xref: /openbmc/linux/tools/testing/selftests/bpf/verifier/map_kptr.c (revision 47aab53331effedd3f5a6136854bd1da011f94b6)
1 /* Common tests */
2 {
	/*
	 * After a successful lookup, store the 64-bit immediate 1 at offset 0
	 * of the map value. Expected: REJECT; per .errstr, a BPF_ST to the
	 * kptr at off=0 is only allowed with an immediate of 0.
	 * NOTE(review): presumably because any other immediate would put a
	 * program-chosen value into a slot that later loads type as a kernel
	 * pointer - confirm against the verifier.
	 */
3 	"map_kptr: BPF_ST imm != 0",
4 	.insns = {
	/*
	 * Prologue: zero a 4-byte key at R10 (frame pointer) - 4, then
	 * R0 = bpf_map_lookup_elem(map, &key); exit if R0 is NULL.
	 * BPF_LD_MAP_FD is insn 1, the index listed in .fixup_map_kptr.
	 */
5 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6 	BPF_LD_MAP_FD(BPF_REG_6, 0),
7 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
8 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
9 	BPF_MOV64_IMM(BPF_REG_0, 0),
10 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
12 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
13 	BPF_EXIT_INSN(),
	/* *(u64 *)(R0 + 0) = 1: the store under test */
14 	BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
15 	BPF_EXIT_INSN(),
16 	},
17 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
18 	.fixup_map_kptr = { 1 },
19 	.result = REJECT,
20 	.errstr = "BPF_ST imm must be 0 when storing to kptr at off=0",
21 },
22 {
	/*
	 * After a successful lookup, store a zero immediate at offset 0 of
	 * the map value using a 4-byte (BPF_W) access. Expected: REJECT; per
	 * .errstr, the kptr may only be accessed with BPF_DW.
	 */
23 	"map_kptr: size != bpf_size_to_bytes(BPF_DW)",
24 	.insns = {
	/*
	 * Prologue: zero a 4-byte key at R10 (frame pointer) - 4, then
	 * R0 = bpf_map_lookup_elem(map, &key); exit if R0 is NULL.
	 * BPF_LD_MAP_FD is insn 1, the index listed in .fixup_map_kptr.
	 */
25 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
26 	BPF_LD_MAP_FD(BPF_REG_6, 0),
27 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
28 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
29 	BPF_MOV64_IMM(BPF_REG_0, 0),
30 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
31 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
32 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
33 	BPF_EXIT_INSN(),
	/* *(u32 *)(R0 + 0) = 0: value is allowed, the access width is not */
34 	BPF_ST_MEM(BPF_W, BPF_REG_0, 0, 0),
35 	BPF_EXIT_INSN(),
36 	},
37 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
38 	.fixup_map_kptr = { 1 },
39 	.result = REJECT,
40 	.errstr = "kptr access size must be BPF_DW",
41 },
42 {
	/*
	 * Adds a bounded but non-constant scalar to the map value pointer and
	 * then performs a 64-bit load through it. Expected: REJECT; per
	 * .errstr, a kptr access cannot have a variable offset.
	 */
43 	"map_kptr: map_value non-const var_off",
44 	.insns = {
	/*
	 * Prologue: zero a 4-byte key at R10 (frame pointer) - 4, then
	 * R0 = bpf_map_lookup_elem(map, &key); exit if R0 is NULL.
	 * BPF_LD_MAP_FD is insn 1, the index listed in .fixup_map_kptr.
	 */
45 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
46 	BPF_LD_MAP_FD(BPF_REG_6, 0),
47 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
48 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
49 	BPF_MOV64_IMM(BPF_REG_0, 0),
50 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
51 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
52 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
53 	BPF_EXIT_INSN(),
	/* R3 = map value; R2 = 64-bit load from value offset 0, exit if 0 */
54 	BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
55 	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
56 	BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1),
57 	BPF_EXIT_INSN(),
	/*
	 * R2 = 32-bit load through the loaded pointer, then bounded to <= 4.
