xref: /external/syzkaller/sys/linux/bpf.txt

# Copyright 2015 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

# Note these sysctls have radical effect on code paths inside of kernel:
# net.core.bpf_jit_enable  = { 0, 1, 2 }
# net.core.bpf_jit_harden  = { 0, 1, 2 }

include <linux/bpf.h>

resource fd_bpf_map[fd]: BPF_PSEUDO_MAP_FD
resource fd_bpf_prog[fd]
resource bpf_prog_id[int32]: 0, -1
resource bpf_map_id[int32]: 0, -1

bpf$MAP_CREATE(cmd const[BPF_MAP_CREATE], arg ptr[in, bpf_map_create_arg], size len[arg]) fd_bpf_map
bpf$MAP_LOOKUP_ELEM(cmd const[BPF_MAP_LOOKUP_ELEM], arg ptr[in, bpf_map_lookup_arg], size len[arg])
bpf$MAP_UPDATE_ELEM(cmd const[BPF_MAP_UPDATE_ELEM], arg ptr[in, bpf_map_update_arg], size len[arg])
bpf$MAP_DELETE_ELEM(cmd const[BPF_MAP_DELETE_ELEM], arg ptr[in, bpf_map_delete_arg], size len[arg])
bpf$MAP_GET_NEXT_KEY(cmd const[BPF_MAP_GET_NEXT_KEY], arg ptr[in, bpf_map_get_next_arg], size len[arg])
bpf$PROG_LOAD(cmd const[BPF_PROG_LOAD], arg ptr[in, bpf_prog], size len[arg]) fd_bpf_prog
bpf$OBJ_PIN_MAP(cmd const[BPF_OBJ_PIN], arg ptr[in, bpf_obj_pin_map], size len[arg])
bpf$OBJ_PIN_PROG(cmd const[BPF_OBJ_PIN], arg ptr[in, bpf_obj_pin_prog], size len[arg])
bpf$OBJ_GET_MAP(cmd const[BPF_OBJ_GET], arg ptr[in, bpf_obj_get], size len[arg]) fd_bpf_map
bpf$OBJ_GET_PROG(cmd const[BPF_OBJ_GET], arg ptr[in, bpf_obj_get], size len[arg]) fd_bpf_prog
bpf$BPF_PROG_ATTACH(cmd const[BPF_PROG_ATTACH], arg ptr[in, bpf_attach_arg], size len[arg])
bpf$BPF_PROG_DETACH(cmd const[BPF_PROG_DETACH], arg ptr[in, bpf_detach_arg], size len[arg])
bpf$BPF_PROG_TEST_RUN(cmd const[BPF_PROG_TEST_RUN], arg ptr[in, bpf_test_prog_arg], size len[arg])
bpf$BPF_PROG_GET_NEXT_ID(cmd const[BPF_PROG_GET_NEXT_ID], arg ptr[in, int32], size len[arg])
bpf$BPF_MAP_GET_NEXT_ID(cmd const[BPF_MAP_GET_NEXT_ID], arg ptr[in, int32], size len[arg])
bpf$BPF_PROG_GET_FD_BY_ID(cmd const[BPF_PROG_GET_FD_BY_ID], arg ptr[in, bpf_prog_id], size len[arg]) fd_bpf_prog
bpf$BPF_MAP_GET_FD_BY_ID(cmd const[BPF_MAP_GET_FD_BY_ID], arg ptr[in, bpf_map_get_fd_by_id_arg], size len[arg]) fd_bpf_map
bpf$BPF_GET_PROG_INFO(cmd const[BPF_OBJ_GET_INFO_BY_FD], arg ptr[in, bpf_get_prog_info_arg], size len[arg])
bpf$BPF_GET_MAP_INFO(cmd const[BPF_OBJ_GET_INFO_BY_FD], arg ptr[in, bpf_get_map_info_arg], size len[arg])
bpf$BPF_PROG_QUERY(cmd const[BPF_PROG_QUERY], arg ptr[in, bpf_prog_query], size len[arg])
bpf$BPF_RAW_TRACEPOINT_OPEN(cmd const[BPF_RAW_TRACEPOINT_OPEN], arg ptr[in, bpf_raw_tracepoint], size len[arg]) fd

bpf_map_create_arg {
	type		flags[bpf_map_type, int32]
	ksize		int32
	vsize		int32
	max		int32
	flags		flags[map_flags, int32]
	inner		fd_bpf_map[opt]
	node		int32
	map_name	array[const[0, int8], BPF_OBJ_NAME_LEN]
}

bpf_map_get_fd_by_id_arg {
	map_id		bpf_map_id
	next_id		int32
	open_flags	flags[bpf_open_flags, int32]
}

bpf_map_lookup_arg {
	map	fd_bpf_map
	key	ptr64[in, array[int8]]
	val	ptr64[out, array[int8]]
}

