projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
bpf: test make sure to run unpriv test cases in test_verifier
[linux-2.6-block.git] / tools / testing / selftests / bpf / test_verifier.c
CommitLineData
3c731eba
AS		 1/*
2 * Testsuite for eBPF verifier
3 *
4 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
a7ff3eca 5 * Copyright (c) 2017 Facebook
b584ab88 6 * Copyright (c) 2018 Covalent IO, Inc. http://covalent.io
3c731eba
AS		 7 *
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of version 2 of the GNU General Public
10 * License as published by the Free Software Foundation.
11 */
5aa5bd14 12
2c460621 13#include <endian.h>
1da8ac7c
AS		 14#include <asm/types.h>
15#include <linux/types.h>
702498a1 16#include <stdint.h>
3c731eba 17#include <stdio.h>
702498a1 18#include <stdlib.h>
3c731eba 19#include <unistd.h>
3c731eba 20#include <errno.h>
3c731eba 21#include <string.h>
614cd3bd 22#include <stddef.h>
bf508877 23#include <stdbool.h>
5aa5bd14 24#include <sched.h>
21ccaf21 25#include <limits.h>
5aa5bd14 26
d02d8986 27#include <sys/capability.h>
3c731eba 28
5aa5bd14
DB		 29#include <linux/unistd.h>
30#include <linux/filter.h>
31#include <linux/bpf_perf_event.h>
32#include <linux/bpf.h>
111e6b45 33#include <linux/if_ether.h>
5aa5bd14 34
2ee89fb9
MS		 35#include <bpf/bpf.h>
36
02ea80b1
DB		 37#ifdef HAVE_GENHDR
38# include "autoconf.h"
39#else
40# if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
41# define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
42# endif
43#endif
fe8d662a 44#include "bpf_rlimit.h"
a82d8cd3 45#include "bpf_rand.h"
aa5f0c96 46#include "bpf_util.h"
5aa5bd14
DB		 47#include "../../../include/linux/filter.h"
48
93731ef0 49#define MAX_INSNS BPF_MAXINSNS
5aa5bd14 50#define MAX_FIXUPS 8
7c85c448 51#define MAX_NR_MAPS 13
111e6b45
AS		 52#define POINTER_VALUE 0xcafe4all
53#define TEST_DATA_LEN 64
bf508877 54
02ea80b1 55#define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS (1 << 0)
614d0d77 56#define F_LOAD_WITH_STRICT_ALIGNMENT (1 << 1)
02ea80b1 57
0a674874
JS		 58#define UNPRIV_SYSCTL "kernel/unprivileged_bpf_disabled"
59static bool unpriv_disabled = false;
60
3c731eba
AS		 61struct bpf_test {
62 const char *descr;
63 struct bpf_insn insns[MAX_INSNS];
908142e6
PB		 64 int fixup_map_hash_8b[MAX_FIXUPS];
65 int fixup_map_hash_48b[MAX_FIXUPS];
66 int fixup_map_hash_16b[MAX_FIXUPS];
67 int fixup_map_array_48b[MAX_FIXUPS];
7c85c448
PB		 68 int fixup_map_sockmap[MAX_FIXUPS];
69 int fixup_map_sockhash[MAX_FIXUPS];
70 int fixup_map_xskmap[MAX_FIXUPS];
71 int fixup_map_stacktrace[MAX_FIXUPS];
06be0864
DB		 72 int fixup_prog1[MAX_FIXUPS];
73 int fixup_prog2[MAX_FIXUPS];
fb30d4b7 74 int fixup_map_in_map[MAX_FIXUPS];
d4c9f573 75 int fixup_cgroup_storage[MAX_FIXUPS];
a3c6054f 76 int fixup_percpu_cgroup_storage[MAX_FIXUPS];
3c731eba 77 const char *errstr;
bf508877 78 const char *errstr_unpriv;
832c6f2c 79 uint32_t retval, retval_unpriv;
3c731eba 80 enum {
bf508877 81 UNDEF,
3c731eba
AS		 82 ACCEPT,
83 REJECT
bf508877 84 } result, result_unpriv;
d691f9e8 85 enum bpf_prog_type prog_type;
02ea80b1 86 uint8_t flags;
93731ef0
DB		 87 __u8 data[TEST_DATA_LEN];
88 void (*fill_helper)(struct bpf_test *self);
3c731eba
AS		 89};
90
48461135
JB		 91/* Note we want this to be 64 bit aligned so that the end of our array is
92 * actually the end of the structure.
93 */
94#define MAX_ENTRIES 11
5aa5bd14 95
48461135 96struct test_val {
5aa5bd14 97 unsigned int index;
48461135
JB		 98 int foo[MAX_ENTRIES];
99};
100
5f90dd6a
PC		 101struct other_val {
102 long long foo;
103 long long bar;
104};
105
93731ef0
DB		 106static void bpf_fill_ld_abs_vlan_push_pop(struct bpf_test *self)
107{
108 /* test: {skb->data[0], vlan_push} x 68 + {skb->data[0], vlan_pop} x 68 */
109#define PUSH_CNT 51
110 unsigned int len = BPF_MAXINSNS;
111 struct bpf_insn *insn = self->insns;
112 int i = 0, j, k = 0;
113
114 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
115loop:
116 for (j = 0; j < PUSH_CNT; j++) {
117 insn[i++] = BPF_LD_ABS(BPF_B, 0);
118 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
119 i++;
120 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
121 insn[i++] = BPF_MOV64_IMM(BPF_REG_2, 1);
122 insn[i++] = BPF_MOV64_IMM(BPF_REG_3, 2);
123 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
124 BPF_FUNC_skb_vlan_push),
125 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
126 i++;
127 }
128
129 for (j = 0; j < PUSH_CNT; j++) {
130 insn[i++] = BPF_LD_ABS(BPF_B, 0);
131 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
132 i++;
133 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
134 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
135 BPF_FUNC_skb_vlan_pop),
136 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
137 i++;
138 }
139 if (++k < 5)
140 goto loop;
141
142 for (; i < len - 1; i++)
143 insn[i] = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, 0xbef);
144 insn[len - 1] = BPF_EXIT_INSN();
145}
146
147static void bpf_fill_jump_around_ld_abs(struct bpf_test *self)
148{
149 struct bpf_insn *insn = self->insns;
150 unsigned int len = BPF_MAXINSNS;
151 int i = 0;
152
153 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
154 insn[i++] = BPF_LD_ABS(BPF_B, 0);
155 insn[i] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 10, len - i - 2);
156 i++;
157 while (i < len - 1)
158 insn[i++] = BPF_LD_ABS(BPF_B, 1);
159 insn[i] = BPF_EXIT_INSN();
160}
161
a82d8cd3
DB		 162static void bpf_fill_rand_ld_dw(struct bpf_test *self)
163{
164 struct bpf_insn *insn = self->insns;
165 uint64_t res = 0;
166 int i = 0;
167
168 insn[i++] = BPF_MOV32_IMM(BPF_REG_0, 0);
169 while (i < self->retval) {
170 uint64_t val = bpf_semi_rand_get();
171 struct bpf_insn tmp[2] = { BPF_LD_IMM64(BPF_REG_1, val) };
172
173 res ^= val;
174 insn[i++] = tmp[0];
175 insn[i++] = tmp[1];
176 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
177 }
178 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_0);
179 insn[i++] = BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32);
180 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
181 insn[i] = BPF_EXIT_INSN();
182 res ^= (res >> 32);
183 self->retval = (uint32_t)res;
184}
185
b584ab88
JS		 186/* BPF_SK_LOOKUP contains 13 instructions, if you need to fix up maps */
187#define BPF_SK_LOOKUP \
188 /* struct bpf_sock_tuple tuple = {} */ \
189 BPF_MOV64_IMM(BPF_REG_2, 0), \
190 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_2, -8), \
191 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -16), \
192 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -24), \
193 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -32), \
194 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -40), \
195 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -48), \
196 /* sk = sk_lookup_tcp(ctx, &tuple, sizeof tuple, 0, 0) */ \
197 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), \
198 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48), \
199 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct bpf_sock_tuple)), \
200 BPF_MOV64_IMM(BPF_REG_4, 0), \
201 BPF_MOV64_IMM(BPF_REG_5, 0), \
202 BPF_EMIT_CALL(BPF_FUNC_sk_lookup_tcp)
203
3c731eba
AS		 204static struct bpf_test tests[] = {
205 {
206 "add+sub+mul",
207 .insns = {
208 BPF_MOV64_IMM(BPF_REG_1, 1),
209 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
210 BPF_MOV64_IMM(BPF_REG_2, 3),
211 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
212 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
213 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
214 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
215 BPF_EXIT_INSN(),
216 },
217 .result = ACCEPT,
111e6b45 218 .retval = -3,
3c731eba 219 },
87c1793b
DB		 220 {
221 "DIV32 by 0, zero check 1",
222 .insns = {
223 BPF_MOV32_IMM(BPF_REG_0, 42),
224 BPF_MOV32_IMM(BPF_REG_1, 0),
225 BPF_MOV32_IMM(BPF_REG_2, 1),
226 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
227 BPF_EXIT_INSN(),
228 },
229 .result = ACCEPT,
21ccaf21 230 .retval = 42,
87c1793b
DB		 231 },
232 {
233 "DIV32 by 0, zero check 2",
234 .insns = {
235 BPF_MOV32_IMM(BPF_REG_0, 42),
236 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
237 BPF_MOV32_IMM(BPF_REG_2, 1),
238 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
239 BPF_EXIT_INSN(),
240 },
241 .result = ACCEPT,
21ccaf21 242 .retval = 42,
87c1793b
DB		 243 },
244 {
245 "DIV64 by 0, zero check",
246 .insns = {
247 BPF_MOV32_IMM(BPF_REG_0, 42),
248 BPF_MOV32_IMM(BPF_REG_1, 0),
249 BPF_MOV32_IMM(BPF_REG_2, 1),
250 BPF_ALU64_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
251 BPF_EXIT_INSN(),
252 },
253 .result = ACCEPT,
21ccaf21 254 .retval = 42,
87c1793b
DB		 255 },
256 {
257 "MOD32 by 0, zero check 1",
258 .insns = {
259 BPF_MOV32_IMM(BPF_REG_0, 42),
260 BPF_MOV32_IMM(BPF_REG_1, 0),
261 BPF_MOV32_IMM(BPF_REG_2, 1),
262 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
263 BPF_EXIT_INSN(),
264 },
265 .result = ACCEPT,
21ccaf21 266 .retval = 42,
87c1793b
DB		 267 },
268 {
269 "MOD32 by 0, zero check 2",
270 .insns = {
271 BPF_MOV32_IMM(BPF_REG_0, 42),
272 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
273 BPF_MOV32_IMM(BPF_REG_2, 1),
274 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
275 BPF_EXIT_INSN(),
276 },
277 .result = ACCEPT,
21ccaf21 278 .retval = 42,
87c1793b
DB		 279 },
280 {
281 "MOD64 by 0, zero check",
282 .insns = {
283 BPF_MOV32_IMM(BPF_REG_0, 42),
284 BPF_MOV32_IMM(BPF_REG_1, 0),
285 BPF_MOV32_IMM(BPF_REG_2, 1),
286 BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
287 BPF_EXIT_INSN(),
288 },
289 .result = ACCEPT,
21ccaf21
DB		 290 .retval = 42,
291 },
292 {
293 "DIV32 by 0, zero check ok, cls",
294 .insns = {
295 BPF_MOV32_IMM(BPF_REG_0, 42),
296 BPF_MOV32_IMM(BPF_REG_1, 2),
297 BPF_MOV32_IMM(BPF_REG_2, 16),
298 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
299 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
300 BPF_EXIT_INSN(),
301 },
302 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
303 .result = ACCEPT,
304 .retval = 8,
305 },
306 {
307 "DIV32 by 0, zero check 1, cls",
308 .insns = {
309 BPF_MOV32_IMM(BPF_REG_1, 0),
310 BPF_MOV32_IMM(BPF_REG_0, 1),
311 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
312 BPF_EXIT_INSN(),
313 },
314 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
315 .result = ACCEPT,
316 .retval = 0,
317 },
318 {
319 "DIV32 by 0, zero check 2, cls",
320 .insns = {
321 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
322 BPF_MOV32_IMM(BPF_REG_0, 1),
323 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
324 BPF_EXIT_INSN(),
325 },
326 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
327 .result = ACCEPT,
328 .retval = 0,
329 },
330 {
331 "DIV64 by 0, zero check, cls",
332 .insns = {
333 BPF_MOV32_IMM(BPF_REG_1, 0),
334 BPF_MOV32_IMM(BPF_REG_0, 1),
335 BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
336 BPF_EXIT_INSN(),
337 },
338 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
339 .result = ACCEPT,
340 .retval = 0,
341 },
342 {
343 "MOD32 by 0, zero check ok, cls",
344 .insns = {
345 BPF_MOV32_IMM(BPF_REG_0, 42),
346 BPF_MOV32_IMM(BPF_REG_1, 3),
347 BPF_MOV32_IMM(BPF_REG_2, 5),
348 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
349 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
350 BPF_EXIT_INSN(),
351 },
352 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
353 .result = ACCEPT,
354 .retval = 2,
355 },
356 {
357 "MOD32 by 0, zero check 1, cls",
358 .insns = {
359 BPF_MOV32_IMM(BPF_REG_1, 0),
360 BPF_MOV32_IMM(BPF_REG_0, 1),
361 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
362 BPF_EXIT_INSN(),
363 },
364 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
365 .result = ACCEPT,
366 .retval = 1,
367 },
368 {
369 "MOD32 by 0, zero check 2, cls",
370 .insns = {
371 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
372 BPF_MOV32_IMM(BPF_REG_0, 1),
373 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
374 BPF_EXIT_INSN(),
375 },
376 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
377 .result = ACCEPT,
378 .retval = 1,
379 },
380 {
381 "MOD64 by 0, zero check 1, cls",
382 .insns = {
383 BPF_MOV32_IMM(BPF_REG_1, 0),
384 BPF_MOV32_IMM(BPF_REG_0, 2),
385 BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
386 BPF_EXIT_INSN(),
387 },
388 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
389 .result = ACCEPT,
390 .retval = 2,
391 },
392 {
393 "MOD64 by 0, zero check 2, cls",
394 .insns = {
395 BPF_MOV32_IMM(BPF_REG_1, 0),
396 BPF_MOV32_IMM(BPF_REG_0, -1),
397 BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
398 BPF_EXIT_INSN(),
399 },
400 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
401 .result = ACCEPT,
402 .retval = -1,
403 },
404 /* Just make sure that JITs used udiv/umod as otherwise we get
405 * an exception from INT_MIN/-1 overflow similarly as with div
406 * by zero.
407 */
408 {
409 "DIV32 overflow, check 1",
410 .insns = {
411 BPF_MOV32_IMM(BPF_REG_1, -1),
412 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
413 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
414 BPF_EXIT_INSN(),
415 },
416 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
417 .result = ACCEPT,
418 .retval = 0,
419 },
420 {
421 "DIV32 overflow, check 2",
422 .insns = {
423 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
424 BPF_ALU32_IMM(BPF_DIV, BPF_REG_0, -1),
425 BPF_EXIT_INSN(),
426 },
427 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
428 .result = ACCEPT,
429 .retval = 0,
430 },
431 {
432 "DIV64 overflow, check 1",
433 .insns = {
434 BPF_MOV64_IMM(BPF_REG_1, -1),
435 BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
436 BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
437 BPF_EXIT_INSN(),
438 },
439 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
440 .result = ACCEPT,
441 .retval = 0,
442 },
443 {
444 "DIV64 overflow, check 2",
445 .insns = {
446 BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
447 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, -1),
448 BPF_EXIT_INSN(),
449 },
450 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
451 .result = ACCEPT,
87c1793b
DB		 452 .retval = 0,
453 },
21ccaf21
DB		 454 {
455 "MOD32 overflow, check 1",
456 .insns = {
457 BPF_MOV32_IMM(BPF_REG_1, -1),
458 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
459 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
460 BPF_EXIT_INSN(),
461 },
462 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
463 .result = ACCEPT,
464 .retval = INT_MIN,
465 },
466 {
467 "MOD32 overflow, check 2",
468 .insns = {
469 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
470 BPF_ALU32_IMM(BPF_MOD, BPF_REG_0, -1),
471 BPF_EXIT_INSN(),
472 },
473 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
474 .result = ACCEPT,
475 .retval = INT_MIN,
476 },
477 {
478 "MOD64 overflow, check 1",
479 .insns = {
480 BPF_MOV64_IMM(BPF_REG_1, -1),
481 BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
482 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
483 BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
484 BPF_MOV32_IMM(BPF_REG_0, 0),
485 BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
486 BPF_MOV32_IMM(BPF_REG_0, 1),
487 BPF_EXIT_INSN(),
488 },
489 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
490 .result = ACCEPT,
491 .retval = 1,
492 },
493 {
494 "MOD64 overflow, check 2",
495 .insns = {
496 BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
497 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
498 BPF_ALU64_IMM(BPF_MOD, BPF_REG_2, -1),
499 BPF_MOV32_IMM(BPF_REG_0, 0),
500 BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
501 BPF_MOV32_IMM(BPF_REG_0, 1),
502 BPF_EXIT_INSN(),
503 },
504 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
505 .result = ACCEPT,
506 .retval = 1,
507 },
508 {
509 "xor32 zero extend check",
510 .insns = {
511 BPF_MOV32_IMM(BPF_REG_2, -1),
512 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32),
513 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 0xffff),
514 BPF_ALU32_REG(BPF_XOR, BPF_REG_2, BPF_REG_2),
515 BPF_MOV32_IMM(BPF_REG_0, 2),
516 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1),
517 BPF_MOV32_IMM(BPF_REG_0, 1),
518 BPF_EXIT_INSN(),
519 },
520 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
521 .result = ACCEPT,
522 .retval = 1,
523 },
87c1793b
DB		 524 {
525 "empty prog",
526 .insns = {
527 },
21ccaf21 528 .errstr = "unknown opcode 00",
87c1793b
DB		 529 .result = REJECT,
530 },
531 {
532 "only exit insn",
533 .insns = {
534 BPF_EXIT_INSN(),
535 },
536 .errstr = "R0 !read_ok",
537 .result = REJECT,
3c731eba
AS		 538 },
539 {
540 "unreachable",
541 .insns = {
542 BPF_EXIT_INSN(),
543 BPF_EXIT_INSN(),
544 },
545 .errstr = "unreachable",
546 .result = REJECT,
547 },
548 {
549 "unreachable2",
550 .insns = {
551 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
552 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
553 BPF_EXIT_INSN(),
554 },
555 .errstr = "unreachable",
556 .result = REJECT,
557 },
558 {
559 "out of range jump",
560 .insns = {
561 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
562 BPF_EXIT_INSN(),
563 },
564 .errstr = "jump out of range",
565 .result = REJECT,
566 },
567 {
568 "out of range jump2",
569 .insns = {
570 BPF_JMP_IMM(BPF_JA, 0, 0, -2),
571 BPF_EXIT_INSN(),
572 },
573 .errstr = "jump out of range",
574 .result = REJECT,
575 },
576 {
577 "test1 ld_imm64",
578 .insns = {
579 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
580 BPF_LD_IMM64(BPF_REG_0, 0),
581 BPF_LD_IMM64(BPF_REG_0, 0),
582 BPF_LD_IMM64(BPF_REG_0, 1),
583 BPF_LD_IMM64(BPF_REG_0, 1),
584 BPF_MOV64_IMM(BPF_REG_0, 2),
585 BPF_EXIT_INSN(),
586 },
587 .errstr = "invalid BPF_LD_IMM insn",
bf508877 588 .errstr_unpriv = "R1 pointer comparison",
3c731eba
AS		 589 .result = REJECT,
590 },
591 {
592 "test2 ld_imm64",
593 .insns = {
594 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
595 BPF_LD_IMM64(BPF_REG_0, 0),
596 BPF_LD_IMM64(BPF_REG_0, 0),
597 BPF_LD_IMM64(BPF_REG_0, 1),
598 BPF_LD_IMM64(BPF_REG_0, 1),
599 BPF_EXIT_INSN(),
600 },
601 .errstr = "invalid BPF_LD_IMM insn",
bf508877 602 .errstr_unpriv = "R1 pointer comparison",
3c731eba
AS		 603 .result = REJECT,
604 },
605 {
606 "test3 ld_imm64",
607 .insns = {
608 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
609 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
610 BPF_LD_IMM64(BPF_REG_0, 0),
611 BPF_LD_IMM64(BPF_REG_0, 0),
612 BPF_LD_IMM64(BPF_REG_0, 1),
613 BPF_LD_IMM64(BPF_REG_0, 1),
614 BPF_EXIT_INSN(),
615 },
616 .errstr = "invalid bpf_ld_imm64 insn",
617 .result = REJECT,
618 },
619 {
620 "test4 ld_imm64",
621 .insns = {
622 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
623 BPF_EXIT_INSN(),
624 },
625 .errstr = "invalid bpf_ld_imm64 insn",
626 .result = REJECT,
627 },
628 {
629 "test5 ld_imm64",
630 .insns = {
631 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
632 },
633 .errstr = "invalid bpf_ld_imm64 insn",
634 .result = REJECT,
635 },
728a853a
DB		 636 {
637 "test6 ld_imm64",
638 .insns = {
639 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
640 BPF_RAW_INSN(0, 0, 0, 0, 0),
641 BPF_EXIT_INSN(),
642 },
643 .result = ACCEPT,
644 },
645 {
646 "test7 ld_imm64",
647 .insns = {
648 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
649 BPF_RAW_INSN(0, 0, 0, 0, 1),
650 BPF_EXIT_INSN(),
651 },
652 .result = ACCEPT,
111e6b45 653 .retval = 1,
728a853a
DB		 654 },
655 {
656 "test8 ld_imm64",
657 .insns = {
658 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
659 BPF_RAW_INSN(0, 0, 0, 0, 1),
660 BPF_EXIT_INSN(),
661 },
662 .errstr = "uses reserved fields",
663 .result = REJECT,
664 },
665 {
666 "test9 ld_imm64",
667 .insns = {
668 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
669 BPF_RAW_INSN(0, 0, 0, 1, 1),
670 BPF_EXIT_INSN(),
671 },
672 .errstr = "invalid bpf_ld_imm64 insn",
673 .result = REJECT,
674 },
675 {
676 "test10 ld_imm64",
677 .insns = {
678 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
679 BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
680 BPF_EXIT_INSN(),
681 },
682 .errstr = "invalid bpf_ld_imm64 insn",
683 .result = REJECT,
684 },
685 {
686 "test11 ld_imm64",
687 .insns = {
688 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
689 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
690 BPF_EXIT_INSN(),
691 },
692 .errstr = "invalid bpf_ld_imm64 insn",
693 .result = REJECT,
694 },
695 {
696 "test12 ld_imm64",
697 .insns = {
698 BPF_MOV64_IMM(BPF_REG_1, 0),
699 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
700 BPF_RAW_INSN(0, 0, 0, 0, 1),
701 BPF_EXIT_INSN(),
702 },
703 .errstr = "not pointing to valid bpf_map",
704 .result = REJECT,
705 },
706 {
707 "test13 ld_imm64",
708 .insns = {
709 BPF_MOV64_IMM(BPF_REG_1, 0),
710 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
711 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
712 BPF_EXIT_INSN(),
713 },
714 .errstr = "invalid bpf_ld_imm64 insn",
715 .result = REJECT,
716 },
7891a87e
DB		 717 {
718 "arsh32 on imm",
719 .insns = {
720 BPF_MOV64_IMM(BPF_REG_0, 1),
721 BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 5),
722 BPF_EXIT_INSN(),
723 },
724 .result = REJECT,
21ccaf21 725 .errstr = "unknown opcode c4",
7891a87e
DB		 726 },
727 {
728 "arsh32 on reg",
729 .insns = {
730 BPF_MOV64_IMM(BPF_REG_0, 1),
731 BPF_MOV64_IMM(BPF_REG_1, 5),
732 BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
733 BPF_EXIT_INSN(),
734 },
735 .result = REJECT,
21ccaf21 736 .errstr = "unknown opcode cc",
7891a87e
DB		 737 },
738 {
739 "arsh64 on imm",
740 .insns = {
741 BPF_MOV64_IMM(BPF_REG_0, 1),
742 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_0, 5),
743 BPF_EXIT_INSN(),
744 },
745 .result = ACCEPT,
746 },
747 {
748 "arsh64 on reg",
749 .insns = {
750 BPF_MOV64_IMM(BPF_REG_0, 1),
751 BPF_MOV64_IMM(BPF_REG_1, 5),
752 BPF_ALU64_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
753 BPF_EXIT_INSN(),
754 },
755 .result = ACCEPT,
756 },
3c731eba
AS		 757 {
758 "no bpf_exit",
759 .insns = {
760 BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
761 },
a7ff3eca 762 .errstr = "not an exit",
3c731eba
AS		 763 .result = REJECT,
764 },
765 {
766 "loop (back-edge)",
767 .insns = {
768 BPF_JMP_IMM(BPF_JA, 0, 0, -1),
769 BPF_EXIT_INSN(),
770 },
771 .errstr = "back-edge",
772 .result = REJECT,
773 },
774 {
775 "loop2 (back-edge)",
776 .insns = {
777 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
778 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
779 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
780 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
781 BPF_EXIT_INSN(),
782 },
783 .errstr = "back-edge",
784 .result = REJECT,
785 },
786 {
787 "conditional loop",
788 .insns = {
789 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
790 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
791 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
792 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
793 BPF_EXIT_INSN(),
794 },
795 .errstr = "back-edge",
796 .result = REJECT,
797 },
798 {
799 "read uninitialized register",
800 .insns = {
801 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
802 BPF_EXIT_INSN(),
803 },
804 .errstr = "R2 !read_ok",
805 .result = REJECT,
806 },
807 {
808 "read invalid register",
809 .insns = {
810 BPF_MOV64_REG(BPF_REG_0, -1),
811 BPF_EXIT_INSN(),
812 },
813 .errstr = "R15 is invalid",
814 .result = REJECT,
815 },
816 {
817 "program doesn't init R0 before exit",
818 .insns = {
819 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
820 BPF_EXIT_INSN(),
821 },
822 .errstr = "R0 !read_ok",
823 .result = REJECT,
824 },
32bf08a6
AS		 825 {
826 "program doesn't init R0 before exit in all branches",
827 .insns = {
828 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
829 BPF_MOV64_IMM(BPF_REG_0, 1),
830 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
831 BPF_EXIT_INSN(),
832 },
833 .errstr = "R0 !read_ok",
bf508877 834 .errstr_unpriv = "R1 pointer comparison",
32bf08a6
AS		 835 .result = REJECT,
836 },
3c731eba
AS		 837 {
838 "stack out of bounds",
839 .insns = {
840 BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
841 BPF_EXIT_INSN(),
842 },
843 .errstr = "invalid stack",
844 .result = REJECT,
845 },
846 {
847 "invalid call insn1",
848 .insns = {
849 BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
850 BPF_EXIT_INSN(),
851 },
21ccaf21 852 .errstr = "unknown opcode 8d",
3c731eba
AS		 853 .result = REJECT,
854 },
855 {
856 "invalid call insn2",
857 .insns = {
858 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
859 BPF_EXIT_INSN(),
860 },
861 .errstr = "BPF_CALL uses reserved",
862 .result = REJECT,
863 },
864 {
865 "invalid function call",
866 .insns = {
867 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
868 BPF_EXIT_INSN(),
869 },
e00c7b21 870 .errstr = "invalid func unknown#1234567",
3c731eba
AS		 871 .result = REJECT,
872 },
873 {
874 "uninitialized stack1",
875 .insns = {
876 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
877 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
878 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 879 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
880 BPF_FUNC_map_lookup_elem),
3c731eba
AS		 881 BPF_EXIT_INSN(),
882 },
908142e6 883 .fixup_map_hash_8b = { 2 },
3c731eba
AS		 884 .errstr = "invalid indirect read from stack",
885 .result = REJECT,
886 },
887 {
888 "uninitialized stack2",
889 .insns = {
890 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
891 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
892 BPF_EXIT_INSN(),
893 },
894 .errstr = "invalid read from stack",
895 .result = REJECT,
896 },
728a853a
DB		 897 {
898 "invalid fp arithmetic",
899 /* If this gets ever changed, make sure JITs can deal with it. */
900 .insns = {
901 BPF_MOV64_IMM(BPF_REG_0, 0),
902 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
903 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
904 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
905 BPF_EXIT_INSN(),
906 },
82abbf8d 907 .errstr = "R1 subtraction from stack pointer",
728a853a
DB		 908 .result = REJECT,
909 },
910 {
911 "non-invalid fp arithmetic",
912 .insns = {
913 BPF_MOV64_IMM(BPF_REG_0, 0),
914 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
915 BPF_EXIT_INSN(),
916 },
917 .result = ACCEPT,
918 },
7d95b0ab
DB		 919 {
920 "invalid argument register",
921 .insns = {
5aa5bd14
DB		 922 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
923 BPF_FUNC_get_cgroup_classid),
924 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
925 BPF_FUNC_get_cgroup_classid),
7d95b0ab
DB		 926 BPF_EXIT_INSN(),
927 },
928 .errstr = "R1 !read_ok",
929 .result = REJECT,
930 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
931 },
932 {
933 "non-invalid argument register",
934 .insns = {
935 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
5aa5bd14
DB		 936 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
937 BPF_FUNC_get_cgroup_classid),
7d95b0ab 938 BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
5aa5bd14
DB		 939 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
940 BPF_FUNC_get_cgroup_classid),
7d95b0ab
DB		 941 BPF_EXIT_INSN(),
942 },
943 .result = ACCEPT,
944 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
945 },
3c731eba
AS		 946 {
947 "check valid spill/fill",
948 .insns = {
949 /* spill R1(ctx) into stack */
950 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3c731eba
AS		 951 /* fill it back into R2 */
952 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
3c731eba 953 /* should be able to access R0 = *(R2 + 8) */
f91fe17e
DB		 954 /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
955 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3c731eba
AS		 956 BPF_EXIT_INSN(),
957 },
bf508877 958 .errstr_unpriv = "R0 leaks addr",
3c731eba 959 .result = ACCEPT,
bf508877 960 .result_unpriv = REJECT,
111e6b45 961 .retval = POINTER_VALUE,
3c731eba 962 },
3f2050e2
DB		 963 {
964 "check valid spill/fill, skb mark",
965 .insns = {
966 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
967 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
968 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
969 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
970 offsetof(struct __sk_buff, mark)),
971 BPF_EXIT_INSN(),
972 },
973 .result = ACCEPT,
974 .result_unpriv = ACCEPT,
975 },
3c731eba
AS		 976 {
977 "check corrupted spill/fill",
978 .insns = {
979 /* spill R1(ctx) into stack */
980 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3c731eba
AS		 981 /* mess up with R1 pointer on stack */
982 BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
3c731eba
AS		 983 /* fill back into R0 should fail */
984 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3c731eba
AS		 985 BPF_EXIT_INSN(),
986 },
bf508877 987 .errstr_unpriv = "attempt to corrupt spilled",
3c731eba
AS		 988 .errstr = "corrupted spill",
989 .result = REJECT,
990 },
991 {
992 "invalid src register in STX",
993 .insns = {
994 BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
995 BPF_EXIT_INSN(),
996 },
997 .errstr = "R15 is invalid",
998 .result = REJECT,
999 },
1000 {
1001 "invalid dst register in STX",
1002 .insns = {
1003 BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
1004 BPF_EXIT_INSN(),
1005 },
1006 .errstr = "R14 is invalid",
1007 .result = REJECT,
1008 },
1009 {
1010 "invalid dst register in ST",
1011 .insns = {
1012 BPF_ST_MEM(BPF_B, 14, -1, -1),
1013 BPF_EXIT_INSN(),
1014 },
1015 .errstr = "R14 is invalid",
1016 .result = REJECT,
1017 },
1018 {
1019 "invalid src register in LDX",
1020 .insns = {
1021 BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
1022 BPF_EXIT_INSN(),
1023 },
1024 .errstr = "R12 is invalid",
1025 .result = REJECT,
1026 },
1027 {
1028 "invalid dst register in LDX",
1029 .insns = {
1030 BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
1031 BPF_EXIT_INSN(),
1032 },
1033 .errstr = "R11 is invalid",
1034 .result = REJECT,
1035 },
1036 {
1037 "junk insn",
1038 .insns = {
1039 BPF_RAW_INSN(0, 0, 0, 0, 0),
1040 BPF_EXIT_INSN(),
1041 },
21ccaf21 1042 .errstr = "unknown opcode 00",
3c731eba
AS		 1043 .result = REJECT,
1044 },
1045 {
1046 "junk insn2",
1047 .insns = {
1048 BPF_RAW_INSN(1, 0, 0, 0, 0),
1049 BPF_EXIT_INSN(),
1050 },
1051 .errstr = "BPF_LDX uses reserved fields",
1052 .result = REJECT,
1053 },
1054 {
1055 "junk insn3",
1056 .insns = {
1057 BPF_RAW_INSN(-1, 0, 0, 0, 0),
1058 BPF_EXIT_INSN(),
1059 },
21ccaf21 1060 .errstr = "unknown opcode ff",
3c731eba
AS		 1061 .result = REJECT,
1062 },
1063 {
1064 "junk insn4",
1065 .insns = {
1066 BPF_RAW_INSN(-1, -1, -1, -1, -1),
1067 BPF_EXIT_INSN(),
1068 },
21ccaf21 1069 .errstr = "unknown opcode ff",
3c731eba
AS		 1070 .result = REJECT,
1071 },
1072 {
1073 "junk insn5",
1074 .insns = {
1075 BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
1076 BPF_EXIT_INSN(),
1077 },
1078 .errstr = "BPF_ALU uses reserved fields",
1079 .result = REJECT,
1080 },
1081 {
1082 "misaligned read from stack",
1083 .insns = {
1084 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1085 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
1086 BPF_EXIT_INSN(),
1087 },
f65b1849 1088 .errstr = "misaligned stack access",
3c731eba
AS		 1089 .result = REJECT,
1090 },
1091 {
1092 "invalid map_fd for function call",
1093 .insns = {
1094 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1095 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
1096 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1097 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 1098 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1099 BPF_FUNC_map_delete_elem),
3c731eba
AS		 1100 BPF_EXIT_INSN(),
1101 },
1102 .errstr = "fd 0 is not pointing to valid bpf_map",
1103 .result = REJECT,
1104 },
1105 {
1106 "don't check return value before access",
1107 .insns = {
1108 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1109 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1110 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1111 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 1112 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1113 BPF_FUNC_map_lookup_elem),
3c731eba
AS		 1114 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1115 BPF_EXIT_INSN(),
1116 },
908142e6 1117 .fixup_map_hash_8b = { 3 },
3c731eba
AS		 1118 .errstr = "R0 invalid mem access 'map_value_or_null'",
1119 .result = REJECT,
1120 },
1121 {
1122 "access memory with incorrect alignment",
1123 .insns = {
1124 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1125 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1126 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1127 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 1128 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1129 BPF_FUNC_map_lookup_elem),
3c731eba
AS		 1130 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1131 BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
1132 BPF_EXIT_INSN(),
1133 },
908142e6 1134 .fixup_map_hash_8b = { 3 },
f65b1849 1135 .errstr = "misaligned value access",
3c731eba 1136 .result = REJECT,
f65b1849 1137 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
3c731eba
AS		 1138 },
1139 {
1140 "sometimes access memory with incorrect alignment",
1141 .insns = {
1142 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1143 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1144 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1145 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 1146 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1147 BPF_FUNC_map_lookup_elem),
3c731eba
AS		 1148 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
1149 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1150 BPF_EXIT_INSN(),
1151 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
1152 BPF_EXIT_INSN(),
1153 },
908142e6 1154 .fixup_map_hash_8b = { 3 },
3c731eba 1155 .errstr = "R0 invalid mem access",
bf508877 1156 .errstr_unpriv = "R0 leaks addr",
3c731eba 1157 .result = REJECT,
f65b1849 1158 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
3c731eba 1159 },
fd10c2ef
AS		 1160 {
1161 "jump test 1",
1162 .insns = {
1163 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1164 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
1165 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
1166 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1167 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
1168 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
1169 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
1170 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
1171 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
1172 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
1173 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
1174 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
1175 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1176 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
1177 BPF_MOV64_IMM(BPF_REG_0, 0),
1178 BPF_EXIT_INSN(),
1179 },
bf508877
AS		 1180 .errstr_unpriv = "R1 pointer comparison",
1181 .result_unpriv = REJECT,
fd10c2ef
AS		 1182 .result = ACCEPT,
1183 },
1184 {
1185 "jump test 2",
1186 .insns = {
1187 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1188 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
1189 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1190 BPF_JMP_IMM(BPF_JA, 0, 0, 14),
1191 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
1192 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1193 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1194 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
1195 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1196 BPF_JMP_IMM(BPF_JA, 0, 0, 8),
1197 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
1198 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1199 BPF_JMP_IMM(BPF_JA, 0, 0, 5),
1200 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
1201 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1202 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1203 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1204 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1205 BPF_MOV64_IMM(BPF_REG_0, 0),
1206 BPF_EXIT_INSN(),
1207 },
bf508877
AS		 1208 .errstr_unpriv = "R1 pointer comparison",
1209 .result_unpriv = REJECT,
fd10c2ef
AS		 1210 .result = ACCEPT,
1211 },
1212 {
1213 "jump test 3",
1214 .insns = {
1215 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1216 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1217 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1218 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1219 BPF_JMP_IMM(BPF_JA, 0, 0, 19),
1220 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
1221 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1222 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1223 BPF_JMP_IMM(BPF_JA, 0, 0, 15),
1224 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
1225 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1226 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
1227 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1228 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
1229 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1230 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
1231 BPF_JMP_IMM(BPF_JA, 0, 0, 7),
1232 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
1233 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1234 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
1235 BPF_JMP_IMM(BPF_JA, 0, 0, 3),
1236 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
1237 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1238 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
1239 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 1240 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1241 BPF_FUNC_map_delete_elem),
fd10c2ef
AS		 1242 BPF_EXIT_INSN(),
1243 },
908142e6 1244 .fixup_map_hash_8b = { 24 },
bf508877
AS		 1245 .errstr_unpriv = "R1 pointer comparison",
1246 .result_unpriv = REJECT,
fd10c2ef 1247 .result = ACCEPT,
111e6b45 1248 .retval = -ENOENT,
fd10c2ef
AS		 1249 },
1250 {
1251 "jump test 4",
1252 .insns = {
1253 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1254 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1255 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1256 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1257 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1258 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1259 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1260 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1261 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1262 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1263 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1264 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1265 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1266 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1267 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1268 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1269 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1270 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1271 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1272 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1273 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1274 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1275 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1276 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1277 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1278 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1279 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1280 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1281 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1282 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1283 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1284 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1285 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1286 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1287 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1288 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1289 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1290 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1291 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1292 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1293 BPF_MOV64_IMM(BPF_REG_0, 0),
1294 BPF_EXIT_INSN(),
1295 },
bf508877
AS		 1296 .errstr_unpriv = "R1 pointer comparison",
1297 .result_unpriv = REJECT,
fd10c2ef
AS		 1298 .result = ACCEPT,
1299 },
342ded40
AS		 1300 {
1301 "jump test 5",
1302 .insns = {
1303 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1304 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1305 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1306 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1307 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1308 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1309 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1310 BPF_MOV64_IMM(BPF_REG_0, 0),
1311 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1312 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1313 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1314 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1315 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1316 BPF_MOV64_IMM(BPF_REG_0, 0),
1317 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1318 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1319 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1320 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1321 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1322 BPF_MOV64_IMM(BPF_REG_0, 0),
1323 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1324 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1325 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1326 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1327 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1328 BPF_MOV64_IMM(BPF_REG_0, 0),
1329 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1330 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1331 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1332 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1333 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1334 BPF_MOV64_IMM(BPF_REG_0, 0),
1335 BPF_EXIT_INSN(),
1336 },
bf508877
AS		 1337 .errstr_unpriv = "R1 pointer comparison",
1338 .result_unpriv = REJECT,
342ded40
AS		 1339 .result = ACCEPT,
1340 },
614cd3bd
AS		 1341 {
1342 "access skb fields ok",
1343 .insns = {
1344 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1345 offsetof(struct __sk_buff, len)),
1346 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1347 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1348 offsetof(struct __sk_buff, mark)),
1349 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1350 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1351 offsetof(struct __sk_buff, pkt_type)),
1352 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1353 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1354 offsetof(struct __sk_buff, queue_mapping)),
1355 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
c2497395
AS		 1356 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1357 offsetof(struct __sk_buff, protocol)),
1358 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1359 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1360 offsetof(struct __sk_buff, vlan_present)),
1361 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1362 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1363 offsetof(struct __sk_buff, vlan_tci)),
1364 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
b1d9fc41
DB		 1365 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1366 offsetof(struct __sk_buff, napi_id)),
1367 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
614cd3bd
AS		 1368 BPF_EXIT_INSN(),
1369 },
1370 .result = ACCEPT,
1371 },
1372 {
1373 "access skb fields bad1",
1374 .insns = {
1375 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
1376 BPF_EXIT_INSN(),
1377 },
1378 .errstr = "invalid bpf_context access",
1379 .result = REJECT,
1380 },
1381 {
1382 "access skb fields bad2",
1383 .insns = {
1384 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
1385 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1386 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1387 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1388 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 1389 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1390 BPF_FUNC_map_lookup_elem),
614cd3bd
AS		 1391 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1392 BPF_EXIT_INSN(),
1393 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1394 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1395 offsetof(struct __sk_buff, pkt_type)),
1396 BPF_EXIT_INSN(),
1397 },
908142e6 1398 .fixup_map_hash_8b = { 4 },
614cd3bd 1399 .errstr = "different pointers",
bf508877 1400 .errstr_unpriv = "R1 pointer comparison",
614cd3bd
AS		 1401 .result = REJECT,
1402 },
1403 {
1404 "access skb fields bad3",
1405 .insns = {
1406 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1407 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1408 offsetof(struct __sk_buff, pkt_type)),
1409 BPF_EXIT_INSN(),
1410 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1411 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1412 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1413 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 1414 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1415 BPF_FUNC_map_lookup_elem),
614cd3bd
AS		 1416 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1417 BPF_EXIT_INSN(),
1418 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1419 BPF_JMP_IMM(BPF_JA, 0, 0, -12),
1420 },
908142e6 1421 .fixup_map_hash_8b = { 6 },
614cd3bd 1422 .errstr = "different pointers",
bf508877 1423 .errstr_unpriv = "R1 pointer comparison",
614cd3bd
AS		 1424 .result = REJECT,
1425 },
725f9dcd
AS		 1426 {
1427 "access skb fields bad4",
1428 .insns = {
1429 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
1430 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1431 offsetof(struct __sk_buff, len)),
1432 BPF_MOV64_IMM(BPF_REG_0, 0),
1433 BPF_EXIT_INSN(),
1434 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1435 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1436 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1437 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 1438 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1439 BPF_FUNC_map_lookup_elem),
725f9dcd
AS		 1440 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1441 BPF_EXIT_INSN(),
1442 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1443 BPF_JMP_IMM(BPF_JA, 0, 0, -13),
1444 },
908142e6 1445 .fixup_map_hash_8b = { 7 },
725f9dcd 1446 .errstr = "different pointers",
bf508877 1447 .errstr_unpriv = "R1 pointer comparison",
725f9dcd
AS		 1448 .result = REJECT,
1449 },
41bc94f5
JF		 1450 {
1451 "invalid access __sk_buff family",
1452 .insns = {
1453 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1454 offsetof(struct __sk_buff, family)),
1455 BPF_EXIT_INSN(),
1456 },
1457 .errstr = "invalid bpf_context access",
1458 .result = REJECT,
1459 },
1460 {
1461 "invalid access __sk_buff remote_ip4",
1462 .insns = {
1463 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1464 offsetof(struct __sk_buff, remote_ip4)),
1465 BPF_EXIT_INSN(),
1466 },
1467 .errstr = "invalid bpf_context access",
1468 .result = REJECT,
1469 },
1470 {
1471 "invalid access __sk_buff local_ip4",
1472 .insns = {
1473 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1474 offsetof(struct __sk_buff, local_ip4)),
1475 BPF_EXIT_INSN(),
1476 },
1477 .errstr = "invalid bpf_context access",
1478 .result = REJECT,
1479 },
1480 {
1481 "invalid access __sk_buff remote_ip6",
1482 .insns = {
1483 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1484 offsetof(struct __sk_buff, remote_ip6)),
1485 BPF_EXIT_INSN(),
1486 },
1487 .errstr = "invalid bpf_context access",
1488 .result = REJECT,
1489 },
1490 {
1491 "invalid access __sk_buff local_ip6",
1492 .insns = {
1493 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1494 offsetof(struct __sk_buff, local_ip6)),
1495 BPF_EXIT_INSN(),
1496 },
1497 .errstr = "invalid bpf_context access",
1498 .result = REJECT,
1499 },
1500 {
1501 "invalid access __sk_buff remote_port",
1502 .insns = {
1503 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1504 offsetof(struct __sk_buff, remote_port)),
1505 BPF_EXIT_INSN(),
1506 },
1507 .errstr = "invalid bpf_context access",
1508 .result = REJECT,
1509 },
1510 {
1511 "invalid access __sk_buff remote_port",
1512 .insns = {
1513 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1514 offsetof(struct __sk_buff, local_port)),
1515 BPF_EXIT_INSN(),
1516 },
1517 .errstr = "invalid bpf_context access",
1518 .result = REJECT,
1519 },
1520 {
1521 "valid access __sk_buff family",
1522 .insns = {
1523 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1524 offsetof(struct __sk_buff, family)),
1525 BPF_EXIT_INSN(),
1526 },
1527 .result = ACCEPT,
1528 .prog_type = BPF_PROG_TYPE_SK_SKB,
1529 },
1530 {
1531 "valid access __sk_buff remote_ip4",
1532 .insns = {
1533 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1534 offsetof(struct __sk_buff, remote_ip4)),
1535 BPF_EXIT_INSN(),
1536 },
1537 .result = ACCEPT,
1538 .prog_type = BPF_PROG_TYPE_SK_SKB,
1539 },
1540 {
1541 "valid access __sk_buff local_ip4",
1542 .insns = {
1543 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1544 offsetof(struct __sk_buff, local_ip4)),
1545 BPF_EXIT_INSN(),
1546 },
1547 .result = ACCEPT,
1548 .prog_type = BPF_PROG_TYPE_SK_SKB,
1549 },
1550 {
1551 "valid access __sk_buff remote_ip6",
1552 .insns = {
1553 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1554 offsetof(struct __sk_buff, remote_ip6[0])),
1555 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1556 offsetof(struct __sk_buff, remote_ip6[1])),
1557 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1558 offsetof(struct __sk_buff, remote_ip6[2])),
1559 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1560 offsetof(struct __sk_buff, remote_ip6[3])),
1561 BPF_EXIT_INSN(),
1562 },
1563 .result = ACCEPT,
1564 .prog_type = BPF_PROG_TYPE_SK_SKB,
1565 },
1566 {
1567 "valid access __sk_buff local_ip6",
1568 .insns = {
1569 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1570 offsetof(struct __sk_buff, local_ip6[0])),
1571 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1572 offsetof(struct __sk_buff, local_ip6[1])),
1573 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1574 offsetof(struct __sk_buff, local_ip6[2])),
1575 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1576 offsetof(struct __sk_buff, local_ip6[3])),
1577 BPF_EXIT_INSN(),
1578 },
1579 .result = ACCEPT,
1580 .prog_type = BPF_PROG_TYPE_SK_SKB,
1581 },
1582 {
1583 "valid access __sk_buff remote_port",
1584 .insns = {
1585 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1586 offsetof(struct __sk_buff, remote_port)),
1587 BPF_EXIT_INSN(),
1588 },
1589 .result = ACCEPT,
1590 .prog_type = BPF_PROG_TYPE_SK_SKB,
1591 },
1592 {
1593 "valid access __sk_buff remote_port",
1594 .insns = {
1595 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1596 offsetof(struct __sk_buff, local_port)),
1597 BPF_EXIT_INSN(),
1598 },
1599 .result = ACCEPT,
1600 .prog_type = BPF_PROG_TYPE_SK_SKB,
1601 },
ed85054d
JF		 1602 {
1603 "invalid access of tc_classid for SK_SKB",
1604 .insns = {
1605 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1606 offsetof(struct __sk_buff, tc_classid)),
1607 BPF_EXIT_INSN(),
1608 },
1609 .result = REJECT,
1610 .prog_type = BPF_PROG_TYPE_SK_SKB,
1611 .errstr = "invalid bpf_context access",
1612 },
1613 {
f7e9cb1e
JF		 1614 "invalid access of skb->mark for SK_SKB",
1615 .insns = {
1616 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1617 offsetof(struct __sk_buff, mark)),
1618 BPF_EXIT_INSN(),
1619 },
1620 .result = REJECT,
1621 .prog_type = BPF_PROG_TYPE_SK_SKB,
1622 .errstr = "invalid bpf_context access",
1623 },
1624 {
1625 "check skb->mark is not writeable by SK_SKB",
ed85054d
JF		 1626 .insns = {
1627 BPF_MOV64_IMM(BPF_REG_0, 0),
1628 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1629 offsetof(struct __sk_buff, mark)),
1630 BPF_EXIT_INSN(),
1631 },
f7e9cb1e 1632 .result = REJECT,
ed85054d 1633 .prog_type = BPF_PROG_TYPE_SK_SKB,
f7e9cb1e 1634 .errstr = "invalid bpf_context access",
ed85054d
JF		 1635 },
1636 {
1637 "check skb->tc_index is writeable by SK_SKB",
1638 .insns = {
1639 BPF_MOV64_IMM(BPF_REG_0, 0),
1640 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1641 offsetof(struct __sk_buff, tc_index)),
1642 BPF_EXIT_INSN(),
1643 },
1644 .result = ACCEPT,
1645 .prog_type = BPF_PROG_TYPE_SK_SKB,
1646 },
1647 {
1648 "check skb->priority is writeable by SK_SKB",
1649 .insns = {
1650 BPF_MOV64_IMM(BPF_REG_0, 0),
1651 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1652 offsetof(struct __sk_buff, priority)),
1653 BPF_EXIT_INSN(),
1654 },
1655 .result = ACCEPT,
1656 .prog_type = BPF_PROG_TYPE_SK_SKB,
1657 },
1658 {
1659 "direct packet read for SK_SKB",
1660 .insns = {
1661 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1662 offsetof(struct __sk_buff, data)),
1663 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1664 offsetof(struct __sk_buff, data_end)),
1665 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1666 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1667 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1668 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1669 BPF_MOV64_IMM(BPF_REG_0, 0),
1670 BPF_EXIT_INSN(),
1671 },
1672 .result = ACCEPT,
1673 .prog_type = BPF_PROG_TYPE_SK_SKB,
1674 },
1675 {
1676 "direct packet write for SK_SKB",
1677 .insns = {
1678 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1679 offsetof(struct __sk_buff, data)),
1680 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1681 offsetof(struct __sk_buff, data_end)),
1682 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1683 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1684 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1685 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1686 BPF_MOV64_IMM(BPF_REG_0, 0),
1687 BPF_EXIT_INSN(),
1688 },
1689 .result = ACCEPT,
1690 .prog_type = BPF_PROG_TYPE_SK_SKB,
1691 },
1692 {
1693 "overlapping checks for direct packet access SK_SKB",
1694 .insns = {
1695 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1696 offsetof(struct __sk_buff, data)),
1697 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1698 offsetof(struct __sk_buff, data_end)),
1699 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1700 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1701 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1702 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1703 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1704 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1705 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1706 BPF_MOV64_IMM(BPF_REG_0, 0),
1707 BPF_EXIT_INSN(),
1708 },
1709 .result = ACCEPT,
1710 .prog_type = BPF_PROG_TYPE_SK_SKB,
1711 },
4da0dcab
JF		 1712 {
1713 "valid access family in SK_MSG",
1714 .insns = {
1715 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1716 offsetof(struct sk_msg_md, family)),
1717 BPF_EXIT_INSN(),
1718 },
1719 .result = ACCEPT,
1720 .prog_type = BPF_PROG_TYPE_SK_MSG,
1721 },
1722 {
1723 "valid access remote_ip4 in SK_MSG",
1724 .insns = {
1725 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1726 offsetof(struct sk_msg_md, remote_ip4)),
1727 BPF_EXIT_INSN(),
1728 },
1729 .result = ACCEPT,
1730 .prog_type = BPF_PROG_TYPE_SK_MSG,
1731 },
1732 {
1733 "valid access local_ip4 in SK_MSG",
1734 .insns = {
1735 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1736 offsetof(struct sk_msg_md, local_ip4)),
1737 BPF_EXIT_INSN(),
1738 },
1739 .result = ACCEPT,
1740 .prog_type = BPF_PROG_TYPE_SK_MSG,
1741 },
1742 {
1743 "valid access remote_port in SK_MSG",
1744 .insns = {
1745 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1746 offsetof(struct sk_msg_md, remote_port)),
1747 BPF_EXIT_INSN(),
1748 },
1749 .result = ACCEPT,
1750 .prog_type = BPF_PROG_TYPE_SK_MSG,
1751 },
1752 {
1753 "valid access local_port in SK_MSG",
1754 .insns = {
1755 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1756 offsetof(struct sk_msg_md, local_port)),
1757 BPF_EXIT_INSN(),
1758 },
1759 .result = ACCEPT,
1760 .prog_type = BPF_PROG_TYPE_SK_MSG,
1761 },
1762 {
1763 "valid access remote_ip6 in SK_MSG",
1764 .insns = {
1765 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1766 offsetof(struct sk_msg_md, remote_ip6[0])),
1767 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1768 offsetof(struct sk_msg_md, remote_ip6[1])),
1769 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1770 offsetof(struct sk_msg_md, remote_ip6[2])),
1771 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1772 offsetof(struct sk_msg_md, remote_ip6[3])),
1773 BPF_EXIT_INSN(),
1774 },
1775 .result = ACCEPT,
1776 .prog_type = BPF_PROG_TYPE_SK_SKB,
1777 },
1778 {
1779 "valid access local_ip6 in SK_MSG",
1780 .insns = {
1781 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1782 offsetof(struct sk_msg_md, local_ip6[0])),
1783 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1784 offsetof(struct sk_msg_md, local_ip6[1])),
1785 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1786 offsetof(struct sk_msg_md, local_ip6[2])),
1787 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1788 offsetof(struct sk_msg_md, local_ip6[3])),
1789 BPF_EXIT_INSN(),
1790 },
1791 .result = ACCEPT,
1792 .prog_type = BPF_PROG_TYPE_SK_SKB,
1793 },
1794 {
1795 "invalid 64B read of family in SK_MSG",
1796 .insns = {
1797 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1798 offsetof(struct sk_msg_md, family)),
1799 BPF_EXIT_INSN(),
1800 },
1801 .errstr = "invalid bpf_context access",
1802 .result = REJECT,
1803 .prog_type = BPF_PROG_TYPE_SK_MSG,
1804 },
1805 {
1806 "invalid read past end of SK_MSG",
1807 .insns = {
1808 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1809 offsetof(struct sk_msg_md, local_port) + 4),
1810 BPF_EXIT_INSN(),
1811 },
1812 .errstr = "R0 !read_ok",
1813 .result = REJECT,
1814 .prog_type = BPF_PROG_TYPE_SK_MSG,
1815 },
1816 {
1817 "invalid read offset in SK_MSG",
1818 .insns = {
1819 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1820 offsetof(struct sk_msg_md, family) + 1),
1821 BPF_EXIT_INSN(),
1822 },
1823 .errstr = "invalid bpf_context access",
1824 .result = REJECT,
1825 .prog_type = BPF_PROG_TYPE_SK_MSG,
1826 },
1acc60b6
JF		 1827 {
1828 "direct packet read for SK_MSG",
1829 .insns = {
1830 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1831 offsetof(struct sk_msg_md, data)),
1832 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1833 offsetof(struct sk_msg_md, data_end)),
1834 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1835 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1836 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1837 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1838 BPF_MOV64_IMM(BPF_REG_0, 0),
1839 BPF_EXIT_INSN(),
1840 },
1841 .result = ACCEPT,
1842 .prog_type = BPF_PROG_TYPE_SK_MSG,
1843 },
1844 {
1845 "direct packet write for SK_MSG",
1846 .insns = {
1847 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1848 offsetof(struct sk_msg_md, data)),
1849 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1850 offsetof(struct sk_msg_md, data_end)),
1851 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1852 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1853 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1854 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1855 BPF_MOV64_IMM(BPF_REG_0, 0),
1856 BPF_EXIT_INSN(),
1857 },
1858 .result = ACCEPT,
1859 .prog_type = BPF_PROG_TYPE_SK_MSG,
1860 },
1861 {
1862 "overlapping checks for direct packet access SK_MSG",
1863 .insns = {
1864 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1865 offsetof(struct sk_msg_md, data)),
1866 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1867 offsetof(struct sk_msg_md, data_end)),
1868 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1869 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1870 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1871 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1872 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1873 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1874 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1875 BPF_MOV64_IMM(BPF_REG_0, 0),
1876 BPF_EXIT_INSN(),
1877 },
1878 .result = ACCEPT,
1879 .prog_type = BPF_PROG_TYPE_SK_MSG,
1880 },
d691f9e8
AS		 1881 {
1882 "check skb->mark is not writeable by sockets",
1883 .insns = {
1884 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1885 offsetof(struct __sk_buff, mark)),
1886 BPF_EXIT_INSN(),
1887 },
1888 .errstr = "invalid bpf_context access",
bf508877 1889 .errstr_unpriv = "R1 leaks addr",
d691f9e8
AS		 1890 .result = REJECT,
1891 },
1892 {
1893 "check skb->tc_index is not writeable by sockets",
1894 .insns = {
1895 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1896 offsetof(struct __sk_buff, tc_index)),
1897 BPF_EXIT_INSN(),
1898 },
1899 .errstr = "invalid bpf_context access",
bf508877 1900 .errstr_unpriv = "R1 leaks addr",
d691f9e8
AS		 1901 .result = REJECT,
1902 },
1903 {
62c7989b 1904 "check cb access: byte",
d691f9e8 1905 .insns = {
62c7989b
DB		 1906 BPF_MOV64_IMM(BPF_REG_0, 0),
1907 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1908 offsetof(struct __sk_buff, cb[0])),
1909 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1910 offsetof(struct __sk_buff, cb[0]) + 1),
1911 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1912 offsetof(struct __sk_buff, cb[0]) + 2),
1913 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1914 offsetof(struct __sk_buff, cb[0]) + 3),
1915 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1916 offsetof(struct __sk_buff, cb[1])),
1917 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1918 offsetof(struct __sk_buff, cb[1]) + 1),
1919 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1920 offsetof(struct __sk_buff, cb[1]) + 2),
1921 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1922 offsetof(struct __sk_buff, cb[1]) + 3),
1923 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1924 offsetof(struct __sk_buff, cb[2])),
1925 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1926 offsetof(struct __sk_buff, cb[2]) + 1),
1927 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1928 offsetof(struct __sk_buff, cb[2]) + 2),
1929 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1930 offsetof(struct __sk_buff, cb[2]) + 3),
1931 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1932 offsetof(struct __sk_buff, cb[3])),
1933 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1934 offsetof(struct __sk_buff, cb[3]) + 1),
1935 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1936 offsetof(struct __sk_buff, cb[3]) + 2),
1937 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1938 offsetof(struct __sk_buff, cb[3]) + 3),
1939 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1940 offsetof(struct __sk_buff, cb[4])),
1941 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1942 offsetof(struct __sk_buff, cb[4]) + 1),
1943 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1944 offsetof(struct __sk_buff, cb[4]) + 2),
1945 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1946 offsetof(struct __sk_buff, cb[4]) + 3),
1947 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1948 offsetof(struct __sk_buff, cb[0])),
1949 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1950 offsetof(struct __sk_buff, cb[0]) + 1),
1951 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1952 offsetof(struct __sk_buff, cb[0]) + 2),
1953 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1954 offsetof(struct __sk_buff, cb[0]) + 3),
1955 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1956 offsetof(struct __sk_buff, cb[1])),
1957 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1958 offsetof(struct __sk_buff, cb[1]) + 1),
1959 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1960 offsetof(struct __sk_buff, cb[1]) + 2),
1961 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1962 offsetof(struct __sk_buff, cb[1]) + 3),
1963 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1964 offsetof(struct __sk_buff, cb[2])),
1965 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1966 offsetof(struct __sk_buff, cb[2]) + 1),
1967 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1968 offsetof(struct __sk_buff, cb[2]) + 2),
1969 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1970 offsetof(struct __sk_buff, cb[2]) + 3),
1971 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1972 offsetof(struct __sk_buff, cb[3])),
1973 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1974 offsetof(struct __sk_buff, cb[3]) + 1),
1975 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1976 offsetof(struct __sk_buff, cb[3]) + 2),
1977 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1978 offsetof(struct __sk_buff, cb[3]) + 3),
1979 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1980 offsetof(struct __sk_buff, cb[4])),
1981 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1982 offsetof(struct __sk_buff, cb[4]) + 1),
1983 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1984 offsetof(struct __sk_buff, cb[4]) + 2),
1985 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1986 offsetof(struct __sk_buff, cb[4]) + 3),
1987 BPF_EXIT_INSN(),
1988 },
1989 .result = ACCEPT,
1990 },
1991 {
31fd8581 1992 "__sk_buff->hash, offset 0, byte store not permitted",
62c7989b
DB		 1993 .insns = {
1994 BPF_MOV64_IMM(BPF_REG_0, 0),
1995 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
31fd8581 1996 offsetof(struct __sk_buff, hash)),
62c7989b
DB		 1997 BPF_EXIT_INSN(),
1998 },
1999 .errstr = "invalid bpf_context access",
2000 .result = REJECT,
2001 },
2002 {
31fd8581 2003 "__sk_buff->tc_index, offset 3, byte store not permitted",
62c7989b
DB		 2004 .insns = {
2005 BPF_MOV64_IMM(BPF_REG_0, 0),
2006 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
31fd8581 2007 offsetof(struct __sk_buff, tc_index) + 3),
62c7989b
DB		 2008 BPF_EXIT_INSN(),
2009 },
2010 .errstr = "invalid bpf_context access",
2011 .result = REJECT,
2012 },
18f3d6be
YS		 2013 {
2014 "check skb->hash byte load permitted",
2015 .insns = {
2016 BPF_MOV64_IMM(BPF_REG_0, 0),
2c460621 2017#if __BYTE_ORDER == __LITTLE_ENDIAN
18f3d6be
YS		 2018 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2019 offsetof(struct __sk_buff, hash)),
2020#else
2021 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2022 offsetof(struct __sk_buff, hash) + 3),
2023#endif
2024 BPF_EXIT_INSN(),
2025 },
2026 .result = ACCEPT,
2027 },
2028 {
2029 "check skb->hash byte load not permitted 1",
2030 .insns = {
2031 BPF_MOV64_IMM(BPF_REG_0, 0),
2032 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2033 offsetof(struct __sk_buff, hash) + 1),
2034 BPF_EXIT_INSN(),
2035 },
2036 .errstr = "invalid bpf_context access",
2037 .result = REJECT,
2038 },
2039 {
2040 "check skb->hash byte load not permitted 2",
2041 .insns = {
2042 BPF_MOV64_IMM(BPF_REG_0, 0),
2043 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2044 offsetof(struct __sk_buff, hash) + 2),
2045 BPF_EXIT_INSN(),
2046 },
2047 .errstr = "invalid bpf_context access",
2048 .result = REJECT,
2049 },
2050 {
2051 "check skb->hash byte load not permitted 3",
2052 .insns = {
2053 BPF_MOV64_IMM(BPF_REG_0, 0),
2c460621 2054#if __BYTE_ORDER == __LITTLE_ENDIAN
18f3d6be
YS		 2055 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2056 offsetof(struct __sk_buff, hash) + 3),
2057#else
2058 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2059 offsetof(struct __sk_buff, hash)),
2060#endif
2061 BPF_EXIT_INSN(),
2062 },
2063 .errstr = "invalid bpf_context access",
2064 .result = REJECT,
2065 },
62c7989b
DB		 2066 {
2067 "check cb access: byte, wrong type",
2068 .insns = {
2069 BPF_MOV64_IMM(BPF_REG_0, 0),
2070 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2071 offsetof(struct __sk_buff, cb[0])),
2072 BPF_EXIT_INSN(),
2073 },
2074 .errstr = "invalid bpf_context access",
2075 .result = REJECT,
2076 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2077 },
2078 {
2079 "check cb access: half",
2080 .insns = {
2081 BPF_MOV64_IMM(BPF_REG_0, 0),
2082 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2083 offsetof(struct __sk_buff, cb[0])),
