2 * Testsuite for eBPF verifier
4 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
5 * Copyright (c) 2017 Facebook
6 * Copyright (c) 2018 Covalent IO, Inc. http://covalent.io
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of version 2 of the GNU General Public
10 * License as published by the Free Software Foundation.
14 #include <asm/types.h>
15 #include <linux/types.h>
27 #include <sys/capability.h>
29 #include <linux/unistd.h>
30 #include <linux/filter.h>
31 #include <linux/bpf_perf_event.h>
32 #include <linux/bpf.h>
33 #include <linux/if_ether.h>
38 # include "autoconf.h"
40 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
41 # define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
44 #include "bpf_rlimit.h"
47 #include "../../../include/linux/filter.h"
49 #define MAX_INSNS BPF_MAXINSNS
51 #define MAX_NR_MAPS 13
52 #define POINTER_VALUE 0xcafe4all
53 #define TEST_DATA_LEN 64
55 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS (1 << 0)
56 #define F_LOAD_WITH_STRICT_ALIGNMENT (1 << 1)
58 #define UNPRIV_SYSCTL "kernel/unprivileged_bpf_disabled"
59 static bool unpriv_disabled = false;
63 struct bpf_insn insns[MAX_INSNS];
64 int fixup_map_hash_8b[MAX_FIXUPS];
65 int fixup_map_hash_48b[MAX_FIXUPS];
66 int fixup_map_hash_16b[MAX_FIXUPS];
67 int fixup_map_array_48b[MAX_FIXUPS];
68 int fixup_map_sockmap[MAX_FIXUPS];
69 int fixup_map_sockhash[MAX_FIXUPS];
70 int fixup_map_xskmap[MAX_FIXUPS];
71 int fixup_map_stacktrace[MAX_FIXUPS];
72 int fixup_prog1[MAX_FIXUPS];
73 int fixup_prog2[MAX_FIXUPS];
74 int fixup_map_in_map[MAX_FIXUPS];
75 int fixup_cgroup_storage[MAX_FIXUPS];
76 int fixup_percpu_cgroup_storage[MAX_FIXUPS];
78 const char *errstr_unpriv;
79 uint32_t retval, retval_unpriv;
84 } result, result_unpriv;
85 enum bpf_prog_type prog_type;
87 __u8 data[TEST_DATA_LEN];
88 void (*fill_helper)(struct bpf_test *self);
91 /* Note we want this to be 64 bit aligned so that the end of our array is
92 * actually the end of the structure.
94 #define MAX_ENTRIES 11
106 static void bpf_fill_ld_abs_vlan_push_pop(struct bpf_test *self)
108 /* test: {skb->data[0], vlan_push} x 68 + {skb->data[0], vlan_pop} x 68 */
110 unsigned int len = BPF_MAXINSNS;
111 struct bpf_insn *insn = self->insns;
114 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
116 for (j = 0; j < PUSH_CNT; j++) {
117 insn[i++] = BPF_LD_ABS(BPF_B, 0);
118 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
120 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
121 insn[i++] = BPF_MOV64_IMM(BPF_REG_2, 1);
122 insn[i++] = BPF_MOV64_IMM(BPF_REG_3, 2);
123 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
124 BPF_FUNC_skb_vlan_push),
125 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
129 for (j = 0; j < PUSH_CNT; j++) {
130 insn[i++] = BPF_LD_ABS(BPF_B, 0);
131 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
133 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
134 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
135 BPF_FUNC_skb_vlan_pop),
136 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
142 for (; i < len - 1; i++)
143 insn[i] = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, 0xbef);
144 insn[len - 1] = BPF_EXIT_INSN();
147 static void bpf_fill_jump_around_ld_abs(struct bpf_test *self)
149 struct bpf_insn *insn = self->insns;
150 unsigned int len = BPF_MAXINSNS;
153 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
154 insn[i++] = BPF_LD_ABS(BPF_B, 0);
155 insn[i] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 10, len - i - 2);
158 insn[i++] = BPF_LD_ABS(BPF_B, 1);
159 insn[i] = BPF_EXIT_INSN();
162 static void bpf_fill_rand_ld_dw(struct bpf_test *self)
164 struct bpf_insn *insn = self->insns;
168 insn[i++] = BPF_MOV32_IMM(BPF_REG_0, 0);
169 while (i < self->retval) {
170 uint64_t val = bpf_semi_rand_get();
171 struct bpf_insn tmp[2] = { BPF_LD_IMM64(BPF_REG_1, val) };
176 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
178 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_0);
179 insn[i++] = BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32);
180 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
181 insn[i] = BPF_EXIT_INSN();
183 self->retval = (uint32_t)res;
186 /* BPF_SK_LOOKUP contains 13 instructions, if you need to fix up maps */
187 #define BPF_SK_LOOKUP \
188 /* struct bpf_sock_tuple tuple = {} */ \
189 BPF_MOV64_IMM(BPF_REG_2, 0), \
190 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_2, -8), \
191 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -16), \
192 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -24), \
193 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -32), \
194 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -40), \
195 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -48), \
196 /* sk = sk_lookup_tcp(ctx, &tuple, sizeof tuple, 0, 0) */ \
197 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), \
198 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48), \
199 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct bpf_sock_tuple)), \
200 BPF_MOV64_IMM(BPF_REG_4, 0), \
201 BPF_MOV64_IMM(BPF_REG_5, 0), \
202 BPF_EMIT_CALL(BPF_FUNC_sk_lookup_tcp)
204 static struct bpf_test tests[] = {
208 BPF_MOV64_IMM(BPF_REG_1, 1),
209 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
210 BPF_MOV64_IMM(BPF_REG_2, 3),
211 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
212 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
213 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
214 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
221 "DIV32 by 0, zero check 1",
223 BPF_MOV32_IMM(BPF_REG_0, 42),
224 BPF_MOV32_IMM(BPF_REG_1, 0),
225 BPF_MOV32_IMM(BPF_REG_2, 1),
226 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
233 "DIV32 by 0, zero check 2",
235 BPF_MOV32_IMM(BPF_REG_0, 42),
236 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
237 BPF_MOV32_IMM(BPF_REG_2, 1),
238 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
245 "DIV64 by 0, zero check",
247 BPF_MOV32_IMM(BPF_REG_0, 42),
248 BPF_MOV32_IMM(BPF_REG_1, 0),
249 BPF_MOV32_IMM(BPF_REG_2, 1),
250 BPF_ALU64_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
257 "MOD32 by 0, zero check 1",
259 BPF_MOV32_IMM(BPF_REG_0, 42),
260 BPF_MOV32_IMM(BPF_REG_1, 0),
261 BPF_MOV32_IMM(BPF_REG_2, 1),
262 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
269 "MOD32 by 0, zero check 2",
271 BPF_MOV32_IMM(BPF_REG_0, 42),
272 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
273 BPF_MOV32_IMM(BPF_REG_2, 1),
274 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
281 "MOD64 by 0, zero check",
283 BPF_MOV32_IMM(BPF_REG_0, 42),
284 BPF_MOV32_IMM(BPF_REG_1, 0),
285 BPF_MOV32_IMM(BPF_REG_2, 1),
286 BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
293 "DIV32 by 0, zero check ok, cls",
295 BPF_MOV32_IMM(BPF_REG_0, 42),
296 BPF_MOV32_IMM(BPF_REG_1, 2),
297 BPF_MOV32_IMM(BPF_REG_2, 16),
298 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
299 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
302 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
307 "DIV32 by 0, zero check 1, cls",
309 BPF_MOV32_IMM(BPF_REG_1, 0),
310 BPF_MOV32_IMM(BPF_REG_0, 1),
311 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
314 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
319 "DIV32 by 0, zero check 2, cls",
321 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
322 BPF_MOV32_IMM(BPF_REG_0, 1),
323 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
326 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
331 "DIV64 by 0, zero check, cls",
333 BPF_MOV32_IMM(BPF_REG_1, 0),
334 BPF_MOV32_IMM(BPF_REG_0, 1),
335 BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
338 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
343 "MOD32 by 0, zero check ok, cls",
345 BPF_MOV32_IMM(BPF_REG_0, 42),
346 BPF_MOV32_IMM(BPF_REG_1, 3),
347 BPF_MOV32_IMM(BPF_REG_2, 5),
348 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
349 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
352 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
357 "MOD32 by 0, zero check 1, cls",
359 BPF_MOV32_IMM(BPF_REG_1, 0),
360 BPF_MOV32_IMM(BPF_REG_0, 1),
361 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
364 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
369 "MOD32 by 0, zero check 2, cls",
371 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
372 BPF_MOV32_IMM(BPF_REG_0, 1),
373 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
376 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
381 "MOD64 by 0, zero check 1, cls",
383 BPF_MOV32_IMM(BPF_REG_1, 0),
384 BPF_MOV32_IMM(BPF_REG_0, 2),
385 BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
388 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
393 "MOD64 by 0, zero check 2, cls",
395 BPF_MOV32_IMM(BPF_REG_1, 0),
396 BPF_MOV32_IMM(BPF_REG_0, -1),
397 BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
400 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
404 /* Just make sure that JITs used udiv/umod as otherwise we get
405 * an exception from INT_MIN/-1 overflow similarly as with div
409 "DIV32 overflow, check 1",
411 BPF_MOV32_IMM(BPF_REG_1, -1),
412 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
413 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
416 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
421 "DIV32 overflow, check 2",
423 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
424 BPF_ALU32_IMM(BPF_DIV, BPF_REG_0, -1),
427 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
432 "DIV64 overflow, check 1",
434 BPF_MOV64_IMM(BPF_REG_1, -1),
435 BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
436 BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
439 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
444 "DIV64 overflow, check 2",
446 BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
447 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, -1),
450 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
455 "MOD32 overflow, check 1",
457 BPF_MOV32_IMM(BPF_REG_1, -1),
458 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
459 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
462 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
467 "MOD32 overflow, check 2",
469 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
470 BPF_ALU32_IMM(BPF_MOD, BPF_REG_0, -1),
473 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
478 "MOD64 overflow, check 1",
480 BPF_MOV64_IMM(BPF_REG_1, -1),
481 BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
482 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
483 BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
484 BPF_MOV32_IMM(BPF_REG_0, 0),
485 BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
486 BPF_MOV32_IMM(BPF_REG_0, 1),
489 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
494 "MOD64 overflow, check 2",
496 BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
497 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
498 BPF_ALU64_IMM(BPF_MOD, BPF_REG_2, -1),
499 BPF_MOV32_IMM(BPF_REG_0, 0),
500 BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
501 BPF_MOV32_IMM(BPF_REG_0, 1),
504 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
509 "xor32 zero extend check",
511 BPF_MOV32_IMM(BPF_REG_2, -1),
512 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32),
513 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 0xffff),
514 BPF_ALU32_REG(BPF_XOR, BPF_REG_2, BPF_REG_2),
515 BPF_MOV32_IMM(BPF_REG_0, 2),
516 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1),
517 BPF_MOV32_IMM(BPF_REG_0, 1),
520 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
528 .errstr = "unknown opcode 00",
536 .errstr = "R0 !read_ok",
545 .errstr = "unreachable",
551 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
552 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
555 .errstr = "unreachable",
561 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
564 .errstr = "jump out of range",
568 "out of range jump2",
570 BPF_JMP_IMM(BPF_JA, 0, 0, -2),
573 .errstr = "jump out of range",
579 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
580 BPF_LD_IMM64(BPF_REG_0, 0),
581 BPF_LD_IMM64(BPF_REG_0, 0),
582 BPF_LD_IMM64(BPF_REG_0, 1),
583 BPF_LD_IMM64(BPF_REG_0, 1),
584 BPF_MOV64_IMM(BPF_REG_0, 2),
587 .errstr = "invalid BPF_LD_IMM insn",
588 .errstr_unpriv = "R1 pointer comparison",
594 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
595 BPF_LD_IMM64(BPF_REG_0, 0),
596 BPF_LD_IMM64(BPF_REG_0, 0),
597 BPF_LD_IMM64(BPF_REG_0, 1),
598 BPF_LD_IMM64(BPF_REG_0, 1),
601 .errstr = "invalid BPF_LD_IMM insn",
602 .errstr_unpriv = "R1 pointer comparison",
608 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
609 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
610 BPF_LD_IMM64(BPF_REG_0, 0),
611 BPF_LD_IMM64(BPF_REG_0, 0),
612 BPF_LD_IMM64(BPF_REG_0, 1),
613 BPF_LD_IMM64(BPF_REG_0, 1),
616 .errstr = "invalid bpf_ld_imm64 insn",
622 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
625 .errstr = "invalid bpf_ld_imm64 insn",
631 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
633 .errstr = "invalid bpf_ld_imm64 insn",
639 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
640 BPF_RAW_INSN(0, 0, 0, 0, 0),
648 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
649 BPF_RAW_INSN(0, 0, 0, 0, 1),
658 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
659 BPF_RAW_INSN(0, 0, 0, 0, 1),
662 .errstr = "uses reserved fields",
668 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
669 BPF_RAW_INSN(0, 0, 0, 1, 1),
672 .errstr = "invalid bpf_ld_imm64 insn",
678 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
679 BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
682 .errstr = "invalid bpf_ld_imm64 insn",
688 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
689 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
692 .errstr = "invalid bpf_ld_imm64 insn",
698 BPF_MOV64_IMM(BPF_REG_1, 0),
699 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
700 BPF_RAW_INSN(0, 0, 0, 0, 1),
703 .errstr = "not pointing to valid bpf_map",
709 BPF_MOV64_IMM(BPF_REG_1, 0),
710 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
711 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
714 .errstr = "invalid bpf_ld_imm64 insn",
720 BPF_MOV64_IMM(BPF_REG_0, 1),
721 BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 5),
730 BPF_LD_IMM64(BPF_REG_0, 0x1122334485667788),
731 BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 7),
740 BPF_MOV64_IMM(BPF_REG_0, 1),
741 BPF_MOV64_IMM(BPF_REG_1, 5),
742 BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
751 BPF_LD_IMM64(BPF_REG_0, 0xffff55667788),
752 BPF_MOV64_IMM(BPF_REG_1, 15),
753 BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
762 BPF_MOV64_IMM(BPF_REG_0, 1),
763 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_0, 5),
771 BPF_MOV64_IMM(BPF_REG_0, 1),
772 BPF_MOV64_IMM(BPF_REG_1, 5),
773 BPF_ALU64_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
781 BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
783 .errstr = "not an exit",
789 BPF_JMP_IMM(BPF_JA, 0, 0, -1),
792 .errstr = "back-edge",
798 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
799 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
800 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
801 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
804 .errstr = "back-edge",
810 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
811 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
812 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
813 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
816 .errstr = "back-edge",
820 "read uninitialized register",
822 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
825 .errstr = "R2 !read_ok",
829 "read invalid register",
831 BPF_MOV64_REG(BPF_REG_0, -1),
834 .errstr = "R15 is invalid",
838 "program doesn't init R0 before exit",
840 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
843 .errstr = "R0 !read_ok",
847 "program doesn't init R0 before exit in all branches",
849 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
850 BPF_MOV64_IMM(BPF_REG_0, 1),
851 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
854 .errstr = "R0 !read_ok",
855 .errstr_unpriv = "R1 pointer comparison",
859 "stack out of bounds",
861 BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
864 .errstr = "invalid stack",
868 "invalid call insn1",
870 BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
873 .errstr = "unknown opcode 8d",
877 "invalid call insn2",
879 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
882 .errstr = "BPF_CALL uses reserved",
886 "invalid function call",
888 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
891 .errstr = "invalid func unknown#1234567",
895 "uninitialized stack1",
897 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
898 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
899 BPF_LD_MAP_FD(BPF_REG_1, 0),
900 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
901 BPF_FUNC_map_lookup_elem),
904 .fixup_map_hash_8b = { 2 },
905 .errstr = "invalid indirect read from stack",
909 "uninitialized stack2",
911 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
912 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
915 .errstr = "invalid read from stack",
919 "invalid fp arithmetic",
920 /* If this gets ever changed, make sure JITs can deal with it. */
922 BPF_MOV64_IMM(BPF_REG_0, 0),
923 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
924 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
925 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
928 .errstr = "R1 subtraction from stack pointer",
932 "non-invalid fp arithmetic",
934 BPF_MOV64_IMM(BPF_REG_0, 0),
935 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
941 "invalid argument register",
943 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
944 BPF_FUNC_get_cgroup_classid),
945 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
946 BPF_FUNC_get_cgroup_classid),
949 .errstr = "R1 !read_ok",
951 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
954 "non-invalid argument register",
956 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
957 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
958 BPF_FUNC_get_cgroup_classid),
959 BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
960 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
961 BPF_FUNC_get_cgroup_classid),
965 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
968 "check valid spill/fill",
970 /* spill R1(ctx) into stack */
971 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
972 /* fill it back into R2 */
973 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
974 /* should be able to access R0 = *(R2 + 8) */
975 /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
976 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
979 .errstr_unpriv = "R0 leaks addr",
981 .result_unpriv = REJECT,
982 .retval = POINTER_VALUE,
985 "check valid spill/fill, skb mark",
987 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
988 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
989 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
990 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
991 offsetof(struct __sk_buff, mark)),
995 .result_unpriv = ACCEPT,
998 "check corrupted spill/fill",
1000 /* spill R1(ctx) into stack */
1001 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
1002 /* mess up with R1 pointer on stack */
1003 BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
1004 /* fill back into R0 should fail */
1005 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
1008 .errstr_unpriv = "attempt to corrupt spilled",
1009 .errstr = "corrupted spill",
1013 "invalid src register in STX",
1015 BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
1018 .errstr = "R15 is invalid",
1022 "invalid dst register in STX",
1024 BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
1027 .errstr = "R14 is invalid",
1031 "invalid dst register in ST",
1033 BPF_ST_MEM(BPF_B, 14, -1, -1),
1036 .errstr = "R14 is invalid",
1040 "invalid src register in LDX",
1042 BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
1045 .errstr = "R12 is invalid",
1049 "invalid dst register in LDX",
1051 BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
1054 .errstr = "R11 is invalid",
1060 BPF_RAW_INSN(0, 0, 0, 0, 0),
1063 .errstr = "unknown opcode 00",
1069 BPF_RAW_INSN(1, 0, 0, 0, 0),
1072 .errstr = "BPF_LDX uses reserved fields",
1078 BPF_RAW_INSN(-1, 0, 0, 0, 0),
1081 .errstr = "unknown opcode ff",
1087 BPF_RAW_INSN(-1, -1, -1, -1, -1),
1090 .errstr = "unknown opcode ff",
1096 BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
1099 .errstr = "BPF_ALU uses reserved fields",
1103 "misaligned read from stack",
1105 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1106 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
1109 .errstr = "misaligned stack access",
1113 "invalid map_fd for function call",
1115 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1116 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
1117 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1118 BPF_LD_MAP_FD(BPF_REG_1, 0),
1119 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1120 BPF_FUNC_map_delete_elem),
1123 .errstr = "fd 0 is not pointing to valid bpf_map",
1127 "don't check return value before access",
1129 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1130 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1131 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1132 BPF_LD_MAP_FD(BPF_REG_1, 0),
1133 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1134 BPF_FUNC_map_lookup_elem),
1135 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1138 .fixup_map_hash_8b = { 3 },
1139 .errstr = "R0 invalid mem access 'map_value_or_null'",
1143 "access memory with incorrect alignment",
1145 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1146 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1147 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1148 BPF_LD_MAP_FD(BPF_REG_1, 0),
1149 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1150 BPF_FUNC_map_lookup_elem),
1151 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1152 BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
1155 .fixup_map_hash_8b = { 3 },
1156 .errstr = "misaligned value access",
1158 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1161 "sometimes access memory with incorrect alignment",
1163 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1164 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1165 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1166 BPF_LD_MAP_FD(BPF_REG_1, 0),
1167 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1168 BPF_FUNC_map_lookup_elem),
1169 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
1170 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1172 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
1175 .fixup_map_hash_8b = { 3 },
1176 .errstr = "R0 invalid mem access",
1177 .errstr_unpriv = "R0 leaks addr",
1179 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1184 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1185 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
1186 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
1187 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1188 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
1189 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
1190 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
1191 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
1192 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
1193 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
1194 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
1195 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
1196 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1197 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
1198 BPF_MOV64_IMM(BPF_REG_0, 0),
1201 .errstr_unpriv = "R1 pointer comparison",
1202 .result_unpriv = REJECT,
1208 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1209 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
1210 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1211 BPF_JMP_IMM(BPF_JA, 0, 0, 14),
1212 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
1213 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1214 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1215 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
1216 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1217 BPF_JMP_IMM(BPF_JA, 0, 0, 8),
1218 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
1219 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1220 BPF_JMP_IMM(BPF_JA, 0, 0, 5),
1221 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
1222 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1223 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1224 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1225 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1226 BPF_MOV64_IMM(BPF_REG_0, 0),
1229 .errstr_unpriv = "R1 pointer comparison",
1230 .result_unpriv = REJECT,
1236 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1237 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1238 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1239 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1240 BPF_JMP_IMM(BPF_JA, 0, 0, 19),
1241 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
1242 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1243 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1244 BPF_JMP_IMM(BPF_JA, 0, 0, 15),
1245 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
1246 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1247 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
1248 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1249 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
1250 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1251 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
1252 BPF_JMP_IMM(BPF_JA, 0, 0, 7),
1253 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
1254 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1255 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
1256 BPF_JMP_IMM(BPF_JA, 0, 0, 3),
1257 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
1258 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1259 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
1260 BPF_LD_MAP_FD(BPF_REG_1, 0),
1261 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1262 BPF_FUNC_map_delete_elem),
1265 .fixup_map_hash_8b = { 24 },
1266 .errstr_unpriv = "R1 pointer comparison",
1267 .result_unpriv = REJECT,
1274 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1275 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1276 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1277 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1278 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1279 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1280 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1281 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1282 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1283 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1284 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1285 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1286 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1287 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1288 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1289 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1290 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1291 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1292 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1293 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1294 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1295 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1296 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1297 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1298 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1299 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1300 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1301 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1302 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1303 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1304 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1305 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1306 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1307 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1308 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1309 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1310 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1311 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1312 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1313 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1314 BPF_MOV64_IMM(BPF_REG_0, 0),
1317 .errstr_unpriv = "R1 pointer comparison",
1318 .result_unpriv = REJECT,
1324 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1325 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1326 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1327 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1328 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1329 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1330 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1331 BPF_MOV64_IMM(BPF_REG_0, 0),
1332 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1333 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1334 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1335 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1336 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1337 BPF_MOV64_IMM(BPF_REG_0, 0),
1338 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1339 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1340 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1341 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1342 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1343 BPF_MOV64_IMM(BPF_REG_0, 0),
1344 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1345 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1346 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1347 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1348 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1349 BPF_MOV64_IMM(BPF_REG_0, 0),
1350 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1351 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1352 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1353 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1354 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1355 BPF_MOV64_IMM(BPF_REG_0, 0),
1358 .errstr_unpriv = "R1 pointer comparison",
1359 .result_unpriv = REJECT,
1363 "access skb fields ok",
1365 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1366 offsetof(struct __sk_buff, len)),
1367 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1368 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1369 offsetof(struct __sk_buff, mark)),
1370 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1371 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1372 offsetof(struct __sk_buff, pkt_type)),
1373 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1374 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1375 offsetof(struct __sk_buff, queue_mapping)),
1376 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1377 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1378 offsetof(struct __sk_buff, protocol)),
1379 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1380 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1381 offsetof(struct __sk_buff, vlan_present)),
1382 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1383 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1384 offsetof(struct __sk_buff, vlan_tci)),
1385 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1386 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1387 offsetof(struct __sk_buff, napi_id)),
1388 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1394 "access skb fields bad1",
1396 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
1399 .errstr = "invalid bpf_context access",
1403 "access skb fields bad2",
1405 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
1406 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1407 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1408 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1409 BPF_LD_MAP_FD(BPF_REG_1, 0),
1410 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1411 BPF_FUNC_map_lookup_elem),
1412 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1414 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1415 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1416 offsetof(struct __sk_buff, pkt_type)),
1419 .fixup_map_hash_8b = { 4 },
1420 .errstr = "different pointers",
1421 .errstr_unpriv = "R1 pointer comparison",
1425 "access skb fields bad3",
1427 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1428 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1429 offsetof(struct __sk_buff, pkt_type)),
1431 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1432 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1433 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1434 BPF_LD_MAP_FD(BPF_REG_1, 0),
1435 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1436 BPF_FUNC_map_lookup_elem),
1437 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1439 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1440 BPF_JMP_IMM(BPF_JA, 0, 0, -12),
1442 .fixup_map_hash_8b = { 6 },
1443 .errstr = "different pointers",
1444 .errstr_unpriv = "R1 pointer comparison",
1448 "access skb fields bad4",
1450 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
1451 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1452 offsetof(struct __sk_buff, len)),
1453 BPF_MOV64_IMM(BPF_REG_0, 0),
1455 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1456 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1457 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1458 BPF_LD_MAP_FD(BPF_REG_1, 0),
1459 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1460 BPF_FUNC_map_lookup_elem),
1461 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1463 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1464 BPF_JMP_IMM(BPF_JA, 0, 0, -13),
1466 .fixup_map_hash_8b = { 7 },
1467 .errstr = "different pointers",
1468 .errstr_unpriv = "R1 pointer comparison",
1472 "invalid access __sk_buff family",
1474 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1475 offsetof(struct __sk_buff, family)),
1478 .errstr = "invalid bpf_context access",
1482 "invalid access __sk_buff remote_ip4",
1484 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1485 offsetof(struct __sk_buff, remote_ip4)),
1488 .errstr = "invalid bpf_context access",
1492 "invalid access __sk_buff local_ip4",
1494 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1495 offsetof(struct __sk_buff, local_ip4)),
1498 .errstr = "invalid bpf_context access",
1502 "invalid access __sk_buff remote_ip6",
1504 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1505 offsetof(struct __sk_buff, remote_ip6)),
1508 .errstr = "invalid bpf_context access",
1512 "invalid access __sk_buff local_ip6",
1514 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1515 offsetof(struct __sk_buff, local_ip6)),
1518 .errstr = "invalid bpf_context access",
1522 "invalid access __sk_buff remote_port",
1524 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1525 offsetof(struct __sk_buff, remote_port)),
1528 .errstr = "invalid bpf_context access",
1532 "invalid access __sk_buff remote_port",
1534 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1535 offsetof(struct __sk_buff, local_port)),
1538 .errstr = "invalid bpf_context access",
1542 "valid access __sk_buff family",
1544 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1545 offsetof(struct __sk_buff, family)),
1549 .prog_type = BPF_PROG_TYPE_SK_SKB,
1552 "valid access __sk_buff remote_ip4",
1554 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1555 offsetof(struct __sk_buff, remote_ip4)),
1559 .prog_type = BPF_PROG_TYPE_SK_SKB,
1562 "valid access __sk_buff local_ip4",
1564 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1565 offsetof(struct __sk_buff, local_ip4)),
1569 .prog_type = BPF_PROG_TYPE_SK_SKB,
1572 "valid access __sk_buff remote_ip6",
1574 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1575 offsetof(struct __sk_buff, remote_ip6[0])),
1576 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1577 offsetof(struct __sk_buff, remote_ip6[1])),
1578 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1579 offsetof(struct __sk_buff, remote_ip6[2])),
1580 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1581 offsetof(struct __sk_buff, remote_ip6[3])),
1585 .prog_type = BPF_PROG_TYPE_SK_SKB,
1588 "valid access __sk_buff local_ip6",
1590 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1591 offsetof(struct __sk_buff, local_ip6[0])),
1592 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1593 offsetof(struct __sk_buff, local_ip6[1])),
1594 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1595 offsetof(struct __sk_buff, local_ip6[2])),
1596 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1597 offsetof(struct __sk_buff, local_ip6[3])),
1601 .prog_type = BPF_PROG_TYPE_SK_SKB,
1604 "valid access __sk_buff remote_port",
1606 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1607 offsetof(struct __sk_buff, remote_port)),
1611 .prog_type = BPF_PROG_TYPE_SK_SKB,
1614 "valid access __sk_buff remote_port",
1616 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1617 offsetof(struct __sk_buff, local_port)),
1621 .prog_type = BPF_PROG_TYPE_SK_SKB,
1624 "invalid access of tc_classid for SK_SKB",
1626 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1627 offsetof(struct __sk_buff, tc_classid)),
1631 .prog_type = BPF_PROG_TYPE_SK_SKB,
1632 .errstr = "invalid bpf_context access",
1635 "invalid access of skb->mark for SK_SKB",
1637 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1638 offsetof(struct __sk_buff, mark)),
1642 .prog_type = BPF_PROG_TYPE_SK_SKB,
1643 .errstr = "invalid bpf_context access",
1646 "check skb->mark is not writeable by SK_SKB",
1648 BPF_MOV64_IMM(BPF_REG_0, 0),
1649 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1650 offsetof(struct __sk_buff, mark)),
1654 .prog_type = BPF_PROG_TYPE_SK_SKB,
1655 .errstr = "invalid bpf_context access",
1658 "check skb->tc_index is writeable by SK_SKB",
1660 BPF_MOV64_IMM(BPF_REG_0, 0),
1661 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1662 offsetof(struct __sk_buff, tc_index)),
1666 .prog_type = BPF_PROG_TYPE_SK_SKB,
1669 "check skb->priority is writeable by SK_SKB",
1671 BPF_MOV64_IMM(BPF_REG_0, 0),
1672 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1673 offsetof(struct __sk_buff, priority)),
1677 .prog_type = BPF_PROG_TYPE_SK_SKB,
1680 "direct packet read for SK_SKB",
1682 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1683 offsetof(struct __sk_buff, data)),
1684 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1685 offsetof(struct __sk_buff, data_end)),
1686 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1687 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1688 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1689 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1690 BPF_MOV64_IMM(BPF_REG_0, 0),
1694 .prog_type = BPF_PROG_TYPE_SK_SKB,
1697 "direct packet write for SK_SKB",
1699 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1700 offsetof(struct __sk_buff, data)),
1701 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1702 offsetof(struct __sk_buff, data_end)),
1703 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1704 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1705 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1706 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1707 BPF_MOV64_IMM(BPF_REG_0, 0),
1711 .prog_type = BPF_PROG_TYPE_SK_SKB,
1714 "overlapping checks for direct packet access SK_SKB",
1716 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1717 offsetof(struct __sk_buff, data)),
1718 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1719 offsetof(struct __sk_buff, data_end)),
1720 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1721 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1722 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1723 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1724 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1725 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1726 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1727 BPF_MOV64_IMM(BPF_REG_0, 0),
1731 .prog_type = BPF_PROG_TYPE_SK_SKB,
1734 "valid access family in SK_MSG",
1736 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1737 offsetof(struct sk_msg_md, family)),
1741 .prog_type = BPF_PROG_TYPE_SK_MSG,
1744 "valid access remote_ip4 in SK_MSG",
1746 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1747 offsetof(struct sk_msg_md, remote_ip4)),
1751 .prog_type = BPF_PROG_TYPE_SK_MSG,
1754 "valid access local_ip4 in SK_MSG",
1756 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1757 offsetof(struct sk_msg_md, local_ip4)),
1761 .prog_type = BPF_PROG_TYPE_SK_MSG,
1764 "valid access remote_port in SK_MSG",
1766 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1767 offsetof(struct sk_msg_md, remote_port)),
1771 .prog_type = BPF_PROG_TYPE_SK_MSG,
1774 "valid access local_port in SK_MSG",
1776 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1777 offsetof(struct sk_msg_md, local_port)),
1781 .prog_type = BPF_PROG_TYPE_SK_MSG,
1784 "valid access remote_ip6 in SK_MSG",
1786 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1787 offsetof(struct sk_msg_md, remote_ip6[0])),
1788 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1789 offsetof(struct sk_msg_md, remote_ip6[1])),
1790 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1791 offsetof(struct sk_msg_md, remote_ip6[2])),
1792 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1793 offsetof(struct sk_msg_md, remote_ip6[3])),
1797 .prog_type = BPF_PROG_TYPE_SK_SKB,
1800 "valid access local_ip6 in SK_MSG",
1802 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1803 offsetof(struct sk_msg_md, local_ip6[0])),
1804 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1805 offsetof(struct sk_msg_md, local_ip6[1])),
1806 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1807 offsetof(struct sk_msg_md, local_ip6[2])),
1808 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1809 offsetof(struct sk_msg_md, local_ip6[3])),
1813 .prog_type = BPF_PROG_TYPE_SK_SKB,
1816 "invalid 64B read of family in SK_MSG",
1818 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1819 offsetof(struct sk_msg_md, family)),
1822 .errstr = "invalid bpf_context access",
1824 .prog_type = BPF_PROG_TYPE_SK_MSG,
1827 "invalid read past end of SK_MSG",
1829 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1830 offsetof(struct sk_msg_md, local_port) + 4),
1833 .errstr = "R0 !read_ok",
1835 .prog_type = BPF_PROG_TYPE_SK_MSG,
1838 "invalid read offset in SK_MSG",
1840 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1841 offsetof(struct sk_msg_md, family) + 1),
1844 .errstr = "invalid bpf_context access",
1846 .prog_type = BPF_PROG_TYPE_SK_MSG,
1847 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
1850 "direct packet read for SK_MSG",
1852 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1853 offsetof(struct sk_msg_md, data)),
1854 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1855 offsetof(struct sk_msg_md, data_end)),
1856 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1857 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1858 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1859 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1860 BPF_MOV64_IMM(BPF_REG_0, 0),
1864 .prog_type = BPF_PROG_TYPE_SK_MSG,
1867 "direct packet write for SK_MSG",
1869 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1870 offsetof(struct sk_msg_md, data)),
1871 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1872 offsetof(struct sk_msg_md, data_end)),
1873 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1874 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1875 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1876 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1877 BPF_MOV64_IMM(BPF_REG_0, 0),
1881 .prog_type = BPF_PROG_TYPE_SK_MSG,
1884 "overlapping checks for direct packet access SK_MSG",
1886 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1887 offsetof(struct sk_msg_md, data)),
1888 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1889 offsetof(struct sk_msg_md, data_end)),
1890 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1891 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1892 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1893 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1894 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1895 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1896 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1897 BPF_MOV64_IMM(BPF_REG_0, 0),
1901 .prog_type = BPF_PROG_TYPE_SK_MSG,
1904 "check skb->mark is not writeable by sockets",
1906 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1907 offsetof(struct __sk_buff, mark)),
1910 .errstr = "invalid bpf_context access",
1911 .errstr_unpriv = "R1 leaks addr",
1915 "check skb->tc_index is not writeable by sockets",
1917 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1918 offsetof(struct __sk_buff, tc_index)),
1921 .errstr = "invalid bpf_context access",
1922 .errstr_unpriv = "R1 leaks addr",
1926 "check cb access: byte",
1928 BPF_MOV64_IMM(BPF_REG_0, 0),
1929 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1930 offsetof(struct __sk_buff, cb[0])),
1931 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1932 offsetof(struct __sk_buff, cb[0]) + 1),
1933 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1934 offsetof(struct __sk_buff, cb[0]) + 2),
1935 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1936 offsetof(struct __sk_buff, cb[0]) + 3),
1937 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1938 offsetof(struct __sk_buff, cb[1])),
1939 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1940 offsetof(struct __sk_buff, cb[1]) + 1),
1941 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1942 offsetof(struct __sk_buff, cb[1]) + 2),
1943 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1944 offsetof(struct __sk_buff, cb[1]) + 3),
1945 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1946 offsetof(struct __sk_buff, cb[2])),
1947 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1948 offsetof(struct __sk_buff, cb[2]) + 1),
1949 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1950 offsetof(struct __sk_buff, cb[2]) + 2),
1951 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1952 offsetof(struct __sk_buff, cb[2]) + 3),
1953 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1954 offsetof(struct __sk_buff, cb[3])),
1955 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1956 offsetof(struct __sk_buff, cb[3]) + 1),
1957 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1958 offsetof(struct __sk_buff, cb[3]) + 2),
1959 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1960 offsetof(struct __sk_buff, cb[3]) + 3),
1961 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1962 offsetof(struct __sk_buff, cb[4])),
1963 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1964 offsetof(struct __sk_buff, cb[4]) + 1),
1965 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1966 offsetof(struct __sk_buff, cb[4]) + 2),
1967 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1968 offsetof(struct __sk_buff, cb[4]) + 3),
1969 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1970 offsetof(struct __sk_buff, cb[0])),
1971 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1972 offsetof(struct __sk_buff, cb[0]) + 1),
1973 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1974 offsetof(struct __sk_buff, cb[0]) + 2),
1975 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1976 offsetof(struct __sk_buff, cb[0]) + 3),
1977 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1978 offsetof(struct __sk_buff, cb[1])),
1979 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1980 offsetof(struct __sk_buff, cb[1]) + 1),
1981 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1982 offsetof(struct __sk_buff, cb[1]) + 2),
1983 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1984 offsetof(struct __sk_buff, cb[1]) + 3),
1985 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1986 offsetof(struct __sk_buff, cb[2])),
1987 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1988 offsetof(struct __sk_buff, cb[2]) + 1),
1989 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1990 offsetof(struct __sk_buff, cb[2]) + 2),
1991 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1992 offsetof(struct __sk_buff, cb[2]) + 3),
1993 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1994 offsetof(struct __sk_buff, cb[3])),
1995 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1996 offsetof(struct __sk_buff, cb[3]) + 1),
1997 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1998 offsetof(struct __sk_buff, cb[3]) + 2),
1999 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2000 offsetof(struct __sk_buff, cb[3]) + 3),
2001 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2002 offsetof(struct __sk_buff, cb[4])),
2003 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2004 offsetof(struct __sk_buff, cb[4]) + 1),
2005 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2006 offsetof(struct __sk_buff, cb[4]) + 2),
2007 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2008 offsetof(struct __sk_buff, cb[4]) + 3),
2014 "__sk_buff->hash, offset 0, byte store not permitted",
2016 BPF_MOV64_IMM(BPF_REG_0, 0),
2017 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2018 offsetof(struct __sk_buff, hash)),
2021 .errstr = "invalid bpf_context access",
2025 "__sk_buff->tc_index, offset 3, byte store not permitted",
2027 BPF_MOV64_IMM(BPF_REG_0, 0),
2028 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2029 offsetof(struct __sk_buff, tc_index) + 3),
2032 .errstr = "invalid bpf_context access",
2036 "check skb->hash byte load permitted",
2038 BPF_MOV64_IMM(BPF_REG_0, 0),
2039 #if __BYTE_ORDER == __LITTLE_ENDIAN
2040 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2041 offsetof(struct __sk_buff, hash)),
2043 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2044 offsetof(struct __sk_buff, hash) + 3),
2051 "check skb->hash byte load permitted 1",
2053 BPF_MOV64_IMM(BPF_REG_0, 0),
2054 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2055 offsetof(struct __sk_buff, hash) + 1),
2061 "check skb->hash byte load permitted 2",
2063 BPF_MOV64_IMM(BPF_REG_0, 0),
2064 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2065 offsetof(struct __sk_buff, hash) + 2),
2071 "check skb->hash byte load permitted 3",
2073 BPF_MOV64_IMM(BPF_REG_0, 0),
2074 #if __BYTE_ORDER == __LITTLE_ENDIAN
2075 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2076 offsetof(struct __sk_buff, hash) + 3),
2078 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2079 offsetof(struct __sk_buff, hash)),
2086 "check cb access: byte, wrong type",
2088 BPF_MOV64_IMM(BPF_REG_0, 0),
2089 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2090 offsetof(struct __sk_buff, cb[0])),
2093 .errstr = "invalid bpf_context access",
2095 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2098 "check cb access: half",
2100 BPF_MOV64_IMM(BPF_REG_0, 0),
2101 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2102 offsetof(struct __sk_buff, cb[0])),
2103 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2104 offsetof(struct __sk_buff, cb[0]) + 2),
2105 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2106 offsetof(struct __sk_buff, cb[1])),
2107 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2108 offsetof(struct __sk_buff, cb[1]) + 2),
2109 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2110 offsetof(struct __sk_buff, cb[2])),
2111 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2112 offsetof(struct __sk_buff, cb[2]) + 2),
2113 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2114 offsetof(struct __sk_buff, cb[3])),
2115 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2116 offsetof(struct __sk_buff, cb[3]) + 2),
2117 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2118 offsetof(struct __sk_buff, cb[4])),
2119 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2120 offsetof(struct __sk_buff, cb[4]) + 2),
2121 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2122 offsetof(struct __sk_buff, cb[0])),
2123 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2124 offsetof(struct __sk_buff, cb[0]) + 2),
2125 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2126 offsetof(struct __sk_buff, cb[1])),
2127 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2128 offsetof(struct __sk_buff, cb[1]) + 2),
2129 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2130 offsetof(struct __sk_buff, cb[2])),
2131 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2132 offsetof(struct __sk_buff, cb[2]) + 2),
2133 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2134 offsetof(struct __sk_buff, cb[3])),
2135 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2136 offsetof(struct __sk_buff, cb[3]) + 2),
2137 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2138 offsetof(struct __sk_buff, cb[4])),
2139 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2140 offsetof(struct __sk_buff, cb[4]) + 2),
2146 "check cb access: half, unaligned",
2148 BPF_MOV64_IMM(BPF_REG_0, 0),
2149 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2150 offsetof(struct __sk_buff, cb[0]) + 1),
2153 .errstr = "misaligned context access",
2155 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2158 "check __sk_buff->hash, offset 0, half store not permitted",
2160 BPF_MOV64_IMM(BPF_REG_0, 0),
2161 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2162 offsetof(struct __sk_buff, hash)),
2165 .errstr = "invalid bpf_context access",
2169 "check __sk_buff->tc_index, offset 2, half store not permitted",
2171 BPF_MOV64_IMM(BPF_REG_0, 0),
2172 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2173 offsetof(struct __sk_buff, tc_index) + 2),
2176 .errstr = "invalid bpf_context access",
2180 "check skb->hash half load permitted",
2182 BPF_MOV64_IMM(BPF_REG_0, 0),
2183 #if __BYTE_ORDER == __LITTLE_ENDIAN
2184 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2185 offsetof(struct __sk_buff, hash)),
2187 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2188 offsetof(struct __sk_buff, hash) + 2),
2195 "check skb->hash half load permitted 2",
2197 BPF_MOV64_IMM(BPF_REG_0, 0),
2198 #if __BYTE_ORDER == __LITTLE_ENDIAN
2199 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2200 offsetof(struct __sk_buff, hash) + 2),
2202 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2203 offsetof(struct __sk_buff, hash)),
2210 "check skb->hash half load not permitted, unaligned 1",
2212 BPF_MOV64_IMM(BPF_REG_0, 0),
2213 #if __BYTE_ORDER == __LITTLE_ENDIAN
2214 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2215 offsetof(struct __sk_buff, hash) + 1),
2217 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2218 offsetof(struct __sk_buff, hash) + 3),
2222 .errstr = "invalid bpf_context access",
2226 "check skb->hash half load not permitted, unaligned 3",
2228 BPF_MOV64_IMM(BPF_REG_0, 0),
2229 #if __BYTE_ORDER == __LITTLE_ENDIAN
2230 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2231 offsetof(struct __sk_buff, hash) + 3),
2233 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2234 offsetof(struct __sk_buff, hash) + 1),
2238 .errstr = "invalid bpf_context access",
2240 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
2241 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
2244 "check cb access: half, wrong type",
2246 BPF_MOV64_IMM(BPF_REG_0, 0),
2247 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2248 offsetof(struct __sk_buff, cb[0])),
2251 .errstr = "invalid bpf_context access",
2253 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2256 "check cb access: word",
2258 BPF_MOV64_IMM(BPF_REG_0, 0),
2259 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2260 offsetof(struct __sk_buff, cb[0])),
2261 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2262 offsetof(struct __sk_buff, cb[1])),
2263 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2264 offsetof(struct __sk_buff, cb[2])),
2265 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2266 offsetof(struct __sk_buff, cb[3])),
2267 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2268 offsetof(struct __sk_buff, cb[4])),
2269 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2270 offsetof(struct __sk_buff, cb[0])),
2271 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2272 offsetof(struct __sk_buff, cb[1])),
2273 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2274 offsetof(struct __sk_buff, cb[2])),
2275 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2276 offsetof(struct __sk_buff, cb[3])),
2277 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2278 offsetof(struct __sk_buff, cb[4])),
2284 "check cb access: word, unaligned 1",
2286 BPF_MOV64_IMM(BPF_REG_0, 0),
2287 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2288 offsetof(struct __sk_buff, cb[0]) + 2),
2291 .errstr = "misaligned context access",
2293 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2296 "check cb access: word, unaligned 2",
2298 BPF_MOV64_IMM(BPF_REG_0, 0),
2299 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2300 offsetof(struct __sk_buff, cb[4]) + 1),
2303 .errstr = "misaligned context access",
2305 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2308 "check cb access: word, unaligned 3",
2310 BPF_MOV64_IMM(BPF_REG_0, 0),
2311 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2312 offsetof(struct __sk_buff, cb[4]) + 2),
2315 .errstr = "misaligned context access",
2317 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2320 "check cb access: word, unaligned 4",
2322 BPF_MOV64_IMM(BPF_REG_0, 0),
2323 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2324 offsetof(struct __sk_buff, cb[4]) + 3),
