projects / linux-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
selftests/bpf: Add test cases to test narrower ctx field loads
[linux-block.git] / tools / testing / selftests / bpf / test_verifier.c
CommitLineData
3c731eba
AS		 1/*
2 * Testsuite for eBPF verifier
3 *
4 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of version 2 of the GNU General Public
8 * License as published by the Free Software Foundation.
9 */
5aa5bd14 10
1da8ac7c
AS		 11#include <asm/types.h>
12#include <linux/types.h>
702498a1 13#include <stdint.h>
3c731eba 14#include <stdio.h>
702498a1 15#include <stdlib.h>
3c731eba 16#include <unistd.h>
3c731eba 17#include <errno.h>
3c731eba 18#include <string.h>
614cd3bd 19#include <stddef.h>
bf508877 20#include <stdbool.h>
5aa5bd14
DB		 21#include <sched.h>
22
d02d8986 23#include <sys/capability.h>
bf508877 24#include <sys/resource.h>
3c731eba 25
5aa5bd14
DB		 26#include <linux/unistd.h>
27#include <linux/filter.h>
28#include <linux/bpf_perf_event.h>
29#include <linux/bpf.h>
30
2ee89fb9
MS		 31#include <bpf/bpf.h>
32
02ea80b1
DB		 33#ifdef HAVE_GENHDR
34# include "autoconf.h"
35#else
36# if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
37# define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
38# endif
39#endif
40
5aa5bd14
DB		 41#include "../../../include/linux/filter.h"
42
5aa5bd14
DB		 43#ifndef ARRAY_SIZE
44# define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
45#endif
3c731eba 46
5aa5bd14
DB		 47#define MAX_INSNS 512
48#define MAX_FIXUPS 8
fb30d4b7 49#define MAX_NR_MAPS 4
bf508877 50
02ea80b1 51#define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS (1 << 0)
614d0d77 52#define F_LOAD_WITH_STRICT_ALIGNMENT (1 << 1)
02ea80b1 53
3c731eba
AS		 54struct bpf_test {
55 const char *descr;
56 struct bpf_insn insns[MAX_INSNS];
5aa5bd14
DB		 57 int fixup_map1[MAX_FIXUPS];
58 int fixup_map2[MAX_FIXUPS];
59 int fixup_prog[MAX_FIXUPS];
fb30d4b7 60 int fixup_map_in_map[MAX_FIXUPS];
3c731eba 61 const char *errstr;
bf508877 62 const char *errstr_unpriv;
3c731eba 63 enum {
bf508877 64 UNDEF,
3c731eba
AS		 65 ACCEPT,
66 REJECT
bf508877 67 } result, result_unpriv;
d691f9e8 68 enum bpf_prog_type prog_type;
02ea80b1 69 uint8_t flags;
3c731eba
AS		 70};
71
48461135
JB		 72/* Note we want this to be 64 bit aligned so that the end of our array is
73 * actually the end of the structure.
74 */
75#define MAX_ENTRIES 11
5aa5bd14 76
48461135 77struct test_val {
5aa5bd14 78 unsigned int index;
48461135
JB		 79 int foo[MAX_ENTRIES];
80};
81
3c731eba
AS		 82static struct bpf_test tests[] = {
83 {
84 "add+sub+mul",
85 .insns = {
86 BPF_MOV64_IMM(BPF_REG_1, 1),
87 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
88 BPF_MOV64_IMM(BPF_REG_2, 3),
89 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
90 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
91 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
92 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
93 BPF_EXIT_INSN(),
94 },
95 .result = ACCEPT,
96 },
97 {
98 "unreachable",
99 .insns = {
100 BPF_EXIT_INSN(),
101 BPF_EXIT_INSN(),
102 },
103 .errstr = "unreachable",
104 .result = REJECT,
105 },
106 {
107 "unreachable2",
108 .insns = {
109 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
110 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
111 BPF_EXIT_INSN(),
112 },
113 .errstr = "unreachable",
114 .result = REJECT,
115 },
116 {
117 "out of range jump",
118 .insns = {
119 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
120 BPF_EXIT_INSN(),
121 },
122 .errstr = "jump out of range",
123 .result = REJECT,
124 },
125 {
126 "out of range jump2",
127 .insns = {
128 BPF_JMP_IMM(BPF_JA, 0, 0, -2),
129 BPF_EXIT_INSN(),
130 },
131 .errstr = "jump out of range",
132 .result = REJECT,
133 },
134 {
135 "test1 ld_imm64",
136 .insns = {
137 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
138 BPF_LD_IMM64(BPF_REG_0, 0),
139 BPF_LD_IMM64(BPF_REG_0, 0),
140 BPF_LD_IMM64(BPF_REG_0, 1),
141 BPF_LD_IMM64(BPF_REG_0, 1),
142 BPF_MOV64_IMM(BPF_REG_0, 2),
143 BPF_EXIT_INSN(),
144 },
145 .errstr = "invalid BPF_LD_IMM insn",
bf508877 146 .errstr_unpriv = "R1 pointer comparison",
3c731eba
AS		 147 .result = REJECT,
148 },
149 {
150 "test2 ld_imm64",
151 .insns = {
152 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
153 BPF_LD_IMM64(BPF_REG_0, 0),
154 BPF_LD_IMM64(BPF_REG_0, 0),
155 BPF_LD_IMM64(BPF_REG_0, 1),
156 BPF_LD_IMM64(BPF_REG_0, 1),
157 BPF_EXIT_INSN(),
158 },
159 .errstr = "invalid BPF_LD_IMM insn",
bf508877 160 .errstr_unpriv = "R1 pointer comparison",
3c731eba
AS		 161 .result = REJECT,
162 },
163 {
164 "test3 ld_imm64",
165 .insns = {
166 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
167 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
168 BPF_LD_IMM64(BPF_REG_0, 0),
169 BPF_LD_IMM64(BPF_REG_0, 0),
170 BPF_LD_IMM64(BPF_REG_0, 1),
171 BPF_LD_IMM64(BPF_REG_0, 1),
172 BPF_EXIT_INSN(),
173 },
174 .errstr = "invalid bpf_ld_imm64 insn",
175 .result = REJECT,
176 },
177 {
178 "test4 ld_imm64",
179 .insns = {
180 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
181 BPF_EXIT_INSN(),
182 },
183 .errstr = "invalid bpf_ld_imm64 insn",
184 .result = REJECT,
185 },
186 {
187 "test5 ld_imm64",
188 .insns = {
189 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
190 },
191 .errstr = "invalid bpf_ld_imm64 insn",
192 .result = REJECT,
193 },
728a853a
DB		 194 {
195 "test6 ld_imm64",
196 .insns = {
197 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
198 BPF_RAW_INSN(0, 0, 0, 0, 0),
199 BPF_EXIT_INSN(),
200 },
201 .result = ACCEPT,
202 },
203 {
204 "test7 ld_imm64",
205 .insns = {
206 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
207 BPF_RAW_INSN(0, 0, 0, 0, 1),
208 BPF_EXIT_INSN(),
209 },
210 .result = ACCEPT,
211 },
212 {
213 "test8 ld_imm64",
214 .insns = {
215 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
216 BPF_RAW_INSN(0, 0, 0, 0, 1),
217 BPF_EXIT_INSN(),
218 },
219 .errstr = "uses reserved fields",
220 .result = REJECT,
221 },
222 {
223 "test9 ld_imm64",
224 .insns = {
225 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
226 BPF_RAW_INSN(0, 0, 0, 1, 1),
227 BPF_EXIT_INSN(),
228 },
229 .errstr = "invalid bpf_ld_imm64 insn",
230 .result = REJECT,
231 },
232 {
233 "test10 ld_imm64",
234 .insns = {
235 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
236 BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
237 BPF_EXIT_INSN(),
238 },
239 .errstr = "invalid bpf_ld_imm64 insn",
240 .result = REJECT,
241 },
242 {
243 "test11 ld_imm64",
244 .insns = {
245 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
246 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
247 BPF_EXIT_INSN(),
248 },
249 .errstr = "invalid bpf_ld_imm64 insn",
250 .result = REJECT,
251 },
252 {
253 "test12 ld_imm64",
254 .insns = {
255 BPF_MOV64_IMM(BPF_REG_1, 0),
256 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
257 BPF_RAW_INSN(0, 0, 0, 0, 1),
258 BPF_EXIT_INSN(),
259 },
260 .errstr = "not pointing to valid bpf_map",
261 .result = REJECT,
262 },
263 {
264 "test13 ld_imm64",
265 .insns = {
266 BPF_MOV64_IMM(BPF_REG_1, 0),
267 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
268 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
269 BPF_EXIT_INSN(),
270 },
271 .errstr = "invalid bpf_ld_imm64 insn",
272 .result = REJECT,
273 },
3c731eba
AS		 274 {
275 "no bpf_exit",
276 .insns = {
277 BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
278 },
279 .errstr = "jump out of range",
280 .result = REJECT,
281 },
282 {
283 "loop (back-edge)",
284 .insns = {
285 BPF_JMP_IMM(BPF_JA, 0, 0, -1),
286 BPF_EXIT_INSN(),
287 },
288 .errstr = "back-edge",
289 .result = REJECT,
290 },
291 {
292 "loop2 (back-edge)",
293 .insns = {
294 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
295 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
296 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
297 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
298 BPF_EXIT_INSN(),
299 },
300 .errstr = "back-edge",
301 .result = REJECT,
302 },
303 {
304 "conditional loop",
305 .insns = {
306 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
307 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
308 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
309 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
310 BPF_EXIT_INSN(),
311 },
312 .errstr = "back-edge",
313 .result = REJECT,
314 },
315 {
316 "read uninitialized register",
317 .insns = {
318 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
319 BPF_EXIT_INSN(),
320 },
321 .errstr = "R2 !read_ok",
322 .result = REJECT,
323 },
324 {
325 "read invalid register",
326 .insns = {
327 BPF_MOV64_REG(BPF_REG_0, -1),
328 BPF_EXIT_INSN(),
329 },
330 .errstr = "R15 is invalid",
331 .result = REJECT,
332 },
333 {
334 "program doesn't init R0 before exit",
335 .insns = {
336 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
337 BPF_EXIT_INSN(),
338 },
339 .errstr = "R0 !read_ok",
340 .result = REJECT,
341 },
32bf08a6
AS		 342 {
343 "program doesn't init R0 before exit in all branches",
344 .insns = {
345 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
346 BPF_MOV64_IMM(BPF_REG_0, 1),
347 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
348 BPF_EXIT_INSN(),
349 },
350 .errstr = "R0 !read_ok",
bf508877 351 .errstr_unpriv = "R1 pointer comparison",
32bf08a6
AS		 352 .result = REJECT,
353 },
3c731eba
AS		 354 {
355 "stack out of bounds",
356 .insns = {
357 BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
358 BPF_EXIT_INSN(),
359 },
360 .errstr = "invalid stack",
361 .result = REJECT,
362 },
363 {
364 "invalid call insn1",
365 .insns = {
366 BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
367 BPF_EXIT_INSN(),
368 },
369 .errstr = "BPF_CALL uses reserved",
370 .result = REJECT,
371 },
372 {
373 "invalid call insn2",
374 .insns = {
375 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
376 BPF_EXIT_INSN(),
377 },
378 .errstr = "BPF_CALL uses reserved",
379 .result = REJECT,
380 },
381 {
382 "invalid function call",
383 .insns = {
384 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
385 BPF_EXIT_INSN(),
386 },
e00c7b21 387 .errstr = "invalid func unknown#1234567",
3c731eba
AS		 388 .result = REJECT,
389 },
390 {
391 "uninitialized stack1",
392 .insns = {
393 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
394 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
395 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 396 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
397 BPF_FUNC_map_lookup_elem),
3c731eba
AS		 398 BPF_EXIT_INSN(),
399 },
5aa5bd14 400 .fixup_map1 = { 2 },
3c731eba
AS		 401 .errstr = "invalid indirect read from stack",
402 .result = REJECT,
403 },
404 {
405 "uninitialized stack2",
406 .insns = {
407 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
408 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
409 BPF_EXIT_INSN(),
410 },
411 .errstr = "invalid read from stack",
412 .result = REJECT,
413 },
728a853a
DB		 414 {
415 "invalid fp arithmetic",
416 /* If this gets ever changed, make sure JITs can deal with it. */
417 .insns = {
418 BPF_MOV64_IMM(BPF_REG_0, 0),
419 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
420 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
421 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
422 BPF_EXIT_INSN(),
423 },
424 .errstr_unpriv = "R1 pointer arithmetic",
425 .result_unpriv = REJECT,
426 .errstr = "R1 invalid mem access",
427 .result = REJECT,
428 },
429 {
430 "non-invalid fp arithmetic",
431 .insns = {
432 BPF_MOV64_IMM(BPF_REG_0, 0),
433 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
434 BPF_EXIT_INSN(),
435 },
436 .result = ACCEPT,
437 },
7d95b0ab
DB		 438 {
439 "invalid argument register",
440 .insns = {
5aa5bd14
DB		 441 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
442 BPF_FUNC_get_cgroup_classid),
443 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
444 BPF_FUNC_get_cgroup_classid),
7d95b0ab
DB		 445 BPF_EXIT_INSN(),
446 },
447 .errstr = "R1 !read_ok",
448 .result = REJECT,
449 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
450 },
451 {
452 "non-invalid argument register",
453 .insns = {
454 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
5aa5bd14
DB		 455 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
456 BPF_FUNC_get_cgroup_classid),
7d95b0ab 457 BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
5aa5bd14
DB		 458 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
459 BPF_FUNC_get_cgroup_classid),
7d95b0ab
DB		 460 BPF_EXIT_INSN(),
461 },
462 .result = ACCEPT,
463 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
464 },
3c731eba
AS		 465 {
466 "check valid spill/fill",
467 .insns = {
468 /* spill R1(ctx) into stack */
469 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3c731eba
AS		 470 /* fill it back into R2 */
471 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
3c731eba 472 /* should be able to access R0 = *(R2 + 8) */
f91fe17e
DB		 473 /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
474 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3c731eba
AS		 475 BPF_EXIT_INSN(),
476 },
bf508877 477 .errstr_unpriv = "R0 leaks addr",
3c731eba 478 .result = ACCEPT,
bf508877 479 .result_unpriv = REJECT,
3c731eba 480 },
3f2050e2
DB		 481 {
482 "check valid spill/fill, skb mark",
483 .insns = {
484 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
485 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
486 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
487 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
488 offsetof(struct __sk_buff, mark)),
489 BPF_EXIT_INSN(),
490 },
491 .result = ACCEPT,
492 .result_unpriv = ACCEPT,
493 },
3c731eba
AS		 494 {
495 "check corrupted spill/fill",
496 .insns = {
497 /* spill R1(ctx) into stack */
498 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3c731eba
AS		 499 /* mess up with R1 pointer on stack */
500 BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
3c731eba
AS		 501 /* fill back into R0 should fail */
502 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3c731eba
AS		 503 BPF_EXIT_INSN(),
504 },
bf508877 505 .errstr_unpriv = "attempt to corrupt spilled",
3c731eba
AS		 506 .errstr = "corrupted spill",
507 .result = REJECT,
508 },
509 {
510 "invalid src register in STX",
511 .insns = {
512 BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
513 BPF_EXIT_INSN(),
514 },
515 .errstr = "R15 is invalid",
516 .result = REJECT,
517 },
518 {
519 "invalid dst register in STX",
520 .insns = {
521 BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
522 BPF_EXIT_INSN(),
523 },
524 .errstr = "R14 is invalid",
525 .result = REJECT,
526 },
527 {
528 "invalid dst register in ST",
529 .insns = {
530 BPF_ST_MEM(BPF_B, 14, -1, -1),
531 BPF_EXIT_INSN(),
532 },
533 .errstr = "R14 is invalid",
534 .result = REJECT,
535 },
536 {
537 "invalid src register in LDX",
538 .insns = {
539 BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
540 BPF_EXIT_INSN(),
541 },
542 .errstr = "R12 is invalid",
543 .result = REJECT,
544 },
545 {
546 "invalid dst register in LDX",
547 .insns = {
548 BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
549 BPF_EXIT_INSN(),
550 },
551 .errstr = "R11 is invalid",
552 .result = REJECT,
553 },
554 {
555 "junk insn",
556 .insns = {
557 BPF_RAW_INSN(0, 0, 0, 0, 0),
558 BPF_EXIT_INSN(),
559 },
560 .errstr = "invalid BPF_LD_IMM",
561 .result = REJECT,
562 },
563 {
564 "junk insn2",
565 .insns = {
566 BPF_RAW_INSN(1, 0, 0, 0, 0),
567 BPF_EXIT_INSN(),
568 },
569 .errstr = "BPF_LDX uses reserved fields",
570 .result = REJECT,
571 },
572 {
573 "junk insn3",
574 .insns = {
575 BPF_RAW_INSN(-1, 0, 0, 0, 0),
576 BPF_EXIT_INSN(),
577 },
578 .errstr = "invalid BPF_ALU opcode f0",
579 .result = REJECT,
580 },
581 {
582 "junk insn4",
583 .insns = {
584 BPF_RAW_INSN(-1, -1, -1, -1, -1),
585 BPF_EXIT_INSN(),
586 },
587 .errstr = "invalid BPF_ALU opcode f0",
588 .result = REJECT,
589 },
590 {
591 "junk insn5",
592 .insns = {
593 BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
594 BPF_EXIT_INSN(),
595 },
596 .errstr = "BPF_ALU uses reserved fields",
597 .result = REJECT,
598 },
599 {
600 "misaligned read from stack",
601 .insns = {
602 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
603 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
604 BPF_EXIT_INSN(),
605 },
606 .errstr = "misaligned access",
607 .result = REJECT,
608 },
609 {
610 "invalid map_fd for function call",
611 .insns = {
612 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
613 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
614 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
615 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 616 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
617 BPF_FUNC_map_delete_elem),
3c731eba
AS		 618 BPF_EXIT_INSN(),
619 },
620 .errstr = "fd 0 is not pointing to valid bpf_map",
621 .result = REJECT,
622 },
623 {
624 "don't check return value before access",
625 .insns = {
626 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
627 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
628 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
629 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 630 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
631 BPF_FUNC_map_lookup_elem),
3c731eba
AS		 632 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
633 BPF_EXIT_INSN(),
634 },
5aa5bd14 635 .fixup_map1 = { 3 },
3c731eba
AS		 636 .errstr = "R0 invalid mem access 'map_value_or_null'",
637 .result = REJECT,
638 },
639 {
640 "access memory with incorrect alignment",
641 .insns = {
642 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
643 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
644 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
645 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 646 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
647 BPF_FUNC_map_lookup_elem),
3c731eba
AS		 648 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
649 BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
650 BPF_EXIT_INSN(),
651 },
5aa5bd14 652 .fixup_map1 = { 3 },
3c731eba
AS		 653 .errstr = "misaligned access",
654 .result = REJECT,
655 },
656 {
657 "sometimes access memory with incorrect alignment",
658 .insns = {
659 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
660 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
661 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
662 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 663 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
664 BPF_FUNC_map_lookup_elem),
3c731eba
AS		 665 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
666 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
667 BPF_EXIT_INSN(),
668 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
669 BPF_EXIT_INSN(),
670 },
5aa5bd14 671 .fixup_map1 = { 3 },
3c731eba 672 .errstr = "R0 invalid mem access",
bf508877 673 .errstr_unpriv = "R0 leaks addr",
3c731eba
AS		 674 .result = REJECT,
675 },
fd10c2ef
AS		 676 {
677 "jump test 1",
678 .insns = {
679 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
680 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
681 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
682 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
683 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
684 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
685 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
686 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
687 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
688 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
689 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
690 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
691 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
692 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
693 BPF_MOV64_IMM(BPF_REG_0, 0),
694 BPF_EXIT_INSN(),
695 },
bf508877
AS		 696 .errstr_unpriv = "R1 pointer comparison",
697 .result_unpriv = REJECT,
fd10c2ef
AS		 698 .result = ACCEPT,
699 },
700 {
701 "jump test 2",
702 .insns = {
703 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
704 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
705 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
706 BPF_JMP_IMM(BPF_JA, 0, 0, 14),
707 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
708 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
709 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
710 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
711 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
712 BPF_JMP_IMM(BPF_JA, 0, 0, 8),
713 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
714 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
715 BPF_JMP_IMM(BPF_JA, 0, 0, 5),
716 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
717 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
718 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
719 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
720 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
721 BPF_MOV64_IMM(BPF_REG_0, 0),
722 BPF_EXIT_INSN(),
723 },
bf508877
AS		 724 .errstr_unpriv = "R1 pointer comparison",
725 .result_unpriv = REJECT,
fd10c2ef
AS		 726 .result = ACCEPT,
727 },
728 {
729 "jump test 3",
730 .insns = {
731 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
732 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
733 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
734 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
735 BPF_JMP_IMM(BPF_JA, 0, 0, 19),
736 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
737 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
738 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
739 BPF_JMP_IMM(BPF_JA, 0, 0, 15),
740 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
741 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
742 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
743 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
744 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
745 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
746 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
747 BPF_JMP_IMM(BPF_JA, 0, 0, 7),
748 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
749 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
750 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
751 BPF_JMP_IMM(BPF_JA, 0, 0, 3),
752 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
753 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
754 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
755 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 756 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
757 BPF_FUNC_map_delete_elem),
fd10c2ef
AS		 758 BPF_EXIT_INSN(),
759 },
5aa5bd14 760 .fixup_map1 = { 24 },
bf508877
AS		 761 .errstr_unpriv = "R1 pointer comparison",
762 .result_unpriv = REJECT,
fd10c2ef
AS		 763 .result = ACCEPT,
764 },
765 {
766 "jump test 4",
767 .insns = {
768 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
769 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
770 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
771 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
772 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
773 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
774 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
775 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
776 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
777 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
778 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
779 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
780 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
781 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
782 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
783 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
784 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
785 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
786 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
787 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
788 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
789 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
790 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
791 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
792 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
793 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
794 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
795 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
796 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
797 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
798 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
799 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
800 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
801 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
802 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
803 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
804 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
805 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
806 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
807 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
808 BPF_MOV64_IMM(BPF_REG_0, 0),
809 BPF_EXIT_INSN(),
810 },
bf508877
AS		 811 .errstr_unpriv = "R1 pointer comparison",
812 .result_unpriv = REJECT,
fd10c2ef
AS		 813 .result = ACCEPT,
814 },
342ded40
AS		 815 {
816 "jump test 5",
817 .insns = {
818 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
819 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
820 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
821 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
822 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
823 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
824 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
825 BPF_MOV64_IMM(BPF_REG_0, 0),
826 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
827 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
828 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
829 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
830 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
831 BPF_MOV64_IMM(BPF_REG_0, 0),
832 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
