search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Linux 4.19.133
[linux/fpc-iii.git] / tools / testing / selftests / bpf / test_verifier.c
blob9db5a7378f40fd6d1bce3938571688681d9a8022
1 /*
2 * Testsuite for eBPF verifier
3 *
4 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
5 * Copyright (c) 2017 Facebook
6 *
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of version 2 of the GNU General Public
9 * License as published by the Free Software Foundation.
10 */
11
12 #include <endian.h>
13 #include <asm/types.h>
14 #include <linux/types.h>
15 #include <stdint.h>
16 #include <stdio.h>
17 #include <stdlib.h>
18 #include <unistd.h>
19 #include <errno.h>
20 #include <string.h>
21 #include <stddef.h>
22 #include <stdbool.h>
23 #include <sched.h>
24 #include <limits.h>
25
26 #include <sys/capability.h>
27
28 #include <linux/unistd.h>
29 #include <linux/filter.h>
30 #include <linux/bpf_perf_event.h>
31 #include <linux/bpf.h>
32 #include <linux/if_ether.h>
33
34 #include <bpf/bpf.h>
35
36 #ifdef HAVE_GENHDR
37 # include "autoconf.h"
38 #else
39 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
40 # define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
41 # endif
42 #endif
43 #include "bpf_rlimit.h"
44 #include "bpf_rand.h"
45 #include "bpf_util.h"
46 #include "../../../include/linux/filter.h"
47
48 #define MAX_INSNS BPF_MAXINSNS
49 #define MAX_FIXUPS 8
50 #define MAX_NR_MAPS 8
51 #define POINTER_VALUE 0xcafe4all
52 #define TEST_DATA_LEN 64
53
54 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS (1 << 0)
55 #define F_LOAD_WITH_STRICT_ALIGNMENT (1 << 1)
56
57 #define UNPRIV_SYSCTL "kernel/unprivileged_bpf_disabled"
58 static bool unpriv_disabled = false;
59
60 struct bpf_test {
61 const char *descr;
62 struct bpf_insn insns[MAX_INSNS];
63 int fixup_map1[MAX_FIXUPS];
64 int fixup_map2[MAX_FIXUPS];
65 int fixup_map3[MAX_FIXUPS];
66 int fixup_map4[MAX_FIXUPS];
67 int fixup_prog1[MAX_FIXUPS];
68 int fixup_prog2[MAX_FIXUPS];
69 int fixup_map_in_map[MAX_FIXUPS];
70 int fixup_cgroup_storage[MAX_FIXUPS];
71 const char *errstr;
72 const char *errstr_unpriv;
73 uint32_t retval;
74 enum {
75 UNDEF,
76 ACCEPT,
77 REJECT
78 } result, result_unpriv;
79 enum bpf_prog_type prog_type;
80 uint8_t flags;
81 __u8 data[TEST_DATA_LEN];
82 void (*fill_helper)(struct bpf_test *self);
83 };
84
85 /* Note we want this to be 64 bit aligned so that the end of our array is
86 * actually the end of the structure.
87 */
88 #define MAX_ENTRIES 11
89
90 struct test_val {
91 unsigned int index;
92 int foo[MAX_ENTRIES];
93 };
94
95 struct other_val {
96 long long foo;
97 long long bar;
98 };
99
100 static void bpf_fill_ld_abs_vlan_push_pop(struct bpf_test *self)
101 {
102 /* test: {skb->data[0], vlan_push} x 68 + {skb->data[0], vlan_pop} x 68 */
103 #define PUSH_CNT 51
104 unsigned int len = BPF_MAXINSNS;
105 struct bpf_insn *insn = self->insns;
106 int i = 0, j, k = 0;
107
108 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
109 loop:
110 for (j = 0; j < PUSH_CNT; j++) {
111 insn[i++] = BPF_LD_ABS(BPF_B, 0);
112 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
113 i++;
114 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
115 insn[i++] = BPF_MOV64_IMM(BPF_REG_2, 1);
116 insn[i++] = BPF_MOV64_IMM(BPF_REG_3, 2);
117 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
118 BPF_FUNC_skb_vlan_push),
119 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
120 i++;
121 }
122
123 for (j = 0; j < PUSH_CNT; j++) {
124 insn[i++] = BPF_LD_ABS(BPF_B, 0);
125 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
126 i++;
127 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
128 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
129 BPF_FUNC_skb_vlan_pop),
130 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
131 i++;
132 }
133 if (++k < 5)
134 goto loop;
135
136 for (; i < len - 1; i++)
137 insn[i] = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, 0xbef);
138 insn[len - 1] = BPF_EXIT_INSN();
139 }
140
141 static void bpf_fill_jump_around_ld_abs(struct bpf_test *self)
142 {
143 struct bpf_insn *insn = self->insns;
144 unsigned int len = BPF_MAXINSNS;
145 int i = 0;
146
147 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
148 insn[i++] = BPF_LD_ABS(BPF_B, 0);
149 insn[i] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 10, len - i - 2);
150 i++;
151 while (i < len - 1)
152 insn[i++] = BPF_LD_ABS(BPF_B, 1);
153 insn[i] = BPF_EXIT_INSN();
154 }
155
156 static void bpf_fill_rand_ld_dw(struct bpf_test *self)
157 {
158 struct bpf_insn *insn = self->insns;
159 uint64_t res = 0;
160 int i = 0;
161
162 insn[i++] = BPF_MOV32_IMM(BPF_REG_0, 0);
163 while (i < self->retval) {
164 uint64_t val = bpf_semi_rand_get();
165 struct bpf_insn tmp[2] = { BPF_LD_IMM64(BPF_REG_1, val) };
166
167 res ^= val;
168 insn[i++] = tmp[0];
169 insn[i++] = tmp[1];
170 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
171 }
172 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_0);
173 insn[i++] = BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32);
174 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
175 insn[i] = BPF_EXIT_INSN();
176 res ^= (res >> 32);
177 self->retval = (uint32_t)res;
178 }
179
180 static struct bpf_test tests[] = {
181 {
182 "add+sub+mul",
183 .insns = {
184 BPF_MOV64_IMM(BPF_REG_1, 1),
185 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
186 BPF_MOV64_IMM(BPF_REG_2, 3),
187 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
188 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
189 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
190 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
191 BPF_EXIT_INSN(),
192 },
193 .result = ACCEPT,
194 .retval = -3,
195 },
196 {
197 "DIV32 by 0, zero check 1",
198 .insns = {
199 BPF_MOV32_IMM(BPF_REG_0, 42),
200 BPF_MOV32_IMM(BPF_REG_1, 0),
201 BPF_MOV32_IMM(BPF_REG_2, 1),
202 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
203 BPF_EXIT_INSN(),
204 },
205 .result = ACCEPT,
206 .retval = 42,
207 },
208 {
209 "DIV32 by 0, zero check 2",
210 .insns = {
211 BPF_MOV32_IMM(BPF_REG_0, 42),
212 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
213 BPF_MOV32_IMM(BPF_REG_2, 1),
214 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
215 BPF_EXIT_INSN(),
216 },
217 .result = ACCEPT,
218 .retval = 42,
219 },
220 {
221 "DIV64 by 0, zero check",
222 .insns = {
223 BPF_MOV32_IMM(BPF_REG_0, 42),
224 BPF_MOV32_IMM(BPF_REG_1, 0),
225 BPF_MOV32_IMM(BPF_REG_2, 1),
226 BPF_ALU64_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
227 BPF_EXIT_INSN(),
228 },
229 .result = ACCEPT,
230 .retval = 42,
231 },
232 {
233 "MOD32 by 0, zero check 1",
234 .insns = {
235 BPF_MOV32_IMM(BPF_REG_0, 42),
236 BPF_MOV32_IMM(BPF_REG_1, 0),
237 BPF_MOV32_IMM(BPF_REG_2, 1),
238 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
239 BPF_EXIT_INSN(),
240 },
241 .result = ACCEPT,
242 .retval = 42,
243 },
244 {
245 "MOD32 by 0, zero check 2",
246 .insns = {
247 BPF_MOV32_IMM(BPF_REG_0, 42),
248 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
249 BPF_MOV32_IMM(BPF_REG_2, 1),
250 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
251 BPF_EXIT_INSN(),
252 },
253 .result = ACCEPT,
254 .retval = 42,
255 },
256 {
257 "MOD64 by 0, zero check",
258 .insns = {
259 BPF_MOV32_IMM(BPF_REG_0, 42),
260 BPF_MOV32_IMM(BPF_REG_1, 0),
261 BPF_MOV32_IMM(BPF_REG_2, 1),
262 BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
263 BPF_EXIT_INSN(),
264 },
265 .result = ACCEPT,
266 .retval = 42,
267 },
268 {
269 "DIV32 by 0, zero check ok, cls",
270 .insns = {
271 BPF_MOV32_IMM(BPF_REG_0, 42),
272 BPF_MOV32_IMM(BPF_REG_1, 2),
273 BPF_MOV32_IMM(BPF_REG_2, 16),
274 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
275 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
276 BPF_EXIT_INSN(),
277 },
278 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
279 .result = ACCEPT,
280 .retval = 8,
281 },
282 {
283 "DIV32 by 0, zero check 1, cls",
284 .insns = {
285 BPF_MOV32_IMM(BPF_REG_1, 0),
286 BPF_MOV32_IMM(BPF_REG_0, 1),
287 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
288 BPF_EXIT_INSN(),
289 },
290 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
291 .result = ACCEPT,
292 .retval = 0,
293 },
294 {
295 "DIV32 by 0, zero check 2, cls",
296 .insns = {
297 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
298 BPF_MOV32_IMM(BPF_REG_0, 1),
299 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
300 BPF_EXIT_INSN(),
301 },
302 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
303 .result = ACCEPT,
304 .retval = 0,
305 },
306 {
307 "DIV64 by 0, zero check, cls",
308 .insns = {
309 BPF_MOV32_IMM(BPF_REG_1, 0),
310 BPF_MOV32_IMM(BPF_REG_0, 1),
311 BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
312 BPF_EXIT_INSN(),
313 },
314 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
315 .result = ACCEPT,
316 .retval = 0,
317 },
318 {
319 "MOD32 by 0, zero check ok, cls",
320 .insns = {
321 BPF_MOV32_IMM(BPF_REG_0, 42),
322 BPF_MOV32_IMM(BPF_REG_1, 3),
323 BPF_MOV32_IMM(BPF_REG_2, 5),
324 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
325 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
326 BPF_EXIT_INSN(),
327 },
328 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
329 .result = ACCEPT,
330 .retval = 2,
331 },
332 {
333 "MOD32 by 0, zero check 1, cls",
334 .insns = {
335 BPF_MOV32_IMM(BPF_REG_1, 0),
336 BPF_MOV32_IMM(BPF_REG_0, 1),
337 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
338 BPF_EXIT_INSN(),
339 },
340 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
341 .result = ACCEPT,
342 .retval = 1,
343 },
344 {
345 "MOD32 by 0, zero check 2, cls",
346 .insns = {
347 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
348 BPF_MOV32_IMM(BPF_REG_0, 1),
349 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
350 BPF_EXIT_INSN(),
351 },
352 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
353 .result = ACCEPT,
354 .retval = 1,
355 },
356 {
357 "MOD64 by 0, zero check 1, cls",
358 .insns = {
359 BPF_MOV32_IMM(BPF_REG_1, 0),
360 BPF_MOV32_IMM(BPF_REG_0, 2),
361 BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
362 BPF_EXIT_INSN(),
363 },
364 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
365 .result = ACCEPT,
366 .retval = 2,
367 },
368 {
369 "MOD64 by 0, zero check 2, cls",
370 .insns = {
371 BPF_MOV32_IMM(BPF_REG_1, 0),
372 BPF_MOV32_IMM(BPF_REG_0, -1),
373 BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
374 BPF_EXIT_INSN(),
375 },
376 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
377 .result = ACCEPT,
378 .retval = -1,
379 },
380 /* Just make sure that JITs used udiv/umod as otherwise we get
381 * an exception from INT_MIN/-1 overflow similarly as with div
382 * by zero.
383 */
384 {
385 "DIV32 overflow, check 1",
386 .insns = {
387 BPF_MOV32_IMM(BPF_REG_1, -1),
388 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
389 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
390 BPF_EXIT_INSN(),
391 },
392 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
393 .result = ACCEPT,
394 .retval = 0,
395 },
396 {
397 "DIV32 overflow, check 2",
398 .insns = {
399 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
400 BPF_ALU32_IMM(BPF_DIV, BPF_REG_0, -1),
401 BPF_EXIT_INSN(),
402 },
403 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
404 .result = ACCEPT,
405 .retval = 0,
406 },
407 {
408 "DIV64 overflow, check 1",
409 .insns = {
410 BPF_MOV64_IMM(BPF_REG_1, -1),
411 BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
412 BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
413 BPF_EXIT_INSN(),
414 },
415 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
416 .result = ACCEPT,
417 .retval = 0,
418 },
419 {
420 "DIV64 overflow, check 2",
421 .insns = {
422 BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
423 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, -1),
424 BPF_EXIT_INSN(),
425 },
426 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
427 .result = ACCEPT,
428 .retval = 0,
429 },
430 {
431 "MOD32 overflow, check 1",
432 .insns = {
433 BPF_MOV32_IMM(BPF_REG_1, -1),
434 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
435 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
436 BPF_EXIT_INSN(),
437 },
438 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
439 .result = ACCEPT,
440 .retval = INT_MIN,
441 },
442 {
443 "MOD32 overflow, check 2",
444 .insns = {
445 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
446 BPF_ALU32_IMM(BPF_MOD, BPF_REG_0, -1),
447 BPF_EXIT_INSN(),
448 },
449 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
450 .result = ACCEPT,
451 .retval = INT_MIN,
452 },
453 {
454 "MOD64 overflow, check 1",
455 .insns = {
456 BPF_MOV64_IMM(BPF_REG_1, -1),
457 BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
458 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
459 BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
460 BPF_MOV32_IMM(BPF_REG_0, 0),
461 BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
462 BPF_MOV32_IMM(BPF_REG_0, 1),
463 BPF_EXIT_INSN(),
464 },
465 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
466 .result = ACCEPT,
467 .retval = 1,
468 },
469 {
470 "MOD64 overflow, check 2",
471 .insns = {
472 BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
473 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
474 BPF_ALU64_IMM(BPF_MOD, BPF_REG_2, -1),
475 BPF_MOV32_IMM(BPF_REG_0, 0),
476 BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
477 BPF_MOV32_IMM(BPF_REG_0, 1),
478 BPF_EXIT_INSN(),
479 },
480 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
481 .result = ACCEPT,
482 .retval = 1,
483 },
484 {
485 "xor32 zero extend check",
486 .insns = {
487 BPF_MOV32_IMM(BPF_REG_2, -1),
488 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32),
489 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 0xffff),
490 BPF_ALU32_REG(BPF_XOR, BPF_REG_2, BPF_REG_2),
491 BPF_MOV32_IMM(BPF_REG_0, 2),
492 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1),
493 BPF_MOV32_IMM(BPF_REG_0, 1),
494 BPF_EXIT_INSN(),
495 },
496 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
497 .result = ACCEPT,
498 .retval = 1,
499 },
500 {
501 "empty prog",
502 .insns = {
503 },
504 .errstr = "unknown opcode 00",
505 .result = REJECT,
506 },
507 {
508 "only exit insn",
509 .insns = {
510 BPF_EXIT_INSN(),
511 },
512 .errstr = "R0 !read_ok",
513 .result = REJECT,
514 },
515 {
516 "unreachable",
517 .insns = {
518 BPF_EXIT_INSN(),
519 BPF_EXIT_INSN(),
520 },
521 .errstr = "unreachable",
522 .result = REJECT,
523 },
524 {
525 "unreachable2",
526 .insns = {
527 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
528 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
529 BPF_EXIT_INSN(),
530 },
531 .errstr = "unreachable",
532 .result = REJECT,
533 },
534 {
535 "out of range jump",
536 .insns = {
537 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
538 BPF_EXIT_INSN(),
539 },
540 .errstr = "jump out of range",
541 .result = REJECT,
542 },
543 {
544 "out of range jump2",
545 .insns = {
546 BPF_JMP_IMM(BPF_JA, 0, 0, -2),
547 BPF_EXIT_INSN(),
548 },
549 .errstr = "jump out of range",
550 .result = REJECT,
551 },
552 {
553 "test1 ld_imm64",
554 .insns = {
555 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
556 BPF_LD_IMM64(BPF_REG_0, 0),
557 BPF_LD_IMM64(BPF_REG_0, 0),
558 BPF_LD_IMM64(BPF_REG_0, 1),
559 BPF_LD_IMM64(BPF_REG_0, 1),
560 BPF_MOV64_IMM(BPF_REG_0, 2),
561 BPF_EXIT_INSN(),
562 },
563 .errstr = "invalid BPF_LD_IMM insn",
564 .errstr_unpriv = "R1 pointer comparison",
565 .result = REJECT,
566 },
567 {
568 "test2 ld_imm64",
569 .insns = {
570 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
571 BPF_LD_IMM64(BPF_REG_0, 0),
572 BPF_LD_IMM64(BPF_REG_0, 0),
573 BPF_LD_IMM64(BPF_REG_0, 1),
574 BPF_LD_IMM64(BPF_REG_0, 1),
575 BPF_EXIT_INSN(),
576 },
577 .errstr = "invalid BPF_LD_IMM insn",
578 .errstr_unpriv = "R1 pointer comparison",
579 .result = REJECT,
580 },
581 {
582 "test3 ld_imm64",
583 .insns = {
584 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
585 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
586 BPF_LD_IMM64(BPF_REG_0, 0),
587 BPF_LD_IMM64(BPF_REG_0, 0),
588 BPF_LD_IMM64(BPF_REG_0, 1),
589 BPF_LD_IMM64(BPF_REG_0, 1),
590 BPF_EXIT_INSN(),
591 },
592 .errstr = "invalid bpf_ld_imm64 insn",
593 .result = REJECT,
594 },
595 {
596 "test4 ld_imm64",
597 .insns = {
598 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
599 BPF_EXIT_INSN(),
600 },
601 .errstr = "invalid bpf_ld_imm64 insn",
602 .result = REJECT,
603 },
604 {
605 "test5 ld_imm64",
606 .insns = {
607 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
608 },
609 .errstr = "invalid bpf_ld_imm64 insn",
610 .result = REJECT,
611 },
612 {
613 "test6 ld_imm64",
614 .insns = {
615 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
616 BPF_RAW_INSN(0, 0, 0, 0, 0),
617 BPF_EXIT_INSN(),
618 },
619 .result = ACCEPT,
620 },
621 {
622 "test7 ld_imm64",
623 .insns = {
624 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
625 BPF_RAW_INSN(0, 0, 0, 0, 1),
626 BPF_EXIT_INSN(),
627 },
628 .result = ACCEPT,
629 .retval = 1,
630 },
631 {
632 "test8 ld_imm64",
633 .insns = {
634 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
635 BPF_RAW_INSN(0, 0, 0, 0, 1),
636 BPF_EXIT_INSN(),
637 },
638 .errstr = "uses reserved fields",
639 .result = REJECT,
640 },
641 {
642 "test9 ld_imm64",
643 .insns = {
644 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
645 BPF_RAW_INSN(0, 0, 0, 1, 1),
646 BPF_EXIT_INSN(),
647 },
648 .errstr = "invalid bpf_ld_imm64 insn",
649 .result = REJECT,
650 },
651 {
652 "test10 ld_imm64",
653 .insns = {
654 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
655 BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
656 BPF_EXIT_INSN(),
657 },
658 .errstr = "invalid bpf_ld_imm64 insn",
659 .result = REJECT,
660 },
661 {
662 "test11 ld_imm64",
663 .insns = {
664 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
665 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
666 BPF_EXIT_INSN(),
667 },
668 .errstr = "invalid bpf_ld_imm64 insn",
669 .result = REJECT,
670 },
671 {
672 "test12 ld_imm64",
673 .insns = {
674 BPF_MOV64_IMM(BPF_REG_1, 0),
675 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
676 BPF_RAW_INSN(0, 0, 0, 0, 1),
677 BPF_EXIT_INSN(),
678 },
679 .errstr = "not pointing to valid bpf_map",
680 .result = REJECT,
681 },
682 {
683 "test13 ld_imm64",
684 .insns = {
685 BPF_MOV64_IMM(BPF_REG_1, 0),
686 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
687 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
688 BPF_EXIT_INSN(),
689 },
690 .errstr = "invalid bpf_ld_imm64 insn",
691 .result = REJECT,
692 },
693 {
694 "arsh32 on imm",
695 .insns = {
696 BPF_MOV64_IMM(BPF_REG_0, 1),
697 BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 5),
698 BPF_EXIT_INSN(),
699 },
700 .result = REJECT,
701 .errstr = "unknown opcode c4",
702 },
703 {
704 "arsh32 on reg",
705 .insns = {
706 BPF_MOV64_IMM(BPF_REG_0, 1),
707 BPF_MOV64_IMM(BPF_REG_1, 5),
708 BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
709 BPF_EXIT_INSN(),
710 },
711 .result = REJECT,
712 .errstr = "unknown opcode cc",
713 },
714 {
715 "arsh64 on imm",
716 .insns = {
717 BPF_MOV64_IMM(BPF_REG_0, 1),
718 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_0, 5),
719 BPF_EXIT_INSN(),
720 },
721 .result = ACCEPT,
722 },
723 {
724 "arsh64 on reg",
725 .insns = {
726 BPF_MOV64_IMM(BPF_REG_0, 1),
727 BPF_MOV64_IMM(BPF_REG_1, 5),
728 BPF_ALU64_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
729 BPF_EXIT_INSN(),
730 },
731 .result = ACCEPT,
732 },
733 {
734 "no bpf_exit",
735 .insns = {
736 BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
737 },
738 .errstr = "not an exit",
739 .result = REJECT,
740 },
741 {
742 "loop (back-edge)",
743 .insns = {
744 BPF_JMP_IMM(BPF_JA, 0, 0, -1),
745 BPF_EXIT_INSN(),
746 },
747 .errstr = "back-edge",
748 .result = REJECT,
749 },
750 {
751 "loop2 (back-edge)",
752 .insns = {
753 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
754 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
755 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
756 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
757 BPF_EXIT_INSN(),
758 },
759 .errstr = "back-edge",
760 .result = REJECT,
761 },
762 {
763 "conditional loop",
764 .insns = {
765 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
766 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
767 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
768 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
769 BPF_EXIT_INSN(),
770 },
771 .errstr = "back-edge",
772 .result = REJECT,
773 },
774 {
775 "read uninitialized register",
776 .insns = {
777 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
778 BPF_EXIT_INSN(),
779 },
780 .errstr = "R2 !read_ok",
781 .result = REJECT,
782 },
783 {
784 "read invalid register",
785 .insns = {
786 BPF_MOV64_REG(BPF_REG_0, -1),
787 BPF_EXIT_INSN(),
788 },
789 .errstr = "R15 is invalid",
790 .result = REJECT,
791 },
792 {
793 "program doesn't init R0 before exit",
794 .insns = {
795 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
796 BPF_EXIT_INSN(),
797 },
798 .errstr = "R0 !read_ok",
799 .result = REJECT,
800 },
801 {
802 "program doesn't init R0 before exit in all branches",
803 .insns = {
804 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
805 BPF_MOV64_IMM(BPF_REG_0, 1),
806 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
807 BPF_EXIT_INSN(),
808 },
809 .errstr = "R0 !read_ok",
810 .errstr_unpriv = "R1 pointer comparison",
811 .result = REJECT,
812 },
813 {
814 "stack out of bounds",
815 .insns = {
816 BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
817 BPF_EXIT_INSN(),
818 },
819 .errstr = "invalid stack",
820 .result = REJECT,
821 },
822 {
823 "invalid call insn1",
824 .insns = {
825 BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
826 BPF_EXIT_INSN(),
827 },
828 .errstr = "unknown opcode 8d",
829 .result = REJECT,
830 },
831 {
832 "invalid call insn2",
833 .insns = {
834 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
835 BPF_EXIT_INSN(),
836 },
837 .errstr = "BPF_CALL uses reserved",
838 .result = REJECT,
839 },
840 {
841 "invalid function call",
842 .insns = {
843 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
844 BPF_EXIT_INSN(),
845 },
846 .errstr = "invalid func unknown#1234567",
847 .result = REJECT,
848 },
849 {
850 "uninitialized stack1",
851 .insns = {
852 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
853 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
854 BPF_LD_MAP_FD(BPF_REG_1, 0),
855 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
856 BPF_FUNC_map_lookup_elem),
857 BPF_EXIT_INSN(),
858 },
859 .fixup_map1 = { 2 },
860 .errstr = "invalid indirect read from stack",
861 .result = REJECT,
862 },
863 {
864 "uninitialized stack2",
865 .insns = {
866 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
867 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
868 BPF_EXIT_INSN(),
869 },
870 .errstr = "invalid read from stack",
871 .result = REJECT,
872 },
873 {
874 "invalid fp arithmetic",
875 /* If this gets ever changed, make sure JITs can deal with it. */
876 .insns = {
877 BPF_MOV64_IMM(BPF_REG_0, 0),
878 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
879 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
880 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
881 BPF_EXIT_INSN(),
882 },
883 .errstr = "R1 subtraction from stack pointer",
884 .result = REJECT,
885 },
886 {
887 "non-invalid fp arithmetic",
888 .insns = {
889 BPF_MOV64_IMM(BPF_REG_0, 0),
890 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
891 BPF_EXIT_INSN(),
892 },
893 .result = ACCEPT,
894 },
895 {
896 "invalid argument register",
897 .insns = {
898 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
899 BPF_FUNC_get_cgroup_classid),
900 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
901 BPF_FUNC_get_cgroup_classid),
902 BPF_EXIT_INSN(),
903 },
904 .errstr = "R1 !read_ok",
905 .result = REJECT,
906 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
907 },
908 {
909 "non-invalid argument register",
910 .insns = {
911 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
912 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
913 BPF_FUNC_get_cgroup_classid),
914 BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
915 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
916 BPF_FUNC_get_cgroup_classid),
917 BPF_EXIT_INSN(),
918 },
919 .result = ACCEPT,
920 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
921 },
922 {
923 "check valid spill/fill",
924 .insns = {
925 /* spill R1(ctx) into stack */
926 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
927 /* fill it back into R2 */
928 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
929 /* should be able to access R0 = *(R2 + 8) */
930 /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
931 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
932 BPF_EXIT_INSN(),
933 },
934 .errstr_unpriv = "R0 leaks addr",
935 .result = ACCEPT,
936 .result_unpriv = REJECT,
937 .retval = POINTER_VALUE,
938 },
939 {
940 "check valid spill/fill, skb mark",
941 .insns = {
942 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
943 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
944 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
945 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
946 offsetof(struct __sk_buff, mark)),
947 BPF_EXIT_INSN(),
948 },
949 .result = ACCEPT,
950 .result_unpriv = ACCEPT,
951 },
952 {
953 "check corrupted spill/fill",
954 .insns = {
955 /* spill R1(ctx) into stack */
956 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
957 /* mess up with R1 pointer on stack */
958 BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
959 /* fill back into R0 should fail */
960 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
961 BPF_EXIT_INSN(),
962 },
963 .errstr_unpriv = "attempt to corrupt spilled",
964 .errstr = "corrupted spill",
965 .result = REJECT,
966 },
967 {
968 "invalid src register in STX",
969 .insns = {
970 BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
971 BPF_EXIT_INSN(),
972 },
973 .errstr = "R15 is invalid",
974 .result = REJECT,
975 },
976 {
977 "invalid dst register in STX",
978 .insns = {
979 BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
980 BPF_EXIT_INSN(),
981 },
982 .errstr = "R14 is invalid",
983 .result = REJECT,
984 },
985 {
986 "invalid dst register in ST",
987 .insns = {
988 BPF_ST_MEM(BPF_B, 14, -1, -1),
989 BPF_EXIT_INSN(),
990 },
991 .errstr = "R14 is invalid",
992 .result = REJECT,
993 },
994 {
995 "invalid src register in LDX",
996 .insns = {
997 BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
998 BPF_EXIT_INSN(),
999 },
1000 .errstr = "R12 is invalid",
1001 .result = REJECT,
1002 },
1003 {
1004 "invalid dst register in LDX",
1005 .insns = {
1006 BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
1007 BPF_EXIT_INSN(),
1008 },
1009 .errstr = "R11 is invalid",
1010 .result = REJECT,
1011 },
1012 {
1013 "junk insn",
1014 .insns = {
1015 BPF_RAW_INSN(0, 0, 0, 0, 0),
1016 BPF_EXIT_INSN(),
1017 },
1018 .errstr = "unknown opcode 00",
1019 .result = REJECT,
1020 },
1021 {
1022 "junk insn2",
1023 .insns = {
1024 BPF_RAW_INSN(1, 0, 0, 0, 0),
1025 BPF_EXIT_INSN(),
1026 },
1027 .errstr = "BPF_LDX uses reserved fields",
1028 .result = REJECT,
1029 },
1030 {
1031 "junk insn3",
1032 .insns = {
1033 BPF_RAW_INSN(-1, 0, 0, 0, 0),
1034 BPF_EXIT_INSN(),
1035 },
1036 .errstr = "unknown opcode ff",
1037 .result = REJECT,
1038 },
1039 {
1040 "junk insn4",
1041 .insns = {
1042 BPF_RAW_INSN(-1, -1, -1, -1, -1),
1043 BPF_EXIT_INSN(),
1044 },
1045 .errstr = "unknown opcode ff",
1046 .result = REJECT,
1047 },
1048 {
1049 "junk insn5",
1050 .insns = {
1051 BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
1052 BPF_EXIT_INSN(),
1053 },
1054 .errstr = "BPF_ALU uses reserved fields",
1055 .result = REJECT,
1056 },
1057 {
1058 "misaligned read from stack",
1059 .insns = {
1060 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1061 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
1062 BPF_EXIT_INSN(),
1063 },
1064 .errstr = "misaligned stack access",
1065 .result = REJECT,
1066 },
1067 {
1068 "invalid map_fd for function call",
1069 .insns = {
1070 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1071 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
1072 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1073 BPF_LD_MAP_FD(BPF_REG_1, 0),
1074 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1075 BPF_FUNC_map_delete_elem),
1076 BPF_EXIT_INSN(),
1077 },
1078 .errstr = "fd 0 is not pointing to valid bpf_map",
1079 .result = REJECT,
1080 },
1081 {
1082 "don't check return value before access",
1083 .insns = {
1084 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1085 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1086 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1087 BPF_LD_MAP_FD(BPF_REG_1, 0),
1088 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1089 BPF_FUNC_map_lookup_elem),
1090 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1091 BPF_EXIT_INSN(),
1092 },
1093 .fixup_map1 = { 3 },
1094 .errstr = "R0 invalid mem access 'map_value_or_null'",
1095 .result = REJECT,
1096 },
1097 {
1098 "access memory with incorrect alignment",
1099 .insns = {
1100 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1101 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1102 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1103 BPF_LD_MAP_FD(BPF_REG_1, 0),
1104 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1105 BPF_FUNC_map_lookup_elem),
1106 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1107 BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
1108 BPF_EXIT_INSN(),
1109 },
1110 .fixup_map1 = { 3 },
1111 .errstr = "misaligned value access",
1112 .result = REJECT,
1113 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1114 },
1115 {
1116 "sometimes access memory with incorrect alignment",
1117 .insns = {
1118 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1119 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1120 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1121 BPF_LD_MAP_FD(BPF_REG_1, 0),
1122 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1123 BPF_FUNC_map_lookup_elem),
1124 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
1125 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1126 BPF_EXIT_INSN(),
1127 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
1128 BPF_EXIT_INSN(),
1129 },
1130 .fixup_map1 = { 3 },
1131 .errstr = "R0 invalid mem access",
1132 .errstr_unpriv = "R0 leaks addr",
1133 .result = REJECT,
1134 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1135 },
1136 {
1137 "jump test 1",
1138 .insns = {
1139 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1140 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
1141 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
1142 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1143 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
1144 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
1145 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
1146 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
1147 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
1148 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
1149 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
1150 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
1151 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1152 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
1153 BPF_MOV64_IMM(BPF_REG_0, 0),
1154 BPF_EXIT_INSN(),
1155 },
1156 .errstr_unpriv = "R1 pointer comparison",
1157 .result_unpriv = REJECT,
1158 .result = ACCEPT,
1159 },
1160 {
1161 "jump test 2",
1162 .insns = {
1163 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1164 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
1165 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1166 BPF_JMP_IMM(BPF_JA, 0, 0, 14),
1167 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
1168 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1169 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1170 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
1171 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1172 BPF_JMP_IMM(BPF_JA, 0, 0, 8),
1173 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
1174 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1175 BPF_JMP_IMM(BPF_JA, 0, 0, 5),
1176 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
1177 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1178 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1179 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1180 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1181 BPF_MOV64_IMM(BPF_REG_0, 0),
1182 BPF_EXIT_INSN(),
1183 },
1184 .errstr_unpriv = "R1 pointer comparison",
1185 .result_unpriv = REJECT,
1186 .result = ACCEPT,
1187 },
1188 {
1189 "jump test 3",
1190 .insns = {
1191 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1192 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1193 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1194 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1195 BPF_JMP_IMM(BPF_JA, 0, 0, 19),
1196 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
1197 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1198 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1199 BPF_JMP_IMM(BPF_JA, 0, 0, 15),
1200 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
1201 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1202 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
1203 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1204 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
1205 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1206 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
1207 BPF_JMP_IMM(BPF_JA, 0, 0, 7),
1208 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
1209 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1210 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
1211 BPF_JMP_IMM(BPF_JA, 0, 0, 3),
1212 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
1213 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1214 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
1215 BPF_LD_MAP_FD(BPF_REG_1, 0),
1216 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1217 BPF_FUNC_map_delete_elem),
1218 BPF_EXIT_INSN(),
1219 },
1220 .fixup_map1 = { 24 },
1221 .errstr_unpriv = "R1 pointer comparison",
1222 .result_unpriv = REJECT,
1223 .result = ACCEPT,
1224 .retval = -ENOENT,
1225 },
1226 {
1227 "jump test 4",
1228 .insns = {
1229 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1230 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1231 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1232 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1233 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1234 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1235 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1236 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1237 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1238 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1239 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1240 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1241 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1242 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1243 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1244 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1245 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1246 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1247 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1248 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1249 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1250 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1251 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1252 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1253 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1254 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1255 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1256 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1257 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1258 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1259 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1260 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1261 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1262 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1263 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1264 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1265 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1266 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1267 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1268 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1269 BPF_MOV64_IMM(BPF_REG_0, 0),
1270 BPF_EXIT_INSN(),
1271 },
1272 .errstr_unpriv = "R1 pointer comparison",
1273 .result_unpriv = REJECT,
1274 .result = ACCEPT,
1275 },
1276 {
1277 "jump test 5",
1278 .insns = {
1279 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1280 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1281 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1282 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1283 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1284 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1285 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1286 BPF_MOV64_IMM(BPF_REG_0, 0),
1287 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1288 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1289 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1290 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1291 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1292 BPF_MOV64_IMM(BPF_REG_0, 0),
1293 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1294 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1295 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1296 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1297 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1298 BPF_MOV64_IMM(BPF_REG_0, 0),
1299 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1300 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1301 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1302 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1303 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1304 BPF_MOV64_IMM(BPF_REG_0, 0),
1305 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1306 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1307 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1308 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1309 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1310 BPF_MOV64_IMM(BPF_REG_0, 0),
1311 BPF_EXIT_INSN(),
1312 },
1313 .errstr_unpriv = "R1 pointer comparison",
1314 .result_unpriv = REJECT,
1315 .result = ACCEPT,
1316 },
1317 {
1318 "access skb fields ok",
1319 .insns = {
1320 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1321 offsetof(struct __sk_buff, len)),
1322 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1323 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1324 offsetof(struct __sk_buff, mark)),
1325 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1326 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1327 offsetof(struct __sk_buff, pkt_type)),
1328 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1329 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1330 offsetof(struct __sk_buff, queue_mapping)),
1331 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1332 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1333 offsetof(struct __sk_buff, protocol)),
1334 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1335 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1336 offsetof(struct __sk_buff, vlan_present)),
1337 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1338 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1339 offsetof(struct __sk_buff, vlan_tci)),
1340 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1341 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1342 offsetof(struct __sk_buff, napi_id)),
1343 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1344 BPF_EXIT_INSN(),
1345 },
1346 .result = ACCEPT,
1347 },
1348 {
1349 "access skb fields bad1",
1350 .insns = {
1351 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
1352 BPF_EXIT_INSN(),
1353 },
1354 .errstr = "invalid bpf_context access",
1355 .result = REJECT,
1356 },
1357 {
1358 "access skb fields bad2",
1359 .insns = {
1360 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
1361 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1362 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1363 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1364 BPF_LD_MAP_FD(BPF_REG_1, 0),
1365 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1366 BPF_FUNC_map_lookup_elem),
1367 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1368 BPF_EXIT_INSN(),
1369 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1370 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1371 offsetof(struct __sk_buff, pkt_type)),
1372 BPF_EXIT_INSN(),
1373 },
1374 .fixup_map1 = { 4 },
1375 .errstr = "different pointers",
1376 .errstr_unpriv = "R1 pointer comparison",
1377 .result = REJECT,
1378 },
1379 {
1380 "access skb fields bad3",
1381 .insns = {
1382 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1383 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1384 offsetof(struct __sk_buff, pkt_type)),
1385 BPF_EXIT_INSN(),
1386 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1387 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1388 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1389 BPF_LD_MAP_FD(BPF_REG_1, 0),
1390 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1391 BPF_FUNC_map_lookup_elem),
1392 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1393 BPF_EXIT_INSN(),
1394 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1395 BPF_JMP_IMM(BPF_JA, 0, 0, -12),
1396 },
1397 .fixup_map1 = { 6 },
1398 .errstr = "different pointers",
1399 .errstr_unpriv = "R1 pointer comparison",
1400 .result = REJECT,
1401 },
1402 {
1403 "access skb fields bad4",
1404 .insns = {
1405 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
1406 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1407 offsetof(struct __sk_buff, len)),
1408 BPF_MOV64_IMM(BPF_REG_0, 0),
1409 BPF_EXIT_INSN(),
1410 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1411 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1412 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1413 BPF_LD_MAP_FD(BPF_REG_1, 0),
1414 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1415 BPF_FUNC_map_lookup_elem),
1416 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1417 BPF_EXIT_INSN(),
1418 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1419 BPF_JMP_IMM(BPF_JA, 0, 0, -13),
1420 },
1421 .fixup_map1 = { 7 },
1422 .errstr = "different pointers",
1423 .errstr_unpriv = "R1 pointer comparison",
1424 .result = REJECT,
1425 },
1426 {
1427 "invalid access __sk_buff family",
1428 .insns = {
1429 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1430 offsetof(struct __sk_buff, family)),
1431 BPF_EXIT_INSN(),
1432 },
1433 .errstr = "invalid bpf_context access",
1434 .result = REJECT,
1435 },
1436 {
1437 "invalid access __sk_buff remote_ip4",
1438 .insns = {
1439 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1440 offsetof(struct __sk_buff, remote_ip4)),
1441 BPF_EXIT_INSN(),
1442 },
1443 .errstr = "invalid bpf_context access",
1444 .result = REJECT,
1445 },
1446 {
1447 "invalid access __sk_buff local_ip4",
1448 .insns = {
1449 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1450 offsetof(struct __sk_buff, local_ip4)),
1451 BPF_EXIT_INSN(),
1452 },
1453 .errstr = "invalid bpf_context access",
1454 .result = REJECT,
1455 },
1456 {
1457 "invalid access __sk_buff remote_ip6",
1458 .insns = {
1459 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1460 offsetof(struct __sk_buff, remote_ip6)),
1461 BPF_EXIT_INSN(),
1462 },
1463 .errstr = "invalid bpf_context access",
1464 .result = REJECT,
1465 },
1466 {
1467 "invalid access __sk_buff local_ip6",
1468 .insns = {
1469 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1470 offsetof(struct __sk_buff, local_ip6)),
1471 BPF_EXIT_INSN(),
1472 },
1473 .errstr = "invalid bpf_context access",
1474 .result = REJECT,
1475 },
1476 {
1477 "invalid access __sk_buff remote_port",
1478 .insns = {
1479 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1480 offsetof(struct __sk_buff, remote_port)),
1481 BPF_EXIT_INSN(),
1482 },
1483 .errstr = "invalid bpf_context access",
1484 .result = REJECT,
1485 },
1486 {
1487 "invalid access __sk_buff remote_port",
1488 .insns = {
1489 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1490 offsetof(struct __sk_buff, local_port)),
1491 BPF_EXIT_INSN(),
1492 },
1493 .errstr = "invalid bpf_context access",
1494 .result = REJECT,
1495 },
1496 {
1497 "valid access __sk_buff family",
1498 .insns = {
1499 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1500 offsetof(struct __sk_buff, family)),
1501 BPF_EXIT_INSN(),
1502 },
1503 .result = ACCEPT,
1504 .prog_type = BPF_PROG_TYPE_SK_SKB,
1505 },
1506 {
1507 "valid access __sk_buff remote_ip4",
1508 .insns = {
1509 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1510 offsetof(struct __sk_buff, remote_ip4)),
1511 BPF_EXIT_INSN(),
1512 },
1513 .result = ACCEPT,
1514 .prog_type = BPF_PROG_TYPE_SK_SKB,
1515 },
1516 {
1517 "valid access __sk_buff local_ip4",
1518 .insns = {
1519 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1520 offsetof(struct __sk_buff, local_ip4)),
1521 BPF_EXIT_INSN(),
1522 },
1523 .result = ACCEPT,
1524 .prog_type = BPF_PROG_TYPE_SK_SKB,
1525 },
1526 {
1527 "valid access __sk_buff remote_ip6",
1528 .insns = {
1529 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1530 offsetof(struct __sk_buff, remote_ip6[0])),
1531 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1532 offsetof(struct __sk_buff, remote_ip6[1])),
1533 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1534 offsetof(struct __sk_buff, remote_ip6[2])),
1535 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1536 offsetof(struct __sk_buff, remote_ip6[3])),
1537 BPF_EXIT_INSN(),
1538 },
1539 .result = ACCEPT,
1540 .prog_type = BPF_PROG_TYPE_SK_SKB,
1541 },
1542 {
1543 "valid access __sk_buff local_ip6",
1544 .insns = {
1545 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1546 offsetof(struct __sk_buff, local_ip6[0])),
1547 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1548 offsetof(struct __sk_buff, local_ip6[1])),
1549 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1550 offsetof(struct __sk_buff, local_ip6[2])),
1551 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1552 offsetof(struct __sk_buff, local_ip6[3])),
1553 BPF_EXIT_INSN(),
1554 },
1555 .result = ACCEPT,
1556 .prog_type = BPF_PROG_TYPE_SK_SKB,
1557 },
1558 {
1559 "valid access __sk_buff remote_port",
1560 .insns = {
1561 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1562 offsetof(struct __sk_buff, remote_port)),
1563 BPF_EXIT_INSN(),
1564 },
1565 .result = ACCEPT,
1566 .prog_type = BPF_PROG_TYPE_SK_SKB,
1567 },
1568 {
1569 "valid access __sk_buff remote_port",
1570 .insns = {
1571 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1572 offsetof(struct __sk_buff, local_port)),
1573 BPF_EXIT_INSN(),
1574 },
1575 .result = ACCEPT,
1576 .prog_type = BPF_PROG_TYPE_SK_SKB,
1577 },
1578 {
1579 "invalid access of tc_classid for SK_SKB",
1580 .insns = {
1581 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1582 offsetof(struct __sk_buff, tc_classid)),
1583 BPF_EXIT_INSN(),
1584 },
1585 .result = REJECT,
1586 .prog_type = BPF_PROG_TYPE_SK_SKB,
1587 .errstr = "invalid bpf_context access",
1588 },
1589 {
1590 "invalid access of skb->mark for SK_SKB",
1591 .insns = {
1592 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1593 offsetof(struct __sk_buff, mark)),
1594 BPF_EXIT_INSN(),
1595 },
1596 .result = REJECT,
1597 .prog_type = BPF_PROG_TYPE_SK_SKB,
1598 .errstr = "invalid bpf_context access",
1599 },
1600 {
1601 "check skb->mark is not writeable by SK_SKB",
1602 .insns = {
1603 BPF_MOV64_IMM(BPF_REG_0, 0),
1604 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1605 offsetof(struct __sk_buff, mark)),
1606 BPF_EXIT_INSN(),
1607 },
1608 .result = REJECT,
1609 .prog_type = BPF_PROG_TYPE_SK_SKB,
1610 .errstr = "invalid bpf_context access",
1611 },
1612 {
1613 "check skb->tc_index is writeable by SK_SKB",
1614 .insns = {
1615 BPF_MOV64_IMM(BPF_REG_0, 0),
1616 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1617 offsetof(struct __sk_buff, tc_index)),
1618 BPF_EXIT_INSN(),
1619 },
1620 .result = ACCEPT,
1621 .prog_type = BPF_PROG_TYPE_SK_SKB,
1622 },
1623 {
1624 "check skb->priority is writeable by SK_SKB",
1625 .insns = {
1626 BPF_MOV64_IMM(BPF_REG_0, 0),
1627 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1628 offsetof(struct __sk_buff, priority)),
1629 BPF_EXIT_INSN(),
1630 },
1631 .result = ACCEPT,
1632 .prog_type = BPF_PROG_TYPE_SK_SKB,
1633 },
1634 {
1635 "direct packet read for SK_SKB",
1636 .insns = {
1637 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1638 offsetof(struct __sk_buff, data)),
1639 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1640 offsetof(struct __sk_buff, data_end)),
1641 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1642 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1643 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1644 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1645 BPF_MOV64_IMM(BPF_REG_0, 0),
1646 BPF_EXIT_INSN(),
1647 },
1648 .result = ACCEPT,
1649 .prog_type = BPF_PROG_TYPE_SK_SKB,
1650 },
1651 {
1652 "direct packet write for SK_SKB",
1653 .insns = {
1654 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1655 offsetof(struct __sk_buff, data)),
1656 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1657 offsetof(struct __sk_buff, data_end)),
1658 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1659 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1660 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1661 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1662 BPF_MOV64_IMM(BPF_REG_0, 0),
1663 BPF_EXIT_INSN(),
1664 },
1665 .result = ACCEPT,
1666 .prog_type = BPF_PROG_TYPE_SK_SKB,
1667 },
1668 {
1669 "overlapping checks for direct packet access SK_SKB",
1670 .insns = {
1671 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1672 offsetof(struct __sk_buff, data)),
1673 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1674 offsetof(struct __sk_buff, data_end)),
1675 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1676 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1677 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1678 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1679 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1680 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1681 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1682 BPF_MOV64_IMM(BPF_REG_0, 0),
1683 BPF_EXIT_INSN(),
1684 },
1685 .result = ACCEPT,
1686 .prog_type = BPF_PROG_TYPE_SK_SKB,
1687 },
1688 {
1689 "valid access family in SK_MSG",
1690 .insns = {
1691 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1692 offsetof(struct sk_msg_md, family)),
1693 BPF_EXIT_INSN(),
1694 },
1695 .result = ACCEPT,
1696 .prog_type = BPF_PROG_TYPE_SK_MSG,
1697 },
1698 {
1699 "valid access remote_ip4 in SK_MSG",
1700 .insns = {
1701 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1702 offsetof(struct sk_msg_md, remote_ip4)),
1703 BPF_EXIT_INSN(),
1704 },
1705 .result = ACCEPT,
1706 .prog_type = BPF_PROG_TYPE_SK_MSG,
1707 },
1708 {
1709 "valid access local_ip4 in SK_MSG",
1710 .insns = {
1711 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1712 offsetof(struct sk_msg_md, local_ip4)),
1713 BPF_EXIT_INSN(),
1714 },
1715 .result = ACCEPT,
1716 .prog_type = BPF_PROG_TYPE_SK_MSG,
1717 },
1718 {
1719 "valid access remote_port in SK_MSG",
1720 .insns = {
1721 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1722 offsetof(struct sk_msg_md, remote_port)),
1723 BPF_EXIT_INSN(),
1724 },
1725 .result = ACCEPT,
1726 .prog_type = BPF_PROG_TYPE_SK_MSG,
1727 },
1728 {
1729 "valid access local_port in SK_MSG",
1730 .insns = {
1731 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1732 offsetof(struct sk_msg_md, local_port)),
1733 BPF_EXIT_INSN(),
1734 },
1735 .result = ACCEPT,
1736 .prog_type = BPF_PROG_TYPE_SK_MSG,
1737 },
1738 {
1739 "valid access remote_ip6 in SK_MSG",
1740 .insns = {
1741 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1742 offsetof(struct sk_msg_md, remote_ip6[0])),
1743 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1744 offsetof(struct sk_msg_md, remote_ip6[1])),
1745 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1746 offsetof(struct sk_msg_md, remote_ip6[2])),
1747 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1748 offsetof(struct sk_msg_md, remote_ip6[3])),
1749 BPF_EXIT_INSN(),
1750 },
1751 .result = ACCEPT,
1752 .prog_type = BPF_PROG_TYPE_SK_SKB,
1753 },
1754 {
1755 "valid access local_ip6 in SK_MSG",
1756 .insns = {
1757 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1758 offsetof(struct sk_msg_md, local_ip6[0])),
1759 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1760 offsetof(struct sk_msg_md, local_ip6[1])),
1761 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1762 offsetof(struct sk_msg_md, local_ip6[2])),
1763 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1764 offsetof(struct sk_msg_md, local_ip6[3])),
1765 BPF_EXIT_INSN(),
1766 },
1767 .result = ACCEPT,
1768 .prog_type = BPF_PROG_TYPE_SK_SKB,
1769 },
1770 {
1771 "invalid 64B read of family in SK_MSG",
1772 .insns = {
1773 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1774 offsetof(struct sk_msg_md, family)),
1775 BPF_EXIT_INSN(),
1776 },
1777 .errstr = "invalid bpf_context access",
1778 .result = REJECT,
1779 .prog_type = BPF_PROG_TYPE_SK_MSG,
1780 },
1781 {
1782 "invalid read past end of SK_MSG",
1783 .insns = {
1784 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1785 offsetof(struct sk_msg_md, local_port) + 4),
1786 BPF_EXIT_INSN(),
1787 },
1788 .errstr = "R0 !read_ok",
1789 .result = REJECT,
1790 .prog_type = BPF_PROG_TYPE_SK_MSG,
1791 },
1792 {
1793 "invalid read offset in SK_MSG",
1794 .insns = {
1795 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1796 offsetof(struct sk_msg_md, family) + 1),
1797 BPF_EXIT_INSN(),
1798 },
1799 .errstr = "invalid bpf_context access",
1800 .result = REJECT,
1801 .prog_type = BPF_PROG_TYPE_SK_MSG,
1802 },
1803 {
1804 "direct packet read for SK_MSG",
1805 .insns = {
1806 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1807 offsetof(struct sk_msg_md, data)),
1808 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1809 offsetof(struct sk_msg_md, data_end)),
1810 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1811 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1812 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1813 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1814 BPF_MOV64_IMM(BPF_REG_0, 0),
1815 BPF_EXIT_INSN(),
1816 },
1817 .result = ACCEPT,
1818 .prog_type = BPF_PROG_TYPE_SK_MSG,
1819 },
1820 {
1821 "direct packet write for SK_MSG",
1822 .insns = {
1823 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1824 offsetof(struct sk_msg_md, data)),
1825 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1826 offsetof(struct sk_msg_md, data_end)),
1827 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1828 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1829 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1830 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1831 BPF_MOV64_IMM(BPF_REG_0, 0),
1832 BPF_EXIT_INSN(),
1833 },
1834 .result = ACCEPT,
1835 .prog_type = BPF_PROG_TYPE_SK_MSG,
1836 },
1837 {
1838 "overlapping checks for direct packet access SK_MSG",
1839 .insns = {
1840 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1841 offsetof(struct sk_msg_md, data)),
1842 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1843 offsetof(struct sk_msg_md, data_end)),
1844 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1845 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1846 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1847 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1848 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1849 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1850 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1851 BPF_MOV64_IMM(BPF_REG_0, 0),
1852 BPF_EXIT_INSN(),
1853 },
1854 .result = ACCEPT,
1855 .prog_type = BPF_PROG_TYPE_SK_MSG,
1856 },
1857 {
1858 "check skb->mark is not writeable by sockets",
1859 .insns = {
1860 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1861 offsetof(struct __sk_buff, mark)),
1862 BPF_EXIT_INSN(),
1863 },
1864 .errstr = "invalid bpf_context access",
1865 .errstr_unpriv = "R1 leaks addr",
1866 .result = REJECT,
1867 },
1868 {
1869 "check skb->tc_index is not writeable by sockets",
1870 .insns = {
1871 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1872 offsetof(struct __sk_buff, tc_index)),
1873 BPF_EXIT_INSN(),
1874 },
1875 .errstr = "invalid bpf_context access",
1876 .errstr_unpriv = "R1 leaks addr",
1877 .result = REJECT,
1878 },
1879 {
1880 "check cb access: byte",
1881 .insns = {
1882 BPF_MOV64_IMM(BPF_REG_0, 0),
1883 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1884 offsetof(struct __sk_buff, cb[0])),
1885 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1886 offsetof(struct __sk_buff, cb[0]) + 1),
1887 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1888 offsetof(struct __sk_buff, cb[0]) + 2),
1889 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1890 offsetof(struct __sk_buff, cb[0]) + 3),
1891 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1892 offsetof(struct __sk_buff, cb[1])),
1893 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1894 offsetof(struct __sk_buff, cb[1]) + 1),
1895 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1896 offsetof(struct __sk_buff, cb[1]) + 2),
1897 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1898 offsetof(struct __sk_buff, cb[1]) + 3),
1899 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1900 offsetof(struct __sk_buff, cb[2])),
1901 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1902 offsetof(struct __sk_buff, cb[2]) + 1),
1903 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1904 offsetof(struct __sk_buff, cb[2]) + 2),
1905 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1906 offsetof(struct __sk_buff, cb[2]) + 3),
1907 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1908 offsetof(struct __sk_buff, cb[3])),
1909 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1910 offsetof(struct __sk_buff, cb[3]) + 1),
1911 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1912 offsetof(struct __sk_buff, cb[3]) + 2),
1913 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1914 offsetof(struct __sk_buff, cb[3]) + 3),
1915 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1916 offsetof(struct __sk_buff, cb[4])),
1917 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1918 offsetof(struct __sk_buff, cb[4]) + 1),
1919 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1920 offsetof(struct __sk_buff, cb[4]) + 2),
1921 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1922 offsetof(struct __sk_buff, cb[4]) + 3),
1923 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1924 offsetof(struct __sk_buff, cb[0])),
1925 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1926 offsetof(struct __sk_buff, cb[0]) + 1),
