Merge branch 'skb_sk-sk_fullsock-tcp_sock'

	ARG_ANYTHING,		/* any (initialized) argument is ok */

	ARG_PTR_TO_SOCKET,	/* pointer to bpf_sock */

	ARG_PTR_TO_SPIN_LOCK,	/* pointer to bpf_spin_lock */

	ARG_PTR_TO_SOCK_COMMON,	/* pointer to sock_common */

};

/* type of values returned from helper functions */

	RET_PTR_TO_MAP_VALUE,		/* returns a pointer to map elem value */

	RET_PTR_TO_MAP_VALUE_OR_NULL,	/* returns a pointer to map elem value or NULL */

	RET_PTR_TO_SOCKET_OR_NULL,	/* returns a pointer to a socket or NULL */

	RET_PTR_TO_TCP_SOCK_OR_NULL,	/* returns a pointer to a tcp_sock or NULL */

};

/* eBPF function prototype used by verifier to allow BPF_CALLs from eBPF programs

	PTR_TO_FLOW_KEYS,	 /* reg points to bpf_flow_keys */

	PTR_TO_SOCKET,		 /* reg points to struct bpf_sock */

	PTR_TO_SOCKET_OR_NULL,	 /* reg points to struct bpf_sock or NULL */

	PTR_TO_SOCK_COMMON,	 /* reg points to sock_common */

	PTR_TO_SOCK_COMMON_OR_NULL, /* reg points to sock_common or NULL */

	PTR_TO_TCP_SOCK,	 /* reg points to struct tcp_sock */

	PTR_TO_TCP_SOCK_OR_NULL, /* reg points to struct tcp_sock or NULL */

};

/* The information passed from prog-specific *_is_valid_access

u64 bpf_user_rnd_u32(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5);

#if defined(CONFIG_NET)

bool bpf_sock_common_is_valid_access(int off, int size,

				     enum bpf_access_type type,

				     struct bpf_insn_access_aux *info);

bool bpf_sock_is_valid_access(int off, int size, enum bpf_access_type type,

			      struct bpf_insn_access_aux *info);

u32 bpf_sock_convert_ctx_access(enum bpf_access_type type,

				struct bpf_prog *prog,

				u32 *target_size);

#else

static inline bool bpf_sock_common_is_valid_access(int off, int size,

						   enum bpf_access_type type,

						   struct bpf_insn_access_aux *info)

{

	return false;

}

static inline bool bpf_sock_is_valid_access(int off, int size,

					    enum bpf_access_type type,

					    struct bpf_insn_access_aux *info)

}

#endif

#ifdef CONFIG_INET

bool bpf_tcp_sock_is_valid_access(int off, int size, enum bpf_access_type type,

				  struct bpf_insn_access_aux *info);

u32 bpf_tcp_sock_convert_ctx_access(enum bpf_access_type type,

				    const struct bpf_insn *si,

				    struct bpf_insn *insn_buf,

				    struct bpf_prog *prog,

				    u32 *target_size);

#else

static inline bool bpf_tcp_sock_is_valid_access(int off, int size,

						enum bpf_access_type type,

						struct bpf_insn_access_aux *info)

{

	return false;

}

static inline u32 bpf_tcp_sock_convert_ctx_access(enum bpf_access_type type,

						  const struct bpf_insn *si,

						  struct bpf_insn *insn_buf,

						  struct bpf_prog *prog,

						  u32 *target_size)

{

	return 0;

}

#endif /* CONFIG_INET */

#endif /* _LINUX_BPF_H */

 *		"**y**".

 *	Return

 *		0

 *

 * struct bpf_sock *bpf_sk_fullsock(struct bpf_sock *sk)

 *	Description

 *		This helper gets a **struct bpf_sock** pointer such

 *		that all the fields in bpf_sock can be accessed.

 *	Return

 *		A **struct bpf_sock** pointer on success, or NULL in

 *		case of failure.