2084 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2085 offsetof(struct __sk_buff, cb[0]) + 2),
2086 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2087 offsetof(struct __sk_buff, cb[1])),
2088 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2089 offsetof(struct __sk_buff, cb[1]) + 2),
2090 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2091 offsetof(struct __sk_buff, cb[2])),
2092 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2093 offsetof(struct __sk_buff, cb[2]) + 2),
2094 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2095 offsetof(struct __sk_buff, cb[3])),
2096 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2097 offsetof(struct __sk_buff, cb[3]) + 2),
2098 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2099 offsetof(struct __sk_buff, cb[4])),
2100 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2101 offsetof(struct __sk_buff, cb[4]) + 2),
2102 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2103 offsetof(struct __sk_buff, cb[0])),
2104 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2105 offsetof(struct __sk_buff, cb[0]) + 2),
2106 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2107 offsetof(struct __sk_buff, cb[1])),
2108 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2109 offsetof(struct __sk_buff, cb[1]) + 2),
2110 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2111 offsetof(struct __sk_buff, cb[2])),
2112 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2113 offsetof(struct __sk_buff, cb[2]) + 2),
2114 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2115 offsetof(struct __sk_buff, cb[3])),
2116 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2117 offsetof(struct __sk_buff, cb[3]) + 2),
2118 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2119 offsetof(struct __sk_buff, cb[4])),
2120 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2121 offsetof(struct __sk_buff, cb[4]) + 2),
2122 BPF_EXIT_INSN(),
2123 },
2124 .result = ACCEPT,
2125 },
2126 {
2127 "check cb access: half, unaligned",
2128 .insns = {
2129 BPF_MOV64_IMM(BPF_REG_0, 0),
2130 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2131 offsetof(struct __sk_buff, cb[0]) + 1),
2132 BPF_EXIT_INSN(),
2133 },
f65b1849 2134 .errstr = "misaligned context access",
62c7989b 2135 .result = REJECT,
f65b1849 2136 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
62c7989b
DB		 2137 },
2138 {
31fd8581 2139 "check __sk_buff->hash, offset 0, half store not permitted",
62c7989b
DB		 2140 .insns = {
2141 BPF_MOV64_IMM(BPF_REG_0, 0),
2142 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
31fd8581 2143 offsetof(struct __sk_buff, hash)),
62c7989b
DB		 2144 BPF_EXIT_INSN(),
2145 },
2146 .errstr = "invalid bpf_context access",
2147 .result = REJECT,
2148 },
2149 {
31fd8581 2150 "check __sk_buff->tc_index, offset 2, half store not permitted",
62c7989b
DB		 2151 .insns = {
2152 BPF_MOV64_IMM(BPF_REG_0, 0),
2153 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
31fd8581 2154 offsetof(struct __sk_buff, tc_index) + 2),
62c7989b
DB		 2155 BPF_EXIT_INSN(),
2156 },
2157 .errstr = "invalid bpf_context access",
2158 .result = REJECT,
2159 },
18f3d6be
YS		 2160 {
2161 "check skb->hash half load permitted",
2162 .insns = {
2163 BPF_MOV64_IMM(BPF_REG_0, 0),
2c460621 2164#if __BYTE_ORDER == __LITTLE_ENDIAN
18f3d6be
YS		 2165 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2166 offsetof(struct __sk_buff, hash)),
2167#else
2168 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2169 offsetof(struct __sk_buff, hash) + 2),
2170#endif
2171 BPF_EXIT_INSN(),
2172 },
2173 .result = ACCEPT,
2174 },
2175 {
2176 "check skb->hash half load not permitted",
2177 .insns = {
2178 BPF_MOV64_IMM(BPF_REG_0, 0),
2c460621 2179#if __BYTE_ORDER == __LITTLE_ENDIAN
18f3d6be
YS		 2180 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2181 offsetof(struct __sk_buff, hash) + 2),
2182#else
2183 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2184 offsetof(struct __sk_buff, hash)),
2185#endif
2186 BPF_EXIT_INSN(),
2187 },
2188 .errstr = "invalid bpf_context access",
2189 .result = REJECT,
2190 },
62c7989b
DB		 2191 {
2192 "check cb access: half, wrong type",
2193 .insns = {
2194 BPF_MOV64_IMM(BPF_REG_0, 0),
2195 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2196 offsetof(struct __sk_buff, cb[0])),
2197 BPF_EXIT_INSN(),
2198 },
2199 .errstr = "invalid bpf_context access",
2200 .result = REJECT,
2201 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2202 },
2203 {
2204 "check cb access: word",
2205 .insns = {
2206 BPF_MOV64_IMM(BPF_REG_0, 0),
2207 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2208 offsetof(struct __sk_buff, cb[0])),
2209 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2210 offsetof(struct __sk_buff, cb[1])),
2211 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2212 offsetof(struct __sk_buff, cb[2])),
2213 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2214 offsetof(struct __sk_buff, cb[3])),
2215 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2216 offsetof(struct __sk_buff, cb[4])),
2217 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2218 offsetof(struct __sk_buff, cb[0])),
2219 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2220 offsetof(struct __sk_buff, cb[1])),
2221 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2222 offsetof(struct __sk_buff, cb[2])),
2223 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2224 offsetof(struct __sk_buff, cb[3])),
2225 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2226 offsetof(struct __sk_buff, cb[4])),
2227 BPF_EXIT_INSN(),
2228 },
2229 .result = ACCEPT,
2230 },
2231 {
2232 "check cb access: word, unaligned 1",
2233 .insns = {
2234 BPF_MOV64_IMM(BPF_REG_0, 0),
2235 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2236 offsetof(struct __sk_buff, cb[0]) + 2),
2237 BPF_EXIT_INSN(),
2238 },
f65b1849 2239 .errstr = "misaligned context access",
62c7989b 2240 .result = REJECT,
f65b1849 2241 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
62c7989b
DB		 2242 },
2243 {
2244 "check cb access: word, unaligned 2",
2245 .insns = {
2246 BPF_MOV64_IMM(BPF_REG_0, 0),
2247 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2248 offsetof(struct __sk_buff, cb[4]) + 1),
2249 BPF_EXIT_INSN(),
2250 },
f65b1849 2251 .errstr = "misaligned context access",
62c7989b 2252 .result = REJECT,
f65b1849 2253 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
62c7989b
DB		 2254 },
2255 {
2256 "check cb access: word, unaligned 3",
2257 .insns = {
2258 BPF_MOV64_IMM(BPF_REG_0, 0),
2259 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2260 offsetof(struct __sk_buff, cb[4]) + 2),
2261 BPF_EXIT_INSN(),
2262 },
f65b1849 2263 .errstr = "misaligned context access",
62c7989b 2264 .result = REJECT,
f65b1849 2265 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
62c7989b
DB		 2266 },
2267 {
2268 "check cb access: word, unaligned 4",
2269 .insns = {
2270 BPF_MOV64_IMM(BPF_REG_0, 0),
2271 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2272 offsetof(struct __sk_buff, cb[4]) + 3),
2273 BPF_EXIT_INSN(),
2274 },
f65b1849 2275 .errstr = "misaligned context access",
62c7989b 2276 .result = REJECT,
f65b1849 2277 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
62c7989b
DB		 2278 },
2279 {
2280 "check cb access: double",
2281 .insns = {
2282 BPF_MOV64_IMM(BPF_REG_0, 0),
2283 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2284 offsetof(struct __sk_buff, cb[0])),
2285 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2286 offsetof(struct __sk_buff, cb[2])),
2287 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2288 offsetof(struct __sk_buff, cb[0])),
2289 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2290 offsetof(struct __sk_buff, cb[2])),
2291 BPF_EXIT_INSN(),
2292 },
2293 .result = ACCEPT,
2294 },
2295 {
2296 "check cb access: double, unaligned 1",
2297 .insns = {
2298 BPF_MOV64_IMM(BPF_REG_0, 0),
2299 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2300 offsetof(struct __sk_buff, cb[1])),
2301 BPF_EXIT_INSN(),
2302 },
f65b1849 2303 .errstr = "misaligned context access",
62c7989b 2304 .result = REJECT,
f65b1849 2305 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
62c7989b
DB		 2306 },
2307 {
2308 "check cb access: double, unaligned 2",
2309 .insns = {
2310 BPF_MOV64_IMM(BPF_REG_0, 0),
2311 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2312 offsetof(struct __sk_buff, cb[3])),
2313 BPF_EXIT_INSN(),
2314 },
f65b1849 2315 .errstr = "misaligned context access",
62c7989b 2316 .result = REJECT,
f65b1849 2317 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
62c7989b
DB		 2318 },
2319 {
2320 "check cb access: double, oob 1",
2321 .insns = {
2322 BPF_MOV64_IMM(BPF_REG_0, 0),
2323 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2324 offsetof(struct __sk_buff, cb[4])),
2325 BPF_EXIT_INSN(),
2326 },
2327 .errstr = "invalid bpf_context access",
2328 .result = REJECT,
2329 },
2330 {
2331 "check cb access: double, oob 2",
62c7989b
DB		 2332 .insns = {
2333 BPF_MOV64_IMM(BPF_REG_0, 0),
2334 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2335 offsetof(struct __sk_buff, cb[4])),
2336 BPF_EXIT_INSN(),
2337 },
2338 .errstr = "invalid bpf_context access",
2339 .result = REJECT,
2340 },
2341 {
31fd8581 2342 "check __sk_buff->ifindex dw store not permitted",
62c7989b
DB		 2343 .insns = {
2344 BPF_MOV64_IMM(BPF_REG_0, 0),
31fd8581
YS		 2345 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2346 offsetof(struct __sk_buff, ifindex)),
62c7989b
DB		 2347 BPF_EXIT_INSN(),
2348 },
2349 .errstr = "invalid bpf_context access",
2350 .result = REJECT,
2351 },
2352 {
31fd8581 2353 "check __sk_buff->ifindex dw load not permitted",
62c7989b
DB		 2354 .insns = {
2355 BPF_MOV64_IMM(BPF_REG_0, 0),
2356 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
31fd8581 2357 offsetof(struct __sk_buff, ifindex)),
62c7989b
DB		 2358 BPF_EXIT_INSN(),
2359 },
2360 .errstr = "invalid bpf_context access",
2361 .result = REJECT,
2362 },
2363 {
2364 "check cb access: double, wrong type",
2365 .insns = {
2366 BPF_MOV64_IMM(BPF_REG_0, 0),
2367 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
d691f9e8
AS		 2368 offsetof(struct __sk_buff, cb[0])),
2369 BPF_EXIT_INSN(),
2370 },
2371 .errstr = "invalid bpf_context access",
2372 .result = REJECT,
62c7989b 2373 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
d691f9e8
AS		 2374 },
2375 {
2376 "check out of range skb->cb access",
2377 .insns = {
2378 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
bf508877 2379 offsetof(struct __sk_buff, cb[0]) + 256),
d691f9e8
AS		 2380 BPF_EXIT_INSN(),
2381 },
2382 .errstr = "invalid bpf_context access",
bf508877 2383 .errstr_unpriv = "",
d691f9e8
AS		 2384 .result = REJECT,
2385 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
2386 },
2387 {
2388 "write skb fields from socket prog",
2389 .insns = {
2390 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2391 offsetof(struct __sk_buff, cb[4])),
2392 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2393 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2394 offsetof(struct __sk_buff, mark)),
2395 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2396 offsetof(struct __sk_buff, tc_index)),
2397 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2398 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2399 offsetof(struct __sk_buff, cb[0])),
2400 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2401 offsetof(struct __sk_buff, cb[2])),
2402 BPF_EXIT_INSN(),
2403 },
2404 .result = ACCEPT,
bf508877
AS		 2405 .errstr_unpriv = "R1 leaks addr",
2406 .result_unpriv = REJECT,
d691f9e8
AS		 2407 },
2408 {
2409 "write skb fields from tc_cls_act prog",
2410 .insns = {
2411 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2412 offsetof(struct __sk_buff, cb[0])),
2413 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2414 offsetof(struct __sk_buff, mark)),
2415 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2416 offsetof(struct __sk_buff, tc_index)),
2417 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2418 offsetof(struct __sk_buff, tc_index)),
2419 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2420 offsetof(struct __sk_buff, cb[3])),
2421 BPF_EXIT_INSN(),
2422 },
bf508877
AS		 2423 .errstr_unpriv = "",
2424 .result_unpriv = REJECT,
d691f9e8
AS		 2425 .result = ACCEPT,
2426 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2427 },
24b4d2ab
AG		 2428 {
2429 "PTR_TO_STACK store/load",
2430 .insns = {
2431 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2432 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2433 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2434 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2435 BPF_EXIT_INSN(),
2436 },
2437 .result = ACCEPT,
111e6b45 2438 .retval = 0xfaceb00c,
24b4d2ab
AG		 2439 },
2440 {
2441 "PTR_TO_STACK store/load - bad alignment on off",
2442 .insns = {
2443 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2444 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2445 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2446 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2447 BPF_EXIT_INSN(),
2448 },
2449 .result = REJECT,
f65b1849 2450 .errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
24b4d2ab
AG		 2451 },
2452 {
2453 "PTR_TO_STACK store/load - bad alignment on reg",
2454 .insns = {
2455 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2456 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2457 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2458 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2459 BPF_EXIT_INSN(),
2460 },
2461 .result = REJECT,
f65b1849 2462 .errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
24b4d2ab
AG		 2463 },
2464 {
2465 "PTR_TO_STACK store/load - out of bounds low",
2466 .insns = {
2467 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2468 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
2469 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2470 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2471 BPF_EXIT_INSN(),
2472 },
2473 .result = REJECT,
2474 .errstr = "invalid stack off=-79992 size=8",
2475 },
2476 {
2477 "PTR_TO_STACK store/load - out of bounds high",
2478 .insns = {
2479 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2480 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2481 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2482 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2483 BPF_EXIT_INSN(),
2484 },
2485 .result = REJECT,
2486 .errstr = "invalid stack off=0 size=8",
2487 },
bf508877
AS		 2488 {
2489 "unpriv: return pointer",
2490 .insns = {
2491 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
2492 BPF_EXIT_INSN(),
2493 },
2494 .result = ACCEPT,
2495 .result_unpriv = REJECT,
2496 .errstr_unpriv = "R0 leaks addr",
111e6b45 2497 .retval = POINTER_VALUE,
bf508877
AS		 2498 },
2499 {
2500 "unpriv: add const to pointer",
2501 .insns = {
2502 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2503 BPF_MOV64_IMM(BPF_REG_0, 0),
2504 BPF_EXIT_INSN(),
2505 },
2506 .result = ACCEPT,
bf508877
AS		 2507 },
2508 {
2509 "unpriv: add pointer to pointer",
2510 .insns = {
2511 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2512 BPF_MOV64_IMM(BPF_REG_0, 0),
2513 BPF_EXIT_INSN(),
2514 },
82abbf8d
AS		 2515 .result = REJECT,
2516 .errstr = "R1 pointer += pointer",
bf508877
AS		 2517 },
2518 {
2519 "unpriv: neg pointer",
2520 .insns = {
2521 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
2522 BPF_MOV64_IMM(BPF_REG_0, 0),
2523 BPF_EXIT_INSN(),
2524 },
2525 .result = ACCEPT,
2526 .result_unpriv = REJECT,
2527 .errstr_unpriv = "R1 pointer arithmetic",
2528 },
2529 {
2530 "unpriv: cmp pointer with const",
2531 .insns = {
2532 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2533 BPF_MOV64_IMM(BPF_REG_0, 0),
2534 BPF_EXIT_INSN(),
2535 },
2536 .result = ACCEPT,
2537 .result_unpriv = REJECT,
2538 .errstr_unpriv = "R1 pointer comparison",
2539 },
2540 {
2541 "unpriv: cmp pointer with pointer",
2542 .insns = {
2543 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
2544 BPF_MOV64_IMM(BPF_REG_0, 0),
2545 BPF_EXIT_INSN(),
2546 },
2547 .result = ACCEPT,
2548 .result_unpriv = REJECT,
2549 .errstr_unpriv = "R10 pointer comparison",
2550 },
2551 {
2552 "unpriv: check that printk is disallowed",
2553 .insns = {
2554 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2555 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2556 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2557 BPF_MOV64_IMM(BPF_REG_2, 8),
2558 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
5aa5bd14
DB		 2559 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2560 BPF_FUNC_trace_printk),
bf508877
AS		 2561 BPF_MOV64_IMM(BPF_REG_0, 0),
2562 BPF_EXIT_INSN(),
2563 },
0eb6984f 2564 .errstr_unpriv = "unknown func bpf_trace_printk#6",
bf508877
AS		 2565 .result_unpriv = REJECT,
2566 .result = ACCEPT,
2567 },
2568 {
2569 "unpriv: pass pointer to helper function",
2570 .insns = {
2571 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2572 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2573 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2574 BPF_LD_MAP_FD(BPF_REG_1, 0),
2575 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2576 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
5aa5bd14
DB		 2577 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2578 BPF_FUNC_map_update_elem),
bf508877
AS		 2579 BPF_MOV64_IMM(BPF_REG_0, 0),
2580 BPF_EXIT_INSN(),
2581 },
908142e6 2582 .fixup_map_hash_8b = { 3 },
bf508877
AS		 2583 .errstr_unpriv = "R4 leaks addr",
2584 .result_unpriv = REJECT,
2585 .result = ACCEPT,
2586 },
2587 {
2588 "unpriv: indirectly pass pointer on stack to helper function",
2589 .insns = {
2590 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2591 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2592 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2593 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 2594 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2595 BPF_FUNC_map_lookup_elem),
bf508877
AS		 2596 BPF_MOV64_IMM(BPF_REG_0, 0),
2597 BPF_EXIT_INSN(),
2598 },
908142e6 2599 .fixup_map_hash_8b = { 3 },
bf508877
AS		 2600 .errstr = "invalid indirect read from stack off -8+0 size 8",
2601 .result = REJECT,
2602 },
2603 {
2604 "unpriv: mangle pointer on stack 1",
2605 .insns = {
2606 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2607 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
2608 BPF_MOV64_IMM(BPF_REG_0, 0),
2609 BPF_EXIT_INSN(),
2610 },
2611 .errstr_unpriv = "attempt to corrupt spilled",
2612 .result_unpriv = REJECT,
2613 .result = ACCEPT,
2614 },
2615 {
2616 "unpriv: mangle pointer on stack 2",
2617 .insns = {
2618 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2619 BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
2620 BPF_MOV64_IMM(BPF_REG_0, 0),
2621 BPF_EXIT_INSN(),
2622 },
2623 .errstr_unpriv = "attempt to corrupt spilled",
2624 .result_unpriv = REJECT,
2625 .result = ACCEPT,
2626 },
2627 {
2628 "unpriv: read pointer from stack in small chunks",
2629 .insns = {
2630 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2631 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
2632 BPF_MOV64_IMM(BPF_REG_0, 0),
2633 BPF_EXIT_INSN(),
2634 },
2635 .errstr = "invalid size",
2636 .result = REJECT,
2637 },
2638 {
2639 "unpriv: write pointer into ctx",
2640 .insns = {
2641 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
2642 BPF_MOV64_IMM(BPF_REG_0, 0),
2643 BPF_EXIT_INSN(),
2644 },
2645 .errstr_unpriv = "R1 leaks addr",
2646 .result_unpriv = REJECT,
2647 .errstr = "invalid bpf_context access",
2648 .result = REJECT,
2649 },
1a776b9c
DB		 2650 {
2651 "unpriv: spill/fill of ctx",
2652 .insns = {
2653 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2654 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2655 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2656 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2657 BPF_MOV64_IMM(BPF_REG_0, 0),
2658 BPF_EXIT_INSN(),
2659 },
2660 .result = ACCEPT,
2661 },
2662 {
2663 "unpriv: spill/fill of ctx 2",
2664 .insns = {
2665 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2666 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2667 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2668 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
5aa5bd14
DB		 2669 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2670 BPF_FUNC_get_hash_recalc),
111e6b45 2671 BPF_MOV64_IMM(BPF_REG_0, 0),
1a776b9c
DB		 2672 BPF_EXIT_INSN(),
2673 },
2674 .result = ACCEPT,
2675 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2676 },
2677 {
2678 "unpriv: spill/fill of ctx 3",
2679 .insns = {
2680 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2681 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2682 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2683 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2684 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
5aa5bd14
DB		 2685 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2686 BPF_FUNC_get_hash_recalc),
1a776b9c
DB		 2687 BPF_EXIT_INSN(),
2688 },
2689 .result = REJECT,
2690 .errstr = "R1 type=fp expected=ctx",
2691 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2692 },
2693 {
2694 "unpriv: spill/fill of ctx 4",
2695 .insns = {
2696 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2697 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2698 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2699 BPF_MOV64_IMM(BPF_REG_0, 1),
5aa5bd14
DB		 2700 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
2701 BPF_REG_0, -8, 0),
1a776b9c 2702 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
5aa5bd14
DB		 2703 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2704 BPF_FUNC_get_hash_recalc),
1a776b9c
DB		 2705 BPF_EXIT_INSN(),
2706 },
2707 .result = REJECT,
2708 .errstr = "R1 type=inv expected=ctx",
2709 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2710 },
2711 {
2712 "unpriv: spill/fill of different pointers stx",
2713 .insns = {
2714 BPF_MOV64_IMM(BPF_REG_3, 42),
2715 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2716 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2717 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2718 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2719 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
2720 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2721 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2722 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2723 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2724 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2725 offsetof(struct __sk_buff, mark)),
2726 BPF_MOV64_IMM(BPF_REG_0, 0),
2727 BPF_EXIT_INSN(),
2728 },
2729 .result = REJECT,
2730 .errstr = "same insn cannot be used with different pointers",
2731 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2732 },
b584ab88
JS		 2733 {
2734 "unpriv: spill/fill of different pointers stx - ctx and sock",
2735 .insns = {
2736 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2737 /* struct bpf_sock *sock = bpf_sock_lookup(...); */
2738 BPF_SK_LOOKUP,
2739 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2740 /* u64 foo; */
2741 /* void *target = &foo; */
2742 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2743 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2744 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2745 /* if (skb == NULL) *target = sock; */
2746 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2747 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2748 /* else *target = skb; */
2749 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2750 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2751 /* struct __sk_buff *skb = *target; */
2752 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2753 /* skb->mark = 42; */
2754 BPF_MOV64_IMM(BPF_REG_3, 42),
2755 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2756 offsetof(struct __sk_buff, mark)),
2757 /* if (sk) bpf_sk_release(sk) */
2758 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2759 BPF_EMIT_CALL(BPF_FUNC_sk_release),
2760 BPF_MOV64_IMM(BPF_REG_0, 0),
2761 BPF_EXIT_INSN(),
2762 },
2763 .result = REJECT,
2764 .errstr = "type=ctx expected=sock",
2765 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2766 },
2767 {
2768 "unpriv: spill/fill of different pointers stx - leak sock",
2769 .insns = {
2770 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2771 /* struct bpf_sock *sock = bpf_sock_lookup(...); */
2772 BPF_SK_LOOKUP,
2773 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2774 /* u64 foo; */
2775 /* void *target = &foo; */
2776 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2777 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2778 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2779 /* if (skb == NULL) *target = sock; */
2780 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2781 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2782 /* else *target = skb; */
2783 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2784 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2785 /* struct __sk_buff *skb = *target; */
2786 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2787 /* skb->mark = 42; */
2788 BPF_MOV64_IMM(BPF_REG_3, 42),
2789 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2790 offsetof(struct __sk_buff, mark)),
2791 BPF_EXIT_INSN(),
2792 },
2793 .result = REJECT,
2794 //.errstr = "same insn cannot be used with different pointers",
2795 .errstr = "Unreleased reference",
2796 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2797 },
2798 {
2799 "unpriv: spill/fill of different pointers stx - sock and ctx (read)",
2800 .insns = {
2801 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2802 /* struct bpf_sock *sock = bpf_sock_lookup(...); */
2803 BPF_SK_LOOKUP,
2804 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2805 /* u64 foo; */
2806 /* void *target = &foo; */
2807 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2808 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2809 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2810 /* if (skb) *target = skb */
2811 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2812 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2813 /* else *target = sock */
2814 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2815 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2816 /* struct bpf_sock *sk = *target; */
2817 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2818 /* if (sk) u32 foo = sk->mark; bpf_sk_release(sk); */
2819 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
2820 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2821 offsetof(struct bpf_sock, mark)),
2822 BPF_EMIT_CALL(BPF_FUNC_sk_release),
2823 BPF_MOV64_IMM(BPF_REG_0, 0),
2824 BPF_EXIT_INSN(),
2825 },
2826 .result = REJECT,
2827 .errstr = "same insn cannot be used with different pointers",
2828 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2829 },
2830 {
2831 "unpriv: spill/fill of different pointers stx - sock and ctx (write)",
2832 .insns = {
2833 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2834 /* struct bpf_sock *sock = bpf_sock_lookup(...); */
2835 BPF_SK_LOOKUP,
2836 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2837 /* u64 foo; */
2838 /* void *target = &foo; */
2839 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2840 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2841 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2842 /* if (skb) *target = skb */
2843 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2844 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2845 /* else *target = sock */
2846 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2847 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2848 /* struct bpf_sock *sk = *target; */
2849 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2850 /* if (sk) sk->mark = 42; bpf_sk_release(sk); */
2851 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2852 BPF_MOV64_IMM(BPF_REG_3, 42),
2853 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2854 offsetof(struct bpf_sock, mark)),
2855 BPF_EMIT_CALL(BPF_FUNC_sk_release),
2856 BPF_MOV64_IMM(BPF_REG_0, 0),
2857 BPF_EXIT_INSN(),
2858 },
2859 .result = REJECT,
2860 //.errstr = "same insn cannot be used with different pointers",
2861 .errstr = "cannot write into socket",
2862 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2863 },
1a776b9c
DB		 2864 {
2865 "unpriv: spill/fill of different pointers ldx",
2866 .insns = {
2867 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2868 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2869 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2870 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2871 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
2872 -(__s32)offsetof(struct bpf_perf_event_data,
2873 sample_period) - 8),
2874 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2875 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2876 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2877 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2878 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
2879 offsetof(struct bpf_perf_event_data,
2880 sample_period)),
2881 BPF_MOV64_IMM(BPF_REG_0, 0),
2882 BPF_EXIT_INSN(),
2883 },
2884 .result = REJECT,
2885 .errstr = "same insn cannot be used with different pointers",
2886 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
2887 },
bf508877
AS		 2888 {
2889 "unpriv: write pointer into map elem value",
2890 .insns = {
2891 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2892 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2893 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2894 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 2895 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2896 BPF_FUNC_map_lookup_elem),
bf508877
AS		 2897 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2898 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
2899 BPF_EXIT_INSN(),
2900 },
908142e6 2901 .fixup_map_hash_8b = { 3 },
bf508877
AS		 2902 .errstr_unpriv = "R0 leaks addr",
2903 .result_unpriv = REJECT,
2904 .result = ACCEPT,
2905 },
2906 {
2907 "unpriv: partial copy of pointer",
2908 .insns = {
2909 BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
2910 BPF_MOV64_IMM(BPF_REG_0, 0),
2911 BPF_EXIT_INSN(),
2912 },
2913 .errstr_unpriv = "R10 partial copy",
2914 .result_unpriv = REJECT,
2915 .result = ACCEPT,
2916 },
2917 {
2918 "unpriv: pass pointer to tail_call",
2919 .insns = {
2920 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2921 BPF_LD_MAP_FD(BPF_REG_2, 0),
5aa5bd14
DB		 2922 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2923 BPF_FUNC_tail_call),
bf508877
AS		 2924 BPF_MOV64_IMM(BPF_REG_0, 0),
2925 BPF_EXIT_INSN(),
2926 },
06be0864 2927 .fixup_prog1 = { 1 },
bf508877
AS		 2928 .errstr_unpriv = "R3 leaks addr into helper",
2929 .result_unpriv = REJECT,
2930 .result = ACCEPT,
2931 },
2932 {
2933 "unpriv: cmp map pointer with zero",
2934 .insns = {
2935 BPF_MOV64_IMM(BPF_REG_1, 0),
2936 BPF_LD_MAP_FD(BPF_REG_1, 0),
2937 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2938 BPF_MOV64_IMM(BPF_REG_0, 0),
2939 BPF_EXIT_INSN(),
2940 },
908142e6 2941 .fixup_map_hash_8b = { 1 },
bf508877
AS		 2942 .errstr_unpriv = "R1 pointer comparison",
2943 .result_unpriv = REJECT,
2944 .result = ACCEPT,
2945 },
2946 {
2947 "unpriv: write into frame pointer",
2948 .insns = {
2949 BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
2950 BPF_MOV64_IMM(BPF_REG_0, 0),
2951 BPF_EXIT_INSN(),
2952 },
2953 .errstr = "frame pointer is read only",
2954 .result = REJECT,
2955 },
1a776b9c
DB		 2956 {
2957 "unpriv: spill/fill frame pointer",
2958 .insns = {
2959 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2960 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2961 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2962 BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
2963 BPF_MOV64_IMM(BPF_REG_0, 0),
2964 BPF_EXIT_INSN(),
2965 },
2966 .errstr = "frame pointer is read only",
2967 .result = REJECT,
2968 },
bf508877
AS		 2969 {
2970 "unpriv: cmp of frame pointer",
2971 .insns = {
2972 BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
2973 BPF_MOV64_IMM(BPF_REG_0, 0),
2974 BPF_EXIT_INSN(),
2975 },
2976 .errstr_unpriv = "R10 pointer comparison",
2977 .result_unpriv = REJECT,
2978 .result = ACCEPT,
2979 },
728a853a
DB		 2980 {
2981 "unpriv: adding of fp",
2982 .insns = {
2983 BPF_MOV64_IMM(BPF_REG_0, 0),
2984 BPF_MOV64_IMM(BPF_REG_1, 0),
2985 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2986 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
2987 BPF_EXIT_INSN(),
2988 },
f65b1849 2989 .result = ACCEPT,
728a853a 2990 },
bf508877
AS		 2991 {
2992 "unpriv: cmp of stack pointer",
2993 .insns = {
2994 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2995 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2996 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
2997 BPF_MOV64_IMM(BPF_REG_0, 0),
2998 BPF_EXIT_INSN(),
2999 },
3000 .errstr_unpriv = "R2 pointer comparison",
3001 .result_unpriv = REJECT,
3002 .result = ACCEPT,
3003 },
b33eb735
DB		 3004 {
3005 "runtime/jit: tail_call within bounds, prog once",
3006 .insns = {
3007 BPF_MOV64_IMM(BPF_REG_3, 0),
3008 BPF_LD_MAP_FD(BPF_REG_2, 0),
3009 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3010 BPF_FUNC_tail_call),
3011 BPF_MOV64_IMM(BPF_REG_0, 1),
3012 BPF_EXIT_INSN(),
3013 },
06be0864 3014 .fixup_prog1 = { 1 },
b33eb735
DB		 3015 .result = ACCEPT,
3016 .retval = 42,
3017 },
3018 {
3019 "runtime/jit: tail_call within bounds, prog loop",
3020 .insns = {
3021 BPF_MOV64_IMM(BPF_REG_3, 1),
3022 BPF_LD_MAP_FD(BPF_REG_2, 0),
3023 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3024 BPF_FUNC_tail_call),
3025 BPF_MOV64_IMM(BPF_REG_0, 1),
3026 BPF_EXIT_INSN(),
3027 },
06be0864 3028 .fixup_prog1 = { 1 },
b33eb735
DB		 3029 .result = ACCEPT,
3030 .retval = 41,
3031 },
3032 {
3033 "runtime/jit: tail_call within bounds, no prog",
3034 .insns = {
3035 BPF_MOV64_IMM(BPF_REG_3, 2),
3036 BPF_LD_MAP_FD(BPF_REG_2, 0),
3037 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3038 BPF_FUNC_tail_call),
3039 BPF_MOV64_IMM(BPF_REG_0, 1),
3040 BPF_EXIT_INSN(),
3041 },
06be0864 3042 .fixup_prog1 = { 1 },
b33eb735
DB		 3043 .result = ACCEPT,
3044 .retval = 1,
3045 },
3046 {
3047 "runtime/jit: tail_call out of bounds",
3048 .insns = {
3049 BPF_MOV64_IMM(BPF_REG_3, 256),
3050 BPF_LD_MAP_FD(BPF_REG_2, 0),
3051 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3052 BPF_FUNC_tail_call),
3053 BPF_MOV64_IMM(BPF_REG_0, 2),
3054 BPF_EXIT_INSN(),
3055 },
06be0864 3056 .fixup_prog1 = { 1 },
b33eb735
DB		 3057 .result = ACCEPT,
3058 .retval = 2,
3059 },
16338a9b
DB		 3060 {
3061 "runtime/jit: pass negative index to tail_call",
3062 .insns = {
3063 BPF_MOV64_IMM(BPF_REG_3, -1),
3064 BPF_LD_MAP_FD(BPF_REG_2, 0),
3065 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3066 BPF_FUNC_tail_call),
b33eb735 3067 BPF_MOV64_IMM(BPF_REG_0, 2),
16338a9b
DB		 3068 BPF_EXIT_INSN(),
3069 },
06be0864 3070 .fixup_prog1 = { 1 },
16338a9b 3071 .result = ACCEPT,
b33eb735 3072 .retval = 2,
16338a9b
DB		 3073 },
3074 {
3075 "runtime/jit: pass > 32bit index to tail_call",
3076 .insns = {
3077 BPF_LD_IMM64(BPF_REG_3, 0x100000000ULL),
3078 BPF_LD_MAP_FD(BPF_REG_2, 0),
3079 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3080 BPF_FUNC_tail_call),
b33eb735 3081 BPF_MOV64_IMM(BPF_REG_0, 2),
16338a9b
DB		 3082 BPF_EXIT_INSN(),
3083 },
06be0864 3084 .fixup_prog1 = { 2 },
16338a9b 3085 .result = ACCEPT,
b33eb735 3086 .retval = 42,
832c6f2c
DB		 3087 /* Verifier rewrite for unpriv skips tail call here. */
3088 .retval_unpriv = 2,
16338a9b 3089 },
bf508877 3090 {
332270fd 3091 "stack pointer arithmetic",
bf508877 3092 .insns = {
332270fd
YS		 3093 BPF_MOV64_IMM(BPF_REG_1, 4),
3094 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
3095 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
3096 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
3097 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
3098 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3099 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
3100 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
3101 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3102 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3103 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
bf508877
AS		 3104 BPF_MOV64_IMM(BPF_REG_0, 0),
3105 BPF_EXIT_INSN(),
3106 },
bf508877
AS		 3107 .result = ACCEPT,
3108 },
3f2050e2
DB		 3109 {
3110 "raw_stack: no skb_load_bytes",
3111 .insns = {
3112 BPF_MOV64_IMM(BPF_REG_2, 4),
3113 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3114 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3115 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3116 BPF_MOV64_IMM(BPF_REG_4, 8),
3117 /* Call to skb_load_bytes() omitted. */
3118 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3119 BPF_EXIT_INSN(),
3120 },
3121 .result = REJECT,
3122 .errstr = "invalid read from stack off -8+0 size 8",
3123 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3124 },
7d95b0ab
DB		 3125 {
3126 "raw_stack: skb_load_bytes, negative len",
3127 .insns = {
3128 BPF_MOV64_IMM(BPF_REG_2, 4),
3129 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3130 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3131 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3132 BPF_MOV64_IMM(BPF_REG_4, -8),
5aa5bd14
DB		 3133 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3134 BPF_FUNC_skb_load_bytes),
7d95b0ab
DB		 3135 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3136 BPF_EXIT_INSN(),
3137 },
3138 .result = REJECT,
f65b1849 3139 .errstr = "R4 min value is negative",
7d95b0ab
DB		 3140 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3141 },
3142 {
3143 "raw_stack: skb_load_bytes, negative len 2",
3144 .insns = {
3145 BPF_MOV64_IMM(BPF_REG_2, 4),
3146 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3147 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3148 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3149 BPF_MOV64_IMM(BPF_REG_4, ~0),
5aa5bd14
DB		 3150 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3151 BPF_FUNC_skb_load_bytes),
7d95b0ab
DB		 3152 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3153 BPF_EXIT_INSN(),
3154 },
3155 .result = REJECT,
f65b1849 3156 .errstr = "R4 min value is negative",
7d95b0ab
DB		 3157 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3158 },
3159 {
3160 "raw_stack: skb_load_bytes, zero len",
3161 .insns = {
3162 BPF_MOV64_IMM(BPF_REG_2, 4),
3163 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3164 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3165 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3166 BPF_MOV64_IMM(BPF_REG_4, 0),
5aa5bd14
DB		 3167 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3168 BPF_FUNC_skb_load_bytes),
7d95b0ab
DB		 3169 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3170 BPF_EXIT_INSN(),
3171 },
3172 .result = REJECT,
3173 .errstr = "invalid stack type R3",
3174 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3175 },
3f2050e2
DB		 3176 {
3177 "raw_stack: skb_load_bytes, no init",
3178 .insns = {
3179 BPF_MOV64_IMM(BPF_REG_2, 4),
3180 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3181 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3182 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3183 BPF_MOV64_IMM(BPF_REG_4, 8),
5aa5bd14
DB		 3184 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3185 BPF_FUNC_skb_load_bytes),
3f2050e2
DB		 3186 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3187 BPF_EXIT_INSN(),
3188 },
3189 .result = ACCEPT,
3190 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3191 },
3192 {
3193 "raw_stack: skb_load_bytes, init",
3194 .insns = {
3195 BPF_MOV64_IMM(BPF_REG_2, 4),
3196 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3197 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3198 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
3199 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3200 BPF_MOV64_IMM(BPF_REG_4, 8),
5aa5bd14
DB		 3201 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3202 BPF_FUNC_skb_load_bytes),
3f2050e2
DB		 3203 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3204 BPF_EXIT_INSN(),
3205 },
3206 .result = ACCEPT,
3207 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3208 },
3209 {
3210 "raw_stack: skb_load_bytes, spilled regs around bounds",
3211 .insns = {
3212 BPF_MOV64_IMM(BPF_REG_2, 4),
3213 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3214 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
5aa5bd14
DB		 3215 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3216 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3f2050e2
DB		 3217 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3218 BPF_MOV64_IMM(BPF_REG_4, 8),
5aa5bd14
DB		 3219 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3220 BPF_FUNC_skb_load_bytes),
3221 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3222 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3f2050e2
DB		 3223 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3224 offsetof(struct __sk_buff, mark)),
3225 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3226 offsetof(struct __sk_buff, priority)),
3227 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3228 BPF_EXIT_INSN(),
3229 },
3230 .result = ACCEPT,
3231 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3232 },
3233 {
3234 "raw_stack: skb_load_bytes, spilled regs corruption",
3235 .insns = {
3236 BPF_MOV64_IMM(BPF_REG_2, 4),
3237 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3238 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
5aa5bd14 3239 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3f2050e2
DB		 3240 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3241 BPF_MOV64_IMM(BPF_REG_4, 8),
5aa5bd14
DB		 3242 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3243 BPF_FUNC_skb_load_bytes),
3244 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3f2050e2
DB		 3245 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3246 offsetof(struct __sk_buff, mark)),
3247 BPF_EXIT_INSN(),
3248 },
3249 .result = REJECT,
3250 .errstr = "R0 invalid mem access 'inv'",
3251 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3252 },
3253 {
3254 "raw_stack: skb_load_bytes, spilled regs corruption 2",
3255 .insns = {
3256 BPF_MOV64_IMM(BPF_REG_2, 4),
3257 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3258 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
5aa5bd14
DB		 3259 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3260 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3261 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3f2050e2
DB		 3262 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3263 BPF_MOV64_IMM(BPF_REG_4, 8),
5aa5bd14
DB		 3264 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3265 BPF_FUNC_skb_load_bytes),
3266 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3267 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3268 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
3f2050e2
DB		 3269 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3270 offsetof(struct __sk_buff, mark)),
3271 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3272 offsetof(struct __sk_buff, priority)),
3273 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3274 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
3275 offsetof(struct __sk_buff, pkt_type)),
3276 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3277 BPF_EXIT_INSN(),
3278 },
3279 .result = REJECT,
3280 .errstr = "R3 invalid mem access 'inv'",
3281 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3282 },
3283 {
3284 "raw_stack: skb_load_bytes, spilled regs + data",
3285 .insns = {
3286 BPF_MOV64_IMM(BPF_REG_2, 4),
3287 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3288 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
5aa5bd14
DB		 3289 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3290 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3291 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3f2050e2
DB		 3292 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3293 BPF_MOV64_IMM(BPF_REG_4, 8),
5aa5bd14
DB		 3294 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3295 BPF_FUNC_skb_load_bytes),
3296 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3297 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3298 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
3f2050e2
DB		 3299 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3300 offsetof(struct __sk_buff, mark)),
3301 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3302 offsetof(struct __sk_buff, priority)),
3303 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3304 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3305 BPF_EXIT_INSN(),
3306 },
3307 .result = ACCEPT,
3308 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3309 },
3310 {
3311 "raw_stack: skb_load_bytes, invalid access 1",
3312 .insns = {
3313 BPF_MOV64_IMM(BPF_REG_2, 4),
3314 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3315 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
3316 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3317 BPF_MOV64_IMM(BPF_REG_4, 8),
5aa5bd14
DB		 3318 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3319 BPF_FUNC_skb_load_bytes),
3f2050e2
DB		 3320 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3321 BPF_EXIT_INSN(),
3322 },
3323 .result = REJECT,
3324 .errstr = "invalid stack type R3 off=-513 access_size=8",
3325 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3326 },
3327 {
3328 "raw_stack: skb_load_bytes, invalid access 2",
3329 .insns = {
3330 BPF_MOV64_IMM(BPF_REG_2, 4),
3331 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3332 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3333 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3334 BPF_MOV64_IMM(BPF_REG_4, 8),
5aa5bd14
DB		 3335 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3336 BPF_FUNC_skb_load_bytes),
3f2050e2
DB		 3337 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3338 BPF_EXIT_INSN(),
3339 },
3340 .result = REJECT,
3341 .errstr = "invalid stack type R3 off=-1 access_size=8",
3342 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3343 },
3344 {
3345 "raw_stack: skb_load_bytes, invalid access 3",
3346 .insns = {
3347 BPF_MOV64_IMM(BPF_REG_2, 4),
3348 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3349 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
3350 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3351 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
5aa5bd14
DB		 3352 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3353 BPF_FUNC_skb_load_bytes),
3f2050e2
DB		 3354 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3355 BPF_EXIT_INSN(),
3356 },
3357 .result = REJECT,
f65b1849 3358 .errstr = "R4 min value is negative",
3f2050e2
DB		 3359 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3360 },
3361 {
3362 "raw_stack: skb_load_bytes, invalid access 4",
3363 .insns = {
3364 BPF_MOV64_IMM(BPF_REG_2, 4),
3365 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3366 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3367 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3368 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
5aa5bd14
DB		 3369 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3370 BPF_FUNC_skb_load_bytes),
3f2050e2
DB		 3371 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3372 BPF_EXIT_INSN(),
3373 },
3374 .result = REJECT,
f65b1849 3375 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3f2050e2
DB		 3376 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3377 },
3378 {
3379 "raw_stack: skb_load_bytes, invalid access 5",
3380 .insns = {
3381 BPF_MOV64_IMM(BPF_REG_2, 4),
3382 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3383 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3384 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3385 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
5aa5bd14
DB		 3386 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3387 BPF_FUNC_skb_load_bytes),
3f2050e2
DB		 3388 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3389 BPF_EXIT_INSN(),
3390 },
3391 .result = REJECT,
f65b1849 3392 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3f2050e2
DB		 3393 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3394 },
3395 {
3396 "raw_stack: skb_load_bytes, invalid access 6",
3397 .insns = {
3398 BPF_MOV64_IMM(BPF_REG_2, 4),
3399 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3400 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3401 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3402 BPF_MOV64_IMM(BPF_REG_4, 0),
5aa5bd14
DB		 3403 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3404 BPF_FUNC_skb_load_bytes),
3f2050e2
DB		 3405 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3406 BPF_EXIT_INSN(),
3407 },
3408 .result = REJECT,
3409 .errstr = "invalid stack type R3 off=-512 access_size=0",
3410 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3411 },
3412 {
3413 "raw_stack: skb_load_bytes, large access",
3414 .insns = {
3415 BPF_MOV64_IMM(BPF_REG_2, 4),
3416 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3417 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3418 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3419 BPF_MOV64_IMM(BPF_REG_4, 512),
5aa5bd14
DB		 3420 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3421 BPF_FUNC_skb_load_bytes),
3f2050e2
DB		 3422 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3423 BPF_EXIT_INSN(),
3424 },
3425 .result = ACCEPT,
3426 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3427 },
f37a8cb8
DB		 3428 {
3429 "context stores via ST",
3430 .insns = {
3431 BPF_MOV64_IMM(BPF_REG_0, 0),
3432 BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
3433 BPF_EXIT_INSN(),
3434 },
2a159c6f 3435 .errstr = "BPF_ST stores into R1 ctx is not allowed",
f37a8cb8
DB		 3436 .result = REJECT,
3437 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3438 },
3439 {
3440 "context stores via XADD",
3441 .insns = {
3442 BPF_MOV64_IMM(BPF_REG_0, 0),
3443 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1,
3444 BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
3445 BPF_EXIT_INSN(),
3446 },
2a159c6f 3447 .errstr = "BPF_XADD stores into R1 ctx is not allowed",
f37a8cb8
DB		 3448 .result = REJECT,
3449 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3450 },
883e44e4 3451 {
1633ac0a 3452 "direct packet access: test1",
883e44e4
AS		 3453 .insns = {
3454 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3455 offsetof(struct __sk_buff, data)),
3456 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3457 offsetof(struct __sk_buff, data_end)),
3458 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3459 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3460 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3461 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3462 BPF_MOV64_IMM(BPF_REG_0, 0),
3463 BPF_EXIT_INSN(),
3464 },
3465 .result = ACCEPT,
3466 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3467 },
3468 {
1633ac0a 3469 "direct packet access: test2",
883e44e4
AS		 3470 .insns = {
3471 BPF_MOV64_IMM(BPF_REG_0, 1),
3472 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
3473 offsetof(struct __sk_buff, data_end)),
3474 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3475 offsetof(struct __sk_buff, data)),
3476 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3477 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
3478 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
3479 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
3480 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
3481 BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
3482 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3483 offsetof(struct __sk_buff, data)),
3484 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
82abbf8d
AS		 3485 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3486 offsetof(struct __sk_buff, len)),
1f9ab38f
EC		 3487 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
3488 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
883e44e4
AS		 3489 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
3490 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
3491 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3492 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
3493 offsetof(struct __sk_buff, data_end)),
3494 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3495 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
3496 BPF_MOV64_IMM(BPF_REG_0, 0),
3497 BPF_EXIT_INSN(),
3498 },
3499 .result = ACCEPT,
3500 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3501 },
3502 {
1633ac0a 3503 "direct packet access: test3",
883e44e4
AS		 3504 .insns = {
3505 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3506 offsetof(struct __sk_buff, data)),
3507 BPF_MOV64_IMM(BPF_REG_0, 0),
3508 BPF_EXIT_INSN(),
3509 },
3510 .errstr = "invalid bpf_context access off=76",
3511 .result = REJECT,
3512 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
3513 },
3514 {
7d95b0ab 3515 "direct packet access: test4 (write)",
883e44e4
AS		 3516 .insns = {
3517 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3518 offsetof(struct __sk_buff, data)),
3519 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3520 offsetof(struct __sk_buff, data_end)),
3521 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3522 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3523 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3524 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3525 BPF_MOV64_IMM(BPF_REG_0, 0),
3526 BPF_EXIT_INSN(),
3527 },
7d95b0ab 3528 .result = ACCEPT,
883e44e4
AS		 3529 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3530 },
2d2be8ca
DB		 3531 {
3532 "direct packet access: test5 (pkt_end >= reg, good access)",
3533 .insns = {
3534 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3535 offsetof(struct __sk_buff, data)),
3536 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3537 offsetof(struct __sk_buff, data_end)),
3538 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3539 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3540 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3541 BPF_MOV64_IMM(BPF_REG_0, 1),
3542 BPF_EXIT_INSN(),
3543 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3544 BPF_MOV64_IMM(BPF_REG_0, 0),
3545 BPF_EXIT_INSN(),
3546 },
3547 .result = ACCEPT,
3548 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3549 },
3550 {
3551 "direct packet access: test6 (pkt_end >= reg, bad access)",
3552 .insns = {
3553 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3554 offsetof(struct __sk_buff, data)),
3555 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3556 offsetof(struct __sk_buff, data_end)),
3557 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3558 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3559 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3560 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3561 BPF_MOV64_IMM(BPF_REG_0, 1),
3562 BPF_EXIT_INSN(),
3563 BPF_MOV64_IMM(BPF_REG_0, 0),
3564 BPF_EXIT_INSN(),
3565 },
3566 .errstr = "invalid access to packet",
3567 .result = REJECT,
3568 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3569 },
3570 {
3571 "direct packet access: test7 (pkt_end >= reg, both accesses)",
3572 .insns = {
3573 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3574 offsetof(struct __sk_buff, data)),
3575 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3576 offsetof(struct __sk_buff, data_end)),
3577 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3578 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3579 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3580 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3581 BPF_MOV64_IMM(BPF_REG_0, 1),
3582 BPF_EXIT_INSN(),
3583 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3584 BPF_MOV64_IMM(BPF_REG_0, 0),
3585 BPF_EXIT_INSN(),
3586 },
3587 .errstr = "invalid access to packet",
3588 .result = REJECT,
3589 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3590 },
3591 {
3592 "direct packet access: test8 (double test, variant 1)",
3593 .insns = {
3594 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3595 offsetof(struct __sk_buff, data)),
3596 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3597 offsetof(struct __sk_buff, data_end)),
3598 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3599 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3600 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
3601 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3602 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3603 BPF_MOV64_IMM(BPF_REG_0, 1),
3604 BPF_EXIT_INSN(),
3605 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3606 BPF_MOV64_IMM(BPF_REG_0, 0),
3607 BPF_EXIT_INSN(),
3608 },
3609 .result = ACCEPT,
3610 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3611 },
3612 {
3613 "direct packet access: test9 (double test, variant 2)",
3614 .insns = {
3615 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3616 offsetof(struct __sk_buff, data)),
3617 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3618 offsetof(struct __sk_buff, data_end)),
3619 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3620 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3621 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3622 BPF_MOV64_IMM(BPF_REG_0, 1),
3623 BPF_EXIT_INSN(),
3624 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3625 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3626 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3627 BPF_MOV64_IMM(BPF_REG_0, 0),
3628 BPF_EXIT_INSN(),
3629 },
3630 .result = ACCEPT,
3631 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3632 },
7d95b0ab
DB		 3633 {
3634 "direct packet access: test10 (write invalid)",
3635 .insns = {
3636 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3637 offsetof(struct __sk_buff, data)),
3638 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3639 offsetof(struct __sk_buff, data_end)),
3640 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3641 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3642 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3643 BPF_MOV64_IMM(BPF_REG_0, 0),
3644 BPF_EXIT_INSN(),
3645 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3646 BPF_MOV64_IMM(BPF_REG_0, 0),
3647 BPF_EXIT_INSN(),
3648 },
3649 .errstr = "invalid access to packet",
3650 .result = REJECT,
3651 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3652 },
3fadc801
DB		 3653 {
3654 "direct packet access: test11 (shift, good access)",
3655 .insns = {
3656 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3657 offsetof(struct __sk_buff, data)),
3658 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3659 offsetof(struct __sk_buff, data_end)),
3660 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3661 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3662 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3663 BPF_MOV64_IMM(BPF_REG_3, 144),
3664 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3665 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3666 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
3667 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3668 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3669 BPF_MOV64_IMM(BPF_REG_0, 1),
3670 BPF_EXIT_INSN(),
3671 BPF_MOV64_IMM(BPF_REG_0, 0),
3672 BPF_EXIT_INSN(),
3673 },
3674 .result = ACCEPT,
3675 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
111e6b45 3676 .retval = 1,
3fadc801
DB		 3677 },
3678 {
3679 "direct packet access: test12 (and, good access)",
3680 .insns = {
3681 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3682 offsetof(struct __sk_buff, data)),
3683 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3684 offsetof(struct __sk_buff, data_end)),
3685 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3686 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3687 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3688 BPF_MOV64_IMM(BPF_REG_3, 144),
3689 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3690 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3691 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3692 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3693 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3694 BPF_MOV64_IMM(BPF_REG_0, 1),
3695 BPF_EXIT_INSN(),
3696 BPF_MOV64_IMM(BPF_REG_0, 0),
3697 BPF_EXIT_INSN(),
3698 },
3699 .result = ACCEPT,
3700 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
111e6b45 3701 .retval = 1,
3fadc801
DB		 3702 },
3703 {
3704 "direct packet access: test13 (branches, good access)",
3705 .insns = {
3706 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3707 offsetof(struct __sk_buff, data)),
3708 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3709 offsetof(struct __sk_buff, data_end)),
3710 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3711 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3712 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
3713 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3714 offsetof(struct __sk_buff, mark)),
3715 BPF_MOV64_IMM(BPF_REG_4, 1),
3716 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
3717 BPF_MOV64_IMM(BPF_REG_3, 14),
3718 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
3719 BPF_MOV64_IMM(BPF_REG_3, 24),
3720 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3721 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3722 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3723 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3724 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3725 BPF_MOV64_IMM(BPF_REG_0, 1),
3726 BPF_EXIT_INSN(),
3727 BPF_MOV64_IMM(BPF_REG_0, 0),
3728 BPF_EXIT_INSN(),
3729 },
3730 .result = ACCEPT,
3731 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
111e6b45 3732 .retval = 1,
3fadc801 3733 },
63dfef75
WT		 3734 {
3735 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
3736 .insns = {
3737 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3738 offsetof(struct __sk_buff, data)),
3739 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3740 offsetof(struct __sk_buff, data_end)),
3741 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3742 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3743 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
3744 BPF_MOV64_IMM(BPF_REG_5, 12),
3745 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
3746 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3747 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3748 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
3749 BPF_MOV64_IMM(BPF_REG_0, 1),
3750 BPF_EXIT_INSN(),
3751 BPF_MOV64_IMM(BPF_REG_0, 0),
3752 BPF_EXIT_INSN(),
3753 },
3754 .result = ACCEPT,
3755 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
111e6b45 3756 .retval = 1,
63dfef75 3757 },
02ea80b1
DB		 3758 {
3759 "direct packet access: test15 (spill with xadd)",
3760 .insns = {
3761 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3762 offsetof(struct __sk_buff, data)),
3763 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3764 offsetof(struct __sk_buff, data_end)),
3765 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3766 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3767 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3768 BPF_MOV64_IMM(BPF_REG_5, 4096),
3769 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
3770 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
3771 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
3772 BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
3773 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
3774 BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
3775 BPF_MOV64_IMM(BPF_REG_0, 0),
3776 BPF_EXIT_INSN(),
3777 },
3778 .errstr = "R2 invalid mem access 'inv'",
3779 .result = REJECT,
3780 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3781 },
728a853a
DB		 3782 {
3783 "direct packet access: test16 (arith on data_end)",
3784 .insns = {
3785 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3786 offsetof(struct __sk_buff, data)),
3787 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3788 offsetof(struct __sk_buff, data_end)),
3789 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3790 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3791 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
3792 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3793 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3794 BPF_MOV64_IMM(BPF_REG_0, 0),
3795 BPF_EXIT_INSN(),
3796 },
aad2eeaf 3797 .errstr = "R3 pointer arithmetic on pkt_end",
728a853a
DB		 3798 .result = REJECT,
3799 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3800 },
614d0d77
DB		 3801 {
3802 "direct packet access: test17 (pruning, alignment)",
3803 .insns = {
3804 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3805 offsetof(struct __sk_buff, data)),
3806 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3807 offsetof(struct __sk_buff, data_end)),
3808 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3809 offsetof(struct __sk_buff, mark)),
3810 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3811 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
3812 BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
3813 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3814 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
3815 BPF_MOV64_IMM(BPF_REG_0, 0),
3816 BPF_EXIT_INSN(),
3817 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
3818 BPF_JMP_A(-6),
3819 },
f65b1849 3820 .errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4",
614d0d77
DB		 3821 .result = REJECT,
3822 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3823 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
3824 },
6d191ed4
DB		 3825 {
3826 "direct packet access: test18 (imm += pkt_ptr, 1)",
3827 .insns = {
3828 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3829 offsetof(struct __sk_buff, data)),
3830 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3831 offsetof(struct __sk_buff, data_end)),
3832 BPF_MOV64_IMM(BPF_REG_0, 8),
3833 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3834 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3835 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3836 BPF_MOV64_IMM(BPF_REG_0, 0),
3837 BPF_EXIT_INSN(),
3838 },
3839 .result = ACCEPT,
3840 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3841 },
3842 {
3843 "direct packet access: test19 (imm += pkt_ptr, 2)",
3844 .insns = {
3845 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3846 offsetof(struct __sk_buff, data)),
3847 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3848 offsetof(struct __sk_buff, data_end)),
3849 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3850 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3851 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
3852 BPF_MOV64_IMM(BPF_REG_4, 4),
3853 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3854 BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
3855 BPF_MOV64_IMM(BPF_REG_0, 0),
3856 BPF_EXIT_INSN(),
3857 },
3858 .result = ACCEPT,
3859 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3860 },
3861 {
3862 "direct packet access: test20 (x += pkt_ptr, 1)",
3863 .insns = {
3864 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3865 offsetof(struct __sk_buff, data)),
3866 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3867 offsetof(struct __sk_buff, data_end)),
3868 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3869 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3870 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
1f9ab38f 3871 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff),
6d191ed4
DB		 3872 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3873 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3874 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
1f9ab38f 3875 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
6d191ed4
DB		 3876 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3877 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3878 BPF_MOV64_IMM(BPF_REG_0, 0),
3879 BPF_EXIT_INSN(),
3880 },
3881 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3882 .result = ACCEPT,
3883 },
3884 {
3885 "direct packet access: test21 (x += pkt_ptr, 2)",
3886 .insns = {
3887 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3888 offsetof(struct __sk_buff, data)),
