2 * Linux Socket Filter - Kernel level socket filtering
4 * Based on the design of the Berkeley Packet Filter. The new
5 * internal format has been designed by PLUMgrid:
7 * Copyright (c) 2011 - 2014 PLUMgrid, http://plumgrid.com
11 * Jay Schulist <jschlst@samba.org>
12 * Alexei Starovoitov <ast@plumgrid.com>
13 * Daniel Borkmann <dborkman@redhat.com>
15 * This program is free software; you can redistribute it and/or
16 * modify it under the terms of the GNU General Public License
17 * as published by the Free Software Foundation; either version
18 * 2 of the License, or (at your option) any later version.
20 * Andi Kleen - Fix a few bad bugs and races.
21 * Kris Katterjohn - Added many additional checks in sk_chk_filter()
24 #include <linux/module.h>
25 #include <linux/types.h>
27 #include <linux/fcntl.h>
28 #include <linux/socket.h>
30 #include <linux/inet.h>
31 #include <linux/netdevice.h>
32 #include <linux/if_packet.h>
33 #include <linux/gfp.h>
35 #include <net/protocol.h>
36 #include <net/netlink.h>
37 #include <linux/skbuff.h>
39 #include <linux/errno.h>
40 #include <linux/timer.h>
41 #include <asm/uaccess.h>
42 #include <asm/unaligned.h>
43 #include <linux/filter.h>
44 #include <linux/ratelimit.h>
45 #include <linux/seccomp.h>
46 #include <linux/if_vlan.h>
49 #define BPF_R0 regs[BPF_REG_0]
50 #define BPF_R1 regs[BPF_REG_1]
51 #define BPF_R2 regs[BPF_REG_2]
52 #define BPF_R3 regs[BPF_REG_3]
53 #define BPF_R4 regs[BPF_REG_4]
54 #define BPF_R5 regs[BPF_REG_5]
55 #define BPF_R6 regs[BPF_REG_6]
56 #define BPF_R7 regs[BPF_REG_7]
57 #define BPF_R8 regs[BPF_REG_8]
58 #define BPF_R9 regs[BPF_REG_9]
59 #define BPF_R10 regs[BPF_REG_10]
62 #define A regs[insn->a_reg]
63 #define X regs[insn->x_reg]
64 #define FP regs[BPF_REG_FP]
65 #define ARG1 regs[BPF_REG_ARG1]
66 #define CTX regs[BPF_REG_CTX]
69 /* No hurry in this branch
71 * Exported for the bpf jit load helper.
73 void *bpf_internal_load_pointer_neg_helper(const struct sk_buff *skb, int k, unsigned int size)
78 ptr = skb_network_header(skb) + k - SKF_NET_OFF;
79 else if (k >= SKF_LL_OFF)
80 ptr = skb_mac_header(skb) + k - SKF_LL_OFF;
81 if (ptr >= skb->head && ptr + size <= skb_tail_pointer(skb))
87 static inline void *load_pointer(const struct sk_buff *skb, int k,
88 unsigned int size, void *buffer)
91 return skb_header_pointer(skb, k, size, buffer);
93 return bpf_internal_load_pointer_neg_helper(skb, k, size);
97 * sk_filter - run a packet through a socket filter
98 * @sk: sock associated with &sk_buff
99 * @skb: buffer to filter
101 * Run the filter code and then cut skb->data to correct size returned by
102 * sk_run_filter. If pkt_len is 0 we toss packet. If skb->len is smaller
103 * than pkt_len we keep whole skb->data. This is the socket level
104 * wrapper to sk_run_filter. It returns 0 if the packet should
105 * be accepted or -EPERM if the packet should be tossed.
108 int sk_filter(struct sock *sk, struct sk_buff *skb)
111 struct sk_filter *filter;
114 * If the skb was allocated from pfmemalloc reserves, only
115 * allow SOCK_MEMALLOC sockets to use it as this socket is
116 * helping free memory
118 if (skb_pfmemalloc(skb) && !sock_flag(sk, SOCK_MEMALLOC))
121 err = security_sock_rcv_skb(sk, skb);
126 filter = rcu_dereference(sk->sk_filter);
128 unsigned int pkt_len = SK_RUN_FILTER(filter, skb);
130 err = pkt_len ? pskb_trim(skb, pkt_len) : -EPERM;
136 EXPORT_SYMBOL(sk_filter);
138 /* Base function for offset calculation. Needs to go into .text section,
139 * therefore keeping it non-static as well; will also be used by JITs
140 * anyway later on, so do not let the compiler omit it.
142 noinline u64 __bpf_call_base(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5)
148 * __sk_run_filter - run a filter on a given context
149 * @ctx: buffer to run the filter on
150 * @insn: filter to apply
152 * Decode and apply filter instructions to the skb->data. Return length to
153 * keep, 0 for none. @ctx is the data we are operating on, @insn is the
154 * array of filter instructions.
156 unsigned int __sk_run_filter(void *ctx, const struct sock_filter_int *insn)
158 u64 stack[MAX_BPF_STACK / sizeof(u64)];
159 u64 regs[MAX_BPF_REG], tmp;
160 static const void *jumptable[256] = {
161 [0 ... 255] = &&default_label,
162 /* Now overwrite non-defaults ... */
163 #define DL(A, B, C) [BPF_##A|BPF_##B|BPF_##C] = &&A##_##B##_##C
256 #define CONT ({ insn++; goto select_insn; })
257 #define CONT_JMP ({ insn++; goto select_insn; })
259 FP = (u64) (unsigned long) &stack[ARRAY_SIZE(stack)];
260 ARG1 = (u64) (unsigned long) ctx;
262 /* Register for user BPF programs need to be reset first. */
267 goto *jumptable[insn->code];
270 #define ALU(OPCODE, OP) \
271 ALU64_##OPCODE##_X: \
275 A = (u32) A OP (u32) X; \
277 ALU64_##OPCODE##_K: \
281 A = (u32) A OP (u32) K; \
318 if (unlikely(X == 0))
324 if (unlikely(X == 0))
327 A = do_div(tmp, (u32) X);
335 A = do_div(tmp, (u32) K);
338 if (unlikely(X == 0))
343 if (unlikely(X == 0))
346 do_div(tmp, (u32) X);
354 do_div(tmp, (u32) K);
360 A = (__force u16) cpu_to_be16(A);
363 A = (__force u32) cpu_to_be32(A);
366 A = (__force u64) cpu_to_be64(A);
373 A = (__force u16) cpu_to_le16(A);
376 A = (__force u32) cpu_to_le32(A);
379 A = (__force u64) cpu_to_le64(A);
386 /* Function call scratches BPF_R1-BPF_R5 registers,
387 * preserves BPF_R6-BPF_R9, and stores return value
390 BPF_R0 = (__bpf_call_base + insn->imm)(BPF_R1, BPF_R2, BPF_R3,
447 if (((s64) A) > ((s64) X)) {
453 if (((s64) A) > ((s64) K)) {
459 if (((s64) A) >= ((s64) X)) {
465 if (((s64) A) >= ((s64) K)) {
485 /* STX and ST and LDX*/
486 #define LDST(SIZEOP, SIZE) \
488 *(SIZE *)(unsigned long) (A + insn->off) = X; \
491 *(SIZE *)(unsigned long) (A + insn->off) = K; \
494 A = *(SIZE *)(unsigned long) (X + insn->off); \
502 STX_XADD_W: /* lock xadd *(u32 *)(A + insn->off) += X */
503 atomic_add((u32) X, (atomic_t *)(unsigned long)
506 STX_XADD_DW: /* lock xadd *(u64 *)(A + insn->off) += X */
507 atomic64_add((u64) X, (atomic64_t *)(unsigned long)
510 LD_ABS_W: /* BPF_R0 = ntohl(*(u32 *) (skb->data + K)) */
513 /* BPF_LD + BPD_ABS and BPF_LD + BPF_IND insns are
514 * only appearing in the programs where ctx ==
515 * skb. All programs keep 'ctx' in regs[BPF_REG_CTX]
516 * == BPF_R6, sk_convert_filter() saves it in BPF_R6,
517 * internal BPF verifier will check that BPF_R6 ==
520 * BPF_ABS and BPF_IND are wrappers of function calls,
521 * so they scratch BPF_R1-BPF_R5 registers, preserve
522 * BPF_R6-BPF_R9, and store return value into BPF_R0.
