author Paul Chaignon <paul.chaignon@gmail.com> 2023-10-02 11:56:01 +0200
committer Aleksandr Nogikh <nogikh@google.com> 2023-10-16 15:57:22 +0000
commit 8e4e71ae23a4d19c024f959445d207d06a795f56 (patch)
tree 2a51d5fd0bfb64903b689c07a8d299dbe9f9d356 /sys/linux/bpf.txt.const
parent ff4096d35b1c40d7e6b5d1aea4741ab2bea0297d (diff)
sys/linux: describe full call to bpf_trace_printk helper
This commit describes the full snippet of BPF bytecode necessary to successfully call the bpf_trace_printk helper. That helper has the following prototype:

    long bpf_trace_printk(const char *fmt, u32 fmt_size, ...)

We thus need to initialize the fmt string on the stack, then prepare the arguments (pointer to the stack & size), before actually calling the helper. To that end, we rely on previously defined templates to express the specific instructions we need (e.g., init register with imm, perform ALU operation on register with imm). The corresponding eBPF bytecode is kept in comment as that is much easier to parse for anyone familiar with the bytecode.

In addition to the test case introduced in the next commit, this new description was tested by focusing fuzzing on bpf_trace_printk. That is, a new syscall description PROG_LOAD_FOCUS was added to cover only programs with bpf_trace_printk. Syzkaller was then executed on 16 VMs (2 logical cores each) with only the bpf$PROG_LOAD_FOCUS and bpf$BPF_PROG_TEST_RUN syscalls enabled. It was able to reach the definition of this helper [1] within a few minutes.

1 - https://github.com/torvalds/linux/blob/v6.5/kernel/trace/bpf_trace.c#L375

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
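The three steps the commit message names (fmt string on the stack, pointer and size in r1/r2, then the call), written out as raw instruction encodings. This is an added example, not code from syzkaller or from this commit; the `insn` struct, `REGS` macro, `build_trace_printk_call` name, the trailing `r0 = 0; exit` pair and the little-endian host are assumptions of the example.

```c
#include <stdint.h>
#include <string.h>

/* Same 8-byte layout as the kernel's struct bpf_insn on a little-endian
 * host: regs keeps dst in the low nibble and src in the high nibble. */
struct insn { uint8_t code; uint8_t regs; int16_t off; int32_t imm; };

#define BPF_FUNC_trace_printk 6 /* helper id, as in the bpf.txt.const hunk */
#define REGS(dst, src) ((uint8_t)(((src) << 4) | (dst)))

/* Writes the call sequence into out (room for 10 slots) and returns the
 * slot count, or -1 unless fmt is exactly 7 characters plus the NUL. */
int build_trace_printk_call(struct insn *out, const char *fmt, int32_t arg)
{
    uint32_t lo, hi;
    int n = 0;

    /* The helper rejects a format buffer that is not NUL-terminated. */
    if (memchr(fmt, '\0', 8) != fmt + 7)
        return -1;
    memcpy(&lo, fmt, 4);     /* low half of the 64-bit immediate */
    memcpy(&hi, fmt + 4, 4); /* high half, carried by the second slot */

    /* 1. Put the format string on the stack at fp-8. */
    out[n++] = (struct insn){0x18, REGS(1, 0), 0, (int32_t)lo}; /* r1 = imm64 */
    out[n++] = (struct insn){0x00, 0, 0, (int32_t)hi};          /* (2nd slot) */
    out[n++] = (struct insn){0x7b, REGS(10, 1), -8, 0}; /* *(u64 *)(r10-8) = r1 */

    /* 2. Prepare the arguments: fmt pointer, fmt_size, one vararg. */
    out[n++] = (struct insn){0xbf, REGS(1, 10), 0, 0};   /* r1 = r10 */
    out[n++] = (struct insn){0x07, REGS(1, 0), 0, -8};   /* r1 += -8 */
    out[n++] = (struct insn){0xb7, REGS(2, 0), 0, 8};    /* r2 = 8   */
    out[n++] = (struct insn){0xb7, REGS(3, 0), 0, arg};  /* r3 = arg */

    /* 3. Call the helper, then return 0 from the program. */
    out[n++] = (struct insn){0x85, 0, 0, BPF_FUNC_trace_printk};
    out[n++] = (struct insn){0xb7, REGS(0, 0), 0, 0};    /* r0 = 0 */
    out[n++] = (struct insn){0x95, 0, 0, 0};             /* exit   */
    return n;
}
```

bpf_trace_printk is a GPL-only helper, so a program built from this array has to be loaded with a GPL-compatible license string.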
Diffstat (limited to 'sys/linux/bpf.txt.const')
-rw-r--r-- sys/linux/bpf.txt.const 1
1 files changed, 1 insertions, 0 deletions
diff --git a/sys/linux/bpf.txt.const b/sys/linux/bpf.txt.const
index c3ccf7bfe..e6eff547d 100644
--- a/sys/linux/bpf.txt.const
+++ b/sys/linux/bpf.txt.const
@@ -61,6 +61,7 @@ BPF_EXIST = 2
BPF_EXIT0 = 9
BPF_FLOW_DISSECTOR = 17
BPF_FUNC_INFO_SIZE = 8
+BPF_FUNC_trace_printk = 6
BPF_F_AFTER = 16
BPF_F_ALLOW_MULTI = 2
BPF_F_ALLOW_OVERRIDE = 1
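Review bot: the added `BPF_FUNC_trace_printk = 6` line gives no indication of how the value was obtained, and this file is a flat name/value list with no room for a comment tying it to its source. The value does match the helper's position in the kernel's BPF helper enum, but please confirm the line came from regenerating the constants with syz-extract rather than from a manual edit, so it stays in step with whatever description references it. Placement is fine: the entry keeps the list sorted, sitting after BPF_FUNC_INFO_SIZE and before BPF_F_AFTER.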