2 * Linux Socket Filter - Kernel level socket filtering
4 * Based on the design of the Berkeley Packet Filter. The new
5 * internal format has been designed by PLUMgrid:
7 * Copyright (c) 2011 - 2014 PLUMgrid, http://plumgrid.com
11 * Jay Schulist <jschlst@samba.org>
12 * Alexei Starovoitov <ast@plumgrid.com>
13 * Daniel Borkmann <dborkman@redhat.com>
15 * This program is free software; you can redistribute it and/or
16 * modify it under the terms of the GNU General Public License
17 * as published by the Free Software Foundation; either version
18 * 2 of the License, or (at your option) any later version.
20 * Andi Kleen - Fix a few bad bugs and races.
21 * Kris Katterjohn - Added many additional checks in sk_chk_filter()
24 #include <linux/module.h>
25 #include <linux/types.h>
27 #include <linux/fcntl.h>
28 #include <linux/socket.h>
30 #include <linux/inet.h>
31 #include <linux/netdevice.h>
32 #include <linux/if_packet.h>
33 #include <linux/gfp.h>
35 #include <net/protocol.h>
36 #include <net/netlink.h>
37 #include <linux/skbuff.h>
39 #include <linux/errno.h>
40 #include <linux/timer.h>
41 #include <asm/uaccess.h>
42 #include <asm/unaligned.h>
43 #include <linux/filter.h>
44 #include <linux/ratelimit.h>
45 #include <linux/seccomp.h>
46 #include <linux/if_vlan.h>
48 /* No hurry in this branch
50 * Exported for the bpf jit load helper.
52 void *bpf_internal_load_pointer_neg_helper(const struct sk_buff
*skb
, int k
, unsigned int size
)
57 ptr
= skb_network_header(skb
) + k
- SKF_NET_OFF
;
58 else if (k
>= SKF_LL_OFF
)
59 ptr
= skb_mac_header(skb
) + k
- SKF_LL_OFF
;
61 if (ptr
>= skb
->head
&& ptr
+ size
<= skb_tail_pointer(skb
))
66 static inline void *load_pointer(const struct sk_buff
*skb
, int k
,
67 unsigned int size
, void *buffer
)
70 return skb_header_pointer(skb
, k
, size
, buffer
);
71 return bpf_internal_load_pointer_neg_helper(skb
, k
, size
);
75 * sk_filter - run a packet through a socket filter
76 * @sk: sock associated with &sk_buff
77 * @skb: buffer to filter
79 * Run the filter code and then cut skb->data to correct size returned by
80 * sk_run_filter. If pkt_len is 0 we toss packet. If skb->len is smaller
81 * than pkt_len we keep whole skb->data. This is the socket level
82 * wrapper to sk_run_filter. It returns 0 if the packet should
83 * be accepted or -EPERM if the packet should be tossed.
86 int sk_filter(struct sock
*sk
, struct sk_buff
*skb
)
89 struct sk_filter
*filter
;
92 * If the skb was allocated from pfmemalloc reserves, only
93 * allow SOCK_MEMALLOC sockets to use it as this socket is
96 if (skb_pfmemalloc(skb
) && !sock_flag(sk
, SOCK_MEMALLOC
))
99 err
= security_sock_rcv_skb(sk
, skb
);
104 filter
= rcu_dereference(sk
->sk_filter
);
106 unsigned int pkt_len
= SK_RUN_FILTER(filter
, skb
);
108 err
= pkt_len
? pskb_trim(skb
, pkt_len
) : -EPERM
;
114 EXPORT_SYMBOL(sk_filter
);
116 /* Base function for offset calculation. Needs to go into .text section,
117 * therefore keeping it non-static as well; will also be used by JITs
118 * anyway later on, so do not let the compiler omit it.
120 noinline u64
__bpf_call_base(u64 r1
, u64 r2
, u64 r3
, u64 r4
, u64 r5
)
126 * __sk_run_filter - run a filter on a given context
127 * @ctx: buffer to run the filter on
128 * @insn: filter to apply
130 * Decode and apply filter instructions to the skb->data. Return length to
131 * keep, 0 for none. @ctx is the data we are operating on, @insn is the
132 * array of filter instructions.
134 unsigned int __sk_run_filter(void *ctx
, const struct sock_filter_int
*insn
)
136 u64 stack
[MAX_BPF_STACK
/ sizeof(u64
)];
137 u64 regs
[MAX_BPF_REG
], tmp
;
142 #define A regs[insn->a_reg]
143 #define X regs[insn->x_reg]
146 #define CONT ({insn++; goto select_insn; })
147 #define CONT_JMP ({insn++; goto select_insn; })
149 static const void *jumptable
[256] = {
150 [0 ... 255] = &&default_label
,
151 /* Now overwrite non-defaults ... */
152 #define DL(A, B, C) [A|B|C] = &&A##_##B##_##C
153 DL(BPF_ALU
, BPF_ADD
, BPF_X
),
154 DL(BPF_ALU
, BPF_ADD
, BPF_K
),
155 DL(BPF_ALU
, BPF_SUB
, BPF_X
),
156 DL(BPF_ALU
, BPF_SUB
, BPF_K
),
157 DL(BPF_ALU
, BPF_AND
, BPF_X
),
158 DL(BPF_ALU
, BPF_AND
, BPF_K
),
159 DL(BPF_ALU
, BPF_OR
, BPF_X
),
160 DL(BPF_ALU
, BPF_OR
, BPF_K
),
161 DL(BPF_ALU
, BPF_LSH
, BPF_X
),
162 DL(BPF_ALU
, BPF_LSH
, BPF_K
),
163 DL(BPF_ALU
, BPF_RSH
, BPF_X
),
164 DL(BPF_ALU
, BPF_RSH
, BPF_K
),
165 DL(BPF_ALU
, BPF_XOR
, BPF_X
),
166 DL(BPF_ALU
, BPF_XOR
, BPF_K
),
167 DL(BPF_ALU
, BPF_MUL
, BPF_X
),
168 DL(BPF_ALU
, BPF_MUL
, BPF_K
),
169 DL(BPF_ALU
, BPF_MOV
, BPF_X
),
170 DL(BPF_ALU
, BPF_MOV
, BPF_K
),
171 DL(BPF_ALU
, BPF_DIV
, BPF_X
),
172 DL(BPF_ALU
, BPF_DIV
, BPF_K
),
173 DL(BPF_ALU
, BPF_MOD
, BPF_X
),
174 DL(BPF_ALU
, BPF_MOD
, BPF_K
),
175 DL(BPF_ALU
, BPF_NEG
, 0),
176 DL(BPF_ALU
, BPF_END
, BPF_TO_BE
),
177 DL(BPF_ALU
, BPF_END
, BPF_TO_LE
),
178 DL(BPF_ALU64
, BPF_ADD
, BPF_X
),
179 DL(BPF_ALU64
, BPF_ADD
, BPF_K
),
180 DL(BPF_ALU64
, BPF_SUB
, BPF_X
),
181 DL(BPF_ALU64
, BPF_SUB
, BPF_K
),
182 DL(BPF_ALU64
, BPF_AND
, BPF_X
),
183 DL(BPF_ALU64
, BPF_AND
, BPF_K
),
184 DL(BPF_ALU64