529 * K == 32-bit immediate
532 * BPF_R0 - 8/16/32-bit skb data converted to cpu endianness
534 ptr = load_pointer((struct sk_buff *) ctx, off, 4, &tmp);
535 if (likely(ptr != NULL)) {
536 BPF_R0 = get_unaligned_be32(ptr);
540 LD_ABS_H: /* BPF_R0 = ntohs(*(u16 *) (skb->data + K)) */
543 ptr = load_pointer((struct sk_buff *) ctx, off, 2, &tmp);
544 if (likely(ptr != NULL)) {
545 BPF_R0 = get_unaligned_be16(ptr);
549 LD_ABS_B: /* BPF_R0 = *(u8 *) (ctx + K) */
552 ptr = load_pointer((struct sk_buff *) ctx, off, 1, &tmp);
553 if (likely(ptr != NULL)) {
558 LD_IND_W: /* BPF_R0 = ntohl(*(u32 *) (skb->data + X + K)) */
561 LD_IND_H: /* BPF_R0 = ntohs(*(u16 *) (skb->data + X + K)) */
564 LD_IND_B: /* BPF_R0 = *(u8 *) (skb->data + X + K) */
569 /* If we ever reach this, we have a bug somewhere. */
570 WARN_RATELIMIT(1, "unknown opcode %02x\n", insn->code);
574 u32 sk_run_filter_int_seccomp(const struct seccomp_data *ctx,
575 const struct sock_filter_int *insni)
576 __attribute__ ((alias ("__sk_run_filter")));
578 u32 sk_run_filter_int_skb(const struct sk_buff *ctx,
579 const struct sock_filter_int *insni)
580 __attribute__ ((alias ("__sk_run_filter")));
581 EXPORT_SYMBOL_GPL(sk_run_filter_int_skb);
583 /* Helper to find the offset of pkt_type in sk_buff structure. We want
584 * to make sure its still a 3bit field starting at a byte boundary;
585 * taken from arch/x86/net/bpf_jit_comp.c.
587 #define PKT_TYPE_MAX 7
588 static unsigned int pkt_type_offset(void)
590 struct sk_buff skb_probe = { .pkt_type = ~0, };
591 u8 *ct = (u8 *) &skb_probe;
594 for (off = 0; off < sizeof(struct sk_buff); off++) {
595 if (ct[off] == PKT_TYPE_MAX)
599 pr_err_once("Please fix %s, as pkt_type couldn't be found!\n", __func__);
603 static u64 __skb_get_pay_offset(u64 ctx, u64 a, u64 x, u64 r4, u64 r5)
605 return __skb_get_poff((struct sk_buff *)(unsigned long) ctx);
608 static u64 __skb_get_nlattr(u64 ctx, u64 a, u64 x, u64 r4, u64 r5)
610 struct sk_buff *skb = (struct sk_buff *)(unsigned long) ctx;
613 if (skb_is_nonlinear(skb))
616 if (skb->len < sizeof(struct nlattr))
619 if (a > skb->len - sizeof(struct nlattr))
622 nla = nla_find((struct nlattr *) &skb->data[a], skb->len - a, x);
624 return (void *) nla - (void *) skb->data;
629 static u64 __skb_get_nlattr_nest(u64 ctx, u64 a, u64 x, u64 r4, u64 r5)
631 struct sk_buff *skb = (struct sk_buff *)(unsigned long) ctx;
634 if (skb_is_nonlinear(skb))
637 if (skb->len < sizeof(struct nlattr))
640 if (a > skb->len - sizeof(struct nlattr))
643 nla = (struct nlattr *) &skb->data[a];
644 if (nla->nla_len > skb->len - a)
647 nla = nla_find_nested(nla, x);
649 return (void *) nla - (void *) skb->data;
654 static u64 __get_raw_cpu_id(u64 ctx, u64 a, u64 x, u64 r4, u64 r5)
656 return raw_smp_processor_id();
659 /* note that this only generates 32-bit random numbers */
660 static u64 __get_random_u32(u64 ctx, u64 a, u64 x, u64 r4, u64 r5)
662 return prandom_u32();
665 static bool convert_bpf_extensions(struct sock_filter *fp,
666 struct sock_filter_int **insnp)
668 struct sock_filter_int *insn = *insnp;
671 case SKF_AD_OFF + SKF_AD_PROTOCOL:
672 BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, protocol) != 2);
674 /* A = *(u16 *) (ctx + offsetof(protocol)) */
675 *insn = BPF_LDX_MEM(BPF_H, BPF_REG_A, BPF_REG_CTX,
676 offsetof(struct sk_buff, protocol));
679 /* A = ntohs(A) [emitting a nop or swap16] */
680 insn->code = BPF_ALU | BPF_END | BPF_FROM_BE;
681 insn->a_reg = BPF_REG_A;
685 case SKF_AD_OFF + SKF_AD_PKTTYPE:
686 *insn = BPF_LDX_MEM(BPF_B, BPF_REG_A, BPF_REG_CTX,
692 *insn = BPF_ALU32_IMM(BPF_AND, BPF_REG_A, PKT_TYPE_MAX);
695 case SKF_AD_OFF + SKF_AD_IFINDEX:
696 case SKF_AD_OFF + SKF_AD_HATYPE:
697 *insn = BPF_LDX_MEM(size_to_bpf(FIELD_SIZEOF(struct sk_buff, dev)),
698 BPF_REG_TMP, BPF_REG_CTX,
699 offsetof(struct sk_buff, dev));
702 /* if (tmp != 0) goto pc+1 */
703 *insn = BPF_JMP_IMM(BPF_JNE, BPF_REG_TMP, 0, 1);
