1 /* 2 * Testsuite for eBPF verifier 3 * 4 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com 5 * Copyright (c) 2017 Facebook 6 * 7 * This program is free software; you can redistribute it and/or 8 * modify it under the terms of version 2 of the GNU General Public 9 * License as published by the Free Software Foundation. 10 */ 11 12 #include <endian.h> 13 #include <asm/types.h> 14 #include <linux/types.h> 15 #include <stdint.h> 16 #include <stdio.h> 17 #include <stdlib.h> 18 #include <unistd.h> 19 #include <errno.h> 20 #include <string.h> 21 #include <stddef.h> 22 #include <stdbool.h> 23 #include <sched.h> 24 #include <limits.h> 25 26 #include <sys/capability.h> 27 28 #include <linux/unistd.h> 29 #include <linux/filter.h> 30 #include <linux/bpf_perf_event.h> 31 #include <linux/bpf.h> 32 #include <linux/if_ether.h> 33 34 #include <bpf/bpf.h> 35 36 #ifdef HAVE_GENHDR 37 # include "autoconf.h" 38 #else 39 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__) 40 # define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1 41 # endif 42 #endif 43 #include "bpf_rlimit.h" 44 #include "bpf_rand.h" 45 #include "../../../include/linux/filter.h" 46 47 #ifndef ARRAY_SIZE 48 # define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) 49 #endif 50 51 #define MAX_INSNS BPF_MAXINSNS 52 #define MAX_FIXUPS 8 53 #define MAX_NR_MAPS 7 54 #define POINTER_VALUE 0xcafe4all 55 #define TEST_DATA_LEN 64 56 57 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS (1 << 0) 58 #define F_LOAD_WITH_STRICT_ALIGNMENT (1 << 1) 59 60 #define UNPRIV_SYSCTL "kernel/unprivileged_bpf_disabled" 61 static bool unpriv_disabled = false; 62 63 struct bpf_test { 64 const char *descr; 65 struct bpf_insn insns[MAX_INSNS]; 66 int fixup_map1[MAX_FIXUPS]; 67 int fixup_map2[MAX_FIXUPS]; 68 int fixup_map3[MAX_FIXUPS]; 69 int fixup_map4[MAX_FIXUPS]; 70 int fixup_prog1[MAX_FIXUPS]; 71 int fixup_prog2[MAX_FIXUPS]; 72 int fixup_map_in_map[MAX_FIXUPS]; 73 const char *errstr; 74 const char *errstr_unpriv; 75 uint32_t retval; 76 enum { 77 UNDEF, 78 ACCEPT, 79 REJECT 80 } result, result_unpriv; 81 enum bpf_prog_type prog_type; 82 uint8_t flags; 83 __u8 data[TEST_DATA_LEN]; 84 void (*fill_helper)(struct bpf_test *self); 85 }; 86 87 /* Note we want this to be 64 bit aligned so that the end of our array is 88 * actually the end of the structure. 89 */ 90 #define MAX_ENTRIES 11 91 92 struct test_val { 93 unsigned int index; 94 int foo[MAX_ENTRIES]; 95 }; 96 97 struct other_val { 98 long long foo; 99 long long bar; 100 }; 101 102 static void bpf_fill_ld_abs_vlan_push_pop(struct bpf_test *self) 103 { 104 /* test: {skb->data[0], vlan_push} x 68 + {skb->data[0], vlan_pop} x 68 */ 105 #define PUSH_CNT 51 106 unsigned int len = BPF_MAXINSNS; 107 struct bpf_insn *insn = self->insns; 108 int i = 0, j, k = 0; 109 110 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1); 111 loop: 112 for (j = 0; j < PUSH_CNT; j++) { 113 insn[i++] = BPF_LD_ABS(BPF_B, 0); 114 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2); 115 i++; 116 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6); 117 insn[i++] = BPF_MOV64_IMM(BPF_REG_2, 1); 118 insn[i++] = BPF_MOV64_IMM(BPF_REG_3, 2); 119 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 120 BPF_FUNC_skb_vlan_push), 121 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2); 122 i++; 123 } 124 125 for (j = 0; j < PUSH_CNT; j++) { 126 insn[i++] = BPF_LD_ABS(BPF_B, 0); 127 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2); 128 i++; 129 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6); 130 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 131 BPF_FUNC_skb_vlan_pop), 132 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2); 133 i++; 134 } 135 if (++k < 5) 136 goto loop; 137 138 for (; i < len - 1; i++) 139 insn[i] = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, 0xbef); 140 insn[len - 1] = BPF_EXIT_INSN(); 141 } 142 143 static void bpf_fill_jump_around_ld_abs(struct bpf_test *self) 144 { 145 struct bpf_insn *insn = self->insns; 146 unsigned int len = BPF_MAXINSNS; 147 int i = 0; 148 149 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1); 150 insn[i++] = BPF_LD_ABS(BPF_B, 0); 151 insn[i] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 10, len - i - 2); 152 i++; 153 while (i < len - 1) 154 insn[i++] = BPF_LD_ABS(BPF_B, 1); 155 insn[i] = BPF_EXIT_INSN(); 156 } 157 158 static void bpf_fill_rand_ld_dw(struct bpf_test *self) 159 { 160 struct bpf_insn *insn = self->insns; 161 uint64_t res = 0; 162 int i = 0; 163 164 insn[i++] = BPF_MOV32_IMM(BPF_REG_0, 0); 165 while (i < self->retval) { 166 uint64_t val = bpf_semi_rand_get(); 167 struct bpf_insn tmp[2] = { BPF_LD_IMM64(BPF_REG_1, val) }; 168 169 res ^= val; 170 insn[i++] = tmp[0]; 171 insn[i++] = tmp[1]; 172 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1); 173 } 174 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_0); 175 insn[i++] = BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32); 176 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1); 177 insn[i] = BPF_EXIT_INSN(); 178 res ^= (res >> 32); 179 self->retval = (uint32_t)res; 180 } 181 182 static struct bpf_test tests[] = { 183 { 184 "add+sub+mul", 185 .insns = { 186 BPF_MOV64_IMM(BPF_REG_1, 1), 187 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2), 188 BPF_MOV64_IMM(BPF_REG_2, 3), 189 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2), 190 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1), 191 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3), 192 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1), 193 BPF_EXIT_INSN(), 194 }, 195 .result = ACCEPT, 196 .retval = -3, 197 }, 198 { 199 "DIV32 by 0, zero check 1", 200 .insns = { 201 BPF_MOV32_IMM(BPF_REG_0, 42), 202 BPF_MOV32_IMM(BPF_REG_1, 0), 203 BPF_MOV32_IMM(BPF_REG_2, 1), 204 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1), 205 BPF_EXIT_INSN(), 206 }, 207 .result = ACCEPT, 208 .retval = 42, 209 }, 210 { 211 "DIV32 by 0, zero check 2", 212 .insns = { 213 BPF_MOV32_IMM(BPF_REG_0, 42), 214 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL), 215 BPF_MOV32_IMM(BPF_REG_2, 1), 216 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1), 217 BPF_EXIT_INSN(), 218 }, 219 .result = ACCEPT, 220 .retval = 42, 221 }, 222 { 223 "DIV64 by 0, zero check", 224 .insns = { 225 BPF_MOV32_IMM(BPF_REG_0, 42), 226 BPF_MOV32_IMM(BPF_REG_1, 0), 227 BPF_MOV32_IMM(BPF_REG_2, 1), 228 BPF_ALU64_REG(BPF_DIV, BPF_REG_2, BPF_REG_1), 229 BPF_EXIT_INSN(), 230 }, 231 .result = ACCEPT, 232 .retval = 42, 233 }, 234 { 235 "MOD32 by 0, zero check 1", 236 .insns = { 237 BPF_MOV32_IMM(BPF_REG_0, 42), 238 BPF_MOV32_IMM(BPF_REG_1, 0), 239 BPF_MOV32_IMM(BPF_REG_2, 1), 240 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1), 241 BPF_EXIT_INSN(), 242 }, 243 .result = ACCEPT, 244 .retval = 42, 245 }, 246 { 247 "MOD32 by 0, zero check 2", 248 .insns = { 249 BPF_MOV32_IMM(BPF_REG_0, 42), 250 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL), 251 BPF_MOV32_IMM(BPF_REG_2, 1), 252 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1), 253 BPF_EXIT_INSN(), 254 }, 255 .result = ACCEPT, 256 .retval = 42, 257 }, 258 { 259 "MOD64 by 0, zero check", 260 .insns = { 261 BPF_MOV32_IMM(BPF_REG_0, 42), 262 BPF_MOV32_IMM(BPF_REG_1, 0), 263 BPF_MOV32_IMM(BPF_REG_2, 1), 264 BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1), 265 BPF_EXIT_INSN(), 266 }, 267 .result = ACCEPT, 268 .retval = 42, 269 }, 270 { 271 "DIV32 by 0, zero check ok, cls", 272 .insns = { 273 BPF_MOV32_IMM(BPF_REG_0, 42), 274 BPF_MOV32_IMM(BPF_REG_1, 2), 275 BPF_MOV32_IMM(BPF_REG_2, 16), 276 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1), 277 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 278 BPF_EXIT_INSN(), 279 }, 280 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 281 .result = ACCEPT, 282 .retval = 8, 283 }, 284 { 285 "DIV32 by 0, zero check 1, cls", 286 .insns = { 287 BPF_MOV32_IMM(BPF_REG_1, 0), 288 BPF_MOV32_IMM(BPF_REG_0, 1), 289 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1), 290 BPF_EXIT_INSN(), 291 }, 292 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 293 .result = ACCEPT, 294 .retval = 0, 295 }, 296 { 297 "DIV32 by 0, zero check 2, cls", 298 .insns = { 299 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL), 300 BPF_MOV32_IMM(BPF_REG_0, 1), 301 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1), 302 BPF_EXIT_INSN(), 303 }, 304 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 305 .result = ACCEPT, 306 .retval = 0, 307 }, 308 { 309 "DIV64 by 0, zero check, cls", 310 .insns = { 311 BPF_MOV32_IMM(BPF_REG_1, 0), 312 BPF_MOV32_IMM(BPF_REG_0, 1), 313 BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1), 314 BPF_EXIT_INSN(), 315 }, 316 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 317 .result = ACCEPT, 318 .retval = 0, 319 }, 320 { 321 "MOD32 by 0, zero check ok, cls", 322 .insns = { 323 BPF_MOV32_IMM(BPF_REG_0, 42), 324 BPF_MOV32_IMM(BPF_REG_1, 3), 325 BPF_MOV32_IMM(BPF_REG_2, 5), 326 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1), 327 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 328 BPF_EXIT_INSN(), 329 }, 330 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 331 .result = ACCEPT, 332 .retval = 2, 333 }, 334 { 335 "MOD32 by 0, zero check 1, cls", 336 .insns = { 337 BPF_MOV32_IMM(BPF_REG_1, 0), 338 BPF_MOV32_IMM(BPF_REG_0, 1), 339 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1), 340 BPF_EXIT_INSN(), 341 }, 342 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 343 .result = ACCEPT, 344 .retval = 1, 345 }, 346 { 347 "MOD32 by 0, zero check 2, cls", 348 .insns = { 349 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL), 350 BPF_MOV32_IMM(BPF_REG_0, 1), 351 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1), 352 BPF_EXIT_INSN(), 353 }, 354 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 355 .result = ACCEPT, 356 .retval = 1, 357 }, 358 { 359 "MOD64 by 0, zero check 1, cls", 360 .insns = { 361 BPF_MOV32_IMM(BPF_REG_1, 0), 362 BPF_MOV32_IMM(BPF_REG_0, 2), 363 BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1), 364 BPF_EXIT_INSN(), 365 }, 366 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 367 .result = ACCEPT, 368 .retval = 2, 369 }, 370 { 371 "MOD64 by 0, zero check 2, cls", 372 .insns = { 373 BPF_MOV32_IMM(BPF_REG_1, 0), 374 BPF_MOV32_IMM(BPF_REG_0, -1), 375 BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1), 376 BPF_EXIT_INSN(), 377 }, 378 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 379 .result = ACCEPT, 380 .retval = -1, 381 }, 382 /* Just make sure that JITs used udiv/umod as otherwise we get 383 * an exception from INT_MIN/-1 overflow similarly as with div 384 * by zero. 385 */ 386 { 387 "DIV32 overflow, check 1", 388 .insns = { 389 BPF_MOV32_IMM(BPF_REG_1, -1), 390 BPF_MOV32_IMM(BPF_REG_0, INT_MIN), 391 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1), 392 BPF_EXIT_INSN(), 393 }, 394 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 395 .result = ACCEPT, 396 .retval = 0, 397 }, 398 { 399 "DIV32 overflow, check 2", 400 .insns = { 401 BPF_MOV32_IMM(BPF_REG_0, INT_MIN), 402 BPF_ALU32_IMM(BPF_DIV, BPF_REG_0, -1), 403 BPF_EXIT_INSN(), 404 }, 405 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 406 .result = ACCEPT, 407 .retval = 0, 408 }, 409 { 410 "DIV64 overflow, check 1", 411 .insns = { 412 BPF_MOV64_IMM(BPF_REG_1, -1), 413 BPF_LD_IMM64(BPF_REG_0, LLONG_MIN), 414 BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1), 415 BPF_EXIT_INSN(), 416 }, 417 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 418 .result = ACCEPT, 419 .retval = 0, 420 }, 421 { 422 "DIV64 overflow, check 2", 423 .insns = { 424 BPF_LD_IMM64(BPF_REG_0, LLONG_MIN), 425 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, -1), 426 BPF_EXIT_INSN(), 427 }, 428 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 429 .result = ACCEPT, 430 .retval = 0, 431 }, 432 { 433 "MOD32 overflow, check 1", 434 .insns = { 435 BPF_MOV32_IMM(BPF_REG_1, -1), 436 BPF_MOV32_IMM(BPF_REG_0, INT_MIN), 437 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1), 438 BPF_EXIT_INSN(), 439 }, 440 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 441 .result = ACCEPT, 442 .retval = INT_MIN, 443 }, 444 { 445 "MOD32 overflow, check 2", 446 .insns = { 447 BPF_MOV32_IMM(BPF_REG_0, INT_MIN), 448 BPF_ALU32_IMM(BPF_MOD, BPF_REG_0, -1), 449 BPF_EXIT_INSN(), 450 }, 451 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 452 .result = ACCEPT, 453 .retval = INT_MIN, 454 }, 455 { 456 "MOD64 overflow, check 1", 457 .insns = { 458 BPF_MOV64_IMM(BPF_REG_1, -1), 459 BPF_LD_IMM64(BPF_REG_2, LLONG_MIN), 460 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), 461 BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1), 462 BPF_MOV32_IMM(BPF_REG_0, 0), 463 BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1), 464 BPF_MOV32_IMM(BPF_REG_0, 1), 465 BPF_EXIT_INSN(), 466 }, 467 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 468 .result = ACCEPT, 469 .retval = 1, 470 }, 471 { 472 "MOD64 overflow, check 2", 473 .insns = { 474 BPF_LD_IMM64(BPF_REG_2, LLONG_MIN), 475 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), 476 BPF_ALU64_IMM(BPF_MOD, BPF_REG_2, -1), 477 BPF_MOV32_IMM(BPF_REG_0, 0), 478 BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1), 479 BPF_MOV32_IMM(BPF_REG_0, 1), 480 BPF_EXIT_INSN(), 481 }, 482 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 483 .result = ACCEPT, 484 .retval = 1, 485 }, 486 { 487 "xor32 zero extend check", 488 .insns = { 489 BPF_MOV32_IMM(BPF_REG_2, -1), 490 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32), 491 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 0xffff), 492 BPF_ALU32_REG(BPF_XOR, BPF_REG_2, BPF_REG_2), 493 BPF_MOV32_IMM(BPF_REG_0, 2), 494 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1), 495 BPF_MOV32_IMM(BPF_REG_0, 1), 496 BPF_EXIT_INSN(), 497 }, 498 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 499 .result = ACCEPT, 500 .retval = 1, 501 }, 502 { 503 "empty prog", 504 .insns = { 505 }, 506 .errstr = "unknown opcode 00", 507 .result = REJECT, 508 }, 509 { 510 "only exit insn", 511 .insns = { 512 BPF_EXIT_INSN(), 513 }, 514 .errstr = "R0 !read_ok", 515 .result = REJECT, 516 }, 517 { 518 "unreachable", 519 .insns = { 520 BPF_EXIT_INSN(), 521 BPF_EXIT_INSN(), 522 }, 523 .errstr = "unreachable", 524 .result = REJECT, 525 }, 526 { 527 "unreachable2", 528 .insns = { 529 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 530 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 531 BPF_EXIT_INSN(), 532 }, 533 .errstr = "unreachable", 534 .result = REJECT, 535 }, 536 { 537 "out of range jump", 538 .insns = { 539 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 540 BPF_EXIT_INSN(), 541 }, 542 .errstr = "jump out of range", 543 .result = REJECT, 544 }, 545 { 546 "out of range jump2", 547 .insns = { 548 BPF_JMP_IMM(BPF_JA, 0, 0, -2), 549 BPF_EXIT_INSN(), 550 }, 551 .errstr = "jump out of range", 552 .result = REJECT, 553 }, 554 { 555 "test1 ld_imm64", 556 .insns = { 557 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 558 BPF_LD_IMM64(BPF_REG_0, 0), 559 BPF_LD_IMM64(BPF_REG_0, 0), 560 BPF_LD_IMM64(BPF_REG_0, 1), 561 BPF_LD_IMM64(BPF_REG_0, 1), 562 BPF_MOV64_IMM(BPF_REG_0, 2), 563 BPF_EXIT_INSN(), 564 }, 565 .errstr = "invalid BPF_LD_IMM insn", 566 .errstr_unpriv = "R1 pointer comparison", 567 .result = REJECT, 568 }, 569 { 570 "test2 ld_imm64", 571 .insns = { 572 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 573 BPF_LD_IMM64(BPF_REG_0, 0), 574 BPF_LD_IMM64(BPF_REG_0, 0), 575 BPF_LD_IMM64(BPF_REG_0, 1), 576 BPF_LD_IMM64(BPF_REG_0, 1), 577 BPF_EXIT_INSN(), 578 }, 579 .errstr = "invalid BPF_LD_IMM insn", 580 .errstr_unpriv = "R1 pointer comparison", 581 .result = REJECT, 582 }, 583 { 584 "test3 ld_imm64", 585 .insns = { 586 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 587 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0), 588 BPF_LD_IMM64(BPF_REG_0, 0), 589 BPF_LD_IMM64(BPF_REG_0, 0), 590 BPF_LD_IMM64(BPF_REG_0, 1), 591 BPF_LD_IMM64(BPF_REG_0, 1), 592 BPF_EXIT_INSN(), 593 }, 594 .errstr = "invalid bpf_ld_imm64 insn", 595 .result = REJECT, 596 }, 597 { 598 "test4 ld_imm64", 599 .insns = { 600 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0), 601 BPF_EXIT_INSN(), 602 }, 603 .errstr = "invalid bpf_ld_imm64 insn", 604 .result = REJECT, 605 }, 606 { 607 "test5 ld_imm64", 608 .insns = { 609 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0), 610 }, 611 .errstr = "invalid bpf_ld_imm64 insn", 612 .result = REJECT, 613 }, 614 { 615 "test6 ld_imm64", 616 .insns = { 617 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0), 618 BPF_RAW_INSN(0, 0, 0, 0, 0), 619 BPF_EXIT_INSN(), 620 }, 621 .result = ACCEPT, 622 }, 623 { 624 "test7 ld_imm64", 625 .insns = { 626 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1), 627 BPF_RAW_INSN(0, 0, 0, 0, 1), 628 BPF_EXIT_INSN(), 629 }, 630 .result = ACCEPT, 631 .retval = 1, 632 }, 633 { 634 "test8 ld_imm64", 635 .insns = { 636 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1), 637 BPF_RAW_INSN(0, 0, 0, 0, 1), 638 BPF_EXIT_INSN(), 639 }, 640 .errstr = "uses reserved fields", 641 .result = REJECT, 642 }, 643 { 644 "test9 ld_imm64", 645 .insns = { 646 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1), 647 BPF_RAW_INSN(0, 0, 0, 1, 1), 648 BPF_EXIT_INSN(), 649 }, 650 .errstr = "invalid bpf_ld_imm64 insn", 651 .result = REJECT, 652 }, 653 { 654 "test10 ld_imm64", 655 .insns = { 656 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1), 657 BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1), 658 BPF_EXIT_INSN(), 659 }, 660 .errstr = "invalid bpf_ld_imm64 insn", 661 .result = REJECT, 662 }, 663 { 664 "test11 ld_imm64", 665 .insns = { 666 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1), 667 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1), 668 BPF_EXIT_INSN(), 669 }, 670 .errstr = "invalid bpf_ld_imm64 insn", 671 .result = REJECT, 672 }, 673 { 674 "test12 ld_imm64", 675 .insns = { 676 BPF_MOV64_IMM(BPF_REG_1, 0), 677 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1), 678 BPF_RAW_INSN(0, 0, 0, 0, 1), 679 BPF_EXIT_INSN(), 680 }, 681 .errstr = "not pointing to valid bpf_map", 682 .result = REJECT, 683 }, 684 { 685 "test13 ld_imm64", 686 .insns = { 687 BPF_MOV64_IMM(BPF_REG_1, 0), 688 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1), 689 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1), 690 BPF_EXIT_INSN(), 691 }, 692 .errstr = "invalid bpf_ld_imm64 insn", 693 .result = REJECT, 694 }, 695 { 696 "arsh32 on imm", 697 .insns = { 698 BPF_MOV64_IMM(BPF_REG_0, 1), 699 BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 5), 700 BPF_EXIT_INSN(), 701 }, 702 .result = REJECT, 703 .errstr = "unknown opcode c4", 704 }, 705 { 706 "arsh32 on reg", 707 .insns = { 708 BPF_MOV64_IMM(BPF_REG_0, 1), 709 BPF_MOV64_IMM(BPF_REG_1, 5), 710 BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1), 711 BPF_EXIT_INSN(), 712 }, 713 .result = REJECT, 714 .errstr = "unknown opcode cc", 715 }, 716 { 717 "arsh64 on imm", 718 .insns = { 719 BPF_MOV64_IMM(BPF_REG_0, 1), 720 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_0, 5), 721 BPF_EXIT_INSN(), 722 }, 723 .result = ACCEPT, 724 }, 725 { 726 "arsh64 on reg", 727 .insns = { 728 BPF_MOV64_IMM(BPF_REG_0, 1), 729 BPF_MOV64_IMM(BPF_REG_1, 5), 730 BPF_ALU64_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1), 731 BPF_EXIT_INSN(), 732 }, 733 .result = ACCEPT, 734 }, 735 { 736 "no bpf_exit", 737 .insns = { 738 BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2), 739 }, 740 .errstr = "not an exit", 741 .result = REJECT, 742 }, 743 { 744 "loop (back-edge)", 745 .insns = { 746 BPF_JMP_IMM(BPF_JA, 0, 0, -1), 747 BPF_EXIT_INSN(), 748 }, 749 .errstr = "back-edge", 750 .result = REJECT, 751 }, 752 { 753 "loop2 (back-edge)", 754 .insns = { 755 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 756 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 757 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), 758 BPF_JMP_IMM(BPF_JA, 0, 0, -4), 759 BPF_EXIT_INSN(), 760 }, 761 .errstr = "back-edge", 762 .result = REJECT, 763 }, 764 { 765 "conditional loop", 766 .insns = { 767 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 768 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 769 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), 770 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3), 771 BPF_EXIT_INSN(), 772 }, 773 .errstr = "back-edge", 774 .result = REJECT, 775 }, 776 { 777 "read uninitialized register", 778 .insns = { 779 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 780 BPF_EXIT_INSN(), 781 }, 782 .errstr = "R2 !read_ok", 783 .result = REJECT, 784 }, 785 { 786 "read invalid register", 787 .insns = { 788 BPF_MOV64_REG(BPF_REG_0, -1), 789 BPF_EXIT_INSN(), 790 }, 791 .errstr = "R15 is invalid", 792 .result = REJECT, 793 }, 794 { 795 "program doesn't init R0 before exit", 796 .insns = { 797 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1), 798 BPF_EXIT_INSN(), 799 }, 800 .errstr = "R0 !read_ok", 801 .result = REJECT, 802 }, 803 { 804 "program doesn't init R0 before exit in all branches", 805 .insns = { 806 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 807 BPF_MOV64_IMM(BPF_REG_0, 1), 808 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2), 809 BPF_EXIT_INSN(), 810 }, 811 .errstr = "R0 !read_ok", 812 .errstr_unpriv = "R1 pointer comparison", 813 .result = REJECT, 814 }, 815 { 816 "stack out of bounds", 817 .insns = { 818 BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0), 819 BPF_EXIT_INSN(), 820 }, 821 .errstr = "invalid stack", 822 .result = REJECT, 823 }, 824 { 825 "invalid call insn1", 826 .insns = { 827 BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0), 828 BPF_EXIT_INSN(), 829 }, 830 .errstr = "unknown opcode 8d", 831 .result = REJECT, 832 }, 833 { 834 "invalid call insn2", 835 .insns = { 836 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0), 837 BPF_EXIT_INSN(), 838 }, 839 .errstr = "BPF_CALL uses reserved", 840 .result = REJECT, 841 }, 842 { 843 "invalid function call", 844 .insns = { 845 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567), 846 BPF_EXIT_INSN(), 847 }, 848 .errstr = "invalid func unknown#1234567", 849 .result = REJECT, 850 }, 851 { 852 "uninitialized stack1", 853 .insns = { 854 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 855 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 856 BPF_LD_MAP_FD(BPF_REG_1, 0), 857 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 858 BPF_FUNC_map_lookup_elem), 859 BPF_EXIT_INSN(), 860 }, 861 .fixup_map1 = { 2 }, 862 .errstr = "invalid indirect read from stack", 863 .result = REJECT, 864 }, 865 { 866 "uninitialized stack2", 867 .insns = { 868 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 869 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8), 870 BPF_EXIT_INSN(), 871 }, 872 .errstr = "invalid read from stack", 873 .result = REJECT, 874 }, 875 { 876 "invalid fp arithmetic", 877 /* If this gets ever changed, make sure JITs can deal with it. */ 878 .insns = { 879 BPF_MOV64_IMM(BPF_REG_0, 0), 880 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 881 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8), 882 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 883 BPF_EXIT_INSN(), 884 }, 885 .errstr = "R1 subtraction from stack pointer", 886 .result = REJECT, 887 }, 888 { 889 "non-invalid fp arithmetic", 890 .insns = { 891 BPF_MOV64_IMM(BPF_REG_0, 0), 892 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 893 BPF_EXIT_INSN(), 894 }, 895 .result = ACCEPT, 896 }, 897 { 898 "invalid argument register", 899 .insns = { 900 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 901 BPF_FUNC_get_cgroup_classid), 902 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 903 BPF_FUNC_get_cgroup_classid), 904 BPF_EXIT_INSN(), 905 }, 906 .errstr = "R1 !read_ok", 907 .result = REJECT, 908 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 909 }, 910 { 911 "non-invalid argument register", 912 .insns = { 913 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1), 914 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 915 BPF_FUNC_get_cgroup_classid), 916 BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6), 917 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 918 BPF_FUNC_get_cgroup_classid), 919 BPF_EXIT_INSN(), 920 }, 921 .result = ACCEPT, 922 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 923 }, 924 { 925 "check valid spill/fill", 926 .insns = { 927 /* spill R1(ctx) into stack */ 928 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 929 /* fill it back into R2 */ 930 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8), 931 /* should be able to access R0 = *(R2 + 8) */ 932 /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */ 933 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 934 BPF_EXIT_INSN(), 935 }, 936 .errstr_unpriv = "R0 leaks addr", 937 .result = ACCEPT, 938 .result_unpriv = REJECT, 939 .retval = POINTER_VALUE, 940 }, 941 { 942 "check valid spill/fill, skb mark", 943 .insns = { 944 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1), 945 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8), 946 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8), 947 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 948 offsetof(struct __sk_buff, mark)), 949 BPF_EXIT_INSN(), 950 }, 951 .result = ACCEPT, 952 .result_unpriv = ACCEPT, 953 }, 954 { 955 "check corrupted spill/fill", 956 .insns = { 957 /* spill R1(ctx) into stack */ 958 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 959 /* mess up with R1 pointer on stack */ 960 BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23), 961 /* fill back into R0 should fail */ 962 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8), 963 BPF_EXIT_INSN(), 964 }, 965 .errstr_unpriv = "attempt to corrupt spilled", 966 .errstr = "corrupted spill", 967 .result = REJECT, 968 }, 969 { 970 "invalid src register in STX", 971 .insns = { 972 BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1), 973 BPF_EXIT_INSN(), 974 }, 975 .errstr = "R15 is invalid", 976 .result = REJECT, 977 }, 978 { 979 "invalid dst register in STX", 980 .insns = { 981 BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1), 982 BPF_EXIT_INSN(), 983 }, 984 .errstr = "R14 is invalid", 985 .result = REJECT, 986 }, 987 { 988 "invalid dst register in ST", 989 .insns = { 990 BPF_ST_MEM(BPF_B, 14, -1, -1), 991 BPF_EXIT_INSN(), 992 }, 993 .errstr = "R14 is invalid", 994 .result = REJECT, 995 }, 996 { 997 "invalid src register in LDX", 998 .insns = { 999 BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0), 1000 BPF_EXIT_INSN(), 1001 }, 1002 .errstr = "R12 is invalid", 1003 .result = REJECT, 1004 }, 1005 { 1006 "invalid dst register in LDX", 1007 .insns = { 1008 BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0), 1009 BPF_EXIT_INSN(), 1010 }, 1011 .errstr = "R11 is invalid", 1012 .result = REJECT, 1013 }, 1014 { 1015 "junk insn", 1016 .insns = { 1017 BPF_RAW_INSN(0, 0, 0, 0, 0), 1018 BPF_EXIT_INSN(), 1019 }, 1020 .errstr = "unknown opcode 00", 1021 .result = REJECT, 1022 }, 1023 { 1024 "junk insn2", 1025 .insns = { 1026 BPF_RAW_INSN(1, 0, 0, 0, 0), 1027 BPF_EXIT_INSN(), 1028 }, 1029 .errstr = "BPF_LDX uses reserved fields", 1030 .result = REJECT, 1031 }, 1032 { 1033 "junk insn3", 1034 .insns = { 1035 BPF_RAW_INSN(-1, 0, 0, 0, 0), 1036 BPF_EXIT_INSN(), 1037 }, 1038 .errstr = "unknown opcode ff", 1039 .result = REJECT, 1040 }, 1041 { 1042 "junk insn4", 1043 .insns = { 1044 BPF_RAW_INSN(-1, -1, -1, -1, -1), 1045 BPF_EXIT_INSN(), 1046 }, 1047 .errstr = "unknown opcode ff", 1048 .result = REJECT, 1049 }, 1050 { 1051 "junk insn5", 1052 .insns = { 1053 BPF_RAW_INSN(0x7f, -1, -1, -1, -1), 1054 BPF_EXIT_INSN(), 1055 }, 1056 .errstr = "BPF_ALU uses reserved fields", 1057 .result = REJECT, 1058 }, 1059 { 1060 "misaligned read from stack", 1061 .insns = { 1062 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1063 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4), 1064 BPF_EXIT_INSN(), 1065 }, 1066 .errstr = "misaligned stack access", 1067 .result = REJECT, 1068 }, 1069 { 1070 "invalid map_fd for function call", 1071 .insns = { 1072 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 1073 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10), 1074 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1075 BPF_LD_MAP_FD(BPF_REG_1, 0), 1076 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1077 BPF_FUNC_map_delete_elem), 1078 BPF_EXIT_INSN(), 1079 }, 1080 .errstr = "fd 0 is not pointing to valid bpf_map", 1081 .result = REJECT, 1082 }, 1083 { 1084 "don't check return value before access", 1085 .insns = { 1086 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 1087 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1088 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1089 BPF_LD_MAP_FD(BPF_REG_1, 0), 1090 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1091 BPF_FUNC_map_lookup_elem), 1092 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0), 1093 BPF_EXIT_INSN(), 1094 }, 1095 .fixup_map1 = { 3 }, 1096 .errstr = "R0 invalid mem access 'map_value_or_null'", 1097 .result = REJECT, 1098 }, 1099 { 1100 "access memory with incorrect alignment", 1101 .insns = { 1102 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 1103 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1104 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1105 BPF_LD_MAP_FD(BPF_REG_1, 0), 1106 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1107 BPF_FUNC_map_lookup_elem), 1108 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 1109 BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0), 1110 BPF_EXIT_INSN(), 1111 }, 1112 .fixup_map1 = { 3 }, 1113 .errstr = "misaligned value access", 1114 .result = REJECT, 1115 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 1116 }, 1117 { 1118 "sometimes access memory with incorrect alignment", 1119 .insns = { 1120 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 1121 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1122 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1123 BPF_LD_MAP_FD(BPF_REG_1, 0), 1124 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1125 BPF_FUNC_map_lookup_elem), 1126 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 1127 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0), 1128 BPF_EXIT_INSN(), 1129 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1), 1130 BPF_EXIT_INSN(), 1131 }, 1132 .fixup_map1 = { 3 }, 1133 .errstr = "R0 invalid mem access", 1134 .errstr_unpriv = "R0 leaks addr", 1135 .result = REJECT, 1136 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 1137 }, 1138 { 1139 "jump test 1", 1140 .insns = { 1141 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1142 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8), 1143 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 1144 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0), 1145 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1), 1146 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1), 1147 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1), 1148 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2), 1149 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1), 1150 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3), 1151 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1), 1152 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4), 1153 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1), 1154 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5), 1155 BPF_MOV64_IMM(BPF_REG_0, 0), 1156 BPF_EXIT_INSN(), 1157 }, 1158 .errstr_unpriv = "R1 pointer comparison", 1159 .result_unpriv = REJECT, 1160 .result = ACCEPT, 1161 }, 1162 { 1163 "jump test 2", 1164 .insns = { 1165 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1166 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2), 1167 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0), 1168 BPF_JMP_IMM(BPF_JA, 0, 0, 14), 1169 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2), 1170 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0), 1171 BPF_JMP_IMM(BPF_JA, 0, 0, 11), 1172 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2), 1173 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0), 1174 BPF_JMP_IMM(BPF_JA, 0, 0, 8), 1175 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2), 1176 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0), 1177 BPF_JMP_IMM(BPF_JA, 0, 0, 5), 1178 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2), 1179 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0), 1180 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 1181 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1), 1182 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0), 1183 BPF_MOV64_IMM(BPF_REG_0, 0), 1184 BPF_EXIT_INSN(), 1185 }, 1186 .errstr_unpriv = "R1 pointer comparison", 1187 .result_unpriv = REJECT, 1188 .result = ACCEPT, 1189 }, 1190 { 1191 "jump test 3", 1192 .insns = { 1193 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1194 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3), 1195 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0), 1196 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1197 BPF_JMP_IMM(BPF_JA, 0, 0, 19), 1198 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3), 1199 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0), 1200 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16), 1201 BPF_JMP_IMM(BPF_JA, 0, 0, 15), 1202 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3), 1203 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0), 1204 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32), 1205 BPF_JMP_IMM(BPF_JA, 0, 0, 11), 1206 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3), 1207 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0), 1208 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40), 1209 BPF_JMP_IMM(BPF_JA, 0, 0, 7), 1210 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3), 1211 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0), 1212 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48), 1213 BPF_JMP_IMM(BPF_JA, 0, 0, 3), 1214 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0), 1215 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0), 1216 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56), 1217 BPF_LD_MAP_FD(BPF_REG_1, 0), 1218 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1219 BPF_FUNC_map_delete_elem), 1220 BPF_EXIT_INSN(), 1221 }, 1222 .fixup_map1 = { 24 }, 1223 .errstr_unpriv = "R1 pointer comparison", 1224 .result_unpriv = REJECT, 1225 .result = ACCEPT, 1226 .retval = -ENOENT, 1227 }, 1228 { 1229 "jump test 4", 1230 .insns = { 1231 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 1232 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 1233 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 1234 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 1235 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 1236 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 1237 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 1238 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 1239 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 1240 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 1241 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 1242 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 1243 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 1244 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 1245 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 1246 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 1247 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 1248 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 1249 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 1250 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 1251 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 1252 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 1253 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 1254 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 1255 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 1256 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 1257 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 1258 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 1259 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 1260 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 1261 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 1262 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 1263 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1), 1264 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2), 1265 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3), 1266 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4), 1267 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), 1268 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), 1269 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), 1270 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), 1271 BPF_MOV64_IMM(BPF_REG_0, 0), 1272 BPF_EXIT_INSN(), 1273 }, 1274 .errstr_unpriv = "R1 pointer comparison", 1275 .result_unpriv = REJECT, 1276 .result = ACCEPT, 1277 }, 1278 { 1279 "jump test 5", 1280 .insns = { 1281 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1282 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), 1283 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 1284 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), 1285 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 1286 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), 1287 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 1288 BPF_MOV64_IMM(BPF_REG_0, 0), 1289 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 1290 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), 1291 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 1292 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), 1293 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 1294 BPF_MOV64_IMM(BPF_REG_0, 0), 1295 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 1296 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), 1297 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 1298 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), 1299 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 1300 BPF_MOV64_IMM(BPF_REG_0, 0), 1301 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 1302 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), 1303 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 1304 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), 1305 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 1306 BPF_MOV64_IMM(BPF_REG_0, 0), 1307 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 1308 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8), 1309 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 1310 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8), 1311 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 1312 BPF_MOV64_IMM(BPF_REG_0, 0), 1313 BPF_EXIT_INSN(), 1314 }, 1315 .errstr_unpriv = "R1 pointer comparison", 1316 .result_unpriv = REJECT, 1317 .result = ACCEPT, 1318 }, 1319 { 1320 "access skb fields ok", 1321 .insns = { 1322 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1323 offsetof(struct __sk_buff, len)), 1324 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 1325 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1326 offsetof(struct __sk_buff, mark)), 1327 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 1328 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1329 offsetof(struct __sk_buff, pkt_type)), 1330 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 1331 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1332 offsetof(struct __sk_buff, queue_mapping)), 1333 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 1334 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1335 offsetof(struct __sk_buff, protocol)), 1336 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 1337 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1338 offsetof(struct __sk_buff, vlan_present)), 1339 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 1340 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1341 offsetof(struct __sk_buff, vlan_tci)), 1342 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 1343 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1344 offsetof(struct __sk_buff, napi_id)), 1345 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 1346 BPF_EXIT_INSN(), 1347 }, 1348 .result = ACCEPT, 1349 }, 1350 { 1351 "access skb fields bad1", 1352 .insns = { 1353 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4), 1354 BPF_EXIT_INSN(), 1355 }, 1356 .errstr = "invalid bpf_context access", 1357 .result = REJECT, 1358 }, 1359 { 1360 "access skb fields bad2", 1361 .insns = { 1362 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9), 1363 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 1364 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1365 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1366 BPF_LD_MAP_FD(BPF_REG_1, 0), 1367 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1368 BPF_FUNC_map_lookup_elem), 1369 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 1370 BPF_EXIT_INSN(), 1371 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 1372 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1373 offsetof(struct __sk_buff, pkt_type)), 1374 BPF_EXIT_INSN(), 1375 }, 1376 .fixup_map1 = { 4 }, 1377 .errstr = "different pointers", 1378 .errstr_unpriv = "R1 pointer comparison", 1379 .result = REJECT, 1380 }, 1381 { 1382 "access skb fields bad3", 1383 .insns = { 1384 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 1385 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1386 offsetof(struct __sk_buff, pkt_type)), 1387 BPF_EXIT_INSN(), 1388 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 1389 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1390 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1391 BPF_LD_MAP_FD(BPF_REG_1, 0), 1392 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1393 BPF_FUNC_map_lookup_elem), 1394 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 1395 BPF_EXIT_INSN(), 1396 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 1397 BPF_JMP_IMM(BPF_JA, 0, 0, -12), 1398 }, 1399 .fixup_map1 = { 6 }, 1400 .errstr = "different pointers", 1401 .errstr_unpriv = "R1 pointer comparison", 1402 .result = REJECT, 1403 }, 1404 { 1405 "access skb fields bad4", 1406 .insns = { 1407 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3), 1408 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 1409 offsetof(struct __sk_buff, len)), 1410 BPF_MOV64_IMM(BPF_REG_0, 0), 1411 BPF_EXIT_INSN(), 1412 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 1413 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 1414 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 1415 BPF_LD_MAP_FD(BPF_REG_1, 0), 1416 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1417 BPF_FUNC_map_lookup_elem), 1418 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 1419 BPF_EXIT_INSN(), 1420 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 1421 BPF_JMP_IMM(BPF_JA, 0, 0, -13), 1422 }, 1423 .fixup_map1 = { 7 }, 1424 .errstr = "different pointers", 1425 .errstr_unpriv = "R1 pointer comparison", 1426 .result = REJECT, 1427 }, 1428 { 1429 "invalid access __sk_buff family", 1430 .insns = { 1431 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1432 offsetof(struct __sk_buff, family)), 1433 BPF_EXIT_INSN(), 1434 }, 1435 .errstr = "invalid bpf_context access", 1436 .result = REJECT, 1437 }, 1438 { 1439 "invalid access __sk_buff remote_ip4", 1440 .insns = { 1441 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1442 offsetof(struct __sk_buff, remote_ip4)), 1443 BPF_EXIT_INSN(), 1444 }, 1445 .errstr = "invalid bpf_context access", 1446 .result = REJECT, 1447 }, 1448 { 1449 "invalid access __sk_buff local_ip4", 1450 .insns = { 1451 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1452 offsetof(struct __sk_buff, local_ip4)), 1453 BPF_EXIT_INSN(), 1454 }, 1455 .errstr = "invalid bpf_context access", 1456 .result = REJECT, 1457 }, 1458 { 1459 "invalid access __sk_buff remote_ip6", 1460 .insns = { 1461 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1462 offsetof(struct __sk_buff, remote_ip6)), 1463 BPF_EXIT_INSN(), 1464 }, 1465 .errstr = "invalid bpf_context access", 1466 .result = REJECT, 1467 }, 1468 { 1469 "invalid access __sk_buff local_ip6", 1470 .insns = { 1471 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1472 offsetof(struct __sk_buff, local_ip6)), 1473 BPF_EXIT_INSN(), 1474 }, 1475 .errstr = "invalid bpf_context access", 1476 .result = REJECT, 1477 }, 1478 { 1479 "invalid access __sk_buff remote_port", 1480 .insns = { 1481 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1482 offsetof(struct __sk_buff, remote_port)), 1483 BPF_EXIT_INSN(), 1484 }, 1485 .errstr = "invalid bpf_context access", 1486 .result = REJECT, 1487 }, 1488 { 1489 "invalid access __sk_buff remote_port", 1490 .insns = { 1491 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1492 offsetof(struct __sk_buff, local_port)), 1493 BPF_EXIT_INSN(), 1494 }, 1495 .errstr = "invalid bpf_context access", 1496 .result = REJECT, 1497 }, 1498 { 1499 "valid access __sk_buff family", 1500 .insns = { 1501 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1502 offsetof(struct __sk_buff, family)), 1503 BPF_EXIT_INSN(), 1504 }, 1505 .result = ACCEPT, 1506 .prog_type = BPF_PROG_TYPE_SK_SKB, 1507 }, 1508 { 1509 "valid access __sk_buff remote_ip4", 1510 .insns = { 1511 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1512 offsetof(struct __sk_buff, remote_ip4)), 1513 BPF_EXIT_INSN(), 1514 }, 1515 .result = ACCEPT, 1516 .prog_type = BPF_PROG_TYPE_SK_SKB, 1517 }, 1518 { 1519 "valid access __sk_buff local_ip4", 1520 .insns = { 1521 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1522 offsetof(struct __sk_buff, local_ip4)), 1523 BPF_EXIT_INSN(), 1524 }, 1525 .result = ACCEPT, 1526 .prog_type = BPF_PROG_TYPE_SK_SKB, 1527 }, 1528 { 1529 "valid access __sk_buff remote_ip6", 1530 .insns = { 1531 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1532 offsetof(struct __sk_buff, remote_ip6[0])), 1533 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1534 offsetof(struct __sk_buff, remote_ip6[1])), 1535 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1536 offsetof(struct __sk_buff, remote_ip6[2])), 1537 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1538 offsetof(struct __sk_buff, remote_ip6[3])), 1539 BPF_EXIT_INSN(), 1540 }, 1541 .result = ACCEPT, 1542 .prog_type = BPF_PROG_TYPE_SK_SKB, 1543 }, 1544 { 1545 "valid access __sk_buff local_ip6", 1546 .insns = { 1547 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1548 offsetof(struct __sk_buff, local_ip6[0])), 1549 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1550 offsetof(struct __sk_buff, local_ip6[1])), 1551 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1552 offsetof(struct __sk_buff, local_ip6[2])), 1553 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1554 offsetof(struct __sk_buff, local_ip6[3])), 1555 BPF_EXIT_INSN(), 1556 }, 1557 .result = ACCEPT, 1558 .prog_type = BPF_PROG_TYPE_SK_SKB, 1559 }, 1560 { 1561 "valid access __sk_buff remote_port", 1562 .insns = { 1563 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1564 offsetof(struct __sk_buff, remote_port)), 1565 BPF_EXIT_INSN(), 1566 }, 1567 .result = ACCEPT, 1568 .prog_type = BPF_PROG_TYPE_SK_SKB, 1569 }, 1570 { 1571 "valid access __sk_buff remote_port", 1572 .insns = { 1573 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1574 offsetof(struct __sk_buff, local_port)), 1575 BPF_EXIT_INSN(), 1576 }, 1577 .result = ACCEPT, 1578 .prog_type = BPF_PROG_TYPE_SK_SKB, 1579 }, 1580 { 1581 "invalid access of tc_classid for SK_SKB", 1582 .insns = { 1583 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1584 offsetof(struct __sk_buff, tc_classid)), 1585 BPF_EXIT_INSN(), 1586 }, 1587 .result = REJECT, 1588 .prog_type = BPF_PROG_TYPE_SK_SKB, 1589 .errstr = "invalid bpf_context access", 1590 }, 1591 { 1592 "invalid access of skb->mark for SK_SKB", 1593 .insns = { 1594 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1595 offsetof(struct __sk_buff, mark)), 1596 BPF_EXIT_INSN(), 1597 }, 1598 .result = REJECT, 1599 .prog_type = BPF_PROG_TYPE_SK_SKB, 1600 .errstr = "invalid bpf_context access", 1601 }, 1602 { 1603 "check skb->mark is not writeable by SK_SKB", 1604 .insns = { 1605 BPF_MOV64_IMM(BPF_REG_0, 0), 1606 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1607 offsetof(struct __sk_buff, mark)), 1608 BPF_EXIT_INSN(), 1609 }, 1610 .result = REJECT, 1611 .prog_type = BPF_PROG_TYPE_SK_SKB, 1612 .errstr = "invalid bpf_context access", 1613 }, 1614 { 1615 "check skb->tc_index is writeable by SK_SKB", 1616 .insns = { 1617 BPF_MOV64_IMM(BPF_REG_0, 0), 1618 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1619 offsetof(struct __sk_buff, tc_index)), 1620 BPF_EXIT_INSN(), 1621 }, 1622 .result = ACCEPT, 1623 .prog_type = BPF_PROG_TYPE_SK_SKB, 1624 }, 1625 { 1626 "check skb->priority is writeable by SK_SKB", 1627 .insns = { 1628 BPF_MOV64_IMM(BPF_REG_0, 0), 1629 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 1630 offsetof(struct __sk_buff, priority)), 1631 BPF_EXIT_INSN(), 1632 }, 1633 .result = ACCEPT, 1634 .prog_type = BPF_PROG_TYPE_SK_SKB, 1635 }, 1636 { 1637 "direct packet read for SK_SKB", 1638 .insns = { 1639 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 1640 offsetof(struct __sk_buff, data)), 1641 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 1642 offsetof(struct __sk_buff, data_end)), 1643 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 1644 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 1645 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 1646 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 1647 BPF_MOV64_IMM(BPF_REG_0, 0), 1648 BPF_EXIT_INSN(), 1649 }, 1650 .result = ACCEPT, 1651 .prog_type = BPF_PROG_TYPE_SK_SKB, 1652 }, 1653 { 1654 "direct packet write for SK_SKB", 1655 .insns = { 1656 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 1657 offsetof(struct __sk_buff, data)), 1658 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 1659 offsetof(struct __sk_buff, data_end)), 1660 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 1661 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 1662 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 1663 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 1664 BPF_MOV64_IMM(BPF_REG_0, 0), 1665 BPF_EXIT_INSN(), 1666 }, 1667 .result = ACCEPT, 1668 .prog_type = BPF_PROG_TYPE_SK_SKB, 1669 }, 1670 { 1671 "overlapping checks for direct packet access SK_SKB", 1672 .insns = { 1673 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 1674 offsetof(struct __sk_buff, data)), 1675 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 1676 offsetof(struct __sk_buff, data_end)), 1677 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 1678 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 1679 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4), 1680 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 1681 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6), 1682 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1), 1683 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6), 1684 BPF_MOV64_IMM(BPF_REG_0, 0), 1685 BPF_EXIT_INSN(), 1686 }, 1687 .result = ACCEPT, 1688 .prog_type = BPF_PROG_TYPE_SK_SKB, 1689 }, 1690 { 1691 "valid access family in SK_MSG", 1692 .insns = { 1693 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1694 offsetof(struct sk_msg_md, family)), 1695 BPF_EXIT_INSN(), 1696 }, 1697 .result = ACCEPT, 1698 .prog_type = BPF_PROG_TYPE_SK_MSG, 1699 }, 1700 { 1701 "valid access remote_ip4 in SK_MSG", 1702 .insns = { 1703 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1704 offsetof(struct sk_msg_md, remote_ip4)), 1705 BPF_EXIT_INSN(), 1706 }, 1707 .result = ACCEPT, 1708 .prog_type = BPF_PROG_TYPE_SK_MSG, 1709 }, 1710 { 1711 "valid access local_ip4 in SK_MSG", 1712 .insns = { 1713 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1714 offsetof(struct sk_msg_md, local_ip4)), 1715 BPF_EXIT_INSN(), 1716 }, 1717 .result = ACCEPT, 1718 .prog_type = BPF_PROG_TYPE_SK_MSG, 1719 }, 1720 { 1721 "valid access remote_port in SK_MSG", 1722 .insns = { 1723 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1724 offsetof(struct sk_msg_md, remote_port)), 1725 BPF_EXIT_INSN(), 1726 }, 1727 .result = ACCEPT, 1728 .prog_type = BPF_PROG_TYPE_SK_MSG, 1729 }, 1730 { 1731 "valid access local_port in SK_MSG", 1732 .insns = { 1733 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1734 offsetof(struct sk_msg_md, local_port)), 1735 BPF_EXIT_INSN(), 1736 }, 1737 .result = ACCEPT, 1738 .prog_type = BPF_PROG_TYPE_SK_MSG, 1739 }, 1740 { 1741 "valid access remote_ip6 in SK_MSG", 1742 .insns = { 1743 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1744 offsetof(struct sk_msg_md, remote_ip6[0])), 1745 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1746 offsetof(struct sk_msg_md, remote_ip6[1])), 1747 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1748 offsetof(struct sk_msg_md, remote_ip6[2])), 1749 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1750 offsetof(struct sk_msg_md, remote_ip6[3])), 1751 BPF_EXIT_INSN(), 1752 }, 1753 .result = ACCEPT, 1754 .prog_type = BPF_PROG_TYPE_SK_SKB, 1755 }, 1756 { 1757 "valid access local_ip6 in SK_MSG", 1758 .insns = { 1759 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1760 offsetof(struct sk_msg_md, local_ip6[0])), 1761 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1762 offsetof(struct sk_msg_md, local_ip6[1])), 1763 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1764 offsetof(struct sk_msg_md, local_ip6[2])), 1765 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1766 offsetof(struct sk_msg_md, local_ip6[3])), 1767 BPF_EXIT_INSN(), 1768 }, 1769 .result = ACCEPT, 1770 .prog_type = BPF_PROG_TYPE_SK_SKB, 1771 }, 1772 { 1773 "invalid 64B read of family in SK_MSG", 1774 .insns = { 1775 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 1776 offsetof(struct sk_msg_md, family)), 1777 BPF_EXIT_INSN(), 1778 }, 1779 .errstr = "invalid bpf_context access", 1780 .result = REJECT, 1781 .prog_type = BPF_PROG_TYPE_SK_MSG, 1782 }, 1783 { 1784 "invalid read past end of SK_MSG", 1785 .insns = { 1786 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 1787 offsetof(struct sk_msg_md, local_port) + 4), 1788 BPF_EXIT_INSN(), 1789 }, 1790 .errstr = "R0 !read_ok", 1791 .result = REJECT, 1792 .prog_type = BPF_PROG_TYPE_SK_MSG, 1793 }, 1794 { 1795 "invalid read offset in SK_MSG", 1796 .insns = { 1797 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 1798 offsetof(struct sk_msg_md, family) + 1), 1799 BPF_EXIT_INSN(), 1800 }, 1801 .errstr = "invalid bpf_context access", 1802 .result = REJECT, 1803 .prog_type = BPF_PROG_TYPE_SK_MSG, 1804 }, 1805 { 1806 "direct packet read for SK_MSG", 1807 .insns = { 1808 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 1809 offsetof(struct sk_msg_md, data)), 1810 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 1811 offsetof(struct sk_msg_md, data_end)), 1812 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 1813 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 1814 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 1815 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 1816 BPF_MOV64_IMM(BPF_REG_0, 0), 1817 BPF_EXIT_INSN(), 1818 }, 1819 .result = ACCEPT, 1820 .prog_type = BPF_PROG_TYPE_SK_MSG, 1821 }, 1822 { 1823 "direct packet write for SK_MSG", 1824 .insns = { 1825 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 1826 offsetof(struct sk_msg_md, data)), 1827 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 1828 offsetof(struct sk_msg_md, data_end)), 1829 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 1830 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 1831 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 1832 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 1833 BPF_MOV64_IMM(BPF_REG_0, 0), 1834 BPF_EXIT_INSN(), 1835 }, 1836 .result = ACCEPT, 1837 .prog_type = BPF_PROG_TYPE_SK_MSG, 1838 }, 1839 { 1840 "overlapping checks for direct packet access SK_MSG", 1841 .insns = { 1842 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 1843 offsetof(struct sk_msg_md, data)), 1844 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 1845 offsetof(struct sk_msg_md, data_end)), 1846 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 1847 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 1848 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4), 1849 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 1850 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6), 1851 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1), 1852 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6), 1853 BPF_MOV64_IMM(BPF_REG_0, 0), 1854 BPF_EXIT_INSN(), 1855 }, 1856 .result = ACCEPT, 1857 .prog_type = BPF_PROG_TYPE_SK_MSG, 1858 }, 1859 { 1860 "check skb->mark is not writeable by sockets", 1861 .insns = { 1862 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 1863 offsetof(struct __sk_buff, mark)), 1864 BPF_EXIT_INSN(), 1865 }, 1866 .errstr = "invalid bpf_context access", 1867 .errstr_unpriv = "R1 leaks addr", 1868 .result = REJECT, 1869 }, 1870 { 1871 "check skb->tc_index is not writeable by sockets", 1872 .insns = { 1873 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 1874 offsetof(struct __sk_buff, tc_index)), 1875 BPF_EXIT_INSN(), 1876 }, 1877 .errstr = "invalid bpf_context access", 1878 .errstr_unpriv = "R1 leaks addr", 1879 .result = REJECT, 1880 }, 1881 { 1882 "check cb access: byte", 1883 .insns = { 1884 BPF_MOV64_IMM(BPF_REG_0, 0), 1885 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1886 offsetof(struct __sk_buff, cb[0])), 1887 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1888 offsetof(struct __sk_buff, cb[0]) + 1), 1889 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1890 offsetof(struct __sk_buff, cb[0]) + 2), 1891 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1892 offsetof(struct __sk_buff, cb[0]) + 3), 1893 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1894 offsetof(struct __sk_buff, cb[1])), 1895 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1896 offsetof(struct __sk_buff, cb[1]) + 1), 1897 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1898 offsetof(struct __sk_buff, cb[1]) + 2), 1899 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1900 offsetof(struct __sk_buff, cb[1]) + 3), 1901 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1902 offsetof(struct __sk_buff, cb[2])), 1903 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1904 offsetof(struct __sk_buff, cb[2]) + 1), 1905 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1906 offsetof(struct __sk_buff, cb[2]) + 2), 1907 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1908 offsetof(struct __sk_buff, cb[2]) + 3), 1909 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1910 offsetof(struct __sk_buff, cb[3])), 1911 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1912 offsetof(struct __sk_buff, cb[3]) + 1), 1913 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1914 