1 { 2 "access skb fields ok", 3 .insns = { 4 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 5 offsetof(struct __sk_buff, len)), 6 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 7 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 8 offsetof(struct __sk_buff, mark)), 9 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 10 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 11 offsetof(struct __sk_buff, pkt_type)), 12 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 13 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 14 offsetof(struct __sk_buff, queue_mapping)), 15 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 16 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 17 offsetof(struct __sk_buff, protocol)), 18 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 19 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 20 offsetof(struct __sk_buff, vlan_present)), 21 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 22 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 23 offsetof(struct __sk_buff, vlan_tci)), 24 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 25 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 26 offsetof(struct __sk_buff, napi_id)), 27 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0), 28 BPF_EXIT_INSN(), 29 }, 30 .result = ACCEPT, 31 }, 32 { 33 "access skb fields bad1", 34 .insns = { 35 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4), 36 BPF_EXIT_INSN(), 37 }, 38 .errstr = "invalid bpf_context access", 39 .result = REJECT, 40 }, 41 { 42 "access skb fields bad2", 43 .insns = { 44 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9), 45 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 46 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 47 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 48 BPF_LD_MAP_FD(BPF_REG_1, 0), 49 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 50 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 51 BPF_EXIT_INSN(), 52 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 53 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 54 offsetof(struct __sk_buff, pkt_type)), 55 BPF_EXIT_INSN(), 56 }, 57 .fixup_map_hash_8b = { 4 }, 58 .errstr = "different pointers", 59 .errstr_unpriv = "R1 pointer comparison", 60 .result = REJECT, 61 }, 62 { 63 "access skb fields bad3", 64 .insns = { 65 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), 66 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 67 offsetof(struct __sk_buff, pkt_type)), 68 BPF_EXIT_INSN(), 69 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 70 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 71 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 72 BPF_LD_MAP_FD(BPF_REG_1, 0), 73 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 74 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 75 BPF_EXIT_INSN(), 76 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 77 BPF_JMP_IMM(BPF_JA, 0, 0, -12), 78 }, 79 .fixup_map_hash_8b = { 6 }, 80 .errstr = "different pointers", 81 .errstr_unpriv = "R1 pointer comparison", 82 .result = REJECT, 83 }, 84 { 85 "access skb fields bad4", 86 .insns = { 87 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3), 88 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 89 offsetof(struct __sk_buff, len)), 90 BPF_MOV64_IMM(BPF_REG_0, 0), 91 BPF_EXIT_INSN(), 92 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 93 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 94 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 95 BPF_LD_MAP_FD(BPF_REG_1, 0), 96 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 97 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 98 BPF_EXIT_INSN(), 99 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 100 BPF_JMP_IMM(BPF_JA, 0, 0, -13), 101 }, 102 .fixup_map_hash_8b = { 7 }, 103 .errstr = "different pointers", 104 .errstr_unpriv = "R1 pointer comparison", 105 .result = REJECT, 106 }, 107 { 108 "invalid access __sk_buff family", 109 .insns = { 110 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 111 offsetof(struct __sk_buff, family)), 112 BPF_EXIT_INSN(), 113 }, 114 .errstr = "invalid bpf_context access", 115 .result = REJECT, 116 }, 117 { 118 "invalid access __sk_buff remote_ip4", 119 .insns = { 120 