706 *insn = BPF_EXIT_INSN();
709 BUILD_BUG_ON(FIELD_SIZEOF(struct net_device, ifindex) != 4);
710 BUILD_BUG_ON(FIELD_SIZEOF(struct net_device, type) != 2);
712 insn->a_reg = BPF_REG_A;
713 insn->x_reg = BPF_REG_TMP;
715 if (fp->k == SKF_AD_OFF + SKF_AD_IFINDEX) {
716 insn->code = BPF_LDX | BPF_MEM | BPF_W;
717 insn->off = offsetof(struct net_device, ifindex);
719 insn->code = BPF_LDX | BPF_MEM | BPF_H;
720 insn->off = offsetof(struct net_device, type);
724 case SKF_AD_OFF + SKF_AD_MARK:
725 BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, mark) != 4);
727 *insn = BPF_LDX_MEM(BPF_W, BPF_REG_A, BPF_REG_CTX,
728 offsetof(struct sk_buff, mark));
731 case SKF_AD_OFF + SKF_AD_RXHASH:
732 BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, hash) != 4);
734 *insn = BPF_LDX_MEM(BPF_W, BPF_REG_A, BPF_REG_CTX,
735 offsetof(struct sk_buff, hash));
738 case SKF_AD_OFF + SKF_AD_QUEUE:
739 BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, queue_mapping) != 2);
741 *insn = BPF_LDX_MEM(BPF_H, BPF_REG_A, BPF_REG_CTX,
742 offsetof(struct sk_buff, queue_mapping));
745 case SKF_AD_OFF + SKF_AD_VLAN_TAG:
746 case SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT:
747 BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, vlan_tci) != 2);
749 /* A = *(u16 *) (ctx + offsetof(vlan_tci)) */
750 *insn = BPF_LDX_MEM(BPF_H, BPF_REG_A, BPF_REG_CTX,
751 offsetof(struct sk_buff, vlan_tci));
754 BUILD_BUG_ON(VLAN_TAG_PRESENT != 0x1000);
756 if (fp->k == SKF_AD_OFF + SKF_AD_VLAN_TAG) {
757 *insn = BPF_ALU32_IMM(BPF_AND, BPF_REG_A,
761 *insn = BPF_ALU32_IMM(BPF_RSH, BPF_REG_A, 12);
765 *insn = BPF_ALU32_IMM(BPF_AND, BPF_REG_A, 1);
769 case SKF_AD_OFF + SKF_AD_PAY_OFFSET:
770 case SKF_AD_OFF + SKF_AD_NLATTR:
771 case SKF_AD_OFF + SKF_AD_NLATTR_NEST:
772 case SKF_AD_OFF + SKF_AD_CPU:
773 case SKF_AD_OFF + SKF_AD_RANDOM:
775 *insn = BPF_ALU64_REG(BPF_MOV, BPF_REG_ARG1, BPF_REG_CTX);
779 *insn = BPF_ALU64_REG(BPF_MOV, BPF_REG_ARG2, BPF_REG_A);
783 *insn = BPF_ALU64_REG(BPF_MOV, BPF_REG_ARG3, BPF_REG_X);
786 /* Emit call(ctx, arg2=A, arg3=X) */
787 insn->code = BPF_JMP | BPF_CALL;
789 case SKF_AD_OFF + SKF_AD_PAY_OFFSET:
790 insn->imm = __skb_get_pay_offset - __bpf_call_base;
792 case SKF_AD_OFF + SKF_AD_NLATTR:
793 insn->imm = __skb_get_nlattr - __bpf_call_base;
795 case SKF_AD_OFF + SKF_AD_NLATTR_NEST:
796 insn->imm = __skb_get_nlattr_nest - __bpf_call_base;
798 case SKF_AD_OFF + SKF_AD_CPU:
799 insn->imm = __get_raw_cpu_id - __bpf_call_base;
801 case SKF_AD_OFF + SKF_AD_RANDOM:
802 insn->imm = __get_random_u32 - __bpf_call_base;
807 case SKF_AD_OFF + SKF_AD_ALU_XOR_X:
809 *insn = BPF_ALU32_REG(BPF_XOR, BPF_REG_A, BPF_REG_X);
813 /* This is just a dummy call to avoid letting the compiler
814 * evict __bpf_call_base() as an optimization. Placed here
815 * where no-one bothers.
817 BUG_ON(__bpf_call_base(0, 0, 0, 0, 0) != 0);
826 * sk_convert_filter - convert filter program
827 * @prog: the user passed filter program
828 * @len: the length of the user passed filter program
829 * @new_prog: buffer where converted program will be stored
830 * @new_len: pointer to store length of converted program
832 * Remap 'sock_filter' style BPF instruction set to 'sock_filter_ext' style.
833 * Conversion workflow:
835 * 1) First pass for calculating the new program length:
836 * sk_convert_filter(old_prog, old_len, NULL, &new_len)
838 * 2) 2nd pass to remap in two passes: 1st pass finds new
839 * jump offsets, 2nd pass remapping:
840 * new_prog = kmalloc(sizeof(struct sock_filter_int) * new_len);
841 * sk_convert_filter(old_prog, old_len, new_prog, &new_len);
843 * User BPF's register A is mapped to our BPF register 6, user BPF
844 * register X is mapped to BPF register 7; frame pointer is always
845 * register 10; Context 'void *ctx' is stored in register 1, that is,
846 * for socket filters: ctx == 'struct sk_buff *', for seccomp:
847 * ctx == 'struct seccomp_data *'.