offsetof(struct __sk_buff, cb[3]) + 2), 1915 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1916 offsetof(struct __sk_buff, cb[3]) + 3), 1917 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1918 offsetof(struct __sk_buff, cb[4])), 1919 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1920 offsetof(struct __sk_buff, cb[4]) + 1), 1921 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1922 offsetof(struct __sk_buff, cb[4]) + 2), 1923 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1924 offsetof(struct __sk_buff, cb[4]) + 3), 1925 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1926 offsetof(struct __sk_buff, cb[0])), 1927 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1928 offsetof(struct __sk_buff, cb[0]) + 1), 1929 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1930 offsetof(struct __sk_buff, cb[0]) + 2), 1931 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1932 offsetof(struct __sk_buff, cb[0]) + 3), 1933 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1934 offsetof(struct __sk_buff, cb[1])), 1935 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1936 offsetof(struct __sk_buff, cb[1]) + 1), 1937 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1938 offsetof(struct __sk_buff, cb[1]) + 2), 1939 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1940 offsetof(struct __sk_buff, cb[1]) + 3), 1941 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1942 offsetof(struct __sk_buff, cb[2])), 1943 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1944 offsetof(struct __sk_buff, cb[2]) + 1), 1945 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1946 offsetof(struct __sk_buff, cb[2]) + 2), 1947 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1948 offsetof(struct __sk_buff, cb[2]) + 3), 1949 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1950 offsetof(struct __sk_buff, cb[3])), 1951 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1952 offsetof(struct __sk_buff, cb[3]) + 1), 1953 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1954 offsetof(struct __sk_buff, cb[3]) + 2), 1955 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1956 offsetof(struct __sk_buff, cb[3]) + 3), 1957 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1958 offsetof(struct __sk_buff, cb[4])), 1959 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1960 offsetof(struct __sk_buff, cb[4]) + 1), 1961 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1962 offsetof(struct __sk_buff, cb[4]) + 2), 1963 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1964 offsetof(struct __sk_buff, cb[4]) + 3), 1965 BPF_EXIT_INSN(), 1966 }, 1967 .result = ACCEPT, 1968 }, 1969 { 1970 "__sk_buff->hash, offset 0, byte store not permitted", 1971 .insns = { 1972 BPF_MOV64_IMM(BPF_REG_0, 0), 1973 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1974 offsetof(struct __sk_buff, hash)), 1975 BPF_EXIT_INSN(), 1976 }, 1977 .errstr = "invalid bpf_context access", 1978 .result = REJECT, 1979 }, 1980 { 1981 "__sk_buff->tc_index, offset 3, byte store not permitted", 1982 .insns = { 1983 BPF_MOV64_IMM(BPF_REG_0, 0), 1984 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 1985 offsetof(struct __sk_buff, tc_index) + 3), 1986 BPF_EXIT_INSN(), 1987 }, 1988 .errstr = "invalid bpf_context access", 1989 .result = REJECT, 1990 }, 1991 { 1992 "check skb->hash byte load permitted", 1993 .insns = { 1994 BPF_MOV64_IMM(BPF_REG_0, 0), 1995 #if __BYTE_ORDER == __LITTLE_ENDIAN 1996 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1997 offsetof(struct __sk_buff, hash)), 1998 #else 1999 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 2000 offsetof(struct __sk_buff, hash) + 3), 2001 #endif 2002 BPF_EXIT_INSN(), 2003 }, 2004 .result = ACCEPT, 2005 }, 2006 { 2007 "check skb->hash byte load not permitted 1", 2008 .insns = { 2009 BPF_MOV64_IMM(BPF_REG_0, 0), 2010 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 2011 offsetof(struct __sk_buff, hash) + 1), 2012 BPF_EXIT_INSN(), 2013 }, 2014 .errstr = "invalid bpf_context access", 2015 .result = REJECT, 2016 }, 2017 { 2018 "check skb->hash byte load not permitted 2", 2019 .insns = { 2020 BPF_MOV64_IMM(BPF_REG_0, 0), 2021 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 2022 offsetof(struct __sk_buff, hash) + 2), 2023 BPF_EXIT_INSN(), 2024 }, 2025 .errstr = "invalid bpf_context access", 2026 .result = REJECT, 2027 }, 2028 { 2029 "check skb->hash byte load not permitted 3", 2030 .insns = { 2031 BPF_MOV64_IMM(BPF_REG_0, 0), 2032 #if __BYTE_ORDER == __LITTLE_ENDIAN 2033 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 2034 offsetof(struct __sk_buff, hash) + 3), 2035 #else 2036 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 2037 offsetof(struct __sk_buff, hash)), 2038 #endif 2039 BPF_EXIT_INSN(), 2040 }, 2041 .errstr = "invalid bpf_context access", 2042 .result = REJECT, 2043 }, 2044 { 2045 "check cb access: byte, wrong type", 2046 .insns = { 2047 BPF_MOV64_IMM(BPF_REG_0, 0), 2048 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 2049 offsetof(struct __sk_buff, cb[0])), 2050 BPF_EXIT_INSN(), 2051 }, 2052 .errstr = "invalid bpf_context access", 2053 .result = REJECT, 2054 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 2055 }, 2056 { 2057 "check cb access: half", 2058 .insns = { 2059 BPF_MOV64_IMM(BPF_REG_0, 0), 2060 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 2061 offsetof(struct __sk_buff, cb[0])), 2062 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 2063 offsetof(struct __sk_buff, cb[0]) + 2), 2064 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 2065 offsetof(struct __sk_buff, cb[1])), 2066 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 2067 offsetof(struct __sk_buff, cb[1]) + 2), 2068 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 2069 offsetof(struct __sk_buff, cb[2])), 2070 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 2071 offsetof(struct __sk_buff, cb[2]) + 2), 2072 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 2073 offsetof(struct __sk_buff, cb[3])), 2074 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 2075 offsetof(struct __sk_buff, cb[3]) + 2), 2076 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 2077 offsetof(struct __sk_buff, cb[4])), 2078 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 2079 offsetof(struct __sk_buff, cb[4]) + 2), 2080 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 2081 offsetof(struct __sk_buff, cb[0])), 2082 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 2083 offsetof(struct __sk_buff, cb[0]) + 2), 2084 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 2085 offsetof(struct __sk_buff, cb[1])), 2086 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 2087 offsetof(struct __sk_buff, cb[1]) + 2), 2088 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 2089 offsetof(struct __sk_buff, cb[2])), 2090 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 2091 offsetof(struct __sk_buff, cb[2]) + 2), 2092 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 2093 offsetof(struct __sk_buff, cb[3])), 2094 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 2095 offsetof(struct __sk_buff, cb[3]) + 2), 2096 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 2097 offsetof(struct __sk_buff, cb[4])), 2098 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 2099 offsetof(struct __sk_buff, cb[4]) + 2), 2100 BPF_EXIT_INSN(), 2101 }, 2102 .result = ACCEPT, 2103 }, 2104 { 2105 "check cb access: half, unaligned", 2106 .insns = { 2107 BPF_MOV64_IMM(BPF_REG_0, 0), 2108 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 2109 offsetof(struct __sk_buff, cb[0]) + 1), 2110 BPF_EXIT_INSN(), 2111 }, 2112 .errstr = "misaligned context access", 2113 .result = REJECT, 2114 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 2115 }, 2116 { 2117 "check __sk_buff->hash, offset 0, half store not permitted", 2118 .insns = { 2119 BPF_MOV64_IMM(BPF_REG_0, 0), 2120 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 2121 offsetof(struct __sk_buff, hash)), 2122 BPF_EXIT_INSN(), 2123 }, 2124 .errstr = "invalid bpf_context access", 2125 .result = REJECT, 2126 }, 2127 { 2128 "check __sk_buff->tc_index, offset 2, half store not permitted", 2129 .insns = { 2130 BPF_MOV64_IMM(BPF_REG_0, 0), 2131 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 2132 offsetof(struct __sk_buff, tc_index) + 2), 2133 BPF_EXIT_INSN(), 2134 }, 2135 .errstr = "invalid bpf_context access", 2136 .result = REJECT, 2137 }, 2138 { 2139 "check skb->hash half load permitted", 2140 .insns = { 2141 BPF_MOV64_IMM(BPF_REG_0, 0), 2142 #if __BYTE_ORDER == __LITTLE_ENDIAN 2143 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 2144 offsetof(struct __sk_buff, hash)), 2145 #else 2146 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 2147 offsetof(struct __sk_buff, hash) + 2), 2148 #endif 2149 BPF_EXIT_INSN(), 2150 }, 2151 .result = ACCEPT, 2152 }, 2153 { 2154 "check skb->hash half load not permitted", 2155 .insns = { 2156 BPF_MOV64_IMM(BPF_REG_0, 0), 2157 #if __BYTE_ORDER == __LITTLE_ENDIAN 2158 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 2159 offsetof(struct __sk_buff, hash) + 2), 2160 #else 2161 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 2162 offsetof(struct __sk_buff, hash)), 2163 #endif 2164 BPF_EXIT_INSN(), 2165 }, 2166 .errstr = "invalid bpf_context access", 2167 .result = REJECT, 2168 }, 2169 { 2170 "check cb access: half, wrong type", 2171 .insns = { 2172 BPF_MOV64_IMM(BPF_REG_0, 0), 2173 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 2174 offsetof(struct __sk_buff, cb[0])), 2175 BPF_EXIT_INSN(), 2176 }, 2177 .errstr = "invalid bpf_context access", 2178 .result = REJECT, 2179 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 2180 }, 2181 { 2182 "check cb access: word", 2183 .insns = { 2184 BPF_MOV64_IMM(BPF_REG_0, 0), 2185 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 2186 offsetof(struct __sk_buff, cb[0])), 2187 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 2188 offsetof(struct __sk_buff, cb[1])), 2189 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 2190 offsetof(struct __sk_buff, cb[2])), 2191 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 2192 offsetof(struct __sk_buff, cb[3])), 2193 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 2194 offsetof(struct __sk_buff, cb[4])), 2195 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 2196 offsetof(struct __sk_buff, cb[0])), 2197 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 2198 offsetof(struct __sk_buff, cb[1])), 2199 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 2200 offsetof(struct __sk_buff, cb[2])), 2201 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 2202 offsetof(struct __sk_buff, cb[3])), 2203 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 2204 offsetof(struct __sk_buff, cb[4])), 2205 BPF_EXIT_INSN(), 2206 }, 2207 .result = ACCEPT, 2208 }, 2209 { 2210 "check cb access: word, unaligned 1", 2211 .insns = { 2212 BPF_MOV64_IMM(BPF_REG_0, 0), 2213 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 2214 offsetof(struct __sk_buff, cb[0]) + 2), 2215 BPF_EXIT_INSN(), 2216 }, 2217 .errstr = "misaligned context access", 2218 .result = REJECT, 2219 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 2220 }, 2221 { 2222 "check cb access: word, unaligned 2", 2223 .insns = { 2224 BPF_MOV64_IMM(BPF_REG_0, 0), 2225 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 2226 offsetof(struct __sk_buff, cb[4]) + 1), 2227 BPF_EXIT_INSN(), 2228 }, 2229 .errstr = "misaligned context access", 2230 .result = REJECT, 2231 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 2232 }, 2233 { 2234 "check cb access: word, unaligned 3", 2235 .insns = { 2236 BPF_MOV64_IMM(BPF_REG_0, 0), 2237 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 2238 offsetof(struct __sk_buff, cb[4]) + 2), 2239 BPF_EXIT_INSN(), 2240 }, 2241 .errstr = "misaligned context access", 2242 .result = REJECT, 2243 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 2244 }, 2245 { 2246 "check cb access: word, unaligned 4", 2247 .insns = { 2248 BPF_MOV64_IMM(BPF_REG_0, 0), 2249 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 2250 offsetof(struct __sk_buff, cb[4]) + 3), 2251 BPF_EXIT_INSN(), 2252 }, 2253 .errstr = "misaligned context access", 2254 .result = REJECT, 2255 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 2256 }, 2257 { 2258 "check cb access: double", 2259 .insns = { 2260 BPF_MOV64_IMM(BPF_REG_0, 0), 2261 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 2262 offsetof(struct __sk_buff, cb[0])), 2263 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 2264 offsetof(struct __sk_buff, cb[2])), 2265 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2266 offsetof(struct __sk_buff, cb[0])), 2267 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2268 offsetof(struct __sk_buff, cb[2])), 2269 BPF_EXIT_INSN(), 2270 }, 2271 .result = ACCEPT, 2272 }, 2273 { 2274 "check cb access: double, unaligned 1", 2275 .insns = { 2276 BPF_MOV64_IMM(BPF_REG_0, 0), 2277 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 2278 offsetof(struct __sk_buff, cb[1])), 2279 BPF_EXIT_INSN(), 2280 }, 2281 .errstr = "misaligned context access", 2282 .result = REJECT, 2283 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 2284 }, 2285 { 2286 "check cb access: double, unaligned 2", 2287 .insns = { 2288 BPF_MOV64_IMM(BPF_REG_0, 0), 2289 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 2290 offsetof(struct __sk_buff, cb[3])), 2291 BPF_EXIT_INSN(), 2292 }, 2293 .errstr = "misaligned context access", 2294 .result = REJECT, 2295 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 2296 }, 2297 { 2298 "check cb access: double, oob 1", 2299 .insns = { 2300 BPF_MOV64_IMM(BPF_REG_0, 0), 2301 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 2302 offsetof(struct __sk_buff, cb[4])), 2303 BPF_EXIT_INSN(), 2304 }, 2305 .errstr = "invalid bpf_context access", 2306 .result = REJECT, 2307 }, 2308 { 2309 "check cb access: double, oob 2", 2310 .insns = { 2311 BPF_MOV64_IMM(BPF_REG_0, 0), 2312 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2313 offsetof(struct __sk_buff, cb[4])), 2314 BPF_EXIT_INSN(), 2315 }, 2316 .errstr = "invalid bpf_context access", 2317 .result = REJECT, 2318 }, 2319 { 2320 "check __sk_buff->ifindex dw store not permitted", 2321 .insns = { 2322 BPF_MOV64_IMM(BPF_REG_0, 0), 2323 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 2324 offsetof(struct __sk_buff, ifindex)), 2325 BPF_EXIT_INSN(), 2326 }, 2327 .errstr = "invalid bpf_context access", 2328 .result = REJECT, 2329 }, 2330 { 2331 "check __sk_buff->ifindex dw load not permitted", 2332 .insns = { 2333 BPF_MOV64_IMM(BPF_REG_0, 0), 2334 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2335 offsetof(struct __sk_buff, ifindex)), 2336 BPF_EXIT_INSN(), 2337 }, 2338 .errstr = "invalid bpf_context access", 2339 .result = REJECT, 2340 }, 2341 { 2342 "check cb access: double, wrong type", 2343 .insns = { 2344 BPF_MOV64_IMM(BPF_REG_0, 0), 2345 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 2346 offsetof(struct __sk_buff, cb[0])), 2347 BPF_EXIT_INSN(), 2348 }, 2349 .errstr = "invalid bpf_context access", 2350 .result = REJECT, 2351 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 2352 }, 2353 { 2354 "check out of range skb->cb access", 2355 .insns = { 2356 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 2357 offsetof(struct __sk_buff, cb[0]) + 256), 2358 BPF_EXIT_INSN(), 2359 }, 2360 .errstr = "invalid bpf_context access", 2361 .errstr_unpriv = "", 2362 .result = REJECT, 2363 .prog_type = BPF_PROG_TYPE_SCHED_ACT, 2364 }, 2365 { 2366 "write skb fields from socket prog", 2367 .insns = { 2368 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 2369 offsetof(struct __sk_buff, cb[4])), 2370 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 2371 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 2372 offsetof(struct __sk_buff, mark)), 2373 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 2374 offsetof(struct __sk_buff, tc_index)), 2375 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 2376 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 2377 offsetof(struct __sk_buff, cb[0])), 2378 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 2379 offsetof(struct __sk_buff, cb[2])), 2380 BPF_EXIT_INSN(), 2381 }, 2382 .result = ACCEPT, 2383 .errstr_unpriv = "R1 leaks addr", 2384 .result_unpriv = REJECT, 2385 }, 2386 { 2387 "write skb fields from tc_cls_act prog", 2388 .insns = { 2389 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 2390 offsetof(struct __sk_buff, cb[0])), 2391 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 2392 offsetof(struct __sk_buff, mark)), 2393 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 2394 offsetof(struct __sk_buff, tc_index)), 2395 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 2396 offsetof(struct __sk_buff, tc_index)), 2397 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 2398 offsetof(struct __sk_buff, cb[3])), 2399 BPF_EXIT_INSN(), 2400 }, 2401 .errstr_unpriv = "", 2402 .result_unpriv = REJECT, 2403 .result = ACCEPT, 2404 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2405 }, 2406 { 2407 "PTR_TO_STACK store/load", 2408 .insns = { 2409 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 2410 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10), 2411 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c), 2412 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2), 2413 BPF_EXIT_INSN(), 2414 }, 2415 .result = ACCEPT, 2416 .retval = 0xfaceb00c, 2417 }, 2418 { 2419 "PTR_TO_STACK store/load - bad alignment on off", 2420 .insns = { 2421 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 2422 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 2423 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c), 2424 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2), 2425 BPF_EXIT_INSN(), 2426 }, 2427 .result = REJECT, 2428 .errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8", 2429 }, 2430 { 2431 "PTR_TO_STACK store/load - bad alignment on reg", 2432 .insns = { 2433 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 2434 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10), 2435 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c), 2436 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8), 2437 BPF_EXIT_INSN(), 2438 }, 2439 .result = REJECT, 2440 .errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8", 2441 }, 2442 { 2443 "PTR_TO_STACK store/load - out of bounds low", 2444 .insns = { 2445 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 2446 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000), 2447 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c), 2448 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8), 2449 BPF_EXIT_INSN(), 2450 }, 2451 .result = REJECT, 2452 .errstr = "invalid stack off=-79992 size=8", 2453 }, 2454 { 2455 "PTR_TO_STACK store/load - out of bounds high", 2456 .insns = { 2457 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 2458 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 2459 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c), 2460 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8), 2461 BPF_EXIT_INSN(), 2462 }, 2463 .result = REJECT, 2464 .errstr = "invalid stack off=0 size=8", 2465 }, 2466 { 2467 "unpriv: return pointer", 2468 .insns = { 2469 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10), 2470 BPF_EXIT_INSN(), 2471 }, 2472 .result = ACCEPT, 2473 .result_unpriv = REJECT, 2474 .errstr_unpriv = "R0 leaks addr", 2475 .retval = POINTER_VALUE, 2476 }, 2477 { 2478 "unpriv: add const to pointer", 2479 .insns = { 2480 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 2481 BPF_MOV64_IMM(BPF_REG_0, 0), 2482 BPF_EXIT_INSN(), 2483 }, 2484 .result = ACCEPT, 2485 }, 2486 { 2487 "unpriv: add pointer to pointer", 2488 .insns = { 2489 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10), 2490 BPF_MOV64_IMM(BPF_REG_0, 0), 2491 BPF_EXIT_INSN(), 2492 }, 2493 .result = REJECT, 2494 .errstr = "R1 pointer += pointer", 2495 }, 2496 { 2497 "unpriv: neg pointer", 2498 .insns = { 2499 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0), 2500 BPF_MOV64_IMM(BPF_REG_0, 0), 2501 BPF_EXIT_INSN(), 2502 }, 2503 .result = ACCEPT, 2504 .result_unpriv = REJECT, 2505 .errstr_unpriv = "R1 pointer arithmetic", 2506 }, 2507 { 2508 "unpriv: cmp pointer with const", 2509 .insns = { 2510 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0), 2511 BPF_MOV64_IMM(BPF_REG_0, 0), 2512 BPF_EXIT_INSN(), 2513 }, 2514 .result = ACCEPT, 2515 .result_unpriv = REJECT, 2516 .errstr_unpriv = "R1 pointer comparison", 2517 }, 2518 { 2519 "unpriv: cmp pointer with pointer", 2520 .insns = { 2521 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0), 2522 BPF_MOV64_IMM(BPF_REG_0, 0), 2523 BPF_EXIT_INSN(), 2524 }, 2525 .result = ACCEPT, 2526 .result_unpriv = REJECT, 2527 .errstr_unpriv = "R10 pointer comparison", 2528 }, 2529 { 2530 "unpriv: check that printk is disallowed", 2531 .insns = { 2532 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 2533 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 2534 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 2535 BPF_MOV64_IMM(BPF_REG_2, 8), 2536 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1), 2537 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2538 BPF_FUNC_trace_printk), 2539 BPF_MOV64_IMM(BPF_REG_0, 0), 2540 BPF_EXIT_INSN(), 2541 }, 2542 .errstr_unpriv = "unknown func bpf_trace_printk#6", 2543 .result_unpriv = REJECT, 2544 .result = ACCEPT, 2545 }, 2546 { 2547 "unpriv: pass pointer to helper function", 2548 .insns = { 2549 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 2550 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 2551 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 2552 BPF_LD_MAP_FD(BPF_REG_1, 0), 2553 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), 2554 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 2555 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2556 BPF_FUNC_map_update_elem), 2557 BPF_MOV64_IMM(BPF_REG_0, 0), 2558 BPF_EXIT_INSN(), 2559 }, 2560 .fixup_map1 = { 3 }, 2561 .errstr_unpriv = "R4 leaks addr", 2562 .result_unpriv = REJECT, 2563 .result = ACCEPT, 2564 }, 2565 { 2566 "unpriv: indirectly pass pointer on stack to helper function", 2567 .insns = { 2568 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8), 2569 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 2570 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 2571 BPF_LD_MAP_FD(BPF_REG_1, 0), 2572 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2573 BPF_FUNC_map_lookup_elem), 2574 BPF_MOV64_IMM(BPF_REG_0, 0), 2575 BPF_EXIT_INSN(), 2576 }, 2577 .fixup_map1 = { 3 }, 2578 .errstr = "invalid indirect read from stack off -8+0 size 8", 2579 .result = REJECT, 2580 }, 2581 { 2582 "unpriv: mangle pointer on stack 1", 2583 .insns = { 2584 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8), 2585 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0), 2586 BPF_MOV64_IMM(BPF_REG_0, 0), 2587 BPF_EXIT_INSN(), 2588 }, 2589 .errstr_unpriv = "attempt to corrupt spilled", 2590 .result_unpriv = REJECT, 2591 .result = ACCEPT, 2592 }, 2593 { 2594 "unpriv: mangle pointer on stack 2", 2595 .insns = { 2596 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8), 2597 BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0), 2598 BPF_MOV64_IMM(BPF_REG_0, 0), 2599 BPF_EXIT_INSN(), 2600 }, 2601 .errstr_unpriv = "attempt to corrupt spilled", 2602 .result_unpriv = REJECT, 2603 .result = ACCEPT, 2604 }, 2605 { 2606 "unpriv: read pointer from stack in small chunks", 2607 .insns = { 2608 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8), 2609 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8), 2610 BPF_MOV64_IMM(BPF_REG_0, 0), 2611 BPF_EXIT_INSN(), 2612 }, 2613 .errstr = "invalid size", 2614 .result = REJECT, 2615 }, 2616 { 2617 "unpriv: write pointer into ctx", 2618 .insns = { 2619 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0), 2620 BPF_MOV64_IMM(BPF_REG_0, 0), 2621 BPF_EXIT_INSN(), 2622 }, 2623 .errstr_unpriv = "R1 leaks addr", 2624 .result_unpriv = REJECT, 2625 .errstr = "invalid bpf_context access", 2626 .result = REJECT, 2627 }, 2628 { 2629 "unpriv: spill/fill of ctx", 2630 .insns = { 2631 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2632 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2633 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 2634 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 2635 BPF_MOV64_IMM(BPF_REG_0, 0), 2636 BPF_EXIT_INSN(), 2637 }, 2638 .result = ACCEPT, 2639 }, 2640 { 2641 "unpriv: spill/fill of ctx 2", 2642 .insns = { 2643 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2644 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2645 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 2646 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 2647 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2648 BPF_FUNC_get_hash_recalc), 2649 BPF_MOV64_IMM(BPF_REG_0, 0), 2650 BPF_EXIT_INSN(), 2651 }, 2652 .result = ACCEPT, 2653 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2654 }, 2655 { 2656 "unpriv: spill/fill of ctx 3", 2657 .insns = { 2658 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2659 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2660 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 2661 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0), 2662 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 2663 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2664 BPF_FUNC_get_hash_recalc), 2665 BPF_EXIT_INSN(), 2666 }, 2667 .result = REJECT, 2668 .errstr = "R1 type=fp expected=ctx", 2669 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2670 }, 2671 { 2672 "unpriv: spill/fill of ctx 4", 2673 .insns = { 2674 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2675 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2676 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 2677 BPF_MOV64_IMM(BPF_REG_0, 1), 2678 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10, 2679 BPF_REG_0, -8, 0), 2680 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 2681 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2682 BPF_FUNC_get_hash_recalc), 2683 BPF_EXIT_INSN(), 2684 }, 2685 .result = REJECT, 2686 .errstr = "R1 type=inv expected=ctx", 2687 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2688 }, 2689 { 2690 "unpriv: spill/fill of different pointers stx", 2691 .insns = { 2692 BPF_MOV64_IMM(BPF_REG_3, 42), 2693 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2694 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2695 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3), 2696 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 2697 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16), 2698 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0), 2699 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), 2700 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 2701 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 2702 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3, 2703 offsetof(struct __sk_buff, mark)), 2704 BPF_MOV64_IMM(BPF_REG_0, 0), 2705 BPF_EXIT_INSN(), 2706 }, 2707 .result = REJECT, 2708 .errstr = "same insn cannot be used with different pointers", 2709 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2710 }, 2711 { 2712 "unpriv: spill/fill of different pointers ldx", 2713 .insns = { 2714 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2715 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2716 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3), 2717 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 2718 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 2719 -(__s32)offsetof(struct bpf_perf_event_data, 2720 sample_period) - 8), 2721 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0), 2722 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), 2723 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 2724 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0), 2725 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 2726 offsetof(struct bpf_perf_event_data, 2727 sample_period)), 2728 BPF_MOV64_IMM(BPF_REG_0, 0), 2729 BPF_EXIT_INSN(), 2730 }, 2731 .result = REJECT, 2732 .errstr = "same insn cannot be used with different pointers", 2733 .prog_type = BPF_PROG_TYPE_PERF_EVENT, 2734 }, 2735 { 2736 "unpriv: write pointer into map elem value", 2737 .insns = { 2738 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 2739 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 2740 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 2741 BPF_LD_MAP_FD(BPF_REG_1, 0), 2742 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2743 BPF_FUNC_map_lookup_elem), 2744 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 2745 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), 2746 BPF_EXIT_INSN(), 2747 }, 2748 .fixup_map1 = { 3 }, 2749 .errstr_unpriv = "R0 leaks addr", 2750 .result_unpriv = REJECT, 2751 .result = ACCEPT, 2752 }, 2753 { 2754 "unpriv: partial copy of pointer", 2755 .insns = { 2756 BPF_MOV32_REG(BPF_REG_1, BPF_REG_10), 2757 BPF_MOV64_IMM(BPF_REG_0, 0), 2758 BPF_EXIT_INSN(), 2759 }, 2760 .errstr_unpriv = "R10 partial copy", 2761 .result_unpriv = REJECT, 2762 .result = ACCEPT, 2763 }, 2764 { 2765 "unpriv: pass pointer to tail_call", 2766 .insns = { 2767 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1), 2768 BPF_LD_MAP_FD(BPF_REG_2, 0), 2769 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2770 BPF_FUNC_tail_call), 2771 BPF_MOV64_IMM(BPF_REG_0, 0), 2772 BPF_EXIT_INSN(), 2773 }, 2774 .fixup_prog1 = { 1 }, 2775 .errstr_unpriv = "R3 leaks addr into helper", 2776 .result_unpriv = REJECT, 2777 .result = ACCEPT, 2778 }, 2779 { 2780 "unpriv: cmp map pointer with zero", 2781 .insns = { 2782 BPF_MOV64_IMM(BPF_REG_1, 0), 2783 BPF_LD_MAP_FD(BPF_REG_1, 0), 2784 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0), 2785 BPF_MOV64_IMM(BPF_REG_0, 0), 2786 BPF_EXIT_INSN(), 2787 }, 2788 .fixup_map1 = { 1 }, 2789 .errstr_unpriv = "R1 pointer comparison", 2790 .result_unpriv = REJECT, 2791 .result = ACCEPT, 2792 }, 2793 { 2794 "unpriv: write into frame pointer", 2795 .insns = { 2796 BPF_MOV64_REG(BPF_REG_10, BPF_REG_1), 2797 BPF_MOV64_IMM(BPF_REG_0, 0), 2798 BPF_EXIT_INSN(), 2799 }, 2800 .errstr = "frame pointer is read only", 2801 .result = REJECT, 2802 }, 2803 { 2804 "unpriv: spill/fill frame pointer", 2805 .insns = { 2806 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2807 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2808 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0), 2809 BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0), 2810 BPF_MOV64_IMM(BPF_REG_0, 0), 2811 BPF_EXIT_INSN(), 2812 }, 2813 .errstr = "frame pointer is read only", 2814 .result = REJECT, 2815 }, 2816 { 2817 "unpriv: cmp of frame pointer", 2818 .insns = { 2819 BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0), 2820 BPF_MOV64_IMM(BPF_REG_0, 0), 2821 BPF_EXIT_INSN(), 2822 }, 2823 .errstr_unpriv = "R10 pointer comparison", 2824 .result_unpriv = REJECT, 2825 .result = ACCEPT, 2826 }, 2827 { 2828 "unpriv: adding of fp", 2829 .insns = { 2830 BPF_MOV64_IMM(BPF_REG_0, 0), 2831 BPF_MOV64_IMM(BPF_REG_1, 0), 2832 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10), 2833 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8), 2834 BPF_EXIT_INSN(), 2835 }, 2836 .result = ACCEPT, 2837 }, 2838 { 2839 "unpriv: cmp of stack pointer", 2840 .insns = { 2841 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 2842 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 2843 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0), 2844 BPF_MOV64_IMM(BPF_REG_0, 0), 2845 BPF_EXIT_INSN(), 2846 }, 2847 .errstr_unpriv = "R2 pointer comparison", 2848 .result_unpriv = REJECT, 2849 .result = ACCEPT, 2850 }, 2851 { 2852 "runtime/jit: tail_call within bounds, prog once", 2853 .insns = { 2854 BPF_MOV64_IMM(BPF_REG_3, 0), 2855 BPF_LD_MAP_FD(BPF_REG_2, 0), 2856 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2857 BPF_FUNC_tail_call), 2858 BPF_MOV64_IMM(BPF_REG_0, 1), 2859 BPF_EXIT_INSN(), 2860 }, 2861 .fixup_prog1 = { 1 }, 2862 .result = ACCEPT, 2863 .retval = 42, 2864 }, 2865 { 2866 "runtime/jit: tail_call within bounds, prog loop", 2867 .insns = { 2868 BPF_MOV64_IMM(BPF_REG_3, 1), 2869 BPF_LD_MAP_FD(BPF_REG_2, 0), 2870 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2871 BPF_FUNC_tail_call), 2872 BPF_MOV64_IMM(BPF_REG_0, 1), 2873 BPF_EXIT_INSN(), 2874 }, 2875 .fixup_prog1 = { 1 }, 2876 .result = ACCEPT, 2877 .retval = 41, 2878 }, 2879 { 2880 "runtime/jit: tail_call within bounds, no prog", 2881 .insns = { 2882 BPF_MOV64_IMM(BPF_REG_3, 2), 2883 BPF_LD_MAP_FD(BPF_REG_2, 0), 2884 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2885 BPF_FUNC_tail_call), 2886 BPF_MOV64_IMM(BPF_REG_0, 1), 2887 BPF_EXIT_INSN(), 2888 }, 2889 .fixup_prog1 = { 1 }, 2890 .result = ACCEPT, 2891 .retval = 1, 2892 }, 2893 { 2894 "runtime/jit: tail_call out of bounds", 2895 .insns = { 2896 BPF_MOV64_IMM(BPF_REG_3, 256), 2897 BPF_LD_MAP_FD(BPF_REG_2, 0), 2898 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2899 BPF_FUNC_tail_call), 2900 BPF_MOV64_IMM(BPF_REG_0, 2), 2901 BPF_EXIT_INSN(), 2902 }, 2903 .fixup_prog1 = { 1 }, 2904 .result = ACCEPT, 2905 .retval = 2, 2906 }, 2907 { 2908 "runtime/jit: pass negative index to tail_call", 2909 .insns = { 2910 BPF_MOV64_IMM(BPF_REG_3, -1), 2911 BPF_LD_MAP_FD(BPF_REG_2, 0), 2912 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2913 BPF_FUNC_tail_call), 2914 BPF_MOV64_IMM(BPF_REG_0, 2), 2915 BPF_EXIT_INSN(), 2916 }, 2917 .fixup_prog1 = { 1 }, 2918 .result = ACCEPT, 2919 .retval = 2, 2920 }, 2921 { 2922 "runtime/jit: pass > 32bit index to tail_call", 2923 .insns = { 2924 BPF_LD_IMM64(BPF_REG_3, 0x100000000ULL), 2925 BPF_LD_MAP_FD(BPF_REG_2, 0), 2926 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2927 BPF_FUNC_tail_call), 2928 BPF_MOV64_IMM(BPF_REG_0, 2), 2929 BPF_EXIT_INSN(), 2930 }, 2931 .fixup_prog1 = { 2 }, 2932 .result = ACCEPT, 2933 .retval = 42, 2934 }, 2935 { 2936 "stack pointer arithmetic", 2937 .insns = { 2938 BPF_MOV64_IMM(BPF_REG_1, 4), 2939 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 2940 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10), 2941 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10), 2942 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10), 2943 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), 2944 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1), 2945 BPF_ST_MEM(0, BPF_REG_2, 4, 0), 2946 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), 2947 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8), 2948 BPF_ST_MEM(0, BPF_REG_2, 4, 0), 2949 BPF_MOV64_IMM(BPF_REG_0, 0), 2950 BPF_EXIT_INSN(), 2951 }, 2952 .result = ACCEPT, 2953 }, 2954 { 2955 "raw_stack: no skb_load_bytes", 2956 .insns = { 2957 BPF_MOV64_IMM(BPF_REG_2, 4), 2958 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2959 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2960 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2961 BPF_MOV64_IMM(BPF_REG_4, 8), 2962 /* Call to skb_load_bytes() omitted. */ 2963 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2964 BPF_EXIT_INSN(), 2965 }, 2966 .result = REJECT, 2967 .errstr = "invalid read from stack off -8+0 size 8", 2968 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2969 }, 2970 { 2971 "raw_stack: skb_load_bytes, negative len", 2972 .insns = { 2973 BPF_MOV64_IMM(BPF_REG_2, 4), 2974 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2975 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2976 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2977 BPF_MOV64_IMM(BPF_REG_4, -8), 2978 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2979 BPF_FUNC_skb_load_bytes), 2980 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2981 BPF_EXIT_INSN(), 2982 }, 2983 .result = REJECT, 2984 .errstr = "R4 min value is negative", 2985 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 2986 }, 2987 { 2988 "raw_stack: skb_load_bytes, negative len 2", 2989 .insns = { 2990 BPF_MOV64_IMM(BPF_REG_2, 4), 2991 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 2992 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 2993 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 2994 BPF_MOV64_IMM(BPF_REG_4, ~0), 2995 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 2996 BPF_FUNC_skb_load_bytes), 2997 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 2998 BPF_EXIT_INSN(), 2999 }, 3000 .result = REJECT, 3001 .errstr = "R4 min value is negative", 3002 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3003 }, 3004 { 3005 "raw_stack: skb_load_bytes, zero len", 3006 .insns = { 3007 BPF_MOV64_IMM(BPF_REG_2, 4), 3008 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 3009 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 3010 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 3011 BPF_MOV64_IMM(BPF_REG_4, 0), 3012 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3013 BPF_FUNC_skb_load_bytes), 3014 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 3015 BPF_EXIT_INSN(), 3016 }, 3017 .result = REJECT, 3018 .errstr = "invalid stack type R3", 3019 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3020 }, 3021 { 3022 "raw_stack: skb_load_bytes, no init", 3023 .insns = { 3024 BPF_MOV64_IMM(BPF_REG_2, 4), 3025 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 3026 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 3027 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 3028 BPF_MOV64_IMM(BPF_REG_4, 8), 3029 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3030 BPF_FUNC_skb_load_bytes), 3031 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 3032 BPF_EXIT_INSN(), 3033 }, 3034 .result = ACCEPT, 3035 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3036 }, 3037 { 3038 "raw_stack: skb_load_bytes, init", 3039 .insns = { 3040 BPF_MOV64_IMM(BPF_REG_2, 4), 3041 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 3042 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 3043 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe), 3044 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 3045 BPF_MOV64_IMM(BPF_REG_4, 8), 3046 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3047 BPF_FUNC_skb_load_bytes), 3048 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 3049 BPF_EXIT_INSN(), 3050 }, 3051 .result = ACCEPT, 3052 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3053 }, 3054 { 3055 "raw_stack: skb_load_bytes, spilled regs around bounds", 3056 .insns = { 3057 BPF_MOV64_IMM(BPF_REG_2, 4), 3058 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 3059 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16), 3060 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8), 3061 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8), 3062 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 3063 BPF_MOV64_IMM(BPF_REG_4, 8), 3064 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3065 BPF_FUNC_skb_load_bytes), 3066 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8), 3067 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8), 3068 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 3069 offsetof(struct __sk_buff, mark)), 3070 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2, 3071 offsetof(struct __sk_buff, priority)), 3072 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 3073 BPF_EXIT_INSN(), 3074 }, 3075 .result = ACCEPT, 3076 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3077 }, 3078 { 3079 "raw_stack: skb_load_bytes, spilled regs corruption", 3080 .insns = { 3081 BPF_MOV64_IMM(BPF_REG_2, 4), 3082 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 3083 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8), 3084 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 3085 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 3086 BPF_MOV64_IMM(BPF_REG_4, 8), 3087 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3088 BPF_FUNC_skb_load_bytes), 3089 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 3090 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 3091 offsetof(struct __sk_buff, mark)), 3092 BPF_EXIT_INSN(), 3093 }, 3094 .result = REJECT, 3095 .errstr = "R0 invalid mem access 'inv'", 3096 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3097 }, 3098 { 3099 "raw_stack: skb_load_bytes, spilled regs corruption 2", 3100 .insns = { 3101 BPF_MOV64_IMM(BPF_REG_2, 4), 3102 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 3103 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16), 3104 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8), 3105 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 3106 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8), 3107 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 3108 BPF_MOV64_IMM(BPF_REG_4, 8), 3109 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3110 BPF_FUNC_skb_load_bytes), 3111 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8), 3112 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8), 3113 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0), 3114 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 3115 offsetof(struct __sk_buff, mark)), 3116 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2, 3117 offsetof(struct __sk_buff, priority)), 3118 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 3119 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3, 3120 offsetof(struct __sk_buff, pkt_type)), 3121 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3), 3122 BPF_EXIT_INSN(), 3123 }, 3124 .result = REJECT, 3125 .errstr = "R3 invalid mem access 'inv'", 3126 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3127 }, 3128 { 3129 "raw_stack: skb_load_bytes, spilled regs + data", 3130 .insns = { 3131 BPF_MOV64_IMM(BPF_REG_2, 4), 3132 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 3133 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16), 3134 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8), 3135 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), 3136 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8), 3137 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 3138 BPF_MOV64_IMM(BPF_REG_4, 8), 3139 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3140 BPF_FUNC_skb_load_bytes), 3141 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8), 3142 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8), 3143 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0), 3144 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 3145 offsetof(struct __sk_buff, mark)), 3146 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2, 3147 offsetof(struct __sk_buff, priority)), 3148 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 3149 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3), 3150 BPF_EXIT_INSN(), 3151 }, 3152 .result = ACCEPT, 3153 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3154 }, 3155 { 3156 "raw_stack: skb_load_bytes, invalid access 1", 3157 .insns = { 3158 BPF_MOV64_IMM(BPF_REG_2, 4), 3159 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 3160 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513), 3161 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 3162 BPF_MOV64_IMM(BPF_REG_4, 8), 3163 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3164 BPF_FUNC_skb_load_bytes), 3165 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 3166 BPF_EXIT_INSN(), 3167 }, 3168 .result = REJECT, 3169 .errstr = "invalid stack type R3 off=-513 access_size=8", 3170 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3171 }, 3172 { 3173 "raw_stack: skb_load_bytes, invalid access 2", 3174 .insns = { 3175 BPF_MOV64_IMM(BPF_REG_2, 4), 3176 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 3177 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1), 3178 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 3179 BPF_MOV64_IMM(BPF_REG_4, 8), 3180 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3181 BPF_FUNC_skb_load_bytes), 3182 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 3183 BPF_EXIT_INSN(), 3184 }, 3185 .result = REJECT, 3186 .errstr = "invalid stack type R3 off=-1 access_size=8", 3187 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3188 }, 3189 { 3190 "raw_stack: skb_load_bytes, invalid access 3", 3191 .insns = { 3192 BPF_MOV64_IMM(BPF_REG_2, 4), 3193 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 3194 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff), 3195 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 3196 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff), 3197 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3198 BPF_FUNC_skb_load_bytes), 3199 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 3200 BPF_EXIT_INSN(), 3201 }, 3202 .result = REJECT, 3203 .errstr = "R4 min value is negative", 3204 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3205 }, 3206 { 3207 "raw_stack: skb_load_bytes, invalid access 4", 3208 .insns = { 3209 BPF_MOV64_IMM(BPF_REG_2, 4), 3210 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 3211 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1), 3212 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 3213 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff), 3214 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3215 BPF_FUNC_skb_load_bytes), 3216 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 3217 BPF_EXIT_INSN(), 3218 }, 3219 .result = REJECT, 3220 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'", 3221 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3222 }, 3223 { 3224 "raw_stack: skb_load_bytes, invalid access 5", 3225 .insns = { 3226 BPF_MOV64_IMM(BPF_REG_2, 4), 3227 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 3228 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512), 3229 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 3230 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff), 3231 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3232 BPF_FUNC_skb_load_bytes), 3233 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 3234 BPF_EXIT_INSN(), 3235 }, 3236 .result = REJECT, 3237 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'", 3238 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3239 }, 3240 { 3241 "raw_stack: skb_load_bytes, invalid access 6", 3242 .insns = { 3243 BPF_MOV64_IMM(BPF_REG_2, 4), 3244 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 3245 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512), 3246 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 3247 BPF_MOV64_IMM(BPF_REG_4, 0), 3248 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3249 BPF_FUNC_skb_load_bytes), 3250 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 3251 BPF_EXIT_INSN(), 3252 }, 3253 .result = REJECT, 3254 .errstr = "invalid stack type R3 off=-512 access_size=0", 3255 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3256 }, 3257 { 3258 "raw_stack: skb_load_bytes, large access", 3259 .insns = { 3260 BPF_MOV64_IMM(BPF_REG_2, 4), 3261 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10), 3262 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512), 3263 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 3264 BPF_MOV64_IMM(BPF_REG_4, 512), 3265 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3266 BPF_FUNC_skb_load_bytes), 3267 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 3268 BPF_EXIT_INSN(), 3269 }, 3270 .result = ACCEPT, 3271 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3272 }, 3273 { 3274 "context stores via ST", 3275 .insns = { 3276 BPF_MOV64_IMM(BPF_REG_0, 0), 3277 BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0), 3278 BPF_EXIT_INSN(), 3279 }, 3280 .errstr = "BPF_ST stores into R1 context is not allowed", 3281 .result = REJECT, 3282 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3283 }, 3284 { 3285 "context stores via XADD", 3286 .insns = { 3287 BPF_MOV64_IMM(BPF_REG_0, 0), 3288 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1, 3289 BPF_REG_0, offsetof(struct __sk_buff, mark), 0), 3290 BPF_EXIT_INSN(), 3291 }, 3292 .errstr = "BPF_XADD stores into R1 context is not allowed", 3293 .result = REJECT, 3294 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3295 }, 3296 { 3297 "direct packet access: test1", 3298 .insns = { 3299 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3300 offsetof(struct __sk_buff, data)), 3301 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3302 offsetof(struct __sk_buff, data_end)), 3303 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3304 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3305 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3306 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 3307 BPF_MOV64_IMM(BPF_REG_0, 0), 3308 BPF_EXIT_INSN(), 3309 }, 3310 .result = ACCEPT, 3311 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3312 }, 3313 { 3314 "direct packet access: test2", 3315 .insns = { 3316 BPF_MOV64_IMM(BPF_REG_0, 1), 3317 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, 3318 offsetof(struct __sk_buff, data_end)), 3319 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3320 offsetof(struct __sk_buff, data)), 3321 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3), 3322 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14), 3323 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15), 3324 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7), 3325 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12), 3326 BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14), 3327 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3328 offsetof(struct __sk_buff, data)), 3329 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4), 3330 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3331 offsetof(struct __sk_buff, len)), 3332 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49), 3333 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49), 3334 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2), 3335 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3), 3336 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8), 3337 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 3338 offsetof(struct __sk_buff, data_end)), 3339 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1), 3340 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4), 3341 BPF_MOV64_IMM(BPF_REG_0, 0), 3342 BPF_EXIT_INSN(), 3343 }, 3344 .result = ACCEPT, 3345 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3346 }, 3347 { 3348 "direct packet access: test3", 3349 .insns = { 3350 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3351 offsetof(struct __sk_buff, data)), 3352 BPF_MOV64_IMM(BPF_REG_0, 0), 3353 BPF_EXIT_INSN(), 3354 }, 3355 .errstr = "invalid bpf_context access off=76", 3356 .result = REJECT, 3357 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, 3358 }, 3359 { 3360 "direct packet access: test4 (write)", 3361 .insns = { 3362 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3363 offsetof(struct __sk_buff, data)), 3364 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3365 offsetof(struct __sk_buff, data_end)), 3366 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3367 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3368 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3369 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 3370 BPF_MOV64_IMM(BPF_REG_0, 0), 3371 BPF_EXIT_INSN(), 3372 }, 3373 .result = ACCEPT, 3374 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3375 }, 3376 { 3377 "direct packet access: test5 (pkt_end >= reg, good access)", 3378 .insns = { 3379 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3380 offsetof(struct __sk_buff, data)), 3381 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3382 offsetof(struct __sk_buff, data_end)), 3383 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3384 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3385 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2), 3386 BPF_MOV64_IMM(BPF_REG_0, 1), 3387 BPF_EXIT_INSN(), 3388 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 3389 BPF_MOV64_IMM(BPF_REG_0, 0), 3390 BPF_EXIT_INSN(), 3391 }, 3392 .result = ACCEPT, 3393 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3394 }, 3395 { 3396 "direct packet access: test6 (pkt_end >= reg, bad access)", 3397 .insns = { 3398 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3399 offsetof(struct __sk_buff, data)), 3400 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3401 offsetof(struct __sk_buff, data_end)), 3402 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3403 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3404 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3), 3405 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 3406 BPF_MOV64_IMM(BPF_REG_0, 1), 3407 BPF_EXIT_INSN(), 3408 BPF_MOV64_IMM(BPF_REG_0, 0), 3409 BPF_EXIT_INSN(), 3410 }, 3411 .errstr = "invalid access to packet", 3412 .result = REJECT, 3413 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3414 }, 3415 { 3416 "direct packet access: test7 (pkt_end >= reg, both accesses)", 3417 .insns = { 3418 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3419 offsetof(struct __sk_buff, data)), 3420 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3421 offsetof(struct __sk_buff, data_end)), 3422 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3423 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3424 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3), 3425 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 3426 BPF_MOV64_IMM(BPF_REG_0, 1), 3427 BPF_EXIT_INSN(), 3428 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 3429 BPF_MOV64_IMM(BPF_REG_0, 0), 3430 BPF_EXIT_INSN(), 3431 }, 3432 .errstr = "invalid access to packet", 3433 .result = REJECT, 3434 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3435 }, 3436 { 3437 "direct packet access: test8 (double test, variant 1)", 3438 .insns = { 3439 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3440 offsetof(struct __sk_buff, data)), 3441 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3442 offsetof(struct __sk_buff, data_end)), 3443 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3444 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3445 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4), 3446 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3447 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 3448 BPF_MOV64_IMM(BPF_REG_0, 1), 3449 BPF_EXIT_INSN(), 3450 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 3451 BPF_MOV64_IMM(BPF_REG_0, 0), 3452 BPF_EXIT_INSN(), 3453 }, 3454 .result = ACCEPT, 3455 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3456 }, 3457 { 3458 "direct packet access: test9 (double test, variant 2)", 3459 .insns = { 3460 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3461 offsetof(struct __sk_buff, data)), 3462 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3463 offsetof(struct __sk_buff, data_end)), 3464 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3465 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3466 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2), 3467 BPF_MOV64_IMM(BPF_REG_0, 1), 3468 BPF_EXIT_INSN(), 3469 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3470 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 3471 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 3472 BPF_MOV64_IMM(BPF_REG_0, 0), 3473 BPF_EXIT_INSN(), 3474 }, 3475 .result = ACCEPT, 3476 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3477 }, 3478 { 3479 "direct packet access: test10 (write invalid)", 3480 .insns = { 3481 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3482 offsetof(struct __sk_buff, data)), 3483 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3484 offsetof(struct __sk_buff, data_end)), 3485 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3486 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3487 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2), 3488 BPF_MOV64_IMM(BPF_REG_0, 0), 3489 BPF_EXIT_INSN(), 3490 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 3491 BPF_MOV64_IMM(BPF_REG_0, 0), 3492 BPF_EXIT_INSN(), 3493 }, 3494 .errstr = "invalid access to packet", 3495 .result = REJECT, 3496 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3497 }, 3498 { 3499 "direct packet access: test11 (shift, good access)", 3500 .insns = { 3501 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3502 offsetof(struct __sk_buff, data)), 3503 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3504 offsetof(struct __sk_buff, data_end)), 3505 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3506 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22), 3507 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8), 3508 BPF_MOV64_IMM(BPF_REG_3, 144), 3509 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3), 3510 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23), 3511 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3), 3512 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2), 3513 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5), 3514 BPF_MOV64_IMM(BPF_REG_0, 1), 3515 BPF_EXIT_INSN(), 3516 BPF_MOV64_IMM(BPF_REG_0, 0), 3517 BPF_EXIT_INSN(), 3518 }, 3519 .result = ACCEPT, 3520 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3521 .retval = 1, 3522 }, 3523 { 3524 "direct packet access: test12 (and, good access)", 3525 .insns = { 3526 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3527 offsetof(struct __sk_buff, data)), 3528 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3529 offsetof(struct __sk_buff, data_end)), 3530 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3531 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22), 3532 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8), 3533 BPF_MOV64_IMM(BPF_REG_3, 144), 3534 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3), 3535 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23), 3536 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15), 3537 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2), 3538 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5), 3539 BPF_MOV64_IMM(BPF_REG_0, 1), 3540 BPF_EXIT_INSN(), 3541 BPF_MOV64_IMM(BPF_REG_0, 0), 3542 BPF_EXIT_INSN(), 3543 }, 3544 .result = ACCEPT, 3545 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3546 .retval = 1, 3547 }, 3548 { 3549 "direct packet access: test13 (branches, good access)", 3550 .insns = { 3551 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3552 offsetof(struct __sk_buff, data)), 3553 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3554 offsetof(struct __sk_buff, data_end)), 3555 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3556 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22), 3557 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13), 3558 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3559 offsetof(struct __sk_buff, mark)), 3560 BPF_MOV64_IMM(BPF_REG_4, 1), 3561 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2), 3562 BPF_MOV64_IMM(BPF_REG_3, 14), 3563 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 3564 BPF_MOV64_IMM(BPF_REG_3, 24), 3565 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3), 3566 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23), 3567 