, BPF_OR
, BPF_X
),
185 DL(BPF_ALU64
, BPF_OR
, BPF_K
),
186 DL(BPF_ALU64
, BPF_LSH
, BPF_X
),
187 DL(BPF_ALU64
, BPF_LSH
, BPF_K
),
188 DL(BPF_ALU64
, BPF_RSH
, BPF_X
),
189 DL(BPF_ALU64
, BPF_RSH
, BPF_K
),
190 DL(BPF_ALU64
, BPF_XOR
, BPF_X
),
191 DL(BPF_ALU64
, BPF_XOR
, BPF_K
),
192 DL(BPF_ALU64
, BPF_MUL
, BPF_X
),
193 DL(BPF_ALU64
, BPF_MUL
, BPF_K
),
194 DL(BPF_ALU64
, BPF_MOV
, BPF_X
),
195 DL(BPF_ALU64
, BPF_MOV
, BPF_K
),
196 DL(BPF_ALU64
, BPF_ARSH
, BPF_X
),
197 DL(BPF_ALU64
, BPF_ARSH
, BPF_K
),
198 DL(BPF_ALU64
, BPF_DIV
, BPF_X
),
199 DL(BPF_ALU64
, BPF_DIV
, BPF_K
),
200 DL(BPF_ALU64
, BPF_MOD
, BPF_X
),
201 DL(BPF_ALU64
, BPF_MOD
, BPF_K
),
202 DL(BPF_ALU64
, BPF_NEG
, 0),
203 DL(BPF_JMP
, BPF_CALL
, 0),
204 DL(BPF_JMP
, BPF_JA
, 0),
205 DL(BPF_JMP
, BPF_JEQ
, BPF_X
),
206 DL(BPF_JMP
, BPF_JEQ
, BPF_K
),
207 DL(BPF_JMP
, BPF_JNE
, BPF_X
),
208 DL(BPF_JMP
, BPF_JNE
, BPF_K
),
209 DL(BPF_JMP
, BPF_JGT
, BPF_X
),
210 DL(BPF_JMP
, BPF_JGT
, BPF_K
),
211 DL(BPF_JMP
, BPF_JGE
, BPF_X
),
212 DL(BPF_JMP
, BPF_JGE
, BPF_K
),
213 DL(BPF_JMP
, BPF_JSGT
, BPF_X
),
214 DL(BPF_JMP
, BPF_JSGT
, BPF_K
),
215 DL(BPF_JMP
, BPF_JSGE
, BPF_X
),
216 DL(BPF_JMP
, BPF_JSGE
, BPF_K
),
217 DL(BPF_JMP
, BPF_JSET
, BPF_X
),
218 DL(BPF_JMP
, BPF_JSET
, BPF_K
),
219 DL(BPF_JMP
, BPF_EXIT
, 0),
220 DL(BPF_STX
, BPF_MEM
, BPF_B
),
221 DL(BPF_STX
, BPF_MEM
, BPF_H
),
222 DL(BPF_STX
, BPF_MEM
, BPF_W
),
223 DL(BPF_STX
, BPF_MEM
, BPF_DW
),
224 DL(BPF_STX
, BPF_XADD
, BPF_W
),
225 DL(BPF_STX
, BPF_XADD
, BPF_DW
),
226 DL(BPF_ST
, BPF_MEM
, BPF_B
),
227 DL(BPF_ST
, BPF_MEM
, BPF_H
),
228 DL(BPF_ST
, BPF_MEM
, BPF_W
),
229 DL(BPF_ST
, BPF_MEM
, BPF_DW
),
230 DL(BPF_LDX
, BPF_MEM
, BPF_B
),
231 DL(BPF_LDX
, BPF_MEM
, BPF_H
),
232 DL(BPF_LDX
, BPF_MEM
, BPF_W
),
233 DL(BPF_LDX
, BPF_MEM
, BPF_DW
),
234 DL(BPF_LD
, BPF_ABS
, BPF_W
),
235 DL(BPF_LD
, BPF_ABS
, BPF_H
),
236 DL(BPF_LD
, BPF_ABS
, BPF_B
),
237 DL(BPF_LD
, BPF_IND
, BPF_W
),
238 DL(BPF_LD
, BPF_IND
, BPF_H
),
239 DL(BPF_LD
, BPF_IND
, BPF_B
),
243 regs
[FP_REG
] = (u64
) (unsigned long) &stack
[ARRAY_SIZE(stack
)];
244 regs
[ARG1_REG
] = (u64
) (unsigned long) ctx
;
247 goto *jumptable
[insn
->code
];
250 #define ALU(OPCODE, OP) \
251 BPF_ALU64_##OPCODE##_BPF_X: \
254 BPF_ALU_##OPCODE##_BPF_X: \
255 A = (u32) A OP (u32) X; \
257 BPF_ALU64_##OPCODE##_BPF_K: \
260 BPF_ALU_##OPCODE##_BPF_K: \
261 A = (u32) A OP (u32) K; \
279 BPF_ALU_BPF_MOV_BPF_X
:
282 BPF_ALU_BPF_MOV_BPF_K
:
285 BPF_ALU64_BPF_MOV_BPF_X
:
288 BPF_ALU64_BPF_MOV_BPF_K
:
291 BPF_ALU64_BPF_ARSH_BPF_X
:
294 BPF_ALU64_BPF_ARSH_BPF_K
:
297 BPF_ALU64_BPF_MOD_BPF_X
:
298 if (unlikely(X
== 0))
303 BPF_ALU_BPF_MOD_BPF_X
:
304 if (unlikely(X
== 0))
307 A
= do_div(tmp
, (u32
) X
);
309 BPF_ALU64_BPF_MOD_BPF_K
:
313 BPF_ALU_BPF_MOD_BPF_K
:
315 A
= do_div(tmp
, (u32
) K
);
317 BPF_ALU64_BPF_DIV_BPF_X
:
318 if (unlikely(X
== 0))
322 BPF_ALU_BPF_DIV_BPF_X
:
323 if (unlikely(X
== 0))
326 do_div(tmp
, (u32
) X
);
329 BPF_ALU64_BPF_DIV_BPF_K
:
332 BPF_ALU_BPF_DIV_BPF_K
:
334 do_div(tmp
, (u32
) K
);
337 BPF_ALU_BPF_END_BPF_TO_BE
:
340 A
= (__force u16
) cpu_to_be16(A
);
343 A
= (__force u32
) cpu_to_be32(A
);
346 A
= (__force u64
) cpu_to_be64(A
);
350 BPF_ALU_BPF_END_BPF_TO_LE
:
353 A
= (__force u16
) cpu_to_le16(A
);
356 A
= (__force u32
) cpu_to_le32(A
);
359 A
= (__force u64
) cpu_to_le64(A
);
366 /* Function call scratches R1-R5 registers, preserves R6-R9,
367 * and stores return value into R0.
369 R0
= (__bpf_call_base
+ insn
->imm
)(regs
[1], regs
[2], regs
[3],
377 BPF_JMP_BPF_JEQ_BPF_X
:
383 BPF_JMP_BPF_JEQ_BPF_K
:
389 BPF_JMP_BPF_JNE_BPF_X
:
395 BPF_JMP_BPF_JNE_BPF_K
:
401 BPF_JMP_BPF_JGT_BPF_X
:
407 BPF_JMP_BPF_JGT_BPF_K
:
413 BPF_JMP_BPF_JGE_BPF_X
:
419 BPF_JMP_BPF_JGE_BPF_K
:
425 BPF_JMP_BPF_JSGT_BPF_X
:
426 if (((s64
)A
) > ((s64
)X
)) {
431 BPF_JMP_BPF_JSGT_BPF_K
:
432 if (((s64
)A
) > ((s64
)K
)) {
437 BPF_JMP_BPF_JSGE_BPF_X
:
438 if (((s64
)A
) >= ((s64
)X
)) {
443 BPF_JMP_BPF_JSGE_BPF_K
:
444 if (((s64
)A
) >= ((s64
)K
)) {
449 BPF_JMP_BPF_JSET_BPF_X
:
455 BPF_JMP_BPF_JSET_BPF_K
:
464 /* STX and ST and LDX*/
465 #define LDST(SIZEOP, SIZE) \
466 BPF_STX_BPF_MEM_##SIZEOP: \
467 *(SIZE *)(unsigned long) (A + insn->off) = X; \
469 BPF_ST_BPF_MEM_##SIZEOP: \
470 *(SIZE *)(unsigned long) (A + insn->off) = K; \
472 BPF_LDX_BPF_MEM_##SIZEOP: \
473 A = *(SIZE *)(unsigned long) (X + insn->off); \
481 BPF_STX_BPF_XADD_BPF_W
: /* lock xadd *(u32 *)(A + insn->off) += X */
482 atomic_add((u32
) X
, (atomic_t
*)(unsigned long)
485 BPF_STX_BPF_XADD_BPF_DW
: /* lock xadd *(u64 *)(A + insn->off) += X */
486 atomic64_add((u64
) X
, (atomic64_t
*)(unsigned long)
489 BPF_LD_BPF_ABS_BPF_W
: /* R0 = ntohl(*(u32 *) (skb->data + K)) */
492 /* BPF_LD + BPD_ABS and BPF_LD + BPF_IND insns are only
493 * appearing in the programs where ctx == skb. All programs
494 * keep 'ctx' in regs[CTX_REG] == R6, sk_convert_filter()
495 * saves it in R6, internal BPF verifier will check that
498 * BPF_ABS and BPF_IND are wrappers of function calls, so
499 * they scratch R1-R5 registers, preserve R6-R9, and store
500 * return value into R0.