849 int sk_convert_filter(struct sock_filter *prog, int len,
850 struct sock_filter_int *new_prog, int *new_len)
852 int new_flen = 0, pass = 0, target, i;
853 struct sock_filter_int *new_insn;
854 struct sock_filter *fp;
858 BUILD_BUG_ON(BPF_MEMWORDS * sizeof(u32) > MAX_BPF_STACK);
859 BUILD_BUG_ON(BPF_REG_FP + 1 != MAX_BPF_REG);
861 if (len <= 0 || len >= BPF_MAXINSNS)
865 addrs = kzalloc(len * sizeof(*addrs), GFP_KERNEL);
875 *new_insn = BPF_ALU64_REG(BPF_MOV, BPF_REG_CTX, BPF_REG_ARG1);
879 for (i = 0; i < len; fp++, i++) {
880 struct sock_filter_int tmp_insns[6] = { };
881 struct sock_filter_int *insn = tmp_insns;
884 addrs[i] = new_insn - new_prog;
887 /* All arithmetic insns and skb loads map as-is. */
888 case BPF_ALU | BPF_ADD | BPF_X:
889 case BPF_ALU | BPF_ADD | BPF_K:
890 case BPF_ALU | BPF_SUB | BPF_X:
891 case BPF_ALU | BPF_SUB | BPF_K:
892 case BPF_ALU | BPF_AND | BPF_X:
893 case BPF_ALU | BPF_AND | BPF_K:
894 case BPF_ALU | BPF_OR | BPF_X:
895 case BPF_ALU | BPF_OR | BPF_K:
896 case BPF_ALU | BPF_LSH | BPF_X:
897 case BPF_ALU | BPF_LSH | BPF_K:
898 case BPF_ALU | BPF_RSH | BPF_X:
899 case BPF_ALU | BPF_RSH | BPF_K:
900 case BPF_ALU | BPF_XOR | BPF_X:
901 case BPF_ALU | BPF_XOR | BPF_K:
902 case BPF_ALU | BPF_MUL | BPF_X:
903 case BPF_ALU | BPF_MUL | BPF_K:
904 case BPF_ALU | BPF_DIV | BPF_X:
905 case BPF_ALU | BPF_DIV | BPF_K:
906 case BPF_ALU | BPF_MOD | BPF_X:
907 case BPF_ALU | BPF_MOD | BPF_K:
908 case BPF_ALU | BPF_NEG:
909 case BPF_LD | BPF_ABS | BPF_W:
910 case BPF_LD | BPF_ABS | BPF_H:
911 case BPF_LD | BPF_ABS | BPF_B:
912 case BPF_LD | BPF_IND | BPF_W:
913 case BPF_LD | BPF_IND | BPF_H:
914 case BPF_LD | BPF_IND | BPF_B:
915 /* Check for overloaded BPF extension and
916 * directly convert it if found, otherwise
917 * just move on with mapping.
919 if (BPF_CLASS(fp->code) == BPF_LD &&
920 BPF_MODE(fp->code) == BPF_ABS &&
921 convert_bpf_extensions(fp, &insn))
924 insn->code = fp->code;
925 insn->a_reg = BPF_REG_A;
926 insn->x_reg = BPF_REG_X;
930 /* Jump opcodes map as-is, but offsets need adjustment. */
931 case BPF_JMP | BPF_JA:
932 target = i + fp->k + 1;
933 insn->code = fp->code;
936 if (target >= len || target < 0) \
938 insn->off = addrs ? addrs[target] - addrs[i] - 1 : 0; \
939 /* Adjust pc relative offset for 2nd or 3rd insn. */ \
940 insn->off -= insn - tmp_insns; \
946 case BPF_JMP | BPF_JEQ | BPF_K:
947 case BPF_JMP | BPF_JEQ | BPF_X:
948 case BPF_JMP | BPF_JSET | BPF_K:
949 case BPF_JMP | BPF_JSET | BPF_X:
950 case BPF_JMP | BPF_JGT | BPF_K:
951 case BPF_JMP | BPF_JGT | BPF_X:
952 case BPF_JMP | BPF_JGE | BPF_K:
953 case BPF_JMP | BPF_JGE | BPF_X:
954 if (BPF_SRC(fp->code) == BPF_K && (int) fp->k < 0) {
955 /* BPF immediates are signed, zero extend
956 * immediate into tmp register and use it
959 insn->code = BPF_ALU | BPF_MOV | BPF_K;
960 insn->a_reg = BPF_REG_TMP;
964 insn->a_reg = BPF_REG_A;
965 insn->x_reg = BPF_REG_TMP;
968 insn->a_reg = BPF_REG_A;
969 insn->x_reg = BPF_REG_X;
971 bpf_src = BPF_SRC(fp->code);
974 /* Common case where 'jump_false' is next insn. */
976 insn->code = BPF_JMP | BPF_OP(fp->code) | bpf_src;
977 target = i + fp->jt + 1;
982 /* Convert JEQ into JNE when 'jump_true' is next insn. */
983 if (fp->jt == 0 && BPF_OP(fp->code) == BPF_JEQ) {
984 insn->code = BPF_JMP | BPF_JNE | bpf_src;
985 target = i + fp->jf + 1;
990 /* Other jumps are mapped into two insns: Jxx and JA. */
991 target = i + fp->jt + 1;
992 insn->code = BPF_JMP | BPF_OP(fp->code) | bpf_src;
996 insn->code = BPF_JMP | BPF_JA;
997 target = i + fp->jf + 1;
1001 /* ldxb 4 * ([14] & 0xf) is remaped into 6 insns. */
1002 case BPF_LDX | BPF_MSH | BPF_B:
1004 *insn = BPF_ALU64_REG(BPF_MOV, BPF_REG_TMP, BPF_REG_A);
1007 /* A = BPF_R0 = *(u8 *) (skb->data + K) */
1008 *insn = BPF_LD_ABS(BPF_B, fp->k);
1012 *insn = BPF_ALU32_IMM(BPF_AND, BPF_REG_A, 0xf);
1016 *insn = BPF_ALU32_IMM(BPF_LSH, BPF_REG_A, 2);
1020 *insn = BPF_ALU64_REG(BPF_MOV, BPF_REG_X, BPF_REG_A);
1024 *insn = BPF_ALU64_REG(BPF_MOV, BPF_REG_A, BPF_REG_TMP);
1027 /* RET_K, RET_A are remaped into 2 insns. */
1028 case BPF_RET | BPF_A:
1029 case BPF_RET | BPF_K:
1030 insn->code = BPF_ALU | BPF_MOV |
1031 (BPF_RVAL(fp->code) == BPF_K ?
1034 insn->x_reg = BPF_REG_A;
1038 *insn = BPF_EXIT_INSN();
1041 /* Store to stack. */
1044 insn->code = BPF_STX | BPF_MEM | BPF_W;
1045 insn->a_reg = BPF_REG_FP;
1046 insn->x_reg = fp->code == BPF_ST ?
1047 BPF_REG_A : BPF_REG_X;
1048 insn->off = -(BPF_MEMWORDS - fp->k) * 4;
1051 /* Load from stack. */
1052 case BPF_LD | BPF_MEM:
1053 case BPF_LDX | BPF_MEM:
1054 insn->code = BPF_LDX | BPF_MEM | BPF_W;
1055 insn->a_reg = BPF_CLASS(fp->code) == BPF_LD ?
1056 BPF_REG_A : BPF_REG_X;
1057 insn->x_reg = BPF_REG_FP;
1058 insn->off = -(BPF_MEMWORDS - fp->k) * 4;
1061 /* A = K or X = K */
1062 case BPF_LD | BPF_IMM:
1063 case BPF_LDX | BPF_IMM:
1064 insn->code = BPF_ALU | BPF_MOV | BPF_K;
1065 insn->a_reg = BPF_CLASS(fp->code) == BPF_LD ?