833 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
834 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
835 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
836 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
837 BPF_MOV64_IMM(BPF_REG_0, 0),
838 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
839 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
840 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
841 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
842 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
843 BPF_MOV64_IMM(BPF_REG_0, 0),
844 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
845 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
846 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
847 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
848 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
849 BPF_MOV64_IMM(BPF_REG_0, 0),
850 BPF_EXIT_INSN(),
851 },
bf508877
AS		 852 .errstr_unpriv = "R1 pointer comparison",
853 .result_unpriv = REJECT,
342ded40
AS		 854 .result = ACCEPT,
855 },
614cd3bd
AS		 856 {
857 "access skb fields ok",
858 .insns = {
859 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
860 offsetof(struct __sk_buff, len)),
861 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
862 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
863 offsetof(struct __sk_buff, mark)),
864 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
865 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
866 offsetof(struct __sk_buff, pkt_type)),
867 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
868 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
869 offsetof(struct __sk_buff, queue_mapping)),
870 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
c2497395
AS		 871 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
872 offsetof(struct __sk_buff, protocol)),
873 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
874 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
875 offsetof(struct __sk_buff, vlan_present)),
876 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
877 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
878 offsetof(struct __sk_buff, vlan_tci)),
879 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
b1d9fc41
DB		 880 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
881 offsetof(struct __sk_buff, napi_id)),
882 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
614cd3bd
AS		 883 BPF_EXIT_INSN(),
884 },
885 .result = ACCEPT,
886 },
887 {
888 "access skb fields bad1",
889 .insns = {
890 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
891 BPF_EXIT_INSN(),
892 },
893 .errstr = "invalid bpf_context access",
894 .result = REJECT,
895 },
896 {
897 "access skb fields bad2",
898 .insns = {
899 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
900 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
901 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
902 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
903 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 904 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
905 BPF_FUNC_map_lookup_elem),
614cd3bd
AS		 906 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
907 BPF_EXIT_INSN(),
908 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
909 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
910 offsetof(struct __sk_buff, pkt_type)),
911 BPF_EXIT_INSN(),
912 },
5aa5bd14 913 .fixup_map1 = { 4 },
614cd3bd 914 .errstr = "different pointers",
bf508877 915 .errstr_unpriv = "R1 pointer comparison",
614cd3bd
AS		 916 .result = REJECT,
917 },
918 {
919 "access skb fields bad3",
920 .insns = {
921 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
922 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
923 offsetof(struct __sk_buff, pkt_type)),
924 BPF_EXIT_INSN(),
925 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
926 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
927 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
928 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 929 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
930 BPF_FUNC_map_lookup_elem),
614cd3bd
AS		 931 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
932 BPF_EXIT_INSN(),
933 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
934 BPF_JMP_IMM(BPF_JA, 0, 0, -12),
935 },
5aa5bd14 936 .fixup_map1 = { 6 },
614cd3bd 937 .errstr = "different pointers",
bf508877 938 .errstr_unpriv = "R1 pointer comparison",
614cd3bd
AS		 939 .result = REJECT,
940 },
725f9dcd
AS		 941 {
942 "access skb fields bad4",
943 .insns = {
944 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
945 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
946 offsetof(struct __sk_buff, len)),
947 BPF_MOV64_IMM(BPF_REG_0, 0),
948 BPF_EXIT_INSN(),
949 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
950 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
951 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
952 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 953 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
954 BPF_FUNC_map_lookup_elem),
725f9dcd
AS		 955 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
956 BPF_EXIT_INSN(),
957 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
958 BPF_JMP_IMM(BPF_JA, 0, 0, -13),
959 },
5aa5bd14 960 .fixup_map1 = { 7 },
725f9dcd 961 .errstr = "different pointers",
bf508877 962 .errstr_unpriv = "R1 pointer comparison",
725f9dcd
AS		 963 .result = REJECT,
964 },
d691f9e8
AS		 965 {
966 "check skb->mark is not writeable by sockets",
967 .insns = {
968 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
969 offsetof(struct __sk_buff, mark)),
970 BPF_EXIT_INSN(),
971 },
972 .errstr = "invalid bpf_context access",
bf508877 973 .errstr_unpriv = "R1 leaks addr",
d691f9e8
AS		 974 .result = REJECT,
975 },
976 {
977 "check skb->tc_index is not writeable by sockets",
978 .insns = {
979 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
980 offsetof(struct __sk_buff, tc_index)),
981 BPF_EXIT_INSN(),
982 },
983 .errstr = "invalid bpf_context access",
bf508877 984 .errstr_unpriv = "R1 leaks addr",
d691f9e8
AS		 985 .result = REJECT,
986 },
987 {
62c7989b 988 "check cb access: byte",
d691f9e8 989 .insns = {
62c7989b
DB		 990 BPF_MOV64_IMM(BPF_REG_0, 0),
991 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
992 offsetof(struct __sk_buff, cb[0])),
993 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
994 offsetof(struct __sk_buff, cb[0]) + 1),
995 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
996 offsetof(struct __sk_buff, cb[0]) + 2),
997 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
998 offsetof(struct __sk_buff, cb[0]) + 3),
999 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1000 offsetof(struct __sk_buff, cb[1])),
1001 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1002 offsetof(struct __sk_buff, cb[1]) + 1),
1003 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1004 offsetof(struct __sk_buff, cb[1]) + 2),
1005 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1006 offsetof(struct __sk_buff, cb[1]) + 3),
1007 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1008 offsetof(struct __sk_buff, cb[2])),
1009 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1010 offsetof(struct __sk_buff, cb[2]) + 1),
1011 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1012 offsetof(struct __sk_buff, cb[2]) + 2),
1013 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1014 offsetof(struct __sk_buff, cb[2]) + 3),
1015 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1016 offsetof(struct __sk_buff, cb[3])),
1017 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1018 offsetof(struct __sk_buff, cb[3]) + 1),
1019 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1020 offsetof(struct __sk_buff, cb[3]) + 2),
1021 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1022 offsetof(struct __sk_buff, cb[3]) + 3),
1023 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1024 offsetof(struct __sk_buff, cb[4])),
1025 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1026 offsetof(struct __sk_buff, cb[4]) + 1),
1027 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1028 offsetof(struct __sk_buff, cb[4]) + 2),
1029 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1030 offsetof(struct __sk_buff, cb[4]) + 3),
1031 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1032 offsetof(struct __sk_buff, cb[0])),
1033 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1034 offsetof(struct __sk_buff, cb[0]) + 1),
1035 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1036 offsetof(struct __sk_buff, cb[0]) + 2),
1037 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1038 offsetof(struct __sk_buff, cb[0]) + 3),
1039 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1040 offsetof(struct __sk_buff, cb[1])),
1041 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1042 offsetof(struct __sk_buff, cb[1]) + 1),
1043 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1044 offsetof(struct __sk_buff, cb[1]) + 2),
1045 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1046 offsetof(struct __sk_buff, cb[1]) + 3),
1047 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1048 offsetof(struct __sk_buff, cb[2])),
1049 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1050 offsetof(struct __sk_buff, cb[2]) + 1),
1051 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1052 offsetof(struct __sk_buff, cb[2]) + 2),
1053 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1054 offsetof(struct __sk_buff, cb[2]) + 3),
1055 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1056 offsetof(struct __sk_buff, cb[3])),
1057 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1058 offsetof(struct __sk_buff, cb[3]) + 1),
1059 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1060 offsetof(struct __sk_buff, cb[3]) + 2),
1061 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1062 offsetof(struct __sk_buff, cb[3]) + 3),
1063 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1064 offsetof(struct __sk_buff, cb[4])),
1065 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1066 offsetof(struct __sk_buff, cb[4]) + 1),
1067 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1068 offsetof(struct __sk_buff, cb[4]) + 2),
1069 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1070 offsetof(struct __sk_buff, cb[4]) + 3),
1071 BPF_EXIT_INSN(),
1072 },
1073 .result = ACCEPT,
1074 },
1075 {
31fd8581 1076 "__sk_buff->hash, offset 0, byte store not permitted",
62c7989b
DB		 1077 .insns = {
1078 BPF_MOV64_IMM(BPF_REG_0, 0),
1079 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
31fd8581 1080 offsetof(struct __sk_buff, hash)),
62c7989b
DB		 1081 BPF_EXIT_INSN(),
1082 },
1083 .errstr = "invalid bpf_context access",
1084 .result = REJECT,
1085 },
1086 {
31fd8581 1087 "__sk_buff->tc_index, offset 3, byte store not permitted",
62c7989b
DB		 1088 .insns = {
1089 BPF_MOV64_IMM(BPF_REG_0, 0),
1090 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
31fd8581 1091 offsetof(struct __sk_buff, tc_index) + 3),
62c7989b
DB		 1092 BPF_EXIT_INSN(),
1093 },
1094 .errstr = "invalid bpf_context access",
1095 .result = REJECT,
1096 },
18f3d6be
YS		 1097 {
1098 "check skb->hash byte load permitted",
1099 .insns = {
1100 BPF_MOV64_IMM(BPF_REG_0, 0),
1101#ifdef __LITTLE_ENDIAN
1102 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1103 offsetof(struct __sk_buff, hash)),
1104#else
1105 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1106 offsetof(struct __sk_buff, hash) + 3),
1107#endif
1108 BPF_EXIT_INSN(),
1109 },
1110 .result = ACCEPT,
1111 },
1112 {
1113 "check skb->hash byte load not permitted 1",
1114 .insns = {
1115 BPF_MOV64_IMM(BPF_REG_0, 0),
1116 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1117 offsetof(struct __sk_buff, hash) + 1),
1118 BPF_EXIT_INSN(),
1119 },
1120 .errstr = "invalid bpf_context access",
1121 .result = REJECT,
1122 },
1123 {
1124 "check skb->hash byte load not permitted 2",
1125 .insns = {
1126 BPF_MOV64_IMM(BPF_REG_0, 0),
1127 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1128 offsetof(struct __sk_buff, hash) + 2),
1129 BPF_EXIT_INSN(),
1130 },
1131 .errstr = "invalid bpf_context access",
1132 .result = REJECT,
1133 },
1134 {
1135 "check skb->hash byte load not permitted 3",
1136 .insns = {
1137 BPF_MOV64_IMM(BPF_REG_0, 0),
1138#ifdef __LITTLE_ENDIAN
1139 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1140 offsetof(struct __sk_buff, hash) + 3),
1141#else
1142 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1143 offsetof(struct __sk_buff, hash)),
1144#endif
1145 BPF_EXIT_INSN(),
1146 },
1147 .errstr = "invalid bpf_context access",
1148 .result = REJECT,
1149 },
62c7989b
DB		 1150 {
1151 "check cb access: byte, wrong type",
1152 .insns = {
1153 BPF_MOV64_IMM(BPF_REG_0, 0),
1154 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1155 offsetof(struct __sk_buff, cb[0])),
1156 BPF_EXIT_INSN(),
1157 },
1158 .errstr = "invalid bpf_context access",
1159 .result = REJECT,
1160 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1161 },
1162 {
1163 "check cb access: half",
1164 .insns = {
1165 BPF_MOV64_IMM(BPF_REG_0, 0),
1166 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1167 offsetof(struct __sk_buff, cb[0])),
1168 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1169 offsetof(struct __sk_buff, cb[0]) + 2),
1170 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1171 offsetof(struct __sk_buff, cb[1])),
1172 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1173 offsetof(struct __sk_buff, cb[1]) + 2),
1174 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1175 offsetof(struct __sk_buff, cb[2])),
1176 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1177 offsetof(struct __sk_buff, cb[2]) + 2),
1178 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1179 offsetof(struct __sk_buff, cb[3])),
1180 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1181 offsetof(struct __sk_buff, cb[3]) + 2),
1182 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1183 offsetof(struct __sk_buff, cb[4])),
1184 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1185 offsetof(struct __sk_buff, cb[4]) + 2),
1186 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1187 offsetof(struct __sk_buff, cb[0])),
1188 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1189 offsetof(struct __sk_buff, cb[0]) + 2),
1190 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1191 offsetof(struct __sk_buff, cb[1])),
1192 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1193 offsetof(struct __sk_buff, cb[1]) + 2),
1194 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1195 offsetof(struct __sk_buff, cb[2])),
1196 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1197 offsetof(struct __sk_buff, cb[2]) + 2),
1198 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1199 offsetof(struct __sk_buff, cb[3])),
1200 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1201 offsetof(struct __sk_buff, cb[3]) + 2),
1202 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1203 offsetof(struct __sk_buff, cb[4])),
1204 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1205 offsetof(struct __sk_buff, cb[4]) + 2),
1206 BPF_EXIT_INSN(),
1207 },
1208 .result = ACCEPT,
1209 },
1210 {
1211 "check cb access: half, unaligned",
1212 .insns = {
1213 BPF_MOV64_IMM(BPF_REG_0, 0),
1214 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1215 offsetof(struct __sk_buff, cb[0]) + 1),
1216 BPF_EXIT_INSN(),
1217 },
1218 .errstr = "misaligned access",
1219 .result = REJECT,
1220 },
1221 {
31fd8581 1222 "check __sk_buff->hash, offset 0, half store not permitted",
62c7989b
DB		 1223 .insns = {
1224 BPF_MOV64_IMM(BPF_REG_0, 0),
1225 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
31fd8581 1226 offsetof(struct __sk_buff, hash)),
62c7989b
DB		 1227 BPF_EXIT_INSN(),
1228 },
1229 .errstr = "invalid bpf_context access",
1230 .result = REJECT,
1231 },
1232 {
31fd8581 1233 "check __sk_buff->tc_index, offset 2, half store not permitted",
62c7989b
DB		 1234 .insns = {
1235 BPF_MOV64_IMM(BPF_REG_0, 0),
1236 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
31fd8581 1237 offsetof(struct __sk_buff, tc_index) + 2),
62c7989b
DB		 1238 BPF_EXIT_INSN(),
1239 },
1240 .errstr = "invalid bpf_context access",
1241 .result = REJECT,
1242 },
18f3d6be
YS		 1243 {
1244 "check skb->hash half load permitted",
1245 .insns = {
1246 BPF_MOV64_IMM(BPF_REG_0, 0),
1247#ifdef __LITTLE_ENDIAN
1248 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1249 offsetof(struct __sk_buff, hash)),
1250#else
1251 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1252 offsetof(struct __sk_buff, hash) + 2),
1253#endif
1254 BPF_EXIT_INSN(),
1255 },
1256 .result = ACCEPT,
1257 },
1258 {
1259 "check skb->hash half load not permitted",
1260 .insns = {
1261 BPF_MOV64_IMM(BPF_REG_0, 0),
1262#ifdef __LITTLE_ENDIAN
1263 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1264 offsetof(struct __sk_buff, hash) + 2),
1265#else
1266 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1267 offsetof(struct __sk_buff, hash)),
1268#endif
1269 BPF_EXIT_INSN(),
1270 },
1271 .errstr = "invalid bpf_context access",
1272 .result = REJECT,
1273 },
62c7989b
DB		 1274 {
1275 "check cb access: half, wrong type",
1276 .insns = {
1277 BPF_MOV64_IMM(BPF_REG_0, 0),
1278 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1279 offsetof(struct __sk_buff, cb[0])),
1280 BPF_EXIT_INSN(),
1281 },
1282 .errstr = "invalid bpf_context access",
1283 .result = REJECT,
1284 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1285 },
1286 {
1287 "check cb access: word",
1288 .insns = {
1289 BPF_MOV64_IMM(BPF_REG_0, 0),
1290 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1291 offsetof(struct __sk_buff, cb[0])),
1292 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1293 offsetof(struct __sk_buff, cb[1])),
1294 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1295 offsetof(struct __sk_buff, cb[2])),
1296 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1297 offsetof(struct __sk_buff, cb[3])),
1298 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1299 offsetof(struct __sk_buff, cb[4])),
1300 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1301 offsetof(struct __sk_buff, cb[0])),
1302 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1303 offsetof(struct __sk_buff, cb[1])),
1304 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1305 offsetof(struct __sk_buff, cb[2])),
1306 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1307 offsetof(struct __sk_buff, cb[3])),
1308 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1309 offsetof(struct __sk_buff, cb[4])),
1310 BPF_EXIT_INSN(),
1311 },
1312 .result = ACCEPT,
1313 },
1314 {
1315 "check cb access: word, unaligned 1",
1316 .insns = {
1317 BPF_MOV64_IMM(BPF_REG_0, 0),
1318 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1319 offsetof(struct __sk_buff, cb[0]) + 2),
1320 BPF_EXIT_INSN(),
1321 },
1322 .errstr = "misaligned access",
1323 .result = REJECT,
1324 },
1325 {
1326 "check cb access: word, unaligned 2",
1327 .insns = {
1328 BPF_MOV64_IMM(BPF_REG_0, 0),
1329 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1330 offsetof(struct __sk_buff, cb[4]) + 1),
1331 BPF_EXIT_INSN(),
1332 },
1333 .errstr = "misaligned access",
1334 .result = REJECT,
1335 },
1336 {
1337 "check cb access: word, unaligned 3",
1338 .insns = {
1339 BPF_MOV64_IMM(BPF_REG_0, 0),
1340 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1341 offsetof(struct __sk_buff, cb[4]) + 2),
1342 BPF_EXIT_INSN(),
1343 },
1344 .errstr = "misaligned access",
1345 .result = REJECT,
1346 },
1347 {
1348 "check cb access: word, unaligned 4",
1349 .insns = {
1350 BPF_MOV64_IMM(BPF_REG_0, 0),
1351 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1352 offsetof(struct __sk_buff, cb[4]) + 3),
1353 BPF_EXIT_INSN(),
1354 },
1355 .errstr = "misaligned access",
1356 .result = REJECT,
1357 },
1358 {
1359 "check cb access: double",
1360 .insns = {
1361 BPF_MOV64_IMM(BPF_REG_0, 0),
1362 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1363 offsetof(struct __sk_buff, cb[0])),
1364 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1365 offsetof(struct __sk_buff, cb[2])),
1366 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1367 offsetof(struct __sk_buff, cb[0])),
1368 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1369 offsetof(struct __sk_buff, cb[2])),
1370 BPF_EXIT_INSN(),
1371 },
1372 .result = ACCEPT,
1373 },
1374 {
1375 "check cb access: double, unaligned 1",
1376 .insns = {
1377 BPF_MOV64_IMM(BPF_REG_0, 0),
1378 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1379 offsetof(struct __sk_buff, cb[1])),
1380 BPF_EXIT_INSN(),
1381 },
1382 .errstr = "misaligned access",
1383 .result = REJECT,
1384 },
1385 {
1386 "check cb access: double, unaligned 2",
1387 .insns = {
1388 BPF_MOV64_IMM(BPF_REG_0, 0),
1389 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1390 offsetof(struct __sk_buff, cb[3])),
1391 BPF_EXIT_INSN(),
1392 },
1393 .errstr = "misaligned access",
1394 .result = REJECT,
1395 },
1396 {
1397 "check cb access: double, oob 1",
1398 .insns = {
1399 BPF_MOV64_IMM(BPF_REG_0, 0),
1400 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1401 offsetof(struct __sk_buff, cb[4])),
1402 BPF_EXIT_INSN(),
1403 },
1404 .errstr = "invalid bpf_context access",
1405 .result = REJECT,
1406 },
1407 {
1408 "check cb access: double, oob 2",
62c7989b
DB		 1409 .insns = {
1410 BPF_MOV64_IMM(BPF_REG_0, 0),
1411 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1412 offsetof(struct __sk_buff, cb[4])),
1413 BPF_EXIT_INSN(),
1414 },
1415 .errstr = "invalid bpf_context access",
1416 .result = REJECT,
1417 },
1418 {
31fd8581 1419 "check __sk_buff->ifindex dw store not permitted",
62c7989b
DB		 1420 .insns = {
1421 BPF_MOV64_IMM(BPF_REG_0, 0),
31fd8581
YS		 1422 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1423 offsetof(struct __sk_buff, ifindex)),
62c7989b
DB		 1424 BPF_EXIT_INSN(),
1425 },
1426 .errstr = "invalid bpf_context access",
1427 .result = REJECT,
1428 },
1429 {
31fd8581 1430 "check __sk_buff->ifindex dw load not permitted",
62c7989b
DB		 1431 .insns = {
1432 BPF_MOV64_IMM(BPF_REG_0, 0),
1433 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
31fd8581 1434 offsetof(struct __sk_buff, ifindex)),
62c7989b
DB		 1435 BPF_EXIT_INSN(),
1436 },
1437 .errstr = "invalid bpf_context access",
1438 .result = REJECT,
1439 },
1440 {
1441 "check cb access: double, wrong type",
1442 .insns = {
1443 BPF_MOV64_IMM(BPF_REG_0, 0),
1444 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
d691f9e8
AS		 1445 offsetof(struct __sk_buff, cb[0])),
1446 BPF_EXIT_INSN(),
1447 },
1448 .errstr = "invalid bpf_context access",
1449 .result = REJECT,
62c7989b 1450 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
d691f9e8
AS		 1451 },
1452 {
1453 "check out of range skb->cb access",
1454 .insns = {
1455 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
bf508877 1456 offsetof(struct __sk_buff, cb[0]) + 256),
d691f9e8
AS		 1457 BPF_EXIT_INSN(),
1458 },
1459 .errstr = "invalid bpf_context access",
bf508877 1460 .errstr_unpriv = "",
d691f9e8
AS		 1461 .result = REJECT,
1462 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
1463 },
1464 {
1465 "write skb fields from socket prog",
1466 .insns = {
1467 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1468 offsetof(struct __sk_buff, cb[4])),
1469 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1470 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1471 offsetof(struct __sk_buff, mark)),
1472 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1473 offsetof(struct __sk_buff, tc_index)),
1474 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1475 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1476 offsetof(struct __sk_buff, cb[0])),
1477 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1478 offsetof(struct __sk_buff, cb[2])),
1479 BPF_EXIT_INSN(),
1480 },
1481 .result = ACCEPT,
bf508877
AS		 1482 .errstr_unpriv = "R1 leaks addr",
1483 .result_unpriv = REJECT,
d691f9e8
AS		 1484 },
1485 {
1486 "write skb fields from tc_cls_act prog",
1487 .insns = {
1488 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1489 offsetof(struct __sk_buff, cb[0])),
1490 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1491 offsetof(struct __sk_buff, mark)),
1492 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1493 offsetof(struct __sk_buff, tc_index)),
1494 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1495 offsetof(struct __sk_buff, tc_index)),
1496 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1497 offsetof(struct __sk_buff, cb[3])),
1498 BPF_EXIT_INSN(),
1499 },
bf508877
AS		 1500 .errstr_unpriv = "",
1501 .result_unpriv = REJECT,
d691f9e8
AS		 1502 .result = ACCEPT,
1503 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1504 },
24b4d2ab
AG		 1505 {
1506 "PTR_TO_STACK store/load",
1507 .insns = {
1508 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1509 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
1510 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
1511 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
1512 BPF_EXIT_INSN(),
1513 },
1514 .result = ACCEPT,
1515 },
1516 {
1517 "PTR_TO_STACK store/load - bad alignment on off",
1518 .insns = {
1519 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1520 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1521 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
1522 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
1523 BPF_EXIT_INSN(),
1524 },
1525 .result = REJECT,
1526 .errstr = "misaligned access off -6 size 8",
1527 },
1528 {
1529 "PTR_TO_STACK store/load - bad alignment on reg",
1530 .insns = {
1531 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1532 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
1533 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1534 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1535 BPF_EXIT_INSN(),
1536 },
1537 .result = REJECT,
1538 .errstr = "misaligned access off -2 size 8",
1539 },
1540 {
1541 "PTR_TO_STACK store/load - out of bounds low",
1542 .insns = {
1543 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1544 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
1545 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1546 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1547 BPF_EXIT_INSN(),