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15), 3568 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2), 3569 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5), 3570 BPF_MOV64_IMM(BPF_REG_0, 1), 3571 BPF_EXIT_INSN(), 3572 BPF_MOV64_IMM(BPF_REG_0, 0), 3573 BPF_EXIT_INSN(), 3574 }, 3575 .result = ACCEPT, 3576 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3577 .retval = 1, 3578 }, 3579 { 3580 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)", 3581 .insns = { 3582 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3583 offsetof(struct __sk_buff, data)), 3584 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3585 offsetof(struct __sk_buff, data_end)), 3586 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3587 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22), 3588 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7), 3589 BPF_MOV64_IMM(BPF_REG_5, 12), 3590 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4), 3591 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2), 3592 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5), 3593 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0), 3594 BPF_MOV64_IMM(BPF_REG_0, 1), 3595 BPF_EXIT_INSN(), 3596 BPF_MOV64_IMM(BPF_REG_0, 0), 3597 BPF_EXIT_INSN(), 3598 }, 3599 .result = ACCEPT, 3600 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3601 .retval = 1, 3602 }, 3603 { 3604 "direct packet access: test15 (spill with xadd)", 3605 .insns = { 3606 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3607 offsetof(struct __sk_buff, data)), 3608 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3609 offsetof(struct __sk_buff, data_end)), 3610 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3611 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3612 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8), 3613 BPF_MOV64_IMM(BPF_REG_5, 4096), 3614 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10), 3615 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8), 3616 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0), 3617 BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0), 3618 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0), 3619 BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0), 3620 BPF_MOV64_IMM(BPF_REG_0, 0), 3621 BPF_EXIT_INSN(), 3622 }, 3623 .errstr = "R2 invalid mem access 'inv'", 3624 .result = REJECT, 3625 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3626 }, 3627 { 3628 "direct packet access: test16 (arith on data_end)", 3629 .insns = { 3630 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3631 offsetof(struct __sk_buff, data)), 3632 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3633 offsetof(struct __sk_buff, data_end)), 3634 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3635 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3636 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16), 3637 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3638 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 3639 BPF_MOV64_IMM(BPF_REG_0, 0), 3640 BPF_EXIT_INSN(), 3641 }, 3642 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END", 3643 .result = REJECT, 3644 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3645 }, 3646 { 3647 "direct packet access: test17 (pruning, alignment)", 3648 .insns = { 3649 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3650 offsetof(struct __sk_buff, data)), 3651 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3652 offsetof(struct __sk_buff, data_end)), 3653 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 3654 offsetof(struct __sk_buff, mark)), 3655 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3656 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14), 3657 BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4), 3658 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3659 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4), 3660 BPF_MOV64_IMM(BPF_REG_0, 0), 3661 BPF_EXIT_INSN(), 3662 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1), 3663 BPF_JMP_A(-6), 3664 }, 3665 .errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4", 3666 .result = REJECT, 3667 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3668 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 3669 }, 3670 { 3671 "direct packet access: test18 (imm += pkt_ptr, 1)", 3672 .insns = { 3673 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3674 offsetof(struct __sk_buff, data)), 3675 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3676 offsetof(struct __sk_buff, data_end)), 3677 BPF_MOV64_IMM(BPF_REG_0, 8), 3678 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 3679 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3680 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 3681 BPF_MOV64_IMM(BPF_REG_0, 0), 3682 BPF_EXIT_INSN(), 3683 }, 3684 .result = ACCEPT, 3685 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3686 }, 3687 { 3688 "direct packet access: test19 (imm += pkt_ptr, 2)", 3689 .insns = { 3690 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3691 offsetof(struct __sk_buff, data)), 3692 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3693 offsetof(struct __sk_buff, data_end)), 3694 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3695 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3696 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3), 3697 BPF_MOV64_IMM(BPF_REG_4, 4), 3698 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2), 3699 BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0), 3700 BPF_MOV64_IMM(BPF_REG_0, 0), 3701 BPF_EXIT_INSN(), 3702 }, 3703 .result = ACCEPT, 3704 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3705 }, 3706 { 3707 "direct packet access: test20 (x += pkt_ptr, 1)", 3708 .insns = { 3709 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3710 offsetof(struct __sk_buff, data)), 3711 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3712 offsetof(struct __sk_buff, data_end)), 3713 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff), 3714 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 3715 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8), 3716 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff), 3717 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3718 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2), 3719 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4), 3720 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1), 3721 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1), 3722 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0), 3723 BPF_MOV64_IMM(BPF_REG_0, 0), 3724 BPF_EXIT_INSN(), 3725 }, 3726 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3727 .result = ACCEPT, 3728 }, 3729 { 3730 "direct packet access: test21 (x += pkt_ptr, 2)", 3731 .insns = { 3732 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3733 offsetof(struct __sk_buff, data)), 3734 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3735 offsetof(struct __sk_buff, data_end)), 3736 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3737 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3738 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9), 3739 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff), 3740 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8), 3741 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8), 3742 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff), 3743 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2), 3744 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4), 3745 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1), 3746 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1), 3747 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0), 3748 BPF_MOV64_IMM(BPF_REG_0, 0), 3749 BPF_EXIT_INSN(), 3750 }, 3751 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3752 .result = ACCEPT, 3753 }, 3754 { 3755 "direct packet access: test22 (x += pkt_ptr, 3)", 3756 .insns = { 3757 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3758 offsetof(struct __sk_buff, data)), 3759 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3760 offsetof(struct __sk_buff, data_end)), 3761 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3762 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3763 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8), 3764 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16), 3765 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16), 3766 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11), 3767 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8), 3768 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff), 3769 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8), 3770 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8), 3771 BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49), 3772 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2), 3773 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4), 3774 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2), 3775 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2), 3776 BPF_MOV64_IMM(BPF_REG_2, 1), 3777 BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0), 3778 BPF_MOV64_IMM(BPF_REG_0, 0), 3779 BPF_EXIT_INSN(), 3780 }, 3781 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3782 .result = ACCEPT, 3783 }, 3784 { 3785 "direct packet access: test23 (x += pkt_ptr, 4)", 3786 .insns = { 3787 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3788 offsetof(struct __sk_buff, data)), 3789 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3790 offsetof(struct __sk_buff, data_end)), 3791 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff), 3792 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 3793 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8), 3794 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff), 3795 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3796 BPF_MOV64_IMM(BPF_REG_0, 31), 3797 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4), 3798 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 3799 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0), 3800 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1), 3801 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3802 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0), 3803 BPF_MOV64_IMM(BPF_REG_0, 0), 3804 BPF_EXIT_INSN(), 3805 }, 3806 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3807 .result = REJECT, 3808 .errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)", 3809 }, 3810 { 3811 "direct packet access: test24 (x += pkt_ptr, 5)", 3812 .insns = { 3813 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3814 offsetof(struct __sk_buff, data)), 3815 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3816 offsetof(struct __sk_buff, data_end)), 3817 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff), 3818 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 3819 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8), 3820 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff), 3821 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 3822 BPF_MOV64_IMM(BPF_REG_0, 64), 3823 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4), 3824 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 3825 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0), 3826 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1), 3827 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 3828 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0), 3829 BPF_MOV64_IMM(BPF_REG_0, 0), 3830 BPF_EXIT_INSN(), 3831 }, 3832 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3833 .result = ACCEPT, 3834 }, 3835 { 3836 "direct packet access: test25 (marking on <, good access)", 3837 .insns = { 3838 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3839 offsetof(struct __sk_buff, data)), 3840 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3841 offsetof(struct __sk_buff, data_end)), 3842 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3843 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3844 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2), 3845 BPF_MOV64_IMM(BPF_REG_0, 0), 3846 BPF_EXIT_INSN(), 3847 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 3848 BPF_JMP_IMM(BPF_JA, 0, 0, -4), 3849 }, 3850 .result = ACCEPT, 3851 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3852 }, 3853 { 3854 "direct packet access: test26 (marking on <, bad access)", 3855 .insns = { 3856 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3857 offsetof(struct __sk_buff, data)), 3858 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3859 offsetof(struct __sk_buff, data_end)), 3860 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3861 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3862 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3), 3863 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 3864 BPF_MOV64_IMM(BPF_REG_0, 0), 3865 BPF_EXIT_INSN(), 3866 BPF_JMP_IMM(BPF_JA, 0, 0, -3), 3867 }, 3868 .result = REJECT, 3869 .errstr = "invalid access to packet", 3870 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3871 }, 3872 { 3873 "direct packet access: test27 (marking on <=, good access)", 3874 .insns = { 3875 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3876 offsetof(struct __sk_buff, data)), 3877 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3878 offsetof(struct __sk_buff, data_end)), 3879 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3880 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3881 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1), 3882 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 3883 BPF_MOV64_IMM(BPF_REG_0, 1), 3884 BPF_EXIT_INSN(), 3885 }, 3886 .result = ACCEPT, 3887 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3888 .retval = 1, 3889 }, 3890 { 3891 "direct packet access: test28 (marking on <=, bad access)", 3892 .insns = { 3893 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3894 offsetof(struct __sk_buff, data)), 3895 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3896 offsetof(struct __sk_buff, data_end)), 3897 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 3898 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 3899 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2), 3900 BPF_MOV64_IMM(BPF_REG_0, 1), 3901 BPF_EXIT_INSN(), 3902 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 3903 BPF_JMP_IMM(BPF_JA, 0, 0, -4), 3904 }, 3905 .result = REJECT, 3906 .errstr = "invalid access to packet", 3907 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 3908 }, 3909 { 3910 "helper access to packet: test1, valid packet_ptr range", 3911 .insns = { 3912 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3913 offsetof(struct xdp_md, data)), 3914 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3915 offsetof(struct xdp_md, data_end)), 3916 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 3917 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 3918 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5), 3919 BPF_LD_MAP_FD(BPF_REG_1, 0), 3920 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), 3921 BPF_MOV64_IMM(BPF_REG_4, 0), 3922 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3923 BPF_FUNC_map_update_elem), 3924 BPF_MOV64_IMM(BPF_REG_0, 0), 3925 BPF_EXIT_INSN(), 3926 }, 3927 .fixup_map1 = { 5 }, 3928 .result_unpriv = ACCEPT, 3929 .result = ACCEPT, 3930 .prog_type = BPF_PROG_TYPE_XDP, 3931 }, 3932 { 3933 "helper access to packet: test2, unchecked packet_ptr", 3934 .insns = { 3935 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3936 offsetof(struct xdp_md, data)), 3937 BPF_LD_MAP_FD(BPF_REG_1, 0), 3938 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3939 BPF_FUNC_map_lookup_elem), 3940 BPF_MOV64_IMM(BPF_REG_0, 0), 3941 BPF_EXIT_INSN(), 3942 }, 3943 .fixup_map1 = { 1 }, 3944 .result = REJECT, 3945 .errstr = "invalid access to packet", 3946 .prog_type = BPF_PROG_TYPE_XDP, 3947 }, 3948 { 3949 "helper access to packet: test3, variable add", 3950 .insns = { 3951 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3952 offsetof(struct xdp_md, data)), 3953 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3954 offsetof(struct xdp_md, data_end)), 3955 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 3956 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8), 3957 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10), 3958 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0), 3959 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 3960 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5), 3961 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4), 3962 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8), 3963 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4), 3964 BPF_LD_MAP_FD(BPF_REG_1, 0), 3965 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4), 3966 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3967 BPF_FUNC_map_lookup_elem), 3968 BPF_MOV64_IMM(BPF_REG_0, 0), 3969 BPF_EXIT_INSN(), 3970 }, 3971 .fixup_map1 = { 11 }, 3972 .result = ACCEPT, 3973 .prog_type = BPF_PROG_TYPE_XDP, 3974 }, 3975 { 3976 "helper access to packet: test4, packet_ptr with bad range", 3977 .insns = { 3978 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 3979 offsetof(struct xdp_md, data)), 3980 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 3981 offsetof(struct xdp_md, data_end)), 3982 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 3983 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4), 3984 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2), 3985 BPF_MOV64_IMM(BPF_REG_0, 0), 3986 BPF_EXIT_INSN(), 3987 BPF_LD_MAP_FD(BPF_REG_1, 0), 3988 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 3989 BPF_FUNC_map_lookup_elem), 3990 BPF_MOV64_IMM(BPF_REG_0, 0), 3991 BPF_EXIT_INSN(), 3992 }, 3993 .fixup_map1 = { 7 }, 3994 .result = REJECT, 3995 .errstr = "invalid access to packet", 3996 .prog_type = BPF_PROG_TYPE_XDP, 3997 }, 3998 { 3999 "helper access to packet: test5, packet_ptr with too short range", 4000 .insns = { 4001 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4002 offsetof(struct xdp_md, data)), 4003 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 4004 offsetof(struct xdp_md, data_end)), 4005 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), 4006 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 4007 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7), 4008 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3), 4009 BPF_LD_MAP_FD(BPF_REG_1, 0), 4010 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4011 BPF_FUNC_map_lookup_elem), 4012 BPF_MOV64_IMM(BPF_REG_0, 0), 4013 BPF_EXIT_INSN(), 4014 }, 4015 .fixup_map1 = { 6 }, 4016 .result = REJECT, 4017 .errstr = "invalid access to packet", 4018 .prog_type = BPF_PROG_TYPE_XDP, 4019 }, 4020 { 4021 "helper access to packet: test6, cls valid packet_ptr range", 4022 .insns = { 4023 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4024 offsetof(struct __sk_buff, data)), 4025 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 4026 offsetof(struct __sk_buff, data_end)), 4027 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 4028 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 4029 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5), 4030 BPF_LD_MAP_FD(BPF_REG_1, 0), 4031 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), 4032 BPF_MOV64_IMM(BPF_REG_4, 0), 4033 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4034 BPF_FUNC_map_update_elem), 4035 BPF_MOV64_IMM(BPF_REG_0, 0), 4036 BPF_EXIT_INSN(), 4037 }, 4038 .fixup_map1 = { 5 }, 4039 .result = ACCEPT, 4040 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 4041 }, 4042 { 4043 "helper access to packet: test7, cls unchecked packet_ptr", 4044 .insns = { 4045 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4046 offsetof(struct __sk_buff, data)), 4047 BPF_LD_MAP_FD(BPF_REG_1, 0), 4048 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4049 BPF_FUNC_map_lookup_elem), 4050 BPF_MOV64_IMM(BPF_REG_0, 0), 4051 BPF_EXIT_INSN(), 4052 }, 4053 .fixup_map1 = { 1 }, 4054 .result = REJECT, 4055 .errstr = "invalid access to packet", 4056 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 4057 }, 4058 { 4059 "helper access to packet: test8, cls variable add", 4060 .insns = { 4061 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4062 offsetof(struct __sk_buff, data)), 4063 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 4064 offsetof(struct __sk_buff, data_end)), 4065 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 4066 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8), 4067 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10), 4068 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0), 4069 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 4070 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5), 4071 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4), 4072 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8), 4073 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4), 4074 BPF_LD_MAP_FD(BPF_REG_1, 0), 4075 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4), 4076 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4077 BPF_FUNC_map_lookup_elem), 4078 BPF_MOV64_IMM(BPF_REG_0, 0), 4079 BPF_EXIT_INSN(), 4080 }, 4081 .fixup_map1 = { 11 }, 4082 .result = ACCEPT, 4083 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 4084 }, 4085 { 4086 "helper access to packet: test9, cls packet_ptr with bad range", 4087 .insns = { 4088 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4089 offsetof(struct __sk_buff, data)), 4090 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 4091 offsetof(struct __sk_buff, data_end)), 4092 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 4093 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4), 4094 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2), 4095 BPF_MOV64_IMM(BPF_REG_0, 0), 4096 BPF_EXIT_INSN(), 4097 BPF_LD_MAP_FD(BPF_REG_1, 0), 4098 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4099 BPF_FUNC_map_lookup_elem), 4100 BPF_MOV64_IMM(BPF_REG_0, 0), 4101 BPF_EXIT_INSN(), 4102 }, 4103 .fixup_map1 = { 7 }, 4104 .result = REJECT, 4105 .errstr = "invalid access to packet", 4106 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 4107 }, 4108 { 4109 "helper access to packet: test10, cls packet_ptr with too short range", 4110 .insns = { 4111 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4112 offsetof(struct __sk_buff, data)), 4113 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 4114 offsetof(struct __sk_buff, data_end)), 4115 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), 4116 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 4117 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7), 4118 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3), 4119 BPF_LD_MAP_FD(BPF_REG_1, 0), 4120 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4121 BPF_FUNC_map_lookup_elem), 4122 BPF_MOV64_IMM(BPF_REG_0, 0), 4123 BPF_EXIT_INSN(), 4124 }, 4125 .fixup_map1 = { 6 }, 4126 .result = REJECT, 4127 .errstr = "invalid access to packet", 4128 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 4129 }, 4130 { 4131 "helper access to packet: test11, cls unsuitable helper 1", 4132 .insns = { 4133 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 4134 offsetof(struct __sk_buff, data)), 4135 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 4136 offsetof(struct __sk_buff, data_end)), 4137 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 4138 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 4139 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7), 4140 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4), 4141 BPF_MOV64_IMM(BPF_REG_2, 0), 4142 BPF_MOV64_IMM(BPF_REG_4, 42), 4143 BPF_MOV64_IMM(BPF_REG_5, 0), 4144 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4145 BPF_FUNC_skb_store_bytes), 4146 BPF_MOV64_IMM(BPF_REG_0, 0), 4147 BPF_EXIT_INSN(), 4148 }, 4149 .result = REJECT, 4150 .errstr = "helper access to the packet", 4151 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 4152 }, 4153 { 4154 "helper access to packet: test12, cls unsuitable helper 2", 4155 .insns = { 4156 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 4157 offsetof(struct __sk_buff, data)), 4158 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 4159 offsetof(struct __sk_buff, data_end)), 4160 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6), 4161 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8), 4162 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3), 4163 BPF_MOV64_IMM(BPF_REG_2, 0), 4164 BPF_MOV64_IMM(BPF_REG_4, 4), 4165 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4166 BPF_FUNC_skb_load_bytes), 4167 BPF_MOV64_IMM(BPF_REG_0, 0), 4168 BPF_EXIT_INSN(), 4169 }, 4170 .result = REJECT, 4171 .errstr = "helper access to the packet", 4172 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 4173 }, 4174 { 4175 "helper access to packet: test13, cls helper ok", 4176 .insns = { 4177 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 4178 offsetof(struct __sk_buff, data)), 4179 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 4180 offsetof(struct __sk_buff, data_end)), 4181 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 4182 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 4183 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 4184 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 4185 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 4186 BPF_MOV64_IMM(BPF_REG_2, 4), 4187 BPF_MOV64_IMM(BPF_REG_3, 0), 4188 BPF_MOV64_IMM(BPF_REG_4, 0), 4189 BPF_MOV64_IMM(BPF_REG_5, 0), 4190 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4191 BPF_FUNC_csum_diff), 4192 BPF_MOV64_IMM(BPF_REG_0, 0), 4193 BPF_EXIT_INSN(), 4194 }, 4195 .result = ACCEPT, 4196 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 4197 }, 4198 { 4199 "helper access to packet: test14, cls helper ok sub", 4200 .insns = { 4201 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 4202 offsetof(struct __sk_buff, data)), 4203 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 4204 offsetof(struct __sk_buff, data_end)), 4205 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 4206 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 4207 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 4208 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 4209 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4), 4210 BPF_MOV64_IMM(BPF_REG_2, 4), 4211 BPF_MOV64_IMM(BPF_REG_3, 0), 4212 BPF_MOV64_IMM(BPF_REG_4, 0), 4213 BPF_MOV64_IMM(BPF_REG_5, 0), 4214 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4215 BPF_FUNC_csum_diff), 4216 BPF_MOV64_IMM(BPF_REG_0, 0), 4217 BPF_EXIT_INSN(), 4218 }, 4219 .result = ACCEPT, 4220 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 4221 }, 4222 { 4223 "helper access to packet: test15, cls helper fail sub", 4224 .insns = { 4225 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 4226 offsetof(struct __sk_buff, data)), 4227 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 4228 offsetof(struct __sk_buff, data_end)), 4229 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 4230 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 4231 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 4232 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 4233 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12), 4234 BPF_MOV64_IMM(BPF_REG_2, 4), 4235 BPF_MOV64_IMM(BPF_REG_3, 0), 4236 BPF_MOV64_IMM(BPF_REG_4, 0), 4237 BPF_MOV64_IMM(BPF_REG_5, 0), 4238 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4239 BPF_FUNC_csum_diff), 4240 BPF_MOV64_IMM(BPF_REG_0, 0), 4241 BPF_EXIT_INSN(), 4242 }, 4243 .result = REJECT, 4244 .errstr = "invalid access to packet", 4245 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 4246 }, 4247 { 4248 "helper access to packet: test16, cls helper fail range 1", 4249 .insns = { 4250 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 4251 offsetof(struct __sk_buff, data)), 4252 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 4253 offsetof(struct __sk_buff, data_end)), 4254 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 4255 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 4256 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 4257 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 4258 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 4259 BPF_MOV64_IMM(BPF_REG_2, 8), 4260 BPF_MOV64_IMM(BPF_REG_3, 0), 4261 BPF_MOV64_IMM(BPF_REG_4, 0), 4262 BPF_MOV64_IMM(BPF_REG_5, 0), 4263 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4264 BPF_FUNC_csum_diff), 4265 BPF_MOV64_IMM(BPF_REG_0, 0), 4266 BPF_EXIT_INSN(), 4267 }, 4268 .result = REJECT, 4269 .errstr = "invalid access to packet", 4270 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 4271 }, 4272 { 4273 "helper access to packet: test17, cls helper fail range 2", 4274 .insns = { 4275 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 4276 offsetof(struct __sk_buff, data)), 4277 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 4278 offsetof(struct __sk_buff, data_end)), 4279 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 4280 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 4281 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 4282 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 4283 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 4284 BPF_MOV64_IMM(BPF_REG_2, -9), 4285 BPF_MOV64_IMM(BPF_REG_3, 0), 4286 BPF_MOV64_IMM(BPF_REG_4, 0), 4287 BPF_MOV64_IMM(BPF_REG_5, 0), 4288 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4289 BPF_FUNC_csum_diff), 4290 BPF_MOV64_IMM(BPF_REG_0, 0), 4291 BPF_EXIT_INSN(), 4292 }, 4293 .result = REJECT, 4294 .errstr = "R2 min value is negative", 4295 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 4296 }, 4297 { 4298 "helper access to packet: test18, cls helper fail range 3", 4299 .insns = { 4300 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 4301 offsetof(struct __sk_buff, data)), 4302 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 4303 offsetof(struct __sk_buff, data_end)), 4304 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 4305 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 4306 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 4307 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 4308 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 4309 BPF_MOV64_IMM(BPF_REG_2, ~0), 4310 BPF_MOV64_IMM(BPF_REG_3, 0), 4311 BPF_MOV64_IMM(BPF_REG_4, 0), 4312 BPF_MOV64_IMM(BPF_REG_5, 0), 4313 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4314 BPF_FUNC_csum_diff), 4315 BPF_MOV64_IMM(BPF_REG_0, 0), 4316 BPF_EXIT_INSN(), 4317 }, 4318 .result = REJECT, 4319 .errstr = "R2 min value is negative", 4320 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 4321 }, 4322 { 4323 "helper access to packet: test19, cls helper range zero", 4324 .insns = { 4325 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 4326 offsetof(struct __sk_buff, data)), 4327 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 4328 offsetof(struct __sk_buff, data_end)), 4329 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 4330 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 4331 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 4332 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 4333 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 4334 BPF_MOV64_IMM(BPF_REG_2, 0), 4335 BPF_MOV64_IMM(BPF_REG_3, 0), 4336 BPF_MOV64_IMM(BPF_REG_4, 0), 4337 BPF_MOV64_IMM(BPF_REG_5, 0), 4338 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4339 BPF_FUNC_csum_diff), 4340 BPF_MOV64_IMM(BPF_REG_0, 0), 4341 BPF_EXIT_INSN(), 4342 }, 4343 .result = ACCEPT, 4344 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 4345 }, 4346 { 4347 "helper access to packet: test20, pkt end as input", 4348 .insns = { 4349 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 4350 offsetof(struct __sk_buff, data)), 4351 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 4352 offsetof(struct __sk_buff, data_end)), 4353 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 4354 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 4355 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 4356 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 4357 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), 4358 BPF_MOV64_IMM(BPF_REG_2, 4), 4359 BPF_MOV64_IMM(BPF_REG_3, 0), 4360 BPF_MOV64_IMM(BPF_REG_4, 0), 4361 BPF_MOV64_IMM(BPF_REG_5, 0), 4362 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4363 BPF_FUNC_csum_diff), 4364 BPF_MOV64_IMM(BPF_REG_0, 0), 4365 BPF_EXIT_INSN(), 4366 }, 4367 .result = REJECT, 4368 .errstr = "R1 type=pkt_end expected=fp", 4369 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 4370 }, 4371 { 4372 "helper access to packet: test21, wrong reg", 4373 .insns = { 4374 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 4375 offsetof(struct __sk_buff, data)), 4376 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 4377 offsetof(struct __sk_buff, data_end)), 4378 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1), 4379 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 4380 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7), 4381 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6), 4382 BPF_MOV64_IMM(BPF_REG_2, 4), 4383 BPF_MOV64_IMM(BPF_REG_3, 0), 4384 BPF_MOV64_IMM(BPF_REG_4, 0), 4385 BPF_MOV64_IMM(BPF_REG_5, 0), 4386 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4387 BPF_FUNC_csum_diff), 4388 BPF_MOV64_IMM(BPF_REG_0, 0), 4389 BPF_EXIT_INSN(), 4390 }, 4391 .result = REJECT, 4392 .errstr = "invalid access to packet", 4393 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 4394 }, 4395 { 4396 "valid map access into an array with a constant", 4397 .insns = { 4398 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 4399 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4400 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4401 BPF_LD_MAP_FD(BPF_REG_1, 0), 4402 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4403 BPF_FUNC_map_lookup_elem), 4404 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 4405 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 4406 offsetof(struct test_val, foo)), 4407 BPF_EXIT_INSN(), 4408 }, 4409 .fixup_map2 = { 3 }, 4410 .errstr_unpriv = "R0 leaks addr", 4411 .result_unpriv = REJECT, 4412 .result = ACCEPT, 4413 }, 4414 { 4415 "valid map access into an array with a register", 4416 .insns = { 4417 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 4418 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4419 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4420 BPF_LD_MAP_FD(BPF_REG_1, 0), 4421 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4422 BPF_FUNC_map_lookup_elem), 4423 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 4424 BPF_MOV64_IMM(BPF_REG_1, 4), 4425 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 4426 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 4427 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 4428 offsetof(struct test_val, foo)), 4429 BPF_EXIT_INSN(), 4430 }, 4431 .fixup_map2 = { 3 }, 4432 .errstr_unpriv = "R0 leaks addr", 4433 .result_unpriv = REJECT, 4434 .result = ACCEPT, 4435 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 4436 }, 4437 { 4438 "valid map access into an array with a variable", 4439 .insns = { 4440 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 4441 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4442 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4443 BPF_LD_MAP_FD(BPF_REG_1, 0), 4444 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4445 BPF_FUNC_map_lookup_elem), 4446 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 4447 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 4448 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3), 4449 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 4450 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 4451 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 4452 offsetof(struct test_val, foo)), 4453 BPF_EXIT_INSN(), 4454 }, 4455 .fixup_map2 = { 3 }, 4456 .errstr_unpriv = "R0 leaks addr", 4457 .result_unpriv = REJECT, 4458 .result = ACCEPT, 4459 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 4460 }, 4461 { 4462 "valid map access into an array with a signed variable", 4463 .insns = { 4464 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 4465 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4466 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4467 BPF_LD_MAP_FD(BPF_REG_1, 0), 4468 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4469 BPF_FUNC_map_lookup_elem), 4470 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 4471 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 4472 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1), 4473 BPF_MOV32_IMM(BPF_REG_1, 0), 4474 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES), 4475 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1), 4476 BPF_MOV32_IMM(BPF_REG_1, 0), 4477 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2), 4478 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 4479 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 4480 offsetof(struct test_val, foo)), 4481 BPF_EXIT_INSN(), 4482 }, 4483 .fixup_map2 = { 3 }, 4484 .errstr_unpriv = "R0 leaks addr", 4485 .result_unpriv = REJECT, 4486 .result = ACCEPT, 4487 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 4488 }, 4489 { 4490 "invalid map access into an array with a constant", 4491 .insns = { 4492 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 4493 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4494 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4495 BPF_LD_MAP_FD(BPF_REG_1, 0), 4496 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4497 BPF_FUNC_map_lookup_elem), 4498 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 4499 BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2, 4500 offsetof(struct test_val, foo)), 4501 BPF_EXIT_INSN(), 4502 }, 4503 .fixup_map2 = { 3 }, 4504 .errstr = "invalid access to map value, value_size=48 off=48 size=8", 4505 .result = REJECT, 4506 }, 4507 { 4508 "invalid map access into an array with a register", 4509 .insns = { 4510 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 4511 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4512 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4513 BPF_LD_MAP_FD(BPF_REG_1, 0), 4514 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4515 BPF_FUNC_map_lookup_elem), 4516 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 4517 BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1), 4518 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 4519 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 4520 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 4521 offsetof(struct test_val, foo)), 4522 BPF_EXIT_INSN(), 4523 }, 4524 .fixup_map2 = { 3 }, 4525 .errstr = "R0 min value is outside of the array range", 4526 .result = REJECT, 4527 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 4528 }, 4529 { 4530 "invalid map access into an array with a variable", 4531 .insns = { 4532 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 4533 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4534 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4535 BPF_LD_MAP_FD(BPF_REG_1, 0), 4536 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4537 BPF_FUNC_map_lookup_elem), 4538 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 4539 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 4540 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 4541 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 4542 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 4543 offsetof(struct test_val, foo)), 4544 BPF_EXIT_INSN(), 4545 }, 4546 .fixup_map2 = { 3 }, 4547 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map", 4548 .result = REJECT, 4549 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 4550 }, 4551 { 4552 "invalid map access into an array with no floor check", 4553 .insns = { 4554 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 4555 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4556 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4557 BPF_LD_MAP_FD(BPF_REG_1, 0), 4558 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4559 BPF_FUNC_map_lookup_elem), 4560 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 4561 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 4562 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES), 4563 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1), 4564 BPF_MOV32_IMM(BPF_REG_1, 0), 4565 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2), 4566 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 4567 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 4568 offsetof(struct test_val, foo)), 4569 BPF_EXIT_INSN(), 4570 }, 4571 .fixup_map2 = { 3 }, 4572 .errstr_unpriv = "R0 leaks addr", 4573 .errstr = "R0 unbounded memory access", 4574 .result_unpriv = REJECT, 4575 .result = REJECT, 4576 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 4577 }, 4578 { 4579 "invalid map access into an array with a invalid max check", 4580 .insns = { 4581 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 4582 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4583 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4584 BPF_LD_MAP_FD(BPF_REG_1, 0), 4585 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4586 BPF_FUNC_map_lookup_elem), 4587 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 4588 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 4589 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1), 4590 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1), 4591 BPF_MOV32_IMM(BPF_REG_1, 0), 4592 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2), 4593 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 4594 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 4595 offsetof(struct test_val, foo)), 4596 BPF_EXIT_INSN(), 4597 }, 4598 .fixup_map2 = { 3 }, 4599 .errstr_unpriv = "R0 leaks addr", 4600 .errstr = "invalid access to map value, value_size=48 off=44 size=8", 4601 .result_unpriv = REJECT, 4602 .result = REJECT, 4603 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 4604 }, 4605 { 4606 "invalid map access into an array with a invalid max check", 4607 .insns = { 4608 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 4609 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4610 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4611 BPF_LD_MAP_FD(BPF_REG_1, 0), 4612 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4613 BPF_FUNC_map_lookup_elem), 4614 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10), 4615 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), 4616 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 4617 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4618 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4619 BPF_LD_MAP_FD(BPF_REG_1, 0), 4620 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4621 BPF_FUNC_map_lookup_elem), 4622 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 4623 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8), 4624 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 4625 offsetof(struct test_val, foo)), 4626 BPF_EXIT_INSN(), 4627 }, 4628 .fixup_map2 = { 3, 11 }, 4629 .errstr = "R0 pointer += pointer", 4630 .result = REJECT, 4631 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 4632 }, 4633 { 4634 "multiple registers share map_lookup_elem result", 4635 .insns = { 4636 BPF_MOV64_IMM(BPF_REG_1, 10), 4637 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 4638 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4639 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4640 BPF_LD_MAP_FD(BPF_REG_1, 0), 4641 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4642 BPF_FUNC_map_lookup_elem), 4643 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 4644 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 4645 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0), 4646 BPF_EXIT_INSN(), 4647 }, 4648 .fixup_map1 = { 4 }, 4649 .result = ACCEPT, 4650 .prog_type = BPF_PROG_TYPE_SCHED_CLS 4651 }, 4652 { 4653 "alu ops on ptr_to_map_value_or_null, 1", 4654 .insns = { 4655 BPF_MOV64_IMM(BPF_REG_1, 10), 4656 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 4657 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4658 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4659 BPF_LD_MAP_FD(BPF_REG_1, 0), 4660 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4661 BPF_FUNC_map_lookup_elem), 4662 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 4663 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2), 4664 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2), 4665 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 4666 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0), 4667 BPF_EXIT_INSN(), 4668 }, 4669 .fixup_map1 = { 4 }, 4670 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL", 4671 .result = REJECT, 4672 .prog_type = BPF_PROG_TYPE_SCHED_CLS 4673 }, 4674 { 4675 "alu ops on ptr_to_map_value_or_null, 2", 4676 .insns = { 4677 BPF_MOV64_IMM(BPF_REG_1, 10), 4678 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 4679 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4680 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4681 BPF_LD_MAP_FD(BPF_REG_1, 0), 4682 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4683 BPF_FUNC_map_lookup_elem), 4684 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 4685 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1), 4686 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 4687 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0), 4688 BPF_EXIT_INSN(), 4689 }, 4690 .fixup_map1 = { 4 }, 4691 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL", 4692 .result = REJECT, 4693 .prog_type = BPF_PROG_TYPE_SCHED_CLS 4694 }, 4695 { 4696 "alu ops on ptr_to_map_value_or_null, 3", 4697 .insns = { 4698 BPF_MOV64_IMM(BPF_REG_1, 10), 4699 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 4700 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4701 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4702 BPF_LD_MAP_FD(BPF_REG_1, 0), 4703 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4704 BPF_FUNC_map_lookup_elem), 4705 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 4706 BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1), 4707 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 4708 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0), 4709 BPF_EXIT_INSN(), 4710 }, 4711 .fixup_map1 = { 4 }, 4712 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL", 4713 .result = REJECT, 4714 .prog_type = BPF_PROG_TYPE_SCHED_CLS 4715 }, 4716 { 4717 "invalid memory access with multiple map_lookup_elem calls", 4718 .insns = { 4719 BPF_MOV64_IMM(BPF_REG_1, 10), 4720 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 4721 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4722 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4723 BPF_LD_MAP_FD(BPF_REG_1, 0), 4724 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), 4725 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2), 4726 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4727 BPF_FUNC_map_lookup_elem), 4728 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 4729 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8), 4730 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), 4731 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4732 BPF_FUNC_map_lookup_elem), 4733 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 4734 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0), 4735 BPF_EXIT_INSN(), 4736 }, 4737 .fixup_map1 = { 4 }, 4738 .result = REJECT, 4739 .errstr = "R4 !read_ok", 4740 .prog_type = BPF_PROG_TYPE_SCHED_CLS 4741 }, 4742 { 4743 "valid indirect map_lookup_elem access with 2nd lookup in branch", 4744 .insns = { 4745 BPF_MOV64_IMM(BPF_REG_1, 10), 4746 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8), 4747 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4748 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4749 BPF_LD_MAP_FD(BPF_REG_1, 0), 4750 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), 4751 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2), 4752 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4753 BPF_FUNC_map_lookup_elem), 4754 BPF_MOV64_IMM(BPF_REG_2, 10), 4755 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3), 4756 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8), 4757 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), 4758 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 4759 BPF_FUNC_map_lookup_elem), 4760 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0), 4761 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 4762 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0), 4763 BPF_EXIT_INSN(), 4764 }, 4765 .fixup_map1 = { 4 }, 4766 .result = ACCEPT, 4767 .prog_type = BPF_PROG_TYPE_SCHED_CLS 4768 }, 4769 { 4770 "invalid map access from else condition", 4771 .insns = { 4772 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 4773 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 4774 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 4775 BPF_LD_MAP_FD(BPF_REG_1, 0), 4776 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 4777 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 4778 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 4779 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1), 4780 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1), 4781 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 4782 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 4783 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)), 4784 BPF_EXIT_INSN(), 4785 }, 4786 .fixup_map2 = { 3 }, 4787 .errstr = "R0 unbounded memory access", 4788 .result = REJECT, 4789 .errstr_unpriv = "R0 leaks addr", 4790 .result_unpriv = REJECT, 4791 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 4792 }, 4793 { 4794 "constant register |= constant should keep constant type", 4795 .insns = { 4796 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4797 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48), 4798 BPF_MOV64_IMM(BPF_REG_2, 34), 4799 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13), 4800 BPF_MOV64_IMM(BPF_REG_3, 0), 4801 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4802 BPF_EXIT_INSN(), 4803 }, 4804 .result = ACCEPT, 4805 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4806 }, 4807 { 4808 "constant register |= constant should not bypass stack boundary checks", 4809 .insns = { 4810 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4811 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48), 4812 BPF_MOV64_IMM(BPF_REG_2, 34), 4813 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24), 4814 BPF_MOV64_IMM(BPF_REG_3, 0), 4815 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4816 BPF_EXIT_INSN(), 4817 }, 4818 .errstr = "invalid stack type R1 off=-48 access_size=58", 4819 .result = REJECT, 4820 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4821 }, 4822 { 4823 "constant register |= constant register should keep constant type", 4824 .insns = { 4825 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4826 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48), 4827 BPF_MOV64_IMM(BPF_REG_2, 34), 4828 BPF_MOV64_IMM(BPF_REG_4, 13), 4829 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4), 4830 BPF_MOV64_IMM(BPF_REG_3, 0), 4831 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4832 BPF_EXIT_INSN(), 4833 }, 4834 .result = ACCEPT, 4835 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4836 }, 4837 { 4838 "constant register |= constant register should not bypass stack boundary checks", 4839 .insns = { 4840 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 4841 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48), 4842 BPF_MOV64_IMM(BPF_REG_2, 34), 4843 BPF_MOV64_IMM(BPF_REG_4, 24), 4844 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4), 4845 BPF_MOV64_IMM(BPF_REG_3, 0), 4846 BPF_EMIT_CALL(BPF_FUNC_probe_read), 4847 BPF_EXIT_INSN(), 4848 }, 4849 .errstr = "invalid stack type R1 off=-48 access_size=58", 4850 .result = REJECT, 4851 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 4852 }, 4853 { 4854 "invalid direct packet write for LWT_IN", 4855 .insns = { 4856 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4857 offsetof(struct __sk_buff, data)), 4858 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 4859 offsetof(struct __sk_buff, data_end)), 4860 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 4861 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 4862 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 4863 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 4864 BPF_MOV64_IMM(BPF_REG_0, 0), 4865 BPF_EXIT_INSN(), 4866 }, 4867 .errstr = "cannot write into packet", 4868 .result = REJECT, 4869 .prog_type = BPF_PROG_TYPE_LWT_IN, 4870 }, 4871 { 4872 "invalid direct packet write for LWT_OUT", 4873 .insns = { 4874 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4875 offsetof(struct __sk_buff, data)), 4876 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 4877 offsetof(struct __sk_buff, data_end)), 4878 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 4879 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 4880 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 4881 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 4882 BPF_MOV64_IMM(BPF_REG_0, 0), 4883 BPF_EXIT_INSN(), 4884 }, 4885 .errstr = "cannot write into packet", 4886 .result = REJECT, 4887 .prog_type = BPF_PROG_TYPE_LWT_OUT, 4888 }, 4889 { 4890 "direct packet write for LWT_XMIT", 4891 .insns = { 4892 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4893 offsetof(struct __sk_buff, data)), 4894 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 4895 offsetof(struct __sk_buff, data_end)), 4896 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 4897 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 4898 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 4899 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 4900 BPF_MOV64_IMM(BPF_REG_0, 0), 4901 BPF_EXIT_INSN(), 4902 }, 4903 .result = ACCEPT, 4904 .prog_type = BPF_PROG_TYPE_LWT_XMIT, 4905 }, 4906 { 4907 "direct packet read for LWT_IN", 4908 .insns = { 4909 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4910 offsetof(struct __sk_buff, data)), 4911 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 4912 offsetof(struct __sk_buff, data_end)), 4913 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 4914 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 4915 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 4916 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 4917 BPF_MOV64_IMM(BPF_REG_0, 0), 4918 BPF_EXIT_INSN(), 4919 }, 4920 .result = ACCEPT, 4921 .prog_type = BPF_PROG_TYPE_LWT_IN, 4922 }, 4923 { 4924 "direct packet read for LWT_OUT", 4925 .insns = { 4926 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4927 offsetof(struct __sk_buff, data)), 4928 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 4929 offsetof(struct __sk_buff, data_end)), 4930 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 4931 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 4932 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 4933 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 4934 BPF_MOV64_IMM(BPF_REG_0, 0), 4935 BPF_EXIT_INSN(), 4936 }, 4937 .result = ACCEPT, 4938 .prog_type = BPF_PROG_TYPE_LWT_OUT, 4939 }, 4940 { 4941 "direct packet read for LWT_XMIT", 4942 .insns = { 4943 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4944 offsetof(struct __sk_buff, data)), 4945 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 4946 offsetof(struct __sk_buff, data_end)), 4947 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 4948 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 4949 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 4950 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 4951 BPF_MOV64_IMM(BPF_REG_0, 0), 4952 BPF_EXIT_INSN(), 4953 }, 4954 .result = ACCEPT, 4955 .prog_type = BPF_PROG_TYPE_LWT_XMIT, 4956 }, 4957 { 4958 "overlapping checks for direct packet access", 4959 .insns = { 4960 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4961 offsetof(struct __sk_buff, data)), 4962 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 4963 offsetof(struct __sk_buff, data_end)), 4964 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 4965 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 4966 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4), 4967 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 4968 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6), 4969 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1), 4970 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6), 4971 BPF_MOV64_IMM(BPF_REG_0, 0), 4972 BPF_EXIT_INSN(), 4973 }, 4974 .result = ACCEPT, 4975 .prog_type = BPF_PROG_TYPE_LWT_XMIT, 4976 }, 4977 { 4978 "invalid access of tc_classid for LWT_IN", 4979 .insns = { 4980 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 4981 offsetof(struct __sk_buff, tc_classid)), 4982 BPF_EXIT_INSN(), 4983 }, 4984 .result = REJECT, 4985 .errstr = "invalid bpf_context access", 4986 }, 4987 { 4988 "invalid access of tc_classid for LWT_OUT", 4989 .insns = { 4990 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 4991 offsetof(struct __sk_buff, tc_classid)), 4992 BPF_EXIT_INSN(), 4993 }, 4994 .result = REJECT, 4995 .errstr = "invalid bpf_context access", 4996 }, 4997 { 4998 "invalid access of tc_classid for LWT_XMIT", 4999 .insns = { 5000 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 5001 offsetof(struct __sk_buff, tc_classid)), 5002 BPF_EXIT_INSN(), 5003 }, 5004 .result = REJECT, 5005 .errstr = "invalid bpf_context access", 5006 }, 5007 { 5008 "leak pointer into ctx 1", 5009 .insns = { 5010 BPF_MOV64_IMM(BPF_REG_0, 0), 5011 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 5012 offsetof(struct __sk_buff, cb[0])), 5013 BPF_LD_MAP_FD(BPF_REG_2, 0), 5014 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2, 5015 offsetof(struct __sk_buff, cb[0])), 5016 BPF_EXIT_INSN(), 5017 }, 5018 .fixup_map1 = { 2 }, 5019 .errstr_unpriv = "R2 leaks addr into mem", 5020 .result_unpriv = REJECT, 5021 .result = REJECT, 5022 .errstr = "BPF_XADD stores into R1 context is not allowed", 5023 }, 5024 { 5025 "leak pointer into ctx 2", 5026 .insns = { 5027 BPF_MOV64_IMM(BPF_REG_0, 0), 5028 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 5029 offsetof(struct __sk_buff, cb[0])), 5030 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10, 5031 offsetof(struct __sk_buff, cb[0])), 5032 BPF_EXIT_INSN(), 5033 }, 5034 .errstr_unpriv = "R10 leaks addr into mem", 5035 .result_unpriv = REJECT, 5036 .result = REJECT, 5037 .errstr = "BPF_XADD stores into R1 context is not allowed", 5038 }, 5039 { 5040 "leak pointer into ctx 3", 5041 .insns = { 5042 BPF_MOV64_IMM(BPF_REG_0, 0), 5043 BPF_LD_MAP_FD(BPF_REG_2, 0), 5044 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 