2 * Testsuite for eBPF verifier
4 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
5 * Copyright (c) 2017 Facebook
6 * Copyright (c) 2018 Covalent IO, Inc. http://covalent.io
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of version 2 of the GNU General Public
10 * License as published by the Free Software Foundation.
14 #include <asm/types.h>
15 #include <linux/types.h>
27 #include <sys/capability.h>
29 #include <linux/unistd.h>
30 #include <linux/filter.h>
31 #include <linux/bpf_perf_event.h>
32 #include <linux/bpf.h>
33 #include <linux/if_ether.h>
38 # include "autoconf.h"
40 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
41 # define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
44 #include "bpf_rlimit.h"
47 #include "../../../include/linux/filter.h"
49 #define MAX_INSNS BPF_MAXINSNS
51 #define MAX_NR_MAPS 13
52 #define POINTER_VALUE 0xcafe4all
53 #define TEST_DATA_LEN 64
55 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS (1 << 0)
56 #define F_LOAD_WITH_STRICT_ALIGNMENT (1 << 1)
58 #define UNPRIV_SYSCTL "kernel/unprivileged_bpf_disabled"
59 static bool unpriv_disabled = false;
63 struct bpf_insn insns[MAX_INSNS];
64 int fixup_map_hash_8b[MAX_FIXUPS];
65 int fixup_map_hash_48b[MAX_FIXUPS];
66 int fixup_map_hash_16b[MAX_FIXUPS];
67 int fixup_map_array_48b[MAX_FIXUPS];
68 int fixup_map_sockmap[MAX_FIXUPS];
69 int fixup_map_sockhash[MAX_FIXUPS];
70 int fixup_map_xskmap[MAX_FIXUPS];
71 int fixup_map_stacktrace[MAX_FIXUPS];
72 int fixup_prog1[MAX_FIXUPS];
73 int fixup_prog2[MAX_FIXUPS];
74 int fixup_map_in_map[MAX_FIXUPS];
75 int fixup_cgroup_storage[MAX_FIXUPS];
76 int fixup_percpu_cgroup_storage[MAX_FIXUPS];
78 const char *errstr_unpriv;
79 uint32_t retval, retval_unpriv;
84 } result, result_unpriv;
85 enum bpf_prog_type prog_type;
87 __u8 data[TEST_DATA_LEN];
88 void (*fill_helper)(struct bpf_test *self);
91 /* Note we want this to be 64 bit aligned so that the end of our array is
92 * actually the end of the structure.
94 #define MAX_ENTRIES 11
106 static void bpf_fill_ld_abs_vlan_push_pop(struct bpf_test *self)
108 /* test: {skb->data[0], vlan_push} x 68 + {skb->data[0], vlan_pop} x 68 */
110 unsigned int len = BPF_MAXINSNS;
111 struct bpf_insn *insn = self->insns;
114 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
116 for (j = 0; j < PUSH_CNT; j++) {
117 insn[i++] = BPF_LD_ABS(BPF_B, 0);
118 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
120 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
121 insn[i++] = BPF_MOV64_IMM(BPF_REG_2, 1);
122 insn[i++] = BPF_MOV64_IMM(BPF_REG_3, 2);
123 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
124 BPF_FUNC_skb_vlan_push),
125 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
129 for (j = 0; j < PUSH_CNT; j++) {
130 insn[i++] = BPF_LD_ABS(BPF_B, 0);
131 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
133 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
134 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
135 BPF_FUNC_skb_vlan_pop),
136 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
142 for (; i < len - 1; i++)
143 insn[i] = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, 0xbef);
144 insn[len - 1] = BPF_EXIT_INSN();
147 static void bpf_fill_jump_around_ld_abs(struct bpf_test *self)
149 struct bpf_insn *insn = self->insns;
150 unsigned int len = BPF_MAXINSNS;
153 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
154 insn[i++] = BPF_LD_ABS(BPF_B, 0);
155 insn[i] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 10, len - i - 2);
158 insn[i++] = BPF_LD_ABS(BPF_B, 1);
159 insn[i] = BPF_EXIT_INSN();
162 static void bpf_fill_rand_ld_dw(struct bpf_test *self)
164 struct bpf_insn *insn = self->insns;
168 insn[i++] = BPF_MOV32_IMM(BPF_REG_0, 0);
169 while (i < self->retval) {
170 uint64_t val = bpf_semi_rand_get();
171 struct bpf_insn tmp[2] = { BPF_LD_IMM64(BPF_REG_1, val) };
176 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
178 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_0);
179 insn[i++] = BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32);
180 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
181 insn[i] = BPF_EXIT_INSN();
183 self->retval = (uint32_t)res;
186 /* BPF_SK_LOOKUP contains 13 instructions, if you need to fix up maps */
187 #define BPF_SK_LOOKUP \
188 /* struct bpf_sock_tuple tuple = {} */ \
189 BPF_MOV64_IMM(BPF_REG_2, 0), \
190 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_2, -8), \
191 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -16), \
192 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -24), \
193 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -32), \
194 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -40), \
195 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -48), \
196 /* sk = sk_lookup_tcp(ctx, &tuple, sizeof tuple, 0, 0) */ \
197 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), \
198 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48), \
199 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct bpf_sock_tuple)), \
200 BPF_MOV64_IMM(BPF_REG_4, 0), \
201 BPF_MOV64_IMM(BPF_REG_5, 0), \
202 BPF_EMIT_CALL(BPF_FUNC_sk_lookup_tcp)
204 static struct bpf_test tests[] = {
208 BPF_MOV64_IMM(BPF_REG_1, 1),
209 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
210 BPF_MOV64_IMM(BPF_REG_2, 3),
211 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
212 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
213 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
214 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
221 "DIV32 by 0, zero check 1",
223 BPF_MOV32_IMM(BPF_REG_0, 42),
224 BPF_MOV32_IMM(BPF_REG_1, 0),
225 BPF_MOV32_IMM(BPF_REG_2, 1),
226 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
233 "DIV32 by 0, zero check 2",
235 BPF_MOV32_IMM(BPF_REG_0, 42),
236 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
237 BPF_MOV32_IMM(BPF_REG_2, 1),
238 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
245 "DIV64 by 0, zero check",
247 BPF_MOV32_IMM(BPF_REG_0, 42),
248 BPF_MOV32_IMM(BPF_REG_1, 0),
249 BPF_MOV32_IMM(BPF_REG_2, 1),
250 BPF_ALU64_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
257 "MOD32 by 0, zero check 1",
259 BPF_MOV32_IMM(BPF_REG_0, 42),
260 BPF_MOV32_IMM(BPF_REG_1, 0),
261 BPF_MOV32_IMM(BPF_REG_2, 1),
262 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
269 "MOD32 by 0, zero check 2",
271 BPF_MOV32_IMM(BPF_REG_0, 42),
272 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
273 BPF_MOV32_IMM(BPF_REG_2, 1),
274 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
281 "MOD64 by 0, zero check",
283 BPF_MOV32_IMM(BPF_REG_0, 42),
284 BPF_MOV32_IMM(BPF_REG_1, 0),
285 BPF_MOV32_IMM(BPF_REG_2, 1),
286 BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
293 "DIV32 by 0, zero check ok, cls",
295 BPF_MOV32_IMM(BPF_REG_0, 42),
296 BPF_MOV32_IMM(BPF_REG_1, 2),
297 BPF_MOV32_IMM(BPF_REG_2, 16),
298 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
299 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
302 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
307 "DIV32 by 0, zero check 1, cls",
309 BPF_MOV32_IMM(BPF_REG_1, 0),
310 BPF_MOV32_IMM(BPF_REG_0, 1),
311 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
314 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
319 "DIV32 by 0, zero check 2, cls",
321 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
322 BPF_MOV32_IMM(BPF_REG_0, 1),
323 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
326 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
331 "DIV64 by 0, zero check, cls",
333 BPF_MOV32_IMM(BPF_REG_1, 0),
334 BPF_MOV32_IMM(BPF_REG_0, 1),
335 BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
338 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
343 "MOD32 by 0, zero check ok, cls",
345 BPF_MOV32_IMM(BPF_REG_0, 42),
346 BPF_MOV32_IMM(BPF_REG_1, 3),
347 BPF_MOV32_IMM(BPF_REG_2, 5),
348 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
349 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
352 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
357 "MOD32 by 0, zero check 1, cls",
359 BPF_MOV32_IMM(BPF_REG_1, 0),
360 BPF_MOV32_IMM(BPF_REG_0, 1),
361 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
364 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
369 "MOD32 by 0, zero check 2, cls",
371 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
372 BPF_MOV32_IMM(BPF_REG_0, 1),
373 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
376 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
381 "MOD64 by 0, zero check 1, cls",
383 BPF_MOV32_IMM(BPF_REG_1, 0),
384 BPF_MOV32_IMM(BPF_REG_0, 2),
385 BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
388 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
393 "MOD64 by 0, zero check 2, cls",
395 BPF_MOV32_IMM(BPF_REG_1, 0),
396 BPF_MOV32_IMM(BPF_REG_0, -1),
397 BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
400 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
404 /* Just make sure that JITs used udiv/umod as otherwise we get
405 * an exception from INT_MIN/-1 overflow similarly as with div
409 "DIV32 overflow, check 1",
411 BPF_MOV32_IMM(BPF_REG_1, -1),
412 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
413 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
416 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
421 "DIV32 overflow, check 2",
423 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
424 BPF_ALU32_IMM(BPF_DIV, BPF_REG_0, -1),
427 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
432 "DIV64 overflow, check 1",
434 BPF_MOV64_IMM(BPF_REG_1, -1),
435 BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
436 BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
439 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
444 "DIV64 overflow, check 2",
446 BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
447 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, -1),
450 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
455 "MOD32 overflow, check 1",
457 BPF_MOV32_IMM(BPF_REG_1, -1),
458 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
459 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
462 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
467 "MOD32 overflow, check 2",
469 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
470 BPF_ALU32_IMM(BPF_MOD, BPF_REG_0, -1),
473 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
478 "MOD64 overflow, check 1",
480 BPF_MOV64_IMM(BPF_REG_1, -1),
481 BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
482 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
483 BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
484 BPF_MOV32_IMM(BPF_REG_0, 0),
485 BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
486 BPF_MOV32_IMM(BPF_REG_0, 1),
489 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
494 "MOD64 overflow, check 2",
496 BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
497 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
498 BPF_ALU64_IMM(BPF_MOD, BPF_REG_2, -1),
499 BPF_MOV32_IMM(BPF_REG_0, 0),
500 BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
501 BPF_MOV32_IMM(BPF_REG_0, 1),
504 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
509 "xor32 zero extend check",
511 BPF_MOV32_IMM(BPF_REG_2, -1),
512 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32),
513 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 0xffff),
514 BPF_ALU32_REG(BPF_XOR, BPF_REG_2, BPF_REG_2),
515 BPF_MOV32_IMM(BPF_REG_0, 2),
516 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1),
517 BPF_MOV32_IMM(BPF_REG_0, 1),
520 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
528 .errstr = "unknown opcode 00",
536 .errstr = "R0 !read_ok",
545 .errstr = "unreachable",
551 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
552 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
555 .errstr = "unreachable",
561 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
564 .errstr = "jump out of range",
568 "out of range jump2",
570 BPF_JMP_IMM(BPF_JA, 0, 0, -2),
573 .errstr = "jump out of range",
579 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
580 BPF_LD_IMM64(BPF_REG_0, 0),
581 BPF_LD_IMM64(BPF_REG_0, 0),
582 BPF_LD_IMM64(BPF_REG_0, 1),
583 BPF_LD_IMM64(BPF_REG_0, 1),
584 BPF_MOV64_IMM(BPF_REG_0, 2),
587 .errstr = "invalid BPF_LD_IMM insn",
588 .errstr_unpriv = "R1 pointer comparison",
594 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
595 BPF_LD_IMM64(BPF_REG_0, 0),
596 BPF_LD_IMM64(BPF_REG_0, 0),
597 BPF_LD_IMM64(BPF_REG_0, 1),
598 BPF_LD_IMM64(BPF_REG_0, 1),
601 .errstr = "invalid BPF_LD_IMM insn",
602 .errstr_unpriv = "R1 pointer comparison",
608 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
609 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
610 BPF_LD_IMM64(BPF_REG_0, 0),
611 BPF_LD_IMM64(BPF_REG_0, 0),
612 BPF_LD_IMM64(BPF_REG_0, 1),
613 BPF_LD_IMM64(BPF_REG_0, 1),
616 .errstr = "invalid bpf_ld_imm64 insn",
622 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
625 .errstr = "invalid bpf_ld_imm64 insn",
631 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
633 .errstr = "invalid bpf_ld_imm64 insn",
639 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
640 BPF_RAW_INSN(0, 0, 0, 0, 0),
648 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
649 BPF_RAW_INSN(0, 0, 0, 0, 1),
658 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
659 BPF_RAW_INSN(0, 0, 0, 0, 1),
662 .errstr = "uses reserved fields",
668 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
669 BPF_RAW_INSN(0, 0, 0, 1, 1),
672 .errstr = "invalid bpf_ld_imm64 insn",
678 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
679 BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
682 .errstr = "invalid bpf_ld_imm64 insn",
688 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
689 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
692 .errstr = "invalid bpf_ld_imm64 insn",
698 BPF_MOV64_IMM(BPF_REG_1, 0),
699 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
700 BPF_RAW_INSN(0, 0, 0, 0, 1),
703 .errstr = "not pointing to valid bpf_map",
709 BPF_MOV64_IMM(BPF_REG_1, 0),
710 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
711 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
714 .errstr = "invalid bpf_ld_imm64 insn",
720 BPF_MOV64_IMM(BPF_REG_0, 1),
721 BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 5),
725 .errstr = "unknown opcode c4",
730 BPF_MOV64_IMM(BPF_REG_0, 1),
731 BPF_MOV64_IMM(BPF_REG_1, 5),
732 BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
736 .errstr = "unknown opcode cc",
741 BPF_MOV64_IMM(BPF_REG_0, 1),
742 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_0, 5),
750 BPF_MOV64_IMM(BPF_REG_0, 1),
751 BPF_MOV64_IMM(BPF_REG_1, 5),
752 BPF_ALU64_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
760 BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
762 .errstr = "not an exit",
768 BPF_JMP_IMM(BPF_JA, 0, 0, -1),
771 .errstr = "back-edge",
777 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
778 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
779 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
780 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
783 .errstr = "back-edge",
789 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
790 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
791 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
792 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
795 .errstr = "back-edge",
799 "read uninitialized register",
801 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
804 .errstr = "R2 !read_ok",
808 "read invalid register",
810 BPF_MOV64_REG(BPF_REG_0, -1),
813 .errstr = "R15 is invalid",
817 "program doesn't init R0 before exit",
819 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
822 .errstr = "R0 !read_ok",
826 "program doesn't init R0 before exit in all branches",
828 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
829 BPF_MOV64_IMM(BPF_REG_0, 1),
830 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
833 .errstr = "R0 !read_ok",
834 .errstr_unpriv = "R1 pointer comparison",
838 "stack out of bounds",
840 BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
843 .errstr = "invalid stack",
847 "invalid call insn1",
849 BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
852 .errstr = "unknown opcode 8d",
856 "invalid call insn2",
858 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
861 .errstr = "BPF_CALL uses reserved",
865 "invalid function call",
867 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
870 .errstr = "invalid func unknown#1234567",
874 "uninitialized stack1",
876 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
877 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
878 BPF_LD_MAP_FD(BPF_REG_1, 0),
879 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
880 BPF_FUNC_map_lookup_elem),
883 .fixup_map_hash_8b = { 2 },
884 .errstr = "invalid indirect read from stack",
888 "uninitialized stack2",
890 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
891 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
894 .errstr = "invalid read from stack",
898 "invalid fp arithmetic",
899 /* If this gets ever changed, make sure JITs can deal with it. */
901 BPF_MOV64_IMM(BPF_REG_0, 0),
902 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
903 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
904 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
907 .errstr = "R1 subtraction from stack pointer",
911 "non-invalid fp arithmetic",
913 BPF_MOV64_IMM(BPF_REG_0, 0),
914 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
920 "invalid argument register",
922 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
923 BPF_FUNC_get_cgroup_classid),
924 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
925 BPF_FUNC_get_cgroup_classid),
928 .errstr = "R1 !read_ok",
930 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
933 "non-invalid argument register",
935 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
936 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
937 BPF_FUNC_get_cgroup_classid),
938 BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
939 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
940 BPF_FUNC_get_cgroup_classid),
944 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
947 "check valid spill/fill",
949 /* spill R1(ctx) into stack */
950 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
951 /* fill it back into R2 */
952 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
953 /* should be able to access R0 = *(R2 + 8) */
954 /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
955 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
958 .errstr_unpriv = "R0 leaks addr",
960 .result_unpriv = REJECT,
961 .retval = POINTER_VALUE,
964 "check valid spill/fill, skb mark",
966 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
967 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
968 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
969 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
970 offsetof(struct __sk_buff, mark)),
974 .result_unpriv = ACCEPT,
977 "check corrupted spill/fill",
979 /* spill R1(ctx) into stack */
980 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
981 /* mess up with R1 pointer on stack */
982 BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
983 /* fill back into R0 should fail */
984 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
987 .errstr_unpriv = "attempt to corrupt spilled",
988 .errstr = "corrupted spill",
992 "invalid src register in STX",
994 BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
997 .errstr = "R15 is invalid",
1001 "invalid dst register in STX",
1003 BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
1006 .errstr = "R14 is invalid",
1010 "invalid dst register in ST",
1012 BPF_ST_MEM(BPF_B, 14, -1, -1),
1015 .errstr = "R14 is invalid",
1019 "invalid src register in LDX",
1021 BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
1024 .errstr = "R12 is invalid",
1028 "invalid dst register in LDX",
1030 BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
1033 .errstr = "R11 is invalid",
1039 BPF_RAW_INSN(0, 0, 0, 0, 0),
1042 .errstr = "unknown opcode 00",
1048 BPF_RAW_INSN(1, 0, 0, 0, 0),
1051 .errstr = "BPF_LDX uses reserved fields",
1057 BPF_RAW_INSN(-1, 0, 0, 0, 0),
1060 .errstr = "unknown opcode ff",
1066 BPF_RAW_INSN(-1, -1, -1, -1, -1),
1069 .errstr = "unknown opcode ff",
1075 BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
1078 .errstr = "BPF_ALU uses reserved fields",
1082 "misaligned read from stack",
1084 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1085 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
1088 .errstr = "misaligned stack access",
1092 "invalid map_fd for function call",
1094 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1095 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
1096 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1097 BPF_LD_MAP_FD(BPF_REG_1, 0),
1098 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1099 BPF_FUNC_map_delete_elem),
1102 .errstr = "fd 0 is not pointing to valid bpf_map",
1106 "don't check return value before access",
1108 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1109 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1110 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1111 BPF_LD_MAP_FD(BPF_REG_1, 0),
1112 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1113 BPF_FUNC_map_lookup_elem),
1114 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1117 .fixup_map_hash_8b = { 3 },
1118 .errstr = "R0 invalid mem access 'map_value_or_null'",
1122 "access memory with incorrect alignment",
1124 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1125 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1126 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1127 BPF_LD_MAP_FD(BPF_REG_1, 0),
1128 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1129 BPF_FUNC_map_lookup_elem),
1130 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1131 BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
1134 .fixup_map_hash_8b = { 3 },
1135 .errstr = "misaligned value access",
1137 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1140 "sometimes access memory with incorrect alignment",
1142 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1143 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1144 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1145 BPF_LD_MAP_FD(BPF_REG_1, 0),
1146 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1147 BPF_FUNC_map_lookup_elem),
1148 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
1149 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1151 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
1154 .fixup_map_hash_8b = { 3 },
1155 .errstr = "R0 invalid mem access",
1156 .errstr_unpriv = "R0 leaks addr",
1158 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1163 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1164 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
1165 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
1166 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1167 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
1168 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
1169 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
1170 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
1171 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
1172 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
1173 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
1174 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
1175 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1176 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
1177 BPF_MOV64_IMM(BPF_REG_0, 0),
1180 .errstr_unpriv = "R1 pointer comparison",
1181 .result_unpriv = REJECT,
1187 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1188 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
1189 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1190 BPF_JMP_IMM(BPF_JA, 0, 0, 14),
1191 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
1192 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1193 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1194 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
1195 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1196 BPF_JMP_IMM(BPF_JA, 0, 0, 8),
1197 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
1198 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1199 BPF_JMP_IMM(BPF_JA, 0, 0, 5),
1200 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
1201 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1202 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1203 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1204 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1205 BPF_MOV64_IMM(BPF_REG_0, 0),
1208 .errstr_unpriv = "R1 pointer comparison",
1209 .result_unpriv = REJECT,
1215 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1216 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1217 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1218 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1219 BPF_JMP_IMM(BPF_JA, 0, 0, 19),
1220 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
1221 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1222 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1223 BPF_JMP_IMM(BPF_JA, 0, 0, 15),
1224 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
1225 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1226 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
1227 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1228 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
1229 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1230 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
1231 BPF_JMP_IMM(BPF_JA, 0, 0, 7),
1232 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
1233 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1234 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
1235 BPF_JMP_IMM(BPF_JA, 0, 0, 3),
1236 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
1237 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1238 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
1239 BPF_LD_MAP_FD(BPF_REG_1, 0),
1240 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1241 BPF_FUNC_map_delete_elem),
1244 .fixup_map_hash_8b = { 24 },
1245 .errstr_unpriv = "R1 pointer comparison",
1246 .result_unpriv = REJECT,
1253 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1254 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1255 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1256 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1257 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1258 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1259 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1260 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1261 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1262 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1263 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1264 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1265 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1266 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1267 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1268 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1269 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1270 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1271 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1272 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1273 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1274 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1275 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1276 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1277 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1278 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1279 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1280 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1281 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1282 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1283 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1284 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1285 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1286 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1287 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1288 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1289 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1290 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1291 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1292 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1293 BPF_MOV64_IMM(BPF_REG_0, 0),
1296 .errstr_unpriv = "R1 pointer comparison",
1297 .result_unpriv = REJECT,
1303 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1304 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1305 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1306 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1307 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1308 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1309 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1310 BPF_MOV64_IMM(BPF_REG_0, 0),
1311 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1312 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1313 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1314 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1315 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1316 BPF_MOV64_IMM(BPF_REG_0, 0),
1317 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1318 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1319 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1320 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1321 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1322 BPF_MOV64_IMM(BPF_REG_0, 0),
1323 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1324 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1325 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1326 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1327 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1328 BPF_MOV64_IMM(BPF_REG_0, 0),
1329 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1330 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1331 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1332 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1333 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1334 BPF_MOV64_IMM(BPF_REG_0, 0),
1337 .errstr_unpriv = "R1 pointer comparison",
1338 .result_unpriv = REJECT,
1342 "access skb fields ok",
1344 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1345 offsetof(struct __sk_buff, len)),
1346 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1347 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1348 offsetof(struct __sk_buff, mark)),
1349 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1350 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1351 offsetof(struct __sk_buff, pkt_type)),
1352 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1353 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1354 offsetof(struct __sk_buff, queue_mapping)),
1355 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1356 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1357 offsetof(struct __sk_buff, protocol)),
1358 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1359 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1360 offsetof(struct __sk_buff, vlan_present)),
1361 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1362 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1363 offsetof(struct __sk_buff, vlan_tci)),
1364 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1365 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1366 offsetof(struct __sk_buff, napi_id)),
1367 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1373 "access skb fields bad1",
1375 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
1378 .errstr = "invalid bpf_context access",
1382 "access skb fields bad2",
1384 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
1385 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1386 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1387 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1388 BPF_LD_MAP_FD(BPF_REG_1, 0),
1389 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1390 BPF_FUNC_map_lookup_elem),
1391 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1393 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1394 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1395 offsetof(struct __sk_buff, pkt_type)),
1398 .fixup_map_hash_8b = { 4 },
1399 .errstr = "different pointers",
1400 .errstr_unpriv = "R1 pointer comparison",
1404 "access skb fields bad3",
1406 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1407 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1408 offsetof(struct __sk_buff, pkt_type)),
1410 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1411 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1412 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1413 BPF_LD_MAP_FD(BPF_REG_1, 0),
1414 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1415 BPF_FUNC_map_lookup_elem),
1416 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1418 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1419 BPF_JMP_IMM(BPF_JA, 0, 0, -12),
1421 .fixup_map_hash_8b = { 6 },
1422 .errstr = "different pointers",
1423 .errstr_unpriv = "R1 pointer comparison",
1427 "access skb fields bad4",
1429 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
1430 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1431 offsetof(struct __sk_buff, len)),
1432 BPF_MOV64_IMM(BPF_REG_0, 0),
1434 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1435 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1436 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1437 BPF_LD_MAP_FD(BPF_REG_1, 0),
1438 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1439 BPF_FUNC_map_lookup_elem),
1440 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1442 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1443 BPF_JMP_IMM(BPF_JA, 0, 0, -13),
1445 .fixup_map_hash_8b = { 7 },
1446 .errstr = "different pointers",
1447 .errstr_unpriv = "R1 pointer comparison",
1451 "invalid access __sk_buff family",
1453 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1454 offsetof(struct __sk_buff, family)),
1457 .errstr = "invalid bpf_context access",
1461 "invalid access __sk_buff remote_ip4",
1463 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1464 offsetof(struct __sk_buff, remote_ip4)),
1467 .errstr = "invalid bpf_context access",
1471 "invalid access __sk_buff local_ip4",
1473 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1474 offsetof(struct __sk_buff, local_ip4)),
1477 .errstr = "invalid bpf_context access",
1481 "invalid access __sk_buff remote_ip6",
1483 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1484 offsetof(struct __sk_buff, remote_ip6)),
1487 .errstr = "invalid bpf_context access",
1491 "invalid access __sk_buff local_ip6",
1493 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1494 offsetof(struct __sk_buff, local_ip6)),
1497 .errstr = "invalid bpf_context access",
1501 "invalid access __sk_buff remote_port",
1503 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1504 offsetof(struct __sk_buff, remote_port)),
1507 .errstr = "invalid bpf_context access",
1511 "invalid access __sk_buff remote_port",
1513 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1514 offsetof(struct __sk_buff, local_port)),
1517 .errstr = "invalid bpf_context access",
1521 "valid access __sk_buff family",
1523 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1524 offsetof(struct __sk_buff, family)),
1528 .prog_type = BPF_PROG_TYPE_SK_SKB,
1531 "valid access __sk_buff remote_ip4",
1533 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1534 offsetof(struct __sk_buff, remote_ip4)),
1538 .prog_type = BPF_PROG_TYPE_SK_SKB,
1541 "valid access __sk_buff local_ip4",
1543 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1544 offsetof(struct __sk_buff, local_ip4)),
1548 .prog_type = BPF_PROG_TYPE_SK_SKB,
1551 "valid access __sk_buff remote_ip6",
1553 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1554 offsetof(struct __sk_buff, remote_ip6[0])),
1555 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1556 offsetof(struct __sk_buff, remote_ip6[1])),
1557 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1558 offsetof(struct __sk_buff, remote_ip6[2])),
1559 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1560 offsetof(struct __sk_buff, remote_ip6[3])),
1564 .prog_type = BPF_PROG_TYPE_SK_SKB,
1567 "valid access __sk_buff local_ip6",
1569 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1570 offsetof(struct __sk_buff, local_ip6[0])),
1571 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1572 offsetof(struct __sk_buff, local_ip6[1])),
1573 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1574 offsetof(struct __sk_buff, local_ip6[2])),
1575 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1576 offsetof(struct __sk_buff, local_ip6[3])),
1580 .prog_type = BPF_PROG_TYPE_SK_SKB,
1583 "valid access __sk_buff remote_port",
1585 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1586 offsetof(struct __sk_buff, remote_port)),
1590 .prog_type = BPF_PROG_TYPE_SK_SKB,
1593 "valid access __sk_buff remote_port",
1595 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1596 offsetof(struct __sk_buff, local_port)),
1600 .prog_type = BPF_PROG_TYPE_SK_SKB,
1603 "invalid access of tc_classid for SK_SKB",
1605 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1606 offsetof(struct __sk_buff, tc_classid)),
1610 .prog_type = BPF_PROG_TYPE_SK_SKB,
1611 .errstr = "invalid bpf_context access",
1614 "invalid access of skb->mark for SK_SKB",
1616 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1617 offsetof(struct __sk_buff, mark)),
1621 .prog_type = BPF_PROG_TYPE_SK_SKB,
1622 .errstr = "invalid bpf_context access",
1625 "check skb->mark is not writeable by SK_SKB",
1627 BPF_MOV64_IMM(BPF_REG_0, 0),
1628 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1629 offsetof(struct __sk_buff, mark)),
1633 .prog_type = BPF_PROG_TYPE_SK_SKB,
1634 .errstr = "invalid bpf_context access",
1637 "check skb->tc_index is writeable by SK_SKB",
1639 BPF_MOV64_IMM(BPF_REG_0, 0),
1640 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1641 offsetof(struct __sk_buff, tc_index)),
1645 .prog_type = BPF_PROG_TYPE_SK_SKB,
1648 "check skb->priority is writeable by SK_SKB",
1650 BPF_MOV64_IMM(BPF_REG_0, 0),
1651 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1652 offsetof(struct __sk_buff, priority)),
1656 .prog_type = BPF_PROG_TYPE_SK_SKB,
1659 "direct packet read for SK_SKB",
1661 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1662 offsetof(struct __sk_buff, data)),
1663 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1664 offsetof(struct __sk_buff, data_end)),
1665 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1666 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1667 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1668 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1669 BPF_MOV64_IMM(BPF_REG_0, 0),
1673 .prog_type = BPF_PROG_TYPE_SK_SKB,
1676 "direct packet write for SK_SKB",
1678 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1679 offsetof(struct __sk_buff, data)),
1680 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1681 offsetof(struct __sk_buff, data_end)),
1682 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1683 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1684 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1685 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1686 BPF_MOV64_IMM(BPF_REG_0, 0),
1690 .prog_type = BPF_PROG_TYPE_SK_SKB,
1693 "overlapping checks for direct packet access SK_SKB",
1695 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1696 offsetof(struct __sk_buff, data)),
1697 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1698 offsetof(struct __sk_buff, data_end)),
1699 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1700 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1701 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1702 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1703 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1704 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1705 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1706 BPF_MOV64_IMM(BPF_REG_0, 0),
1710 .prog_type = BPF_PROG_TYPE_SK_SKB,
1713 "valid access family in SK_MSG",
1715 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1716 offsetof(struct sk_msg_md, family)),
1720 .prog_type = BPF_PROG_TYPE_SK_MSG,
1723 "valid access remote_ip4 in SK_MSG",
1725 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1726 offsetof(struct sk_msg_md, remote_ip4)),
1730 .prog_type = BPF_PROG_TYPE_SK_MSG,
1733 "valid access local_ip4 in SK_MSG",
1735 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1736 offsetof(struct sk_msg_md, local_ip4)),
1740 .prog_type = BPF_PROG_TYPE_SK_MSG,
1743 "valid access remote_port in SK_MSG",
1745 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1746 offsetof(struct sk_msg_md, remote_port)),
1750 .prog_type = BPF_PROG_TYPE_SK_MSG,
1753 "valid access local_port in SK_MSG",
1755 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1756 offsetof(struct sk_msg_md, local_port)),
1760 .prog_type = BPF_PROG_TYPE_SK_MSG,
1763 "valid access remote_ip6 in SK_MSG",
1765 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1766 offsetof(struct sk_msg_md, remote_ip6[0])),
1767 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1768 offsetof(struct sk_msg_md, remote_ip6[1])),
1769 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1770 offsetof(struct sk_msg_md, remote_ip6[2])),
1771 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1772 offsetof(struct sk_msg_md, remote_ip6[3])),
1776 .prog_type = BPF_PROG_TYPE_SK_SKB,
1779 "valid access local_ip6 in SK_MSG",
1781 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1782 offsetof(struct sk_msg_md, local_ip6[0])),
1783 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1784 offsetof(struct sk_msg_md, local_ip6[1])),
1785 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1786 offsetof(struct sk_msg_md, local_ip6[2])),
1787 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1788 offsetof(struct sk_msg_md, local_ip6[3])),
1792 .prog_type = BPF_PROG_TYPE_SK_SKB,
1795 "invalid 64B read of family in SK_MSG",
1797 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1798 offsetof(struct sk_msg_md, family)),
1801 .errstr = "invalid bpf_context access",
1803 .prog_type = BPF_PROG_TYPE_SK_MSG,
1806 "invalid read past end of SK_MSG",
1808 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1809 offsetof(struct sk_msg_md, local_port) + 4),
1812 .errstr = "R0 !read_ok",
1814 .prog_type = BPF_PROG_TYPE_SK_MSG,
1817 "invalid read offset in SK_MSG",
1819 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1820 offsetof(struct sk_msg_md, family) + 1),
1823 .errstr = "invalid bpf_context access",
1825 .prog_type = BPF_PROG_TYPE_SK_MSG,
1828 "direct packet read for SK_MSG",
1830 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1831 offsetof(struct sk_msg_md, data)),
1832 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1833 offsetof(struct sk_msg_md, data_end)),
1834 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1835 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1836 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1837 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1838 BPF_MOV64_IMM(BPF_REG_0, 0),
1842 .prog_type = BPF_PROG_TYPE_SK_MSG,
1845 "direct packet write for SK_MSG",
1847 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1848 offsetof(struct sk_msg_md, data)),
1849 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1850 offsetof(struct sk_msg_md, data_end)),
1851 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1852 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1853 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1854 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1855 BPF_MOV64_IMM(BPF_REG_0, 0),
1859 .prog_type = BPF_PROG_TYPE_SK_MSG,
1862 "overlapping checks for direct packet access SK_MSG",
1864 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1865 offsetof(struct sk_msg_md, data)),
1866 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1867 offsetof(struct sk_msg_md, data_end)),
1868 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1869 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1870 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1871 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1872 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1873 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1874 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1875 BPF_MOV64_IMM(BPF_REG_0, 0),
1879 .prog_type = BPF_PROG_TYPE_SK_MSG,
1882 "check skb->mark is not writeable by sockets",
1884 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1885 offsetof(struct __sk_buff, mark)),
1888 .errstr = "invalid bpf_context access",
1889 .errstr_unpriv = "R1 leaks addr",
1893 "check skb->tc_index is not writeable by sockets",
1895 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1896 offsetof(struct __sk_buff, tc_index)),
1899 .errstr = "invalid bpf_context access",
1900 .errstr_unpriv = "R1 leaks addr",
1904 "check cb access: byte",
1906 BPF_MOV64_IMM(BPF_REG_0, 0),
1907 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1908 offsetof(struct __sk_buff, cb[0])),
1909 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1910 offsetof(struct __sk_buff, cb[0]) + 1),
1911 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1912 offsetof(struct __sk_buff, cb[0]) + 2),
1913 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1914 offsetof(struct __sk_buff, cb[0]) + 3),
1915 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1916 offsetof(struct __sk_buff, cb[1])),
1917 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1918 offsetof(struct __sk_buff, cb[1]) + 1),
1919 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1920 offsetof(struct __sk_buff, cb[1]) + 2),
1921 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1922 offsetof(struct __sk_buff, cb[1]) + 3),
1923 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1924 offsetof(struct __sk_buff, cb[2])),
1925 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1926 offsetof(struct __sk_buff, cb[2]) + 1),
1927 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1928 offsetof(struct __sk_buff, cb[2]) + 2),
1929 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1930 offsetof(struct __sk_buff, cb[2]) + 3),
1931 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1932 offsetof(struct __sk_buff, cb[3])),
1933 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1934 offsetof(struct __sk_buff, cb[3]) + 1),
1935 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1936 offsetof(struct __sk_buff, cb[3]) + 2),
1937 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1938 offsetof(struct __sk_buff, cb[3]) + 3),
1939 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1940 offsetof(struct __sk_buff, cb[4])),
1941 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1942 offsetof(struct __sk_buff, cb[4]) + 1),
1943 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1944 offsetof(struct __sk_buff, cb[4]) + 2),
1945 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1946 offsetof(struct __sk_buff, cb[4]) + 3),
1947 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1948 offsetof(struct __sk_buff, cb[0])),
1949 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1950 offsetof(struct __sk_buff, cb[0]) + 1),
1951 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1952 offsetof(struct __sk_buff, cb[0]) + 2),
1953 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1954 offsetof(struct __sk_buff, cb[0]) + 3),
1955 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1956 offsetof(struct __sk_buff, cb[1])),
1957 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1958 offsetof(struct __sk_buff, cb[1]) + 1),
1959 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1960 offsetof(struct __sk_buff, cb[1]) + 2),
1961 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1962 offsetof(struct __sk_buff, cb[1]) + 3),
1963 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1964 offsetof(struct __sk_buff, cb[2])),
1965 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1966 offsetof(struct __sk_buff, cb[2]) + 1),
1967 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1968 offsetof(struct __sk_buff, cb[2]) + 2),
1969 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1970 offsetof(struct __sk_buff, cb[2]) + 3),
1971 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1972 offsetof(struct __sk_buff, cb[3])),
1973 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1974 offsetof(struct __sk_buff, cb[3]) + 1),
1975 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1976 offsetof(struct __sk_buff, cb[3]) + 2),
1977 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1978 offsetof(struct __sk_buff, cb[3]) + 3),
1979 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1980 offsetof(struct __sk_buff, cb[4])),
1981 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1982 offsetof(struct __sk_buff, cb[4]) + 1),
1983 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1984 offsetof(struct __sk_buff, cb[4]) + 2),
1985 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1986 offsetof(struct __sk_buff, cb[4]) + 3),
1992 "__sk_buff->hash, offset 0, byte store not permitted",
1994 BPF_MOV64_IMM(BPF_REG_0, 0),
1995 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1996 offsetof(struct __sk_buff, hash)),
1999 .errstr = "invalid bpf_context access",
2003 "__sk_buff->tc_index, offset 3, byte store not permitted",
2005 BPF_MOV64_IMM(BPF_REG_0, 0),
2006 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2007 offsetof(struct __sk_buff, tc_index) + 3),
2010 .errstr = "invalid bpf_context access",
2014 "check skb->hash byte load permitted",
2016 BPF_MOV64_IMM(BPF_REG_0, 0),
2017 #if __BYTE_ORDER == __LITTLE_ENDIAN
2018 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2019 offsetof(struct __sk_buff, hash)),
2021 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2022 offsetof(struct __sk_buff, hash) + 3),
2029 "check skb->hash byte load not permitted 1",
2031 BPF_MOV64_IMM(BPF_REG_0, 0),
2032 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2033 offsetof(struct __sk_buff, hash) + 1),
2036 .errstr = "invalid bpf_context access",
2040 "check skb->hash byte load not permitted 2",
2042 BPF_MOV64_IMM(BPF_REG_0, 0),
2043 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2044 offsetof(struct __sk_buff, hash) + 2),
2047 .errstr = "invalid bpf_context access",
2051 "check skb->hash byte load not permitted 3",
2053 BPF_MOV64_IMM(BPF_REG_0, 0),
2054 #if __BYTE_ORDER == __LITTLE_ENDIAN
2055 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2056 offsetof(struct __sk_buff, hash) + 3),
2058 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2059 offsetof(struct __sk_buff, hash)),
2063 .errstr = "invalid bpf_context access",
2067 "check cb access: byte, wrong type",
2069 BPF_MOV64_IMM(BPF_REG_0, 0),
2070 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2071 offsetof(struct __sk_buff, cb[0])),
2074 .errstr = "invalid bpf_context access",
2076 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2079 "check cb access: half",
2081 BPF_MOV64_IMM(BPF_REG_0, 0),
2082 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2083 offsetof(struct __sk_buff, cb[0])),
2084 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2085 offsetof(struct __sk_buff, cb[0]) + 2),
2086 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2087 offsetof(struct __sk_buff, cb[1])),
2088 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2089 offsetof(struct __sk_buff, cb[1]) + 2),
2090 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2091 offsetof(struct __sk_buff, cb[2])),
2092 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2093 offsetof(struct __sk_buff, cb[2]) + 2),
2094 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2095 offsetof(struct __sk_buff, cb[3])),
2096 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2097 offsetof(struct __sk_buff, cb[3]) + 2),
2098 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2099 offsetof(struct __sk_buff, cb[4])),
2100 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2101 offsetof(struct __sk_buff, cb[4]) + 2),
2102 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2103 offsetof(struct __sk_buff, cb[0])),
2104 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2105 offsetof(struct __sk_buff, cb[0]) + 2),
2106 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2107 offsetof(struct __sk_buff, cb[1])),
2108 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2109 offsetof(struct __sk_buff, cb[1]) + 2),
2110 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2111 offsetof(struct __sk_buff, cb[2])),
2112 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2113 offsetof(struct __sk_buff, cb[2]) + 2),
2114 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2115 offsetof(struct __sk_buff, cb[3])),
2116 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2117 offsetof(struct __sk_buff, cb[3]) + 2),
2118 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2119 offsetof(struct __sk_buff, cb[4])),
2120 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2121 offsetof(struct __sk_buff, cb[4]) + 2),
2127 "check cb access: half, unaligned",
2129 BPF_MOV64_IMM(BPF_REG_0, 0),
2130 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2131 offsetof(struct __sk_buff, cb[0]) + 1),
2134 .errstr = "misaligned context access",
2136 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2139 "check __sk_buff->hash, offset 0, half store not permitted",
2141 BPF_MOV64_IMM(BPF_REG_0, 0),
2142 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2143 offsetof(struct __sk_buff, hash)),
2146 .errstr = "invalid bpf_context access",
2150 "check __sk_buff->tc_index, offset 2, half store not permitted",
2152 BPF_MOV64_IMM(BPF_REG_0, 0),
2153 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2154 offsetof(struct __sk_buff, tc_index) + 2),
2157 .errstr = "invalid bpf_context access",
2161 "check skb->hash half load permitted",
2163 BPF_MOV64_IMM(BPF_REG_0, 0),
2164 #if __BYTE_ORDER == __LITTLE_ENDIAN
2165 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2166 offsetof(struct __sk_buff, hash)),
2168 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2169 offsetof(struct __sk_buff, hash) + 2),
2176 "check skb->hash half load not permitted",
2178 BPF_MOV64_IMM(BPF_REG_0, 0),
2179 #if __BYTE_ORDER == __LITTLE_ENDIAN
2180 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2181 offsetof(struct __sk_buff, hash) + 2),
2183 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2184 offsetof(struct __sk_buff, hash)),
2188 .errstr = "invalid bpf_context access",
2192 "check cb access: half, wrong type",
2194 BPF_MOV64_IMM(BPF_REG_0, 0),
2195 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2196 offsetof(struct __sk_buff, cb[0])),
2199 .errstr = "invalid bpf_context access",
2201 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2204 "check cb access: word",
2206 BPF_MOV64_IMM(BPF_REG_0, 0),
2207 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2208 offsetof(struct __sk_buff, cb[0])),
2209 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2210 offsetof(struct __sk_buff, cb[1])),
2211 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2212 offsetof(struct __sk_buff, cb[2])),
2213 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2214 offsetof(struct __sk_buff, cb[3])),
2215 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2216 offsetof(struct __sk_buff, cb[4])),
2217 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2218 offsetof(struct __sk_buff, cb[0])),
2219 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2220 offsetof(struct __sk_buff, cb[1])),
2221 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2222 offsetof(struct __sk_buff, cb[2])),
2223 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2224 offsetof(struct __sk_buff, cb[3])),
2225 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2226 offsetof(struct __sk_buff, cb[4])),
2232 "check cb access: word, unaligned 1",
2234 BPF_MOV64_IMM(BPF_REG_0, 0),
2235 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2236 offsetof(struct __sk_buff, cb[0]) + 2),
2239 .errstr = "misaligned context access",
2241 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2244 "check cb access: word, unaligned 2",
2246 BPF_MOV64_IMM(BPF_REG_0, 0),
2247 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2248 offsetof(struct __sk_buff, cb[4]) + 1),
2251 .errstr = "misaligned context access",
2253 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2256 "check cb access: word, unaligned 3",
2258 BPF_MOV64_IMM(BPF_REG_0, 0),
2259 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2260 offsetof(struct __sk_buff, cb[4]) + 2),
2263 .errstr = "misaligned context access",
2265 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2268 "check cb access: word, unaligned 4",
2270 BPF_MOV64_IMM(BPF_REG_0, 0),
2271 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2272 offsetof(struct __sk_buff, cb[4]) + 3),
2275 .errstr = "misaligned context access",