bpf_map_update_arg {
	map	fd_bpf_map
	key	ptr64[in, array[int8]]
	val	ptr64[in, array[int8]]
	flags	flags[bpf_map_flags, int64]
}

bpf_map_delete_arg {
	map	fd_bpf_map
	key	ptr64[in, array[int8]]
}

bpf_map_get_next_arg {
	map	fd_bpf_map
	key	ptr64[in, array[int8]]
	next	ptr64[out, array[int8]]
}

bpf_prog {
	type			flags[bpf_prog_type, int32]
	ninsn			bytesize8[insns, int32]
	insns			ptr64[in, bpf_instructions]
	license			ptr64[in, string[bpf_licenses]]
	loglev			int32
	logsize			len[log, int32]
	log			ptr64[out, array[int8], opt]
	kern_version		flags[bpf_kern_version, int32]
	flags			flags[bpf_prog_load_flags, int32]
	prog_name		array[const[0, int8], BPF_OBJ_NAME_LEN]
	prog_ifindex		ifindex[opt]
	expected_attach_type	flags[bpf_attach_type, int32]
}

bpf_licenses = "GPL", "syzkaller"
bpf_kern_version = 0x40f00, 0x41000, 0x41100

bpf_instructions [
	framed	bpf_framed_program
	raw	array[bpf_insn]
] [varlen]

bpf_framed_program {
	initr0	bpf_insn_init_r0
	body	array[bpf_insn]
	exit	bpf_insn_exit
} [packed]

bpf_insn [
	generic	bpf_insn_generic
	ldst	bpf_insn_ldst
	alu	bpf_insn_alu
	jmp	bpf_insn_jmp
	call	bpf_insn_call
	exit	bpf_insn_exit
	initr0	bpf_insn_init_r0
	map	bpf_insn_map
]

bpf_insn_generic {
	code	int8
	regs	int8
	off	int16
	imm	int32
}

bpf_insn_ldst {
	code_class	flags[bpf_ldst_insn, int8:3]
	code_size	flags[bpf_ldst_size, int8:2]
	code_mode	flags[bpf_ldst_mode, int8:3]
	dst		flags[bpf_reg, int8:4]
	src		flags[bpf_reg, int8:4]
	off		flags[bpf_insn_offsets, int16]
	imm		flags[bpf_insn_immediates, int32]
}

bpf_ldst_insn = BPF_LD, BPF_LDX, BPF_ST, BPF_STX
bpf_ldst_size = BPF_W0, BPF_H0, BPF_B0, BPF_DW0
bpf_ldst_mode = BPF_IMM0, BPF_ABS0, BPF_IND0, BPF_MEM0, BPF_XADD0

define BPF_W0	BPF_W >> 3
define BPF_H0	BPF_H >> 3
define BPF_B0	BPF_B >> 3
define BPF_DW0	BPF_DW >> 3

define BPF_IMM0	BPF_IMM >> 5
define BPF_ABS0	BPF_ABS >> 5
define BPF_IND0	BPF_IND >> 5
define BPF_MEM0	BPF_MEM >> 5
define BPF_XADD0	BPF_XADD >> 5

bpf_insn_alu {
	code_class	flags[bpf_alu_insn, int8:3]
	code_s		int8:1
	code_op		flags[bpf_alu_op, int8:4]
	dst		flags[bpf_reg, int8:4]
	src		flags[bpf_reg, int8:4]
	off		flags[bpf_insn_offsets, int16]
	imm		flags[bpf_insn_immediates, int32]
}

bpf_alu_insn = BPF_ALU, BPF_ALU64
bpf_alu_op = BPF_ADD0, BPF_SUB0, BPF_MUL0, BPF_DIV0, BPF_OR0, BPF_AND0, BPF_LSH0, BPF_RSH0, BPF_NEG0, BPF_MOD0, BPF_XOR0, BPF_MOV0, BPF_ARSH0, BPF_END0

define BPF_ADD0	BPF_ADD >> 4
define BPF_SUB0	BPF_SUB >> 4
define BPF_MUL0	BPF_MUL >> 4
define BPF_DIV0	BPF_DIV >> 4
define BPF_OR0	BPF_OR >> 4
define BPF_AND0	BPF_AND >> 4
define BPF_LSH0	BPF_LSH >> 4
define BPF_RSH0	BPF_RSH >> 4
define BPF_NEG0	BPF_NEG >> 4
define BPF_MOD0	BPF_MOD >> 4
define BPF_XOR0	BPF_XOR >> 4
define BPF_MOV0	BPF_MOV >> 4
define BPF_ARSH0	BPF_ARSH >> 4
define BPF_END0	BPF_END >> 4

