Merge tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next

BPF Instruction Set Architecture (ISA)

======================================

This document specifies the BPF instruction set architecture (ISA).

eBPF (which is no longer an acronym for anything), also commonly

referred to as BPF, is a technology with origins in the Linux kernel

that can run untrusted programs in a privileged context such as an

operating system kernel. This document specifies the BPF instruction

set architecture (ISA).

Documentation conventions

=========================

  ===== =========

For example, `u32` is a type whose valid values are all the 32-bit unsigned

numbers and `s16` is a types whose valid values are all the 16-bit signed

numbers and `s16` is a type whose valid values are all the 16-bit signed

numbers.

Functions

group.

The use of named conformance groups enables interoperability between a runtime

that executes instructions, and tools as such compilers that generate

that executes instructions, and tools such as compilers that generate

instructions for the runtime.  Thus, capability discovery in terms of

conformance groups might be done manually by users or automatically by tools.

    (`64-bit immediate instructions`_ reuse this field for other purposes)

  **dst_reg**

    destination register number (0-10)

    destination register number (0-10), unless otherwise specified

    (future instructions might reuse this field for other purposes)

**offset**

  signed integer offset used with pointer arithmetic

  signed integer offset used with pointer arithmetic, except where

  otherwise specified (some arithmetic instructions reuse this field

  for other purposes)

**imm**

  signed integer immediate value

  operation to perform, encoded as explained above

**regs**

  The source and destination register numbers, encoded as explained above

  The source and destination register numbers (unless otherwise

  specified), encoded as explained above

**offset**

  signed integer offset used with pointer arithmetic

  signed integer offset used with pointer arithmetic, unless

  otherwise specified

**imm**

  signed integer immediate value

  dst = dst ^ imm

Note that most instructions have instruction offset of 0. Only three instructions

(``SDIV``, ``SMOD``, ``MOVSX``) have a non-zero offset.

Note that most arithmetic instructions have 'offset' set to 0. Only three instructions

(``SDIV``, ``SMOD``, ``MOVSX``) have a non-zero 'offset'.

Division, multiplication, and modulo operations for ``ALU`` are part

of the "divmul32" conformance group, and division, multiplication, and

when the dividend or divisor are negative, where implementations often

vary by language such that Python, Ruby, etc.  differ from C, Go, Java,

etc. This specification requires that signed modulo use truncated division

(where -13 % 3 == -1) as implemented in C, Go, etc.:

(where -13 % 3 == -1) as implemented in C, Go, etc.::

   a % n = a - n * trunc(a / n)

The ``MOVSX`` instruction does a move operation with sign extension.

``{MOVSX, X, ALU}`` :term:`sign extends<Sign Extend>` 8-bit and 16-bit operands into 32

bit operands, and zeroes the remaining upper 32 bits.

``{MOVSX, X, ALU}`` :term:`sign extends<Sign Extend>` 8-bit and 16-bit operands into

32-bit operands, and zeroes the remaining upper 32 bits.

``{MOVSX, X, ALU64}`` :term:`sign extends<Sign Extend>` 8-bit, 16-bit, and 32-bit

operands into 64 bit operands.  Unlike other arithmetic instructions,

operands into 64-bit operands.  Unlike other arithmetic instructions,

``MOVSX`` is only defined for register source operands (``X``).

The ``NEG`` instruction is only defined when the source bit is clear

Examples:

``{END, TO_LE, ALU}`` with imm = 16/32/64 means::

``{END, TO_LE, ALU}`` with 'imm' = 16/32/64 means::

  dst = htole16(dst)

  dst = htole32(dst)

  dst = htole64(dst)

``{END, TO_BE, ALU}`` with imm = 16/32/64 means::

``{END, TO_BE, ALU}`` with 'imm' = 16/32/64 means::

  dst = htobe16(dst)

  dst = htobe32(dst)

  dst = htobe64(dst)

``{END, TO_LE, ALU64}`` with imm = 16/32/64 means::

``{END, TO_LE, ALU64}`` with 'imm' = 16/32/64 means::

  dst = bswap16(dst)

  dst = bswap32(dst)

group unless otherwise specified.