1548 },
1549 .result = REJECT,
1550 .errstr = "invalid stack off=-79992 size=8",
1551 },
1552 {
1553 "PTR_TO_STACK store/load - out of bounds high",
1554 .insns = {
1555 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1556 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1557 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1558 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1559 BPF_EXIT_INSN(),
1560 },
1561 .result = REJECT,
1562 .errstr = "invalid stack off=0 size=8",
1563 },
bf508877
AS		 1564 {
1565 "unpriv: return pointer",
1566 .insns = {
1567 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
1568 BPF_EXIT_INSN(),
1569 },
1570 .result = ACCEPT,
1571 .result_unpriv = REJECT,
1572 .errstr_unpriv = "R0 leaks addr",
1573 },
1574 {
1575 "unpriv: add const to pointer",
1576 .insns = {
1577 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
1578 BPF_MOV64_IMM(BPF_REG_0, 0),
1579 BPF_EXIT_INSN(),
1580 },
1581 .result = ACCEPT,
1582 .result_unpriv = REJECT,
1583 .errstr_unpriv = "R1 pointer arithmetic",
1584 },
1585 {
1586 "unpriv: add pointer to pointer",
1587 .insns = {
1588 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
1589 BPF_MOV64_IMM(BPF_REG_0, 0),
1590 BPF_EXIT_INSN(),
1591 },
1592 .result = ACCEPT,
1593 .result_unpriv = REJECT,
1594 .errstr_unpriv = "R1 pointer arithmetic",
1595 },
1596 {
1597 "unpriv: neg pointer",
1598 .insns = {
1599 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
1600 BPF_MOV64_IMM(BPF_REG_0, 0),
1601 BPF_EXIT_INSN(),
1602 },
1603 .result = ACCEPT,
1604 .result_unpriv = REJECT,
1605 .errstr_unpriv = "R1 pointer arithmetic",
1606 },
1607 {
1608 "unpriv: cmp pointer with const",
1609 .insns = {
1610 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
1611 BPF_MOV64_IMM(BPF_REG_0, 0),
1612 BPF_EXIT_INSN(),
1613 },
1614 .result = ACCEPT,
1615 .result_unpriv = REJECT,
1616 .errstr_unpriv = "R1 pointer comparison",
1617 },
1618 {
1619 "unpriv: cmp pointer with pointer",
1620 .insns = {
1621 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1622 BPF_MOV64_IMM(BPF_REG_0, 0),
1623 BPF_EXIT_INSN(),
1624 },
1625 .result = ACCEPT,
1626 .result_unpriv = REJECT,
1627 .errstr_unpriv = "R10 pointer comparison",
1628 },
1629 {
1630 "unpriv: check that printk is disallowed",
1631 .insns = {
1632 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1633 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1634 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1635 BPF_MOV64_IMM(BPF_REG_2, 8),
1636 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
5aa5bd14
DB		 1637 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1638 BPF_FUNC_trace_printk),
bf508877
AS		 1639 BPF_MOV64_IMM(BPF_REG_0, 0),
1640 BPF_EXIT_INSN(),
1641 },
0eb6984f 1642 .errstr_unpriv = "unknown func bpf_trace_printk#6",
bf508877
AS		 1643 .result_unpriv = REJECT,
1644 .result = ACCEPT,
1645 },
1646 {
1647 "unpriv: pass pointer to helper function",
1648 .insns = {
1649 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1650 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1651 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1652 BPF_LD_MAP_FD(BPF_REG_1, 0),
1653 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1654 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
5aa5bd14
DB		 1655 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1656 BPF_FUNC_map_update_elem),
bf508877
AS		 1657 BPF_MOV64_IMM(BPF_REG_0, 0),
1658 BPF_EXIT_INSN(),
1659 },
5aa5bd14 1660 .fixup_map1 = { 3 },
bf508877
AS		 1661 .errstr_unpriv = "R4 leaks addr",
1662 .result_unpriv = REJECT,
1663 .result = ACCEPT,
1664 },
1665 {
1666 "unpriv: indirectly pass pointer on stack to helper function",
1667 .insns = {
1668 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1669 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1670 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1671 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 1672 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1673 BPF_FUNC_map_lookup_elem),
bf508877
AS		 1674 BPF_MOV64_IMM(BPF_REG_0, 0),
1675 BPF_EXIT_INSN(),
1676 },
5aa5bd14 1677 .fixup_map1 = { 3 },
bf508877
AS		 1678 .errstr = "invalid indirect read from stack off -8+0 size 8",
1679 .result = REJECT,
1680 },
1681 {
1682 "unpriv: mangle pointer on stack 1",
1683 .insns = {
1684 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1685 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
1686 BPF_MOV64_IMM(BPF_REG_0, 0),
1687 BPF_EXIT_INSN(),
1688 },
1689 .errstr_unpriv = "attempt to corrupt spilled",
1690 .result_unpriv = REJECT,
1691 .result = ACCEPT,
1692 },
1693 {
1694 "unpriv: mangle pointer on stack 2",
1695 .insns = {
1696 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1697 BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
1698 BPF_MOV64_IMM(BPF_REG_0, 0),
1699 BPF_EXIT_INSN(),
1700 },
1701 .errstr_unpriv = "attempt to corrupt spilled",
1702 .result_unpriv = REJECT,
1703 .result = ACCEPT,
1704 },
1705 {
1706 "unpriv: read pointer from stack in small chunks",
1707 .insns = {
1708 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1709 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
1710 BPF_MOV64_IMM(BPF_REG_0, 0),
1711 BPF_EXIT_INSN(),
1712 },
1713 .errstr = "invalid size",
1714 .result = REJECT,
1715 },
1716 {
1717 "unpriv: write pointer into ctx",
1718 .insns = {
1719 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
1720 BPF_MOV64_IMM(BPF_REG_0, 0),
1721 BPF_EXIT_INSN(),
1722 },
1723 .errstr_unpriv = "R1 leaks addr",
1724 .result_unpriv = REJECT,
1725 .errstr = "invalid bpf_context access",
1726 .result = REJECT,
1727 },
1a776b9c
DB		 1728 {
1729 "unpriv: spill/fill of ctx",
1730 .insns = {
1731 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1732 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1733 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
1734 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
1735 BPF_MOV64_IMM(BPF_REG_0, 0),
1736 BPF_EXIT_INSN(),
1737 },
1738 .result = ACCEPT,
1739 },
1740 {
1741 "unpriv: spill/fill of ctx 2",
1742 .insns = {
1743 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1744 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1745 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
1746 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
5aa5bd14
DB		 1747 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1748 BPF_FUNC_get_hash_recalc),
1a776b9c
DB		 1749 BPF_EXIT_INSN(),
1750 },
1751 .result = ACCEPT,
1752 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1753 },
1754 {
1755 "unpriv: spill/fill of ctx 3",
1756 .insns = {
1757 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1758 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1759 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
1760 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
1761 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
5aa5bd14
DB		 1762 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1763 BPF_FUNC_get_hash_recalc),
1a776b9c
DB		 1764 BPF_EXIT_INSN(),
1765 },
1766 .result = REJECT,
1767 .errstr = "R1 type=fp expected=ctx",
1768 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1769 },
1770 {
1771 "unpriv: spill/fill of ctx 4",
1772 .insns = {
1773 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1774 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1775 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
1776 BPF_MOV64_IMM(BPF_REG_0, 1),
5aa5bd14
DB		 1777 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
1778 BPF_REG_0, -8, 0),
1a776b9c 1779 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
5aa5bd14
DB		 1780 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1781 BPF_FUNC_get_hash_recalc),
1a776b9c
DB		 1782 BPF_EXIT_INSN(),
1783 },
1784 .result = REJECT,
1785 .errstr = "R1 type=inv expected=ctx",
1786 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1787 },
1788 {
1789 "unpriv: spill/fill of different pointers stx",
1790 .insns = {
1791 BPF_MOV64_IMM(BPF_REG_3, 42),
1792 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1793 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1794 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1795 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1796 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1797 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
1798 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
1799 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
1800 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
1801 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
1802 offsetof(struct __sk_buff, mark)),
1803 BPF_MOV64_IMM(BPF_REG_0, 0),
1804 BPF_EXIT_INSN(),
1805 },
1806 .result = REJECT,
1807 .errstr = "same insn cannot be used with different pointers",
1808 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1809 },
1810 {
1811 "unpriv: spill/fill of different pointers ldx",
1812 .insns = {
1813 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1814 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1815 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1816 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1817 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
1818 -(__s32)offsetof(struct bpf_perf_event_data,
1819 sample_period) - 8),
1820 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
1821 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
1822 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
1823 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
1824 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
1825 offsetof(struct bpf_perf_event_data,
1826 sample_period)),
1827 BPF_MOV64_IMM(BPF_REG_0, 0),
1828 BPF_EXIT_INSN(),
1829 },
1830 .result = REJECT,
1831 .errstr = "same insn cannot be used with different pointers",
1832 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
1833 },
bf508877
AS		 1834 {
1835 "unpriv: write pointer into map elem value",
1836 .insns = {
1837 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1838 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1839 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1840 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 1841 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1842 BPF_FUNC_map_lookup_elem),
bf508877
AS		 1843 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1844 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
1845 BPF_EXIT_INSN(),
1846 },
5aa5bd14 1847 .fixup_map1 = { 3 },
bf508877
AS		 1848 .errstr_unpriv = "R0 leaks addr",
1849 .result_unpriv = REJECT,
1850 .result = ACCEPT,
1851 },
1852 {
1853 "unpriv: partial copy of pointer",
1854 .insns = {
1855 BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
1856 BPF_MOV64_IMM(BPF_REG_0, 0),
1857 BPF_EXIT_INSN(),
1858 },
1859 .errstr_unpriv = "R10 partial copy",
1860 .result_unpriv = REJECT,
1861 .result = ACCEPT,
1862 },
1863 {
1864 "unpriv: pass pointer to tail_call",
1865 .insns = {
1866 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
1867 BPF_LD_MAP_FD(BPF_REG_2, 0),
5aa5bd14
DB		 1868 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1869 BPF_FUNC_tail_call),
bf508877
AS		 1870 BPF_MOV64_IMM(BPF_REG_0, 0),
1871 BPF_EXIT_INSN(),
1872 },
5aa5bd14 1873 .fixup_prog = { 1 },
bf508877
AS		 1874 .errstr_unpriv = "R3 leaks addr into helper",
1875 .result_unpriv = REJECT,
1876 .result = ACCEPT,
1877 },
1878 {
1879 "unpriv: cmp map pointer with zero",
1880 .insns = {
1881 BPF_MOV64_IMM(BPF_REG_1, 0),
1882 BPF_LD_MAP_FD(BPF_REG_1, 0),
1883 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
1884 BPF_MOV64_IMM(BPF_REG_0, 0),
1885 BPF_EXIT_INSN(),
1886 },
5aa5bd14 1887 .fixup_map1 = { 1 },
bf508877
AS		 1888 .errstr_unpriv = "R1 pointer comparison",
1889 .result_unpriv = REJECT,
1890 .result = ACCEPT,
1891 },
1892 {
1893 "unpriv: write into frame pointer",
1894 .insns = {
1895 BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
1896 BPF_MOV64_IMM(BPF_REG_0, 0),
1897 BPF_EXIT_INSN(),
1898 },
1899 .errstr = "frame pointer is read only",
1900 .result = REJECT,
1901 },
1a776b9c
DB		 1902 {
1903 "unpriv: spill/fill frame pointer",
1904 .insns = {
1905 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1906 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1907 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
1908 BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
1909 BPF_MOV64_IMM(BPF_REG_0, 0),
1910 BPF_EXIT_INSN(),
1911 },
1912 .errstr = "frame pointer is read only",
1913 .result = REJECT,
1914 },
bf508877
AS		 1915 {
1916 "unpriv: cmp of frame pointer",
1917 .insns = {
1918 BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
1919 BPF_MOV64_IMM(BPF_REG_0, 0),
1920 BPF_EXIT_INSN(),
1921 },
1922 .errstr_unpriv = "R10 pointer comparison",
1923 .result_unpriv = REJECT,
1924 .result = ACCEPT,
1925 },
728a853a
DB		 1926 {
1927 "unpriv: adding of fp",
1928 .insns = {
1929 BPF_MOV64_IMM(BPF_REG_0, 0),
1930 BPF_MOV64_IMM(BPF_REG_1, 0),
1931 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
1932 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
1933 BPF_EXIT_INSN(),
1934 },
1935 .errstr_unpriv = "pointer arithmetic prohibited",
1936 .result_unpriv = REJECT,
1937 .errstr = "R1 invalid mem access",
1938 .result = REJECT,
1939 },
bf508877
AS		 1940 {
1941 "unpriv: cmp of stack pointer",
1942 .insns = {
1943 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1944 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1945 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
1946 BPF_MOV64_IMM(BPF_REG_0, 0),
1947 BPF_EXIT_INSN(),
1948 },
1949 .errstr_unpriv = "R2 pointer comparison",
1950 .result_unpriv = REJECT,
1951 .result = ACCEPT,
1952 },
1953 {
332270fd 1954 "stack pointer arithmetic",
bf508877 1955 .insns = {
332270fd
YS		 1956 BPF_MOV64_IMM(BPF_REG_1, 4),
1957 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1958 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
1959 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
1960 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
1961 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
1962 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
1963 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
1964 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
1965 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
1966 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
bf508877
AS		 1967 BPF_MOV64_IMM(BPF_REG_0, 0),
1968 BPF_EXIT_INSN(),
1969 },
bf508877
AS		 1970 .result = ACCEPT,
1971 },
3f2050e2
DB		 1972 {
1973 "raw_stack: no skb_load_bytes",
1974 .insns = {
1975 BPF_MOV64_IMM(BPF_REG_2, 4),
1976 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1977 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1978 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
1979 BPF_MOV64_IMM(BPF_REG_4, 8),
1980 /* Call to skb_load_bytes() omitted. */
1981 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
1982 BPF_EXIT_INSN(),
1983 },
1984 .result = REJECT,
1985 .errstr = "invalid read from stack off -8+0 size 8",
1986 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1987 },
7d95b0ab
DB		 1988 {
1989 "raw_stack: skb_load_bytes, negative len",
1990 .insns = {
1991 BPF_MOV64_IMM(BPF_REG_2, 4),
1992 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1993 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1994 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
1995 BPF_MOV64_IMM(BPF_REG_4, -8),
5aa5bd14
DB		 1996 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1997 BPF_FUNC_skb_load_bytes),
7d95b0ab
DB		 1998 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
1999 BPF_EXIT_INSN(),
2000 },
2001 .result = REJECT,
2002 .errstr = "invalid stack type R3",
2003 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2004 },
2005 {
2006 "raw_stack: skb_load_bytes, negative len 2",
2007 .insns = {
2008 BPF_MOV64_IMM(BPF_REG_2, 4),
2009 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2010 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2011 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2012 BPF_MOV64_IMM(BPF_REG_4, ~0),
5aa5bd14
DB		 2013 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2014 BPF_FUNC_skb_load_bytes),
7d95b0ab
DB		 2015 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2016 BPF_EXIT_INSN(),
2017 },
2018 .result = REJECT,
2019 .errstr = "invalid stack type R3",
2020 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2021 },
2022 {
2023 "raw_stack: skb_load_bytes, zero len",
2024 .insns = {
2025 BPF_MOV64_IMM(BPF_REG_2, 4),
2026 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2027 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2028 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2029 BPF_MOV64_IMM(BPF_REG_4, 0),
5aa5bd14
DB		 2030 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2031 BPF_FUNC_skb_load_bytes),
7d95b0ab
DB		 2032 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2033 BPF_EXIT_INSN(),
2034 },
2035 .result = REJECT,
2036 .errstr = "invalid stack type R3",
2037 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2038 },
3f2050e2
DB		 2039 {
2040 "raw_stack: skb_load_bytes, no init",
2041 .insns = {
2042 BPF_MOV64_IMM(BPF_REG_2, 4),
2043 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2044 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2045 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2046 BPF_MOV64_IMM(BPF_REG_4, 8),
5aa5bd14
DB		 2047 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2048 BPF_FUNC_skb_load_bytes),
3f2050e2
DB		 2049 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2050 BPF_EXIT_INSN(),
2051 },
2052 .result = ACCEPT,
2053 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2054 },
2055 {
2056 "raw_stack: skb_load_bytes, init",
2057 .insns = {
2058 BPF_MOV64_IMM(BPF_REG_2, 4),
2059 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2060 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2061 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
2062 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2063 BPF_MOV64_IMM(BPF_REG_4, 8),
5aa5bd14
DB		 2064 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2065 BPF_FUNC_skb_load_bytes),
3f2050e2
DB		 2066 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2067 BPF_EXIT_INSN(),
2068 },
2069 .result = ACCEPT,
2070 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2071 },
2072 {
2073 "raw_stack: skb_load_bytes, spilled regs around bounds",
2074 .insns = {
2075 BPF_MOV64_IMM(BPF_REG_2, 4),
2076 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2077 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
5aa5bd14
DB		 2078 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2079 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3f2050e2
DB		 2080 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2081 BPF_MOV64_IMM(BPF_REG_4, 8),
5aa5bd14
DB		 2082 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2083 BPF_FUNC_skb_load_bytes),
2084 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2085 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3f2050e2
DB		 2086 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2087 offsetof(struct __sk_buff, mark)),
2088 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2089 offsetof(struct __sk_buff, priority)),
2090 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2091 BPF_EXIT_INSN(),
2092 },
2093 .result = ACCEPT,
2094 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2095 },
2096 {
2097 "raw_stack: skb_load_bytes, spilled regs corruption",
2098 .insns = {
2099 BPF_MOV64_IMM(BPF_REG_2, 4),
2100 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2101 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
5aa5bd14 2102 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3f2050e2
DB		 2103 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2104 BPF_MOV64_IMM(BPF_REG_4, 8),
5aa5bd14
DB		 2105 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2106 BPF_FUNC_skb_load_bytes),
2107 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3f2050e2
DB		 2108 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2109 offsetof(struct __sk_buff, mark)),
2110 BPF_EXIT_INSN(),
2111 },
2112 .result = REJECT,
2113 .errstr = "R0 invalid mem access 'inv'",
2114 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2115 },
2116 {
2117 "raw_stack: skb_load_bytes, spilled regs corruption 2",
2118 .insns = {
2119 BPF_MOV64_IMM(BPF_REG_2, 4),
2120 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2121 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
5aa5bd14
DB		 2122 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2123 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2124 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3f2050e2
DB		 2125 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2126 BPF_MOV64_IMM(BPF_REG_4, 8),
5aa5bd14
DB		 2127 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2128 BPF_FUNC_skb_load_bytes),
2129 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2130 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
2131 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
3f2050e2
DB		 2132 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2133 offsetof(struct __sk_buff, mark)),
2134 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2135 offsetof(struct __sk_buff, priority)),
2136 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2137 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
2138 offsetof(struct __sk_buff, pkt_type)),
2139 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
2140 BPF_EXIT_INSN(),
2141 },
2142 .result = REJECT,
2143 .errstr = "R3 invalid mem access 'inv'",
2144 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2145 },
2146 {
2147 "raw_stack: skb_load_bytes, spilled regs + data",
2148 .insns = {
2149 BPF_MOV64_IMM(BPF_REG_2, 4),
2150 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2151 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
5aa5bd14
DB		 2152 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2153 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2154 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3f2050e2
DB		 2155 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2156 BPF_MOV64_IMM(BPF_REG_4, 8),
5aa5bd14
DB		 2157 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2158 BPF_FUNC_skb_load_bytes),
2159 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2160 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
2161 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
3f2050e2
DB		 2162 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2163 offsetof(struct __sk_buff, mark)),
2164 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2165 offsetof(struct __sk_buff, priority)),
2166 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2167 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
2168 BPF_EXIT_INSN(),
2169 },
2170 .result = ACCEPT,
2171 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2172 },
2173 {
2174 "raw_stack: skb_load_bytes, invalid access 1",
2175 .insns = {
2176 BPF_MOV64_IMM(BPF_REG_2, 4),
2177 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2178 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
2179 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2180 BPF_MOV64_IMM(BPF_REG_4, 8),
5aa5bd14
DB		 2181 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2182 BPF_FUNC_skb_load_bytes),
3f2050e2
DB		 2183 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2184 BPF_EXIT_INSN(),
2185 },
2186 .result = REJECT,
2187 .errstr = "invalid stack type R3 off=-513 access_size=8",
2188 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2189 },
2190 {
2191 "raw_stack: skb_load_bytes, invalid access 2",
2192 .insns = {
2193 BPF_MOV64_IMM(BPF_REG_2, 4),
2194 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2195 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
2196 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2197 BPF_MOV64_IMM(BPF_REG_4, 8),
5aa5bd14
DB		 2198 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2199 BPF_FUNC_skb_load_bytes),
3f2050e2
DB		 2200 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2201 BPF_EXIT_INSN(),
2202 },
2203 .result = REJECT,
2204 .errstr = "invalid stack type R3 off=-1 access_size=8",
2205 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2206 },
2207 {
2208 "raw_stack: skb_load_bytes, invalid access 3",
2209 .insns = {
2210 BPF_MOV64_IMM(BPF_REG_2, 4),
2211 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2212 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
2213 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2214 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
5aa5bd14
DB		 2215 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2216 BPF_FUNC_skb_load_bytes),
3f2050e2
DB		 2217 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2218 BPF_EXIT_INSN(),
2219 },
2220 .result = REJECT,
2221 .errstr = "invalid stack type R3 off=-1 access_size=-1",
2222 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2223 },
2224 {
2225 "raw_stack: skb_load_bytes, invalid access 4",
2226 .insns = {
2227 BPF_MOV64_IMM(BPF_REG_2, 4),
2228 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2229 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
2230 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2231 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
5aa5bd14
DB		 2232 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2233 BPF_FUNC_skb_load_bytes),
3f2050e2
DB		 2234 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2235 BPF_EXIT_INSN(),
2236 },
2237 .result = REJECT,
2238 .errstr = "invalid stack type R3 off=-1 access_size=2147483647",
2239 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2240 },
2241 {
2242 "raw_stack: skb_load_bytes, invalid access 5",
2243 .insns = {
2244 BPF_MOV64_IMM(BPF_REG_2, 4),
2245 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2246 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2247 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2248 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
5aa5bd14
DB		 2249 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2250 BPF_FUNC_skb_load_bytes),
3f2050e2
DB		 2251 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2252 BPF_EXIT_INSN(),
2253 },
2254 .result = REJECT,
2255 .errstr = "invalid stack type R3 off=-512 access_size=2147483647",
2256 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2257 },
