1 /* Common tests */
2 {
3 	"map_kptr: BPF_ST imm != 0",
4 	.insns = {
5 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6 	BPF_LD_MAP_FD(BPF_REG_6, 0),
7 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
8 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
9 	BPF_MOV64_IMM(BPF_REG_0, 0),
10 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
12 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
13 	BPF_EXIT_INSN(),
14 	BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
15 	BPF_EXIT_INSN(),
16 	},
17 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
18 	.fixup_map_kptr = { 1 },
19 	.result = REJECT,
20 	.errstr = "BPF_ST imm must be 0 when storing to kptr at off=0",
21 },
22 {
23 	"map_kptr: size != bpf_size_to_bytes(BPF_DW)",
24 	.insns = {
25 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
26 	BPF_LD_MAP_FD(BPF_REG_6, 0),
27 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
28 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
29 	BPF_MOV64_IMM(BPF_REG_0, 0),
30 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
31 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
32 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
33 	BPF_EXIT_INSN(),
34 	BPF_ST_MEM(BPF_W, BPF_REG_0, 0, 0),
35 	BPF_EXIT_INSN(),
36 	},
37 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
38 	.fixup_map_kptr = { 1 },
39 	.result = REJECT,
40 	.errstr = "kptr access size must be BPF_DW",
41 },
42 {
43 	"map_kptr: map_value non-const var_off",
44 	.insns = {
45 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
46 	BPF_LD_MAP_FD(BPF_REG_6, 0),
47 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
48 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
49 	BPF_MOV64_IMM(BPF_REG_0, 0),
50 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
51 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
52 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
53 	BPF_EXIT_INSN(),
54 	BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
55 	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
56 	BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1),
57 	BPF_EXIT_INSN(),
58 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2, 0),
59 	BPF_JMP_IMM(BPF_JLE, BPF_REG_2, 4, 1),
60 	BPF_EXIT_INSN(),
61 	BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
62 	BPF_EXIT_INSN(),
63 	BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
64 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
65 	BPF_EXIT_INSN(),
66 	},
67 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
68 	.fixup_map_kptr = { 1 },
69 	.result = REJECT,
70 	.errstr = "kptr access cannot have variable offset",
71 	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
72 },
73 {
74 	"map_kptr: bpf_kptr_xchg non-const var_off",
75 	.insns = {
76 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
77 	BPF_LD_MAP_FD(BPF_REG_6, 0),
78 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
79 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
80 	BPF_MOV64_IMM(BPF_REG_0, 0),
81 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
82 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
83 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
84 	BPF_EXIT_INSN(),
85 	BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
86 	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
87 	BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1),
88 	BPF_EXIT_INSN(),
89 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2, 0),
90 	BPF_JMP_IMM(BPF_JLE, BPF_REG_2, 4, 1),
91 	BPF_EXIT_INSN(),
92 	BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
93 	BPF_EXIT_INSN(),
94 	BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
95 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_3),
96 	BPF_MOV64_IMM(BPF_REG_2, 0),
97 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_kptr_xchg),
98 	BPF_EXIT_INSN(),
99 	},
100 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
101 	.fixup_map_kptr = { 1 },
102 	.result = REJECT,
103 	.errstr = "R1 doesn't have constant offset. kptr has to be at the constant offset",
104 },
105 {
106 	"map_kptr: unaligned boundary load/store",
107 	.insns = {
108 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
109 	BPF_LD_MAP_FD(BPF_REG_6, 0),
110 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
111 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
112 	BPF_MOV64_IMM(BPF_REG_0, 0),
113 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
114 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
115 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
116 	BPF_EXIT_INSN(),
117 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 7),
118 	BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
119 	BPF_EXIT_INSN(),
120 	},
121 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
122 	.fixup_map_kptr = { 1 },
123 	.result = REJECT,
124 	.errstr = "kptr access misaligned expected=0 off=7",
125 	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
126 },
127 {
128 	"map_kptr: reject var_off != 0",
129 	.insns = {
130 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
131 	BPF_LD_MAP_FD(BPF_REG_6, 0),
132 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
133 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
134 	BPF_MOV64_IMM(BPF_REG_0, 0),
135 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
136 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
137 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
138 	BPF_EXIT_INSN(),
139 	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
140 	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
141 	BPF_EXIT_INSN(),
142 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
143 	BPF_JMP_IMM(BPF_JLE, BPF_REG_2, 4, 1),
144 	BPF_EXIT_INSN(),
145 	BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
146 	BPF_EXIT_INSN(),
147 	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
148 	BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
149 	BPF_EXIT_INSN(),
150 	},
151 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