2277 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2280 "check cb access: double",
2282 BPF_MOV64_IMM(BPF_REG_0, 0),
2283 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2284 offsetof(struct __sk_buff, cb[0])),
2285 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2286 offsetof(struct __sk_buff, cb[2])),
2287 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2288 offsetof(struct __sk_buff, cb[0])),
2289 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2290 offsetof(struct __sk_buff, cb[2])),
2296 "check cb access: double, unaligned 1",
2298 BPF_MOV64_IMM(BPF_REG_0, 0),
2299 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2300 offsetof(struct __sk_buff, cb[1])),
2303 .errstr = "misaligned context access",
2305 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2308 "check cb access: double, unaligned 2",
2310 BPF_MOV64_IMM(BPF_REG_0, 0),
2311 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2312 offsetof(struct __sk_buff, cb[3])),
2315 .errstr = "misaligned context access",
2317 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2320 "check cb access: double, oob 1",
2322 BPF_MOV64_IMM(BPF_REG_0, 0),
2323 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2324 offsetof(struct __sk_buff, cb[4])),
2327 .errstr = "invalid bpf_context access",
2331 "check cb access: double, oob 2",
2333 BPF_MOV64_IMM(BPF_REG_0, 0),
2334 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2335 offsetof(struct __sk_buff, cb[4])),
2338 .errstr = "invalid bpf_context access",
2342 "check __sk_buff->ifindex dw store not permitted",
2344 BPF_MOV64_IMM(BPF_REG_0, 0),
2345 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2346 offsetof(struct __sk_buff, ifindex)),
2349 .errstr = "invalid bpf_context access",
2353 "check __sk_buff->ifindex dw load not permitted",
2355 BPF_MOV64_IMM(BPF_REG_0, 0),
2356 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2357 offsetof(struct __sk_buff, ifindex)),
2360 .errstr = "invalid bpf_context access",
2364 "check cb access: double, wrong type",
2366 BPF_MOV64_IMM(BPF_REG_0, 0),
2367 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2368 offsetof(struct __sk_buff, cb[0])),
2371 .errstr = "invalid bpf_context access",
2373 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2376 "check out of range skb->cb access",
2378 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2379 offsetof(struct __sk_buff, cb[0]) + 256),
2382 .errstr = "invalid bpf_context access",
2383 .errstr_unpriv = "",
2385 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
2388 "write skb fields from socket prog",
2390 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2391 offsetof(struct __sk_buff, cb[4])),
2392 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2393 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2394 offsetof(struct __sk_buff, mark)),
2395 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2396 offsetof(struct __sk_buff, tc_index)),
2397 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2398 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2399 offsetof(struct __sk_buff, cb[0])),
2400 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2401 offsetof(struct __sk_buff, cb[2])),
2405 .errstr_unpriv = "R1 leaks addr",
2406 .result_unpriv = REJECT,
2409 "write skb fields from tc_cls_act prog",
2411 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2412 offsetof(struct __sk_buff, cb[0])),
2413 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2414 offsetof(struct __sk_buff, mark)),
2415 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2416 offsetof(struct __sk_buff, tc_index)),
2417 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2418 offsetof(struct __sk_buff, tc_index)),
2419 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2420 offsetof(struct __sk_buff, cb[3])),
2423 .errstr_unpriv = "",
2424 .result_unpriv = REJECT,
2426 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2429 "PTR_TO_STACK store/load",
2431 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2432 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2433 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2434 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2438 .retval = 0xfaceb00c,
2441 "PTR_TO_STACK store/load - bad alignment on off",
2443 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2444 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2445 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2446 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2450 .errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
2453 "PTR_TO_STACK store/load - bad alignment on reg",
2455 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2456 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2457 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2458 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2462 .errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
2465 "PTR_TO_STACK store/load - out of bounds low",
2467 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2468 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
2469 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2470 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2474 .errstr = "invalid stack off=-79992 size=8",
2477 "PTR_TO_STACK store/load - out of bounds high",
2479 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2480 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2481 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2482 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2486 .errstr = "invalid stack off=0 size=8",
2489 "unpriv: return pointer",
2491 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
2495 .result_unpriv = REJECT,
2496 .errstr_unpriv = "R0 leaks addr",
2497 .retval = POINTER_VALUE,
2500 "unpriv: add const to pointer",
2502 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2503 BPF_MOV64_IMM(BPF_REG_0, 0),
2509 "unpriv: add pointer to pointer",
2511 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2512 BPF_MOV64_IMM(BPF_REG_0, 0),
2516 .errstr = "R1 pointer += pointer",
2519 "unpriv: neg pointer",
2521 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
2522 BPF_MOV64_IMM(BPF_REG_0, 0),
2526 .result_unpriv = REJECT,
2527 .errstr_unpriv = "R1 pointer arithmetic",
2530 "unpriv: cmp pointer with const",
2532 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2533 BPF_MOV64_IMM(BPF_REG_0, 0),
2537 .result_unpriv = REJECT,
2538 .errstr_unpriv = "R1 pointer comparison",
2541 "unpriv: cmp pointer with pointer",
2543 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
2544 BPF_MOV64_IMM(BPF_REG_0, 0),
2548 .result_unpriv = REJECT,
2549 .errstr_unpriv = "R10 pointer comparison",
2552 "unpriv: check that printk is disallowed",
2554 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2555 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2556 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2557 BPF_MOV64_IMM(BPF_REG_2, 8),
2558 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2559 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2560 BPF_FUNC_trace_printk),
2561 BPF_MOV64_IMM(BPF_REG_0, 0),
2564 .errstr_unpriv = "unknown func bpf_trace_printk#6",
2565 .result_unpriv = REJECT,
2569 "unpriv: pass pointer to helper function",
2571 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2572 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2573 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2574 BPF_LD_MAP_FD(BPF_REG_1, 0),
2575 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2576 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2577 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2578 BPF_FUNC_map_update_elem),
2579 BPF_MOV64_IMM(BPF_REG_0, 0),
2582 .fixup_map_hash_8b = { 3 },
2583 .errstr_unpriv = "R4 leaks addr",
2584 .result_unpriv = REJECT,
2588 "unpriv: indirectly pass pointer on stack to helper function",
2590 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2591 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2592 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2593 BPF_LD_MAP_FD(BPF_REG_1, 0),
2594 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2595 BPF_FUNC_map_lookup_elem),
2596 BPF_MOV64_IMM(BPF_REG_0, 0),
2599 .fixup_map_hash_8b = { 3 },
2600 .errstr = "invalid indirect read from stack off -8+0 size 8",
2604 "unpriv: mangle pointer on stack 1",
2606 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2607 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
2608 BPF_MOV64_IMM(BPF_REG_0, 0),
2611 .errstr_unpriv = "attempt to corrupt spilled",
2612 .result_unpriv = REJECT,
2616 "unpriv: mangle pointer on stack 2",
2618 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2619 BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
2620 BPF_MOV64_IMM(BPF_REG_0, 0),
2623 .errstr_unpriv = "attempt to corrupt spilled",
2624 .result_unpriv = REJECT,
2628 "unpriv: read pointer from stack in small chunks",
2630 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2631 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
2632 BPF_MOV64_IMM(BPF_REG_0, 0),
2635 .errstr = "invalid size",
2639 "unpriv: write pointer into ctx",
2641 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
2642 BPF_MOV64_IMM(BPF_REG_0, 0),
2645 .errstr_unpriv = "R1 leaks addr",
2646 .result_unpriv = REJECT,
2647 .errstr = "invalid bpf_context access",
2651 "unpriv: spill/fill of ctx",
2653 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2654 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2655 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2656 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2657 BPF_MOV64_IMM(BPF_REG_0, 0),
2663 "unpriv: spill/fill of ctx 2",
2665 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2666 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2667 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2668 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2669 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2670 BPF_FUNC_get_hash_recalc),
2671 BPF_MOV64_IMM(BPF_REG_0, 0),
2675 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2678 "unpriv: spill/fill of ctx 3",
2680 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2681 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2682 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2683 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2684 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2685 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2686 BPF_FUNC_get_hash_recalc),
2690 .errstr = "R1 type=fp expected=ctx",
2691 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2694 "unpriv: spill/fill of ctx 4",
2696 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2697 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2698 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2699 BPF_MOV64_IMM(BPF_REG_0, 1),
2700 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
2702 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2703 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2704 BPF_FUNC_get_hash_recalc),
2708 .errstr = "R1 type=inv expected=ctx",
2709 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2712 "unpriv: spill/fill of different pointers stx",
2714 BPF_MOV64_IMM(BPF_REG_3, 42),
2715 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2716 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2717 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2718 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2719 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
2720 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2721 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2722 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2723 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2724 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2725 offsetof(struct __sk_buff, mark)),
2726 BPF_MOV64_IMM(BPF_REG_0, 0),
2730 .errstr = "same insn cannot be used with different pointers",
2731 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2734 "unpriv: spill/fill of different pointers stx - ctx and sock",
2736 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2737 /* struct bpf_sock *sock = bpf_sock_lookup(...); */
2739 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2741 /* void *target = &foo; */
2742 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2743 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2744 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2745 /* if (skb == NULL) *target = sock; */
2746 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2747 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2748 /* else *target = skb; */
2749 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2750 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2751 /* struct __sk_buff *skb = *target; */
2752 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2753 /* skb->mark = 42; */
2754 BPF_MOV64_IMM(BPF_REG_3, 42),
2755 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2756 offsetof(struct __sk_buff, mark)),
2757 /* if (sk) bpf_sk_release(sk) */
2758 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2759 BPF_EMIT_CALL(BPF_FUNC_sk_release),
2760 BPF_MOV64_IMM(BPF_REG_0, 0),
2764 .errstr = "type=ctx expected=sock",
2765 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2768 "unpriv: spill/fill of different pointers stx - leak sock",
2770 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2771 /* struct bpf_sock *sock = bpf_sock_lookup(...); */
2773 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2775 /* void *target = &foo; */
2776 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2777 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2778 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2779 /* if (skb == NULL) *target = sock; */
2780 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2781 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2782 /* else *target = skb; */
2783 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2784 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2785 /* struct __sk_buff *skb = *target; */
2786 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2787 /* skb->mark = 42; */
2788 BPF_MOV64_IMM(BPF_REG_3, 42),
2789 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2790 offsetof(struct __sk_buff, mark)),
2794 //.errstr = "same insn cannot be used with different pointers",
2795 .errstr = "Unreleased reference",
2796 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2799 "unpriv: spill/fill of different pointers stx - sock and ctx (read)",
2801 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2802 /* struct bpf_sock *sock = bpf_sock_lookup(...); */
2804 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2806 /* void *target = &foo; */
2807 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2808 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2809 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2810 /* if (skb) *target = skb */
2811 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2812 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2813 /* else *target = sock */
2814 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2815 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2816 /* struct bpf_sock *sk = *target; */
2817 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2818 /* if (sk) u32 foo = sk->mark; bpf_sk_release(sk); */
2819 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
2820 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2821 offsetof(struct bpf_sock, mark)),
2822 BPF_EMIT_CALL(BPF_FUNC_sk_release),
2823 BPF_MOV64_IMM(BPF_REG_0, 0),
2827 .errstr = "same insn cannot be used with different pointers",
2828 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2831 "unpriv: spill/fill of different pointers stx - sock and ctx (write)",
2833 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2834 /* struct bpf_sock *sock = bpf_sock_lookup(...); */
2836 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2838 /* void *target = &foo; */
2839 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2840 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2841 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2842 /* if (skb) *target = skb */
2843 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2844 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2845 /* else *target = sock */
2846 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2847 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2848 /* struct bpf_sock *sk = *target; */
2849 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2850 /* if (sk) sk->mark = 42; bpf_sk_release(sk); */
2851 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2852 BPF_MOV64_IMM(BPF_REG_3, 42),
2853 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2854 offsetof(struct bpf_sock, mark)),
2855 BPF_EMIT_CALL(BPF_FUNC_sk_release),
2856 BPF_MOV64_IMM(BPF_REG_0, 0),
2860 //.errstr = "same insn cannot be used with different pointers",
2861 .errstr = "cannot write into socket",
2862 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2865 "unpriv: spill/fill of different pointers ldx",
2867 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2868 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2869 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2870 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2871 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
2872 -(__s32)offsetof(struct bpf_perf_event_data,
2873 sample_period) - 8),
2874 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2875 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2876 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2877 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2878 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
2879 offsetof(struct bpf_perf_event_data,
2881 BPF_MOV64_IMM(BPF_REG_0, 0),
2885 .errstr = "same insn cannot be used with different pointers",
2886 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
2889 "unpriv: write pointer into map elem value",
2891 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2892 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2893 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2894 BPF_LD_MAP_FD(BPF_REG_1, 0),
2895 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2896 BPF_FUNC_map_lookup_elem),
2897 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2898 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
2901 .fixup_map_hash_8b = { 3 },
2902 .errstr_unpriv = "R0 leaks addr",
2903 .result_unpriv = REJECT,
2907 "unpriv: partial copy of pointer",
2909 BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
2910 BPF_MOV64_IMM(BPF_REG_0, 0),
2913 .errstr_unpriv = "R10 partial copy",
2914 .result_unpriv = REJECT,
2918 "unpriv: pass pointer to tail_call",
2920 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2921 BPF_LD_MAP_FD(BPF_REG_2, 0),
2922 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2923 BPF_FUNC_tail_call),
2924 BPF_MOV64_IMM(BPF_REG_0, 0),
2927 .fixup_prog1 = { 1 },
2928 .errstr_unpriv = "R3 leaks addr into helper",
2929 .result_unpriv = REJECT,
2933 "unpriv: cmp map pointer with zero",
2935 BPF_MOV64_IMM(BPF_REG_1, 0),
2936 BPF_LD_MAP_FD(BPF_REG_1, 0),
2937 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2938 BPF_MOV64_IMM(BPF_REG_0, 0),
2941 .fixup_map_hash_8b = { 1 },
2942 .errstr_unpriv = "R1 pointer comparison",
2943 .result_unpriv = REJECT,
2947 "unpriv: write into frame pointer",
2949 BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
2950 BPF_MOV64_IMM(BPF_REG_0, 0),
2953 .errstr = "frame pointer is read only",
2957 "unpriv: spill/fill frame pointer",
2959 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2960 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2961 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2962 BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
2963 BPF_MOV64_IMM(BPF_REG_0, 0),
2966 .errstr = "frame pointer is read only",
2970 "unpriv: cmp of frame pointer",
2972 BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
2973 BPF_MOV64_IMM(BPF_REG_0, 0),
2976 .errstr_unpriv = "R10 pointer comparison",
2977 .result_unpriv = REJECT,
2981 "unpriv: adding of fp",
2983 BPF_MOV64_IMM(BPF_REG_0, 0),
2984 BPF_MOV64_IMM(BPF_REG_1, 0),
2985 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2986 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
2992 "unpriv: cmp of stack pointer",
2994 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2995 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2996 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
2997 BPF_MOV64_IMM(BPF_REG_0, 0),
3000 .errstr_unpriv = "R2 pointer comparison",
3001 .result_unpriv = REJECT,
3005 "runtime/jit: tail_call within bounds, prog once",
3007 BPF_MOV64_IMM(BPF_REG_3, 0),
3008 BPF_LD_MAP_FD(BPF_REG_2, 0),
3009 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3010 BPF_FUNC_tail_call),
3011 BPF_MOV64_IMM(BPF_REG_0, 1),
3014 .fixup_prog1 = { 1 },
3019 "runtime/jit: tail_call within bounds, prog loop",
3021 BPF_MOV64_IMM(BPF_REG_3, 1),
3022 BPF_LD_MAP_FD(BPF_REG_2, 0),
3023 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3024 BPF_FUNC_tail_call),
3025 BPF_MOV64_IMM(BPF_REG_0, 1),
3028 .fixup_prog1 = { 1 },
3033 "runtime/jit: tail_call within bounds, no prog",
3035 BPF_MOV64_IMM(BPF_REG_3, 2),
3036 BPF_LD_MAP_FD(BPF_REG_2, 0),
3037 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3038 BPF_FUNC_tail_call),
3039 BPF_MOV64_IMM(BPF_REG_0, 1),
3042 .fixup_prog1 = { 1 },
3047 "runtime/jit: tail_call out of bounds",
3049 BPF_MOV64_IMM(BPF_REG_3, 256),
3050 BPF_LD_MAP_FD(BPF_REG_2, 0),
3051 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3052 BPF_FUNC_tail_call),
3053 BPF_MOV64_IMM(BPF_REG_0, 2),
3056 .fixup_prog1 = { 1 },
3061 "runtime/jit: pass negative index to tail_call",
3063 BPF_MOV64_IMM(BPF_REG_3, -1),
3064 BPF_LD_MAP_FD(BPF_REG_2, 0),
3065 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3066 BPF_FUNC_tail_call),
3067 BPF_MOV64_IMM(BPF_REG_0, 2),
3070 .fixup_prog1 = { 1 },
3075 "runtime/jit: pass > 32bit index to tail_call",
3077 BPF_LD_IMM64(BPF_REG_3, 0x100000000ULL),
3078 BPF_LD_MAP_FD(BPF_REG_2, 0),
3079 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3080 BPF_FUNC_tail_call),
3081 BPF_MOV64_IMM(BPF_REG_0, 2),
3084 .fixup_prog1 = { 2 },
3087 /* Verifier rewrite for unpriv skips tail call here. */
3091 "stack pointer arithmetic",
3093 BPF_MOV64_IMM(BPF_REG_1, 4),
3094 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
3095 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
3096 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
3097 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
3098 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3099 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
3100 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
3101 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3102 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3103 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
3104 BPF_MOV64_IMM(BPF_REG_0, 0),
3110 "raw_stack: no skb_load_bytes",
3112 BPF_MOV64_IMM(BPF_REG_2, 4),
3113 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3114 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3115 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3116 BPF_MOV64_IMM(BPF_REG_4, 8),
3117 /* Call to skb_load_bytes() omitted. */
3118 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3122 .errstr = "invalid read from stack off -8+0 size 8",
3123 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3126 "raw_stack: skb_load_bytes, negative len",
3128 BPF_MOV64_IMM(BPF_REG_2, 4),
3129 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3130 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3131 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3132 BPF_MOV64_IMM(BPF_REG_4, -8),
3133 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3134 BPF_FUNC_skb_load_bytes),
3135 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3139 .errstr = "R4 min value is negative",
3140 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3143 "raw_stack: skb_load_bytes, negative len 2",
3145 BPF_MOV64_IMM(BPF_REG_2, 4),
3146 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3147 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3148 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3149 BPF_MOV64_IMM(BPF_REG_4, ~0),
3150 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3151 BPF_FUNC_skb_load_bytes),
3152 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3156 .errstr = "R4 min value is negative",
3157 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3160 "raw_stack: skb_load_bytes, zero len",
3162 BPF_MOV64_IMM(BPF_REG_2, 4),
3163 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3164 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3165 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3166 BPF_MOV64_IMM(BPF_REG_4, 0),
3167 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3168 BPF_FUNC_skb_load_bytes),
3169 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3173 .errstr = "invalid stack type R3",
3174 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3177 "raw_stack: skb_load_bytes, no init",
3179 BPF_MOV64_IMM(BPF_REG_2, 4),
3180 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3181 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3182 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3183 BPF_MOV64_IMM(BPF_REG_4, 8),
3184 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3185 BPF_FUNC_skb_load_bytes),
3186 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3190 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3193 "raw_stack: skb_load_bytes, init",
3195 BPF_MOV64_IMM(BPF_REG_2, 4),
3196 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3197 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3198 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
3199 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3200 BPF_MOV64_IMM(BPF_REG_4, 8),
3201 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3202 BPF_FUNC_skb_load_bytes),
3203 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3207 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3210 "raw_stack: skb_load_bytes, spilled regs around bounds",
3212 BPF_MOV64_IMM(BPF_REG_2, 4),
3213 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3214 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3215 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3216 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3217 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3218 BPF_MOV64_IMM(BPF_REG_4, 8),
3219 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3220 BPF_FUNC_skb_load_bytes),
3221 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3222 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3223 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3224 offsetof(struct __sk_buff, mark)),
3225 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3226 offsetof(struct __sk_buff, priority)),
3227 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3231 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3234 "raw_stack: skb_load_bytes, spilled regs corruption",
3236 BPF_MOV64_IMM(BPF_REG_2, 4),
3237 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3238 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3239 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3240 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3241 BPF_MOV64_IMM(BPF_REG_4, 8),
3242 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3243 BPF_FUNC_skb_load_bytes),
3244 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3245 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3246 offsetof(struct __sk_buff, mark)),
3250 .errstr = "R0 invalid mem access 'inv'",
3251 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3254 "raw_stack: skb_load_bytes, spilled regs corruption 2",
3256 BPF_MOV64_IMM(BPF_REG_2, 4),
3257 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3258 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3259 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3260 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3261 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3262 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3263 BPF_MOV64_IMM(BPF_REG_4, 8),
3264 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3265 BPF_FUNC_skb_load_bytes),
3266 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3267 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3268 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
3269 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3270 offsetof(struct __sk_buff, mark)),
3271 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3272 offsetof(struct __sk_buff, priority)),
3273 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3274 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
3275 offsetof(struct __sk_buff, pkt_type)),
3276 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3280 .errstr = "R3 invalid mem access 'inv'",
3281 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3284 "raw_stack: skb_load_bytes, spilled regs + data",
3286 BPF_MOV64_IMM(BPF_REG_2, 4),
3287 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3288 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3289 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3290 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3291 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3292 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3293 BPF_MOV64_IMM(BPF_REG_4, 8),
3294 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3295 BPF_FUNC_skb_load_bytes),
3296 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3297 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3298 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
3299 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3300 offsetof(struct __sk_buff, mark)),
3301 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3302 offsetof(struct __sk_buff, priority)),
3303 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3304 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3308 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3311 "raw_stack: skb_load_bytes, invalid access 1",
3313 BPF_MOV64_IMM(BPF_REG_2, 4),
3314 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3315 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
3316 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3317 BPF_MOV64_IMM(BPF_REG_4, 8),
3318 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3319 BPF_FUNC_skb_load_bytes),
3320 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3324 .errstr = "invalid stack type R3 off=-513 access_size=8",
3325 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3328 "raw_stack: skb_load_bytes, invalid access 2",
3330 BPF_MOV64_IMM(BPF_REG_2, 4),
3331 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3332 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3333 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3334 BPF_MOV64_IMM(BPF_REG_4, 8),
3335 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3336 BPF_FUNC_skb_load_bytes),
3337 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3341 .errstr = "invalid stack type R3 off=-1 access_size=8",
3342 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3345 "raw_stack: skb_load_bytes, invalid access 3",
3347 BPF_MOV64_IMM(BPF_REG_2, 4),
3348 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3349 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
3350 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3351 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3352 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3353 BPF_FUNC_skb_load_bytes),
3354 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3358 .errstr = "R4 min value is negative",
3359 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3362 "raw_stack: skb_load_bytes, invalid access 4",
3364 BPF_MOV64_IMM(BPF_REG_2, 4),
3365 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3366 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3367 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3368 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3369 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3370 BPF_FUNC_skb_load_bytes),
3371 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3375 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3376 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3379 "raw_stack: skb_load_bytes, invalid access 5",
3381 BPF_MOV64_IMM(BPF_REG_2, 4),
3382 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3383 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3384 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3385 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3386 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3387 BPF_FUNC_skb_load_bytes),
3388 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3392 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3393 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3396 "raw_stack: skb_load_bytes, invalid access 6",
3398 BPF_MOV64_IMM(BPF_REG_2, 4),
3399 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3400 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3401 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3402 BPF_MOV64_IMM(BPF_REG_4, 0),
3403 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3404 BPF_FUNC_skb_load_bytes),
3405 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3409 .errstr = "invalid stack type R3 off=-512 access_size=0",
3410 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3413 "raw_stack: skb_load_bytes, large access",
3415 BPF_MOV64_IMM(BPF_REG_2, 4),
3416 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3417 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3418 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3419 BPF_MOV64_IMM(BPF_REG_4, 512),
3420 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3421 BPF_FUNC_skb_load_bytes),
3422 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3426 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3429 "context stores via ST",
3431 BPF_MOV64_IMM(BPF_REG_0, 0),
3432 BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
3435 .errstr = "BPF_ST stores into R1 ctx is not allowed",
3437 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3440 "context stores via XADD",
3442 BPF_MOV64_IMM(BPF_REG_0, 0),
3443 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1,
3444 BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
3447 .errstr = "BPF_XADD stores into R1 ctx is not allowed",
3449 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3452 "direct packet access: test1",
3454 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3455 offsetof(struct __sk_buff, data)),
3456 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3457 offsetof(struct __sk_buff, data_end)),
3458 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3459 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3460 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3461 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3462 BPF_MOV64_IMM(BPF_REG_0, 0),
3466 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3469 "direct packet access: test2",
3471 BPF_MOV64_IMM(BPF_REG_0, 1),
3472 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
3473 offsetof(struct __sk_buff, data_end)),
3474 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3475 offsetof(struct __sk_buff, data)),
3476 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3477 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
3478 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
3479 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
3480 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
3481 BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
3482 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3483 offsetof(struct __sk_buff, data)),
3484 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
3485 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3486 offsetof(struct __sk_buff, len)),
3487 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
3488 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
3489 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
3490 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
3491 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3492 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
3493 offsetof(struct __sk_buff, data_end)),
3494 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3495 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
3496 BPF_MOV64_IMM(BPF_REG_0, 0),
3500 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3503 "direct packet access: test3",
3505 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3506 offsetof(struct __sk_buff, data)),
3507 BPF_MOV64_IMM(BPF_REG_0, 0),
3510 .errstr = "invalid bpf_context access off=76",
3512 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
3515 "direct packet access: test4 (write)",
3517 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3518 offsetof(struct __sk_buff, data)),
3519 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3520 offsetof(struct __sk_buff, data_end)),
3521 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3522 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3523 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3524 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3525 BPF_MOV64_IMM(BPF_REG_0, 0),
3529 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3532 "direct packet access: test5 (pkt_end >= reg, good access)",
3534 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3535 offsetof(struct __sk_buff, data)),
3536 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3537 offsetof(struct __sk_buff, data_end)),
3538 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3539 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3540 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3541 BPF_MOV64_IMM(BPF_REG_0, 1),
3543 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3544 BPF_MOV64_IMM(BPF_REG_0, 0),
3548 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3551 "direct packet access: test6 (pkt_end >= reg, bad access)",
3553 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3554 offsetof(struct __sk_buff, data)),
3555 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3556 offsetof(struct __sk_buff, data_end)),
3557 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3558 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3559 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3560 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3561 BPF_MOV64_IMM(BPF_REG_0, 1),
3563 BPF_MOV64_IMM(BPF_REG_0, 0),
3566 .errstr = "invalid access to packet",
3568 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3571 "direct packet access: test7 (pkt_end >= reg, both accesses)",
3573 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3574 offsetof(struct __sk_buff, data)),
3575 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3576 offsetof(struct __sk_buff, data_end)),
3577 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3578 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3579 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3580 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3581 BPF_MOV64_IMM(BPF_REG_0, 1),
3583 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3584 BPF_MOV64_IMM(BPF_REG_0, 0),
3587 .errstr = "invalid access to packet",
3589 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3592 "direct packet access: test8 (double test, variant 1)",
3594 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3595 offsetof(struct __sk_buff, data)),
3596 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3597 offsetof(struct __sk_buff, data_end)),
3598 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3599 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3600 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
3601 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3602 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3603 BPF_MOV64_IMM(BPF_REG_0, 1),
3605 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3606 BPF_MOV64_IMM(BPF_REG_0, 0),
3610 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3613 "direct packet access: test9 (double test, variant 2)",
3615 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3616 offsetof(struct __sk_buff, data)),
3617 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3618 offsetof(struct __sk_buff, data_end)),
3619 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3620 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3621 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3622 BPF_MOV64_IMM(BPF_REG_0, 1),
3624 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3625 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3626 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3627 BPF_MOV64_IMM(BPF_REG_0, 0),
3631 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3634 "direct packet access: test10 (write invalid)",
3636 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3637 offsetof(struct __sk_buff, data)),
3638 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3639 offsetof(struct __sk_buff, data_end)),
3640 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3641 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3642 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3643 BPF_MOV64_IMM(BPF_REG_0, 0),
3645 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3646 BPF_MOV64_IMM(BPF_REG_0, 0),
3649 .errstr = "invalid access to packet",
3651 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3654 "direct packet access: test11 (shift, good access)",
3656 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3657 offsetof(struct __sk_buff, data)),
3658 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3659 offsetof(struct __sk_buff, data_end)),
3660 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3661 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3662 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3663 BPF_MOV64_IMM(BPF_REG_3, 144),
3664 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3665 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3666 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
3667 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3668 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3669 BPF_MOV64_IMM(BPF_REG_0, 1),
3671 BPF_MOV64_IMM(BPF_REG_0, 0),
3675 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3679 "direct packet access: test12 (and, good access)",
3681 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3682 offsetof(struct __sk_buff, data)),
3683 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3684 offsetof(struct __sk_buff, data_end)),
3685 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3686 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3687 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3688 BPF_MOV64_IMM(BPF_REG_3, 144),
3689 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3690 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3691 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3692 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3693 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3694 BPF_MOV64_IMM(BPF_REG_0, 1),
3696 BPF_MOV64_IMM(BPF_REG_0, 0),
3700 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3704 "direct packet access: test13 (branches, good access)",
3706 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3707 offsetof(struct __sk_buff, data)),
3708 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3709 offsetof(struct __sk_buff, data_end)),
3710 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3711 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3712 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
3713 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3714 offsetof(struct __sk_buff, mark)),
3715 BPF_MOV64_IMM(BPF_REG_4, 1),
3716 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
3717 BPF_MOV64_IMM(BPF_REG_3, 14),
3718 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
3719 BPF_MOV64_IMM(BPF_REG_3, 24),
3720 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3721 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3722 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3723 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3724 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3725 BPF_MOV64_IMM(BPF_REG_0, 1),
3727 BPF_MOV64_IMM(BPF_REG_0, 0),
3731 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3735 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
3737 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3738 offsetof(struct __sk_buff, data)),
3739 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3740 offsetof(struct __sk_buff, data_end)),
3741 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3742 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3743 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
3744 BPF_MOV64_IMM(BPF_REG_5, 12),
3745 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
3746 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3747 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3748 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
3749 BPF_MOV64_IMM(BPF_REG_0, 1),
3751 BPF_MOV64_IMM(BPF_REG_0, 0),
3755 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3759 "direct packet access: test15 (spill with xadd)",
3761 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3762 offsetof(struct __sk_buff, data)),
3763 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3764 offsetof(struct __sk_buff, data_end)),
3765 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3766 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3767 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3768 BPF_MOV64_IMM(BPF_REG_5, 4096),
3769 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
3770 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
3771 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
3772 BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
3773 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
3774 BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
3775 BPF_MOV64_IMM(BPF_REG_0, 0),
3778 .errstr = "R2 invalid mem access 'inv'",
3780 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3783 "direct packet access: test16 (arith on data_end)",
3785 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3786 offsetof(struct __sk_buff, data)),
3787 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3788 offsetof(struct __sk_buff, data_end)),
3789 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3790 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3791 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
3792 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3793 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3794 BPF_MOV64_IMM(BPF_REG_0, 0),
3797 .errstr = "R3 pointer arithmetic on pkt_end",
3799 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3802 "direct packet access: test17 (pruning, alignment)",
3804 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3805 offsetof(struct __sk_buff, data)),
3806 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3807 offsetof(struct __sk_buff, data_end)),
3808 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3809 offsetof(struct __sk_buff, mark)),
3810 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3811 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
3812 BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
3813 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3814 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
3815 BPF_MOV64_IMM(BPF_REG_0, 0),
3817 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
3820 .errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4",
3822 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3823 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
3826 "direct packet access: test18 (imm += pkt_ptr, 1)",
3828 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3829 offsetof(struct __sk_buff, data)),
3830 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3831 offsetof(struct __sk_buff, data_end)),
3832 BPF_MOV64_IMM(BPF_REG_0, 8),
3833 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3834 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3835 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3836 BPF_MOV64_IMM(BPF_REG_0, 0),
3840 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3843 "direct packet access: test19 (imm += pkt_ptr, 2)",
3845 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3846 offsetof(struct __sk_buff, data)),
3847 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3848 offsetof(struct __sk_buff, data_end)),
3849 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3850 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3851 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
3852 BPF_MOV64_IMM(BPF_REG_4, 4),
3853 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3854 BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
3855 BPF_MOV64_IMM(BPF_REG_0, 0),
3859 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3862 "direct packet access: test20 (x += pkt_ptr, 1)",
3864 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3865 offsetof(struct __sk_buff, data)),
3866 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3867 offsetof(struct __sk_buff, data_end)),
3868 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3869 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3870 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3871 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff),
3872 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3873 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3874 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3875 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3876 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3877 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3878 BPF_MOV64_IMM(BPF_REG_0, 0),
3881 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3885 "direct packet access: test21 (x += pkt_ptr, 2)",
3887 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3888 offsetof(struct __sk_buff, data)),
3889 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3890 offsetof(struct __sk_buff, data_end)),
3891 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3892 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3893 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
3894 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3895 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3896 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3897 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff),
3898 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3899 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3900 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3901 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3902 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3903 BPF_MOV64_IMM(BPF_REG_0, 0),
3906 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3910 "direct packet access: test22 (x += pkt_ptr, 3)",
3912 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3913 offsetof(struct __sk_buff, data)),
3914 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3915 offsetof(struct __sk_buff, data_end)),
3916 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3917 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3918 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
3919 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
3920 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
3921 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
3922 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
3923 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3924 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3925 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3926 BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49),
3927 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3928 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
3929 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
3930 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3931 BPF_MOV64_IMM(BPF_REG_2, 1),
3932 BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
3933 BPF_MOV64_IMM(BPF_REG_0, 0),
3936 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3940 "direct packet access: test23 (x += pkt_ptr, 4)",
3942 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3943 offsetof(struct __sk_buff, data)),
3944 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3945 offsetof(struct __sk_buff, data_end)),
3946 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3947 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3948 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3949 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
3950 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3951 BPF_MOV64_IMM(BPF_REG_0, 31),
3952 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3953 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3954 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3955 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
3956 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3957 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3958 BPF_MOV64_IMM(BPF_REG_0, 0),
3961 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3963 .errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)",
3966 "direct packet access: test24 (x += pkt_ptr, 5)",
3968 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3969 offsetof(struct __sk_buff, data)),
3970 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3971 offsetof(struct __sk_buff, data_end)),
3972 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3973 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3974 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3975 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
3976 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3977 BPF_MOV64_IMM(BPF_REG_0, 64),
3978 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3979 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3980 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3981 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1),
3982 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3983 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3984 BPF_MOV64_IMM(BPF_REG_0, 0),
3987 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3991 "direct packet access: test25 (marking on <, good access)",
3993 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3994 offsetof(struct __sk_buff, data)),
3995 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3996 offsetof(struct __sk_buff, data_end)),
3997 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3998 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3999 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2),
4000 BPF_MOV64_IMM(BPF_REG_0, 0),
4002 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4003 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
4006 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4009 "direct packet access: test26 (marking on <, bad access)",
4011 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4012 offsetof(struct __sk_buff, data)),
4013 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4014 offsetof(struct __sk_buff, data_end)),
4015 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4016 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4017 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3),
4018 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4019 BPF_MOV64_IMM(BPF_REG_0, 0),
4021 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
4024 .errstr = "invalid access to packet",
4025 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4028 "direct packet access: test27 (marking on <=, good access)",
4030 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4031 offsetof(struct __sk_buff, data)),
4032 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4033 offsetof(struct __sk_buff, data_end)),
4034 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4035 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4036 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1),
4037 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4038 BPF_MOV64_IMM(BPF_REG_0, 1),
4042 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4046 "direct packet access: test28 (marking on <=, bad access)",
4048 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4049 offsetof(struct __sk_buff, data)),
4050 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4051 offsetof(struct __sk_buff, data_end)),
4052 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4053 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4054 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2),
4055 BPF_MOV64_IMM(BPF_REG_0, 1),
4057 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4058 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
4061 .errstr = "invalid access to packet",
4062 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4065 "helper access to packet: test1, valid packet_ptr range",
4067 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4068 offsetof(struct xdp_md, data)),
4069 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4070 offsetof(struct xdp_md, data_end)),