1927 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1928 offsetof(struct __sk_buff, cb[0]) + 2),
1929 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1930 offsetof(struct __sk_buff, cb[0]) + 3),
1931 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1932 offsetof(struct __sk_buff, cb[1])),
1933 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1934 offsetof(struct __sk_buff, cb[1]) + 1),
1935 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1936 offsetof(struct __sk_buff, cb[1]) + 2),
1937 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1938 offsetof(struct __sk_buff, cb[1]) + 3),
1939 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1940 offsetof(struct __sk_buff, cb[2])),
1941 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1942 offsetof(struct __sk_buff, cb[2]) + 1),
1943 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1944 offsetof(struct __sk_buff, cb[2]) + 2),
1945 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1946 offsetof(struct __sk_buff, cb[2]) + 3),
1947 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1948 offsetof(struct __sk_buff, cb[3])),
1949 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1950 offsetof(struct __sk_buff, cb[3]) + 1),
1951 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1952 offsetof(struct __sk_buff, cb[3]) + 2),
1953 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1954 offsetof(struct __sk_buff, cb[3]) + 3),
1955 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1956 offsetof(struct __sk_buff, cb[4])),
1957 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1958 offsetof(struct __sk_buff, cb[4]) + 1),
1959 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1960 offsetof(struct __sk_buff, cb[4]) + 2),
1961 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1962 offsetof(struct __sk_buff, cb[4]) + 3),
1963 BPF_EXIT_INSN(),
1964 },
1965 .result = ACCEPT,
1966 },
1967 {
1968 "__sk_buff->hash, offset 0, byte store not permitted",
1969 .insns = {
1970 BPF_MOV64_IMM(BPF_REG_0, 0),
1971 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1972 offsetof(struct __sk_buff, hash)),
1973 BPF_EXIT_INSN(),
1974 },
1975 .errstr = "invalid bpf_context access",
1976 .result = REJECT,
1977 },
1978 {
1979 "__sk_buff->tc_index, offset 3, byte store not permitted",
1980 .insns = {
1981 BPF_MOV64_IMM(BPF_REG_0, 0),
1982 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1983 offsetof(struct __sk_buff, tc_index) + 3),
1984 BPF_EXIT_INSN(),
1985 },
1986 .errstr = "invalid bpf_context access",
1987 .result = REJECT,
1988 },
1989 {
1990 "check skb->hash byte load permitted",
1991 .insns = {
1992 BPF_MOV64_IMM(BPF_REG_0, 0),
1993 #if __BYTE_ORDER == __LITTLE_ENDIAN
1994 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1995 offsetof(struct __sk_buff, hash)),
1996 #else
1997 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1998 offsetof(struct __sk_buff, hash) + 3),
1999 #endif
2000 BPF_EXIT_INSN(),
2001 },
2002 .result = ACCEPT,
2003 },
2004 {
2005 "check skb->hash byte load not permitted 1",
2006 .insns = {
2007 BPF_MOV64_IMM(BPF_REG_0, 0),
2008 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2009 offsetof(struct __sk_buff, hash) + 1),
2010 BPF_EXIT_INSN(),
2011 },
2012 .errstr = "invalid bpf_context access",
2013 .result = REJECT,
2014 },
2015 {
2016 "check skb->hash byte load not permitted 2",
2017 .insns = {
2018 BPF_MOV64_IMM(BPF_REG_0, 0),
2019 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2020 offsetof(struct __sk_buff, hash) + 2),
2021 BPF_EXIT_INSN(),
2022 },
2023 .errstr = "invalid bpf_context access",
2024 .result = REJECT,
2025 },
2026 {
2027 "check skb->hash byte load not permitted 3",
2028 .insns = {
2029 BPF_MOV64_IMM(BPF_REG_0, 0),
2030 #if __BYTE_ORDER == __LITTLE_ENDIAN
2031 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2032 offsetof(struct __sk_buff, hash) + 3),
2033 #else
2034 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2035 offsetof(struct __sk_buff, hash)),
2036 #endif
2037 BPF_EXIT_INSN(),
2038 },
2039 .errstr = "invalid bpf_context access",
2040 .result = REJECT,
2041 },
2042 {
2043 "check cb access: byte, wrong type",
2044 .insns = {
2045 BPF_MOV64_IMM(BPF_REG_0, 0),
2046 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2047 offsetof(struct __sk_buff, cb[0])),
2048 BPF_EXIT_INSN(),
2049 },
2050 .errstr = "invalid bpf_context access",
2051 .result = REJECT,
2052 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2053 },
2054 {
2055 "check cb access: half",
2056 .insns = {
2057 BPF_MOV64_IMM(BPF_REG_0, 0),
2058 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2059 offsetof(struct __sk_buff, cb[0])),
2060 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2061 offsetof(struct __sk_buff, cb[0]) + 2),
2062 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2063 offsetof(struct __sk_buff, cb[1])),
2064 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2065 offsetof(struct __sk_buff, cb[1]) + 2),
2066 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2067 offsetof(struct __sk_buff, cb[2])),
2068 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2069 offsetof(struct __sk_buff, cb[2]) + 2),
2070 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2071 offsetof(struct __sk_buff, cb[3])),
2072 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2073 offsetof(struct __sk_buff, cb[3]) + 2),
2074 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2075 offsetof(struct __sk_buff, cb[4])),
2076 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2077 offsetof(struct __sk_buff, cb[4]) + 2),
2078 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2079 offsetof(struct __sk_buff, cb[0])),
2080 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2081 offsetof(struct __sk_buff, cb[0]) + 2),
2082 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2083 offsetof(struct __sk_buff, cb[1])),
2084 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2085 offsetof(struct __sk_buff, cb[1]) + 2),
2086 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2087 offsetof(struct __sk_buff, cb[2])),
2088 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2089 offsetof(struct __sk_buff, cb[2]) + 2),
2090 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2091 offsetof(struct __sk_buff, cb[3])),
2092 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2093 offsetof(struct __sk_buff, cb[3]) + 2),
2094 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2095 offsetof(struct __sk_buff, cb[4])),
2096 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2097 offsetof(struct __sk_buff, cb[4]) + 2),
2098 BPF_EXIT_INSN(),
2099 },
2100 .result = ACCEPT,
2101 },
2102 {
2103 "check cb access: half, unaligned",
2104 .insns = {
2105 BPF_MOV64_IMM(BPF_REG_0, 0),
2106 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2107 offsetof(struct __sk_buff, cb[0]) + 1),
2108 BPF_EXIT_INSN(),
2109 },
2110 .errstr = "misaligned context access",
2111 .result = REJECT,
2112 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2113 },
2114 {
2115 "check __sk_buff->hash, offset 0, half store not permitted",
2116 .insns = {
2117 BPF_MOV64_IMM(BPF_REG_0, 0),
2118 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2119 offsetof(struct __sk_buff, hash)),
2120 BPF_EXIT_INSN(),
2121 },
2122 .errstr = "invalid bpf_context access",
2123 .result = REJECT,
2124 },
2125 {
2126 "check __sk_buff->tc_index, offset 2, half store not permitted",
2127 .insns = {
2128 BPF_MOV64_IMM(BPF_REG_0, 0),
2129 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2130 offsetof(struct __sk_buff, tc_index) + 2),
2131 BPF_EXIT_INSN(),
2132 },
2133 .errstr = "invalid bpf_context access",
2134 .result = REJECT,
2135 },
2136 {
2137 "check skb->hash half load permitted",
2138 .insns = {
2139 BPF_MOV64_IMM(BPF_REG_0, 0),
2140 #if __BYTE_ORDER == __LITTLE_ENDIAN
2141 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2142 offsetof(struct __sk_buff, hash)),
2143 #else
2144 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2145 offsetof(struct __sk_buff, hash) + 2),
2146 #endif
2147 BPF_EXIT_INSN(),
2148 },
2149 .result = ACCEPT,
2150 },
2151 {
2152 "check skb->hash half load not permitted",
2153 .insns = {
2154 BPF_MOV64_IMM(BPF_REG_0, 0),
2155 #if __BYTE_ORDER == __LITTLE_ENDIAN
2156 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2157 offsetof(struct __sk_buff, hash) + 2),
2158 #else
2159 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2160 offsetof(struct __sk_buff, hash)),
2161 #endif
2162 BPF_EXIT_INSN(),
2163 },
2164 .errstr = "invalid bpf_context access",
2165 .result = REJECT,
2166 },
2167 {
2168 "check cb access: half, wrong type",
2169 .insns = {
2170 BPF_MOV64_IMM(BPF_REG_0, 0),
2171 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2172 offsetof(struct __sk_buff, cb[0])),
2173 BPF_EXIT_INSN(),
2174 },
2175 .errstr = "invalid bpf_context access",
2176 .result = REJECT,
2177 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2178 },
2179 {
2180 "check cb access: word",
2181 .insns = {
2182 BPF_MOV64_IMM(BPF_REG_0, 0),
2183 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2184 offsetof(struct __sk_buff, cb[0])),
2185 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2186 offsetof(struct __sk_buff, cb[1])),
2187 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2188 offsetof(struct __sk_buff, cb[2])),
2189 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2190 offsetof(struct __sk_buff, cb[3])),
2191 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2192 offsetof(struct __sk_buff, cb[4])),
2193 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2194 offsetof(struct __sk_buff, cb[0])),
2195 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2196 offsetof(struct __sk_buff, cb[1])),
2197 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2198 offsetof(struct __sk_buff, cb[2])),
2199 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2200 offsetof(struct __sk_buff, cb[3])),
2201 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2202 offsetof(struct __sk_buff, cb[4])),
2203 BPF_EXIT_INSN(),
2204 },
2205 .result = ACCEPT,
2206 },
2207 {
2208 "check cb access: word, unaligned 1",
2209 .insns = {
2210 BPF_MOV64_IMM(BPF_REG_0, 0),
2211 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2212 offsetof(struct __sk_buff, cb[0]) + 2),
2213 BPF_EXIT_INSN(),
2214 },
2215 .errstr = "misaligned context access",
2216 .result = REJECT,
2217 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2218 },
2219 {
2220 "check cb access: word, unaligned 2",
2221 .insns = {
2222 BPF_MOV64_IMM(BPF_REG_0, 0),
2223 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2224 offsetof(struct __sk_buff, cb[4]) + 1),
2225 BPF_EXIT_INSN(),
2226 },
2227 .errstr = "misaligned context access",
2228 .result = REJECT,
2229 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2230 },
2231 {
2232 "check cb access: word, unaligned 3",
2233 .insns = {
2234 BPF_MOV64_IMM(BPF_REG_0, 0),
2235 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2236 offsetof(struct __sk_buff, cb[4]) + 2),
2237 BPF_EXIT_INSN(),
2238 },
2239 .errstr = "misaligned context access",
2240 .result = REJECT,
2241 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2242 },
2243 {
2244 "check cb access: word, unaligned 4",
2245 .insns = {
2246 BPF_MOV64_IMM(BPF_REG_0, 0),
2247 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2248 offsetof(struct __sk_buff, cb[4]) + 3),
2249 BPF_EXIT_INSN(),
2250 },
2251 .errstr = "misaligned context access",
2252 .result = REJECT,
2253 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2254 },
2255 {
2256 "check cb access: double",
2257 .insns = {
2258 BPF_MOV64_IMM(BPF_REG_0, 0),
2259 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2260 offsetof(struct __sk_buff, cb[0])),
2261 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2262 offsetof(struct __sk_buff, cb[2])),
2263 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2264 offsetof(struct __sk_buff, cb[0])),
2265 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2266 offsetof(struct __sk_buff, cb[2])),
2267 BPF_EXIT_INSN(),
2268 },
2269 .result = ACCEPT,
2270 },
2271 {
2272 "check cb access: double, unaligned 1",
2273 .insns = {
2274 BPF_MOV64_IMM(BPF_REG_0, 0),
2275 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2276 offsetof(struct __sk_buff, cb[1])),
2277 BPF_EXIT_INSN(),
2278 },
2279 .errstr = "misaligned context access",
2280 .result = REJECT,
2281 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2282 },
2283 {
2284 "check cb access: double, unaligned 2",
2285 .insns = {
2286 BPF_MOV64_IMM(BPF_REG_0, 0),
2287 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2288 offsetof(struct __sk_buff, cb[3])),
2289 BPF_EXIT_INSN(),
2290 },
2291 .errstr = "misaligned context access",
2292 .result = REJECT,
2293 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2294 },
2295 {
2296 "check cb access: double, oob 1",
2297 .insns = {
2298 BPF_MOV64_IMM(BPF_REG_0, 0),
2299 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2300 offsetof(struct __sk_buff, cb[4])),
2301 BPF_EXIT_INSN(),
2302 },
2303 .errstr = "invalid bpf_context access",
2304 .result = REJECT,
2305 },
2306 {
2307 "check cb access: double, oob 2",
2308 .insns = {
2309 BPF_MOV64_IMM(BPF_REG_0, 0),
2310 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2311 offsetof(struct __sk_buff, cb[4])),
2312 BPF_EXIT_INSN(),
2313 },
2314 .errstr = "invalid bpf_context access",
2315 .result = REJECT,
2316 },
2317 {
2318 "check __sk_buff->ifindex dw store not permitted",
2319 .insns = {
2320 BPF_MOV64_IMM(BPF_REG_0, 0),
2321 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2322 offsetof(struct __sk_buff, ifindex)),
2323 BPF_EXIT_INSN(),
2324 },
2325 .errstr = "invalid bpf_context access",
2326 .result = REJECT,
2327 },
2328 {
2329 "check __sk_buff->ifindex dw load not permitted",
2330 .insns = {
2331 BPF_MOV64_IMM(BPF_REG_0, 0),
2332 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2333 offsetof(struct __sk_buff, ifindex)),
2334 BPF_EXIT_INSN(),
2335 },
2336 .errstr = "invalid bpf_context access",
2337 .result = REJECT,
2338 },
2339 {
2340 "check cb access: double, wrong type",
2341 .insns = {
2342 BPF_MOV64_IMM(BPF_REG_0, 0),
2343 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2344 offsetof(struct __sk_buff, cb[0])),
2345 BPF_EXIT_INSN(),
2346 },
2347 .errstr = "invalid bpf_context access",
2348 .result = REJECT,
2349 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2350 },
2351 {
2352 "check out of range skb->cb access",
2353 .insns = {
2354 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2355 offsetof(struct __sk_buff, cb[0]) + 256),
2356 BPF_EXIT_INSN(),
2357 },
2358 .errstr = "invalid bpf_context access",
2359 .errstr_unpriv = "",
2360 .result = REJECT,
2361 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
2362 },
2363 {
2364 "write skb fields from socket prog",
2365 .insns = {
2366 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2367 offsetof(struct __sk_buff, cb[4])),
2368 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2369 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2370 offsetof(struct __sk_buff, mark)),
2371 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2372 offsetof(struct __sk_buff, tc_index)),
2373 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2374 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2375 offsetof(struct __sk_buff, cb[0])),
2376 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2377 offsetof(struct __sk_buff, cb[2])),
2378 BPF_EXIT_INSN(),
2379 },
2380 .result = ACCEPT,
2381 .errstr_unpriv = "R1 leaks addr",
2382 .result_unpriv = REJECT,
2383 },
2384 {
2385 "write skb fields from tc_cls_act prog",
2386 .insns = {
2387 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2388 offsetof(struct __sk_buff, cb[0])),
2389 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2390 offsetof(struct __sk_buff, mark)),
2391 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2392 offsetof(struct __sk_buff, tc_index)),
2393 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2394 offsetof(struct __sk_buff, tc_index)),
2395 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2396 offsetof(struct __sk_buff, cb[3])),
2397 BPF_EXIT_INSN(),
2398 },
2399 .errstr_unpriv = "",
2400 .result_unpriv = REJECT,
2401 .result = ACCEPT,
2402 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2403 },
2404 {
2405 "PTR_TO_STACK store/load",
2406 .insns = {
2407 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2408 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2409 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2410 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2411 BPF_EXIT_INSN(),
2412 },
2413 .result = ACCEPT,
2414 .retval = 0xfaceb00c,
2415 },
2416 {
2417 "PTR_TO_STACK store/load - bad alignment on off",
2418 .insns = {
2419 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2420 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2421 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2422 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2423 BPF_EXIT_INSN(),
2424 },
2425 .result = REJECT,
2426 .errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
2427 },
2428 {
2429 "PTR_TO_STACK store/load - bad alignment on reg",
2430 .insns = {
2431 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2432 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2433 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2434 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2435 BPF_EXIT_INSN(),
2436 },
2437 .result = REJECT,
2438 .errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
2439 },
2440 {
2441 "PTR_TO_STACK store/load - out of bounds low",
2442 .insns = {
2443 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2444 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
2445 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2446 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2447 BPF_EXIT_INSN(),
2448 },
2449 .result = REJECT,
2450 .errstr = "invalid stack off=-79992 size=8",
2451 },
2452 {
2453 "PTR_TO_STACK store/load - out of bounds high",
2454 .insns = {
2455 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2456 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2457 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2458 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2459 BPF_EXIT_INSN(),
2460 },
2461 .result = REJECT,
2462 .errstr = "invalid stack off=0 size=8",
2463 },
2464 {
2465 "unpriv: return pointer",
2466 .insns = {
2467 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
2468 BPF_EXIT_INSN(),
2469 },
2470 .result = ACCEPT,
2471 .result_unpriv = REJECT,
2472 .errstr_unpriv = "R0 leaks addr",
2473 .retval = POINTER_VALUE,
2474 },
2475 {
2476 "unpriv: add const to pointer",
2477 .insns = {
2478 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2479 BPF_MOV64_IMM(BPF_REG_0, 0),
2480 BPF_EXIT_INSN(),
2481 },
2482 .result = ACCEPT,
2483 },
2484 {
2485 "unpriv: add pointer to pointer",
2486 .insns = {
2487 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2488 BPF_MOV64_IMM(BPF_REG_0, 0),
2489 BPF_EXIT_INSN(),
2490 },
2491 .result = REJECT,
2492 .errstr = "R1 pointer += pointer",
2493 },
2494 {
2495 "unpriv: neg pointer",
2496 .insns = {
2497 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
2498 BPF_MOV64_IMM(BPF_REG_0, 0),
2499 BPF_EXIT_INSN(),
2500 },
2501 .result = ACCEPT,
2502 .result_unpriv = REJECT,
2503 .errstr_unpriv = "R1 pointer arithmetic",
2504 },
2505 {
2506 "unpriv: cmp pointer with const",
2507 .insns = {
2508 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2509 BPF_MOV64_IMM(BPF_REG_0, 0),
2510 BPF_EXIT_INSN(),
2511 },
2512 .result = ACCEPT,
2513 .result_unpriv = REJECT,
2514 .errstr_unpriv = "R1 pointer comparison",
2515 },
2516 {
2517 "unpriv: cmp pointer with pointer",
2518 .insns = {
2519 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
2520 BPF_MOV64_IMM(BPF_REG_0, 0),
2521 BPF_EXIT_INSN(),
2522 },
2523 .result = ACCEPT,
2524 .result_unpriv = REJECT,
2525 .errstr_unpriv = "R10 pointer comparison",
2526 },
2527 {
2528 "unpriv: check that printk is disallowed",
2529 .insns = {
2530 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2531 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2532 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2533 BPF_MOV64_IMM(BPF_REG_2, 8),
2534 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2535 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2536 BPF_FUNC_trace_printk),
2537 BPF_MOV64_IMM(BPF_REG_0, 0),
2538 BPF_EXIT_INSN(),
2539 },
2540 .errstr_unpriv = "unknown func bpf_trace_printk#6",
2541 .result_unpriv = REJECT,
2542 .result = ACCEPT,
2543 },
2544 {
2545 "unpriv: pass pointer to helper function",
2546 .insns = {
2547 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2548 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2549 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2550 BPF_LD_MAP_FD(BPF_REG_1, 0),
2551 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2552 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2553 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2554 BPF_FUNC_map_update_elem),
2555 BPF_MOV64_IMM(BPF_REG_0, 0),
2556 BPF_EXIT_INSN(),
2557 },
2558 .fixup_map1 = { 3 },
2559 .errstr_unpriv = "R4 leaks addr",
2560 .result_unpriv = REJECT,
2561 .result = ACCEPT,
2562 },
2563 {
2564 "unpriv: indirectly pass pointer on stack to helper function",
2565 .insns = {
2566 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2567 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2568 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2569 BPF_LD_MAP_FD(BPF_REG_1, 0),
2570 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2571 BPF_FUNC_map_lookup_elem),
2572 BPF_MOV64_IMM(BPF_REG_0, 0),
2573 BPF_EXIT_INSN(),
2574 },
2575 .fixup_map1 = { 3 },
2576 .errstr = "invalid indirect read from stack off -8+0 size 8",
2577 .result = REJECT,
2578 },
2579 {
2580 "unpriv: mangle pointer on stack 1",
2581 .insns = {
2582 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2583 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
2584 BPF_MOV64_IMM(BPF_REG_0, 0),
2585 BPF_EXIT_INSN(),
2586 },
2587 .errstr_unpriv = "attempt to corrupt spilled",
2588 .result_unpriv = REJECT,
2589 .result = ACCEPT,
2590 },
2591 {
2592 "unpriv: mangle pointer on stack 2",
2593 .insns = {
2594 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2595 BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
2596 BPF_MOV64_IMM(BPF_REG_0, 0),
2597 BPF_EXIT_INSN(),
2598 },
2599 .errstr_unpriv = "attempt to corrupt spilled",
2600 .result_unpriv = REJECT,
2601 .result = ACCEPT,
2602 },
2603 {
2604 "unpriv: read pointer from stack in small chunks",
2605 .insns = {
2606 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2607 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
2608 BPF_MOV64_IMM(BPF_REG_0, 0),
2609 BPF_EXIT_INSN(),
2610 },
2611 .errstr = "invalid size",
2612 .result = REJECT,
2613 },
2614 {
2615 "unpriv: write pointer into ctx",
2616 .insns = {
2617 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
2618 BPF_MOV64_IMM(BPF_REG_0, 0),
2619 BPF_EXIT_INSN(),
2620 },
2621 .errstr_unpriv = "R1 leaks addr",
2622 .result_unpriv = REJECT,
2623 .errstr = "invalid bpf_context access",
2624 .result = REJECT,
2625 },
2626 {
2627 "unpriv: spill/fill of ctx",
2628 .insns = {
2629 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2630 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2631 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2632 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2633 BPF_MOV64_IMM(BPF_REG_0, 0),
2634 BPF_EXIT_INSN(),
2635 },
2636 .result = ACCEPT,
2637 },
2638 {
2639 "unpriv: spill/fill of ctx 2",
2640 .insns = {
2641 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2642 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2643 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2644 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2645 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2646 BPF_FUNC_get_hash_recalc),
2647 BPF_MOV64_IMM(BPF_REG_0, 0),
2648 BPF_EXIT_INSN(),
2649 },
2650 .result = ACCEPT,
2651 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2652 },
2653 {
2654 "unpriv: spill/fill of ctx 3",
2655 .insns = {
2656 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2657 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2658 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2659 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2660 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2661 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2662 BPF_FUNC_get_hash_recalc),
2663 BPF_EXIT_INSN(),
2664 },
2665 .result = REJECT,
2666 .errstr = "R1 type=fp expected=ctx",
2667 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2668 },
2669 {
2670 "unpriv: spill/fill of ctx 4",
2671 .insns = {
2672 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2673 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2674 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2675 BPF_MOV64_IMM(BPF_REG_0, 1),
2676 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
2677 BPF_REG_0, -8, 0),
2678 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2679 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2680 BPF_FUNC_get_hash_recalc),
2681 BPF_EXIT_INSN(),
2682 },
2683 .result = REJECT,
2684 .errstr = "R1 type=inv expected=ctx",
2685 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2686 },
2687 {
2688 "unpriv: spill/fill of different pointers stx",
2689 .insns = {
2690 BPF_MOV64_IMM(BPF_REG_3, 42),
2691 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2692 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2693 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2694 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2695 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
2696 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2697 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2698 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2699 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2700 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2701 offsetof(struct __sk_buff, mark)),
2702 BPF_MOV64_IMM(BPF_REG_0, 0),
2703 BPF_EXIT_INSN(),
2704 },
2705 .result = REJECT,
2706 .errstr = "same insn cannot be used with different pointers",
2707 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2708 },
2709 {
2710 "unpriv: spill/fill of different pointers ldx",
2711 .insns = {
2712 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2713 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2714 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2715 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2716 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
2717 -(__s32)offsetof(struct bpf_perf_event_data,
2718 sample_period) - 8),
2719 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2720 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2721 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2722 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2723 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
2724 offsetof(struct bpf_perf_event_data,
2725 sample_period)),
2726 BPF_MOV64_IMM(BPF_REG_0, 0),
2727 BPF_EXIT_INSN(),
2728 },
2729 .result = REJECT,
2730 .errstr = "same insn cannot be used with different pointers",
2731 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
2732 },
2733 {
2734 "unpriv: write pointer into map elem value",
2735 .insns = {
2736 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2737 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2738 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2739 BPF_LD_MAP_FD(BPF_REG_1, 0),
2740 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2741 BPF_FUNC_map_lookup_elem),
2742 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2743 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
2744 BPF_EXIT_INSN(),
2745 },
2746 .fixup_map1 = { 3 },
2747 .errstr_unpriv = "R0 leaks addr",
2748 .result_unpriv = REJECT,
2749 .result = ACCEPT,
2750 },
2751 {
2752 "alu32: mov u32 const",
2753 .insns = {
2754 BPF_MOV32_IMM(BPF_REG_7, 0),
2755 BPF_ALU32_IMM(BPF_AND, BPF_REG_7, 1),
2756 BPF_MOV32_REG(BPF_REG_0, BPF_REG_7),
2757 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2758 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
2759 BPF_EXIT_INSN(),
2760 },
2761 .result = ACCEPT,
2762 .retval = 0,
2763 },
2764 {
2765 "unpriv: partial copy of pointer",
2766 .insns = {
2767 BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
2768 BPF_MOV64_IMM(BPF_REG_0, 0),
2769 BPF_EXIT_INSN(),
2770 },
2771 .errstr_unpriv = "R10 partial copy",
2772 .result_unpriv = REJECT,
2773 .result = ACCEPT,
2774 },
2775 {
2776 "unpriv: pass pointer to tail_call",
2777 .insns = {
2778 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2779 BPF_LD_MAP_FD(BPF_REG_2, 0),
2780 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2781 BPF_FUNC_tail_call),
2782 BPF_MOV64_IMM(BPF_REG_0, 0),
2783 BPF_EXIT_INSN(),
2784 },
2785 .fixup_prog1 = { 1 },
2786 .errstr_unpriv = "R3 leaks addr into helper",
2787 .result_unpriv = REJECT,
2788 .result = ACCEPT,
2789 },
2790 {
2791 "unpriv: cmp map pointer with zero",
2792 .insns = {
2793 BPF_MOV64_IMM(BPF_REG_1, 0),
2794 BPF_LD_MAP_FD(BPF_REG_1, 0),
2795 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2796 BPF_MOV64_IMM(BPF_REG_0, 0),
2797 BPF_EXIT_INSN(),
2798 },
2799 .fixup_map1 = { 1 },
2800 .errstr_unpriv = "R1 pointer comparison",
2801 .result_unpriv = REJECT,
2802 .result = ACCEPT,
2803 },
2804 {
2805 "unpriv: write into frame pointer",
2806 .insns = {
2807 BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
2808 BPF_MOV64_IMM(BPF_REG_0, 0),
2809 BPF_EXIT_INSN(),
2810 },
2811 .errstr = "frame pointer is read only",
2812 .result = REJECT,
2813 },
2814 {
2815 "unpriv: spill/fill frame pointer",
2816 .insns = {
2817 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2818 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2819 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2820 BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
2821 BPF_MOV64_IMM(BPF_REG_0, 0),
2822 BPF_EXIT_INSN(),
2823 },
2824 .errstr = "frame pointer is read only",
2825 .result = REJECT,
2826 },
2827 {
2828 "unpriv: cmp of frame pointer",
2829 .insns = {
2830 BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
2831 BPF_MOV64_IMM(BPF_REG_0, 0),
2832 BPF_EXIT_INSN(),
2833 },
2834 .errstr_unpriv = "R10 pointer comparison",
2835 .result_unpriv = REJECT,
2836 .result = ACCEPT,
2837 },
2838 {
2839 "unpriv: adding of fp",
2840 .insns = {
2841 BPF_MOV64_IMM(BPF_REG_0, 0),
2842 BPF_MOV64_IMM(BPF_REG_1, 0),
2843 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2844 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
2845 BPF_EXIT_INSN(),
2846 },
2847 .result = ACCEPT,
2848 },
2849 {
2850 "unpriv: cmp of stack pointer",
2851 .insns = {
2852 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2853 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2854 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
2855 BPF_MOV64_IMM(BPF_REG_0, 0),
2856 BPF_EXIT_INSN(),
2857 },
2858 .errstr_unpriv = "R2 pointer comparison",
2859 .result_unpriv = REJECT,
2860 .result = ACCEPT,
2861 },
2862 {
2863 "runtime/jit: tail_call within bounds, prog once",
2864 .insns = {
2865 BPF_MOV64_IMM(BPF_REG_3, 0),
2866 BPF_LD_MAP_FD(BPF_REG_2, 0),
2867 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2868 BPF_FUNC_tail_call),
2869 BPF_MOV64_IMM(BPF_REG_0, 1),
2870 BPF_EXIT_INSN(),
2871 },
2872 .fixup_prog1 = { 1 },
2873 .result = ACCEPT,
2874 .retval = 42,
2875 },
2876 {
2877 "runtime/jit: tail_call within bounds, prog loop",
2878 .insns = {
2879 BPF_MOV64_IMM(BPF_REG_3, 1),
2880 BPF_LD_MAP_FD(BPF_REG_2, 0),
2881 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2882 BPF_FUNC_tail_call),
2883 BPF_MOV64_IMM(BPF_REG_0, 1),
2884 BPF_EXIT_INSN(),
2885 },
2886 .fixup_prog1 = { 1 },
2887 .result = ACCEPT,
2888 .retval = 41,
2889 },
2890 {
2891 "runtime/jit: tail_call within bounds, no prog",
2892 .insns = {
2893 BPF_MOV64_IMM(BPF_REG_3, 2),
2894 BPF_LD_MAP_FD(BPF_REG_2, 0),
2895 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2896 BPF_FUNC_tail_call),
2897 BPF_MOV64_IMM(BPF_REG_0, 1),
2898 BPF_EXIT_INSN(),
2899 },
2900 .fixup_prog1 = { 1 },
2901 .result = ACCEPT,
2902 .retval = 1,
2903 },
2904 {
2905 "runtime/jit: tail_call out of bounds",
2906 .insns = {
2907 BPF_MOV64_IMM(BPF_REG_3, 256),
2908 BPF_LD_MAP_FD(BPF_REG_2, 0),
2909 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2910 BPF_FUNC_tail_call),
2911 BPF_MOV64_IMM(BPF_REG_0, 2),
2912 BPF_EXIT_INSN(),
2913 },
2914 .fixup_prog1 = { 1 },
2915 .result = ACCEPT,
2916 .retval = 2,
2917 },
2918 {
2919 "runtime/jit: pass negative index to tail_call",
2920 .insns = {
2921 BPF_MOV64_IMM(BPF_REG_3, -1),
2922 BPF_LD_MAP_FD(BPF_REG_2, 0),
2923 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2924 BPF_FUNC_tail_call),
2925 BPF_MOV64_IMM(BPF_REG_0, 2),
2926 BPF_EXIT_INSN(),
2927 },
2928 .fixup_prog1 = { 1 },
2929 .result = ACCEPT,
2930 .retval = 2,
2931 },
2932 {
2933 "runtime/jit: pass > 32bit index to tail_call",
2934 .insns = {
2935 BPF_LD_IMM64(BPF_REG_3, 0x100000000ULL),
2936 BPF_LD_MAP_FD(BPF_REG_2, 0),
2937 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2938 BPF_FUNC_tail_call),
2939 BPF_MOV64_IMM(BPF_REG_0, 2),
2940 BPF_EXIT_INSN(),
2941 },
2942 .fixup_prog1 = { 2 },
2943 .result = ACCEPT,
2944 .retval = 42,
2945 },
2946 {
2947 "stack pointer arithmetic",
2948 .insns = {
2949 BPF_MOV64_IMM(BPF_REG_1, 4),
2950 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
2951 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
2952 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2953 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2954 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2955 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
2956 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2957 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2958 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2959 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2960 BPF_MOV64_IMM(BPF_REG_0, 0),
2961 BPF_EXIT_INSN(),
2962 },
2963 .result = ACCEPT,
2964 },
2965 {
2966 "raw_stack: no skb_load_bytes",
2967 .insns = {
2968 BPF_MOV64_IMM(BPF_REG_2, 4),
2969 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2970 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2971 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2972 BPF_MOV64_IMM(BPF_REG_4, 8),
2973 /* Call to skb_load_bytes() omitted. */
2974 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2975 BPF_EXIT_INSN(),
2976 },
2977 .result = REJECT,
2978 .errstr = "invalid read from stack off -8+0 size 8",
2979 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2980 },
2981 {
2982 "raw_stack: skb_load_bytes, negative len",
2983 .insns = {
2984 BPF_MOV64_IMM(BPF_REG_2, 4),
2985 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2986 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2987 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2988 BPF_MOV64_IMM(BPF_REG_4, -8),
2989 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2990 BPF_FUNC_skb_load_bytes),
2991 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2992 BPF_EXIT_INSN(),
2993 },
2994 .result = REJECT,
2995 .errstr = "R4 min value is negative",
2996 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2997 },
2998 {
2999 "raw_stack: skb_load_bytes, negative len 2",
3000 .insns = {
3001 BPF_MOV64_IMM(BPF_REG_2, 4),
3002 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3003 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3004 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3005 BPF_MOV64_IMM(BPF_REG_4, ~0),
3006 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3007 BPF_FUNC_skb_load_bytes),
3008 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3009 BPF_EXIT_INSN(),
3010 },
3011 .result = REJECT,
3012 .errstr = "R4 min value is negative",
3013 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3014 },
3015 {
3016 "raw_stack: skb_load_bytes, zero len",
3017 .insns = {
3018 BPF_MOV64_IMM(BPF_REG_2, 4),
3019 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3020 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3021 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3022 BPF_MOV64_IMM(BPF_REG_4, 0),
3023 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3024 BPF_FUNC_skb_load_bytes),
3025 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3026 BPF_EXIT_INSN(),
3027 },
3028 .result = REJECT,
3029 .errstr = "invalid stack type R3",
3030 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3031 },
3032 {
3033 "raw_stack: skb_load_bytes, no init",
3034 .insns = {
3035 BPF_MOV64_IMM(BPF_REG_2, 4),
3036 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3037 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3038 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3039 BPF_MOV64_IMM(BPF_REG_4, 8),
3040 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3041 BPF_FUNC_skb_load_bytes),
3042 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3043 BPF_EXIT_INSN(),
3044 },
3045 .result = ACCEPT,
3046 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3047 },
3048 {
3049 "raw_stack: skb_load_bytes, init",
3050 .insns = {
3051 BPF_MOV64_IMM(BPF_REG_2, 4),
3052 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3053 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3054 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
3055 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3056 BPF_MOV64_IMM(BPF_REG_4, 8),
3057 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3058 BPF_FUNC_skb_load_bytes),
3059 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3060 BPF_EXIT_INSN(),
3061 },
3062 .result = ACCEPT,
3063 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3064 },
3065 {
3066 "raw_stack: skb_load_bytes, spilled regs around bounds",
3067 .insns = {
3068 BPF_MOV64_IMM(BPF_REG_2, 4),
3069 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3070 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3071 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3072 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3073 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3074 BPF_MOV64_IMM(BPF_REG_4, 8),
3075 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3076 BPF_FUNC_skb_load_bytes),
3077 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3078 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3079 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3080 offsetof(struct __sk_buff, mark)),
3081 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3082 offsetof(struct __sk_buff, priority)),
3083 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3084 BPF_EXIT_INSN(),
3085 },
3086 .result = ACCEPT,
3087 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3088 },
3089 {
3090 "raw_stack: skb_load_bytes, spilled regs corruption",
3091 .insns = {
3092 BPF_MOV64_IMM(BPF_REG_2, 4),
3093 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3094 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3095 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3096 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3097 BPF_MOV64_IMM(BPF_REG_4, 8),
3098 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3099 BPF_FUNC_skb_load_bytes),
3100 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3101 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3102 offsetof(struct __sk_buff, mark)),
3103 BPF_EXIT_INSN(),
3104 },
3105 .result = REJECT,
3106 .errstr = "R0 invalid mem access 'inv'",
3107 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3108 },
3109 {
3110 "raw_stack: skb_load_bytes, spilled regs corruption 2",
3111 .insns = {
3112 BPF_MOV64_IMM(BPF_REG_2, 4),
3113 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3114 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3115 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3116 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3117 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3118 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3119 BPF_MOV64_IMM(BPF_REG_4, 8),
3120 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3121 BPF_FUNC_skb_load_bytes),
3122 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3123 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3124 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
3125 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3126 offsetof(struct __sk_buff, mark)),
3127 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3128 offsetof(struct __sk_buff, priority)),
3129 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3130 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
3131 offsetof(struct __sk_buff, pkt_type)),
3132 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3133 BPF_EXIT_INSN(),
3134 },
3135 .result = REJECT,
3136 .errstr = "R3 invalid mem access 'inv'",
3137 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3138 },
3139 {
3140 "raw_stack: skb_load_bytes, spilled regs + data",
3141 .insns = {
3142 BPF_MOV64_IMM(BPF_REG_2, 4),
3143 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3144 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3145 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3146 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3147 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3148 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3149 BPF_MOV64_IMM(BPF_REG_4, 8),
3150 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3151 BPF_FUNC_skb_load_bytes),
3152 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3153 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3154 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
3155 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3156 offsetof(struct __sk_buff, mark)),
3157 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3158 offsetof(struct __sk_buff, priority)),
3159 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3160 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3161 BPF_EXIT_INSN(),
3162 },
3163 .result = ACCEPT,
3164 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3165 },
3166 {
3167 "raw_stack: skb_load_bytes, invalid access 1",
3168 .insns = {
3169 BPF_MOV64_IMM(BPF_REG_2, 4),
3170 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3171 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
3172 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3173 BPF_MOV64_IMM(BPF_REG_4, 8),
3174 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3175 BPF_FUNC_skb_load_bytes),
3176 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3177 BPF_EXIT_INSN(),
3178 },
3179 .result = REJECT,
3180 .errstr = "invalid stack type R3 off=-513 access_size=8",
3181 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3182 },
3183 {
3184 "raw_stack: skb_load_bytes, invalid access 2",
3185 .insns = {
3186 BPF_MOV64_IMM(BPF_REG_2, 4),
3187 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3188 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3189 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3190 BPF_MOV64_IMM(BPF_REG_4, 8),
3191 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3192 BPF_FUNC_skb_load_bytes),
3193 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3194 BPF_EXIT_INSN(),
3195 },
3196 .result = REJECT,
3197 .errstr = "invalid stack type R3 off=-1 access_size=8",
3198 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3199 },
3200 {
3201 "raw_stack: skb_load_bytes, invalid access 3",
3202 .insns = {
3203 BPF_MOV64_IMM(BPF_REG_2, 4),
3204 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3205 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
3206 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3207 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3208 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3209 BPF_FUNC_skb_load_bytes),
3210 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3211 BPF_EXIT_INSN(),
3212 },
3213 .result = REJECT,
3214 .errstr = "R4 min value is negative",
3215 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3216 },
3217 {
3218 "raw_stack: skb_load_bytes, invalid access 4",
3219 .insns = {
3220 BPF_MOV64_IMM(BPF_REG_2, 4),
3221 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3222 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3223 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3224 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3225 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3226 BPF_FUNC_skb_load_bytes),
3227 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3228 BPF_EXIT_INSN(),
3229 },
3230 .result = REJECT,
3231 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3232 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3233 },
3234 {
3235 "raw_stack: skb_load_bytes, invalid access 5",
3236 .insns = {
3237 BPF_MOV64_IMM(BPF_REG_2, 4),
3238 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3239 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3240 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3241 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3242 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3243 BPF_FUNC_skb_load_bytes),
3244 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3245 BPF_EXIT_INSN(),
3246 },
3247 .result = REJECT,
3248 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3249 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3250 },
3251 {
3252 "raw_stack: skb_load_bytes, invalid access 6",
3253 .insns = {
3254 BPF_MOV64_IMM(BPF_REG_2, 4),
3255 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3256 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3257 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3258 BPF_MOV64_IMM(BPF_REG_4, 0),
3259 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3260 BPF_FUNC_skb_load_bytes),
3261 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3262 BPF_EXIT_INSN(),
3263 },
3264 .result = REJECT,
3265 .errstr = "invalid stack type R3 off=-512 access_size=0",
3266 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3267 },
3268 {
3269 "raw_stack: skb_load_bytes, large access",
3270 .insns = {
3271 BPF_MOV64_IMM(BPF_REG_2, 4),
3272 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3273 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3274 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3275 BPF_MOV64_IMM(BPF_REG_4, 512),
3276 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3277 BPF_FUNC_skb_load_bytes),
3278 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3279 BPF_EXIT_INSN(),
3280 },
3281 .result = ACCEPT,
3282 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3283 },
3284 {
3285 "context stores via ST",
3286 .insns = {
3287 BPF_MOV64_IMM(BPF_REG_0, 0),
3288 BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
3289 BPF_EXIT_INSN(),
3290 },
3291 .errstr = "BPF_ST stores into R1 context is not allowed",
3292 .result = REJECT,
3293 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3294 },
3295 {
3296 "context stores via XADD",
3297 .insns = {
3298 BPF_MOV64_IMM(BPF_REG_0, 0),
3299 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1,
3300 BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
3301 BPF_EXIT_INSN(),
3302 },
3303 .errstr = "BPF_XADD stores into R1 context is not allowed",
3304 .result = REJECT,
3305 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3306 },
3307 {
3308 "direct packet access: test1",
3309 .insns = {
3310 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3311 offsetof(struct __sk_buff, data)),
3312 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3313 offsetof(struct __sk_buff, data_end)),
3314 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3315 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3316 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3317 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3318 BPF_MOV64_IMM(BPF_REG_0, 0),
3319 BPF_EXIT_INSN(),
3320 },
3321 .result = ACCEPT,
3322 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3323 },
3324 {
3325 "direct packet access: test2",
3326 .insns = {
3327 BPF_MOV64_IMM(BPF_REG_0, 1),
3328 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
3329 offsetof(struct __sk_buff, data_end)),
3330 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3331 offsetof(struct __sk_buff, data)),
3332 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3333 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
3334 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
3335 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
3336 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
3337 BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
3338 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3339 offsetof(struct __sk_buff, data)),
3340 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
3341 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3342 offsetof(struct __sk_buff, len)),
3343 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
3344 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
3345 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
3346 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
3347 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3348 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
3349 offsetof(struct __sk_buff, data_end)),
3350 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3351 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
3352 BPF_MOV64_IMM(BPF_REG_0, 0),
3353 BPF_EXIT_INSN(),
3354 },
3355 .result = ACCEPT,
3356 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3357 },
3358 {
3359 "direct packet access: test3",
3360 .insns = {
3361 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3362 offsetof(struct __sk_buff, data)),
3363 BPF_MOV64_IMM(BPF_REG_0, 0),
3364 BPF_EXIT_INSN(),
3365 },
3366 .errstr = "invalid bpf_context access off=76",
3367 .result = REJECT,
3368 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
3369 },
3370 {
3371 "direct packet access: test4 (write)",
3372 .insns = {
3373 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3374 offsetof(struct __sk_buff, data)),
3375 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3376 offsetof(struct __sk_buff, data_end)),
3377 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3378 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3379 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3380 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3381 BPF_MOV64_IMM(BPF_REG_0, 0),
3382 BPF_EXIT_INSN(),
3383 },
3384 .result = ACCEPT,
3385 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3386 },
3387 {
3388 "direct packet access: test5 (pkt_end >= reg, good access)",
3389 .insns = {
3390 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3391 offsetof(struct __sk_buff, data)),
3392 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3393 offsetof(struct __sk_buff, data_end)),
3394 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3395 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3396 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3397 BPF_MOV64_IMM(BPF_REG_0, 1),
3398 BPF_EXIT_INSN(),
3399 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3400 BPF_MOV64_IMM(BPF_REG_0, 0),
3401 BPF_EXIT_INSN(),
3402 },
3403 .result = ACCEPT,
3404 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3405 },
3406 {
3407 "direct packet access: test6 (pkt_end >= reg, bad access)",
3408 .insns = {
3409 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3410 offsetof(struct __sk_buff, data)),
3411 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3412 offsetof(struct __sk_buff, data_end)),
3413 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3414 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3415 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3416 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3417 BPF_MOV64_IMM(BPF_REG_0, 1),
3418 BPF_EXIT_INSN(),
3419 BPF_MOV64_IMM(BPF_REG_0, 0),
3420 BPF_EXIT_INSN(),
3421 },
3422 .errstr = "invalid access to packet",
3423 .result = REJECT,
3424 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3425 },
3426 {
3427 "direct packet access: test7 (pkt_end >= reg, both accesses)",
3428 .insns = {
3429 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3430 offsetof(struct __sk_buff, data)),
3431 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3432 offsetof(struct __sk_buff, data_end)),
3433 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3434 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3435 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3436 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3437 BPF_MOV64_IMM(BPF_REG_0, 1),
3438 BPF_EXIT_INSN(),
3439 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3440 BPF_MOV64_IMM(BPF_REG_0, 0),
3441 BPF_EXIT_INSN(),
3442 },
3443 .errstr = "invalid access to packet",
3444 .result = REJECT,
3445 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3446 },
3447 {
3448 "direct packet access: test8 (double test, variant 1)",
3449 .insns = {
3450 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3451 offsetof(struct __sk_buff, data)),
3452 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3453 offsetof(struct __sk_buff, data_end)),
3454 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3455 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3456 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
3457 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3458 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3459 BPF_MOV64_IMM(BPF_REG_0, 1),
3460 BPF_EXIT_INSN(),
3461 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3462 BPF_MOV64_IMM(BPF_REG_0, 0),
3463 BPF_EXIT_INSN(),
3464 },
3465 .result = ACCEPT,
3466 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3467 },
3468 {
3469 "direct packet access: test9 (double test, variant 2)",
3470 .insns = {
3471 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3472 offsetof(struct __sk_buff, data)),
3473 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3474 offsetof(struct __sk_buff, data_end)),
3475 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3476 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3477 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3478 BPF_MOV64_IMM(BPF_REG_0, 1),
3479 BPF_EXIT_INSN(),
3480 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3481 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3482 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3483 BPF_MOV64_IMM(BPF_REG_0, 0),
3484 BPF_EXIT_INSN(),
3485 },
3486 .result = ACCEPT,
3487 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3488 },
3489 {
3490 "direct packet access: test10 (write invalid)",
3491 .insns = {
3492 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3493 offsetof(struct __sk_buff, data)),
3494 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3495 offsetof(struct __sk_buff, data_end)),
3496 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3497 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3498 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3499 BPF_MOV64_IMM(BPF_REG_0, 0),
3500 BPF_EXIT_INSN(),
3501 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3502 BPF_MOV64_IMM(BPF_REG_0, 0),
3503 BPF_EXIT_INSN(),
3504 },
3505 .errstr = "invalid access to packet",
3506 .result = REJECT,
3507 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3508 },
3509 {
3510 "direct packet access: test11 (shift, good access)",
3511 .insns = {
3512 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3513 offsetof(struct __sk_buff, data)),
3514 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3515 offsetof(struct __sk_buff, data_end)),
3516 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3517 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3518 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3519 BPF_MOV64_IMM(BPF_REG_3, 144),
3520 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3521 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3522 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
3523 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3524 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3525 BPF_MOV64_IMM(BPF_REG_0, 1),
3526 BPF_EXIT_INSN(),
3527 BPF_MOV64_IMM(BPF_REG_0, 0),
3528 BPF_EXIT_INSN(),
3529 },
3530 .result = ACCEPT,
3531 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3532 .retval = 1,
3533 },
3534 {
3535 "direct packet access: test12 (and, good access)",
3536 .insns = {
3537 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3538 offsetof(struct __sk_buff, data)),
3539 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3540 offsetof(struct __sk_buff, data_end)),
3541 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3542 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3543 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3544 BPF_MOV64_IMM(BPF_REG_3, 144),
3545 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3546 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3547 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3548 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3549 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3550 BPF_MOV64_IMM(BPF_REG_0, 1),
3551 BPF_EXIT_INSN(),
3552 BPF_MOV64_IMM(BPF_REG_0, 0),
3553 BPF_EXIT_INSN(),
3554 },
3555 .result = ACCEPT,
3556 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3557 .retval = 1,
3558 },
3559 {
3560 "direct packet access: test13 (branches, good access)",
3561 .insns = {
3562 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3563 offsetof(struct __sk_buff, data)),
3564 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3565 offsetof(struct __sk_buff, data_end)),
3566 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3567 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3568 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
3569 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3570 offsetof(struct __sk_buff, mark)),
3571 BPF_MOV64_IMM(BPF_REG_4, 1),
3572 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
3573 BPF_MOV64_IMM(BPF_REG_3, 14),
3574 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
3575 BPF_MOV64_IMM(BPF_REG_3, 24),
3576 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3577 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3578 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3579 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3580 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3581 BPF_MOV64_IMM(BPF_REG_0, 1),
3582 BPF_EXIT_INSN(),
3583 BPF_MOV64_IMM(BPF_REG_0, 0),
3584 BPF_EXIT_INSN(),
3585 },
3586 .result = ACCEPT,
3587 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3588 .retval = 1,
3589 },
3590 {
3591 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
3592 .insns = {
3593 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3594 offsetof(struct __sk_buff, data)),
3595 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3596 offsetof(struct __sk_buff, data_end)),
3597 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3598 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3599 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
3600 BPF_MOV64_IMM(BPF_REG_5, 12),
3601 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
3602 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3603 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3604 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
3605 BPF_MOV64_IMM(BPF_REG_0, 1),
3606 BPF_EXIT_INSN(),
3607 BPF_MOV64_IMM(BPF_REG_0, 0),
3608 BPF_EXIT_INSN(),
3609 },
3610 .result = ACCEPT,
3611 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3612 .retval = 1,
3613 },
3614 {
3615 "direct packet access: test15 (spill with xadd)",
3616 .insns = {
3617 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3618 offsetof(struct __sk_buff, data)),
