass finds new
863 * jump offsets, 2nd pass remapping:
864 * new_prog = kmalloc(sizeof(struct sock_filter_int) * new_len);
865 * sk_convert_filter(old_prog, old_len, new_prog, &new_len);
866 *
867 * User BPF's register A is mapped to our BPF register 6, user BPF
868 * register X is mapped to BPF register 7; frame pointer is always
869 * register 10; Context 'void *ctx' is stored in register 1, that is,
870 * for socket filters: ctx == 'struct sk_buff *', for seccomp:
871 * ctx == 'struct seccomp_data *'.
872 */
873int sk_convert_filter(struct sock_filter *prog, int len,
874 struct sock_filter_int *new_prog, int *new_len)
875{
876 int new_flen = 0, pass = 0, target, i;
877 struct sock_filter_int *new_insn;
878 struct sock_filter *fp;
879 int *addrs = NULL;
880 u8 bpf_src;
881
882 BUILD_BUG_ON(BPF_MEMWORDS * sizeof(u32) > MAX_BPF_STACK);
883 BUILD_BUG_ON(FP_REG + 1 != MAX_BPF_REG);
884
885 if (len <= 0 || len >= BPF_MAXINSNS)
886 return -EINVAL;
887
888 if (new_prog) {
889 addrs = kzalloc(len * sizeof(*addrs), GFP_KERNEL);
890 if (!addrs)
891 return -ENOMEM;
892 }
893
894do_pass:
895 new_insn = new_prog;
896 fp = prog;
897
898 if (new_insn) {
899 new_insn->code = BPF_ALU64 | BPF_MOV | BPF_X;
900 new_insn->a_reg = CTX_REG;
901 new_insn->x_reg = ARG1_REG;
902 }
903 new_insn++;
904
905 for (i = 0; i < len; fp++, i++) {
906 struct sock_filter_int tmp_insns[6] = { };
907 struct sock_filter_int *insn = tmp_insns;
908
909 if (addrs)
910 addrs[i] = new_insn - new_prog;
911
912 switch (fp->code) {
913 /* All arithmetic insns and skb loads map as-is. */
914 case BPF_ALU | BPF_ADD | BPF_X:
915 case BPF_ALU | BPF_ADD | BPF_K:
916 case BPF_ALU | BPF_SUB | BPF_X:
917 case BPF_ALU | BPF_SUB | BPF_K:
918 case BPF_ALU | BPF_AND | BPF_X:
919 case BPF_ALU | BPF_AND | BPF_K:
920 case BPF_ALU | BPF_OR | BPF_X:
921 case BPF_ALU | BPF_OR | BPF_K:
922 case BPF_ALU | BPF_LSH | BPF_X:
923 case BPF_ALU | BPF_LSH | BPF_K:
924 case BPF_ALU | BPF_RSH | BPF_X:
925 case BPF_ALU | BPF_RSH | BPF_K:
926 case BPF_ALU | BPF_XOR | BPF_X:
927 case BPF_ALU | BPF_XOR | BPF_K:
928 case BPF_ALU | BPF_MUL | BPF_X:
929 case BPF_ALU | BPF_MUL | BPF_K:
930 case BPF_ALU | BPF_DIV | BPF_X:
931 case BPF_ALU | BPF_DIV | BPF_K:
932 case BPF_ALU | BPF_MOD | BPF_X:
933 case BPF_ALU | BPF_MOD | BPF_K:
934 case BPF_ALU | BPF_NEG:
935 case BPF_LD | BPF_ABS | BPF_W:
936 case BPF_LD | BPF_ABS | BPF_H:
937 case BPF_LD | BPF_ABS | BPF_B:
938 case BPF_LD | BPF_IND | BPF_W:
939 case BPF_LD | BPF_IND | BPF_H:
940 case BPF_LD | BPF_IND | BPF_B:
941 /* Check for overloaded BPF extension and
942 * directly convert it if found, otherwise
943 * just move on with mapping.
944 */
945 if (BPF_CLASS(fp->code) == BPF_LD &&
946 BPF_MODE(fp->code) == BPF_ABS &&
947 convert_bpf_extensions(fp, &insn))
948 break;
949
950 insn->code = fp->code;
951 insn->a_reg = A_REG;
952 insn->x_reg = X_REG;
953 insn->imm = fp->k;
954 break;
955
956 /* Jump opcodes map as-is, but offsets need adjustment. */
957 case BPF_JMP | BPF_JA:
958 target = i + fp->k + 1;
959 insn->code = fp->code;
960#define EMIT_JMP \
961 do { \
962 if (target >= len || target < 0) \
963 goto err; \
964 insn->off = addrs ? addrs[target] - addrs[i] - 1 : 0; \
965 /* Adjust pc relative offset for 2nd or 3rd insn. */ \
966 insn->off -= insn - tmp_insns; \
967 } while (0)
968
969 EMIT_JMP;
970 break;
971
972 case BPF_JMP | BPF_JEQ | BPF_K:
973 case BPF_JMP | BPF_JEQ | BPF_X:
974 case BPF_JMP | BPF_JSET | BPF_K:
975 case BPF_JMP | BPF_JSET | BPF_X:
976 case BPF_JMP | BPF_JGT | BPF_K:
977 case BPF_JMP | BPF_JGT | BPF_X:
978 case BPF_JMP | BPF_JGE | BPF_K:
979 case BPF_JMP | BPF_JGE | BPF_X:
980 if (BPF_SRC(fp->code) == BPF_K && (int) fp->k < 0) {
981 /* BPF immediates are signed, zero extend
982 * immediate into tmp register and use it
983 * in compare insn.
