search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
WIP FPC-III support
[linux/fpc-iii.git] / tools / testing / selftests / bpf / verifier / ref_tracking.c
blob3b6ee009c00b648e5b1d92f8fd257aa1a7cfe86a
1 {
2 "reference tracking: leak potential reference",
3 .insns = {
4 BPF_SK_LOOKUP(sk_lookup_tcp),
5 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), /* leak reference */
6 BPF_EXIT_INSN(),
7 },
8 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9 .errstr = "Unreleased reference",
10 .result = REJECT,
11 },
12 {
13 "reference tracking: leak potential reference to sock_common",
14 .insns = {
15 BPF_SK_LOOKUP(skc_lookup_tcp),
16 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), /* leak reference */
17 BPF_EXIT_INSN(),
18 },
19 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
20 .errstr = "Unreleased reference",
21 .result = REJECT,
22 },
23 {
24 "reference tracking: leak potential reference on stack",
25 .insns = {
26 BPF_SK_LOOKUP(sk_lookup_tcp),
27 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
28 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
29 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
30 BPF_MOV64_IMM(BPF_REG_0, 0),
31 BPF_EXIT_INSN(),
32 },
33 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
34 .errstr = "Unreleased reference",
35 .result = REJECT,
36 },
37 {
38 "reference tracking: leak potential reference on stack 2",
39 .insns = {
40 BPF_SK_LOOKUP(sk_lookup_tcp),
41 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
42 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
43 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
44 BPF_MOV64_IMM(BPF_REG_0, 0),
45 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
46 BPF_EXIT_INSN(),
47 },
48 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
49 .errstr = "Unreleased reference",
50 .result = REJECT,
51 },
52 {
53 "reference tracking: zero potential reference",
54 .insns = {
55 BPF_SK_LOOKUP(sk_lookup_tcp),
56 BPF_MOV64_IMM(BPF_REG_0, 0), /* leak reference */
57 BPF_EXIT_INSN(),
58 },
59 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
60 .errstr = "Unreleased reference",
61 .result = REJECT,
62 },
63 {
64 "reference tracking: zero potential reference to sock_common",
65 .insns = {
66 BPF_SK_LOOKUP(skc_lookup_tcp),
67 BPF_MOV64_IMM(BPF_REG_0, 0), /* leak reference */
68 BPF_EXIT_INSN(),
69 },
70 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
71 .errstr = "Unreleased reference",
72 .result = REJECT,
73 },
74 {
75 "reference tracking: copy and zero potential references",
76 .insns = {
77 BPF_SK_LOOKUP(sk_lookup_tcp),
78 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
79 BPF_MOV64_IMM(BPF_REG_0, 0),
80 BPF_MOV64_IMM(BPF_REG_7, 0), /* leak reference */
81 BPF_EXIT_INSN(),
82 },
83 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
84 .errstr = "Unreleased reference",
85 .result = REJECT,
86 },
87 {
88 "reference tracking: release reference without check",
89 .insns = {
90 BPF_SK_LOOKUP(sk_lookup_tcp),
91 /* reference in r0 may be NULL */
92 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
93 BPF_MOV64_IMM(BPF_REG_2, 0),
94 BPF_EMIT_CALL(BPF_FUNC_sk_release),
95 BPF_EXIT_INSN(),
96 },
97 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
98 .errstr = "type=sock_or_null expected=sock",
99 .result = REJECT,
100 },
101 {
102 "reference tracking: release reference to sock_common without check",
103 .insns = {
104 BPF_SK_LOOKUP(skc_lookup_tcp),
105 /* reference in r0 may be NULL */
106 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
107 BPF_MOV64_IMM(BPF_REG_2, 0),
108 BPF_EMIT_CALL(BPF_FUNC_sk_release),
109 BPF_EXIT_INSN(),
110 },
111 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
112 .errstr = "type=sock_common_or_null expected=sock",
113 .result = REJECT,
114 },
115 {
116 "reference tracking: release reference",
117 .insns = {
118 BPF_SK_LOOKUP(sk_lookup_tcp),
119 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
120 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
121 BPF_EMIT_CALL(BPF_FUNC_sk_release),
122 BPF_EXIT_INSN(),
123 },
124 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
125 .result = ACCEPT,
126 },
127 {
128 "reference tracking: release reference to sock_common",
129 .insns = {
130 BPF_SK_LOOKUP(skc_lookup_tcp),
131 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
132 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
133 BPF_EMIT_CALL(BPF_FUNC_sk_release),
134 BPF_EXIT_INSN(),
135 },
136 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
137 .result = ACCEPT,
138 },
139 {
140 "reference tracking: release reference 2",
141 .insns = {
142 BPF_SK_LOOKUP(sk_lookup_tcp),
143 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
144 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
145 BPF_EXIT_INSN(),
146 BPF_EMIT_CALL(BPF_FUNC_sk_release),
147 BPF_EXIT_INSN(),
148 },
149 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
