1 /* Common tests */ 2 { 3 "map_kptr: BPF_ST imm != 0", 4 .insns = { 5 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6 BPF_LD_MAP_FD(BPF_REG_6, 0), 7 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 8 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 9 BPF_MOV64_IMM(BPF_REG_0, 0), 10 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 11 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 12 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 13 BPF_EXIT_INSN(), 14 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1), 15 BPF_EXIT_INSN(), 16 }, 17 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 18 .fixup_map_kptr = { 1 }, 19 .result = REJECT, 20 .errstr = "BPF_ST imm must be 0 when storing to kptr at off=0", 21 }, 22 { 23 "map_kptr: size != bpf_size_to_bytes(BPF_DW)", 24 .insns = { 25 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 26 BPF_LD_MAP_FD(BPF_REG_6, 0), 27 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 28 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 29 BPF_MOV64_IMM(BPF_REG_0, 0), 30 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 31 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 32 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 33 BPF_EXIT_INSN(), 34 BPF_ST_MEM(BPF_W, BPF_REG_0, 0, 0), 35 BPF_EXIT_INSN(), 36 }, 37 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 38 .fixup_map_kptr = { 1 }, 39 .result = REJECT, 40 .errstr = "kptr access size must be BPF_DW", 41 }, 42 { 43 "map_kptr: map_value non-const var_off", 44 .insns = { 45 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 46 BPF_LD_MAP_FD(BPF_REG_6, 0), 47 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 48 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 49 BPF_MOV64_IMM(BPF_REG_0, 0), 50 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 51 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 52 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 53 BPF_EXIT_INSN(), 54 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), 55 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0), 56 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1), 57 BPF_EXIT_INSN(), 58 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2, 0), 59 BPF_JMP_IMM(BPF_JLE, BPF_REG_2, 4, 1), 60 BPF_EXIT_INSN(), 61 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1), 62 BPF_EXIT_INSN(), 63 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2), 64 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0), 65 BPF_EXIT_INSN(), 66 }, 67 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 68 .fixup_map_kptr = { 1 }, 69 .result = REJECT, 70 .errstr = "kptr access cannot have variable offset", 71 }, 72 { 73 "map_kptr: bpf_kptr_xchg non-const var_off", 74 .insns = { 75 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 76 BPF_LD_MAP_FD(BPF_REG_6, 0), 77 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 78 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 79 BPF_MOV64_IMM(BPF_REG_0, 0), 80 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 81 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 82 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 83 BPF_EXIT_INSN(), 84 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), 85 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0), 86 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1), 87 BPF_EXIT_INSN(), 88 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2, 0), 89 BPF_JMP_IMM(BPF_JLE, BPF_REG_2, 4, 1), 90 BPF_EXIT_INSN(), 91 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1), 92 BPF_EXIT_INSN(), 93 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2), 94 BPF_MOV64_REG(BPF_REG_1, BPF_REG_3), 95 BPF_MOV64_IMM(BPF_REG_2, 0), 96 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_kptr_xchg), 97 BPF_EXIT_INSN(), 98 }, 99 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 100 .fixup_map_kptr = { 1 }, 101 .result = REJECT, 102 .errstr = "R1 doesn't have constant offset. kptr has to be at the constant offset", 103 }, 104 { 105 "map_kptr: unaligned boundary load/store", 106 .insns = { 107 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 108 BPF_LD_MAP_FD(BPF_REG_6, 0), 109 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 110 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 111 BPF_MOV64_IMM(BPF_REG_0, 0), 112 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 113 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 114 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 115 BPF_EXIT_INSN(), 116 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 7), 117 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0), 118 BPF_EXIT_INSN(), 119 }, 120 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 121 .fixup_map_kptr = { 1 }, 122 .result = REJECT, 123 .errstr = "kptr access misaligned expected=0 off=7", 124 }, 125 { 126 "map_kptr: reject var_off != 0", 127 .insns = { 128 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 129 BPF_LD_MAP_FD(BPF_REG_6, 0), 130 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 131 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 132 BPF_MOV64_IMM(BPF_REG_0, 0), 133 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 134 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 135 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 136 BPF_EXIT_INSN(), 137 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 138 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), 139 BPF_EXIT_INSN(), 140 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0), 141 BPF_JMP_IMM(BPF_JLE, BPF_REG_2, 4, 1), 142 BPF_EXIT_INSN(), 143 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1), 144 BPF_EXIT_INSN(), 145 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2), 146 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0), 147 BPF_EXIT_INSN(), 148 }, 149 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 150 .fixup_map_kptr = { 1 }, 151 .result = REJECT, 152 .errstr = "variable untrusted_ptr_ access var_off=(0x0; 0x7) disallowed", 153 }, 154 /* Tests for unreferened PTR_TO_BTF_ID */ 155 { 156 "map_kptr: unref: reject btf_struct_ids_match == false", 157 .insns = { 158 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 159 BPF_LD_MAP_FD(BPF_REG_6, 0), 160 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 