3619 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3620 offsetof(struct __sk_buff, data_end)),
3621 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3622 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3623 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3624 BPF_MOV64_IMM(BPF_REG_5, 4096),
3625 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
3626 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
3627 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
3628 BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
3629 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
3630 BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
3631 BPF_MOV64_IMM(BPF_REG_0, 0),
3632 BPF_EXIT_INSN(),
3633 },
3634 .errstr = "R2 invalid mem access 'inv'",
3635 .result = REJECT,
3636 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3637 },
3638 {
3639 "direct packet access: test16 (arith on data_end)",
3640 .insns = {
3641 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3642 offsetof(struct __sk_buff, data)),
3643 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3644 offsetof(struct __sk_buff, data_end)),
3645 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3646 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3647 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
3648 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3649 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3650 BPF_MOV64_IMM(BPF_REG_0, 0),
3651 BPF_EXIT_INSN(),
3652 },
3653 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
3654 .result = REJECT,
3655 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3656 },
3657 {
3658 "direct packet access: test17 (pruning, alignment)",
3659 .insns = {
3660 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3661 offsetof(struct __sk_buff, data)),
3662 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3663 offsetof(struct __sk_buff, data_end)),
3664 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3665 offsetof(struct __sk_buff, mark)),
3666 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3667 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
3668 BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
3669 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3670 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
3671 BPF_MOV64_IMM(BPF_REG_0, 0),
3672 BPF_EXIT_INSN(),
3673 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
3674 BPF_JMP_A(-6),
3675 },
3676 .errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4",
3677 .result = REJECT,
3678 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3679 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
3680 },
3681 {
3682 "direct packet access: test18 (imm += pkt_ptr, 1)",
3683 .insns = {
3684 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3685 offsetof(struct __sk_buff, data)),
3686 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3687 offsetof(struct __sk_buff, data_end)),
3688 BPF_MOV64_IMM(BPF_REG_0, 8),
3689 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3690 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3691 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3692 BPF_MOV64_IMM(BPF_REG_0, 0),
3693 BPF_EXIT_INSN(),
3694 },
3695 .result = ACCEPT,
3696 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3697 },
3698 {
3699 "direct packet access: test19 (imm += pkt_ptr, 2)",
3700 .insns = {
3701 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3702 offsetof(struct __sk_buff, data)),
3703 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3704 offsetof(struct __sk_buff, data_end)),
3705 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3706 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3707 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
3708 BPF_MOV64_IMM(BPF_REG_4, 4),
3709 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3710 BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
3711 BPF_MOV64_IMM(BPF_REG_0, 0),
3712 BPF_EXIT_INSN(),
3713 },
3714 .result = ACCEPT,
3715 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3716 },
3717 {
3718 "direct packet access: test20 (x += pkt_ptr, 1)",
3719 .insns = {
3720 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3721 offsetof(struct __sk_buff, data)),
3722 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3723 offsetof(struct __sk_buff, data_end)),
3724 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3725 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3726 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3727 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff),
3728 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3729 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3730 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3731 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3732 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3733 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3734 BPF_MOV64_IMM(BPF_REG_0, 0),
3735 BPF_EXIT_INSN(),
3736 },
3737 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3738 .result = ACCEPT,
3739 },
3740 {
3741 "direct packet access: test21 (x += pkt_ptr, 2)",
3742 .insns = {
3743 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3744 offsetof(struct __sk_buff, data)),
3745 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3746 offsetof(struct __sk_buff, data_end)),
3747 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3748 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3749 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
3750 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3751 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3752 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3753 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff),
3754 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3755 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3756 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3757 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3758 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3759 BPF_MOV64_IMM(BPF_REG_0, 0),
3760 BPF_EXIT_INSN(),
3761 },
3762 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3763 .result = ACCEPT,
3764 },
3765 {
3766 "direct packet access: test22 (x += pkt_ptr, 3)",
3767 .insns = {
3768 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3769 offsetof(struct __sk_buff, data)),
3770 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3771 offsetof(struct __sk_buff, data_end)),
3772 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3773 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3774 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
3775 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
3776 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
3777 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
3778 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
3779 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3780 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3781 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3782 BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49),
3783 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3784 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
3785 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
3786 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3787 BPF_MOV64_IMM(BPF_REG_2, 1),
3788 BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
3789 BPF_MOV64_IMM(BPF_REG_0, 0),
3790 BPF_EXIT_INSN(),
3791 },
3792 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3793 .result = ACCEPT,
3794 },
3795 {
3796 "direct packet access: test23 (x += pkt_ptr, 4)",
3797 .insns = {
3798 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3799 offsetof(struct __sk_buff, data)),
3800 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3801 offsetof(struct __sk_buff, data_end)),
3802 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3803 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3804 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3805 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
3806 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3807 BPF_MOV64_IMM(BPF_REG_0, 31),
3808 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3809 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3810 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3811 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
3812 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3813 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3814 BPF_MOV64_IMM(BPF_REG_0, 0),
3815 BPF_EXIT_INSN(),
3816 },
3817 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3818 .result = REJECT,
3819 .errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)",
3820 },
3821 {
3822 "direct packet access: test24 (x += pkt_ptr, 5)",
3823 .insns = {
3824 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3825 offsetof(struct __sk_buff, data)),
3826 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3827 offsetof(struct __sk_buff, data_end)),
3828 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3829 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3830 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3831 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
3832 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3833 BPF_MOV64_IMM(BPF_REG_0, 64),
3834 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3835 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3836 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3837 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1),
3838 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3839 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3840 BPF_MOV64_IMM(BPF_REG_0, 0),
3841 BPF_EXIT_INSN(),
3842 },
3843 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3844 .result = ACCEPT,
3845 },
3846 {
3847 "direct packet access: test25 (marking on <, good access)",
3848 .insns = {
3849 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3850 offsetof(struct __sk_buff, data)),
3851 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3852 offsetof(struct __sk_buff, data_end)),
3853 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3854 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3855 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2),
3856 BPF_MOV64_IMM(BPF_REG_0, 0),
3857 BPF_EXIT_INSN(),
3858 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3859 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3860 },
3861 .result = ACCEPT,
3862 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3863 },
3864 {
3865 "direct packet access: test26 (marking on <, bad access)",
3866 .insns = {
3867 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3868 offsetof(struct __sk_buff, data)),
3869 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3870 offsetof(struct __sk_buff, data_end)),
3871 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3872 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3873 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3),
3874 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3875 BPF_MOV64_IMM(BPF_REG_0, 0),
3876 BPF_EXIT_INSN(),
3877 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
3878 },
3879 .result = REJECT,
3880 .errstr = "invalid access to packet",
3881 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3882 },
3883 {
3884 "direct packet access: test27 (marking on <=, good access)",
3885 .insns = {
3886 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3887 offsetof(struct __sk_buff, data)),
3888 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3889 offsetof(struct __sk_buff, data_end)),
3890 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3891 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3892 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1),
3893 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3894 BPF_MOV64_IMM(BPF_REG_0, 1),
3895 BPF_EXIT_INSN(),
3896 },
3897 .result = ACCEPT,
3898 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3899 .retval = 1,
3900 },
3901 {
3902 "direct packet access: test28 (marking on <=, bad access)",
3903 .insns = {
3904 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3905 offsetof(struct __sk_buff, data)),
3906 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3907 offsetof(struct __sk_buff, data_end)),
3908 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3909 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3910 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2),
3911 BPF_MOV64_IMM(BPF_REG_0, 1),
3912 BPF_EXIT_INSN(),
3913 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3914 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3915 },
3916 .result = REJECT,
3917 .errstr = "invalid access to packet",
3918 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3919 },
3920 {
3921 "helper access to packet: test1, valid packet_ptr range",
3922 .insns = {
3923 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3924 offsetof(struct xdp_md, data)),
3925 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3926 offsetof(struct xdp_md, data_end)),
3927 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3928 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3929 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3930 BPF_LD_MAP_FD(BPF_REG_1, 0),
3931 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3932 BPF_MOV64_IMM(BPF_REG_4, 0),
3933 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3934 BPF_FUNC_map_update_elem),
3935 BPF_MOV64_IMM(BPF_REG_0, 0),
3936 BPF_EXIT_INSN(),
3937 },
3938 .fixup_map1 = { 5 },
3939 .result_unpriv = ACCEPT,
3940 .result = ACCEPT,
3941 .prog_type = BPF_PROG_TYPE_XDP,
3942 },
3943 {
3944 "helper access to packet: test2, unchecked packet_ptr",
3945 .insns = {
3946 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3947 offsetof(struct xdp_md, data)),
3948 BPF_LD_MAP_FD(BPF_REG_1, 0),
3949 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3950 BPF_FUNC_map_lookup_elem),
3951 BPF_MOV64_IMM(BPF_REG_0, 0),
3952 BPF_EXIT_INSN(),
3953 },
3954 .fixup_map1 = { 1 },
3955 .result = REJECT,
3956 .errstr = "invalid access to packet",
3957 .prog_type = BPF_PROG_TYPE_XDP,
3958 },
3959 {
3960 "helper access to packet: test3, variable add",
3961 .insns = {
3962 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3963 offsetof(struct xdp_md, data)),
3964 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3965 offsetof(struct xdp_md, data_end)),
3966 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3967 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3968 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3969 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3970 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3971 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3972 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3973 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3974 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3975 BPF_LD_MAP_FD(BPF_REG_1, 0),
3976 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
3977 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3978 BPF_FUNC_map_lookup_elem),
3979 BPF_MOV64_IMM(BPF_REG_0, 0),
3980 BPF_EXIT_INSN(),
3981 },
3982 .fixup_map1 = { 11 },
3983 .result = ACCEPT,
3984 .prog_type = BPF_PROG_TYPE_XDP,
3985 },
3986 {
3987 "helper access to packet: test4, packet_ptr with bad range",
3988 .insns = {
3989 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3990 offsetof(struct xdp_md, data)),
3991 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3992 offsetof(struct xdp_md, data_end)),
3993 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3994 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3995 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3996 BPF_MOV64_IMM(BPF_REG_0, 0),
3997 BPF_EXIT_INSN(),
3998 BPF_LD_MAP_FD(BPF_REG_1, 0),
3999 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4000 BPF_FUNC_map_lookup_elem),
4001 BPF_MOV64_IMM(BPF_REG_0, 0),
4002 BPF_EXIT_INSN(),
4003 },
4004 .fixup_map1 = { 7 },
4005 .result = REJECT,
4006 .errstr = "invalid access to packet",
4007 .prog_type = BPF_PROG_TYPE_XDP,
4008 },
4009 {
4010 "helper access to packet: test5, packet_ptr with too short range",
4011 .insns = {
4012 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4013 offsetof(struct xdp_md, data)),
4014 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4015 offsetof(struct xdp_md, data_end)),
4016 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4017 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4018 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4019 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4020 BPF_LD_MAP_FD(BPF_REG_1, 0),
4021 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4022 BPF_FUNC_map_lookup_elem),
4023 BPF_MOV64_IMM(BPF_REG_0, 0),
4024 BPF_EXIT_INSN(),
4025 },
4026 .fixup_map1 = { 6 },
4027 .result = REJECT,
4028 .errstr = "invalid access to packet",
4029 .prog_type = BPF_PROG_TYPE_XDP,
4030 },
4031 {
4032 "helper access to packet: test6, cls valid packet_ptr range",
4033 .insns = {
4034 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4035 offsetof(struct __sk_buff, data)),
4036 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4037 offsetof(struct __sk_buff, data_end)),
4038 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4039 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
4040 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
4041 BPF_LD_MAP_FD(BPF_REG_1, 0),
4042 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
4043 BPF_MOV64_IMM(BPF_REG_4, 0),
4044 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4045 BPF_FUNC_map_update_elem),
4046 BPF_MOV64_IMM(BPF_REG_0, 0),
4047 BPF_EXIT_INSN(),
4048 },
4049 .fixup_map1 = { 5 },
4050 .result = ACCEPT,
4051 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4052 },
4053 {
4054 "helper access to packet: test7, cls unchecked packet_ptr",
4055 .insns = {
4056 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4057 offsetof(struct __sk_buff, data)),
4058 BPF_LD_MAP_FD(BPF_REG_1, 0),
4059 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4060 BPF_FUNC_map_lookup_elem),
4061 BPF_MOV64_IMM(BPF_REG_0, 0),
4062 BPF_EXIT_INSN(),
4063 },
4064 .fixup_map1 = { 1 },
4065 .result = REJECT,
4066 .errstr = "invalid access to packet",
4067 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4068 },
4069 {
4070 "helper access to packet: test8, cls variable add",
4071 .insns = {
4072 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4073 offsetof(struct __sk_buff, data)),
4074 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4075 offsetof(struct __sk_buff, data_end)),
4076 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4077 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
4078 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
4079 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
4080 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4081 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
4082 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4083 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
4084 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
4085 BPF_LD_MAP_FD(BPF_REG_1, 0),
4086 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
4087 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4088 BPF_FUNC_map_lookup_elem),
4089 BPF_MOV64_IMM(BPF_REG_0, 0),
4090 BPF_EXIT_INSN(),
4091 },
4092 .fixup_map1 = { 11 },
4093 .result = ACCEPT,
4094 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4095 },
4096 {
4097 "helper access to packet: test9, cls packet_ptr with bad range",
4098 .insns = {
4099 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4100 offsetof(struct __sk_buff, data)),
4101 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4102 offsetof(struct __sk_buff, data_end)),
4103 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4104 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
4105 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
4106 BPF_MOV64_IMM(BPF_REG_0, 0),
4107 BPF_EXIT_INSN(),
4108 BPF_LD_MAP_FD(BPF_REG_1, 0),
4109 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4110 BPF_FUNC_map_lookup_elem),
4111 BPF_MOV64_IMM(BPF_REG_0, 0),
4112 BPF_EXIT_INSN(),
4113 },
4114 .fixup_map1 = { 7 },
4115 .result = REJECT,
4116 .errstr = "invalid access to packet",
4117 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4118 },
4119 {
4120 "helper access to packet: test10, cls packet_ptr with too short range",
4121 .insns = {
4122 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4123 offsetof(struct __sk_buff, data)),
4124 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4125 offsetof(struct __sk_buff, data_end)),
4126 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4127 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4128 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4129 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4130 BPF_LD_MAP_FD(BPF_REG_1, 0),
4131 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4132 BPF_FUNC_map_lookup_elem),
4133 BPF_MOV64_IMM(BPF_REG_0, 0),
4134 BPF_EXIT_INSN(),
4135 },
4136 .fixup_map1 = { 6 },
4137 .result = REJECT,
4138 .errstr = "invalid access to packet",
4139 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4140 },
4141 {
4142 "helper access to packet: test11, cls unsuitable helper 1",
4143 .insns = {
4144 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4145 offsetof(struct __sk_buff, data)),
4146 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4147 offsetof(struct __sk_buff, data_end)),
4148 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4149 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4150 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
4151 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
4152 BPF_MOV64_IMM(BPF_REG_2, 0),
4153 BPF_MOV64_IMM(BPF_REG_4, 42),
4154 BPF_MOV64_IMM(BPF_REG_5, 0),
4155 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4156 BPF_FUNC_skb_store_bytes),
4157 BPF_MOV64_IMM(BPF_REG_0, 0),
4158 BPF_EXIT_INSN(),
4159 },
4160 .result = REJECT,
4161 .errstr = "helper access to the packet",
4162 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4163 },
4164 {
4165 "helper access to packet: test12, cls unsuitable helper 2",
4166 .insns = {
4167 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4168 offsetof(struct __sk_buff, data)),
4169 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4170 offsetof(struct __sk_buff, data_end)),
4171 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4172 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
4173 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
4174 BPF_MOV64_IMM(BPF_REG_2, 0),
4175 BPF_MOV64_IMM(BPF_REG_4, 4),
4176 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4177 BPF_FUNC_skb_load_bytes),
4178 BPF_MOV64_IMM(BPF_REG_0, 0),
4179 BPF_EXIT_INSN(),
4180 },
4181 .result = REJECT,
4182 .errstr = "helper access to the packet",
4183 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4184 },
4185 {
4186 "helper access to packet: test13, cls helper ok",
4187 .insns = {
4188 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4189 offsetof(struct __sk_buff, data)),
4190 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4191 offsetof(struct __sk_buff, data_end)),
4192 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4193 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4194 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4195 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4196 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4197 BPF_MOV64_IMM(BPF_REG_2, 4),
4198 BPF_MOV64_IMM(BPF_REG_3, 0),
4199 BPF_MOV64_IMM(BPF_REG_4, 0),
4200 BPF_MOV64_IMM(BPF_REG_5, 0),
4201 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4202 BPF_FUNC_csum_diff),
4203 BPF_MOV64_IMM(BPF_REG_0, 0),
4204 BPF_EXIT_INSN(),
4205 },
4206 .result = ACCEPT,
4207 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4208 },
4209 {
4210 "helper access to packet: test14, cls helper ok sub",
4211 .insns = {
4212 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4213 offsetof(struct __sk_buff, data)),
4214 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4215 offsetof(struct __sk_buff, data_end)),
4216 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4217 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4218 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4219 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4220 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
4221 BPF_MOV64_IMM(BPF_REG_2, 4),
4222 BPF_MOV64_IMM(BPF_REG_3, 0),
4223 BPF_MOV64_IMM(BPF_REG_4, 0),
4224 BPF_MOV64_IMM(BPF_REG_5, 0),
4225 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4226 BPF_FUNC_csum_diff),
4227 BPF_MOV64_IMM(BPF_REG_0, 0),
4228 BPF_EXIT_INSN(),
4229 },
4230 .result = ACCEPT,
4231 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4232 },
4233 {
4234 "helper access to packet: test15, cls helper fail sub",
4235 .insns = {
4236 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4237 offsetof(struct __sk_buff, data)),
4238 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4239 offsetof(struct __sk_buff, data_end)),
4240 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4241 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4242 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4243 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4244 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12),
4245 BPF_MOV64_IMM(BPF_REG_2, 4),
4246 BPF_MOV64_IMM(BPF_REG_3, 0),
4247 BPF_MOV64_IMM(BPF_REG_4, 0),
4248 BPF_MOV64_IMM(BPF_REG_5, 0),
4249 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4250 BPF_FUNC_csum_diff),
4251 BPF_MOV64_IMM(BPF_REG_0, 0),
4252 BPF_EXIT_INSN(),
4253 },
4254 .result = REJECT,
4255 .errstr = "invalid access to packet",
4256 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4257 },
4258 {
4259 "helper access to packet: test16, cls helper fail range 1",
4260 .insns = {
4261 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4262 offsetof(struct __sk_buff, data)),
4263 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4264 offsetof(struct __sk_buff, data_end)),
4265 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4266 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4267 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4268 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4269 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4270 BPF_MOV64_IMM(BPF_REG_2, 8),
4271 BPF_MOV64_IMM(BPF_REG_3, 0),
4272 BPF_MOV64_IMM(BPF_REG_4, 0),
4273 BPF_MOV64_IMM(BPF_REG_5, 0),
4274 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4275 BPF_FUNC_csum_diff),
4276 BPF_MOV64_IMM(BPF_REG_0, 0),
4277 BPF_EXIT_INSN(),
4278 },
4279 .result = REJECT,
4280 .errstr = "invalid access to packet",
4281 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4282 },
4283 {
4284 "helper access to packet: test17, cls helper fail range 2",
4285 .insns = {
4286 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4287 offsetof(struct __sk_buff, data)),
4288 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4289 offsetof(struct __sk_buff, data_end)),
4290 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4291 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4292 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4293 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4294 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4295 BPF_MOV64_IMM(BPF_REG_2, -9),
4296 BPF_MOV64_IMM(BPF_REG_3, 0),
4297 BPF_MOV64_IMM(BPF_REG_4, 0),
4298 BPF_MOV64_IMM(BPF_REG_5, 0),
4299 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4300 BPF_FUNC_csum_diff),
4301 BPF_MOV64_IMM(BPF_REG_0, 0),
4302 BPF_EXIT_INSN(),
4303 },
4304 .result = REJECT,
4305 .errstr = "R2 min value is negative",
4306 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4307 },
4308 {
4309 "helper access to packet: test18, cls helper fail range 3",
4310 .insns = {
4311 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4312 offsetof(struct __sk_buff, data)),
4313 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4314 offsetof(struct __sk_buff, data_end)),
4315 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4316 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4317 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4318 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4319 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4320 BPF_MOV64_IMM(BPF_REG_2, ~0),
4321 BPF_MOV64_IMM(BPF_REG_3, 0),
4322 BPF_MOV64_IMM(BPF_REG_4, 0),
4323 BPF_MOV64_IMM(BPF_REG_5, 0),
4324 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4325 BPF_FUNC_csum_diff),
4326 BPF_MOV64_IMM(BPF_REG_0, 0),
4327 BPF_EXIT_INSN(),
4328 },
4329 .result = REJECT,
4330 .errstr = "R2 min value is negative",
4331 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4332 },
4333 {
4334 "helper access to packet: test19, cls helper range zero",
4335 .insns = {
4336 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4337 offsetof(struct __sk_buff, data)),
4338 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4339 offsetof(struct __sk_buff, data_end)),
4340 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4341 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4342 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4343 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4344 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4345 BPF_MOV64_IMM(BPF_REG_2, 0),
4346 BPF_MOV64_IMM(BPF_REG_3, 0),
4347 BPF_MOV64_IMM(BPF_REG_4, 0),
4348 BPF_MOV64_IMM(BPF_REG_5, 0),
4349 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4350 BPF_FUNC_csum_diff),
4351 BPF_MOV64_IMM(BPF_REG_0, 0),
4352 BPF_EXIT_INSN(),
4353 },
4354 .result = ACCEPT,
4355 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4356 },
4357 {
4358 "helper access to packet: test20, pkt end as input",
4359 .insns = {
4360 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4361 offsetof(struct __sk_buff, data)),
4362 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4363 offsetof(struct __sk_buff, data_end)),
4364 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4365 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4366 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4367 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4368 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
4369 BPF_MOV64_IMM(BPF_REG_2, 4),
4370 BPF_MOV64_IMM(BPF_REG_3, 0),
4371 BPF_MOV64_IMM(BPF_REG_4, 0),
4372 BPF_MOV64_IMM(BPF_REG_5, 0),
4373 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4374 BPF_FUNC_csum_diff),
4375 BPF_MOV64_IMM(BPF_REG_0, 0),
4376 BPF_EXIT_INSN(),
4377 },
4378 .result = REJECT,
4379 .errstr = "R1 type=pkt_end expected=fp",
4380 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4381 },
4382 {
4383 "helper access to packet: test21, wrong reg",
4384 .insns = {
4385 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4386 offsetof(struct __sk_buff, data)),
4387 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4388 offsetof(struct __sk_buff, data_end)),
4389 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4390 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4391 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4392 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4393 BPF_MOV64_IMM(BPF_REG_2, 4),
4394 BPF_MOV64_IMM(BPF_REG_3, 0),
4395 BPF_MOV64_IMM(BPF_REG_4, 0),
4396 BPF_MOV64_IMM(BPF_REG_5, 0),
4397 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4398 BPF_FUNC_csum_diff),
4399 BPF_MOV64_IMM(BPF_REG_0, 0),
4400 BPF_EXIT_INSN(),
4401 },
4402 .result = REJECT,
4403 .errstr = "invalid access to packet",
4404 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4405 },
4406 {
4407 "valid map access into an array with a constant",
4408 .insns = {
4409 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4410 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4411 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4412 BPF_LD_MAP_FD(BPF_REG_1, 0),
4413 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4414 BPF_FUNC_map_lookup_elem),
4415 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4416 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4417 offsetof(struct test_val, foo)),
4418 BPF_EXIT_INSN(),
4419 },
4420 .fixup_map2 = { 3 },
4421 .errstr_unpriv = "R0 leaks addr",
4422 .result_unpriv = REJECT,
4423 .result = ACCEPT,
4424 },
4425 {
4426 "valid map access into an array with a register",
4427 .insns = {
4428 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4429 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4430 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4431 BPF_LD_MAP_FD(BPF_REG_1, 0),
4432 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4433 BPF_FUNC_map_lookup_elem),
4434 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4435 BPF_MOV64_IMM(BPF_REG_1, 4),
4436 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4437 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4438 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4439 offsetof(struct test_val, foo)),
4440 BPF_EXIT_INSN(),
4441 },
4442 .fixup_map2 = { 3 },
4443 .errstr_unpriv = "R0 leaks addr",
4444 .result_unpriv = REJECT,
4445 .result = ACCEPT,
4446 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4447 },
4448 {
4449 "valid map access into an array with a variable",
4450 .insns = {
4451 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4452 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4453 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4454 BPF_LD_MAP_FD(BPF_REG_1, 0),
4455 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4456 BPF_FUNC_map_lookup_elem),
4457 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4458 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4459 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
4460 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4461 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4462 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4463 offsetof(struct test_val, foo)),
4464 BPF_EXIT_INSN(),
4465 },
4466 .fixup_map2 = { 3 },
4467 .errstr_unpriv = "R0 leaks addr",
4468 .result_unpriv = REJECT,
4469 .result = ACCEPT,
4470 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4471 },
4472 {
4473 "valid map access into an array with a signed variable",
4474 .insns = {
4475 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4476 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4477 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4478 BPF_LD_MAP_FD(BPF_REG_1, 0),
4479 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4480 BPF_FUNC_map_lookup_elem),
4481 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
4482 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4483 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
4484 BPF_MOV32_IMM(BPF_REG_1, 0),
4485 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4486 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4487 BPF_MOV32_IMM(BPF_REG_1, 0),
4488 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4489 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4490 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4491 offsetof(struct test_val, foo)),
4492 BPF_EXIT_INSN(),
4493 },
4494 .fixup_map2 = { 3 },
4495 .errstr_unpriv = "R0 leaks addr",
4496 .result_unpriv = REJECT,
4497 .result = ACCEPT,
4498 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4499 },
4500 {
4501 "invalid map access into an array with a constant",
4502 .insns = {
4503 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4504 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4505 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4506 BPF_LD_MAP_FD(BPF_REG_1, 0),
4507 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4508 BPF_FUNC_map_lookup_elem),
4509 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4510 BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
4511 offsetof(struct test_val, foo)),
4512 BPF_EXIT_INSN(),
4513 },
4514 .fixup_map2 = { 3 },
4515 .errstr = "invalid access to map value, value_size=48 off=48 size=8",
4516 .result = REJECT,
4517 },
4518 {
4519 "invalid map access into an array with a register",
4520 .insns = {
4521 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4522 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4523 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4524 BPF_LD_MAP_FD(BPF_REG_1, 0),
4525 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4526 BPF_FUNC_map_lookup_elem),
4527 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4528 BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
4529 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4530 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4531 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4532 offsetof(struct test_val, foo)),
4533 BPF_EXIT_INSN(),
4534 },
4535 .fixup_map2 = { 3 },
4536 .errstr = "R0 min value is outside of the array range",
4537 .result = REJECT,
4538 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4539 },
4540 {
4541 "invalid map access into an array with a variable",
4542 .insns = {
4543 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4544 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4545 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4546 BPF_LD_MAP_FD(BPF_REG_1, 0),
4547 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4548 BPF_FUNC_map_lookup_elem),
4549 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4550 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4551 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4552 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4553 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4554 offsetof(struct test_val, foo)),
4555 BPF_EXIT_INSN(),
4556 },
4557 .fixup_map2 = { 3 },
4558 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
4559 .result = REJECT,
4560 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4561 },
4562 {
4563 "invalid map access into an array with no floor check",
4564 .insns = {
4565 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4566 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4567 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4568 BPF_LD_MAP_FD(BPF_REG_1, 0),
4569 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4570 BPF_FUNC_map_lookup_elem),
4571 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4572 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
4573 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4574 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4575 BPF_MOV32_IMM(BPF_REG_1, 0),
4576 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4577 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4578 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4579 offsetof(struct test_val, foo)),
4580 BPF_EXIT_INSN(),
4581 },
4582 .fixup_map2 = { 3 },
4583 .errstr_unpriv = "R0 leaks addr",
4584 .errstr = "R0 unbounded memory access",
4585 .result_unpriv = REJECT,
4586 .result = REJECT,
4587 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4588 },
4589 {
4590 "invalid map access into an array with a invalid max check",
4591 .insns = {
4592 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4593 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4594 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4595 BPF_LD_MAP_FD(BPF_REG_1, 0),
4596 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4597 BPF_FUNC_map_lookup_elem),
4598 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4599 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4600 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
4601 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
4602 BPF_MOV32_IMM(BPF_REG_1, 0),
4603 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4604 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4605 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4606 offsetof(struct test_val, foo)),
4607 BPF_EXIT_INSN(),
4608 },
4609 .fixup_map2 = { 3 },
4610 .errstr_unpriv = "R0 leaks addr",
4611 .errstr = "invalid access to map value, value_size=48 off=44 size=8",
4612 .result_unpriv = REJECT,
4613 .result = REJECT,
4614 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4615 },
4616 {
4617 "invalid map access into an array with a invalid max check",
4618 .insns = {
4619 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4620 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4621 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4622 BPF_LD_MAP_FD(BPF_REG_1, 0),
4623 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4624 BPF_FUNC_map_lookup_elem),
4625 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
4626 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
4627 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4628 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4629 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4630 BPF_LD_MAP_FD(BPF_REG_1, 0),
4631 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4632 BPF_FUNC_map_lookup_elem),
4633 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4634 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
4635 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
4636 offsetof(struct test_val, foo)),
4637 BPF_EXIT_INSN(),
4638 },
4639 .fixup_map2 = { 3, 11 },
4640 .errstr = "R0 pointer += pointer",
4641 .result = REJECT,
4642 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4643 },
4644 {
4645 "valid cgroup storage access",
4646 .insns = {
4647 BPF_MOV64_IMM(BPF_REG_2, 0),
4648 BPF_LD_MAP_FD(BPF_REG_1, 0),
4649 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4650 BPF_FUNC_get_local_storage),
4651 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4652 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4653 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4654 BPF_EXIT_INSN(),
4655 },
4656 .fixup_cgroup_storage = { 1 },
4657 .result = ACCEPT,
4658 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4659 },
4660 {
4661 "invalid cgroup storage access 1",
4662 .insns = {
4663 BPF_MOV64_IMM(BPF_REG_2, 0),
4664 BPF_LD_MAP_FD(BPF_REG_1, 0),
4665 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4666 BPF_FUNC_get_local_storage),
4667 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4668 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4669 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4670 BPF_EXIT_INSN(),
4671 },
4672 .fixup_map1 = { 1 },
4673 .result = REJECT,
4674 .errstr = "cannot pass map_type 1 into func bpf_get_local_storage",
4675 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4676 },
4677 {
4678 "invalid cgroup storage access 2",
4679 .insns = {
4680 BPF_MOV64_IMM(BPF_REG_2, 0),
4681 BPF_LD_MAP_FD(BPF_REG_1, 1),
4682 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4683 BPF_FUNC_get_local_storage),
4684 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4685 BPF_EXIT_INSN(),
4686 },
4687 .result = REJECT,
4688 .errstr = "fd 1 is not pointing to valid bpf_map",
4689 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4690 },
4691 {
4692 "invalid per-cgroup storage access 3",
4693 .insns = {
4694 BPF_MOV64_IMM(BPF_REG_2, 0),
4695 BPF_LD_MAP_FD(BPF_REG_1, 0),
4696 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4697 BPF_FUNC_get_local_storage),
4698 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 256),
4699 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4700 BPF_MOV64_IMM(BPF_REG_0, 0),
4701 BPF_EXIT_INSN(),
4702 },
4703 .fixup_cgroup_storage = { 1 },
4704 .result = REJECT,
4705 .errstr = "invalid access to map value, value_size=64 off=256 size=4",
4706 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4707 },
4708 {
4709 "invalid cgroup storage access 4",
4710 .insns = {
4711 BPF_MOV64_IMM(BPF_REG_2, 0),
4712 BPF_LD_MAP_FD(BPF_REG_1, 0),
4713 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4714 BPF_FUNC_get_local_storage),
4715 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -2),
4716 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4717 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4718 BPF_EXIT_INSN(),
4719 },
4720 .fixup_cgroup_storage = { 1 },
4721 .result = REJECT,
4722 .errstr = "invalid access to map value, value_size=64 off=-2 size=4",
4723 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4724 },
4725 {
4726 "invalid cgroup storage access 5",
4727 .insns = {
4728 BPF_MOV64_IMM(BPF_REG_2, 7),
4729 BPF_LD_MAP_FD(BPF_REG_1, 0),
4730 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4731 BPF_FUNC_get_local_storage),
4732 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4733 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4734 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4735 BPF_EXIT_INSN(),
4736 },
4737 .fixup_cgroup_storage = { 1 },
4738 .result = REJECT,
4739 .errstr = "get_local_storage() doesn't support non-zero flags",
4740 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4741 },
4742 {
4743 "invalid cgroup storage access 6",
4744 .insns = {
4745 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
4746 BPF_LD_MAP_FD(BPF_REG_1, 0),
4747 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4748 BPF_FUNC_get_local_storage),
4749 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4750 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4751 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4752 BPF_EXIT_INSN(),
4753 },
4754 .fixup_cgroup_storage = { 1 },
4755 .result = REJECT,
4756 .errstr = "get_local_storage() doesn't support non-zero flags",
4757 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4758 },
4759 {
4760 "multiple registers share map_lookup_elem result",
4761 .insns = {
4762 BPF_MOV64_IMM(BPF_REG_1, 10),
4763 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4764 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4765 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4766 BPF_LD_MAP_FD(BPF_REG_1, 0),
4767 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4768 BPF_FUNC_map_lookup_elem),
4769 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4770 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4771 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4772 BPF_EXIT_INSN(),
4773 },
4774 .fixup_map1 = { 4 },
4775 .result = ACCEPT,
4776 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4777 },
4778 {
4779 "alu ops on ptr_to_map_value_or_null, 1",
4780 .insns = {
4781 BPF_MOV64_IMM(BPF_REG_1, 10),
4782 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4783 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4784 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4785 BPF_LD_MAP_FD(BPF_REG_1, 0),
4786 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4787 BPF_FUNC_map_lookup_elem),
4788 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4789 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
4790 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
4791 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4792 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4793 BPF_EXIT_INSN(),
4794 },
4795 .fixup_map1 = { 4 },
4796 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4797 .result = REJECT,
4798 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4799 },
4800 {
4801 "alu ops on ptr_to_map_value_or_null, 2",
4802 .insns = {
4803 BPF_MOV64_IMM(BPF_REG_1, 10),
4804 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4805 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4806 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4807 BPF_LD_MAP_FD(BPF_REG_1, 0),
4808 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4809 BPF_FUNC_map_lookup_elem),
4810 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4811 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
4812 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4813 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4814 BPF_EXIT_INSN(),
4815 },
4816 .fixup_map1 = { 4 },
4817 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4818 .result = REJECT,
4819 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4820 },
4821 {
4822 "alu ops on ptr_to_map_value_or_null, 3",
4823 .insns = {
4824 BPF_MOV64_IMM(BPF_REG_1, 10),
4825 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4826 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4827 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4828 BPF_LD_MAP_FD(BPF_REG_1, 0),
4829 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4830 BPF_FUNC_map_lookup_elem),
4831 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4832 BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
4833 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4834 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4835 BPF_EXIT_INSN(),
4836 },
4837 .fixup_map1 = { 4 },
4838 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4839 .result = REJECT,
4840 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4841 },
4842 {
4843 "invalid memory access with multiple map_lookup_elem calls",
4844 .insns = {
4845 BPF_MOV64_IMM(BPF_REG_1, 10),
4846 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4847 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4848 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4849 BPF_LD_MAP_FD(BPF_REG_1, 0),
4850 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4851 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4852 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4853 BPF_FUNC_map_lookup_elem),
4854 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4855 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4856 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4857 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4858 BPF_FUNC_map_lookup_elem),
4859 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4860 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4861 BPF_EXIT_INSN(),
4862 },
4863 .fixup_map1 = { 4 },
4864 .result = REJECT,
4865 .errstr = "R4 !read_ok",
4866 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4867 },
4868 {
4869 "valid indirect map_lookup_elem access with 2nd lookup in branch",
4870 .insns = {
4871 BPF_MOV64_IMM(BPF_REG_1, 10),
4872 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4873 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4874 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4875 BPF_LD_MAP_FD(BPF_REG_1, 0),
4876 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4877 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4878 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4879 BPF_FUNC_map_lookup_elem),
4880 BPF_MOV64_IMM(BPF_REG_2, 10),
4881 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
4882 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4883 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4884 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4885 BPF_FUNC_map_lookup_elem),
4886 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4887 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4888 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4889 BPF_EXIT_INSN(),
4890 },
4891 .fixup_map1 = { 4 },
4892 .result = ACCEPT,
4893 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4894 },
4895 {
4896 "invalid map access from else condition",
4897 .insns = {
4898 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4899 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4900 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4901 BPF_LD_MAP_FD(BPF_REG_1, 0),
4902 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
4903 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4904 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4905 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
4906 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4907 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4908 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4909 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
4910 BPF_EXIT_INSN(),
4911 },
4912 .fixup_map2 = { 3 },
4913 .errstr = "R0 unbounded memory access",
4914 .result = REJECT,
4915 .errstr_unpriv = "R0 leaks addr",
4916 .result_unpriv = REJECT,
4917 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4918 },
4919 {
4920 "constant register |= constant should keep constant type",
4921 .insns = {
4922 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4923 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4924 BPF_MOV64_IMM(BPF_REG_2, 34),
4925 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
4926 BPF_MOV64_IMM(BPF_REG_3, 0),
4927 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4928 BPF_EXIT_INSN(),
4929 },
4930 .result = ACCEPT,
4931 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4932 },
4933 {
4934 "constant register |= constant should not bypass stack boundary checks",
4935 .insns = {
4936 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4937 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4938 BPF_MOV64_IMM(BPF_REG_2, 34),
4939 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
4940 BPF_MOV64_IMM(BPF_REG_3, 0),
4941 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4942 BPF_EXIT_INSN(),
4943 },
4944 .errstr = "invalid stack type R1 off=-48 access_size=58",
4945 .result = REJECT,
4946 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4947 },
4948 {
4949 "constant register |= constant register should keep constant type",
4950 .insns = {
4951 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4952 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4953 BPF_MOV64_IMM(BPF_REG_2, 34),
4954 BPF_MOV64_IMM(BPF_REG_4, 13),
4955 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4956 BPF_MOV64_IMM(BPF_REG_3, 0),
4957 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4958 BPF_EXIT_INSN(),
4959 },
4960 .result = ACCEPT,
4961 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4962 },
4963 {
4964 "constant register |= constant register should not bypass stack boundary checks",
4965 .insns = {
4966 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4967 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4968 BPF_MOV64_IMM(BPF_REG_2, 34),
4969 BPF_MOV64_IMM(BPF_REG_4, 24),
4970 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4971 BPF_MOV64_IMM(BPF_REG_3, 0),
4972 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4973 BPF_EXIT_INSN(),
4974 },
4975 .errstr = "invalid stack type R1 off=-48 access_size=58",
4976 .result = REJECT,
4977 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4978 },
4979 {
4980 "invalid direct packet write for LWT_IN",
4981 .insns = {
4982 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4983 offsetof(struct __sk_buff, data)),
4984 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4985 offsetof(struct __sk_buff, data_end)),
4986 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4987 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4988 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4989 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4990 BPF_MOV64_IMM(BPF_REG_0, 0),
4991 BPF_EXIT_INSN(),
4992 },
4993 .errstr = "cannot write into packet",
4994 .result = REJECT,
4995 .prog_type = BPF_PROG_TYPE_LWT_IN,
4996 },
4997 {
4998 "invalid direct packet write for LWT_OUT",
4999 .insns = {
5000 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5001 offsetof(struct __sk_buff, data)),
5002 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5003 offsetof(struct __sk_buff, data_end)),
5004 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5005 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5006 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5007 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5008 BPF_MOV64_IMM(BPF_REG_0, 0),
5009 BPF_EXIT_INSN(),
5010 },
5011 .errstr = "cannot write into packet",
5012 .result = REJECT,
5013 .prog_type = BPF_PROG_TYPE_LWT_OUT,
5014 },
5015 {
5016 "direct packet write for LWT_XMIT",
5017 .insns = {
5018 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5019 offsetof(struct __sk_buff, data)),
5020 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5021 offsetof(struct __sk_buff, data_end)),
5022 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5023 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5024 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5025 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5026 BPF_MOV64_IMM(BPF_REG_0, 0),
5027 BPF_EXIT_INSN(),
5028 },
5029 .result = ACCEPT,
5030 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5031 },
5032 {
5033 "direct packet read for LWT_IN",
5034 .insns = {
5035 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5036 offsetof(struct __sk_buff, data)),
5037 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5038 offsetof(struct __sk_buff, data_end)),
5039 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5040 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5041 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5042 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5043 BPF_MOV64_IMM(BPF_REG_0, 0),
5044 BPF_EXIT_INSN(),
5045 },
5046 .result = ACCEPT,
5047 .prog_type = BPF_PROG_TYPE_LWT_IN,
5048 },
5049 {
5050 "direct packet read for LWT_OUT",
5051 .insns = {
5052 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5053 offsetof(struct __sk_buff, data)),
5054 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5055 offsetof(struct __sk_buff, data_end)),
5056 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5057 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5058 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5059 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5060 BPF_MOV64_IMM(BPF_REG_0, 0),
5061 BPF_EXIT_INSN(),
5062 },
5063 .result = ACCEPT,
5064 .prog_type = BPF_PROG_TYPE_LWT_OUT,
5065 },
5066 {
5067 "direct packet read for LWT_XMIT",
5068 .insns = {
5069 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5070 offsetof(struct __sk_buff, data)),
5071 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5072 offsetof(struct __sk_buff, data_end)),
5073 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5074 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5075 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5076 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5077 BPF_MOV64_IMM(BPF_REG_0, 0),
5078 BPF_EXIT_INSN(),
5079 },
5080 .result = ACCEPT,
5081 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5082 },
5083 {
5084 "overlapping checks for direct packet access",
5085 .insns = {
5086 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5087 offsetof(struct __sk_buff, data)),
5088 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5089 offsetof(struct __sk_buff, data_end)),
5090 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5091 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5092 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
5093 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
5094 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
5095 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
5096 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
5097 BPF_MOV64_IMM(BPF_REG_0, 0),
5098 BPF_EXIT_INSN(),
5099 },
5100 .result = ACCEPT,
5101 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5102 },
5103 {
5104 "make headroom for LWT_XMIT",
5105 .insns = {
5106 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5107 BPF_MOV64_IMM(BPF_REG_2, 34),
5108 BPF_MOV64_IMM(BPF_REG_3, 0),
5109 BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
5110 /* split for s390 to succeed */
5111 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
5112 BPF_MOV64_IMM(BPF_REG_2, 42),
5113 BPF_MOV64_IMM(BPF_REG_3, 0),
5114 BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
5115 BPF_MOV64_IMM(BPF_REG_0, 0),