 *

 * struct bpf_tcp_sock *bpf_tcp_sock(struct bpf_sock *sk)

 *	Description

 *		This helper gets a **struct bpf_tcp_sock** pointer from a

 *		**struct bpf_sock** pointer.

 *

 *	Return

 *		A **struct bpf_tcp_sock** pointer on success, or NULL in

 *		case of failure.

 */

#define __BPF_FUNC_MAPPER(FN)		\

	FN(unspec),			\

	FN(msg_pop_data),		\

	FN(rc_pointer_rel),		\

	FN(spin_lock),			\

	FN(spin_unlock),

	FN(spin_unlock),		\

	FN(sk_fullsock),		\

	FN(tcp_sock),

/* integer value in 'imm' field of BPF_CALL instruction selects which helper

 * function eBPF program intends to call

	__u64 tstamp;

	__u32 wire_len;

	__u32 gso_segs;

	__bpf_md_ptr(struct bpf_sock *, sk);

};

struct bpf_tunnel_key {

	__u32 protocol;

	__u32 mark;

	__u32 priority;

	__u32 src_ip4;		/* Allows 1,2,4-byte read.

				 * Stored in network byte order.

	/* IP address also allows 1 and 2 bytes access */

	__u32 src_ip4;

	__u32 src_ip6[4];

	__u32 src_port;		/* host byte order */

	__u32 dst_port;		/* network byte order */

	__u32 dst_ip4;

	__u32 dst_ip6[4];

	__u32 state;

};

struct bpf_tcp_sock {

	__u32 snd_cwnd;		/* Sending congestion window		*/

	__u32 srtt_us;		/* smoothed round trip time << 3 in usecs */

	__u32 rtt_min;

	__u32 snd_ssthresh;	/* Slow start size threshold		*/

	__u32 rcv_nxt;		/* What we want to receive next		*/

	__u32 snd_nxt;		/* Next sequence we send		*/

	__u32 snd_una;		/* First byte we want an ack for	*/

	__u32 mss_cache;	/* Cached effective mss, not including SACKS */

	__u32 ecn_flags;	/* ECN status bits.			*/

	__u32 rate_delivered;	/* saved rate sample: packets delivered */

	__u32 rate_interval_us;	/* saved rate sample: time elapsed */

	__u32 packets_out;	/* Packets which are "in flight"	*/

	__u32 retrans_out;	/* Retransmitted packets out		*/

	__u32 total_retrans;	/* Total retransmits for entire connection */

	__u32 segs_in;		/* RFC4898 tcpEStatsPerfSegsIn

				 * total number of segments in.

				 */

	__u32 src_ip6[4];	/* Allows 1,2,4-byte read.

				 * Stored in network byte order.

	__u32 data_segs_in;	/* RFC4898 tcpEStatsPerfDataSegsIn

				 * total number of data segments in.

				 */

	__u32 segs_out;		/* RFC4898 tcpEStatsPerfSegsOut

				 * The total number of segments sent.

				 */

	__u32 data_segs_out;	/* RFC4898 tcpEStatsPerfDataSegsOut

				 * total number of data segments sent.

				 */

	__u32 lost_out;		/* Lost packets			*/

	__u32 sacked_out;	/* SACK'd packets			*/

	__u64 bytes_received;	/* RFC4898 tcpEStatsAppHCThruOctetsReceived

				 * sum(delta(rcv_nxt)), or how many bytes

				 * were acked.

				 */

	__u32 src_port;		/* Allows 4-byte read.

				 * Stored in host byte order

	__u64 bytes_acked;	/* RFC4898 tcpEStatsAppHCThruOctetsAcked

				 * sum(delta(snd_una)), or how many bytes

				 * were acked.

