bpf generator fails with radio + subtype probe-req

[ryancdotorg]

Used alone, with optimizations on, (wlan[0] & 0xfc) == 0x40 and subtype probe-req produce the same bytecode. However if I examine the radiotap header via bpf different bytecode is generated. Please see samples below:

tcpdump version 4.99.4
libpcap version 1.10.4 (with TPACKET_V3)
OpenSSL 1.1.1t  7 Feb 2023
# tcpdump -d -y IEEE802_11_RADIO 'subtype probe-req'
# 5d64c17672b015af55ed53fd68ad5d3230f2d59cd1a4262e1cc8f15c01d14c4d
(000) ldb      [3]
(001) lsh      #8
(002) tax      
(003) ldb      [2]
(004) or       x
(005) tax      
(006) ldb      [x + 0]
(007) and      #0xfc
(008) jeq      #0x40            jt 9	jf 10
(009) ret      #262144
(010) ret      #0
# tcpdump -d -y IEEE802_11_RADIO 'type mgt subtype probe-req'
# 5d64c17672b015af55ed53fd68ad5d3230f2d59cd1a4262e1cc8f15c01d14c4d
(000) ldb      [3]
(001) lsh      #8
(002) tax      
(003) ldb      [2]
(004) or       x
(005) tax      
(006) ldb      [x + 0]
(007) and      #0xfc
(008) jeq      #0x40            jt 9	jf 10
(009) ret      #262144
(010) ret      #0
# tcpdump -d -y IEEE802_11_RADIO '(wlan[0] & 0xfc) == 0x40'
# 5d64c17672b015af55ed53fd68ad5d3230f2d59cd1a4262e1cc8f15c01d14c4d
(000) ldb      [3]
(001) lsh      #8
(002) tax      
(003) ldb      [2]
(004) or       x
(005) tax      
(006) ldb      [x + 0]
(007) and      #0xfc
(008) jeq      #0x40            jt 9	jf 10
(009) ret      #262144
(010) ret      #0
# tcpdump -d -y IEEE802_11_RADIO '(radio[16] & 0x40) == 0 and subtype probe-req'
# d459e763c9ae84f2b833b68c446a4081713552b0088ec21dbb65c3cae7eb5fa0
(000) ldb      [16]
(001) jset     #0x40            jt 6	jf 2
(002) ldb      [0]
(003) and      #0xfc
(004) jeq      #0x40            jt 5	jf 6
(005) ret      #262144
(006) ret      #0
# tcpdump -d -y IEEE802_11_RADIO '(radio[16] & 0x40) == 0 and type mgt subtype probe-req'
# d459e763c9ae84f2b833b68c446a4081713552b0088ec21dbb65c3cae7eb5fa0
(000) ldb      [16]
(001) jset     #0x40            jt 6	jf 2
(002) ldb      [0]
(003) and      #0xfc
(004) jeq      #0x40            jt 5	jf 6
(005) ret      #262144
(006) ret      #0
# tcpdump -d -y IEEE802_11_RADIO '(radio[16] & 0x40) == 0 and (wlan[0] & 0xfc) == 0x40'
# e1bd174a8c279e51d38e91fa3ad29f75900b84fed22c3c7fa969ca2fc2cae543
(000) ldb      [3]
(001) lsh      #8
(002) tax      
(003) ldb      [2]
(004) or       x
(005) st       M[5]
(006) ldb      [16]
(007) jset     #0x40            jt 13	jf 8
(008) ldx      M[5]
(009) ldb      [x + 0]
(010) and      #0xfc
(011) jeq      #0x40            jt 12	jf 13
(012) ret      #262144
(013) ret      #0
# tcpdump -d -y IEEE802_11_RADIO 'subtype probe-req and (radio[16] & 0x40) == 0'
# f5940ddf273c49d5bf75aa4d05773dac61a2be22d200ef5429c7b9fa6e4e4923
(000) ldb      [3]
(001) lsh      #8
(002) tax      
(003) ldb      [2]
(004) or       x
(005) tax      
(006) ldb      [x + 0]
(007) and      #0xfc
(008) jeq      #0x40            jt 9	jf 12
(009) ldb      [16]