5116 BPF_EXIT_INSN(),
5117 },
5118 .result = ACCEPT,
5119 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5120 },
5121 {
5122 "invalid access of tc_classid for LWT_IN",
5123 .insns = {
5124 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5125 offsetof(struct __sk_buff, tc_classid)),
5126 BPF_EXIT_INSN(),
5127 },
5128 .result = REJECT,
5129 .errstr = "invalid bpf_context access",
5130 },
5131 {
5132 "invalid access of tc_classid for LWT_OUT",
5133 .insns = {
5134 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5135 offsetof(struct __sk_buff, tc_classid)),
5136 BPF_EXIT_INSN(),
5137 },
5138 .result = REJECT,
5139 .errstr = "invalid bpf_context access",
5140 },
5141 {
5142 "invalid access of tc_classid for LWT_XMIT",
5143 .insns = {
5144 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5145 offsetof(struct __sk_buff, tc_classid)),
5146 BPF_EXIT_INSN(),
5147 },
5148 .result = REJECT,
5149 .errstr = "invalid bpf_context access",
5150 },
5151 {
5152 "leak pointer into ctx 1",
5153 .insns = {
5154 BPF_MOV64_IMM(BPF_REG_0, 0),
5155 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5156 offsetof(struct __sk_buff, cb[0])),
5157 BPF_LD_MAP_FD(BPF_REG_2, 0),
5158 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
5159 offsetof(struct __sk_buff, cb[0])),
5160 BPF_EXIT_INSN(),
5161 },
5162 .fixup_map1 = { 2 },
5163 .errstr_unpriv = "R2 leaks addr into mem",
5164 .result_unpriv = REJECT,
5165 .result = REJECT,
5166 .errstr = "BPF_XADD stores into R1 context is not allowed",
5167 },
5168 {
5169 "leak pointer into ctx 2",
5170 .insns = {
5171 BPF_MOV64_IMM(BPF_REG_0, 0),
5172 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5173 offsetof(struct __sk_buff, cb[0])),
5174 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
5175 offsetof(struct __sk_buff, cb[0])),
5176 BPF_EXIT_INSN(),
5177 },
5178 .errstr_unpriv = "R10 leaks addr into mem",
5179 .result_unpriv = REJECT,
5180 .result = REJECT,
5181 .errstr = "BPF_XADD stores into R1 context is not allowed",
5182 },
5183 {
5184 "leak pointer into ctx 3",
5185 .insns = {
5186 BPF_MOV64_IMM(BPF_REG_0, 0),
5187 BPF_LD_MAP_FD(BPF_REG_2, 0),
5188 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
5189 offsetof(struct __sk_buff, cb[0])),
5190 BPF_EXIT_INSN(),
5191 },
5192 .fixup_map1 = { 1 },
5193 .errstr_unpriv = "R2 leaks addr into ctx",
5194 .result_unpriv = REJECT,
5195 .result = ACCEPT,
5196 },
5197 {
5198 "leak pointer into map val",
5199 .insns = {
5200 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5201 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5202 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5203 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5204 BPF_LD_MAP_FD(BPF_REG_1, 0),
5205 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5206 BPF_FUNC_map_lookup_elem),
5207 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
5208 BPF_MOV64_IMM(BPF_REG_3, 0),
5209 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
5210 BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
5211 BPF_MOV64_IMM(BPF_REG_0, 0),
5212 BPF_EXIT_INSN(),
5213 },
5214 .fixup_map1 = { 4 },
5215 .errstr_unpriv = "R6 leaks addr into mem",
5216 .result_unpriv = REJECT,
5217 .result = ACCEPT,
5218 },
5219 {
5220 "helper access to map: full range",
5221 .insns = {
5222 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5223 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5224 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5225 BPF_LD_MAP_FD(BPF_REG_1, 0),
5226 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5227 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5228 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5229 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5230 BPF_MOV64_IMM(BPF_REG_3, 0),
5231 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5232 BPF_EXIT_INSN(),
5233 },
5234 .fixup_map2 = { 3 },
5235 .result = ACCEPT,
5236 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5237 },
5238 {
5239 "helper access to map: partial range",
5240 .insns = {
5241 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5242 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5243 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5244 BPF_LD_MAP_FD(BPF_REG_1, 0),
5245 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5246 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5247 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5248 BPF_MOV64_IMM(BPF_REG_2, 8),
5249 BPF_MOV64_IMM(BPF_REG_3, 0),
5250 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5251 BPF_EXIT_INSN(),
5252 },
5253 .fixup_map2 = { 3 },
5254 .result = ACCEPT,
5255 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5256 },
5257 {
5258 "helper access to map: empty range",
5259 .insns = {
5260 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5261 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5262 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5263 BPF_LD_MAP_FD(BPF_REG_1, 0),
5264 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5265 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
5266 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5267 BPF_MOV64_IMM(BPF_REG_2, 0),
5268 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5269 BPF_EXIT_INSN(),
5270 },
5271 .fixup_map2 = { 3 },
5272 .errstr = "invalid access to map value, value_size=48 off=0 size=0",
5273 .result = REJECT,
5274 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5275 },
5276 {
5277 "helper access to map: out-of-bound range",
5278 .insns = {
5279 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5280 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5281 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5282 BPF_LD_MAP_FD(BPF_REG_1, 0),
5283 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5284 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5285 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5286 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
5287 BPF_MOV64_IMM(BPF_REG_3, 0),
5288 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5289 BPF_EXIT_INSN(),
5290 },
5291 .fixup_map2 = { 3 },
5292 .errstr = "invalid access to map value, value_size=48 off=0 size=56",
5293 .result = REJECT,
5294 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5295 },
5296 {
5297 "helper access to map: negative range",
5298 .insns = {
5299 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5300 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5301 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5302 BPF_LD_MAP_FD(BPF_REG_1, 0),
5303 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5304 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5305 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5306 BPF_MOV64_IMM(BPF_REG_2, -8),
5307 BPF_MOV64_IMM(BPF_REG_3, 0),
5308 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5309 BPF_EXIT_INSN(),
5310 },
5311 .fixup_map2 = { 3 },
5312 .errstr = "R2 min value is negative",
5313 .result = REJECT,
5314 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5315 },
5316 {
5317 "helper access to adjusted map (via const imm): full range",
5318 .insns = {
5319 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5320 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5321 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5322 BPF_LD_MAP_FD(BPF_REG_1, 0),
5323 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5324 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5325 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5326 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5327 offsetof(struct test_val, foo)),
5328 BPF_MOV64_IMM(BPF_REG_2,
5329 sizeof(struct test_val) -
5330 offsetof(struct test_val, foo)),
5331 BPF_MOV64_IMM(BPF_REG_3, 0),
5332 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5333 BPF_EXIT_INSN(),
5334 },
5335 .fixup_map2 = { 3 },
5336 .result = ACCEPT,
5337 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5338 },
5339 {
5340 "helper access to adjusted map (via const imm): partial range",
5341 .insns = {
5342 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5343 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5344 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5345 BPF_LD_MAP_FD(BPF_REG_1, 0),
5346 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5347 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5348 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5349 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5350 offsetof(struct test_val, foo)),
5351 BPF_MOV64_IMM(BPF_REG_2, 8),
5352 BPF_MOV64_IMM(BPF_REG_3, 0),
5353 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5354 BPF_EXIT_INSN(),
5355 },
5356 .fixup_map2 = { 3 },
5357 .result = ACCEPT,
5358 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5359 },
5360 {
5361 "helper access to adjusted map (via const imm): empty range",
5362 .insns = {
5363 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5364 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5365 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5366 BPF_LD_MAP_FD(BPF_REG_1, 0),
5367 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5368 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5369 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5370 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5371 offsetof(struct test_val, foo)),
5372 BPF_MOV64_IMM(BPF_REG_2, 0),
5373 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5374 BPF_EXIT_INSN(),
5375 },
5376 .fixup_map2 = { 3 },
5377 .errstr = "invalid access to map value, value_size=48 off=4 size=0",
5378 .result = REJECT,
5379 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5380 },
5381 {
5382 "helper access to adjusted map (via const imm): out-of-bound range",
5383 .insns = {
5384 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5385 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5386 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5387 BPF_LD_MAP_FD(BPF_REG_1, 0),
5388 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5389 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5390 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5391 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5392 offsetof(struct test_val, foo)),
5393 BPF_MOV64_IMM(BPF_REG_2,
5394 sizeof(struct test_val) -
5395 offsetof(struct test_val, foo) + 8),
5396 BPF_MOV64_IMM(BPF_REG_3, 0),
5397 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5398 BPF_EXIT_INSN(),
5399 },
5400 .fixup_map2 = { 3 },
5401 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
5402 .result = REJECT,
5403 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5404 },
5405 {
5406 "helper access to adjusted map (via const imm): negative range (> adjustment)",
5407 .insns = {
5408 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5409 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5410 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5411 BPF_LD_MAP_FD(BPF_REG_1, 0),
5412 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5413 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5414 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5415 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5416 offsetof(struct test_val, foo)),
5417 BPF_MOV64_IMM(BPF_REG_2, -8),
5418 BPF_MOV64_IMM(BPF_REG_3, 0),
5419 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5420 BPF_EXIT_INSN(),
5421 },
5422 .fixup_map2 = { 3 },
5423 .errstr = "R2 min value is negative",
5424 .result = REJECT,
5425 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5426 },
5427 {
5428 "helper access to adjusted map (via const imm): negative range (< adjustment)",
5429 .insns = {
5430 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5431 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5432 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5433 BPF_LD_MAP_FD(BPF_REG_1, 0),
5434 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5435 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5436 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5437 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5438 offsetof(struct test_val, foo)),
5439 BPF_MOV64_IMM(BPF_REG_2, -1),
5440 BPF_MOV64_IMM(BPF_REG_3, 0),
5441 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5442 BPF_EXIT_INSN(),
5443 },
5444 .fixup_map2 = { 3 },
5445 .errstr = "R2 min value is negative",
5446 .result = REJECT,
5447 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5448 },
5449 {
5450 "helper access to adjusted map (via const reg): full range",
5451 .insns = {
5452 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5453 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5454 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5455 BPF_LD_MAP_FD(BPF_REG_1, 0),
5456 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5457 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5458 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5459 BPF_MOV64_IMM(BPF_REG_3,
5460 offsetof(struct test_val, foo)),
5461 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5462 BPF_MOV64_IMM(BPF_REG_2,
5463 sizeof(struct test_val) -
5464 offsetof(struct test_val, foo)),
5465 BPF_MOV64_IMM(BPF_REG_3, 0),
5466 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5467 BPF_EXIT_INSN(),
5468 },
5469 .fixup_map2 = { 3 },
5470 .result = ACCEPT,
5471 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5472 },
5473 {
5474 "helper access to adjusted map (via const reg): partial range",
5475 .insns = {
5476 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5477 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5478 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5479 BPF_LD_MAP_FD(BPF_REG_1, 0),
5480 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5481 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5482 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5483 BPF_MOV64_IMM(BPF_REG_3,
5484 offsetof(struct test_val, foo)),
5485 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5486 BPF_MOV64_IMM(BPF_REG_2, 8),
5487 BPF_MOV64_IMM(BPF_REG_3, 0),
5488 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5489 BPF_EXIT_INSN(),
5490 },
5491 .fixup_map2 = { 3 },
5492 .result = ACCEPT,
5493 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5494 },
5495 {
5496 "helper access to adjusted map (via const reg): empty range",
5497 .insns = {
5498 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5499 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5500 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5501 BPF_LD_MAP_FD(BPF_REG_1, 0),
5502 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5503 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5504 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5505 BPF_MOV64_IMM(BPF_REG_3, 0),
5506 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5507 BPF_MOV64_IMM(BPF_REG_2, 0),
5508 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5509 BPF_EXIT_INSN(),
5510 },
5511 .fixup_map2 = { 3 },
5512 .errstr = "R1 min value is outside of the array range",
5513 .result = REJECT,
5514 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5515 },
5516 {
5517 "helper access to adjusted map (via const reg): out-of-bound range",
5518 .insns = {
5519 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5520 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5521 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5522 BPF_LD_MAP_FD(BPF_REG_1, 0),
5523 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5524 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5525 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5526 BPF_MOV64_IMM(BPF_REG_3,
5527 offsetof(struct test_val, foo)),
5528 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5529 BPF_MOV64_IMM(BPF_REG_2,
5530 sizeof(struct test_val) -
5531 offsetof(struct test_val, foo) + 8),
5532 BPF_MOV64_IMM(BPF_REG_3, 0),
5533 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5534 BPF_EXIT_INSN(),
5535 },
5536 .fixup_map2 = { 3 },
5537 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
5538 .result = REJECT,
5539 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5540 },
5541 {
5542 "helper access to adjusted map (via const reg): negative range (> adjustment)",
5543 .insns = {
5544 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5545 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5546 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5547 BPF_LD_MAP_FD(BPF_REG_1, 0),
5548 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5549 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5550 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5551 BPF_MOV64_IMM(BPF_REG_3,
5552 offsetof(struct test_val, foo)),
5553 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5554 BPF_MOV64_IMM(BPF_REG_2, -8),
5555 BPF_MOV64_IMM(BPF_REG_3, 0),
5556 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5557 BPF_EXIT_INSN(),
5558 },
5559 .fixup_map2 = { 3 },
5560 .errstr = "R2 min value is negative",
5561 .result = REJECT,
5562 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5563 },
5564 {
5565 "helper access to adjusted map (via const reg): negative range (< adjustment)",
5566 .insns = {
5567 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5568 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5569 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5570 BPF_LD_MAP_FD(BPF_REG_1, 0),
5571 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5572 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5573 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5574 BPF_MOV64_IMM(BPF_REG_3,
5575 offsetof(struct test_val, foo)),
5576 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5577 BPF_MOV64_IMM(BPF_REG_2, -1),
5578 BPF_MOV64_IMM(BPF_REG_3, 0),
5579 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5580 BPF_EXIT_INSN(),
5581 },
5582 .fixup_map2 = { 3 },
5583 .errstr = "R2 min value is negative",
5584 .result = REJECT,
5585 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5586 },
5587 {
5588 "helper access to adjusted map (via variable): full range",
5589 .insns = {
5590 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5591 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5592 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5593 BPF_LD_MAP_FD(BPF_REG_1, 0),
5594 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5595 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5596 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5597 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5598 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5599 offsetof(struct test_val, foo), 4),
5600 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5601 BPF_MOV64_IMM(BPF_REG_2,
5602 sizeof(struct test_val) -
5603 offsetof(struct test_val, foo)),
5604 BPF_MOV64_IMM(BPF_REG_3, 0),
5605 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5606 BPF_EXIT_INSN(),
5607 },
5608 .fixup_map2 = { 3 },
5609 .result = ACCEPT,
5610 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5611 },
5612 {
5613 "helper access to adjusted map (via variable): partial range",
5614 .insns = {
5615 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5616 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5617 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5618 BPF_LD_MAP_FD(BPF_REG_1, 0),
5619 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5620 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5621 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5622 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5623 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5624 offsetof(struct test_val, foo), 4),
5625 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5626 BPF_MOV64_IMM(BPF_REG_2, 8),
5627 BPF_MOV64_IMM(BPF_REG_3, 0),
5628 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5629 BPF_EXIT_INSN(),
5630 },
5631 .fixup_map2 = { 3 },
5632 .result = ACCEPT,
5633 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5634 },
5635 {
5636 "helper access to adjusted map (via variable): empty range",
5637 .insns = {
5638 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5639 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5640 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5641 BPF_LD_MAP_FD(BPF_REG_1, 0),
5642 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5643 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5644 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5645 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5646 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5647 offsetof(struct test_val, foo), 3),
5648 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5649 BPF_MOV64_IMM(BPF_REG_2, 0),
5650 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5651 BPF_EXIT_INSN(),
5652 },
5653 .fixup_map2 = { 3 },
5654 .errstr = "R1 min value is outside of the array range",
5655 .result = REJECT,
5656 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5657 },
5658 {
5659 "helper access to adjusted map (via variable): no max check",
5660 .insns = {
5661 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5662 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5663 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5664 BPF_LD_MAP_FD(BPF_REG_1, 0),
5665 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5666 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5667 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5668 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5669 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5670 BPF_MOV64_IMM(BPF_REG_2, 1),
5671 BPF_MOV64_IMM(BPF_REG_3, 0),
5672 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5673 BPF_EXIT_INSN(),
5674 },
5675 .fixup_map2 = { 3 },
5676 .errstr = "R1 unbounded memory access",
5677 .result = REJECT,
5678 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5679 },
5680 {
5681 "helper access to adjusted map (via variable): wrong max check",
5682 .insns = {
5683 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5684 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5685 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5686 BPF_LD_MAP_FD(BPF_REG_1, 0),
5687 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5688 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5689 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5690 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5691 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5692 offsetof(struct test_val, foo), 4),
5693 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5694 BPF_MOV64_IMM(BPF_REG_2,
5695 sizeof(struct test_val) -
5696 offsetof(struct test_val, foo) + 1),
5697 BPF_MOV64_IMM(BPF_REG_3, 0),
5698 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5699 BPF_EXIT_INSN(),
5700 },
5701 .fixup_map2 = { 3 },
5702 .errstr = "invalid access to map value, value_size=48 off=4 size=45",
5703 .result = REJECT,
5704 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5705 },
5706 {
5707 "helper access to map: bounds check using <, good access",
5708 .insns = {
5709 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5710 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5711 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5712 BPF_LD_MAP_FD(BPF_REG_1, 0),
5713 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5714 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5715 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5716 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5717 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
5718 BPF_MOV64_IMM(BPF_REG_0, 0),
5719 BPF_EXIT_INSN(),
5720 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5721 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5722 BPF_MOV64_IMM(BPF_REG_0, 0),
5723 BPF_EXIT_INSN(),
5724 },
5725 .fixup_map2 = { 3 },
5726 .result = ACCEPT,
5727 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5728 },
5729 {
5730 "helper access to map: bounds check using <, bad access",
5731 .insns = {
5732 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5733 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5734 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5735 BPF_LD_MAP_FD(BPF_REG_1, 0),
5736 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5737 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5738 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5739 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5740 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
5741 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5742 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5743 BPF_MOV64_IMM(BPF_REG_0, 0),
5744 BPF_EXIT_INSN(),
5745 BPF_MOV64_IMM(BPF_REG_0, 0),
5746 BPF_EXIT_INSN(),
5747 },
5748 .fixup_map2 = { 3 },
5749 .result = REJECT,
5750 .errstr = "R1 unbounded memory access",
5751 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5752 },
5753 {
5754 "helper access to map: bounds check using <=, good access",
5755 .insns = {
5756 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5757 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5758 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5759 BPF_LD_MAP_FD(BPF_REG_1, 0),
5760 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5761 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5762 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5763 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5764 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
5765 BPF_MOV64_IMM(BPF_REG_0, 0),
5766 BPF_EXIT_INSN(),
5767 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5768 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5769 BPF_MOV64_IMM(BPF_REG_0, 0),
5770 BPF_EXIT_INSN(),
5771 },
5772 .fixup_map2 = { 3 },
5773 .result = ACCEPT,
5774 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5775 },
5776 {
5777 "helper access to map: bounds check using <=, bad access",
5778 .insns = {
5779 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5780 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5781 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5782 BPF_LD_MAP_FD(BPF_REG_1, 0),
5783 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5784 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5785 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5786 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5787 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
5788 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5789 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5790 BPF_MOV64_IMM(BPF_REG_0, 0),
5791 BPF_EXIT_INSN(),
5792 BPF_MOV64_IMM(BPF_REG_0, 0),
5793 BPF_EXIT_INSN(),
5794 },
5795 .fixup_map2 = { 3 },
5796 .result = REJECT,
5797 .errstr = "R1 unbounded memory access",
5798 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5799 },
5800 {
5801 "helper access to map: bounds check using s<, good access",
5802 .insns = {
5803 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5804 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5805 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5806 BPF_LD_MAP_FD(BPF_REG_1, 0),
5807 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5808 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5809 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5810 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5811 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5812 BPF_MOV64_IMM(BPF_REG_0, 0),
5813 BPF_EXIT_INSN(),
5814 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
5815 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5816 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5817 BPF_MOV64_IMM(BPF_REG_0, 0),
5818 BPF_EXIT_INSN(),
5819 },
5820 .fixup_map2 = { 3 },
5821 .result = ACCEPT,
5822 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5823 },
5824 {
5825 "helper access to map: bounds check using s<, good access 2",
5826 .insns = {
5827 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5828 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5829 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5830 BPF_LD_MAP_FD(BPF_REG_1, 0),
5831 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5832 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5833 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5834 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5835 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5836 BPF_MOV64_IMM(BPF_REG_0, 0),
5837 BPF_EXIT_INSN(),
5838 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
5839 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5840 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5841 BPF_MOV64_IMM(BPF_REG_0, 0),
5842 BPF_EXIT_INSN(),
5843 },
5844 .fixup_map2 = { 3 },
5845 .result = ACCEPT,
5846 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5847 },
5848 {
5849 "helper access to map: bounds check using s<, bad access",
5850 .insns = {
5851 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5852 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5853 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5854 BPF_LD_MAP_FD(BPF_REG_1, 0),
5855 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5856 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5857 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5858 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5859 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5860 BPF_MOV64_IMM(BPF_REG_0, 0),
5861 BPF_EXIT_INSN(),
5862 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
5863 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5864 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5865 BPF_MOV64_IMM(BPF_REG_0, 0),
5866 BPF_EXIT_INSN(),
5867 },
5868 .fixup_map2 = { 3 },
5869 .result = REJECT,
5870 .errstr = "R1 min value is negative",
5871 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5872 },
5873 {
5874 "helper access to map: bounds check using s<=, good access",
5875 .insns = {
5876 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5877 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5878 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5879 BPF_LD_MAP_FD(BPF_REG_1, 0),
5880 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5881 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5882 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5883 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5884 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5885 BPF_MOV64_IMM(BPF_REG_0, 0),
5886 BPF_EXIT_INSN(),
5887 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
5888 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5889 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5890 BPF_MOV64_IMM(BPF_REG_0, 0),
5891 BPF_EXIT_INSN(),
5892 },
5893 .fixup_map2 = { 3 },
5894 .result = ACCEPT,
5895 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5896 },
5897 {
5898 "helper access to map: bounds check using s<=, good access 2",
5899 .insns = {
5900 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5901 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5902 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5903 BPF_LD_MAP_FD(BPF_REG_1, 0),
5904 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5905 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5906 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5907 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5908 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5909 BPF_MOV64_IMM(BPF_REG_0, 0),
5910 BPF_EXIT_INSN(),
5911 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5912 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5913 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5914 BPF_MOV64_IMM(BPF_REG_0, 0),
5915 BPF_EXIT_INSN(),
5916 },
5917 .fixup_map2 = { 3 },
5918 .result = ACCEPT,
5919 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5920 },
5921 {
5922 "helper access to map: bounds check using s<=, bad access",
5923 .insns = {
5924 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5925 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5926 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5927 BPF_LD_MAP_FD(BPF_REG_1, 0),
5928 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5929 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5930 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5931 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5932 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5933 BPF_MOV64_IMM(BPF_REG_0, 0),
5934 BPF_EXIT_INSN(),
5935 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5936 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5937 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5938 BPF_MOV64_IMM(BPF_REG_0, 0),
5939 BPF_EXIT_INSN(),
5940 },
5941 .fixup_map2 = { 3 },
5942 .result = REJECT,
5943 .errstr = "R1 min value is negative",
5944 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5945 },
5946 {
5947 "map lookup helper access to map",
5948 .insns = {
5949 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5950 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5951 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5952 BPF_LD_MAP_FD(BPF_REG_1, 0),
5953 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5954 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5955 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5956 BPF_LD_MAP_FD(BPF_REG_1, 0),
5957 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5958 BPF_EXIT_INSN(),
5959 },
5960 .fixup_map3 = { 3, 8 },
5961 .result = ACCEPT,
5962 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5963 },
5964 {
5965 "map update helper access to map",
5966 .insns = {
5967 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5968 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5969 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5970 BPF_LD_MAP_FD(BPF_REG_1, 0),
5971 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5972 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5973 BPF_MOV64_IMM(BPF_REG_4, 0),
5974 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
5975 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5976 BPF_LD_MAP_FD(BPF_REG_1, 0),
5977 BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
5978 BPF_EXIT_INSN(),
5979 },
5980 .fixup_map3 = { 3, 10 },
5981 .result = ACCEPT,
5982 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5983 },
5984 {
5985 "map update helper access to map: wrong size",
5986 .insns = {
5987 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5988 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5989 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5990 BPF_LD_MAP_FD(BPF_REG_1, 0),
5991 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5992 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5993 BPF_MOV64_IMM(BPF_REG_4, 0),
5994 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
5995 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5996 BPF_LD_MAP_FD(BPF_REG_1, 0),
5997 BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
5998 BPF_EXIT_INSN(),
5999 },
6000 .fixup_map1 = { 3 },
6001 .fixup_map3 = { 10 },
6002 .result = REJECT,
6003 .errstr = "invalid access to map value, value_size=8 off=0 size=16",
6004 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6005 },
6006 {
6007 "map helper access to adjusted map (via const imm)",
6008 .insns = {
6009 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6010 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6011 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6012 BPF_LD_MAP_FD(BPF_REG_1, 0),
6013 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6014 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6015 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6016 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
6017 offsetof(struct other_val, bar)),
6018 BPF_LD_MAP_FD(BPF_REG_1, 0),
6019 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6020 BPF_EXIT_INSN(),
6021 },
6022 .fixup_map3 = { 3, 9 },
6023 .result = ACCEPT,
6024 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6025 },
6026 {
6027 "map helper access to adjusted map (via const imm): out-of-bound 1",
6028 .insns = {
6029 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6030 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6031 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6032 BPF_LD_MAP_FD(BPF_REG_1, 0),
6033 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6034 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6035 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6036 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
6037 sizeof(struct other_val) - 4),
6038 BPF_LD_MAP_FD(BPF_REG_1, 0),
6039 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6040 BPF_EXIT_INSN(),
6041 },
6042 .fixup_map3 = { 3, 9 },
6043 .result = REJECT,
6044 .errstr = "invalid access to map value, value_size=16 off=12 size=8",
6045 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6046 },
6047 {
6048 "map helper access to adjusted map (via const imm): out-of-bound 2",
6049 .insns = {
6050 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6051 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6052 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6053 BPF_LD_MAP_FD(BPF_REG_1, 0),
6054 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6055 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6056 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6057 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6058 BPF_LD_MAP_FD(BPF_REG_1, 0),
6059 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6060 BPF_EXIT_INSN(),
6061 },
6062 .fixup_map3 = { 3, 9 },
6063 .result = REJECT,
6064 .errstr = "invalid access to map value, value_size=16 off=-4 size=8",
6065 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6066 },
6067 {
6068 "map helper access to adjusted map (via const reg)",
6069 .insns = {
6070 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6071 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6072 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6073 BPF_LD_MAP_FD(BPF_REG_1, 0),
6074 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6075 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6076 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6077 BPF_MOV64_IMM(BPF_REG_3,
6078 offsetof(struct other_val, bar)),
6079 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6080 BPF_LD_MAP_FD(BPF_REG_1, 0),
6081 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6082 BPF_EXIT_INSN(),
6083 },
6084 .fixup_map3 = { 3, 10 },
6085 .result = ACCEPT,
6086 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6087 },
6088 {
6089 "map helper access to adjusted map (via const reg): out-of-bound 1",
6090 .insns = {
6091 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6092 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6093 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6094 BPF_LD_MAP_FD(BPF_REG_1, 0),
6095 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6096 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6097 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6098 BPF_MOV64_IMM(BPF_REG_3,
6099 sizeof(struct other_val) - 4),
6100 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6101 BPF_LD_MAP_FD(BPF_REG_1, 0),
6102 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6103 BPF_EXIT_INSN(),
6104 },
6105 .fixup_map3 = { 3, 10 },
6106 .result = REJECT,
6107 .errstr = "invalid access to map value, value_size=16 off=12 size=8",
6108 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6109 },
6110 {
6111 "map helper access to adjusted map (via const reg): out-of-bound 2",
6112 .insns = {
6113 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6114 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6115 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6116 BPF_LD_MAP_FD(BPF_REG_1, 0),
6117 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6118 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6119 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6120 BPF_MOV64_IMM(BPF_REG_3, -4),
6121 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6122 BPF_LD_MAP_FD(BPF_REG_1, 0),
6123 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6124 BPF_EXIT_INSN(),
6125 },
6126 .fixup_map3 = { 3, 10 },
6127 .result = REJECT,
6128 .errstr = "invalid access to map value, value_size=16 off=-4 size=8",
6129 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6130 },
6131 {
6132 "map helper access to adjusted map (via variable)",
6133 .insns = {
6134 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6135 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6136 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6137 BPF_LD_MAP_FD(BPF_REG_1, 0),
6138 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6139 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6140 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6141 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6142 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6143 offsetof(struct other_val, bar), 4),
6144 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6145 BPF_LD_MAP_FD(BPF_REG_1, 0),
6146 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6147 BPF_EXIT_INSN(),
6148 },
6149 .fixup_map3 = { 3, 11 },
6150 .result = ACCEPT,
6151 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6152 },
6153 {
6154 "map helper access to adjusted map (via variable): no max check",
6155 .insns = {
6156 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6157 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6158 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6159 BPF_LD_MAP_FD(BPF_REG_1, 0),
6160 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6161 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6162 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6163 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6164 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6165 BPF_LD_MAP_FD(BPF_REG_1, 0),
6166 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6167 BPF_EXIT_INSN(),
6168 },
6169 .fixup_map3 = { 3, 10 },
6170 .result = REJECT,
6171 .errstr = "R2 unbounded memory access, make sure to bounds check any array access into a map",
6172 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6173 },
6174 {
6175 "map helper access to adjusted map (via variable): wrong max check",
6176 .insns = {
6177 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6178 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6179 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6180 BPF_LD_MAP_FD(BPF_REG_1, 0),
6181 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6182 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6183 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6184 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6185 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6186 offsetof(struct other_val, bar) + 1, 4),
6187 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6188 BPF_LD_MAP_FD(BPF_REG_1, 0),
6189 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6190 BPF_EXIT_INSN(),
6191 },
6192 .fixup_map3 = { 3, 11 },
6193 .result = REJECT,
6194 .errstr = "invalid access to map value, value_size=16 off=9 size=8",
6195 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6196 },
6197 {
6198 "map element value is preserved across register spilling",
6199 .insns = {
6200 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6201 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6202 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6203 BPF_LD_MAP_FD(BPF_REG_1, 0),
6204 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6205 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6206 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6207 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6208 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
6209 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6210 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6211 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6212 BPF_EXIT_INSN(),
6213 },
6214 .fixup_map2 = { 3 },
6215 .errstr_unpriv = "R0 leaks addr",
6216 .result = ACCEPT,
6217 .result_unpriv = REJECT,
6218 },
6219 {
6220 "map element value or null is marked on register spilling",
6221 .insns = {
6222 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6223 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6224 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6225 BPF_LD_MAP_FD(BPF_REG_1, 0),
6226 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6227 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6228 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
6229 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6230 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6231 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6232 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6233 BPF_EXIT_INSN(),
6234 },
6235 .fixup_map2 = { 3 },
6236 .errstr_unpriv = "R0 leaks addr",
6237 .result = ACCEPT,
6238 .result_unpriv = REJECT,
6239 },
6240 {
6241 "map element value store of cleared call register",
6242 .insns = {
6243 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6244 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6245 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6246 BPF_LD_MAP_FD(BPF_REG_1, 0),
6247 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6248 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
6249 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
6250 BPF_EXIT_INSN(),
6251 },
6252 .fixup_map2 = { 3 },
6253 .errstr_unpriv = "R1 !read_ok",
6254 .errstr = "R1 !read_ok",
6255 .result = REJECT,
6256 .result_unpriv = REJECT,
6257 },
6258 {
6259 "map element value with unaligned store",
6260 .insns = {
6261 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6262 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6263 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6264 BPF_LD_MAP_FD(BPF_REG_1, 0),
6265 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6266 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
6267 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
6268 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6269 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
6270 BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
6271 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
6272 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
6273 BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
6274 BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
6275 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
6276 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
6277 BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
6278 BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
6279 BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
6280 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
6281 BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
6282 BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
6283 BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
6284 BPF_EXIT_INSN(),
6285 },
6286 .fixup_map2 = { 3 },
6287 .errstr_unpriv = "R0 leaks addr",
6288 .result = ACCEPT,
6289 .result_unpriv = REJECT,
6290 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6291 },
6292 {
6293 "map element value with unaligned load",
6294 .insns = {
6295 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6296 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6297 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6298 BPF_LD_MAP_FD(BPF_REG_1, 0),
6299 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6300 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6301 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
6302 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
6303 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
6304 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
6305 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
6306 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
6307 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
6308 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
6309 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
6310 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
6311 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
6312 BPF_EXIT_INSN(),
6313 },
6314 .fixup_map2 = { 3 },
6315 .errstr_unpriv = "R0 leaks addr",
6316 .result = ACCEPT,
6317 .result_unpriv = REJECT,
6318 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6319 },
6320 {
6321 "map element value illegal alu op, 1",
6322 .insns = {
6323 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6324 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6325 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6326 BPF_LD_MAP_FD(BPF_REG_1, 0),
6327 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6328 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6329 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
6330 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6331 BPF_EXIT_INSN(),
6332 },
6333 .fixup_map2 = { 3 },
6334 .errstr = "R0 bitwise operator &= on pointer",
6335 .result = REJECT,
6336 },
6337 {
6338 "map element value illegal alu op, 2",
6339 .insns = {
6340 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6341 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6342 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6343 BPF_LD_MAP_FD(BPF_REG_1, 0),
6344 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6345 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6346 BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
6347 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6348 BPF_EXIT_INSN(),
6349 },
6350 .fixup_map2 = { 3 },
6351 .errstr = "R0 32-bit pointer arithmetic prohibited",
6352 .result = REJECT,
6353 },
6354 {
6355 "map element value illegal alu op, 3",
6356 .insns = {
6357 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6358 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6359 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6360 BPF_LD_MAP_FD(BPF_REG_1, 0),
6361 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6362 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6363 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
6364 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6365 BPF_EXIT_INSN(),
6366 },
6367 .fixup_map2 = { 3 },
6368 .errstr = "R0 pointer arithmetic with /= operator",
6369 .result = REJECT,
6370 },
6371 {
6372 "map element value illegal alu op, 4",
6373 .insns = {
6374 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6375 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6376 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6377 BPF_LD_MAP_FD(BPF_REG_1, 0),
6378 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6379 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6380 BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),
6381 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6382 BPF_EXIT_INSN(),
6383 },
6384 .fixup_map2 = { 3 },
6385 .errstr_unpriv = "R0 pointer arithmetic prohibited",
6386 .errstr = "invalid mem access 'inv'",
6387 .result = REJECT,
6388 .result_unpriv = REJECT,
6389 },
6390 {
6391 "map element value illegal alu op, 5",
6392 .insns = {
6393 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6394 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6395 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6396 BPF_LD_MAP_FD(BPF_REG_1, 0),
6397 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6398 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6399 BPF_MOV64_IMM(BPF_REG_3, 4096),
6400 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6401 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6402 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6403 BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
6404 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
6405 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6406 BPF_EXIT_INSN(),
6407 },
6408 .fixup_map2 = { 3 },
6409 .errstr = "R0 invalid mem access 'inv'",
6410 .result = REJECT,
6411 },
6412 {
6413 "map element value is preserved across register spilling",
6414 .insns = {
6415 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6416 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6417 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6418 BPF_LD_MAP_FD(BPF_REG_1, 0),
6419 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6420 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6421 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0,
6422 offsetof(struct test_val, foo)),
6423 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6424 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6425 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
6426 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6427 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6428 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6429 BPF_EXIT_INSN(),
6430 },
6431 .fixup_map2 = { 3 },
6432 .errstr_unpriv = "R0 leaks addr",
6433 .result = ACCEPT,
6434 .result_unpriv = REJECT,
6435 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6436 },
6437 {
6438 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
6439 .insns = {
6440 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6441 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6442 BPF_MOV64_IMM(BPF_REG_0, 0),
6443 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6444 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6445 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6446 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6447 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6448 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6449 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6450 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6451 BPF_MOV64_IMM(BPF_REG_2, 16),
6452 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6453 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6454 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6455 BPF_MOV64_IMM(BPF_REG_4, 0),
6456 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6457 BPF_MOV64_IMM(BPF_REG_3, 0),
6458 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6459 BPF_MOV64_IMM(BPF_REG_0, 0),
6460 BPF_EXIT_INSN(),
6461 },
6462 .result = ACCEPT,
6463 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6464 },
6465 {
6466 "helper access to variable memory: stack, bitwise AND, zero included",
6467 .insns = {
6468 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6469 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6470 BPF_MOV64_IMM(BPF_REG_2, 16),
6471 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6472 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6473 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6474 BPF_MOV64_IMM(BPF_REG_3, 0),
6475 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6476 BPF_EXIT_INSN(),
6477 },
6478 .errstr = "invalid indirect read from stack off -64+0 size 64",
6479 .result = REJECT,
6480 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6481 },
6482 {
6483 "helper access to variable memory: stack, bitwise AND + JMP, wrong max",
6484 .insns = {
6485 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6486 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6487 BPF_MOV64_IMM(BPF_REG_2, 16),
6488 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6489 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6490 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
6491 BPF_MOV64_IMM(BPF_REG_4, 0),
6492 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6493 BPF_MOV64_IMM(BPF_REG_3, 0),
6494 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6495 BPF_MOV64_IMM(BPF_REG_0, 0),
6496 BPF_EXIT_INSN(),
6497 },
6498 .errstr = "invalid stack type R1 off=-64 access_size=65",
6499 .result = REJECT,
6500 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6501 },
6502 {
6503 "helper access to variable memory: stack, JMP, correct bounds",
6504 .insns = {
6505 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6506 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6507 BPF_MOV64_IMM(BPF_REG_0, 0),
6508 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6509 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6510 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6511 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6512 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6513 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6514 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6515 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6516 BPF_MOV64_IMM(BPF_REG_2, 16),
6517 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6518 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6519 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
6520 BPF_MOV64_IMM(BPF_REG_4, 0),
6521 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6522 BPF_MOV64_IMM(BPF_REG_3, 0),
6523 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6524 BPF_MOV64_IMM(BPF_REG_0, 0),
6525 BPF_EXIT_INSN(),
6526 },
6527 .result = ACCEPT,
6528 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6529 },
6530 {
6531 "helper access to variable memory: stack, JMP (signed), correct bounds",
6532 .insns = {
6533 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6534 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6535 BPF_MOV64_IMM(BPF_REG_0, 0),
6536 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6537 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6538 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6539 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6540 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6541 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6542 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6543 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6544 BPF_MOV64_IMM(BPF_REG_2, 16),
6545 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6546 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6547 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
6548 BPF_MOV64_IMM(BPF_REG_4, 0),
6549 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6550 BPF_MOV64_IMM(BPF_REG_3, 0),
6551 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6552 BPF_MOV64_IMM(BPF_REG_0, 0),
6553 BPF_EXIT_INSN(),
6554 },
6555 .result = ACCEPT,
6556 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6557 },
6558 {
6559 "helper access to variable memory: stack, JMP, bounds + offset",
6560 .insns = {
6561 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6562 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6563 BPF_MOV64_IMM(BPF_REG_2, 16),
6564 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6565 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6566 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
6567 BPF_MOV64_IMM(BPF_REG_4, 0),
6568 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
6569 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
6570 BPF_MOV64_IMM(BPF_REG_3, 0),
6571 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6572 BPF_MOV64_IMM(BPF_REG_0, 0),
6573 BPF_EXIT_INSN(),
6574 },
6575 .errstr = "invalid stack type R1 off=-64 access_size=65",
6576 .result = REJECT,
6577 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6578 },
6579 {
6580 "helper access to variable memory: stack, JMP, wrong max",
6581 .insns = {
6582 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6583 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6584 BPF_MOV64_IMM(BPF_REG_2, 16),
6585 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6586 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6587 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
6588 BPF_MOV64_IMM(BPF_REG_4, 0),