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 121 offsetof(struct __sk_buff, remote_ip4)), 122 BPF_EXIT_INSN(), 123 }, 124 .errstr = "invalid bpf_context access", 125 .result = REJECT, 126 }, 127 { 128 "invalid access __sk_buff local_ip4", 129 .insns = { 130 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 131 offsetof(struct __sk_buff, local_ip4)), 132 BPF_EXIT_INSN(), 133 }, 134 .errstr = "invalid bpf_context access", 135 .result = REJECT, 136 }, 137 { 138 "invalid access __sk_buff remote_ip6", 139 .insns = { 140 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 141 offsetof(struct __sk_buff, remote_ip6)), 142 BPF_EXIT_INSN(), 143 }, 144 .errstr = "invalid bpf_context access", 145 .result = REJECT, 146 }, 147 { 148 "invalid access __sk_buff local_ip6", 149 .insns = { 150 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 151 offsetof(struct __sk_buff, local_ip6)), 152 BPF_EXIT_INSN(), 153 }, 154 .errstr = "invalid bpf_context access", 155 .result = REJECT, 156 }, 157 { 158 "invalid access __sk_buff remote_port", 159 .insns = { 160 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 161 offsetof(struct __sk_buff, remote_port)), 162 BPF_EXIT_INSN(), 163 }, 164 .errstr = "invalid bpf_context access", 165 .result = REJECT, 166 }, 167 { 168 "invalid access __sk_buff remote_port", 169 .insns = { 170 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 171 offsetof(struct __sk_buff, local_port)), 172 BPF_EXIT_INSN(), 173 }, 174 .errstr = "invalid bpf_context access", 175 .result = REJECT, 176 }, 177 { 178 "valid access __sk_buff family", 179 .insns = { 180 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 181 offsetof(struct __sk_buff, family)), 182 BPF_EXIT_INSN(), 183 }, 184 .result = ACCEPT, 185 .prog_type = BPF_PROG_TYPE_SK_SKB, 186 }, 187 { 188 "valid access __sk_buff remote_ip4", 189 .insns = { 190 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 191 offsetof(struct __sk_buff, remote_ip4)), 192 BPF_EXIT_INSN(), 193 }, 194 .result = ACCEPT, 195 .prog_type = BPF_PROG_TYPE_SK_SKB, 196 }, 197 { 198 "valid access __sk_buff local_ip4", 199 .insns = { 200 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 201 offsetof(struct __sk_buff, local_ip4)), 202 BPF_EXIT_INSN(), 203 }, 204 .result = ACCEPT, 205 .prog_type = BPF_PROG_TYPE_SK_SKB, 206 }, 207 { 208 "valid access __sk_buff remote_ip6", 209 .insns = { 210 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 211 offsetof(struct __sk_buff, remote_ip6[0])), 212 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 213 offsetof(struct __sk_buff, remote_ip6[1])), 214 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 215 offsetof(struct __sk_buff, remote_ip6[2])), 216 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 217 offsetof(struct __sk_buff, remote_ip6[3])), 218 BPF_EXIT_INSN(), 219 }, 220 .result = ACCEPT, 221 .prog_type = BPF_PROG_TYPE_SK_SKB, 222 }, 223 { 224 "valid access __sk_buff local_ip6", 225 .insns = { 226 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 227 offsetof(struct __sk_buff, local_ip6[0])), 228 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 229 offsetof(struct __sk_buff, local_ip6[1])), 230 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 231 offsetof(struct __sk_buff, local_ip6[2])), 232 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 233 offsetof(struct __sk_buff, local_ip6[3])), 234 BPF_EXIT_INSN(), 235 }, 236 .result = ACCEPT, 237 .prog_type = BPF_PROG_TYPE_SK_SKB, 238 }, 239 { 240 "valid access __sk_buff remote_port", 241 .insns = { 242 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 243 offsetof(struct __sk_buff, remote_port)), 244 BPF_EXIT_INSN(), 245 }, 246 .result = ACCEPT, 247 .prog_type = BPF_PROG_TYPE_SK_SKB, 248 }, 249 { 250 "valid access __sk_buff remote_port", 251 .insns = { 252 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 253 offsetof(struct __sk_buff, local_port)), 254 BPF_EXIT_INSN(), 255 }, 256 .result = ACCEPT, 257 .prog_type = BPF_PROG_TYPE_SK_SKB, 258 }, 259 { 260 "invalid access of tc_classid for SK_SKB", 261 .insns = { 262 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 263 offsetof(struct __sk_buff, tc_classid)), 264 BPF_EXIT_INSN(), 265 }, 266 .result = REJECT, 267 .prog_type = BPF_PROG_TYPE_SK_SKB, 268 .errstr = "invalid bpf_context access", 269 }, 270 { 