150 .result = ACCEPT,
151 },
152 {
153 "reference tracking: release reference twice",
154 .insns = {
155 BPF_SK_LOOKUP(sk_lookup_tcp),
156 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
157 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
158 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
159 BPF_EMIT_CALL(BPF_FUNC_sk_release),
160 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
161 BPF_EMIT_CALL(BPF_FUNC_sk_release),
162 BPF_EXIT_INSN(),
163 },
164 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
165 .errstr = "type=inv expected=sock",
166 .result = REJECT,
167 },
168 {
169 "reference tracking: release reference twice inside branch",
170 .insns = {
171 BPF_SK_LOOKUP(sk_lookup_tcp),
172 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
173 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
174 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3), /* goto end */
175 BPF_EMIT_CALL(BPF_FUNC_sk_release),
176 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
177 BPF_EMIT_CALL(BPF_FUNC_sk_release),
178 BPF_EXIT_INSN(),
179 },
180 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
181 .errstr = "type=inv expected=sock",
182 .result = REJECT,
183 },
184 {
185 "reference tracking: alloc, check, free in one subbranch",
186 .insns = {
187 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
188 offsetof(struct __sk_buff, data)),
189 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
190 offsetof(struct __sk_buff, data_end)),
191 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
192 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 16),
193 /* if (offsetof(skb, mark) > data_len) exit; */
194 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
195 BPF_EXIT_INSN(),
196 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_2,
197 offsetof(struct __sk_buff, mark)),
198 BPF_SK_LOOKUP(sk_lookup_tcp),
199 BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 1), /* mark == 0? */
200 /* Leak reference in R0 */
201 BPF_EXIT_INSN(),
202 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), /* sk NULL? */
203 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
204 BPF_EMIT_CALL(BPF_FUNC_sk_release),
205 BPF_EXIT_INSN(),
206 },
207 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
208 .errstr = "Unreleased reference",
209 .result = REJECT,
210 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
211 },
212 {
213 "reference tracking: alloc, check, free in both subbranches",
214 .insns = {
215 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
216 offsetof(struct __sk_buff, data)),
217 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
218 offsetof(struct __sk_buff, data_end)),
219 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
220 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 16),
221 /* if (offsetof(skb, mark) > data_len) exit; */
222 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
223 BPF_EXIT_INSN(),
224 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_2,
225 offsetof(struct __sk_buff, mark)),
226 BPF_SK_LOOKUP(sk_lookup_tcp),
227 BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 4), /* mark == 0? */
228 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), /* sk NULL? */
229 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
230 BPF_EMIT_CALL(BPF_FUNC_sk_release),
231 BPF_EXIT_INSN(),
232 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), /* sk NULL? */
233 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
234 BPF_EMIT_CALL(BPF_FUNC_sk_release),
235 BPF_EXIT_INSN(),
236 },
237 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
238 .result = ACCEPT,
239 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
240 },
241 {
242 "reference tracking in call: free reference in subprog",
243 .insns = {
244 BPF_SK_LOOKUP(sk_lookup_tcp),
245 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), /* unchecked reference */
246 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
247 BPF_MOV64_IMM(BPF_REG_0, 0),
248 BPF_EXIT_INSN(),
249
250 /* subprog 1 */
251 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
252 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 1),
253 BPF_EMIT_CALL(BPF_FUNC_sk_release),
254 BPF_EXIT_INSN(),
255 },
256 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
257 .result = ACCEPT,
258 },
259 {
260 "reference tracking in call: free reference in subprog and outside",
261 .insns = {
262 BPF_SK_LOOKUP(sk_lookup_tcp),
263 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), /* unchecked reference */
264 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
265 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
266 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
267 BPF_EMIT_CALL(BPF_FUNC_sk_release),
268 BPF_EXIT_INSN(),
269
270 /* subprog 1 */
271 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
272 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 1),