3889 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3890 offsetof(struct __sk_buff, data_end)),
3891 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3892 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3893 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
3894 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3895 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3896 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
1f9ab38f 3897 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff),
6d191ed4
DB		 3898 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3899 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
1f9ab38f 3900 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
6d191ed4
DB		 3901 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3902 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3903 BPF_MOV64_IMM(BPF_REG_0, 0),
3904 BPF_EXIT_INSN(),
3905 },
3906 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3907 .result = ACCEPT,
3908 },
3909 {
3910 "direct packet access: test22 (x += pkt_ptr, 3)",
3911 .insns = {
3912 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3913 offsetof(struct __sk_buff, data)),
3914 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3915 offsetof(struct __sk_buff, data_end)),
3916 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3917 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3918 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
3919 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
3920 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
3921 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
3922 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
3923 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3924 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3925 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
1f9ab38f 3926 BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49),
6d191ed4
DB		 3927 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3928 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
3929 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
3930 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3931 BPF_MOV64_IMM(BPF_REG_2, 1),
3932 BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
3933 BPF_MOV64_IMM(BPF_REG_0, 0),
3934 BPF_EXIT_INSN(),
3935 },
3936 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3937 .result = ACCEPT,
3938 },
3939 {
3940 "direct packet access: test23 (x += pkt_ptr, 4)",
3941 .insns = {
3942 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3943 offsetof(struct __sk_buff, data)),
3944 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3945 offsetof(struct __sk_buff, data_end)),
3946 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3947 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3948 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3949 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
3950 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3951 BPF_MOV64_IMM(BPF_REG_0, 31),
3952 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3953 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3954 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3955 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
3956 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3957 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3958 BPF_MOV64_IMM(BPF_REG_0, 0),
3959 BPF_EXIT_INSN(),
3960 },
3961 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3962 .result = REJECT,
f65b1849 3963 .errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)",
6d191ed4
DB		 3964 },
3965 {
3966 "direct packet access: test24 (x += pkt_ptr, 5)",
3967 .insns = {
3968 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3969 offsetof(struct __sk_buff, data)),
3970 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3971 offsetof(struct __sk_buff, data_end)),
3972 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3973 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3974 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3975 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
3976 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3977 BPF_MOV64_IMM(BPF_REG_0, 64),
3978 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3979 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3980 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
1f9ab38f 3981 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1),
6d191ed4
DB		 3982 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3983 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3984 BPF_MOV64_IMM(BPF_REG_0, 0),
3985 BPF_EXIT_INSN(),
3986 },
3987 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3988 .result = ACCEPT,
3989 },
31e482bf
DB		 3990 {
3991 "direct packet access: test25 (marking on <, good access)",
3992 .insns = {
3993 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3994 offsetof(struct __sk_buff, data)),
3995 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3996 offsetof(struct __sk_buff, data_end)),
3997 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3998 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3999 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2),
4000 BPF_MOV64_IMM(BPF_REG_0, 0),
4001 BPF_EXIT_INSN(),
4002 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4003 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
4004 },
4005 .result = ACCEPT,
4006 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4007 },
4008 {
4009 "direct packet access: test26 (marking on <, bad access)",
4010 .insns = {
4011 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4012 offsetof(struct __sk_buff, data)),
4013 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4014 offsetof(struct __sk_buff, data_end)),
4015 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4016 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4017 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3),
4018 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4019 BPF_MOV64_IMM(BPF_REG_0, 0),
4020 BPF_EXIT_INSN(),
4021 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
4022 },
4023 .result = REJECT,
4024 .errstr = "invalid access to packet",
4025 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4026 },
4027 {
4028 "direct packet access: test27 (marking on <=, good access)",
4029 .insns = {
4030 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4031 offsetof(struct __sk_buff, data)),
4032 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4033 offsetof(struct __sk_buff, data_end)),
4034 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4035 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4036 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1),
4037 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4038 BPF_MOV64_IMM(BPF_REG_0, 1),
4039 BPF_EXIT_INSN(),
4040 },
4041 .result = ACCEPT,
4042 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
111e6b45 4043 .retval = 1,
31e482bf
DB		 4044 },
4045 {
4046 "direct packet access: test28 (marking on <=, bad access)",
4047 .insns = {
4048 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4049 offsetof(struct __sk_buff, data)),
4050 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4051 offsetof(struct __sk_buff, data_end)),
4052 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4053 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4054 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2),
4055 BPF_MOV64_IMM(BPF_REG_0, 1),
4056 BPF_EXIT_INSN(),
4057 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4058 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
4059 },
4060 .result = REJECT,
4061 .errstr = "invalid access to packet",
4062 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4063 },
1633ac0a
AY		 4064 {
4065 "helper access to packet: test1, valid packet_ptr range",
4066 .insns = {
4067 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4068 offsetof(struct xdp_md, data)),
4069 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4070 offsetof(struct xdp_md, data_end)),
4071 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4072 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
4073 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
4074 BPF_LD_MAP_FD(BPF_REG_1, 0),
4075 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
4076 BPF_MOV64_IMM(BPF_REG_4, 0),
5aa5bd14
DB		 4077 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4078 BPF_FUNC_map_update_elem),
1633ac0a
AY		 4079 BPF_MOV64_IMM(BPF_REG_0, 0),
4080 BPF_EXIT_INSN(),
4081 },
908142e6 4082 .fixup_map_hash_8b = { 5 },
1633ac0a
AY		 4083 .result_unpriv = ACCEPT,
4084 .result = ACCEPT,
4085 .prog_type = BPF_PROG_TYPE_XDP,
4086 },
4087 {
4088 "helper access to packet: test2, unchecked packet_ptr",
4089 .insns = {
4090 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4091 offsetof(struct xdp_md, data)),
4092 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 4093 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4094 BPF_FUNC_map_lookup_elem),
1633ac0a
AY		 4095 BPF_MOV64_IMM(BPF_REG_0, 0),
4096 BPF_EXIT_INSN(),
4097 },
908142e6 4098 .fixup_map_hash_8b = { 1 },
1633ac0a
AY		 4099 .result = REJECT,
4100 .errstr = "invalid access to packet",
4101 .prog_type = BPF_PROG_TYPE_XDP,
4102 },
4103 {
4104 "helper access to packet: test3, variable add",
4105 .insns = {
4106 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4107 offsetof(struct xdp_md, data)),
4108 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4109 offsetof(struct xdp_md, data_end)),
4110 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4111 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
4112 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
4113 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
4114 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4115 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
4116 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4117 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
4118 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
4119 BPF_LD_MAP_FD(BPF_REG_1, 0),
4120 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
5aa5bd14
DB		 4121 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4122 BPF_FUNC_map_lookup_elem),
1633ac0a
AY		 4123 BPF_MOV64_IMM(BPF_REG_0, 0),
4124 BPF_EXIT_INSN(),
4125 },
908142e6 4126 .fixup_map_hash_8b = { 11 },
1633ac0a
AY		 4127 .result = ACCEPT,
4128 .prog_type = BPF_PROG_TYPE_XDP,
4129 },
4130 {
4131 "helper access to packet: test4, packet_ptr with bad range",
4132 .insns = {
4133 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4134 offsetof(struct xdp_md, data)),
4135 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4136 offsetof(struct xdp_md, data_end)),
4137 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4138 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
4139 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
4140 BPF_MOV64_IMM(BPF_REG_0, 0),
4141 BPF_EXIT_INSN(),
4142 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 4143 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4144 BPF_FUNC_map_lookup_elem),
1633ac0a
AY		 4145 BPF_MOV64_IMM(BPF_REG_0, 0),
4146 BPF_EXIT_INSN(),
4147 },
908142e6 4148 .fixup_map_hash_8b = { 7 },
1633ac0a
AY		 4149 .result = REJECT,
4150 .errstr = "invalid access to packet",
4151 .prog_type = BPF_PROG_TYPE_XDP,
4152 },
4153 {
4154 "helper access to packet: test5, packet_ptr with too short range",
4155 .insns = {
4156 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4157 offsetof(struct xdp_md, data)),
4158 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4159 offsetof(struct xdp_md, data_end)),
4160 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4161 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4162 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4163 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4164 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 4165 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4166 BPF_FUNC_map_lookup_elem),
1633ac0a
AY		 4167 BPF_MOV64_IMM(BPF_REG_0, 0),
4168 BPF_EXIT_INSN(),
4169 },
908142e6 4170 .fixup_map_hash_8b = { 6 },
1633ac0a
AY		 4171 .result = REJECT,
4172 .errstr = "invalid access to packet",
4173 .prog_type = BPF_PROG_TYPE_XDP,
4174 },
7d95b0ab
DB		 4175 {
4176 "helper access to packet: test6, cls valid packet_ptr range",
4177 .insns = {
4178 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4179 offsetof(struct __sk_buff, data)),
4180 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4181 offsetof(struct __sk_buff, data_end)),
4182 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4183 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
4184 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
4185 BPF_LD_MAP_FD(BPF_REG_1, 0),
4186 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
4187 BPF_MOV64_IMM(BPF_REG_4, 0),
5aa5bd14
DB		 4188 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4189 BPF_FUNC_map_update_elem),
7d95b0ab
DB		 4190 BPF_MOV64_IMM(BPF_REG_0, 0),
4191 BPF_EXIT_INSN(),
4192 },
908142e6 4193 .fixup_map_hash_8b = { 5 },
7d95b0ab
DB		 4194 .result = ACCEPT,
4195 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4196 },
4197 {
4198 "helper access to packet: test7, cls unchecked packet_ptr",
4199 .insns = {
4200 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4201 offsetof(struct __sk_buff, data)),
4202 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 4203 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4204 BPF_FUNC_map_lookup_elem),
7d95b0ab
DB		 4205 BPF_MOV64_IMM(BPF_REG_0, 0),
4206 BPF_EXIT_INSN(),
4207 },
908142e6 4208 .fixup_map_hash_8b = { 1 },
7d95b0ab
DB		 4209 .result = REJECT,
4210 .errstr = "invalid access to packet",
4211 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4212 },
4213 {
4214 "helper access to packet: test8, cls variable add",
4215 .insns = {
4216 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4217 offsetof(struct __sk_buff, data)),
4218 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4219 offsetof(struct __sk_buff, data_end)),
4220 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4221 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
4222 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
4223 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
4224 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4225 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
4226 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4227 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
4228 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
4229 BPF_LD_MAP_FD(BPF_REG_1, 0),
4230 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
5aa5bd14
DB		 4231 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4232 BPF_FUNC_map_lookup_elem),
7d95b0ab
DB		 4233 BPF_MOV64_IMM(BPF_REG_0, 0),
4234 BPF_EXIT_INSN(),
4235 },
908142e6 4236 .fixup_map_hash_8b = { 11 },
7d95b0ab
DB		 4237 .result = ACCEPT,
4238 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4239 },
4240 {
4241 "helper access to packet: test9, cls packet_ptr with bad range",
4242 .insns = {
4243 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4244 offsetof(struct __sk_buff, data)),
4245 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4246 offsetof(struct __sk_buff, data_end)),
4247 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4248 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
4249 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
4250 BPF_MOV64_IMM(BPF_REG_0, 0),
4251 BPF_EXIT_INSN(),
4252 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 4253 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4254 BPF_FUNC_map_lookup_elem),
7d95b0ab
DB		 4255 BPF_MOV64_IMM(BPF_REG_0, 0),
4256 BPF_EXIT_INSN(),
4257 },
908142e6 4258 .fixup_map_hash_8b = { 7 },
7d95b0ab
DB		 4259 .result = REJECT,
4260 .errstr = "invalid access to packet",
4261 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4262 },
4263 {
4264 "helper access to packet: test10, cls packet_ptr with too short range",
4265 .insns = {
4266 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4267 offsetof(struct __sk_buff, data)),
4268 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4269 offsetof(struct __sk_buff, data_end)),
4270 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4271 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4272 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4273 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4274 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 4275 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4276 BPF_FUNC_map_lookup_elem),
7d95b0ab
DB		 4277 BPF_MOV64_IMM(BPF_REG_0, 0),
4278 BPF_EXIT_INSN(),
4279 },
908142e6 4280 .fixup_map_hash_8b = { 6 },
7d95b0ab
DB		 4281 .result = REJECT,
4282 .errstr = "invalid access to packet",
4283 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4284 },
4285 {
4286 "helper access to packet: test11, cls unsuitable helper 1",
4287 .insns = {
4288 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4289 offsetof(struct __sk_buff, data)),
4290 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4291 offsetof(struct __sk_buff, data_end)),
4292 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4293 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4294 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
4295 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
4296 BPF_MOV64_IMM(BPF_REG_2, 0),
4297 BPF_MOV64_IMM(BPF_REG_4, 42),
4298 BPF_MOV64_IMM(BPF_REG_5, 0),
5aa5bd14
DB		 4299 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4300 BPF_FUNC_skb_store_bytes),
7d95b0ab
DB		 4301 BPF_MOV64_IMM(BPF_REG_0, 0),
4302 BPF_EXIT_INSN(),
4303 },
4304 .result = REJECT,
4305 .errstr = "helper access to the packet",
4306 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4307 },
4308 {
4309 "helper access to packet: test12, cls unsuitable helper 2",
4310 .insns = {
4311 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4312 offsetof(struct __sk_buff, data)),
4313 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4314 offsetof(struct __sk_buff, data_end)),
4315 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4316 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
4317 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
4318 BPF_MOV64_IMM(BPF_REG_2, 0),
4319 BPF_MOV64_IMM(BPF_REG_4, 4),
5aa5bd14
DB		 4320 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4321 BPF_FUNC_skb_load_bytes),
7d95b0ab
DB		 4322 BPF_MOV64_IMM(BPF_REG_0, 0),
4323 BPF_EXIT_INSN(),
4324 },
4325 .result = REJECT,
4326 .errstr = "helper access to the packet",
4327 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4328 },
4329 {
4330 "helper access to packet: test13, cls helper ok",
4331 .insns = {
4332 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4333 offsetof(struct __sk_buff, data)),
4334 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4335 offsetof(struct __sk_buff, data_end)),
4336 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4337 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4338 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4339 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4340 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4341 BPF_MOV64_IMM(BPF_REG_2, 4),
4342 BPF_MOV64_IMM(BPF_REG_3, 0),
4343 BPF_MOV64_IMM(BPF_REG_4, 0),
4344 BPF_MOV64_IMM(BPF_REG_5, 0),
5aa5bd14
DB		 4345 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4346 BPF_FUNC_csum_diff),
7d95b0ab
DB		 4347 BPF_MOV64_IMM(BPF_REG_0, 0),
4348 BPF_EXIT_INSN(),
4349 },
4350 .result = ACCEPT,
4351 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4352 },
4353 {
f65b1849 4354 "helper access to packet: test14, cls helper ok sub",
7d95b0ab
DB		 4355 .insns = {
4356 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4357 offsetof(struct __sk_buff, data)),
4358 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4359 offsetof(struct __sk_buff, data_end)),
4360 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4361 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4362 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4363 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4364 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
4365 BPF_MOV64_IMM(BPF_REG_2, 4),
4366 BPF_MOV64_IMM(BPF_REG_3, 0),
4367 BPF_MOV64_IMM(BPF_REG_4, 0),
4368 BPF_MOV64_IMM(BPF_REG_5, 0),
5aa5bd14
DB		 4369 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4370 BPF_FUNC_csum_diff),
7d95b0ab
DB		 4371 BPF_MOV64_IMM(BPF_REG_0, 0),
4372 BPF_EXIT_INSN(),
4373 },
f65b1849
EC		 4374 .result = ACCEPT,
4375 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4376 },
4377 {
4378 "helper access to packet: test15, cls helper fail sub",
4379 .insns = {
4380 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4381 offsetof(struct __sk_buff, data)),
4382 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4383 offsetof(struct __sk_buff, data_end)),
4384 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4385 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4386 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4387 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4388 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12),
4389 BPF_MOV64_IMM(BPF_REG_2, 4),
4390 BPF_MOV64_IMM(BPF_REG_3, 0),
4391 BPF_MOV64_IMM(BPF_REG_4, 0),
4392 BPF_MOV64_IMM(BPF_REG_5, 0),
4393 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4394 BPF_FUNC_csum_diff),
4395 BPF_MOV64_IMM(BPF_REG_0, 0),
4396 BPF_EXIT_INSN(),
4397 },
7d95b0ab 4398 .result = REJECT,
f65b1849 4399 .errstr = "invalid access to packet",
7d95b0ab
DB		 4400 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4401 },
4402 {
f65b1849 4403 "helper access to packet: test16, cls helper fail range 1",
7d95b0ab
DB		 4404 .insns = {
4405 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4406 offsetof(struct __sk_buff, data)),
4407 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4408 offsetof(struct __sk_buff, data_end)),
4409 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4410 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4411 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4412 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4413 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4414 BPF_MOV64_IMM(BPF_REG_2, 8),
4415 BPF_MOV64_IMM(BPF_REG_3, 0),
4416 BPF_MOV64_IMM(BPF_REG_4, 0),
4417 BPF_MOV64_IMM(BPF_REG_5, 0),
5aa5bd14
DB		 4418 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4419 BPF_FUNC_csum_diff),
7d95b0ab
DB		 4420 BPF_MOV64_IMM(BPF_REG_0, 0),
4421 BPF_EXIT_INSN(),
4422 },
4423 .result = REJECT,
4424 .errstr = "invalid access to packet",
4425 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4426 },
4427 {
f65b1849 4428 "helper access to packet: test17, cls helper fail range 2",
7d95b0ab
DB		 4429 .insns = {
4430 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4431 offsetof(struct __sk_buff, data)),
4432 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4433 offsetof(struct __sk_buff, data_end)),
4434 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4435 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4436 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4437 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4438 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4439 BPF_MOV64_IMM(BPF_REG_2, -9),
4440 BPF_MOV64_IMM(BPF_REG_3, 0),
4441 BPF_MOV64_IMM(BPF_REG_4, 0),
4442 BPF_MOV64_IMM(BPF_REG_5, 0),
5aa5bd14
DB		 4443 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4444 BPF_FUNC_csum_diff),
7d95b0ab
DB		 4445 BPF_MOV64_IMM(BPF_REG_0, 0),
4446 BPF_EXIT_INSN(),
4447 },
4448 .result = REJECT,
f65b1849 4449 .errstr = "R2 min value is negative",
7d95b0ab
DB		 4450 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4451 },
4452 {
f65b1849 4453 "helper access to packet: test18, cls helper fail range 3",
7d95b0ab
DB		 4454 .insns = {
4455 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4456 offsetof(struct __sk_buff, data)),
4457 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4458 offsetof(struct __sk_buff, data_end)),
4459 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4460 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4461 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4462 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4463 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4464 BPF_MOV64_IMM(BPF_REG_2, ~0),
4465 BPF_MOV64_IMM(BPF_REG_3, 0),
4466 BPF_MOV64_IMM(BPF_REG_4, 0),
4467 BPF_MOV64_IMM(BPF_REG_5, 0),
5aa5bd14
DB		 4468 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4469 BPF_FUNC_csum_diff),
7d95b0ab
DB		 4470 BPF_MOV64_IMM(BPF_REG_0, 0),
4471 BPF_EXIT_INSN(),
4472 },
4473 .result = REJECT,
f65b1849 4474 .errstr = "R2 min value is negative",
7d95b0ab
DB		 4475 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4476 },
4477 {
b6ff6391 4478 "helper access to packet: test19, cls helper range zero",
7d95b0ab
DB		 4479 .insns = {
4480 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4481 offsetof(struct __sk_buff, data)),
4482 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4483 offsetof(struct __sk_buff, data_end)),
4484 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4485 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4486 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4487 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4488 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4489 BPF_MOV64_IMM(BPF_REG_2, 0),
4490 BPF_MOV64_IMM(BPF_REG_3, 0),
4491 BPF_MOV64_IMM(BPF_REG_4, 0),
4492 BPF_MOV64_IMM(BPF_REG_5, 0),
5aa5bd14
DB		 4493 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4494 BPF_FUNC_csum_diff),
7d95b0ab
DB		 4495 BPF_MOV64_IMM(BPF_REG_0, 0),
4496 BPF_EXIT_INSN(),
4497 },
b6ff6391 4498 .result = ACCEPT,
7d95b0ab
DB		 4499 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4500 },
4501 {
f65b1849 4502 "helper access to packet: test20, pkt end as input",
7d95b0ab
DB		 4503 .insns = {
4504 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4505 offsetof(struct __sk_buff, data)),
4506 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4507 offsetof(struct __sk_buff, data_end)),
4508 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4509 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4510 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4511 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4512 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
4513 BPF_MOV64_IMM(BPF_REG_2, 4),
4514 BPF_MOV64_IMM(BPF_REG_3, 0),
4515 BPF_MOV64_IMM(BPF_REG_4, 0),
4516 BPF_MOV64_IMM(BPF_REG_5, 0),
5aa5bd14
DB		 4517 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4518 BPF_FUNC_csum_diff),
7d95b0ab
DB		 4519 BPF_MOV64_IMM(BPF_REG_0, 0),
4520 BPF_EXIT_INSN(),
4521 },
4522 .result = REJECT,
4523 .errstr = "R1 type=pkt_end expected=fp",
4524 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4525 },
4526 {
f65b1849 4527 "helper access to packet: test21, wrong reg",
7d95b0ab
DB		 4528 .insns = {
4529 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4530 offsetof(struct __sk_buff, data)),
4531 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4532 offsetof(struct __sk_buff, data_end)),
4533 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4534 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4535 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4536 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4537 BPF_MOV64_IMM(BPF_REG_2, 4),
4538 BPF_MOV64_IMM(BPF_REG_3, 0),
4539 BPF_MOV64_IMM(BPF_REG_4, 0),
4540 BPF_MOV64_IMM(BPF_REG_5, 0),
5aa5bd14
DB		 4541 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4542 BPF_FUNC_csum_diff),
7d95b0ab
DB		 4543 BPF_MOV64_IMM(BPF_REG_0, 0),
4544 BPF_EXIT_INSN(),
4545 },
4546 .result = REJECT,
4547 .errstr = "invalid access to packet",
4548 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4549 },
7c85c448
PB		 4550 {
4551 "prevent map lookup in sockmap",
4552 .insns = {
4553 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4554 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4555 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4556 BPF_LD_MAP_FD(BPF_REG_1, 0),
4557 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4558 BPF_FUNC_map_lookup_elem),
4559 BPF_EXIT_INSN(),
4560 },
4561 .fixup_map_sockmap = { 3 },
4562 .result = REJECT,
4563 .errstr = "cannot pass map_type 15 into func bpf_map_lookup_elem",
4564 .prog_type = BPF_PROG_TYPE_SOCK_OPS,
4565 },
4566 {
4567 "prevent map lookup in sockhash",
4568 .insns = {
4569 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4570 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4571 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4572 BPF_LD_MAP_FD(BPF_REG_1, 0),
4573 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4574 BPF_FUNC_map_lookup_elem),
4575 BPF_EXIT_INSN(),
4576 },
4577 .fixup_map_sockhash = { 3 },
4578 .result = REJECT,
4579 .errstr = "cannot pass map_type 18 into func bpf_map_lookup_elem",
4580 .prog_type = BPF_PROG_TYPE_SOCK_OPS,
4581 },
4582 {
4583 "prevent map lookup in xskmap",
4584 .insns = {
4585 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4586 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4587 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4588 BPF_LD_MAP_FD(BPF_REG_1, 0),
4589 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4590 BPF_FUNC_map_lookup_elem),
4591 BPF_EXIT_INSN(),
4592 },
4593 .fixup_map_xskmap = { 3 },
4594 .result = REJECT,
4595 .errstr = "cannot pass map_type 17 into func bpf_map_lookup_elem",
4596 .prog_type = BPF_PROG_TYPE_XDP,
4597 },
4598 {
4599 "prevent map lookup in stack trace",
4600 .insns = {
4601 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4602 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4603 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4604 BPF_LD_MAP_FD(BPF_REG_1, 0),
4605 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4606 BPF_FUNC_map_lookup_elem),
4607 BPF_EXIT_INSN(),
4608 },
4609 .fixup_map_stacktrace = { 3 },
4610 .result = REJECT,
4611 .errstr = "cannot pass map_type 7 into func bpf_map_lookup_elem",
4612 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
4613 },
4614 {
4615 "prevent map lookup in prog array",
4616 .insns = {
4617 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4618 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4619 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4620 BPF_LD_MAP_FD(BPF_REG_1, 0),
4621 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4622 BPF_FUNC_map_lookup_elem),
4623 BPF_EXIT_INSN(),
4624 },
4625 .fixup_prog2 = { 3 },
4626 .result = REJECT,
4627 .errstr = "cannot pass map_type 3 into func bpf_map_lookup_elem",
4628 },
48461135
JB		 4629 {
4630 "valid map access into an array with a constant",
4631 .insns = {
4632 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4633 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4634 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4635 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 4636 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4637 BPF_FUNC_map_lookup_elem),
48461135 4638 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5aa5bd14
DB		 4639 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4640 offsetof(struct test_val, foo)),
48461135
JB		 4641 BPF_EXIT_INSN(),
4642 },
908142e6 4643 .fixup_map_hash_48b = { 3 },
48461135
JB		 4644 .errstr_unpriv = "R0 leaks addr",
4645 .result_unpriv = REJECT,
4646 .result = ACCEPT,
4647 },
4648 {
4649 "valid map access into an array with a register",
4650 .insns = {
4651 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4652 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4653 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4654 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 4655 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4656 BPF_FUNC_map_lookup_elem),
48461135
JB		 4657 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4658 BPF_MOV64_IMM(BPF_REG_1, 4),
4659 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4660 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5aa5bd14
DB		 4661 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4662 offsetof(struct test_val, foo)),
48461135
JB		 4663 BPF_EXIT_INSN(),
4664 },
908142e6 4665 .fixup_map_hash_48b = { 3 },
f65b1849 4666 .errstr_unpriv = "R0 leaks addr",
48461135
JB		 4667 .result_unpriv = REJECT,
4668 .result = ACCEPT,
02ea80b1 4669 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
48461135
JB		 4670 },
4671 {
4672 "valid map access into an array with a variable",
4673 .insns = {
4674 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4675 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4676 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4677 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 4678 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4679 BPF_FUNC_map_lookup_elem),
48461135
JB		 4680 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4681 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4682 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
4683 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4684 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5aa5bd14
DB		 4685 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4686 offsetof(struct test_val, foo)),
48461135
JB		 4687 BPF_EXIT_INSN(),
4688 },
908142e6 4689 .fixup_map_hash_48b = { 3 },
f65b1849 4690 .errstr_unpriv = "R0 leaks addr",
48461135
JB		 4691 .result_unpriv = REJECT,
4692 .result = ACCEPT,
02ea80b1 4693 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
48461135
JB		 4694 },
4695 {
4696 "valid map access into an array with a signed variable",
4697 .insns = {
4698 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4699 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4700 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4701 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 4702 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4703 BPF_FUNC_map_lookup_elem),
48461135
JB		 4704 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
4705 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4706 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
4707 BPF_MOV32_IMM(BPF_REG_1, 0),
4708 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4709 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4710 BPF_MOV32_IMM(BPF_REG_1, 0),
4711 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4712 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5aa5bd14
DB		 4713 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4714 offsetof(struct test_val, foo)),
48461135
JB		 4715 BPF_EXIT_INSN(),
4716 },
908142e6 4717 .fixup_map_hash_48b = { 3 },
f65b1849 4718 .errstr_unpriv = "R0 leaks addr",
48461135
JB		 4719 .result_unpriv = REJECT,
4720 .result = ACCEPT,
02ea80b1 4721 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
48461135
JB		 4722 },
4723 {
4724 "invalid map access into an array with a constant",
4725 .insns = {
4726 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4727 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4728 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4729 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 4730 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4731 BPF_FUNC_map_lookup_elem),
48461135
JB		 4732 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4733 BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
4734 offsetof(struct test_val, foo)),
4735 BPF_EXIT_INSN(),
4736 },
908142e6 4737 .fixup_map_hash_48b = { 3 },
48461135
JB		 4738 .errstr = "invalid access to map value, value_size=48 off=48 size=8",
4739 .result = REJECT,
4740 },
4741 {
4742 "invalid map access into an array with a register",
4743 .insns = {
4744 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4745 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4746 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4747 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 4748 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4749 BPF_FUNC_map_lookup_elem),
48461135
JB		 4750 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4751 BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
4752 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4753 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5aa5bd14
DB		 4754 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4755 offsetof(struct test_val, foo)),
48461135
JB		 4756 BPF_EXIT_INSN(),
4757 },
908142e6 4758 .fixup_map_hash_48b = { 3 },
48461135
JB		 4759 .errstr = "R0 min value is outside of the array range",
4760 .result = REJECT,
02ea80b1 4761 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
48461135
JB		 4762 },
4763 {
4764 "invalid map access into an array with a variable",
4765 .insns = {
4766 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4767 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4768 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4769 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 4770 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4771 BPF_FUNC_map_lookup_elem),
48461135
JB		 4772 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4773 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4774 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4775 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5aa5bd14
DB		 4776 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4777 offsetof(struct test_val, foo)),
48461135
JB		 4778 BPF_EXIT_INSN(),
4779 },
908142e6 4780 .fixup_map_hash_48b = { 3 },
f65b1849 4781 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
48461135 4782 .result = REJECT,
02ea80b1 4783 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
48461135
JB		 4784 },
4785 {
4786 "invalid map access into an array with no floor check",
4787 .insns = {
4788 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4789 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4790 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4791 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 4792 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4793 BPF_FUNC_map_lookup_elem),
48461135 4794 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
f65b1849 4795 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
48461135
JB		 4796 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4797 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4798 BPF_MOV32_IMM(BPF_REG_1, 0),
4799 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4800 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5aa5bd14
DB		 4801 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4802 offsetof(struct test_val, foo)),
48461135
JB		 4803 BPF_EXIT_INSN(),
4804 },
908142e6 4805 .fixup_map_hash_48b = { 3 },
f65b1849
EC		 4806 .errstr_unpriv = "R0 leaks addr",
4807 .errstr = "R0 unbounded memory access",
5aa5bd14 4808 .result_unpriv = REJECT,
48461135 4809 .result = REJECT,
02ea80b1 4810 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
48461135
JB		 4811 },
4812 {
4813 "invalid map access into an array with a invalid max check",
4814 .insns = {
4815 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4816 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4817 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4818 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 4819 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4820 BPF_FUNC_map_lookup_elem),
48461135
JB		 4821 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4822 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4823 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
4824 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
4825 BPF_MOV32_IMM(BPF_REG_1, 0),
4826 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4827 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5aa5bd14
DB		 4828 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4829 offsetof(struct test_val, foo)),
48461135
JB		 4830 BPF_EXIT_INSN(),
4831 },
908142e6 4832 .fixup_map_hash_48b = { 3 },
f65b1849 4833 .errstr_unpriv = "R0 leaks addr",
48461135 4834 .errstr = "invalid access to map value, value_size=48 off=44 size=8",
5aa5bd14 4835 .result_unpriv = REJECT,
48461135 4836 .result = REJECT,
02ea80b1 4837 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
48461135
JB		 4838 },
4839 {
4840 "invalid map access into an array with a invalid max check",
4841 .insns = {
4842 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4843 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4844 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4845 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 4846 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4847 BPF_FUNC_map_lookup_elem),
48461135
JB		 4848 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
4849 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
4850 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4851 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4852 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4853 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 4854 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4855 BPF_FUNC_map_lookup_elem),
48461135
JB		 4856 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4857 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
5aa5bd14
DB		 4858 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
4859 offsetof(struct test_val, foo)),
48461135
JB		 4860 BPF_EXIT_INSN(),
4861 },
908142e6 4862 .fixup_map_hash_48b = { 3, 11 },
82abbf8d 4863 .errstr = "R0 pointer += pointer",
48461135 4864 .result = REJECT,
02ea80b1 4865 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
48461135 4866 },
2cb494a3
SL		 4867 {
4868 "direct packet read test#1 for CGROUP_SKB",
4869 .insns = {
4870 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4871 offsetof(struct __sk_buff, data)),
4872 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4873 offsetof(struct __sk_buff, data_end)),
4874 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
4875 offsetof(struct __sk_buff, len)),
4876 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4877 offsetof(struct __sk_buff, pkt_type)),
4878 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4879 offsetof(struct __sk_buff, mark)),
4880 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
4881 offsetof(struct __sk_buff, mark)),
4882 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4883 offsetof(struct __sk_buff, queue_mapping)),
4884 BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
4885 offsetof(struct __sk_buff, protocol)),
4886 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
4887 offsetof(struct __sk_buff, vlan_present)),
4888 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4889 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4890 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4891 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4892 BPF_MOV64_IMM(BPF_REG_0, 0),
4893 BPF_EXIT_INSN(),
4894 },
4895 .result = ACCEPT,
36641ad6 4896 .result_unpriv = REJECT,
ab21c1b5 4897 .errstr_unpriv = "invalid bpf_context access off=76 size=4",
2cb494a3
SL		 4898 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4899 },
4900 {
4901 "direct packet read test#2 for CGROUP_SKB",
4902 .insns = {
4903 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
4904 offsetof(struct __sk_buff, vlan_tci)),
4905 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4906 offsetof(struct __sk_buff, vlan_proto)),
4907 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4908 offsetof(struct __sk_buff, priority)),
4909 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
4910 offsetof(struct __sk_buff, priority)),
4911 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4912 offsetof(struct __sk_buff,
4913 ingress_ifindex)),
4914 BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
4915 offsetof(struct __sk_buff, tc_index)),
4916 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
4917 offsetof(struct __sk_buff, hash)),
4918 BPF_MOV64_IMM(BPF_REG_0, 0),
4919 BPF_EXIT_INSN(),
4920 },
4921 .result = ACCEPT,
4922 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4923 },
4924 {
4925 "direct packet read test#3 for CGROUP_SKB",
4926 .insns = {
4927 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
4928 offsetof(struct __sk_buff, cb[0])),
4929 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4930 offsetof(struct __sk_buff, cb[1])),
4931 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4932 offsetof(struct __sk_buff, cb[2])),
4933 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4934 offsetof(struct __sk_buff, cb[3])),
4935 BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
4936 offsetof(struct __sk_buff, cb[4])),
4937 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
4938 offsetof(struct __sk_buff, napi_id)),
4939 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_4,
4940 offsetof(struct __sk_buff, cb[0])),
4941 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_5,
4942 offsetof(struct __sk_buff, cb[1])),
4943 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
4944 offsetof(struct __sk_buff, cb[2])),
4945 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_7,
4946 offsetof(struct __sk_buff, cb[3])),
4947 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_8,
4948 offsetof(struct __sk_buff, cb[4])),
4949 BPF_MOV64_IMM(BPF_REG_0, 0),
4950 BPF_EXIT_INSN(),
4951 },
4952 .result = ACCEPT,
4953 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4954 },
4955 {
4956 "direct packet read test#4 for CGROUP_SKB",
4957 .insns = {
4958 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4959 offsetof(struct __sk_buff, family)),
4960 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4961 offsetof(struct __sk_buff, remote_ip4)),
4962 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
4963 offsetof(struct __sk_buff, local_ip4)),
4964 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4965 offsetof(struct __sk_buff, remote_ip6[0])),
4966 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4967 offsetof(struct __sk_buff, remote_ip6[1])),
4968 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4969 offsetof(struct __sk_buff, remote_ip6[2])),
4970 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4971 offsetof(struct __sk_buff, remote_ip6[3])),
4972 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4973 offsetof(struct __sk_buff, local_ip6[0])),
4974 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4975 offsetof(struct __sk_buff, local_ip6[1])),
4976 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4977 offsetof(struct __sk_buff, local_ip6[2])),
4978 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4979 offsetof(struct __sk_buff, local_ip6[3])),
4980 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4981 offsetof(struct __sk_buff, remote_port)),
4982 BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
4983 offsetof(struct __sk_buff, local_port)),
4984 BPF_MOV64_IMM(BPF_REG_0, 0),
4985 BPF_EXIT_INSN(),
4986 },
4987 .result = ACCEPT,
4988 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4989 },
4990 {
4991 "invalid access of tc_classid for CGROUP_SKB",
4992 .insns = {
4993 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4994 offsetof(struct __sk_buff, tc_classid)),
4995 BPF_MOV64_IMM(BPF_REG_0, 0),
4996 BPF_EXIT_INSN(),
4997 },
4998 .result = REJECT,
4999 .errstr = "invalid bpf_context access",
5000 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5001 },
5002 {
5003 "invalid access of data_meta for CGROUP_SKB",
5004 .insns = {
5005 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5006 offsetof(struct __sk_buff, data_meta)),
5007 BPF_MOV64_IMM(BPF_REG_0, 0),
5008 BPF_EXIT_INSN(),
5009 },
5010 .result = REJECT,
5011 .errstr = "invalid bpf_context access",
5012 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5013 },
5014 {
5015 "invalid access of flow_keys for CGROUP_SKB",
5016 .insns = {
5017 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5018 offsetof(struct __sk_buff, flow_keys)),
5019 BPF_MOV64_IMM(BPF_REG_0, 0),
5020 BPF_EXIT_INSN(),
5021 },
5022 .result = REJECT,
5023 .errstr = "invalid bpf_context access",
5024 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5025 },
5026 {
5027 "invalid write access to napi_id for CGROUP_SKB",
5028 .insns = {
5029 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
5030 offsetof(struct __sk_buff, napi_id)),
5031 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_9,
5032 offsetof(struct __sk_buff, napi_id)),
5033 BPF_MOV64_IMM(BPF_REG_0, 0),
5034 BPF_EXIT_INSN(),
5035 },
5036 .result = REJECT,
5037 .errstr = "invalid bpf_context access",
5038 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5039 },
d4c9f573
RG		 5040 {
5041 "valid cgroup storage access",
5042 .insns = {
5043 BPF_MOV64_IMM(BPF_REG_2, 0),
5044 BPF_LD_MAP_FD(BPF_REG_1, 0),
5045 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5046 BPF_FUNC_get_local_storage),
5047 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5048 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5049 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5050 BPF_EXIT_INSN(),
5051 },
5052 .fixup_cgroup_storage = { 1 },
5053 .result = ACCEPT,
5054 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5055 },
5056 {
5057 "invalid cgroup storage access 1",
5058 .insns = {
5059 BPF_MOV64_IMM(BPF_REG_2, 0),
5060 BPF_LD_MAP_FD(BPF_REG_1, 0),
5061 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5062 BPF_FUNC_get_local_storage),
5063 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5064 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5065 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5066 BPF_EXIT_INSN(),
5067 },
908142e6 5068 .fixup_map_hash_8b = { 1 },
d4c9f573
RG		 5069 .result = REJECT,
5070 .errstr = "cannot pass map_type 1 into func bpf_get_local_storage",
5071 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5072 },
5073 {
5074 "invalid cgroup storage access 2",
5075 .insns = {
5076 BPF_MOV64_IMM(BPF_REG_2, 0),
5077 BPF_LD_MAP_FD(BPF_REG_1, 1),
5078 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5079 BPF_FUNC_get_local_storage),
5080 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5081 BPF_EXIT_INSN(),
5082 },
5083 .result = REJECT,
5084 .errstr = "fd 1 is not pointing to valid bpf_map",
5085 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5086 },
5087 {
a3c6054f 5088 "invalid cgroup storage access 3",
d4c9f573
RG		 5089 .insns = {
5090 BPF_MOV64_IMM(BPF_REG_2, 0),
5091 BPF_LD_MAP_FD(BPF_REG_1, 0),
5092 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5093 BPF_FUNC_get_local_storage),
5094 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 256),
5095 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5096 BPF_MOV64_IMM(BPF_REG_0, 0),
5097 BPF_EXIT_INSN(),
5098 },
5099 .fixup_cgroup_storage = { 1 },
5100 .result = REJECT,
5101 .errstr = "invalid access to map value, value_size=64 off=256 size=4",
5102 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5103 },
5104 {
5105 "invalid cgroup storage access 4",
5106 .insns = {
5107 BPF_MOV64_IMM(BPF_REG_2, 0),
5108 BPF_LD_MAP_FD(BPF_REG_1, 0),
5109 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5110 BPF_FUNC_get_local_storage),
5111 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -2),
5112 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5113 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5114 BPF_EXIT_INSN(),
5115 },
5116 .fixup_cgroup_storage = { 1 },
5117 .result = REJECT,
5118 .errstr = "invalid access to map value, value_size=64 off=-2 size=4",
5119 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5120 },
5121 {
5122 "invalid cgroup storage access 5",
5123 .insns = {
5124 BPF_MOV64_IMM(BPF_REG_2, 7),
5125 BPF_LD_MAP_FD(BPF_REG_1, 0),
5126 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5127 BPF_FUNC_get_local_storage),
5128 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5129 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5130 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5131 BPF_EXIT_INSN(),
5132 },
5133 .fixup_cgroup_storage = { 1 },
5134 .result = REJECT,
5135 .errstr = "get_local_storage() doesn't support non-zero flags",
5136 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5137 },
5138 {
5139 "invalid cgroup storage access 6",
5140 .insns = {
5141 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
5142 BPF_LD_MAP_FD(BPF_REG_1, 0),
5143 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5144 BPF_FUNC_get_local_storage),
5145 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5146 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5147 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5148 BPF_EXIT_INSN(),
5149 },
5150 .fixup_cgroup_storage = { 1 },
5151 .result = REJECT,
5152 .errstr = "get_local_storage() doesn't support non-zero flags",
36641ad6 5153 .errstr_unpriv = "R2 leaks addr into helper function",
d4c9f573
RG		 5154 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5155 },
a3c6054f
RG		 5156 {
5157 "valid per-cpu cgroup storage access",
5158 .insns = {
5159 BPF_MOV64_IMM(BPF_REG_2, 0),
5160 BPF_LD_MAP_FD(BPF_REG_1, 0),
5161 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5162 BPF_FUNC_get_local_storage),
5163 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5164 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5165 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5166 BPF_EXIT_INSN(),
5167 },
5168 .fixup_percpu_cgroup_storage = { 1 },
5169 .result = ACCEPT,
5170 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5171 },
5172 {
5173 "invalid per-cpu cgroup storage access 1",
5174 .insns = {
5175 BPF_MOV64_IMM(BPF_REG_2, 0),
5176 BPF_LD_MAP_FD(BPF_REG_1, 0),
5177 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5178 BPF_FUNC_get_local_storage),
5179 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5180 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5181 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5182 BPF_EXIT_INSN(),
5183 },
908142e6 5184 .fixup_map_hash_8b = { 1 },
a3c6054f
RG		 5185 .result = REJECT,
5186 .errstr = "cannot pass map_type 1 into func bpf_get_local_storage",
5187 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5188 },
5189 {
5190 "invalid per-cpu cgroup storage access 2",
5191 .insns = {
5192 BPF_MOV64_IMM(BPF_REG_2, 0),
5193 BPF_LD_MAP_FD(BPF_REG_1, 1),
5194 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5195 BPF_FUNC_get_local_storage),
5196 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5197 BPF_EXIT_INSN(),
5198 },
5199 .result = REJECT,
5200 .errstr = "fd 1 is not pointing to valid bpf_map",
5201 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5202 },
5203 {
5204 "invalid per-cpu cgroup storage access 3",
5205 .insns = {
5206 BPF_MOV64_IMM(BPF_REG_2, 0),
5207 BPF_LD_MAP_FD(BPF_REG_1, 0),
5208 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5209 BPF_FUNC_get_local_storage),
5210 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 256),
5211 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5212 BPF_MOV64_IMM(BPF_REG_0, 0),
5213 BPF_EXIT_INSN(),
5214 },
5215 .fixup_percpu_cgroup_storage = { 1 },
5216 .result = REJECT,
5217 .errstr = "invalid access to map value, value_size=64 off=256 size=4",
5218 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5219 },
5220 {
5221 "invalid per-cpu cgroup storage access 4",
5222 .insns = {
5223 BPF_MOV64_IMM(BPF_REG_2, 0),
5224 BPF_LD_MAP_FD(BPF_REG_1, 0),
5225 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5226 BPF_FUNC_get_local_storage),
5227 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -2),
5228 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5229 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5230 BPF_EXIT_INSN(),
5231 },
5232 .fixup_cgroup_storage = { 1 },
5233 .result = REJECT,
5234 .errstr = "invalid access to map value, value_size=64 off=-2 size=4",
5235 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5236 },
5237 {
5238 "invalid per-cpu cgroup storage access 5",
5239 .insns = {
5240 BPF_MOV64_IMM(BPF_REG_2, 7),
5241 BPF_LD_MAP_FD(BPF_REG_1, 0),
5242 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5243 BPF_FUNC_get_local_storage),
5244 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5245 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5246 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5247 BPF_EXIT_INSN(),
5248 },
5249 .fixup_percpu_cgroup_storage = { 1 },
5250 .result = REJECT,
5251 .errstr = "get_local_storage() doesn't support non-zero flags",
5252 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5253 },
5254 {
5255 "invalid per-cpu cgroup storage access 6",
5256 .insns = {
5257 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
5258 BPF_LD_MAP_FD(BPF_REG_1, 0),
5259 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5260 BPF_FUNC_get_local_storage),
5261 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5262 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5263 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5264 BPF_EXIT_INSN(),
5265 },
5266 .fixup_percpu_cgroup_storage = { 1 },
5267 .result = REJECT,
5268 .errstr = "get_local_storage() doesn't support non-zero flags",
36641ad6 5269 .errstr_unpriv = "R2 leaks addr into helper function",
a3c6054f
RG		 5270 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5271 },
57a09bf0
TG		 5272 {
5273 "multiple registers share map_lookup_elem result",
5274 .insns = {
5275 BPF_MOV64_IMM(BPF_REG_1, 10),
5276 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5277 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5278 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5279 BPF_LD_MAP_FD(BPF_REG_1, 0),
5280 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5281 BPF_FUNC_map_lookup_elem),
5282 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5283 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5284 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5285 BPF_EXIT_INSN(),
5286 },
908142e6 5287 .fixup_map_hash_8b = { 4 },
57a09bf0
TG		 5288 .result = ACCEPT,
5289 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5290 },
614d0d77
DB		 5291 {
5292 "alu ops on ptr_to_map_value_or_null, 1",
5293 .insns = {
5294 BPF_MOV64_IMM(BPF_REG_1, 10),
5295 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5296 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5297 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5298 BPF_LD_MAP_FD(BPF_REG_1, 0),
5299 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5300 BPF_FUNC_map_lookup_elem),
5301 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5302 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
5303 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
5304 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5305 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5306 BPF_EXIT_INSN(),
5307 },
908142e6 5308 .fixup_map_hash_8b = { 4 },
aad2eeaf 5309 .errstr = "R4 pointer arithmetic on map_value_or_null",
614d0d77
DB		 5310 .result = REJECT,
5311 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5312 },
5313 {
5314 "alu ops on ptr_to_map_value_or_null, 2",
5315 .insns = {
5316 BPF_MOV64_IMM(BPF_REG_1, 10),
5317 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5318 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5319 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5320 BPF_LD_MAP_FD(BPF_REG_1, 0),
5321 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5322 BPF_FUNC_map_lookup_elem),
5323 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5324 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
5325 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5326 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5327 BPF_EXIT_INSN(),
5328 },
908142e6 5329 .fixup_map_hash_8b = { 4 },
aad2eeaf 5330 .errstr = "R4 pointer arithmetic on map_value_or_null",
614d0d77
DB		 5331 .result = REJECT,
5332 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5333 },
5334 {
5335 "alu ops on ptr_to_map_value_or_null, 3",
5336 .insns = {
5337 BPF_MOV64_IMM(BPF_REG_1, 10),
5338 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5339 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5340 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5341 BPF_LD_MAP_FD(BPF_REG_1, 0),
5342 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5343 BPF_FUNC_map_lookup_elem),
5344 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5345 BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
5346 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5347 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5348 BPF_EXIT_INSN(),
5349 },
908142e6 5350 .fixup_map_hash_8b = { 4 },
aad2eeaf 5351 .errstr = "R4 pointer arithmetic on map_value_or_null",
614d0d77
DB		 5352 .result = REJECT,
5353 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5354 },
57a09bf0
TG		 5355 {
5356 "invalid memory access with multiple map_lookup_elem calls",
5357 .insns = {
5358 BPF_MOV64_IMM(BPF_REG_1, 10),
5359 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5360 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5361 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5362 BPF_LD_MAP_FD(BPF_REG_1, 0),
5363 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
5364 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
5365 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5366 BPF_FUNC_map_lookup_elem),
5367 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5368 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
5369 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
5370 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5371 BPF_FUNC_map_lookup_elem),
5372 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5373 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5374 BPF_EXIT_INSN(),
5375 },
908142e6 5376 .fixup_map_hash_8b = { 4 },
57a09bf0
TG		 5377 .result = REJECT,
5378 .errstr = "R4 !read_ok",
5379 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5380 },
5381 {
5382 "valid indirect map_lookup_elem access with 2nd lookup in branch",
5383 .insns = {
5384 BPF_MOV64_IMM(BPF_REG_1, 10),
5385 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5386 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5387 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5388 BPF_LD_MAP_FD(BPF_REG_1, 0),
5389 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
5390 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
5391 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5392 BPF_FUNC_map_lookup_elem),
5393 BPF_MOV64_IMM(BPF_REG_2, 10),
5394 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
5395 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
5396 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
5397 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5398 BPF_FUNC_map_lookup_elem),
5399 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5400 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5401 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5402 BPF_EXIT_INSN(),
5403 },
908142e6 5404 .fixup_map_hash_8b = { 4 },
57a09bf0
TG		 5405 .result = ACCEPT,
5406 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5407 },
e9548901
JB		 5408 {
5409 "invalid map access from else condition",
5410 .insns = {
5411 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5412 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5413 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5414 BPF_LD_MAP_FD(BPF_REG_1, 0),
5415 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
5416 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5417 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5418 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
5419 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5420 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
5421 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5422 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
5423 BPF_EXIT_INSN(),
5424 },
908142e6 5425 .fixup_map_hash_48b = { 3 },
f65b1849 5426 .errstr = "R0 unbounded memory access",
e9548901 5427 .result = REJECT,
f65b1849 5428 .errstr_unpriv = "R0 leaks addr",
e9548901 5429 .result_unpriv = REJECT,
02ea80b1 5430 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
e9548901 5431 },
3c839744
GB		 5432 {
5433 "constant register |= constant should keep constant type",
5434 .insns = {
5435 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5436 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5437 BPF_MOV64_IMM(BPF_REG_2, 34),
5438 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
5439 BPF_MOV64_IMM(BPF_REG_3, 0),
5440 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5441 BPF_EXIT_INSN(),
5442 },
5443 .result = ACCEPT,
5444 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5445 },
5446 {
5447 "constant register |= constant should not bypass stack boundary checks",
5448 .insns = {
5449 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5450 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5451 BPF_MOV64_IMM(BPF_REG_2, 34),
5452 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
5453 BPF_MOV64_IMM(BPF_REG_3, 0),
5454 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5455 BPF_EXIT_INSN(),
5456 },
5457 .errstr = "invalid stack type R1 off=-48 access_size=58",
5458 .result = REJECT,
5459 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5460 },
5461 {
5462 "constant register |= constant register should keep constant type",
5463 .insns = {
5464 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5465 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5466 BPF_MOV64_IMM(BPF_REG_2, 34),
5467 BPF_MOV64_IMM(BPF_REG_4, 13),
5468 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
5469 BPF_MOV64_IMM(BPF_REG_3, 0),
5470 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5471 BPF_EXIT_INSN(),
5472 },
5473 .result = ACCEPT,
5474 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5475 },
5476 {
5477 "constant register |= constant register should not bypass stack boundary checks",
5478 .insns = {
5479 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5480 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5481 BPF_MOV64_IMM(BPF_REG_2, 34),
5482 BPF_MOV64_IMM(BPF_REG_4, 24),
5483 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
5484 BPF_MOV64_IMM(BPF_REG_3, 0),
5485 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5486 BPF_EXIT_INSN(),
5487 },
5488 .errstr = "invalid stack type R1 off=-48 access_size=58",
5489 .result = REJECT,
5490 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5491 },
3f731d89
TG		 5492 {
5493 "invalid direct packet write for LWT_IN",
5494 .insns = {
5495 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5496 offsetof(struct __sk_buff, data)),
5497 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5498 offsetof(struct __sk_buff, data_end)),
5499 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5500 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5501 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5502 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5503 BPF_MOV64_IMM(BPF_REG_0, 0),
5504 BPF_EXIT_INSN(),
5505 },
5506 .errstr = "cannot write into packet",
5507 .result = REJECT,
5508 .prog_type = BPF_PROG_TYPE_LWT_IN,
5509 },
5510 {
5511 "invalid direct packet write for LWT_OUT",
5512 .insns = {
5513 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5514 offsetof(struct __sk_buff, data)),
5515 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5516 offsetof(struct __sk_buff, data_end)),
5517 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5518 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5519 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5520 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5521 BPF_MOV64_IMM(BPF_REG_0, 0),
5522 BPF_EXIT_INSN(),
5523 },
5524 .errstr = "cannot write into packet",
5525 .result = REJECT,
5526 .prog_type = BPF_PROG_TYPE_LWT_OUT,
5527 },
5528 {
5529 "direct packet write for LWT_XMIT",
5530 .insns = {
5531 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5532 offsetof(struct __sk_buff, data)),
5533 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5534 offsetof(struct __sk_buff, data_end)),
5535 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5536 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5537 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5538 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5539 BPF_MOV64_IMM(BPF_REG_0, 0),
5540 BPF_EXIT_INSN(),
5541 },
5542 .result = ACCEPT,
5543 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5544 },
5545 {
5546 "direct packet read for LWT_IN",
5547 .insns = {