2327 .errstr = "misaligned context access",
2329 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2332 "check cb access: double",
2334 BPF_MOV64_IMM(BPF_REG_0, 0),
2335 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2336 offsetof(struct __sk_buff, cb[0])),
2337 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2338 offsetof(struct __sk_buff, cb[2])),
2339 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2340 offsetof(struct __sk_buff, cb[0])),
2341 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2342 offsetof(struct __sk_buff, cb[2])),
2348 "check cb access: double, unaligned 1",
2350 BPF_MOV64_IMM(BPF_REG_0, 0),
2351 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2352 offsetof(struct __sk_buff, cb[1])),
2355 .errstr = "misaligned context access",
2357 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2360 "check cb access: double, unaligned 2",
2362 BPF_MOV64_IMM(BPF_REG_0, 0),
2363 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2364 offsetof(struct __sk_buff, cb[3])),
2367 .errstr = "misaligned context access",
2369 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2372 "check cb access: double, oob 1",
2374 BPF_MOV64_IMM(BPF_REG_0, 0),
2375 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2376 offsetof(struct __sk_buff, cb[4])),
2379 .errstr = "invalid bpf_context access",
2383 "check cb access: double, oob 2",
2385 BPF_MOV64_IMM(BPF_REG_0, 0),
2386 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2387 offsetof(struct __sk_buff, cb[4])),
2390 .errstr = "invalid bpf_context access",
2394 "check __sk_buff->ifindex dw store not permitted",
2396 BPF_MOV64_IMM(BPF_REG_0, 0),
2397 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2398 offsetof(struct __sk_buff, ifindex)),
2401 .errstr = "invalid bpf_context access",
2405 "check __sk_buff->ifindex dw load not permitted",
2407 BPF_MOV64_IMM(BPF_REG_0, 0),
2408 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2409 offsetof(struct __sk_buff, ifindex)),
2412 .errstr = "invalid bpf_context access",
2416 "check cb access: double, wrong type",
2418 BPF_MOV64_IMM(BPF_REG_0, 0),
2419 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2420 offsetof(struct __sk_buff, cb[0])),
2423 .errstr = "invalid bpf_context access",
2425 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2428 "check out of range skb->cb access",
2430 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2431 offsetof(struct __sk_buff, cb[0]) + 256),
2434 .errstr = "invalid bpf_context access",
2435 .errstr_unpriv = "",
2437 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
2440 "write skb fields from socket prog",
2442 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2443 offsetof(struct __sk_buff, cb[4])),
2444 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2445 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2446 offsetof(struct __sk_buff, mark)),
2447 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2448 offsetof(struct __sk_buff, tc_index)),
2449 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2450 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2451 offsetof(struct __sk_buff, cb[0])),
2452 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2453 offsetof(struct __sk_buff, cb[2])),
2457 .errstr_unpriv = "R1 leaks addr",
2458 .result_unpriv = REJECT,
2461 "write skb fields from tc_cls_act prog",
2463 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2464 offsetof(struct __sk_buff, cb[0])),
2465 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2466 offsetof(struct __sk_buff, mark)),
2467 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2468 offsetof(struct __sk_buff, tc_index)),
2469 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2470 offsetof(struct __sk_buff, tc_index)),
2471 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2472 offsetof(struct __sk_buff, cb[3])),
2473 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2474 offsetof(struct __sk_buff, tstamp)),
2475 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2476 offsetof(struct __sk_buff, tstamp)),
2479 .errstr_unpriv = "",
2480 .result_unpriv = REJECT,
2482 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2485 "PTR_TO_STACK store/load",
2487 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2488 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2489 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2490 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2494 .retval = 0xfaceb00c,
2497 "PTR_TO_STACK store/load - bad alignment on off",
2499 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2500 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2501 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2502 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2506 .errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
2509 "PTR_TO_STACK store/load - bad alignment on reg",
2511 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2512 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2513 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2514 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2518 .errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
2521 "PTR_TO_STACK store/load - out of bounds low",
2523 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2524 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
2525 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2526 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2530 .errstr = "invalid stack off=-79992 size=8",
2533 "PTR_TO_STACK store/load - out of bounds high",
2535 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2536 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2537 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2538 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2542 .errstr = "invalid stack off=0 size=8",
2545 "unpriv: return pointer",
2547 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
2551 .result_unpriv = REJECT,
2552 .errstr_unpriv = "R0 leaks addr",
2553 .retval = POINTER_VALUE,
2556 "unpriv: add const to pointer",
2558 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2559 BPF_MOV64_IMM(BPF_REG_0, 0),
2565 "unpriv: add pointer to pointer",
2567 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2568 BPF_MOV64_IMM(BPF_REG_0, 0),
2572 .errstr = "R1 pointer += pointer",
2575 "unpriv: neg pointer",
2577 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
2578 BPF_MOV64_IMM(BPF_REG_0, 0),
2582 .result_unpriv = REJECT,
2583 .errstr_unpriv = "R1 pointer arithmetic",
2586 "unpriv: cmp pointer with const",
2588 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2589 BPF_MOV64_IMM(BPF_REG_0, 0),
2593 .result_unpriv = REJECT,
2594 .errstr_unpriv = "R1 pointer comparison",
2597 "unpriv: cmp pointer with pointer",
2599 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
2600 BPF_MOV64_IMM(BPF_REG_0, 0),
2604 .result_unpriv = REJECT,
2605 .errstr_unpriv = "R10 pointer comparison",
2608 "unpriv: check that printk is disallowed",
2610 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2611 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2612 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2613 BPF_MOV64_IMM(BPF_REG_2, 8),
2614 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2615 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2616 BPF_FUNC_trace_printk),
2617 BPF_MOV64_IMM(BPF_REG_0, 0),
2620 .errstr_unpriv = "unknown func bpf_trace_printk#6",
2621 .result_unpriv = REJECT,
2625 "unpriv: pass pointer to helper function",
2627 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2628 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2629 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2630 BPF_LD_MAP_FD(BPF_REG_1, 0),
2631 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2632 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2633 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2634 BPF_FUNC_map_update_elem),
2635 BPF_MOV64_IMM(BPF_REG_0, 0),
2638 .fixup_map_hash_8b = { 3 },
2639 .errstr_unpriv = "R4 leaks addr",
2640 .result_unpriv = REJECT,
2644 "unpriv: indirectly pass pointer on stack to helper function",
2646 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2647 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2648 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2649 BPF_LD_MAP_FD(BPF_REG_1, 0),
2650 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2651 BPF_FUNC_map_lookup_elem),
2652 BPF_MOV64_IMM(BPF_REG_0, 0),
2655 .fixup_map_hash_8b = { 3 },
2656 .errstr = "invalid indirect read from stack off -8+0 size 8",
2660 "unpriv: mangle pointer on stack 1",
2662 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2663 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
2664 BPF_MOV64_IMM(BPF_REG_0, 0),
2667 .errstr_unpriv = "attempt to corrupt spilled",
2668 .result_unpriv = REJECT,
2672 "unpriv: mangle pointer on stack 2",
2674 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2675 BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
2676 BPF_MOV64_IMM(BPF_REG_0, 0),
2679 .errstr_unpriv = "attempt to corrupt spilled",
2680 .result_unpriv = REJECT,
2684 "unpriv: read pointer from stack in small chunks",
2686 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2687 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
2688 BPF_MOV64_IMM(BPF_REG_0, 0),
2691 .errstr = "invalid size",
2695 "unpriv: write pointer into ctx",
2697 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
2698 BPF_MOV64_IMM(BPF_REG_0, 0),
2701 .errstr_unpriv = "R1 leaks addr",
2702 .result_unpriv = REJECT,
2703 .errstr = "invalid bpf_context access",
2707 "unpriv: spill/fill of ctx",
2709 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2710 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2711 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2712 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2713 BPF_MOV64_IMM(BPF_REG_0, 0),
2719 "unpriv: spill/fill of ctx 2",
2721 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2722 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2723 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2724 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2725 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2726 BPF_FUNC_get_hash_recalc),
2727 BPF_MOV64_IMM(BPF_REG_0, 0),
2731 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2734 "unpriv: spill/fill of ctx 3",
2736 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2737 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2738 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2739 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2740 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2741 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2742 BPF_FUNC_get_hash_recalc),
2746 .errstr = "R1 type=fp expected=ctx",
2747 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2750 "unpriv: spill/fill of ctx 4",
2752 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2753 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2754 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2755 BPF_MOV64_IMM(BPF_REG_0, 1),
2756 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
2758 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2759 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2760 BPF_FUNC_get_hash_recalc),
2764 .errstr = "R1 type=inv expected=ctx",
2765 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2768 "unpriv: spill/fill of different pointers stx",
2770 BPF_MOV64_IMM(BPF_REG_3, 42),
2771 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2772 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2773 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2774 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2775 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
2776 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2777 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2778 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2779 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2780 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2781 offsetof(struct __sk_buff, mark)),
2782 BPF_MOV64_IMM(BPF_REG_0, 0),
2786 .errstr = "same insn cannot be used with different pointers",
2787 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2790 "unpriv: spill/fill of different pointers stx - ctx and sock",
2792 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2793 /* struct bpf_sock *sock = bpf_sock_lookup(...); */
2795 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2797 /* void *target = &foo; */
2798 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2799 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2800 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2801 /* if (skb == NULL) *target = sock; */
2802 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2803 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2804 /* else *target = skb; */
2805 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2806 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2807 /* struct __sk_buff *skb = *target; */
2808 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2809 /* skb->mark = 42; */
2810 BPF_MOV64_IMM(BPF_REG_3, 42),
2811 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2812 offsetof(struct __sk_buff, mark)),
2813 /* if (sk) bpf_sk_release(sk) */
2814 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2815 BPF_EMIT_CALL(BPF_FUNC_sk_release),
2816 BPF_MOV64_IMM(BPF_REG_0, 0),
2820 .errstr = "type=ctx expected=sock",
2821 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2824 "unpriv: spill/fill of different pointers stx - leak sock",
2826 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2827 /* struct bpf_sock *sock = bpf_sock_lookup(...); */
2829 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2831 /* void *target = &foo; */
2832 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2833 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2834 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2835 /* if (skb == NULL) *target = sock; */
2836 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2837 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2838 /* else *target = skb; */
2839 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2840 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2841 /* struct __sk_buff *skb = *target; */
2842 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2843 /* skb->mark = 42; */
2844 BPF_MOV64_IMM(BPF_REG_3, 42),
2845 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2846 offsetof(struct __sk_buff, mark)),
2850 //.errstr = "same insn cannot be used with different pointers",
2851 .errstr = "Unreleased reference",
2852 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2855 "unpriv: spill/fill of different pointers stx - sock and ctx (read)",
2857 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2858 /* struct bpf_sock *sock = bpf_sock_lookup(...); */
2860 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2862 /* void *target = &foo; */
2863 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2864 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2865 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2866 /* if (skb) *target = skb */
2867 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2868 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2869 /* else *target = sock */
2870 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2871 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2872 /* struct bpf_sock *sk = *target; */
2873 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2874 /* if (sk) u32 foo = sk->mark; bpf_sk_release(sk); */
2875 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
2876 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2877 offsetof(struct bpf_sock, mark)),
2878 BPF_EMIT_CALL(BPF_FUNC_sk_release),
2879 BPF_MOV64_IMM(BPF_REG_0, 0),
2883 .errstr = "same insn cannot be used with different pointers",
2884 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2887 "unpriv: spill/fill of different pointers stx - sock and ctx (write)",
2889 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2890 /* struct bpf_sock *sock = bpf_sock_lookup(...); */
2892 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2894 /* void *target = &foo; */
2895 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2896 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2897 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2898 /* if (skb) *target = skb */
2899 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2900 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2901 /* else *target = sock */
2902 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2903 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2904 /* struct bpf_sock *sk = *target; */
2905 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2906 /* if (sk) sk->mark = 42; bpf_sk_release(sk); */
2907 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2908 BPF_MOV64_IMM(BPF_REG_3, 42),
2909 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2910 offsetof(struct bpf_sock, mark)),
2911 BPF_EMIT_CALL(BPF_FUNC_sk_release),
2912 BPF_MOV64_IMM(BPF_REG_0, 0),
2916 //.errstr = "same insn cannot be used with different pointers",
2917 .errstr = "cannot write into socket",
2918 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2921 "unpriv: spill/fill of different pointers ldx",
2923 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2924 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2925 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2926 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2927 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
2928 -(__s32)offsetof(struct bpf_perf_event_data,
2929 sample_period) - 8),
2930 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2931 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2932 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2933 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2934 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
2935 offsetof(struct bpf_perf_event_data,
2937 BPF_MOV64_IMM(BPF_REG_0, 0),
2941 .errstr = "same insn cannot be used with different pointers",
2942 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
2945 "unpriv: write pointer into map elem value",
2947 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2948 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2949 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2950 BPF_LD_MAP_FD(BPF_REG_1, 0),
2951 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2952 BPF_FUNC_map_lookup_elem),
2953 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2954 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
2957 .fixup_map_hash_8b = { 3 },
2958 .errstr_unpriv = "R0 leaks addr",
2959 .result_unpriv = REJECT,
2963 "alu32: mov u32 const",
2965 BPF_MOV32_IMM(BPF_REG_7, 0),
2966 BPF_ALU32_IMM(BPF_AND, BPF_REG_7, 1),
2967 BPF_MOV32_REG(BPF_REG_0, BPF_REG_7),
2968 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2969 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
2976 "unpriv: partial copy of pointer",
2978 BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
2979 BPF_MOV64_IMM(BPF_REG_0, 0),
2982 .errstr_unpriv = "R10 partial copy",
2983 .result_unpriv = REJECT,
2987 "unpriv: pass pointer to tail_call",
2989 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2990 BPF_LD_MAP_FD(BPF_REG_2, 0),
2991 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2992 BPF_FUNC_tail_call),
2993 BPF_MOV64_IMM(BPF_REG_0, 0),
2996 .fixup_prog1 = { 1 },
2997 .errstr_unpriv = "R3 leaks addr into helper",
2998 .result_unpriv = REJECT,
3002 "unpriv: cmp map pointer with zero",
3004 BPF_MOV64_IMM(BPF_REG_1, 0),
3005 BPF_LD_MAP_FD(BPF_REG_1, 0),
3006 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
3007 BPF_MOV64_IMM(BPF_REG_0, 0),
3010 .fixup_map_hash_8b = { 1 },
3011 .errstr_unpriv = "R1 pointer comparison",
3012 .result_unpriv = REJECT,
3016 "unpriv: write into frame pointer",
3018 BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
3019 BPF_MOV64_IMM(BPF_REG_0, 0),
3022 .errstr = "frame pointer is read only",
3026 "unpriv: spill/fill frame pointer",
3028 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3029 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3030 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
3031 BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
3032 BPF_MOV64_IMM(BPF_REG_0, 0),
3035 .errstr = "frame pointer is read only",
3039 "unpriv: cmp of frame pointer",
3041 BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
3042 BPF_MOV64_IMM(BPF_REG_0, 0),
3045 .errstr_unpriv = "R10 pointer comparison",
3046 .result_unpriv = REJECT,
3050 "unpriv: adding of fp",
3052 BPF_MOV64_IMM(BPF_REG_0, 0),
3053 BPF_MOV64_IMM(BPF_REG_1, 0),
3054 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
3055 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
3061 "unpriv: cmp of stack pointer",
3063 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3064 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3065 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
3066 BPF_MOV64_IMM(BPF_REG_0, 0),
3069 .errstr_unpriv = "R2 pointer comparison",
3070 .result_unpriv = REJECT,
3074 "runtime/jit: tail_call within bounds, prog once",
3076 BPF_MOV64_IMM(BPF_REG_3, 0),
3077 BPF_LD_MAP_FD(BPF_REG_2, 0),
3078 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3079 BPF_FUNC_tail_call),
3080 BPF_MOV64_IMM(BPF_REG_0, 1),
3083 .fixup_prog1 = { 1 },
3088 "runtime/jit: tail_call within bounds, prog loop",
3090 BPF_MOV64_IMM(BPF_REG_3, 1),
3091 BPF_LD_MAP_FD(BPF_REG_2, 0),
3092 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3093 BPF_FUNC_tail_call),
3094 BPF_MOV64_IMM(BPF_REG_0, 1),
3097 .fixup_prog1 = { 1 },
3102 "runtime/jit: tail_call within bounds, no prog",
3104 BPF_MOV64_IMM(BPF_REG_3, 2),
3105 BPF_LD_MAP_FD(BPF_REG_2, 0),
3106 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3107 BPF_FUNC_tail_call),
3108 BPF_MOV64_IMM(BPF_REG_0, 1),
3111 .fixup_prog1 = { 1 },
3116 "runtime/jit: tail_call out of bounds",
3118 BPF_MOV64_IMM(BPF_REG_3, 256),
3119 BPF_LD_MAP_FD(BPF_REG_2, 0),
3120 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3121 BPF_FUNC_tail_call),
3122 BPF_MOV64_IMM(BPF_REG_0, 2),
3125 .fixup_prog1 = { 1 },
3130 "runtime/jit: pass negative index to tail_call",
3132 BPF_MOV64_IMM(BPF_REG_3, -1),
3133 BPF_LD_MAP_FD(BPF_REG_2, 0),
3134 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3135 BPF_FUNC_tail_call),
3136 BPF_MOV64_IMM(BPF_REG_0, 2),
3139 .fixup_prog1 = { 1 },
3144 "runtime/jit: pass > 32bit index to tail_call",
3146 BPF_LD_IMM64(BPF_REG_3, 0x100000000ULL),
3147 BPF_LD_MAP_FD(BPF_REG_2, 0),
3148 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3149 BPF_FUNC_tail_call),
3150 BPF_MOV64_IMM(BPF_REG_0, 2),
3153 .fixup_prog1 = { 2 },
3156 /* Verifier rewrite for unpriv skips tail call here. */
3160 "stack pointer arithmetic",
3162 BPF_MOV64_IMM(BPF_REG_1, 4),
3163 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
3164 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
3165 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
3166 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
3167 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3168 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
3169 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
3170 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3171 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3172 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
3173 BPF_MOV64_IMM(BPF_REG_0, 0),
3179 "raw_stack: no skb_load_bytes",
3181 BPF_MOV64_IMM(BPF_REG_2, 4),
3182 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3183 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3184 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3185 BPF_MOV64_IMM(BPF_REG_4, 8),
3186 /* Call to skb_load_bytes() omitted. */
3187 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3191 .errstr = "invalid read from stack off -8+0 size 8",
3192 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3195 "raw_stack: skb_load_bytes, negative len",
3197 BPF_MOV64_IMM(BPF_REG_2, 4),
3198 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3199 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3200 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3201 BPF_MOV64_IMM(BPF_REG_4, -8),
3202 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3203 BPF_FUNC_skb_load_bytes),
3204 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3208 .errstr = "R4 min value is negative",
3209 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3212 "raw_stack: skb_load_bytes, negative len 2",
3214 BPF_MOV64_IMM(BPF_REG_2, 4),
3215 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3216 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3217 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3218 BPF_MOV64_IMM(BPF_REG_4, ~0),
3219 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3220 BPF_FUNC_skb_load_bytes),
3221 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3225 .errstr = "R4 min value is negative",
3226 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3229 "raw_stack: skb_load_bytes, zero len",
3231 BPF_MOV64_IMM(BPF_REG_2, 4),
3232 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3233 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3234 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3235 BPF_MOV64_IMM(BPF_REG_4, 0),
3236 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3237 BPF_FUNC_skb_load_bytes),
3238 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3242 .errstr = "invalid stack type R3",
3243 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3246 "raw_stack: skb_load_bytes, no init",
3248 BPF_MOV64_IMM(BPF_REG_2, 4),
3249 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3250 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3251 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3252 BPF_MOV64_IMM(BPF_REG_4, 8),
3253 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3254 BPF_FUNC_skb_load_bytes),
3255 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3259 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3262 "raw_stack: skb_load_bytes, init",
3264 BPF_MOV64_IMM(BPF_REG_2, 4),
3265 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3266 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3267 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
3268 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3269 BPF_MOV64_IMM(BPF_REG_4, 8),
3270 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3271 BPF_FUNC_skb_load_bytes),
3272 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3276 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3279 "raw_stack: skb_load_bytes, spilled regs around bounds",
3281 BPF_MOV64_IMM(BPF_REG_2, 4),
3282 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3283 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3284 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3285 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3286 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3287 BPF_MOV64_IMM(BPF_REG_4, 8),
3288 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3289 BPF_FUNC_skb_load_bytes),
3290 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3291 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3292 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3293 offsetof(struct __sk_buff, mark)),
3294 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3295 offsetof(struct __sk_buff, priority)),
3296 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3300 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3303 "raw_stack: skb_load_bytes, spilled regs corruption",
3305 BPF_MOV64_IMM(BPF_REG_2, 4),
3306 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3307 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3308 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3309 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3310 BPF_MOV64_IMM(BPF_REG_4, 8),
3311 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3312 BPF_FUNC_skb_load_bytes),
3313 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3314 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3315 offsetof(struct __sk_buff, mark)),
3319 .errstr = "R0 invalid mem access 'inv'",
3320 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3321 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3324 "raw_stack: skb_load_bytes, spilled regs corruption 2",
3326 BPF_MOV64_IMM(BPF_REG_2, 4),
3327 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3328 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3329 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3330 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3331 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3332 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3333 BPF_MOV64_IMM(BPF_REG_4, 8),
3334 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3335 BPF_FUNC_skb_load_bytes),
3336 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3337 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3338 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
3339 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3340 offsetof(struct __sk_buff, mark)),
3341 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3342 offsetof(struct __sk_buff, priority)),
3343 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3344 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
3345 offsetof(struct __sk_buff, pkt_type)),
3346 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3350 .errstr = "R3 invalid mem access 'inv'",
3351 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3352 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3355 "raw_stack: skb_load_bytes, spilled regs + data",
3357 BPF_MOV64_IMM(BPF_REG_2, 4),
3358 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3359 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3360 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3361 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3362 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3363 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3364 BPF_MOV64_IMM(BPF_REG_4, 8),
3365 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3366 BPF_FUNC_skb_load_bytes),
3367 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3368 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3369 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
3370 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3371 offsetof(struct __sk_buff, mark)),
3372 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3373 offsetof(struct __sk_buff, priority)),
3374 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3375 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3379 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3382 "raw_stack: skb_load_bytes, invalid access 1",
3384 BPF_MOV64_IMM(BPF_REG_2, 4),
3385 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3386 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
3387 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3388 BPF_MOV64_IMM(BPF_REG_4, 8),
3389 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3390 BPF_FUNC_skb_load_bytes),
3391 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3395 .errstr = "invalid stack type R3 off=-513 access_size=8",
3396 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3399 "raw_stack: skb_load_bytes, invalid access 2",
3401 BPF_MOV64_IMM(BPF_REG_2, 4),
3402 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3403 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3404 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3405 BPF_MOV64_IMM(BPF_REG_4, 8),
3406 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3407 BPF_FUNC_skb_load_bytes),
3408 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3412 .errstr = "invalid stack type R3 off=-1 access_size=8",
3413 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3416 "raw_stack: skb_load_bytes, invalid access 3",
3418 BPF_MOV64_IMM(BPF_REG_2, 4),
3419 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3420 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
3421 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3422 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3423 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3424 BPF_FUNC_skb_load_bytes),
3425 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3429 .errstr = "R4 min value is negative",
3430 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3433 "raw_stack: skb_load_bytes, invalid access 4",
3435 BPF_MOV64_IMM(BPF_REG_2, 4),
3436 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3437 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3438 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3439 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3440 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3441 BPF_FUNC_skb_load_bytes),
3442 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3446 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3447 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3450 "raw_stack: skb_load_bytes, invalid access 5",
3452 BPF_MOV64_IMM(BPF_REG_2, 4),
3453 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3454 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3455 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3456 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3457 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3458 BPF_FUNC_skb_load_bytes),
3459 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3463 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3464 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3467 "raw_stack: skb_load_bytes, invalid access 6",
3469 BPF_MOV64_IMM(BPF_REG_2, 4),
3470 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3471 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3472 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3473 BPF_MOV64_IMM(BPF_REG_4, 0),
3474 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3475 BPF_FUNC_skb_load_bytes),
3476 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3480 .errstr = "invalid stack type R3 off=-512 access_size=0",
3481 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3484 "raw_stack: skb_load_bytes, large access",
3486 BPF_MOV64_IMM(BPF_REG_2, 4),
3487 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3488 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3489 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3490 BPF_MOV64_IMM(BPF_REG_4, 512),
3491 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3492 BPF_FUNC_skb_load_bytes),
3493 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3497 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3500 "context stores via ST",
3502 BPF_MOV64_IMM(BPF_REG_0, 0),
3503 BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
3506 .errstr = "BPF_ST stores into R1 ctx is not allowed",
3508 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3511 "context stores via XADD",
3513 BPF_MOV64_IMM(BPF_REG_0, 0),
3514 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1,
3515 BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
3518 .errstr = "BPF_XADD stores into R1 ctx is not allowed",
3520 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3523 "direct packet access: test1",
3525 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3526 offsetof(struct __sk_buff, data)),
3527 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3528 offsetof(struct __sk_buff, data_end)),
3529 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3530 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3531 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3532 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3533 BPF_MOV64_IMM(BPF_REG_0, 0),
3537 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3540 "direct packet access: test2",
3542 BPF_MOV64_IMM(BPF_REG_0, 1),
3543 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
3544 offsetof(struct __sk_buff, data_end)),
3545 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3546 offsetof(struct __sk_buff, data)),
3547 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3548 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
3549 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
3550 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
3551 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
3552 BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
3553 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3554 offsetof(struct __sk_buff, data)),
3555 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
3556 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3557 offsetof(struct __sk_buff, len)),
3558 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
3559 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
3560 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
3561 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
3562 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3563 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
3564 offsetof(struct __sk_buff, data_end)),
3565 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3566 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
3567 BPF_MOV64_IMM(BPF_REG_0, 0),
3571 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3574 "direct packet access: test3",
3576 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3577 offsetof(struct __sk_buff, data)),
3578 BPF_MOV64_IMM(BPF_REG_0, 0),
3581 .errstr = "invalid bpf_context access off=76",
3583 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
3586 "direct packet access: test4 (write)",
3588 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3589 offsetof(struct __sk_buff, data)),
3590 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3591 offsetof(struct __sk_buff, data_end)),
3592 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3593 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3594 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3595 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3596 BPF_MOV64_IMM(BPF_REG_0, 0),
3600 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3603 "direct packet access: test5 (pkt_end >= reg, good access)",
3605 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3606 offsetof(struct __sk_buff, data)),
3607 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3608 offsetof(struct __sk_buff, data_end)),
3609 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3610 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3611 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3612 BPF_MOV64_IMM(BPF_REG_0, 1),
3614 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3615 BPF_MOV64_IMM(BPF_REG_0, 0),
3619 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3622 "direct packet access: test6 (pkt_end >= reg, bad access)",
3624 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3625 offsetof(struct __sk_buff, data)),
3626 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3627 offsetof(struct __sk_buff, data_end)),
3628 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3629 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3630 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3631 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3632 BPF_MOV64_IMM(BPF_REG_0, 1),
3634 BPF_MOV64_IMM(BPF_REG_0, 0),
3637 .errstr = "invalid access to packet",
3639 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3642 "direct packet access: test7 (pkt_end >= reg, both accesses)",
3644 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3645 offsetof(struct __sk_buff, data)),
3646 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3647 offsetof(struct __sk_buff, data_end)),
3648 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3649 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3650 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3651 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3652 BPF_MOV64_IMM(BPF_REG_0, 1),
3654 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3655 BPF_MOV64_IMM(BPF_REG_0, 0),
3658 .errstr = "invalid access to packet",
3660 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3663 "direct packet access: test8 (double test, variant 1)",
3665 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3666 offsetof(struct __sk_buff, data)),
3667 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3668 offsetof(struct __sk_buff, data_end)),
3669 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3670 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3671 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
3672 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3673 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3674 BPF_MOV64_IMM(BPF_REG_0, 1),
3676 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3677 BPF_MOV64_IMM(BPF_REG_0, 0),
3681 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3684 "direct packet access: test9 (double test, variant 2)",
3686 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3687 offsetof(struct __sk_buff, data)),
3688 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3689 offsetof(struct __sk_buff, data_end)),
3690 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3691 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3692 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3693 BPF_MOV64_IMM(BPF_REG_0, 1),
3695 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3696 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3697 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3698 BPF_MOV64_IMM(BPF_REG_0, 0),
3702 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3705 "direct packet access: test10 (write invalid)",
3707 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3708 offsetof(struct __sk_buff, data)),
3709 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3710 offsetof(struct __sk_buff, data_end)),
3711 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3712 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3713 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3714 BPF_MOV64_IMM(BPF_REG_0, 0),
3716 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3717 BPF_MOV64_IMM(BPF_REG_0, 0),
3720 .errstr = "invalid access to packet",
3722 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3725 "direct packet access: test11 (shift, good access)",
3727 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3728 offsetof(struct __sk_buff, data)),
3729 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3730 offsetof(struct __sk_buff, data_end)),
3731 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3732 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3733 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3734 BPF_MOV64_IMM(BPF_REG_3, 144),
3735 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3736 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3737 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
3738 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3739 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3740 BPF_MOV64_IMM(BPF_REG_0, 1),
3742 BPF_MOV64_IMM(BPF_REG_0, 0),
3746 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3750 "direct packet access: test12 (and, good access)",
3752 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3753 offsetof(struct __sk_buff, data)),
3754 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3755 offsetof(struct __sk_buff, data_end)),
3756 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3757 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3758 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3759 BPF_MOV64_IMM(BPF_REG_3, 144),
3760 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3761 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3762 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3763 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3764 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3765 BPF_MOV64_IMM(BPF_REG_0, 1),
3767 BPF_MOV64_IMM(BPF_REG_0, 0),
3771 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3775 "direct packet access: test13 (branches, good access)",
3777 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3778 offsetof(struct __sk_buff, data)),
3779 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3780 offsetof(struct __sk_buff, data_end)),
3781 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3782 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3783 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
3784 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3785 offsetof(struct __sk_buff, mark)),
3786 BPF_MOV64_IMM(BPF_REG_4, 1),
3787 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
3788 BPF_MOV64_IMM(BPF_REG_3, 14),
3789 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
3790 BPF_MOV64_IMM(BPF_REG_3, 24),
3791 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3792 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3793 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3794 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3795 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3796 BPF_MOV64_IMM(BPF_REG_0, 1),
3798 BPF_MOV64_IMM(BPF_REG_0, 0),
3802 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3806 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
3808 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3809 offsetof(struct __sk_buff, data)),
3810 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3811 offsetof(struct __sk_buff, data_end)),
3812 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3813 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3814 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
3815 BPF_MOV64_IMM(BPF_REG_5, 12),
3816 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
3817 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3818 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3819 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
3820 BPF_MOV64_IMM(BPF_REG_0, 1),
3822 BPF_MOV64_IMM(BPF_REG_0, 0),
3826 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3830 "direct packet access: test15 (spill with xadd)",
3832 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3833 offsetof(struct __sk_buff, data)),
3834 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3835 offsetof(struct __sk_buff, data_end)),
3836 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3837 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3838 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3839 BPF_MOV64_IMM(BPF_REG_5, 4096),
3840 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
3841 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
3842 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
3843 BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
3844 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
3845 BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
3846 BPF_MOV64_IMM(BPF_REG_0, 0),
3849 .errstr = "R2 invalid mem access 'inv'",
3851 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3852 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3855 "direct packet access: test16 (arith on data_end)",
3857 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3858 offsetof(struct __sk_buff, data)),
3859 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3860 offsetof(struct __sk_buff, data_end)),
3861 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3862 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3863 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
3864 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3865 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3866 BPF_MOV64_IMM(BPF_REG_0, 0),
3869 .errstr = "R3 pointer arithmetic on pkt_end",
3871 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3874 "direct packet access: test17 (pruning, alignment)",
3876 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3877 offsetof(struct __sk_buff, data)),
3878 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3879 offsetof(struct __sk_buff, data_end)),
3880 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3881 offsetof(struct __sk_buff, mark)),
3882 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3883 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
3884 BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
3885 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3886 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
3887 BPF_MOV64_IMM(BPF_REG_0, 0),
3889 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
3892 .errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4",
3894 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3895 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
3898 "direct packet access: test18 (imm += pkt_ptr, 1)",
3900 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3901 offsetof(struct __sk_buff, data)),
3902 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3903 offsetof(struct __sk_buff, data_end)),
3904 BPF_MOV64_IMM(BPF_REG_0, 8),
3905 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3906 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3907 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3908 BPF_MOV64_IMM(BPF_REG_0, 0),
3912 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3915 "direct packet access: test19 (imm += pkt_ptr, 2)",
3917 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3918 offsetof(struct __sk_buff, data)),
3919 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3920 offsetof(struct __sk_buff, data_end)),
3921 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3922 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3923 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
3924 BPF_MOV64_IMM(BPF_REG_4, 4),
3925 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3926 BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
3927 BPF_MOV64_IMM(BPF_REG_0, 0),
3931 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3934 "direct packet access: test20 (x += pkt_ptr, 1)",
3936 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3937 offsetof(struct __sk_buff, data)),
3938 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3939 offsetof(struct __sk_buff, data_end)),
3940 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3941 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3942 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3943 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff),
3944 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3945 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3946 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3947 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3948 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3949 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3950 BPF_MOV64_IMM(BPF_REG_0, 0),
3953 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3955 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3958 "direct packet access: test21 (x += pkt_ptr, 2)",
3960 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3961 offsetof(struct __sk_buff, data)),
3962 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3963 offsetof(struct __sk_buff, data_end)),
3964 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3965 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3966 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
3967 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3968 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3969 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3970 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff),
3971 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3972 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3973 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3974 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3975 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3976 BPF_MOV64_IMM(BPF_REG_0, 0),
3979 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3981 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3984 "direct packet access: test22 (x += pkt_ptr, 3)",
3986 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3987 offsetof(struct __sk_buff, data)),
3988 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3989 offsetof(struct __sk_buff, data_end)),
3990 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3991 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3992 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
3993 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
3994 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
3995 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
3996 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
3997 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3998 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3999 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
4000 BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49),
4001 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
4002 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
4003 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
4004 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
4005 BPF_MOV64_IMM(BPF_REG_2, 1),
4006 BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
4007 BPF_MOV64_IMM(BPF_REG_0, 0),
4010 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4012 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4015 "direct packet access: test23 (x += pkt_ptr, 4)",
4017 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4018 offsetof(struct __sk_buff, data)),
4019 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4020 offsetof(struct __sk_buff, data_end)),
4021 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
4022 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
4023 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
4024 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
4025 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4026 BPF_MOV64_IMM(BPF_REG_0, 31),
4027 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
4028 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
4029 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
4030 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
4031 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4032 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
4033 BPF_MOV64_IMM(BPF_REG_0, 0),
4036 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4038 .errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)",
4039 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4042 "direct packet access: test24 (x += pkt_ptr, 5)",
4044 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4045 offsetof(struct __sk_buff, data)),
4046 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4047 offsetof(struct __sk_buff, data_end)),
4048 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
4049 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
4050 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
4051 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
4052 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4053 BPF_MOV64_IMM(BPF_REG_0, 64),
4054 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
4055 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
4056 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
4057 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1),
4058 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4059 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
4060 BPF_MOV64_IMM(BPF_REG_0, 0),
4063 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4065 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4068 "direct packet access: test25 (marking on <, good access)",
4070 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4071 offsetof(struct __sk_buff, data)),
4072 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4073 offsetof(struct __sk_buff, data_end)),
4074 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4075 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4076 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2),
4077 BPF_MOV64_IMM(BPF_REG_0, 0),
4079 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4080 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
4083 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4086 "direct packet access: test26 (marking on <, bad access)",
4088 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4089 offsetof(struct __sk_buff, data)),
4090 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4091 offsetof(struct __sk_buff, data_end)),
4092 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4093 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4094 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3),
4095 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4096 BPF_MOV64_IMM(BPF_REG_0, 0),
4098 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
4101 .errstr = "invalid access to packet",
4102 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4105 "direct packet access: test27 (marking on <=, good access)",
4107 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4108 offsetof(struct __sk_buff, data)),
4109 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4110 offsetof(struct __sk_buff, data_end)),
4111 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4112 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4113 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1),
4114 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4115 BPF_MOV64_IMM(BPF_REG_0, 1),
4119 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4123 "direct packet access: test28 (marking on <=, bad access)",
4125 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4126 offsetof(struct __sk_buff, data)),
4127 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4128 offsetof(struct __sk_buff, data_end)),
4129 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4130 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4131 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2),
4132 BPF_MOV64_IMM(BPF_REG_0, 1),
4134 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4135 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
4138 .errstr = "invalid access to packet",
4139 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4142 "helper access to packet: test1, valid packet_ptr range",