273 BPF_EMIT_CALL(BPF_FUNC_sk_release),
274 BPF_EXIT_INSN(),
275 },
276 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
277 .errstr = "type=inv expected=sock",
278 .result = REJECT,
279 },
280 {
281 "reference tracking in call: alloc & leak reference in subprog",
282 .insns = {
283 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
284 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
285 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
286 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
287 BPF_MOV64_IMM(BPF_REG_0, 0),
288 BPF_EXIT_INSN(),
289
290 /* subprog 1 */
291 BPF_MOV64_REG(BPF_REG_6, BPF_REG_4),
292 BPF_SK_LOOKUP(sk_lookup_tcp),
293 /* spill unchecked sk_ptr into stack of caller */
294 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
295 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
296 BPF_EXIT_INSN(),
297 },
298 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
299 .errstr = "Unreleased reference",
300 .result = REJECT,
301 },
302 {
303 "reference tracking in call: alloc in subprog, release outside",
304 .insns = {
305 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
306 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
307 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
308 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
309 BPF_EMIT_CALL(BPF_FUNC_sk_release),
310 BPF_EXIT_INSN(),
311
312 /* subprog 1 */
313 BPF_SK_LOOKUP(sk_lookup_tcp),
314 BPF_EXIT_INSN(), /* return sk */
315 },
316 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
317 .retval = POINTER_VALUE,
318 .result = ACCEPT,
319 },
320 {
321 "reference tracking in call: sk_ptr leak into caller stack",
322 .insns = {
323 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
324 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
325 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
326 BPF_MOV64_IMM(BPF_REG_0, 0),
327 BPF_EXIT_INSN(),
328
329 /* subprog 1 */
330 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
331 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
332 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
333 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
334 /* spill unchecked sk_ptr into stack of caller */
335 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
336 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
337 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
338 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
339 BPF_EXIT_INSN(),
340
341 /* subprog 2 */
342 BPF_SK_LOOKUP(sk_lookup_tcp),
343 BPF_EXIT_INSN(),
344 },
345 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
346 .errstr = "Unreleased reference",
347 .result = REJECT,
348 },
349 {
350 "reference tracking in call: sk_ptr spill into caller stack",
351 .insns = {
352 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
353 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
354 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
355 BPF_MOV64_IMM(BPF_REG_0, 0),
356 BPF_EXIT_INSN(),
357
358 /* subprog 1 */
359 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
360 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
361 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
362 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
363 /* spill unchecked sk_ptr into stack of caller */
364 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
365 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
366 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
367 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
368 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
369 /* now the sk_ptr is verified, free the reference */
370 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_4, 0),
371 BPF_EMIT_CALL(BPF_FUNC_sk_release),
372 BPF_EXIT_INSN(),
373
374 /* subprog 2 */
375 BPF_SK_LOOKUP(sk_lookup_tcp),
376 BPF_EXIT_INSN(),
377 },
378 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
379 .result = ACCEPT,
380 },
381 {
382 "reference tracking: allow LD_ABS",
383 .insns = {
384 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
385 BPF_SK_LOOKUP(sk_lookup_tcp),
386 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
387 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
388 BPF_EMIT_CALL(BPF_FUNC_sk_release),
389 BPF_LD_ABS(BPF_B, 0),
390 BPF_LD_ABS(BPF_H, 0),
391 BPF_LD_ABS(BPF_W, 0),
392 BPF_EXIT_INSN(),
393 },
394 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
395 .result = ACCEPT,
396 },
397 {
398 "reference tracking: forbid LD_ABS while holding reference",
399 .insns = {
400 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
401 BPF_SK_LOOKUP(sk_lookup_tcp),
402 BPF_LD_ABS(BPF_B, 0),
403 BPF_LD_ABS(BPF_H, 0),
404 BPF_LD_ABS(BPF_W, 0),
405 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
406 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
407 BPF_EMIT_CALL(BPF_FUNC_sk_release),
