1 /* Common tests */ 2 { 3 "map_kptr: BPF_ST imm != 0", 4 .insns = { 5 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6 BPF_LD_MAP_FD(BPF_REG_6, 0), 7 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 8 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 9 BPF_MOV64_IMM(BPF_REG_0, 0), 10 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 11 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 12 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 13 BPF_EXIT_INSN(), 14 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1), 15 BPF_EXIT_INSN(), 16 }, 17 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 18 .fixup_map_kptr = { 1 }, 19 .result = REJECT, 20 .errstr = "BPF_ST imm must be 0 when storing to kptr at off=0", 21 }, 22 { 23 "map_kptr: size != bpf_size_to_bytes(BPF_DW)", 24 .insns = { 25 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 26 BPF_LD_MAP_FD(BPF_REG_6, 0), 27 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 28 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 29 BPF_MOV64_IMM(BPF_REG_0, 0), 30 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 31 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 32 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 33 BPF_EXIT_INSN(), 34 BPF_ST_MEM(BPF_W, BPF_REG_0, 0, 0), 35 BPF_EXIT_INSN(), 36 }, 37 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 38 .fixup_map_kptr = { 1 }, 39 .result = REJECT, 40 .errstr = "kptr access size must be BPF_DW", 41 }, 42 { 43 "map_kptr: map_value non-const var_off", 44 .insns = { 45 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 46 BPF_LD_MAP_FD(BPF_REG_6, 0), 47 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 48 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 49 BPF_MOV64_IMM(BPF_REG_0, 0), 50 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 51 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 52 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 53 BPF_EXIT_INSN(), 54 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), 55 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0), 56 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1), 57 BPF_EXIT_INSN(), 58 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2, 0), 59 BPF_JMP_IMM(BPF_JLE, BPF_REG_2, 4, 1), 60 BPF_EXIT_INSN(), 61 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1), 62 BPF_EXIT_INSN(), 63 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2), 64 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0), 65 BPF_EXIT_INSN(), 66 }, 67 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 68 .fixup_map_kptr = { 1 }, 69 .result = REJECT, 70 .errstr = "kptr access cannot have variable offset", 71 }, 72 { 73 "map_kptr: bpf_kptr_xchg non-const var_off", 74 .insns = { 75 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 76 BPF_LD_MAP_FD(BPF_REG_6, 0), 77 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 78 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 79 BPF_MOV64_IMM(BPF_REG_0, 0), 80 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 81 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 82 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 83 BPF_EXIT_INSN(), 84 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), 85 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0), 86 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1), 87 BPF_EXIT_INSN(), 88 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2, 0), 89 BPF_JMP_IMM(BPF_JLE, BPF_REG_2, 4, 1), 90 BPF_EXIT_INSN(), 91 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1), 92 BPF_EXIT_INSN(), 93 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2), 94 BPF_MOV64_REG(BPF_REG_1, BPF_REG_3), 95 BPF_MOV64_IMM(BPF_REG_2, 0), 96 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_kptr_xchg), 97 BPF_EXIT_INSN(), 98 }, 99 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 100 .fixup_map_kptr = { 1 }, 101 .result = REJECT, 102 .errstr = "R1 doesn't have constant offset. kptr has to be at the constant offset", 103 }, 104 { 105 "map_kptr: unaligned boundary load/store", 106 .insns = { 107 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 108 BPF_LD_MAP_FD(BPF_REG_6, 0), 109 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 110 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 111 BPF_MOV64_IMM(BPF_REG_0, 0), 112 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 113 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 114 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 115 BPF_EXIT_INSN(), 116 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 7), 117 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0), 118 BPF_EXIT_INSN(), 119 }, 120 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 121 .fixup_map_kptr = { 1 }, 122 .result = REJECT, 123 .errstr = "kptr access misaligned expected=0 off=7", 124 }, 125 { 126 "map_kptr: reject var_off != 0", 127 .insns = { 128 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 129 BPF_LD_MAP_FD(BPF_REG_6, 0), 130 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 131 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 132 BPF_MOV64_IMM(BPF_REG_0, 0), 133 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 134 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 135 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 136 BPF_EXIT_INSN(), 137 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 138 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), 139 BPF_EXIT_INSN(), 140 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0), 141 BPF_JMP_IMM(BPF_JLE, BPF_REG_2, 4, 1), 142 BPF_EXIT_INSN(), 143 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1), 144 BPF_EXIT_INSN(), 145 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2), 146 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0), 147 BPF_EXIT_INSN(), 148 }, 149 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 150 .fixup_map_kptr = { 1 }, 151 .result = REJECT, 