5045 offsetof(struct __sk_buff, cb[0])), 5046 BPF_EXIT_INSN(), 5047 }, 5048 .fixup_map1 = { 1 }, 5049 .errstr_unpriv = "R2 leaks addr into ctx", 5050 .result_unpriv = REJECT, 5051 .result = ACCEPT, 5052 }, 5053 { 5054 "leak pointer into map val", 5055 .insns = { 5056 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 5057 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 5058 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5059 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5060 BPF_LD_MAP_FD(BPF_REG_1, 0), 5061 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 5062 BPF_FUNC_map_lookup_elem), 5063 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3), 5064 BPF_MOV64_IMM(BPF_REG_3, 0), 5065 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0), 5066 BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 5067 BPF_MOV64_IMM(BPF_REG_0, 0), 5068 BPF_EXIT_INSN(), 5069 }, 5070 .fixup_map1 = { 4 }, 5071 .errstr_unpriv = "R6 leaks addr into mem", 5072 .result_unpriv = REJECT, 5073 .result = ACCEPT, 5074 }, 5075 { 5076 "helper access to map: full range", 5077 .insns = { 5078 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5079 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5080 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5081 BPF_LD_MAP_FD(BPF_REG_1, 0), 5082 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5083 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 5084 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5085 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 5086 BPF_MOV64_IMM(BPF_REG_3, 0), 5087 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5088 BPF_EXIT_INSN(), 5089 }, 5090 .fixup_map2 = { 3 }, 5091 .result = ACCEPT, 5092 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5093 }, 5094 { 5095 "helper access to map: partial range", 5096 .insns = { 5097 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5098 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5099 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5100 BPF_LD_MAP_FD(BPF_REG_1, 0), 5101 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5102 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 5103 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5104 BPF_MOV64_IMM(BPF_REG_2, 8), 5105 BPF_MOV64_IMM(BPF_REG_3, 0), 5106 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5107 BPF_EXIT_INSN(), 5108 }, 5109 .fixup_map2 = { 3 }, 5110 .result = ACCEPT, 5111 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5112 }, 5113 { 5114 "helper access to map: empty range", 5115 .insns = { 5116 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5117 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5118 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5119 BPF_LD_MAP_FD(BPF_REG_1, 0), 5120 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5121 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3), 5122 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5123 BPF_MOV64_IMM(BPF_REG_2, 0), 5124 BPF_EMIT_CALL(BPF_FUNC_trace_printk), 5125 BPF_EXIT_INSN(), 5126 }, 5127 .fixup_map2 = { 3 }, 5128 .errstr = "invalid access to map value, value_size=48 off=0 size=0", 5129 .result = REJECT, 5130 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5131 }, 5132 { 5133 "helper access to map: out-of-bound range", 5134 .insns = { 5135 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5136 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5137 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5138 BPF_LD_MAP_FD(BPF_REG_1, 0), 5139 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5140 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 5141 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5142 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8), 5143 BPF_MOV64_IMM(BPF_REG_3, 0), 5144 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5145 BPF_EXIT_INSN(), 5146 }, 5147 .fixup_map2 = { 3 }, 5148 .errstr = "invalid access to map value, value_size=48 off=0 size=56", 5149 .result = REJECT, 5150 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5151 }, 5152 { 5153 "helper access to map: negative range", 5154 .insns = { 5155 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5156 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5157 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5158 BPF_LD_MAP_FD(BPF_REG_1, 0), 5159 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5160 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 5161 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5162 BPF_MOV64_IMM(BPF_REG_2, -8), 5163 BPF_MOV64_IMM(BPF_REG_3, 0), 5164 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5165 BPF_EXIT_INSN(), 5166 }, 5167 .fixup_map2 = { 3 }, 5168 .errstr = "R2 min value is negative", 5169 .result = REJECT, 5170 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5171 }, 5172 { 5173 "helper access to adjusted map (via const imm): full range", 5174 .insns = { 5175 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5176 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5177 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5178 BPF_LD_MAP_FD(BPF_REG_1, 0), 5179 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5180 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 5181 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5182 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 5183 offsetof(struct test_val, foo)), 5184 BPF_MOV64_IMM(BPF_REG_2, 5185 sizeof(struct test_val) - 5186 offsetof(struct test_val, foo)), 5187 BPF_MOV64_IMM(BPF_REG_3, 0), 5188 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5189 BPF_EXIT_INSN(), 5190 }, 5191 .fixup_map2 = { 3 }, 5192 .result = ACCEPT, 5193 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5194 }, 5195 { 5196 "helper access to adjusted map (via const imm): partial range", 5197 .insns = { 5198 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5199 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5200 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5201 BPF_LD_MAP_FD(BPF_REG_1, 0), 5202 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5203 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 5204 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5205 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 5206 offsetof(struct test_val, foo)), 5207 BPF_MOV64_IMM(BPF_REG_2, 8), 5208 BPF_MOV64_IMM(BPF_REG_3, 0), 5209 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5210 BPF_EXIT_INSN(), 5211 }, 5212 .fixup_map2 = { 3 }, 5213 .result = ACCEPT, 5214 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5215 }, 5216 { 5217 "helper access to adjusted map (via const imm): empty range", 5218 .insns = { 5219 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5220 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5221 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5222 BPF_LD_MAP_FD(BPF_REG_1, 0), 5223 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5224 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 5225 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5226 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 5227 offsetof(struct test_val, foo)), 5228 BPF_MOV64_IMM(BPF_REG_2, 0), 5229 BPF_EMIT_CALL(BPF_FUNC_trace_printk), 5230 BPF_EXIT_INSN(), 5231 }, 5232 .fixup_map2 = { 3 }, 5233 .errstr = "invalid access to map value, value_size=48 off=4 size=0", 5234 .result = REJECT, 5235 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5236 }, 5237 { 5238 "helper access to adjusted map (via const imm): out-of-bound range", 5239 .insns = { 5240 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5241 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5242 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5243 BPF_LD_MAP_FD(BPF_REG_1, 0), 5244 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5245 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 5246 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5247 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 5248 offsetof(struct test_val, foo)), 5249 BPF_MOV64_IMM(BPF_REG_2, 5250 sizeof(struct test_val) - 5251 offsetof(struct test_val, foo) + 8), 5252 BPF_MOV64_IMM(BPF_REG_3, 0), 5253 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5254 BPF_EXIT_INSN(), 5255 }, 5256 .fixup_map2 = { 3 }, 5257 .errstr = "invalid access to map value, value_size=48 off=4 size=52", 5258 .result = REJECT, 5259 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5260 }, 5261 { 5262 "helper access to adjusted map (via const imm): negative range (> adjustment)", 5263 .insns = { 5264 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5265 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5266 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5267 BPF_LD_MAP_FD(BPF_REG_1, 0), 5268 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5269 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 5270 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5271 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 5272 offsetof(struct test_val, foo)), 5273 BPF_MOV64_IMM(BPF_REG_2, -8), 5274 BPF_MOV64_IMM(BPF_REG_3, 0), 5275 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5276 BPF_EXIT_INSN(), 5277 }, 5278 .fixup_map2 = { 3 }, 5279 .errstr = "R2 min value is negative", 5280 .result = REJECT, 5281 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5282 }, 5283 { 5284 "helper access to adjusted map (via const imm): negative range (< adjustment)", 5285 .insns = { 5286 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5287 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5288 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5289 BPF_LD_MAP_FD(BPF_REG_1, 0), 5290 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5291 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 5292 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5293 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 5294 offsetof(struct test_val, foo)), 5295 BPF_MOV64_IMM(BPF_REG_2, -1), 5296 BPF_MOV64_IMM(BPF_REG_3, 0), 5297 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5298 BPF_EXIT_INSN(), 5299 }, 5300 .fixup_map2 = { 3 }, 5301 .errstr = "R2 min value is negative", 5302 .result = REJECT, 5303 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5304 }, 5305 { 5306 "helper access to adjusted map (via const reg): full range", 5307 .insns = { 5308 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5309 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5310 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5311 BPF_LD_MAP_FD(BPF_REG_1, 0), 5312 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5313 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 5314 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5315 BPF_MOV64_IMM(BPF_REG_3, 5316 offsetof(struct test_val, foo)), 5317 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 5318 BPF_MOV64_IMM(BPF_REG_2, 5319 sizeof(struct test_val) - 5320 offsetof(struct test_val, foo)), 5321 BPF_MOV64_IMM(BPF_REG_3, 0), 5322 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5323 BPF_EXIT_INSN(), 5324 }, 5325 .fixup_map2 = { 3 }, 5326 .result = ACCEPT, 5327 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5328 }, 5329 { 5330 "helper access to adjusted map (via const reg): partial range", 5331 .insns = { 5332 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5333 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5334 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5335 BPF_LD_MAP_FD(BPF_REG_1, 0), 5336 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5337 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 5338 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5339 BPF_MOV64_IMM(BPF_REG_3, 5340 offsetof(struct test_val, foo)), 5341 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 5342 BPF_MOV64_IMM(BPF_REG_2, 8), 5343 BPF_MOV64_IMM(BPF_REG_3, 0), 5344 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5345 BPF_EXIT_INSN(), 5346 }, 5347 .fixup_map2 = { 3 }, 5348 .result = ACCEPT, 5349 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5350 }, 5351 { 5352 "helper access to adjusted map (via const reg): empty range", 5353 .insns = { 5354 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5355 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5356 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5357 BPF_LD_MAP_FD(BPF_REG_1, 0), 5358 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5359 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 5360 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5361 BPF_MOV64_IMM(BPF_REG_3, 0), 5362 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 5363 BPF_MOV64_IMM(BPF_REG_2, 0), 5364 BPF_EMIT_CALL(BPF_FUNC_trace_printk), 5365 BPF_EXIT_INSN(), 5366 }, 5367 .fixup_map2 = { 3 }, 5368 .errstr = "R1 min value is outside of the array range", 5369 .result = REJECT, 5370 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5371 }, 5372 { 5373 "helper access to adjusted map (via const reg): out-of-bound range", 5374 .insns = { 5375 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5376 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5377 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5378 BPF_LD_MAP_FD(BPF_REG_1, 0), 5379 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5380 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 5381 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5382 BPF_MOV64_IMM(BPF_REG_3, 5383 offsetof(struct test_val, foo)), 5384 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 5385 BPF_MOV64_IMM(BPF_REG_2, 5386 sizeof(struct test_val) - 5387 offsetof(struct test_val, foo) + 8), 5388 BPF_MOV64_IMM(BPF_REG_3, 0), 5389 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5390 BPF_EXIT_INSN(), 5391 }, 5392 .fixup_map2 = { 3 }, 5393 .errstr = "invalid access to map value, value_size=48 off=4 size=52", 5394 .result = REJECT, 5395 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5396 }, 5397 { 5398 "helper access to adjusted map (via const reg): negative range (> adjustment)", 5399 .insns = { 5400 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5401 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5402 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5403 BPF_LD_MAP_FD(BPF_REG_1, 0), 5404 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5405 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 5406 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5407 BPF_MOV64_IMM(BPF_REG_3, 5408 offsetof(struct test_val, foo)), 5409 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 5410 BPF_MOV64_IMM(BPF_REG_2, -8), 5411 BPF_MOV64_IMM(BPF_REG_3, 0), 5412 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5413 BPF_EXIT_INSN(), 5414 }, 5415 .fixup_map2 = { 3 }, 5416 .errstr = "R2 min value is negative", 5417 .result = REJECT, 5418 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5419 }, 5420 { 5421 "helper access to adjusted map (via const reg): negative range (< adjustment)", 5422 .insns = { 5423 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5424 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5425 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5426 BPF_LD_MAP_FD(BPF_REG_1, 0), 5427 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5428 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 5429 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5430 BPF_MOV64_IMM(BPF_REG_3, 5431 offsetof(struct test_val, foo)), 5432 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 5433 BPF_MOV64_IMM(BPF_REG_2, -1), 5434 BPF_MOV64_IMM(BPF_REG_3, 0), 5435 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5436 BPF_EXIT_INSN(), 5437 }, 5438 .fixup_map2 = { 3 }, 5439 .errstr = "R2 min value is negative", 5440 .result = REJECT, 5441 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5442 }, 5443 { 5444 "helper access to adjusted map (via variable): full range", 5445 .insns = { 5446 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5447 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5448 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5449 BPF_LD_MAP_FD(BPF_REG_1, 0), 5450 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5451 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 5452 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5453 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 5454 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 5455 offsetof(struct test_val, foo), 4), 5456 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 5457 BPF_MOV64_IMM(BPF_REG_2, 5458 sizeof(struct test_val) - 5459 offsetof(struct test_val, foo)), 5460 BPF_MOV64_IMM(BPF_REG_3, 0), 5461 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5462 BPF_EXIT_INSN(), 5463 }, 5464 .fixup_map2 = { 3 }, 5465 .result = ACCEPT, 5466 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5467 }, 5468 { 5469 "helper access to adjusted map (via variable): partial range", 5470 .insns = { 5471 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5472 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5473 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5474 BPF_LD_MAP_FD(BPF_REG_1, 0), 5475 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5476 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 5477 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5478 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 5479 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 5480 offsetof(struct test_val, foo), 4), 5481 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 5482 BPF_MOV64_IMM(BPF_REG_2, 8), 5483 BPF_MOV64_IMM(BPF_REG_3, 0), 5484 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5485 BPF_EXIT_INSN(), 5486 }, 5487 .fixup_map2 = { 3 }, 5488 .result = ACCEPT, 5489 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5490 }, 5491 { 5492 "helper access to adjusted map (via variable): empty range", 5493 .insns = { 5494 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5495 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5496 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5497 BPF_LD_MAP_FD(BPF_REG_1, 0), 5498 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5499 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 5500 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5501 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 5502 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 5503 offsetof(struct test_val, foo), 3), 5504 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 5505 BPF_MOV64_IMM(BPF_REG_2, 0), 5506 BPF_EMIT_CALL(BPF_FUNC_trace_printk), 5507 BPF_EXIT_INSN(), 5508 }, 5509 .fixup_map2 = { 3 }, 5510 .errstr = "R1 min value is outside of the array range", 5511 .result = REJECT, 5512 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5513 }, 5514 { 5515 "helper access to adjusted map (via variable): no max check", 5516 .insns = { 5517 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5518 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5519 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5520 BPF_LD_MAP_FD(BPF_REG_1, 0), 5521 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5522 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 5523 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5524 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 5525 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 5526 BPF_MOV64_IMM(BPF_REG_2, 1), 5527 BPF_MOV64_IMM(BPF_REG_3, 0), 5528 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5529 BPF_EXIT_INSN(), 5530 }, 5531 .fixup_map2 = { 3 }, 5532 .errstr = "R1 unbounded memory access", 5533 .result = REJECT, 5534 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5535 }, 5536 { 5537 "helper access to adjusted map (via variable): wrong max check", 5538 .insns = { 5539 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5540 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5541 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5542 BPF_LD_MAP_FD(BPF_REG_1, 0), 5543 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5544 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 5545 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5546 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 5547 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 5548 offsetof(struct test_val, foo), 4), 5549 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 5550 BPF_MOV64_IMM(BPF_REG_2, 5551 sizeof(struct test_val) - 5552 offsetof(struct test_val, foo) + 1), 5553 BPF_MOV64_IMM(BPF_REG_3, 0), 5554 BPF_EMIT_CALL(BPF_FUNC_probe_read), 5555 BPF_EXIT_INSN(), 5556 }, 5557 .fixup_map2 = { 3 }, 5558 .errstr = "invalid access to map value, value_size=48 off=4 size=45", 5559 .result = REJECT, 5560 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5561 }, 5562 { 5563 "helper access to map: bounds check using <, good access", 5564 .insns = { 5565 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5566 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5567 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5568 BPF_LD_MAP_FD(BPF_REG_1, 0), 5569 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5570 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 5571 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5572 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 5573 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2), 5574 BPF_MOV64_IMM(BPF_REG_0, 0), 5575 BPF_EXIT_INSN(), 5576 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 5577 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 5578 BPF_MOV64_IMM(BPF_REG_0, 0), 5579 BPF_EXIT_INSN(), 5580 }, 5581 .fixup_map2 = { 3 }, 5582 .result = ACCEPT, 5583 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5584 }, 5585 { 5586 "helper access to map: bounds check using <, bad access", 5587 .insns = { 5588 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5589 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5590 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5591 BPF_LD_MAP_FD(BPF_REG_1, 0), 5592 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5593 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 5594 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5595 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 5596 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4), 5597 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 5598 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 5599 BPF_MOV64_IMM(BPF_REG_0, 0), 5600 BPF_EXIT_INSN(), 5601 BPF_MOV64_IMM(BPF_REG_0, 0), 5602 BPF_EXIT_INSN(), 5603 }, 5604 .fixup_map2 = { 3 }, 5605 .result = REJECT, 5606 .errstr = "R1 unbounded memory access", 5607 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5608 }, 5609 { 5610 "helper access to map: bounds check using <=, good access", 5611 .insns = { 5612 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5613 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5614 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5615 BPF_LD_MAP_FD(BPF_REG_1, 0), 5616 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5617 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 5618 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5619 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 5620 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2), 5621 BPF_MOV64_IMM(BPF_REG_0, 0), 5622 BPF_EXIT_INSN(), 5623 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 5624 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 5625 BPF_MOV64_IMM(BPF_REG_0, 0), 5626 BPF_EXIT_INSN(), 5627 }, 5628 .fixup_map2 = { 3 }, 5629 .result = ACCEPT, 5630 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5631 }, 5632 { 5633 "helper access to map: bounds check using <=, bad access", 5634 .insns = { 5635 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5636 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5637 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5638 BPF_LD_MAP_FD(BPF_REG_1, 0), 5639 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5640 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 5641 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5642 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 5643 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4), 5644 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 5645 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 5646 BPF_MOV64_IMM(BPF_REG_0, 0), 5647 BPF_EXIT_INSN(), 5648 BPF_MOV64_IMM(BPF_REG_0, 0), 5649 BPF_EXIT_INSN(), 5650 }, 5651 .fixup_map2 = { 3 }, 5652 .result = REJECT, 5653 .errstr = "R1 unbounded memory access", 5654 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5655 }, 5656 { 5657 "helper access to map: bounds check using s<, good access", 5658 .insns = { 5659 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5660 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5661 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5662 BPF_LD_MAP_FD(BPF_REG_1, 0), 5663 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5664 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 5665 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5666 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 5667 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2), 5668 BPF_MOV64_IMM(BPF_REG_0, 0), 5669 BPF_EXIT_INSN(), 5670 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3), 5671 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 5672 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 5673 BPF_MOV64_IMM(BPF_REG_0, 0), 5674 BPF_EXIT_INSN(), 5675 }, 5676 .fixup_map2 = { 3 }, 5677 .result = ACCEPT, 5678 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5679 }, 5680 { 5681 "helper access to map: bounds check using s<, good access 2", 5682 .insns = { 5683 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5684 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5685 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5686 BPF_LD_MAP_FD(BPF_REG_1, 0), 5687 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5688 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 5689 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5690 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 5691 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2), 5692 BPF_MOV64_IMM(BPF_REG_0, 0), 5693 BPF_EXIT_INSN(), 5694 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3), 5695 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 5696 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 5697 BPF_MOV64_IMM(BPF_REG_0, 0), 5698 BPF_EXIT_INSN(), 5699 }, 5700 .fixup_map2 = { 3 }, 5701 .result = ACCEPT, 5702 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5703 }, 5704 { 5705 "helper access to map: bounds check using s<, bad access", 5706 .insns = { 5707 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5708 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5709 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5710 BPF_LD_MAP_FD(BPF_REG_1, 0), 5711 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5712 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 5713 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5714 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0), 5715 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2), 5716 BPF_MOV64_IMM(BPF_REG_0, 0), 5717 BPF_EXIT_INSN(), 5718 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3), 5719 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 5720 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 5721 BPF_MOV64_IMM(BPF_REG_0, 0), 5722 BPF_EXIT_INSN(), 5723 }, 5724 .fixup_map2 = { 3 }, 5725 .result = REJECT, 5726 .errstr = "R1 min value is negative", 5727 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5728 }, 5729 { 5730 "helper access to map: bounds check using s<=, good access", 5731 .insns = { 5732 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5733 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5734 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5735 BPF_LD_MAP_FD(BPF_REG_1, 0), 5736 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5737 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 5738 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5739 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 5740 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2), 5741 BPF_MOV64_IMM(BPF_REG_0, 0), 5742 BPF_EXIT_INSN(), 5743 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3), 5744 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 5745 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 5746 BPF_MOV64_IMM(BPF_REG_0, 0), 5747 BPF_EXIT_INSN(), 5748 }, 5749 .fixup_map2 = { 3 }, 5750 .result = ACCEPT, 5751 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5752 }, 5753 { 5754 "helper access to map: bounds check using s<=, good access 2", 5755 .insns = { 5756 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5757 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5758 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5759 BPF_LD_MAP_FD(BPF_REG_1, 0), 5760 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5761 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 5762 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5763 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 5764 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2), 5765 BPF_MOV64_IMM(BPF_REG_0, 0), 5766 BPF_EXIT_INSN(), 5767 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3), 5768 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 5769 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 5770 BPF_MOV64_IMM(BPF_REG_0, 0), 5771 BPF_EXIT_INSN(), 5772 }, 5773 .fixup_map2 = { 3 }, 5774 .result = ACCEPT, 5775 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5776 }, 5777 { 5778 "helper access to map: bounds check using s<=, bad access", 5779 .insns = { 5780 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5781 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5782 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5783 BPF_LD_MAP_FD(BPF_REG_1, 0), 5784 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5785 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 5786 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 5787 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0), 5788 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2), 5789 BPF_MOV64_IMM(BPF_REG_0, 0), 5790 BPF_EXIT_INSN(), 5791 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3), 5792 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 5793 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0), 5794 BPF_MOV64_IMM(BPF_REG_0, 0), 5795 BPF_EXIT_INSN(), 5796 }, 5797 .fixup_map2 = { 3 }, 5798 .result = REJECT, 5799 .errstr = "R1 min value is negative", 5800 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5801 }, 5802 { 5803 "map lookup helper access to map", 5804 .insns = { 5805 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5806 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5807 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5808 BPF_LD_MAP_FD(BPF_REG_1, 0), 5809 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5810 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 5811 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 5812 BPF_LD_MAP_FD(BPF_REG_1, 0), 5813 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5814 BPF_EXIT_INSN(), 5815 }, 5816 .fixup_map3 = { 3, 8 }, 5817 .result = ACCEPT, 5818 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5819 }, 5820 { 5821 "map update helper access to map", 5822 .insns = { 5823 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5824 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5825 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5826 BPF_LD_MAP_FD(BPF_REG_1, 0), 5827 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5828 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 5829 BPF_MOV64_IMM(BPF_REG_4, 0), 5830 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), 5831 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 5832 BPF_LD_MAP_FD(BPF_REG_1, 0), 5833 BPF_EMIT_CALL(BPF_FUNC_map_update_elem), 5834 BPF_EXIT_INSN(), 5835 }, 5836 .fixup_map3 = { 3, 10 }, 5837 .result = ACCEPT, 5838 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5839 }, 5840 { 5841 "map update helper access to map: wrong size", 5842 .insns = { 5843 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5844 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5845 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5846 BPF_LD_MAP_FD(BPF_REG_1, 0), 5847 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5848 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 5849 BPF_MOV64_IMM(BPF_REG_4, 0), 5850 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), 5851 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 5852 BPF_LD_MAP_FD(BPF_REG_1, 0), 5853 BPF_EMIT_CALL(BPF_FUNC_map_update_elem), 5854 BPF_EXIT_INSN(), 5855 }, 5856 .fixup_map1 = { 3 }, 5857 .fixup_map3 = { 10 }, 5858 .result = REJECT, 5859 .errstr = "invalid access to map value, value_size=8 off=0 size=16", 5860 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5861 }, 5862 { 5863 "map helper access to adjusted map (via const imm)", 5864 .insns = { 5865 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5866 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5867 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5868 BPF_LD_MAP_FD(BPF_REG_1, 0), 5869 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5870 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 5871 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 5872 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 5873 offsetof(struct other_val, bar)), 5874 BPF_LD_MAP_FD(BPF_REG_1, 0), 5875 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5876 BPF_EXIT_INSN(), 5877 }, 5878 .fixup_map3 = { 3, 9 }, 5879 .result = ACCEPT, 5880 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5881 }, 5882 { 5883 "map helper access to adjusted map (via const imm): out-of-bound 1", 5884 .insns = { 5885 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5886 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5887 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5888 BPF_LD_MAP_FD(BPF_REG_1, 0), 5889 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5890 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 5891 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 5892 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 5893 sizeof(struct other_val) - 4), 5894 BPF_LD_MAP_FD(BPF_REG_1, 0), 5895 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5896 BPF_EXIT_INSN(), 5897 }, 5898 .fixup_map3 = { 3, 9 }, 5899 .result = REJECT, 5900 .errstr = "invalid access to map value, value_size=16 off=12 size=8", 5901 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5902 }, 5903 { 5904 "map helper access to adjusted map (via const imm): out-of-bound 2", 5905 .insns = { 5906 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5907 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5908 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5909 BPF_LD_MAP_FD(BPF_REG_1, 0), 5910 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5911 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 5912 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 5913 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 5914 BPF_LD_MAP_FD(BPF_REG_1, 0), 5915 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5916 BPF_EXIT_INSN(), 5917 }, 5918 .fixup_map3 = { 3, 9 }, 5919 .result = REJECT, 5920 .errstr = "invalid access to map value, value_size=16 off=-4 size=8", 5921 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5922 }, 5923 { 5924 "map helper access to adjusted map (via const reg)", 5925 .insns = { 5926 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5927 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5928 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5929 BPF_LD_MAP_FD(BPF_REG_1, 0), 5930 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5931 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 5932 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 5933 BPF_MOV64_IMM(BPF_REG_3, 5934 offsetof(struct other_val, bar)), 5935 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3), 5936 BPF_LD_MAP_FD(BPF_REG_1, 0), 5937 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5938 BPF_EXIT_INSN(), 5939 }, 5940 .fixup_map3 = { 3, 10 }, 5941 .result = ACCEPT, 5942 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5943 }, 5944 { 5945 "map helper access to adjusted map (via const reg): out-of-bound 1", 5946 .insns = { 5947 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5948 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5949 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5950 BPF_LD_MAP_FD(BPF_REG_1, 0), 5951 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5952 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 5953 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 5954 BPF_MOV64_IMM(BPF_REG_3, 5955 sizeof(struct other_val) - 4), 5956 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3), 5957 BPF_LD_MAP_FD(BPF_REG_1, 0), 5958 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5959 BPF_EXIT_INSN(), 5960 }, 5961 .fixup_map3 = { 3, 10 }, 5962 .result = REJECT, 5963 .errstr = "invalid access to map value, value_size=16 off=12 size=8", 5964 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5965 }, 5966 { 5967 "map helper access to adjusted map (via const reg): out-of-bound 2", 5968 .insns = { 5969 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5970 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5971 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5972 BPF_LD_MAP_FD(BPF_REG_1, 0), 5973 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5974 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 5975 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 5976 BPF_MOV64_IMM(BPF_REG_3, -4), 5977 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3), 5978 BPF_LD_MAP_FD(BPF_REG_1, 0), 5979 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5980 BPF_EXIT_INSN(), 5981 }, 5982 .fixup_map3 = { 3, 10 }, 5983 .result = REJECT, 5984 .errstr = "invalid access to map value, value_size=16 off=-4 size=8", 5985 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 5986 }, 5987 { 5988 "map helper access to adjusted map (via variable)", 5989 .insns = { 5990 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 5991 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 5992 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 5993 BPF_LD_MAP_FD(BPF_REG_1, 0), 5994 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 5995 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 5996 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 5997 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 5998 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 5999 offsetof(struct other_val, bar), 4), 6000 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3), 6001 BPF_LD_MAP_FD(BPF_REG_1, 0), 6002 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 6003 BPF_EXIT_INSN(), 6004 }, 6005 .fixup_map3 = { 3, 11 }, 6006 .result = ACCEPT, 6007 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 6008 }, 6009 { 6010 "map helper access to adjusted map (via variable): no max check", 6011 .insns = { 6012 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6013 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6014 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 6015 BPF_LD_MAP_FD(BPF_REG_1, 0), 6016 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 6017 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 6018 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 6019 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 6020 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3), 6021 BPF_LD_MAP_FD(BPF_REG_1, 0), 6022 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 6023 BPF_EXIT_INSN(), 6024 }, 6025 .fixup_map3 = { 3, 10 }, 6026 .result = REJECT, 6027 .errstr = "R2 unbounded memory access, make sure to bounds check any array access into a map", 6028 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 6029 }, 6030 { 6031 "map helper access to adjusted map (via variable): wrong max check", 6032 .insns = { 6033 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6034 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6035 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 6036 BPF_LD_MAP_FD(BPF_REG_1, 0), 6037 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 6038 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 6039 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 6040 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0), 6041 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 6042 offsetof(struct other_val, bar) + 1, 4), 6043 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3), 6044 BPF_LD_MAP_FD(BPF_REG_1, 0), 6045 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 6046 BPF_EXIT_INSN(), 6047 }, 6048 .fixup_map3 = { 3, 11 }, 6049 .result = REJECT, 6050 .errstr = "invalid access to map value, value_size=16 off=9 size=8", 6051 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 6052 }, 6053 { 6054 "map element value is preserved across register spilling", 6055 .insns = { 6056 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6057 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6058 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 6059 BPF_LD_MAP_FD(BPF_REG_1, 0), 6060 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 6061 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 6062 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42), 6063 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 6064 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184), 6065 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 6066 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0), 6067 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42), 6068 BPF_EXIT_INSN(), 6069 }, 6070 .fixup_map2 = { 3 }, 6071 .errstr_unpriv = "R0 leaks addr", 6072 .result = ACCEPT, 6073 .result_unpriv = REJECT, 6074 }, 6075 { 6076 "map element value or null is marked on register spilling", 6077 .insns = { 6078 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6079 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6080 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 6081 BPF_LD_MAP_FD(BPF_REG_1, 0), 6082 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 6083 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 6084 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152), 6085 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 6086 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 6087 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0), 6088 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42), 6089 BPF_EXIT_INSN(), 6090 }, 6091 .fixup_map2 = { 3 }, 6092 .errstr_unpriv = "R0 leaks addr", 6093 .result = ACCEPT, 6094 .result_unpriv = REJECT, 6095 }, 6096 { 6097 "map element value store of cleared call register", 6098 .insns = { 6099 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6100 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6101 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 6102 BPF_LD_MAP_FD(BPF_REG_1, 0), 6103 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 6104 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 6105 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0), 6106 BPF_EXIT_INSN(), 6107 }, 6108 .fixup_map2 = { 3 }, 6109 .errstr_unpriv = "R1 !read_ok", 6110 .errstr = "R1 !read_ok", 6111 .result = REJECT, 6112 .result_unpriv = REJECT, 6113 }, 6114 { 6115 "map element value with unaligned store", 6116 .insns = { 6117 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6118 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6119 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 6120 BPF_LD_MAP_FD(BPF_REG_1, 0), 6121 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 6122 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17), 6123 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3), 6124 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42), 6125 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43), 6126 BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44), 6127 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), 6128 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32), 6129 BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33), 6130 BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34), 6131 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5), 6132 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22), 6133 BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23), 6134 BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24), 6135 BPF_MOV64_REG(BPF_REG_7, BPF_REG_8), 6136 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3), 6137 BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22), 6138 BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23), 6139 BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24), 6140 BPF_EXIT_INSN(), 6141 }, 6142 .fixup_map2 = { 3 }, 6143 .errstr_unpriv = "R0 leaks addr", 6144 .result = ACCEPT, 6145 .result_unpriv = REJECT, 6146 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 6147 }, 6148 { 6149 "map element value with unaligned load", 6150 .insns = { 6151 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6152 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6153 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 6154 BPF_LD_MAP_FD(BPF_REG_1, 0), 6155 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 6156 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11), 6157 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 6158 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9), 6159 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3), 6160 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), 6161 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2), 6162 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), 6163 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0), 6164 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2), 6165 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5), 6166 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), 6167 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4), 6168 BPF_EXIT_INSN(), 6169 }, 6170 .fixup_map2 = { 3 }, 6171 .errstr_unpriv = "R0 leaks addr", 6172 .result = ACCEPT, 6173 .result_unpriv = REJECT, 6174 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 6175 }, 6176 { 6177 "map element value illegal alu op, 1", 6178 .insns = { 6179 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6180 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6181 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 6182 BPF_LD_MAP_FD(BPF_REG_1, 0), 6183 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 6184 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 6185 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8), 6186 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22), 6187 BPF_EXIT_INSN(), 6188 }, 6189 .fixup_map2 = { 3 }, 6190 .errstr = "R0 bitwise operator &= on pointer", 6191 .result = REJECT, 6192 }, 6193 { 6194 "map element value illegal alu op, 2", 6195 .insns = { 6196 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6197 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6198 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 6199 BPF_LD_MAP_FD(BPF_REG_1, 0), 6200 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 6201 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 6202 BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0), 6203 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22), 6204 BPF_EXIT_INSN(), 6205 }, 6206 .fixup_map2 = { 3 }, 6207 .errstr = "R0 32-bit pointer arithmetic prohibited", 6208 .result = REJECT, 6209 }, 6210 { 6211 "map element value illegal alu op, 3", 6212 .insns = { 6213 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6214 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6215 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 6216 BPF_LD_MAP_FD(BPF_REG_1, 0), 6217 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 6218 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 6219 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42), 6220 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22), 6221 BPF_EXIT_INSN(), 6222 }, 6223 .fixup_map2 = { 3 }, 6224 .errstr = "R0 pointer arithmetic with /= operator", 6225 .result = REJECT, 6226 }, 6227 { 6228 "map element value illegal alu op, 4", 6229 .insns = { 6230 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6231 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6232 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 6233 BPF_LD_MAP_FD(BPF_REG_1, 0), 6234 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 6235 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 6236 BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64), 6237 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22), 6238 BPF_EXIT_INSN(), 6239 }, 6240 .fixup_map2 = { 3 }, 6241 .errstr_unpriv = "R0 pointer arithmetic prohibited", 6242 .errstr = "invalid mem access 'inv'", 6243 .result = REJECT, 6244 .result_unpriv = REJECT, 6245 }, 6246 { 6247 "map element value illegal alu op, 5", 6248 .insns = { 6249 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6250 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6251 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 6252 BPF_LD_MAP_FD(BPF_REG_1, 0), 6253 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 6254 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 6255 BPF_MOV64_IMM(BPF_REG_3, 4096), 6256 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6257 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6258 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0), 6259 BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0), 6260 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0), 6261 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22), 6262 BPF_EXIT_INSN(), 6263 }, 6264 .fixup_map2 = { 3 }, 6265 .errstr = "R0 invalid mem access 'inv'", 6266 .result = REJECT, 6267 }, 6268 { 6269 "map element value is preserved across register spilling", 6270 .insns = { 6271 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6272 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6273 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 6274 BPF_LD_MAP_FD(BPF_REG_1, 0), 6275 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 6276 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 6277 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 6278 offsetof(struct test_val, foo)), 6279 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42), 6280 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 6281 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184), 6282 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 6283 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0), 6284 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42), 6285 BPF_EXIT_INSN(), 6286 }, 6287 .fixup_map2 = { 3 }, 6288 .errstr_unpriv = "R0 leaks addr", 6289 .result = ACCEPT, 6290 .result_unpriv = REJECT, 6291 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 6292 }, 6293 { 6294 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds", 6295 .insns = { 6296 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 6297 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 6298 BPF_MOV64_IMM(BPF_REG_0, 0), 6299 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 6300 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 6301 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 6302 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 6303 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32), 6304 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 6305 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 6306 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 6307 BPF_MOV64_IMM(BPF_REG_2, 16), 6308 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 6309 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 6310 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64), 6311 BPF_MOV64_IMM(BPF_REG_4, 0), 6312 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 6313 BPF_MOV64_IMM(BPF_REG_3, 0), 6314 BPF_EMIT_CALL(BPF_FUNC_probe_read), 6315 BPF_MOV64_IMM(BPF_REG_0, 0), 6316 BPF_EXIT_INSN(), 6317 }, 6318 .result = ACCEPT, 6319 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 6320 }, 6321 { 6322 "helper access to variable memory: stack, bitwise AND, zero included", 6323 .insns = { 6324 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 6325 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 6326 BPF_MOV64_IMM(BPF_REG_2, 16), 6327 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 6328 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 6329 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64), 6330 BPF_MOV64_IMM(BPF_REG_3, 0), 6331 BPF_EMIT_CALL(BPF_FUNC_probe_read), 6332 BPF_EXIT_INSN(), 6333 }, 6334 .errstr = "invalid indirect read from stack off -64+0 size 64", 6335 .result = REJECT, 6336 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 6337 }, 6338 { 6339 "helper access to variable memory: stack, bitwise AND + JMP, wrong max", 6340 .insns = { 6341 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 6342 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 6343 BPF_MOV64_IMM(BPF_REG_2, 16), 6344 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 6345 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 6346 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65), 6347 BPF_MOV64_IMM(BPF_REG_4, 0), 6348 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 6349 BPF_MOV64_IMM(BPF_REG_3, 0), 6350 BPF_EMIT_CALL(BPF_FUNC_probe_read), 6351 BPF_MOV64_IMM(BPF_REG_0, 0), 6352 BPF_EXIT_INSN(), 6353 }, 6354 .errstr = "invalid stack type R1 off=-64 access_size=65", 6355 .result = REJECT, 6356 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 6357 }, 6358 { 6359 "helper access to variable memory: stack, JMP, correct bounds", 6360 .insns = { 6361 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 6362 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 6363 BPF_MOV64_IMM(BPF_REG_0, 0), 6364 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 6365 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 6366 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 6367 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 6368 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32), 6369 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 6370 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 6371 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 6372 BPF_MOV64_IMM(BPF_REG_2, 16), 6373 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 6374 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 6375 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4), 6376 BPF_MOV64_IMM(BPF_REG_4, 0), 6377 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 6378 BPF_MOV64_IMM(BPF_REG_3, 0), 6379 BPF_EMIT_CALL(BPF_FUNC_probe_read), 6380 BPF_MOV64_IMM(BPF_REG_0, 0), 6381 BPF_EXIT_INSN(), 6382 }, 6383 .result = ACCEPT, 6384 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 6385 }, 6386 { 6387 "helper access to variable memory: stack, JMP (signed), correct bounds", 6388 .insns = { 6389 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 6390 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 6391 BPF_MOV64_IMM(BPF_REG_0, 0), 6392 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 6393 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 6394 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 6395 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 6396 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32), 6397 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 6398 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 6399 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 6400 BPF_MOV64_IMM(BPF_REG_2, 16), 6401 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 6402 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 6403 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4), 6404 BPF_MOV64_IMM(BPF_REG_4, 0), 6405 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2), 6406 BPF_MOV64_IMM(BPF_REG_3, 0), 6407 BPF_EMIT_CALL(BPF_FUNC_probe_read), 6408 BPF_MOV64_IMM(BPF_REG_0, 0), 6409 BPF_EXIT_INSN(), 6410 }, 6411 .result = ACCEPT, 6412 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 6413 }, 6414 { 6415 "helper access to variable memory: stack, JMP, bounds + offset", 6416 .insns = { 6417 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 6418 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 6419 BPF_MOV64_IMM(BPF_REG_2, 16), 6420 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 6421 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 6422 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5), 6423 BPF_MOV64_IMM(BPF_REG_4, 0), 6424 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3), 6425 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), 6426 BPF_MOV64_IMM(BPF_REG_3, 0), 6427 BPF_EMIT_CALL(BPF_FUNC_probe_read), 6428 BPF_MOV64_IMM(BPF_REG_0, 0), 6429 BPF_EXIT_INSN(), 6430 }, 6431 .errstr = "invalid stack type R1 off=-64 access_size=65", 6432 .result = REJECT, 6433 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 6434 }, 6435 { 6436 "helper access to variable memory: stack, JMP, wrong max", 6437 .insns = { 6438 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 6439 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 6440 BPF_MOV64_IMM(BPF_REG_2, 16), 6441 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 6442 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 6443 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4), 6444 BPF_MOV64_IMM(BPF_REG_4, 0), 6445 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 6446 BPF_MOV64_IMM(BPF_REG_3, 0), 6447 BPF_EMIT_CALL(BPF_FUNC_probe_read), 6448 BPF_MOV64_IMM(BPF_REG_0, 0), 6449 BPF_EXIT_INSN(), 6450 }, 6451 .errstr = "invalid stack type R1 off=-64 access_size=65", 6452 .result = REJECT, 6453 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 6454 }, 6455 { 6456 "helper access to variable memory: stack, JMP, no max check", 6457 .insns = { 6458 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 6459 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 6460 BPF_MOV64_IMM(BPF_REG_2, 16), 6461 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 6462 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 6463 BPF_MOV64_IMM(BPF_REG_4, 0), 6464 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2), 6465 BPF_MOV64_IMM(BPF_REG_3, 0), 6466 BPF_EMIT_CALL(BPF_FUNC_probe_read), 6467 BPF_MOV64_IMM(BPF_REG_0, 0), 6468 BPF_EXIT_INSN(), 6469 }, 6470 /* because max wasn't checked, signed min is negative */ 6471 .errstr = "R2 min value is negative, either use unsigned or 'var &= const'", 6472 .result = REJECT, 6473 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 6474 }, 6475 { 6476 "helper access to variable memory: stack, JMP, no min check", 6477 .insns = { 6478 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 