2258 {
2259 "raw_stack: skb_load_bytes, invalid access 6",
2260 .insns = {
2261 BPF_MOV64_IMM(BPF_REG_2, 4),
2262 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2263 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2264 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2265 BPF_MOV64_IMM(BPF_REG_4, 0),
5aa5bd14
DB		 2266 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2267 BPF_FUNC_skb_load_bytes),
3f2050e2
DB		 2268 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2269 BPF_EXIT_INSN(),
2270 },
2271 .result = REJECT,
2272 .errstr = "invalid stack type R3 off=-512 access_size=0",
2273 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2274 },
2275 {
2276 "raw_stack: skb_load_bytes, large access",
2277 .insns = {
2278 BPF_MOV64_IMM(BPF_REG_2, 4),
2279 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2280 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2281 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2282 BPF_MOV64_IMM(BPF_REG_4, 512),
5aa5bd14
DB		 2283 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2284 BPF_FUNC_skb_load_bytes),
3f2050e2
DB		 2285 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2286 BPF_EXIT_INSN(),
2287 },
2288 .result = ACCEPT,
2289 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2290 },
883e44e4 2291 {
1633ac0a 2292 "direct packet access: test1",
883e44e4
AS		 2293 .insns = {
2294 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2295 offsetof(struct __sk_buff, data)),
2296 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2297 offsetof(struct __sk_buff, data_end)),
2298 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2299 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2300 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2301 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2302 BPF_MOV64_IMM(BPF_REG_0, 0),
2303 BPF_EXIT_INSN(),
2304 },
2305 .result = ACCEPT,
2306 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2307 },
2308 {
1633ac0a 2309 "direct packet access: test2",
883e44e4
AS		 2310 .insns = {
2311 BPF_MOV64_IMM(BPF_REG_0, 1),
2312 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
2313 offsetof(struct __sk_buff, data_end)),
2314 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2315 offsetof(struct __sk_buff, data)),
2316 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2317 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
2318 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
2319 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
2320 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
2321 BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
2322 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2323 offsetof(struct __sk_buff, data)),
2324 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
2325 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
2326 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 48),
2327 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 48),
2328 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
2329 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
2330 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2331 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2332 offsetof(struct __sk_buff, data_end)),
2333 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
2334 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
2335 BPF_MOV64_IMM(BPF_REG_0, 0),
2336 BPF_EXIT_INSN(),
2337 },
2338 .result = ACCEPT,
2339 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2340 },
2341 {
1633ac0a 2342 "direct packet access: test3",
883e44e4
AS		 2343 .insns = {
2344 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2345 offsetof(struct __sk_buff, data)),
2346 BPF_MOV64_IMM(BPF_REG_0, 0),
2347 BPF_EXIT_INSN(),
2348 },
2349 .errstr = "invalid bpf_context access off=76",
2350 .result = REJECT,
2351 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
2352 },
2353 {
7d95b0ab 2354 "direct packet access: test4 (write)",
883e44e4
AS		 2355 .insns = {
2356 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2357 offsetof(struct __sk_buff, data)),
2358 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2359 offsetof(struct __sk_buff, data_end)),
2360 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2361 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2362 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2363 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2364 BPF_MOV64_IMM(BPF_REG_0, 0),
2365 BPF_EXIT_INSN(),
2366 },
7d95b0ab 2367 .result = ACCEPT,
883e44e4
AS		 2368 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2369 },
2d2be8ca
DB		 2370 {
2371 "direct packet access: test5 (pkt_end >= reg, good access)",
2372 .insns = {
2373 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2374 offsetof(struct __sk_buff, data)),
2375 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2376 offsetof(struct __sk_buff, data_end)),
2377 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2378 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2379 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
2380 BPF_MOV64_IMM(BPF_REG_0, 1),
2381 BPF_EXIT_INSN(),
2382 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2383 BPF_MOV64_IMM(BPF_REG_0, 0),
2384 BPF_EXIT_INSN(),
2385 },
2386 .result = ACCEPT,
2387 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2388 },
2389 {
2390 "direct packet access: test6 (pkt_end >= reg, bad access)",
2391 .insns = {
2392 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2393 offsetof(struct __sk_buff, data)),
2394 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2395 offsetof(struct __sk_buff, data_end)),
2396 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2397 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2398 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
2399 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2400 BPF_MOV64_IMM(BPF_REG_0, 1),
2401 BPF_EXIT_INSN(),
2402 BPF_MOV64_IMM(BPF_REG_0, 0),
2403 BPF_EXIT_INSN(),
2404 },
2405 .errstr = "invalid access to packet",
2406 .result = REJECT,
2407 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2408 },
2409 {
2410 "direct packet access: test7 (pkt_end >= reg, both accesses)",
2411 .insns = {
2412 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2413 offsetof(struct __sk_buff, data)),
2414 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2415 offsetof(struct __sk_buff, data_end)),
2416 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2417 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2418 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
2419 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2420 BPF_MOV64_IMM(BPF_REG_0, 1),
2421 BPF_EXIT_INSN(),
2422 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2423 BPF_MOV64_IMM(BPF_REG_0, 0),
2424 BPF_EXIT_INSN(),
2425 },
2426 .errstr = "invalid access to packet",
2427 .result = REJECT,
2428 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2429 },
2430 {
2431 "direct packet access: test8 (double test, variant 1)",
2432 .insns = {
2433 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2434 offsetof(struct __sk_buff, data)),
2435 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2436 offsetof(struct __sk_buff, data_end)),
2437 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2438 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2439 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
2440 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2441 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2442 BPF_MOV64_IMM(BPF_REG_0, 1),
2443 BPF_EXIT_INSN(),
2444 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2445 BPF_MOV64_IMM(BPF_REG_0, 0),
2446 BPF_EXIT_INSN(),
2447 },
2448 .result = ACCEPT,
2449 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2450 },
2451 {
2452 "direct packet access: test9 (double test, variant 2)",
2453 .insns = {
2454 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2455 offsetof(struct __sk_buff, data)),
2456 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2457 offsetof(struct __sk_buff, data_end)),
2458 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2459 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2460 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
2461 BPF_MOV64_IMM(BPF_REG_0, 1),
2462 BPF_EXIT_INSN(),
2463 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2464 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2465 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2466 BPF_MOV64_IMM(BPF_REG_0, 0),
2467 BPF_EXIT_INSN(),
2468 },
2469 .result = ACCEPT,
2470 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2471 },
7d95b0ab
DB		 2472 {
2473 "direct packet access: test10 (write invalid)",
2474 .insns = {
2475 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2476 offsetof(struct __sk_buff, data)),
2477 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2478 offsetof(struct __sk_buff, data_end)),
2479 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2480 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2481 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
2482 BPF_MOV64_IMM(BPF_REG_0, 0),
2483 BPF_EXIT_INSN(),
2484 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2485 BPF_MOV64_IMM(BPF_REG_0, 0),
2486 BPF_EXIT_INSN(),
2487 },
2488 .errstr = "invalid access to packet",
2489 .result = REJECT,
2490 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2491 },
3fadc801
DB		 2492 {
2493 "direct packet access: test11 (shift, good access)",
2494 .insns = {
2495 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2496 offsetof(struct __sk_buff, data)),
2497 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2498 offsetof(struct __sk_buff, data_end)),
2499 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2500 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2501 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
2502 BPF_MOV64_IMM(BPF_REG_3, 144),
2503 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2504 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
2505 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
2506 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2507 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2508 BPF_MOV64_IMM(BPF_REG_0, 1),
2509 BPF_EXIT_INSN(),
2510 BPF_MOV64_IMM(BPF_REG_0, 0),
2511 BPF_EXIT_INSN(),
2512 },
2513 .result = ACCEPT,
2514 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2515 },
2516 {
2517 "direct packet access: test12 (and, good access)",
2518 .insns = {
2519 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2520 offsetof(struct __sk_buff, data)),
2521 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2522 offsetof(struct __sk_buff, data_end)),
2523 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2524 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2525 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
2526 BPF_MOV64_IMM(BPF_REG_3, 144),
2527 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2528 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
2529 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
2530 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2531 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2532 BPF_MOV64_IMM(BPF_REG_0, 1),
2533 BPF_EXIT_INSN(),
2534 BPF_MOV64_IMM(BPF_REG_0, 0),
2535 BPF_EXIT_INSN(),
2536 },
2537 .result = ACCEPT,
2538 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2539 },
2540 {
2541 "direct packet access: test13 (branches, good access)",
2542 .insns = {
2543 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2544 offsetof(struct __sk_buff, data)),
2545 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2546 offsetof(struct __sk_buff, data_end)),
2547 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2548 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2549 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
2550 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2551 offsetof(struct __sk_buff, mark)),
2552 BPF_MOV64_IMM(BPF_REG_4, 1),
2553 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
2554 BPF_MOV64_IMM(BPF_REG_3, 14),
2555 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
2556 BPF_MOV64_IMM(BPF_REG_3, 24),
2557 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2558 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
2559 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
2560 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2561 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2562 BPF_MOV64_IMM(BPF_REG_0, 1),
2563 BPF_EXIT_INSN(),
2564 BPF_MOV64_IMM(BPF_REG_0, 0),
2565 BPF_EXIT_INSN(),
2566 },
2567 .result = ACCEPT,
2568 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2569 },
63dfef75
WT		 2570 {
2571 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
2572 .insns = {
2573 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2574 offsetof(struct __sk_buff, data)),
2575 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2576 offsetof(struct __sk_buff, data_end)),
2577 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2578 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2579 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
2580 BPF_MOV64_IMM(BPF_REG_5, 12),
2581 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
2582 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2583 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2584 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
2585 BPF_MOV64_IMM(BPF_REG_0, 1),
2586 BPF_EXIT_INSN(),
2587 BPF_MOV64_IMM(BPF_REG_0, 0),
2588 BPF_EXIT_INSN(),
2589 },
2590 .result = ACCEPT,
2591 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2592 },
02ea80b1
DB		 2593 {
2594 "direct packet access: test15 (spill with xadd)",
2595 .insns = {
2596 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2597 offsetof(struct __sk_buff, data)),
2598 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2599 offsetof(struct __sk_buff, data_end)),
2600 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2601 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2602 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
2603 BPF_MOV64_IMM(BPF_REG_5, 4096),
2604 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
2605 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
2606 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
2607 BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
2608 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
2609 BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
2610 BPF_MOV64_IMM(BPF_REG_0, 0),
2611 BPF_EXIT_INSN(),
2612 },
2613 .errstr = "R2 invalid mem access 'inv'",
2614 .result = REJECT,
2615 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2616 },
728a853a
DB		 2617 {
2618 "direct packet access: test16 (arith on data_end)",
2619 .insns = {
2620 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2621 offsetof(struct __sk_buff, data)),
2622 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2623 offsetof(struct __sk_buff, data_end)),
2624 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2625 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2626 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
2627 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2628 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2629 BPF_MOV64_IMM(BPF_REG_0, 0),
2630 BPF_EXIT_INSN(),
2631 },
2632 .errstr = "invalid access to packet",
2633 .result = REJECT,
2634 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2635 },
614d0d77
DB		 2636 {
2637 "direct packet access: test17 (pruning, alignment)",
2638 .insns = {
2639 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2640 offsetof(struct __sk_buff, data)),
2641 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2642 offsetof(struct __sk_buff, data_end)),
2643 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
2644 offsetof(struct __sk_buff, mark)),
2645 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2646 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
2647 BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
2648 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2649 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
2650 BPF_MOV64_IMM(BPF_REG_0, 0),
2651 BPF_EXIT_INSN(),
2652 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
2653 BPF_JMP_A(-6),
2654 },
2655 .errstr = "misaligned packet access off 2+15+-4 size 4",
2656 .result = REJECT,
2657 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2658 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2659 },
1633ac0a
AY		 2660 {
2661 "helper access to packet: test1, valid packet_ptr range",
2662 .insns = {
2663 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2664 offsetof(struct xdp_md, data)),
2665 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2666 offsetof(struct xdp_md, data_end)),
2667 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
2668 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2669 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
2670 BPF_LD_MAP_FD(BPF_REG_1, 0),
2671 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2672 BPF_MOV64_IMM(BPF_REG_4, 0),
5aa5bd14
DB		 2673 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2674 BPF_FUNC_map_update_elem),
1633ac0a
AY		 2675 BPF_MOV64_IMM(BPF_REG_0, 0),
2676 BPF_EXIT_INSN(),
2677 },
5aa5bd14 2678 .fixup_map1 = { 5 },
1633ac0a
AY		 2679 .result_unpriv = ACCEPT,
2680 .result = ACCEPT,
2681 .prog_type = BPF_PROG_TYPE_XDP,
2682 },
2683 {
2684 "helper access to packet: test2, unchecked packet_ptr",
2685 .insns = {
2686 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2687 offsetof(struct xdp_md, data)),
2688 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 2689 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2690 BPF_FUNC_map_lookup_elem),
1633ac0a
AY		 2691 BPF_MOV64_IMM(BPF_REG_0, 0),
2692 BPF_EXIT_INSN(),
2693 },
5aa5bd14 2694 .fixup_map1 = { 1 },
1633ac0a
AY		 2695 .result = REJECT,
2696 .errstr = "invalid access to packet",
2697 .prog_type = BPF_PROG_TYPE_XDP,
2698 },
2699 {
2700 "helper access to packet: test3, variable add",
2701 .insns = {
2702 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2703 offsetof(struct xdp_md, data)),
2704 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2705 offsetof(struct xdp_md, data_end)),
2706 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2707 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
2708 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
2709 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
2710 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2711 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
2712 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
2713 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
2714 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
2715 BPF_LD_MAP_FD(BPF_REG_1, 0),
2716 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
5aa5bd14
DB		 2717 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2718 BPF_FUNC_map_lookup_elem),
1633ac0a
AY		 2719 BPF_MOV64_IMM(BPF_REG_0, 0),
2720 BPF_EXIT_INSN(),
2721 },
5aa5bd14 2722 .fixup_map1 = { 11 },
1633ac0a
AY		 2723 .result = ACCEPT,
2724 .prog_type = BPF_PROG_TYPE_XDP,
2725 },
2726 {
2727 "helper access to packet: test4, packet_ptr with bad range",
2728 .insns = {
2729 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2730 offsetof(struct xdp_md, data)),
2731 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2732 offsetof(struct xdp_md, data_end)),
2733 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2734 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
2735 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
2736 BPF_MOV64_IMM(BPF_REG_0, 0),
2737 BPF_EXIT_INSN(),
2738 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 2739 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2740 BPF_FUNC_map_lookup_elem),
1633ac0a
AY		 2741 BPF_MOV64_IMM(BPF_REG_0, 0),
2742 BPF_EXIT_INSN(),
2743 },
5aa5bd14 2744 .fixup_map1 = { 7 },
1633ac0a
AY		 2745 .result = REJECT,
2746 .errstr = "invalid access to packet",
2747 .prog_type = BPF_PROG_TYPE_XDP,
2748 },
2749 {
2750 "helper access to packet: test5, packet_ptr with too short range",
2751 .insns = {
2752 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2753 offsetof(struct xdp_md, data)),
2754 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2755 offsetof(struct xdp_md, data_end)),
2756 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
2757 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2758 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
2759 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
2760 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 2761 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2762 BPF_FUNC_map_lookup_elem),
1633ac0a
AY		 2763 BPF_MOV64_IMM(BPF_REG_0, 0),
2764 BPF_EXIT_INSN(),
2765 },
5aa5bd14 2766 .fixup_map1 = { 6 },
1633ac0a
AY		 2767 .result = REJECT,
2768 .errstr = "invalid access to packet",
2769 .prog_type = BPF_PROG_TYPE_XDP,
2770 },
7d95b0ab
DB		 2771 {
2772 "helper access to packet: test6, cls valid packet_ptr range",
2773 .insns = {
2774 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2775 offsetof(struct __sk_buff, data)),
2776 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2777 offsetof(struct __sk_buff, data_end)),
2778 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
2779 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2780 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
2781 BPF_LD_MAP_FD(BPF_REG_1, 0),
2782 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2783 BPF_MOV64_IMM(BPF_REG_4, 0),
5aa5bd14
DB		 2784 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2785 BPF_FUNC_map_update_elem),
7d95b0ab
DB		 2786 BPF_MOV64_IMM(BPF_REG_0, 0),
2787 BPF_EXIT_INSN(),
2788 },
5aa5bd14 2789 .fixup_map1 = { 5 },
7d95b0ab
DB		 2790 .result = ACCEPT,
2791 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2792 },
2793 {
2794 "helper access to packet: test7, cls unchecked packet_ptr",
2795 .insns = {
2796 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2797 offsetof(struct __sk_buff, data)),
2798 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 2799 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2800 BPF_FUNC_map_lookup_elem),
7d95b0ab
DB		 2801 BPF_MOV64_IMM(BPF_REG_0, 0),
2802 BPF_EXIT_INSN(),
2803 },
5aa5bd14 2804 .fixup_map1 = { 1 },
7d95b0ab
DB		 2805 .result = REJECT,
2806 .errstr = "invalid access to packet",
2807 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2808 },
2809 {
2810 "helper access to packet: test8, cls variable add",
2811 .insns = {
2812 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2813 offsetof(struct __sk_buff, data)),
2814 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2815 offsetof(struct __sk_buff, data_end)),
2816 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2817 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
2818 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
2819 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
2820 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2821 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
2822 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
2823 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
2824 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
2825 BPF_LD_MAP_FD(BPF_REG_1, 0),
2826 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
5aa5bd14
DB		 2827 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2828 BPF_FUNC_map_lookup_elem),
7d95b0ab
DB		 2829 BPF_MOV64_IMM(BPF_REG_0, 0),
2830 BPF_EXIT_INSN(),
2831 },
5aa5bd14 2832 .fixup_map1 = { 11 },
7d95b0ab
DB		 2833 .result = ACCEPT,
2834 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2835 },
2836 {
2837 "helper access to packet: test9, cls packet_ptr with bad range",
2838 .insns = {
2839 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2840 offsetof(struct __sk_buff, data)),
2841 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2842 offsetof(struct __sk_buff, data_end)),
2843 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2844 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
2845 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
2846 BPF_MOV64_IMM(BPF_REG_0, 0),
2847 BPF_EXIT_INSN(),
2848 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 2849 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2850 BPF_FUNC_map_lookup_elem),
7d95b0ab
DB		 2851 BPF_MOV64_IMM(BPF_REG_0, 0),
2852 BPF_EXIT_INSN(),
2853 },
5aa5bd14 2854 .fixup_map1 = { 7 },
7d95b0ab
DB		 2855 .result = REJECT,
2856 .errstr = "invalid access to packet",
2857 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2858 },
2859 {
2860 "helper access to packet: test10, cls packet_ptr with too short range",
2861 .insns = {
2862 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2863 offsetof(struct __sk_buff, data)),
2864 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2865 offsetof(struct __sk_buff, data_end)),
2866 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
2867 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2868 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
2869 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
2870 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 2871 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2872 BPF_FUNC_map_lookup_elem),
7d95b0ab
DB		 2873 BPF_MOV64_IMM(BPF_REG_0, 0),
2874 BPF_EXIT_INSN(),
2875 },
5aa5bd14 2876 .fixup_map1 = { 6 },
7d95b0ab
DB		 2877 .result = REJECT,
2878 .errstr = "invalid access to packet",
2879 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2880 },
2881 {
2882 "helper access to packet: test11, cls unsuitable helper 1",
2883 .insns = {
2884 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
2885 offsetof(struct __sk_buff, data)),
2886 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
2887 offsetof(struct __sk_buff, data_end)),
2888 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
2889 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2890 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
2891 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
2892 BPF_MOV64_IMM(BPF_REG_2, 0),
2893 BPF_MOV64_IMM(BPF_REG_4, 42),
2894 BPF_MOV64_IMM(BPF_REG_5, 0),
5aa5bd14