	 * The following JGE against 0 is an unsigned compare, so its branch
	 * is always taken.
	 */
58 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2, 0),
59 	BPF_JMP_IMM(BPF_JLE, BPF_REG_2, 4, 1),
60 	BPF_EXIT_INSN(),
61 	BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
62 	BPF_EXIT_INSN(),
	/* R3 = map value + R2 (variable); the 64-bit load under test */
63 	BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
64 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
65 	BPF_EXIT_INSN(),
66 	},
67 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
68 	.fixup_map_kptr = { 1 },
69 	.result = REJECT,
70 	.errstr = "kptr access cannot have variable offset",
71 },
72 {
	/*
	 * Adds a bounded but non-constant scalar to the map value pointer and
	 * passes the result as R1 to bpf_kptr_xchg with R2 = 0. Expected:
	 * REJECT; per .errstr, the kptr argument must be at a constant offset.
	 */
73 	"map_kptr: bpf_kptr_xchg non-const var_off",
74 	.insns = {
	/*
	 * Prologue: zero a 4-byte key at R10 (frame pointer) - 4, then
	 * R0 = bpf_map_lookup_elem(map, &key); exit if R0 is NULL.
	 * BPF_LD_MAP_FD is insn 1, the index listed in .fixup_map_kptr.
	 */
75 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
76 	BPF_LD_MAP_FD(BPF_REG_6, 0),
77 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
78 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
79 	BPF_MOV64_IMM(BPF_REG_0, 0),
80 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
81 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
82 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
83 	BPF_EXIT_INSN(),
	/* R3 = map value; R2 = 64-bit load from value offset 0, exit if 0 */
84 	BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
85 	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
86 	BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1),
87 	BPF_EXIT_INSN(),
	/*
	 * R2 = 32-bit load through the loaded pointer, then bounded to <= 4.
	 * The following JGE against 0 is an unsigned compare, so its branch
	 * is always taken.
	 */
88 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2, 0),
89 	BPF_JMP_IMM(BPF_JLE, BPF_REG_2, 4, 1),
90 	BPF_EXIT_INSN(),
91 	BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
92 	BPF_EXIT_INSN(),
	/* R1 = map value + variable R2, R2 = 0; the helper call under test */
93 	BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
94 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_3),
95 	BPF_MOV64_IMM(BPF_REG_2, 0),
96 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_kptr_xchg),
97 	BPF_EXIT_INSN(),
98 	},
99 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
100 	.fixup_map_kptr = { 1 },
101 	.result = REJECT,
102 	.errstr = "R1 doesn't have constant offset. kptr has to be at the constant offset",
103 },
104 {
	/*
	 * Advances the map value pointer by 7 bytes and issues a 64-bit store
	 * of 0 there. Expected: REJECT; .errstr reports the access as
	 * misaligned (expected=0 off=7).
	 */
105 	"map_kptr: unaligned boundary load/store",
106 	.insns = {
	/*
	 * Prologue: zero a 4-byte key at R10 (frame pointer) - 4, then
	 * R0 = bpf_map_lookup_elem(map, &key); exit if R0 is NULL.
	 * BPF_LD_MAP_FD is insn 1, the index listed in .fixup_map_kptr.
	 */
107 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
108 	BPF_LD_MAP_FD(BPF_REG_6, 0),
109 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
110 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
111 	BPF_MOV64_IMM(BPF_REG_0, 0),
112 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
113 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
114 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
115 	BPF_EXIT_INSN(),
	/* R0 = map value + 7; *(u64 *)(R0 + 0) = 0 is the store under test */
116 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 7),
117 	BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
118 	BPF_EXIT_INSN(),
119 	},
120 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
121 	.fixup_map_kptr = { 1 },
122 	.result = REJECT,
123 	.errstr = "kptr access misaligned expected=0 off=7",
124 },
125 {
	/*
	 * Loads the pointer stored at value offset 0, adds a bounded but
	 * non-constant scalar to it, and stores the result back to offset 0
	 * with BPF_STX. Expected: REJECT; .errstr reports a variable
	 * untrusted_ptr_ access with var_off=(0x0; 0x7).