bpf_insn_jmp {
	code_class	const[BPF_JMP, int8:3]
	code_s		int8:1
	code_op		flags[bpf_jmp_op, int8:4]
	dst		flags[bpf_reg, int8:4]
	src		flags[bpf_reg, int8:4]
	off		flags[bpf_insn_offsets, int16]
	imm		flags[bpf_insn_immediates, int32]
}

bpf_jmp_op = BPF_JA0, BPF_JEQ0, BPF_JGT0, BPF_JGE0, BPF_JSET0, BPF_JNE0, BPF_JSGT0, BPF_JSGE0, BPF_CALL0, BPF_EXIT0, BPF_JLT0, BPF_JLE0, BPF_JSLT0, BPF_JSLE0

define BPF_JA0	BPF_JA >> 4
define BPF_JEQ0	BPF_JEQ >> 4
define BPF_JGT0	BPF_JGT >> 4
define BPF_JGE0	BPF_JGE >> 4
define BPF_JSET0	BPF_JSET >> 4
define BPF_JNE0	BPF_JNE >> 4
define BPF_JSGT0	BPF_JSGT >> 4
define BPF_JSGE0	BPF_JSGE >> 4
define BPF_CALL0	BPF_CALL >> 4
define BPF_EXIT0	BPF_EXIT >> 4
define BPF_JLT0	BPF_JLT >> 4
define BPF_JLE0	BPF_JLE >> 4
define BPF_JSLT0	BPF_JSLT >> 4
define BPF_JSLE0	BPF_JSLE >> 4

bpf_insn_call {
	code	const[bpf_call_code, int8]
	regs	const[0, int8]
	off	const[0, int16]
	func	int32[0:__BPF_FUNC_MAX_ID]
}

define bpf_call_code	BPF_JMP | BPF_CALL

bpf_insn_exit {
	code	const[bpf_exit_code, int8]
	regs	const[0, int8]
	off	const[0, int16]
	imm	const[0, int32]
}

define bpf_exit_code	BPF_JMP | BPF_EXIT

bpf_insn_init_r0 {
	code	const[bpf_insn_load_imm_dw, int8]
	dst	const[BPF_REG_0, int8:4]
	src	const[0, int8:4]
	off	const[0, int16]
	imm	int32
	code2	const[0, int8]
	regs2	const[0, int8]
	off2	const[0, int16]
	imm2	int32
}

bpf_insn_map {
	code	const[bpf_insn_load_imm_dw, int8]
	dst	flags[bpf_reg, int8:4]
	src	const[BPF_PSEUDO_MAP_FD, int8:4]
	off	const[0, int16]
	imm	fd_bpf_map
	code2	const[0, int8]
	regs2	const[0, int8]
	off2	const[0, int16]
	imm2	const[0, int32]
}

define bpf_insn_load_imm_dw	BPF_LD | BPF_DW | BPF_IMM

# Slightly prune state space, these values frequently must be 0.
bpf_insn_offsets = 0, 1, 2, 4, 6, 8, 12, 16, 24, 32, 48, 64, 80, 128, 256, -1, -2, -4, -8, -12, -16, -32, -64
bpf_insn_immediates = 0, 1, 4, 8, 16, -1, -4, -16
bpf_reg = BPF_REG_0, BPF_REG_1, BPF_REG_2, BPF_REG_3, BPF_REG_4, BPF_REG_5, BPF_REG_6, BPF_REG_7, BPF_REG_8, BPF_REG_9, BPF_REG_10

# TODO: these filenames must be on bpf filesystem
bpf_obj_pin_map {
	path	ptr64[in, filename]
	fd	fd_bpf_map
}

bpf_obj_pin_prog {
	path	ptr64[in, filename]
	fd	fd_bpf_prog
}

bpf_obj_get {
	path		ptr64[in, filename]
	fd		const[0, int32]
	file_flags	flags[bpf_open_flags, int32]
}

bpf_attach_arg {
	target_fd	fd_cgroup
	attach_bpf_fd	fd_bpf_prog
	type		flags[bpf_attach_type, int32]
	flags		flags[bpf_attach_flags, int32]
}

bpf_detach_arg {
	target	const[0, int32]
	prog	fd_bpf_prog
	type	flags[bpf_attach_type, int32]
	flags	flags[bpf_attach_flags, int32]
	prog2	const[0, int32]
}

bpf_test_prog_arg {
	prog	fd_bpf_prog
	retval	const[0, int32]
	insize	len[indata, int32]
	outsize	len[outdata, int32]
	indata	ptr64[in, array[int8]]
	outdata	ptr64[out, array[int8]]
	repeat	int32
	dur	const[0, int32]
}

bpf_get_prog_info_arg {
	prog	fd_bpf_prog
	len	len[info, int32]
	info	ptr64[out, bpf_prog_info]
}

