2 * Testsuite for eBPF verifier
4 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
5 * Copyright (c) 2017 Facebook
6 * Copyright (c) 2018 Covalent IO, Inc. http://covalent.io
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of version 2 of the GNU General Public
10 * License as published by the Free Software Foundation.
14 #include <asm/types.h>
15 #include <linux/types.h>
27 #include <sys/capability.h>
29 #include <linux/unistd.h>
30 #include <linux/filter.h>
31 #include <linux/bpf_perf_event.h>
32 #include <linux/bpf.h>
33 #include <linux/if_ether.h>
38 # include "autoconf.h"
40 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
41 # define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
44 #include "bpf_rlimit.h"
47 #include "../../../include/linux/filter.h"
49 #define MAX_INSNS BPF_MAXINSNS
51 #define MAX_NR_MAPS 13
52 #define POINTER_VALUE 0xcafe4all
53 #define TEST_DATA_LEN 64
55 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS (1 << 0)
56 #define F_LOAD_WITH_STRICT_ALIGNMENT (1 << 1)
58 #define UNPRIV_SYSCTL "kernel/unprivileged_bpf_disabled"
59 static bool unpriv_disabled = false;
63 struct bpf_insn insns[MAX_INSNS];
64 int fixup_map_hash_8b[MAX_FIXUPS];
65 int fixup_map_hash_48b[MAX_FIXUPS];
66 int fixup_map_hash_16b[MAX_FIXUPS];
67 int fixup_map_array_48b[MAX_FIXUPS];
68 int fixup_map_sockmap[MAX_FIXUPS];
69 int fixup_map_sockhash[MAX_FIXUPS];
70 int fixup_map_xskmap[MAX_FIXUPS];
71 int fixup_map_stacktrace[MAX_FIXUPS];
72 int fixup_prog1[MAX_FIXUPS];
73 int fixup_prog2[MAX_FIXUPS];
74 int fixup_map_in_map[MAX_FIXUPS];
75 int fixup_cgroup_storage[MAX_FIXUPS];
76 int fixup_percpu_cgroup_storage[MAX_FIXUPS];
78 const char *errstr_unpriv;
84 } result, result_unpriv;
85 enum bpf_prog_type prog_type;
87 __u8 data[TEST_DATA_LEN];
88 void (*fill_helper)(struct bpf_test *self);
91 /* Note we want this to be 64 bit aligned so that the end of our array is
92 * actually the end of the structure.
94 #define MAX_ENTRIES 11
106 static void bpf_fill_ld_abs_vlan_push_pop(struct bpf_test *self)
108 /* test: {skb->data[0], vlan_push} x 68 + {skb->data[0], vlan_pop} x 68 */
110 unsigned int len = BPF_MAXINSNS;
111 struct bpf_insn *insn = self->insns;
114 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
116 for (j = 0; j < PUSH_CNT; j++) {
117 insn[i++] = BPF_LD_ABS(BPF_B, 0);
118 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
120 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
121 insn[i++] = BPF_MOV64_IMM(BPF_REG_2, 1);
122 insn[i++] = BPF_MOV64_IMM(BPF_REG_3, 2);
123 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
124 BPF_FUNC_skb_vlan_push),
125 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
129 for (j = 0; j < PUSH_CNT; j++) {
130 insn[i++] = BPF_LD_ABS(BPF_B, 0);
131 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
133 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
134 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
135 BPF_FUNC_skb_vlan_pop),
136 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
142 for (; i < len - 1; i++)
143 insn[i] = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, 0xbef);
144 insn[len - 1] = BPF_EXIT_INSN();
147 static void bpf_fill_jump_around_ld_abs(struct bpf_test *self)
149 struct bpf_insn *insn = self->insns;
150 unsigned int len = BPF_MAXINSNS;
153 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
154 insn[i++] = BPF_LD_ABS(BPF_B, 0);
155 insn[i] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 10, len - i - 2);
158 insn[i++] = BPF_LD_ABS(BPF_B, 1);
159 insn[i] = BPF_EXIT_INSN();
162 static void bpf_fill_rand_ld_dw(struct bpf_test *self)
164 struct bpf_insn *insn = self->insns;
168 insn[i++] = BPF_MOV32_IMM(BPF_REG_0, 0);
169 while (i < self->retval) {
170 uint64_t val = bpf_semi_rand_get();
171 struct bpf_insn tmp[2] = { BPF_LD_IMM64(BPF_REG_1, val) };
176 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
178 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_0);
179 insn[i++] = BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32);
180 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
181 insn[i] = BPF_EXIT_INSN();
183 self->retval = (uint32_t)res;
186 /* BPF_SK_LOOKUP contains 13 instructions, if you need to fix up maps */
187 #define BPF_SK_LOOKUP \
188 /* struct bpf_sock_tuple tuple = {} */ \
189 BPF_MOV64_IMM(BPF_REG_2, 0), \
190 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_2, -8), \
191 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -16), \
192 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -24), \
193 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -32), \
194 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -40), \
195 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -48), \
196 /* sk = sk_lookup_tcp(ctx, &tuple, sizeof tuple, 0, 0) */ \
197 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), \
198 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48), \
199 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct bpf_sock_tuple)), \
200 BPF_MOV64_IMM(BPF_REG_4, 0), \
201 BPF_MOV64_IMM(BPF_REG_5, 0), \
202 BPF_EMIT_CALL(BPF_FUNC_sk_lookup_tcp)
204 static struct bpf_test tests[] = {
208 BPF_MOV64_IMM(BPF_REG_1, 1),
209 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
210 BPF_MOV64_IMM(BPF_REG_2, 3),
211 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
212 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
213 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
214 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
221 "DIV32 by 0, zero check 1",
223 BPF_MOV32_IMM(BPF_REG_0, 42),
224 BPF_MOV32_IMM(BPF_REG_1, 0),
225 BPF_MOV32_IMM(BPF_REG_2, 1),
226 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
233 "DIV32 by 0, zero check 2",
235 BPF_MOV32_IMM(BPF_REG_0, 42),
236 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
237 BPF_MOV32_IMM(BPF_REG_2, 1),
238 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
245 "DIV64 by 0, zero check",
247 BPF_MOV32_IMM(BPF_REG_0, 42),
248 BPF_MOV32_IMM(BPF_REG_1, 0),
249 BPF_MOV32_IMM(BPF_REG_2, 1),
250 BPF_ALU64_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
257 "MOD32 by 0, zero check 1",
259 BPF_MOV32_IMM(BPF_REG_0, 42),
260 BPF_MOV32_IMM(BPF_REG_1, 0),
261 BPF_MOV32_IMM(BPF_REG_2, 1),
262 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
269 "MOD32 by 0, zero check 2",
271 BPF_MOV32_IMM(BPF_REG_0, 42),
272 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
273 BPF_MOV32_IMM(BPF_REG_2, 1),
274 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
281 "MOD64 by 0, zero check",
283 BPF_MOV32_IMM(BPF_REG_0, 42),
284 BPF_MOV32_IMM(BPF_REG_1, 0),
285 BPF_MOV32_IMM(BPF_REG_2, 1),
286 BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
293 "DIV32 by 0, zero check ok, cls",
295 BPF_MOV32_IMM(BPF_REG_0, 42),
296 BPF_MOV32_IMM(BPF_REG_1, 2),
297 BPF_MOV32_IMM(BPF_REG_2, 16),
298 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
299 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
302 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
307 "DIV32 by 0, zero check 1, cls",
309 BPF_MOV32_IMM(BPF_REG_1, 0),
310 BPF_MOV32_IMM(BPF_REG_0, 1),
311 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
314 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
319 "DIV32 by 0, zero check 2, cls",
321 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
322 BPF_MOV32_IMM(BPF_REG_0, 1),
323 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
326 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
331 "DIV64 by 0, zero check, cls",
333 BPF_MOV32_IMM(BPF_REG_1, 0),
334 BPF_MOV32_IMM(BPF_REG_0, 1),
335 BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
338 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
343 "MOD32 by 0, zero check ok, cls",
345 BPF_MOV32_IMM(BPF_REG_0, 42),
346 BPF_MOV32_IMM(BPF_REG_1, 3),
347 BPF_MOV32_IMM(BPF_REG_2, 5),
348 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
349 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
352 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
357 "MOD32 by 0, zero check 1, cls",
359 BPF_MOV32_IMM(BPF_REG_1, 0),
360 BPF_MOV32_IMM(BPF_REG_0, 1),
361 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
364 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
369 "MOD32 by 0, zero check 2, cls",
371 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
372 BPF_MOV32_IMM(BPF_REG_0, 1),
373 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
376 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
381 "MOD64 by 0, zero check 1, cls",
383 BPF_MOV32_IMM(BPF_REG_1, 0),
384 BPF_MOV32_IMM(BPF_REG_0, 2),
385 BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
388 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
393 "MOD64 by 0, zero check 2, cls",
395 BPF_MOV32_IMM(BPF_REG_1, 0),
396 BPF_MOV32_IMM(BPF_REG_0, -1),
397 BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
400 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
404 /* Just make sure that JITs used udiv/umod as otherwise we get
405 * an exception from INT_MIN/-1 overflow similarly as with div
409 "DIV32 overflow, check 1",
411 BPF_MOV32_IMM(BPF_REG_1, -1),
412 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
413 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
416 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
421 "DIV32 overflow, check 2",
423 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
424 BPF_ALU32_IMM(BPF_DIV, BPF_REG_0, -1),
427 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
432 "DIV64 overflow, check 1",
434 BPF_MOV64_IMM(BPF_REG_1, -1),
435 BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
436 BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
439 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
444 "DIV64 overflow, check 2",
446 BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
447 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, -1),
450 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
455 "MOD32 overflow, check 1",
457 BPF_MOV32_IMM(BPF_REG_1, -1),
458 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
459 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
462 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
467 "MOD32 overflow, check 2",
469 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
470 BPF_ALU32_IMM(BPF_MOD, BPF_REG_0, -1),
473 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
478 "MOD64 overflow, check 1",
480 BPF_MOV64_IMM(BPF_REG_1, -1),
481 BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
482 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
483 BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
484 BPF_MOV32_IMM(BPF_REG_0, 0),
485 BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
486 BPF_MOV32_IMM(BPF_REG_0, 1),
489 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
494 "MOD64 overflow, check 2",
496 BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
497 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
498 BPF_ALU64_IMM(BPF_MOD, BPF_REG_2, -1),
499 BPF_MOV32_IMM(BPF_REG_0, 0),
500 BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
501 BPF_MOV32_IMM(BPF_REG_0, 1),
504 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
509 "xor32 zero extend check",
511 BPF_MOV32_IMM(BPF_REG_2, -1),
512 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32),
513 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 0xffff),
514 BPF_ALU32_REG(BPF_XOR, BPF_REG_2, BPF_REG_2),
515 BPF_MOV32_IMM(BPF_REG_0, 2),
516 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1),
517 BPF_MOV32_IMM(BPF_REG_0, 1),
520 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
528 .errstr = "unknown opcode 00",
536 .errstr = "R0 !read_ok",
545 .errstr = "unreachable",
551 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
552 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
555 .errstr = "unreachable",
561 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
564 .errstr = "jump out of range",
568 "out of range jump2",
570 BPF_JMP_IMM(BPF_JA, 0, 0, -2),
573 .errstr = "jump out of range",
579 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
580 BPF_LD_IMM64(BPF_REG_0, 0),
581 BPF_LD_IMM64(BPF_REG_0, 0),
582 BPF_LD_IMM64(BPF_REG_0, 1),
583 BPF_LD_IMM64(BPF_REG_0, 1),
584 BPF_MOV64_IMM(BPF_REG_0, 2),
587 .errstr = "invalid BPF_LD_IMM insn",
588 .errstr_unpriv = "R1 pointer comparison",
594 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
595 BPF_LD_IMM64(BPF_REG_0, 0),
596 BPF_LD_IMM64(BPF_REG_0, 0),
597 BPF_LD_IMM64(BPF_REG_0, 1),
598 BPF_LD_IMM64(BPF_REG_0, 1),
601 .errstr = "invalid BPF_LD_IMM insn",
602 .errstr_unpriv = "R1 pointer comparison",
608 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
609 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
610 BPF_LD_IMM64(BPF_REG_0, 0),
611 BPF_LD_IMM64(BPF_REG_0, 0),
612 BPF_LD_IMM64(BPF_REG_0, 1),
613 BPF_LD_IMM64(BPF_REG_0, 1),
616 .errstr = "invalid bpf_ld_imm64 insn",
622 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
625 .errstr = "invalid bpf_ld_imm64 insn",
631 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
633 .errstr = "invalid bpf_ld_imm64 insn",
639 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
640 BPF_RAW_INSN(0, 0, 0, 0, 0),
648 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
649 BPF_RAW_INSN(0, 0, 0, 0, 1),
658 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
659 BPF_RAW_INSN(0, 0, 0, 0, 1),
662 .errstr = "uses reserved fields",
668 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
669 BPF_RAW_INSN(0, 0, 0, 1, 1),
672 .errstr = "invalid bpf_ld_imm64 insn",
678 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
679 BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
682 .errstr = "invalid bpf_ld_imm64 insn",
688 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
689 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
692 .errstr = "invalid bpf_ld_imm64 insn",
698 BPF_MOV64_IMM(BPF_REG_1, 0),
699 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
700 BPF_RAW_INSN(0, 0, 0, 0, 1),
703 .errstr = "not pointing to valid bpf_map",
709 BPF_MOV64_IMM(BPF_REG_1, 0),
710 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
711 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
714 .errstr = "invalid bpf_ld_imm64 insn",
720 BPF_MOV64_IMM(BPF_REG_0, 1),
721 BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 5),
725 .errstr = "unknown opcode c4",
730 BPF_MOV64_IMM(BPF_REG_0, 1),
731 BPF_MOV64_IMM(BPF_REG_1, 5),
732 BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
736 .errstr = "unknown opcode cc",
741 BPF_MOV64_IMM(BPF_REG_0, 1),
742 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_0, 5),
750 BPF_MOV64_IMM(BPF_REG_0, 1),
751 BPF_MOV64_IMM(BPF_REG_1, 5),
752 BPF_ALU64_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
760 BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
762 .errstr = "not an exit",
768 BPF_JMP_IMM(BPF_JA, 0, 0, -1),
771 .errstr = "back-edge",
777 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
778 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
779 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
780 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
783 .errstr = "back-edge",
789 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
790 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
791 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
792 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
795 .errstr = "back-edge",
799 "read uninitialized register",
801 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
804 .errstr = "R2 !read_ok",
808 "read invalid register",
810 BPF_MOV64_REG(BPF_REG_0, -1),
813 .errstr = "R15 is invalid",
817 "program doesn't init R0 before exit",
819 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
822 .errstr = "R0 !read_ok",
826 "program doesn't init R0 before exit in all branches",
828 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
829 BPF_MOV64_IMM(BPF_REG_0, 1),
830 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
833 .errstr = "R0 !read_ok",
834 .errstr_unpriv = "R1 pointer comparison",
838 "stack out of bounds",
840 BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
843 .errstr = "invalid stack",
847 "invalid call insn1",
849 BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
852 .errstr = "unknown opcode 8d",
856 "invalid call insn2",
858 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
861 .errstr = "BPF_CALL uses reserved",
865 "invalid function call",
867 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
870 .errstr = "invalid func unknown#1234567",
874 "uninitialized stack1",
876 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
877 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
878 BPF_LD_MAP_FD(BPF_REG_1, 0),
879 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
880 BPF_FUNC_map_lookup_elem),
883 .fixup_map_hash_8b = { 2 },
884 .errstr = "invalid indirect read from stack",
888 "uninitialized stack2",
890 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
891 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
894 .errstr = "invalid read from stack",
898 "invalid fp arithmetic",
899 /* If this gets ever changed, make sure JITs can deal with it. */
901 BPF_MOV64_IMM(BPF_REG_0, 0),
902 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
903 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
904 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
907 .errstr = "R1 subtraction from stack pointer",
911 "non-invalid fp arithmetic",
913 BPF_MOV64_IMM(BPF_REG_0, 0),
914 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
920 "invalid argument register",
922 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
923 BPF_FUNC_get_cgroup_classid),
924 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
925 BPF_FUNC_get_cgroup_classid),
928 .errstr = "R1 !read_ok",
930 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
933 "non-invalid argument register",
935 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
936 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
937 BPF_FUNC_get_cgroup_classid),
938 BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
939 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
940 BPF_FUNC_get_cgroup_classid),
944 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
947 "check valid spill/fill",
949 /* spill R1(ctx) into stack */
950 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
951 /* fill it back into R2 */
952 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
953 /* should be able to access R0 = *(R2 + 8) */
954 /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
955 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
958 .errstr_unpriv = "R0 leaks addr",
960 .result_unpriv = REJECT,
961 .retval = POINTER_VALUE,
964 "check valid spill/fill, skb mark",
966 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
967 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
968 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
969 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
970 offsetof(struct __sk_buff, mark)),
974 .result_unpriv = ACCEPT,
977 "check corrupted spill/fill",
979 /* spill R1(ctx) into stack */
980 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
981 /* mess up with R1 pointer on stack */
982 BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
983 /* fill back into R0 should fail */
984 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
987 .errstr_unpriv = "attempt to corrupt spilled",
988 .errstr = "corrupted spill",
992 "invalid src register in STX",
994 BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
997 .errstr = "R15 is invalid",
1001 "invalid dst register in STX",
1003 BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
1006 .errstr = "R14 is invalid",
1010 "invalid dst register in ST",
1012 BPF_ST_MEM(BPF_B, 14, -1, -1),
1015 .errstr = "R14 is invalid",
1019 "invalid src register in LDX",
1021 BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
1024 .errstr = "R12 is invalid",
1028 "invalid dst register in LDX",
1030 BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
1033 .errstr = "R11 is invalid",
1039 BPF_RAW_INSN(0, 0, 0, 0, 0),
1042 .errstr = "unknown opcode 00",
1048 BPF_RAW_INSN(1, 0, 0, 0, 0),
1051 .errstr = "BPF_LDX uses reserved fields",
1057 BPF_RAW_INSN(-1, 0, 0, 0, 0),
1060 .errstr = "unknown opcode ff",
1066 BPF_RAW_INSN(-1, -1, -1, -1, -1),
1069 .errstr = "unknown opcode ff",
1075 BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
1078 .errstr = "BPF_ALU uses reserved fields",
1082 "misaligned read from stack",
1084 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1085 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
1088 .errstr = "misaligned stack access",
1092 "invalid map_fd for function call",
1094 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1095 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
1096 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1097 BPF_LD_MAP_FD(BPF_REG_1, 0),
1098 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1099 BPF_FUNC_map_delete_elem),
1102 .errstr = "fd 0 is not pointing to valid bpf_map",
1106 "don't check return value before access",
1108 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1109 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1110 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1111 BPF_LD_MAP_FD(BPF_REG_1, 0),
1112 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1113 BPF_FUNC_map_lookup_elem),
1114 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1117 .fixup_map_hash_8b = { 3 },
1118 .errstr = "R0 invalid mem access 'map_value_or_null'",
1122 "access memory with incorrect alignment",
1124 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1125 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1126 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1127 BPF_LD_MAP_FD(BPF_REG_1, 0),
1128 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1129 BPF_FUNC_map_lookup_elem),
1130 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1131 BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
1134 .fixup_map_hash_8b = { 3 },
1135 .errstr = "misaligned value access",
1137 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1140 "sometimes access memory with incorrect alignment",
1142 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1143 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1144 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1145 BPF_LD_MAP_FD(BPF_REG_1, 0),
1146 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1147 BPF_FUNC_map_lookup_elem),
1148 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
1149 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1151 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
1154 .fixup_map_hash_8b = { 3 },
1155 .errstr = "R0 invalid mem access",
1156 .errstr_unpriv = "R0 leaks addr",
1158 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1163 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1164 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
1165 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
1166 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1167 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
1168 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
1169 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
1170 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
1171 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
1172 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
1173 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
1174 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
1175 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1176 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
1177 BPF_MOV64_IMM(BPF_REG_0, 0),
1180 .errstr_unpriv = "R1 pointer comparison",
1181 .result_unpriv = REJECT,
1187 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1188 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
1189 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1190 BPF_JMP_IMM(BPF_JA, 0, 0, 14),
1191 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
1192 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1193 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1194 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
1195 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1196 BPF_JMP_IMM(BPF_JA, 0, 0, 8),
1197 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
1198 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1199 BPF_JMP_IMM(BPF_JA, 0, 0, 5),
1200 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
1201 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1202 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1203 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1204 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1205 BPF_MOV64_IMM(BPF_REG_0, 0),
1208 .errstr_unpriv = "R1 pointer comparison",
1209 .result_unpriv = REJECT,
1215 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1216 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1217 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1218 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1219 BPF_JMP_IMM(BPF_JA, 0, 0, 19),
1220 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
1221 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1222 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1223 BPF_JMP_IMM(BPF_JA, 0, 0, 15),
1224 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
1225 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1226 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
1227 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1228 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
1229 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1230 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
1231 BPF_JMP_IMM(BPF_JA, 0, 0, 7),
1232 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
1233 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1234 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
1235 BPF_JMP_IMM(BPF_JA, 0, 0, 3),
1236 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
1237 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1238 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
1239 BPF_LD_MAP_FD(BPF_REG_1, 0),
1240 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1241 BPF_FUNC_map_delete_elem),
1244 .fixup_map_hash_8b = { 24 },
1245 .errstr_unpriv = "R1 pointer comparison",
1246 .result_unpriv = REJECT,
1253 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1254 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1255 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1256 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1257 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1258 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1259 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1260 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1261 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1262 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1263 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1264 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1265 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1266 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1267 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1268 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1269 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1270 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1271 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1272 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1273 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1274 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1275 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1276 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1277 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1278 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1279 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1280 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1281 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1282 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1283 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1284 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1285 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1286 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1287 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1288 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1289 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1290 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1291 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1292 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1293 BPF_MOV64_IMM(BPF_REG_0, 0),
1296 .errstr_unpriv = "R1 pointer comparison",
1297 .result_unpriv = REJECT,
1303 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1304 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1305 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1306 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1307 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1308 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1309 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1310 BPF_MOV64_IMM(BPF_REG_0, 0),
1311 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1312 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1313 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1314 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1315 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1316 BPF_MOV64_IMM(BPF_REG_0, 0),
1317 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1318 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1319 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1320 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1321 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1322 BPF_MOV64_IMM(BPF_REG_0, 0),
1323 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1324 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1325 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1326 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1327 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1328 BPF_MOV64_IMM(BPF_REG_0, 0),
1329 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1330 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1331 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1332 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1333 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1334 BPF_MOV64_IMM(BPF_REG_0, 0),
1337 .errstr_unpriv = "R1 pointer comparison",
1338 .result_unpriv = REJECT,
1342 "access skb fields ok",
1344 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1345 offsetof(struct __sk_buff, len)),
1346 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1347 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1348 offsetof(struct __sk_buff, mark)),
1349 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1350 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1351 offsetof(struct __sk_buff, pkt_type)),
1352 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1353 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1354 offsetof(struct __sk_buff, queue_mapping)),
1355 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1356 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1357 offsetof(struct __sk_buff, protocol)),
1358 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1359 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1360 offsetof(struct __sk_buff, vlan_present)),
1361 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1362 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1363 offsetof(struct __sk_buff, vlan_tci)),
1364 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1365 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1366 offsetof(struct __sk_buff, napi_id)),
1367 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1373 "access skb fields bad1",
1375 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
1378 .errstr = "invalid bpf_context access",
1382 "access skb fields bad2",
1384 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
1385 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1386 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1387 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1388 BPF_LD_MAP_FD(BPF_REG_1, 0),
1389 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1390 BPF_FUNC_map_lookup_elem),
1391 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1393 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1394 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1395 offsetof(struct __sk_buff, pkt_type)),
1398 .fixup_map_hash_8b = { 4 },
1399 .errstr = "different pointers",
1400 .errstr_unpriv = "R1 pointer comparison",
1404 "access skb fields bad3",
1406 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1407 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1408 offsetof(struct __sk_buff, pkt_type)),
1410 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1411 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1412 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1413 BPF_LD_MAP_FD(BPF_REG_1, 0),
1414 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1415 BPF_FUNC_map_lookup_elem),
1416 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1418 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1419 BPF_JMP_IMM(BPF_JA, 0, 0, -12),
1421 .fixup_map_hash_8b = { 6 },
1422 .errstr = "different pointers",
1423 .errstr_unpriv = "R1 pointer comparison",
1427 "access skb fields bad4",
1429 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
1430 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1431 offsetof(struct __sk_buff, len)),
1432 BPF_MOV64_IMM(BPF_REG_0, 0),
1434 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1435 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1436 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1437 BPF_LD_MAP_FD(BPF_REG_1, 0),
1438 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1439 BPF_FUNC_map_lookup_elem),
1440 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1442 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1443 BPF_JMP_IMM(BPF_JA, 0, 0, -13),
1445 .fixup_map_hash_8b = { 7 },
1446 .errstr = "different pointers",
1447 .errstr_unpriv = "R1 pointer comparison",
1451 "invalid access __sk_buff family",
1453 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1454 offsetof(struct __sk_buff, family)),
1457 .errstr = "invalid bpf_context access",
1461 "invalid access __sk_buff remote_ip4",
1463 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1464 offsetof(struct __sk_buff, remote_ip4)),
1467 .errstr = "invalid bpf_context access",
1471 "invalid access __sk_buff local_ip4",
1473 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1474 offsetof(struct __sk_buff, local_ip4)),
1477 .errstr = "invalid bpf_context access",
1481 "invalid access __sk_buff remote_ip6",
1483 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1484 offsetof(struct __sk_buff, remote_ip6)),
1487 .errstr = "invalid bpf_context access",
1491 "invalid access __sk_buff local_ip6",
1493 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1494 offsetof(struct __sk_buff, local_ip6)),
1497 .errstr = "invalid bpf_context access",
1501 "invalid access __sk_buff remote_port",
1503 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1504 offsetof(struct __sk_buff, remote_port)),
1507 .errstr = "invalid bpf_context access",
1511 "invalid access __sk_buff remote_port",
1513 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1514 offsetof(struct __sk_buff, local_port)),
1517 .errstr = "invalid bpf_context access",
1521 "valid access __sk_buff family",
1523 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1524 offsetof(struct __sk_buff, family)),
1528 .prog_type = BPF_PROG_TYPE_SK_SKB,
1531 "valid access __sk_buff remote_ip4",
1533 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1534 offsetof(struct __sk_buff, remote_ip4)),
1538 .prog_type = BPF_PROG_TYPE_SK_SKB,
1541 "valid access __sk_buff local_ip4",
1543 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1544 offsetof(struct __sk_buff, local_ip4)),
1548 .prog_type = BPF_PROG_TYPE_SK_SKB,
1551 "valid access __sk_buff remote_ip6",
1553 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1554 offsetof(struct __sk_buff, remote_ip6[0])),
1555 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1556 offsetof(struct __sk_buff, remote_ip6[1])),
1557 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1558 offsetof(struct __sk_buff, remote_ip6[2])),
1559 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1560 offsetof(struct __sk_buff, remote_ip6[3])),
1564 .prog_type = BPF_PROG_TYPE_SK_SKB,
1567 "valid access __sk_buff local_ip6",
1569 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1570 offsetof(struct __sk_buff, local_ip6[0])),
1571 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1572 offsetof(struct __sk_buff, local_ip6[1])),
1573 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1574 offsetof(struct __sk_buff, local_ip6[2])),
1575 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1576 offsetof(struct __sk_buff, local_ip6[3])),
1580 .prog_type = BPF_PROG_TYPE_SK_SKB,
1583 "valid access __sk_buff remote_port",
1585 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1586 offsetof(struct __sk_buff, remote_port)),
1590 .prog_type = BPF_PROG_TYPE_SK_SKB,
1593 "valid access __sk_buff remote_port",
1595 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1596 offsetof(struct __sk_buff, local_port)),
1600 .prog_type = BPF_PROG_TYPE_SK_SKB,
1603 "invalid access of tc_classid for SK_SKB",
1605 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1606 offsetof(struct __sk_buff, tc_classid)),
1610 .prog_type = BPF_PROG_TYPE_SK_SKB,
1611 .errstr = "invalid bpf_context access",
1614 "invalid access of skb->mark for SK_SKB",
1616 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1617 offsetof(struct __sk_buff, mark)),
1621 .prog_type = BPF_PROG_TYPE_SK_SKB,
1622 .errstr = "invalid bpf_context access",
1625 "check skb->mark is not writeable by SK_SKB",
1627 BPF_MOV64_IMM(BPF_REG_0, 0),
1628 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1629 offsetof(struct __sk_buff, mark)),
1633 .prog_type = BPF_PROG_TYPE_SK_SKB,
1634 .errstr = "invalid bpf_context access",
1637 "check skb->tc_index is writeable by SK_SKB",
1639 BPF_MOV64_IMM(BPF_REG_0, 0),
1640 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1641 offsetof(struct __sk_buff, tc_index)),
1645 .prog_type = BPF_PROG_TYPE_SK_SKB,
1648 "check skb->priority is writeable by SK_SKB",
1650 BPF_MOV64_IMM(BPF_REG_0, 0),
1651 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1652 offsetof(struct __sk_buff, priority)),
1656 .prog_type = BPF_PROG_TYPE_SK_SKB,
1659 "direct packet read for SK_SKB",
1661 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1662 offsetof(struct __sk_buff, data)),
1663 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1664 offsetof(struct __sk_buff, data_end)),
1665 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1666 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1667 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1668 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1669 BPF_MOV64_IMM(BPF_REG_0, 0),
1673 .prog_type = BPF_PROG_TYPE_SK_SKB,
1676 "direct packet write for SK_SKB",
1678 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1679 offsetof(struct __sk_buff, data)),
1680 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1681 offsetof(struct __sk_buff, data_end)),
1682 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1683 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1684 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1685 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1686 BPF_MOV64_IMM(BPF_REG_0, 0),
1690 .prog_type = BPF_PROG_TYPE_SK_SKB,
1693 "overlapping checks for direct packet access SK_SKB",
1695 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1696 offsetof(struct __sk_buff, data)),
1697 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1698 offsetof(struct __sk_buff, data_end)),
1699 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1700 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1701 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1702 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1703 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1704 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1705 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1706 BPF_MOV64_IMM(BPF_REG_0, 0),
1710 .prog_type = BPF_PROG_TYPE_SK_SKB,
1713 "valid access family in SK_MSG",
1715 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1716 offsetof(struct sk_msg_md, family)),
1720 .prog_type = BPF_PROG_TYPE_SK_MSG,
1723 "valid access remote_ip4 in SK_MSG",
1725 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1726 offsetof(struct sk_msg_md, remote_ip4)),
1730 .prog_type = BPF_PROG_TYPE_SK_MSG,
1733 "valid access local_ip4 in SK_MSG",
1735 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1736 offsetof(struct sk_msg_md, local_ip4)),
1740 .prog_type = BPF_PROG_TYPE_SK_MSG,
1743 "valid access remote_port in SK_MSG",
1745 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1746 offsetof(struct sk_msg_md, remote_port)),
1750 .prog_type = BPF_PROG_TYPE_SK_MSG,
1753 "valid access local_port in SK_MSG",
1755 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1756 offsetof(struct sk_msg_md, local_port)),
1760 .prog_type = BPF_PROG_TYPE_SK_MSG,
1763 "valid access remote_ip6 in SK_MSG",
1765 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1766 offsetof(struct sk_msg_md, remote_ip6[0])),
1767 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1768 offsetof(struct sk_msg_md, remote_ip6[1])),
1769 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1770 offsetof(struct sk_msg_md, remote_ip6[2])),
1771 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1772 offsetof(struct sk_msg_md, remote_ip6[3])),
1776 .prog_type = BPF_PROG_TYPE_SK_SKB,
1779 "valid access local_ip6 in SK_MSG",
1781 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1782 offsetof(struct sk_msg_md, local_ip6[0])),
1783 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1784 offsetof(struct sk_msg_md, local_ip6[1])),
1785 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1786 offsetof(struct sk_msg_md, local_ip6[2])),
1787 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1788 offsetof(struct sk_msg_md, local_ip6[3])),
1792 .prog_type = BPF_PROG_TYPE_SK_SKB,
1795 "invalid 64B read of family in SK_MSG",
1797 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1798 offsetof(struct sk_msg_md, family)),
1801 .errstr = "invalid bpf_context access",
1803 .prog_type = BPF_PROG_TYPE_SK_MSG,
1806 "invalid read past end of SK_MSG",
1808 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1809 offsetof(struct sk_msg_md, local_port) + 4),
1812 .errstr = "R0 !read_ok",
1814 .prog_type = BPF_PROG_TYPE_SK_MSG,
1817 "invalid read offset in SK_MSG",
1819 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1820 offsetof(struct sk_msg_md, family) + 1),
1823 .errstr = "invalid bpf_context access",
1825 .prog_type = BPF_PROG_TYPE_SK_MSG,
1828 "direct packet read for SK_MSG",
1830 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1831 offsetof(struct sk_msg_md, data)),
1832 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1833 offsetof(struct sk_msg_md, data_end)),
1834 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1835 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1836 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1837 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1838 BPF_MOV64_IMM(BPF_REG_0, 0),
1842 .prog_type = BPF_PROG_TYPE_SK_MSG,
1845 "direct packet write for SK_MSG",
1847 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1848 offsetof(struct sk_msg_md, data)),
1849 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1850 offsetof(struct sk_msg_md, data_end)),
1851 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1852 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1853 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1854 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1855 BPF_MOV64_IMM(BPF_REG_0, 0),
1859 .prog_type = BPF_PROG_TYPE_SK_MSG,
1862 "overlapping checks for direct packet access SK_MSG",
1864 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1865 offsetof(struct sk_msg_md, data)),
1866 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1867 offsetof(struct sk_msg_md, data_end)),
1868 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1869 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1870 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1871 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1872 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1873 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1874 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1875 BPF_MOV64_IMM(BPF_REG_0, 0),
1879 .prog_type = BPF_PROG_TYPE_SK_MSG,
1882 "check skb->mark is not writeable by sockets",
1884 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1885 offsetof(struct __sk_buff, mark)),
1888 .errstr = "invalid bpf_context access",
1889 .errstr_unpriv = "R1 leaks addr",
1893 "check skb->tc_index is not writeable by sockets",
1895 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1896 offsetof(struct __sk_buff, tc_index)),
1899 .errstr = "invalid bpf_context access",
1900 .errstr_unpriv = "R1 leaks addr",
1904 "check cb access: byte",
1906 BPF_MOV64_IMM(BPF_REG_0, 0),
1907 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1908 offsetof(struct __sk_buff, cb[0])),
1909 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1910 offsetof(struct __sk_buff, cb[0]) + 1),
1911 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1912 offsetof(struct __sk_buff, cb[0]) + 2),
1913 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1914 offsetof(struct __sk_buff, cb[0]) + 3),
1915 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1916 offsetof(struct __sk_buff, cb[1])),
1917 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1918 offsetof(struct __sk_buff, cb[1]) + 1),
1919 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1920 offsetof(struct __sk_buff, cb[1]) + 2),
1921 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1922 offsetof(struct __sk_buff, cb[1]) + 3),
1923 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1924 offsetof(struct __sk_buff, cb[2])),
1925 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1926 offsetof(struct __sk_buff, cb[2]) + 1),
1927 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1928 offsetof(struct __sk_buff, cb[2]) + 2),
1929 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1930 offsetof(struct __sk_buff, cb[2]) + 3),
1931 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1932 offsetof(struct __sk_buff, cb[3])),
1933 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1934 offsetof(struct __sk_buff, cb[3]) + 1),
1935 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1936 offsetof(struct __sk_buff, cb[3]) + 2),
1937 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1938 offsetof(struct __sk_buff, cb[3]) + 3),
1939 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1940 offsetof(struct __sk_buff, cb[4])),
1941 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1942 offsetof(struct __sk_buff, cb[4]) + 1),
1943 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1944 offsetof(struct __sk_buff, cb[4]) + 2),
1945 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1946 offsetof(struct __sk_buff, cb[4]) + 3),
1947 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1948 offsetof(struct __sk_buff, cb[0])),
1949 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1950 offsetof(struct __sk_buff, cb[0]) + 1),
1951 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1952 offsetof(struct __sk_buff, cb[0]) + 2),
1953 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1954 offsetof(struct __sk_buff, cb[0]) + 3),
1955 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1956 offsetof(struct __sk_buff, cb[1])),
1957 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1958 offsetof(struct __sk_buff, cb[1]) + 1),
1959 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1960 offsetof(struct __sk_buff, cb[1]) + 2),
1961 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1962 offsetof(struct __sk_buff, cb[1]) + 3),
1963 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1964 offsetof(struct __sk_buff, cb[2])),
1965 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1966 offsetof(struct __sk_buff, cb[2]) + 1),
1967 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1968 offsetof(struct __sk_buff, cb[2]) + 2),
1969 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1970 offsetof(struct __sk_buff, cb[2]) + 3),
1971 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1972 offsetof(struct __sk_buff, cb[3])),
1973 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1974 offsetof(struct __sk_buff, cb[3]) + 1),
1975 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1976 offsetof(struct __sk_buff, cb[3]) + 2),
1977 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1978 offsetof(struct __sk_buff, cb[3]) + 3),
1979 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1980 offsetof(struct __sk_buff, cb[4])),
1981 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1982 offsetof(struct __sk_buff, cb[4]) + 1),
1983 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1984 offsetof(struct __sk_buff, cb[4]) + 2),
1985 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1986 offsetof(struct __sk_buff, cb[4]) + 3),
1992 "__sk_buff->hash, offset 0, byte store not permitted",
1994 BPF_MOV64_IMM(BPF_REG_0, 0),
1995 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1996 offsetof(struct __sk_buff, hash)),
1999 .errstr = "invalid bpf_context access",
2003 "__sk_buff->tc_index, offset 3, byte store not permitted",
2005 BPF_MOV64_IMM(BPF_REG_0, 0),
2006 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2007 offsetof(struct __sk_buff, tc_index) + 3),
2010 .errstr = "invalid bpf_context access",
2014 "check skb->hash byte load permitted",
2016 BPF_MOV64_IMM(BPF_REG_0, 0),
2017 #if __BYTE_ORDER == __LITTLE_ENDIAN
2018 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2019 offsetof(struct __sk_buff, hash)),
2021 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2022 offsetof(struct __sk_buff, hash) + 3),
2029 "check skb->hash byte load not permitted 1",
2031 BPF_MOV64_IMM(BPF_REG_0, 0),
2032 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2033 offsetof(struct __sk_buff, hash) + 1),
2036 .errstr = "invalid bpf_context access",
2040 "check skb->hash byte load not permitted 2",
2042 BPF_MOV64_IMM(BPF_REG_0, 0),
2043 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2044 offsetof(struct __sk_buff, hash) + 2),
2047 .errstr = "invalid bpf_context access",
2051 "check skb->hash byte load not permitted 3",
2053 BPF_MOV64_IMM(BPF_REG_0, 0),
2054 #if __BYTE_ORDER == __LITTLE_ENDIAN
2055 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2056 offsetof(struct __sk_buff, hash) + 3),
2058 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2059 offsetof(struct __sk_buff, hash)),
2063 .errstr = "invalid bpf_context access",
2067 "check cb access: byte, wrong type",
2069 BPF_MOV64_IMM(BPF_REG_0, 0),
2070 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2071 offsetof(struct __sk_buff, cb[0])),
2074 .errstr = "invalid bpf_context access",
2076 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2079 "check cb access: half",
2081 BPF_MOV64_IMM(BPF_REG_0, 0),
2082 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2083 offsetof(struct __sk_buff, cb[0])),
2084 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2085 offsetof(struct __sk_buff, cb[0]) + 2),
2086 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2087 offsetof(struct __sk_buff, cb[1])),
2088 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2089 offsetof(struct __sk_buff, cb[1]) + 2),
2090 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2091 offsetof(struct __sk_buff, cb[2])),
2092 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2093 offsetof(struct __sk_buff, cb[2]) + 2),
2094 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2095 offsetof(struct __sk_buff, cb[3])),
2096 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2097 offsetof(struct __sk_buff, cb[3]) + 2),
2098 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2099 offsetof(struct __sk_buff, cb[4])),
2100 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2101 offsetof(struct __sk_buff, cb[4]) + 2),
2102 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2103 offsetof(struct __sk_buff, cb[0])),
2104 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2105 offsetof(struct __sk_buff, cb[0]) + 2),
2106 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2107 offsetof(struct __sk_buff, cb[1])),
2108 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2109 offsetof(struct __sk_buff, cb[1]) + 2),
2110 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2111 offsetof(struct __sk_buff, cb[2])),
2112 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2113 offsetof(struct __sk_buff, cb[2]) + 2),
2114 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2115 offsetof(struct __sk_buff, cb[3])),
2116 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2117 offsetof(struct __sk_buff, cb[3]) + 2),
2118 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2119 offsetof(struct __sk_buff, cb[4])),
2120 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2121 offsetof(struct __sk_buff, cb[4]) + 2),
2127 "check cb access: half, unaligned",
2129 BPF_MOV64_IMM(BPF_REG_0, 0),
2130 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2131 offsetof(struct __sk_buff, cb[0]) + 1),
2134 .errstr = "misaligned context access",
2136 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2139 "check __sk_buff->hash, offset 0, half store not permitted",
2141 BPF_MOV64_IMM(BPF_REG_0, 0),
2142 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2143 offsetof(struct __sk_buff, hash)),
2146 .errstr = "invalid bpf_context access",
2150 "check __sk_buff->tc_index, offset 2, half store not permitted",
2152 BPF_MOV64_IMM(BPF_REG_0, 0),
2153 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2154 offsetof(struct __sk_buff, tc_index) + 2),
2157 .errstr = "invalid bpf_context access",
2161 "check skb->hash half load permitted",
2163 BPF_MOV64_IMM(BPF_REG_0, 0),
2164 #if __BYTE_ORDER == __LITTLE_ENDIAN
2165 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2166 offsetof(struct __sk_buff, hash)),
2168 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2169 offsetof(struct __sk_buff, hash) + 2),
2176 "check skb->hash half load not permitted",
2178 BPF_MOV64_IMM(BPF_REG_0, 0),
2179 #if __BYTE_ORDER == __LITTLE_ENDIAN
2180 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2181 offsetof(struct __sk_buff, hash) + 2),
2183 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2184 offsetof(struct __sk_buff, hash)),
2188 .errstr = "invalid bpf_context access",
2192 "check cb access: half, wrong type",
2194 BPF_MOV64_IMM(BPF_REG_0, 0),
2195 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2196 offsetof(struct __sk_buff, cb[0])),
2199 .errstr = "invalid bpf_context access",
2201 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2204 "check cb access: word",
2206 BPF_MOV64_IMM(BPF_REG_0, 0),
2207 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2208 offsetof(struct __sk_buff, cb[0])),
2209 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2210 offsetof(struct __sk_buff, cb[1])),
2211 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2212 offsetof(struct __sk_buff, cb[2])),
2213 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2214 offsetof(struct __sk_buff, cb[3])),
2215 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2216 offsetof(struct __sk_buff, cb[4])),
2217 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2218 offsetof(struct __sk_buff, cb[0])),
2219 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2220 offsetof(struct __sk_buff, cb[1])),
2221 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2222 offsetof(struct __sk_buff, cb[2])),
2223 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2224 offsetof(struct __sk_buff, cb[3])),
2225 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2226 offsetof(struct __sk_buff, cb[4])),
2232 "check cb access: word, unaligned 1",
2234 BPF_MOV64_IMM(BPF_REG_0, 0),
2235 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2236 offsetof(struct __sk_buff, cb[0]) + 2),
2239 .errstr = "misaligned context access",
2241 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2244 "check cb access: word, unaligned 2",
2246 BPF_MOV64_IMM(BPF_REG_0, 0),
2247 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2248 offsetof(struct __sk_buff, cb[4]) + 1),
2251 .errstr = "misaligned context access",
2253 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2256 "check cb access: word, unaligned 3",
2258 BPF_MOV64_IMM(BPF_REG_0, 0),
2259 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2260 offsetof(struct __sk_buff, cb[4]) + 2),
2263 .errstr = "misaligned context access",
2265 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2268 "check cb access: word, unaligned 4",
2270 BPF_MOV64_IMM(BPF_REG_0, 0),
2271 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2272 offsetof(struct __sk_buff, cb[4]) + 3),
2275 .errstr = "misaligned context access",