984 */
985 insn->code = BPF_ALU | BPF_MOV | BPF_K;
986 insn->a_reg = TMP_REG;
987 insn->imm = fp->k;
988 insn++;
989
990 insn->a_reg = A_REG;
991 insn->x_reg = TMP_REG;
992 bpf_src = BPF_X;
993 } else {
994 insn->a_reg = A_REG;
995 insn->x_reg = X_REG;
996 insn->imm = fp->k;
997 bpf_src = BPF_SRC(fp->code);
1da177e4 998 }
bd4cf0ed
AS		 999
1000 /* Common case where 'jump_false' is next insn. */
1001 if (fp->jf == 0) {
1002 insn->code = BPF_JMP | BPF_OP(fp->code) | bpf_src;
1003 target = i + fp->jt + 1;
1004 EMIT_JMP;
1005 break;
1da177e4 1006 }
bd4cf0ed
AS		 1007
1008 /* Convert JEQ into JNE when 'jump_true' is next insn. */
1009 if (fp->jt == 0 && BPF_OP(fp->code) == BPF_JEQ) {
1010 insn->code = BPF_JMP | BPF_JNE | bpf_src;
1011 target = i + fp->jf + 1;
1012 EMIT_JMP;
1013 break;
0b05b2a4 1014 }
bd4cf0ed
AS		 1015
1016 /* Other jumps are mapped into two insns: Jxx and JA. */
1017 target = i + fp->jt + 1;
1018 insn->code = BPF_JMP | BPF_OP(fp->code) | bpf_src;
1019 EMIT_JMP;
1020 insn++;
1021
1022 insn->code = BPF_JMP | BPF_JA;
1023 target = i + fp->jf + 1;
1024 EMIT_JMP;
1025 break;
1026
1027 /* ldxb 4 * ([14] & 0xf) is remaped into 6 insns. */
1028 case BPF_LDX | BPF_MSH | BPF_B:
1029 insn->code = BPF_ALU64 | BPF_MOV | BPF_X;
1030 insn->a_reg = TMP_REG;
1031 insn->x_reg = A_REG;
1032 insn++;
1033
1034 insn->code = BPF_LD | BPF_ABS | BPF_B;
1035 insn->a_reg = A_REG;
1036 insn->imm = fp->k;
1037 insn++;
1038
1039 insn->code = BPF_ALU | BPF_AND | BPF_K;
1040 insn->a_reg = A_REG;
1041 insn->imm = 0xf;
1042 insn++;
1043
1044 insn->code = BPF_ALU | BPF_LSH | BPF_K;
1045 insn->a_reg = A_REG;
1046 insn->imm = 2;
1047 insn++;
1048
1049 insn->code = BPF_ALU64 | BPF_MOV | BPF_X;
1050 insn->a_reg = X_REG;
1051 insn->x_reg = A_REG;
1052 insn++;
1053
1054 insn->code = BPF_ALU64 | BPF_MOV | BPF_X;
1055 insn->a_reg = A_REG;
1056 insn->x_reg = TMP_REG;
1057 break;
1058
1059 /* RET_K, RET_A are remaped into 2 insns. */
1060 case BPF_RET | BPF_A:
1061 case BPF_RET | BPF_K:
1062 insn->code = BPF_ALU | BPF_MOV |
1063 (BPF_RVAL(fp->code) == BPF_K ?
1064 BPF_K : BPF_X);
1065 insn->a_reg = 0;
1066 insn->x_reg = A_REG;
1067 insn->imm = fp->k;
1068 insn++;
1069
1070 insn->code = BPF_JMP | BPF_EXIT;
1071 break;
1072
1073 /* Store to stack. */
1074 case BPF_ST:
1075 case BPF_STX:
1076 insn->code = BPF_STX | BPF_MEM | BPF_W;
1077 insn->a_reg = FP_REG;
1078 insn->x_reg = fp->code == BPF_ST ? A_REG : X_REG;
1079 insn->off = -(BPF_MEMWORDS - fp->k) * 4;
1080 break;
1081
1082 /* Load from stack. */
1083 case BPF_LD | BPF_MEM:
1084 case BPF_LDX | BPF_MEM:
1085 insn->code = BPF_LDX | BPF_MEM | BPF_W;
1086 insn->a_reg = BPF_CLASS(fp->code) == BPF_LD ?
1087 A_REG : X_REG;
1088 insn->x_reg = FP_REG;
1089 insn->off = -(BPF_MEMWORDS - fp->k) * 4;
1090 break;
1091
1092 /* A = K or X = K */
1093 case BPF_LD | BPF_IMM:
1094 case BPF_LDX | BPF_IMM:
1095 insn->code = BPF_ALU | BPF_MOV | BPF_K;
1096 insn->a_reg = BPF_CLASS(fp->code) == BPF_LD ?
1097 A_REG : X_REG;
1098 insn->imm = fp->k;
1099 break;
1100
1101 /* X = A */
1102 case BPF_MISC | BPF_TAX:
1103 insn->code = BPF_ALU64 | BPF_MOV | BPF_X;
1104 insn->a_reg = X_REG;
1105 insn->x_reg = A_REG;
1106 break;
1107
1108 /* A = X */
1109 case BPF_MISC | BPF_TXA:
1110 insn->code = BPF_ALU64 | BPF_MOV | BPF_X;
1111 insn->a_reg = A_REG;
1112 insn->x_reg = X_REG;
1113 break;
1114
1115 /* A = skb->len or X = skb->len */
1116 case BPF_LD | BPF_W | BPF_LEN:
1117 case BPF_LDX | BPF_W | BPF_LEN:
1118 insn->code = BPF_LDX | BPF_MEM | BPF_W;
1119 insn->a_reg = BPF_CLASS(fp->code) == BPF_LD ?