	 */
126 	"map_kptr: reject var_off != 0",
127 	.insns = {
	/*
	 * Prologue: zero a 4-byte key at R10 (frame pointer) - 4, then
	 * R0 = bpf_map_lookup_elem(map, &key); exit if R0 is NULL.
	 * BPF_LD_MAP_FD is insn 1, the index listed in .fixup_map_kptr.
	 */
128 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
129 	BPF_LD_MAP_FD(BPF_REG_6, 0),
130 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
131 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
132 	BPF_MOV64_IMM(BPF_REG_0, 0),
133 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
134 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
135 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
136 	BPF_EXIT_INSN(),
	/* R1 = 64-bit load from value offset 0; exit if it is 0 */
137 	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
138 	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
139 	BPF_EXIT_INSN(),
	/*
	 * R2 = 32-bit load through R1, then bounded to <= 4. The following
	 * JGE against 0 is an unsigned compare, so its branch is always taken.
	 */
140 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
141 	BPF_JMP_IMM(BPF_JLE, BPF_REG_2, 4, 1),
142 	BPF_EXIT_INSN(),
143 	BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
144 	BPF_EXIT_INSN(),
	/* R1 += variable R2; *(u64 *)(R0 + 0) = R1 is the store under test */
145 	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
146 	BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
147 	BPF_EXIT_INSN(),
148 	},
149 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
150 	.fixup_map_kptr = { 1 },
151 	.result = REJECT,
152 	.errstr = "variable untrusted_ptr_ access var_off=(0x0; 0x7) disallowed",
153 },
154 /* Tests for unreferenced PTR_TO_BTF_ID */
155 {
	/*
	 * Loads the pointer stored at value offset 0, advances it by a fixed
	 * 4 bytes, and stores it back to offset 0 with BPF_STX. Expected:
	 * REJECT; .errstr reports a type mismatch between R1
	 * (untrusted_ptr_prog_test_ref_kfunc) and the expected type.
	 */
156 	"map_kptr: unref: reject btf_struct_ids_match == false",
157 	.insns = {
	/*
	 * Prologue: zero a 4-byte key at R10 (frame pointer) - 4, then
	 * R0 = bpf_map_lookup_elem(map, &key); exit if R0 is NULL.
	 * BPF_LD_MAP_FD is insn 1, the index listed in .fixup_map_kptr.
	 */
158 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
159 	BPF_LD_MAP_FD(BPF_REG_6, 0),
160 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
161 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
162 	BPF_MOV64_IMM(BPF_REG_0, 0),
163 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
164 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
165 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
166 	BPF_EXIT_INSN(),
	/* R1 = 64-bit load from value offset 0; exit if it is 0 */
167 	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
168 	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
169 	BPF_EXIT_INSN(),
	/* R1 += 4 (constant); *(u64 *)(R0 + 0) = R1 is the store under test */
170 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 4),
171 	BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
172 	BPF_EXIT_INSN(),
173 	},
174 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
175 	.fixup_map_kptr = { 1 },
176 	.result = REJECT,
177 	.errstr = "invalid kptr access, R1 type=untrusted_ptr_prog_test_ref_kfunc expected=ptr_prog_test",
178 },
179 {
	/*
	 * Loads the pointer stored at value offset 0 and dereferences it
	 * without a NULL check. Expected: REJECT; .errstr reports R0 as
	 * 'untrusted_ptr_or_null_', i.e. not valid for a memory access.