5548 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5549 offsetof(struct __sk_buff, data)),
5550 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5551 offsetof(struct __sk_buff, data_end)),
5552 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5553 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5554 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5555 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5556 BPF_MOV64_IMM(BPF_REG_0, 0),
5557 BPF_EXIT_INSN(),
5558 },
5559 .result = ACCEPT,
5560 .prog_type = BPF_PROG_TYPE_LWT_IN,
5561 },
5562 {
5563 "direct packet read for LWT_OUT",
5564 .insns = {
5565 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5566 offsetof(struct __sk_buff, data)),
5567 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5568 offsetof(struct __sk_buff, data_end)),
5569 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5570 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5571 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5572 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5573 BPF_MOV64_IMM(BPF_REG_0, 0),
5574 BPF_EXIT_INSN(),
5575 },
5576 .result = ACCEPT,
5577 .prog_type = BPF_PROG_TYPE_LWT_OUT,
5578 },
5579 {
5580 "direct packet read for LWT_XMIT",
5581 .insns = {
5582 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5583 offsetof(struct __sk_buff, data)),
5584 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5585 offsetof(struct __sk_buff, data_end)),
5586 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5587 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5588 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5589 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5590 BPF_MOV64_IMM(BPF_REG_0, 0),
5591 BPF_EXIT_INSN(),
5592 },
5593 .result = ACCEPT,
5594 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5595 },
b1977682
AS		 5596 {
5597 "overlapping checks for direct packet access",
5598 .insns = {
5599 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5600 offsetof(struct __sk_buff, data)),
5601 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5602 offsetof(struct __sk_buff, data_end)),
5603 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5604 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5605 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
5606 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
5607 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
5608 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
5609 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
5610 BPF_MOV64_IMM(BPF_REG_0, 0),
5611 BPF_EXIT_INSN(),
3f731d89
TG		 5612 },
5613 .result = ACCEPT,
5614 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5615 },
6e6fddc7
DB		 5616 {
5617 "make headroom for LWT_XMIT",
5618 .insns = {
5619 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5620 BPF_MOV64_IMM(BPF_REG_2, 34),
5621 BPF_MOV64_IMM(BPF_REG_3, 0),
5622 BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
5623 /* split for s390 to succeed */
5624 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
5625 BPF_MOV64_IMM(BPF_REG_2, 42),
5626 BPF_MOV64_IMM(BPF_REG_3, 0),
5627 BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
5628 BPF_MOV64_IMM(BPF_REG_0, 0),
5629 BPF_EXIT_INSN(),
5630 },
5631 .result = ACCEPT,
5632 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5633 },
3f731d89
TG		 5634 {
5635 "invalid access of tc_classid for LWT_IN",
5636 .insns = {
5637 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5638 offsetof(struct __sk_buff, tc_classid)),
5639 BPF_EXIT_INSN(),
5640 },
5641 .result = REJECT,
5642 .errstr = "invalid bpf_context access",
5643 },
5644 {
5645 "invalid access of tc_classid for LWT_OUT",
5646 .insns = {
5647 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5648 offsetof(struct __sk_buff, tc_classid)),
5649 BPF_EXIT_INSN(),
5650 },
5651 .result = REJECT,
5652 .errstr = "invalid bpf_context access",
5653 },
5654 {
5655 "invalid access of tc_classid for LWT_XMIT",
5656 .insns = {
5657 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5658 offsetof(struct __sk_buff, tc_classid)),
5659 BPF_EXIT_INSN(),
5660 },
5661 .result = REJECT,
5662 .errstr = "invalid bpf_context access",
5663 },
6bdf6abc
DB		 5664 {
5665 "leak pointer into ctx 1",
5666 .insns = {
5667 BPF_MOV64_IMM(BPF_REG_0, 0),
5668 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5669 offsetof(struct __sk_buff, cb[0])),
5670 BPF_LD_MAP_FD(BPF_REG_2, 0),
5671 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
5672 offsetof(struct __sk_buff, cb[0])),
5673 BPF_EXIT_INSN(),
5674 },
908142e6 5675 .fixup_map_hash_8b = { 2 },
6bdf6abc
DB		 5676 .errstr_unpriv = "R2 leaks addr into mem",
5677 .result_unpriv = REJECT,
f37a8cb8 5678 .result = REJECT,
2a159c6f 5679 .errstr = "BPF_XADD stores into R1 ctx is not allowed",
6bdf6abc
DB		 5680 },
5681 {
5682 "leak pointer into ctx 2",
5683 .insns = {
5684 BPF_MOV64_IMM(BPF_REG_0, 0),
5685 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5686 offsetof(struct __sk_buff, cb[0])),
5687 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
5688 offsetof(struct __sk_buff, cb[0])),
5689 BPF_EXIT_INSN(),
5690 },
5691 .errstr_unpriv = "R10 leaks addr into mem",
5692 .result_unpriv = REJECT,
f37a8cb8 5693 .result = REJECT,
2a159c6f 5694 .errstr = "BPF_XADD stores into R1 ctx is not allowed",
6bdf6abc
DB		 5695 },
5696 {
5697 "leak pointer into ctx 3",
5698 .insns = {
5699 BPF_MOV64_IMM(BPF_REG_0, 0),
5700 BPF_LD_MAP_FD(BPF_REG_2, 0),
5701 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
5702 offsetof(struct __sk_buff, cb[0])),
5703 BPF_EXIT_INSN(),
5704 },
908142e6 5705 .fixup_map_hash_8b = { 1 },
6bdf6abc
DB		 5706 .errstr_unpriv = "R2 leaks addr into ctx",
5707 .result_unpriv = REJECT,
5708 .result = ACCEPT,
5709 },
5710 {
5711 "leak pointer into map val",
5712 .insns = {
5713 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5714 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5715 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5716 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5717 BPF_LD_MAP_FD(BPF_REG_1, 0),
5718 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5719 BPF_FUNC_map_lookup_elem),
5720 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
5721 BPF_MOV64_IMM(BPF_REG_3, 0),
5722 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
5723 BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
5724 BPF_MOV64_IMM(BPF_REG_0, 0),
5725 BPF_EXIT_INSN(),
5726 },
908142e6 5727 .fixup_map_hash_8b = { 4 },
6bdf6abc
DB		 5728 .errstr_unpriv = "R6 leaks addr into mem",
5729 .result_unpriv = REJECT,
5730 .result = ACCEPT,
5731 },
5722569b
GB		 5732 {
5733 "helper access to map: full range",
5734 .insns = {
5735 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5736 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5737 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5738 BPF_LD_MAP_FD(BPF_REG_1, 0),
5739 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5740 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5741 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5742 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5743 BPF_MOV64_IMM(BPF_REG_3, 0),
5744 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5745 BPF_EXIT_INSN(),
5746 },
908142e6 5747 .fixup_map_hash_48b = { 3 },
5722569b
GB		 5748 .result = ACCEPT,
5749 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5750 },
5751 {
5752 "helper access to map: partial range",
5753 .insns = {
5754 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5755 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5756 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5757 BPF_LD_MAP_FD(BPF_REG_1, 0),
5758 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5759 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5760 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5761 BPF_MOV64_IMM(BPF_REG_2, 8),
5762 BPF_MOV64_IMM(BPF_REG_3, 0),
5763 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5764 BPF_EXIT_INSN(),
5765 },
908142e6 5766 .fixup_map_hash_48b = { 3 },
5722569b
GB		 5767 .result = ACCEPT,
5768 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5769 },
5770 {
5771 "helper access to map: empty range",
5772 .insns = {
5773 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5774 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5775 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5776 BPF_LD_MAP_FD(BPF_REG_1, 0),
5777 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
f1a8b8e3
YS		 5778 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
5779 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5780 BPF_MOV64_IMM(BPF_REG_2, 0),
5781 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5722569b
GB		 5782 BPF_EXIT_INSN(),
5783 },
908142e6 5784 .fixup_map_hash_48b = { 3 },
5722569b
GB		 5785 .errstr = "invalid access to map value, value_size=48 off=0 size=0",
5786 .result = REJECT,
5787 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5788 },
5789 {
5790 "helper access to map: out-of-bound range",
5791 .insns = {
5792 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5793 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5794 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5795 BPF_LD_MAP_FD(BPF_REG_1, 0),
5796 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5797 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5798 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5799 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
5800 BPF_MOV64_IMM(BPF_REG_3, 0),
5801 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5802 BPF_EXIT_INSN(),
5803 },
908142e6 5804 .fixup_map_hash_48b = { 3 },
5722569b
GB		 5805 .errstr = "invalid access to map value, value_size=48 off=0 size=56",
5806 .result = REJECT,
5807 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5808 },
5809 {
5810 "helper access to map: negative range",
5811 .insns = {
5812 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5813 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5814 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5815 BPF_LD_MAP_FD(BPF_REG_1, 0),
5816 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5817 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5818 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5819 BPF_MOV64_IMM(BPF_REG_2, -8),
5820 BPF_MOV64_IMM(BPF_REG_3, 0),
5821 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5822 BPF_EXIT_INSN(),
5823 },
908142e6 5824 .fixup_map_hash_48b = { 3 },
f65b1849 5825 .errstr = "R2 min value is negative",
5722569b
GB		 5826 .result = REJECT,
5827 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5828 },
5829 {
5830 "helper access to adjusted map (via const imm): full range",
5831 .insns = {
5832 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5833 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5834 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5835 BPF_LD_MAP_FD(BPF_REG_1, 0),
5836 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5837 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5838 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5839 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5840 offsetof(struct test_val, foo)),
5841 BPF_MOV64_IMM(BPF_REG_2,
5842 sizeof(struct test_val) -
5843 offsetof(struct test_val, foo)),
5844 BPF_MOV64_IMM(BPF_REG_3, 0),
5845 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5846 BPF_EXIT_INSN(),
5847 },
908142e6 5848 .fixup_map_hash_48b = { 3 },
5722569b
GB		 5849 .result = ACCEPT,
5850 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5851 },
5852 {
5853 "helper access to adjusted map (via const imm): partial range",
5854 .insns = {
5855 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5856 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5857 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5858 BPF_LD_MAP_FD(BPF_REG_1, 0),
5859 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5860 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5861 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5862 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5863 offsetof(struct test_val, foo)),
5864 BPF_MOV64_IMM(BPF_REG_2, 8),
5865 BPF_MOV64_IMM(BPF_REG_3, 0),
5866 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5867 BPF_EXIT_INSN(),
5868 },
908142e6 5869 .fixup_map_hash_48b = { 3 },
5722569b
GB		 5870 .result = ACCEPT,
5871 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5872 },
5873 {
5874 "helper access to adjusted map (via const imm): empty range",
5875 .insns = {
5876 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5877 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5878 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5879 BPF_LD_MAP_FD(BPF_REG_1, 0),
5880 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
f1a8b8e3 5881 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5722569b
GB		 5882 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5883 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5884 offsetof(struct test_val, foo)),
f1a8b8e3
YS		 5885 BPF_MOV64_IMM(BPF_REG_2, 0),
5886 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5722569b
GB		 5887 BPF_EXIT_INSN(),
5888 },
908142e6 5889 .fixup_map_hash_48b = { 3 },
f65b1849 5890 .errstr = "invalid access to map value, value_size=48 off=4 size=0",
5722569b
GB		 5891 .result = REJECT,
5892 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5893 },
5894 {
5895 "helper access to adjusted map (via const imm): out-of-bound range",
5896 .insns = {
5897 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5898 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5899 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5900 BPF_LD_MAP_FD(BPF_REG_1, 0),
5901 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5902 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5903 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5904 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5905 offsetof(struct test_val, foo)),
5906 BPF_MOV64_IMM(BPF_REG_2,
5907 sizeof(struct test_val) -
5908 offsetof(struct test_val, foo) + 8),
5909 BPF_MOV64_IMM(BPF_REG_3, 0),
5910 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5911 BPF_EXIT_INSN(),
5912 },
908142e6 5913 .fixup_map_hash_48b = { 3 },
5722569b
GB		 5914 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
5915 .result = REJECT,
5916 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5917 },
5918 {
5919 "helper access to adjusted map (via const imm): negative range (> adjustment)",
5920 .insns = {
5921 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5922 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5923 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5924 BPF_LD_MAP_FD(BPF_REG_1, 0),
5925 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5926 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5927 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5928 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5929 offsetof(struct test_val, foo)),
5930 BPF_MOV64_IMM(BPF_REG_2, -8),
5931 BPF_MOV64_IMM(BPF_REG_3, 0),
5932 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5933 BPF_EXIT_INSN(),
5934 },
908142e6 5935 .fixup_map_hash_48b = { 3 },
f65b1849 5936 .errstr = "R2 min value is negative",
5722569b
GB		 5937 .result = REJECT,
5938 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5939 },
5940 {
5941 "helper access to adjusted map (via const imm): negative range (< adjustment)",
5942 .insns = {
5943 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5944 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5945 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5946 BPF_LD_MAP_FD(BPF_REG_1, 0),
5947 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5948 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5949 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5950 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5951 offsetof(struct test_val, foo)),
5952 BPF_MOV64_IMM(BPF_REG_2, -1),
5953 BPF_MOV64_IMM(BPF_REG_3, 0),
5954 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5955 BPF_EXIT_INSN(),
5956 },
908142e6 5957 .fixup_map_hash_48b = { 3 },
f65b1849 5958 .errstr = "R2 min value is negative",
5722569b
GB		 5959 .result = REJECT,
5960 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5961 },
5962 {
5963 "helper access to adjusted map (via const reg): full range",
5964 .insns = {
5965 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5966 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5967 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5968 BPF_LD_MAP_FD(BPF_REG_1, 0),
5969 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5970 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5971 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5972 BPF_MOV64_IMM(BPF_REG_3,
5973 offsetof(struct test_val, foo)),
5974 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5975 BPF_MOV64_IMM(BPF_REG_2,
5976 sizeof(struct test_val) -
5977 offsetof(struct test_val, foo)),
5978 BPF_MOV64_IMM(BPF_REG_3, 0),
5979 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5980 BPF_EXIT_INSN(),
5981 },
908142e6 5982 .fixup_map_hash_48b = { 3 },
5722569b
GB		 5983 .result = ACCEPT,
5984 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5985 },
5986 {
5987 "helper access to adjusted map (via const reg): partial range",
5988 .insns = {
5989 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5990 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5991 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5992 BPF_LD_MAP_FD(BPF_REG_1, 0),
5993 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5994 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5995 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5996 BPF_MOV64_IMM(BPF_REG_3,
5997 offsetof(struct test_val, foo)),
5998 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5999 BPF_MOV64_IMM(BPF_REG_2, 8),
6000 BPF_MOV64_IMM(BPF_REG_3, 0),
6001 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6002 BPF_EXIT_INSN(),
6003 },
908142e6 6004 .fixup_map_hash_48b = { 3 },
5722569b
GB		 6005 .result = ACCEPT,
6006 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6007 },
6008 {
6009 "helper access to adjusted map (via const reg): empty range",
6010 .insns = {
6011 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6012 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6013 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6014 BPF_LD_MAP_FD(BPF_REG_1, 0),
6015 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
f1a8b8e3 6016 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5722569b
GB		 6017 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6018 BPF_MOV64_IMM(BPF_REG_3, 0),
6019 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
f1a8b8e3
YS		 6020 BPF_MOV64_IMM(BPF_REG_2, 0),
6021 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5722569b
GB		 6022 BPF_EXIT_INSN(),
6023 },
908142e6 6024 .fixup_map_hash_48b = { 3 },
f1a8b8e3 6025 .errstr = "R1 min value is outside of the array range",
5722569b
GB		 6026 .result = REJECT,
6027 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6028 },
6029 {
6030 "helper access to adjusted map (via const reg): out-of-bound range",
6031 .insns = {
6032 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6033 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6034 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6035 BPF_LD_MAP_FD(BPF_REG_1, 0),
6036 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6037 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6038 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6039 BPF_MOV64_IMM(BPF_REG_3,
6040 offsetof(struct test_val, foo)),
6041 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6042 BPF_MOV64_IMM(BPF_REG_2,
6043 sizeof(struct test_val) -
6044 offsetof(struct test_val, foo) + 8),
6045 BPF_MOV64_IMM(BPF_REG_3, 0),
6046 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6047 BPF_EXIT_INSN(),
6048 },
908142e6 6049 .fixup_map_hash_48b = { 3 },
5722569b
GB		 6050 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
6051 .result = REJECT,
6052 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6053 },
6054 {
6055 "helper access to adjusted map (via const reg): negative range (> adjustment)",
6056 .insns = {
6057 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6058 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6059 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6060 BPF_LD_MAP_FD(BPF_REG_1, 0),
6061 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6062 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6063 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6064 BPF_MOV64_IMM(BPF_REG_3,
6065 offsetof(struct test_val, foo)),
6066 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6067 BPF_MOV64_IMM(BPF_REG_2, -8),
6068 BPF_MOV64_IMM(BPF_REG_3, 0),
6069 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6070 BPF_EXIT_INSN(),
6071 },
908142e6 6072 .fixup_map_hash_48b = { 3 },
f65b1849 6073 .errstr = "R2 min value is negative",
5722569b
GB		 6074 .result = REJECT,
6075 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6076 },
6077 {
6078 "helper access to adjusted map (via const reg): negative range (< adjustment)",
6079 .insns = {
6080 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6081 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6082 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6083 BPF_LD_MAP_FD(BPF_REG_1, 0),
6084 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6085 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6086 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6087 BPF_MOV64_IMM(BPF_REG_3,
6088 offsetof(struct test_val, foo)),
6089 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6090 BPF_MOV64_IMM(BPF_REG_2, -1),
6091 BPF_MOV64_IMM(BPF_REG_3, 0),
6092 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6093 BPF_EXIT_INSN(),
6094 },
908142e6 6095 .fixup_map_hash_48b = { 3 },
f65b1849 6096 .errstr = "R2 min value is negative",
5722569b
GB		 6097 .result = REJECT,
6098 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6099 },
6100 {
6101 "helper access to adjusted map (via variable): full range",
6102 .insns = {
6103 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6104 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6105 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6106 BPF_LD_MAP_FD(BPF_REG_1, 0),
6107 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6108 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6109 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6110 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6111 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6112 offsetof(struct test_val, foo), 4),
6113 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6114 BPF_MOV64_IMM(BPF_REG_2,
6115 sizeof(struct test_val) -
6116 offsetof(struct test_val, foo)),
6117 BPF_MOV64_IMM(BPF_REG_3, 0),
6118 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6119 BPF_EXIT_INSN(),
6120 },
908142e6 6121 .fixup_map_hash_48b = { 3 },
5722569b
GB		 6122 .result = ACCEPT,
6123 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6124 },
6125 {
6126 "helper access to adjusted map (via variable): partial range",
6127 .insns = {
6128 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6129 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6130 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6131 BPF_LD_MAP_FD(BPF_REG_1, 0),
6132 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6133 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6134 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6135 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6136 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6137 offsetof(struct test_val, foo), 4),
6138 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6139 BPF_MOV64_IMM(BPF_REG_2, 8),
6140 BPF_MOV64_IMM(BPF_REG_3, 0),
6141 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6142 BPF_EXIT_INSN(),
6143 },
908142e6 6144 .fixup_map_hash_48b = { 3 },
5722569b
GB		 6145 .result = ACCEPT,
6146 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6147 },
6148 {
6149 "helper access to adjusted map (via variable): empty range",
6150 .insns = {
6151 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6152 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6153 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6154 BPF_LD_MAP_FD(BPF_REG_1, 0),
6155 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
f1a8b8e3 6156 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5722569b
GB		 6157 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6158 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6159 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
f1a8b8e3 6160 offsetof(struct test_val, foo), 3),
5722569b 6161 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
f1a8b8e3
YS		 6162 BPF_MOV64_IMM(BPF_REG_2, 0),
6163 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5722569b
GB		 6164 BPF_EXIT_INSN(),
6165 },
908142e6 6166 .fixup_map_hash_48b = { 3 },
f1a8b8e3 6167 .errstr = "R1 min value is outside of the array range",
5722569b
GB		 6168 .result = REJECT,
6169 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6170 },
6171 {
6172 "helper access to adjusted map (via variable): no max check",
6173 .insns = {
6174 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6175 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6176 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6177 BPF_LD_MAP_FD(BPF_REG_1, 0),
6178 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6179 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6180 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6181 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6182 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
f65b1849 6183 BPF_MOV64_IMM(BPF_REG_2, 1),
5722569b
GB		 6184 BPF_MOV64_IMM(BPF_REG_3, 0),
6185 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6186 BPF_EXIT_INSN(),
6187 },
908142e6 6188 .fixup_map_hash_48b = { 3 },
f65b1849 6189 .errstr = "R1 unbounded memory access",
5722569b
GB		 6190 .result = REJECT,
6191 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6192 },
6193 {
6194 "helper access to adjusted map (via variable): wrong max check",
6195 .insns = {
6196 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6197 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6198 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6199 BPF_LD_MAP_FD(BPF_REG_1, 0),
6200 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6201 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6202 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6203 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6204 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6205 offsetof(struct test_val, foo), 4),
6206 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6207 BPF_MOV64_IMM(BPF_REG_2,
6208 sizeof(struct test_val) -
6209 offsetof(struct test_val, foo) + 1),
6210 BPF_MOV64_IMM(BPF_REG_3, 0),
6211 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6212 BPF_EXIT_INSN(),
6213 },
908142e6 6214 .fixup_map_hash_48b = { 3 },
5722569b
GB		 6215 .errstr = "invalid access to map value, value_size=48 off=4 size=45",
6216 .result = REJECT,
6217 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6218 },
31e482bf
DB		 6219 {
6220 "helper access to map: bounds check using <, good access",
6221 .insns = {
6222 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6223 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6224 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6225 BPF_LD_MAP_FD(BPF_REG_1, 0),
6226 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6227 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6228 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6229 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6230 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
6231 BPF_MOV64_IMM(BPF_REG_0, 0),
6232 BPF_EXIT_INSN(),
6233 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6234 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6235 BPF_MOV64_IMM(BPF_REG_0, 0),
6236 BPF_EXIT_INSN(),
6237 },
908142e6 6238 .fixup_map_hash_48b = { 3 },
31e482bf
DB		 6239 .result = ACCEPT,
6240 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6241 },
6242 {
6243 "helper access to map: bounds check using <, bad access",
6244 .insns = {
6245 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6246 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6247 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6248 BPF_LD_MAP_FD(BPF_REG_1, 0),
6249 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6250 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6251 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6252 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6253 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
6254 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6255 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6256 BPF_MOV64_IMM(BPF_REG_0, 0),
6257 BPF_EXIT_INSN(),
6258 BPF_MOV64_IMM(BPF_REG_0, 0),
6259 BPF_EXIT_INSN(),
6260 },
908142e6 6261 .fixup_map_hash_48b = { 3 },
31e482bf
DB		 6262 .result = REJECT,
6263 .errstr = "R1 unbounded memory access",
6264 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6265 },
6266 {
6267 "helper access to map: bounds check using <=, good access",
6268 .insns = {
6269 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6270 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6271 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6272 BPF_LD_MAP_FD(BPF_REG_1, 0),
6273 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6274 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6275 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6276 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6277 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
6278 BPF_MOV64_IMM(BPF_REG_0, 0),
6279 BPF_EXIT_INSN(),
6280 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6281 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6282 BPF_MOV64_IMM(BPF_REG_0, 0),
6283 BPF_EXIT_INSN(),
6284 },
908142e6 6285 .fixup_map_hash_48b = { 3 },
31e482bf
DB		 6286 .result = ACCEPT,
6287 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6288 },
6289 {
6290 "helper access to map: bounds check using <=, bad access",
6291 .insns = {
6292 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6293 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6294 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6295 BPF_LD_MAP_FD(BPF_REG_1, 0),
6296 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6297 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6298 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6299 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6300 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
6301 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6302 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6303 BPF_MOV64_IMM(BPF_REG_0, 0),
6304 BPF_EXIT_INSN(),
6305 BPF_MOV64_IMM(BPF_REG_0, 0),
6306 BPF_EXIT_INSN(),
6307 },
908142e6 6308 .fixup_map_hash_48b = { 3 },
31e482bf
DB		 6309 .result = REJECT,
6310 .errstr = "R1 unbounded memory access",
6311 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6312 },
6313 {
6314 "helper access to map: bounds check using s<, good access",
6315 .insns = {
6316 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6317 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6318 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6319 BPF_LD_MAP_FD(BPF_REG_1, 0),
6320 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6321 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6322 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6323 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6324 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
6325 BPF_MOV64_IMM(BPF_REG_0, 0),
6326 BPF_EXIT_INSN(),
6327 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
6328 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6329 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6330 BPF_MOV64_IMM(BPF_REG_0, 0),
6331 BPF_EXIT_INSN(),
6332 },
908142e6 6333 .fixup_map_hash_48b = { 3 },
31e482bf
DB		 6334 .result = ACCEPT,
6335 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6336 },
6337 {
6338 "helper access to map: bounds check using s<, good access 2",
6339 .insns = {
6340 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6341 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6342 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6343 BPF_LD_MAP_FD(BPF_REG_1, 0),
6344 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6345 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6346 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6347 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6348 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
6349 BPF_MOV64_IMM(BPF_REG_0, 0),
6350 BPF_EXIT_INSN(),
6351 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
6352 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6353 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6354 BPF_MOV64_IMM(BPF_REG_0, 0),
6355 BPF_EXIT_INSN(),
6356 },
908142e6 6357 .fixup_map_hash_48b = { 3 },
31e482bf
DB		 6358 .result = ACCEPT,
6359 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6360 },
6361 {
6362 "helper access to map: bounds check using s<, bad access",
6363 .insns = {
6364 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6365 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6366 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6367 BPF_LD_MAP_FD(BPF_REG_1, 0),
6368 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6369 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6370 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6371 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
6372 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
6373 BPF_MOV64_IMM(BPF_REG_0, 0),
6374 BPF_EXIT_INSN(),
6375 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
6376 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6377 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6378 BPF_MOV64_IMM(BPF_REG_0, 0),
6379 BPF_EXIT_INSN(),
6380 },
908142e6 6381 .fixup_map_hash_48b = { 3 },
31e482bf
DB		 6382 .result = REJECT,
6383 .errstr = "R1 min value is negative",
6384 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6385 },
6386 {
6387 "helper access to map: bounds check using s<=, good access",
6388 .insns = {
6389 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6390 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6391 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6392 BPF_LD_MAP_FD(BPF_REG_1, 0),
6393 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6394 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6395 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6396 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6397 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
6398 BPF_MOV64_IMM(BPF_REG_0, 0),
6399 BPF_EXIT_INSN(),
6400 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
6401 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6402 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6403 BPF_MOV64_IMM(BPF_REG_0, 0),
6404 BPF_EXIT_INSN(),
6405 },
908142e6 6406 .fixup_map_hash_48b = { 3 },
31e482bf
DB		 6407 .result = ACCEPT,
6408 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6409 },
6410 {
6411 "helper access to map: bounds check using s<=, good access 2",
6412 .insns = {
6413 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6414 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6415 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6416 BPF_LD_MAP_FD(BPF_REG_1, 0),
6417 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6418 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6419 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6420 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6421 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
6422 BPF_MOV64_IMM(BPF_REG_0, 0),
6423 BPF_EXIT_INSN(),
6424 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
6425 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6426 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6427 BPF_MOV64_IMM(BPF_REG_0, 0),
6428 BPF_EXIT_INSN(),
6429 },
908142e6 6430 .fixup_map_hash_48b = { 3 },
31e482bf
DB		 6431 .result = ACCEPT,
6432 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6433 },
6434 {
6435 "helper access to map: bounds check using s<=, bad access",
6436 .insns = {
6437 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6438 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6439 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6440 BPF_LD_MAP_FD(BPF_REG_1, 0),
6441 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6442 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6443 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6444 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
6445 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
6446 BPF_MOV64_IMM(BPF_REG_0, 0),
6447 BPF_EXIT_INSN(),
6448 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
6449 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6450 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6451 BPF_MOV64_IMM(BPF_REG_0, 0),
6452 BPF_EXIT_INSN(),
6453 },
908142e6 6454 .fixup_map_hash_48b = { 3 },
31e482bf
DB		 6455 .result = REJECT,
6456 .errstr = "R1 min value is negative",
6457 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6458 },
2683f412
DB		 6459 {
6460 "map access: known scalar += value_ptr",
6461 .insns = {
6462 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6463 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6464 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6465 BPF_LD_MAP_FD(BPF_REG_1, 0),
6466 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6467 BPF_FUNC_map_lookup_elem),
6468 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
6469 BPF_MOV64_IMM(BPF_REG_1, 4),
6470 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
6471 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
6472 BPF_MOV64_IMM(BPF_REG_0, 1),
6473 BPF_EXIT_INSN(),
6474 },
6475 .fixup_map_array_48b = { 3 },
6476 .result = ACCEPT,
6477 .retval = 1,
6478 },
6479 {
6480 "map access: value_ptr += known scalar",
6481 .insns = {
6482 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6483 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6484 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6485 BPF_LD_MAP_FD(BPF_REG_1, 0),
6486 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6487 BPF_FUNC_map_lookup_elem),
6488 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
6489 BPF_MOV64_IMM(BPF_REG_1, 4),
6490 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6491 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6492 BPF_MOV64_IMM(BPF_REG_0, 1),
6493 BPF_EXIT_INSN(),
6494 },
6495 .fixup_map_array_48b = { 3 },
6496 .result = ACCEPT,
6497 .retval = 1,
6498 },
6499 {
6500 "map access: unknown scalar += value_ptr",
6501 .insns = {
6502 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6503 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6504 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6505 BPF_LD_MAP_FD(BPF_REG_1, 0),
6506 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6507 BPF_FUNC_map_lookup_elem),
6508 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6509 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6510 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
6511 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
6512 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
6513 BPF_MOV64_IMM(BPF_REG_0, 1),
6514 BPF_EXIT_INSN(),
6515 },
6516 .fixup_map_array_48b = { 3 },
6517 .result = ACCEPT,
6518 .retval = 1,
6519 },
6520 {
6521 "map access: value_ptr += unknown scalar",
6522 .insns = {
6523 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6524 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6525 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6526 BPF_LD_MAP_FD(BPF_REG_1, 0),
6527 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6528 BPF_FUNC_map_lookup_elem),
6529 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6530 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6531 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
6532 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6533 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6534 BPF_MOV64_IMM(BPF_REG_0, 1),
6535 BPF_EXIT_INSN(),
6536 },
6537 .fixup_map_array_48b = { 3 },
6538 .result = ACCEPT,
6539 .retval = 1,
6540 },
6541 {
6542 "map access: value_ptr += value_ptr",
6543 .insns = {
6544 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6545 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6546 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6547 BPF_LD_MAP_FD(BPF_REG_1, 0),
6548 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6549 BPF_FUNC_map_lookup_elem),
6550 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6551 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_0),
6552 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6553 BPF_MOV64_IMM(BPF_REG_0, 1),
6554 BPF_EXIT_INSN(),
6555 },
6556 .fixup_map_array_48b = { 3 },
6557 .result = REJECT,
6558 .errstr = "R0 pointer += pointer prohibited",
6559 },
6560 {
6561 "map access: known scalar -= value_ptr",
6562 .insns = {
6563 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6564 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6565 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6566 BPF_LD_MAP_FD(BPF_REG_1, 0),
6567 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6568 BPF_FUNC_map_lookup_elem),
6569 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
6570 BPF_MOV64_IMM(BPF_REG_1, 4),
6571 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
6572 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
6573 BPF_MOV64_IMM(BPF_REG_0, 1),
6574 BPF_EXIT_INSN(),
6575 },
6576 .fixup_map_array_48b = { 3 },
6577 .result = REJECT,
6578 .errstr = "R1 tried to subtract pointer from scalar",
6579 },
6580 {
6581 "map access: value_ptr -= known scalar",
6582 .insns = {
6583 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6584 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6585 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6586 BPF_LD_MAP_FD(BPF_REG_1, 0),
6587 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6588 BPF_FUNC_map_lookup_elem),
6589 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
6590 BPF_MOV64_IMM(BPF_REG_1, 4),
6591 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
6592 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6593 BPF_MOV64_IMM(BPF_REG_0, 1),
6594 BPF_EXIT_INSN(),
6595 },
6596 .fixup_map_array_48b = { 3 },
6597 .result = REJECT,
6598 .errstr = "R0 min value is outside of the array range",
6599 },
6600 {
6601 "map access: value_ptr -= known scalar, 2",
6602 .insns = {
6603 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6604 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6605 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6606 BPF_LD_MAP_FD(BPF_REG_1, 0),
6607 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6608 BPF_FUNC_map_lookup_elem),
6609 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6610 BPF_MOV64_IMM(BPF_REG_1, 6),
6611 BPF_MOV64_IMM(BPF_REG_2, 4),
6612 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6613 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
6614 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6615 BPF_MOV64_IMM(BPF_REG_0, 1),
6616 BPF_EXIT_INSN(),
6617 },
6618 .fixup_map_array_48b = { 3 },
6619 .result = ACCEPT,
6620 .retval = 1,
6621 },
6622 {
6623 "map access: unknown scalar -= value_ptr",
6624 .insns = {
6625 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6626 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6627 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6628 BPF_LD_MAP_FD(BPF_REG_1, 0),
6629 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6630 BPF_FUNC_map_lookup_elem),
6631 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6632 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6633 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
6634 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
6635 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
6636 BPF_MOV64_IMM(BPF_REG_0, 1),
6637 BPF_EXIT_INSN(),
6638 },
6639 .fixup_map_array_48b = { 3 },
6640 .result = REJECT,
6641 .errstr = "R1 tried to subtract pointer from scalar",
6642 },
6643 {
6644 "map access: value_ptr -= unknown scalar",
6645 .insns = {
6646 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6647 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6648 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6649 BPF_LD_MAP_FD(BPF_REG_1, 0),
6650 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6651 BPF_FUNC_map_lookup_elem),
6652 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6653 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6654 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
6655 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
6656 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6657 BPF_MOV64_IMM(BPF_REG_0, 1),
6658 BPF_EXIT_INSN(),
6659 },
6660 .fixup_map_array_48b = { 3 },
6661 .result = REJECT,
6662 .errstr = "R0 min value is negative",
6663 },
6664 {
6665 "map access: value_ptr -= unknown scalar, 2",
6666 .insns = {
6667 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6668 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6669 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6670 BPF_LD_MAP_FD(BPF_REG_1, 0),
6671 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6672 BPF_FUNC_map_lookup_elem),
6673 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
6674 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6675 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
6676 BPF_ALU64_IMM(BPF_OR, BPF_REG_1, 0x7),
6677 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6678 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6679 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7),
6680 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
6681 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6682 BPF_MOV64_IMM(BPF_REG_0, 1),
6683 BPF_EXIT_INSN(),
6684 },
6685 .fixup_map_array_48b = { 3 },
6686 .result = ACCEPT,
6687 .retval = 1,
6688 },
6689 {
6690 "map access: value_ptr -= value_ptr",
6691 .insns = {
6692 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6693 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6694 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6695 BPF_LD_MAP_FD(BPF_REG_1, 0),
6696 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6697 BPF_FUNC_map_lookup_elem),
6698 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6699 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_0),
6700 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6701 BPF_MOV64_IMM(BPF_REG_0, 1),
6702 BPF_EXIT_INSN(),
6703 },
6704 .fixup_map_array_48b = { 3 },
6705 .result = REJECT,
6706 .errstr = "R0 invalid mem access 'inv'",
6707 .errstr_unpriv = "R0 pointer -= pointer prohibited",
6708 },
5f90dd6a
PC		 6709 {
6710 "map lookup helper access to map",
6711 .insns = {
6712 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6713 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6714 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6715 BPF_LD_MAP_FD(BPF_REG_1, 0),
6716 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6717 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6718 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6719 BPF_LD_MAP_FD(BPF_REG_1, 0),
6720 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6721 BPF_EXIT_INSN(),
6722 },
908142e6 6723 .fixup_map_hash_16b = { 3, 8 },
5f90dd6a
PC		 6724 .result = ACCEPT,
6725 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6726 },
6727 {
6728 "map update helper access to map",
6729 .insns = {
6730 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6731 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6732 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6733 BPF_LD_MAP_FD(BPF_REG_1, 0),
6734 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6735 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6736 BPF_MOV64_IMM(BPF_REG_4, 0),
6737 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
6738 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6739 BPF_LD_MAP_FD(BPF_REG_1, 0),
6740 BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
6741 BPF_EXIT_INSN(),
6742 },
908142e6 6743 .fixup_map_hash_16b = { 3, 10 },
5f90dd6a
PC		 6744 .result = ACCEPT,
6745 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6746 },
6747 {
6748 "map update helper access to map: wrong size",
6749 .insns = {
6750 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6751 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6752 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6753 BPF_LD_MAP_FD(BPF_REG_1, 0),
6754 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6755 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6756 BPF_MOV64_IMM(BPF_REG_4, 0),
6757 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
6758 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6759 BPF_LD_MAP_FD(BPF_REG_1, 0),
6760 BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
6761 BPF_EXIT_INSN(),
6762 },
908142e6
PB		 6763 .fixup_map_hash_8b = { 3 },
6764 .fixup_map_hash_16b = { 10 },
5f90dd6a
PC		 6765 .result = REJECT,
6766 .errstr = "invalid access to map value, value_size=8 off=0 size=16",
6767 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6768 },
6769 {
6770 "map helper access to adjusted map (via const imm)",
6771 .insns = {
6772 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6773 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6774 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6775 BPF_LD_MAP_FD(BPF_REG_1, 0),
6776 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6777 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6778 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6779 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
6780 offsetof(struct other_val, bar)),
6781 BPF_LD_MAP_FD(BPF_REG_1, 0),
6782 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6783 BPF_EXIT_INSN(),
6784 },
908142e6 6785 .fixup_map_hash_16b = { 3, 9 },
5f90dd6a
PC		 6786 .result = ACCEPT,
6787 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6788 },
6789 {
6790 "map helper access to adjusted map (via const imm): out-of-bound 1",
6791 .insns = {
6792 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6793 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6794 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6795 BPF_LD_MAP_FD(BPF_REG_1, 0),
6796 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6797 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6798 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6799 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
6800 sizeof(struct other_val) - 4),
6801 BPF_LD_MAP_FD(BPF_REG_1, 0),
6802 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6803 BPF_EXIT_INSN(),
6804 },
908142e6 6805 .fixup_map_hash_16b = { 3, 9 },
5f90dd6a
PC		 6806 .result = REJECT,
6807 .errstr = "invalid access to map value, value_size=16 off=12 size=8",
6808 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6809 },
6810 {
6811 "map helper access to adjusted map (via const imm): out-of-bound 2",
6812 .insns = {
6813 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6814 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6815 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6816 BPF_LD_MAP_FD(BPF_REG_1, 0),
6817 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6818 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6819 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6820 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6821 BPF_LD_MAP_FD(BPF_REG_1, 0),
6822 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6823 BPF_EXIT_INSN(),
6824 },
908142e6 6825 .fixup_map_hash_16b = { 3, 9 },
5f90dd6a
PC		 6826 .result = REJECT,
6827 .errstr = "invalid access to map value, value_size=16 off=-4 size=8",
6828 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6829 },
6830 {
6831 "map helper access to adjusted map (via const reg)",
6832 .insns = {
6833 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6834 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6835 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6836 BPF_LD_MAP_FD(BPF_REG_1, 0),
6837 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6838 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6839 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6840 BPF_MOV64_IMM(BPF_REG_3,
6841 offsetof(struct other_val, bar)),
6842 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6843 BPF_LD_MAP_FD(BPF_REG_1, 0),
6844 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6845 BPF_EXIT_INSN(),
6846 },
908142e6 6847 .fixup_map_hash_16b = { 3, 10 },
5f90dd6a
PC		 6848 .result = ACCEPT,
6849 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6850 },
6851 {
6852 "map helper access to adjusted map (via const reg): out-of-bound 1",
6853 .insns = {
6854 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6855 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6856 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6857 BPF_LD_MAP_FD(BPF_REG_1, 0),
6858 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6859 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6860 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6861 BPF_MOV64_IMM(BPF_REG_3,
6862 sizeof(struct other_val) - 4),
6863 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6864 BPF_LD_MAP_FD(BPF_REG_1, 0),
6865 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6866 BPF_EXIT_INSN(),
6867 },
908142e6 6868 .fixup_map_hash_16b = { 3, 10 },
5f90dd6a
PC		 6869 .result = REJECT,
6870 .errstr = "invalid access to map value, value_size=16 off=12 size=8",
6871 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6872 },
6873 {
6874 "map helper access to adjusted map (via const reg): out-of-bound 2",
6875 .insns = {
6876 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6877 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6878 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6879 BPF_LD_MAP_FD(BPF_REG_1, 0),
6880 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6881 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6882 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6883 BPF_MOV64_IMM(BPF_REG_3, -4),
6884 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6885 BPF_LD_MAP_FD(BPF_REG_1, 0),
6886 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6887 BPF_EXIT_INSN(),
6888 },
908142e6 6889 .fixup_map_hash_16b = { 3, 10 },
5f90dd6a
PC		 6890 .result = REJECT,
6891 .errstr = "invalid access to map value, value_size=16 off=-4 size=8",
6892 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6893 },
6894 {
6895 "map helper access to adjusted map (via variable)",
6896 .insns = {
6897 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6898 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6899 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6900 BPF_LD_MAP_FD(BPF_REG_1, 0),
6901 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6902 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6903 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6904 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6905 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6906 offsetof(struct other_val, bar), 4),
6907 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6908 BPF_LD_MAP_FD(BPF_REG_1, 0),
6909 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6910 BPF_EXIT_INSN(),
6911 },
908142e6 6912 .fixup_map_hash_16b = { 3, 11 },
5f90dd6a
PC		 6913 .result = ACCEPT,
6914 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6915 },
6916 {
6917 "map helper access to adjusted map (via variable): no max check",
6918 .insns = {
6919 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6920 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6921 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6922 BPF_LD_MAP_FD(BPF_REG_1, 0),
6923 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6924 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6925 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6926 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6927 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6928 BPF_LD_MAP_FD(BPF_REG_1, 0),
6929 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6930 BPF_EXIT_INSN(),
6931 },
908142e6 6932 .fixup_map_hash_16b = { 3, 10 },
5f90dd6a
PC		 6933 .result = REJECT,
6934 .errstr = "R2 unbounded memory access, make sure to bounds check any array access into a map",
6935 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6936 },
6937 {
6938 "map helper access to adjusted map (via variable): wrong max check",
6939 .insns = {
6940 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6941 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6942 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6943 BPF_LD_MAP_FD(BPF_REG_1, 0),
6944 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6945 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6946 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6947 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6948 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6949 offsetof(struct other_val, bar) + 1, 4),
6950 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6951 BPF_LD_MAP_FD(BPF_REG_1, 0),
6952 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6953 BPF_EXIT_INSN(),
6954 },
908142e6 6955 .fixup_map_hash_16b = { 3, 11 },
5f90dd6a
PC		 6956 .result = REJECT,
6957 .errstr = "invalid access to map value, value_size=16 off=9 size=8",
6958 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6959 },
f0318d01
GB		 6960 {
6961 "map element value is preserved across register spilling",
6962 .insns = {
6963 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6964 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6965 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6966 BPF_LD_MAP_FD(BPF_REG_1, 0),
6967 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6968 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6969 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6970 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6971 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
6972 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6973 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6974 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6975 BPF_EXIT_INSN(),
6976 },
908142e6 6977 .fixup_map_hash_48b = { 3 },
f0318d01
GB		 6978 .errstr_unpriv = "R0 leaks addr",
6979 .result = ACCEPT,
6980 .result_unpriv = REJECT,
6981 },
6982 {
02ea80b1
DB		 6983 "map element value or null is marked on register spilling",
6984 .insns = {
6985 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6986 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6987 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6988 BPF_LD_MAP_FD(BPF_REG_1, 0),
6989 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6990 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6991 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
6992 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6993 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6994 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6995 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6996 BPF_EXIT_INSN(),
6997 },
908142e6 6998 .fixup_map_hash_48b = { 3 },
02ea80b1
DB		 6999 .errstr_unpriv = "R0 leaks addr",
7000 .result = ACCEPT,
7001 .result_unpriv = REJECT,
7002 },
7003 {
7004 "map element value store of cleared call register",
7005 .insns = {
7006 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7007 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7008 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7009 BPF_LD_MAP_FD(BPF_REG_1, 0),
7010 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7011 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
7012 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
7013 BPF_EXIT_INSN(),
7014 },
908142e6 7015 .fixup_map_hash_48b = { 3 },
02ea80b1
DB		 7016 .errstr_unpriv = "R1 !read_ok",
7017 .errstr = "R1 !read_ok",
7018 .result = REJECT,
7019 .result_unpriv = REJECT,
7020 },
7021 {
7022 "map element value with unaligned store",
7023 .insns = {
7024 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7025 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7026 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7027 BPF_LD_MAP_FD(BPF_REG_1, 0),
7028 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7029 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
7030 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
7031 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
7032 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
7033 BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
7034 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
7035 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
7036 BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
7037 BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
7038 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
7039 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
7040 BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
7041 BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
7042 BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
7043 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
7044 BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
7045 BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
7046 BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
7047 BPF_EXIT_INSN(),
7048 },
908142e6 7049 .fixup_map_hash_48b = { 3 },
f65b1849 7050 .errstr_unpriv = "R0 leaks addr",
02ea80b1
DB		 7051 .result = ACCEPT,
7052 .result_unpriv = REJECT,
7053 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7054 },
7055 {
7056 "map element value with unaligned load",
7057 .insns = {
7058 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7059 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7060 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7061 BPF_LD_MAP_FD(BPF_REG_1, 0),
7062 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7063 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
7064 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
7065 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
7066 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
7067 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
7068 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
7069 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
7070 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
7071 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
7072 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
7073 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
7074 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
7075 BPF_EXIT_INSN(),
7076 },
908142e6 7077 .fixup_map_hash_48b = { 3 },
f65b1849 7078 .errstr_unpriv = "R0 leaks addr",
02ea80b1
DB		 7079 .result = ACCEPT,
7080 .result_unpriv = REJECT,
7081 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7082 },
7083 {
7084 "map element value illegal alu op, 1",
7085 .insns = {
7086 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7087 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7088 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7089 BPF_LD_MAP_FD(BPF_REG_1, 0),
7090 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7091 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7092 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
7093 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
7094 BPF_EXIT_INSN(),
7095 },
908142e6 7096 .fixup_map_hash_48b = { 3 },
82abbf8d 7097 .errstr = "R0 bitwise operator &= on pointer",
02ea80b1 7098 .result = REJECT,
02ea80b1
DB		 7099 },
7100 {
7101 "map element value illegal alu op, 2",
7102 .insns = {
7103 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7104 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7105 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7106 BPF_LD_MAP_FD(BPF_REG_1, 0),
7107 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7108 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7109 BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
7110 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
7111 BPF_EXIT_INSN(),
7112 },
908142e6 7113 .fixup_map_hash_48b = { 3 },
82abbf8d 7114 .errstr = "R0 32-bit pointer arithmetic prohibited",
02ea80b1 7115 .result = REJECT,
02ea80b1
DB		 7116 },
7117 {
7118 "map element value illegal alu op, 3",
7119 .insns = {
7120 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7121 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7122 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7123 BPF_LD_MAP_FD(BPF_REG_1, 0),
7124 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7125 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7126 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
7127 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
7128 BPF_EXIT_INSN(),
7129 },
908142e6 7130 .fixup_map_hash_48b = { 3 },
82abbf8d 7131 .errstr = "R0 pointer arithmetic with /= operator",
02ea80b1 7132 .result = REJECT,
02ea80b1
DB		 7133 },
7134 {
7135 "map element value illegal alu op, 4",
7136 .insns = {
7137 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7138 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7139 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7140 BPF_LD_MAP_FD(BPF_REG_1, 0),
7141 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7142 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7143 BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),
7144 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
7145 BPF_EXIT_INSN(),
7146 },
908142e6 7147 .fixup_map_hash_48b = { 3 },
02ea80b1
DB		 7148 .errstr_unpriv = "R0 pointer arithmetic prohibited",
7149 .errstr = "invalid mem access 'inv'",
7150 .result = REJECT,
7151 .result_unpriv = REJECT,
7152 },
7153 {
7154 "map element value illegal alu op, 5",
7155 .insns = {
7156 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7157 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7158 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7159 BPF_LD_MAP_FD(BPF_REG_1, 0),
7160 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7161 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7162 BPF_MOV64_IMM(BPF_REG_3, 4096),
7163 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7164 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7165 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
7166 BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
7167 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
7168 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
7169 BPF_EXIT_INSN(),
7170 },
908142e6 7171 .fixup_map_hash_48b = { 3 },
02ea80b1
DB		 7172 .errstr = "R0 invalid mem access 'inv'",
7173 .result = REJECT,
02ea80b1
DB		 7174 },
7175 {
7176 "map element value is preserved across register spilling",
f0318d01
GB		 7177 .insns = {
7178 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7179 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7180 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7181 BPF_LD_MAP_FD(BPF_REG_1, 0),
7182 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7183 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7184 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0,
7185 offsetof(struct test_val, foo)),
7186 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
7187 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7188 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
7189 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
7190 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
7191 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
7192 BPF_EXIT_INSN(),
7193 },
908142e6 7194 .fixup_map_hash_48b = { 3 },
f65b1849 7195 .errstr_unpriv = "R0 leaks addr",
f0318d01
GB		 7196 .result = ACCEPT,
7197 .result_unpriv = REJECT,
02ea80b1 7198 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
f0318d01 7199 },
06c1c049
GB		 7200 {
7201 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
7202 .insns = {
7203 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7204 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7205 BPF_MOV64_IMM(BPF_REG_0, 0),