The 'code' field encodes the operation as below:

========  =====  =======  ===============================  ===================================================

========  =====  =======  =================================  ===================================================

code      value  src_reg  description                        notes

========  =====  =======  ===============================  ===================================================

========  =====  =======  =================================  ===================================================

JA        0x0    0x0      PC += offset                       {JA, K, JMP} only

JA        0x0    0x0      PC += imm                          {JA, K, JMP32} only

JEQ       0x1    any      PC += offset if dst == src

JNE       0x5    any      PC += offset if dst != src

JSGT      0x6    any      PC += offset if dst > src          signed

JSGE      0x7    any      PC += offset if dst >= src         signed

CALL      0x8    0x0      call helper function by address  {CALL, K, JMP} only, see `Helper functions`_

CALL      0x8    0x0      call helper function by static ID  {CALL, K, JMP} only, see `Helper functions`_

CALL      0x8    0x1      call PC += imm                     {CALL, K, JMP} only, see `Program-local functions`_

CALL      0x8    0x2      call helper function by BTF ID     {CALL, K, JMP} only, see `Helper functions`_

EXIT      0x9    0x0      return                             {CALL, K, JMP} only

JLE       0xb    any      PC += offset if dst <= src         unsigned

JSLT      0xc    any      PC += offset if dst < src          signed

JSLE      0xd    any      PC += offset if dst <= src         signed

========  =====  =======  ===============================  ===================================================

========  =====  =======  =================================  ===================================================

where 'PC' denotes the program counter, and the offset to increment by

is in units of 64-bit instructions relative to the instruction following

the jump instruction.  Thus 'PC += 1' skips execution of the next

instruction if it's a basic instruction or results in undefined behavior

if the next instruction is a 128-bit wide instruction.

The BPF program needs to store the return value into register R0 before doing an

``EXIT``.

  gotol +imm

where 'imm' means the branch offset comes from insn 'imm' field.

where 'imm' means the branch offset comes from the 'imm' field.

Note that there are two flavors of ``JA`` instructions. The

``JMP`` class permits a 16-bit jump offset specified by the 'offset'

Helper functions are a concept whereby BPF programs can call into a

set of function calls exposed by the underlying platform.

Historically, each helper function was identified by an address

encoded in the imm field.  The available helper functions may differ

for each program type, but address values are unique across all program types.

Historically, each helper function was identified by a static ID

encoded in the 'imm' field.  The available helper functions may differ

for each program type, but static IDs are unique across all program types.

Platforms that support the BPF Type Format (BTF) support identifying

a helper function by a BTF ID encoded in the imm field, where the BTF ID

a helper function by a BTF ID encoded in the 'imm' field, where the BTF ID

identifies the helper name and type.