				 */

};

	       type == PTR_TO_PACKET_META;

}

static bool type_is_sk_pointer(enum bpf_reg_type type)

{

	return type == PTR_TO_SOCKET ||

		type == PTR_TO_SOCK_COMMON ||

		type == PTR_TO_TCP_SOCK;

}

static bool reg_type_may_be_null(enum bpf_reg_type type)

{

	return type == PTR_TO_MAP_VALUE_OR_NULL ||

	       type == PTR_TO_SOCKET_OR_NULL;

	       type == PTR_TO_SOCKET_OR_NULL ||

	       type == PTR_TO_SOCK_COMMON_OR_NULL ||

	       type == PTR_TO_TCP_SOCK_OR_NULL;

}

static bool type_is_refcounted(enum bpf_reg_type type)

	return func_id == BPF_FUNC_sk_release;

}

static bool is_acquire_function(enum bpf_func_id func_id)

{

	return func_id == BPF_FUNC_sk_lookup_tcp ||

		func_id == BPF_FUNC_sk_lookup_udp;

}

/* string representation of 'enum bpf_reg_type' */

static const char * const reg_type_str[] = {

	[NOT_INIT]		= "?",

	[PTR_TO_FLOW_KEYS]	= "flow_keys",

	[PTR_TO_SOCKET]		= "sock",

	[PTR_TO_SOCKET_OR_NULL] = "sock_or_null",

	[PTR_TO_SOCK_COMMON]	= "sock_common",

	[PTR_TO_SOCK_COMMON_OR_NULL] = "sock_common_or_null",

	[PTR_TO_TCP_SOCK]	= "tcp_sock",

	[PTR_TO_TCP_SOCK_OR_NULL] = "tcp_sock_or_null",

};

static char slot_type_char[] = {

}

/* release function corresponding to acquire_reference_state(). Idempotent. */

static int __release_reference_state(struct bpf_func_state *state, int ptr_id)

static int release_reference_state(struct bpf_func_state *state, int ptr_id)

{

	int i, last_idx;

	if (!ptr_id)

		return -EFAULT;

	last_idx = state->acquired_refs - 1;

	for (i = 0; i < state->acquired_refs; i++) {

		if (state->refs[i].id == ptr_id) {

			return 0;

		}

	}

	return -EFAULT;

}

/* variation on the above for cases where we expect that there must be an

 * outstanding reference for the specified ptr_id.

 */

static int release_reference_state(struct bpf_verifier_env *env, int ptr_id)

{

	struct bpf_func_state *state = cur_func(env);

	int err;

	err = __release_reference_state(state, ptr_id);

	if (WARN_ON_ONCE(err != 0))

		verbose(env, "verifier internal error: can't release reference\n");

	return err;

	return -EINVAL;

}

static int transfer_reference_state(struct bpf_func_state *dst,

	case CONST_PTR_TO_MAP:

	case PTR_TO_SOCKET:

	case PTR_TO_SOCKET_OR_NULL:

	case PTR_TO_SOCK_COMMON:

	case PTR_TO_SOCK_COMMON_OR_NULL:

	case PTR_TO_TCP_SOCK:

	case PTR_TO_TCP_SOCK_OR_NULL:

		return true;

	default:

		return false;

	struct bpf_reg_state *regs = cur_regs(env);

	struct bpf_reg_state *reg = &regs[regno];

	struct bpf_insn_access_aux info = {};

	bool valid;

	if (reg->smin_value < 0) {

		verbose(env, "R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n",

		return -EACCES;

	}

	if (!bpf_sock_is_valid_access(off, size, t, &info)) {

		verbose(env, "invalid bpf_sock access off=%d size=%d\n",

			off, size);

		return -EACCES;

	switch (reg->type) {

	case PTR_TO_SOCK_COMMON:

		valid = bpf_sock_common_is_valid_access(off, size, t, &info);

		break;

	case PTR_TO_SOCKET:

		valid = bpf_sock_is_valid_access(off, size, t, &info);

		break;

	case PTR_TO_TCP_SOCK:

		valid = bpf_tcp_sock_is_valid_access(off, size, t, &info);

		break;

	default:

		valid = false;

	}

	env->insn_aux_data[insn_idx].ctx_field_size = info.ctx_field_size;

	if (valid) {

		env->insn_aux_data[insn_idx].ctx_field_size =

			info.ctx_field_size;

		return 0;