2277 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2280 "check cb access: double",
2282 BPF_MOV64_IMM(BPF_REG_0, 0),
2283 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2284 offsetof(struct __sk_buff, cb[0])),
2285 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2286 offsetof(struct __sk_buff, cb[2])),
2287 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2288 offsetof(struct __sk_buff, cb[0])),
2289 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2290 offsetof(struct __sk_buff, cb[2])),
2296 "check cb access: double, unaligned 1",
2298 BPF_MOV64_IMM(BPF_REG_0, 0),
2299 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2300 offsetof(struct __sk_buff, cb[1])),
2303 .errstr = "misaligned context access",
2305 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2308 "check cb access: double, unaligned 2",
2310 BPF_MOV64_IMM(BPF_REG_0, 0),
2311 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2312 offsetof(struct __sk_buff, cb[3])),
2315 .errstr = "misaligned context access",
2317 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2320 "check cb access: double, oob 1",
2322 BPF_MOV64_IMM(BPF_REG_0, 0),
2323 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2324 offsetof(struct __sk_buff, cb[4])),
2327 .errstr = "invalid bpf_context access",
2331 "check cb access: double, oob 2",
2333 BPF_MOV64_IMM(BPF_REG_0, 0),
2334 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2335 offsetof(struct __sk_buff, cb[4])),
2338 .errstr = "invalid bpf_context access",
2342 "check __sk_buff->ifindex dw store not permitted",
2344 BPF_MOV64_IMM(BPF_REG_0, 0),
2345 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2346 offsetof(struct __sk_buff, ifindex)),
2349 .errstr = "invalid bpf_context access",
2353 "check __sk_buff->ifindex dw load not permitted",
2355 BPF_MOV64_IMM(BPF_REG_0, 0),
2356 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2357 offsetof(struct __sk_buff, ifindex)),
2360 .errstr = "invalid bpf_context access",
2364 "check cb access: double, wrong type",
2366 BPF_MOV64_IMM(BPF_REG_0, 0),
2367 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2368 offsetof(struct __sk_buff, cb[0])),
2371 .errstr = "invalid bpf_context access",
2373 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2376 "check out of range skb->cb access",
2378 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2379 offsetof(struct __sk_buff, cb[0]) + 256),
2382 .errstr = "invalid bpf_context access",
2383 .errstr_unpriv = "",
2385 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
2388 "write skb fields from socket prog",
2390 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2391 offsetof(struct __sk_buff, cb[4])),
2392 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2393 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2394 offsetof(struct __sk_buff, mark)),
2395 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2396 offsetof(struct __sk_buff, tc_index)),
2397 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2398 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2399 offsetof(struct __sk_buff, cb[0])),
2400 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2401 offsetof(struct __sk_buff, cb[2])),
2405 .errstr_unpriv = "R1 leaks addr",
2406 .result_unpriv = REJECT,
2409 "write skb fields from tc_cls_act prog",
2411 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2412 offsetof(struct __sk_buff, cb[0])),
2413 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2414 offsetof(struct __sk_buff, mark)),
2415 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2416 offsetof(struct __sk_buff, tc_index)),
2417 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2418 offsetof(struct __sk_buff, tc_index)),
2419 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2420 offsetof(struct __sk_buff, cb[3])),
2423 .errstr_unpriv = "",
2424 .result_unpriv = REJECT,
2426 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2429 "PTR_TO_STACK store/load",
2431 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2432 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2433 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2434 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2438 .retval = 0xfaceb00c,
2441 "PTR_TO_STACK store/load - bad alignment on off",
2443 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2444 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2445 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2446 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2450 .errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
2453 "PTR_TO_STACK store/load - bad alignment on reg",
2455 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2456 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2457 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2458 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2462 .errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
2465 "PTR_TO_STACK store/load - out of bounds low",
2467 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2468 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
2469 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2470 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2474 .errstr = "invalid stack off=-79992 size=8",
2477 "PTR_TO_STACK store/load - out of bounds high",
2479 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2480 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2481 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2482 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2486 .errstr = "invalid stack off=0 size=8",
2489 "unpriv: return pointer",
2491 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
2495 .result_unpriv = REJECT,
2496 .errstr_unpriv = "R0 leaks addr",
2497 .retval = POINTER_VALUE,
2500 "unpriv: add const to pointer",
2502 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2503 BPF_MOV64_IMM(BPF_REG_0, 0),
2509 "unpriv: add pointer to pointer",
2511 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2512 BPF_MOV64_IMM(BPF_REG_0, 0),
2516 .errstr = "R1 pointer += pointer",
2519 "unpriv: neg pointer",
2521 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
2522 BPF_MOV64_IMM(BPF_REG_0, 0),
2526 .result_unpriv = REJECT,
2527 .errstr_unpriv = "R1 pointer arithmetic",
2530 "unpriv: cmp pointer with const",
2532 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2533 BPF_MOV64_IMM(BPF_REG_0, 0),
2537 .result_unpriv = REJECT,
2538 .errstr_unpriv = "R1 pointer comparison",
2541 "unpriv: cmp pointer with pointer",
2543 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
2544 BPF_MOV64_IMM(BPF_REG_0, 0),
2548 .result_unpriv = REJECT,
2549 .errstr_unpriv = "R10 pointer comparison",
2552 "unpriv: check that printk is disallowed",
2554 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2555 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2556 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2557 BPF_MOV64_IMM(BPF_REG_2, 8),
2558 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2559 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2560 BPF_FUNC_trace_printk),
2561 BPF_MOV64_IMM(BPF_REG_0, 0),
2564 .errstr_unpriv = "unknown func bpf_trace_printk#6",
2565 .result_unpriv = REJECT,
2569 "unpriv: pass pointer to helper function",
2571 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2572 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2573 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2574 BPF_LD_MAP_FD(BPF_REG_1, 0),
2575 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2576 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2577 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2578 BPF_FUNC_map_update_elem),
2579 BPF_MOV64_IMM(BPF_REG_0, 0),
2582 .fixup_map_hash_8b = { 3 },
2583 .errstr_unpriv = "R4 leaks addr",
2584 .result_unpriv = REJECT,
2588 "unpriv: indirectly pass pointer on stack to helper function",
2590 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2591 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2592 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2593 BPF_LD_MAP_FD(BPF_REG_1, 0),
2594 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2595 BPF_FUNC_map_lookup_elem),
2596 BPF_MOV64_IMM(BPF_REG_0, 0),
2599 .fixup_map_hash_8b = { 3 },
2600 .errstr = "invalid indirect read from stack off -8+0 size 8",
2604 "unpriv: mangle pointer on stack 1",
2606 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2607 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
2608 BPF_MOV64_IMM(BPF_REG_0, 0),
2611 .errstr_unpriv = "attempt to corrupt spilled",
2612 .result_unpriv = REJECT,
2616 "unpriv: mangle pointer on stack 2",
2618 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2619 BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
2620 BPF_MOV64_IMM(BPF_REG_0, 0),
2623 .errstr_unpriv = "attempt to corrupt spilled",
2624 .result_unpriv = REJECT,
2628 "unpriv: read pointer from stack in small chunks",
2630 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2631 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
2632 BPF_MOV64_IMM(BPF_REG_0, 0),
2635 .errstr = "invalid size",
2639 "unpriv: write pointer into ctx",
2641 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
2642 BPF_MOV64_IMM(BPF_REG_0, 0),
2645 .errstr_unpriv = "R1 leaks addr",
2646 .result_unpriv = REJECT,
2647 .errstr = "invalid bpf_context access",
2651 "unpriv: spill/fill of ctx",
2653 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2654 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2655 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2656 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2657 BPF_MOV64_IMM(BPF_REG_0, 0),
2663 "unpriv: spill/fill of ctx 2",
2665 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2666 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2667 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2668 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2669 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2670 BPF_FUNC_get_hash_recalc),
2671 BPF_MOV64_IMM(BPF_REG_0, 0),
2675 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2678 "unpriv: spill/fill of ctx 3",
2680 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2681 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2682 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2683 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2684 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2685 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2686 BPF_FUNC_get_hash_recalc),
2690 .errstr = "R1 type=fp expected=ctx",
2691 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2694 "unpriv: spill/fill of ctx 4",
2696 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2697 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2698 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2699 BPF_MOV64_IMM(BPF_REG_0, 1),
2700 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
2702 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2703 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2704 BPF_FUNC_get_hash_recalc),
2708 .errstr = "R1 type=inv expected=ctx",
2709 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2712 "unpriv: spill/fill of different pointers stx",
2714 BPF_MOV64_IMM(BPF_REG_3, 42),
2715 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2716 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2717 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2718 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2719 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
2720 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2721 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2722 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2723 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2724 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2725 offsetof(struct __sk_buff, mark)),
2726 BPF_MOV64_IMM(BPF_REG_0, 0),
2730 .errstr = "same insn cannot be used with different pointers",
2731 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2734 "unpriv: spill/fill of different pointers stx - ctx and sock",
2736 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2737 /* struct bpf_sock *sock = bpf_sock_lookup(...); */
2739 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2741 /* void *target = &foo; */
2742 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2743 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2744 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2745 /* if (skb == NULL) *target = sock; */
2746 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2747 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2748 /* else *target = skb; */
2749 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2750 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2751 /* struct __sk_buff *skb = *target; */
2752 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2753 /* skb->mark = 42; */
2754 BPF_MOV64_IMM(BPF_REG_3, 42),
2755 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2756 offsetof(struct __sk_buff, mark)),
2757 /* if (sk) bpf_sk_release(sk) */
2758 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2759 BPF_EMIT_CALL(BPF_FUNC_sk_release),
2760 BPF_MOV64_IMM(BPF_REG_0, 0),
2764 .errstr = "type=ctx expected=sock",
2765 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2768 "unpriv: spill/fill of different pointers stx - leak sock",
2770 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2771 /* struct bpf_sock *sock = bpf_sock_lookup(...); */
2773 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2775 /* void *target = &foo; */
2776 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2777 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2778 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2779 /* if (skb == NULL) *target = sock; */
2780 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2781 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2782 /* else *target = skb; */
2783 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2784 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2785 /* struct __sk_buff *skb = *target; */
2786 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2787 /* skb->mark = 42; */
2788 BPF_MOV64_IMM(BPF_REG_3, 42),
2789 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2790 offsetof(struct __sk_buff, mark)),
2794 //.errstr = "same insn cannot be used with different pointers",
2795 .errstr = "Unreleased reference",
2796 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2799 "unpriv: spill/fill of different pointers stx - sock and ctx (read)",
2801 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2802 /* struct bpf_sock *sock = bpf_sock_lookup(...); */
2804 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2806 /* void *target = &foo; */
2807 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2808 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2809 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2810 /* if (skb) *target = skb */
2811 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2812 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2813 /* else *target = sock */
2814 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2815 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2816 /* struct bpf_sock *sk = *target; */
2817 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2818 /* if (sk) u32 foo = sk->mark; bpf_sk_release(sk); */
2819 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
2820 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2821 offsetof(struct bpf_sock, mark)),
2822 BPF_EMIT_CALL(BPF_FUNC_sk_release),
2823 BPF_MOV64_IMM(BPF_REG_0, 0),
2827 .errstr = "same insn cannot be used with different pointers",
2828 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2831 "unpriv: spill/fill of different pointers stx - sock and ctx (write)",
2833 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2834 /* struct bpf_sock *sock = bpf_sock_lookup(...); */
2836 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2838 /* void *target = &foo; */
2839 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2840 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2841 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2842 /* if (skb) *target = skb */
2843 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2844 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2845 /* else *target = sock */
2846 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2847 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2848 /* struct bpf_sock *sk = *target; */
2849 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2850 /* if (sk) sk->mark = 42; bpf_sk_release(sk); */
2851 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2852 BPF_MOV64_IMM(BPF_REG_3, 42),
2853 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2854 offsetof(struct bpf_sock, mark)),
2855 BPF_EMIT_CALL(BPF_FUNC_sk_release),
2856 BPF_MOV64_IMM(BPF_REG_0, 0),
2860 //.errstr = "same insn cannot be used with different pointers",
2861 .errstr = "cannot write into socket",
2862 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2865 "unpriv: spill/fill of different pointers ldx",
2867 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2868 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2869 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2870 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2871 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
2872 -(__s32)offsetof(struct bpf_perf_event_data,
2873 sample_period) - 8),
2874 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2875 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2876 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2877 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2878 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
2879 offsetof(struct bpf_perf_event_data,
2881 BPF_MOV64_IMM(BPF_REG_0, 0),
2885 .errstr = "same insn cannot be used with different pointers",
2886 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
2889 "unpriv: write pointer into map elem value",
2891 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2892 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2893 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2894 BPF_LD_MAP_FD(BPF_REG_1, 0),
2895 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2896 BPF_FUNC_map_lookup_elem),
2897 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2898 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
2901 .fixup_map_hash_8b = { 3 },
2902 .errstr_unpriv = "R0 leaks addr",
2903 .result_unpriv = REJECT,
2907 "unpriv: partial copy of pointer",
2909 BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
2910 BPF_MOV64_IMM(BPF_REG_0, 0),
2913 .errstr_unpriv = "R10 partial copy",
2914 .result_unpriv = REJECT,
2918 "unpriv: pass pointer to tail_call",
2920 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2921 BPF_LD_MAP_FD(BPF_REG_2, 0),
2922 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2923 BPF_FUNC_tail_call),
2924 BPF_MOV64_IMM(BPF_REG_0, 0),
2927 .fixup_prog1 = { 1 },
2928 .errstr_unpriv = "R3 leaks addr into helper",
2929 .result_unpriv = REJECT,
2933 "unpriv: cmp map pointer with zero",
2935 BPF_MOV64_IMM(BPF_REG_1, 0),
2936 BPF_LD_MAP_FD(BPF_REG_1, 0),
2937 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2938 BPF_MOV64_IMM(BPF_REG_0, 0),
2941 .fixup_map_hash_8b = { 1 },
2942 .errstr_unpriv = "R1 pointer comparison",
2943 .result_unpriv = REJECT,
2947 "unpriv: write into frame pointer",
2949 BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
2950 BPF_MOV64_IMM(BPF_REG_0, 0),
2953 .errstr = "frame pointer is read only",
2957 "unpriv: spill/fill frame pointer",
2959 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2960 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2961 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2962 BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
2963 BPF_MOV64_IMM(BPF_REG_0, 0),
2966 .errstr = "frame pointer is read only",
2970 "unpriv: cmp of frame pointer",
2972 BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
2973 BPF_MOV64_IMM(BPF_REG_0, 0),
2976 .errstr_unpriv = "R10 pointer comparison",
2977 .result_unpriv = REJECT,
2981 "unpriv: adding of fp",
2983 BPF_MOV64_IMM(BPF_REG_0, 0),
2984 BPF_MOV64_IMM(BPF_REG_1, 0),
2985 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2986 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
2992 "unpriv: cmp of stack pointer",
2994 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2995 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2996 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
2997 BPF_MOV64_IMM(BPF_REG_0, 0),
3000 .errstr_unpriv = "R2 pointer comparison",
3001 .result_unpriv = REJECT,
3005 "runtime/jit: tail_call within bounds, prog once",
3007 BPF_MOV64_IMM(BPF_REG_3, 0),
3008 BPF_LD_MAP_FD(BPF_REG_2, 0),
3009 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3010 BPF_FUNC_tail_call),
3011 BPF_MOV64_IMM(BPF_REG_0, 1),
3014 .fixup_prog1 = { 1 },
3019 "runtime/jit: tail_call within bounds, prog loop",
3021 BPF_MOV64_IMM(BPF_REG_3, 1),
3022 BPF_LD_MAP_FD(BPF_REG_2, 0),
3023 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3024 BPF_FUNC_tail_call),
3025 BPF_MOV64_IMM(BPF_REG_0, 1),
3028 .fixup_prog1 = { 1 },
3033 "runtime/jit: tail_call within bounds, no prog",
3035 BPF_MOV64_IMM(BPF_REG_3, 2),
3036 BPF_LD_MAP_FD(BPF_REG_2, 0),
3037 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3038 BPF_FUNC_tail_call),
3039 BPF_MOV64_IMM(BPF_REG_0, 1),
3042 .fixup_prog1 = { 1 },
3047 "runtime/jit: tail_call out of bounds",
3049 BPF_MOV64_IMM(BPF_REG_3, 256),
3050 BPF_LD_MAP_FD(BPF_REG_2, 0),
3051 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3052 BPF_FUNC_tail_call),
3053 BPF_MOV64_IMM(BPF_REG_0, 2),
3056 .fixup_prog1 = { 1 },
3061 "runtime/jit: pass negative index to tail_call",
3063 BPF_MOV64_IMM(BPF_REG_3, -1),
3064 BPF_LD_MAP_FD(BPF_REG_2, 0),
3065 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3066 BPF_FUNC_tail_call),
3067 BPF_MOV64_IMM(BPF_REG_0, 2),
3070 .fixup_prog1 = { 1 },
3075 "runtime/jit: pass > 32bit index to tail_call",
3077 BPF_LD_IMM64(BPF_REG_3, 0x100000000ULL),
3078 BPF_LD_MAP_FD(BPF_REG_2, 0),
3079 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3080 BPF_FUNC_tail_call),
3081 BPF_MOV64_IMM(BPF_REG_0, 2),
3084 .fixup_prog1 = { 2 },
3089 "stack pointer arithmetic",
3091 BPF_MOV64_IMM(BPF_REG_1, 4),
3092 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
3093 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
3094 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
3095 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
3096 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3097 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
3098 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
3099 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3100 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3101 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
3102 BPF_MOV64_IMM(BPF_REG_0, 0),
3108 "raw_stack: no skb_load_bytes",
3110 BPF_MOV64_IMM(BPF_REG_2, 4),
3111 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3112 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3113 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3114 BPF_MOV64_IMM(BPF_REG_4, 8),
3115 /* Call to skb_load_bytes() omitted. */
3116 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3120 .errstr = "invalid read from stack off -8+0 size 8",
3121 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3124 "raw_stack: skb_load_bytes, negative len",
3126 BPF_MOV64_IMM(BPF_REG_2, 4),
3127 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3128 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3129 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3130 BPF_MOV64_IMM(BPF_REG_4, -8),
3131 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3132 BPF_FUNC_skb_load_bytes),
3133 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3137 .errstr = "R4 min value is negative",
3138 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3141 "raw_stack: skb_load_bytes, negative len 2",
3143 BPF_MOV64_IMM(BPF_REG_2, 4),
3144 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3145 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3146 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3147 BPF_MOV64_IMM(BPF_REG_4, ~0),
3148 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3149 BPF_FUNC_skb_load_bytes),
3150 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3154 .errstr = "R4 min value is negative",
3155 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3158 "raw_stack: skb_load_bytes, zero len",
3160 BPF_MOV64_IMM(BPF_REG_2, 4),
3161 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3162 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3163 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3164 BPF_MOV64_IMM(BPF_REG_4, 0),
3165 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3166 BPF_FUNC_skb_load_bytes),
3167 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3171 .errstr = "invalid stack type R3",
3172 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3175 "raw_stack: skb_load_bytes, no init",
3177 BPF_MOV64_IMM(BPF_REG_2, 4),
3178 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3179 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3180 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3181 BPF_MOV64_IMM(BPF_REG_4, 8),
3182 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3183 BPF_FUNC_skb_load_bytes),
3184 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3188 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3191 "raw_stack: skb_load_bytes, init",
3193 BPF_MOV64_IMM(BPF_REG_2, 4),
3194 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3195 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3196 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
3197 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3198 BPF_MOV64_IMM(BPF_REG_4, 8),
3199 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3200 BPF_FUNC_skb_load_bytes),
3201 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3205 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3208 "raw_stack: skb_load_bytes, spilled regs around bounds",
3210 BPF_MOV64_IMM(BPF_REG_2, 4),
3211 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3212 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3213 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3214 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3215 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3216 BPF_MOV64_IMM(BPF_REG_4, 8),
3217 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3218 BPF_FUNC_skb_load_bytes),
3219 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3220 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3221 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3222 offsetof(struct __sk_buff, mark)),
3223 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3224 offsetof(struct __sk_buff, priority)),
3225 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3229 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3232 "raw_stack: skb_load_bytes, spilled regs corruption",
3234 BPF_MOV64_IMM(BPF_REG_2, 4),
3235 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3236 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3237 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3238 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3239 BPF_MOV64_IMM(BPF_REG_4, 8),
3240 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3241 BPF_FUNC_skb_load_bytes),
3242 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3243 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3244 offsetof(struct __sk_buff, mark)),
3248 .errstr = "R0 invalid mem access 'inv'",
3249 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3252 "raw_stack: skb_load_bytes, spilled regs corruption 2",
3254 BPF_MOV64_IMM(BPF_REG_2, 4),
3255 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3256 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3257 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3258 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3259 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3260 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3261 BPF_MOV64_IMM(BPF_REG_4, 8),
3262 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3263 BPF_FUNC_skb_load_bytes),
3264 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3265 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3266 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
3267 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3268 offsetof(struct __sk_buff, mark)),
3269 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3270 offsetof(struct __sk_buff, priority)),
3271 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3272 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
3273 offsetof(struct __sk_buff, pkt_type)),
3274 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3278 .errstr = "R3 invalid mem access 'inv'",
3279 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3282 "raw_stack: skb_load_bytes, spilled regs + data",
3284 BPF_MOV64_IMM(BPF_REG_2, 4),
3285 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3286 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3287 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3288 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3289 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3290 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3291 BPF_MOV64_IMM(BPF_REG_4, 8),
3292 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3293 BPF_FUNC_skb_load_bytes),
3294 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3295 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3296 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
3297 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3298 offsetof(struct __sk_buff, mark)),
3299 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3300 offsetof(struct __sk_buff, priority)),
3301 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3302 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3306 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3309 "raw_stack: skb_load_bytes, invalid access 1",
3311 BPF_MOV64_IMM(BPF_REG_2, 4),
3312 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3313 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
3314 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3315 BPF_MOV64_IMM(BPF_REG_4, 8),
3316 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3317 BPF_FUNC_skb_load_bytes),
3318 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3322 .errstr = "invalid stack type R3 off=-513 access_size=8",
3323 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3326 "raw_stack: skb_load_bytes, invalid access 2",
3328 BPF_MOV64_IMM(BPF_REG_2, 4),
3329 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3330 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3331 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3332 BPF_MOV64_IMM(BPF_REG_4, 8),
3333 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3334 BPF_FUNC_skb_load_bytes),
3335 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3339 .errstr = "invalid stack type R3 off=-1 access_size=8",
3340 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3343 "raw_stack: skb_load_bytes, invalid access 3",
3345 BPF_MOV64_IMM(BPF_REG_2, 4),
3346 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3347 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
3348 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3349 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3350 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3351 BPF_FUNC_skb_load_bytes),
3352 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3356 .errstr = "R4 min value is negative",
3357 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3360 "raw_stack: skb_load_bytes, invalid access 4",
3362 BPF_MOV64_IMM(BPF_REG_2, 4),
3363 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3364 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3365 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3366 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3367 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3368 BPF_FUNC_skb_load_bytes),
3369 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3373 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3374 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3377 "raw_stack: skb_load_bytes, invalid access 5",
3379 BPF_MOV64_IMM(BPF_REG_2, 4),
3380 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3381 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3382 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3383 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3384 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3385 BPF_FUNC_skb_load_bytes),
3386 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3390 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3391 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3394 "raw_stack: skb_load_bytes, invalid access 6",
3396 BPF_MOV64_IMM(BPF_REG_2, 4),
3397 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3398 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3399 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3400 BPF_MOV64_IMM(BPF_REG_4, 0),
3401 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3402 BPF_FUNC_skb_load_bytes),
3403 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3407 .errstr = "invalid stack type R3 off=-512 access_size=0",
3408 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3411 "raw_stack: skb_load_bytes, large access",
3413 BPF_MOV64_IMM(BPF_REG_2, 4),
3414 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3415 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3416 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3417 BPF_MOV64_IMM(BPF_REG_4, 512),
3418 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3419 BPF_FUNC_skb_load_bytes),
3420 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3424 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3427 "context stores via ST",
3429 BPF_MOV64_IMM(BPF_REG_0, 0),
3430 BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
3433 .errstr = "BPF_ST stores into R1 ctx is not allowed",
3435 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3438 "context stores via XADD",
3440 BPF_MOV64_IMM(BPF_REG_0, 0),
3441 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1,
3442 BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
3445 .errstr = "BPF_XADD stores into R1 ctx is not allowed",
3447 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3450 "direct packet access: test1",
3452 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3453 offsetof(struct __sk_buff, data)),
3454 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3455 offsetof(struct __sk_buff, data_end)),
3456 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3457 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3458 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3459 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3460 BPF_MOV64_IMM(BPF_REG_0, 0),
3464 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3467 "direct packet access: test2",
3469 BPF_MOV64_IMM(BPF_REG_0, 1),
3470 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
3471 offsetof(struct __sk_buff, data_end)),
3472 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3473 offsetof(struct __sk_buff, data)),
3474 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3475 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
3476 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
3477 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
3478 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
3479 BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
3480 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3481 offsetof(struct __sk_buff, data)),
3482 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
3483 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3484 offsetof(struct __sk_buff, len)),
3485 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
3486 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
3487 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
3488 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
3489 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3490 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
3491 offsetof(struct __sk_buff, data_end)),
3492 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3493 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
3494 BPF_MOV64_IMM(BPF_REG_0, 0),
3498 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3501 "direct packet access: test3",
3503 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3504 offsetof(struct __sk_buff, data)),
3505 BPF_MOV64_IMM(BPF_REG_0, 0),
3508 .errstr = "invalid bpf_context access off=76",
3510 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
3513 "direct packet access: test4 (write)",
3515 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3516 offsetof(struct __sk_buff, data)),
3517 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3518 offsetof(struct __sk_buff, data_end)),
3519 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3520 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3521 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3522 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3523 BPF_MOV64_IMM(BPF_REG_0, 0),
3527 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3530 "direct packet access: test5 (pkt_end >= reg, good access)",
3532 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3533 offsetof(struct __sk_buff, data)),
3534 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3535 offsetof(struct __sk_buff, data_end)),
3536 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3537 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3538 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3539 BPF_MOV64_IMM(BPF_REG_0, 1),
3541 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3542 BPF_MOV64_IMM(BPF_REG_0, 0),
3546 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3549 "direct packet access: test6 (pkt_end >= reg, bad access)",
3551 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3552 offsetof(struct __sk_buff, data)),
3553 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3554 offsetof(struct __sk_buff, data_end)),
3555 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3556 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3557 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3558 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3559 BPF_MOV64_IMM(BPF_REG_0, 1),
3561 BPF_MOV64_IMM(BPF_REG_0, 0),
3564 .errstr = "invalid access to packet",
3566 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3569 "direct packet access: test7 (pkt_end >= reg, both accesses)",
3571 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3572 offsetof(struct __sk_buff, data)),
3573 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3574 offsetof(struct __sk_buff, data_end)),
3575 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3576 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3577 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3578 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3579 BPF_MOV64_IMM(BPF_REG_0, 1),
3581 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3582 BPF_MOV64_IMM(BPF_REG_0, 0),
3585 .errstr = "invalid access to packet",
3587 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3590 "direct packet access: test8 (double test, variant 1)",
3592 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3593 offsetof(struct __sk_buff, data)),
3594 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3595 offsetof(struct __sk_buff, data_end)),
3596 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3597 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3598 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
3599 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3600 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3601 BPF_MOV64_IMM(BPF_REG_0, 1),
3603 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3604 BPF_MOV64_IMM(BPF_REG_0, 0),
3608 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3611 "direct packet access: test9 (double test, variant 2)",
3613 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3614 offsetof(struct __sk_buff, data)),
3615 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3616 offsetof(struct __sk_buff, data_end)),
3617 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3618 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3619 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3620 BPF_MOV64_IMM(BPF_REG_0, 1),
3622 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3623 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3624 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3625 BPF_MOV64_IMM(BPF_REG_0, 0),
3629 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3632 "direct packet access: test10 (write invalid)",
3634 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3635 offsetof(struct __sk_buff, data)),
3636 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3637 offsetof(struct __sk_buff, data_end)),
3638 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3639 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3640 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3641 BPF_MOV64_IMM(BPF_REG_0, 0),
3643 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3644 BPF_MOV64_IMM(BPF_REG_0, 0),
3647 .errstr = "invalid access to packet",
3649 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3652 "direct packet access: test11 (shift, good access)",
3654 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3655 offsetof(struct __sk_buff, data)),
3656 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3657 offsetof(struct __sk_buff, data_end)),
3658 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3659 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3660 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3661 BPF_MOV64_IMM(BPF_REG_3, 144),
3662 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3663 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3664 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
3665 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3666 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3667 BPF_MOV64_IMM(BPF_REG_0, 1),
3669 BPF_MOV64_IMM(BPF_REG_0, 0),
3673 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3677 "direct packet access: test12 (and, good access)",
3679 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3680 offsetof(struct __sk_buff, data)),
3681 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3682 offsetof(struct __sk_buff, data_end)),
3683 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3684 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3685 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3686 BPF_MOV64_IMM(BPF_REG_3, 144),
3687 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3688 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3689 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3690 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3691 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3692 BPF_MOV64_IMM(BPF_REG_0, 1),
3694 BPF_MOV64_IMM(BPF_REG_0, 0),
3698 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3702 "direct packet access: test13 (branches, good access)",
3704 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3705 offsetof(struct __sk_buff, data)),
3706 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3707 offsetof(struct __sk_buff, data_end)),
3708 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3709 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3710 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
3711 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3712 offsetof(struct __sk_buff, mark)),
3713 BPF_MOV64_IMM(BPF_REG_4, 1),
3714 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
3715 BPF_MOV64_IMM(BPF_REG_3, 14),
3716 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
3717 BPF_MOV64_IMM(BPF_REG_3, 24),
3718 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3719 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3720 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3721 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3722 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3723 BPF_MOV64_IMM(BPF_REG_0, 1),
3725 BPF_MOV64_IMM(BPF_REG_0, 0),
3729 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3733 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
3735 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3736 offsetof(struct __sk_buff, data)),
3737 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3738 offsetof(struct __sk_buff, data_end)),
3739 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3740 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3741 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
3742 BPF_MOV64_IMM(BPF_REG_5, 12),
3743 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
3744 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3745 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3746 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
3747 BPF_MOV64_IMM(BPF_REG_0, 1),
3749 BPF_MOV64_IMM(BPF_REG_0, 0),
3753 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3757 "direct packet access: test15 (spill with xadd)",
3759 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3760 offsetof(struct __sk_buff, data)),
3761 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3762 offsetof(struct __sk_buff, data_end)),
3763 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3764 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3765 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3766 BPF_MOV64_IMM(BPF_REG_5, 4096),
3767 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
3768 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
3769 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
3770 BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
3771 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
3772 BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
3773 BPF_MOV64_IMM(BPF_REG_0, 0),
3776 .errstr = "R2 invalid mem access 'inv'",
3778 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3781 "direct packet access: test16 (arith on data_end)",
3783 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3784 offsetof(struct __sk_buff, data)),
3785 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3786 offsetof(struct __sk_buff, data_end)),
3787 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3788 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3789 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
3790 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3791 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3792 BPF_MOV64_IMM(BPF_REG_0, 0),
3795 .errstr = "R3 pointer arithmetic on pkt_end",
3797 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3800 "direct packet access: test17 (pruning, alignment)",
3802 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3803 offsetof(struct __sk_buff, data)),
3804 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3805 offsetof(struct __sk_buff, data_end)),
3806 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3807 offsetof(struct __sk_buff, mark)),
3808 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3809 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
3810 BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
3811 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3812 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
3813 BPF_MOV64_IMM(BPF_REG_0, 0),
3815 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
3818 .errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4",
3820 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3821 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
3824 "direct packet access: test18 (imm += pkt_ptr, 1)",
3826 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3827 offsetof(struct __sk_buff, data)),
3828 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3829 offsetof(struct __sk_buff, data_end)),
3830 BPF_MOV64_IMM(BPF_REG_0, 8),
3831 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3832 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3833 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3834 BPF_MOV64_IMM(BPF_REG_0, 0),
3838 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3841 "direct packet access: test19 (imm += pkt_ptr, 2)",
3843 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3844 offsetof(struct __sk_buff, data)),
3845 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3846 offsetof(struct __sk_buff, data_end)),
3847 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3848 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3849 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
3850 BPF_MOV64_IMM(BPF_REG_4, 4),
3851 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3852 BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
3853 BPF_MOV64_IMM(BPF_REG_0, 0),
3857 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3860 "direct packet access: test20 (x += pkt_ptr, 1)",
3862 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3863 offsetof(struct __sk_buff, data)),
3864 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3865 offsetof(struct __sk_buff, data_end)),
3866 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3867 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3868 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3869 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff),
3870 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3871 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3872 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3873 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3874 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3875 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3876 BPF_MOV64_IMM(BPF_REG_0, 0),
3879 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3883 "direct packet access: test21 (x += pkt_ptr, 2)",
3885 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3886 offsetof(struct __sk_buff, data)),
3887 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3888 offsetof(struct __sk_buff, data_end)),
3889 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3890 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3891 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
3892 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3893 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3894 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3895 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff),
3896 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3897 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3898 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3899 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3900 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3901 BPF_MOV64_IMM(BPF_REG_0, 0),
3904 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3908 "direct packet access: test22 (x += pkt_ptr, 3)",
3910 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3911 offsetof(struct __sk_buff, data)),
3912 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3913 offsetof(struct __sk_buff, data_end)),
3914 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3915 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3916 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
3917 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
3918 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
3919 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
3920 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
3921 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3922 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3923 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3924 BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49),
3925 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3926 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
3927 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
3928 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3929 BPF_MOV64_IMM(BPF_REG_2, 1),
3930 BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
3931 BPF_MOV64_IMM(BPF_REG_0, 0),
3934 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3938 "direct packet access: test23 (x += pkt_ptr, 4)",
3940 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3941 offsetof(struct __sk_buff, data)),
3942 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3943 offsetof(struct __sk_buff, data_end)),
3944 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3945 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3946 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3947 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
3948 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3949 BPF_MOV64_IMM(BPF_REG_0, 31),
3950 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3951 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3952 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3953 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
3954 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3955 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3956 BPF_MOV64_IMM(BPF_REG_0, 0),
3959 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3961 .errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)",
3964 "direct packet access: test24 (x += pkt_ptr, 5)",
3966 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3967 offsetof(struct __sk_buff, data)),
3968 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3969 offsetof(struct __sk_buff, data_end)),
3970 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3971 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3972 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3973 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
3974 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3975 BPF_MOV64_IMM(BPF_REG_0, 64),
3976 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3977 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3978 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3979 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1),
3980 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3981 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3982 BPF_MOV64_IMM(BPF_REG_0, 0),
3985 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3989 "direct packet access: test25 (marking on <, good access)",
3991 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3992 offsetof(struct __sk_buff, data)),
3993 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3994 offsetof(struct __sk_buff, data_end)),
3995 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3996 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3997 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2),
3998 BPF_MOV64_IMM(BPF_REG_0, 0),
4000 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4001 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
4004 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4007 "direct packet access: test26 (marking on <, bad access)",
4009 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4010 offsetof(struct __sk_buff, data)),
4011 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4012 offsetof(struct __sk_buff, data_end)),
4013 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4014 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4015 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3),
4016 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4017 BPF_MOV64_IMM(BPF_REG_0, 0),
4019 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
4022 .errstr = "invalid access to packet",
4023 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4026 "direct packet access: test27 (marking on <=, good access)",
4028 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4029 offsetof(struct __sk_buff, data)),
4030 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4031 offsetof(struct __sk_buff, data_end)),
4032 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4033 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4034 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1),
4035 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4036 BPF_MOV64_IMM(BPF_REG_0, 1),
4040 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4044 "direct packet access: test28 (marking on <=, bad access)",
4046 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4047 offsetof(struct __sk_buff, data)),
4048 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4049 offsetof(struct __sk_buff, data_end)),
4050 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4051 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4052 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2),
4053 BPF_MOV64_IMM(BPF_REG_0, 1),
4055 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4056 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
4059 .errstr = "invalid access to packet",
4060 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4063 "helper access to packet: test1, valid packet_ptr range",
4065 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4066 offsetof(struct xdp_md, data)),
4067 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4068 offsetof(struct xdp_md, data_end)),