271 "invalid access of skb->mark for SK_SKB", 272 .insns = { 273 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 274 offsetof(struct __sk_buff, mark)), 275 BPF_EXIT_INSN(), 276 }, 277 .result = REJECT, 278 .prog_type = BPF_PROG_TYPE_SK_SKB, 279 .errstr = "invalid bpf_context access", 280 }, 281 { 282 "check skb->mark is not writeable by SK_SKB", 283 .insns = { 284 BPF_MOV64_IMM(BPF_REG_0, 0), 285 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 286 offsetof(struct __sk_buff, mark)), 287 BPF_EXIT_INSN(), 288 }, 289 .result = REJECT, 290 .prog_type = BPF_PROG_TYPE_SK_SKB, 291 .errstr = "invalid bpf_context access", 292 }, 293 { 294 "check skb->tc_index is writeable by SK_SKB", 295 .insns = { 296 BPF_MOV64_IMM(BPF_REG_0, 0), 297 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 298 offsetof(struct __sk_buff, tc_index)), 299 BPF_EXIT_INSN(), 300 }, 301 .result = ACCEPT, 302 .prog_type = BPF_PROG_TYPE_SK_SKB, 303 }, 304 { 305 "check skb->priority is writeable by SK_SKB", 306 .insns = { 307 BPF_MOV64_IMM(BPF_REG_0, 0), 308 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 309 offsetof(struct __sk_buff, priority)), 310 BPF_EXIT_INSN(), 311 }, 312 .result = ACCEPT, 313 .prog_type = BPF_PROG_TYPE_SK_SKB, 314 }, 315 { 316 "direct packet read for SK_SKB", 317 .insns = { 318 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 319 offsetof(struct __sk_buff, data)), 320 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 321 offsetof(struct __sk_buff, data_end)), 322 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 323 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 324 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 325 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0), 326 BPF_MOV64_IMM(BPF_REG_0, 0), 327 BPF_EXIT_INSN(), 328 }, 329 .result = ACCEPT, 330 .prog_type = BPF_PROG_TYPE_SK_SKB, 331 }, 332 { 333 "direct packet write for SK_SKB", 334 .insns = { 335 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 336 offsetof(struct __sk_buff, data)), 337 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 338 offsetof(struct __sk_buff, data_end)), 339 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 340 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 341 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1), 342 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0), 343 BPF_MOV64_IMM(BPF_REG_0, 0), 344 BPF_EXIT_INSN(), 345 }, 346 .result = ACCEPT, 347 .prog_type = BPF_PROG_TYPE_SK_SKB, 348 }, 349 { 350 "overlapping checks for direct packet access SK_SKB", 351 .insns = { 352 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 353 offsetof(struct __sk_buff, data)), 354 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 355 offsetof(struct __sk_buff, data_end)), 356 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2), 357 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 358 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4), 359 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2), 360 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6), 361 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1), 362 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6), 363 BPF_MOV64_IMM(BPF_REG_0, 0), 364 BPF_EXIT_INSN(), 365 }, 366 .result = ACCEPT, 367 .prog_type = BPF_PROG_TYPE_SK_SKB, 368 }, 369 { 370 "check skb->mark is not writeable by sockets", 371 .insns = { 372 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 373 offsetof(struct __sk_buff, mark)), 374 BPF_EXIT_INSN(), 375 }, 376 .errstr = "invalid bpf_context access", 377 .errstr_unpriv = "R1 leaks addr", 378 .result = REJECT, 379 }, 380 { 381 "check skb->tc_index is not writeable by sockets", 382 .insns = { 383 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 384 offsetof(struct __sk_buff, tc_index)), 385 BPF_EXIT_INSN(), 386 }, 387 .errstr = "invalid bpf_context access", 388 .errstr_unpriv = "R1 leaks addr", 389 .result = REJECT, 390 }, 391 { 392 "check cb access: byte", 393 .insns = { 394 BPF_MOV64_IMM(BPF_REG_0, 0), 395 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 396 offsetof(struct __sk_buff, cb[0])), 397 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 398 offsetof(struct __sk_buff, cb[0]) + 1), 399 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 400 offsetof(struct __sk_buff, cb[0]) + 2), 401 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 402 offsetof(struct __sk_buff, cb[0]) + 3), 403 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 404 offsetof(struct __sk_buff, cb[1])), 405 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 406 offsetof(struct __sk_buff, cb[1]) + 1), 407 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 408 offsetof(struct __sk_buff, cb[1]) + 2), 409 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 410 offsetof(struct __sk_buff, cb[1]) + 3), 411 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 412 offsetof(struct __sk_buff, cb[2])), 413 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 414 offsetof(struct __sk_buff, cb[2]) + 1), 415 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 416 offsetof(struct __sk_buff, cb[2]) + 2), 417 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 418 offsetof(struct __sk_buff, cb[2]) + 3), 419 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 420 offsetof(struct __sk_buff, cb[3])), 421 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 422 offsetof(struct __sk_buff, cb[3]) + 1), 423 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 424 offsetof(struct __sk_buff, cb[3]) + 2), 425 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 426 offsetof(struct __sk_buff, cb[3]) + 3), 427 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 428 offsetof(struct __sk_buff, cb[4])), 429 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 430 offsetof(struct __sk_buff, cb[4]) + 1), 431 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 432 offsetof(struct __sk_buff, cb[4]) + 2), 433 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 434 offsetof(struct __sk_buff, cb[4]) + 3), 435 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 436 offsetof(struct __sk_buff, cb[0])), 437 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 438 offsetof(struct __sk_buff, cb[0]) + 1), 439 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 440 offsetof(struct __sk_buff, cb[0]) + 2), 441 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 442 offsetof(struct __sk_buff, cb[0]) + 3), 443 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 444 offsetof(struct __sk_buff, cb[1])), 445 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 446 offsetof(struct __sk_buff, cb[1]) + 1), 447 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 448 offsetof(struct __sk_buff, cb[1]) + 2), 449 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 450 offsetof(struct __sk_buff, cb[1]) + 3), 451 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 452 offsetof(struct __sk_buff, cb[2])), 453 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 454 offsetof(struct __sk_buff, cb[2]) + 1), 455 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 456 offsetof(struct __sk_buff, cb[2]) + 2), 457 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 458 offsetof(struct __sk_buff, cb[2]) + 3), 459 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 460 offsetof(struct __sk_buff, cb[3])), 461 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 462 offsetof(struct __sk_buff, cb[3]) + 1), 463 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 464 offsetof(struct __sk_buff, cb[3]) + 2), 465 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 466 offsetof(struct __sk_buff, cb[3]) + 3), 467 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 468 offsetof(struct __sk_buff, cb[4])), 469 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 470 offsetof(struct __sk_buff, cb[4]) + 1), 471 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 472 offsetof(struct __sk_buff, cb[4]) + 2), 473 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 474 offsetof(struct __sk_buff, cb[4]) + 3), 475 BPF_EXIT_INSN(), 476 }, 477 .result = ACCEPT, 478 }, 479 { 480 "__sk_buff->hash, offset 0, byte store not permitted", 481 .insns = { 482 BPF_MOV64_IMM(BPF_REG_0, 0), 483 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 484 offsetof(struct __sk_buff, hash)), 485 BPF_EXIT_INSN(), 486 }, 487 .errstr = "invalid bpf_context access", 488 .result = REJECT, 489 }, 490 { 491 "__sk_buff->tc_index, offset 3, byte store not permitted", 492 .insns = { 493 BPF_MOV64_IMM(BPF_REG_0, 0), 494 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 