	}

	verbose(env, "R%d invalid %s access off=%d size=%d\n",

		regno, reg_type_str[reg->type], off, size);

	return -EACCES;

}

static bool __is_pointer_value(bool allow_ptr_leaks,

			       const struct bpf_reg_state *reg)

{

{

	const struct bpf_reg_state *reg = reg_state(env, regno);

	return reg->type == PTR_TO_CTX ||

	       reg->type == PTR_TO_SOCKET;

	return reg->type == PTR_TO_CTX;

}

static bool is_sk_reg(struct bpf_verifier_env *env, int regno)

{

	const struct bpf_reg_state *reg = reg_state(env, regno);

	return type_is_sk_pointer(reg->type);

}

static bool is_pkt_reg(struct bpf_verifier_env *env, int regno)

	case PTR_TO_SOCKET:

		pointer_desc = "sock ";

		break;

	case PTR_TO_SOCK_COMMON:

		pointer_desc = "sock_common ";

		break;

	case PTR_TO_TCP_SOCK:

		pointer_desc = "tcp_sock ";

		break;

	default:

		break;

	}

			 * PTR_TO_PACKET[_META,_END]. In the latter

			 * case, we know the offset is zero.

			 */

			if (reg_type == SCALAR_VALUE)

			if (reg_type == SCALAR_VALUE) {

				mark_reg_unknown(env, regs, value_regno);

			else

			} else {

				mark_reg_known_zero(env, regs,

						    value_regno);

				if (reg_type_may_be_null(reg_type))

					regs[value_regno].id = ++env->id_gen;

			}

			regs[value_regno].type = reg_type;

		}

		err = check_flow_keys_access(env, off, size);

		if (!err && t == BPF_READ && value_regno >= 0)

			mark_reg_unknown(env, regs, value_regno);

	} else if (reg->type == PTR_TO_SOCKET) {

	} else if (type_is_sk_pointer(reg->type)) {

		if (t == BPF_WRITE) {

			verbose(env, "cannot write into socket\n");

			verbose(env, "R%d cannot write into %s\n",

				regno, reg_type_str[reg->type]);

			return -EACCES;

		}

		err = check_sock_access(env, insn_idx, regno, off, size, t);

	if (is_ctx_reg(env, insn->dst_reg) ||

	    is_pkt_reg(env, insn->dst_reg) ||

	    is_flow_key_reg(env, insn->dst_reg)) {

	    is_flow_key_reg(env, insn->dst_reg) ||

	    is_sk_reg(env, insn->dst_reg)) {

		verbose(env, "BPF_XADD stores into R%d %s is not allowed\n",

			insn->dst_reg,

			reg_type_str[reg_state(env, insn->dst_reg)->type]);

		err = check_ctx_reg(env, reg, regno);

		if (err < 0)

			return err;

	} else if (arg_type == ARG_PTR_TO_SOCK_COMMON) {

		expected_type = PTR_TO_SOCK_COMMON;

		/* Any sk pointer can be ARG_PTR_TO_SOCK_COMMON */

		if (!type_is_sk_pointer(type))

			goto err_type;

	} else if (arg_type == ARG_PTR_TO_SOCKET) {

		expected_type = PTR_TO_SOCKET;

		if (type != expected_type)

	for (i = 0; i <= vstate->curframe; i++)

		release_reg_references(env, vstate->frame[i], meta->ptr_id);

	return release_reference_state(env, meta->ptr_id);

	return release_reference_state(cur_func(env), meta->ptr_id);

}

static int check_func_call(struct bpf_verifier_env *env, struct bpf_insn *insn,

		}

	} else if (is_release_function(func_id)) {

		err = release_reference(env, &meta);

		if (err)

		if (err) {

			verbose(env, "func %s#%d reference has not been acquired before\n",

				func_id_name(func_id), func_id);

			return err;

		}

	}

	regs = cur_regs(env);

			regs[BPF_REG_0].id = ++env->id_gen;