1066 BPF_REG_A : BPF_REG_X;
1071 case BPF_MISC | BPF_TAX:
1072 *insn = BPF_ALU64_REG(BPF_MOV, BPF_REG_X, BPF_REG_A);
1076 case BPF_MISC | BPF_TXA:
1077 *insn = BPF_ALU64_REG(BPF_MOV, BPF_REG_A, BPF_REG_X);
1080 /* A = skb->len or X = skb->len */
1081 case BPF_LD | BPF_W | BPF_LEN:
1082 case BPF_LDX | BPF_W | BPF_LEN:
1083 insn->code = BPF_LDX | BPF_MEM | BPF_W;
1084 insn->a_reg = BPF_CLASS(fp->code) == BPF_LD ?
1085 BPF_REG_A : BPF_REG_X;
1086 insn->x_reg = BPF_REG_CTX;
1087 insn->off = offsetof(struct sk_buff, len);
1090 /* access seccomp_data fields */
1091 case BPF_LDX | BPF_ABS | BPF_W:
1092 /* A = *(u32 *) (ctx + K) */
1093 *insn = BPF_LDX_MEM(BPF_W, BPF_REG_A, BPF_REG_CTX, fp->k);
1102 memcpy(new_insn, tmp_insns,
1103 sizeof(*insn) * (insn - tmp_insns));
1105 new_insn += insn - tmp_insns;
1109 /* Only calculating new length. */
1110 *new_len = new_insn - new_prog;
1115 if (new_flen != new_insn - new_prog) {
1116 new_flen = new_insn - new_prog;
1124 BUG_ON(*new_len != new_flen);
1133 * A BPF program is able to use 16 cells of memory to store intermediate
1134 * values (check u32 mem[BPF_MEMWORDS] in sk_run_filter()).
1136 * As we dont want to clear mem[] array for each packet going through
1137 * sk_run_filter(), we check that filter loaded by user never try to read
1138 * a cell if not previously written, and we check all branches to be sure
1139 * a malicious user doesn't try to abuse us.
1141 static int check_load_and_stores(struct sock_filter *filter, int flen)
1143 u16 *masks, memvalid = 0; /* one bit per cell, 16 cells */
1146 BUILD_BUG_ON(BPF_MEMWORDS > 16);
1147 masks = kmalloc(flen * sizeof(*masks), GFP_KERNEL);
1150 memset(masks, 0xff, flen * sizeof(*masks));
1152 for (pc = 0; pc < flen; pc++) {
1153 memvalid &= masks[pc];
1155 switch (filter[pc].code) {
1158 memvalid |= (1 << filter[pc].k);
1162 if (!(memvalid & (1 << filter[pc].k))) {
1168 /* a jump must set masks on target */
1169 masks[pc + 1 + filter[pc].k] &= memvalid;
1172 case BPF_S_JMP_JEQ_K:
1173 case BPF_S_JMP_JEQ_X:
1174 case BPF_S_JMP_JGE_K:
1175 case BPF_S_JMP_JGE_X:
1176 case BPF_S_JMP_JGT_K:
1177 case BPF_S_JMP_JGT_X:
1178 case BPF_S_JMP_JSET_X:
1179 case BPF_S_JMP_JSET_K:
1180 /* a jump must set masks on targets */
1181 masks[pc + 1 + filter[pc].jt] &= memvalid;
1182 masks[pc + 1 + filter[pc].jf] &= memvalid;
1193 * sk_chk_filter - verify socket filter code
1194 * @filter: filter to verify
1195 * @flen: length of filter
1197 * Check the user's filter code. If we let some ugly
1198 * filter code slip through kaboom! The filter must contain
1199 * no references or jumps that are out of range, no illegal
1200 * instructions, and must end with a RET instruction.
1202 * All jumps are forward as they are not signed.
1204 * Returns 0 if the rule set is legal or -EINVAL if not.
1206 int sk_chk_filter(struct sock_filter *filter, unsigned int flen)
1209 * Valid instructions are initialized to non-0.
1210 * Invalid instructions are initialized to 0.
1212 static const u8 codes[] = {
1213 [BPF_ALU|BPF_ADD|BPF_K] = BPF_S_ALU_ADD_K,
1214 [BPF_ALU|BPF_ADD|BPF_X] = BPF_S_ALU_ADD_X,
1215 [BPF_ALU|BPF_SUB|BPF_K] = BPF_S_ALU_SUB_K,
1216 [BPF_ALU|BPF_SUB|BPF_X] = BPF_S_ALU_SUB_X,
1217 [BPF_ALU|BPF_MUL|BPF_K] = BPF_S_ALU_MUL_K,
1218 [BPF_ALU|BPF_MUL|BPF_X] = BPF_S_ALU_MUL_X,
1219 [BPF_ALU|BPF_DIV|BPF_X] = BPF_S_ALU_DIV_X,
1220 [BPF_ALU|BPF_MOD|BPF_K] = BPF_S_ALU_MOD_K,
1221 [BPF_ALU|BPF_MOD|BPF_X] = BPF_S_ALU_MOD_X,
1222 [BPF_ALU|BPF_AND|BPF_K] = BPF_S_ALU_AND_K,
1223 [BPF_ALU|BPF_AND|BPF_X] = BPF_S_ALU_AND_X,
1224 [BPF_ALU|BPF_OR|BPF_K] = BPF_S_ALU_OR_K,
1225 [BPF_ALU|BPF_OR|BPF_X] = BPF_S_ALU_OR_X,
1226 [BPF_ALU|BPF_XOR|BPF_K] = BPF_S_ALU_XOR_K,
1227 [BPF_ALU|BPF_XOR|BPF_X] = BPF_S_ALU_XOR_X,
1228 [BPF_ALU|BPF_LSH|BPF_K] = BPF_S_ALU_LSH_K,
1229 [BPF_ALU|BPF_LSH|BPF_X] = BPF_S_ALU_LSH_X,
1230 [BPF_ALU|BPF_RSH|BPF_K] = BPF_S_ALU_RSH_K,
1231 [BPF_ALU|BPF_RSH|BPF_X] = BPF_S_ALU_RSH_X,
1232 [BPF_ALU|BPF_NEG] = BPF_S_ALU_NEG,
1233 [BPF_LD|BPF_W|BPF_ABS] = BPF_S_LD_W_ABS,
1234 [BPF_LD|BPF_H|BPF_ABS] = BPF_S_LD_H_ABS,
1235 [BPF_LD|BPF_B|BPF_ABS] = BPF_S_LD_B_ABS,
1236 [BPF_LD|BPF_W|BPF_LEN] = BPF_S_LD_W_LEN,
1237 [BPF_LD|BPF_W|BPF_IND] = BPF_S_LD_W_IND,
1238 [BPF_LD|BPF_H|BPF_IND] = BPF_S_LD_H_IND,
1239 [BPF_LD|BPF_B|BPF_IND] = BPF_S_LD_B_IND,
1240 [BPF_LD|BPF_IMM] = BPF_S_LD_IMM,
1241 [BPF_LDX|BPF_W|BPF_LEN] = BPF_S_LDX_W_LEN,
1242 [BPF_LDX|BPF_B|BPF_MSH] = BPF_S_LDX_B_MSH,
1243 [BPF_LDX|BPF_IMM] = BPF_S_LDX_IMM,
1244 [BPF_MISC|BPF_TAX] = BPF_S_MISC_TAX,
1245 [BPF_MISC|BPF_TXA] = BPF_S_MISC_TXA,
1246 [BPF_RET|BPF_K] = BPF_S_RET_K,