161 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 162 BPF_MOV64_IMM(BPF_REG_0, 0), 163 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 164 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 165 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 166 BPF_EXIT_INSN(), 167 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 168 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), 169 BPF_EXIT_INSN(), 170 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 4), 171 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0), 172 BPF_EXIT_INSN(), 173 }, 174 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 175 .fixup_map_kptr = { 1 }, 176 .result = REJECT, 177 .errstr = "invalid kptr access, R1 type=untrusted_ptr_prog_test_ref_kfunc expected=ptr_prog_test", 178 }, 179 { 180 "map_kptr: unref: loaded pointer marked as untrusted", 181 .insns = { 182 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 183 BPF_LD_MAP_FD(BPF_REG_6, 0), 184 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 185 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 186 BPF_MOV64_IMM(BPF_REG_0, 0), 187 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 188 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 189 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 190 BPF_EXIT_INSN(), 191 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), 192 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0), 193 BPF_EXIT_INSN(), 194 }, 195 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 196 .fixup_map_kptr = { 1 }, 197 .result = REJECT, 198 .errstr = "R0 invalid mem access 'untrusted_ptr_or_null_'", 199 }, 200 { 201 "map_kptr: unref: correct in kernel type size", 202 .insns = { 203 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 204 BPF_LD_MAP_FD(BPF_REG_6, 0), 205 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 206 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 207 BPF_MOV64_IMM(BPF_REG_0, 0), 208 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 209 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 210 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 211 BPF_EXIT_INSN(), 212 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), 213 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 214 BPF_EXIT_INSN(), 215 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 32), 216 BPF_EXIT_INSN(), 217 }, 218 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 219 .fixup_map_kptr = { 1 }, 220 .result = REJECT, 221 .errstr = "access beyond struct prog_test_ref_kfunc at off 32 size 8", 222 }, 223 { 224 "map_kptr: unref: inherit PTR_UNTRUSTED on struct walk", 225 .insns = { 226 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 227 BPF_LD_MAP_FD(BPF_REG_6, 0), 228 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 229 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 230 BPF_MOV64_IMM(BPF_REG_0, 0), 231 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 232 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 233 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 234 BPF_EXIT_INSN(), 235 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), 236 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 237 BPF_EXIT_INSN(), 238 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 16), 239 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_this_cpu_ptr), 240 BPF_EXIT_INSN(), 241 }, 242 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 243 .fixup_map_kptr = { 1 }, 244 .result = REJECT, 245 .errstr = "R1 type=untrusted_ptr_ expected=percpu_ptr_", 246 }, 247 { 248 "map_kptr: unref: no reference state created", 249 .insns = { 250 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 251 BPF_LD_MAP_FD(BPF_REG_6, 0), 252 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 253 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 254 BPF_MOV64_IMM(BPF_REG_0, 0), 255 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 256 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 257 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 258 BPF_EXIT_INSN(), 259 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), 260 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 261 BPF_EXIT_INSN(), 262 BPF_EXIT_INSN(), 263 }, 264 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 265 .fixup_map_kptr = { 1 }, 266 .result = ACCEPT, 267 }, 268 { 269 "map_kptr: unref: bpf_kptr_xchg rejected", 270 .insns = { 271 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 272 BPF_LD_MAP_FD(BPF_REG_6, 0), 273 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 274 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 275 BPF_MOV64_IMM(BPF_REG_0, 0), 276 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 277 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 278 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 279 BPF_EXIT_INSN(), 280 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 281 BPF_MOV64_IMM(BPF_REG_2, 0), 282 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_kptr_xchg), 283 BPF_MOV64_IMM(BPF_REG_0, 0), 284 BPF_EXIT_INSN(), 285 }, 286 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 287 .fixup_map_kptr = { 1 }, 288 .result = REJECT, 289 .errstr = "off=0 kptr isn't referenced kptr", 290 }, 291 { 292 "map_kptr: unref: bpf_kfunc_call_test_kptr_get rejected", 293 .insns = { 294 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 295 BPF_LD_MAP_FD(BPF_REG_6, 0), 296 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 297 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 298 BPF_MOV64_IMM(BPF_REG_0, 0), 299 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 300 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 301 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 302 BPF_EXIT_INSN(), 303 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 304 BPF_MOV64_IMM(BPF_REG_2, 0), 305 BPF_MOV64_IMM(BPF_REG_3, 0), 306 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0), 307 BPF_MOV64_IMM(BPF_REG_0, 0), 308 BPF_EXIT_INSN(), 309 }, 310 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 311 .fixup_map_kptr = { 1 }, 312 .result = REJECT, 313 .errstr = "arg#0 no referenced kptr at map value offset=0", 314 .fixup_kfunc_btf_id = { 315 { "bpf_kfunc_call_test_kptr_get", 13 }, 