6589 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6590 BPF_MOV64_IMM(BPF_REG_3, 0),
6591 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6592 BPF_MOV64_IMM(BPF_REG_0, 0),
6593 BPF_EXIT_INSN(),
6594 },
6595 .errstr = "invalid stack type R1 off=-64 access_size=65",
6596 .result = REJECT,
6597 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6598 },
6599 {
6600 "helper access to variable memory: stack, JMP, no max check",
6601 .insns = {
6602 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6603 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6604 BPF_MOV64_IMM(BPF_REG_2, 16),
6605 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6606 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6607 BPF_MOV64_IMM(BPF_REG_4, 0),
6608 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6609 BPF_MOV64_IMM(BPF_REG_3, 0),
6610 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6611 BPF_MOV64_IMM(BPF_REG_0, 0),
6612 BPF_EXIT_INSN(),
6613 },
6614 /* because max wasn't checked, signed min is negative */
6615 .errstr = "R2 min value is negative, either use unsigned or 'var &= const'",
6616 .result = REJECT,
6617 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6618 },
6619 {
6620 "helper access to variable memory: stack, JMP, no min check",
6621 .insns = {
6622 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6623 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6624 BPF_MOV64_IMM(BPF_REG_2, 16),
6625 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6626 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6627 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
6628 BPF_MOV64_IMM(BPF_REG_3, 0),
6629 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6630 BPF_MOV64_IMM(BPF_REG_0, 0),
6631 BPF_EXIT_INSN(),
6632 },
6633 .errstr = "invalid indirect read from stack off -64+0 size 64",
6634 .result = REJECT,
6635 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6636 },
6637 {
6638 "helper access to variable memory: stack, JMP (signed), no min check",
6639 .insns = {
6640 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6641 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6642 BPF_MOV64_IMM(BPF_REG_2, 16),
6643 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6644 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6645 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
6646 BPF_MOV64_IMM(BPF_REG_3, 0),
6647 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6648 BPF_MOV64_IMM(BPF_REG_0, 0),
6649 BPF_EXIT_INSN(),
6650 },
6651 .errstr = "R2 min value is negative",
6652 .result = REJECT,
6653 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6654 },
6655 {
6656 "helper access to variable memory: map, JMP, correct bounds",
6657 .insns = {
6658 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6659 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6660 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6661 BPF_LD_MAP_FD(BPF_REG_1, 0),
6662 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6663 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
6664 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6665 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6666 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6667 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6668 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6669 sizeof(struct test_val), 4),
6670 BPF_MOV64_IMM(BPF_REG_4, 0),
6671 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6672 BPF_MOV64_IMM(BPF_REG_3, 0),
6673 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6674 BPF_MOV64_IMM(BPF_REG_0, 0),
6675 BPF_EXIT_INSN(),
6676 },
6677 .fixup_map2 = { 3 },
6678 .result = ACCEPT,
6679 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6680 },
6681 {
6682 "helper access to variable memory: map, JMP, wrong max",
6683 .insns = {
6684 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6685 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6686 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6687 BPF_LD_MAP_FD(BPF_REG_1, 0),
6688 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6689 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
6690 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6691 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6692 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6693 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6694 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6695 sizeof(struct test_val) + 1, 4),
6696 BPF_MOV64_IMM(BPF_REG_4, 0),
6697 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6698 BPF_MOV64_IMM(BPF_REG_3, 0),
6699 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6700 BPF_MOV64_IMM(BPF_REG_0, 0),
6701 BPF_EXIT_INSN(),
6702 },
6703 .fixup_map2 = { 3 },
6704 .errstr = "invalid access to map value, value_size=48 off=0 size=49",
6705 .result = REJECT,
6706 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6707 },
6708 {
6709 "helper access to variable memory: map adjusted, JMP, correct bounds",
6710 .insns = {
6711 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6712 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6713 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6714 BPF_LD_MAP_FD(BPF_REG_1, 0),
6715 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6716 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6717 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6718 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
6719 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6720 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6721 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6722 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6723 sizeof(struct test_val) - 20, 4),
6724 BPF_MOV64_IMM(BPF_REG_4, 0),
6725 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6726 BPF_MOV64_IMM(BPF_REG_3, 0),
6727 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6728 BPF_MOV64_IMM(BPF_REG_0, 0),
6729 BPF_EXIT_INSN(),
6730 },
6731 .fixup_map2 = { 3 },
6732 .result = ACCEPT,
6733 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6734 },
6735 {
6736 "helper access to variable memory: map adjusted, JMP, wrong max",
6737 .insns = {
6738 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6739 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6740 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6741 BPF_LD_MAP_FD(BPF_REG_1, 0),
6742 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6743 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6744 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6745 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
6746 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6747 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6748 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6749 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6750 sizeof(struct test_val) - 19, 4),
6751 BPF_MOV64_IMM(BPF_REG_4, 0),
6752 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6753 BPF_MOV64_IMM(BPF_REG_3, 0),
6754 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6755 BPF_MOV64_IMM(BPF_REG_0, 0),
6756 BPF_EXIT_INSN(),
6757 },
6758 .fixup_map2 = { 3 },
6759 .errstr = "R1 min value is outside of the array range",
6760 .result = REJECT,
6761 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6762 },
6763 {
6764 "helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
6765 .insns = {
6766 BPF_MOV64_IMM(BPF_REG_1, 0),
6767 BPF_MOV64_IMM(BPF_REG_2, 0),
6768 BPF_MOV64_IMM(BPF_REG_3, 0),
6769 BPF_MOV64_IMM(BPF_REG_4, 0),
6770 BPF_MOV64_IMM(BPF_REG_5, 0),
6771 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6772 BPF_EXIT_INSN(),
6773 },
6774 .result = ACCEPT,
6775 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6776 },
6777 {
6778 "helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
6779 .insns = {
6780 BPF_MOV64_IMM(BPF_REG_1, 0),
6781 BPF_MOV64_IMM(BPF_REG_2, 1),
6782 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6783 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6784 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6785 BPF_MOV64_IMM(BPF_REG_3, 0),
6786 BPF_MOV64_IMM(BPF_REG_4, 0),
6787 BPF_MOV64_IMM(BPF_REG_5, 0),
6788 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6789 BPF_EXIT_INSN(),
6790 },
6791 .errstr = "R1 type=inv expected=fp",
6792 .result = REJECT,
6793 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6794 },
6795 {
6796 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
6797 .insns = {
6798 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6799 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6800 BPF_MOV64_IMM(BPF_REG_2, 0),
6801 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
6802 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
6803 BPF_MOV64_IMM(BPF_REG_3, 0),
6804 BPF_MOV64_IMM(BPF_REG_4, 0),
6805 BPF_MOV64_IMM(BPF_REG_5, 0),
6806 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6807 BPF_EXIT_INSN(),
6808 },
6809 .result = ACCEPT,
6810 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6811 },
6812 {
6813 "helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
6814 .insns = {
6815 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6816 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6817 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6818 BPF_LD_MAP_FD(BPF_REG_1, 0),
6819 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6820 BPF_FUNC_map_lookup_elem),
6821 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6822 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6823 BPF_MOV64_IMM(BPF_REG_2, 0),
6824 BPF_MOV64_IMM(BPF_REG_3, 0),
6825 BPF_MOV64_IMM(BPF_REG_4, 0),
6826 BPF_MOV64_IMM(BPF_REG_5, 0),
6827 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6828 BPF_EXIT_INSN(),
6829 },
6830 .fixup_map1 = { 3 },
6831 .result = ACCEPT,
6832 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6833 },
6834 {
6835 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
6836 .insns = {
6837 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6838 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6839 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6840 BPF_LD_MAP_FD(BPF_REG_1, 0),
6841 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6842 BPF_FUNC_map_lookup_elem),
6843 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6844 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6845 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7),
6846 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6847 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6848 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
6849 BPF_MOV64_IMM(BPF_REG_3, 0),
6850 BPF_MOV64_IMM(BPF_REG_4, 0),
6851 BPF_MOV64_IMM(BPF_REG_5, 0),
6852 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6853 BPF_EXIT_INSN(),
6854 },
6855 .fixup_map1 = { 3 },
6856 .result = ACCEPT,
6857 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6858 },
6859 {
6860 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
6861 .insns = {
6862 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6863 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6864 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6865 BPF_LD_MAP_FD(BPF_REG_1, 0),
6866 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6867 BPF_FUNC_map_lookup_elem),
6868 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6869 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6870 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6871 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6872 BPF_MOV64_IMM(BPF_REG_3, 0),
6873 BPF_MOV64_IMM(BPF_REG_4, 0),
6874 BPF_MOV64_IMM(BPF_REG_5, 0),
6875 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6876 BPF_EXIT_INSN(),
6877 },
6878 .fixup_map1 = { 3 },
6879 .result = ACCEPT,
6880 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6881 },
6882 {
6883 "helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)",
6884 .insns = {
6885 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
6886 offsetof(struct __sk_buff, data)),
6887 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6888 offsetof(struct __sk_buff, data_end)),
6889 BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),
6890 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6891 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
6892 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
6893 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0),
6894 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6895 BPF_MOV64_IMM(BPF_REG_3, 0),
6896 BPF_MOV64_IMM(BPF_REG_4, 0),
6897 BPF_MOV64_IMM(BPF_REG_5, 0),
6898 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6899 BPF_EXIT_INSN(),
6900 },
6901 .result = ACCEPT,
6902 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6903 .retval = 0 /* csum_diff of 64-byte packet */,
6904 },
6905 {
6906 "helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
6907 .insns = {
6908 BPF_MOV64_IMM(BPF_REG_1, 0),
6909 BPF_MOV64_IMM(BPF_REG_2, 0),
6910 BPF_MOV64_IMM(BPF_REG_3, 0),
6911 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6912 BPF_EXIT_INSN(),
6913 },
6914 .errstr = "R1 type=inv expected=fp",
6915 .result = REJECT,
6916 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6917 },
6918 {
6919 "helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
6920 .insns = {
6921 BPF_MOV64_IMM(BPF_REG_1, 0),
6922 BPF_MOV64_IMM(BPF_REG_2, 1),
6923 BPF_MOV64_IMM(BPF_REG_3, 0),
6924 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6925 BPF_EXIT_INSN(),
6926 },
6927 .errstr = "R1 type=inv expected=fp",
6928 .result = REJECT,
6929 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6930 },
6931 {
6932 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6933 .insns = {
6934 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6935 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6936 BPF_MOV64_IMM(BPF_REG_2, 0),
6937 BPF_MOV64_IMM(BPF_REG_3, 0),
6938 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6939 BPF_EXIT_INSN(),
6940 },
6941 .result = ACCEPT,
6942 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6943 },
6944 {
6945 "helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6946 .insns = {
6947 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6948 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6949 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6950 BPF_LD_MAP_FD(BPF_REG_1, 0),
6951 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6952 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6953 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6954 BPF_MOV64_IMM(BPF_REG_2, 0),
6955 BPF_MOV64_IMM(BPF_REG_3, 0),
6956 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6957 BPF_EXIT_INSN(),
6958 },
6959 .fixup_map1 = { 3 },
6960 .result = ACCEPT,
6961 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6962 },
6963 {
6964 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6965 .insns = {
6966 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6967 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6968 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6969 BPF_LD_MAP_FD(BPF_REG_1, 0),
6970 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6971 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6972 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6973 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6974 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6975 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6976 BPF_MOV64_IMM(BPF_REG_3, 0),
6977 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6978 BPF_EXIT_INSN(),
6979 },
6980 .fixup_map1 = { 3 },
6981 .result = ACCEPT,
6982 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6983 },
6984 {
6985 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6986 .insns = {
6987 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6988 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6989 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6990 BPF_LD_MAP_FD(BPF_REG_1, 0),
6991 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6992 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6993 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6994 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6995 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2),
6996 BPF_MOV64_IMM(BPF_REG_3, 0),
6997 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6998 BPF_EXIT_INSN(),
6999 },
7000 .fixup_map1 = { 3 },
7001 .result = ACCEPT,
7002 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7003 },
7004 {
7005 "helper access to variable memory: 8 bytes leak",
7006 .insns = {
7007 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7008 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7009 BPF_MOV64_IMM(BPF_REG_0, 0),
7010 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7011 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7012 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7013 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7014 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7015 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7016 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7017 BPF_MOV64_IMM(BPF_REG_2, 1),
7018 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7019 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7020 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
7021 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
7022 BPF_MOV64_IMM(BPF_REG_3, 0),
7023 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7024 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7025 BPF_EXIT_INSN(),
7026 },
7027 .errstr = "invalid indirect read from stack off -64+32 size 64",
7028 .result = REJECT,
7029 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7030 },
7031 {
7032 "helper access to variable memory: 8 bytes no leak (init memory)",
7033 .insns = {
7034 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7035 BPF_MOV64_IMM(BPF_REG_0, 0),
7036 BPF_MOV64_IMM(BPF_REG_0, 0),
7037 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7038 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7039 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7040 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7041 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
7042 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7043 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7044 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7045 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7046 BPF_MOV64_IMM(BPF_REG_2, 0),
7047 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
7048 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
7049 BPF_MOV64_IMM(BPF_REG_3, 0),
7050 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7051 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7052 BPF_EXIT_INSN(),
7053 },
7054 .result = ACCEPT,
7055 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7056 },
7057 {
7058 "invalid and of negative number",
7059 .insns = {
7060 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7061 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7062 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7063 BPF_LD_MAP_FD(BPF_REG_1, 0),
7064 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7065 BPF_FUNC_map_lookup_elem),
7066 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7067 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7068 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4),
7069 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
7070 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7071 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
7072 offsetof(struct test_val, foo)),
7073 BPF_EXIT_INSN(),
7074 },
7075 .fixup_map2 = { 3 },
7076 .errstr = "R0 max value is outside of the array range",
7077 .result = REJECT,
7078 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7079 },
7080 {
7081 "invalid range check",
7082 .insns = {
7083 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7084 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7085 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7086 BPF_LD_MAP_FD(BPF_REG_1, 0),
7087 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7088 BPF_FUNC_map_lookup_elem),
7089 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12),
7090 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
7091 BPF_MOV64_IMM(BPF_REG_9, 1),
7092 BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2),
7093 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
7094 BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1),
7095 BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1),
7096 BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1),
7097 BPF_MOV32_IMM(BPF_REG_3, 1),
7098 BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9),
7099 BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000),
7100 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
7101 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),
7102 BPF_MOV64_REG(BPF_REG_0, 0),
7103 BPF_EXIT_INSN(),
7104 },
7105 .fixup_map2 = { 3 },
7106 .errstr = "R0 max value is outside of the array range",
7107 .result = REJECT,
7108 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7109 },
7110 {
7111 "map in map access",
7112 .insns = {
7113 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7114 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7115 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7116 BPF_LD_MAP_FD(BPF_REG_1, 0),
7117 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7118 BPF_FUNC_map_lookup_elem),
7119 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7120 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7121 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7122 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7123 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7124 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7125 BPF_FUNC_map_lookup_elem),
7126 BPF_MOV64_IMM(BPF_REG_0, 0),
7127 BPF_EXIT_INSN(),
7128 },
7129 .fixup_map_in_map = { 3 },
7130 .result = ACCEPT,
7131 },
7132 {
7133 "invalid inner map pointer",
7134 .insns = {
7135 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7136 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7137 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7138 BPF_LD_MAP_FD(BPF_REG_1, 0),
7139 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7140 BPF_FUNC_map_lookup_elem),
7141 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7142 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7143 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7144 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7145 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7146 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7147 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7148 BPF_FUNC_map_lookup_elem),
7149 BPF_MOV64_IMM(BPF_REG_0, 0),
7150 BPF_EXIT_INSN(),
7151 },
7152 .fixup_map_in_map = { 3 },
7153 .errstr = "R1 pointer arithmetic on CONST_PTR_TO_MAP prohibited",
7154 .result = REJECT,
7155 },
7156 {
7157 "forgot null checking on the inner map pointer",
7158 .insns = {
7159 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7160 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7161 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7162 BPF_LD_MAP_FD(BPF_REG_1, 0),
7163 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7164 BPF_FUNC_map_lookup_elem),
7165 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7166 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7167 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7168 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7169 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7170 BPF_FUNC_map_lookup_elem),
7171 BPF_MOV64_IMM(BPF_REG_0, 0),
7172 BPF_EXIT_INSN(),
7173 },
7174 .fixup_map_in_map = { 3 },
7175 .errstr = "R1 type=map_value_or_null expected=map_ptr",
7176 .result = REJECT,
7177 },
7178 {
7179 "ld_abs: check calling conv, r1",
7180 .insns = {
7181 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7182 BPF_MOV64_IMM(BPF_REG_1, 0),
7183 BPF_LD_ABS(BPF_W, -0x200000),
7184 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
7185 BPF_EXIT_INSN(),
7186 },
7187 .errstr = "R1 !read_ok",
7188 .result = REJECT,
7189 },
7190 {
7191 "ld_abs: check calling conv, r2",
7192 .insns = {
7193 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7194 BPF_MOV64_IMM(BPF_REG_2, 0),
7195 BPF_LD_ABS(BPF_W, -0x200000),
7196 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7197 BPF_EXIT_INSN(),
7198 },
7199 .errstr = "R2 !read_ok",
7200 .result = REJECT,
7201 },
7202 {
7203 "ld_abs: check calling conv, r3",
7204 .insns = {
7205 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7206 BPF_MOV64_IMM(BPF_REG_3, 0),
7207 BPF_LD_ABS(BPF_W, -0x200000),
7208 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7209 BPF_EXIT_INSN(),
7210 },
7211 .errstr = "R3 !read_ok",
7212 .result = REJECT,
7213 },
7214 {
7215 "ld_abs: check calling conv, r4",
7216 .insns = {
7217 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7218 BPF_MOV64_IMM(BPF_REG_4, 0),
7219 BPF_LD_ABS(BPF_W, -0x200000),
7220 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
7221 BPF_EXIT_INSN(),
7222 },
7223 .errstr = "R4 !read_ok",
7224 .result = REJECT,
7225 },
7226 {
7227 "ld_abs: check calling conv, r5",
7228 .insns = {
7229 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7230 BPF_MOV64_IMM(BPF_REG_5, 0),
7231 BPF_LD_ABS(BPF_W, -0x200000),
7232 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
7233 BPF_EXIT_INSN(),
7234 },
7235 .errstr = "R5 !read_ok",
7236 .result = REJECT,
7237 },
7238 {
7239 "ld_abs: check calling conv, r7",
7240 .insns = {
7241 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7242 BPF_MOV64_IMM(BPF_REG_7, 0),
7243 BPF_LD_ABS(BPF_W, -0x200000),
7244 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
7245 BPF_EXIT_INSN(),
7246 },
7247 .result = ACCEPT,
7248 },
7249 {
7250 "ld_abs: tests on r6 and skb data reload helper",
7251 .insns = {
7252 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7253 BPF_LD_ABS(BPF_B, 0),
7254 BPF_LD_ABS(BPF_H, 0),
7255 BPF_LD_ABS(BPF_W, 0),
7256 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
7257 BPF_MOV64_IMM(BPF_REG_6, 0),
7258 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
7259 BPF_MOV64_IMM(BPF_REG_2, 1),
7260 BPF_MOV64_IMM(BPF_REG_3, 2),
7261 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7262 BPF_FUNC_skb_vlan_push),
7263 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
7264 BPF_LD_ABS(BPF_B, 0),
7265 BPF_LD_ABS(BPF_H, 0),
7266 BPF_LD_ABS(BPF_W, 0),
7267 BPF_MOV64_IMM(BPF_REG_0, 42),
7268 BPF_EXIT_INSN(),
7269 },
7270 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7271 .result = ACCEPT,
7272 .retval = 42 /* ultimate return value */,
7273 },
7274 {
7275 "ld_ind: check calling conv, r1",
7276 .insns = {
7277 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7278 BPF_MOV64_IMM(BPF_REG_1, 1),
7279 BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000),
7280 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
7281 BPF_EXIT_INSN(),
7282 },
7283 .errstr = "R1 !read_ok",
7284 .result = REJECT,
7285 },
7286 {
7287 "ld_ind: check calling conv, r2",
7288 .insns = {
7289 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7290 BPF_MOV64_IMM(BPF_REG_2, 1),
7291 BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000),
7292 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7293 BPF_EXIT_INSN(),
7294 },
7295 .errstr = "R2 !read_ok",
7296 .result = REJECT,
7297 },
7298 {
7299 "ld_ind: check calling conv, r3",
7300 .insns = {
7301 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7302 BPF_MOV64_IMM(BPF_REG_3, 1),
7303 BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000),
7304 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7305 BPF_EXIT_INSN(),
7306 },
7307 .errstr = "R3 !read_ok",
7308 .result = REJECT,
7309 },
7310 {
7311 "ld_ind: check calling conv, r4",
7312 .insns = {
7313 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7314 BPF_MOV64_IMM(BPF_REG_4, 1),
7315 BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000),
7316 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
7317 BPF_EXIT_INSN(),
7318 },
7319 .errstr = "R4 !read_ok",
7320 .result = REJECT,
7321 },
7322 {
7323 "ld_ind: check calling conv, r5",
7324 .insns = {
7325 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7326 BPF_MOV64_IMM(BPF_REG_5, 1),
7327 BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000),
7328 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
7329 BPF_EXIT_INSN(),
7330 },
7331 .errstr = "R5 !read_ok",
7332 .result = REJECT,
7333 },
7334 {
7335 "ld_ind: check calling conv, r7",
7336 .insns = {
7337 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7338 BPF_MOV64_IMM(BPF_REG_7, 1),
7339 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
7340 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
7341 BPF_EXIT_INSN(),
7342 },
7343 .result = ACCEPT,
7344 .retval = 1,
7345 },
7346 {
7347 "check bpf_perf_event_data->sample_period byte load permitted",
7348 .insns = {
7349 BPF_MOV64_IMM(BPF_REG_0, 0),
7350 #if __BYTE_ORDER == __LITTLE_ENDIAN
7351 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
7352 offsetof(struct bpf_perf_event_data, sample_period)),
7353 #else
7354 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
7355 offsetof(struct bpf_perf_event_data, sample_period) + 7),
7356 #endif
7357 BPF_EXIT_INSN(),
7358 },
7359 .result = ACCEPT,
7360 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
7361 },
7362 {
7363 "check bpf_perf_event_data->sample_period half load permitted",
7364 .insns = {
7365 BPF_MOV64_IMM(BPF_REG_0, 0),
7366 #if __BYTE_ORDER == __LITTLE_ENDIAN
7367 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7368 offsetof(struct bpf_perf_event_data, sample_period)),
7369 #else
7370 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7371 offsetof(struct bpf_perf_event_data, sample_period) + 6),
7372 #endif
7373 BPF_EXIT_INSN(),
7374 },
7375 .result = ACCEPT,
7376 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
7377 },
7378 {
7379 "check bpf_perf_event_data->sample_period word load permitted",
7380 .insns = {
7381 BPF_MOV64_IMM(BPF_REG_0, 0),
7382 #if __BYTE_ORDER == __LITTLE_ENDIAN
7383 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7384 offsetof(struct bpf_perf_event_data, sample_period)),
7385 #else
7386 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7387 offsetof(struct bpf_perf_event_data, sample_period) + 4),
7388 #endif
7389 BPF_EXIT_INSN(),
7390 },
7391 .result = ACCEPT,
7392 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
7393 },
7394 {
7395 "check bpf_perf_event_data->sample_period dword load permitted",
7396 .insns = {
7397 BPF_MOV64_IMM(BPF_REG_0, 0),
7398 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
7399 offsetof(struct bpf_perf_event_data, sample_period)),
7400 BPF_EXIT_INSN(),
7401 },
7402 .result = ACCEPT,
7403 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
7404 },
7405 {
7406 "check skb->data half load not permitted",
7407 .insns = {
7408 BPF_MOV64_IMM(BPF_REG_0, 0),
7409 #if __BYTE_ORDER == __LITTLE_ENDIAN
7410 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7411 offsetof(struct __sk_buff, data)),
7412 #else
7413 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7414 offsetof(struct __sk_buff, data) + 2),
7415 #endif
7416 BPF_EXIT_INSN(),
7417 },
7418 .result = REJECT,
7419 .errstr = "invalid bpf_context access",
7420 },
7421 {
7422 "check skb->tc_classid half load not permitted for lwt prog",
7423 .insns = {
7424 BPF_MOV64_IMM(BPF_REG_0, 0),
7425 #if __BYTE_ORDER == __LITTLE_ENDIAN
7426 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7427 offsetof(struct __sk_buff, tc_classid)),
7428 #else
7429 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7430 offsetof(struct __sk_buff, tc_classid) + 2),
7431 #endif
7432 BPF_EXIT_INSN(),
7433 },
7434 .result = REJECT,
7435 .errstr = "invalid bpf_context access",
7436 .prog_type = BPF_PROG_TYPE_LWT_IN,
7437 },
7438 {
7439 "bounds checks mixing signed and unsigned, positive bounds",
7440 .insns = {
7441 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7442 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7443 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7444 BPF_LD_MAP_FD(BPF_REG_1, 0),
7445 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7446 BPF_FUNC_map_lookup_elem),
7447 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7448 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7449 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7450 BPF_MOV64_IMM(BPF_REG_2, 2),
7451 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3),
7452 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 4, 2),
7453 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7454 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7455 BPF_MOV64_IMM(BPF_REG_0, 0),
7456 BPF_EXIT_INSN(),
7457 },
7458 .fixup_map1 = { 3 },
7459 .errstr = "unbounded min value",
7460 .result = REJECT,
7461 },
7462 {
7463 "bounds checks mixing signed and unsigned",
7464 .insns = {
7465 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7466 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7467 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7468 BPF_LD_MAP_FD(BPF_REG_1, 0),
7469 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7470 BPF_FUNC_map_lookup_elem),
7471 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7472 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7473 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7474 BPF_MOV64_IMM(BPF_REG_2, -1),
7475 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
7476 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7477 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7478 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7479 BPF_MOV64_IMM(BPF_REG_0, 0),
7480 BPF_EXIT_INSN(),
7481 },
7482 .fixup_map1 = { 3 },
7483 .errstr = "unbounded min value",
7484 .result = REJECT,
7485 },
7486 {
7487 "bounds checks mixing signed and unsigned, variant 2",
7488 .insns = {
7489 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7490 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7491 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7492 BPF_LD_MAP_FD(BPF_REG_1, 0),
7493 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7494 BPF_FUNC_map_lookup_elem),
7495 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7496 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7497 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7498 BPF_MOV64_IMM(BPF_REG_2, -1),
7499 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
7500 BPF_MOV64_IMM(BPF_REG_8, 0),
7501 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_1),
7502 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
7503 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
7504 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
7505 BPF_MOV64_IMM(BPF_REG_0, 0),
7506 BPF_EXIT_INSN(),
7507 },
7508 .fixup_map1 = { 3 },
7509 .errstr = "unbounded min value",
7510 .result = REJECT,
7511 },
7512 {
7513 "bounds checks mixing signed and unsigned, variant 3",
7514 .insns = {
7515 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7516 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7517 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7518 BPF_LD_MAP_FD(BPF_REG_1, 0),
7519 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7520 BPF_FUNC_map_lookup_elem),
7521 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7522 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7523 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7524 BPF_MOV64_IMM(BPF_REG_2, -1),
7525 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4),
7526 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
7527 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
7528 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
7529 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
7530 BPF_MOV64_IMM(BPF_REG_0, 0),
7531 BPF_EXIT_INSN(),
7532 },
7533 .fixup_map1 = { 3 },
7534 .errstr = "unbounded min value",
7535 .result = REJECT,
7536 },
7537 {
7538 "bounds checks mixing signed and unsigned, variant 4",
7539 .insns = {
7540 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7541 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7542 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7543 BPF_LD_MAP_FD(BPF_REG_1, 0),
7544 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7545 BPF_FUNC_map_lookup_elem),
7546 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7547 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7548 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7549 BPF_MOV64_IMM(BPF_REG_2, 1),
7550 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
7551 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7552 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7553 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7554 BPF_MOV64_IMM(BPF_REG_0, 0),
7555 BPF_EXIT_INSN(),
7556 },
7557 .fixup_map1 = { 3 },
7558 .result = ACCEPT,
7559 },
7560 {
7561 "bounds checks mixing signed and unsigned, variant 5",
7562 .insns = {
7563 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7564 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7565 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7566 BPF_LD_MAP_FD(BPF_REG_1, 0),
7567 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7568 BPF_FUNC_map_lookup_elem),
7569 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7570 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7571 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7572 BPF_MOV64_IMM(BPF_REG_2, -1),
7573 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
7574 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 4),
7575 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4),
7576 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7577 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7578 BPF_MOV64_IMM(BPF_REG_0, 0),
7579 BPF_EXIT_INSN(),
7580 },
7581 .fixup_map1 = { 3 },
7582 .errstr = "unbounded min value",
7583 .result = REJECT,
7584 },
7585 {
7586 "bounds checks mixing signed and unsigned, variant 6",
7587 .insns = {
7588 BPF_MOV64_IMM(BPF_REG_2, 0),
7589 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
7590 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512),
7591 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7592 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16),
7593 BPF_MOV64_IMM(BPF_REG_6, -1),
7594 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5),
7595 BPF_JMP_IMM(BPF_JSGT, BPF_REG_4, 1, 4),
7596 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
7597 BPF_MOV64_IMM(BPF_REG_5, 0),
7598 BPF_ST_MEM(BPF_H, BPF_REG_10, -512, 0),
7599 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7600 BPF_FUNC_skb_load_bytes),
7601 BPF_MOV64_IMM(BPF_REG_0, 0),
7602 BPF_EXIT_INSN(),
7603 },
7604 .errstr = "R4 min value is negative, either use unsigned",
7605 .result = REJECT,
7606 },
7607 {
7608 "bounds checks mixing signed and unsigned, variant 7",
7609 .insns = {
7610 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7611 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7612 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7613 BPF_LD_MAP_FD(BPF_REG_1, 0),
7614 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7615 BPF_FUNC_map_lookup_elem),
7616 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7617 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7618 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7619 BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024),
7620 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
7621 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7622 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7623 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7624 BPF_MOV64_IMM(BPF_REG_0, 0),
7625 BPF_EXIT_INSN(),
7626 },
7627 .fixup_map1 = { 3 },
7628 .result = ACCEPT,
7629 },
7630 {
7631 "bounds checks mixing signed and unsigned, variant 8",
7632 .insns = {
7633 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7634 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7635 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7636 BPF_LD_MAP_FD(BPF_REG_1, 0),
7637 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7638 BPF_FUNC_map_lookup_elem),
7639 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7640 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7641 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7642 BPF_MOV64_IMM(BPF_REG_2, -1),
7643 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7644 BPF_MOV64_IMM(BPF_REG_0, 0),
7645 BPF_EXIT_INSN(),
7646 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7647 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7648 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7649 BPF_MOV64_IMM(BPF_REG_0, 0),
7650 BPF_EXIT_INSN(),
7651 },
7652 .fixup_map1 = { 3 },
7653 .errstr = "unbounded min value",
7654 .result = REJECT,
7655 },
7656 {
7657 "bounds checks mixing signed and unsigned, variant 9",
7658 .insns = {
7659 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7660 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7661 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7662 BPF_LD_MAP_FD(BPF_REG_1, 0),
7663 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7664 BPF_FUNC_map_lookup_elem),
7665 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
7666 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7667 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7668 BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL),
7669 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7670 BPF_MOV64_IMM(BPF_REG_0, 0),
7671 BPF_EXIT_INSN(),
7672 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7673 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7674 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7675 BPF_MOV64_IMM(BPF_REG_0, 0),
7676 BPF_EXIT_INSN(),
7677 },
7678 .fixup_map1 = { 3 },
7679 .result = ACCEPT,
7680 },
7681 {
7682 "bounds checks mixing signed and unsigned, variant 10",
7683 .insns = {
7684 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7685 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7686 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7687 BPF_LD_MAP_FD(BPF_REG_1, 0),
7688 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7689 BPF_FUNC_map_lookup_elem),
7690 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7691 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7692 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7693 BPF_MOV64_IMM(BPF_REG_2, 0),
7694 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7695 BPF_MOV64_IMM(BPF_REG_0, 0),
7696 BPF_EXIT_INSN(),
7697 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7698 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7699 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7700 BPF_MOV64_IMM(BPF_REG_0, 0),
7701 BPF_EXIT_INSN(),
7702 },
7703 .fixup_map1 = { 3 },
7704 .errstr = "unbounded min value",
7705 .result = REJECT,
7706 },
7707 {
7708 "bounds checks mixing signed and unsigned, variant 11",
7709 .insns = {
7710 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7711 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7712 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7713 BPF_LD_MAP_FD(BPF_REG_1, 0),
7714 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7715 BPF_FUNC_map_lookup_elem),
7716 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7717 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7718 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7719 BPF_MOV64_IMM(BPF_REG_2, -1),
7720 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7721 /* Dead branch. */
7722 BPF_MOV64_IMM(BPF_REG_0, 0),
7723 BPF_EXIT_INSN(),
7724 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7725 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7726 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7727 BPF_MOV64_IMM(BPF_REG_0, 0),
7728 BPF_EXIT_INSN(),
7729 },
7730 .fixup_map1 = { 3 },
7731 .errstr = "unbounded min value",
7732 .result = REJECT,
7733 },
7734 {
7735 "bounds checks mixing signed and unsigned, variant 12",
7736 .insns = {
7737 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7738 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7739 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7740 BPF_LD_MAP_FD(BPF_REG_1, 0),
7741 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7742 BPF_FUNC_map_lookup_elem),
7743 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7744 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7745 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7746 BPF_MOV64_IMM(BPF_REG_2, -6),
7747 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7748 BPF_MOV64_IMM(BPF_REG_0, 0),
7749 BPF_EXIT_INSN(),
7750 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7751 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7752 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7753 BPF_MOV64_IMM(BPF_REG_0, 0),
7754 BPF_EXIT_INSN(),
7755 },
7756 .fixup_map1 = { 3 },
7757 .errstr = "unbounded min value",
7758 .result = REJECT,
7759 },
7760 {
7761 "bounds checks mixing signed and unsigned, variant 13",
7762 .insns = {
7763 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7764 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7765 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7766 BPF_LD_MAP_FD(BPF_REG_1, 0),
7767 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7768 BPF_FUNC_map_lookup_elem),
7769 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7770 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7771 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7772 BPF_MOV64_IMM(BPF_REG_2, 2),
7773 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7774 BPF_MOV64_IMM(BPF_REG_7, 1),
7775 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 0, 2),
7776 BPF_MOV64_IMM(BPF_REG_0, 0),
7777 BPF_EXIT_INSN(),
7778 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_1),
7779 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 4, 2),
7780 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_7),
7781 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7782 BPF_MOV64_IMM(BPF_REG_0, 0),
7783 BPF_EXIT_INSN(),
7784 },
7785 .fixup_map1 = { 3 },
7786 .errstr = "unbounded min value",
7787 .result = REJECT,
7788 },
7789 {
7790 "bounds checks mixing signed and unsigned, variant 14",
7791 .insns = {
7792 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
7793 offsetof(struct __sk_buff, mark)),
7794 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7795 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7796 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7797 BPF_LD_MAP_FD(BPF_REG_1, 0),
7798 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7799 BPF_FUNC_map_lookup_elem),
7800 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7801 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7802 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7803 BPF_MOV64_IMM(BPF_REG_2, -1),
7804 BPF_MOV64_IMM(BPF_REG_8, 2),
7805 BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 42, 6),
7806 BPF_JMP_REG(BPF_JSGT, BPF_REG_8, BPF_REG_1, 3),
7807 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7808 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7809 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7810 BPF_MOV64_IMM(BPF_REG_0, 0),
7811 BPF_EXIT_INSN(),
7812 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3),
7813 BPF_JMP_IMM(BPF_JA, 0, 0, -7),
7814 },
7815 .fixup_map1 = { 4 },
7816 .errstr = "R0 invalid mem access 'inv'",
7817 .result = REJECT,
7818 },
7819 {
7820 "bounds checks mixing signed and unsigned, variant 15",
7821 .insns = {
7822 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7823 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7824 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7825 BPF_LD_MAP_FD(BPF_REG_1, 0),
7826 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7827 BPF_FUNC_map_lookup_elem),
7828 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7829 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7830 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7831 BPF_MOV64_IMM(BPF_REG_2, -6),
7832 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7833 BPF_MOV64_IMM(BPF_REG_0, 0),
7834 BPF_EXIT_INSN(),
7835 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7836 BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 1, 2),
7837 BPF_MOV64_IMM(BPF_REG_0, 0),
7838 BPF_EXIT_INSN(),
7839 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7840 BPF_MOV64_IMM(BPF_REG_0, 0),
7841 BPF_EXIT_INSN(),
7842 },
7843 .fixup_map1 = { 3 },
7844 .errstr = "unbounded min value",
7845 .result = REJECT,
7846 .result_unpriv = REJECT,
7847 },
7848 {
7849 "subtraction bounds (map value) variant 1",
7850 .insns = {
7851 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7852 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7853 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7854 BPF_LD_MAP_FD(BPF_REG_1, 0),
7855 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7856 BPF_FUNC_map_lookup_elem),
7857 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7858 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7859 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7),
7860 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
7861 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5),
7862 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
7863 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56),
7864 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7865 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7866 BPF_EXIT_INSN(),
7867 BPF_MOV64_IMM(BPF_REG_0, 0),
7868 BPF_EXIT_INSN(),
7869 },
7870 .fixup_map1 = { 3 },
7871 .errstr = "R0 max value is outside of the array range",
7872 .result = REJECT,
7873 },
7874 {
7875 "subtraction bounds (map value) variant 2",
7876 .insns = {
7877 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7878 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7879 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7880 BPF_LD_MAP_FD(BPF_REG_1, 0),
7881 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7882 BPF_FUNC_map_lookup_elem),
7883 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7884 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7885 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6),
7886 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
7887 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4),
7888 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
7889 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7890 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7891 BPF_EXIT_INSN(),
7892 BPF_MOV64_IMM(BPF_REG_0, 0),
7893 BPF_EXIT_INSN(),
7894 },
7895 .fixup_map1 = { 3 },
7896 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
7897 .result = REJECT,
7898 },
7899 {
7900 "bounds check based on zero-extended MOV",
7901 .insns = {
7902 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7903 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7904 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7905 BPF_LD_MAP_FD(BPF_REG_1, 0),
7906 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7907 BPF_FUNC_map_lookup_elem),
7908 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7909 /* r2 = 0x0000'0000'ffff'ffff */
7910 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff),
7911 /* r2 = 0 */
7912 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
7913 /* no-op */
7914 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7915 /* access at offset 0 */
7916 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7917 /* exit */
7918 BPF_MOV64_IMM(BPF_REG_0, 0),
7919 BPF_EXIT_INSN(),
7920 },
7921 .fixup_map1 = { 3 },
7922 .result = ACCEPT
7923 },
7924 {
7925 "bounds check based on sign-extended MOV. test1",
7926 .insns = {
7927 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7928 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7929 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7930 BPF_LD_MAP_FD(BPF_REG_1, 0),
7931 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7932 BPF_FUNC_map_lookup_elem),
7933 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7934 /* r2 = 0xffff'ffff'ffff'ffff */
7935 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
7936 /* r2 = 0xffff'ffff */
7937 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
7938 /* r0 = <oob pointer> */
7939 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7940 /* access to OOB pointer */
7941 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7942 /* exit */
7943 BPF_MOV64_IMM(BPF_REG_0, 0),
7944 BPF_EXIT_INSN(),
7945 },
7946 .fixup_map1 = { 3 },
7947 .errstr = "map_value pointer and 4294967295",
7948 .result = REJECT
7949 },
7950 {
7951 "bounds check based on sign-extended MOV. test2",
7952 .insns = {
7953 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7954 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7955 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7956 BPF_LD_MAP_FD(BPF_REG_1, 0),
7957 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7958 BPF_FUNC_map_lookup_elem),
7959 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7960 /* r2 = 0xffff'ffff'ffff'ffff */
7961 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
7962 /* r2 = 0xfff'ffff */
7963 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 36),
7964 /* r0 = <oob pointer> */
7965 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7966 /* access to OOB pointer */
7967 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7968 /* exit */
7969 BPF_MOV64_IMM(BPF_REG_0, 0),
7970 BPF_EXIT_INSN(),
7971 },
7972 .fixup_map1 = { 3 },
7973 .errstr = "R0 min value is outside of the array range",
7974 .result = REJECT
7975 },
7976 {
7977 "bounds check based on reg_off + var_off + insn_off. test1",
7978 .insns = {
7979 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
7980 offsetof(struct __sk_buff, mark)),
7981 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7982 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7983 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7984 BPF_LD_MAP_FD(BPF_REG_1, 0),
7985 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7986 BPF_FUNC_map_lookup_elem),
7987 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7988 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
7989 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 29) - 1),
7990 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
7991 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
7992 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
7993 BPF_MOV64_IMM(BPF_REG_0, 0),
7994 BPF_EXIT_INSN(),
7995 },
7996 .fixup_map1 = { 4 },
7997 .errstr = "value_size=8 off=1073741825",
7998 .result = REJECT,
7999 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8000 },
8001 {
8002 "bounds check based on reg_off + var_off + insn_off. test2",
8003 .insns = {
8004 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
8005 offsetof(struct __sk_buff, mark)),
8006 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8007 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8008 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8009 BPF_LD_MAP_FD(BPF_REG_1, 0),
8010 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8011 BPF_FUNC_map_lookup_elem),
8012 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8013 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
8014 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 30) - 1),
8015 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
8016 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
8017 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
8018 BPF_MOV64_IMM(BPF_REG_0, 0),
8019 BPF_EXIT_INSN(),
8020 },
8021 .fixup_map1 = { 4 },
8022 .errstr = "value 1073741823",
8023 .result = REJECT,
8024 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8025 },
8026 {
8027 "bounds check after truncation of non-boundary-crossing range",
8028 .insns = {
8029 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8030 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8031 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8032 BPF_LD_MAP_FD(BPF_REG_1, 0),
8033 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8034 BPF_FUNC_map_lookup_elem),
8035 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8036 /* r1 = [0x00, 0xff] */
8037 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8038 BPF_MOV64_IMM(BPF_REG_2, 1),
8039 /* r2 = 0x10'0000'0000 */
8040 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 36),
8041 /* r1 = [0x10'0000'0000, 0x10'0000'00ff] */
8042 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
8043 /* r1 = [0x10'7fff'ffff, 0x10'8000'00fe] */
8044 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8045 /* r1 = [0x00, 0xff] */
8046 BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 0x7fffffff),
8047 /* r1 = 0 */
8048 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8049 /* no-op */
8050 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8051 /* access at offset 0 */
8052 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8053 /* exit */
8054 BPF_MOV64_IMM(BPF_REG_0, 0),
8055 BPF_EXIT_INSN(),
8056 },
8057 .fixup_map1 = { 3 },
8058 .result = ACCEPT
8059 },
8060 {
8061 "bounds check after truncation of boundary-crossing range (1)",
8062 .insns = {
8063 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8064 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8065 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8066 BPF_LD_MAP_FD(BPF_REG_1, 0),
8067 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8068 BPF_FUNC_map_lookup_elem),
8069 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8070 /* r1 = [0x00, 0xff] */
8071 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8072 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8073 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
8074 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8075 /* r1 = [0xffff'ff80, 0xffff'ffff] or
8076 * [0x0000'0000, 0x0000'007f]
8077 */
8078 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 0),
8079 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8080 /* r1 = [0x00, 0xff] or
8081 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
8082 */
8083 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8084 /* r1 = 0 or
8085 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
8086 */
8087 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8088 /* no-op or OOB pointer computation */
8089 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8090 /* potentially OOB access */
8091 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8092 /* exit */
8093 BPF_MOV64_IMM(BPF_REG_0, 0),
8094 BPF_EXIT_INSN(),
8095 },
8096 .fixup_map1 = { 3 },
8097 /* not actually fully unbounded, but the bound is very high */
8098 .errstr = "R0 unbounded memory access",
8099 .result = REJECT
8100 },
8101 {
8102 "bounds check after truncation of boundary-crossing range (2)",
8103 .insns = {
8104 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8105 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8106 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8107 BPF_LD_MAP_FD(BPF_REG_1, 0),
8108 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8109 BPF_FUNC_map_lookup_elem),
8110 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8111 /* r1 = [0x00, 0xff] */
8112 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8113 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8114 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
8115 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8116 /* r1 = [0xffff'ff80, 0xffff'ffff] or
8117 * [0x0000'0000, 0x0000'007f]
8118 * difference to previous test: truncation via MOV32
8119 * instead of ALU32.