6479 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 6480 BPF_MOV64_IMM(BPF_REG_2, 16), 6481 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 6482 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 6483 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3), 6484 BPF_MOV64_IMM(BPF_REG_3, 0), 6485 BPF_EMIT_CALL(BPF_FUNC_probe_read), 6486 BPF_MOV64_IMM(BPF_REG_0, 0), 6487 BPF_EXIT_INSN(), 6488 }, 6489 .errstr = "invalid indirect read from stack off -64+0 size 64", 6490 .result = REJECT, 6491 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 6492 }, 6493 { 6494 "helper access to variable memory: stack, JMP (signed), no min check", 6495 .insns = { 6496 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 6497 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 6498 BPF_MOV64_IMM(BPF_REG_2, 16), 6499 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128), 6500 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128), 6501 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3), 6502 BPF_MOV64_IMM(BPF_REG_3, 0), 6503 BPF_EMIT_CALL(BPF_FUNC_probe_read), 6504 BPF_MOV64_IMM(BPF_REG_0, 0), 6505 BPF_EXIT_INSN(), 6506 }, 6507 .errstr = "R2 min value is negative", 6508 .result = REJECT, 6509 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 6510 }, 6511 { 6512 "helper access to variable memory: map, JMP, correct bounds", 6513 .insns = { 6514 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6515 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6516 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 6517 BPF_LD_MAP_FD(BPF_REG_1, 0), 6518 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 6519 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10), 6520 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 6521 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 6522 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 6523 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 6524 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 6525 sizeof(struct test_val), 4), 6526 BPF_MOV64_IMM(BPF_REG_4, 0), 6527 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2), 6528 BPF_MOV64_IMM(BPF_REG_3, 0), 6529 BPF_EMIT_CALL(BPF_FUNC_probe_read), 6530 BPF_MOV64_IMM(BPF_REG_0, 0), 6531 BPF_EXIT_INSN(), 6532 }, 6533 .fixup_map2 = { 3 }, 6534 .result = ACCEPT, 6535 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 6536 }, 6537 { 6538 "helper access to variable memory: map, JMP, wrong max", 6539 .insns = { 6540 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6541 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6542 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 6543 BPF_LD_MAP_FD(BPF_REG_1, 0), 6544 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 6545 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10), 6546 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 6547 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 6548 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 6549 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 6550 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 6551 sizeof(struct test_val) + 1, 4), 6552 BPF_MOV64_IMM(BPF_REG_4, 0), 6553 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2), 6554 BPF_MOV64_IMM(BPF_REG_3, 0), 6555 BPF_EMIT_CALL(BPF_FUNC_probe_read), 6556 BPF_MOV64_IMM(BPF_REG_0, 0), 6557 BPF_EXIT_INSN(), 6558 }, 6559 .fixup_map2 = { 3 }, 6560 .errstr = "invalid access to map value, value_size=48 off=0 size=49", 6561 .result = REJECT, 6562 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 6563 }, 6564 { 6565 "helper access to variable memory: map adjusted, JMP, correct bounds", 6566 .insns = { 6567 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6568 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6569 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 6570 BPF_LD_MAP_FD(BPF_REG_1, 0), 6571 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 6572 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11), 6573 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 6574 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20), 6575 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 6576 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 6577 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 6578 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 6579 sizeof(struct test_val) - 20, 4), 6580 BPF_MOV64_IMM(BPF_REG_4, 0), 6581 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2), 6582 BPF_MOV64_IMM(BPF_REG_3, 0), 6583 BPF_EMIT_CALL(BPF_FUNC_probe_read), 6584 BPF_MOV64_IMM(BPF_REG_0, 0), 6585 BPF_EXIT_INSN(), 6586 }, 6587 .fixup_map2 = { 3 }, 6588 .result = ACCEPT, 6589 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 6590 }, 6591 { 6592 "helper access to variable memory: map adjusted, JMP, wrong max", 6593 .insns = { 6594 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6595 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6596 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 6597 BPF_LD_MAP_FD(BPF_REG_1, 0), 6598 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 6599 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11), 6600 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 6601 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20), 6602 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)), 6603 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 6604 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 6605 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 6606 sizeof(struct test_val) - 19, 4), 6607 BPF_MOV64_IMM(BPF_REG_4, 0), 6608 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2), 6609 BPF_MOV64_IMM(BPF_REG_3, 0), 6610 BPF_EMIT_CALL(BPF_FUNC_probe_read), 6611 BPF_MOV64_IMM(BPF_REG_0, 0), 6612 BPF_EXIT_INSN(), 6613 }, 6614 .fixup_map2 = { 3 }, 6615 .errstr = "R1 min value is outside of the array range", 6616 .result = REJECT, 6617 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 6618 }, 6619 { 6620 "helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)", 6621 .insns = { 6622 BPF_MOV64_IMM(BPF_REG_1, 0), 6623 BPF_MOV64_IMM(BPF_REG_2, 0), 6624 BPF_MOV64_IMM(BPF_REG_3, 0), 6625 BPF_MOV64_IMM(BPF_REG_4, 0), 6626 BPF_MOV64_IMM(BPF_REG_5, 0), 6627 BPF_EMIT_CALL(BPF_FUNC_csum_diff), 6628 BPF_EXIT_INSN(), 6629 }, 6630 .result = ACCEPT, 6631 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 6632 }, 6633 { 6634 "helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)", 6635 .insns = { 6636 BPF_MOV64_IMM(BPF_REG_1, 0), 6637 BPF_MOV64_IMM(BPF_REG_2, 1), 6638 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 6639 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 6640 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64), 6641 BPF_MOV64_IMM(BPF_REG_3, 0), 6642 BPF_MOV64_IMM(BPF_REG_4, 0), 6643 BPF_MOV64_IMM(BPF_REG_5, 0), 6644 BPF_EMIT_CALL(BPF_FUNC_csum_diff), 6645 BPF_EXIT_INSN(), 6646 }, 6647 .errstr = "R1 type=inv expected=fp", 6648 .result = REJECT, 6649 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 6650 }, 6651 { 6652 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)", 6653 .insns = { 6654 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 6655 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 6656 BPF_MOV64_IMM(BPF_REG_2, 0), 6657 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0), 6658 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8), 6659 BPF_MOV64_IMM(BPF_REG_3, 0), 6660 BPF_MOV64_IMM(BPF_REG_4, 0), 6661 BPF_MOV64_IMM(BPF_REG_5, 0), 6662 BPF_EMIT_CALL(BPF_FUNC_csum_diff), 6663 BPF_EXIT_INSN(), 6664 }, 6665 .result = ACCEPT, 6666 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 6667 }, 6668 { 6669 "helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)", 6670 .insns = { 6671 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6672 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6673 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6674 BPF_LD_MAP_FD(BPF_REG_1, 0), 6675 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6676 BPF_FUNC_map_lookup_elem), 6677 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 6678 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 6679 BPF_MOV64_IMM(BPF_REG_2, 0), 6680 BPF_MOV64_IMM(BPF_REG_3, 0), 6681 BPF_MOV64_IMM(BPF_REG_4, 0), 6682 BPF_MOV64_IMM(BPF_REG_5, 0), 6683 BPF_EMIT_CALL(BPF_FUNC_csum_diff), 6684 BPF_EXIT_INSN(), 6685 }, 6686 .fixup_map1 = { 3 }, 6687 .result = ACCEPT, 6688 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 6689 }, 6690 { 6691 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)", 6692 .insns = { 6693 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6694 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6695 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6696 BPF_LD_MAP_FD(BPF_REG_1, 0), 6697 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6698 BPF_FUNC_map_lookup_elem), 6699 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 6700 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0), 6701 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7), 6702 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 6703 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 6704 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0), 6705 BPF_MOV64_IMM(BPF_REG_3, 0), 6706 BPF_MOV64_IMM(BPF_REG_4, 0), 6707 BPF_MOV64_IMM(BPF_REG_5, 0), 6708 BPF_EMIT_CALL(BPF_FUNC_csum_diff), 6709 BPF_EXIT_INSN(), 6710 }, 6711 .fixup_map1 = { 3 }, 6712 .result = ACCEPT, 6713 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 6714 }, 6715 { 6716 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)", 6717 .insns = { 6718 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6719 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6720 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6721 BPF_LD_MAP_FD(BPF_REG_1, 0), 6722 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6723 BPF_FUNC_map_lookup_elem), 6724 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 6725 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 6726 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0), 6727 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4), 6728 BPF_MOV64_IMM(BPF_REG_3, 0), 6729 BPF_MOV64_IMM(BPF_REG_4, 0), 6730 BPF_MOV64_IMM(BPF_REG_5, 0), 6731 BPF_EMIT_CALL(BPF_FUNC_csum_diff), 6732 BPF_EXIT_INSN(), 6733 }, 6734 .fixup_map1 = { 3 }, 6735 .result = ACCEPT, 6736 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 6737 }, 6738 { 6739 "helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)", 6740 .insns = { 6741 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 6742 offsetof(struct __sk_buff, data)), 6743 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 6744 offsetof(struct __sk_buff, data_end)), 6745 BPF_MOV64_REG(BPF_REG_0, BPF_REG_6), 6746 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 6747 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7), 6748 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 6749 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0), 6750 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4), 6751 BPF_MOV64_IMM(BPF_REG_3, 0), 6752 BPF_MOV64_IMM(BPF_REG_4, 0), 6753 BPF_MOV64_IMM(BPF_REG_5, 0), 6754 BPF_EMIT_CALL(BPF_FUNC_csum_diff), 6755 BPF_EXIT_INSN(), 6756 }, 6757 .result = ACCEPT, 6758 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 6759 .retval = 0 /* csum_diff of 64-byte packet */, 6760 }, 6761 { 6762 "helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)", 6763 .insns = { 6764 BPF_MOV64_IMM(BPF_REG_1, 0), 6765 BPF_MOV64_IMM(BPF_REG_2, 0), 6766 BPF_MOV64_IMM(BPF_REG_3, 0), 6767 BPF_EMIT_CALL(BPF_FUNC_probe_read), 6768 BPF_EXIT_INSN(), 6769 }, 6770 .errstr = "R1 type=inv expected=fp", 6771 .result = REJECT, 6772 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 6773 }, 6774 { 6775 "helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)", 6776 .insns = { 6777 BPF_MOV64_IMM(BPF_REG_1, 0), 6778 BPF_MOV64_IMM(BPF_REG_2, 1), 6779 BPF_MOV64_IMM(BPF_REG_3, 0), 6780 BPF_EMIT_CALL(BPF_FUNC_probe_read), 6781 BPF_EXIT_INSN(), 6782 }, 6783 .errstr = "R1 type=inv expected=fp", 6784 .result = REJECT, 6785 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 6786 }, 6787 { 6788 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)", 6789 .insns = { 6790 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 6791 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 6792 BPF_MOV64_IMM(BPF_REG_2, 0), 6793 BPF_MOV64_IMM(BPF_REG_3, 0), 6794 BPF_EMIT_CALL(BPF_FUNC_probe_read), 6795 BPF_EXIT_INSN(), 6796 }, 6797 .result = ACCEPT, 6798 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 6799 }, 6800 { 6801 "helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)", 6802 .insns = { 6803 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6804 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6805 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6806 BPF_LD_MAP_FD(BPF_REG_1, 0), 6807 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 6808 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 6809 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 6810 BPF_MOV64_IMM(BPF_REG_2, 0), 6811 BPF_MOV64_IMM(BPF_REG_3, 0), 6812 BPF_EMIT_CALL(BPF_FUNC_probe_read), 6813 BPF_EXIT_INSN(), 6814 }, 6815 .fixup_map1 = { 3 }, 6816 .result = ACCEPT, 6817 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 6818 }, 6819 { 6820 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)", 6821 .insns = { 6822 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6823 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6824 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6825 BPF_LD_MAP_FD(BPF_REG_1, 0), 6826 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 6827 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 6828 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0), 6829 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4), 6830 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 6831 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 6832 BPF_MOV64_IMM(BPF_REG_3, 0), 6833 BPF_EMIT_CALL(BPF_FUNC_probe_read), 6834 BPF_EXIT_INSN(), 6835 }, 6836 .fixup_map1 = { 3 }, 6837 .result = ACCEPT, 6838 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 6839 }, 6840 { 6841 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)", 6842 .insns = { 6843 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6844 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6845 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6846 BPF_LD_MAP_FD(BPF_REG_1, 0), 6847 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 6848 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 6849 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 6850 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0), 6851 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2), 6852 BPF_MOV64_IMM(BPF_REG_3, 0), 6853 BPF_EMIT_CALL(BPF_FUNC_probe_read), 6854 BPF_EXIT_INSN(), 6855 }, 6856 .fixup_map1 = { 3 }, 6857 .result = ACCEPT, 6858 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 6859 }, 6860 { 6861 "helper access to variable memory: 8 bytes leak", 6862 .insns = { 6863 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 6864 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 6865 BPF_MOV64_IMM(BPF_REG_0, 0), 6866 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 6867 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 6868 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 6869 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 6870 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 6871 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 6872 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 6873 BPF_MOV64_IMM(BPF_REG_2, 1), 6874 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128), 6875 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128), 6876 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63), 6877 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1), 6878 BPF_MOV64_IMM(BPF_REG_3, 0), 6879 BPF_EMIT_CALL(BPF_FUNC_probe_read), 6880 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 6881 BPF_EXIT_INSN(), 6882 }, 6883 .errstr = "invalid indirect read from stack off -64+32 size 64", 6884 .result = REJECT, 6885 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 6886 }, 6887 { 6888 "helper access to variable memory: 8 bytes no leak (init memory)", 6889 .insns = { 6890 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 6891 BPF_MOV64_IMM(BPF_REG_0, 0), 6892 BPF_MOV64_IMM(BPF_REG_0, 0), 6893 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64), 6894 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56), 6895 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48), 6896 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40), 6897 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32), 6898 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24), 6899 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), 6900 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 6901 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64), 6902 BPF_MOV64_IMM(BPF_REG_2, 0), 6903 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32), 6904 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32), 6905 BPF_MOV64_IMM(BPF_REG_3, 0), 6906 BPF_EMIT_CALL(BPF_FUNC_probe_read), 6907 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 6908 BPF_EXIT_INSN(), 6909 }, 6910 .result = ACCEPT, 6911 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 6912 }, 6913 { 6914 "invalid and of negative number", 6915 .insns = { 6916 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6917 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6918 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6919 BPF_LD_MAP_FD(BPF_REG_1, 0), 6920 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6921 BPF_FUNC_map_lookup_elem), 6922 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 6923 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 6924 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4), 6925 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2), 6926 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 6927 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 6928 offsetof(struct test_val, foo)), 6929 BPF_EXIT_INSN(), 6930 }, 6931 .fixup_map2 = { 3 }, 6932 .errstr = "R0 max value is outside of the array range", 6933 .result = REJECT, 6934 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 6935 }, 6936 { 6937 "invalid range check", 6938 .insns = { 6939 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 6940 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6941 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 6942 BPF_LD_MAP_FD(BPF_REG_1, 0), 6943 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6944 BPF_FUNC_map_lookup_elem), 6945 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12), 6946 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0), 6947 BPF_MOV64_IMM(BPF_REG_9, 1), 6948 BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2), 6949 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1), 6950 BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1), 6951 BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1), 6952 BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1), 6953 BPF_MOV32_IMM(BPF_REG_3, 1), 6954 BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9), 6955 BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000), 6956 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3), 6957 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0), 6958 BPF_MOV64_REG(BPF_REG_0, 0), 6959 BPF_EXIT_INSN(), 6960 }, 6961 .fixup_map2 = { 3 }, 6962 .errstr = "R0 max value is outside of the array range", 6963 .result = REJECT, 6964 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 6965 }, 6966 { 6967 "map in map access", 6968 .insns = { 6969 BPF_ST_MEM(0, BPF_REG_10, -4, 0), 6970 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6971 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 6972 BPF_LD_MAP_FD(BPF_REG_1, 0), 6973 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6974 BPF_FUNC_map_lookup_elem), 6975 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 6976 BPF_ST_MEM(0, BPF_REG_10, -4, 0), 6977 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6978 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 6979 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 6980 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6981 BPF_FUNC_map_lookup_elem), 6982 BPF_MOV64_REG(BPF_REG_0, 0), 6983 BPF_EXIT_INSN(), 6984 }, 6985 .fixup_map_in_map = { 3 }, 6986 .result = ACCEPT, 6987 }, 6988 { 6989 "invalid inner map pointer", 6990 .insns = { 6991 BPF_ST_MEM(0, BPF_REG_10, -4, 0), 6992 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6993 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 6994 BPF_LD_MAP_FD(BPF_REG_1, 0), 6995 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 6996 BPF_FUNC_map_lookup_elem), 6997 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 6998 BPF_ST_MEM(0, BPF_REG_10, -4, 0), 6999 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7000 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 7001 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 7002 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 7003 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7004 BPF_FUNC_map_lookup_elem), 7005 BPF_MOV64_REG(BPF_REG_0, 0), 7006 BPF_EXIT_INSN(), 7007 }, 7008 .fixup_map_in_map = { 3 }, 7009 .errstr = "R1 pointer arithmetic on CONST_PTR_TO_MAP prohibited", 7010 .result = REJECT, 7011 }, 7012 { 7013 "forgot null checking on the inner map pointer", 7014 .insns = { 7015 BPF_ST_MEM(0, BPF_REG_10, -4, 0), 7016 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7017 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 7018 BPF_LD_MAP_FD(BPF_REG_1, 0), 7019 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7020 BPF_FUNC_map_lookup_elem), 7021 BPF_ST_MEM(0, BPF_REG_10, -4, 0), 7022 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7023 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 7024 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 7025 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7026 BPF_FUNC_map_lookup_elem), 7027 BPF_MOV64_REG(BPF_REG_0, 0), 7028 BPF_EXIT_INSN(), 7029 }, 7030 .fixup_map_in_map = { 3 }, 7031 .errstr = "R1 type=map_value_or_null expected=map_ptr", 7032 .result = REJECT, 7033 }, 7034 { 7035 "ld_abs: check calling conv, r1", 7036 .insns = { 7037 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 7038 BPF_MOV64_IMM(BPF_REG_1, 0), 7039 BPF_LD_ABS(BPF_W, -0x200000), 7040 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1), 7041 BPF_EXIT_INSN(), 7042 }, 7043 .errstr = "R1 !read_ok", 7044 .result = REJECT, 7045 }, 7046 { 7047 "ld_abs: check calling conv, r2", 7048 .insns = { 7049 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 7050 BPF_MOV64_IMM(BPF_REG_2, 0), 7051 BPF_LD_ABS(BPF_W, -0x200000), 7052 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 7053 BPF_EXIT_INSN(), 7054 }, 7055 .errstr = "R2 !read_ok", 7056 .result = REJECT, 7057 }, 7058 { 7059 "ld_abs: check calling conv, r3", 7060 .insns = { 7061 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 7062 BPF_MOV64_IMM(BPF_REG_3, 0), 7063 BPF_LD_ABS(BPF_W, -0x200000), 7064 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3), 7065 BPF_EXIT_INSN(), 7066 }, 7067 .errstr = "R3 !read_ok", 7068 .result = REJECT, 7069 }, 7070 { 7071 "ld_abs: check calling conv, r4", 7072 .insns = { 7073 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 7074 BPF_MOV64_IMM(BPF_REG_4, 0), 7075 BPF_LD_ABS(BPF_W, -0x200000), 7076 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4), 7077 BPF_EXIT_INSN(), 7078 }, 7079 .errstr = "R4 !read_ok", 7080 .result = REJECT, 7081 }, 7082 { 7083 "ld_abs: check calling conv, r5", 7084 .insns = { 7085 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 7086 BPF_MOV64_IMM(BPF_REG_5, 0), 7087 BPF_LD_ABS(BPF_W, -0x200000), 7088 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5), 7089 BPF_EXIT_INSN(), 7090 }, 7091 .errstr = "R5 !read_ok", 7092 .result = REJECT, 7093 }, 7094 { 7095 "ld_abs: check calling conv, r7", 7096 .insns = { 7097 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 7098 BPF_MOV64_IMM(BPF_REG_7, 0), 7099 BPF_LD_ABS(BPF_W, -0x200000), 7100 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7), 7101 BPF_EXIT_INSN(), 7102 }, 7103 .result = ACCEPT, 7104 }, 7105 { 7106 "ld_abs: tests on r6 and skb data reload helper", 7107 .insns = { 7108 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 7109 BPF_LD_ABS(BPF_B, 0), 7110 BPF_LD_ABS(BPF_H, 0), 7111 BPF_LD_ABS(BPF_W, 0), 7112 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6), 7113 BPF_MOV64_IMM(BPF_REG_6, 0), 7114 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), 7115 BPF_MOV64_IMM(BPF_REG_2, 1), 7116 BPF_MOV64_IMM(BPF_REG_3, 2), 7117 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7118 BPF_FUNC_skb_vlan_push), 7119 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7), 7120 BPF_LD_ABS(BPF_B, 0), 7121 BPF_LD_ABS(BPF_H, 0), 7122 BPF_LD_ABS(BPF_W, 0), 7123 BPF_MOV64_IMM(BPF_REG_0, 42), 7124 BPF_EXIT_INSN(), 7125 }, 7126 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 7127 .result = ACCEPT, 7128 .retval = 42 /* ultimate return value */, 7129 }, 7130 { 7131 "ld_ind: check calling conv, r1", 7132 .insns = { 7133 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 7134 BPF_MOV64_IMM(BPF_REG_1, 1), 7135 BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000), 7136 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1), 7137 BPF_EXIT_INSN(), 7138 }, 7139 .errstr = "R1 !read_ok", 7140 .result = REJECT, 7141 }, 7142 { 7143 "ld_ind: check calling conv, r2", 7144 .insns = { 7145 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 7146 BPF_MOV64_IMM(BPF_REG_2, 1), 7147 BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000), 7148 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 7149 BPF_EXIT_INSN(), 7150 }, 7151 .errstr = "R2 !read_ok", 7152 .result = REJECT, 7153 }, 7154 { 7155 "ld_ind: check calling conv, r3", 7156 .insns = { 7157 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 7158 BPF_MOV64_IMM(BPF_REG_3, 1), 7159 BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000), 7160 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3), 7161 BPF_EXIT_INSN(), 7162 }, 7163 .errstr = "R3 !read_ok", 7164 .result = REJECT, 7165 }, 7166 { 7167 "ld_ind: check calling conv, r4", 7168 .insns = { 7169 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 7170 BPF_MOV64_IMM(BPF_REG_4, 1), 7171 BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000), 7172 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4), 7173 BPF_EXIT_INSN(), 7174 }, 7175 .errstr = "R4 !read_ok", 7176 .result = REJECT, 7177 }, 7178 { 7179 "ld_ind: check calling conv, r5", 7180 .insns = { 7181 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 7182 BPF_MOV64_IMM(BPF_REG_5, 1), 7183 BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000), 7184 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5), 7185 BPF_EXIT_INSN(), 7186 }, 7187 .errstr = "R5 !read_ok", 7188 .result = REJECT, 7189 }, 7190 { 7191 "ld_ind: check calling conv, r7", 7192 .insns = { 7193 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 7194 BPF_MOV64_IMM(BPF_REG_7, 1), 7195 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000), 7196 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7), 7197 BPF_EXIT_INSN(), 7198 }, 7199 .result = ACCEPT, 7200 .retval = 1, 7201 }, 7202 { 7203 "check bpf_perf_event_data->sample_period byte load permitted", 7204 .insns = { 7205 BPF_MOV64_IMM(BPF_REG_0, 0), 7206 #if __BYTE_ORDER == __LITTLE_ENDIAN 7207 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 7208 offsetof(struct bpf_perf_event_data, sample_period)), 7209 #else 7210 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 7211 offsetof(struct bpf_perf_event_data, sample_period) + 7), 7212 #endif 7213 BPF_EXIT_INSN(), 7214 }, 7215 .result = ACCEPT, 7216 .prog_type = BPF_PROG_TYPE_PERF_EVENT, 7217 }, 7218 { 7219 "check bpf_perf_event_data->sample_period half load permitted", 7220 .insns = { 7221 BPF_MOV64_IMM(BPF_REG_0, 0), 7222 #if __BYTE_ORDER == __LITTLE_ENDIAN 7223 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 7224 offsetof(struct bpf_perf_event_data, sample_period)), 7225 #else 7226 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 7227 offsetof(struct bpf_perf_event_data, sample_period) + 6), 7228 #endif 7229 BPF_EXIT_INSN(), 7230 }, 7231 .result = ACCEPT, 7232 .prog_type = BPF_PROG_TYPE_PERF_EVENT, 7233 }, 7234 { 7235 "check bpf_perf_event_data->sample_period word load permitted", 7236 .insns = { 7237 BPF_MOV64_IMM(BPF_REG_0, 0), 7238 #if __BYTE_ORDER == __LITTLE_ENDIAN 7239 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 7240 offsetof(struct bpf_perf_event_data, sample_period)), 7241 #else 7242 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 7243 offsetof(struct bpf_perf_event_data, sample_period) + 4), 7244 #endif 7245 BPF_EXIT_INSN(), 7246 }, 7247 .result = ACCEPT, 7248 .prog_type = BPF_PROG_TYPE_PERF_EVENT, 7249 }, 7250 { 7251 "check bpf_perf_event_data->sample_period dword load permitted", 7252 .insns = { 7253 BPF_MOV64_IMM(BPF_REG_0, 0), 7254 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 7255 offsetof(struct bpf_perf_event_data, sample_period)), 7256 BPF_EXIT_INSN(), 7257 }, 7258 .result = ACCEPT, 7259 .prog_type = BPF_PROG_TYPE_PERF_EVENT, 7260 }, 7261 { 7262 "check skb->data half load not permitted", 7263 .insns = { 7264 BPF_MOV64_IMM(BPF_REG_0, 0), 7265 #if __BYTE_ORDER == __LITTLE_ENDIAN 7266 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 7267 offsetof(struct __sk_buff, data)), 7268 #else 7269 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 7270 offsetof(struct __sk_buff, data) + 2), 7271 #endif 7272 BPF_EXIT_INSN(), 7273 }, 7274 .result = REJECT, 7275 .errstr = "invalid bpf_context access", 7276 }, 7277 { 7278 "check skb->tc_classid half load not permitted for lwt prog", 7279 .insns = { 7280 BPF_MOV64_IMM(BPF_REG_0, 0), 7281 #if __BYTE_ORDER == __LITTLE_ENDIAN 7282 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 7283 offsetof(struct __sk_buff, tc_classid)), 7284 #else 7285 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 7286 offsetof(struct __sk_buff, tc_classid) + 2), 7287 #endif 7288 BPF_EXIT_INSN(), 7289 }, 7290 .result = REJECT, 7291 .errstr = "invalid bpf_context access", 7292 .prog_type = BPF_PROG_TYPE_LWT_IN, 7293 }, 7294 { 7295 "bounds checks mixing signed and unsigned, positive bounds", 7296 .insns = { 7297 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7298 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7299 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7300 BPF_LD_MAP_FD(BPF_REG_1, 0), 7301 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7302 BPF_FUNC_map_lookup_elem), 7303 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 7304 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 7305 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 7306 BPF_MOV64_IMM(BPF_REG_2, 2), 7307 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3), 7308 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 4, 2), 7309 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 7310 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 7311 BPF_MOV64_IMM(BPF_REG_0, 0), 7312 BPF_EXIT_INSN(), 7313 }, 7314 .fixup_map1 = { 3 }, 7315 .errstr = "unbounded min value", 7316 .result = REJECT, 7317 }, 7318 { 7319 "bounds checks mixing signed and unsigned", 7320 .insns = { 7321 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7322 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7323 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7324 BPF_LD_MAP_FD(BPF_REG_1, 0), 7325 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7326 BPF_FUNC_map_lookup_elem), 7327 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 7328 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 7329 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 7330 BPF_MOV64_IMM(BPF_REG_2, -1), 7331 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3), 7332 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2), 7333 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 7334 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 7335 BPF_MOV64_IMM(BPF_REG_0, 0), 7336 BPF_EXIT_INSN(), 7337 }, 7338 .fixup_map1 = { 3 }, 7339 .errstr = "unbounded min value", 7340 .result = REJECT, 7341 }, 7342 { 7343 "bounds checks mixing signed and unsigned, variant 2", 7344 .insns = { 7345 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7346 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7347 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7348 BPF_LD_MAP_FD(BPF_REG_1, 0), 7349 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7350 BPF_FUNC_map_lookup_elem), 7351 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 7352 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 7353 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 7354 BPF_MOV64_IMM(BPF_REG_2, -1), 7355 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5), 7356 BPF_MOV64_IMM(BPF_REG_8, 0), 7357 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_1), 7358 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2), 7359 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8), 7360 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0), 7361 BPF_MOV64_IMM(BPF_REG_0, 0), 7362 BPF_EXIT_INSN(), 7363 }, 7364 .fixup_map1 = { 3 }, 7365 .errstr = "unbounded min value", 7366 .result = REJECT, 7367 }, 7368 { 7369 "bounds checks mixing signed and unsigned, variant 3", 7370 .insns = { 7371 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7372 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7373 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7374 BPF_LD_MAP_FD(BPF_REG_1, 0), 7375 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7376 BPF_FUNC_map_lookup_elem), 7377 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8), 7378 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 7379 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 7380 BPF_MOV64_IMM(BPF_REG_2, -1), 7381 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4), 7382 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1), 7383 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2), 7384 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8), 7385 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0), 7386 BPF_MOV64_IMM(BPF_REG_0, 0), 7387 BPF_EXIT_INSN(), 7388 }, 7389 .fixup_map1 = { 3 }, 7390 .errstr = "unbounded min value", 7391 .result = REJECT, 7392 }, 7393 { 7394 "bounds checks mixing signed and unsigned, variant 4", 7395 .insns = { 7396 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7397 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7398 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7399 BPF_LD_MAP_FD(BPF_REG_1, 0), 7400 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7401 BPF_FUNC_map_lookup_elem), 7402 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 7403 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 7404 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 7405 BPF_MOV64_IMM(BPF_REG_2, 1), 7406 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2), 7407 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2), 7408 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 7409 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 7410 BPF_MOV64_IMM(BPF_REG_0, 0), 7411 BPF_EXIT_INSN(), 7412 }, 7413 .fixup_map1 = { 3 }, 7414 .result = ACCEPT, 7415 }, 7416 { 7417 "bounds checks mixing signed and unsigned, variant 5", 7418 .insns = { 7419 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7420 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7421 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7422 BPF_LD_MAP_FD(BPF_REG_1, 0), 7423 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7424 BPF_FUNC_map_lookup_elem), 7425 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 7426 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 7427 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 7428 BPF_MOV64_IMM(BPF_REG_2, -1), 7429 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5), 7430 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 4), 7431 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4), 7432 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), 7433 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 7434 BPF_MOV64_IMM(BPF_REG_0, 0), 7435 BPF_EXIT_INSN(), 7436 }, 7437 .fixup_map1 = { 3 }, 7438 .errstr = "unbounded min value", 7439 .result = REJECT, 7440 }, 7441 { 7442 "bounds checks mixing signed and unsigned, variant 6", 7443 .insns = { 7444 BPF_MOV64_IMM(BPF_REG_2, 0), 7445 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10), 7446 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512), 7447 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 7448 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16), 7449 BPF_MOV64_IMM(BPF_REG_6, -1), 7450 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5), 7451 BPF_JMP_IMM(BPF_JSGT, BPF_REG_4, 1, 4), 7452 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1), 7453 BPF_MOV64_IMM(BPF_REG_5, 0), 7454 BPF_ST_MEM(BPF_H, BPF_REG_10, -512, 0), 7455 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7456 BPF_FUNC_skb_load_bytes), 7457 BPF_MOV64_IMM(BPF_REG_0, 0), 7458 BPF_EXIT_INSN(), 7459 }, 7460 .errstr = "R4 min value is negative, either use unsigned", 7461 .result = REJECT, 7462 }, 7463 { 7464 "bounds checks mixing signed and unsigned, variant 7", 7465 .insns = { 7466 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7467 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7468 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7469 BPF_LD_MAP_FD(BPF_REG_1, 0), 7470 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7471 BPF_FUNC_map_lookup_elem), 7472 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7), 7473 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 7474 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 7475 BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024), 7476 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3), 7477 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2), 7478 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 7479 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 7480 BPF_MOV64_IMM(BPF_REG_0, 0), 7481 BPF_EXIT_INSN(), 7482 }, 7483 .fixup_map1 = { 3 }, 7484 .result = ACCEPT, 7485 }, 7486 { 7487 "bounds checks mixing signed and unsigned, variant 8", 7488 .insns = { 7489 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7490 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7491 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7492 BPF_LD_MAP_FD(BPF_REG_1, 0), 7493 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7494 BPF_FUNC_map_lookup_elem), 7495 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 7496 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 7497 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 7498 BPF_MOV64_IMM(BPF_REG_2, -1), 7499 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2), 7500 BPF_MOV64_IMM(BPF_REG_0, 0), 7501 BPF_EXIT_INSN(), 7502 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2), 7503 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 7504 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 7505 BPF_MOV64_IMM(BPF_REG_0, 0), 7506 BPF_EXIT_INSN(), 7507 }, 7508 .fixup_map1 = { 3 }, 7509 .errstr = "unbounded min value", 7510 .result = REJECT, 7511 }, 7512 { 7513 "bounds checks mixing signed and unsigned, variant 9", 7514 .insns = { 7515 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7516 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7517 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7518 BPF_LD_MAP_FD(BPF_REG_1, 0), 7519 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7520 BPF_FUNC_map_lookup_elem), 7521 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10), 7522 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 7523 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 7524 BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL), 7525 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2), 7526 BPF_MOV64_IMM(BPF_REG_0, 0), 7527 BPF_EXIT_INSN(), 7528 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2), 7529 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 7530 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 7531 BPF_MOV64_IMM(BPF_REG_0, 0), 7532 BPF_EXIT_INSN(), 7533 }, 7534 .fixup_map1 = { 3 }, 7535 .result = ACCEPT, 7536 }, 7537 { 7538 "bounds checks mixing signed and unsigned, variant 10", 7539 .insns = { 7540 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7541 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7542 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7543 BPF_LD_MAP_FD(BPF_REG_1, 0), 7544 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7545 BPF_FUNC_map_lookup_elem), 7546 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 7547 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 7548 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 7549 BPF_MOV64_IMM(BPF_REG_2, 0), 7550 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2), 7551 BPF_MOV64_IMM(BPF_REG_0, 0), 7552 BPF_EXIT_INSN(), 7553 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2), 7554 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 7555 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 7556 BPF_MOV64_IMM(BPF_REG_0, 0), 7557 BPF_EXIT_INSN(), 7558 }, 7559 .fixup_map1 = { 3 }, 7560 .errstr = "unbounded min value", 7561 .result = REJECT, 7562 }, 7563 { 7564 "bounds checks mixing signed and unsigned, variant 11", 7565 .insns = { 7566 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7567 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7568 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7569 BPF_LD_MAP_FD(BPF_REG_1, 0), 7570 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7571 BPF_FUNC_map_lookup_elem), 7572 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 7573 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 7574 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 7575 BPF_MOV64_IMM(BPF_REG_2, -1), 7576 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2), 7577 /* Dead branch. */ 7578 BPF_MOV64_IMM(BPF_REG_0, 0), 7579 BPF_EXIT_INSN(), 7580 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2), 7581 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 7582 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 7583 BPF_MOV64_IMM(BPF_REG_0, 0), 7584 BPF_EXIT_INSN(), 7585 }, 7586 .fixup_map1 = { 3 }, 7587 .errstr = "unbounded min value", 7588 .result = REJECT, 7589 }, 7590 { 7591 "bounds checks mixing signed and unsigned, variant 12", 7592 .insns = { 7593 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7594 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7595 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7596 BPF_LD_MAP_FD(BPF_REG_1, 0), 7597 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7598 BPF_FUNC_map_lookup_elem), 7599 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 7600 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 7601 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 7602 BPF_MOV64_IMM(BPF_REG_2, -6), 7603 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2), 7604 BPF_MOV64_IMM(BPF_REG_0, 0), 7605 BPF_EXIT_INSN(), 7606 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2), 7607 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 7608 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 7609 BPF_MOV64_IMM(BPF_REG_0, 0), 7610 BPF_EXIT_INSN(), 7611 }, 7612 .fixup_map1 = { 3 }, 7613 .errstr = "unbounded min value", 7614 .result = REJECT, 7615 }, 7616 { 7617 "bounds checks mixing signed and unsigned, variant 13", 7618 .insns = { 7619 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7620 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7621 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7622 BPF_LD_MAP_FD(BPF_REG_1, 0), 7623 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7624 BPF_FUNC_map_lookup_elem), 7625 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 7626 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 7627 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 7628 BPF_MOV64_IMM(BPF_REG_2, 2), 7629 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2), 7630 BPF_MOV64_IMM(BPF_REG_7, 1), 7631 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 0, 2), 7632 BPF_MOV64_IMM(BPF_REG_0, 0), 7633 BPF_EXIT_INSN(), 7634 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_1), 7635 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 4, 2), 7636 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_7), 7637 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 7638 BPF_MOV64_IMM(BPF_REG_0, 0), 7639 BPF_EXIT_INSN(), 7640 }, 7641 .fixup_map1 = { 3 }, 7642 .errstr = "unbounded min value", 7643 .result = REJECT, 7644 }, 7645 { 7646 "bounds checks mixing signed and unsigned, variant 14", 7647 .insns = { 7648 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1, 7649 offsetof(struct __sk_buff, mark)), 7650 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7651 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7652 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7653 BPF_LD_MAP_FD(BPF_REG_1, 0), 7654 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7655 BPF_FUNC_map_lookup_elem), 7656 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8), 7657 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 7658 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 7659 BPF_MOV64_IMM(BPF_REG_2, -1), 7660 BPF_MOV64_IMM(BPF_REG_8, 2), 7661 BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 42, 6), 7662 BPF_JMP_REG(BPF_JSGT, BPF_REG_8, BPF_REG_1, 3), 7663 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2), 7664 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 7665 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 7666 BPF_MOV64_IMM(BPF_REG_0, 0), 7667 BPF_EXIT_INSN(), 7668 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3), 7669 BPF_JMP_IMM(BPF_JA, 0, 0, -7), 7670 }, 7671 .fixup_map1 = { 4 }, 7672 .errstr = "R0 invalid mem access 'inv'", 7673 .result = REJECT, 7674 }, 7675 { 7676 "bounds checks mixing signed and unsigned, variant 15", 7677 .insns = { 7678 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7679 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7680 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7681 BPF_LD_MAP_FD(BPF_REG_1, 0), 7682 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7683 BPF_FUNC_map_lookup_elem), 7684 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 7685 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8), 7686 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16), 7687 BPF_MOV64_IMM(BPF_REG_2, -6), 7688 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2), 7689 BPF_MOV64_IMM(BPF_REG_0, 0), 7690 BPF_EXIT_INSN(), 7691 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 7692 BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 1, 2), 7693 BPF_MOV64_IMM(BPF_REG_0, 0), 7694 BPF_EXIT_INSN(), 7695 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0), 7696 BPF_MOV64_IMM(BPF_REG_0, 0), 7697 BPF_EXIT_INSN(), 7698 }, 7699 .fixup_map1 = { 3 }, 7700 .errstr = "unbounded min value", 7701 .result = REJECT, 7702 .result_unpriv = REJECT, 7703 }, 7704 { 7705 "subtraction bounds (map value) variant 1", 7706 .insns = { 7707 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7708 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7709 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7710 BPF_LD_MAP_FD(BPF_REG_1, 0), 7711 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7712 BPF_FUNC_map_lookup_elem), 7713 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 7714 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 7715 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7), 7716 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1), 7717 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5), 7718 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3), 7719 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56), 7720 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 7721 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 7722 BPF_EXIT_INSN(), 7723 BPF_MOV64_IMM(BPF_REG_0, 0), 7724 BPF_EXIT_INSN(), 7725 }, 7726 .fixup_map1 = { 3 }, 7727 .errstr = "R0 max value is outside of the array range", 7728 .result = REJECT, 7729 }, 7730 { 7731 "subtraction bounds (map value) variant 2", 7732 .insns = { 7733 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7734 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7735 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7736 BPF_LD_MAP_FD(BPF_REG_1, 0), 7737 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7738 BPF_FUNC_map_lookup_elem), 7739 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8), 7740 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 7741 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6), 7742 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1), 7743 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4), 7744 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3), 7745 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 7746 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 7747 BPF_EXIT_INSN(), 7748 BPF_MOV64_IMM(BPF_REG_0, 0), 7749 BPF_EXIT_INSN(), 7750 }, 7751 .fixup_map1 = { 3 }, 7752 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.", 7753 .result = REJECT, 7754 }, 7755 { 7756 "bounds check based on zero-extended MOV", 7757 .insns = { 7758 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7759 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7760 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7761 BPF_LD_MAP_FD(BPF_REG_1, 0), 7762 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7763 BPF_FUNC_map_lookup_elem), 7764 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 7765 /* r2 = 0x0000'0000'ffff'ffff */ 7766 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff), 7767 /* r2 = 0 */ 7768 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32), 7769 /* no-op */ 7770 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 7771 /* access at offset 0 */ 7772 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 7773 /* exit */ 7774 BPF_MOV64_IMM(BPF_REG_0, 0), 7775 BPF_EXIT_INSN(), 7776 }, 7777 .fixup_map1 = { 3 }, 7778 .result = ACCEPT 7779 }, 7780 { 7781 "bounds check based on sign-extended MOV. test1", 7782 .insns = { 7783 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7784 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7785 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7786 BPF_LD_MAP_FD(BPF_REG_1, 0), 7787 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7788 BPF_FUNC_map_lookup_elem), 7789 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 7790 /* r2 = 0xffff'ffff'ffff'ffff */ 7791 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff), 7792 /* r2 = 0xffff'ffff */ 7793 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32), 7794 /* r0 = <oob pointer> */ 7795 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 7796 /* access to OOB pointer */ 7797 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 7798 /* exit */ 7799 BPF_MOV64_IMM(BPF_REG_0, 0), 7800 BPF_EXIT_INSN(), 7801 }, 7802 .fixup_map1 = { 3 }, 7803 .errstr = "map_value pointer and 4294967295", 7804 .result = REJECT 7805 }, 7806 { 7807 "bounds check based on sign-extended MOV. test2", 7808 .insns = { 7809 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7810 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7811 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7812 BPF_LD_MAP_FD(BPF_REG_1, 0), 7813 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7814 BPF_FUNC_map_lookup_elem), 7815 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 7816 /* r2 = 0xffff'ffff'ffff'ffff */ 7817 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff), 7818 /* r2 = 0xfff'ffff */ 7819 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 36), 7820 /* r0 = <oob pointer> */ 7821 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 7822 /* access to OOB pointer */ 7823 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 7824 /* exit */ 7825 BPF_MOV64_IMM(BPF_REG_0, 0), 7826 BPF_EXIT_INSN(), 7827 }, 7828 .fixup_map1 = { 3 }, 7829 .errstr = "R0 min value is outside of the array range", 7830 .result = REJECT 7831 }, 7832 { 7833 "bounds check based on reg_off + var_off + insn_off. test1", 7834 .insns = { 7835 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 7836 offsetof(struct __sk_buff, mark)), 7837 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7838 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7839 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7840 BPF_LD_MAP_FD(BPF_REG_1, 0), 7841 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7842 BPF_FUNC_map_lookup_elem), 7843 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 7844 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1), 7845 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 29) - 1), 7846 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6), 7847 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1), 7848 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3), 7849 BPF_MOV64_IMM(BPF_REG_0, 0), 7850 BPF_EXIT_INSN(), 7851 }, 7852 .fixup_map1 = { 4 }, 7853 .errstr = "value_size=8 off=1073741825", 7854 .result = REJECT, 7855 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 7856 }, 7857 { 7858 "bounds check based on reg_off + var_off + insn_off. test2", 7859 .insns = { 7860 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 7861 offsetof(struct __sk_buff, mark)), 7862 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7863 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7864 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7865 BPF_LD_MAP_FD(BPF_REG_1, 0), 7866 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7867 BPF_FUNC_map_lookup_elem), 7868 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4), 7869 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1), 7870 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 30) - 1), 7871 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6), 7872 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1), 7873 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3), 7874 BPF_MOV64_IMM(BPF_REG_0, 0), 7875 BPF_EXIT_INSN(), 7876 }, 7877 .fixup_map1 = { 4 }, 7878 .errstr = "value 1073741823", 7879 .result = REJECT, 7880 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 7881 }, 7882 { 7883 "bounds check after truncation of non-boundary-crossing range", 7884 .insns = { 7885 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7886 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7887 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7888 BPF_LD_MAP_FD(BPF_REG_1, 0), 7889 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7890 BPF_FUNC_map_lookup_elem), 7891 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 7892 /* r1 = [0x00, 0xff] */ 7893 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 7894 BPF_MOV64_IMM(BPF_REG_2, 1), 7895 /* r2 = 0x10'0000'0000 */ 7896 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 36), 7897 /* r1 = [0x10'0000'0000, 0x10'0000'00ff] */ 7898 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2), 7899 /* r1 = [0x10'7fff'ffff, 0x10'8000'00fe] */ 7900 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff), 7901 /* r1 = [0x00, 0xff] */ 7902 BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 0x7fffffff), 7903 /* r1 = 0 */ 7904 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8), 7905 /* no-op */ 7906 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 7907 /* access at offset 0 */ 7908 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 7909 /* exit */ 7910 BPF_MOV64_IMM(BPF_REG_0, 0), 7911 BPF_EXIT_INSN(), 7912 }, 7913 .fixup_map1 = { 3 }, 7914 .result = ACCEPT 7915 }, 7916 { 7917 "bounds check after truncation of boundary-crossing range (1)", 7918 .insns = { 7919 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7920 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7921 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7922 BPF_LD_MAP_FD(BPF_REG_1, 0), 7923 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7924 BPF_FUNC_map_lookup_elem), 7925 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 7926 /* r1 = [0x00, 0xff] */ 7927 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 7928 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1), 7929 /* r1 = [0xffff'ff80, 0x1'0000'007f] */ 7930 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1), 7931 /* r1 = [0xffff'ff80, 0xffff'ffff] or 7932 * [0x0000'0000, 0x0000'007f] 7933 */ 7934 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 0), 7935 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1), 7936 /* r1 = [0x00, 0xff] or 7937 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff] 7938 */ 7939 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1), 7940 /* r1 = 0 or 7941 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff] 7942 */ 7943 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8), 7944 /* no-op or OOB pointer computation */ 7945 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 7946 /* potentially OOB access */ 7947 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 7948 /* exit */ 7949 BPF_MOV64_IMM(BPF_REG_0, 0), 7950 BPF_EXIT_INSN(), 7951 }, 7952 .fixup_map1 = { 3 }, 7953 /* not actually fully unbounded, but the bound is very high */ 7954 .errstr = "R0 unbounded memory access", 7955 .result = REJECT 7956 }, 7957 { 7958 "bounds check after truncation of boundary-crossing range (2)", 7959 .insns = { 7960 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 7961 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 7962 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 7963 BPF_LD_MAP_FD(BPF_REG_1, 0), 7964 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 7965 BPF_FUNC_map_lookup_elem), 7966 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9), 7967 /* r1 = [0x00, 0xff] */ 7968 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 7969 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1), 7970 /* r1 = [0xffff'ff80, 0x1'0000'007f] */ 7971 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1), 7972 /* r1 = [0xffff'ff80, 0xffff'ffff] or 7973 * [0x0000'0000, 0x0000'007f] 7974 * difference to previous test: truncation via MOV32 7975 * instead of ALU32. 