495 offsetof(struct __sk_buff, tc_index) + 3), 496 BPF_EXIT_INSN(), 497 }, 498 .errstr = "invalid bpf_context access", 499 .result = REJECT, 500 }, 501 { 502 "check skb->hash byte load permitted", 503 .insns = { 504 BPF_MOV64_IMM(BPF_REG_0, 0), 505 #if __BYTE_ORDER == __LITTLE_ENDIAN 506 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 507 offsetof(struct __sk_buff, hash)), 508 #else 509 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 510 offsetof(struct __sk_buff, hash) + 3), 511 #endif 512 BPF_EXIT_INSN(), 513 }, 514 .result = ACCEPT, 515 }, 516 { 517 "check skb->hash byte load permitted 1", 518 .insns = { 519 BPF_MOV64_IMM(BPF_REG_0, 0), 520 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 521 offsetof(struct __sk_buff, hash) + 1), 522 BPF_EXIT_INSN(), 523 }, 524 .result = ACCEPT, 525 }, 526 { 527 "check skb->hash byte load permitted 2", 528 .insns = { 529 BPF_MOV64_IMM(BPF_REG_0, 0), 530 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 531 offsetof(struct __sk_buff, hash) + 2), 532 BPF_EXIT_INSN(), 533 }, 534 .result = ACCEPT, 535 }, 536 { 537 "check skb->hash byte load permitted 3", 538 .insns = { 539 BPF_MOV64_IMM(BPF_REG_0, 0), 540 #if __BYTE_ORDER == __LITTLE_ENDIAN 541 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 542 offsetof(struct __sk_buff, hash) + 3), 543 #else 544 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 545 offsetof(struct __sk_buff, hash)), 546 #endif 547 BPF_EXIT_INSN(), 548 }, 549 .result = ACCEPT, 550 }, 551 { 552 "check cb access: byte, wrong type", 553 .insns = { 554 BPF_MOV64_IMM(BPF_REG_0, 0), 555 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 556 offsetof(struct __sk_buff, cb[0])), 557 BPF_EXIT_INSN(), 558 }, 559 .errstr = "invalid bpf_context access", 560 .result = REJECT, 561 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 562 }, 563 { 564 "check cb access: half", 565 .insns = { 566 BPF_MOV64_IMM(BPF_REG_0, 0), 567 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 568 offsetof(struct __sk_buff, cb[0])), 569 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 570 offsetof(struct __sk_buff, cb[0]) + 2), 571 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 572 offsetof(struct __sk_buff, cb[1])), 573 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 574 offsetof(struct __sk_buff, cb[1]) + 2), 575 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 576 offsetof(struct __sk_buff, cb[2])), 577 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 578 offsetof(struct __sk_buff, cb[2]) + 2), 579 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 580 offsetof(struct __sk_buff, cb[3])), 581 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 582 offsetof(struct __sk_buff, cb[3]) + 2), 583 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 584 offsetof(struct __sk_buff, cb[4])), 585 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 586 offsetof(struct __sk_buff, cb[4]) + 2), 587 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 588 offsetof(struct __sk_buff, cb[0])), 589 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 590 offsetof(struct __sk_buff, cb[0]) + 2), 591 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 592 offsetof(struct __sk_buff, cb[1])), 593 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 594 offsetof(struct __sk_buff, cb[1]) + 2), 595 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 596 offsetof(struct __sk_buff, cb[2])), 597 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 598 offsetof(struct __sk_buff, cb[2]) + 2), 599 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 600 offsetof(struct __sk_buff, cb[3])), 601 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 602 offsetof(struct __sk_buff, cb[3]) + 2), 603 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 604 offsetof(struct __sk_buff, cb[4])), 605 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 606 offsetof(struct __sk_buff, cb[4]) + 2), 607 BPF_EXIT_INSN(), 608 }, 609 .result = ACCEPT, 610 }, 611 { 612 "check cb access: half, unaligned", 613 .insns = { 614 BPF_MOV64_IMM(BPF_REG_0, 0), 615 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 616 offsetof(struct __sk_buff, cb[0]) + 1), 617 BPF_EXIT_INSN(), 618 }, 619 .errstr = "misaligned context access", 620 .result = REJECT, 621 