7206 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7207 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7208 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7209 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7210 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
7211 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7212 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7213 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7214 BPF_MOV64_IMM(BPF_REG_2, 16),
7215 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7216 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7217 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
7218 BPF_MOV64_IMM(BPF_REG_4, 0),
7219 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
7220 BPF_MOV64_IMM(BPF_REG_3, 0),
7221 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7222 BPF_MOV64_IMM(BPF_REG_0, 0),
7223 BPF_EXIT_INSN(),
7224 },
7225 .result = ACCEPT,
7226 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7227 },
7228 {
7229 "helper access to variable memory: stack, bitwise AND, zero included",
7230 .insns = {
7231 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7232 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7233 BPF_MOV64_IMM(BPF_REG_2, 16),
7234 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7235 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7236 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
7237 BPF_MOV64_IMM(BPF_REG_3, 0),
7238 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7239 BPF_EXIT_INSN(),
7240 },
b6ff6391 7241 .errstr = "invalid indirect read from stack off -64+0 size 64",
06c1c049
GB		 7242 .result = REJECT,
7243 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7244 },
7245 {
7246 "helper access to variable memory: stack, bitwise AND + JMP, wrong max",
7247 .insns = {
7248 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7249 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7250 BPF_MOV64_IMM(BPF_REG_2, 16),
7251 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7252 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7253 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
7254 BPF_MOV64_IMM(BPF_REG_4, 0),
7255 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
7256 BPF_MOV64_IMM(BPF_REG_3, 0),
7257 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7258 BPF_MOV64_IMM(BPF_REG_0, 0),
7259 BPF_EXIT_INSN(),
7260 },
7261 .errstr = "invalid stack type R1 off=-64 access_size=65",
7262 .result = REJECT,
7263 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7264 },
7265 {
7266 "helper access to variable memory: stack, JMP, correct bounds",
7267 .insns = {
7268 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7269 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7270 BPF_MOV64_IMM(BPF_REG_0, 0),
7271 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7272 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7273 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7274 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7275 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
7276 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7277 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7278 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7279 BPF_MOV64_IMM(BPF_REG_2, 16),
7280 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7281 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7282 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
7283 BPF_MOV64_IMM(BPF_REG_4, 0),
7284 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
7285 BPF_MOV64_IMM(BPF_REG_3, 0),
7286 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7287 BPF_MOV64_IMM(BPF_REG_0, 0),
7288 BPF_EXIT_INSN(),
7289 },
7290 .result = ACCEPT,
7291 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7292 },
7293 {
7294 "helper access to variable memory: stack, JMP (signed), correct bounds",
7295 .insns = {
7296 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7297 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7298 BPF_MOV64_IMM(BPF_REG_0, 0),
7299 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7300 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7301 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7302 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7303 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
7304 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7305 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7306 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7307 BPF_MOV64_IMM(BPF_REG_2, 16),
7308 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7309 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7310 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
7311 BPF_MOV64_IMM(BPF_REG_4, 0),
7312 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
7313 BPF_MOV64_IMM(BPF_REG_3, 0),
7314 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7315 BPF_MOV64_IMM(BPF_REG_0, 0),
7316 BPF_EXIT_INSN(),
7317 },
7318 .result = ACCEPT,
7319 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7320 },
7321 {
7322 "helper access to variable memory: stack, JMP, bounds + offset",
7323 .insns = {
7324 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7325 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7326 BPF_MOV64_IMM(BPF_REG_2, 16),
7327 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7328 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7329 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
7330 BPF_MOV64_IMM(BPF_REG_4, 0),
7331 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
7332 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
7333 BPF_MOV64_IMM(BPF_REG_3, 0),
7334 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7335 BPF_MOV64_IMM(BPF_REG_0, 0),
7336 BPF_EXIT_INSN(),
7337 },
7338 .errstr = "invalid stack type R1 off=-64 access_size=65",
7339 .result = REJECT,
7340 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7341 },
7342 {
7343 "helper access to variable memory: stack, JMP, wrong max",
7344 .insns = {
7345 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7346 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7347 BPF_MOV64_IMM(BPF_REG_2, 16),
7348 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7349 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7350 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
7351 BPF_MOV64_IMM(BPF_REG_4, 0),
7352 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
7353 BPF_MOV64_IMM(BPF_REG_3, 0),
7354 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7355 BPF_MOV64_IMM(BPF_REG_0, 0),
7356 BPF_EXIT_INSN(),
7357 },
7358 .errstr = "invalid stack type R1 off=-64 access_size=65",
7359 .result = REJECT,
7360 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7361 },
7362 {
7363 "helper access to variable memory: stack, JMP, no max check",
7364 .insns = {
7365 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7366 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7367 BPF_MOV64_IMM(BPF_REG_2, 16),
7368 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7369 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7370 BPF_MOV64_IMM(BPF_REG_4, 0),
7371 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
7372 BPF_MOV64_IMM(BPF_REG_3, 0),
7373 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7374 BPF_MOV64_IMM(BPF_REG_0, 0),
7375 BPF_EXIT_INSN(),
7376 },
f65b1849
EC		 7377 /* because max wasn't checked, signed min is negative */
7378 .errstr = "R2 min value is negative, either use unsigned or 'var &= const'",
06c1c049
GB		 7379 .result = REJECT,
7380 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7381 },
7382 {
7383 "helper access to variable memory: stack, JMP, no min check",
7384 .insns = {
7385 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7386 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7387 BPF_MOV64_IMM(BPF_REG_2, 16),
7388 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7389 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7390 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
7391 BPF_MOV64_IMM(BPF_REG_3, 0),
7392 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7393 BPF_MOV64_IMM(BPF_REG_0, 0),
7394 BPF_EXIT_INSN(),
7395 },
b6ff6391 7396 .errstr = "invalid indirect read from stack off -64+0 size 64",
06c1c049
GB		 7397 .result = REJECT,
7398 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7399 },
7400 {
7401 "helper access to variable memory: stack, JMP (signed), no min check",
7402 .insns = {
7403 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7404 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7405 BPF_MOV64_IMM(BPF_REG_2, 16),
7406 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7407 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7408 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
7409 BPF_MOV64_IMM(BPF_REG_3, 0),
7410 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7411 BPF_MOV64_IMM(BPF_REG_0, 0),
7412 BPF_EXIT_INSN(),
7413 },
7414 .errstr = "R2 min value is negative",
7415 .result = REJECT,
7416 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7417 },
7418 {
7419 "helper access to variable memory: map, JMP, correct bounds",
7420 .insns = {
7421 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7422 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7423 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7424 BPF_LD_MAP_FD(BPF_REG_1, 0),
7425 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7426 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
7427 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7428 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
7429 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7430 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7431 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
7432 sizeof(struct test_val), 4),
7433 BPF_MOV64_IMM(BPF_REG_4, 0),
a1502132 7434 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
06c1c049
GB		 7435 BPF_MOV64_IMM(BPF_REG_3, 0),
7436 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7437 BPF_MOV64_IMM(BPF_REG_0, 0),
7438 BPF_EXIT_INSN(),
7439 },
908142e6 7440 .fixup_map_hash_48b = { 3 },
06c1c049
GB		 7441 .result = ACCEPT,
7442 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7443 },
7444 {
7445 "helper access to variable memory: map, JMP, wrong max",
7446 .insns = {
7447 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7448 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7449 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7450 BPF_LD_MAP_FD(BPF_REG_1, 0),
7451 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7452 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
7453 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7454 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
7455 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7456 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7457 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
7458 sizeof(struct test_val) + 1, 4),
7459 BPF_MOV64_IMM(BPF_REG_4, 0),
a1502132 7460 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
06c1c049
GB		 7461 BPF_MOV64_IMM(BPF_REG_3, 0),
7462 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7463 BPF_MOV64_IMM(BPF_REG_0, 0),
7464 BPF_EXIT_INSN(),
7465 },
908142e6 7466 .fixup_map_hash_48b = { 3 },
06c1c049
GB		 7467 .errstr = "invalid access to map value, value_size=48 off=0 size=49",
7468 .result = REJECT,
7469 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7470 },
7471 {
7472 "helper access to variable memory: map adjusted, JMP, correct bounds",
7473 .insns = {
7474 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7475 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7476 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7477 BPF_LD_MAP_FD(BPF_REG_1, 0),
7478 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7479 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
7480 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7481 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
7482 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
7483 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7484 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7485 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
7486 sizeof(struct test_val) - 20, 4),
7487 BPF_MOV64_IMM(BPF_REG_4, 0),
a1502132 7488 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
06c1c049
GB		 7489 BPF_MOV64_IMM(BPF_REG_3, 0),
7490 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7491 BPF_MOV64_IMM(BPF_REG_0, 0),
7492 BPF_EXIT_INSN(),
7493 },
908142e6 7494 .fixup_map_hash_48b = { 3 },
06c1c049
GB		 7495 .result = ACCEPT,
7496 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7497 },
7498 {
7499 "helper access to variable memory: map adjusted, JMP, wrong max",
7500 .insns = {
7501 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7502 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7503 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7504 BPF_LD_MAP_FD(BPF_REG_1, 0),
7505 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7506 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
7507 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7508 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
7509 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
7510 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7511 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7512 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
7513 sizeof(struct test_val) - 19, 4),
7514 BPF_MOV64_IMM(BPF_REG_4, 0),
a1502132 7515 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
06c1c049
GB		 7516 BPF_MOV64_IMM(BPF_REG_3, 0),
7517 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7518 BPF_MOV64_IMM(BPF_REG_0, 0),
7519 BPF_EXIT_INSN(),
7520 },
908142e6 7521 .fixup_map_hash_48b = { 3 },
06c1c049
GB		 7522 .errstr = "R1 min value is outside of the array range",
7523 .result = REJECT,
7524 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7525 },
f65b1849 7526 {
db1ac496 7527 "helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
f65b1849
EC		 7528 .insns = {
7529 BPF_MOV64_IMM(BPF_REG_1, 0),
7530 BPF_MOV64_IMM(BPF_REG_2, 0),
7531 BPF_MOV64_IMM(BPF_REG_3, 0),
7532 BPF_MOV64_IMM(BPF_REG_4, 0),
7533 BPF_MOV64_IMM(BPF_REG_5, 0),
7534 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7535 BPF_EXIT_INSN(),
7536 },
7537 .result = ACCEPT,
7538 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7539 },
06c1c049 7540 {
db1ac496 7541 "helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
06c1c049
GB		 7542 .insns = {
7543 BPF_MOV64_IMM(BPF_REG_1, 0),
d98588ce 7544 BPF_MOV64_IMM(BPF_REG_2, 1),
3fadc801
DB		 7545 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7546 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
06c1c049
GB		 7547 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
7548 BPF_MOV64_IMM(BPF_REG_3, 0),
7549 BPF_MOV64_IMM(BPF_REG_4, 0),
7550 BPF_MOV64_IMM(BPF_REG_5, 0),
7551 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7552 BPF_EXIT_INSN(),
7553 },
f65b1849 7554 .errstr = "R1 type=inv expected=fp",
06c1c049
GB		 7555 .result = REJECT,
7556 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7557 },
7558 {
db1ac496 7559 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
06c1c049
GB		 7560 .insns = {
7561 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7562 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
7563 BPF_MOV64_IMM(BPF_REG_2, 0),
7564 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
7565 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
7566 BPF_MOV64_IMM(BPF_REG_3, 0),
7567 BPF_MOV64_IMM(BPF_REG_4, 0),
7568 BPF_MOV64_IMM(BPF_REG_5, 0),
7569 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7570 BPF_EXIT_INSN(),
7571 },
b6ff6391
YS		 7572 .result = ACCEPT,
7573 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7574 },
7575 {
db1ac496 7576 "helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
b6ff6391
YS		 7577 .insns = {
7578 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7579 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7580 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7581 BPF_LD_MAP_FD(BPF_REG_1, 0),
7582 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7583 BPF_FUNC_map_lookup_elem),
7584 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7585 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7586 BPF_MOV64_IMM(BPF_REG_2, 0),
7587 BPF_MOV64_IMM(BPF_REG_3, 0),
7588 BPF_MOV64_IMM(BPF_REG_4, 0),
7589 BPF_MOV64_IMM(BPF_REG_5, 0),
7590 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7591 BPF_EXIT_INSN(),
7592 },
908142e6 7593 .fixup_map_hash_8b = { 3 },
b6ff6391
YS		 7594 .result = ACCEPT,
7595 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7596 },
7597 {
db1ac496 7598 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
b6ff6391
YS		 7599 .insns = {
7600 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7601 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7602 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7603 BPF_LD_MAP_FD(BPF_REG_1, 0),
7604 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7605 BPF_FUNC_map_lookup_elem),
7606 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7607 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
7608 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7),
7609 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7610 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
7611 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
7612 BPF_MOV64_IMM(BPF_REG_3, 0),
7613 BPF_MOV64_IMM(BPF_REG_4, 0),
7614 BPF_MOV64_IMM(BPF_REG_5, 0),
7615 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7616 BPF_EXIT_INSN(),
7617 },
908142e6 7618 .fixup_map_hash_8b = { 3 },
b6ff6391
YS		 7619 .result = ACCEPT,
7620 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7621 },
7622 {
db1ac496 7623 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
b6ff6391
YS		 7624 .insns = {
7625 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7626 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7627 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7628 BPF_LD_MAP_FD(BPF_REG_1, 0),
7629 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7630 BPF_FUNC_map_lookup_elem),
7631 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7632 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7633 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
7634 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
7635 BPF_MOV64_IMM(BPF_REG_3, 0),
7636 BPF_MOV64_IMM(BPF_REG_4, 0),
7637 BPF_MOV64_IMM(BPF_REG_5, 0),
7638 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7639 BPF_EXIT_INSN(),
7640 },
908142e6 7641 .fixup_map_hash_8b = { 3 },
b6ff6391
YS		 7642 .result = ACCEPT,
7643 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7644 },
7645 {
db1ac496 7646 "helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)",
b6ff6391
YS		 7647 .insns = {
7648 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
7649 offsetof(struct __sk_buff, data)),
7650 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7651 offsetof(struct __sk_buff, data_end)),
7652 BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),
7653 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
7654 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
7655 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
7656 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0),
7657 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
7658 BPF_MOV64_IMM(BPF_REG_3, 0),
7659 BPF_MOV64_IMM(BPF_REG_4, 0),
7660 BPF_MOV64_IMM(BPF_REG_5, 0),
7661 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7662 BPF_EXIT_INSN(),
7663 },
7664 .result = ACCEPT,
06c1c049 7665 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
111e6b45 7666 .retval = 0 /* csum_diff of 64-byte packet */,
06c1c049 7667 },
db1ac496
GB		 7668 {
7669 "helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
7670 .insns = {
7671 BPF_MOV64_IMM(BPF_REG_1, 0),
7672 BPF_MOV64_IMM(BPF_REG_2, 0),
7673 BPF_MOV64_IMM(BPF_REG_3, 0),
7674 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7675 BPF_EXIT_INSN(),
7676 },
7677 .errstr = "R1 type=inv expected=fp",
7678 .result = REJECT,
7679 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7680 },
7681 {
7682 "helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
7683 .insns = {
7684 BPF_MOV64_IMM(BPF_REG_1, 0),
7685 BPF_MOV64_IMM(BPF_REG_2, 1),
7686 BPF_MOV64_IMM(BPF_REG_3, 0),
7687 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7688 BPF_EXIT_INSN(),
7689 },
7690 .errstr = "R1 type=inv expected=fp",
7691 .result = REJECT,
7692 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7693 },
7694 {
7695 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
7696 .insns = {
7697 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7698 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
7699 BPF_MOV64_IMM(BPF_REG_2, 0),
7700 BPF_MOV64_IMM(BPF_REG_3, 0),
7701 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7702 BPF_EXIT_INSN(),
7703 },
7704 .result = ACCEPT,
7705 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7706 },
7707 {
7708 "helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
7709 .insns = {
7710 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7711 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7712 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7713 BPF_LD_MAP_FD(BPF_REG_1, 0),
7714 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7715 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7716 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7717 BPF_MOV64_IMM(BPF_REG_2, 0),
7718 BPF_MOV64_IMM(BPF_REG_3, 0),
7719 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7720 BPF_EXIT_INSN(),
7721 },
908142e6 7722 .fixup_map_hash_8b = { 3 },
db1ac496
GB		 7723 .result = ACCEPT,
7724 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7725 },
7726 {
7727 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
7728 .insns = {
7729 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7730 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7731 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7732 BPF_LD_MAP_FD(BPF_REG_1, 0),
7733 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7734 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7735 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
7736 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
7737 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7738 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
7739 BPF_MOV64_IMM(BPF_REG_3, 0),
7740 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7741 BPF_EXIT_INSN(),
7742 },
908142e6 7743 .fixup_map_hash_8b = { 3 },
db1ac496
GB		 7744 .result = ACCEPT,
7745 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7746 },
7747 {
7748 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
7749 .insns = {
7750 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7751 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7752 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7753 BPF_LD_MAP_FD(BPF_REG_1, 0),
7754 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7755 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7756 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7757 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
7758 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2),
7759 BPF_MOV64_IMM(BPF_REG_3, 0),
7760 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7761 BPF_EXIT_INSN(),
7762 },
908142e6 7763 .fixup_map_hash_8b = { 3 },
db1ac496
GB		 7764 .result = ACCEPT,
7765 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7766 },
06c1c049
GB		 7767 {
7768 "helper access to variable memory: 8 bytes leak",
7769 .insns = {
7770 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7771 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7772 BPF_MOV64_IMM(BPF_REG_0, 0),
7773 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7774 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7775 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7776 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7777 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7778 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7779 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
d98588ce 7780 BPF_MOV64_IMM(BPF_REG_2, 1),
3fadc801
DB		 7781 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7782 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
06c1c049
GB		 7783 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
7784 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
7785 BPF_MOV64_IMM(BPF_REG_3, 0),
7786 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7787 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7788 BPF_EXIT_INSN(),
7789 },
7790 .errstr = "invalid indirect read from stack off -64+32 size 64",
7791 .result = REJECT,
7792 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7793 },
7794 {
7795 "helper access to variable memory: 8 bytes no leak (init memory)",
7796 .insns = {
7797 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7798 BPF_MOV64_IMM(BPF_REG_0, 0),
7799 BPF_MOV64_IMM(BPF_REG_0, 0),
7800 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7801 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7802 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7803 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7804 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
7805 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7806 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7807 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7808 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7809 BPF_MOV64_IMM(BPF_REG_2, 0),
7810 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
7811 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
7812 BPF_MOV64_IMM(BPF_REG_3, 0),
7813 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7814 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7815 BPF_EXIT_INSN(),
7816 },
7817 .result = ACCEPT,
7818 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7819 },
29200c19
JB		 7820 {
7821 "invalid and of negative number",
7822 .insns = {
7823 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7824 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7825 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7826 BPF_LD_MAP_FD(BPF_REG_1, 0),
7827 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7828 BPF_FUNC_map_lookup_elem),
7829 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
f65b1849 7830 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
29200c19
JB		 7831 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4),
7832 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
7833 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7834 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
7835 offsetof(struct test_val, foo)),
7836 BPF_EXIT_INSN(),
7837 },
908142e6 7838 .fixup_map_hash_48b = { 3 },
f65b1849 7839 .errstr = "R0 max value is outside of the array range",
29200c19 7840 .result = REJECT,
02ea80b1 7841 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
29200c19
JB		 7842 },
7843 {
7844 "invalid range check",
7845 .insns = {
7846 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7847 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7848 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7849 BPF_LD_MAP_FD(BPF_REG_1, 0),
7850 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7851 BPF_FUNC_map_lookup_elem),
7852 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12),
7853 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
7854 BPF_MOV64_IMM(BPF_REG_9, 1),
7855 BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2),
7856 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
7857 BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1),
7858 BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1),
7859 BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1),
7860 BPF_MOV32_IMM(BPF_REG_3, 1),
7861 BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9),
7862 BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000),
7863 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
7864 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),
7865 BPF_MOV64_REG(BPF_REG_0, 0),
7866 BPF_EXIT_INSN(),
7867 },
908142e6 7868 .fixup_map_hash_48b = { 3 },
f65b1849 7869 .errstr = "R0 max value is outside of the array range",
29200c19 7870 .result = REJECT,
02ea80b1 7871 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
fb30d4b7
MKL		 7872 },
7873 {
7874 "map in map access",
7875 .insns = {
7876 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7877 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7878 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7879 BPF_LD_MAP_FD(BPF_REG_1, 0),
7880 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7881 BPF_FUNC_map_lookup_elem),
7882 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7883 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7884 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7885 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7886 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7887 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7888 BPF_FUNC_map_lookup_elem),
0069fb85 7889 BPF_MOV64_IMM(BPF_REG_0, 0),
fb30d4b7
MKL		 7890 BPF_EXIT_INSN(),
7891 },
7892 .fixup_map_in_map = { 3 },
7893 .result = ACCEPT,
7894 },
7895 {
7896 "invalid inner map pointer",
7897 .insns = {
7898 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7899 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7900 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7901 BPF_LD_MAP_FD(BPF_REG_1, 0),
7902 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7903 BPF_FUNC_map_lookup_elem),
7904 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7905 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7906 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7907 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7908 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7909 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7910 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7911 BPF_FUNC_map_lookup_elem),
0069fb85 7912 BPF_MOV64_IMM(BPF_REG_0, 0),
fb30d4b7
MKL		 7913 BPF_EXIT_INSN(),
7914 },
7915 .fixup_map_in_map = { 3 },
aad2eeaf 7916 .errstr = "R1 pointer arithmetic on map_ptr prohibited",
fb30d4b7
MKL		 7917 .result = REJECT,
7918 },
7919 {
7920 "forgot null checking on the inner map pointer",
7921 .insns = {
7922 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7923 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7924 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7925 BPF_LD_MAP_FD(BPF_REG_1, 0),
7926 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7927 BPF_FUNC_map_lookup_elem),
7928 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7929 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7930 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7931 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7932 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7933 BPF_FUNC_map_lookup_elem),
0069fb85 7934 BPF_MOV64_IMM(BPF_REG_0, 0),
fb30d4b7
MKL		 7935 BPF_EXIT_INSN(),
7936 },
7937 .fixup_map_in_map = { 3 },
7938 .errstr = "R1 type=map_value_or_null expected=map_ptr",
7939 .result = REJECT,
614d0d77
DB		 7940 },
7941 {
7942 "ld_abs: check calling conv, r1",
7943 .insns = {
7944 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7945 BPF_MOV64_IMM(BPF_REG_1, 0),
7946 BPF_LD_ABS(BPF_W, -0x200000),
7947 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
7948 BPF_EXIT_INSN(),
7949 },
7950 .errstr = "R1 !read_ok",
7951 .result = REJECT,
7952 },
7953 {
7954 "ld_abs: check calling conv, r2",
7955 .insns = {
7956 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7957 BPF_MOV64_IMM(BPF_REG_2, 0),
7958 BPF_LD_ABS(BPF_W, -0x200000),
7959 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7960 BPF_EXIT_INSN(),
7961 },
7962 .errstr = "R2 !read_ok",
7963 .result = REJECT,
7964 },
7965 {
7966 "ld_abs: check calling conv, r3",
7967 .insns = {
7968 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7969 BPF_MOV64_IMM(BPF_REG_3, 0),
7970 BPF_LD_ABS(BPF_W, -0x200000),
7971 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7972 BPF_EXIT_INSN(),
7973 },
7974 .errstr = "R3 !read_ok",
7975 .result = REJECT,
7976 },
7977 {
7978 "ld_abs: check calling conv, r4",
7979 .insns = {
7980 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7981 BPF_MOV64_IMM(BPF_REG_4, 0),
7982 BPF_LD_ABS(BPF_W, -0x200000),
7983 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
7984 BPF_EXIT_INSN(),
7985 },
7986 .errstr = "R4 !read_ok",
7987 .result = REJECT,
7988 },
7989 {
7990 "ld_abs: check calling conv, r5",
7991 .insns = {
7992 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7993 BPF_MOV64_IMM(BPF_REG_5, 0),
7994 BPF_LD_ABS(BPF_W, -0x200000),
7995 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
7996 BPF_EXIT_INSN(),
7997 },
7998 .errstr = "R5 !read_ok",
7999 .result = REJECT,
8000 },
8001 {
8002 "ld_abs: check calling conv, r7",
8003 .insns = {
8004 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8005 BPF_MOV64_IMM(BPF_REG_7, 0),
8006 BPF_LD_ABS(BPF_W, -0x200000),
8007 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
8008 BPF_EXIT_INSN(),
8009 },
8010 .result = ACCEPT,
8011 },
87ab8194
DB		 8012 {
8013 "ld_abs: tests on r6 and skb data reload helper",
8014 .insns = {
8015 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8016 BPF_LD_ABS(BPF_B, 0),
8017 BPF_LD_ABS(BPF_H, 0),
8018 BPF_LD_ABS(BPF_W, 0),
8019 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
8020 BPF_MOV64_IMM(BPF_REG_6, 0),
8021 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
8022 BPF_MOV64_IMM(BPF_REG_2, 1),
8023 BPF_MOV64_IMM(BPF_REG_3, 2),
8024 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8025 BPF_FUNC_skb_vlan_push),
8026 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
8027 BPF_LD_ABS(BPF_B, 0),
8028 BPF_LD_ABS(BPF_H, 0),
8029 BPF_LD_ABS(BPF_W, 0),
8030 BPF_MOV64_IMM(BPF_REG_0, 42),
8031 BPF_EXIT_INSN(),
8032 },
8033 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8034 .result = ACCEPT,
111e6b45 8035 .retval = 42 /* ultimate return value */,
614d0d77
DB		 8036 },
8037 {
8038 "ld_ind: check calling conv, r1",
8039 .insns = {
8040 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8041 BPF_MOV64_IMM(BPF_REG_1, 1),
8042 BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000),
8043 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
8044 BPF_EXIT_INSN(),
8045 },
8046 .errstr = "R1 !read_ok",
8047 .result = REJECT,
8048 },
8049 {
8050 "ld_ind: check calling conv, r2",
8051 .insns = {
8052 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8053 BPF_MOV64_IMM(BPF_REG_2, 1),
8054 BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000),
8055 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8056 BPF_EXIT_INSN(),
8057 },
8058 .errstr = "R2 !read_ok",
8059 .result = REJECT,
8060 },
8061 {
8062 "ld_ind: check calling conv, r3",
8063 .insns = {
8064 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8065 BPF_MOV64_IMM(BPF_REG_3, 1),
8066 BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000),
8067 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8068 BPF_EXIT_INSN(),
8069 },
8070 .errstr = "R3 !read_ok",
8071 .result = REJECT,
8072 },
8073 {
8074 "ld_ind: check calling conv, r4",
8075 .insns = {
8076 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8077 BPF_MOV64_IMM(BPF_REG_4, 1),
8078 BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000),
8079 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
8080 BPF_EXIT_INSN(),
8081 },
8082 .errstr = "R4 !read_ok",
8083 .result = REJECT,
8084 },
8085 {
8086 "ld_ind: check calling conv, r5",
8087 .insns = {
8088 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8089 BPF_MOV64_IMM(BPF_REG_5, 1),
8090 BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000),
8091 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
8092 BPF_EXIT_INSN(),
8093 },
8094 .errstr = "R5 !read_ok",
8095 .result = REJECT,
8096 },
8097 {
8098 "ld_ind: check calling conv, r7",
8099 .insns = {
8100 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8101 BPF_MOV64_IMM(BPF_REG_7, 1),
8102 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
8103 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
8104 BPF_EXIT_INSN(),
8105 },
8106 .result = ACCEPT,
111e6b45 8107 .retval = 1,
614d0d77 8108 },
18f3d6be
YS		 8109 {
8110 "check bpf_perf_event_data->sample_period byte load permitted",
8111 .insns = {
8112 BPF_MOV64_IMM(BPF_REG_0, 0),
2c460621 8113#if __BYTE_ORDER == __LITTLE_ENDIAN
18f3d6be
YS		 8114 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
8115 offsetof(struct bpf_perf_event_data, sample_period)),
8116#else
8117 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
8118 offsetof(struct bpf_perf_event_data, sample_period) + 7),
8119#endif
8120 BPF_EXIT_INSN(),
8121 },
8122 .result = ACCEPT,
8123 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
8124 },
8125 {
8126 "check bpf_perf_event_data->sample_period half load permitted",
8127 .insns = {
8128 BPF_MOV64_IMM(BPF_REG_0, 0),
2c460621 8129#if __BYTE_ORDER == __LITTLE_ENDIAN
18f3d6be
YS		 8130 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
8131 offsetof(struct bpf_perf_event_data, sample_period)),
8132#else
8133 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
8134 offsetof(struct bpf_perf_event_data, sample_period) + 6),
8135#endif
8136 BPF_EXIT_INSN(),
8137 },
8138 .result = ACCEPT,
8139 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
8140 },
8141 {
8142 "check bpf_perf_event_data->sample_period word load permitted",
8143 .insns = {
8144 BPF_MOV64_IMM(BPF_REG_0, 0),
2c460621 8145#if __BYTE_ORDER == __LITTLE_ENDIAN
18f3d6be
YS		 8146 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8147 offsetof(struct bpf_perf_event_data, sample_period)),
8148#else
8149 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8150 offsetof(struct bpf_perf_event_data, sample_period) + 4),
8151#endif
8152 BPF_EXIT_INSN(),
8153 },
8154 .result = ACCEPT,
8155 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
8156 },
8157 {
8158 "check bpf_perf_event_data->sample_period dword load permitted",
8159 .insns = {
8160 BPF_MOV64_IMM(BPF_REG_0, 0),
8161 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
8162 offsetof(struct bpf_perf_event_data, sample_period)),
8163 BPF_EXIT_INSN(),
8164 },
8165 .result = ACCEPT,
8166 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
8167 },
8168 {
8169 "check skb->data half load not permitted",
8170 .insns = {
8171 BPF_MOV64_IMM(BPF_REG_0, 0),
2c460621 8172#if __BYTE_ORDER == __LITTLE_ENDIAN
18f3d6be
YS		 8173 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
8174 offsetof(struct __sk_buff, data)),
8175#else
8176 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
8177 offsetof(struct __sk_buff, data) + 2),
8178#endif
8179 BPF_EXIT_INSN(),
8180 },
8181 .result = REJECT,
8182 .errstr = "invalid bpf_context access",
8183 },
8184 {
8185 "check skb->tc_classid half load not permitted for lwt prog",
8186 .insns = {
8187 BPF_MOV64_IMM(BPF_REG_0, 0),
2c460621 8188#if __BYTE_ORDER == __LITTLE_ENDIAN
18f3d6be
YS		 8189 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
8190 offsetof(struct __sk_buff, tc_classid)),
8191#else
8192 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
8193 offsetof(struct __sk_buff, tc_classid) + 2),
8194#endif
8195 BPF_EXIT_INSN(),
8196 },
8197 .result = REJECT,
8198 .errstr = "invalid bpf_context access",
8199 .prog_type = BPF_PROG_TYPE_LWT_IN,
8200 },
b712296a
EC		 8201 {
8202 "bounds checks mixing signed and unsigned, positive bounds",
8203 .insns = {
8204 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8205 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8206 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8207 BPF_LD_MAP_FD(BPF_REG_1, 0),
8208 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8209 BPF_FUNC_map_lookup_elem),
8210 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
8211 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8212 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8213 BPF_MOV64_IMM(BPF_REG_2, 2),
8214 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3),
8215 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 4, 2),
8216 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8217 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8218 BPF_MOV64_IMM(BPF_REG_0, 0),
8219 BPF_EXIT_INSN(),
8220 },
908142e6 8221 .fixup_map_hash_8b = { 3 },
2255f8d5 8222 .errstr = "unbounded min value",
b712296a 8223 .result = REJECT,
b712296a
EC		 8224 },
8225 {
8226 "bounds checks mixing signed and unsigned",
8227 .insns = {
8228 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8229 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8230 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8231 BPF_LD_MAP_FD(BPF_REG_1, 0),
8232 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8233 BPF_FUNC_map_lookup_elem),
8234 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
8235 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8236 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8237 BPF_MOV64_IMM(BPF_REG_2, -1),
8238 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
8239 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8240 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8241 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8242 BPF_MOV64_IMM(BPF_REG_0, 0),
8243 BPF_EXIT_INSN(),
8244 },
908142e6 8245 .fixup_map_hash_8b = { 3 },
2255f8d5 8246 .errstr = "unbounded min value",
b712296a 8247 .result = REJECT,
b712296a 8248 },
86412502
DB		 8249 {
8250 "bounds checks mixing signed and unsigned, variant 2",
8251 .insns = {
8252 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8253 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8254 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8255 BPF_LD_MAP_FD(BPF_REG_1, 0),
8256 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8257 BPF_FUNC_map_lookup_elem),
8258 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8259 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8260 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8261 BPF_MOV64_IMM(BPF_REG_2, -1),
8262 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
8263 BPF_MOV64_IMM(BPF_REG_8, 0),
8264 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_1),
8265 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
8266 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
8267 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
8268 BPF_MOV64_IMM(BPF_REG_0, 0),
8269 BPF_EXIT_INSN(),
8270 },
908142e6 8271 .fixup_map_hash_8b = { 3 },
2255f8d5 8272 .errstr = "unbounded min value",
86412502 8273 .result = REJECT,
86412502
DB		 8274 },
8275 {
8276 "bounds checks mixing signed and unsigned, variant 3",
8277 .insns = {
8278 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8279 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8280 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8281 BPF_LD_MAP_FD(BPF_REG_1, 0),
8282 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8283 BPF_FUNC_map_lookup_elem),
8284 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
8285 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8286 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8287 BPF_MOV64_IMM(BPF_REG_2, -1),
8288 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4),
8289 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
8290 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
8291 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
8292 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
8293 BPF_MOV64_IMM(BPF_REG_0, 0),
8294 BPF_EXIT_INSN(),
8295 },
908142e6 8296 .fixup_map_hash_8b = { 3 },
2255f8d5 8297 .errstr = "unbounded min value",
86412502 8298 .result = REJECT,
86412502
DB		 8299 },
8300 {
8301 "bounds checks mixing signed and unsigned, variant 4",
8302 .insns = {
8303 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8304 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8305 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8306 BPF_LD_MAP_FD(BPF_REG_1, 0),
8307 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8308 BPF_FUNC_map_lookup_elem),
8309 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
8310 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8311 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8312 BPF_MOV64_IMM(BPF_REG_2, 1),
8313 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
8314 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8315 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8316 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8317 BPF_MOV64_IMM(BPF_REG_0, 0),
8318 BPF_EXIT_INSN(),
8319 },
908142e6 8320 .fixup_map_hash_8b = { 3 },
f65b1849 8321 .result = ACCEPT,
86412502
DB		 8322 },
8323 {
8324 "bounds checks mixing signed and unsigned, variant 5",
8325 .insns = {
8326 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8327 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8328 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8329 BPF_LD_MAP_FD(BPF_REG_1, 0),
8330 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8331 BPF_FUNC_map_lookup_elem),
8332 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8333 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8334 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8335 BPF_MOV64_IMM(BPF_REG_2, -1),
8336 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
8337 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 4),
8338 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4),
8339 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
8340 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8341 BPF_MOV64_IMM(BPF_REG_0, 0),
8342 BPF_EXIT_INSN(),
8343 },
908142e6 8344 .fixup_map_hash_8b = { 3 },
2255f8d5 8345 .errstr = "unbounded min value",
86412502 8346 .result = REJECT,
86412502
DB		 8347 },
8348 {
8349 "bounds checks mixing signed and unsigned, variant 6",
8350 .insns = {
8351 BPF_MOV64_IMM(BPF_REG_2, 0),
8352 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
8353 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512),
8354 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8355 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16),
8356 BPF_MOV64_IMM(BPF_REG_6, -1),
8357 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5),
8358 BPF_JMP_IMM(BPF_JSGT, BPF_REG_4, 1, 4),
8359 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
8360 BPF_MOV64_IMM(BPF_REG_5, 0),
8361 BPF_ST_MEM(BPF_H, BPF_REG_10, -512, 0),
8362 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8363 BPF_FUNC_skb_load_bytes),
8364 BPF_MOV64_IMM(BPF_REG_0, 0),
8365 BPF_EXIT_INSN(),
8366 },
86412502
DB		 8367 .errstr = "R4 min value is negative, either use unsigned",
8368 .result = REJECT,
86412502
DB		 8369 },
8370 {
8371 "bounds checks mixing signed and unsigned, variant 7",
8372 .insns = {
8373 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8374 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8375 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8376 BPF_LD_MAP_FD(BPF_REG_1, 0),
8377 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8378 BPF_FUNC_map_lookup_elem),
8379 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
8380 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8381 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8382 BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024),
8383 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
8384 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8385 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8386 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8387 BPF_MOV64_IMM(BPF_REG_0, 0),
8388 BPF_EXIT_INSN(),
8389 },
908142e6 8390 .fixup_map_hash_8b = { 3 },
f65b1849 8391 .result = ACCEPT,
86412502
DB		 8392 },
8393 {
8394 "bounds checks mixing signed and unsigned, variant 8",
86412502
DB		 8395 .insns = {
8396 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8397 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8398 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8399 BPF_LD_MAP_FD(BPF_REG_1, 0),
8400 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8401 BPF_FUNC_map_lookup_elem),
8402 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8403 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8404 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8405 BPF_MOV64_IMM(BPF_REG_2, -1),
8406 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
8407 BPF_MOV64_IMM(BPF_REG_0, 0),
8408 BPF_EXIT_INSN(),
8409 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8410 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8411 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8412 BPF_MOV64_IMM(BPF_REG_0, 0),
8413 BPF_EXIT_INSN(),
8414 },
908142e6 8415 .fixup_map_hash_8b = { 3 },
2255f8d5 8416 .errstr = "unbounded min value",
86412502 8417 .result = REJECT,
86412502
DB		 8418 },
8419 {
f65b1849 8420 "bounds checks mixing signed and unsigned, variant 9",
86412502
DB		 8421 .insns = {
8422 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8423 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8424 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8425 BPF_LD_MAP_FD(BPF_REG_1, 0),
8426 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8427 BPF_FUNC_map_lookup_elem),
8428 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
8429 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8430 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8431 BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL),
8432 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
8433 BPF_MOV64_IMM(BPF_REG_0, 0),
8434 BPF_EXIT_INSN(),
8435 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8436 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8437 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8438 BPF_MOV64_IMM(BPF_REG_0, 0),
8439 BPF_EXIT_INSN(),
8440 },
908142e6 8441 .fixup_map_hash_8b = { 3 },
f65b1849 8442 .result = ACCEPT,
86412502
DB		 8443 },
8444 {
f65b1849 8445 "bounds checks mixing signed and unsigned, variant 10",
86412502
DB		 8446 .insns = {
8447 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8448 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8449 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8450 BPF_LD_MAP_FD(BPF_REG_1, 0),
8451 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8452 BPF_FUNC_map_lookup_elem),
8453 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8454 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8455 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8456 BPF_MOV64_IMM(BPF_REG_2, 0),
8457 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
8458 BPF_MOV64_IMM(BPF_REG_0, 0),
8459 BPF_EXIT_INSN(),
8460 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8461 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8462 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8463 BPF_MOV64_IMM(BPF_REG_0, 0),
8464 BPF_EXIT_INSN(),
8465 },
908142e6 8466 .fixup_map_hash_8b = { 3 },
2255f8d5 8467 .errstr = "unbounded min value",
86412502 8468 .result = REJECT,
86412502
DB		 8469 },
8470 {
f65b1849 8471 "bounds checks mixing signed and unsigned, variant 11",
86412502
DB		 8472 .insns = {
8473 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8474 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8475 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8476 BPF_LD_MAP_FD(BPF_REG_1, 0),
8477 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8478 BPF_FUNC_map_lookup_elem),
8479 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8480 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8481 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8482 BPF_MOV64_IMM(BPF_REG_2, -1),
8483 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
8484 /* Dead branch. */
8485 BPF_MOV64_IMM(BPF_REG_0, 0),
8486 BPF_EXIT_INSN(),
8487 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8488 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8489 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8490 BPF_MOV64_IMM(BPF_REG_0, 0),
8491 BPF_EXIT_INSN(),
8492 },
908142e6 8493 .fixup_map_hash_8b = { 3 },
2255f8d5 8494 .errstr = "unbounded min value",
86412502 8495 .result = REJECT,
86412502
DB		 8496 },
8497 {
f65b1849 8498 "bounds checks mixing signed and unsigned, variant 12",
86412502
DB		 8499 .insns = {
8500 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8501 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8502 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8503 BPF_LD_MAP_FD(BPF_REG_1, 0),
8504 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8505 BPF_FUNC_map_lookup_elem),
8506 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8507 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8508 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8509 BPF_MOV64_IMM(BPF_REG_2, -6),
8510 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
8511 BPF_MOV64_IMM(BPF_REG_0, 0),
8512 BPF_EXIT_INSN(),
8513 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8514 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8515 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8516 BPF_MOV64_IMM(BPF_REG_0, 0),
8517 BPF_EXIT_INSN(),
8518 },
908142e6 8519 .fixup_map_hash_8b = { 3 },
2255f8d5 8520 .errstr = "unbounded min value",
86412502 8521 .result = REJECT,
86412502
DB		 8522 },
8523 {
f65b1849 8524 "bounds checks mixing signed and unsigned, variant 13",
86412502
DB		 8525 .insns = {
8526 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8527 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8528 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8529 BPF_LD_MAP_FD(BPF_REG_1, 0),
8530 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8531 BPF_FUNC_map_lookup_elem),
8532 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8533 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8534 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8535 BPF_MOV64_IMM(BPF_REG_2, 2),
8536 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
8537 BPF_MOV64_IMM(BPF_REG_7, 1),
8538 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 0, 2),
8539 BPF_MOV64_IMM(BPF_REG_0, 0),
8540 BPF_EXIT_INSN(),
8541 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_1),
8542 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 4, 2),
8543 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_7),
8544 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8545 BPF_MOV64_IMM(BPF_REG_0, 0),
8546 BPF_EXIT_INSN(),
8547 },
908142e6 8548 .fixup_map_hash_8b = { 3 },
2255f8d5 8549 .errstr = "unbounded min value",
86412502 8550 .result = REJECT,
86412502
DB		 8551 },
8552 {
f65b1849 8553 "bounds checks mixing signed and unsigned, variant 14",
86412502
DB		 8554 .insns = {
8555 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
8556 offsetof(struct __sk_buff, mark)),
8557 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8558 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8559 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8560 BPF_LD_MAP_FD(BPF_REG_1, 0),
8561 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8562 BPF_FUNC_map_lookup_elem),
8563 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
8564 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8565 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8566 BPF_MOV64_IMM(BPF_REG_2, -1),
8567 BPF_MOV64_IMM(BPF_REG_8, 2),
8568 BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 42, 6),
8569 BPF_JMP_REG(BPF_JSGT, BPF_REG_8, BPF_REG_1, 3),
8570 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8571 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8572 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8573 BPF_MOV64_IMM(BPF_REG_0, 0),
8574 BPF_EXIT_INSN(),
8575 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3),
8576 BPF_JMP_IMM(BPF_JA, 0, 0, -7),
8577 },
908142e6 8578 .fixup_map_hash_8b = { 4 },
6f16101e 8579 .errstr = "R0 invalid mem access 'inv'",
86412502 8580 .result = REJECT,
86412502
DB		 8581 },
8582 {
f65b1849 8583 "bounds checks mixing signed and unsigned, variant 15",
86412502
DB		 8584 .insns = {
8585 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8586 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8587 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8588 BPF_LD_MAP_FD(BPF_REG_1, 0),
8589 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8590 BPF_FUNC_map_lookup_elem),
8591 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8592 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8593 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8594 BPF_MOV64_IMM(BPF_REG_2, -6),
8595 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
8596 BPF_MOV64_IMM(BPF_REG_0, 0),
8597 BPF_EXIT_INSN(),
8598 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8599 BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 1, 2),
8600 BPF_MOV64_IMM(BPF_REG_0, 0),
8601 BPF_EXIT_INSN(),
8602 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8603 BPF_MOV64_IMM(BPF_REG_0, 0),
8604 BPF_EXIT_INSN(),
8605 },
908142e6 8606 .fixup_map_hash_8b = { 3 },
2255f8d5 8607 .errstr = "unbounded min value",
86412502
DB		 8608 .result = REJECT,
8609 .result_unpriv = REJECT,
8610 },
545722cb 8611 {
f65b1849 8612 "subtraction bounds (map value) variant 1",
545722cb
EC		 8613 .insns = {
8614 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8615 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8616 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8617 BPF_LD_MAP_FD(BPF_REG_1, 0),
8618 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8619 BPF_FUNC_map_lookup_elem),
8620 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8621 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8622 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7),
8623 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
8624 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5),
8625 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
8626 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56),
8627 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8628 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8629 BPF_EXIT_INSN(),
8630 BPF_MOV64_IMM(BPF_REG_0, 0),
8631 BPF_EXIT_INSN(),
8632 },
908142e6 8633 .fixup_map_hash_8b = { 3 },
f65b1849
EC		 8634 .errstr = "R0 max value is outside of the array range",
8635 .result = REJECT,
8636 },
8637 {
8638 "subtraction bounds (map value) variant 2",
8639 .insns = {
8640 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8641 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8642 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8643 BPF_LD_MAP_FD(BPF_REG_1, 0),
8644 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8645 BPF_FUNC_map_lookup_elem),
8646 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
8647 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8648 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6),
8649 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
8650 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4),
8651 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
8652 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8653 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8654 BPF_EXIT_INSN(),
8655 BPF_MOV64_IMM(BPF_REG_0, 0),
8656 BPF_EXIT_INSN(),
8657 },
908142e6 8658 .fixup_map_hash_8b = { 3 },
545722cb
EC		 8659 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
8660 .result = REJECT,
545722cb 8661 },
2255f8d5
JH		 8662 {
8663 "bounds check based on zero-extended MOV",
8664 .insns = {
8665 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8666 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8667 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8668 BPF_LD_MAP_FD(BPF_REG_1, 0),
8669 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8670 BPF_FUNC_map_lookup_elem),
8671 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8672 /* r2 = 0x0000'0000'ffff'ffff */
8673 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff),
8674 /* r2 = 0 */
8675 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
8676 /* no-op */
8677 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
8678 /* access at offset 0 */
8679 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8680 /* exit */
8681 BPF_MOV64_IMM(BPF_REG_0, 0),
8682 BPF_EXIT_INSN(),
8683 },
908142e6 8684 .fixup_map_hash_8b = { 3 },
2255f8d5
JH		 8685 .result = ACCEPT
8686 },
8687 {
8688 "bounds check based on sign-extended MOV. test1",
8689 .insns = {
8690 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8691 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8692 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8693 BPF_LD_MAP_FD(BPF_REG_1, 0),
8694 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8695 BPF_FUNC_map_lookup_elem),
8696 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8697 /* r2 = 0xffff'ffff'ffff'ffff */
8698 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
8699 /* r2 = 0xffff'ffff */
8700 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
8701 /* r0 = <oob pointer> */
8702 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
8703 /* access to OOB pointer */
8704 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8705 /* exit */
8706 BPF_MOV64_IMM(BPF_REG_0, 0),
8707 BPF_EXIT_INSN(),
8708 },
908142e6 8709 .fixup_map_hash_8b = { 3 },
2255f8d5
JH		 8710 .errstr = "map_value pointer and 4294967295",
8711 .result = REJECT
8712 },
8713 {
8714 "bounds check based on sign-extended MOV. test2",
8715 .insns = {
8716 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8717 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8718 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8719 BPF_LD_MAP_FD(BPF_REG_1, 0),
8720 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8721 BPF_FUNC_map_lookup_elem),
8722 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8723 /* r2 = 0xffff'ffff'ffff'ffff */
8724 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
8725 /* r2 = 0xfff'ffff */
8726 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 36),
8727 /* r0 = <oob pointer> */
8728 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
8729 /* access to OOB pointer */
8730 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8731 /* exit */
8732 BPF_MOV64_IMM(BPF_REG_0, 0),
8733 BPF_EXIT_INSN(),
8734 },
908142e6 8735 .fixup_map_hash_8b = { 3 },
2255f8d5
JH		 8736 .errstr = "R0 min value is outside of the array range",
8737 .result = REJECT
8738 },
8739 {
8740 "bounds check based on reg_off + var_off + insn_off. test1",
8741 .insns = {
8742 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
8743 offsetof(struct __sk_buff, mark)),
8744 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8745 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8746 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8747 BPF_LD_MAP_FD(BPF_REG_1, 0),
8748 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8749 BPF_FUNC_map_lookup_elem),
8750 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8751 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
8752 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 29) - 1),
8753 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
8754 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
8755 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
8756 BPF_MOV64_IMM(BPF_REG_0, 0),
8757 BPF_EXIT_INSN(),
8758 },
908142e6 8759 .fixup_map_hash_8b = { 4 },
2255f8d5
JH		 8760 .errstr = "value_size=8 off=1073741825",
8761 .result = REJECT,
8762 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8763 },
8764 {
8765 "bounds check based on reg_off + var_off + insn_off. test2",
8766 .insns = {
8767 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
8768 offsetof(struct __sk_buff, mark)),
8769 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8770 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8771 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8772 BPF_LD_MAP_FD(BPF_REG_1, 0),
8773 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8774 BPF_FUNC_map_lookup_elem),
8775 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8776 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
8777 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 30) - 1),
8778 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
8779 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
8780 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
8781 BPF_MOV64_IMM(BPF_REG_0, 0),
8782 BPF_EXIT_INSN(),
8783 },
908142e6 8784 .fixup_map_hash_8b = { 4 },
2255f8d5
JH		 8785 .errstr = "value 1073741823",
8786 .result = REJECT,
8787 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8788 },
8789 {
8790 "bounds check after truncation of non-boundary-crossing range",
8791 .insns = {
8792 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8793 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8794 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8795 BPF_LD_MAP_FD(BPF_REG_1, 0),
8796 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8797 BPF_FUNC_map_lookup_elem),
8798 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8799 /* r1 = [0x00, 0xff] */
8800 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8801 BPF_MOV64_IMM(BPF_REG_2, 1),
8802 /* r2 = 0x10'0000'0000 */
8803 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 36),
8804 /* r1 = [0x10'0000'0000, 0x10'0000'00ff] */
8805 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
8806 /* r1 = [0x10'7fff'ffff, 0x10'8000'00fe] */
8807 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8808 /* r1 = [0x00, 0xff] */
8809 BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 0x7fffffff),
8810 /* r1 = 0 */
8811 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8812 /* no-op */
8813 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8814 /* access at offset 0 */
8815 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8816 /* exit */
8817 BPF_MOV64_IMM(BPF_REG_0, 0),
8818 BPF_EXIT_INSN(),
8819 },
908142e6 8820 .fixup_map_hash_8b = { 3 },
2255f8d5
JH		 8821 .result = ACCEPT
8822 },
8823 {
8824 "bounds check after truncation of boundary-crossing range (1)",
8825 .insns = {
8826 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8827 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8828 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8829 BPF_LD_MAP_FD(BPF_REG_1, 0),
8830 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8831 BPF_FUNC_map_lookup_elem),
8832 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8833 /* r1 = [0x00, 0xff] */
8834 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8835 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8836 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
8837 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8838 /* r1 = [0xffff'ff80, 0xffff'ffff] or
8839 * [0x0000'0000, 0x0000'007f]
8840 */
8841 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 0),
8842 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8843 /* r1 = [0x00, 0xff] or
8844 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
8845 */
8846 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8847 /* r1 = 0 or
8848 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
8849 */
8850 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8851 /* no-op or OOB pointer computation */
8852 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8853 /* potentially OOB access */
8854 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8855 /* exit */
8856 BPF_MOV64_IMM(BPF_REG_0, 0),
8857 BPF_EXIT_INSN(),
8858 },
908142e6 8859 .fixup_map_hash_8b = { 3 },
2255f8d5
JH		 8860 /* not actually fully unbounded, but the bound is very high */
8861 .errstr = "R0 unbounded memory access",
8862 .result = REJECT
8863 },
8864 {
8865 "bounds check after truncation of boundary-crossing range (2)",
8866 .insns = {
8867 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8868 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8869 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8870 BPF_LD_MAP_FD(BPF_REG_1, 0),
8871 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8872 BPF_FUNC_map_lookup_elem),
8873 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8874 /* r1 = [0x00, 0xff] */
8875 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8876 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8877 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
8878 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8879 /* r1 = [0xffff'ff80, 0xffff'ffff] or
8880 * [0x0000'0000, 0x0000'007f]
8881 * difference to previous test: truncation via MOV32
8882 * instead of ALU32.