7976 */ 7977 BPF_MOV32_REG(BPF_REG_1, BPF_REG_1), 7978 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1), 7979 /* r1 = [0x00, 0xff] or 7980 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff] 7981 */ 7982 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1), 7983 /* r1 = 0 or 7984 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff] 7985 */ 7986 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8), 7987 /* no-op or OOB pointer computation */ 7988 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 7989 /* potentially OOB access */ 7990 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 7991 /* exit */ 7992 BPF_MOV64_IMM(BPF_REG_0, 0), 7993 BPF_EXIT_INSN(), 7994 }, 7995 .fixup_map1 = { 3 }, 7996 /* not actually fully unbounded, but the bound is very high */ 7997 .errstr = "R0 unbounded memory access", 7998 .result = REJECT 7999 }, 8000 { 8001 "bounds check after wrapping 32-bit addition", 8002 .insns = { 8003 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 8004 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 8005 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 8006 BPF_LD_MAP_FD(BPF_REG_1, 0), 8007 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 8008 BPF_FUNC_map_lookup_elem), 8009 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5), 8010 /* r1 = 0x7fff'ffff */ 8011 BPF_MOV64_IMM(BPF_REG_1, 0x7fffffff), 8012 /* r1 = 0xffff'fffe */ 8013 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff), 8014 /* r1 = 0 */ 8015 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 2), 8016 /* no-op */ 8017 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 8018 /* access at offset 0 */ 8019 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 8020 /* exit */ 8021 BPF_MOV64_IMM(BPF_REG_0, 0), 8022 BPF_EXIT_INSN(), 8023 }, 8024 .fixup_map1 = { 3 }, 8025 .result = ACCEPT 8026 }, 8027 { 8028 "bounds check after shift with oversized count operand", 8029 .insns = { 8030 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 8031 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 8032 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 8033 BPF_LD_MAP_FD(BPF_REG_1, 0), 8034 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 8035 BPF_FUNC_map_lookup_elem), 8036 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 8037 BPF_MOV64_IMM(BPF_REG_2, 32), 8038 BPF_MOV64_IMM(BPF_REG_1, 1), 8039 /* r1 = (u32)1 << (u32)32 = ? */ 8040 BPF_ALU32_REG(BPF_LSH, BPF_REG_1, BPF_REG_2), 8041 /* r1 = [0x0000, 0xffff] */ 8042 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xffff), 8043 /* computes unknown pointer, potentially OOB */ 8044 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 8045 /* potentially OOB access */ 8046 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 8047 /* exit */ 8048 BPF_MOV64_IMM(BPF_REG_0, 0), 8049 BPF_EXIT_INSN(), 8050 }, 8051 .fixup_map1 = { 3 }, 8052 .errstr = "R0 max value is outside of the array range", 8053 .result = REJECT 8054 }, 8055 { 8056 "bounds check after right shift of maybe-negative number", 8057 .insns = { 8058 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 8059 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 8060 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 8061 BPF_LD_MAP_FD(BPF_REG_1, 0), 8062 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 8063 BPF_FUNC_map_lookup_elem), 8064 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6), 8065 /* r1 = [0x00, 0xff] */ 8066 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 8067 /* r1 = [-0x01, 0xfe] */ 8068 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1), 8069 /* r1 = 0 or 0xff'ffff'ffff'ffff */ 8070 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8), 8071 /* r1 = 0 or 0xffff'ffff'ffff */ 8072 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8), 8073 /* computes unknown pointer, potentially OOB */ 8074 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 8075 /* potentially OOB access */ 8076 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 8077 /* exit */ 8078 BPF_MOV64_IMM(BPF_REG_0, 0), 8079 BPF_EXIT_INSN(), 8080 }, 8081 .fixup_map1 = { 3 }, 8082 .errstr = "R0 unbounded memory access", 8083 .result = REJECT 8084 }, 8085 { 8086 "bounds check map access with off+size signed 32bit overflow. test1", 8087 .insns = { 8088 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 8089 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 8090 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 8091 BPF_LD_MAP_FD(BPF_REG_1, 0), 8092 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 8093 BPF_FUNC_map_lookup_elem), 8094 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 8095 BPF_EXIT_INSN(), 8096 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7ffffffe), 8097 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), 8098 BPF_JMP_A(0), 8099 BPF_EXIT_INSN(), 8100 }, 8101 .fixup_map1 = { 3 }, 8102 .errstr = "map_value pointer and 2147483646", 8103 .result = REJECT 8104 }, 8105 { 8106 "bounds check map access with off+size signed 32bit overflow. test2", 8107 .insns = { 8108 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 8109 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 8110 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 8111 BPF_LD_MAP_FD(BPF_REG_1, 0), 8112 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 8113 BPF_FUNC_map_lookup_elem), 8114 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 8115 BPF_EXIT_INSN(), 8116 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff), 8117 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff), 8118 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff), 8119 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), 8120 BPF_JMP_A(0), 8121 BPF_EXIT_INSN(), 8122 }, 8123 .fixup_map1 = { 3 }, 8124 .errstr = "pointer offset 1073741822", 8125 .result = REJECT 8126 }, 8127 { 8128 "bounds check map access with off+size signed 32bit overflow. test3", 8129 .insns = { 8130 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 8131 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 8132 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 8133 BPF_LD_MAP_FD(BPF_REG_1, 0), 8134 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 8135 BPF_FUNC_map_lookup_elem), 8136 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 8137 BPF_EXIT_INSN(), 8138 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff), 8139 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff), 8140 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2), 8141 BPF_JMP_A(0), 8142 BPF_EXIT_INSN(), 8143 }, 8144 .fixup_map1 = { 3 }, 8145 .errstr = "pointer offset -1073741822", 8146 .result = REJECT 8147 }, 8148 { 8149 "bounds check map access with off+size signed 32bit overflow. test4", 8150 .insns = { 8151 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 8152 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 8153 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 8154 BPF_LD_MAP_FD(BPF_REG_1, 0), 8155 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 8156 BPF_FUNC_map_lookup_elem), 8157 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 8158 BPF_EXIT_INSN(), 8159 BPF_MOV64_IMM(BPF_REG_1, 1000000), 8160 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 1000000), 8161 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 8162 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2), 8163 BPF_JMP_A(0), 8164 BPF_EXIT_INSN(), 8165 }, 8166 .fixup_map1 = { 3 }, 8167 .errstr = "map_value pointer and 1000000000000", 8168 .result = REJECT 8169 }, 8170 { 8171 "pointer/scalar confusion in state equality check (way 1)", 8172 .insns = { 8173 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 8174 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 8175 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 8176 BPF_LD_MAP_FD(BPF_REG_1, 0), 8177 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 8178 BPF_FUNC_map_lookup_elem), 8179 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 8180 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), 8181 BPF_JMP_A(1), 8182 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10), 8183 BPF_JMP_A(0), 8184 BPF_EXIT_INSN(), 8185 }, 8186 .fixup_map1 = { 3 }, 8187 .result = ACCEPT, 8188 .retval = POINTER_VALUE, 8189 .result_unpriv = REJECT, 8190 .errstr_unpriv = "R0 leaks addr as return value" 8191 }, 8192 { 8193 "pointer/scalar confusion in state equality check (way 2)", 8194 .insns = { 8195 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 8196 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 8197 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 8198 BPF_LD_MAP_FD(BPF_REG_1, 0), 8199 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 8200 BPF_FUNC_map_lookup_elem), 8201 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), 8202 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10), 8203 BPF_JMP_A(1), 8204 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), 8205 BPF_EXIT_INSN(), 8206 }, 8207 .fixup_map1 = { 3 }, 8208 .result = ACCEPT, 8209 .retval = POINTER_VALUE, 8210 .result_unpriv = REJECT, 8211 .errstr_unpriv = "R0 leaks addr as return value" 8212 }, 8213 { 8214 "variable-offset ctx access", 8215 .insns = { 8216 /* Get an unknown value */ 8217 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0), 8218 /* Make it small and 4-byte aligned */ 8219 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4), 8220 /* add it to skb. We now have either &skb->len or 8221 * &skb->pkt_type, but we don't know which 8222 */ 8223 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2), 8224 /* dereference it */ 8225 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0), 8226 BPF_EXIT_INSN(), 8227 }, 8228 .errstr = "variable ctx access var_off=(0x0; 0x4)", 8229 .result = REJECT, 8230 .prog_type = BPF_PROG_TYPE_LWT_IN, 8231 }, 8232 { 8233 "variable-offset stack access", 8234 .insns = { 8235 /* Fill the top 8 bytes of the stack */ 8236 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 8237 /* Get an unknown value */ 8238 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0), 8239 /* Make it small and 4-byte aligned */ 8240 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4), 8241 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8), 8242 /* add it to fp. We now have either fp-4 or fp-8, but 8243 * we don't know which 8244 */ 8245 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10), 8246 /* dereference it */ 8247 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0), 8248 BPF_EXIT_INSN(), 8249 }, 8250 .errstr = "variable stack access var_off=(0xfffffffffffffff8; 0x4)", 8251 .result = REJECT, 8252 .prog_type = BPF_PROG_TYPE_LWT_IN, 8253 }, 8254 { 8255 "indirect variable-offset stack access", 8256 .insns = { 8257 /* Fill the top 8 bytes of the stack */ 8258 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 8259 /* Get an unknown value */ 8260 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0), 8261 /* Make it small and 4-byte aligned */ 8262 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4), 8263 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8), 8264 /* add it to fp. We now have either fp-4 or fp-8, but 8265 * we don't know which 8266 */ 8267 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10), 8268 /* dereference it indirectly */ 8269 BPF_LD_MAP_FD(BPF_REG_1, 0), 8270 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 8271 BPF_FUNC_map_lookup_elem), 8272 BPF_MOV64_IMM(BPF_REG_0, 0), 8273 BPF_EXIT_INSN(), 8274 }, 8275 .fixup_map1 = { 5 }, 8276 .errstr = "variable stack read R2", 8277 .result = REJECT, 8278 .prog_type = BPF_PROG_TYPE_LWT_IN, 8279 }, 8280 { 8281 "direct stack access with 32-bit wraparound. test1", 8282 .insns = { 8283 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 8284 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff), 8285 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff), 8286 BPF_MOV32_IMM(BPF_REG_0, 0), 8287 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 8288 BPF_EXIT_INSN() 8289 }, 8290 .errstr = "fp pointer and 2147483647", 8291 .result = REJECT 8292 }, 8293 { 8294 "direct stack access with 32-bit wraparound. test2", 8295 .insns = { 8296 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 8297 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff), 8298 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff), 8299 BPF_MOV32_IMM(BPF_REG_0, 0), 8300 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 8301 BPF_EXIT_INSN() 8302 }, 8303 .errstr = "fp pointer and 1073741823", 8304 .result = REJECT 8305 }, 8306 { 8307 "direct stack access with 32-bit wraparound. test3", 8308 .insns = { 8309 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 8310 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff), 8311 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff), 8312 BPF_MOV32_IMM(BPF_REG_0, 0), 8313 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0), 8314 BPF_EXIT_INSN() 8315 }, 8316 .errstr = "fp pointer offset 1073741822", 8317 .result = REJECT 8318 }, 8319 { 8320 "liveness pruning and write screening", 8321 .insns = { 8322 /* Get an unknown value */ 8323 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0), 8324 /* branch conditions teach us nothing about R2 */ 8325 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1), 8326 BPF_MOV64_IMM(BPF_REG_0, 0), 8327 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1), 8328 BPF_MOV64_IMM(BPF_REG_0, 0), 8329 BPF_EXIT_INSN(), 8330 }, 8331 .errstr = "R0 !read_ok", 8332 .result = REJECT, 8333 .prog_type = BPF_PROG_TYPE_LWT_IN, 8334 }, 8335 { 8336 "varlen_map_value_access pruning", 8337 .insns = { 8338 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 8339 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 8340 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 8341 BPF_LD_MAP_FD(BPF_REG_1, 0), 8342 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 8343 BPF_FUNC_map_lookup_elem), 8344 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8), 8345 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 8346 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES), 8347 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1), 8348 BPF_MOV32_IMM(BPF_REG_1, 0), 8349 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2), 8350 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), 8351 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 8352 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 8353 offsetof(struct test_val, foo)), 8354 BPF_EXIT_INSN(), 8355 }, 8356 .fixup_map2 = { 3 }, 8357 .errstr_unpriv = "R0 leaks addr", 8358 .errstr = "R0 unbounded memory access", 8359 .result_unpriv = REJECT, 8360 .result = REJECT, 8361 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 8362 }, 8363 { 8364 "invalid 64-bit BPF_END", 8365 .insns = { 8366 BPF_MOV32_IMM(BPF_REG_0, 0), 8367 { 8368 .code = BPF_ALU64 | BPF_END | BPF_TO_LE, 8369 .dst_reg = BPF_REG_0, 8370 .src_reg = 0, 8371 .off = 0, 8372 .imm = 32, 8373 }, 8374 BPF_EXIT_INSN(), 8375 }, 8376 .errstr = "unknown opcode d7", 8377 .result = REJECT, 8378 }, 8379 { 8380 "XDP, using ifindex from netdev", 8381 .insns = { 8382 BPF_MOV64_IMM(BPF_REG_0, 0), 8383 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8384 offsetof(struct xdp_md, ingress_ifindex)), 8385 BPF_JMP_IMM(BPF_JLT, BPF_REG_2, 1, 1), 8386 BPF_MOV64_IMM(BPF_REG_0, 1), 8387 BPF_EXIT_INSN(), 8388 }, 8389 .result = ACCEPT, 8390 .prog_type = BPF_PROG_TYPE_XDP, 8391 .retval = 1, 8392 }, 8393 { 8394 "meta access, test1", 8395 .insns = { 8396 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8397 offsetof(struct xdp_md, data_meta)), 8398 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8399 offsetof(struct xdp_md, data)), 8400 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 8401 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 8402 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 8403 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 8404 BPF_MOV64_IMM(BPF_REG_0, 0), 8405 BPF_EXIT_INSN(), 8406 }, 8407 .result = ACCEPT, 8408 .prog_type = BPF_PROG_TYPE_XDP, 8409 }, 8410 { 8411 "meta access, test2", 8412 .insns = { 8413 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8414 offsetof(struct xdp_md, data_meta)), 8415 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8416 offsetof(struct xdp_md, data)), 8417 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 8418 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 8), 8419 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 8420 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8), 8421 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1), 8422 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 8423 BPF_MOV64_IMM(BPF_REG_0, 0), 8424 BPF_EXIT_INSN(), 8425 }, 8426 .result = REJECT, 8427 .errstr = "invalid access to packet, off=-8", 8428 .prog_type = BPF_PROG_TYPE_XDP, 8429 }, 8430 { 8431 "meta access, test3", 8432 .insns = { 8433 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8434 offsetof(struct xdp_md, data_meta)), 8435 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8436 offsetof(struct xdp_md, data_end)), 8437 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 8438 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 8439 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 8440 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 8441 BPF_MOV64_IMM(BPF_REG_0, 0), 8442 BPF_EXIT_INSN(), 8443 }, 8444 .result = REJECT, 8445 .errstr = "invalid access to packet", 8446 .prog_type = BPF_PROG_TYPE_XDP, 8447 }, 8448 { 8449 "meta access, test4", 8450 .insns = { 8451 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8452 offsetof(struct xdp_md, data_meta)), 8453 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8454 offsetof(struct xdp_md, data_end)), 8455 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, 8456 offsetof(struct xdp_md, data)), 8457 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4), 8458 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 8459 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 8460 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 8461 BPF_MOV64_IMM(BPF_REG_0, 0), 8462 BPF_EXIT_INSN(), 8463 }, 8464 .result = REJECT, 8465 .errstr = "invalid access to packet", 8466 .prog_type = BPF_PROG_TYPE_XDP, 8467 }, 8468 { 8469 "meta access, test5", 8470 .insns = { 8471 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8472 offsetof(struct xdp_md, data_meta)), 8473 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, 8474 offsetof(struct xdp_md, data)), 8475 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3), 8476 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 8477 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_4, 3), 8478 BPF_MOV64_IMM(BPF_REG_2, -8), 8479 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 8480 BPF_FUNC_xdp_adjust_meta), 8481 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0), 8482 BPF_MOV64_IMM(BPF_REG_0, 0), 8483 BPF_EXIT_INSN(), 8484 }, 8485 .result = REJECT, 8486 .errstr = "R3 !read_ok", 8487 .prog_type = BPF_PROG_TYPE_XDP, 8488 }, 8489 { 8490 "meta access, test6", 8491 .insns = { 8492 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8493 offsetof(struct xdp_md, data_meta)), 8494 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8495 offsetof(struct xdp_md, data)), 8496 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3), 8497 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 8498 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 8499 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8), 8500 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 1), 8501 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 8502 BPF_MOV64_IMM(BPF_REG_0, 0), 8503 BPF_EXIT_INSN(), 8504 }, 8505 .result = REJECT, 8506 .errstr = "invalid access to packet", 8507 .prog_type = BPF_PROG_TYPE_XDP, 8508 }, 8509 { 8510 "meta access, test7", 8511 .insns = { 8512 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8513 offsetof(struct xdp_md, data_meta)), 8514 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8515 offsetof(struct xdp_md, data)), 8516 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3), 8517 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 8518 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 8519 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8), 8520 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1), 8521 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 8522 BPF_MOV64_IMM(BPF_REG_0, 0), 8523 BPF_EXIT_INSN(), 8524 }, 8525 .result = ACCEPT, 8526 .prog_type = BPF_PROG_TYPE_XDP, 8527 }, 8528 { 8529 "meta access, test8", 8530 .insns = { 8531 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8532 offsetof(struct xdp_md, data_meta)), 8533 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8534 offsetof(struct xdp_md, data)), 8535 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 8536 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF), 8537 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1), 8538 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 8539 BPF_MOV64_IMM(BPF_REG_0, 0), 8540 BPF_EXIT_INSN(), 8541 }, 8542 .result = ACCEPT, 8543 .prog_type = BPF_PROG_TYPE_XDP, 8544 }, 8545 { 8546 "meta access, test9", 8547 .insns = { 8548 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8549 offsetof(struct xdp_md, data_meta)), 8550 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8551 offsetof(struct xdp_md, data)), 8552 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2), 8553 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF), 8554 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1), 8555 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1), 8556 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 8557 BPF_MOV64_IMM(BPF_REG_0, 0), 8558 BPF_EXIT_INSN(), 8559 }, 8560 .result = REJECT, 8561 .errstr = "invalid access to packet", 8562 .prog_type = BPF_PROG_TYPE_XDP, 8563 }, 8564 { 8565 "meta access, test10", 8566 .insns = { 8567 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8568 offsetof(struct xdp_md, data_meta)), 8569 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8570 offsetof(struct xdp_md, data)), 8571 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, 8572 offsetof(struct xdp_md, data_end)), 8573 BPF_MOV64_IMM(BPF_REG_5, 42), 8574 BPF_MOV64_IMM(BPF_REG_6, 24), 8575 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8), 8576 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8), 8577 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8), 8578 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6), 8579 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_5), 8580 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3), 8581 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2), 8582 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8), 8583 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_5, 1), 8584 BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 8585 BPF_MOV64_IMM(BPF_REG_0, 0), 8586 BPF_EXIT_INSN(), 8587 }, 8588 .result = REJECT, 8589 .errstr = "invalid access to packet", 8590 .prog_type = BPF_PROG_TYPE_XDP, 8591 }, 8592 { 8593 "meta access, test11", 8594 .insns = { 8595 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8596 offsetof(struct xdp_md, data_meta)), 8597 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8598 offsetof(struct xdp_md, data)), 8599 BPF_MOV64_IMM(BPF_REG_5, 42), 8600 BPF_MOV64_IMM(BPF_REG_6, 24), 8601 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8), 8602 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8), 8603 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8), 8604 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6), 8605 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_5), 8606 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2), 8607 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2), 8608 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8), 8609 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_3, 1), 8610 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_5, 0), 8611 BPF_MOV64_IMM(BPF_REG_0, 0), 8612 BPF_EXIT_INSN(), 8613 }, 8614 .result = ACCEPT, 8615 .prog_type = BPF_PROG_TYPE_XDP, 8616 }, 8617 { 8618 "meta access, test12", 8619 .insns = { 8620 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8621 offsetof(struct xdp_md, data_meta)), 8622 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8623 offsetof(struct xdp_md, data)), 8624 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, 8625 offsetof(struct xdp_md, data_end)), 8626 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3), 8627 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16), 8628 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 5), 8629 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0), 8630 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2), 8631 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16), 8632 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 1), 8633 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 8634 BPF_MOV64_IMM(BPF_REG_0, 0), 8635 BPF_EXIT_INSN(), 8636 }, 8637 .result = ACCEPT, 8638 .prog_type = BPF_PROG_TYPE_XDP, 8639 }, 8640 { 8641 "arithmetic ops make PTR_TO_CTX unusable", 8642 .insns = { 8643 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8644 offsetof(struct __sk_buff, data) - 8645 offsetof(struct __sk_buff, mark)), 8646 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 8647 offsetof(struct __sk_buff, mark)), 8648 BPF_EXIT_INSN(), 8649 }, 8650 .errstr = "dereference of modified ctx ptr", 8651 .result = REJECT, 8652 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 8653 }, 8654 { 8655 "pkt_end - pkt_start is allowed", 8656 .insns = { 8657 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 8658 offsetof(struct __sk_buff, data_end)), 8659 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8660 offsetof(struct __sk_buff, data)), 8661 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2), 8662 BPF_EXIT_INSN(), 8663 }, 8664 .result = ACCEPT, 8665 .retval = TEST_DATA_LEN, 8666 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 8667 }, 8668 { 8669 "XDP pkt read, pkt_end mangling, bad access 1", 8670 .insns = { 8671 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8672 offsetof(struct xdp_md, data)), 8673 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8674 offsetof(struct xdp_md, data_end)), 8675 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8676 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8677 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8), 8678 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1), 8679 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 8680 BPF_MOV64_IMM(BPF_REG_0, 0), 8681 BPF_EXIT_INSN(), 8682 }, 8683 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END", 8684 .result = REJECT, 8685 .prog_type = BPF_PROG_TYPE_XDP, 8686 }, 8687 { 8688 "XDP pkt read, pkt_end mangling, bad access 2", 8689 .insns = { 8690 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8691 offsetof(struct xdp_md, data)), 8692 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8693 offsetof(struct xdp_md, data_end)), 8694 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8695 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8696 BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8), 8697 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1), 8698 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 8699 BPF_MOV64_IMM(BPF_REG_0, 0), 8700 BPF_EXIT_INSN(), 8701 }, 8702 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END", 8703 .result = REJECT, 8704 .prog_type = BPF_PROG_TYPE_XDP, 8705 }, 8706 { 8707 "XDP pkt read, pkt_data' > pkt_end, good access", 8708 .insns = { 8709 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8710 offsetof(struct xdp_md, data)), 8711 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8712 offsetof(struct xdp_md, data_end)), 8713 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8714 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8715 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1), 8716 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 8717 BPF_MOV64_IMM(BPF_REG_0, 0), 8718 BPF_EXIT_INSN(), 8719 }, 8720 .result = ACCEPT, 8721 .prog_type = BPF_PROG_TYPE_XDP, 8722 }, 8723 { 8724 "XDP pkt read, pkt_data' > pkt_end, bad access 1", 8725 .insns = { 8726 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8727 offsetof(struct xdp_md, data)), 8728 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8729 offsetof(struct xdp_md, data_end)), 8730 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8731 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8732 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1), 8733 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4), 8734 BPF_MOV64_IMM(BPF_REG_0, 0), 8735 BPF_EXIT_INSN(), 8736 }, 8737 .errstr = "R1 offset is outside of the packet", 8738 .result = REJECT, 8739 .prog_type = BPF_PROG_TYPE_XDP, 8740 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 8741 }, 8742 { 8743 "XDP pkt read, pkt_data' > pkt_end, bad access 2", 8744 .insns = { 8745 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8746 offsetof(struct xdp_md, data)), 8747 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8748 offsetof(struct xdp_md, data_end)), 8749 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8750 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8751 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0), 8752 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 8753 BPF_MOV64_IMM(BPF_REG_0, 0), 8754 BPF_EXIT_INSN(), 8755 }, 8756 .errstr = "R1 offset is outside of the packet", 8757 .result = REJECT, 8758 .prog_type = BPF_PROG_TYPE_XDP, 8759 }, 8760 { 8761 "XDP pkt read, pkt_end > pkt_data', good access", 8762 .insns = { 8763 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8764 offsetof(struct xdp_md, data)), 8765 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8766 offsetof(struct xdp_md, data_end)), 8767 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8768 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8769 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1), 8770 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 8771 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5), 8772 BPF_MOV64_IMM(BPF_REG_0, 0), 8773 BPF_EXIT_INSN(), 8774 }, 8775 .result = ACCEPT, 8776 .prog_type = BPF_PROG_TYPE_XDP, 8777 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 8778 }, 8779 { 8780 "XDP pkt read, pkt_end > pkt_data', bad access 1", 8781 .insns = { 8782 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8783 offsetof(struct xdp_md, data)), 8784 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8785 offsetof(struct xdp_md, data_end)), 8786 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8787 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8788 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1), 8789 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 8790 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 8791 BPF_MOV64_IMM(BPF_REG_0, 0), 8792 BPF_EXIT_INSN(), 8793 }, 8794 .errstr = "R1 offset is outside of the packet", 8795 .result = REJECT, 8796 .prog_type = BPF_PROG_TYPE_XDP, 8797 }, 8798 { 8799 "XDP pkt read, pkt_end > pkt_data', bad access 2", 8800 .insns = { 8801 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8802 offsetof(struct xdp_md, data)), 8803 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8804 offsetof(struct xdp_md, data_end)), 8805 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8806 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8807 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1), 8808 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 8809 BPF_MOV64_IMM(BPF_REG_0, 0), 8810 BPF_EXIT_INSN(), 8811 }, 8812 .errstr = "R1 offset is outside of the packet", 8813 .result = REJECT, 8814 .prog_type = BPF_PROG_TYPE_XDP, 8815 }, 8816 { 8817 "XDP pkt read, pkt_data' < pkt_end, good access", 8818 .insns = { 8819 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8820 offsetof(struct xdp_md, data)), 8821 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8822 offsetof(struct xdp_md, data_end)), 8823 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8824 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8825 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1), 8826 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 8827 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5), 8828 BPF_MOV64_IMM(BPF_REG_0, 0), 8829 BPF_EXIT_INSN(), 8830 }, 8831 .result = ACCEPT, 8832 .prog_type = BPF_PROG_TYPE_XDP, 8833 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 8834 }, 8835 { 8836 "XDP pkt read, pkt_data' < pkt_end, bad access 1", 8837 .insns = { 8838 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8839 offsetof(struct xdp_md, data)), 8840 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8841 offsetof(struct xdp_md, data_end)), 8842 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8843 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8844 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1), 8845 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 8846 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 8847 BPF_MOV64_IMM(BPF_REG_0, 0), 8848 BPF_EXIT_INSN(), 8849 }, 8850 .errstr = "R1 offset is outside of the packet", 8851 .result = REJECT, 8852 .prog_type = BPF_PROG_TYPE_XDP, 8853 }, 8854 { 8855 "XDP pkt read, pkt_data' < pkt_end, bad access 2", 8856 .insns = { 8857 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8858 offsetof(struct xdp_md, data)), 8859 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8860 offsetof(struct xdp_md, data_end)), 8861 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8862 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8863 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1), 8864 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 8865 BPF_MOV64_IMM(BPF_REG_0, 0), 8866 BPF_EXIT_INSN(), 8867 }, 8868 .errstr = "R1 offset is outside of the packet", 8869 .result = REJECT, 8870 .prog_type = BPF_PROG_TYPE_XDP, 8871 }, 8872 { 8873 "XDP pkt read, pkt_end < pkt_data', good access", 8874 .insns = { 8875 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8876 offsetof(struct xdp_md, data)), 8877 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8878 offsetof(struct xdp_md, data_end)), 8879 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8880 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8881 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1), 8882 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 8883 BPF_MOV64_IMM(BPF_REG_0, 0), 8884 BPF_EXIT_INSN(), 8885 }, 8886 .result = ACCEPT, 8887 .prog_type = BPF_PROG_TYPE_XDP, 8888 }, 8889 { 8890 "XDP pkt read, pkt_end < pkt_data', bad access 1", 8891 .insns = { 8892 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8893 offsetof(struct xdp_md, data)), 8894 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8895 offsetof(struct xdp_md, data_end)), 8896 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8897 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8898 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1), 8899 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4), 8900 BPF_MOV64_IMM(BPF_REG_0, 0), 8901 BPF_EXIT_INSN(), 8902 }, 8903 .errstr = "R1 offset is outside of the packet", 8904 .result = REJECT, 8905 .prog_type = BPF_PROG_TYPE_XDP, 8906 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 8907 }, 8908 { 8909 "XDP pkt read, pkt_end < pkt_data', bad access 2", 8910 .insns = { 8911 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8912 offsetof(struct xdp_md, data)), 8913 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8914 offsetof(struct xdp_md, data_end)), 8915 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8916 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8917 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0), 8918 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 8919 BPF_MOV64_IMM(BPF_REG_0, 0), 8920 BPF_EXIT_INSN(), 8921 }, 8922 .errstr = "R1 offset is outside of the packet", 8923 .result = REJECT, 8924 .prog_type = BPF_PROG_TYPE_XDP, 8925 }, 8926 { 8927 "XDP pkt read, pkt_data' >= pkt_end, good access", 8928 .insns = { 8929 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8930 offsetof(struct xdp_md, data)), 8931 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8932 offsetof(struct xdp_md, data_end)), 8933 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8934 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8935 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1), 8936 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5), 8937 BPF_MOV64_IMM(BPF_REG_0, 0), 8938 BPF_EXIT_INSN(), 8939 }, 8940 .result = ACCEPT, 8941 .prog_type = BPF_PROG_TYPE_XDP, 8942 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 8943 }, 8944 { 8945 "XDP pkt read, pkt_data' >= pkt_end, bad access 1", 8946 .insns = { 8947 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8948 offsetof(struct xdp_md, data)), 8949 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8950 offsetof(struct xdp_md, data_end)), 8951 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8952 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8953 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1), 8954 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 8955 BPF_MOV64_IMM(BPF_REG_0, 0), 8956 BPF_EXIT_INSN(), 8957 }, 8958 .errstr = "R1 offset is outside of the packet", 8959 .result = REJECT, 8960 .prog_type = BPF_PROG_TYPE_XDP, 8961 }, 8962 { 8963 "XDP pkt read, pkt_data' >= pkt_end, bad access 2", 8964 .insns = { 8965 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8966 offsetof(struct xdp_md, data)), 8967 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8968 offsetof(struct xdp_md, data_end)), 8969 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8970 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8971 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0), 8972 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5), 8973 BPF_MOV64_IMM(BPF_REG_0, 0), 8974 BPF_EXIT_INSN(), 8975 }, 8976 .errstr = "R1 offset is outside of the packet", 8977 .result = REJECT, 8978 .prog_type = BPF_PROG_TYPE_XDP, 8979 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 8980 }, 8981 { 8982 "XDP pkt read, pkt_end >= pkt_data', good access", 8983 .insns = { 8984 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 8985 offsetof(struct xdp_md, data)), 8986 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 8987 offsetof(struct xdp_md, data_end)), 8988 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 8989 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 8990 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1), 8991 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 8992 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 8993 BPF_MOV64_IMM(BPF_REG_0, 0), 8994 BPF_EXIT_INSN(), 8995 }, 8996 .result = ACCEPT, 8997 .prog_type = BPF_PROG_TYPE_XDP, 8998 }, 8999 { 9000 "XDP pkt read, pkt_end >= pkt_data', bad access 1", 9001 .insns = { 9002 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 9003 offsetof(struct xdp_md, data)), 9004 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 9005 offsetof(struct xdp_md, data_end)), 9006 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 9007 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 9008 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1), 9009 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 9010 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4), 9011 BPF_MOV64_IMM(BPF_REG_0, 0), 9012 BPF_EXIT_INSN(), 9013 }, 9014 .errstr = "R1 offset is outside of the packet", 9015 .result = REJECT, 9016 .prog_type = BPF_PROG_TYPE_XDP, 9017 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 9018 }, 9019 { 9020 "XDP pkt read, pkt_end >= pkt_data', bad access 2", 9021 .insns = { 9022 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 9023 offsetof(struct xdp_md, data)), 9024 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 9025 offsetof(struct xdp_md, data_end)), 9026 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 9027 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 9028 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1), 9029 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 9030 BPF_MOV64_IMM(BPF_REG_0, 0), 9031 BPF_EXIT_INSN(), 9032 }, 9033 .errstr = "R1 offset is outside of the packet", 9034 .result = REJECT, 9035 .prog_type = BPF_PROG_TYPE_XDP, 9036 }, 9037 { 9038 "XDP pkt read, pkt_data' <= pkt_end, good access", 9039 .insns = { 9040 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 9041 offsetof(struct xdp_md, data)), 9042 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 9043 offsetof(struct xdp_md, data_end)), 9044 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 9045 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 9046 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1), 9047 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 9048 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 9049 BPF_MOV64_IMM(BPF_REG_0, 0), 9050 BPF_EXIT_INSN(), 9051 }, 9052 .result = ACCEPT, 9053 .prog_type = BPF_PROG_TYPE_XDP, 9054 }, 9055 { 9056 "XDP pkt read, pkt_data' <= pkt_end, bad access 1", 9057 .insns = { 9058 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 9059 offsetof(struct xdp_md, data)), 9060 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 9061 offsetof(struct xdp_md, data_end)), 9062 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 9063 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 9064 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1), 9065 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 9066 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4), 9067 BPF_MOV64_IMM(BPF_REG_0, 0), 9068 BPF_EXIT_INSN(), 9069 }, 9070 .errstr = "R1 offset is outside of the packet", 9071 .result = REJECT, 9072 .prog_type = BPF_PROG_TYPE_XDP, 9073 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 9074 }, 9075 { 9076 "XDP pkt read, pkt_data' <= pkt_end, bad access 2", 9077 .insns = { 9078 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 9079 offsetof(struct xdp_md, data)), 9080 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 9081 offsetof(struct xdp_md, data_end)), 9082 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 9083 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 9084 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1), 9085 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 9086 BPF_MOV64_IMM(BPF_REG_0, 0), 9087 BPF_EXIT_INSN(), 9088 }, 9089 .errstr = "R1 offset is outside of the packet", 9090 .result = REJECT, 9091 .prog_type = BPF_PROG_TYPE_XDP, 9092 }, 9093 { 9094 "XDP pkt read, pkt_end <= pkt_data', good access", 9095 .insns = { 9096 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 9097 offsetof(struct xdp_md, data)), 9098 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 9099 offsetof(struct xdp_md, data_end)), 9100 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 9101 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 9102 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1), 9103 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5), 9104 BPF_MOV64_IMM(BPF_REG_0, 0), 9105 BPF_EXIT_INSN(), 9106 }, 9107 .result = ACCEPT, 9108 .prog_type = BPF_PROG_TYPE_XDP, 9109 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 9110 }, 9111 { 9112 "XDP pkt read, pkt_end <= pkt_data', bad access 1", 9113 .insns = { 9114 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 9115 offsetof(struct xdp_md, data)), 9116 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 9117 offsetof(struct xdp_md, data_end)), 9118 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 9119 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 9120 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1), 9121 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 9122 BPF_MOV64_IMM(BPF_REG_0, 0), 9123 BPF_EXIT_INSN(), 9124 }, 9125 .errstr = "R1 offset is outside of the packet", 9126 .result = REJECT, 9127 .prog_type = BPF_PROG_TYPE_XDP, 9128 }, 9129 { 9130 "XDP pkt read, pkt_end <= pkt_data', bad access 2", 9131 .insns = { 9132 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 9133 offsetof(struct xdp_md, data)), 9134 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 9135 offsetof(struct xdp_md, data_end)), 9136 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 9137 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 9138 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0), 9139 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5), 9140 BPF_MOV64_IMM(BPF_REG_0, 0), 9141 BPF_EXIT_INSN(), 9142 }, 9143 .errstr = "R1 offset is outside of the packet", 9144 .result = REJECT, 9145 .prog_type = BPF_PROG_TYPE_XDP, 9146 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 9147 }, 9148 { 9149 "XDP pkt read, pkt_meta' > pkt_data, good access", 9150 .insns = { 9151 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 9152 offsetof(struct xdp_md, data_meta)), 9153 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 9154 offsetof(struct xdp_md, data)), 9155 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 9156 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 9157 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1), 9158 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 9159 BPF_MOV64_IMM(BPF_REG_0, 0), 9160 BPF_EXIT_INSN(), 9161 }, 9162 .result = ACCEPT, 9163 .prog_type = BPF_PROG_TYPE_XDP, 9164 }, 9165 { 9166 "XDP pkt read, pkt_meta' > pkt_data, bad access 1", 9167 .insns = { 9168 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 9169 offsetof(struct xdp_md, data_meta)), 9170 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 9171 offsetof(struct xdp_md, data)), 9172 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 9173 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 9174 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1), 9175 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4), 9176 BPF_MOV64_IMM(BPF_REG_0, 0), 9177 BPF_EXIT_INSN(), 9178 }, 9179 .errstr = "R1 offset is outside of the packet", 9180 .result = REJECT, 9181 .prog_type = BPF_PROG_TYPE_XDP, 9182 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 9183 }, 9184 { 9185 "XDP pkt read, pkt_meta' > pkt_data, bad access 2", 9186 .insns = { 9187 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 9188 offsetof(struct xdp_md, data_meta)), 9189 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 9190 offsetof(struct xdp_md, data)), 9191 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 9192 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 9193 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0), 9194 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 9195 BPF_MOV64_IMM(BPF_REG_0, 0), 9196 BPF_EXIT_INSN(), 9197 }, 9198 .errstr = "R1 offset is outside of the packet", 9199 .result = REJECT, 9200 .prog_type = BPF_PROG_TYPE_XDP, 9201 }, 9202 { 9203 "XDP pkt read, pkt_data > pkt_meta', good access", 9204 .insns = { 9205 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 9206 offsetof(struct xdp_md, data_meta)), 9207 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 9208 offsetof(struct xdp_md, data)), 9209 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 9210 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 9211 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1), 9212 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 9213 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5), 9214 BPF_MOV64_IMM(BPF_REG_0, 0), 9215 BPF_EXIT_INSN(), 9216 }, 9217 .result = ACCEPT, 9218 .prog_type = BPF_PROG_TYPE_XDP, 9219 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 9220 }, 9221 { 9222 "XDP pkt read, pkt_data > pkt_meta', bad access 1", 9223 .insns = { 9224 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 9225 offsetof(struct xdp_md, data_meta)), 9226 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 9227 offsetof(struct xdp_md, data)), 9228 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 9229 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 9230 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1), 9231 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 9232 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 9233 BPF_MOV64_IMM(BPF_REG_0, 0), 9234 BPF_EXIT_INSN(), 9235 }, 9236 .errstr = "R1 offset is outside of the packet", 9237 .result = REJECT, 9238 .prog_type = BPF_PROG_TYPE_XDP, 9239 }, 9240 { 9241 "XDP pkt read, pkt_data > pkt_meta', bad access 2", 9242 .insns = { 9243 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 9244 offsetof(struct xdp_md, data_meta)), 9245 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 9246 offsetof(struct xdp_md, data)), 9247 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 9248 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 9249 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1), 9250 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 9251 BPF_MOV64_IMM(BPF_REG_0, 0), 9252 BPF_EXIT_INSN(), 9253 }, 9254 .errstr = "R1 offset is outside of the packet", 9255 .result = REJECT, 9256 .prog_type = BPF_PROG_TYPE_XDP, 9257 }, 9258 { 9259 "XDP pkt read, pkt_meta' < pkt_data, good access", 9260 .insns = { 9261 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 9262 offsetof(struct xdp_md, data_meta)), 9263 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 9264 offsetof(struct xdp_md, data)), 9265 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 9266 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 9267 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1), 9268 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 9269 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5), 9270 BPF_MOV64_IMM(BPF_REG_0, 0), 9271 BPF_EXIT_INSN(), 9272 }, 9273 .result = ACCEPT, 9274 .prog_type = BPF_PROG_TYPE_XDP, 9275 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 9276 }, 9277 { 9278 "XDP pkt read, pkt_meta' < pkt_data, bad access 1", 9279 .insns = { 9280 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 9281 offsetof(struct xdp_md, data_meta)), 9282 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 9283 offsetof(struct xdp_md, data)), 9284 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 9285 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 9286 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1), 9287 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 9288 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 9289 BPF_MOV64_IMM(BPF_REG_0, 0), 9290 BPF_EXIT_INSN(), 9291 }, 9292 .errstr = "R1 offset is outside of the packet", 9293 .result = REJECT, 9294 .prog_type = BPF_PROG_TYPE_XDP, 9295 }, 9296 { 9297 "XDP pkt read, pkt_meta' < pkt_data, bad access 2", 9298 .insns = { 9299 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 9300 offsetof(struct xdp_md, data_meta)), 9301 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 9302 offsetof(struct xdp_md, data)), 9303 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 9304 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 9305 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1), 9306 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 9307 BPF_MOV64_IMM(BPF_REG_0, 0), 9308 BPF_EXIT_INSN(), 9309 }, 9310 .errstr = "R1 offset is outside of the packet", 9311 .result = REJECT, 9312 .prog_type = BPF_PROG_TYPE_XDP, 9313 }, 9314 { 9315 "XDP pkt read, pkt_data < pkt_meta', good access", 9316 .insns = { 9317 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 9318 offsetof(struct xdp_md, data_meta)), 9319 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 9320 offsetof(struct xdp_md, data)), 9321 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 9322 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 9323 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1), 9324 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 9325 BPF_MOV64_IMM(BPF_REG_0, 0), 9326 BPF_EXIT_INSN(), 9327 }, 9328 .result = ACCEPT, 9329 .prog_type = BPF_PROG_TYPE_XDP, 9330 }, 9331 { 9332 "XDP pkt read, pkt_data < pkt_meta', bad access 1", 9333 .insns = { 9334 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 9335 offsetof(struct xdp_md, data_meta)), 9336 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 9337 offsetof(struct xdp_md, data)), 9338 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 9339 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 9340 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1), 9341 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4), 9342 BPF_MOV64_IMM(BPF_REG_0, 0), 9343 BPF_EXIT_INSN(), 9344 }, 9345 .errstr = "R1 offset is outside of the packet", 9346 .result = REJECT, 9347 .prog_type = BPF_PROG_TYPE_XDP, 9348 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 9349 }, 9350 { 9351 "XDP pkt read, pkt_data < pkt_meta', bad access 2", 9352 .insns = { 9353 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 9354 offsetof(struct xdp_md, data_meta)), 9355 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 9356 offsetof(struct xdp_md, data)), 9357 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 9358 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 9359 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0), 9360 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 9361 BPF_MOV64_IMM(BPF_REG_0, 0), 9362 BPF_EXIT_INSN(), 9363 }, 9364 .errstr = "R1 offset is outside of the packet", 9365 .result = REJECT, 9366 .prog_type = BPF_PROG_TYPE_XDP, 9367 }, 9368 { 9369 "XDP pkt read, pkt_meta' >= pkt_data, good access", 9370 .insns = { 9371 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 9372 offsetof(struct xdp_md, data_meta)), 9373 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 9374 offsetof(struct xdp_md, data)), 9375 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 9376 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 9377 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1), 9378 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5), 9379 BPF_MOV64_IMM(BPF_REG_0, 0), 9380 BPF_EXIT_INSN(), 9381 }, 9382 .result = ACCEPT, 9383 .prog_type = BPF_PROG_TYPE_XDP, 9384 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 9385 }, 9386 { 9387 "XDP pkt read, pkt_meta' >= pkt_data, bad access 1", 9388 .insns = { 9389 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 9390 offsetof(struct xdp_md, data_meta)), 9391 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 9392 offsetof(struct xdp_md, data)), 9393 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 9394 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 9395 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1), 9396 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 9397 BPF_MOV64_IMM(BPF_REG_0, 0), 9398 BPF_EXIT_INSN(), 9399 }, 9400 .errstr = "R1 offset is outside of the packet", 9401 .result = REJECT, 9402 .prog_type = BPF_PROG_TYPE_XDP, 9403 }, 9404 { 9405 "XDP pkt read, pkt_meta' >= pkt_data, bad access 2", 9406 .insns = { 9407 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 9408 offsetof(struct xdp_md, data_meta)), 9409 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 9410 offsetof(struct xdp_md, data)), 9411 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 9412 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 9413 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0), 9414 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5), 9415 BPF_MOV64_IMM(BPF_REG_0, 0), 9416 BPF_EXIT_INSN(), 9417 }, 9418 .errstr = "R1 offset is outside of the packet", 9419 .result = REJECT, 9420 .prog_type = BPF_PROG_TYPE_XDP, 9421 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 9422 }, 9423 { 9424 "XDP pkt read, pkt_data >= pkt_meta', good access", 9425 .insns = { 9426 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 9427 offsetof(struct xdp_md, data_meta)), 9428 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 9429 offsetof(struct xdp_md, data)), 9430 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 9431 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 9432 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1), 9433 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 9434 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 9435 BPF_MOV64_IMM(BPF_REG_0, 0), 9436 BPF_EXIT_INSN(), 9437 }, 9438 .result = ACCEPT, 9439 .prog_type = BPF_PROG_TYPE_XDP, 9440 }, 9441 { 9442 "XDP pkt read, pkt_data >= pkt_meta', bad access 1", 9443 .insns = { 9444 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 9445 offsetof(struct xdp_md, data_meta)), 9446 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 9447 offsetof(struct xdp_md, data)), 9448 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 9449 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 9450 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1), 9451 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 9452 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4), 9453 BPF_MOV64_IMM(BPF_REG_0, 0), 9454 BPF_EXIT_INSN(), 9455 }, 9456 .errstr = "R1 offset is outside of the packet", 9457 .result = REJECT, 9458 .prog_type = BPF_PROG_TYPE_XDP, 9459 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 9460 }, 9461 { 9462 "XDP pkt read, pkt_data >= pkt_meta', bad access 2", 9463 .insns = { 9464 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 9465 offsetof(struct xdp_md, data_meta)), 9466 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 9467 offsetof(struct xdp_md, data)), 9468 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 9469 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 9470 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1), 9471 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 9472 BPF_MOV64_IMM(BPF_REG_0, 0), 9473 BPF_EXIT_INSN(), 9474 }, 9475 .errstr = "R1 offset is outside of the packet", 9476 .result = REJECT, 9477 .prog_type = BPF_PROG_TYPE_XDP, 9478 }, 9479 { 9480 "XDP pkt read, pkt_meta' <= pkt_data, good access", 9481 .insns = { 9482 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 9483 offsetof(struct xdp_md, data_meta)), 9484 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 9485 offsetof(struct xdp_md, data)), 9486 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 9487 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 9488 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1), 9489 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 9490 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 9491 BPF_MOV64_IMM(BPF_REG_0, 0), 9492 BPF_EXIT_INSN(), 9493 }, 9494 .result = ACCEPT, 9495 .prog_type = BPF_PROG_TYPE_XDP, 9496 }, 9497 { 9498 "XDP pkt read, pkt_meta' <= pkt_data, bad access 1", 9499 .insns = { 9500 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 9501 offsetof(struct xdp_md, data_meta)), 9502 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 9503 offsetof(struct xdp_md, data)), 9504 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 9505 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 9506 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1), 9507 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 9508 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4), 9509 BPF_MOV64_IMM(BPF_REG_0, 0), 9510 BPF_EXIT_INSN(), 9511 }, 9512 .errstr = "R1 offset is outside of the packet", 9513 .result = REJECT, 9514 .prog_type = BPF_PROG_TYPE_XDP, 9515 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 9516 }, 9517 { 9518 "XDP pkt read, pkt_meta' <= pkt_data, bad access 2", 9519 .insns = { 9520 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 9521 offsetof(struct xdp_md, data_meta)), 9522 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 9523 offsetof(struct xdp_md, data)), 9524 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 9525 