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 622 }, 623 { 624 "check __sk_buff->hash, offset 0, half store not permitted", 625 .insns = { 626 BPF_MOV64_IMM(BPF_REG_0, 0), 627 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 628 offsetof(struct __sk_buff, hash)), 629 BPF_EXIT_INSN(), 630 }, 631 .errstr = "invalid bpf_context access", 632 .result = REJECT, 633 }, 634 { 635 "check __sk_buff->tc_index, offset 2, half store not permitted", 636 .insns = { 637 BPF_MOV64_IMM(BPF_REG_0, 0), 638 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 639 offsetof(struct __sk_buff, tc_index) + 2), 640 BPF_EXIT_INSN(), 641 }, 642 .errstr = "invalid bpf_context access", 643 .result = REJECT, 644 }, 645 { 646 "check skb->hash half load permitted", 647 .insns = { 648 BPF_MOV64_IMM(BPF_REG_0, 0), 649 #if __BYTE_ORDER == __LITTLE_ENDIAN 650 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 651 offsetof(struct __sk_buff, hash)), 652 #else 653 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 654 offsetof(struct __sk_buff, hash) + 2), 655 #endif 656 BPF_EXIT_INSN(), 657 }, 658 .result = ACCEPT, 659 }, 660 { 661 "check skb->hash half load permitted 2", 662 .insns = { 663 BPF_MOV64_IMM(BPF_REG_0, 0), 664 #if __BYTE_ORDER == __LITTLE_ENDIAN 665 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 666 offsetof(struct __sk_buff, hash) + 2), 667 #else 668 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 669 offsetof(struct __sk_buff, hash)), 670 #endif 671 BPF_EXIT_INSN(), 672 }, 673 .result = ACCEPT, 674 }, 675 { 676 "check skb->hash half load not permitted, unaligned 1", 677 .insns = { 678 BPF_MOV64_IMM(BPF_REG_0, 0), 679 #if __BYTE_ORDER == __LITTLE_ENDIAN 680 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 681 offsetof(struct __sk_buff, hash) + 1), 682 #else 683 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 684 offsetof(struct __sk_buff, hash) + 3), 685 #endif 686 BPF_EXIT_INSN(), 687 }, 688 .errstr = "invalid bpf_context access", 689 .result = REJECT, 690 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 691 }, 692 { 693 "check skb->hash half load not permitted, unaligned 3", 694 .insns = { 695 BPF_MOV64_IMM(BPF_REG_0, 0), 696 #if __BYTE_ORDER == __LITTLE_ENDIAN 697 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 698 offsetof(struct __sk_buff, hash) + 3), 699 #else 700 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 701 offsetof(struct __sk_buff, hash) + 1), 702 #endif 703 BPF_EXIT_INSN(), 704 }, 705 .errstr = "invalid bpf_context access", 706 .result = REJECT, 707 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 708 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 709 }, 710 { 711 "check cb access: half, wrong type", 712 .insns = { 713 BPF_MOV64_IMM(BPF_REG_0, 0), 714 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0, 715 offsetof(struct __sk_buff, cb[0])), 716 BPF_EXIT_INSN(), 717 }, 718 .errstr = "invalid bpf_context access", 719 .result = REJECT, 720 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 721 }, 722 { 723 "check cb access: word", 724 .insns = { 725 BPF_MOV64_IMM(BPF_REG_0, 0), 726 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 727 offsetof(struct __sk_buff, cb[0])), 728 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 729 offsetof(struct __sk_buff, cb[1])), 730 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 731 offsetof(struct __sk_buff, cb[2])), 732 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 733 offsetof(struct __sk_buff, cb[3])), 734 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 735 offsetof(struct __sk_buff, cb[4])), 736 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 737 offsetof(struct __sk_buff, cb[0])), 738 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 739 offsetof(struct __sk_buff, cb[1])), 740 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 741 offsetof(struct __sk_buff, cb[2])), 742 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 743 offsetof(struct __sk_buff, cb[3])), 744 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 745 offsetof(struct __sk_buff, cb[4])), 746 BPF_EXIT_INSN(), 747 }, 748 .result = ACCEPT, 749 }, 750 { 751 "check cb access: word, unaligned 1", 752 .insns = { 753 BPF_MOV64_IMM(BPF_REG_0, 0), 754 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 