	 */
180 	"map_kptr: unref: loaded pointer marked as untrusted",
181 	.insns = {
	/*
	 * Prologue: zero a 4-byte key at R10 (frame pointer) - 4, then
	 * R0 = bpf_map_lookup_elem(map, &key); exit if R0 is NULL.
	 * BPF_LD_MAP_FD is insn 1, the index listed in .fixup_map_kptr.
	 */
182 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
183 	BPF_LD_MAP_FD(BPF_REG_6, 0),
184 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
185 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
186 	BPF_MOV64_IMM(BPF_REG_0, 0),
187 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
188 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
189 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
190 	BPF_EXIT_INSN(),
	/* R0 = 64-bit load from value offset 0, then read through it unchecked */
191 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
192 	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0),
193 	BPF_EXIT_INSN(),
194 	},
195 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
196 	.fixup_map_kptr = { 1 },
197 	.result = REJECT,
198 	.errstr = "R0 invalid mem access 'untrusted_ptr_or_null_'",
199 },
200 {
	/*
	 * Loads the pointer stored at value offset 0, NULL-checks it, then
	 * reads 8 bytes at offset 32 through it. Expected: REJECT; .errstr
	 * reports the read as beyond struct prog_test_ref_kfunc, so the
	 * access is bounds-checked against the pointed-to kernel type.
	 */
201 	"map_kptr: unref: correct in kernel type size",
202 	.insns = {
	/*
	 * Prologue: zero a 4-byte key at R10 (frame pointer) - 4, then
	 * R0 = bpf_map_lookup_elem(map, &key); exit if R0 is NULL.
	 * BPF_LD_MAP_FD is insn 1, the index listed in .fixup_map_kptr.
	 */
203 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
204 	BPF_LD_MAP_FD(BPF_REG_6, 0),
205 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
206 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
207 	BPF_MOV64_IMM(BPF_REG_0, 0),
208 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
209 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
210 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
211 	BPF_EXIT_INSN(),
	/* R0 = 64-bit load from value offset 0; exit if it is 0 */
212 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
213 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
214 	BPF_EXIT_INSN(),
	/* *(u64 *)(R0 + 32): the out-of-bounds read under test */
215 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 32),
216 	BPF_EXIT_INSN(),
217 	},
218 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
219 	.fixup_map_kptr = { 1 },
220 	.result = REJECT,
221 	.errstr = "access beyond struct prog_test_ref_kfunc at off 32 size 8",
222 },
223 {
	/*
	 * Loads the pointer stored at value offset 0, NULL-checks it, reads
	 * an 8-byte field at offset 16 through it and passes that field as R1
	 * to bpf_this_cpu_ptr. Expected: REJECT; .errstr reports R1 as
	 * untrusted_ptr_ where percpu_ptr_ is expected, so the value obtained
	 * by walking the struct is still typed as untrusted.
	 */
224 	"map_kptr: unref: inherit PTR_UNTRUSTED on struct walk",
225 	.insns = {
	/*
	 * Prologue: zero a 4-byte key at R10 (frame pointer) - 4, then
	 * R0 = bpf_map_lookup_elem(map, &key); exit if R0 is NULL.
	 * BPF_LD_MAP_FD is insn 1, the index listed in .fixup_map_kptr.
	 */
226 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
227 	BPF_LD_MAP_FD(BPF_REG_6, 0),
228 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
229 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
230 	BPF_MOV64_IMM(BPF_REG_0, 0),
231 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
232 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
233 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
234 	BPF_EXIT_INSN(),
	/* R0 = 64-bit load from value offset 0; exit if it is 0 */
235 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
236 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
237 	BPF_EXIT_INSN(),
	/* R1 = *(u64 *)(R0 + 16), handed to the helper as its argument */
238 	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 16),
239 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_this_cpu_ptr),
240 	BPF_EXIT_INSN(),
241 	},
242 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
243 	.fixup_map_kptr = { 1 },
244 	.result = REJECT,
245 	.errstr = "R1 type=untrusted_ptr_ expected=percpu_ptr_",
246 },
247 {
	/*
	 * Loads the pointer stored at value offset 0 and exits on both
	 * branches of the NULL check without releasing anything. Expected:
	 * ACCEPT, i.e. the load leaves no reference that the program would
	 * have to release before exit. This is the only entry on this page
	 * without an .errstr.