8883 */
8884 BPF_MOV32_REG(BPF_REG_1, BPF_REG_1),
8885 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8886 /* r1 = [0x00, 0xff] or
8887 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
8888 */
8889 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8890 /* r1 = 0 or
8891 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
8892 */
8893 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8894 /* no-op or OOB pointer computation */
8895 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8896 /* potentially OOB access */
8897 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8898 /* exit */
8899 BPF_MOV64_IMM(BPF_REG_0, 0),
8900 BPF_EXIT_INSN(),
8901 },
908142e6 8902 .fixup_map_hash_8b = { 3 },
2255f8d5
JH		 8903 /* not actually fully unbounded, but the bound is very high */
8904 .errstr = "R0 unbounded memory access",
8905 .result = REJECT
8906 },
8907 {
8908 "bounds check after wrapping 32-bit addition",
8909 .insns = {
8910 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8911 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8912 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8913 BPF_LD_MAP_FD(BPF_REG_1, 0),
8914 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8915 BPF_FUNC_map_lookup_elem),
8916 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
8917 /* r1 = 0x7fff'ffff */
8918 BPF_MOV64_IMM(BPF_REG_1, 0x7fffffff),
8919 /* r1 = 0xffff'fffe */
8920 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8921 /* r1 = 0 */
8922 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 2),
8923 /* no-op */
8924 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8925 /* access at offset 0 */
8926 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8927 /* exit */
8928 BPF_MOV64_IMM(BPF_REG_0, 0),
8929 BPF_EXIT_INSN(),
8930 },
908142e6 8931 .fixup_map_hash_8b = { 3 },
2255f8d5
JH		 8932 .result = ACCEPT
8933 },
8934 {
8935 "bounds check after shift with oversized count operand",
8936 .insns = {
8937 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8938 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8939 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8940 BPF_LD_MAP_FD(BPF_REG_1, 0),
8941 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8942 BPF_FUNC_map_lookup_elem),
8943 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8944 BPF_MOV64_IMM(BPF_REG_2, 32),
8945 BPF_MOV64_IMM(BPF_REG_1, 1),
8946 /* r1 = (u32)1 << (u32)32 = ? */
8947 BPF_ALU32_REG(BPF_LSH, BPF_REG_1, BPF_REG_2),
8948 /* r1 = [0x0000, 0xffff] */
8949 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xffff),
8950 /* computes unknown pointer, potentially OOB */
8951 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8952 /* potentially OOB access */
8953 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8954 /* exit */
8955 BPF_MOV64_IMM(BPF_REG_0, 0),
8956 BPF_EXIT_INSN(),
8957 },
908142e6 8958 .fixup_map_hash_8b = { 3 },
2255f8d5
JH		 8959 .errstr = "R0 max value is outside of the array range",
8960 .result = REJECT
8961 },
8962 {
8963 "bounds check after right shift of maybe-negative number",
8964 .insns = {
8965 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8966 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8967 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8968 BPF_LD_MAP_FD(BPF_REG_1, 0),
8969 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8970 BPF_FUNC_map_lookup_elem),
8971 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8972 /* r1 = [0x00, 0xff] */
8973 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8974 /* r1 = [-0x01, 0xfe] */
8975 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1),
8976 /* r1 = 0 or 0xff'ffff'ffff'ffff */
8977 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8978 /* r1 = 0 or 0xffff'ffff'ffff */
8979 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8980 /* computes unknown pointer, potentially OOB */
8981 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8982 /* potentially OOB access */
8983 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8984 /* exit */
8985 BPF_MOV64_IMM(BPF_REG_0, 0),
8986 BPF_EXIT_INSN(),
8987 },
908142e6 8988 .fixup_map_hash_8b = { 3 },
2255f8d5
JH		 8989 .errstr = "R0 unbounded memory access",
8990 .result = REJECT
8991 },
8992 {
8993 "bounds check map access with off+size signed 32bit overflow. test1",
8994 .insns = {
8995 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8996 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8997 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8998 BPF_LD_MAP_FD(BPF_REG_1, 0),
8999 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9000 BPF_FUNC_map_lookup_elem),
9001 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9002 BPF_EXIT_INSN(),
9003 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7ffffffe),
9004 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
9005 BPF_JMP_A(0),
9006 BPF_EXIT_INSN(),
9007 },
908142e6 9008 .fixup_map_hash_8b = { 3 },
2255f8d5
JH		 9009 .errstr = "map_value pointer and 2147483646",
9010 .result = REJECT
9011 },
9012 {
9013 "bounds check map access with off+size signed 32bit overflow. test2",
9014 .insns = {
9015 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9016 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9017 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9018 BPF_LD_MAP_FD(BPF_REG_1, 0),
9019 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9020 BPF_FUNC_map_lookup_elem),
9021 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9022 BPF_EXIT_INSN(),
9023 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
9024 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
9025 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
9026 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
9027 BPF_JMP_A(0),
9028 BPF_EXIT_INSN(),
9029 },
908142e6 9030 .fixup_map_hash_8b = { 3 },
2255f8d5
JH		 9031 .errstr = "pointer offset 1073741822",
9032 .result = REJECT
9033 },
9034 {
9035 "bounds check map access with off+size signed 32bit overflow. test3",
9036 .insns = {
9037 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9038 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9039 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9040 BPF_LD_MAP_FD(BPF_REG_1, 0),
9041 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9042 BPF_FUNC_map_lookup_elem),
9043 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9044 BPF_EXIT_INSN(),
9045 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
9046 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
9047 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
9048 BPF_JMP_A(0),
9049 BPF_EXIT_INSN(),
9050 },
908142e6 9051 .fixup_map_hash_8b = { 3 },
2255f8d5
JH		 9052 .errstr = "pointer offset -1073741822",
9053 .result = REJECT
9054 },
9055 {
9056 "bounds check map access with off+size signed 32bit overflow. test4",
9057 .insns = {
9058 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9059 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9060 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9061 BPF_LD_MAP_FD(BPF_REG_1, 0),
9062 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9063 BPF_FUNC_map_lookup_elem),
9064 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9065 BPF_EXIT_INSN(),
9066 BPF_MOV64_IMM(BPF_REG_1, 1000000),
9067 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 1000000),
9068 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9069 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
9070 BPF_JMP_A(0),
9071 BPF_EXIT_INSN(),
9072 },
908142e6 9073 .fixup_map_hash_8b = { 3 },
2255f8d5
JH		 9074 .errstr = "map_value pointer and 1000000000000",
9075 .result = REJECT
9076 },
9077 {
9078 "pointer/scalar confusion in state equality check (way 1)",
9079 .insns = {
9080 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9081 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9082 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9083 BPF_LD_MAP_FD(BPF_REG_1, 0),
9084 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9085 BPF_FUNC_map_lookup_elem),
9086 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
9087 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
9088 BPF_JMP_A(1),
9089 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
9090 BPF_JMP_A(0),
9091 BPF_EXIT_INSN(),
9092 },
908142e6 9093 .fixup_map_hash_8b = { 3 },
2255f8d5 9094 .result = ACCEPT,
111e6b45 9095 .retval = POINTER_VALUE,
2255f8d5
JH		 9096 .result_unpriv = REJECT,
9097 .errstr_unpriv = "R0 leaks addr as return value"
9098 },
9099 {
9100 "pointer/scalar confusion in state equality check (way 2)",
9101 .insns = {
9102 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9103 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9104 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9105 BPF_LD_MAP_FD(BPF_REG_1, 0),
9106 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9107 BPF_FUNC_map_lookup_elem),
9108 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
9109 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
9110 BPF_JMP_A(1),
9111 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
9112 BPF_EXIT_INSN(),
9113 },
908142e6 9114 .fixup_map_hash_8b = { 3 },
2255f8d5 9115 .result = ACCEPT,
111e6b45 9116 .retval = POINTER_VALUE,
2255f8d5
JH		 9117 .result_unpriv = REJECT,
9118 .errstr_unpriv = "R0 leaks addr as return value"
9119 },
69c4e8ad
EC		 9120 {
9121 "variable-offset ctx access",
9122 .insns = {
9123 /* Get an unknown value */
9124 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
9125 /* Make it small and 4-byte aligned */
9126 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
9127 /* add it to skb. We now have either &skb->len or
9128 * &skb->pkt_type, but we don't know which
9129 */
9130 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
9131 /* dereference it */
9132 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9133 BPF_EXIT_INSN(),
9134 },
9135 .errstr = "variable ctx access var_off=(0x0; 0x4)",
9136 .result = REJECT,
9137 .prog_type = BPF_PROG_TYPE_LWT_IN,
9138 },
9139 {
9140 "variable-offset stack access",
9141 .insns = {
9142 /* Fill the top 8 bytes of the stack */
9143 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9144 /* Get an unknown value */
9145 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
9146 /* Make it small and 4-byte aligned */
9147 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
9148 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
9149 /* add it to fp. We now have either fp-4 or fp-8, but
9150 * we don't know which
9151 */
9152 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
9153 /* dereference it */
9154 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0),
9155 BPF_EXIT_INSN(),
9156 },
9157 .errstr = "variable stack access var_off=(0xfffffffffffffff8; 0x4)",
9158 .result = REJECT,
9159 .prog_type = BPF_PROG_TYPE_LWT_IN,
9160 },
2255f8d5
JH		 9161 {
9162 "indirect variable-offset stack access",
9163 .insns = {
9164 /* Fill the top 8 bytes of the stack */
9165 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9166 /* Get an unknown value */
9167 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
9168 /* Make it small and 4-byte aligned */
9169 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
9170 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
9171 /* add it to fp. We now have either fp-4 or fp-8, but
9172 * we don't know which
9173 */
9174 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
9175 /* dereference it indirectly */
9176 BPF_LD_MAP_FD(BPF_REG_1, 0),
9177 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9178 BPF_FUNC_map_lookup_elem),
9179 BPF_MOV64_IMM(BPF_REG_0, 0),
9180 BPF_EXIT_INSN(),
9181 },
908142e6 9182 .fixup_map_hash_8b = { 5 },
2255f8d5
JH		 9183 .errstr = "variable stack read R2",
9184 .result = REJECT,
9185 .prog_type = BPF_PROG_TYPE_LWT_IN,
9186 },
9187 {
9188 "direct stack access with 32-bit wraparound. test1",
9189 .insns = {
9190 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
9191 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
9192 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
9193 BPF_MOV32_IMM(BPF_REG_0, 0),
9194 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
9195 BPF_EXIT_INSN()
9196 },
9197 .errstr = "fp pointer and 2147483647",
9198 .result = REJECT
9199 },
9200 {
9201 "direct stack access with 32-bit wraparound. test2",
9202 .insns = {
9203 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
9204 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
9205 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
9206 BPF_MOV32_IMM(BPF_REG_0, 0),
9207 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
9208 BPF_EXIT_INSN()
9209 },
9210 .errstr = "fp pointer and 1073741823",
9211 .result = REJECT
9212 },
9213 {
9214 "direct stack access with 32-bit wraparound. test3",
9215 .insns = {
9216 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
9217 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
9218 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
9219 BPF_MOV32_IMM(BPF_REG_0, 0),
9220 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
9221 BPF_EXIT_INSN()
9222 },
9223 .errstr = "fp pointer offset 1073741822",
9224 .result = REJECT
9225 },
d893dc26
EC		 9226 {
9227 "liveness pruning and write screening",
9228 .insns = {
9229 /* Get an unknown value */
9230 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
9231 /* branch conditions teach us nothing about R2 */
9232 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
9233 BPF_MOV64_IMM(BPF_REG_0, 0),
9234 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
9235 BPF_MOV64_IMM(BPF_REG_0, 0),
9236 BPF_EXIT_INSN(),
9237 },
9238 .errstr = "R0 !read_ok",
9239 .result = REJECT,
9240 .prog_type = BPF_PROG_TYPE_LWT_IN,
9241 },
df20cb7e
AS		 9242 {
9243 "varlen_map_value_access pruning",
9244 .insns = {
9245 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9246 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9247 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9248 BPF_LD_MAP_FD(BPF_REG_1, 0),
9249 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9250 BPF_FUNC_map_lookup_elem),
9251 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
9252 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
9253 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
9254 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
9255 BPF_MOV32_IMM(BPF_REG_1, 0),
9256 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
9257 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9258 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
9259 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
9260 offsetof(struct test_val, foo)),
9261 BPF_EXIT_INSN(),
9262 },
908142e6 9263 .fixup_map_hash_48b = { 3 },
df20cb7e
AS		 9264 .errstr_unpriv = "R0 leaks addr",
9265 .errstr = "R0 unbounded memory access",
9266 .result_unpriv = REJECT,
9267 .result = REJECT,
9268 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9269 },
e67b8a68
EC		 9270 {
9271 "invalid 64-bit BPF_END",
9272 .insns = {
9273 BPF_MOV32_IMM(BPF_REG_0, 0),
9274 {
9275 .code = BPF_ALU64 | BPF_END | BPF_TO_LE,
9276 .dst_reg = BPF_REG_0,
9277 .src_reg = 0,
9278 .off = 0,
9279 .imm = 32,
9280 },
9281 BPF_EXIT_INSN(),
9282 },
21ccaf21 9283 .errstr = "unknown opcode d7",
e67b8a68
EC		 9284 .result = REJECT,
9285 },
65073a67
DB		 9286 {
9287 "XDP, using ifindex from netdev",
9288 .insns = {
9289 BPF_MOV64_IMM(BPF_REG_0, 0),
9290 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9291 offsetof(struct xdp_md, ingress_ifindex)),
9292 BPF_JMP_IMM(BPF_JLT, BPF_REG_2, 1, 1),
9293 BPF_MOV64_IMM(BPF_REG_0, 1),
9294 BPF_EXIT_INSN(),
9295 },
9296 .result = ACCEPT,
9297 .prog_type = BPF_PROG_TYPE_XDP,
9298 .retval = 1,
9299 },
22c88526
DB		 9300 {
9301 "meta access, test1",
9302 .insns = {
9303 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9304 offsetof(struct xdp_md, data_meta)),
9305 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9306 offsetof(struct xdp_md, data)),
9307 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
9308 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
9309 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
9310 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9311 BPF_MOV64_IMM(BPF_REG_0, 0),
9312 BPF_EXIT_INSN(),
9313 },
9314 .result = ACCEPT,
9315 .prog_type = BPF_PROG_TYPE_XDP,
9316 },
9317 {
9318 "meta access, test2",
9319 .insns = {
9320 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9321 offsetof(struct xdp_md, data_meta)),
9322 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9323 offsetof(struct xdp_md, data)),
9324 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
9325 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 8),
9326 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
9327 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
9328 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
9329 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9330 BPF_MOV64_IMM(BPF_REG_0, 0),
9331 BPF_EXIT_INSN(),
9332 },
9333 .result = REJECT,
9334 .errstr = "invalid access to packet, off=-8",
9335 .prog_type = BPF_PROG_TYPE_XDP,
9336 },
9337 {
9338 "meta access, test3",
9339 .insns = {
9340 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9341 offsetof(struct xdp_md, data_meta)),
9342 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9343 offsetof(struct xdp_md, data_end)),
9344 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
9345 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
9346 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
9347 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9348 BPF_MOV64_IMM(BPF_REG_0, 0),
9349 BPF_EXIT_INSN(),
9350 },
9351 .result = REJECT,
9352 .errstr = "invalid access to packet",
9353 .prog_type = BPF_PROG_TYPE_XDP,
9354 },
9355 {
9356 "meta access, test4",
9357 .insns = {
9358 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9359 offsetof(struct xdp_md, data_meta)),
9360 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9361 offsetof(struct xdp_md, data_end)),
9362 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
9363 offsetof(struct xdp_md, data)),
9364 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
9365 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
9366 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
9367 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9368 BPF_MOV64_IMM(BPF_REG_0, 0),
9369 BPF_EXIT_INSN(),
9370 },
9371 .result = REJECT,
9372 .errstr = "invalid access to packet",
9373 .prog_type = BPF_PROG_TYPE_XDP,
9374 },
9375 {
9376 "meta access, test5",
9377 .insns = {
9378 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9379 offsetof(struct xdp_md, data_meta)),
9380 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
9381 offsetof(struct xdp_md, data)),
9382 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
9383 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
9384 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_4, 3),
9385 BPF_MOV64_IMM(BPF_REG_2, -8),
9386 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9387 BPF_FUNC_xdp_adjust_meta),
9388 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
9389 BPF_MOV64_IMM(BPF_REG_0, 0),
9390 BPF_EXIT_INSN(),
9391 },
9392 .result = REJECT,
9393 .errstr = "R3 !read_ok",
9394 .prog_type = BPF_PROG_TYPE_XDP,
9395 },
9396 {
9397 "meta access, test6",
9398 .insns = {
9399 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9400 offsetof(struct xdp_md, data_meta)),
9401 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9402 offsetof(struct xdp_md, data)),
9403 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
9404 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
9405 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
9406 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
9407 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 1),
9408 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9409 BPF_MOV64_IMM(BPF_REG_0, 0),
9410 BPF_EXIT_INSN(),
9411 },
9412 .result = REJECT,
9413 .errstr = "invalid access to packet",
9414 .prog_type = BPF_PROG_TYPE_XDP,
9415 },
9416 {
9417 "meta access, test7",
9418 .insns = {
9419 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9420 offsetof(struct xdp_md, data_meta)),
9421 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9422 offsetof(struct xdp_md, data)),
9423 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
9424 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
9425 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
9426 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
9427 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
9428 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9429 BPF_MOV64_IMM(BPF_REG_0, 0),
9430 BPF_EXIT_INSN(),
9431 },
9432 .result = ACCEPT,
9433 .prog_type = BPF_PROG_TYPE_XDP,
9434 },
9435 {
9436 "meta access, test8",
9437 .insns = {
9438 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9439 offsetof(struct xdp_md, data_meta)),
9440 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9441 offsetof(struct xdp_md, data)),
9442 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
9443 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
9444 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
9445 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9446 BPF_MOV64_IMM(BPF_REG_0, 0),
9447 BPF_EXIT_INSN(),
9448 },
9449 .result = ACCEPT,
9450 .prog_type = BPF_PROG_TYPE_XDP,
9451 },
9452 {
9453 "meta access, test9",
9454 .insns = {
9455 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9456 offsetof(struct xdp_md, data_meta)),
9457 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9458 offsetof(struct xdp_md, data)),
9459 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
9460 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
9461 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
9462 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
9463 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9464 BPF_MOV64_IMM(BPF_REG_0, 0),
9465 BPF_EXIT_INSN(),
9466 },
9467 .result = REJECT,
9468 .errstr = "invalid access to packet",
9469 .prog_type = BPF_PROG_TYPE_XDP,
9470 },
9471 {
9472 "meta access, test10",
9473 .insns = {
9474 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9475 offsetof(struct xdp_md, data_meta)),
9476 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9477 offsetof(struct xdp_md, data)),
9478 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
9479 offsetof(struct xdp_md, data_end)),
9480 BPF_MOV64_IMM(BPF_REG_5, 42),
9481 BPF_MOV64_IMM(BPF_REG_6, 24),
9482 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
9483 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
9484 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
9485 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
9486 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_5),
9487 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
9488 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
9489 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
9490 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_5, 1),
9491 BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
9492 BPF_MOV64_IMM(BPF_REG_0, 0),
9493 BPF_EXIT_INSN(),
9494 },
9495 .result = REJECT,
9496 .errstr = "invalid access to packet",
9497 .prog_type = BPF_PROG_TYPE_XDP,
9498 },
9499 {
9500 "meta access, test11",
9501 .insns = {
9502 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9503 offsetof(struct xdp_md, data_meta)),
9504 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9505 offsetof(struct xdp_md, data)),
9506 BPF_MOV64_IMM(BPF_REG_5, 42),
9507 BPF_MOV64_IMM(BPF_REG_6, 24),
9508 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
9509 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
9510 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
9511 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
9512 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_5),
9513 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
9514 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
9515 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
9516 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_3, 1),
9517 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_5, 0),
9518 BPF_MOV64_IMM(BPF_REG_0, 0),
9519 BPF_EXIT_INSN(),
9520 },
9521 .result = ACCEPT,
9522 .prog_type = BPF_PROG_TYPE_XDP,
9523 },
9524 {
9525 "meta access, test12",
9526 .insns = {
9527 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9528 offsetof(struct xdp_md, data_meta)),
9529 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9530 offsetof(struct xdp_md, data)),
9531 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
9532 offsetof(struct xdp_md, data_end)),
9533 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
9534 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
9535 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 5),
9536 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
9537 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
9538 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
9539 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 1),
9540 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9541 BPF_MOV64_IMM(BPF_REG_0, 0),
9542 BPF_EXIT_INSN(),
9543 },
9544 .result = ACCEPT,
9545 .prog_type = BPF_PROG_TYPE_XDP,
9546 },
28e33f9d
JK		 9547 {
9548 "arithmetic ops make PTR_TO_CTX unusable",
9549 .insns = {
9550 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
9551 offsetof(struct __sk_buff, data) -
9552 offsetof(struct __sk_buff, mark)),
9553 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9554 offsetof(struct __sk_buff, mark)),
9555 BPF_EXIT_INSN(),
9556 },
58990d1f 9557 .errstr = "dereference of modified ctx ptr",
28e33f9d
JK		 9558 .result = REJECT,
9559 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9560 },
82abbf8d
AS		 9561 {
9562 "pkt_end - pkt_start is allowed",
9563 .insns = {
9564 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9565 offsetof(struct __sk_buff, data_end)),
9566 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9567 offsetof(struct __sk_buff, data)),
9568 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
9569 BPF_EXIT_INSN(),
9570 },
9571 .result = ACCEPT,
111e6b45 9572 .retval = TEST_DATA_LEN,
82abbf8d
AS		 9573 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9574 },
b37242c7
DB		 9575 {
9576 "XDP pkt read, pkt_end mangling, bad access 1",
9577 .insns = {
9578 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9579 offsetof(struct xdp_md, data)),
9580 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9581 offsetof(struct xdp_md, data_end)),
9582 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9583 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9584 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8),
9585 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9586 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9587 BPF_MOV64_IMM(BPF_REG_0, 0),
9588 BPF_EXIT_INSN(),
9589 },
aad2eeaf 9590 .errstr = "R3 pointer arithmetic on pkt_end",
b37242c7
DB		 9591 .result = REJECT,
9592 .prog_type = BPF_PROG_TYPE_XDP,
9593 },
9594 {
9595 "XDP pkt read, pkt_end mangling, bad access 2",
9596 .insns = {
9597 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9598 offsetof(struct xdp_md, data)),
9599 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9600 offsetof(struct xdp_md, data_end)),
9601 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9602 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9603 BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8),
9604 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9605 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9606 BPF_MOV64_IMM(BPF_REG_0, 0),
9607 BPF_EXIT_INSN(),
9608 },
aad2eeaf 9609 .errstr = "R3 pointer arithmetic on pkt_end",
b37242c7
DB		 9610 .result = REJECT,
9611 .prog_type = BPF_PROG_TYPE_XDP,
9612 },
9613 {
9614 "XDP pkt read, pkt_data' > pkt_end, good access",
9615 .insns = {
9616 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9617 offsetof(struct xdp_md, data)),
9618 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9619 offsetof(struct xdp_md, data_end)),
9620 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9621 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9622 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9623 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9624 BPF_MOV64_IMM(BPF_REG_0, 0),
9625 BPF_EXIT_INSN(),
9626 },
9627 .result = ACCEPT,
9628 .prog_type = BPF_PROG_TYPE_XDP,
9629 },
9630 {
9631 "XDP pkt read, pkt_data' > pkt_end, bad access 1",
9632 .insns = {
9633 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9634 offsetof(struct xdp_md, data)),
9635 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9636 offsetof(struct xdp_md, data_end)),
9637 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9638 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9639 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9640 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9641 BPF_MOV64_IMM(BPF_REG_0, 0),
9642 BPF_EXIT_INSN(),
9643 },
9644 .errstr = "R1 offset is outside of the packet",
9645 .result = REJECT,
9646 .prog_type = BPF_PROG_TYPE_XDP,
9647 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9648 },
9649 {
9650 "XDP pkt read, pkt_data' > pkt_end, bad access 2",
9651 .insns = {
9652 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9653 offsetof(struct xdp_md, data)),
9654 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9655 offsetof(struct xdp_md, data_end)),
9656 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9657 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9658 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
9659 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9660 BPF_MOV64_IMM(BPF_REG_0, 0),
9661 BPF_EXIT_INSN(),
9662 },
9663 .errstr = "R1 offset is outside of the packet",
9664 .result = REJECT,
9665 .prog_type = BPF_PROG_TYPE_XDP,
9666 },
9667 {
9668 "XDP pkt read, pkt_end > pkt_data', good access",
9669 .insns = {
9670 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9671 offsetof(struct xdp_md, data)),
9672 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9673 offsetof(struct xdp_md, data_end)),
9674 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9675 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9676 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9677 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9678 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9679 BPF_MOV64_IMM(BPF_REG_0, 0),
9680 BPF_EXIT_INSN(),
9681 },
9682 .result = ACCEPT,
9683 .prog_type = BPF_PROG_TYPE_XDP,
9684 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9685 },
9686 {
9687 "XDP pkt read, pkt_end > pkt_data', bad access 1",
9688 .insns = {
9689 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9690 offsetof(struct xdp_md, data)),
9691 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9692 offsetof(struct xdp_md, data_end)),
9693 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9694 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9695 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9696 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9697 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9698 BPF_MOV64_IMM(BPF_REG_0, 0),
9699 BPF_EXIT_INSN(),
9700 },
9701 .errstr = "R1 offset is outside of the packet",
9702 .result = REJECT,
9703 .prog_type = BPF_PROG_TYPE_XDP,
9704 },
9705 {
9706 "XDP pkt read, pkt_end > pkt_data', bad access 2",
9707 .insns = {
9708 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9709 offsetof(struct xdp_md, data)),
9710 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9711 offsetof(struct xdp_md, data_end)),
9712 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9713 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9714 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9715 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9716 BPF_MOV64_IMM(BPF_REG_0, 0),
9717 BPF_EXIT_INSN(),
9718 },
9719 .errstr = "R1 offset is outside of the packet",
9720 .result = REJECT,
9721 .prog_type = BPF_PROG_TYPE_XDP,
9722 },
9723 {
9724 "XDP pkt read, pkt_data' < pkt_end, good access",
9725 .insns = {
9726 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9727 offsetof(struct xdp_md, data)),
9728 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9729 offsetof(struct xdp_md, data_end)),
9730 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9731 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9732 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9733 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9734 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9735 BPF_MOV64_IMM(BPF_REG_0, 0),
9736 BPF_EXIT_INSN(),
9737 },
9738 .result = ACCEPT,
9739 .prog_type = BPF_PROG_TYPE_XDP,
9740 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9741 },
9742 {
9743 "XDP pkt read, pkt_data' < pkt_end, bad access 1",
9744 .insns = {
9745 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9746 offsetof(struct xdp_md, data)),
9747 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9748 offsetof(struct xdp_md, data_end)),
9749 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9750 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9751 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9752 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9753 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9754 BPF_MOV64_IMM(BPF_REG_0, 0),
9755 BPF_EXIT_INSN(),
9756 },
9757 .errstr = "R1 offset is outside of the packet",
9758 .result = REJECT,
9759 .prog_type = BPF_PROG_TYPE_XDP,
9760 },
9761 {
9762 "XDP pkt read, pkt_data' < pkt_end, bad access 2",
9763 .insns = {
9764 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9765 offsetof(struct xdp_md, data)),
9766 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9767 offsetof(struct xdp_md, data_end)),
9768 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9769 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9770 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9771 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9772 BPF_MOV64_IMM(BPF_REG_0, 0),
9773 BPF_EXIT_INSN(),
9774 },
9775 .errstr = "R1 offset is outside of the packet",
9776 .result = REJECT,
9777 .prog_type = BPF_PROG_TYPE_XDP,
9778 },
9779 {
9780 "XDP pkt read, pkt_end < pkt_data', good access",
9781 .insns = {
9782 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9783 offsetof(struct xdp_md, data)),
9784 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9785 offsetof(struct xdp_md, data_end)),
9786 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9787 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9788 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9789 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9790 BPF_MOV64_IMM(BPF_REG_0, 0),
9791 BPF_EXIT_INSN(),
9792 },
9793 .result = ACCEPT,
9794 .prog_type = BPF_PROG_TYPE_XDP,
9795 },
9796 {
9797 "XDP pkt read, pkt_end < pkt_data', bad access 1",
9798 .insns = {
9799 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9800 offsetof(struct xdp_md, data)),
9801 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9802 offsetof(struct xdp_md, data_end)),
9803 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9804 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9805 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9806 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9807 BPF_MOV64_IMM(BPF_REG_0, 0),
9808 BPF_EXIT_INSN(),
9809 },
9810 .errstr = "R1 offset is outside of the packet",
9811 .result = REJECT,
9812 .prog_type = BPF_PROG_TYPE_XDP,
9813 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9814 },
9815 {
9816 "XDP pkt read, pkt_end < pkt_data', bad access 2",
9817 .insns = {
9818 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9819 offsetof(struct xdp_md, data)),
9820 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9821 offsetof(struct xdp_md, data_end)),
9822 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9823 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9824 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
9825 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9826 BPF_MOV64_IMM(BPF_REG_0, 0),
9827 BPF_EXIT_INSN(),
9828 },
9829 .errstr = "R1 offset is outside of the packet",
9830 .result = REJECT,
9831 .prog_type = BPF_PROG_TYPE_XDP,
9832 },
9833 {
9834 "XDP pkt read, pkt_data' >= pkt_end, good access",
9835 .insns = {
9836 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9837 offsetof(struct xdp_md, data)),
9838 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9839 offsetof(struct xdp_md, data_end)),
9840 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9841 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9842 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9843 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9844 BPF_MOV64_IMM(BPF_REG_0, 0),
9845 BPF_EXIT_INSN(),
9846 },
9847 .result = ACCEPT,
9848 .prog_type = BPF_PROG_TYPE_XDP,
9849 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9850 },
9851 {
9852 "XDP pkt read, pkt_data' >= pkt_end, bad access 1",
9853 .insns = {
9854 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9855 offsetof(struct xdp_md, data)),
9856 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9857 offsetof(struct xdp_md, data_end)),
9858 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9859 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9860 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9861 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9862 BPF_MOV64_IMM(BPF_REG_0, 0),
9863 BPF_EXIT_INSN(),
9864 },
9865 .errstr = "R1 offset is outside of the packet",
9866 .result = REJECT,
9867 .prog_type = BPF_PROG_TYPE_XDP,
9868 },
9869 {
9870 "XDP pkt read, pkt_data' >= pkt_end, bad access 2",
9871 .insns = {
9872 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9873 offsetof(struct xdp_md, data)),
9874 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9875 offsetof(struct xdp_md, data_end)),
9876 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9877 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9878 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
9879 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9880 BPF_MOV64_IMM(BPF_REG_0, 0),
9881 BPF_EXIT_INSN(),
9882 },
9883 .errstr = "R1 offset is outside of the packet",
9884 .result = REJECT,
9885 .prog_type = BPF_PROG_TYPE_XDP,
9886 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9887 },
9888 {
9889 "XDP pkt read, pkt_end >= pkt_data', good access",
9890 .insns = {
9891 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9892 offsetof(struct xdp_md, data)),
9893 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9894 offsetof(struct xdp_md, data_end)),
9895 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9896 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9897 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9898 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9899 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9900 BPF_MOV64_IMM(BPF_REG_0, 0),
9901 BPF_EXIT_INSN(),
9902 },
9903 .result = ACCEPT,
9904 .prog_type = BPF_PROG_TYPE_XDP,
9905 },
9906 {
9907 "XDP pkt read, pkt_end >= pkt_data', bad access 1",
9908 .insns = {
9909 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9910 offsetof(struct xdp_md, data)),
9911 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9912 offsetof(struct xdp_md, data_end)),
9913 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9914 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9915 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9916 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9917 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9918 BPF_MOV64_IMM(BPF_REG_0, 0),
9919 BPF_EXIT_INSN(),
9920 },
9921 .errstr = "R1 offset is outside of the packet",
9922 .result = REJECT,
9923 .prog_type = BPF_PROG_TYPE_XDP,
9924 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9925 },
9926 {
9927 "XDP pkt read, pkt_end >= pkt_data', bad access 2",
9928 .insns = {
9929 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9930 offsetof(struct xdp_md, data)),
9931 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9932 offsetof(struct xdp_md, data_end)),
9933 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9934 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9935 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9936 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9937 BPF_MOV64_IMM(BPF_REG_0, 0),
9938 BPF_EXIT_INSN(),
9939 },
9940 .errstr = "R1 offset is outside of the packet",
9941 .result = REJECT,
9942 .prog_type = BPF_PROG_TYPE_XDP,
9943 },
9944 {
9945 "XDP pkt read, pkt_data' <= pkt_end, good access",
9946 .insns = {
9947 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9948 offsetof(struct xdp_md, data)),
9949 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9950 offsetof(struct xdp_md, data_end)),
9951 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9952 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9953 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9954 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9955 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9956 BPF_MOV64_IMM(BPF_REG_0, 0),
9957 BPF_EXIT_INSN(),
9958 },
9959 .result = ACCEPT,
9960 .prog_type = BPF_PROG_TYPE_XDP,
9961 },
9962 {
9963 "XDP pkt read, pkt_data' <= pkt_end, bad access 1",
9964 .insns = {
9965 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9966 offsetof(struct xdp_md, data)),
9967 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9968 offsetof(struct xdp_md, data_end)),
9969 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9970 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9971 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9972 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9973 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9974 BPF_MOV64_IMM(BPF_REG_0, 0),
9975 BPF_EXIT_INSN(),
9976 },
9977 .errstr = "R1 offset is outside of the packet",
9978 .result = REJECT,
9979 .prog_type = BPF_PROG_TYPE_XDP,
9980 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9981 },
9982 {
9983 "XDP pkt read, pkt_data' <= pkt_end, bad access 2",
9984 .insns = {
9985 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9986 offsetof(struct xdp_md, data)),
9987 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9988 offsetof(struct xdp_md, data_end)),
9989 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9990 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9991 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9992 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9993 BPF_MOV64_IMM(BPF_REG_0, 0),
9994 BPF_EXIT_INSN(),
9995 },
9996 .errstr = "R1 offset is outside of the packet",
9997 .result = REJECT,
9998 .prog_type = BPF_PROG_TYPE_XDP,
9999 },
10000 {
10001 "XDP pkt read, pkt_end <= pkt_data', good access",
10002 .insns = {
10003 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10004 offsetof(struct xdp_md, data)),
10005 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10006 offsetof(struct xdp_md, data_end)),
10007 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10008 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10009 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
10010 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10011 BPF_MOV64_IMM(BPF_REG_0, 0),
10012 BPF_EXIT_INSN(),
10013 },
10014 .result = ACCEPT,
10015 .prog_type = BPF_PROG_TYPE_XDP,
10016 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10017 },
10018 {
10019 "XDP pkt read, pkt_end <= pkt_data', bad access 1",
10020 .insns = {
10021 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10022 offsetof(struct xdp_md, data)),
10023 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10024 offsetof(struct xdp_md, data_end)),
10025 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10026 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10027 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
10028 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10029 BPF_MOV64_IMM(BPF_REG_0, 0),
10030 BPF_EXIT_INSN(),
10031 },
10032 .errstr = "R1 offset is outside of the packet",
10033 .result = REJECT,
10034 .prog_type = BPF_PROG_TYPE_XDP,
10035 },
10036 {
10037 "XDP pkt read, pkt_end <= pkt_data', bad access 2",
10038 .insns = {
10039 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10040 offsetof(struct xdp_md, data)),
10041 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10042 offsetof(struct xdp_md, data_end)),
10043 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10044 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10045 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
10046 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10047 BPF_MOV64_IMM(BPF_REG_0, 0),
10048 BPF_EXIT_INSN(),
10049 },
10050 .errstr = "R1 offset is outside of the packet",
10051 .result = REJECT,
10052 .prog_type = BPF_PROG_TYPE_XDP,
10053 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10054 },
634eab11
DB		 10055 {
10056 "XDP pkt read, pkt_meta' > pkt_data, good access",
10057 .insns = {
10058 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10059 offsetof(struct xdp_md, data_meta)),
10060 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10061 offsetof(struct xdp_md, data)),
10062 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10063 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10064 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
10065 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10066 BPF_MOV64_IMM(BPF_REG_0, 0),
10067 BPF_EXIT_INSN(),
10068 },
10069 .result = ACCEPT,
10070 .prog_type = BPF_PROG_TYPE_XDP,
10071 },
10072 {
10073 "XDP pkt read, pkt_meta' > pkt_data, bad access 1",
10074 .insns = {
10075 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10076 offsetof(struct xdp_md, data_meta)),
10077 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10078 offsetof(struct xdp_md, data)),
10079 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10080 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10081 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
10082 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
10083 BPF_MOV64_IMM(BPF_REG_0, 0),
10084 BPF_EXIT_INSN(),
10085 },
10086 .errstr = "R1 offset is outside of the packet",
10087 .result = REJECT,
10088 .prog_type = BPF_PROG_TYPE_XDP,
10089 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10090 },
10091 {
10092 "XDP pkt read, pkt_meta' > pkt_data, bad access 2",
10093 .insns = {
10094 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10095 offsetof(struct xdp_md, data_meta)),
10096 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10097 offsetof(struct xdp_md, data)),
10098 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10099 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10100 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
10101 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10102 BPF_MOV64_IMM(BPF_REG_0, 0),
10103 BPF_EXIT_INSN(),
10104 },
10105 .errstr = "R1 offset is outside of the packet",
10106 .result = REJECT,
10107 .prog_type = BPF_PROG_TYPE_XDP,
10108 },
10109 {
10110 "XDP pkt read, pkt_data > pkt_meta', good access",
10111 .insns = {
10112 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10113 offsetof(struct xdp_md, data_meta)),
10114 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10115 offsetof(struct xdp_md, data)),
10116 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10117 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10118 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
10119 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10120 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10121 BPF_MOV64_IMM(BPF_REG_0, 0),
10122 BPF_EXIT_INSN(),
10123 },
10124 .result = ACCEPT,
10125 .prog_type = BPF_PROG_TYPE_XDP,
10126 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10127 },
10128 {
10129 "XDP pkt read, pkt_data > pkt_meta', bad access 1",
10130 .insns = {
10131 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10132 offsetof(struct xdp_md, data_meta)),
10133 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10134 offsetof(struct xdp_md, data)),
10135 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10136 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10137 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
10138 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10139 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10140 BPF_MOV64_IMM(BPF_REG_0, 0),
10141 BPF_EXIT_INSN(),
10142 },
10143 .errstr = "R1 offset is outside of the packet",
10144 .result = REJECT,
10145 .prog_type = BPF_PROG_TYPE_XDP,
10146 },
10147 {
10148 "XDP pkt read, pkt_data > pkt_meta', bad access 2",
10149 .insns = {
10150 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10151 offsetof(struct xdp_md, data_meta)),
10152 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10153 offsetof(struct xdp_md, data)),
10154 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10155 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10156 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
10157 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10158 BPF_MOV64_IMM(BPF_REG_0, 0),
10159 BPF_EXIT_INSN(),
10160 },
10161 .errstr = "R1 offset is outside of the packet",
10162 .result = REJECT,
10163 .prog_type = BPF_PROG_TYPE_XDP,
10164 },
10165 {
10166 "XDP pkt read, pkt_meta' < pkt_data, good access",
10167 .insns = {
10168 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10169 offsetof(struct xdp_md, data_meta)),
10170 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10171 offsetof(struct xdp_md, data)),
10172 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10173 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10174 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
10175 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10176 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10177 BPF_MOV64_IMM(BPF_REG_0, 0),
10178 BPF_EXIT_INSN(),
10179 },
10180 .result = ACCEPT,
10181 .prog_type = BPF_PROG_TYPE_XDP,
10182 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10183 },
10184 {
10185 "XDP pkt read, pkt_meta' < pkt_data, bad access 1",
10186 .insns = {
10187 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10188 offsetof(struct xdp_md, data_meta)),
10189 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10190 offsetof(struct xdp_md, data)),
10191 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10192 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10193 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
10194 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10195 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10196 BPF_MOV64_IMM(BPF_REG_0, 0),
10197 BPF_EXIT_INSN(),
10198 },
10199 .errstr = "R1 offset is outside of the packet",
10200 .result = REJECT,
10201 .prog_type = BPF_PROG_TYPE_XDP,
10202 },
10203 {
10204 "XDP pkt read, pkt_meta' < pkt_data, bad access 2",
10205 .insns = {
10206 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10207 offsetof(struct xdp_md, data_meta)),
10208 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10209 offsetof(struct xdp_md, data)),
10210 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10211 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10212 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
10213 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10214 BPF_MOV64_IMM(BPF_REG_0, 0),
10215 BPF_EXIT_INSN(),
10216 },
10217 .errstr = "R1 offset is outside of the packet",
10218 .result = REJECT,
10219 .prog_type = BPF_PROG_TYPE_XDP,
10220 },
10221 {
10222 "XDP pkt read, pkt_data < pkt_meta', good access",
10223 .insns = {
10224 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10225 offsetof(struct xdp_md, data_meta)),
10226 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10227 offsetof(struct xdp_md, data)),
10228 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10229 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10230 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
10231 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10232 BPF_MOV64_IMM(BPF_REG_0, 0),
10233 BPF_EXIT_INSN(),
10234 },
10235 .result = ACCEPT,
10236 .prog_type = BPF_PROG_TYPE_XDP,
10237 },
10238 {
10239 "XDP pkt read, pkt_data < pkt_meta', bad access 1",
10240 .insns = {
10241 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10242 offsetof(struct xdp_md, data_meta)),
10243 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10244 offsetof(struct xdp_md, data)),
10245 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10246 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10247 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
10248 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
10249 BPF_MOV64_IMM(BPF_REG_0, 0),
10250 BPF_EXIT_INSN(),
10251 },
10252 .errstr = "R1 offset is outside of the packet",
10253 .result = REJECT,
10254 .prog_type = BPF_PROG_TYPE_XDP,
10255 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10256 },
10257 {
10258 "XDP pkt read, pkt_data < pkt_meta', bad access 2",
10259 .insns = {
10260 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10261 offsetof(struct xdp_md, data_meta)),
10262 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10263 offsetof(struct xdp_md, data)),
10264 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10265 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10266 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
10267 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10268 BPF_MOV64_IMM(BPF_REG_0, 0),
10269 BPF_EXIT_INSN(),
10270 },
10271 .errstr = "R1 offset is outside of the packet",
10272 .result = REJECT,
10273 .prog_type = BPF_PROG_TYPE_XDP,
10274 },
10275 {
10276 "XDP pkt read, pkt_meta' >= pkt_data, good access",
10277 .insns = {
10278 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10279 offsetof(struct xdp_md, data_meta)),
10280 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10281 offsetof(struct xdp_md, data)),
10282 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10283 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10284 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
10285 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10286 BPF_MOV64_IMM(BPF_REG_0, 0),
10287 BPF_EXIT_INSN(),
10288 },
10289 .result = ACCEPT,
10290 .prog_type = BPF_PROG_TYPE_XDP,
10291 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10292 },
10293 {
10294 "XDP pkt read, pkt_meta' >= pkt_data, bad access 1",
10295 .insns = {
10296 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10297 offsetof(struct xdp_md, data_meta)),
10298 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10299 offsetof(struct xdp_md, data)),
10300 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10301 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10302 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
10303 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10304 BPF_MOV64_IMM(BPF_REG_0, 0),
10305 BPF_EXIT_INSN(),
10306 },
10307 .errstr = "R1 offset is outside of the packet",
10308 .result = REJECT,
10309 .prog_type = BPF_PROG_TYPE_XDP,
10310 },
10311 {
10312 "XDP pkt read, pkt_meta' >= pkt_data, bad access 2",
10313 .insns = {
10314 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10315 offsetof(struct xdp_md, data_meta)),
10316 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10317 offsetof(struct xdp_md, data)),
10318 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10319 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10320 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
10321 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10322 BPF_MOV64_IMM(BPF_REG_0, 0),
10323 BPF_EXIT_INSN(),
10324 },
10325 .errstr = "R1 offset is outside of the packet",
10326 .result = REJECT,
10327 .prog_type = BPF_PROG_TYPE_XDP,
10328 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10329 },
10330 {
10331 "XDP pkt read, pkt_data >= pkt_meta', good access",
10332 .insns = {
10333 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10334 offsetof(struct xdp_md, data_meta)),
10335 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10336 offsetof(struct xdp_md, data)),
10337 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10338 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10339 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
10340 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10341 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10342 BPF_MOV64_IMM(BPF_REG_0, 0),
10343 BPF_EXIT_INSN(),
10344 },
10345 .result = ACCEPT,
10346 .prog_type = BPF_PROG_TYPE_XDP,
10347 },
10348 {
10349 "XDP pkt read, pkt_data >= pkt_meta', bad access 1",
10350 .insns = {
10351 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10352 offsetof(struct xdp_md, data_meta)),
10353 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10354 offsetof(struct xdp_md, data)),
10355 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10356 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10357 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
10358 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10359 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
10360 BPF_MOV64_IMM(BPF_REG_0, 0),
10361 BPF_EXIT_INSN(),
10362 },
10363 .errstr = "R1 offset is outside of the packet",
10364 .result = REJECT,
10365 .prog_type = BPF_PROG_TYPE_XDP,
10366 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10367 },
10368 {
10369 "XDP pkt read, pkt_data >= pkt_meta', bad access 2",
10370 .insns = {
10371 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10372 offsetof(struct xdp_md, data_meta)),
10373 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10374 offsetof(struct xdp_md, data)),
10375 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10376 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10377 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
10378 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10379 BPF_MOV64_IMM(BPF_REG_0, 0),
10380 BPF_EXIT_INSN(),
10381 },
10382 .errstr = "R1 offset is outside of the packet",
10383 .result = REJECT,
10384 .prog_type = BPF_PROG_TYPE_XDP,
10385 },
10386 {
10387 "XDP pkt read, pkt_meta' <= pkt_data, good access",
10388 .insns = {
10389 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10390 offsetof(struct xdp_md, data_meta)),
10391 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10392 offsetof(struct xdp_md, data)),
10393 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10394 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10395 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
10396 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10397 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10398 BPF_MOV64_IMM(BPF_REG_0, 0),
10399 BPF_EXIT_INSN(),
10400 },
10401 .result = ACCEPT,
10402 .prog_type = BPF_PROG_TYPE_XDP,
10403 },
10404 {
10405 "XDP pkt read, pkt_meta' <= pkt_data, bad access 1",
10406 .insns = {
10407 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10408 offsetof(struct xdp_md, data_meta)),
10409 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10410 offsetof(struct xdp_md, data)),
10411 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10412 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10413 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
10414 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10415 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
10416 BPF_MOV64_IMM(BPF_REG_0, 0),
10417 BPF_EXIT_INSN(),
10418 },
10419 .errstr = "R1 offset is outside of the packet",
10420 .result = REJECT,
10421 .prog_type = BPF_PROG_TYPE_XDP,
10422 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10423 },
10424 {
10425 "XDP pkt read, pkt_meta' <= pkt_data, bad access 2",
10426 .insns = {
10427 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10428 offsetof(struct xdp_md, data_meta)),
10429 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10430 offsetof(struct xdp_md, data)),
10431 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10432 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10433 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
10434 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10435 BPF_MOV64_IMM(BPF_REG_0, 0),
10436 BPF_EXIT_INSN(),
10437 },
10438 .errstr = "R1 offset is outside of the packet",
10439 .result = REJECT,
10440 .prog_type = BPF_PROG_TYPE_XDP,
10441 },
10442 {
10443 "XDP pkt read, pkt_data <= pkt_meta', good access",
10444 .insns = {
10445 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10446 offsetof(struct xdp_md, data_meta)),
10447 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10448 offsetof(struct xdp_md, data)),
10449 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10450 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10451 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
10452 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10453 BPF_MOV64_IMM(BPF_REG_0, 0),
10454 BPF_EXIT_INSN(),
10455 },
10456 .result = ACCEPT,
10457 .prog_type = BPF_PROG_TYPE_XDP,
10458 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10459 },
10460 {
10461 "XDP pkt read, pkt_data <= pkt_meta', bad access 1",
10462 .insns = {
10463 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10464 offsetof(struct xdp_md, data_meta)),
10465 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10466 offsetof(struct xdp_md, data)),
10467 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10468 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10469 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
10470 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10471 BPF_MOV64_IMM(BPF_REG_0, 0),
10472 BPF_EXIT_INSN(),
10473 },
10474 .errstr = "R1 offset is outside of the packet",
10475 .result = REJECT,
10476 .prog_type = BPF_PROG_TYPE_XDP,
10477 },
10478 {
10479 "XDP pkt read, pkt_data <= pkt_meta', bad access 2",
10480 .insns = {
10481 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10482 offsetof(struct xdp_md, data_meta)),
10483 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10484 offsetof(struct xdp_md, data)),
10485 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10486 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10487 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
10488 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10489 BPF_MOV64_IMM(BPF_REG_0, 0),
10490 BPF_EXIT_INSN(),
10491 },
10492 .errstr = "R1 offset is outside of the packet",
10493 .result = REJECT,
10494 .prog_type = BPF_PROG_TYPE_XDP,
10495 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10496 },
6f16101e
DB		 10497 {
10498 "check deducing bounds from const, 1",
10499 .insns = {
10500 BPF_MOV64_IMM(BPF_REG_0, 1),
10501 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 0),
10502 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
10503 BPF_EXIT_INSN(),
10504 },
10505 .result = REJECT,
10506 .errstr = "R0 tried to subtract pointer from scalar",
10507 },
10508 {
10509 "check deducing bounds from const, 2",
10510 .insns = {
10511 BPF_MOV64_IMM(BPF_REG_0, 1),
10512 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 1),
10513 BPF_EXIT_INSN(),
10514 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 1, 1),
10515 BPF_EXIT_INSN(),
10516 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
10517 BPF_EXIT_INSN(),
10518 },
10519 .result = ACCEPT,
35136920 10520 .retval = 1,
6f16101e
DB		 10521 },
10522 {
10523 "check deducing bounds from const, 3",
10524 .insns = {
10525 BPF_MOV64_IMM(BPF_REG_0, 0),
10526 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
10527 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
10528 BPF_EXIT_INSN(),
10529 },
10530 .result = REJECT,
10531 .errstr = "R0 tried to subtract pointer from scalar",
10532 },
10533 {
10534 "check deducing bounds from const, 4",
10535 .insns = {
10536 BPF_MOV64_IMM(BPF_REG_0, 0),
10537 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 1),
10538 BPF_EXIT_INSN(),
10539 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
10540 BPF_EXIT_INSN(),
10541 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
10542 BPF_EXIT_INSN(),
10543 },
10544 .result = ACCEPT,
10545 },
10546 {
10547 "check deducing bounds from const, 5",
10548 .insns = {
10549 BPF_MOV64_IMM(BPF_REG_0, 0),
10550 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
10551 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
10552 BPF_EXIT_INSN(),
10553 },
10554 .result = REJECT,
10555 .errstr = "R0 tried to subtract pointer from scalar",
10556 },
10557 {
10558 "check deducing bounds from const, 6",
10559 .insns = {
10560 BPF_MOV64_IMM(BPF_REG_0, 0),
10561 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
10562 BPF_EXIT_INSN(),
10563 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
10564 BPF_EXIT_INSN(),
10565 },
10566 .result = REJECT,
10567 .errstr = "R0 tried to subtract pointer from scalar",
10568 },
10569 {
10570 "check deducing bounds from const, 7",
10571 .insns = {
10572 BPF_MOV64_IMM(BPF_REG_0, ~0),
10573 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
10574 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
10575 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10576 offsetof(struct __sk_buff, mark)),
10577 BPF_EXIT_INSN(),
10578 },
10579 .result = REJECT,
10580 .errstr = "dereference of modified ctx ptr",
10581 },
10582 {
10583 "check deducing bounds from const, 8",
10584 .insns = {
10585 BPF_MOV64_IMM(BPF_REG_0, ~0),
10586 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
10587 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
10588 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10589 offsetof(struct __sk_buff, mark)),
10590 BPF_EXIT_INSN(),
10591 },
10592 .result = REJECT,
10593 .errstr = "dereference of modified ctx ptr",
10594 },
10595 {
10596 "check deducing bounds from const, 9",
10597 .insns = {
10598 BPF_MOV64_IMM(BPF_REG_0, 0),
10599 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
10600 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
10601 BPF_EXIT_INSN(),
10602 },
10603 .result = REJECT,
10604 .errstr = "R0 tried to subtract pointer from scalar",
10605 },
10606 {
10607 "check deducing bounds from const, 10",
10608 .insns = {
10609 BPF_MOV64_IMM(BPF_REG_0, 0),
10610 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
10611 /* Marks reg as unknown. */
10612 BPF_ALU64_IMM(BPF_NEG, BPF_REG_0, 0),
10613 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
10614 BPF_EXIT_INSN(),
10615 },
10616 .result = REJECT,
10617 .errstr = "math between ctx pointer and register with unbounded min value is not allowed",
10618 },
b06723da
DB		 10619 {
10620 "bpf_exit with invalid return code. test1",
10621 .insns = {
10622 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10623 BPF_EXIT_INSN(),
10624 },
10625 .errstr = "R0 has value (0x0; 0xffffffff)",
10626 .result = REJECT,
10627 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10628 },
10629 {
10630 "bpf_exit with invalid return code. test2",
10631 .insns = {
10632 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10633 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
10634 BPF_EXIT_INSN(),
10635 },
10636 .result = ACCEPT,
10637 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10638 },
10639 {
10640 "bpf_exit with invalid return code. test3",
10641 .insns = {
10642 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10643 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 3),
10644 BPF_EXIT_INSN(),
10645 },
10646 .errstr = "R0 has value (0x0; 0x3)",
10647 .result = REJECT,
10648 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10649 },
10650 {
10651 "bpf_exit with invalid return code. test4",
10652 .insns = {
10653 BPF_MOV64_IMM(BPF_REG_0, 1),
10654 BPF_EXIT_INSN(),
10655 },
10656 .result = ACCEPT,
10657 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10658 },
10659 {
10660 "bpf_exit with invalid return code. test5",
10661 .insns = {
10662 BPF_MOV64_IMM(BPF_REG_0, 2),
10663 BPF_EXIT_INSN(),
10664 },
10665 .errstr = "R0 has value (0x2; 0x0)",
10666 .result = REJECT,
10667 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10668 },
10669 {
10670 "bpf_exit with invalid return code. test6",
10671 .insns = {
10672 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
10673 BPF_EXIT_INSN(),
10674 },
10675 .errstr = "R0 is not a known value (ctx)",
10676 .result = REJECT,
10677 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10678 },
10679 {
10680 "bpf_exit with invalid return code. test7",
10681 .insns = {
10682 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10683 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4),
10684 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_2),
10685 BPF_EXIT_INSN(),
10686 },
10687 .errstr = "R0 has unknown scalar value",
10688 .result = REJECT,
10689 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10690 },
a7ff3eca
AS		 10691 {
10692 "calls: basic sanity",
10693 .insns = {
10694 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10695 BPF_MOV64_IMM(BPF_REG_0, 1),
10696 BPF_EXIT_INSN(),
10697 BPF_MOV64_IMM(BPF_REG_0, 2),
10698 BPF_EXIT_INSN(),
10699 },
10700 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10701 .result = ACCEPT,
10702 },
28ab173e
DB		 10703 {
10704 "calls: not on unpriviledged",
10705 .insns = {
10706 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10707 BPF_MOV64_IMM(BPF_REG_0, 1),
10708 BPF_EXIT_INSN(),
10709 BPF_MOV64_IMM(BPF_REG_0, 2),
10710 BPF_EXIT_INSN(),
10711 },
10712 .errstr_unpriv = "function calls to other bpf functions are allowed for root only",
10713 .result_unpriv = REJECT,
10714 .result = ACCEPT,
111e6b45 10715 .retval = 1,
28ab173e 10716 },
21ccaf21
DB		 10717 {
10718 "calls: div by 0 in subprog",
10719 .insns = {