1120 A_REG : X_REG;
1121 insn->x_reg = CTX_REG;
1122 insn->off = offsetof(struct sk_buff, len);
1123 break;
1124
1125 /* access seccomp_data fields */
1126 case BPF_LDX | BPF_ABS | BPF_W:
1127 insn->code = BPF_LDX | BPF_MEM | BPF_W;
1128 insn->a_reg = A_REG;
1129 insn->x_reg = CTX_REG;
1130 insn->off = fp->k;
1131 break;
1132
1da177e4 1133 default:
bd4cf0ed 1134 goto err;
1da177e4 1135 }
bd4cf0ed
AS		 1136
1137 insn++;
1138 if (new_prog)
1139 memcpy(new_insn, tmp_insns,
1140 sizeof(*insn) * (insn - tmp_insns));
1141
1142 new_insn += insn - tmp_insns;
1da177e4
LT		 1143 }
1144
bd4cf0ed
AS		 1145 if (!new_prog) {
1146 /* Only calculating new length. */
1147 *new_len = new_insn - new_prog;
1148 return 0;
1149 }
1150
1151 pass++;
1152 if (new_flen != new_insn - new_prog) {
1153 new_flen = new_insn - new_prog;
1154 if (pass > 2)
1155 goto err;
1156
1157 goto do_pass;
1158 }
1159
1160 kfree(addrs);
1161 BUG_ON(*new_len != new_flen);
1da177e4 1162 return 0;
bd4cf0ed
AS		 1163err:
1164 kfree(addrs);
1165 return -EINVAL;
1da177e4
LT		 1166}
1167
bd4cf0ed
AS		 1168/* Security:
1169 *
2d5311e4 1170 * A BPF program is able to use 16 cells of memory to store intermediate
bd4cf0ed
AS		 1171 * values (check u32 mem[BPF_MEMWORDS] in sk_run_filter()).
1172 *
2d5311e4
ED		 1173 * As we dont want to clear mem[] array for each packet going through
1174 * sk_run_filter(), we check that filter loaded by user never try to read
1175 * a cell if not previously written, and we check all branches to be sure
25985edc 1176 * a malicious user doesn't try to abuse us.
2d5311e4
ED		 1177 */
1178static int check_load_and_stores(struct sock_filter *filter, int flen)
1179{
1180 u16 *masks, memvalid = 0; /* one bit per cell, 16 cells */
1181 int pc, ret = 0;
1182
1183 BUILD_BUG_ON(BPF_MEMWORDS > 16);
1184 masks = kmalloc(flen * sizeof(*masks), GFP_KERNEL);
1185 if (!masks)
1186 return -ENOMEM;
1187 memset(masks, 0xff, flen * sizeof(*masks));
1188
1189 for (pc = 0; pc < flen; pc++) {
1190 memvalid &= masks[pc];
1191
1192 switch (filter[pc].code) {
1193 case BPF_S_ST:
1194 case BPF_S_STX:
1195 memvalid |= (1 << filter[pc].k);
1196 break;
1197 case BPF_S_LD_MEM:
1198 case BPF_S_LDX_MEM:
1199 if (!(memvalid & (1 << filter[pc].k))) {
1200 ret = -EINVAL;
1201 goto error;
1202 }
1203 break;
1204 case BPF_S_JMP_JA:
1205 /* a jump must set masks on target */
1206 masks[pc + 1 + filter[pc].k] &= memvalid;
1207 memvalid = ~0;
1208 break;
1209 case BPF_S_JMP_JEQ_K:
1210 case BPF_S_JMP_JEQ_X:
1211 case BPF_S_JMP_JGE_K:
1212 case BPF_S_JMP_JGE_X:
1213 case BPF_S_JMP_JGT_K:
1214 case BPF_S_JMP_JGT_X:
1215 case BPF_S_JMP_JSET_X:
1216 case BPF_S_JMP_JSET_K:
1217 /* a jump must set masks on targets */
1218 masks[pc + 1 + filter[pc].jt] &= memvalid;
1219 masks[pc + 1 + filter[pc].jf] &= memvalid;
1220 memvalid = ~0;
1221 break;
1222 }
1223 }
1224error:
1225 kfree(masks);
1226 return ret;
1227}
1228
1da177e4
LT		 1229/**
1230 * sk_chk_filter - verify socket filter code
1231 * @filter: filter to verify
1232 * @flen: length of filter
1233 *
1234 * Check the user's filter code. If we let some ugly
1235 * filter code slip through kaboom! The filter must contain
93699863
KK		 1236 * no references or jumps that are out of range, no illegal
1237 * instructions, and must end with a RET instruction.
1da177e4 1238 *
7b11f69f
KK		 1239 * All jumps are forward as they are not signed.
1240 *
1241 * Returns 0 if the rule set is legal or -EINVAL if not.
1da177e4 1242 */
4f25af27 1243int sk_chk_filter(struct sock_filter *filter, unsigned int flen)
1da177e4 1244{
cba328fc
TH		 1245 /*
1246 * Valid instructions are initialized to non-0.
1247 * Invalid instructions are initialized to 0.