bpf_prog_info {
	type			int32
	id			bpf_prog_id
	tag			int64
	jited_prog_len		int32
	xlated_prog_len		int32
	jited_prog_insns	int64
	xlated_prog_insns	int64
	load_time		int64
	created_by_uid		int32
	nr_map_ids		int32
	map_ids			int64
	name			array[int8, BPF_OBJ_NAME_LEN]
} [align_8]

bpf_get_map_info_arg {
	prog	fd_bpf_map
	len	len[info, int32]
	info	ptr64[out, bpf_map_info]
}

bpf_map_info {
	type		int32
	id		bpf_map_id
	key_size	int32
	value_size	int32
	max_entries	int32
	map_flags	int32
	name		array[int8, BPF_OBJ_NAME_LEN]
} [align_8]

bpf_prog_query {
	target_fd	fd_cgroup
	attach_type	flags[bpf_prog_query_attach_type, int32]
	query_flags	flags[bpf_prog_query_flags, int32]
	attach_flags	int32
	prog_ids	ptr64[out, array[int32]]
	prog_cnt	len[prog_ids, int32]
} [align_8]

bpf_raw_tracepoint {
	name	ptr64[in, string]
	prog_fd	fd_bpf_prog
} [align_8]

bpf_map_type = BPF_MAP_TYPE_HASH, BPF_MAP_TYPE_ARRAY, BPF_MAP_TYPE_PROG_ARRAY, BPF_MAP_TYPE_PERF_EVENT_ARRAY, BPF_MAP_TYPE_STACK_TRACE, BPF_MAP_TYPE_CGROUP_ARRAY, BPF_MAP_TYPE_PERCPU_HASH, BPF_MAP_TYPE_PERCPU_ARRAY, BPF_MAP_TYPE_LRU_HASH, BPF_MAP_TYPE_LRU_PERCPU_HASH, BPF_MAP_TYPE_LPM_TRIE, BPF_MAP_TYPE_ARRAY_OF_MAPS, BPF_MAP_TYPE_HASH_OF_MAPS, BPF_MAP_TYPE_DEVMAP, BPF_MAP_TYPE_SOCKMAP, BPF_MAP_TYPE_CPUMAP
bpf_map_flags = BPF_ANY, BPF_NOEXIST, BPF_EXIST
bpf_prog_type = BPF_PROG_TYPE_SOCKET_FILTER, BPF_PROG_TYPE_KPROBE, BPF_PROG_TYPE_SCHED_CLS, BPF_PROG_TYPE_SCHED_ACT, BPF_PROG_TYPE_TRACEPOINT, BPF_PROG_TYPE_XDP, BPF_PROG_TYPE_PERF_EVENT, BPF_PROG_TYPE_CGROUP_SKB, BPF_PROG_TYPE_CGROUP_SOCK, BPF_PROG_TYPE_LWT_IN, BPF_PROG_TYPE_LWT_OUT, BPF_PROG_TYPE_LWT_XMIT, BPF_PROG_TYPE_SOCK_OPS, BPF_PROG_TYPE_SK_SKB, BPF_PROG_TYPE_CGROUP_DEVICE, BPF_PROG_TYPE_SK_MSG, BPF_PROG_TYPE_RAW_TRACEPOINT, BPF_PROG_TYPE_CGROUP_SOCK_ADDR
map_flags = BPF_F_NO_PREALLOC, BPF_F_NO_COMMON_LRU, BPF_F_NUMA_NODE, BPF_F_RDONLY, BPF_F_WRONLY, BPF_F_STACK_BUILD_ID
bpf_attach_type = BPF_CGROUP_INET_INGRESS, BPF_CGROUP_INET_EGRESS, BPF_CGROUP_INET_SOCK_CREATE, BPF_CGROUP_SOCK_OPS, BPF_SK_SKB_STREAM_PARSER, BPF_SK_SKB_STREAM_VERDICT, BPF_CGROUP_DEVICE, BPF_SK_MSG_VERDICT, BPF_CGROUP_INET4_BIND, BPF_CGROUP_INET6_BIND, BPF_CGROUP_INET4_CONNECT, BPF_CGROUP_INET6_CONNECT, BPF_CGROUP_INET4_POST_BIND, BPF_CGROUP_INET6_POST_BIND
bpf_prog_load_flags = BPF_F_STRICT_ALIGNMENT
bpf_attach_flags = BPF_F_ALLOW_OVERRIDE, BPF_F_ALLOW_MULTI
bpf_prog_query_flags = BPF_F_QUERY_EFFECTIVE
bpf_prog_query_attach_type = BPF_CGROUP_INET_INGRESS, BPF_CGROUP_INET_EGRESS, BPF_CGROUP_INET_SOCK_CREATE, BPF_CGROUP_SOCK_OPS, BPF_CGROUP_DEVICE
bpf_open_flags = BPF_F_RDONLY, BPF_F_WRONLY