755 offsetof(struct __sk_buff, cb[0]) + 2), 756 BPF_EXIT_INSN(), 757 }, 758 .errstr = "misaligned context access", 759 .result = REJECT, 760 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 761 }, 762 { 763 "check cb access: word, unaligned 2", 764 .insns = { 765 BPF_MOV64_IMM(BPF_REG_0, 0), 766 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 767 offsetof(struct __sk_buff, cb[4]) + 1), 768 BPF_EXIT_INSN(), 769 }, 770 .errstr = "misaligned context access", 771 .result = REJECT, 772 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 773 }, 774 { 775 "check cb access: word, unaligned 3", 776 .insns = { 777 BPF_MOV64_IMM(BPF_REG_0, 0), 778 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 779 offsetof(struct __sk_buff, cb[4]) + 2), 780 BPF_EXIT_INSN(), 781 }, 782 .errstr = "misaligned context access", 783 .result = REJECT, 784 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 785 }, 786 { 787 "check cb access: word, unaligned 4", 788 .insns = { 789 BPF_MOV64_IMM(BPF_REG_0, 0), 790 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 791 offsetof(struct __sk_buff, cb[4]) + 3), 792 BPF_EXIT_INSN(), 793 }, 794 .errstr = "misaligned context access", 795 .result = REJECT, 796 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 797 }, 798 { 799 "check cb access: double", 800 .insns = { 801 BPF_MOV64_IMM(BPF_REG_0, 0), 802 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 803 offsetof(struct __sk_buff, cb[0])), 804 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 805 offsetof(struct __sk_buff, cb[2])), 806 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 807 offsetof(struct __sk_buff, cb[0])), 808 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 809 offsetof(struct __sk_buff, cb[2])), 810 BPF_EXIT_INSN(), 811 }, 812 .result = ACCEPT, 813 }, 814 { 815 "check cb access: double, unaligned 1", 816 .insns = { 817 BPF_MOV64_IMM(BPF_REG_0, 0), 818 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 819 offsetof(struct __sk_buff, cb[1])), 820 BPF_EXIT_INSN(), 821 }, 822 .errstr = "misaligned context access", 823 .result = REJECT, 824 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 825 }, 826 { 827 "check cb access: double, unaligned 2", 828 .insns = { 829 BPF_MOV64_IMM(BPF_REG_0, 0), 830 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 831 offsetof(struct __sk_buff, cb[3])), 832 BPF_EXIT_INSN(), 833 }, 834 .errstr = "misaligned context access", 835 .result = REJECT, 836 .flags = F_LOAD_WITH_STRICT_ALIGNMENT, 837 }, 838 { 839 "check cb access: double, oob 1", 840 .insns = { 841 BPF_MOV64_IMM(BPF_REG_0, 0), 842 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 843 offsetof(struct __sk_buff, cb[4])), 844 BPF_EXIT_INSN(), 845 }, 846 .errstr = "invalid bpf_context access", 847 .result = REJECT, 848 }, 849 { 850 "check cb access: double, oob 2", 851 .insns = { 852 BPF_MOV64_IMM(BPF_REG_0, 0), 853 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 854 offsetof(struct __sk_buff, cb[4])), 855 BPF_EXIT_INSN(), 856 }, 857 .errstr = "invalid bpf_context access", 858 .result = REJECT, 859 }, 860 { 861 "check __sk_buff->ifindex dw store not permitted", 862 .insns = { 863 BPF_MOV64_IMM(BPF_REG_0, 0), 864 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 865 offsetof(struct __sk_buff, ifindex)), 866 BPF_EXIT_INSN(), 867 }, 868 .errstr = "invalid bpf_context access", 869 .result = REJECT, 870 }, 871 { 872 "check __sk_buff->ifindex dw load not permitted", 873 .insns = { 874 BPF_MOV64_IMM(BPF_REG_0, 0), 875 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 876 offsetof(struct __sk_buff, ifindex)), 877 BPF_EXIT_INSN(), 878 }, 879 .errstr = "invalid bpf_context access", 880 .result = REJECT, 881 }, 882 { 883 "check cb access: double, wrong type", 884 .insns = { 885 BPF_MOV64_IMM(BPF_REG_0, 0), 886 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 887 offsetof(struct __sk_buff, cb[0])), 888 BPF_EXIT_INSN(), 889 }, 890 .errstr = "invalid bpf_context access", 891 .result = REJECT, 892 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK, 893 }, 894 { 895 "check out of range skb->cb access", 896 .insns = { 897 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 898 offsetof(struct __sk_buff, cb[0]) + 256), 899 BPF_EXIT_INSN(), 900 }, 901 .errstr = "invalid bpf_context access", 