507 * K == 32-bit immediate
510 * R0 - 8/16/32-bit skb data converted to cpu endianness
512 ptr
= load_pointer((struct sk_buff
*) ctx
, off
, 4, &tmp
);
513 if (likely(ptr
!= NULL
)) {
514 R0
= get_unaligned_be32(ptr
);
518 BPF_LD_BPF_ABS_BPF_H
: /* R0 = ntohs(*(u16 *) (skb->data + K)) */
521 ptr
= load_pointer((struct sk_buff
*) ctx
, off
, 2, &tmp
);
522 if (likely(ptr
!= NULL
)) {
523 R0
= get_unaligned_be16(ptr
);
527 BPF_LD_BPF_ABS_BPF_B
: /* R0 = *(u8 *) (ctx + K) */
530 ptr
= load_pointer((struct sk_buff
*) ctx
, off
, 1, &tmp
);
531 if (likely(ptr
!= NULL
)) {
536 BPF_LD_BPF_IND_BPF_W
: /* R0 = ntohl(*(u32 *) (skb->data + X + K)) */
539 BPF_LD_BPF_IND_BPF_H
: /* R0 = ntohs(*(u16 *) (skb->data + X + K)) */
542 BPF_LD_BPF_IND_BPF_B
: /* R0 = *(u8 *) (skb->data + X + K) */
547 /* If we ever reach this, we have a bug somewhere. */
548 WARN_RATELIMIT(1, "unknown opcode %02x\n", insn
->code
);
559 u32
sk_run_filter_int_seccomp(const struct seccomp_data
*ctx
,
560 const struct sock_filter_int
*insni
)
561 __attribute__ ((alias ("__sk_run_filter")));
563 u32
sk_run_filter_int_skb(const struct sk_buff
*ctx
,
564 const struct sock_filter_int
*insni
)
565 __attribute__ ((alias ("__sk_run_filter")));
566 EXPORT_SYMBOL_GPL(sk_run_filter_int_skb
);
568 /* Helper to find the offset of pkt_type in sk_buff structure. We want
569 * to make sure its still a 3bit field starting at a byte boundary;
570 * taken from arch/x86/net/bpf_jit_comp.c.
572 #define PKT_TYPE_MAX 7
573 static unsigned int pkt_type_offset(void)
575 struct sk_buff skb_probe
= { .pkt_type
= ~0, };
576 u8
*ct
= (u8
*) &skb_probe
;
579 for (off
= 0; off
< sizeof(struct sk_buff
); off
++) {
580 if (ct
[off
] == PKT_TYPE_MAX
)
584 pr_err_once("Please fix %s, as pkt_type couldn't be found!\n", __func__
);
588 static u64
__skb_get_pay_offset(u64 ctx
, u64 A
, u64 X
, u64 r4
, u64 r5
)
590 struct sk_buff
*skb
= (struct sk_buff
*)(long) ctx
;
592 return __skb_get_poff(skb
);
595 static u64
__skb_get_nlattr(u64 ctx
, u64 A
, u64 X
, u64 r4
, u64 r5
)
597 struct sk_buff
*skb
= (struct sk_buff
*)(long) ctx
;
600 if (skb_is_nonlinear(skb
))
603 if (skb
->len
< sizeof(struct nlattr
))
606 if (A
> skb
->len
- sizeof(struct nlattr
))
609 nla
= nla_find((struct nlattr
*) &skb
->data
[A
], skb
->len
- A
, X
);
611 return (void *) nla
- (void *) skb
->data
;
616 static u64
__skb_get_nlattr_nest(u64 ctx
, u64 A
, u64 X
, u64 r4
, u64 r5
)
618 struct sk_buff
*skb
= (struct sk_buff
*)(long) ctx
;
621 if (skb_is_nonlinear(skb
))
624 if (skb
->len
< sizeof(struct nlattr
))
627 if (A
> skb
->len
- sizeof(struct nlattr
))
630 nla
= (struct nlattr
*) &skb
->data
[A
];
631 if (nla
->nla_len
> skb
->len
- A
)
634 nla
= nla_find_nested(nla
, X
);
636 return (void *) nla
- (void *) skb
->data
;
641 static u64
__get_raw_cpu_id(u64 ctx
, u64 A
, u64 X
, u64 r4
, u64 r5
)
643 return raw_smp_processor_id();
646 /* Register mappings for user programs. */
653 static bool convert_bpf_extensions(struct sock_filter
*fp
,
654 struct sock_filter_int
**insnp
)
656 struct sock_filter_int
*insn
= *insnp
;
659 case SKF_AD_OFF
+ SKF_AD_PROTOCOL
:
660 BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff
, protocol
) != 2);
662 insn
->code
= BPF_LDX
| BPF_MEM
| BPF_H
;
664 insn
->x_reg
= CTX_REG
;
665 insn
->off
= offsetof(struct sk_buff
, protocol
);
668 /* A = ntohs(A) [emitting a nop or swap16] */
669 insn
->code
= BPF_ALU
| BPF_END
| BPF_FROM_BE
;
674 case SKF_AD_OFF
+ SKF_AD_PKTTYPE
:
675 insn
->code
= BPF_LDX
| BPF_MEM
| BPF_B
;
677 insn
->x_reg
= CTX_REG
;
678 insn
->off
= pkt_type_offset();
683 insn
->code
= BPF_ALU
| BPF_AND
| BPF_K
;
685 insn
->imm
= PKT_TYPE_MAX
;
688 case SKF_AD_OFF
+ SKF_AD_IFINDEX
:
689 case SKF_AD_OFF
+ SKF_AD_HATYPE
:
690 if (FIELD_SIZEOF(struct sk_buff
, dev
) == 8)
691 insn
->code
= BPF_LDX
| BPF_MEM
| BPF_DW
;
693 insn
->code
= BPF_LDX
| BPF_MEM
| BPF_W
;
694 insn
->a_reg
= TMP_REG
;
695 insn
->x_reg
= CTX_REG
;
696 insn
->off
= offsetof(struct sk_buff
, dev
);
699 insn
->code
= BPF_JMP
| BPF_JNE
| BPF_K
;
700 insn
->a_reg
= TMP_REG
;
705 insn
->code
= BPF_JMP
| BPF_EXIT
;
708 BUILD_BUG_ON(FIELD_SIZEOF(struct net_device
, ifindex
) != 4);
709 BUILD_BUG_ON(FIELD_SIZEOF(struct net_device
, type
) != 2);
712 insn
->x_reg
= TMP_REG
;
714 if (fp
->k
== SKF_AD_OFF
+ SKF_AD_IFINDEX
) {
715 insn
->code
= BPF_LDX
| BPF_MEM
| BPF_W
;
716 insn
->off
= offsetof(struct net_device
, ifindex
);
718 insn
->code
= BPF_LDX
| BPF_MEM
| BPF_H
;
719 insn
->off
= offsetof(struct net_device
, type
);
723 case SKF_AD_OFF
+ SKF_AD_MARK
:
724 BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff
, mark
) != 4);
726 insn
->code
= BPF_LDX
| BPF_MEM
| BPF_W
;
728 insn
->x_reg
= CTX_REG
;
729 insn
->off
= offsetof(struct sk_buff
, mark
);
732 case SKF_AD_OFF
+ SKF_AD_RXHASH
:
733 BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff
, hash
) != 4);
735 insn
->code
= BPF_LDX
| BPF_MEM
| BPF_W
;
737 insn
->x_reg
= CTX_REG
;
738 insn
->off
= offsetof(struct sk_buff
, hash
);
741 case SKF_AD_OFF
+ SKF_AD_QUEUE
:
742 BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff
, queue_mapping
) != 2);
744 insn
->code
= BPF_LDX
| BPF_MEM
| BPF_H
;
746 insn
->x_reg
= CTX_REG
;
747 insn
->off
= offsetof(struct sk_buff
, queue_mapping
);
750 case SKF_AD_OFF
+ SKF_AD_VLAN_TAG
:
751 case SKF_AD_OFF
+ SKF_AD_VLAN_TAG_PRESENT
:
752 BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff
, vlan_tci
) != 2);
754 insn
->code
= BPF_LDX
| BPF_MEM
| BPF_H
;
756 insn
->x_reg
= CTX_REG
;
757 insn
->off
= offsetof(struct sk_buff
, vlan_tci
);
760 BUILD_BUG_ON(VLAN_TAG_PRESENT
!= 0x1000);
762 if (fp
->k
== SKF_AD_OFF
+ SKF_AD_VLAN_TAG
) {
763 insn
->code
= BPF_ALU
| BPF_AND
| BPF_K
;
765 insn
->imm
= ~VLAN_TAG_PRESENT
;
767 insn
->code
= BPF_ALU
| BPF_RSH
| BPF_K
;
772 insn
->code
= BPF_ALU
| BPF_AND
| BPF_K
;
778 case SKF_AD_OFF
+ SKF_AD_PAY_OFFSET
:
779 case SKF_AD_OFF
+ SKF_AD_NLATTR
:
780 case SKF_AD_OFF
+ SKF_AD_NLATTR_NEST
:
781 case SKF_AD_OFF
+ SKF_AD_CPU
:
783 insn
->code
= BPF_ALU64
| BPF_MOV
| BPF_X
;
784 insn
->a_reg
= ARG1_REG
;
785 insn
->x_reg
= CTX_REG
;
789 insn
->code
= BPF_ALU64
| BPF_MOV
| BPF_X
;
790 insn
->a_reg
= ARG2_REG
;
795 insn
->code
= BPF_ALU64
| BPF_MOV
| BPF_X
;
796 insn
->a_reg
= ARG3_REG
;
800 /* Emit call(ctx, arg2=A, arg3=X) */
801 insn
->code
= BPF_JMP
| BPF_CALL
;
803 case SKF_AD_OFF
+ SKF_AD_PAY_OFFSET
:
804 insn
->imm
= __skb_get_pay_offset
- __bpf_call_base
;
806 case SKF_AD_OFF
+ SKF_AD_NLATTR
:
807 insn
->imm
= __skb_get_nlattr
- __bpf_call_base
;
809 case SKF_AD_OFF
+ SKF_AD_NLATTR_NEST
:
810 insn
->imm
= __skb_get_nlattr_nest
- __bpf_call_base
;
812 case SKF_AD_OFF
+ SKF_AD_CPU
:
813 insn
->imm
= __get_raw_cpu_id
- __bpf_call_base
;
818 case SKF_AD_OFF
+ SKF_AD_ALU_XOR_X
:
819 insn
->code
= BPF_ALU
| BPF_XOR
| BPF_X
;
825 /* This is just a dummy call to avoid letting the compiler
826 * evict __bpf_call_base() as an optimization. Placed here
827 * where no-one bothers.