4144 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4145 offsetof(struct xdp_md, data)),
4146 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4147 offsetof(struct xdp_md, data_end)),
4148 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4149 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
4150 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
4151 BPF_LD_MAP_FD(BPF_REG_1, 0),
4152 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
4153 BPF_MOV64_IMM(BPF_REG_4, 0),
4154 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4155 BPF_FUNC_map_update_elem),
4156 BPF_MOV64_IMM(BPF_REG_0, 0),
4159 .fixup_map_hash_8b = { 5 },
4160 .result_unpriv = ACCEPT,
4162 .prog_type = BPF_PROG_TYPE_XDP,
4165 "helper access to packet: test2, unchecked packet_ptr",
4167 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4168 offsetof(struct xdp_md, data)),
4169 BPF_LD_MAP_FD(BPF_REG_1, 0),
4170 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4171 BPF_FUNC_map_lookup_elem),
4172 BPF_MOV64_IMM(BPF_REG_0, 0),
4175 .fixup_map_hash_8b = { 1 },
4177 .errstr = "invalid access to packet",
4178 .prog_type = BPF_PROG_TYPE_XDP,
4181 "helper access to packet: test3, variable add",
4183 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4184 offsetof(struct xdp_md, data)),
4185 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4186 offsetof(struct xdp_md, data_end)),
4187 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4188 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
4189 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
4190 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
4191 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4192 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
4193 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4194 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
4195 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
4196 BPF_LD_MAP_FD(BPF_REG_1, 0),
4197 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
4198 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4199 BPF_FUNC_map_lookup_elem),
4200 BPF_MOV64_IMM(BPF_REG_0, 0),
4203 .fixup_map_hash_8b = { 11 },
4205 .prog_type = BPF_PROG_TYPE_XDP,
4208 "helper access to packet: test4, packet_ptr with bad range",
4210 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4211 offsetof(struct xdp_md, data)),
4212 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4213 offsetof(struct xdp_md, data_end)),
4214 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4215 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
4216 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
4217 BPF_MOV64_IMM(BPF_REG_0, 0),
4219 BPF_LD_MAP_FD(BPF_REG_1, 0),
4220 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4221 BPF_FUNC_map_lookup_elem),
4222 BPF_MOV64_IMM(BPF_REG_0, 0),
4225 .fixup_map_hash_8b = { 7 },
4227 .errstr = "invalid access to packet",
4228 .prog_type = BPF_PROG_TYPE_XDP,
4231 "helper access to packet: test5, packet_ptr with too short range",
4233 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4234 offsetof(struct xdp_md, data)),
4235 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4236 offsetof(struct xdp_md, data_end)),
4237 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4238 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4239 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4240 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4241 BPF_LD_MAP_FD(BPF_REG_1, 0),
4242 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4243 BPF_FUNC_map_lookup_elem),
4244 BPF_MOV64_IMM(BPF_REG_0, 0),
4247 .fixup_map_hash_8b = { 6 },
4249 .errstr = "invalid access to packet",
4250 .prog_type = BPF_PROG_TYPE_XDP,
4253 "helper access to packet: test6, cls valid packet_ptr range",
4255 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4256 offsetof(struct __sk_buff, data)),
4257 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4258 offsetof(struct __sk_buff, data_end)),
4259 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4260 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
4261 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
4262 BPF_LD_MAP_FD(BPF_REG_1, 0),
4263 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
4264 BPF_MOV64_IMM(BPF_REG_4, 0),
4265 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4266 BPF_FUNC_map_update_elem),
4267 BPF_MOV64_IMM(BPF_REG_0, 0),
4270 .fixup_map_hash_8b = { 5 },
4272 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4275 "helper access to packet: test7, cls unchecked packet_ptr",
4277 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4278 offsetof(struct __sk_buff, data)),
4279 BPF_LD_MAP_FD(BPF_REG_1, 0),
4280 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4281 BPF_FUNC_map_lookup_elem),
4282 BPF_MOV64_IMM(BPF_REG_0, 0),
4285 .fixup_map_hash_8b = { 1 },
4287 .errstr = "invalid access to packet",
4288 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4291 "helper access to packet: test8, cls variable add",
4293 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4294 offsetof(struct __sk_buff, data)),
4295 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4296 offsetof(struct __sk_buff, data_end)),
4297 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4298 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
4299 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
4300 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
4301 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4302 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
4303 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4304 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
4305 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
4306 BPF_LD_MAP_FD(BPF_REG_1, 0),
4307 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
4308 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4309 BPF_FUNC_map_lookup_elem),
4310 BPF_MOV64_IMM(BPF_REG_0, 0),
4313 .fixup_map_hash_8b = { 11 },
4315 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4318 "helper access to packet: test9, cls packet_ptr with bad range",
4320 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4321 offsetof(struct __sk_buff, data)),
4322 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4323 offsetof(struct __sk_buff, data_end)),
4324 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4325 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
4326 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
4327 BPF_MOV64_IMM(BPF_REG_0, 0),
4329 BPF_LD_MAP_FD(BPF_REG_1, 0),
4330 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4331 BPF_FUNC_map_lookup_elem),
4332 BPF_MOV64_IMM(BPF_REG_0, 0),
4335 .fixup_map_hash_8b = { 7 },
4337 .errstr = "invalid access to packet",
4338 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4341 "helper access to packet: test10, cls packet_ptr with too short range",
4343 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4344 offsetof(struct __sk_buff, data)),
4345 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4346 offsetof(struct __sk_buff, data_end)),
4347 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4348 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4349 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4350 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4351 BPF_LD_MAP_FD(BPF_REG_1, 0),
4352 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4353 BPF_FUNC_map_lookup_elem),
4354 BPF_MOV64_IMM(BPF_REG_0, 0),
4357 .fixup_map_hash_8b = { 6 },
4359 .errstr = "invalid access to packet",
4360 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4363 "helper access to packet: test11, cls unsuitable helper 1",
4365 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4366 offsetof(struct __sk_buff, data)),
4367 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4368 offsetof(struct __sk_buff, data_end)),
4369 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4370 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4371 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
4372 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
4373 BPF_MOV64_IMM(BPF_REG_2, 0),
4374 BPF_MOV64_IMM(BPF_REG_4, 42),
4375 BPF_MOV64_IMM(BPF_REG_5, 0),
4376 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4377 BPF_FUNC_skb_store_bytes),
4378 BPF_MOV64_IMM(BPF_REG_0, 0),
4382 .errstr = "helper access to the packet",
4383 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4386 "helper access to packet: test12, cls unsuitable helper 2",
4388 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4389 offsetof(struct __sk_buff, data)),
4390 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4391 offsetof(struct __sk_buff, data_end)),
4392 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4393 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
4394 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
4395 BPF_MOV64_IMM(BPF_REG_2, 0),
4396 BPF_MOV64_IMM(BPF_REG_4, 4),
4397 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4398 BPF_FUNC_skb_load_bytes),
4399 BPF_MOV64_IMM(BPF_REG_0, 0),
4403 .errstr = "helper access to the packet",
4404 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4407 "helper access to packet: test13, cls helper ok",
4409 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4410 offsetof(struct __sk_buff, data)),
4411 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4412 offsetof(struct __sk_buff, data_end)),
4413 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4414 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4415 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4416 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4417 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4418 BPF_MOV64_IMM(BPF_REG_2, 4),
4419 BPF_MOV64_IMM(BPF_REG_3, 0),
4420 BPF_MOV64_IMM(BPF_REG_4, 0),
4421 BPF_MOV64_IMM(BPF_REG_5, 0),
4422 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4423 BPF_FUNC_csum_diff),
4424 BPF_MOV64_IMM(BPF_REG_0, 0),
4428 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4431 "helper access to packet: test14, cls helper ok sub",
4433 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4434 offsetof(struct __sk_buff, data)),
4435 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4436 offsetof(struct __sk_buff, data_end)),
4437 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4438 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4439 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4440 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4441 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
4442 BPF_MOV64_IMM(BPF_REG_2, 4),
4443 BPF_MOV64_IMM(BPF_REG_3, 0),
4444 BPF_MOV64_IMM(BPF_REG_4, 0),
4445 BPF_MOV64_IMM(BPF_REG_5, 0),
4446 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4447 BPF_FUNC_csum_diff),
4448 BPF_MOV64_IMM(BPF_REG_0, 0),
4452 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4455 "helper access to packet: test15, cls helper fail sub",
4457 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4458 offsetof(struct __sk_buff, data)),
4459 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4460 offsetof(struct __sk_buff, data_end)),
4461 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4462 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4463 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4464 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4465 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12),
4466 BPF_MOV64_IMM(BPF_REG_2, 4),
4467 BPF_MOV64_IMM(BPF_REG_3, 0),
4468 BPF_MOV64_IMM(BPF_REG_4, 0),
4469 BPF_MOV64_IMM(BPF_REG_5, 0),
4470 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4471 BPF_FUNC_csum_diff),
4472 BPF_MOV64_IMM(BPF_REG_0, 0),
4476 .errstr = "invalid access to packet",
4477 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4480 "helper access to packet: test16, cls helper fail range 1",
4482 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4483 offsetof(struct __sk_buff, data)),
4484 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4485 offsetof(struct __sk_buff, data_end)),
4486 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4487 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4488 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4489 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4490 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4491 BPF_MOV64_IMM(BPF_REG_2, 8),
4492 BPF_MOV64_IMM(BPF_REG_3, 0),
4493 BPF_MOV64_IMM(BPF_REG_4, 0),
4494 BPF_MOV64_IMM(BPF_REG_5, 0),
4495 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4496 BPF_FUNC_csum_diff),
4497 BPF_MOV64_IMM(BPF_REG_0, 0),
4501 .errstr = "invalid access to packet",
4502 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4505 "helper access to packet: test17, cls helper fail range 2",
4507 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4508 offsetof(struct __sk_buff, data)),
4509 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4510 offsetof(struct __sk_buff, data_end)),
4511 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4512 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4513 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4514 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4515 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4516 BPF_MOV64_IMM(BPF_REG_2, -9),
4517 BPF_MOV64_IMM(BPF_REG_3, 0),
4518 BPF_MOV64_IMM(BPF_REG_4, 0),
4519 BPF_MOV64_IMM(BPF_REG_5, 0),
4520 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4521 BPF_FUNC_csum_diff),
4522 BPF_MOV64_IMM(BPF_REG_0, 0),
4526 .errstr = "R2 min value is negative",
4527 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4530 "helper access to packet: test18, cls helper fail range 3",
4532 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4533 offsetof(struct __sk_buff, data)),
4534 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4535 offsetof(struct __sk_buff, data_end)),
4536 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4537 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4538 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4539 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4540 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4541 BPF_MOV64_IMM(BPF_REG_2, ~0),
4542 BPF_MOV64_IMM(BPF_REG_3, 0),
4543 BPF_MOV64_IMM(BPF_REG_4, 0),
4544 BPF_MOV64_IMM(BPF_REG_5, 0),
4545 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4546 BPF_FUNC_csum_diff),
4547 BPF_MOV64_IMM(BPF_REG_0, 0),
4551 .errstr = "R2 min value is negative",
4552 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4555 "helper access to packet: test19, cls helper range zero",
4557 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4558 offsetof(struct __sk_buff, data)),
4559 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4560 offsetof(struct __sk_buff, data_end)),
4561 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4562 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4563 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4564 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4565 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4566 BPF_MOV64_IMM(BPF_REG_2, 0),
4567 BPF_MOV64_IMM(BPF_REG_3, 0),
4568 BPF_MOV64_IMM(BPF_REG_4, 0),
4569 BPF_MOV64_IMM(BPF_REG_5, 0),
4570 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4571 BPF_FUNC_csum_diff),
4572 BPF_MOV64_IMM(BPF_REG_0, 0),
4576 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4579 "helper access to packet: test20, pkt end as input",
4581 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4582 offsetof(struct __sk_buff, data)),
4583 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4584 offsetof(struct __sk_buff, data_end)),
4585 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4586 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4587 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4588 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4589 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
4590 BPF_MOV64_IMM(BPF_REG_2, 4),
4591 BPF_MOV64_IMM(BPF_REG_3, 0),
4592 BPF_MOV64_IMM(BPF_REG_4, 0),
4593 BPF_MOV64_IMM(BPF_REG_5, 0),
4594 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4595 BPF_FUNC_csum_diff),
4596 BPF_MOV64_IMM(BPF_REG_0, 0),
4600 .errstr = "R1 type=pkt_end expected=fp",
4601 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4604 "helper access to packet: test21, wrong reg",
4606 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4607 offsetof(struct __sk_buff, data)),
4608 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4609 offsetof(struct __sk_buff, data_end)),
4610 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4611 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4612 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4613 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4614 BPF_MOV64_IMM(BPF_REG_2, 4),
4615 BPF_MOV64_IMM(BPF_REG_3, 0),
4616 BPF_MOV64_IMM(BPF_REG_4, 0),
4617 BPF_MOV64_IMM(BPF_REG_5, 0),
4618 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4619 BPF_FUNC_csum_diff),
4620 BPF_MOV64_IMM(BPF_REG_0, 0),
4624 .errstr = "invalid access to packet",
4625 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4628 "prevent map lookup in sockmap",
4630 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4631 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4632 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4633 BPF_LD_MAP_FD(BPF_REG_1, 0),
4634 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4635 BPF_FUNC_map_lookup_elem),
4638 .fixup_map_sockmap = { 3 },
4640 .errstr = "cannot pass map_type 15 into func bpf_map_lookup_elem",
4641 .prog_type = BPF_PROG_TYPE_SOCK_OPS,
4644 "prevent map lookup in sockhash",
4646 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4647 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4648 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4649 BPF_LD_MAP_FD(BPF_REG_1, 0),
4650 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4651 BPF_FUNC_map_lookup_elem),
4654 .fixup_map_sockhash = { 3 },
4656 .errstr = "cannot pass map_type 18 into func bpf_map_lookup_elem",
4657 .prog_type = BPF_PROG_TYPE_SOCK_OPS,
4660 "prevent map lookup in xskmap",
4662 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4663 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4664 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4665 BPF_LD_MAP_FD(BPF_REG_1, 0),
4666 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4667 BPF_FUNC_map_lookup_elem),
4670 .fixup_map_xskmap = { 3 },
4672 .errstr = "cannot pass map_type 17 into func bpf_map_lookup_elem",
4673 .prog_type = BPF_PROG_TYPE_XDP,
4676 "prevent map lookup in stack trace",
4678 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4679 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4680 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4681 BPF_LD_MAP_FD(BPF_REG_1, 0),
4682 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4683 BPF_FUNC_map_lookup_elem),
4686 .fixup_map_stacktrace = { 3 },
4688 .errstr = "cannot pass map_type 7 into func bpf_map_lookup_elem",
4689 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
4692 "prevent map lookup in prog array",
4694 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4695 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4696 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4697 BPF_LD_MAP_FD(BPF_REG_1, 0),
4698 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4699 BPF_FUNC_map_lookup_elem),
4702 .fixup_prog2 = { 3 },
4704 .errstr = "cannot pass map_type 3 into func bpf_map_lookup_elem",
4707 "valid map access into an array with a constant",
4709 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4710 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4711 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4712 BPF_LD_MAP_FD(BPF_REG_1, 0),
4713 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4714 BPF_FUNC_map_lookup_elem),
4715 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4716 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4717 offsetof(struct test_val, foo)),
4720 .fixup_map_hash_48b = { 3 },
4721 .errstr_unpriv = "R0 leaks addr",
4722 .result_unpriv = REJECT,
4726 "valid map access into an array with a register",
4728 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4729 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4730 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4731 BPF_LD_MAP_FD(BPF_REG_1, 0),
4732 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4733 BPF_FUNC_map_lookup_elem),
4734 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4735 BPF_MOV64_IMM(BPF_REG_1, 4),
4736 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4737 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4738 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4739 offsetof(struct test_val, foo)),
4742 .fixup_map_hash_48b = { 3 },
4743 .errstr_unpriv = "R0 leaks addr",
4744 .result_unpriv = REJECT,
4746 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4749 "valid map access into an array with a variable",
4751 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4752 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4753 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4754 BPF_LD_MAP_FD(BPF_REG_1, 0),
4755 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4756 BPF_FUNC_map_lookup_elem),
4757 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4758 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4759 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
4760 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4761 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4762 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4763 offsetof(struct test_val, foo)),
4766 .fixup_map_hash_48b = { 3 },
4767 .errstr_unpriv = "R0 leaks addr",
4768 .result_unpriv = REJECT,
4770 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4773 "valid map access into an array with a signed variable",
4775 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4776 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4777 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4778 BPF_LD_MAP_FD(BPF_REG_1, 0),
4779 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4780 BPF_FUNC_map_lookup_elem),
4781 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
4782 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4783 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
4784 BPF_MOV32_IMM(BPF_REG_1, 0),
4785 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4786 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4787 BPF_MOV32_IMM(BPF_REG_1, 0),
4788 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4789 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4790 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4791 offsetof(struct test_val, foo)),
4794 .fixup_map_hash_48b = { 3 },
4795 .errstr_unpriv = "R0 leaks addr",
4796 .result_unpriv = REJECT,
4798 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4801 "invalid map access into an array with a constant",
4803 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4804 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4805 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4806 BPF_LD_MAP_FD(BPF_REG_1, 0),
4807 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4808 BPF_FUNC_map_lookup_elem),
4809 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4810 BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
4811 offsetof(struct test_val, foo)),
4814 .fixup_map_hash_48b = { 3 },
4815 .errstr = "invalid access to map value, value_size=48 off=48 size=8",
4819 "invalid map access into an array with a register",
4821 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4822 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4823 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4824 BPF_LD_MAP_FD(BPF_REG_1, 0),
4825 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4826 BPF_FUNC_map_lookup_elem),
4827 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4828 BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
4829 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4830 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4831 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4832 offsetof(struct test_val, foo)),
4835 .fixup_map_hash_48b = { 3 },
4836 .errstr = "R0 min value is outside of the array range",
4838 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4841 "invalid map access into an array with a variable",
4843 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4844 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4845 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4846 BPF_LD_MAP_FD(BPF_REG_1, 0),
4847 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4848 BPF_FUNC_map_lookup_elem),
4849 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4850 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4851 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4852 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4853 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4854 offsetof(struct test_val, foo)),
4857 .fixup_map_hash_48b = { 3 },
4858 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
4860 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4863 "invalid map access into an array with no floor check",
4865 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4866 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4867 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4868 BPF_LD_MAP_FD(BPF_REG_1, 0),
4869 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4870 BPF_FUNC_map_lookup_elem),
4871 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4872 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
4873 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4874 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4875 BPF_MOV32_IMM(BPF_REG_1, 0),
4876 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4877 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4878 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4879 offsetof(struct test_val, foo)),
4882 .fixup_map_hash_48b = { 3 },
4883 .errstr_unpriv = "R0 leaks addr",
4884 .errstr = "R0 unbounded memory access",
4885 .result_unpriv = REJECT,
4887 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4890 "invalid map access into an array with a invalid max check",
4892 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4893 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4894 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4895 BPF_LD_MAP_FD(BPF_REG_1, 0),
4896 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4897 BPF_FUNC_map_lookup_elem),
4898 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4899 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4900 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
4901 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
4902 BPF_MOV32_IMM(BPF_REG_1, 0),
4903 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4904 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4905 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4906 offsetof(struct test_val, foo)),
4909 .fixup_map_hash_48b = { 3 },
4910 .errstr_unpriv = "R0 leaks addr",
4911 .errstr = "invalid access to map value, value_size=48 off=44 size=8",
4912 .result_unpriv = REJECT,
4914 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4917 "invalid map access into an array with a invalid max check",
4919 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4920 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4921 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4922 BPF_LD_MAP_FD(BPF_REG_1, 0),
4923 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4924 BPF_FUNC_map_lookup_elem),
4925 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
4926 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
4927 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4928 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4929 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4930 BPF_LD_MAP_FD(BPF_REG_1, 0),
4931 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4932 BPF_FUNC_map_lookup_elem),
4933 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4934 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
4935 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
4936 offsetof(struct test_val, foo)),
4939 .fixup_map_hash_48b = { 3, 11 },
4940 .errstr = "R0 pointer += pointer",
4942 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4945 "direct packet read test#1 for CGROUP_SKB",
4947 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4948 offsetof(struct __sk_buff, data)),
4949 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4950 offsetof(struct __sk_buff, data_end)),
4951 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
4952 offsetof(struct __sk_buff, len)),
4953 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4954 offsetof(struct __sk_buff, pkt_type)),
4955 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4956 offsetof(struct __sk_buff, mark)),
4957 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
4958 offsetof(struct __sk_buff, mark)),
4959 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4960 offsetof(struct __sk_buff, queue_mapping)),
4961 BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
4962 offsetof(struct __sk_buff, protocol)),
4963 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
4964 offsetof(struct __sk_buff, vlan_present)),
4965 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4966 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4967 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4968 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4969 BPF_MOV64_IMM(BPF_REG_0, 0),
4973 .result_unpriv = REJECT,
4974 .errstr_unpriv = "invalid bpf_context access off=76 size=4",
4975 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4978 "direct packet read test#2 for CGROUP_SKB",
4980 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
4981 offsetof(struct __sk_buff, vlan_tci)),
4982 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4983 offsetof(struct __sk_buff, vlan_proto)),
4984 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4985 offsetof(struct __sk_buff, priority)),
4986 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
4987 offsetof(struct __sk_buff, priority)),
4988 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4989 offsetof(struct __sk_buff,
4991 BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
4992 offsetof(struct __sk_buff, tc_index)),
4993 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
4994 offsetof(struct __sk_buff, hash)),
4995 BPF_MOV64_IMM(BPF_REG_0, 0),
4999 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5002 "direct packet read test#3 for CGROUP_SKB",
5004 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
5005 offsetof(struct __sk_buff, cb[0])),
5006 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
5007 offsetof(struct __sk_buff, cb[1])),
5008 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5009 offsetof(struct __sk_buff, cb[2])),
5010 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
5011 offsetof(struct __sk_buff, cb[3])),
5012 BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
5013 offsetof(struct __sk_buff, cb[4])),
5014 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
5015 offsetof(struct __sk_buff, napi_id)),
5016 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_4,
5017 offsetof(struct __sk_buff, cb[0])),
5018 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_5,
5019 offsetof(struct __sk_buff, cb[1])),
5020 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
5021 offsetof(struct __sk_buff, cb[2])),
5022 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_7,
5023 offsetof(struct __sk_buff, cb[3])),
5024 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_8,
5025 offsetof(struct __sk_buff, cb[4])),
5026 BPF_MOV64_IMM(BPF_REG_0, 0),
5030 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5033 "direct packet read test#4 for CGROUP_SKB",
5035 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5036 offsetof(struct __sk_buff, family)),
5037 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5038 offsetof(struct __sk_buff, remote_ip4)),
5039 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
5040 offsetof(struct __sk_buff, local_ip4)),
5041 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
5042 offsetof(struct __sk_buff, remote_ip6[0])),
5043 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
5044 offsetof(struct __sk_buff, remote_ip6[1])),
5045 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
5046 offsetof(struct __sk_buff, remote_ip6[2])),
5047 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
5048 offsetof(struct __sk_buff, remote_ip6[3])),
5049 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5050 offsetof(struct __sk_buff, local_ip6[0])),
5051 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5052 offsetof(struct __sk_buff, local_ip6[1])),
5053 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5054 offsetof(struct __sk_buff, local_ip6[2])),
5055 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5056 offsetof(struct __sk_buff, local_ip6[3])),
5057 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
5058 offsetof(struct __sk_buff, remote_port)),
5059 BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
5060 offsetof(struct __sk_buff, local_port)),
5061 BPF_MOV64_IMM(BPF_REG_0, 0),
5065 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5068 "invalid access of tc_classid for CGROUP_SKB",
5070 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5071 offsetof(struct __sk_buff, tc_classid)),
5072 BPF_MOV64_IMM(BPF_REG_0, 0),
5076 .errstr = "invalid bpf_context access",
5077 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5080 "invalid access of data_meta for CGROUP_SKB",
5082 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5083 offsetof(struct __sk_buff, data_meta)),
5084 BPF_MOV64_IMM(BPF_REG_0, 0),
5088 .errstr = "invalid bpf_context access",
5089 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5092 "invalid access of flow_keys for CGROUP_SKB",
5094 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5095 offsetof(struct __sk_buff, flow_keys)),
5096 BPF_MOV64_IMM(BPF_REG_0, 0),
5100 .errstr = "invalid bpf_context access",
5101 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5104 "invalid write access to napi_id for CGROUP_SKB",
5106 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
5107 offsetof(struct __sk_buff, napi_id)),
5108 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_9,
5109 offsetof(struct __sk_buff, napi_id)),
5110 BPF_MOV64_IMM(BPF_REG_0, 0),
5114 .errstr = "invalid bpf_context access",
5115 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5118 "valid cgroup storage access",
5120 BPF_MOV64_IMM(BPF_REG_2, 0),
5121 BPF_LD_MAP_FD(BPF_REG_1, 0),
5122 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5123 BPF_FUNC_get_local_storage),
5124 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5125 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5126 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5129 .fixup_cgroup_storage = { 1 },
5131 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5134 "invalid cgroup storage access 1",
5136 BPF_MOV64_IMM(BPF_REG_2, 0),
5137 BPF_LD_MAP_FD(BPF_REG_1, 0),
5138 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5139 BPF_FUNC_get_local_storage),
5140 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5141 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5142 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5145 .fixup_map_hash_8b = { 1 },
5147 .errstr = "cannot pass map_type 1 into func bpf_get_local_storage",
5148 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5151 "invalid cgroup storage access 2",
5153 BPF_MOV64_IMM(BPF_REG_2, 0),
5154 BPF_LD_MAP_FD(BPF_REG_1, 1),
5155 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5156 BPF_FUNC_get_local_storage),
5157 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5161 .errstr = "fd 1 is not pointing to valid bpf_map",
5162 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5165 "invalid cgroup storage access 3",
5167 BPF_MOV64_IMM(BPF_REG_2, 0),
5168 BPF_LD_MAP_FD(BPF_REG_1, 0),
5169 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5170 BPF_FUNC_get_local_storage),
5171 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 256),
5172 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5173 BPF_MOV64_IMM(BPF_REG_0, 0),
5176 .fixup_cgroup_storage = { 1 },
5178 .errstr = "invalid access to map value, value_size=64 off=256 size=4",
5179 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5182 "invalid cgroup storage access 4",
5184 BPF_MOV64_IMM(BPF_REG_2, 0),
5185 BPF_LD_MAP_FD(BPF_REG_1, 0),
5186 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5187 BPF_FUNC_get_local_storage),
5188 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -2),
5189 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5190 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5193 .fixup_cgroup_storage = { 1 },
5195 .errstr = "invalid access to map value, value_size=64 off=-2 size=4",
5196 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5197 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5200 "invalid cgroup storage access 5",
5202 BPF_MOV64_IMM(BPF_REG_2, 7),
5203 BPF_LD_MAP_FD(BPF_REG_1, 0),
5204 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5205 BPF_FUNC_get_local_storage),
5206 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5207 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5208 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5211 .fixup_cgroup_storage = { 1 },
5213 .errstr = "get_local_storage() doesn't support non-zero flags",
5214 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5217 "invalid cgroup storage access 6",
5219 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
5220 BPF_LD_MAP_FD(BPF_REG_1, 0),
5221 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5222 BPF_FUNC_get_local_storage),
5223 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5224 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5225 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5228 .fixup_cgroup_storage = { 1 },
5230 .errstr = "get_local_storage() doesn't support non-zero flags",
5231 .errstr_unpriv = "R2 leaks addr into helper function",
5232 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5235 "valid per-cpu cgroup storage access",
5237 BPF_MOV64_IMM(BPF_REG_2, 0),
5238 BPF_LD_MAP_FD(BPF_REG_1, 0),
5239 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5240 BPF_FUNC_get_local_storage),
5241 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5242 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5243 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5246 .fixup_percpu_cgroup_storage = { 1 },
5248 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5251 "invalid per-cpu cgroup storage access 1",
5253 BPF_MOV64_IMM(BPF_REG_2, 0),
5254 BPF_LD_MAP_FD(BPF_REG_1, 0),
5255 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5256 BPF_FUNC_get_local_storage),
5257 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5258 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5259 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5262 .fixup_map_hash_8b = { 1 },
5264 .errstr = "cannot pass map_type 1 into func bpf_get_local_storage",
5265 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5268 "invalid per-cpu cgroup storage access 2",
5270 BPF_MOV64_IMM(BPF_REG_2, 0),
5271 BPF_LD_MAP_FD(BPF_REG_1, 1),
5272 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5273 BPF_FUNC_get_local_storage),
5274 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5278 .errstr = "fd 1 is not pointing to valid bpf_map",
5279 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5282 "invalid per-cpu cgroup storage access 3",
5284 BPF_MOV64_IMM(BPF_REG_2, 0),
5285 BPF_LD_MAP_FD(BPF_REG_1, 0),
5286 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5287 BPF_FUNC_get_local_storage),
5288 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 256),
5289 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5290 BPF_MOV64_IMM(BPF_REG_0, 0),
5293 .fixup_percpu_cgroup_storage = { 1 },
5295 .errstr = "invalid access to map value, value_size=64 off=256 size=4",
5296 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5299 "invalid per-cpu cgroup storage access 4",
5301 BPF_MOV64_IMM(BPF_REG_2, 0),
5302 BPF_LD_MAP_FD(BPF_REG_1, 0),
5303 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5304 BPF_FUNC_get_local_storage),
5305 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -2),
5306 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5307 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5310 .fixup_cgroup_storage = { 1 },
5312 .errstr = "invalid access to map value, value_size=64 off=-2 size=4",
5313 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5314 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5317 "invalid per-cpu cgroup storage access 5",
5319 BPF_MOV64_IMM(BPF_REG_2, 7),
5320 BPF_LD_MAP_FD(BPF_REG_1, 0),
5321 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5322 BPF_FUNC_get_local_storage),
5323 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5324 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5325 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5328 .fixup_percpu_cgroup_storage = { 1 },
5330 .errstr = "get_local_storage() doesn't support non-zero flags",
5331 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5334 "invalid per-cpu cgroup storage access 6",
5336 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
5337 BPF_LD_MAP_FD(BPF_REG_1, 0),
5338 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5339 BPF_FUNC_get_local_storage),
5340 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5341 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5342 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5345 .fixup_percpu_cgroup_storage = { 1 },
5347 .errstr = "get_local_storage() doesn't support non-zero flags",
5348 .errstr_unpriv = "R2 leaks addr into helper function",
5349 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5352 "write tstamp from CGROUP_SKB",
5354 BPF_MOV64_IMM(BPF_REG_0, 0),
5355 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5356 offsetof(struct __sk_buff, tstamp)),
5357 BPF_MOV64_IMM(BPF_REG_0, 0),
5361 .result_unpriv = REJECT,
5362 .errstr_unpriv = "invalid bpf_context access off=152 size=8",
5363 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5366 "read tstamp from CGROUP_SKB",
5368 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
5369 offsetof(struct __sk_buff, tstamp)),
5370 BPF_MOV64_IMM(BPF_REG_0, 0),
5374 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5377 "multiple registers share map_lookup_elem result",
5379 BPF_MOV64_IMM(BPF_REG_1, 10),
5380 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5381 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5382 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5383 BPF_LD_MAP_FD(BPF_REG_1, 0),
5384 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5385 BPF_FUNC_map_lookup_elem),
5386 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5387 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5388 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5391 .fixup_map_hash_8b = { 4 },
5393 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5396 "alu ops on ptr_to_map_value_or_null, 1",
5398 BPF_MOV64_IMM(BPF_REG_1, 10),
5399 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5400 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5401 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5402 BPF_LD_MAP_FD(BPF_REG_1, 0),
5403 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5404 BPF_FUNC_map_lookup_elem),
5405 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5406 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
5407 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
5408 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5409 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5412 .fixup_map_hash_8b = { 4 },
5413 .errstr = "R4 pointer arithmetic on map_value_or_null",
5415 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5418 "alu ops on ptr_to_map_value_or_null, 2",
5420 BPF_MOV64_IMM(BPF_REG_1, 10),
5421 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5422 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5423 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5424 BPF_LD_MAP_FD(BPF_REG_1, 0),
5425 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5426 BPF_FUNC_map_lookup_elem),
5427 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5428 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
5429 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5430 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5433 .fixup_map_hash_8b = { 4 },
5434 .errstr = "R4 pointer arithmetic on map_value_or_null",
5436 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5439 "alu ops on ptr_to_map_value_or_null, 3",
5441 BPF_MOV64_IMM(BPF_REG_1, 10),
5442 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5443 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5444 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5445 BPF_LD_MAP_FD(BPF_REG_1, 0),
5446 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5447 BPF_FUNC_map_lookup_elem),
5448 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5449 BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
5450 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5451 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5454 .fixup_map_hash_8b = { 4 },
5455 .errstr = "R4 pointer arithmetic on map_value_or_null",
5457 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5460 "invalid memory access with multiple map_lookup_elem calls",
5462 BPF_MOV64_IMM(BPF_REG_1, 10),
5463 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5464 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5465 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5466 BPF_LD_MAP_FD(BPF_REG_1, 0),
5467 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
5468 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
5469 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5470 BPF_FUNC_map_lookup_elem),
5471 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5472 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
5473 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
5474 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5475 BPF_FUNC_map_lookup_elem),
5476 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5477 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5480 .fixup_map_hash_8b = { 4 },
5482 .errstr = "R4 !read_ok",
5483 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5486 "valid indirect map_lookup_elem access with 2nd lookup in branch",
5488 BPF_MOV64_IMM(BPF_REG_1, 10),
5489 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5490 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5491 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5492 BPF_LD_MAP_FD(BPF_REG_1, 0),
5493 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
5494 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
5495 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5496 BPF_FUNC_map_lookup_elem),
5497 BPF_MOV64_IMM(BPF_REG_2, 10),
5498 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
5499 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
5500 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
5501 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5502 BPF_FUNC_map_lookup_elem),
5503 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5504 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5505 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5508 .fixup_map_hash_8b = { 4 },
5510 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5513 "invalid map access from else condition",
5515 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5516 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5517 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5518 BPF_LD_MAP_FD(BPF_REG_1, 0),
5519 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
5520 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5521 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5522 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
5523 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5524 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
5525 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5526 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
5529 .fixup_map_hash_48b = { 3 },
5530 .errstr = "R0 unbounded memory access",
5532 .errstr_unpriv = "R0 leaks addr",
5533 .result_unpriv = REJECT,
5534 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5537 "constant register |= constant should keep constant type",
5539 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5540 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5541 BPF_MOV64_IMM(BPF_REG_2, 34),
5542 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
5543 BPF_MOV64_IMM(BPF_REG_3, 0),
5544 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5548 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5551 "constant register |= constant should not bypass stack boundary checks",
5553 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5554 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5555 BPF_MOV64_IMM(BPF_REG_2, 34),
5556 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
5557 BPF_MOV64_IMM(BPF_REG_3, 0),
5558 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5561 .errstr = "invalid stack type R1 off=-48 access_size=58",
5563 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5566 "constant register |= constant register should keep constant type",
5568 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5569 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5570 BPF_MOV64_IMM(BPF_REG_2, 34),
5571 BPF_MOV64_IMM(BPF_REG_4, 13),
5572 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
5573 BPF_MOV64_IMM(BPF_REG_3, 0),
5574 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5578 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5581 "constant register |= constant register should not bypass stack boundary checks",
5583 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5584 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5585 BPF_MOV64_IMM(BPF_REG_2, 34),
5586 BPF_MOV64_IMM(BPF_REG_4, 24),
5587 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
5588 BPF_MOV64_IMM(BPF_REG_3, 0),
5589 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5592 .errstr = "invalid stack type R1 off=-48 access_size=58",
5594 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5597 "invalid direct packet write for LWT_IN",
5599 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5600 offsetof(struct __sk_buff, data)),
5601 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5602 offsetof(struct __sk_buff, data_end)),
5603 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5604 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5605 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5606 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5607 BPF_MOV64_IMM(BPF_REG_0, 0),
5610 .errstr = "cannot write into packet",
5612 .prog_type = BPF_PROG_TYPE_LWT_IN,
5615 "invalid direct packet write for LWT_OUT",
5617 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5618 offsetof(struct __sk_buff, data)),
5619 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5620 offsetof(struct __sk_buff, data_end)),
5621 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5622 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5623 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5624 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5625 BPF_MOV64_IMM(BPF_REG_0, 0),
5628 .errstr = "cannot write into packet",
5630 .prog_type = BPF_PROG_TYPE_LWT_OUT,
5633 "direct packet write for LWT_XMIT",
5635 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5636 offsetof(struct __sk_buff, data)),
5637 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5638 offsetof(struct __sk_buff, data_end)),
5639 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5640 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5641 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5642 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5643 BPF_MOV64_IMM(BPF_REG_0, 0),
5647 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5650 "direct packet read for LWT_IN",
5652 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5653 offsetof(struct __sk_buff, data)),
5654 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5655 offsetof(struct __sk_buff, data_end)),
5656 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5657 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5658 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5659 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5660 BPF_MOV64_IMM(BPF_REG_0, 0),
5664 .prog_type = BPF_PROG_TYPE_LWT_IN,
5667 "direct packet read for LWT_OUT",
5669 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5670 offsetof(struct __sk_buff, data)),
5671 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5672 offsetof(struct __sk_buff, data_end)),
5673 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5674 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5675 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5676 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5677 BPF_MOV64_IMM(BPF_REG_0, 0),
5681 .prog_type = BPF_PROG_TYPE_LWT_OUT,
5684 "direct packet read for LWT_XMIT",
5686 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5687 offsetof(struct __sk_buff, data)),
5688 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5689 offsetof(struct __sk_buff, data_end)),
5690 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5691 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5692 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5693 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5694 BPF_MOV64_IMM(BPF_REG_0, 0),
5698 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5701 "overlapping checks for direct packet access",
5703 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5704 offsetof(struct __sk_buff, data)),
5705 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5706 offsetof(struct __sk_buff, data_end)),
5707 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5708 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5709 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
5710 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
5711 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
5712 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
5713 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
5714 BPF_MOV64_IMM(BPF_REG_0, 0),
5718 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5721 "make headroom for LWT_XMIT",
5723 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5724 BPF_MOV64_IMM(BPF_REG_2, 34),
5725 BPF_MOV64_IMM(BPF_REG_3, 0),
5726 BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
5727 /* split for s390 to succeed */
5728 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
5729 BPF_MOV64_IMM(BPF_REG_2, 42),
5730 BPF_MOV64_IMM(BPF_REG_3, 0),
5731 BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
5732 BPF_MOV64_IMM(BPF_REG_0, 0),
5736 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5739 "invalid access of tc_classid for LWT_IN",
5741 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5742 offsetof(struct __sk_buff, tc_classid)),
5746 .errstr = "invalid bpf_context access",
5749 "invalid access of tc_classid for LWT_OUT",
5751 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5752 offsetof(struct __sk_buff, tc_classid)),
5756 .errstr = "invalid bpf_context access",
5759 "invalid access of tc_classid for LWT_XMIT",
5761 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5762 offsetof(struct __sk_buff, tc_classid)),
5766 .errstr = "invalid bpf_context access",
5769 "leak pointer into ctx 1",
5771 BPF_MOV64_IMM(BPF_REG_0, 0),
5772 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5773 offsetof(struct __sk_buff, cb[0])),
5774 BPF_LD_MAP_FD(BPF_REG_2, 0),
5775 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
5776 offsetof(struct __sk_buff, cb[0])),
5779 .fixup_map_hash_8b = { 2 },
5780 .errstr_unpriv = "R2 leaks addr into mem",
5781 .result_unpriv = REJECT,
5783 .errstr = "BPF_XADD stores into R1 ctx is not allowed",
5786 "leak pointer into ctx 2",
5788 BPF_MOV64_IMM(BPF_REG_0, 0),
5789 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5790 offsetof(struct __sk_buff, cb[0])),
5791 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
5792 offsetof(struct __sk_buff, cb[0])),
5795 .errstr_unpriv = "R10 leaks addr into mem",
5796 .result_unpriv = REJECT,
5798 .errstr = "BPF_XADD stores into R1 ctx is not allowed",
5801 "leak pointer into ctx 3",
5803 BPF_MOV64_IMM(BPF_REG_0, 0),
5804 BPF_LD_MAP_FD(BPF_REG_2, 0),
5805 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
5806 offsetof(struct __sk_buff, cb[0])),
5809 .fixup_map_hash_8b = { 1 },
5810 .errstr_unpriv = "R2 leaks addr into ctx",
5811 .result_unpriv = REJECT,
5815 "leak pointer into map val",
5817 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5818 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5819 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5820 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5821 BPF_LD_MAP_FD(BPF_REG_1, 0),
5822 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5823 BPF_FUNC_map_lookup_elem),
5824 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
5825 BPF_MOV64_IMM(BPF_REG_3, 0),
5826 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
5827 BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
5828 BPF_MOV64_IMM(BPF_REG_0, 0),
5831 .fixup_map_hash_8b = { 4 },
5832 .errstr_unpriv = "R6 leaks addr into mem",
5833 .result_unpriv = REJECT,
5837 "helper access to map: full range",
5839 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5840 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5841 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5842 BPF_LD_MAP_FD(BPF_REG_1, 0),
5843 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5844 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5845 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5846 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5847 BPF_MOV64_IMM(BPF_REG_3, 0),