10720 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10721 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10722 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10723 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
10724 offsetof(struct __sk_buff, data_end)),
10725 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
10726 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
10727 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
10728 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
10729 BPF_MOV64_IMM(BPF_REG_0, 1),
10730 BPF_EXIT_INSN(),
10731 BPF_MOV32_IMM(BPF_REG_2, 0),
10732 BPF_MOV32_IMM(BPF_REG_3, 1),
10733 BPF_ALU32_REG(BPF_DIV, BPF_REG_3, BPF_REG_2),
10734 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10735 offsetof(struct __sk_buff, data)),
10736 BPF_EXIT_INSN(),
10737 },
10738 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10739 .result = ACCEPT,
10740 .retval = 1,
10741 },
10742 {
10743 "calls: multiple ret types in subprog 1",
10744 .insns = {
10745 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10746 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10747 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10748 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
10749 offsetof(struct __sk_buff, data_end)),
10750 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
10751 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
10752 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
10753 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
10754 BPF_MOV64_IMM(BPF_REG_0, 1),
10755 BPF_EXIT_INSN(),
10756 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10757 offsetof(struct __sk_buff, data)),
10758 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
10759 BPF_MOV32_IMM(BPF_REG_0, 42),
10760 BPF_EXIT_INSN(),
10761 },
10762 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10763 .result = REJECT,
10764 .errstr = "R0 invalid mem access 'inv'",
10765 },
10766 {
10767 "calls: multiple ret types in subprog 2",
10768 .insns = {
10769 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10770 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10771 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10772 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
10773 offsetof(struct __sk_buff, data_end)),
10774 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
10775 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
10776 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
10777 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
10778 BPF_MOV64_IMM(BPF_REG_0, 1),
10779 BPF_EXIT_INSN(),
10780 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10781 offsetof(struct __sk_buff, data)),
10782 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10783 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 9),
10784 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10785 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10786 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10787 BPF_LD_MAP_FD(BPF_REG_1, 0),
10788 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10789 BPF_FUNC_map_lookup_elem),
10790 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
10791 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6,
10792 offsetof(struct __sk_buff, data)),
10793 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
10794 BPF_EXIT_INSN(),
10795 },
10796 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
908142e6 10797 .fixup_map_hash_8b = { 16 },
21ccaf21
DB		 10798 .result = REJECT,
10799 .errstr = "R0 min value is outside of the array range",
10800 },
28ab173e
DB		 10801 {
10802 "calls: overlapping caller/callee",
10803 .insns = {
10804 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0),
10805 BPF_MOV64_IMM(BPF_REG_0, 1),
10806 BPF_EXIT_INSN(),
10807 },
10808 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10809 .errstr = "last insn is not an exit or jmp",
10810 .result = REJECT,
10811 },
10812 {
10813 "calls: wrong recursive calls",
10814 .insns = {
10815 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
10816 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
10817 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
10818 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
10819 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
10820 BPF_MOV64_IMM(BPF_REG_0, 1),
10821 BPF_EXIT_INSN(),
10822 },
10823 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10824 .errstr = "jump out of range",
10825 .result = REJECT,
10826 },
10827 {
10828 "calls: wrong src reg",
10829 .insns = {
10830 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 2, 0, 0),
10831 BPF_MOV64_IMM(BPF_REG_0, 1),
10832 BPF_EXIT_INSN(),
10833 },
10834 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10835 .errstr = "BPF_CALL uses reserved fields",
10836 .result = REJECT,
10837 },
10838 {
10839 "calls: wrong off value",
10840 .insns = {
10841 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, -1, 2),
10842 BPF_MOV64_IMM(BPF_REG_0, 1),
10843 BPF_EXIT_INSN(),
10844 BPF_MOV64_IMM(BPF_REG_0, 2),
10845 BPF_EXIT_INSN(),
10846 },
10847 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10848 .errstr = "BPF_CALL uses reserved fields",
10849 .result = REJECT,
10850 },
10851 {
10852 "calls: jump back loop",
10853 .insns = {
10854 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
10855 BPF_MOV64_IMM(BPF_REG_0, 1),
10856 BPF_EXIT_INSN(),
10857 },
10858 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10859 .errstr = "back-edge from insn 0 to 0",
10860 .result = REJECT,
10861 },
10862 {
10863 "calls: conditional call",
10864 .insns = {
10865 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10866 offsetof(struct __sk_buff, mark)),
10867 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10868 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10869 BPF_MOV64_IMM(BPF_REG_0, 1),
10870 BPF_EXIT_INSN(),
10871 BPF_MOV64_IMM(BPF_REG_0, 2),
10872 BPF_EXIT_INSN(),
10873 },
10874 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10875 .errstr = "jump out of range",
10876 .result = REJECT,
10877 },
10878 {
10879 "calls: conditional call 2",
10880 .insns = {
10881 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10882 offsetof(struct __sk_buff, mark)),
10883 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10884 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10885 BPF_MOV64_IMM(BPF_REG_0, 1),
10886 BPF_EXIT_INSN(),
10887 BPF_MOV64_IMM(BPF_REG_0, 2),
10888 BPF_EXIT_INSN(),
10889 BPF_MOV64_IMM(BPF_REG_0, 3),
10890 BPF_EXIT_INSN(),
10891 },
10892 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10893 .result = ACCEPT,
10894 },
10895 {
10896 "calls: conditional call 3",
10897 .insns = {
10898 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10899 offsetof(struct __sk_buff, mark)),
10900 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10901 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
10902 BPF_MOV64_IMM(BPF_REG_0, 1),
10903 BPF_EXIT_INSN(),
10904 BPF_MOV64_IMM(BPF_REG_0, 1),
10905 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10906 BPF_MOV64_IMM(BPF_REG_0, 3),
10907 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10908 },
10909 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10910 .errstr = "back-edge from insn",
10911 .result = REJECT,
10912 },
10913 {
10914 "calls: conditional call 4",
10915 .insns = {
10916 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10917 offsetof(struct __sk_buff, mark)),
10918 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10919 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10920 BPF_MOV64_IMM(BPF_REG_0, 1),
10921 BPF_EXIT_INSN(),
10922 BPF_MOV64_IMM(BPF_REG_0, 1),
10923 BPF_JMP_IMM(BPF_JA, 0, 0, -5),
10924 BPF_MOV64_IMM(BPF_REG_0, 3),
10925 BPF_EXIT_INSN(),
10926 },
10927 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10928 .result = ACCEPT,
10929 },
10930 {
10931 "calls: conditional call 5",
10932 .insns = {
10933 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10934 offsetof(struct __sk_buff, mark)),
10935 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10936 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10937 BPF_MOV64_IMM(BPF_REG_0, 1),
10938 BPF_EXIT_INSN(),
10939 BPF_MOV64_IMM(BPF_REG_0, 1),
10940 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10941 BPF_MOV64_IMM(BPF_REG_0, 3),
10942 BPF_EXIT_INSN(),
10943 },
10944 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10945 .errstr = "back-edge from insn",
10946 .result = REJECT,
10947 },
10948 {
10949 "calls: conditional call 6",
10950 .insns = {
10951 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10952 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -2),
10953 BPF_EXIT_INSN(),
10954 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10955 offsetof(struct __sk_buff, mark)),
10956 BPF_EXIT_INSN(),
10957 },
10958 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10959 .errstr = "back-edge from insn",
10960 .result = REJECT,
10961 },
a7ff3eca
AS		 10962 {
10963 "calls: using r0 returned by callee",
10964 .insns = {
10965 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10966 BPF_EXIT_INSN(),
10967 BPF_MOV64_IMM(BPF_REG_0, 2),
10968 BPF_EXIT_INSN(),
10969 },
10970 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10971 .result = ACCEPT,
10972 },
28ab173e
DB		 10973 {
10974 "calls: using uninit r0 from callee",
10975 .insns = {
10976 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10977 BPF_EXIT_INSN(),
10978 BPF_EXIT_INSN(),
10979 },
10980 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10981 .errstr = "!read_ok",
10982 .result = REJECT,
10983 },
a7ff3eca
AS		 10984 {
10985 "calls: callee is using r1",
10986 .insns = {
10987 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10988 BPF_EXIT_INSN(),
10989 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10990 offsetof(struct __sk_buff, len)),
10991 BPF_EXIT_INSN(),
10992 },
10993 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
10994 .result = ACCEPT,
111e6b45 10995 .retval = TEST_DATA_LEN,
a7ff3eca
AS		 10996 },
10997 {
10998 "calls: callee using args1",
10999 .insns = {
11000 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11001 BPF_EXIT_INSN(),
11002 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
11003 BPF_EXIT_INSN(),
11004 },
11005 .errstr_unpriv = "allowed for root only",
11006 .result_unpriv = REJECT,
11007 .result = ACCEPT,
111e6b45 11008 .retval = POINTER_VALUE,
a7ff3eca
AS		 11009 },
11010 {
11011 "calls: callee using wrong args2",
11012 .insns = {
11013 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11014 BPF_EXIT_INSN(),
11015 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11016 BPF_EXIT_INSN(),
11017 },
11018 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11019 .errstr = "R2 !read_ok",
11020 .result = REJECT,
11021 },
11022 {
11023 "calls: callee using two args",
11024 .insns = {
11025 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11026 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
11027 offsetof(struct __sk_buff, len)),
11028 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_6,
11029 offsetof(struct __sk_buff, len)),
11030 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11031 BPF_EXIT_INSN(),
11032 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
11033 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
11034 BPF_EXIT_INSN(),
11035 },
11036 .errstr_unpriv = "allowed for root only",
11037 .result_unpriv = REJECT,
11038 .result = ACCEPT,
111e6b45 11039 .retval = TEST_DATA_LEN + TEST_DATA_LEN - ETH_HLEN - ETH_HLEN,
a7ff3eca
AS		 11040 },
11041 {
11042 "calls: callee changing pkt pointers",
11043 .insns = {
11044 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
11045 offsetof(struct xdp_md, data)),
11046 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
11047 offsetof(struct xdp_md, data_end)),
11048 BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
11049 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 8),
11050 BPF_JMP_REG(BPF_JGT, BPF_REG_8, BPF_REG_7, 2),
11051 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11052 /* clear_all_pkt_pointers() has to walk all frames
11053 * to make sure that pkt pointers in the caller
11054 * are cleared when callee is calling a helper that
11055 * adjusts packet size
11056 */
11057 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
11058 BPF_MOV32_IMM(BPF_REG_0, 0),
11059 BPF_EXIT_INSN(),
11060 BPF_MOV64_IMM(BPF_REG_2, 0),
11061 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11062 BPF_FUNC_xdp_adjust_head),
11063 BPF_EXIT_INSN(),
11064 },
11065 .result = REJECT,
11066 .errstr = "R6 invalid mem access 'inv'",
11067 .prog_type = BPF_PROG_TYPE_XDP,
11068 },
11069 {
11070 "calls: two calls with args",
11071 .insns = {
11072 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11073 BPF_EXIT_INSN(),
11074 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11075 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
11076 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
11077 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11078 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11079 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
11080 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
11081 BPF_EXIT_INSN(),
11082 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11083 offsetof(struct __sk_buff, len)),
11084 BPF_EXIT_INSN(),
11085 },
11086 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11087 .result = ACCEPT,
111e6b45 11088 .retval = TEST_DATA_LEN + TEST_DATA_LEN,
a7ff3eca 11089 },
28ab173e
DB		 11090 {
11091 "calls: calls with stack arith",
11092 .insns = {
11093 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11094 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
11095 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11096 BPF_EXIT_INSN(),
11097 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
11098 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11099 BPF_EXIT_INSN(),
11100 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
11101 BPF_MOV64_IMM(BPF_REG_0, 42),
11102 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
11103 BPF_EXIT_INSN(),
11104 },
11105 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11106 .result = ACCEPT,
111e6b45 11107 .retval = 42,
28ab173e
DB		 11108 },
11109 {
11110 "calls: calls with misaligned stack access",
11111 .insns = {
11112 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11113 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
11114 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11115 BPF_EXIT_INSN(),
11116 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -61),
11117 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11118 BPF_EXIT_INSN(),
11119 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
11120 BPF_MOV64_IMM(BPF_REG_0, 42),
11121 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
11122 BPF_EXIT_INSN(),
11123 },
11124 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11125 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
11126 .errstr = "misaligned stack access",
11127 .result = REJECT,
11128 },
11129 {
11130 "calls: calls control flow, jump test",
11131 .insns = {
11132 BPF_MOV64_IMM(BPF_REG_0, 42),
11133 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11134 BPF_MOV64_IMM(BPF_REG_0, 43),
11135 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11136 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
11137 BPF_EXIT_INSN(),
11138 },
11139 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11140 .result = ACCEPT,
111e6b45 11141 .retval = 43,
28ab173e
DB		 11142 },
11143 {
11144 "calls: calls control flow, jump test 2",
11145 .insns = {
11146 BPF_MOV64_IMM(BPF_REG_0, 42),
11147 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11148 BPF_MOV64_IMM(BPF_REG_0, 43),
11149 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11150 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
11151 BPF_EXIT_INSN(),
11152 },
11153 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11154 .errstr = "jump out of range from insn 1 to 4",
11155 .result = REJECT,
11156 },
a7ff3eca
AS		 11157 {
11158 "calls: two calls with bad jump",
11159 .insns = {
11160 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11161 BPF_EXIT_INSN(),
11162 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11163 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
11164 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
11165 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11166 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11167 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
11168 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
11169 BPF_EXIT_INSN(),
11170 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11171 offsetof(struct __sk_buff, len)),
11172 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -3),
11173 BPF_EXIT_INSN(),
11174 },
11175 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11176 .errstr = "jump out of range from insn 11 to 9",
11177 .result = REJECT,
11178 },
11179 {
11180 "calls: recursive call. test1",
11181 .insns = {
11182 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11183 BPF_EXIT_INSN(),
11184 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
11185 BPF_EXIT_INSN(),
11186 },
11187 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11188 .errstr = "back-edge",
11189 .result = REJECT,
11190 },
11191 {
11192 "calls: recursive call. test2",
11193 .insns = {
11194 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11195 BPF_EXIT_INSN(),
11196 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
11197 BPF_EXIT_INSN(),
11198 },
11199 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11200 .errstr = "back-edge",
11201 .result = REJECT,
11202 },
11203 {
11204 "calls: unreachable code",
11205 .insns = {
11206 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11207 BPF_EXIT_INSN(),
11208 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11209 BPF_EXIT_INSN(),
11210 BPF_MOV64_IMM(BPF_REG_0, 0),
11211 BPF_EXIT_INSN(),
11212 BPF_MOV64_IMM(BPF_REG_0, 0),
11213 BPF_EXIT_INSN(),
11214 },
11215 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11216 .errstr = "unreachable insn 6",
11217 .result = REJECT,
11218 },
11219 {
11220 "calls: invalid call",
11221 .insns = {
11222 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11223 BPF_EXIT_INSN(),
11224 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -4),
11225 BPF_EXIT_INSN(),
11226 },
11227 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11228 .errstr = "invalid destination",
11229 .result = REJECT,
11230 },
28ab173e
DB		 11231 {
11232 "calls: invalid call 2",
11233 .insns = {
11234 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11235 BPF_EXIT_INSN(),
11236 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0x7fffffff),
11237 BPF_EXIT_INSN(),
11238 },
11239 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11240 .errstr = "invalid destination",
11241 .result = REJECT,
11242 },
a7ff3eca
AS		 11243 {
11244 "calls: jumping across function bodies. test1",
11245 .insns = {
11246 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11247 BPF_MOV64_IMM(BPF_REG_0, 0),
11248 BPF_EXIT_INSN(),
11249 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
11250 BPF_EXIT_INSN(),
11251 },
11252 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11253 .errstr = "jump out of range",
11254 .result = REJECT,
11255 },
11256 {
11257 "calls: jumping across function bodies. test2",
11258 .insns = {
11259 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
11260 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11261 BPF_MOV64_IMM(BPF_REG_0, 0),
11262 BPF_EXIT_INSN(),
11263 BPF_EXIT_INSN(),
11264 },
11265 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11266 .errstr = "jump out of range",
11267 .result = REJECT,
11268 },
11269 {
11270 "calls: call without exit",
11271 .insns = {
11272 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11273 BPF_EXIT_INSN(),
11274 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11275 BPF_EXIT_INSN(),
11276 BPF_MOV64_IMM(BPF_REG_0, 0),
11277 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -2),
11278 },
11279 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11280 .errstr = "not an exit",
11281 .result = REJECT,
11282 },
11283 {
11284 "calls: call into middle of ld_imm64",
11285 .insns = {
11286 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11287 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11288 BPF_MOV64_IMM(BPF_REG_0, 0),
11289 BPF_EXIT_INSN(),
11290 BPF_LD_IMM64(BPF_REG_0, 0),
11291 BPF_EXIT_INSN(),
11292 },
11293 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11294 .errstr = "last insn",
11295 .result = REJECT,
11296 },
11297 {
11298 "calls: call into middle of other call",
11299 .insns = {
11300 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11301 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11302 BPF_MOV64_IMM(BPF_REG_0, 0),
11303 BPF_EXIT_INSN(),
11304 BPF_MOV64_IMM(BPF_REG_0, 0),
11305 BPF_MOV64_IMM(BPF_REG_0, 0),
11306 BPF_EXIT_INSN(),
11307 },
11308 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11309 .errstr = "last insn",
11310 .result = REJECT,
11311 },
28ab173e
DB		 11312 {
11313 "calls: ld_abs with changing ctx data in callee",
11314 .insns = {
11315 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11316 BPF_LD_ABS(BPF_B, 0),
11317 BPF_LD_ABS(BPF_H, 0),
11318 BPF_LD_ABS(BPF_W, 0),
11319 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
11320 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
11321 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
11322 BPF_LD_ABS(BPF_B, 0),
11323 BPF_LD_ABS(BPF_H, 0),
11324 BPF_LD_ABS(BPF_W, 0),
11325 BPF_EXIT_INSN(),
11326 BPF_MOV64_IMM(BPF_REG_2, 1),
11327 BPF_MOV64_IMM(BPF_REG_3, 2),
11328 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11329 BPF_FUNC_skb_vlan_push),
11330 BPF_EXIT_INSN(),
11331 },
11332 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11333 .errstr = "BPF_LD_[ABS|IND] instructions cannot be mixed",
11334 .result = REJECT,
11335 },
a7ff3eca
AS		 11336 {
11337 "calls: two calls with bad fallthrough",
11338 .insns = {
11339 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11340 BPF_EXIT_INSN(),
11341 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11342 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
11343 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
11344 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11345 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11346 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
11347 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
11348 BPF_MOV64_REG(BPF_REG_0, BPF_REG_0),
11349 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11350 offsetof(struct __sk_buff, len)),
11351 BPF_EXIT_INSN(),
11352 },
11353 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11354 .errstr = "not an exit",
11355 .result = REJECT,
11356 },
11357 {
11358 "calls: two calls with stack read",
11359 .insns = {
11360 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11361 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11362 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11363 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11364 BPF_EXIT_INSN(),
11365 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11366 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
11367 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
11368 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11369 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11370 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
11371 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
11372 BPF_EXIT_INSN(),
11373 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
11374 BPF_EXIT_INSN(),
11375 },
11376 .prog_type = BPF_PROG_TYPE_XDP,
11377 .result = ACCEPT,
11378 },
11379 {
11380 "calls: two calls with stack write",
11381 .insns = {
11382 /* main prog */
11383 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11384 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11385 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11386 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11387 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11388 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11389 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
11390 BPF_EXIT_INSN(),
11391
11392 /* subprog 1 */
11393 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11394 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11395 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 7),
11396 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
11397 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11398 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11399 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
11400 BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
11401 /* write into stack frame of main prog */
11402 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11403 BPF_EXIT_INSN(),
11404
11405 /* subprog 2 */
11406 /* read from stack frame of main prog */
11407 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
11408 BPF_EXIT_INSN(),
11409 },
11410 .prog_type = BPF_PROG_TYPE_XDP,
11411 .result = ACCEPT,
11412 },
6b80ad29
JH		 11413 {
11414 "calls: stack overflow using two frames (pre-call access)",
11415 .insns = {
11416 /* prog 1 */
11417 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
11418 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
11419 BPF_EXIT_INSN(),
11420
11421 /* prog 2 */
11422 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
11423 BPF_MOV64_IMM(BPF_REG_0, 0),
11424 BPF_EXIT_INSN(),
11425 },
11426 .prog_type = BPF_PROG_TYPE_XDP,
11427 .errstr = "combined stack size",
11428 .result = REJECT,
11429 },
11430 {
11431 "calls: stack overflow using two frames (post-call access)",
11432 .insns = {
11433 /* prog 1 */
11434 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 2),
11435 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
11436 BPF_EXIT_INSN(),
11437
11438 /* prog 2 */
11439 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
11440 BPF_MOV64_IMM(BPF_REG_0, 0),
11441 BPF_EXIT_INSN(),
11442 },
11443 .prog_type = BPF_PROG_TYPE_XDP,
11444 .errstr = "combined stack size",
11445 .result = REJECT,
11446 },
6b86c421
AS		 11447 {
11448 "calls: stack depth check using three frames. test1",
11449 .insns = {
11450 /* main */
11451 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
11452 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
11453 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
11454 BPF_MOV64_IMM(BPF_REG_0, 0),
11455 BPF_EXIT_INSN(),
11456 /* A */
11457 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
11458 BPF_EXIT_INSN(),
11459 /* B */
11460 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
11461 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
11462 BPF_EXIT_INSN(),
11463 },
11464 .prog_type = BPF_PROG_TYPE_XDP,
11465 /* stack_main=32, stack_A=256, stack_B=64
11466 * and max(main+A, main+A+B) < 512
11467 */
11468 .result = ACCEPT,
11469 },
11470 {
11471 "calls: stack depth check using three frames. test2",
11472 .insns = {
11473 /* main */
11474 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
11475 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
11476 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
11477 BPF_MOV64_IMM(BPF_REG_0, 0),
11478 BPF_EXIT_INSN(),
11479 /* A */
11480 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
11481 BPF_EXIT_INSN(),
11482 /* B */
11483 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
11484 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
11485 BPF_EXIT_INSN(),
11486 },
11487 .prog_type = BPF_PROG_TYPE_XDP,
11488 /* stack_main=32, stack_A=64, stack_B=256
11489 * and max(main+A, main+A+B) < 512
11490 */
11491 .result = ACCEPT,
11492 },
11493 {
11494 "calls: stack depth check using three frames. test3",
11495 .insns = {
11496 /* main */
11497 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11498 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
11499 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11500 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 8), /* call B */
11501 BPF_JMP_IMM(BPF_JGE, BPF_REG_6, 0, 1),
11502 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
11503 BPF_MOV64_IMM(BPF_REG_0, 0),
11504 BPF_EXIT_INSN(),
11505 /* A */
11506 BPF_JMP_IMM(BPF_JLT, BPF_REG_1, 10, 1),
11507 BPF_EXIT_INSN(),
11508 BPF_ST_MEM(BPF_B, BPF_REG_10, -224, 0),
11509 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
11510 /* B */
11511 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 1),
11512 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -6), /* call A */
11513 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
11514 BPF_EXIT_INSN(),
11515 },
11516 .prog_type = BPF_PROG_TYPE_XDP,
11517 /* stack_main=64, stack_A=224, stack_B=256
11518 * and max(main+A, main+A+B) > 512
11519 */
11520 .errstr = "combined stack",
11521 .result = REJECT,
11522 },
11523 {
11524 "calls: stack depth check using three frames. test4",
11525 /* void main(void) {
11526 * func1(0);
11527 * func1(1);
11528 * func2(1);
11529 * }
11530 * void func1(int alloc_or_recurse) {
11531 * if (alloc_or_recurse) {
11532 * frame_pointer[-300] = 1;
11533 * } else {
11534 * func2(alloc_or_recurse);
11535 * }
11536 * }
11537 * void func2(int alloc_or_recurse) {
11538 * if (alloc_or_recurse) {
11539 * frame_pointer[-300] = 1;
11540 * }
11541 * }
11542 */
11543 .insns = {
11544 /* main */
11545 BPF_MOV64_IMM(BPF_REG_1, 0),
11546 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
11547 BPF_MOV64_IMM(BPF_REG_1, 1),
11548 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
11549 BPF_MOV64_IMM(BPF_REG_1, 1),
11550 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 7), /* call B */
11551 BPF_MOV64_IMM(BPF_REG_0, 0),
11552 BPF_EXIT_INSN(),
11553 /* A */
11554 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
11555 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
11556 BPF_EXIT_INSN(),
11557 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
11558 BPF_EXIT_INSN(),
11559 /* B */
11560 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
11561 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
11562 BPF_EXIT_INSN(),
11563 },
11564 .prog_type = BPF_PROG_TYPE_XDP,
11565 .result = REJECT,
11566 .errstr = "combined stack",
11567 },
aada9ce6
AS		 11568 {
11569 "calls: stack depth check using three frames. test5",
11570 .insns = {
11571 /* main */
11572 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call A */
11573 BPF_EXIT_INSN(),
11574 /* A */
11575 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
11576 BPF_EXIT_INSN(),
11577 /* B */
11578 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call C */
11579 BPF_EXIT_INSN(),
11580 /* C */
11581 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call D */
11582 BPF_EXIT_INSN(),
11583 /* D */
11584 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call E */
11585 BPF_EXIT_INSN(),
11586 /* E */
11587 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call F */
11588 BPF_EXIT_INSN(),
11589 /* F */
11590 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call G */
11591 BPF_EXIT_INSN(),
11592 /* G */
11593 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call H */
11594 BPF_EXIT_INSN(),
11595 /* H */
11596 BPF_MOV64_IMM(BPF_REG_0, 0),
11597 BPF_EXIT_INSN(),
11598 },
11599 .prog_type = BPF_PROG_TYPE_XDP,
11600 .errstr = "call stack",
11601 .result = REJECT,
11602 },
a7ff3eca
AS		 11603 {
11604 "calls: spill into caller stack frame",
11605 .insns = {
11606 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11607 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11608 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11609 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11610 BPF_EXIT_INSN(),
11611 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
11612 BPF_MOV64_IMM(BPF_REG_0, 0),
11613 BPF_EXIT_INSN(),
11614 },
11615 .prog_type = BPF_PROG_TYPE_XDP,
11616 .errstr = "cannot spill",
11617 .result = REJECT,
11618 },
28ab173e
DB		 11619 {
11620 "calls: write into caller stack frame",
11621 .insns = {
11622 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11623 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11624 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11625 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11626 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
11627 BPF_EXIT_INSN(),
11628 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 42),
11629 BPF_MOV64_IMM(BPF_REG_0, 0),
11630 BPF_EXIT_INSN(),
11631 },
11632 .prog_type = BPF_PROG_TYPE_XDP,
11633 .result = ACCEPT,
111e6b45 11634 .retval = 42,
28ab173e
DB		 11635 },
11636 {
11637 "calls: write into callee stack frame",
11638 .insns = {
11639 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11640 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
11641 BPF_EXIT_INSN(),
11642 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
11643 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, -8),
11644 BPF_EXIT_INSN(),
11645 },
11646 .prog_type = BPF_PROG_TYPE_XDP,
11647 .errstr = "cannot return stack pointer",
11648 .result = REJECT,
11649 },
a7ff3eca
AS		 11650 {
11651 "calls: two calls with stack write and void return",
11652 .insns = {
11653 /* main prog */
11654 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11655 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11656 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11657 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11658 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11659 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11660 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
11661 BPF_EXIT_INSN(),
11662
11663 /* subprog 1 */
11664 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11665 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11666 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11667 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11668 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11669 BPF_EXIT_INSN(),
11670
11671 /* subprog 2 */
11672 /* write into stack frame of main prog */
11673 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
11674 BPF_EXIT_INSN(), /* void return */
11675 },
11676 .prog_type = BPF_PROG_TYPE_XDP,
11677 .result = ACCEPT,
11678 },
11679 {
11680 "calls: ambiguous return value",
11681 .insns = {
11682 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11683 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
11684 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
11685 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11686 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11687 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
11688 BPF_EXIT_INSN(),
11689 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
11690 BPF_MOV64_IMM(BPF_REG_0, 0),
11691 BPF_EXIT_INSN(),
11692 },
11693 .errstr_unpriv = "allowed for root only",
11694 .result_unpriv = REJECT,
11695 .errstr = "R0 !read_ok",
11696 .result = REJECT,
11697 },
11698 {
11699 "calls: two calls that return map_value",
11700 .insns = {
11701 /* main prog */
11702 /* pass fp-16, fp-8 into a function */
11703 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11704 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11705 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11706 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11707 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
11708
11709 /* fetch map_value_ptr from the stack of this function */
11710 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
11711 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
11712 /* write into map value */
11713 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11714 /* fetch secound map_value_ptr from the stack */
11715 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
11716 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
11717 /* write into map value */
11718 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11719 BPF_MOV64_IMM(BPF_REG_0, 0),
11720 BPF_EXIT_INSN(),
11721
11722 /* subprog 1 */
11723 /* call 3rd function twice */
11724 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11725 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11726 /* first time with fp-8 */
11727 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11728 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11729 /* second time with fp-16 */
11730 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11731 BPF_EXIT_INSN(),
11732
11733 /* subprog 2 */
11734 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11735 /* lookup from map */
11736 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11737 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11738 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11739 BPF_LD_MAP_FD(BPF_REG_1, 0),
11740 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11741 BPF_FUNC_map_lookup_elem),
11742 /* write map_value_ptr into stack frame of main prog */
11743 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11744 BPF_MOV64_IMM(BPF_REG_0, 0),
11745 BPF_EXIT_INSN(), /* return 0 */
11746 },
11747 .prog_type = BPF_PROG_TYPE_XDP,
908142e6 11748 .fixup_map_hash_8b = { 23 },
a7ff3eca
AS		 11749 .result = ACCEPT,
11750 },
11751 {
11752 "calls: two calls that return map_value with bool condition",
11753 .insns = {
11754 /* main prog */
11755 /* pass fp-16, fp-8 into a function */
11756 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11757 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11758 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11759 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11760 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11761 BPF_MOV64_IMM(BPF_REG_0, 0),
11762 BPF_EXIT_INSN(),
11763
11764 /* subprog 1 */
11765 /* call 3rd function twice */
11766 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11767 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11768 /* first time with fp-8 */
11769 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
11770 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
11771 /* fetch map_value_ptr from the stack of this function */
11772 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
11773 /* write into map value */
11774 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11775 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11776 /* second time with fp-16 */
11777 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11778 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
11779 /* fetch secound map_value_ptr from the stack */
11780 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
11781 /* write into map value */
11782 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11783 BPF_EXIT_INSN(),
11784
11785 /* subprog 2 */
11786 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11787 /* lookup from map */
11788 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11789 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11790 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11791 BPF_LD_MAP_FD(BPF_REG_1, 0),
11792 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11793 BPF_FUNC_map_lookup_elem),
11794 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11795 BPF_MOV64_IMM(BPF_REG_0, 0),
11796 BPF_EXIT_INSN(), /* return 0 */
11797 /* write map_value_ptr into stack frame of main prog */
11798 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11799 BPF_MOV64_IMM(BPF_REG_0, 1),
11800 BPF_EXIT_INSN(), /* return 1 */
11801 },
11802 .prog_type = BPF_PROG_TYPE_XDP,
908142e6 11803 .fixup_map_hash_8b = { 23 },
a7ff3eca
AS		 11804 .result = ACCEPT,
11805 },
11806 {
11807 "calls: two calls that return map_value with incorrect bool check",
11808 .insns = {
11809 /* main prog */
11810 /* pass fp-16, fp-8 into a function */
11811 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11812 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11813 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11814 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11815 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11816 BPF_MOV64_IMM(BPF_REG_0, 0),
11817 BPF_EXIT_INSN(),
11818
11819 /* subprog 1 */
11820 /* call 3rd function twice */
11821 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11822 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11823 /* first time with fp-8 */
11824 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
11825 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
11826 /* fetch map_value_ptr from the stack of this function */
11827 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
11828 /* write into map value */
11829 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11830 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11831 /* second time with fp-16 */
11832 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11833 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11834 /* fetch secound map_value_ptr from the stack */
11835 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
11836 /* write into map value */
11837 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11838 BPF_EXIT_INSN(),
11839
11840 /* subprog 2 */
11841 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11842 /* lookup from map */
11843 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11844 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11845 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11846 BPF_LD_MAP_FD(BPF_REG_1, 0),
11847 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11848 BPF_FUNC_map_lookup_elem),
11849 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11850 BPF_MOV64_IMM(BPF_REG_0, 0),
11851 BPF_EXIT_INSN(), /* return 0 */
11852 /* write map_value_ptr into stack frame of main prog */
11853 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11854 BPF_MOV64_IMM(BPF_REG_0, 1),
11855 BPF_EXIT_INSN(), /* return 1 */
11856 },
11857 .prog_type = BPF_PROG_TYPE_XDP,
908142e6 11858 .fixup_map_hash_8b = { 23 },
a7ff3eca
AS		 11859 .result = REJECT,
11860 .errstr = "invalid read from stack off -16+0 size 8",
11861 },
11862 {
11863 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test1",
11864 .insns = {
11865 /* main prog */
11866 /* pass fp-16, fp-8 into a function */
11867 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11868 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11869 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11870 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11871 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11872 BPF_MOV64_IMM(BPF_REG_0, 0),
11873 BPF_EXIT_INSN(),
11874
11875 /* subprog 1 */
11876 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11877 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11878 /* 1st lookup from map */
11879 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11880 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11881 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11882 BPF_LD_MAP_FD(BPF_REG_1, 0),
11883 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11884 BPF_FUNC_map_lookup_elem),
11885 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11886 BPF_MOV64_IMM(BPF_REG_8, 0),
11887 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11888 /* write map_value_ptr into stack frame of main prog at fp-8 */
11889 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11890 BPF_MOV64_IMM(BPF_REG_8, 1),
11891
11892 /* 2nd lookup from map */
11893 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
11894 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11895 BPF_LD_MAP_FD(BPF_REG_1, 0),
11896 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
11897 BPF_FUNC_map_lookup_elem),
11898 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11899 BPF_MOV64_IMM(BPF_REG_9, 0),
11900 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11901 /* write map_value_ptr into stack frame of main prog at fp-16 */
11902 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11903 BPF_MOV64_IMM(BPF_REG_9, 1),
11904
11905 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11906 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
11907 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11908 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11909 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11910 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), /* 34 */
11911 BPF_EXIT_INSN(),
11912
11913 /* subprog 2 */
11914 /* if arg2 == 1 do *arg1 = 0 */
11915 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11916 /* fetch map_value_ptr from the stack of this function */
11917 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11918 /* write into map value */
11919 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11920
11921 /* if arg4 == 1 do *arg3 = 0 */
11922 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11923 /* fetch map_value_ptr from the stack of this function */
11924 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11925 /* write into map value */
11926 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
11927 BPF_EXIT_INSN(),
11928 },
11929 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
908142e6 11930 .fixup_map_hash_8b = { 12, 22 },
a7ff3eca
AS		 11931 .result = REJECT,
11932 .errstr = "invalid access to map value, value_size=8 off=2 size=8",
11933 },
11934 {
11935 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test2",
11936 .insns = {
11937 /* main prog */
11938 /* pass fp-16, fp-8 into a function */
11939 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11940 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11941 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11942 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11943 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11944 BPF_MOV64_IMM(BPF_REG_0, 0),
11945 BPF_EXIT_INSN(),
11946
11947 /* subprog 1 */
11948 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11949 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11950 /* 1st lookup from map */
11951 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11952 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11953 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11954 BPF_LD_MAP_FD(BPF_REG_1, 0),
11955 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11956 BPF_FUNC_map_lookup_elem),
11957 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11958 BPF_MOV64_IMM(BPF_REG_8, 0),
11959 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11960 /* write map_value_ptr into stack frame of main prog at fp-8 */
11961 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11962 BPF_MOV64_IMM(BPF_REG_8, 1),
11963
11964 /* 2nd lookup from map */
11965 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
11966 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11967 BPF_LD_MAP_FD(BPF_REG_1, 0),
11968 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
11969 BPF_FUNC_map_lookup_elem),
11970 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11971 BPF_MOV64_IMM(BPF_REG_9, 0),
11972 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11973 /* write map_value_ptr into stack frame of main prog at fp-16 */
11974 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11975 BPF_MOV64_IMM(BPF_REG_9, 1),
11976
11977 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11978 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
11979 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11980 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11981 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11982 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), /* 34 */
11983 BPF_EXIT_INSN(),
11984
11985 /* subprog 2 */
11986 /* if arg2 == 1 do *arg1 = 0 */
11987 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11988 /* fetch map_value_ptr from the stack of this function */
11989 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11990 /* write into map value */
11991 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11992
11993 /* if arg4 == 1 do *arg3 = 0 */
11994 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11995 /* fetch map_value_ptr from the stack of this function */
11996 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11997 /* write into map value */
11998 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11999 BPF_EXIT_INSN(),
12000 },
12001 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
908142e6 12002 .fixup_map_hash_8b = { 12, 22 },
a7ff3eca
AS		 12003 .result = ACCEPT,
12004 },
12005 {
12006 "calls: two jumps that receive map_value via arg=ptr_stack_of_jumper. test3",
12007 .insns = {
12008 /* main prog */
12009 /* pass fp-16, fp-8 into a function */
12010 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12011 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12012 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12013 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
12014 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
12015 BPF_MOV64_IMM(BPF_REG_0, 0),
12016 BPF_EXIT_INSN(),
12017
12018 /* subprog 1 */
12019 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12020 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
12021 /* 1st lookup from map */
12022 BPF_ST_MEM(BPF_DW, BPF_REG_10, -24, 0),
12023 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12024 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
12025 BPF_LD_MAP_FD(BPF_REG_1, 0),
12026 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12027 BPF_FUNC_map_lookup_elem),
12028 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12029 BPF_MOV64_IMM(BPF_REG_8, 0),
12030 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12031 /* write map_value_ptr into stack frame of main prog at fp-8 */
12032 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
12033 BPF_MOV64_IMM(BPF_REG_8, 1),
12034
12035 /* 2nd lookup from map */
12036 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12037 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
12038 BPF_LD_MAP_FD(BPF_REG_1, 0),
12039 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12040 BPF_FUNC_map_lookup_elem),
12041 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12042 BPF_MOV64_IMM(BPF_REG_9, 0), // 26
12043 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12044 /* write map_value_ptr into stack frame of main prog at fp-16 */
12045 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
12046 BPF_MOV64_IMM(BPF_REG_9, 1),
12047
12048 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
12049 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), // 30
12050 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
12051 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
12052 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
12053 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), // 34
12054 BPF_JMP_IMM(BPF_JA, 0, 0, -30),
12055
12056 /* subprog 2 */
12057 /* if arg2 == 1 do *arg1 = 0 */
12058 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
12059 /* fetch map_value_ptr from the stack of this function */
12060 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
12061 /* write into map value */
12062 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12063
12064 /* if arg4 == 1 do *arg3 = 0 */
12065 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
12066 /* fetch map_value_ptr from the stack of this function */
12067 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
12068 /* write into map value */
12069 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
12070 BPF_JMP_IMM(BPF_JA, 0, 0, -8),
12071 },
12072 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
908142e6 12073 .fixup_map_hash_8b = { 12, 22 },
a7ff3eca
AS		 12074 .result = REJECT,
12075 .errstr = "invalid access to map value, value_size=8 off=2 size=8",
12076 },
12077 {
12078 "calls: two calls that receive map_value_ptr_or_null via arg. test1",
12079 .insns = {
12080 /* main prog */
12081 /* pass fp-16, fp-8 into a function */
12082 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12083 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12084 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12085 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
12086 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12087 BPF_MOV64_IMM(BPF_REG_0, 0),
12088 BPF_EXIT_INSN(),
12089
12090 /* subprog 1 */
12091 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12092 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
12093 /* 1st lookup from map */
12094 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12095 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12096 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12097 BPF_LD_MAP_FD(BPF_REG_1, 0),
12098 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12099 BPF_FUNC_map_lookup_elem),
12100 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
12101 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
12102 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12103 BPF_MOV64_IMM(BPF_REG_8, 0),
12104 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
12105 BPF_MOV64_IMM(BPF_REG_8, 1),
12106
12107 /* 2nd lookup from map */
12108 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12109 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12110 BPF_LD_MAP_FD(BPF_REG_1, 0),
12111 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12112 BPF_FUNC_map_lookup_elem),
12113 /* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
12114 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
12115 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12116 BPF_MOV64_IMM(BPF_REG_9, 0),
12117 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
12118 BPF_MOV64_IMM(BPF_REG_9, 1),
12119
12120 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
12121 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12122 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
12123 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
12124 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
12125 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12126 BPF_EXIT_INSN(),
12127
12128 /* subprog 2 */
12129 /* if arg2 == 1 do *arg1 = 0 */
12130 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
12131 /* fetch map_value_ptr from the stack of this function */
12132 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
12133 /* write into map value */
12134 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12135
12136 /* if arg4 == 1 do *arg3 = 0 */
12137 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
12138 /* fetch map_value_ptr from the stack of this function */
12139 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
12140 /* write into map value */
12141 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12142 BPF_EXIT_INSN(),
12143 },
12144 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
908142e6 12145 .fixup_map_hash_8b = { 12, 22 },
a7ff3eca
AS		 12146 .result = ACCEPT,
12147 },
12148 {
12149 "calls: two calls that receive map_value_ptr_or_null via arg. test2",
12150 .insns = {
12151 /* main prog */
12152 /* pass fp-16, fp-8 into a function */
12153 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12154 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12155 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12156 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
12157 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12158 BPF_MOV64_IMM(BPF_REG_0, 0),
12159 BPF_EXIT_INSN(),
12160
12161 /* subprog 1 */
12162 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12163 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
12164 /* 1st lookup from map */
12165 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12166 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12167 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12168 BPF_LD_MAP_FD(BPF_REG_1, 0),
12169 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12170 BPF_FUNC_map_lookup_elem),
12171 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
12172 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
12173 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12174 BPF_MOV64_IMM(BPF_REG_8, 0),
12175 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
12176 BPF_MOV64_IMM(BPF_REG_8, 1),
12177
12178 /* 2nd lookup from map */
12179 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12180 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12181 BPF_LD_MAP_FD(BPF_REG_1, 0),
12182 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12183 BPF_FUNC_map_lookup_elem),
12184 /* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
12185 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
12186 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12187 BPF_MOV64_IMM(BPF_REG_9, 0),
12188 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
12189 BPF_MOV64_IMM(BPF_REG_9, 1),
12190
12191 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
12192 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12193 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
12194 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
12195 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
12196 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12197 BPF_EXIT_INSN(),
12198
12199 /* subprog 2 */
12200 /* if arg2 == 1 do *arg1 = 0 */
12201 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
12202 /* fetch map_value_ptr from the stack of this function */
12203 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
12204 /* write into map value */
12205 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12206
12207 /* if arg4 == 0 do *arg3 = 0 */
12208 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 0, 2),
12209 /* fetch map_value_ptr from the stack of this function */
12210 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
12211 /* write into map value */
12212 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12213 BPF_EXIT_INSN(),
12214 },
12215 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
908142e6 12216 .fixup_map_hash_8b = { 12, 22 },
a7ff3eca
AS		 12217 .result = REJECT,
12218 .errstr = "R0 invalid mem access 'inv'",
12219 },
12220 {
12221 "calls: pkt_ptr spill into caller stack",
12222 .insns = {
12223 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12224 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12225 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12226 BPF_EXIT_INSN(),
12227
12228 /* subprog 1 */
12229 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12230 offsetof(struct __sk_buff, data)),
12231 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12232 offsetof(struct __sk_buff, data_end)),
12233 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12234 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12235 /* spill unchecked pkt_ptr into stack of caller */
12236 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12237 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
12238 /* now the pkt range is verified, read pkt_ptr from stack */
12239 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
12240 /* write 4 bytes into packet */
12241 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12242 BPF_EXIT_INSN(),
12243 },
12244 .result = ACCEPT,
12245 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
111e6b45 12246 .retval = POINTER_VALUE,
a7ff3eca 12247 },
28ab173e
DB		 12248 {
12249 "calls: pkt_ptr spill into caller stack 2",
12250 .insns = {
12251 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12252 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12253 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12254 /* Marking is still kept, but not in all cases safe. */
12255 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12256 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
12257 BPF_EXIT_INSN(),
12258
12259 /* subprog 1 */
12260 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12261 offsetof(struct __sk_buff, data)),
12262 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12263 offsetof(struct __sk_buff, data_end)),
12264 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12265 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12266 /* spill unchecked pkt_ptr into stack of caller */
12267 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12268 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
12269 /* now the pkt range is verified, read pkt_ptr from stack */
12270 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
12271 /* write 4 bytes into packet */
12272 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12273 BPF_EXIT_INSN(),
12274 },
12275 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12276 .errstr = "invalid access to packet",
12277 .result = REJECT,
12278 },
12279 {
12280 "calls: pkt_ptr spill into caller stack 3",
12281 .insns = {
12282 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12283 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12284 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
12285 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
12286 /* Marking is still kept and safe here. */
12287 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12288 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
12289 BPF_EXIT_INSN(),
12290
12291 /* subprog 1 */
12292 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12293 offsetof(struct __sk_buff, data)),
12294 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12295 offsetof(struct __sk_buff, data_end)),
12296 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12297 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12298 /* spill unchecked pkt_ptr into stack of caller */
12299 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12300 BPF_MOV64_IMM(BPF_REG_5, 0),
12301 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
12302 BPF_MOV64_IMM(BPF_REG_5, 1),
12303 /* now the pkt range is verified, read pkt_ptr from stack */
12304 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
12305 /* write 4 bytes into packet */
12306 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12307 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12308 BPF_EXIT_INSN(),
12309 },
12310 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12311 .result = ACCEPT,
111e6b45 12312 .retval = 1,
28ab173e
DB		 12313 },
12314 {
12315 "calls: pkt_ptr spill into caller stack 4",
12316 .insns = {
12317 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12318 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12319 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
12320 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
12321 /* Check marking propagated. */
12322 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12323 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
12324 BPF_EXIT_INSN(),
12325
12326 /* subprog 1 */
12327 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12328 offsetof(struct __sk_buff, data)),
12329 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12330 offsetof(struct __sk_buff, data_end)),
12331 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12332 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12333 /* spill unchecked pkt_ptr into stack of caller */
12334 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12335 BPF_MOV64_IMM(BPF_REG_5, 0),
12336 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
12337 BPF_MOV64_IMM(BPF_REG_5, 1),
12338 /* don't read back pkt_ptr from stack here */
12339 /* write 4 bytes into packet */
12340 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12341 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12342 BPF_EXIT_INSN(),
12343 },
12344 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12345 .result = ACCEPT,
111e6b45 12346 .retval = 1,
28ab173e
DB		 12347 },
12348 {
12349 "calls: pkt_ptr spill into caller stack 5",
12350 .insns = {
12351 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12352 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12353 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, 0),
12354 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12355 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12356 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
12357 BPF_EXIT_INSN(),
12358
12359 /* subprog 1 */
12360 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12361 offsetof(struct __sk_buff, data)),
12362 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12363 offsetof(struct __sk_buff, data_end)),
12364 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12365 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12366 BPF_MOV64_IMM(BPF_REG_5, 0),
12367 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
12368 /* spill checked pkt_ptr into stack of caller */
12369 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12370 BPF_MOV64_IMM(BPF_REG_5, 1),
12371 /* don't read back pkt_ptr from stack here */
12372 /* write 4 bytes into packet */
12373 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12374 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12375 BPF_EXIT_INSN(),
12376 },
12377 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12378 .errstr = "same insn cannot be used with different",
12379 .result = REJECT,
12380 },
12381 {
12382 "calls: pkt_ptr spill into caller stack 6",
12383 .insns = {
12384 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12385 offsetof(struct __sk_buff, data_end)),
12386 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12387 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12388 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12389 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12390 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12391 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
12392 BPF_EXIT_INSN(),
12393
12394 /* subprog 1 */
12395 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12396 offsetof(struct __sk_buff, data)),
12397 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12398 offsetof(struct __sk_buff, data_end)),
12399 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12400 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12401 BPF_MOV64_IMM(BPF_REG_5, 0),
12402 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
12403 /* spill checked pkt_ptr into stack of caller */
12404 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12405 BPF_MOV64_IMM(BPF_REG_5, 1),
12406 /* don't read back pkt_ptr from stack here */
12407 /* write 4 bytes into packet */
12408 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12409 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12410 BPF_EXIT_INSN(),
12411 },
12412 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12413 .errstr = "R4 invalid mem access",
12414 .result = REJECT,
12415 },
12416 {
12417 "calls: pkt_ptr spill into caller stack 7",
12418 .insns = {
12419 BPF_MOV64_IMM(BPF_REG_2, 0),
12420 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12421 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12422 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12423 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12424 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12425 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
12426 BPF_EXIT_INSN(),
12427
12428 /* subprog 1 */
12429 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12430 offsetof(struct __sk_buff, data)),
12431 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12432 offsetof(struct __sk_buff, data_end)),
12433 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12434 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12435 BPF_MOV64_IMM(BPF_REG_5, 0),
12436 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
12437 /* spill checked pkt_ptr into stack of caller */
12438 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12439 BPF_MOV64_IMM(BPF_REG_5, 1),
12440 /* don't read back pkt_ptr from stack here */
12441 /* write 4 bytes into packet */
12442 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12443 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12444 BPF_EXIT_INSN(),
12445 },
12446 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12447 .errstr = "R4 invalid mem access",
12448 .result = REJECT,
12449 },
12450 {
12451 "calls: pkt_ptr spill into caller stack 8",
12452 .insns = {
12453 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12454 offsetof(struct __sk_buff, data)),
12455 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12456 offsetof(struct __sk_buff, data_end)),
12457 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12458 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12459 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
12460 BPF_EXIT_INSN(),
12461 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12462 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12463 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12464 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12465 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12466 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
12467 BPF_EXIT_INSN(),
12468
12469 /* subprog 1 */
12470 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12471 offsetof(struct __sk_buff, data)),
12472 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12473 offsetof(struct __sk_buff, data_end)),
12474 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12475 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12476 BPF_MOV64_IMM(BPF_REG_5, 0),
12477 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
12478 /* spill checked pkt_ptr into stack of caller */
12479 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12480 BPF_MOV64_IMM(BPF_REG_5, 1),
12481 /* don't read back pkt_ptr from stack here */
12482 /* write 4 bytes into packet */
12483 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12484 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12485 BPF_EXIT_INSN(),
12486 },
12487 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12488 .result = ACCEPT,
12489 },
12490 {
12491 "calls: pkt_ptr spill into caller stack 9",
12492 .insns = {