829 BUG_ON(__bpf_call_base(0, 0, 0, 0, 0) != 0);
838 * sk_convert_filter - convert filter program
839 * @prog: the user passed filter program
840 * @len: the length of the user passed filter program
841 * @new_prog: buffer where converted program will be stored
842 * @new_len: pointer to store length of converted program
844 * Remap 'sock_filter' style BPF instruction set to 'sock_filter_ext' style.
845 * Conversion workflow:
847 * 1) First pass for calculating the new program length:
848 * sk_convert_filter(old_prog, old_len, NULL, &new_len)
850 * 2) 2nd pass to remap in two passes: 1st pass finds new
851 * jump offsets, 2nd pass remapping:
852 * new_prog = kmalloc(sizeof(struct sock_filter_int) * new_len);
853 * sk_convert_filter(old_prog, old_len, new_prog, &new_len);
855 * User BPF's register A is mapped to our BPF register 6, user BPF
856 * register X is mapped to BPF register 7; frame pointer is always
857 * register 10; Context 'void *ctx' is stored in register 1, that is,
858 * for socket filters: ctx == 'struct sk_buff *', for seccomp:
859 * ctx == 'struct seccomp_data *'.
861 int sk_convert_filter(struct sock_filter
*prog
, int len
,
862 struct sock_filter_int
*new_prog
, int *new_len
)
864 int new_flen
= 0, pass
= 0, target
, i
;
865 struct sock_filter_int
*new_insn
;
866 struct sock_filter
*fp
;
870 BUILD_BUG_ON(BPF_MEMWORDS
* sizeof(u32
) > MAX_BPF_STACK
);
871 BUILD_BUG_ON(FP_REG
+ 1 != MAX_BPF_REG
);
873 if (len
<= 0 || len
>= BPF_MAXINSNS
)
877 addrs
= kzalloc(len
* sizeof(*addrs
), GFP_KERNEL
);
887 new_insn
->code
= BPF_ALU64
| BPF_MOV
| BPF_X
;
888 new_insn
->a_reg
= CTX_REG
;
889 new_insn
->x_reg
= ARG1_REG
;
893 for (i
= 0; i
< len
; fp
++, i
++) {
894 struct sock_filter_int tmp_insns
[6] = { };
895 struct sock_filter_int
*insn
= tmp_insns
;
898 addrs
[i
] = new_insn
- new_prog
;
901 /* All arithmetic insns and skb loads map as-is. */
902 case BPF_ALU
| BPF_ADD
| BPF_X
:
903 case BPF_ALU
| BPF_ADD
| BPF_K
:
904 case BPF_ALU
| BPF_SUB
| BPF_X
:
905 case BPF_ALU
| BPF_SUB
| BPF_K
:
906 case BPF_ALU
| BPF_AND
| BPF_X
:
907 case BPF_ALU
| BPF_AND
| BPF_K
:
908 case BPF_ALU
| BPF_OR
| BPF_X
:
909 case BPF_ALU
| BPF_OR
| BPF_K
:
910 case BPF_ALU
| BPF_LSH
| BPF_X
:
911 case BPF_ALU
| BPF_LSH
| BPF_K
:
912 case BPF_ALU
| BPF_RSH
| BPF_X
:
913 case BPF_ALU
| BPF_RSH
| BPF_K
:
914 case BPF_ALU
| BPF_XOR
| BPF_X
:
915 case BPF_ALU
| BPF_XOR
| BPF_K
:
916 case BPF_ALU
| BPF_MUL
| BPF_X
:
917 case BPF_ALU
| BPF_MUL
| BPF_K
:
918 case BPF_ALU
| BPF_DIV
| BPF_X
:
919 case BPF_ALU
| BPF_DIV
| BPF_K
:
920 case BPF_ALU
| BPF_MOD
| BPF_X
:
921 case BPF_ALU
| BPF_MOD
| BPF_K
:
922 case BPF_ALU
| BPF_NEG
:
923 case BPF_LD
| BPF_ABS
| BPF_W
:
924 case BPF_LD
| BPF_ABS
| BPF_H
:
925 case BPF_LD
| BPF_ABS
| BPF_B
:
926 case BPF_LD
| BPF_IND
| BPF_W
:
927 case BPF_LD
| BPF_IND
| BPF_H
:
928 case BPF_LD
| BPF_IND
| BPF_B
:
929 /* Check for overloaded BPF extension and
930 * directly convert it if found, otherwise
931 * just move on with mapping.