		}

	} else if (fn->ret_type == RET_PTR_TO_SOCKET_OR_NULL) {

		mark_reg_known_zero(env, regs, BPF_REG_0);

		regs[BPF_REG_0].type = PTR_TO_SOCKET_OR_NULL;

		if (is_acquire_function(func_id)) {

			int id = acquire_reference_state(env, insn_idx);

			if (id < 0)

				return id;

		mark_reg_known_zero(env, regs, BPF_REG_0);

		regs[BPF_REG_0].type = PTR_TO_SOCKET_OR_NULL;

			/* For release_reference() */

			regs[BPF_REG_0].id = id;

		} else {

			/* For mark_ptr_or_null_reg() */

			regs[BPF_REG_0].id = ++env->id_gen;

		}

	} else if (fn->ret_type == RET_PTR_TO_TCP_SOCK_OR_NULL) {

		mark_reg_known_zero(env, regs, BPF_REG_0);

		regs[BPF_REG_0].type = PTR_TO_TCP_SOCK_OR_NULL;

		regs[BPF_REG_0].id = ++env->id_gen;

	} else {

		verbose(env, "unknown return type %d of func %s#%d\n",

			fn->ret_type, func_id_name(func_id), func_id);

	case PTR_TO_PACKET_END:

	case PTR_TO_SOCKET:

	case PTR_TO_SOCKET_OR_NULL:

	case PTR_TO_SOCK_COMMON:

	case PTR_TO_SOCK_COMMON_OR_NULL:

	case PTR_TO_TCP_SOCK:

	case PTR_TO_TCP_SOCK_OR_NULL:

		verbose(env, "R%d pointer arithmetic on %s prohibited\n",

			dst, reg_type_str[ptr_reg->type]);

		return -EACCES;

			}

		} else if (reg->type == PTR_TO_SOCKET_OR_NULL) {

			reg->type = PTR_TO_SOCKET;

		} else if (reg->type == PTR_TO_SOCK_COMMON_OR_NULL) {

			reg->type = PTR_TO_SOCK_COMMON;

		} else if (reg->type == PTR_TO_TCP_SOCK_OR_NULL) {

			reg->type = PTR_TO_TCP_SOCK;

		}

		if (is_null || !(reg_is_refcounted(reg) ||

				 reg_may_point_to_spin_lock(reg))) {

	int i, j;

	if (reg_is_refcounted_or_null(&regs[regno]) && is_null)

		__release_reference_state(state, id);

		release_reference_state(state, id);

	for (i = 0; i < MAX_BPF_REG; i++)

		mark_ptr_or_null_reg(state, &regs[i], id, is_null);

	case PTR_TO_FLOW_KEYS:

	case PTR_TO_SOCKET:

	case PTR_TO_SOCKET_OR_NULL:

	case PTR_TO_SOCK_COMMON:

	case PTR_TO_SOCK_COMMON_OR_NULL:

	case PTR_TO_TCP_SOCK:

	case PTR_TO_TCP_SOCK_OR_NULL:

		/* Only valid matches are exact, which memcmp() above

		 * would have accepted

		 */

	case PTR_TO_CTX:

	case PTR_TO_SOCKET:

	case PTR_TO_SOCKET_OR_NULL:

	case PTR_TO_SOCK_COMMON:

	case PTR_TO_SOCK_COMMON_OR_NULL:

	case PTR_TO_TCP_SOCK:

	case PTR_TO_TCP_SOCK_OR_NULL:

		return false;

	default:

		return true;

			convert_ctx_access = ops->convert_ctx_access;

			break;

		case PTR_TO_SOCKET:

		case PTR_TO_SOCK_COMMON:

			convert_ctx_access = bpf_sock_convert_ctx_access;

			break;

		case PTR_TO_TCP_SOCK:

			convert_ctx_access = bpf_tcp_sock_convert_ctx_access;

			break;

		default:

			continue;

		}

 *		"**y**".