8120 */
8121 BPF_MOV32_REG(BPF_REG_1, BPF_REG_1),
8122 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8123 /* r1 = [0x00, 0xff] or
8124 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
8125 */
8126 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8127 /* r1 = 0 or
8128 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
8129 */
8130 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8131 /* no-op or OOB pointer computation */
8132 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8133 /* potentially OOB access */
8134 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8135 /* exit */
8136 BPF_MOV64_IMM(BPF_REG_0, 0),
8137 BPF_EXIT_INSN(),
8138 },
8139 .fixup_map1 = { 3 },
8140 /* not actually fully unbounded, but the bound is very high */
8141 .errstr = "R0 unbounded memory access",
8142 .result = REJECT
8143 },
8144 {
8145 "bounds check after wrapping 32-bit addition",
8146 .insns = {
8147 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8148 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8149 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8150 BPF_LD_MAP_FD(BPF_REG_1, 0),
8151 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8152 BPF_FUNC_map_lookup_elem),
8153 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
8154 /* r1 = 0x7fff'ffff */
8155 BPF_MOV64_IMM(BPF_REG_1, 0x7fffffff),
8156 /* r1 = 0xffff'fffe */
8157 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8158 /* r1 = 0 */
8159 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 2),
8160 /* no-op */
8161 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8162 /* access at offset 0 */
8163 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8164 /* exit */
8165 BPF_MOV64_IMM(BPF_REG_0, 0),
8166 BPF_EXIT_INSN(),
8167 },
8168 .fixup_map1 = { 3 },
8169 .result = ACCEPT
8170 },
8171 {
8172 "bounds check after shift with oversized count operand",
8173 .insns = {
8174 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8175 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8176 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8177 BPF_LD_MAP_FD(BPF_REG_1, 0),
8178 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8179 BPF_FUNC_map_lookup_elem),
8180 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8181 BPF_MOV64_IMM(BPF_REG_2, 32),
8182 BPF_MOV64_IMM(BPF_REG_1, 1),
8183 /* r1 = (u32)1 << (u32)32 = ? */
8184 BPF_ALU32_REG(BPF_LSH, BPF_REG_1, BPF_REG_2),
8185 /* r1 = [0x0000, 0xffff] */
8186 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xffff),
8187 /* computes unknown pointer, potentially OOB */
8188 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8189 /* potentially OOB access */
8190 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8191 /* exit */
8192 BPF_MOV64_IMM(BPF_REG_0, 0),
8193 BPF_EXIT_INSN(),
8194 },
8195 .fixup_map1 = { 3 },
8196 .errstr = "R0 max value is outside of the array range",
8197 .result = REJECT
8198 },
8199 {
8200 "bounds check after right shift of maybe-negative number",
8201 .insns = {
8202 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8203 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8204 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8205 BPF_LD_MAP_FD(BPF_REG_1, 0),
8206 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8207 BPF_FUNC_map_lookup_elem),
8208 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8209 /* r1 = [0x00, 0xff] */
8210 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8211 /* r1 = [-0x01, 0xfe] */
8212 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1),
8213 /* r1 = 0 or 0xff'ffff'ffff'ffff */
8214 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8215 /* r1 = 0 or 0xffff'ffff'ffff */
8216 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8217 /* computes unknown pointer, potentially OOB */
8218 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8219 /* potentially OOB access */
8220 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8221 /* exit */
8222 BPF_MOV64_IMM(BPF_REG_0, 0),
8223 BPF_EXIT_INSN(),
8224 },
8225 .fixup_map1 = { 3 },
8226 .errstr = "R0 unbounded memory access",
8227 .result = REJECT
8228 },
8229 {
8230 "bounds check map access with off+size signed 32bit overflow. test1",
8231 .insns = {
8232 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8233 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8234 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8235 BPF_LD_MAP_FD(BPF_REG_1, 0),
8236 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8237 BPF_FUNC_map_lookup_elem),
8238 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8239 BPF_EXIT_INSN(),
8240 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7ffffffe),
8241 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8242 BPF_JMP_A(0),
8243 BPF_EXIT_INSN(),
8244 },
8245 .fixup_map1 = { 3 },
8246 .errstr = "map_value pointer and 2147483646",
8247 .result = REJECT
8248 },
8249 {
8250 "bounds check map access with off+size signed 32bit overflow. test2",
8251 .insns = {
8252 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8253 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8254 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8255 BPF_LD_MAP_FD(BPF_REG_1, 0),
8256 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8257 BPF_FUNC_map_lookup_elem),
8258 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8259 BPF_EXIT_INSN(),
8260 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
8261 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
8262 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
8263 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8264 BPF_JMP_A(0),
8265 BPF_EXIT_INSN(),
8266 },
8267 .fixup_map1 = { 3 },
8268 .errstr = "pointer offset 1073741822",
8269 .result = REJECT
8270 },
8271 {
8272 "bounds check map access with off+size signed 32bit overflow. test3",
8273 .insns = {
8274 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8275 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8276 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8277 BPF_LD_MAP_FD(BPF_REG_1, 0),
8278 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8279 BPF_FUNC_map_lookup_elem),
8280 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8281 BPF_EXIT_INSN(),
8282 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
8283 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
8284 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
8285 BPF_JMP_A(0),
8286 BPF_EXIT_INSN(),
8287 },
8288 .fixup_map1 = { 3 },
8289 .errstr = "pointer offset -1073741822",
8290 .result = REJECT
8291 },
8292 {
8293 "bounds check map access with off+size signed 32bit overflow. test4",
8294 .insns = {
8295 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8296 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8297 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8298 BPF_LD_MAP_FD(BPF_REG_1, 0),
8299 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8300 BPF_FUNC_map_lookup_elem),
8301 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8302 BPF_EXIT_INSN(),
8303 BPF_MOV64_IMM(BPF_REG_1, 1000000),
8304 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 1000000),
8305 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8306 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
8307 BPF_JMP_A(0),
8308 BPF_EXIT_INSN(),
8309 },
8310 .fixup_map1 = { 3 },
8311 .errstr = "map_value pointer and 1000000000000",
8312 .result = REJECT
8313 },
8314 {
8315 "pointer/scalar confusion in state equality check (way 1)",
8316 .insns = {
8317 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8318 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8319 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8320 BPF_LD_MAP_FD(BPF_REG_1, 0),
8321 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8322 BPF_FUNC_map_lookup_elem),
8323 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
8324 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8325 BPF_JMP_A(1),
8326 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
8327 BPF_JMP_A(0),
8328 BPF_EXIT_INSN(),
8329 },
8330 .fixup_map1 = { 3 },
8331 .result = ACCEPT,
8332 .retval = POINTER_VALUE,
8333 .result_unpriv = REJECT,
8334 .errstr_unpriv = "R0 leaks addr as return value"
8335 },
8336 {
8337 "pointer/scalar confusion in state equality check (way 2)",
8338 .insns = {
8339 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8340 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8341 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8342 BPF_LD_MAP_FD(BPF_REG_1, 0),
8343 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8344 BPF_FUNC_map_lookup_elem),
8345 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
8346 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
8347 BPF_JMP_A(1),
8348 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8349 BPF_EXIT_INSN(),
8350 },
8351 .fixup_map1 = { 3 },
8352 .result = ACCEPT,
8353 .retval = POINTER_VALUE,
8354 .result_unpriv = REJECT,
8355 .errstr_unpriv = "R0 leaks addr as return value"
8356 },
8357 {
8358 "variable-offset ctx access",
8359 .insns = {
8360 /* Get an unknown value */
8361 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8362 /* Make it small and 4-byte aligned */
8363 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8364 /* add it to skb. We now have either &skb->len or
8365 * &skb->pkt_type, but we don't know which
8366 */
8367 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
8368 /* dereference it */
8369 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8370 BPF_EXIT_INSN(),
8371 },
8372 .errstr = "variable ctx access var_off=(0x0; 0x4)",
8373 .result = REJECT,
8374 .prog_type = BPF_PROG_TYPE_LWT_IN,
8375 },
8376 {
8377 "variable-offset stack access",
8378 .insns = {
8379 /* Fill the top 8 bytes of the stack */
8380 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8381 /* Get an unknown value */
8382 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8383 /* Make it small and 4-byte aligned */
8384 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8385 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
8386 /* add it to fp. We now have either fp-4 or fp-8, but
8387 * we don't know which
8388 */
8389 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
8390 /* dereference it */
8391 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0),
8392 BPF_EXIT_INSN(),
8393 },
8394 .errstr = "variable stack access var_off=(0xfffffffffffffff8; 0x4)",
8395 .result = REJECT,
8396 .prog_type = BPF_PROG_TYPE_LWT_IN,
8397 },
8398 {
8399 "indirect variable-offset stack access",
8400 .insns = {
8401 /* Fill the top 8 bytes of the stack */
8402 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8403 /* Get an unknown value */
8404 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8405 /* Make it small and 4-byte aligned */
8406 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8407 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
8408 /* add it to fp. We now have either fp-4 or fp-8, but
8409 * we don't know which
8410 */
8411 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
8412 /* dereference it indirectly */
8413 BPF_LD_MAP_FD(BPF_REG_1, 0),
8414 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8415 BPF_FUNC_map_lookup_elem),
8416 BPF_MOV64_IMM(BPF_REG_0, 0),
8417 BPF_EXIT_INSN(),
8418 },
8419 .fixup_map1 = { 5 },
8420 .errstr = "variable stack read R2",
8421 .result = REJECT,
8422 .prog_type = BPF_PROG_TYPE_LWT_IN,
8423 },
8424 {
8425 "direct stack access with 32-bit wraparound. test1",
8426 .insns = {
8427 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8428 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8429 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8430 BPF_MOV32_IMM(BPF_REG_0, 0),
8431 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8432 BPF_EXIT_INSN()
8433 },
8434 .errstr = "fp pointer and 2147483647",
8435 .result = REJECT
8436 },
8437 {
8438 "direct stack access with 32-bit wraparound. test2",
8439 .insns = {
8440 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8441 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
8442 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
8443 BPF_MOV32_IMM(BPF_REG_0, 0),
8444 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8445 BPF_EXIT_INSN()
8446 },
8447 .errstr = "fp pointer and 1073741823",
8448 .result = REJECT
8449 },
8450 {
8451 "direct stack access with 32-bit wraparound. test3",
8452 .insns = {
8453 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8454 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
8455 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
8456 BPF_MOV32_IMM(BPF_REG_0, 0),
8457 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8458 BPF_EXIT_INSN()
8459 },
8460 .errstr = "fp pointer offset 1073741822",
8461 .result = REJECT
8462 },
8463 {
8464 "liveness pruning and write screening",
8465 .insns = {
8466 /* Get an unknown value */
8467 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8468 /* branch conditions teach us nothing about R2 */
8469 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
8470 BPF_MOV64_IMM(BPF_REG_0, 0),
8471 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
8472 BPF_MOV64_IMM(BPF_REG_0, 0),
8473 BPF_EXIT_INSN(),
8474 },
8475 .errstr = "R0 !read_ok",
8476 .result = REJECT,
8477 .prog_type = BPF_PROG_TYPE_LWT_IN,
8478 },
8479 {
8480 "varlen_map_value_access pruning",
8481 .insns = {
8482 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8483 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8484 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8485 BPF_LD_MAP_FD(BPF_REG_1, 0),
8486 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8487 BPF_FUNC_map_lookup_elem),
8488 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
8489 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
8490 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
8491 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
8492 BPF_MOV32_IMM(BPF_REG_1, 0),
8493 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
8494 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8495 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
8496 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
8497 offsetof(struct test_val, foo)),
8498 BPF_EXIT_INSN(),
8499 },
8500 .fixup_map2 = { 3 },
8501 .errstr_unpriv = "R0 leaks addr",
8502 .errstr = "R0 unbounded memory access",
8503 .result_unpriv = REJECT,
8504 .result = REJECT,
8505 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8506 },
8507 {
8508 "invalid 64-bit BPF_END",
8509 .insns = {
8510 BPF_MOV32_IMM(BPF_REG_0, 0),
8511 {
8512 .code = BPF_ALU64 | BPF_END | BPF_TO_LE,
8513 .dst_reg = BPF_REG_0,
8514 .src_reg = 0,
8515 .off = 0,
8516 .imm = 32,
8517 },
8518 BPF_EXIT_INSN(),
8519 },
8520 .errstr = "unknown opcode d7",
8521 .result = REJECT,
8522 },
8523 {
8524 "XDP, using ifindex from netdev",
8525 .insns = {
8526 BPF_MOV64_IMM(BPF_REG_0, 0),
8527 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8528 offsetof(struct xdp_md, ingress_ifindex)),
8529 BPF_JMP_IMM(BPF_JLT, BPF_REG_2, 1, 1),
8530 BPF_MOV64_IMM(BPF_REG_0, 1),
8531 BPF_EXIT_INSN(),
8532 },
8533 .result = ACCEPT,
8534 .prog_type = BPF_PROG_TYPE_XDP,
8535 .retval = 1,
8536 },
8537 {
8538 "meta access, test1",
8539 .insns = {
8540 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8541 offsetof(struct xdp_md, data_meta)),
8542 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8543 offsetof(struct xdp_md, data)),
8544 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8545 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8546 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
8547 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8548 BPF_MOV64_IMM(BPF_REG_0, 0),
8549 BPF_EXIT_INSN(),
8550 },
8551 .result = ACCEPT,
8552 .prog_type = BPF_PROG_TYPE_XDP,
8553 },
8554 {
8555 "meta access, test2",
8556 .insns = {
8557 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8558 offsetof(struct xdp_md, data_meta)),
8559 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8560 offsetof(struct xdp_md, data)),
8561 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8562 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 8),
8563 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8564 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8565 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8566 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8567 BPF_MOV64_IMM(BPF_REG_0, 0),
8568 BPF_EXIT_INSN(),
8569 },
8570 .result = REJECT,
8571 .errstr = "invalid access to packet, off=-8",
8572 .prog_type = BPF_PROG_TYPE_XDP,
8573 },
8574 {
8575 "meta access, test3",
8576 .insns = {
8577 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8578 offsetof(struct xdp_md, data_meta)),
8579 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8580 offsetof(struct xdp_md, data_end)),
8581 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8582 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8583 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
8584 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8585 BPF_MOV64_IMM(BPF_REG_0, 0),
8586 BPF_EXIT_INSN(),
8587 },
8588 .result = REJECT,
8589 .errstr = "invalid access to packet",
8590 .prog_type = BPF_PROG_TYPE_XDP,
8591 },
8592 {
8593 "meta access, test4",
8594 .insns = {
8595 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8596 offsetof(struct xdp_md, data_meta)),
8597 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8598 offsetof(struct xdp_md, data_end)),
8599 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8600 offsetof(struct xdp_md, data)),
8601 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
8602 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8603 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
8604 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8605 BPF_MOV64_IMM(BPF_REG_0, 0),
8606 BPF_EXIT_INSN(),
8607 },
8608 .result = REJECT,
8609 .errstr = "invalid access to packet",
8610 .prog_type = BPF_PROG_TYPE_XDP,
8611 },
8612 {
8613 "meta access, test5",
8614 .insns = {
8615 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8616 offsetof(struct xdp_md, data_meta)),
8617 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8618 offsetof(struct xdp_md, data)),
8619 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8620 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8621 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_4, 3),
8622 BPF_MOV64_IMM(BPF_REG_2, -8),
8623 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8624 BPF_FUNC_xdp_adjust_meta),
8625 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
8626 BPF_MOV64_IMM(BPF_REG_0, 0),
8627 BPF_EXIT_INSN(),
8628 },
8629 .result = REJECT,
8630 .errstr = "R3 !read_ok",
8631 .prog_type = BPF_PROG_TYPE_XDP,
8632 },
8633 {
8634 "meta access, test6",
8635 .insns = {
8636 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8637 offsetof(struct xdp_md, data_meta)),
8638 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8639 offsetof(struct xdp_md, data)),
8640 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8641 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8642 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8643 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8644 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 1),
8645 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8646 BPF_MOV64_IMM(BPF_REG_0, 0),
8647 BPF_EXIT_INSN(),
8648 },
8649 .result = REJECT,
8650 .errstr = "invalid access to packet",
8651 .prog_type = BPF_PROG_TYPE_XDP,
8652 },
8653 {
8654 "meta access, test7",
8655 .insns = {
8656 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8657 offsetof(struct xdp_md, data_meta)),
8658 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8659 offsetof(struct xdp_md, data)),
8660 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8661 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8662 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8663 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8664 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8665 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8666 BPF_MOV64_IMM(BPF_REG_0, 0),
8667 BPF_EXIT_INSN(),
8668 },
8669 .result = ACCEPT,
8670 .prog_type = BPF_PROG_TYPE_XDP,
8671 },
8672 {
8673 "meta access, test8",
8674 .insns = {
8675 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8676 offsetof(struct xdp_md, data_meta)),
8677 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8678 offsetof(struct xdp_md, data)),
8679 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8680 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
8681 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8682 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8683 BPF_MOV64_IMM(BPF_REG_0, 0),
8684 BPF_EXIT_INSN(),
8685 },
8686 .result = ACCEPT,
8687 .prog_type = BPF_PROG_TYPE_XDP,
8688 },
8689 {
8690 "meta access, test9",
8691 .insns = {
8692 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8693 offsetof(struct xdp_md, data_meta)),
8694 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8695 offsetof(struct xdp_md, data)),
8696 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8697 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
8698 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
8699 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8700 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8701 BPF_MOV64_IMM(BPF_REG_0, 0),
8702 BPF_EXIT_INSN(),
8703 },
8704 .result = REJECT,
8705 .errstr = "invalid access to packet",
8706 .prog_type = BPF_PROG_TYPE_XDP,
8707 },
8708 {
8709 "meta access, test10",
8710 .insns = {
8711 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8712 offsetof(struct xdp_md, data_meta)),
8713 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8714 offsetof(struct xdp_md, data)),
8715 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8716 offsetof(struct xdp_md, data_end)),
8717 BPF_MOV64_IMM(BPF_REG_5, 42),
8718 BPF_MOV64_IMM(BPF_REG_6, 24),
8719 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
8720 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
8721 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
8722 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
8723 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_5),
8724 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
8725 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
8726 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
8727 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_5, 1),
8728 BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
8729 BPF_MOV64_IMM(BPF_REG_0, 0),
8730 BPF_EXIT_INSN(),
8731 },
8732 .result = REJECT,
8733 .errstr = "invalid access to packet",
8734 .prog_type = BPF_PROG_TYPE_XDP,
8735 },
8736 {
8737 "meta access, test11",
8738 .insns = {
8739 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8740 offsetof(struct xdp_md, data_meta)),
8741 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8742 offsetof(struct xdp_md, data)),
8743 BPF_MOV64_IMM(BPF_REG_5, 42),
8744 BPF_MOV64_IMM(BPF_REG_6, 24),
8745 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
8746 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
8747 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
8748 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
8749 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_5),
8750 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
8751 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
8752 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
8753 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_3, 1),
8754 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_5, 0),
8755 BPF_MOV64_IMM(BPF_REG_0, 0),
8756 BPF_EXIT_INSN(),
8757 },
8758 .result = ACCEPT,
8759 .prog_type = BPF_PROG_TYPE_XDP,
8760 },
8761 {
8762 "meta access, test12",
8763 .insns = {
8764 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8765 offsetof(struct xdp_md, data_meta)),
8766 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8767 offsetof(struct xdp_md, data)),
8768 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8769 offsetof(struct xdp_md, data_end)),
8770 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
8771 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
8772 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 5),
8773 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
8774 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
8775 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
8776 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 1),
8777 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8778 BPF_MOV64_IMM(BPF_REG_0, 0),
8779 BPF_EXIT_INSN(),
8780 },
8781 .result = ACCEPT,
8782 .prog_type = BPF_PROG_TYPE_XDP,
8783 },
8784 {
8785 "arithmetic ops make PTR_TO_CTX unusable",
8786 .insns = {
8787 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
8788 offsetof(struct __sk_buff, data) -
8789 offsetof(struct __sk_buff, mark)),
8790 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8791 offsetof(struct __sk_buff, mark)),
8792 BPF_EXIT_INSN(),
8793 },
8794 .errstr = "dereference of modified ctx ptr",
8795 .result = REJECT,
8796 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8797 },
8798 {
8799 "pkt_end - pkt_start is allowed",
8800 .insns = {
8801 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8802 offsetof(struct __sk_buff, data_end)),
8803 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8804 offsetof(struct __sk_buff, data)),
8805 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
8806 BPF_EXIT_INSN(),
8807 },
8808 .result = ACCEPT,
8809 .retval = TEST_DATA_LEN,
8810 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8811 },
8812 {
8813 "XDP pkt read, pkt_end mangling, bad access 1",
8814 .insns = {
8815 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8816 offsetof(struct xdp_md, data)),
8817 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8818 offsetof(struct xdp_md, data_end)),
8819 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8820 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8821 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8),
8822 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8823 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8824 BPF_MOV64_IMM(BPF_REG_0, 0),
8825 BPF_EXIT_INSN(),
8826 },
8827 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
8828 .result = REJECT,
8829 .prog_type = BPF_PROG_TYPE_XDP,
8830 },
8831 {
8832 "XDP pkt read, pkt_end mangling, bad access 2",
8833 .insns = {
8834 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8835 offsetof(struct xdp_md, data)),
8836 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8837 offsetof(struct xdp_md, data_end)),
8838 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8839 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8840 BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8),
8841 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8842 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8843 BPF_MOV64_IMM(BPF_REG_0, 0),
8844 BPF_EXIT_INSN(),
8845 },
8846 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
8847 .result = REJECT,
8848 .prog_type = BPF_PROG_TYPE_XDP,
8849 },
8850 {
8851 "XDP pkt read, pkt_data' > pkt_end, good access",
8852 .insns = {
8853 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8854 offsetof(struct xdp_md, data)),
8855 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8856 offsetof(struct xdp_md, data_end)),
8857 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8858 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8859 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8860 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8861 BPF_MOV64_IMM(BPF_REG_0, 0),
8862 BPF_EXIT_INSN(),
8863 },
8864 .result = ACCEPT,
8865 .prog_type = BPF_PROG_TYPE_XDP,
8866 },
8867 {
8868 "XDP pkt read, pkt_data' > pkt_end, bad access 1",
8869 .insns = {
8870 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8871 offsetof(struct xdp_md, data)),
8872 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8873 offsetof(struct xdp_md, data_end)),
8874 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8875 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8876 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8877 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8878 BPF_MOV64_IMM(BPF_REG_0, 0),
8879 BPF_EXIT_INSN(),
8880 },
8881 .errstr = "R1 offset is outside of the packet",
8882 .result = REJECT,
8883 .prog_type = BPF_PROG_TYPE_XDP,
8884 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8885 },
8886 {
8887 "XDP pkt read, pkt_data' > pkt_end, bad access 2",
8888 .insns = {
8889 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8890 offsetof(struct xdp_md, data)),
8891 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8892 offsetof(struct xdp_md, data_end)),
8893 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8894 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8895 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
8896 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8897 BPF_MOV64_IMM(BPF_REG_0, 0),
8898 BPF_EXIT_INSN(),
8899 },
8900 .errstr = "R1 offset is outside of the packet",
8901 .result = REJECT,
8902 .prog_type = BPF_PROG_TYPE_XDP,
8903 },
8904 {
8905 "XDP pkt read, pkt_end > pkt_data', good access",
8906 .insns = {
8907 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8908 offsetof(struct xdp_md, data)),
8909 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8910 offsetof(struct xdp_md, data_end)),
8911 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8912 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8913 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8914 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8915 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8916 BPF_MOV64_IMM(BPF_REG_0, 0),
8917 BPF_EXIT_INSN(),
8918 },
8919 .result = ACCEPT,
8920 .prog_type = BPF_PROG_TYPE_XDP,
8921 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8922 },
8923 {
8924 "XDP pkt read, pkt_end > pkt_data', bad access 1",
8925 .insns = {
8926 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8927 offsetof(struct xdp_md, data)),
8928 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8929 offsetof(struct xdp_md, data_end)),
8930 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8931 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8932 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8933 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8934 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8935 BPF_MOV64_IMM(BPF_REG_0, 0),
8936 BPF_EXIT_INSN(),
8937 },
8938 .errstr = "R1 offset is outside of the packet",
8939 .result = REJECT,
8940 .prog_type = BPF_PROG_TYPE_XDP,
8941 },
8942 {
8943 "XDP pkt read, pkt_end > pkt_data', bad access 2",
8944 .insns = {
8945 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8946 offsetof(struct xdp_md, data)),
8947 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8948 offsetof(struct xdp_md, data_end)),
8949 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8950 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8951 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8952 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8953 BPF_MOV64_IMM(BPF_REG_0, 0),
8954 BPF_EXIT_INSN(),
8955 },
8956 .errstr = "R1 offset is outside of the packet",
8957 .result = REJECT,
8958 .prog_type = BPF_PROG_TYPE_XDP,
8959 },
8960 {
8961 "XDP pkt read, pkt_data' < pkt_end, good access",
8962 .insns = {
8963 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8964 offsetof(struct xdp_md, data)),
8965 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8966 offsetof(struct xdp_md, data_end)),
8967 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8968 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8969 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8970 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8971 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8972 BPF_MOV64_IMM(BPF_REG_0, 0),
8973 BPF_EXIT_INSN(),
8974 },
8975 .result = ACCEPT,
8976 .prog_type = BPF_PROG_TYPE_XDP,
8977 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8978 },
8979 {
8980 "XDP pkt read, pkt_data' < pkt_end, bad access 1",
8981 .insns = {
8982 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8983 offsetof(struct xdp_md, data)),
8984 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8985 offsetof(struct xdp_md, data_end)),
8986 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8987 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8988 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8989 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8990 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8991 BPF_MOV64_IMM(BPF_REG_0, 0),
8992 BPF_EXIT_INSN(),
8993 },
8994 .errstr = "R1 offset is outside of the packet",
8995 .result = REJECT,
8996 .prog_type = BPF_PROG_TYPE_XDP,
8997 },
8998 {
8999 "XDP pkt read, pkt_data' < pkt_end, bad access 2",
9000 .insns = {
9001 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9002 offsetof(struct xdp_md, data)),
9003 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9004 offsetof(struct xdp_md, data_end)),
9005 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9006 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9007 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9008 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9009 BPF_MOV64_IMM(BPF_REG_0, 0),
9010 BPF_EXIT_INSN(),
9011 },
9012 .errstr = "R1 offset is outside of the packet",
9013 .result = REJECT,
9014 .prog_type = BPF_PROG_TYPE_XDP,
9015 },
9016 {
9017 "XDP pkt read, pkt_end < pkt_data', good access",
9018 .insns = {
9019 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9020 offsetof(struct xdp_md, data)),
9021 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9022 offsetof(struct xdp_md, data_end)),
9023 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9024 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9025 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9026 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9027 BPF_MOV64_IMM(BPF_REG_0, 0),
9028 BPF_EXIT_INSN(),
9029 },
9030 .result = ACCEPT,
9031 .prog_type = BPF_PROG_TYPE_XDP,
9032 },
9033 {
9034 "XDP pkt read, pkt_end < pkt_data', bad access 1",
9035 .insns = {
9036 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9037 offsetof(struct xdp_md, data)),
9038 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9039 offsetof(struct xdp_md, data_end)),
9040 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9041 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9042 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9043 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9044 BPF_MOV64_IMM(BPF_REG_0, 0),
9045 BPF_EXIT_INSN(),
9046 },
9047 .errstr = "R1 offset is outside of the packet",
9048 .result = REJECT,
9049 .prog_type = BPF_PROG_TYPE_XDP,
9050 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9051 },
9052 {
9053 "XDP pkt read, pkt_end < pkt_data', bad access 2",
9054 .insns = {
9055 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9056 offsetof(struct xdp_md, data)),
9057 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9058 offsetof(struct xdp_md, data_end)),
9059 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9060 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9061 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
9062 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9063 BPF_MOV64_IMM(BPF_REG_0, 0),
9064 BPF_EXIT_INSN(),
9065 },
9066 .errstr = "R1 offset is outside of the packet",
9067 .result = REJECT,
9068 .prog_type = BPF_PROG_TYPE_XDP,
9069 },
9070 {
9071 "XDP pkt read, pkt_data' >= pkt_end, good access",
9072 .insns = {
9073 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9074 offsetof(struct xdp_md, data)),
9075 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9076 offsetof(struct xdp_md, data_end)),
9077 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9078 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9079 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9080 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9081 BPF_MOV64_IMM(BPF_REG_0, 0),
9082 BPF_EXIT_INSN(),
9083 },
9084 .result = ACCEPT,
9085 .prog_type = BPF_PROG_TYPE_XDP,
9086 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9087 },
9088 {
9089 "XDP pkt read, pkt_data' >= pkt_end, bad access 1",
9090 .insns = {
9091 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9092 offsetof(struct xdp_md, data)),
9093 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9094 offsetof(struct xdp_md, data_end)),
9095 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9096 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9097 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9098 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9099 BPF_MOV64_IMM(BPF_REG_0, 0),
9100 BPF_EXIT_INSN(),
9101 },
9102 .errstr = "R1 offset is outside of the packet",
9103 .result = REJECT,
9104 .prog_type = BPF_PROG_TYPE_XDP,
9105 },
9106 {
9107 "XDP pkt read, pkt_data' >= pkt_end, bad access 2",
9108 .insns = {
9109 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9110 offsetof(struct xdp_md, data)),
9111 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9112 offsetof(struct xdp_md, data_end)),
9113 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9114 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9115 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
9116 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9117 BPF_MOV64_IMM(BPF_REG_0, 0),
9118 BPF_EXIT_INSN(),
9119 },
9120 .errstr = "R1 offset is outside of the packet",
9121 .result = REJECT,
9122 .prog_type = BPF_PROG_TYPE_XDP,
9123 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9124 },
9125 {
9126 "XDP pkt read, pkt_end >= pkt_data', good access",
9127 .insns = {
9128 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9129 offsetof(struct xdp_md, data)),
9130 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9131 offsetof(struct xdp_md, data_end)),
9132 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9133 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9134 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9135 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9136 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9137 BPF_MOV64_IMM(BPF_REG_0, 0),
9138 BPF_EXIT_INSN(),
9139 },
9140 .result = ACCEPT,
9141 .prog_type = BPF_PROG_TYPE_XDP,
9142 },
9143 {
9144 "XDP pkt read, pkt_end >= pkt_data', bad access 1",
9145 .insns = {
9146 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9147 offsetof(struct xdp_md, data)),
9148 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9149 offsetof(struct xdp_md, data_end)),
9150 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9151 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9152 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9153 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9154 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9155 BPF_MOV64_IMM(BPF_REG_0, 0),
9156 BPF_EXIT_INSN(),
9157 },
9158 .errstr = "R1 offset is outside of the packet",
9159 .result = REJECT,
9160 .prog_type = BPF_PROG_TYPE_XDP,
9161 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9162 },
9163 {
9164 "XDP pkt read, pkt_end >= pkt_data', bad access 2",
9165 .insns = {
9166 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9167 offsetof(struct xdp_md, data)),
9168 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9169 offsetof(struct xdp_md, data_end)),
9170 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9171 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9172 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9173 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9174 BPF_MOV64_IMM(BPF_REG_0, 0),
9175 BPF_EXIT_INSN(),
9176 },
9177 .errstr = "R1 offset is outside of the packet",
9178 .result = REJECT,
9179 .prog_type = BPF_PROG_TYPE_XDP,
9180 },
9181 {
9182 "XDP pkt read, pkt_data' <= pkt_end, good access",
9183 .insns = {
9184 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9185 offsetof(struct xdp_md, data)),
9186 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9187 offsetof(struct xdp_md, data_end)),
9188 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9189 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9190 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9191 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9192 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9193 BPF_MOV64_IMM(BPF_REG_0, 0),
9194 BPF_EXIT_INSN(),
9195 },
9196 .result = ACCEPT,
9197 .prog_type = BPF_PROG_TYPE_XDP,
9198 },
9199 {
9200 "XDP pkt read, pkt_data' <= pkt_end, bad access 1",
9201 .insns = {
9202 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9203 offsetof(struct xdp_md, data)),
9204 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9205 offsetof(struct xdp_md, data_end)),
9206 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9207 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9208 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9209 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9210 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9211 BPF_MOV64_IMM(BPF_REG_0, 0),
9212 BPF_EXIT_INSN(),
9213 },
9214 .errstr = "R1 offset is outside of the packet",
9215 .result = REJECT,
9216 .prog_type = BPF_PROG_TYPE_XDP,
9217 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9218 },
9219 {
9220 "XDP pkt read, pkt_data' <= pkt_end, bad access 2",
9221 .insns = {
9222 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9223 offsetof(struct xdp_md, data)),
9224 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9225 offsetof(struct xdp_md, data_end)),
9226 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9227 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9228 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9229 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9230 BPF_MOV64_IMM(BPF_REG_0, 0),
9231 BPF_EXIT_INSN(),
9232 },
9233 .errstr = "R1 offset is outside of the packet",
9234 .result = REJECT,
9235 .prog_type = BPF_PROG_TYPE_XDP,
9236 },
9237 {
9238 "XDP pkt read, pkt_end <= pkt_data', good access",
9239 .insns = {
9240 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9241 offsetof(struct xdp_md, data)),
9242 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9243 offsetof(struct xdp_md, data_end)),
9244 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9245 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9246 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9247 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9248 BPF_MOV64_IMM(BPF_REG_0, 0),
9249 BPF_EXIT_INSN(),
9250 },
9251 .result = ACCEPT,
9252 .prog_type = BPF_PROG_TYPE_XDP,
9253 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9254 },
9255 {
9256 "XDP pkt read, pkt_end <= pkt_data', bad access 1",
9257 .insns = {
9258 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9259 offsetof(struct xdp_md, data)),
9260 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9261 offsetof(struct xdp_md, data_end)),
9262 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9263 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9264 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9265 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9266 BPF_MOV64_IMM(BPF_REG_0, 0),
9267 BPF_EXIT_INSN(),
9268 },
9269 .errstr = "R1 offset is outside of the packet",
9270 .result = REJECT,
9271 .prog_type = BPF_PROG_TYPE_XDP,
9272 },
9273 {
9274 "XDP pkt read, pkt_end <= pkt_data', bad access 2",
9275 .insns = {
9276 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9277 offsetof(struct xdp_md, data)),
9278 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9279 offsetof(struct xdp_md, data_end)),
9280 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9281 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9282 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
9283 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9284 BPF_MOV64_IMM(BPF_REG_0, 0),
9285 BPF_EXIT_INSN(),
9286 },
9287 .errstr = "R1 offset is outside of the packet",
9288 .result = REJECT,
9289 .prog_type = BPF_PROG_TYPE_XDP,
9290 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9291 },
9292 {
9293 "XDP pkt read, pkt_meta' > pkt_data, good access",
9294 .insns = {
9295 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9296 offsetof(struct xdp_md, data_meta)),
9297 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9298 offsetof(struct xdp_md, data)),
9299 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9300 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9301 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9302 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9303 BPF_MOV64_IMM(BPF_REG_0, 0),
9304 BPF_EXIT_INSN(),
9305 },
9306 .result = ACCEPT,
9307 .prog_type = BPF_PROG_TYPE_XDP,
9308 },
9309 {
9310 "XDP pkt read, pkt_meta' > pkt_data, bad access 1",
9311 .insns = {
9312 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9313 offsetof(struct xdp_md, data_meta)),
9314 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9315 offsetof(struct xdp_md, data)),
9316 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9317 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9318 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9319 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9320 BPF_MOV64_IMM(BPF_REG_0, 0),
9321 BPF_EXIT_INSN(),
9322 },
9323 .errstr = "R1 offset is outside of the packet",
9324 .result = REJECT,
9325 .prog_type = BPF_PROG_TYPE_XDP,
9326 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9327 },
9328 {
9329 "XDP pkt read, pkt_meta' > pkt_data, bad access 2",
9330 .insns = {
9331 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9332 offsetof(struct xdp_md, data_meta)),
9333 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9334 offsetof(struct xdp_md, data)),
9335 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9336 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9337 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
9338 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9339 BPF_MOV64_IMM(BPF_REG_0, 0),
9340 BPF_EXIT_INSN(),
9341 },
9342 .errstr = "R1 offset is outside of the packet",
9343 .result = REJECT,
9344 .prog_type = BPF_PROG_TYPE_XDP,
9345 },
9346 {
9347 "XDP pkt read, pkt_data > pkt_meta', good access",
9348 .insns = {
9349 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9350 offsetof(struct xdp_md, data_meta)),
9351 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9352 offsetof(struct xdp_md, data)),
9353 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9354 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9355 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9356 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9357 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9358 BPF_MOV64_IMM(BPF_REG_0, 0),
9359 BPF_EXIT_INSN(),
9360 },
9361 .result = ACCEPT,
9362 .prog_type = BPF_PROG_TYPE_XDP,
9363 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9364 },
9365 {
9366 "XDP pkt read, pkt_data > pkt_meta', bad access 1",
9367 .insns = {
9368 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9369 offsetof(struct xdp_md, data_meta)),
9370 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9371 offsetof(struct xdp_md, data)),
9372 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9373 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9374 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9375 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9376 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9377 BPF_MOV64_IMM(BPF_REG_0, 0),
9378 BPF_EXIT_INSN(),
9379 },
9380 .errstr = "R1 offset is outside of the packet",
9381 .result = REJECT,
9382 .prog_type = BPF_PROG_TYPE_XDP,
9383 },
9384 {
9385 "XDP pkt read, pkt_data > pkt_meta', bad access 2",
9386 .insns = {
9387 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9388 offsetof(struct xdp_md, data_meta)),
9389 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9390 offsetof(struct xdp_md, data)),
9391 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9392 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9393 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9394 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9395 BPF_MOV64_IMM(BPF_REG_0, 0),
9396 BPF_EXIT_INSN(),
9397 },
9398 .errstr = "R1 offset is outside of the packet",
9399 .result = REJECT,
9400 .prog_type = BPF_PROG_TYPE_XDP,
9401 },
9402 {
9403 "XDP pkt read, pkt_meta' < pkt_data, good access",
9404 .insns = {
9405 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9406 offsetof(struct xdp_md, data_meta)),
9407 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9408 offsetof(struct xdp_md, data)),
9409 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9410 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9411 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9412 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9413 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9414 BPF_MOV64_IMM(BPF_REG_0, 0),
9415 BPF_EXIT_INSN(),
9416 },
9417 .result = ACCEPT,
9418 .prog_type = BPF_PROG_TYPE_XDP,
9419 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9420 },
9421 {
9422 "XDP pkt read, pkt_meta' < pkt_data, bad access 1",
9423 .insns = {
9424 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9425 offsetof(struct xdp_md, data_meta)),
9426 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9427 offsetof(struct xdp_md, data)),
9428 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9429 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9430 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9431 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9432 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9433 BPF_MOV64_IMM(BPF_REG_0, 0),
9434 BPF_EXIT_INSN(),
9435 },
9436 .errstr = "R1 offset is outside of the packet",
9437 .result = REJECT,
9438 .prog_type = BPF_PROG_TYPE_XDP,
9439 },
9440 {
9441 "XDP pkt read, pkt_meta' < pkt_data, bad access 2",
9442 .insns = {
9443 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9444 offsetof(struct xdp_md, data_meta)),
9445 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9446 offsetof(struct xdp_md, data)),
9447 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9448 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9449 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9450 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9451 BPF_MOV64_IMM(BPF_REG_0, 0),
9452 BPF_EXIT_INSN(),
9453 },
9454 .errstr = "R1 offset is outside of the packet",
9455 .result = REJECT,
9456 .prog_type = BPF_PROG_TYPE_XDP,
9457 },
9458 {
9459 "XDP pkt read, pkt_data < pkt_meta', good access",
9460 .insns = {
9461 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9462 offsetof(struct xdp_md, data_meta)),
9463 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9464 offsetof(struct xdp_md, data)),
9465 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9466 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9467 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9468 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9469 BPF_MOV64_IMM(BPF_REG_0, 0),
9470 BPF_EXIT_INSN(),
9471 },
9472 .result = ACCEPT,
9473 .prog_type = BPF_PROG_TYPE_XDP,
9474 },
9475 {
9476 "XDP pkt read, pkt_data < pkt_meta', bad access 1",
9477 .insns = {
9478 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9479 offsetof(struct xdp_md, data_meta)),
9480 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9481 offsetof(struct xdp_md, data)),
9482 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9483 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9484 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9485 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9486 BPF_MOV64_IMM(BPF_REG_0, 0),
9487 BPF_EXIT_INSN(),
9488 },
9489 .errstr = "R1 offset is outside of the packet",
9490 .result = REJECT,
9491 .prog_type = BPF_PROG_TYPE_XDP,
9492 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9493 },
9494 {
9495 "XDP pkt read, pkt_data < pkt_meta', bad access 2",
9496 .insns = {
9497 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9498 offsetof(struct xdp_md, data_meta)),
9499 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9500 offsetof(struct xdp_md, data)),
9501 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9502 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9503 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
9504 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9505 BPF_MOV64_IMM(BPF_REG_0, 0),
9506 BPF_EXIT_INSN(),
9507 },
9508 .errstr = "R1 offset is outside of the packet",
9509 .result = REJECT,
9510 .prog_type = BPF_PROG_TYPE_XDP,
9511 },
9512 {
9513 "XDP pkt read, pkt_meta' >= pkt_data, good access",
9514 .insns = {
9515 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9516 offsetof(struct xdp_md, data_meta)),
9517 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9518 offsetof(struct xdp_md, data)),
9519 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9520 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9521 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9522 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9523 BPF_MOV64_IMM(BPF_REG_0, 0),
9524 BPF_EXIT_INSN(),
9525 },
9526 .result = ACCEPT,
9527 .prog_type = BPF_PROG_TYPE_XDP,
9528 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9529 },
9530 {
9531 "XDP pkt read, pkt_meta' >= pkt_data, bad access 1",
9532 .insns = {
9533 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9534 offsetof(struct xdp_md, data_meta)),
9535 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9536 offsetof(struct xdp_md, data)),
9537 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9538 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9539 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9540 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9541 BPF_MOV64_IMM(BPF_REG_0, 0),
9542 BPF_EXIT_INSN(),
9543 },
9544 .errstr = "R1 offset is outside of the packet",
9545 .result = REJECT,
9546 .prog_type = BPF_PROG_TYPE_XDP,
9547 },
9548 {
9549 "XDP pkt read, pkt_meta' >= pkt_data, bad access 2",
9550 .insns = {
9551 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9552 offsetof(struct xdp_md, data_meta)),
9553 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9554 offsetof(struct xdp_md, data)),
9555 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9556 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9557 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
9558 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9559 BPF_MOV64_IMM(BPF_REG_0, 0),
9560 BPF_EXIT_INSN(),
9561 },
9562 .errstr = "R1 offset is outside of the packet",
9563 .result = REJECT,
9564 .prog_type = BPF_PROG_TYPE_XDP,
9565 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9566 },
9567 {
9568 "XDP pkt read, pkt_data >= pkt_meta', good access",
9569 .insns = {
9570 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9571 offsetof(struct xdp_md, data_meta)),
9572 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9573 offsetof(struct xdp_md, data)),
9574 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9575 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9576 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9577 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9578 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9579 BPF_MOV64_IMM(BPF_REG_0, 0),
9580 BPF_EXIT_INSN(),
9581 },
9582 .result = ACCEPT,
9583 .prog_type = BPF_PROG_TYPE_XDP,
9584 },
9585 {
9586 "XDP pkt read, pkt_data >= pkt_meta', bad access 1",
9587 .insns = {
9588 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9589 offsetof(struct xdp_md, data_meta)),
9590 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9591 offsetof(struct xdp_md, data)),
9592 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9593 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9594 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9595 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9596 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9597 BPF_MOV64_IMM(BPF_REG_0, 0),
9598 BPF_EXIT_INSN(),
9599 },
9600 .errstr = "R1 offset is outside of the packet",
9601 .result = REJECT,
9602 .prog_type = BPF_PROG_TYPE_XDP,
9603 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9604 },
9605 {
9606 "XDP pkt read, pkt_data >= pkt_meta', bad access 2",
9607 .insns = {
9608 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9609 offsetof(struct xdp_md, data_meta)),
9610 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9611 offsetof(struct xdp_md, data)),
9612 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9613 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9614 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9615 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9616 BPF_MOV64_IMM(BPF_REG_0, 0),
9617 BPF_EXIT_INSN(),
9618 },
9619 .errstr = "R1 offset is outside of the packet",
9620 .result = REJECT,
9621 .prog_type = BPF_PROG_TYPE_XDP,
9622 },
9623 {
9624 "XDP pkt read, pkt_meta' <= pkt_data, good access",
9625 .insns = {
9626 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9627 offsetof(struct xdp_md, data_meta)),
9628 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9629 offsetof(struct xdp_md, data)),
9630 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9631 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9632 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9633 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9634 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9635 BPF_MOV64_IMM(BPF_REG_0, 0),
9636 BPF_EXIT_INSN(),
9637 },
9638 .result = ACCEPT,
9639 .prog_type = BPF_PROG_TYPE_XDP,
9640 },
9641 {
9642 "XDP pkt read, pkt_meta' <= pkt_data, bad access 1",
9643 .insns = {
9644 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9645 offsetof(struct xdp_md, data_meta)),
9646 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9647 offsetof(struct xdp_md, data)),
9648 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9649 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9650 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9651 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9652 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9653 BPF_MOV64_IMM(BPF_REG_0, 0),
9654 BPF_EXIT_INSN(),
9655 },
9656 .errstr = "R1 offset is outside of the packet",
9657 .result = REJECT,
9658 .prog_type = BPF_PROG_TYPE_XDP,
9659 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9660 },
9661 {
9662 "XDP pkt read, pkt_meta' <= pkt_data, bad access 2",
9663 .insns = {
9664 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9665 offsetof(struct xdp_md, data_meta)),
9666 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9667 offsetof(struct xdp_md, data)),
9668 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9669 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9670 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9671 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9672 BPF_MOV64_IMM(BPF_REG_0, 0),
9673 BPF_EXIT_INSN(),
9674 },
9675 .errstr = "R1 offset is outside of the packet",
9676 .result = REJECT,
9677 .prog_type = BPF_PROG_TYPE_XDP,
9678 },
9679 {
9680 "XDP pkt read, pkt_data <= pkt_meta', good access",
9681 .insns = {
9682 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9683 offsetof(struct xdp_md, data_meta)),
9684 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9685 offsetof(struct xdp_md, data)),
9686 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9687 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9688 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9689 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9690 BPF_MOV64_IMM(BPF_REG_0, 0),
9691 BPF_EXIT_INSN(),