	 */
248 	"map_kptr: unref: no reference state created",
249 	.insns = {
	/*
	 * Prologue: zero a 4-byte key at R10 (frame pointer) - 4, then
	 * R0 = bpf_map_lookup_elem(map, &key); exit if R0 is NULL.
	 * BPF_LD_MAP_FD is insn 1, the index listed in .fixup_map_kptr.
	 */
250 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
251 	BPF_LD_MAP_FD(BPF_REG_6, 0),
252 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
253 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
254 	BPF_MOV64_IMM(BPF_REG_0, 0),
255 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
256 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
257 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
258 	BPF_EXIT_INSN(),
	/* R0 = 64-bit load from value offset 0; both outcomes reach an exit */
259 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
260 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
261 	BPF_EXIT_INSN(),
262 	BPF_EXIT_INSN(),
263 	},
264 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
265 	.fixup_map_kptr = { 1 },
266 	.result = ACCEPT,
267 },
268 {
	/*
	 * Calls bpf_kptr_xchg with R1 = map value pointer (offset 0) and
	 * R2 = 0. Expected: REJECT; per .errstr, the kptr at off=0 is not a
	 * referenced kptr and so cannot be exchanged.
	 */
269 	"map_kptr: unref: bpf_kptr_xchg rejected",
270 	.insns = {
	/*
	 * Prologue: zero a 4-byte key at R10 (frame pointer) - 4, then
	 * R0 = bpf_map_lookup_elem(map, &key); exit if R0 is NULL.
	 * BPF_LD_MAP_FD is insn 1, the index listed in .fixup_map_kptr.
	 */
271 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
272 	BPF_LD_MAP_FD(BPF_REG_6, 0),
273 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
274 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
275 	BPF_MOV64_IMM(BPF_REG_0, 0),
276 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
277 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
278 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
279 	BPF_EXIT_INSN(),
	/* R1 = map value, R2 = 0; the helper call under test */
280 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
281 	BPF_MOV64_IMM(BPF_REG_2, 0),
282 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_kptr_xchg),
283 	BPF_MOV64_IMM(BPF_REG_0, 0),
284 	BPF_EXIT_INSN(),
285 	},
286 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
287 	.fixup_map_kptr = { 1 },
288 	.result = REJECT,
289 	.errstr = "off=0 kptr isn't referenced kptr",
290 },
291 /* Tests for referenced PTR_TO_BTF_ID */
292 {
	/*
	 * Loads the pointer stored at value offset 8 and passes it, without a
	 * NULL check, as R1 to bpf_this_cpu_ptr. Expected: REJECT with R1
	 * typed rcu_ptr_or_null_ where percpu_ptr_ is expected.
	 * NOTE(review): the test name says "untrusted" while .errstr names
	 * the type rcu_ptr_or_null_; the name may predate a change in how the
	 * verifier types this load - confirm.
	 */
293 	"map_kptr: ref: loaded pointer marked as untrusted",
294 	.insns = {
	/*
	 * Prologue: zero a 4-byte key at R10 (frame pointer) - 4, then
	 * R0 = bpf_map_lookup_elem(map, &key); exit if R0 is NULL.
	 * BPF_LD_MAP_FD is insn 1, the index listed in .fixup_map_kptr.