408 BPF_EXIT_INSN(),
409 },
410 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
411 .errstr = "BPF_LD_[ABS|IND] cannot be mixed with socket references",
412 .result = REJECT,
413 },
414 {
415 "reference tracking: allow LD_IND",
416 .insns = {
417 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
418 BPF_SK_LOOKUP(sk_lookup_tcp),
419 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
420 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
421 BPF_EMIT_CALL(BPF_FUNC_sk_release),
422 BPF_MOV64_IMM(BPF_REG_7, 1),
423 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
424 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
425 BPF_EXIT_INSN(),
426 },
427 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
428 .result = ACCEPT,
429 .retval = 1,
430 },
431 {
432 "reference tracking: forbid LD_IND while holding reference",
433 .insns = {
434 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
435 BPF_SK_LOOKUP(sk_lookup_tcp),
436 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
437 BPF_MOV64_IMM(BPF_REG_7, 1),
438 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
439 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
440 BPF_MOV64_REG(BPF_REG_1, BPF_REG_4),
441 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
442 BPF_EMIT_CALL(BPF_FUNC_sk_release),
443 BPF_EXIT_INSN(),
444 },
445 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
446 .errstr = "BPF_LD_[ABS|IND] cannot be mixed with socket references",
447 .result = REJECT,
448 },
449 {
450 "reference tracking: check reference or tail call",
451 .insns = {
452 BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
453 BPF_SK_LOOKUP(sk_lookup_tcp),
454 /* if (sk) bpf_sk_release() */
455 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
456 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 7),
457 /* bpf_tail_call() */
458 BPF_MOV64_IMM(BPF_REG_3, 3),
459 BPF_LD_MAP_FD(BPF_REG_2, 0),
460 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
461 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_tail_call),
462 BPF_MOV64_IMM(BPF_REG_0, 0),
463 BPF_EXIT_INSN(),
464 BPF_EMIT_CALL(BPF_FUNC_sk_release),
465 BPF_EXIT_INSN(),
466 },
467 .fixup_prog1 = { 17 },
468 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
469 .result = ACCEPT,
470 },
471 {
472 "reference tracking: release reference then tail call",
473 .insns = {
474 BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
475 BPF_SK_LOOKUP(sk_lookup_tcp),
476 /* if (sk) bpf_sk_release() */
477 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
478 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
479 BPF_EMIT_CALL(BPF_FUNC_sk_release),
480 /* bpf_tail_call() */
481 BPF_MOV64_IMM(BPF_REG_3, 3),
482 BPF_LD_MAP_FD(BPF_REG_2, 0),
483 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
484 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_tail_call),
485 BPF_MOV64_IMM(BPF_REG_0, 0),
486 BPF_EXIT_INSN(),
487 },
488 .fixup_prog1 = { 18 },
489 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
490 .result = ACCEPT,
491 },
492 {
493 "reference tracking: leak possible reference over tail call",
494 .insns = {
495 BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
496 /* Look up socket and store in REG_6 */
497 BPF_SK_LOOKUP(sk_lookup_tcp),
498 /* bpf_tail_call() */
499 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
500 BPF_MOV64_IMM(BPF_REG_3, 3),
501 BPF_LD_MAP_FD(BPF_REG_2, 0),
502 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
503 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_tail_call),
504 BPF_MOV64_IMM(BPF_REG_0, 0),
505 /* if (sk) bpf_sk_release() */
506 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
507 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
508 BPF_EMIT_CALL(BPF_FUNC_sk_release),
509 BPF_EXIT_INSN(),
510 },
511 .fixup_prog1 = { 16 },
512 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
513 .errstr = "tail_call would lead to reference leak",
514 .result = REJECT,
515 },
516 {
517 "reference tracking: leak checked reference over tail call",
518 .insns = {
519 BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
520 /* Look up socket and store in REG_6 */
521 BPF_SK_LOOKUP(sk_lookup_tcp),
522 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
523 /* if (!sk) goto end */
524 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
525 /* bpf_tail_call() */
526 BPF_MOV64_IMM(BPF_REG_3, 0),
527 BPF_LD_MAP_FD(BPF_REG_2, 0),
528 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
529 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_tail_call),
530 BPF_MOV64_IMM(BPF_REG_0, 0),
531 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
532 BPF_EMIT_CALL(BPF_FUNC_sk_release),
533 BPF_EXIT_INSN(),
534 },
535 .fixup_prog1 = { 17 },
536 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
537 .errstr = "tail_call would lead to reference leak",
538 .result = REJECT,
539 },
540 {