4071 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4072 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
4073 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
4074 BPF_LD_MAP_FD(BPF_REG_1, 0),
4075 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
4076 BPF_MOV64_IMM(BPF_REG_4, 0),
4077 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4078 BPF_FUNC_map_update_elem),
4079 BPF_MOV64_IMM(BPF_REG_0, 0),
4082 .fixup_map_hash_8b = { 5 },
4083 .result_unpriv = ACCEPT,
4085 .prog_type = BPF_PROG_TYPE_XDP,
4088 "helper access to packet: test2, unchecked packet_ptr",
4090 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4091 offsetof(struct xdp_md, data)),
4092 BPF_LD_MAP_FD(BPF_REG_1, 0),
4093 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4094 BPF_FUNC_map_lookup_elem),
4095 BPF_MOV64_IMM(BPF_REG_0, 0),
4098 .fixup_map_hash_8b = { 1 },
4100 .errstr = "invalid access to packet",
4101 .prog_type = BPF_PROG_TYPE_XDP,
4104 "helper access to packet: test3, variable add",
4106 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4107 offsetof(struct xdp_md, data)),
4108 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4109 offsetof(struct xdp_md, data_end)),
4110 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4111 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
4112 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
4113 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
4114 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4115 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
4116 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4117 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
4118 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
4119 BPF_LD_MAP_FD(BPF_REG_1, 0),
4120 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
4121 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4122 BPF_FUNC_map_lookup_elem),
4123 BPF_MOV64_IMM(BPF_REG_0, 0),
4126 .fixup_map_hash_8b = { 11 },
4128 .prog_type = BPF_PROG_TYPE_XDP,
4131 "helper access to packet: test4, packet_ptr with bad range",
4133 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4134 offsetof(struct xdp_md, data)),
4135 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4136 offsetof(struct xdp_md, data_end)),
4137 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4138 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
4139 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
4140 BPF_MOV64_IMM(BPF_REG_0, 0),
4142 BPF_LD_MAP_FD(BPF_REG_1, 0),
4143 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4144 BPF_FUNC_map_lookup_elem),
4145 BPF_MOV64_IMM(BPF_REG_0, 0),
4148 .fixup_map_hash_8b = { 7 },
4150 .errstr = "invalid access to packet",
4151 .prog_type = BPF_PROG_TYPE_XDP,
4154 "helper access to packet: test5, packet_ptr with too short range",
4156 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4157 offsetof(struct xdp_md, data)),
4158 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4159 offsetof(struct xdp_md, data_end)),
4160 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4161 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4162 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4163 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4164 BPF_LD_MAP_FD(BPF_REG_1, 0),
4165 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4166 BPF_FUNC_map_lookup_elem),
4167 BPF_MOV64_IMM(BPF_REG_0, 0),
4170 .fixup_map_hash_8b = { 6 },
4172 .errstr = "invalid access to packet",
4173 .prog_type = BPF_PROG_TYPE_XDP,
4176 "helper access to packet: test6, cls valid packet_ptr range",
4178 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4179 offsetof(struct __sk_buff, data)),
4180 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4181 offsetof(struct __sk_buff, data_end)),
4182 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4183 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
4184 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
4185 BPF_LD_MAP_FD(BPF_REG_1, 0),
4186 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
4187 BPF_MOV64_IMM(BPF_REG_4, 0),
4188 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4189 BPF_FUNC_map_update_elem),
4190 BPF_MOV64_IMM(BPF_REG_0, 0),
4193 .fixup_map_hash_8b = { 5 },
4195 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4198 "helper access to packet: test7, cls unchecked packet_ptr",
4200 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4201 offsetof(struct __sk_buff, data)),
4202 BPF_LD_MAP_FD(BPF_REG_1, 0),
4203 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4204 BPF_FUNC_map_lookup_elem),
4205 BPF_MOV64_IMM(BPF_REG_0, 0),
4208 .fixup_map_hash_8b = { 1 },
4210 .errstr = "invalid access to packet",
4211 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4214 "helper access to packet: test8, cls variable add",
4216 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4217 offsetof(struct __sk_buff, data)),
4218 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4219 offsetof(struct __sk_buff, data_end)),
4220 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4221 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
4222 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
4223 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
4224 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4225 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
4226 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4227 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
4228 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
4229 BPF_LD_MAP_FD(BPF_REG_1, 0),
4230 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
4231 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4232 BPF_FUNC_map_lookup_elem),
4233 BPF_MOV64_IMM(BPF_REG_0, 0),
4236 .fixup_map_hash_8b = { 11 },
4238 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4241 "helper access to packet: test9, cls packet_ptr with bad range",
4243 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4244 offsetof(struct __sk_buff, data)),
4245 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4246 offsetof(struct __sk_buff, data_end)),
4247 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4248 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
4249 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
4250 BPF_MOV64_IMM(BPF_REG_0, 0),
4252 BPF_LD_MAP_FD(BPF_REG_1, 0),
4253 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4254 BPF_FUNC_map_lookup_elem),
4255 BPF_MOV64_IMM(BPF_REG_0, 0),
4258 .fixup_map_hash_8b = { 7 },
4260 .errstr = "invalid access to packet",
4261 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4264 "helper access to packet: test10, cls packet_ptr with too short range",
4266 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4267 offsetof(struct __sk_buff, data)),
4268 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4269 offsetof(struct __sk_buff, data_end)),
4270 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4271 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4272 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4273 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4274 BPF_LD_MAP_FD(BPF_REG_1, 0),
4275 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4276 BPF_FUNC_map_lookup_elem),
4277 BPF_MOV64_IMM(BPF_REG_0, 0),
4280 .fixup_map_hash_8b = { 6 },
4282 .errstr = "invalid access to packet",
4283 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4286 "helper access to packet: test11, cls unsuitable helper 1",
4288 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4289 offsetof(struct __sk_buff, data)),
4290 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4291 offsetof(struct __sk_buff, data_end)),
4292 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4293 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4294 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
4295 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
4296 BPF_MOV64_IMM(BPF_REG_2, 0),
4297 BPF_MOV64_IMM(BPF_REG_4, 42),
4298 BPF_MOV64_IMM(BPF_REG_5, 0),
4299 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4300 BPF_FUNC_skb_store_bytes),
4301 BPF_MOV64_IMM(BPF_REG_0, 0),
4305 .errstr = "helper access to the packet",
4306 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4309 "helper access to packet: test12, cls unsuitable helper 2",
4311 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4312 offsetof(struct __sk_buff, data)),
4313 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4314 offsetof(struct __sk_buff, data_end)),
4315 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4316 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
4317 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
4318 BPF_MOV64_IMM(BPF_REG_2, 0),
4319 BPF_MOV64_IMM(BPF_REG_4, 4),
4320 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4321 BPF_FUNC_skb_load_bytes),
4322 BPF_MOV64_IMM(BPF_REG_0, 0),
4326 .errstr = "helper access to the packet",
4327 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4330 "helper access to packet: test13, cls helper ok",
4332 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4333 offsetof(struct __sk_buff, data)),
4334 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4335 offsetof(struct __sk_buff, data_end)),
4336 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4337 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4338 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4339 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4340 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4341 BPF_MOV64_IMM(BPF_REG_2, 4),
4342 BPF_MOV64_IMM(BPF_REG_3, 0),
4343 BPF_MOV64_IMM(BPF_REG_4, 0),
4344 BPF_MOV64_IMM(BPF_REG_5, 0),
4345 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4346 BPF_FUNC_csum_diff),
4347 BPF_MOV64_IMM(BPF_REG_0, 0),
4351 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4354 "helper access to packet: test14, cls helper ok sub",
4356 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4357 offsetof(struct __sk_buff, data)),
4358 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4359 offsetof(struct __sk_buff, data_end)),
4360 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4361 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4362 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4363 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4364 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
4365 BPF_MOV64_IMM(BPF_REG_2, 4),
4366 BPF_MOV64_IMM(BPF_REG_3, 0),
4367 BPF_MOV64_IMM(BPF_REG_4, 0),
4368 BPF_MOV64_IMM(BPF_REG_5, 0),
4369 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4370 BPF_FUNC_csum_diff),
4371 BPF_MOV64_IMM(BPF_REG_0, 0),
4375 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4378 "helper access to packet: test15, cls helper fail sub",
4380 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4381 offsetof(struct __sk_buff, data)),
4382 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4383 offsetof(struct __sk_buff, data_end)),
4384 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4385 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4386 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4387 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4388 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12),
4389 BPF_MOV64_IMM(BPF_REG_2, 4),
4390 BPF_MOV64_IMM(BPF_REG_3, 0),
4391 BPF_MOV64_IMM(BPF_REG_4, 0),
4392 BPF_MOV64_IMM(BPF_REG_5, 0),
4393 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4394 BPF_FUNC_csum_diff),
4395 BPF_MOV64_IMM(BPF_REG_0, 0),
4399 .errstr = "invalid access to packet",
4400 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4403 "helper access to packet: test16, cls helper fail range 1",
4405 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4406 offsetof(struct __sk_buff, data)),
4407 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4408 offsetof(struct __sk_buff, data_end)),
4409 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4410 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4411 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4412 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4413 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4414 BPF_MOV64_IMM(BPF_REG_2, 8),
4415 BPF_MOV64_IMM(BPF_REG_3, 0),
4416 BPF_MOV64_IMM(BPF_REG_4, 0),
4417 BPF_MOV64_IMM(BPF_REG_5, 0),
4418 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4419 BPF_FUNC_csum_diff),
4420 BPF_MOV64_IMM(BPF_REG_0, 0),
4424 .errstr = "invalid access to packet",
4425 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4428 "helper access to packet: test17, cls helper fail range 2",
4430 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4431 offsetof(struct __sk_buff, data)),
4432 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4433 offsetof(struct __sk_buff, data_end)),
4434 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4435 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4436 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4437 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4438 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4439 BPF_MOV64_IMM(BPF_REG_2, -9),
4440 BPF_MOV64_IMM(BPF_REG_3, 0),
4441 BPF_MOV64_IMM(BPF_REG_4, 0),
4442 BPF_MOV64_IMM(BPF_REG_5, 0),
4443 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4444 BPF_FUNC_csum_diff),
4445 BPF_MOV64_IMM(BPF_REG_0, 0),
4449 .errstr = "R2 min value is negative",
4450 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4453 "helper access to packet: test18, cls helper fail range 3",
4455 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4456 offsetof(struct __sk_buff, data)),
4457 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4458 offsetof(struct __sk_buff, data_end)),
4459 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4460 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4461 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4462 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4463 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4464 BPF_MOV64_IMM(BPF_REG_2, ~0),
4465 BPF_MOV64_IMM(BPF_REG_3, 0),
4466 BPF_MOV64_IMM(BPF_REG_4, 0),
4467 BPF_MOV64_IMM(BPF_REG_5, 0),
4468 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4469 BPF_FUNC_csum_diff),
4470 BPF_MOV64_IMM(BPF_REG_0, 0),
4474 .errstr = "R2 min value is negative",
4475 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4478 "helper access to packet: test19, cls helper range zero",
4480 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4481 offsetof(struct __sk_buff, data)),
4482 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4483 offsetof(struct __sk_buff, data_end)),
4484 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4485 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4486 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4487 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4488 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4489 BPF_MOV64_IMM(BPF_REG_2, 0),
4490 BPF_MOV64_IMM(BPF_REG_3, 0),
4491 BPF_MOV64_IMM(BPF_REG_4, 0),
4492 BPF_MOV64_IMM(BPF_REG_5, 0),
4493 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4494 BPF_FUNC_csum_diff),
4495 BPF_MOV64_IMM(BPF_REG_0, 0),
4499 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4502 "helper access to packet: test20, pkt end as input",
4504 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4505 offsetof(struct __sk_buff, data)),
4506 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4507 offsetof(struct __sk_buff, data_end)),
4508 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4509 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4510 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4511 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4512 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
4513 BPF_MOV64_IMM(BPF_REG_2, 4),
4514 BPF_MOV64_IMM(BPF_REG_3, 0),
4515 BPF_MOV64_IMM(BPF_REG_4, 0),
4516 BPF_MOV64_IMM(BPF_REG_5, 0),
4517 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4518 BPF_FUNC_csum_diff),
4519 BPF_MOV64_IMM(BPF_REG_0, 0),
4523 .errstr = "R1 type=pkt_end expected=fp",
4524 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4527 "helper access to packet: test21, wrong reg",
4529 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4530 offsetof(struct __sk_buff, data)),
4531 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4532 offsetof(struct __sk_buff, data_end)),
4533 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4534 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4535 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4536 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4537 BPF_MOV64_IMM(BPF_REG_2, 4),
4538 BPF_MOV64_IMM(BPF_REG_3, 0),
4539 BPF_MOV64_IMM(BPF_REG_4, 0),
4540 BPF_MOV64_IMM(BPF_REG_5, 0),
4541 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4542 BPF_FUNC_csum_diff),
4543 BPF_MOV64_IMM(BPF_REG_0, 0),
4547 .errstr = "invalid access to packet",
4548 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4551 "prevent map lookup in sockmap",
4553 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4554 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4555 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4556 BPF_LD_MAP_FD(BPF_REG_1, 0),
4557 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4558 BPF_FUNC_map_lookup_elem),
4561 .fixup_map_sockmap = { 3 },
4563 .errstr = "cannot pass map_type 15 into func bpf_map_lookup_elem",
4564 .prog_type = BPF_PROG_TYPE_SOCK_OPS,
4567 "prevent map lookup in sockhash",
4569 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4570 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4571 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4572 BPF_LD_MAP_FD(BPF_REG_1, 0),
4573 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4574 BPF_FUNC_map_lookup_elem),
4577 .fixup_map_sockhash = { 3 },
4579 .errstr = "cannot pass map_type 18 into func bpf_map_lookup_elem",
4580 .prog_type = BPF_PROG_TYPE_SOCK_OPS,
4583 "prevent map lookup in xskmap",
4585 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4586 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4587 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4588 BPF_LD_MAP_FD(BPF_REG_1, 0),
4589 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4590 BPF_FUNC_map_lookup_elem),
4593 .fixup_map_xskmap = { 3 },
4595 .errstr = "cannot pass map_type 17 into func bpf_map_lookup_elem",
4596 .prog_type = BPF_PROG_TYPE_XDP,
4599 "prevent map lookup in stack trace",
4601 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4602 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4603 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4604 BPF_LD_MAP_FD(BPF_REG_1, 0),
4605 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4606 BPF_FUNC_map_lookup_elem),
4609 .fixup_map_stacktrace = { 3 },
4611 .errstr = "cannot pass map_type 7 into func bpf_map_lookup_elem",
4612 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
4615 "prevent map lookup in prog array",
4617 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4618 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4619 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4620 BPF_LD_MAP_FD(BPF_REG_1, 0),
4621 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4622 BPF_FUNC_map_lookup_elem),
4625 .fixup_prog2 = { 3 },
4627 .errstr = "cannot pass map_type 3 into func bpf_map_lookup_elem",
4630 "valid map access into an array with a constant",
4632 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4633 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4634 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4635 BPF_LD_MAP_FD(BPF_REG_1, 0),
4636 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4637 BPF_FUNC_map_lookup_elem),
4638 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4639 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4640 offsetof(struct test_val, foo)),
4643 .fixup_map_hash_48b = { 3 },
4644 .errstr_unpriv = "R0 leaks addr",
4645 .result_unpriv = REJECT,
4649 "valid map access into an array with a register",
4651 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4652 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4653 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4654 BPF_LD_MAP_FD(BPF_REG_1, 0),
4655 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4656 BPF_FUNC_map_lookup_elem),
4657 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4658 BPF_MOV64_IMM(BPF_REG_1, 4),
4659 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4660 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4661 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4662 offsetof(struct test_val, foo)),
4665 .fixup_map_hash_48b = { 3 },
4666 .errstr_unpriv = "R0 leaks addr",
4667 .result_unpriv = REJECT,
4669 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4672 "valid map access into an array with a variable",
4674 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4675 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4676 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4677 BPF_LD_MAP_FD(BPF_REG_1, 0),
4678 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4679 BPF_FUNC_map_lookup_elem),
4680 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4681 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4682 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
4683 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4684 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4685 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4686 offsetof(struct test_val, foo)),
4689 .fixup_map_hash_48b = { 3 },
4690 .errstr_unpriv = "R0 leaks addr",
4691 .result_unpriv = REJECT,
4693 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4696 "valid map access into an array with a signed variable",
4698 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4699 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4700 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4701 BPF_LD_MAP_FD(BPF_REG_1, 0),
4702 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4703 BPF_FUNC_map_lookup_elem),
4704 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
4705 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4706 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
4707 BPF_MOV32_IMM(BPF_REG_1, 0),
4708 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4709 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4710 BPF_MOV32_IMM(BPF_REG_1, 0),
4711 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4712 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4713 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4714 offsetof(struct test_val, foo)),
4717 .fixup_map_hash_48b = { 3 },
4718 .errstr_unpriv = "R0 leaks addr",
4719 .result_unpriv = REJECT,
4721 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4724 "invalid map access into an array with a constant",
4726 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4727 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4728 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4729 BPF_LD_MAP_FD(BPF_REG_1, 0),
4730 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4731 BPF_FUNC_map_lookup_elem),
4732 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4733 BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
4734 offsetof(struct test_val, foo)),
4737 .fixup_map_hash_48b = { 3 },
4738 .errstr = "invalid access to map value, value_size=48 off=48 size=8",
4742 "invalid map access into an array with a register",
4744 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4745 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4746 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4747 BPF_LD_MAP_FD(BPF_REG_1, 0),
4748 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4749 BPF_FUNC_map_lookup_elem),
4750 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4751 BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
4752 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4753 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4754 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4755 offsetof(struct test_val, foo)),
4758 .fixup_map_hash_48b = { 3 },
4759 .errstr = "R0 min value is outside of the array range",
4761 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4764 "invalid map access into an array with a variable",
4766 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4767 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4768 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4769 BPF_LD_MAP_FD(BPF_REG_1, 0),
4770 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4771 BPF_FUNC_map_lookup_elem),
4772 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4773 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4774 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4775 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4776 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4777 offsetof(struct test_val, foo)),
4780 .fixup_map_hash_48b = { 3 },
4781 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
4783 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4786 "invalid map access into an array with no floor check",
4788 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4789 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4790 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4791 BPF_LD_MAP_FD(BPF_REG_1, 0),
4792 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4793 BPF_FUNC_map_lookup_elem),
4794 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4795 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
4796 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4797 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4798 BPF_MOV32_IMM(BPF_REG_1, 0),
4799 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4800 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4801 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4802 offsetof(struct test_val, foo)),
4805 .fixup_map_hash_48b = { 3 },
4806 .errstr_unpriv = "R0 leaks addr",
4807 .errstr = "R0 unbounded memory access",
4808 .result_unpriv = REJECT,
4810 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4813 "invalid map access into an array with a invalid max check",
4815 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4816 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4817 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4818 BPF_LD_MAP_FD(BPF_REG_1, 0),
4819 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4820 BPF_FUNC_map_lookup_elem),
4821 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4822 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4823 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
4824 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
4825 BPF_MOV32_IMM(BPF_REG_1, 0),
4826 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4827 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4828 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4829 offsetof(struct test_val, foo)),
4832 .fixup_map_hash_48b = { 3 },
4833 .errstr_unpriv = "R0 leaks addr",
4834 .errstr = "invalid access to map value, value_size=48 off=44 size=8",
4835 .result_unpriv = REJECT,
4837 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4840 "invalid map access into an array with a invalid max check",
4842 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4843 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4844 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4845 BPF_LD_MAP_FD(BPF_REG_1, 0),
4846 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4847 BPF_FUNC_map_lookup_elem),
4848 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
4849 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
4850 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4851 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4852 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4853 BPF_LD_MAP_FD(BPF_REG_1, 0),
4854 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4855 BPF_FUNC_map_lookup_elem),
4856 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4857 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
4858 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
4859 offsetof(struct test_val, foo)),
4862 .fixup_map_hash_48b = { 3, 11 },
4863 .errstr = "R0 pointer += pointer",
4865 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4868 "direct packet read test#1 for CGROUP_SKB",
4870 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4871 offsetof(struct __sk_buff, data)),
4872 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4873 offsetof(struct __sk_buff, data_end)),
4874 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
4875 offsetof(struct __sk_buff, len)),
4876 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4877 offsetof(struct __sk_buff, pkt_type)),
4878 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4879 offsetof(struct __sk_buff, mark)),
4880 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
4881 offsetof(struct __sk_buff, mark)),
4882 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4883 offsetof(struct __sk_buff, queue_mapping)),
4884 BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
4885 offsetof(struct __sk_buff, protocol)),
4886 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
4887 offsetof(struct __sk_buff, vlan_present)),
4888 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4889 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4890 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4891 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4892 BPF_MOV64_IMM(BPF_REG_0, 0),
4896 .result_unpriv = REJECT,
4897 .errstr_unpriv = "invalid bpf_context access off=76 size=4",
4898 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4901 "direct packet read test#2 for CGROUP_SKB",
4903 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
4904 offsetof(struct __sk_buff, vlan_tci)),
4905 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4906 offsetof(struct __sk_buff, vlan_proto)),
4907 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4908 offsetof(struct __sk_buff, priority)),
4909 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
4910 offsetof(struct __sk_buff, priority)),
4911 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4912 offsetof(struct __sk_buff,
4914 BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
4915 offsetof(struct __sk_buff, tc_index)),
4916 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
4917 offsetof(struct __sk_buff, hash)),
4918 BPF_MOV64_IMM(BPF_REG_0, 0),
4922 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4925 "direct packet read test#3 for CGROUP_SKB",
4927 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
4928 offsetof(struct __sk_buff, cb[0])),
4929 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4930 offsetof(struct __sk_buff, cb[1])),
4931 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4932 offsetof(struct __sk_buff, cb[2])),
4933 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4934 offsetof(struct __sk_buff, cb[3])),
4935 BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
4936 offsetof(struct __sk_buff, cb[4])),
4937 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
4938 offsetof(struct __sk_buff, napi_id)),
4939 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_4,
4940 offsetof(struct __sk_buff, cb[0])),
4941 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_5,
4942 offsetof(struct __sk_buff, cb[1])),
4943 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
4944 offsetof(struct __sk_buff, cb[2])),
4945 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_7,
4946 offsetof(struct __sk_buff, cb[3])),
4947 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_8,
4948 offsetof(struct __sk_buff, cb[4])),
4949 BPF_MOV64_IMM(BPF_REG_0, 0),
4953 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4956 "direct packet read test#4 for CGROUP_SKB",
4958 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4959 offsetof(struct __sk_buff, family)),
4960 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4961 offsetof(struct __sk_buff, remote_ip4)),
4962 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
4963 offsetof(struct __sk_buff, local_ip4)),
4964 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4965 offsetof(struct __sk_buff, remote_ip6[0])),
4966 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4967 offsetof(struct __sk_buff, remote_ip6[1])),
4968 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4969 offsetof(struct __sk_buff, remote_ip6[2])),
4970 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4971 offsetof(struct __sk_buff, remote_ip6[3])),
4972 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4973 offsetof(struct __sk_buff, local_ip6[0])),
4974 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4975 offsetof(struct __sk_buff, local_ip6[1])),
4976 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4977 offsetof(struct __sk_buff, local_ip6[2])),
4978 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4979 offsetof(struct __sk_buff, local_ip6[3])),
4980 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4981 offsetof(struct __sk_buff, remote_port)),
4982 BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
4983 offsetof(struct __sk_buff, local_port)),
4984 BPF_MOV64_IMM(BPF_REG_0, 0),
4988 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4991 "invalid access of tc_classid for CGROUP_SKB",
4993 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4994 offsetof(struct __sk_buff, tc_classid)),
4995 BPF_MOV64_IMM(BPF_REG_0, 0),
4999 .errstr = "invalid bpf_context access",
5000 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5003 "invalid access of data_meta for CGROUP_SKB",
5005 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5006 offsetof(struct __sk_buff, data_meta)),
5007 BPF_MOV64_IMM(BPF_REG_0, 0),
5011 .errstr = "invalid bpf_context access",
5012 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5015 "invalid access of flow_keys for CGROUP_SKB",
5017 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5018 offsetof(struct __sk_buff, flow_keys)),
5019 BPF_MOV64_IMM(BPF_REG_0, 0),
5023 .errstr = "invalid bpf_context access",
5024 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5027 "invalid write access to napi_id for CGROUP_SKB",
5029 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
5030 offsetof(struct __sk_buff, napi_id)),
5031 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_9,
5032 offsetof(struct __sk_buff, napi_id)),
5033 BPF_MOV64_IMM(BPF_REG_0, 0),
5037 .errstr = "invalid bpf_context access",
5038 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5041 "valid cgroup storage access",
5043 BPF_MOV64_IMM(BPF_REG_2, 0),
5044 BPF_LD_MAP_FD(BPF_REG_1, 0),
5045 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5046 BPF_FUNC_get_local_storage),
5047 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5048 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5049 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5052 .fixup_cgroup_storage = { 1 },
5054 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5057 "invalid cgroup storage access 1",
5059 BPF_MOV64_IMM(BPF_REG_2, 0),
5060 BPF_LD_MAP_FD(BPF_REG_1, 0),
5061 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5062 BPF_FUNC_get_local_storage),
5063 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5064 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5065 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5068 .fixup_map_hash_8b = { 1 },
5070 .errstr = "cannot pass map_type 1 into func bpf_get_local_storage",
5071 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5074 "invalid cgroup storage access 2",
5076 BPF_MOV64_IMM(BPF_REG_2, 0),
5077 BPF_LD_MAP_FD(BPF_REG_1, 1),
5078 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5079 BPF_FUNC_get_local_storage),
5080 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5084 .errstr = "fd 1 is not pointing to valid bpf_map",
5085 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5088 "invalid cgroup storage access 3",
5090 BPF_MOV64_IMM(BPF_REG_2, 0),
5091 BPF_LD_MAP_FD(BPF_REG_1, 0),
5092 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5093 BPF_FUNC_get_local_storage),
5094 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 256),
5095 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5096 BPF_MOV64_IMM(BPF_REG_0, 0),
5099 .fixup_cgroup_storage = { 1 },
5101 .errstr = "invalid access to map value, value_size=64 off=256 size=4",
5102 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5105 "invalid cgroup storage access 4",
5107 BPF_MOV64_IMM(BPF_REG_2, 0),
5108 BPF_LD_MAP_FD(BPF_REG_1, 0),
5109 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5110 BPF_FUNC_get_local_storage),
5111 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -2),
5112 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5113 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5116 .fixup_cgroup_storage = { 1 },
5118 .errstr = "invalid access to map value, value_size=64 off=-2 size=4",
5119 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5122 "invalid cgroup storage access 5",
5124 BPF_MOV64_IMM(BPF_REG_2, 7),
5125 BPF_LD_MAP_FD(BPF_REG_1, 0),
5126 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5127 BPF_FUNC_get_local_storage),
5128 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5129 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5130 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5133 .fixup_cgroup_storage = { 1 },
5135 .errstr = "get_local_storage() doesn't support non-zero flags",
5136 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5139 "invalid cgroup storage access 6",
5141 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
5142 BPF_LD_MAP_FD(BPF_REG_1, 0),
5143 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5144 BPF_FUNC_get_local_storage),
5145 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5146 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5147 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5150 .fixup_cgroup_storage = { 1 },
5152 .errstr = "get_local_storage() doesn't support non-zero flags",
5153 .errstr_unpriv = "R2 leaks addr into helper function",
5154 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5157 "valid per-cpu cgroup storage access",
5159 BPF_MOV64_IMM(BPF_REG_2, 0),
5160 BPF_LD_MAP_FD(BPF_REG_1, 0),
5161 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5162 BPF_FUNC_get_local_storage),
5163 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5164 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5165 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5168 .fixup_percpu_cgroup_storage = { 1 },
5170 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5173 "invalid per-cpu cgroup storage access 1",
5175 BPF_MOV64_IMM(BPF_REG_2, 0),
5176 BPF_LD_MAP_FD(BPF_REG_1, 0),
5177 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5178 BPF_FUNC_get_local_storage),
5179 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5180 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5181 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5184 .fixup_map_hash_8b = { 1 },
5186 .errstr = "cannot pass map_type 1 into func bpf_get_local_storage",
5187 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5190 "invalid per-cpu cgroup storage access 2",
5192 BPF_MOV64_IMM(BPF_REG_2, 0),
5193 BPF_LD_MAP_FD(BPF_REG_1, 1),
5194 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5195 BPF_FUNC_get_local_storage),
5196 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5200 .errstr = "fd 1 is not pointing to valid bpf_map",
5201 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5204 "invalid per-cpu cgroup storage access 3",
5206 BPF_MOV64_IMM(BPF_REG_2, 0),
5207 BPF_LD_MAP_FD(BPF_REG_1, 0),
5208 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5209 BPF_FUNC_get_local_storage),
5210 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 256),
5211 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5212 BPF_MOV64_IMM(BPF_REG_0, 0),
5215 .fixup_percpu_cgroup_storage = { 1 },
5217 .errstr = "invalid access to map value, value_size=64 off=256 size=4",
5218 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5221 "invalid per-cpu cgroup storage access 4",
5223 BPF_MOV64_IMM(BPF_REG_2, 0),
5224 BPF_LD_MAP_FD(BPF_REG_1, 0),
5225 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5226 BPF_FUNC_get_local_storage),
5227 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -2),
5228 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5229 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5232 .fixup_cgroup_storage = { 1 },
5234 .errstr = "invalid access to map value, value_size=64 off=-2 size=4",
5235 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5238 "invalid per-cpu cgroup storage access 5",
5240 BPF_MOV64_IMM(BPF_REG_2, 7),
5241 BPF_LD_MAP_FD(BPF_REG_1, 0),
5242 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5243 BPF_FUNC_get_local_storage),
5244 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5245 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5246 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5249 .fixup_percpu_cgroup_storage = { 1 },
5251 .errstr = "get_local_storage() doesn't support non-zero flags",
5252 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5255 "invalid per-cpu cgroup storage access 6",
5257 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
5258 BPF_LD_MAP_FD(BPF_REG_1, 0),
5259 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5260 BPF_FUNC_get_local_storage),
5261 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5262 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5263 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5266 .fixup_percpu_cgroup_storage = { 1 },
5268 .errstr = "get_local_storage() doesn't support non-zero flags",
5269 .errstr_unpriv = "R2 leaks addr into helper function",
5270 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5273 "multiple registers share map_lookup_elem result",
5275 BPF_MOV64_IMM(BPF_REG_1, 10),
5276 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5277 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5278 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5279 BPF_LD_MAP_FD(BPF_REG_1, 0),
5280 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5281 BPF_FUNC_map_lookup_elem),
5282 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5283 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5284 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5287 .fixup_map_hash_8b = { 4 },
5289 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5292 "alu ops on ptr_to_map_value_or_null, 1",
5294 BPF_MOV64_IMM(BPF_REG_1, 10),
5295 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5296 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5297 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5298 BPF_LD_MAP_FD(BPF_REG_1, 0),
5299 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5300 BPF_FUNC_map_lookup_elem),
5301 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5302 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
5303 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
5304 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5305 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5308 .fixup_map_hash_8b = { 4 },
5309 .errstr = "R4 pointer arithmetic on map_value_or_null",
5311 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5314 "alu ops on ptr_to_map_value_or_null, 2",
5316 BPF_MOV64_IMM(BPF_REG_1, 10),
5317 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5318 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5319 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5320 BPF_LD_MAP_FD(BPF_REG_1, 0),
5321 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5322 BPF_FUNC_map_lookup_elem),
5323 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5324 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
5325 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5326 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5329 .fixup_map_hash_8b = { 4 },
5330 .errstr = "R4 pointer arithmetic on map_value_or_null",
5332 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5335 "alu ops on ptr_to_map_value_or_null, 3",
5337 BPF_MOV64_IMM(BPF_REG_1, 10),
5338 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5339 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5340 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5341 BPF_LD_MAP_FD(BPF_REG_1, 0),
5342 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5343 BPF_FUNC_map_lookup_elem),
5344 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5345 BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
5346 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5347 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5350 .fixup_map_hash_8b = { 4 },
5351 .errstr = "R4 pointer arithmetic on map_value_or_null",
5353 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5356 "invalid memory access with multiple map_lookup_elem calls",
5358 BPF_MOV64_IMM(BPF_REG_1, 10),
5359 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5360 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5361 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5362 BPF_LD_MAP_FD(BPF_REG_1, 0),
5363 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
5364 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
5365 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5366 BPF_FUNC_map_lookup_elem),
5367 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5368 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
5369 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
5370 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5371 BPF_FUNC_map_lookup_elem),
5372 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5373 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5376 .fixup_map_hash_8b = { 4 },
5378 .errstr = "R4 !read_ok",
5379 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5382 "valid indirect map_lookup_elem access with 2nd lookup in branch",
5384 BPF_MOV64_IMM(BPF_REG_1, 10),
5385 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5386 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5387 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5388 BPF_LD_MAP_FD(BPF_REG_1, 0),
5389 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
5390 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
5391 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5392 BPF_FUNC_map_lookup_elem),
5393 BPF_MOV64_IMM(BPF_REG_2, 10),
5394 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
5395 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
5396 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
5397 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5398 BPF_FUNC_map_lookup_elem),
5399 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5400 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5401 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5404 .fixup_map_hash_8b = { 4 },
5406 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5409 "invalid map access from else condition",
5411 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5412 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5413 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5414 BPF_LD_MAP_FD(BPF_REG_1, 0),
5415 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
5416 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5417 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5418 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
5419 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5420 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
5421 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5422 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
5425 .fixup_map_hash_48b = { 3 },
5426 .errstr = "R0 unbounded memory access",
5428 .errstr_unpriv = "R0 leaks addr",
5429 .result_unpriv = REJECT,
5430 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5433 "constant register |= constant should keep constant type",
5435 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5436 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5437 BPF_MOV64_IMM(BPF_REG_2, 34),
5438 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
5439 BPF_MOV64_IMM(BPF_REG_3, 0),
5440 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5444 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5447 "constant register |= constant should not bypass stack boundary checks",
5449 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5450 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5451 BPF_MOV64_IMM(BPF_REG_2, 34),
5452 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
5453 BPF_MOV64_IMM(BPF_REG_3, 0),
5454 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5457 .errstr = "invalid stack type R1 off=-48 access_size=58",
5459 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5462 "constant register |= constant register should keep constant type",
5464 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5465 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5466 BPF_MOV64_IMM(BPF_REG_2, 34),
5467 BPF_MOV64_IMM(BPF_REG_4, 13),
5468 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
5469 BPF_MOV64_IMM(BPF_REG_3, 0),
5470 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5474 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5477 "constant register |= constant register should not bypass stack boundary checks",
5479 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5480 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5481 BPF_MOV64_IMM(BPF_REG_2, 34),
5482 BPF_MOV64_IMM(BPF_REG_4, 24),
5483 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
5484 BPF_MOV64_IMM(BPF_REG_3, 0),
5485 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5488 .errstr = "invalid stack type R1 off=-48 access_size=58",
5490 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5493 "invalid direct packet write for LWT_IN",
5495 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5496 offsetof(struct __sk_buff, data)),
5497 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5498 offsetof(struct __sk_buff, data_end)),
5499 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5500 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5501 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5502 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5503 BPF_MOV64_IMM(BPF_REG_0, 0),
5506 .errstr = "cannot write into packet",
5508 .prog_type = BPF_PROG_TYPE_LWT_IN,
5511 "invalid direct packet write for LWT_OUT",
5513 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5514 offsetof(struct __sk_buff, data)),
5515 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5516 offsetof(struct __sk_buff, data_end)),
5517 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5518 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5519 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5520 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5521 BPF_MOV64_IMM(BPF_REG_0, 0),
5524 .errstr = "cannot write into packet",
5526 .prog_type = BPF_PROG_TYPE_LWT_OUT,
5529 "direct packet write for LWT_XMIT",
5531 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5532 offsetof(struct __sk_buff, data)),
5533 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5534 offsetof(struct __sk_buff, data_end)),
5535 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5536 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5537 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5538 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5539 BPF_MOV64_IMM(BPF_REG_0, 0),
5543 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5546 "direct packet read for LWT_IN",
5548 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5549 offsetof(struct __sk_buff, data)),
5550 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5551 offsetof(struct __sk_buff, data_end)),
5552 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5553 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5554 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5555 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5556 BPF_MOV64_IMM(BPF_REG_0, 0),
5560 .prog_type = BPF_PROG_TYPE_LWT_IN,
5563 "direct packet read for LWT_OUT",
5565 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5566 offsetof(struct __sk_buff, data)),
5567 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5568 offsetof(struct __sk_buff, data_end)),
5569 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5570 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5571 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5572 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5573 BPF_MOV64_IMM(BPF_REG_0, 0),
5577 .prog_type = BPF_PROG_TYPE_LWT_OUT,
5580 "direct packet read for LWT_XMIT",
5582 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5583 offsetof(struct __sk_buff, data)),
5584 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5585 offsetof(struct __sk_buff, data_end)),
5586 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5587 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5588 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5589 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5590 BPF_MOV64_IMM(BPF_REG_0, 0),
5594 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5597 "overlapping checks for direct packet access",
5599 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5600 offsetof(struct __sk_buff, data)),
5601 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5602 offsetof(struct __sk_buff, data_end)),
5603 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5604 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5605 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
5606 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
5607 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
5608 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
5609 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
5610 BPF_MOV64_IMM(BPF_REG_0, 0),
5614 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5617 "make headroom for LWT_XMIT",
5619 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5620 BPF_MOV64_IMM(BPF_REG_2, 34),
5621 BPF_MOV64_IMM(BPF_REG_3, 0),
5622 BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
5623 /* split for s390 to succeed */
5624 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
5625 BPF_MOV64_IMM(BPF_REG_2, 42),
5626 BPF_MOV64_IMM(BPF_REG_3, 0),
5627 BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
5628 BPF_MOV64_IMM(BPF_REG_0, 0),
5632 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5635 "invalid access of tc_classid for LWT_IN",
5637 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5638 offsetof(struct __sk_buff, tc_classid)),
5642 .errstr = "invalid bpf_context access",
5645 "invalid access of tc_classid for LWT_OUT",
5647 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5648 offsetof(struct __sk_buff, tc_classid)),
5652 .errstr = "invalid bpf_context access",
5655 "invalid access of tc_classid for LWT_XMIT",
5657 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5658 offsetof(struct __sk_buff, tc_classid)),
5662 .errstr = "invalid bpf_context access",
5665 "leak pointer into ctx 1",
5667 BPF_MOV64_IMM(BPF_REG_0, 0),
5668 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5669 offsetof(struct __sk_buff, cb[0])),
5670 BPF_LD_MAP_FD(BPF_REG_2, 0),
5671 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
5672 offsetof(struct __sk_buff, cb[0])),
5675 .fixup_map_hash_8b = { 2 },
5676 .errstr_unpriv = "R2 leaks addr into mem",
5677 .result_unpriv = REJECT,
5679 .errstr = "BPF_XADD stores into R1 ctx is not allowed",
5682 "leak pointer into ctx 2",
5684 BPF_MOV64_IMM(BPF_REG_0, 0),
5685 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5686 offsetof(struct __sk_buff, cb[0])),
5687 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
5688 offsetof(struct __sk_buff, cb[0])),
5691 .errstr_unpriv = "R10 leaks addr into mem",
5692 .result_unpriv = REJECT,
5694 .errstr = "BPF_XADD stores into R1 ctx is not allowed",
5697 "leak pointer into ctx 3",
5699 BPF_MOV64_IMM(BPF_REG_0, 0),
5700 BPF_LD_MAP_FD(BPF_REG_2, 0),
5701 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
5702 offsetof(struct __sk_buff, cb[0])),
5705 .fixup_map_hash_8b = { 1 },
5706 .errstr_unpriv = "R2 leaks addr into ctx",
5707 .result_unpriv = REJECT,
5711 "leak pointer into map val",
5713 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5714 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5715 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5716 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5717 BPF_LD_MAP_FD(BPF_REG_1, 0),
5718 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5719 BPF_FUNC_map_lookup_elem),
5720 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
5721 BPF_MOV64_IMM(BPF_REG_3, 0),
5722 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
5723 BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
5724 BPF_MOV64_IMM(BPF_REG_0, 0),
5727 .fixup_map_hash_8b = { 4 },
5728 .errstr_unpriv = "R6 leaks addr into mem",
5729 .result_unpriv = REJECT,
5733 "helper access to map: full range",
5735 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5736 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5737 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5738 BPF_LD_MAP_FD(BPF_REG_1, 0),
5739 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5740 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5741 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5742 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5743 BPF_MOV64_IMM(BPF_REG_3, 0),