5848 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5851 .fixup_map_hash_48b = { 3 },
5853 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5856 "helper access to map: partial range",
5858 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5859 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5860 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5861 BPF_LD_MAP_FD(BPF_REG_1, 0),
5862 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5863 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5864 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5865 BPF_MOV64_IMM(BPF_REG_2, 8),
5866 BPF_MOV64_IMM(BPF_REG_3, 0),
5867 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5870 .fixup_map_hash_48b = { 3 },
5872 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5875 "helper access to map: empty range",
5877 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5878 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5879 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5880 BPF_LD_MAP_FD(BPF_REG_1, 0),
5881 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5882 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
5883 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5884 BPF_MOV64_IMM(BPF_REG_2, 0),
5885 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5888 .fixup_map_hash_48b = { 3 },
5889 .errstr = "invalid access to map value, value_size=48 off=0 size=0",
5891 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5894 "helper access to map: out-of-bound range",
5896 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5897 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5898 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5899 BPF_LD_MAP_FD(BPF_REG_1, 0),
5900 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5901 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5902 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5903 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
5904 BPF_MOV64_IMM(BPF_REG_3, 0),
5905 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5908 .fixup_map_hash_48b = { 3 },
5909 .errstr = "invalid access to map value, value_size=48 off=0 size=56",
5911 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5914 "helper access to map: negative range",
5916 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5917 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5918 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5919 BPF_LD_MAP_FD(BPF_REG_1, 0),
5920 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5921 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5922 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5923 BPF_MOV64_IMM(BPF_REG_2, -8),
5924 BPF_MOV64_IMM(BPF_REG_3, 0),
5925 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5928 .fixup_map_hash_48b = { 3 },
5929 .errstr = "R2 min value is negative",
5931 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5934 "helper access to adjusted map (via const imm): full range",
5936 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5937 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5938 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5939 BPF_LD_MAP_FD(BPF_REG_1, 0),
5940 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5941 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5942 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5943 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5944 offsetof(struct test_val, foo)),
5945 BPF_MOV64_IMM(BPF_REG_2,
5946 sizeof(struct test_val) -
5947 offsetof(struct test_val, foo)),
5948 BPF_MOV64_IMM(BPF_REG_3, 0),
5949 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5952 .fixup_map_hash_48b = { 3 },
5954 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5957 "helper access to adjusted map (via const imm): partial range",
5959 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5960 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5961 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5962 BPF_LD_MAP_FD(BPF_REG_1, 0),
5963 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5964 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5965 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5966 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5967 offsetof(struct test_val, foo)),
5968 BPF_MOV64_IMM(BPF_REG_2, 8),
5969 BPF_MOV64_IMM(BPF_REG_3, 0),
5970 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5973 .fixup_map_hash_48b = { 3 },
5975 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5978 "helper access to adjusted map (via const imm): empty range",
5980 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5981 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5982 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5983 BPF_LD_MAP_FD(BPF_REG_1, 0),
5984 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5985 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5986 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5987 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5988 offsetof(struct test_val, foo)),
5989 BPF_MOV64_IMM(BPF_REG_2, 0),
5990 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5993 .fixup_map_hash_48b = { 3 },
5994 .errstr = "invalid access to map value, value_size=48 off=4 size=0",
5996 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5999 "helper access to adjusted map (via const imm): out-of-bound range",
6001 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6002 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6003 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6004 BPF_LD_MAP_FD(BPF_REG_1, 0),
6005 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6006 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6007 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6008 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
6009 offsetof(struct test_val, foo)),
6010 BPF_MOV64_IMM(BPF_REG_2,
6011 sizeof(struct test_val) -
6012 offsetof(struct test_val, foo) + 8),
6013 BPF_MOV64_IMM(BPF_REG_3, 0),
6014 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6017 .fixup_map_hash_48b = { 3 },
6018 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
6020 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6023 "helper access to adjusted map (via const imm): negative range (> adjustment)",
6025 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6026 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6027 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6028 BPF_LD_MAP_FD(BPF_REG_1, 0),
6029 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6030 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6031 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6032 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
6033 offsetof(struct test_val, foo)),
6034 BPF_MOV64_IMM(BPF_REG_2, -8),
6035 BPF_MOV64_IMM(BPF_REG_3, 0),
6036 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6039 .fixup_map_hash_48b = { 3 },
6040 .errstr = "R2 min value is negative",
6042 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6045 "helper access to adjusted map (via const imm): negative range (< adjustment)",
6047 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6048 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6049 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6050 BPF_LD_MAP_FD(BPF_REG_1, 0),
6051 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6052 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6053 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6054 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
6055 offsetof(struct test_val, foo)),
6056 BPF_MOV64_IMM(BPF_REG_2, -1),
6057 BPF_MOV64_IMM(BPF_REG_3, 0),
6058 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6061 .fixup_map_hash_48b = { 3 },
6062 .errstr = "R2 min value is negative",
6064 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6067 "helper access to adjusted map (via const reg): full range",
6069 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6070 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6071 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6072 BPF_LD_MAP_FD(BPF_REG_1, 0),
6073 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6074 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6075 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6076 BPF_MOV64_IMM(BPF_REG_3,
6077 offsetof(struct test_val, foo)),
6078 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6079 BPF_MOV64_IMM(BPF_REG_2,
6080 sizeof(struct test_val) -
6081 offsetof(struct test_val, foo)),
6082 BPF_MOV64_IMM(BPF_REG_3, 0),
6083 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6086 .fixup_map_hash_48b = { 3 },
6088 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6091 "helper access to adjusted map (via const reg): partial range",
6093 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6094 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6095 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6096 BPF_LD_MAP_FD(BPF_REG_1, 0),
6097 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6098 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6099 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6100 BPF_MOV64_IMM(BPF_REG_3,
6101 offsetof(struct test_val, foo)),
6102 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6103 BPF_MOV64_IMM(BPF_REG_2, 8),
6104 BPF_MOV64_IMM(BPF_REG_3, 0),
6105 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6108 .fixup_map_hash_48b = { 3 },
6110 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6113 "helper access to adjusted map (via const reg): empty range",
6115 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6116 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6117 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6118 BPF_LD_MAP_FD(BPF_REG_1, 0),
6119 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6120 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6121 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6122 BPF_MOV64_IMM(BPF_REG_3, 0),
6123 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6124 BPF_MOV64_IMM(BPF_REG_2, 0),
6125 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
6128 .fixup_map_hash_48b = { 3 },
6129 .errstr = "R1 min value is outside of the array range",
6131 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6134 "helper access to adjusted map (via const reg): out-of-bound range",
6136 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6137 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6138 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6139 BPF_LD_MAP_FD(BPF_REG_1, 0),
6140 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6141 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6142 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6143 BPF_MOV64_IMM(BPF_REG_3,
6144 offsetof(struct test_val, foo)),
6145 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6146 BPF_MOV64_IMM(BPF_REG_2,
6147 sizeof(struct test_val) -
6148 offsetof(struct test_val, foo) + 8),
6149 BPF_MOV64_IMM(BPF_REG_3, 0),
6150 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6153 .fixup_map_hash_48b = { 3 },
6154 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
6156 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6159 "helper access to adjusted map (via const reg): negative range (> adjustment)",
6161 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6162 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6163 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6164 BPF_LD_MAP_FD(BPF_REG_1, 0),
6165 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6166 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6167 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6168 BPF_MOV64_IMM(BPF_REG_3,
6169 offsetof(struct test_val, foo)),
6170 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6171 BPF_MOV64_IMM(BPF_REG_2, -8),
6172 BPF_MOV64_IMM(BPF_REG_3, 0),
6173 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6176 .fixup_map_hash_48b = { 3 },
6177 .errstr = "R2 min value is negative",
6179 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6182 "helper access to adjusted map (via const reg): negative range (< adjustment)",
6184 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6185 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6186 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6187 BPF_LD_MAP_FD(BPF_REG_1, 0),
6188 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6189 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6190 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6191 BPF_MOV64_IMM(BPF_REG_3,
6192 offsetof(struct test_val, foo)),
6193 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6194 BPF_MOV64_IMM(BPF_REG_2, -1),
6195 BPF_MOV64_IMM(BPF_REG_3, 0),
6196 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6199 .fixup_map_hash_48b = { 3 },
6200 .errstr = "R2 min value is negative",
6202 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6205 "helper access to adjusted map (via variable): full range",
6207 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6208 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6209 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6210 BPF_LD_MAP_FD(BPF_REG_1, 0),
6211 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6212 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6213 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6214 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6215 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6216 offsetof(struct test_val, foo), 4),
6217 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6218 BPF_MOV64_IMM(BPF_REG_2,
6219 sizeof(struct test_val) -
6220 offsetof(struct test_val, foo)),
6221 BPF_MOV64_IMM(BPF_REG_3, 0),
6222 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6225 .fixup_map_hash_48b = { 3 },
6227 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6230 "helper access to adjusted map (via variable): partial range",
6232 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6233 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6234 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6235 BPF_LD_MAP_FD(BPF_REG_1, 0),
6236 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6237 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6238 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6239 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6240 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6241 offsetof(struct test_val, foo), 4),
6242 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6243 BPF_MOV64_IMM(BPF_REG_2, 8),
6244 BPF_MOV64_IMM(BPF_REG_3, 0),
6245 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6248 .fixup_map_hash_48b = { 3 },
6250 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6253 "helper access to adjusted map (via variable): empty range",
6255 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6256 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6257 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6258 BPF_LD_MAP_FD(BPF_REG_1, 0),
6259 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6260 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6261 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6262 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6263 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6264 offsetof(struct test_val, foo), 3),
6265 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6266 BPF_MOV64_IMM(BPF_REG_2, 0),
6267 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
6270 .fixup_map_hash_48b = { 3 },
6271 .errstr = "R1 min value is outside of the array range",
6273 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6276 "helper access to adjusted map (via variable): no max check",
6278 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6279 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6280 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6281 BPF_LD_MAP_FD(BPF_REG_1, 0),
6282 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6283 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6284 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6285 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6286 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6287 BPF_MOV64_IMM(BPF_REG_2, 1),
6288 BPF_MOV64_IMM(BPF_REG_3, 0),
6289 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6292 .fixup_map_hash_48b = { 3 },
6293 .errstr = "R1 unbounded memory access",
6295 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6298 "helper access to adjusted map (via variable): wrong max check",
6300 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6301 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6302 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6303 BPF_LD_MAP_FD(BPF_REG_1, 0),
6304 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6305 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6306 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6307 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6308 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6309 offsetof(struct test_val, foo), 4),
6310 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6311 BPF_MOV64_IMM(BPF_REG_2,
6312 sizeof(struct test_val) -
6313 offsetof(struct test_val, foo) + 1),
6314 BPF_MOV64_IMM(BPF_REG_3, 0),
6315 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6318 .fixup_map_hash_48b = { 3 },
6319 .errstr = "invalid access to map value, value_size=48 off=4 size=45",
6321 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6324 "helper access to map: bounds check using <, good access",
6326 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6327 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6328 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6329 BPF_LD_MAP_FD(BPF_REG_1, 0),
6330 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6331 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6332 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6333 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6334 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
6335 BPF_MOV64_IMM(BPF_REG_0, 0),
6337 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6338 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6339 BPF_MOV64_IMM(BPF_REG_0, 0),
6342 .fixup_map_hash_48b = { 3 },
6344 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6347 "helper access to map: bounds check using <, bad access",
6349 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6350 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6351 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6352 BPF_LD_MAP_FD(BPF_REG_1, 0),
6353 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6354 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6355 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6356 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6357 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
6358 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6359 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6360 BPF_MOV64_IMM(BPF_REG_0, 0),
6362 BPF_MOV64_IMM(BPF_REG_0, 0),
6365 .fixup_map_hash_48b = { 3 },
6367 .errstr = "R1 unbounded memory access",
6368 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6371 "helper access to map: bounds check using <=, good access",
6373 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6374 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6375 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6376 BPF_LD_MAP_FD(BPF_REG_1, 0),
6377 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6378 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6379 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6380 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6381 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
6382 BPF_MOV64_IMM(BPF_REG_0, 0),
6384 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6385 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6386 BPF_MOV64_IMM(BPF_REG_0, 0),
6389 .fixup_map_hash_48b = { 3 },
6391 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6394 "helper access to map: bounds check using <=, bad access",
6396 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6397 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6398 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6399 BPF_LD_MAP_FD(BPF_REG_1, 0),
6400 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6401 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6402 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6403 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6404 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
6405 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6406 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6407 BPF_MOV64_IMM(BPF_REG_0, 0),
6409 BPF_MOV64_IMM(BPF_REG_0, 0),
6412 .fixup_map_hash_48b = { 3 },
6414 .errstr = "R1 unbounded memory access",
6415 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6418 "helper access to map: bounds check using s<, good access",
6420 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6421 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6422 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6423 BPF_LD_MAP_FD(BPF_REG_1, 0),
6424 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6425 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6426 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6427 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6428 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
6429 BPF_MOV64_IMM(BPF_REG_0, 0),
6431 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
6432 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6433 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6434 BPF_MOV64_IMM(BPF_REG_0, 0),
6437 .fixup_map_hash_48b = { 3 },
6439 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6442 "helper access to map: bounds check using s<, good access 2",
6444 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6445 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6446 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6447 BPF_LD_MAP_FD(BPF_REG_1, 0),
6448 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6449 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6450 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6451 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6452 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
6453 BPF_MOV64_IMM(BPF_REG_0, 0),
6455 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
6456 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6457 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6458 BPF_MOV64_IMM(BPF_REG_0, 0),
6461 .fixup_map_hash_48b = { 3 },
6463 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6466 "helper access to map: bounds check using s<, bad access",
6468 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6469 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6470 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6471 BPF_LD_MAP_FD(BPF_REG_1, 0),
6472 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6473 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6474 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6475 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
6476 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
6477 BPF_MOV64_IMM(BPF_REG_0, 0),
6479 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
6480 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6481 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6482 BPF_MOV64_IMM(BPF_REG_0, 0),
6485 .fixup_map_hash_48b = { 3 },
6487 .errstr = "R1 min value is negative",
6488 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6491 "helper access to map: bounds check using s<=, good access",
6493 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6494 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6495 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6496 BPF_LD_MAP_FD(BPF_REG_1, 0),
6497 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6498 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6499 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6500 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6501 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
6502 BPF_MOV64_IMM(BPF_REG_0, 0),
6504 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
6505 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6506 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6507 BPF_MOV64_IMM(BPF_REG_0, 0),
6510 .fixup_map_hash_48b = { 3 },
6512 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6515 "helper access to map: bounds check using s<=, good access 2",
6517 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6518 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6519 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6520 BPF_LD_MAP_FD(BPF_REG_1, 0),
6521 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6522 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6523 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6524 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6525 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
6526 BPF_MOV64_IMM(BPF_REG_0, 0),
6528 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
6529 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6530 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6531 BPF_MOV64_IMM(BPF_REG_0, 0),
6534 .fixup_map_hash_48b = { 3 },
6536 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6539 "helper access to map: bounds check using s<=, bad access",
6541 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6542 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6543 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6544 BPF_LD_MAP_FD(BPF_REG_1, 0),
6545 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6546 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6547 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6548 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
6549 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
6550 BPF_MOV64_IMM(BPF_REG_0, 0),
6552 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
6553 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6554 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6555 BPF_MOV64_IMM(BPF_REG_0, 0),
6558 .fixup_map_hash_48b = { 3 },
6560 .errstr = "R1 min value is negative",
6561 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6564 "map access: known scalar += value_ptr",
6566 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6567 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6568 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6569 BPF_LD_MAP_FD(BPF_REG_1, 0),
6570 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6571 BPF_FUNC_map_lookup_elem),
6572 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
6573 BPF_MOV64_IMM(BPF_REG_1, 4),
6574 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
6575 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
6576 BPF_MOV64_IMM(BPF_REG_0, 1),
6579 .fixup_map_array_48b = { 3 },
6584 "map access: value_ptr += known scalar",
6586 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6587 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6588 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6589 BPF_LD_MAP_FD(BPF_REG_1, 0),
6590 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6591 BPF_FUNC_map_lookup_elem),
6592 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
6593 BPF_MOV64_IMM(BPF_REG_1, 4),
6594 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6595 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6596 BPF_MOV64_IMM(BPF_REG_0, 1),
6599 .fixup_map_array_48b = { 3 },
6604 "map access: unknown scalar += value_ptr",
6606 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6607 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6608 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6609 BPF_LD_MAP_FD(BPF_REG_1, 0),
6610 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6611 BPF_FUNC_map_lookup_elem),
6612 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6613 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6614 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
6615 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
6616 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
6617 BPF_MOV64_IMM(BPF_REG_0, 1),
6620 .fixup_map_array_48b = { 3 },
6625 "map access: value_ptr += unknown scalar",
6627 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6628 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6629 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6630 BPF_LD_MAP_FD(BPF_REG_1, 0),
6631 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6632 BPF_FUNC_map_lookup_elem),
6633 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6634 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6635 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
6636 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6637 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6638 BPF_MOV64_IMM(BPF_REG_0, 1),
6641 .fixup_map_array_48b = { 3 },
6646 "map access: value_ptr += value_ptr",
6648 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6649 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6650 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6651 BPF_LD_MAP_FD(BPF_REG_1, 0),
6652 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6653 BPF_FUNC_map_lookup_elem),
6654 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6655 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_0),
6656 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6657 BPF_MOV64_IMM(BPF_REG_0, 1),
6660 .fixup_map_array_48b = { 3 },
6662 .errstr = "R0 pointer += pointer prohibited",
6665 "map access: known scalar -= value_ptr",
6667 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6668 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6669 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6670 BPF_LD_MAP_FD(BPF_REG_1, 0),
6671 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6672 BPF_FUNC_map_lookup_elem),
6673 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
6674 BPF_MOV64_IMM(BPF_REG_1, 4),
6675 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
6676 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
6677 BPF_MOV64_IMM(BPF_REG_0, 1),
6680 .fixup_map_array_48b = { 3 },
6682 .errstr = "R1 tried to subtract pointer from scalar",
6685 "map access: value_ptr -= known scalar",
6687 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6688 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6689 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6690 BPF_LD_MAP_FD(BPF_REG_1, 0),
6691 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6692 BPF_FUNC_map_lookup_elem),
6693 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
6694 BPF_MOV64_IMM(BPF_REG_1, 4),
6695 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
6696 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6697 BPF_MOV64_IMM(BPF_REG_0, 1),
6700 .fixup_map_array_48b = { 3 },
6702 .errstr = "R0 min value is outside of the array range",
6705 "map access: value_ptr -= known scalar, 2",
6707 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6708 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6709 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6710 BPF_LD_MAP_FD(BPF_REG_1, 0),
6711 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6712 BPF_FUNC_map_lookup_elem),
6713 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6714 BPF_MOV64_IMM(BPF_REG_1, 6),
6715 BPF_MOV64_IMM(BPF_REG_2, 4),
6716 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6717 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
6718 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6719 BPF_MOV64_IMM(BPF_REG_0, 1),
6722 .fixup_map_array_48b = { 3 },
6727 "map access: unknown scalar -= value_ptr",
6729 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6730 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6731 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6732 BPF_LD_MAP_FD(BPF_REG_1, 0),
6733 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6734 BPF_FUNC_map_lookup_elem),
6735 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6736 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6737 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
6738 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
6739 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
6740 BPF_MOV64_IMM(BPF_REG_0, 1),
6743 .fixup_map_array_48b = { 3 },
6745 .errstr = "R1 tried to subtract pointer from scalar",
6748 "map access: value_ptr -= unknown scalar",
6750 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6751 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6752 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6753 BPF_LD_MAP_FD(BPF_REG_1, 0),
6754 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6755 BPF_FUNC_map_lookup_elem),
6756 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6757 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6758 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
6759 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
6760 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6761 BPF_MOV64_IMM(BPF_REG_0, 1),
6764 .fixup_map_array_48b = { 3 },
6766 .errstr = "R0 min value is negative",
6769 "map access: value_ptr -= unknown scalar, 2",
6771 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6772 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6773 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6774 BPF_LD_MAP_FD(BPF_REG_1, 0),
6775 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6776 BPF_FUNC_map_lookup_elem),
6777 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
6778 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6779 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
6780 BPF_ALU64_IMM(BPF_OR, BPF_REG_1, 0x7),
6781 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6782 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6783 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7),
6784 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
6785 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6786 BPF_MOV64_IMM(BPF_REG_0, 1),
6789 .fixup_map_array_48b = { 3 },
6794 "map access: value_ptr -= value_ptr",
6796 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6797 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6798 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6799 BPF_LD_MAP_FD(BPF_REG_1, 0),
6800 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6801 BPF_FUNC_map_lookup_elem),
6802 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6803 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_0),
6804 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6805 BPF_MOV64_IMM(BPF_REG_0, 1),
6808 .fixup_map_array_48b = { 3 },
6810 .errstr = "R0 invalid mem access 'inv'",
6811 .errstr_unpriv = "R0 pointer -= pointer prohibited",
6814 "map lookup helper access to map",
6816 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6817 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6818 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6819 BPF_LD_MAP_FD(BPF_REG_1, 0),
6820 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6821 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6822 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6823 BPF_LD_MAP_FD(BPF_REG_1, 0),
6824 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6827 .fixup_map_hash_16b = { 3, 8 },
6829 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6832 "map update helper access to map",
6834 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6835 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6836 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6837 BPF_LD_MAP_FD(BPF_REG_1, 0),
6838 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6839 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6840 BPF_MOV64_IMM(BPF_REG_4, 0),
6841 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
6842 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6843 BPF_LD_MAP_FD(BPF_REG_1, 0),
6844 BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
6847 .fixup_map_hash_16b = { 3, 10 },
6849 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6852 "map update helper access to map: wrong size",
6854 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6855 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6856 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6857 BPF_LD_MAP_FD(BPF_REG_1, 0),
6858 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6859 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6860 BPF_MOV64_IMM(BPF_REG_4, 0),
6861 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
6862 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6863 BPF_LD_MAP_FD(BPF_REG_1, 0),
6864 BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
6867 .fixup_map_hash_8b = { 3 },
6868 .fixup_map_hash_16b = { 10 },
6870 .errstr = "invalid access to map value, value_size=8 off=0 size=16",
6871 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6874 "map helper access to adjusted map (via const imm)",
6876 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6877 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6878 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6879 BPF_LD_MAP_FD(BPF_REG_1, 0),
6880 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6881 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6882 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6883 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
6884 offsetof(struct other_val, bar)),
6885 BPF_LD_MAP_FD(BPF_REG_1, 0),
6886 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6889 .fixup_map_hash_16b = { 3, 9 },
6891 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6894 "map helper access to adjusted map (via const imm): out-of-bound 1",
6896 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6897 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6898 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6899 BPF_LD_MAP_FD(BPF_REG_1, 0),
6900 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6901 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6902 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6903 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
6904 sizeof(struct other_val) - 4),
6905 BPF_LD_MAP_FD(BPF_REG_1, 0),
6906 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6909 .fixup_map_hash_16b = { 3, 9 },
6911 .errstr = "invalid access to map value, value_size=16 off=12 size=8",
6912 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6915 "map helper access to adjusted map (via const imm): out-of-bound 2",
6917 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6918 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6919 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6920 BPF_LD_MAP_FD(BPF_REG_1, 0),
6921 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6922 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6923 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6924 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6925 BPF_LD_MAP_FD(BPF_REG_1, 0),
6926 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6929 .fixup_map_hash_16b = { 3, 9 },
6931 .errstr = "invalid access to map value, value_size=16 off=-4 size=8",
6932 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6935 "map helper access to adjusted map (via const reg)",
6937 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6938 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6939 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6940 BPF_LD_MAP_FD(BPF_REG_1, 0),
6941 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6942 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6943 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6944 BPF_MOV64_IMM(BPF_REG_3,
6945 offsetof(struct other_val, bar)),
6946 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6947 BPF_LD_MAP_FD(BPF_REG_1, 0),
6948 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6951 .fixup_map_hash_16b = { 3, 10 },
6953 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6956 "map helper access to adjusted map (via const reg): out-of-bound 1",
6958 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6959 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6960 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6961 BPF_LD_MAP_FD(BPF_REG_1, 0),
6962 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6963 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6964 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6965 BPF_MOV64_IMM(BPF_REG_3,
6966 sizeof(struct other_val) - 4),
6967 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6968 BPF_LD_MAP_FD(BPF_REG_1, 0),
6969 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6972 .fixup_map_hash_16b = { 3, 10 },
6974 .errstr = "invalid access to map value, value_size=16 off=12 size=8",
6975 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6978 "map helper access to adjusted map (via const reg): out-of-bound 2",
6980 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6981 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6982 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6983 BPF_LD_MAP_FD(BPF_REG_1, 0),
6984 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6985 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6986 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6987 BPF_MOV64_IMM(BPF_REG_3, -4),
6988 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6989 BPF_LD_MAP_FD(BPF_REG_1, 0),
6990 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6993 .fixup_map_hash_16b = { 3, 10 },
6995 .errstr = "invalid access to map value, value_size=16 off=-4 size=8",
6996 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6999 "map helper access to adjusted map (via variable)",
7001 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7002 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7003 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7004 BPF_LD_MAP_FD(BPF_REG_1, 0),
7005 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7006 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7007 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7008 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
7009 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
7010 offsetof(struct other_val, bar), 4),
7011 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
7012 BPF_LD_MAP_FD(BPF_REG_1, 0),
7013 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7016 .fixup_map_hash_16b = { 3, 11 },
7018 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7021 "map helper access to adjusted map (via variable): no max check",
7023 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7024 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7025 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7026 BPF_LD_MAP_FD(BPF_REG_1, 0),
7027 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7028 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7029 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7030 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
7031 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
7032 BPF_LD_MAP_FD(BPF_REG_1, 0),
7033 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7036 .fixup_map_hash_16b = { 3, 10 },
7038 .errstr = "R2 unbounded memory access, make sure to bounds check any array access into a map",
7039 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7042 "map helper access to adjusted map (via variable): wrong max check",
7044 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7045 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7046 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7047 BPF_LD_MAP_FD(BPF_REG_1, 0),
7048 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7049 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7050 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7051 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
7052 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
7053 offsetof(struct other_val, bar) + 1, 4),
7054 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
7055 BPF_LD_MAP_FD(BPF_REG_1, 0),
7056 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7059 .fixup_map_hash_16b = { 3, 11 },
7061 .errstr = "invalid access to map value, value_size=16 off=9 size=8",
7062 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7065 "map element value is preserved across register spilling",
7067 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7068 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7069 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7070 BPF_LD_MAP_FD(BPF_REG_1, 0),
7071 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7072 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7073 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
7074 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7075 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
7076 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
7077 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
7078 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
7081 .fixup_map_hash_48b = { 3 },
7082 .errstr_unpriv = "R0 leaks addr",
7084 .result_unpriv = REJECT,
7087 "map element value or null is marked on register spilling",
7089 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7090 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7091 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7092 BPF_LD_MAP_FD(BPF_REG_1, 0),
7093 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7094 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7095 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
7096 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
7097 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7098 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
7099 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
7102 .fixup_map_hash_48b = { 3 },
7103 .errstr_unpriv = "R0 leaks addr",
7105 .result_unpriv = REJECT,
7108 "map element value store of cleared call register",
7110 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7111 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7112 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7113 BPF_LD_MAP_FD(BPF_REG_1, 0),
7114 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7115 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
7116 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
7119 .fixup_map_hash_48b = { 3 },
7120 .errstr_unpriv = "R1 !read_ok",
7121 .errstr = "R1 !read_ok",
7123 .result_unpriv = REJECT,
7126 "map element value with unaligned store",
7128 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7129 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7130 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7131 BPF_LD_MAP_FD(BPF_REG_1, 0),
7132 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7133 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
7134 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
7135 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
7136 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
7137 BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
7138 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
7139 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
7140 BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
7141 BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
7142 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
7143 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
7144 BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
7145 BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
7146 BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
7147 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
7148 BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
7149 BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
7150 BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
7153 .fixup_map_hash_48b = { 3 },
7154 .errstr_unpriv = "R0 leaks addr",
7156 .result_unpriv = REJECT,
7157 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7160 "map element value with unaligned load",
7162 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7163 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7164 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7165 BPF_LD_MAP_FD(BPF_REG_1, 0),
7166 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7167 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
7168 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
7169 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
7170 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
7171 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
7172 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
7173 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
7174 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
7175 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
7176 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
7177 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
7178 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
7181 .fixup_map_hash_48b = { 3 },
7182 .errstr_unpriv = "R0 leaks addr",
7184 .result_unpriv = REJECT,
7185 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7188 "map element value illegal alu op, 1",
7190 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7191 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7192 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7193 BPF_LD_MAP_FD(BPF_REG_1, 0),
7194 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7195 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7196 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
7197 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
7200 .fixup_map_hash_48b = { 3 },
7201 .errstr = "R0 bitwise operator &= on pointer",
7205 "map element value illegal alu op, 2",
7207 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7208 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7209 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7210 BPF_LD_MAP_FD(BPF_REG_1, 0),
7211 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7212 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7213 BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
7214 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
7217 .fixup_map_hash_48b = { 3 },
7218 .errstr = "R0 32-bit pointer arithmetic prohibited",
7222 "map element value illegal alu op, 3",
7224 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7225 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7226 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7227 BPF_LD_MAP_FD(BPF_REG_1, 0),
7228 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7229 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7230 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
7231 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
7234 .fixup_map_hash_48b = { 3 },
7235 .errstr = "R0 pointer arithmetic with /= operator",
7239 "map element value illegal alu op, 4",
7241 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7242 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7243 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7244 BPF_LD_MAP_FD(BPF_REG_1, 0),
7245 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7246 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7247 BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),
7248 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
7251 .fixup_map_hash_48b = { 3 },
7252 .errstr_unpriv = "R0 pointer arithmetic prohibited",
7253 .errstr = "invalid mem access 'inv'",
7255 .result_unpriv = REJECT,
7256 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7259 "map element value illegal alu op, 5",
7261 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7262 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7263 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7264 BPF_LD_MAP_FD(BPF_REG_1, 0),
7265 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7266 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7267 BPF_MOV64_IMM(BPF_REG_3, 4096),
7268 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7269 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7270 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
7271 BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
7272 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
7273 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
7276 .fixup_map_hash_48b = { 3 },
7277 .errstr = "R0 invalid mem access 'inv'",
7279 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7282 "map element value is preserved across register spilling",
7284 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7285 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7286 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7287 BPF_LD_MAP_FD(BPF_REG_1, 0),
7288 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7289 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7290 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0,
7291 offsetof(struct test_val, foo)),
7292 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
7293 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7294 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
7295 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
7296 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
7297 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
7300 .fixup_map_hash_48b = { 3 },
7301 .errstr_unpriv = "R0 leaks addr",
7303 .result_unpriv = REJECT,
7304 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7307 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
7309 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7310 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7311 BPF_MOV64_IMM(BPF_REG_0, 0),
7312 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7313 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7314 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7315 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7316 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
7317 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7318 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7319 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7320 BPF_MOV64_IMM(BPF_REG_2, 16),
7321 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7322 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7323 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
7324 BPF_MOV64_IMM(BPF_REG_4, 0),
7325 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
7326 BPF_MOV64_IMM(BPF_REG_3, 0),
7327 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7328 BPF_MOV64_IMM(BPF_REG_0, 0),
7332 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7335 "helper access to variable memory: stack, bitwise AND, zero included",
7337 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7338 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7339 BPF_MOV64_IMM(BPF_REG_2, 16),
7340 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7341 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7342 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
7343 BPF_MOV64_IMM(BPF_REG_3, 0),
7344 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7347 .errstr = "invalid indirect read from stack off -64+0 size 64",
7349 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7352 "helper access to variable memory: stack, bitwise AND + JMP, wrong max",
7354 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7355 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7356 BPF_MOV64_IMM(BPF_REG_2, 16),
7357 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7358 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7359 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
7360 BPF_MOV64_IMM(BPF_REG_4, 0),
7361 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
7362 BPF_MOV64_IMM(BPF_REG_3, 0),
7363 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7364 BPF_MOV64_IMM(BPF_REG_0, 0),
7367 .errstr = "invalid stack type R1 off=-64 access_size=65",
7369 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7372 "helper access to variable memory: stack, JMP, correct bounds",
7374 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7375 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7376 BPF_MOV64_IMM(BPF_REG_0, 0),
7377 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7378 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7379 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7380 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7381 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
7382 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7383 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7384 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7385 BPF_MOV64_IMM(BPF_REG_2, 16),
7386 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7387 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7388 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
7389 BPF_MOV64_IMM(BPF_REG_4, 0),
7390 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
7391 BPF_MOV64_IMM(BPF_REG_3, 0),
7392 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7393 BPF_MOV64_IMM(BPF_REG_0, 0),
7397 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7400 "helper access to variable memory: stack, JMP (signed), correct bounds",
7402 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7403 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7404 BPF_MOV64_IMM(BPF_REG_0, 0),
7405 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7406 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7407 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7408 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7409 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
7410 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7411 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7412 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7413 BPF_MOV64_IMM(BPF_REG_2, 16),
7414 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7415 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7416 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
7417 BPF_MOV64_IMM(BPF_REG_4, 0),
7418 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
7419 BPF_MOV64_IMM(BPF_REG_3, 0),
7420 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7421 BPF_MOV64_IMM(BPF_REG_0, 0),