Program-local functions

~~~~~~~~~~~~~~~~~~~~~~~

Program-local functions are functions exposed by the same BPF program as the

caller, and are referenced by offset from the call instruction, similar to

``JA``.  The offset is encoded in the imm field of the call instruction.

A ``EXIT`` within the program-local function will return to the caller.

``JA``.  The offset is encoded in the 'imm' field of the call instruction.

An ``EXIT`` within the program-local function will return to the caller.

Load and store instructions

===========================

For load and store instructions (``LD``, ``LDX``, ``ST``, and ``STX``), the

8-bit 'opcode' field is divided as::

8-bit 'opcode' field is divided as follows::

  +-+-+-+-+-+-+-+-+

  |mode |sz |class|

  dst = *(signed size *) (src + offset)

Where size is one of: ``B``, ``H``, or ``W``, and

Where '<size>' is one of: ``B``, ``H``, or ``W``, and

'signed size' is one of: s8, s16, or s32.

Atomic operations

=======  =========================================  ===========  ==============

0x0      dst = (next_imm << 32) | imm               integer      integer

0x1      dst = map_by_fd(imm)                       map fd       map

0x2      dst = map_val(map_by_fd(imm)) + next_imm   map fd       data pointer

0x3      dst = var_addr(imm)                        variable id  data pointer

0x4      dst = code_addr(imm)                       integer      code pointer

0x2      dst = map_val(map_by_fd(imm)) + next_imm   map fd       data address

0x3      dst = var_addr(imm)                        variable id  data address

0x4      dst = code_addr(imm)                       integer      code address

0x5      dst = map_by_idx(imm)                      map index    map

0x6      dst = map_val(map_by_idx(imm)) + next_imm  map index    data pointer

0x6      dst = map_val(map_by_idx(imm)) + next_imm  map index    data address

=======  =========================================  ===========  ==============

where

F:	kernel/bpf/trampoline.c

F:	kernel/bpf/verifier.c

BPF [CRYPTO]

M:	Vadim Fedorenko <vadim.fedorenko@linux.dev>

L:	bpf@vger.kernel.org

S:	Maintained

F:	crypto/bpf_crypto_skcipher.c

F:	include/linux/bpf_crypto.h

F:	kernel/bpf/crypto.c

BPF [DOCUMENTATION] (Related to Standardization)

R:	David Vernet <void@manifault.com>

L:	bpf@vger.kernel.org

#define TCALL_CNT (MAX_BPF_JIT_REG + 2)

#define TMP_REG_3 (MAX_BPF_JIT_REG + 3)

#define FP_BOTTOM (MAX_BPF_JIT_REG + 4)

#define ARENA_VM_START (MAX_BPF_JIT_REG + 5)

#define check_imm(bits, imm) do {				\

	if ((((imm) > 0) && ((imm) >> (bits))) ||		\

	/* temporary register for blinding constants */

	[BPF_REG_AX] = A64_R(9),

	[FP_BOTTOM] = A64_R(27),

	/* callee saved register for kern_vm_start address */

	[ARENA_VM_START] = A64_R(28),

};

struct jit_ctx {

	__le32 *ro_image;

	u32 stack_size;

	int fpb_offset;

	u64 user_vm_start;

};

struct bpf_plt {

#define PROLOGUE_OFFSET (BTI_INSNS + 2 + PAC_INSNS + 8)

static int build_prologue(struct jit_ctx *ctx, bool ebpf_from_cbpf,

			  bool is_exception_cb)

			  bool is_exception_cb, u64 arena_vm_start)

{

	const struct bpf_prog *prog = ctx->prog;

	const bool is_main_prog = !bpf_is_subprog(prog);

	const u8 fp = bpf2a64[BPF_REG_FP];

	const u8 tcc = bpf2a64[TCALL_CNT];

	const u8 fpb = bpf2a64[FP_BOTTOM];

	const u8 arena_vm_base = bpf2a64[ARENA_VM_START];

	const int idx0 = ctx->idx;

	int cur_offset;

	/* Set up function call stack */