5744 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5747 .fixup_map_hash_48b = { 3 },
5749 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5752 "helper access to map: partial range",
5754 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5755 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5756 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5757 BPF_LD_MAP_FD(BPF_REG_1, 0),
5758 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5759 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5760 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5761 BPF_MOV64_IMM(BPF_REG_2, 8),
5762 BPF_MOV64_IMM(BPF_REG_3, 0),
5763 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5766 .fixup_map_hash_48b = { 3 },
5768 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5771 "helper access to map: empty range",
5773 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5774 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5775 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5776 BPF_LD_MAP_FD(BPF_REG_1, 0),
5777 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5778 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
5779 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5780 BPF_MOV64_IMM(BPF_REG_2, 0),
5781 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5784 .fixup_map_hash_48b = { 3 },
5785 .errstr = "invalid access to map value, value_size=48 off=0 size=0",
5787 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5790 "helper access to map: out-of-bound range",
5792 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5793 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5794 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5795 BPF_LD_MAP_FD(BPF_REG_1, 0),
5796 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5797 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5798 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5799 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
5800 BPF_MOV64_IMM(BPF_REG_3, 0),
5801 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5804 .fixup_map_hash_48b = { 3 },
5805 .errstr = "invalid access to map value, value_size=48 off=0 size=56",
5807 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5810 "helper access to map: negative range",
5812 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5813 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5814 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5815 BPF_LD_MAP_FD(BPF_REG_1, 0),
5816 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5817 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5818 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5819 BPF_MOV64_IMM(BPF_REG_2, -8),
5820 BPF_MOV64_IMM(BPF_REG_3, 0),
5821 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5824 .fixup_map_hash_48b = { 3 },
5825 .errstr = "R2 min value is negative",
5827 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5830 "helper access to adjusted map (via const imm): full range",
5832 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5833 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5834 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5835 BPF_LD_MAP_FD(BPF_REG_1, 0),
5836 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5837 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5838 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5839 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5840 offsetof(struct test_val, foo)),
5841 BPF_MOV64_IMM(BPF_REG_2,
5842 sizeof(struct test_val) -
5843 offsetof(struct test_val, foo)),
5844 BPF_MOV64_IMM(BPF_REG_3, 0),
5845 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5848 .fixup_map_hash_48b = { 3 },
5850 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5853 "helper access to adjusted map (via const imm): partial range",
5855 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5856 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5857 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5858 BPF_LD_MAP_FD(BPF_REG_1, 0),
5859 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5860 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5861 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5862 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5863 offsetof(struct test_val, foo)),
5864 BPF_MOV64_IMM(BPF_REG_2, 8),
5865 BPF_MOV64_IMM(BPF_REG_3, 0),
5866 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5869 .fixup_map_hash_48b = { 3 },
5871 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5874 "helper access to adjusted map (via const imm): empty range",
5876 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5877 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5878 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5879 BPF_LD_MAP_FD(BPF_REG_1, 0),
5880 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5881 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5882 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5883 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5884 offsetof(struct test_val, foo)),
5885 BPF_MOV64_IMM(BPF_REG_2, 0),
5886 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5889 .fixup_map_hash_48b = { 3 },
5890 .errstr = "invalid access to map value, value_size=48 off=4 size=0",
5892 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5895 "helper access to adjusted map (via const imm): out-of-bound range",
5897 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5898 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5899 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5900 BPF_LD_MAP_FD(BPF_REG_1, 0),
5901 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5902 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5903 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5904 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5905 offsetof(struct test_val, foo)),
5906 BPF_MOV64_IMM(BPF_REG_2,
5907 sizeof(struct test_val) -
5908 offsetof(struct test_val, foo) + 8),
5909 BPF_MOV64_IMM(BPF_REG_3, 0),
5910 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5913 .fixup_map_hash_48b = { 3 },
5914 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
5916 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5919 "helper access to adjusted map (via const imm): negative range (> adjustment)",
5921 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5922 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5923 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5924 BPF_LD_MAP_FD(BPF_REG_1, 0),
5925 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5926 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5927 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5928 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5929 offsetof(struct test_val, foo)),
5930 BPF_MOV64_IMM(BPF_REG_2, -8),
5931 BPF_MOV64_IMM(BPF_REG_3, 0),
5932 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5935 .fixup_map_hash_48b = { 3 },
5936 .errstr = "R2 min value is negative",
5938 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5941 "helper access to adjusted map (via const imm): negative range (< adjustment)",
5943 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5944 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5945 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5946 BPF_LD_MAP_FD(BPF_REG_1, 0),
5947 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5948 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5949 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5950 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5951 offsetof(struct test_val, foo)),
5952 BPF_MOV64_IMM(BPF_REG_2, -1),
5953 BPF_MOV64_IMM(BPF_REG_3, 0),
5954 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5957 .fixup_map_hash_48b = { 3 },
5958 .errstr = "R2 min value is negative",
5960 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5963 "helper access to adjusted map (via const reg): full range",
5965 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5966 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5967 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5968 BPF_LD_MAP_FD(BPF_REG_1, 0),
5969 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5970 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5971 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5972 BPF_MOV64_IMM(BPF_REG_3,
5973 offsetof(struct test_val, foo)),
5974 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5975 BPF_MOV64_IMM(BPF_REG_2,
5976 sizeof(struct test_val) -
5977 offsetof(struct test_val, foo)),
5978 BPF_MOV64_IMM(BPF_REG_3, 0),
5979 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5982 .fixup_map_hash_48b = { 3 },
5984 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5987 "helper access to adjusted map (via const reg): partial range",
5989 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5990 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5991 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5992 BPF_LD_MAP_FD(BPF_REG_1, 0),
5993 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5994 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5995 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5996 BPF_MOV64_IMM(BPF_REG_3,
5997 offsetof(struct test_val, foo)),
5998 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5999 BPF_MOV64_IMM(BPF_REG_2, 8),
6000 BPF_MOV64_IMM(BPF_REG_3, 0),
6001 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6004 .fixup_map_hash_48b = { 3 },
6006 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6009 "helper access to adjusted map (via const reg): empty range",
6011 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6012 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6013 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6014 BPF_LD_MAP_FD(BPF_REG_1, 0),
6015 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6016 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6017 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6018 BPF_MOV64_IMM(BPF_REG_3, 0),
6019 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6020 BPF_MOV64_IMM(BPF_REG_2, 0),
6021 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
6024 .fixup_map_hash_48b = { 3 },
6025 .errstr = "R1 min value is outside of the array range",
6027 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6030 "helper access to adjusted map (via const reg): out-of-bound range",
6032 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6033 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6034 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6035 BPF_LD_MAP_FD(BPF_REG_1, 0),
6036 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6037 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6038 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6039 BPF_MOV64_IMM(BPF_REG_3,
6040 offsetof(struct test_val, foo)),
6041 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6042 BPF_MOV64_IMM(BPF_REG_2,
6043 sizeof(struct test_val) -
6044 offsetof(struct test_val, foo) + 8),
6045 BPF_MOV64_IMM(BPF_REG_3, 0),
6046 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6049 .fixup_map_hash_48b = { 3 },
6050 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
6052 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6055 "helper access to adjusted map (via const reg): negative range (> adjustment)",
6057 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6058 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6059 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6060 BPF_LD_MAP_FD(BPF_REG_1, 0),
6061 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6062 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6063 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6064 BPF_MOV64_IMM(BPF_REG_3,
6065 offsetof(struct test_val, foo)),
6066 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6067 BPF_MOV64_IMM(BPF_REG_2, -8),
6068 BPF_MOV64_IMM(BPF_REG_3, 0),
6069 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6072 .fixup_map_hash_48b = { 3 },
6073 .errstr = "R2 min value is negative",
6075 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6078 "helper access to adjusted map (via const reg): negative range (< adjustment)",
6080 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6081 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6082 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6083 BPF_LD_MAP_FD(BPF_REG_1, 0),
6084 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6085 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6086 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6087 BPF_MOV64_IMM(BPF_REG_3,
6088 offsetof(struct test_val, foo)),
6089 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6090 BPF_MOV64_IMM(BPF_REG_2, -1),
6091 BPF_MOV64_IMM(BPF_REG_3, 0),
6092 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6095 .fixup_map_hash_48b = { 3 },
6096 .errstr = "R2 min value is negative",
6098 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6101 "helper access to adjusted map (via variable): full range",
6103 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6104 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6105 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6106 BPF_LD_MAP_FD(BPF_REG_1, 0),
6107 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6108 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6109 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6110 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6111 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6112 offsetof(struct test_val, foo), 4),
6113 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6114 BPF_MOV64_IMM(BPF_REG_2,
6115 sizeof(struct test_val) -
6116 offsetof(struct test_val, foo)),
6117 BPF_MOV64_IMM(BPF_REG_3, 0),
6118 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6121 .fixup_map_hash_48b = { 3 },
6123 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6126 "helper access to adjusted map (via variable): partial range",
6128 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6129 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6130 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6131 BPF_LD_MAP_FD(BPF_REG_1, 0),
6132 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6133 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6134 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6135 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6136 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6137 offsetof(struct test_val, foo), 4),
6138 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6139 BPF_MOV64_IMM(BPF_REG_2, 8),
6140 BPF_MOV64_IMM(BPF_REG_3, 0),
6141 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6144 .fixup_map_hash_48b = { 3 },
6146 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6149 "helper access to adjusted map (via variable): empty range",
6151 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6152 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6153 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6154 BPF_LD_MAP_FD(BPF_REG_1, 0),
6155 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6156 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6157 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6158 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6159 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6160 offsetof(struct test_val, foo), 3),
6161 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6162 BPF_MOV64_IMM(BPF_REG_2, 0),
6163 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
6166 .fixup_map_hash_48b = { 3 },
6167 .errstr = "R1 min value is outside of the array range",
6169 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6172 "helper access to adjusted map (via variable): no max check",
6174 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6175 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6176 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6177 BPF_LD_MAP_FD(BPF_REG_1, 0),
6178 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6179 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6180 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6181 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6182 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6183 BPF_MOV64_IMM(BPF_REG_2, 1),
6184 BPF_MOV64_IMM(BPF_REG_3, 0),
6185 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6188 .fixup_map_hash_48b = { 3 },
6189 .errstr = "R1 unbounded memory access",
6191 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6194 "helper access to adjusted map (via variable): wrong max check",
6196 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6197 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6198 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6199 BPF_LD_MAP_FD(BPF_REG_1, 0),
6200 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6201 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6202 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6203 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6204 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6205 offsetof(struct test_val, foo), 4),
6206 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6207 BPF_MOV64_IMM(BPF_REG_2,
6208 sizeof(struct test_val) -
6209 offsetof(struct test_val, foo) + 1),
6210 BPF_MOV64_IMM(BPF_REG_3, 0),
6211 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6214 .fixup_map_hash_48b = { 3 },
6215 .errstr = "invalid access to map value, value_size=48 off=4 size=45",
6217 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6220 "helper access to map: bounds check using <, good access",
6222 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6223 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6224 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6225 BPF_LD_MAP_FD(BPF_REG_1, 0),
6226 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6227 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6228 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6229 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6230 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
6231 BPF_MOV64_IMM(BPF_REG_0, 0),
6233 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6234 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6235 BPF_MOV64_IMM(BPF_REG_0, 0),
6238 .fixup_map_hash_48b = { 3 },
6240 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6243 "helper access to map: bounds check using <, bad access",
6245 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6246 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6247 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6248 BPF_LD_MAP_FD(BPF_REG_1, 0),
6249 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6250 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6251 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6252 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6253 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
6254 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6255 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6256 BPF_MOV64_IMM(BPF_REG_0, 0),
6258 BPF_MOV64_IMM(BPF_REG_0, 0),
6261 .fixup_map_hash_48b = { 3 },
6263 .errstr = "R1 unbounded memory access",
6264 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6267 "helper access to map: bounds check using <=, good access",
6269 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6270 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6271 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6272 BPF_LD_MAP_FD(BPF_REG_1, 0),
6273 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6274 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6275 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6276 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6277 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
6278 BPF_MOV64_IMM(BPF_REG_0, 0),
6280 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6281 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6282 BPF_MOV64_IMM(BPF_REG_0, 0),
6285 .fixup_map_hash_48b = { 3 },
6287 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6290 "helper access to map: bounds check using <=, bad access",
6292 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6293 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6294 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6295 BPF_LD_MAP_FD(BPF_REG_1, 0),
6296 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6297 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6298 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6299 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6300 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
6301 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6302 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6303 BPF_MOV64_IMM(BPF_REG_0, 0),
6305 BPF_MOV64_IMM(BPF_REG_0, 0),
6308 .fixup_map_hash_48b = { 3 },
6310 .errstr = "R1 unbounded memory access",
6311 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6314 "helper access to map: bounds check using s<, good access",
6316 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6317 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6318 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6319 BPF_LD_MAP_FD(BPF_REG_1, 0),
6320 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6321 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6322 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6323 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6324 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
6325 BPF_MOV64_IMM(BPF_REG_0, 0),
6327 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
6328 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6329 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6330 BPF_MOV64_IMM(BPF_REG_0, 0),
6333 .fixup_map_hash_48b = { 3 },
6335 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6338 "helper access to map: bounds check using s<, good access 2",
6340 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6341 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6342 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6343 BPF_LD_MAP_FD(BPF_REG_1, 0),
6344 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6345 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6346 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6347 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6348 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
6349 BPF_MOV64_IMM(BPF_REG_0, 0),
6351 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
6352 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6353 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6354 BPF_MOV64_IMM(BPF_REG_0, 0),
6357 .fixup_map_hash_48b = { 3 },
6359 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6362 "helper access to map: bounds check using s<, bad access",
6364 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6365 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6366 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6367 BPF_LD_MAP_FD(BPF_REG_1, 0),
6368 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6369 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6370 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6371 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
6372 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
6373 BPF_MOV64_IMM(BPF_REG_0, 0),
6375 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
6376 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6377 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6378 BPF_MOV64_IMM(BPF_REG_0, 0),
6381 .fixup_map_hash_48b = { 3 },
6383 .errstr = "R1 min value is negative",
6384 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6387 "helper access to map: bounds check using s<=, good access",
6389 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6390 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6391 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6392 BPF_LD_MAP_FD(BPF_REG_1, 0),
6393 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6394 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6395 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6396 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6397 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
6398 BPF_MOV64_IMM(BPF_REG_0, 0),
6400 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
6401 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6402 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6403 BPF_MOV64_IMM(BPF_REG_0, 0),
6406 .fixup_map_hash_48b = { 3 },
6408 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6411 "helper access to map: bounds check using s<=, good access 2",
6413 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6414 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6415 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6416 BPF_LD_MAP_FD(BPF_REG_1, 0),
6417 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6418 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6419 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6420 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6421 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
6422 BPF_MOV64_IMM(BPF_REG_0, 0),
6424 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
6425 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6426 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6427 BPF_MOV64_IMM(BPF_REG_0, 0),
6430 .fixup_map_hash_48b = { 3 },
6432 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6435 "helper access to map: bounds check using s<=, bad access",
6437 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6438 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6439 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6440 BPF_LD_MAP_FD(BPF_REG_1, 0),
6441 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6442 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6443 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6444 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
6445 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
6446 BPF_MOV64_IMM(BPF_REG_0, 0),
6448 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
6449 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6450 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6451 BPF_MOV64_IMM(BPF_REG_0, 0),
6454 .fixup_map_hash_48b = { 3 },
6456 .errstr = "R1 min value is negative",
6457 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6460 "map access: known scalar += value_ptr",
6462 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6463 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6464 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6465 BPF_LD_MAP_FD(BPF_REG_1, 0),
6466 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6467 BPF_FUNC_map_lookup_elem),
6468 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
6469 BPF_MOV64_IMM(BPF_REG_1, 4),
6470 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
6471 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
6472 BPF_MOV64_IMM(BPF_REG_0, 1),
6475 .fixup_map_array_48b = { 3 },
6480 "map access: value_ptr += known scalar",
6482 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6483 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6484 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6485 BPF_LD_MAP_FD(BPF_REG_1, 0),
6486 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6487 BPF_FUNC_map_lookup_elem),
6488 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
6489 BPF_MOV64_IMM(BPF_REG_1, 4),
6490 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6491 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6492 BPF_MOV64_IMM(BPF_REG_0, 1),
6495 .fixup_map_array_48b = { 3 },
6500 "map access: unknown scalar += value_ptr",
6502 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6503 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6504 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6505 BPF_LD_MAP_FD(BPF_REG_1, 0),
6506 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6507 BPF_FUNC_map_lookup_elem),
6508 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6509 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6510 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
6511 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
6512 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
6513 BPF_MOV64_IMM(BPF_REG_0, 1),
6516 .fixup_map_array_48b = { 3 },
6521 "map access: value_ptr += unknown scalar",
6523 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6524 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6525 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6526 BPF_LD_MAP_FD(BPF_REG_1, 0),
6527 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6528 BPF_FUNC_map_lookup_elem),
6529 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6530 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6531 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
6532 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6533 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6534 BPF_MOV64_IMM(BPF_REG_0, 1),
6537 .fixup_map_array_48b = { 3 },
6542 "map access: value_ptr += value_ptr",
6544 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6545 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6546 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6547 BPF_LD_MAP_FD(BPF_REG_1, 0),
6548 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6549 BPF_FUNC_map_lookup_elem),
6550 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6551 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_0),
6552 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6553 BPF_MOV64_IMM(BPF_REG_0, 1),
6556 .fixup_map_array_48b = { 3 },
6558 .errstr = "R0 pointer += pointer prohibited",
6561 "map access: known scalar -= value_ptr",
6563 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6564 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6565 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6566 BPF_LD_MAP_FD(BPF_REG_1, 0),
6567 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6568 BPF_FUNC_map_lookup_elem),
6569 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
6570 BPF_MOV64_IMM(BPF_REG_1, 4),
6571 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
6572 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
6573 BPF_MOV64_IMM(BPF_REG_0, 1),
6576 .fixup_map_array_48b = { 3 },
6578 .errstr = "R1 tried to subtract pointer from scalar",
6581 "map access: value_ptr -= known scalar",
6583 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6584 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6585 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6586 BPF_LD_MAP_FD(BPF_REG_1, 0),
6587 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6588 BPF_FUNC_map_lookup_elem),
6589 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
6590 BPF_MOV64_IMM(BPF_REG_1, 4),
6591 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
6592 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6593 BPF_MOV64_IMM(BPF_REG_0, 1),
6596 .fixup_map_array_48b = { 3 },
6598 .errstr = "R0 min value is outside of the array range",
6601 "map access: value_ptr -= known scalar, 2",
6603 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6604 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6605 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6606 BPF_LD_MAP_FD(BPF_REG_1, 0),
6607 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6608 BPF_FUNC_map_lookup_elem),
6609 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6610 BPF_MOV64_IMM(BPF_REG_1, 6),
6611 BPF_MOV64_IMM(BPF_REG_2, 4),
6612 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6613 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
6614 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6615 BPF_MOV64_IMM(BPF_REG_0, 1),
6618 .fixup_map_array_48b = { 3 },
6623 "map access: unknown scalar -= value_ptr",
6625 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6626 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6627 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6628 BPF_LD_MAP_FD(BPF_REG_1, 0),
6629 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6630 BPF_FUNC_map_lookup_elem),
6631 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6632 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6633 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
6634 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
6635 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
6636 BPF_MOV64_IMM(BPF_REG_0, 1),
6639 .fixup_map_array_48b = { 3 },
6641 .errstr = "R1 tried to subtract pointer from scalar",
6644 "map access: value_ptr -= unknown scalar",
6646 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6647 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6648 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6649 BPF_LD_MAP_FD(BPF_REG_1, 0),
6650 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6651 BPF_FUNC_map_lookup_elem),
6652 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6653 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6654 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
6655 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
6656 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6657 BPF_MOV64_IMM(BPF_REG_0, 1),
6660 .fixup_map_array_48b = { 3 },
6662 .errstr = "R0 min value is negative",
6665 "map access: value_ptr -= unknown scalar, 2",
6667 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6668 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6669 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6670 BPF_LD_MAP_FD(BPF_REG_1, 0),
6671 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6672 BPF_FUNC_map_lookup_elem),
6673 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
6674 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6675 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
6676 BPF_ALU64_IMM(BPF_OR, BPF_REG_1, 0x7),
6677 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6678 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6679 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7),
6680 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
6681 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6682 BPF_MOV64_IMM(BPF_REG_0, 1),
6685 .fixup_map_array_48b = { 3 },
6690 "map access: value_ptr -= value_ptr",
6692 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6693 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6694 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6695 BPF_LD_MAP_FD(BPF_REG_1, 0),
6696 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6697 BPF_FUNC_map_lookup_elem),
6698 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6699 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_0),
6700 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6701 BPF_MOV64_IMM(BPF_REG_0, 1),
6704 .fixup_map_array_48b = { 3 },
6706 .errstr = "R0 invalid mem access 'inv'",
6707 .errstr_unpriv = "R0 pointer -= pointer prohibited",
6710 "map lookup helper access to map",
6712 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6713 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6714 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6715 BPF_LD_MAP_FD(BPF_REG_1, 0),
6716 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6717 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6718 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6719 BPF_LD_MAP_FD(BPF_REG_1, 0),
6720 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6723 .fixup_map_hash_16b = { 3, 8 },
6725 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6728 "map update helper access to map",
6730 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6731 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6732 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6733 BPF_LD_MAP_FD(BPF_REG_1, 0),
6734 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6735 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6736 BPF_MOV64_IMM(BPF_REG_4, 0),
6737 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
6738 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6739 BPF_LD_MAP_FD(BPF_REG_1, 0),
6740 BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
6743 .fixup_map_hash_16b = { 3, 10 },
6745 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6748 "map update helper access to map: wrong size",
6750 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6751 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6752 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6753 BPF_LD_MAP_FD(BPF_REG_1, 0),
6754 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6755 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6756 BPF_MOV64_IMM(BPF_REG_4, 0),
6757 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
6758 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6759 BPF_LD_MAP_FD(BPF_REG_1, 0),
6760 BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
6763 .fixup_map_hash_8b = { 3 },
6764 .fixup_map_hash_16b = { 10 },
6766 .errstr = "invalid access to map value, value_size=8 off=0 size=16",
6767 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6770 "map helper access to adjusted map (via const imm)",
6772 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6773 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6774 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6775 BPF_LD_MAP_FD(BPF_REG_1, 0),
6776 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6777 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6778 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6779 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
6780 offsetof(struct other_val, bar)),
6781 BPF_LD_MAP_FD(BPF_REG_1, 0),
6782 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6785 .fixup_map_hash_16b = { 3, 9 },
6787 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6790 "map helper access to adjusted map (via const imm): out-of-bound 1",
6792 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6793 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6794 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6795 BPF_LD_MAP_FD(BPF_REG_1, 0),
6796 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6797 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6798 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6799 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
6800 sizeof(struct other_val) - 4),
6801 BPF_LD_MAP_FD(BPF_REG_1, 0),
6802 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6805 .fixup_map_hash_16b = { 3, 9 },
6807 .errstr = "invalid access to map value, value_size=16 off=12 size=8",
6808 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6811 "map helper access to adjusted map (via const imm): out-of-bound 2",
6813 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6814 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6815 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6816 BPF_LD_MAP_FD(BPF_REG_1, 0),
6817 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6818 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6819 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6820 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6821 BPF_LD_MAP_FD(BPF_REG_1, 0),
6822 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6825 .fixup_map_hash_16b = { 3, 9 },
6827 .errstr = "invalid access to map value, value_size=16 off=-4 size=8",
6828 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6831 "map helper access to adjusted map (via const reg)",
6833 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6834 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6835 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6836 BPF_LD_MAP_FD(BPF_REG_1, 0),
6837 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6838 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6839 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6840 BPF_MOV64_IMM(BPF_REG_3,
6841 offsetof(struct other_val, bar)),
6842 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6843 BPF_LD_MAP_FD(BPF_REG_1, 0),
6844 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6847 .fixup_map_hash_16b = { 3, 10 },
6849 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6852 "map helper access to adjusted map (via const reg): out-of-bound 1",
6854 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6855 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6856 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6857 BPF_LD_MAP_FD(BPF_REG_1, 0),
6858 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6859 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6860 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6861 BPF_MOV64_IMM(BPF_REG_3,
6862 sizeof(struct other_val) - 4),
6863 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6864 BPF_LD_MAP_FD(BPF_REG_1, 0),
6865 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6868 .fixup_map_hash_16b = { 3, 10 },
6870 .errstr = "invalid access to map value, value_size=16 off=12 size=8",
6871 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6874 "map helper access to adjusted map (via const reg): out-of-bound 2",
6876 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6877 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6878 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6879 BPF_LD_MAP_FD(BPF_REG_1, 0),
6880 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6881 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6882 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6883 BPF_MOV64_IMM(BPF_REG_3, -4),
6884 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6885 BPF_LD_MAP_FD(BPF_REG_1, 0),
6886 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6889 .fixup_map_hash_16b = { 3, 10 },
6891 .errstr = "invalid access to map value, value_size=16 off=-4 size=8",
6892 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6895 "map helper access to adjusted map (via variable)",
6897 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6898 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6899 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6900 BPF_LD_MAP_FD(BPF_REG_1, 0),
6901 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6902 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6903 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6904 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6905 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6906 offsetof(struct other_val, bar), 4),
6907 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6908 BPF_LD_MAP_FD(BPF_REG_1, 0),
6909 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6912 .fixup_map_hash_16b = { 3, 11 },
6914 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6917 "map helper access to adjusted map (via variable): no max check",
6919 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6920 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6921 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6922 BPF_LD_MAP_FD(BPF_REG_1, 0),
6923 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6924 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6925 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6926 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6927 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6928 BPF_LD_MAP_FD(BPF_REG_1, 0),
6929 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6932 .fixup_map_hash_16b = { 3, 10 },
6934 .errstr = "R2 unbounded memory access, make sure to bounds check any array access into a map",
6935 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6938 "map helper access to adjusted map (via variable): wrong max check",
6940 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6941 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6942 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6943 BPF_LD_MAP_FD(BPF_REG_1, 0),
6944 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6945 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6946 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6947 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6948 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6949 offsetof(struct other_val, bar) + 1, 4),
6950 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6951 BPF_LD_MAP_FD(BPF_REG_1, 0),
6952 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6955 .fixup_map_hash_16b = { 3, 11 },
6957 .errstr = "invalid access to map value, value_size=16 off=9 size=8",
6958 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6961 "map element value is preserved across register spilling",
6963 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6964 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6965 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6966 BPF_LD_MAP_FD(BPF_REG_1, 0),
6967 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6968 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6969 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6970 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6971 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
6972 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6973 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6974 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6977 .fixup_map_hash_48b = { 3 },
6978 .errstr_unpriv = "R0 leaks addr",
6980 .result_unpriv = REJECT,
6983 "map element value or null is marked on register spilling",
6985 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6986 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6987 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6988 BPF_LD_MAP_FD(BPF_REG_1, 0),
6989 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6990 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6991 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
6992 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6993 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6994 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6995 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6998 .fixup_map_hash_48b = { 3 },
6999 .errstr_unpriv = "R0 leaks addr",
7001 .result_unpriv = REJECT,
7004 "map element value store of cleared call register",
7006 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7007 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7008 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7009 BPF_LD_MAP_FD(BPF_REG_1, 0),
7010 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7011 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
7012 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
7015 .fixup_map_hash_48b = { 3 },
7016 .errstr_unpriv = "R1 !read_ok",
7017 .errstr = "R1 !read_ok",
7019 .result_unpriv = REJECT,
7022 "map element value with unaligned store",
7024 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7025 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7026 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7027 BPF_LD_MAP_FD(BPF_REG_1, 0),
7028 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7029 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
7030 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
7031 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
7032 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
7033 BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
7034 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
7035 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
7036 BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
7037 BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
7038 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
7039 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
7040 BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
7041 BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
7042 BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
7043 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
7044 BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
7045 BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
7046 BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
7049 .fixup_map_hash_48b = { 3 },
7050 .errstr_unpriv = "R0 leaks addr",
7052 .result_unpriv = REJECT,
7053 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7056 "map element value with unaligned load",
7058 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7059 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7060 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7061 BPF_LD_MAP_FD(BPF_REG_1, 0),
7062 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7063 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
7064 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
7065 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
7066 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
7067 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
7068 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
7069 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
7070 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
7071 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
7072 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
7073 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
7074 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
7077 .fixup_map_hash_48b = { 3 },
7078 .errstr_unpriv = "R0 leaks addr",
7080 .result_unpriv = REJECT,
7081 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7084 "map element value illegal alu op, 1",
7086 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7087 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7088 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7089 BPF_LD_MAP_FD(BPF_REG_1, 0),
7090 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7091 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7092 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
7093 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
7096 .fixup_map_hash_48b = { 3 },
7097 .errstr = "R0 bitwise operator &= on pointer",
7101 "map element value illegal alu op, 2",
7103 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7104 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7105 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7106 BPF_LD_MAP_FD(BPF_REG_1, 0),
7107 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7108 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7109 BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
7110 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
7113 .fixup_map_hash_48b = { 3 },
7114 .errstr = "R0 32-bit pointer arithmetic prohibited",
7118 "map element value illegal alu op, 3",
7120 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7121 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7122 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7123 BPF_LD_MAP_FD(BPF_REG_1, 0),
7124 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7125 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7126 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
7127 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
7130 .fixup_map_hash_48b = { 3 },
7131 .errstr = "R0 pointer arithmetic with /= operator",
7135 "map element value illegal alu op, 4",
7137 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7138 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7139 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7140 BPF_LD_MAP_FD(BPF_REG_1, 0),
7141 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7142 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7143 BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),
7144 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
7147 .fixup_map_hash_48b = { 3 },
7148 .errstr_unpriv = "R0 pointer arithmetic prohibited",
7149 .errstr = "invalid mem access 'inv'",
7151 .result_unpriv = REJECT,
7154 "map element value illegal alu op, 5",
7156 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7157 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7158 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7159 BPF_LD_MAP_FD(BPF_REG_1, 0),
7160 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7161 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7162 BPF_MOV64_IMM(BPF_REG_3, 4096),
7163 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7164 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7165 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
7166 BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
7167 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
7168 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
7171 .fixup_map_hash_48b = { 3 },
7172 .errstr = "R0 invalid mem access 'inv'",
7176 "map element value is preserved across register spilling",
7178 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7179 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7180 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7181 BPF_LD_MAP_FD(BPF_REG_1, 0),
7182 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7183 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7184 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0,
7185 offsetof(struct test_val, foo)),
7186 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
7187 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7188 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
7189 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
7190 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
7191 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
7194 .fixup_map_hash_48b = { 3 },
7195 .errstr_unpriv = "R0 leaks addr",
7197 .result_unpriv = REJECT,
7198 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7201 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
7203 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7204 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7205 BPF_MOV64_IMM(BPF_REG_0, 0),
7206 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7207 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7208 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7209 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7210 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
7211 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7212 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7213 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7214 BPF_MOV64_IMM(BPF_REG_2, 16),
7215 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7216 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7217 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
7218 BPF_MOV64_IMM(BPF_REG_4, 0),
7219 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
7220 BPF_MOV64_IMM(BPF_REG_3, 0),
7221 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7222 BPF_MOV64_IMM(BPF_REG_0, 0),
7226 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7229 "helper access to variable memory: stack, bitwise AND, zero included",
7231 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7232 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7233 BPF_MOV64_IMM(BPF_REG_2, 16),
7234 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7235 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7236 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
7237 BPF_MOV64_IMM(BPF_REG_3, 0),
7238 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7241 .errstr = "invalid indirect read from stack off -64+0 size 64",
7243 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7246 "helper access to variable memory: stack, bitwise AND + JMP, wrong max",
7248 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7249 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7250 BPF_MOV64_IMM(BPF_REG_2, 16),
7251 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7252 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7253 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
7254 BPF_MOV64_IMM(BPF_REG_4, 0),
7255 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
7256 BPF_MOV64_IMM(BPF_REG_3, 0),
7257 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7258 BPF_MOV64_IMM(BPF_REG_0, 0),
7261 .errstr = "invalid stack type R1 off=-64 access_size=65",
7263 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7266 "helper access to variable memory: stack, JMP, correct bounds",
7268 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7269 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7270 BPF_MOV64_IMM(BPF_REG_0, 0),
7271 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7272 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7273 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7274 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7275 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
7276 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7277 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7278 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7279 BPF_MOV64_IMM(BPF_REG_2, 16),
7280 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7281 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7282 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
7283 BPF_MOV64_IMM(BPF_REG_4, 0),
7284 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
7285 BPF_MOV64_IMM(BPF_REG_3, 0),
7286 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7287 BPF_MOV64_IMM(BPF_REG_0, 0),
7291 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7294 "helper access to variable memory: stack, JMP (signed), correct bounds",
7296 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7297 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7298 BPF_MOV64_IMM(BPF_REG_0, 0),