4069 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4070 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
4071 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
4072 BPF_LD_MAP_FD(BPF_REG_1, 0),
4073 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
4074 BPF_MOV64_IMM(BPF_REG_4, 0),
4075 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4076 BPF_FUNC_map_update_elem),
4077 BPF_MOV64_IMM(BPF_REG_0, 0),
4080 .fixup_map_hash_8b = { 5 },
4081 .result_unpriv = ACCEPT,
4083 .prog_type = BPF_PROG_TYPE_XDP,
4086 "helper access to packet: test2, unchecked packet_ptr",
4088 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4089 offsetof(struct xdp_md, data)),
4090 BPF_LD_MAP_FD(BPF_REG_1, 0),
4091 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4092 BPF_FUNC_map_lookup_elem),
4093 BPF_MOV64_IMM(BPF_REG_0, 0),
4096 .fixup_map_hash_8b = { 1 },
4098 .errstr = "invalid access to packet",
4099 .prog_type = BPF_PROG_TYPE_XDP,
4102 "helper access to packet: test3, variable add",
4104 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4105 offsetof(struct xdp_md, data)),
4106 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4107 offsetof(struct xdp_md, data_end)),
4108 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4109 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
4110 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
4111 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
4112 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4113 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
4114 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4115 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
4116 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
4117 BPF_LD_MAP_FD(BPF_REG_1, 0),
4118 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
4119 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4120 BPF_FUNC_map_lookup_elem),
4121 BPF_MOV64_IMM(BPF_REG_0, 0),
4124 .fixup_map_hash_8b = { 11 },
4126 .prog_type = BPF_PROG_TYPE_XDP,
4129 "helper access to packet: test4, packet_ptr with bad range",
4131 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4132 offsetof(struct xdp_md, data)),
4133 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4134 offsetof(struct xdp_md, data_end)),
4135 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4136 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
4137 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
4138 BPF_MOV64_IMM(BPF_REG_0, 0),
4140 BPF_LD_MAP_FD(BPF_REG_1, 0),
4141 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4142 BPF_FUNC_map_lookup_elem),
4143 BPF_MOV64_IMM(BPF_REG_0, 0),
4146 .fixup_map_hash_8b = { 7 },
4148 .errstr = "invalid access to packet",
4149 .prog_type = BPF_PROG_TYPE_XDP,
4152 "helper access to packet: test5, packet_ptr with too short range",
4154 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4155 offsetof(struct xdp_md, data)),
4156 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4157 offsetof(struct xdp_md, data_end)),
4158 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4159 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4160 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4161 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4162 BPF_LD_MAP_FD(BPF_REG_1, 0),
4163 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4164 BPF_FUNC_map_lookup_elem),
4165 BPF_MOV64_IMM(BPF_REG_0, 0),
4168 .fixup_map_hash_8b = { 6 },
4170 .errstr = "invalid access to packet",
4171 .prog_type = BPF_PROG_TYPE_XDP,
4174 "helper access to packet: test6, cls valid packet_ptr range",
4176 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4177 offsetof(struct __sk_buff, data)),
4178 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4179 offsetof(struct __sk_buff, data_end)),
4180 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4181 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
4182 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
4183 BPF_LD_MAP_FD(BPF_REG_1, 0),
4184 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
4185 BPF_MOV64_IMM(BPF_REG_4, 0),
4186 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4187 BPF_FUNC_map_update_elem),
4188 BPF_MOV64_IMM(BPF_REG_0, 0),
4191 .fixup_map_hash_8b = { 5 },
4193 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4196 "helper access to packet: test7, cls unchecked packet_ptr",
4198 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4199 offsetof(struct __sk_buff, data)),
4200 BPF_LD_MAP_FD(BPF_REG_1, 0),
4201 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4202 BPF_FUNC_map_lookup_elem),
4203 BPF_MOV64_IMM(BPF_REG_0, 0),
4206 .fixup_map_hash_8b = { 1 },
4208 .errstr = "invalid access to packet",
4209 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4212 "helper access to packet: test8, cls variable add",
4214 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4215 offsetof(struct __sk_buff, data)),
4216 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4217 offsetof(struct __sk_buff, data_end)),
4218 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4219 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
4220 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
4221 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
4222 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4223 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
4224 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4225 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
4226 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
4227 BPF_LD_MAP_FD(BPF_REG_1, 0),
4228 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
4229 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4230 BPF_FUNC_map_lookup_elem),
4231 BPF_MOV64_IMM(BPF_REG_0, 0),
4234 .fixup_map_hash_8b = { 11 },
4236 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4239 "helper access to packet: test9, cls packet_ptr with bad range",
4241 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4242 offsetof(struct __sk_buff, data)),
4243 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4244 offsetof(struct __sk_buff, data_end)),
4245 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4246 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
4247 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
4248 BPF_MOV64_IMM(BPF_REG_0, 0),
4250 BPF_LD_MAP_FD(BPF_REG_1, 0),
4251 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4252 BPF_FUNC_map_lookup_elem),
4253 BPF_MOV64_IMM(BPF_REG_0, 0),
4256 .fixup_map_hash_8b = { 7 },
4258 .errstr = "invalid access to packet",
4259 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4262 "helper access to packet: test10, cls packet_ptr with too short range",
4264 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4265 offsetof(struct __sk_buff, data)),
4266 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4267 offsetof(struct __sk_buff, data_end)),
4268 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4269 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4270 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4271 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4272 BPF_LD_MAP_FD(BPF_REG_1, 0),
4273 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4274 BPF_FUNC_map_lookup_elem),
4275 BPF_MOV64_IMM(BPF_REG_0, 0),
4278 .fixup_map_hash_8b = { 6 },
4280 .errstr = "invalid access to packet",
4281 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4284 "helper access to packet: test11, cls unsuitable helper 1",
4286 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4287 offsetof(struct __sk_buff, data)),
4288 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4289 offsetof(struct __sk_buff, data_end)),
4290 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4291 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4292 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
4293 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
4294 BPF_MOV64_IMM(BPF_REG_2, 0),
4295 BPF_MOV64_IMM(BPF_REG_4, 42),
4296 BPF_MOV64_IMM(BPF_REG_5, 0),
4297 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4298 BPF_FUNC_skb_store_bytes),
4299 BPF_MOV64_IMM(BPF_REG_0, 0),
4303 .errstr = "helper access to the packet",
4304 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4307 "helper access to packet: test12, cls unsuitable helper 2",
4309 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4310 offsetof(struct __sk_buff, data)),
4311 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4312 offsetof(struct __sk_buff, data_end)),
4313 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4314 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
4315 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
4316 BPF_MOV64_IMM(BPF_REG_2, 0),
4317 BPF_MOV64_IMM(BPF_REG_4, 4),
4318 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4319 BPF_FUNC_skb_load_bytes),
4320 BPF_MOV64_IMM(BPF_REG_0, 0),
4324 .errstr = "helper access to the packet",
4325 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4328 "helper access to packet: test13, cls helper ok",
4330 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4331 offsetof(struct __sk_buff, data)),
4332 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4333 offsetof(struct __sk_buff, data_end)),
4334 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4335 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4336 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4337 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4338 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4339 BPF_MOV64_IMM(BPF_REG_2, 4),
4340 BPF_MOV64_IMM(BPF_REG_3, 0),
4341 BPF_MOV64_IMM(BPF_REG_4, 0),
4342 BPF_MOV64_IMM(BPF_REG_5, 0),
4343 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4344 BPF_FUNC_csum_diff),
4345 BPF_MOV64_IMM(BPF_REG_0, 0),
4349 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4352 "helper access to packet: test14, cls helper ok sub",
4354 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4355 offsetof(struct __sk_buff, data)),
4356 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4357 offsetof(struct __sk_buff, data_end)),
4358 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4359 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4360 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4361 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4362 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
4363 BPF_MOV64_IMM(BPF_REG_2, 4),
4364 BPF_MOV64_IMM(BPF_REG_3, 0),
4365 BPF_MOV64_IMM(BPF_REG_4, 0),
4366 BPF_MOV64_IMM(BPF_REG_5, 0),
4367 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4368 BPF_FUNC_csum_diff),
4369 BPF_MOV64_IMM(BPF_REG_0, 0),
4373 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4376 "helper access to packet: test15, cls helper fail sub",
4378 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4379 offsetof(struct __sk_buff, data)),
4380 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4381 offsetof(struct __sk_buff, data_end)),
4382 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4383 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4384 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4385 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4386 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12),
4387 BPF_MOV64_IMM(BPF_REG_2, 4),
4388 BPF_MOV64_IMM(BPF_REG_3, 0),
4389 BPF_MOV64_IMM(BPF_REG_4, 0),
4390 BPF_MOV64_IMM(BPF_REG_5, 0),
4391 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4392 BPF_FUNC_csum_diff),
4393 BPF_MOV64_IMM(BPF_REG_0, 0),
4397 .errstr = "invalid access to packet",
4398 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4401 "helper access to packet: test16, cls helper fail range 1",
4403 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4404 offsetof(struct __sk_buff, data)),
4405 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4406 offsetof(struct __sk_buff, data_end)),
4407 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4408 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4409 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4410 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4411 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4412 BPF_MOV64_IMM(BPF_REG_2, 8),
4413 BPF_MOV64_IMM(BPF_REG_3, 0),
4414 BPF_MOV64_IMM(BPF_REG_4, 0),
4415 BPF_MOV64_IMM(BPF_REG_5, 0),
4416 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4417 BPF_FUNC_csum_diff),
4418 BPF_MOV64_IMM(BPF_REG_0, 0),
4422 .errstr = "invalid access to packet",
4423 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4426 "helper access to packet: test17, cls helper fail range 2",
4428 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4429 offsetof(struct __sk_buff, data)),
4430 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4431 offsetof(struct __sk_buff, data_end)),
4432 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4433 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4434 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4435 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4436 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4437 BPF_MOV64_IMM(BPF_REG_2, -9),
4438 BPF_MOV64_IMM(BPF_REG_3, 0),
4439 BPF_MOV64_IMM(BPF_REG_4, 0),
4440 BPF_MOV64_IMM(BPF_REG_5, 0),
4441 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4442 BPF_FUNC_csum_diff),
4443 BPF_MOV64_IMM(BPF_REG_0, 0),
4447 .errstr = "R2 min value is negative",
4448 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4451 "helper access to packet: test18, cls helper fail range 3",
4453 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4454 offsetof(struct __sk_buff, data)),
4455 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4456 offsetof(struct __sk_buff, data_end)),
4457 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4458 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4459 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4460 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4461 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4462 BPF_MOV64_IMM(BPF_REG_2, ~0),
4463 BPF_MOV64_IMM(BPF_REG_3, 0),
4464 BPF_MOV64_IMM(BPF_REG_4, 0),
4465 BPF_MOV64_IMM(BPF_REG_5, 0),
4466 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4467 BPF_FUNC_csum_diff),
4468 BPF_MOV64_IMM(BPF_REG_0, 0),
4472 .errstr = "R2 min value is negative",
4473 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4476 "helper access to packet: test19, cls helper range zero",
4478 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4479 offsetof(struct __sk_buff, data)),
4480 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4481 offsetof(struct __sk_buff, data_end)),
4482 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4483 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4484 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4485 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4486 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4487 BPF_MOV64_IMM(BPF_REG_2, 0),
4488 BPF_MOV64_IMM(BPF_REG_3, 0),
4489 BPF_MOV64_IMM(BPF_REG_4, 0),
4490 BPF_MOV64_IMM(BPF_REG_5, 0),
4491 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4492 BPF_FUNC_csum_diff),
4493 BPF_MOV64_IMM(BPF_REG_0, 0),
4497 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4500 "helper access to packet: test20, pkt end as input",
4502 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4503 offsetof(struct __sk_buff, data)),
4504 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4505 offsetof(struct __sk_buff, data_end)),
4506 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4507 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4508 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4509 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4510 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
4511 BPF_MOV64_IMM(BPF_REG_2, 4),
4512 BPF_MOV64_IMM(BPF_REG_3, 0),
4513 BPF_MOV64_IMM(BPF_REG_4, 0),
4514 BPF_MOV64_IMM(BPF_REG_5, 0),
4515 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4516 BPF_FUNC_csum_diff),
4517 BPF_MOV64_IMM(BPF_REG_0, 0),
4521 .errstr = "R1 type=pkt_end expected=fp",
4522 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4525 "helper access to packet: test21, wrong reg",
4527 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4528 offsetof(struct __sk_buff, data)),
4529 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4530 offsetof(struct __sk_buff, data_end)),
4531 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4532 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4533 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4534 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4535 BPF_MOV64_IMM(BPF_REG_2, 4),
4536 BPF_MOV64_IMM(BPF_REG_3, 0),
4537 BPF_MOV64_IMM(BPF_REG_4, 0),
4538 BPF_MOV64_IMM(BPF_REG_5, 0),
4539 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4540 BPF_FUNC_csum_diff),
4541 BPF_MOV64_IMM(BPF_REG_0, 0),
4545 .errstr = "invalid access to packet",
4546 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4549 "prevent map lookup in sockmap",
4551 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4552 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4553 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4554 BPF_LD_MAP_FD(BPF_REG_1, 0),
4555 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4556 BPF_FUNC_map_lookup_elem),
4559 .fixup_map_sockmap = { 3 },
4561 .errstr = "cannot pass map_type 15 into func bpf_map_lookup_elem",
4562 .prog_type = BPF_PROG_TYPE_SOCK_OPS,
4565 "prevent map lookup in sockhash",
4567 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4568 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4569 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4570 BPF_LD_MAP_FD(BPF_REG_1, 0),
4571 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4572 BPF_FUNC_map_lookup_elem),
4575 .fixup_map_sockhash = { 3 },
4577 .errstr = "cannot pass map_type 18 into func bpf_map_lookup_elem",
4578 .prog_type = BPF_PROG_TYPE_SOCK_OPS,
4581 "prevent map lookup in xskmap",
4583 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4584 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4585 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4586 BPF_LD_MAP_FD(BPF_REG_1, 0),
4587 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4588 BPF_FUNC_map_lookup_elem),
4591 .fixup_map_xskmap = { 3 },
4593 .errstr = "cannot pass map_type 17 into func bpf_map_lookup_elem",
4594 .prog_type = BPF_PROG_TYPE_XDP,
4597 "prevent map lookup in stack trace",
4599 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4600 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4601 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4602 BPF_LD_MAP_FD(BPF_REG_1, 0),
4603 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4604 BPF_FUNC_map_lookup_elem),
4607 .fixup_map_stacktrace = { 3 },
4609 .errstr = "cannot pass map_type 7 into func bpf_map_lookup_elem",
4610 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
4613 "prevent map lookup in prog array",
4615 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4616 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4617 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4618 BPF_LD_MAP_FD(BPF_REG_1, 0),
4619 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4620 BPF_FUNC_map_lookup_elem),
4623 .fixup_prog2 = { 3 },
4625 .errstr = "cannot pass map_type 3 into func bpf_map_lookup_elem",
4628 "valid map access into an array with a constant",
4630 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4631 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4632 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4633 BPF_LD_MAP_FD(BPF_REG_1, 0),
4634 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4635 BPF_FUNC_map_lookup_elem),
4636 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4637 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4638 offsetof(struct test_val, foo)),
4641 .fixup_map_hash_48b = { 3 },
4642 .errstr_unpriv = "R0 leaks addr",
4643 .result_unpriv = REJECT,
4647 "valid map access into an array with a register",
4649 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4650 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4651 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4652 BPF_LD_MAP_FD(BPF_REG_1, 0),
4653 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4654 BPF_FUNC_map_lookup_elem),
4655 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4656 BPF_MOV64_IMM(BPF_REG_1, 4),
4657 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4658 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4659 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4660 offsetof(struct test_val, foo)),
4663 .fixup_map_hash_48b = { 3 },
4664 .errstr_unpriv = "R0 leaks addr",
4665 .result_unpriv = REJECT,
4667 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4670 "valid map access into an array with a variable",
4672 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4673 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4674 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4675 BPF_LD_MAP_FD(BPF_REG_1, 0),
4676 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4677 BPF_FUNC_map_lookup_elem),
4678 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4679 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4680 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
4681 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4682 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4683 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4684 offsetof(struct test_val, foo)),
4687 .fixup_map_hash_48b = { 3 },
4688 .errstr_unpriv = "R0 leaks addr",
4689 .result_unpriv = REJECT,
4691 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4694 "valid map access into an array with a signed variable",
4696 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4697 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4698 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4699 BPF_LD_MAP_FD(BPF_REG_1, 0),
4700 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4701 BPF_FUNC_map_lookup_elem),
4702 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
4703 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4704 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
4705 BPF_MOV32_IMM(BPF_REG_1, 0),
4706 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4707 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4708 BPF_MOV32_IMM(BPF_REG_1, 0),
4709 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4710 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4711 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4712 offsetof(struct test_val, foo)),
4715 .fixup_map_hash_48b = { 3 },
4716 .errstr_unpriv = "R0 leaks addr",
4717 .result_unpriv = REJECT,
4719 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4722 "invalid map access into an array with a constant",
4724 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4725 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4726 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4727 BPF_LD_MAP_FD(BPF_REG_1, 0),
4728 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4729 BPF_FUNC_map_lookup_elem),
4730 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4731 BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
4732 offsetof(struct test_val, foo)),
4735 .fixup_map_hash_48b = { 3 },
4736 .errstr = "invalid access to map value, value_size=48 off=48 size=8",
4740 "invalid map access into an array with a register",
4742 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4743 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4744 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4745 BPF_LD_MAP_FD(BPF_REG_1, 0),
4746 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4747 BPF_FUNC_map_lookup_elem),
4748 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4749 BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
4750 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4751 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4752 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4753 offsetof(struct test_val, foo)),
4756 .fixup_map_hash_48b = { 3 },
4757 .errstr = "R0 min value is outside of the array range",
4759 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4762 "invalid map access into an array with a variable",
4764 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4765 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4766 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4767 BPF_LD_MAP_FD(BPF_REG_1, 0),
4768 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4769 BPF_FUNC_map_lookup_elem),
4770 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4771 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4772 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4773 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4774 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4775 offsetof(struct test_val, foo)),
4778 .fixup_map_hash_48b = { 3 },
4779 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
4781 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4784 "invalid map access into an array with no floor check",
4786 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4787 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4788 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4789 BPF_LD_MAP_FD(BPF_REG_1, 0),
4790 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4791 BPF_FUNC_map_lookup_elem),
4792 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4793 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
4794 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4795 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4796 BPF_MOV32_IMM(BPF_REG_1, 0),
4797 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4798 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4799 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4800 offsetof(struct test_val, foo)),
4803 .fixup_map_hash_48b = { 3 },
4804 .errstr_unpriv = "R0 leaks addr",
4805 .errstr = "R0 unbounded memory access",
4806 .result_unpriv = REJECT,
4808 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4811 "invalid map access into an array with a invalid max check",
4813 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4814 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4815 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4816 BPF_LD_MAP_FD(BPF_REG_1, 0),
4817 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4818 BPF_FUNC_map_lookup_elem),
4819 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4820 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4821 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
4822 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
4823 BPF_MOV32_IMM(BPF_REG_1, 0),
4824 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4825 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4826 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4827 offsetof(struct test_val, foo)),
4830 .fixup_map_hash_48b = { 3 },
4831 .errstr_unpriv = "R0 leaks addr",
4832 .errstr = "invalid access to map value, value_size=48 off=44 size=8",
4833 .result_unpriv = REJECT,
4835 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4838 "invalid map access into an array with a invalid max check",
4840 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4841 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4842 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4843 BPF_LD_MAP_FD(BPF_REG_1, 0),
4844 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4845 BPF_FUNC_map_lookup_elem),
4846 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
4847 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
4848 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4849 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4850 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4851 BPF_LD_MAP_FD(BPF_REG_1, 0),
4852 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4853 BPF_FUNC_map_lookup_elem),
4854 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4855 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
4856 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
4857 offsetof(struct test_val, foo)),
4860 .fixup_map_hash_48b = { 3, 11 },
4861 .errstr = "R0 pointer += pointer",
4863 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4866 "direct packet read test#1 for CGROUP_SKB",
4868 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4869 offsetof(struct __sk_buff, data)),
4870 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4871 offsetof(struct __sk_buff, data_end)),
4872 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
4873 offsetof(struct __sk_buff, len)),
4874 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4875 offsetof(struct __sk_buff, pkt_type)),
4876 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4877 offsetof(struct __sk_buff, mark)),
4878 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
4879 offsetof(struct __sk_buff, mark)),
4880 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4881 offsetof(struct __sk_buff, queue_mapping)),
4882 BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
4883 offsetof(struct __sk_buff, protocol)),
4884 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
4885 offsetof(struct __sk_buff, vlan_present)),
4886 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4887 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4888 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4889 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4890 BPF_MOV64_IMM(BPF_REG_0, 0),
4894 .result_unpriv = REJECT,
4895 .errstr_unpriv = "invalid bpf_context access off=76 size=4",
4896 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4899 "direct packet read test#2 for CGROUP_SKB",
4901 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
4902 offsetof(struct __sk_buff, vlan_tci)),
4903 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4904 offsetof(struct __sk_buff, vlan_proto)),
4905 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4906 offsetof(struct __sk_buff, priority)),
4907 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
4908 offsetof(struct __sk_buff, priority)),
4909 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4910 offsetof(struct __sk_buff,
4912 BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
4913 offsetof(struct __sk_buff, tc_index)),
4914 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
4915 offsetof(struct __sk_buff, hash)),
4916 BPF_MOV64_IMM(BPF_REG_0, 0),
4920 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4923 "direct packet read test#3 for CGROUP_SKB",
4925 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
4926 offsetof(struct __sk_buff, cb[0])),
4927 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4928 offsetof(struct __sk_buff, cb[1])),
4929 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4930 offsetof(struct __sk_buff, cb[2])),
4931 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4932 offsetof(struct __sk_buff, cb[3])),
4933 BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
4934 offsetof(struct __sk_buff, cb[4])),
4935 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
4936 offsetof(struct __sk_buff, napi_id)),
4937 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_4,
4938 offsetof(struct __sk_buff, cb[0])),
4939 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_5,
4940 offsetof(struct __sk_buff, cb[1])),
4941 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
4942 offsetof(struct __sk_buff, cb[2])),
4943 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_7,
4944 offsetof(struct __sk_buff, cb[3])),
4945 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_8,
4946 offsetof(struct __sk_buff, cb[4])),
4947 BPF_MOV64_IMM(BPF_REG_0, 0),
4951 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4954 "direct packet read test#4 for CGROUP_SKB",
4956 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4957 offsetof(struct __sk_buff, family)),
4958 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4959 offsetof(struct __sk_buff, remote_ip4)),
4960 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
4961 offsetof(struct __sk_buff, local_ip4)),
4962 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4963 offsetof(struct __sk_buff, remote_ip6[0])),
4964 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4965 offsetof(struct __sk_buff, remote_ip6[1])),
4966 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4967 offsetof(struct __sk_buff, remote_ip6[2])),
4968 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4969 offsetof(struct __sk_buff, remote_ip6[3])),
4970 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4971 offsetof(struct __sk_buff, local_ip6[0])),
4972 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4973 offsetof(struct __sk_buff, local_ip6[1])),
4974 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4975 offsetof(struct __sk_buff, local_ip6[2])),
4976 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4977 offsetof(struct __sk_buff, local_ip6[3])),
4978 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4979 offsetof(struct __sk_buff, remote_port)),
4980 BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
4981 offsetof(struct __sk_buff, local_port)),
4982 BPF_MOV64_IMM(BPF_REG_0, 0),
4986 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4989 "invalid access of tc_classid for CGROUP_SKB",
4991 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4992 offsetof(struct __sk_buff, tc_classid)),
4993 BPF_MOV64_IMM(BPF_REG_0, 0),
4997 .errstr = "invalid bpf_context access",
4998 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5001 "invalid access of data_meta for CGROUP_SKB",
5003 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5004 offsetof(struct __sk_buff, data_meta)),
5005 BPF_MOV64_IMM(BPF_REG_0, 0),
5009 .errstr = "invalid bpf_context access",
5010 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5013 "invalid access of flow_keys for CGROUP_SKB",
5015 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5016 offsetof(struct __sk_buff, flow_keys)),
5017 BPF_MOV64_IMM(BPF_REG_0, 0),
5021 .errstr = "invalid bpf_context access",
5022 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5025 "invalid write access to napi_id for CGROUP_SKB",
5027 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
5028 offsetof(struct __sk_buff, napi_id)),
5029 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_9,
5030 offsetof(struct __sk_buff, napi_id)),
5031 BPF_MOV64_IMM(BPF_REG_0, 0),
5035 .errstr = "invalid bpf_context access",
5036 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5039 "valid cgroup storage access",
5041 BPF_MOV64_IMM(BPF_REG_2, 0),
5042 BPF_LD_MAP_FD(BPF_REG_1, 0),
5043 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5044 BPF_FUNC_get_local_storage),
5045 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5046 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5047 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5050 .fixup_cgroup_storage = { 1 },
5052 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5055 "invalid cgroup storage access 1",
5057 BPF_MOV64_IMM(BPF_REG_2, 0),
5058 BPF_LD_MAP_FD(BPF_REG_1, 0),
5059 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5060 BPF_FUNC_get_local_storage),
5061 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5062 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5063 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5066 .fixup_map_hash_8b = { 1 },
5068 .errstr = "cannot pass map_type 1 into func bpf_get_local_storage",
5069 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5072 "invalid cgroup storage access 2",
5074 BPF_MOV64_IMM(BPF_REG_2, 0),
5075 BPF_LD_MAP_FD(BPF_REG_1, 1),
5076 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5077 BPF_FUNC_get_local_storage),
5078 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5082 .errstr = "fd 1 is not pointing to valid bpf_map",
5083 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5086 "invalid cgroup storage access 3",
5088 BPF_MOV64_IMM(BPF_REG_2, 0),
5089 BPF_LD_MAP_FD(BPF_REG_1, 0),
5090 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5091 BPF_FUNC_get_local_storage),
5092 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 256),
5093 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5094 BPF_MOV64_IMM(BPF_REG_0, 0),
5097 .fixup_cgroup_storage = { 1 },
5099 .errstr = "invalid access to map value, value_size=64 off=256 size=4",
5100 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5103 "invalid cgroup storage access 4",
5105 BPF_MOV64_IMM(BPF_REG_2, 0),
5106 BPF_LD_MAP_FD(BPF_REG_1, 0),
5107 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5108 BPF_FUNC_get_local_storage),
5109 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -2),
5110 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5111 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5114 .fixup_cgroup_storage = { 1 },
5116 .errstr = "invalid access to map value, value_size=64 off=-2 size=4",
5117 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5120 "invalid cgroup storage access 5",
5122 BPF_MOV64_IMM(BPF_REG_2, 7),
5123 BPF_LD_MAP_FD(BPF_REG_1, 0),
5124 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5125 BPF_FUNC_get_local_storage),
5126 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5127 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5128 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5131 .fixup_cgroup_storage = { 1 },
5133 .errstr = "get_local_storage() doesn't support non-zero flags",
5134 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5137 "invalid cgroup storage access 6",
5139 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
5140 BPF_LD_MAP_FD(BPF_REG_1, 0),
5141 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5142 BPF_FUNC_get_local_storage),
5143 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5144 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5145 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5148 .fixup_cgroup_storage = { 1 },
5150 .errstr = "get_local_storage() doesn't support non-zero flags",
5151 .errstr_unpriv = "R2 leaks addr into helper function",
5152 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5155 "valid per-cpu cgroup storage access",
5157 BPF_MOV64_IMM(BPF_REG_2, 0),
5158 BPF_LD_MAP_FD(BPF_REG_1, 0),
5159 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5160 BPF_FUNC_get_local_storage),
5161 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5162 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5163 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5166 .fixup_percpu_cgroup_storage = { 1 },
5168 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5171 "invalid per-cpu cgroup storage access 1",
5173 BPF_MOV64_IMM(BPF_REG_2, 0),
5174 BPF_LD_MAP_FD(BPF_REG_1, 0),
5175 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5176 BPF_FUNC_get_local_storage),
5177 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5178 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5179 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5182 .fixup_map_hash_8b = { 1 },
5184 .errstr = "cannot pass map_type 1 into func bpf_get_local_storage",
5185 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5188 "invalid per-cpu cgroup storage access 2",
5190 BPF_MOV64_IMM(BPF_REG_2, 0),
5191 BPF_LD_MAP_FD(BPF_REG_1, 1),
5192 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5193 BPF_FUNC_get_local_storage),
5194 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5198 .errstr = "fd 1 is not pointing to valid bpf_map",
5199 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5202 "invalid per-cpu cgroup storage access 3",
5204 BPF_MOV64_IMM(BPF_REG_2, 0),
5205 BPF_LD_MAP_FD(BPF_REG_1, 0),
5206 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5207 BPF_FUNC_get_local_storage),
5208 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 256),
5209 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5210 BPF_MOV64_IMM(BPF_REG_0, 0),
5213 .fixup_percpu_cgroup_storage = { 1 },
5215 .errstr = "invalid access to map value, value_size=64 off=256 size=4",
5216 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5219 "invalid per-cpu cgroup storage access 4",
5221 BPF_MOV64_IMM(BPF_REG_2, 0),
5222 BPF_LD_MAP_FD(BPF_REG_1, 0),
5223 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5224 BPF_FUNC_get_local_storage),
5225 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -2),
5226 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5227 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5230 .fixup_cgroup_storage = { 1 },
5232 .errstr = "invalid access to map value, value_size=64 off=-2 size=4",
5233 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5236 "invalid per-cpu cgroup storage access 5",
5238 BPF_MOV64_IMM(BPF_REG_2, 7),
5239 BPF_LD_MAP_FD(BPF_REG_1, 0),
5240 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5241 BPF_FUNC_get_local_storage),
5242 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5243 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5244 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5247 .fixup_percpu_cgroup_storage = { 1 },
5249 .errstr = "get_local_storage() doesn't support non-zero flags",
5250 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5253 "invalid per-cpu cgroup storage access 6",
5255 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
5256 BPF_LD_MAP_FD(BPF_REG_1, 0),
5257 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5258 BPF_FUNC_get_local_storage),
5259 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5260 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5261 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5264 .fixup_percpu_cgroup_storage = { 1 },
5266 .errstr = "get_local_storage() doesn't support non-zero flags",
5267 .errstr_unpriv = "R2 leaks addr into helper function",
5268 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5271 "multiple registers share map_lookup_elem result",
5273 BPF_MOV64_IMM(BPF_REG_1, 10),
5274 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5275 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5276 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5277 BPF_LD_MAP_FD(BPF_REG_1, 0),
5278 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5279 BPF_FUNC_map_lookup_elem),
5280 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5281 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5282 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5285 .fixup_map_hash_8b = { 4 },
5287 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5290 "alu ops on ptr_to_map_value_or_null, 1",
5292 BPF_MOV64_IMM(BPF_REG_1, 10),
5293 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5294 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5295 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5296 BPF_LD_MAP_FD(BPF_REG_1, 0),
5297 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5298 BPF_FUNC_map_lookup_elem),
5299 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5300 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
5301 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
5302 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5303 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5306 .fixup_map_hash_8b = { 4 },
5307 .errstr = "R4 pointer arithmetic on map_value_or_null",
5309 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5312 "alu ops on ptr_to_map_value_or_null, 2",
5314 BPF_MOV64_IMM(BPF_REG_1, 10),
5315 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5316 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5317 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5318 BPF_LD_MAP_FD(BPF_REG_1, 0),
5319 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5320 BPF_FUNC_map_lookup_elem),
5321 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5322 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
5323 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5324 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5327 .fixup_map_hash_8b = { 4 },
5328 .errstr = "R4 pointer arithmetic on map_value_or_null",
5330 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5333 "alu ops on ptr_to_map_value_or_null, 3",
5335 BPF_MOV64_IMM(BPF_REG_1, 10),
5336 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5337 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5338 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5339 BPF_LD_MAP_FD(BPF_REG_1, 0),
5340 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5341 BPF_FUNC_map_lookup_elem),
5342 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5343 BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
5344 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5345 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5348 .fixup_map_hash_8b = { 4 },
5349 .errstr = "R4 pointer arithmetic on map_value_or_null",
5351 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5354 "invalid memory access with multiple map_lookup_elem calls",
5356 BPF_MOV64_IMM(BPF_REG_1, 10),
5357 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5358 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5359 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5360 BPF_LD_MAP_FD(BPF_REG_1, 0),
5361 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
5362 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
5363 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5364 BPF_FUNC_map_lookup_elem),
5365 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5366 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
5367 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
5368 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5369 BPF_FUNC_map_lookup_elem),
5370 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5371 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5374 .fixup_map_hash_8b = { 4 },
5376 .errstr = "R4 !read_ok",
5377 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5380 "valid indirect map_lookup_elem access with 2nd lookup in branch",
5382 BPF_MOV64_IMM(BPF_REG_1, 10),
5383 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5384 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5385 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5386 BPF_LD_MAP_FD(BPF_REG_1, 0),
5387 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
5388 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
5389 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5390 BPF_FUNC_map_lookup_elem),
5391 BPF_MOV64_IMM(BPF_REG_2, 10),
5392 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
5393 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
5394 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
5395 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5396 BPF_FUNC_map_lookup_elem),
5397 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5398 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5399 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5402 .fixup_map_hash_8b = { 4 },
5404 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5407 "invalid map access from else condition",
5409 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5410 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5411 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5412 BPF_LD_MAP_FD(BPF_REG_1, 0),
5413 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
5414 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5415 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5416 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
5417 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5418 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
5419 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5420 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
5423 .fixup_map_hash_48b = { 3 },
5424 .errstr = "R0 unbounded memory access",
5426 .errstr_unpriv = "R0 leaks addr",
5427 .result_unpriv = REJECT,
5428 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5431 "constant register |= constant should keep constant type",
5433 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5434 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5435 BPF_MOV64_IMM(BPF_REG_2, 34),
5436 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
5437 BPF_MOV64_IMM(BPF_REG_3, 0),
5438 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5442 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5445 "constant register |= constant should not bypass stack boundary checks",
5447 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5448 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5449 BPF_MOV64_IMM(BPF_REG_2, 34),
5450 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
5451 BPF_MOV64_IMM(BPF_REG_3, 0),
5452 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5455 .errstr = "invalid stack type R1 off=-48 access_size=58",
5457 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5460 "constant register |= constant register should keep constant type",
5462 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5463 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5464 BPF_MOV64_IMM(BPF_REG_2, 34),
5465 BPF_MOV64_IMM(BPF_REG_4, 13),
5466 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
5467 BPF_MOV64_IMM(BPF_REG_3, 0),
5468 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5472 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5475 "constant register |= constant register should not bypass stack boundary checks",
5477 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5478 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5479 BPF_MOV64_IMM(BPF_REG_2, 34),
5480 BPF_MOV64_IMM(BPF_REG_4, 24),
5481 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
5482 BPF_MOV64_IMM(BPF_REG_3, 0),
5483 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5486 .errstr = "invalid stack type R1 off=-48 access_size=58",
5488 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5491 "invalid direct packet write for LWT_IN",
5493 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5494 offsetof(struct __sk_buff, data)),
5495 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5496 offsetof(struct __sk_buff, data_end)),
5497 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5498 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5499 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5500 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5501 BPF_MOV64_IMM(BPF_REG_0, 0),
5504 .errstr = "cannot write into packet",
5506 .prog_type = BPF_PROG_TYPE_LWT_IN,
5509 "invalid direct packet write for LWT_OUT",
5511 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5512 offsetof(struct __sk_buff, data)),
5513 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5514 offsetof(struct __sk_buff, data_end)),
5515 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5516 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5517 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5518 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5519 BPF_MOV64_IMM(BPF_REG_0, 0),
5522 .errstr = "cannot write into packet",
5524 .prog_type = BPF_PROG_TYPE_LWT_OUT,
5527 "direct packet write for LWT_XMIT",
5529 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5530 offsetof(struct __sk_buff, data)),
5531 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5532 offsetof(struct __sk_buff, data_end)),
5533 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5534 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5535 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5536 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5537 BPF_MOV64_IMM(BPF_REG_0, 0),
5541 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5544 "direct packet read for LWT_IN",
5546 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5547 offsetof(struct __sk_buff, data)),
5548 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5549 offsetof(struct __sk_buff, data_end)),
5550 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5551 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5552 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5553 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5554 BPF_MOV64_IMM(BPF_REG_0, 0),
5558 .prog_type = BPF_PROG_TYPE_LWT_IN,
5561 "direct packet read for LWT_OUT",
5563 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5564 offsetof(struct __sk_buff, data)),
5565 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5566 offsetof(struct __sk_buff, data_end)),
5567 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5568 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5569 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5570 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5571 BPF_MOV64_IMM(BPF_REG_0, 0),
5575 .prog_type = BPF_PROG_TYPE_LWT_OUT,
5578 "direct packet read for LWT_XMIT",
5580 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5581 offsetof(struct __sk_buff, data)),
5582 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5583 offsetof(struct __sk_buff, data_end)),
5584 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5585 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5586 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5587 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5588 BPF_MOV64_IMM(BPF_REG_0, 0),
5592 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5595 "overlapping checks for direct packet access",
5597 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5598 offsetof(struct __sk_buff, data)),
5599 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5600 offsetof(struct __sk_buff, data_end)),
5601 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5602 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5603 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
5604 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
5605 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
5606 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
5607 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
5608 BPF_MOV64_IMM(BPF_REG_0, 0),
5612 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5615 "make headroom for LWT_XMIT",
5617 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5618 BPF_MOV64_IMM(BPF_REG_2, 34),
5619 BPF_MOV64_IMM(BPF_REG_3, 0),
5620 BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
5621 /* split for s390 to succeed */
5622 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
5623 BPF_MOV64_IMM(BPF_REG_2, 42),
5624 BPF_MOV64_IMM(BPF_REG_3, 0),
5625 BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
5626 BPF_MOV64_IMM(BPF_REG_0, 0),
5630 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5633 "invalid access of tc_classid for LWT_IN",
5635 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5636 offsetof(struct __sk_buff, tc_classid)),
5640 .errstr = "invalid bpf_context access",
5643 "invalid access of tc_classid for LWT_OUT",
5645 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5646 offsetof(struct __sk_buff, tc_classid)),
5650 .errstr = "invalid bpf_context access",
5653 "invalid access of tc_classid for LWT_XMIT",
5655 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5656 offsetof(struct __sk_buff, tc_classid)),
5660 .errstr = "invalid bpf_context access",
5663 "leak pointer into ctx 1",
5665 BPF_MOV64_IMM(BPF_REG_0, 0),
5666 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5667 offsetof(struct __sk_buff, cb[0])),
5668 BPF_LD_MAP_FD(BPF_REG_2, 0),
5669 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
5670 offsetof(struct __sk_buff, cb[0])),
5673 .fixup_map_hash_8b = { 2 },
5674 .errstr_unpriv = "R2 leaks addr into mem",
5675 .result_unpriv = REJECT,
5677 .errstr = "BPF_XADD stores into R1 ctx is not allowed",
5680 "leak pointer into ctx 2",
5682 BPF_MOV64_IMM(BPF_REG_0, 0),
5683 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5684 offsetof(struct __sk_buff, cb[0])),
5685 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
5686 offsetof(struct __sk_buff, cb[0])),
5689 .errstr_unpriv = "R10 leaks addr into mem",
5690 .result_unpriv = REJECT,
5692 .errstr = "BPF_XADD stores into R1 ctx is not allowed",
5695 "leak pointer into ctx 3",
5697 BPF_MOV64_IMM(BPF_REG_0, 0),
5698 BPF_LD_MAP_FD(BPF_REG_2, 0),
5699 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
5700 offsetof(struct __sk_buff, cb[0])),
5703 .fixup_map_hash_8b = { 1 },
5704 .errstr_unpriv = "R2 leaks addr into ctx",
5705 .result_unpriv = REJECT,
5709 "leak pointer into map val",
5711 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5712 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5713 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5714 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5715 BPF_LD_MAP_FD(BPF_REG_1, 0),
5716 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5717 BPF_FUNC_map_lookup_elem),
5718 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
5719 BPF_MOV64_IMM(BPF_REG_3, 0),
5720 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
5721 BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
5722 BPF_MOV64_IMM(BPF_REG_0, 0),
5725 .fixup_map_hash_8b = { 4 },
5726 .errstr_unpriv = "R6 leaks addr into mem",
5727 .result_unpriv = REJECT,
5731 "helper access to map: full range",
5733 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5734 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5735 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5736 BPF_LD_MAP_FD(BPF_REG_1, 0),
5737 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5738 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5739 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5740 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5741 BPF_MOV64_IMM(BPF_REG_3, 0),