1248 */
1249 static const u8 codes[] = {
8c1592d6
ED		 1250 [BPF_ALU|BPF_ADD|BPF_K] = BPF_S_ALU_ADD_K,
1251 [BPF_ALU|BPF_ADD|BPF_X] = BPF_S_ALU_ADD_X,
1252 [BPF_ALU|BPF_SUB|BPF_K] = BPF_S_ALU_SUB_K,
1253 [BPF_ALU|BPF_SUB|BPF_X] = BPF_S_ALU_SUB_X,
1254 [BPF_ALU|BPF_MUL|BPF_K] = BPF_S_ALU_MUL_K,
1255 [BPF_ALU|BPF_MUL|BPF_X] = BPF_S_ALU_MUL_X,
1256 [BPF_ALU|BPF_DIV|BPF_X] = BPF_S_ALU_DIV_X,
b6069a95
ED		 1257 [BPF_ALU|BPF_MOD|BPF_K] = BPF_S_ALU_MOD_K,
1258 [BPF_ALU|BPF_MOD|BPF_X] = BPF_S_ALU_MOD_X,
8c1592d6
ED		 1259 [BPF_ALU|BPF_AND|BPF_K] = BPF_S_ALU_AND_K,
1260 [BPF_ALU|BPF_AND|BPF_X] = BPF_S_ALU_AND_X,
1261 [BPF_ALU|BPF_OR|BPF_K] = BPF_S_ALU_OR_K,
1262 [BPF_ALU|BPF_OR|BPF_X] = BPF_S_ALU_OR_X,
9e49e889
DB		 1263 [BPF_ALU|BPF_XOR|BPF_K] = BPF_S_ALU_XOR_K,
1264 [BPF_ALU|BPF_XOR|BPF_X] = BPF_S_ALU_XOR_X,
8c1592d6
ED		 1265 [BPF_ALU|BPF_LSH|BPF_K] = BPF_S_ALU_LSH_K,
1266 [BPF_ALU|BPF_LSH|BPF_X] = BPF_S_ALU_LSH_X,
1267 [BPF_ALU|BPF_RSH|BPF_K] = BPF_S_ALU_RSH_K,
1268 [BPF_ALU|BPF_RSH|BPF_X] = BPF_S_ALU_RSH_X,
1269 [BPF_ALU|BPF_NEG] = BPF_S_ALU_NEG,
1270 [BPF_LD|BPF_W|BPF_ABS] = BPF_S_LD_W_ABS,
1271 [BPF_LD|BPF_H|BPF_ABS] = BPF_S_LD_H_ABS,
1272 [BPF_LD|BPF_B|BPF_ABS] = BPF_S_LD_B_ABS,
1273 [BPF_LD|BPF_W|BPF_LEN] = BPF_S_LD_W_LEN,
1274 [BPF_LD|BPF_W|BPF_IND] = BPF_S_LD_W_IND,
1275 [BPF_LD|BPF_H|BPF_IND] = BPF_S_LD_H_IND,
1276 [BPF_LD|BPF_B|BPF_IND] = BPF_S_LD_B_IND,
1277 [BPF_LD|BPF_IMM] = BPF_S_LD_IMM,
1278 [BPF_LDX|BPF_W|BPF_LEN] = BPF_S_LDX_W_LEN,
1279 [BPF_LDX|BPF_B|BPF_MSH] = BPF_S_LDX_B_MSH,
1280 [BPF_LDX|BPF_IMM] = BPF_S_LDX_IMM,
1281 [BPF_MISC|BPF_TAX] = BPF_S_MISC_TAX,
1282 [BPF_MISC|BPF_TXA] = BPF_S_MISC_TXA,
1283 [BPF_RET|BPF_K] = BPF_S_RET_K,
1284 [BPF_RET|BPF_A] = BPF_S_RET_A,
1285 [BPF_ALU|BPF_DIV|BPF_K] = BPF_S_ALU_DIV_K,
1286 [BPF_LD|BPF_MEM] = BPF_S_LD_MEM,
1287 [BPF_LDX|BPF_MEM] = BPF_S_LDX_MEM,
1288 [BPF_ST] = BPF_S_ST,
1289 [BPF_STX] = BPF_S_STX,
1290 [BPF_JMP|BPF_JA] = BPF_S_JMP_JA,
1291 [BPF_JMP|BPF_JEQ|BPF_K] = BPF_S_JMP_JEQ_K,
1292 [BPF_JMP|BPF_JEQ|BPF_X] = BPF_S_JMP_JEQ_X,
1293 [BPF_JMP|BPF_JGE|BPF_K] = BPF_S_JMP_JGE_K,
1294 [BPF_JMP|BPF_JGE|BPF_X] = BPF_S_JMP_JGE_X,
1295 [BPF_JMP|BPF_JGT|BPF_K] = BPF_S_JMP_JGT_K,
1296 [BPF_JMP|BPF_JGT|BPF_X] = BPF_S_JMP_JGT_X,
1297 [BPF_JMP|BPF_JSET|BPF_K] = BPF_S_JMP_JSET_K,
1298 [BPF_JMP|BPF_JSET|BPF_X] = BPF_S_JMP_JSET_X,
cba328fc 1299 };
1da177e4 1300 int pc;
aa1113d9 1301 bool anc_found;
1da177e4 1302
1b93ae64 1303 if (flen == 0 || flen > BPF_MAXINSNS)
1da177e4
LT		 1304 return -EINVAL;
1305
1306 /* check the filter code now */
1307 for (pc = 0; pc < flen; pc++) {
cba328fc
TH		 1308 struct sock_filter *ftest = &filter[pc];
1309 u16 code = ftest->code;
93699863 1310
cba328fc
TH		 1311 if (code >= ARRAY_SIZE(codes))
1312 return -EINVAL;
1313 code = codes[code];
8c1592d6 1314 if (!code)
cba328fc 1315 return -EINVAL;
93699863 1316 /* Some instructions need special checks */
cba328fc
TH		 1317 switch (code) {
1318 case BPF_S_ALU_DIV_K:
b6069a95
ED		 1319 case BPF_S_ALU_MOD_K:
1320 /* check for division by zero */
1321 if (ftest->k == 0)
1322 return -EINVAL;
1323 break;
cba328fc
TH		 1324 case BPF_S_LD_MEM:
1325 case BPF_S_LDX_MEM:
1326 case BPF_S_ST:
1327 case BPF_S_STX:
1328 /* check for invalid memory addresses */
93699863
KK		 1329 if (ftest->k >= BPF_MEMWORDS)
1330 return -EINVAL;
1331 break;
cba328fc 1332 case BPF_S_JMP_JA:
93699863
KK		 1333 /*
1334 * Note, the large ftest->k might cause loops.