7299 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7300 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7301 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7302 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7303 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
7304 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7305 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7306 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7307 BPF_MOV64_IMM(BPF_REG_2, 16),
7308 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7309 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7310 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
7311 BPF_MOV64_IMM(BPF_REG_4, 0),
7312 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
7313 BPF_MOV64_IMM(BPF_REG_3, 0),
7314 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7315 BPF_MOV64_IMM(BPF_REG_0, 0),
7319 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7322 "helper access to variable memory: stack, JMP, bounds + offset",
7324 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7325 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7326 BPF_MOV64_IMM(BPF_REG_2, 16),
7327 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7328 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7329 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
7330 BPF_MOV64_IMM(BPF_REG_4, 0),
7331 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
7332 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
7333 BPF_MOV64_IMM(BPF_REG_3, 0),
7334 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7335 BPF_MOV64_IMM(BPF_REG_0, 0),
7338 .errstr = "invalid stack type R1 off=-64 access_size=65",
7340 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7343 "helper access to variable memory: stack, JMP, wrong max",
7345 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7346 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7347 BPF_MOV64_IMM(BPF_REG_2, 16),
7348 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7349 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7350 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
7351 BPF_MOV64_IMM(BPF_REG_4, 0),
7352 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
7353 BPF_MOV64_IMM(BPF_REG_3, 0),
7354 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7355 BPF_MOV64_IMM(BPF_REG_0, 0),
7358 .errstr = "invalid stack type R1 off=-64 access_size=65",
7360 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7363 "helper access to variable memory: stack, JMP, no max check",
7365 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7366 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7367 BPF_MOV64_IMM(BPF_REG_2, 16),
7368 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7369 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7370 BPF_MOV64_IMM(BPF_REG_4, 0),
7371 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
7372 BPF_MOV64_IMM(BPF_REG_3, 0),
7373 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7374 BPF_MOV64_IMM(BPF_REG_0, 0),
7377 /* because max wasn't checked, signed min is negative */
7378 .errstr = "R2 min value is negative, either use unsigned or 'var &= const'",
7380 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7383 "helper access to variable memory: stack, JMP, no min check",
7385 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7386 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7387 BPF_MOV64_IMM(BPF_REG_2, 16),
7388 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7389 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7390 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
7391 BPF_MOV64_IMM(BPF_REG_3, 0),
7392 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7393 BPF_MOV64_IMM(BPF_REG_0, 0),
7396 .errstr = "invalid indirect read from stack off -64+0 size 64",
7398 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7401 "helper access to variable memory: stack, JMP (signed), no min check",
7403 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7404 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7405 BPF_MOV64_IMM(BPF_REG_2, 16),
7406 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7407 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7408 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
7409 BPF_MOV64_IMM(BPF_REG_3, 0),
7410 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7411 BPF_MOV64_IMM(BPF_REG_0, 0),
7414 .errstr = "R2 min value is negative",
7416 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7419 "helper access to variable memory: map, JMP, correct bounds",
7421 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7422 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7423 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7424 BPF_LD_MAP_FD(BPF_REG_1, 0),
7425 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7426 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
7427 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7428 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
7429 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7430 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7431 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
7432 sizeof(struct test_val), 4),
7433 BPF_MOV64_IMM(BPF_REG_4, 0),
7434 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
7435 BPF_MOV64_IMM(BPF_REG_3, 0),
7436 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7437 BPF_MOV64_IMM(BPF_REG_0, 0),
7440 .fixup_map_hash_48b = { 3 },
7442 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7445 "helper access to variable memory: map, JMP, wrong max",
7447 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7448 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7449 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7450 BPF_LD_MAP_FD(BPF_REG_1, 0),
7451 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7452 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
7453 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7454 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
7455 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7456 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7457 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
7458 sizeof(struct test_val) + 1, 4),
7459 BPF_MOV64_IMM(BPF_REG_4, 0),
7460 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
7461 BPF_MOV64_IMM(BPF_REG_3, 0),
7462 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7463 BPF_MOV64_IMM(BPF_REG_0, 0),
7466 .fixup_map_hash_48b = { 3 },
7467 .errstr = "invalid access to map value, value_size=48 off=0 size=49",
7469 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7472 "helper access to variable memory: map adjusted, JMP, correct bounds",
7474 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7475 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7476 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7477 BPF_LD_MAP_FD(BPF_REG_1, 0),
7478 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7479 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
7480 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7481 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
7482 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
7483 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7484 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7485 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
7486 sizeof(struct test_val) - 20, 4),
7487 BPF_MOV64_IMM(BPF_REG_4, 0),
7488 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
7489 BPF_MOV64_IMM(BPF_REG_3, 0),
7490 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7491 BPF_MOV64_IMM(BPF_REG_0, 0),
7494 .fixup_map_hash_48b = { 3 },
7496 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7499 "helper access to variable memory: map adjusted, JMP, wrong max",
7501 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7502 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7503 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7504 BPF_LD_MAP_FD(BPF_REG_1, 0),
7505 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7506 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
7507 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7508 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
7509 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
7510 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7511 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7512 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
7513 sizeof(struct test_val) - 19, 4),
7514 BPF_MOV64_IMM(BPF_REG_4, 0),
7515 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
7516 BPF_MOV64_IMM(BPF_REG_3, 0),
7517 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7518 BPF_MOV64_IMM(BPF_REG_0, 0),
7521 .fixup_map_hash_48b = { 3 },
7522 .errstr = "R1 min value is outside of the array range",
7524 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7527 "helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
7529 BPF_MOV64_IMM(BPF_REG_1, 0),
7530 BPF_MOV64_IMM(BPF_REG_2, 0),
7531 BPF_MOV64_IMM(BPF_REG_3, 0),
7532 BPF_MOV64_IMM(BPF_REG_4, 0),
7533 BPF_MOV64_IMM(BPF_REG_5, 0),
7534 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7538 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7541 "helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
7543 BPF_MOV64_IMM(BPF_REG_1, 0),
7544 BPF_MOV64_IMM(BPF_REG_2, 1),
7545 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7546 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7547 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
7548 BPF_MOV64_IMM(BPF_REG_3, 0),
7549 BPF_MOV64_IMM(BPF_REG_4, 0),
7550 BPF_MOV64_IMM(BPF_REG_5, 0),
7551 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7554 .errstr = "R1 type=inv expected=fp",
7556 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7559 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
7561 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7562 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
7563 BPF_MOV64_IMM(BPF_REG_2, 0),
7564 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
7565 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
7566 BPF_MOV64_IMM(BPF_REG_3, 0),
7567 BPF_MOV64_IMM(BPF_REG_4, 0),
7568 BPF_MOV64_IMM(BPF_REG_5, 0),
7569 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7573 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7576 "helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
7578 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7579 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7580 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7581 BPF_LD_MAP_FD(BPF_REG_1, 0),
7582 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7583 BPF_FUNC_map_lookup_elem),
7584 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7585 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7586 BPF_MOV64_IMM(BPF_REG_2, 0),
7587 BPF_MOV64_IMM(BPF_REG_3, 0),
7588 BPF_MOV64_IMM(BPF_REG_4, 0),
7589 BPF_MOV64_IMM(BPF_REG_5, 0),
7590 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7593 .fixup_map_hash_8b = { 3 },
7595 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7598 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
7600 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7601 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7602 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7603 BPF_LD_MAP_FD(BPF_REG_1, 0),
7604 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7605 BPF_FUNC_map_lookup_elem),
7606 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7607 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
7608 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7),
7609 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7610 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
7611 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
7612 BPF_MOV64_IMM(BPF_REG_3, 0),
7613 BPF_MOV64_IMM(BPF_REG_4, 0),
7614 BPF_MOV64_IMM(BPF_REG_5, 0),
7615 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7618 .fixup_map_hash_8b = { 3 },
7620 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7623 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
7625 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7626 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7627 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7628 BPF_LD_MAP_FD(BPF_REG_1, 0),
7629 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7630 BPF_FUNC_map_lookup_elem),
7631 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7632 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7633 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
7634 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
7635 BPF_MOV64_IMM(BPF_REG_3, 0),
7636 BPF_MOV64_IMM(BPF_REG_4, 0),
7637 BPF_MOV64_IMM(BPF_REG_5, 0),
7638 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7641 .fixup_map_hash_8b = { 3 },
7643 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7646 "helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)",
7648 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
7649 offsetof(struct __sk_buff, data)),
7650 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7651 offsetof(struct __sk_buff, data_end)),
7652 BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),
7653 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
7654 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
7655 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
7656 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0),
7657 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
7658 BPF_MOV64_IMM(BPF_REG_3, 0),
7659 BPF_MOV64_IMM(BPF_REG_4, 0),
7660 BPF_MOV64_IMM(BPF_REG_5, 0),
7661 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7665 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7666 .retval = 0 /* csum_diff of 64-byte packet */,
7669 "helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
7671 BPF_MOV64_IMM(BPF_REG_1, 0),
7672 BPF_MOV64_IMM(BPF_REG_2, 0),
7673 BPF_MOV64_IMM(BPF_REG_3, 0),
7674 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7677 .errstr = "R1 type=inv expected=fp",
7679 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7682 "helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
7684 BPF_MOV64_IMM(BPF_REG_1, 0),
7685 BPF_MOV64_IMM(BPF_REG_2, 1),
7686 BPF_MOV64_IMM(BPF_REG_3, 0),
7687 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7690 .errstr = "R1 type=inv expected=fp",
7692 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7695 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
7697 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7698 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
7699 BPF_MOV64_IMM(BPF_REG_2, 0),
7700 BPF_MOV64_IMM(BPF_REG_3, 0),
7701 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7705 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7708 "helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
7710 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7711 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7712 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7713 BPF_LD_MAP_FD(BPF_REG_1, 0),
7714 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7715 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7716 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7717 BPF_MOV64_IMM(BPF_REG_2, 0),
7718 BPF_MOV64_IMM(BPF_REG_3, 0),
7719 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7722 .fixup_map_hash_8b = { 3 },
7724 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7727 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
7729 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7730 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7731 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7732 BPF_LD_MAP_FD(BPF_REG_1, 0),
7733 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7734 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7735 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
7736 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
7737 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7738 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
7739 BPF_MOV64_IMM(BPF_REG_3, 0),
7740 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7743 .fixup_map_hash_8b = { 3 },
7745 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7748 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
7750 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7751 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7752 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7753 BPF_LD_MAP_FD(BPF_REG_1, 0),
7754 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7755 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7756 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7757 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
7758 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2),
7759 BPF_MOV64_IMM(BPF_REG_3, 0),
7760 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7763 .fixup_map_hash_8b = { 3 },
7765 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7768 "helper access to variable memory: 8 bytes leak",
7770 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7771 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7772 BPF_MOV64_IMM(BPF_REG_0, 0),
7773 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7774 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7775 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7776 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7777 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7778 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7779 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7780 BPF_MOV64_IMM(BPF_REG_2, 1),
7781 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7782 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7783 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
7784 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
7785 BPF_MOV64_IMM(BPF_REG_3, 0),
7786 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7787 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7790 .errstr = "invalid indirect read from stack off -64+32 size 64",
7792 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7795 "helper access to variable memory: 8 bytes no leak (init memory)",
7797 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7798 BPF_MOV64_IMM(BPF_REG_0, 0),
7799 BPF_MOV64_IMM(BPF_REG_0, 0),
7800 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7801 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7802 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7803 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7804 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
7805 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7806 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7807 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7808 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7809 BPF_MOV64_IMM(BPF_REG_2, 0),
7810 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
7811 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
7812 BPF_MOV64_IMM(BPF_REG_3, 0),
7813 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7814 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7818 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7821 "invalid and of negative number",
7823 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7824 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7825 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7826 BPF_LD_MAP_FD(BPF_REG_1, 0),
7827 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7828 BPF_FUNC_map_lookup_elem),
7829 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7830 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7831 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4),
7832 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
7833 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7834 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
7835 offsetof(struct test_val, foo)),
7838 .fixup_map_hash_48b = { 3 },
7839 .errstr = "R0 max value is outside of the array range",
7841 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7844 "invalid range check",
7846 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7847 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7848 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7849 BPF_LD_MAP_FD(BPF_REG_1, 0),
7850 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7851 BPF_FUNC_map_lookup_elem),
7852 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12),
7853 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
7854 BPF_MOV64_IMM(BPF_REG_9, 1),
7855 BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2),
7856 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
7857 BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1),
7858 BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1),
7859 BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1),
7860 BPF_MOV32_IMM(BPF_REG_3, 1),
7861 BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9),
7862 BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000),
7863 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
7864 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),
7865 BPF_MOV64_REG(BPF_REG_0, 0),
7868 .fixup_map_hash_48b = { 3 },
7869 .errstr = "R0 max value is outside of the array range",
7871 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7874 "map in map access",
7876 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7877 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7878 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7879 BPF_LD_MAP_FD(BPF_REG_1, 0),
7880 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7881 BPF_FUNC_map_lookup_elem),
7882 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7883 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7884 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7885 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7886 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7887 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7888 BPF_FUNC_map_lookup_elem),
7889 BPF_MOV64_IMM(BPF_REG_0, 0),
7892 .fixup_map_in_map = { 3 },
7896 "invalid inner map pointer",
7898 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7899 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7900 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7901 BPF_LD_MAP_FD(BPF_REG_1, 0),
7902 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7903 BPF_FUNC_map_lookup_elem),
7904 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7905 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7906 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7907 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7908 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7909 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7910 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7911 BPF_FUNC_map_lookup_elem),
7912 BPF_MOV64_IMM(BPF_REG_0, 0),
7915 .fixup_map_in_map = { 3 },
7916 .errstr = "R1 pointer arithmetic on map_ptr prohibited",
7920 "forgot null checking on the inner map pointer",
7922 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7923 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7924 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7925 BPF_LD_MAP_FD(BPF_REG_1, 0),
7926 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7927 BPF_FUNC_map_lookup_elem),
7928 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7929 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7930 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7931 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7932 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7933 BPF_FUNC_map_lookup_elem),
7934 BPF_MOV64_IMM(BPF_REG_0, 0),
7937 .fixup_map_in_map = { 3 },
7938 .errstr = "R1 type=map_value_or_null expected=map_ptr",
7942 "ld_abs: check calling conv, r1",
7944 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7945 BPF_MOV64_IMM(BPF_REG_1, 0),
7946 BPF_LD_ABS(BPF_W, -0x200000),
7947 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
7950 .errstr = "R1 !read_ok",
7954 "ld_abs: check calling conv, r2",
7956 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7957 BPF_MOV64_IMM(BPF_REG_2, 0),
7958 BPF_LD_ABS(BPF_W, -0x200000),
7959 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7962 .errstr = "R2 !read_ok",
7966 "ld_abs: check calling conv, r3",
7968 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7969 BPF_MOV64_IMM(BPF_REG_3, 0),
7970 BPF_LD_ABS(BPF_W, -0x200000),
7971 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7974 .errstr = "R3 !read_ok",
7978 "ld_abs: check calling conv, r4",
7980 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7981 BPF_MOV64_IMM(BPF_REG_4, 0),
7982 BPF_LD_ABS(BPF_W, -0x200000),
7983 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
7986 .errstr = "R4 !read_ok",
7990 "ld_abs: check calling conv, r5",
7992 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7993 BPF_MOV64_IMM(BPF_REG_5, 0),
7994 BPF_LD_ABS(BPF_W, -0x200000),
7995 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
7998 .errstr = "R5 !read_ok",
8002 "ld_abs: check calling conv, r7",
8004 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8005 BPF_MOV64_IMM(BPF_REG_7, 0),
8006 BPF_LD_ABS(BPF_W, -0x200000),
8007 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
8013 "ld_abs: tests on r6 and skb data reload helper",
8015 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8016 BPF_LD_ABS(BPF_B, 0),
8017 BPF_LD_ABS(BPF_H, 0),
8018 BPF_LD_ABS(BPF_W, 0),
8019 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
8020 BPF_MOV64_IMM(BPF_REG_6, 0),
8021 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
8022 BPF_MOV64_IMM(BPF_REG_2, 1),
8023 BPF_MOV64_IMM(BPF_REG_3, 2),
8024 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8025 BPF_FUNC_skb_vlan_push),
8026 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
8027 BPF_LD_ABS(BPF_B, 0),
8028 BPF_LD_ABS(BPF_H, 0),
8029 BPF_LD_ABS(BPF_W, 0),
8030 BPF_MOV64_IMM(BPF_REG_0, 42),
8033 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8035 .retval = 42 /* ultimate return value */,
8038 "ld_ind: check calling conv, r1",
8040 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8041 BPF_MOV64_IMM(BPF_REG_1, 1),
8042 BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000),
8043 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
8046 .errstr = "R1 !read_ok",
8050 "ld_ind: check calling conv, r2",
8052 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8053 BPF_MOV64_IMM(BPF_REG_2, 1),
8054 BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000),
8055 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8058 .errstr = "R2 !read_ok",
8062 "ld_ind: check calling conv, r3",
8064 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8065 BPF_MOV64_IMM(BPF_REG_3, 1),
8066 BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000),
8067 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8070 .errstr = "R3 !read_ok",
8074 "ld_ind: check calling conv, r4",
8076 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8077 BPF_MOV64_IMM(BPF_REG_4, 1),
8078 BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000),
8079 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
8082 .errstr = "R4 !read_ok",
8086 "ld_ind: check calling conv, r5",
8088 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8089 BPF_MOV64_IMM(BPF_REG_5, 1),
8090 BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000),
8091 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
8094 .errstr = "R5 !read_ok",
8098 "ld_ind: check calling conv, r7",
8100 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8101 BPF_MOV64_IMM(BPF_REG_7, 1),
8102 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
8103 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
8110 "check bpf_perf_event_data->sample_period byte load permitted",
8112 BPF_MOV64_IMM(BPF_REG_0, 0),
8113 #if __BYTE_ORDER == __LITTLE_ENDIAN
8114 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
8115 offsetof(struct bpf_perf_event_data, sample_period)),
8117 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
8118 offsetof(struct bpf_perf_event_data, sample_period) + 7),
8123 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
8126 "check bpf_perf_event_data->sample_period half load permitted",
8128 BPF_MOV64_IMM(BPF_REG_0, 0),
8129 #if __BYTE_ORDER == __LITTLE_ENDIAN
8130 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
8131 offsetof(struct bpf_perf_event_data, sample_period)),
8133 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
8134 offsetof(struct bpf_perf_event_data, sample_period) + 6),
8139 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
8142 "check bpf_perf_event_data->sample_period word load permitted",
8144 BPF_MOV64_IMM(BPF_REG_0, 0),
8145 #if __BYTE_ORDER == __LITTLE_ENDIAN
8146 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8147 offsetof(struct bpf_perf_event_data, sample_period)),
8149 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8150 offsetof(struct bpf_perf_event_data, sample_period) + 4),
8155 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
8158 "check bpf_perf_event_data->sample_period dword load permitted",
8160 BPF_MOV64_IMM(BPF_REG_0, 0),
8161 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
8162 offsetof(struct bpf_perf_event_data, sample_period)),
8166 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
8169 "check skb->data half load not permitted",
8171 BPF_MOV64_IMM(BPF_REG_0, 0),
8172 #if __BYTE_ORDER == __LITTLE_ENDIAN
8173 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
8174 offsetof(struct __sk_buff, data)),
8176 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
8177 offsetof(struct __sk_buff, data) + 2),
8182 .errstr = "invalid bpf_context access",
8185 "check skb->tc_classid half load not permitted for lwt prog",
8187 BPF_MOV64_IMM(BPF_REG_0, 0),
8188 #if __BYTE_ORDER == __LITTLE_ENDIAN
8189 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
8190 offsetof(struct __sk_buff, tc_classid)),
8192 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
8193 offsetof(struct __sk_buff, tc_classid) + 2),
8198 .errstr = "invalid bpf_context access",
8199 .prog_type = BPF_PROG_TYPE_LWT_IN,
8202 "bounds checks mixing signed and unsigned, positive bounds",
8204 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8205 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8206 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8207 BPF_LD_MAP_FD(BPF_REG_1, 0),
8208 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8209 BPF_FUNC_map_lookup_elem),
8210 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
8211 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8212 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8213 BPF_MOV64_IMM(BPF_REG_2, 2),
8214 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3),
8215 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 4, 2),
8216 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8217 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8218 BPF_MOV64_IMM(BPF_REG_0, 0),
8221 .fixup_map_hash_8b = { 3 },
8222 .errstr = "unbounded min value",
8226 "bounds checks mixing signed and unsigned",
8228 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8229 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8230 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8231 BPF_LD_MAP_FD(BPF_REG_1, 0),
8232 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8233 BPF_FUNC_map_lookup_elem),
8234 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
8235 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8236 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8237 BPF_MOV64_IMM(BPF_REG_2, -1),
8238 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
8239 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8240 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8241 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8242 BPF_MOV64_IMM(BPF_REG_0, 0),
8245 .fixup_map_hash_8b = { 3 },
8246 .errstr = "unbounded min value",
8250 "bounds checks mixing signed and unsigned, variant 2",
8252 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8253 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8254 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8255 BPF_LD_MAP_FD(BPF_REG_1, 0),
8256 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8257 BPF_FUNC_map_lookup_elem),
8258 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8259 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8260 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8261 BPF_MOV64_IMM(BPF_REG_2, -1),
8262 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
8263 BPF_MOV64_IMM(BPF_REG_8, 0),
8264 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_1),
8265 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
8266 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
8267 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
8268 BPF_MOV64_IMM(BPF_REG_0, 0),
8271 .fixup_map_hash_8b = { 3 },
8272 .errstr = "unbounded min value",
8276 "bounds checks mixing signed and unsigned, variant 3",
8278 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8279 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8280 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8281 BPF_LD_MAP_FD(BPF_REG_1, 0),
8282 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8283 BPF_FUNC_map_lookup_elem),
8284 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
8285 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8286 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8287 BPF_MOV64_IMM(BPF_REG_2, -1),
8288 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4),
8289 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
8290 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
8291 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
8292 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
8293 BPF_MOV64_IMM(BPF_REG_0, 0),
8296 .fixup_map_hash_8b = { 3 },
8297 .errstr = "unbounded min value",
8301 "bounds checks mixing signed and unsigned, variant 4",
8303 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8304 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8305 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8306 BPF_LD_MAP_FD(BPF_REG_1, 0),
8307 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8308 BPF_FUNC_map_lookup_elem),
8309 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
8310 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8311 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8312 BPF_MOV64_IMM(BPF_REG_2, 1),
8313 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
8314 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8315 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8316 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8317 BPF_MOV64_IMM(BPF_REG_0, 0),
8320 .fixup_map_hash_8b = { 3 },
8324 "bounds checks mixing signed and unsigned, variant 5",
8326 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8327 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8328 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8329 BPF_LD_MAP_FD(BPF_REG_1, 0),
8330 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8331 BPF_FUNC_map_lookup_elem),
8332 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8333 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8334 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8335 BPF_MOV64_IMM(BPF_REG_2, -1),
8336 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
8337 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 4),
8338 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4),
8339 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
8340 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8341 BPF_MOV64_IMM(BPF_REG_0, 0),
8344 .fixup_map_hash_8b = { 3 },
8345 .errstr = "unbounded min value",
8349 "bounds checks mixing signed and unsigned, variant 6",
8351 BPF_MOV64_IMM(BPF_REG_2, 0),
8352 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
8353 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512),
8354 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8355 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16),
8356 BPF_MOV64_IMM(BPF_REG_6, -1),
8357 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5),
8358 BPF_JMP_IMM(BPF_JSGT, BPF_REG_4, 1, 4),
8359 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
8360 BPF_MOV64_IMM(BPF_REG_5, 0),
8361 BPF_ST_MEM(BPF_H, BPF_REG_10, -512, 0),
8362 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8363 BPF_FUNC_skb_load_bytes),
8364 BPF_MOV64_IMM(BPF_REG_0, 0),
8367 .errstr = "R4 min value is negative, either use unsigned",
8371 "bounds checks mixing signed and unsigned, variant 7",
8373 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8374 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8375 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8376 BPF_LD_MAP_FD(BPF_REG_1, 0),
8377 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8378 BPF_FUNC_map_lookup_elem),
8379 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
8380 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8381 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8382 BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024),
8383 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
8384 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8385 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8386 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8387 BPF_MOV64_IMM(BPF_REG_0, 0),
8390 .fixup_map_hash_8b = { 3 },
8394 "bounds checks mixing signed and unsigned, variant 8",
8396 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8397 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8398 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8399 BPF_LD_MAP_FD(BPF_REG_1, 0),
8400 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8401 BPF_FUNC_map_lookup_elem),
8402 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8403 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8404 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8405 BPF_MOV64_IMM(BPF_REG_2, -1),
8406 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
8407 BPF_MOV64_IMM(BPF_REG_0, 0),
8409 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8410 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8411 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8412 BPF_MOV64_IMM(BPF_REG_0, 0),
8415 .fixup_map_hash_8b = { 3 },
8416 .errstr = "unbounded min value",
8420 "bounds checks mixing signed and unsigned, variant 9",
8422 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8423 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8424 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8425 BPF_LD_MAP_FD(BPF_REG_1, 0),
8426 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8427 BPF_FUNC_map_lookup_elem),
8428 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
8429 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8430 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8431 BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL),
8432 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
8433 BPF_MOV64_IMM(BPF_REG_0, 0),
8435 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8436 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8437 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8438 BPF_MOV64_IMM(BPF_REG_0, 0),
8441 .fixup_map_hash_8b = { 3 },
8445 "bounds checks mixing signed and unsigned, variant 10",
8447 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8448 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8449 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8450 BPF_LD_MAP_FD(BPF_REG_1, 0),
8451 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8452 BPF_FUNC_map_lookup_elem),
8453 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8454 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8455 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8456 BPF_MOV64_IMM(BPF_REG_2, 0),
8457 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
8458 BPF_MOV64_IMM(BPF_REG_0, 0),
8460 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8461 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8462 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8463 BPF_MOV64_IMM(BPF_REG_0, 0),
8466 .fixup_map_hash_8b = { 3 },
8467 .errstr = "unbounded min value",
8471 "bounds checks mixing signed and unsigned, variant 11",
8473 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8474 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8475 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8476 BPF_LD_MAP_FD(BPF_REG_1, 0),
8477 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8478 BPF_FUNC_map_lookup_elem),
8479 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8480 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8481 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8482 BPF_MOV64_IMM(BPF_REG_2, -1),
8483 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
8485 BPF_MOV64_IMM(BPF_REG_0, 0),
8487 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8488 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8489 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8490 BPF_MOV64_IMM(BPF_REG_0, 0),
8493 .fixup_map_hash_8b = { 3 },
8494 .errstr = "unbounded min value",
8498 "bounds checks mixing signed and unsigned, variant 12",
8500 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8501 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8502 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8503 BPF_LD_MAP_FD(BPF_REG_1, 0),
8504 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8505 BPF_FUNC_map_lookup_elem),
8506 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8507 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8508 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8509 BPF_MOV64_IMM(BPF_REG_2, -6),
8510 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
8511 BPF_MOV64_IMM(BPF_REG_0, 0),
8513 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8514 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8515 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8516 BPF_MOV64_IMM(BPF_REG_0, 0),
8519 .fixup_map_hash_8b = { 3 },
8520 .errstr = "unbounded min value",
8524 "bounds checks mixing signed and unsigned, variant 13",
8526 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8527 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8528 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8529 BPF_LD_MAP_FD(BPF_REG_1, 0),
8530 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8531 BPF_FUNC_map_lookup_elem),
8532 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8533 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8534 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8535 BPF_MOV64_IMM(BPF_REG_2, 2),
8536 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
8537 BPF_MOV64_IMM(BPF_REG_7, 1),
8538 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 0, 2),
8539 BPF_MOV64_IMM(BPF_REG_0, 0),
8541 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_1),
8542 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 4, 2),
8543 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_7),
8544 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8545 BPF_MOV64_IMM(BPF_REG_0, 0),
8548 .fixup_map_hash_8b = { 3 },
8549 .errstr = "unbounded min value",
8553 "bounds checks mixing signed and unsigned, variant 14",
8555 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
8556 offsetof(struct __sk_buff, mark)),
8557 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8558 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8559 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8560 BPF_LD_MAP_FD(BPF_REG_1, 0),
8561 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8562 BPF_FUNC_map_lookup_elem),
8563 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
8564 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8565 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8566 BPF_MOV64_IMM(BPF_REG_2, -1),
8567 BPF_MOV64_IMM(BPF_REG_8, 2),
8568 BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 42, 6),
8569 BPF_JMP_REG(BPF_JSGT, BPF_REG_8, BPF_REG_1, 3),
8570 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8571 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8572 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8573 BPF_MOV64_IMM(BPF_REG_0, 0),
8575 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3),
8576 BPF_JMP_IMM(BPF_JA, 0, 0, -7),
8578 .fixup_map_hash_8b = { 4 },
8579 .errstr = "R0 invalid mem access 'inv'",
8583 "bounds checks mixing signed and unsigned, variant 15",
8585 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8586 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8587 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8588 BPF_LD_MAP_FD(BPF_REG_1, 0),
8589 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8590 BPF_FUNC_map_lookup_elem),
8591 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8592 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8593 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8594 BPF_MOV64_IMM(BPF_REG_2, -6),
8595 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
8596 BPF_MOV64_IMM(BPF_REG_0, 0),
8598 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8599 BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 1, 2),
8600 BPF_MOV64_IMM(BPF_REG_0, 0),
8602 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8603 BPF_MOV64_IMM(BPF_REG_0, 0),
8606 .fixup_map_hash_8b = { 3 },
8607 .errstr = "unbounded min value",
8609 .result_unpriv = REJECT,
8612 "subtraction bounds (map value) variant 1",
8614 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8615 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8616 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8617 BPF_LD_MAP_FD(BPF_REG_1, 0),
8618 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8619 BPF_FUNC_map_lookup_elem),
8620 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8621 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8622 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7),
8623 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
8624 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5),
8625 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
8626 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56),
8627 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8628 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8630 BPF_MOV64_IMM(BPF_REG_0, 0),
8633 .fixup_map_hash_8b = { 3 },
8634 .errstr = "R0 max value is outside of the array range",
8638 "subtraction bounds (map value) variant 2",
8640 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8641 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8642 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8643 BPF_LD_MAP_FD(BPF_REG_1, 0),
8644 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8645 BPF_FUNC_map_lookup_elem),
8646 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
8647 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8648 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6),
8649 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
8650 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4),
8651 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
8652 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8653 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8655 BPF_MOV64_IMM(BPF_REG_0, 0),
8658 .fixup_map_hash_8b = { 3 },
8659 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
8663 "bounds check based on zero-extended MOV",
8665 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8666 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8667 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8668 BPF_LD_MAP_FD(BPF_REG_1, 0),
8669 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8670 BPF_FUNC_map_lookup_elem),
8671 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8672 /* r2 = 0x0000'0000'ffff'ffff */
8673 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff),
8675 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
8677 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
8678 /* access at offset 0 */
8679 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8681 BPF_MOV64_IMM(BPF_REG_0, 0),
8684 .fixup_map_hash_8b = { 3 },
8688 "bounds check based on sign-extended MOV. test1",
8690 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8691 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8692 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8693 BPF_LD_MAP_FD(BPF_REG_1, 0),
8694 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8695 BPF_FUNC_map_lookup_elem),
8696 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8697 /* r2 = 0xffff'ffff'ffff'ffff */
8698 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
8699 /* r2 = 0xffff'ffff */
8700 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
8701 /* r0 = <oob pointer> */
8702 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
8703 /* access to OOB pointer */
8704 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8706 BPF_MOV64_IMM(BPF_REG_0, 0),
8709 .fixup_map_hash_8b = { 3 },
8710 .errstr = "map_value pointer and 4294967295",
8714 "bounds check based on sign-extended MOV. test2",
8716 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8717 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8718 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8719 BPF_LD_MAP_FD(BPF_REG_1, 0),
8720 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8721 BPF_FUNC_map_lookup_elem),
8722 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8723 /* r2 = 0xffff'ffff'ffff'ffff */
8724 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
8725 /* r2 = 0xfff'ffff */
8726 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 36),
8727 /* r0 = <oob pointer> */
8728 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
8729 /* access to OOB pointer */
8730 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8732 BPF_MOV64_IMM(BPF_REG_0, 0),
8735 .fixup_map_hash_8b = { 3 },
8736 .errstr = "R0 min value is outside of the array range",
8740 "bounds check based on reg_off + var_off + insn_off. test1",
8742 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
8743 offsetof(struct __sk_buff, mark)),
8744 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8745 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8746 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8747 BPF_LD_MAP_FD(BPF_REG_1, 0),
8748 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8749 BPF_FUNC_map_lookup_elem),
8750 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8751 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
8752 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 29) - 1),
8753 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
8754 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
8755 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
8756 BPF_MOV64_IMM(BPF_REG_0, 0),
8759 .fixup_map_hash_8b = { 4 },
8760 .errstr = "value_size=8 off=1073741825",
8762 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8765 "bounds check based on reg_off + var_off + insn_off. test2",
8767 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
8768 offsetof(struct __sk_buff, mark)),
8769 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8770 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8771 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8772 BPF_LD_MAP_FD(BPF_REG_1, 0),
8773 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8774 BPF_FUNC_map_lookup_elem),
8775 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8776 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
8777 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 30) - 1),
8778 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
8779 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
8780 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
8781 BPF_MOV64_IMM(BPF_REG_0, 0),
8784 .fixup_map_hash_8b = { 4 },
8785 .errstr = "value 1073741823",
8787 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8790 "bounds check after truncation of non-boundary-crossing range",
8792 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8793 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8794 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8795 BPF_LD_MAP_FD(BPF_REG_1, 0),
8796 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8797 BPF_FUNC_map_lookup_elem),
8798 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8799 /* r1 = [0x00, 0xff] */
8800 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8801 BPF_MOV64_IMM(BPF_REG_2, 1),
8802 /* r2 = 0x10'0000'0000 */
8803 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 36),
8804 /* r1 = [0x10'0000'0000, 0x10'0000'00ff] */
8805 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
8806 /* r1 = [0x10'7fff'ffff, 0x10'8000'00fe] */
8807 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8808 /* r1 = [0x00, 0xff] */
8809 BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 0x7fffffff),
8811 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8813 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8814 /* access at offset 0 */
8815 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8817 BPF_MOV64_IMM(BPF_REG_0, 0),
8820 .fixup_map_hash_8b = { 3 },
8824 "bounds check after truncation of boundary-crossing range (1)",
8826 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8827 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8828 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8829 BPF_LD_MAP_FD(BPF_REG_1, 0),
8830 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8831 BPF_FUNC_map_lookup_elem),
8832 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8833 /* r1 = [0x00, 0xff] */
8834 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8835 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8836 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
8837 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8838 /* r1 = [0xffff'ff80, 0xffff'ffff] or
8839 * [0x0000'0000, 0x0000'007f]
8841 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 0),
8842 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8843 /* r1 = [0x00, 0xff] or
8844 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
8846 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8848 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
8850 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8851 /* no-op or OOB pointer computation */
8852 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8853 /* potentially OOB access */
8854 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8856 BPF_MOV64_IMM(BPF_REG_0, 0),
8859 .fixup_map_hash_8b = { 3 },
8860 /* not actually fully unbounded, but the bound is very high */
8861 .errstr = "R0 unbounded memory access",
8865 "bounds check after truncation of boundary-crossing range (2)",
8867 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8868 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8869 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8870 BPF_LD_MAP_FD(BPF_REG_1, 0),
8871 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8872 BPF_FUNC_map_lookup_elem),
8873 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8874 /* r1 = [0x00, 0xff] */
8875 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8876 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8877 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
8878 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8879 /* r1 = [0xffff'ff80, 0xffff'ffff] or
8880 * [0x0000'0000, 0x0000'007f]
8881 * difference to previous test: truncation via MOV32
8884 BPF_MOV32_REG(BPF_REG_1, BPF_REG_1),
8885 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8886 /* r1 = [0x00, 0xff] or
8887 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
8889 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8891 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
8893 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8894 /* no-op or OOB pointer computation */
8895 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8896 /* potentially OOB access */
8897 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8899 BPF_MOV64_IMM(BPF_REG_0, 0),
8902 .fixup_map_hash_8b = { 3 },
8903 /* not actually fully unbounded, but the bound is very high */
8904 .errstr = "R0 unbounded memory access",
8908 "bounds check after wrapping 32-bit addition",
8910 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8911 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8912 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8913 BPF_LD_MAP_FD(BPF_REG_1, 0),
8914 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8915 BPF_FUNC_map_lookup_elem),
8916 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
8917 /* r1 = 0x7fff'ffff */
8918 BPF_MOV64_IMM(BPF_REG_1, 0x7fffffff),
8919 /* r1 = 0xffff'fffe */
8920 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8922 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 2),
8924 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8925 /* access at offset 0 */
8926 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8928 BPF_MOV64_IMM(BPF_REG_0, 0),
8931 .fixup_map_hash_8b = { 3 },
8935 "bounds check after shift with oversized count operand",
8937 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8938 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8939 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8940 BPF_LD_MAP_FD(BPF_REG_1, 0),
8941 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8942 BPF_FUNC_map_lookup_elem),
8943 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8944 BPF_MOV64_IMM(BPF_REG_2, 32),