7425 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7428 "helper access to variable memory: stack, JMP, bounds + offset",
7430 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7431 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7432 BPF_MOV64_IMM(BPF_REG_2, 16),
7433 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7434 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7435 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
7436 BPF_MOV64_IMM(BPF_REG_4, 0),
7437 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
7438 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
7439 BPF_MOV64_IMM(BPF_REG_3, 0),
7440 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7441 BPF_MOV64_IMM(BPF_REG_0, 0),
7444 .errstr = "invalid stack type R1 off=-64 access_size=65",
7446 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7449 "helper access to variable memory: stack, JMP, wrong max",
7451 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7452 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7453 BPF_MOV64_IMM(BPF_REG_2, 16),
7454 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7455 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7456 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
7457 BPF_MOV64_IMM(BPF_REG_4, 0),
7458 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
7459 BPF_MOV64_IMM(BPF_REG_3, 0),
7460 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7461 BPF_MOV64_IMM(BPF_REG_0, 0),
7464 .errstr = "invalid stack type R1 off=-64 access_size=65",
7466 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7469 "helper access to variable memory: stack, JMP, no max check",
7471 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7472 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7473 BPF_MOV64_IMM(BPF_REG_2, 16),
7474 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7475 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7476 BPF_MOV64_IMM(BPF_REG_4, 0),
7477 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
7478 BPF_MOV64_IMM(BPF_REG_3, 0),
7479 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7480 BPF_MOV64_IMM(BPF_REG_0, 0),
7483 /* because max wasn't checked, signed min is negative */
7484 .errstr = "R2 min value is negative, either use unsigned or 'var &= const'",
7486 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7489 "helper access to variable memory: stack, JMP, no min check",
7491 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7492 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7493 BPF_MOV64_IMM(BPF_REG_2, 16),
7494 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7495 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7496 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
7497 BPF_MOV64_IMM(BPF_REG_3, 0),
7498 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7499 BPF_MOV64_IMM(BPF_REG_0, 0),
7502 .errstr = "invalid indirect read from stack off -64+0 size 64",
7504 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7507 "helper access to variable memory: stack, JMP (signed), no min check",
7509 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7510 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7511 BPF_MOV64_IMM(BPF_REG_2, 16),
7512 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7513 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7514 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
7515 BPF_MOV64_IMM(BPF_REG_3, 0),
7516 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7517 BPF_MOV64_IMM(BPF_REG_0, 0),
7520 .errstr = "R2 min value is negative",
7522 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7525 "helper access to variable memory: map, JMP, correct bounds",
7527 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7528 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7529 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7530 BPF_LD_MAP_FD(BPF_REG_1, 0),
7531 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7532 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
7533 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7534 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
7535 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7536 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7537 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
7538 sizeof(struct test_val), 4),
7539 BPF_MOV64_IMM(BPF_REG_4, 0),
7540 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
7541 BPF_MOV64_IMM(BPF_REG_3, 0),
7542 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7543 BPF_MOV64_IMM(BPF_REG_0, 0),
7546 .fixup_map_hash_48b = { 3 },
7548 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7551 "helper access to variable memory: map, JMP, wrong max",
7553 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7554 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7555 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7556 BPF_LD_MAP_FD(BPF_REG_1, 0),
7557 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7558 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
7559 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7560 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
7561 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7562 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7563 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
7564 sizeof(struct test_val) + 1, 4),
7565 BPF_MOV64_IMM(BPF_REG_4, 0),
7566 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
7567 BPF_MOV64_IMM(BPF_REG_3, 0),
7568 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7569 BPF_MOV64_IMM(BPF_REG_0, 0),
7572 .fixup_map_hash_48b = { 3 },
7573 .errstr = "invalid access to map value, value_size=48 off=0 size=49",
7575 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7578 "helper access to variable memory: map adjusted, JMP, correct bounds",
7580 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7581 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7582 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7583 BPF_LD_MAP_FD(BPF_REG_1, 0),
7584 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7585 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
7586 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7587 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
7588 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
7589 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7590 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7591 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
7592 sizeof(struct test_val) - 20, 4),
7593 BPF_MOV64_IMM(BPF_REG_4, 0),
7594 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
7595 BPF_MOV64_IMM(BPF_REG_3, 0),
7596 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7597 BPF_MOV64_IMM(BPF_REG_0, 0),
7600 .fixup_map_hash_48b = { 3 },
7602 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7605 "helper access to variable memory: map adjusted, JMP, wrong max",
7607 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7608 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7609 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7610 BPF_LD_MAP_FD(BPF_REG_1, 0),
7611 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7612 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
7613 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7614 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
7615 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
7616 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7617 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7618 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
7619 sizeof(struct test_val) - 19, 4),
7620 BPF_MOV64_IMM(BPF_REG_4, 0),
7621 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
7622 BPF_MOV64_IMM(BPF_REG_3, 0),
7623 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7624 BPF_MOV64_IMM(BPF_REG_0, 0),
7627 .fixup_map_hash_48b = { 3 },
7628 .errstr = "R1 min value is outside of the array range",
7630 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7633 "helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
7635 BPF_MOV64_IMM(BPF_REG_1, 0),
7636 BPF_MOV64_IMM(BPF_REG_2, 0),
7637 BPF_MOV64_IMM(BPF_REG_3, 0),
7638 BPF_MOV64_IMM(BPF_REG_4, 0),
7639 BPF_MOV64_IMM(BPF_REG_5, 0),
7640 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7644 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7647 "helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
7649 BPF_MOV64_IMM(BPF_REG_1, 0),
7650 BPF_MOV64_IMM(BPF_REG_2, 1),
7651 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7652 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7653 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
7654 BPF_MOV64_IMM(BPF_REG_3, 0),
7655 BPF_MOV64_IMM(BPF_REG_4, 0),
7656 BPF_MOV64_IMM(BPF_REG_5, 0),
7657 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7660 .errstr = "R1 type=inv expected=fp",
7662 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7665 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
7667 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7668 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
7669 BPF_MOV64_IMM(BPF_REG_2, 0),
7670 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
7671 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
7672 BPF_MOV64_IMM(BPF_REG_3, 0),
7673 BPF_MOV64_IMM(BPF_REG_4, 0),
7674 BPF_MOV64_IMM(BPF_REG_5, 0),
7675 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7679 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7682 "helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
7684 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7685 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7686 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7687 BPF_LD_MAP_FD(BPF_REG_1, 0),
7688 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7689 BPF_FUNC_map_lookup_elem),
7690 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7691 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7692 BPF_MOV64_IMM(BPF_REG_2, 0),
7693 BPF_MOV64_IMM(BPF_REG_3, 0),
7694 BPF_MOV64_IMM(BPF_REG_4, 0),
7695 BPF_MOV64_IMM(BPF_REG_5, 0),
7696 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7699 .fixup_map_hash_8b = { 3 },
7701 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7704 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
7706 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7707 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7708 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7709 BPF_LD_MAP_FD(BPF_REG_1, 0),
7710 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7711 BPF_FUNC_map_lookup_elem),
7712 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7713 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
7714 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7),
7715 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7716 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
7717 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
7718 BPF_MOV64_IMM(BPF_REG_3, 0),
7719 BPF_MOV64_IMM(BPF_REG_4, 0),
7720 BPF_MOV64_IMM(BPF_REG_5, 0),
7721 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7724 .fixup_map_hash_8b = { 3 },
7726 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7729 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
7731 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7732 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7733 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7734 BPF_LD_MAP_FD(BPF_REG_1, 0),
7735 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7736 BPF_FUNC_map_lookup_elem),
7737 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7738 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7739 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
7740 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
7741 BPF_MOV64_IMM(BPF_REG_3, 0),
7742 BPF_MOV64_IMM(BPF_REG_4, 0),
7743 BPF_MOV64_IMM(BPF_REG_5, 0),
7744 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7747 .fixup_map_hash_8b = { 3 },
7749 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7752 "helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)",
7754 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
7755 offsetof(struct __sk_buff, data)),
7756 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7757 offsetof(struct __sk_buff, data_end)),
7758 BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),
7759 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
7760 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
7761 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
7762 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0),
7763 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
7764 BPF_MOV64_IMM(BPF_REG_3, 0),
7765 BPF_MOV64_IMM(BPF_REG_4, 0),
7766 BPF_MOV64_IMM(BPF_REG_5, 0),
7767 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7771 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7772 .retval = 0 /* csum_diff of 64-byte packet */,
7773 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7776 "helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
7778 BPF_MOV64_IMM(BPF_REG_1, 0),
7779 BPF_MOV64_IMM(BPF_REG_2, 0),
7780 BPF_MOV64_IMM(BPF_REG_3, 0),
7781 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7784 .errstr = "R1 type=inv expected=fp",
7786 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7789 "helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
7791 BPF_MOV64_IMM(BPF_REG_1, 0),
7792 BPF_MOV64_IMM(BPF_REG_2, 1),
7793 BPF_MOV64_IMM(BPF_REG_3, 0),
7794 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7797 .errstr = "R1 type=inv expected=fp",
7799 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7802 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
7804 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7805 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
7806 BPF_MOV64_IMM(BPF_REG_2, 0),
7807 BPF_MOV64_IMM(BPF_REG_3, 0),
7808 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7812 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7815 "helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
7817 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7818 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7819 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7820 BPF_LD_MAP_FD(BPF_REG_1, 0),
7821 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7822 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7823 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7824 BPF_MOV64_IMM(BPF_REG_2, 0),
7825 BPF_MOV64_IMM(BPF_REG_3, 0),
7826 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7829 .fixup_map_hash_8b = { 3 },
7831 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7834 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
7836 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7837 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7838 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7839 BPF_LD_MAP_FD(BPF_REG_1, 0),
7840 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7841 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7842 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
7843 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
7844 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7845 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
7846 BPF_MOV64_IMM(BPF_REG_3, 0),
7847 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7850 .fixup_map_hash_8b = { 3 },
7852 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7855 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
7857 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7858 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7859 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7860 BPF_LD_MAP_FD(BPF_REG_1, 0),
7861 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7862 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7863 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7864 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
7865 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2),
7866 BPF_MOV64_IMM(BPF_REG_3, 0),
7867 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7870 .fixup_map_hash_8b = { 3 },
7872 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7875 "helper access to variable memory: 8 bytes leak",
7877 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7878 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7879 BPF_MOV64_IMM(BPF_REG_0, 0),
7880 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7881 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7882 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7883 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7884 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7885 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7886 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7887 BPF_MOV64_IMM(BPF_REG_2, 1),
7888 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7889 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7890 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
7891 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
7892 BPF_MOV64_IMM(BPF_REG_3, 0),
7893 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7894 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7897 .errstr = "invalid indirect read from stack off -64+32 size 64",
7899 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7902 "helper access to variable memory: 8 bytes no leak (init memory)",
7904 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7905 BPF_MOV64_IMM(BPF_REG_0, 0),
7906 BPF_MOV64_IMM(BPF_REG_0, 0),
7907 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7908 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7909 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7910 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7911 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
7912 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7913 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7914 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7915 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7916 BPF_MOV64_IMM(BPF_REG_2, 0),
7917 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
7918 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
7919 BPF_MOV64_IMM(BPF_REG_3, 0),
7920 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7921 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7925 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7928 "invalid and of negative number",
7930 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7931 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7932 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7933 BPF_LD_MAP_FD(BPF_REG_1, 0),
7934 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7935 BPF_FUNC_map_lookup_elem),
7936 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7937 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7938 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4),
7939 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
7940 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7941 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
7942 offsetof(struct test_val, foo)),
7945 .fixup_map_hash_48b = { 3 },
7946 .errstr = "R0 max value is outside of the array range",
7948 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7951 "invalid range check",
7953 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7954 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7955 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7956 BPF_LD_MAP_FD(BPF_REG_1, 0),
7957 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7958 BPF_FUNC_map_lookup_elem),
7959 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12),
7960 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
7961 BPF_MOV64_IMM(BPF_REG_9, 1),
7962 BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2),
7963 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
7964 BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1),
7965 BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1),
7966 BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1),
7967 BPF_MOV32_IMM(BPF_REG_3, 1),
7968 BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9),
7969 BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000),
7970 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
7971 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),
7972 BPF_MOV64_REG(BPF_REG_0, 0),
7975 .fixup_map_hash_48b = { 3 },
7976 .errstr = "R0 max value is outside of the array range",
7978 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7981 "map in map access",
7983 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7984 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7985 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7986 BPF_LD_MAP_FD(BPF_REG_1, 0),
7987 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7988 BPF_FUNC_map_lookup_elem),
7989 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7990 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7991 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7992 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7993 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7994 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7995 BPF_FUNC_map_lookup_elem),
7996 BPF_MOV64_IMM(BPF_REG_0, 0),
7999 .fixup_map_in_map = { 3 },
8003 "invalid inner map pointer",
8005 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
8006 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8007 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
8008 BPF_LD_MAP_FD(BPF_REG_1, 0),
8009 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8010 BPF_FUNC_map_lookup_elem),
8011 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8012 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
8013 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8014 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
8015 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
8016 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8017 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8018 BPF_FUNC_map_lookup_elem),
8019 BPF_MOV64_IMM(BPF_REG_0, 0),
8022 .fixup_map_in_map = { 3 },
8023 .errstr = "R1 pointer arithmetic on map_ptr prohibited",
8027 "forgot null checking on the inner map pointer",
8029 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
8030 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8031 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
8032 BPF_LD_MAP_FD(BPF_REG_1, 0),
8033 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8034 BPF_FUNC_map_lookup_elem),
8035 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
8036 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8037 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
8038 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
8039 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8040 BPF_FUNC_map_lookup_elem),
8041 BPF_MOV64_IMM(BPF_REG_0, 0),
8044 .fixup_map_in_map = { 3 },
8045 .errstr = "R1 type=map_value_or_null expected=map_ptr",
8049 "ld_abs: check calling conv, r1",
8051 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8052 BPF_MOV64_IMM(BPF_REG_1, 0),
8053 BPF_LD_ABS(BPF_W, -0x200000),
8054 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
8057 .errstr = "R1 !read_ok",
8061 "ld_abs: check calling conv, r2",
8063 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8064 BPF_MOV64_IMM(BPF_REG_2, 0),
8065 BPF_LD_ABS(BPF_W, -0x200000),
8066 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8069 .errstr = "R2 !read_ok",
8073 "ld_abs: check calling conv, r3",
8075 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8076 BPF_MOV64_IMM(BPF_REG_3, 0),
8077 BPF_LD_ABS(BPF_W, -0x200000),
8078 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8081 .errstr = "R3 !read_ok",
8085 "ld_abs: check calling conv, r4",
8087 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8088 BPF_MOV64_IMM(BPF_REG_4, 0),
8089 BPF_LD_ABS(BPF_W, -0x200000),
8090 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
8093 .errstr = "R4 !read_ok",
8097 "ld_abs: check calling conv, r5",
8099 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8100 BPF_MOV64_IMM(BPF_REG_5, 0),
8101 BPF_LD_ABS(BPF_W, -0x200000),
8102 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
8105 .errstr = "R5 !read_ok",
8109 "ld_abs: check calling conv, r7",
8111 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8112 BPF_MOV64_IMM(BPF_REG_7, 0),
8113 BPF_LD_ABS(BPF_W, -0x200000),
8114 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
8120 "ld_abs: tests on r6 and skb data reload helper",
8122 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8123 BPF_LD_ABS(BPF_B, 0),
8124 BPF_LD_ABS(BPF_H, 0),
8125 BPF_LD_ABS(BPF_W, 0),
8126 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
8127 BPF_MOV64_IMM(BPF_REG_6, 0),
8128 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
8129 BPF_MOV64_IMM(BPF_REG_2, 1),
8130 BPF_MOV64_IMM(BPF_REG_3, 2),
8131 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8132 BPF_FUNC_skb_vlan_push),
8133 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
8134 BPF_LD_ABS(BPF_B, 0),
8135 BPF_LD_ABS(BPF_H, 0),
8136 BPF_LD_ABS(BPF_W, 0),
8137 BPF_MOV64_IMM(BPF_REG_0, 42),
8140 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8142 .retval = 42 /* ultimate return value */,
8145 "ld_ind: check calling conv, r1",
8147 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8148 BPF_MOV64_IMM(BPF_REG_1, 1),
8149 BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000),
8150 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
8153 .errstr = "R1 !read_ok",
8157 "ld_ind: check calling conv, r2",
8159 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8160 BPF_MOV64_IMM(BPF_REG_2, 1),
8161 BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000),
8162 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8165 .errstr = "R2 !read_ok",
8169 "ld_ind: check calling conv, r3",
8171 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8172 BPF_MOV64_IMM(BPF_REG_3, 1),
8173 BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000),
8174 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8177 .errstr = "R3 !read_ok",
8181 "ld_ind: check calling conv, r4",
8183 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8184 BPF_MOV64_IMM(BPF_REG_4, 1),
8185 BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000),
8186 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
8189 .errstr = "R4 !read_ok",
8193 "ld_ind: check calling conv, r5",
8195 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8196 BPF_MOV64_IMM(BPF_REG_5, 1),
8197 BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000),
8198 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
8201 .errstr = "R5 !read_ok",
8205 "ld_ind: check calling conv, r7",
8207 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8208 BPF_MOV64_IMM(BPF_REG_7, 1),
8209 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
8210 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
8217 "check bpf_perf_event_data->sample_period byte load permitted",
8219 BPF_MOV64_IMM(BPF_REG_0, 0),
8220 #if __BYTE_ORDER == __LITTLE_ENDIAN
8221 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
8222 offsetof(struct bpf_perf_event_data, sample_period)),
8224 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
8225 offsetof(struct bpf_perf_event_data, sample_period) + 7),
8230 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
8233 "check bpf_perf_event_data->sample_period half load permitted",
8235 BPF_MOV64_IMM(BPF_REG_0, 0),
8236 #if __BYTE_ORDER == __LITTLE_ENDIAN
8237 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
8238 offsetof(struct bpf_perf_event_data, sample_period)),
8240 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
8241 offsetof(struct bpf_perf_event_data, sample_period) + 6),
8246 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
8249 "check bpf_perf_event_data->sample_period word load permitted",
8251 BPF_MOV64_IMM(BPF_REG_0, 0),
8252 #if __BYTE_ORDER == __LITTLE_ENDIAN
8253 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8254 offsetof(struct bpf_perf_event_data, sample_period)),
8256 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8257 offsetof(struct bpf_perf_event_data, sample_period) + 4),
8262 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
8265 "check bpf_perf_event_data->sample_period dword load permitted",
8267 BPF_MOV64_IMM(BPF_REG_0, 0),
8268 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
8269 offsetof(struct bpf_perf_event_data, sample_period)),
8273 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
8276 "check skb->data half load not permitted",
8278 BPF_MOV64_IMM(BPF_REG_0, 0),
8279 #if __BYTE_ORDER == __LITTLE_ENDIAN
8280 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
8281 offsetof(struct __sk_buff, data)),
8283 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
8284 offsetof(struct __sk_buff, data) + 2),
8289 .errstr = "invalid bpf_context access",
8292 "check skb->tc_classid half load not permitted for lwt prog",
8294 BPF_MOV64_IMM(BPF_REG_0, 0),
8295 #if __BYTE_ORDER == __LITTLE_ENDIAN
8296 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
8297 offsetof(struct __sk_buff, tc_classid)),
8299 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
8300 offsetof(struct __sk_buff, tc_classid) + 2),
8305 .errstr = "invalid bpf_context access",
8306 .prog_type = BPF_PROG_TYPE_LWT_IN,
8309 "bounds checks mixing signed and unsigned, positive bounds",
8311 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8312 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8313 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8314 BPF_LD_MAP_FD(BPF_REG_1, 0),
8315 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8316 BPF_FUNC_map_lookup_elem),
8317 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
8318 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8319 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8320 BPF_MOV64_IMM(BPF_REG_2, 2),
8321 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3),
8322 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 4, 2),
8323 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8324 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8325 BPF_MOV64_IMM(BPF_REG_0, 0),
8328 .fixup_map_hash_8b = { 3 },
8329 .errstr = "unbounded min value",
8333 "bounds checks mixing signed and unsigned",
8335 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8336 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8337 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8338 BPF_LD_MAP_FD(BPF_REG_1, 0),
8339 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8340 BPF_FUNC_map_lookup_elem),
8341 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
8342 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8343 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8344 BPF_MOV64_IMM(BPF_REG_2, -1),
8345 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
8346 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8347 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8348 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8349 BPF_MOV64_IMM(BPF_REG_0, 0),
8352 .fixup_map_hash_8b = { 3 },
8353 .errstr = "unbounded min value",
8357 "bounds checks mixing signed and unsigned, variant 2",
8359 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8360 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8361 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8362 BPF_LD_MAP_FD(BPF_REG_1, 0),
8363 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8364 BPF_FUNC_map_lookup_elem),
8365 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8366 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8367 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8368 BPF_MOV64_IMM(BPF_REG_2, -1),
8369 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
8370 BPF_MOV64_IMM(BPF_REG_8, 0),
8371 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_1),
8372 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
8373 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
8374 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
8375 BPF_MOV64_IMM(BPF_REG_0, 0),
8378 .fixup_map_hash_8b = { 3 },
8379 .errstr = "unbounded min value",
8383 "bounds checks mixing signed and unsigned, variant 3",
8385 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8386 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8387 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8388 BPF_LD_MAP_FD(BPF_REG_1, 0),
8389 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8390 BPF_FUNC_map_lookup_elem),
8391 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
8392 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8393 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8394 BPF_MOV64_IMM(BPF_REG_2, -1),
8395 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4),
8396 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
8397 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
8398 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
8399 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
8400 BPF_MOV64_IMM(BPF_REG_0, 0),
8403 .fixup_map_hash_8b = { 3 },
8404 .errstr = "unbounded min value",
8408 "bounds checks mixing signed and unsigned, variant 4",
8410 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8411 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8412 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8413 BPF_LD_MAP_FD(BPF_REG_1, 0),
8414 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8415 BPF_FUNC_map_lookup_elem),
8416 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
8417 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8418 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8419 BPF_MOV64_IMM(BPF_REG_2, 1),
8420 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
8421 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8422 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8423 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8424 BPF_MOV64_IMM(BPF_REG_0, 0),
8427 .fixup_map_hash_8b = { 3 },
8431 "bounds checks mixing signed and unsigned, variant 5",
8433 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8434 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8435 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8436 BPF_LD_MAP_FD(BPF_REG_1, 0),
8437 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8438 BPF_FUNC_map_lookup_elem),
8439 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8440 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8441 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8442 BPF_MOV64_IMM(BPF_REG_2, -1),
8443 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
8444 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 4),
8445 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4),
8446 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
8447 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8448 BPF_MOV64_IMM(BPF_REG_0, 0),
8451 .fixup_map_hash_8b = { 3 },
8452 .errstr = "unbounded min value",
8456 "bounds checks mixing signed and unsigned, variant 6",
8458 BPF_MOV64_IMM(BPF_REG_2, 0),
8459 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
8460 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512),
8461 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8462 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16),
8463 BPF_MOV64_IMM(BPF_REG_6, -1),
8464 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5),
8465 BPF_JMP_IMM(BPF_JSGT, BPF_REG_4, 1, 4),
8466 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
8467 BPF_MOV64_IMM(BPF_REG_5, 0),
8468 BPF_ST_MEM(BPF_H, BPF_REG_10, -512, 0),
8469 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8470 BPF_FUNC_skb_load_bytes),
8471 BPF_MOV64_IMM(BPF_REG_0, 0),
8474 .errstr = "R4 min value is negative, either use unsigned",
8478 "bounds checks mixing signed and unsigned, variant 7",
8480 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8481 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8482 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8483 BPF_LD_MAP_FD(BPF_REG_1, 0),
8484 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8485 BPF_FUNC_map_lookup_elem),
8486 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
8487 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8488 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8489 BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024),
8490 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
8491 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8492 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8493 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8494 BPF_MOV64_IMM(BPF_REG_0, 0),
8497 .fixup_map_hash_8b = { 3 },
8501 "bounds checks mixing signed and unsigned, variant 8",
8503 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8504 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8505 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8506 BPF_LD_MAP_FD(BPF_REG_1, 0),
8507 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8508 BPF_FUNC_map_lookup_elem),
8509 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8510 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8511 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8512 BPF_MOV64_IMM(BPF_REG_2, -1),
8513 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
8514 BPF_MOV64_IMM(BPF_REG_0, 0),
8516 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8517 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8518 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8519 BPF_MOV64_IMM(BPF_REG_0, 0),
8522 .fixup_map_hash_8b = { 3 },
8523 .errstr = "unbounded min value",
8527 "bounds checks mixing signed and unsigned, variant 9",
8529 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8530 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8531 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8532 BPF_LD_MAP_FD(BPF_REG_1, 0),
8533 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8534 BPF_FUNC_map_lookup_elem),
8535 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
8536 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8537 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8538 BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL),
8539 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
8540 BPF_MOV64_IMM(BPF_REG_0, 0),
8542 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8543 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8544 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8545 BPF_MOV64_IMM(BPF_REG_0, 0),
8548 .fixup_map_hash_8b = { 3 },
8552 "bounds checks mixing signed and unsigned, variant 10",
8554 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8555 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8556 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8557 BPF_LD_MAP_FD(BPF_REG_1, 0),
8558 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8559 BPF_FUNC_map_lookup_elem),
8560 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8561 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8562 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8563 BPF_MOV64_IMM(BPF_REG_2, 0),
8564 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
8565 BPF_MOV64_IMM(BPF_REG_0, 0),
8567 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8568 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8569 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8570 BPF_MOV64_IMM(BPF_REG_0, 0),
8573 .fixup_map_hash_8b = { 3 },
8574 .errstr = "unbounded min value",
8578 "bounds checks mixing signed and unsigned, variant 11",
8580 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8581 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8582 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8583 BPF_LD_MAP_FD(BPF_REG_1, 0),
8584 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8585 BPF_FUNC_map_lookup_elem),
8586 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8587 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8588 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8589 BPF_MOV64_IMM(BPF_REG_2, -1),
8590 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
8592 BPF_MOV64_IMM(BPF_REG_0, 0),
8594 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8595 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8596 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8597 BPF_MOV64_IMM(BPF_REG_0, 0),
8600 .fixup_map_hash_8b = { 3 },
8601 .errstr = "unbounded min value",
8605 "bounds checks mixing signed and unsigned, variant 12",
8607 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8608 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8609 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8610 BPF_LD_MAP_FD(BPF_REG_1, 0),
8611 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8612 BPF_FUNC_map_lookup_elem),
8613 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8614 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8615 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8616 BPF_MOV64_IMM(BPF_REG_2, -6),
8617 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
8618 BPF_MOV64_IMM(BPF_REG_0, 0),
8620 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8621 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8622 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8623 BPF_MOV64_IMM(BPF_REG_0, 0),
8626 .fixup_map_hash_8b = { 3 },
8627 .errstr = "unbounded min value",
8631 "bounds checks mixing signed and unsigned, variant 13",
8633 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8634 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8635 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8636 BPF_LD_MAP_FD(BPF_REG_1, 0),
8637 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8638 BPF_FUNC_map_lookup_elem),
8639 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8640 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8641 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8642 BPF_MOV64_IMM(BPF_REG_2, 2),
8643 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
8644 BPF_MOV64_IMM(BPF_REG_7, 1),
8645 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 0, 2),
8646 BPF_MOV64_IMM(BPF_REG_0, 0),
8648 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_1),
8649 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 4, 2),
8650 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_7),
8651 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8652 BPF_MOV64_IMM(BPF_REG_0, 0),
8655 .fixup_map_hash_8b = { 3 },
8656 .errstr = "unbounded min value",
8660 "bounds checks mixing signed and unsigned, variant 14",
8662 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
8663 offsetof(struct __sk_buff, mark)),
8664 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8665 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8666 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8667 BPF_LD_MAP_FD(BPF_REG_1, 0),
8668 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8669 BPF_FUNC_map_lookup_elem),
8670 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
8671 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8672 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8673 BPF_MOV64_IMM(BPF_REG_2, -1),
8674 BPF_MOV64_IMM(BPF_REG_8, 2),
8675 BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 42, 6),
8676 BPF_JMP_REG(BPF_JSGT, BPF_REG_8, BPF_REG_1, 3),
8677 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8678 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8679 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8680 BPF_MOV64_IMM(BPF_REG_0, 0),
8682 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3),
8683 BPF_JMP_IMM(BPF_JA, 0, 0, -7),
8685 .fixup_map_hash_8b = { 4 },
8686 .errstr = "unbounded min value",
8690 "bounds checks mixing signed and unsigned, variant 15",
8692 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8693 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8694 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8695 BPF_LD_MAP_FD(BPF_REG_1, 0),
8696 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8697 BPF_FUNC_map_lookup_elem),
8698 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8699 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8700 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8701 BPF_MOV64_IMM(BPF_REG_2, -6),
8702 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
8703 BPF_MOV64_IMM(BPF_REG_0, 0),
8705 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8706 BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 1, 2),
8707 BPF_MOV64_IMM(BPF_REG_0, 0),
8709 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8710 BPF_MOV64_IMM(BPF_REG_0, 0),
8713 .fixup_map_hash_8b = { 3 },
8714 .errstr = "unbounded min value",
8716 .result_unpriv = REJECT,
8719 "subtraction bounds (map value) variant 1",
8721 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8722 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8723 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8724 BPF_LD_MAP_FD(BPF_REG_1, 0),
8725 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8726 BPF_FUNC_map_lookup_elem),
8727 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8728 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8729 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7),
8730 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
8731 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5),
8732 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
8733 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56),
8734 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8735 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8737 BPF_MOV64_IMM(BPF_REG_0, 0),
8740 .fixup_map_hash_8b = { 3 },
8741 .errstr = "R0 max value is outside of the array range",
8745 "subtraction bounds (map value) variant 2",
8747 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8748 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8749 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8750 BPF_LD_MAP_FD(BPF_REG_1, 0),
8751 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8752 BPF_FUNC_map_lookup_elem),
8753 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
8754 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8755 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6),
8756 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
8757 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4),
8758 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
8759 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8760 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8762 BPF_MOV64_IMM(BPF_REG_0, 0),
8765 .fixup_map_hash_8b = { 3 },
8766 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
8770 "bounds check based on zero-extended MOV",
8772 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8773 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8774 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8775 BPF_LD_MAP_FD(BPF_REG_1, 0),
8776 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8777 BPF_FUNC_map_lookup_elem),
8778 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8779 /* r2 = 0x0000'0000'ffff'ffff */
8780 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff),
8782 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
8784 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
8785 /* access at offset 0 */
8786 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8788 BPF_MOV64_IMM(BPF_REG_0, 0),
8791 .fixup_map_hash_8b = { 3 },
8795 "bounds check based on sign-extended MOV. test1",
8797 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8798 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8799 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8800 BPF_LD_MAP_FD(BPF_REG_1, 0),
8801 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8802 BPF_FUNC_map_lookup_elem),
8803 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8804 /* r2 = 0xffff'ffff'ffff'ffff */
8805 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
8806 /* r2 = 0xffff'ffff */
8807 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
8808 /* r0 = <oob pointer> */
8809 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
8810 /* access to OOB pointer */
8811 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8813 BPF_MOV64_IMM(BPF_REG_0, 0),
8816 .fixup_map_hash_8b = { 3 },
8817 .errstr = "map_value pointer and 4294967295",
8821 "bounds check based on sign-extended MOV. test2",
8823 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8824 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8825 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8826 BPF_LD_MAP_FD(BPF_REG_1, 0),
8827 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8828 BPF_FUNC_map_lookup_elem),
8829 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8830 /* r2 = 0xffff'ffff'ffff'ffff */
8831 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
8832 /* r2 = 0xfff'ffff */
8833 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 36),
8834 /* r0 = <oob pointer> */
8835 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
8836 /* access to OOB pointer */
8837 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8839 BPF_MOV64_IMM(BPF_REG_0, 0),
8842 .fixup_map_hash_8b = { 3 },
8843 .errstr = "R0 min value is outside of the array range",
8847 "bounds check based on reg_off + var_off + insn_off. test1",
8849 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
8850 offsetof(struct __sk_buff, mark)),
8851 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8852 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8853 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8854 BPF_LD_MAP_FD(BPF_REG_1, 0),
8855 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8856 BPF_FUNC_map_lookup_elem),
8857 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8858 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
8859 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 29) - 1),
8860 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
8861 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
8862 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
8863 BPF_MOV64_IMM(BPF_REG_0, 0),
8866 .fixup_map_hash_8b = { 4 },
8867 .errstr = "value_size=8 off=1073741825",
8869 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8872 "bounds check based on reg_off + var_off + insn_off. test2",
8874 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
8875 offsetof(struct __sk_buff, mark)),
8876 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8877 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8878 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8879 BPF_LD_MAP_FD(BPF_REG_1, 0),
8880 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8881 BPF_FUNC_map_lookup_elem),
8882 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8883 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
8884 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 30) - 1),
8885 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
8886 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
8887 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
8888 BPF_MOV64_IMM(BPF_REG_0, 0),
8891 .fixup_map_hash_8b = { 4 },
8892 .errstr = "value 1073741823",
8894 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8897 "bounds check after truncation of non-boundary-crossing range",
8899 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8900 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8901 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8902 BPF_LD_MAP_FD(BPF_REG_1, 0),
8903 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8904 BPF_FUNC_map_lookup_elem),
8905 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8906 /* r1 = [0x00, 0xff] */
8907 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8908 BPF_MOV64_IMM(BPF_REG_2, 1),
8909 /* r2 = 0x10'0000'0000 */
8910 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 36),
8911 /* r1 = [0x10'0000'0000, 0x10'0000'00ff] */
8912 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
8913 /* r1 = [0x10'7fff'ffff, 0x10'8000'00fe] */
8914 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8915 /* r1 = [0x00, 0xff] */
8916 BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 0x7fffffff),
8918 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8920 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8921 /* access at offset 0 */
8922 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8924 BPF_MOV64_IMM(BPF_REG_0, 0),
8927 .fixup_map_hash_8b = { 3 },
8931 "bounds check after truncation of boundary-crossing range (1)",
8933 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8934 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8935 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8936 BPF_LD_MAP_FD(BPF_REG_1, 0),
8937 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8938 BPF_FUNC_map_lookup_elem),
8939 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8940 /* r1 = [0x00, 0xff] */
8941 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8942 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8943 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
8944 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8945 /* r1 = [0xffff'ff80, 0xffff'ffff] or
8946 * [0x0000'0000, 0x0000'007f]
8948 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 0),
8949 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8950 /* r1 = [0x00, 0xff] or
8951 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
8953 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8955 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
8957 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8958 /* no-op or OOB pointer computation */
8959 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8960 /* potentially OOB access */
8961 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8963 BPF_MOV64_IMM(BPF_REG_0, 0),
8966 .fixup_map_hash_8b = { 3 },
8967 /* not actually fully unbounded, but the bound is very high */
8968 .errstr = "R0 unbounded memory access",
8972 "bounds check after truncation of boundary-crossing range (2)",
8974 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8975 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8976 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8977 BPF_LD_MAP_FD(BPF_REG_1, 0),
8978 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8979 BPF_FUNC_map_lookup_elem),
8980 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8981 /* r1 = [0x00, 0xff] */
8982 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8983 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8984 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
8985 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8986 /* r1 = [0xffff'ff80, 0xffff'ffff] or
8987 * [0x0000'0000, 0x0000'007f]
8988 * difference to previous test: truncation via MOV32
8991 BPF_MOV32_REG(BPF_REG_1, BPF_REG_1),
8992 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8993 /* r1 = [0x00, 0xff] or
8994 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
8996 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8998 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
9000 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
9001 /* no-op or OOB pointer computation */
9002 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9003 /* potentially OOB access */
9004 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9006 BPF_MOV64_IMM(BPF_REG_0, 0),
9009 .fixup_map_hash_8b = { 3 },
9010 /* not actually fully unbounded, but the bound is very high */
9011 .errstr = "R0 unbounded memory access",
9015 "bounds check after wrapping 32-bit addition",
9017 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9018 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9019 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9020 BPF_LD_MAP_FD(BPF_REG_1, 0),
9021 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9022 BPF_FUNC_map_lookup_elem),
9023 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
9024 /* r1 = 0x7fff'ffff */
9025 BPF_MOV64_IMM(BPF_REG_1, 0x7fffffff),
9026 /* r1 = 0xffff'fffe */
9027 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
9029 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 2),
9031 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9032 /* access at offset 0 */
9033 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9035 BPF_MOV64_IMM(BPF_REG_0, 0),
9038 .fixup_map_hash_8b = { 3 },
9042 "bounds check after shift with oversized count operand",
9044 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9045 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9046 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9047 BPF_LD_MAP_FD(BPF_REG_1, 0),
9048 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9049 BPF_FUNC_map_lookup_elem),
9050 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
9051 BPF_MOV64_IMM(BPF_REG_2, 32),
9052 BPF_MOV64_IMM(BPF_REG_1, 1),
9053 /* r1 = (u32)1 << (u32)32 = ? */
9054 BPF_ALU32_REG(BPF_LSH, BPF_REG_1, BPF_REG_2),
9055 /* r1 = [0x0000, 0xffff] */
9056 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xffff),
9057 /* computes unknown pointer, potentially OOB */
9058 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9059 /* potentially OOB access */
9060 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9062 BPF_MOV64_IMM(BPF_REG_0, 0),
9065 .fixup_map_hash_8b = { 3 },
9066 .errstr = "R0 max value is outside of the array range",
9070 "bounds check after right shift of maybe-negative number",
9072 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9073 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9074 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9075 BPF_LD_MAP_FD(BPF_REG_1, 0),
9076 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9077 BPF_FUNC_map_lookup_elem),
9078 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
9079 /* r1 = [0x00, 0xff] */
9080 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
9081 /* r1 = [-0x01, 0xfe] */
9082 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1),
9083 /* r1 = 0 or 0xff'ffff'ffff'ffff */
9084 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
9085 /* r1 = 0 or 0xffff'ffff'ffff */
9086 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
9087 /* computes unknown pointer, potentially OOB */
9088 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9089 /* potentially OOB access */
9090 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9092 BPF_MOV64_IMM(BPF_REG_0, 0),