(010) jset     #0x40            jt 12	jf 11
(011) ret      #262144
(012) ret      #0
# tcpdump -d -y IEEE802_11_RADIO 'type mgt subtype probe-req and (radio[16] & 0x40) == 0'
# f5940ddf273c49d5bf75aa4d05773dac61a2be22d200ef5429c7b9fa6e4e4923
(000) ldb      [3]
(001) lsh      #8
(002) tax      
(003) ldb      [2]
(004) or       x
(005) tax      
(006) ldb      [x + 0]
(007) and      #0xfc
(008) jeq      #0x40            jt 9	jf 12
(009) ldb      [16]
(010) jset     #0x40            jt 12	jf 11
(011) ret      #262144
(012) ret      #0
# tcpdump -d -y IEEE802_11_RADIO '(wlan[0] & 0xfc) == 0x40 and (radio[16] & 0x40) == 0'
# f5940ddf273c49d5bf75aa4d05773dac61a2be22d200ef5429c7b9fa6e4e4923
(000) ldb      [3]
(001) lsh      #8
(002) tax      
(003) ldb      [2]
(004) or       x
(005) tax      
(006) ldb      [x + 0]
(007) and      #0xfc
(008) jeq      #0x40            jt 9	jf 12
(009) ldb      [16]
(010) jset     #0x40            jt 12	jf 11
(011) ret      #262144
(012) ret      #0
# tcpdump -O -d -y IEEE802_11_RADIO 'subtype probe-req'
# bff9f3ac881e404b3b2723610a6a809d578156aad9a1489adc692331cc2e2d7a
(000) ldb      [3]
(001) lsh      #8
(002) tax      
(003) ldb      [2]
(004) or       x
(005) st       M[0]
(006) tax      
(007) ldx      M[0]
(008) ldb      [x + 0]
(009) and      #0xfc
(010) jeq      #0x40            jt 11	jf 12
(011) ret      #262144
(012) ret      #0
# tcpdump -O -d -y IEEE802_11_RADIO 'type mgt subtype probe-req'
# bff9f3ac881e404b3b2723610a6a809d578156aad9a1489adc692331cc2e2d7a
(000) ldb      [3]
(001) lsh      #8
(002) tax      
(003) ldb      [2]
(004) or       x
(005) st       M[0]
(006) tax      
(007) ldx      M[0]
(008) ldb      [x + 0]
(009) and      #0xfc
(010) jeq      #0x40            jt 11	jf 12
(011) ret      #262144
(012) ret      #0
# tcpdump -O -d -y IEEE802_11_RADIO '(wlan[0] & 0xfc) == 0x40'
# 266fa82cc6260f4a08e5c389dde4b40d0dc9dd741ee4dd590c0db5c56eec8055
(000) ldb      [3]
(001) lsh      #8
(002) tax      
(003) ldb      [2]
(004) or       x
(005) st       M[2]
(006) tax      
(007) ld       #0x0
(008) st       M[0]
(009) ldx      M[2]
(010) ld       M[0]
(011) add      x
(012) tax      
(013) ldb      [x + 0]
(014) st       M[1]
(015) ld       #0xfc
(016) st       M[3]
(017) ldx      M[3]
(018) ld       M[1]
(019) and      x
(020) st       M[3]
(021) ld       #0x40
(022) st       M[4]
(023) ldx      M[4]
(024) ld       M[3]
(025) sub      x
(026) jeq      #0x0             jt 27	jf 28
(027) ret      #262144
(028) ret      #0
# tcpdump -O -d -y IEEE802_11_RADIO '(radio[16] & 0x40) == 0 and subtype probe-req'
# 5663cbe6858797aa85a1962c1e99907bdfbac2e8477fa46e2e896080a3857dca
(000) ldb      [3]
(001) lsh      #8
(002) tax      
(003) ldb      [2]
(004) or       x
(005) st       M[3]
(006) tax      
(007) ld       #0x10
(008) st       M[0]
(009) ldx      M[0]
(010) ldb      [x + 0]
(011) st       M[1]
(012) ld       #0x40
(013) st       M[2]
(014) ldx      M[2]
(015) ld       M[1]