902 .errstr_unpriv = "", 903 .result = REJECT, 904 .prog_type = BPF_PROG_TYPE_SCHED_ACT, 905 }, 906 { 907 "write skb fields from socket prog", 908 .insns = { 909 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 910 offsetof(struct __sk_buff, cb[4])), 911 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 912 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 913 offsetof(struct __sk_buff, mark)), 914 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 915 offsetof(struct __sk_buff, tc_index)), 916 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1), 917 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 918 offsetof(struct __sk_buff, cb[0])), 919 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 920 offsetof(struct __sk_buff, cb[2])), 921 BPF_EXIT_INSN(), 922 }, 923 .result = ACCEPT, 924 .errstr_unpriv = "R1 leaks addr", 925 .result_unpriv = REJECT, 926 }, 927 { 928 "write skb fields from tc_cls_act prog", 929 .insns = { 930 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 931 offsetof(struct __sk_buff, cb[0])), 932 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 933 offsetof(struct __sk_buff, mark)), 934 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 935 offsetof(struct __sk_buff, tc_index)), 936 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 937 offsetof(struct __sk_buff, tc_index)), 938 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 939 offsetof(struct __sk_buff, cb[3])), 940 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 941 offsetof(struct __sk_buff, tstamp)), 942 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 943 offsetof(struct __sk_buff, tstamp)), 944 BPF_EXIT_INSN(), 945 }, 946 .errstr_unpriv = "", 947 .result_unpriv = REJECT, 948 .result = ACCEPT, 949 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 950 }, 951 { 952 "check skb->data half load not permitted", 953 .insns = { 954 BPF_MOV64_IMM(BPF_REG_0, 0), 955 #if __BYTE_ORDER == __LITTLE_ENDIAN 956 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 957 offsetof(struct __sk_buff, data)), 958 #else 959 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, 960 offsetof(struct __sk_buff, data) + 2), 961 #endif 962 BPF_EXIT_INSN(), 963 }, 964 .result = REJECT, 965 .errstr = "invalid bpf_context access", 966 }, 967 { 968 "read gso_segs from CGROUP_SKB", 969 .insns = { 970 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 971 offsetof(struct __sk_buff, gso_segs)), 972 BPF_MOV64_IMM(BPF_REG_0, 0), 973 BPF_EXIT_INSN(), 974 }, 975 .result = ACCEPT, 976 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 977 }, 978 { 979 "write gso_segs from CGROUP_SKB", 980 .insns = { 981 BPF_MOV64_IMM(BPF_REG_0, 0), 982 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 983 offsetof(struct __sk_buff, gso_segs)), 984 BPF_MOV64_IMM(BPF_REG_0, 0), 985 BPF_EXIT_INSN(), 986 }, 987 .result = REJECT, 988 .result_unpriv = REJECT, 989 .errstr = "invalid bpf_context access off=164 size=4", 990 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 991 }, 992 { 993 "read gso_segs from CLS", 994 .insns = { 995 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 996 offsetof(struct __sk_buff, gso_segs)), 997 BPF_MOV64_IMM(BPF_REG_0, 0), 998 BPF_EXIT_INSN(), 999 }, 1000 .result = ACCEPT, 1001 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1002 }, 1003 { 1004 "check wire_len is not readable by sockets", 1005 .insns = { 1006 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1007 offsetof(struct __sk_buff, wire_len)), 1008 BPF_EXIT_INSN(), 1009 }, 1010 .errstr = "invalid bpf_context access", 1011 .result = REJECT, 1012 }, 1013 { 1014 "check wire_len is readable by tc classifier", 1015 .insns = { 1016 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 1017 offsetof(struct __sk_buff, wire_len)), 1018 BPF_EXIT_INSN(), 1019 }, 1020 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1021 .result = ACCEPT, 1022 }, 1023 { 1024 "check wire_len is not writable by tc classifier", 1025 .insns = { 1026 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1, 1027 offsetof(struct __sk_buff, wire_len)), 1028 BPF_EXIT_INSN(), 1029 }, 1030 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 1031 .errstr = "invalid bpf_context access", 1032 .errstr_unpriv = "R1 leaks addr", 1033 .result = REJECT, 1034 }, 1035