8945 BPF_MOV64_IMM(BPF_REG_1, 1),
8946 /* r1 = (u32)1 << (u32)32 = ? */
8947 BPF_ALU32_REG(BPF_LSH, BPF_REG_1, BPF_REG_2),
8948 /* r1 = [0x0000, 0xffff] */
8949 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xffff),
8950 /* computes unknown pointer, potentially OOB */
8951 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8952 /* potentially OOB access */
8953 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8955 BPF_MOV64_IMM(BPF_REG_0, 0),
8958 .fixup_map_hash_8b = { 3 },
8959 .errstr = "R0 max value is outside of the array range",
8963 "bounds check after right shift of maybe-negative number",
8965 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8966 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8967 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8968 BPF_LD_MAP_FD(BPF_REG_1, 0),
8969 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8970 BPF_FUNC_map_lookup_elem),
8971 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8972 /* r1 = [0x00, 0xff] */
8973 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8974 /* r1 = [-0x01, 0xfe] */
8975 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1),
8976 /* r1 = 0 or 0xff'ffff'ffff'ffff */
8977 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8978 /* r1 = 0 or 0xffff'ffff'ffff */
8979 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8980 /* computes unknown pointer, potentially OOB */
8981 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8982 /* potentially OOB access */
8983 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8985 BPF_MOV64_IMM(BPF_REG_0, 0),
8988 .fixup_map_hash_8b = { 3 },
8989 .errstr = "R0 unbounded memory access",
8993 "bounds check map access with off+size signed 32bit overflow. test1",
8995 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8996 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8997 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8998 BPF_LD_MAP_FD(BPF_REG_1, 0),
8999 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9000 BPF_FUNC_map_lookup_elem),
9001 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9003 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7ffffffe),
9004 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
9008 .fixup_map_hash_8b = { 3 },
9009 .errstr = "map_value pointer and 2147483646",
9013 "bounds check map access with off+size signed 32bit overflow. test2",
9015 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9016 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9017 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9018 BPF_LD_MAP_FD(BPF_REG_1, 0),
9019 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9020 BPF_FUNC_map_lookup_elem),
9021 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9023 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
9024 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
9025 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
9026 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
9030 .fixup_map_hash_8b = { 3 },
9031 .errstr = "pointer offset 1073741822",
9035 "bounds check map access with off+size signed 32bit overflow. test3",
9037 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9038 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9039 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9040 BPF_LD_MAP_FD(BPF_REG_1, 0),
9041 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9042 BPF_FUNC_map_lookup_elem),
9043 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9045 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
9046 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
9047 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
9051 .fixup_map_hash_8b = { 3 },
9052 .errstr = "pointer offset -1073741822",
9056 "bounds check map access with off+size signed 32bit overflow. test4",
9058 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9059 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9060 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9061 BPF_LD_MAP_FD(BPF_REG_1, 0),
9062 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9063 BPF_FUNC_map_lookup_elem),
9064 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9066 BPF_MOV64_IMM(BPF_REG_1, 1000000),
9067 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 1000000),
9068 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9069 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
9073 .fixup_map_hash_8b = { 3 },
9074 .errstr = "map_value pointer and 1000000000000",
9078 "pointer/scalar confusion in state equality check (way 1)",
9080 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9081 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9082 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9083 BPF_LD_MAP_FD(BPF_REG_1, 0),
9084 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9085 BPF_FUNC_map_lookup_elem),
9086 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
9087 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
9089 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
9093 .fixup_map_hash_8b = { 3 },
9095 .retval = POINTER_VALUE,
9096 .result_unpriv = REJECT,
9097 .errstr_unpriv = "R0 leaks addr as return value"
9100 "pointer/scalar confusion in state equality check (way 2)",
9102 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9103 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9104 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9105 BPF_LD_MAP_FD(BPF_REG_1, 0),
9106 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9107 BPF_FUNC_map_lookup_elem),
9108 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
9109 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
9111 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
9114 .fixup_map_hash_8b = { 3 },
9116 .retval = POINTER_VALUE,
9117 .result_unpriv = REJECT,
9118 .errstr_unpriv = "R0 leaks addr as return value"
9121 "variable-offset ctx access",
9123 /* Get an unknown value */
9124 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
9125 /* Make it small and 4-byte aligned */
9126 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
9127 /* add it to skb. We now have either &skb->len or
9128 * &skb->pkt_type, but we don't know which
9130 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
9131 /* dereference it */
9132 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9135 .errstr = "variable ctx access var_off=(0x0; 0x4)",
9137 .prog_type = BPF_PROG_TYPE_LWT_IN,
9140 "variable-offset stack access",
9142 /* Fill the top 8 bytes of the stack */
9143 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9144 /* Get an unknown value */
9145 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
9146 /* Make it small and 4-byte aligned */
9147 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
9148 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
9149 /* add it to fp. We now have either fp-4 or fp-8, but
9150 * we don't know which
9152 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
9153 /* dereference it */
9154 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0),
9157 .errstr = "variable stack access var_off=(0xfffffffffffffff8; 0x4)",
9159 .prog_type = BPF_PROG_TYPE_LWT_IN,
9162 "indirect variable-offset stack access",
9164 /* Fill the top 8 bytes of the stack */
9165 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9166 /* Get an unknown value */
9167 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
9168 /* Make it small and 4-byte aligned */
9169 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
9170 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
9171 /* add it to fp. We now have either fp-4 or fp-8, but
9172 * we don't know which
9174 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
9175 /* dereference it indirectly */
9176 BPF_LD_MAP_FD(BPF_REG_1, 0),
9177 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9178 BPF_FUNC_map_lookup_elem),
9179 BPF_MOV64_IMM(BPF_REG_0, 0),
9182 .fixup_map_hash_8b = { 5 },
9183 .errstr = "variable stack read R2",
9185 .prog_type = BPF_PROG_TYPE_LWT_IN,
9188 "direct stack access with 32-bit wraparound. test1",
9190 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
9191 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
9192 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
9193 BPF_MOV32_IMM(BPF_REG_0, 0),
9194 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
9197 .errstr = "fp pointer and 2147483647",
9201 "direct stack access with 32-bit wraparound. test2",
9203 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
9204 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
9205 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
9206 BPF_MOV32_IMM(BPF_REG_0, 0),
9207 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
9210 .errstr = "fp pointer and 1073741823",
9214 "direct stack access with 32-bit wraparound. test3",
9216 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
9217 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
9218 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
9219 BPF_MOV32_IMM(BPF_REG_0, 0),
9220 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
9223 .errstr = "fp pointer offset 1073741822",
9227 "liveness pruning and write screening",
9229 /* Get an unknown value */
9230 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
9231 /* branch conditions teach us nothing about R2 */
9232 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
9233 BPF_MOV64_IMM(BPF_REG_0, 0),
9234 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
9235 BPF_MOV64_IMM(BPF_REG_0, 0),
9238 .errstr = "R0 !read_ok",
9240 .prog_type = BPF_PROG_TYPE_LWT_IN,
9243 "varlen_map_value_access pruning",
9245 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9246 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9247 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9248 BPF_LD_MAP_FD(BPF_REG_1, 0),
9249 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9250 BPF_FUNC_map_lookup_elem),
9251 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
9252 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
9253 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
9254 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
9255 BPF_MOV32_IMM(BPF_REG_1, 0),
9256 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
9257 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9258 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
9259 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
9260 offsetof(struct test_val, foo)),
9263 .fixup_map_hash_48b = { 3 },
9264 .errstr_unpriv = "R0 leaks addr",
9265 .errstr = "R0 unbounded memory access",
9266 .result_unpriv = REJECT,
9268 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9271 "invalid 64-bit BPF_END",
9273 BPF_MOV32_IMM(BPF_REG_0, 0),
9275 .code = BPF_ALU64 | BPF_END | BPF_TO_LE,
9276 .dst_reg = BPF_REG_0,
9283 .errstr = "unknown opcode d7",
9287 "XDP, using ifindex from netdev",
9289 BPF_MOV64_IMM(BPF_REG_0, 0),
9290 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9291 offsetof(struct xdp_md, ingress_ifindex)),
9292 BPF_JMP_IMM(BPF_JLT, BPF_REG_2, 1, 1),
9293 BPF_MOV64_IMM(BPF_REG_0, 1),
9297 .prog_type = BPF_PROG_TYPE_XDP,
9301 "meta access, test1",
9303 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9304 offsetof(struct xdp_md, data_meta)),
9305 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9306 offsetof(struct xdp_md, data)),
9307 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
9308 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
9309 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
9310 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9311 BPF_MOV64_IMM(BPF_REG_0, 0),
9315 .prog_type = BPF_PROG_TYPE_XDP,
9318 "meta access, test2",
9320 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9321 offsetof(struct xdp_md, data_meta)),
9322 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9323 offsetof(struct xdp_md, data)),
9324 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
9325 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 8),
9326 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
9327 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
9328 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
9329 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9330 BPF_MOV64_IMM(BPF_REG_0, 0),
9334 .errstr = "invalid access to packet, off=-8",
9335 .prog_type = BPF_PROG_TYPE_XDP,
9338 "meta access, test3",
9340 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9341 offsetof(struct xdp_md, data_meta)),
9342 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9343 offsetof(struct xdp_md, data_end)),
9344 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
9345 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
9346 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
9347 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9348 BPF_MOV64_IMM(BPF_REG_0, 0),
9352 .errstr = "invalid access to packet",
9353 .prog_type = BPF_PROG_TYPE_XDP,
9356 "meta access, test4",
9358 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9359 offsetof(struct xdp_md, data_meta)),
9360 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9361 offsetof(struct xdp_md, data_end)),
9362 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
9363 offsetof(struct xdp_md, data)),
9364 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
9365 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
9366 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
9367 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9368 BPF_MOV64_IMM(BPF_REG_0, 0),
9372 .errstr = "invalid access to packet",
9373 .prog_type = BPF_PROG_TYPE_XDP,
9376 "meta access, test5",
9378 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9379 offsetof(struct xdp_md, data_meta)),
9380 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
9381 offsetof(struct xdp_md, data)),
9382 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
9383 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
9384 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_4, 3),
9385 BPF_MOV64_IMM(BPF_REG_2, -8),
9386 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9387 BPF_FUNC_xdp_adjust_meta),
9388 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
9389 BPF_MOV64_IMM(BPF_REG_0, 0),
9393 .errstr = "R3 !read_ok",
9394 .prog_type = BPF_PROG_TYPE_XDP,
9397 "meta access, test6",
9399 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9400 offsetof(struct xdp_md, data_meta)),
9401 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9402 offsetof(struct xdp_md, data)),
9403 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
9404 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
9405 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
9406 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
9407 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 1),
9408 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9409 BPF_MOV64_IMM(BPF_REG_0, 0),
9413 .errstr = "invalid access to packet",
9414 .prog_type = BPF_PROG_TYPE_XDP,
9417 "meta access, test7",
9419 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9420 offsetof(struct xdp_md, data_meta)),
9421 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9422 offsetof(struct xdp_md, data)),
9423 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
9424 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
9425 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
9426 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
9427 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
9428 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9429 BPF_MOV64_IMM(BPF_REG_0, 0),
9433 .prog_type = BPF_PROG_TYPE_XDP,
9436 "meta access, test8",
9438 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9439 offsetof(struct xdp_md, data_meta)),
9440 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9441 offsetof(struct xdp_md, data)),
9442 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
9443 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
9444 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
9445 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9446 BPF_MOV64_IMM(BPF_REG_0, 0),
9450 .prog_type = BPF_PROG_TYPE_XDP,
9453 "meta access, test9",
9455 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9456 offsetof(struct xdp_md, data_meta)),
9457 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9458 offsetof(struct xdp_md, data)),
9459 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
9460 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
9461 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
9462 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
9463 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9464 BPF_MOV64_IMM(BPF_REG_0, 0),
9468 .errstr = "invalid access to packet",
9469 .prog_type = BPF_PROG_TYPE_XDP,
9472 "meta access, test10",
9474 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9475 offsetof(struct xdp_md, data_meta)),
9476 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9477 offsetof(struct xdp_md, data)),
9478 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
9479 offsetof(struct xdp_md, data_end)),
9480 BPF_MOV64_IMM(BPF_REG_5, 42),
9481 BPF_MOV64_IMM(BPF_REG_6, 24),
9482 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
9483 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
9484 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
9485 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
9486 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_5),
9487 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
9488 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
9489 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
9490 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_5, 1),
9491 BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
9492 BPF_MOV64_IMM(BPF_REG_0, 0),
9496 .errstr = "invalid access to packet",
9497 .prog_type = BPF_PROG_TYPE_XDP,
9500 "meta access, test11",
9502 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9503 offsetof(struct xdp_md, data_meta)),
9504 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9505 offsetof(struct xdp_md, data)),
9506 BPF_MOV64_IMM(BPF_REG_5, 42),
9507 BPF_MOV64_IMM(BPF_REG_6, 24),
9508 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
9509 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
9510 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
9511 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
9512 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_5),
9513 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
9514 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
9515 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
9516 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_3, 1),
9517 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_5, 0),
9518 BPF_MOV64_IMM(BPF_REG_0, 0),
9522 .prog_type = BPF_PROG_TYPE_XDP,
9525 "meta access, test12",
9527 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9528 offsetof(struct xdp_md, data_meta)),
9529 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9530 offsetof(struct xdp_md, data)),
9531 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
9532 offsetof(struct xdp_md, data_end)),
9533 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
9534 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
9535 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 5),
9536 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
9537 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
9538 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
9539 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 1),
9540 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9541 BPF_MOV64_IMM(BPF_REG_0, 0),
9545 .prog_type = BPF_PROG_TYPE_XDP,
9548 "arithmetic ops make PTR_TO_CTX unusable",
9550 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
9551 offsetof(struct __sk_buff, data) -
9552 offsetof(struct __sk_buff, mark)),
9553 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9554 offsetof(struct __sk_buff, mark)),
9557 .errstr = "dereference of modified ctx ptr",
9559 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9562 "pkt_end - pkt_start is allowed",
9564 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9565 offsetof(struct __sk_buff, data_end)),
9566 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9567 offsetof(struct __sk_buff, data)),
9568 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
9572 .retval = TEST_DATA_LEN,
9573 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9576 "XDP pkt read, pkt_end mangling, bad access 1",
9578 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9579 offsetof(struct xdp_md, data)),
9580 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9581 offsetof(struct xdp_md, data_end)),
9582 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9583 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9584 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8),
9585 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9586 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9587 BPF_MOV64_IMM(BPF_REG_0, 0),
9590 .errstr = "R3 pointer arithmetic on pkt_end",
9592 .prog_type = BPF_PROG_TYPE_XDP,
9595 "XDP pkt read, pkt_end mangling, bad access 2",
9597 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9598 offsetof(struct xdp_md, data)),
9599 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9600 offsetof(struct xdp_md, data_end)),
9601 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9602 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9603 BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8),
9604 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9605 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9606 BPF_MOV64_IMM(BPF_REG_0, 0),
9609 .errstr = "R3 pointer arithmetic on pkt_end",
9611 .prog_type = BPF_PROG_TYPE_XDP,
9614 "XDP pkt read, pkt_data' > pkt_end, good access",
9616 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9617 offsetof(struct xdp_md, data)),
9618 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9619 offsetof(struct xdp_md, data_end)),
9620 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9621 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9622 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9623 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9624 BPF_MOV64_IMM(BPF_REG_0, 0),
9628 .prog_type = BPF_PROG_TYPE_XDP,
9631 "XDP pkt read, pkt_data' > pkt_end, bad access 1",
9633 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9634 offsetof(struct xdp_md, data)),
9635 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9636 offsetof(struct xdp_md, data_end)),
9637 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9638 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9639 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9640 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9641 BPF_MOV64_IMM(BPF_REG_0, 0),
9644 .errstr = "R1 offset is outside of the packet",
9646 .prog_type = BPF_PROG_TYPE_XDP,
9647 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9650 "XDP pkt read, pkt_data' > pkt_end, bad access 2",
9652 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9653 offsetof(struct xdp_md, data)),
9654 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9655 offsetof(struct xdp_md, data_end)),
9656 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9657 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9658 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
9659 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9660 BPF_MOV64_IMM(BPF_REG_0, 0),
9663 .errstr = "R1 offset is outside of the packet",
9665 .prog_type = BPF_PROG_TYPE_XDP,
9668 "XDP pkt read, pkt_end > pkt_data', good access",
9670 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9671 offsetof(struct xdp_md, data)),
9672 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9673 offsetof(struct xdp_md, data_end)),
9674 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9675 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9676 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9677 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9678 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9679 BPF_MOV64_IMM(BPF_REG_0, 0),
9683 .prog_type = BPF_PROG_TYPE_XDP,
9684 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9687 "XDP pkt read, pkt_end > pkt_data', bad access 1",
9689 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9690 offsetof(struct xdp_md, data)),
9691 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9692 offsetof(struct xdp_md, data_end)),
9693 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9694 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9695 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9696 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9697 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9698 BPF_MOV64_IMM(BPF_REG_0, 0),
9701 .errstr = "R1 offset is outside of the packet",
9703 .prog_type = BPF_PROG_TYPE_XDP,
9706 "XDP pkt read, pkt_end > pkt_data', bad access 2",
9708 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9709 offsetof(struct xdp_md, data)),
9710 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9711 offsetof(struct xdp_md, data_end)),
9712 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9713 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9714 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9715 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9716 BPF_MOV64_IMM(BPF_REG_0, 0),
9719 .errstr = "R1 offset is outside of the packet",
9721 .prog_type = BPF_PROG_TYPE_XDP,
9724 "XDP pkt read, pkt_data' < pkt_end, good access",
9726 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9727 offsetof(struct xdp_md, data)),
9728 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9729 offsetof(struct xdp_md, data_end)),
9730 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9731 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9732 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9733 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9734 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9735 BPF_MOV64_IMM(BPF_REG_0, 0),
9739 .prog_type = BPF_PROG_TYPE_XDP,
9740 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9743 "XDP pkt read, pkt_data' < pkt_end, bad access 1",
9745 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9746 offsetof(struct xdp_md, data)),
9747 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9748 offsetof(struct xdp_md, data_end)),
9749 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9750 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9751 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9752 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9753 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9754 BPF_MOV64_IMM(BPF_REG_0, 0),
9757 .errstr = "R1 offset is outside of the packet",
9759 .prog_type = BPF_PROG_TYPE_XDP,
9762 "XDP pkt read, pkt_data' < pkt_end, bad access 2",
9764 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9765 offsetof(struct xdp_md, data)),
9766 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9767 offsetof(struct xdp_md, data_end)),
9768 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9769 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9770 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9771 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9772 BPF_MOV64_IMM(BPF_REG_0, 0),
9775 .errstr = "R1 offset is outside of the packet",
9777 .prog_type = BPF_PROG_TYPE_XDP,
9780 "XDP pkt read, pkt_end < pkt_data', good access",
9782 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9783 offsetof(struct xdp_md, data)),
9784 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9785 offsetof(struct xdp_md, data_end)),
9786 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9787 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9788 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9789 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9790 BPF_MOV64_IMM(BPF_REG_0, 0),
9794 .prog_type = BPF_PROG_TYPE_XDP,
9797 "XDP pkt read, pkt_end < pkt_data', bad access 1",
9799 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9800 offsetof(struct xdp_md, data)),
9801 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9802 offsetof(struct xdp_md, data_end)),
9803 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9804 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9805 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9806 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9807 BPF_MOV64_IMM(BPF_REG_0, 0),
9810 .errstr = "R1 offset is outside of the packet",
9812 .prog_type = BPF_PROG_TYPE_XDP,
9813 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9816 "XDP pkt read, pkt_end < pkt_data', bad access 2",
9818 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9819 offsetof(struct xdp_md, data)),
9820 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9821 offsetof(struct xdp_md, data_end)),
9822 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9823 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9824 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
9825 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9826 BPF_MOV64_IMM(BPF_REG_0, 0),
9829 .errstr = "R1 offset is outside of the packet",
9831 .prog_type = BPF_PROG_TYPE_XDP,
9834 "XDP pkt read, pkt_data' >= pkt_end, good access",
9836 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9837 offsetof(struct xdp_md, data)),
9838 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9839 offsetof(struct xdp_md, data_end)),
9840 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9841 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9842 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9843 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9844 BPF_MOV64_IMM(BPF_REG_0, 0),
9848 .prog_type = BPF_PROG_TYPE_XDP,
9849 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9852 "XDP pkt read, pkt_data' >= pkt_end, bad access 1",
9854 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9855 offsetof(struct xdp_md, data)),
9856 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9857 offsetof(struct xdp_md, data_end)),
9858 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9859 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9860 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9861 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9862 BPF_MOV64_IMM(BPF_REG_0, 0),
9865 .errstr = "R1 offset is outside of the packet",
9867 .prog_type = BPF_PROG_TYPE_XDP,
9870 "XDP pkt read, pkt_data' >= pkt_end, bad access 2",
9872 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9873 offsetof(struct xdp_md, data)),
9874 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9875 offsetof(struct xdp_md, data_end)),
9876 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9877 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9878 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
9879 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9880 BPF_MOV64_IMM(BPF_REG_0, 0),
9883 .errstr = "R1 offset is outside of the packet",
9885 .prog_type = BPF_PROG_TYPE_XDP,
9886 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9889 "XDP pkt read, pkt_end >= pkt_data', good access",
9891 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9892 offsetof(struct xdp_md, data)),
9893 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9894 offsetof(struct xdp_md, data_end)),
9895 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9896 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9897 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9898 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9899 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9900 BPF_MOV64_IMM(BPF_REG_0, 0),
9904 .prog_type = BPF_PROG_TYPE_XDP,
9907 "XDP pkt read, pkt_end >= pkt_data', bad access 1",
9909 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9910 offsetof(struct xdp_md, data)),
9911 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9912 offsetof(struct xdp_md, data_end)),
9913 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9914 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9915 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9916 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9917 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9918 BPF_MOV64_IMM(BPF_REG_0, 0),
9921 .errstr = "R1 offset is outside of the packet",
9923 .prog_type = BPF_PROG_TYPE_XDP,
9924 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9927 "XDP pkt read, pkt_end >= pkt_data', bad access 2",
9929 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9930 offsetof(struct xdp_md, data)),
9931 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9932 offsetof(struct xdp_md, data_end)),
9933 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9934 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9935 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9936 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9937 BPF_MOV64_IMM(BPF_REG_0, 0),
9940 .errstr = "R1 offset is outside of the packet",
9942 .prog_type = BPF_PROG_TYPE_XDP,
9945 "XDP pkt read, pkt_data' <= pkt_end, good access",
9947 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9948 offsetof(struct xdp_md, data)),
9949 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9950 offsetof(struct xdp_md, data_end)),
9951 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9952 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9953 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9954 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9955 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9956 BPF_MOV64_IMM(BPF_REG_0, 0),
9960 .prog_type = BPF_PROG_TYPE_XDP,
9963 "XDP pkt read, pkt_data' <= pkt_end, bad access 1",
9965 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9966 offsetof(struct xdp_md, data)),
9967 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9968 offsetof(struct xdp_md, data_end)),
9969 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9970 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9971 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9972 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9973 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9974 BPF_MOV64_IMM(BPF_REG_0, 0),
9977 .errstr = "R1 offset is outside of the packet",
9979 .prog_type = BPF_PROG_TYPE_XDP,
9980 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9983 "XDP pkt read, pkt_data' <= pkt_end, bad access 2",
9985 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9986 offsetof(struct xdp_md, data)),
9987 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9988 offsetof(struct xdp_md, data_end)),
9989 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9990 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9991 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9992 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9993 BPF_MOV64_IMM(BPF_REG_0, 0),
9996 .errstr = "R1 offset is outside of the packet",
9998 .prog_type = BPF_PROG_TYPE_XDP,
10001 "XDP pkt read, pkt_end <= pkt_data', good access",
10003 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10004 offsetof(struct xdp_md, data)),
10005 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10006 offsetof(struct xdp_md, data_end)),
10007 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10008 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10009 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
10010 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10011 BPF_MOV64_IMM(BPF_REG_0, 0),
10015 .prog_type = BPF_PROG_TYPE_XDP,
10016 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10019 "XDP pkt read, pkt_end <= pkt_data', bad access 1",
10021 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10022 offsetof(struct xdp_md, data)),
10023 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10024 offsetof(struct xdp_md, data_end)),
10025 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10026 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10027 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
10028 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10029 BPF_MOV64_IMM(BPF_REG_0, 0),
10032 .errstr = "R1 offset is outside of the packet",
10034 .prog_type = BPF_PROG_TYPE_XDP,
10037 "XDP pkt read, pkt_end <= pkt_data', bad access 2",
10039 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10040 offsetof(struct xdp_md, data)),
10041 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10042 offsetof(struct xdp_md, data_end)),
10043 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10044 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10045 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
10046 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10047 BPF_MOV64_IMM(BPF_REG_0, 0),
10050 .errstr = "R1 offset is outside of the packet",
10052 .prog_type = BPF_PROG_TYPE_XDP,
10053 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10056 "XDP pkt read, pkt_meta' > pkt_data, good access",
10058 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10059 offsetof(struct xdp_md, data_meta)),
10060 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10061 offsetof(struct xdp_md, data)),
10062 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10063 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10064 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
10065 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10066 BPF_MOV64_IMM(BPF_REG_0, 0),
10070 .prog_type = BPF_PROG_TYPE_XDP,
10073 "XDP pkt read, pkt_meta' > pkt_data, bad access 1",
10075 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10076 offsetof(struct xdp_md, data_meta)),
10077 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10078 offsetof(struct xdp_md, data)),
10079 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10080 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10081 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
10082 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
10083 BPF_MOV64_IMM(BPF_REG_0, 0),
10086 .errstr = "R1 offset is outside of the packet",
10088 .prog_type = BPF_PROG_TYPE_XDP,
10089 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10092 "XDP pkt read, pkt_meta' > pkt_data, bad access 2",
10094 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10095 offsetof(struct xdp_md, data_meta)),
10096 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10097 offsetof(struct xdp_md, data)),
10098 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10099 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10100 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
10101 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10102 BPF_MOV64_IMM(BPF_REG_0, 0),
10105 .errstr = "R1 offset is outside of the packet",
10107 .prog_type = BPF_PROG_TYPE_XDP,
10110 "XDP pkt read, pkt_data > pkt_meta', good access",
10112 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10113 offsetof(struct xdp_md, data_meta)),
10114 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10115 offsetof(struct xdp_md, data)),
10116 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10117 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10118 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
10119 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10120 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10121 BPF_MOV64_IMM(BPF_REG_0, 0),
10125 .prog_type = BPF_PROG_TYPE_XDP,
10126 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10129 "XDP pkt read, pkt_data > pkt_meta', bad access 1",
10131 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10132 offsetof(struct xdp_md, data_meta)),
10133 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10134 offsetof(struct xdp_md, data)),
10135 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10136 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10137 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
10138 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10139 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10140 BPF_MOV64_IMM(BPF_REG_0, 0),
10143 .errstr = "R1 offset is outside of the packet",
10145 .prog_type = BPF_PROG_TYPE_XDP,
10148 "XDP pkt read, pkt_data > pkt_meta', bad access 2",
10150 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10151 offsetof(struct xdp_md, data_meta)),
10152 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10153 offsetof(struct xdp_md, data)),
10154 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10155 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10156 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
10157 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10158 BPF_MOV64_IMM(BPF_REG_0, 0),
10161 .errstr = "R1 offset is outside of the packet",
10163 .prog_type = BPF_PROG_TYPE_XDP,
10166 "XDP pkt read, pkt_meta' < pkt_data, good access",
10168 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10169 offsetof(struct xdp_md, data_meta)),
10170 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10171 offsetof(struct xdp_md, data)),
10172 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10173 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10174 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
10175 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10176 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10177 BPF_MOV64_IMM(BPF_REG_0, 0),
10181 .prog_type = BPF_PROG_TYPE_XDP,
10182 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10185 "XDP pkt read, pkt_meta' < pkt_data, bad access 1",
10187 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10188 offsetof(struct xdp_md, data_meta)),
10189 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10190 offsetof(struct xdp_md, data)),
10191 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10192 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10193 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
10194 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10195 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10196 BPF_MOV64_IMM(BPF_REG_0, 0),
10199 .errstr = "R1 offset is outside of the packet",
10201 .prog_type = BPF_PROG_TYPE_XDP,
10204 "XDP pkt read, pkt_meta' < pkt_data, bad access 2",
10206 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10207 offsetof(struct xdp_md, data_meta)),
10208 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10209 offsetof(struct xdp_md, data)),
10210 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10211 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10212 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
10213 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10214 BPF_MOV64_IMM(BPF_REG_0, 0),
10217 .errstr = "R1 offset is outside of the packet",
10219 .prog_type = BPF_PROG_TYPE_XDP,
10222 "XDP pkt read, pkt_data < pkt_meta', good access",
10224 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10225 offsetof(struct xdp_md, data_meta)),
10226 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10227 offsetof(struct xdp_md, data)),
10228 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10229 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10230 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
10231 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10232 BPF_MOV64_IMM(BPF_REG_0, 0),
10236 .prog_type = BPF_PROG_TYPE_XDP,
10239 "XDP pkt read, pkt_data < pkt_meta', bad access 1",
10241 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10242 offsetof(struct xdp_md, data_meta)),
10243 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10244 offsetof(struct xdp_md, data)),
10245 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10246 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10247 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
10248 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
10249 BPF_MOV64_IMM(BPF_REG_0, 0),
10252 .errstr = "R1 offset is outside of the packet",
10254 .prog_type = BPF_PROG_TYPE_XDP,
10255 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10258 "XDP pkt read, pkt_data < pkt_meta', bad access 2",
10260 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10261 offsetof(struct xdp_md, data_meta)),
10262 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10263 offsetof(struct xdp_md, data)),
10264 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10265 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10266 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
10267 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10268 BPF_MOV64_IMM(BPF_REG_0, 0),
10271 .errstr = "R1 offset is outside of the packet",
10273 .prog_type = BPF_PROG_TYPE_XDP,
10276 "XDP pkt read, pkt_meta' >= pkt_data, good access",
10278 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10279 offsetof(struct xdp_md, data_meta)),
10280 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10281 offsetof(struct xdp_md, data)),
10282 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10283 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10284 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
10285 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10286 BPF_MOV64_IMM(BPF_REG_0, 0),
10290 .prog_type = BPF_PROG_TYPE_XDP,
10291 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10294 "XDP pkt read, pkt_meta' >= pkt_data, bad access 1",
10296 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10297 offsetof(struct xdp_md, data_meta)),
10298 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10299 offsetof(struct xdp_md, data)),
10300 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10301 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10302 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
10303 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10304 BPF_MOV64_IMM(BPF_REG_0, 0),
10307 .errstr = "R1 offset is outside of the packet",
10309 .prog_type = BPF_PROG_TYPE_XDP,
10312 "XDP pkt read, pkt_meta' >= pkt_data, bad access 2",
10314 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10315 offsetof(struct xdp_md, data_meta)),
10316 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10317 offsetof(struct xdp_md, data)),
10318 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10319 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10320 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
10321 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10322 BPF_MOV64_IMM(BPF_REG_0, 0),
10325 .errstr = "R1 offset is outside of the packet",
10327 .prog_type = BPF_PROG_TYPE_XDP,
10328 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10331 "XDP pkt read, pkt_data >= pkt_meta', good access",
10333 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10334 offsetof(struct xdp_md, data_meta)),
10335 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10336 offsetof(struct xdp_md, data)),
10337 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10338 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10339 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
10340 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10341 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10342 BPF_MOV64_IMM(BPF_REG_0, 0),
10346 .prog_type = BPF_PROG_TYPE_XDP,
10349 "XDP pkt read, pkt_data >= pkt_meta', bad access 1",
10351 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10352 offsetof(struct xdp_md, data_meta)),
10353 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10354 offsetof(struct xdp_md, data)),
10355 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10356 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10357 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
10358 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10359 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
10360 BPF_MOV64_IMM(BPF_REG_0, 0),
10363 .errstr = "R1 offset is outside of the packet",
10365 .prog_type = BPF_PROG_TYPE_XDP,
10366 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10369 "XDP pkt read, pkt_data >= pkt_meta', bad access 2",
10371 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10372 offsetof(struct xdp_md, data_meta)),
10373 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10374 offsetof(struct xdp_md, data)),
10375 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10376 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10377 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
10378 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10379 BPF_MOV64_IMM(BPF_REG_0, 0),
10382 .errstr = "R1 offset is outside of the packet",
10384 .prog_type = BPF_PROG_TYPE_XDP,
10387 "XDP pkt read, pkt_meta' <= pkt_data, good access",
10389 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10390 offsetof(struct xdp_md, data_meta)),
10391 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10392 offsetof(struct xdp_md, data)),
10393 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10394 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10395 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
10396 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10397 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10398 BPF_MOV64_IMM(BPF_REG_0, 0),
10402 .prog_type = BPF_PROG_TYPE_XDP,
10405 "XDP pkt read, pkt_meta' <= pkt_data, bad access 1",
10407 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10408 offsetof(struct xdp_md, data_meta)),
10409 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10410 offsetof(struct xdp_md, data)),
10411 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10412 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10413 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
10414 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10415 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
10416 BPF_MOV64_IMM(BPF_REG_0, 0),
10419 .errstr = "R1 offset is outside of the packet",
10421 .prog_type = BPF_PROG_TYPE_XDP,
10422 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10425 "XDP pkt read, pkt_meta' <= pkt_data, bad access 2",
10427 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10428 offsetof(struct xdp_md, data_meta)),
10429 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10430 offsetof(struct xdp_md, data)),
10431 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10432 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10433 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
10434 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10435 BPF_MOV64_IMM(BPF_REG_0, 0),
10438 .errstr = "R1 offset is outside of the packet",
10440 .prog_type = BPF_PROG_TYPE_XDP,
10443 "XDP pkt read, pkt_data <= pkt_meta', good access",
10445 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10446 offsetof(struct xdp_md, data_meta)),
10447 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10448 offsetof(struct xdp_md, data)),
10449 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10450 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10451 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
10452 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10453 BPF_MOV64_IMM(BPF_REG_0, 0),
10457 .prog_type = BPF_PROG_TYPE_XDP,
10458 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10461 "XDP pkt read, pkt_data <= pkt_meta', bad access 1",
10463 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10464 offsetof(struct xdp_md, data_meta)),
10465 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10466 offsetof(struct xdp_md, data)),
10467 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10468 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10469 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
10470 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10471 BPF_MOV64_IMM(BPF_REG_0, 0),
10474 .errstr = "R1 offset is outside of the packet",
10476 .prog_type = BPF_PROG_TYPE_XDP,
10479 "XDP pkt read, pkt_data <= pkt_meta', bad access 2",
10481 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10482 offsetof(struct xdp_md, data_meta)),
10483 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10484 offsetof(struct xdp_md, data)),
10485 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10486 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10487 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
10488 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10489 BPF_MOV64_IMM(BPF_REG_0, 0),
10492 .errstr = "R1 offset is outside of the packet",
10494 .prog_type = BPF_PROG_TYPE_XDP,
10495 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10498 "check deducing bounds from const, 1",
10500 BPF_MOV64_IMM(BPF_REG_0, 1),
10501 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 0),
10502 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
10506 .errstr = "R0 tried to subtract pointer from scalar",
10509 "check deducing bounds from const, 2",
10511 BPF_MOV64_IMM(BPF_REG_0, 1),
10512 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 1),
10514 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 1, 1),
10516 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
10523 "check deducing bounds from const, 3",
10525 BPF_MOV64_IMM(BPF_REG_0, 0),
10526 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
10527 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
10531 .errstr = "R0 tried to subtract pointer from scalar",
10534 "check deducing bounds from const, 4",
10536 BPF_MOV64_IMM(BPF_REG_0, 0),
10537 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 1),
10539 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
10541 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
10547 "check deducing bounds from const, 5",
10549 BPF_MOV64_IMM(BPF_REG_0, 0),
10550 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
10551 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
10555 .errstr = "R0 tried to subtract pointer from scalar",
10558 "check deducing bounds from const, 6",
10560 BPF_MOV64_IMM(BPF_REG_0, 0),
10561 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
10563 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
10567 .errstr = "R0 tried to subtract pointer from scalar",
10570 "check deducing bounds from const, 7",
10572 BPF_MOV64_IMM(BPF_REG_0, ~0),
10573 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
10574 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
10575 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10576 offsetof(struct __sk_buff, mark)),
10580 .errstr = "dereference of modified ctx ptr",
10583 "check deducing bounds from const, 8",
10585 BPF_MOV64_IMM(BPF_REG_0, ~0),
10586 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
10587 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
10588 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10589 offsetof(struct __sk_buff, mark)),
10593 .errstr = "dereference of modified ctx ptr",
10596 "check deducing bounds from const, 9",
10598 BPF_MOV64_IMM(BPF_REG_0, 0),
10599 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
10600 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
10604 .errstr = "R0 tried to subtract pointer from scalar",
10607 "check deducing bounds from const, 10",
10609 BPF_MOV64_IMM(BPF_REG_0, 0),
10610 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
10611 /* Marks reg as unknown. */
10612 BPF_ALU64_IMM(BPF_NEG, BPF_REG_0, 0),
10613 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
10617 .errstr = "math between ctx pointer and register with unbounded min value is not allowed",
10620 "bpf_exit with invalid return code. test1",
10622 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10625 .errstr = "R0 has value (0x0; 0xffffffff)",
10627 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10630 "bpf_exit with invalid return code. test2",
10632 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10633 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
10637 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10640 "bpf_exit with invalid return code. test3",
10642 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10643 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 3),
10646 .errstr = "R0 has value (0x0; 0x3)",
10648 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10651 "bpf_exit with invalid return code. test4",
10653 BPF_MOV64_IMM(BPF_REG_0, 1),
10657 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10660 "bpf_exit with invalid return code. test5",
10662 BPF_MOV64_IMM(BPF_REG_0, 2),
10665 .errstr = "R0 has value (0x2; 0x0)",
10667 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10670 "bpf_exit with invalid return code. test6",
10672 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
10675 .errstr = "R0 is not a known value (ctx)",
10677 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10680 "bpf_exit with invalid return code. test7",
10682 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10683 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4),
10684 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_2),
10687 .errstr = "R0 has unknown scalar value",
10689 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10692 "calls: basic sanity",
10694 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10695 BPF_MOV64_IMM(BPF_REG_0, 1),
10697 BPF_MOV64_IMM(BPF_REG_0, 2),
10700 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10704 "calls: not on unpriviledged",
10706 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10707 BPF_MOV64_IMM(BPF_REG_0, 1),
10709 BPF_MOV64_IMM(BPF_REG_0, 2),
10712 .errstr_unpriv = "function calls to other bpf functions are allowed for root only",