DB		 2895 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2896 BPF_FUNC_skb_store_bytes),
7d95b0ab
DB		 2897 BPF_MOV64_IMM(BPF_REG_0, 0),
2898 BPF_EXIT_INSN(),
2899 },
2900 .result = REJECT,
2901 .errstr = "helper access to the packet",
2902 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2903 },
2904 {
2905 "helper access to packet: test12, cls unsuitable helper 2",
2906 .insns = {
2907 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
2908 offsetof(struct __sk_buff, data)),
2909 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
2910 offsetof(struct __sk_buff, data_end)),
2911 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2912 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
2913 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
2914 BPF_MOV64_IMM(BPF_REG_2, 0),
2915 BPF_MOV64_IMM(BPF_REG_4, 4),
5aa5bd14
DB		 2916 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2917 BPF_FUNC_skb_load_bytes),
7d95b0ab
DB		 2918 BPF_MOV64_IMM(BPF_REG_0, 0),
2919 BPF_EXIT_INSN(),
2920 },
2921 .result = REJECT,
2922 .errstr = "helper access to the packet",
2923 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2924 },
2925 {
2926 "helper access to packet: test13, cls helper ok",
2927 .insns = {
2928 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
2929 offsetof(struct __sk_buff, data)),
2930 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
2931 offsetof(struct __sk_buff, data_end)),
2932 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
2933 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
2934 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
2935 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
2936 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
2937 BPF_MOV64_IMM(BPF_REG_2, 4),
2938 BPF_MOV64_IMM(BPF_REG_3, 0),
2939 BPF_MOV64_IMM(BPF_REG_4, 0),
2940 BPF_MOV64_IMM(BPF_REG_5, 0),
5aa5bd14
DB		 2941 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2942 BPF_FUNC_csum_diff),
7d95b0ab
DB		 2943 BPF_MOV64_IMM(BPF_REG_0, 0),
2944 BPF_EXIT_INSN(),
2945 },
2946 .result = ACCEPT,
2947 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2948 },
2949 {
2950 "helper access to packet: test14, cls helper fail sub",
2951 .insns = {
2952 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
2953 offsetof(struct __sk_buff, data)),
2954 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
2955 offsetof(struct __sk_buff, data_end)),
2956 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
2957 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
2958 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
2959 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
2960 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
2961 BPF_MOV64_IMM(BPF_REG_2, 4),
2962 BPF_MOV64_IMM(BPF_REG_3, 0),
2963 BPF_MOV64_IMM(BPF_REG_4, 0),
2964 BPF_MOV64_IMM(BPF_REG_5, 0),
5aa5bd14
DB		 2965 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2966 BPF_FUNC_csum_diff),
7d95b0ab
DB		 2967 BPF_MOV64_IMM(BPF_REG_0, 0),
2968 BPF_EXIT_INSN(),
2969 },
2970 .result = REJECT,
2971 .errstr = "type=inv expected=fp",
2972 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2973 },
2974 {
2975 "helper access to packet: test15, cls helper fail range 1",
2976 .insns = {
2977 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
2978 offsetof(struct __sk_buff, data)),
2979 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
2980 offsetof(struct __sk_buff, data_end)),
2981 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
2982 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
2983 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
2984 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
2985 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
2986 BPF_MOV64_IMM(BPF_REG_2, 8),
2987 BPF_MOV64_IMM(BPF_REG_3, 0),
2988 BPF_MOV64_IMM(BPF_REG_4, 0),
2989 BPF_MOV64_IMM(BPF_REG_5, 0),
5aa5bd14
DB		 2990 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2991 BPF_FUNC_csum_diff),
7d95b0ab
DB		 2992 BPF_MOV64_IMM(BPF_REG_0, 0),
2993 BPF_EXIT_INSN(),
2994 },
2995 .result = REJECT,
2996 .errstr = "invalid access to packet",
2997 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2998 },
2999 {
3000 "helper access to packet: test16, cls helper fail range 2",
3001 .insns = {
3002 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3003 offsetof(struct __sk_buff, data)),
3004 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3005 offsetof(struct __sk_buff, data_end)),
3006 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3007 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3008 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3009 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3010 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3011 BPF_MOV64_IMM(BPF_REG_2, -9),
3012 BPF_MOV64_IMM(BPF_REG_3, 0),
3013 BPF_MOV64_IMM(BPF_REG_4, 0),
3014 BPF_MOV64_IMM(BPF_REG_5, 0),
5aa5bd14
DB		 3015 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3016 BPF_FUNC_csum_diff),
7d95b0ab
DB		 3017 BPF_MOV64_IMM(BPF_REG_0, 0),
3018 BPF_EXIT_INSN(),
3019 },
3020 .result = REJECT,
3021 .errstr = "invalid access to packet",
3022 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3023 },
3024 {
3025 "helper access to packet: test17, cls helper fail range 3",
3026 .insns = {
3027 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3028 offsetof(struct __sk_buff, data)),
3029 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3030 offsetof(struct __sk_buff, data_end)),
3031 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3032 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3033 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3034 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3035 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3036 BPF_MOV64_IMM(BPF_REG_2, ~0),
3037 BPF_MOV64_IMM(BPF_REG_3, 0),
3038 BPF_MOV64_IMM(BPF_REG_4, 0),
3039 BPF_MOV64_IMM(BPF_REG_5, 0),
5aa5bd14
DB		 3040 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3041 BPF_FUNC_csum_diff),
7d95b0ab
DB		 3042 BPF_MOV64_IMM(BPF_REG_0, 0),
3043 BPF_EXIT_INSN(),
3044 },
3045 .result = REJECT,
3046 .errstr = "invalid access to packet",
3047 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3048 },
3049 {
3050 "helper access to packet: test18, cls helper fail range zero",
3051 .insns = {
3052 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3053 offsetof(struct __sk_buff, data)),
3054 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3055 offsetof(struct __sk_buff, data_end)),
3056 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3057 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3058 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3059 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3060 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3061 BPF_MOV64_IMM(BPF_REG_2, 0),
3062 BPF_MOV64_IMM(BPF_REG_3, 0),
3063 BPF_MOV64_IMM(BPF_REG_4, 0),
3064 BPF_MOV64_IMM(BPF_REG_5, 0),
5aa5bd14
DB		 3065 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3066 BPF_FUNC_csum_diff),
7d95b0ab
DB		 3067 BPF_MOV64_IMM(BPF_REG_0, 0),
3068 BPF_EXIT_INSN(),
3069 },
3070 .result = REJECT,
3071 .errstr = "invalid access to packet",
3072 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3073 },
3074 {
3075 "helper access to packet: test19, pkt end as input",
3076 .insns = {
3077 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3078 offsetof(struct __sk_buff, data)),
3079 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3080 offsetof(struct __sk_buff, data_end)),
3081 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3082 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3083 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3084 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3085 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
3086 BPF_MOV64_IMM(BPF_REG_2, 4),
3087 BPF_MOV64_IMM(BPF_REG_3, 0),
3088 BPF_MOV64_IMM(BPF_REG_4, 0),
3089 BPF_MOV64_IMM(BPF_REG_5, 0),
5aa5bd14
DB		 3090 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3091 BPF_FUNC_csum_diff),
7d95b0ab
DB		 3092 BPF_MOV64_IMM(BPF_REG_0, 0),
3093 BPF_EXIT_INSN(),
3094 },
3095 .result = REJECT,
3096 .errstr = "R1 type=pkt_end expected=fp",
3097 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3098 },
3099 {
3100 "helper access to packet: test20, wrong reg",
3101 .insns = {
3102 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3103 offsetof(struct __sk_buff, data)),
3104 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3105 offsetof(struct __sk_buff, data_end)),
3106 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3107 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3108 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3109 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3110 BPF_MOV64_IMM(BPF_REG_2, 4),
3111 BPF_MOV64_IMM(BPF_REG_3, 0),
3112 BPF_MOV64_IMM(BPF_REG_4, 0),
3113 BPF_MOV64_IMM(BPF_REG_5, 0),
5aa5bd14
DB		 3114 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3115 BPF_FUNC_csum_diff),
7d95b0ab
DB		 3116 BPF_MOV64_IMM(BPF_REG_0, 0),
3117 BPF_EXIT_INSN(),
3118 },
3119 .result = REJECT,
3120 .errstr = "invalid access to packet",
3121 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3122 },
48461135
JB		 3123 {
3124 "valid map access into an array with a constant",
3125 .insns = {
3126 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3127 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3128 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3129 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 3130 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3131 BPF_FUNC_map_lookup_elem),
48461135 3132 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5aa5bd14
DB		 3133 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3134 offsetof(struct test_val, foo)),
48461135
JB		 3135 BPF_EXIT_INSN(),
3136 },
5aa5bd14 3137 .fixup_map2 = { 3 },
48461135
JB		 3138 .errstr_unpriv = "R0 leaks addr",
3139 .result_unpriv = REJECT,
3140 .result = ACCEPT,
3141 },
3142 {
3143 "valid map access into an array with a register",
3144 .insns = {
3145 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3146 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3147 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3148 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 3149 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3150 BPF_FUNC_map_lookup_elem),
48461135
JB		 3151 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3152 BPF_MOV64_IMM(BPF_REG_1, 4),
3153 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3154 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5aa5bd14
DB		 3155 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3156 offsetof(struct test_val, foo)),
48461135
JB		 3157 BPF_EXIT_INSN(),
3158 },
5aa5bd14
DB		 3159 .fixup_map2 = { 3 },
3160 .errstr_unpriv = "R0 pointer arithmetic prohibited",
48461135
JB		 3161 .result_unpriv = REJECT,
3162 .result = ACCEPT,
02ea80b1 3163 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
48461135
JB		 3164 },
3165 {
3166 "valid map access into an array with a variable",
3167 .insns = {
3168 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3169 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3170 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3171 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 3172 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3173 BPF_FUNC_map_lookup_elem),
48461135
JB		 3174 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
3175 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3176 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
3177 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3178 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5aa5bd14
DB		 3179 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3180 offsetof(struct test_val, foo)),
48461135
JB		 3181 BPF_EXIT_INSN(),
3182 },
5aa5bd14
DB		 3183 .fixup_map2 = { 3 },
3184 .errstr_unpriv = "R0 pointer arithmetic prohibited",
48461135
JB		 3185 .result_unpriv = REJECT,
3186 .result = ACCEPT,
02ea80b1 3187 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
48461135
JB		 3188 },
3189 {
3190 "valid map access into an array with a signed variable",
3191 .insns = {
3192 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3193 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3194 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3195 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 3196 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3197 BPF_FUNC_map_lookup_elem),
48461135
JB		 3198 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
3199 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3200 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
3201 BPF_MOV32_IMM(BPF_REG_1, 0),
3202 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
3203 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
3204 BPF_MOV32_IMM(BPF_REG_1, 0),
3205 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
3206 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5aa5bd14
DB		 3207 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3208 offsetof(struct test_val, foo)),
48461135
JB		 3209 BPF_EXIT_INSN(),
3210 },
5aa5bd14
DB		 3211 .fixup_map2 = { 3 },
3212 .errstr_unpriv = "R0 pointer arithmetic prohibited",
48461135
JB		 3213 .result_unpriv = REJECT,
3214 .result = ACCEPT,
02ea80b1 3215 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
48461135
JB		 3216 },
3217 {
3218 "invalid map access into an array with a constant",
3219 .insns = {
3220 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3221 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3222 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3223 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 3224 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3225 BPF_FUNC_map_lookup_elem),
48461135
JB		 3226 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3227 BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
3228 offsetof(struct test_val, foo)),
3229 BPF_EXIT_INSN(),
3230 },
5aa5bd14 3231 .fixup_map2 = { 3 },
48461135
JB		 3232 .errstr = "invalid access to map value, value_size=48 off=48 size=8",
3233 .result = REJECT,
3234 },
3235 {
3236 "invalid map access into an array with a register",
3237 .insns = {
3238 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3239 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3240 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3241 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 3242 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3243 BPF_FUNC_map_lookup_elem),
48461135
JB		 3244 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3245 BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
3246 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3247 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5aa5bd14
DB		 3248 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3249 offsetof(struct test_val, foo)),
48461135
JB		 3250 BPF_EXIT_INSN(),
3251 },
5aa5bd14
DB		 3252 .fixup_map2 = { 3 },
3253 .errstr_unpriv = "R0 pointer arithmetic prohibited",
48461135 3254 .errstr = "R0 min value is outside of the array range",
5aa5bd14 3255 .result_unpriv = REJECT,
48461135 3256 .result = REJECT,
02ea80b1 3257 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
48461135
JB		 3258 },
3259 {
3260 "invalid map access into an array with a variable",
3261 .insns = {
3262 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3263 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3264 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3265 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 3266 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3267 BPF_FUNC_map_lookup_elem),
48461135
JB		 3268 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3269 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3270 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3271 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5aa5bd14
DB		 3272 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3273 offsetof(struct test_val, foo)),
48461135
JB		 3274 BPF_EXIT_INSN(),
3275 },
5aa5bd14
DB		 3276 .fixup_map2 = { 3 },
3277 .errstr_unpriv = "R0 pointer arithmetic prohibited",
48461135 3278 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
5aa5bd14 3279 .result_unpriv = REJECT,
48461135 3280 .result = REJECT,
02ea80b1 3281 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
48461135
JB		 3282 },
3283 {
3284 "invalid map access into an array with no floor check",
3285 .insns = {
3286 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3287 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3288 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3289 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 3290 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3291 BPF_FUNC_map_lookup_elem),
48461135
JB		 3292 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
3293 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3294 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
3295 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
3296 BPF_MOV32_IMM(BPF_REG_1, 0),
3297 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
3298 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5aa5bd14
DB		 3299 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3300 offsetof(struct test_val, foo)),
48461135
JB		 3301 BPF_EXIT_INSN(),
3302 },
5aa5bd14
DB		 3303 .fixup_map2 = { 3 },
3304 .errstr_unpriv = "R0 pointer arithmetic prohibited",
48461135 3305 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
5aa5bd14 3306 .result_unpriv = REJECT,
48461135 3307 .result = REJECT,
02ea80b1 3308 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
48461135
JB		 3309 },
3310 {
3311 "invalid map access into an array with a invalid max check",
3312 .insns = {
3313 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3314 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3315 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3316 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 3317 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3318 BPF_FUNC_map_lookup_elem),
48461135
JB		 3319 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
3320 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3321 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
3322 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3323 BPF_MOV32_IMM(BPF_REG_1, 0),
3324 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
3325 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5aa5bd14
DB		 3326 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3327 offsetof(struct test_val, foo)),
48461135
JB		 3328 BPF_EXIT_INSN(),
3329 },
5aa5bd14
DB		 3330 .fixup_map2 = { 3 },
3331 .errstr_unpriv = "R0 pointer arithmetic prohibited",
48461135 3332 .errstr = "invalid access to map value, value_size=48 off=44 size=8",
5aa5bd14 3333 .result_unpriv = REJECT,
48461135 3334 .result = REJECT,
02ea80b1 3335 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
48461135
JB		 3336 },
3337 {
3338 "invalid map access into an array with a invalid max check",
3339 .insns = {
3340 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3341 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3342 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3343 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 3344 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3345 BPF_FUNC_map_lookup_elem),
48461135
JB		 3346 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
3347 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
3348 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3349 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3350 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3351 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 3352 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3353 BPF_FUNC_map_lookup_elem),
48461135
JB		 3354 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
3355 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
5aa5bd14
DB		 3356 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3357 offsetof(struct test_val, foo)),
48461135
JB		 3358 BPF_EXIT_INSN(),
3359 },
5aa5bd14
DB		 3360 .fixup_map2 = { 3, 11 },
3361 .errstr_unpriv = "R0 pointer arithmetic prohibited",
48461135 3362 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
5aa5bd14 3363 .result_unpriv = REJECT,
48461135 3364 .result = REJECT,
02ea80b1 3365 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
48461135 3366 },
57a09bf0
TG		 3367 {
3368 "multiple registers share map_lookup_elem result",
3369 .insns = {
3370 BPF_MOV64_IMM(BPF_REG_1, 10),
3371 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3372 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3373 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3374 BPF_LD_MAP_FD(BPF_REG_1, 0),
3375 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3376 BPF_FUNC_map_lookup_elem),
3377 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3378 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3379 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3380 BPF_EXIT_INSN(),
3381 },
3382 .fixup_map1 = { 4 },
3383 .result = ACCEPT,
3384 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3385 },
614d0d77
DB		 3386 {
3387 "alu ops on ptr_to_map_value_or_null, 1",
3388 .insns = {
3389 BPF_MOV64_IMM(BPF_REG_1, 10),
3390 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3391 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3392 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3393 BPF_LD_MAP_FD(BPF_REG_1, 0),
3394 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3395 BPF_FUNC_map_lookup_elem),
3396 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3397 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
3398 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
3399 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3400 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3401 BPF_EXIT_INSN(),
3402 },
3403 .fixup_map1 = { 4 },
3404 .errstr = "R4 invalid mem access",
3405 .result = REJECT,
3406 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3407 },
3408 {
3409 "alu ops on ptr_to_map_value_or_null, 2",
3410 .insns = {
3411 BPF_MOV64_IMM(BPF_REG_1, 10),
3412 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3413 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3414 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3415 BPF_LD_MAP_FD(BPF_REG_1, 0),
3416 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3417 BPF_FUNC_map_lookup_elem),
3418 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3419 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
3420 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3421 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3422 BPF_EXIT_INSN(),
3423 },
3424 .fixup_map1 = { 4 },
3425 .errstr = "R4 invalid mem access",
3426 .result = REJECT,
3427 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3428 },
3429 {
3430 "alu ops on ptr_to_map_value_or_null, 3",
3431 .insns = {
3432 BPF_MOV64_IMM(BPF_REG_1, 10),
3433 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3434 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3435 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3436 BPF_LD_MAP_FD(BPF_REG_1, 0),
3437 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3438 BPF_FUNC_map_lookup_elem),
3439 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3440 BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
3441 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3442 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3443 BPF_EXIT_INSN(),
3444 },
3445 .fixup_map1 = { 4 },
3446 .errstr = "R4 invalid mem access",
3447 .result = REJECT,
3448 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3449 },
57a09bf0
TG		 3450 {
3451 "invalid memory access with multiple map_lookup_elem calls",
3452 .insns = {
3453 BPF_MOV64_IMM(BPF_REG_1, 10),
3454 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3455 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3456 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3457 BPF_LD_MAP_FD(BPF_REG_1, 0),
3458 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
3459 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
3460 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3461 BPF_FUNC_map_lookup_elem),
3462 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3463 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
3464 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3465 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3466 BPF_FUNC_map_lookup_elem),
3467 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3468 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3469 BPF_EXIT_INSN(),
3470 },
3471 .fixup_map1 = { 4 },
3472 .result = REJECT,
3473 .errstr = "R4 !read_ok",
3474 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3475 },
3476 {
3477 "valid indirect map_lookup_elem access with 2nd lookup in branch",
3478 .insns = {
3479 BPF_MOV64_IMM(BPF_REG_1, 10),
3480 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3481 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3482 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3483 BPF_LD_MAP_FD(BPF_REG_1, 0),
3484 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
3485 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
3486 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3487 BPF_FUNC_map_lookup_elem),
3488 BPF_MOV64_IMM(BPF_REG_2, 10),
3489 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
3490 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
3491 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3492 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3493 BPF_FUNC_map_lookup_elem),
3494 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3495 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3496 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3497 BPF_EXIT_INSN(),
3498 },
3499 .fixup_map1 = { 4 },
3500 .result = ACCEPT,
3501 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3502 },
a08dd0da
DB		 3503 {
3504 "multiple registers share map_lookup_elem bad reg type",
3505 .insns = {
3506 BPF_MOV64_IMM(BPF_REG_1, 10),
3507 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3508 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3509 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3510 BPF_LD_MAP_FD(BPF_REG_1, 0),
