path: root/sys/linux/bpf.txt.const
author Paul Chaignon <paul.chaignon@gmail.com> 2023-11-06 10:10:20 +0100
committer Aleksandr Nogikh <nogikh@google.com> 2023-11-06 18:08:10 +0000
commit b1547b1e6ffceaa58562db48077ea5588372eacd
tree 4aaa54ee299e3803e57e1de0f13a26e70cdb6e00 /sys/linux/bpf.txt.const
parent 46390d8e7dd2127b50fab99fee4467aca46ab28c
sys/linux: describe call to bpf_tail_call helper
The bpf_tail_call helper has the following prototype.

    bpf_tail_call(void *ctx, struct bpf_map *prog_array_map, u32 index)

R2 should therefore hold a pointer to a tail call map (aka, prog array map). That tail call map should be updated such that index points to another BPF program. In our case, index is hardcoded to 0.

Finally, R1 should hold a pointer to the context. That is always true at the start of BPF programs so we don't change R1. If syzkaller generates other BPF instructions between the start of the program and the bpf_tail_call helper call, they might clobber the R1 register. That seems unlikely to happen in practice and it's also hard to prevent it anyway.

To load the map fd into R2, we need to templatize bpf_insn_map_fd such that we can use it with a specific register and map fd.

There's one special case here: we need to explicitly set R0 to 0 after the helper call because this helper has the following verifier prototype:

    .ret_type = RET_VOID,
    .arg1_type = ARG_PTR_TO_CTX,
    .arg2_type = ARG_CONST_MAP_PTR,
    .arg3_type = ARG_ANYTHING,

Given the return verifier type is RET_VOID, if R0 isn't set explicitly, the verifier will complain with "R0 !read_ok" when we exit.

Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Diffstat (limited to 'sys/linux/bpf.txt.const')
-rw-r--r-- sys/linux/bpf.txt.const 1
1 files changed, 1 insertions, 0 deletions
diff --git a/sys/linux/bpf.txt.const b/sys/linux/bpf.txt.const
index e1d7a549e..4e55324c0 100644
--- a/sys/linux/bpf.txt.const
+++ b/sys/linux/bpf.txt.const
@@ -67,6 +67,7 @@ BPF_EXIT0 = 9
BPF_FLOW_DISSECTOR = 17
BPF_FUNC_INFO_SIZE = 8
BPF_FUNC_snprintf = 165
+BPF_FUNC_tail_call = 12
BPF_FUNC_trace_printk = 6
BPF_F_AFTER = 16
BPF_F_ALLOW_MULTI = 2
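Review bot: at the added line BPF_FUNC_tail_call = 12, confirm the value was produced by regenerating this constants file rather than by a manual edit. It sits in sorted order between BPF_FUNC_snprintf and BPF_FUNC_trace_printk and agrees with the kernel's UAPI helper numbering, which is consistent with generated output. This view is limited to bpf.txt.const, so the description that consumes the constant (the templated bpf_insn_map_fd and the explicit R0 = 0 after the call, both described in the commit message) needs its own review in the rest of the commit. The commit message accepts that instructions generated before the call may clobber R1; a short comment next to that description stating the limitation would keep it visible outside the commit log.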