933 if (BPF_CLASS(fp
->code
) == BPF_LD
&&
934 BPF_MODE(fp
->code
) == BPF_ABS
&&
935 convert_bpf_extensions(fp
, &insn
))
938 insn
->code
= fp
->code
;
944 /* Jump opcodes map as-is, but offsets need adjustment. */
945 case BPF_JMP
| BPF_JA
:
946 target
= i
+ fp
->k
+ 1;
947 insn
->code
= fp
->code
;
950 if (target >= len || target < 0) \
952 insn->off = addrs ? addrs[target] - addrs[i] - 1 : 0; \
953 /* Adjust pc relative offset for 2nd or 3rd insn. */ \
954 insn->off -= insn - tmp_insns; \
960 case BPF_JMP
| BPF_JEQ
| BPF_K
:
961 case BPF_JMP
| BPF_JEQ
| BPF_X
:
962 case BPF_JMP
| BPF_JSET
| BPF_K
:
963 case BPF_JMP
| BPF_JSET
| BPF_X
:
964 case BPF_JMP
| BPF_JGT
| BPF_K
:
965 case BPF_JMP
| BPF_JGT
| BPF_X
:
966 case BPF_JMP
| BPF_JGE
| BPF_K
:
967 case BPF_JMP
| BPF_JGE
| BPF_X
:
968 if (BPF_SRC(fp
->code
) == BPF_K
&& (int) fp
->k
< 0) {
969 /* BPF immediates are signed, zero extend
970 * immediate into tmp register and use it
973 insn
->code
= BPF_ALU
| BPF_MOV
| BPF_K
;
974 insn
->a_reg
= TMP_REG
;
979 insn
->x_reg
= TMP_REG
;
985 bpf_src
= BPF_SRC(fp
->code
);
988 /* Common case where 'jump_false' is next insn. */
990 insn
->code
= BPF_JMP
| BPF_OP(fp
->code
) | bpf_src
;
991 target
= i
+ fp
->jt
+ 1;
996 /* Convert JEQ into JNE when 'jump_true' is next insn. */
997 if (fp
->jt
== 0 && BPF_OP(fp
->code
) == BPF_JEQ
) {
998 insn
->code
= BPF_JMP
| BPF_JNE
| bpf_src
;
999 target
= i
+ fp
->jf
+ 1;
1004 /* Other jumps are mapped into two insns: Jxx and JA. */
1005 target
= i
+ fp
->jt
+ 1;
1006 insn
->code
= BPF_JMP
| BPF_OP(fp
->code
) | bpf_src
;
1010 insn
->code
= BPF_JMP
| BPF_JA
;
1011 target
= i
+ fp
->jf
+ 1;
1015 /* ldxb 4 * ([14] & 0xf) is remaped into 6 insns. */
1016 case BPF_LDX
| BPF_MSH
| BPF_B
:
1017 insn
->code
= BPF_ALU64
| BPF_MOV
| BPF_X
;
1018 insn
->a_reg
= TMP_REG
;
1019 insn
->x_reg
= A_REG
;
1022 insn
->code
= BPF_LD
| BPF_ABS
| BPF_B
;
1023 insn
->a_reg
= A_REG
;
1027 insn
->code
= BPF_ALU
| BPF_AND
| BPF_K
;
1028 insn
->a_reg
= A_REG
;
1032 insn
->code
= BPF_ALU
| BPF_LSH
| BPF_K
;
1033 insn
->a_reg
= A_REG
;
1037 insn
->code
= BPF_ALU64
| BPF_MOV
| BPF_X
;
1038 insn
->a_reg
= X_REG
;
1039 insn
->x_reg
= A_REG
;
1042 insn
->code
= BPF_ALU64
| BPF_MOV
| BPF_X
;
1043 insn
->a_reg
= A_REG
;
1044 insn
->x_reg
= TMP_REG
;
1047 /* RET_K, RET_A are remaped into 2 insns. */
1048 case BPF_RET
| BPF_A
:
1049 case BPF_RET
| BPF_K
:
1050 insn
->code
= BPF_ALU
| BPF_MOV
|
1051 (BPF_RVAL(fp
->code
) == BPF_K
?
1054 insn
->x_reg
= A_REG
;
1058 insn
->code
= BPF_JMP
| BPF_EXIT
;
1061 /* Store to stack. */
1064 insn
->code
= BPF_STX
| BPF_MEM
| BPF_W
;
1065 insn
->a_reg
= FP_REG
;
1066 insn
->x_reg
= fp
->code
== BPF_ST
? A_REG
: X_REG
;
1067 insn
->off
= -(BPF_MEMWORDS
- fp
->k
) * 4;
1070 /* Load from stack. */
1071 case BPF_LD
| BPF_MEM
:
1072 case BPF_LDX
| BPF_MEM
:
1073 insn
->code
= BPF_LDX
| BPF_MEM
| BPF_W
;
1074 insn
->a_reg
= BPF_CLASS(fp
->code
) == BPF_LD
?
1076 insn
->x_reg
= FP_REG
;
1077 insn
->off
= -(BPF_MEMWORDS
- fp
->k
) * 4;
1080 /* A = K or X = K */
1081 case BPF_LD
| BPF_IMM
:
1082 case BPF_LDX
| BPF_IMM
:
1083 insn
->code
= BPF_ALU
| BPF_MOV
| BPF_K
;
1084 insn
->a_reg
= BPF_CLASS(fp
->code
) == BPF_LD
?
1090 case BPF_MISC
| BPF_TAX
:
1091 insn
->code
= BPF_ALU64
| BPF_MOV
| BPF_X
;
1092 insn
->a_reg
= X_REG
;
1093 insn
->x_reg
= A_REG
;
1097 case BPF_MISC
| BPF_TXA
:
1098 insn
->code
= BPF_ALU64
| BPF_MOV
| BPF_X
;
1099 insn
->a_reg
= A_REG
;
1100 insn
->x_reg
= X_REG
;
1103 /* A = skb->len or X = skb->len */
1104 case BPF_LD
| BPF_W
| BPF_LEN
:
1105 case BPF_LDX
| BPF_W
| BPF_LEN
:
1106 insn
->code
= BPF_LDX
| BPF_MEM
| BPF_W
;
1107 insn
->a_reg
= BPF_CLASS(fp
->code
) == BPF_LD
?
1109 insn
->x_reg
= CTX_REG
;
1110 insn
->off
= offsetof(struct sk_buff
, len
);
1113 /* access seccomp_data fields */
1114 case BPF_LDX
| BPF_ABS
| BPF_W
:
1115 insn
->code
= BPF_LDX
| BPF_MEM
| BPF_W
;
1116 insn
->a_reg
= A_REG
;
1117 insn
->x_reg
= CTX_REG
;
1127 memcpy(new_insn
, tmp_insns
,
1128 sizeof(*insn
) * (insn
- tmp_insns
));
1130 new_insn
+= insn
- tmp_insns
;
1134 /* Only calculating new length. */
1135 *new_len
= new_insn
- new_prog
;
1140 if (new_flen
!= new_insn
- new_prog
) {
1141 new_flen
= new_insn
- new_prog
;
1149 BUG_ON(*new_len
!= new_flen
);
1158 * A BPF program is able to use 16 cells of memory to store intermediate
1159 * values (check u32 mem[BPF_MEMWORDS] in sk_run_filter()).
1161 * As we dont want to clear mem[] array for each packet going through
1162 * sk_run_filter(), we check that filter loaded by user never try to read
1163 * a cell if not previously written, and we check all branches to be sure
1164 * a malicious user doesn't try to abuse us.
1166 static int check_load_and_stores(struct sock_filter
*filter
, int flen
)
1168 u16
*masks
, memvalid
= 0; /* one bit per cell, 16 cells */
1171 BUILD_BUG_ON(BPF_MEMWORDS
> 16);
1172 masks
= kmalloc(flen
* sizeof(*masks
), GFP_KERNEL
);
1175 memset(masks
, 0xff, flen
* sizeof(*masks
));
1177 for (pc
= 0; pc
< flen
; pc
++) {
1178 memvalid
&= masks
[pc
];
1180 switch (filter
[pc
].code
) {
1183 memvalid
|= (1 << filter
[pc
].k
);
1187 if (!(memvalid
& (1 << filter
[pc
].k
))) {
1193 /* a jump must set masks on target */
1194 masks
[pc
+ 1 + filter
[pc
].k
] &= memvalid
;
1197 case BPF_S_JMP_JEQ_K
:
1198 case BPF_S_JMP_JEQ_X
:
1199 case BPF_S_JMP_JGE_K
:
1200 case BPF_S_JMP_JGE_X
:
1201 case BPF_S_JMP_JGT_K
:
1202 case BPF_S_JMP_JGT_X
:
1203 case BPF_S_JMP_JSET_X
:
1204 case BPF_S_JMP_JSET_K
:
1205 /* a jump must set masks on targets */
1206 masks
[pc
+ 1 + filter
[pc
].jt
] &= memvalid
;
1207 masks
[pc
+ 1 + filter
[pc
].jf
] &= memvalid
;
1218 * sk_chk_filter - verify socket filter code
1219 * @filter: filter to verify
1220 * @flen: length of filter
1222 * Check the user's filter code. If we let some ugly
1223 * filter code slip through kaboom! The filter must contain
1224 * no references or jumps that are out of range, no illegal
1225 * instructions, and must end with a RET instruction.
1227 * All jumps are forward as they are not signed.
1229 * Returns 0 if the rule set is legal or -EINVAL if not.
1231 int sk_chk_filter(struct sock_filter
*filter
, unsigned int flen
)
1234 * Valid instructions are initialized to non-0.
1235 * Invalid instructions are initialized to 0.
