authorPaul Chaignon <paul@isovalent.com>2021-12-19 22:36:19 +0100
committerDmitry Vyukov <dvyukov@google.com>2021-12-21 05:33:37 +0100
commit761f1410d51aa921477925675bd13b6006b377ca (patch)
treee72ba2993e073ea904e6e072690cfb9f32cc7a2b /sys/linux
parent249a240f56f88e69fe97cdcf8fb614ade2251958 (diff)
sys/linux: support BPF calls to kernel functions
Commit [1] upstream introduced support for BPF calls to kernel functions, via a new call instruction BPF_PSEUDO_KFUNC_CALL. In this new instruction, the immediate value is the BTF ID of the function to call in the kernel. This commit introduces basic support for this new instruction in syzkaller. The immediate value will point to a BTF ID, but a fair amount of additional work would be required to ensure that BTF ID is actually pointing to a kernel function. 1 - https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e6ac2450d6dee Signed-off-by: Paul Chaignon <paul@isovalent.com>
Diffstat (limited to 'sys/linux')
-rw-r--r--sys/linux/bpf.txt9
-rw-r--r--sys/linux/bpf.txt.const1
2 files changed, 10 insertions, 0 deletions
diff --git a/sys/linux/bpf.txt b/sys/linux/bpf.txt
index fcf0a8f07..30fecac48 100644
--- a/sys/linux/bpf.txt
+++ b/sys/linux/bpf.txt
@@ -229,6 +229,7 @@ bpf_insn [
jmp bpf_insn_jmp
call bpf_insn_call_helper
func bpf_insn_call_func
+ kfunc bpf_insn_call_kfunc
exit bpf_insn_exit
initr0 bpf_insn_init_r0
map_fd bpf_insn_map_fd
@@ -343,6 +344,14 @@ bpf_insn_call_func {
func int32[-8:8]
}
+bpf_insn_call_kfunc {
+ code const[bpf_call_code, int8]
+ dst const[0, int8:4]
+ src const[BPF_PSEUDO_KFUNC_CALL, int8:4]
+ off const[0, int16]
+ kfunc btf_type_id
+}
+
define bpf_call_code BPF_JMP | BPF_CALL
bpf_insn_exit {
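Review bot: The new `bpf_insn_call_kfunc` struct has no comment saying that its `kfunc` field accepts any `btf_type_id`, not only the ID of a function the kernel lets BPF programs call. That limitation is stated in the commit message but will not be visible to someone reading bpf.txt, so I would add above the struct: `# imm is a BTF type ID; it is not constrained to kernel functions, so the verifier will likely reject most of these calls.` Separately, `off const[0, int16]` pins the offset to zero. If I recall correctly, newer kernels read `off` on this instruction as an index into `fd_array` to select a module's BTF, in which case that verifier path is never exercised, so a `# TODO: off selects module BTF on newer kernels` line would record the gap. The definition of `btf_type_id` is outside this hunk, so its value range is assumed here.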
diff --git a/sys/linux/bpf.txt.const b/sys/linux/bpf.txt.const
index 5f8cf4c07..4a4462f3b 100644
--- a/sys/linux/bpf.txt.const
+++ b/sys/linux/bpf.txt.const
@@ -193,6 +193,7 @@ BPF_PROG_TYPE_XDP = 6
BPF_PSEUDO_BTF_ID = 3
BPF_PSEUDO_CALL = 1
BPF_PSEUDO_FUNC = 4
+BPF_PSEUDO_KFUNC_CALL = 2
BPF_PSEUDO_MAP_FD = 1
BPF_PSEUDO_MAP_IDX = 5
BPF_PSEUDO_MAP_IDX_VALUE = 6