1247 [BPF_RET|BPF_A] = BPF_S_RET_A,
1248 [BPF_ALU|BPF_DIV|BPF_K] = BPF_S_ALU_DIV_K,
1249 [BPF_LD|BPF_MEM] = BPF_S_LD_MEM,
1250 [BPF_LDX|BPF_MEM] = BPF_S_LDX_MEM,
1251 [BPF_ST] = BPF_S_ST,
1252 [BPF_STX] = BPF_S_STX,
1253 [BPF_JMP|BPF_JA] = BPF_S_JMP_JA,
1254 [BPF_JMP|BPF_JEQ|BPF_K] = BPF_S_JMP_JEQ_K,
1255 [BPF_JMP|BPF_JEQ|BPF_X] = BPF_S_JMP_JEQ_X,
1256 [BPF_JMP|BPF_JGE|BPF_K] = BPF_S_JMP_JGE_K,
1257 [BPF_JMP|BPF_JGE|BPF_X] = BPF_S_JMP_JGE_X,
1258 [BPF_JMP|BPF_JGT|BPF_K] = BPF_S_JMP_JGT_K,
1259 [BPF_JMP|BPF_JGT|BPF_X] = BPF_S_JMP_JGT_X,
1260 [BPF_JMP|BPF_JSET|BPF_K] = BPF_S_JMP_JSET_K,
1261 [BPF_JMP|BPF_JSET|BPF_X] = BPF_S_JMP_JSET_X,
1266 if (flen == 0 || flen > BPF_MAXINSNS)
1269 /* check the filter code now */
1270 for (pc = 0; pc < flen; pc++) {
1271 struct sock_filter *ftest = &filter[pc];
1272 u16 code = ftest->code;
1274 if (code >= ARRAY_SIZE(codes))
1279 /* Some instructions need special checks */
1281 case BPF_S_ALU_DIV_K:
1282 case BPF_S_ALU_MOD_K:
1283 /* check for division by zero */
1291 /* check for invalid memory addresses */
1292 if (ftest->k >= BPF_MEMWORDS)
1297 * Note, the large ftest->k might cause loops.
1298 * Compare this with conditional jumps below,
1299 * where offsets are limited. --ANK (981016)
1301 if (ftest->k >= (unsigned int)(flen-pc-1))
1304 case BPF_S_JMP_JEQ_K:
1305 case BPF_S_JMP_JEQ_X:
1306 case BPF_S_JMP_JGE_K:
1307 case BPF_S_JMP_JGE_X:
1308 case BPF_S_JMP_JGT_K:
1309 case BPF_S_JMP_JGT_X:
1310 case BPF_S_JMP_JSET_X:
1311 case BPF_S_JMP_JSET_K:
1312 /* for conditionals both must be safe */
1313 if (pc + ftest->jt + 1 >= flen ||
1314 pc + ftest->jf + 1 >= flen)
1317 case BPF_S_LD_W_ABS:
1318 case BPF_S_LD_H_ABS:
1319 case BPF_S_LD_B_ABS:
1321 #define ANCILLARY(CODE) case SKF_AD_OFF + SKF_AD_##CODE: \
1322 code = BPF_S_ANC_##CODE; \
1326 ANCILLARY(PROTOCOL);
1330 ANCILLARY(NLATTR_NEST);
1336 ANCILLARY(ALU_XOR_X);
1337 ANCILLARY(VLAN_TAG);
1338 ANCILLARY(VLAN_TAG_PRESENT);
1339 ANCILLARY(PAY_OFFSET);
1343 /* ancillary operation unknown or unsupported */
1344 if (anc_found == false && ftest->k >= SKF_AD_OFF)
1350 /* last instruction must be a RET code */
1351 switch (filter[flen - 1].code) {
1354 return check_load_and_stores(filter, flen);
1358 EXPORT_SYMBOL(sk_chk_filter);
1360 static int sk_store_orig_filter(struct sk_filter *fp,
1361 const struct sock_fprog *fprog)
1363 unsigned int fsize = sk_filter_proglen(fprog);
1364 struct sock_fprog_kern *fkprog;
1366 fp->orig_prog = kmalloc(sizeof(*fkprog), GFP_KERNEL);
1370 fkprog = fp->orig_prog;
1371 fkprog->len = fprog->len;
1372 fkprog->filter = kmemdup(fp->insns, fsize, GFP_KERNEL);
1373 if (!fkprog->filter) {
1374 kfree(fp->orig_prog);
1381 static void sk_release_orig_filter(struct sk_filter *fp)
1383 struct sock_fprog_kern *fprog = fp->orig_prog;
1386 kfree(fprog->filter);
1392 * sk_filter_release_rcu - Release a socket filter by rcu_head
1393 * @rcu: rcu_head that contains the sk_filter to free
1395 static void sk_filter_release_rcu(struct rcu_head *rcu)
1397 struct sk_filter *fp = container_of(rcu, struct sk_filter, rcu);
1399 sk_release_orig_filter(fp);
1404 * sk_filter_release - release a socket filter
1405 * @fp: filter to remove
1407 * Remove a filter from a socket and release its resources.
1409 static void sk_filter_release(struct sk_filter *fp)
1411 if (atomic_dec_and_test(&fp->refcnt))
1412 call_rcu(&fp->rcu, sk_filter_release_rcu);
1415 void sk_filter_uncharge(struct sock *sk, struct sk_filter *fp)
1417 atomic_sub(sk_filter_size(fp->len), &sk->sk_omem_alloc);
1418 sk_filter_release(fp);
1421 void sk_filter_charge(struct sock *sk, struct sk_filter *fp)
1423 atomic_inc(&fp->refcnt);
1424 atomic_add(sk_filter_size(fp->len), &sk->sk_omem_alloc);
1427 static struct sk_filter *__sk_migrate_realloc(struct sk_filter *fp,
1431 struct sk_filter *fp_new;
1434 return krealloc(fp, len, GFP_KERNEL);
1436 fp_new = sock_kmalloc(sk, len, GFP_KERNEL);
1439 /* As we're kepping orig_prog in fp_new along,
1440 * we need to make sure we're not evicting it
1443 fp->orig_prog = NULL;
1444 sk_filter_uncharge(sk, fp);
1450 static struct sk_filter *__sk_migrate_filter(struct sk_filter *fp,
1453 struct sock_filter *old_prog;
1454 struct sk_filter *old_fp;
1455 int i, err, new_len, old_len = fp->len;
1457 /* We are free to overwrite insns et al right here as it
1458 * won't be used at this point in time anymore internally
1459 * after the migration to the internal BPF instruction
1462 BUILD_BUG_ON(sizeof(struct sock_filter) !=
1463 sizeof(struct sock_filter_int));
1465 /* For now, we need to unfiddle BPF_S_* identifiers in place.
