sys/linux: support callback BPF functions

Commit [1] upstream introduced a new BPF helper, bpf_for_each_map_elem,
which comes with callback functions (BPF programs). The callback
function's address is provided via a 64-bit IMM load instruction where
the first 32-bit of the immediate value are the offset from the current
instruction to the start of the callback function. The 64-bit value is
then rewritten into the address of the callback function.

Callback BPF functions are similar to BPF_PSEUDO_CALL functions, except
the offset to the function is converted into an address to be passed to
a BPF helper. The same workaround is thus used to encode the offset in
syzkaller, given we can't currently limit the offset to the program
size.

1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=69c087ba6225b
Signed-off-by: Paul Chaignon <paul@isovalent.com>

1 files changed, 14 insertions, 0 deletions

diff --git a/sys/linux/bpf.txt b/sys/linux/bpf.txt
index e7d3a512b..fcf0a8f07 100644
--- a/sys/linux/bpf.txt
+++ b/sys/linux/bpf.txt
@@ -236,6 +236,7 @@ bpf_insn [
 	map_val		bpf_insn_map_value
 	map_idx_val	bpf_insn_map_idx_value
 	btf_id		bpf_insn_btf_id
+	cb_func		bpf_insn_cb_func
 ] [varlen]
 
 bpf_insn_generic {
@@ -413,6 +414,19 @@ bpf_insn_map_idx_value {
 	imm2	int32
 }
 
+bpf_insn_cb_func {
+	code	const[bpf_insn_load_imm_dw, int8]
+	dst	flags[bpf_reg, int8:4]
+	src	const[BPF_PSEUDO_FUNC, int8:4]
+	off	const[0, int16]
+# NEED: to limit the call offset to the program size, we'd need support for path expressions inside ranges of values.
+	imm	int32[-8:8]
+	code2	const[0, int8]
+	regs2	const[0, int8]
+	off2	const[0, int16]
+	imm2	const[0, int32]
+}
+
 bpf_insn_btf_id {
 	code	const[bpf_insn_load_imm_dw, int8]
 	dst	flags[bpf_reg, int8:4]