541 "reference tracking: mangle and release sock_or_null",
542 .insns = {
543 BPF_SK_LOOKUP(sk_lookup_tcp),
544 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
545 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 5),
546 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
547 BPF_EMIT_CALL(BPF_FUNC_sk_release),
548 BPF_EXIT_INSN(),
549 },
550 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
551 .errstr = "R1 pointer arithmetic on sock_or_null prohibited",
552 .result = REJECT,
553 },
554 {
555 "reference tracking: mangle and release sock",
556 .insns = {
557 BPF_SK_LOOKUP(sk_lookup_tcp),
558 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
559 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
560 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 5),
561 BPF_EMIT_CALL(BPF_FUNC_sk_release),
562 BPF_EXIT_INSN(),
563 },
564 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
565 .errstr = "R1 pointer arithmetic on sock prohibited",
566 .result = REJECT,
567 },
568 {
569 "reference tracking: access member",
570 .insns = {
571 BPF_SK_LOOKUP(sk_lookup_tcp),
572 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
573 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
574 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_0, 4),
575 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
576 BPF_EMIT_CALL(BPF_FUNC_sk_release),
577 BPF_EXIT_INSN(),
578 },
579 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
580 .result = ACCEPT,
581 },
582 {
583 "reference tracking: write to member",
584 .insns = {
585 BPF_SK_LOOKUP(sk_lookup_tcp),
586 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
587 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
588 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
589 BPF_LD_IMM64(BPF_REG_2, 42),
590 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_2,
591 offsetof(struct bpf_sock, mark)),
592 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
593 BPF_EMIT_CALL(BPF_FUNC_sk_release),
594 BPF_LD_IMM64(BPF_REG_0, 0),
595 BPF_EXIT_INSN(),
596 },
597 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
598 .errstr = "cannot write into sock",
599 .result = REJECT,
600 },
601 {
602 "reference tracking: invalid 64-bit access of member",
603 .insns = {
604 BPF_SK_LOOKUP(sk_lookup_tcp),
605 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
606 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
607 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
608 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
609 BPF_EMIT_CALL(BPF_FUNC_sk_release),
610 BPF_EXIT_INSN(),
611 },
612 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
613 .errstr = "invalid sock access off=0 size=8",
614 .result = REJECT,
615 },
616 {
617 "reference tracking: access after release",
618 .insns = {
619 BPF_SK_LOOKUP(sk_lookup_tcp),
620 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
621 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
622 BPF_EMIT_CALL(BPF_FUNC_sk_release),
623 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
624 BPF_EXIT_INSN(),
625 },
626 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
627 .errstr = "!read_ok",
628 .result = REJECT,
629 },
630 {
631 "reference tracking: direct access for lookup",
632 .insns = {
633 /* Check that the packet is at least 64B long */
634 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
635 offsetof(struct __sk_buff, data)),
636 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
637 offsetof(struct __sk_buff, data_end)),
638 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
639 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
640 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
641 /* sk = sk_lookup_tcp(ctx, skb->data, ...) */
642 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct bpf_sock_tuple)),
643 BPF_MOV64_IMM(BPF_REG_4, 0),
644 BPF_MOV64_IMM(BPF_REG_5, 0),
645 BPF_EMIT_CALL(BPF_FUNC_sk_lookup_tcp),
646 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
647 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
648 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_0, 4),
649 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
650 BPF_EMIT_CALL(BPF_FUNC_sk_release),
651 BPF_EXIT_INSN(),
652 },
653 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
654 .result = ACCEPT,
655 },
656 {
657 "reference tracking: use ptr from bpf_tcp_sock() after release",
658 .insns = {
659 BPF_SK_LOOKUP(sk_lookup_tcp),
660 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
661 BPF_EXIT_INSN(),
662 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
663 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
664 BPF_EMIT_CALL(BPF_FUNC_tcp_sock),
665 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 3),
666 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
667 BPF_EMIT_CALL(BPF_FUNC_sk_release),
668 BPF_EXIT_INSN(),
669 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