(016) and      x
(017) st       M[2]
(018) ld       #0x0
(019) st       M[3]
(020) ldx      M[3]
(021) ld       M[2]
(022) sub      x
(023) jeq      #0x0             jt 24	jf 29
(024) ldx      M[3]
(025) ldb      [x + 0]
(026) and      #0xfc
(027) jeq      #0x40            jt 28	jf 29
(028) ret      #262144
(029) ret      #0
# tcpdump -O -d -y IEEE802_11_RADIO '(radio[16] & 0x40) == 0 and type mgt subtype probe-req'
# 5663cbe6858797aa85a1962c1e99907bdfbac2e8477fa46e2e896080a3857dca
(000) ldb      [3]
(001) lsh      #8
(002) tax      
(003) ldb      [2]
(004) or       x
(005) st       M[3]
(006) tax      
(007) ld       #0x10
(008) st       M[0]
(009) ldx      M[0]
(010) ldb      [x + 0]
(011) st       M[1]
(012) ld       #0x40
(013) st       M[2]
(014) ldx      M[2]
(015) ld       M[1]
(016) and      x
(017) st       M[2]
(018) ld       #0x0
(019) st       M[3]
(020) ldx      M[3]
(021) ld       M[2]
(022) sub      x
(023) jeq      #0x0             jt 24	jf 29
(024) ldx      M[3]
(025) ldb      [x + 0]
(026) and      #0xfc
(027) jeq      #0x40            jt 28	jf 29
(028) ret      #262144
(029) ret      #0
# tcpdump -O -d -y IEEE802_11_RADIO '(radio[16] & 0x40) == 0 and (wlan[0] & 0xfc) == 0x40'
# 9f7a0c3d0457a1c19eba6f4b74404f13368f873ca771ecda907a5f26a6af72f8
(000) ldb      [3]
(001) lsh      #8
(002) tax      
(003) ldb      [2]
(004) or       x
(005) st       M[5]
(006) tax      
(007) ld       #0x10
(008) st       M[0]
(009) ldx      M[0]
(010) ldb      [x + 0]
(011) st       M[1]
(012) ld       #0x40
(013) st       M[2]
(014) ldx      M[2]
(015) ld       M[1]
(016) and      x
(017) st       M[2]
(018) ld       #0x0
(019) st       M[3]
(020) ldx      M[3]
(021) ld       M[2]
(022) sub      x
(023) jeq      #0x0             jt 24	jf 45
(024) ld       #0x0
(025) st       M[3]
(026) ldx      M[5]
(027) ld       M[3]
(028) add      x
(029) tax      
(030) ldb      [x + 0]
(031) st       M[4]
(032) ld       #0xfc
(033) st       M[6]
(034) ldx      M[6]
(035) ld       M[4]
(036) and      x
(037) st       M[6]
(038) ld       #0x40
(039) st       M[7]
(040) ldx      M[7]
(041) ld       M[6]
(042) sub      x
(043) jeq      #0x0             jt 44	jf 45
(044) ret      #262144
(045) ret      #0
# tcpdump -O -d -y IEEE802_11_RADIO 'subtype probe-req and (radio[16] & 0x40) == 0'
# cb22cf48f5315b1bb7a25debbc9ca3faead89f44640129cee2fda9ddafac3dcd
(000) ldb      [3]
(001) lsh      #8
(002) tax      
(003) ldb      [2]
(004) or       x
(005) st       M[0]
(006) tax      
(007) ldx      M[0]
(008) ldb      [x + 0]
(009) and      #0xfc
(010) jeq      #0x40            jt 11	jf 29
(011) ld       #0x10
(012) st       M[1]
(013) ldx      M[1]
(014) ldb      [x + 0]
(015) st       M[2]
(016) ld       #0x40
(017) st       M[3]
(018) ldx      M[3]
(019) ld       M[2]
(020) and      x
(021) st       M[3]
(022) ld       #0x0
(023) st       M[4]
(024) ldx      M[4]
(025) ld       M[3]
(026) sub      x
(027) jeq      #0x0             jt 28	jf 29