10713 .result_unpriv = REJECT,
10718 "calls: div by 0 in subprog",
10720 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10721 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10722 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10723 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
10724 offsetof(struct __sk_buff, data_end)),
10725 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
10726 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
10727 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
10728 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
10729 BPF_MOV64_IMM(BPF_REG_0, 1),
10731 BPF_MOV32_IMM(BPF_REG_2, 0),
10732 BPF_MOV32_IMM(BPF_REG_3, 1),
10733 BPF_ALU32_REG(BPF_DIV, BPF_REG_3, BPF_REG_2),
10734 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10735 offsetof(struct __sk_buff, data)),
10738 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10743 "calls: multiple ret types in subprog 1",
10745 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10746 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10747 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10748 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
10749 offsetof(struct __sk_buff, data_end)),
10750 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
10751 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
10752 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
10753 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
10754 BPF_MOV64_IMM(BPF_REG_0, 1),
10756 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10757 offsetof(struct __sk_buff, data)),
10758 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
10759 BPF_MOV32_IMM(BPF_REG_0, 42),
10762 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10764 .errstr = "R0 invalid mem access 'inv'",
10767 "calls: multiple ret types in subprog 2",
10769 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10770 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10771 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10772 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
10773 offsetof(struct __sk_buff, data_end)),
10774 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
10775 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
10776 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
10777 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
10778 BPF_MOV64_IMM(BPF_REG_0, 1),
10780 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10781 offsetof(struct __sk_buff, data)),
10782 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10783 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 9),
10784 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10785 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10786 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10787 BPF_LD_MAP_FD(BPF_REG_1, 0),
10788 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10789 BPF_FUNC_map_lookup_elem),
10790 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
10791 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6,
10792 offsetof(struct __sk_buff, data)),
10793 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
10796 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10797 .fixup_map_hash_8b = { 16 },
10799 .errstr = "R0 min value is outside of the array range",
10802 "calls: overlapping caller/callee",
10804 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0),
10805 BPF_MOV64_IMM(BPF_REG_0, 1),
10808 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10809 .errstr = "last insn is not an exit or jmp",
10813 "calls: wrong recursive calls",
10815 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
10816 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
10817 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
10818 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
10819 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
10820 BPF_MOV64_IMM(BPF_REG_0, 1),
10823 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10824 .errstr = "jump out of range",
10828 "calls: wrong src reg",
10830 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 2, 0, 0),
10831 BPF_MOV64_IMM(BPF_REG_0, 1),
10834 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10835 .errstr = "BPF_CALL uses reserved fields",
10839 "calls: wrong off value",
10841 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, -1, 2),
10842 BPF_MOV64_IMM(BPF_REG_0, 1),
10844 BPF_MOV64_IMM(BPF_REG_0, 2),
10847 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10848 .errstr = "BPF_CALL uses reserved fields",
10852 "calls: jump back loop",
10854 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
10855 BPF_MOV64_IMM(BPF_REG_0, 1),
10858 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10859 .errstr = "back-edge from insn 0 to 0",
10863 "calls: conditional call",
10865 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10866 offsetof(struct __sk_buff, mark)),
10867 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10868 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10869 BPF_MOV64_IMM(BPF_REG_0, 1),
10871 BPF_MOV64_IMM(BPF_REG_0, 2),
10874 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10875 .errstr = "jump out of range",
10879 "calls: conditional call 2",
10881 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10882 offsetof(struct __sk_buff, mark)),
10883 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10884 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10885 BPF_MOV64_IMM(BPF_REG_0, 1),
10887 BPF_MOV64_IMM(BPF_REG_0, 2),
10889 BPF_MOV64_IMM(BPF_REG_0, 3),
10892 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10896 "calls: conditional call 3",
10898 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10899 offsetof(struct __sk_buff, mark)),
10900 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10901 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
10902 BPF_MOV64_IMM(BPF_REG_0, 1),
10904 BPF_MOV64_IMM(BPF_REG_0, 1),
10905 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10906 BPF_MOV64_IMM(BPF_REG_0, 3),
10907 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10909 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10910 .errstr = "back-edge from insn",
10914 "calls: conditional call 4",
10916 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10917 offsetof(struct __sk_buff, mark)),
10918 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10919 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10920 BPF_MOV64_IMM(BPF_REG_0, 1),
10922 BPF_MOV64_IMM(BPF_REG_0, 1),
10923 BPF_JMP_IMM(BPF_JA, 0, 0, -5),
10924 BPF_MOV64_IMM(BPF_REG_0, 3),
10927 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10931 "calls: conditional call 5",
10933 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10934 offsetof(struct __sk_buff, mark)),
10935 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10936 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10937 BPF_MOV64_IMM(BPF_REG_0, 1),
10939 BPF_MOV64_IMM(BPF_REG_0, 1),
10940 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10941 BPF_MOV64_IMM(BPF_REG_0, 3),
10944 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10945 .errstr = "back-edge from insn",
10949 "calls: conditional call 6",
10951 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10952 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -2),
10954 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10955 offsetof(struct __sk_buff, mark)),
10958 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10959 .errstr = "back-edge from insn",
10963 "calls: using r0 returned by callee",
10965 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10967 BPF_MOV64_IMM(BPF_REG_0, 2),
10970 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10974 "calls: using uninit r0 from callee",
10976 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10980 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10981 .errstr = "!read_ok",
10985 "calls: callee is using r1",
10987 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10989 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10990 offsetof(struct __sk_buff, len)),
10993 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
10995 .retval = TEST_DATA_LEN,
10998 "calls: callee using args1",
11000 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11002 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
11005 .errstr_unpriv = "allowed for root only",
11006 .result_unpriv = REJECT,
11008 .retval = POINTER_VALUE,
11011 "calls: callee using wrong args2",
11013 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11015 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11018 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11019 .errstr = "R2 !read_ok",
11023 "calls: callee using two args",
11025 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11026 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
11027 offsetof(struct __sk_buff, len)),
11028 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_6,
11029 offsetof(struct __sk_buff, len)),
11030 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11032 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
11033 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
11036 .errstr_unpriv = "allowed for root only",
11037 .result_unpriv = REJECT,
11039 .retval = TEST_DATA_LEN + TEST_DATA_LEN - ETH_HLEN - ETH_HLEN,
11042 "calls: callee changing pkt pointers",
11044 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
11045 offsetof(struct xdp_md, data)),
11046 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
11047 offsetof(struct xdp_md, data_end)),
11048 BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
11049 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 8),
11050 BPF_JMP_REG(BPF_JGT, BPF_REG_8, BPF_REG_7, 2),
11051 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11052 /* clear_all_pkt_pointers() has to walk all frames
11053 * to make sure that pkt pointers in the caller
11054 * are cleared when callee is calling a helper that
11055 * adjusts packet size
11057 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
11058 BPF_MOV32_IMM(BPF_REG_0, 0),
11060 BPF_MOV64_IMM(BPF_REG_2, 0),
11061 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11062 BPF_FUNC_xdp_adjust_head),
11066 .errstr = "R6 invalid mem access 'inv'",
11067 .prog_type = BPF_PROG_TYPE_XDP,
11070 "calls: two calls with args",
11072 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11074 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11075 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
11076 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
11077 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11078 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11079 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
11080 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
11082 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11083 offsetof(struct __sk_buff, len)),
11086 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11088 .retval = TEST_DATA_LEN + TEST_DATA_LEN,
11091 "calls: calls with stack arith",
11093 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11094 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
11095 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11097 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
11098 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11100 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
11101 BPF_MOV64_IMM(BPF_REG_0, 42),
11102 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
11105 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11110 "calls: calls with misaligned stack access",
11112 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11113 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
11114 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11116 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -61),
11117 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11119 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
11120 BPF_MOV64_IMM(BPF_REG_0, 42),
11121 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
11124 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11125 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
11126 .errstr = "misaligned stack access",
11130 "calls: calls control flow, jump test",
11132 BPF_MOV64_IMM(BPF_REG_0, 42),
11133 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11134 BPF_MOV64_IMM(BPF_REG_0, 43),
11135 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11136 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
11139 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11144 "calls: calls control flow, jump test 2",
11146 BPF_MOV64_IMM(BPF_REG_0, 42),
11147 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11148 BPF_MOV64_IMM(BPF_REG_0, 43),
11149 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11150 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
11153 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11154 .errstr = "jump out of range from insn 1 to 4",
11158 "calls: two calls with bad jump",
11160 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11162 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11163 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
11164 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
11165 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11166 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11167 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
11168 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
11170 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11171 offsetof(struct __sk_buff, len)),
11172 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -3),
11175 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11176 .errstr = "jump out of range from insn 11 to 9",
11180 "calls: recursive call. test1",
11182 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11184 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
11187 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11188 .errstr = "back-edge",
11192 "calls: recursive call. test2",
11194 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11196 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
11199 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11200 .errstr = "back-edge",
11204 "calls: unreachable code",
11206 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11208 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11210 BPF_MOV64_IMM(BPF_REG_0, 0),
11212 BPF_MOV64_IMM(BPF_REG_0, 0),
11215 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11216 .errstr = "unreachable insn 6",
11220 "calls: invalid call",
11222 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11224 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -4),
11227 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11228 .errstr = "invalid destination",
11232 "calls: invalid call 2",
11234 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11236 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0x7fffffff),
11239 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11240 .errstr = "invalid destination",
11244 "calls: jumping across function bodies. test1",
11246 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11247 BPF_MOV64_IMM(BPF_REG_0, 0),
11249 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
11252 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11253 .errstr = "jump out of range",
11257 "calls: jumping across function bodies. test2",
11259 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
11260 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11261 BPF_MOV64_IMM(BPF_REG_0, 0),
11265 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11266 .errstr = "jump out of range",
11270 "calls: call without exit",
11272 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11274 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11276 BPF_MOV64_IMM(BPF_REG_0, 0),
11277 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -2),
11279 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11280 .errstr = "not an exit",
11284 "calls: call into middle of ld_imm64",
11286 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11287 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11288 BPF_MOV64_IMM(BPF_REG_0, 0),
11290 BPF_LD_IMM64(BPF_REG_0, 0),
11293 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11294 .errstr = "last insn",
11298 "calls: call into middle of other call",
11300 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11301 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11302 BPF_MOV64_IMM(BPF_REG_0, 0),
11304 BPF_MOV64_IMM(BPF_REG_0, 0),
11305 BPF_MOV64_IMM(BPF_REG_0, 0),
11308 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11309 .errstr = "last insn",
11313 "calls: ld_abs with changing ctx data in callee",
11315 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11316 BPF_LD_ABS(BPF_B, 0),
11317 BPF_LD_ABS(BPF_H, 0),
11318 BPF_LD_ABS(BPF_W, 0),
11319 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
11320 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
11321 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
11322 BPF_LD_ABS(BPF_B, 0),
11323 BPF_LD_ABS(BPF_H, 0),
11324 BPF_LD_ABS(BPF_W, 0),
11326 BPF_MOV64_IMM(BPF_REG_2, 1),
11327 BPF_MOV64_IMM(BPF_REG_3, 2),
11328 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11329 BPF_FUNC_skb_vlan_push),
11332 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11333 .errstr = "BPF_LD_[ABS|IND] instructions cannot be mixed",
11337 "calls: two calls with bad fallthrough",
11339 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11341 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11342 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
11343 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
11344 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11345 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11346 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
11347 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
11348 BPF_MOV64_REG(BPF_REG_0, BPF_REG_0),
11349 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11350 offsetof(struct __sk_buff, len)),
11353 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11354 .errstr = "not an exit",
11358 "calls: two calls with stack read",
11360 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11361 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11362 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11363 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11365 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11366 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
11367 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
11368 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11369 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11370 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
11371 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
11373 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
11376 .prog_type = BPF_PROG_TYPE_XDP,
11380 "calls: two calls with stack write",
11383 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11384 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11385 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11386 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11387 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11388 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11389 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
11393 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11394 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11395 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 7),
11396 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
11397 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11398 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11399 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
11400 BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
11401 /* write into stack frame of main prog */
11402 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11406 /* read from stack frame of main prog */
11407 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
11410 .prog_type = BPF_PROG_TYPE_XDP,
11414 "calls: stack overflow using two frames (pre-call access)",
11417 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
11418 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
11422 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
11423 BPF_MOV64_IMM(BPF_REG_0, 0),
11426 .prog_type = BPF_PROG_TYPE_XDP,
11427 .errstr = "combined stack size",
11431 "calls: stack overflow using two frames (post-call access)",
11434 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 2),
11435 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
11439 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
11440 BPF_MOV64_IMM(BPF_REG_0, 0),
11443 .prog_type = BPF_PROG_TYPE_XDP,
11444 .errstr = "combined stack size",
11448 "calls: stack depth check using three frames. test1",
11451 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
11452 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
11453 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
11454 BPF_MOV64_IMM(BPF_REG_0, 0),
11457 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
11460 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
11461 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
11464 .prog_type = BPF_PROG_TYPE_XDP,
11465 /* stack_main=32, stack_A=256, stack_B=64
11466 * and max(main+A, main+A+B) < 512
11471 "calls: stack depth check using three frames. test2",
11474 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
11475 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
11476 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
11477 BPF_MOV64_IMM(BPF_REG_0, 0),
11480 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
11483 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
11484 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
11487 .prog_type = BPF_PROG_TYPE_XDP,
11488 /* stack_main=32, stack_A=64, stack_B=256
11489 * and max(main+A, main+A+B) < 512
11494 "calls: stack depth check using three frames. test3",
11497 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11498 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
11499 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11500 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 8), /* call B */
11501 BPF_JMP_IMM(BPF_JGE, BPF_REG_6, 0, 1),
11502 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
11503 BPF_MOV64_IMM(BPF_REG_0, 0),
11506 BPF_JMP_IMM(BPF_JLT, BPF_REG_1, 10, 1),
11508 BPF_ST_MEM(BPF_B, BPF_REG_10, -224, 0),
11509 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
11511 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 1),
11512 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -6), /* call A */
11513 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
11516 .prog_type = BPF_PROG_TYPE_XDP,
11517 /* stack_main=64, stack_A=224, stack_B=256
11518 * and max(main+A, main+A+B) > 512
11520 .errstr = "combined stack",
11524 "calls: stack depth check using three frames. test4",
11525 /* void main(void) {
11530 * void func1(int alloc_or_recurse) {
11531 * if (alloc_or_recurse) {
11532 * frame_pointer[-300] = 1;
11534 * func2(alloc_or_recurse);
11537 * void func2(int alloc_or_recurse) {
11538 * if (alloc_or_recurse) {
11539 * frame_pointer[-300] = 1;
11545 BPF_MOV64_IMM(BPF_REG_1, 0),
11546 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
11547 BPF_MOV64_IMM(BPF_REG_1, 1),
11548 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
11549 BPF_MOV64_IMM(BPF_REG_1, 1),
11550 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 7), /* call B */
11551 BPF_MOV64_IMM(BPF_REG_0, 0),
11554 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
11555 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
11557 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
11560 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
11561 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
11564 .prog_type = BPF_PROG_TYPE_XDP,
11566 .errstr = "combined stack",
11569 "calls: stack depth check using three frames. test5",
11572 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call A */
11575 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
11578 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call C */
11581 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call D */
11584 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call E */
11587 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call F */
11590 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call G */
11593 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call H */
11596 BPF_MOV64_IMM(BPF_REG_0, 0),
11599 .prog_type = BPF_PROG_TYPE_XDP,
11600 .errstr = "call stack",
11604 "calls: spill into caller stack frame",
11606 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11607 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11608 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11609 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11611 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
11612 BPF_MOV64_IMM(BPF_REG_0, 0),
11615 .prog_type = BPF_PROG_TYPE_XDP,
11616 .errstr = "cannot spill",
11620 "calls: write into caller stack frame",
11622 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11623 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11624 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11625 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11626 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
11628 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 42),
11629 BPF_MOV64_IMM(BPF_REG_0, 0),
11632 .prog_type = BPF_PROG_TYPE_XDP,
11637 "calls: write into callee stack frame",
11639 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11640 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
11642 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
11643 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, -8),
11646 .prog_type = BPF_PROG_TYPE_XDP,
11647 .errstr = "cannot return stack pointer",
11651 "calls: two calls with stack write and void return",
11654 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11655 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11656 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11657 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11658 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11659 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11660 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
11664 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11665 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11666 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11667 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11668 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11672 /* write into stack frame of main prog */
11673 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
11674 BPF_EXIT_INSN(), /* void return */
11676 .prog_type = BPF_PROG_TYPE_XDP,
11680 "calls: ambiguous return value",
11682 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11683 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
11684 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
11685 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11686 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11687 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
11689 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
11690 BPF_MOV64_IMM(BPF_REG_0, 0),
11693 .errstr_unpriv = "allowed for root only",
11694 .result_unpriv = REJECT,
11695 .errstr = "R0 !read_ok",
11699 "calls: two calls that return map_value",
11702 /* pass fp-16, fp-8 into a function */
11703 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11704 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11705 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11706 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11707 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
11709 /* fetch map_value_ptr from the stack of this function */
11710 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
11711 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
11712 /* write into map value */
11713 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11714 /* fetch secound map_value_ptr from the stack */
11715 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
11716 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
11717 /* write into map value */
11718 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11719 BPF_MOV64_IMM(BPF_REG_0, 0),
11723 /* call 3rd function twice */
11724 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11725 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11726 /* first time with fp-8 */
11727 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11728 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11729 /* second time with fp-16 */
11730 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11734 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11735 /* lookup from map */
11736 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11737 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11738 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11739 BPF_LD_MAP_FD(BPF_REG_1, 0),
11740 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11741 BPF_FUNC_map_lookup_elem),
11742 /* write map_value_ptr into stack frame of main prog */
11743 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11744 BPF_MOV64_IMM(BPF_REG_0, 0),
11745 BPF_EXIT_INSN(), /* return 0 */
11747 .prog_type = BPF_PROG_TYPE_XDP,
11748 .fixup_map_hash_8b = { 23 },
11752 "calls: two calls that return map_value with bool condition",
11755 /* pass fp-16, fp-8 into a function */
11756 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11757 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11758 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11759 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11760 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11761 BPF_MOV64_IMM(BPF_REG_0, 0),
11765 /* call 3rd function twice */
11766 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11767 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11768 /* first time with fp-8 */
11769 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
11770 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
11771 /* fetch map_value_ptr from the stack of this function */
11772 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
11773 /* write into map value */
11774 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11775 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11776 /* second time with fp-16 */
11777 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11778 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
11779 /* fetch secound map_value_ptr from the stack */
11780 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
11781 /* write into map value */
11782 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11786 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11787 /* lookup from map */
11788 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11789 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11790 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11791 BPF_LD_MAP_FD(BPF_REG_1, 0),
11792 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11793 BPF_FUNC_map_lookup_elem),
11794 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11795 BPF_MOV64_IMM(BPF_REG_0, 0),
11796 BPF_EXIT_INSN(), /* return 0 */
11797 /* write map_value_ptr into stack frame of main prog */
11798 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11799 BPF_MOV64_IMM(BPF_REG_0, 1),
11800 BPF_EXIT_INSN(), /* return 1 */
11802 .prog_type = BPF_PROG_TYPE_XDP,
11803 .fixup_map_hash_8b = { 23 },
11807 "calls: two calls that return map_value with incorrect bool check",
11810 /* pass fp-16, fp-8 into a function */
11811 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11812 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11813 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11814 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11815 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11816 BPF_MOV64_IMM(BPF_REG_0, 0),
11820 /* call 3rd function twice */
11821 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11822 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11823 /* first time with fp-8 */
11824 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
11825 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
11826 /* fetch map_value_ptr from the stack of this function */
11827 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
11828 /* write into map value */
11829 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11830 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11831 /* second time with fp-16 */
11832 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11833 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11834 /* fetch secound map_value_ptr from the stack */
11835 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
11836 /* write into map value */
11837 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11841 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11842 /* lookup from map */
11843 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11844 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11845 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11846 BPF_LD_MAP_FD(BPF_REG_1, 0),
11847 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11848 BPF_FUNC_map_lookup_elem),
11849 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11850 BPF_MOV64_IMM(BPF_REG_0, 0),
11851 BPF_EXIT_INSN(), /* return 0 */
11852 /* write map_value_ptr into stack frame of main prog */
11853 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11854 BPF_MOV64_IMM(BPF_REG_0, 1),
11855 BPF_EXIT_INSN(), /* return 1 */
11857 .prog_type = BPF_PROG_TYPE_XDP,
11858 .fixup_map_hash_8b = { 23 },
11860 .errstr = "invalid read from stack off -16+0 size 8",
11863 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test1",
11866 /* pass fp-16, fp-8 into a function */
11867 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11868 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11869 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11870 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11871 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11872 BPF_MOV64_IMM(BPF_REG_0, 0),
11876 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11877 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11878 /* 1st lookup from map */
11879 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11880 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11881 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11882 BPF_LD_MAP_FD(BPF_REG_1, 0),
11883 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11884 BPF_FUNC_map_lookup_elem),
11885 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11886 BPF_MOV64_IMM(BPF_REG_8, 0),
11887 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11888 /* write map_value_ptr into stack frame of main prog at fp-8 */
11889 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11890 BPF_MOV64_IMM(BPF_REG_8, 1),
11892 /* 2nd lookup from map */
11893 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
11894 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11895 BPF_LD_MAP_FD(BPF_REG_1, 0),
11896 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
11897 BPF_FUNC_map_lookup_elem),
11898 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11899 BPF_MOV64_IMM(BPF_REG_9, 0),
11900 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11901 /* write map_value_ptr into stack frame of main prog at fp-16 */
11902 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11903 BPF_MOV64_IMM(BPF_REG_9, 1),
11905 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11906 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
11907 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11908 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11909 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11910 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), /* 34 */
11914 /* if arg2 == 1 do *arg1 = 0 */
11915 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11916 /* fetch map_value_ptr from the stack of this function */
11917 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11918 /* write into map value */
11919 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11921 /* if arg4 == 1 do *arg3 = 0 */
11922 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11923 /* fetch map_value_ptr from the stack of this function */
11924 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11925 /* write into map value */
11926 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
11929 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11930 .fixup_map_hash_8b = { 12, 22 },
11932 .errstr = "invalid access to map value, value_size=8 off=2 size=8",
11935 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test2",
11938 /* pass fp-16, fp-8 into a function */
11939 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11940 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11941 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11942 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11943 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11944 BPF_MOV64_IMM(BPF_REG_0, 0),
11948 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11949 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11950 /* 1st lookup from map */
11951 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11952 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11953 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11954 BPF_LD_MAP_FD(BPF_REG_1, 0),
11955 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11956 BPF_FUNC_map_lookup_elem),
11957 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11958 BPF_MOV64_IMM(BPF_REG_8, 0),
11959 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11960 /* write map_value_ptr into stack frame of main prog at fp-8 */
11961 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11962 BPF_MOV64_IMM(BPF_REG_8, 1),
11964 /* 2nd lookup from map */
11965 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
11966 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11967 BPF_LD_MAP_FD(BPF_REG_1, 0),
11968 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
11969 BPF_FUNC_map_lookup_elem),
11970 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11971 BPF_MOV64_IMM(BPF_REG_9, 0),
11972 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11973 /* write map_value_ptr into stack frame of main prog at fp-16 */
11974 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11975 BPF_MOV64_IMM(BPF_REG_9, 1),
11977 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11978 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
11979 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11980 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11981 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11982 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), /* 34 */
11986 /* if arg2 == 1 do *arg1 = 0 */
11987 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11988 /* fetch map_value_ptr from the stack of this function */
11989 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11990 /* write into map value */
11991 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11993 /* if arg4 == 1 do *arg3 = 0 */
11994 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11995 /* fetch map_value_ptr from the stack of this function */
11996 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11997 /* write into map value */
11998 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12001 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12002 .fixup_map_hash_8b = { 12, 22 },
12006 "calls: two jumps that receive map_value via arg=ptr_stack_of_jumper. test3",
12009 /* pass fp-16, fp-8 into a function */
12010 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12011 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12012 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12013 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
12014 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
12015 BPF_MOV64_IMM(BPF_REG_0, 0),
12019 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12020 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
12021 /* 1st lookup from map */
12022 BPF_ST_MEM(BPF_DW, BPF_REG_10, -24, 0),
12023 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12024 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
12025 BPF_LD_MAP_FD(BPF_REG_1, 0),
12026 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12027 BPF_FUNC_map_lookup_elem),
12028 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12029 BPF_MOV64_IMM(BPF_REG_8, 0),
12030 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12031 /* write map_value_ptr into stack frame of main prog at fp-8 */
12032 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
12033 BPF_MOV64_IMM(BPF_REG_8, 1),
12035 /* 2nd lookup from map */
12036 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12037 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
12038 BPF_LD_MAP_FD(BPF_REG_1, 0),
12039 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12040 BPF_FUNC_map_lookup_elem),
12041 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12042 BPF_MOV64_IMM(BPF_REG_9, 0), // 26
12043 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12044 /* write map_value_ptr into stack frame of main prog at fp-16 */
12045 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
12046 BPF_MOV64_IMM(BPF_REG_9, 1),
12048 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
12049 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), // 30
12050 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
12051 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
12052 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
12053 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), // 34
12054 BPF_JMP_IMM(BPF_JA, 0, 0, -30),
12057 /* if arg2 == 1 do *arg1 = 0 */
12058 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
12059 /* fetch map_value_ptr from the stack of this function */
12060 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
12061 /* write into map value */
12062 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12064 /* if arg4 == 1 do *arg3 = 0 */
12065 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
12066 /* fetch map_value_ptr from the stack of this function */
12067 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
12068 /* write into map value */
12069 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
12070 BPF_JMP_IMM(BPF_JA, 0, 0, -8),
12072 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12073 .fixup_map_hash_8b = { 12, 22 },
12075 .errstr = "invalid access to map value, value_size=8 off=2 size=8",
12078 "calls: two calls that receive map_value_ptr_or_null via arg. test1",
12081 /* pass fp-16, fp-8 into a function */
12082 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12083 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12084 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12085 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
12086 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12087 BPF_MOV64_IMM(BPF_REG_0, 0),
12091 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12092 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
12093 /* 1st lookup from map */
12094 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12095 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12096 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12097 BPF_LD_MAP_FD(BPF_REG_1, 0),
12098 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12099 BPF_FUNC_map_lookup_elem),
12100 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
12101 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
12102 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12103 BPF_MOV64_IMM(BPF_REG_8, 0),
12104 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
12105 BPF_MOV64_IMM(BPF_REG_8, 1),
12107 /* 2nd lookup from map */
12108 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12109 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12110 BPF_LD_MAP_FD(BPF_REG_1, 0),
12111 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12112 BPF_FUNC_map_lookup_elem),
12113 /* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
12114 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
12115 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12116 BPF_MOV64_IMM(BPF_REG_9, 0),
12117 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
12118 BPF_MOV64_IMM(BPF_REG_9, 1),
12120 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
12121 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12122 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
12123 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
12124 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
12125 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12129 /* if arg2 == 1 do *arg1 = 0 */
12130 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
12131 /* fetch map_value_ptr from the stack of this function */
12132 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
12133 /* write into map value */
12134 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12136 /* if arg4 == 1 do *arg3 = 0 */
12137 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
12138 /* fetch map_value_ptr from the stack of this function */
12139 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
12140 /* write into map value */
12141 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12144 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12145 .fixup_map_hash_8b = { 12, 22 },
12149 "calls: two calls that receive map_value_ptr_or_null via arg. test2",
12152 /* pass fp-16, fp-8 into a function */
12153 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12154 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12155 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12156 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
12157 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12158 BPF_MOV64_IMM(BPF_REG_0, 0),
12162 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12163 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
12164 /* 1st lookup from map */
12165 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12166 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12167 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12168 BPF_LD_MAP_FD(BPF_REG_1, 0),
12169 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12170 BPF_FUNC_map_lookup_elem),
12171 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
12172 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
12173 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12174 BPF_MOV64_IMM(BPF_REG_8, 0),
12175 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
12176 BPF_MOV64_IMM(BPF_REG_8, 1),
12178 /* 2nd lookup from map */
12179 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12180 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12181 BPF_LD_MAP_FD(BPF_REG_1, 0),
12182 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12183 BPF_FUNC_map_lookup_elem),
12184 /* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
12185 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
12186 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12187 BPF_MOV64_IMM(BPF_REG_9, 0),
12188 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
12189 BPF_MOV64_IMM(BPF_REG_9, 1),
12191 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
12192 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12193 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
12194 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
12195 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
12196 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12200 /* if arg2 == 1 do *arg1 = 0 */
12201 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
12202 /* fetch map_value_ptr from the stack of this function */
12203 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
12204 /* write into map value */
12205 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12207 /* if arg4 == 0 do *arg3 = 0 */
12208 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 0, 2),
12209 /* fetch map_value_ptr from the stack of this function */
12210 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
12211 /* write into map value */
12212 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12215 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12216 .fixup_map_hash_8b = { 12, 22 },
12218 .errstr = "R0 invalid mem access 'inv'",
12221 "calls: pkt_ptr spill into caller stack",
12223 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12224 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12225 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12229 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12230 offsetof(struct __sk_buff, data)),
12231 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12232 offsetof(struct __sk_buff, data_end)),
12233 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12234 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12235 /* spill unchecked pkt_ptr into stack of caller */
12236 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12237 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
12238 /* now the pkt range is verified, read pkt_ptr from stack */
12239 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
12240 /* write 4 bytes into packet */
12241 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12245 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12246 .retval = POINTER_VALUE,
12249 "calls: pkt_ptr spill into caller stack 2",
12251 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12252 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12253 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12254 /* Marking is still kept, but not in all cases safe. */
12255 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12256 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
12260 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12261 offsetof(struct __sk_buff, data)),
12262 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12263 offsetof(struct __sk_buff, data_end)),
12264 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12265 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12266 /* spill unchecked pkt_ptr into stack of caller */
12267 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12268 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
12269 /* now the pkt range is verified, read pkt_ptr from stack */
12270 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
12271 /* write 4 bytes into packet */
12272 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12275 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12276 .errstr = "invalid access to packet",
12280 "calls: pkt_ptr spill into caller stack 3",
12282 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12283 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12284 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
12285 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
12286 /* Marking is still kept and safe here. */
12287 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12288 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
12292 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12293 offsetof(struct __sk_buff, data)),
12294 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12295 offsetof(struct __sk_buff, data_end)),
12296 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12297 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12298 /* spill unchecked pkt_ptr into stack of caller */
12299 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12300 BPF_MOV64_IMM(BPF_REG_5, 0),
12301 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
12302 BPF_MOV64_IMM(BPF_REG_5, 1),
12303 /* now the pkt range is verified, read pkt_ptr from stack */
12304 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
12305 /* write 4 bytes into packet */
12306 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12307 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12310 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12315 "calls: pkt_ptr spill into caller stack 4",
12317 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12318 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12319 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
12320 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
12321 /* Check marking propagated. */
12322 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12323 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
12327 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12328 offsetof(struct __sk_buff, data)),
12329 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12330 offsetof(struct __sk_buff, data_end)),
12331 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12332 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12333 /* spill unchecked pkt_ptr into stack of caller */
12334 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12335 BPF_MOV64_IMM(BPF_REG_5, 0),
12336 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
12337 BPF_MOV64_IMM(BPF_REG_5, 1),
12338 /* don't read back pkt_ptr from stack here */
12339 /* write 4 bytes into packet */
12340 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12341 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12344 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12349 "calls: pkt_ptr spill into caller stack 5",
12351 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12352 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12353 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, 0),
12354 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12355 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12356 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
12360 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12361 offsetof(struct __sk_buff, data)),
12362 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12363 offsetof(struct __sk_buff, data_end)),
12364 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12365 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12366 BPF_MOV64_IMM(BPF_REG_5, 0),
12367 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
12368 /* spill checked pkt_ptr into stack of caller */
12369 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12370 BPF_MOV64_IMM(BPF_REG_5, 1),
12371 /* don't read back pkt_ptr from stack here */
12372 /* write 4 bytes into packet */
12373 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12374 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12377 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12378 .errstr = "same insn cannot be used with different",
12382 "calls: pkt_ptr spill into caller stack 6",
12384 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12385 offsetof(struct __sk_buff, data_end)),
12386 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12387 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12388 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12389 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12390 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12391 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
12395 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12396 offsetof(struct __sk_buff, data)),
12397 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12398 offsetof(struct __sk_buff, data_end)),
12399 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12400 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12401 BPF_MOV64_IMM(BPF_REG_5, 0),
12402 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
12403 /* spill checked pkt_ptr into stack of caller */
12404 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12405 BPF_MOV64_IMM(BPF_REG_5, 1),
12406 /* don't read back pkt_ptr from stack here */
12407 /* write 4 bytes into packet */
12408 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12409 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12412 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12413 .errstr = "R4 invalid mem access",
12417 "calls: pkt_ptr spill into caller stack 7",
12419 BPF_MOV64_IMM(BPF_REG_2, 0),
12420 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12421 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12422 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12423 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12424 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12425 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
12429 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12430 offsetof(struct __sk_buff, data)),
12431 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12432 offsetof(struct __sk_buff, data_end)),
12433 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12434 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12435 BPF_MOV64_IMM(BPF_REG_5, 0),
12436 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
12437 /* spill checked pkt_ptr into stack of caller */
12438 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12439 BPF_MOV64_IMM(BPF_REG_5, 1),
12440 /* don't read back pkt_ptr from stack here */
12441 /* write 4 bytes into packet */
