ANDROID: bpf: validate bpf_func when BPF_JIT is enabled with CFI

	struct sock_filter	*filter;

};

#define BPF_BINARY_HEADER_MAGIC	0x05de0e82

struct bpf_binary_header {

#ifdef CONFIG_CFI_CLANG

	u32 magic;

#endif

	u32 pages;

	/* Some arches need word alignment for their instructions */

	u8 image[] __aligned(4);

	struct bpf_prog	*prog;

};

#define BPF_PROG_RUN(filter, ctx)  (*(filter)->bpf_func)(ctx, (filter)->insnsi)

#if IS_ENABLED(CONFIG_BPF_JIT) && IS_ENABLED(CONFIG_CFI_CLANG)

/*

 * With JIT, the kernel makes an indirect call to dynamically generated

 * code. Use bpf_call_func to perform additional validation of the call

 * target to narrow down attack surface. Architectures implementing BPF

 * JIT can override arch_bpf_jit_check_func for arch-specific checking.

 */

extern bool arch_bpf_jit_check_func(const struct bpf_prog *prog);

static inline unsigned int __bpf_call_func(const struct bpf_prog *prog,

					   const void *ctx)

{

	/* Call interpreter with CFI checking. */

	return prog->bpf_func(ctx, prog->insnsi);

}

static inline struct bpf_binary_header *

bpf_jit_binary_hdr(const struct bpf_prog *fp);

static inline unsigned int __nocfi bpf_call_func(const struct bpf_prog *prog,

						 const void *ctx)

{

	const struct bpf_binary_header *hdr = bpf_jit_binary_hdr(prog);

	if (!IS_ENABLED(CONFIG_BPF_JIT_ALWAYS_ON) && !prog->jited)

		return __bpf_call_func(prog, ctx);

	/*

	 * We are about to call dynamically generated code. Check that the

	 * page has bpf_binary_header with a valid magic to limit possible

	 * call targets.

	 */

	BUG_ON(hdr->magic != BPF_BINARY_HEADER_MAGIC ||

		!arch_bpf_jit_check_func(prog));

	/* Call jited function without CFI checking. */

	return prog->bpf_func(ctx, prog->insnsi);

}

static inline void bpf_jit_set_header_magic(struct bpf_binary_header *hdr)

{

	hdr->magic = BPF_BINARY_HEADER_MAGIC;

}

#else

static inline unsigned int bpf_call_func(const struct bpf_prog *prog,

					 const void *ctx)

{

	return prog->bpf_func(ctx, prog->insnsi);

}

static inline void bpf_jit_set_header_magic(struct bpf_binary_header *hdr)

{

}

#endif

#define BPF_PROG_RUN(filter, ctx)  bpf_call_func(filter, ctx)

#define BPF_SKB_CB_LEN QDISC_CB_PRIV_LEN

	atomic_long_sub(pages, &bpf_jit_current);

}

#if IS_ENABLED(CONFIG_BPF_JIT) && IS_ENABLED(CONFIG_CFI_CLANG)

bool __weak arch_bpf_jit_check_func(const struct bpf_prog *prog)

{

	return true;

}

EXPORT_SYMBOL(arch_bpf_jit_check_func);

#endif

struct bpf_binary_header *

bpf_jit_binary_alloc(unsigned int proglen, u8 **image_ptr,

		     unsigned int alignment,

	/* Fill space with illegal/arch-dep instructions. */

	bpf_fill_ill_insns(hdr, size);

	bpf_jit_set_header_magic(hdr);

	hdr->pages = pages;

	hole = min_t(unsigned int, size - (proglen + sizeof(*hdr)),

		     PAGE_SIZE - sizeof(*hdr));

	bool "enable BPF Just In Time compiler"

	depends on HAVE_CBPF_JIT || HAVE_EBPF_JIT

	depends on MODULES

	depends on !CFI

	---help---

	  Berkeley Packet Filter filtering capabilities are normally handled

	  by an interpreter. This option allows kernel to generate a native