9692 },
9693 .result = ACCEPT,
9694 .prog_type = BPF_PROG_TYPE_XDP,
9695 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9696 },
9697 {
9698 "XDP pkt read, pkt_data <= pkt_meta', bad access 1",
9699 .insns = {
9700 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9701 offsetof(struct xdp_md, data_meta)),
9702 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9703 offsetof(struct xdp_md, data)),
9704 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9705 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9706 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9707 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9708 BPF_MOV64_IMM(BPF_REG_0, 0),
9709 BPF_EXIT_INSN(),
9710 },
9711 .errstr = "R1 offset is outside of the packet",
9712 .result = REJECT,
9713 .prog_type = BPF_PROG_TYPE_XDP,
9714 },
9715 {
9716 "XDP pkt read, pkt_data <= pkt_meta', bad access 2",
9717 .insns = {
9718 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9719 offsetof(struct xdp_md, data_meta)),
9720 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9721 offsetof(struct xdp_md, data)),
9722 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9723 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9724 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
9725 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9726 BPF_MOV64_IMM(BPF_REG_0, 0),
9727 BPF_EXIT_INSN(),
9728 },
9729 .errstr = "R1 offset is outside of the packet",
9730 .result = REJECT,
9731 .prog_type = BPF_PROG_TYPE_XDP,
9732 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9733 },
9734 {
9735 "check deducing bounds from const, 1",
9736 .insns = {
9737 BPF_MOV64_IMM(BPF_REG_0, 1),
9738 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 0),
9739 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9740 BPF_EXIT_INSN(),
9741 },
9742 .result = REJECT,
9743 .errstr = "R0 tried to subtract pointer from scalar",
9744 },
9745 {
9746 "check deducing bounds from const, 2",
9747 .insns = {
9748 BPF_MOV64_IMM(BPF_REG_0, 1),
9749 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 1),
9750 BPF_EXIT_INSN(),
9751 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 1, 1),
9752 BPF_EXIT_INSN(),
9753 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9754 BPF_EXIT_INSN(),
9755 },
9756 .result = ACCEPT,
9757 .retval = 1,
9758 },
9759 {
9760 "check deducing bounds from const, 3",
9761 .insns = {
9762 BPF_MOV64_IMM(BPF_REG_0, 0),
9763 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
9764 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9765 BPF_EXIT_INSN(),
9766 },
9767 .result = REJECT,
9768 .errstr = "R0 tried to subtract pointer from scalar",
9769 },
9770 {
9771 "check deducing bounds from const, 4",
9772 .insns = {
9773 BPF_MOV64_IMM(BPF_REG_0, 0),
9774 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 1),
9775 BPF_EXIT_INSN(),
9776 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9777 BPF_EXIT_INSN(),
9778 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9779 BPF_EXIT_INSN(),
9780 },
9781 .result = ACCEPT,
9782 },
9783 {
9784 "check deducing bounds from const, 5",
9785 .insns = {
9786 BPF_MOV64_IMM(BPF_REG_0, 0),
9787 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9788 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9789 BPF_EXIT_INSN(),
9790 },
9791 .result = REJECT,
9792 .errstr = "R0 tried to subtract pointer from scalar",
9793 },
9794 {
9795 "check deducing bounds from const, 6",
9796 .insns = {
9797 BPF_MOV64_IMM(BPF_REG_0, 0),
9798 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9799 BPF_EXIT_INSN(),
9800 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9801 BPF_EXIT_INSN(),
9802 },
9803 .result = REJECT,
9804 .errstr = "R0 tried to subtract pointer from scalar",
9805 },
9806 {
9807 "check deducing bounds from const, 7",
9808 .insns = {
9809 BPF_MOV64_IMM(BPF_REG_0, ~0),
9810 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
9811 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9812 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9813 offsetof(struct __sk_buff, mark)),
9814 BPF_EXIT_INSN(),
9815 },
9816 .result = REJECT,
9817 .errstr = "dereference of modified ctx ptr",
9818 },
9819 {
9820 "check deducing bounds from const, 8",
9821 .insns = {
9822 BPF_MOV64_IMM(BPF_REG_0, ~0),
9823 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9824 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
9825 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9826 offsetof(struct __sk_buff, mark)),
9827 BPF_EXIT_INSN(),
9828 },
9829 .result = REJECT,
9830 .errstr = "dereference of modified ctx ptr",
9831 },
9832 {
9833 "check deducing bounds from const, 9",
9834 .insns = {
9835 BPF_MOV64_IMM(BPF_REG_0, 0),
9836 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
9837 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9838 BPF_EXIT_INSN(),
9839 },
9840 .result = REJECT,
9841 .errstr = "R0 tried to subtract pointer from scalar",
9842 },
9843 {
9844 "check deducing bounds from const, 10",
9845 .insns = {
9846 BPF_MOV64_IMM(BPF_REG_0, 0),
9847 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
9848 /* Marks reg as unknown. */
9849 BPF_ALU64_IMM(BPF_NEG, BPF_REG_0, 0),
9850 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9851 BPF_EXIT_INSN(),
9852 },
9853 .result = REJECT,
9854 .errstr = "math between ctx pointer and register with unbounded min value is not allowed",
9855 },
9856 {
9857 "bpf_exit with invalid return code. test1",
9858 .insns = {
9859 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9860 BPF_EXIT_INSN(),
9861 },
9862 .errstr = "R0 has value (0x0; 0xffffffff)",
9863 .result = REJECT,
9864 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9865 },
9866 {
9867 "bpf_exit with invalid return code. test2",
9868 .insns = {
9869 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9870 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
9871 BPF_EXIT_INSN(),
9872 },
9873 .result = ACCEPT,
9874 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9875 },
9876 {
9877 "bpf_exit with invalid return code. test3",
9878 .insns = {
9879 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9880 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 3),
9881 BPF_EXIT_INSN(),
9882 },
9883 .errstr = "R0 has value (0x0; 0x3)",
9884 .result = REJECT,
9885 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9886 },
9887 {
9888 "bpf_exit with invalid return code. test4",
9889 .insns = {
9890 BPF_MOV64_IMM(BPF_REG_0, 1),
9891 BPF_EXIT_INSN(),
9892 },
9893 .result = ACCEPT,
9894 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9895 },
9896 {
9897 "bpf_exit with invalid return code. test5",
9898 .insns = {
9899 BPF_MOV64_IMM(BPF_REG_0, 2),
9900 BPF_EXIT_INSN(),
9901 },
9902 .errstr = "R0 has value (0x2; 0x0)",
9903 .result = REJECT,
9904 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9905 },
9906 {
9907 "bpf_exit with invalid return code. test6",
9908 .insns = {
9909 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9910 BPF_EXIT_INSN(),
9911 },
9912 .errstr = "R0 is not a known value (ctx)",
9913 .result = REJECT,
9914 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9915 },
9916 {
9917 "bpf_exit with invalid return code. test7",
9918 .insns = {
9919 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9920 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4),
9921 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_2),
9922 BPF_EXIT_INSN(),
9923 },
9924 .errstr = "R0 has unknown scalar value",
9925 .result = REJECT,
9926 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9927 },
9928 {
9929 "calls: basic sanity",
9930 .insns = {
9931 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9932 BPF_MOV64_IMM(BPF_REG_0, 1),
9933 BPF_EXIT_INSN(),
9934 BPF_MOV64_IMM(BPF_REG_0, 2),
9935 BPF_EXIT_INSN(),
9936 },
9937 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9938 .result = ACCEPT,
9939 },
9940 {
9941 "calls: not on unpriviledged",
9942 .insns = {
9943 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9944 BPF_MOV64_IMM(BPF_REG_0, 1),
9945 BPF_EXIT_INSN(),
9946 BPF_MOV64_IMM(BPF_REG_0, 2),
9947 BPF_EXIT_INSN(),
9948 },
9949 .errstr_unpriv = "function calls to other bpf functions are allowed for root only",
9950 .result_unpriv = REJECT,
9951 .result = ACCEPT,
9952 .retval = 1,
9953 },
9954 {
9955 "calls: div by 0 in subprog",
9956 .insns = {
9957 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9958 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
9959 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9960 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
9961 offsetof(struct __sk_buff, data_end)),
9962 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
9963 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
9964 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
9965 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9966 BPF_MOV64_IMM(BPF_REG_0, 1),
9967 BPF_EXIT_INSN(),
9968 BPF_MOV32_IMM(BPF_REG_2, 0),
9969 BPF_MOV32_IMM(BPF_REG_3, 1),
9970 BPF_ALU32_REG(BPF_DIV, BPF_REG_3, BPF_REG_2),
9971 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9972 offsetof(struct __sk_buff, data)),
9973 BPF_EXIT_INSN(),
9974 },
9975 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9976 .result = ACCEPT,
9977 .retval = 1,
9978 },
9979 {
9980 "calls: multiple ret types in subprog 1",
9981 .insns = {
9982 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9983 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
9984 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9985 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
9986 offsetof(struct __sk_buff, data_end)),
9987 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
9988 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
9989 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
9990 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9991 BPF_MOV64_IMM(BPF_REG_0, 1),
9992 BPF_EXIT_INSN(),
9993 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9994 offsetof(struct __sk_buff, data)),
9995 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9996 BPF_MOV32_IMM(BPF_REG_0, 42),
9997 BPF_EXIT_INSN(),
9998 },
9999 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10000 .result = REJECT,
10001 .errstr = "R0 invalid mem access 'inv'",
10002 },
10003 {
10004 "calls: multiple ret types in subprog 2",
10005 .insns = {
10006 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10007 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10008 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10009 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
10010 offsetof(struct __sk_buff, data_end)),
10011 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
10012 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
10013 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
10014 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
10015 BPF_MOV64_IMM(BPF_REG_0, 1),
10016 BPF_EXIT_INSN(),
10017 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10018 offsetof(struct __sk_buff, data)),
10019 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10020 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 9),
10021 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10022 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10023 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10024 BPF_LD_MAP_FD(BPF_REG_1, 0),
10025 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10026 BPF_FUNC_map_lookup_elem),
10027 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
10028 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6,
10029 offsetof(struct __sk_buff, data)),
10030 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
10031 BPF_EXIT_INSN(),
10032 },
10033 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10034 .fixup_map1 = { 16 },
10035 .result = REJECT,
10036 .errstr = "R0 min value is outside of the array range",
10037 },
10038 {
10039 "calls: overlapping caller/callee",
10040 .insns = {
10041 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0),
10042 BPF_MOV64_IMM(BPF_REG_0, 1),
10043 BPF_EXIT_INSN(),
10044 },
10045 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10046 .errstr = "last insn is not an exit or jmp",
10047 .result = REJECT,
10048 },
10049 {
10050 "calls: wrong recursive calls",
10051 .insns = {
10052 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
10053 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
10054 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
10055 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
10056 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
10057 BPF_MOV64_IMM(BPF_REG_0, 1),
10058 BPF_EXIT_INSN(),
10059 },
10060 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10061 .errstr = "jump out of range",
10062 .result = REJECT,
10063 },
10064 {
10065 "calls: wrong src reg",
10066 .insns = {
10067 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 2, 0, 0),
10068 BPF_MOV64_IMM(BPF_REG_0, 1),
10069 BPF_EXIT_INSN(),
10070 },
10071 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10072 .errstr = "BPF_CALL uses reserved fields",
10073 .result = REJECT,
10074 },
10075 {
10076 "calls: wrong off value",
10077 .insns = {
10078 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, -1, 2),
10079 BPF_MOV64_IMM(BPF_REG_0, 1),
10080 BPF_EXIT_INSN(),
10081 BPF_MOV64_IMM(BPF_REG_0, 2),
10082 BPF_EXIT_INSN(),
10083 },
10084 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10085 .errstr = "BPF_CALL uses reserved fields",
10086 .result = REJECT,
10087 },
10088 {
10089 "calls: jump back loop",
10090 .insns = {
10091 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
10092 BPF_MOV64_IMM(BPF_REG_0, 1),
10093 BPF_EXIT_INSN(),
10094 },
10095 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10096 .errstr = "back-edge from insn 0 to 0",
10097 .result = REJECT,
10098 },
10099 {
10100 "calls: conditional call",
10101 .insns = {
10102 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10103 offsetof(struct __sk_buff, mark)),
10104 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10105 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10106 BPF_MOV64_IMM(BPF_REG_0, 1),
10107 BPF_EXIT_INSN(),
10108 BPF_MOV64_IMM(BPF_REG_0, 2),
10109 BPF_EXIT_INSN(),
10110 },
10111 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10112 .errstr = "jump out of range",
10113 .result = REJECT,
10114 },
10115 {
10116 "calls: conditional call 2",
10117 .insns = {
10118 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10119 offsetof(struct __sk_buff, mark)),
10120 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10121 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10122 BPF_MOV64_IMM(BPF_REG_0, 1),
10123 BPF_EXIT_INSN(),
10124 BPF_MOV64_IMM(BPF_REG_0, 2),
10125 BPF_EXIT_INSN(),
10126 BPF_MOV64_IMM(BPF_REG_0, 3),
10127 BPF_EXIT_INSN(),
10128 },
10129 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10130 .result = ACCEPT,
10131 },
10132 {
10133 "calls: conditional call 3",
10134 .insns = {
10135 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10136 offsetof(struct __sk_buff, mark)),
10137 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10138 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
10139 BPF_MOV64_IMM(BPF_REG_0, 1),
10140 BPF_EXIT_INSN(),
10141 BPF_MOV64_IMM(BPF_REG_0, 1),
10142 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10143 BPF_MOV64_IMM(BPF_REG_0, 3),
10144 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10145 },
10146 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10147 .errstr = "back-edge from insn",
10148 .result = REJECT,
10149 },
10150 {
10151 "calls: conditional call 4",
10152 .insns = {
10153 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10154 offsetof(struct __sk_buff, mark)),
10155 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10156 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10157 BPF_MOV64_IMM(BPF_REG_0, 1),
10158 BPF_EXIT_INSN(),
10159 BPF_MOV64_IMM(BPF_REG_0, 1),
10160 BPF_JMP_IMM(BPF_JA, 0, 0, -5),
10161 BPF_MOV64_IMM(BPF_REG_0, 3),
10162 BPF_EXIT_INSN(),
10163 },
10164 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10165 .result = ACCEPT,
10166 },
10167 {
10168 "calls: conditional call 5",
10169 .insns = {
10170 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10171 offsetof(struct __sk_buff, mark)),
10172 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10173 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10174 BPF_MOV64_IMM(BPF_REG_0, 1),
10175 BPF_EXIT_INSN(),
10176 BPF_MOV64_IMM(BPF_REG_0, 1),
10177 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10178 BPF_MOV64_IMM(BPF_REG_0, 3),
10179 BPF_EXIT_INSN(),
10180 },
10181 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10182 .errstr = "back-edge from insn",
10183 .result = REJECT,
10184 },
10185 {
10186 "calls: conditional call 6",
10187 .insns = {
10188 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10189 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -2),
10190 BPF_EXIT_INSN(),
10191 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10192 offsetof(struct __sk_buff, mark)),
10193 BPF_EXIT_INSN(),
10194 },
10195 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10196 .errstr = "back-edge from insn",
10197 .result = REJECT,
10198 },
10199 {
10200 "calls: using r0 returned by callee",
10201 .insns = {
10202 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10203 BPF_EXIT_INSN(),
10204 BPF_MOV64_IMM(BPF_REG_0, 2),
10205 BPF_EXIT_INSN(),
10206 },
10207 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10208 .result = ACCEPT,
10209 },
10210 {
10211 "calls: using uninit r0 from callee",
10212 .insns = {
10213 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10214 BPF_EXIT_INSN(),
10215 BPF_EXIT_INSN(),
10216 },
10217 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10218 .errstr = "!read_ok",
10219 .result = REJECT,
10220 },
10221 {
10222 "calls: callee is using r1",
10223 .insns = {
10224 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10225 BPF_EXIT_INSN(),
10226 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10227 offsetof(struct __sk_buff, len)),
10228 BPF_EXIT_INSN(),
10229 },
10230 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
10231 .result = ACCEPT,
10232 .retval = TEST_DATA_LEN,
10233 },
10234 {
10235 "calls: callee using args1",
10236 .insns = {
10237 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10238 BPF_EXIT_INSN(),
10239 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
10240 BPF_EXIT_INSN(),
10241 },
10242 .errstr_unpriv = "allowed for root only",
10243 .result_unpriv = REJECT,
10244 .result = ACCEPT,
10245 .retval = POINTER_VALUE,
10246 },
10247 {
10248 "calls: callee using wrong args2",
10249 .insns = {
10250 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10251 BPF_EXIT_INSN(),
10252 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10253 BPF_EXIT_INSN(),
10254 },
10255 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10256 .errstr = "R2 !read_ok",
10257 .result = REJECT,
10258 },
10259 {
10260 "calls: callee using two args",
10261 .insns = {
10262 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10263 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
10264 offsetof(struct __sk_buff, len)),
10265 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_6,
10266 offsetof(struct __sk_buff, len)),
10267 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10268 BPF_EXIT_INSN(),
10269 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
10270 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
10271 BPF_EXIT_INSN(),
10272 },
10273 .errstr_unpriv = "allowed for root only",
10274 .result_unpriv = REJECT,
10275 .result = ACCEPT,
10276 .retval = TEST_DATA_LEN + TEST_DATA_LEN - ETH_HLEN - ETH_HLEN,
10277 },
10278 {
10279 "calls: callee changing pkt pointers",
10280 .insns = {
10281 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
10282 offsetof(struct xdp_md, data)),
10283 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
10284 offsetof(struct xdp_md, data_end)),
10285 BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
10286 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 8),
10287 BPF_JMP_REG(BPF_JGT, BPF_REG_8, BPF_REG_7, 2),
10288 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10289 /* clear_all_pkt_pointers() has to walk all frames
10290 * to make sure that pkt pointers in the caller
10291 * are cleared when callee is calling a helper that
10292 * adjusts packet size
10293 */
10294 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10295 BPF_MOV32_IMM(BPF_REG_0, 0),
10296 BPF_EXIT_INSN(),
10297 BPF_MOV64_IMM(BPF_REG_2, 0),
10298 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10299 BPF_FUNC_xdp_adjust_head),
10300 BPF_EXIT_INSN(),
10301 },
10302 .result = REJECT,
10303 .errstr = "R6 invalid mem access 'inv'",
10304 .prog_type = BPF_PROG_TYPE_XDP,
10305 },
10306 {
10307 "calls: two calls with args",
10308 .insns = {
10309 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10310 BPF_EXIT_INSN(),
10311 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10312 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10313 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10314 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10315 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10316 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10317 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10318 BPF_EXIT_INSN(),
10319 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10320 offsetof(struct __sk_buff, len)),
10321 BPF_EXIT_INSN(),
10322 },
10323 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10324 .result = ACCEPT,
10325 .retval = TEST_DATA_LEN + TEST_DATA_LEN,
10326 },
10327 {
10328 "calls: calls with stack arith",
10329 .insns = {
10330 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10331 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10332 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10333 BPF_EXIT_INSN(),
10334 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10335 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10336 BPF_EXIT_INSN(),
10337 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10338 BPF_MOV64_IMM(BPF_REG_0, 42),
10339 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
10340 BPF_EXIT_INSN(),
10341 },
10342 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10343 .result = ACCEPT,
10344 .retval = 42,
10345 },
10346 {
10347 "calls: calls with misaligned stack access",
10348 .insns = {
10349 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10350 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
10351 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10352 BPF_EXIT_INSN(),
10353 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -61),
10354 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10355 BPF_EXIT_INSN(),
10356 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
10357 BPF_MOV64_IMM(BPF_REG_0, 42),
10358 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
10359 BPF_EXIT_INSN(),
10360 },
10361 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10362 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
10363 .errstr = "misaligned stack access",
10364 .result = REJECT,
10365 },
10366 {
10367 "calls: calls control flow, jump test",
10368 .insns = {
10369 BPF_MOV64_IMM(BPF_REG_0, 42),
10370 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10371 BPF_MOV64_IMM(BPF_REG_0, 43),
10372 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10373 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
10374 BPF_EXIT_INSN(),
10375 },
10376 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10377 .result = ACCEPT,
10378 .retval = 43,
10379 },
10380 {
10381 "calls: calls control flow, jump test 2",
10382 .insns = {
10383 BPF_MOV64_IMM(BPF_REG_0, 42),
10384 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10385 BPF_MOV64_IMM(BPF_REG_0, 43),
10386 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10387 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
10388 BPF_EXIT_INSN(),
10389 },
10390 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10391 .errstr = "jump out of range from insn 1 to 4",
10392 .result = REJECT,
10393 },
10394 {
10395 "calls: two calls with bad jump",
10396 .insns = {
10397 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10398 BPF_EXIT_INSN(),
10399 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10400 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10401 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10402 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10403 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10404 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10405 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10406 BPF_EXIT_INSN(),
10407 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10408 offsetof(struct __sk_buff, len)),
10409 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -3),
10410 BPF_EXIT_INSN(),
10411 },
10412 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10413 .errstr = "jump out of range from insn 11 to 9",
10414 .result = REJECT,
10415 },
10416 {
10417 "calls: recursive call. test1",
10418 .insns = {
10419 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10420 BPF_EXIT_INSN(),
10421 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
10422 BPF_EXIT_INSN(),
10423 },
10424 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10425 .errstr = "back-edge",
10426 .result = REJECT,
10427 },
10428 {
10429 "calls: recursive call. test2",
10430 .insns = {
10431 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10432 BPF_EXIT_INSN(),
10433 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
10434 BPF_EXIT_INSN(),
10435 },
10436 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10437 .errstr = "back-edge",
10438 .result = REJECT,
10439 },
10440 {
10441 "calls: unreachable code",
10442 .insns = {
10443 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10444 BPF_EXIT_INSN(),
10445 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10446 BPF_EXIT_INSN(),
10447 BPF_MOV64_IMM(BPF_REG_0, 0),
10448 BPF_EXIT_INSN(),
10449 BPF_MOV64_IMM(BPF_REG_0, 0),
10450 BPF_EXIT_INSN(),
10451 },
10452 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10453 .errstr = "unreachable insn 6",
10454 .result = REJECT,
10455 },
10456 {
10457 "calls: invalid call",
10458 .insns = {
10459 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10460 BPF_EXIT_INSN(),
10461 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -4),
10462 BPF_EXIT_INSN(),
10463 },
10464 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10465 .errstr = "invalid destination",
10466 .result = REJECT,
10467 },
10468 {
10469 "calls: invalid call 2",
10470 .insns = {
10471 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10472 BPF_EXIT_INSN(),
10473 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0x7fffffff),
10474 BPF_EXIT_INSN(),
10475 },
10476 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10477 .errstr = "invalid destination",
10478 .result = REJECT,
10479 },
10480 {
10481 "calls: jumping across function bodies. test1",
10482 .insns = {
10483 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10484 BPF_MOV64_IMM(BPF_REG_0, 0),
10485 BPF_EXIT_INSN(),
10486 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
10487 BPF_EXIT_INSN(),
10488 },
10489 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10490 .errstr = "jump out of range",
10491 .result = REJECT,
10492 },
10493 {
10494 "calls: jumping across function bodies. test2",
10495 .insns = {
10496 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
10497 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10498 BPF_MOV64_IMM(BPF_REG_0, 0),
10499 BPF_EXIT_INSN(),
10500 BPF_EXIT_INSN(),
10501 },
10502 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10503 .errstr = "jump out of range",
10504 .result = REJECT,
10505 },
10506 {
10507 "calls: call without exit",
10508 .insns = {
10509 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10510 BPF_EXIT_INSN(),
10511 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10512 BPF_EXIT_INSN(),
10513 BPF_MOV64_IMM(BPF_REG_0, 0),
10514 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -2),
10515 },
10516 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10517 .errstr = "not an exit",
10518 .result = REJECT,
10519 },
10520 {
10521 "calls: call into middle of ld_imm64",
10522 .insns = {
10523 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10524 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10525 BPF_MOV64_IMM(BPF_REG_0, 0),
10526 BPF_EXIT_INSN(),
10527 BPF_LD_IMM64(BPF_REG_0, 0),
10528 BPF_EXIT_INSN(),
10529 },
10530 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10531 .errstr = "last insn",
10532 .result = REJECT,
10533 },
10534 {
10535 "calls: call into middle of other call",
10536 .insns = {
10537 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10538 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10539 BPF_MOV64_IMM(BPF_REG_0, 0),
10540 BPF_EXIT_INSN(),
10541 BPF_MOV64_IMM(BPF_REG_0, 0),
10542 BPF_MOV64_IMM(BPF_REG_0, 0),
10543 BPF_EXIT_INSN(),
10544 },
10545 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10546 .errstr = "last insn",
10547 .result = REJECT,
10548 },
10549 {
10550 "calls: ld_abs with changing ctx data in callee",
10551 .insns = {
10552 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10553 BPF_LD_ABS(BPF_B, 0),
10554 BPF_LD_ABS(BPF_H, 0),
10555 BPF_LD_ABS(BPF_W, 0),
10556 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
10557 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
10558 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
10559 BPF_LD_ABS(BPF_B, 0),
10560 BPF_LD_ABS(BPF_H, 0),
10561 BPF_LD_ABS(BPF_W, 0),
10562 BPF_EXIT_INSN(),
10563 BPF_MOV64_IMM(BPF_REG_2, 1),
10564 BPF_MOV64_IMM(BPF_REG_3, 2),
10565 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10566 BPF_FUNC_skb_vlan_push),
10567 BPF_EXIT_INSN(),
10568 },
10569 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10570 .errstr = "BPF_LD_[ABS|IND] instructions cannot be mixed",
10571 .result = REJECT,
10572 },
10573 {
10574 "calls: two calls with bad fallthrough",
10575 .insns = {
10576 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10577 BPF_EXIT_INSN(),
10578 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10579 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10580 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10581 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10582 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10583 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10584 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10585 BPF_MOV64_REG(BPF_REG_0, BPF_REG_0),
10586 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10587 offsetof(struct __sk_buff, len)),
10588 BPF_EXIT_INSN(),
10589 },
10590 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10591 .errstr = "not an exit",
10592 .result = REJECT,
10593 },
10594 {
10595 "calls: two calls with stack read",
10596 .insns = {
10597 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10598 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10599 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10600 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10601 BPF_EXIT_INSN(),
10602 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10603 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10604 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10605 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10606 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10607 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10608 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10609 BPF_EXIT_INSN(),
10610 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10611 BPF_EXIT_INSN(),
10612 },
10613 .prog_type = BPF_PROG_TYPE_XDP,
10614 .result = ACCEPT,
10615 },
10616 {
10617 "calls: two calls with stack write",
10618 .insns = {
10619 /* main prog */
10620 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10621 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10622 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10623 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10624 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10625 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10626 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10627 BPF_EXIT_INSN(),
10628
10629 /* subprog 1 */
10630 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10631 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10632 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 7),
10633 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
10634 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10635 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10636 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
10637 BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
10638 /* write into stack frame of main prog */
10639 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10640 BPF_EXIT_INSN(),
10641
10642 /* subprog 2 */
10643 /* read from stack frame of main prog */
10644 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10645 BPF_EXIT_INSN(),
10646 },
10647 .prog_type = BPF_PROG_TYPE_XDP,
10648 .result = ACCEPT,
10649 },
10650 {
10651 "calls: stack overflow using two frames (pre-call access)",
10652 .insns = {
10653 /* prog 1 */
10654 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10655 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
10656 BPF_EXIT_INSN(),
10657
10658 /* prog 2 */
10659 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10660 BPF_MOV64_IMM(BPF_REG_0, 0),
10661 BPF_EXIT_INSN(),
10662 },
10663 .prog_type = BPF_PROG_TYPE_XDP,
10664 .errstr = "combined stack size",
10665 .result = REJECT,
10666 },
10667 {
10668 "calls: stack overflow using two frames (post-call access)",
10669 .insns = {
10670 /* prog 1 */
10671 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 2),
10672 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10673 BPF_EXIT_INSN(),
10674
10675 /* prog 2 */
10676 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10677 BPF_MOV64_IMM(BPF_REG_0, 0),
10678 BPF_EXIT_INSN(),
10679 },
10680 .prog_type = BPF_PROG_TYPE_XDP,
10681 .errstr = "combined stack size",
10682 .result = REJECT,
10683 },
10684 {
10685 "calls: stack depth check using three frames. test1",
10686 .insns = {
10687 /* main */
10688 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10689 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
10690 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
10691 BPF_MOV64_IMM(BPF_REG_0, 0),
10692 BPF_EXIT_INSN(),
10693 /* A */
10694 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10695 BPF_EXIT_INSN(),
10696 /* B */
10697 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
10698 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10699 BPF_EXIT_INSN(),
10700 },
10701 .prog_type = BPF_PROG_TYPE_XDP,
10702 /* stack_main=32, stack_A=256, stack_B=64
10703 * and max(main+A, main+A+B) < 512
10704 */
10705 .result = ACCEPT,
10706 },
10707 {
10708 "calls: stack depth check using three frames. test2",
10709 .insns = {
10710 /* main */
10711 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10712 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
10713 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
10714 BPF_MOV64_IMM(BPF_REG_0, 0),
10715 BPF_EXIT_INSN(),
10716 /* A */
10717 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10718 BPF_EXIT_INSN(),
10719 /* B */
10720 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
10721 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10722 BPF_EXIT_INSN(),
10723 },
10724 .prog_type = BPF_PROG_TYPE_XDP,
10725 /* stack_main=32, stack_A=64, stack_B=256
10726 * and max(main+A, main+A+B) < 512
10727 */
10728 .result = ACCEPT,
10729 },
10730 {
10731 "calls: stack depth check using three frames. test3",
10732 .insns = {
10733 /* main */
10734 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10735 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
10736 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10737 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 8), /* call B */
10738 BPF_JMP_IMM(BPF_JGE, BPF_REG_6, 0, 1),
10739 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10740 BPF_MOV64_IMM(BPF_REG_0, 0),
10741 BPF_EXIT_INSN(),
10742 /* A */
10743 BPF_JMP_IMM(BPF_JLT, BPF_REG_1, 10, 1),
10744 BPF_EXIT_INSN(),
10745 BPF_ST_MEM(BPF_B, BPF_REG_10, -224, 0),
10746 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
10747 /* B */
10748 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 1),
10749 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -6), /* call A */
10750 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10751 BPF_EXIT_INSN(),
10752 },
10753 .prog_type = BPF_PROG_TYPE_XDP,
10754 /* stack_main=64, stack_A=224, stack_B=256
10755 * and max(main+A, main+A+B) > 512
10756 */
10757 .errstr = "combined stack",
10758 .result = REJECT,
10759 },
10760 {
10761 "calls: stack depth check using three frames. test4",
10762 /* void main(void) {
10763 * func1(0);
10764 * func1(1);
10765 * func2(1);
10766 * }
10767 * void func1(int alloc_or_recurse) {
10768 * if (alloc_or_recurse) {
10769 * frame_pointer[-300] = 1;
10770 * } else {
10771 * func2(alloc_or_recurse);
10772 * }
10773 * }
10774 * void func2(int alloc_or_recurse) {
10775 * if (alloc_or_recurse) {
10776 * frame_pointer[-300] = 1;
10777 * }
10778 * }
10779 */
10780 .insns = {
10781 /* main */
10782 BPF_MOV64_IMM(BPF_REG_1, 0),
10783 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
10784 BPF_MOV64_IMM(BPF_REG_1, 1),
10785 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10786 BPF_MOV64_IMM(BPF_REG_1, 1),
10787 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 7), /* call B */
10788 BPF_MOV64_IMM(BPF_REG_0, 0),
10789 BPF_EXIT_INSN(),
10790 /* A */
10791 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
10792 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10793 BPF_EXIT_INSN(),
10794 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
10795 BPF_EXIT_INSN(),
10796 /* B */
10797 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
10798 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10799 BPF_EXIT_INSN(),
10800 },
10801 .prog_type = BPF_PROG_TYPE_XDP,
10802 .result = REJECT,
10803 .errstr = "combined stack",
10804 },
10805 {
10806 "calls: stack depth check using three frames. test5",
10807 .insns = {
10808 /* main */
10809 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call A */
10810 BPF_EXIT_INSN(),
10811 /* A */
10812 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
10813 BPF_EXIT_INSN(),
10814 /* B */
10815 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call C */
10816 BPF_EXIT_INSN(),
10817 /* C */
10818 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call D */
10819 BPF_EXIT_INSN(),
10820 /* D */
10821 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call E */
10822 BPF_EXIT_INSN(),
10823 /* E */
10824 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call F */
10825 BPF_EXIT_INSN(),
10826 /* F */
10827 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call G */
10828 BPF_EXIT_INSN(),
10829 /* G */
10830 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call H */
10831 BPF_EXIT_INSN(),
10832 /* H */
10833 BPF_MOV64_IMM(BPF_REG_0, 0),
10834 BPF_EXIT_INSN(),
10835 },
10836 .prog_type = BPF_PROG_TYPE_XDP,
10837 .errstr = "call stack",
10838 .result = REJECT,
10839 },
10840 {
10841 "calls: spill into caller stack frame",
10842 .insns = {
10843 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10844 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10845 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10846 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10847 BPF_EXIT_INSN(),
10848 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
10849 BPF_MOV64_IMM(BPF_REG_0, 0),
10850 BPF_EXIT_INSN(),
10851 },
10852 .prog_type = BPF_PROG_TYPE_XDP,
10853 .errstr = "cannot spill",
10854 .result = REJECT,
10855 },
10856 {
10857 "calls: write into caller stack frame",
10858 .insns = {
10859 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10860 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10861 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10862 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10863 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10864 BPF_EXIT_INSN(),
10865 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 42),
10866 BPF_MOV64_IMM(BPF_REG_0, 0),
10867 BPF_EXIT_INSN(),
10868 },
10869 .prog_type = BPF_PROG_TYPE_XDP,
10870 .result = ACCEPT,
10871 .retval = 42,
10872 },
10873 {
10874 "calls: write into callee stack frame",
10875 .insns = {
10876 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10877 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
10878 BPF_EXIT_INSN(),
10879 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
10880 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, -8),
10881 BPF_EXIT_INSN(),
10882 },
10883 .prog_type = BPF_PROG_TYPE_XDP,
10884 .errstr = "cannot return stack pointer",
10885 .result = REJECT,
10886 },
10887 {
10888 "calls: two calls with stack write and void return",
10889 .insns = {
10890 /* main prog */
10891 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10892 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10893 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10894 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10895 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10896 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10897 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10898 BPF_EXIT_INSN(),
10899
10900 /* subprog 1 */
10901 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10902 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10903 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10904 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10905 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10906 BPF_EXIT_INSN(),
10907
10908 /* subprog 2 */
10909 /* write into stack frame of main prog */
10910 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
10911 BPF_EXIT_INSN(), /* void return */
10912 },
10913 .prog_type = BPF_PROG_TYPE_XDP,
10914 .result = ACCEPT,
10915 },
10916 {
10917 "calls: ambiguous return value",
10918 .insns = {
10919 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10920 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
10921 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
10922 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10923 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10924 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
10925 BPF_EXIT_INSN(),
10926 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
10927 BPF_MOV64_IMM(BPF_REG_0, 0),
10928 BPF_EXIT_INSN(),
10929 },
10930 .errstr_unpriv = "allowed for root only",
10931 .result_unpriv = REJECT,
10932 .errstr = "R0 !read_ok",
10933 .result = REJECT,
10934 },
10935 {
10936 "calls: two calls that return map_value",
10937 .insns = {
10938 /* main prog */
10939 /* pass fp-16, fp-8 into a function */
10940 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10941 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10942 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10943 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10944 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10945
10946 /* fetch map_value_ptr from the stack of this function */
10947 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
10948 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
10949 /* write into map value */
10950 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10951 /* fetch secound map_value_ptr from the stack */
10952 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10953 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
10954 /* write into map value */
10955 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10956 BPF_MOV64_IMM(BPF_REG_0, 0),
10957 BPF_EXIT_INSN(),
10958
10959 /* subprog 1 */
10960 /* call 3rd function twice */
10961 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10962 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10963 /* first time with fp-8 */
10964 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10965 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10966 /* second time with fp-16 */
10967 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10968 BPF_EXIT_INSN(),
10969
10970 /* subprog 2 */
10971 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10972 /* lookup from map */
10973 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10974 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10975 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10976 BPF_LD_MAP_FD(BPF_REG_1, 0),
10977 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10978 BPF_FUNC_map_lookup_elem),
10979 /* write map_value_ptr into stack frame of main prog */
10980 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10981 BPF_MOV64_IMM(BPF_REG_0, 0),
10982 BPF_EXIT_INSN(), /* return 0 */
10983 },
10984 .prog_type = BPF_PROG_TYPE_XDP,
10985 .fixup_map1 = { 23 },
10986 .result = ACCEPT,
10987 },
10988 {
10989 "calls: two calls that return map_value with bool condition",
10990 .insns = {
10991 /* main prog */
10992 /* pass fp-16, fp-8 into a function */
10993 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10994 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10995 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10996 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10997 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10998 BPF_MOV64_IMM(BPF_REG_0, 0),
10999 BPF_EXIT_INSN(),
11000
11001 /* subprog 1 */
11002 /* call 3rd function twice */
11003 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11004 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11005 /* first time with fp-8 */
11006 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
11007 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
11008 /* fetch map_value_ptr from the stack of this function */
11009 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
11010 /* write into map value */
11011 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11012 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11013 /* second time with fp-16 */
11014 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11015 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
11016 /* fetch secound map_value_ptr from the stack */
11017 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
11018 /* write into map value */
11019 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11020 BPF_EXIT_INSN(),
11021
11022 /* subprog 2 */
11023 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11024 /* lookup from map */
11025 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11026 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11027 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11028 BPF_LD_MAP_FD(BPF_REG_1, 0),
11029 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11030 BPF_FUNC_map_lookup_elem),
11031 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11032 BPF_MOV64_IMM(BPF_REG_0, 0),
11033 BPF_EXIT_INSN(), /* return 0 */
11034 /* write map_value_ptr into stack frame of main prog */
11035 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11036 BPF_MOV64_IMM(BPF_REG_0, 1),
11037 BPF_EXIT_INSN(), /* return 1 */
11038 },
11039 .prog_type = BPF_PROG_TYPE_XDP,
11040 .fixup_map1 = { 23 },
11041 .result = ACCEPT,
11042 },
11043 {
11044 "calls: two calls that return map_value with incorrect bool check",
11045 .insns = {
11046 /* main prog */
11047 /* pass fp-16, fp-8 into a function */
11048 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11049 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11050 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11051 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11052 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11053 BPF_MOV64_IMM(BPF_REG_0, 0),
11054 BPF_EXIT_INSN(),
11055
11056 /* subprog 1 */
11057 /* call 3rd function twice */
11058 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11059 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11060 /* first time with fp-8 */
11061 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
11062 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
11063 /* fetch map_value_ptr from the stack of this function */
11064 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
11065 /* write into map value */
11066 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11067 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11068 /* second time with fp-16 */
11069 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11070 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11071 /* fetch secound map_value_ptr from the stack */
11072 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
11073 /* write into map value */
11074 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11075 BPF_EXIT_INSN(),
11076
11077 /* subprog 2 */
11078 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11079 /* lookup from map */
11080 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11081 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11082 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11083 BPF_LD_MAP_FD(BPF_REG_1, 0),
11084 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11085 BPF_FUNC_map_lookup_elem),
11086 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11087 BPF_MOV64_IMM(BPF_REG_0, 0),
11088 BPF_EXIT_INSN(), /* return 0 */
11089 /* write map_value_ptr into stack frame of main prog */
11090 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11091 BPF_MOV64_IMM(BPF_REG_0, 1),
11092 BPF_EXIT_INSN(), /* return 1 */
11093 },
11094 .prog_type = BPF_PROG_TYPE_XDP,
11095 .fixup_map1 = { 23 },
11096 .result = REJECT,
11097 .errstr = "invalid read from stack off -16+0 size 8",
11098 },
11099 {
11100 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test1",
11101 .insns = {
11102 /* main prog */
11103 /* pass fp-16, fp-8 into a function */
11104 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11105 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11106 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11107 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11108 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11109 BPF_MOV64_IMM(BPF_REG_0, 0),
11110 BPF_EXIT_INSN(),
11111
11112 /* subprog 1 */
11113 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11114 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11115 /* 1st lookup from map */
11116 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11117 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11118 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11119 BPF_LD_MAP_FD(BPF_REG_1, 0),
11120 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11121 BPF_FUNC_map_lookup_elem),
11122 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11123 BPF_MOV64_IMM(BPF_REG_8, 0),
11124 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11125 /* write map_value_ptr into stack frame of main prog at fp-8 */
11126 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11127 BPF_MOV64_IMM(BPF_REG_8, 1),
11128
11129 /* 2nd lookup from map */
11130 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
11131 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11132 BPF_LD_MAP_FD(BPF_REG_1, 0),
11133 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
11134 BPF_FUNC_map_lookup_elem),
11135 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11136 BPF_MOV64_IMM(BPF_REG_9, 0),
11137 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11138 /* write map_value_ptr into stack frame of main prog at fp-16 */
11139 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11140 BPF_MOV64_IMM(BPF_REG_9, 1),
11141
11142 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11143 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
11144 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11145 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11146 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11147 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), /* 34 */
11148 BPF_EXIT_INSN(),
11149
11150 /* subprog 2 */
11151 /* if arg2 == 1 do *arg1 = 0 */
11152 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11153 /* fetch map_value_ptr from the stack of this function */
11154 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11155 /* write into map value */
11156 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11157
11158 /* if arg4 == 1 do *arg3 = 0 */
11159 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11160 /* fetch map_value_ptr from the stack of this function */
11161 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11162 /* write into map value */
11163 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
11164 BPF_EXIT_INSN(),
11165 },
11166 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11167 .fixup_map1 = { 12, 22 },
11168 .result = REJECT,
11169 .errstr = "invalid access to map value, value_size=8 off=2 size=8",
11170 },
11171 {
11172 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test2",
11173 .insns = {
11174 /* main prog */
11175 /* pass fp-16, fp-8 into a function */
11176 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11177 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11178 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11179 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11180 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11181 BPF_MOV64_IMM(BPF_REG_0, 0),
11182 BPF_EXIT_INSN(),
11183
11184 /* subprog 1 */
11185 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11186 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11187 /* 1st lookup from map */
11188 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11189 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11190 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11191 BPF_LD_MAP_FD(BPF_REG_1, 0),
11192 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11193 BPF_FUNC_map_lookup_elem),
11194 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11195 BPF_MOV64_IMM(BPF_REG_8, 0),
11196 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11197 /* write map_value_ptr into stack frame of main prog at fp-8 */
11198 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11199 BPF_MOV64_IMM(BPF_REG_8, 1),
11200
11201 /* 2nd lookup from map */
11202 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
11203 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11204 BPF_LD_MAP_FD(BPF_REG_1, 0),
11205 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
11206 BPF_FUNC_map_lookup_elem),
11207 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11208 BPF_MOV64_IMM(BPF_REG_9, 0),
11209 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11210 /* write map_value_ptr into stack frame of main prog at fp-16 */
11211 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11212 BPF_MOV64_IMM(BPF_REG_9, 1),
11213
11214 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11215 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
11216 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11217 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11218 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11219 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), /* 34 */
11220 BPF_EXIT_INSN(),
11221
11222 /* subprog 2 */
11223 /* if arg2 == 1 do *arg1 = 0 */
11224 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11225 /* fetch map_value_ptr from the stack of this function */
11226 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11227 /* write into map value */
11228 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11229
11230 /* if arg4 == 1 do *arg3 = 0 */
11231 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11232 /* fetch map_value_ptr from the stack of this function */
11233 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11234 /* write into map value */
11235 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11236 BPF_EXIT_INSN(),
11237 },
11238 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11239 .fixup_map1 = { 12, 22 },
11240 .result = ACCEPT,
11241 },
11242 {
11243 "calls: two jumps that receive map_value via arg=ptr_stack_of_jumper. test3",
11244 .insns = {
11245 /* main prog */
11246 /* pass fp-16, fp-8 into a function */
11247 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11248 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11249 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11250 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11251 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
11252 BPF_MOV64_IMM(BPF_REG_0, 0),
11253 BPF_EXIT_INSN(),
11254
11255 /* subprog 1 */
11256 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11257 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11258 /* 1st lookup from map */
11259 BPF_ST_MEM(BPF_DW, BPF_REG_10, -24, 0),
11260 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11261 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
11262 BPF_LD_MAP_FD(BPF_REG_1, 0),
11263 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11264 BPF_FUNC_map_lookup_elem),
11265 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11266 BPF_MOV64_IMM(BPF_REG_8, 0),
11267 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11268 /* write map_value_ptr into stack frame of main prog at fp-8 */
11269 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11270 BPF_MOV64_IMM(BPF_REG_8, 1),
11271
11272 /* 2nd lookup from map */
11273 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11274 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
11275 BPF_LD_MAP_FD(BPF_REG_1, 0),
11276 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11277 BPF_FUNC_map_lookup_elem),
11278 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11279 BPF_MOV64_IMM(BPF_REG_9, 0), // 26
11280 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11281 /* write map_value_ptr into stack frame of main prog at fp-16 */
11282 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11283 BPF_MOV64_IMM(BPF_REG_9, 1),
11284
11285 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11286 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), // 30
11287 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11288 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11289 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11290 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), // 34
11291 BPF_JMP_IMM(BPF_JA, 0, 0, -30),
11292
11293 /* subprog 2 */
11294 /* if arg2 == 1 do *arg1 = 0 */
11295 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11296 /* fetch map_value_ptr from the stack of this function */
11297 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11298 /* write into map value */
11299 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11300
11301 /* if arg4 == 1 do *arg3 = 0 */
11302 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11303 /* fetch map_value_ptr from the stack of this function */
11304 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11305 /* write into map value */
11306 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
11307 BPF_JMP_IMM(BPF_JA, 0, 0, -8),
11308 },
11309 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11310 .fixup_map1 = { 12, 22 },
11311 .result = REJECT,
11312 .errstr = "invalid access to map value, value_size=8 off=2 size=8",
11313 },
11314 {
11315 "calls: two calls that receive map_value_ptr_or_null via arg. test1",
11316 .insns = {
11317 /* main prog */
11318 /* pass fp-16, fp-8 into a function */
11319 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11320 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11321 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11322 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11323 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11324 BPF_MOV64_IMM(BPF_REG_0, 0),
11325 BPF_EXIT_INSN(),