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 9526 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1), 9527 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 9528 BPF_MOV64_IMM(BPF_REG_0, 0), 9529 BPF_EXIT_INSN(), 9530 }, 9531 .errstr = "R1 offset is outside of the packet", 9532 .result = REJECT, 9533 .prog_type = BPF_PROG_TYPE_XDP, 9534 }, 9535 { 9536 "XDP pkt read, pkt_data <= pkt_meta', good access", 9537 .insns = { 9538 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 9539 offsetof(struct xdp_md, data_meta)), 9540 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 9541 offsetof(struct xdp_md, data)), 9542 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 9543 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 9544 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1), 9545 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5), 9546 BPF_MOV64_IMM(BPF_REG_0, 0), 9547 BPF_EXIT_INSN(), 9548 }, 9549 .result = ACCEPT, 9550 .prog_type = BPF_PROG_TYPE_XDP, 9551 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 9552 }, 9553 { 9554 "XDP pkt read, pkt_data <= pkt_meta', bad access 1", 9555 .insns = { 9556 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 9557 offsetof(struct xdp_md, data_meta)), 9558 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 9559 offsetof(struct xdp_md, data)), 9560 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 9561 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 9562 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1), 9563 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8), 9564 BPF_MOV64_IMM(BPF_REG_0, 0), 9565 BPF_EXIT_INSN(), 9566 }, 9567 .errstr = "R1 offset is outside of the packet", 9568 .result = REJECT, 9569 .prog_type = BPF_PROG_TYPE_XDP, 9570 }, 9571 { 9572 "XDP pkt read, pkt_data <= pkt_meta', bad access 2", 9573 .insns = { 9574 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 9575 offsetof(struct xdp_md, data_meta)), 9576 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 9577 offsetof(struct xdp_md, data)), 9578 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 9579 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 9580 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0), 9581 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5), 9582 BPF_MOV64_IMM(BPF_REG_0, 0), 9583 BPF_EXIT_INSN(), 9584 }, 9585 .errstr = "R1 offset is outside of the packet", 9586 .result = REJECT, 9587 .prog_type = BPF_PROG_TYPE_XDP, 9588 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 9589 }, 9590 { 9591 "check deducing bounds from const, 1", 9592 .insns = { 9593 BPF_MOV64_IMM(BPF_REG_0, 1), 9594 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 0), 9595 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), 9596 BPF_EXIT_INSN(), 9597 }, 9598 .result = REJECT, 9599 .errstr = "R0 tried to subtract pointer from scalar", 9600 }, 9601 { 9602 "check deducing bounds from const, 2", 9603 .insns = { 9604 BPF_MOV64_IMM(BPF_REG_0, 1), 9605 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 1), 9606 BPF_EXIT_INSN(), 9607 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 1, 1), 9608 BPF_EXIT_INSN(), 9609 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0), 9610 BPF_EXIT_INSN(), 9611 }, 9612 .result = ACCEPT, 9613 .retval = 1, 9614 }, 9615 { 9616 "check deducing bounds from const, 3", 9617 .insns = { 9618 BPF_MOV64_IMM(BPF_REG_0, 0), 9619 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0), 9620 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), 9621 BPF_EXIT_INSN(), 9622 }, 9623 .result = REJECT, 9624 .errstr = "R0 tried to subtract pointer from scalar", 9625 }, 9626 { 9627 "check deducing bounds from const, 4", 9628 .insns = { 9629 BPF_MOV64_IMM(BPF_REG_0, 0), 9630 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 1), 9631 BPF_EXIT_INSN(), 9632 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1), 9633 BPF_EXIT_INSN(), 9634 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0), 9635 BPF_EXIT_INSN(), 9636 }, 9637 .result = ACCEPT, 9638 }, 9639 { 9640 "check deducing bounds from const, 5", 9641 .insns = { 9642 BPF_MOV64_IMM(BPF_REG_0, 0), 9643 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1), 9644 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), 9645 BPF_EXIT_INSN(), 9646 }, 9647 .result = REJECT, 9648 .errstr = "R0 tried to subtract pointer from scalar", 9649 }, 9650 { 9651 "check deducing bounds from const, 6", 9652 .insns = { 9653 BPF_MOV64_IMM(BPF_REG_0, 0), 9654 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1), 9655 BPF_EXIT_INSN(), 9656 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), 9657 BPF_EXIT_INSN(), 9658 }, 9659 .result = REJECT, 9660 .errstr = "R0 tried to subtract pointer from scalar", 9661 }, 9662 { 9663 "check deducing bounds from const, 7", 9664 .insns = { 9665 BPF_MOV64_IMM(BPF_REG_0, ~0), 9666 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0), 9667 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0), 9668 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 9669 offsetof(struct __sk_buff, mark)), 9670 BPF_EXIT_INSN(), 9671 }, 9672 .result = REJECT, 9673 .errstr = "dereference of modified ctx ptr", 9674 }, 9675 { 9676 "check deducing bounds from const, 8", 9677 .insns = { 9678 BPF_MOV64_IMM(BPF_REG_0, ~0), 9679 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1), 9680 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0), 9681 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 9682 offsetof(struct __sk_buff, mark)), 9683 BPF_EXIT_INSN(), 9684 }, 9685 .result = REJECT, 9686 .errstr = "dereference of modified ctx ptr", 9687 }, 9688 { 9689 "check deducing bounds from const, 9", 9690 .insns = { 9691 BPF_MOV64_IMM(BPF_REG_0, 0), 9692 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0), 9693 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), 9694 BPF_EXIT_INSN(), 9695 }, 9696 .result = REJECT, 9697 .errstr = "R0 tried to subtract pointer from scalar", 9698 }, 9699 { 9700 "check deducing bounds from const, 10", 9701 .insns = { 9702 BPF_MOV64_IMM(BPF_REG_0, 0), 9703 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0), 9704 /* Marks reg as unknown. */ 9705 BPF_ALU64_IMM(BPF_NEG, BPF_REG_0, 0), 9706 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), 9707 BPF_EXIT_INSN(), 9708 }, 9709 .result = REJECT, 9710 .errstr = "math between ctx pointer and register with unbounded min value is not allowed", 9711 }, 9712 { 9713 "bpf_exit with invalid return code. test1", 9714 .insns = { 9715 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0), 9716 BPF_EXIT_INSN(), 9717 }, 9718 .errstr = "R0 has value (0x0; 0xffffffff)", 9719 .result = REJECT, 9720 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 9721 }, 9722 { 9723 "bpf_exit with invalid return code. test2", 9724 .insns = { 9725 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0), 9726 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1), 9727 BPF_EXIT_INSN(), 9728 }, 9729 .result = ACCEPT, 9730 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 9731 }, 9732 { 9733 "bpf_exit with invalid return code. test3", 9734 .insns = { 9735 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0), 9736 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 3), 9737 BPF_EXIT_INSN(), 9738 }, 9739 .errstr = "R0 has value (0x0; 0x3)", 9740 .result = REJECT, 9741 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 9742 }, 9743 { 9744 "bpf_exit with invalid return code. test4", 9745 .insns = { 9746 BPF_MOV64_IMM(BPF_REG_0, 1), 9747 BPF_EXIT_INSN(), 9748 }, 9749 .result = ACCEPT, 9750 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 9751 }, 9752 { 9753 "bpf_exit with invalid return code. test5", 9754 .insns = { 9755 BPF_MOV64_IMM(BPF_REG_0, 2), 9756 BPF_EXIT_INSN(), 9757 }, 9758 .errstr = "R0 has value (0x2; 0x0)", 9759 .result = REJECT, 9760 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 9761 }, 9762 { 9763 "bpf_exit with invalid return code. test6", 9764 .insns = { 9765 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1), 9766 BPF_EXIT_INSN(), 9767 }, 9768 .errstr = "R0 is not a known value (ctx)", 9769 .result = REJECT, 9770 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 9771 }, 9772 { 9773 "bpf_exit with invalid return code. test7", 9774 .insns = { 9775 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0), 9776 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4), 9777 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_2), 9778 BPF_EXIT_INSN(), 9779 }, 9780 .errstr = "R0 has unknown scalar value", 9781 .result = REJECT, 9782 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 9783 }, 9784 { 9785 "calls: basic sanity", 9786 .insns = { 9787 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2), 9788 BPF_MOV64_IMM(BPF_REG_0, 1), 9789 BPF_EXIT_INSN(), 9790 BPF_MOV64_IMM(BPF_REG_0, 2), 9791 BPF_EXIT_INSN(), 9792 }, 9793 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 9794 .result = ACCEPT, 9795 }, 9796 { 9797 "calls: not on unpriviledged", 9798 .insns = { 9799 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2), 9800 BPF_MOV64_IMM(BPF_REG_0, 1), 9801 BPF_EXIT_INSN(), 9802 BPF_MOV64_IMM(BPF_REG_0, 2), 9803 BPF_EXIT_INSN(), 9804 }, 9805 .errstr_unpriv = "function calls to other bpf functions are allowed for root only", 9806 .result_unpriv = REJECT, 9807 .result = ACCEPT, 9808 .retval = 1, 9809 }, 9810 { 9811 "calls: div by 0 in subprog", 9812 .insns = { 9813 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 9814 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8), 9815 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 9816 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 9817 offsetof(struct __sk_buff, data_end)), 9818 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 9819 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8), 9820 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1), 9821 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 9822 BPF_MOV64_IMM(BPF_REG_0, 1), 9823 BPF_EXIT_INSN(), 9824 BPF_MOV32_IMM(BPF_REG_2, 0), 9825 BPF_MOV32_IMM(BPF_REG_3, 1), 9826 BPF_ALU32_REG(BPF_DIV, BPF_REG_3, BPF_REG_2), 9827 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 9828 offsetof(struct __sk_buff, data)), 9829 BPF_EXIT_INSN(), 9830 }, 9831 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 9832 .result = ACCEPT, 9833 .retval = 1, 9834 }, 9835 { 9836 "calls: multiple ret types in subprog 1", 9837 .insns = { 9838 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 9839 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8), 9840 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 9841 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 9842 offsetof(struct __sk_buff, data_end)), 9843 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 9844 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8), 9845 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1), 9846 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 9847 BPF_MOV64_IMM(BPF_REG_0, 1), 9848 BPF_EXIT_INSN(), 9849 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 9850 offsetof(struct __sk_buff, data)), 9851 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 9852 BPF_MOV32_IMM(BPF_REG_0, 42), 9853 BPF_EXIT_INSN(), 9854 }, 9855 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 9856 .result = REJECT, 9857 .errstr = "R0 invalid mem access 'inv'", 9858 }, 9859 { 9860 "calls: multiple ret types in subprog 2", 9861 .insns = { 9862 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 9863 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8), 9864 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 9865 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 9866 offsetof(struct __sk_buff, data_end)), 9867 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 9868 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8), 9869 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1), 9870 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), 9871 BPF_MOV64_IMM(BPF_REG_0, 1), 9872 BPF_EXIT_INSN(), 9873 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 9874 offsetof(struct __sk_buff, data)), 9875 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 9876 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 9), 9877 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 9878 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 9879 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 9880 BPF_LD_MAP_FD(BPF_REG_1, 0), 9881 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 9882 BPF_FUNC_map_lookup_elem), 9883 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 9884 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6, 9885 offsetof(struct __sk_buff, data)), 9886 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64), 9887 BPF_EXIT_INSN(), 9888 }, 9889 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 9890 .fixup_map1 = { 16 }, 9891 .result = REJECT, 9892 .errstr = "R0 min value is outside of the array range", 9893 }, 9894 { 9895 "calls: overlapping caller/callee", 9896 .insns = { 9897 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0), 9898 BPF_MOV64_IMM(BPF_REG_0, 1), 9899 BPF_EXIT_INSN(), 9900 }, 9901 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 9902 .errstr = "last insn is not an exit or jmp", 9903 .result = REJECT, 9904 }, 9905 { 9906 "calls: wrong recursive calls", 9907 .insns = { 9908 BPF_JMP_IMM(BPF_JA, 0, 0, 4), 9909 BPF_JMP_IMM(BPF_JA, 0, 0, 4), 9910 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2), 9911 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2), 9912 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2), 9913 BPF_MOV64_IMM(BPF_REG_0, 1), 9914 BPF_EXIT_INSN(), 9915 }, 9916 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 9917 .errstr = "jump out of range", 9918 .result = REJECT, 9919 }, 9920 { 9921 "calls: wrong src reg", 9922 .insns = { 9923 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 2, 0, 0), 9924 BPF_MOV64_IMM(BPF_REG_0, 1), 9925 BPF_EXIT_INSN(), 9926 }, 9927 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 9928 .errstr = "BPF_CALL uses reserved fields", 9929 .result = REJECT, 9930 }, 9931 { 9932 "calls: wrong off value", 9933 .insns = { 9934 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, -1, 2), 9935 BPF_MOV64_IMM(BPF_REG_0, 1), 9936 BPF_EXIT_INSN(), 9937 BPF_MOV64_IMM(BPF_REG_0, 2), 9938 BPF_EXIT_INSN(), 9939 }, 9940 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 9941 .errstr = "BPF_CALL uses reserved fields", 9942 .result = REJECT, 9943 }, 9944 { 9945 "calls: jump back loop", 9946 .insns = { 9947 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1), 9948 BPF_MOV64_IMM(BPF_REG_0, 1), 9949 BPF_EXIT_INSN(), 9950 }, 9951 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 9952 .errstr = "back-edge from insn 0 to 0", 9953 .result = REJECT, 9954 }, 9955 { 9956 "calls: conditional call", 9957 .insns = { 9958 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 9959 offsetof(struct __sk_buff, mark)), 9960 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3), 9961 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2), 9962 BPF_MOV64_IMM(BPF_REG_0, 1), 9963 BPF_EXIT_INSN(), 9964 BPF_MOV64_IMM(BPF_REG_0, 2), 9965 BPF_EXIT_INSN(), 9966 }, 9967 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 9968 .errstr = "jump out of range", 9969 .result = REJECT, 9970 }, 9971 { 9972 "calls: conditional call 2", 9973 .insns = { 9974 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 9975 offsetof(struct __sk_buff, mark)), 9976 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3), 9977 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4), 9978 BPF_MOV64_IMM(BPF_REG_0, 1), 9979 BPF_EXIT_INSN(), 9980 BPF_MOV64_IMM(BPF_REG_0, 2), 9981 BPF_EXIT_INSN(), 9982 BPF_MOV64_IMM(BPF_REG_0, 3), 9983 BPF_EXIT_INSN(), 9984 }, 9985 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 9986 .result = ACCEPT, 9987 }, 9988 { 9989 "calls: conditional call 3", 9990 .insns = { 9991 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 9992 offsetof(struct __sk_buff, mark)), 9993 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3), 9994 BPF_JMP_IMM(BPF_JA, 0, 0, 4), 9995 BPF_MOV64_IMM(BPF_REG_0, 1), 9996 BPF_EXIT_INSN(), 9997 BPF_MOV64_IMM(BPF_REG_0, 1), 9998 BPF_JMP_IMM(BPF_JA, 0, 0, -6), 9999 BPF_MOV64_IMM(BPF_REG_0, 3), 10000 BPF_JMP_IMM(BPF_JA, 0, 0, -6), 10001 }, 10002 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 10003 .errstr = "back-edge from insn", 10004 .result = REJECT, 10005 }, 10006 { 10007 "calls: conditional call 4", 10008 .insns = { 10009 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 10010 offsetof(struct __sk_buff, mark)), 10011 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3), 10012 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4), 10013 BPF_MOV64_IMM(BPF_REG_0, 1), 10014 BPF_EXIT_INSN(), 10015 BPF_MOV64_IMM(BPF_REG_0, 1), 10016 BPF_JMP_IMM(BPF_JA, 0, 0, -5), 10017 BPF_MOV64_IMM(BPF_REG_0, 3), 10018 BPF_EXIT_INSN(), 10019 }, 10020 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 10021 .result = ACCEPT, 10022 }, 10023 { 10024 "calls: conditional call 5", 10025 .insns = { 10026 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 10027 offsetof(struct __sk_buff, mark)), 10028 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3), 10029 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4), 10030 BPF_MOV64_IMM(BPF_REG_0, 1), 10031 BPF_EXIT_INSN(), 10032 BPF_MOV64_IMM(BPF_REG_0, 1), 10033 BPF_JMP_IMM(BPF_JA, 0, 0, -6), 10034 BPF_MOV64_IMM(BPF_REG_0, 3), 10035 BPF_EXIT_INSN(), 10036 }, 10037 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 10038 .errstr = "back-edge from insn", 10039 .result = REJECT, 10040 }, 10041 { 10042 "calls: conditional call 6", 10043 .insns = { 10044 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2), 10045 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -2), 10046 BPF_EXIT_INSN(), 10047 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 10048 offsetof(struct __sk_buff, mark)), 10049 BPF_EXIT_INSN(), 10050 }, 10051 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 10052 .errstr = "back-edge from insn", 10053 .result = REJECT, 10054 }, 10055 { 10056 "calls: using r0 returned by callee", 10057 .insns = { 10058 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), 10059 BPF_EXIT_INSN(), 10060 BPF_MOV64_IMM(BPF_REG_0, 2), 10061 BPF_EXIT_INSN(), 10062 }, 10063 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 10064 .result = ACCEPT, 10065 }, 10066 { 10067 "calls: using uninit r0 from callee", 10068 .insns = { 10069 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), 10070 BPF_EXIT_INSN(), 10071 BPF_EXIT_INSN(), 10072 }, 10073 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 10074 .errstr = "!read_ok", 10075 .result = REJECT, 10076 }, 10077 { 10078 "calls: callee is using r1", 10079 .insns = { 10080 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), 10081 BPF_EXIT_INSN(), 10082 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 10083 offsetof(struct __sk_buff, len)), 10084 BPF_EXIT_INSN(), 10085 }, 10086 .prog_type = BPF_PROG_TYPE_SCHED_ACT, 10087 .result = ACCEPT, 10088 .retval = TEST_DATA_LEN, 10089 }, 10090 { 10091 "calls: callee using args1", 10092 .insns = { 10093 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), 10094 BPF_EXIT_INSN(), 10095 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1), 10096 BPF_EXIT_INSN(), 10097 }, 10098 .errstr_unpriv = "allowed for root only", 10099 .result_unpriv = REJECT, 10100 .result = ACCEPT, 10101 .retval = POINTER_VALUE, 10102 }, 10103 { 10104 "calls: callee using wrong args2", 10105 .insns = { 10106 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), 10107 BPF_EXIT_INSN(), 10108 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 10109 BPF_EXIT_INSN(), 10110 }, 10111 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 10112 .errstr = "R2 !read_ok", 10113 .result = REJECT, 10114 }, 10115 { 10116 "calls: callee using two args", 10117 .insns = { 10118 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 10119 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_6, 10120 offsetof(struct __sk_buff, len)), 10121 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_6, 10122 offsetof(struct __sk_buff, len)), 10123 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), 10124 BPF_EXIT_INSN(), 10125 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1), 10126 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2), 10127 BPF_EXIT_INSN(), 10128 }, 10129 .errstr_unpriv = "allowed for root only", 10130 .result_unpriv = REJECT, 10131 .result = ACCEPT, 10132 .retval = TEST_DATA_LEN + TEST_DATA_LEN - ETH_HLEN - ETH_HLEN, 10133 }, 10134 { 10135 "calls: callee changing pkt pointers", 10136 .insns = { 10137 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 10138 offsetof(struct xdp_md, data)), 10139 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1, 10140 offsetof(struct xdp_md, data_end)), 10141 BPF_MOV64_REG(BPF_REG_8, BPF_REG_6), 10142 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 8), 10143 BPF_JMP_REG(BPF_JGT, BPF_REG_8, BPF_REG_7, 2), 10144 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3), 10145 /* clear_all_pkt_pointers() has to walk all frames 10146 * to make sure that pkt pointers in the caller 10147 * are cleared when callee is calling a helper that 10148 * adjusts packet size 10149 */ 10150 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 10151 BPF_MOV32_IMM(BPF_REG_0, 0), 10152 BPF_EXIT_INSN(), 10153 BPF_MOV64_IMM(BPF_REG_2, 0), 10154 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 10155 BPF_FUNC_xdp_adjust_head), 10156 BPF_EXIT_INSN(), 10157 }, 10158 .result = REJECT, 10159 .errstr = "R6 invalid mem access 'inv'", 10160 .prog_type = BPF_PROG_TYPE_XDP, 10161 }, 10162 { 10163 "calls: two calls with args", 10164 .insns = { 10165 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), 10166 BPF_EXIT_INSN(), 10167 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 10168 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6), 10169 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), 10170 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 10171 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3), 10172 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0), 10173 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7), 10174 BPF_EXIT_INSN(), 10175 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 10176 offsetof(struct __sk_buff, len)), 10177 BPF_EXIT_INSN(), 10178 }, 10179 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 10180 .result = ACCEPT, 10181 .retval = TEST_DATA_LEN + TEST_DATA_LEN, 10182 }, 10183 { 10184 "calls: calls with stack arith", 10185 .insns = { 10186 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 10187 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64), 10188 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), 10189 BPF_EXIT_INSN(), 10190 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64), 10191 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), 10192 BPF_EXIT_INSN(), 10193 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64), 10194 BPF_MOV64_IMM(BPF_REG_0, 42), 10195 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0), 10196 BPF_EXIT_INSN(), 10197 }, 10198 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 10199 .result = ACCEPT, 10200 .retval = 42, 10201 }, 10202 { 10203 "calls: calls with misaligned stack access", 10204 .insns = { 10205 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 10206 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63), 10207 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), 10208 BPF_EXIT_INSN(), 10209 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -61), 10210 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), 10211 BPF_EXIT_INSN(), 10212 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63), 10213 BPF_MOV64_IMM(BPF_REG_0, 42), 10214 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0), 10215 BPF_EXIT_INSN(), 10216 }, 10217 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 10218 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 10219 .errstr = "misaligned stack access", 10220 .result = REJECT, 10221 }, 10222 { 10223 "calls: calls control flow, jump test", 10224 .insns = { 10225 BPF_MOV64_IMM(BPF_REG_0, 42), 10226 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 10227 BPF_MOV64_IMM(BPF_REG_0, 43), 10228 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 10229 BPF_JMP_IMM(BPF_JA, 0, 0, -3), 10230 BPF_EXIT_INSN(), 10231 }, 10232 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 10233 .result = ACCEPT, 10234 .retval = 43, 10235 }, 10236 { 10237 "calls: calls control flow, jump test 2", 10238 .insns = { 10239 BPF_MOV64_IMM(BPF_REG_0, 42), 10240 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 10241 BPF_MOV64_IMM(BPF_REG_0, 43), 10242 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 10243 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3), 10244 BPF_EXIT_INSN(), 10245 }, 10246 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 10247 .errstr = "jump out of range from insn 1 to 4", 10248 .result = REJECT, 10249 }, 10250 { 10251 "calls: two calls with bad jump", 10252 .insns = { 10253 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), 10254 BPF_EXIT_INSN(), 10255 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 10256 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6), 10257 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), 10258 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 10259 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3), 10260 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0), 10261 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7), 10262 BPF_EXIT_INSN(), 10263 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 10264 offsetof(struct __sk_buff, len)), 10265 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -3), 10266 BPF_EXIT_INSN(), 10267 }, 10268 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 10269 .errstr = "jump out of range from insn 11 to 9", 10270 .result = REJECT, 10271 }, 10272 { 10273 "calls: recursive call. test1", 10274 .insns = { 10275 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), 10276 BPF_EXIT_INSN(), 10277 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1), 10278 BPF_EXIT_INSN(), 10279 }, 10280 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 10281 .errstr = "back-edge", 10282 .result = REJECT, 10283 }, 10284 { 10285 "calls: recursive call. test2", 10286 .insns = { 10287 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), 10288 BPF_EXIT_INSN(), 10289 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3), 10290 BPF_EXIT_INSN(), 10291 }, 10292 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 10293 .errstr = "back-edge", 10294 .result = REJECT, 10295 }, 10296 { 10297 "calls: unreachable code", 10298 .insns = { 10299 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), 10300 BPF_EXIT_INSN(), 10301 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), 10302 BPF_EXIT_INSN(), 10303 BPF_MOV64_IMM(BPF_REG_0, 0), 10304 BPF_EXIT_INSN(), 10305 BPF_MOV64_IMM(BPF_REG_0, 0), 10306 BPF_EXIT_INSN(), 10307 }, 10308 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 10309 .errstr = "unreachable insn 6", 10310 .result = REJECT, 10311 }, 10312 { 10313 "calls: invalid call", 10314 .insns = { 10315 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), 10316 BPF_EXIT_INSN(), 10317 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -4), 10318 BPF_EXIT_INSN(), 10319 }, 10320 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 10321 .errstr = "invalid destination", 10322 .result = REJECT, 10323 }, 10324 { 10325 "calls: invalid call 2", 10326 .insns = { 10327 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), 10328 BPF_EXIT_INSN(), 10329 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0x7fffffff), 10330 BPF_EXIT_INSN(), 10331 }, 10332 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 10333 .errstr = "invalid destination", 10334 .result = REJECT, 10335 }, 10336 { 10337 "calls: jumping across function bodies. test1", 10338 .insns = { 10339 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2), 10340 BPF_MOV64_IMM(BPF_REG_0, 0), 10341 BPF_EXIT_INSN(), 10342 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3), 10343 BPF_EXIT_INSN(), 10344 }, 10345 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 10346 .errstr = "jump out of range", 10347 .result = REJECT, 10348 }, 10349 { 10350 "calls: jumping across function bodies. test2", 10351 .insns = { 10352 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3), 10353 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2), 10354 BPF_MOV64_IMM(BPF_REG_0, 0), 10355 BPF_EXIT_INSN(), 10356 BPF_EXIT_INSN(), 10357 }, 10358 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 10359 .errstr = "jump out of range", 10360 .result = REJECT, 10361 }, 10362 { 10363 "calls: call without exit", 10364 .insns = { 10365 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), 10366 BPF_EXIT_INSN(), 10367 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), 10368 BPF_EXIT_INSN(), 10369 BPF_MOV64_IMM(BPF_REG_0, 0), 10370 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -2), 10371 }, 10372 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 10373 .errstr = "not an exit", 10374 .result = REJECT, 10375 }, 10376 { 10377 "calls: call into middle of ld_imm64", 10378 .insns = { 10379 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3), 10380 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3), 10381 BPF_MOV64_IMM(BPF_REG_0, 0), 10382 BPF_EXIT_INSN(), 10383 BPF_LD_IMM64(BPF_REG_0, 0), 10384 BPF_EXIT_INSN(), 10385 }, 10386 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 10387 .errstr = "last insn", 10388 .result = REJECT, 10389 }, 10390 { 10391 "calls: call into middle of other call", 10392 .insns = { 10393 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3), 10394 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3), 10395 BPF_MOV64_IMM(BPF_REG_0, 0), 10396 BPF_EXIT_INSN(), 10397 BPF_MOV64_IMM(BPF_REG_0, 0), 10398 BPF_MOV64_IMM(BPF_REG_0, 0), 10399 BPF_EXIT_INSN(), 10400 }, 10401 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 10402 .errstr = "last insn", 10403 .result = REJECT, 10404 }, 10405 { 10406 "calls: ld_abs with changing ctx data in callee", 10407 .insns = { 10408 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 10409 BPF_LD_ABS(BPF_B, 0), 10410 BPF_LD_ABS(BPF_H, 0), 10411 BPF_LD_ABS(BPF_W, 0), 10412 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6), 10413 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5), 10414 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7), 10415 BPF_LD_ABS(BPF_B, 0), 10416 BPF_LD_ABS(BPF_H, 0), 10417 BPF_LD_ABS(BPF_W, 0), 10418 BPF_EXIT_INSN(), 10419 BPF_MOV64_IMM(BPF_REG_2, 1), 10420 BPF_MOV64_IMM(BPF_REG_3, 2), 10421 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 10422 BPF_FUNC_skb_vlan_push), 10423 BPF_EXIT_INSN(), 10424 }, 10425 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 10426 .errstr = "BPF_LD_[ABS|IND] instructions cannot be mixed", 10427 .result = REJECT, 10428 }, 10429 { 10430 "calls: two calls with bad fallthrough", 10431 .insns = { 10432 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), 10433 BPF_EXIT_INSN(), 10434 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 10435 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6), 10436 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), 10437 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 10438 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3), 10439 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0), 10440 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7), 10441 BPF_MOV64_REG(BPF_REG_0, BPF_REG_0), 10442 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 10443 offsetof(struct __sk_buff, len)), 10444 BPF_EXIT_INSN(), 10445 }, 10446 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 10447 .errstr = "not an exit", 10448 .result = REJECT, 10449 }, 10450 { 10451 "calls: two calls with stack read", 10452 .insns = { 10453 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 10454 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 10455 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 10456 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), 10457 BPF_EXIT_INSN(), 10458 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 10459 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6), 10460 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), 10461 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 10462 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3), 10463 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0), 10464 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7), 10465 BPF_EXIT_INSN(), 10466 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0), 10467 BPF_EXIT_INSN(), 10468 }, 10469 .prog_type = BPF_PROG_TYPE_XDP, 10470 .result = ACCEPT, 10471 }, 10472 { 10473 "calls: two calls with stack write", 10474 .insns = { 10475 /* main prog */ 10476 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 10477 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 10478 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 10479 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 10480 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16), 10481 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2), 10482 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16), 10483 BPF_EXIT_INSN(), 10484 10485 /* subprog 1 */ 10486 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 10487 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2), 10488 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 7), 10489 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), 10490 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 10491 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4), 10492 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0), 10493 BPF_MOV64_REG(BPF_REG_0, BPF_REG_8), 10494 /* write into stack frame of main prog */ 10495 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), 10496 BPF_EXIT_INSN(), 10497 10498 /* subprog 2 */ 10499 /* read from stack frame of main prog */ 10500 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0), 10501 BPF_EXIT_INSN(), 10502 }, 10503 .prog_type = BPF_PROG_TYPE_XDP, 10504 .result = ACCEPT, 10505 }, 10506 { 10507 "calls: stack overflow using two frames (pre-call access)", 10508 .insns = { 10509 /* prog 1 */ 10510 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0), 10511 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), 10512 BPF_EXIT_INSN(), 10513 10514 /* prog 2 */ 10515 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0), 10516 BPF_MOV64_IMM(BPF_REG_0, 0), 10517 BPF_EXIT_INSN(), 10518 }, 10519 .prog_type = BPF_PROG_TYPE_XDP, 10520 .errstr = "combined stack size", 10521 .result = REJECT, 10522 }, 10523 { 10524 "calls: stack overflow using two frames (post-call access)", 10525 .insns = { 10526 /* prog 1 */ 10527 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 2), 10528 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0), 10529 BPF_EXIT_INSN(), 10530 10531 /* prog 2 */ 10532 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0), 10533 BPF_MOV64_IMM(BPF_REG_0, 0), 10534 BPF_EXIT_INSN(), 10535 }, 10536 .prog_type = BPF_PROG_TYPE_XDP, 10537 .errstr = "combined stack size", 10538 .result = REJECT, 10539 }, 10540 { 10541 "calls: stack depth check using three frames. test1", 10542 .insns = { 10543 /* main */ 10544 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */ 10545 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */ 10546 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0), 10547 BPF_MOV64_IMM(BPF_REG_0, 0), 10548 BPF_EXIT_INSN(), 10549 /* A */ 10550 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0), 10551 BPF_EXIT_INSN(), 10552 /* B */ 10553 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */ 10554 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0), 10555 BPF_EXIT_INSN(), 10556 }, 10557 .prog_type = BPF_PROG_TYPE_XDP, 10558 /* stack_main=32, stack_A=256, stack_B=64 10559 * and max(main+A, main+A+B) < 512 10560 */ 10561 .result = ACCEPT, 10562 }, 10563 { 10564 "calls: stack depth check using three frames. test2", 10565 .insns = { 10566 /* main */ 10567 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */ 10568 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */ 10569 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0), 10570 BPF_MOV64_IMM(BPF_REG_0, 0), 10571 BPF_EXIT_INSN(), 10572 /* A */ 10573 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0), 10574 BPF_EXIT_INSN(), 10575 /* B */ 10576 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */ 10577 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0), 10578 BPF_EXIT_INSN(), 10579 }, 10580 .prog_type = BPF_PROG_TYPE_XDP, 10581 /* stack_main=32, stack_A=64, stack_B=256 10582 * and max(main+A, main+A+B) < 512 10583 */ 10584 .result = ACCEPT, 10585 }, 10586 { 10587 "calls: stack depth check using three frames. test3", 10588 .insns = { 10589 /* main */ 10590 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 10591 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */ 10592 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 10593 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 8), /* call B */ 10594 BPF_JMP_IMM(BPF_JGE, BPF_REG_6, 0, 1), 10595 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0), 10596 BPF_MOV64_IMM(BPF_REG_0, 0), 10597 BPF_EXIT_INSN(), 10598 /* A */ 10599 BPF_JMP_IMM(BPF_JLT, BPF_REG_1, 10, 1), 10600 BPF_EXIT_INSN(), 10601 BPF_ST_MEM(BPF_B, BPF_REG_10, -224, 0), 10602 BPF_JMP_IMM(BPF_JA, 0, 0, -3), 10603 /* B */ 10604 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 1), 10605 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -6), /* call A */ 10606 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0), 10607 BPF_EXIT_INSN(), 10608 }, 10609 .prog_type = BPF_PROG_TYPE_XDP, 10610 /* stack_main=64, stack_A=224, stack_B=256 10611 * and max(main+A, main+A+B) > 512 10612 */ 10613 .errstr = "combined stack", 10614 .result = REJECT, 10615 }, 10616 { 10617 "calls: stack depth check using three frames. test4", 10618 /* void main(void) { 10619 * func1(0); 10620 * func1(1); 10621 * func2(1); 10622 * } 10623 * void func1(int alloc_or_recurse) { 10624 * if (alloc_or_recurse) { 10625 * frame_pointer[-300] = 1; 10626 * } else { 10627 * func2(alloc_or_recurse); 10628 * } 10629 * } 10630 * void func2(int alloc_or_recurse) { 10631 * if (alloc_or_recurse) { 10632 * frame_pointer[-300] = 1; 10633 * } 10634 * } 10635 */ 10636 .insns = { 10637 /* main */ 10638 BPF_MOV64_IMM(BPF_REG_1, 0), 10639 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */ 10640 BPF_MOV64_IMM(BPF_REG_1, 1), 10641 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */ 10642 BPF_MOV64_IMM(BPF_REG_1, 1), 10643 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 7), /* call B */ 10644 BPF_MOV64_IMM(BPF_REG_0, 0), 10645 BPF_EXIT_INSN(), 10646 /* A */ 10647 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2), 10648 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0), 10649 BPF_EXIT_INSN(), 10650 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */ 10651 BPF_EXIT_INSN(), 10652 /* B */ 10653 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 10654 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0), 10655 BPF_EXIT_INSN(), 10656 }, 10657 .prog_type = BPF_PROG_TYPE_XDP, 10658 .result = REJECT, 10659 .errstr = "combined stack", 10660 }, 10661 { 10662 "calls: stack depth check using three frames. test5", 10663 .insns = { 10664 /* main */ 10665 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call A */ 10666 BPF_EXIT_INSN(), 10667 /* A */ 10668 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */ 10669 BPF_EXIT_INSN(), 10670 /* B */ 10671 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call C */ 10672 BPF_EXIT_INSN(), 10673 /* C */ 10674 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call D */ 10675 BPF_EXIT_INSN(), 10676 /* D */ 10677 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call E */ 10678 BPF_EXIT_INSN(), 10679 /* E */ 10680 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call F */ 10681 BPF_EXIT_INSN(), 10682 /* F */ 10683 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call G */ 10684 BPF_EXIT_INSN(), 10685 /* G */ 10686 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call H */ 10687 BPF_EXIT_INSN(), 10688 /* H */ 10689 BPF_MOV64_IMM(BPF_REG_0, 0), 10690 BPF_EXIT_INSN(), 10691 }, 10692 .prog_type = BPF_PROG_TYPE_XDP, 10693 .errstr = "call stack", 10694 .result = REJECT, 10695 }, 10696 { 10697 "calls: spill into caller stack frame", 10698 .insns = { 10699 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 10700 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 10701 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 10702 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), 10703 BPF_EXIT_INSN(), 10704 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0), 10705 BPF_MOV64_IMM(BPF_REG_0, 0), 10706 BPF_EXIT_INSN(), 10707 }, 10708 .prog_type = BPF_PROG_TYPE_XDP, 10709 .errstr = "cannot spill", 10710 .result = REJECT, 10711 }, 10712 { 10713 "calls: write into caller stack frame", 10714 .insns = { 10715 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 10716 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 10717 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 10718 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2), 10719 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 10720 BPF_EXIT_INSN(), 10721 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 42), 10722 BPF_MOV64_IMM(BPF_REG_0, 0), 10723 BPF_EXIT_INSN(), 10724 }, 10725 .prog_type = BPF_PROG_TYPE_XDP, 10726 .result = ACCEPT, 10727 .retval = 42, 10728 }, 10729 { 10730 "calls: write into callee stack frame", 10731 .insns = { 10732 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2), 10733 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42), 10734 BPF_EXIT_INSN(), 10735 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10), 10736 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, -8), 10737 BPF_EXIT_INSN(), 10738 }, 10739 .prog_type = BPF_PROG_TYPE_XDP, 10740 .errstr = "cannot return stack pointer", 10741 .result = REJECT, 10742 }, 10743 { 10744 "calls: two calls with stack write and void return", 10745 .insns = { 10746 /* main prog */ 10747 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 10748 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 10749 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 10750 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 10751 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16), 10752 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2), 10753 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16), 10754 BPF_EXIT_INSN(), 10755 10756 /* subprog 1 */ 10757 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 10758 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2), 10759 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3), 10760 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), 10761 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), 10762 BPF_EXIT_INSN(), 10763 10764 /* subprog 2 */ 10765 /* write into stack frame of main prog */ 10766 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0), 10767 BPF_EXIT_INSN(), /* void return */ 10768 }, 10769 .prog_type = BPF_PROG_TYPE_XDP, 10770 .result = ACCEPT, 10771 }, 10772 { 10773 "calls: ambiguous return value", 10774 .insns = { 10775 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 10776 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5), 10777 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 10778 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 10779 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2), 10780 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 10781 BPF_EXIT_INSN(), 10782 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 10783 BPF_MOV64_IMM(BPF_REG_0, 0), 10784 BPF_EXIT_INSN(), 10785 }, 10786 .errstr_unpriv = "allowed for root only", 10787 .result_unpriv = REJECT, 10788 .errstr = "R0 !read_ok", 10789 .result = REJECT, 10790 }, 10791 { 10792 "calls: two calls that return map_value", 10793 .insns = { 10794 /* main prog */ 10795 /* pass fp-16, fp-8 into a function */ 10796 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 10797 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 10798 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 10799 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16), 10800 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8), 10801 10802 /* fetch map_value_ptr from the stack of this function */ 10803 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8), 10804 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 10805 /* write into map value */ 10806 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0), 10807 /* fetch secound map_value_ptr from the stack */ 10808 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16), 10809 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 10810 /* write into map value */ 10811 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0), 10812 BPF_MOV64_IMM(BPF_REG_0, 0), 10813 BPF_EXIT_INSN(), 10814 10815 /* subprog 1 */ 10816 /* call 3rd function twice */ 10817 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 10818 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2), 10819 /* first time with fp-8 */ 10820 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3), 10821 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), 10822 /* second time with fp-16 */ 10823 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), 10824 BPF_EXIT_INSN(), 10825 10826 /* subprog 2 */ 10827 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 10828 /* lookup from map */ 10829 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 10830 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 10831 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 10832 BPF_LD_MAP_FD(BPF_REG_1, 0), 10833 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 10834 BPF_FUNC_map_lookup_elem), 10835 /* write map_value_ptr into stack frame of main prog */ 10836 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0), 10837 BPF_MOV64_IMM(BPF_REG_0, 0), 10838 BPF_EXIT_INSN(), /* return 0 */ 10839 }, 10840 .prog_type = BPF_PROG_TYPE_XDP, 10841 .fixup_map1 = { 23 }, 10842 .result = ACCEPT, 10843 }, 10844 { 10845 "calls: two calls that return map_value with bool condition", 10846 .insns = { 10847 /* main prog */ 10848 /* pass fp-16, fp-8 into a function */ 10849 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 10850 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 10851 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 10852 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16), 10853 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2), 10854 BPF_MOV64_IMM(BPF_REG_0, 0), 10855 BPF_EXIT_INSN(), 10856 10857 /* subprog 1 */ 10858 /* call 3rd function twice */ 10859 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 10860 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2), 10861 /* first time with fp-8 */ 10862 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9), 10863 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2), 10864 /* fetch map_value_ptr from the stack of this function */ 10865 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 10866 /* write into map value */ 10867 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0), 10868 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), 10869 /* second time with fp-16 */ 10870 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4), 10871 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2), 10872 /* fetch secound map_value_ptr from the stack */ 10873 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0), 10874 /* write into map value */ 10875 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0), 10876 BPF_EXIT_INSN(), 10877 10878 /* subprog 2 */ 10879 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 10880 /* lookup from map */ 10881 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 10882 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 10883 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 10884 BPF_LD_MAP_FD(BPF_REG_1, 0), 10885 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 10886 BPF_FUNC_map_lookup_elem), 10887 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), 10888 BPF_MOV64_IMM(BPF_REG_0, 0), 10889 BPF_EXIT_INSN(), /* return 0 */ 10890 /* write map_value_ptr into stack frame of main prog */ 10891 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0), 10892 BPF_MOV64_IMM(BPF_REG_0, 1), 10893 BPF_EXIT_INSN(), /* return 1 */ 10894 }, 10895 .prog_type = BPF_PROG_TYPE_XDP, 10896 .fixup_map1 = { 23 }, 10897 .result = ACCEPT, 10898 }, 10899 { 10900 "calls: two calls that return map_value with incorrect bool check", 10901 .insns = { 10902 /* main prog */ 10903 /* pass fp-16, fp-8 into a function */ 10904 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 10905 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 10906 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 10907 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16), 10908 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2), 10909 BPF_MOV64_IMM(BPF_REG_0, 0), 10910 BPF_EXIT_INSN(), 10911 10912 /* subprog 1 */ 10913 /* call 3rd function twice */ 10914 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 10915 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2), 10916 /* first time with fp-8 */ 10917 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9), 10918 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2), 10919 /* fetch map_value_ptr from the stack of this function */ 10920 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 10921 /* write into map value */ 10922 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0), 10923 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), 10924 /* second time with fp-16 */ 10925 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4), 10926 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), 10927 /* fetch secound map_value_ptr from the stack */ 10928 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0), 10929 /* write into map value */ 10930 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0), 10931 BPF_EXIT_INSN(), 10932 10933 /* subprog 2 */ 10934 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 10935 /* lookup from map */ 10936 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 10937 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 10938 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 10939 BPF_LD_MAP_FD(BPF_REG_1, 0), 10940 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 10941 BPF_FUNC_map_lookup_elem), 10942 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), 10943 BPF_MOV64_IMM(BPF_REG_0, 0), 10944 BPF_EXIT_INSN(), /* return 0 */ 10945 /* write map_value_ptr into stack frame of main prog */ 10946 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0), 10947 BPF_MOV64_IMM(BPF_REG_0, 1), 10948 BPF_EXIT_INSN(), /* return 1 */ 10949 }, 10950 .prog_type = BPF_PROG_TYPE_XDP, 10951 .fixup_map1 = { 23 }, 10952 .result = REJECT, 10953 .errstr = "invalid read from stack off -16+0 size 8", 10954 }, 10955 { 10956 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test1", 10957 .insns = { 10958 /* main prog */ 10959 /* pass fp-16, fp-8 into a function */ 10960 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 10961 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 10962 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 10963 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16), 10964 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2), 10965 BPF_MOV64_IMM(BPF_REG_0, 0), 10966 BPF_EXIT_INSN(), 10967 10968 /* subprog 1 */ 10969 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 10970 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2), 10971 /* 1st lookup from map */ 10972 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 10973 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 10974 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 10975 BPF_LD_MAP_FD(BPF_REG_1, 0), 10976 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 10977 BPF_FUNC_map_lookup_elem), 10978 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), 10979 BPF_MOV64_IMM(BPF_REG_8, 0), 10980 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 10981 /* write map_value_ptr into stack frame of main prog at fp-8 */ 10982 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0), 10983 BPF_MOV64_IMM(BPF_REG_8, 1), 10984 10985 /* 2nd lookup from map */ 10986 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */ 10987 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 10988 BPF_LD_MAP_FD(BPF_REG_1, 0), 10989 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */ 10990 BPF_FUNC_map_lookup_elem), 10991 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), 10992 BPF_MOV64_IMM(BPF_REG_9, 0), 10993 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 10994 /* write map_value_ptr into stack frame of main prog at fp-16 */ 10995 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), 10996 BPF_MOV64_IMM(BPF_REG_9, 1), 10997 10998 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */ 10999 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */ 11000 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8), 11001 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7), 11002 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9), 11003 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), /* 34 */ 11004 BPF_EXIT_INSN(), 11005 11006 /* subprog 2 */ 11007 /* if arg2 == 1 do *arg1 = 0 */ 11008 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2), 11009 /* fetch map_value_ptr from the stack of this function */ 11010 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0), 11011 /* write into map value */ 11012 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0), 11013 11014 /* if arg4 == 1 do *arg3 = 0 */ 11015 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2), 11016 /* fetch map_value_ptr from the stack of this function */ 11017 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0), 11018 /* write into map value */ 11019 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0), 11020 BPF_EXIT_INSN(), 11021 }, 11022 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 11023 .fixup_map1 = { 12, 22 }, 11024 .result = REJECT, 11025 .errstr = "invalid access to map value, value_size=8 off=2 size=8", 11026 }, 11027 { 11028 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test2", 11029 .insns = { 11030 /* main prog */ 11031 /* pass fp-16, fp-8 into a function */ 11032 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 11033 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 11034 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 11035 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16), 11036 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2), 11037 BPF_MOV64_IMM(BPF_REG_0, 0), 11038 BPF_EXIT_INSN(), 11039 11040 /* subprog 1 */ 11041 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 11042 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2), 11043 /* 1st lookup from map */ 11044 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 11045 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 11046 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 11047 BPF_LD_MAP_FD(BPF_REG_1, 0), 11048 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 11049 BPF_FUNC_map_lookup_elem), 11050 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), 11051 BPF_MOV64_IMM(BPF_REG_8, 0), 11052 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 11053 /* write map_value_ptr into stack frame of main prog at fp-8 */ 11054 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0), 11055 BPF_MOV64_IMM(BPF_REG_8, 1), 11056 11057 /* 2nd lookup from map */ 11058 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */ 11059 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 11060 BPF_LD_MAP_FD(BPF_REG_1, 0), 11061 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */ 11062 BPF_FUNC_map_lookup_elem), 11063 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), 11064 BPF_MOV64_IMM(BPF_REG_9, 0), 11065 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 11066 /* write map_value_ptr into stack frame of main prog at fp-16 */ 11067 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), 11068 BPF_MOV64_IMM(BPF_REG_9, 1), 11069 11070 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */ 11071 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */ 11072 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8), 11073 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7), 11074 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9), 11075 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), /* 34 */ 11076 BPF_EXIT_INSN(), 11077 11078 /* subprog 2 */ 11079 /* if arg2 == 1 do *arg1 = 0 */ 11080 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2), 11081 /* fetch map_value_ptr from the stack of this function */ 11082 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0), 11083 /* write into map value */ 11084 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0), 11085 11086 /* if arg4 == 1 do *arg3 = 0 */ 11087 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2), 11088 /* fetch map_value_ptr from the stack of this function */ 11089 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0), 11090 /* write into map value */ 11091 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0), 11092 BPF_EXIT_INSN(), 11093 }, 11094 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 11095 .fixup_map1 = { 12, 22 }, 11096 .result = ACCEPT, 11097 }, 11098 { 11099 "calls: two jumps that receive map_value via arg=ptr_stack_of_jumper. test3", 11100 .insns = { 11101 /* main prog */ 11102 /* pass fp-16, fp-8 into a function */ 11103 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 11104 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 11105 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 11106 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16), 11107 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), 11108 BPF_MOV64_IMM(BPF_REG_0, 0), 11109 BPF_EXIT_INSN(), 11110 11111 /* subprog 1 */ 11112 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 11113 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2), 11114 /* 1st lookup from map */ 11115 BPF_ST_MEM(BPF_DW, BPF_REG_10, -24, 0), 11116 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 11117 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24), 11118 BPF_LD_MAP_FD(BPF_REG_1, 0), 11119 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 11120 BPF_FUNC_map_lookup_elem), 11121 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), 11122 BPF_MOV64_IMM(BPF_REG_8, 0), 11123 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 11124 /* write map_value_ptr into stack frame of main prog at fp-8 */ 11125 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0), 11126 BPF_MOV64_IMM(BPF_REG_8, 1), 11127 11128 /* 2nd lookup from map */ 11129 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 11130 