1237 static const u8 codes
[] = {
1238 [BPF_ALU
|BPF_ADD
|BPF_K
] = BPF_S_ALU_ADD_K
,
1239 [BPF_ALU
|BPF_ADD
|BPF_X
] = BPF_S_ALU_ADD_X
,
1240 [BPF_ALU
|BPF_SUB
|BPF_K
] = BPF_S_ALU_SUB_K
,
1241 [BPF_ALU
|BPF_SUB
|BPF_X
] = BPF_S_ALU_SUB_X
,
1242 [BPF_ALU
|BPF_MUL
|BPF_K
] = BPF_S_ALU_MUL_K
,
1243 [BPF_ALU
|BPF_MUL
|BPF_X
] = BPF_S_ALU_MUL_X
,
1244 [BPF_ALU
|BPF_DIV
|BPF_X
] = BPF_S_ALU_DIV_X
,
1245 [BPF_ALU
|BPF_MOD
|BPF_K
] = BPF_S_ALU_MOD_K
,
1246 [BPF_ALU
|BPF_MOD
|BPF_X
] = BPF_S_ALU_MOD_X
,
1247 [BPF_ALU
|BPF_AND
|BPF_K
] = BPF_S_ALU_AND_K
,
1248 [BPF_ALU
|BPF_AND
|BPF_X
] = BPF_S_ALU_AND_X
,
1249 [BPF_ALU
|BPF_OR
|BPF_K
] = BPF_S_ALU_OR_K
,
1250 [BPF_ALU
|BPF_OR
|BPF_X
] = BPF_S_ALU_OR_X
,
1251 [BPF_ALU
|BPF_XOR
|BPF_K
] = BPF_S_ALU_XOR_K
,
1252 [BPF_ALU
|BPF_XOR
|BPF_X
] = BPF_S_ALU_XOR_X
,
1253 [BPF_ALU
|BPF_LSH
|BPF_K
] = BPF_S_ALU_LSH_K
,
1254 [BPF_ALU
|BPF_LSH
|BPF_X
] = BPF_S_ALU_LSH_X
,
1255 [BPF_ALU
|BPF_RSH
|BPF_K
] = BPF_S_ALU_RSH_K
,
1256 [BPF_ALU
|BPF_RSH
|BPF_X
] = BPF_S_ALU_RSH_X
,
1257 [BPF_ALU
|BPF_NEG
] = BPF_S_ALU_NEG
,
1258 [BPF_LD
|BPF_W
|BPF_ABS
] = BPF_S_LD_W_ABS
,
1259 [BPF_LD
|BPF_H
|BPF_ABS
] = BPF_S_LD_H_ABS
,
1260 [BPF_LD
|BPF_B
|BPF_ABS
] = BPF_S_LD_B_ABS
,
1261 [BPF_LD
|BPF_W
|BPF_LEN
] = BPF_S_LD_W_LEN
,
1262 [BPF_LD
|BPF_W
|BPF_IND
] = BPF_S_LD_W_IND
,
1263 [BPF_LD
|BPF_H
|BPF_IND
] = BPF_S_LD_H_IND
,
1264 [BPF_LD
|BPF_B
|BPF_IND
] = BPF_S_LD_B_IND
,
1265 [BPF_LD
|BPF_IMM
] = BPF_S_LD_IMM
,
1266 [BPF_LDX
|BPF_W
|BPF_LEN
] = BPF_S_LDX_W_LEN
,
1267 [BPF_LDX
|BPF_B
|BPF_MSH
] = BPF_S_LDX_B_MSH
,
1268 [BPF_LDX
|BPF_IMM
] = BPF_S_LDX_IMM
,
1269 [BPF_MISC
|BPF_TAX
] = BPF_S_MISC_TAX
,
1270 [BPF_MISC
|BPF_TXA
] = BPF_S_MISC_TXA
,
1271 [BPF_RET
|BPF_K
] = BPF_S_RET_K
,
1272 [BPF_RET
|BPF_A
] = BPF_S_RET_A
,
1273 [BPF_ALU
|BPF_DIV
|BPF_K
] = BPF_S_ALU_DIV_K
,
1274 [BPF_LD
|BPF_MEM
] = BPF_S_LD_MEM
,
1275 [BPF_LDX
|BPF_MEM
] = BPF_S_LDX_MEM
,
1276 [BPF_ST
] = BPF_S_ST
,
1277 [BPF_STX
] = BPF_S_STX
,
1278 [BPF_JMP
|BPF_JA
] = BPF_S_JMP_JA
,
1279 [BPF_JMP
|BPF_JEQ
|BPF_K
] = BPF_S_JMP_JEQ_K
,
1280 [BPF_JMP
|BPF_JEQ
|BPF_X
] = BPF_S_JMP_JEQ_X
,
1281 [BPF_JMP
|BPF_JGE
|BPF_K
] = BPF_S_JMP_JGE_K
,
1282 [BPF_JMP
|BPF_JGE
|BPF_X
] = BPF_S_JMP_JGE_X
,
1283 [BPF_JMP
|BPF_JGT
|BPF_K
] = BPF_S_JMP_JGT_K
,
1284 [BPF_JMP
|BPF_JGT
|BPF_X
] = BPF_S_JMP_JGT_X
,
1285 [BPF_JMP
|BPF_JSET
|BPF_K
] = BPF_S_JMP_JSET_K
,
1286 [BPF_JMP
|BPF_JSET
|BPF_X
] = BPF_S_JMP_JSET_X
,
1291 if (flen
== 0 || flen
> BPF_MAXINSNS
)
1294 /* check the filter code now */
1295 for (pc
= 0; pc
< flen
; pc
++) {
1296 struct sock_filter
*ftest
= &filter
[pc
];
1297 u16 code
= ftest
->code
;
1299 if (code
>= ARRAY_SIZE(codes
))
1304 /* Some instructions need special checks */
1306 case BPF_S_ALU_DIV_K
:
1307 case BPF_S_ALU_MOD_K
:
1308 /* check for division by zero */
1316 /* check for invalid memory addresses */
1317 if (ftest
->k
>= BPF_MEMWORDS
)
1322 * Note, the large ftest->k might cause loops.
1323 * Compare this with conditional jumps below,
1324 * where offsets are limited. --ANK (981016)
1326 if (ftest
->k
>= (unsigned int)(flen
-pc
-1))
1329 case BPF_S_JMP_JEQ_K
:
1330 case BPF_S_JMP_JEQ_X
:
1331 case BPF_S_JMP_JGE_K
:
1332 case BPF_S_JMP_JGE_X
:
1333 case BPF_S_JMP_JGT_K
:
1334 case BPF_S_JMP_JGT_X
:
1335 case BPF_S_JMP_JSET_X
:
1336 case BPF_S_JMP_JSET_K
:
1337 /* for conditionals both must be safe */
1338 if (pc
+ ftest
->jt
+ 1 >= flen
||
1339 pc
+ ftest
->jf
+ 1 >= flen
)
1342 case BPF_S_LD_W_ABS
:
1343 case BPF_S_LD_H_ABS
:
1344 case BPF_S_LD_B_ABS
:
1346 #define ANCILLARY(CODE) case SKF_AD_OFF + SKF_AD_##CODE: \
1347 code = BPF_S_ANC_##CODE; \
1351 ANCILLARY(PROTOCOL
);
1355 ANCILLARY(NLATTR_NEST
);
1361 ANCILLARY(ALU_XOR_X
);
1362 ANCILLARY(VLAN_TAG
);
1363 ANCILLARY(VLAN_TAG_PRESENT
);
1364 ANCILLARY(PAY_OFFSET
);
1367 /* ancillary operation unknown or unsupported */
1368 if (anc_found
== false && ftest
->k
>= SKF_AD_OFF
)
1374 /* last instruction must be a RET code */
1375 switch (filter
[flen
- 1].code
) {
1378 return check_load_and_stores(filter
, flen
);
1382 EXPORT_SYMBOL(sk_chk_filter
);
1384 static int sk_store_orig_filter(struct sk_filter
*fp
,
1385 const struct sock_fprog
*fprog
)
1387 unsigned int fsize
= sk_filter_proglen(fprog
);
1388 struct sock_fprog_kern
*fkprog
;
1390 fp
->orig_prog
= kmalloc(sizeof(*fkprog
), GFP_KERNEL
);
1394 fkprog
= fp
->orig_prog
;
1395 fkprog
->len
= fprog
->len
;
1396 fkprog
->filter
= kmemdup(fp
->insns
, fsize
, GFP_KERNEL
);
1397 if (!fkprog
->filter
) {
1398 kfree(fp
->orig_prog
);
1405 static void sk_release_orig_filter(struct sk_filter
*fp
)
1407 struct sock_fprog_kern
*fprog
= fp
->orig_prog
;
1410 kfree(fprog
->filter
);
1416 * sk_filter_release_rcu - Release a socket filter by rcu_head
1417 * @rcu: rcu_head that contains the sk_filter to free
1419 static void sk_filter_release_rcu(struct rcu_head
*rcu
)
1421 struct sk_filter
*fp
= container_of(rcu
, struct sk_filter
, rcu
);
1423 sk_release_orig_filter(fp
);
1428 * sk_filter_release - release a socket filter
1429 * @fp: filter to remove
1431 * Remove a filter from a socket and release its resources.