	 */
295 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
296 	BPF_LD_MAP_FD(BPF_REG_6, 0),
297 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
298 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
299 	BPF_MOV64_IMM(BPF_REG_0, 0),
300 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
301 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
302 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
303 	BPF_EXIT_INSN(),
	/* R1 = 0 is overwritten at once by R1 = *(u64 *)(R0 + 8) */
304 	BPF_MOV64_IMM(BPF_REG_1, 0),
305 	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 8),
306 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_this_cpu_ptr),
307 	BPF_EXIT_INSN(),
308 	},
309 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
310 	.fixup_map_kptr = { 1 },
311 	.result = REJECT,
312 	.errstr = "R1 type=rcu_ptr_or_null_ expected=percpu_ptr_",
313 },
314 {
	/*
	 * First exchanges 0 into the kptr at value offset 8 and keeps the
	 * returned pointer; then advances that pointer by 8 and tries to
	 * exchange it into value offset 16. Expected: REJECT; .errstr reports
	 * R2 as ptr_prog_test_ref_kfunc where ptr_prog_test_member is
	 * expected.
	 * NOTE(review): the map value layout is defined by the test harness,
	 * which is not on this page; the slot at offset 16 presumably holds a
	 * prog_test_member kptr - confirm.
	 */
315 	"map_kptr: ref: reject off != 0",
316 	.insns = {
	/*
	 * Prologue: zero a 4-byte key at R10 (frame pointer) - 4, then
	 * R0 = bpf_map_lookup_elem(map, &key); exit if R0 is NULL.
	 * BPF_LD_MAP_FD is insn 1, the index listed in .fixup_map_kptr.
	 */
317 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
318 	BPF_LD_MAP_FD(BPF_REG_6, 0),
319 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
320 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
321 	BPF_MOV64_IMM(BPF_REG_0, 0),
322 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
323 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
324 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
325 	BPF_EXIT_INSN(),
	/* R7 = R1 = map value + 8; R0 = bpf_kptr_xchg(R1, 0); exit if 0 */
326 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
327 	BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
328 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
329 	BPF_MOV64_IMM(BPF_REG_2, 0),
330 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_kptr_xchg),
331 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
332 	BPF_EXIT_INSN(),
	/*
	 * R1 = map value + 16; R2 = returned pointer + 8; the second
	 * bpf_kptr_xchg is the call under test.
	 */
333 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
334 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
335 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
336 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
337 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_kptr_xchg),
338 	BPF_EXIT_INSN(),
339 	},
340 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
341 	.fixup_map_kptr = { 1 },
342 	.result = REJECT,
343 	.errstr = "invalid kptr access, R2 type=ptr_prog_test_ref_kfunc expected=ptr_prog_test_member",
344 },
345 {
	/*
	 * Acquires a pointer from the kfunc named in .fixup_kfunc_btf_id,
	 * exchanges it into the kptr at value offset 8, and exits without
	 * using the value bpf_kptr_xchg returns. Expected: REJECT with an
	 * unreleased reference whose alloc_insn is 20.
	 *
	 * Instruction indexes are load-bearing here: BPF_LD_MAP_FD occupies
	 * two slots (insns 1-2), which puts the kfunc call at insn 15 (the
	 * index in .fixup_kfunc_btf_id) and the bpf_kptr_xchg call at insn 20
	 * (the alloc_insn in .errstr). Adding or removing instructions above
	 * either call requires updating both values.
	 * NOTE(review): the unreleased reference is presumably the old
	 * pointer returned in R0 by bpf_kptr_xchg - confirm.
	 */
346 	"map_kptr: ref: reference state created and released on xchg",
347 	.insns = {
	/*
	 * Prologue: zero a 4-byte key at R10 (frame pointer) - 4, then
	 * R0 = bpf_map_lookup_elem(map, &key); exit if R0 is NULL.
	 * BPF_LD_MAP_FD is insn 1, the index listed in .fixup_map_kptr.
	 */
348 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
349 	BPF_LD_MAP_FD(BPF_REG_6, 0),
350 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
351 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
352 	BPF_MOV64_IMM(BPF_REG_0, 0),
353 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
354 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
355 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
356 	BPF_EXIT_INSN(),
	/* R7 = map value + 8, kept across the calls below */
357 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
358 	BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
	/*
	 * R1 = R10 - 8, pointing at a zeroed 8-byte stack slot, then the
	 * kfunc call (imm 0 here; target supplied via .fixup_kfunc_btf_id).