1466 * This can sooner or later on be subject to removal, e.g. when
1467 * JITs have been converted.
1469 for (i = 0; i < fp->len; i++)
1470 sk_decode_filter(&fp->insns[i], &fp->insns[i]);
1472 /* Conversion cannot happen on overlapping memory areas,
1473 * so we need to keep the user BPF around until the 2nd
1474 * pass. At this time, the user BPF is stored in fp->insns.
1476 old_prog = kmemdup(fp->insns, old_len * sizeof(struct sock_filter),
1483 /* 1st pass: calculate the new program length. */
1484 err = sk_convert_filter(old_prog, old_len, NULL, &new_len);
1488 /* Expand fp for appending the new filter representation. */
1490 fp = __sk_migrate_realloc(old_fp, sk, sk_filter_size(new_len));
1492 /* The old_fp is still around in case we couldn't
1493 * allocate new memory, so uncharge on that one.
1500 fp->bpf_func = sk_run_filter_int_skb;
1503 /* 2nd pass: remap sock_filter insns into sock_filter_int insns. */
1504 err = sk_convert_filter(old_prog, old_len, fp->insnsi, &new_len);
1506 /* 2nd sk_convert_filter() can fail only if it fails
1507 * to allocate memory, remapping must succeed. Note,
1508 * that at this time old_fp has already been released
1509 * by __sk_migrate_realloc().
1519 /* Rollback filter setup. */
1521 sk_filter_uncharge(sk, fp);
1524 return ERR_PTR(err);
1527 void __weak bpf_int_jit_compile(struct sk_filter *prog)
1531 static struct sk_filter *__sk_prepare_filter(struct sk_filter *fp,
1536 fp->bpf_func = NULL;
1539 err = sk_chk_filter(fp->insns, fp->len);
1541 return ERR_PTR(err);
1543 /* Probe if we can JIT compile the filter and if so, do
1544 * the compilation of the filter.
1546 bpf_jit_compile(fp);
1548 /* JIT compiler couldn't process this filter, so do the
1549 * internal BPF translation for the optimized interpreter.
1552 fp = __sk_migrate_filter(fp, sk);
1554 /* Probe if internal BPF can be jit-ed */
1555 bpf_int_jit_compile(fp);
1561 * sk_unattached_filter_create - create an unattached filter
1562 * @fprog: the filter program
1563 * @pfp: the unattached filter that is created
1565 * Create a filter independent of any socket. We first run some
1566 * sanity checks on it to make sure it does not explode on us later.
1567 * If an error occurs or there is insufficient memory for the filter
1568 * a negative errno code is returned. On success the return is zero.
1570 int sk_unattached_filter_create(struct sk_filter **pfp,
1571 struct sock_fprog *fprog)
1573 unsigned int fsize = sk_filter_proglen(fprog);
1574 struct sk_filter *fp;
1576 /* Make sure new filter is there and in the right amounts. */
1577 if (fprog->filter == NULL)
1580 fp = kmalloc(sk_filter_size(fprog->len), GFP_KERNEL);
1584 memcpy(fp->insns, fprog->filter, fsize);
1586 atomic_set(&fp->refcnt, 1);
1587 fp->len = fprog->len;
1588 /* Since unattached filters are not copied back to user
1589 * space through sk_get_filter(), we do not need to hold
1590 * a copy here, and can spare us the work.
1592 fp->orig_prog = NULL;
1594 /* __sk_prepare_filter() already takes care of uncharging
1595 * memory in case something goes wrong.
1597 fp = __sk_prepare_filter(fp, NULL);
1604 EXPORT_SYMBOL_GPL(sk_unattached_filter_create);
1606 void sk_unattached_filter_destroy(struct sk_filter *fp)
1608 sk_filter_release(fp);
1610 EXPORT_SYMBOL_GPL(sk_unattached_filter_destroy);
1613 * sk_attach_filter - attach a socket filter
1614 * @fprog: the filter program
1615 * @sk: the socket to use
1617 * Attach the user's filter code. We first run some sanity checks on
1618 * it to make sure it does not explode on us later. If an error
1619 * occurs or there is insufficient memory for the filter a negative
1620 * errno code is returned. On success the return is zero.
1622 int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk)
1624 struct sk_filter *fp, *old_fp;
1625 unsigned int fsize = sk_filter_proglen(fprog);
1626 unsigned int sk_fsize = sk_filter_size(fprog->len);
1629 if (sock_flag(sk, SOCK_FILTER_LOCKED))
1632 /* Make sure new filter is there and in the right amounts. */
1633 if (fprog->filter == NULL)
1636 fp = sock_kmalloc(sk, sk_fsize, GFP_KERNEL);
1640 if (copy_from_user(fp->insns, fprog->filter, fsize)) {
1641 sock_kfree_s(sk, fp, sk_fsize);
1645 atomic_set(&fp->refcnt, 1);
1646 fp->len = fprog->len;
1648 err = sk_store_orig_filter(fp, fprog);
1650 sk_filter_uncharge(sk, fp);
1654 /* __sk_prepare_filter() already takes care of uncharging
1655 * memory in case something goes wrong.