 *	Return

 *		0

 *

 * struct bpf_sock *bpf_sk_fullsock(struct bpf_sock *sk)

 *	Description

 *		This helper gets a **struct bpf_sock** pointer such

 *		that all the fields in bpf_sock can be accessed.

 *	Return

 *		A **struct bpf_sock** pointer on success, or NULL in

 *		case of failure.

 *

 * struct bpf_tcp_sock *bpf_tcp_sock(struct bpf_sock *sk)

 *	Description

 *		This helper gets a **struct bpf_tcp_sock** pointer from a

 *		**struct bpf_sock** pointer.

 *

 *	Return

 *		A **struct bpf_tcp_sock** pointer on success, or NULL in

 *		case of failure.

 */

#define __BPF_FUNC_MAPPER(FN)		\

	FN(unspec),			\

	FN(msg_pop_data),		\

	FN(rc_pointer_rel),		\

	FN(spin_lock),			\

	FN(spin_unlock),

	FN(spin_unlock),		\

	FN(sk_fullsock),		\

	FN(tcp_sock),

/* integer value in 'imm' field of BPF_CALL instruction selects which helper

 * function eBPF program intends to call

	__u64 tstamp;

	__u32 wire_len;

	__u32 gso_segs;

	__bpf_md_ptr(struct bpf_sock *, sk);

};

struct bpf_tunnel_key {

	__u32 protocol;

	__u32 mark;

	__u32 priority;

	__u32 src_ip4;		/* Allows 1,2,4-byte read.

				 * Stored in network byte order.

	/* IP address also allows 1 and 2 bytes access */

	__u32 src_ip4;

	__u32 src_ip6[4];

	__u32 src_port;		/* host byte order */

	__u32 dst_port;		/* network byte order */

	__u32 dst_ip4;

	__u32 dst_ip6[4];

	__u32 state;

};

struct bpf_tcp_sock {

	__u32 snd_cwnd;		/* Sending congestion window		*/

	__u32 srtt_us;		/* smoothed round trip time << 3 in usecs */

	__u32 rtt_min;

	__u32 snd_ssthresh;	/* Slow start size threshold		*/

	__u32 rcv_nxt;		/* What we want to receive next		*/

	__u32 snd_nxt;		/* Next sequence we send		*/

	__u32 snd_una;		/* First byte we want an ack for	*/

	__u32 mss_cache;	/* Cached effective mss, not including SACKS */

	__u32 ecn_flags;	/* ECN status bits.			*/

	__u32 rate_delivered;	/* saved rate sample: packets delivered */

	__u32 rate_interval_us;	/* saved rate sample: time elapsed */

	__u32 packets_out;	/* Packets which are "in flight"	*/

	__u32 retrans_out;	/* Retransmitted packets out		*/

	__u32 total_retrans;	/* Total retransmits for entire connection */

	__u32 segs_in;		/* RFC4898 tcpEStatsPerfSegsIn

				 * total number of segments in.

				 */

	__u32 src_ip6[4];	/* Allows 1,2,4-byte read.

				 * Stored in network byte order.

	__u32 data_segs_in;	/* RFC4898 tcpEStatsPerfDataSegsIn

				 * total number of data segments in.

				 */

	__u32 segs_out;		/* RFC4898 tcpEStatsPerfSegsOut

				 * The total number of segments sent.

				 */

	__u32 data_segs_out;	/* RFC4898 tcpEStatsPerfDataSegsOut

				 * total number of data segments sent.

				 */

	__u32 lost_out;		/* Lost packets			*/

	__u32 sacked_out;	/* SACK'd packets			*/

	__u64 bytes_received;	/* RFC4898 tcpEStatsAppHCThruOctetsReceived

				 * sum(delta(rcv_nxt)), or how many bytes

				 * were acked.

				 */

	__u32 src_port;		/* Allows 4-byte read.

				 * Stored in host byte order

	__u64 bytes_acked;	/* RFC4898 tcpEStatsAppHCThruOctetsAcked

				 * sum(delta(snd_una)), or how many bytes

				 * were acked.

				 */

};