670 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
671 BPF_EMIT_CALL(BPF_FUNC_sk_release),
672 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_7, offsetof(struct bpf_tcp_sock, snd_cwnd)),
673 BPF_EXIT_INSN(),
674 },
675 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
676 .result = REJECT,
677 .errstr = "invalid mem access",
678 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
679 },
680 {
681 "reference tracking: use ptr from bpf_sk_fullsock() after release",
682 .insns = {
683 BPF_SK_LOOKUP(sk_lookup_tcp),
684 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
685 BPF_EXIT_INSN(),
686 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
687 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
688 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
689 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 3),
690 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
691 BPF_EMIT_CALL(BPF_FUNC_sk_release),
692 BPF_EXIT_INSN(),
693 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
694 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
695 BPF_EMIT_CALL(BPF_FUNC_sk_release),
696 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_7, offsetof(struct bpf_sock, type)),
697 BPF_EXIT_INSN(),
698 },
699 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
700 .result = REJECT,
701 .errstr = "invalid mem access",
702 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
703 },
704 {
705 "reference tracking: use ptr from bpf_sk_fullsock(tp) after release",
706 .insns = {
707 BPF_SK_LOOKUP(sk_lookup_tcp),
708 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
709 BPF_EXIT_INSN(),
710 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
711 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
712 BPF_EMIT_CALL(BPF_FUNC_tcp_sock),
713 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 3),
714 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
715 BPF_EMIT_CALL(BPF_FUNC_sk_release),
716 BPF_EXIT_INSN(),
717 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
718 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
719 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
720 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
721 BPF_EMIT_CALL(BPF_FUNC_sk_release),
722 BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 0, 1),
723 BPF_EXIT_INSN(),
724 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6, offsetof(struct bpf_sock, type)),
725 BPF_EXIT_INSN(),
726 },
727 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
728 .result = REJECT,
729 .errstr = "invalid mem access",
730 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
731 },
732 {
733 "reference tracking: use sk after bpf_sk_release(tp)",
734 .insns = {
735 BPF_SK_LOOKUP(sk_lookup_tcp),
736 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
737 BPF_EXIT_INSN(),
738 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
739 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
740 BPF_EMIT_CALL(BPF_FUNC_tcp_sock),
741 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 3),
742 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
743 BPF_EMIT_CALL(BPF_FUNC_sk_release),
744 BPF_EXIT_INSN(),
745 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
746 BPF_EMIT_CALL(BPF_FUNC_sk_release),
747 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6, offsetof(struct bpf_sock, type)),
748 BPF_EXIT_INSN(),
749 },
750 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
751 .result = REJECT,
752 .errstr = "invalid mem access",
753 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
754 },
755 {
756 "reference tracking: use ptr from bpf_get_listener_sock() after bpf_sk_release(sk)",
757 .insns = {
758 BPF_SK_LOOKUP(sk_lookup_tcp),
759 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
760 BPF_EXIT_INSN(),
761 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
762 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
763 BPF_EMIT_CALL(BPF_FUNC_get_listener_sock),
764 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 3),
765 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
766 BPF_EMIT_CALL(BPF_FUNC_sk_release),
767 BPF_EXIT_INSN(),
768 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
769 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
770 BPF_EMIT_CALL(BPF_FUNC_sk_release),
771 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6, offsetof(struct bpf_sock, src_port)),
772 BPF_EXIT_INSN(),
773 },
774 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
775 .result = ACCEPT,
776 },
777 {
778 "reference tracking: bpf_sk_release(listen_sk)",
779 .insns = {
780 BPF_SK_LOOKUP(sk_lookup_tcp),
781 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
782 BPF_EXIT_INSN(),
783 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
784 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
785 BPF_EMIT_CALL(BPF_FUNC_get_listener_sock),