3511 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3512 BPF_FUNC_map_lookup_elem),
3513 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
3514 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
3515 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3516 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3517 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3518 BPF_MOV64_IMM(BPF_REG_1, 1),
3519 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3520 BPF_MOV64_IMM(BPF_REG_1, 2),
3521 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0, 1),
3522 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 0),
3523 BPF_MOV64_IMM(BPF_REG_1, 3),
3524 BPF_EXIT_INSN(),
3525 },
3526 .fixup_map1 = { 4 },
3527 .result = REJECT,
3528 .errstr = "R3 invalid mem access 'inv'",
3529 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3530 },
e9548901
JB		 3531 {
3532 "invalid map access from else condition",
3533 .insns = {
3534 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3535 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3536 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3537 BPF_LD_MAP_FD(BPF_REG_1, 0),
3538 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
3539 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
3540 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3541 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
3542 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
3543 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3544 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3545 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
3546 BPF_EXIT_INSN(),
3547 },
3548 .fixup_map2 = { 3 },
3549 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
3550 .result = REJECT,
3551 .errstr_unpriv = "R0 pointer arithmetic prohibited",
3552 .result_unpriv = REJECT,
02ea80b1 3553 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
e9548901 3554 },
3c839744
GB		 3555 {
3556 "constant register |= constant should keep constant type",
3557 .insns = {
3558 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3559 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
3560 BPF_MOV64_IMM(BPF_REG_2, 34),
3561 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
3562 BPF_MOV64_IMM(BPF_REG_3, 0),
3563 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3564 BPF_EXIT_INSN(),
3565 },
3566 .result = ACCEPT,
3567 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3568 },
3569 {
3570 "constant register |= constant should not bypass stack boundary checks",
3571 .insns = {
3572 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3573 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
3574 BPF_MOV64_IMM(BPF_REG_2, 34),
3575 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
3576 BPF_MOV64_IMM(BPF_REG_3, 0),
3577 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3578 BPF_EXIT_INSN(),
3579 },
3580 .errstr = "invalid stack type R1 off=-48 access_size=58",
3581 .result = REJECT,
3582 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3583 },
3584 {
3585 "constant register |= constant register should keep constant type",
3586 .insns = {
3587 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3588 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
3589 BPF_MOV64_IMM(BPF_REG_2, 34),
3590 BPF_MOV64_IMM(BPF_REG_4, 13),
3591 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
3592 BPF_MOV64_IMM(BPF_REG_3, 0),
3593 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3594 BPF_EXIT_INSN(),
3595 },
3596 .result = ACCEPT,
3597 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3598 },
3599 {
3600 "constant register |= constant register should not bypass stack boundary checks",
3601 .insns = {
3602 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3603 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
3604 BPF_MOV64_IMM(BPF_REG_2, 34),
3605 BPF_MOV64_IMM(BPF_REG_4, 24),
3606 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
3607 BPF_MOV64_IMM(BPF_REG_3, 0),
3608 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3609 BPF_EXIT_INSN(),
3610 },
3611 .errstr = "invalid stack type R1 off=-48 access_size=58",
3612 .result = REJECT,
3613 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3614 },
3f731d89
TG		 3615 {
3616 "invalid direct packet write for LWT_IN",
3617 .insns = {
3618 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3619 offsetof(struct __sk_buff, data)),
3620 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3621 offsetof(struct __sk_buff, data_end)),
3622 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3623 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3624 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3625 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3626 BPF_MOV64_IMM(BPF_REG_0, 0),
3627 BPF_EXIT_INSN(),
3628 },
3629 .errstr = "cannot write into packet",
3630 .result = REJECT,
3631 .prog_type = BPF_PROG_TYPE_LWT_IN,
3632 },
3633 {
3634 "invalid direct packet write for LWT_OUT",
3635 .insns = {
3636 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3637 offsetof(struct __sk_buff, data)),
3638 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3639 offsetof(struct __sk_buff, data_end)),
3640 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3641 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3642 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3643 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3644 BPF_MOV64_IMM(BPF_REG_0, 0),
3645 BPF_EXIT_INSN(),
3646 },
3647 .errstr = "cannot write into packet",
3648 .result = REJECT,
3649 .prog_type = BPF_PROG_TYPE_LWT_OUT,
3650 },
3651 {
3652 "direct packet write for LWT_XMIT",
3653 .insns = {
3654 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3655 offsetof(struct __sk_buff, data)),
3656 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3657 offsetof(struct __sk_buff, data_end)),
3658 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3659 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3660 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3661 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3662 BPF_MOV64_IMM(BPF_REG_0, 0),
3663 BPF_EXIT_INSN(),
3664 },
3665 .result = ACCEPT,
3666 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
3667 },
3668 {
3669 "direct packet read for LWT_IN",
3670 .insns = {
3671 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3672 offsetof(struct __sk_buff, data)),
3673 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3674 offsetof(struct __sk_buff, data_end)),
3675 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3676 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3677 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3678 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3679 BPF_MOV64_IMM(BPF_REG_0, 0),
3680 BPF_EXIT_INSN(),
3681 },
3682 .result = ACCEPT,
3683 .prog_type = BPF_PROG_TYPE_LWT_IN,
3684 },
3685 {
3686 "direct packet read for LWT_OUT",
3687 .insns = {
3688 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3689 offsetof(struct __sk_buff, data)),
3690 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3691 offsetof(struct __sk_buff, data_end)),
3692 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3693 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3694 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3695 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3696 BPF_MOV64_IMM(BPF_REG_0, 0),
3697 BPF_EXIT_INSN(),
3698 },
3699 .result = ACCEPT,
3700 .prog_type = BPF_PROG_TYPE_LWT_OUT,
3701 },
3702 {
3703 "direct packet read for LWT_XMIT",
3704 .insns = {
3705 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3706 offsetof(struct __sk_buff, data)),
3707 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3708 offsetof(struct __sk_buff, data_end)),
3709 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3710 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3711 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3712 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3713 BPF_MOV64_IMM(BPF_REG_0, 0),
3714 BPF_EXIT_INSN(),
3715 },
3716 .result = ACCEPT,
3717 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
3718 },
b1977682
AS		 3719 {
3720 "overlapping checks for direct packet access",
3721 .insns = {
3722 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3723 offsetof(struct __sk_buff, data)),
3724 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3725 offsetof(struct __sk_buff, data_end)),
3726 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3727 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3728 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
3729 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3730 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
3731 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
3732 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
3733 BPF_MOV64_IMM(BPF_REG_0, 0),
3734 BPF_EXIT_INSN(),
3f731d89
TG		 3735 },
3736 .result = ACCEPT,
3737 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
3738 },
3739 {
3740 "invalid access of tc_classid for LWT_IN",
3741 .insns = {
3742 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
3743 offsetof(struct __sk_buff, tc_classid)),
3744 BPF_EXIT_INSN(),
3745 },
3746 .result = REJECT,
3747 .errstr = "invalid bpf_context access",
3748 },
3749 {
3750 "invalid access of tc_classid for LWT_OUT",
3751 .insns = {
3752 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
3753 offsetof(struct __sk_buff, tc_classid)),
3754 BPF_EXIT_INSN(),
3755 },
3756 .result = REJECT,
3757 .errstr = "invalid bpf_context access",
3758 },
3759 {
3760 "invalid access of tc_classid for LWT_XMIT",
3761 .insns = {
3762 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
3763 offsetof(struct __sk_buff, tc_classid)),
3764 BPF_EXIT_INSN(),
3765 },
3766 .result = REJECT,
3767 .errstr = "invalid bpf_context access",
3768 },
5722569b
GB		 3769 {
3770 "helper access to map: full range",
3771 .insns = {
3772 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3773 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3774 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3775 BPF_LD_MAP_FD(BPF_REG_1, 0),
3776 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3777 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3778 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3779 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
3780 BPF_MOV64_IMM(BPF_REG_3, 0),
3781 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3782 BPF_EXIT_INSN(),
3783 },
3784 .fixup_map2 = { 3 },
3785 .result = ACCEPT,
3786 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3787 },
3788 {
3789 "helper access to map: partial range",
3790 .insns = {
3791 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3792 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3793 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3794 BPF_LD_MAP_FD(BPF_REG_1, 0),
3795 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3796 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3797 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3798 BPF_MOV64_IMM(BPF_REG_2, 8),
3799 BPF_MOV64_IMM(BPF_REG_3, 0),
3800 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3801 BPF_EXIT_INSN(),
3802 },
3803 .fixup_map2 = { 3 },
3804 .result = ACCEPT,
3805 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3806 },
3807 {
3808 "helper access to map: empty range",
3809 .insns = {
3810 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3811 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3812 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3813 BPF_LD_MAP_FD(BPF_REG_1, 0),
3814 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3815 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3816 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3817 BPF_MOV64_IMM(BPF_REG_2, 0),
3818 BPF_MOV64_IMM(BPF_REG_3, 0),
3819 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3820 BPF_EXIT_INSN(),
3821 },
3822 .fixup_map2 = { 3 },
3823 .errstr = "invalid access to map value, value_size=48 off=0 size=0",
3824 .result = REJECT,
3825 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3826 },
3827 {
3828 "helper access to map: out-of-bound range",
3829 .insns = {
3830 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3831 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3832 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3833 BPF_LD_MAP_FD(BPF_REG_1, 0),
3834 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3835 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3836 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3837 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
3838 BPF_MOV64_IMM(BPF_REG_3, 0),
3839 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3840 BPF_EXIT_INSN(),
3841 },
3842 .fixup_map2 = { 3 },
3843 .errstr = "invalid access to map value, value_size=48 off=0 size=56",
3844 .result = REJECT,
3845 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3846 },
3847 {
3848 "helper access to map: negative range",
3849 .insns = {
3850 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3851 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3852 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3853 BPF_LD_MAP_FD(BPF_REG_1, 0),
3854 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3855 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3856 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3857 BPF_MOV64_IMM(BPF_REG_2, -8),
3858 BPF_MOV64_IMM(BPF_REG_3, 0),
3859 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3860 BPF_EXIT_INSN(),
3861 },
3862 .fixup_map2 = { 3 },
3863 .errstr = "invalid access to map value, value_size=48 off=0 size=-8",
3864 .result = REJECT,
3865 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3866 },
3867 {
3868 "helper access to adjusted map (via const imm): full range",
3869 .insns = {
3870 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3871 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3872 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3873 BPF_LD_MAP_FD(BPF_REG_1, 0),
3874 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3875 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
3876 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3877 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
3878 offsetof(struct test_val, foo)),
3879 BPF_MOV64_IMM(BPF_REG_2,
3880 sizeof(struct test_val) -
3881 offsetof(struct test_val, foo)),
3882 BPF_MOV64_IMM(BPF_REG_3, 0),
3883 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3884 BPF_EXIT_INSN(),
3885 },
3886 .fixup_map2 = { 3 },
3887 .result = ACCEPT,
3888 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3889 },
3890 {
3891 "helper access to adjusted map (via const imm): partial range",
3892 .insns = {
3893 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3894 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3895 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3896 BPF_LD_MAP_FD(BPF_REG_1, 0),
3897 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3898 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
3899 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3900 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
3901 offsetof(struct test_val, foo)),
3902 BPF_MOV64_IMM(BPF_REG_2, 8),
3903 BPF_MOV64_IMM(BPF_REG_3, 0),
3904 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3905 BPF_EXIT_INSN(),
3906 },
3907 .fixup_map2 = { 3 },
3908 .result = ACCEPT,
3909 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3910 },
3911 {
3912 "helper access to adjusted map (via const imm): empty range",
3913 .insns = {
3914 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3915 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3916 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3917 BPF_LD_MAP_FD(BPF_REG_1, 0),
3918 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3919 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
3920 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3921 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
3922 offsetof(struct test_val, foo)),
3923 BPF_MOV64_IMM(BPF_REG_2, 0),
3924 BPF_MOV64_IMM(BPF_REG_3, 0),
3925 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3926 BPF_EXIT_INSN(),
3927 },
3928 .fixup_map2 = { 3 },
3929 .errstr = "R1 min value is outside of the array range",
3930 .result = REJECT,
3931 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3932 },
3933 {
3934 "helper access to adjusted map (via const imm): out-of-bound range",
3935 .insns = {
3936 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3937 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3938 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3939 BPF_LD_MAP_FD(BPF_REG_1, 0),
3940 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3941 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
3942 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3943 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
3944 offsetof(struct test_val, foo)),
3945 BPF_MOV64_IMM(BPF_REG_2,
3946 sizeof(struct test_val) -
3947 offsetof(struct test_val, foo) + 8),
3948 BPF_MOV64_IMM(BPF_REG_3, 0),
3949 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3950 BPF_EXIT_INSN(),
3951 },
3952 .fixup_map2 = { 3 },
3953 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
3954 .result = REJECT,
3955 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3956 },
3957 {
3958 "helper access to adjusted map (via const imm): negative range (> adjustment)",
3959 .insns = {
3960 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3961 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3962 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3963 BPF_LD_MAP_FD(BPF_REG_1, 0),
3964 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3965 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
3966 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3967 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
3968 offsetof(struct test_val, foo)),
3969 BPF_MOV64_IMM(BPF_REG_2, -8),
3970 BPF_MOV64_IMM(BPF_REG_3, 0),
3971 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3972 BPF_EXIT_INSN(),
3973 },
3974 .fixup_map2 = { 3 },
3975 .errstr = "invalid access to map value, value_size=48 off=4 size=-8",
3976 .result = REJECT,
3977 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3978 },
3979 {
3980 "helper access to adjusted map (via const imm): negative range (< adjustment)",
3981 .insns = {
3982 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3983 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3984 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3985 BPF_LD_MAP_FD(BPF_REG_1, 0),
3986 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3987 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
3988 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3989 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
3990 offsetof(struct test_val, foo)),
3991 BPF_MOV64_IMM(BPF_REG_2, -1),
3992 BPF_MOV64_IMM(BPF_REG_3, 0),
3993 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3994 BPF_EXIT_INSN(),
3995 },
3996 .fixup_map2 = { 3 },
3997 .errstr = "R1 min value is outside of the array range",
3998 .result = REJECT,
3999 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4000 },
4001 {
4002 "helper access to adjusted map (via const reg): full range",
4003 .insns = {
4004 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4005 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4006 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4007 BPF_LD_MAP_FD(BPF_REG_1, 0),
4008 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4009 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4010 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4011 BPF_MOV64_IMM(BPF_REG_3,
4012 offsetof(struct test_val, foo)),
4013 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4014 BPF_MOV64_IMM(BPF_REG_2,
4015 sizeof(struct test_val) -
4016 offsetof(struct test_val, foo)),
4017 BPF_MOV64_IMM(BPF_REG_3, 0),
4018 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4019 BPF_EXIT_INSN(),
4020 },
4021 .fixup_map2 = { 3 },
4022 .result = ACCEPT,
4023 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4024 },
4025 {
4026 "helper access to adjusted map (via const reg): partial range",
4027 .insns = {
4028 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4029 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4030 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4031 BPF_LD_MAP_FD(BPF_REG_1, 0),
4032 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4033 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4034 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4035 BPF_MOV64_IMM(BPF_REG_3,
4036 offsetof(struct test_val, foo)),
4037 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4038 BPF_MOV64_IMM(BPF_REG_2, 8),
4039 BPF_MOV64_IMM(BPF_REG_3, 0),
4040 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4041 BPF_EXIT_INSN(),
4042 },
4043 .fixup_map2 = { 3 },
4044 .result = ACCEPT,
4045 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4046 },
4047 {
4048 "helper access to adjusted map (via const reg): empty range",
4049 .insns = {
4050 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4051 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4052 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4053 BPF_LD_MAP_FD(BPF_REG_1, 0),
4054 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4055 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4056 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4057 BPF_MOV64_IMM(BPF_REG_3, 0),
4058 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4059 BPF_MOV64_IMM(BPF_REG_2, 0),
4060 BPF_MOV64_IMM(BPF_REG_3, 0),
4061 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4062 BPF_EXIT_INSN(),
4063 },
4064 .fixup_map2 = { 3 },
4065 .errstr = "R1 min value is outside of the array range",
4066 .result = REJECT,
4067 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4068 },
4069 {
4070 "helper access to adjusted map (via const reg): out-of-bound range",
4071 .insns = {
4072 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4073 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4074 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4075 BPF_LD_MAP_FD(BPF_REG_1, 0),
4076 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4077 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4078 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4079 BPF_MOV64_IMM(BPF_REG_3,
4080 offsetof(struct test_val, foo)),
4081 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4082 BPF_MOV64_IMM(BPF_REG_2,
4083 sizeof(struct test_val) -
4084 offsetof(struct test_val, foo) + 8),
4085 BPF_MOV64_IMM(BPF_REG_3, 0),
4086 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4087 BPF_EXIT_INSN(),
4088 },
4089 .fixup_map2 = { 3 },
4090 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
4091 .result = REJECT,
4092 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4093 },
4094 {
4095 "helper access to adjusted map (via const reg): negative range (> adjustment)",
4096 .insns = {
4097 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4098 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4099 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4100 BPF_LD_MAP_FD(BPF_REG_1, 0),
4101 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4102 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4103 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4104 BPF_MOV64_IMM(BPF_REG_3,
4105 offsetof(struct test_val, foo)),
4106 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4107 BPF_MOV64_IMM(BPF_REG_2, -8),
4108 BPF_MOV64_IMM(BPF_REG_3, 0),
4109 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4110 BPF_EXIT_INSN(),
4111 },
4112 .fixup_map2 = { 3 },
4113 .errstr = "invalid access to map value, value_size=48 off=4 size=-8",
4114 .result = REJECT,
4115 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4116 },
4117 {
4118 "helper access to adjusted map (via const reg): negative range (< adjustment)",
4119 .insns = {
4120 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4121 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4122 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4123 BPF_LD_MAP_FD(BPF_REG_1, 0),
4124 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4125 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4126 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4127 BPF_MOV64_IMM(BPF_REG_3,
4128 offsetof(struct test_val, foo)),
4129 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4130 BPF_MOV64_IMM(BPF_REG_2, -1),
4131 BPF_MOV64_IMM(BPF_REG_3, 0),
4132 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4133 BPF_EXIT_INSN(),
4134 },
4135 .fixup_map2 = { 3 },
4136 .errstr = "R1 min value is outside of the array range",
4137 .result = REJECT,
4138 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4139 },
4140 {
4141 "helper access to adjusted map (via variable): full range",
4142 .insns = {
4143 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4144 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4145 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4146 BPF_LD_MAP_FD(BPF_REG_1, 0),
4147 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4148 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4149 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4150 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4151 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4152 offsetof(struct test_val, foo), 4),
4153 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4154 BPF_MOV64_IMM(BPF_REG_2,
4155 sizeof(struct test_val) -
4156 offsetof(struct test_val, foo)),
4157 BPF_MOV64_IMM(BPF_REG_3, 0),
4158 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4159 BPF_EXIT_INSN(),
4160 },
4161 .fixup_map2 = { 3 },
4162 .result = ACCEPT,
4163 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4164 },
4165 {
4166 "helper access to adjusted map (via variable): partial range",
4167 .insns = {
4168 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4169 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4170 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4171 BPF_LD_MAP_FD(BPF_REG_1, 0),