1433 static void sk_filter_release(struct sk_filter
*fp
)
1435 if (atomic_dec_and_test(&fp
->refcnt
))
1436 call_rcu(&fp
->rcu
, sk_filter_release_rcu
);
1439 void sk_filter_uncharge(struct sock
*sk
, struct sk_filter
*fp
)
1441 atomic_sub(sk_filter_size(fp
->len
), &sk
->sk_omem_alloc
);
1442 sk_filter_release(fp
);
1445 void sk_filter_charge(struct sock
*sk
, struct sk_filter
*fp
)
1447 atomic_inc(&fp
->refcnt
);
1448 atomic_add(sk_filter_size(fp
->len
), &sk
->sk_omem_alloc
);
1451 static struct sk_filter
*__sk_migrate_realloc(struct sk_filter
*fp
,
1455 struct sk_filter
*fp_new
;
1458 return krealloc(fp
, len
, GFP_KERNEL
);
1460 fp_new
= sock_kmalloc(sk
, len
, GFP_KERNEL
);
1462 memcpy(fp_new
, fp
, sizeof(struct sk_filter
));
1463 /* As we're kepping orig_prog in fp_new along,
1464 * we need to make sure we're not evicting it
1467 fp
->orig_prog
= NULL
;
1468 sk_filter_uncharge(sk
, fp
);
1474 static struct sk_filter
*__sk_migrate_filter(struct sk_filter
*fp
,
1477 struct sock_filter
*old_prog
;
1478 struct sk_filter
*old_fp
;
1479 int i
, err
, new_len
, old_len
= fp
->len
;
1481 /* We are free to overwrite insns et al right here as it
1482 * won't be used at this point in time anymore internally
1483 * after the migration to the internal BPF instruction
1486 BUILD_BUG_ON(sizeof(struct sock_filter
) !=
1487 sizeof(struct sock_filter_int
));
1489 /* For now, we need to unfiddle BPF_S_* identifiers in place.
1490 * This can sooner or later on be subject to removal, e.g. when
1491 * JITs have been converted.
1493 for (i
= 0; i
< fp
->len
; i
++)
1494 sk_decode_filter(&fp
->insns
[i
], &fp
->insns
[i
]);
1496 /* Conversion cannot happen on overlapping memory areas,
1497 * so we need to keep the user BPF around until the 2nd
1498 * pass. At this time, the user BPF is stored in fp->insns.
1500 old_prog
= kmemdup(fp
->insns
, old_len
* sizeof(struct sock_filter
),
1507 /* 1st pass: calculate the new program length. */
1508 err
= sk_convert_filter(old_prog
, old_len
, NULL
, &new_len
);
1512 /* Expand fp for appending the new filter representation. */
1514 fp
= __sk_migrate_realloc(old_fp
, sk
, sk_filter_size(new_len
));
1516 /* The old_fp is still around in case we couldn't
1517 * allocate new memory, so uncharge on that one.
1524 fp
->bpf_func
= sk_run_filter_int_skb
;
1527 /* 2nd pass: remap sock_filter insns into sock_filter_int insns. */
1528 err
= sk_convert_filter(old_prog
, old_len
, fp
->insnsi
, &new_len
);
1530 /* 2nd sk_convert_filter() can fail only if it fails
1531 * to allocate memory, remapping must succeed. Note,
1532 * that at this time old_fp has already been released
1533 * by __sk_migrate_realloc().
1543 /* Rollback filter setup. */
1545 sk_filter_uncharge(sk
, fp
);
1548 return ERR_PTR(err
);
1551 static struct sk_filter
*__sk_prepare_filter(struct sk_filter
*fp
,
1556 fp
->bpf_func
= NULL
;
1559 err
= sk_chk_filter(fp
->insns
, fp
->len
);
1561 return ERR_PTR(err
);
1563 /* Probe if we can JIT compile the filter and if so, do
1564 * the compilation of the filter.
1566 bpf_jit_compile(fp
);
1568 /* JIT compiler couldn't process this filter, so do the
1569 * internal BPF translation for the optimized interpreter.
1572 fp
= __sk_migrate_filter(fp
, sk
);
1578 * sk_unattached_filter_create - create an unattached filter
1579 * @fprog: the filter program
1580 * @pfp: the unattached filter that is created
1582 * Create a filter independent of any socket. We first run some
1583 * sanity checks on it to make sure it does not explode on us later.
1584 * If an error occurs or there is insufficient memory for the filter
1585 * a negative errno code is returned. On success the return is zero.
1587 int sk_unattached_filter_create(struct sk_filter
**pfp
,
1588 struct sock_fprog
*fprog
)
1590 unsigned int fsize
= sk_filter_proglen(fprog
);
1591 struct sk_filter
*fp
;
1593 /* Make sure new filter is there and in the right amounts. */
1594 if (fprog
->filter
== NULL
)
1597 fp
= kmalloc(sk_filter_size(fprog
->len
), GFP_KERNEL
);
1601 memcpy(fp
->insns
, fprog
->filter
, fsize
);
1603 atomic_set(&fp
->refcnt
, 1);
1604 fp
->len
= fprog
->len
;
1605 /* Since unattached filters are not copied back to user
1606 * space through sk_get_filter(), we do not need to hold
1607 * a copy here, and can spare us the work.
1609 fp
->orig_prog
= NULL
;
1611 /* __sk_prepare_filter() already takes care of uncharging
1612 * memory in case something goes wrong.
1614 fp
= __sk_prepare_filter(fp
, NULL
);
1621 EXPORT_SYMBOL_GPL(sk_unattached_filter_create
);
1623 void sk_unattached_filter_destroy(struct sk_filter
*fp
)
1625 sk_filter_release(fp
);
1627 EXPORT_SYMBOL_GPL(sk_unattached_filter_destroy
);
1630 * sk_attach_filter - attach a socket filter
1631 * @fprog: the filter program
1632 * @sk: the socket to use
1634 * Attach the user's filter code. We first run some sanity checks on
1635 * it to make sure it does not explode on us later. If an error
1636 * occurs or there is insufficient memory for the filter a negative
1637 * errno code is returned. On success the return is zero.
1639 int sk_attach_filter(struct sock_fprog
*fprog
, struct sock
*sk
)
1641 struct sk_filter
*fp
, *old_fp
;
1642 unsigned int fsize
= sk_filter_proglen(fprog
);
1643 unsigned int sk_fsize
= sk_filter_size(fprog
->len
);
1646 if (sock_flag(sk
, SOCK_FILTER_LOCKED
))
1649 /* Make sure new filter is there and in the right amounts. */
1650 if (fprog
->filter
== NULL
)
1653 fp
= sock_kmalloc(sk
, sk_fsize
, GFP_KERNEL
);
1657 if (copy_from_user(fp
->insns
, fprog
->filter
, fsize
)) {
1658 sock_kfree_s(sk
, fp
, sk_fsize
);
1662 atomic_set(&fp
->refcnt
, 1);
1663 fp
->len
= fprog
->len
;
1665 err
= sk_store_orig_filter(fp
, fprog
);
1667 sk_filter_uncharge(sk
, fp
);
1671 /* __sk_prepare_filter() already takes care of uncharging
1672 * memory in case something goes wrong.