1657 fp = __sk_prepare_filter(fp, sk);
1661 old_fp = rcu_dereference_protected(sk->sk_filter,
1662 sock_owned_by_user(sk));
1663 rcu_assign_pointer(sk->sk_filter, fp);
1666 sk_filter_uncharge(sk, old_fp);
1670 EXPORT_SYMBOL_GPL(sk_attach_filter);
1672 int sk_detach_filter(struct sock *sk)
1675 struct sk_filter *filter;
1677 if (sock_flag(sk, SOCK_FILTER_LOCKED))
1680 filter = rcu_dereference_protected(sk->sk_filter,
1681 sock_owned_by_user(sk));
1683 RCU_INIT_POINTER(sk->sk_filter, NULL);
1684 sk_filter_uncharge(sk, filter);
1690 EXPORT_SYMBOL_GPL(sk_detach_filter);
1692 void sk_decode_filter(struct sock_filter *filt, struct sock_filter *to)
1694 static const u16 decodes[] = {
1695 [BPF_S_ALU_ADD_K] = BPF_ALU|BPF_ADD|BPF_K,
1696 [BPF_S_ALU_ADD_X] = BPF_ALU|BPF_ADD|BPF_X,
1697 [BPF_S_ALU_SUB_K] = BPF_ALU|BPF_SUB|BPF_K,
1698 [BPF_S_ALU_SUB_X] = BPF_ALU|BPF_SUB|BPF_X,
1699 [BPF_S_ALU_MUL_K] = BPF_ALU|BPF_MUL|BPF_K,
1700 [BPF_S_ALU_MUL_X] = BPF_ALU|BPF_MUL|BPF_X,
1701 [BPF_S_ALU_DIV_X] = BPF_ALU|BPF_DIV|BPF_X,
1702 [BPF_S_ALU_MOD_K] = BPF_ALU|BPF_MOD|BPF_K,
1703 [BPF_S_ALU_MOD_X] = BPF_ALU|BPF_MOD|BPF_X,
1704 [BPF_S_ALU_AND_K] = BPF_ALU|BPF_AND|BPF_K,
1705 [BPF_S_ALU_AND_X] = BPF_ALU|BPF_AND|BPF_X,
1706 [BPF_S_ALU_OR_K] = BPF_ALU|BPF_OR|BPF_K,
1707 [BPF_S_ALU_OR_X] = BPF_ALU|BPF_OR|BPF_X,
1708 [BPF_S_ALU_XOR_K] = BPF_ALU|BPF_XOR|BPF_K,
1709 [BPF_S_ALU_XOR_X] = BPF_ALU|BPF_XOR|BPF_X,
1710 [BPF_S_ALU_LSH_K] = BPF_ALU|BPF_LSH|BPF_K,
1711 [BPF_S_ALU_LSH_X] = BPF_ALU|BPF_LSH|BPF_X,
1712 [BPF_S_ALU_RSH_K] = BPF_ALU|BPF_RSH|BPF_K,
1713 [BPF_S_ALU_RSH_X] = BPF_ALU|BPF_RSH|BPF_X,
1714 [BPF_S_ALU_NEG] = BPF_ALU|BPF_NEG,
1715 [BPF_S_LD_W_ABS] = BPF_LD|BPF_W|BPF_ABS,
1716 [BPF_S_LD_H_ABS] = BPF_LD|BPF_H|BPF_ABS,
1717 [BPF_S_LD_B_ABS] = BPF_LD|BPF_B|BPF_ABS,
1718 [BPF_S_ANC_PROTOCOL] = BPF_LD|BPF_B|BPF_ABS,
1719 [BPF_S_ANC_PKTTYPE] = BPF_LD|BPF_B|BPF_ABS,
1720 [BPF_S_ANC_IFINDEX] = BPF_LD|BPF_B|BPF_ABS,
1721 [BPF_S_ANC_NLATTR] = BPF_LD|BPF_B|BPF_ABS,
1722 [BPF_S_ANC_NLATTR_NEST] = BPF_LD|BPF_B|BPF_ABS,
1723 [BPF_S_ANC_MARK] = BPF_LD|BPF_B|BPF_ABS,
1724 [BPF_S_ANC_QUEUE] = BPF_LD|BPF_B|BPF_ABS,
1725 [BPF_S_ANC_HATYPE] = BPF_LD|BPF_B|BPF_ABS,
1726 [BPF_S_ANC_RXHASH] = BPF_LD|BPF_B|BPF_ABS,
1727 [BPF_S_ANC_CPU] = BPF_LD|BPF_B|BPF_ABS,
1728 [BPF_S_ANC_ALU_XOR_X] = BPF_LD|BPF_B|BPF_ABS,
1729 [BPF_S_ANC_VLAN_TAG] = BPF_LD|BPF_B|BPF_ABS,
1730 [BPF_S_ANC_VLAN_TAG_PRESENT] = BPF_LD|BPF_B|BPF_ABS,
1731 [BPF_S_ANC_PAY_OFFSET] = BPF_LD|BPF_B|BPF_ABS,
1732 [BPF_S_ANC_RANDOM] = BPF_LD|BPF_B|BPF_ABS,
1733 [BPF_S_LD_W_LEN] = BPF_LD|BPF_W|BPF_LEN,
1734 [BPF_S_LD_W_IND] = BPF_LD|BPF_W|BPF_IND,
1735 [BPF_S_LD_H_IND] = BPF_LD|BPF_H|BPF_IND,
1736 [BPF_S_LD_B_IND] = BPF_LD|BPF_B|BPF_IND,
1737 [BPF_S_LD_IMM] = BPF_LD|BPF_IMM,
1738 [BPF_S_LDX_W_LEN] = BPF_LDX|BPF_W|BPF_LEN,
1739 [BPF_S_LDX_B_MSH] = BPF_LDX|BPF_B|BPF_MSH,
1740 [BPF_S_LDX_IMM] = BPF_LDX|BPF_IMM,
1741 [BPF_S_MISC_TAX] = BPF_MISC|BPF_TAX,
1742 [BPF_S_MISC_TXA] = BPF_MISC|BPF_TXA,
1743 [BPF_S_RET_K] = BPF_RET|BPF_K,
1744 [BPF_S_RET_A] = BPF_RET|BPF_A,
1745 [BPF_S_ALU_DIV_K] = BPF_ALU|BPF_DIV|BPF_K,
1746 [BPF_S_LD_MEM] = BPF_LD|BPF_MEM,
1747 [BPF_S_LDX_MEM] = BPF_LDX|BPF_MEM,
1748 [BPF_S_ST] = BPF_ST,
1749 [BPF_S_STX] = BPF_STX,
1750 [BPF_S_JMP_JA] = BPF_JMP|BPF_JA,
1751 [BPF_S_JMP_JEQ_K] = BPF_JMP|BPF_JEQ|BPF_K,
1752 [BPF_S_JMP_JEQ_X] = BPF_JMP|BPF_JEQ|BPF_X,
1753 [BPF_S_JMP_JGE_K] = BPF_JMP|BPF_JGE|BPF_K,
1754 [BPF_S_JMP_JGE_X] = BPF_JMP|BPF_JGE|BPF_X,
1755 [BPF_S_JMP_JGT_K] = BPF_JMP|BPF_JGT|BPF_K,
1756 [BPF_S_JMP_JGT_X] = BPF_JMP|BPF_JGT|BPF_X,
1757 [BPF_S_JMP_JSET_K] = BPF_JMP|BPF_JSET|BPF_K,
1758 [BPF_S_JMP_JSET_X] = BPF_JMP|BPF_JSET|BPF_X,
1764 to->code = decodes[code];
1770 int sk_get_filter(struct sock *sk, struct sock_filter __user *ubuf,
1773 struct sock_fprog_kern *fprog;
1774 struct sk_filter *filter;
1778 filter = rcu_dereference_protected(sk->sk_filter,
1779 sock_owned_by_user(sk));
1783 /* We're copying the filter that has been originally attached,
1784 * so no conversion/decode needed anymore.
1786 fprog = filter->orig_prog;
1790 /* User space only enquires number of filter blocks. */
1794 if (len < fprog->len)
1798 if (copy_to_user(ubuf, fprog->filter, sk_filter_proglen(fprog)))
1801 /* Instead of bytes, the API requests to return the number