	 * Exit if the kfunc returns 0.
	 */
359 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
360 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
361 	BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
362 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
363 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
364 	BPF_EXIT_INSN(),
	/* bpf_kptr_xchg(map value + 8, acquired pointer); result is dropped */
365 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
366 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
367 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_kptr_xchg),
368 	BPF_MOV64_IMM(BPF_REG_0, 0),
369 	BPF_EXIT_INSN(),
370 	},
371 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
372 	.fixup_map_kptr = { 1 },
373 	.result = REJECT,
374 	.errstr = "Unreleased reference id=5 alloc_insn=20",
375 	.fixup_kfunc_btf_id = {
376 		{ "bpf_kfunc_call_test_acquire", 15 },
377 	}
378 },
379 {
	/*
	 * Writes a register to value offset 8 with a plain 64-bit BPF_STX.
	 * Expected: REJECT; per .errstr, direct stores to a referenced kptr
	 * are disallowed.
	 */
380 	"map_kptr: ref: reject STX",
381 	.insns = {
	/*
	 * Prologue: zero a 4-byte key at R10 (frame pointer) - 4, then
	 * R0 = bpf_map_lookup_elem(map, &key); exit if R0 is NULL.
	 * BPF_LD_MAP_FD is insn 1, the index listed in .fixup_map_kptr.
	 */
382 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
383 	BPF_LD_MAP_FD(BPF_REG_6, 0),
384 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
385 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
386 	BPF_MOV64_IMM(BPF_REG_0, 0),
387 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
388 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
389 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
390 	BPF_EXIT_INSN(),
	/*
	 * NOTE(review): BPF_MOV64_REG takes a source register, and the bare
	 * literal 0 is the value of BPF_REG_0 in the uapi enum, so this
	 * copies R0 (the map value pointer) into R1 rather than loading the
	 * constant 0. If a zero store was intended, BPF_MOV64_IMM would say
	 * so; the expected rejection does not appear to depend on the stored
	 * value - confirm before changing.
	 */
391 	BPF_MOV64_REG(BPF_REG_1, 0),
	/* *(u64 *)(R0 + 8) = R1: the store under test */
392 	BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
393 	BPF_EXIT_INSN(),
394 	},
395 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
396 	.fixup_map_kptr = { 1 },
397 	.result = REJECT,
398 	.errstr = "store to referenced kptr disallowed",
399 },
400 {
401 	"map_kptr: ref: reject ST",
402 	.insns = {
403 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
404 	BPF_LD_MAP_FD(BPF_REG_6, 0),
405 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
406 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
407 	BPF_MOV64_IMM(BPF_REG_0, 0),
408 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
409 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
410 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
411 	BPF_EXIT_INSN(),
412 	BPF_ST_MEM(BPF_DW, BPF_REG_0, 8, 0),
413 	BPF_EXIT_INSN(),
414 	},
415 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
416 	.fixup_map_kptr = { 1 },
417 	.result = REJECT,
418 	.errstr = "store to referenced kptr disallowed",
419 },
420 {
421 	"map_kptr: reject helper access to kptr",
422 	.insns = {
423 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
424 	BPF_LD_MAP_FD(BPF_REG_6, 0),
425 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
426 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
427 	BPF_MOV64_IMM(BPF_REG_0, 0),
428 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
429 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
430 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
431 	BPF_EXIT_INSN(),
432 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
433 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
434 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
435 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_delete_elem),
436 	BPF_EXIT_INSN(),
437 	},
438 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
439 	.fixup_map_kptr = { 1 },
440 	.result = REJECT,
441 	.errstr = "kptr cannot be accessed indirectly by helper",
442 },
443