11326
11327 /* subprog 1 */
11328 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11329 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11330 /* 1st lookup from map */
11331 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11332 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11333 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11334 BPF_LD_MAP_FD(BPF_REG_1, 0),
11335 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11336 BPF_FUNC_map_lookup_elem),
11337 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11338 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11339 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11340 BPF_MOV64_IMM(BPF_REG_8, 0),
11341 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11342 BPF_MOV64_IMM(BPF_REG_8, 1),
11343
11344 /* 2nd lookup from map */
11345 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11346 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11347 BPF_LD_MAP_FD(BPF_REG_1, 0),
11348 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11349 BPF_FUNC_map_lookup_elem),
11350 /* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
11351 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11352 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11353 BPF_MOV64_IMM(BPF_REG_9, 0),
11354 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11355 BPF_MOV64_IMM(BPF_REG_9, 1),
11356
11357 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11358 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11359 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11360 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11361 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11362 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11363 BPF_EXIT_INSN(),
11364
11365 /* subprog 2 */
11366 /* if arg2 == 1 do *arg1 = 0 */
11367 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11368 /* fetch map_value_ptr from the stack of this function */
11369 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11370 /* write into map value */
11371 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11372
11373 /* if arg4 == 1 do *arg3 = 0 */
11374 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11375 /* fetch map_value_ptr from the stack of this function */
11376 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11377 /* write into map value */
11378 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11379 BPF_EXIT_INSN(),
11380 },
11381 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11382 .fixup_map1 = { 12, 22 },
11383 .result = ACCEPT,
11384 },
11385 {
11386 "calls: two calls that receive map_value_ptr_or_null via arg. test2",
11387 .insns = {
11388 /* main prog */
11389 /* pass fp-16, fp-8 into a function */
11390 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11391 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11392 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11393 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11394 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11395 BPF_MOV64_IMM(BPF_REG_0, 0),
11396 BPF_EXIT_INSN(),
11397
11398 /* subprog 1 */
11399 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11400 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11401 /* 1st lookup from map */
11402 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11403 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11404 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11405 BPF_LD_MAP_FD(BPF_REG_1, 0),
11406 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11407 BPF_FUNC_map_lookup_elem),
11408 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11409 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11410 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11411 BPF_MOV64_IMM(BPF_REG_8, 0),
11412 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11413 BPF_MOV64_IMM(BPF_REG_8, 1),
11414
11415 /* 2nd lookup from map */
11416 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11417 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11418 BPF_LD_MAP_FD(BPF_REG_1, 0),
11419 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11420 BPF_FUNC_map_lookup_elem),
11421 /* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
11422 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11423 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11424 BPF_MOV64_IMM(BPF_REG_9, 0),
11425 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11426 BPF_MOV64_IMM(BPF_REG_9, 1),
11427
11428 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11429 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11430 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11431 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11432 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11433 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11434 BPF_EXIT_INSN(),
11435
11436 /* subprog 2 */
11437 /* if arg2 == 1 do *arg1 = 0 */
11438 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11439 /* fetch map_value_ptr from the stack of this function */
11440 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11441 /* write into map value */
11442 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11443
11444 /* if arg4 == 0 do *arg3 = 0 */
11445 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 0, 2),
11446 /* fetch map_value_ptr from the stack of this function */
11447 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11448 /* write into map value */
11449 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11450 BPF_EXIT_INSN(),
11451 },
11452 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11453 .fixup_map1 = { 12, 22 },
11454 .result = REJECT,
11455 .errstr = "R0 invalid mem access 'inv'",
11456 },
11457 {
11458 "calls: pkt_ptr spill into caller stack",
11459 .insns = {
11460 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11461 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11462 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11463 BPF_EXIT_INSN(),
11464
11465 /* subprog 1 */
11466 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11467 offsetof(struct __sk_buff, data)),
11468 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11469 offsetof(struct __sk_buff, data_end)),
11470 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11471 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11472 /* spill unchecked pkt_ptr into stack of caller */
11473 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11474 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11475 /* now the pkt range is verified, read pkt_ptr from stack */
11476 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
11477 /* write 4 bytes into packet */
11478 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11479 BPF_EXIT_INSN(),
11480 },
11481 .result = ACCEPT,
11482 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11483 .retval = POINTER_VALUE,
11484 },
11485 {
11486 "calls: pkt_ptr spill into caller stack 2",
11487 .insns = {
11488 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11489 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11490 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11491 /* Marking is still kept, but not in all cases safe. */
11492 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11493 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
11494 BPF_EXIT_INSN(),
11495
11496 /* subprog 1 */
11497 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11498 offsetof(struct __sk_buff, data)),
11499 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11500 offsetof(struct __sk_buff, data_end)),
11501 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11502 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11503 /* spill unchecked pkt_ptr into stack of caller */
11504 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11505 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11506 /* now the pkt range is verified, read pkt_ptr from stack */
11507 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
11508 /* write 4 bytes into packet */
11509 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11510 BPF_EXIT_INSN(),
11511 },
11512 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11513 .errstr = "invalid access to packet",
11514 .result = REJECT,
11515 },
11516 {
11517 "calls: pkt_ptr spill into caller stack 3",
11518 .insns = {
11519 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11520 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11521 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11522 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11523 /* Marking is still kept and safe here. */
11524 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11525 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
11526 BPF_EXIT_INSN(),
11527
11528 /* subprog 1 */
11529 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11530 offsetof(struct __sk_buff, data)),
11531 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11532 offsetof(struct __sk_buff, data_end)),
11533 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11534 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11535 /* spill unchecked pkt_ptr into stack of caller */
11536 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11537 BPF_MOV64_IMM(BPF_REG_5, 0),
11538 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11539 BPF_MOV64_IMM(BPF_REG_5, 1),
11540 /* now the pkt range is verified, read pkt_ptr from stack */
11541 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
11542 /* write 4 bytes into packet */
11543 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11544 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11545 BPF_EXIT_INSN(),
11546 },
11547 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11548 .result = ACCEPT,
11549 .retval = 1,
11550 },
11551 {
11552 "calls: pkt_ptr spill into caller stack 4",
11553 .insns = {
11554 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11555 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11556 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11557 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11558 /* Check marking propagated. */
11559 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11560 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
11561 BPF_EXIT_INSN(),
11562
11563 /* subprog 1 */
11564 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11565 offsetof(struct __sk_buff, data)),
11566 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11567 offsetof(struct __sk_buff, data_end)),
11568 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11569 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11570 /* spill unchecked pkt_ptr into stack of caller */
11571 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11572 BPF_MOV64_IMM(BPF_REG_5, 0),
11573 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11574 BPF_MOV64_IMM(BPF_REG_5, 1),
11575 /* don't read back pkt_ptr from stack here */
11576 /* write 4 bytes into packet */
11577 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11578 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11579 BPF_EXIT_INSN(),
11580 },
11581 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11582 .result = ACCEPT,
11583 .retval = 1,
11584 },
11585 {
11586 "calls: pkt_ptr spill into caller stack 5",
11587 .insns = {
11588 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11589 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11590 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, 0),
11591 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11592 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11593 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11594 BPF_EXIT_INSN(),
11595
11596 /* subprog 1 */
11597 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11598 offsetof(struct __sk_buff, data)),
11599 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11600 offsetof(struct __sk_buff, data_end)),
11601 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11602 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11603 BPF_MOV64_IMM(BPF_REG_5, 0),
11604 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11605 /* spill checked pkt_ptr into stack of caller */
11606 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11607 BPF_MOV64_IMM(BPF_REG_5, 1),
11608 /* don't read back pkt_ptr from stack here */
11609 /* write 4 bytes into packet */
11610 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11611 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11612 BPF_EXIT_INSN(),
11613 },
11614 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11615 .errstr = "same insn cannot be used with different",
11616 .result = REJECT,
11617 },
11618 {
11619 "calls: pkt_ptr spill into caller stack 6",
11620 .insns = {
11621 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11622 offsetof(struct __sk_buff, data_end)),
11623 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11624 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11625 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11626 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11627 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11628 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11629 BPF_EXIT_INSN(),
11630
11631 /* subprog 1 */
11632 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11633 offsetof(struct __sk_buff, data)),
11634 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11635 offsetof(struct __sk_buff, data_end)),
11636 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11637 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11638 BPF_MOV64_IMM(BPF_REG_5, 0),
11639 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11640 /* spill checked pkt_ptr into stack of caller */
11641 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11642 BPF_MOV64_IMM(BPF_REG_5, 1),
11643 /* don't read back pkt_ptr from stack here */
11644 /* write 4 bytes into packet */
11645 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11646 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11647 BPF_EXIT_INSN(),
11648 },
11649 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11650 .errstr = "R4 invalid mem access",
11651 .result = REJECT,
11652 },
11653 {
11654 "calls: pkt_ptr spill into caller stack 7",
11655 .insns = {
11656 BPF_MOV64_IMM(BPF_REG_2, 0),
11657 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11658 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11659 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11660 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11661 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11662 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11663 BPF_EXIT_INSN(),
11664
11665 /* subprog 1 */
11666 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11667 offsetof(struct __sk_buff, data)),
11668 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11669 offsetof(struct __sk_buff, data_end)),
11670 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11671 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11672 BPF_MOV64_IMM(BPF_REG_5, 0),
11673 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11674 /* spill checked pkt_ptr into stack of caller */
11675 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11676 BPF_MOV64_IMM(BPF_REG_5, 1),
11677 /* don't read back pkt_ptr from stack here */
11678 /* write 4 bytes into packet */
11679 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11680 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11681 BPF_EXIT_INSN(),
11682 },
11683 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11684 .errstr = "R4 invalid mem access",
11685 .result = REJECT,
11686 },
11687 {
11688 "calls: pkt_ptr spill into caller stack 8",
11689 .insns = {
11690 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11691 offsetof(struct __sk_buff, data)),
11692 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11693 offsetof(struct __sk_buff, data_end)),
11694 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11695 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11696 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
11697 BPF_EXIT_INSN(),
11698 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11699 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11700 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11701 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11702 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11703 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11704 BPF_EXIT_INSN(),
11705
11706 /* subprog 1 */
11707 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11708 offsetof(struct __sk_buff, data)),
11709 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11710 offsetof(struct __sk_buff, data_end)),
11711 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11712 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11713 BPF_MOV64_IMM(BPF_REG_5, 0),
11714 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11715 /* spill checked pkt_ptr into stack of caller */
11716 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11717 BPF_MOV64_IMM(BPF_REG_5, 1),
11718 /* don't read back pkt_ptr from stack here */
11719 /* write 4 bytes into packet */
11720 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11721 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11722 BPF_EXIT_INSN(),
11723 },
11724 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11725 .result = ACCEPT,
11726 },
11727 {
11728 "calls: pkt_ptr spill into caller stack 9",
11729 .insns = {
11730 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11731 offsetof(struct __sk_buff, data)),
11732 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11733 offsetof(struct __sk_buff, data_end)),
11734 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11735 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11736 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
11737 BPF_EXIT_INSN(),
11738 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11739 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11740 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11741 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11742 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11743 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11744 BPF_EXIT_INSN(),
11745
11746 /* subprog 1 */
11747 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11748 offsetof(struct __sk_buff, data)),
11749 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11750 offsetof(struct __sk_buff, data_end)),
11751 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11752 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11753 BPF_MOV64_IMM(BPF_REG_5, 0),
11754 /* spill unchecked pkt_ptr into stack of caller */
11755 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11756 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11757 BPF_MOV64_IMM(BPF_REG_5, 1),
11758 /* don't read back pkt_ptr from stack here */
11759 /* write 4 bytes into packet */
11760 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11761 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11762 BPF_EXIT_INSN(),
11763 },
11764 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11765 .errstr = "invalid access to packet",
11766 .result = REJECT,
11767 },
11768 {
11769 "calls: caller stack init to zero or map_value_or_null",
11770 .insns = {
11771 BPF_MOV64_IMM(BPF_REG_0, 0),
11772 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
11773 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11774 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11775 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11776 /* fetch map_value_or_null or const_zero from stack */
11777 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
11778 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
11779 /* store into map_value */
11780 BPF_ST_MEM(BPF_W, BPF_REG_0, 0, 0),
11781 BPF_EXIT_INSN(),
11782
11783 /* subprog 1 */
11784 /* if (ctx == 0) return; */
11785 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 8),
11786 /* else bpf_map_lookup() and *(fp - 8) = r0 */
11787 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
11788 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11789 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11790 BPF_LD_MAP_FD(BPF_REG_1, 0),
11791 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11792 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11793 BPF_FUNC_map_lookup_elem),
11794 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11795 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11796 BPF_EXIT_INSN(),
11797 },
11798 .fixup_map1 = { 13 },
11799 .result = ACCEPT,
11800 .prog_type = BPF_PROG_TYPE_XDP,
11801 },
11802 {
11803 "calls: stack init to zero and pruning",
11804 .insns = {
11805 /* first make allocated_stack 16 byte */
11806 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
11807 /* now fork the execution such that the false branch
11808 * of JGT insn will be verified second and it skisp zero
11809 * init of fp-8 stack slot. If stack liveness marking
11810 * is missing live_read marks from call map_lookup
11811 * processing then pruning will incorrectly assume
11812 * that fp-8 stack slot was unused in the fall-through
11813 * branch and will accept the program incorrectly
11814 */
11815 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 2),
11816 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11817 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
11818 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11819 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11820 BPF_LD_MAP_FD(BPF_REG_1, 0),
11821 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11822 BPF_FUNC_map_lookup_elem),
11823 BPF_EXIT_INSN(),
11824 },
11825 .fixup_map2 = { 6 },
11826 .errstr = "invalid indirect read from stack off -8+0 size 8",
11827 .result = REJECT,
11828 .prog_type = BPF_PROG_TYPE_XDP,
11829 },
11830 {
11831 "calls: two calls returning different map pointers for lookup (hash, array)",
11832 .insns = {
11833 /* main prog */
11834 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
11835 BPF_CALL_REL(11),
11836 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11837 BPF_CALL_REL(12),
11838 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
11839 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11840 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11841 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11842 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11843 BPF_FUNC_map_lookup_elem),
11844 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11845 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
11846 offsetof(struct test_val, foo)),
11847 BPF_MOV64_IMM(BPF_REG_0, 1),
11848 BPF_EXIT_INSN(),
11849 /* subprog 1 */
11850 BPF_LD_MAP_FD(BPF_REG_0, 0),
11851 BPF_EXIT_INSN(),
11852 /* subprog 2 */
11853 BPF_LD_MAP_FD(BPF_REG_0, 0),
11854 BPF_EXIT_INSN(),
11855 },
11856 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11857 .fixup_map2 = { 13 },
11858 .fixup_map4 = { 16 },
11859 .result = ACCEPT,
11860 .retval = 1,
11861 },
11862 {
11863 "calls: two calls returning different map pointers for lookup (hash, map in map)",
11864 .insns = {
11865 /* main prog */
11866 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
11867 BPF_CALL_REL(11),
11868 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11869 BPF_CALL_REL(12),
11870 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
11871 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11872 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11873 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11874 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11875 BPF_FUNC_map_lookup_elem),
11876 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11877 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
11878 offsetof(struct test_val, foo)),
11879 BPF_MOV64_IMM(BPF_REG_0, 1),
11880 BPF_EXIT_INSN(),
11881 /* subprog 1 */
11882 BPF_LD_MAP_FD(BPF_REG_0, 0),
11883 BPF_EXIT_INSN(),
11884 /* subprog 2 */
11885 BPF_LD_MAP_FD(BPF_REG_0, 0),
11886 BPF_EXIT_INSN(),
11887 },
11888 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11889 .fixup_map_in_map = { 16 },
11890 .fixup_map4 = { 13 },
11891 .result = REJECT,
11892 .errstr = "R0 invalid mem access 'map_ptr'",
11893 },
11894 {
11895 "cond: two branches returning different map pointers for lookup (tail, tail)",
11896 .insns = {
11897 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
11898 offsetof(struct __sk_buff, mark)),
11899 BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 0, 3),
11900 BPF_LD_MAP_FD(BPF_REG_2, 0),
11901 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11902 BPF_LD_MAP_FD(BPF_REG_2, 0),
11903 BPF_MOV64_IMM(BPF_REG_3, 7),
11904 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11905 BPF_FUNC_tail_call),
11906 BPF_MOV64_IMM(BPF_REG_0, 1),
11907 BPF_EXIT_INSN(),
11908 },
11909 .fixup_prog1 = { 5 },
11910 .fixup_prog2 = { 2 },
11911 .result_unpriv = REJECT,
11912 .errstr_unpriv = "tail_call abusing map_ptr",
11913 .result = ACCEPT,
11914 .retval = 42,
11915 },
11916 {
11917 "cond: two branches returning same map pointers for lookup (tail, tail)",
11918 .insns = {
11919 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
11920 offsetof(struct __sk_buff, mark)),
11921 BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 3),
11922 BPF_LD_MAP_FD(BPF_REG_2, 0),
11923 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11924 BPF_LD_MAP_FD(BPF_REG_2, 0),
11925 BPF_MOV64_IMM(BPF_REG_3, 7),
11926 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11927 BPF_FUNC_tail_call),
11928 BPF_MOV64_IMM(BPF_REG_0, 1),
11929 BPF_EXIT_INSN(),
11930 },
11931 .fixup_prog2 = { 2, 5 },
11932 .result_unpriv = ACCEPT,
11933 .result = ACCEPT,
11934 .retval = 42,
11935 },
11936 {
11937 "search pruning: all branches should be verified (nop operation)",
11938 .insns = {
11939 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11940 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11941 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
11942 BPF_LD_MAP_FD(BPF_REG_1, 0),
11943 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
11944 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
11945 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
11946 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
11947 BPF_MOV64_IMM(BPF_REG_4, 0),
11948 BPF_JMP_A(1),
11949 BPF_MOV64_IMM(BPF_REG_4, 1),
11950 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
11951 BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
11952 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
11953 BPF_JMP_IMM(BPF_JEQ, BPF_REG_5, 0, 2),
11954 BPF_MOV64_IMM(BPF_REG_6, 0),
11955 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xdead),
11956 BPF_EXIT_INSN(),
11957 },
11958 .fixup_map1 = { 3 },
11959 .errstr = "R6 invalid mem access 'inv'",
11960 .result = REJECT,
11961 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11962 },
11963 {
11964 "search pruning: all branches should be verified (invalid stack access)",
11965 .insns = {
11966 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11967 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11968 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
11969 BPF_LD_MAP_FD(BPF_REG_1, 0),
11970 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
11971 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
11972 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
11973 BPF_MOV64_IMM(BPF_REG_4, 0),
11974 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
11975 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
11976 BPF_JMP_A(1),
11977 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -24),
11978 BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
11979 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
11980 BPF_EXIT_INSN(),
11981 },
11982 .fixup_map1 = { 3 },
11983 .errstr = "invalid read from stack off -16+0 size 8",
11984 .result = REJECT,
11985 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11986 },
11987 {
11988 "jit: lsh, rsh, arsh by 1",
11989 .insns = {
11990 BPF_MOV64_IMM(BPF_REG_0, 1),
11991 BPF_MOV64_IMM(BPF_REG_1, 0xff),
11992 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 1),
11993 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 1),
11994 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x3fc, 1),
11995 BPF_EXIT_INSN(),
11996 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 1),
11997 BPF_ALU32_IMM(BPF_RSH, BPF_REG_1, 1),
11998 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0xff, 1),
11999 BPF_EXIT_INSN(),
12000 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 1),
12001 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x7f, 1),
12002 BPF_EXIT_INSN(),
12003 BPF_MOV64_IMM(BPF_REG_0, 2),
12004 BPF_EXIT_INSN(),
12005 },
12006 .result = ACCEPT,
12007 .retval = 2,
12008 },
12009 {
12010 "jit: mov32 for ldimm64, 1",
12011 .insns = {
12012 BPF_MOV64_IMM(BPF_REG_0, 2),
12013 BPF_LD_IMM64(BPF_REG_1, 0xfeffffffffffffffULL),
12014 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32),
12015 BPF_LD_IMM64(BPF_REG_2, 0xfeffffffULL),
12016 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
12017 BPF_MOV64_IMM(BPF_REG_0, 1),
12018 BPF_EXIT_INSN(),
12019 },
12020 .result = ACCEPT,
12021 .retval = 2,
12022 },
12023 {
12024 "jit: mov32 for ldimm64, 2",
12025 .insns = {
12026 BPF_MOV64_IMM(BPF_REG_0, 1),
12027 BPF_LD_IMM64(BPF_REG_1, 0x1ffffffffULL),
12028 BPF_LD_IMM64(BPF_REG_2, 0xffffffffULL),
12029 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
12030 BPF_MOV64_IMM(BPF_REG_0, 2),
12031 BPF_EXIT_INSN(),
12032 },
12033 .result = ACCEPT,
12034 .retval = 2,
12035 },
12036 {
12037 "jit: various mul tests",
12038 .insns = {
12039 BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
12040 BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
12041 BPF_LD_IMM64(BPF_REG_1, 0xefefefULL),
12042 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
12043 BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
12044 BPF_MOV64_IMM(BPF_REG_0, 1),
12045 BPF_EXIT_INSN(),
12046 BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
12047 BPF_ALU64_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
12048 BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
12049 BPF_MOV64_IMM(BPF_REG_0, 1),
12050 BPF_EXIT_INSN(),
12051 BPF_MOV32_REG(BPF_REG_2, BPF_REG_2),
12052 BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
12053 BPF_ALU32_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
12054 BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
12055 BPF_MOV64_IMM(BPF_REG_0, 1),
12056 BPF_EXIT_INSN(),
12057 BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
12058 BPF_ALU32_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
12059 BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
12060 BPF_MOV64_IMM(BPF_REG_0, 1),
12061 BPF_EXIT_INSN(),
12062 BPF_LD_IMM64(BPF_REG_0, 0x952a7bbcULL),
12063 BPF_LD_IMM64(BPF_REG_1, 0xfefefeULL),
12064 BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
12065 BPF_ALU32_REG(BPF_MUL, BPF_REG_2, BPF_REG_1),
12066 BPF_JMP_REG(BPF_JEQ, BPF_REG_2, BPF_REG_0, 2),
12067 BPF_MOV64_IMM(BPF_REG_0, 1),
12068 BPF_EXIT_INSN(),
12069 BPF_MOV64_IMM(BPF_REG_0, 2),
12070 BPF_EXIT_INSN(),
12071 },
12072 .result = ACCEPT,
12073 .retval = 2,
12074 },
12075 {
12076 "xadd/w check unaligned stack",
12077 .insns = {
12078 BPF_MOV64_IMM(BPF_REG_0, 1),
12079 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12080 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -7),
12081 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
12082 BPF_EXIT_INSN(),
12083 },
12084 .result = REJECT,
12085 .errstr = "misaligned stack access off",
12086 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12087 },
12088 {
12089 "xadd/w check unaligned map",
12090 .insns = {
12091 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12092 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12093 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12094 BPF_LD_MAP_FD(BPF_REG_1, 0),
12095 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12096 BPF_FUNC_map_lookup_elem),
12097 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
12098 BPF_EXIT_INSN(),
12099 BPF_MOV64_IMM(BPF_REG_1, 1),
12100 BPF_STX_XADD(BPF_W, BPF_REG_0, BPF_REG_1, 3),
12101 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 3),
12102 BPF_EXIT_INSN(),
12103 },
12104 .fixup_map1 = { 3 },
12105 .result = REJECT,
12106 .errstr = "misaligned value access off",
12107 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12108 },
12109 {
12110 "xadd/w check unaligned pkt",
12111 .insns = {
12112 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12113 offsetof(struct xdp_md, data)),
12114 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12115 offsetof(struct xdp_md, data_end)),
12116 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
12117 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
12118 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 2),
12119 BPF_MOV64_IMM(BPF_REG_0, 99),
12120 BPF_JMP_IMM(BPF_JA, 0, 0, 6),
12121 BPF_MOV64_IMM(BPF_REG_0, 1),
12122 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12123 BPF_ST_MEM(BPF_W, BPF_REG_2, 3, 0),
12124 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 1),
12125 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 2),
12126 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 1),
12127 BPF_EXIT_INSN(),
12128 },
12129 .result = REJECT,
12130 .errstr = "BPF_XADD stores into R2 packet",
12131 .prog_type = BPF_PROG_TYPE_XDP,
12132 },
12133 {
12134 "xadd/w check whether src/dst got mangled, 1",
12135 .insns = {
12136 BPF_MOV64_IMM(BPF_REG_0, 1),
12137 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
12138 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
12139 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12140 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12141 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12142 BPF_JMP_REG(BPF_JNE, BPF_REG_6, BPF_REG_0, 3),
12143 BPF_JMP_REG(BPF_JNE, BPF_REG_7, BPF_REG_10, 2),
12144 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
12145 BPF_EXIT_INSN(),
12146 BPF_MOV64_IMM(BPF_REG_0, 42),
12147 BPF_EXIT_INSN(),
12148 },
12149 .result = ACCEPT,
12150 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12151 .retval = 3,
12152 },
12153 {
12154 "xadd/w check whether src/dst got mangled, 2",
12155 .insns = {
12156 BPF_MOV64_IMM(BPF_REG_0, 1),
12157 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
12158 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
12159 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -8),
12160 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -8),
12161 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -8),
12162 BPF_JMP_REG(BPF_JNE, BPF_REG_6, BPF_REG_0, 3),
12163 BPF_JMP_REG(BPF_JNE, BPF_REG_7, BPF_REG_10, 2),
12164 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
12165 BPF_EXIT_INSN(),
12166 BPF_MOV64_IMM(BPF_REG_0, 42),
12167 BPF_EXIT_INSN(),
12168 },
12169 .result = ACCEPT,
12170 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12171 .retval = 3,
12172 },
12173 {
12174 "bpf_get_stack return R0 within range",
12175 .insns = {
12176 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12177 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12178 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12179 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12180 BPF_LD_MAP_FD(BPF_REG_1, 0),
12181 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12182 BPF_FUNC_map_lookup_elem),
12183 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 28),
12184 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
12185 BPF_MOV64_IMM(BPF_REG_9, sizeof(struct test_val)),
12186 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12187 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
12188 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct test_val)),
12189 BPF_MOV64_IMM(BPF_REG_4, 256),
12190 BPF_EMIT_CALL(BPF_FUNC_get_stack),
12191 BPF_MOV64_IMM(BPF_REG_1, 0),
12192 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
12193 BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 32),
12194 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_8, 32),
12195 BPF_JMP_REG(BPF_JSLT, BPF_REG_1, BPF_REG_8, 16),
12196 BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8),
12197 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
12198 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_8),
12199 BPF_MOV64_REG(BPF_REG_1, BPF_REG_9),
12200 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32),
12201 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 32),
12202 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
12203 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_1),
12204 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
12205 BPF_MOV64_IMM(BPF_REG_5, sizeof(struct test_val)),
12206 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_5),
12207 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 4),
12208 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12209 BPF_MOV64_REG(BPF_REG_3, BPF_REG_9),
12210 BPF_MOV64_IMM(BPF_REG_4, 0),
12211 BPF_EMIT_CALL(BPF_FUNC_get_stack),
12212 BPF_EXIT_INSN(),
12213 },
12214 .fixup_map2 = { 4 },
12215 .result = ACCEPT,
12216 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12217 },
12218 {
12219 "ld_abs: invalid op 1",
12220 .insns = {
12221 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12222 BPF_LD_ABS(BPF_DW, 0),
12223 BPF_EXIT_INSN(),
12224 },
12225 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12226 .result = REJECT,
12227 .errstr = "unknown opcode",
12228 },
12229 {
12230 "ld_abs: invalid op 2",
12231 .insns = {
12232 BPF_MOV32_IMM(BPF_REG_0, 256),
12233 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12234 BPF_LD_IND(BPF_DW, BPF_REG_0, 0),
12235 BPF_EXIT_INSN(),
12236 },
12237 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12238 .result = REJECT,
12239 .errstr = "unknown opcode",
12240 },
12241 {
12242 "ld_abs: nmap reduced",
12243 .insns = {
12244 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12245 BPF_LD_ABS(BPF_H, 12),
12246 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 28),
12247 BPF_LD_ABS(BPF_H, 12),
12248 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 26),
12249 BPF_MOV32_IMM(BPF_REG_0, 18),
12250 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -64),
12251 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -64),
12252 BPF_LD_IND(BPF_W, BPF_REG_7, 14),
12253 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -60),
12254 BPF_MOV32_IMM(BPF_REG_0, 280971478),
12255 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
12256 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
12257 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -60),
12258 BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
12259 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 15),
12260 BPF_LD_ABS(BPF_H, 12),
12261 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 13),
12262 BPF_MOV32_IMM(BPF_REG_0, 22),
12263 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
12264 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
12265 BPF_LD_IND(BPF_H, BPF_REG_7, 14),
12266 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -52),
12267 BPF_MOV32_IMM(BPF_REG_0, 17366),
12268 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -48),
12269 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -48),
12270 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -52),
12271 BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
12272 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12273 BPF_MOV32_IMM(BPF_REG_0, 256),
12274 BPF_EXIT_INSN(),
12275 BPF_MOV32_IMM(BPF_REG_0, 0),
12276 BPF_EXIT_INSN(),
12277 },
12278 .data = {
12279 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x08, 0x06, 0,
12280 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
12281 0x10, 0xbf, 0x48, 0xd6, 0x43, 0xd6,
12282 },
12283 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12284 .result = ACCEPT,
12285 .retval = 256,
12286 },
12287 {
12288 "ld_abs: div + abs, test 1",
12289 .insns = {
12290 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12291 BPF_LD_ABS(BPF_B, 3),
12292 BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
12293 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
12294 BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
12295 BPF_LD_ABS(BPF_B, 4),
12296 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
12297 BPF_LD_IND(BPF_B, BPF_REG_8, -70),
12298 BPF_EXIT_INSN(),
12299 },
12300 .data = {
12301 10, 20, 30, 40, 50,
12302 },
12303 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12304 .result = ACCEPT,
12305 .retval = 10,
12306 },
12307 {
12308 "ld_abs: div + abs, test 2",
12309 .insns = {
12310 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12311 BPF_LD_ABS(BPF_B, 3),
12312 BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
12313 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
12314 BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
12315 BPF_LD_ABS(BPF_B, 128),
12316 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
12317 BPF_LD_IND(BPF_B, BPF_REG_8, -70),
12318 BPF_EXIT_INSN(),
12319 },
12320 .data = {
12321 10, 20, 30, 40, 50,
12322 },
12323 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12324 .result = ACCEPT,
12325 .retval = 0,
12326 },
12327 {
12328 "ld_abs: div + abs, test 3",
12329 .insns = {
12330 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12331 BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
12332 BPF_LD_ABS(BPF_B, 3),
12333 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
12334 BPF_EXIT_INSN(),
12335 },
12336 .data = {
12337 10, 20, 30, 40, 50,
12338 },
12339 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12340 .result = ACCEPT,
12341 .retval = 0,
12342 },
12343 {
12344 "ld_abs: div + abs, test 4",
12345 .insns = {
12346 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12347 BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
12348 BPF_LD_ABS(BPF_B, 256),
12349 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
12350 BPF_EXIT_INSN(),
12351 },
12352 .data = {
12353 10, 20, 30, 40, 50,
12354 },
12355 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12356 .result = ACCEPT,
12357 .retval = 0,
12358 },
12359 {
12360 "ld_abs: vlan + abs, test 1",
12361 .insns = { },
12362 .data = {
12363 0x34,
12364 },
12365 .fill_helper = bpf_fill_ld_abs_vlan_push_pop,
12366 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12367 .result = ACCEPT,
12368 .retval = 0xbef,
12369 },
12370 {
12371 "ld_abs: vlan + abs, test 2",
12372 .insns = {
12373 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12374 BPF_LD_ABS(BPF_B, 0),
12375 BPF_LD_ABS(BPF_H, 0),
12376 BPF_LD_ABS(BPF_W, 0),
12377 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
12378 BPF_MOV64_IMM(BPF_REG_6, 0),
12379 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
12380 BPF_MOV64_IMM(BPF_REG_2, 1),
12381 BPF_MOV64_IMM(BPF_REG_3, 2),
12382 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12383 BPF_FUNC_skb_vlan_push),
12384 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
12385 BPF_LD_ABS(BPF_B, 0),
12386 BPF_LD_ABS(BPF_H, 0),
12387 BPF_LD_ABS(BPF_W, 0),
12388 BPF_MOV64_IMM(BPF_REG_0, 42),
12389 BPF_EXIT_INSN(),
12390 },
12391 .data = {
12392 0x34,
12393 },
12394 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12395 .result = ACCEPT,
12396 .retval = 42,
12397 },
12398 {
12399 "ld_abs: jump around ld_abs",
12400 .insns = { },
12401 .data = {
12402 10, 11,
12403 },
12404 .fill_helper = bpf_fill_jump_around_ld_abs,
12405 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12406 .result = ACCEPT,
12407 .retval = 10,
12408 },
12409 {
12410 "ld_dw: xor semi-random 64 bit imms, test 1",
12411 .insns = { },
12412 .data = { },
12413 .fill_helper = bpf_fill_rand_ld_dw,
12414 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12415 .result = ACCEPT,
12416 .retval = 4090,
12417 },
12418 {
12419 "ld_dw: xor semi-random 64 bit imms, test 2",
12420 .insns = { },
12421 .data = { },
12422 .fill_helper = bpf_fill_rand_ld_dw,
12423 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12424 .result = ACCEPT,
12425 .retval = 2047,
12426 },
12427 {
12428 "ld_dw: xor semi-random 64 bit imms, test 3",
12429 .insns = { },
12430 .data = { },
12431 .fill_helper = bpf_fill_rand_ld_dw,
12432 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12433 .result = ACCEPT,
12434 .retval = 511,
12435 },
12436 {
12437 "ld_dw: xor semi-random 64 bit imms, test 4",
12438 .insns = { },
12439 .data = { },
12440 .fill_helper = bpf_fill_rand_ld_dw,
12441 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12442 .result = ACCEPT,
12443 .retval = 5,
12444 },
12445 {
12446 "pass unmodified ctx pointer to helper",
12447 .insns = {
12448 BPF_MOV64_IMM(BPF_REG_2, 0),
12449 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12450 BPF_FUNC_csum_update),
12451 BPF_MOV64_IMM(BPF_REG_0, 0),
12452 BPF_EXIT_INSN(),
12453 },
12454 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12455 .result = ACCEPT,
12456 },
12457 {
12458 "pass modified ctx pointer to helper, 1",
12459 .insns = {
12460 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
12461 BPF_MOV64_IMM(BPF_REG_2, 0),
12462 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12463 BPF_FUNC_csum_update),
12464 BPF_MOV64_IMM(BPF_REG_0, 0),
12465 BPF_EXIT_INSN(),
12466 },
12467 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12468 .result = REJECT,
12469 .errstr = "dereference of modified ctx ptr",
12470 },
12471 {
12472 "pass modified ctx pointer to helper, 2",
12473 .insns = {
12474 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
12475 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12476 BPF_FUNC_get_socket_cookie),
12477 BPF_MOV64_IMM(BPF_REG_0, 0),
12478 BPF_EXIT_INSN(),
12479 },
12480 .result_unpriv = REJECT,
12481 .result = REJECT,
12482 .errstr_unpriv = "dereference of modified ctx ptr",
12483 .errstr = "dereference of modified ctx ptr",
12484 },
12485 {
12486 "pass modified ctx pointer to helper, 3",
12487 .insns = {
12488 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 0),
12489 BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 4),
12490 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
12491 BPF_MOV64_IMM(BPF_REG_2, 0),
12492 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12493 BPF_FUNC_csum_update),
12494 BPF_MOV64_IMM(BPF_REG_0, 0),
12495 BPF_EXIT_INSN(),
12496 },
12497 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12498 .result = REJECT,
12499 .errstr = "variable ctx access var_off=(0x0; 0x4)",
12500 },
12501 {
12502 "mov64 src == dst",
12503 .insns = {
12504 BPF_MOV64_IMM(BPF_REG_2, 0),
12505 BPF_MOV64_REG(BPF_REG_2, BPF_REG_2),
12506 // Check bounds are OK
12507 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
12508 BPF_MOV64_IMM(BPF_REG_0, 0),
12509 BPF_EXIT_INSN(),
12510 },
12511 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12512 .result = ACCEPT,
12513 },
12514 {
12515 "mov64 src != dst",
12516 .insns = {
12517 BPF_MOV64_IMM(BPF_REG_3, 0),
12518 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
12519 // Check bounds are OK
12520 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
12521 BPF_MOV64_IMM(BPF_REG_0, 0),
12522 BPF_EXIT_INSN(),
12523 },
12524 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12525 .result = ACCEPT,
12526 },
12527 {
12528 "calls: ctx read at start of subprog",
12529 .insns = {
12530 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12531 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
12532 BPF_JMP_REG(BPF_JSGT, BPF_REG_0, BPF_REG_0, 0),
12533 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12534 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12535 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
12536 BPF_EXIT_INSN(),
12537 BPF_LDX_MEM(BPF_B, BPF_REG_9, BPF_REG_1, 0),
12538 BPF_MOV64_IMM(BPF_REG_0, 0),
12539 BPF_EXIT_INSN(),
12540 },
12541 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
12542 .errstr_unpriv = "function calls to other bpf functions are allowed for root only",
12543 .result_unpriv = REJECT,
12544 .result = ACCEPT,
12545 },
12546 };
12547
12548 static int probe_filter_length(const struct bpf_insn *fp)
12549 {
12550 int len;
12551
12552 for (len = MAX_INSNS - 1; len > 0; --len)
12553 if (fp[len].code != 0 || fp[len].imm != 0)
12554 break;
12555 return len + 1;
12556 }
12557
12558 static int create_map(uint32_t type, uint32_t size_key,
12559 uint32_t size_value, uint32_t max_elem)
12560 {
12561 int fd;
12562
12563 fd = bpf_create_map(type, size_key, size_value, max_elem,
12564 type == BPF_MAP_TYPE_HASH ? BPF_F_NO_PREALLOC : 0);
12565 if (fd < 0)
12566 printf("Failed to create hash map '%s'!\n", strerror(errno));
12567
12568 return fd;
12569 }
12570
12571 static int create_prog_dummy1(void)
12572 {
12573 struct bpf_insn prog[] = {
12574 BPF_MOV64_IMM(BPF_REG_0, 42),
12575 BPF_EXIT_INSN(),
12576 };
12577
12578 return bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog,
12579 ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
12580 }
12581
12582 static int create_prog_dummy2(int mfd, int idx)
12583 {
12584 struct bpf_insn prog[] = {
12585 BPF_MOV64_IMM(BPF_REG_3, idx),
12586 BPF_LD_MAP_FD(BPF_REG_2, mfd),
12587 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12588 BPF_FUNC_tail_call),
12589 BPF_MOV64_IMM(BPF_REG_0, 41),
12590 BPF_EXIT_INSN(),
12591 };
12592
12593 return bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog,
12594 ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
12595 }
12596
12597 static int create_prog_array(uint32_t max_elem, int p1key)
12598 {
12599 int p2key = 1;
12600 int mfd, p1fd, p2fd;
12601
12602 mfd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
12603 sizeof(int), max_elem, 0);
12604 if (mfd < 0) {
12605 printf("Failed to create prog array '%s'!\n", strerror(errno));
12606 return -1;
12607 }
12608
12609 p1fd = create_prog_dummy1();
12610 p2fd = create_prog_dummy2(mfd, p2key);
12611 if (p1fd < 0 || p2fd < 0)
12612 goto out;
12613 if (bpf_map_update_elem(mfd, &p1key, &p1fd, BPF_ANY) < 0)
12614 goto out;
12615 if (bpf_map_update_elem(mfd, &p2key, &p2fd, BPF_ANY) < 0)
12616 goto out;
12617 close(p2fd);
12618 close(p1fd);
12619
12620 return mfd;
12621 out:
12622 close(p2fd);
12623 close(p1fd);
12624 close(mfd);
12625 return -1;
12626 }
12627
12628 static int create_map_in_map(void)
12629 {
12630 int inner_map_fd, outer_map_fd;
12631
12632 inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
12633 sizeof(int), 1, 0);
12634 if (inner_map_fd < 0) {
12635 printf("Failed to create array '%s'!\n", strerror(errno));
12636 return inner_map_fd;
12637 }
12638
12639 outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL,
12640 sizeof(int), inner_map_fd, 1, 0);
12641 if (outer_map_fd < 0)
12642 printf("Failed to create array of maps '%s'!\n",
12643 strerror(errno));
12644
12645 close(inner_map_fd);
12646
12647 return outer_map_fd;
12648 }
12649
12650 static int create_cgroup_storage(void)
12651 {
12652 int fd;
12653
12654 fd = bpf_create_map(BPF_MAP_TYPE_CGROUP_STORAGE,
12655 sizeof(struct bpf_cgroup_storage_key),
12656 TEST_DATA_LEN, 0, 0);
12657 if (fd < 0)
12658 printf("Failed to create array '%s'!\n", strerror(errno));
12659
12660 return fd;
12661 }
12662
12663 static char bpf_vlog[UINT_MAX >> 8];
12664
12665 static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog,
12666 int *map_fds)
12667 {
12668 int *fixup_map1 = test->fixup_map1;
12669 int *fixup_map2 = test->fixup_map2;
12670 int *fixup_map3 = test->fixup_map3;
12671 int *fixup_map4 = test->fixup_map4;
12672 int *fixup_prog1 = test->fixup_prog1;
12673 int *fixup_prog2 = test->fixup_prog2;
12674 int *fixup_map_in_map = test->fixup_map_in_map;
12675 int *fixup_cgroup_storage = test->fixup_cgroup_storage;
12676
12677 if (test->fill_helper)
12678 test->fill_helper(test);
12679
12680 /* Allocating HTs with 1 elem is fine here, since we only test
12681 * for verifier and not do a runtime lookup, so the only thing
12682 * that really matters is value size in this case.
12683 */
12684 if (*fixup_map1) {
12685 map_fds[0] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
12686 sizeof(long long), 1);
12687 do {
12688 prog[*fixup_map1].imm = map_fds[0];
12689 fixup_map1++;
12690 } while (*fixup_map1);
12691 }
12692
12693 if (*fixup_map2) {
12694 map_fds[1] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
12695 sizeof(struct test_val), 1);
12696 do {
12697 prog[*fixup_map2].imm = map_fds[1];
12698 fixup_map2++;
12699 } while (*fixup_map2);
12700 }
12701
12702 if (*fixup_map3) {
12703 map_fds[2] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
12704 sizeof(struct other_val), 1);
12705 do {
12706 prog[*fixup_map3].imm = map_fds[2];
12707 fixup_map3++;
12708 } while (*fixup_map3);
12709 }
12710
12711 if (*fixup_map4) {
12712 map_fds[3] = create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
12713 sizeof(struct test_val), 1);
12714 do {
12715 prog[*fixup_map4].imm = map_fds[3];
12716 fixup_map4++;
12717 } while (*fixup_map4);
12718 }
12719
12720 if (*fixup_prog1) {
12721 map_fds[4] = create_prog_array(4, 0);
12722 do {
12723 prog[*fixup_prog1].imm = map_fds[4];
12724 fixup_prog1++;
12725 } while (*fixup_prog1);
12726 }
12727
12728 if (*fixup_prog2) {
12729 map_fds[5] = create_prog_array(8, 7);
12730 do {
12731 prog[*fixup_prog2].imm = map_fds[5];
12732 fixup_prog2++;
12733 } while (*fixup_prog2);
12734 }
12735
12736 if (*fixup_map_in_map) {
12737 map_fds[6] = create_map_in_map();
12738 do {
12739 prog[*fixup_map_in_map].imm = map_fds[6];
12740 fixup_map_in_map++;
12741 } while (*fixup_map_in_map);
12742 }
12743
12744 if (*fixup_cgroup_storage) {
12745 map_fds[7] = create_cgroup_storage();
12746 do {
12747 prog[*fixup_cgroup_storage].imm = map_fds[7];
12748 fixup_cgroup_storage++;
12749 } while (*fixup_cgroup_storage);
12750 }
12751 }
12752
12753 static void do_test_single(struct bpf_test *test, bool unpriv,
12754 int *passes, int *errors)
12755 {
12756 int fd_prog, expected_ret, reject_from_alignment;
12757 int prog_len, prog_type = test->prog_type;
12758 struct bpf_insn *prog = test->insns;
12759 int map_fds[MAX_NR_MAPS];
12760 const char *expected_err;
12761 uint32_t retval;
12762 int i, err;
12763
12764 for (i = 0; i < MAX_NR_MAPS; i++)
12765 map_fds[i] = -1;
12766
12767 do_test_fixup(test, prog, map_fds);
12768 prog_len = probe_filter_length(prog);
12769
12770 fd_prog = bpf_verify_program(prog_type ? : BPF_PROG_TYPE_SOCKET_FILTER,
12771 prog, prog_len, test->flags & F_LOAD_WITH_STRICT_ALIGNMENT,
12772 "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1);
12773
12774 expected_ret = unpriv && test->result_unpriv != UNDEF ?
12775 test->result_unpriv : test->result;
12776 expected_err = unpriv && test->errstr_unpriv ?
12777 test->errstr_unpriv : test->errstr;
12778
12779 reject_from_alignment = fd_prog < 0 &&
12780 (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) &&
12781 strstr(bpf_vlog, "misaligned");
12782 #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
12783 if (reject_from_alignment) {
12784 printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n",
12785 strerror(errno));
12786 goto fail_log;
12787 }
12788 #endif
12789 if (expected_ret == ACCEPT) {
12790 if (fd_prog < 0 && !reject_from_alignment) {
12791 printf("FAIL\nFailed to load prog '%s'!\n",
12792 strerror(errno));
12793 goto fail_log;
12794 }
12795 } else {
12796 if (fd_prog >= 0) {
12797 printf("FAIL\nUnexpected success to load!\n");
12798 goto fail_log;
12799 }
12800 if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) {
12801 printf("FAIL\nUnexpected error message!\n\tEXP: %s\n\tRES: %s\n",
12802 expected_err, bpf_vlog);
12803 goto fail_log;
12804 }
12805 }
12806
12807 if (fd_prog >= 0) {
12808 __u8 tmp[TEST_DATA_LEN << 2];
12809 __u32 size_tmp = sizeof(tmp);
12810
12811 err = bpf_prog_test_run(fd_prog, 1, test->data,
12812 sizeof(test->data), tmp, &size_tmp,
12813 &retval, NULL);
12814 if (err && errno != 524/*ENOTSUPP*/ && errno != EPERM) {
12815 printf("Unexpected bpf_prog_test_run error\n");
12816 goto fail_log;
12817 }
12818 if (!err && retval != test->retval &&
12819 test->retval != POINTER_VALUE) {
12820 printf("FAIL retval %d != %d\n", retval, test->retval);
12821 goto fail_log;
12822 }
12823 }
12824 (*passes)++;
12825 printf("OK%s\n", reject_from_alignment ?
12826 " (NOTE: reject due to unknown alignment)" : "");
12827 close_fds:
12828 close(fd_prog);
12829 for (i = 0; i < MAX_NR_MAPS; i++)
12830 close(map_fds[i]);
12831 sched_yield();
12832 return;
12833 fail_log:
12834 (*errors)++;
12835 printf("%s", bpf_vlog);
12836 goto close_fds;
12837 }
12838
12839 static bool is_admin(void)
12840 {
12841 cap_t caps;
12842 cap_flag_value_t sysadmin = CAP_CLEAR;
12843 const cap_value_t cap_val = CAP_SYS_ADMIN;
12844
12845 #ifdef CAP_IS_SUPPORTED
12846 if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) {
12847 perror("cap_get_flag");
12848 return false;
12849 }
12850 #endif
12851 caps = cap_get_proc();
12852 if (!caps) {
12853 perror("cap_get_proc");
12854 return false;
12855 }
12856 if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin))
12857 perror("cap_get_flag");
12858 if (cap_free(caps))
12859 perror("cap_free");
12860 return (sysadmin == CAP_SET);
12861 }
12862
12863 static int set_admin(bool admin)
12864 {
12865 cap_t caps;
12866 const cap_value_t cap_val = CAP_SYS_ADMIN;
12867 int ret = -1;
12868
12869 caps = cap_get_proc();
12870 if (!caps) {
12871 perror("cap_get_proc");
12872 return -1;
12873 }
12874 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val,
12875 admin ? CAP_SET : CAP_CLEAR)) {
12876 perror("cap_set_flag");
12877 goto out;
12878 }
12879 if (cap_set_proc(caps)) {
12880 perror("cap_set_proc");
12881 goto out;
12882 }
12883 ret = 0;
12884 out:
12885 if (cap_free(caps))
12886 perror("cap_free");
12887 return ret;
12888 }
12889
12890 static void get_unpriv_disabled()
12891 {
12892 char buf[2];
12893 FILE *fd;
12894
12895 fd = fopen("/proc/sys/"UNPRIV_SYSCTL, "r");
12896 if (!fd) {
12897 perror("fopen /proc/sys/"UNPRIV_SYSCTL);
12898 unpriv_disabled = true;
12899 return;
12900 }
12901 if (fgets(buf, 2, fd) == buf && atoi(buf))
12902 unpriv_disabled = true;
12903 fclose(fd);
12904 }
12905
12906 static int do_test(bool unpriv, unsigned int from, unsigned int to)
12907 {
12908 int i, passes = 0, errors = 0, skips = 0;
12909
12910 for (i = from; i < to; i++) {
12911 struct bpf_test *test = &tests[i];
12912
12913 /* Program types that are not supported by non-root we
12914 * skip right away.
12915 */
12916 if (!test->prog_type && unpriv_disabled) {
12917 printf("#%d/u %s SKIP\n", i, test->descr);
12918 skips++;
12919 } else if (!test->prog_type) {
12920 if (!unpriv)
12921 set_admin(false);
12922 printf("#%d/u %s ", i, test->descr);
12923 do_test_single(test, true, &passes, &errors);
12924 if (!unpriv)
12925 set_admin(true);
12926 }
12927
12928 if (unpriv) {
12929 printf("#%d/p %s SKIP\n", i, test->descr);
12930 skips++;
12931 } else {
12932 printf("#%d/p %s ", i, test->descr);
12933 do_test_single(test, false, &passes, &errors);
12934 }
12935 }
12936
12937 printf("Summary: %d PASSED, %d SKIPPED, %d FAILED\n", passes,
12938 skips, errors);
12939 return errors ? EXIT_FAILURE : EXIT_SUCCESS;
12940 }
12941
12942 int main(int argc, char **argv)
12943 {
12944 unsigned int from = 0, to = ARRAY_SIZE(tests);
12945 bool unpriv = !is_admin();
12946
12947 if (argc == 3) {
12948 unsigned int l = atoi(argv[argc - 2]);
12949 unsigned int u = atoi(argv[argc - 1]);
12950
12951 if (l < to && u < to) {
12952 from = l;
12953 to = u + 1;
12954 }
12955 } else if (argc == 2) {
12956 unsigned int t = atoi(argv[argc - 1]);
12957
12958 if (t < to) {
12959 from = t;
12960 to = t + 1;
12961 }
12962 }
12963
12964 get_unpriv_disabled();
12965 if (unpriv && unpriv_disabled) {
12966 printf("Cannot run as unprivileged user with sysctl %s.\n",
12967 UNPRIV_SYSCTL);
12968 return EXIT_FAILURE;
12969 }
12970
12971 bpf_semi_rand_init();
12972 return do_test(unpriv, from, to);
12973 }
Linux with added FPC-III support