9095 .fixup_map_hash_8b = { 3 },
9096 .errstr = "R0 unbounded memory access",
9100 "bounds check map access with off+size signed 32bit overflow. test1",
9102 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9103 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9104 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9105 BPF_LD_MAP_FD(BPF_REG_1, 0),
9106 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9107 BPF_FUNC_map_lookup_elem),
9108 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9110 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7ffffffe),
9111 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
9115 .fixup_map_hash_8b = { 3 },
9116 .errstr = "map_value pointer and 2147483646",
9120 "bounds check map access with off+size signed 32bit overflow. test2",
9122 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9123 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9124 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9125 BPF_LD_MAP_FD(BPF_REG_1, 0),
9126 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9127 BPF_FUNC_map_lookup_elem),
9128 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9130 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
9131 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
9132 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
9133 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
9137 .fixup_map_hash_8b = { 3 },
9138 .errstr = "pointer offset 1073741822",
9142 "bounds check map access with off+size signed 32bit overflow. test3",
9144 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9145 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9146 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9147 BPF_LD_MAP_FD(BPF_REG_1, 0),
9148 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9149 BPF_FUNC_map_lookup_elem),
9150 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9152 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
9153 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
9154 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
9158 .fixup_map_hash_8b = { 3 },
9159 .errstr = "pointer offset -1073741822",
9163 "bounds check map access with off+size signed 32bit overflow. test4",
9165 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9166 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9167 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9168 BPF_LD_MAP_FD(BPF_REG_1, 0),
9169 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9170 BPF_FUNC_map_lookup_elem),
9171 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9173 BPF_MOV64_IMM(BPF_REG_1, 1000000),
9174 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 1000000),
9175 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9176 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
9180 .fixup_map_hash_8b = { 3 },
9181 .errstr = "map_value pointer and 1000000000000",
9185 "pointer/scalar confusion in state equality check (way 1)",
9187 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9188 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9189 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9190 BPF_LD_MAP_FD(BPF_REG_1, 0),
9191 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9192 BPF_FUNC_map_lookup_elem),
9193 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
9194 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
9196 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
9200 .fixup_map_hash_8b = { 3 },
9202 .retval = POINTER_VALUE,
9203 .result_unpriv = REJECT,
9204 .errstr_unpriv = "R0 leaks addr as return value"
9207 "pointer/scalar confusion in state equality check (way 2)",
9209 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9210 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9211 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9212 BPF_LD_MAP_FD(BPF_REG_1, 0),
9213 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9214 BPF_FUNC_map_lookup_elem),
9215 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
9216 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
9218 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
9221 .fixup_map_hash_8b = { 3 },
9223 .retval = POINTER_VALUE,
9224 .result_unpriv = REJECT,
9225 .errstr_unpriv = "R0 leaks addr as return value"
9228 "variable-offset ctx access",
9230 /* Get an unknown value */
9231 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
9232 /* Make it small and 4-byte aligned */
9233 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
9234 /* add it to skb. We now have either &skb->len or
9235 * &skb->pkt_type, but we don't know which
9237 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
9238 /* dereference it */
9239 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9242 .errstr = "variable ctx access var_off=(0x0; 0x4)",
9244 .prog_type = BPF_PROG_TYPE_LWT_IN,
9247 "variable-offset stack access",
9249 /* Fill the top 8 bytes of the stack */
9250 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9251 /* Get an unknown value */
9252 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
9253 /* Make it small and 4-byte aligned */
9254 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
9255 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
9256 /* add it to fp. We now have either fp-4 or fp-8, but
9257 * we don't know which
9259 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
9260 /* dereference it */
9261 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0),
9264 .errstr = "variable stack access var_off=(0xfffffffffffffff8; 0x4)",
9266 .prog_type = BPF_PROG_TYPE_LWT_IN,
9269 "indirect variable-offset stack access",
9271 /* Fill the top 8 bytes of the stack */
9272 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9273 /* Get an unknown value */
9274 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
9275 /* Make it small and 4-byte aligned */
9276 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
9277 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
9278 /* add it to fp. We now have either fp-4 or fp-8, but
9279 * we don't know which
9281 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
9282 /* dereference it indirectly */
9283 BPF_LD_MAP_FD(BPF_REG_1, 0),
9284 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9285 BPF_FUNC_map_lookup_elem),
9286 BPF_MOV64_IMM(BPF_REG_0, 0),
9289 .fixup_map_hash_8b = { 5 },
9290 .errstr = "variable stack read R2",
9292 .prog_type = BPF_PROG_TYPE_LWT_IN,
9295 "direct stack access with 32-bit wraparound. test1",
9297 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
9298 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
9299 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
9300 BPF_MOV32_IMM(BPF_REG_0, 0),
9301 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
9304 .errstr = "fp pointer and 2147483647",
9308 "direct stack access with 32-bit wraparound. test2",
9310 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
9311 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
9312 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
9313 BPF_MOV32_IMM(BPF_REG_0, 0),
9314 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
9317 .errstr = "fp pointer and 1073741823",
9321 "direct stack access with 32-bit wraparound. test3",
9323 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
9324 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
9325 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
9326 BPF_MOV32_IMM(BPF_REG_0, 0),
9327 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
9330 .errstr = "fp pointer offset 1073741822",
9334 "liveness pruning and write screening",
9336 /* Get an unknown value */
9337 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
9338 /* branch conditions teach us nothing about R2 */
9339 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
9340 BPF_MOV64_IMM(BPF_REG_0, 0),
9341 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
9342 BPF_MOV64_IMM(BPF_REG_0, 0),
9345 .errstr = "R0 !read_ok",
9347 .prog_type = BPF_PROG_TYPE_LWT_IN,
9350 "varlen_map_value_access pruning",
9352 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9353 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9354 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9355 BPF_LD_MAP_FD(BPF_REG_1, 0),
9356 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9357 BPF_FUNC_map_lookup_elem),
9358 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
9359 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
9360 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
9361 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
9362 BPF_MOV32_IMM(BPF_REG_1, 0),
9363 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
9364 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9365 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
9366 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
9367 offsetof(struct test_val, foo)),
9370 .fixup_map_hash_48b = { 3 },
9371 .errstr_unpriv = "R0 leaks addr",
9372 .errstr = "R0 unbounded memory access",
9373 .result_unpriv = REJECT,
9375 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9378 "invalid 64-bit BPF_END",
9380 BPF_MOV32_IMM(BPF_REG_0, 0),
9382 .code = BPF_ALU64 | BPF_END | BPF_TO_LE,
9383 .dst_reg = BPF_REG_0,
9390 .errstr = "unknown opcode d7",
9394 "XDP, using ifindex from netdev",
9396 BPF_MOV64_IMM(BPF_REG_0, 0),
9397 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9398 offsetof(struct xdp_md, ingress_ifindex)),
9399 BPF_JMP_IMM(BPF_JLT, BPF_REG_2, 1, 1),
9400 BPF_MOV64_IMM(BPF_REG_0, 1),
9404 .prog_type = BPF_PROG_TYPE_XDP,
9408 "meta access, test1",
9410 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9411 offsetof(struct xdp_md, data_meta)),
9412 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9413 offsetof(struct xdp_md, data)),
9414 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
9415 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
9416 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
9417 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9418 BPF_MOV64_IMM(BPF_REG_0, 0),
9422 .prog_type = BPF_PROG_TYPE_XDP,
9425 "meta access, test2",
9427 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9428 offsetof(struct xdp_md, data_meta)),
9429 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9430 offsetof(struct xdp_md, data)),
9431 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
9432 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 8),
9433 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
9434 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
9435 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
9436 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9437 BPF_MOV64_IMM(BPF_REG_0, 0),
9441 .errstr = "invalid access to packet, off=-8",
9442 .prog_type = BPF_PROG_TYPE_XDP,
9445 "meta access, test3",
9447 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9448 offsetof(struct xdp_md, data_meta)),
9449 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9450 offsetof(struct xdp_md, data_end)),
9451 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
9452 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
9453 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
9454 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9455 BPF_MOV64_IMM(BPF_REG_0, 0),
9459 .errstr = "invalid access to packet",
9460 .prog_type = BPF_PROG_TYPE_XDP,
9463 "meta access, test4",
9465 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9466 offsetof(struct xdp_md, data_meta)),
9467 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9468 offsetof(struct xdp_md, data_end)),
9469 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
9470 offsetof(struct xdp_md, data)),
9471 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
9472 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
9473 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
9474 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9475 BPF_MOV64_IMM(BPF_REG_0, 0),
9479 .errstr = "invalid access to packet",
9480 .prog_type = BPF_PROG_TYPE_XDP,
9483 "meta access, test5",
9485 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9486 offsetof(struct xdp_md, data_meta)),
9487 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
9488 offsetof(struct xdp_md, data)),
9489 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
9490 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
9491 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_4, 3),
9492 BPF_MOV64_IMM(BPF_REG_2, -8),
9493 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9494 BPF_FUNC_xdp_adjust_meta),
9495 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
9496 BPF_MOV64_IMM(BPF_REG_0, 0),
9500 .errstr = "R3 !read_ok",
9501 .prog_type = BPF_PROG_TYPE_XDP,
9504 "meta access, test6",
9506 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9507 offsetof(struct xdp_md, data_meta)),
9508 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9509 offsetof(struct xdp_md, data)),
9510 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
9511 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
9512 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
9513 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
9514 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 1),
9515 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9516 BPF_MOV64_IMM(BPF_REG_0, 0),
9520 .errstr = "invalid access to packet",
9521 .prog_type = BPF_PROG_TYPE_XDP,
9524 "meta access, test7",
9526 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9527 offsetof(struct xdp_md, data_meta)),
9528 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9529 offsetof(struct xdp_md, data)),
9530 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
9531 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
9532 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
9533 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
9534 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
9535 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9536 BPF_MOV64_IMM(BPF_REG_0, 0),
9540 .prog_type = BPF_PROG_TYPE_XDP,
9543 "meta access, test8",
9545 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9546 offsetof(struct xdp_md, data_meta)),
9547 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9548 offsetof(struct xdp_md, data)),
9549 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
9550 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
9551 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
9552 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9553 BPF_MOV64_IMM(BPF_REG_0, 0),
9557 .prog_type = BPF_PROG_TYPE_XDP,
9560 "meta access, test9",
9562 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9563 offsetof(struct xdp_md, data_meta)),
9564 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9565 offsetof(struct xdp_md, data)),
9566 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
9567 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
9568 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
9569 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
9570 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9571 BPF_MOV64_IMM(BPF_REG_0, 0),
9575 .errstr = "invalid access to packet",
9576 .prog_type = BPF_PROG_TYPE_XDP,
9579 "meta access, test10",
9581 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9582 offsetof(struct xdp_md, data_meta)),
9583 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9584 offsetof(struct xdp_md, data)),
9585 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
9586 offsetof(struct xdp_md, data_end)),
9587 BPF_MOV64_IMM(BPF_REG_5, 42),
9588 BPF_MOV64_IMM(BPF_REG_6, 24),
9589 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
9590 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
9591 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
9592 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
9593 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_5),
9594 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
9595 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
9596 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
9597 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_5, 1),
9598 BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
9599 BPF_MOV64_IMM(BPF_REG_0, 0),
9603 .errstr = "invalid access to packet",
9604 .prog_type = BPF_PROG_TYPE_XDP,
9607 "meta access, test11",
9609 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9610 offsetof(struct xdp_md, data_meta)),
9611 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9612 offsetof(struct xdp_md, data)),
9613 BPF_MOV64_IMM(BPF_REG_5, 42),
9614 BPF_MOV64_IMM(BPF_REG_6, 24),
9615 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
9616 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
9617 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
9618 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
9619 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_5),
9620 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
9621 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
9622 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
9623 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_3, 1),
9624 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_5, 0),
9625 BPF_MOV64_IMM(BPF_REG_0, 0),
9629 .prog_type = BPF_PROG_TYPE_XDP,
9632 "meta access, test12",
9634 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9635 offsetof(struct xdp_md, data_meta)),
9636 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9637 offsetof(struct xdp_md, data)),
9638 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
9639 offsetof(struct xdp_md, data_end)),
9640 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
9641 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
9642 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 5),
9643 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
9644 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
9645 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
9646 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 1),
9647 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9648 BPF_MOV64_IMM(BPF_REG_0, 0),
9652 .prog_type = BPF_PROG_TYPE_XDP,
9655 "arithmetic ops make PTR_TO_CTX unusable",
9657 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
9658 offsetof(struct __sk_buff, data) -
9659 offsetof(struct __sk_buff, mark)),
9660 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9661 offsetof(struct __sk_buff, mark)),
9664 .errstr = "dereference of modified ctx ptr",
9666 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9669 "pkt_end - pkt_start is allowed",
9671 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9672 offsetof(struct __sk_buff, data_end)),
9673 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9674 offsetof(struct __sk_buff, data)),
9675 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
9679 .retval = TEST_DATA_LEN,
9680 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9683 "XDP pkt read, pkt_end mangling, bad access 1",
9685 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9686 offsetof(struct xdp_md, data)),
9687 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9688 offsetof(struct xdp_md, data_end)),
9689 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9690 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9691 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8),
9692 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9693 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9694 BPF_MOV64_IMM(BPF_REG_0, 0),
9697 .errstr = "R3 pointer arithmetic on pkt_end",
9699 .prog_type = BPF_PROG_TYPE_XDP,
9702 "XDP pkt read, pkt_end mangling, bad access 2",
9704 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9705 offsetof(struct xdp_md, data)),
9706 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9707 offsetof(struct xdp_md, data_end)),
9708 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9709 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9710 BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8),
9711 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9712 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9713 BPF_MOV64_IMM(BPF_REG_0, 0),
9716 .errstr = "R3 pointer arithmetic on pkt_end",
9718 .prog_type = BPF_PROG_TYPE_XDP,
9721 "XDP pkt read, pkt_data' > pkt_end, good access",
9723 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9724 offsetof(struct xdp_md, data)),
9725 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9726 offsetof(struct xdp_md, data_end)),
9727 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9728 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9729 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9730 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9731 BPF_MOV64_IMM(BPF_REG_0, 0),
9735 .prog_type = BPF_PROG_TYPE_XDP,
9736 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9739 "XDP pkt read, pkt_data' > pkt_end, bad access 1",
9741 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9742 offsetof(struct xdp_md, data)),
9743 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9744 offsetof(struct xdp_md, data_end)),
9745 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9746 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9747 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9748 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9749 BPF_MOV64_IMM(BPF_REG_0, 0),
9752 .errstr = "R1 offset is outside of the packet",
9754 .prog_type = BPF_PROG_TYPE_XDP,
9755 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9758 "XDP pkt read, pkt_data' > pkt_end, bad access 2",
9760 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9761 offsetof(struct xdp_md, data)),
9762 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9763 offsetof(struct xdp_md, data_end)),
9764 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9765 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9766 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
9767 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9768 BPF_MOV64_IMM(BPF_REG_0, 0),
9771 .errstr = "R1 offset is outside of the packet",
9773 .prog_type = BPF_PROG_TYPE_XDP,
9774 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9777 "XDP pkt read, pkt_end > pkt_data', good access",
9779 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9780 offsetof(struct xdp_md, data)),
9781 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9782 offsetof(struct xdp_md, data_end)),
9783 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9784 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9785 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9786 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9787 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9788 BPF_MOV64_IMM(BPF_REG_0, 0),
9792 .prog_type = BPF_PROG_TYPE_XDP,
9793 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9796 "XDP pkt read, pkt_end > pkt_data', bad access 1",
9798 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9799 offsetof(struct xdp_md, data)),
9800 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9801 offsetof(struct xdp_md, data_end)),
9802 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9803 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9804 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9805 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9806 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9807 BPF_MOV64_IMM(BPF_REG_0, 0),
9810 .errstr = "R1 offset is outside of the packet",
9812 .prog_type = BPF_PROG_TYPE_XDP,
9813 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9816 "XDP pkt read, pkt_end > pkt_data', bad access 2",
9818 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9819 offsetof(struct xdp_md, data)),
9820 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9821 offsetof(struct xdp_md, data_end)),
9822 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9823 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9824 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9825 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9826 BPF_MOV64_IMM(BPF_REG_0, 0),
9829 .errstr = "R1 offset is outside of the packet",
9831 .prog_type = BPF_PROG_TYPE_XDP,
9832 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9835 "XDP pkt read, pkt_data' < pkt_end, good access",
9837 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9838 offsetof(struct xdp_md, data)),
9839 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9840 offsetof(struct xdp_md, data_end)),
9841 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9842 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9843 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9844 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9845 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9846 BPF_MOV64_IMM(BPF_REG_0, 0),
9850 .prog_type = BPF_PROG_TYPE_XDP,
9851 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9854 "XDP pkt read, pkt_data' < pkt_end, bad access 1",
9856 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9857 offsetof(struct xdp_md, data)),
9858 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9859 offsetof(struct xdp_md, data_end)),
9860 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9861 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9862 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9863 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9864 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9865 BPF_MOV64_IMM(BPF_REG_0, 0),
9868 .errstr = "R1 offset is outside of the packet",
9870 .prog_type = BPF_PROG_TYPE_XDP,
9871 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9874 "XDP pkt read, pkt_data' < pkt_end, bad access 2",
9876 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9877 offsetof(struct xdp_md, data)),
9878 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9879 offsetof(struct xdp_md, data_end)),
9880 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9881 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9882 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9883 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9884 BPF_MOV64_IMM(BPF_REG_0, 0),
9887 .errstr = "R1 offset is outside of the packet",
9889 .prog_type = BPF_PROG_TYPE_XDP,
9890 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9893 "XDP pkt read, pkt_end < pkt_data', good access",
9895 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9896 offsetof(struct xdp_md, data)),
9897 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9898 offsetof(struct xdp_md, data_end)),
9899 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9900 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9901 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9902 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9903 BPF_MOV64_IMM(BPF_REG_0, 0),
9907 .prog_type = BPF_PROG_TYPE_XDP,
9908 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9911 "XDP pkt read, pkt_end < pkt_data', bad access 1",
9913 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9914 offsetof(struct xdp_md, data)),
9915 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9916 offsetof(struct xdp_md, data_end)),
9917 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9918 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9919 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9920 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9921 BPF_MOV64_IMM(BPF_REG_0, 0),
9924 .errstr = "R1 offset is outside of the packet",
9926 .prog_type = BPF_PROG_TYPE_XDP,
9927 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9930 "XDP pkt read, pkt_end < pkt_data', bad access 2",
9932 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9933 offsetof(struct xdp_md, data)),
9934 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9935 offsetof(struct xdp_md, data_end)),
9936 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9937 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9938 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
9939 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9940 BPF_MOV64_IMM(BPF_REG_0, 0),
9943 .errstr = "R1 offset is outside of the packet",
9945 .prog_type = BPF_PROG_TYPE_XDP,
9946 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9949 "XDP pkt read, pkt_data' >= pkt_end, good access",
9951 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9952 offsetof(struct xdp_md, data)),
9953 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9954 offsetof(struct xdp_md, data_end)),
9955 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9956 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9957 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9958 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9959 BPF_MOV64_IMM(BPF_REG_0, 0),
9963 .prog_type = BPF_PROG_TYPE_XDP,
9964 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9967 "XDP pkt read, pkt_data' >= pkt_end, bad access 1",
9969 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9970 offsetof(struct xdp_md, data)),
9971 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9972 offsetof(struct xdp_md, data_end)),
9973 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9974 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9975 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9976 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9977 BPF_MOV64_IMM(BPF_REG_0, 0),
9980 .errstr = "R1 offset is outside of the packet",
9982 .prog_type = BPF_PROG_TYPE_XDP,
9983 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9986 "XDP pkt read, pkt_data' >= pkt_end, bad access 2",
9988 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9989 offsetof(struct xdp_md, data)),
9990 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9991 offsetof(struct xdp_md, data_end)),
9992 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9993 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9994 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
9995 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9996 BPF_MOV64_IMM(BPF_REG_0, 0),
9999 .errstr = "R1 offset is outside of the packet",
10001 .prog_type = BPF_PROG_TYPE_XDP,
10002 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10005 "XDP pkt read, pkt_end >= pkt_data', good access",
10007 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10008 offsetof(struct xdp_md, data)),
10009 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10010 offsetof(struct xdp_md, data_end)),
10011 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10012 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10013 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
10014 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10015 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10016 BPF_MOV64_IMM(BPF_REG_0, 0),
10020 .prog_type = BPF_PROG_TYPE_XDP,
10021 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10024 "XDP pkt read, pkt_end >= pkt_data', bad access 1",
10026 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10027 offsetof(struct xdp_md, data)),
10028 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10029 offsetof(struct xdp_md, data_end)),
10030 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10031 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10032 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
10033 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10034 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
10035 BPF_MOV64_IMM(BPF_REG_0, 0),
10038 .errstr = "R1 offset is outside of the packet",
10040 .prog_type = BPF_PROG_TYPE_XDP,
10041 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10044 "XDP pkt read, pkt_end >= pkt_data', bad access 2",
10046 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10047 offsetof(struct xdp_md, data)),
10048 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10049 offsetof(struct xdp_md, data_end)),
10050 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10051 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10052 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
10053 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10054 BPF_MOV64_IMM(BPF_REG_0, 0),
10057 .errstr = "R1 offset is outside of the packet",
10059 .prog_type = BPF_PROG_TYPE_XDP,
10060 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10063 "XDP pkt read, pkt_data' <= pkt_end, good access",
10065 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10066 offsetof(struct xdp_md, data)),
10067 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10068 offsetof(struct xdp_md, data_end)),
10069 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10070 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10071 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
10072 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10073 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10074 BPF_MOV64_IMM(BPF_REG_0, 0),
10078 .prog_type = BPF_PROG_TYPE_XDP,
10079 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10082 "XDP pkt read, pkt_data' <= pkt_end, bad access 1",
10084 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10085 offsetof(struct xdp_md, data)),
10086 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10087 offsetof(struct xdp_md, data_end)),
10088 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10089 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10090 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
10091 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10092 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
10093 BPF_MOV64_IMM(BPF_REG_0, 0),
10096 .errstr = "R1 offset is outside of the packet",
10098 .prog_type = BPF_PROG_TYPE_XDP,
10099 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10102 "XDP pkt read, pkt_data' <= pkt_end, bad access 2",
10104 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10105 offsetof(struct xdp_md, data)),
10106 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10107 offsetof(struct xdp_md, data_end)),
10108 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10109 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10110 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
10111 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10112 BPF_MOV64_IMM(BPF_REG_0, 0),
10115 .errstr = "R1 offset is outside of the packet",
10117 .prog_type = BPF_PROG_TYPE_XDP,
10118 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10121 "XDP pkt read, pkt_end <= pkt_data', good access",
10123 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10124 offsetof(struct xdp_md, data)),
10125 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10126 offsetof(struct xdp_md, data_end)),
10127 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10128 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10129 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
10130 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10131 BPF_MOV64_IMM(BPF_REG_0, 0),
10135 .prog_type = BPF_PROG_TYPE_XDP,
10136 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10139 "XDP pkt read, pkt_end <= pkt_data', bad access 1",
10141 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10142 offsetof(struct xdp_md, data)),
10143 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10144 offsetof(struct xdp_md, data_end)),
10145 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10146 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10147 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
10148 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10149 BPF_MOV64_IMM(BPF_REG_0, 0),
10152 .errstr = "R1 offset is outside of the packet",
10154 .prog_type = BPF_PROG_TYPE_XDP,
10155 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10158 "XDP pkt read, pkt_end <= pkt_data', bad access 2",
10160 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10161 offsetof(struct xdp_md, data)),
10162 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10163 offsetof(struct xdp_md, data_end)),
10164 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10165 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10166 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
10167 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10168 BPF_MOV64_IMM(BPF_REG_0, 0),
10171 .errstr = "R1 offset is outside of the packet",
10173 .prog_type = BPF_PROG_TYPE_XDP,
10174 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10177 "XDP pkt read, pkt_meta' > pkt_data, good access",
10179 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10180 offsetof(struct xdp_md, data_meta)),
10181 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10182 offsetof(struct xdp_md, data)),
10183 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10184 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10185 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
10186 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10187 BPF_MOV64_IMM(BPF_REG_0, 0),
10191 .prog_type = BPF_PROG_TYPE_XDP,
10192 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10195 "XDP pkt read, pkt_meta' > pkt_data, bad access 1",
10197 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10198 offsetof(struct xdp_md, data_meta)),
10199 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10200 offsetof(struct xdp_md, data)),
10201 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10202 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10203 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
10204 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
10205 BPF_MOV64_IMM(BPF_REG_0, 0),
10208 .errstr = "R1 offset is outside of the packet",
10210 .prog_type = BPF_PROG_TYPE_XDP,
10211 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10214 "XDP pkt read, pkt_meta' > pkt_data, bad access 2",
10216 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10217 offsetof(struct xdp_md, data_meta)),
10218 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10219 offsetof(struct xdp_md, data)),
10220 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10221 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10222 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
10223 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10224 BPF_MOV64_IMM(BPF_REG_0, 0),
10227 .errstr = "R1 offset is outside of the packet",
10229 .prog_type = BPF_PROG_TYPE_XDP,
10230 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10233 "XDP pkt read, pkt_data > pkt_meta', good access",
10235 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10236 offsetof(struct xdp_md, data_meta)),
10237 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10238 offsetof(struct xdp_md, data)),
10239 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10240 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10241 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
10242 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10243 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10244 BPF_MOV64_IMM(BPF_REG_0, 0),
10248 .prog_type = BPF_PROG_TYPE_XDP,
10249 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10252 "XDP pkt read, pkt_data > pkt_meta', bad access 1",
10254 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10255 offsetof(struct xdp_md, data_meta)),
10256 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10257 offsetof(struct xdp_md, data)),
10258 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10259 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10260 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
10261 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10262 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10263 BPF_MOV64_IMM(BPF_REG_0, 0),
10266 .errstr = "R1 offset is outside of the packet",
10268 .prog_type = BPF_PROG_TYPE_XDP,
10269 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10272 "XDP pkt read, pkt_data > pkt_meta', bad access 2",
10274 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10275 offsetof(struct xdp_md, data_meta)),
10276 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10277 offsetof(struct xdp_md, data)),
10278 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10279 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10280 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
10281 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10282 BPF_MOV64_IMM(BPF_REG_0, 0),
10285 .errstr = "R1 offset is outside of the packet",
10287 .prog_type = BPF_PROG_TYPE_XDP,
10288 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10291 "XDP pkt read, pkt_meta' < pkt_data, good access",
10293 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10294 offsetof(struct xdp_md, data_meta)),
10295 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10296 offsetof(struct xdp_md, data)),
10297 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10298 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10299 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
10300 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10301 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10302 BPF_MOV64_IMM(BPF_REG_0, 0),
10306 .prog_type = BPF_PROG_TYPE_XDP,
10307 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10310 "XDP pkt read, pkt_meta' < pkt_data, bad access 1",
10312 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10313 offsetof(struct xdp_md, data_meta)),
10314 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10315 offsetof(struct xdp_md, data)),
10316 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10317 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10318 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
10319 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10320 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10321 BPF_MOV64_IMM(BPF_REG_0, 0),
10324 .errstr = "R1 offset is outside of the packet",
10326 .prog_type = BPF_PROG_TYPE_XDP,
10327 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10330 "XDP pkt read, pkt_meta' < pkt_data, bad access 2",
10332 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10333 offsetof(struct xdp_md, data_meta)),
10334 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10335 offsetof(struct xdp_md, data)),
10336 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10337 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10338 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
10339 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10340 BPF_MOV64_IMM(BPF_REG_0, 0),
10343 .errstr = "R1 offset is outside of the packet",
10345 .prog_type = BPF_PROG_TYPE_XDP,
10346 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10349 "XDP pkt read, pkt_data < pkt_meta', good access",
10351 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10352 offsetof(struct xdp_md, data_meta)),
10353 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10354 offsetof(struct xdp_md, data)),
10355 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10356 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10357 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
10358 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10359 BPF_MOV64_IMM(BPF_REG_0, 0),
10363 .prog_type = BPF_PROG_TYPE_XDP,
10364 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10367 "XDP pkt read, pkt_data < pkt_meta', bad access 1",
10369 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10370 offsetof(struct xdp_md, data_meta)),
10371 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10372 offsetof(struct xdp_md, data)),
10373 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10374 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10375 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
10376 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
10377 BPF_MOV64_IMM(BPF_REG_0, 0),
10380 .errstr = "R1 offset is outside of the packet",
10382 .prog_type = BPF_PROG_TYPE_XDP,
10383 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10386 "XDP pkt read, pkt_data < pkt_meta', bad access 2",
10388 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10389 offsetof(struct xdp_md, data_meta)),
10390 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10391 offsetof(struct xdp_md, data)),
10392 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10393 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10394 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
10395 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10396 BPF_MOV64_IMM(BPF_REG_0, 0),
10399 .errstr = "R1 offset is outside of the packet",
10401 .prog_type = BPF_PROG_TYPE_XDP,
10402 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10405 "XDP pkt read, pkt_meta' >= pkt_data, good access",
10407 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10408 offsetof(struct xdp_md, data_meta)),
10409 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10410 offsetof(struct xdp_md, data)),
10411 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10412 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10413 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
10414 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10415 BPF_MOV64_IMM(BPF_REG_0, 0),
10419 .prog_type = BPF_PROG_TYPE_XDP,
10420 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10423 "XDP pkt read, pkt_meta' >= pkt_data, bad access 1",
10425 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10426 offsetof(struct xdp_md, data_meta)),
10427 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10428 offsetof(struct xdp_md, data)),
10429 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10430 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10431 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
10432 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10433 BPF_MOV64_IMM(BPF_REG_0, 0),
10436 .errstr = "R1 offset is outside of the packet",
10438 .prog_type = BPF_PROG_TYPE_XDP,
10439 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10442 "XDP pkt read, pkt_meta' >= pkt_data, bad access 2",
10444 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10445 offsetof(struct xdp_md, data_meta)),
10446 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10447 offsetof(struct xdp_md, data)),
10448 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10449 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10450 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
10451 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10452 BPF_MOV64_IMM(BPF_REG_0, 0),
10455 .errstr = "R1 offset is outside of the packet",
10457 .prog_type = BPF_PROG_TYPE_XDP,
10458 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10461 "XDP pkt read, pkt_data >= pkt_meta', good access",
10463 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10464 offsetof(struct xdp_md, data_meta)),
10465 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10466 offsetof(struct xdp_md, data)),
10467 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10468 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10469 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
10470 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10471 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10472 BPF_MOV64_IMM(BPF_REG_0, 0),
10476 .prog_type = BPF_PROG_TYPE_XDP,
10477 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10480 "XDP pkt read, pkt_data >= pkt_meta', bad access 1",
10482 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10483 offsetof(struct xdp_md, data_meta)),
10484 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10485 offsetof(struct xdp_md, data)),
10486 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10487 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10488 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
10489 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10490 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
10491 BPF_MOV64_IMM(BPF_REG_0, 0),
10494 .errstr = "R1 offset is outside of the packet",
10496 .prog_type = BPF_PROG_TYPE_XDP,
10497 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10500 "XDP pkt read, pkt_data >= pkt_meta', bad access 2",
10502 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10503 offsetof(struct xdp_md, data_meta)),
10504 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10505 offsetof(struct xdp_md, data)),
10506 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10507 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10508 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
10509 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10510 BPF_MOV64_IMM(BPF_REG_0, 0),
10513 .errstr = "R1 offset is outside of the packet",
10515 .prog_type = BPF_PROG_TYPE_XDP,
10516 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10519 "XDP pkt read, pkt_meta' <= pkt_data, good access",
10521 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10522 offsetof(struct xdp_md, data_meta)),
10523 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10524 offsetof(struct xdp_md, data)),
10525 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10526 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10527 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
10528 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10529 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10530 BPF_MOV64_IMM(BPF_REG_0, 0),
10534 .prog_type = BPF_PROG_TYPE_XDP,
10535 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10538 "XDP pkt read, pkt_meta' <= pkt_data, bad access 1",
10540 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10541 offsetof(struct xdp_md, data_meta)),
10542 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10543 offsetof(struct xdp_md, data)),
10544 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10545 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10546 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
10547 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10548 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
10549 BPF_MOV64_IMM(BPF_REG_0, 0),
10552 .errstr = "R1 offset is outside of the packet",
10554 .prog_type = BPF_PROG_TYPE_XDP,
10555 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10558 "XDP pkt read, pkt_meta' <= pkt_data, bad access 2",
10560 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10561 offsetof(struct xdp_md, data_meta)),
10562 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10563 offsetof(struct xdp_md, data)),
10564 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10565 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10566 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
10567 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10568 BPF_MOV64_IMM(BPF_REG_0, 0),
10571 .errstr = "R1 offset is outside of the packet",
10573 .prog_type = BPF_PROG_TYPE_XDP,
10574 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10577 "XDP pkt read, pkt_data <= pkt_meta', good access",
10579 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10580 offsetof(struct xdp_md, data_meta)),
10581 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10582 offsetof(struct xdp_md, data)),
10583 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10584 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10585 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
10586 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10587 BPF_MOV64_IMM(BPF_REG_0, 0),
10591 .prog_type = BPF_PROG_TYPE_XDP,
10592 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10595 "XDP pkt read, pkt_data <= pkt_meta', bad access 1",
10597 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10598 offsetof(struct xdp_md, data_meta)),
10599 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10600 offsetof(struct xdp_md, data)),
10601 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10602 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10603 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
10604 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10605 BPF_MOV64_IMM(BPF_REG_0, 0),
10608 .errstr = "R1 offset is outside of the packet",
10610 .prog_type = BPF_PROG_TYPE_XDP,
10611 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10614 "XDP pkt read, pkt_data <= pkt_meta', bad access 2",
10616 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10617 offsetof(struct xdp_md, data_meta)),
10618 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10619 offsetof(struct xdp_md, data)),
10620 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10621 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10622 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
10623 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10624 BPF_MOV64_IMM(BPF_REG_0, 0),
10627 .errstr = "R1 offset is outside of the packet",
10629 .prog_type = BPF_PROG_TYPE_XDP,
10630 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10633 "check deducing bounds from const, 1",
10635 BPF_MOV64_IMM(BPF_REG_0, 1),
10636 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 0),
10637 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
10641 .errstr = "R0 tried to subtract pointer from scalar",
10644 "check deducing bounds from const, 2",
10646 BPF_MOV64_IMM(BPF_REG_0, 1),
10647 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 1),
10649 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 1, 1),
10651 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
10658 "check deducing bounds from const, 3",
10660 BPF_MOV64_IMM(BPF_REG_0, 0),
10661 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
10662 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
10666 .errstr = "R0 tried to subtract pointer from scalar",
10669 "check deducing bounds from const, 4",
10671 BPF_MOV64_IMM(BPF_REG_0, 0),
10672 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 1),
10674 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
10676 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
10682 "check deducing bounds from const, 5",
10684 BPF_MOV64_IMM(BPF_REG_0, 0),
10685 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 1),
10686 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
10690 .errstr = "R0 tried to subtract pointer from scalar",
10693 "check deducing bounds from const, 6",
10695 BPF_MOV64_IMM(BPF_REG_0, 0),
10696 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
10698 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
10702 .errstr = "R0 tried to subtract pointer from scalar",
10705 "check deducing bounds from const, 7",
10707 BPF_MOV64_IMM(BPF_REG_0, ~0),
10708 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
10709 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
10710 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10711 offsetof(struct __sk_buff, mark)),
10715 .errstr = "dereference of modified ctx ptr",
10716 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10719 "check deducing bounds from const, 8",
10721 BPF_MOV64_IMM(BPF_REG_0, ~0),
10722 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
10723 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
10724 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10725 offsetof(struct __sk_buff, mark)),
10729 .errstr = "dereference of modified ctx ptr",
10730 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10733 "check deducing bounds from const, 9",
10735 BPF_MOV64_IMM(BPF_REG_0, 0),
10736 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
10737 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
10741 .errstr = "R0 tried to subtract pointer from scalar",
10744 "check deducing bounds from const, 10",
10746 BPF_MOV64_IMM(BPF_REG_0, 0),
10747 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
10748 /* Marks reg as unknown. */
10749 BPF_ALU64_IMM(BPF_NEG, BPF_REG_0, 0),
10750 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
10754 .errstr = "math between ctx pointer and register with unbounded min value is not allowed",
10757 "bpf_exit with invalid return code. test1",
10759 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10762 .errstr = "R0 has value (0x0; 0xffffffff)",
10764 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10767 "bpf_exit with invalid return code. test2",
10769 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10770 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
10774 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10777 "bpf_exit with invalid return code. test3",
10779 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10780 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 3),
10783 .errstr = "R0 has value (0x0; 0x3)",
10785 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10788 "bpf_exit with invalid return code. test4",
10790 BPF_MOV64_IMM(BPF_REG_0, 1),
10794 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10797 "bpf_exit with invalid return code. test5",
10799 BPF_MOV64_IMM(BPF_REG_0, 2),
10802 .errstr = "R0 has value (0x2; 0x0)",
10804 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10807 "bpf_exit with invalid return code. test6",
10809 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
10812 .errstr = "R0 is not a known value (ctx)",
10814 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10817 "bpf_exit with invalid return code. test7",
10819 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10820 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4),
10821 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_2),
10824 .errstr = "R0 has unknown scalar value",
10826 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10829 "calls: basic sanity",
10831 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10832 BPF_MOV64_IMM(BPF_REG_0, 1),
10834 BPF_MOV64_IMM(BPF_REG_0, 2),
10837 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10841 "calls: not on unpriviledged",
10843 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10844 BPF_MOV64_IMM(BPF_REG_0, 1),
10846 BPF_MOV64_IMM(BPF_REG_0, 2),
10849 .errstr_unpriv = "function calls to other bpf functions are allowed for root only",
10850 .result_unpriv = REJECT,
10855 "calls: div by 0 in subprog",
10857 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10858 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10859 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10860 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
10861 offsetof(struct __sk_buff, data_end)),
10862 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
10863 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
10864 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
10865 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
10866 BPF_MOV64_IMM(BPF_REG_0, 1),