	emit(A64_SUB_I(1, A64_SP, A64_SP, ctx->stack_size), ctx);

	if (arena_vm_start)

		emit_a64_mov_i64(arena_vm_base, arena_vm_start, ctx);

	return 0;

}

#define BPF_FIXUP_OFFSET_MASK	GENMASK(26, 0)

#define BPF_FIXUP_REG_MASK	GENMASK(31, 27)

#define DONT_CLEAR 5 /* Unused ARM64 register from BPF's POV */

bool ex_handler_bpf(const struct exception_table_entry *ex,

		    struct pt_regs *regs)

	off_t offset = FIELD_GET(BPF_FIXUP_OFFSET_MASK, ex->fixup);

	int dst_reg = FIELD_GET(BPF_FIXUP_REG_MASK, ex->fixup);

	if (dst_reg != DONT_CLEAR)

		regs->regs[dst_reg] = 0;

	regs->pc = (unsigned long)&ex->fixup - offset;

	return true;

		return 0;

	if (BPF_MODE(insn->code) != BPF_PROBE_MEM &&

		BPF_MODE(insn->code) != BPF_PROBE_MEMSX)

		BPF_MODE(insn->code) != BPF_PROBE_MEMSX &&

			BPF_MODE(insn->code) != BPF_PROBE_MEM32)

		return 0;

	if (!ctx->prog->aux->extable ||

	ex->insn = ins_offset;

	if (BPF_CLASS(insn->code) != BPF_LDX)

		dst_reg = DONT_CLEAR;

	ex->fixup = FIELD_PREP(BPF_FIXUP_OFFSET_MASK, fixup_offset) |

		    FIELD_PREP(BPF_FIXUP_REG_MASK, dst_reg);

		      bool extra_pass)

{

	const u8 code = insn->code;

	const u8 dst = bpf2a64[insn->dst_reg];

	const u8 src = bpf2a64[insn->src_reg];

	u8 dst = bpf2a64[insn->dst_reg];

	u8 src = bpf2a64[insn->src_reg];

	const u8 tmp = bpf2a64[TMP_REG_1];

	const u8 tmp2 = bpf2a64[TMP_REG_2];

	const u8 fp = bpf2a64[BPF_REG_FP];

	const u8 fpb = bpf2a64[FP_BOTTOM];

	const u8 arena_vm_base = bpf2a64[ARENA_VM_START];

	const s16 off = insn->off;

	const s32 imm = insn->imm;

	const int i = insn - ctx->prog->insnsi;

	/* dst = src */

	case BPF_ALU | BPF_MOV | BPF_X:

	case BPF_ALU64 | BPF_MOV | BPF_X:

		if (insn_is_cast_user(insn)) {

			emit(A64_MOV(0, tmp, src), ctx); // 32-bit mov clears the upper 32 bits

			emit_a64_mov_i(0, dst, ctx->user_vm_start >> 32, ctx);

			emit(A64_LSL(1, dst, dst, 32), ctx);

			emit(A64_CBZ(1, tmp, 2), ctx);

			emit(A64_ORR(1, tmp, dst, tmp), ctx);

			emit(A64_MOV(1, dst, tmp), ctx);

			break;

		}

		switch (insn->off) {

		case 0:

			emit(A64_MOV(is64, dst, src), ctx);

	case BPF_LDX | BPF_PROBE_MEMSX | BPF_B:

	case BPF_LDX | BPF_PROBE_MEMSX | BPF_H:

	case BPF_LDX | BPF_PROBE_MEMSX | BPF_W:

		if (ctx->fpb_offset > 0 && src == fp) {

	case BPF_LDX | BPF_PROBE_MEM32 | BPF_B:

	case BPF_LDX | BPF_PROBE_MEM32 | BPF_H:

	case BPF_LDX | BPF_PROBE_MEM32 | BPF_W:

	case BPF_LDX | BPF_PROBE_MEM32 | BPF_DW:

		if (BPF_MODE(insn->code) == BPF_PROBE_MEM32) {

			emit(A64_ADD(1, tmp2, src, arena_vm_base), ctx);

			src = tmp2;

		}

		if (ctx->fpb_offset > 0 && src == fp && BPF_MODE(insn->code) != BPF_PROBE_MEM32) {

			src_adj = fpb;

			off_adj = off + ctx->fpb_offset;

		} else {

	case BPF_ST | BPF_MEM | BPF_H:

	case BPF_ST | BPF_MEM | BPF_B:

	case BPF_ST | BPF_MEM | BPF_DW:

		if (ctx->fpb_offset > 0 && dst == fp) {

	case BPF_ST | BPF_PROBE_MEM32 | BPF_B:

	case BPF_ST | BPF_PROBE_MEM32 | BPF_H:

	case BPF_ST | BPF_PROBE_MEM32 | BPF_W:

	case BPF_ST | BPF_PROBE_MEM32 | BPF_DW:

		if (BPF_MODE(insn->code) == BPF_PROBE_MEM32) {

			emit(A64_ADD(1, tmp2, dst, arena_vm_base), ctx);

			dst = tmp2;

		}

		if (ctx->fpb_offset > 0 && dst == fp && BPF_MODE(insn->code) != BPF_PROBE_MEM32) {

			dst_adj = fpb;

			off_adj = off + ctx->fpb_offset;

		} else {

			}

			break;

		}

		ret = add_exception_handler(insn, ctx, dst);

		if (ret)

			return ret;

		break;

	/* STX: *(size *)(dst + off) = src */

	case BPF_STX | BPF_MEM | BPF_H:

	case BPF_STX | BPF_MEM | BPF_B:

	case BPF_STX | BPF_MEM | BPF_DW:

		if (ctx->fpb_offset > 0 && dst == fp) {

	case BPF_STX | BPF_PROBE_MEM32 | BPF_B:

	case BPF_STX | BPF_PROBE_MEM32 | BPF_H:

	case BPF_STX | BPF_PROBE_MEM32 | BPF_W:

	case BPF_STX | BPF_PROBE_MEM32 | BPF_DW:

		if (BPF_MODE(insn->code) == BPF_PROBE_MEM32) {

			emit(A64_ADD(1, tmp2, dst, arena_vm_base), ctx);

			dst = tmp2;

		}

		if (ctx->fpb_offset > 0 && dst == fp && BPF_MODE(insn->code) != BPF_PROBE_MEM32) {

			dst_adj = fpb;

			off_adj = off + ctx->fpb_offset;

		} else {

			}

			break;

		}

		ret = add_exception_handler(insn, ctx, dst);

		if (ret)

			return ret;

		break;

	case BPF_STX | BPF_ATOMIC | BPF_W:

	bool tmp_blinded = false;

	bool extra_pass = false;

	struct jit_ctx ctx;

	u64 arena_vm_start;

	u8 *image_ptr;

	u8 *ro_image_ptr;

		prog = tmp;

	}

	arena_vm_start = bpf_arena_get_kern_vm_start(prog->aux->arena);

	jit_data = prog->aux->jit_data;

	if (!jit_data) {

		jit_data = kzalloc(sizeof(*jit_data), GFP_KERNEL);

	}

	ctx.fpb_offset = find_fpb_offset(prog);

	ctx.user_vm_start = bpf_arena_get_user_vm_start(prog->aux->arena);

	/*

	 * 1. Initial fake pass to compute ctx->idx and ctx->offset.

	 * BPF line info needs ctx->offset[i] to be the offset of

	 * instruction[i] in jited image, so build prologue first.

	 */

	if (build_prologue(&ctx, was_classic, prog->aux->exception_cb)) {

	if (build_prologue(&ctx, was_classic, prog->aux->exception_cb,

			   arena_vm_start)) {

		prog = orig_prog;

		goto out_off;

	}

	ctx.idx = 0;

	ctx.exentry_idx = 0;

	build_prologue(&ctx, was_classic, prog->aux->exception_cb);

	build_prologue(&ctx, was_classic, prog->aux->exception_cb, arena_vm_start);

	if (build_body(&ctx, extra_pass)) {

		prog = orig_prog;

	return true;

}

bool bpf_jit_supports_arena(void)

{

	return true;

}

void bpf_jit_free(struct bpf_prog *prog)

{

	if (prog->jited) {

	int nexentries;

	unsigned long flags;

	int stack_size;

	u64 arena_vm_start;

	u64 user_vm_start;

};

/* Convert from ninsns to bytes. */

#define RV_REG_TCC RV_REG_A6

#define RV_REG_TCC_SAVED RV_REG_S6 /* Store A6 in S6 if program do calls */

#define RV_REG_ARENA RV_REG_S7 /* For storing arena_vm_start */

static const int regmap[] = {

	[BPF_REG_0] =	RV_REG_A5,

		emit_ld(RV_REG_S6, store_offset, RV_REG_SP, ctx);

		store_offset -= 8;

	}

	if (ctx->arena_vm_start) {

		emit_ld(RV_REG_ARENA, store_offset, RV_REG_SP, ctx);

		store_offset -= 8;

	}

	emit_addi(RV_REG_SP, RV_REG_SP, stack_adjust, ctx);

	/* Set return value. */

#define BPF_FIXUP_OFFSET_MASK   GENMASK(26, 0)

#define BPF_FIXUP_REG_MASK      GENMASK(31, 27)

#define REG_DONT_CLEAR_MARKER	0	/* RV_REG_ZERO unused in pt_regmap */

bool ex_handler_bpf(const struct exception_table_entry *ex,

		    struct pt_regs *regs)

	off_t offset = FIELD_GET(BPF_FIXUP_OFFSET_MASK, ex->fixup);

	int regs_offset = FIELD_GET(BPF_FIXUP_REG_MASK, ex->fixup);

	if (regs_offset != REG_DONT_CLEAR_MARKER)

		*(unsigned long *)((void *)regs + pt_regmap[regs_offset]) = 0;

	regs->epc = (unsigned long)&ex->fixup - offset;

	off_t fixup_offset;

	if (!ctx->insns || !ctx->ro_insns || !ctx->prog->aux->extable ||

	    (BPF_MODE(insn->code) != BPF_PROBE_MEM && BPF_MODE(insn->code) != BPF_PROBE_MEMSX))

	    (BPF_MODE(insn->code) != BPF_PROBE_MEM && BPF_MODE(insn->code) != BPF_PROBE_MEMSX &&

	     BPF_MODE(insn->code) != BPF_PROBE_MEM32))

		return 0;

	if (WARN_ON_ONCE(ctx->nexentries >= ctx->prog->aux->num_exentries))