5742 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5745 .fixup_map_hash_48b = { 3 },
5747 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5750 "helper access to map: partial range",
5752 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5753 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5754 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5755 BPF_LD_MAP_FD(BPF_REG_1, 0),
5756 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5757 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5758 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5759 BPF_MOV64_IMM(BPF_REG_2, 8),
5760 BPF_MOV64_IMM(BPF_REG_3, 0),
5761 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5764 .fixup_map_hash_48b = { 3 },
5766 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5769 "helper access to map: empty range",
5771 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5772 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5773 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5774 BPF_LD_MAP_FD(BPF_REG_1, 0),
5775 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5776 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
5777 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5778 BPF_MOV64_IMM(BPF_REG_2, 0),
5779 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5782 .fixup_map_hash_48b = { 3 },
5783 .errstr = "invalid access to map value, value_size=48 off=0 size=0",
5785 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5788 "helper access to map: out-of-bound range",
5790 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5791 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5792 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5793 BPF_LD_MAP_FD(BPF_REG_1, 0),
5794 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5795 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5796 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5797 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
5798 BPF_MOV64_IMM(BPF_REG_3, 0),
5799 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5802 .fixup_map_hash_48b = { 3 },
5803 .errstr = "invalid access to map value, value_size=48 off=0 size=56",
5805 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5808 "helper access to map: negative range",
5810 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5811 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5812 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5813 BPF_LD_MAP_FD(BPF_REG_1, 0),
5814 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5815 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5816 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5817 BPF_MOV64_IMM(BPF_REG_2, -8),
5818 BPF_MOV64_IMM(BPF_REG_3, 0),
5819 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5822 .fixup_map_hash_48b = { 3 },
5823 .errstr = "R2 min value is negative",
5825 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5828 "helper access to adjusted map (via const imm): full range",
5830 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5831 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5832 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5833 BPF_LD_MAP_FD(BPF_REG_1, 0),
5834 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5835 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5836 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5837 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5838 offsetof(struct test_val, foo)),
5839 BPF_MOV64_IMM(BPF_REG_2,
5840 sizeof(struct test_val) -
5841 offsetof(struct test_val, foo)),
5842 BPF_MOV64_IMM(BPF_REG_3, 0),
5843 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5846 .fixup_map_hash_48b = { 3 },
5848 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5851 "helper access to adjusted map (via const imm): partial range",
5853 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5854 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5855 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5856 BPF_LD_MAP_FD(BPF_REG_1, 0),
5857 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5858 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5859 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5860 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5861 offsetof(struct test_val, foo)),
5862 BPF_MOV64_IMM(BPF_REG_2, 8),
5863 BPF_MOV64_IMM(BPF_REG_3, 0),
5864 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5867 .fixup_map_hash_48b = { 3 },
5869 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5872 "helper access to adjusted map (via const imm): empty range",
5874 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5875 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5876 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5877 BPF_LD_MAP_FD(BPF_REG_1, 0),
5878 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5879 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5880 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5881 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5882 offsetof(struct test_val, foo)),
5883 BPF_MOV64_IMM(BPF_REG_2, 0),
5884 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5887 .fixup_map_hash_48b = { 3 },
5888 .errstr = "invalid access to map value, value_size=48 off=4 size=0",
5890 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5893 "helper access to adjusted map (via const imm): out-of-bound range",
5895 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5896 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5897 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5898 BPF_LD_MAP_FD(BPF_REG_1, 0),
5899 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5900 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5901 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5902 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5903 offsetof(struct test_val, foo)),
5904 BPF_MOV64_IMM(BPF_REG_2,
5905 sizeof(struct test_val) -
5906 offsetof(struct test_val, foo) + 8),
5907 BPF_MOV64_IMM(BPF_REG_3, 0),
5908 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5911 .fixup_map_hash_48b = { 3 },
5912 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
5914 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5917 "helper access to adjusted map (via const imm): negative range (> adjustment)",
5919 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5920 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5921 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5922 BPF_LD_MAP_FD(BPF_REG_1, 0),
5923 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5924 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5925 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5926 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5927 offsetof(struct test_val, foo)),
5928 BPF_MOV64_IMM(BPF_REG_2, -8),
5929 BPF_MOV64_IMM(BPF_REG_3, 0),
5930 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5933 .fixup_map_hash_48b = { 3 },
5934 .errstr = "R2 min value is negative",
5936 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5939 "helper access to adjusted map (via const imm): negative range (< adjustment)",
5941 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5942 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5943 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5944 BPF_LD_MAP_FD(BPF_REG_1, 0),
5945 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5946 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5947 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5948 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5949 offsetof(struct test_val, foo)),
5950 BPF_MOV64_IMM(BPF_REG_2, -1),
5951 BPF_MOV64_IMM(BPF_REG_3, 0),
5952 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5955 .fixup_map_hash_48b = { 3 },
5956 .errstr = "R2 min value is negative",
5958 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5961 "helper access to adjusted map (via const reg): full range",
5963 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5964 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5965 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5966 BPF_LD_MAP_FD(BPF_REG_1, 0),
5967 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5968 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5969 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5970 BPF_MOV64_IMM(BPF_REG_3,
5971 offsetof(struct test_val, foo)),
5972 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5973 BPF_MOV64_IMM(BPF_REG_2,
5974 sizeof(struct test_val) -
5975 offsetof(struct test_val, foo)),
5976 BPF_MOV64_IMM(BPF_REG_3, 0),
5977 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5980 .fixup_map_hash_48b = { 3 },
5982 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5985 "helper access to adjusted map (via const reg): partial range",
5987 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5988 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5989 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5990 BPF_LD_MAP_FD(BPF_REG_1, 0),
5991 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5992 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5993 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5994 BPF_MOV64_IMM(BPF_REG_3,
5995 offsetof(struct test_val, foo)),
5996 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5997 BPF_MOV64_IMM(BPF_REG_2, 8),
5998 BPF_MOV64_IMM(BPF_REG_3, 0),
5999 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6002 .fixup_map_hash_48b = { 3 },
6004 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6007 "helper access to adjusted map (via const reg): empty range",
6009 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6010 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6011 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6012 BPF_LD_MAP_FD(BPF_REG_1, 0),
6013 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6014 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6015 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6016 BPF_MOV64_IMM(BPF_REG_3, 0),
6017 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6018 BPF_MOV64_IMM(BPF_REG_2, 0),
6019 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
6022 .fixup_map_hash_48b = { 3 },
6023 .errstr = "R1 min value is outside of the array range",
6025 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6028 "helper access to adjusted map (via const reg): out-of-bound range",
6030 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6031 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6032 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6033 BPF_LD_MAP_FD(BPF_REG_1, 0),
6034 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6035 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6036 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6037 BPF_MOV64_IMM(BPF_REG_3,
6038 offsetof(struct test_val, foo)),
6039 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6040 BPF_MOV64_IMM(BPF_REG_2,
6041 sizeof(struct test_val) -
6042 offsetof(struct test_val, foo) + 8),
6043 BPF_MOV64_IMM(BPF_REG_3, 0),
6044 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6047 .fixup_map_hash_48b = { 3 },
6048 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
6050 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6053 "helper access to adjusted map (via const reg): negative range (> adjustment)",
6055 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6056 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6057 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6058 BPF_LD_MAP_FD(BPF_REG_1, 0),
6059 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6060 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6061 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6062 BPF_MOV64_IMM(BPF_REG_3,
6063 offsetof(struct test_val, foo)),
6064 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6065 BPF_MOV64_IMM(BPF_REG_2, -8),
6066 BPF_MOV64_IMM(BPF_REG_3, 0),
6067 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6070 .fixup_map_hash_48b = { 3 },
6071 .errstr = "R2 min value is negative",
6073 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6076 "helper access to adjusted map (via const reg): negative range (< adjustment)",
6078 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6079 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6080 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6081 BPF_LD_MAP_FD(BPF_REG_1, 0),
6082 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6083 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6084 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6085 BPF_MOV64_IMM(BPF_REG_3,
6086 offsetof(struct test_val, foo)),
6087 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6088 BPF_MOV64_IMM(BPF_REG_2, -1),
6089 BPF_MOV64_IMM(BPF_REG_3, 0),
6090 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6093 .fixup_map_hash_48b = { 3 },
6094 .errstr = "R2 min value is negative",
6096 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6099 "helper access to adjusted map (via variable): full range",
6101 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6102 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6103 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6104 BPF_LD_MAP_FD(BPF_REG_1, 0),
6105 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6106 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6107 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6108 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6109 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6110 offsetof(struct test_val, foo), 4),
6111 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6112 BPF_MOV64_IMM(BPF_REG_2,
6113 sizeof(struct test_val) -
6114 offsetof(struct test_val, foo)),
6115 BPF_MOV64_IMM(BPF_REG_3, 0),
6116 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6119 .fixup_map_hash_48b = { 3 },
6121 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6124 "helper access to adjusted map (via variable): partial range",
6126 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6127 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6128 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6129 BPF_LD_MAP_FD(BPF_REG_1, 0),
6130 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6131 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6132 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6133 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6134 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6135 offsetof(struct test_val, foo), 4),
6136 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6137 BPF_MOV64_IMM(BPF_REG_2, 8),
6138 BPF_MOV64_IMM(BPF_REG_3, 0),
6139 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6142 .fixup_map_hash_48b = { 3 },
6144 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6147 "helper access to adjusted map (via variable): empty range",
6149 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6150 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6151 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6152 BPF_LD_MAP_FD(BPF_REG_1, 0),
6153 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6154 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6155 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6156 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6157 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6158 offsetof(struct test_val, foo), 3),
6159 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6160 BPF_MOV64_IMM(BPF_REG_2, 0),
6161 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
6164 .fixup_map_hash_48b = { 3 },
6165 .errstr = "R1 min value is outside of the array range",
6167 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6170 "helper access to adjusted map (via variable): no max check",
6172 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6173 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6174 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6175 BPF_LD_MAP_FD(BPF_REG_1, 0),
6176 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6177 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6178 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6179 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6180 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6181 BPF_MOV64_IMM(BPF_REG_2, 1),
6182 BPF_MOV64_IMM(BPF_REG_3, 0),
6183 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6186 .fixup_map_hash_48b = { 3 },
6187 .errstr = "R1 unbounded memory access",
6189 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6192 "helper access to adjusted map (via variable): wrong max check",
6194 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6195 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6196 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6197 BPF_LD_MAP_FD(BPF_REG_1, 0),
6198 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6199 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6200 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6201 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6202 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6203 offsetof(struct test_val, foo), 4),
6204 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6205 BPF_MOV64_IMM(BPF_REG_2,
6206 sizeof(struct test_val) -
6207 offsetof(struct test_val, foo) + 1),
6208 BPF_MOV64_IMM(BPF_REG_3, 0),
6209 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6212 .fixup_map_hash_48b = { 3 },
6213 .errstr = "invalid access to map value, value_size=48 off=4 size=45",
6215 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6218 "helper access to map: bounds check using <, good access",
6220 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6221 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6222 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6223 BPF_LD_MAP_FD(BPF_REG_1, 0),
6224 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6225 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6226 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6227 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6228 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
6229 BPF_MOV64_IMM(BPF_REG_0, 0),
6231 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6232 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6233 BPF_MOV64_IMM(BPF_REG_0, 0),
6236 .fixup_map_hash_48b = { 3 },
6238 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6241 "helper access to map: bounds check using <, bad access",
6243 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6244 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6245 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6246 BPF_LD_MAP_FD(BPF_REG_1, 0),
6247 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6248 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6249 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6250 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6251 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
6252 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6253 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6254 BPF_MOV64_IMM(BPF_REG_0, 0),
6256 BPF_MOV64_IMM(BPF_REG_0, 0),
6259 .fixup_map_hash_48b = { 3 },
6261 .errstr = "R1 unbounded memory access",
6262 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6265 "helper access to map: bounds check using <=, good access",
6267 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6268 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6269 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6270 BPF_LD_MAP_FD(BPF_REG_1, 0),
6271 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6272 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6273 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6274 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6275 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
6276 BPF_MOV64_IMM(BPF_REG_0, 0),
6278 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6279 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6280 BPF_MOV64_IMM(BPF_REG_0, 0),
6283 .fixup_map_hash_48b = { 3 },
6285 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6288 "helper access to map: bounds check using <=, bad access",
6290 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6291 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6292 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6293 BPF_LD_MAP_FD(BPF_REG_1, 0),
6294 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6295 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6296 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6297 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6298 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
6299 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6300 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6301 BPF_MOV64_IMM(BPF_REG_0, 0),
6303 BPF_MOV64_IMM(BPF_REG_0, 0),
6306 .fixup_map_hash_48b = { 3 },
6308 .errstr = "R1 unbounded memory access",
6309 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6312 "helper access to map: bounds check using s<, good access",
6314 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6315 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6316 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6317 BPF_LD_MAP_FD(BPF_REG_1, 0),
6318 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6319 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6320 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6321 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6322 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
6323 BPF_MOV64_IMM(BPF_REG_0, 0),
6325 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
6326 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6327 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6328 BPF_MOV64_IMM(BPF_REG_0, 0),
6331 .fixup_map_hash_48b = { 3 },
6333 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6336 "helper access to map: bounds check using s<, good access 2",
6338 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6339 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6340 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6341 BPF_LD_MAP_FD(BPF_REG_1, 0),
6342 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6343 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6344 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6345 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6346 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
6347 BPF_MOV64_IMM(BPF_REG_0, 0),
6349 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
6350 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6351 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6352 BPF_MOV64_IMM(BPF_REG_0, 0),
6355 .fixup_map_hash_48b = { 3 },
6357 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6360 "helper access to map: bounds check using s<, bad access",
6362 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6363 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6364 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6365 BPF_LD_MAP_FD(BPF_REG_1, 0),
6366 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6367 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6368 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6369 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
6370 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
6371 BPF_MOV64_IMM(BPF_REG_0, 0),
6373 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
6374 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6375 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6376 BPF_MOV64_IMM(BPF_REG_0, 0),
6379 .fixup_map_hash_48b = { 3 },
6381 .errstr = "R1 min value is negative",
6382 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6385 "helper access to map: bounds check using s<=, good access",
6387 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6388 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6389 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6390 BPF_LD_MAP_FD(BPF_REG_1, 0),
6391 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6392 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6393 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6394 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6395 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
6396 BPF_MOV64_IMM(BPF_REG_0, 0),
6398 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
6399 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6400 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6401 BPF_MOV64_IMM(BPF_REG_0, 0),
6404 .fixup_map_hash_48b = { 3 },
6406 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6409 "helper access to map: bounds check using s<=, good access 2",
6411 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6412 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6413 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6414 BPF_LD_MAP_FD(BPF_REG_1, 0),
6415 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6416 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6417 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6418 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6419 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
6420 BPF_MOV64_IMM(BPF_REG_0, 0),
6422 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
6423 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6424 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6425 BPF_MOV64_IMM(BPF_REG_0, 0),
6428 .fixup_map_hash_48b = { 3 },
6430 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6433 "helper access to map: bounds check using s<=, bad access",
6435 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6436 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6437 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6438 BPF_LD_MAP_FD(BPF_REG_1, 0),
6439 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6440 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6441 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6442 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
6443 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
6444 BPF_MOV64_IMM(BPF_REG_0, 0),
6446 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
6447 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6448 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6449 BPF_MOV64_IMM(BPF_REG_0, 0),
6452 .fixup_map_hash_48b = { 3 },
6454 .errstr = "R1 min value is negative",
6455 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6458 "map access: known scalar += value_ptr",
6460 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6461 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6462 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6463 BPF_LD_MAP_FD(BPF_REG_1, 0),
6464 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6465 BPF_FUNC_map_lookup_elem),
6466 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
6467 BPF_MOV64_IMM(BPF_REG_1, 4),
6468 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
6469 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
6470 BPF_MOV64_IMM(BPF_REG_0, 1),
6473 .fixup_map_array_48b = { 3 },
6478 "map access: value_ptr += known scalar",
6480 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6481 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6482 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6483 BPF_LD_MAP_FD(BPF_REG_1, 0),
6484 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6485 BPF_FUNC_map_lookup_elem),
6486 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
6487 BPF_MOV64_IMM(BPF_REG_1, 4),
6488 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6489 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6490 BPF_MOV64_IMM(BPF_REG_0, 1),
6493 .fixup_map_array_48b = { 3 },
6498 "map access: unknown scalar += value_ptr",
6500 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6501 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6502 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6503 BPF_LD_MAP_FD(BPF_REG_1, 0),
6504 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6505 BPF_FUNC_map_lookup_elem),
6506 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6507 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6508 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
6509 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
6510 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
6511 BPF_MOV64_IMM(BPF_REG_0, 1),
6514 .fixup_map_array_48b = { 3 },
6519 "map access: value_ptr += unknown scalar",
6521 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6522 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6523 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6524 BPF_LD_MAP_FD(BPF_REG_1, 0),
6525 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6526 BPF_FUNC_map_lookup_elem),
6527 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6528 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6529 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
6530 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6531 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6532 BPF_MOV64_IMM(BPF_REG_0, 1),
6535 .fixup_map_array_48b = { 3 },
6540 "map access: value_ptr += value_ptr",
6542 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6543 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6544 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6545 BPF_LD_MAP_FD(BPF_REG_1, 0),
6546 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6547 BPF_FUNC_map_lookup_elem),
6548 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6549 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_0),
6550 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6551 BPF_MOV64_IMM(BPF_REG_0, 1),
6554 .fixup_map_array_48b = { 3 },
6556 .errstr = "R0 pointer += pointer prohibited",
6559 "map access: known scalar -= value_ptr",
6561 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6562 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6563 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6564 BPF_LD_MAP_FD(BPF_REG_1, 0),
6565 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6566 BPF_FUNC_map_lookup_elem),
6567 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
6568 BPF_MOV64_IMM(BPF_REG_1, 4),
6569 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
6570 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
6571 BPF_MOV64_IMM(BPF_REG_0, 1),
6574 .fixup_map_array_48b = { 3 },
6576 .errstr = "R1 tried to subtract pointer from scalar",
6579 "map access: value_ptr -= known scalar",
6581 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6582 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6583 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6584 BPF_LD_MAP_FD(BPF_REG_1, 0),
6585 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6586 BPF_FUNC_map_lookup_elem),
6587 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
6588 BPF_MOV64_IMM(BPF_REG_1, 4),
6589 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
6590 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6591 BPF_MOV64_IMM(BPF_REG_0, 1),
6594 .fixup_map_array_48b = { 3 },
6596 .errstr = "R0 min value is outside of the array range",
6599 "map access: value_ptr -= known scalar, 2",
6601 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6602 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6603 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6604 BPF_LD_MAP_FD(BPF_REG_1, 0),
6605 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6606 BPF_FUNC_map_lookup_elem),
6607 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6608 BPF_MOV64_IMM(BPF_REG_1, 6),
6609 BPF_MOV64_IMM(BPF_REG_2, 4),
6610 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6611 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
6612 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6613 BPF_MOV64_IMM(BPF_REG_0, 1),
6616 .fixup_map_array_48b = { 3 },
6621 "map access: unknown scalar -= value_ptr",
6623 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6624 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6625 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6626 BPF_LD_MAP_FD(BPF_REG_1, 0),
6627 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6628 BPF_FUNC_map_lookup_elem),
6629 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6630 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6631 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
6632 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
6633 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
6634 BPF_MOV64_IMM(BPF_REG_0, 1),
6637 .fixup_map_array_48b = { 3 },
6639 .errstr = "R1 tried to subtract pointer from scalar",
6642 "map access: value_ptr -= unknown scalar",
6644 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6645 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6646 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6647 BPF_LD_MAP_FD(BPF_REG_1, 0),
6648 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6649 BPF_FUNC_map_lookup_elem),
6650 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6651 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6652 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
6653 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
6654 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6655 BPF_MOV64_IMM(BPF_REG_0, 1),
6658 .fixup_map_array_48b = { 3 },
6660 .errstr = "R0 min value is negative",
6663 "map access: value_ptr -= unknown scalar, 2",
6665 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6666 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6667 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6668 BPF_LD_MAP_FD(BPF_REG_1, 0),
6669 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6670 BPF_FUNC_map_lookup_elem),
6671 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
6672 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6673 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
6674 BPF_ALU64_IMM(BPF_OR, BPF_REG_1, 0x7),
6675 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6676 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6677 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7),
6678 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
6679 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6680 BPF_MOV64_IMM(BPF_REG_0, 1),
6683 .fixup_map_array_48b = { 3 },
6688 "map access: value_ptr -= value_ptr",
6690 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6691 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6692 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6693 BPF_LD_MAP_FD(BPF_REG_1, 0),
6694 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6695 BPF_FUNC_map_lookup_elem),
6696 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6697 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_0),
6698 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6699 BPF_MOV64_IMM(BPF_REG_0, 1),
6702 .fixup_map_array_48b = { 3 },
6704 .errstr = "R0 invalid mem access 'inv'",
6705 .errstr_unpriv = "R0 pointer -= pointer prohibited",
6708 "map lookup helper access to map",
6710 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6711 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6712 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6713 BPF_LD_MAP_FD(BPF_REG_1, 0),
6714 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6715 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6716 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6717 BPF_LD_MAP_FD(BPF_REG_1, 0),
6718 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6721 .fixup_map_hash_16b = { 3, 8 },
6723 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6726 "map update helper access to map",
6728 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6729 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6730 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6731 BPF_LD_MAP_FD(BPF_REG_1, 0),
6732 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6733 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6734 BPF_MOV64_IMM(BPF_REG_4, 0),
6735 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
6736 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6737 BPF_LD_MAP_FD(BPF_REG_1, 0),
6738 BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
6741 .fixup_map_hash_16b = { 3, 10 },
6743 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6746 "map update helper access to map: wrong size",
6748 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6749 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6750 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6751 BPF_LD_MAP_FD(BPF_REG_1, 0),
6752 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6753 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6754 BPF_MOV64_IMM(BPF_REG_4, 0),
6755 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
6756 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6757 BPF_LD_MAP_FD(BPF_REG_1, 0),
6758 BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
6761 .fixup_map_hash_8b = { 3 },
6762 .fixup_map_hash_16b = { 10 },
6764 .errstr = "invalid access to map value, value_size=8 off=0 size=16",
6765 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6768 "map helper access to adjusted map (via const imm)",
6770 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6771 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6772 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6773 BPF_LD_MAP_FD(BPF_REG_1, 0),
6774 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6775 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6776 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6777 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
6778 offsetof(struct other_val, bar)),
6779 BPF_LD_MAP_FD(BPF_REG_1, 0),
6780 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6783 .fixup_map_hash_16b = { 3, 9 },
6785 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6788 "map helper access to adjusted map (via const imm): out-of-bound 1",
6790 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6791 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6792 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6793 BPF_LD_MAP_FD(BPF_REG_1, 0),
6794 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6795 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6796 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6797 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
6798 sizeof(struct other_val) - 4),
6799 BPF_LD_MAP_FD(BPF_REG_1, 0),
6800 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6803 .fixup_map_hash_16b = { 3, 9 },
6805 .errstr = "invalid access to map value, value_size=16 off=12 size=8",
6806 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6809 "map helper access to adjusted map (via const imm): out-of-bound 2",
6811 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6812 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6813 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6814 BPF_LD_MAP_FD(BPF_REG_1, 0),
6815 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6816 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6817 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6818 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6819 BPF_LD_MAP_FD(BPF_REG_1, 0),
6820 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6823 .fixup_map_hash_16b = { 3, 9 },
6825 .errstr = "invalid access to map value, value_size=16 off=-4 size=8",
6826 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6829 "map helper access to adjusted map (via const reg)",
6831 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6832 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6833 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6834 BPF_LD_MAP_FD(BPF_REG_1, 0),
6835 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6836 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6837 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6838 BPF_MOV64_IMM(BPF_REG_3,
6839 offsetof(struct other_val, bar)),
6840 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6841 BPF_LD_MAP_FD(BPF_REG_1, 0),
6842 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6845 .fixup_map_hash_16b = { 3, 10 },
6847 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6850 "map helper access to adjusted map (via const reg): out-of-bound 1",
6852 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6853 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6854 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6855 BPF_LD_MAP_FD(BPF_REG_1, 0),
6856 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6857 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6858 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6859 BPF_MOV64_IMM(BPF_REG_3,
6860 sizeof(struct other_val) - 4),
6861 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6862 BPF_LD_MAP_FD(BPF_REG_1, 0),
6863 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6866 .fixup_map_hash_16b = { 3, 10 },
6868 .errstr = "invalid access to map value, value_size=16 off=12 size=8",
6869 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6872 "map helper access to adjusted map (via const reg): out-of-bound 2",
6874 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6875 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6876 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6877 BPF_LD_MAP_FD(BPF_REG_1, 0),
6878 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6879 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6880 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6881 BPF_MOV64_IMM(BPF_REG_3, -4),
6882 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6883 BPF_LD_MAP_FD(BPF_REG_1, 0),
6884 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6887 .fixup_map_hash_16b = { 3, 10 },
6889 .errstr = "invalid access to map value, value_size=16 off=-4 size=8",
6890 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6893 "map helper access to adjusted map (via variable)",
6895 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6896 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6897 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6898 BPF_LD_MAP_FD(BPF_REG_1, 0),
6899 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6900 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6901 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6902 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6903 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6904 offsetof(struct other_val, bar), 4),
6905 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6906 BPF_LD_MAP_FD(BPF_REG_1, 0),
6907 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6910 .fixup_map_hash_16b = { 3, 11 },
6912 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6915 "map helper access to adjusted map (via variable): no max check",
6917 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6918 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6919 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6920 BPF_LD_MAP_FD(BPF_REG_1, 0),
6921 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6922 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6923 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6924 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6925 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6926 BPF_LD_MAP_FD(BPF_REG_1, 0),
6927 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6930 .fixup_map_hash_16b = { 3, 10 },
6932 .errstr = "R2 unbounded memory access, make sure to bounds check any array access into a map",
6933 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6936 "map helper access to adjusted map (via variable): wrong max check",
6938 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6939 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6940 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6941 BPF_LD_MAP_FD(BPF_REG_1, 0),
6942 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6943 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6944 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6945 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6946 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6947 offsetof(struct other_val, bar) + 1, 4),
6948 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6949 BPF_LD_MAP_FD(BPF_REG_1, 0),
6950 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6953 .fixup_map_hash_16b = { 3, 11 },
6955 .errstr = "invalid access to map value, value_size=16 off=9 size=8",
6956 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6959 "map element value is preserved across register spilling",
6961 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6962 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6963 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6964 BPF_LD_MAP_FD(BPF_REG_1, 0),
6965 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6966 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6967 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6968 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6969 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
6970 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6971 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6972 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6975 .fixup_map_hash_48b = { 3 },
6976 .errstr_unpriv = "R0 leaks addr",
6978 .result_unpriv = REJECT,
6981 "map element value or null is marked on register spilling",
6983 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6984 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6985 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6986 BPF_LD_MAP_FD(BPF_REG_1, 0),
6987 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6988 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6989 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
6990 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6991 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6992 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6993 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6996 .fixup_map_hash_48b = { 3 },
6997 .errstr_unpriv = "R0 leaks addr",
6999 .result_unpriv = REJECT,
7002 "map element value store of cleared call register",
7004 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7005 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7006 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7007 BPF_LD_MAP_FD(BPF_REG_1, 0),
7008 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7009 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
7010 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
7013 .fixup_map_hash_48b = { 3 },
7014 .errstr_unpriv = "R1 !read_ok",
7015 .errstr = "R1 !read_ok",
7017 .result_unpriv = REJECT,
7020 "map element value with unaligned store",
7022 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7023 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7024 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7025 BPF_LD_MAP_FD(BPF_REG_1, 0),
7026 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7027 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
7028 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
7029 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
7030 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
7031 BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
7032 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
7033 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
7034 BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
7035 BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
7036 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
7037 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
7038 BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
7039 BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
7040 BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
7041 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
7042 BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
7043 BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
7044 BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
7047 .fixup_map_hash_48b = { 3 },
7048 .errstr_unpriv = "R0 leaks addr",
7050 .result_unpriv = REJECT,
7051 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7054 "map element value with unaligned load",
7056 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7057 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7058 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7059 BPF_LD_MAP_FD(BPF_REG_1, 0),
7060 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7061 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
7062 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
7063 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
7064 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
7065 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
7066 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
7067 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
7068 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
7069 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
7070 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
7071 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
7072 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
7075 .fixup_map_hash_48b = { 3 },
7076 .errstr_unpriv = "R0 leaks addr",
7078 .result_unpriv = REJECT,
7079 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7082 "map element value illegal alu op, 1",
7084 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7085 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7086 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7087 BPF_LD_MAP_FD(BPF_REG_1, 0),
7088 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7089 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7090 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
7091 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
7094 .fixup_map_hash_48b = { 3 },
7095 .errstr = "R0 bitwise operator &= on pointer",
7099 "map element value illegal alu op, 2",
7101 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7102 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7103 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7104 BPF_LD_MAP_FD(BPF_REG_1, 0),
7105 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7106 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7107 BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
7108 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
7111 .fixup_map_hash_48b = { 3 },
7112 .errstr = "R0 32-bit pointer arithmetic prohibited",
7116 "map element value illegal alu op, 3",
7118 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7119 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7120 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7121 BPF_LD_MAP_FD(BPF_REG_1, 0),
7122 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7123 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7124 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
7125 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
7128 .fixup_map_hash_48b = { 3 },
7129 .errstr = "R0 pointer arithmetic with /= operator",
7133 "map element value illegal alu op, 4",
7135 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7136 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7137 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7138 BPF_LD_MAP_FD(BPF_REG_1, 0),
7139 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7140 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7141 BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),
7142 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
7145 .fixup_map_hash_48b = { 3 },
7146 .errstr_unpriv = "R0 pointer arithmetic prohibited",
7147 .errstr = "invalid mem access 'inv'",
7149 .result_unpriv = REJECT,
7152 "map element value illegal alu op, 5",
7154 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7155 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7156 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7157 BPF_LD_MAP_FD(BPF_REG_1, 0),
7158 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7159 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7160 BPF_MOV64_IMM(BPF_REG_3, 4096),
7161 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7162 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7163 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
7164 BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
7165 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
7166 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
7169 .fixup_map_hash_48b = { 3 },
7170 .errstr = "R0 invalid mem access 'inv'",
7174 "map element value is preserved across register spilling",
7176 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7177 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7178 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7179 BPF_LD_MAP_FD(BPF_REG_1, 0),
7180 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7181 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7182 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0,
7183 offsetof(struct test_val, foo)),
7184 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
7185 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7186 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
7187 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
7188 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
7189 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
7192 .fixup_map_hash_48b = { 3 },
7193 .errstr_unpriv = "R0 leaks addr",
7195 .result_unpriv = REJECT,
7196 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7199 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
7201 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7202 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7203 BPF_MOV64_IMM(BPF_REG_0, 0),
7204 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7205 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7206 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7207 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7208 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
7209 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7210 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7211 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7212 BPF_MOV64_IMM(BPF_REG_2, 16),
7213 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7214 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7215 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
7216 BPF_MOV64_IMM(BPF_REG_4, 0),
7217 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
7218 BPF_MOV64_IMM(BPF_REG_3, 0),
7219 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7220 BPF_MOV64_IMM(BPF_REG_0, 0),
7224 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7227 "helper access to variable memory: stack, bitwise AND, zero included",
7229 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7230 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7231 BPF_MOV64_IMM(BPF_REG_2, 16),
7232 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7233 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7234 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
7235 BPF_MOV64_IMM(BPF_REG_3, 0),
7236 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7239 .errstr = "invalid indirect read from stack off -64+0 size 64",
7241 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7244 "helper access to variable memory: stack, bitwise AND + JMP, wrong max",
7246 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7247 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7248 BPF_MOV64_IMM(BPF_REG_2, 16),
7249 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7250 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7251 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
7252 BPF_MOV64_IMM(BPF_REG_4, 0),
7253 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
7254 BPF_MOV64_IMM(BPF_REG_3, 0),
7255 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7256 BPF_MOV64_IMM(BPF_REG_0, 0),
7259 .errstr = "invalid stack type R1 off=-64 access_size=65",
7261 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7264 "helper access to variable memory: stack, JMP, correct bounds",
7266 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7267 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7268 BPF_MOV64_IMM(BPF_REG_0, 0),
7269 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7270 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7271 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7272 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7273 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
7274 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7275 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7276 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7277 BPF_MOV64_IMM(BPF_REG_2, 16),
7278 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7279 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7280 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
7281 BPF_MOV64_IMM(BPF_REG_4, 0),
7282 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
7283 BPF_MOV64_IMM(BPF_REG_3, 0),
7284 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7285 BPF_MOV64_IMM(BPF_REG_0, 0),
7289 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7292 "helper access to variable memory: stack, JMP (signed), correct bounds",
7294 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7295 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7296 BPF_MOV64_IMM(BPF_REG_0, 0),