152 .errstr = "variable untrusted_ptr_ access var_off=(0x0; 0x7) disallowed", 153 }, 154 /* Tests for unreferened PTR_TO_BTF_ID */ 155 { 156 "map_kptr: unref: reject btf_struct_ids_match == false", 157 .insns = { 158 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 159 BPF_LD_MAP_FD(BPF_REG_6, 0), 160 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 161 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 162 BPF_MOV64_IMM(BPF_REG_0, 0), 163 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 164 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 165 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 166 BPF_EXIT_INSN(), 167 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 168 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), 169 BPF_EXIT_INSN(), 170 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 4), 171 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0), 172 BPF_EXIT_INSN(), 173 }, 174 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 175 .fixup_map_kptr = { 1 }, 176 .result = REJECT, 177 .errstr = "invalid kptr access, R1 type=untrusted_ptr_prog_test_ref_kfunc expected=ptr_prog_test", 178 }, 179 { 180 "map_kptr: unref: loaded pointer marked as untrusted", 181 .insns = { 182 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 183 BPF_LD_MAP_FD(BPF_REG_6, 0), 184 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 185 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 186 BPF_MOV64_IMM(BPF_REG_0, 0), 187 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 188 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 189 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 190 BPF_EXIT_INSN(), 191 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), 192 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0), 193 BPF_EXIT_INSN(), 194 }, 195 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 196 .fixup_map_kptr = { 1 }, 197 .result = REJECT, 198 .errstr = "R0 invalid mem access 'untrusted_ptr_or_null_'", 199 }, 200 { 201 "map_kptr: unref: correct in kernel type size", 202 .insns = { 203 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 204 BPF_LD_MAP_FD(BPF_REG_6, 0), 205 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 206 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 207 BPF_MOV64_IMM(BPF_REG_0, 0), 208 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 209 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 210 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 211 BPF_EXIT_INSN(), 212 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), 213 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 214 BPF_EXIT_INSN(), 215 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 32), 216 BPF_EXIT_INSN(), 217 }, 218 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 219 .fixup_map_kptr = { 1 }, 220 .result = REJECT, 221 .errstr = "access beyond struct prog_test_ref_kfunc at off 32 size 8", 222 }, 223 { 224 "map_kptr: unref: inherit PTR_UNTRUSTED on struct walk", 225 .insns = { 226 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 227 BPF_LD_MAP_FD(BPF_REG_6, 0), 228 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 229 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 230 BPF_MOV64_IMM(BPF_REG_0, 0), 231 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 232 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 233 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 234 BPF_EXIT_INSN(), 235 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), 236 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 237 BPF_EXIT_INSN(), 238 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 16), 239 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_this_cpu_ptr), 240 BPF_EXIT_INSN(), 241 }, 242 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 243 .fixup_map_kptr = { 1 }, 244 .result = REJECT, 245 .errstr = "R1 type=untrusted_ptr_ expected=percpu_ptr_", 246 }, 247 { 248 "map_kptr: unref: no reference state created", 249 .insns = { 250 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 251 BPF_LD_MAP_FD(BPF_REG_6, 0), 252 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 253 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 254 BPF_MOV64_IMM(BPF_REG_0, 0), 255 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 256 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 257 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 258 BPF_EXIT_INSN(), 259 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), 260 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 261 BPF_EXIT_INSN(), 262 BPF_EXIT_INSN(), 263 }, 264 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 265 .fixup_map_kptr = { 1 }, 266 .result = ACCEPT, 267 }, 268 { 269 "map_kptr: unref: bpf_kptr_xchg rejected", 270 .insns = { 271 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 272 BPF_LD_MAP_FD(BPF_REG_6, 0), 273 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 274 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 275 BPF_MOV64_IMM(BPF_REG_0, 0), 276 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 277 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 278 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 279 BPF_EXIT_INSN(), 280 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 281 BPF_MOV64_IMM(BPF_REG_2, 0), 282 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_kptr_xchg), 283 BPF_MOV64_IMM(BPF_REG_0, 0), 284 BPF_EXIT_INSN(), 285 }, 286 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 287 .fixup_map_kptr = { 1 }, 288 .result = REJECT, 289 .errstr = "off=0 kptr isn't referenced kptr", 290 }, 291 /* Tests for referenced PTR_TO_BTF_ID */ 292 { 293 "map_kptr: ref: loaded pointer marked as untrusted", 294 .insns = { 295 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 296 BPF_LD_MAP_FD(BPF_REG_6, 0), 297 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 298 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 