10868 BPF_MOV32_IMM(BPF_REG_2, 0),
10869 BPF_MOV32_IMM(BPF_REG_3, 1),
10870 BPF_ALU32_REG(BPF_DIV, BPF_REG_3, BPF_REG_2),
10871 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10872 offsetof(struct __sk_buff, data)),
10875 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10880 "calls: multiple ret types in subprog 1",
10882 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10883 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10884 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10885 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
10886 offsetof(struct __sk_buff, data_end)),
10887 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
10888 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
10889 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
10890 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
10891 BPF_MOV64_IMM(BPF_REG_0, 1),
10893 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10894 offsetof(struct __sk_buff, data)),
10895 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
10896 BPF_MOV32_IMM(BPF_REG_0, 42),
10899 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10901 .errstr = "R0 invalid mem access 'inv'",
10904 "calls: multiple ret types in subprog 2",
10906 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10907 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10908 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10909 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
10910 offsetof(struct __sk_buff, data_end)),
10911 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
10912 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
10913 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
10914 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
10915 BPF_MOV64_IMM(BPF_REG_0, 1),
10917 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10918 offsetof(struct __sk_buff, data)),
10919 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10920 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 9),
10921 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10922 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10923 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10924 BPF_LD_MAP_FD(BPF_REG_1, 0),
10925 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10926 BPF_FUNC_map_lookup_elem),
10927 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
10928 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6,
10929 offsetof(struct __sk_buff, data)),
10930 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
10933 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10934 .fixup_map_hash_8b = { 16 },
10936 .errstr = "R0 min value is outside of the array range",
10939 "calls: overlapping caller/callee",
10941 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0),
10942 BPF_MOV64_IMM(BPF_REG_0, 1),
10945 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10946 .errstr = "last insn is not an exit or jmp",
10950 "calls: wrong recursive calls",
10952 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
10953 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
10954 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
10955 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
10956 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
10957 BPF_MOV64_IMM(BPF_REG_0, 1),
10960 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10961 .errstr = "jump out of range",
10965 "calls: wrong src reg",
10967 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 2, 0, 0),
10968 BPF_MOV64_IMM(BPF_REG_0, 1),
10971 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10972 .errstr = "BPF_CALL uses reserved fields",
10976 "calls: wrong off value",
10978 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, -1, 2),
10979 BPF_MOV64_IMM(BPF_REG_0, 1),
10981 BPF_MOV64_IMM(BPF_REG_0, 2),
10984 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10985 .errstr = "BPF_CALL uses reserved fields",
10989 "calls: jump back loop",
10991 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
10992 BPF_MOV64_IMM(BPF_REG_0, 1),
10995 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10996 .errstr = "back-edge from insn 0 to 0",
11000 "calls: conditional call",
11002 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11003 offsetof(struct __sk_buff, mark)),
11004 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
11005 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11006 BPF_MOV64_IMM(BPF_REG_0, 1),
11008 BPF_MOV64_IMM(BPF_REG_0, 2),
11011 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11012 .errstr = "jump out of range",
11016 "calls: conditional call 2",
11018 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11019 offsetof(struct __sk_buff, mark)),
11020 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
11021 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11022 BPF_MOV64_IMM(BPF_REG_0, 1),
11024 BPF_MOV64_IMM(BPF_REG_0, 2),
11026 BPF_MOV64_IMM(BPF_REG_0, 3),
11029 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11033 "calls: conditional call 3",
11035 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11036 offsetof(struct __sk_buff, mark)),
11037 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
11038 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
11039 BPF_MOV64_IMM(BPF_REG_0, 1),
11041 BPF_MOV64_IMM(BPF_REG_0, 1),
11042 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
11043 BPF_MOV64_IMM(BPF_REG_0, 3),
11044 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
11046 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11047 .errstr = "back-edge from insn",
11051 "calls: conditional call 4",
11053 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11054 offsetof(struct __sk_buff, mark)),
11055 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
11056 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11057 BPF_MOV64_IMM(BPF_REG_0, 1),
11059 BPF_MOV64_IMM(BPF_REG_0, 1),
11060 BPF_JMP_IMM(BPF_JA, 0, 0, -5),
11061 BPF_MOV64_IMM(BPF_REG_0, 3),
11064 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11068 "calls: conditional call 5",
11070 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11071 offsetof(struct __sk_buff, mark)),
11072 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
11073 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11074 BPF_MOV64_IMM(BPF_REG_0, 1),
11076 BPF_MOV64_IMM(BPF_REG_0, 1),
11077 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
11078 BPF_MOV64_IMM(BPF_REG_0, 3),
11081 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11082 .errstr = "back-edge from insn",
11086 "calls: conditional call 6",
11088 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11089 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -2),
11091 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11092 offsetof(struct __sk_buff, mark)),
11095 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11096 .errstr = "back-edge from insn",
11100 "calls: using r0 returned by callee",
11102 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11104 BPF_MOV64_IMM(BPF_REG_0, 2),
11107 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11111 "calls: using uninit r0 from callee",
11113 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11117 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11118 .errstr = "!read_ok",
11122 "calls: callee is using r1",
11124 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11126 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11127 offsetof(struct __sk_buff, len)),
11130 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
11132 .retval = TEST_DATA_LEN,
11135 "calls: callee using args1",
11137 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11139 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
11142 .errstr_unpriv = "allowed for root only",
11143 .result_unpriv = REJECT,
11145 .retval = POINTER_VALUE,
11148 "calls: callee using wrong args2",
11150 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11152 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11155 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11156 .errstr = "R2 !read_ok",
11160 "calls: callee using two args",
11162 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11163 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
11164 offsetof(struct __sk_buff, len)),
11165 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_6,
11166 offsetof(struct __sk_buff, len)),
11167 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11169 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
11170 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
11173 .errstr_unpriv = "allowed for root only",
11174 .result_unpriv = REJECT,
11176 .retval = TEST_DATA_LEN + TEST_DATA_LEN - ETH_HLEN - ETH_HLEN,
11179 "calls: callee changing pkt pointers",
11181 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
11182 offsetof(struct xdp_md, data)),
11183 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
11184 offsetof(struct xdp_md, data_end)),
11185 BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
11186 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 8),
11187 BPF_JMP_REG(BPF_JGT, BPF_REG_8, BPF_REG_7, 2),
11188 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11189 /* clear_all_pkt_pointers() has to walk all frames
11190 * to make sure that pkt pointers in the caller
11191 * are cleared when callee is calling a helper that
11192 * adjusts packet size
11194 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
11195 BPF_MOV32_IMM(BPF_REG_0, 0),
11197 BPF_MOV64_IMM(BPF_REG_2, 0),
11198 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11199 BPF_FUNC_xdp_adjust_head),
11203 .errstr = "R6 invalid mem access 'inv'",
11204 .prog_type = BPF_PROG_TYPE_XDP,
11205 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11208 "calls: two calls with args",
11210 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11212 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11213 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
11214 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
11215 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11216 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11217 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
11218 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
11220 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11221 offsetof(struct __sk_buff, len)),
11224 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11226 .retval = TEST_DATA_LEN + TEST_DATA_LEN,
11229 "calls: calls with stack arith",
11231 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11232 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
11233 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11235 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
11236 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11238 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
11239 BPF_MOV64_IMM(BPF_REG_0, 42),
11240 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
11243 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11248 "calls: calls with misaligned stack access",
11250 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11251 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
11252 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11254 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -61),
11255 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11257 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
11258 BPF_MOV64_IMM(BPF_REG_0, 42),
11259 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
11262 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11263 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
11264 .errstr = "misaligned stack access",
11268 "calls: calls control flow, jump test",
11270 BPF_MOV64_IMM(BPF_REG_0, 42),
11271 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11272 BPF_MOV64_IMM(BPF_REG_0, 43),
11273 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11274 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
11277 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11282 "calls: calls control flow, jump test 2",
11284 BPF_MOV64_IMM(BPF_REG_0, 42),
11285 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11286 BPF_MOV64_IMM(BPF_REG_0, 43),
11287 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11288 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
11291 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11292 .errstr = "jump out of range from insn 1 to 4",
11296 "calls: two calls with bad jump",
11298 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11300 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11301 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
11302 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
11303 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11304 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11305 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
11306 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
11308 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11309 offsetof(struct __sk_buff, len)),
11310 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -3),
11313 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11314 .errstr = "jump out of range from insn 11 to 9",
11318 "calls: recursive call. test1",
11320 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11322 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
11325 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11326 .errstr = "back-edge",
11330 "calls: recursive call. test2",
11332 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11334 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
11337 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11338 .errstr = "back-edge",
11342 "calls: unreachable code",
11344 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11346 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11348 BPF_MOV64_IMM(BPF_REG_0, 0),
11350 BPF_MOV64_IMM(BPF_REG_0, 0),
11353 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11354 .errstr = "unreachable insn 6",
11358 "calls: invalid call",
11360 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11362 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -4),
11365 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11366 .errstr = "invalid destination",
11370 "calls: invalid call 2",
11372 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11374 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0x7fffffff),
11377 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11378 .errstr = "invalid destination",
11382 "calls: jumping across function bodies. test1",
11384 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11385 BPF_MOV64_IMM(BPF_REG_0, 0),
11387 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
11390 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11391 .errstr = "jump out of range",
11395 "calls: jumping across function bodies. test2",
11397 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
11398 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11399 BPF_MOV64_IMM(BPF_REG_0, 0),
11403 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11404 .errstr = "jump out of range",
11408 "calls: call without exit",
11410 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11412 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11414 BPF_MOV64_IMM(BPF_REG_0, 0),
11415 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -2),
11417 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11418 .errstr = "not an exit",
11422 "calls: call into middle of ld_imm64",
11424 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11425 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11426 BPF_MOV64_IMM(BPF_REG_0, 0),
11428 BPF_LD_IMM64(BPF_REG_0, 0),
11431 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11432 .errstr = "last insn",
11436 "calls: call into middle of other call",
11438 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11439 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11440 BPF_MOV64_IMM(BPF_REG_0, 0),
11442 BPF_MOV64_IMM(BPF_REG_0, 0),
11443 BPF_MOV64_IMM(BPF_REG_0, 0),
11446 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11447 .errstr = "last insn",
11451 "calls: ld_abs with changing ctx data in callee",
11453 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11454 BPF_LD_ABS(BPF_B, 0),
11455 BPF_LD_ABS(BPF_H, 0),
11456 BPF_LD_ABS(BPF_W, 0),
11457 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
11458 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
11459 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
11460 BPF_LD_ABS(BPF_B, 0),
11461 BPF_LD_ABS(BPF_H, 0),
11462 BPF_LD_ABS(BPF_W, 0),
11464 BPF_MOV64_IMM(BPF_REG_2, 1),
11465 BPF_MOV64_IMM(BPF_REG_3, 2),
11466 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11467 BPF_FUNC_skb_vlan_push),
11470 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11471 .errstr = "BPF_LD_[ABS|IND] instructions cannot be mixed",
11475 "calls: two calls with bad fallthrough",
11477 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11479 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11480 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
11481 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
11482 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11483 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11484 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
11485 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
11486 BPF_MOV64_REG(BPF_REG_0, BPF_REG_0),
11487 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11488 offsetof(struct __sk_buff, len)),
11491 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11492 .errstr = "not an exit",
11496 "calls: two calls with stack read",
11498 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11499 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11500 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11501 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11503 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11504 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
11505 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
11506 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11507 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11508 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
11509 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
11511 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
11514 .prog_type = BPF_PROG_TYPE_XDP,
11518 "calls: two calls with stack write",
11521 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11522 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11523 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11524 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11525 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11526 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11527 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
11531 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11532 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11533 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 7),
11534 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
11535 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11536 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11537 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
11538 BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
11539 /* write into stack frame of main prog */
11540 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11544 /* read from stack frame of main prog */
11545 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
11548 .prog_type = BPF_PROG_TYPE_XDP,
11552 "calls: stack overflow using two frames (pre-call access)",
11555 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
11556 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
11560 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
11561 BPF_MOV64_IMM(BPF_REG_0, 0),
11564 .prog_type = BPF_PROG_TYPE_XDP,
11565 .errstr = "combined stack size",
11569 "calls: stack overflow using two frames (post-call access)",
11572 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 2),
11573 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
11577 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
11578 BPF_MOV64_IMM(BPF_REG_0, 0),
11581 .prog_type = BPF_PROG_TYPE_XDP,
11582 .errstr = "combined stack size",
11586 "calls: stack depth check using three frames. test1",
11589 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
11590 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
11591 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
11592 BPF_MOV64_IMM(BPF_REG_0, 0),
11595 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
11598 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
11599 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
11602 .prog_type = BPF_PROG_TYPE_XDP,
11603 /* stack_main=32, stack_A=256, stack_B=64
11604 * and max(main+A, main+A+B) < 512
11609 "calls: stack depth check using three frames. test2",
11612 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
11613 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
11614 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
11615 BPF_MOV64_IMM(BPF_REG_0, 0),
11618 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
11621 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
11622 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
11625 .prog_type = BPF_PROG_TYPE_XDP,
11626 /* stack_main=32, stack_A=64, stack_B=256
11627 * and max(main+A, main+A+B) < 512
11632 "calls: stack depth check using three frames. test3",
11635 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11636 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
11637 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11638 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 8), /* call B */
11639 BPF_JMP_IMM(BPF_JGE, BPF_REG_6, 0, 1),
11640 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
11641 BPF_MOV64_IMM(BPF_REG_0, 0),
11644 BPF_JMP_IMM(BPF_JLT, BPF_REG_1, 10, 1),
11646 BPF_ST_MEM(BPF_B, BPF_REG_10, -224, 0),
11647 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
11649 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 1),
11650 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -6), /* call A */
11651 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
11654 .prog_type = BPF_PROG_TYPE_XDP,
11655 /* stack_main=64, stack_A=224, stack_B=256
11656 * and max(main+A, main+A+B) > 512
11658 .errstr = "combined stack",
11662 "calls: stack depth check using three frames. test4",
11663 /* void main(void) {
11668 * void func1(int alloc_or_recurse) {
11669 * if (alloc_or_recurse) {
11670 * frame_pointer[-300] = 1;
11672 * func2(alloc_or_recurse);
11675 * void func2(int alloc_or_recurse) {
11676 * if (alloc_or_recurse) {
11677 * frame_pointer[-300] = 1;
11683 BPF_MOV64_IMM(BPF_REG_1, 0),
11684 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
11685 BPF_MOV64_IMM(BPF_REG_1, 1),
11686 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
11687 BPF_MOV64_IMM(BPF_REG_1, 1),
11688 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 7), /* call B */
11689 BPF_MOV64_IMM(BPF_REG_0, 0),
11692 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
11693 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
11695 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
11698 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
11699 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
11702 .prog_type = BPF_PROG_TYPE_XDP,
11704 .errstr = "combined stack",
11707 "calls: stack depth check using three frames. test5",
11710 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call A */
11713 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
11716 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call C */
11719 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call D */
11722 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call E */
11725 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call F */
11728 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call G */
11731 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call H */
11734 BPF_MOV64_IMM(BPF_REG_0, 0),
11737 .prog_type = BPF_PROG_TYPE_XDP,
11738 .errstr = "call stack",
11742 "calls: spill into caller stack frame",
11744 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11745 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11746 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11747 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11749 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
11750 BPF_MOV64_IMM(BPF_REG_0, 0),
11753 .prog_type = BPF_PROG_TYPE_XDP,
11754 .errstr = "cannot spill",
11758 "calls: write into caller stack frame",
11760 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11761 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11762 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11763 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11764 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
11766 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 42),
11767 BPF_MOV64_IMM(BPF_REG_0, 0),
11770 .prog_type = BPF_PROG_TYPE_XDP,
11775 "calls: write into callee stack frame",
11777 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11778 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
11780 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
11781 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, -8),
11784 .prog_type = BPF_PROG_TYPE_XDP,
11785 .errstr = "cannot return stack pointer",
11789 "calls: two calls with stack write and void return",
11792 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11793 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11794 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11795 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11796 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11797 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11798 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
11802 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11803 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11804 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11805 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11806 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11810 /* write into stack frame of main prog */
11811 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
11812 BPF_EXIT_INSN(), /* void return */
11814 .prog_type = BPF_PROG_TYPE_XDP,
11818 "calls: ambiguous return value",
11820 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11821 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
11822 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
11823 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11824 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11825 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
11827 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
11828 BPF_MOV64_IMM(BPF_REG_0, 0),
11831 .errstr_unpriv = "allowed for root only",
11832 .result_unpriv = REJECT,
11833 .errstr = "R0 !read_ok",
11837 "calls: two calls that return map_value",
11840 /* pass fp-16, fp-8 into a function */
11841 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11842 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11843 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11844 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11845 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
11847 /* fetch map_value_ptr from the stack of this function */
11848 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
11849 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
11850 /* write into map value */
11851 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11852 /* fetch secound map_value_ptr from the stack */
11853 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
11854 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
11855 /* write into map value */
11856 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11857 BPF_MOV64_IMM(BPF_REG_0, 0),
11861 /* call 3rd function twice */
11862 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11863 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11864 /* first time with fp-8 */
11865 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11866 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11867 /* second time with fp-16 */
11868 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11872 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11873 /* lookup from map */
11874 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11875 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11876 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11877 BPF_LD_MAP_FD(BPF_REG_1, 0),
11878 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11879 BPF_FUNC_map_lookup_elem),
11880 /* write map_value_ptr into stack frame of main prog */
11881 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11882 BPF_MOV64_IMM(BPF_REG_0, 0),
11883 BPF_EXIT_INSN(), /* return 0 */
11885 .prog_type = BPF_PROG_TYPE_XDP,
11886 .fixup_map_hash_8b = { 23 },
11890 "calls: two calls that return map_value with bool condition",
11893 /* pass fp-16, fp-8 into a function */
11894 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11895 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11896 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11897 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11898 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11899 BPF_MOV64_IMM(BPF_REG_0, 0),
11903 /* call 3rd function twice */
11904 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11905 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11906 /* first time with fp-8 */
11907 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
11908 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
11909 /* fetch map_value_ptr from the stack of this function */
11910 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
11911 /* write into map value */
11912 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11913 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11914 /* second time with fp-16 */
11915 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11916 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
11917 /* fetch secound map_value_ptr from the stack */
11918 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
11919 /* write into map value */
11920 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11924 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11925 /* lookup from map */
11926 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11927 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11928 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11929 BPF_LD_MAP_FD(BPF_REG_1, 0),
11930 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11931 BPF_FUNC_map_lookup_elem),
11932 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11933 BPF_MOV64_IMM(BPF_REG_0, 0),
11934 BPF_EXIT_INSN(), /* return 0 */
11935 /* write map_value_ptr into stack frame of main prog */
11936 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11937 BPF_MOV64_IMM(BPF_REG_0, 1),
11938 BPF_EXIT_INSN(), /* return 1 */
11940 .prog_type = BPF_PROG_TYPE_XDP,
11941 .fixup_map_hash_8b = { 23 },
11945 "calls: two calls that return map_value with incorrect bool check",
11948 /* pass fp-16, fp-8 into a function */
11949 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11950 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11951 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11952 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11953 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11954 BPF_MOV64_IMM(BPF_REG_0, 0),
11958 /* call 3rd function twice */
11959 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11960 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11961 /* first time with fp-8 */
11962 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
11963 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
11964 /* fetch map_value_ptr from the stack of this function */
11965 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
11966 /* write into map value */
11967 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11968 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11969 /* second time with fp-16 */
11970 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11971 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11972 /* fetch secound map_value_ptr from the stack */
11973 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
11974 /* write into map value */
11975 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11979 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11980 /* lookup from map */
11981 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11982 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11983 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11984 BPF_LD_MAP_FD(BPF_REG_1, 0),
11985 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11986 BPF_FUNC_map_lookup_elem),
11987 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11988 BPF_MOV64_IMM(BPF_REG_0, 0),
11989 BPF_EXIT_INSN(), /* return 0 */
11990 /* write map_value_ptr into stack frame of main prog */
11991 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11992 BPF_MOV64_IMM(BPF_REG_0, 1),
11993 BPF_EXIT_INSN(), /* return 1 */
11995 .prog_type = BPF_PROG_TYPE_XDP,
11996 .fixup_map_hash_8b = { 23 },
11998 .errstr = "invalid read from stack off -16+0 size 8",
12001 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test1",
12004 /* pass fp-16, fp-8 into a function */
12005 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12006 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12007 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12008 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
12009 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12010 BPF_MOV64_IMM(BPF_REG_0, 0),
12014 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12015 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
12016 /* 1st lookup from map */
12017 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12018 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12019 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12020 BPF_LD_MAP_FD(BPF_REG_1, 0),
12021 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12022 BPF_FUNC_map_lookup_elem),
12023 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12024 BPF_MOV64_IMM(BPF_REG_8, 0),
12025 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12026 /* write map_value_ptr into stack frame of main prog at fp-8 */
12027 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
12028 BPF_MOV64_IMM(BPF_REG_8, 1),
12030 /* 2nd lookup from map */
12031 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
12032 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12033 BPF_LD_MAP_FD(BPF_REG_1, 0),
12034 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
12035 BPF_FUNC_map_lookup_elem),
12036 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12037 BPF_MOV64_IMM(BPF_REG_9, 0),
12038 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12039 /* write map_value_ptr into stack frame of main prog at fp-16 */
12040 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
12041 BPF_MOV64_IMM(BPF_REG_9, 1),
12043 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
12044 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
12045 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
12046 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
12047 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
12048 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), /* 34 */
12052 /* if arg2 == 1 do *arg1 = 0 */
12053 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
12054 /* fetch map_value_ptr from the stack of this function */
12055 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
12056 /* write into map value */
12057 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12059 /* if arg4 == 1 do *arg3 = 0 */
12060 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
12061 /* fetch map_value_ptr from the stack of this function */
12062 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
12063 /* write into map value */
12064 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
12067 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12068 .fixup_map_hash_8b = { 12, 22 },
12070 .errstr = "invalid access to map value, value_size=8 off=2 size=8",
12071 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
12074 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test2",
12077 /* pass fp-16, fp-8 into a function */
12078 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12079 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12080 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12081 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
12082 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12083 BPF_MOV64_IMM(BPF_REG_0, 0),
12087 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12088 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
12089 /* 1st lookup from map */
12090 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12091 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12092 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12093 BPF_LD_MAP_FD(BPF_REG_1, 0),
12094 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12095 BPF_FUNC_map_lookup_elem),
12096 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12097 BPF_MOV64_IMM(BPF_REG_8, 0),
12098 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12099 /* write map_value_ptr into stack frame of main prog at fp-8 */
12100 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
12101 BPF_MOV64_IMM(BPF_REG_8, 1),
12103 /* 2nd lookup from map */
12104 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
12105 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12106 BPF_LD_MAP_FD(BPF_REG_1, 0),
12107 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
12108 BPF_FUNC_map_lookup_elem),
12109 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12110 BPF_MOV64_IMM(BPF_REG_9, 0),
12111 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12112 /* write map_value_ptr into stack frame of main prog at fp-16 */
12113 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
12114 BPF_MOV64_IMM(BPF_REG_9, 1),
12116 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
12117 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
12118 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
12119 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
12120 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
12121 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), /* 34 */
12125 /* if arg2 == 1 do *arg1 = 0 */
12126 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
12127 /* fetch map_value_ptr from the stack of this function */
12128 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
12129 /* write into map value */
12130 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12132 /* if arg4 == 1 do *arg3 = 0 */
12133 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
12134 /* fetch map_value_ptr from the stack of this function */
12135 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
12136 /* write into map value */
12137 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12140 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12141 .fixup_map_hash_8b = { 12, 22 },
12145 "calls: two jumps that receive map_value via arg=ptr_stack_of_jumper. test3",
12148 /* pass fp-16, fp-8 into a function */
12149 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12150 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12151 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12152 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
12153 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
12154 BPF_MOV64_IMM(BPF_REG_0, 0),
12158 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12159 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
12160 /* 1st lookup from map */
12161 BPF_ST_MEM(BPF_DW, BPF_REG_10, -24, 0),
12162 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12163 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
12164 BPF_LD_MAP_FD(BPF_REG_1, 0),
12165 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12166 BPF_FUNC_map_lookup_elem),
12167 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12168 BPF_MOV64_IMM(BPF_REG_8, 0),
12169 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12170 /* write map_value_ptr into stack frame of main prog at fp-8 */
12171 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
12172 BPF_MOV64_IMM(BPF_REG_8, 1),
12174 /* 2nd lookup from map */
12175 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12176 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
12177 BPF_LD_MAP_FD(BPF_REG_1, 0),
12178 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12179 BPF_FUNC_map_lookup_elem),
12180 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12181 BPF_MOV64_IMM(BPF_REG_9, 0), // 26
12182 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12183 /* write map_value_ptr into stack frame of main prog at fp-16 */
12184 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
12185 BPF_MOV64_IMM(BPF_REG_9, 1),
12187 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
12188 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), // 30
12189 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
12190 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
12191 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
12192 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), // 34
12193 BPF_JMP_IMM(BPF_JA, 0, 0, -30),
12196 /* if arg2 == 1 do *arg1 = 0 */
12197 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
12198 /* fetch map_value_ptr from the stack of this function */
12199 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
12200 /* write into map value */
12201 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12203 /* if arg4 == 1 do *arg3 = 0 */
12204 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
12205 /* fetch map_value_ptr from the stack of this function */
12206 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
12207 /* write into map value */
12208 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
12209 BPF_JMP_IMM(BPF_JA, 0, 0, -8),
12211 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12212 .fixup_map_hash_8b = { 12, 22 },
12214 .errstr = "invalid access to map value, value_size=8 off=2 size=8",
12215 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
12218 "calls: two calls that receive map_value_ptr_or_null via arg. test1",
12221 /* pass fp-16, fp-8 into a function */
12222 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12223 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12224 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12225 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
12226 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12227 BPF_MOV64_IMM(BPF_REG_0, 0),
12231 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12232 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
12233 /* 1st lookup from map */
12234 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12235 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12236 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12237 BPF_LD_MAP_FD(BPF_REG_1, 0),
12238 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12239 BPF_FUNC_map_lookup_elem),
12240 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
12241 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
12242 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12243 BPF_MOV64_IMM(BPF_REG_8, 0),
12244 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
12245 BPF_MOV64_IMM(BPF_REG_8, 1),
12247 /* 2nd lookup from map */
12248 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12249 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12250 BPF_LD_MAP_FD(BPF_REG_1, 0),
12251 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12252 BPF_FUNC_map_lookup_elem),
12253 /* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
12254 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
12255 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12256 BPF_MOV64_IMM(BPF_REG_9, 0),
12257 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
12258 BPF_MOV64_IMM(BPF_REG_9, 1),
12260 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
12261 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12262 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
12263 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
12264 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
12265 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12269 /* if arg2 == 1 do *arg1 = 0 */
12270 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
12271 /* fetch map_value_ptr from the stack of this function */
12272 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
12273 /* write into map value */
12274 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12276 /* if arg4 == 1 do *arg3 = 0 */
12277 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
12278 /* fetch map_value_ptr from the stack of this function */
12279 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
12280 /* write into map value */
12281 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12284 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12285 .fixup_map_hash_8b = { 12, 22 },
12289 "calls: two calls that receive map_value_ptr_or_null via arg. test2",
12292 /* pass fp-16, fp-8 into a function */
12293 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12294 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12295 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12296 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
12297 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12298 BPF_MOV64_IMM(BPF_REG_0, 0),
12302 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12303 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
12304 /* 1st lookup from map */
12305 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12306 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12307 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12308 BPF_LD_MAP_FD(BPF_REG_1, 0),
12309 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12310 BPF_FUNC_map_lookup_elem),
12311 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
12312 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
12313 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12314 BPF_MOV64_IMM(BPF_REG_8, 0),
12315 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
12316 BPF_MOV64_IMM(BPF_REG_8, 1),
12318 /* 2nd lookup from map */
12319 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12320 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12321 BPF_LD_MAP_FD(BPF_REG_1, 0),
12322 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12323 BPF_FUNC_map_lookup_elem),
12324 /* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
12325 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
12326 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12327 BPF_MOV64_IMM(BPF_REG_9, 0),
12328 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
12329 BPF_MOV64_IMM(BPF_REG_9, 1),
12331 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
12332 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12333 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
12334 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
12335 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
12336 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12340 /* if arg2 == 1 do *arg1 = 0 */
12341 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
12342 /* fetch map_value_ptr from the stack of this function */
12343 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
12344 /* write into map value */
12345 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12347 /* if arg4 == 0 do *arg3 = 0 */
12348 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 0, 2),
12349 /* fetch map_value_ptr from the stack of this function */
12350 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
12351 /* write into map value */
12352 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12355 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12356 .fixup_map_hash_8b = { 12, 22 },
12358 .errstr = "R0 invalid mem access 'inv'",
12361 "calls: pkt_ptr spill into caller stack",
12363 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12364 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12365 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12369 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12370 offsetof(struct __sk_buff, data)),
12371 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12372 offsetof(struct __sk_buff, data_end)),
12373 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12374 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12375 /* spill unchecked pkt_ptr into stack of caller */
12376 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12377 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
12378 /* now the pkt range is verified, read pkt_ptr from stack */
12379 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
12380 /* write 4 bytes into packet */
12381 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12385 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12386 .retval = POINTER_VALUE,
12387 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
12390 "calls: pkt_ptr spill into caller stack 2",
12392 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12393 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12394 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12395 /* Marking is still kept, but not in all cases safe. */
12396 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12397 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
12401 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12402 offsetof(struct __sk_buff, data)),
12403 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12404 offsetof(struct __sk_buff, data_end)),
12405 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12406 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12407 /* spill unchecked pkt_ptr into stack of caller */
12408 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12409 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
12410 /* now the pkt range is verified, read pkt_ptr from stack */
12411 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
12412 /* write 4 bytes into packet */
12413 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12416 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12417 .errstr = "invalid access to packet",
12419 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
12422 "calls: pkt_ptr spill into caller stack 3",
12424 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12425 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12426 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
12427 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
12428 /* Marking is still kept and safe here. */
12429 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12430 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
12434 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12435 offsetof(struct __sk_buff, data)),
12436 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12437 offsetof(struct __sk_buff, data_end)),
12438 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12439 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12440 /* spill unchecked pkt_ptr into stack of caller */
12441 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12442 BPF_MOV64_IMM(BPF_REG_5, 0),
12443 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
12444 BPF_MOV64_IMM(BPF_REG_5, 1),
12445 /* now the pkt range is verified, read pkt_ptr from stack */
12446 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
12447 /* write 4 bytes into packet */
12448 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12449 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12452 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12455 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
12458 "calls: pkt_ptr spill into caller stack 4",
12460 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12461 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12462 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
12463 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
12464 /* Check marking propagated. */
12465 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12466 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
12470 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12471 offsetof(struct __sk_buff, data)),
12472 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12473 offsetof(struct __sk_buff, data_end)),
12474 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12475 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12476 /* spill unchecked pkt_ptr into stack of caller */
12477 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12478 BPF_MOV64_IMM(BPF_REG_5, 0),
12479 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
12480 BPF_MOV64_IMM(BPF_REG_5, 1),
12481 /* don't read back pkt_ptr from stack here */
12482 /* write 4 bytes into packet */
12483 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12484 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12487 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12490 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
12493 "calls: pkt_ptr spill into caller stack 5",
12495 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12496 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12497 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, 0),
12498 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12499 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12500 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
12504 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12505 offsetof(struct __sk_buff, data)),
12506 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12507 offsetof(struct __sk_buff, data_end)),
12508 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12509 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12510 BPF_MOV64_IMM(BPF_REG_5, 0),
12511 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
12512 /* spill checked pkt_ptr into stack of caller */
12513 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12514 BPF_MOV64_IMM(BPF_REG_5, 1),
12515 /* don't read back pkt_ptr from stack here */
12516 /* write 4 bytes into packet */
12517 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12518 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12521 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12522 .errstr = "same insn cannot be used with different",
12524 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
12527 "calls: pkt_ptr spill into caller stack 6",
12529 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12530 offsetof(struct __sk_buff, data_end)),
12531 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12532 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12533 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12534 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12535 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12536 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
12540 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12541 offsetof(struct __sk_buff, data)),
12542 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12543 offsetof(struct __sk_buff, data_end)),
12544 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12545 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12546 BPF_MOV64_IMM(BPF_REG_5, 0),
12547 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
12548 /* spill checked pkt_ptr into stack of caller */
12549 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12550 BPF_MOV64_IMM(BPF_REG_5, 1),
12551 /* don't read back pkt_ptr from stack here */
12552 /* write 4 bytes into packet */
12553 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12554 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12557 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12558 .errstr = "R4 invalid mem access",
12560 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
12563 "calls: pkt_ptr spill into caller stack 7",
12565 BPF_MOV64_IMM(BPF_REG_2, 0),
12566 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12567 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12568 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12569 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12570 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12571 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
12575 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12576 offsetof(struct __sk_buff, data)),
12577 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12578 offsetof(struct __sk_buff, data_end)),
12579 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12580 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12581 BPF_MOV64_IMM(BPF_REG_5, 0),
12582 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
12583 /* spill checked pkt_ptr into stack of caller */
12584 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12585 BPF_MOV64_IMM(BPF_REG_5, 1),
12586 /* don't read back pkt_ptr from stack here */
12587 /* write 4 bytes into packet */
12588 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12589 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12592 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12593 .errstr = "R4 invalid mem access",
12595 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
12598 "calls: pkt_ptr spill into caller stack 8",
12600 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12601 offsetof(struct __sk_buff, data)),
12602 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12603 offsetof(struct __sk_buff, data_end)),
12604 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12605 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12606 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
12608 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12609 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12610 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12611 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12612 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12613 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