7297 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7298 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7299 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7300 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7301 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
7302 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7303 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7304 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7305 BPF_MOV64_IMM(BPF_REG_2, 16),
7306 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7307 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7308 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
7309 BPF_MOV64_IMM(BPF_REG_4, 0),
7310 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
7311 BPF_MOV64_IMM(BPF_REG_3, 0),
7312 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7313 BPF_MOV64_IMM(BPF_REG_0, 0),
7317 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7320 "helper access to variable memory: stack, JMP, bounds + offset",
7322 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7323 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7324 BPF_MOV64_IMM(BPF_REG_2, 16),
7325 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7326 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7327 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
7328 BPF_MOV64_IMM(BPF_REG_4, 0),
7329 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
7330 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
7331 BPF_MOV64_IMM(BPF_REG_3, 0),
7332 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7333 BPF_MOV64_IMM(BPF_REG_0, 0),
7336 .errstr = "invalid stack type R1 off=-64 access_size=65",
7338 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7341 "helper access to variable memory: stack, JMP, wrong max",
7343 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7344 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7345 BPF_MOV64_IMM(BPF_REG_2, 16),
7346 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7347 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7348 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
7349 BPF_MOV64_IMM(BPF_REG_4, 0),
7350 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
7351 BPF_MOV64_IMM(BPF_REG_3, 0),
7352 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7353 BPF_MOV64_IMM(BPF_REG_0, 0),
7356 .errstr = "invalid stack type R1 off=-64 access_size=65",
7358 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7361 "helper access to variable memory: stack, JMP, no max check",
7363 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7364 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7365 BPF_MOV64_IMM(BPF_REG_2, 16),
7366 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7367 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7368 BPF_MOV64_IMM(BPF_REG_4, 0),
7369 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
7370 BPF_MOV64_IMM(BPF_REG_3, 0),
7371 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7372 BPF_MOV64_IMM(BPF_REG_0, 0),
7375 /* because max wasn't checked, signed min is negative */
7376 .errstr = "R2 min value is negative, either use unsigned or 'var &= const'",
7378 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7381 "helper access to variable memory: stack, JMP, no min check",
7383 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7384 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7385 BPF_MOV64_IMM(BPF_REG_2, 16),
7386 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7387 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7388 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
7389 BPF_MOV64_IMM(BPF_REG_3, 0),
7390 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7391 BPF_MOV64_IMM(BPF_REG_0, 0),
7394 .errstr = "invalid indirect read from stack off -64+0 size 64",
7396 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7399 "helper access to variable memory: stack, JMP (signed), no min check",
7401 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7402 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7403 BPF_MOV64_IMM(BPF_REG_2, 16),
7404 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7405 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7406 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
7407 BPF_MOV64_IMM(BPF_REG_3, 0),
7408 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7409 BPF_MOV64_IMM(BPF_REG_0, 0),
7412 .errstr = "R2 min value is negative",
7414 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7417 "helper access to variable memory: map, JMP, correct bounds",
7419 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7420 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7421 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7422 BPF_LD_MAP_FD(BPF_REG_1, 0),
7423 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7424 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
7425 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7426 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
7427 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7428 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7429 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
7430 sizeof(struct test_val), 4),
7431 BPF_MOV64_IMM(BPF_REG_4, 0),
7432 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
7433 BPF_MOV64_IMM(BPF_REG_3, 0),
7434 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7435 BPF_MOV64_IMM(BPF_REG_0, 0),
7438 .fixup_map_hash_48b = { 3 },
7440 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7443 "helper access to variable memory: map, JMP, wrong max",
7445 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7446 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7447 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7448 BPF_LD_MAP_FD(BPF_REG_1, 0),
7449 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7450 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
7451 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7452 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
7453 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7454 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7455 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
7456 sizeof(struct test_val) + 1, 4),
7457 BPF_MOV64_IMM(BPF_REG_4, 0),
7458 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
7459 BPF_MOV64_IMM(BPF_REG_3, 0),
7460 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7461 BPF_MOV64_IMM(BPF_REG_0, 0),
7464 .fixup_map_hash_48b = { 3 },
7465 .errstr = "invalid access to map value, value_size=48 off=0 size=49",
7467 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7470 "helper access to variable memory: map adjusted, JMP, correct bounds",
7472 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7473 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7474 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7475 BPF_LD_MAP_FD(BPF_REG_1, 0),
7476 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7477 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
7478 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7479 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
7480 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
7481 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7482 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7483 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
7484 sizeof(struct test_val) - 20, 4),
7485 BPF_MOV64_IMM(BPF_REG_4, 0),
7486 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
7487 BPF_MOV64_IMM(BPF_REG_3, 0),
7488 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7489 BPF_MOV64_IMM(BPF_REG_0, 0),
7492 .fixup_map_hash_48b = { 3 },
7494 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7497 "helper access to variable memory: map adjusted, JMP, wrong max",
7499 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7500 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7501 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7502 BPF_LD_MAP_FD(BPF_REG_1, 0),
7503 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7504 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
7505 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7506 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
7507 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
7508 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7509 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7510 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
7511 sizeof(struct test_val) - 19, 4),
7512 BPF_MOV64_IMM(BPF_REG_4, 0),
7513 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
7514 BPF_MOV64_IMM(BPF_REG_3, 0),
7515 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7516 BPF_MOV64_IMM(BPF_REG_0, 0),
7519 .fixup_map_hash_48b = { 3 },
7520 .errstr = "R1 min value is outside of the array range",
7522 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7525 "helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
7527 BPF_MOV64_IMM(BPF_REG_1, 0),
7528 BPF_MOV64_IMM(BPF_REG_2, 0),
7529 BPF_MOV64_IMM(BPF_REG_3, 0),
7530 BPF_MOV64_IMM(BPF_REG_4, 0),
7531 BPF_MOV64_IMM(BPF_REG_5, 0),
7532 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7536 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7539 "helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
7541 BPF_MOV64_IMM(BPF_REG_1, 0),
7542 BPF_MOV64_IMM(BPF_REG_2, 1),
7543 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7544 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7545 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
7546 BPF_MOV64_IMM(BPF_REG_3, 0),
7547 BPF_MOV64_IMM(BPF_REG_4, 0),
7548 BPF_MOV64_IMM(BPF_REG_5, 0),
7549 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7552 .errstr = "R1 type=inv expected=fp",
7554 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7557 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
7559 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7560 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
7561 BPF_MOV64_IMM(BPF_REG_2, 0),
7562 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
7563 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
7564 BPF_MOV64_IMM(BPF_REG_3, 0),
7565 BPF_MOV64_IMM(BPF_REG_4, 0),
7566 BPF_MOV64_IMM(BPF_REG_5, 0),
7567 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7571 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7574 "helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
7576 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7577 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7578 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7579 BPF_LD_MAP_FD(BPF_REG_1, 0),
7580 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7581 BPF_FUNC_map_lookup_elem),
7582 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7583 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7584 BPF_MOV64_IMM(BPF_REG_2, 0),
7585 BPF_MOV64_IMM(BPF_REG_3, 0),
7586 BPF_MOV64_IMM(BPF_REG_4, 0),
7587 BPF_MOV64_IMM(BPF_REG_5, 0),
7588 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7591 .fixup_map_hash_8b = { 3 },
7593 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7596 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
7598 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7599 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7600 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7601 BPF_LD_MAP_FD(BPF_REG_1, 0),
7602 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7603 BPF_FUNC_map_lookup_elem),
7604 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7605 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
7606 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7),
7607 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7608 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
7609 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
7610 BPF_MOV64_IMM(BPF_REG_3, 0),
7611 BPF_MOV64_IMM(BPF_REG_4, 0),
7612 BPF_MOV64_IMM(BPF_REG_5, 0),
7613 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7616 .fixup_map_hash_8b = { 3 },
7618 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7621 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
7623 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7624 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7625 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7626 BPF_LD_MAP_FD(BPF_REG_1, 0),
7627 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7628 BPF_FUNC_map_lookup_elem),
7629 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7630 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7631 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
7632 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
7633 BPF_MOV64_IMM(BPF_REG_3, 0),
7634 BPF_MOV64_IMM(BPF_REG_4, 0),
7635 BPF_MOV64_IMM(BPF_REG_5, 0),
7636 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7639 .fixup_map_hash_8b = { 3 },
7641 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7644 "helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)",
7646 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
7647 offsetof(struct __sk_buff, data)),
7648 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7649 offsetof(struct __sk_buff, data_end)),
7650 BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),
7651 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
7652 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
7653 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
7654 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0),
7655 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
7656 BPF_MOV64_IMM(BPF_REG_3, 0),
7657 BPF_MOV64_IMM(BPF_REG_4, 0),
7658 BPF_MOV64_IMM(BPF_REG_5, 0),
7659 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7663 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7664 .retval = 0 /* csum_diff of 64-byte packet */,
7667 "helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
7669 BPF_MOV64_IMM(BPF_REG_1, 0),
7670 BPF_MOV64_IMM(BPF_REG_2, 0),
7671 BPF_MOV64_IMM(BPF_REG_3, 0),
7672 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7675 .errstr = "R1 type=inv expected=fp",
7677 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7680 "helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
7682 BPF_MOV64_IMM(BPF_REG_1, 0),
7683 BPF_MOV64_IMM(BPF_REG_2, 1),
7684 BPF_MOV64_IMM(BPF_REG_3, 0),
7685 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7688 .errstr = "R1 type=inv expected=fp",
7690 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7693 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
7695 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7696 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
7697 BPF_MOV64_IMM(BPF_REG_2, 0),
7698 BPF_MOV64_IMM(BPF_REG_3, 0),
7699 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7703 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7706 "helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
7708 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7709 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7710 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7711 BPF_LD_MAP_FD(BPF_REG_1, 0),
7712 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7713 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7714 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7715 BPF_MOV64_IMM(BPF_REG_2, 0),
7716 BPF_MOV64_IMM(BPF_REG_3, 0),
7717 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7720 .fixup_map_hash_8b = { 3 },
7722 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7725 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
7727 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7728 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7729 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7730 BPF_LD_MAP_FD(BPF_REG_1, 0),
7731 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7732 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7733 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
7734 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
7735 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7736 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
7737 BPF_MOV64_IMM(BPF_REG_3, 0),
7738 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7741 .fixup_map_hash_8b = { 3 },
7743 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7746 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
7748 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7749 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7750 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7751 BPF_LD_MAP_FD(BPF_REG_1, 0),
7752 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7753 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7754 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7755 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
7756 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2),
7757 BPF_MOV64_IMM(BPF_REG_3, 0),
7758 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7761 .fixup_map_hash_8b = { 3 },
7763 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7766 "helper access to variable memory: 8 bytes leak",
7768 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7769 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7770 BPF_MOV64_IMM(BPF_REG_0, 0),
7771 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7772 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7773 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7774 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7775 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7776 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7777 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7778 BPF_MOV64_IMM(BPF_REG_2, 1),
7779 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7780 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7781 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
7782 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
7783 BPF_MOV64_IMM(BPF_REG_3, 0),
7784 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7785 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7788 .errstr = "invalid indirect read from stack off -64+32 size 64",
7790 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7793 "helper access to variable memory: 8 bytes no leak (init memory)",
7795 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7796 BPF_MOV64_IMM(BPF_REG_0, 0),
7797 BPF_MOV64_IMM(BPF_REG_0, 0),
7798 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7799 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7800 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7801 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7802 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
7803 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7804 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7805 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7806 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7807 BPF_MOV64_IMM(BPF_REG_2, 0),
7808 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
7809 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
7810 BPF_MOV64_IMM(BPF_REG_3, 0),
7811 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7812 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7816 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7819 "invalid and of negative number",
7821 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7822 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7823 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7824 BPF_LD_MAP_FD(BPF_REG_1, 0),
7825 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7826 BPF_FUNC_map_lookup_elem),
7827 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7828 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7829 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4),
7830 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
7831 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7832 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
7833 offsetof(struct test_val, foo)),
7836 .fixup_map_hash_48b = { 3 },
7837 .errstr = "R0 max value is outside of the array range",
7839 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7842 "invalid range check",
7844 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7845 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7846 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7847 BPF_LD_MAP_FD(BPF_REG_1, 0),
7848 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7849 BPF_FUNC_map_lookup_elem),
7850 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12),
7851 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
7852 BPF_MOV64_IMM(BPF_REG_9, 1),
7853 BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2),
7854 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
7855 BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1),
7856 BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1),
7857 BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1),
7858 BPF_MOV32_IMM(BPF_REG_3, 1),
7859 BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9),
7860 BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000),
7861 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
7862 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),
7863 BPF_MOV64_REG(BPF_REG_0, 0),
7866 .fixup_map_hash_48b = { 3 },
7867 .errstr = "R0 max value is outside of the array range",
7869 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7872 "map in map access",
7874 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7875 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7876 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7877 BPF_LD_MAP_FD(BPF_REG_1, 0),
7878 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7879 BPF_FUNC_map_lookup_elem),
7880 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7881 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7882 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7883 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7884 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7885 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7886 BPF_FUNC_map_lookup_elem),
7887 BPF_MOV64_IMM(BPF_REG_0, 0),
7890 .fixup_map_in_map = { 3 },
7894 "invalid inner map pointer",
7896 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7897 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7898 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7899 BPF_LD_MAP_FD(BPF_REG_1, 0),
7900 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7901 BPF_FUNC_map_lookup_elem),
7902 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7903 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7904 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7905 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7906 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7907 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7908 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7909 BPF_FUNC_map_lookup_elem),
7910 BPF_MOV64_IMM(BPF_REG_0, 0),
7913 .fixup_map_in_map = { 3 },
7914 .errstr = "R1 pointer arithmetic on map_ptr prohibited",
7918 "forgot null checking on the inner map pointer",
7920 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7921 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7922 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7923 BPF_LD_MAP_FD(BPF_REG_1, 0),
7924 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7925 BPF_FUNC_map_lookup_elem),
7926 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7927 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7928 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7929 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7930 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7931 BPF_FUNC_map_lookup_elem),
7932 BPF_MOV64_IMM(BPF_REG_0, 0),
7935 .fixup_map_in_map = { 3 },
7936 .errstr = "R1 type=map_value_or_null expected=map_ptr",
7940 "ld_abs: check calling conv, r1",
7942 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7943 BPF_MOV64_IMM(BPF_REG_1, 0),
7944 BPF_LD_ABS(BPF_W, -0x200000),
7945 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
7948 .errstr = "R1 !read_ok",
7952 "ld_abs: check calling conv, r2",
7954 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7955 BPF_MOV64_IMM(BPF_REG_2, 0),
7956 BPF_LD_ABS(BPF_W, -0x200000),
7957 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7960 .errstr = "R2 !read_ok",
7964 "ld_abs: check calling conv, r3",
7966 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7967 BPF_MOV64_IMM(BPF_REG_3, 0),
7968 BPF_LD_ABS(BPF_W, -0x200000),
7969 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7972 .errstr = "R3 !read_ok",
7976 "ld_abs: check calling conv, r4",
7978 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7979 BPF_MOV64_IMM(BPF_REG_4, 0),
7980 BPF_LD_ABS(BPF_W, -0x200000),
7981 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
7984 .errstr = "R4 !read_ok",
7988 "ld_abs: check calling conv, r5",
7990 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7991 BPF_MOV64_IMM(BPF_REG_5, 0),
7992 BPF_LD_ABS(BPF_W, -0x200000),
7993 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
7996 .errstr = "R5 !read_ok",
8000 "ld_abs: check calling conv, r7",
8002 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8003 BPF_MOV64_IMM(BPF_REG_7, 0),
8004 BPF_LD_ABS(BPF_W, -0x200000),
8005 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
8011 "ld_abs: tests on r6 and skb data reload helper",
8013 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8014 BPF_LD_ABS(BPF_B, 0),
8015 BPF_LD_ABS(BPF_H, 0),
8016 BPF_LD_ABS(BPF_W, 0),
8017 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
8018 BPF_MOV64_IMM(BPF_REG_6, 0),
8019 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
8020 BPF_MOV64_IMM(BPF_REG_2, 1),
8021 BPF_MOV64_IMM(BPF_REG_3, 2),
8022 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8023 BPF_FUNC_skb_vlan_push),
8024 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
8025 BPF_LD_ABS(BPF_B, 0),
8026 BPF_LD_ABS(BPF_H, 0),
8027 BPF_LD_ABS(BPF_W, 0),
8028 BPF_MOV64_IMM(BPF_REG_0, 42),
8031 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8033 .retval = 42 /* ultimate return value */,
8036 "ld_ind: check calling conv, r1",
8038 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8039 BPF_MOV64_IMM(BPF_REG_1, 1),
8040 BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000),
8041 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
8044 .errstr = "R1 !read_ok",
8048 "ld_ind: check calling conv, r2",
8050 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8051 BPF_MOV64_IMM(BPF_REG_2, 1),
8052 BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000),
8053 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8056 .errstr = "R2 !read_ok",
8060 "ld_ind: check calling conv, r3",
8062 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8063 BPF_MOV64_IMM(BPF_REG_3, 1),
8064 BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000),
8065 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8068 .errstr = "R3 !read_ok",
8072 "ld_ind: check calling conv, r4",
8074 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8075 BPF_MOV64_IMM(BPF_REG_4, 1),
8076 BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000),
8077 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
8080 .errstr = "R4 !read_ok",
8084 "ld_ind: check calling conv, r5",
8086 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8087 BPF_MOV64_IMM(BPF_REG_5, 1),
8088 BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000),
8089 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
8092 .errstr = "R5 !read_ok",
8096 "ld_ind: check calling conv, r7",
8098 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8099 BPF_MOV64_IMM(BPF_REG_7, 1),
8100 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
8101 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
8108 "check bpf_perf_event_data->sample_period byte load permitted",
8110 BPF_MOV64_IMM(BPF_REG_0, 0),
8111 #if __BYTE_ORDER == __LITTLE_ENDIAN
8112 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
8113 offsetof(struct bpf_perf_event_data, sample_period)),
8115 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
8116 offsetof(struct bpf_perf_event_data, sample_period) + 7),
8121 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
8124 "check bpf_perf_event_data->sample_period half load permitted",
8126 BPF_MOV64_IMM(BPF_REG_0, 0),
8127 #if __BYTE_ORDER == __LITTLE_ENDIAN
8128 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
8129 offsetof(struct bpf_perf_event_data, sample_period)),
8131 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
8132 offsetof(struct bpf_perf_event_data, sample_period) + 6),
8137 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
8140 "check bpf_perf_event_data->sample_period word load permitted",
8142 BPF_MOV64_IMM(BPF_REG_0, 0),
8143 #if __BYTE_ORDER == __LITTLE_ENDIAN
8144 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8145 offsetof(struct bpf_perf_event_data, sample_period)),
8147 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8148 offsetof(struct bpf_perf_event_data, sample_period) + 4),
8153 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
8156 "check bpf_perf_event_data->sample_period dword load permitted",
8158 BPF_MOV64_IMM(BPF_REG_0, 0),
8159 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
8160 offsetof(struct bpf_perf_event_data, sample_period)),
8164 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
8167 "check skb->data half load not permitted",
8169 BPF_MOV64_IMM(BPF_REG_0, 0),
8170 #if __BYTE_ORDER == __LITTLE_ENDIAN
8171 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
8172 offsetof(struct __sk_buff, data)),
8174 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
8175 offsetof(struct __sk_buff, data) + 2),
8180 .errstr = "invalid bpf_context access",
8183 "check skb->tc_classid half load not permitted for lwt prog",
8185 BPF_MOV64_IMM(BPF_REG_0, 0),
8186 #if __BYTE_ORDER == __LITTLE_ENDIAN
8187 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
8188 offsetof(struct __sk_buff, tc_classid)),
8190 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
8191 offsetof(struct __sk_buff, tc_classid) + 2),
8196 .errstr = "invalid bpf_context access",
8197 .prog_type = BPF_PROG_TYPE_LWT_IN,
8200 "bounds checks mixing signed and unsigned, positive bounds",
8202 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8203 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8204 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8205 BPF_LD_MAP_FD(BPF_REG_1, 0),
8206 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8207 BPF_FUNC_map_lookup_elem),
8208 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
8209 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8210 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8211 BPF_MOV64_IMM(BPF_REG_2, 2),
8212 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3),
8213 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 4, 2),
8214 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8215 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8216 BPF_MOV64_IMM(BPF_REG_0, 0),
8219 .fixup_map_hash_8b = { 3 },
8220 .errstr = "unbounded min value",
8224 "bounds checks mixing signed and unsigned",
8226 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8227 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8228 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8229 BPF_LD_MAP_FD(BPF_REG_1, 0),
8230 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8231 BPF_FUNC_map_lookup_elem),
8232 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
8233 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8234 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8235 BPF_MOV64_IMM(BPF_REG_2, -1),
8236 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
8237 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8238 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8239 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8240 BPF_MOV64_IMM(BPF_REG_0, 0),
8243 .fixup_map_hash_8b = { 3 },
8244 .errstr = "unbounded min value",
8248 "bounds checks mixing signed and unsigned, variant 2",
8250 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8251 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8252 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8253 BPF_LD_MAP_FD(BPF_REG_1, 0),
8254 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8255 BPF_FUNC_map_lookup_elem),
8256 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8257 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8258 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8259 BPF_MOV64_IMM(BPF_REG_2, -1),
8260 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
8261 BPF_MOV64_IMM(BPF_REG_8, 0),
8262 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_1),
8263 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
8264 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
8265 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
8266 BPF_MOV64_IMM(BPF_REG_0, 0),
8269 .fixup_map_hash_8b = { 3 },
8270 .errstr = "unbounded min value",
8274 "bounds checks mixing signed and unsigned, variant 3",
8276 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8277 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8278 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8279 BPF_LD_MAP_FD(BPF_REG_1, 0),
8280 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8281 BPF_FUNC_map_lookup_elem),
8282 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
8283 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8284 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8285 BPF_MOV64_IMM(BPF_REG_2, -1),
8286 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4),
8287 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
8288 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
8289 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
8290 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
8291 BPF_MOV64_IMM(BPF_REG_0, 0),
8294 .fixup_map_hash_8b = { 3 },
8295 .errstr = "unbounded min value",
8299 "bounds checks mixing signed and unsigned, variant 4",
8301 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8302 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8303 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8304 BPF_LD_MAP_FD(BPF_REG_1, 0),
8305 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8306 BPF_FUNC_map_lookup_elem),
8307 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
8308 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8309 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8310 BPF_MOV64_IMM(BPF_REG_2, 1),
8311 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
8312 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8313 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8314 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8315 BPF_MOV64_IMM(BPF_REG_0, 0),
8318 .fixup_map_hash_8b = { 3 },
8322 "bounds checks mixing signed and unsigned, variant 5",
8324 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8325 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8326 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8327 BPF_LD_MAP_FD(BPF_REG_1, 0),
8328 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8329 BPF_FUNC_map_lookup_elem),
8330 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8331 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8332 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8333 BPF_MOV64_IMM(BPF_REG_2, -1),
8334 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
8335 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 4),
8336 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4),
8337 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
8338 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8339 BPF_MOV64_IMM(BPF_REG_0, 0),
8342 .fixup_map_hash_8b = { 3 },
8343 .errstr = "unbounded min value",
8347 "bounds checks mixing signed and unsigned, variant 6",
8349 BPF_MOV64_IMM(BPF_REG_2, 0),
8350 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
8351 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512),
8352 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8353 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16),
8354 BPF_MOV64_IMM(BPF_REG_6, -1),
8355 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5),
8356 BPF_JMP_IMM(BPF_JSGT, BPF_REG_4, 1, 4),
8357 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
8358 BPF_MOV64_IMM(BPF_REG_5, 0),
8359 BPF_ST_MEM(BPF_H, BPF_REG_10, -512, 0),
8360 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8361 BPF_FUNC_skb_load_bytes),
8362 BPF_MOV64_IMM(BPF_REG_0, 0),
8365 .errstr = "R4 min value is negative, either use unsigned",
8369 "bounds checks mixing signed and unsigned, variant 7",
8371 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8372 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8373 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8374 BPF_LD_MAP_FD(BPF_REG_1, 0),
8375 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8376 BPF_FUNC_map_lookup_elem),
8377 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
8378 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8379 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8380 BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024),
8381 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
8382 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8383 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8384 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8385 BPF_MOV64_IMM(BPF_REG_0, 0),
8388 .fixup_map_hash_8b = { 3 },
8392 "bounds checks mixing signed and unsigned, variant 8",
8394 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8395 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8396 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8397 BPF_LD_MAP_FD(BPF_REG_1, 0),
8398 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8399 BPF_FUNC_map_lookup_elem),
8400 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8401 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8402 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8403 BPF_MOV64_IMM(BPF_REG_2, -1),
8404 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
8405 BPF_MOV64_IMM(BPF_REG_0, 0),
8407 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8408 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8409 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8410 BPF_MOV64_IMM(BPF_REG_0, 0),
8413 .fixup_map_hash_8b = { 3 },
8414 .errstr = "unbounded min value",
8418 "bounds checks mixing signed and unsigned, variant 9",
8420 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8421 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8422 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8423 BPF_LD_MAP_FD(BPF_REG_1, 0),
8424 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8425 BPF_FUNC_map_lookup_elem),
8426 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
8427 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8428 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8429 BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL),
8430 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
8431 BPF_MOV64_IMM(BPF_REG_0, 0),
8433 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8434 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8435 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8436 BPF_MOV64_IMM(BPF_REG_0, 0),
8439 .fixup_map_hash_8b = { 3 },
8443 "bounds checks mixing signed and unsigned, variant 10",
8445 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8446 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8447 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8448 BPF_LD_MAP_FD(BPF_REG_1, 0),
8449 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8450 BPF_FUNC_map_lookup_elem),
8451 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8452 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8453 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8454 BPF_MOV64_IMM(BPF_REG_2, 0),
8455 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
8456 BPF_MOV64_IMM(BPF_REG_0, 0),
8458 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8459 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8460 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8461 BPF_MOV64_IMM(BPF_REG_0, 0),
8464 .fixup_map_hash_8b = { 3 },
8465 .errstr = "unbounded min value",
8469 "bounds checks mixing signed and unsigned, variant 11",
8471 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8472 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8473 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8474 BPF_LD_MAP_FD(BPF_REG_1, 0),
8475 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8476 BPF_FUNC_map_lookup_elem),
8477 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8478 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8479 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8480 BPF_MOV64_IMM(BPF_REG_2, -1),
8481 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
8483 BPF_MOV64_IMM(BPF_REG_0, 0),
8485 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8486 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8487 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8488 BPF_MOV64_IMM(BPF_REG_0, 0),
8491 .fixup_map_hash_8b = { 3 },
8492 .errstr = "unbounded min value",
8496 "bounds checks mixing signed and unsigned, variant 12",
8498 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8499 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8500 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8501 BPF_LD_MAP_FD(BPF_REG_1, 0),
8502 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8503 BPF_FUNC_map_lookup_elem),
8504 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8505 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8506 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8507 BPF_MOV64_IMM(BPF_REG_2, -6),
8508 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
8509 BPF_MOV64_IMM(BPF_REG_0, 0),
8511 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8512 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8513 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8514 BPF_MOV64_IMM(BPF_REG_0, 0),
8517 .fixup_map_hash_8b = { 3 },
8518 .errstr = "unbounded min value",
8522 "bounds checks mixing signed and unsigned, variant 13",
8524 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8525 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8526 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8527 BPF_LD_MAP_FD(BPF_REG_1, 0),
8528 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8529 BPF_FUNC_map_lookup_elem),
8530 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8531 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8532 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8533 BPF_MOV64_IMM(BPF_REG_2, 2),
8534 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
8535 BPF_MOV64_IMM(BPF_REG_7, 1),
8536 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 0, 2),
8537 BPF_MOV64_IMM(BPF_REG_0, 0),
8539 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_1),
8540 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 4, 2),
8541 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_7),
8542 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8543 BPF_MOV64_IMM(BPF_REG_0, 0),
8546 .fixup_map_hash_8b = { 3 },
8547 .errstr = "unbounded min value",
8551 "bounds checks mixing signed and unsigned, variant 14",
8553 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
8554 offsetof(struct __sk_buff, mark)),
8555 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8556 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8557 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8558 BPF_LD_MAP_FD(BPF_REG_1, 0),
8559 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8560 BPF_FUNC_map_lookup_elem),
8561 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
8562 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8563 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8564 BPF_MOV64_IMM(BPF_REG_2, -1),
8565 BPF_MOV64_IMM(BPF_REG_8, 2),
8566 BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 42, 6),
8567 BPF_JMP_REG(BPF_JSGT, BPF_REG_8, BPF_REG_1, 3),
8568 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8569 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8570 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8571 BPF_MOV64_IMM(BPF_REG_0, 0),
8573 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3),
8574 BPF_JMP_IMM(BPF_JA, 0, 0, -7),
8576 .fixup_map_hash_8b = { 4 },
8577 .errstr = "R0 invalid mem access 'inv'",
8581 "bounds checks mixing signed and unsigned, variant 15",
8583 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8584 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8585 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8586 BPF_LD_MAP_FD(BPF_REG_1, 0),
8587 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8588 BPF_FUNC_map_lookup_elem),
8589 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8590 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8591 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8592 BPF_MOV64_IMM(BPF_REG_2, -6),
8593 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
8594 BPF_MOV64_IMM(BPF_REG_0, 0),
8596 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8597 BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 1, 2),
8598 BPF_MOV64_IMM(BPF_REG_0, 0),
8600 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8601 BPF_MOV64_IMM(BPF_REG_0, 0),
8604 .fixup_map_hash_8b = { 3 },
8605 .errstr = "unbounded min value",
8607 .result_unpriv = REJECT,
8610 "subtraction bounds (map value) variant 1",
8612 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8613 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8614 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8615 BPF_LD_MAP_FD(BPF_REG_1, 0),
8616 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8617 BPF_FUNC_map_lookup_elem),
8618 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8619 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8620 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7),
8621 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
8622 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5),
8623 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
8624 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56),
8625 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8626 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8628 BPF_MOV64_IMM(BPF_REG_0, 0),
8631 .fixup_map_hash_8b = { 3 },
8632 .errstr = "R0 max value is outside of the array range",
8636 "subtraction bounds (map value) variant 2",
8638 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8639 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8640 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8641 BPF_LD_MAP_FD(BPF_REG_1, 0),
8642 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8643 BPF_FUNC_map_lookup_elem),
8644 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
8645 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8646 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6),
8647 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
8648 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4),
8649 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
8650 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8651 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8653 BPF_MOV64_IMM(BPF_REG_0, 0),
8656 .fixup_map_hash_8b = { 3 },
8657 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
8661 "bounds check based on zero-extended MOV",
8663 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8664 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8665 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8666 BPF_LD_MAP_FD(BPF_REG_1, 0),
8667 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8668 BPF_FUNC_map_lookup_elem),
8669 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8670 /* r2 = 0x0000'0000'ffff'ffff */
8671 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff),
8673 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
8675 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
8676 /* access at offset 0 */
8677 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8679 BPF_MOV64_IMM(BPF_REG_0, 0),
8682 .fixup_map_hash_8b = { 3 },
8686 "bounds check based on sign-extended MOV. test1",
8688 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8689 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8690 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8691 BPF_LD_MAP_FD(BPF_REG_1, 0),
8692 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8693 BPF_FUNC_map_lookup_elem),
8694 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8695 /* r2 = 0xffff'ffff'ffff'ffff */
8696 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
8697 /* r2 = 0xffff'ffff */
8698 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
8699 /* r0 = <oob pointer> */
8700 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
8701 /* access to OOB pointer */
8702 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8704 BPF_MOV64_IMM(BPF_REG_0, 0),
8707 .fixup_map_hash_8b = { 3 },
8708 .errstr = "map_value pointer and 4294967295",
8712 "bounds check based on sign-extended MOV. test2",
8714 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8715 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8716 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8717 BPF_LD_MAP_FD(BPF_REG_1, 0),
8718 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8719 BPF_FUNC_map_lookup_elem),
8720 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8721 /* r2 = 0xffff'ffff'ffff'ffff */
8722 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
8723 /* r2 = 0xfff'ffff */
8724 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 36),
8725 /* r0 = <oob pointer> */
8726 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
8727 /* access to OOB pointer */
8728 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8730 BPF_MOV64_IMM(BPF_REG_0, 0),
8733 .fixup_map_hash_8b = { 3 },
8734 .errstr = "R0 min value is outside of the array range",
8738 "bounds check based on reg_off + var_off + insn_off. test1",
8740 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
8741 offsetof(struct __sk_buff, mark)),
8742 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8743 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8744 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8745 BPF_LD_MAP_FD(BPF_REG_1, 0),
8746 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8747 BPF_FUNC_map_lookup_elem),
8748 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8749 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
8750 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 29) - 1),
8751 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
8752 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
8753 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
8754 BPF_MOV64_IMM(BPF_REG_0, 0),
8757 .fixup_map_hash_8b = { 4 },
8758 .errstr = "value_size=8 off=1073741825",
8760 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8763 "bounds check based on reg_off + var_off + insn_off. test2",
8765 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
8766 offsetof(struct __sk_buff, mark)),
8767 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8768 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8769 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8770 BPF_LD_MAP_FD(BPF_REG_1, 0),
8771 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8772 BPF_FUNC_map_lookup_elem),
8773 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8774 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
8775 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 30) - 1),
8776 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
8777 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
8778 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
8779 BPF_MOV64_IMM(BPF_REG_0, 0),
8782 .fixup_map_hash_8b = { 4 },
8783 .errstr = "value 1073741823",
8785 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8788 "bounds check after truncation of non-boundary-crossing range",
8790 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8791 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8792 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8793 BPF_LD_MAP_FD(BPF_REG_1, 0),
8794 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8795 BPF_FUNC_map_lookup_elem),
8796 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8797 /* r1 = [0x00, 0xff] */
8798 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8799 BPF_MOV64_IMM(BPF_REG_2, 1),
8800 /* r2 = 0x10'0000'0000 */
8801 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 36),
8802 /* r1 = [0x10'0000'0000, 0x10'0000'00ff] */
8803 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
8804 /* r1 = [0x10'7fff'ffff, 0x10'8000'00fe] */
8805 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8806 /* r1 = [0x00, 0xff] */
8807 BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 0x7fffffff),
8809 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8811 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8812 /* access at offset 0 */
8813 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8815 BPF_MOV64_IMM(BPF_REG_0, 0),
8818 .fixup_map_hash_8b = { 3 },
8822 "bounds check after truncation of boundary-crossing range (1)",
8824 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8825 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8826 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8827 BPF_LD_MAP_FD(BPF_REG_1, 0),
8828 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8829 BPF_FUNC_map_lookup_elem),
8830 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8831 /* r1 = [0x00, 0xff] */
8832 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8833 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8834 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
8835 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8836 /* r1 = [0xffff'ff80, 0xffff'ffff] or
8837 * [0x0000'0000, 0x0000'007f]
8839 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 0),
8840 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8841 /* r1 = [0x00, 0xff] or
8842 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
8844 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8846 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
8848 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8849 /* no-op or OOB pointer computation */
8850 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8851 /* potentially OOB access */
8852 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8854 BPF_MOV64_IMM(BPF_REG_0, 0),
8857 .fixup_map_hash_8b = { 3 },
8858 /* not actually fully unbounded, but the bound is very high */
8859 .errstr = "R0 unbounded memory access",
8863 "bounds check after truncation of boundary-crossing range (2)",
8865 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8866 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8867 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8868 BPF_LD_MAP_FD(BPF_REG_1, 0),
8869 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8870 BPF_FUNC_map_lookup_elem),
8871 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8872 /* r1 = [0x00, 0xff] */
8873 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8874 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8875 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
8876 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8877 /* r1 = [0xffff'ff80, 0xffff'ffff] or
8878 * [0x0000'0000, 0x0000'007f]
8879 * difference to previous test: truncation via MOV32
8882 BPF_MOV32_REG(BPF_REG_1, BPF_REG_1),
8883 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8884 /* r1 = [0x00, 0xff] or
8885 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
8887 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8889 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
8891 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8892 /* no-op or OOB pointer computation */
8893 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8894 /* potentially OOB access */
8895 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8897 BPF_MOV64_IMM(BPF_REG_0, 0),
8900 .fixup_map_hash_8b = { 3 },
8901 /* not actually fully unbounded, but the bound is very high */
8902 .errstr = "R0 unbounded memory access",
8906 "bounds check after wrapping 32-bit addition",
8908 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8909 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8910 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8911 BPF_LD_MAP_FD(BPF_REG_1, 0),
8912 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8913 BPF_FUNC_map_lookup_elem),
8914 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
8915 /* r1 = 0x7fff'ffff */
8916 BPF_MOV64_IMM(BPF_REG_1, 0x7fffffff),
8917 /* r1 = 0xffff'fffe */
8918 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8920 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 2),
8922 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8923 /* access at offset 0 */
8924 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8926 BPF_MOV64_IMM(BPF_REG_0, 0),
8929 .fixup_map_hash_8b = { 3 },
8933 "bounds check after shift with oversized count operand",
8935 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8936 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8937 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8938 BPF_LD_MAP_FD(BPF_REG_1, 0),
8939 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8940 BPF_FUNC_map_lookup_elem),