299 BPF_MOV64_IMM(BPF_REG_0, 0), 300 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 301 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 302 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 303 BPF_EXIT_INSN(), 304 BPF_MOV64_IMM(BPF_REG_1, 0), 305 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 8), 306 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_this_cpu_ptr), 307 BPF_EXIT_INSN(), 308 }, 309 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 310 .fixup_map_kptr = { 1 }, 311 .result = REJECT, 312 .errstr = "R1 type=rcu_ptr_or_null_ expected=percpu_ptr_", 313 }, 314 { 315 "map_kptr: ref: reject off != 0", 316 .insns = { 317 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 318 BPF_LD_MAP_FD(BPF_REG_6, 0), 319 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 320 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 321 BPF_MOV64_IMM(BPF_REG_0, 0), 322 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 323 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 324 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 325 BPF_EXIT_INSN(), 326 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 327 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), 328 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 329 BPF_MOV64_IMM(BPF_REG_2, 0), 330 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_kptr_xchg), 331 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 332 BPF_EXIT_INSN(), 333 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), 334 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 335 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 336 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 337 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_kptr_xchg), 338 BPF_EXIT_INSN(), 339 }, 340 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 341 .fixup_map_kptr = { 1 }, 342 .result = REJECT, 343 .errstr = "invalid kptr access, R2 type=ptr_prog_test_ref_kfunc expected=ptr_prog_test_member", 344 }, 345 { 346 "map_kptr: ref: reference state created and released on xchg", 347 .insns = { 348 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 349 BPF_LD_MAP_FD(BPF_REG_6, 0), 350 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 351 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 352 BPF_MOV64_IMM(BPF_REG_0, 0), 353 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 354 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 355 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 356 BPF_EXIT_INSN(), 357 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 358 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), 359 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 360 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 361 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0), 362 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0), 363 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 364 BPF_EXIT_INSN(), 365 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), 366 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 367 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_kptr_xchg), 368 BPF_MOV64_IMM(BPF_REG_0, 0), 369 BPF_EXIT_INSN(), 370 }, 371 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 372 .fixup_map_kptr = { 1 }, 373 .result = REJECT, 374 .errstr = "Unreleased reference id=5 alloc_insn=20", 375 .fixup_kfunc_btf_id = { 376 { "bpf_kfunc_call_test_acquire", 15 }, 377 } 378 }, 379 { 380 "map_kptr: ref: reject STX", 381 .insns = { 382 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 383 BPF_LD_MAP_FD(BPF_REG_6, 0), 384 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 385 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 386 BPF_MOV64_IMM(BPF_REG_0, 0), 387 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 388 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 389 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 390 BPF_EXIT_INSN(), 391 BPF_MOV64_REG(BPF_REG_1, 0), 392 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8), 393 BPF_EXIT_INSN(), 394 }, 395 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 396 .fixup_map_kptr = { 1 }, 397 .result = REJECT, 398 .errstr = "store to referenced kptr disallowed", 399 }, 400 { 401 "map_kptr: ref: reject ST", 402 .insns = { 403 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 404 BPF_LD_MAP_FD(BPF_REG_6, 0), 405 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 406 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 407 BPF_MOV64_IMM(BPF_REG_0, 0), 408 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 409 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 410 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 411 BPF_EXIT_INSN(), 412 BPF_ST_MEM(BPF_DW, BPF_REG_0, 8, 0), 413 BPF_EXIT_INSN(), 414 }, 415 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 416 .fixup_map_kptr = { 1 }, 417 .result = REJECT, 418 .errstr = "store to referenced kptr disallowed", 419 }, 420 { 421 "map_kptr: reject helper access to kptr", 422 .insns = { 423 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 424 BPF_LD_MAP_FD(BPF_REG_6, 0), 425 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 426 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 427 BPF_MOV64_IMM(BPF_REG_0, 0), 428 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 429 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 430 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 431 BPF_EXIT_INSN(), 432 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 433 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2), 434 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 435 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_delete_elem), 436 BPF_EXIT_INSN(), 437 }, 438 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 439 .fixup_map_kptr = { 1 }, 440 .result = REJECT, 441 .errstr = "kptr cannot be accessed indirectly by helper", 442 }, 443