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24), 11131 BPF_LD_MAP_FD(BPF_REG_1, 0), 11132 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 11133 BPF_FUNC_map_lookup_elem), 11134 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), 11135 BPF_MOV64_IMM(BPF_REG_9, 0), // 26 11136 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 11137 /* write map_value_ptr into stack frame of main prog at fp-16 */ 11138 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), 11139 BPF_MOV64_IMM(BPF_REG_9, 1), 11140 11141 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */ 11142 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), // 30 11143 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8), 11144 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7), 11145 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9), 11146 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), // 34 11147 BPF_JMP_IMM(BPF_JA, 0, 0, -30), 11148 11149 /* subprog 2 */ 11150 /* if arg2 == 1 do *arg1 = 0 */ 11151 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2), 11152 /* fetch map_value_ptr from the stack of this function */ 11153 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0), 11154 /* write into map value */ 11155 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0), 11156 11157 /* if arg4 == 1 do *arg3 = 0 */ 11158 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2), 11159 /* fetch map_value_ptr from the stack of this function */ 11160 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0), 11161 /* write into map value */ 11162 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0), 11163 BPF_JMP_IMM(BPF_JA, 0, 0, -8), 11164 }, 11165 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 11166 .fixup_map1 = { 12, 22 }, 11167 .result = REJECT, 11168 .errstr = "invalid access to map value, value_size=8 off=2 size=8", 11169 }, 11170 { 11171 "calls: two calls that receive map_value_ptr_or_null via arg. test1", 11172 .insns = { 11173 /* main prog */ 11174 /* pass fp-16, fp-8 into a function */ 11175 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 11176 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 11177 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 11178 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16), 11179 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2), 11180 BPF_MOV64_IMM(BPF_REG_0, 0), 11181 BPF_EXIT_INSN(), 11182 11183 /* subprog 1 */ 11184 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 11185 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2), 11186 /* 1st lookup from map */ 11187 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 11188 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 11189 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 11190 BPF_LD_MAP_FD(BPF_REG_1, 0), 11191 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 11192 BPF_FUNC_map_lookup_elem), 11193 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */ 11194 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0), 11195 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), 11196 BPF_MOV64_IMM(BPF_REG_8, 0), 11197 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 11198 BPF_MOV64_IMM(BPF_REG_8, 1), 11199 11200 /* 2nd lookup from map */ 11201 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 11202 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 11203 BPF_LD_MAP_FD(BPF_REG_1, 0), 11204 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 11205 BPF_FUNC_map_lookup_elem), 11206 /* write map_value_ptr_or_null into stack frame of main prog at fp-16 */ 11207 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), 11208 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), 11209 BPF_MOV64_IMM(BPF_REG_9, 0), 11210 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 11211 BPF_MOV64_IMM(BPF_REG_9, 1), 11212 11213 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */ 11214 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 11215 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8), 11216 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7), 11217 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9), 11218 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), 11219 BPF_EXIT_INSN(), 11220 11221 /* subprog 2 */ 11222 /* if arg2 == 1 do *arg1 = 0 */ 11223 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2), 11224 /* fetch map_value_ptr from the stack of this function */ 11225 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0), 11226 /* write into map value */ 11227 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0), 11228 11229 /* if arg4 == 1 do *arg3 = 0 */ 11230 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2), 11231 /* fetch map_value_ptr from the stack of this function */ 11232 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0), 11233 /* write into map value */ 11234 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0), 11235 BPF_EXIT_INSN(), 11236 }, 11237 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 11238 .fixup_map1 = { 12, 22 }, 11239 .result = ACCEPT, 11240 }, 11241 { 11242 "calls: two calls that receive map_value_ptr_or_null via arg. test2", 11243 .insns = { 11244 /* main prog */ 11245 /* pass fp-16, fp-8 into a function */ 11246 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 11247 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 11248 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 11249 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16), 11250 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2), 11251 BPF_MOV64_IMM(BPF_REG_0, 0), 11252 BPF_EXIT_INSN(), 11253 11254 /* subprog 1 */ 11255 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 11256 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2), 11257 /* 1st lookup from map */ 11258 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 11259 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 11260 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 11261 BPF_LD_MAP_FD(BPF_REG_1, 0), 11262 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 11263 BPF_FUNC_map_lookup_elem), 11264 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */ 11265 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0), 11266 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), 11267 BPF_MOV64_IMM(BPF_REG_8, 0), 11268 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 11269 BPF_MOV64_IMM(BPF_REG_8, 1), 11270 11271 /* 2nd lookup from map */ 11272 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 11273 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 11274 BPF_LD_MAP_FD(BPF_REG_1, 0), 11275 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 11276 BPF_FUNC_map_lookup_elem), 11277 /* write map_value_ptr_or_null into stack frame of main prog at fp-16 */ 11278 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0), 11279 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), 11280 BPF_MOV64_IMM(BPF_REG_9, 0), 11281 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 11282 BPF_MOV64_IMM(BPF_REG_9, 1), 11283 11284 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */ 11285 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 11286 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8), 11287 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7), 11288 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9), 11289 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), 11290 BPF_EXIT_INSN(), 11291 11292 /* subprog 2 */ 11293 /* if arg2 == 1 do *arg1 = 0 */ 11294 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2), 11295 /* fetch map_value_ptr from the stack of this function */ 11296 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0), 11297 /* write into map value */ 11298 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0), 11299 11300 /* if arg4 == 0 do *arg3 = 0 */ 11301 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 0, 2), 11302 /* fetch map_value_ptr from the stack of this function */ 11303 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0), 11304 /* write into map value */ 11305 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0), 11306 BPF_EXIT_INSN(), 11307 }, 11308 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 11309 .fixup_map1 = { 12, 22 }, 11310 .result = REJECT, 11311 .errstr = "R0 invalid mem access 'inv'", 11312 }, 11313 { 11314 "calls: pkt_ptr spill into caller stack", 11315 .insns = { 11316 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10), 11317 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8), 11318 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), 11319 BPF_EXIT_INSN(), 11320 11321 /* subprog 1 */ 11322 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 11323 offsetof(struct __sk_buff, data)), 11324 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 11325 offsetof(struct __sk_buff, data_end)), 11326 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 11327 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 11328 /* spill unchecked pkt_ptr into stack of caller */ 11329 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0), 11330 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2), 11331 /* now the pkt range is verified, read pkt_ptr from stack */ 11332 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0), 11333 /* write 4 bytes into packet */ 11334 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 11335 BPF_EXIT_INSN(), 11336 }, 11337 .result = ACCEPT, 11338 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 11339 .retval = POINTER_VALUE, 11340 }, 11341 { 11342 "calls: pkt_ptr spill into caller stack 2", 11343 .insns = { 11344 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10), 11345 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8), 11346 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3), 11347 /* Marking is still kept, but not in all cases safe. */ 11348 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8), 11349 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0), 11350 BPF_EXIT_INSN(), 11351 11352 /* subprog 1 */ 11353 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 11354 offsetof(struct __sk_buff, data)), 11355 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 11356 offsetof(struct __sk_buff, data_end)), 11357 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 11358 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 11359 /* spill unchecked pkt_ptr into stack of caller */ 11360 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0), 11361 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2), 11362 /* now the pkt range is verified, read pkt_ptr from stack */ 11363 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0), 11364 /* write 4 bytes into packet */ 11365 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 11366 BPF_EXIT_INSN(), 11367 }, 11368 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 11369 .errstr = "invalid access to packet", 11370 .result = REJECT, 11371 }, 11372 { 11373 "calls: pkt_ptr spill into caller stack 3", 11374 .insns = { 11375 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10), 11376 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8), 11377 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4), 11378 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 11379 /* Marking is still kept and safe here. */ 11380 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8), 11381 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0), 11382 BPF_EXIT_INSN(), 11383 11384 /* subprog 1 */ 11385 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 11386 offsetof(struct __sk_buff, data)), 11387 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 11388 offsetof(struct __sk_buff, data_end)), 11389 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 11390 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 11391 /* spill unchecked pkt_ptr into stack of caller */ 11392 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0), 11393 BPF_MOV64_IMM(BPF_REG_5, 0), 11394 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3), 11395 BPF_MOV64_IMM(BPF_REG_5, 1), 11396 /* now the pkt range is verified, read pkt_ptr from stack */ 11397 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0), 11398 /* write 4 bytes into packet */ 11399 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 11400 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5), 11401 BPF_EXIT_INSN(), 11402 }, 11403 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 11404 .result = ACCEPT, 11405 .retval = 1, 11406 }, 11407 { 11408 "calls: pkt_ptr spill into caller stack 4", 11409 .insns = { 11410 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10), 11411 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8), 11412 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4), 11413 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 11414 /* Check marking propagated. */ 11415 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8), 11416 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0), 11417 BPF_EXIT_INSN(), 11418 11419 /* subprog 1 */ 11420 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 11421 offsetof(struct __sk_buff, data)), 11422 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 11423 offsetof(struct __sk_buff, data_end)), 11424 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 11425 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 11426 /* spill unchecked pkt_ptr into stack of caller */ 11427 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0), 11428 BPF_MOV64_IMM(BPF_REG_5, 0), 11429 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2), 11430 BPF_MOV64_IMM(BPF_REG_5, 1), 11431 /* don't read back pkt_ptr from stack here */ 11432 /* write 4 bytes into packet */ 11433 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 11434 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5), 11435 BPF_EXIT_INSN(), 11436 }, 11437 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 11438 .result = ACCEPT, 11439 .retval = 1, 11440 }, 11441 { 11442 "calls: pkt_ptr spill into caller stack 5", 11443 .insns = { 11444 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10), 11445 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8), 11446 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, 0), 11447 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3), 11448 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8), 11449 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0), 11450 BPF_EXIT_INSN(), 11451 11452 /* subprog 1 */ 11453 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 11454 offsetof(struct __sk_buff, data)), 11455 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 11456 offsetof(struct __sk_buff, data_end)), 11457 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 11458 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 11459 BPF_MOV64_IMM(BPF_REG_5, 0), 11460 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3), 11461 /* spill checked pkt_ptr into stack of caller */ 11462 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0), 11463 BPF_MOV64_IMM(BPF_REG_5, 1), 11464 /* don't read back pkt_ptr from stack here */ 11465 /* write 4 bytes into packet */ 11466 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 11467 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5), 11468 BPF_EXIT_INSN(), 11469 }, 11470 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 11471 .errstr = "same insn cannot be used with different", 11472 .result = REJECT, 11473 }, 11474 { 11475 "calls: pkt_ptr spill into caller stack 6", 11476 .insns = { 11477 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 11478 offsetof(struct __sk_buff, data_end)), 11479 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10), 11480 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8), 11481 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0), 11482 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3), 11483 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8), 11484 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0), 11485 BPF_EXIT_INSN(), 11486 11487 /* subprog 1 */ 11488 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 11489 offsetof(struct __sk_buff, data)), 11490 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 11491 offsetof(struct __sk_buff, data_end)), 11492 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 11493 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 11494 BPF_MOV64_IMM(BPF_REG_5, 0), 11495 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3), 11496 /* spill checked pkt_ptr into stack of caller */ 11497 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0), 11498 BPF_MOV64_IMM(BPF_REG_5, 1), 11499 /* don't read back pkt_ptr from stack here */ 11500 /* write 4 bytes into packet */ 11501 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 11502 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5), 11503 BPF_EXIT_INSN(), 11504 }, 11505 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 11506 .errstr = "R4 invalid mem access", 11507 .result = REJECT, 11508 }, 11509 { 11510 "calls: pkt_ptr spill into caller stack 7", 11511 .insns = { 11512 BPF_MOV64_IMM(BPF_REG_2, 0), 11513 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10), 11514 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8), 11515 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0), 11516 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3), 11517 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8), 11518 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0), 11519 BPF_EXIT_INSN(), 11520 11521 /* subprog 1 */ 11522 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 11523 offsetof(struct __sk_buff, data)), 11524 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 11525 offsetof(struct __sk_buff, data_end)), 11526 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 11527 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 11528 BPF_MOV64_IMM(BPF_REG_5, 0), 11529 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3), 11530 /* spill checked pkt_ptr into stack of caller */ 11531 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0), 11532 BPF_MOV64_IMM(BPF_REG_5, 1), 11533 /* don't read back pkt_ptr from stack here */ 11534 /* write 4 bytes into packet */ 11535 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 11536 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5), 11537 BPF_EXIT_INSN(), 11538 }, 11539 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 11540 .errstr = "R4 invalid mem access", 11541 .result = REJECT, 11542 }, 11543 { 11544 "calls: pkt_ptr spill into caller stack 8", 11545 .insns = { 11546 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 11547 offsetof(struct __sk_buff, data)), 11548 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 11549 offsetof(struct __sk_buff, data_end)), 11550 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 11551 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 11552 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1), 11553 BPF_EXIT_INSN(), 11554 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10), 11555 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8), 11556 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0), 11557 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3), 11558 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8), 11559 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0), 11560 BPF_EXIT_INSN(), 11561 11562 /* subprog 1 */ 11563 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 11564 offsetof(struct __sk_buff, data)), 11565 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 11566 offsetof(struct __sk_buff, data_end)), 11567 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 11568 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 11569 BPF_MOV64_IMM(BPF_REG_5, 0), 11570 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3), 11571 /* spill checked pkt_ptr into stack of caller */ 11572 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0), 11573 BPF_MOV64_IMM(BPF_REG_5, 1), 11574 /* don't read back pkt_ptr from stack here */ 11575 /* write 4 bytes into packet */ 11576 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 11577 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5), 11578 BPF_EXIT_INSN(), 11579 }, 11580 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 11581 .result = ACCEPT, 11582 }, 11583 { 11584 "calls: pkt_ptr spill into caller stack 9", 11585 .insns = { 11586 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 11587 offsetof(struct __sk_buff, data)), 11588 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 11589 offsetof(struct __sk_buff, data_end)), 11590 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 11591 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 11592 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1), 11593 BPF_EXIT_INSN(), 11594 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10), 11595 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8), 11596 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0), 11597 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3), 11598 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8), 11599 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0), 11600 BPF_EXIT_INSN(), 11601 11602 /* subprog 1 */ 11603 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 11604 offsetof(struct __sk_buff, data)), 11605 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 11606 offsetof(struct __sk_buff, data_end)), 11607 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 11608 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 11609 BPF_MOV64_IMM(BPF_REG_5, 0), 11610 /* spill unchecked pkt_ptr into stack of caller */ 11611 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0), 11612 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2), 11613 BPF_MOV64_IMM(BPF_REG_5, 1), 11614 /* don't read back pkt_ptr from stack here */ 11615 /* write 4 bytes into packet */ 11616 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 11617 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5), 11618 BPF_EXIT_INSN(), 11619 }, 11620 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 11621 .errstr = "invalid access to packet", 11622 .result = REJECT, 11623 }, 11624 { 11625 "calls: caller stack init to zero or map_value_or_null", 11626 .insns = { 11627 BPF_MOV64_IMM(BPF_REG_0, 0), 11628 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 11629 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 11630 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 11631 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4), 11632 /* fetch map_value_or_null or const_zero from stack */ 11633 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8), 11634 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1), 11635 /* store into map_value */ 11636 BPF_ST_MEM(BPF_W, BPF_REG_0, 0, 0), 11637 BPF_EXIT_INSN(), 11638 11639 /* subprog 1 */ 11640 /* if (ctx == 0) return; */ 11641 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 8), 11642 /* else bpf_map_lookup() and *(fp - 8) = r0 */ 11643 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2), 11644 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 11645 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 11646 BPF_LD_MAP_FD(BPF_REG_1, 0), 11647 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 11648 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 11649 BPF_FUNC_map_lookup_elem), 11650 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */ 11651 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0), 11652 BPF_EXIT_INSN(), 11653 }, 11654 .fixup_map1 = { 13 }, 11655 .result = ACCEPT, 11656 .prog_type = BPF_PROG_TYPE_XDP, 11657 }, 11658 { 11659 "calls: stack init to zero and pruning", 11660 .insns = { 11661 /* first make allocated_stack 16 byte */ 11662 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0), 11663 /* now fork the execution such that the false branch 11664 * of JGT insn will be verified second and it skisp zero 11665 * init of fp-8 stack slot. If stack liveness marking 11666 * is missing live_read marks from call map_lookup 11667 * processing then pruning will incorrectly assume 11668 * that fp-8 stack slot was unused in the fall-through 11669 * branch and will accept the program incorrectly 11670 */ 11671 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 2), 11672 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 11673 BPF_JMP_IMM(BPF_JA, 0, 0, 0), 11674 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 11675 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 11676 BPF_LD_MAP_FD(BPF_REG_1, 0), 11677 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 11678 BPF_FUNC_map_lookup_elem), 11679 BPF_EXIT_INSN(), 11680 }, 11681 .fixup_map2 = { 6 }, 11682 .errstr = "invalid indirect read from stack off -8+0 size 8", 11683 .result = REJECT, 11684 .prog_type = BPF_PROG_TYPE_XDP, 11685 }, 11686 { 11687 "calls: two calls returning different map pointers for lookup (hash, array)", 11688 .insns = { 11689 /* main prog */ 11690 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), 11691 BPF_CALL_REL(11), 11692 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 11693 BPF_CALL_REL(12), 11694 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 11695 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 11696 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 11697 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 11698 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 11699 BPF_FUNC_map_lookup_elem), 11700 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 11701 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 11702 offsetof(struct test_val, foo)), 11703 BPF_MOV64_IMM(BPF_REG_0, 1), 11704 BPF_EXIT_INSN(), 11705 /* subprog 1 */ 11706 BPF_LD_MAP_FD(BPF_REG_0, 0), 11707 BPF_EXIT_INSN(), 11708 /* subprog 2 */ 11709 BPF_LD_MAP_FD(BPF_REG_0, 0), 11710 BPF_EXIT_INSN(), 11711 }, 11712 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 11713 .fixup_map2 = { 13 }, 11714 .fixup_map4 = { 16 }, 11715 .result = ACCEPT, 11716 .retval = 1, 11717 }, 11718 { 11719 "calls: two calls returning different map pointers for lookup (hash, map in map)", 11720 .insns = { 11721 /* main prog */ 11722 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), 11723 BPF_CALL_REL(11), 11724 BPF_JMP_IMM(BPF_JA, 0, 0, 1), 11725 BPF_CALL_REL(12), 11726 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 11727 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 11728 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 11729 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 11730 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 11731 BPF_FUNC_map_lookup_elem), 11732 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), 11733 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 11734 offsetof(struct test_val, foo)), 11735 BPF_MOV64_IMM(BPF_REG_0, 1), 11736 BPF_EXIT_INSN(), 11737 /* subprog 1 */ 11738 BPF_LD_MAP_FD(BPF_REG_0, 0), 11739 BPF_EXIT_INSN(), 11740 /* subprog 2 */ 11741 BPF_LD_MAP_FD(BPF_REG_0, 0), 11742 BPF_EXIT_INSN(), 11743 }, 11744 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 11745 .fixup_map_in_map = { 16 }, 11746 .fixup_map4 = { 13 }, 11747 .result = REJECT, 11748 .errstr = "R0 invalid mem access 'map_ptr'", 11749 }, 11750 { 11751 "cond: two branches returning different map pointers for lookup (tail, tail)", 11752 .insns = { 11753 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 11754 offsetof(struct __sk_buff, mark)), 11755 BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 0, 3), 11756 BPF_LD_MAP_FD(BPF_REG_2, 0), 11757 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 11758 BPF_LD_MAP_FD(BPF_REG_2, 0), 11759 BPF_MOV64_IMM(BPF_REG_3, 7), 11760 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 11761 BPF_FUNC_tail_call), 11762 BPF_MOV64_IMM(BPF_REG_0, 1), 11763 BPF_EXIT_INSN(), 11764 }, 11765 .fixup_prog1 = { 5 }, 11766 .fixup_prog2 = { 2 }, 11767 .result_unpriv = REJECT, 11768 .errstr_unpriv = "tail_call abusing map_ptr", 11769 .result = ACCEPT, 11770 .retval = 42, 11771 }, 11772 { 11773 "cond: two branches returning same map pointers for lookup (tail, tail)", 11774 .insns = { 11775 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, 11776 offsetof(struct __sk_buff, mark)), 11777 BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 3), 11778 BPF_LD_MAP_FD(BPF_REG_2, 0), 11779 BPF_JMP_IMM(BPF_JA, 0, 0, 2), 11780 BPF_LD_MAP_FD(BPF_REG_2, 0), 11781 BPF_MOV64_IMM(BPF_REG_3, 7), 11782 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 11783 BPF_FUNC_tail_call), 11784 BPF_MOV64_IMM(BPF_REG_0, 1), 11785 BPF_EXIT_INSN(), 11786 }, 11787 .fixup_prog2 = { 2, 5 }, 11788 .result_unpriv = ACCEPT, 11789 .result = ACCEPT, 11790 .retval = 42, 11791 }, 11792 { 11793 "search pruning: all branches should be verified (nop operation)", 11794 .insns = { 11795 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 11796 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 11797 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 11798 BPF_LD_MAP_FD(BPF_REG_1, 0), 11799 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 11800 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11), 11801 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0), 11802 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2), 11803 BPF_MOV64_IMM(BPF_REG_4, 0), 11804 BPF_JMP_A(1), 11805 BPF_MOV64_IMM(BPF_REG_4, 1), 11806 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16), 11807 BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns), 11808 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16), 11809 BPF_JMP_IMM(BPF_JEQ, BPF_REG_5, 0, 2), 11810 BPF_MOV64_IMM(BPF_REG_6, 0), 11811 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xdead), 11812 BPF_EXIT_INSN(), 11813 }, 11814 .fixup_map1 = { 3 }, 11815 .errstr = "R6 invalid mem access 'inv'", 11816 .result = REJECT, 11817 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 11818 }, 11819 { 11820 "search pruning: all branches should be verified (invalid stack access)", 11821 .insns = { 11822 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 11823 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 11824 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0), 11825 BPF_LD_MAP_FD(BPF_REG_1, 0), 11826 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 11827 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8), 11828 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0), 11829 BPF_MOV64_IMM(BPF_REG_4, 0), 11830 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2), 11831 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16), 11832 BPF_JMP_A(1), 11833 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -24), 11834 BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns), 11835 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16), 11836 BPF_EXIT_INSN(), 11837 }, 11838 .fixup_map1 = { 3 }, 11839 .errstr = "invalid read from stack off -16+0 size 8", 11840 .result = REJECT, 11841 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 11842 }, 11843 { 11844 "jit: lsh, rsh, arsh by 1", 11845 .insns = { 11846 BPF_MOV64_IMM(BPF_REG_0, 1), 11847 BPF_MOV64_IMM(BPF_REG_1, 0xff), 11848 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 1), 11849 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 1), 11850 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x3fc, 1), 11851 BPF_EXIT_INSN(), 11852 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 1), 11853 BPF_ALU32_IMM(BPF_RSH, BPF_REG_1, 1), 11854 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0xff, 1), 11855 BPF_EXIT_INSN(), 11856 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 1), 11857 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x7f, 1), 11858 BPF_EXIT_INSN(), 11859 BPF_MOV64_IMM(BPF_REG_0, 2), 11860 BPF_EXIT_INSN(), 11861 }, 11862 .result = ACCEPT, 11863 .retval = 2, 11864 }, 11865 { 11866 "jit: mov32 for ldimm64, 1", 11867 .insns = { 11868 BPF_MOV64_IMM(BPF_REG_0, 2), 11869 BPF_LD_IMM64(BPF_REG_1, 0xfeffffffffffffffULL), 11870 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32), 11871 BPF_LD_IMM64(BPF_REG_2, 0xfeffffffULL), 11872 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1), 11873 BPF_MOV64_IMM(BPF_REG_0, 1), 11874 BPF_EXIT_INSN(), 11875 }, 11876 .result = ACCEPT, 11877 .retval = 2, 11878 }, 11879 { 11880 "jit: mov32 for ldimm64, 2", 11881 .insns = { 11882 BPF_MOV64_IMM(BPF_REG_0, 1), 11883 BPF_LD_IMM64(BPF_REG_1, 0x1ffffffffULL), 11884 BPF_LD_IMM64(BPF_REG_2, 0xffffffffULL), 11885 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1), 11886 BPF_MOV64_IMM(BPF_REG_0, 2), 11887 BPF_EXIT_INSN(), 11888 }, 11889 .result = ACCEPT, 11890 .retval = 2, 11891 }, 11892 { 11893 "jit: various mul tests", 11894 .insns = { 11895 BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL), 11896 BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL), 11897 BPF_LD_IMM64(BPF_REG_1, 0xefefefULL), 11898 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_1), 11899 BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2), 11900 BPF_MOV64_IMM(BPF_REG_0, 1), 11901 BPF_EXIT_INSN(), 11902 BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL), 11903 BPF_ALU64_REG(BPF_MUL, BPF_REG_3, BPF_REG_1), 11904 BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2), 11905 BPF_MOV64_IMM(BPF_REG_0, 1), 11906 BPF_EXIT_INSN(), 11907 BPF_MOV32_REG(BPF_REG_2, BPF_REG_2), 11908 BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL), 11909 BPF_ALU32_REG(BPF_MUL, BPF_REG_0, BPF_REG_1), 11910 BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2), 11911 BPF_MOV64_IMM(BPF_REG_0, 1), 11912 BPF_EXIT_INSN(), 11913 BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL), 11914 BPF_ALU32_REG(BPF_MUL, BPF_REG_3, BPF_REG_1), 11915 BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2), 11916 BPF_MOV64_IMM(BPF_REG_0, 1), 11917 BPF_EXIT_INSN(), 11918 BPF_LD_IMM64(BPF_REG_0, 0x952a7bbcULL), 11919 BPF_LD_IMM64(BPF_REG_1, 0xfefefeULL), 11920 BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL), 11921 BPF_ALU32_REG(BPF_MUL, BPF_REG_2, BPF_REG_1), 11922 BPF_JMP_REG(BPF_JEQ, BPF_REG_2, BPF_REG_0, 2), 11923 BPF_MOV64_IMM(BPF_REG_0, 1), 11924 BPF_EXIT_INSN(), 11925 BPF_MOV64_IMM(BPF_REG_0, 2), 11926 BPF_EXIT_INSN(), 11927 }, 11928 .result = ACCEPT, 11929 .retval = 2, 11930 }, 11931 { 11932 "xadd/w check unaligned stack", 11933 .insns = { 11934 BPF_MOV64_IMM(BPF_REG_0, 1), 11935 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), 11936 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -7), 11937 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8), 11938 BPF_EXIT_INSN(), 11939 }, 11940 .result = REJECT, 11941 .errstr = "misaligned stack access off", 11942 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 11943 }, 11944 { 11945 "xadd/w check unaligned map", 11946 .insns = { 11947 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 11948 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 11949 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 11950 BPF_LD_MAP_FD(BPF_REG_1, 0), 11951 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 11952 BPF_FUNC_map_lookup_elem), 11953 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 11954 BPF_EXIT_INSN(), 11955 BPF_MOV64_IMM(BPF_REG_1, 1), 11956 BPF_STX_XADD(BPF_W, BPF_REG_0, BPF_REG_1, 3), 11957 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 3), 11958 BPF_EXIT_INSN(), 11959 }, 11960 .fixup_map1 = { 3 }, 11961 .result = REJECT, 11962 .errstr = "misaligned value access off", 11963 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 11964 }, 11965 { 11966 "xadd/w check unaligned pkt", 11967 .insns = { 11968 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 11969 offsetof(struct xdp_md, data)), 11970 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 11971 offsetof(struct xdp_md, data_end)), 11972 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 11973 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 11974 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 2), 11975 BPF_MOV64_IMM(BPF_REG_0, 99), 11976 BPF_JMP_IMM(BPF_JA, 0, 0, 6), 11977 BPF_MOV64_IMM(BPF_REG_0, 1), 11978 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 11979 BPF_ST_MEM(BPF_W, BPF_REG_2, 3, 0), 11980 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 1), 11981 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 2), 11982 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 1), 11983 BPF_EXIT_INSN(), 11984 }, 11985 .result = REJECT, 11986 .errstr = "BPF_XADD stores into R2 packet", 11987 .prog_type = BPF_PROG_TYPE_XDP, 11988 }, 11989 { 11990 "bpf_get_stack return R0 within range", 11991 .insns = { 11992 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 11993 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 11994 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 11995 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 11996 BPF_LD_MAP_FD(BPF_REG_1, 0), 11997 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 11998 BPF_FUNC_map_lookup_elem), 11999 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 28), 12000 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), 12001 BPF_MOV64_IMM(BPF_REG_9, sizeof(struct test_val)), 12002 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 12003 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), 12004 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct test_val)), 12005 BPF_MOV64_IMM(BPF_REG_4, 256), 12006 BPF_EMIT_CALL(BPF_FUNC_get_stack), 12007 BPF_MOV64_IMM(BPF_REG_1, 0), 12008 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), 12009 BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 32), 12010 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_8, 32), 12011 BPF_JMP_REG(BPF_JSLT, BPF_REG_1, BPF_REG_8, 16), 12012 BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8), 12013 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), 12014 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_8), 12015 BPF_MOV64_REG(BPF_REG_1, BPF_REG_9), 12016 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32), 12017 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 32), 12018 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), 12019 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_1), 12020 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), 12021 BPF_MOV64_IMM(BPF_REG_5, sizeof(struct test_val)), 12022 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_5), 12023 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 4), 12024 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 12025 BPF_MOV64_REG(BPF_REG_3, BPF_REG_9), 12026 BPF_MOV64_IMM(BPF_REG_4, 0), 12027 BPF_EMIT_CALL(BPF_FUNC_get_stack), 12028 BPF_EXIT_INSN(), 12029 }, 12030 .fixup_map2 = { 4 }, 12031 .result = ACCEPT, 12032 .prog_type = BPF_PROG_TYPE_TRACEPOINT, 12033 }, 12034 { 12035 "ld_abs: invalid op 1", 12036 .insns = { 12037 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 12038 BPF_LD_ABS(BPF_DW, 0), 12039 BPF_EXIT_INSN(), 12040 }, 12041 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 12042 .result = REJECT, 12043 .errstr = "unknown opcode", 12044 }, 12045 { 12046 "ld_abs: invalid op 2", 12047 .insns = { 12048 BPF_MOV32_IMM(BPF_REG_0, 256), 12049 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 12050 BPF_LD_IND(BPF_DW, BPF_REG_0, 0), 12051 BPF_EXIT_INSN(), 12052 }, 12053 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 12054 .result = REJECT, 12055 .errstr = "unknown opcode", 12056 }, 12057 { 12058 "ld_abs: nmap reduced", 12059 .insns = { 12060 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 12061 BPF_LD_ABS(BPF_H, 12), 12062 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 28), 12063 BPF_LD_ABS(BPF_H, 12), 12064 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 26), 12065 BPF_MOV32_IMM(BPF_REG_0, 18), 12066 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -64), 12067 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -64), 12068 BPF_LD_IND(BPF_W, BPF_REG_7, 14), 12069 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -60), 12070 BPF_MOV32_IMM(BPF_REG_0, 280971478), 12071 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56), 12072 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56), 12073 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -60), 12074 BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7), 12075 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 15), 12076 BPF_LD_ABS(BPF_H, 12), 12077 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 13), 12078 BPF_MOV32_IMM(BPF_REG_0, 22), 12079 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56), 12080 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56), 12081 BPF_LD_IND(BPF_H, BPF_REG_7, 14), 12082 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -52), 12083 BPF_MOV32_IMM(BPF_REG_0, 17366), 12084 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -48), 12085 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -48), 12086 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -52), 12087 BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7), 12088 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), 12089 BPF_MOV32_IMM(BPF_REG_0, 256), 12090 BPF_EXIT_INSN(), 12091 BPF_MOV32_IMM(BPF_REG_0, 0), 12092 BPF_EXIT_INSN(), 12093 }, 12094 .data = { 12095 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x08, 0x06, 0, 12096 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 12097 0x10, 0xbf, 0x48, 0xd6, 0x43, 0xd6, 12098 }, 12099 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 12100 .result = ACCEPT, 12101 .retval = 256, 12102 }, 12103 { 12104 "ld_abs: div + abs, test 1", 12105 .insns = { 12106 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1), 12107 BPF_LD_ABS(BPF_B, 3), 12108 BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2), 12109 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2), 12110 BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0), 12111 BPF_LD_ABS(BPF_B, 4), 12112 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0), 12113 BPF_LD_IND(BPF_B, BPF_REG_8, -70), 12114 BPF_EXIT_INSN(), 12115 }, 12116 .data = { 12117 10, 20, 30, 40, 50, 12118 }, 12119 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 12120 .result = ACCEPT, 12121 .retval = 10, 12122 }, 12123 { 12124 "ld_abs: div + abs, test 2", 12125 .insns = { 12126 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1), 12127 BPF_LD_ABS(BPF_B, 3), 12128 BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2), 12129 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2), 12130 BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0), 12131 BPF_LD_ABS(BPF_B, 128), 12132 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0), 12133 BPF_LD_IND(BPF_B, BPF_REG_8, -70), 12134 BPF_EXIT_INSN(), 12135 }, 12136 .data = { 12137 10, 20, 30, 40, 50, 12138 }, 12139 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 12140 .result = ACCEPT, 12141 .retval = 0, 12142 }, 12143 { 12144 "ld_abs: div + abs, test 3", 12145 .insns = { 12146 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1), 12147 BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0), 12148 BPF_LD_ABS(BPF_B, 3), 12149 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7), 12150 BPF_EXIT_INSN(), 12151 }, 12152 .data = { 12153 10, 20, 30, 40, 50, 12154 }, 12155 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 12156 .result = ACCEPT, 12157 .retval = 0, 12158 }, 12159 { 12160 "ld_abs: div + abs, test 4", 12161 .insns = { 12162 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1), 12163 BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0), 12164 BPF_LD_ABS(BPF_B, 256), 12165 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7), 12166 BPF_EXIT_INSN(), 12167 }, 12168 .data = { 12169 10, 20, 30, 40, 50, 12170 }, 12171 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 12172 .result = ACCEPT, 12173 .retval = 0, 12174 }, 12175 { 12176 "ld_abs: vlan + abs, test 1", 12177 .insns = { }, 12178 .data = { 12179 0x34, 12180 }, 12181 .fill_helper = bpf_fill_ld_abs_vlan_push_pop, 12182 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 12183 .result = ACCEPT, 12184 .retval = 0xbef, 12185 }, 12186 { 12187 "ld_abs: vlan + abs, test 2", 12188 .insns = { 12189 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 12190 BPF_LD_ABS(BPF_B, 0), 12191 BPF_LD_ABS(BPF_H, 0), 12192 BPF_LD_ABS(BPF_W, 0), 12193 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6), 12194 BPF_MOV64_IMM(BPF_REG_6, 0), 12195 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), 12196 BPF_MOV64_IMM(BPF_REG_2, 1), 12197 BPF_MOV64_IMM(BPF_REG_3, 2), 12198 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 12199 BPF_FUNC_skb_vlan_push), 12200 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7), 12201 BPF_LD_ABS(BPF_B, 0), 12202 BPF_LD_ABS(BPF_H, 0), 12203 BPF_LD_ABS(BPF_W, 0), 12204 BPF_MOV64_IMM(BPF_REG_0, 42), 12205 BPF_EXIT_INSN(), 12206 }, 12207 .data = { 12208 0x34, 12209 }, 12210 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 12211 .result = ACCEPT, 12212 .retval = 42, 12213 }, 12214 { 12215 "ld_abs: jump around ld_abs", 12216 .insns = { }, 12217 .data = { 12218 10, 11, 12219 }, 12220 .fill_helper = bpf_fill_jump_around_ld_abs, 12221 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 12222 .result = ACCEPT, 12223 .retval = 10, 12224 }, 12225 { 12226 "ld_dw: xor semi-random 64 bit imms, test 1", 12227 .insns = { }, 12228 .data = { }, 12229 .fill_helper = bpf_fill_rand_ld_dw, 12230 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 12231 .result = ACCEPT, 12232 .retval = 4090, 12233 }, 12234 { 12235 "ld_dw: xor semi-random 64 bit imms, test 2", 12236 .insns = { }, 12237 .data = { }, 12238 .fill_helper = bpf_fill_rand_ld_dw, 12239 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 12240 .result = ACCEPT, 12241 .retval = 2047, 12242 }, 12243 { 12244 "ld_dw: xor semi-random 64 bit imms, test 3", 12245 .insns = { }, 12246 .data = { }, 12247 .fill_helper = bpf_fill_rand_ld_dw, 12248 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 12249 .result = ACCEPT, 12250 .retval = 511, 12251 }, 12252 { 12253 "ld_dw: xor semi-random 64 bit imms, test 4", 12254 .insns = { }, 12255 .data = { }, 12256 .fill_helper = bpf_fill_rand_ld_dw, 12257 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 12258 .result = ACCEPT, 12259 .retval = 5, 12260 }, 12261 { 12262 "pass unmodified ctx pointer to helper", 12263 .insns = { 12264 BPF_MOV64_IMM(BPF_REG_2, 0), 12265 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 12266 BPF_FUNC_csum_update), 12267 BPF_MOV64_IMM(BPF_REG_0, 0), 12268 BPF_EXIT_INSN(), 12269 }, 12270 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 12271 .result = ACCEPT, 12272 }, 12273 { 12274 "pass modified ctx pointer to helper, 1", 12275 .insns = { 12276 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612), 12277 BPF_MOV64_IMM(BPF_REG_2, 0), 12278 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 12279 BPF_FUNC_csum_update), 12280 BPF_MOV64_IMM(BPF_REG_0, 0), 12281 BPF_EXIT_INSN(), 12282 }, 12283 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 12284 .result = REJECT, 12285 .errstr = "dereference of modified ctx ptr", 12286 }, 12287 { 12288 "pass modified ctx pointer to helper, 2", 12289 .insns = { 12290 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612), 12291 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 12292 BPF_FUNC_get_socket_cookie), 12293 BPF_MOV64_IMM(BPF_REG_0, 0), 12294 BPF_EXIT_INSN(), 12295 }, 12296 .result_unpriv = REJECT, 12297 .result = REJECT, 12298 .errstr_unpriv = "dereference of modified ctx ptr", 12299 .errstr = "dereference of modified ctx ptr", 12300 }, 12301 { 12302 "pass modified ctx pointer to helper, 3", 12303 .insns = { 12304 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 0), 12305 BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 4), 12306 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3), 12307 BPF_MOV64_IMM(BPF_REG_2, 0), 12308 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 12309 BPF_FUNC_csum_update), 12310 BPF_MOV64_IMM(BPF_REG_0, 0), 12311 BPF_EXIT_INSN(), 12312 }, 12313 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 12314 .result = REJECT, 12315 .errstr = "variable ctx access var_off=(0x0; 0x4)", 12316 }, 12317 }; 12318 12319 static int probe_filter_length(const struct bpf_insn *fp) 12320 { 12321 int len; 12322 12323 for (len = MAX_INSNS - 1; len > 0; --len) 12324 if (fp[len].code != 0 || fp[len].imm != 0) 12325 break; 12326 return len + 1; 12327 } 12328 12329 static int create_map(uint32_t type, uint32_t size_key, 12330 uint32_t size_value, uint32_t max_elem) 12331 { 12332 int fd; 12333 12334 fd = bpf_create_map(type, size_key, size_value, max_elem, 12335 type == BPF_MAP_TYPE_HASH ? BPF_F_NO_PREALLOC : 0); 12336 if (fd < 0) 12337 printf("Failed to create hash map '%s'!\n", strerror(errno)); 12338 12339 return fd; 12340 } 12341 12342 static int create_prog_dummy1(void) 12343 { 12344 struct bpf_insn prog[] = { 12345 BPF_MOV64_IMM(BPF_REG_0, 42), 12346 BPF_EXIT_INSN(), 12347 }; 12348 12349 return bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog, 12350 ARRAY_SIZE(prog), "GPL", 0, NULL, 0); 12351 } 12352 12353 static int create_prog_dummy2(int mfd, int idx) 12354 { 12355 struct bpf_insn prog[] = { 12356 BPF_MOV64_IMM(BPF_REG_3, idx), 12357 BPF_LD_MAP_FD(BPF_REG_2, mfd), 12358 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 12359 BPF_FUNC_tail_call), 12360 BPF_MOV64_IMM(BPF_REG_0, 41), 12361 BPF_EXIT_INSN(), 12362 }; 12363 12364 return bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog, 12365 ARRAY_SIZE(prog), "GPL", 0, NULL, 0); 12366 } 12367 12368 static int create_prog_array(uint32_t max_elem, int p1key) 12369 { 12370 int p2key = 1; 12371 int mfd, p1fd, p2fd; 12372 12373 mfd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int), 12374 sizeof(int), max_elem, 0); 12375 if (mfd < 0) { 12376 printf("Failed to create prog array '%s'!\n", strerror(errno)); 12377 return -1; 12378 } 12379 12380 p1fd = create_prog_dummy1(); 12381 p2fd = create_prog_dummy2(mfd, p2key); 12382 if (p1fd < 0 || p2fd < 0) 12383 goto out; 12384 if (bpf_map_update_elem(mfd, &p1key, &p1fd, BPF_ANY) < 0) 12385 goto out; 12386 if (bpf_map_update_elem(mfd, &p2key, &p2fd, BPF_ANY) < 0) 12387 goto out; 12388 close(p2fd); 12389 close(p1fd); 12390 12391 return mfd; 12392 out: 12393 close(p2fd); 12394 close(p1fd); 12395 close(mfd); 12396 return -1; 12397 } 12398 12399 static int create_map_in_map(void) 12400 { 12401 int inner_map_fd, outer_map_fd; 12402 12403 inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int), 12404 sizeof(int), 1, 0); 12405 if (inner_map_fd < 0) { 12406 printf("Failed to create array '%s'!\n", strerror(errno)); 12407 return inner_map_fd; 12408 } 12409 12410 outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL, 12411 sizeof(int), inner_map_fd, 1, 0); 12412 if (outer_map_fd < 0) 12413 printf("Failed to create array of maps '%s'!\n", 12414 strerror(errno)); 12415 12416 close(inner_map_fd); 12417 12418 return outer_map_fd; 12419 } 12420 12421 static char bpf_vlog[UINT_MAX >> 8]; 12422 12423 static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog, 12424 int *map_fds) 12425 { 12426 int *fixup_map1 = test->fixup_map1; 12427 int *fixup_map2 = test->fixup_map2; 12428 int *fixup_map3 = test->fixup_map3; 12429 int *fixup_map4 = test->fixup_map4; 12430 int *fixup_prog1 = test->fixup_prog1; 12431 int *fixup_prog2 = test->fixup_prog2; 12432 int *fixup_map_in_map = test->fixup_map_in_map; 12433 12434 if (test->fill_helper) 12435 test->fill_helper(test); 12436 12437 /* Allocating HTs with 1 elem is fine here, since we only test 12438 * for verifier and not do a runtime lookup, so the only thing 12439 * that really matters is value size in this case. 12440 */ 12441 if (*fixup_map1) { 12442 map_fds[0] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long), 12443 sizeof(long long), 1); 12444 do { 12445 prog[*fixup_map1].imm = map_fds[0]; 12446 fixup_map1++; 12447 } while (*fixup_map1); 12448 } 12449 12450 if (*fixup_map2) { 12451 map_fds[1] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long), 12452 sizeof(struct test_val), 1); 12453 do { 12454 prog[*fixup_map2].imm = map_fds[1]; 12455 fixup_map2++; 12456 } while (*fixup_map2); 12457 } 12458 12459 if (*fixup_map3) { 12460 map_fds[2] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long), 12461 sizeof(struct other_val), 1); 12462 do { 12463 prog[*fixup_map3].imm = map_fds[2]; 12464 fixup_map3++; 12465 } while (*fixup_map3); 12466 } 12467 12468 if (*fixup_map4) { 12469 map_fds[3] = create_map(BPF_MAP_TYPE_ARRAY, sizeof(int), 12470 sizeof(struct test_val), 1); 12471 do { 12472 prog[*fixup_map4].imm = map_fds[3]; 12473 fixup_map4++; 12474 } while (*fixup_map4); 12475 } 12476 12477 if (*fixup_prog1) { 12478 map_fds[4] = create_prog_array(4, 0); 12479 do { 12480 prog[*fixup_prog1].imm = map_fds[4]; 12481 fixup_prog1++; 12482 } while (*fixup_prog1); 12483 } 12484 12485 if (*fixup_prog2) { 12486 map_fds[5] = create_prog_array(8, 7); 12487 do { 12488 prog[*fixup_prog2].imm = map_fds[5]; 12489 fixup_prog2++; 12490 } while (*fixup_prog2); 12491 } 12492 12493 if (*fixup_map_in_map) { 12494 map_fds[6] = create_map_in_map(); 12495 do { 12496 prog[*fixup_map_in_map].imm = map_fds[6]; 12497 fixup_map_in_map++; 12498 } while (*fixup_map_in_map); 12499 } 12500 } 12501 12502 static void do_test_single(struct bpf_test *test, bool unpriv, 12503 int *passes, int *errors) 12504 { 12505 int fd_prog, expected_ret, reject_from_alignment; 12506 int prog_len, prog_type = test->prog_type; 12507 struct bpf_insn *prog = test->insns; 12508 int map_fds[MAX_NR_MAPS]; 12509 const char *expected_err; 12510 uint32_t retval; 12511 int i, err; 12512 12513 for (i = 0; i < MAX_NR_MAPS; i++) 12514 map_fds[i] = -1; 12515 12516 do_test_fixup(test, prog, map_fds); 12517 prog_len = probe_filter_length(prog); 12518 12519 fd_prog = bpf_verify_program(prog_type ? : BPF_PROG_TYPE_SOCKET_FILTER, 12520 prog, prog_len, test->flags & F_LOAD_WITH_STRICT_ALIGNMENT, 12521 "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1); 12522 12523 expected_ret = unpriv && test->result_unpriv != UNDEF ? 12524 test->result_unpriv : test->result; 12525 expected_err = unpriv && test->errstr_unpriv ? 12526 test->errstr_unpriv : test->errstr; 12527 12528 reject_from_alignment = fd_prog < 0 && 12529 (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) && 12530 strstr(bpf_vlog, "Unknown alignment."); 12531 #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 12532 if (reject_from_alignment) { 12533 printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n", 12534 strerror(errno)); 12535 goto fail_log; 12536 } 12537 #endif 12538 if (expected_ret == ACCEPT) { 12539 if (fd_prog < 0 && !reject_from_alignment) { 12540 printf("FAIL\nFailed to load prog '%s'!\n", 12541 strerror(errno)); 12542 goto fail_log; 12543 } 12544 } else { 12545 if (fd_prog >= 0) { 12546 printf("FAIL\nUnexpected success to load!\n"); 12547 goto fail_log; 12548 } 12549 if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) { 12550 printf("FAIL\nUnexpected error message!\n\tEXP: %s\n\tRES: %s\n", 12551 expected_err, bpf_vlog); 12552 goto fail_log; 12553 } 12554 } 12555 12556 if (fd_prog >= 0) { 12557 err = bpf_prog_test_run(fd_prog, 1, test->data, 12558 sizeof(test->data), NULL, NULL, 12559 &retval, NULL); 12560 if (err && errno != 524/*ENOTSUPP*/ && errno != EPERM) { 12561 printf("Unexpected bpf_prog_test_run error\n"); 12562 goto fail_log; 12563 } 12564 if (!err && retval != test->retval && 12565 test->retval != POINTER_VALUE) { 12566 printf("FAIL retval %d != %d\n", retval, test->retval); 12567 goto fail_log; 12568 } 12569 } 12570 (*passes)++; 12571 printf("OK%s\n", reject_from_alignment ? 12572 " (NOTE: reject due to unknown alignment)" : ""); 12573 close_fds: 12574 close(fd_prog); 12575 for (i = 0; i < MAX_NR_MAPS; i++) 12576 close(map_fds[i]); 12577 sched_yield(); 12578 return; 12579 fail_log: 12580 (*errors)++; 12581 printf("%s", bpf_vlog); 12582 goto close_fds; 12583 } 12584 12585 static bool is_admin(void) 12586 { 12587 cap_t caps; 12588 cap_flag_value_t sysadmin = CAP_CLEAR; 12589 const cap_value_t cap_val = CAP_SYS_ADMIN; 12590 12591 #ifdef CAP_IS_SUPPORTED 12592 if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) { 12593 perror("cap_get_flag"); 12594 return false; 12595 } 12596 #endif 12597 caps = cap_get_proc(); 12598 if (!caps) { 12599 perror("cap_get_proc"); 12600 return false; 12601 } 12602 if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin)) 12603 perror("cap_get_flag"); 12604 if (cap_free(caps)) 12605 perror("cap_free"); 12606 return (sysadmin == CAP_SET); 12607 } 12608 12609 static int set_admin(bool admin) 12610 { 12611 cap_t caps; 12612 const cap_value_t cap_val = CAP_SYS_ADMIN; 12613 int ret = -1; 12614 12615 caps = cap_get_proc(); 12616 if (!caps) { 12617 perror("cap_get_proc"); 12618 return -1; 12619 } 12620 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val, 12621 admin ? CAP_SET : CAP_CLEAR)) { 12622 perror("cap_set_flag"); 12623 goto out; 12624 } 12625 if (cap_set_proc(caps)) { 12626 perror("cap_set_proc"); 12627 goto out; 12628 } 12629 ret = 0; 12630 out: 12631 if (cap_free(caps)) 12632 perror("cap_free"); 12633 return ret; 12634 } 12635 12636 static void get_unpriv_disabled() 12637 { 12638 char buf[2]; 12639 FILE *fd; 12640 12641 fd = fopen("/proc/sys/"UNPRIV_SYSCTL, "r"); 12642 if (!fd) { 12643 perror("fopen /proc/sys/"UNPRIV_SYSCTL); 12644 unpriv_disabled = true; 12645 return; 12646 } 12647 if (fgets(buf, 2, fd) == buf && atoi(buf)) 12648 unpriv_disabled = true; 12649 fclose(fd); 12650 } 12651 12652 static int do_test(bool unpriv, unsigned int from, unsigned int to) 12653 { 12654 int i, passes = 0, errors = 0, skips = 0; 12655 12656 for (i = from; i < to; i++) { 12657 struct bpf_test *test = &tests[i]; 12658 12659 /* Program types that are not supported by non-root we 12660 * skip right away. 12661 */ 12662 if (!test->prog_type && unpriv_disabled) { 12663 printf("#%d/u %s SKIP\n", i, test->descr); 12664 skips++; 12665 } else if (!test->prog_type) { 12666 if (!unpriv) 12667 set_admin(false); 12668 printf("#%d/u %s ", i, test->descr); 12669 do_test_single(test, true, &passes, &errors); 12670 if (!unpriv) 12671 set_admin(true); 12672 } 12673 12674 if (unpriv) { 12675 printf("#%d/p %s SKIP\n", i, test->descr); 12676 skips++; 12677 } else { 12678 printf("#%d/p %s ", i, test->descr); 12679 do_test_single(test, false, &passes, &errors); 12680 } 12681 } 12682 12683 printf("Summary: %d PASSED, %d SKIPPED, %d FAILED\n", passes, 12684 skips, errors); 12685 return errors ? EXIT_FAILURE : EXIT_SUCCESS; 12686 } 12687 12688 int main(int argc, char **argv) 12689 { 12690 unsigned int from = 0, to = ARRAY_SIZE(tests); 12691 bool unpriv = !is_admin(); 12692 12693 if (argc == 3) { 12694 unsigned int l = atoi(argv[argc - 2]); 12695 unsigned int u = atoi(argv[argc - 1]); 12696 12697 if (l < to && u < to) { 12698 from = l; 12699 to = u + 1; 12700 } 12701 } else if (argc == 2) { 12702 unsigned int t = atoi(argv[argc - 1]); 12703 12704 if (t < to) { 12705 from = t; 12706 to = t + 1; 12707 } 12708 } 12709 12710 get_unpriv_disabled(); 12711 if (unpriv && unpriv_disabled) { 12712 printf("Cannot run as unprivileged user with sysctl %s.\n", 12713 UNPRIV_SYSCTL); 12714 return EXIT_FAILURE; 12715 } 12716 12717 bpf_semi_rand_init(); 12718 return do_test(unpriv, from, to); 12719 } 12720