8941 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8942 BPF_MOV64_IMM(BPF_REG_2, 32),
8943 BPF_MOV64_IMM(BPF_REG_1, 1),
8944 /* r1 = (u32)1 << (u32)32 = ? */
8945 BPF_ALU32_REG(BPF_LSH, BPF_REG_1, BPF_REG_2),
8946 /* r1 = [0x0000, 0xffff] */
8947 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xffff),
8948 /* computes unknown pointer, potentially OOB */
8949 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8950 /* potentially OOB access */
8951 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8953 BPF_MOV64_IMM(BPF_REG_0, 0),
8956 .fixup_map_hash_8b = { 3 },
8957 .errstr = "R0 max value is outside of the array range",
8961 "bounds check after right shift of maybe-negative number",
8963 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8964 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8965 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8966 BPF_LD_MAP_FD(BPF_REG_1, 0),
8967 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8968 BPF_FUNC_map_lookup_elem),
8969 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8970 /* r1 = [0x00, 0xff] */
8971 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8972 /* r1 = [-0x01, 0xfe] */
8973 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1),
8974 /* r1 = 0 or 0xff'ffff'ffff'ffff */
8975 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8976 /* r1 = 0 or 0xffff'ffff'ffff */
8977 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8978 /* computes unknown pointer, potentially OOB */
8979 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8980 /* potentially OOB access */
8981 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8983 BPF_MOV64_IMM(BPF_REG_0, 0),
8986 .fixup_map_hash_8b = { 3 },
8987 .errstr = "R0 unbounded memory access",
8991 "bounds check map access with off+size signed 32bit overflow. test1",
8993 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8994 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8995 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8996 BPF_LD_MAP_FD(BPF_REG_1, 0),
8997 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8998 BPF_FUNC_map_lookup_elem),
8999 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9001 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7ffffffe),
9002 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
9006 .fixup_map_hash_8b = { 3 },
9007 .errstr = "map_value pointer and 2147483646",
9011 "bounds check map access with off+size signed 32bit overflow. test2",
9013 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9014 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9015 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9016 BPF_LD_MAP_FD(BPF_REG_1, 0),
9017 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9018 BPF_FUNC_map_lookup_elem),
9019 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9021 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
9022 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
9023 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
9024 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
9028 .fixup_map_hash_8b = { 3 },
9029 .errstr = "pointer offset 1073741822",
9033 "bounds check map access with off+size signed 32bit overflow. test3",
9035 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9036 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9037 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9038 BPF_LD_MAP_FD(BPF_REG_1, 0),
9039 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9040 BPF_FUNC_map_lookup_elem),
9041 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9043 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
9044 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
9045 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
9049 .fixup_map_hash_8b = { 3 },
9050 .errstr = "pointer offset -1073741822",
9054 "bounds check map access with off+size signed 32bit overflow. test4",
9056 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9057 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9058 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9059 BPF_LD_MAP_FD(BPF_REG_1, 0),
9060 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9061 BPF_FUNC_map_lookup_elem),
9062 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9064 BPF_MOV64_IMM(BPF_REG_1, 1000000),
9065 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 1000000),
9066 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9067 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
9071 .fixup_map_hash_8b = { 3 },
9072 .errstr = "map_value pointer and 1000000000000",
9076 "pointer/scalar confusion in state equality check (way 1)",
9078 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9079 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9080 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9081 BPF_LD_MAP_FD(BPF_REG_1, 0),
9082 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9083 BPF_FUNC_map_lookup_elem),
9084 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
9085 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
9087 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
9091 .fixup_map_hash_8b = { 3 },
9093 .retval = POINTER_VALUE,
9094 .result_unpriv = REJECT,
9095 .errstr_unpriv = "R0 leaks addr as return value"
9098 "pointer/scalar confusion in state equality check (way 2)",
9100 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9101 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9102 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9103 BPF_LD_MAP_FD(BPF_REG_1, 0),
9104 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9105 BPF_FUNC_map_lookup_elem),
9106 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
9107 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
9109 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
9112 .fixup_map_hash_8b = { 3 },
9114 .retval = POINTER_VALUE,
9115 .result_unpriv = REJECT,
9116 .errstr_unpriv = "R0 leaks addr as return value"
9119 "variable-offset ctx access",
9121 /* Get an unknown value */
9122 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
9123 /* Make it small and 4-byte aligned */
9124 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
9125 /* add it to skb. We now have either &skb->len or
9126 * &skb->pkt_type, but we don't know which
9128 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
9129 /* dereference it */
9130 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9133 .errstr = "variable ctx access var_off=(0x0; 0x4)",
9135 .prog_type = BPF_PROG_TYPE_LWT_IN,
9138 "variable-offset stack access",
9140 /* Fill the top 8 bytes of the stack */
9141 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9142 /* Get an unknown value */
9143 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
9144 /* Make it small and 4-byte aligned */
9145 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
9146 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
9147 /* add it to fp. We now have either fp-4 or fp-8, but
9148 * we don't know which
9150 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
9151 /* dereference it */
9152 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0),
9155 .errstr = "variable stack access var_off=(0xfffffffffffffff8; 0x4)",
9157 .prog_type = BPF_PROG_TYPE_LWT_IN,
9160 "indirect variable-offset stack access",
9162 /* Fill the top 8 bytes of the stack */
9163 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9164 /* Get an unknown value */
9165 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
9166 /* Make it small and 4-byte aligned */
9167 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
9168 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
9169 /* add it to fp. We now have either fp-4 or fp-8, but
9170 * we don't know which
9172 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
9173 /* dereference it indirectly */
9174 BPF_LD_MAP_FD(BPF_REG_1, 0),
9175 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9176 BPF_FUNC_map_lookup_elem),
9177 BPF_MOV64_IMM(BPF_REG_0, 0),
9180 .fixup_map_hash_8b = { 5 },
9181 .errstr = "variable stack read R2",
9183 .prog_type = BPF_PROG_TYPE_LWT_IN,
9186 "direct stack access with 32-bit wraparound. test1",
9188 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
9189 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
9190 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
9191 BPF_MOV32_IMM(BPF_REG_0, 0),
9192 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
9195 .errstr = "fp pointer and 2147483647",
9199 "direct stack access with 32-bit wraparound. test2",
9201 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
9202 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
9203 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
9204 BPF_MOV32_IMM(BPF_REG_0, 0),
9205 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
9208 .errstr = "fp pointer and 1073741823",
9212 "direct stack access with 32-bit wraparound. test3",
9214 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
9215 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
9216 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
9217 BPF_MOV32_IMM(BPF_REG_0, 0),
9218 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
9221 .errstr = "fp pointer offset 1073741822",
9225 "liveness pruning and write screening",
9227 /* Get an unknown value */
9228 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
9229 /* branch conditions teach us nothing about R2 */
9230 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
9231 BPF_MOV64_IMM(BPF_REG_0, 0),
9232 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
9233 BPF_MOV64_IMM(BPF_REG_0, 0),
9236 .errstr = "R0 !read_ok",
9238 .prog_type = BPF_PROG_TYPE_LWT_IN,
9241 "varlen_map_value_access pruning",
9243 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9244 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9245 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9246 BPF_LD_MAP_FD(BPF_REG_1, 0),
9247 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9248 BPF_FUNC_map_lookup_elem),
9249 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
9250 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
9251 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
9252 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
9253 BPF_MOV32_IMM(BPF_REG_1, 0),
9254 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
9255 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9256 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
9257 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
9258 offsetof(struct test_val, foo)),
9261 .fixup_map_hash_48b = { 3 },
9262 .errstr_unpriv = "R0 leaks addr",
9263 .errstr = "R0 unbounded memory access",
9264 .result_unpriv = REJECT,
9266 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9269 "invalid 64-bit BPF_END",
9271 BPF_MOV32_IMM(BPF_REG_0, 0),
9273 .code = BPF_ALU64 | BPF_END | BPF_TO_LE,
9274 .dst_reg = BPF_REG_0,
9281 .errstr = "unknown opcode d7",
9285 "XDP, using ifindex from netdev",
9287 BPF_MOV64_IMM(BPF_REG_0, 0),
9288 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9289 offsetof(struct xdp_md, ingress_ifindex)),
9290 BPF_JMP_IMM(BPF_JLT, BPF_REG_2, 1, 1),
9291 BPF_MOV64_IMM(BPF_REG_0, 1),
9295 .prog_type = BPF_PROG_TYPE_XDP,
9299 "meta access, test1",
9301 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9302 offsetof(struct xdp_md, data_meta)),
9303 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9304 offsetof(struct xdp_md, data)),
9305 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
9306 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
9307 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
9308 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9309 BPF_MOV64_IMM(BPF_REG_0, 0),
9313 .prog_type = BPF_PROG_TYPE_XDP,
9316 "meta access, test2",
9318 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9319 offsetof(struct xdp_md, data_meta)),
9320 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9321 offsetof(struct xdp_md, data)),
9322 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
9323 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 8),
9324 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
9325 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
9326 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
9327 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9328 BPF_MOV64_IMM(BPF_REG_0, 0),
9332 .errstr = "invalid access to packet, off=-8",
9333 .prog_type = BPF_PROG_TYPE_XDP,
9336 "meta access, test3",
9338 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9339 offsetof(struct xdp_md, data_meta)),
9340 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9341 offsetof(struct xdp_md, data_end)),
9342 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
9343 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
9344 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
9345 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9346 BPF_MOV64_IMM(BPF_REG_0, 0),
9350 .errstr = "invalid access to packet",
9351 .prog_type = BPF_PROG_TYPE_XDP,
9354 "meta access, test4",
9356 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9357 offsetof(struct xdp_md, data_meta)),
9358 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9359 offsetof(struct xdp_md, data_end)),
9360 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
9361 offsetof(struct xdp_md, data)),
9362 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
9363 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
9364 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
9365 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9366 BPF_MOV64_IMM(BPF_REG_0, 0),
9370 .errstr = "invalid access to packet",
9371 .prog_type = BPF_PROG_TYPE_XDP,
9374 "meta access, test5",
9376 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9377 offsetof(struct xdp_md, data_meta)),
9378 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
9379 offsetof(struct xdp_md, data)),
9380 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
9381 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
9382 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_4, 3),
9383 BPF_MOV64_IMM(BPF_REG_2, -8),
9384 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9385 BPF_FUNC_xdp_adjust_meta),
9386 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
9387 BPF_MOV64_IMM(BPF_REG_0, 0),
9391 .errstr = "R3 !read_ok",
9392 .prog_type = BPF_PROG_TYPE_XDP,
9395 "meta access, test6",
9397 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9398 offsetof(struct xdp_md, data_meta)),
9399 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9400 offsetof(struct xdp_md, data)),
9401 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
9402 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
9403 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
9404 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
9405 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 1),
9406 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9407 BPF_MOV64_IMM(BPF_REG_0, 0),
9411 .errstr = "invalid access to packet",
9412 .prog_type = BPF_PROG_TYPE_XDP,
9415 "meta access, test7",
9417 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9418 offsetof(struct xdp_md, data_meta)),
9419 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9420 offsetof(struct xdp_md, data)),
9421 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
9422 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
9423 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
9424 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
9425 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
9426 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9427 BPF_MOV64_IMM(BPF_REG_0, 0),
9431 .prog_type = BPF_PROG_TYPE_XDP,
9434 "meta access, test8",
9436 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9437 offsetof(struct xdp_md, data_meta)),
9438 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9439 offsetof(struct xdp_md, data)),
9440 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
9441 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
9442 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
9443 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9444 BPF_MOV64_IMM(BPF_REG_0, 0),
9448 .prog_type = BPF_PROG_TYPE_XDP,
9451 "meta access, test9",
9453 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9454 offsetof(struct xdp_md, data_meta)),
9455 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9456 offsetof(struct xdp_md, data)),
9457 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
9458 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
9459 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
9460 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
9461 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9462 BPF_MOV64_IMM(BPF_REG_0, 0),
9466 .errstr = "invalid access to packet",
9467 .prog_type = BPF_PROG_TYPE_XDP,
9470 "meta access, test10",
9472 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9473 offsetof(struct xdp_md, data_meta)),
9474 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9475 offsetof(struct xdp_md, data)),
9476 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
9477 offsetof(struct xdp_md, data_end)),
9478 BPF_MOV64_IMM(BPF_REG_5, 42),
9479 BPF_MOV64_IMM(BPF_REG_6, 24),
9480 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
9481 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
9482 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
9483 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
9484 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_5),
9485 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
9486 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
9487 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
9488 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_5, 1),
9489 BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
9490 BPF_MOV64_IMM(BPF_REG_0, 0),
9494 .errstr = "invalid access to packet",
9495 .prog_type = BPF_PROG_TYPE_XDP,
9498 "meta access, test11",
9500 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9501 offsetof(struct xdp_md, data_meta)),
9502 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9503 offsetof(struct xdp_md, data)),
9504 BPF_MOV64_IMM(BPF_REG_5, 42),
9505 BPF_MOV64_IMM(BPF_REG_6, 24),
9506 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
9507 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
9508 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
9509 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
9510 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_5),
9511 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
9512 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
9513 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
9514 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_3, 1),
9515 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_5, 0),
9516 BPF_MOV64_IMM(BPF_REG_0, 0),
9520 .prog_type = BPF_PROG_TYPE_XDP,
9523 "meta access, test12",
9525 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9526 offsetof(struct xdp_md, data_meta)),
9527 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9528 offsetof(struct xdp_md, data)),
9529 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
9530 offsetof(struct xdp_md, data_end)),
9531 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
9532 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
9533 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 5),
9534 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
9535 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
9536 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
9537 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 1),
9538 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9539 BPF_MOV64_IMM(BPF_REG_0, 0),
9543 .prog_type = BPF_PROG_TYPE_XDP,
9546 "arithmetic ops make PTR_TO_CTX unusable",
9548 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
9549 offsetof(struct __sk_buff, data) -
9550 offsetof(struct __sk_buff, mark)),
9551 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9552 offsetof(struct __sk_buff, mark)),
9555 .errstr = "dereference of modified ctx ptr",
9557 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9560 "pkt_end - pkt_start is allowed",
9562 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9563 offsetof(struct __sk_buff, data_end)),
9564 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9565 offsetof(struct __sk_buff, data)),
9566 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
9570 .retval = TEST_DATA_LEN,
9571 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9574 "XDP pkt read, pkt_end mangling, bad access 1",
9576 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9577 offsetof(struct xdp_md, data)),
9578 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9579 offsetof(struct xdp_md, data_end)),
9580 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9581 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9582 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8),
9583 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9584 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9585 BPF_MOV64_IMM(BPF_REG_0, 0),
9588 .errstr = "R3 pointer arithmetic on pkt_end",
9590 .prog_type = BPF_PROG_TYPE_XDP,
9593 "XDP pkt read, pkt_end mangling, bad access 2",
9595 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9596 offsetof(struct xdp_md, data)),
9597 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9598 offsetof(struct xdp_md, data_end)),
9599 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9600 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9601 BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8),
9602 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9603 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9604 BPF_MOV64_IMM(BPF_REG_0, 0),
9607 .errstr = "R3 pointer arithmetic on pkt_end",
9609 .prog_type = BPF_PROG_TYPE_XDP,
9612 "XDP pkt read, pkt_data' > pkt_end, good access",
9614 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9615 offsetof(struct xdp_md, data)),
9616 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9617 offsetof(struct xdp_md, data_end)),
9618 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9619 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9620 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9621 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9622 BPF_MOV64_IMM(BPF_REG_0, 0),
9626 .prog_type = BPF_PROG_TYPE_XDP,
9629 "XDP pkt read, pkt_data' > pkt_end, bad access 1",
9631 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9632 offsetof(struct xdp_md, data)),
9633 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9634 offsetof(struct xdp_md, data_end)),
9635 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9636 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9637 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9638 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9639 BPF_MOV64_IMM(BPF_REG_0, 0),
9642 .errstr = "R1 offset is outside of the packet",
9644 .prog_type = BPF_PROG_TYPE_XDP,
9645 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9648 "XDP pkt read, pkt_data' > pkt_end, bad access 2",
9650 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9651 offsetof(struct xdp_md, data)),
9652 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9653 offsetof(struct xdp_md, data_end)),
9654 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9655 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9656 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
9657 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9658 BPF_MOV64_IMM(BPF_REG_0, 0),
9661 .errstr = "R1 offset is outside of the packet",
9663 .prog_type = BPF_PROG_TYPE_XDP,
9666 "XDP pkt read, pkt_end > pkt_data', good access",
9668 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9669 offsetof(struct xdp_md, data)),
9670 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9671 offsetof(struct xdp_md, data_end)),
9672 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9673 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9674 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9675 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9676 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9677 BPF_MOV64_IMM(BPF_REG_0, 0),
9681 .prog_type = BPF_PROG_TYPE_XDP,
9682 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9685 "XDP pkt read, pkt_end > pkt_data', bad access 1",
9687 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9688 offsetof(struct xdp_md, data)),
9689 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9690 offsetof(struct xdp_md, data_end)),
9691 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9692 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9693 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9694 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9695 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9696 BPF_MOV64_IMM(BPF_REG_0, 0),
9699 .errstr = "R1 offset is outside of the packet",
9701 .prog_type = BPF_PROG_TYPE_XDP,
9704 "XDP pkt read, pkt_end > pkt_data', bad access 2",
9706 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9707 offsetof(struct xdp_md, data)),
9708 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9709 offsetof(struct xdp_md, data_end)),
9710 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9711 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9712 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9713 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9714 BPF_MOV64_IMM(BPF_REG_0, 0),
9717 .errstr = "R1 offset is outside of the packet",
9719 .prog_type = BPF_PROG_TYPE_XDP,
9722 "XDP pkt read, pkt_data' < pkt_end, good access",
9724 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9725 offsetof(struct xdp_md, data)),
9726 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9727 offsetof(struct xdp_md, data_end)),
9728 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9729 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9730 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9731 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9732 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9733 BPF_MOV64_IMM(BPF_REG_0, 0),
9737 .prog_type = BPF_PROG_TYPE_XDP,
9738 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9741 "XDP pkt read, pkt_data' < pkt_end, bad access 1",
9743 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9744 offsetof(struct xdp_md, data)),
9745 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9746 offsetof(struct xdp_md, data_end)),
9747 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9748 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9749 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9750 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9751 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9752 BPF_MOV64_IMM(BPF_REG_0, 0),
9755 .errstr = "R1 offset is outside of the packet",
9757 .prog_type = BPF_PROG_TYPE_XDP,
9760 "XDP pkt read, pkt_data' < pkt_end, bad access 2",
9762 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9763 offsetof(struct xdp_md, data)),
9764 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9765 offsetof(struct xdp_md, data_end)),
9766 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9767 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9768 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9769 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9770 BPF_MOV64_IMM(BPF_REG_0, 0),
9773 .errstr = "R1 offset is outside of the packet",
9775 .prog_type = BPF_PROG_TYPE_XDP,
9778 "XDP pkt read, pkt_end < pkt_data', good access",
9780 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9781 offsetof(struct xdp_md, data)),
9782 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9783 offsetof(struct xdp_md, data_end)),
9784 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9785 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9786 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9787 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9788 BPF_MOV64_IMM(BPF_REG_0, 0),
9792 .prog_type = BPF_PROG_TYPE_XDP,
9795 "XDP pkt read, pkt_end < pkt_data', bad access 1",
9797 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9798 offsetof(struct xdp_md, data)),
9799 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9800 offsetof(struct xdp_md, data_end)),
9801 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9802 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9803 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9804 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9805 BPF_MOV64_IMM(BPF_REG_0, 0),
9808 .errstr = "R1 offset is outside of the packet",
9810 .prog_type = BPF_PROG_TYPE_XDP,
9811 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9814 "XDP pkt read, pkt_end < pkt_data', bad access 2",
9816 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9817 offsetof(struct xdp_md, data)),
9818 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9819 offsetof(struct xdp_md, data_end)),
9820 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9821 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9822 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
9823 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9824 BPF_MOV64_IMM(BPF_REG_0, 0),
9827 .errstr = "R1 offset is outside of the packet",
9829 .prog_type = BPF_PROG_TYPE_XDP,
9832 "XDP pkt read, pkt_data' >= pkt_end, good access",
9834 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9835 offsetof(struct xdp_md, data)),
9836 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9837 offsetof(struct xdp_md, data_end)),
9838 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9839 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9840 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9841 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9842 BPF_MOV64_IMM(BPF_REG_0, 0),
9846 .prog_type = BPF_PROG_TYPE_XDP,
9847 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9850 "XDP pkt read, pkt_data' >= pkt_end, bad access 1",
9852 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9853 offsetof(struct xdp_md, data)),
9854 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9855 offsetof(struct xdp_md, data_end)),
9856 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9857 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9858 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9859 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9860 BPF_MOV64_IMM(BPF_REG_0, 0),
9863 .errstr = "R1 offset is outside of the packet",
9865 .prog_type = BPF_PROG_TYPE_XDP,
9868 "XDP pkt read, pkt_data' >= pkt_end, bad access 2",
9870 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9871 offsetof(struct xdp_md, data)),
9872 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9873 offsetof(struct xdp_md, data_end)),
9874 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9875 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9876 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
9877 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9878 BPF_MOV64_IMM(BPF_REG_0, 0),
9881 .errstr = "R1 offset is outside of the packet",
9883 .prog_type = BPF_PROG_TYPE_XDP,
9884 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9887 "XDP pkt read, pkt_end >= pkt_data', good access",
9889 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9890 offsetof(struct xdp_md, data)),
9891 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9892 offsetof(struct xdp_md, data_end)),
9893 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9894 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9895 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9896 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9897 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9898 BPF_MOV64_IMM(BPF_REG_0, 0),
9902 .prog_type = BPF_PROG_TYPE_XDP,
9905 "XDP pkt read, pkt_end >= pkt_data', bad access 1",
9907 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9908 offsetof(struct xdp_md, data)),
9909 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9910 offsetof(struct xdp_md, data_end)),
9911 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9912 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9913 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9914 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9915 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9916 BPF_MOV64_IMM(BPF_REG_0, 0),
9919 .errstr = "R1 offset is outside of the packet",
9921 .prog_type = BPF_PROG_TYPE_XDP,
9922 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9925 "XDP pkt read, pkt_end >= pkt_data', bad access 2",
9927 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9928 offsetof(struct xdp_md, data)),
9929 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9930 offsetof(struct xdp_md, data_end)),
9931 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9932 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9933 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9934 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9935 BPF_MOV64_IMM(BPF_REG_0, 0),
9938 .errstr = "R1 offset is outside of the packet",
9940 .prog_type = BPF_PROG_TYPE_XDP,
9943 "XDP pkt read, pkt_data' <= pkt_end, good access",
9945 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9946 offsetof(struct xdp_md, data)),
9947 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9948 offsetof(struct xdp_md, data_end)),
9949 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9950 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9951 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9952 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9953 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9954 BPF_MOV64_IMM(BPF_REG_0, 0),
9958 .prog_type = BPF_PROG_TYPE_XDP,
9961 "XDP pkt read, pkt_data' <= pkt_end, bad access 1",
9963 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9964 offsetof(struct xdp_md, data)),
9965 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9966 offsetof(struct xdp_md, data_end)),
9967 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9968 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9969 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9970 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9971 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9972 BPF_MOV64_IMM(BPF_REG_0, 0),
9975 .errstr = "R1 offset is outside of the packet",
9977 .prog_type = BPF_PROG_TYPE_XDP,
9978 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9981 "XDP pkt read, pkt_data' <= pkt_end, bad access 2",
9983 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9984 offsetof(struct xdp_md, data)),
9985 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9986 offsetof(struct xdp_md, data_end)),
9987 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9988 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9989 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9990 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9991 BPF_MOV64_IMM(BPF_REG_0, 0),
9994 .errstr = "R1 offset is outside of the packet",
9996 .prog_type = BPF_PROG_TYPE_XDP,
9999 "XDP pkt read, pkt_end <= pkt_data', good access",
10001 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10002 offsetof(struct xdp_md, data)),
10003 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10004 offsetof(struct xdp_md, data_end)),
10005 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10006 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10007 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
10008 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10009 BPF_MOV64_IMM(BPF_REG_0, 0),
10013 .prog_type = BPF_PROG_TYPE_XDP,
10014 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10017 "XDP pkt read, pkt_end <= pkt_data', bad access 1",
10019 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10020 offsetof(struct xdp_md, data)),
10021 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10022 offsetof(struct xdp_md, data_end)),
10023 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10024 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10025 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
10026 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10027 BPF_MOV64_IMM(BPF_REG_0, 0),
10030 .errstr = "R1 offset is outside of the packet",
10032 .prog_type = BPF_PROG_TYPE_XDP,
10035 "XDP pkt read, pkt_end <= pkt_data', bad access 2",
10037 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10038 offsetof(struct xdp_md, data)),
10039 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10040 offsetof(struct xdp_md, data_end)),
10041 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10042 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10043 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
10044 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10045 BPF_MOV64_IMM(BPF_REG_0, 0),
10048 .errstr = "R1 offset is outside of the packet",
10050 .prog_type = BPF_PROG_TYPE_XDP,
10051 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10054 "XDP pkt read, pkt_meta' > pkt_data, good access",
10056 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10057 offsetof(struct xdp_md, data_meta)),
10058 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10059 offsetof(struct xdp_md, data)),
10060 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10061 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10062 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
10063 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10064 BPF_MOV64_IMM(BPF_REG_0, 0),
10068 .prog_type = BPF_PROG_TYPE_XDP,
10071 "XDP pkt read, pkt_meta' > pkt_data, bad access 1",
10073 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10074 offsetof(struct xdp_md, data_meta)),
10075 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10076 offsetof(struct xdp_md, data)),
10077 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10078 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10079 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
10080 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
10081 BPF_MOV64_IMM(BPF_REG_0, 0),
10084 .errstr = "R1 offset is outside of the packet",
10086 .prog_type = BPF_PROG_TYPE_XDP,
10087 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10090 "XDP pkt read, pkt_meta' > pkt_data, bad access 2",
10092 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10093 offsetof(struct xdp_md, data_meta)),
10094 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10095 offsetof(struct xdp_md, data)),
10096 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10097 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10098 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
10099 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10100 BPF_MOV64_IMM(BPF_REG_0, 0),
10103 .errstr = "R1 offset is outside of the packet",
10105 .prog_type = BPF_PROG_TYPE_XDP,
10108 "XDP pkt read, pkt_data > pkt_meta', good access",
10110 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10111 offsetof(struct xdp_md, data_meta)),
10112 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10113 offsetof(struct xdp_md, data)),
10114 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10115 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10116 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
10117 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10118 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10119 BPF_MOV64_IMM(BPF_REG_0, 0),
10123 .prog_type = BPF_PROG_TYPE_XDP,
10124 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10127 "XDP pkt read, pkt_data > pkt_meta', bad access 1",
10129 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10130 offsetof(struct xdp_md, data_meta)),
10131 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10132 offsetof(struct xdp_md, data)),
10133 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10134 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10135 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
10136 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10137 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10138 BPF_MOV64_IMM(BPF_REG_0, 0),
10141 .errstr = "R1 offset is outside of the packet",
10143 .prog_type = BPF_PROG_TYPE_XDP,
10146 "XDP pkt read, pkt_data > pkt_meta', bad access 2",
10148 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10149 offsetof(struct xdp_md, data_meta)),
10150 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10151 offsetof(struct xdp_md, data)),
10152 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10153 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10154 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
10155 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10156 BPF_MOV64_IMM(BPF_REG_0, 0),
10159 .errstr = "R1 offset is outside of the packet",
10161 .prog_type = BPF_PROG_TYPE_XDP,
10164 "XDP pkt read, pkt_meta' < pkt_data, good access",
10166 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10167 offsetof(struct xdp_md, data_meta)),
10168 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10169 offsetof(struct xdp_md, data)),
10170 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10171 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10172 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
10173 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10174 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10175 BPF_MOV64_IMM(BPF_REG_0, 0),
10179 .prog_type = BPF_PROG_TYPE_XDP,
10180 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10183 "XDP pkt read, pkt_meta' < pkt_data, bad access 1",
10185 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10186 offsetof(struct xdp_md, data_meta)),
10187 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10188 offsetof(struct xdp_md, data)),
10189 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10190 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10191 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
10192 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10193 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10194 BPF_MOV64_IMM(BPF_REG_0, 0),
10197 .errstr = "R1 offset is outside of the packet",
10199 .prog_type = BPF_PROG_TYPE_XDP,
10202 "XDP pkt read, pkt_meta' < pkt_data, bad access 2",
10204 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10205 offsetof(struct xdp_md, data_meta)),
10206 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10207 offsetof(struct xdp_md, data)),
10208 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10209 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10210 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
10211 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10212 BPF_MOV64_IMM(BPF_REG_0, 0),
10215 .errstr = "R1 offset is outside of the packet",
10217 .prog_type = BPF_PROG_TYPE_XDP,
10220 "XDP pkt read, pkt_data < pkt_meta', good access",
10222 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10223 offsetof(struct xdp_md, data_meta)),
10224 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10225 offsetof(struct xdp_md, data)),
10226 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10227 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10228 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
10229 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10230 BPF_MOV64_IMM(BPF_REG_0, 0),
10234 .prog_type = BPF_PROG_TYPE_XDP,
10237 "XDP pkt read, pkt_data < pkt_meta', bad access 1",
10239 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10240 offsetof(struct xdp_md, data_meta)),
10241 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10242 offsetof(struct xdp_md, data)),
10243 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10244 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10245 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
10246 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
10247 BPF_MOV64_IMM(BPF_REG_0, 0),
10250 .errstr = "R1 offset is outside of the packet",
10252 .prog_type = BPF_PROG_TYPE_XDP,
10253 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10256 "XDP pkt read, pkt_data < pkt_meta', bad access 2",
10258 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10259 offsetof(struct xdp_md, data_meta)),
10260 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10261 offsetof(struct xdp_md, data)),
10262 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10263 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10264 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
10265 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10266 BPF_MOV64_IMM(BPF_REG_0, 0),
10269 .errstr = "R1 offset is outside of the packet",
10271 .prog_type = BPF_PROG_TYPE_XDP,
10274 "XDP pkt read, pkt_meta' >= pkt_data, good access",
10276 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10277 offsetof(struct xdp_md, data_meta)),
10278 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10279 offsetof(struct xdp_md, data)),
10280 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10281 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10282 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
10283 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10284 BPF_MOV64_IMM(BPF_REG_0, 0),
10288 .prog_type = BPF_PROG_TYPE_XDP,
10289 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10292 "XDP pkt read, pkt_meta' >= pkt_data, bad access 1",
10294 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10295 offsetof(struct xdp_md, data_meta)),
10296 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10297 offsetof(struct xdp_md, data)),
10298 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10299 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10300 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
10301 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10302 BPF_MOV64_IMM(BPF_REG_0, 0),
10305 .errstr = "R1 offset is outside of the packet",
10307 .prog_type = BPF_PROG_TYPE_XDP,
10310 "XDP pkt read, pkt_meta' >= pkt_data, bad access 2",
10312 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10313 offsetof(struct xdp_md, data_meta)),
10314 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10315 offsetof(struct xdp_md, data)),
10316 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10317 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10318 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
10319 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10320 BPF_MOV64_IMM(BPF_REG_0, 0),
10323 .errstr = "R1 offset is outside of the packet",
10325 .prog_type = BPF_PROG_TYPE_XDP,
10326 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10329 "XDP pkt read, pkt_data >= pkt_meta', good access",
10331 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10332 offsetof(struct xdp_md, data_meta)),
10333 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10334 offsetof(struct xdp_md, data)),
10335 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10336 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10337 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
10338 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10339 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10340 BPF_MOV64_IMM(BPF_REG_0, 0),
10344 .prog_type = BPF_PROG_TYPE_XDP,
10347 "XDP pkt read, pkt_data >= pkt_meta', bad access 1",
10349 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10350 offsetof(struct xdp_md, data_meta)),
10351 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10352 offsetof(struct xdp_md, data)),
10353 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10354 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10355 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
10356 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10357 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
10358 BPF_MOV64_IMM(BPF_REG_0, 0),
10361 .errstr = "R1 offset is outside of the packet",
10363 .prog_type = BPF_PROG_TYPE_XDP,
10364 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10367 "XDP pkt read, pkt_data >= pkt_meta', bad access 2",
10369 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10370 offsetof(struct xdp_md, data_meta)),
10371 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10372 offsetof(struct xdp_md, data)),
10373 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10374 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10375 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
10376 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10377 BPF_MOV64_IMM(BPF_REG_0, 0),
10380 .errstr = "R1 offset is outside of the packet",
10382 .prog_type = BPF_PROG_TYPE_XDP,
10385 "XDP pkt read, pkt_meta' <= pkt_data, good access",
10387 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10388 offsetof(struct xdp_md, data_meta)),
10389 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10390 offsetof(struct xdp_md, data)),
10391 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10392 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10393 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
10394 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10395 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10396 BPF_MOV64_IMM(BPF_REG_0, 0),
10400 .prog_type = BPF_PROG_TYPE_XDP,
10403 "XDP pkt read, pkt_meta' <= pkt_data, bad access 1",
10405 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10406 offsetof(struct xdp_md, data_meta)),
10407 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10408 offsetof(struct xdp_md, data)),
10409 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10410 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10411 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
10412 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10413 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
10414 BPF_MOV64_IMM(BPF_REG_0, 0),
10417 .errstr = "R1 offset is outside of the packet",
10419 .prog_type = BPF_PROG_TYPE_XDP,
10420 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10423 "XDP pkt read, pkt_meta' <= pkt_data, bad access 2",
10425 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10426 offsetof(struct xdp_md, data_meta)),
10427 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10428 offsetof(struct xdp_md, data)),
10429 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10430 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10431 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
10432 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10433 BPF_MOV64_IMM(BPF_REG_0, 0),
10436 .errstr = "R1 offset is outside of the packet",
10438 .prog_type = BPF_PROG_TYPE_XDP,
10441 "XDP pkt read, pkt_data <= pkt_meta', good access",
10443 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10444 offsetof(struct xdp_md, data_meta)),
10445 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10446 offsetof(struct xdp_md, data)),
10447 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10448 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10449 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
10450 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10451 BPF_MOV64_IMM(BPF_REG_0, 0),
10455 .prog_type = BPF_PROG_TYPE_XDP,
10456 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10459 "XDP pkt read, pkt_data <= pkt_meta', bad access 1",
10461 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10462 offsetof(struct xdp_md, data_meta)),
10463 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10464 offsetof(struct xdp_md, data)),
10465 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10466 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10467 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
10468 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10469 BPF_MOV64_IMM(BPF_REG_0, 0),
10472 .errstr = "R1 offset is outside of the packet",
10474 .prog_type = BPF_PROG_TYPE_XDP,
10477 "XDP pkt read, pkt_data <= pkt_meta', bad access 2",
10479 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10480 offsetof(struct xdp_md, data_meta)),
10481 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10482 offsetof(struct xdp_md, data)),
10483 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10484 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10485 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
10486 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10487 BPF_MOV64_IMM(BPF_REG_0, 0),
10490 .errstr = "R1 offset is outside of the packet",
10492 .prog_type = BPF_PROG_TYPE_XDP,
10493 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10496 "check deducing bounds from const, 1",
10498 BPF_MOV64_IMM(BPF_REG_0, 1),
10499 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 0),
10500 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
10504 .errstr = "R0 tried to subtract pointer from scalar",
10507 "check deducing bounds from const, 2",
10509 BPF_MOV64_IMM(BPF_REG_0, 1),
10510 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 1),
10512 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 1, 1),
10514 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
10521 "check deducing bounds from const, 3",
10523 BPF_MOV64_IMM(BPF_REG_0, 0),
10524 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
10525 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
10529 .errstr = "R0 tried to subtract pointer from scalar",
10532 "check deducing bounds from const, 4",
10534 BPF_MOV64_IMM(BPF_REG_0, 0),
10535 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 1),
10537 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
10539 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
10545 "check deducing bounds from const, 5",
10547 BPF_MOV64_IMM(BPF_REG_0, 0),
10548 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
10549 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
10553 .errstr = "R0 tried to subtract pointer from scalar",
10556 "check deducing bounds from const, 6",
10558 BPF_MOV64_IMM(BPF_REG_0, 0),
10559 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
10561 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
10565 .errstr = "R0 tried to subtract pointer from scalar",
10568 "check deducing bounds from const, 7",
10570 BPF_MOV64_IMM(BPF_REG_0, ~0),
10571 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
10572 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
10573 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10574 offsetof(struct __sk_buff, mark)),
10578 .errstr = "dereference of modified ctx ptr",
10581 "check deducing bounds from const, 8",
10583 BPF_MOV64_IMM(BPF_REG_0, ~0),
10584 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
10585 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
10586 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10587 offsetof(struct __sk_buff, mark)),
10591 .errstr = "dereference of modified ctx ptr",
10594 "check deducing bounds from const, 9",
10596 BPF_MOV64_IMM(BPF_REG_0, 0),
10597 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
10598 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
10602 .errstr = "R0 tried to subtract pointer from scalar",
10605 "check deducing bounds from const, 10",
10607 BPF_MOV64_IMM(BPF_REG_0, 0),
10608 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
10609 /* Marks reg as unknown. */
10610 BPF_ALU64_IMM(BPF_NEG, BPF_REG_0, 0),
10611 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
10615 .errstr = "math between ctx pointer and register with unbounded min value is not allowed",
10618 "bpf_exit with invalid return code. test1",
10620 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10623 .errstr = "R0 has value (0x0; 0xffffffff)",
10625 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10628 "bpf_exit with invalid return code. test2",
10630 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10631 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
10635 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10638 "bpf_exit with invalid return code. test3",
10640 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10641 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 3),
10644 .errstr = "R0 has value (0x0; 0x3)",
10646 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10649 "bpf_exit with invalid return code. test4",
10651 BPF_MOV64_IMM(BPF_REG_0, 1),
10655 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10658 "bpf_exit with invalid return code. test5",
10660 BPF_MOV64_IMM(BPF_REG_0, 2),
10663 .errstr = "R0 has value (0x2; 0x0)",
10665 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10668 "bpf_exit with invalid return code. test6",
10670 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
10673 .errstr = "R0 is not a known value (ctx)",
10675 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10678 "bpf_exit with invalid return code. test7",
10680 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10681 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4),
10682 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_2),
10685 .errstr = "R0 has unknown scalar value",
10687 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10690 "calls: basic sanity",
10692 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10693 BPF_MOV64_IMM(BPF_REG_0, 1),
10695 BPF_MOV64_IMM(BPF_REG_0, 2),
10698 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10702 "calls: not on unpriviledged",
10704 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10705 BPF_MOV64_IMM(BPF_REG_0, 1),
10707 BPF_MOV64_IMM(BPF_REG_0, 2),