1335 * Compare this with conditional jumps below,
1336 * where offsets are limited. --ANK (981016)
1337 */
95c96174 1338 if (ftest->k >= (unsigned int)(flen-pc-1))
93699863 1339 return -EINVAL;
01f2f3f6 1340 break;
01f2f3f6
HPP		 1341 case BPF_S_JMP_JEQ_K:
1342 case BPF_S_JMP_JEQ_X:
1343 case BPF_S_JMP_JGE_K:
1344 case BPF_S_JMP_JGE_X:
1345 case BPF_S_JMP_JGT_K:
1346 case BPF_S_JMP_JGT_X:
1347 case BPF_S_JMP_JSET_X:
1348 case BPF_S_JMP_JSET_K:
cba328fc 1349 /* for conditionals both must be safe */
e35bedf3 1350 if (pc + ftest->jt + 1 >= flen ||
93699863
KK		 1351 pc + ftest->jf + 1 >= flen)
1352 return -EINVAL;
cba328fc 1353 break;
12b16dad
ED		 1354 case BPF_S_LD_W_ABS:
1355 case BPF_S_LD_H_ABS:
1356 case BPF_S_LD_B_ABS:
aa1113d9 1357 anc_found = false;
12b16dad
ED		 1358#define ANCILLARY(CODE) case SKF_AD_OFF + SKF_AD_##CODE: \
1359 code = BPF_S_ANC_##CODE; \
aa1113d9 1360 anc_found = true; \
12b16dad
ED		 1361 break
1362 switch (ftest->k) {
1363 ANCILLARY(PROTOCOL);
1364 ANCILLARY(PKTTYPE);
1365 ANCILLARY(IFINDEX);
1366 ANCILLARY(NLATTR);
1367 ANCILLARY(NLATTR_NEST);
1368 ANCILLARY(MARK);
1369 ANCILLARY(QUEUE);
1370 ANCILLARY(HATYPE);
1371 ANCILLARY(RXHASH);
1372 ANCILLARY(CPU);
ffe06c17 1373 ANCILLARY(ALU_XOR_X);
f3335031
ED		 1374 ANCILLARY(VLAN_TAG);
1375 ANCILLARY(VLAN_TAG_PRESENT);
3e5289d5 1376 ANCILLARY(PAY_OFFSET);
4cd3675e 1377 ANCILLARY(RANDOM);
12b16dad 1378 }
aa1113d9
DB		 1379
1380 /* ancillary operation unknown or unsupported */
1381 if (anc_found == false && ftest->k >= SKF_AD_OFF)
1382 return -EINVAL;
01f2f3f6 1383 }
cba328fc 1384 ftest->code = code;
01f2f3f6 1385 }
93699863 1386
01f2f3f6
HPP		 1387 /* last instruction must be a RET code */
1388 switch (filter[flen - 1].code) {
1389 case BPF_S_RET_K:
1390 case BPF_S_RET_A:
2d5311e4 1391 return check_load_and_stores(filter, flen);
cba328fc
TH		 1392 }
1393 return -EINVAL;
1da177e4 1394}
b715631f 1395EXPORT_SYMBOL(sk_chk_filter);
1da177e4 1396
a3ea269b
DB		 1397static int sk_store_orig_filter(struct sk_filter *fp,
1398 const struct sock_fprog *fprog)
1399{
1400 unsigned int fsize = sk_filter_proglen(fprog);
1401 struct sock_fprog_kern *fkprog;
1402
1403 fp->orig_prog = kmalloc(sizeof(*fkprog), GFP_KERNEL);
1404 if (!fp->orig_prog)
1405 return -ENOMEM;
1406
1407 fkprog = fp->orig_prog;
1408 fkprog->len = fprog->len;
1409 fkprog->filter = kmemdup(fp->insns, fsize, GFP_KERNEL);
1410 if (!fkprog->filter) {
1411 kfree(fp->orig_prog);
1412 return -ENOMEM;
1413 }
1414
1415 return 0;
1416}
1417
1418static void sk_release_orig_filter(struct sk_filter *fp)
1419{
1420 struct sock_fprog_kern *fprog = fp->orig_prog;
1421
1422 if (fprog) {
1423 kfree(fprog->filter);
1424 kfree(fprog);
1425 }
1426}
1427
47e958ea 1428/**
46bcf14f 1429 * sk_filter_release_rcu - Release a socket filter by rcu_head
47e958ea
PE		 1430 * @rcu: rcu_head that contains the sk_filter to free
1431 */
fbc907f0 1432static void sk_filter_release_rcu(struct rcu_head *rcu)
47e958ea
PE		 1433{
1434 struct sk_filter *fp = container_of(rcu, struct sk_filter, rcu);
1435
a3ea269b 1436 sk_release_orig_filter(fp);
0a14842f 1437 bpf_jit_free(fp);
47e958ea 1438}
fbc907f0
DB		 1439
1440/**
1441 * sk_filter_release - release a socket filter
1442 * @fp: filter to remove
1443 *
1444 * Remove a filter from a socket and release its resources.
1445 */
1446static void sk_filter_release(struct sk_filter *fp)
1447{
1448 if (atomic_dec_and_test(&fp->refcnt))
1449 call_rcu(&fp->rcu, sk_filter_release_rcu);
1450}
1451
1452void sk_filter_uncharge(struct sock *sk, struct sk_filter *fp)
1453{
1454 atomic_sub(sk_filter_size(fp->len), &sk->sk_omem_alloc);
1455 sk_filter_release(fp);
1456}
1457
1458void sk_filter_charge(struct sock *sk, struct sk_filter *fp)
1459{
1460 atomic_inc(&fp->refcnt);
1461 atomic_add(sk_filter_size(fp->len), &sk->sk_omem_alloc);
1462}
47e958ea 1463
bd4cf0ed
AS		 1464static struct sk_filter *__sk_migrate_realloc(struct sk_filter *fp,
1465 struct sock *sk,
1466 unsigned int len)
1467{
1468 struct sk_filter *fp_new;
1469
1470 if (sk == NULL)
1471 return krealloc(fp, len, GFP_KERNEL);
1472
1473 fp_new = sock_kmalloc(sk, len, GFP_KERNEL);
1474 if (fp_new) {
1475 memcpy(fp_new, fp, sizeof(struct sk_filter));
1476 /* As we're kepping orig_prog in fp_new along,
1477 * we need to make sure we're not evicting it
1478 * from the old fp.
1479 */
1480 fp->orig_prog = NULL;
1481 sk_filter_uncharge(sk, fp);
1482 }
1483
1484 return fp_new;
1485}
1486
1487static struct sk_filter *__sk_migrate_filter(struct sk_filter *fp,
1488 struct sock *sk)
1489{
1490 struct sock_filter *old_prog;
1491 struct sk_filter *old_fp;
1492 int i, err, new_len, old_len = fp->len;
1493
1494 /* We are free to overwrite insns et al right here as it
1495 * won't be used at this point in time anymore internally
1496 * after the migration to the internal BPF instruction
1497 * representation.
1498 */
1499 BUILD_BUG_ON(sizeof(struct sock_filter) !=
1500 sizeof(struct sock_filter_int));
1501
1502 /* For now, we need to unfiddle BPF_S_* identifiers in place.