12493 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12494 offsetof(struct __sk_buff, data)),
12495 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12496 offsetof(struct __sk_buff, data_end)),
12497 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12498 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12499 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
12500 BPF_EXIT_INSN(),
12501 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12502 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12503 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12504 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12505 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12506 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
12507 BPF_EXIT_INSN(),
12508
12509 /* subprog 1 */
12510 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12511 offsetof(struct __sk_buff, data)),
12512 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12513 offsetof(struct __sk_buff, data_end)),
12514 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12515 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12516 BPF_MOV64_IMM(BPF_REG_5, 0),
12517 /* spill unchecked pkt_ptr into stack of caller */
12518 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12519 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
12520 BPF_MOV64_IMM(BPF_REG_5, 1),
12521 /* don't read back pkt_ptr from stack here */
12522 /* write 4 bytes into packet */
12523 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12524 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12525 BPF_EXIT_INSN(),
12526 },
12527 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12528 .errstr = "invalid access to packet",
12529 .result = REJECT,
12530 },
d98588ce
AS		 12531 {
12532 "calls: caller stack init to zero or map_value_or_null",
12533 .insns = {
12534 BPF_MOV64_IMM(BPF_REG_0, 0),
12535 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12536 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12537 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12538 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
12539 /* fetch map_value_or_null or const_zero from stack */
12540 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
12541 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
12542 /* store into map_value */
12543 BPF_ST_MEM(BPF_W, BPF_REG_0, 0, 0),
12544 BPF_EXIT_INSN(),
12545
12546 /* subprog 1 */
12547 /* if (ctx == 0) return; */
12548 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 8),
12549 /* else bpf_map_lookup() and *(fp - 8) = r0 */
12550 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
12551 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12552 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12553 BPF_LD_MAP_FD(BPF_REG_1, 0),
12554 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12555 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12556 BPF_FUNC_map_lookup_elem),
12557 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
12558 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
12559 BPF_EXIT_INSN(),
12560 },
908142e6 12561 .fixup_map_hash_8b = { 13 },
d98588ce
AS		 12562 .result = ACCEPT,
12563 .prog_type = BPF_PROG_TYPE_XDP,
12564 },
12565 {
12566 "calls: stack init to zero and pruning",
12567 .insns = {
12568 /* first make allocated_stack 16 byte */
12569 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
12570 /* now fork the execution such that the false branch
12571 * of JGT insn will be verified second and it skisp zero
12572 * init of fp-8 stack slot. If stack liveness marking
12573 * is missing live_read marks from call map_lookup
12574 * processing then pruning will incorrectly assume
12575 * that fp-8 stack slot was unused in the fall-through
12576 * branch and will accept the program incorrectly
12577 */
12578 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 2),
12579 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12580 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
12581 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12582 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12583 BPF_LD_MAP_FD(BPF_REG_1, 0),
12584 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12585 BPF_FUNC_map_lookup_elem),
12586 BPF_EXIT_INSN(),
12587 },
908142e6 12588 .fixup_map_hash_48b = { 6 },
d98588ce
AS		 12589 .errstr = "invalid indirect read from stack off -8+0 size 8",
12590 .result = REJECT,
12591 .prog_type = BPF_PROG_TYPE_XDP,
12592 },
06be0864
DB		 12593 {
12594 "calls: two calls returning different map pointers for lookup (hash, array)",
12595 .insns = {
12596 /* main prog */
12597 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
12598 BPF_CALL_REL(11),
12599 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
12600 BPF_CALL_REL(12),
12601 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
12602 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12603 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12604 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12605 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12606 BPF_FUNC_map_lookup_elem),
12607 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
12608 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
12609 offsetof(struct test_val, foo)),
12610 BPF_MOV64_IMM(BPF_REG_0, 1),
12611 BPF_EXIT_INSN(),
12612 /* subprog 1 */
12613 BPF_LD_MAP_FD(BPF_REG_0, 0),
12614 BPF_EXIT_INSN(),
12615 /* subprog 2 */
12616 BPF_LD_MAP_FD(BPF_REG_0, 0),
12617 BPF_EXIT_INSN(),
12618 },
12619 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
908142e6
PB		 12620 .fixup_map_hash_48b = { 13 },
12621 .fixup_map_array_48b = { 16 },
06be0864
DB		 12622 .result = ACCEPT,
12623 .retval = 1,
12624 },
12625 {
12626 "calls: two calls returning different map pointers for lookup (hash, map in map)",
12627 .insns = {
12628 /* main prog */
12629 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
12630 BPF_CALL_REL(11),
12631 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
12632 BPF_CALL_REL(12),
12633 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
12634 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12635 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12636 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12637 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12638 BPF_FUNC_map_lookup_elem),
12639 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
12640 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
12641 offsetof(struct test_val, foo)),
12642 BPF_MOV64_IMM(BPF_REG_0, 1),
12643 BPF_EXIT_INSN(),
12644 /* subprog 1 */
12645 BPF_LD_MAP_FD(BPF_REG_0, 0),
12646 BPF_EXIT_INSN(),
12647 /* subprog 2 */
12648 BPF_LD_MAP_FD(BPF_REG_0, 0),
12649 BPF_EXIT_INSN(),
12650 },
12651 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12652 .fixup_map_in_map = { 16 },
908142e6 12653 .fixup_map_array_48b = { 13 },
06be0864
DB		 12654 .result = REJECT,
12655 .errstr = "R0 invalid mem access 'map_ptr'",
12656 },
12657 {
12658 "cond: two branches returning different map pointers for lookup (tail, tail)",
12659 .insns = {
12660 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
12661 offsetof(struct __sk_buff, mark)),
12662 BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 0, 3),
12663 BPF_LD_MAP_FD(BPF_REG_2, 0),
12664 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12665 BPF_LD_MAP_FD(BPF_REG_2, 0),
12666 BPF_MOV64_IMM(BPF_REG_3, 7),
12667 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12668 BPF_FUNC_tail_call),
12669 BPF_MOV64_IMM(BPF_REG_0, 1),
12670 BPF_EXIT_INSN(),
12671 },
12672 .fixup_prog1 = { 5 },
12673 .fixup_prog2 = { 2 },
12674 .result_unpriv = REJECT,
12675 .errstr_unpriv = "tail_call abusing map_ptr",
12676 .result = ACCEPT,
12677 .retval = 42,
12678 },
12679 {
12680 "cond: two branches returning same map pointers for lookup (tail, tail)",
12681 .insns = {
12682 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
12683 offsetof(struct __sk_buff, mark)),
12684 BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 3),
12685 BPF_LD_MAP_FD(BPF_REG_2, 0),
12686 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12687 BPF_LD_MAP_FD(BPF_REG_2, 0),
12688 BPF_MOV64_IMM(BPF_REG_3, 7),
12689 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12690 BPF_FUNC_tail_call),
12691 BPF_MOV64_IMM(BPF_REG_0, 1),
12692 BPF_EXIT_INSN(),
12693 },
12694 .fixup_prog2 = { 2, 5 },
12695 .result_unpriv = ACCEPT,
12696 .result = ACCEPT,
12697 .retval = 42,
12698 },
fd05e57b
GB		 12699 {
12700 "search pruning: all branches should be verified (nop operation)",
12701 .insns = {
12702 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12703 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12704 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
12705 BPF_LD_MAP_FD(BPF_REG_1, 0),
12706 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
12707 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
12708 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
12709 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
12710 BPF_MOV64_IMM(BPF_REG_4, 0),
12711 BPF_JMP_A(1),
12712 BPF_MOV64_IMM(BPF_REG_4, 1),
12713 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
12714 BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
12715 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
12716 BPF_JMP_IMM(BPF_JEQ, BPF_REG_5, 0, 2),
12717 BPF_MOV64_IMM(BPF_REG_6, 0),
12718 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xdead),
12719 BPF_EXIT_INSN(),
12720 },
908142e6 12721 .fixup_map_hash_8b = { 3 },
fd05e57b
GB		 12722 .errstr = "R6 invalid mem access 'inv'",
12723 .result = REJECT,
12724 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12725 },
12726 {
12727 "search pruning: all branches should be verified (invalid stack access)",
12728 .insns = {
12729 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12730 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12731 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
12732 BPF_LD_MAP_FD(BPF_REG_1, 0),
12733 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
12734 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
12735 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
12736 BPF_MOV64_IMM(BPF_REG_4, 0),
12737 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
12738 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
12739 BPF_JMP_A(1),
12740 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -24),
12741 BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
12742 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
12743 BPF_EXIT_INSN(),
12744 },
908142e6 12745 .fixup_map_hash_8b = { 3 },
fd05e57b
GB		 12746 .errstr = "invalid read from stack off -16+0 size 8",
12747 .result = REJECT,
12748 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12749 },
23d191a8
DB		 12750 {
12751 "jit: lsh, rsh, arsh by 1",
12752 .insns = {
12753 BPF_MOV64_IMM(BPF_REG_0, 1),
12754 BPF_MOV64_IMM(BPF_REG_1, 0xff),
12755 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 1),
12756 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 1),
12757 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x3fc, 1),
12758 BPF_EXIT_INSN(),
12759 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 1),
12760 BPF_ALU32_IMM(BPF_RSH, BPF_REG_1, 1),
12761 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0xff, 1),
12762 BPF_EXIT_INSN(),
12763 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 1),
12764 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x7f, 1),
12765 BPF_EXIT_INSN(),
12766 BPF_MOV64_IMM(BPF_REG_0, 2),
12767 BPF_EXIT_INSN(),
12768 },
12769 .result = ACCEPT,
12770 .retval = 2,
12771 },
12772 {
12773 "jit: mov32 for ldimm64, 1",
12774 .insns = {
12775 BPF_MOV64_IMM(BPF_REG_0, 2),
12776 BPF_LD_IMM64(BPF_REG_1, 0xfeffffffffffffffULL),
12777 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32),
12778 BPF_LD_IMM64(BPF_REG_2, 0xfeffffffULL),
12779 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
12780 BPF_MOV64_IMM(BPF_REG_0, 1),
12781 BPF_EXIT_INSN(),
12782 },
12783 .result = ACCEPT,
12784 .retval = 2,
12785 },
12786 {
12787 "jit: mov32 for ldimm64, 2",
12788 .insns = {
12789 BPF_MOV64_IMM(BPF_REG_0, 1),
12790 BPF_LD_IMM64(BPF_REG_1, 0x1ffffffffULL),
12791 BPF_LD_IMM64(BPF_REG_2, 0xffffffffULL),
12792 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
12793 BPF_MOV64_IMM(BPF_REG_0, 2),
12794 BPF_EXIT_INSN(),
12795 },
12796 .result = ACCEPT,
12797 .retval = 2,
12798 },
12799 {
12800 "jit: various mul tests",
12801 .insns = {
12802 BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
12803 BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
12804 BPF_LD_IMM64(BPF_REG_1, 0xefefefULL),
12805 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
12806 BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
12807 BPF_MOV64_IMM(BPF_REG_0, 1),
12808 BPF_EXIT_INSN(),
12809 BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
12810 BPF_ALU64_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
12811 BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
12812 BPF_MOV64_IMM(BPF_REG_0, 1),
12813 BPF_EXIT_INSN(),
12814 BPF_MOV32_REG(BPF_REG_2, BPF_REG_2),
12815 BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
12816 BPF_ALU32_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
12817 BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
12818 BPF_MOV64_IMM(BPF_REG_0, 1),
12819 BPF_EXIT_INSN(),
12820 BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
12821 BPF_ALU32_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
12822 BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
12823 BPF_MOV64_IMM(BPF_REG_0, 1),
12824 BPF_EXIT_INSN(),
12825 BPF_LD_IMM64(BPF_REG_0, 0x952a7bbcULL),
12826 BPF_LD_IMM64(BPF_REG_1, 0xfefefeULL),
12827 BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
12828 BPF_ALU32_REG(BPF_MUL, BPF_REG_2, BPF_REG_1),
12829 BPF_JMP_REG(BPF_JEQ, BPF_REG_2, BPF_REG_0, 2),
12830 BPF_MOV64_IMM(BPF_REG_0, 1),
12831 BPF_EXIT_INSN(),
12832 BPF_MOV64_IMM(BPF_REG_0, 2),
12833 BPF_EXIT_INSN(),
12834 },
12835 .result = ACCEPT,
12836 .retval = 2,
12837 },
ca369602
DB		 12838 {
12839 "xadd/w check unaligned stack",
12840 .insns = {
12841 BPF_MOV64_IMM(BPF_REG_0, 1),
12842 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12843 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -7),
12844 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
12845 BPF_EXIT_INSN(),
12846 },
12847 .result = REJECT,
12848 .errstr = "misaligned stack access off",
12849 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12850 },
12851 {
12852 "xadd/w check unaligned map",
12853 .insns = {
12854 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12855 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12856 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12857 BPF_LD_MAP_FD(BPF_REG_1, 0),
12858 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12859 BPF_FUNC_map_lookup_elem),
12860 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
12861 BPF_EXIT_INSN(),
12862 BPF_MOV64_IMM(BPF_REG_1, 1),
12863 BPF_STX_XADD(BPF_W, BPF_REG_0, BPF_REG_1, 3),
12864 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 3),
12865 BPF_EXIT_INSN(),
12866 },
908142e6 12867 .fixup_map_hash_8b = { 3 },
ca369602
DB		 12868 .result = REJECT,
12869 .errstr = "misaligned value access off",
12870 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12871 },
12872 {
12873 "xadd/w check unaligned pkt",
12874 .insns = {
12875 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12876 offsetof(struct xdp_md, data)),
12877 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12878 offsetof(struct xdp_md, data_end)),
12879 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
12880 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
12881 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 2),
12882 BPF_MOV64_IMM(BPF_REG_0, 99),
12883 BPF_JMP_IMM(BPF_JA, 0, 0, 6),
12884 BPF_MOV64_IMM(BPF_REG_0, 1),
12885 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12886 BPF_ST_MEM(BPF_W, BPF_REG_2, 3, 0),
12887 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 1),
12888 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 2),
12889 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 1),
12890 BPF_EXIT_INSN(),
12891 },
12892 .result = REJECT,
2a159c6f 12893 .errstr = "BPF_XADD stores into R2 pkt is not allowed",
ca369602
DB		 12894 .prog_type = BPF_PROG_TYPE_XDP,
12895 },
fa47a16b
DB		 12896 {
12897 "xadd/w check whether src/dst got mangled, 1",
12898 .insns = {
12899 BPF_MOV64_IMM(BPF_REG_0, 1),
12900 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
12901 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
12902 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12903 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12904 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12905 BPF_JMP_REG(BPF_JNE, BPF_REG_6, BPF_REG_0, 3),
12906 BPF_JMP_REG(BPF_JNE, BPF_REG_7, BPF_REG_10, 2),
12907 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
12908 BPF_EXIT_INSN(),
12909 BPF_MOV64_IMM(BPF_REG_0, 42),
12910 BPF_EXIT_INSN(),
12911 },
12912 .result = ACCEPT,
12913 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12914 .retval = 3,
12915 },
12916 {
12917 "xadd/w check whether src/dst got mangled, 2",
12918 .insns = {
12919 BPF_MOV64_IMM(BPF_REG_0, 1),
12920 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
12921 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
12922 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -8),
12923 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -8),
12924 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -8),
12925 BPF_JMP_REG(BPF_JNE, BPF_REG_6, BPF_REG_0, 3),
12926 BPF_JMP_REG(BPF_JNE, BPF_REG_7, BPF_REG_10, 2),
12927 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
12928 BPF_EXIT_INSN(),
12929 BPF_MOV64_IMM(BPF_REG_0, 42),
12930 BPF_EXIT_INSN(),
12931 },
12932 .result = ACCEPT,
12933 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12934 .retval = 3,
12935 },
2abe611c
YS		 12936 {
12937 "bpf_get_stack return R0 within range",
12938 .insns = {
12939 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12940 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12941 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12942 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12943 BPF_LD_MAP_FD(BPF_REG_1, 0),
12944 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12945 BPF_FUNC_map_lookup_elem),
12946 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 28),
12947 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
12948 BPF_MOV64_IMM(BPF_REG_9, sizeof(struct test_val)),
12949 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12950 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
12951 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct test_val)),
12952 BPF_MOV64_IMM(BPF_REG_4, 256),
12953 BPF_EMIT_CALL(BPF_FUNC_get_stack),
12954 BPF_MOV64_IMM(BPF_REG_1, 0),
12955 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
12956 BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 32),
12957 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_8, 32),
12958 BPF_JMP_REG(BPF_JSLT, BPF_REG_1, BPF_REG_8, 16),
12959 BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8),
12960 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
12961 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_8),
12962 BPF_MOV64_REG(BPF_REG_1, BPF_REG_9),
12963 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32),
12964 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 32),
12965 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
12966 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_1),
12967 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
12968 BPF_MOV64_IMM(BPF_REG_5, sizeof(struct test_val)),
12969 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_5),
12970 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 4),
12971 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12972 BPF_MOV64_REG(BPF_REG_3, BPF_REG_9),
12973 BPF_MOV64_IMM(BPF_REG_4, 0),
12974 BPF_EMIT_CALL(BPF_FUNC_get_stack),
12975 BPF_EXIT_INSN(),
12976 },
908142e6 12977 .fixup_map_hash_48b = { 4 },
2abe611c
YS		 12978 .result = ACCEPT,
12979 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12980 },
93731ef0
DB		 12981 {
12982 "ld_abs: invalid op 1",
12983 .insns = {
12984 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12985 BPF_LD_ABS(BPF_DW, 0),
12986 BPF_EXIT_INSN(),
12987 },
12988 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12989 .result = REJECT,
12990 .errstr = "unknown opcode",
12991 },
12992 {
12993 "ld_abs: invalid op 2",
12994 .insns = {
12995 BPF_MOV32_IMM(BPF_REG_0, 256),
12996 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12997 BPF_LD_IND(BPF_DW, BPF_REG_0, 0),
12998 BPF_EXIT_INSN(),
12999 },
13000 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13001 .result = REJECT,
13002 .errstr = "unknown opcode",
13003 },
13004 {
13005 "ld_abs: nmap reduced",
13006 .insns = {
13007 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13008 BPF_LD_ABS(BPF_H, 12),
13009 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 28),
13010 BPF_LD_ABS(BPF_H, 12),
13011 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 26),
13012 BPF_MOV32_IMM(BPF_REG_0, 18),
13013 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -64),
13014 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -64),
13015 BPF_LD_IND(BPF_W, BPF_REG_7, 14),
13016 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -60),
13017 BPF_MOV32_IMM(BPF_REG_0, 280971478),
13018 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
13019 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
13020 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -60),
13021 BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
13022 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 15),
13023 BPF_LD_ABS(BPF_H, 12),
13024 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 13),
13025 BPF_MOV32_IMM(BPF_REG_0, 22),
13026 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
13027 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
13028 BPF_LD_IND(BPF_H, BPF_REG_7, 14),
13029 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -52),
13030 BPF_MOV32_IMM(BPF_REG_0, 17366),
13031 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -48),
13032 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -48),
13033 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -52),
13034 BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
13035 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
13036 BPF_MOV32_IMM(BPF_REG_0, 256),
13037 BPF_EXIT_INSN(),
13038 BPF_MOV32_IMM(BPF_REG_0, 0),
13039 BPF_EXIT_INSN(),
13040 },
13041 .data = {
13042 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x08, 0x06, 0,
13043 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
13044 0x10, 0xbf, 0x48, 0xd6, 0x43, 0xd6,
13045 },
13046 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13047 .result = ACCEPT,
13048 .retval = 256,
13049 },
13050 {
13051 "ld_abs: div + abs, test 1",
13052 .insns = {
13053 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
13054 BPF_LD_ABS(BPF_B, 3),
13055 BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
13056 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
13057 BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
13058 BPF_LD_ABS(BPF_B, 4),
13059 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
13060 BPF_LD_IND(BPF_B, BPF_REG_8, -70),
13061 BPF_EXIT_INSN(),
13062 },
13063 .data = {
13064 10, 20, 30, 40, 50,
13065 },
13066 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13067 .result = ACCEPT,
13068 .retval = 10,
13069 },
13070 {
13071 "ld_abs: div + abs, test 2",
13072 .insns = {
13073 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
13074 BPF_LD_ABS(BPF_B, 3),
13075 BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
13076 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
13077 BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
13078 BPF_LD_ABS(BPF_B, 128),
13079 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
13080 BPF_LD_IND(BPF_B, BPF_REG_8, -70),
13081 BPF_EXIT_INSN(),
13082 },
13083 .data = {
13084 10, 20, 30, 40, 50,
13085 },
13086 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13087 .result = ACCEPT,
13088 .retval = 0,
13089 },
13090 {
13091 "ld_abs: div + abs, test 3",
13092 .insns = {
13093 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
13094 BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
13095 BPF_LD_ABS(BPF_B, 3),
13096 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
13097 BPF_EXIT_INSN(),
13098 },
13099 .data = {
13100 10, 20, 30, 40, 50,
13101 },
13102 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13103 .result = ACCEPT,
13104 .retval = 0,
13105 },
13106 {
13107 "ld_abs: div + abs, test 4",
13108 .insns = {
13109 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
13110 BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
13111 BPF_LD_ABS(BPF_B, 256),
13112 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
13113 BPF_EXIT_INSN(),
13114 },
13115 .data = {
13116 10, 20, 30, 40, 50,
13117 },
13118 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13119 .result = ACCEPT,
13120 .retval = 0,
13121 },
13122 {
13123 "ld_abs: vlan + abs, test 1",
13124 .insns = { },
13125 .data = {
13126 0x34,
13127 },
13128 .fill_helper = bpf_fill_ld_abs_vlan_push_pop,
13129 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13130 .result = ACCEPT,
13131 .retval = 0xbef,
13132 },
13133 {
13134 "ld_abs: vlan + abs, test 2",
13135 .insns = {
13136 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13137 BPF_LD_ABS(BPF_B, 0),
13138 BPF_LD_ABS(BPF_H, 0),
13139 BPF_LD_ABS(BPF_W, 0),
13140 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
13141 BPF_MOV64_IMM(BPF_REG_6, 0),
13142 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
13143 BPF_MOV64_IMM(BPF_REG_2, 1),
13144 BPF_MOV64_IMM(BPF_REG_3, 2),
13145 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13146 BPF_FUNC_skb_vlan_push),
13147 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
13148 BPF_LD_ABS(BPF_B, 0),
13149 BPF_LD_ABS(BPF_H, 0),
13150 BPF_LD_ABS(BPF_W, 0),
13151 BPF_MOV64_IMM(BPF_REG_0, 42),
13152 BPF_EXIT_INSN(),
13153 },
13154 .data = {
13155 0x34,
13156 },
13157 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13158 .result = ACCEPT,
13159 .retval = 42,
13160 },
13161 {
13162 "ld_abs: jump around ld_abs",
13163 .insns = { },
13164 .data = {
13165 10, 11,
13166 },
13167 .fill_helper = bpf_fill_jump_around_ld_abs,
13168 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13169 .result = ACCEPT,
13170 .retval = 10,
13171 },
a82d8cd3
DB		 13172 {
13173 "ld_dw: xor semi-random 64 bit imms, test 1",
13174 .insns = { },
13175 .data = { },
13176 .fill_helper = bpf_fill_rand_ld_dw,
13177 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13178 .result = ACCEPT,
13179 .retval = 4090,
13180 },
13181 {
13182 "ld_dw: xor semi-random 64 bit imms, test 2",
13183 .insns = { },
13184 .data = { },
13185 .fill_helper = bpf_fill_rand_ld_dw,
13186 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13187 .result = ACCEPT,
13188 .retval = 2047,
13189 },
13190 {
13191 "ld_dw: xor semi-random 64 bit imms, test 3",
13192 .insns = { },
13193 .data = { },
13194 .fill_helper = bpf_fill_rand_ld_dw,
13195 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13196 .result = ACCEPT,
13197 .retval = 511,
13198 },
13199 {
13200 "ld_dw: xor semi-random 64 bit imms, test 4",
13201 .insns = { },
13202 .data = { },
13203 .fill_helper = bpf_fill_rand_ld_dw,
13204 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13205 .result = ACCEPT,
13206 .retval = 5,
13207 },
58990d1f
DB		 13208 {
13209 "pass unmodified ctx pointer to helper",
13210 .insns = {
13211 BPF_MOV64_IMM(BPF_REG_2, 0),
13212 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13213 BPF_FUNC_csum_update),
13214 BPF_MOV64_IMM(BPF_REG_0, 0),
13215 BPF_EXIT_INSN(),
13216 },
13217 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13218 .result = ACCEPT,
13219 },
b584ab88
JS		 13220 {
13221 "reference tracking: leak potential reference",
13222 .insns = {
13223 BPF_SK_LOOKUP,
13224 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), /* leak reference */
13225 BPF_EXIT_INSN(),
13226 },
13227 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13228 .errstr = "Unreleased reference",
13229 .result = REJECT,
13230 },
13231 {
13232 "reference tracking: leak potential reference on stack",
13233 .insns = {
13234 BPF_SK_LOOKUP,
13235 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13236 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13237 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
13238 BPF_MOV64_IMM(BPF_REG_0, 0),
13239 BPF_EXIT_INSN(),
13240 },
13241 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13242 .errstr = "Unreleased reference",
13243 .result = REJECT,
13244 },
13245 {
13246 "reference tracking: leak potential reference on stack 2",
13247 .insns = {
13248 BPF_SK_LOOKUP,
13249 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13250 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13251 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
13252 BPF_MOV64_IMM(BPF_REG_0, 0),
13253 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
13254 BPF_EXIT_INSN(),
13255 },
13256 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13257 .errstr = "Unreleased reference",
13258 .result = REJECT,
13259 },
13260 {
13261 "reference tracking: zero potential reference",
13262 .insns = {
13263 BPF_SK_LOOKUP,
13264 BPF_MOV64_IMM(BPF_REG_0, 0), /* leak reference */
13265 BPF_EXIT_INSN(),
13266 },
13267 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13268 .errstr = "Unreleased reference",
13269 .result = REJECT,
13270 },
13271 {
13272 "reference tracking: copy and zero potential references",
13273 .insns = {
13274 BPF_SK_LOOKUP,
13275 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
13276 BPF_MOV64_IMM(BPF_REG_0, 0),
13277 BPF_MOV64_IMM(BPF_REG_7, 0), /* leak reference */
13278 BPF_EXIT_INSN(),
13279 },
13280 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13281 .errstr = "Unreleased reference",
13282 .result = REJECT,
13283 },
13284 {
13285 "reference tracking: release reference without check",
13286 .insns = {
13287 BPF_SK_LOOKUP,
13288 /* reference in r0 may be NULL */
13289 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13290 BPF_MOV64_IMM(BPF_REG_2, 0),
13291 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13292 BPF_EXIT_INSN(),
13293 },
13294 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13295 .errstr = "type=sock_or_null expected=sock",
13296 .result = REJECT,
13297 },
13298 {
13299 "reference tracking: release reference",
13300 .insns = {
13301 BPF_SK_LOOKUP,
13302 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13303 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13304 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13305 BPF_EXIT_INSN(),
13306 },
13307 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13308 .result = ACCEPT,
13309 },
13310 {
13311 "reference tracking: release reference 2",
13312 .insns = {
13313 BPF_SK_LOOKUP,
13314 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13315 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
13316 BPF_EXIT_INSN(),
13317 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13318 BPF_EXIT_INSN(),
13319 },
13320 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13321 .result = ACCEPT,
13322 },
13323 {
13324 "reference tracking: release reference twice",
13325 .insns = {
13326 BPF_SK_LOOKUP,
13327 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13328 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13329 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13330 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13331 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13332 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13333 BPF_EXIT_INSN(),
13334 },
13335 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13336 .errstr = "type=inv expected=sock",
13337 .result = REJECT,
13338 },
13339 {
13340 "reference tracking: release reference twice inside branch",
13341 .insns = {
13342 BPF_SK_LOOKUP,
13343 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13344 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13345 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3), /* goto end */
13346 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13347 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13348 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13349 BPF_EXIT_INSN(),
13350 },
13351 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13352 .errstr = "type=inv expected=sock",
13353 .result = REJECT,
13354 },
13355 {
13356 "reference tracking: alloc, check, free in one subbranch",
13357 .insns = {
13358 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13359 offsetof(struct __sk_buff, data)),
13360 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13361 offsetof(struct __sk_buff, data_end)),
13362 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13363 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 16),
13364 /* if (offsetof(skb, mark) > data_len) exit; */
13365 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
13366 BPF_EXIT_INSN(),
13367 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_2,
13368 offsetof(struct __sk_buff, mark)),
13369 BPF_SK_LOOKUP,
13370 BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 1), /* mark == 0? */
13371 /* Leak reference in R0 */
13372 BPF_EXIT_INSN(),
13373 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), /* sk NULL? */
13374 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13375 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13376 BPF_EXIT_INSN(),
13377 },
13378 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13379 .errstr = "Unreleased reference",
13380 .result = REJECT,
13381 },
13382 {
13383 "reference tracking: alloc, check, free in both subbranches",
13384 .insns = {
13385 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13386 offsetof(struct __sk_buff, data)),
13387 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13388 offsetof(struct __sk_buff, data_end)),
13389 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13390 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 16),
13391 /* if (offsetof(skb, mark) > data_len) exit; */
13392 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
13393 BPF_EXIT_INSN(),
13394 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_2,
13395 offsetof(struct __sk_buff, mark)),
13396 BPF_SK_LOOKUP,
13397 BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 4), /* mark == 0? */
13398 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), /* sk NULL? */
13399 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13400 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13401 BPF_EXIT_INSN(),
13402 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), /* sk NULL? */
13403 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13404 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13405 BPF_EXIT_INSN(),
13406 },
13407 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13408 .result = ACCEPT,
13409 },
13410 {
13411 "reference tracking in call: free reference in subprog",
13412 .insns = {
13413 BPF_SK_LOOKUP,
13414 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), /* unchecked reference */
13415 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
13416 BPF_MOV64_IMM(BPF_REG_0, 0),
13417 BPF_EXIT_INSN(),
13418
13419 /* subprog 1 */
13420 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
13421 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 1),
13422 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13423 BPF_EXIT_INSN(),
13424 },
13425 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13426 .result = ACCEPT,
13427 },
58990d1f
DB		 13428 {
13429 "pass modified ctx pointer to helper, 1",
13430 .insns = {
13431 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
13432 BPF_MOV64_IMM(BPF_REG_2, 0),
13433 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13434 BPF_FUNC_csum_update),
13435 BPF_MOV64_IMM(BPF_REG_0, 0),
13436 BPF_EXIT_INSN(),
13437 },
13438 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13439 .result = REJECT,
13440 .errstr = "dereference of modified ctx ptr",
13441 },
13442 {
13443 "pass modified ctx pointer to helper, 2",
13444 .insns = {
13445 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
13446 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13447 BPF_FUNC_get_socket_cookie),
13448 BPF_MOV64_IMM(BPF_REG_0, 0),
13449 BPF_EXIT_INSN(),
13450 },
13451 .result_unpriv = REJECT,
13452 .result = REJECT,
13453 .errstr_unpriv = "dereference of modified ctx ptr",
13454 .errstr = "dereference of modified ctx ptr",
13455 },
13456 {
13457 "pass modified ctx pointer to helper, 3",
13458 .insns = {
13459 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 0),
13460 BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 4),
13461 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
13462 BPF_MOV64_IMM(BPF_REG_2, 0),
13463 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13464 BPF_FUNC_csum_update),
13465 BPF_MOV64_IMM(BPF_REG_0, 0),
13466 BPF_EXIT_INSN(),
13467 },
13468 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13469 .result = REJECT,
13470 .errstr = "variable ctx access var_off=(0x0; 0x4)",
13471 },
fbeb1603
AF		 13472 {
13473 "mov64 src == dst",
13474 .insns = {
13475 BPF_MOV64_IMM(BPF_REG_2, 0),
13476 BPF_MOV64_REG(BPF_REG_2, BPF_REG_2),
13477 // Check bounds are OK
13478 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
13479 BPF_MOV64_IMM(BPF_REG_0, 0),
13480 BPF_EXIT_INSN(),
13481 },
13482 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13483 .result = ACCEPT,
13484 },
13485 {
13486 "mov64 src != dst",
13487 .insns = {
13488 BPF_MOV64_IMM(BPF_REG_3, 0),
13489 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
13490 // Check bounds are OK
13491 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
13492 BPF_MOV64_IMM(BPF_REG_0, 0),
13493 BPF_EXIT_INSN(),
13494 },
13495 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13496 .result = ACCEPT,
13497 },
b584ab88
JS		 13498 {
13499 "reference tracking in call: free reference in subprog and outside",
13500 .insns = {
13501 BPF_SK_LOOKUP,
13502 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), /* unchecked reference */
13503 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13504 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
13505 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13506 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13507 BPF_EXIT_INSN(),
13508
13509 /* subprog 1 */
13510 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
13511 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 1),
13512 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13513 BPF_EXIT_INSN(),
13514 },
13515 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13516 .errstr = "type=inv expected=sock",
13517 .result = REJECT,
13518 },
13519 {
13520 "reference tracking in call: alloc & leak reference in subprog",
13521 .insns = {
13522 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13523 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13524 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
13525 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13526 BPF_MOV64_IMM(BPF_REG_0, 0),
13527 BPF_EXIT_INSN(),
13528
13529 /* subprog 1 */
13530 BPF_MOV64_REG(BPF_REG_6, BPF_REG_4),
13531 BPF_SK_LOOKUP,
13532 /* spill unchecked sk_ptr into stack of caller */
13533 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
13534 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13535 BPF_EXIT_INSN(),
13536 },
13537 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13538 .errstr = "Unreleased reference",
13539 .result = REJECT,
13540 },
13541 {
13542 "reference tracking in call: alloc in subprog, release outside",
13543 .insns = {
13544 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13545 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
13546 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13547 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13548 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13549 BPF_EXIT_INSN(),
13550
13551 /* subprog 1 */
13552 BPF_SK_LOOKUP,
13553 BPF_EXIT_INSN(), /* return sk */
13554 },
13555 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13556 .retval = POINTER_VALUE,
13557 .result = ACCEPT,
13558 },
13559 {
13560 "reference tracking in call: sk_ptr leak into caller stack",
13561 .insns = {
13562 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13563 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13564 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
13565 BPF_MOV64_IMM(BPF_REG_0, 0),
13566 BPF_EXIT_INSN(),
13567
13568 /* subprog 1 */
13569 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
13570 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
13571 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
13572 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
13573 /* spill unchecked sk_ptr into stack of caller */
13574 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
13575 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
13576 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
13577 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
13578 BPF_EXIT_INSN(),
13579
13580 /* subprog 2 */
13581 BPF_SK_LOOKUP,
13582 BPF_EXIT_INSN(),
13583 },
13584 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13585 .errstr = "Unreleased reference",
13586 .result = REJECT,
13587 },
13588 {
13589 "reference tracking in call: sk_ptr spill into caller stack",
13590 .insns = {
13591 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13592 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13593 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
13594 BPF_MOV64_IMM(BPF_REG_0, 0),
13595 BPF_EXIT_INSN(),
13596
13597 /* subprog 1 */
13598 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
13599 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
13600 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
13601 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
13602 /* spill unchecked sk_ptr into stack of caller */
13603 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
13604 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
13605 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
13606 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
13607 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
13608 /* now the sk_ptr is verified, free the reference */
13609 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_4, 0),
13610 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13611 BPF_EXIT_INSN(),
13612
13613 /* subprog 2 */
13614 BPF_SK_LOOKUP,
13615 BPF_EXIT_INSN(),
13616 },
13617 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13618 .result = ACCEPT,
13619 },
13620 {
13621 "reference tracking: allow LD_ABS",
13622 .insns = {
13623 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13624 BPF_SK_LOOKUP,
13625 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13626 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13627 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13628 BPF_LD_ABS(BPF_B, 0),
13629 BPF_LD_ABS(BPF_H, 0),
13630 BPF_LD_ABS(BPF_W, 0),
13631 BPF_EXIT_INSN(),
13632 },
13633 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13634 .result = ACCEPT,
13635 },
13636 {
13637 "reference tracking: forbid LD_ABS while holding reference",
13638 .insns = {
13639 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13640 BPF_SK_LOOKUP,
13641 BPF_LD_ABS(BPF_B, 0),
13642 BPF_LD_ABS(BPF_H, 0),
13643 BPF_LD_ABS(BPF_W, 0),
13644 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13645 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13646 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13647 BPF_EXIT_INSN(),
13648 },
13649 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13650 .errstr = "BPF_LD_[ABS|IND] cannot be mixed with socket references",
13651 .result = REJECT,
13652 },
13653 {
13654 "reference tracking: allow LD_IND",
13655 .insns = {
13656 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13657 BPF_SK_LOOKUP,
13658 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13659 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13660 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13661 BPF_MOV64_IMM(BPF_REG_7, 1),
13662 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
13663 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
13664 BPF_EXIT_INSN(),
13665 },
13666 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13667 .result = ACCEPT,
13668 .retval = 1,
13669 },
13670 {
13671 "reference tracking: forbid LD_IND while holding reference",
13672 .insns = {
13673 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13674 BPF_SK_LOOKUP,
13675 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
13676 BPF_MOV64_IMM(BPF_REG_7, 1),
13677 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
13678 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
13679 BPF_MOV64_REG(BPF_REG_1, BPF_REG_4),
13680 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
13681 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13682 BPF_EXIT_INSN(),
13683 },
13684 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13685 .errstr = "BPF_LD_[ABS|IND] cannot be mixed with socket references",
13686 .result = REJECT,
13687 },
13688 {
13689 "reference tracking: check reference or tail call",
13690 .insns = {
13691 BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
13692 BPF_SK_LOOKUP,
13693 /* if (sk) bpf_sk_release() */
13694 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13695 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 7),
13696 /* bpf_tail_call() */
13697 BPF_MOV64_IMM(BPF_REG_3, 2),
13698 BPF_LD_MAP_FD(BPF_REG_2, 0),
13699 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
13700 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13701 BPF_FUNC_tail_call),
13702 BPF_MOV64_IMM(BPF_REG_0, 0),
13703 BPF_EXIT_INSN(),
13704 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13705 BPF_EXIT_INSN(),
13706 },
13707 .fixup_prog1 = { 17 },
13708 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13709 .result = ACCEPT,
13710 },
13711 {
13712 "reference tracking: release reference then tail call",
13713 .insns = {
13714 BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
13715 BPF_SK_LOOKUP,
13716 /* if (sk) bpf_sk_release() */
13717 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13718 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
13719 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13720 /* bpf_tail_call() */
13721 BPF_MOV64_IMM(BPF_REG_3, 2),
13722 BPF_LD_MAP_FD(BPF_REG_2, 0),
13723 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
13724 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13725 BPF_FUNC_tail_call),
13726 BPF_MOV64_IMM(BPF_REG_0, 0),
13727 BPF_EXIT_INSN(),
13728 },
13729 .fixup_prog1 = { 18 },
13730 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13731 .result = ACCEPT,
13732 },
13733 {
13734 "reference tracking: leak possible reference over tail call",
13735 .insns = {
13736 BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
13737 /* Look up socket and store in REG_6 */
13738 BPF_SK_LOOKUP,
13739 /* bpf_tail_call() */
13740 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13741 BPF_MOV64_IMM(BPF_REG_3, 2),
13742 BPF_LD_MAP_FD(BPF_REG_2, 0),
13743 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
13744 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13745 BPF_FUNC_tail_call),
13746 BPF_MOV64_IMM(BPF_REG_0, 0),
13747 /* if (sk) bpf_sk_release() */
13748 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13749 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
13750 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13751 BPF_EXIT_INSN(),
13752 },
13753 .fixup_prog1 = { 16 },
13754 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13755 .errstr = "tail_call would lead to reference leak",
13756 .result = REJECT,
13757 },
13758 {
13759 "reference tracking: leak checked reference over tail call",
13760 .insns = {
13761 BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
13762 /* Look up socket and store in REG_6 */
13763 BPF_SK_LOOKUP,
13764 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13765 /* if (!sk) goto end */
13766 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
13767 /* bpf_tail_call() */
13768 BPF_MOV64_IMM(BPF_REG_3, 0),
13769 BPF_LD_MAP_FD(BPF_REG_2, 0),
13770 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
13771 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13772 BPF_FUNC_tail_call),
13773 BPF_MOV64_IMM(BPF_REG_0, 0),
13774 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13775 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13776 BPF_EXIT_INSN(),
13777 },
13778 .fixup_prog1 = { 17 },
13779 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13780 .errstr = "tail_call would lead to reference leak",
13781 .result = REJECT,
13782 },
13783 {
13784 "reference tracking: mangle and release sock_or_null",
13785 .insns = {
13786 BPF_SK_LOOKUP,
13787 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13788 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 5),
13789 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13790 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13791 BPF_EXIT_INSN(),
13792 },
13793 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13794 .errstr = "R1 pointer arithmetic on sock_or_null prohibited",
13795 .result = REJECT,
13796 },
13797 {
13798 "reference tracking: mangle and release sock",
13799 .insns = {
13800 BPF_SK_LOOKUP,
13801 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13802 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
13803 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 5),
13804 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13805 BPF_EXIT_INSN(),
13806 },
13807 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13808 .errstr = "R1 pointer arithmetic on sock prohibited",
13809 .result = REJECT,
13810 },
13811 {
13812 "reference tracking: access member",
13813 .insns = {
13814 BPF_SK_LOOKUP,
13815 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13816 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
13817 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_0, 4),
13818 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13819 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13820 BPF_EXIT_INSN(),
13821 },
13822 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13823 .result = ACCEPT,
13824 },
13825 {
13826 "reference tracking: write to member",
13827 .insns = {
13828 BPF_SK_LOOKUP,
13829 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13830 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
13831 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13832 BPF_LD_IMM64(BPF_REG_2, 42),
13833 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_2,
13834 offsetof(struct bpf_sock, mark)),
13835 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13836 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13837 BPF_LD_IMM64(BPF_REG_0, 0),
13838 BPF_EXIT_INSN(),
13839 },
13840 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13841 .errstr = "cannot write into socket",
13842 .result = REJECT,
13843 },
13844 {
13845 "reference tracking: invalid 64-bit access of member",
13846 .insns = {
13847 BPF_SK_LOOKUP,
13848 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13849 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
13850 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
13851 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13852 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13853 BPF_EXIT_INSN(),
13854 },
13855 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13856 .errstr = "invalid bpf_sock access off=0 size=8",
13857 .result = REJECT,
13858 },
13859 {
13860 "reference tracking: access after release",
13861 .insns = {
13862 BPF_SK_LOOKUP,
13863 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13864 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
13865 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13866 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
13867 BPF_EXIT_INSN(),
13868 },
13869 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13870 .errstr = "!read_ok",
13871 .result = REJECT,
13872 },
13873 {
13874 "reference tracking: direct access for lookup",
13875 .insns = {
13876 /* Check that the packet is at least 64B long */
13877 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13878 offsetof(struct __sk_buff, data)),
13879 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13880 offsetof(struct __sk_buff, data_end)),
13881 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13882 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
13883 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
13884 /* sk = sk_lookup_tcp(ctx, skb->data, ...) */
13885 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct bpf_sock_tuple)),
13886 BPF_MOV64_IMM(BPF_REG_4, 0),
13887 BPF_MOV64_IMM(BPF_REG_5, 0),
13888 BPF_EMIT_CALL(BPF_FUNC_sk_lookup_tcp),
13889 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13890 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
13891 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_0, 4),
13892 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13893 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13894 BPF_EXIT_INSN(),
13895 },
13896 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13897 .result = ACCEPT,
13898 },
3c731eba
AS		 13899};
13900
5aa5bd14 13901static int probe_filter_length(const struct bpf_insn *fp)
3c731eba 13902{
5aa5bd14 13903 int len;
3c731eba
AS		 13904
13905 for (len = MAX_INSNS - 1; len > 0; --len)
13906 if (fp[len].code != 0 || fp[len].imm != 0)
13907 break;
3c731eba
AS		 13908 return len + 1;
13909}
13910
06be0864
DB		 13911static int create_map(uint32_t type, uint32_t size_key,
13912 uint32_t size_value, uint32_t max_elem)
3c731eba 13913{
5aa5bd14 13914 int fd;
3c731eba 13915
06be0864
DB		 13916 fd = bpf_create_map(type, size_key, size_value, max_elem,
13917 type == BPF_MAP_TYPE_HASH ? BPF_F_NO_PREALLOC : 0);
5aa5bd14
DB		 13918 if (fd < 0)
13919 printf("Failed to create hash map '%s'!\n", strerror(errno));
bf508877 13920
5aa5bd14 13921 return fd;
bf508877
AS		 13922}
13923
0c586079 13924static int create_prog_dummy1(enum bpf_map_type prog_type)
b33eb735
DB		 13925{
13926 struct bpf_insn prog[] = {
13927 BPF_MOV64_IMM(BPF_REG_0, 42),
13928 BPF_EXIT_INSN(),
13929 };
13930
0c586079 13931 return bpf_load_program(prog_type, prog,
b33eb735
DB		 13932 ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
13933}
13934
0c586079 13935static int create_prog_dummy2(enum bpf_map_type prog_type, int mfd, int idx)
b33eb735
DB		 13936{
13937 struct bpf_insn prog[] = {
13938 BPF_MOV64_IMM(BPF_REG_3, idx),
13939 BPF_LD_MAP_FD(BPF_REG_2, mfd),
13940 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13941 BPF_FUNC_tail_call),
13942 BPF_MOV64_IMM(BPF_REG_0, 41),
13943 BPF_EXIT_INSN(),
13944 };
13945
0c586079 13946 return bpf_load_program(prog_type, prog,
b33eb735
DB		 13947 ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
13948}
13949
0c586079
JS		 13950static int create_prog_array(enum bpf_map_type prog_type, uint32_t max_elem,
13951 int p1key)
bf508877 13952{
06be0864 13953 int p2key = 1;
b33eb735 13954 int mfd, p1fd, p2fd;
bf508877 13955
b33eb735 13956 mfd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
06be0864 13957 sizeof(int), max_elem, 0);
b33eb735 13958 if (mfd < 0) {
5aa5bd14 13959 printf("Failed to create prog array '%s'!\n", strerror(errno));
b33eb735
DB		 13960 return -1;
13961 }
3c731eba 13962
0c586079
JS		 13963 p1fd = create_prog_dummy1(prog_type);
13964 p2fd = create_prog_dummy2(prog_type, mfd, p2key);
b33eb735
DB		 13965 if (p1fd < 0 || p2fd < 0)
13966 goto out;
13967 if (bpf_map_update_elem(mfd, &p1key, &p1fd, BPF_ANY) < 0)
13968 goto out;
13969 if (bpf_map_update_elem(mfd, &p2key, &p2fd, BPF_ANY) < 0)
13970 goto out;
13971 close(p2fd);
13972 close(p1fd);
13973
13974 return mfd;
13975out:
13976 close(p2fd);
13977 close(p1fd);
13978 close(mfd);
13979 return -1;
3c731eba
AS		 13980}
13981
fb30d4b7
MKL		 13982static int create_map_in_map(void)
13983{
13984 int inner_map_fd, outer_map_fd;
13985
13986 inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
13987 sizeof(int), 1, 0);
13988 if (inner_map_fd < 0) {
13989 printf("Failed to create array '%s'!\n", strerror(errno));
13990 return inner_map_fd;
13991 }
13992
88cda1c9 13993 outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL,
fb30d4b7
MKL		 13994 sizeof(int), inner_map_fd, 1, 0);
13995 if (outer_map_fd < 0)
13996 printf("Failed to create array of maps '%s'!\n",
13997 strerror(errno));
13998
13999 close(inner_map_fd);
14000
14001 return outer_map_fd;
14002}
14003
a3c6054f 14004static int create_cgroup_storage(bool percpu)
d4c9f573 14005{
a3c6054f
RG		 14006 enum bpf_map_type type = percpu ? BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE :
14007 BPF_MAP_TYPE_CGROUP_STORAGE;
d4c9f573
RG		 14008 int fd;
14009
a3c6054f 14010 fd = bpf_create_map(type, sizeof(struct bpf_cgroup_storage_key),
d4c9f573
RG		 14011 TEST_DATA_LEN, 0, 0);
14012 if (fd < 0)
a3c6054f
RG		 14013 printf("Failed to create cgroup storage '%s'!\n",
14014 strerror(errno));
d4c9f573
RG		 14015
14016 return fd;
14017}
14018
93731ef0 14019static char bpf_vlog[UINT_MAX >> 8];
5aa5bd14 14020
0c586079
JS		 14021static void do_test_fixup(struct bpf_test *test, enum bpf_map_type prog_type,
14022 struct bpf_insn *prog, int *map_fds)
3c731eba 14023{
908142e6
PB		 14024 int *fixup_map_hash_8b = test->fixup_map_hash_8b;
14025 int *fixup_map_hash_48b = test->fixup_map_hash_48b;
14026 int *fixup_map_hash_16b = test->fixup_map_hash_16b;
14027 int *fixup_map_array_48b = test->fixup_map_array_48b;
7c85c448
PB		 14028 int *fixup_map_sockmap = test->fixup_map_sockmap;
14029 int *fixup_map_sockhash = test->fixup_map_sockhash;
14030 int *fixup_map_xskmap = test->fixup_map_xskmap;
14031 int *fixup_map_stacktrace = test->fixup_map_stacktrace;
06be0864
DB		 14032 int *fixup_prog1 = test->fixup_prog1;
14033 int *fixup_prog2 = test->fixup_prog2;
fb30d4b7 14034 int *fixup_map_in_map = test->fixup_map_in_map;
d4c9f573 14035 int *fixup_cgroup_storage = test->fixup_cgroup_storage;
a3c6054f 14036 int *fixup_percpu_cgroup_storage = test->fixup_percpu_cgroup_storage;
3c731eba 14037
93731ef0
DB		 14038 if (test->fill_helper)
14039 test->fill_helper(test);
14040
5aa5bd14
DB		 14041 /* Allocating HTs with 1 elem is fine here, since we only test
14042 * for verifier and not do a runtime lookup, so the only thing
14043 * that really matters is value size in this case.
14044 */
908142e6 14045 if (*fixup_map_hash_8b) {
06be0864
DB		 14046 map_fds[0] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
14047 sizeof(long long), 1);
5aa5bd14 14048 do {
908142e6
PB		 14049 prog[*fixup_map_hash_8b].imm = map_fds[0];
14050 fixup_map_hash_8b++;
14051 } while (*fixup_map_hash_8b);
5aa5bd14 14052 }
3c731eba 14053
908142e6 14054 if (*fixup_map_hash_48b) {
06be0864
DB		 14055 map_fds[1] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
14056 sizeof(struct test_val), 1);
5aa5bd14 14057 do {
908142e6
PB		 14058 prog[*fixup_map_hash_48b].imm = map_fds[1];
14059 fixup_map_hash_48b++;
14060 } while (*fixup_map_hash_48b);
5aa5bd14 14061 }
3c731eba 14062
908142e6 14063 if (*fixup_map_hash_16b) {
06be0864
DB		 14064 map_fds[2] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
14065 sizeof(struct other_val), 1);
5f90dd6a 14066 do {
908142e6
PB		 14067 prog[*fixup_map_hash_16b].imm = map_fds[2];
14068 fixup_map_hash_16b++;
14069 } while (*fixup_map_hash_16b);
5f90dd6a
PC		 14070 }
14071
908142e6 14072 if (*fixup_map_array_48b) {
06be0864
DB		 14073 map_fds[3] = create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
14074 sizeof(struct test_val), 1);
14075 do {
908142e6
PB		 14076 prog[*fixup_map_array_48b].imm = map_fds[3];
14077 fixup_map_array_48b++;
14078 } while (*fixup_map_array_48b);
06be0864
DB		 14079 }
14080
14081 if (*fixup_prog1) {
0c586079 14082 map_fds[4] = create_prog_array(prog_type, 4, 0);
06be0864
DB		 14083 do {
14084 prog[*fixup_prog1].imm = map_fds[4];
14085 fixup_prog1++;
14086 } while (*fixup_prog1);
14087 }
14088
14089 if (*fixup_prog2) {
0c586079 14090 map_fds[5] = create_prog_array(prog_type, 8, 7);
5aa5bd14 14091 do {
06be0864
DB		 14092 prog[*fixup_prog2].imm = map_fds[5];
14093 fixup_prog2++;
14094 } while (*fixup_prog2);
5aa5bd14 14095 }
fb30d4b7
MKL		 14096
14097 if (*fixup_map_in_map) {
06be0864 14098 map_fds[6] = create_map_in_map();
fb30d4b7 14099 do {
06be0864 14100 prog[*fixup_map_in_map].imm = map_fds[6];
fb30d4b7
MKL		 14101 fixup_map_in_map++;
14102 } while (*fixup_map_in_map);
14103 }
d4c9f573
RG		 14104
14105 if (*fixup_cgroup_storage) {
a3c6054f 14106 map_fds[7] = create_cgroup_storage(false);
d4c9f573
RG		 14107 do {
14108 prog[*fixup_cgroup_storage].imm = map_fds[7];
14109 fixup_cgroup_storage++;
14110 } while (*fixup_cgroup_storage);
14111 }
a3c6054f
RG		 14112
14113 if (*fixup_percpu_cgroup_storage) {
14114 map_fds[8] = create_cgroup_storage(true);
14115 do {
14116 prog[*fixup_percpu_cgroup_storage].imm = map_fds[8];
14117 fixup_percpu_cgroup_storage++;
14118 } while (*fixup_percpu_cgroup_storage);
14119 }
7c85c448
PB		 14120 if (*fixup_map_sockmap) {
14121 map_fds[9] = create_map(BPF_MAP_TYPE_SOCKMAP, sizeof(int),
14122 sizeof(int), 1);
14123 do {
14124 prog[*fixup_map_sockmap].imm = map_fds[9];
14125 fixup_map_sockmap++;
14126 } while (*fixup_map_sockmap);
14127 }
14128 if (*fixup_map_sockhash) {
14129 map_fds[10] = create_map(BPF_MAP_TYPE_SOCKHASH, sizeof(int),
14130 sizeof(int), 1);
14131 do {
14132 prog[*fixup_map_sockhash].imm = map_fds[10];
14133 fixup_map_sockhash++;
14134 } while (*fixup_map_sockhash);
14135 }
14136 if (*fixup_map_xskmap) {
14137 map_fds[11] = create_map(BPF_MAP_TYPE_XSKMAP, sizeof(int),
14138 sizeof(int), 1);
14139 do {
14140 prog[*fixup_map_xskmap].imm = map_fds[11];
14141 fixup_map_xskmap++;
14142 } while (*fixup_map_xskmap);
14143 }
14144 if (*fixup_map_stacktrace) {
14145 map_fds[12] = create_map(BPF_MAP_TYPE_STACK_TRACE, sizeof(u32),
14146 sizeof(u64), 1);
14147 do {
14148 prog[*fixup_map_stacktrace].imm = map_fds[12];
14149 fixup_map_stacktrace++;
14150 } while (fixup_map_stacktrace);
14151 }
5aa5bd14 14152}
bf508877 14153
832c6f2c
DB		 14154static int set_admin(bool admin)
14155{
14156 cap_t caps;
14157 const cap_value_t cap_val = CAP_SYS_ADMIN;
14158 int ret = -1;
14159
14160 caps = cap_get_proc();
14161 if (!caps) {
14162 perror("cap_get_proc");
14163 return -1;
14164 }
14165 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val,
14166 admin ? CAP_SET : CAP_CLEAR)) {
14167 perror("cap_set_flag");
14168 goto out;
14169 }
14170 if (cap_set_proc(caps)) {
14171 perror("cap_set_proc");
14172 goto out;
14173 }
14174 ret = 0;
14175out:
14176 if (cap_free(caps))
14177 perror("cap_free");
14178 return ret;
14179}
14180
5aa5bd14
DB		 14181static void do_test_single(struct bpf_test *test, bool unpriv,
14182 int *passes, int *errors)
14183{
02ea80b1 14184 int fd_prog, expected_ret, reject_from_alignment;
93731ef0 14185 int prog_len, prog_type = test->prog_type;
5aa5bd14 14186 struct bpf_insn *prog = test->insns;
fb30d4b7 14187 int map_fds[MAX_NR_MAPS];
5aa5bd14 14188 const char *expected_err;
832c6f2c 14189 uint32_t expected_val;
111e6b45
AS		 14190 uint32_t retval;
14191 int i, err;
fb30d4b7
MKL		 14192
14193 for (i = 0; i < MAX_NR_MAPS; i++)
14194 map_fds[i] = -1;
48461135 14195
0c586079
JS		 14196 if (!prog_type)
14197 prog_type = BPF_PROG_TYPE_SOCKET_FILTER;
14198 do_test_fixup(test, prog_type, prog, map_fds);
93731ef0 14199 prog_len = probe_filter_length(prog);
3c731eba 14200
0c586079
JS		 14201 fd_prog = bpf_verify_program(prog_type, prog, prog_len,
14202 test->flags & F_LOAD_WITH_STRICT_ALIGNMENT,
d6554904 14203 "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1);
3c731eba 14204
5aa5bd14
DB		 14205 expected_ret = unpriv && test->result_unpriv != UNDEF ?
14206 test->result_unpriv : test->result;
14207 expected_err = unpriv && test->errstr_unpriv ?
14208 test->errstr_unpriv : test->errstr;
832c6f2c
DB		 14209 expected_val = unpriv && test->retval_unpriv ?
14210 test->retval_unpriv : test->retval;
02ea80b1
DB		 14211
14212 reject_from_alignment = fd_prog < 0 &&
14213 (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) &&
14214 strstr(bpf_vlog, "Unknown alignment.");
14215#ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
14216 if (reject_from_alignment) {
14217 printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n",
14218 strerror(errno));
14219 goto fail_log;
14220 }
14221#endif
5aa5bd14 14222 if (expected_ret == ACCEPT) {
02ea80b1 14223 if (fd_prog < 0 && !reject_from_alignment) {
5aa5bd14
DB		 14224 printf("FAIL\nFailed to load prog '%s'!\n",
14225 strerror(errno));
14226 goto fail_log;
14227 }
14228 } else {
14229 if (fd_prog >= 0) {
14230 printf("FAIL\nUnexpected success to load!\n");
14231 goto fail_log;
14232 }
02ea80b1 14233 if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) {
95f87a97
JS		 14234 printf("FAIL\nUnexpected error message!\n\tEXP: %s\n\tRES: %s\n",
14235 expected_err, bpf_vlog);
5aa5bd14
DB		 14236 goto fail_log;
14237 }
14238 }
bf508877 14239
111e6b45 14240 if (fd_prog >= 0) {
6e6fddc7
DB		 14241 __u8 tmp[TEST_DATA_LEN << 2];
14242 __u32 size_tmp = sizeof(tmp);
14243
832c6f2c
DB		 14244 if (unpriv)
14245 set_admin(true);
93731ef0 14246 err = bpf_prog_test_run(fd_prog, 1, test->data,
6e6fddc7 14247 sizeof(test->data), tmp, &size_tmp,
93731ef0 14248 &retval, NULL);
832c6f2c
DB		 14249 if (unpriv)
14250 set_admin(false);
111e6b45
AS		 14251 if (err && errno != 524/*ENOTSUPP*/ && errno != EPERM) {
14252 printf("Unexpected bpf_prog_test_run error\n");
14253 goto fail_log;
14254 }
832c6f2c
DB		 14255 if (!err && retval != expected_val &&
14256 expected_val != POINTER_VALUE) {
14257 printf("FAIL retval %d != %d\n", retval, expected_val);
111e6b45
AS		 14258 goto fail_log;
14259 }
14260 }
5aa5bd14 14261 (*passes)++;
02ea80b1
DB		 14262 printf("OK%s\n", reject_from_alignment ?
14263 " (NOTE: reject due to unknown alignment)" : "");
5aa5bd14
DB		 14264close_fds:
14265 close(fd_prog);
fb30d4b7
MKL		 14266 for (i = 0; i < MAX_NR_MAPS; i++)
14267 close(map_fds[i]);
5aa5bd14
DB		 14268 sched_yield();
14269 return;
14270fail_log:
14271 (*errors)++;
14272 printf("%s", bpf_vlog);
14273 goto close_fds;
14274}
bf508877 14275
d02d8986
MS		 14276static bool is_admin(void)
14277{
14278 cap_t caps;
14279 cap_flag_value_t sysadmin = CAP_CLEAR;
14280 const cap_value_t cap_val = CAP_SYS_ADMIN;
14281
1da8ac7c 14282#ifdef CAP_IS_SUPPORTED
d02d8986
MS		 14283 if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) {
14284 perror("cap_get_flag");
14285 return false;
14286 }
1da8ac7c 14287#endif
d02d8986
MS		 14288 caps = cap_get_proc();
14289 if (!caps) {
14290 perror("cap_get_proc");
14291 return false;
14292 }
14293 if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin))
14294 perror("cap_get_flag");
14295 if (cap_free(caps))
14296 perror("cap_free");
14297 return (sysadmin == CAP_SET);
14298}
14299
0a674874
JS		 14300static void get_unpriv_disabled()
14301{
14302 char buf[2];
14303 FILE *fd;
14304
14305 fd = fopen("/proc/sys/"UNPRIV_SYSCTL, "r");
deea8122
JDB		 14306 if (!fd) {
14307 perror("fopen /proc/sys/"UNPRIV_SYSCTL);
14308 unpriv_disabled = true;
14309 return;
14310 }
0a674874
JS		 14311 if (fgets(buf, 2, fd) == buf && atoi(buf))
14312 unpriv_disabled = true;
14313 fclose(fd);
14314}
14315
36641ad6
DB		 14316static bool test_as_unpriv(struct bpf_test *test)
14317{
14318 return !test->prog_type ||
14319 test->prog_type == BPF_PROG_TYPE_SOCKET_FILTER ||
14320 test->prog_type == BPF_PROG_TYPE_CGROUP_SKB;
14321}
14322
5aa5bd14
DB		 14323static int do_test(bool unpriv, unsigned int from, unsigned int to)
14324{
d0a0e495 14325 int i, passes = 0, errors = 0, skips = 0;
3c731eba 14326
5aa5bd14
DB		 14327 for (i = from; i < to; i++) {
14328 struct bpf_test *test = &tests[i];
3c731eba 14329
5aa5bd14
DB		 14330 /* Program types that are not supported by non-root we
14331 * skip right away.
14332 */
36641ad6 14333 if (test_as_unpriv(test) && unpriv_disabled) {
0a674874
JS		 14334 printf("#%d/u %s SKIP\n", i, test->descr);
14335 skips++;
36641ad6 14336 } else if (test_as_unpriv(test)) {
d02d8986
MS		 14337 if (!unpriv)
14338 set_admin(false);
14339 printf("#%d/u %s ", i, test->descr);
14340 do_test_single(test, true, &passes, &errors);
14341 if (!unpriv)
14342 set_admin(true);
14343 }
5aa5bd14 14344
d0a0e495
JS		 14345 if (unpriv) {
14346 printf("#%d/p %s SKIP\n", i, test->descr);
14347 skips++;
14348 } else {
d02d8986
MS		 14349 printf("#%d/p %s ", i, test->descr);
14350 do_test_single(test, false, &passes, &errors);
14351 }
3c731eba
AS		 14352 }
14353
d0a0e495
JS		 14354 printf("Summary: %d PASSED, %d SKIPPED, %d FAILED\n", passes,
14355 skips, errors);
efe5f9c0 14356 return errors ? EXIT_FAILURE : EXIT_SUCCESS;
3c731eba
AS		 14357}
14358
5aa5bd14 14359int main(int argc, char **argv)
3c731eba 14360{
5aa5bd14 14361 unsigned int from = 0, to = ARRAY_SIZE(tests);
d02d8986 14362 bool unpriv = !is_admin();
5aa5bd14
DB		 14363
14364 if (argc == 3) {
14365 unsigned int l = atoi(argv[argc - 2]);
14366 unsigned int u = atoi(argv[argc - 1]);
14367
14368 if (l < to && u < to) {
14369 from = l;
14370 to = u + 1;
14371 }
14372 } else if (argc == 2) {
14373 unsigned int t = atoi(argv[argc - 1]);
14374
14375 if (t < to) {
14376 from = t;
14377 to = t + 1;
14378 }
14379 }
bf508877 14380
0a674874
JS		 14381 get_unpriv_disabled();
14382 if (unpriv && unpriv_disabled) {
14383 printf("Cannot run as unprivileged user with sysctl %s.\n",
14384 UNPRIV_SYSCTL);
14385 return EXIT_FAILURE;
14386 }
14387
a82d8cd3 14388 bpf_semi_rand_init();
5aa5bd14 14389 return do_test(unpriv, from, to);
3c731eba 14390}
Linux 6.x block layer and io_uring tree(s)