	/* dst = src */

	case BPF_ALU | BPF_MOV | BPF_X:

	case BPF_ALU64 | BPF_MOV | BPF_X:

		if (insn_is_cast_user(insn)) {

			emit_mv(RV_REG_T1, rs, ctx);

			emit_zextw(RV_REG_T1, RV_REG_T1, ctx);

			emit_imm(rd, (ctx->user_vm_start >> 32) << 32, ctx);

			emit(rv_beq(RV_REG_T1, RV_REG_ZERO, 4), ctx);

			emit_or(RV_REG_T1, rd, RV_REG_T1, ctx);

			emit_mv(rd, RV_REG_T1, ctx);

			break;

		}

		if (imm == 1) {

			/* Special mov32 for zext */

			emit_zextw(rd, rd, ctx);

	case BPF_LDX | BPF_PROBE_MEMSX | BPF_B:

	case BPF_LDX | BPF_PROBE_MEMSX | BPF_H:

	case BPF_LDX | BPF_PROBE_MEMSX | BPF_W:

	/* LDX | PROBE_MEM32: dst = *(unsigned size *)(src + RV_REG_ARENA + off) */

	case BPF_LDX | BPF_PROBE_MEM32 | BPF_B:

	case BPF_LDX | BPF_PROBE_MEM32 | BPF_H:

	case BPF_LDX | BPF_PROBE_MEM32 | BPF_W:

	case BPF_LDX | BPF_PROBE_MEM32 | BPF_DW:

	{

		int insn_len, insns_start;

		bool sign_ext;

		sign_ext = BPF_MODE(insn->code) == BPF_MEMSX ||

			   BPF_MODE(insn->code) == BPF_PROBE_MEMSX;

		if (BPF_MODE(insn->code) == BPF_PROBE_MEM32) {

			emit_add(RV_REG_T2, rs, RV_REG_ARENA, ctx);

			rs = RV_REG_T2;

		}

		switch (BPF_SIZE(code)) {

		case BPF_B:

			if (is_12b_int(off)) {

		emit_sd(RV_REG_T2, 0, RV_REG_T1, ctx);

		break;

	case BPF_ST | BPF_PROBE_MEM32 | BPF_B:

	case BPF_ST | BPF_PROBE_MEM32 | BPF_H:

	case BPF_ST | BPF_PROBE_MEM32 | BPF_W:

	case BPF_ST | BPF_PROBE_MEM32 | BPF_DW:

	{

		int insn_len, insns_start;

		emit_add(RV_REG_T3, rd, RV_REG_ARENA, ctx);

		rd = RV_REG_T3;

		/* Load imm to a register then store it */

		emit_imm(RV_REG_T1, imm, ctx);

		switch (BPF_SIZE(code)) {

		case BPF_B:

			if (is_12b_int(off)) {

				insns_start = ctx->ninsns;

				emit(rv_sb(rd, off, RV_REG_T1), ctx);

				insn_len = ctx->ninsns - insns_start;

				break;

			}

			emit_imm(RV_REG_T2, off, ctx);

			emit_add(RV_REG_T2, RV_REG_T2, rd, ctx);

			insns_start = ctx->ninsns;

			emit(rv_sb(RV_REG_T2, 0, RV_REG_T1), ctx);

			insn_len = ctx->ninsns - insns_start;

			break;

		case BPF_H:

			if (is_12b_int(off)) {

				insns_start = ctx->ninsns;

				emit(rv_sh(rd, off, RV_REG_T1), ctx);

				insn_len = ctx->ninsns - insns_start;

				break;

			}

			emit_imm(RV_REG_T2, off, ctx);

			emit_add(RV_REG_T2, RV_REG_T2, rd, ctx);

			insns_start = ctx->ninsns;

			emit(rv_sh(RV_REG_T2, 0, RV_REG_T1), ctx);

			insn_len = ctx->ninsns - insns_start;

			break;

		case BPF_W:

			if (is_12b_int(off)) {

				insns_start = ctx->ninsns;

				emit_sw(rd, off, RV_REG_T1, ctx);

				insn_len = ctx->ninsns - insns_start;

				break;

			}

			emit_imm(RV_REG_T2, off, ctx);

			emit_add(RV_REG_T2, RV_REG_T2, rd, ctx);

			insns_start = ctx->ninsns;

			emit_sw(RV_REG_T2, 0, RV_REG_T1, ctx);

			insn_len = ctx->ninsns - insns_start;

			break;

		case BPF_DW:

			if (is_12b_int(off)) {

				insns_start = ctx->ninsns;

				emit_sd(rd, off, RV_REG_T1, ctx);

				insn_len = ctx->ninsns - insns_start;

				break;

			}

			emit_imm(RV_REG_T2, off, ctx);

			emit_add(RV_REG_T2, RV_REG_T2, rd, ctx);

			insns_start = ctx->ninsns;

			emit_sd(RV_REG_T2, 0, RV_REG_T1, ctx);

			insn_len = ctx->ninsns - insns_start;

			break;

		}

		ret = add_exception_handler(insn, ctx, REG_DONT_CLEAR_MARKER,

					    insn_len);

		if (ret)

			return ret;

		break;

	}

	/* STX: *(size *)(dst + off) = src */

	case BPF_STX | BPF_MEM | BPF_B:

		if (is_12b_int(off)) {

		emit_atomic(rd, rs, off, imm,

			    BPF_SIZE(code) == BPF_DW, ctx);