1503 * This can sooner or later on be subject to removal, e.g. when
1504 * JITs have been converted.
1505 */
1506 for (i = 0; i < fp->len; i++)
1507 sk_decode_filter(&fp->insns[i], &fp->insns[i]);
1508
1509 /* Conversion cannot happen on overlapping memory areas,
1510 * so we need to keep the user BPF around until the 2nd
1511 * pass. At this time, the user BPF is stored in fp->insns.
1512 */
1513 old_prog = kmemdup(fp->insns, old_len * sizeof(struct sock_filter),
1514 GFP_KERNEL);
1515 if (!old_prog) {
1516 err = -ENOMEM;
1517 goto out_err;
1518 }
1519
1520 /* 1st pass: calculate the new program length. */
1521 err = sk_convert_filter(old_prog, old_len, NULL, &new_len);
1522 if (err)
1523 goto out_err_free;
1524
1525 /* Expand fp for appending the new filter representation. */
1526 old_fp = fp;
1527 fp = __sk_migrate_realloc(old_fp, sk, sk_filter_size(new_len));
1528 if (!fp) {
1529 /* The old_fp is still around in case we couldn't
1530 * allocate new memory, so uncharge on that one.
1531 */
1532 fp = old_fp;
1533 err = -ENOMEM;
1534 goto out_err_free;
1535 }
1536
1537 fp->bpf_func = sk_run_filter_int_skb;
1538 fp->len = new_len;
1539
1540 /* 2nd pass: remap sock_filter insns into sock_filter_int insns. */
1541 err = sk_convert_filter(old_prog, old_len, fp->insnsi, &new_len);
1542 if (err)
1543 /* 2nd sk_convert_filter() can fail only if it fails
1544 * to allocate memory, remapping must succeed. Note,
1545 * that at this time old_fp has already been released
1546 * by __sk_migrate_realloc().
1547 */
1548 goto out_err_free;
1549
1550 kfree(old_prog);
1551 return fp;
1552
1553out_err_free:
1554 kfree(old_prog);
1555out_err:
1556 /* Rollback filter setup. */
1557 if (sk != NULL)
1558 sk_filter_uncharge(sk, fp);
1559 else
1560 kfree(fp);
1561 return ERR_PTR(err);
1562}
1563
1564static struct sk_filter *__sk_prepare_filter(struct sk_filter *fp,
1565 struct sock *sk)
302d6637
JP		 1566{
1567 int err;
1568
bd4cf0ed 1569 fp->bpf_func = NULL;
f8bbbfc3 1570 fp->jited = 0;
302d6637
JP		 1571
1572 err = sk_chk_filter(fp->insns, fp->len);
1573 if (err)
bd4cf0ed 1574 return ERR_PTR(err);
302d6637 1575
bd4cf0ed
AS		 1576 /* Probe if we can JIT compile the filter and if so, do
1577 * the compilation of the filter.
1578 */
302d6637 1579 bpf_jit_compile(fp);
bd4cf0ed
AS		 1580
1581 /* JIT compiler couldn't process this filter, so do the
1582 * internal BPF translation for the optimized interpreter.
1583 */
1584 if (!fp->jited)
1585 fp = __sk_migrate_filter(fp, sk);
1586
1587 return fp;
302d6637
JP		 1588}
1589
1590/**
1591 * sk_unattached_filter_create - create an unattached filter
1592 * @fprog: the filter program
c6c4b97c 1593 * @pfp: the unattached filter that is created
302d6637 1594 *
c6c4b97c 1595 * Create a filter independent of any socket. We first run some
302d6637
JP		 1596 * sanity checks on it to make sure it does not explode on us later.
1597 * If an error occurs or there is insufficient memory for the filter
1598 * a negative errno code is returned. On success the return is zero.
1599 */
1600int sk_unattached_filter_create(struct sk_filter **pfp,
1601 struct sock_fprog *fprog)
1602{
a3ea269b 1603 unsigned int fsize = sk_filter_proglen(fprog);
302d6637 1604 struct sk_filter *fp;
302d6637
JP		 1605
1606 /* Make sure new filter is there and in the right amounts. */
1607 if (fprog->filter == NULL)
1608 return -EINVAL;
1609
d45ed4a4 1610 fp = kmalloc(sk_filter_size(fprog->len), GFP_KERNEL);
302d6637
JP		 1611 if (!fp)
1612 return -ENOMEM;
a3ea269b 1613
302d6637
JP		 1614 memcpy(fp->insns, fprog->filter, fsize);
1615
1616 atomic_set(&fp->refcnt, 1);
1617 fp->len = fprog->len;
a3ea269b
DB		 1618 /* Since unattached filters are not copied back to user
1619 * space through sk_get_filter(), we do not need to hold
1620 * a copy here, and can spare us the work.
1621 */
1622 fp->orig_prog = NULL;
302d6637 1623
bd4cf0ed
AS		 1624 /* __sk_prepare_filter() already takes care of uncharging
1625 * memory in case something goes wrong.
1626 */
1627 fp = __sk_prepare_filter(fp, NULL);
1628 if (IS_ERR(fp))
1629 return PTR_ERR(fp);
302d6637
JP		 1630
1631 *pfp = fp;
1632 return 0;
302d6637
JP		 1633}
1634EXPORT_SYMBOL_GPL(sk_unattached_filter_create);
1635
1636void sk_unattached_filter_destroy(struct sk_filter *fp)
1637{
1638 sk_filter_release(fp);
1639}
1640EXPORT_SYMBOL_GPL(sk_unattached_filter_destroy);
1641
1da177e4
LT		 1642/**
1643 * sk_attach_filter - attach a socket filter
1644 * @fprog: the filter program
1645 * @sk: the socket to use
1646 *
1647 * Attach the user's filter code. We first run some sanity checks on
1648 * it to make sure it does not explode on us later. If an error
1649 * occurs or there is insufficient memory for the filter a negative
1650 * errno code is returned. On success the return is zero.