1674 fp
= __sk_prepare_filter(fp
, sk
);
1678 old_fp
= rcu_dereference_protected(sk
->sk_filter
,
1679 sock_owned_by_user(sk
));
1680 rcu_assign_pointer(sk
->sk_filter
, fp
);
1683 sk_filter_uncharge(sk
, old_fp
);
1687 EXPORT_SYMBOL_GPL(sk_attach_filter
);
1689 int sk_detach_filter(struct sock
*sk
)
1692 struct sk_filter
*filter
;
1694 if (sock_flag(sk
, SOCK_FILTER_LOCKED
))
1697 filter
= rcu_dereference_protected(sk
->sk_filter
,
1698 sock_owned_by_user(sk
));
1700 RCU_INIT_POINTER(sk
->sk_filter
, NULL
);
1701 sk_filter_uncharge(sk
, filter
);
1707 EXPORT_SYMBOL_GPL(sk_detach_filter
);
1709 void sk_decode_filter(struct sock_filter
*filt
, struct sock_filter
*to
)
1711 static const u16 decodes
[] = {
1712 [BPF_S_ALU_ADD_K
] = BPF_ALU
|BPF_ADD
|BPF_K
,
1713 [BPF_S_ALU_ADD_X
] = BPF_ALU
|BPF_ADD
|BPF_X
,
1714 [BPF_S_ALU_SUB_K
] = BPF_ALU
|BPF_SUB
|BPF_K
,
1715 [BPF_S_ALU_SUB_X
] = BPF_ALU
|BPF_SUB
|BPF_X
,
1716 [BPF_S_ALU_MUL_K
] = BPF_ALU
|BPF_MUL
|BPF_K
,
1717 [BPF_S_ALU_MUL_X
] = BPF_ALU
|BPF_MUL
|BPF_X
,
1718 [BPF_S_ALU_DIV_X
] = BPF_ALU
|BPF_DIV
|BPF_X
,
1719 [BPF_S_ALU_MOD_K
] = BPF_ALU
|BPF_MOD
|BPF_K
,
1720 [BPF_S_ALU_MOD_X
] = BPF_ALU
|BPF_MOD
|BPF_X
,
1721 [BPF_S_ALU_AND_K
] = BPF_ALU
|BPF_AND
|BPF_K
,
1722 [BPF_S_ALU_AND_X
] = BPF_ALU
|BPF_AND
|BPF_X
,
1723 [BPF_S_ALU_OR_K
] = BPF_ALU
|BPF_OR
|BPF_K
,
1724 [BPF_S_ALU_OR_X
] = BPF_ALU
|BPF_OR
|BPF_X
,
1725 [BPF_S_ALU_XOR_K
] = BPF_ALU
|BPF_XOR
|BPF_K
,
1726 [BPF_S_ALU_XOR_X
] = BPF_ALU
|BPF_XOR
|BPF_X
,
1727 [BPF_S_ALU_LSH_K
] = BPF_ALU
|BPF_LSH
|BPF_K
,
1728 [BPF_S_ALU_LSH_X
] = BPF_ALU
|BPF_LSH
|BPF_X
,
1729 [BPF_S_ALU_RSH_K
] = BPF_ALU
|BPF_RSH
|BPF_K
,
1730 [BPF_S_ALU_RSH_X
] = BPF_ALU
|BPF_RSH
|BPF_X
,
1731 [BPF_S_ALU_NEG
] = BPF_ALU
|BPF_NEG
,
1732 [BPF_S_LD_W_ABS
] = BPF_LD
|BPF_W
|BPF_ABS
,
1733 [BPF_S_LD_H_ABS
] = BPF_LD
|BPF_H
|BPF_ABS
,
1734 [BPF_S_LD_B_ABS
] = BPF_LD
|BPF_B
|BPF_ABS
,
1735 [BPF_S_ANC_PROTOCOL
] = BPF_LD
|BPF_B
|BPF_ABS
,
1736 [BPF_S_ANC_PKTTYPE
] = BPF_LD
|BPF_B
|BPF_ABS
,
1737 [BPF_S_ANC_IFINDEX
] = BPF_LD
|BPF_B
|BPF_ABS
,
1738 [BPF_S_ANC_NLATTR
] = BPF_LD
|BPF_B
|BPF_ABS
,
1739 [BPF_S_ANC_NLATTR_NEST
] = BPF_LD
|BPF_B
|BPF_ABS
,
1740 [BPF_S_ANC_MARK
] = BPF_LD
|BPF_B
|BPF_ABS
,
1741 [BPF_S_ANC_QUEUE
] = BPF_LD
|BPF_B
|BPF_ABS
,
1742 [BPF_S_ANC_HATYPE
] = BPF_LD
|BPF_B
|BPF_ABS
,
1743 [BPF_S_ANC_RXHASH
] = BPF_LD
|BPF_B
|BPF_ABS
,
1744 [BPF_S_ANC_CPU
] = BPF_LD
|BPF_B
|BPF_ABS
,
1745 [BPF_S_ANC_ALU_XOR_X
] = BPF_LD
|BPF_B
|BPF_ABS
,
1746 [BPF_S_ANC_VLAN_TAG
] = BPF_LD
|BPF_B
|BPF_ABS
,
1747 [BPF_S_ANC_VLAN_TAG_PRESENT
] = BPF_LD
|BPF_B
|BPF_ABS
,
1748 [BPF_S_ANC_PAY_OFFSET
] = BPF_LD
|BPF_B
|BPF_ABS
,
1749 [BPF_S_LD_W_LEN
] = BPF_LD
|BPF_W
|BPF_LEN
,
1750 [BPF_S_LD_W_IND
] = BPF_LD
|BPF_W
|BPF_IND
,
1751 [BPF_S_LD_H_IND
] = BPF_LD
|BPF_H
|BPF_IND
,
1752 [BPF_S_LD_B_IND
] = BPF_LD
|BPF_B
|BPF_IND
,
1753 [BPF_S_LD_IMM
] = BPF_LD
|BPF_IMM
,
1754 [BPF_S_LDX_W_LEN
] = BPF_LDX
|BPF_W
|BPF_LEN
,
1755 [BPF_S_LDX_B_MSH
] = BPF_LDX
|BPF_B
|BPF_MSH
,
1756 [BPF_S_LDX_IMM
] = BPF_LDX
|BPF_IMM
,
1757 [BPF_S_MISC_TAX
] = BPF_MISC
|BPF_TAX
,
1758 [BPF_S_MISC_TXA
] = BPF_MISC
|BPF_TXA
,
1759 [BPF_S_RET_K
] = BPF_RET
|BPF_K
,
1760 [BPF_S_RET_A
] = BPF_RET
|BPF_A
,
1761 [BPF_S_ALU_DIV_K
] = BPF_ALU
|BPF_DIV
|BPF_K
,
1762 [BPF_S_LD_MEM
] = BPF_LD
|BPF_MEM
,
1763 [BPF_S_LDX_MEM
] = BPF_LDX
|BPF_MEM
,
1764 [BPF_S_ST
] = BPF_ST
,
1765 [BPF_S_STX
] = BPF_STX
,
1766 [BPF_S_JMP_JA
] = BPF_JMP
|BPF_JA
,
1767 [BPF_S_JMP_JEQ_K
] = BPF_JMP
|BPF_JEQ
|BPF_K
,
1768 [BPF_S_JMP_JEQ_X
] = BPF_JMP
|BPF_JEQ
|BPF_X
,
1769 [BPF_S_JMP_JGE_K
] = BPF_JMP
|BPF_JGE
|BPF_K
,
1770 [BPF_S_JMP_JGE_X
] = BPF_JMP
|BPF_JGE
|BPF_X
,
1771 [BPF_S_JMP_JGT_K
] = BPF_JMP
|BPF_JGT
|BPF_K
,
1772 [BPF_S_JMP_JGT_X
] = BPF_JMP
|BPF_JGT
|BPF_X
,
1773 [BPF_S_JMP_JSET_K
] = BPF_JMP
|BPF_JSET
|BPF_K
,
1774 [BPF_S_JMP_JSET_X
] = BPF_JMP
|BPF_JSET
|BPF_X
,
1780 to
->code
= decodes
[code
];
1786 int sk_get_filter(struct sock
*sk
, struct sock_filter __user
*ubuf
,
1789 struct sock_fprog_kern
*fprog
;
1790 struct sk_filter
*filter
;
1794 filter
= rcu_dereference_protected(sk
->sk_filter
,
1795 sock_owned_by_user(sk
));
1799 /* We're copying the filter that has been originally attached,
1800 * so no conversion/decode needed anymore.
1802 fprog
= filter
->orig_prog
;
1806 /* User space only enquires number of filter blocks. */
1810 if (len
< fprog
->len
)
1814 if (copy_to_user(ubuf
, fprog
->filter
, sk_filter_proglen(fprog
)))
1817 /* Instead of bytes, the API requests to return the number