4172 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4173 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4174 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4175 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4176 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4177 offsetof(struct test_val, foo), 4),
4178 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4179 BPF_MOV64_IMM(BPF_REG_2, 8),
4180 BPF_MOV64_IMM(BPF_REG_3, 0),
4181 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4182 BPF_EXIT_INSN(),
4183 },
4184 .fixup_map2 = { 3 },
4185 .result = ACCEPT,
4186 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4187 },
4188 {
4189 "helper access to adjusted map (via variable): empty range",
4190 .insns = {
4191 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4192 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4193 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4194 BPF_LD_MAP_FD(BPF_REG_1, 0),
4195 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4196 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4197 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4198 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4199 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4200 offsetof(struct test_val, foo), 4),
4201 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4202 BPF_MOV64_IMM(BPF_REG_2, 0),
4203 BPF_MOV64_IMM(BPF_REG_3, 0),
4204 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4205 BPF_EXIT_INSN(),
4206 },
4207 .fixup_map2 = { 3 },
4208 .errstr = "R1 min value is outside of the array range",
4209 .result = REJECT,
4210 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4211 },
4212 {
4213 "helper access to adjusted map (via variable): no max check",
4214 .insns = {
4215 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4216 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4217 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4218 BPF_LD_MAP_FD(BPF_REG_1, 0),
4219 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4220 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4221 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4222 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4223 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4224 BPF_MOV64_IMM(BPF_REG_2, 0),
4225 BPF_MOV64_IMM(BPF_REG_3, 0),
4226 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4227 BPF_EXIT_INSN(),
4228 },
4229 .fixup_map2 = { 3 },
4230 .errstr = "R1 min value is negative, either use unsigned index or do a if (index >=0) check",
4231 .result = REJECT,
4232 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4233 },
4234 {
4235 "helper access to adjusted map (via variable): wrong max check",
4236 .insns = {
4237 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4238 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4239 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4240 BPF_LD_MAP_FD(BPF_REG_1, 0),
4241 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4242 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4243 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4244 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4245 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4246 offsetof(struct test_val, foo), 4),
4247 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4248 BPF_MOV64_IMM(BPF_REG_2,
4249 sizeof(struct test_val) -
4250 offsetof(struct test_val, foo) + 1),
4251 BPF_MOV64_IMM(BPF_REG_3, 0),
4252 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4253 BPF_EXIT_INSN(),
4254 },
4255 .fixup_map2 = { 3 },
4256 .errstr = "invalid access to map value, value_size=48 off=4 size=45",
4257 .result = REJECT,
4258 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4259 },
f0318d01
GB		 4260 {
4261 "map element value is preserved across register spilling",
4262 .insns = {
4263 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4264 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4265 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4266 BPF_LD_MAP_FD(BPF_REG_1, 0),
4267 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4268 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4269 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
4270 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4271 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
4272 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
4273 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
4274 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
4275 BPF_EXIT_INSN(),
4276 },
4277 .fixup_map2 = { 3 },
4278 .errstr_unpriv = "R0 leaks addr",
4279 .result = ACCEPT,
4280 .result_unpriv = REJECT,
4281 },
4282 {
02ea80b1
DB		 4283 "map element value or null is marked on register spilling",
4284 .insns = {
4285 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4286 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4287 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4288 BPF_LD_MAP_FD(BPF_REG_1, 0),
4289 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4290 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4291 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
4292 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
4293 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4294 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
4295 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
4296 BPF_EXIT_INSN(),
4297 },
4298 .fixup_map2 = { 3 },
4299 .errstr_unpriv = "R0 leaks addr",
4300 .result = ACCEPT,
4301 .result_unpriv = REJECT,
4302 },
4303 {
4304 "map element value store of cleared call register",
4305 .insns = {
4306 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4307 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4308 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4309 BPF_LD_MAP_FD(BPF_REG_1, 0),
4310 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4311 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4312 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
4313 BPF_EXIT_INSN(),
4314 },
4315 .fixup_map2 = { 3 },
4316 .errstr_unpriv = "R1 !read_ok",
4317 .errstr = "R1 !read_ok",
4318 .result = REJECT,
4319 .result_unpriv = REJECT,
4320 },
4321 {
4322 "map element value with unaligned store",
4323 .insns = {
4324 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4325 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4326 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4327 BPF_LD_MAP_FD(BPF_REG_1, 0),
4328 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4329 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
4330 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
4331 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
4332 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
4333 BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
4334 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
4335 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
4336 BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
4337 BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
4338 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
4339 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
4340 BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
4341 BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
4342 BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
4343 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
4344 BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
4345 BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
4346 BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
4347 BPF_EXIT_INSN(),
4348 },
4349 .fixup_map2 = { 3 },
4350 .errstr_unpriv = "R0 pointer arithmetic prohibited",
4351 .result = ACCEPT,
4352 .result_unpriv = REJECT,
4353 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4354 },
4355 {
4356 "map element value with unaligned load",
4357 .insns = {
4358 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4359 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4360 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4361 BPF_LD_MAP_FD(BPF_REG_1, 0),
4362 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4363 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
4364 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4365 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
4366 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
4367 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
4368 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
4369 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
4370 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
4371 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
4372 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
4373 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
4374 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
4375 BPF_EXIT_INSN(),
4376 },
4377 .fixup_map2 = { 3 },
4378 .errstr_unpriv = "R0 pointer arithmetic prohibited",
4379 .result = ACCEPT,
4380 .result_unpriv = REJECT,
4381 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4382 },
4383 {
4384 "map element value illegal alu op, 1",
4385 .insns = {
4386 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4387 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4388 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4389 BPF_LD_MAP_FD(BPF_REG_1, 0),
4390 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4391 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4392 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
4393 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
4394 BPF_EXIT_INSN(),
4395 },
4396 .fixup_map2 = { 3 },
4397 .errstr_unpriv = "R0 pointer arithmetic prohibited",
4398 .errstr = "invalid mem access 'inv'",
4399 .result = REJECT,
4400 .result_unpriv = REJECT,
4401 },
4402 {
4403 "map element value illegal alu op, 2",
4404 .insns = {
4405 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4406 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4407 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4408 BPF_LD_MAP_FD(BPF_REG_1, 0),
4409 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4410 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4411 BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
4412 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
4413 BPF_EXIT_INSN(),
4414 },
4415 .fixup_map2 = { 3 },
4416 .errstr_unpriv = "R0 pointer arithmetic prohibited",
4417 .errstr = "invalid mem access 'inv'",
4418 .result = REJECT,
4419 .result_unpriv = REJECT,
4420 },
4421 {
4422 "map element value illegal alu op, 3",
4423 .insns = {
4424 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4425 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4426 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4427 BPF_LD_MAP_FD(BPF_REG_1, 0),
4428 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4429 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4430 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
4431 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
4432 BPF_EXIT_INSN(),
4433 },
4434 .fixup_map2 = { 3 },
4435 .errstr_unpriv = "R0 pointer arithmetic prohibited",
4436 .errstr = "invalid mem access 'inv'",
4437 .result = REJECT,
4438 .result_unpriv = REJECT,
4439 },
4440 {
4441 "map element value illegal alu op, 4",
4442 .insns = {
4443 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4444 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4445 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4446 BPF_LD_MAP_FD(BPF_REG_1, 0),
4447 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4448 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4449 BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),
4450 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
4451 BPF_EXIT_INSN(),
4452 },
4453 .fixup_map2 = { 3 },
4454 .errstr_unpriv = "R0 pointer arithmetic prohibited",
4455 .errstr = "invalid mem access 'inv'",
4456 .result = REJECT,
4457 .result_unpriv = REJECT,
4458 },
4459 {
4460 "map element value illegal alu op, 5",
4461 .insns = {
4462 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4463 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4464 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4465 BPF_LD_MAP_FD(BPF_REG_1, 0),
4466 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4467 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4468 BPF_MOV64_IMM(BPF_REG_3, 4096),
4469 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4470 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4471 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
4472 BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
4473 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
4474 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
4475 BPF_EXIT_INSN(),
4476 },
4477 .fixup_map2 = { 3 },
4478 .errstr_unpriv = "R0 invalid mem access 'inv'",
4479 .errstr = "R0 invalid mem access 'inv'",
4480 .result = REJECT,
4481 .result_unpriv = REJECT,
4482 },
4483 {
4484 "map element value is preserved across register spilling",
f0318d01
GB		 4485 .insns = {
4486 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4487 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4488 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4489 BPF_LD_MAP_FD(BPF_REG_1, 0),
4490 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4491 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4492 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0,
4493 offsetof(struct test_val, foo)),
4494 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
4495 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4496 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
4497 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
4498 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
4499 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
4500 BPF_EXIT_INSN(),
4501 },
4502 .fixup_map2 = { 3 },
4503 .errstr_unpriv = "R0 pointer arithmetic prohibited",
4504 .result = ACCEPT,
4505 .result_unpriv = REJECT,
02ea80b1 4506 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
f0318d01 4507 },
06c1c049
GB		 4508 {
4509 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
4510 .insns = {
4511 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4512 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4513 BPF_MOV64_IMM(BPF_REG_0, 0),
4514 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
4515 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
4516 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
4517 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
4518 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
4519 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
4520 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
4521 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
4522 BPF_MOV64_IMM(BPF_REG_2, 16),
4523 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4524 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4525 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
4526 BPF_MOV64_IMM(BPF_REG_4, 0),
4527 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
4528 BPF_MOV64_IMM(BPF_REG_3, 0),
4529 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4530 BPF_MOV64_IMM(BPF_REG_0, 0),
4531 BPF_EXIT_INSN(),
4532 },
4533 .result = ACCEPT,
4534 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4535 },
4536 {
4537 "helper access to variable memory: stack, bitwise AND, zero included",
4538 .insns = {
4539 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4540 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4541 BPF_MOV64_IMM(BPF_REG_2, 16),
4542 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4543 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4544 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
4545 BPF_MOV64_IMM(BPF_REG_3, 0),
4546 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4547 BPF_EXIT_INSN(),
4548 },
4549 .errstr = "invalid stack type R1 off=-64 access_size=0",
4550 .result = REJECT,
4551 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4552 },
4553 {
4554 "helper access to variable memory: stack, bitwise AND + JMP, wrong max",
4555 .insns = {
4556 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4557 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4558 BPF_MOV64_IMM(BPF_REG_2, 16),
4559 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4560 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4561 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
4562 BPF_MOV64_IMM(BPF_REG_4, 0),
4563 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
4564 BPF_MOV64_IMM(BPF_REG_3, 0),
4565 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4566 BPF_MOV64_IMM(BPF_REG_0, 0),
4567 BPF_EXIT_INSN(),
4568 },
4569 .errstr = "invalid stack type R1 off=-64 access_size=65",
4570 .result = REJECT,
4571 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4572 },
4573 {
4574 "helper access to variable memory: stack, JMP, correct bounds",
4575 .insns = {
4576 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4577 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4578 BPF_MOV64_IMM(BPF_REG_0, 0),
4579 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
4580 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
4581 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
4582 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
4583 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
4584 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
4585 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
4586 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
4587 BPF_MOV64_IMM(BPF_REG_2, 16),
4588 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4589 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4590 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
4591 BPF_MOV64_IMM(BPF_REG_4, 0),
4592 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
4593 BPF_MOV64_IMM(BPF_REG_3, 0),
4594 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4595 BPF_MOV64_IMM(BPF_REG_0, 0),
4596 BPF_EXIT_INSN(),
4597 },
4598 .result = ACCEPT,
4599 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4600 },
4601 {
4602 "helper access to variable memory: stack, JMP (signed), correct bounds",
4603 .insns = {
4604 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4605 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4606 BPF_MOV64_IMM(BPF_REG_0, 0),
4607 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
4608 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
4609 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
4610 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
4611 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
4612 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
4613 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
4614 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
4615 BPF_MOV64_IMM(BPF_REG_2, 16),
4616 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4617 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4618 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
4619 BPF_MOV64_IMM(BPF_REG_4, 0),
4620 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
4621 BPF_MOV64_IMM(BPF_REG_3, 0),
4622 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4623 BPF_MOV64_IMM(BPF_REG_0, 0),
4624 BPF_EXIT_INSN(),
4625 },
4626 .result = ACCEPT,
4627 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4628 },
4629 {
4630 "helper access to variable memory: stack, JMP, bounds + offset",
4631 .insns = {
4632 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4633 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4634 BPF_MOV64_IMM(BPF_REG_2, 16),
4635 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4636 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4637 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
4638 BPF_MOV64_IMM(BPF_REG_4, 0),
4639 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
4640 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4641 BPF_MOV64_IMM(BPF_REG_3, 0),
4642 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4643 BPF_MOV64_IMM(BPF_REG_0, 0),
4644 BPF_EXIT_INSN(),
4645 },
4646 .errstr = "invalid stack type R1 off=-64 access_size=65",
4647 .result = REJECT,
4648 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4649 },
4650 {
4651 "helper access to variable memory: stack, JMP, wrong max",
4652 .insns = {
4653 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4654 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4655 BPF_MOV64_IMM(BPF_REG_2, 16),
4656 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4657 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4658 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
4659 BPF_MOV64_IMM(BPF_REG_4, 0),
4660 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
4661 BPF_MOV64_IMM(BPF_REG_3, 0),
4662 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4663 BPF_MOV64_IMM(BPF_REG_0, 0),
4664 BPF_EXIT_INSN(),
4665 },
4666 .errstr = "invalid stack type R1 off=-64 access_size=65",
4667 .result = REJECT,
4668 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4669 },
4670 {
4671 "helper access to variable memory: stack, JMP, no max check",
4672 .insns = {
4673 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4674 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4675 BPF_MOV64_IMM(BPF_REG_2, 16),
4676 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4677 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4678 BPF_MOV64_IMM(BPF_REG_4, 0),
4679 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
4680 BPF_MOV64_IMM(BPF_REG_3, 0),
4681 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4682 BPF_MOV64_IMM(BPF_REG_0, 0),
4683 BPF_EXIT_INSN(),
4684 },
4685 .errstr = "R2 unbounded memory access",
4686 .result = REJECT,
4687 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4688 },
4689 {
4690 "helper access to variable memory: stack, JMP, no min check",
4691 .insns = {
4692 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4693 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4694 BPF_MOV64_IMM(BPF_REG_2, 16),
4695 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4696 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4697 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
4698 BPF_MOV64_IMM(BPF_REG_3, 0),
4699 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4700 BPF_MOV64_IMM(BPF_REG_0, 0),
4701 BPF_EXIT_INSN(),
4702 },
4703 .errstr = "invalid stack type R1 off=-64 access_size=0",
4704 .result = REJECT,
4705 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4706 },
4707 {
4708 "helper access to variable memory: stack, JMP (signed), no min check",
4709 .insns = {
4710 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4711 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4712 BPF_MOV64_IMM(BPF_REG_2, 16),
4713 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4714 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4715 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
4716 BPF_MOV64_IMM(BPF_REG_3, 0),
4717 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4718 BPF_MOV64_IMM(BPF_REG_0, 0),
4719 BPF_EXIT_INSN(),
4720 },
4721 .errstr = "R2 min value is negative",
4722 .result = REJECT,
4723 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4724 },
4725 {
4726 "helper access to variable memory: map, JMP, correct bounds",
4727 .insns = {
4728 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4729 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4730 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4731 BPF_LD_MAP_FD(BPF_REG_1, 0),
4732 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4733 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
4734 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4735 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
4736 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
4737 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
4738 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
4739 sizeof(struct test_val), 4),
4740 BPF_MOV64_IMM(BPF_REG_4, 0),
4741 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
4742 BPF_MOV64_IMM(BPF_REG_3, 0),
4743 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4744 BPF_MOV64_IMM(BPF_REG_0, 0),
4745 BPF_EXIT_INSN(),
4746 },
4747 .fixup_map2 = { 3 },
4748 .result = ACCEPT,
4749 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4750 },
4751 {
4752 "helper access to variable memory: map, JMP, wrong max",
4753 .insns = {
4754 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4755 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4756 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4757 BPF_LD_MAP_FD(BPF_REG_1, 0),
4758 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4759 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
4760 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4761 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
4762 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
4763 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
4764 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
4765 sizeof(struct test_val) + 1, 4),
4766 BPF_MOV64_IMM(BPF_REG_4, 0),
4767 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
4768 BPF_MOV64_IMM(BPF_REG_3, 0),
4769 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4770 BPF_MOV64_IMM(BPF_REG_0, 0),
4771 BPF_EXIT_INSN(),
4772 },
4773 .fixup_map2 = { 3 },
4774 .errstr = "invalid access to map value, value_size=48 off=0 size=49",
4775 .result = REJECT,
4776 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4777 },
4778 {
4779 "helper access to variable memory: map adjusted, JMP, correct bounds",
4780 .insns = {
4781 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4782 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4783 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4784 BPF_LD_MAP_FD(BPF_REG_1, 0),
4785 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4786 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
4787 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4788 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
4789 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
4790 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
4791 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
4792 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
4793 sizeof(struct test_val) - 20, 4),