1651 */
1652int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk)
1653{
d3904b73 1654 struct sk_filter *fp, *old_fp;
a3ea269b 1655 unsigned int fsize = sk_filter_proglen(fprog);
d45ed4a4 1656 unsigned int sk_fsize = sk_filter_size(fprog->len);
1da177e4
LT		 1657 int err;
1658
d59577b6
VB		 1659 if (sock_flag(sk, SOCK_FILTER_LOCKED))
1660 return -EPERM;
1661
1da177e4 1662 /* Make sure new filter is there and in the right amounts. */
e35bedf3
KK		 1663 if (fprog->filter == NULL)
1664 return -EINVAL;
1da177e4 1665
d45ed4a4 1666 fp = sock_kmalloc(sk, sk_fsize, GFP_KERNEL);
1da177e4
LT		 1667 if (!fp)
1668 return -ENOMEM;
a3ea269b 1669
1da177e4 1670 if (copy_from_user(fp->insns, fprog->filter, fsize)) {
d45ed4a4 1671 sock_kfree_s(sk, fp, sk_fsize);
1da177e4
LT		 1672 return -EFAULT;
1673 }
1674
1675 atomic_set(&fp->refcnt, 1);
1676 fp->len = fprog->len;
1677
a3ea269b
DB		 1678 err = sk_store_orig_filter(fp, fprog);
1679 if (err) {
1680 sk_filter_uncharge(sk, fp);
1681 return -ENOMEM;
1682 }
1683
bd4cf0ed
AS		 1684 /* __sk_prepare_filter() already takes care of uncharging
1685 * memory in case something goes wrong.
1686 */
1687 fp = __sk_prepare_filter(fp, sk);
1688 if (IS_ERR(fp))
1689 return PTR_ERR(fp);
1da177e4 1690
f91ff5b9
ED		 1691 old_fp = rcu_dereference_protected(sk->sk_filter,
1692 sock_owned_by_user(sk));
d3904b73 1693 rcu_assign_pointer(sk->sk_filter, fp);
d3904b73 1694
9b013e05 1695 if (old_fp)
46bcf14f 1696 sk_filter_uncharge(sk, old_fp);
a3ea269b 1697
d3904b73 1698 return 0;
1da177e4 1699}
5ff3f073 1700EXPORT_SYMBOL_GPL(sk_attach_filter);
1da177e4 1701
55b33325
PE		 1702int sk_detach_filter(struct sock *sk)
1703{
1704 int ret = -ENOENT;
1705 struct sk_filter *filter;
1706
d59577b6
VB		 1707 if (sock_flag(sk, SOCK_FILTER_LOCKED))
1708 return -EPERM;
1709
f91ff5b9
ED		 1710 filter = rcu_dereference_protected(sk->sk_filter,
1711 sock_owned_by_user(sk));
55b33325 1712 if (filter) {
a9b3cd7f 1713 RCU_INIT_POINTER(sk->sk_filter, NULL);
46bcf14f 1714 sk_filter_uncharge(sk, filter);
55b33325
PE		 1715 ret = 0;
1716 }
a3ea269b 1717
55b33325
PE		 1718 return ret;
1719}
5ff3f073 1720EXPORT_SYMBOL_GPL(sk_detach_filter);
a8fc9277 1721
ed13998c 1722void sk_decode_filter(struct sock_filter *filt, struct sock_filter *to)
a8fc9277
PE		 1723{
1724 static const u16 decodes[] = {
1725 [BPF_S_ALU_ADD_K] = BPF_ALU|BPF_ADD|BPF_K,
1726 [BPF_S_ALU_ADD_X] = BPF_ALU|BPF_ADD|BPF_X,
1727 [BPF_S_ALU_SUB_K] = BPF_ALU|BPF_SUB|BPF_K,
1728 [BPF_S_ALU_SUB_X] = BPF_ALU|BPF_SUB|BPF_X,
1729 [BPF_S_ALU_MUL_K] = BPF_ALU|BPF_MUL|BPF_K,
1730 [BPF_S_ALU_MUL_X] = BPF_ALU|BPF_MUL|BPF_X,
1731 [BPF_S_ALU_DIV_X] = BPF_ALU|BPF_DIV|BPF_X,
1732 [BPF_S_ALU_MOD_K] = BPF_ALU|BPF_MOD|BPF_K,
1733 [BPF_S_ALU_MOD_X] = BPF_ALU|BPF_MOD|BPF_X,
1734 [BPF_S_ALU_AND_K] = BPF_ALU|BPF_AND|BPF_K,
1735 [BPF_S_ALU_AND_X] = BPF_ALU|BPF_AND|BPF_X,
1736 [BPF_S_ALU_OR_K] = BPF_ALU|BPF_OR|BPF_K,
1737 [BPF_S_ALU_OR_X] = BPF_ALU|BPF_OR|BPF_X,
1738 [BPF_S_ALU_XOR_K] = BPF_ALU|BPF_XOR|BPF_K,
1739 [BPF_S_ALU_XOR_X] = BPF_ALU|BPF_XOR|BPF_X,
1740 [BPF_S_ALU_LSH_K] = BPF_ALU|BPF_LSH|BPF_K,
1741 [BPF_S_ALU_LSH_X] = BPF_ALU|BPF_LSH|BPF_X,
1742 [BPF_S_ALU_RSH_K] = BPF_ALU|BPF_RSH|BPF_K,
1743 [BPF_S_ALU_RSH_X] = BPF_ALU|BPF_RSH|BPF_X,
1744 [BPF_S_ALU_NEG] = BPF_ALU|BPF_NEG,
1745 [BPF_S_LD_W_ABS] = BPF_LD|BPF_W|BPF_ABS,
1746 [BPF_S_LD_H_ABS] = BPF_LD|BPF_H|BPF_ABS,
1747 [BPF_S_LD_B_ABS] = BPF_LD|BPF_B|BPF_ABS,