152 	.fixup_map_kptr = { 1 },
153 	.result = REJECT,
154 	.errstr = "variable untrusted_ptr_ access var_off=(0x0; 0x7) disallowed",
155 },
156 /* Tests for unreferened PTR_TO_BTF_ID */
157 {
158 	"map_kptr: unref: reject btf_struct_ids_match == false",
159 	.insns = {
160 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
161 	BPF_LD_MAP_FD(BPF_REG_6, 0),
162 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
163 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
164 	BPF_MOV64_IMM(BPF_REG_0, 0),
165 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
166 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
167 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
168 	BPF_EXIT_INSN(),
169 	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
170 	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
171 	BPF_EXIT_INSN(),
172 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 4),
173 	BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
174 	BPF_EXIT_INSN(),
175 	},
176 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
177 	.fixup_map_kptr = { 1 },
178 	.result = REJECT,
179 	.errstr = "invalid kptr access, R1 type=untrusted_ptr_prog_test_ref_kfunc expected=ptr_prog_test",
180 },
181 {
182 	"map_kptr: unref: loaded pointer marked as untrusted",
183 	.insns = {
184 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
185 	BPF_LD_MAP_FD(BPF_REG_6, 0),
186 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
187 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
188 	BPF_MOV64_IMM(BPF_REG_0, 0),
189 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
190 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
191 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
192 	BPF_EXIT_INSN(),
193 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
194 	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0),
195 	BPF_EXIT_INSN(),
196 	},
197 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
198 	.fixup_map_kptr = { 1 },
199 	.result = REJECT,
200 	.errstr = "R0 invalid mem access 'untrusted_ptr_or_null_'",
201 },
202 {
203 	"map_kptr: unref: correct in kernel type size",
204 	.insns = {
205 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
206 	BPF_LD_MAP_FD(BPF_REG_6, 0),
207 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
208 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
209 	BPF_MOV64_IMM(BPF_REG_0, 0),
210 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
211 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
212 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
213 	BPF_EXIT_INSN(),
214 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
215 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
216 	BPF_EXIT_INSN(),
217 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 32),
218 	BPF_EXIT_INSN(),
219 	},
220 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
221 	.fixup_map_kptr = { 1 },
222 	.result = REJECT,
223 	.errstr = "access beyond struct prog_test_ref_kfunc at off 32 size 8",
224 },
225 {
226 	"map_kptr: unref: inherit PTR_UNTRUSTED on struct walk",
227 	.insns = {
228 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
229 	BPF_LD_MAP_FD(BPF_REG_6, 0),
230 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
231 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
232 	BPF_MOV64_IMM(BPF_REG_0, 0),
233 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
234 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
235 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
236 	BPF_EXIT_INSN(),
237 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
238 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
239 	BPF_EXIT_INSN(),
240 	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 16),
241 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_this_cpu_ptr),
242 	BPF_EXIT_INSN(),
243 	},
244 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
245 	.fixup_map_kptr = { 1 },
246 	.result = REJECT,
247 	.errstr = "R1 type=untrusted_ptr_ expected=percpu_ptr_",
248 },
249 {
250 	"map_kptr: unref: no reference state created",
251 	.insns = {
252 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
253 	BPF_LD_MAP_FD(BPF_REG_6, 0),
254 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
255 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
256 	BPF_MOV64_IMM(BPF_REG_0, 0),
257 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
258 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
259 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
260 	BPF_EXIT_INSN(),
261 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
262 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
263 	BPF_EXIT_INSN(),
264 	BPF_EXIT_INSN(),
265 	},
266 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
267 	.fixup_map_kptr = { 1 },
268 	.result = ACCEPT,
269 },
270 {
271 	"map_kptr: unref: bpf_kptr_xchg rejected",
272 	.insns = {
273 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
274 	BPF_LD_MAP_FD(BPF_REG_6, 0),
275 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
276 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
277 	BPF_MOV64_IMM(BPF_REG_0, 0),
278 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
279 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
280 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
281 	BPF_EXIT_INSN(),
282 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
283 	BPF_MOV64_IMM(BPF_REG_2, 0),
284 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_kptr_xchg),
285 	BPF_MOV64_IMM(BPF_REG_0, 0),
286 	BPF_EXIT_INSN(),
287 	},
288 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
289 	.fixup_map_kptr = { 1 },
290 	.result = REJECT,
291 	.errstr = "off=0 kptr isn't referenced kptr",
292 },
293 /* Tests for referenced PTR_TO_BTF_ID */
294 {
295 	"map_kptr: ref: loaded pointer marked as untrusted",
296 	.insns = {
297 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
298 	BPF_LD_MAP_FD(BPF_REG_6, 0),
299 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