10710 .errstr_unpriv = "function calls to other bpf functions are allowed for root only",
10711 .result_unpriv = REJECT,
10716 "calls: div by 0 in subprog",
10718 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10719 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10720 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10721 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
10722 offsetof(struct __sk_buff, data_end)),
10723 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
10724 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
10725 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
10726 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
10727 BPF_MOV64_IMM(BPF_REG_0, 1),
10729 BPF_MOV32_IMM(BPF_REG_2, 0),
10730 BPF_MOV32_IMM(BPF_REG_3, 1),
10731 BPF_ALU32_REG(BPF_DIV, BPF_REG_3, BPF_REG_2),
10732 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10733 offsetof(struct __sk_buff, data)),
10736 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10741 "calls: multiple ret types in subprog 1",
10743 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10744 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10745 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10746 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
10747 offsetof(struct __sk_buff, data_end)),
10748 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
10749 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
10750 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
10751 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
10752 BPF_MOV64_IMM(BPF_REG_0, 1),
10754 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10755 offsetof(struct __sk_buff, data)),
10756 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
10757 BPF_MOV32_IMM(BPF_REG_0, 42),
10760 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10762 .errstr = "R0 invalid mem access 'inv'",
10765 "calls: multiple ret types in subprog 2",
10767 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10768 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10769 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10770 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
10771 offsetof(struct __sk_buff, data_end)),
10772 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
10773 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
10774 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
10775 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
10776 BPF_MOV64_IMM(BPF_REG_0, 1),
10778 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10779 offsetof(struct __sk_buff, data)),
10780 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10781 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 9),
10782 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10783 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10784 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10785 BPF_LD_MAP_FD(BPF_REG_1, 0),
10786 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10787 BPF_FUNC_map_lookup_elem),
10788 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
10789 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6,
10790 offsetof(struct __sk_buff, data)),
10791 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
10794 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10795 .fixup_map_hash_8b = { 16 },
10797 .errstr = "R0 min value is outside of the array range",
10800 "calls: overlapping caller/callee",
10802 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0),
10803 BPF_MOV64_IMM(BPF_REG_0, 1),
10806 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10807 .errstr = "last insn is not an exit or jmp",
10811 "calls: wrong recursive calls",
10813 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
10814 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
10815 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
10816 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
10817 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
10818 BPF_MOV64_IMM(BPF_REG_0, 1),
10821 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10822 .errstr = "jump out of range",
10826 "calls: wrong src reg",
10828 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 2, 0, 0),
10829 BPF_MOV64_IMM(BPF_REG_0, 1),
10832 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10833 .errstr = "BPF_CALL uses reserved fields",
10837 "calls: wrong off value",
10839 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, -1, 2),
10840 BPF_MOV64_IMM(BPF_REG_0, 1),
10842 BPF_MOV64_IMM(BPF_REG_0, 2),
10845 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10846 .errstr = "BPF_CALL uses reserved fields",
10850 "calls: jump back loop",
10852 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
10853 BPF_MOV64_IMM(BPF_REG_0, 1),
10856 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10857 .errstr = "back-edge from insn 0 to 0",
10861 "calls: conditional call",
10863 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10864 offsetof(struct __sk_buff, mark)),
10865 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10866 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10867 BPF_MOV64_IMM(BPF_REG_0, 1),
10869 BPF_MOV64_IMM(BPF_REG_0, 2),
10872 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10873 .errstr = "jump out of range",
10877 "calls: conditional call 2",
10879 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10880 offsetof(struct __sk_buff, mark)),
10881 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10882 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10883 BPF_MOV64_IMM(BPF_REG_0, 1),
10885 BPF_MOV64_IMM(BPF_REG_0, 2),
10887 BPF_MOV64_IMM(BPF_REG_0, 3),
10890 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10894 "calls: conditional call 3",
10896 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10897 offsetof(struct __sk_buff, mark)),
10898 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10899 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
10900 BPF_MOV64_IMM(BPF_REG_0, 1),
10902 BPF_MOV64_IMM(BPF_REG_0, 1),
10903 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10904 BPF_MOV64_IMM(BPF_REG_0, 3),
10905 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10907 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10908 .errstr = "back-edge from insn",
10912 "calls: conditional call 4",
10914 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10915 offsetof(struct __sk_buff, mark)),
10916 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10917 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10918 BPF_MOV64_IMM(BPF_REG_0, 1),
10920 BPF_MOV64_IMM(BPF_REG_0, 1),
10921 BPF_JMP_IMM(BPF_JA, 0, 0, -5),
10922 BPF_MOV64_IMM(BPF_REG_0, 3),
10925 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10929 "calls: conditional call 5",
10931 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10932 offsetof(struct __sk_buff, mark)),
10933 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10934 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10935 BPF_MOV64_IMM(BPF_REG_0, 1),
10937 BPF_MOV64_IMM(BPF_REG_0, 1),
10938 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10939 BPF_MOV64_IMM(BPF_REG_0, 3),
10942 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10943 .errstr = "back-edge from insn",
10947 "calls: conditional call 6",
10949 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10950 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -2),
10952 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10953 offsetof(struct __sk_buff, mark)),
10956 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10957 .errstr = "back-edge from insn",
10961 "calls: using r0 returned by callee",
10963 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10965 BPF_MOV64_IMM(BPF_REG_0, 2),
10968 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10972 "calls: using uninit r0 from callee",
10974 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10978 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10979 .errstr = "!read_ok",
10983 "calls: callee is using r1",
10985 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10987 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10988 offsetof(struct __sk_buff, len)),
10991 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
10993 .retval = TEST_DATA_LEN,
10996 "calls: callee using args1",
10998 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11000 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
11003 .errstr_unpriv = "allowed for root only",
11004 .result_unpriv = REJECT,
11006 .retval = POINTER_VALUE,
11009 "calls: callee using wrong args2",
11011 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11013 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11016 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11017 .errstr = "R2 !read_ok",
11021 "calls: callee using two args",
11023 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11024 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
11025 offsetof(struct __sk_buff, len)),
11026 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_6,
11027 offsetof(struct __sk_buff, len)),
11028 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11030 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
11031 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
11034 .errstr_unpriv = "allowed for root only",
11035 .result_unpriv = REJECT,
11037 .retval = TEST_DATA_LEN + TEST_DATA_LEN - ETH_HLEN - ETH_HLEN,
11040 "calls: callee changing pkt pointers",
11042 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
11043 offsetof(struct xdp_md, data)),
11044 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
11045 offsetof(struct xdp_md, data_end)),
11046 BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
11047 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 8),
11048 BPF_JMP_REG(BPF_JGT, BPF_REG_8, BPF_REG_7, 2),
11049 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11050 /* clear_all_pkt_pointers() has to walk all frames
11051 * to make sure that pkt pointers in the caller
11052 * are cleared when callee is calling a helper that
11053 * adjusts packet size
11055 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
11056 BPF_MOV32_IMM(BPF_REG_0, 0),
11058 BPF_MOV64_IMM(BPF_REG_2, 0),
11059 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11060 BPF_FUNC_xdp_adjust_head),
11064 .errstr = "R6 invalid mem access 'inv'",
11065 .prog_type = BPF_PROG_TYPE_XDP,
11068 "calls: two calls with args",
11070 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11072 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11073 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
11074 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
11075 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11076 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11077 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
11078 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
11080 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11081 offsetof(struct __sk_buff, len)),
11084 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11086 .retval = TEST_DATA_LEN + TEST_DATA_LEN,
11089 "calls: calls with stack arith",
11091 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11092 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
11093 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11095 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
11096 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11098 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
11099 BPF_MOV64_IMM(BPF_REG_0, 42),
11100 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
11103 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11108 "calls: calls with misaligned stack access",
11110 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11111 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
11112 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11114 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -61),
11115 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11117 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
11118 BPF_MOV64_IMM(BPF_REG_0, 42),
11119 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
11122 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11123 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
11124 .errstr = "misaligned stack access",
11128 "calls: calls control flow, jump test",
11130 BPF_MOV64_IMM(BPF_REG_0, 42),
11131 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11132 BPF_MOV64_IMM(BPF_REG_0, 43),
11133 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11134 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
11137 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11142 "calls: calls control flow, jump test 2",
11144 BPF_MOV64_IMM(BPF_REG_0, 42),
11145 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11146 BPF_MOV64_IMM(BPF_REG_0, 43),
11147 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11148 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
11151 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11152 .errstr = "jump out of range from insn 1 to 4",
11156 "calls: two calls with bad jump",
11158 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11160 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11161 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
11162 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
11163 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11164 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11165 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
11166 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
11168 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11169 offsetof(struct __sk_buff, len)),
11170 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -3),
11173 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11174 .errstr = "jump out of range from insn 11 to 9",
11178 "calls: recursive call. test1",
11180 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11182 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
11185 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11186 .errstr = "back-edge",
11190 "calls: recursive call. test2",
11192 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11194 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
11197 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11198 .errstr = "back-edge",
11202 "calls: unreachable code",
11204 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11206 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11208 BPF_MOV64_IMM(BPF_REG_0, 0),
11210 BPF_MOV64_IMM(BPF_REG_0, 0),
11213 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11214 .errstr = "unreachable insn 6",
11218 "calls: invalid call",
11220 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11222 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -4),
11225 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11226 .errstr = "invalid destination",
11230 "calls: invalid call 2",
11232 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11234 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0x7fffffff),
11237 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11238 .errstr = "invalid destination",
11242 "calls: jumping across function bodies. test1",
11244 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11245 BPF_MOV64_IMM(BPF_REG_0, 0),
11247 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
11250 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11251 .errstr = "jump out of range",
11255 "calls: jumping across function bodies. test2",
11257 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
11258 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11259 BPF_MOV64_IMM(BPF_REG_0, 0),
11263 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11264 .errstr = "jump out of range",
11268 "calls: call without exit",
11270 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11272 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11274 BPF_MOV64_IMM(BPF_REG_0, 0),
11275 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -2),
11277 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11278 .errstr = "not an exit",
11282 "calls: call into middle of ld_imm64",
11284 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11285 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11286 BPF_MOV64_IMM(BPF_REG_0, 0),
11288 BPF_LD_IMM64(BPF_REG_0, 0),
11291 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11292 .errstr = "last insn",
11296 "calls: call into middle of other call",
11298 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11299 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11300 BPF_MOV64_IMM(BPF_REG_0, 0),
11302 BPF_MOV64_IMM(BPF_REG_0, 0),
11303 BPF_MOV64_IMM(BPF_REG_0, 0),
11306 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11307 .errstr = "last insn",
11311 "calls: ld_abs with changing ctx data in callee",
11313 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11314 BPF_LD_ABS(BPF_B, 0),
11315 BPF_LD_ABS(BPF_H, 0),
11316 BPF_LD_ABS(BPF_W, 0),
11317 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
11318 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
11319 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
11320 BPF_LD_ABS(BPF_B, 0),
11321 BPF_LD_ABS(BPF_H, 0),
11322 BPF_LD_ABS(BPF_W, 0),
11324 BPF_MOV64_IMM(BPF_REG_2, 1),
11325 BPF_MOV64_IMM(BPF_REG_3, 2),
11326 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11327 BPF_FUNC_skb_vlan_push),
11330 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11331 .errstr = "BPF_LD_[ABS|IND] instructions cannot be mixed",
11335 "calls: two calls with bad fallthrough",
11337 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11339 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11340 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
11341 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
11342 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11343 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11344 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
11345 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
11346 BPF_MOV64_REG(BPF_REG_0, BPF_REG_0),
11347 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11348 offsetof(struct __sk_buff, len)),
11351 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11352 .errstr = "not an exit",
11356 "calls: two calls with stack read",
11358 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11359 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11360 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11361 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11363 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11364 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
11365 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
11366 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11367 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11368 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
11369 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
11371 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
11374 .prog_type = BPF_PROG_TYPE_XDP,
11378 "calls: two calls with stack write",
11381 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11382 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11383 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11384 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11385 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11386 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11387 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
11391 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11392 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11393 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 7),
11394 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
11395 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11396 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11397 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
11398 BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
11399 /* write into stack frame of main prog */
11400 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11404 /* read from stack frame of main prog */
11405 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
11408 .prog_type = BPF_PROG_TYPE_XDP,
11412 "calls: stack overflow using two frames (pre-call access)",
11415 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
11416 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
11420 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
11421 BPF_MOV64_IMM(BPF_REG_0, 0),
11424 .prog_type = BPF_PROG_TYPE_XDP,
11425 .errstr = "combined stack size",
11429 "calls: stack overflow using two frames (post-call access)",
11432 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 2),
11433 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
11437 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
11438 BPF_MOV64_IMM(BPF_REG_0, 0),
11441 .prog_type = BPF_PROG_TYPE_XDP,
11442 .errstr = "combined stack size",
11446 "calls: stack depth check using three frames. test1",
11449 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
11450 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
11451 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
11452 BPF_MOV64_IMM(BPF_REG_0, 0),
11455 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
11458 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
11459 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
11462 .prog_type = BPF_PROG_TYPE_XDP,
11463 /* stack_main=32, stack_A=256, stack_B=64
11464 * and max(main+A, main+A+B) < 512
11469 "calls: stack depth check using three frames. test2",
11472 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
11473 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
11474 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
11475 BPF_MOV64_IMM(BPF_REG_0, 0),
11478 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
11481 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
11482 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
11485 .prog_type = BPF_PROG_TYPE_XDP,
11486 /* stack_main=32, stack_A=64, stack_B=256
11487 * and max(main+A, main+A+B) < 512
11492 "calls: stack depth check using three frames. test3",
11495 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11496 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
11497 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11498 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 8), /* call B */
11499 BPF_JMP_IMM(BPF_JGE, BPF_REG_6, 0, 1),
11500 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
11501 BPF_MOV64_IMM(BPF_REG_0, 0),
11504 BPF_JMP_IMM(BPF_JLT, BPF_REG_1, 10, 1),
11506 BPF_ST_MEM(BPF_B, BPF_REG_10, -224, 0),
11507 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
11509 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 1),
11510 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -6), /* call A */
11511 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
11514 .prog_type = BPF_PROG_TYPE_XDP,
11515 /* stack_main=64, stack_A=224, stack_B=256
11516 * and max(main+A, main+A+B) > 512
11518 .errstr = "combined stack",
11522 "calls: stack depth check using three frames. test4",
11523 /* void main(void) {
11528 * void func1(int alloc_or_recurse) {
11529 * if (alloc_or_recurse) {
11530 * frame_pointer[-300] = 1;
11532 * func2(alloc_or_recurse);
11535 * void func2(int alloc_or_recurse) {
11536 * if (alloc_or_recurse) {
11537 * frame_pointer[-300] = 1;
11543 BPF_MOV64_IMM(BPF_REG_1, 0),
11544 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
11545 BPF_MOV64_IMM(BPF_REG_1, 1),
11546 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
11547 BPF_MOV64_IMM(BPF_REG_1, 1),
11548 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 7), /* call B */
11549 BPF_MOV64_IMM(BPF_REG_0, 0),
11552 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
11553 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
11555 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
11558 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
11559 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
11562 .prog_type = BPF_PROG_TYPE_XDP,
11564 .errstr = "combined stack",
11567 "calls: stack depth check using three frames. test5",
11570 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call A */
11573 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
11576 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call C */
11579 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call D */
11582 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call E */
11585 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call F */
11588 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call G */
11591 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call H */
11594 BPF_MOV64_IMM(BPF_REG_0, 0),
11597 .prog_type = BPF_PROG_TYPE_XDP,
11598 .errstr = "call stack",
11602 "calls: spill into caller stack frame",
11604 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11605 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11606 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11607 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11609 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
11610 BPF_MOV64_IMM(BPF_REG_0, 0),
11613 .prog_type = BPF_PROG_TYPE_XDP,
11614 .errstr = "cannot spill",
11618 "calls: write into caller stack frame",
11620 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11621 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11622 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11623 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11624 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
11626 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 42),
11627 BPF_MOV64_IMM(BPF_REG_0, 0),
11630 .prog_type = BPF_PROG_TYPE_XDP,
11635 "calls: write into callee stack frame",
11637 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11638 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
11640 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
11641 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, -8),
11644 .prog_type = BPF_PROG_TYPE_XDP,
11645 .errstr = "cannot return stack pointer",
11649 "calls: two calls with stack write and void return",
11652 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11653 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11654 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11655 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11656 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11657 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11658 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
11662 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11663 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11664 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11665 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11666 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11670 /* write into stack frame of main prog */
11671 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
11672 BPF_EXIT_INSN(), /* void return */
11674 .prog_type = BPF_PROG_TYPE_XDP,
11678 "calls: ambiguous return value",
11680 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11681 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
11682 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
11683 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11684 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11685 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
11687 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
11688 BPF_MOV64_IMM(BPF_REG_0, 0),
11691 .errstr_unpriv = "allowed for root only",
11692 .result_unpriv = REJECT,
11693 .errstr = "R0 !read_ok",
11697 "calls: two calls that return map_value",
11700 /* pass fp-16, fp-8 into a function */
11701 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11702 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11703 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11704 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11705 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
11707 /* fetch map_value_ptr from the stack of this function */
11708 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
11709 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
11710 /* write into map value */
11711 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11712 /* fetch secound map_value_ptr from the stack */
11713 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
11714 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
11715 /* write into map value */
11716 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11717 BPF_MOV64_IMM(BPF_REG_0, 0),
11721 /* call 3rd function twice */
11722 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11723 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11724 /* first time with fp-8 */
11725 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11726 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11727 /* second time with fp-16 */
11728 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11732 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11733 /* lookup from map */
11734 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11735 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11736 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11737 BPF_LD_MAP_FD(BPF_REG_1, 0),
11738 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11739 BPF_FUNC_map_lookup_elem),
11740 /* write map_value_ptr into stack frame of main prog */
11741 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11742 BPF_MOV64_IMM(BPF_REG_0, 0),
11743 BPF_EXIT_INSN(), /* return 0 */
11745 .prog_type = BPF_PROG_TYPE_XDP,
11746 .fixup_map_hash_8b = { 23 },
11750 "calls: two calls that return map_value with bool condition",
11753 /* pass fp-16, fp-8 into a function */
11754 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11755 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11756 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11757 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11758 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11759 BPF_MOV64_IMM(BPF_REG_0, 0),
11763 /* call 3rd function twice */
11764 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11765 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11766 /* first time with fp-8 */
11767 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
11768 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
11769 /* fetch map_value_ptr from the stack of this function */
11770 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
11771 /* write into map value */
11772 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11773 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11774 /* second time with fp-16 */
11775 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11776 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
11777 /* fetch secound map_value_ptr from the stack */
11778 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
11779 /* write into map value */
11780 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11784 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11785 /* lookup from map */
11786 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11787 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11788 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11789 BPF_LD_MAP_FD(BPF_REG_1, 0),
11790 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11791 BPF_FUNC_map_lookup_elem),
11792 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11793 BPF_MOV64_IMM(BPF_REG_0, 0),
11794 BPF_EXIT_INSN(), /* return 0 */
11795 /* write map_value_ptr into stack frame of main prog */
11796 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11797 BPF_MOV64_IMM(BPF_REG_0, 1),
11798 BPF_EXIT_INSN(), /* return 1 */
11800 .prog_type = BPF_PROG_TYPE_XDP,
11801 .fixup_map_hash_8b = { 23 },
11805 "calls: two calls that return map_value with incorrect bool check",
11808 /* pass fp-16, fp-8 into a function */
11809 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11810 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11811 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11812 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11813 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11814 BPF_MOV64_IMM(BPF_REG_0, 0),
11818 /* call 3rd function twice */
11819 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11820 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11821 /* first time with fp-8 */
11822 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
11823 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
11824 /* fetch map_value_ptr from the stack of this function */
11825 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
11826 /* write into map value */
11827 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11828 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11829 /* second time with fp-16 */
11830 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11831 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11832 /* fetch secound map_value_ptr from the stack */
11833 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
11834 /* write into map value */
11835 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11839 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11840 /* lookup from map */
11841 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11842 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11843 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11844 BPF_LD_MAP_FD(BPF_REG_1, 0),
11845 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11846 BPF_FUNC_map_lookup_elem),
11847 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11848 BPF_MOV64_IMM(BPF_REG_0, 0),
11849 BPF_EXIT_INSN(), /* return 0 */
11850 /* write map_value_ptr into stack frame of main prog */
11851 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11852 BPF_MOV64_IMM(BPF_REG_0, 1),
11853 BPF_EXIT_INSN(), /* return 1 */
11855 .prog_type = BPF_PROG_TYPE_XDP,
11856 .fixup_map_hash_8b = { 23 },
11858 .errstr = "invalid read from stack off -16+0 size 8",
11861 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test1",
11864 /* pass fp-16, fp-8 into a function */
11865 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11866 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11867 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11868 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11869 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11870 BPF_MOV64_IMM(BPF_REG_0, 0),
11874 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11875 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11876 /* 1st lookup from map */
11877 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11878 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11879 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11880 BPF_LD_MAP_FD(BPF_REG_1, 0),
11881 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11882 BPF_FUNC_map_lookup_elem),
11883 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11884 BPF_MOV64_IMM(BPF_REG_8, 0),
11885 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11886 /* write map_value_ptr into stack frame of main prog at fp-8 */
11887 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11888 BPF_MOV64_IMM(BPF_REG_8, 1),
11890 /* 2nd lookup from map */
11891 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
11892 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11893 BPF_LD_MAP_FD(BPF_REG_1, 0),
11894 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
11895 BPF_FUNC_map_lookup_elem),
11896 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11897 BPF_MOV64_IMM(BPF_REG_9, 0),
11898 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11899 /* write map_value_ptr into stack frame of main prog at fp-16 */
11900 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11901 BPF_MOV64_IMM(BPF_REG_9, 1),
11903 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11904 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
11905 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11906 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11907 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11908 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), /* 34 */
11912 /* if arg2 == 1 do *arg1 = 0 */
11913 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11914 /* fetch map_value_ptr from the stack of this function */
11915 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11916 /* write into map value */
11917 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11919 /* if arg4 == 1 do *arg3 = 0 */
11920 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11921 /* fetch map_value_ptr from the stack of this function */
11922 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11923 /* write into map value */
11924 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
11927 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11928 .fixup_map_hash_8b = { 12, 22 },
11930 .errstr = "invalid access to map value, value_size=8 off=2 size=8",
11933 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test2",
11936 /* pass fp-16, fp-8 into a function */
11937 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11938 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11939 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11940 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11941 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11942 BPF_MOV64_IMM(BPF_REG_0, 0),
11946 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11947 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11948 /* 1st lookup from map */
11949 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11950 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11951 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11952 BPF_LD_MAP_FD(BPF_REG_1, 0),
11953 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11954 BPF_FUNC_map_lookup_elem),
11955 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11956 BPF_MOV64_IMM(BPF_REG_8, 0),
11957 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11958 /* write map_value_ptr into stack frame of main prog at fp-8 */
11959 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11960 BPF_MOV64_IMM(BPF_REG_8, 1),
11962 /* 2nd lookup from map */
11963 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
11964 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11965 BPF_LD_MAP_FD(BPF_REG_1, 0),
11966 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
11967 BPF_FUNC_map_lookup_elem),
11968 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11969 BPF_MOV64_IMM(BPF_REG_9, 0),
11970 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11971 /* write map_value_ptr into stack frame of main prog at fp-16 */
11972 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11973 BPF_MOV64_IMM(BPF_REG_9, 1),
11975 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11976 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
11977 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11978 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11979 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11980 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), /* 34 */
11984 /* if arg2 == 1 do *arg1 = 0 */
11985 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11986 /* fetch map_value_ptr from the stack of this function */
11987 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11988 /* write into map value */
11989 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11991 /* if arg4 == 1 do *arg3 = 0 */
11992 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11993 /* fetch map_value_ptr from the stack of this function */
11994 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11995 /* write into map value */
11996 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11999 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12000 .fixup_map_hash_8b = { 12, 22 },
12004 "calls: two jumps that receive map_value via arg=ptr_stack_of_jumper. test3",
12007 /* pass fp-16, fp-8 into a function */
12008 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12009 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12010 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12011 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
12012 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
12013 BPF_MOV64_IMM(BPF_REG_0, 0),
12017 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12018 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
12019 /* 1st lookup from map */
12020 BPF_ST_MEM(BPF_DW, BPF_REG_10, -24, 0),
12021 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12022 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
12023 BPF_LD_MAP_FD(BPF_REG_1, 0),
12024 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12025 BPF_FUNC_map_lookup_elem),
12026 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12027 BPF_MOV64_IMM(BPF_REG_8, 0),
12028 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12029 /* write map_value_ptr into stack frame of main prog at fp-8 */
12030 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
12031 BPF_MOV64_IMM(BPF_REG_8, 1),
12033 /* 2nd lookup from map */
12034 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12035 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
12036 BPF_LD_MAP_FD(BPF_REG_1, 0),
12037 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12038 BPF_FUNC_map_lookup_elem),
12039 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12040 BPF_MOV64_IMM(BPF_REG_9, 0), // 26
12041 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12042 /* write map_value_ptr into stack frame of main prog at fp-16 */
12043 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
12044 BPF_MOV64_IMM(BPF_REG_9, 1),
12046 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
12047 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), // 30
12048 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
12049 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
12050 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
12051 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), // 34
12052 BPF_JMP_IMM(BPF_JA, 0, 0, -30),
12055 /* if arg2 == 1 do *arg1 = 0 */
12056 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
12057 /* fetch map_value_ptr from the stack of this function */
12058 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
12059 /* write into map value */
12060 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12062 /* if arg4 == 1 do *arg3 = 0 */
12063 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
12064 /* fetch map_value_ptr from the stack of this function */
12065 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
12066 /* write into map value */
12067 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
12068 BPF_JMP_IMM(BPF_JA, 0, 0, -8),
12070 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12071 .fixup_map_hash_8b = { 12, 22 },
12073 .errstr = "invalid access to map value, value_size=8 off=2 size=8",
12076 "calls: two calls that receive map_value_ptr_or_null via arg. test1",
12079 /* pass fp-16, fp-8 into a function */
12080 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12081 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12082 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12083 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
12084 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12085 BPF_MOV64_IMM(BPF_REG_0, 0),
12089 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12090 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
12091 /* 1st lookup from map */
12092 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12093 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12094 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12095 BPF_LD_MAP_FD(BPF_REG_1, 0),
12096 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12097 BPF_FUNC_map_lookup_elem),
12098 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
12099 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
12100 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12101 BPF_MOV64_IMM(BPF_REG_8, 0),
12102 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
12103 BPF_MOV64_IMM(BPF_REG_8, 1),
12105 /* 2nd lookup from map */
12106 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12107 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12108 BPF_LD_MAP_FD(BPF_REG_1, 0),
12109 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12110 BPF_FUNC_map_lookup_elem),
12111 /* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
12112 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
12113 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12114 BPF_MOV64_IMM(BPF_REG_9, 0),
12115 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
12116 BPF_MOV64_IMM(BPF_REG_9, 1),
12118 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
12119 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12120 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
12121 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
12122 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
12123 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12127 /* if arg2 == 1 do *arg1 = 0 */
12128 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
12129 /* fetch map_value_ptr from the stack of this function */
12130 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
12131 /* write into map value */
12132 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12134 /* if arg4 == 1 do *arg3 = 0 */
12135 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
12136 /* fetch map_value_ptr from the stack of this function */
12137 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
12138 /* write into map value */
12139 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12142 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12143 .fixup_map_hash_8b = { 12, 22 },
12147 "calls: two calls that receive map_value_ptr_or_null via arg. test2",
12150 /* pass fp-16, fp-8 into a function */
12151 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12152 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12153 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12154 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
12155 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12156 BPF_MOV64_IMM(BPF_REG_0, 0),
12160 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12161 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
12162 /* 1st lookup from map */
12163 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12164 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12165 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12166 BPF_LD_MAP_FD(BPF_REG_1, 0),
12167 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12168 BPF_FUNC_map_lookup_elem),
12169 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
12170 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
12171 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12172 BPF_MOV64_IMM(BPF_REG_8, 0),
12173 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
12174 BPF_MOV64_IMM(BPF_REG_8, 1),
12176 /* 2nd lookup from map */
12177 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12178 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12179 BPF_LD_MAP_FD(BPF_REG_1, 0),
12180 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12181 BPF_FUNC_map_lookup_elem),
12182 /* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
12183 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
12184 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12185 BPF_MOV64_IMM(BPF_REG_9, 0),
12186 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
12187 BPF_MOV64_IMM(BPF_REG_9, 1),
12189 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
12190 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12191 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
12192 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
12193 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
12194 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12198 /* if arg2 == 1 do *arg1 = 0 */
12199 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
12200 /* fetch map_value_ptr from the stack of this function */
12201 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
12202 /* write into map value */
12203 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12205 /* if arg4 == 0 do *arg3 = 0 */
12206 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 0, 2),
12207 /* fetch map_value_ptr from the stack of this function */
12208 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
12209 /* write into map value */
12210 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12213 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12214 .fixup_map_hash_8b = { 12, 22 },
12216 .errstr = "R0 invalid mem access 'inv'",
12219 "calls: pkt_ptr spill into caller stack",
12221 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12222 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12223 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12227 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12228 offsetof(struct __sk_buff, data)),
12229 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12230 offsetof(struct __sk_buff, data_end)),
12231 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12232 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12233 /* spill unchecked pkt_ptr into stack of caller */
12234 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12235 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
12236 /* now the pkt range is verified, read pkt_ptr from stack */
12237 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
12238 /* write 4 bytes into packet */
12239 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12243 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12244 .retval = POINTER_VALUE,
12247 "calls: pkt_ptr spill into caller stack 2",
12249 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12250 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12251 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12252 /* Marking is still kept, but not in all cases safe. */
12253 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12254 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
12258 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12259 offsetof(struct __sk_buff, data)),
12260 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12261 offsetof(struct __sk_buff, data_end)),
12262 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12263 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12264 /* spill unchecked pkt_ptr into stack of caller */
12265 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12266 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
12267 /* now the pkt range is verified, read pkt_ptr from stack */
12268 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
12269 /* write 4 bytes into packet */
12270 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12273 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12274 .errstr = "invalid access to packet",
12278 "calls: pkt_ptr spill into caller stack 3",
12280 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12281 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12282 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
12283 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
12284 /* Marking is still kept and safe here. */
12285 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12286 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
12290 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12291 offsetof(struct __sk_buff, data)),
12292 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12293 offsetof(struct __sk_buff, data_end)),
12294 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12295 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12296 /* spill unchecked pkt_ptr into stack of caller */
12297 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12298 BPF_MOV64_IMM(BPF_REG_5, 0),
12299 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
12300 BPF_MOV64_IMM(BPF_REG_5, 1),
12301 /* now the pkt range is verified, read pkt_ptr from stack */
12302 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
12303 /* write 4 bytes into packet */
12304 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12305 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12308 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12313 "calls: pkt_ptr spill into caller stack 4",
12315 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12316 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12317 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
12318 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
12319 /* Check marking propagated. */
12320 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12321 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
12325 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12326 offsetof(struct __sk_buff, data)),
12327 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12328 offsetof(struct __sk_buff, data_end)),
12329 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12330 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12331 /* spill unchecked pkt_ptr into stack of caller */
12332 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12333 BPF_MOV64_IMM(BPF_REG_5, 0),
12334 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
12335 BPF_MOV64_IMM(BPF_REG_5, 1),
12336 /* don't read back pkt_ptr from stack here */
12337 /* write 4 bytes into packet */
12338 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12339 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12342 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12347 "calls: pkt_ptr spill into caller stack 5",
12349 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12350 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12351 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, 0),
12352 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12353 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12354 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
12358 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12359 offsetof(struct __sk_buff, data)),
12360 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12361 offsetof(struct __sk_buff, data_end)),
12362 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12363 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12364 BPF_MOV64_IMM(BPF_REG_5, 0),
12365 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
12366 /* spill checked pkt_ptr into stack of caller */
12367 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12368 BPF_MOV64_IMM(BPF_REG_5, 1),
12369 /* don't read back pkt_ptr from stack here */
12370 /* write 4 bytes into packet */
12371 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12372 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12375 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12376 .errstr = "same insn cannot be used with different",
12380 "calls: pkt_ptr spill into caller stack 6",
12382 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12383 offsetof(struct __sk_buff, data_end)),
12384 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12385 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12386 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12387 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12388 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12389 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
12393 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12394 offsetof(struct __sk_buff, data)),
12395 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12396 offsetof(struct __sk_buff, data_end)),
12397 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12398 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12399 BPF_MOV64_IMM(BPF_REG_5, 0),
12400 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
12401 /* spill checked pkt_ptr into stack of caller */
12402 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12403 BPF_MOV64_IMM(BPF_REG_5, 1),
12404 /* don't read back pkt_ptr from stack here */
12405 /* write 4 bytes into packet */
12406 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12407 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12410 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12411 .errstr = "R4 invalid mem access",
12415 "calls: pkt_ptr spill into caller stack 7",
12417 BPF_MOV64_IMM(BPF_REG_2, 0),
12418 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12419 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12420 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12421 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12422 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12423 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
12427 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12428 offsetof(struct __sk_buff, data)),
12429 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12430 offsetof(struct __sk_buff, data_end)),
12431 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12432 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12433 BPF_MOV64_IMM(BPF_REG_5, 0),
12434 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
12435 /* spill checked pkt_ptr into stack of caller */
12436 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12437 BPF_MOV64_IMM(BPF_REG_5, 1),