786 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 3),
787 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
788 BPF_EMIT_CALL(BPF_FUNC_sk_release),
789 BPF_EXIT_INSN(),
790 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
791 BPF_EMIT_CALL(BPF_FUNC_sk_release),
792 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6, offsetof(struct bpf_sock, type)),
793 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
794 BPF_EMIT_CALL(BPF_FUNC_sk_release),
795 BPF_EXIT_INSN(),
796 },
797 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
798 .result = REJECT,
799 .errstr = "reference has not been acquired before",
800 },
801 {
802 /* !bpf_sk_fullsock(sk) is checked but !bpf_tcp_sock(sk) is not checked */
803 "reference tracking: tp->snd_cwnd after bpf_sk_fullsock(sk) and bpf_tcp_sock(sk)",
804 .insns = {
805 BPF_SK_LOOKUP(sk_lookup_tcp),
806 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
807 BPF_EXIT_INSN(),
808 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
809 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
810 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
811 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
812 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
813 BPF_EMIT_CALL(BPF_FUNC_tcp_sock),
814 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
815 BPF_JMP_IMM(BPF_JNE, BPF_REG_7, 0, 3),
816 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
817 BPF_EMIT_CALL(BPF_FUNC_sk_release),
818 BPF_EXIT_INSN(),
819 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_8, offsetof(struct bpf_tcp_sock, snd_cwnd)),
820 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
821 BPF_EMIT_CALL(BPF_FUNC_sk_release),
822 BPF_EXIT_INSN(),
823 },
824 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
825 .result = REJECT,
826 .errstr = "invalid mem access",
827 },
828 {
829 "reference tracking: branch tracking valid pointer null comparison",
830 .insns = {
831 BPF_SK_LOOKUP(sk_lookup_tcp),
832 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
833 BPF_MOV64_IMM(BPF_REG_3, 1),
834 BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 0, 1),
835 BPF_MOV64_IMM(BPF_REG_3, 0),
836 BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 2),
837 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
838 BPF_EMIT_CALL(BPF_FUNC_sk_release),
839 BPF_EXIT_INSN(),
840 },
841 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
842 .result = ACCEPT,
843 },
844 {
845 "reference tracking: branch tracking valid pointer value comparison",
846 .insns = {
847 BPF_SK_LOOKUP(sk_lookup_tcp),
848 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
849 BPF_MOV64_IMM(BPF_REG_3, 1),
850 BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 4),
851 BPF_MOV64_IMM(BPF_REG_3, 0),
852 BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 1234, 2),
853 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
854 BPF_EMIT_CALL(BPF_FUNC_sk_release),
855 BPF_EXIT_INSN(),
856 },
857 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
858 .errstr = "Unreleased reference",
859 .result = REJECT,
860 },
861 {
862 "reference tracking: bpf_sk_release(btf_tcp_sock)",
863 .insns = {
864 BPF_SK_LOOKUP(sk_lookup_tcp),
865 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
866 BPF_EXIT_INSN(),
867 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
868 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
869 BPF_EMIT_CALL(BPF_FUNC_skc_to_tcp_sock),
870 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 3),
871 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
872 BPF_EMIT_CALL(BPF_FUNC_sk_release),
873 BPF_EXIT_INSN(),
874 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
875 BPF_EMIT_CALL(BPF_FUNC_sk_release),
876 BPF_EXIT_INSN(),
877 },
878 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
879 .result = ACCEPT,
880 .result_unpriv = REJECT,
881 .errstr_unpriv = "unknown func",
882 },
883 {
884 "reference tracking: use ptr from bpf_skc_to_tcp_sock() after release",
885 .insns = {
886 BPF_SK_LOOKUP(sk_lookup_tcp),
887 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
888 BPF_EXIT_INSN(),
889 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
890 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
891 BPF_EMIT_CALL(BPF_FUNC_skc_to_tcp_sock),
892 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 3),
893 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
894 BPF_EMIT_CALL(BPF_FUNC_sk_release),
895 BPF_EXIT_INSN(),
896 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
897 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
898 BPF_EMIT_CALL(BPF_FUNC_sk_release),
899 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_7, 0),
900 BPF_EXIT_INSN(),
901 },
902 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
903 .result = REJECT,
904 .errstr = "invalid mem access",
905 .result_unpriv = REJECT,
906 .errstr_unpriv = "unknown func",
907 },
Linux with added FPC-III support