4794 BPF_MOV64_IMM(BPF_REG_4, 0),
4795 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
4796 BPF_MOV64_IMM(BPF_REG_3, 0),
4797 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4798 BPF_MOV64_IMM(BPF_REG_0, 0),
4799 BPF_EXIT_INSN(),
4800 },
4801 .fixup_map2 = { 3 },
4802 .result = ACCEPT,
4803 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4804 },
4805 {
4806 "helper access to variable memory: map adjusted, JMP, wrong max",
4807 .insns = {
4808 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4809 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4810 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4811 BPF_LD_MAP_FD(BPF_REG_1, 0),
4812 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4813 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
4814 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4815 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
4816 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
4817 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
4818 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
4819 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
4820 sizeof(struct test_val) - 19, 4),
4821 BPF_MOV64_IMM(BPF_REG_4, 0),
4822 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
4823 BPF_MOV64_IMM(BPF_REG_3, 0),
4824 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4825 BPF_MOV64_IMM(BPF_REG_0, 0),
4826 BPF_EXIT_INSN(),
4827 },
4828 .fixup_map2 = { 3 },
4829 .errstr = "R1 min value is outside of the array range",
4830 .result = REJECT,
4831 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4832 },
4833 {
4834 "helper access to variable memory: size > 0 not allowed on NULL",
4835 .insns = {
4836 BPF_MOV64_IMM(BPF_REG_1, 0),
4837 BPF_MOV64_IMM(BPF_REG_2, 0),
3fadc801
DB		 4838 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
4839 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
06c1c049
GB		 4840 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
4841 BPF_MOV64_IMM(BPF_REG_3, 0),
4842 BPF_MOV64_IMM(BPF_REG_4, 0),
4843 BPF_MOV64_IMM(BPF_REG_5, 0),
4844 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
4845 BPF_EXIT_INSN(),
4846 },
4847 .errstr = "R1 type=imm expected=fp",
4848 .result = REJECT,
4849 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4850 },
4851 {
4852 "helper access to variable memory: size = 0 not allowed on != NULL",
4853 .insns = {
4854 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4855 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
4856 BPF_MOV64_IMM(BPF_REG_2, 0),
4857 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
4858 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
4859 BPF_MOV64_IMM(BPF_REG_3, 0),
4860 BPF_MOV64_IMM(BPF_REG_4, 0),
4861 BPF_MOV64_IMM(BPF_REG_5, 0),
4862 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
4863 BPF_EXIT_INSN(),
4864 },
4865 .errstr = "invalid stack type R1 off=-8 access_size=0",
4866 .result = REJECT,
4867 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4868 },
4869 {
4870 "helper access to variable memory: 8 bytes leak",
4871 .insns = {
4872 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4873 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4874 BPF_MOV64_IMM(BPF_REG_0, 0),
4875 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
4876 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
4877 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
4878 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
4879 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
4880 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
4881 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
4882 BPF_MOV64_IMM(BPF_REG_2, 0),
3fadc801
DB		 4883 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
4884 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
06c1c049
GB		 4885 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
4886 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4887 BPF_MOV64_IMM(BPF_REG_3, 0),
4888 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4889 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
4890 BPF_EXIT_INSN(),
4891 },
4892 .errstr = "invalid indirect read from stack off -64+32 size 64",
4893 .result = REJECT,
4894 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4895 },
4896 {
4897 "helper access to variable memory: 8 bytes no leak (init memory)",
4898 .insns = {
4899 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4900 BPF_MOV64_IMM(BPF_REG_0, 0),
4901 BPF_MOV64_IMM(BPF_REG_0, 0),
4902 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
4903 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
4904 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
4905 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
4906 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
4907 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
4908 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
4909 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
4910 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4911 BPF_MOV64_IMM(BPF_REG_2, 0),
4912 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
4913 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
4914 BPF_MOV64_IMM(BPF_REG_3, 0),
4915 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4916 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
4917 BPF_EXIT_INSN(),
4918 },
4919 .result = ACCEPT,
4920 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4921 },
29200c19
JB		 4922 {
4923 "invalid and of negative number",
4924 .insns = {
4925 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4926 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4927 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4928 BPF_LD_MAP_FD(BPF_REG_1, 0),
4929 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4930 BPF_FUNC_map_lookup_elem),
4931 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4932 BPF_MOV64_IMM(BPF_REG_1, 6),
4933 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4),
4934 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4935 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4936 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4937 offsetof(struct test_val, foo)),
4938 BPF_EXIT_INSN(),
4939 },
4940 .fixup_map2 = { 3 },
4941 .errstr_unpriv = "R0 pointer arithmetic prohibited",
4942 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
4943 .result = REJECT,
4944 .result_unpriv = REJECT,
02ea80b1 4945 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
29200c19
JB		 4946 },
4947 {
4948 "invalid range check",
4949 .insns = {
4950 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4951 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4952 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4953 BPF_LD_MAP_FD(BPF_REG_1, 0),
4954 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4955 BPF_FUNC_map_lookup_elem),
4956 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12),
4957 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4958 BPF_MOV64_IMM(BPF_REG_9, 1),
4959 BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2),
4960 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
4961 BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1),
4962 BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1),
4963 BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1),
4964 BPF_MOV32_IMM(BPF_REG_3, 1),
4965 BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9),
4966 BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000),
4967 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
4968 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),
4969 BPF_MOV64_REG(BPF_REG_0, 0),
4970 BPF_EXIT_INSN(),
4971 },
4972 .fixup_map2 = { 3 },
4973 .errstr_unpriv = "R0 pointer arithmetic prohibited",
4974 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
4975 .result = REJECT,
4976 .result_unpriv = REJECT,
02ea80b1 4977 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
fb30d4b7
MKL		 4978 },
4979 {
4980 "map in map access",
4981 .insns = {
4982 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
4983 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4984 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
4985 BPF_LD_MAP_FD(BPF_REG_1, 0),
4986 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4987 BPF_FUNC_map_lookup_elem),
4988 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4989 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
4990 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4991 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
4992 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4993 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4994 BPF_FUNC_map_lookup_elem),
4995 BPF_MOV64_REG(BPF_REG_0, 0),
4996 BPF_EXIT_INSN(),
4997 },
4998 .fixup_map_in_map = { 3 },
4999 .result = ACCEPT,
5000 },
5001 {
5002 "invalid inner map pointer",
5003 .insns = {
5004 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5005 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5006 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5007 BPF_LD_MAP_FD(BPF_REG_1, 0),
5008 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5009 BPF_FUNC_map_lookup_elem),
5010 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5011 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5012 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5013 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5014 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5015 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
5016 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5017 BPF_FUNC_map_lookup_elem),
5018 BPF_MOV64_REG(BPF_REG_0, 0),
5019 BPF_EXIT_INSN(),
5020 },
5021 .fixup_map_in_map = { 3 },
5022 .errstr = "R1 type=inv expected=map_ptr",
5023 .errstr_unpriv = "R1 pointer arithmetic prohibited",
5024 .result = REJECT,
5025 },
5026 {
5027 "forgot null checking on the inner map pointer",
5028 .insns = {
5029 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5030 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5031 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5032 BPF_LD_MAP_FD(BPF_REG_1, 0),
5033 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5034 BPF_FUNC_map_lookup_elem),
5035 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5036 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5037 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5038 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5039 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5040 BPF_FUNC_map_lookup_elem),
5041 BPF_MOV64_REG(BPF_REG_0, 0),
5042 BPF_EXIT_INSN(),
5043 },
5044 .fixup_map_in_map = { 3 },
5045 .errstr = "R1 type=map_value_or_null expected=map_ptr",
5046 .result = REJECT,
614d0d77
DB		 5047 },
5048 {
5049 "ld_abs: check calling conv, r1",
5050 .insns = {
5051 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5052 BPF_MOV64_IMM(BPF_REG_1, 0),
5053 BPF_LD_ABS(BPF_W, -0x200000),
5054 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5055 BPF_EXIT_INSN(),
5056 },
5057 .errstr = "R1 !read_ok",
5058 .result = REJECT,
5059 },
5060 {
5061 "ld_abs: check calling conv, r2",
5062 .insns = {
5063 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5064 BPF_MOV64_IMM(BPF_REG_2, 0),
5065 BPF_LD_ABS(BPF_W, -0x200000),
5066 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5067 BPF_EXIT_INSN(),
5068 },
5069 .errstr = "R2 !read_ok",
5070 .result = REJECT,
5071 },
5072 {
5073 "ld_abs: check calling conv, r3",
5074 .insns = {
5075 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5076 BPF_MOV64_IMM(BPF_REG_3, 0),
5077 BPF_LD_ABS(BPF_W, -0x200000),
5078 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
5079 BPF_EXIT_INSN(),
5080 },
5081 .errstr = "R3 !read_ok",
5082 .result = REJECT,
5083 },
5084 {
5085 "ld_abs: check calling conv, r4",
5086 .insns = {
5087 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5088 BPF_MOV64_IMM(BPF_REG_4, 0),
5089 BPF_LD_ABS(BPF_W, -0x200000),
5090 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
5091 BPF_EXIT_INSN(),
5092 },
5093 .errstr = "R4 !read_ok",
5094 .result = REJECT,
5095 },
5096 {
5097 "ld_abs: check calling conv, r5",
5098 .insns = {
5099 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5100 BPF_MOV64_IMM(BPF_REG_5, 0),
5101 BPF_LD_ABS(BPF_W, -0x200000),
5102 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
5103 BPF_EXIT_INSN(),
5104 },
5105 .errstr = "R5 !read_ok",
5106 .result = REJECT,
5107 },
5108 {
5109 "ld_abs: check calling conv, r7",
5110 .insns = {
5111 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5112 BPF_MOV64_IMM(BPF_REG_7, 0),
5113 BPF_LD_ABS(BPF_W, -0x200000),
5114 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
5115 BPF_EXIT_INSN(),
5116 },
5117 .result = ACCEPT,
5118 },
5119 {
5120 "ld_ind: check calling conv, r1",
5121 .insns = {
5122 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5123 BPF_MOV64_IMM(BPF_REG_1, 1),
5124 BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000),
5125 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5126 BPF_EXIT_INSN(),
5127 },
5128 .errstr = "R1 !read_ok",
5129 .result = REJECT,
5130 },
5131 {
5132 "ld_ind: check calling conv, r2",
5133 .insns = {
5134 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5135 BPF_MOV64_IMM(BPF_REG_2, 1),
5136 BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000),
5137 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5138 BPF_EXIT_INSN(),
5139 },
5140 .errstr = "R2 !read_ok",
5141 .result = REJECT,
5142 },
5143 {
5144 "ld_ind: check calling conv, r3",
5145 .insns = {
5146 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5147 BPF_MOV64_IMM(BPF_REG_3, 1),
5148 BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000),
5149 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
5150 BPF_EXIT_INSN(),
5151 },
5152 .errstr = "R3 !read_ok",
5153 .result = REJECT,
5154 },
5155 {
5156 "ld_ind: check calling conv, r4",
5157 .insns = {
5158 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5159 BPF_MOV64_IMM(BPF_REG_4, 1),
5160 BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000),
5161 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
5162 BPF_EXIT_INSN(),
5163 },
5164 .errstr = "R4 !read_ok",
5165 .result = REJECT,
5166 },
5167 {
5168 "ld_ind: check calling conv, r5",
5169 .insns = {
5170 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5171 BPF_MOV64_IMM(BPF_REG_5, 1),
5172 BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000),
5173 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
5174 BPF_EXIT_INSN(),
5175 },
5176 .errstr = "R5 !read_ok",
5177 .result = REJECT,
5178 },
5179 {
5180 "ld_ind: check calling conv, r7",
5181 .insns = {
5182 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5183 BPF_MOV64_IMM(BPF_REG_7, 1),
5184 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
5185 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
5186 BPF_EXIT_INSN(),
5187 },
5188 .result = ACCEPT,
5189 },
18f3d6be
YS		 5190 {
5191 "check bpf_perf_event_data->sample_period byte load permitted",
5192 .insns = {
5193 BPF_MOV64_IMM(BPF_REG_0, 0),
5194#ifdef __LITTLE_ENDIAN
5195 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
5196 offsetof(struct bpf_perf_event_data, sample_period)),
5197#else
5198 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
5199 offsetof(struct bpf_perf_event_data, sample_period) + 7),
5200#endif
5201 BPF_EXIT_INSN(),
5202 },
5203 .result = ACCEPT,
5204 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
5205 },
5206 {
5207 "check bpf_perf_event_data->sample_period half load permitted",
5208 .insns = {
5209 BPF_MOV64_IMM(BPF_REG_0, 0),
5210#ifdef __LITTLE_ENDIAN
5211 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
5212 offsetof(struct bpf_perf_event_data, sample_period)),
5213#else
5214 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
5215 offsetof(struct bpf_perf_event_data, sample_period) + 6),
5216#endif
5217 BPF_EXIT_INSN(),
5218 },
5219 .result = ACCEPT,
5220 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
5221 },
5222 {
5223 "check bpf_perf_event_data->sample_period word load permitted",
5224 .insns = {
5225 BPF_MOV64_IMM(BPF_REG_0, 0),
5226#ifdef __LITTLE_ENDIAN
5227 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5228 offsetof(struct bpf_perf_event_data, sample_period)),
5229#else
5230 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5231 offsetof(struct bpf_perf_event_data, sample_period) + 4),
5232#endif
5233 BPF_EXIT_INSN(),
5234 },
5235 .result = ACCEPT,
5236 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
5237 },
5238 {
5239 "check bpf_perf_event_data->sample_period dword load permitted",
5240 .insns = {
5241 BPF_MOV64_IMM(BPF_REG_0, 0),
5242 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
5243 offsetof(struct bpf_perf_event_data, sample_period)),
5244 BPF_EXIT_INSN(),
5245 },
5246 .result = ACCEPT,
5247 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
5248 },
5249 {
5250 "check skb->data half load not permitted",
5251 .insns = {
5252 BPF_MOV64_IMM(BPF_REG_0, 0),
5253#ifdef __LITTLE_ENDIAN
5254 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
5255 offsetof(struct __sk_buff, data)),
5256#else
5257 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
5258 offsetof(struct __sk_buff, data) + 2),
5259#endif
5260 BPF_EXIT_INSN(),
5261 },
5262 .result = REJECT,
5263 .errstr = "invalid bpf_context access",
5264 },
5265 {
5266 "check skb->tc_classid half load not permitted for lwt prog",
5267 .insns = {
5268 BPF_MOV64_IMM(BPF_REG_0, 0),
5269#ifdef __LITTLE_ENDIAN
5270 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
5271 offsetof(struct __sk_buff, tc_classid)),
5272#else
5273 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
5274 offsetof(struct __sk_buff, tc_classid) + 2),
5275#endif
5276 BPF_EXIT_INSN(),
5277 },
5278 .result = REJECT,
5279 .errstr = "invalid bpf_context access",
5280 .prog_type = BPF_PROG_TYPE_LWT_IN,
5281 },
3c731eba
AS		 5282};
5283
5aa5bd14 5284static int probe_filter_length(const struct bpf_insn *fp)
3c731eba 5285{
5aa5bd14 5286 int len;
3c731eba
AS		 5287
5288 for (len = MAX_INSNS - 1; len > 0; --len)
5289 if (fp[len].code != 0 || fp[len].imm != 0)
5290 break;
3c731eba
AS		 5291 return len + 1;
5292}
5293
5aa5bd14 5294static int create_map(uint32_t size_value, uint32_t max_elem)
3c731eba 5295{
5aa5bd14 5296 int fd;
3c731eba 5297
f4874d01 5298 fd = bpf_create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
5aa5bd14
DB		 5299 size_value, max_elem, BPF_F_NO_PREALLOC);
5300 if (fd < 0)
5301 printf("Failed to create hash map '%s'!\n", strerror(errno));
bf508877 5302
5aa5bd14 5303 return fd;
bf508877
AS		 5304}
5305
5306static int create_prog_array(void)
5307{
5aa5bd14 5308 int fd;
bf508877 5309
f4874d01 5310 fd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
5aa5bd14
DB		 5311 sizeof(int), 4, 0);
5312 if (fd < 0)
5313 printf("Failed to create prog array '%s'!\n", strerror(errno));
3c731eba 5314
5aa5bd14 5315 return fd;
3c731eba
AS		 5316}
5317
fb30d4b7
MKL		 5318static int create_map_in_map(void)
5319{
5320 int inner_map_fd, outer_map_fd;
5321
5322 inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
5323 sizeof(int), 1, 0);
5324 if (inner_map_fd < 0) {
5325 printf("Failed to create array '%s'!\n", strerror(errno));
5326 return inner_map_fd;
5327 }
5328
5329 outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS,
5330 sizeof(int), inner_map_fd, 1, 0);
5331 if (outer_map_fd < 0)
5332 printf("Failed to create array of maps '%s'!\n",
5333 strerror(errno));
5334
5335 close(inner_map_fd);
5336
5337 return outer_map_fd;
5338}
5339
5aa5bd14
DB		 5340static char bpf_vlog[32768];
5341
5342static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog,
fb30d4b7 5343 int *map_fds)
3c731eba 5344{
5aa5bd14
DB		 5345 int *fixup_map1 = test->fixup_map1;
5346 int *fixup_map2 = test->fixup_map2;
5347 int *fixup_prog = test->fixup_prog;
fb30d4b7 5348 int *fixup_map_in_map = test->fixup_map_in_map;
3c731eba 5349
5aa5bd14
DB		 5350 /* Allocating HTs with 1 elem is fine here, since we only test
5351 * for verifier and not do a runtime lookup, so the only thing
5352 * that really matters is value size in this case.
5353 */
5354 if (*fixup_map1) {
fb30d4b7 5355 map_fds[0] = create_map(sizeof(long long), 1);
5aa5bd14 5356 do {
fb30d4b7 5357 prog[*fixup_map1].imm = map_fds[0];
5aa5bd14
DB		 5358 fixup_map1++;
5359 } while (*fixup_map1);
5360 }
3c731eba 5361
5aa5bd14 5362 if (*fixup_map2) {
fb30d4b7 5363 map_fds[1] = create_map(sizeof(struct test_val), 1);
5aa5bd14 5364 do {
fb30d4b7 5365 prog[*fixup_map2].imm = map_fds[1];
5aa5bd14
DB		 5366 fixup_map2++;
5367 } while (*fixup_map2);
5368 }
3c731eba 5369
5aa5bd14 5370 if (*fixup_prog) {
fb30d4b7 5371 map_fds[2] = create_prog_array();
5aa5bd14 5372 do {
fb30d4b7 5373 prog[*fixup_prog].imm = map_fds[2];
5aa5bd14
DB		 5374 fixup_prog++;
5375 } while (*fixup_prog);
5376 }
fb30d4b7
MKL		 5377
5378 if (*fixup_map_in_map) {
5379 map_fds[3] = create_map_in_map();
5380 do {
5381 prog[*fixup_map_in_map].imm = map_fds[3];
5382 fixup_map_in_map++;
5383 } while (*fixup_map_in_map);
5384 }
5aa5bd14 5385}
bf508877 5386
5aa5bd14
DB		 5387static void do_test_single(struct bpf_test *test, bool unpriv,
5388 int *passes, int *errors)
5389{
02ea80b1 5390 int fd_prog, expected_ret, reject_from_alignment;
5aa5bd14
DB		 5391 struct bpf_insn *prog = test->insns;
5392 int prog_len = probe_filter_length(prog);
5393 int prog_type = test->prog_type;
fb30d4b7 5394 int map_fds[MAX_NR_MAPS];
5aa5bd14 5395 const char *expected_err;
fb30d4b7
MKL		 5396 int i;
5397
5398 for (i = 0; i < MAX_NR_MAPS; i++)
5399 map_fds[i] = -1;
48461135 5400
fb30d4b7 5401 do_test_fixup(test, prog, map_fds);
3c731eba 5402
614d0d77
DB		 5403 fd_prog = bpf_verify_program(prog_type ? : BPF_PROG_TYPE_SOCKET_FILTER,
5404 prog, prog_len, test->flags & F_LOAD_WITH_STRICT_ALIGNMENT,
5405 "GPL", 0, bpf_vlog, sizeof(bpf_vlog));
3c731eba 5406
5aa5bd14
DB		 5407 expected_ret = unpriv && test->result_unpriv != UNDEF ?
5408 test->result_unpriv : test->result;
5409 expected_err = unpriv && test->errstr_unpriv ?
5410 test->errstr_unpriv : test->errstr;
02ea80b1
DB		 5411
5412 reject_from_alignment = fd_prog < 0 &&
5413 (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) &&
5414 strstr(bpf_vlog, "Unknown alignment.");
5415#ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
5416 if (reject_from_alignment) {
5417 printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n",
5418 strerror(errno));
5419 goto fail_log;
5420 }
5421#endif
5aa5bd14 5422 if (expected_ret == ACCEPT) {
02ea80b1 5423 if (fd_prog < 0 && !reject_from_alignment) {
5aa5bd14
DB		 5424 printf("FAIL\nFailed to load prog '%s'!\n",
5425 strerror(errno));
5426 goto fail_log;
5427 }
5428 } else {
5429 if (fd_prog >= 0) {
5430 printf("FAIL\nUnexpected success to load!\n");
5431 goto fail_log;
5432 }
02ea80b1 5433 if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) {
5aa5bd14
DB		 5434 printf("FAIL\nUnexpected error message!\n");
5435 goto fail_log;
5436 }
5437 }
bf508877 5438
5aa5bd14 5439 (*passes)++;
02ea80b1
DB		 5440 printf("OK%s\n", reject_from_alignment ?
5441 " (NOTE: reject due to unknown alignment)" : "");
5aa5bd14
DB		 5442close_fds:
5443 close(fd_prog);
fb30d4b7
MKL		 5444 for (i = 0; i < MAX_NR_MAPS; i++)
5445 close(map_fds[i]);
5aa5bd14
DB		 5446 sched_yield();
5447 return;
5448fail_log:
5449 (*errors)++;
5450 printf("%s", bpf_vlog);
5451 goto close_fds;
5452}
bf508877 5453
d02d8986
MS		 5454static bool is_admin(void)
5455{
5456 cap_t caps;
5457 cap_flag_value_t sysadmin = CAP_CLEAR;
5458 const cap_value_t cap_val = CAP_SYS_ADMIN;
5459
1da8ac7c 5460#ifdef CAP_IS_SUPPORTED
d02d8986
MS		 5461 if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) {
5462 perror("cap_get_flag");
5463 return false;
5464 }
1da8ac7c 5465#endif
d02d8986
MS		 5466 caps = cap_get_proc();
5467 if (!caps) {
5468 perror("cap_get_proc");
5469 return false;
5470 }
5471 if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin))
5472 perror("cap_get_flag");
5473 if (cap_free(caps))
5474 perror("cap_free");
5475 return (sysadmin == CAP_SET);
5476}
5477
5478static int set_admin(bool admin)
5479{
5480 cap_t caps;
5481 const cap_value_t cap_val = CAP_SYS_ADMIN;
5482 int ret = -1;
5483
5484 caps = cap_get_proc();
5485 if (!caps) {
5486 perror("cap_get_proc");
5487 return -1;
5488 }
5489 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val,
5490 admin ? CAP_SET : CAP_CLEAR)) {
5491 perror("cap_set_flag");
5492 goto out;
5493 }
5494 if (cap_set_proc(caps)) {
5495 perror("cap_set_proc");
5496 goto out;
5497 }
5498 ret = 0;
5499out:
5500 if (cap_free(caps))
5501 perror("cap_free");
5502 return ret;
5503}
5504
5aa5bd14
DB		 5505static int do_test(bool unpriv, unsigned int from, unsigned int to)
5506{
5507 int i, passes = 0, errors = 0;
3c731eba 5508
5aa5bd14
DB		 5509 for (i = from; i < to; i++) {
5510 struct bpf_test *test = &tests[i];
3c731eba 5511
5aa5bd14
DB		 5512 /* Program types that are not supported by non-root we
5513 * skip right away.
5514 */
d02d8986
MS		 5515 if (!test->prog_type) {
5516 if (!unpriv)
5517 set_admin(false);
5518 printf("#%d/u %s ", i, test->descr);
5519 do_test_single(test, true, &passes, &errors);
5520 if (!unpriv)
5521 set_admin(true);
5522 }
5aa5bd14 5523
d02d8986
MS		 5524 if (!unpriv) {
5525 printf("#%d/p %s ", i, test->descr);
5526 do_test_single(test, false, &passes, &errors);
5527 }
3c731eba
AS		 5528 }
5529
5aa5bd14 5530 printf("Summary: %d PASSED, %d FAILED\n", passes, errors);
efe5f9c0 5531 return errors ? EXIT_FAILURE : EXIT_SUCCESS;
3c731eba
AS		 5532}
5533
5aa5bd14 5534int main(int argc, char **argv)
3c731eba 5535{
5aa5bd14
DB		 5536 struct rlimit rinf = { RLIM_INFINITY, RLIM_INFINITY };
5537 struct rlimit rlim = { 1 << 20, 1 << 20 };
5538 unsigned int from = 0, to = ARRAY_SIZE(tests);
d02d8986 5539 bool unpriv = !is_admin();
5aa5bd14
DB		 5540
5541 if (argc == 3) {
5542 unsigned int l = atoi(argv[argc - 2]);
5543 unsigned int u = atoi(argv[argc - 1]);
5544
5545 if (l < to && u < to) {
5546 from = l;
5547 to = u + 1;
5548 }
5549 } else if (argc == 2) {
5550 unsigned int t = atoi(argv[argc - 1]);
5551
5552 if (t < to) {
5553 from = t;
5554 to = t + 1;
5555 }
5556 }
bf508877 5557
5aa5bd14
DB		 5558 setrlimit(RLIMIT_MEMLOCK, unpriv ? &rlim : &rinf);
5559 return do_test(unpriv, from, to);
3c731eba 5560}
Linux 6.x block layer and io_uring tree(s)