316 } 317 }, 318 /* Tests for referenced PTR_TO_BTF_ID */ 319 { 320 "map_kptr: ref: loaded pointer marked as untrusted", 321 .insns = { 322 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 323 BPF_LD_MAP_FD(BPF_REG_6, 0), 324 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 325 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 326 BPF_MOV64_IMM(BPF_REG_0, 0), 327 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 328 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 329 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 330 BPF_EXIT_INSN(), 331 BPF_MOV64_IMM(BPF_REG_1, 0), 332 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 8), 333 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_this_cpu_ptr), 334 BPF_EXIT_INSN(), 335 }, 336 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 337 .fixup_map_kptr = { 1 }, 338 .result = REJECT, 339 .errstr = "R1 type=untrusted_ptr_or_null_ expected=percpu_ptr_", 340 }, 341 { 342 "map_kptr: ref: reject off != 0", 343 .insns = { 344 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 345 BPF_LD_MAP_FD(BPF_REG_6, 0), 346 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 347 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 348 BPF_MOV64_IMM(BPF_REG_0, 0), 349 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 350 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 351 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 352 BPF_EXIT_INSN(), 353 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 354 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), 355 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 356 BPF_MOV64_IMM(BPF_REG_2, 0), 357 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_kptr_xchg), 358 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 359 BPF_EXIT_INSN(), 360 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), 361 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 362 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 363 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 364 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_kptr_xchg), 365 BPF_EXIT_INSN(), 366 }, 367 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 368 .fixup_map_kptr = { 1 }, 369 .result = REJECT, 370 .errstr = "invalid kptr access, R2 type=ptr_prog_test_ref_kfunc expected=ptr_prog_test_member", 371 }, 372 { 373 "map_kptr: ref: reference state created and released on xchg", 374 .insns = { 375 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 376 BPF_LD_MAP_FD(BPF_REG_6, 0), 377 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 378 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 379 BPF_MOV64_IMM(BPF_REG_0, 0), 380 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 381 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 382 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 383 BPF_EXIT_INSN(), 384 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 385 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), 386 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 387 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 388 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0), 389 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0), 390 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 391 BPF_EXIT_INSN(), 392 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), 393 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 394 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_kptr_xchg), 395 BPF_MOV64_IMM(BPF_REG_0, 0), 396 BPF_EXIT_INSN(), 397 }, 398 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 399 .fixup_map_kptr = { 1 }, 400 .result = REJECT, 401 .errstr = "Unreleased reference id=5 alloc_insn=20", 402 .fixup_kfunc_btf_id = { 403 { "bpf_kfunc_call_test_acquire", 15 }, 404 } 405 }, 406 { 407 "map_kptr: ref: reject STX", 408 .insns = { 409 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 410 BPF_LD_MAP_FD(BPF_REG_6, 0), 411 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 412 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 413 BPF_MOV64_IMM(BPF_REG_0, 0), 414 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 415 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 416 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 417 BPF_EXIT_INSN(), 418 BPF_MOV64_REG(BPF_REG_1, 0), 419 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8), 420 BPF_EXIT_INSN(), 421 }, 422 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 423 .fixup_map_kptr = { 1 }, 424 .result = REJECT, 425 .errstr = "store to referenced kptr disallowed", 426 }, 427 { 428 "map_kptr: ref: reject ST", 429 .insns = { 430 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 431 BPF_LD_MAP_FD(BPF_REG_6, 0), 432 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 433 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 434 BPF_MOV64_IMM(BPF_REG_0, 0), 435 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 436 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 437 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 438 BPF_EXIT_INSN(), 439 BPF_ST_MEM(BPF_DW, BPF_REG_0, 8, 0), 440 BPF_EXIT_INSN(), 441 }, 442 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 443 .fixup_map_kptr = { 1 }, 444 .result = REJECT, 445 .errstr = "store to referenced kptr disallowed", 446 }, 447 { 448 "map_kptr: reject helper access to kptr", 449 .insns = { 450 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 451 BPF_LD_MAP_FD(BPF_REG_6, 0), 452 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 453 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 454 BPF_MOV64_IMM(BPF_REG_0, 0), 455 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 456 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 457 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 458 BPF_EXIT_INSN(), 459 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 460 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2), 461 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 462 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_delete_elem), 463 BPF_EXIT_INSN(), 464 }, 465 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 466 .fixup_map_kptr = { 1 }, 467 .result = REJECT, 468 .errstr = "kptr cannot be accessed indirectly by helper", 469 }, 470