12438 /* don't read back pkt_ptr from stack here */
12439 /* write 4 bytes into packet */
12440 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12441 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12444 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12445 .errstr = "R4 invalid mem access",
12449 "calls: pkt_ptr spill into caller stack 8",
12451 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12452 offsetof(struct __sk_buff, data)),
12453 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12454 offsetof(struct __sk_buff, data_end)),
12455 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12456 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12457 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
12459 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12460 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12461 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12462 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12463 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12464 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
12468 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12469 offsetof(struct __sk_buff, data)),
12470 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12471 offsetof(struct __sk_buff, data_end)),
12472 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12473 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12474 BPF_MOV64_IMM(BPF_REG_5, 0),
12475 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
12476 /* spill checked pkt_ptr into stack of caller */
12477 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12478 BPF_MOV64_IMM(BPF_REG_5, 1),
12479 /* don't read back pkt_ptr from stack here */
12480 /* write 4 bytes into packet */
12481 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12482 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12485 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12489 "calls: pkt_ptr spill into caller stack 9",
12491 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12492 offsetof(struct __sk_buff, data)),
12493 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12494 offsetof(struct __sk_buff, data_end)),
12495 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12496 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12497 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
12499 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12500 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12501 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12502 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12503 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12504 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
12508 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12509 offsetof(struct __sk_buff, data)),
12510 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12511 offsetof(struct __sk_buff, data_end)),
12512 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12513 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12514 BPF_MOV64_IMM(BPF_REG_5, 0),
12515 /* spill unchecked pkt_ptr into stack of caller */
12516 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12517 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
12518 BPF_MOV64_IMM(BPF_REG_5, 1),
12519 /* don't read back pkt_ptr from stack here */
12520 /* write 4 bytes into packet */
12521 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12522 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12525 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12526 .errstr = "invalid access to packet",
12530 "calls: caller stack init to zero or map_value_or_null",
12532 BPF_MOV64_IMM(BPF_REG_0, 0),
12533 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12534 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12535 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12536 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
12537 /* fetch map_value_or_null or const_zero from stack */
12538 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
12539 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
12540 /* store into map_value */
12541 BPF_ST_MEM(BPF_W, BPF_REG_0, 0, 0),
12545 /* if (ctx == 0) return; */
12546 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 8),
12547 /* else bpf_map_lookup() and *(fp - 8) = r0 */
12548 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
12549 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12550 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12551 BPF_LD_MAP_FD(BPF_REG_1, 0),
12552 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12553 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12554 BPF_FUNC_map_lookup_elem),
12555 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
12556 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
12559 .fixup_map_hash_8b = { 13 },
12561 .prog_type = BPF_PROG_TYPE_XDP,
12564 "calls: stack init to zero and pruning",
12566 /* first make allocated_stack 16 byte */
12567 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
12568 /* now fork the execution such that the false branch
12569 * of JGT insn will be verified second and it skisp zero
12570 * init of fp-8 stack slot. If stack liveness marking
12571 * is missing live_read marks from call map_lookup
12572 * processing then pruning will incorrectly assume
12573 * that fp-8 stack slot was unused in the fall-through
12574 * branch and will accept the program incorrectly
12576 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 2),
12577 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12578 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
12579 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12580 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12581 BPF_LD_MAP_FD(BPF_REG_1, 0),
12582 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12583 BPF_FUNC_map_lookup_elem),
12586 .fixup_map_hash_48b = { 6 },
12587 .errstr = "invalid indirect read from stack off -8+0 size 8",
12589 .prog_type = BPF_PROG_TYPE_XDP,
12592 "calls: two calls returning different map pointers for lookup (hash, array)",
12595 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
12597 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
12599 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
12600 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12601 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12602 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12603 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12604 BPF_FUNC_map_lookup_elem),
12605 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
12606 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
12607 offsetof(struct test_val, foo)),
12608 BPF_MOV64_IMM(BPF_REG_0, 1),
12611 BPF_LD_MAP_FD(BPF_REG_0, 0),
12614 BPF_LD_MAP_FD(BPF_REG_0, 0),
12617 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12618 .fixup_map_hash_48b = { 13 },
12619 .fixup_map_array_48b = { 16 },
12624 "calls: two calls returning different map pointers for lookup (hash, map in map)",
12627 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
12629 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
12631 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
12632 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12633 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12634 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12635 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12636 BPF_FUNC_map_lookup_elem),
12637 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
12638 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
12639 offsetof(struct test_val, foo)),
12640 BPF_MOV64_IMM(BPF_REG_0, 1),
12643 BPF_LD_MAP_FD(BPF_REG_0, 0),
12646 BPF_LD_MAP_FD(BPF_REG_0, 0),
12649 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12650 .fixup_map_in_map = { 16 },
12651 .fixup_map_array_48b = { 13 },
12653 .errstr = "R0 invalid mem access 'map_ptr'",
12656 "cond: two branches returning different map pointers for lookup (tail, tail)",
12658 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
12659 offsetof(struct __sk_buff, mark)),
12660 BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 0, 3),
12661 BPF_LD_MAP_FD(BPF_REG_2, 0),
12662 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12663 BPF_LD_MAP_FD(BPF_REG_2, 0),
12664 BPF_MOV64_IMM(BPF_REG_3, 7),
12665 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12666 BPF_FUNC_tail_call),
12667 BPF_MOV64_IMM(BPF_REG_0, 1),
12670 .fixup_prog1 = { 5 },
12671 .fixup_prog2 = { 2 },
12672 .result_unpriv = REJECT,
12673 .errstr_unpriv = "tail_call abusing map_ptr",
12678 "cond: two branches returning same map pointers for lookup (tail, tail)",
12680 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
12681 offsetof(struct __sk_buff, mark)),
12682 BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 3),
12683 BPF_LD_MAP_FD(BPF_REG_2, 0),
12684 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12685 BPF_LD_MAP_FD(BPF_REG_2, 0),
12686 BPF_MOV64_IMM(BPF_REG_3, 7),
12687 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12688 BPF_FUNC_tail_call),
12689 BPF_MOV64_IMM(BPF_REG_0, 1),
12692 .fixup_prog2 = { 2, 5 },
12693 .result_unpriv = ACCEPT,
12698 "search pruning: all branches should be verified (nop operation)",
12700 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12701 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12702 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
12703 BPF_LD_MAP_FD(BPF_REG_1, 0),
12704 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
12705 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
12706 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
12707 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
12708 BPF_MOV64_IMM(BPF_REG_4, 0),
12710 BPF_MOV64_IMM(BPF_REG_4, 1),
12711 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
12712 BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
12713 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
12714 BPF_JMP_IMM(BPF_JEQ, BPF_REG_5, 0, 2),
12715 BPF_MOV64_IMM(BPF_REG_6, 0),
12716 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xdead),
12719 .fixup_map_hash_8b = { 3 },
12720 .errstr = "R6 invalid mem access 'inv'",
12722 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12725 "search pruning: all branches should be verified (invalid stack access)",
12727 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12728 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12729 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
12730 BPF_LD_MAP_FD(BPF_REG_1, 0),
12731 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
12732 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
12733 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
12734 BPF_MOV64_IMM(BPF_REG_4, 0),
12735 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
12736 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
12738 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -24),
12739 BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
12740 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
12743 .fixup_map_hash_8b = { 3 },
12744 .errstr = "invalid read from stack off -16+0 size 8",
12746 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12749 "jit: lsh, rsh, arsh by 1",
12751 BPF_MOV64_IMM(BPF_REG_0, 1),
12752 BPF_MOV64_IMM(BPF_REG_1, 0xff),
12753 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 1),
12754 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 1),
12755 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x3fc, 1),
12757 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 1),
12758 BPF_ALU32_IMM(BPF_RSH, BPF_REG_1, 1),
12759 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0xff, 1),
12761 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 1),
12762 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x7f, 1),
12764 BPF_MOV64_IMM(BPF_REG_0, 2),
12771 "jit: mov32 for ldimm64, 1",
12773 BPF_MOV64_IMM(BPF_REG_0, 2),
12774 BPF_LD_IMM64(BPF_REG_1, 0xfeffffffffffffffULL),
12775 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32),
12776 BPF_LD_IMM64(BPF_REG_2, 0xfeffffffULL),
12777 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
12778 BPF_MOV64_IMM(BPF_REG_0, 1),
12785 "jit: mov32 for ldimm64, 2",
12787 BPF_MOV64_IMM(BPF_REG_0, 1),
12788 BPF_LD_IMM64(BPF_REG_1, 0x1ffffffffULL),
12789 BPF_LD_IMM64(BPF_REG_2, 0xffffffffULL),
12790 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
12791 BPF_MOV64_IMM(BPF_REG_0, 2),
12798 "jit: various mul tests",
12800 BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
12801 BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
12802 BPF_LD_IMM64(BPF_REG_1, 0xefefefULL),
12803 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
12804 BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
12805 BPF_MOV64_IMM(BPF_REG_0, 1),
12807 BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
12808 BPF_ALU64_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
12809 BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
12810 BPF_MOV64_IMM(BPF_REG_0, 1),
12812 BPF_MOV32_REG(BPF_REG_2, BPF_REG_2),
12813 BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
12814 BPF_ALU32_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
12815 BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
12816 BPF_MOV64_IMM(BPF_REG_0, 1),
12818 BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
12819 BPF_ALU32_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
12820 BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
12821 BPF_MOV64_IMM(BPF_REG_0, 1),
12823 BPF_LD_IMM64(BPF_REG_0, 0x952a7bbcULL),
12824 BPF_LD_IMM64(BPF_REG_1, 0xfefefeULL),
12825 BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
12826 BPF_ALU32_REG(BPF_MUL, BPF_REG_2, BPF_REG_1),
12827 BPF_JMP_REG(BPF_JEQ, BPF_REG_2, BPF_REG_0, 2),
12828 BPF_MOV64_IMM(BPF_REG_0, 1),
12830 BPF_MOV64_IMM(BPF_REG_0, 2),
12837 "xadd/w check unaligned stack",
12839 BPF_MOV64_IMM(BPF_REG_0, 1),
12840 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12841 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -7),
12842 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
12846 .errstr = "misaligned stack access off",
12847 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12850 "xadd/w check unaligned map",
12852 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12853 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12854 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12855 BPF_LD_MAP_FD(BPF_REG_1, 0),
12856 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12857 BPF_FUNC_map_lookup_elem),
12858 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
12860 BPF_MOV64_IMM(BPF_REG_1, 1),
12861 BPF_STX_XADD(BPF_W, BPF_REG_0, BPF_REG_1, 3),
12862 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 3),
12865 .fixup_map_hash_8b = { 3 },
12867 .errstr = "misaligned value access off",
12868 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12871 "xadd/w check unaligned pkt",
12873 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12874 offsetof(struct xdp_md, data)),
12875 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12876 offsetof(struct xdp_md, data_end)),
12877 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
12878 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
12879 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 2),
12880 BPF_MOV64_IMM(BPF_REG_0, 99),
12881 BPF_JMP_IMM(BPF_JA, 0, 0, 6),
12882 BPF_MOV64_IMM(BPF_REG_0, 1),
12883 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12884 BPF_ST_MEM(BPF_W, BPF_REG_2, 3, 0),
12885 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 1),
12886 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 2),
12887 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 1),
12891 .errstr = "BPF_XADD stores into R2 pkt is not allowed",
12892 .prog_type = BPF_PROG_TYPE_XDP,
12895 "xadd/w check whether src/dst got mangled, 1",
12897 BPF_MOV64_IMM(BPF_REG_0, 1),
12898 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
12899 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
12900 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12901 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12902 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12903 BPF_JMP_REG(BPF_JNE, BPF_REG_6, BPF_REG_0, 3),
12904 BPF_JMP_REG(BPF_JNE, BPF_REG_7, BPF_REG_10, 2),
12905 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
12907 BPF_MOV64_IMM(BPF_REG_0, 42),
12911 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12915 "xadd/w check whether src/dst got mangled, 2",
12917 BPF_MOV64_IMM(BPF_REG_0, 1),
12918 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
12919 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
12920 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -8),
12921 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -8),
12922 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -8),
12923 BPF_JMP_REG(BPF_JNE, BPF_REG_6, BPF_REG_0, 3),
12924 BPF_JMP_REG(BPF_JNE, BPF_REG_7, BPF_REG_10, 2),
12925 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
12927 BPF_MOV64_IMM(BPF_REG_0, 42),
12931 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12935 "bpf_get_stack return R0 within range",
12937 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12938 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12939 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12940 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12941 BPF_LD_MAP_FD(BPF_REG_1, 0),
12942 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12943 BPF_FUNC_map_lookup_elem),
12944 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 28),
12945 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
12946 BPF_MOV64_IMM(BPF_REG_9, sizeof(struct test_val)),
12947 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12948 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
12949 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct test_val)),
12950 BPF_MOV64_IMM(BPF_REG_4, 256),
12951 BPF_EMIT_CALL(BPF_FUNC_get_stack),
12952 BPF_MOV64_IMM(BPF_REG_1, 0),
12953 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
12954 BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 32),
12955 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_8, 32),
12956 BPF_JMP_REG(BPF_JSLT, BPF_REG_1, BPF_REG_8, 16),
12957 BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8),
12958 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
12959 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_8),
12960 BPF_MOV64_REG(BPF_REG_1, BPF_REG_9),
12961 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32),
12962 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 32),
12963 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
12964 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_1),
12965 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
12966 BPF_MOV64_IMM(BPF_REG_5, sizeof(struct test_val)),
12967 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_5),
12968 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 4),
12969 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12970 BPF_MOV64_REG(BPF_REG_3, BPF_REG_9),
12971 BPF_MOV64_IMM(BPF_REG_4, 0),
12972 BPF_EMIT_CALL(BPF_FUNC_get_stack),
12975 .fixup_map_hash_48b = { 4 },
12977 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12980 "ld_abs: invalid op 1",
12982 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12983 BPF_LD_ABS(BPF_DW, 0),
12986 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12988 .errstr = "unknown opcode",
12991 "ld_abs: invalid op 2",
12993 BPF_MOV32_IMM(BPF_REG_0, 256),
12994 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12995 BPF_LD_IND(BPF_DW, BPF_REG_0, 0),
12998 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13000 .errstr = "unknown opcode",
13003 "ld_abs: nmap reduced",
13005 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13006 BPF_LD_ABS(BPF_H, 12),
13007 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 28),
13008 BPF_LD_ABS(BPF_H, 12),
13009 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 26),
13010 BPF_MOV32_IMM(BPF_REG_0, 18),
13011 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -64),
13012 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -64),
13013 BPF_LD_IND(BPF_W, BPF_REG_7, 14),
13014 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -60),
13015 BPF_MOV32_IMM(BPF_REG_0, 280971478),
13016 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
13017 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
13018 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -60),
13019 BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
13020 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 15),
13021 BPF_LD_ABS(BPF_H, 12),
13022 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 13),
13023 BPF_MOV32_IMM(BPF_REG_0, 22),
13024 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
13025 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
13026 BPF_LD_IND(BPF_H, BPF_REG_7, 14),
13027 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -52),
13028 BPF_MOV32_IMM(BPF_REG_0, 17366),
13029 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -48),
13030 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -48),
13031 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -52),
13032 BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
13033 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
13034 BPF_MOV32_IMM(BPF_REG_0, 256),
13036 BPF_MOV32_IMM(BPF_REG_0, 0),
13040 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x08, 0x06, 0,
13041 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
13042 0x10, 0xbf, 0x48, 0xd6, 0x43, 0xd6,
13044 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13049 "ld_abs: div + abs, test 1",
13051 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
13052 BPF_LD_ABS(BPF_B, 3),
13053 BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
13054 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
13055 BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
13056 BPF_LD_ABS(BPF_B, 4),
13057 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
13058 BPF_LD_IND(BPF_B, BPF_REG_8, -70),
13062 10, 20, 30, 40, 50,
13064 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13069 "ld_abs: div + abs, test 2",
13071 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
13072 BPF_LD_ABS(BPF_B, 3),
13073 BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
13074 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
13075 BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
13076 BPF_LD_ABS(BPF_B, 128),
13077 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
13078 BPF_LD_IND(BPF_B, BPF_REG_8, -70),
13082 10, 20, 30, 40, 50,
13084 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13089 "ld_abs: div + abs, test 3",
13091 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
13092 BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
13093 BPF_LD_ABS(BPF_B, 3),
13094 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
13098 10, 20, 30, 40, 50,
13100 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13105 "ld_abs: div + abs, test 4",
13107 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
13108 BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
13109 BPF_LD_ABS(BPF_B, 256),
13110 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
13114 10, 20, 30, 40, 50,
13116 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13121 "ld_abs: vlan + abs, test 1",
13126 .fill_helper = bpf_fill_ld_abs_vlan_push_pop,
13127 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13132 "ld_abs: vlan + abs, test 2",
13134 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13135 BPF_LD_ABS(BPF_B, 0),
13136 BPF_LD_ABS(BPF_H, 0),
13137 BPF_LD_ABS(BPF_W, 0),
13138 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
13139 BPF_MOV64_IMM(BPF_REG_6, 0),
13140 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
13141 BPF_MOV64_IMM(BPF_REG_2, 1),
13142 BPF_MOV64_IMM(BPF_REG_3, 2),
13143 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13144 BPF_FUNC_skb_vlan_push),
13145 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
13146 BPF_LD_ABS(BPF_B, 0),
13147 BPF_LD_ABS(BPF_H, 0),
13148 BPF_LD_ABS(BPF_W, 0),
13149 BPF_MOV64_IMM(BPF_REG_0, 42),
13155 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13160 "ld_abs: jump around ld_abs",
13165 .fill_helper = bpf_fill_jump_around_ld_abs,
13166 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13171 "ld_dw: xor semi-random 64 bit imms, test 1",
13174 .fill_helper = bpf_fill_rand_ld_dw,
13175 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13180 "ld_dw: xor semi-random 64 bit imms, test 2",
13183 .fill_helper = bpf_fill_rand_ld_dw,
13184 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13189 "ld_dw: xor semi-random 64 bit imms, test 3",
13192 .fill_helper = bpf_fill_rand_ld_dw,
13193 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13198 "ld_dw: xor semi-random 64 bit imms, test 4",
13201 .fill_helper = bpf_fill_rand_ld_dw,
13202 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13207 "pass unmodified ctx pointer to helper",
13209 BPF_MOV64_IMM(BPF_REG_2, 0),
13210 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13211 BPF_FUNC_csum_update),
13212 BPF_MOV64_IMM(BPF_REG_0, 0),
13215 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13219 "reference tracking: leak potential reference",
13222 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), /* leak reference */
13225 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13226 .errstr = "Unreleased reference",
13230 "reference tracking: leak potential reference on stack",
13233 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13234 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13235 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
13236 BPF_MOV64_IMM(BPF_REG_0, 0),
13239 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13240 .errstr = "Unreleased reference",
13244 "reference tracking: leak potential reference on stack 2",
13247 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13248 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13249 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
13250 BPF_MOV64_IMM(BPF_REG_0, 0),
13251 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
13254 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13255 .errstr = "Unreleased reference",
13259 "reference tracking: zero potential reference",
13262 BPF_MOV64_IMM(BPF_REG_0, 0), /* leak reference */
13265 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13266 .errstr = "Unreleased reference",
13270 "reference tracking: copy and zero potential references",
13273 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
13274 BPF_MOV64_IMM(BPF_REG_0, 0),
13275 BPF_MOV64_IMM(BPF_REG_7, 0), /* leak reference */
13278 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13279 .errstr = "Unreleased reference",
13283 "reference tracking: release reference without check",
13286 /* reference in r0 may be NULL */
13287 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13288 BPF_MOV64_IMM(BPF_REG_2, 0),
13289 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13292 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13293 .errstr = "type=sock_or_null expected=sock",
13297 "reference tracking: release reference",
13300 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13301 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13302 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13305 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13309 "reference tracking: release reference 2",
13312 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13313 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
13315 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13318 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13322 "reference tracking: release reference twice",
13325 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13326 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13327 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13328 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13329 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13330 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13333 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13334 .errstr = "type=inv expected=sock",
13338 "reference tracking: release reference twice inside branch",
13341 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13342 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13343 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3), /* goto end */
13344 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13345 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13346 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13349 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13350 .errstr = "type=inv expected=sock",
13354 "reference tracking: alloc, check, free in one subbranch",
13356 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13357 offsetof(struct __sk_buff, data)),
13358 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13359 offsetof(struct __sk_buff, data_end)),
13360 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13361 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 16),
13362 /* if (offsetof(skb, mark) > data_len) exit; */
13363 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
13365 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_2,
13366 offsetof(struct __sk_buff, mark)),
13368 BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 1), /* mark == 0? */
13369 /* Leak reference in R0 */
13371 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), /* sk NULL? */
13372 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13373 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13376 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13377 .errstr = "Unreleased reference",
13381 "reference tracking: alloc, check, free in both subbranches",
13383 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13384 offsetof(struct __sk_buff, data)),
13385 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13386 offsetof(struct __sk_buff, data_end)),
13387 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13388 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 16),
13389 /* if (offsetof(skb, mark) > data_len) exit; */
13390 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
13392 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_2,
13393 offsetof(struct __sk_buff, mark)),
13395 BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 4), /* mark == 0? */
13396 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), /* sk NULL? */
13397 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13398 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13400 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), /* sk NULL? */
13401 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13402 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13405 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13409 "reference tracking in call: free reference in subprog",
13412 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), /* unchecked reference */
13413 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
13414 BPF_MOV64_IMM(BPF_REG_0, 0),
13418 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
13419 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 1),
13420 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13423 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13427 "pass modified ctx pointer to helper, 1",
13429 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
13430 BPF_MOV64_IMM(BPF_REG_2, 0),
13431 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13432 BPF_FUNC_csum_update),
13433 BPF_MOV64_IMM(BPF_REG_0, 0),
13436 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13438 .errstr = "dereference of modified ctx ptr",
13441 "pass modified ctx pointer to helper, 2",
13443 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
13444 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13445 BPF_FUNC_get_socket_cookie),
13446 BPF_MOV64_IMM(BPF_REG_0, 0),
13449 .result_unpriv = REJECT,
13451 .errstr_unpriv = "dereference of modified ctx ptr",
13452 .errstr = "dereference of modified ctx ptr",
13455 "pass modified ctx pointer to helper, 3",
13457 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 0),
13458 BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 4),
13459 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
13460 BPF_MOV64_IMM(BPF_REG_2, 0),
13461 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13462 BPF_FUNC_csum_update),
13463 BPF_MOV64_IMM(BPF_REG_0, 0),
13466 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13468 .errstr = "variable ctx access var_off=(0x0; 0x4)",
13471 "mov64 src == dst",
13473 BPF_MOV64_IMM(BPF_REG_2, 0),
13474 BPF_MOV64_REG(BPF_REG_2, BPF_REG_2),
13475 // Check bounds are OK
13476 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
13477 BPF_MOV64_IMM(BPF_REG_0, 0),
13480 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13484 "mov64 src != dst",
13486 BPF_MOV64_IMM(BPF_REG_3, 0),
13487 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
13488 // Check bounds are OK
13489 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
13490 BPF_MOV64_IMM(BPF_REG_0, 0),
13493 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13497 "reference tracking in call: free reference in subprog and outside",
13500 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), /* unchecked reference */
13501 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13502 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
13503 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13504 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13508 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
13509 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 1),
13510 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13513 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13514 .errstr = "type=inv expected=sock",
13518 "reference tracking in call: alloc & leak reference in subprog",
13520 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13521 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13522 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
13523 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13524 BPF_MOV64_IMM(BPF_REG_0, 0),
13528 BPF_MOV64_REG(BPF_REG_6, BPF_REG_4),
13530 /* spill unchecked sk_ptr into stack of caller */
13531 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
13532 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13535 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13536 .errstr = "Unreleased reference",
13540 "reference tracking in call: alloc in subprog, release outside",
13542 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13543 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
13544 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13545 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13546 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13551 BPF_EXIT_INSN(), /* return sk */
13553 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13554 .retval = POINTER_VALUE,
13558 "reference tracking in call: sk_ptr leak into caller stack",
13560 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13561 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13562 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
13563 BPF_MOV64_IMM(BPF_REG_0, 0),
13567 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
13568 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
13569 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
13570 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
13571 /* spill unchecked sk_ptr into stack of caller */
13572 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
13573 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
13574 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
13575 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
13582 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13583 .errstr = "Unreleased reference",
13587 "reference tracking in call: sk_ptr spill into caller stack",
13589 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13590 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13591 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
13592 BPF_MOV64_IMM(BPF_REG_0, 0),
13596 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
13597 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
13598 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
13599 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
13600 /* spill unchecked sk_ptr into stack of caller */
13601 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
13602 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
13603 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
13604 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
13605 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
13606 /* now the sk_ptr is verified, free the reference */
13607 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_4, 0),
13608 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13615 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13619 "reference tracking: allow LD_ABS",
13621 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13623 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13624 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13625 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13626 BPF_LD_ABS(BPF_B, 0),
13627 BPF_LD_ABS(BPF_H, 0),
13628 BPF_LD_ABS(BPF_W, 0),
13631 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13635 "reference tracking: forbid LD_ABS while holding reference",
13637 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13639 BPF_LD_ABS(BPF_B, 0),
13640 BPF_LD_ABS(BPF_H, 0),
13641 BPF_LD_ABS(BPF_W, 0),
13642 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13643 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13644 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13647 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13648 .errstr = "BPF_LD_[ABS|IND] cannot be mixed with socket references",
13652 "reference tracking: allow LD_IND",
13654 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13656 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13657 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13658 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13659 BPF_MOV64_IMM(BPF_REG_7, 1),
13660 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
13661 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
13664 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13669 "reference tracking: forbid LD_IND while holding reference",
13671 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13673 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
13674 BPF_MOV64_IMM(BPF_REG_7, 1),
13675 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
13676 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
13677 BPF_MOV64_REG(BPF_REG_1, BPF_REG_4),
13678 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
13679 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13682 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13683 .errstr = "BPF_LD_[ABS|IND] cannot be mixed with socket references",
13687 "reference tracking: check reference or tail call",
13689 BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
13691 /* if (sk) bpf_sk_release() */
13692 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13693 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 7),
13694 /* bpf_tail_call() */
13695 BPF_MOV64_IMM(BPF_REG_3, 2),
13696 BPF_LD_MAP_FD(BPF_REG_2, 0),
13697 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
13698 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13699 BPF_FUNC_tail_call),
13700 BPF_MOV64_IMM(BPF_REG_0, 0),
13702 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13705 .fixup_prog1 = { 17 },
13706 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13710 "reference tracking: release reference then tail call",
13712 BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
13714 /* if (sk) bpf_sk_release() */
13715 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13716 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
13717 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13718 /* bpf_tail_call() */
13719 BPF_MOV64_IMM(BPF_REG_3, 2),
13720 BPF_LD_MAP_FD(BPF_REG_2, 0),
13721 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
13722 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13723 BPF_FUNC_tail_call),
13724 BPF_MOV64_IMM(BPF_REG_0, 0),
13727 .fixup_prog1 = { 18 },
13728 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13732 "reference tracking: leak possible reference over tail call",
13734 BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
13735 /* Look up socket and store in REG_6 */
13737 /* bpf_tail_call() */
13738 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13739 BPF_MOV64_IMM(BPF_REG_3, 2),
13740 BPF_LD_MAP_FD(BPF_REG_2, 0),
13741 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
13742 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13743 BPF_FUNC_tail_call),
13744 BPF_MOV64_IMM(BPF_REG_0, 0),
13745 /* if (sk) bpf_sk_release() */
13746 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13747 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
13748 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13751 .fixup_prog1 = { 16 },
13752 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13753 .errstr = "tail_call would lead to reference leak",
13757 "reference tracking: leak checked reference over tail call",
13759 BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
13760 /* Look up socket and store in REG_6 */
13762 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13763 /* if (!sk) goto end */
13764 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
13765 /* bpf_tail_call() */
13766 BPF_MOV64_IMM(BPF_REG_3, 0),
13767 BPF_LD_MAP_FD(BPF_REG_2, 0),
13768 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
13769 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13770 BPF_FUNC_tail_call),
13771 BPF_MOV64_IMM(BPF_REG_0, 0),
13772 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13773 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13776 .fixup_prog1 = { 17 },
13777 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13778 .errstr = "tail_call would lead to reference leak",
13782 "reference tracking: mangle and release sock_or_null",
13785 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13786 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 5),
13787 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13788 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13791 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13792 .errstr = "R1 pointer arithmetic on sock_or_null prohibited",
13796 "reference tracking: mangle and release sock",
13799 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13800 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
13801 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 5),
13802 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13805 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13806 .errstr = "R1 pointer arithmetic on sock prohibited",
13810 "reference tracking: access member",
13813 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13814 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
13815 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_0, 4),
13816 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13817 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13820 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13824 "reference tracking: write to member",
13827 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13828 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
13829 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13830 BPF_LD_IMM64(BPF_REG_2, 42),
13831 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_2,
13832 offsetof(struct bpf_sock, mark)),
13833 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13834 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13835 BPF_LD_IMM64(BPF_REG_0, 0),
13838 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13839 .errstr = "cannot write into socket",
13843 "reference tracking: invalid 64-bit access of member",
13846 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13847 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
13848 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
13849 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13850 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13853 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13854 .errstr = "invalid bpf_sock access off=0 size=8",
13858 "reference tracking: access after release",
13861 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13862 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
13863 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13864 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
13867 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13868 .errstr = "!read_ok",
13872 "reference tracking: direct access for lookup",
13874 /* Check that the packet is at least 64B long */
13875 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13876 offsetof(struct __sk_buff, data)),
13877 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13878 offsetof(struct __sk_buff, data_end)),
13879 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13880 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
13881 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
13882 /* sk = sk_lookup_tcp(ctx, skb->data, ...) */
13883 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct bpf_sock_tuple)),
13884 BPF_MOV64_IMM(BPF_REG_4, 0),
13885 BPF_MOV64_IMM(BPF_REG_5, 0),
13886 BPF_EMIT_CALL(BPF_FUNC_sk_lookup_tcp),
13887 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13888 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
13889 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_0, 4),
13890 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13891 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13894 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13899 static int probe_filter_length(const struct bpf_insn *fp)
13903 for (len = MAX_INSNS - 1; len > 0; --len)
13904 if (fp[len].code != 0 || fp[len].imm != 0)
13909 static int create_map(uint32_t type, uint32_t size_key,
13910 uint32_t size_value, uint32_t max_elem)
13914 fd = bpf_create_map(type, size_key, size_value, max_elem,
13915 type == BPF_MAP_TYPE_HASH ? BPF_F_NO_PREALLOC : 0);
13917 printf("Failed to create hash map '%s'!\n", strerror(errno));
13922 static int create_prog_dummy1(enum bpf_map_type prog_type)
13924 struct bpf_insn prog[] = {
13925 BPF_MOV64_IMM(BPF_REG_0, 42),
13929 return bpf_load_program(prog_type, prog,
13930 ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
13933 static int create_prog_dummy2(enum bpf_map_type prog_type, int mfd, int idx)
13935 struct bpf_insn prog[] = {
13936 BPF_MOV64_IMM(BPF_REG_3, idx),
13937 BPF_LD_MAP_FD(BPF_REG_2, mfd),
13938 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13939 BPF_FUNC_tail_call),
13940 BPF_MOV64_IMM(BPF_REG_0, 41),
13944 return bpf_load_program(prog_type, prog,
13945 ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
13948 static int create_prog_array(enum bpf_map_type prog_type, uint32_t max_elem,
13952 int mfd, p1fd, p2fd;
13954 mfd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
13955 sizeof(int), max_elem, 0);
13957 printf("Failed to create prog array '%s'!\n", strerror(errno));
13961 p1fd = create_prog_dummy1(prog_type);
13962 p2fd = create_prog_dummy2(prog_type, mfd, p2key);
13963 if (p1fd < 0 || p2fd < 0)
13965 if (bpf_map_update_elem(mfd, &p1key, &p1fd, BPF_ANY) < 0)
13967 if (bpf_map_update_elem(mfd, &p2key, &p2fd, BPF_ANY) < 0)
13980 static int create_map_in_map(void)
13982 int inner_map_fd, outer_map_fd;
13984 inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
13985 sizeof(int), 1, 0);
13986 if (inner_map_fd < 0) {
13987 printf("Failed to create array '%s'!\n", strerror(errno));
13988 return inner_map_fd;
13991 outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL,
13992 sizeof(int), inner_map_fd, 1, 0);
13993 if (outer_map_fd < 0)
13994 printf("Failed to create array of maps '%s'!\n",
13997 close(inner_map_fd);
13999 return outer_map_fd;
14002 static int create_cgroup_storage(bool percpu)
14004 enum bpf_map_type type = percpu ? BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE :
14005 BPF_MAP_TYPE_CGROUP_STORAGE;
14008 fd = bpf_create_map(type, sizeof(struct bpf_cgroup_storage_key),
14009 TEST_DATA_LEN, 0, 0);
14011 printf("Failed to create cgroup storage '%s'!\n",
14017 static char bpf_vlog[UINT_MAX >> 8];
14019 static void do_test_fixup(struct bpf_test *test, enum bpf_map_type prog_type,
14020 struct bpf_insn *prog, int *map_fds)
14022 int *fixup_map_hash_8b = test->fixup_map_hash_8b;
14023 int *fixup_map_hash_48b = test->fixup_map_hash_48b;
14024 int *fixup_map_hash_16b = test->fixup_map_hash_16b;
14025 int *fixup_map_array_48b = test->fixup_map_array_48b;
14026 int *fixup_map_sockmap = test->fixup_map_sockmap;
14027 int *fixup_map_sockhash = test->fixup_map_sockhash;
14028 int *fixup_map_xskmap = test->fixup_map_xskmap;
14029 int *fixup_map_stacktrace = test->fixup_map_stacktrace;
14030 int *fixup_prog1 = test->fixup_prog1;
14031 int *fixup_prog2 = test->fixup_prog2;
14032 int *fixup_map_in_map = test->fixup_map_in_map;
14033 int *fixup_cgroup_storage = test->fixup_cgroup_storage;
14034 int *fixup_percpu_cgroup_storage = test->fixup_percpu_cgroup_storage;
14036 if (test->fill_helper)
14037 test->fill_helper(test);
14039 /* Allocating HTs with 1 elem is fine here, since we only test
14040 * for verifier and not do a runtime lookup, so the only thing
14041 * that really matters is value size in this case.
14043 if (*fixup_map_hash_8b) {
14044 map_fds[0] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
14045 sizeof(long long), 1);
14047 prog[*fixup_map_hash_8b].imm = map_fds[0];
14048 fixup_map_hash_8b++;
14049 } while (*fixup_map_hash_8b);
14052 if (*fixup_map_hash_48b) {
14053 map_fds[1] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
14054 sizeof(struct test_val), 1);
14056 prog[*fixup_map_hash_48b].imm = map_fds[1];
14057 fixup_map_hash_48b++;
14058 } while (*fixup_map_hash_48b);
14061 if (*fixup_map_hash_16b) {
14062 map_fds[2] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
14063 sizeof(struct other_val), 1);
14065 prog[*fixup_map_hash_16b].imm = map_fds[2];
14066 fixup_map_hash_16b++;
14067 } while (*fixup_map_hash_16b);
14070 if (*fixup_map_array_48b) {
14071 map_fds[3] = create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
14072 sizeof(struct test_val), 1);
14074 prog[*fixup_map_array_48b].imm = map_fds[3];
14075 fixup_map_array_48b++;
14076 } while (*fixup_map_array_48b);
14079 if (*fixup_prog1) {
14080 map_fds[4] = create_prog_array(prog_type, 4, 0);
14082 prog[*fixup_prog1].imm = map_fds[4];
14084 } while (*fixup_prog1);
14087 if (*fixup_prog2) {
14088 map_fds[5] = create_prog_array(prog_type, 8, 7);
14090 prog[*fixup_prog2].imm = map_fds[5];
14092 } while (*fixup_prog2);
14095 if (*fixup_map_in_map) {
14096 map_fds[6] = create_map_in_map();
14098 prog[*fixup_map_in_map].imm = map_fds[6];
14099 fixup_map_in_map++;
14100 } while (*fixup_map_in_map);
14103 if (*fixup_cgroup_storage) {
14104 map_fds[7] = create_cgroup_storage(false);
14106 prog[*fixup_cgroup_storage].imm = map_fds[7];
14107 fixup_cgroup_storage++;
14108 } while (*fixup_cgroup_storage);
14111 if (*fixup_percpu_cgroup_storage) {
14112 map_fds[8] = create_cgroup_storage(true);
14114 prog[*fixup_percpu_cgroup_storage].imm = map_fds[8];
14115 fixup_percpu_cgroup_storage++;
14116 } while (*fixup_percpu_cgroup_storage);
14118 if (*fixup_map_sockmap) {
14119 map_fds[9] = create_map(BPF_MAP_TYPE_SOCKMAP, sizeof(int),
14122 prog[*fixup_map_sockmap].imm = map_fds[9];
14123 fixup_map_sockmap++;
14124 } while (*fixup_map_sockmap);
14126 if (*fixup_map_sockhash) {
14127 map_fds[10] = create_map(BPF_MAP_TYPE_SOCKHASH, sizeof(int),
14130 prog[*fixup_map_sockhash].imm = map_fds[10];
14131 fixup_map_sockhash++;
14132 } while (*fixup_map_sockhash);
14134 if (*fixup_map_xskmap) {
14135 map_fds[11] = create_map(BPF_MAP_TYPE_XSKMAP, sizeof(int),
14138 prog[*fixup_map_xskmap].imm = map_fds[11];
14139 fixup_map_xskmap++;
14140 } while (*fixup_map_xskmap);
14142 if (*fixup_map_stacktrace) {
14143 map_fds[12] = create_map(BPF_MAP_TYPE_STACK_TRACE, sizeof(u32),
14146 prog[*fixup_map_stacktrace].imm = map_fds[12];
14147 fixup_map_stacktrace++;
14148 } while (fixup_map_stacktrace);
14152 static void do_test_single(struct bpf_test *test, bool unpriv,
14153 int *passes, int *errors)
14155 int fd_prog, expected_ret, reject_from_alignment;
14156 int prog_len, prog_type = test->prog_type;
14157 struct bpf_insn *prog = test->insns;
14158 int map_fds[MAX_NR_MAPS];
14159 const char *expected_err;
14163 for (i = 0; i < MAX_NR_MAPS; i++)
14167 prog_type = BPF_PROG_TYPE_SOCKET_FILTER;
14168 do_test_fixup(test, prog_type, prog, map_fds);
14169 prog_len = probe_filter_length(prog);
14171 fd_prog = bpf_verify_program(prog_type, prog, prog_len,
14172 test->flags & F_LOAD_WITH_STRICT_ALIGNMENT,
14173 "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1);
14175 expected_ret = unpriv && test->result_unpriv != UNDEF ?
14176 test->result_unpriv : test->result;
14177 expected_err = unpriv && test->errstr_unpriv ?
14178 test->errstr_unpriv : test->errstr;
14180 reject_from_alignment = fd_prog < 0 &&
14181 (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) &&
14182 strstr(bpf_vlog, "Unknown alignment.");
14183 #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
14184 if (reject_from_alignment) {
14185 printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n",
14190 if (expected_ret == ACCEPT) {
14191 if (fd_prog < 0 && !reject_from_alignment) {
14192 printf("FAIL\nFailed to load prog '%s'!\n",
14197 if (fd_prog >= 0) {
14198 printf("FAIL\nUnexpected success to load!\n");
14201 if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) {
14202 printf("FAIL\nUnexpected error message!\n\tEXP: %s\n\tRES: %s\n",
14203 expected_err, bpf_vlog);
14208 if (fd_prog >= 0) {
14209 __u8 tmp[TEST_DATA_LEN << 2];
14210 __u32 size_tmp = sizeof(tmp);
14212 err = bpf_prog_test_run(fd_prog, 1, test->data,
14213 sizeof(test->data), tmp, &size_tmp,
14215 if (err && errno != 524/*ENOTSUPP*/ && errno != EPERM) {
14216 printf("Unexpected bpf_prog_test_run error\n");
14219 if (!err && retval != test->retval &&
14220 test->retval != POINTER_VALUE) {
14221 printf("FAIL retval %d != %d\n", retval, test->retval);
14226 printf("OK%s\n", reject_from_alignment ?
14227 " (NOTE: reject due to unknown alignment)" : "");
14230 for (i = 0; i < MAX_NR_MAPS; i++)
14236 printf("%s", bpf_vlog);
14240 static bool is_admin(void)
14243 cap_flag_value_t sysadmin = CAP_CLEAR;
14244 const cap_value_t cap_val = CAP_SYS_ADMIN;
14246 #ifdef CAP_IS_SUPPORTED
14247 if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) {
14248 perror("cap_get_flag");
14252 caps = cap_get_proc();
14254 perror("cap_get_proc");
14257 if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin))
14258 perror("cap_get_flag");
14259 if (cap_free(caps))
14260 perror("cap_free");
14261 return (sysadmin == CAP_SET);
14264 static int set_admin(bool admin)
14267 const cap_value_t cap_val = CAP_SYS_ADMIN;
14270 caps = cap_get_proc();
14272 perror("cap_get_proc");
14275 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val,
14276 admin ? CAP_SET : CAP_CLEAR)) {
14277 perror("cap_set_flag");
14280 if (cap_set_proc(caps)) {
14281 perror("cap_set_proc");
14286 if (cap_free(caps))
14287 perror("cap_free");
14291 static void get_unpriv_disabled()
14296 fd = fopen("/proc/sys/"UNPRIV_SYSCTL, "r");
14298 perror("fopen /proc/sys/"UNPRIV_SYSCTL);
14299 unpriv_disabled = true;
14302 if (fgets(buf, 2, fd) == buf && atoi(buf))
14303 unpriv_disabled = true;
14307 static bool test_as_unpriv(struct bpf_test *test)
14309 return !test->prog_type ||
14310 test->prog_type == BPF_PROG_TYPE_SOCKET_FILTER ||
14311 test->prog_type == BPF_PROG_TYPE_CGROUP_SKB;
14314 static int do_test(bool unpriv, unsigned int from, unsigned int to)
14316 int i, passes = 0, errors = 0, skips = 0;
14318 for (i = from; i < to; i++) {
14319 struct bpf_test *test = &tests[i];
14321 /* Program types that are not supported by non-root we
14324 if (test_as_unpriv(test) && unpriv_disabled) {
14325 printf("#%d/u %s SKIP\n", i, test->descr);
14327 } else if (test_as_unpriv(test)) {
14330 printf("#%d/u %s ", i, test->descr);
14331 do_test_single(test, true, &passes, &errors);
14337 printf("#%d/p %s SKIP\n", i, test->descr);
14340 printf("#%d/p %s ", i, test->descr);
14341 do_test_single(test, false, &passes, &errors);
14345 printf("Summary: %d PASSED, %d SKIPPED, %d FAILED\n", passes,
14347 return errors ? EXIT_FAILURE : EXIT_SUCCESS;
14350 int main(int argc, char **argv)
14352 unsigned int from = 0, to = ARRAY_SIZE(tests);
14353 bool unpriv = !is_admin();
14356 unsigned int l = atoi(argv[argc - 2]);
14357 unsigned int u = atoi(argv[argc - 1]);
14359 if (l < to && u < to) {
14363 } else if (argc == 2) {
14364 unsigned int t = atoi(argv[argc - 1]);
14372 get_unpriv_disabled();
14373 if (unpriv && unpriv_disabled) {
14374 printf("Cannot run as unprivileged user with sysctl %s.\n",
14376 return EXIT_FAILURE;
14379 bpf_semi_rand_init();
14380 return do_test(unpriv, from, to);
projects / linux-2.6-block.git / blob