(028) ret      #262144
(029) ret      #0
# tcpdump -O -d -y IEEE802_11_RADIO 'type mgt subtype probe-req and (radio[16] & 0x40) == 0'
# cb22cf48f5315b1bb7a25debbc9ca3faead89f44640129cee2fda9ddafac3dcd
(000) ldb      [3]
(001) lsh      #8
(002) tax      
(003) ldb      [2]
(004) or       x
(005) st       M[0]
(006) tax      
(007) ldx      M[0]
(008) ldb      [x + 0]
(009) and      #0xfc
(010) jeq      #0x40            jt 11	jf 29
(011) ld       #0x10
(012) st       M[1]
(013) ldx      M[1]
(014) ldb      [x + 0]
(015) st       M[2]
(016) ld       #0x40
(017) st       M[3]
(018) ldx      M[3]
(019) ld       M[2]
(020) and      x
(021) st       M[3]
(022) ld       #0x0
(023) st       M[4]
(024) ldx      M[4]
(025) ld       M[3]
(026) sub      x
(027) jeq      #0x0             jt 28	jf 29
(028) ret      #262144
(029) ret      #0
# tcpdump -O -d -y IEEE802_11_RADIO '(wlan[0] & 0xfc) == 0x40 and (radio[16] & 0x40) == 0'
# b90d61fe8476f958050f069afb085797b1758ad13c5359418dab69b2dd442549
(000) ldb      [3]
(001) lsh      #8
(002) tax      
(003) ldb      [2]
(004) or       x
(005) st       M[2]
(006) tax      
(007) ld       #0x0
(008) st       M[0]
(009) ldx      M[2]
(010) ld       M[0]
(011) add      x
(012) tax      
(013) ldb      [x + 0]
(014) st       M[1]
(015) ld       #0xfc
(016) st       M[3]
(017) ldx      M[3]
(018) ld       M[1]
(019) and      x
(020) st       M[3]
(021) ld       #0x40
(022) st       M[4]
(023) ldx      M[4]
(024) ld       M[3]
(025) sub      x
(026) jeq      #0x0             jt 27	jf 45
(027) ld       #0x10
(028) st       M[4]
(029) ldx      M[4]
(030) ldb      [x + 0]
(031) st       M[5]
(032) ld       #0x40
(033) st       M[6]
(034) ldx      M[6]
(035) ld       M[5]
(036) and      x
(037) st       M[6]
(038) ld       #0x0
(039) st       M[7]
(040) ldx      M[7]
(041) ld       M[6]
(042) sub      x
(043) jeq      #0x0             jt 44	jf 45
(044) ret      #262144
(045) ret      #0

I don't think this is an optimizer bug.

[booo]

Hi,

I have the following BPF JIT configuration on myl laptop:

CONFIG_HAVE_EBPF_JIT=y
CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
CONFIG_BPF_JIT=y
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_BPF_JIT_DEFAULT_ON=y

I have problems filtering for probe request frames with:

sudo tcpdump -i wlp3s0 subtype probe-req

I do not receive any frames with this configuration and filter.

On other systems where I can disable the BPF_JIT with echo 0 > /proc/sys/net/core/bpf_jit_enable I can receive probe request frames.

I filed a bug in the ArchLinux bug tracker (https://bugs.archlinux.org/task/79573) but they directed me here. To me it seems that in my case the JIT does something wrong but I don't know what exactly.

[ryancdotorg]

@booo That seems like a kernel bug rather than a libpcap bug, and your problem appears to be unrelated to this issue, which is specifically about the BPF code libpcap generates for some specific filter expressions.