300 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
301 	BPF_MOV64_IMM(BPF_REG_0, 0),
302 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
303 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
304 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
305 	BPF_EXIT_INSN(),
306 	BPF_MOV64_IMM(BPF_REG_1, 0),
307 	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 8),
308 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_this_cpu_ptr),
309 	BPF_EXIT_INSN(),
310 	},
311 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
312 	.fixup_map_kptr = { 1 },
313 	.result = REJECT,
314 	.errstr = "R1 type=rcu_ptr_or_null_ expected=percpu_ptr_",
315 },
316 {
317 	"map_kptr: ref: reject off != 0",
318 	.insns = {
319 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
320 	BPF_LD_MAP_FD(BPF_REG_6, 0),
321 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
322 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
323 	BPF_MOV64_IMM(BPF_REG_0, 0),
324 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
325 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
326 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
327 	BPF_EXIT_INSN(),
328 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
329 	BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
330 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
331 	BPF_MOV64_IMM(BPF_REG_2, 0),
332 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_kptr_xchg),
333 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
334 	BPF_EXIT_INSN(),
335 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
336 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
337 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
338 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
339 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_kptr_xchg),
340 	BPF_EXIT_INSN(),
341 	},
342 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
343 	.fixup_map_kptr = { 1 },
344 	.result = REJECT,
345 	.errstr = "invalid kptr access, R2 type=ptr_prog_test_ref_kfunc expected=ptr_prog_test_member",
346 },
347 {
348 	"map_kptr: ref: reference state created and released on xchg",
349 	.insns = {
350 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
351 	BPF_LD_MAP_FD(BPF_REG_6, 0),
352 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
353 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
354 	BPF_MOV64_IMM(BPF_REG_0, 0),
355 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
356 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
357 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
358 	BPF_EXIT_INSN(),
359 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
360 	BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
361 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
362 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
363 	BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
364 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
365 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
366 	BPF_EXIT_INSN(),
367 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
368 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
369 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_kptr_xchg),
370 	BPF_MOV64_IMM(BPF_REG_0, 0),
371 	BPF_EXIT_INSN(),
372 	},
373 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
374 	.fixup_map_kptr = { 1 },
375 	.result = REJECT,
376 	.errstr = "Unreleased reference id=5 alloc_insn=20",
377 	.fixup_kfunc_btf_id = {
378 		{ "bpf_kfunc_call_test_acquire", 15 },
379 	}
380 },
381 {
382 	"map_kptr: ref: reject STX",
383 	.insns = {
384 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
385 	BPF_LD_MAP_FD(BPF_REG_6, 0),
386 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
387 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
388 	BPF_MOV64_IMM(BPF_REG_0, 0),
389 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
390 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
391 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
392 	BPF_EXIT_INSN(),
393 	BPF_MOV64_REG(BPF_REG_1, 0),
394 	BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
395 	BPF_EXIT_INSN(),
396 	},
397 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
398 	.fixup_map_kptr = { 1 },
399 	.result = REJECT,
400 	.errstr = "store to referenced kptr disallowed",
401 },
402 {
403 	"map_kptr: ref: reject ST",
404 	.insns = {
405 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
406 	BPF_LD_MAP_FD(BPF_REG_6, 0),
407 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
408 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
409 	BPF_MOV64_IMM(BPF_REG_0, 0),
410 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
411 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
412 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
413 	BPF_EXIT_INSN(),
414 	BPF_ST_MEM(BPF_DW, BPF_REG_0, 8, 0),
415 	BPF_EXIT_INSN(),
416 	},
417 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
418 	.fixup_map_kptr = { 1 },
419 	.result = REJECT,
420 	.errstr = "store to referenced kptr disallowed",
421 },
422 {
423 	"map_kptr: reject helper access to kptr",
424 	.insns = {
425 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
426 	BPF_LD_MAP_FD(BPF_REG_6, 0),
427 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
428 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
429 	BPF_MOV64_IMM(BPF_REG_0, 0),
430 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
431 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
432 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
433 	BPF_EXIT_INSN(),
434 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
435 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
436 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
437 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_delete_elem),
438 	BPF_EXIT_INSN(),
439 	},
440 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
441 	.fixup_map_kptr = { 1 },
442 	.result = REJECT,
443 	.errstr = "kptr cannot be accessed indirectly by helper",
444 },
445