12442 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12443 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12446 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12447 .errstr = "R4 invalid mem access",
12451 "calls: pkt_ptr spill into caller stack 8",
12453 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12454 offsetof(struct __sk_buff, data)),
12455 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12456 offsetof(struct __sk_buff, data_end)),
12457 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12458 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12459 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
12461 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12462 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12463 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12464 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12465 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12466 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
12470 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12471 offsetof(struct __sk_buff, data)),
12472 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12473 offsetof(struct __sk_buff, data_end)),
12474 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12475 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12476 BPF_MOV64_IMM(BPF_REG_5, 0),
12477 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
12478 /* spill checked pkt_ptr into stack of caller */
12479 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12480 BPF_MOV64_IMM(BPF_REG_5, 1),
12481 /* don't read back pkt_ptr from stack here */
12482 /* write 4 bytes into packet */
12483 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12484 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12487 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12491 "calls: pkt_ptr spill into caller stack 9",
12493 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12494 offsetof(struct __sk_buff, data)),
12495 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12496 offsetof(struct __sk_buff, data_end)),
12497 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12498 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12499 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
12501 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12502 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12503 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12504 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12505 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12506 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
12510 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12511 offsetof(struct __sk_buff, data)),
12512 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12513 offsetof(struct __sk_buff, data_end)),
12514 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12515 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12516 BPF_MOV64_IMM(BPF_REG_5, 0),
12517 /* spill unchecked pkt_ptr into stack of caller */
12518 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12519 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
12520 BPF_MOV64_IMM(BPF_REG_5, 1),
12521 /* don't read back pkt_ptr from stack here */
12522 /* write 4 bytes into packet */
12523 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12524 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12527 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12528 .errstr = "invalid access to packet",
12532 "calls: caller stack init to zero or map_value_or_null",
12534 BPF_MOV64_IMM(BPF_REG_0, 0),
12535 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12536 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12537 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12538 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
12539 /* fetch map_value_or_null or const_zero from stack */
12540 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
12541 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
12542 /* store into map_value */
12543 BPF_ST_MEM(BPF_W, BPF_REG_0, 0, 0),
12547 /* if (ctx == 0) return; */
12548 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 8),
12549 /* else bpf_map_lookup() and *(fp - 8) = r0 */
12550 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
12551 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12552 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12553 BPF_LD_MAP_FD(BPF_REG_1, 0),
12554 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12555 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12556 BPF_FUNC_map_lookup_elem),
12557 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
12558 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
12561 .fixup_map_hash_8b = { 13 },
12563 .prog_type = BPF_PROG_TYPE_XDP,
12566 "calls: stack init to zero and pruning",
12568 /* first make allocated_stack 16 byte */
12569 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
12570 /* now fork the execution such that the false branch
12571 * of JGT insn will be verified second and it skisp zero
12572 * init of fp-8 stack slot. If stack liveness marking
12573 * is missing live_read marks from call map_lookup
12574 * processing then pruning will incorrectly assume
12575 * that fp-8 stack slot was unused in the fall-through
12576 * branch and will accept the program incorrectly
12578 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 2),
12579 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12580 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
12581 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12582 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12583 BPF_LD_MAP_FD(BPF_REG_1, 0),
12584 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12585 BPF_FUNC_map_lookup_elem),
12588 .fixup_map_hash_48b = { 6 },
12589 .errstr = "invalid indirect read from stack off -8+0 size 8",
12591 .prog_type = BPF_PROG_TYPE_XDP,
12594 "calls: two calls returning different map pointers for lookup (hash, array)",
12597 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
12599 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
12601 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
12602 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12603 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12604 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12605 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12606 BPF_FUNC_map_lookup_elem),
12607 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
12608 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
12609 offsetof(struct test_val, foo)),
12610 BPF_MOV64_IMM(BPF_REG_0, 1),
12613 BPF_LD_MAP_FD(BPF_REG_0, 0),
12616 BPF_LD_MAP_FD(BPF_REG_0, 0),
12619 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12620 .fixup_map_hash_48b = { 13 },
12621 .fixup_map_array_48b = { 16 },
12626 "calls: two calls returning different map pointers for lookup (hash, map in map)",
12629 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
12631 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
12633 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
12634 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12635 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12636 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12637 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12638 BPF_FUNC_map_lookup_elem),
12639 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
12640 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
12641 offsetof(struct test_val, foo)),
12642 BPF_MOV64_IMM(BPF_REG_0, 1),
12645 BPF_LD_MAP_FD(BPF_REG_0, 0),
12648 BPF_LD_MAP_FD(BPF_REG_0, 0),
12651 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12652 .fixup_map_in_map = { 16 },
12653 .fixup_map_array_48b = { 13 },
12655 .errstr = "R0 invalid mem access 'map_ptr'",
12658 "cond: two branches returning different map pointers for lookup (tail, tail)",
12660 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
12661 offsetof(struct __sk_buff, mark)),
12662 BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 0, 3),
12663 BPF_LD_MAP_FD(BPF_REG_2, 0),
12664 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12665 BPF_LD_MAP_FD(BPF_REG_2, 0),
12666 BPF_MOV64_IMM(BPF_REG_3, 7),
12667 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12668 BPF_FUNC_tail_call),
12669 BPF_MOV64_IMM(BPF_REG_0, 1),
12672 .fixup_prog1 = { 5 },
12673 .fixup_prog2 = { 2 },
12674 .result_unpriv = REJECT,
12675 .errstr_unpriv = "tail_call abusing map_ptr",
12680 "cond: two branches returning same map pointers for lookup (tail, tail)",
12682 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
12683 offsetof(struct __sk_buff, mark)),
12684 BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 3),
12685 BPF_LD_MAP_FD(BPF_REG_2, 0),
12686 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12687 BPF_LD_MAP_FD(BPF_REG_2, 0),
12688 BPF_MOV64_IMM(BPF_REG_3, 7),
12689 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12690 BPF_FUNC_tail_call),
12691 BPF_MOV64_IMM(BPF_REG_0, 1),
12694 .fixup_prog2 = { 2, 5 },
12695 .result_unpriv = ACCEPT,
12700 "search pruning: all branches should be verified (nop operation)",
12702 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12703 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12704 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
12705 BPF_LD_MAP_FD(BPF_REG_1, 0),
12706 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
12707 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
12708 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
12709 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
12710 BPF_MOV64_IMM(BPF_REG_4, 0),
12712 BPF_MOV64_IMM(BPF_REG_4, 1),
12713 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
12714 BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
12715 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
12716 BPF_JMP_IMM(BPF_JEQ, BPF_REG_5, 0, 2),
12717 BPF_MOV64_IMM(BPF_REG_6, 0),
12718 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xdead),
12721 .fixup_map_hash_8b = { 3 },
12722 .errstr = "R6 invalid mem access 'inv'",
12724 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12727 "search pruning: all branches should be verified (invalid stack access)",
12729 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12730 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12731 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
12732 BPF_LD_MAP_FD(BPF_REG_1, 0),
12733 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
12734 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
12735 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
12736 BPF_MOV64_IMM(BPF_REG_4, 0),
12737 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
12738 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
12740 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -24),
12741 BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
12742 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
12745 .fixup_map_hash_8b = { 3 },
12746 .errstr = "invalid read from stack off -16+0 size 8",
12748 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12751 "jit: lsh, rsh, arsh by 1",
12753 BPF_MOV64_IMM(BPF_REG_0, 1),
12754 BPF_MOV64_IMM(BPF_REG_1, 0xff),
12755 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 1),
12756 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 1),
12757 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x3fc, 1),
12759 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 1),
12760 BPF_ALU32_IMM(BPF_RSH, BPF_REG_1, 1),
12761 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0xff, 1),
12763 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 1),
12764 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x7f, 1),
12766 BPF_MOV64_IMM(BPF_REG_0, 2),
12773 "jit: mov32 for ldimm64, 1",
12775 BPF_MOV64_IMM(BPF_REG_0, 2),
12776 BPF_LD_IMM64(BPF_REG_1, 0xfeffffffffffffffULL),
12777 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32),
12778 BPF_LD_IMM64(BPF_REG_2, 0xfeffffffULL),
12779 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
12780 BPF_MOV64_IMM(BPF_REG_0, 1),
12787 "jit: mov32 for ldimm64, 2",
12789 BPF_MOV64_IMM(BPF_REG_0, 1),
12790 BPF_LD_IMM64(BPF_REG_1, 0x1ffffffffULL),
12791 BPF_LD_IMM64(BPF_REG_2, 0xffffffffULL),
12792 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
12793 BPF_MOV64_IMM(BPF_REG_0, 2),
12800 "jit: various mul tests",
12802 BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
12803 BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
12804 BPF_LD_IMM64(BPF_REG_1, 0xefefefULL),
12805 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
12806 BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
12807 BPF_MOV64_IMM(BPF_REG_0, 1),
12809 BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
12810 BPF_ALU64_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
12811 BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
12812 BPF_MOV64_IMM(BPF_REG_0, 1),
12814 BPF_MOV32_REG(BPF_REG_2, BPF_REG_2),
12815 BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
12816 BPF_ALU32_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
12817 BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
12818 BPF_MOV64_IMM(BPF_REG_0, 1),
12820 BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
12821 BPF_ALU32_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
12822 BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
12823 BPF_MOV64_IMM(BPF_REG_0, 1),
12825 BPF_LD_IMM64(BPF_REG_0, 0x952a7bbcULL),
12826 BPF_LD_IMM64(BPF_REG_1, 0xfefefeULL),
12827 BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
12828 BPF_ALU32_REG(BPF_MUL, BPF_REG_2, BPF_REG_1),
12829 BPF_JMP_REG(BPF_JEQ, BPF_REG_2, BPF_REG_0, 2),
12830 BPF_MOV64_IMM(BPF_REG_0, 1),
12832 BPF_MOV64_IMM(BPF_REG_0, 2),
12839 "xadd/w check unaligned stack",
12841 BPF_MOV64_IMM(BPF_REG_0, 1),
12842 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12843 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -7),
12844 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
12848 .errstr = "misaligned stack access off",
12849 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12852 "xadd/w check unaligned map",
12854 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12855 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12856 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12857 BPF_LD_MAP_FD(BPF_REG_1, 0),
12858 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12859 BPF_FUNC_map_lookup_elem),
12860 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
12862 BPF_MOV64_IMM(BPF_REG_1, 1),
12863 BPF_STX_XADD(BPF_W, BPF_REG_0, BPF_REG_1, 3),
12864 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 3),
12867 .fixup_map_hash_8b = { 3 },
12869 .errstr = "misaligned value access off",
12870 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12873 "xadd/w check unaligned pkt",
12875 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12876 offsetof(struct xdp_md, data)),
12877 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12878 offsetof(struct xdp_md, data_end)),
12879 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
12880 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
12881 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 2),
12882 BPF_MOV64_IMM(BPF_REG_0, 99),
12883 BPF_JMP_IMM(BPF_JA, 0, 0, 6),
12884 BPF_MOV64_IMM(BPF_REG_0, 1),
12885 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12886 BPF_ST_MEM(BPF_W, BPF_REG_2, 3, 0),
12887 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 1),
12888 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 2),
12889 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 1),
12893 .errstr = "BPF_XADD stores into R2 pkt is not allowed",
12894 .prog_type = BPF_PROG_TYPE_XDP,
12897 "xadd/w check whether src/dst got mangled, 1",
12899 BPF_MOV64_IMM(BPF_REG_0, 1),
12900 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
12901 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
12902 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12903 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12904 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12905 BPF_JMP_REG(BPF_JNE, BPF_REG_6, BPF_REG_0, 3),
12906 BPF_JMP_REG(BPF_JNE, BPF_REG_7, BPF_REG_10, 2),
12907 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
12909 BPF_MOV64_IMM(BPF_REG_0, 42),
12913 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12917 "xadd/w check whether src/dst got mangled, 2",
12919 BPF_MOV64_IMM(BPF_REG_0, 1),
12920 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
12921 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
12922 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -8),
12923 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -8),
12924 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -8),
12925 BPF_JMP_REG(BPF_JNE, BPF_REG_6, BPF_REG_0, 3),
12926 BPF_JMP_REG(BPF_JNE, BPF_REG_7, BPF_REG_10, 2),
12927 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
12929 BPF_MOV64_IMM(BPF_REG_0, 42),
12933 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12937 "bpf_get_stack return R0 within range",
12939 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12940 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12941 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12942 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12943 BPF_LD_MAP_FD(BPF_REG_1, 0),
12944 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12945 BPF_FUNC_map_lookup_elem),
12946 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 28),
12947 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
12948 BPF_MOV64_IMM(BPF_REG_9, sizeof(struct test_val)),
12949 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12950 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
12951 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct test_val)),
12952 BPF_MOV64_IMM(BPF_REG_4, 256),
12953 BPF_EMIT_CALL(BPF_FUNC_get_stack),
12954 BPF_MOV64_IMM(BPF_REG_1, 0),
12955 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
12956 BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 32),
12957 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_8, 32),
12958 BPF_JMP_REG(BPF_JSLT, BPF_REG_1, BPF_REG_8, 16),
12959 BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8),
12960 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
12961 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_8),
12962 BPF_MOV64_REG(BPF_REG_1, BPF_REG_9),
12963 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32),
12964 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 32),
12965 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
12966 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_1),
12967 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
12968 BPF_MOV64_IMM(BPF_REG_5, sizeof(struct test_val)),
12969 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_5),
12970 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 4),
12971 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12972 BPF_MOV64_REG(BPF_REG_3, BPF_REG_9),
12973 BPF_MOV64_IMM(BPF_REG_4, 0),
12974 BPF_EMIT_CALL(BPF_FUNC_get_stack),
12977 .fixup_map_hash_48b = { 4 },
12979 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12982 "ld_abs: invalid op 1",
12984 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12985 BPF_LD_ABS(BPF_DW, 0),
12988 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12990 .errstr = "unknown opcode",
12993 "ld_abs: invalid op 2",
12995 BPF_MOV32_IMM(BPF_REG_0, 256),
12996 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12997 BPF_LD_IND(BPF_DW, BPF_REG_0, 0),
13000 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13002 .errstr = "unknown opcode",
13005 "ld_abs: nmap reduced",
13007 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13008 BPF_LD_ABS(BPF_H, 12),
13009 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 28),
13010 BPF_LD_ABS(BPF_H, 12),
13011 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 26),
13012 BPF_MOV32_IMM(BPF_REG_0, 18),
13013 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -64),
13014 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -64),
13015 BPF_LD_IND(BPF_W, BPF_REG_7, 14),
13016 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -60),
13017 BPF_MOV32_IMM(BPF_REG_0, 280971478),
13018 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
13019 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
13020 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -60),
13021 BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
13022 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 15),
13023 BPF_LD_ABS(BPF_H, 12),
13024 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 13),
13025 BPF_MOV32_IMM(BPF_REG_0, 22),
13026 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
13027 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
13028 BPF_LD_IND(BPF_H, BPF_REG_7, 14),
13029 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -52),
13030 BPF_MOV32_IMM(BPF_REG_0, 17366),
13031 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -48),
13032 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -48),
13033 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -52),
13034 BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
13035 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
13036 BPF_MOV32_IMM(BPF_REG_0, 256),
13038 BPF_MOV32_IMM(BPF_REG_0, 0),
13042 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x08, 0x06, 0,
13043 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
13044 0x10, 0xbf, 0x48, 0xd6, 0x43, 0xd6,
13046 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13051 "ld_abs: div + abs, test 1",
13053 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
13054 BPF_LD_ABS(BPF_B, 3),
13055 BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
13056 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
13057 BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
13058 BPF_LD_ABS(BPF_B, 4),
13059 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
13060 BPF_LD_IND(BPF_B, BPF_REG_8, -70),
13064 10, 20, 30, 40, 50,
13066 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13071 "ld_abs: div + abs, test 2",
13073 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
13074 BPF_LD_ABS(BPF_B, 3),
13075 BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
13076 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
13077 BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
13078 BPF_LD_ABS(BPF_B, 128),
13079 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
13080 BPF_LD_IND(BPF_B, BPF_REG_8, -70),
13084 10, 20, 30, 40, 50,
13086 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13091 "ld_abs: div + abs, test 3",
13093 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
13094 BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
13095 BPF_LD_ABS(BPF_B, 3),
13096 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
13100 10, 20, 30, 40, 50,
13102 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13107 "ld_abs: div + abs, test 4",
13109 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
13110 BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
13111 BPF_LD_ABS(BPF_B, 256),
13112 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
13116 10, 20, 30, 40, 50,
13118 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13123 "ld_abs: vlan + abs, test 1",
13128 .fill_helper = bpf_fill_ld_abs_vlan_push_pop,
13129 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13134 "ld_abs: vlan + abs, test 2",
13136 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13137 BPF_LD_ABS(BPF_B, 0),
13138 BPF_LD_ABS(BPF_H, 0),
13139 BPF_LD_ABS(BPF_W, 0),
13140 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
13141 BPF_MOV64_IMM(BPF_REG_6, 0),
13142 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
13143 BPF_MOV64_IMM(BPF_REG_2, 1),
13144 BPF_MOV64_IMM(BPF_REG_3, 2),
13145 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13146 BPF_FUNC_skb_vlan_push),
13147 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
13148 BPF_LD_ABS(BPF_B, 0),
13149 BPF_LD_ABS(BPF_H, 0),
13150 BPF_LD_ABS(BPF_W, 0),
13151 BPF_MOV64_IMM(BPF_REG_0, 42),
13157 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13162 "ld_abs: jump around ld_abs",
13167 .fill_helper = bpf_fill_jump_around_ld_abs,
13168 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13173 "ld_dw: xor semi-random 64 bit imms, test 1",
13176 .fill_helper = bpf_fill_rand_ld_dw,
13177 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13182 "ld_dw: xor semi-random 64 bit imms, test 2",
13185 .fill_helper = bpf_fill_rand_ld_dw,
13186 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13191 "ld_dw: xor semi-random 64 bit imms, test 3",
13194 .fill_helper = bpf_fill_rand_ld_dw,
13195 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13200 "ld_dw: xor semi-random 64 bit imms, test 4",
13203 .fill_helper = bpf_fill_rand_ld_dw,
13204 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13209 "pass unmodified ctx pointer to helper",
13211 BPF_MOV64_IMM(BPF_REG_2, 0),
13212 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13213 BPF_FUNC_csum_update),
13214 BPF_MOV64_IMM(BPF_REG_0, 0),
13217 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13221 "reference tracking: leak potential reference",
13224 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), /* leak reference */
13227 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13228 .errstr = "Unreleased reference",
13232 "reference tracking: leak potential reference on stack",
13235 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13236 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13237 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
13238 BPF_MOV64_IMM(BPF_REG_0, 0),
13241 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13242 .errstr = "Unreleased reference",
13246 "reference tracking: leak potential reference on stack 2",
13249 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13250 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13251 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
13252 BPF_MOV64_IMM(BPF_REG_0, 0),
13253 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
13256 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13257 .errstr = "Unreleased reference",
13261 "reference tracking: zero potential reference",
13264 BPF_MOV64_IMM(BPF_REG_0, 0), /* leak reference */
13267 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13268 .errstr = "Unreleased reference",
13272 "reference tracking: copy and zero potential references",
13275 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
13276 BPF_MOV64_IMM(BPF_REG_0, 0),
13277 BPF_MOV64_IMM(BPF_REG_7, 0), /* leak reference */
13280 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13281 .errstr = "Unreleased reference",
13285 "reference tracking: release reference without check",
13288 /* reference in r0 may be NULL */
13289 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13290 BPF_MOV64_IMM(BPF_REG_2, 0),
13291 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13294 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13295 .errstr = "type=sock_or_null expected=sock",
13299 "reference tracking: release reference",
13302 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13303 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13304 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13307 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13311 "reference tracking: release reference 2",
13314 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13315 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
13317 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13320 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13324 "reference tracking: release reference twice",
13327 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13328 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13329 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13330 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13331 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13332 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13335 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13336 .errstr = "type=inv expected=sock",
13340 "reference tracking: release reference twice inside branch",
13343 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13344 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13345 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3), /* goto end */
13346 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13347 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13348 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13351 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13352 .errstr = "type=inv expected=sock",
13356 "reference tracking: alloc, check, free in one subbranch",
13358 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13359 offsetof(struct __sk_buff, data)),
13360 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13361 offsetof(struct __sk_buff, data_end)),
13362 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13363 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 16),
13364 /* if (offsetof(skb, mark) > data_len) exit; */
13365 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
13367 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_2,
13368 offsetof(struct __sk_buff, mark)),
13370 BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 1), /* mark == 0? */
13371 /* Leak reference in R0 */
13373 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), /* sk NULL? */
13374 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13375 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13378 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13379 .errstr = "Unreleased reference",
13383 "reference tracking: alloc, check, free in both subbranches",
13385 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13386 offsetof(struct __sk_buff, data)),
13387 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13388 offsetof(struct __sk_buff, data_end)),
13389 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13390 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 16),
13391 /* if (offsetof(skb, mark) > data_len) exit; */
13392 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
13394 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_2,
13395 offsetof(struct __sk_buff, mark)),
13397 BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 4), /* mark == 0? */
13398 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), /* sk NULL? */
13399 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13400 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13402 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), /* sk NULL? */
13403 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13404 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13407 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13411 "reference tracking in call: free reference in subprog",
13414 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), /* unchecked reference */
13415 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
13416 BPF_MOV64_IMM(BPF_REG_0, 0),
13420 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
13421 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 1),
13422 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13425 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13429 "pass modified ctx pointer to helper, 1",
13431 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
13432 BPF_MOV64_IMM(BPF_REG_2, 0),
13433 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13434 BPF_FUNC_csum_update),
13435 BPF_MOV64_IMM(BPF_REG_0, 0),
13438 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13440 .errstr = "dereference of modified ctx ptr",
13443 "pass modified ctx pointer to helper, 2",
13445 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
13446 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13447 BPF_FUNC_get_socket_cookie),
13448 BPF_MOV64_IMM(BPF_REG_0, 0),
13451 .result_unpriv = REJECT,
13453 .errstr_unpriv = "dereference of modified ctx ptr",
13454 .errstr = "dereference of modified ctx ptr",
13457 "pass modified ctx pointer to helper, 3",
13459 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 0),
13460 BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 4),
13461 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
13462 BPF_MOV64_IMM(BPF_REG_2, 0),
13463 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13464 BPF_FUNC_csum_update),
13465 BPF_MOV64_IMM(BPF_REG_0, 0),
13468 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13470 .errstr = "variable ctx access var_off=(0x0; 0x4)",
13473 "mov64 src == dst",
13475 BPF_MOV64_IMM(BPF_REG_2, 0),
13476 BPF_MOV64_REG(BPF_REG_2, BPF_REG_2),
13477 // Check bounds are OK
13478 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
13479 BPF_MOV64_IMM(BPF_REG_0, 0),
13482 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13486 "mov64 src != dst",
13488 BPF_MOV64_IMM(BPF_REG_3, 0),
13489 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
13490 // Check bounds are OK
13491 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
13492 BPF_MOV64_IMM(BPF_REG_0, 0),
13495 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13499 "reference tracking in call: free reference in subprog and outside",
13502 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), /* unchecked reference */
13503 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13504 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
13505 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13506 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13510 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
13511 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 1),
13512 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13515 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13516 .errstr = "type=inv expected=sock",
13520 "reference tracking in call: alloc & leak reference in subprog",
13522 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13523 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13524 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
13525 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13526 BPF_MOV64_IMM(BPF_REG_0, 0),
13530 BPF_MOV64_REG(BPF_REG_6, BPF_REG_4),
13532 /* spill unchecked sk_ptr into stack of caller */
13533 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
13534 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13537 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13538 .errstr = "Unreleased reference",
13542 "reference tracking in call: alloc in subprog, release outside",
13544 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13545 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
13546 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13547 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13548 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13553 BPF_EXIT_INSN(), /* return sk */
13555 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13556 .retval = POINTER_VALUE,
13560 "reference tracking in call: sk_ptr leak into caller stack",
13562 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13563 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13564 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
13565 BPF_MOV64_IMM(BPF_REG_0, 0),
13569 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
13570 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
13571 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
13572 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
13573 /* spill unchecked sk_ptr into stack of caller */
13574 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
13575 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
13576 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
13577 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
13584 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13585 .errstr = "Unreleased reference",
13589 "reference tracking in call: sk_ptr spill into caller stack",
13591 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13592 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13593 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
13594 BPF_MOV64_IMM(BPF_REG_0, 0),
13598 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
13599 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
13600 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
13601 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
13602 /* spill unchecked sk_ptr into stack of caller */
13603 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
13604 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
13605 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
13606 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
13607 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
13608 /* now the sk_ptr is verified, free the reference */
13609 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_4, 0),
13610 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13617 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13621 "reference tracking: allow LD_ABS",
13623 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13625 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13626 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13627 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13628 BPF_LD_ABS(BPF_B, 0),
13629 BPF_LD_ABS(BPF_H, 0),
13630 BPF_LD_ABS(BPF_W, 0),
13633 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13637 "reference tracking: forbid LD_ABS while holding reference",
13639 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13641 BPF_LD_ABS(BPF_B, 0),
13642 BPF_LD_ABS(BPF_H, 0),
13643 BPF_LD_ABS(BPF_W, 0),
13644 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13645 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13646 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13649 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13650 .errstr = "BPF_LD_[ABS|IND] cannot be mixed with socket references",
13654 "reference tracking: allow LD_IND",
13656 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13658 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13659 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13660 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13661 BPF_MOV64_IMM(BPF_REG_7, 1),
13662 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
13663 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
13666 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13671 "reference tracking: forbid LD_IND while holding reference",
13673 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13675 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
13676 BPF_MOV64_IMM(BPF_REG_7, 1),
13677 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
13678 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
13679 BPF_MOV64_REG(BPF_REG_1, BPF_REG_4),
13680 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
13681 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13684 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13685 .errstr = "BPF_LD_[ABS|IND] cannot be mixed with socket references",
13689 "reference tracking: check reference or tail call",
13691 BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
13693 /* if (sk) bpf_sk_release() */
13694 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13695 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 7),
13696 /* bpf_tail_call() */
13697 BPF_MOV64_IMM(BPF_REG_3, 2),
13698 BPF_LD_MAP_FD(BPF_REG_2, 0),
13699 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
13700 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13701 BPF_FUNC_tail_call),
13702 BPF_MOV64_IMM(BPF_REG_0, 0),
13704 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13707 .fixup_prog1 = { 17 },
13708 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13712 "reference tracking: release reference then tail call",
13714 BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
13716 /* if (sk) bpf_sk_release() */
13717 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13718 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
13719 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13720 /* bpf_tail_call() */
13721 BPF_MOV64_IMM(BPF_REG_3, 2),
13722 BPF_LD_MAP_FD(BPF_REG_2, 0),
13723 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
13724 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13725 BPF_FUNC_tail_call),
13726 BPF_MOV64_IMM(BPF_REG_0, 0),
13729 .fixup_prog1 = { 18 },
13730 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13734 "reference tracking: leak possible reference over tail call",
13736 BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
13737 /* Look up socket and store in REG_6 */
13739 /* bpf_tail_call() */
13740 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13741 BPF_MOV64_IMM(BPF_REG_3, 2),
13742 BPF_LD_MAP_FD(BPF_REG_2, 0),
13743 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
13744 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13745 BPF_FUNC_tail_call),
13746 BPF_MOV64_IMM(BPF_REG_0, 0),
13747 /* if (sk) bpf_sk_release() */
13748 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13749 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
13750 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13753 .fixup_prog1 = { 16 },
13754 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13755 .errstr = "tail_call would lead to reference leak",
13759 "reference tracking: leak checked reference over tail call",
13761 BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
13762 /* Look up socket and store in REG_6 */
13764 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13765 /* if (!sk) goto end */
13766 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
13767 /* bpf_tail_call() */
13768 BPF_MOV64_IMM(BPF_REG_3, 0),
13769 BPF_LD_MAP_FD(BPF_REG_2, 0),
13770 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
13771 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13772 BPF_FUNC_tail_call),
13773 BPF_MOV64_IMM(BPF_REG_0, 0),
13774 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13775 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13778 .fixup_prog1 = { 17 },
13779 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13780 .errstr = "tail_call would lead to reference leak",
13784 "reference tracking: mangle and release sock_or_null",
13787 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13788 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 5),
13789 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13790 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13793 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13794 .errstr = "R1 pointer arithmetic on sock_or_null prohibited",
13798 "reference tracking: mangle and release sock",
13801 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13802 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
13803 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 5),
13804 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13807 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13808 .errstr = "R1 pointer arithmetic on sock prohibited",
13812 "reference tracking: access member",
13815 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13816 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
13817 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_0, 4),
13818 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13819 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13822 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13826 "reference tracking: write to member",
13829 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13830 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
13831 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13832 BPF_LD_IMM64(BPF_REG_2, 42),
13833 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_2,
13834 offsetof(struct bpf_sock, mark)),
13835 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13836 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13837 BPF_LD_IMM64(BPF_REG_0, 0),
13840 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13841 .errstr = "cannot write into socket",
13845 "reference tracking: invalid 64-bit access of member",
13848 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13849 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
13850 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
13851 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13852 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13855 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13856 .errstr = "invalid bpf_sock access off=0 size=8",
13860 "reference tracking: access after release",
13863 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13864 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
13865 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13866 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
13869 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13870 .errstr = "!read_ok",
13874 "reference tracking: direct access for lookup",
13876 /* Check that the packet is at least 64B long */
13877 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13878 offsetof(struct __sk_buff, data)),
13879 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13880 offsetof(struct __sk_buff, data_end)),
13881 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13882 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
13883 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
13884 /* sk = sk_lookup_tcp(ctx, skb->data, ...) */
13885 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct bpf_sock_tuple)),
13886 BPF_MOV64_IMM(BPF_REG_4, 0),
13887 BPF_MOV64_IMM(BPF_REG_5, 0),
13888 BPF_EMIT_CALL(BPF_FUNC_sk_lookup_tcp),
13889 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13890 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
13891 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_0, 4),
13892 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13893 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13896 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13901 static int probe_filter_length(const struct bpf_insn *fp)
13905 for (len = MAX_INSNS - 1; len > 0; --len)
13906 if (fp[len].code != 0 || fp[len].imm != 0)
13911 static int create_map(uint32_t type, uint32_t size_key,
13912 uint32_t size_value, uint32_t max_elem)
13916 fd = bpf_create_map(type, size_key, size_value, max_elem,
13917 type == BPF_MAP_TYPE_HASH ? BPF_F_NO_PREALLOC : 0);
13919 printf("Failed to create hash map '%s'!\n", strerror(errno));
13924 static int create_prog_dummy1(enum bpf_map_type prog_type)
13926 struct bpf_insn prog[] = {
13927 BPF_MOV64_IMM(BPF_REG_0, 42),
13931 return bpf_load_program(prog_type, prog,
13932 ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
13935 static int create_prog_dummy2(enum bpf_map_type prog_type, int mfd, int idx)
13937 struct bpf_insn prog[] = {
13938 BPF_MOV64_IMM(BPF_REG_3, idx),
13939 BPF_LD_MAP_FD(BPF_REG_2, mfd),
13940 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13941 BPF_FUNC_tail_call),
13942 BPF_MOV64_IMM(BPF_REG_0, 41),
13946 return bpf_load_program(prog_type, prog,
13947 ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
13950 static int create_prog_array(enum bpf_map_type prog_type, uint32_t max_elem,
13954 int mfd, p1fd, p2fd;
13956 mfd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
13957 sizeof(int), max_elem, 0);
13959 printf("Failed to create prog array '%s'!\n", strerror(errno));
13963 p1fd = create_prog_dummy1(prog_type);
13964 p2fd = create_prog_dummy2(prog_type, mfd, p2key);
13965 if (p1fd < 0 || p2fd < 0)
13967 if (bpf_map_update_elem(mfd, &p1key, &p1fd, BPF_ANY) < 0)
13969 if (bpf_map_update_elem(mfd, &p2key, &p2fd, BPF_ANY) < 0)
13982 static int create_map_in_map(void)
13984 int inner_map_fd, outer_map_fd;
13986 inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
13987 sizeof(int), 1, 0);
13988 if (inner_map_fd < 0) {
13989 printf("Failed to create array '%s'!\n", strerror(errno));
13990 return inner_map_fd;
13993 outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL,
13994 sizeof(int), inner_map_fd, 1, 0);
13995 if (outer_map_fd < 0)
13996 printf("Failed to create array of maps '%s'!\n",
13999 close(inner_map_fd);
14001 return outer_map_fd;
14004 static int create_cgroup_storage(bool percpu)
14006 enum bpf_map_type type = percpu ? BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE :
14007 BPF_MAP_TYPE_CGROUP_STORAGE;
14010 fd = bpf_create_map(type, sizeof(struct bpf_cgroup_storage_key),
14011 TEST_DATA_LEN, 0, 0);
14013 printf("Failed to create cgroup storage '%s'!\n",
14019 static char bpf_vlog[UINT_MAX >> 8];
14021 static void do_test_fixup(struct bpf_test *test, enum bpf_map_type prog_type,
14022 struct bpf_insn *prog, int *map_fds)
14024 int *fixup_map_hash_8b = test->fixup_map_hash_8b;
14025 int *fixup_map_hash_48b = test->fixup_map_hash_48b;
14026 int *fixup_map_hash_16b = test->fixup_map_hash_16b;
14027 int *fixup_map_array_48b = test->fixup_map_array_48b;
14028 int *fixup_map_sockmap = test->fixup_map_sockmap;
14029 int *fixup_map_sockhash = test->fixup_map_sockhash;
14030 int *fixup_map_xskmap = test->fixup_map_xskmap;
14031 int *fixup_map_stacktrace = test->fixup_map_stacktrace;
14032 int *fixup_prog1 = test->fixup_prog1;
14033 int *fixup_prog2 = test->fixup_prog2;
14034 int *fixup_map_in_map = test->fixup_map_in_map;
14035 int *fixup_cgroup_storage = test->fixup_cgroup_storage;
14036 int *fixup_percpu_cgroup_storage = test->fixup_percpu_cgroup_storage;
14038 if (test->fill_helper)
14039 test->fill_helper(test);
14041 /* Allocating HTs with 1 elem is fine here, since we only test
14042 * for verifier and not do a runtime lookup, so the only thing
14043 * that really matters is value size in this case.
14045 if (*fixup_map_hash_8b) {
14046 map_fds[0] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
14047 sizeof(long long), 1);
14049 prog[*fixup_map_hash_8b].imm = map_fds[0];
14050 fixup_map_hash_8b++;
14051 } while (*fixup_map_hash_8b);
14054 if (*fixup_map_hash_48b) {
14055 map_fds[1] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
14056 sizeof(struct test_val), 1);
14058 prog[*fixup_map_hash_48b].imm = map_fds[1];
14059 fixup_map_hash_48b++;
14060 } while (*fixup_map_hash_48b);
14063 if (*fixup_map_hash_16b) {
14064 map_fds[2] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
14065 sizeof(struct other_val), 1);
14067 prog[*fixup_map_hash_16b].imm = map_fds[2];
14068 fixup_map_hash_16b++;
14069 } while (*fixup_map_hash_16b);
14072 if (*fixup_map_array_48b) {
14073 map_fds[3] = create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
14074 sizeof(struct test_val), 1);
14076 prog[*fixup_map_array_48b].imm = map_fds[3];
14077 fixup_map_array_48b++;
14078 } while (*fixup_map_array_48b);
14081 if (*fixup_prog1) {
14082 map_fds[4] = create_prog_array(prog_type, 4, 0);
14084 prog[*fixup_prog1].imm = map_fds[4];
14086 } while (*fixup_prog1);
14089 if (*fixup_prog2) {
14090 map_fds[5] = create_prog_array(prog_type, 8, 7);
14092 prog[*fixup_prog2].imm = map_fds[5];
14094 } while (*fixup_prog2);
14097 if (*fixup_map_in_map) {
14098 map_fds[6] = create_map_in_map();
14100 prog[*fixup_map_in_map].imm = map_fds[6];
14101 fixup_map_in_map++;
14102 } while (*fixup_map_in_map);
14105 if (*fixup_cgroup_storage) {
14106 map_fds[7] = create_cgroup_storage(false);
14108 prog[*fixup_cgroup_storage].imm = map_fds[7];
14109 fixup_cgroup_storage++;
14110 } while (*fixup_cgroup_storage);
14113 if (*fixup_percpu_cgroup_storage) {
14114 map_fds[8] = create_cgroup_storage(true);
14116 prog[*fixup_percpu_cgroup_storage].imm = map_fds[8];
14117 fixup_percpu_cgroup_storage++;
14118 } while (*fixup_percpu_cgroup_storage);
14120 if (*fixup_map_sockmap) {
14121 map_fds[9] = create_map(BPF_MAP_TYPE_SOCKMAP, sizeof(int),
14124 prog[*fixup_map_sockmap].imm = map_fds[9];
14125 fixup_map_sockmap++;
14126 } while (*fixup_map_sockmap);
14128 if (*fixup_map_sockhash) {
14129 map_fds[10] = create_map(BPF_MAP_TYPE_SOCKHASH, sizeof(int),
14132 prog[*fixup_map_sockhash].imm = map_fds[10];
14133 fixup_map_sockhash++;
14134 } while (*fixup_map_sockhash);
14136 if (*fixup_map_xskmap) {
14137 map_fds[11] = create_map(BPF_MAP_TYPE_XSKMAP, sizeof(int),
14140 prog[*fixup_map_xskmap].imm = map_fds[11];
14141 fixup_map_xskmap++;
14142 } while (*fixup_map_xskmap);
14144 if (*fixup_map_stacktrace) {
14145 map_fds[12] = create_map(BPF_MAP_TYPE_STACK_TRACE, sizeof(u32),
14148 prog[*fixup_map_stacktrace].imm = map_fds[12];
14149 fixup_map_stacktrace++;
14150 } while (fixup_map_stacktrace);
14154 static int set_admin(bool admin)
14157 const cap_value_t cap_val = CAP_SYS_ADMIN;
14160 caps = cap_get_proc();
14162 perror("cap_get_proc");
14165 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val,
14166 admin ? CAP_SET : CAP_CLEAR)) {
14167 perror("cap_set_flag");
14170 if (cap_set_proc(caps)) {
14171 perror("cap_set_proc");
14176 if (cap_free(caps))
14177 perror("cap_free");
14181 static void do_test_single(struct bpf_test *test, bool unpriv,
14182 int *passes, int *errors)
14184 int fd_prog, expected_ret, reject_from_alignment;
14185 int prog_len, prog_type = test->prog_type;
14186 struct bpf_insn *prog = test->insns;
14187 int map_fds[MAX_NR_MAPS];
14188 const char *expected_err;
14189 uint32_t expected_val;
14193 for (i = 0; i < MAX_NR_MAPS; i++)
14197 prog_type = BPF_PROG_TYPE_SOCKET_FILTER;
14198 do_test_fixup(test, prog_type, prog, map_fds);
14199 prog_len = probe_filter_length(prog);
14201 fd_prog = bpf_verify_program(prog_type, prog, prog_len,
14202 test->flags & F_LOAD_WITH_STRICT_ALIGNMENT,
14203 "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1);
14205 expected_ret = unpriv && test->result_unpriv != UNDEF ?
14206 test->result_unpriv : test->result;
14207 expected_err = unpriv && test->errstr_unpriv ?
14208 test->errstr_unpriv : test->errstr;
14209 expected_val = unpriv && test->retval_unpriv ?
14210 test->retval_unpriv : test->retval;
14212 reject_from_alignment = fd_prog < 0 &&
14213 (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) &&
14214 strstr(bpf_vlog, "Unknown alignment.");
14215 #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
14216 if (reject_from_alignment) {
14217 printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n",
14222 if (expected_ret == ACCEPT) {
14223 if (fd_prog < 0 && !reject_from_alignment) {
14224 printf("FAIL\nFailed to load prog '%s'!\n",
14229 if (fd_prog >= 0) {
14230 printf("FAIL\nUnexpected success to load!\n");
14233 if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) {
14234 printf("FAIL\nUnexpected error message!\n\tEXP: %s\n\tRES: %s\n",
14235 expected_err, bpf_vlog);
14240 if (fd_prog >= 0) {
14241 __u8 tmp[TEST_DATA_LEN << 2];
14242 __u32 size_tmp = sizeof(tmp);
14246 err = bpf_prog_test_run(fd_prog, 1, test->data,
14247 sizeof(test->data), tmp, &size_tmp,
14251 if (err && errno != 524/*ENOTSUPP*/ && errno != EPERM) {
14252 printf("Unexpected bpf_prog_test_run error\n");
14255 if (!err && retval != expected_val &&
14256 expected_val != POINTER_VALUE) {
14257 printf("FAIL retval %d != %d\n", retval, expected_val);
14262 printf("OK%s\n", reject_from_alignment ?
14263 " (NOTE: reject due to unknown alignment)" : "");
14266 for (i = 0; i < MAX_NR_MAPS; i++)
14272 printf("%s", bpf_vlog);
14276 static bool is_admin(void)
14279 cap_flag_value_t sysadmin = CAP_CLEAR;
14280 const cap_value_t cap_val = CAP_SYS_ADMIN;
14282 #ifdef CAP_IS_SUPPORTED
14283 if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) {
14284 perror("cap_get_flag");
14288 caps = cap_get_proc();
14290 perror("cap_get_proc");
14293 if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin))
14294 perror("cap_get_flag");
14295 if (cap_free(caps))
14296 perror("cap_free");
14297 return (sysadmin == CAP_SET);
14300 static void get_unpriv_disabled()
14305 fd = fopen("/proc/sys/"UNPRIV_SYSCTL, "r");
14307 perror("fopen /proc/sys/"UNPRIV_SYSCTL);
14308 unpriv_disabled = true;
14311 if (fgets(buf, 2, fd) == buf && atoi(buf))
14312 unpriv_disabled = true;
14316 static bool test_as_unpriv(struct bpf_test *test)
14318 return !test->prog_type ||
14319 test->prog_type == BPF_PROG_TYPE_SOCKET_FILTER ||
14320 test->prog_type == BPF_PROG_TYPE_CGROUP_SKB;
14323 static int do_test(bool unpriv, unsigned int from, unsigned int to)
14325 int i, passes = 0, errors = 0, skips = 0;
14327 for (i = from; i < to; i++) {
14328 struct bpf_test *test = &tests[i];
14330 /* Program types that are not supported by non-root we
14333 if (test_as_unpriv(test) && unpriv_disabled) {
14334 printf("#%d/u %s SKIP\n", i, test->descr);
14336 } else if (test_as_unpriv(test)) {
14339 printf("#%d/u %s ", i, test->descr);
14340 do_test_single(test, true, &passes, &errors);
14346 printf("#%d/p %s SKIP\n", i, test->descr);
14349 printf("#%d/p %s ", i, test->descr);
14350 do_test_single(test, false, &passes, &errors);
14354 printf("Summary: %d PASSED, %d SKIPPED, %d FAILED\n", passes,
14356 return errors ? EXIT_FAILURE : EXIT_SUCCESS;
14359 int main(int argc, char **argv)
14361 unsigned int from = 0, to = ARRAY_SIZE(tests);
14362 bool unpriv = !is_admin();
14365 unsigned int l = atoi(argv[argc - 2]);
14366 unsigned int u = atoi(argv[argc - 1]);
14368 if (l < to && u < to) {
14372 } else if (argc == 2) {
14373 unsigned int t = atoi(argv[argc - 1]);
14381 get_unpriv_disabled();
14382 if (unpriv && unpriv_disabled) {
14383 printf("Cannot run as unprivileged user with sysctl %s.\n",
14385 return EXIT_FAILURE;
14388 bpf_semi_rand_init();
14389 return do_test(unpriv, from, to);
projects / linux-2.6-block.git / blob