1748 [BPF_S_ANC_PROTOCOL] = BPF_LD|BPF_B|BPF_ABS,
1749 [BPF_S_ANC_PKTTYPE] = BPF_LD|BPF_B|BPF_ABS,
1750 [BPF_S_ANC_IFINDEX] = BPF_LD|BPF_B|BPF_ABS,
1751 [BPF_S_ANC_NLATTR] = BPF_LD|BPF_B|BPF_ABS,
1752 [BPF_S_ANC_NLATTR_NEST] = BPF_LD|BPF_B|BPF_ABS,
1753 [BPF_S_ANC_MARK] = BPF_LD|BPF_B|BPF_ABS,
1754 [BPF_S_ANC_QUEUE] = BPF_LD|BPF_B|BPF_ABS,
1755 [BPF_S_ANC_HATYPE] = BPF_LD|BPF_B|BPF_ABS,
1756 [BPF_S_ANC_RXHASH] = BPF_LD|BPF_B|BPF_ABS,
1757 [BPF_S_ANC_CPU] = BPF_LD|BPF_B|BPF_ABS,
1758 [BPF_S_ANC_ALU_XOR_X] = BPF_LD|BPF_B|BPF_ABS,
a8fc9277
PE		 1759 [BPF_S_ANC_VLAN_TAG] = BPF_LD|BPF_B|BPF_ABS,
1760 [BPF_S_ANC_VLAN_TAG_PRESENT] = BPF_LD|BPF_B|BPF_ABS,
3e5289d5 1761 [BPF_S_ANC_PAY_OFFSET] = BPF_LD|BPF_B|BPF_ABS,
4cd3675e 1762 [BPF_S_ANC_RANDOM] = BPF_LD|BPF_B|BPF_ABS,
a8fc9277
PE		 1763 [BPF_S_LD_W_LEN] = BPF_LD|BPF_W|BPF_LEN,
1764 [BPF_S_LD_W_IND] = BPF_LD|BPF_W|BPF_IND,
1765 [BPF_S_LD_H_IND] = BPF_LD|BPF_H|BPF_IND,
1766 [BPF_S_LD_B_IND] = BPF_LD|BPF_B|BPF_IND,
1767 [BPF_S_LD_IMM] = BPF_LD|BPF_IMM,
1768 [BPF_S_LDX_W_LEN] = BPF_LDX|BPF_W|BPF_LEN,
1769 [BPF_S_LDX_B_MSH] = BPF_LDX|BPF_B|BPF_MSH,
1770 [BPF_S_LDX_IMM] = BPF_LDX|BPF_IMM,
1771 [BPF_S_MISC_TAX] = BPF_MISC|BPF_TAX,
1772 [BPF_S_MISC_TXA] = BPF_MISC|BPF_TXA,
1773 [BPF_S_RET_K] = BPF_RET|BPF_K,
1774 [BPF_S_RET_A] = BPF_RET|BPF_A,
1775 [BPF_S_ALU_DIV_K] = BPF_ALU|BPF_DIV|BPF_K,
1776 [BPF_S_LD_MEM] = BPF_LD|BPF_MEM,
1777 [BPF_S_LDX_MEM] = BPF_LDX|BPF_MEM,
1778 [BPF_S_ST] = BPF_ST,
1779 [BPF_S_STX] = BPF_STX,
1780 [BPF_S_JMP_JA] = BPF_JMP|BPF_JA,
1781 [BPF_S_JMP_JEQ_K] = BPF_JMP|BPF_JEQ|BPF_K,
1782 [BPF_S_JMP_JEQ_X] = BPF_JMP|BPF_JEQ|BPF_X,
1783 [BPF_S_JMP_JGE_K] = BPF_JMP|BPF_JGE|BPF_K,
1784 [BPF_S_JMP_JGE_X] = BPF_JMP|BPF_JGE|BPF_X,
1785 [BPF_S_JMP_JGT_K] = BPF_JMP|BPF_JGT|BPF_K,
1786 [BPF_S_JMP_JGT_X] = BPF_JMP|BPF_JGT|BPF_X,
1787 [BPF_S_JMP_JSET_K] = BPF_JMP|BPF_JSET|BPF_K,
1788 [BPF_S_JMP_JSET_X] = BPF_JMP|BPF_JSET|BPF_X,
1789 };
1790 u16 code;
1791
1792 code = filt->code;
1793
1794 to->code = decodes[code];
1795 to->jt = filt->jt;
1796 to->jf = filt->jf;
aee636c4 1797 to->k = filt->k;
a8fc9277
PE		 1798}
1799
a3ea269b
DB		 1800int sk_get_filter(struct sock *sk, struct sock_filter __user *ubuf,
1801 unsigned int len)
a8fc9277 1802{
a3ea269b 1803 struct sock_fprog_kern *fprog;
a8fc9277 1804 struct sk_filter *filter;
a3ea269b 1805 int ret = 0;
a8fc9277
PE		 1806
1807 lock_sock(sk);
1808 filter = rcu_dereference_protected(sk->sk_filter,
a3ea269b 1809 sock_owned_by_user(sk));
a8fc9277
PE		 1810 if (!filter)
1811 goto out;
a3ea269b
DB		 1812
1813 /* We're copying the filter that has been originally attached,
1814 * so no conversion/decode needed anymore.
1815 */
1816 fprog = filter->orig_prog;
1817
1818 ret = fprog->len;
a8fc9277 1819 if (!len)
a3ea269b 1820 /* User space only enquires number of filter blocks. */
a8fc9277 1821 goto out;
a3ea269b 1822
a8fc9277 1823 ret = -EINVAL;
a3ea269b 1824 if (len < fprog->len)
a8fc9277
PE		 1825 goto out;
1826
1827 ret = -EFAULT;
a3ea269b
DB		 1828 if (copy_to_user(ubuf, fprog->filter, sk_filter_proglen(fprog)))
1829 goto out;
a8fc9277 1830
a3ea269b
DB		 1831 /* Instead of bytes, the API requests to return the number
1832 * of filter blocks.
1833 */
1834 ret = fprog->len;
a8fc9277
PE		 1835out:
1836 release_sock(sk);
1837 return ret;
1838}
Linux kernel - Deliverables
This page took 0.802405 seconds and 5 git commands to generate.