12617 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12618 offsetof(struct __sk_buff, data)),
12619 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12620 offsetof(struct __sk_buff, data_end)),
12621 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12622 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12623 BPF_MOV64_IMM(BPF_REG_5, 0),
12624 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
12625 /* spill checked pkt_ptr into stack of caller */
12626 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12627 BPF_MOV64_IMM(BPF_REG_5, 1),
12628 /* don't read back pkt_ptr from stack here */
12629 /* write 4 bytes into packet */
12630 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12631 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12634 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12636 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
12639 "calls: pkt_ptr spill into caller stack 9",
12641 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12642 offsetof(struct __sk_buff, data)),
12643 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12644 offsetof(struct __sk_buff, data_end)),
12645 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12646 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12647 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
12649 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12650 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12651 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12652 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12653 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12654 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
12658 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12659 offsetof(struct __sk_buff, data)),
12660 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12661 offsetof(struct __sk_buff, data_end)),
12662 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12663 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12664 BPF_MOV64_IMM(BPF_REG_5, 0),
12665 /* spill unchecked pkt_ptr into stack of caller */
12666 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12667 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
12668 BPF_MOV64_IMM(BPF_REG_5, 1),
12669 /* don't read back pkt_ptr from stack here */
12670 /* write 4 bytes into packet */
12671 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12672 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12675 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12676 .errstr = "invalid access to packet",
12678 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
12681 "calls: caller stack init to zero or map_value_or_null",
12683 BPF_MOV64_IMM(BPF_REG_0, 0),
12684 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12685 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12686 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12687 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
12688 /* fetch map_value_or_null or const_zero from stack */
12689 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
12690 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
12691 /* store into map_value */
12692 BPF_ST_MEM(BPF_W, BPF_REG_0, 0, 0),
12696 /* if (ctx == 0) return; */
12697 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 8),
12698 /* else bpf_map_lookup() and *(fp - 8) = r0 */
12699 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
12700 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12701 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12702 BPF_LD_MAP_FD(BPF_REG_1, 0),
12703 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12704 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12705 BPF_FUNC_map_lookup_elem),
12706 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
12707 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
12710 .fixup_map_hash_8b = { 13 },
12712 .prog_type = BPF_PROG_TYPE_XDP,
12715 "calls: stack init to zero and pruning",
12717 /* first make allocated_stack 16 byte */
12718 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
12719 /* now fork the execution such that the false branch
12720 * of JGT insn will be verified second and it skisp zero
12721 * init of fp-8 stack slot. If stack liveness marking
12722 * is missing live_read marks from call map_lookup
12723 * processing then pruning will incorrectly assume
12724 * that fp-8 stack slot was unused in the fall-through
12725 * branch and will accept the program incorrectly
12727 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 2),
12728 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12729 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
12730 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12731 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12732 BPF_LD_MAP_FD(BPF_REG_1, 0),
12733 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12734 BPF_FUNC_map_lookup_elem),
12737 .fixup_map_hash_48b = { 6 },
12738 .errstr = "invalid indirect read from stack off -8+0 size 8",
12740 .prog_type = BPF_PROG_TYPE_XDP,
12743 "calls: two calls returning different map pointers for lookup (hash, array)",
12746 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
12748 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
12750 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
12751 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12752 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12753 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12754 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12755 BPF_FUNC_map_lookup_elem),
12756 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
12757 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
12758 offsetof(struct test_val, foo)),
12759 BPF_MOV64_IMM(BPF_REG_0, 1),
12762 BPF_LD_MAP_FD(BPF_REG_0, 0),
12765 BPF_LD_MAP_FD(BPF_REG_0, 0),
12768 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12769 .fixup_map_hash_48b = { 13 },
12770 .fixup_map_array_48b = { 16 },
12775 "calls: two calls returning different map pointers for lookup (hash, map in map)",
12778 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
12780 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
12782 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
12783 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12784 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12785 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12786 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12787 BPF_FUNC_map_lookup_elem),
12788 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
12789 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
12790 offsetof(struct test_val, foo)),
12791 BPF_MOV64_IMM(BPF_REG_0, 1),
12794 BPF_LD_MAP_FD(BPF_REG_0, 0),
12797 BPF_LD_MAP_FD(BPF_REG_0, 0),
12800 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12801 .fixup_map_in_map = { 16 },
12802 .fixup_map_array_48b = { 13 },
12804 .errstr = "R0 invalid mem access 'map_ptr'",
12807 "cond: two branches returning different map pointers for lookup (tail, tail)",
12809 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
12810 offsetof(struct __sk_buff, mark)),
12811 BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 0, 3),
12812 BPF_LD_MAP_FD(BPF_REG_2, 0),
12813 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12814 BPF_LD_MAP_FD(BPF_REG_2, 0),
12815 BPF_MOV64_IMM(BPF_REG_3, 7),
12816 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12817 BPF_FUNC_tail_call),
12818 BPF_MOV64_IMM(BPF_REG_0, 1),
12821 .fixup_prog1 = { 5 },
12822 .fixup_prog2 = { 2 },
12823 .result_unpriv = REJECT,
12824 .errstr_unpriv = "tail_call abusing map_ptr",
12829 "cond: two branches returning same map pointers for lookup (tail, tail)",
12831 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
12832 offsetof(struct __sk_buff, mark)),
12833 BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 3),
12834 BPF_LD_MAP_FD(BPF_REG_2, 0),
12835 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12836 BPF_LD_MAP_FD(BPF_REG_2, 0),
12837 BPF_MOV64_IMM(BPF_REG_3, 7),
12838 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12839 BPF_FUNC_tail_call),
12840 BPF_MOV64_IMM(BPF_REG_0, 1),
12843 .fixup_prog2 = { 2, 5 },
12844 .result_unpriv = ACCEPT,
12849 "search pruning: all branches should be verified (nop operation)",
12851 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12852 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12853 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
12854 BPF_LD_MAP_FD(BPF_REG_1, 0),
12855 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
12856 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
12857 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
12858 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
12859 BPF_MOV64_IMM(BPF_REG_4, 0),
12861 BPF_MOV64_IMM(BPF_REG_4, 1),
12862 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
12863 BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
12864 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
12865 BPF_JMP_IMM(BPF_JEQ, BPF_REG_5, 0, 2),
12866 BPF_MOV64_IMM(BPF_REG_6, 0),
12867 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xdead),
12870 .fixup_map_hash_8b = { 3 },
12871 .errstr = "R6 invalid mem access 'inv'",
12873 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12876 "search pruning: all branches should be verified (invalid stack access)",
12878 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12879 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12880 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
12881 BPF_LD_MAP_FD(BPF_REG_1, 0),
12882 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
12883 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
12884 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
12885 BPF_MOV64_IMM(BPF_REG_4, 0),
12886 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
12887 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
12889 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -24),
12890 BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
12891 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
12894 .fixup_map_hash_8b = { 3 },
12895 .errstr = "invalid read from stack off -16+0 size 8",
12897 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12900 "jit: lsh, rsh, arsh by 1",
12902 BPF_MOV64_IMM(BPF_REG_0, 1),
12903 BPF_MOV64_IMM(BPF_REG_1, 0xff),
12904 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 1),
12905 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 1),
12906 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x3fc, 1),
12908 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 1),
12909 BPF_ALU32_IMM(BPF_RSH, BPF_REG_1, 1),
12910 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0xff, 1),
12912 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 1),
12913 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x7f, 1),
12915 BPF_MOV64_IMM(BPF_REG_0, 2),
12922 "jit: mov32 for ldimm64, 1",
12924 BPF_MOV64_IMM(BPF_REG_0, 2),
12925 BPF_LD_IMM64(BPF_REG_1, 0xfeffffffffffffffULL),
12926 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32),
12927 BPF_LD_IMM64(BPF_REG_2, 0xfeffffffULL),
12928 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
12929 BPF_MOV64_IMM(BPF_REG_0, 1),
12936 "jit: mov32 for ldimm64, 2",
12938 BPF_MOV64_IMM(BPF_REG_0, 1),
12939 BPF_LD_IMM64(BPF_REG_1, 0x1ffffffffULL),
12940 BPF_LD_IMM64(BPF_REG_2, 0xffffffffULL),
12941 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
12942 BPF_MOV64_IMM(BPF_REG_0, 2),
12949 "jit: various mul tests",
12951 BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
12952 BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
12953 BPF_LD_IMM64(BPF_REG_1, 0xefefefULL),
12954 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
12955 BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
12956 BPF_MOV64_IMM(BPF_REG_0, 1),
12958 BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
12959 BPF_ALU64_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
12960 BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
12961 BPF_MOV64_IMM(BPF_REG_0, 1),
12963 BPF_MOV32_REG(BPF_REG_2, BPF_REG_2),
12964 BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
12965 BPF_ALU32_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
12966 BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
12967 BPF_MOV64_IMM(BPF_REG_0, 1),
12969 BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
12970 BPF_ALU32_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
12971 BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
12972 BPF_MOV64_IMM(BPF_REG_0, 1),
12974 BPF_LD_IMM64(BPF_REG_0, 0x952a7bbcULL),
12975 BPF_LD_IMM64(BPF_REG_1, 0xfefefeULL),
12976 BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
12977 BPF_ALU32_REG(BPF_MUL, BPF_REG_2, BPF_REG_1),
12978 BPF_JMP_REG(BPF_JEQ, BPF_REG_2, BPF_REG_0, 2),
12979 BPF_MOV64_IMM(BPF_REG_0, 1),
12981 BPF_MOV64_IMM(BPF_REG_0, 2),
12988 "xadd/w check unaligned stack",
12990 BPF_MOV64_IMM(BPF_REG_0, 1),
12991 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12992 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -7),
12993 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
12997 .errstr = "misaligned stack access off",
12998 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13001 "xadd/w check unaligned map",
13003 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
13004 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13005 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13006 BPF_LD_MAP_FD(BPF_REG_1, 0),
13007 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13008 BPF_FUNC_map_lookup_elem),
13009 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
13011 BPF_MOV64_IMM(BPF_REG_1, 1),
13012 BPF_STX_XADD(BPF_W, BPF_REG_0, BPF_REG_1, 3),
13013 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 3),
13016 .fixup_map_hash_8b = { 3 },
13018 .errstr = "misaligned value access off",
13019 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13022 "xadd/w check unaligned pkt",
13024 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13025 offsetof(struct xdp_md, data)),
13026 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13027 offsetof(struct xdp_md, data_end)),
13028 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
13029 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
13030 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 2),
13031 BPF_MOV64_IMM(BPF_REG_0, 99),
13032 BPF_JMP_IMM(BPF_JA, 0, 0, 6),
13033 BPF_MOV64_IMM(BPF_REG_0, 1),
13034 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
13035 BPF_ST_MEM(BPF_W, BPF_REG_2, 3, 0),
13036 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 1),
13037 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 2),
13038 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 1),
13042 .errstr = "BPF_XADD stores into R2 pkt is not allowed",
13043 .prog_type = BPF_PROG_TYPE_XDP,
13044 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
13047 "xadd/w check whether src/dst got mangled, 1",
13049 BPF_MOV64_IMM(BPF_REG_0, 1),
13050 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13051 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
13052 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
13053 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
13054 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
13055 BPF_JMP_REG(BPF_JNE, BPF_REG_6, BPF_REG_0, 3),
13056 BPF_JMP_REG(BPF_JNE, BPF_REG_7, BPF_REG_10, 2),
13057 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
13059 BPF_MOV64_IMM(BPF_REG_0, 42),
13063 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13067 "xadd/w check whether src/dst got mangled, 2",
13069 BPF_MOV64_IMM(BPF_REG_0, 1),
13070 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13071 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
13072 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -8),
13073 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -8),
13074 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -8),
13075 BPF_JMP_REG(BPF_JNE, BPF_REG_6, BPF_REG_0, 3),
13076 BPF_JMP_REG(BPF_JNE, BPF_REG_7, BPF_REG_10, 2),
13077 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
13079 BPF_MOV64_IMM(BPF_REG_0, 42),
13083 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13087 "bpf_get_stack return R0 within range",
13089 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13090 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
13091 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13092 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13093 BPF_LD_MAP_FD(BPF_REG_1, 0),
13094 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13095 BPF_FUNC_map_lookup_elem),
13096 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 28),
13097 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
13098 BPF_MOV64_IMM(BPF_REG_9, sizeof(struct test_val)),
13099 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13100 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
13101 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct test_val)),
13102 BPF_MOV64_IMM(BPF_REG_4, 256),
13103 BPF_EMIT_CALL(BPF_FUNC_get_stack),
13104 BPF_MOV64_IMM(BPF_REG_1, 0),
13105 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
13106 BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 32),
13107 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_8, 32),
13108 BPF_JMP_REG(BPF_JSLT, BPF_REG_1, BPF_REG_8, 16),
13109 BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8),
13110 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
13111 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_8),
13112 BPF_MOV64_REG(BPF_REG_1, BPF_REG_9),
13113 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32),
13114 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 32),
13115 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
13116 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_1),
13117 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
13118 BPF_MOV64_IMM(BPF_REG_5, sizeof(struct test_val)),
13119 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_5),
13120 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 4),
13121 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13122 BPF_MOV64_REG(BPF_REG_3, BPF_REG_9),
13123 BPF_MOV64_IMM(BPF_REG_4, 0),
13124 BPF_EMIT_CALL(BPF_FUNC_get_stack),
13127 .fixup_map_hash_48b = { 4 },
13129 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
13132 "ld_abs: invalid op 1",
13134 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13135 BPF_LD_ABS(BPF_DW, 0),
13138 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13140 .errstr = "unknown opcode",
13143 "ld_abs: invalid op 2",
13145 BPF_MOV32_IMM(BPF_REG_0, 256),
13146 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13147 BPF_LD_IND(BPF_DW, BPF_REG_0, 0),
13150 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13152 .errstr = "unknown opcode",
13155 "ld_abs: nmap reduced",
13157 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13158 BPF_LD_ABS(BPF_H, 12),
13159 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 28),
13160 BPF_LD_ABS(BPF_H, 12),
13161 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 26),
13162 BPF_MOV32_IMM(BPF_REG_0, 18),
13163 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -64),
13164 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -64),
13165 BPF_LD_IND(BPF_W, BPF_REG_7, 14),
13166 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -60),
13167 BPF_MOV32_IMM(BPF_REG_0, 280971478),
13168 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
13169 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
13170 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -60),
13171 BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
13172 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 15),
13173 BPF_LD_ABS(BPF_H, 12),
13174 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 13),
13175 BPF_MOV32_IMM(BPF_REG_0, 22),
13176 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
13177 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
13178 BPF_LD_IND(BPF_H, BPF_REG_7, 14),
13179 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -52),
13180 BPF_MOV32_IMM(BPF_REG_0, 17366),
13181 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -48),
13182 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -48),
13183 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -52),
13184 BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
13185 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
13186 BPF_MOV32_IMM(BPF_REG_0, 256),
13188 BPF_MOV32_IMM(BPF_REG_0, 0),
13192 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x08, 0x06, 0,
13193 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
13194 0x10, 0xbf, 0x48, 0xd6, 0x43, 0xd6,
13196 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13201 "ld_abs: div + abs, test 1",
13203 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
13204 BPF_LD_ABS(BPF_B, 3),
13205 BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
13206 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
13207 BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
13208 BPF_LD_ABS(BPF_B, 4),
13209 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
13210 BPF_LD_IND(BPF_B, BPF_REG_8, -70),
13214 10, 20, 30, 40, 50,
13216 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13221 "ld_abs: div + abs, test 2",
13223 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
13224 BPF_LD_ABS(BPF_B, 3),
13225 BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
13226 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
13227 BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
13228 BPF_LD_ABS(BPF_B, 128),
13229 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
13230 BPF_LD_IND(BPF_B, BPF_REG_8, -70),
13234 10, 20, 30, 40, 50,
13236 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13241 "ld_abs: div + abs, test 3",
13243 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
13244 BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
13245 BPF_LD_ABS(BPF_B, 3),
13246 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
13250 10, 20, 30, 40, 50,
13252 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13257 "ld_abs: div + abs, test 4",
13259 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
13260 BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
13261 BPF_LD_ABS(BPF_B, 256),
13262 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
13266 10, 20, 30, 40, 50,
13268 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13273 "ld_abs: vlan + abs, test 1",
13278 .fill_helper = bpf_fill_ld_abs_vlan_push_pop,
13279 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13284 "ld_abs: vlan + abs, test 2",
13286 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13287 BPF_LD_ABS(BPF_B, 0),
13288 BPF_LD_ABS(BPF_H, 0),
13289 BPF_LD_ABS(BPF_W, 0),
13290 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
13291 BPF_MOV64_IMM(BPF_REG_6, 0),
13292 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
13293 BPF_MOV64_IMM(BPF_REG_2, 1),
13294 BPF_MOV64_IMM(BPF_REG_3, 2),
13295 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13296 BPF_FUNC_skb_vlan_push),
13297 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
13298 BPF_LD_ABS(BPF_B, 0),
13299 BPF_LD_ABS(BPF_H, 0),
13300 BPF_LD_ABS(BPF_W, 0),
13301 BPF_MOV64_IMM(BPF_REG_0, 42),
13307 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13312 "ld_abs: jump around ld_abs",
13317 .fill_helper = bpf_fill_jump_around_ld_abs,
13318 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13323 "ld_dw: xor semi-random 64 bit imms, test 1",
13326 .fill_helper = bpf_fill_rand_ld_dw,
13327 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13332 "ld_dw: xor semi-random 64 bit imms, test 2",
13335 .fill_helper = bpf_fill_rand_ld_dw,
13336 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13341 "ld_dw: xor semi-random 64 bit imms, test 3",
13344 .fill_helper = bpf_fill_rand_ld_dw,
13345 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13350 "ld_dw: xor semi-random 64 bit imms, test 4",
13353 .fill_helper = bpf_fill_rand_ld_dw,
13354 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13359 "pass unmodified ctx pointer to helper",
13361 BPF_MOV64_IMM(BPF_REG_2, 0),
13362 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13363 BPF_FUNC_csum_update),
13364 BPF_MOV64_IMM(BPF_REG_0, 0),
13367 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13371 "reference tracking: leak potential reference",
13374 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), /* leak reference */
13377 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13378 .errstr = "Unreleased reference",
13382 "reference tracking: leak potential reference on stack",
13385 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13386 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13387 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
13388 BPF_MOV64_IMM(BPF_REG_0, 0),
13391 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13392 .errstr = "Unreleased reference",
13396 "reference tracking: leak potential reference on stack 2",
13399 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13400 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13401 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
13402 BPF_MOV64_IMM(BPF_REG_0, 0),
13403 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
13406 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13407 .errstr = "Unreleased reference",
13411 "reference tracking: zero potential reference",
13414 BPF_MOV64_IMM(BPF_REG_0, 0), /* leak reference */
13417 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13418 .errstr = "Unreleased reference",
13422 "reference tracking: copy and zero potential references",
13425 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
13426 BPF_MOV64_IMM(BPF_REG_0, 0),
13427 BPF_MOV64_IMM(BPF_REG_7, 0), /* leak reference */
13430 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13431 .errstr = "Unreleased reference",
13435 "reference tracking: release reference without check",
13438 /* reference in r0 may be NULL */
13439 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13440 BPF_MOV64_IMM(BPF_REG_2, 0),
13441 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13444 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13445 .errstr = "type=sock_or_null expected=sock",
13449 "reference tracking: release reference",
13452 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13453 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13454 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13457 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13461 "reference tracking: release reference 2",
13464 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13465 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
13467 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13470 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13474 "reference tracking: release reference twice",
13477 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13478 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13479 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13480 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13481 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13482 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13485 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13486 .errstr = "type=inv expected=sock",
13490 "reference tracking: release reference twice inside branch",
13493 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13494 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13495 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3), /* goto end */
13496 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13497 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13498 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13501 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13502 .errstr = "type=inv expected=sock",
13506 "reference tracking: alloc, check, free in one subbranch",
13508 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13509 offsetof(struct __sk_buff, data)),
13510 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13511 offsetof(struct __sk_buff, data_end)),
13512 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13513 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 16),
13514 /* if (offsetof(skb, mark) > data_len) exit; */
13515 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
13517 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_2,
13518 offsetof(struct __sk_buff, mark)),
13520 BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 1), /* mark == 0? */
13521 /* Leak reference in R0 */
13523 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), /* sk NULL? */
13524 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13525 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13528 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13529 .errstr = "Unreleased reference",
13531 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
13534 "reference tracking: alloc, check, free in both subbranches",
13536 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13537 offsetof(struct __sk_buff, data)),
13538 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13539 offsetof(struct __sk_buff, data_end)),
13540 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13541 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 16),
13542 /* if (offsetof(skb, mark) > data_len) exit; */
13543 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
13545 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_2,
13546 offsetof(struct __sk_buff, mark)),
13548 BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 4), /* mark == 0? */
13549 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), /* sk NULL? */
13550 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13551 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13553 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), /* sk NULL? */
13554 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13555 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13558 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13560 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
13563 "reference tracking in call: free reference in subprog",
13566 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), /* unchecked reference */
13567 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
13568 BPF_MOV64_IMM(BPF_REG_0, 0),
13572 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
13573 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 1),
13574 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13577 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13581 "pass modified ctx pointer to helper, 1",
13583 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
13584 BPF_MOV64_IMM(BPF_REG_2, 0),
13585 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13586 BPF_FUNC_csum_update),
13587 BPF_MOV64_IMM(BPF_REG_0, 0),
13590 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13592 .errstr = "dereference of modified ctx ptr",
13595 "pass modified ctx pointer to helper, 2",
13597 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
13598 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13599 BPF_FUNC_get_socket_cookie),
13600 BPF_MOV64_IMM(BPF_REG_0, 0),
13603 .result_unpriv = REJECT,
13605 .errstr_unpriv = "dereference of modified ctx ptr",
13606 .errstr = "dereference of modified ctx ptr",
13609 "pass modified ctx pointer to helper, 3",
13611 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 0),
13612 BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 4),
13613 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
13614 BPF_MOV64_IMM(BPF_REG_2, 0),
13615 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13616 BPF_FUNC_csum_update),
13617 BPF_MOV64_IMM(BPF_REG_0, 0),
13620 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13622 .errstr = "variable ctx access var_off=(0x0; 0x4)",
13625 "mov64 src == dst",
13627 BPF_MOV64_IMM(BPF_REG_2, 0),
13628 BPF_MOV64_REG(BPF_REG_2, BPF_REG_2),
13629 // Check bounds are OK
13630 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
13631 BPF_MOV64_IMM(BPF_REG_0, 0),
13634 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13638 "mov64 src != dst",
13640 BPF_MOV64_IMM(BPF_REG_3, 0),
13641 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
13642 // Check bounds are OK
13643 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
13644 BPF_MOV64_IMM(BPF_REG_0, 0),
13647 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13651 "reference tracking in call: free reference in subprog and outside",
13654 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), /* unchecked reference */
13655 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13656 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
13657 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13658 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13662 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
13663 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 1),
13664 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13667 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13668 .errstr = "type=inv expected=sock",
13672 "reference tracking in call: alloc & leak reference in subprog",
13674 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13675 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13676 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
13677 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13678 BPF_MOV64_IMM(BPF_REG_0, 0),
13682 BPF_MOV64_REG(BPF_REG_6, BPF_REG_4),
13684 /* spill unchecked sk_ptr into stack of caller */
13685 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
13686 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13689 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13690 .errstr = "Unreleased reference",
13694 "reference tracking in call: alloc in subprog, release outside",
13696 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13697 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
13698 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13699 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13700 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13705 BPF_EXIT_INSN(), /* return sk */
13707 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13708 .retval = POINTER_VALUE,
13712 "reference tracking in call: sk_ptr leak into caller stack",
13714 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13715 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13716 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
13717 BPF_MOV64_IMM(BPF_REG_0, 0),
13721 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
13722 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
13723 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
13724 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
13725 /* spill unchecked sk_ptr into stack of caller */
13726 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
13727 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
13728 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
13729 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
13736 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13737 .errstr = "Unreleased reference",
13741 "reference tracking in call: sk_ptr spill into caller stack",
13743 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13744 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13745 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
13746 BPF_MOV64_IMM(BPF_REG_0, 0),
13750 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
13751 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
13752 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
13753 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
13754 /* spill unchecked sk_ptr into stack of caller */
13755 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
13756 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
13757 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
13758 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
13759 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
13760 /* now the sk_ptr is verified, free the reference */
13761 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_4, 0),
13762 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13769 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13773 "reference tracking: allow LD_ABS",
13775 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13777 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13778 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13779 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13780 BPF_LD_ABS(BPF_B, 0),
13781 BPF_LD_ABS(BPF_H, 0),
13782 BPF_LD_ABS(BPF_W, 0),
13785 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13789 "reference tracking: forbid LD_ABS while holding reference",
13791 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13793 BPF_LD_ABS(BPF_B, 0),
13794 BPF_LD_ABS(BPF_H, 0),
13795 BPF_LD_ABS(BPF_W, 0),
13796 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13797 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13798 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13801 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13802 .errstr = "BPF_LD_[ABS|IND] cannot be mixed with socket references",
13806 "reference tracking: allow LD_IND",
13808 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13810 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13811 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13812 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13813 BPF_MOV64_IMM(BPF_REG_7, 1),
13814 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
13815 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
13818 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13823 "reference tracking: forbid LD_IND while holding reference",
13825 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13827 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
13828 BPF_MOV64_IMM(BPF_REG_7, 1),
13829 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
13830 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
13831 BPF_MOV64_REG(BPF_REG_1, BPF_REG_4),
13832 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
13833 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13836 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13837 .errstr = "BPF_LD_[ABS|IND] cannot be mixed with socket references",
13841 "reference tracking: check reference or tail call",
13843 BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
13845 /* if (sk) bpf_sk_release() */
13846 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13847 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 7),
13848 /* bpf_tail_call() */
13849 BPF_MOV64_IMM(BPF_REG_3, 2),
13850 BPF_LD_MAP_FD(BPF_REG_2, 0),
13851 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
13852 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13853 BPF_FUNC_tail_call),
13854 BPF_MOV64_IMM(BPF_REG_0, 0),
13856 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13859 .fixup_prog1 = { 17 },
13860 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13864 "reference tracking: release reference then tail call",
13866 BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
13868 /* if (sk) bpf_sk_release() */
13869 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13870 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
13871 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13872 /* bpf_tail_call() */
13873 BPF_MOV64_IMM(BPF_REG_3, 2),
13874 BPF_LD_MAP_FD(BPF_REG_2, 0),
13875 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
13876 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13877 BPF_FUNC_tail_call),
13878 BPF_MOV64_IMM(BPF_REG_0, 0),
13881 .fixup_prog1 = { 18 },
13882 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13886 "reference tracking: leak possible reference over tail call",
13888 BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
13889 /* Look up socket and store in REG_6 */
13891 /* bpf_tail_call() */
13892 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13893 BPF_MOV64_IMM(BPF_REG_3, 2),
13894 BPF_LD_MAP_FD(BPF_REG_2, 0),
13895 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
13896 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13897 BPF_FUNC_tail_call),
13898 BPF_MOV64_IMM(BPF_REG_0, 0),
13899 /* if (sk) bpf_sk_release() */
13900 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13901 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
13902 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13905 .fixup_prog1 = { 16 },
13906 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13907 .errstr = "tail_call would lead to reference leak",
13911 "reference tracking: leak checked reference over tail call",
13913 BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
13914 /* Look up socket and store in REG_6 */
13916 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13917 /* if (!sk) goto end */
13918 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
13919 /* bpf_tail_call() */
13920 BPF_MOV64_IMM(BPF_REG_3, 0),
13921 BPF_LD_MAP_FD(BPF_REG_2, 0),
13922 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
13923 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13924 BPF_FUNC_tail_call),
13925 BPF_MOV64_IMM(BPF_REG_0, 0),
13926 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13927 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13930 .fixup_prog1 = { 17 },
13931 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13932 .errstr = "tail_call would lead to reference leak",
13936 "reference tracking: mangle and release sock_or_null",
13939 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13940 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 5),
13941 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13942 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13945 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13946 .errstr = "R1 pointer arithmetic on sock_or_null prohibited",
13950 "reference tracking: mangle and release sock",
13953 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13954 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
13955 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 5),
13956 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13959 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13960 .errstr = "R1 pointer arithmetic on sock prohibited",
13964 "reference tracking: access member",
13967 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13968 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
13969 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_0, 4),
13970 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13971 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13974 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13978 "reference tracking: write to member",
13981 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13982 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
13983 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13984 BPF_LD_IMM64(BPF_REG_2, 42),
13985 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_2,
13986 offsetof(struct bpf_sock, mark)),
13987 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13988 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13989 BPF_LD_IMM64(BPF_REG_0, 0),
13992 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13993 .errstr = "cannot write into socket",
13997 "reference tracking: invalid 64-bit access of member",
14000 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
14001 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
14002 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
14003 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
14004 BPF_EMIT_CALL(BPF_FUNC_sk_release),
14007 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14008 .errstr = "invalid bpf_sock access off=0 size=8",
14012 "reference tracking: access after release",
14015 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14016 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
14017 BPF_EMIT_CALL(BPF_FUNC_sk_release),
14018 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
14021 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14022 .errstr = "!read_ok",
14026 "reference tracking: direct access for lookup",
14028 /* Check that the packet is at least 64B long */
14029 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
14030 offsetof(struct __sk_buff, data)),
14031 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
14032 offsetof(struct __sk_buff, data_end)),
14033 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
14034 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
14035 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
14036 /* sk = sk_lookup_tcp(ctx, skb->data, ...) */
14037 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct bpf_sock_tuple)),
14038 BPF_MOV64_IMM(BPF_REG_4, 0),
14039 BPF_MOV64_IMM(BPF_REG_5, 0),
14040 BPF_EMIT_CALL(BPF_FUNC_sk_lookup_tcp),
14041 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
14042 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
14043 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_0, 4),
14044 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
14045 BPF_EMIT_CALL(BPF_FUNC_sk_release),
14048 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14052 "calls: ctx read at start of subprog",
14054 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
14055 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
14056 BPF_JMP_REG(BPF_JSGT, BPF_REG_0, BPF_REG_0, 0),
14057 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
14058 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
14059 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14061 BPF_LDX_MEM(BPF_B, BPF_REG_9, BPF_REG_1, 0),
14062 BPF_MOV64_IMM(BPF_REG_0, 0),
14065 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
14066 .errstr_unpriv = "function calls to other bpf functions are allowed for root only",
14067 .result_unpriv = REJECT,
14071 "check wire_len is not readable by sockets",
14073 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
14074 offsetof(struct __sk_buff, wire_len)),
14077 .errstr = "invalid bpf_context access",
14081 "check wire_len is readable by tc classifier",
14083 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
14084 offsetof(struct __sk_buff, wire_len)),
14087 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14091 "check wire_len is not writable by tc classifier",
14093 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
14094 offsetof(struct __sk_buff, wire_len)),
14097 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14098 .errstr = "invalid bpf_context access",
14099 .errstr_unpriv = "R1 leaks addr",
14104 static int probe_filter_length(const struct bpf_insn *fp)
14108 for (len = MAX_INSNS - 1; len > 0; --len)
14109 if (fp[len].code != 0 || fp[len].imm != 0)
14114 static int create_map(uint32_t type, uint32_t size_key,
14115 uint32_t size_value, uint32_t max_elem)
14119 fd = bpf_create_map(type, size_key, size_value, max_elem,
14120 type == BPF_MAP_TYPE_HASH ? BPF_F_NO_PREALLOC : 0);
14122 printf("Failed to create hash map '%s'!\n", strerror(errno));
14127 static int create_prog_dummy1(enum bpf_map_type prog_type)
14129 struct bpf_insn prog[] = {
14130 BPF_MOV64_IMM(BPF_REG_0, 42),
14134 return bpf_load_program(prog_type, prog,
14135 ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
14138 static int create_prog_dummy2(enum bpf_map_type prog_type, int mfd, int idx)
14140 struct bpf_insn prog[] = {
14141 BPF_MOV64_IMM(BPF_REG_3, idx),
14142 BPF_LD_MAP_FD(BPF_REG_2, mfd),
14143 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
14144 BPF_FUNC_tail_call),
14145 BPF_MOV64_IMM(BPF_REG_0, 41),
14149 return bpf_load_program(prog_type, prog,
14150 ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
14153 static int create_prog_array(enum bpf_map_type prog_type, uint32_t max_elem,
14157 int mfd, p1fd, p2fd;
14159 mfd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
14160 sizeof(int), max_elem, 0);
14162 printf("Failed to create prog array '%s'!\n", strerror(errno));
14166 p1fd = create_prog_dummy1(prog_type);
14167 p2fd = create_prog_dummy2(prog_type, mfd, p2key);
14168 if (p1fd < 0 || p2fd < 0)
14170 if (bpf_map_update_elem(mfd, &p1key, &p1fd, BPF_ANY) < 0)
14172 if (bpf_map_update_elem(mfd, &p2key, &p2fd, BPF_ANY) < 0)
14185 static int create_map_in_map(void)
14187 int inner_map_fd, outer_map_fd;
14189 inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
14190 sizeof(int), 1, 0);
14191 if (inner_map_fd < 0) {
14192 printf("Failed to create array '%s'!\n", strerror(errno));
14193 return inner_map_fd;
14196 outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL,
14197 sizeof(int), inner_map_fd, 1, 0);
14198 if (outer_map_fd < 0)
14199 printf("Failed to create array of maps '%s'!\n",
14202 close(inner_map_fd);
14204 return outer_map_fd;
14207 static int create_cgroup_storage(bool percpu)
14209 enum bpf_map_type type = percpu ? BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE :
14210 BPF_MAP_TYPE_CGROUP_STORAGE;
14213 fd = bpf_create_map(type, sizeof(struct bpf_cgroup_storage_key),
14214 TEST_DATA_LEN, 0, 0);
14216 printf("Failed to create cgroup storage '%s'!\n",
14222 static char bpf_vlog[UINT_MAX >> 8];
14224 static void do_test_fixup(struct bpf_test *test, enum bpf_map_type prog_type,
14225 struct bpf_insn *prog, int *map_fds)
14227 int *fixup_map_hash_8b = test->fixup_map_hash_8b;
14228 int *fixup_map_hash_48b = test->fixup_map_hash_48b;
14229 int *fixup_map_hash_16b = test->fixup_map_hash_16b;
14230 int *fixup_map_array_48b = test->fixup_map_array_48b;
14231 int *fixup_map_sockmap = test->fixup_map_sockmap;
14232 int *fixup_map_sockhash = test->fixup_map_sockhash;
14233 int *fixup_map_xskmap = test->fixup_map_xskmap;
14234 int *fixup_map_stacktrace = test->fixup_map_stacktrace;
14235 int *fixup_prog1 = test->fixup_prog1;
14236 int *fixup_prog2 = test->fixup_prog2;
14237 int *fixup_map_in_map = test->fixup_map_in_map;
14238 int *fixup_cgroup_storage = test->fixup_cgroup_storage;
14239 int *fixup_percpu_cgroup_storage = test->fixup_percpu_cgroup_storage;
14241 if (test->fill_helper)
14242 test->fill_helper(test);
14244 /* Allocating HTs with 1 elem is fine here, since we only test
14245 * for verifier and not do a runtime lookup, so the only thing
14246 * that really matters is value size in this case.
14248 if (*fixup_map_hash_8b) {
14249 map_fds[0] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
14250 sizeof(long long), 1);
14252 prog[*fixup_map_hash_8b].imm = map_fds[0];
14253 fixup_map_hash_8b++;
14254 } while (*fixup_map_hash_8b);
14257 if (*fixup_map_hash_48b) {
14258 map_fds[1] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
14259 sizeof(struct test_val), 1);
14261 prog[*fixup_map_hash_48b].imm = map_fds[1];
14262 fixup_map_hash_48b++;
14263 } while (*fixup_map_hash_48b);
14266 if (*fixup_map_hash_16b) {
14267 map_fds[2] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
14268 sizeof(struct other_val), 1);
14270 prog[*fixup_map_hash_16b].imm = map_fds[2];
14271 fixup_map_hash_16b++;
14272 } while (*fixup_map_hash_16b);
14275 if (*fixup_map_array_48b) {
14276 map_fds[3] = create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
14277 sizeof(struct test_val), 1);
14279 prog[*fixup_map_array_48b].imm = map_fds[3];
14280 fixup_map_array_48b++;
14281 } while (*fixup_map_array_48b);
14284 if (*fixup_prog1) {
14285 map_fds[4] = create_prog_array(prog_type, 4, 0);
14287 prog[*fixup_prog1].imm = map_fds[4];
14289 } while (*fixup_prog1);
14292 if (*fixup_prog2) {
14293 map_fds[5] = create_prog_array(prog_type, 8, 7);
14295 prog[*fixup_prog2].imm = map_fds[5];
14297 } while (*fixup_prog2);
14300 if (*fixup_map_in_map) {
14301 map_fds[6] = create_map_in_map();
14303 prog[*fixup_map_in_map].imm = map_fds[6];
14304 fixup_map_in_map++;
14305 } while (*fixup_map_in_map);
14308 if (*fixup_cgroup_storage) {
14309 map_fds[7] = create_cgroup_storage(false);
14311 prog[*fixup_cgroup_storage].imm = map_fds[7];
14312 fixup_cgroup_storage++;
14313 } while (*fixup_cgroup_storage);
14316 if (*fixup_percpu_cgroup_storage) {
14317 map_fds[8] = create_cgroup_storage(true);
14319 prog[*fixup_percpu_cgroup_storage].imm = map_fds[8];
14320 fixup_percpu_cgroup_storage++;
14321 } while (*fixup_percpu_cgroup_storage);
14323 if (*fixup_map_sockmap) {
14324 map_fds[9] = create_map(BPF_MAP_TYPE_SOCKMAP, sizeof(int),
14327 prog[*fixup_map_sockmap].imm = map_fds[9];
14328 fixup_map_sockmap++;
14329 } while (*fixup_map_sockmap);
14331 if (*fixup_map_sockhash) {
14332 map_fds[10] = create_map(BPF_MAP_TYPE_SOCKHASH, sizeof(int),
14335 prog[*fixup_map_sockhash].imm = map_fds[10];
14336 fixup_map_sockhash++;
14337 } while (*fixup_map_sockhash);
14339 if (*fixup_map_xskmap) {
14340 map_fds[11] = create_map(BPF_MAP_TYPE_XSKMAP, sizeof(int),
14343 prog[*fixup_map_xskmap].imm = map_fds[11];
14344 fixup_map_xskmap++;
14345 } while (*fixup_map_xskmap);
14347 if (*fixup_map_stacktrace) {
14348 map_fds[12] = create_map(BPF_MAP_TYPE_STACK_TRACE, sizeof(u32),
14351 prog[*fixup_map_stacktrace].imm = map_fds[12];
14352 fixup_map_stacktrace++;
14353 } while (fixup_map_stacktrace);
14357 static int set_admin(bool admin)
14360 const cap_value_t cap_val = CAP_SYS_ADMIN;
14363 caps = cap_get_proc();
14365 perror("cap_get_proc");
14368 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val,
14369 admin ? CAP_SET : CAP_CLEAR)) {
14370 perror("cap_set_flag");
14373 if (cap_set_proc(caps)) {
14374 perror("cap_set_proc");
14379 if (cap_free(caps))
14380 perror("cap_free");
14384 static void do_test_single(struct bpf_test *test, bool unpriv,
14385 int *passes, int *errors)
14387 int fd_prog, expected_ret, alignment_prevented_execution;
14388 int prog_len, prog_type = test->prog_type;
14389 struct bpf_insn *prog = test->insns;
14390 int map_fds[MAX_NR_MAPS];
14391 const char *expected_err;
14392 uint32_t expected_val;
14397 for (i = 0; i < MAX_NR_MAPS; i++)
14401 prog_type = BPF_PROG_TYPE_SOCKET_FILTER;
14402 do_test_fixup(test, prog_type, prog, map_fds);
14403 prog_len = probe_filter_length(prog);
14406 if (test->flags & F_LOAD_WITH_STRICT_ALIGNMENT)
14407 pflags |= BPF_F_STRICT_ALIGNMENT;
14408 if (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS)
14409 pflags |= BPF_F_ANY_ALIGNMENT;
14410 fd_prog = bpf_verify_program(prog_type, prog, prog_len, pflags,
14411 "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1);
14413 expected_ret = unpriv && test->result_unpriv != UNDEF ?
14414 test->result_unpriv : test->result;
14415 expected_err = unpriv && test->errstr_unpriv ?
14416 test->errstr_unpriv : test->errstr;
14417 expected_val = unpriv && test->retval_unpriv ?
14418 test->retval_unpriv : test->retval;
14420 alignment_prevented_execution = 0;
14422 if (expected_ret == ACCEPT) {
14424 printf("FAIL\nFailed to load prog '%s'!\n",
14428 #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
14429 if (fd_prog >= 0 &&
14430 (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS)) {
14431 alignment_prevented_execution = 1;
14436 if (fd_prog >= 0) {
14437 printf("FAIL\nUnexpected success to load!\n");
14440 if (!strstr(bpf_vlog, expected_err)) {
14441 printf("FAIL\nUnexpected error message!\n\tEXP: %s\n\tRES: %s\n",
14442 expected_err, bpf_vlog);
14447 if (fd_prog >= 0) {
14448 __u8 tmp[TEST_DATA_LEN << 2];
14449 __u32 size_tmp = sizeof(tmp);
14453 err = bpf_prog_test_run(fd_prog, 1, test->data,
14454 sizeof(test->data), tmp, &size_tmp,
14458 if (err && errno != 524/*ENOTSUPP*/ && errno != EPERM) {
14459 printf("Unexpected bpf_prog_test_run error\n");
14462 if (!err && retval != expected_val &&
14463 expected_val != POINTER_VALUE) {
14464 printf("FAIL retval %d != %d\n", retval, expected_val);
14468 #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
14472 printf("OK%s\n", alignment_prevented_execution ?
14473 " (NOTE: not executed due to unknown alignment)" : "");
14476 for (i = 0; i < MAX_NR_MAPS; i++)
14482 printf("%s", bpf_vlog);
14486 static bool is_admin(void)
14489 cap_flag_value_t sysadmin = CAP_CLEAR;
14490 const cap_value_t cap_val = CAP_SYS_ADMIN;
14492 #ifdef CAP_IS_SUPPORTED
14493 if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) {
14494 perror("cap_get_flag");
14498 caps = cap_get_proc();
14500 perror("cap_get_proc");
14503 if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin))
14504 perror("cap_get_flag");
14505 if (cap_free(caps))
14506 perror("cap_free");
14507 return (sysadmin == CAP_SET);
14510 static void get_unpriv_disabled()
14515 fd = fopen("/proc/sys/"UNPRIV_SYSCTL, "r");
14517 perror("fopen /proc/sys/"UNPRIV_SYSCTL);
14518 unpriv_disabled = true;
14521 if (fgets(buf, 2, fd) == buf && atoi(buf))
14522 unpriv_disabled = true;
14526 static bool test_as_unpriv(struct bpf_test *test)
14528 return !test->prog_type ||
14529 test->prog_type == BPF_PROG_TYPE_SOCKET_FILTER ||
14530 test->prog_type == BPF_PROG_TYPE_CGROUP_SKB;
14533 static int do_test(bool unpriv, unsigned int from, unsigned int to)
14535 int i, passes = 0, errors = 0, skips = 0;
14537 for (i = from; i < to; i++) {
14538 struct bpf_test *test = &tests[i];
14540 /* Program types that are not supported by non-root we
14543 if (test_as_unpriv(test) && unpriv_disabled) {
14544 printf("#%d/u %s SKIP\n", i, test->descr);
14546 } else if (test_as_unpriv(test)) {
14549 printf("#%d/u %s ", i, test->descr);
14550 do_test_single(test, true, &passes, &errors);
14556 printf("#%d/p %s SKIP\n", i, test->descr);
14559 printf("#%d/p %s ", i, test->descr);
14560 do_test_single(test, false, &passes, &errors);
14564 printf("Summary: %d PASSED, %d SKIPPED, %d FAILED\n", passes,
14566 return errors ? EXIT_FAILURE : EXIT_SUCCESS;
14569 int main(int argc, char **argv)
14571 unsigned int from = 0, to = ARRAY_SIZE(tests);
14572 bool unpriv = !is_admin();
14575 unsigned int l = atoi(argv[argc - 2]);
14576 unsigned int u = atoi(argv[argc - 1]);
14578 if (l < to && u < to) {
14582 } else if (argc == 2) {
14583 unsigned int t = atoi(argv[argc - 1]);
14591 get_unpriv_disabled();
14592 if (unpriv && unpriv_disabled) {
14593 printf("Cannot run as unprivileged user with sysctl %s.\n",
14595 return EXIT_FAILURE;
14598 bpf_semi_rand_init();
14599 return do_test(unpriv, from, to);
projects / linux-2.6-block.git / blob